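# NixOS module: Keycloak identity provider served at kc.buffet.sh, with nginx
# terminating TLS in front of it and proxying to a loopback-only HTTP listener.
{ config, pkgs, ... }:
let
  # Plain-HTTP port Keycloak listens on; only nginx on this host should reach it.
  port = 11328;
in
{
  # agenix-encrypted database password. Only the decrypted file's path is
  # referenced below, so the secret value is never written into this module.
  age.secrets.keycloak-db-pass.file = ../../secrets/keycloak-db-pass.age;

  services.keycloak = {
    enable = true;
    # NOTE(review): tracks the unstable channel; confirm this is a deliberate
    # choice for an identity provider and that upgrades are reviewed.
    package = pkgs.unstable.keycloak;
    database.passwordFile = config.age.secrets.keycloak-db-pass.path;

    settings = {
      hostname = "https://kc.buffet.sh/";

      # Listen on loopback only. Keycloak is told below to trust the reverse
      # proxy's forwarded headers, so the plain-HTTP port must not be reachable
      # by anything except nginx; otherwise a direct client could supply those
      # headers itself. This does not rely on the host firewall being correct.
      http-host = "127.0.0.1";
      http-port = port;

      # TLS is terminated at nginx; Keycloak speaks HTTP behind it.
      # NOTE(review): upstream deprecated `proxy` in favour of `proxy-headers`;
      # check which one the Keycloak version from pkgs.unstable expects.
      proxy = "edge";

      # The hostname debug page reveals how the server resolves its own URLs
      # and which request/proxy headers it sees. Keep it off on a public
      # instance; enable it only temporarily while troubleshooting.
      hostname-debug = false;
    };
  };

  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts."kc.buffet.sh" = {
      # Reuses the certificate issued for buffet.sh.
      # NOTE(review): that certificate must also cover kc.buffet.sh — confirm
      # where the ACME certificate is defined.
      useACMEHost = "buffet.sh";
      # Redirect plain HTTP to HTTPS so credentials never travel unencrypted.
      forceSSL = true;

      locations."/" = {
        # Matches the loopback address Keycloak binds to (see http-host).
        proxyPass = "http://127.0.0.1:${toString port}";
      };
    };
  };
}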