diff --git a/flux/olympus/apps/services/grist/external-secret.yaml b/flux/olympus/apps/services/grist/external-secret.yaml
new file mode 100644
index 0000000..21a84e7
--- /dev/null
+++ b/flux/olympus/apps/services/grist/external-secret.yaml
@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: grist
+  namespace: services
+spec:
+  refreshInterval: "5m"
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: grist
+  data:
+    - secretKey: GRIST_SESSION_SECRET
+      remoteRef:
+        key: services/grist
+        property: grist_session_secret
diff --git a/flux/olympus/apps/services/grist/grist.yaml b/flux/olympus/apps/services/grist/grist.yaml
new file mode 100644
index 0000000..b2ce844
--- /dev/null
+++ b/flux/olympus/apps/services/grist/grist.yaml
@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: grist
+  namespace: services
+  labels:
+    app: grist
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: grist
+  template:
+    metadata:
+      labels:
+        app: grist
+    spec:
+      volumes:
+        - name: persist
+          persistentVolumeClaim:
+            claimName: grist
+      containers:
+        - name: grist-core
+          image: gristlabs/grist:1.1.7
+          volumeMounts:
+            - name: persist
+              mountPath: /persist
+          env:
+            - name: APP_HOME_URL
+              value: "https://grist.0x76.dev"
+            - name: GRIST_SINGLE_ORG
+              value: ""
+            - name: GRIST_SUPPORT_ANON
+              value: false
+            - name: PYTHON_VERSION
+              value: 3
+            - name: PYTHON_VERSION_ON_CREATION
+              value: 3
+            - name: GRIST_FORWARD_AUTH_HEADER
+              value: X-Forwarded-User
+            - name: GRIST_FORWARD_AUTH_LOGOUT_PATH
+              value: /_oauth/logout
+          envFrom:
+            - secretRef:
+                name: grist
+          ports:
+            - containerPort: 8484
diff --git a/flux/olympus/apps/services/grist/ingress.yaml b/flux/olympus/apps/services/grist/ingress.yaml
new file mode 100644
index 0000000..c648f4e
--- /dev/null
+++ b/flux/olympus/apps/services/grist/ingress.yaml
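Review bot: In grist.yaml the entries `value: false` (GRIST_SUPPORT_ANON) and the two `value: 3` (PYTHON_VERSION, PYTHON_VERSION_ON_CREATION) are unquoted, so YAML types them as a bool and ints while `EnvVar.value` is a string field; the API server rejects the whole Deployment on decode, so nothing in this file gets applied. Quote them as `value: "false"` and `value: "3"`. Separately, `GRIST_FORWARD_AUTH_HEADER: X-Forwarded-User` tells Grist to take the caller's identity from that header; that is only safe when every path to the pod passes through oauth2-proxy and the ingress controller overwrites any client-supplied `X-Forwarded-User`, which nothing in this commit shows, so the grist Ingress needs the controller-specific forward-auth wiring before this Deployment is exposed.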
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: grist
+  namespace: services
+spec:
+  selector:
+    app: grist
+  ports:
+    - protocol: TCP
+      port: 8484
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: grist
+  namespace: services
+spec:
+  rules:
+    - host: "grist.0x76.dev"
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: grist
+                port:
+                  number: 8484
diff --git a/flux/olympus/apps/services/grist/kustomization.yaml b/flux/olympus/apps/services/grist/kustomization.yaml
new file mode 100644
index 0000000..2bb88f3
--- /dev/null
+++ b/flux/olympus/apps/services/grist/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - external-secret.yaml
+  - pvc.yaml
+  - grist.yaml
+  - ingress.yaml
diff --git a/flux/olympus/apps/services/grist/pvc.yaml b/flux/olympus/apps/services/grist/pvc.yaml
new file mode 100644
index 0000000..eefaa64
--- /dev/null
+++ b/flux/olympus/apps/services/grist/pvc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: grist
+  namespace: services
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: local-path
+  resources:
+    requests:
+      storage: 2Gi
diff --git a/flux/olympus/apps/services/kustomization.yaml b/flux/olympus/apps/services/kustomization.yaml
index 4ddab70..c3536ca 100644
--- a/flux/olympus/apps/services/kustomization.yaml
+++ b/flux/olympus/apps/services/kustomization.yaml
@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - renovate
+  - oauth2-proxy
diff --git a/flux/olympus/apps/services/oauth2-proxy/external-secret.yaml b/flux/olympus/apps/services/oauth2-proxy/external-secret.yaml
new file mode 100644
index 0000000..c127b72
--- /dev/null
+++ b/flux/olympus/apps/services/oauth2-proxy/external-secret.yaml
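Review bot: The grist Ingress routes `grist.0x76.dev` directly to the grist Service with no auth annotation, while grist.yaml in this same commit sets `GRIST_FORWARD_AUTH_HEADER=X-Forwarded-User`; with that combination Grist accepts whatever identity arrives in the header, so the header must be set only by oauth2-proxy and never passed through from the client. Add the ingress controller's forward-auth annotation pointing at the `oauth2-proxy` Service in `services` (the exact annotation depends on the controller, which this diff does not show) and confirm the controller strips or overwrites a client-supplied `X-Forwarded-User`. There is also no `tls:` stanza; TLS presumably terminates elsewhere since `APP_HOME_URL` is https, but that is worth confirming because the session cookie Grist issues is only as protected as the transport in front of it.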
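Review bot: Only `oauth2-proxy` is added to the services resources list; the new `grist` directory, which ships its own kustomization.yaml, is not referenced here, so as far as this diff shows Flux will reconcile oauth2-proxy but never apply any of the grist manifests. Add `  - grist` next to `  - oauth2-proxy`, unless the grist directory is included from another Kustomization outside this diff.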
@@ -0,0 +1,25 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: oauth2-proxy
+  namespace: services
+spec:
+  refreshInterval: "5m"
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: oauth2-proxy
+  data:
+    - secretKey: OAUTH2_PROXY_CLIENT_ID
+      remoteRef:
+        key: services/oauth2-proxy
+        property: client_id
+    - secretKey: OAUTH2_PROXY_CLIENT_SECRET
+      remoteRef:
+        key: services/oauth2-proxy
+        property: client_secret
+    - secretKey: OAUTH2_PROXY_COOKIE_SECRET
+      remoteRef:
+        key: services/oauth2-proxy
+        property: cookie_secret
diff --git a/flux/olympus/apps/services/oauth2-proxy/kustomization.yaml b/flux/olympus/apps/services/oauth2-proxy/kustomization.yaml
new file mode 100644
index 0000000..fb4e8cd
--- /dev/null
+++ b/flux/olympus/apps/services/oauth2-proxy/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - external-secret.yaml
+  - oauth2-proxy.yaml
diff --git a/flux/olympus/apps/services/oauth2-proxy/oauth2-proxy.yaml b/flux/olympus/apps/services/oauth2-proxy/oauth2-proxy.yaml
new file mode 100644
index 0000000..1cc4de8
--- /dev/null
+++ b/flux/olympus/apps/services/oauth2-proxy/oauth2-proxy.yaml
@@ -0,0 +1,67 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    k8s-app: oauth2-proxy
+  name: oauth2-proxy
+  namespace: services
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      k8s-app: oauth2-proxy
+  template:
+    metadata:
+      labels:
+        k8s-app: oauth2-proxy
+    spec:
+      containers:
+        - args:
+            - --provider=oidc
+            - --provider-display2-name="Dex"
+            - --oidc-issuer-url=https://dex.0x76.dev/dex
+            - --redirect-url=https://o2p.0x76.dev/oauth2/callback
+            - --cookie-secure=false
+            - --http-address=0.0.0.0:4180
+          image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.1
+          envFrom:
+            - secretRef:
+                name: oauth2-proxy
+          name: oauth2-proxy
+          ports:
+            - containerPort: 4180
+              protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    k8s-app: oauth2-proxy
+  name: oauth2-proxy
+  namespace: services
+spec:
+  ports:
+    - name: http
+      port: 4180
+      protocol: TCP
+      targetPort: 4180
+  selector:
+    k8s-app: oauth2-proxy
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: oauth2-proxy
+  namespace: services
+spec:
+  rules:
+    - host: "o2p.0x76.dev"
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: oauth2-proxy
+                port:
+                  number: 4180
diff --git a/nixos/hosts/olympus/dex/configuration.nix b/nixos/hosts/olympus/dex/configuration.nix
index af043f4..40ee5ac 100644
--- a/nixos/hosts/olympus/dex/configuration.nix
+++ b/nixos/hosts/olympus/dex/configuration.nix
@@ -90,6 +90,12 @@ in
         redirectURIs = [ "https://flux.0x76.dev/oauth2/callback" ];
         secretEnv = "FLUX_CLIENT_SECRET";
       }
+      {
+        id = "oauth2-proxy";
+        name = "OAuth2 Proxy";
+        redirectURIs = [ "https://o2p.0x76.dev/oauth2/callback" ];
+        secretEnv = "O2P_CLIENT_SECRET";
+      }
     ];
   };
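Review bot: `--provider-display2-name="Dex"` in the container args is not a flag oauth2-proxy recognises (the flag is `--provider-display-name`), and because these are exec args with no shell the quotes would be kept as part of the value; an unknown flag makes the process exit at startup, so it should read `- --provider-display-name=Dex`. `--cookie-secure=false` drops the Secure attribute from the session cookie even though the Ingress publishes `o2p.0x76.dev` over https, which lets the cookie be sent over plain HTTP; remove the flag or set `--cookie-secure=true`. No `--email-domain` (or other email-validation option) is given either, and as far as I recall oauth2-proxy v7 refuses to start without one, so an explicit `- --email-domain=<allowed domain>` is needed; prefer a concrete domain over the `*` wildcard so the proxy, not just Dex, bounds who is let through.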
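Review bot: The new static client takes its secret from the `O2P_CLIENT_SECRET` environment variable, but nothing in this diff shows that variable being provided to the dex service (the existing `FLUX_CLIENT_SECRET` is presumably wired up outside the hunk), so the client would presumably end up with an unset secret until that is added. The same value must also be the `client_secret` property under `services/oauth2-proxy` in Vault, and `client_id` there must equal `id = "oauth2-proxy"`, because the proxy Deployment in this commit reads both from that path; a comment on the entry such as `# secret must match vault services/oauth2-proxy client_secret` would make the coupling visible. The enclosing `staticClients` attribute set begins before the hunk.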