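# NixOS module: Keycloak SSO behind an nginx TLS-terminating reverse proxy.
#
# Keycloak listens on plain HTTP on the loopback interface only; nginx owns the
# public host name `extraInfo.keycloakURI`, terminates TLS for it and proxies
# to Keycloak. `extraInfo` is a project-supplied module argument.
{ lib, config, extraInfo, ... }:

let
  inherit (lib) mkEnableOption mkIf mkOption types;

  cfg = config.my.server.sso;

  # Single source of truth for the public origin: Keycloak uses it to build
  # redirect URIs and to decide which Host values it will serve.
  publicOrigin = "https://${extraInfo.keycloakURI}";
in
{
  options.my.server.sso = {
    enable = mkEnableOption "SSO using Keycloak";

    dbPasswordFile = mkOption {
      # Deliberately `types.str` rather than `types.path`: a path literal would
      # be copied into the world-readable Nix store, leaking the secret.
      type = types.str;
      description = "Path to the file containing the database password (read at runtime, never copied into the Nix store)";
    };
  };

  config = mkIf cfg.enable {
    services.keycloak = {
      enable = true;

      database = {
        type = "postgresql";
        createLocally = true;
        passwordFile = cfg.dbPasswordFile;
      };

      settings = {
        hostname = publicOrigin;
        # NOTE(review): hostname-admin-url is a hostname:v1 option; on Keycloak
        # releases using hostname:v2 the equivalent is `hostname-admin` --
        # confirm against the deployed Keycloak version.
        hostname-admin-url = publicOrigin;

        # Plain HTTP is acceptable only because nginx terminates TLS in front
        # of it. Bind to loopback so the unencrypted listener is not reachable
        # from the network (the NixOS module otherwise binds a wildcard
        # address). If nginx is disabled on this host Keycloak is then reachable
        # only locally, which is intended since `hostname` advertises https.
        http-enabled = true;
        http-host = "127.0.0.1";
        http-port = 8081;

        # nginx's recommendedProxySettings sends X-Forwarded-For/-Proto/-Host,
        # not the RFC 7239 `Forwarded` header. With "forwarded" Keycloak would
        # ignore what nginx sets and instead trust a client-supplied
        # `Forwarded:` header, which nginx passes through untouched (spoofable
        # client IP and scheme, affecting logs and brute-force detection).
        # "xforwarded" matches the headers the proxy actually controls.
        proxy-headers = "xforwarded";
      };
    };

    services.nginx.virtualHosts.${extraInfo.keycloakURI} = mkIf config.services.nginx.enable {
      # ACME needs security.acme.acceptTerms and a contact e-mail configured
      # elsewhere in the system configuration.
      forceSSL = true;
      enableACME = true;

      locations."/" = {
        # Sets Host and the X-Forwarded-* headers that Keycloak trusts via
        # `proxy-headers` above; X-Forwarded-For/-Proto are overwritten by
        # nginx, so clients cannot inject them.
        recommendedProxySettings = true;
        # Same literal loopback address as `http-host`, so nginx never tries
        # ::1 first when "localhost" resolves to both families.
        proxyPass = "http://127.0.0.1:${toString config.services.keycloak.settings.http-port}";
      };
    };
  };
}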