diff --git a/nixos/modules/services/security/oauth2_proxy_nginx.nix b/nixos/modules/services/security/oauth2_proxy_nginx.nix
index 87ea61276837..1b86656c7d4c 100644
--- a/nixos/modules/services/security/oauth2_proxy_nginx.nix
+++ b/nixos/modules/services/security/oauth2_proxy_nginx.nix
@@ -25,10 +25,41 @@ in
     };
 
     virtualHosts = mkOption {
-      type = types.listOf types.str;
-      default = [];
+      type = let
+        vhostSubmodule = types.submodule {
+          options = {
+            allowed_groups = mkOption {
+              type = types.nullOr (types.listOf types.str);
+              description = "List of groups to allow access to this vhost, or null to allow all.";
+              default = null;
+            };
+            allowed_emails = mkOption {
+              type = types.nullOr (types.listOf types.str);
+              description = "List of emails to allow access to this vhost, or null to allow all.";
+              default = null;
+            };
+            allowed_email_domains = mkOption {
+              type = types.nullOr (types.listOf types.str);
+              description = "List of email domains to allow access to this vhost, or null to allow all.";
+              default = null;
+            };
+          };
+        };
+        oldType = types.listOf types.str;
+        convertFunc = x:
+          lib.warn "services.oauth2_proxy.nginx.virtualHosts should be an attrset, found ${lib.generators.toPretty {} x}"
+          lib.genAttrs x (_: {});
+        newType = types.attrsOf vhostSubmodule;
+      in types.coercedTo oldType convertFunc newType;
+      default = {};
+      example = {
+        "protected.foo.com" = {
+          allowed_groups = ["admins"];
+          allowed_emails = ["boss@foo.com"];
+        };
+      };
       description = ''
-        A list of nginx virtual hosts to put behind the oauth2 proxy.
+        Nginx virtual hosts to put behind the oauth2 proxy.
         You can exclude specific locations by setting `auth_request off;` in the locations extraConfig setting.
       '';
     };
@@ -50,11 +81,20 @@ in
     }
   ] ++ optional (cfg.virtualHosts != []) {
     recommendedProxySettings = true; # needed because duplicate headers
-  } ++ (map (vhost: {
+  } ++ (lib.mapAttrsToList (vhost: conf: {
     virtualHosts.${vhost} = {
       locations = {
-        "/oauth2/auth" = {
-          proxyPass = cfg.proxy;
+        "/oauth2/auth" = let
+          maybeQueryArg = name: value:
+            if value == null then null
+            else "${name}=${lib.concatStringsSep "," value}";
+          allArgs = lib.mapAttrsToList maybeQueryArg conf;
+          cleanArgs = builtins.map lib.escapeURL (builtins.filter (x: x != null) allArgs);
+          cleanArgsStr = lib.concatStringsSep "&" cleanArgs;
+        in {
+          # nginx doesn't support passing query string arguments to auth_request,
+          # so pass them here instead
+          proxyPass = "${cfg.proxy}/oauth2/auth?${cleanArgsStr}";
           extraConfig = ''
             auth_request off;
             proxy_set_header X-Scheme         $scheme;