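{ config, pkgs, ... }:

let
  # Public hostnames, derived from the machine's domain so the issuer, the
  # ACME SAN and the nginx vhost are always the same string.
  dex = { hostname = "dex.${config.networking.domain}"; };
  # `outline.hostname` is used in the redirect URI below but was never bound,
  # which makes the module fail to evaluate ("undefined variable 'outline'").
  # Bound here following the dex convention.
  # TODO(review): confirm this is the host Outline is actually served on -
  # dex matches redirect URIs exactly, so a mismatch breaks the login flow.
  outline = { hostname = "outline.${config.networking.domain}"; };
in
{
  services.dex = {
    enable = true;
    # Secrets referenced from `settings` are expanded from this file at
    # runtime so they stay out of the world-readable Nix store.
    # NOTE(review): "environemnt" looks like a typo; left unchanged because the
    # file deployed on disk must carry the same name - rename both together.
    environmentFile = "/var/custom-access/dex-environemnt";
    settings = {
      # Must be the exact URL clients reach dex at: it is embedded in issued
      # tokens and OIDC clients validate the `iss` claim against it.
      issuer = "https://${dex.hostname}";
      storage.type = "sqlite3";
      # Plain HTTP bound to loopback only; TLS is terminated by nginx below,
      # so nothing outside this host can reach the unencrypted listener.
      web.http = "127.0.0.1:5556";
      staticClients = [
        {
          id = "outline";
          name = "Outline Client";
          # Exact-match allowlist; dex rejects any redirect_uri not listed here.
          redirectURIs = [ "https://${outline.hostname}/auth/oidc.callback" ];
          # Client secret kept out of the store. This module does not manage
          # ownership/mode of the file: it must be readable by the user the
          # dex service runs as and by nobody else.
          secretFile = "/var/custom-access/outline-oidc-secret.txt";
        }
      ];
      # Enables dex's built-in local password database. With `staticPasswords`
      # commented out and no connector configured in this file, there is no
      # account that can authenticate as configured here; fill in a bootstrap
      # account (or add a connector) before relying on this instance.
      enablePasswordDB = true;
      # staticPasswords = [
      #   {
      #     email = "till@ktiu.net";
      #     # gen hash with $ htpasswd -nBC 10 "" | tr -d ':\n'
      #     hash = "";
      #     username = "bootstrap-admin";
      #     # $ uuidgen
      #     userID = "";
      #   }
      # ];
    };
  };

  # Add the dex hostname as a SAN on the domain's existing ACME certificate.
  security.acme.certs."${config.networking.domain}".extraDomainNames = [ dex.hostname ];

  services.nginx.virtualHosts."${dex.hostname}" = {
    # HTTPS only: no plaintext listener for the token/authorization endpoints.
    onlySSL = true;
    useACMEHost = config.networking.domain;
    locations."/" = {
      # Proxy to the loopback listener configured in services.dex above.
      proxyPass = "http://${config.services.dex.settings.web.http}";
      proxyWebsockets = true;
    };
  };
}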