diff --git a/SwarselSystems.org b/SwarselSystems.org
index 41a67b2..0147772 100644
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@@ -7221,6 +7221,8 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
           ScanSchedule = "@every 24h";
           MPVPath = "${pkgs.mpv}/bin/mpv";
           MPVCommandTemplate = "mpv --audio-device=%d --no-audio-display --pause %f";
+          ReverseProxyWhitelist = "0.0.0.0/0";
+          ReverseProxyUserHeader = "X-User";
           Jukebox = {
             Enabled = true;
             Default = "default";
@@ -7253,6 +7255,23 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
                 proxyPass = "http://localhost:4040";
                 proxyWebsockets = true;
                 extraConfig = ''
+                  auth_request /oauth2/auth;
+                  error_page 401 = /oauth2/sign_in;
+
+                  # pass information via X-User and X-Email headers to backend,
+                  # requires running with --set-xauthrequest flag (done by NixOS)
+                  auth_request_set $user   $upstream_http_x_auth_request_user;
+                  auth_request_set $email  $upstream_http_x_auth_request_email;
+                  proxy_set_header X-User  $user;
+                  proxy_set_header X-Email $email;
+
+                  # if you enabled --pass-access-token, this will pass the token to the backend
+                  auth_request_set $token  $upstream_http_x_auth_request_access_token;
+                  proxy_set_header X-Access-Token $token;
+
+                  # if you enabled --cookie-refresh, this is needed for it to work with auth_request
+                  auth_request_set $auth_cookie $upstream_http_set_cookie;
+                  add_header Set-Cookie $auth_cookie;
                   proxy_redirect          http:// https://;
                   proxy_read_timeout      600s;
                   proxy_send_timeout      600s;
@@ -7261,6 +7280,52 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
                   client_max_body_size    0;
                 '';
               };
+              "/oauth2/" = {
+                proxyPass = "http://oauth2-proxy";
+                extraConfig = ''
+                  proxy_set_header X-Scheme                $scheme;
+                  proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+                '';
+              };
+              "= /oauth2/auth" = {
+                proxyPass = "http://oauth2-proxy/oauth2/auth";
+                extraConfig = ''
+                  internal;
+
+                  proxy_set_header X-Scheme         $scheme;
+                  # nginx auth_request includes headers but not body
+                  proxy_set_header Content-Length   "";
+                  proxy_pass_request_body           off;
+                '';
+              };
+              "/share" = {
+                proxyPass = "http://localhost:4040";
+                proxyWebsockets = true;
+                extraConfig = ''
+                  proxy_redirect          http:// https://;
+                  proxy_read_timeout      600s;
+                  proxy_send_timeout      600s;
+                  proxy_buffering         off;
+                  proxy_request_buffering off;
+                  client_max_body_size    0;
+                  proxy_set_header X-User  "";
+                  proxy_set_header X-Email "";
+                '';
+              };
+              "/rest" = {
+                proxyPass = "http://localhost:4040";
+                proxyWebsockets = true;
+                extraConfig = ''
+                  proxy_redirect          http:// https://;
+                  proxy_read_timeout      600s;
+                  proxy_send_timeout      600s;
+                  proxy_buffering         off;
+                  proxy_request_buffering off;
+                  client_max_body_size    0;
+                  proxy_set_header X-User  "";
+                  proxy_set_header X-Email "";
+                '';
+              };
             };
           };
         };
@@ -8601,6 +8666,8 @@ It serves both a Greader API at https://signpost.swarsel.win/api/greader.php, as
 
 I am using this with CapyReader on my phone, set it up as a FreshRSS account with Server URL =https://signpost.swarsel.win/api/greader.php
 
+FreshRSS claims to support HTTP header auth, but at least it does not work with my oauth2-proxy setup. Until this is fixed, I resorted to the "form" login, since I mostly do not use the web version anyways.
+
 #+begin_src nix :tangle modules/nixos/server/freshrss.nix
   { lib, config, ... }:
   {
