diff --git a/auth/auth.nix b/auth/auth.nix
index cee1a2a..f889f6d 100644
--- a/auth/auth.nix
+++ b/auth/auth.nix
@@ -1,8 +1,8 @@
 nixpkgs-2411: { config, lib, pkgs, ... }:
 let
- cfg = config.selfprivacy.modules.auth;
 domain = config.selfprivacy.domain;
- auth-fqdn = cfg.subdomain + "." + domain;
+ subdomain = "auth";
+ auth-fqdn = subdomain + "." + domain;
 ldap-host = "127.0.0.1";
 ldap-port = 3636;
@@ -46,37 +46,7 @@ let
 lua_path = "${lua_core_path};${lua_lrucache_path};";
 in
 {
- options.selfprivacy.modules.auth = {
- enable = (lib.mkOption {
- default = false;
- type = lib.types.bool;
- }) // {
- meta = {
- type = "enable";
- };
- };
- subdomain = (lib.mkOption {
- default = "auth";
- type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
- }) // {
- meta = {
- widget = "subdomain";
- type = "string";
- regex = "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
- weight = 0;
- };
- };
- debug = (lib.mkOption {
- default = false;
- type = lib.types.bool;
- }) // {
- meta = {
- type = "enable";
- };
- };
- };
-
- config = lib.mkIf cfg.enable {
+ config = lib.mkIf config.selfprivacy.sso.enable {
 nixpkgs.overlays = [
 (
 _final: prev: {
@@ -132,7 +102,7 @@ in
 # kanidm is behind a proxy
 trust_x_forward_for = true;
- log_level = if cfg.debug then "trace" else "info";
+ log_level = if config.selfprivacy.sso.debug then "trace" else "info";
 };
 provision = {
 enable = true;
@@ -151,8 +121,8 @@ in
 services.nginx = {
 enable = true;
 additionalModules =
- lib.mkIf cfg.debug [ pkgs.nginxModules.lua ];
- commonHttpConfig = lib.mkIf cfg.debug ''
+ lib.mkIf config.selfprivacy.sso.debug [ pkgs.nginxModules.lua ];
+ commonHttpConfig = lib.mkIf config.selfprivacy.sso.debug ''
 log_format kanidm escape=none '$request $status\n'
 '[Request body]: $request_body\n'
 '[Header]: $resp_header\n'
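Review bot: Deleting `options.selfprivacy.modules.auth` in the second hunk without a compatibility shim means any deployed configuration that still sets `selfprivacy.modules.auth.enable`, `.subdomain` or `.debug` stops evaluating with an undefined-option error, and nothing points the operator at the new `selfprivacy.sso.*` switches. If existing deployments may carry those settings, an `imports` list with `lib.mkRenamedOptionModule` for `enable`/`debug` and `lib.mkRemovedOptionModule` for `subdomain` (now fixed to `"auth"` in the first hunk) gives a readable eval-time message instead; the rest of the migration is sketched below. The `config` attrset that follows continues past the end of the hunk.
```nix
{
  # Migration: the auth options moved to selfprivacy.sso.* and the subdomain is now fixed.
  imports = [
    (lib.mkRenamedOptionModule [ "selfprivacy" "modules" "auth" "enable" ] [ "selfprivacy" "sso" "enable" ])
    (lib.mkRenamedOptionModule [ "selfprivacy" "modules" "auth" "debug" ] [ "selfprivacy" "sso" "debug" ])
    (lib.mkRemovedOptionModule [ "selfprivacy" "modules" "auth" "subdomain" ] "The SSO subdomain is now fixed to \"auth\".")
  ];

  config = lib.mkIf config.selfprivacy.sso.enable {
    # … unchanged: nixpkgs.overlays and the rest of the module …
```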
@@ -163,7 +133,7 @@ in
 useACMEHost = domain;
 forceSSL = true;
 locations."/" = {
- extraConfig = lib.mkIf cfg.debug ''
+ extraConfig = lib.mkIf config.selfprivacy.sso.debug ''
 access_log /var/log/nginx/kanidm.log kanidm;
 lua_need_request_body on;
diff --git a/selfprivacy-module.nix b/selfprivacy-module.nix
index 76897a0..55842c9 100644
--- a/selfprivacy-module.nix
+++ b/selfprivacy-module.nix
@@ -34,6 +34,18 @@ with lib;
 type = types.nullOr types.bool;
 };
 };
+ sso = {
+ enable = mkOption {
+ description = "Enable SSO.";
+ default = true;
+ type = types.nullOr types.bool;
+ };
+ debug = mkOption {
+ description = "Enable debug for SSO.";
+ default = false;
+ type = types.nullOr types.bool;
+ };
+ };
 stateVersion = mkOption {
 description = "State version of the server";
 type = types.nullOr types.str;
diff --git a/sp-modules/gitea/module.nix b/sp-modules/gitea/module.nix
index 3c888df..97e0f13 100644
--- a/sp-modules/gitea/module.nix
+++ b/sp-modules/gitea/module.nix
@@ -14,7 +14,7 @@ let
 "gitea-light"
 "gitea-dark"
 ];
- is-auth-enabled = cfg.enableSso;
+ is-auth-enabled = cfg.enableSso && config.selfprivacy.sso.enable;
 oauth-client-id = "forgejo";
 auth-passthru = config.selfprivacy.passthru.auth;
 oauth2-provider-name = auth-passthru.oauth2-provider-name;
diff --git a/sp-modules/nextcloud/module.nix b/sp-modules/nextcloud/module.nix
index 17719f3..9110b9e 100644
--- a/sp-modules/nextcloud/module.nix
+++ b/sp-modules/nextcloud/module.nix
@@ -12,7 +12,7 @@ let
 hostName = "${cfg.subdomain}.${sp.domain}";
 auth-passthru = config.selfprivacy.passthru.auth;
 cfg = sp.modules.nextcloud;
- is-auth-enabled = cfg.enableSso;
+ is-auth-enabled = cfg.enableSso && config.selfprivacy.sso.enable;
 ldap_scheme_and_host = "ldaps://${auth-passthru.ldap-host}";
 occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ";
diff --git a/sp-modules/roundcube/module.nix b/sp-modules/roundcube/module.nix
index 68147d8..cfb5ee0 100644
--- a/sp-modules/roundcube/module.nix
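Review bot: `sso.enable` and `sso.debug` are declared as `types.nullOr types.bool`, yet every consumer in this commit treats them as plain booleans — `lib.mkIf config.selfprivacy.sso.enable` and `if config.selfprivacy.sso.debug then …` in auth/auth.nix, `cfg.enableSso && config.selfprivacy.sso.enable` in the service modules — so a `null` value passes the option type check and then fails as a type error deep in evaluation instead of as a readable option error. Unless `null` is needed to match the sibling options above, `type = types.bool;` on both is the safer declaration; otherwise coalesce at the use sites, e.g. `lib.mkIf (config.selfprivacy.sso.enable == true)`. The `debug` description should also state what it switches on, since the auth/auth.nix hunks show it sets kanidm's `log_level` to `trace` and makes nginx write `$request_body` and response headers of the auth vhost to `/var/log/nginx/kanidm.log`, which puts credentials and tokens into a plaintext log: `description = "Enable debug for SSO. Sets kanidm log level to trace and logs full auth request bodies and headers to /var/log/nginx/kanidm.log; keep off in normal operation.";`.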
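Review bot: `is-auth-enabled = cfg.enableSso && config.selfprivacy.sso.enable;` presumably makes a service that asked for SSO fall back to its local authentication whenever the global switch is off, with no eval-time signal to the operator; the same gating is added in sp-modules/nextcloud/module.nix, sp-modules/roundcube/module.nix and sp-modules/simple-nixos-mailserver/common.nix. A module assertion would surface the mismatch instead of the service quietly coming up without SSO, e.g. in the module's `config` (outside this hunk): `assertions = [ { assertion = cfg.enableSso -> config.selfprivacy.sso.enable; message = "gitea: enableSso requires selfprivacy.sso.enable"; } ];`. If a soft fallback is the intended behaviour, wrapping the binding in `lib.warnIf (cfg.enableSso && !config.selfprivacy.sso.enable) "gitea: enableSso ignored because selfprivacy.sso.enable is false"` at least documents it in the build output.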
+++ b/sp-modules/roundcube/module.nix
@@ -2,7 +2,7 @@
 let
 domain = config.selfprivacy.domain;
 cfg = config.selfprivacy.modules.roundcube;
- is-auth-enabled = cfg.enableSso;
+ is-auth-enabled = cfg.enableSso && config.selfprivacy.sso.enable;
 auth-passthru = config.selfprivacy.passthru.auth;
 auth-fqdn = auth-passthru.auth-fqdn;
 sp-module-name = "roundcube";
diff --git a/sp-modules/simple-nixos-mailserver/common.nix b/sp-modules/simple-nixos-mailserver/common.nix
index 5f21e92..6e60dba 100644
--- a/sp-modules/simple-nixos-mailserver/common.nix
+++ b/sp-modules/simple-nixos-mailserver/common.nix
@@ -4,7 +4,8 @@ rec {
 domain = config.selfprivacy.domain;
 group = "dovecot2";
 is-auth-enabled =
- config.selfprivacy.modules.simple-nixos-mailserver.enableSso;
+ config.selfprivacy.modules.simple-nixos-mailserver.enableSso
+ && config.selfprivacy.sso.enable;
 appendSetting = { name, file, prefix, suffix ? "", passwordFile, destination }: