diff --git a/hosts/cloud/proxy/dav-htaccess.nix b/hosts/cloud/proxy/dav-htaccess.nix
new file mode 100644
index 0000000..7902270
--- /dev/null
+++ b/hosts/cloud/proxy/dav-htaccess.nix
@@ -0,0 +1,17 @@
+{ ... }:
+{
+ services.nginx.upstreams.radicale = {
+ servers = {
+ "10.89.88.12:5232" = { };
+ "[fd31:185d:722f::12]:5232" = { };
+ };
+ };
+
+ services.nginx.virtualHosts."dav.oxapentane.com" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://radicale/";
+ };
+ };
+}
diff --git a/hosts/cloud/proxy/dav.nix b/hosts/cloud/proxy/dav.nix
new file mode 100644
index 0000000..d3bf7fb
--- /dev/null
+++ b/hosts/cloud/proxy/dav.nix
@@ -0,0 +1,49 @@
+{ ... }:
+{
+ services.nginx.upstreams.radicale = {
+ servers = {
+ "10.89.88.12:5232" = { };
+ "[fd31:185d:722f::12]:5232" = { };
+ };
+ };
+
+ services.nginx.virtualHosts."dav.oxapentane.com" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/oauth2/" = {
+ proxyPass = "http://10.89.88.11:4180/";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+ '';
+ };
+ locations."/oauth2/auth" = {
+ proxyPass = "http://10.89.88.11:4180";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Uri $request_uri;
+ proxy_set_header Content-Length "";
+ proxy_pass_request_body off;
+ '';
+ };
+ locations."/" = {
+ proxyPass = "http://radicale/";
+ extraConfig = ''
+ auth_request /oauth2/auth;
+ error_page 401 =403 /oauth2/sign_in;
+
+ auth_request_set $user $upstream_http_x_auth_request_user;
+
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ # add_header Set-Cookie $auth_cookie;
+
+ proxy_set_header X-Remote-User $user;
+ proxy_set_header X-User $user;
+ proxy_set_header X-Real-IP $remote_addr;
+
+ '';
+ };
+ };
+}
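Review bot: In dav-htaccess.nix the `locations."/"` block proxies to radicale without forwarding the client address, so radicale's logs and any per-client throttling it performs will see only the proxy's own address unless `recommendedProxySettings` is enabled in default.nix, which this page does not show; dav.nix in the same commit does set `X-Real-IP` for its `/` location, so the two variants are inconsistent on this point. Consider adding `extraConfig = '' proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; '';` to that location. Note also that the upstream is plain `http://` to 10.89.88.12:5232 / [fd31:185d:722f::12]:5232, so whatever credentials clients present (the file name suggests radicale's own htpasswd-style auth, which the page does not confirm) leave the TLS termination point in cleartext on that network; that is acceptable if the link is private, and a one-line comment stating that assumption would help the next reader.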
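Review bot: dav.nix is not imported anywhere in this commit — default.nix only adds `./dav-htaccess.nix` — so the whole oauth2-proxy variant is dead configuration, and because it defines the same `services.nginx.upstreams.radicale` and the same `dav.oxapentane.com` vhost with `locations."/".proxyPass`, importing both files would fail with a conflicting-definition error rather than merge. If it is kept as an alternative, a header comment saying so (and naming which file is live) would stop someone enabling both. Separately, `proxy_set_header X-Remote-User $user;` hands radicale an identity header that it will act on if configured to use it; that is only sound when radicale on 10.89.88.12:5232 accepts connections exclusively from this proxy, which the page does not show, so a comment stating that trust assumption next to that line is worth adding. The commented-out `add_header Set-Cookie $auth_cookie;` also means any refreshed cookie captured by `auth_request_set $auth_cookie` is never returned to the client, which may be intentional but is undocumented.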
diff --git a/hosts/cloud/proxy/default.nix b/hosts/cloud/proxy/default.nix
index 1b0becf..548fbc7 100644
--- a/hosts/cloud/proxy/default.nix
+++ b/hosts/cloud/proxy/default.nix
@@ -2,6 +2,7 @@ { imports = [ ./auth.nix
+ ./dav-htaccess.nix
]; networking.firewall.allowedTCPPorts = [
@@ -20,6 +21,10 @@ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; appendHttpConfig = ''
+ proxy_buffers 4 256k;
+ proxy_buffer_size 128k;
+ proxy_busy_buffers_size 256k;
+ ### TLS # Add HSTS header with preloading to HTTPS requests. # Adding this header to HTTP requests is discouraged