@@ -9009,24 +9076,9 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
               "freshrss.access" = { };
               "firefly.access" = { };
             };
-            persons = {
-              swarsel = {
-                present = true;
-                mailAddresses = [ "leon@swarsel.win" ];
-                legalName = "Leon Schwarzäugl";
-                groups = [
-                  "immich.access"
-                  "paperless.access"
-                  "grafana.access"
-                  "forgejo.access"
-                  "nextcloud.access"
-                  "freshrss.access"
-                  "navidrome.access"
-                  "firefly.access"
-                ];
-                displayName = "Swarsel";
-              };
-            };
+
+            inherit (config.repo.secrets.local) persons;
+
             systems = {
               oauth2 = {
                 immich = {
diff --git a/hosts/nixos/winters/secrets/pii.nix.enc b/hosts/nixos/winters/secrets/pii.nix.enc
index 60a5833..898d83a 100644
--- a/hosts/nixos/winters/secrets/pii.nix.enc
+++ b/hosts/nixos/winters/secrets/pii.nix.enc
@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:fV+l+oFGo7zQFxQG+EYbLzUjkqClszi79/LpPvhJNl4IBXjSSMUo6E3vGnB/RRoAWwix9EurHDYV9jydd67uQ6Lx1Y31+0daflC/BNYsDYDNUKvDJDWvhbONs2Xg3RGDNacQ+EoHN7mCyHuaiNW7OXHBPhzs+rLlADdgtZ6CNR9bLV2HRpeR+d6uTne5ex8SJ4m3ChJe1O9Cyir4/z4eftfnKtAIezPrAxUPlm1QxnU7/z4YipWVw4HkYVzzWvi9Ewbis1j9C2TRkuOpEWU+I7zrIWiWdsWwnpKZqQv5FJEo3MZpVKcMMlNltvlJiUC+abC9K7079C+5XHhrZgJ73jAQ5fkcSspT5y6JfA+NveqYx7ZmOdS/yg90lrM4X8eE4SlqeN7gdW6nxPOzGZwMQQYeLjGdanKKQhUDQsf8iFW7egfCB+o=,iv:OO+Y91C90hLtZ0ZegEX00ukTUyBHnRqBRTff1LLX5/0=,tag:gZS0S9RrqWZlB5Nyjp6kfA==,type:str]",
+	"data": "ENC[AES256_GCM,data:lDZMNsc9MwBxrLWzgOmo+y+Th5nDOWZhnQkvPlJ79/oZ3qcu5aCL5PqkWlldyxvRvUuatrRmxVKD/6EbR/W4G/l9YQnG/dw1XAtb2VPz1RjQLC/X8h+V+F1XHv7g6afUPd7HRUq4HIgEYeRi9qwwDbL7/LUV09PAr9w55n9Ch92/rhIstGWt9te1D2igfRgQo3Vsqxy3JGV1R9NVKLkJt/snVcKN9SaQp94hlzkhOUnYtrvOjE1++TaIX5EL1ZqQ0bIabRKATxRTF8yKfQBQ0Y7d82yQyME+xit27aXhuYG42UbbCVxh1NlZuwGFUAzZa5k4K13/a1/Axiww8wYQdCPMqv+TYrYxMDVdqdn53qaFqxoy6aunucVYKfpObyDbRFugrVldfnmEKGcSSv5xrO9RRv+B3rLbq3MRsi3Jsgt3uo2SI0UkiAUq7Il6epLsEBIsxSrPGlncRNu9BjZqRq4BzqD2KvPXtz2YdLJBRBrjc6iWadIDB6ABl8xF25jb7oxK7XkWi7Oi5HWRbrWzsw4jLftNhIJYWb/V2IDxbnVPWEnZNO44Ez68pqpnrAMo4UprxTwXiAaufx2E5opQHf4PhJ5Dtei/TPyPyxpSUjUMbVpCjbXu784k+SY3Dgi7ZKA87nylz+sYvh2ezGeoQETbDoKOAf0X3oIvub10qOc+lhKHuMiHCBhmZWmnic5vLWZdqYYtsnG6fsOYTYJWkSFoFuUJpBnAFs1k4lRKFz2hVVifO2x5i1YEUMRasx02Br/3JyMLeVZ3tlZqAAVIuwaIzIseAyaDlUuHApqjCqjxnzWRWxZlMKFDVLvgXsjQ2D5eRCDiCN0qrmOQYSHreuyrLnuPzyvZuqKUCXOg4XjzwXBi+sfqf/N+C2i70iGOG30mULxnboZ3HcNtpR5NxHBIrbyiTwqb5tW19qjVtf97buAfnexnHzufQdHMtjIXDNkf7ue8E/f8J+khYVG2Om01+aiJmYpc4JnmZ/pO2HVZeFOUEMruWr0xhZ0rRasT5LiJJqk9xavwnZdzLBtRgtS56yVxEqX5AhJWYEcp8EmPGDv2xEB0gFZ0i5iiBickcxnvQ2BGTQd1lrkZN7qEcSJlOBDukG8DLV5euZrkZwynF4AUubvrOE5M0zCzc0RxNQ8qW+CVoCqygoTkXzvZtrxZHnfIGLxyFsuPE2FgK1giHo7gh0FQRzPSlqA4h3iuJtMAiV60NYiE0Rw9HzYDcfOEtbM2neKRclzSBDSVXwg=,iv:YHJfh4UqYLw9mOYBf0rgOxyuRMLHuLUh/QuKTCzZ6R4=,tag:VXMCjBEeYzGYzsHW8ATmLA==,type:str]",
 	"sops": {
 		"age": [
 			{
@@ -7,8 +7,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyK0w2RjJ5R1l2ay94QXRj\nekJwSlowcFVLc1cvWVFjNEVFUnFocEJHYlNnCnBnUEYvNWdNWE9BTjB5ODRuTlAw\nMUh4QmlTeVVYNHM0S1FwWG5qUG42VDgKLS0tIHh5VlU2dVZmUlRIMDRlVEJmNU55\ncFlXR1BzMkVnMkFWN3BBZWhHalltMlEKibdARxBcFqaXUhYp3KkrrvO9YgaBDacl\n8BEv4ph0f2baDN0dsymJjmdHStwKTjOwDspRtCTs5u75hR35a2xyFQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-06-11T12:16:31Z",
-		"mac": "ENC[AES256_GCM,data:cdN7ip4KbuZVXfbNv3lCacXj6VImR5XLQgDG8u9336MAqERKRdumjj+z9vHNozK+Q2AAAvRuqqCO23RllYlqYpiL++UUEkSe4FNPt0yRQWZFUjHwBeitW4Rlk2PKnoFLngrmBN7+1nrSaFV1aZCQWDybgvBqUv7paBVR0y5cN9E=,iv:FhZsbGT5Z4s2r+1LxSxBYrglr+KWqh+gKeXQF6gflNg=,tag:kkaPCxtx1JQuRPXkl9nA+A==,type:str]",
+		"lastmodified": "2025-06-13T01:21:29Z",
+		"mac": "ENC[AES256_GCM,data:vXi8WeZ4/dP/M13NgrKMNzDw9SIbMcIHWP+2VZWDlHQyDwGsZoMeIQ+LDefRp/5h894XiRoDgPvzY61JukJG2ytZpKHelZaAVSDwPkMmtAA4ccCLUlTmu5I1VozIPfCbeMJVEWYGlZbRoDGsiey8906R4pauInzgjRvg8pcBUqs=,iv:rGDTDiZjRVBZlea4HVJJVien6c11u34XBJWtYL0Tgeg=,tag:4uaGiBIdF3uvb3fd5jRVPg==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-06-11T11:42:23Z",
diff --git a/index.html b/index.html
index 04d32e8..2508cf2 100644
--- a/index.html
+++ b/index.html
@@ -3,7 +3,7 @@
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
 <head>
-<!-- 2025-06-13 Fr 02:34 -->
+<!-- 2025-06-13 Fr 03:31 -->
 <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1" />
 <title>SwarselSystems: NixOS + Emacs Configuration</title>
@@ -263,9 +263,9 @@
