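# NixOS module: Keycloak with its database password provisioned by sops-nix.
# The HTTP listener is loopback-only and proxy-headers is set, so the service
# is evidently meant to sit behind a reverse proxy on the same host.
{ ... }:
{
  services.keycloak = {
    enable = true;

    settings = {
      # Public base URL used for the frontend and token issuer.
      hostname = "https://id.nekover.se";

      # Admin console is served under its own hostname.
      # NOTE(review): this only changes the URLs Keycloak generates. Confirm
      # that the reverse proxy restricts who can reach the admin hostname and
      # that admin paths are not also routed on the public hostname.
      hostname-admin = "https://keycloak-admin.nekover.se";

      # Keycloak takes client address, scheme and host from X-Forwarded-*.
      # These headers are trusted as-is, so the proxy must overwrite any
      # client-supplied values rather than append to or pass them through.
      proxy-headers = "xforwarded";

      # Plain HTTP is enabled only for the proxy hop; keep the bind address on
      # loopback so the unencrypted listener is never reachable off-host.
      http-enabled = true;
      http-host = "127.0.0.1";
      http-port = 8080;
    };

    # Runtime path of the sops-nix secret declared below.
    database.passwordFile = "/run/secrets/keycloak-database-password";
  };

  sops.secrets."keycloak-database-password" = {
    # Root-only. The original granted group read ("0440") to systemd-network,
    # a group that has no role in running Keycloak, which exposed the database
    # password to every process in that group. The nixpkgs Keycloak module is
    # expected to pass passwordFile to the unit through systemd LoadCredential,
    # which is read as root, so no extra reader is needed. Confirm nothing
    # else on this host reads the file as systemd-network before deploying.
    mode = "0400";
    owner = "root";
    group = "root";

    # Restart Keycloak when the decrypted secret changes so that a rotated
    # password takes effect.
    restartUnits = [ "keycloak.service" ];
  };
}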