{pkgs, config, ...}:
let
  # OIDC endpoint/client definitions shared across hosts, built from the
  # issuer base URL and this host's client id.
  auth = import ../../lib/auth.nix {
    baseUrl = "https://auth.donsz.nl";
    clientId = "homeserver";
  };

  # Public hostname under which oauth2-proxy itself is served.
  oauth2Host = "oauth2.donsz.nl";
in
{
  # Secret material (client secret, cookie secret) lives in a sops-encrypted
  # env file; the decrypted path is referenced below via keyFile, so nothing
  # sensitive ends up in the world-readable Nix store.
  sops.secrets.oauth2-proxy.sopsFile = ../../../secrets/oauth2-proxy.env;

  services.oauth2-proxy = {
    enable = true;

    # --- provider wiring ---------------------------------------------------
    provider = "oidc";
    clientID = "${auth.clientId}";
    oidcIssuerUrl = auth.oidcIssuerUri;
    # Explicit endpoints override what OIDC discovery would return.
    loginURL = auth.apiAuthUrl;
    redeemURL = auth.tokenUrl;
    # NOTE(review): this points at an RFC 7662 introspection endpoint; confirm
    # the issuer accepts the request shape oauth2-proxy uses for validation.
    validateURL = auth.rfc7662TokenIntrospectionUrl;
    profileURL = auth.oidcUserInfo;
    scope = "openid profile email";

    # --- proxy placement ---------------------------------------------------
    proxyPrefix = "/oauth2";
    # Runs behind nginx only; trusts the forwarded headers from it.
    reverseProxy = true;
    # Env file with the OAUTH2_PROXY_* secrets, decrypted by sops at activation.
    keyFile = config.sops.secrets.oauth2-proxy.path;
    nginx.domain = oauth2Host;

    # --- authorization -----------------------------------------------------
    # "*" accepts any e-mail the issuer authenticates: who may log in is
    # decided entirely by the IdP, not here.
    email.domains = [ "*" ];

    # --- session cookie ----------------------------------------------------
    cookie = {
      # Scoped to the apex so the session is shared by every *.donsz.nl
      # application; every subdomain can therefore read it.
      domain = "donsz.nl";
      refresh = "1h";
      # Never sent over plain HTTP.
      secure = true;
    };

    # Limits post-login redirect targets to the site's own subdomains.
    extraConfig = {
      whitelist-domain = [ "*.donsz.nl" ];
    };
  };

  services.nginx.virtualHosts.${oauth2Host} = {
    forceSSL = true;
    http2 = true;
    enableACME = true;
    # The bare host has no content of its own; send visitors to the sign-in page.
    locations."/".return = "301 https://${oauth2Host}/oauth2/sign_in";
  };
}