diff --git a/hosts/VEGAS/modules/oauth2-proxy/default.nix b/hosts/VEGAS/modules/oauth2-proxy/default.nix
new file mode 100644
index 0000000..edca564
--- /dev/null
+++ b/hosts/VEGAS/modules/oauth2-proxy/default.nix
@@ -0,0 +1,54 @@
+{ config, lib, pkgs, tools, ... }:
+let
+  inherit (tools.meta) domain;
+  login = x: "https://login.${domain}/auth/realms/master/protocol/openid-connect/${x}";
+  cfg = config.services.oauth2_proxy;
+in
+{
+  age.secrets.oauth2_proxy-secrets = {
+    file = ../../../../secrets/oauth2_proxy-secrets.age;
+    owner = "root";
+    group = "root";
+    mode = "0400";
+  };
+  services.oauth2_proxy = {
+    enable = true;
+    approvalPrompt = "auto";
+    provider = "keycloak";
+    scope = "openid";
+    clientID = "net.privatevoid.admin-interfaces1";
+    keyFile = config.age.secrets.oauth2_proxy-secrets.path;
+    loginURL = login "auth";
+    redeemURL = login "token";
+    validateURL = login "userinfo";
+    cookie = {
+      secure = true;
+      domain = ".${domain}";
+    };
+    email.domains = [ domain ];
+    extraConfig = {
+      keycloak-group = "/admins";
+      skip-provider-button = true;
+    };
+  };
+  services.nginx.virtualHosts = lib.genAttrs cfg.nginx.virtualHosts (vhost: {
+    # apply protection to the whole vhost, not just /
+    extraConfig = ''
+      auth_request /oauth2/auth;
+      error_page 401 = /oauth2/sign_in;
+
+      # pass information via X-User and X-Email headers to backend,
+      # requires running with --set-xauthrequest flag
+      auth_request_set $user   $upstream_http_x_auth_request_user;
+      auth_request_set $email  $upstream_http_x_auth_request_email;
+      proxy_set_header X-User  $user;
+      proxy_set_header X-Email $email;
+
+      # if you enabled --cookie-refresh, this is needed for it to work with auth_request
+      auth_request_set $auth_cookie $upstream_http_set_cookie;
+      add_header Set-Cookie $auth_cookie;
+    '';
+    locations."/oauth2/".extraConfig = "auth_request off;";
+    locations."/oauth2/auth".extraConfig = "auth_request off;";
+  });
+}
diff --git a/hosts/VEGAS/system.nix b/hosts/VEGAS/system.nix
index a639726..96e13c3 100644
--- a/hosts/VEGAS/system.nix
+++ b/hosts/VEGAS/system.nix
@@ -9,6 +9,7 @@
       # Plumbing
       ./modules/database
       ./modules/nginx
+      ./modules/oauth2-proxy
       inputs.agenix.nixosModules.age
     ]
     # TODO: fix users
diff --git a/secrets/oauth2_proxy-secrets.age b/secrets/oauth2_proxy-secrets.age
new file mode 100644
index 0000000..c61a25a
Binary files /dev/null and b/secrets/oauth2_proxy-secrets.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 6eb0778..1d7c60a 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -7,4 +7,5 @@ in with hosts;
   "hydra-s3.age".publicKeys = max ++ map systemKeys [ styx ];
   "hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ styx ];
   "gitea-db-credentials.age".publicKeys = max ++ map systemKeys [ git ];
+  "oauth2_proxy-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 }