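# NixOS module: Keycloak single sign-on for skynet, served at sso.skynet.ie.
#
# When enabled it adds a CNAME record and an ACME domain for the service,
# terminates TLS in nginx and proxies to Keycloak over plain HTTP, and runs
# Keycloak against a locally created PostgreSQL database whose password is
# read from an age-encrypted secret.
{
  lib,
  config,
  ...
}:
with lib; let
  name = "sso";
  cfg = config.services.skynet."${name}";

  # Public hostname, shared by the ACME request, the nginx vhost and Keycloak.
  fqdn = "${name}.skynet.ie";

  # Keycloak listens on plain HTTP and trusts X-Forwarded-* headers (see
  # settings below), so it must only be reachable through the local nginx.
  listenAddress = "127.0.0.1";
in {
  imports = [
  ];

  options.services.skynet."${name}" = {
    enable = mkEnableOption "Keycloak server";

    # NOTE(review): nothing in this module reads cfg.datasource, and neither
    # option has a default or description. It looks like a leftover from
    # another module; confirm whether it is still needed.
    datasource = {
      name = mkOption {
        type = types.str;
      };

      url = mkOption {
        type = types.str;
      };
    };
  };

  config = mkIf cfg.enable {
    # Point sso.<zone> at the machine hosting this service.
    services.skynet.dns.records = [
      {
        record = name;
        r_type = "CNAME";
        value = config.services.skynet.host.name;
      }
    ];

    # Have the shared certificate cover the SSO hostname.
    services.skynet.acme.domains = [
      fqdn
    ];

    # Database password, decrypted at activation; only its path enters the store.
    age.secrets.keycloak_pw.file = ../secrets/keycloak/pw.age;

    services.nginx.virtualHosts = {
      "${fqdn}" = {
        forceSSL = true;
        useACMEHost = "skynet";
        locations = {
          "/" = {
            # Use the literal loopback address Keycloak is bound to, not
            # "localhost", which can also resolve to ::1.
            # NOTE(review): Keycloak's "xforwarded" mode needs nginx to send
            # X-Forwarded-For/-Proto/-Host. Nothing here sets them; presumably
            # services.nginx.recommendedProxySettings is enabled elsewhere.
            # Confirm.
            proxyPass = "http://${listenAddress}:${toString config.services.keycloak.settings.http-port}/";
          };
        };
      };
    };

    services.postgresql.enable = true;

    services.keycloak = {
      enable = true;

      # SECURITY: this literal is committed to the repository and copied into
      # the world-readable Nix store, so it must be treated as public. It is
      # only the bootstrap credential for the admin account. Change the admin
      # password in the Keycloak console right after first start and check
      # that this value no longer logs in. Unlike the database password
      # below, it is not sourced from an age secret.
      initialAdminPassword = "sharky_loves_sso";

      database = {
        type = "postgresql";
        createLocally = true;

        username = "keycloak";
        passwordFile = config.age.secrets.keycloak_pw.path;
      };

      settings = {
        hostname = fqdn;
        # Bind to loopback only. Keycloak's default is every interface, and
        # anything that reached this port directly could supply its own
        # X-Forwarded-* headers and would talk to the IdP without TLS.
        http-host = listenAddress;
        http-port = 38080;
        proxy-headers = "xforwarded";
        http-enabled = true;
      };
    };
  };
}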