diff --git a/clusters/atlas/flux-system/applications/kustomization.yaml b/clusters/atlas/flux-system/applications/kustomization.yaml
index 6b5124e..1bc2700 100644
--- a/clusters/atlas/flux-system/applications/kustomization.yaml
+++ b/clusters/atlas/flux-system/applications/kustomization.yaml
@@ -14,3 +14,4 @@ resources:
 - xmr-miner/kustomization.yaml
 - sui-metrics/kustomization.yaml
 - keycloak/kustomization.yaml
+ - oauth2-proxy/kustomization.yaml
diff --git a/clusters/atlas/flux-system/applications/oauth2-proxy/kustomization.yaml b/clusters/atlas/flux-system/applications/oauth2-proxy/kustomization.yaml
new file mode 100644
index 0000000..187572d
--- /dev/null
+++ b/clusters/atlas/flux-system/applications/oauth2-proxy/kustomization.yaml
@@ -0,0 +1,15 @@
+# clusters/atlas/flux-system/applications/oauth2-proxy/kustomization.yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: oauth2-proxy
+ namespace: flux-system
+spec:
+ interval: 10m
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ path: ./services/oauth2-proxy
+ targetNamespace: sso
+ timeout: 2m
diff --git a/services/oauth2-proxy/deployment.yaml b/services/oauth2-proxy/deployment.yaml
new file mode 100644
index 0000000..8754cb5
--- /dev/null
+++ b/services/oauth2-proxy/deployment.yaml
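Review bot: The new Flux Kustomization for oauth2-proxy declares no `dependsOn` on the `keycloak` Kustomization that sits next to it in the applications list, even though the Deployment it reconciles points `--oidc-issuer-url` at a Keycloak realm and oauth2-proxy performs OIDC discovery at startup, so on a cold start the pods will most likely crash-loop until Keycloak is serving. Adding `dependsOn:` with `  - name: keycloak` under `spec` orders the two reconciliations. The `oauth2-proxy-oidc` Secret that the Deployment reads (client_id, client_secret, cookie_secret) is not produced by anything under `./services/oauth2-proxy`; if it is provisioned out of band (SOPS, an external-secrets resource, or by hand), a one-line comment on this Kustomization naming where it comes from would keep the `sso` namespace reproducible.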
@@ -0,0 +1,71 @@
+# services/oauth2-proxy/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: oauth2-proxy
+ namespace: sso
+ labels:
+ app: oauth2-proxy
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: oauth2-proxy
+ template:
+ metadata:
+ labels:
+ app: oauth2-proxy
+ spec:
+ containers:
+ - name: oauth2-proxy
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+ imagePullPolicy: IfNotPresent
+ args:
+ - --provider=oidc
+ - --redirect-url=https://auth.bstein.dev/oauth2/callback
+ - --oidc-issuer-url=https://sso.bstein.dev/realms/atlas
+ - --scope=openid profile email groups
+ - --email-domain=*
+ - --set-xauthrequest=true
+ - --pass-access-token=true
+ - --set-authorization-header=true
+ - --cookie-secure=true
+ - --cookie-samesite=lax
+ - --cookie-refresh=20m
+ - --cookie-expire=168h
+ - --upstream=static://200
+ - --http-address=0.0.0.0:4180
+ - --skip-provider-button=true
+ - --skip-jwt-bearer-tokens=true
+ - --oidc-groups-claim=groups
+ env:
+ - name: OAUTH2_PROXY_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: oauth2-proxy-oidc
+ key: client_id
+ - name: OAUTH2_PROXY_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: oauth2-proxy-oidc
+ key: client_secret
+ - name: OAUTH2_PROXY_COOKIE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: oauth2-proxy-oidc
+ key: cookie_secret
+ ports:
+ - containerPort: 4180
+ name: http
+ readinessProbe:
+ httpGet:
+ path: /ping
+ port: 4180
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ livenessProbe:
+ httpGet:
+ path: /ping
+ port: 4180
+ initialDelaySeconds: 20
+ periodSeconds: 20
diff --git a/services/oauth2-proxy/ingress.yaml b/services/oauth2-proxy/ingress.yaml
new file mode 100644
index 0000000..96d16ea
--- /dev/null
+++ b/services/oauth2-proxy/ingress.yaml
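Review bot: The args make authorization equal to "any account that can log in to the `atlas` realm": `--email-domain=*` admits every email, and although the `groups` scope is requested and `--oidc-groups-claim=groups` is set, no `--allowed-group` ever consumes the claim, so group membership is forwarded to backends but never enforced at the proxy; `--skip-jwt-bearer-tokens=true` extends the same open policy to any bearer token issued by that realm. If the apps behind the forward-auth middleware are meant for a subset of users, add `- --allowed-group=<realm-group, placeholder>` (repeatable) next to the groups-claim flag. Separately, `--set-authorization-header=true` places the ID token in `Authorization`, and the middleware in services/oauth2-proxy/middleware.yaml copies that header onto every protected request, so each backend receives a bearer token it could replay; unless a backend actually validates that token, drop the flag and rely on the `X-Auth-Request-*` headers. Finally, because the proxy only ever sees traffic via Traefik, it likely needs `- --reverse-proxy=true` so that the forwarded host and URI are honoured when building the post-login redirect, and the container has no `securityContext` (`runAsNonRoot`, `readOnlyRootFilesystem`, dropped capabilities) or `resources`, which the other applications in this repo may already set.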
@@ -0,0 +1,24 @@
+# services/oauth2-proxy/ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: oauth2-proxy
+ namespace: sso
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+spec:
+ ingressClassName: traefik
+ rules:
+ - host: auth.bstein.dev
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: oauth2-proxy
+ port:
+ number: 80
+ tls:
+ - hosts: [auth.bstein.dev]
+ secretName: auth-tls
diff --git a/services/oauth2-proxy/kustomization.yaml b/services/oauth2-proxy/kustomization.yaml
new file mode 100644
index 0000000..e79ae66
--- /dev/null
+++ b/services/oauth2-proxy/kustomization.yaml
@@ -0,0 +1,9 @@
+# services/oauth2-proxy/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: sso
+resources:
+ - deployment.yaml
+ - service.yaml
+ - ingress.yaml
+ - middleware.yaml
diff --git a/services/oauth2-proxy/middleware.yaml b/services/oauth2-proxy/middleware.yaml
new file mode 100644
index 0000000..db5f3a4
--- /dev/null
+++ b/services/oauth2-proxy/middleware.yaml
@@ -0,0 +1,15 @@
+# services/oauth2-proxy/middleware.yaml
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: oauth2-proxy-forward-auth
+ namespace: sso
+spec:
+ forwardAuth:
+ address: http://oauth2-proxy.sso.svc.cluster.local:4180/oauth2/auth
+ trustForwardHeader: true
+ authResponseHeaders:
+ - Authorization
+ - X-Auth-Request-Email
+ - X-Auth-Request-User
+ - X-Auth-Request-Groups
diff --git a/services/oauth2-proxy/service.yaml b/services/oauth2-proxy/service.yaml
new file mode 100644
index 0000000..1eb5481
--- /dev/null
+++ b/services/oauth2-proxy/service.yaml
@@ -0,0 +1,15 @@
+# services/oauth2-proxy/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: oauth2-proxy
+ namespace: sso
+ labels:
+ app: oauth2-proxy
+spec:
+ selector:
+ app: oauth2-proxy
+ ports:
+ - name: http
+ port: 80
+ targetPort: 4180
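Review bot: In services/oauth2-proxy/middleware.yaml, `trustForwardHeader: true` tells Traefik to hand the incoming `X-Forwarded-*` headers through to oauth2-proxy as received, and oauth2-proxy derives the post-login return URL from the forwarded host and URI; that is only safe when the Traefik entrypoint itself replaces client-supplied forwarded headers (its `forwardedHeaders.trustedIPs` setting), which is cluster configuration outside this change and worth confirming before the middleware is attached to any router. A comment on the field such as `# safe only because the entrypoint rewrites X-Forwarded-* from untrusted clients` would record that dependency. Also, `/oauth2/auth` answers anonymous requests with 401, so a router using this middleware will return 401 rather than start a login flow unless a separate redirect (for example a Traefik `errors` middleware pointing at the proxy's sign-in path) is configured; if interactive login is expected, that piece seems to be missing from the change, and if only API-style bearer access is intended, the file could say so. The `Authorization` entry in `authResponseHeaders` is covered in the note on deployment.yaml.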