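# NixOS module: runs Keycloak inside a declarative NixOS container with a
# private network and publishes it through a Caddy virtual host on the host.
{ config, lib, inputs, pkgs, self, ... }:
let
  # Host-side and container-side addresses of the container's private link.
  # NOTE(review): both ends carry the same address. With identical values the
  # host treats serviceAddress as local, so Caddy's reverse_proxy would connect
  # to the host itself rather than the container. Assign the container a
  # distinct, unused address in this subnet.
  hostAddress = "10.10.42.1";
  serviceAddress = "10.10.42.1";

  hostname = "auth.momo.koeln";
  # Not referenced anywhere in this module at the moment.
  dbUserName = "keycloak";
  hostStateDir = "/mnt/internal/keycloak";
  containerStateDir = "/var/lib/keycloak";

  # Resolved from the HOST's `config` here on purpose: the container's module
  # below takes its own `config` argument, which shadows the host one and does
  # not declare `age.secrets` unless agenix is imported inside the container.
  dbPasswordFile = config.age.secrets.keycloak-database-password.path;
in
{
  age.secrets.keycloak-database-password = {
    file = "${self}/secrets/keycloak-database-password.age";
    # Read-only for the owner; a password file needs neither write nor execute
    # bits (the original "700" granted both).
    # NOTE(review): confirm the consumer reads this file as its owner.
    mode = "400";
    #owner = "keycloak";
  };

  services.caddy.virtualHosts.${hostname} = {
    # NOTE(review): access logging is discarded for the identity provider's
    # front end, so failed-login bursts and similar patterns are not visible
    # in Caddy logs. Confirm this is intended and that Keycloak's own event
    # logging covers it.
    logFormat = lib.mkForce ''
      output discard
    '';
    extraConfig = ''
      redir / /realms/momo.koeln/account temporary
      reverse_proxy ${serviceAddress}:8080
    '';
  };

  containers."keycloak" = {
    privateNetwork = true;
    hostAddress = hostAddress;
    localAddress = serviceAddress;

    # Persistent Keycloak state lives on the host and is mounted read-write.
    bindMounts."${containerStateDir}" = {
      hostPath = hostStateDir;
      isReadOnly = false;
    };

    # The decrypted database password is exposed at the same path inside the
    # container, read-only.
    bindMounts."${dbPasswordFile}" = {
      hostPath = dbPasswordFile;
      isReadOnly = true;
    };

    config = { config, pkgs, ... }: {
      # keycloak
      services.keycloak = {
        enable = true;
        # Uses the host-resolved path; `config` in this scope is the
        # container's configuration, not the host's.
        database.passwordFile = dbPasswordFile;
        settings = {
          # Was `hostname = domain;`, but no `domain` binding exists in this
          # file; the public name is the `hostname` let-binding.
          inherit hostname;
          # Listens on every interface of the container. With privateNetwork
          # the only link configured in this file is the one to the host.
          # NOTE(review): no firewall rule for port 8080 is visible here;
          # confirm the host can actually reach the container on it.
          http-host = "0.0.0.0";
          http-port = 8080;
          # TLS is terminated by Caddy on the host.
          # NOTE(review): newer Keycloak releases deprecate `proxy` in favour
          # of `proxy-headers`; check against the packaged version.
          proxy = "edge";
        };
        # themes = {
        #   "momo.koeln" = inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar;
        # };
      };
    };
  };
}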