{ config, ... }:
{
  age.secrets.keycloak-db-password = {
    file = ../secrets/keycloak-db-password.age;
  };

  networking.firewall.allowedTCPPorts = [ 8080 ];

  services.keycloak = {
    enable = true;
    database.passwordFile = config.age.secrets.keycloak-db-password.path;
    settings = {
      hostname = "id.fcuny.net";
      http-port = 8080;
      proxy-headers = "xforwarded";
      http-enabled = true;
    };
  };
}