 <li><a href="#h:7056b9a0-f38b-4bca-b2ba-ab34e2d73493">3.1.4.3. Home-manager only (default non-NixOS)</a></li>
 <li><a href="#h:e1498bef-ec67-483d-bf02-76264e30be8e">3.1.4.4. ChaosTheatre (Demo Physical/VM)</a>
 <ul>
-<li><a href="#orge6ad58f">3.1.4.4.1. Main configuration</a></li>
-<li><a href="#orga3d14c3">3.1.4.4.2. NixOS dummy options configuration</a></li>
-<li><a href="#orgb9cef36">3.1.4.4.3. home-manager dummy options configuration</a></li>
+<li><a href="#org46ad702">3.1.4.4.1. Main configuration</a></li>
+<li><a href="#org8b2e1d1">3.1.4.4.2. NixOS dummy options configuration</a></li>
+<li><a href="#orgfd34f92">3.1.4.4.3. home-manager dummy options configuration</a></li>
 </ul>
 </li>
 </ul>
@@ -305,8 +305,8 @@
 <li><a href="#h:36d6c17c-6d91-4297-b76d-9d7feab6c1a0">3.2.1.27. fhs</a></li>
 <li><a href="#h:814d5e7f-4b95-412d-b246-33f888514ec6">3.2.1.28. swarsel-displaypower</a></li>
 <li><a href="#h:799579f3-ddd3-4f76-928a-a8c665980476">3.2.1.29. swarsel-mgba</a></li>
-<li><a href="#org6c977da">3.2.1.30. swarsel-deploy</a></li>
-<li><a href="#orgbf90fc3">3.2.1.31. sshrm</a></li>
+<li><a href="#org077451c">3.2.1.30. swarsel-deploy</a></li>
+<li><a href="#orgbaf42fe">3.2.1.31. sshrm</a></li>
 </ul>
 </li>
 <li><a href="#h:5e3e21e0-57af-4dad-b32f-6400af9b7aab">3.2.2. Overlays (additions, overrides, nixpkgs-stable)</a></li>
@@ -314,37 +314,37 @@
 <ul>
 <li><a href="#h:14e68518-8ec7-48ec-b208-0e3d6d49954d">3.2.3.1. NixOS</a>
 <ul>
-<li><a href="#org7ab2427">3.2.3.1.1. Personal</a></li>
-<li><a href="#orgebed78c">3.2.3.1.2. Chaostheatre</a></li>
-<li><a href="#org1615bc2">3.2.3.1.3. toto</a></li>
-<li><a href="#orgc7113d0">3.2.3.1.4. Work</a></li>
-<li><a href="#org9ac5e22">3.2.3.1.5. Framework</a></li>
-<li><a href="#org1c1802e">3.2.3.1.6. AMD CPU</a></li>
-<li><a href="#org619b6ae">3.2.3.1.7. AMD GPU</a></li>
-<li><a href="#org14d09b9">3.2.3.1.8. Hibernation</a></li>
-<li><a href="#org9c9d768">3.2.3.1.9. BTRFS</a></li>
-<li><a href="#orgff2b98d">3.2.3.1.10. Local Server</a></li>
-<li><a href="#orgeeba793">3.2.3.1.11. OCI Sync Server</a></li>
+<li><a href="#orgd15d84e">3.2.3.1.1. Personal</a></li>
+<li><a href="#orgb8dd5c5">3.2.3.1.2. Chaostheatre</a></li>
+<li><a href="#orgcddd248">3.2.3.1.3. toto</a></li>
+<li><a href="#org61a8f9a">3.2.3.1.4. Work</a></li>
+<li><a href="#org4e83ade">3.2.3.1.5. Framework</a></li>
+<li><a href="#org312152a">3.2.3.1.6. AMD CPU</a></li>
+<li><a href="#org2af34cd">3.2.3.1.7. AMD GPU</a></li>
+<li><a href="#org473aa8d">3.2.3.1.8. Hibernation</a></li>
+<li><a href="#org22fc9b4">3.2.3.1.9. BTRFS</a></li>
+<li><a href="#org45f368e">3.2.3.1.10. Local Server</a></li>
+<li><a href="#org8434eac">3.2.3.1.11. OCI Sync Server</a></li>
 </ul>
 </li>
 <li><a href="#h:ced5841f-c088-4d88-b3a1-7d62aad8837b">3.2.3.2. home-manager</a>
 <ul>
-<li><a href="#orgdcc40f5">3.2.3.2.1. Personal</a></li>
-<li><a href="#orgda5bd25">3.2.3.2.2. Chaostheatre</a></li>
-<li><a href="#org78bfd93">3.2.3.2.3. toto</a></li>
-<li><a href="#org095828f">3.2.3.2.4. Work</a></li>
-<li><a href="#org71075bc">3.2.3.2.5. Framework</a></li>
-<li><a href="#orgab68be6">3.2.3.2.6. Darwin</a></li>
-<li><a href="#orgc70220b">3.2.3.2.7. Local Server</a></li>
+<li><a href="#org63891dc">3.2.3.2.1. Personal</a></li>
+<li><a href="#orgb17ec88">3.2.3.2.2. Chaostheatre</a></li>
+<li><a href="#orgd284186">3.2.3.2.3. toto</a></li>
+<li><a href="#org407c366">3.2.3.2.4. Work</a></li>
+<li><a href="#org6ba8061">3.2.3.2.5. Framework</a></li>
+<li><a href="#org05805fc">3.2.3.2.6. Darwin</a></li>
+<li><a href="#org924b91c">3.2.3.2.7. Local Server</a></li>
 </ul>
 </li>
 </ul>
 </li>
 <li><a href="#h:4d38c9f7-2680-4c02-a1f4-ed8db0d55ce4">3.2.4. Library functions</a></li>
-<li><a href="#org111a002">3.2.5. Auxiliary files</a>
+<li><a href="#org41896e4">3.2.5. Auxiliary files</a>
 <ul>
-<li><a href="#orgac4d22d">3.2.5.1. extra-builtins</a></li>
-<li><a href="#org12f22da">3.2.5.2. sops-decrypt-and-cache</a></li>
+<li><a href="#org1c08edd">3.2.5.1. extra-builtins</a></li>
+<li><a href="#org89d8266">3.2.5.2. sops-decrypt-and-cache</a></li>
 </ul>
 </li>
 </ul>
@@ -369,9 +369,9 @@
 <li><a href="#h:aa433f5e-a455-4414-b76b-0a2692fa06aa">3.3.1.14. Pipewire</a></li>
 <li><a href="#h:7d696b64-debe-4a95-80b5-1e510156a6c6">3.3.1.15. Common network settings</a></li>
 <li><a href="#h:852d59ab-63c3-4831-993d-b5e23b877796">3.3.1.16. Time, locale settings</a></li>
-<li><a href="#org4af165f">3.3.1.17. Meta options</a></li>
+<li><a href="#org0311649">3.3.1.17. Meta options</a></li>
 <li><a href="#h:d87d80fd-2ac7-4f29-b338-0518d06b4deb">3.3.1.18. sops</a></li>
-<li><a href="#org040e64b">3.3.1.19. PII management</a></li>
+<li><a href="#orga526cf8">3.3.1.19. PII management</a></li>
