# NixOS module: oauth2-proxy fronting Keycloak (OIDC) for the "auth-proxy" host.
# The whole config block only materialises when the server is enabled AND the
# host is flagged secure (config.my.secureHost). The OIDC client secret is read
# from a sops-managed file at runtime, so it never lands in the Nix store.
{ lib, config, ... }:
let
  factory = import ../factories/mkserver.nix { inherit lib config; };
  cfg = config.my.servers.oauth2-proxy;
  # Both switches must be on for any of the config below to apply.
  enabled = cfg.enable && config.my.secureHost;
in
{
  # Presumably (name, subdomain, default port) — confirm against mkserver.nix.
  options.my.servers.oauth2-proxy = factory.mkOptions "oauth2-proxy" "auth-proxy" 4180;

  config = lib.mkIf enabled {
    # Client secret comes from the encrypted env file; rotating it restarts the unit.
    sops.secrets.oauth2-proxy.sopsFile = ../../secrets/env.yaml;
    sops.secrets.oauth2-proxy.restartUnits = [ "oauth2-proxy.service" ];

    services.oauth2-proxy = {
      enable = cfg.enable;
      provider = "keycloak-oidc";
      clientID = "oauth2-proxy";
      keyFile = config.sops.secrets.oauth2-proxy.path;
      oidcIssuerUrl = "https://auth.lebubu.org/realms/homelab";
      redirectURL = "https://auth-proxy.lebubu.org/oauth2/callback";
      # Bind address/port come from the per-server options.
      httpAddress = "${cfg.ip}:${builtins.toString cfg.port}";
      # "*" accepts every e-mail the realm issues: authorization is delegated
      # entirely to Keycloak (realm membership, client access) — nothing is
      # filtered on this side.
      email.domains = [ "*" ];

      cookie = {
        name = "_oauth2_proxy";
        secure = true;           # Secure flag: cookie is never sent over plain HTTP
        expire = "168h";         # session lifetime: 7 days
        refresh = "1h";          # how often the session is refreshed against the IdP
        domain = ".lebubu.org";  # one SSO cookie shared by every subdomain
      };

      extraConfig = {
        skip-auth-routes = [ "^/ping$" ];  # health endpoint stays unauthenticated
        set-xauthrequest = true;           # emit X-Auth-Request-* headers (auth_request-style use)
        # The provider access token is forwarded upstream and, with the cookie
        # session store, also travels inside the (oauth2-proxy-encrypted) cookie.
        pass-access-token = true;
        pass-user-headers = true;
        request-logging = true;
        auth-logging = true;
        session-store-type = "cookie";     # no external session store (e.g. Redis)
        skip-provider-button = true;       # redirect straight to Keycloak, no interstitial page
      };
    };

    # Start only once the network is up so OIDC discovery can succeed on boot.
    systemd.services.oauth2-proxy = {
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
    };
  };
}