{config, ...}: {
  services.caddy = {
    enable = true;
    virtualHosts."auth.wanderingcrow.net".extraConfig = ''
      reverse_proxy http://localhost:5555
    '';
  };

  sops.secrets."keycloak/database/pass" = {};

  services.keycloak = {
    enable = true;
    initialAdminPassword = "changeme";
    settings = {
      hostname = "https://auth.wanderingcrow.net";
      http-port = 5555;
      https-port = 9443;
      http-enabled = true;
      hostname-strict-https = false;
    };
    database = {
      type = "postgresql";
      createLocally = true;
      passwordFile = config.sops.secrets."keycloak/database/pass".path;
    };
  };
}