# Keycloak identity-provider module. Depending on which machine is being
# built (compared against the role hosts below) it activates the Keycloak
# service, its PostgreSQL database, the shared DB credential and an nginx
# front-end.
{ config, lib, pkgs, ... }:

let
  inherit (lib) mkIf;

  thisHost = config.instance.hostname;
  hostCfg = config.fudo.hosts."${thisHost}";
  domainName = hostCfg.domain;
  domainCfg = config.fudo.domains."${domainName}";
  zone = domainCfg.zone;

  # Role assignment. The Keycloak and gateway hosts are hard-coded; the
  # database host comes from the domain configuration.
  keycloakHostname = "keycloak.fudo.link";
  keycloakHost = "nostromo";
  gatewayHost = "limina";
  postgresHost = domainCfg.postgresql-server;

  keycloakFqdn = pkgs.lib.getHostFqdn keycloakHost; # not referenced below
  postgresFqdn = pkgs.lib.getHostFqdn postgresHost;
  keycloakPort = 9085;

  isKeycloak = thisHost == keycloakHost;
  isProxy = thisHost == gatewayHost;
  isPostgres = thisHost == postgresHost;

  hostSecrets = config.fudo.secrets.host-secrets."${thisHost}";

  # Database password shared by the Keycloak side and the PostgreSQL side.
  # It is derived deterministically from the instance build seed, so both
  # hosts obtain the same value without exchanging it; consequently anyone
  # able to read the build seed, or the generated file wherever the helper
  # places it (TODO confirm it is not a world-readable store path), can
  # recover the database credential.
  postgresPasswd = pkgs.lib.passwd.stablerandom-passwd-file
    "keycloak-postgres-passwd" config.instance.build-seed;

in {
  config = {
    # --- Secret distribution -------------------------------------------
    # Each side receives the shared password under its own runtime path.
    fudo.secrets.host-secrets."${thisHost}" = {
      keycloak-postgres-passwd = mkIf isKeycloak {
        source-file = postgresPasswd;
        target-file = "/run/keycloak/postgres.passwd";
      };
      postgres-keycloak-passwd = mkIf isPostgres {
        source-file = postgresPasswd;
        target-file = "/run/postgres/keycloak.passwd";
        # Owned by the postgres service user so the database can read it.
        user = config.systemd.services.postgresql.serviceConfig.User;
      };
    };

    # DNS alias: keycloak.<zone> points at the Keycloak host.
    fudo.zones."${zone}".aliases.keycloak = keycloakHost;

    # --- Database --------------------------------------------------------
    fudo.postgresql = mkIf isPostgres {
      # The password file is produced by the secrets target; wait for it.
      required-services = [ "fudo-passwords.target" ];
      # NOTE(review): this grants every local admin account access to the
      # Keycloak database (realm configuration, user records and sessions);
      # confirm that is intended rather than limiting it to the service user.
      databases.keycloak.users = config.instance.local-admins;
      users.keycloak = {
        password-file = hostSecrets.postgres-keycloak-passwd.target-file;
        databases.keycloak = {
          access = "ALL PRIVILEGES";
          entity-access = {
            "ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";
            "ALL SEQUENCES IN SCHEMA public" = "SELECT,UPDATE";
          };
        };
      };
    };

    # --- Keycloak service ----------------------------------------------
    services.keycloak = mkIf isKeycloak {
      enable = true;
      settings = {
        http-port = keycloakPort;
        hostname = keycloakHostname;
        # "edge" tells Keycloak that TLS terminates in front of it and that
        # the X-Forwarded-* headers from the reverse proxy are trustworthy.
        # That only holds if keycloakPort is reachable solely from the local
        # nginx below -- verify it is not exposed on the network, otherwise
        # forwarded headers could be supplied by any client.
        proxy = "edge";
      };
      database = {
        host = postgresFqdn;
        type = "postgresql";
        name = "keycloak";
        username = "keycloak";
        passwordFile = hostSecrets.keycloak-postgres-passwd.target-file;
        # NOTE(review): unless postgresHost is this same machine, the
        # database connection (credential included) crosses the network
        # without TLS; consider enabling SSL or otherwise protecting the link.
        useSSL = false;
      };
    };

    # --- HTTP front-end ------------------------------------------------
    # nginx is enabled on both the gateway and the Keycloak host, but only
    # the Keycloak-host vhost is defined; the gateway vhost that would
    # terminate TLS is commented out below, so on the gateway this module
    # currently contributes no Keycloak vhost.
    services.nginx = mkIf (isProxy || isKeycloak) {
      enable = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      virtualHosts = {
        # "${keycloakHostname}" = mkIf isProxy {
        #   enableACME = true;
        #   forceSSL = true;
        #   locations."/" = {
        #     proxyPass = "http://keycloak.${domainName}:80";
        #     proxyWebsockets = true;
        #   };
        # };

        # Plain-HTTP vhost on the Keycloak host itself. With forceSSL off and
        # no certificate, logins to this identity provider travel in clear
        # unless a TLS-terminating proxy (such as the commented-out gateway
        # vhost) sits in front -- presumably the intended layout; confirm.
        "keycloak.${domainName}" = mkIf isKeycloak {
          enableACME = false;
          forceSSL = false;
          locations."/" = {
            proxyPass = "http://localhost:${toString keycloakPort}";
            proxyWebsockets = true;
          };
        };
      };
    };
  };
}