diff --git a/owntracks/frontend/deployment.yaml b/owntracks/frontend/deployment.yaml
index 1c3f5de..649603a 100644
--- a/owntracks/frontend/deployment.yaml
+++ b/owntracks/frontend/deployment.yaml
@@ -17,17 +17,46 @@ spec:
 app: frontend
 spec:
 containers:
- - env:
+ - name: oauth2-proxy
+ image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ name: http
+ env:
+ - name: OAUTH2_PROXY_HTTP_ADDRESS
+ value: :8080
+ - name: OAUTH2_PROXY_REVERSE_PROXY
+ value: "true"
+ - name: OAUTH2_PROXY_EMAIL_DOMAINS
+ value: tobru.ch
+ - name: OAUTH2_PROXY_PROVIDER
+ value: github
+ - name: OAUTH2_PROXY_REDIRECT_URL
+ value: https://whereis.tobru.ch/oauth2/callback
+ - name: OAUTH2_PROXY_PROVIDER_DISPLAY_NAME
+ value: tbrnt Gitea
+ - name: OAUTH2_PROXY_LOGIN_URL
+ value: https://git.tbrnt.ch/login/oauth/authorize
+ - name: OAUTH2_PROXY_REDEEM_URL
+ value: https://git.tbrnt.ch/login/oauth/access_token
+ - name: OAUTH2_PROXY_VALIDATE_URL
+ value: https://git.tbrnt.ch/api/v1
+ envFrom:
+ - secretRef:
+ name: oauth2-proxy
+ args:
+ - --upstream
+ - http://127.0.0.1
+ - name: frontend
+ env:
 - name: SERVER_HOST
 value: owntracks
 - name: SERVER_PORT
 value: "8083"
 image: docker.io/owntracks/frontend:v2.3.1
 imagePullPolicy: IfNotPresent
- name: frontend
- ports:
- - containerPort: 80
- protocol: TCP
 volumeMounts:
 - mountPath: /usr/share/nginx/html/config
 name: config
diff --git a/owntracks/frontend/service.yaml b/owntracks/frontend/service.yaml
index 522e98f..afb193a 100644
--- a/owntracks/frontend/service.yaml
+++ b/owntracks/frontend/service.yaml
@@ -9,7 +9,7 @@ spec:
 ports:
 - port: 80
 protocol: TCP
- targetPort: 80
+ targetPort: 8080
 selector:
 app: frontend
 type: ClusterIP
diff --git a/owntracks/oauth2-secret.yaml b/owntracks/oauth2-secret.yaml
new file mode 100644
index 0000000..705a355
--- /dev/null
+++ b/owntracks/oauth2-secret.yaml
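Review bot: Removing the `ports:` entry from the `frontend` container does not close port 80, so the new login wall can be bypassed from inside the cluster. `containerPort` is informational only and both containers share the pod's network namespace; if the frontend's nginx still listens on all interfaces (its config is not visible here, but the old `containerPort: 80` and `--upstream http://127.0.0.1` suggest port 80), anything that can route to the pod IP reaches the map without passing oauth2-proxy. Add a NetworkPolicy selecting `app: frontend` that admits ingress only on TCP 8080 (this needs a CNI that enforces policies), or have nginx bind to 127.0.0.1, and confirm that port 80 on the pod IP is refused from another pod. Separately, `OAUTH2_PROXY_EMAIL_DOMAINS` admits any identity-provider account whose address is in `tobru.ch`; for location data an explicit allow-list of addresses (oauth2-proxy's authenticated-emails file) would be tighter. The container list starts before the hunk and continues after it.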
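Review bot: `targetPort: 8080` should reference the proxy's named port instead, `targetPort: http`, because this Service is what routes clients through the authenticating sidecar. The deployment change in this commit already names that port `http` on the oauth2-proxy container, so the Service would keep following the proxy listener if the number changes and could not drift back to the unauthenticated nginx port by a numeric edit.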
@@ -0,0 +1,18 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: oauth2-proxy
+ namespace: owntracks
+spec:
+ encryptedData:
+ OAUTH2_PROXY_CLIENT_ID: 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
+ OAUTH2_PROXY_CLIENT_SECRET: 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
+ OAUTH2_PROXY_COOKIE_SECRET: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: oauth2-proxy
+ namespace: owntracks
+status: {}
+