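{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.keycloak;

  # Runtime base directory of the server; the same path is passed as
  # -Djboss.server.base.dir below and is created/owned via StateDirectory.
  stateDir = "/var/lib/keycloak";

  # Stock configuration shipped inside the Keycloak package.
  defaultConfig = "${pkgs.keycloak}/standalone/configuration";

  # Copy of the stock configuration with file logging stripped: every line
  # of logging.properties mentioning FILE is dropped and the root logger is
  # pointed at the CONSOLE handler, so output goes to stdout (and from
  # there to systemd's journal).
  keycloakConfig = pkgs.runCommand "keycloak-config" {} ''
    mkdir $out
    cp ${defaultConfig}/application-roles.properties $out/
    cp ${defaultConfig}/application-users.properties $out/
    cp ${defaultConfig}/mgmt-groups.properties $out/
    cp ${defaultConfig}/mgmt-users.properties $out/
    cp ${defaultConfig}/standalone.xml $out/
    {
      grep -v FILE ${defaultConfig}/logging.properties
      echo "logger.handlers=CONSOLE"
      echo "handler.CONSOLE.level=ALL"
    } > $out/logging.properties
  '';
in
{
  options = {
    services.keycloak = {
      enable = mkEnableOption "Keycloak Identity and Access Management Server";
    };
  };

  config = mkIf cfg.enable {
    # Dedicated unprivileged account. The unit previously had no User= and
    # therefore ran the whole server (and its preStart copy) as root.
    users.users.keycloak = {
      isSystemUser = true;
      group = "keycloak";
      home = stateDir;
      description = "Keycloak service user";
    };
    users.groups.keycloak = {};

    systemd.services.keycloak = {
      description = "Keycloak Identity and Access Management Server";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      # Runs as the service user; StateDirectory below hands ${stateDir} to
      # it. The *-users.properties files hold credential hashes, so they are
      # installed owner-writable/group-readable instead of inheriting the
      # world-readable, non-writable mode that `cp` carries over from the
      # Nix store (which would also make a second start fail for a
      # non-root user). `install` replaces an existing destination file.
      # NOTE: as before, the copy is unconditional, so any account added at
      # runtime (e.g. via add-user.sh) is reset on the next start.
      preStart = ''
        mkdir -p ${stateDir}/logs
        mkdir -p ${stateDir}/config
        install -m 0640 ${keycloakConfig}/*.properties ${stateDir}/config/
      '';

      serviceConfig = {
        # standalone.xml is served read-only straight from the store.
        ExecStart = "${pkgs.keycloak}/bin/standalone.sh -Djboss.server.base.dir=${stateDir} -Djboss.server.config.dir=${stateDir}/config --read-only-server-config=${keycloakConfig}/standalone.xml";
        User = "keycloak";
        Group = "keycloak";
        # Creates ${stateDir} owned by the service user before preStart.
        StateDirectory = "keycloak";
        StateDirectoryMode = "0750";
        # Basic sandboxing; the server only needs to write under ${stateDir}
        # and a private /tmp.
        NoNewPrivileges = true;
        PrivateTmp = true;
        ProtectHome = true;
        ProtectSystem = "full";
      };
    };
  };
}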