diff --git a/nss_pam_oidc/config.py b/nss_pam_oidc/config.py
new file mode 100644
index 0000000000000000000000000000000000000000..690c411c3b3902caf5842ac7e63f7ad658db8a49
--- /dev/null
+++ b/nss_pam_oidc/config.py
@@ -0,0 +1,44 @@
+# Copyright 2021 Dominik George <nik@naturalnet.de>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+
+import toml
+
+DEFAULT_CONFIG_FILE = "/etc/nss_pam_oidc.toml"
+DEFAULT_CONFIG = {
+    "pam": {},
+    "nss": {},
+}
+
+
+def get_config(section: str, **kwargs):
+    """Get configuration for a section, layered from defaults, config file, and args."""
+    config = {}
+
+    # First, copy default configuration
+    for name, conf in DEFAULT_CONFIG.items():
+        config[name] = conf.copy()
+
+    # Second, load configuration from file
+    config_file = kwargs.pop("config", DEFAULT_CONFIG_FILE)
+    if os.path.exists(config_file):
+        config_toml = toml.load(config_file)
+        for name, conf in config.items():
+            conf.update(config_toml.get(name, {}))
+
+    # Lastly, override with passed arguments
+    config[section].update(kwargs)
+
+    return config
diff --git a/pyproject.toml b/pyproject.toml
index 2e0ae0c96186235e4129d36b0fcf5043e6460268..80cab81169803b8faccdae651de29cf927fefcd7 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -13,6 +13,7 @@ classifiers = [
 
 [tool.poetry.dependencies]
 python = "^3.9"
+toml = "^0.10.2"
 
 [tool.poetry.dev-dependencies]