diff --git a/ansible/roles/headscale/files/nginx.conf b/ansible/roles/headscale/files/nginx.conf
index 9947c34..4b9ef7e 100644
--- a/ansible/roles/headscale/files/nginx.conf
+++ b/ansible/roles/headscale/files/nginx.conf
@@ -1,5 +1,7 @@
 # {{ ansible_managed }}
 
+limit_req_zone $binary_remote_addr zone=headscale:10m rate=1r/m;
+
 server {
 listen 8888 ssl proxy_protocol;
 http2 on;
@@ -14,4 +16,17 @@ server {
 location / {
 proxy_pass http://localhost:8416;
 }
+
+ location /oidc {
+ # 3 should be enough for the redirect, callback plus 1 error
+ limit_req zone=headscale burst=3 nodelay;
+ limit_req_status 429;
+
+ proxy_pass http://localhost:8416;
+ }
+
+ # Block access to the API entirely - I'm not using it
+ location /api {
+ return 403;
+ }
 }
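Review bot: The zone key `$binary_remote_addr` on the added `limit_req_zone` line may not be the client address, because the server listens with `proxy_protocol`. Unless the realip module is configured in the part of the server block not shown in this hunk (`real_ip_header proxy_protocol;` plus `set_real_ip_from PROXY_ADDRESS;`, where PROXY_ADDRESS is a placeholder for the fronting proxy), nginx sees the proxy's address and every client shares one 1r/m bucket, so one noisy client can use up the burst and return 429 to everyone on `/oidc`. Keying the zone on the PROXY-protocol address avoids that: `limit_req_zone $proxy_protocol_addr zone=headscale:10m rate=1r/m;`. Even with a correct key, users behind a shared NAT address share the bucket, so the 429 rejections in the error log are worth watching after rollout.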
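Review bot: The `return 403` in the added `location /api` block only protects requests that arrive through this server block, and nothing in the hunk shows how headscale itself is bound. If the headscale listener on port 8416 is bound to all interfaces rather than loopback, or if its separate gRPC listener is exposed, the API remains reachable without passing nginx; that configuration lives outside this file, so this is a point to confirm rather than a confirmed gap. I would record the dependency next to the rule, for example `# Only effective while headscale listens on 127.0.0.1:8416 and its gRPC port is not exposed`. The server block starts before this hunk, so any regex locations defined earlier that could take precedence over these prefix matches are not visible here.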