# NixOS module: Keycloak for sso.federez.net, published through an nginx
# reverse proxy on the same host. nginx terminates TLS (ACME certificate) and
# forwards plain HTTP to Keycloak on the loopback interface.
{ config, ... }:
{
  # Disabled agenix declaration for the database password, kept as found.
  # age.secrets.keycloak-password-file.file = ../secrets/keycloak-password-file.age;

  # Only the nginx listeners are opened here; 8080 is not in this list and
  # Keycloak binds to 127.0.0.1 below, so the backend is reached via nginx only.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services = {
    nginx = {
      enable = true;
      recommendedTlsSettings = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;
      # Keycloak runs with proxy = "edge" below, so it depends on the
      # forwarding headers (Host, X-Forwarded-*) that this option makes nginx send.
      recommendedProxySettings = true;

      virtualHosts = {
        "sso.federez.net" = {
          enableACME = true;
          # Plain-HTTP requests are redirected to HTTPS.
          forceSSL = true;
          locations = {
            # NOTE(review): every path is forwarded, which presumably includes
            # Keycloak's admin console; confirm that is meant to be reachable
            # from the internet, or restrict it in a dedicated location.
            "/" = {
              proxyPass = "http://127.0.0.1:8080";
            };
          };
        };
      };
    };

    keycloak = {
      enable = true;

      database = {
        createLocally = true;
        # Given as a string rather than a Nix path literal, so the file is read
        # at runtime and is not copied into the world-readable Nix store.
        # Nothing in this module creates it: it has to be provisioned on the
        # host out of band and be readable only by privileged users.
        passwordFile = "/etc/secrets/keycloak-password";
      };

      settings = {
        # TLS ends at nginx; the hop from nginx to Keycloak is unencrypted HTTP
        # and stays on the loopback interface.
        # NOTE(review): newer Keycloak releases deprecate `proxy` in favour of
        # `proxy-headers`; check against the Keycloak version actually deployed.
        proxy = "edge";
        # Must stay in sync with the proxyPass target in the nginx vhost.
        http-host = "127.0.0.1";
        http-port = 8080;
        # Must match the nginx virtual host name.
        hostname = "sso.federez.net";
      };
    };
  };
}