diff --git a/hosts/auth/default.nix b/hosts/auth/default.nix
index dbc585c..95e3153 100644
--- a/hosts/auth/default.nix
+++ b/hosts/auth/default.nix
@@ -5,6 +5,7 @@ in {
   imports = [
     ./keycloak.nix
+    ./oauth2-proxy.nix
   ];
   sops.defaultSopsFile = ./secrets.yaml;
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
diff --git a/hosts/auth/oauth2-proxy.nix b/hosts/auth/oauth2-proxy.nix
new file mode 100644
index 0000000..81cdf8f
--- /dev/null
+++ b/hosts/auth/oauth2-proxy.nix
@@ -0,0 +1,25 @@
+{ config, ... }:
+{
+  sops.secrets."oauth2-proxy/env" = {
+    owner = config.users.users.oauth2-proxy.name;
+  };
+
+  services.oauth2-proxy = {
+    enable = true;
+    reverseProxy = true;
+    provider = "keycloak-oidc";
+    httpAddress = "0.0.0.0:4180";
+    oidcIssuerUrl = "https://auth.oxapentane.com/realms/0xalab-prod";
+    clientID = "radicale-proxy";
+    redirectURL = "https://dav.oxapentane.com/oauth2/callback";
+    keyFile = config.sops.secrets."oauth2-proxy/env".path;
+    scope = "openid";
+    email.domains = [ "*" ];
+    setXauthrequest = true;
+    cookie = {
+      secure = true;
+      refresh = "48h0m0s";
+      domain = ".oxapentane.com";
+    };
+  };
+}
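Review bot: `httpAddress = "0.0.0.0:4180"` combined with `reverseProxy = true` in the new oauth2-proxy.nix opens a listener on every interface that accepts X-Forwarded-* headers from whoever connects, so any host that can reach port 4180 can present a spoofed client address and forwarded host; if the reverse proxy fronting dav.oxapentane.com runs on this machine bind to `127.0.0.1:4180`, otherwise limit the port to that proxy in the host firewall and record the expectation, e.g. `# 4180 must only be reachable from the dav reverse proxy: reverseProxy=true trusts X-Forwarded-* headers`. `email.domains = [ "*" ]` makes every account in the 0xalab-prod realm an authorized user of the proxied service; if that is the intent a comment saying so helps, otherwise oauth2-proxy's allowed-group restriction would narrow it to the users who need it. `cookie.domain = ".oxapentane.com"` sends the session cookie to every subdomain rather than only to dav, and `refresh = "48h0m0s"` means a user disabled in Keycloak keeps a valid proxied session for up to two days; scoping the cookie to the host that needs it and shortening the refresh interval tighten both.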