{ config, lib, pkgs, ... }:

# NixOS module: self-hosted Keycloak behind the host's Caddy reverse proxy.
#
# `my.services.keycloak.enable` runs Keycloak on a plain-HTTP port that is
# opened on the server's firewall interface; `my.services.keycloak.proxy` adds
# the Caddy virtual host that terminates TLS for auth.<domain> and forwards to
# that port.
with lib;

let
  cfg = config.my.services.keycloak;
  inherit (config.my.server) domain firewallInterface;

  # Public hostname and origin that Keycloak advertises in the URLs it issues.
  keycloakDomain = "auth.${domain}";
  keycloakUrl = "https://${keycloakDomain}";

  # Keycloak server options, handed to services.keycloak.settings below.
  keycloakSettings = {
    # Pin the advertised frontend and admin origin to the public URL so that
    # issued links do not depend on the incoming Host header.
    # NOTE(review): the admin console is served on the same public hostname as
    # the user-facing realm endpoints; keep that in mind when deciding what the
    # proxy exposes.
    hostname = keycloakUrl;
    hostname-admin = keycloakUrl;
    # NOTE(review): hostname-strict-https belongs to the older hostname provider
    # and is dropped in newer Keycloak releases; confirm that the version shipped
    # by pkgs.keycloak still accepts both of these options.
    hostname-strict = false;
    hostname-strict-https = false;
    # TLS terminates at Caddy; Keycloak trusts X-Forwarded-* headers to learn
    # the client address and scheme. Anything that can reach cfg.port directly
    # can set those headers itself, so reachability of the port must be limited
    # to the proxy host (see the firewall rule below; Keycloak 26+ also offers
    # proxy-trusted-addresses -- TODO confirm availability in pkgs.keycloak).
    proxy-headers = "xforwarded";
    # The listener is cleartext HTTP on the internal interface; the Caddy entry
    # below forwards to it over http://.
    http-enabled = true;
    http-port = cfg.port;
  };
in
{
  options.my.services.keycloak = {
    enable = mkEnableOption "Keycloak";
    proxy = mkEnableOption "Keycloak reverse proxy entry";
    port = mkOption {
      type = types.port;
      default = 7654;
      example = 8080;
      description = "HTTP port for the Keycloak service.";
    };
  };

  config = mkMerge [
    (mkIf cfg.enable {
      # The database password is decrypted from the agenix secret at activation;
      # only the path of the decrypted file is handed to Keycloak.
      age.secrets.keycloakDb.file = ../../secrets/keycloak-db.age;

      services.keycloak = {
        enable = true;
        package = pkgs.keycloak;
        settings = keycloakSettings;
        database.passwordFile = config.age.secrets.keycloakDb.path;
        themes.keywind = pkgs.keycloak-theme-keywind;
      };

      # Open the HTTP port on the server's firewall interface only. Because of
      # proxy-headers above, every host on that interface is implicitly trusted
      # to set forwarded headers -- presumably this is the private interface the
      # proxy lives on; verify.
      networking.firewall.interfaces.${firewallInterface}.allowedTCPPorts = [ cfg.port ];
    })

    (mkIf cfg.proxy {
      # NOTE(review): `proxyIP` is not bound anywhere in this file (not a module
      # argument, not in `let`, not inherited from config.my.server). Under the
      # file-wide `with lib;` it is resolved dynamically, so evaluation fails with
      # "undefined variable 'proxyIP'" as soon as `proxy` is enabled unless the
      # enclosing configuration provides it -- TODO confirm where it is meant to
      # come from and bind it explicitly.
      services.caddy.virtualHosts.${keycloakDomain}.extraConfig = ''
        reverse_proxy http://${proxyIP}:${toString cfg.port}
      '';
    })
  ];
}