 <li><a href="#h:e6e44705-94af-49fe-9ca0-0629d0f7d932">3.3.1.20. Theme (stylix)</a></li>
 <li><a href="#h:2bbf5f31-246d-4738-925f-eca40681f7b6">3.3.1.21. Programs (including zsh setup)</a>
 <ul>
@@ -386,7 +386,7 @@
 <li><a href="#h:f101daa2-604d-4553-99e2-f64b9c207f51">3.3.1.22.3. enable GVfs</a></li>
 <li><a href="#h:08d213d5-a9f4-4309-8635-ba557b01dc7d">3.3.1.22.4. interception-tools: Make CAPS work as ESC/CTRL</a></li>
 <li><a href="#h:82fbba41-3a46-4db7-aade-49e4c23fc475">3.3.1.22.5. power-profiles-daemon</a></li>
-<li><a href="#orgcef61ea">3.3.1.22.6. SwayOSD</a></li>
+<li><a href="#orgde7b754">3.3.1.22.6. SwayOSD</a></li>
 </ul>
 </li>
 <li><a href="#h:7a89b5e3-b700-4167-8b14-2b8172f33936">3.3.1.23. Hardware compatibility settings (Yubikey, Ledger, Keyboards) - udev rules</a>
@@ -438,8 +438,8 @@
 <li><a href="#h:9da3df74-6fc5-4ee1-a345-23ab4e8a613d">3.3.2.24. FreshRSS</a></li>
 <li><a href="#h:a9965660-4358-4b9a-8c46-d55f28598344">3.3.2.25. forgejo (git server)</a></li>
 <li><a href="#h:cb3f6552-7751-4f9a-b4c7-8d8ba5b255c4">3.3.2.26. Anki Sync Server</a></li>
-<li><a href="#orgadabdd9">3.3.2.27. IDM (kanidm + oauth2-proxy)</a></li>
-<li><a href="#org1319ef2">3.3.2.28. Firefly-III</a></li>
+<li><a href="#org1fe325a">3.3.2.27. IDM (kanidm + oauth2-proxy)</a></li>
+<li><a href="#org6082ad8">3.3.2.28. Firefly-III</a></li>
 </ul>
 </li>
 <li><a href="#h:ac0cd8b3-06cf-4dca-ba73-6100c8fedb47">3.3.3. Darwin</a>
@@ -454,11 +454,11 @@
 <li><a href="#h:34db28fb-62f7-4597-a9ff-0de2991a8415">3.3.4.3. VmWare</a></li>
 <li><a href="#h:fa8d9ec4-3e22-458a-9239-859cffe7f55c">3.3.4.4. Auto-login</a></li>
 <li><a href="#h:5c41c4ee-22ca-405b-9e4f-cc4051634edd">3.3.4.5. nswitch-rcm</a></li>
-<li><a href="#org2a02f56">3.3.4.6. Framework</a></li>
-<li><a href="#orgdbf44f7">3.3.4.7. AMD CPU</a></li>
-<li><a href="#orgecd29c2">3.3.4.8. AMD GPU</a></li>
-<li><a href="#orgda0d8f6">3.3.4.9. Hibernation</a></li>
-<li><a href="#org957abf9">3.3.4.10. BTRFS</a></li>
+<li><a href="#org0a20b2e">3.3.4.6. Framework</a></li>
+<li><a href="#orgf3b1ad5">3.3.4.7. AMD CPU</a></li>
+<li><a href="#org74c15c0">3.3.4.8. AMD GPU</a></li>
+<li><a href="#org60c0738">3.3.4.9. Hibernation</a></li>
+<li><a href="#orgc1656bc">3.3.4.10. BTRFS</a></li>
 <li><a href="#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf">3.3.4.11. work</a></li>
 <li><a href="#h:3fc1d301-7bae-4678-9085-d12c23eed8ac">3.3.4.12. Minimal Install</a></li>
 </ul>
@@ -507,7 +507,7 @@
 <li><a href="#h:cb812c8a-247c-4ce5-a00c-59332c2f5fb9">3.4.1.29.1. gnome-keyring</a></li>
 <li><a href="#h:be6afd89-9e1e-40b6-8542-5c07a0ab780d">3.4.1.29.2. KDE Connect</a></li>
 <li><a href="#h:99d05729-df35-4958-9940-3319d6a41359">3.4.1.29.3. Mako</a></li>
-<li><a href="#org6a90363">3.4.1.29.4. SwayOSD</a></li>
+<li><a href="#org4d519db">3.4.1.29.4. SwayOSD</a></li>
 <li><a href="#h:1598c90b-f195-41a0-9132-94612edf3586">3.4.1.29.5. yubikey-touch-detector</a></li>
 </ul>
 </li>
@@ -532,7 +532,7 @@
 <ul>
 <li><a href="#h:84fd7029-ecb6-4131-9333-289982f24ffa">3.4.4.1. Gaming</a></li>
 <li><a href="#h:f0b2ea93-94c8-48d8-8d47-6fe58f58e0e6">3.4.4.2. Work</a></li>
-<li><a href="#orgead591d">3.4.4.3. Framework</a></li>
+<li><a href="#orgff2dfbe">3.4.4.3. Framework</a></li>
 </ul>
 </li>
 </ul>
@@ -710,7 +710,7 @@
 <ul>
 <li><a href="#h:c1e53aed-fb47-4aff-930c-dc52f3c5dcb8">6.1. Server Emacs config</a></li>
 <li><a href="#h:fc64f42f-e7cf-4829-89f6-2d0d58e04f51">6.2. tridactylrc</a></li>
-<li><a href="#org71bf76e">6.3. tridactyl theme</a></li>
+<li><a href="#org8972093">6.3. tridactyl theme</a></li>
 <li><a href="#h:77b1c523-5074-4610-b320-90af95e6134d">6.4. Waybar style.css</a></li>
 <li><a href="#h:788937cf-8816-466b-8e57-1b695cb50f52">6.5. justfile</a></li>
 </ul>
@@ -719,7 +719,7 @@
 </div>
 </div>
 <p>
-<b>This file has 66782 words spanning 17613 lines and was last revised on 2025-06-13 02:34:40 +0200.</b>
+<b>This file has 67098 words spanning 17669 lines and was last revised on 2025-06-13 03:31:20 +0200.</b>
 </p>
 
 <p>
@@ -772,7 +772,7 @@ This section defines my Emacs configuration. For a while, I considered to use ry
 </p>
 
 <p>
-My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-06-13 02:34:40 +0200)
+My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-06-13 03:31:20 +0200)
 </p></li>
 </ul>
 
@@ -2908,8 +2908,8 @@ This is just a demo host. It applies all the configuration found in the common p
 I also set the <code>WLR_RENDERER_ALLOW_SOFTWARE=1</code> to allow this configuration to run in a virtualized environment. I also enable <code>qemuGuest</code> for a smoother experience when testing on QEMU.
