# NixOS module: enables PostgreSQL and a Keycloak instance that uses a locally
# created PostgreSQL database, listens on plain HTTP port 8080, and opens that
# port in the host firewall.
{ config, pkgs, ... }:
{
  services = {
    postgresql.enable = true;

    keycloak = {
      enable = true;

      # NOTE(review): this bootstrap admin password is a guessable literal kept
      # in the Nix configuration, so treat it as public. Change the admin
      # password in the admin console right after the first login; it is not a
      # credential to rely on.
      initialAdminPassword = "password";

      database = {
        type = "postgresql";
        createLocally = true;
        username = "keycloak";
        # The database password is taken from a sops-managed secret file path
        # instead of being written inline. The declaration of
        # sops.secrets.keycloak_psql_pass is not in this file; confirm it exists
        # and is readable by the service.
        passwordFile = config.sops.secrets.keycloak_psql_pass.path;
      };

      settings = {
        hostname = "keycloak.procopius.dk";
        # Alternative hostname settings, currently disabled:
        # hostname-admin = "http://keycloak.lab:8080";
        # hostname-strict = false;
        # hostname-backchannel-dynamic = true;

        # Plain HTTP plus trusted X-Forwarded-* headers: presumably TLS is
        # terminated by a reverse proxy in front of this service (not shown
        # here). These headers are only trustworthy when every request passes
        # through a proxy that overwrites them.
        http-enabled = true;
        http-port = 8080;
        proxy-headers = "xforwarded";
      };
    };
  };

  # NOTE(review): this exposes the HTTP listener to any host the firewall
  # admits, so clients that reach 8080 directly bypass the proxy and can supply
  # their own X-Forwarded-* headers. If the proxy runs on this machine the
  # opening is unnecessary; otherwise restrict it to the proxy's address.
  networking.firewall.allowedTCPPorts = [ 8080 ];
}