# NixOS module: oauth2-proxy authenticating against the self-hosted OIDC issuer
# at auth.donsz.nl, with its own nginx virtual host. Sensitive values are read
# at runtime from a sops-managed env file instead of being written to the Nix
# store (presumably the client secret and cookie secret — confirm against the
# contents of oauth2-proxy.env).
{ config, secrets, ... }:
let
  # Host path of the decrypted env file that sops provides at activation time.
  envFile = config.sops.secrets.oauth2-proxy.path;
in
{
  sops.secrets.oauth2-proxy.sopsFile = "${secrets}/oauth2-proxy.env";

  services = {
    oauth2-proxy = {
      enable = true;

      # Identity provider.
      provider = "oidc";
      oidcIssuerUrl = "https://auth.donsz.nl";
      clientID = "38aa51e2-783e-48f0-a4b9-440e269f1217";
      scope = "openid profile email groups";
      keyFile = envFile;

      # The proxy sits behind nginx; its own endpoints live under /oauth2.
      reverseProxy = true;
      proxyPrefix = "/oauth2";
      nginx.domain = "oauth2.donsz.nl";

      # Authorization is delegated entirely to the issuer: every email domain is
      # accepted, and (via the extraConfig flag below) so are accounts whose
      # email the issuer has not marked as verified. The issuer is therefore the
      # only place that decides who may obtain a session.
      email.domains = [ "*" ];
      extraConfig = {
        # NOTE(review): disables the email_verified check on the ID token, which
        # widens who can log in; keep only if auth.donsz.nl does not set
        # email_verified for legitimate accounts.
        insecure-oidc-allow-unverified-email = true;
        # Post-login redirects are only allowed to donsz.nl sub-domains.
        whitelist-domain = [ "*.donsz.nl" ];
      };

      # One session cookie scoped to the parent domain, so it is sent to every
      # donsz.nl sub-domain; HTTPS-only, refreshed hourly.
      cookie.domain = "donsz.nl";
      cookie.refresh = "1h";
      cookie.secure = true;
    };

    # The proxy's own host: TLS-only with an ACME certificate; the bare path just
    # sends visitors on to the sign-in page.
    nginx.virtualHosts."oauth2.donsz.nl" = {
      forceSSL = true;
      http2 = true;
      enableACME = true;
      locations."/".return = "301 https://oauth2.donsz.nl/oauth2/sign_in";
    };
  };
}