 </p>
 </div>
-<div id="outline-container-orge6ad58f" class="outline-6">
-<h6 id="orge6ad58f"><span class="section-number-6">3.1.4.4.1.</span> Main configuration</h6>
+<div id="outline-container-org46ad702" class="outline-6">
+<h6 id="org46ad702"><span class="section-number-6">3.1.4.4.1.</span> Main configuration</h6>
 <div class="outline-text-6" id="text-3-1-4-4-1">
 <div class="org-src-container">
 <pre class="src src-nix">{ self, inputs, config, pkgs, lib, primaryUser, ... }:
@@ -2988,8 +2988,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orga3d14c3" class="outline-6">
-<h6 id="orga3d14c3"><span class="section-number-6">3.1.4.4.2.</span> NixOS dummy options configuration</h6>
+<div id="outline-container-org8b2e1d1" class="outline-6">
+<h6 id="org8b2e1d1"><span class="section-number-6">3.1.4.4.2.</span> NixOS dummy options configuration</h6>
 <div class="outline-text-6" id="text-3-1-4-4-2">
 <div class="org-src-container">
 <pre class="src src-nix">_:
@@ -2999,8 +2999,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgb9cef36" class="outline-6">
-<h6 id="orgb9cef36"><span class="section-number-6">3.1.4.4.3.</span> home-manager dummy options configuration</h6>
+<div id="outline-container-orgfd34f92" class="outline-6">
+<h6 id="orgfd34f92"><span class="section-number-6">3.1.4.4.3.</span> home-manager dummy options configuration</h6>
 <div class="outline-text-6" id="text-3-1-4-4-3">
 <div class="org-src-container">
 <pre class="src src-nix">_:
@@ -4781,8 +4781,8 @@ appimageTools.wrapType2 {
 </div>
 </div>
 </div>
-<div id="outline-container-org6c977da" class="outline-5">
-<h5 id="org6c977da"><span class="section-number-5">3.2.1.30.</span> swarsel-deploy</h5>
+<div id="outline-container-org077451c" class="outline-5">
+<h5 id="org077451c"><span class="section-number-5">3.2.1.30.</span> swarsel-deploy</h5>
 <div class="outline-text-5" id="text-3-2-1-30">
 <div class="org-src-container">
 <pre class="src src-nix"># heavily inspired from https://github.com/oddlama/nix-config/blob/d42cbde676001a7ad8a3cace156e050933a4dcc3/pkgs/deploy.nix
@@ -4913,8 +4913,8 @@ writeShellApplication {
 </div>
 </div>
 </div>
-<div id="outline-container-orgbf90fc3" class="outline-5">
-<h5 id="orgbf90fc3"><span class="section-number-5">3.2.1.31.</span> sshrm</h5>
+<div id="outline-container-orgbaf42fe" class="outline-5">
+<h5 id="orgbaf42fe"><span class="section-number-5">3.2.1.31.</span> sshrm</h5>
 <div class="outline-text-5" id="text-3-2-1-31">
 <p>
 This programs simply runs ssh-keygen on the last host that I tried to ssh into. I need this frequently when working with cloud-init usually.
