# NixOS module: runs a Coder server behind Caddy when `config.niksos.server`
# is set. Coder binds to loopback only; the Caddy virtual host declared here
# is the only front end this file configures for it.
{
  config,
  lib,
  pkgs,
  ...
}: let
  enabled = config.niksos.server;

  siteName = "coder.jsw.tf";
  listenPort = 9005;
  proxyPort = toString listenPort;
  publicUrl = "https://${siteName}";
in {
  config = lib.mkIf enabled {
    # Forward requests for the site to the loopback listener below.
    # NOTE(review): only the bare host gets a virtual host here, while Coder is
    # given a wildcard access URL ("*.<host>"). Requests for subdomains need a
    # matching Caddy site defined elsewhere - TODO confirm.
    services.caddy.virtualHosts.${siteName}.extraConfig = ''
      reverse_proxy :${proxyPort}
    '';

    services.coder = {
      enable = true;

      # Loopback bind: the service is not directly reachable from other hosts.
      listenAddress = "127.0.0.1:${proxyPort}";
      accessUrl = publicUrl;
      wildcardAccessUrl = "*.${siteName}";

      environment = {
        # OIDC client credentials come from an agenix-managed file instead of
        # being written inline in this module. Expected format of that file:
        /*
        CODER_OIDC_CLIENT_ID=""
        CODER_OIDC_CLIENT_SECRET=""
        */
        file = config.age.secrets.coder-env.path;

        # Everything in `extra` is plain module configuration; keep it to
        # non-secret settings and put secret values in the file above.
        extra = {
          # Built-in password login and the default GitHub provider are turned
          # off, which leaves the OIDC issuer below as the configured sign-in
          # path.
          CODER_DISABLE_PASSWORD_AUTH = true;
          CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS = false;
          CODER_OAUTH2_GITHUB_DEFAULT_PROVIDER_ENABLE = false;

          CODER_OIDC_ISSUER_URL = "https://z.jsw.tf";
          CODER_OIDC_SIGN_IN_TEXT = "Sign in with JSW-Auth";
          CODER_OIDC_ICON_URL = "https://"; # FIXME: placeholder, no icon URL set yet

          # NOTE(review): with the e-mail domain filter left disabled, who may
          # sign in depends entirely on which accounts the issuer will
          # authenticate. Confirm that is intended, and whether
          # CODER_OIDC_ALLOW_SIGNUPS should also be set to false.
          # CODER_OIDC_EMAIL_DOMAIN="your-domain-1,your-domain-2";
        };
      };
    };
  };
}