diff --git a/machines/storage/s0/home-automation.nix b/machines/storage/s0/home-automation.nix
index e2dd499..d5f8431 100644
--- a/machines/storage/s0/home-automation.nix
+++ b/machines/storage/s0/home-automation.nix
@@ -1,14 +1,20 @@
 { config, lib, pkgs, ... }:
+let
+  frigateHostname = "frigate.s0";
+  frigatePort = 61617;
+in
 {
   networking.firewall.allowedTCPPorts = [
     # 1883 # mqtt
     55834 # mqtt zigbee frontend
+    frigatePort
+    4180 # oauth proxy
   ];
 
   services.frigate = {
     enable = true;
-    hostname = "frigate.s0";
+    hostname = frigateHostname;
     settings = {
       mqtt = {
         enabled = true;
@@ -73,6 +79,11 @@
   # Coral PCIe driver
   kernel.enableGasketKernelModule = true;
 
+  # Allow accessing frigate UI on a specific port in addition to by hostname
+  services.nginx.virtualHosts.${frigateHostname} = {
+    listen = [{ addr = "0.0.0.0"; port = frigatePort; } { addr = "0.0.0.0"; port = 80; }];
+  };
+
   services.esphome = {
     enable = true;
     address = "0.0.0.0";
@@ -133,4 +144,42 @@ default_config = { };
       };
     };
   };
+
+  services.oauth2_proxy =
+    let
+      nextcloudServer = "https://neet.cloud/";
+    in
+    {
+      enable = true;
+
+      httpAddress = "http://0.0.0.0:4180";
+
+      nginx.virtualHosts = [
+        frigateHostname
+      ];
+
+      email.domains = [ "*" ];
+
+      cookie.secure = false;
+
+      provider = "nextcloud";
+
+      # redirectURL = "http://s0:4180/oauth2/callback"; # todo forward with nginx?
+      clientID = "4FfhEB2DNzUh6wWhXTjqQQKu3Ibm6TeYpS8TqcHe55PJC1DorE7vBZBELMKDjJ0X";
+      keyFile = "/run/agenix/oauth2-proxy-env";
+
+      loginURL = "${nextcloudServer}/index.php/apps/oauth2/authorize";
+      redeemURL = "${nextcloudServer}/index.php/apps/oauth2/api/v1/token";
+      validateURL = "${nextcloudServer}/ocs/v2.php/cloud/user?format=json";
+
+      # todo --cookie-refresh
+
+      extraConfig = {
+        # cookie-csrf-per-request = true;
+        # cookie-csrf-expire = "5m";
+        # user-id-claim = "preferred_username";
+      };
+    };
+
+  age.secrets.oauth2-proxy-env.file = ../../../secrets/oauth2-proxy-env.age;
 }
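Review bot: Adding `4180 # oauth proxy` to `allowedTCPPorts` exposes the oauth2-proxy listener on every interface, yet the proxy is attached to nginx through `nginx.virtualHosts = [ frigateHostname ]` in the last hunk, so nginx on the same host is the only client that needs to reach it. The commented-out `redirectURL = "http://s0:4180/oauth2/callback"` suggests the port was opened for the OAuth callback; as far as I recall the NixOS module already adds a `/oauth2/` location on that vhost, so the callback can be served as `http://frigate.s0/oauth2/callback` without opening 4180. I would drop `4180` from this list and bind the proxy with `httpAddress = "http://127.0.0.1:4180";` so its unauthenticated endpoints are not reachable directly from the network. The attribute set this list sits in continues past the hunk.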
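Review bot: The new `listen` entries bind the frigate vhost on `0.0.0.0` for ports 61617 and 80 with no `ssl = true`, so the Frigate UI and the oauth2-proxy session cookie (the last hunk sets `cookie.secure = false`, which is what lets the cookie be sent over plain HTTP at all) travel in cleartext to anything that can reach the host. If this is deliberately LAN-only, the comment should say so, e.g. `# Plain HTTP on both ports (no TLS); LAN-only, and oauth2-proxy cookie.secure is off for the same reason`; otherwise terminate TLS on the vhost (`ssl = true` listen entries plus a certificate) and turn `cookie.secure` back on. A request to `http://s0:61617` also arrives with a Host header other than `frigate.s0` and is routed here only because nothing else listens on 61617, which is worth a word in the comment since the vhost is otherwise selected by name. The enclosing attribute set starts and ends outside the hunk.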
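Review bot: `nextcloudServer = "https://neet.cloud/"` ends in a slash and each endpoint string adds another, so `loginURL`, `redeemURL` and `validateURL` expand to `https://neet.cloud//index.php/...` and `https://neet.cloud//ocs/...`; Nextcloud's router may tolerate the double slash, but `nextcloudServer = "https://neet.cloud";` avoids depending on that. `email.domains = [ "*" ]` admits every account on that Nextcloud instance, which is fine only if every user there should see the cameras. The `# todo --cookie-refresh` matters more than it looks: without a refresh interval oauth2-proxy, by default, never re-validates the session against Nextcloud until the cookie expires, so a user removed from Nextcloud keeps access for the remaining cookie lifetime. The hard-coded `clientID` is not a secret and is fine in the repo as long as the client secret and cookie secret stay in `keyFile`.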
diff --git a/secrets/oauth2-proxy-env.age b/secrets/oauth2-proxy-env.age
index 86725cc..bb975be 100644
Binary files a/secrets/oauth2-proxy-env.age and b/secrets/oauth2-proxy-env.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 635068c..700652c 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -32,6 +32,7 @@ with roles;
   # cloud
   "nextcloud-pw.age".publicKeys = nextcloud;
   "smb-secrets.age".publicKeys = personal ++ media-center;
+  "oauth2-proxy-env.age".publicKeys = server;
 
   # services
   "searx.age".publicKeys = nobody;
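Review bot: `"oauth2-proxy-env.age".publicKeys = server;` encrypts the oauth2-proxy client and cookie secrets to every key in the `server` role, while the only consumer in this change is the s0 host (`age.secrets.oauth2-proxy-env` in home-automation.nix). The neighbouring entries scope their secrets to narrower roles (`nextcloud`, `personal ++ media-center`), so if `server` covers more than s0, a role or key list for just that host would keep the same least-privilege pattern. I cannot see how `roles` is defined, so `server` may already be the narrowest option; if so, a short comment saying the secret is s0-only would make that clear.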