@@ -5071,8 +5071,8 @@ in
 </pre>
 </div>
 </div>
-<div id="outline-container-org7ab2427" class="outline-6">
-<h6 id="org7ab2427"><span class="section-number-6">3.2.3.1.1.</span> Personal</h6>
+<div id="outline-container-orgd15d84e" class="outline-6">
+<h6 id="orgd15d84e"><span class="section-number-6">3.2.3.1.1.</span> Personal</h6>
 <div class="outline-text-6" id="text-3-2-3-1-1">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5142,8 +5142,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgebed78c" class="outline-6">
-<h6 id="orgebed78c"><span class="section-number-6">3.2.3.1.2.</span> Chaostheatre</h6>
+<div id="outline-container-orgb8dd5c5" class="outline-6">
+<h6 id="orgb8dd5c5"><span class="section-number-6">3.2.3.1.2.</span> Chaostheatre</h6>
 <div class="outline-text-6" id="text-3-2-3-1-2">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5205,8 +5205,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org1615bc2" class="outline-6">
-<h6 id="org1615bc2"><span class="section-number-6">3.2.3.1.3.</span> toto</h6>
+<div id="outline-container-orgcddd248" class="outline-6">
+<h6 id="orgcddd248"><span class="section-number-6">3.2.3.1.3.</span> toto</h6>
 <div class="outline-text-6" id="text-3-2-3-1-3">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5238,8 +5238,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgc7113d0" class="outline-6">
-<h6 id="orgc7113d0"><span class="section-number-6">3.2.3.1.4.</span> Work</h6>
+<div id="outline-container-org61a8f9a" class="outline-6">
+<h6 id="org61a8f9a"><span class="section-number-6">3.2.3.1.4.</span> Work</h6>
 <div class="outline-text-6" id="text-3-2-3-1-4">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5260,8 +5260,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org9ac5e22" class="outline-6">
-<h6 id="org9ac5e22"><span class="section-number-6">3.2.3.1.5.</span> Framework</h6>
+<div id="outline-container-org4e83ade" class="outline-6">
+<h6 id="org4e83ade"><span class="section-number-6">3.2.3.1.5.</span> Framework</h6>
 <div class="outline-text-6" id="text-3-2-3-1-5">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5282,8 +5282,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org1c1802e" class="outline-6">
-<h6 id="org1c1802e"><span class="section-number-6">3.2.3.1.6.</span> AMD CPU</h6>
+<div id="outline-container-org312152a" class="outline-6">
+<h6 id="org312152a"><span class="section-number-6">3.2.3.1.6.</span> AMD CPU</h6>
 <div class="outline-text-6" id="text-3-2-3-1-6">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5304,8 +5304,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org619b6ae" class="outline-6">
-<h6 id="org619b6ae"><span class="section-number-6">3.2.3.1.7.</span> AMD GPU</h6>
+<div id="outline-container-org2af34cd" class="outline-6">
+<h6 id="org2af34cd"><span class="section-number-6">3.2.3.1.7.</span> AMD GPU</h6>
 <div class="outline-text-6" id="text-3-2-3-1-7">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5326,8 +5326,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org14d09b9" class="outline-6">
-<h6 id="org14d09b9"><span class="section-number-6">3.2.3.1.8.</span> Hibernation</h6>
+<div id="outline-container-org473aa8d" class="outline-6">
+<h6 id="org473aa8d"><span class="section-number-6">3.2.3.1.8.</span> Hibernation</h6>
 <div class="outline-text-6" id="text-3-2-3-1-8">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5348,8 +5348,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org9c9d768" class="outline-6">
-<h6 id="org9c9d768"><span class="section-number-6">3.2.3.1.9.</span> BTRFS</h6>
+<div id="outline-container-org22fc9b4" class="outline-6">
+<h6 id="org22fc9b4"><span class="section-number-6">3.2.3.1.9.</span> BTRFS</h6>
 <div class="outline-text-6" id="text-3-2-3-1-9">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5370,8 +5370,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgff2b98d" class="outline-6">
-<h6 id="orgff2b98d"><span class="section-number-6">3.2.3.1.10.</span> Local Server</h6>
+<div id="outline-container-org45f368e" class="outline-6">
+<h6 id="org45f368e"><span class="section-number-6">3.2.3.1.10.</span> Local Server</h6>
 <div class="outline-text-6" id="text-3-2-3-1-10">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5424,8 +5424,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgeeba793" class="outline-6">
-<h6 id="orgeeba793"><span class="section-number-6">3.2.3.1.11.</span> OCI Sync Server</h6>
+<div id="outline-container-org8434eac" class="outline-6">
+<h6 id="org8434eac"><span class="section-number-6">3.2.3.1.11.</span> OCI Sync Server</h6>
 <div class="outline-text-6" id="text-3-2-3-1-11">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5481,8 +5481,8 @@ in
 </pre>
 </div>
 </div>
-<div id="outline-container-orgdcc40f5" class="outline-6">
-<h6 id="orgdcc40f5"><span class="section-number-6">3.2.3.2.1.</span> Personal</h6>
+<div id="outline-container-org63891dc" class="outline-6">
+<h6 id="org63891dc"><span class="section-number-6">3.2.3.2.1.</span> Personal</h6>
 <div class="outline-text-6" id="text-3-2-3-2-1">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5539,8 +5539,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgda5bd25" class="outline-6">
-<h6 id="orgda5bd25"><span class="section-number-6">3.2.3.2.2.</span> Chaostheatre</h6>
+<div id="outline-container-orgb17ec88" class="outline-6">
+<h6 id="orgb17ec88"><span class="section-number-6">3.2.3.2.2.</span> Chaostheatre</h6>
 <div class="outline-text-6" id="text-3-2-3-2-2">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5592,8 +5592,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org78bfd93" class="outline-6">
-<h6 id="org78bfd93"><span class="section-number-6">3.2.3.2.3.</span> toto</h6>
+<div id="outline-container-orgd284186" class="outline-6">
+<h6 id="orgd284186"><span class="section-number-6">3.2.3.2.3.</span> toto</h6>
 <div class="outline-text-6" id="text-3-2-3-2-3">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5613,8 +5613,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org095828f" class="outline-6">
-<h6 id="org095828f"><span class="section-number-6">3.2.3.2.4.</span> Work</h6>
+<div id="outline-container-org407c366" class="outline-6">
+<h6 id="org407c366"><span class="section-number-6">3.2.3.2.4.</span> Work</h6>
 <div class="outline-text-6" id="text-3-2-3-2-4">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5634,8 +5634,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org71075bc" class="outline-6">
-<h6 id="org71075bc"><span class="section-number-6">3.2.3.2.5.</span> Framework</h6>
+<div id="outline-container-org6ba8061" class="outline-6">
+<h6 id="org6ba8061"><span class="section-number-6">3.2.3.2.5.</span> Framework</h6>
 <div class="outline-text-6" id="text-3-2-3-2-5">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5656,8 +5656,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgab68be6" class="outline-6">
-<h6 id="orgab68be6"><span class="section-number-6">3.2.3.2.6.</span> Darwin</h6>
+<div id="outline-container-org05805fc" class="outline-6">
+<h6 id="org05805fc"><span class="section-number-6">3.2.3.2.6.</span> Darwin</h6>
 <div class="outline-text-6" id="text-3-2-3-2-6">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5675,8 +5675,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgc70220b" class="outline-6">
-<h6 id="orgc70220b"><span class="section-number-6">3.2.3.2.7.</span> Local Server</h6>
