diff --git a/hosts/plover/default.nix b/hosts/plover/default.nix index 4f1b6bd3..25d6ea28 100644 --- a/hosts/plover/default.nix +++ b/hosts/plover/default.nix @@ -28,6 +28,10 @@ in # The reverse proxy of choice. ./modules/services/nginx.nix + # The single-sign on setup. + ./modules/services/kanidm.nix + ./modules/services/vouch-proxy.nix + # The monitoring stack. ./modules/services/grafana.nix @@ -39,7 +43,6 @@ in # configuring it here will make it too big. ./modules/services/atuin.nix ./modules/services/gitea.nix - ./modules/services/kanidm.nix ./modules/services/vaultwarden.nix ./modules/services/wireguard.nix ./modules/services/wezterm-mux-server.nix diff --git a/hosts/plover/modules/services/vouch-proxy.nix b/hosts/plover/modules/services/vouch-proxy.nix new file mode 100644 index 00000000..fe21a4ba --- /dev/null +++ b/hosts/plover/modules/services/vouch-proxy.nix 
@@ -0,0 +1,51 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (config.services.vouch-proxy) settings;
+ vouchDomain = "vouch.${config.networking.domain}";
+ authDomain = config.services.kanidm.serverSettings.domain;
+in
+{
+ sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {
+ "vouch-proxy/jwt/secret" = { };
+ "vouch-proxy/client/secret" = { };
+ };
+
+ services.vouch-proxy = {
+ enable = true;
+ settings = {
+ vouch = {
+ listen = "127.0.0.1";
+ port = 19900;
+
+ domains = [ "foodogsquared.one" ];
+ jwt.secret._secret = config.sops.secrets."vouch-proxy/jwt/secret".path;
+ };
+
+ oauth = rec {
+ provider = "oidc";
+ client_id = "kanidm";
+ client_secret._secret = config.sops.secrets."vouch-proxy/client/secret".path;
+ auth_url = "${authDomain}/ui/oauth2";
+ token_url = "${authDomain}/oauth2/token";
+ user_info_url = "${authDomain}/oauth2/openid/${client_id}/userinfo";
+ scopes = [ "login" ];
+ callback_url = "https://${vouchDomain}/auth";
+ };
+ };
+ };
+
+ services.nginx.virtualHosts."${vouchDomain}" = {
+ forceSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+ kTLS = true;
+ locations."/" = {
+ proxyPass = "http://${settings.vouch.listen}:${builtins.toString settings.vouch.port}";
+ extraConfig = ''
+ proxy_set_header Host ${vouchDomain};
+ proxy_set_header X-Forwarded-Proto https;
+ '';
+ };
+ };
+}
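Review bot: `vouch.domains` is hard-coded to `"foodogsquared.one"` while `vouchDomain` and `callback_url` are derived from `config.networking.domain`; since vouch-proxy uses `domains` both as the cookie domain and as the allow-list for post-login redirect targets, the two diverging means either the session cookie never matches `vouch.${config.networking.domain}` (login loop) or a redirect target on the real domain is refused. Tie them together with `domains = [ config.networking.domain ];` so the allow-list follows the host configuration. Two things cannot be confirmed from this file alone: the `https://${vouchDomain}/auth` callback must be registered as an allowed redirect origin on the `kanidm` OAuth2 client in kanidm.nix, and `scopes = [ "login" ]` presumably needs to match what that client's scope map grants — if the userinfo endpoint expects an `openid`-scoped token, this will fail at login time rather than at build time, so it is worth a comment above `scopes` noting where the matching kanidm-side scope map lives. The nginx location also forwards no `X-Forwarded-For`/`X-Real-IP`, so vouch-proxy's logs will record `127.0.0.1` for every client, which weakens any later audit of login attempts.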