diff --git a/flake.nix b/flake.nix
index aa9953b..835bac4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -46,11 +46,15 @@
           session-domain = lib.mkOption { type = with lib.types; nullOr str; };
         };
         options.services.nginx.virtualHosts = lib.mkOption {
-          type = lib.types.attrsOf (lib.types.submodule ({ config, ... }: {
+          type = lib.types.attrsOf (lib.types.submodule ({ config, ...}: {
+            options.locations = lib.types.attrsOf (lib.types.submodule {
+              extraConfig = lib.mkIf config.sso.enable ''
+                proxy_set_header X-Auth-Username $auth_resp_username
+              '';
+            })
             options.sso.enable = lib.mkEnableOption "SSO BSN";
             config.extraConfig = lib.mkIf config.sso.enable ''
               auth_request /__auth_sso_validate;
-              proxy_set_header X-Auth-Username $auth_resp_username;
 
               location = /__auth_sso_validate {
                 internal;