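{ lib, config, ... }:
let
  # Shared server-option factory (enable/ip/port/url) used by the other my.servers.* modules.
  setup = import ../factories/mkserver.nix { inherit lib config; };
  cfg = config.my.servers.oauth2-proxy;

  # Name of the rendered sops template that becomes oauth2-proxy's `keyFile`.
  envFileName = "oauth2-proxy.env";
in
{
  options.my.servers.oauth2-proxy = setup.mkOptions "oauth2-proxy" "auth-proxy" 4180;

  # Only deployed on hosts flagged as secure; everything below is gated on that.
  config = lib.mkIf (cfg.enable && config.my.secureHost) {
    # Env-formatted secret (OAUTH2_PROXY_*=value lines) – it was already being handed to
    # oauth2-proxy as an EnvironmentFile via `keyFile`, so that format is assumed here.
    sops.secrets.oauth2-proxy = {
      sopsFile = ../../secrets/env.yaml;
      restartUnits = [ "oauth2-proxy.service" ];
    };

    # Raw cookie-signing seed; consumed only through the template below.
    sops.secrets.oauth2-proxy-cookie = {
      sopsFile = ../../secrets/secrets.yaml;
      restartUnits = [ "oauth2-proxy.service" ];
    };

    # Fix: `services.oauth2-proxy.cookie.secret` is a plain string option that is rendered
    # into the unit's command line, so giving it the sops *path* made the literal path
    # string the cookie-signing seed (predictable, and visible in the unit). The seed is
    # instead exported as OAUTH2_PROXY_COOKIE_SECRET in a rendered env file that merges
    # both secrets, and that file is passed as `keyFile`.
    # NOTE(review): assumes the cookie secret is a single line with no characters that
    # systemd's EnvironmentFile parsing would mangle (spaces, quotes) – confirm in secrets.yaml.
    sops.templates.${envFileName} = {
      content = ''
        ${config.sops.placeholder.oauth2-proxy}
        OAUTH2_PROXY_COOKIE_SECRET=${config.sops.placeholder.oauth2-proxy-cookie}
      '';
      restartUnits = [ "oauth2-proxy.service" ];
    };

    services.oauth2-proxy = {
      inherit (cfg) enable;

      provider = "keycloak-oidc";
      clientID = "oauth2-proxy";
      # Client secret and cookie secret both arrive through this env file (see template).
      keyFile = config.sops.templates.${envFileName}.path;
      oidcIssuerUrl = "${config.my.servers.keycloak.url}/realms/homelab";
      httpAddress = "${cfg.ip}:${toString cfg.port}";

      # Any email the IdP returns is accepted here; authorization is expected to happen
      # in Keycloak (which users/clients may log in) – not enforced by this proxy.
      email.domains = [ "*" ];

      cookie = {
        name = "_oauth2_proxy";
        secure = true;
        expire = "168h";
        refresh = "1h";
        # Shared across subdomains so one login covers every *.lebubu.org service.
        domain = ".lebubu.org";
      };

      # Passed through to oauth2-proxy as --key=value flags (lists become repeated flags).
      extraConfig = {
        skip-auth-route = [ "^/ping$" ];
        set-xauthrequest = true;
        pass-access-token = true;
        pass-user-headers = true;
        request-logging = true;
        auth-logging = true;
        session-store-type = "cookie";
        skip-provider-button = true;
        # PKCE for the authorization-code flow.
        code-challenge-method = "S256";
        redirect-url = "${cfg.url}/oauth2/callback";
        # Restricts post-login redirects to the cookie domain.
        whitelist-domain = [ ".lebubu.org" ];
      };
    };
  };
}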