diff --git a/common/secrets/secrets/oauth2_proxy_cookie_secret.age b/common/secrets/secrets/oauth2_proxy_cookie_secret.age
new file mode 100644
index 0000000..e510df6
--- /dev/null
+++ b/common/secrets/secrets/oauth2_proxy_cookie_secret.age
@@ -0,0 +1,15 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USBDdER5
+WmpUMmlPLzVpaXYvcllYN04yayt4SmNRZjVpSzE0N3ZUeHFHTEJvClNQYjB4Y1hh
+UVNpUjdrSkpoZU9za3M4bkNpNVVBTzN3WktJQ0dEV1JiNUEKLT4gc3NoLWVkMjU1
+MTkgcGVGQlFnIEwvNGJTaDdSTTlnSjZ3Y0tjdFJkNmFpQVZUL0ZVUkczOE9sNnhz
+YmJjbnMKWjdCRHhiQ2NZMENlQlBhV1NTL1hnay90OU95WDZaVUg0RlRZUFRucE94
+awotPiBzc2gtZWQyNTUxOSA5di8ySEEgOGJ3TlUyTm54dS9MNjNVakJaTWFweEtK
+SkUvQXdpZmU3dHFzSDBqNHZrbwpmK2VIaDRmY3lFNVJUY0NiMTNIK2k4UUk0eFVH
+a3JTZHFTZ0g0U0NISzVzCi0+IENtfC1ncmVhc2UgWFMgM1clUiUgMAo1TlJLUFND
+WkVtKzJQMDJqQS90Nk1rMHZBS2FiTHVxQy9CWFZ3R1gzMEMvZUZRckFJZE56enBP
+WGlGOS92bTNLCjVuM2dmdHd2WU1weWtQWEgvemhNSCtocmw2MTVoeG1ORUZQcU1F
+czZ4QkhHcWlNUE9qL0d5dkUKLS0tIGVPNU81WkNRVXFkSmFWc3dDWnVnZHA0MUV4
+U1FBQzRIM1NyVHFzend0SEkK0A/M77A5p2fcxe6rAm7RUCkXfrQU9ZRI3/psue2z
+6Cd1B5LW8gsCKgsKKBFD7O0mPQXF5Rs8s2ShqtjKBlVva6NqRy5S7VKbY2Gv8lc=
+-----END AGE ENCRYPTED FILE-----
diff --git a/common/secrets/secrets/secrets.nix b/common/secrets/secrets/secrets.nix
index 502d58c..58f6c6f 100644
--- a/common/secrets/secrets/secrets.nix
+++ b/common/secrets/secrets/secrets.nix
@@ -129,6 +129,9 @@ in
   "oauth2_proxy_zitadel_client_secret.age" = {
     publicKeys = authorityKey ++ h001;
   };
+  "oauth2_proxy_cookie_secret.age" = {
+    publicKeys = authorityKey ++ h001;
+  };
   "openwebui_env.age" = {
     publicKeys = authorityKey ++ h001;
   };
diff --git a/hosts/h001/mods/oauth2-proxy.nix b/hosts/h001/mods/oauth2-proxy.nix
index 3e6fc29..9a5001c 100644
--- a/hosts/h001/mods/oauth2-proxy.nix
+++ b/hosts/h001/mods/oauth2-proxy.nix
@@ -11,7 +11,7 @@
     oidcIssuerUrl = "https://sso.joshuabell.xyz:443";
     keyFile = config.age.secrets.oauth2_proxy_zitadel_client_secret.path;
     nginx.domain = "sso-proxy.joshuabell.xyz";
-    # email.domains = [ ];
+    email.domains = [ "*" ];
     # extraConfig = {
     #   whitelist-domain = ".joshuabell.xyz";
     #   cookie-domain = ".joshuabell.xyz";