+<div id="outline-container-org924b91c" class="outline-6">
+<h6 id="org924b91c"><span class="section-number-6">3.2.3.2.7.</span> Local Server</h6>
 <div class="outline-text-6" id="text-3-2-3-2-7">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5916,12 +5916,12 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org111a002" class="outline-4">
-<h4 id="org111a002"><span class="section-number-4">3.2.5.</span> Auxiliary files</h4>
+<div id="outline-container-org41896e4" class="outline-4">
+<h4 id="org41896e4"><span class="section-number-4">3.2.5.</span> Auxiliary files</h4>
 <div class="outline-text-4" id="text-3-2-5">
 </div>
-<div id="outline-container-orgac4d22d" class="outline-5">
-<h5 id="orgac4d22d"><span class="section-number-5">3.2.5.1.</span> extra-builtins</h5>
+<div id="outline-container-org1c08edd" class="outline-5">
+<h5 id="org1c08edd"><span class="section-number-5">3.2.5.1.</span> extra-builtins</h5>
 <div class="outline-text-5" id="text-3-2-5-1">
 <div class="org-src-container">
 <pre class="src src-nix">
@@ -5956,8 +5956,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org12f22da" class="outline-5">
-<h5 id="org12f22da"><span class="section-number-5">3.2.5.2.</span> sops-decrypt-and-cache</h5>
+<div id="outline-container-org89d8266" class="outline-5">
+<h5 id="org89d8266"><span class="section-number-5">3.2.5.2.</span> sops-decrypt-and-cache</h5>
 <div class="outline-text-5" id="text-3-2-5-2">
 <div class="org-src-container">
 <pre class="src src-shell">#!/usr/bin/env bash
@@ -6936,8 +6936,8 @@ Setup timezone and locale. I want to use the US layout, but have the rest adapte
 </div>
 </div>
 </div>
-<div id="outline-container-org4af165f" class="outline-5">
-<h5 id="org4af165f"><span class="section-number-5">3.3.1.17.</span> Meta options</h5>
+<div id="outline-container-org0311649" class="outline-5">
+<h5 id="org0311649"><span class="section-number-5">3.3.1.17.</span> Meta options</h5>
 <div class="outline-text-5" id="text-3-3-1-17">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, ... }:
@@ -7025,8 +7025,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org040e64b" class="outline-5">
-<h5 id="org040e64b"><span class="section-number-5">3.3.1.19.</span> PII management</h5>
+<div id="outline-container-orga526cf8" class="outline-5">
+<h5 id="orga526cf8"><span class="section-number-5">3.3.1.19.</span> PII management</h5>
 <div class="outline-text-5" id="text-3-3-1-19">
 <div class="org-src-container">
 <pre class="src src-nix">{ config, inputs, lib, ... }:
@@ -7418,8 +7418,8 @@ Most of the time I am using <code>power-saver</code>, however, it is good to be
 </div>
 </div>
 </div>
-<div id="outline-container-orgcef61ea" class="outline-6">
-<h6 id="orgcef61ea"><span class="section-number-6">3.3.1.22.6.</span> SwayOSD</h6>
+<div id="outline-container-orgde7b754" class="outline-6">
+<h6 id="orgde7b754"><span class="section-number-6">3.3.1.22.6.</span> SwayOSD</h6>
 <div class="outline-text-6" id="text-3-3-1-22-6">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, pkgs, config, ... }:
@@ -8547,6 +8547,8 @@ Here I am forcing <code>startWhenNeeded</code> to false so that the value will n
         ScanSchedule = "@every 24h";
         MPVPath = "${pkgs.mpv}/bin/mpv";
         MPVCommandTemplate = "mpv --audio-device=%d --no-audio-display --pause %f";
+        ReverseProxyWhitelist = "0.0.0.0/0";
+        ReverseProxyUserHeader = "X-User";
         Jukebox = {
           Enabled = true;
           Default = "default";
@@ -8579,6 +8581,23 @@ Here I am forcing <code>startWhenNeeded</code> to false so that the value will n
               proxyPass = "http://localhost:4040";
               proxyWebsockets = true;
               extraConfig = ''
+                auth_request /oauth2/auth;
+                error_page 401 = /oauth2/sign_in;
+
+                # pass information via X-User and X-Email headers to backend,
+                # requires running with --set-xauthrequest flag (done by NixOS)
+                auth_request_set $user   $upstream_http_x_auth_request_user;
+                auth_request_set $email  $upstream_http_x_auth_request_email;
+                proxy_set_header X-User  $user;
+                proxy_set_header X-Email $email;
+
+                # if you enabled --pass-access-token, this will pass the token to the backend
+                auth_request_set $token  $upstream_http_x_auth_request_access_token;
+                proxy_set_header X-Access-Token $token;
+
+                # if you enabled --cookie-refresh, this is needed for it to work with auth_request
+                auth_request_set $auth_cookie $upstream_http_set_cookie;
+                add_header Set-Cookie $auth_cookie;
                 proxy_redirect          http:// https://;
                 proxy_read_timeout      600s;
                 proxy_send_timeout      600s;
@@ -8587,6 +8606,52 @@ Here I am forcing <code>startWhenNeeded</code> to false so that the value will n
                 client_max_body_size    0;
               '';
             };
+            "/oauth2/" = {
+              proxyPass = "http://oauth2-proxy";
+              extraConfig = ''
+                proxy_set_header X-Scheme                $scheme;
+                proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+              '';
+            };
+            "= /oauth2/auth" = {
+              proxyPass = "http://oauth2-proxy/oauth2/auth";
+              extraConfig = ''
+                internal;
+
+                proxy_set_header X-Scheme         $scheme;
+                # nginx auth_request includes headers but not body
+                proxy_set_header Content-Length   "";
+                proxy_pass_request_body           off;
+              '';
+            };
+            "/share" = {
+              proxyPass = "http://localhost:4040";
+              proxyWebsockets = true;
+              extraConfig = ''
+                proxy_redirect          http:// https://;
+                proxy_read_timeout      600s;
+                proxy_send_timeout      600s;
+                proxy_buffering         off;
+                proxy_request_buffering off;
+                client_max_body_size    0;
+                proxy_set_header X-User  "";
+                proxy_set_header X-Email "";
+              '';
+            };
+            "/rest" = {
+              proxyPass = "http://localhost:4040";
+              proxyWebsockets = true;
+              extraConfig = ''
+                proxy_redirect          http:// https://;
+                proxy_read_timeout      600s;
+                proxy_send_timeout      600s;
+                proxy_buffering         off;
+                proxy_request_buffering off;
+                client_max_body_size    0;
+                proxy_set_header X-User  "";
+                proxy_set_header X-Email "";
+              '';
+            };
           };
         };
       };
@@ -9945,6 +10010,10 @@ It serves both a Greader API at <a href="https://signpost.swarsel.win/api/greade
 I am using this with CapyReader on my phone, set it up as a FreshRSS account with Server URL =<a href="https://signpost.swarsel.win/api/greader.php">https://signpost.swarsel.win/api/greader.php</a>
 </p>
 
+<p>
+FreshRSS claims to support HTTP header auth, but at least it does not work with my oauth2-proxy setup. Until this is fixed, I resorted to the "form" login, since I mostly do not use the web version anyways.
