diff --git a/roles/oauth2_proxy/README.md b/roles/oauth2_proxy/README.md
new file mode 100644
index 0000000..16cb83d
--- /dev/null
+++ b/roles/oauth2_proxy/README.md
@@ -0,0 +1 @@
+Sets up a oauth2-proxy container
diff --git a/roles/oauth2_proxy/meta/argument_specs.yml b/roles/oauth2_proxy/meta/argument_specs.yml
new file mode 100644
index 0000000..d949c0b
--- /dev/null
+++ b/roles/oauth2_proxy/meta/argument_specs.yml
@@ -0,0 +1,17 @@
+---
+argument_specs:
+ main:
+ description: "Sets up a oauth2-proxy container"
+ options:
+ oauth2_proxy_oidc_issuer_url:
+ description: the OpenID Connect issuer URL
+ type: str
+ required: true
+ oauth2_proxy_client_id:
+ description: the OAuth client ID
+ type: str
+ required: true
+ oauth2_proxy_client_secret:
+ description: the OAuth client secret
+ type: str
+ required: true
diff --git a/roles/oauth2_proxy/tasks/main.yml b/roles/oauth2_proxy/tasks/main.yml
new file mode 100644
index 0000000..a318ff6
--- /dev/null
+++ b/roles/oauth2_proxy/tasks/main.yml
@@ -0,0 +1,24 @@
+---
+- name: OAuth2 Proxy
+ ansible.builtin.import_role:
+ name: service
+ vars:
+ service_name: oauth2-proxy
+ service_container_image: "quay.io/oauth2-proxy/oauth2-proxy:latest-alpine"
+ service_container_http_port: 4180
+ service_container_command:
+ - --config
+ - /oauth2-proxy.cfg
+ - --client-secret-file
+ - /run/secrets/client_secret
+ service_container_mounts:
+ - type: template
+ source: oauth2-proxy.cfg.j2
+ destination: /oauth2-proxy.cfg
+ service_container_secrets:
+ - name: cookie_secret
+ length: 32
+ type: env
+ target: OAUTH2_PROXY_COOKIE_SECRET
+ - name: client_secret
+ value: "{{ oauth2_proxy_client_secret }}"
diff --git a/roles/oauth2_proxy/templates/oauth2-proxy.cfg.j2 b/roles/oauth2_proxy/templates/oauth2-proxy.cfg.j2
new file mode 100644
index 0000000..2702021
--- /dev/null
+++ b/roles/oauth2_proxy/templates/oauth2-proxy.cfg.j2
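Review bot: In the argument_specs hunk, `oauth2_proxy_client_secret` is declared as a plain `type: str` with no `no_log: true`, so argument validation failures and any debug output of role vars can print the OAuth client secret in clear text. Role argument specs accept `no_log` per option; add `no_log: true` under `oauth2_proxy_client_secret`. The issuer URL and client ID are not sensitive and need no such marking.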
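Review bot: In the tasks/main.yml hunk, `service_container_image` uses the mutable tag `latest-alpine`, so each deployment pulls whatever upstream last published and a breaking or compromised release is picked up silently; pin a release tag, ideally with a digest, e.g. `service_container_image: "quay.io/oauth2-proxy/oauth2-proxy:<version>-alpine@sha256:<digest>"` (placeholders). The `client_secret` entry passes the secret through `value:`; whether the `service` role applies `no_log` on the tasks that write secrets cannot be seen here and is worth confirming. The `cookie_secret` length of 32 matches one of the sizes oauth2-proxy accepts, assuming the `service` role generates a value of exactly that many bytes — confirm in the generator.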
@@ -0,0 +1,11 @@
+# OAuth2 Proxy Configuration
+http_address = "0.0.0.0:4180"
+
+# OIDC Provider Configuration
+provider = "oidc"
+oidc_issuer_url = "{{ oauth2_proxy_oidc_issuer_url }}"
+client_id = "{{ oauth2_proxy_client_id }}"
+code_challenge_method = "S256"
+skip_provider_button = "true"
+
+email_domains = "*"
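Review bot: `email_domains = "*"` on the last line authorizes every account the OIDC issuer will authenticate, so the proxy enforces no allow-list of its own and access is only as narrow as the identity provider's own client assignment; if the provider is not restricted to this application, restrict here via `email_domains` or `allowed_groups`, or add a comment such as `# authorization is delegated to the IdP; every authenticated account is accepted` so the decision is explicit. Separately, `skip_provider_button = "true"` writes a TOML string where a boolean is expected — prefer `skip_provider_button = true` unless the config loader is known to coerce the string. Enabling PKCE with `code_challenge_method = "S256"` is a good default.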