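# /etc/nixos/configuration.nix
#
# oauth2-proxy in front of Keycloak (OIDC), used as a forward-auth endpoint
# behind Traefik.  The proxy binds to loopback only; Traefik terminates TLS
# and sends auth sub-requests to it.
{ config, lib, pkgs, ... }:

let
  # Environment file delivered by sops-nix.  It is expected to carry at least
  # OAUTH2_PROXY_CLIENT_SECRET and OAUTH2_PROXY_COOKIE_SECRET.
  # NOTE(review): the secret's owner/mode must let the oauth2-proxy service
  # user read it — confirm in the sops.secrets."oauth2-proxy-env" declaration.
  oauth2ProxyKeyFile = config.sops.secrets."oauth2-proxy-env".path;
in
{
  services.oauth2-proxy = {
    enable = true;
    package = pkgs.oauth2-proxy;
    keyFile = oauth2ProxyKeyFile;

    # --- Identity provider -------------------------------------------------
    provider = "keycloak-oidc"; # plain "oidc" also works for a generic OIDC issuer
    oidcIssuerUrl = "https://keycloak.procopius.dk/realms/homelab";
    clientID = "oauth2-proxy"; # must match the client ID configured in Keycloak
    # Public callback URL; Keycloak must list it as an allowed redirect URI.
    redirectURL = "https://oauth.procopius.dk/oauth2/callback";
    scope = "openid profile email";

    # No real upstream: Traefik only asks oauth2-proxy whether a request is
    # authenticated, so every authenticated request is answered with 202.
    upstream = [ "static://202" ];

    # --- Listener / reverse-proxy behaviour --------------------------------
    # Loopback only: the proxy is reachable solely through Traefik.
    httpAddress = "http://127.0.0.1:4180";
    reverseProxy = true;    # trust X-Forwarded-* headers set by Traefik
    setXauthrequest = true; # emit X-Auth-Request-User/-Email for forward-auth
    passBasicAuth = true;   # also forward identity via Basic / X-Forwarded-* headers
    passHostHeader = true;  # keep the original Host header

    # --- Authorization -----------------------------------------------------
    # Any account that Keycloak authenticates is admitted; access control is
    # delegated entirely to the Keycloak realm (client, roles, required actions).
    # Tighten with `email.addresses = [ ... ];` if only specific users may pass.
    email.domains = [ "*" ];

    # --- Logging -----------------------------------------------------------
    requestLogging = true;

    # --- Cookie ------------------------------------------------------------
    cookie = {
      name = "_oauth2_proxy_homelab";
      domain = ".procopius.dk"; # shared across all homelab subdomains
      secure = true;
      httpOnly = true;
      expire = "24h";
      refresh = "1h";
    };

    # Flags without a dedicated NixOS option.  Keys already covered by the
    # typed options above (pass-host-header, request-logging) are intentionally
    # not repeated here, so there is a single place that controls each one.
    extraConfig = {
      code-challenge-method = "S256"; # PKCE for the authorization-code flow
      auth-logging = true;
      # Only allow post-login redirects back to our own domain (open-redirect guard).
      whitelist-domain = ".procopius.dk";
      skip-provider-button = true; # go straight to Keycloak instead of a landing page
    };
  };

  # Port 4180 is deliberately NOT added to networking.firewall.allowedTCPPorts:
  # the listener is bound to 127.0.0.1, so the rule would be a no-op today and
  # would expose the plaintext auth endpoint directly (bypassing Traefik's TLS)
  # if the bind address were ever widened.  Reach the service through Traefik only.
}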