diff --git a/roles/oauth2proxy/tasks/main.yml b/roles/oauth2proxy/tasks/main.yml
new file mode 100644
index 0000000..b0a4cfc
--- /dev/null
+++ b/roles/oauth2proxy/tasks/main.yml
@@ -0,0 +1,31 @@
+- name: ensure directories exist
+ file:
+ path: "{{ item }}"
+ state: directory
+ mode: '0755'
+ loop:
+ - "{{ data_folder }}/oauth2-proxy"
+- name: copy oauth2-proxy config
+ template:
+ src: oauth2-proxy.cfg
+ dest: "{{ data_folder }}/oauth2-proxy/oauth2-proxy.cfg"
+ mode: '0755'
+ notify: reload nginx
+- name: run container
+ docker_container:
+ name: 'oauth2-proxy'
+ image: quay.io/oauth2-proxy/oauth2-proxy
+ networks:
+ - name: bridge
+ - name: nginx-internal
+ command: '/bin/oauth2-proxy --config=/etc/oauth-proxy.cfg'
+ volumes:
+ - "{{ data_folder }}/oauth2-proxy/oauth-proxy.cfg:/etc/oauth-proxy.cfg"
+ ports:
+ - "4180:4180"
+- name: copy oauth2-proxy nginx config
+ template:
+ src: oauth2-proxy.conf.j2
+ dest: "{{ nginx_confd_folder }}/oauth2-proxy.conf"
+ mode: '0755'
+ notify: reload nginx
diff --git a/roles/oauth2proxy/templates/oauth2-proxy.cfg b/roles/oauth2proxy/templates/oauth2-proxy.cfg
new file mode 100644
index 0000000..0c64826
--- /dev/null
+++ b/roles/oauth2proxy/templates/oauth2-proxy.cfg
@@ -0,0 +1,15 @@
+provider = "github"
+redirect_url = "https://auth.dev.local/oauth2/callback"
+provider_display_name = "Gitea"
+client_id = "8a433bb1-4da1-4948-a0f2-57a85e3b2cc5"
+client_secret = "xMESmq2UwOsMKR8hei60XrU4s7nen3KL8ymVELivcb8="
+login_url = "https://git.kucharczyk.xyz/login/oauth/authorize"
+redeem_url = "https://git.kucharczyk.xyz/login/oauth/access_token"
+validate_url = "https://git.kucharczyk.xyz/api/v1"
+
+email_domains = [
+ "dev.local"
+]
+
+cookie_secret = "lVyySw_e0gb30CRU9nwGOA=="
+reverse_proxy = "true"
diff --git a/roles/oauth2proxy/templates/oauth2-proxy.conf.j2 b/roles/oauth2proxy/templates/oauth2-proxy.conf.j2
new file mode 100644
index 0000000..e5fc2df
--- /dev/null
+++ b/roles/oauth2proxy/templates/oauth2-proxy.conf.j2
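Review bot: The `copy oauth2-proxy config` task installs a file that carries `client_secret` and `cookie_secret` with `mode: '0755'`, which leaves it world-readable (and needlessly executable); it should be `mode: '0600'` (or `'0640'` with a dedicated group) so only the deploying user and the container process can read it. The `run container` task publishes `"4180:4180"` on every host interface even though the nginx template proxies to 127.0.0.1:4180 and the container already sits on `nginx-internal`; bind it as `- "127.0.0.1:4180:4180"` or drop `ports:` entirely so the proxy's listener cannot be reached around nginx. The template's `dest` is `oauth2-proxy/oauth2-proxy.cfg` while the bind mount reads `oauth2-proxy/oauth-proxy.cfg`, so the container is started against a path the role never writes (Docker would create an empty directory there); the two names must agree. A change to the proxy config only notifies `reload nginx`, which does not restart the container, so a rotated secret would not take effect until the container is recreated — a handler that restarts `oauth2-proxy` is needed. The image has no tag or digest, so every run pulls whatever `latest` currently is; pin it.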
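Review bot: `client_secret` and `cookie_secret` are committed in clear text in this template, so both are now in git history and need to be rotated (new OAuth application secret in Gitea, freshly generated cookie secret), not merely moved. Because the file is installed through the `template` module, the values should be rendered from vault-encrypted variables instead, e.g. `client_secret = "{{ oauth2_proxy_client_secret }}"` and `cookie_secret = "{{ oauth2_proxy_cookie_secret }}"`, with `client_id` following the same path. `reverse_proxy = "true"` is written as a quoted string where oauth2-proxy documents a boolean; confirm the config loader coerces it, otherwise write `reverse_proxy = true`. Note that per oauth2-proxy's documentation this flag makes the proxy trust `X-Real-IP`/`X-Forwarded-*` headers from the caller, which is only safe if the 4180 listener is reachable solely through nginx.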
@@ -0,0 +1,15 @@
+server {
+ listen 443 default ssl;
+ server_name auth.dev.local;
+ add_header Strict-Transport-Security max-age=2592000;
+
+ location / {
+ proxy_pass http://127.0.0.1:4180;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Scheme $scheme;
+ proxy_connect_timeout 1;
+ proxy_send_timeout 30;
+ proxy_read_timeout 30;
+ }
+}
\ No newline at end of file
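Review bot: The `location /` block forwards only `X-Real-IP` and `X-Scheme`, while the proxy config enables `reverse_proxy` so it trusts forwarded headers; add the standard `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;` so client attribution and scheme detection use the headers oauth2-proxy documents. `listen 443 default ssl;` uses the deprecated `default` spelling and makes this the catch-all server for any unmatched name on 443; `listen 443 ssl default_server;` is the current form, and if being the catch-all is intended a one-line comment should say so. No `ssl_certificate`/`ssl_certificate_key` directives appear in the block, so it presumably relies on directives inherited from the `http` context — worth a comment such as `# TLS cert/key inherited from nginx.conf http{} block` pointing at where they live, since without them nginx rejects this server. The HSTS header is only 30 days and lacks `includeSubDomains`; if that is deliberate for a dev host, a short comment explaining the choice would help the next reader.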