+</p>
+
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
 {
@@ -9990,7 +10059,7 @@ I am using this with CapyReader on my phone, set it up as a FreshRSS account wit
       enable = true;
       virtualHost = "signpost.swarsel.win";
       baseUrl = "https://signpost.swarsel.win";
-      authType = "none";
+      authType = "form";
       dataDir = "/Vault/data/tt-rss";
       defaultUser = "Swarsel";
       passwordFile = config.sops.secrets.fresh.path;
@@ -10014,11 +10083,15 @@ I am using this with CapyReader on my phone, set it up as a FreshRSS account wit
 
                 # pass information via X-User and X-Email headers to backend,
                 # requires running with --set-xauthrequest flag (done by NixOS)
-                auth_request_set $user   $upstream_http_x_auth_request_preferred_username;
-                # Set the email to our own domain in case user change their mail
-                auth_request_set $email  "''${upstream_http_x_auth_request_preferred_username}@swarsel.win";
+                auth_request_set $user   $upstream_http_x_auth_request_user;
+                auth_request_set $email  $upstream_http_x_auth_request_email;
                 proxy_set_header X-User  $user;
                 proxy_set_header X-Email $email;
+                proxy_set_header Remote-User  $user;
+
+                # if you enabled --pass-access-token, this will pass the token to the backend
+                auth_request_set $token  $upstream_http_x_auth_request_access_token;
+                proxy_set_header X-Access-Token $token;
 
                 # if you enabled --cookie-refresh, this is needed for it to work with auth_request
                 auth_request_set $auth_cookie $upstream_http_set_cookie;
@@ -10255,8 +10328,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgadabdd9" class="outline-5">
-<h5 id="orgadabdd9"><span class="section-number-5">3.3.2.27.</span> IDM (kanidm + oauth2-proxy)</h5>
+<div id="outline-container-org1fe325a" class="outline-5">
+<h5 id="org1fe325a"><span class="section-number-5">3.3.2.27.</span> IDM (kanidm + oauth2-proxy)</h5>
 <div class="outline-text-5" id="text-3-3-2-27">
 <p>
 The forgejo configuration is a little broken and will show a 500 error when signing in through kanidm. However, when pressing back and refreshing the page, I am logged in. Currently I cannot be bothered to fix this.
@@ -10358,24 +10431,9 @@ in
             "freshrss.access" = { };
             "firefly.access" = { };
           };
-          persons = {
-            swarsel = {
-              present = true;
-              mailAddresses = [ "leon@swarsel.win" ];
-              legalName = "Leon Schwarzäugl";
-              groups = [
-                "immich.access"
-                "paperless.access"
-                "grafana.access"
-                "forgejo.access"
-                "nextcloud.access"
-                "freshrss.access"
-                "navidrome.access"
-                "firefly.access"
-              ];
-              displayName = "Swarsel";
-            };
-          };
+
+          inherit (config.repo.secrets.local) persons;
+
           systems = {
             oauth2 = {
               immich = {
@@ -10613,8 +10671,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org1319ef2" class="outline-5">
-<h5 id="org1319ef2"><span class="section-number-5">3.3.2.28.</span> Firefly-III</h5>
+<div id="outline-container-org6082ad8" class="outline-5">
+<h5 id="org6082ad8"><span class="section-number-5">3.3.2.28.</span> Firefly-III</h5>
 <div class="outline-text-5" id="text-3-3-2-28">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -10939,8 +10997,8 @@ This smashes Atmosphere 1.3.2 on the switch, which is what I am currenty using.
 </div>
 </div>
 </div>
-<div id="outline-container-org2a02f56" class="outline-5">
-<h5 id="org2a02f56"><span class="section-number-5">3.3.4.6.</span> Framework</h5>
+<div id="outline-container-org0a20b2e" class="outline-5">
+<h5 id="org0a20b2e"><span class="section-number-5">3.3.4.6.</span> Framework</h5>
 <div class="outline-text-5" id="text-3-3-4-6">
 <p>
 This holds configuration that is specific to framework laptops.
@@ -10978,8 +11036,8 @@ This holds configuration that is specific to framework laptops.
 </div>
 </div>
 </div>
-<div id="outline-container-orgdbf44f7" class="outline-5">
-<h5 id="orgdbf44f7"><span class="section-number-5">3.3.4.7.</span> AMD CPU</h5>
+<div id="outline-container-orgf3b1ad5" class="outline-5">
+<h5 id="orgf3b1ad5"><span class="section-number-5">3.3.4.7.</span> AMD CPU</h5>
 <div class="outline-text-5" id="text-3-3-4-7">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -10995,8 +11053,8 @@ This holds configuration that is specific to framework laptops.
 </div>
 </div>
 </div>
-<div id="outline-container-orgecd29c2" class="outline-5">
-<h5 id="orgecd29c2"><span class="section-number-5">3.3.4.8.</span> AMD GPU</h5>
+<div id="outline-container-org74c15c0" class="outline-5">
+<h5 id="org74c15c0"><span class="section-number-5">3.3.4.8.</span> AMD GPU</h5>
 <div class="outline-text-5" id="text-3-3-4-8">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -11018,8 +11076,8 @@ This holds configuration that is specific to framework laptops.
 </div>
 </div>
 </div>
-<div id="outline-container-orgda0d8f6" class="outline-5">
-<h5 id="orgda0d8f6"><span class="section-number-5">3.3.4.9.</span> Hibernation</h5>
+<div id="outline-container-org60c0738" class="outline-5">
+<h5 id="org60c0738"><span class="section-number-5">3.3.4.9.</span> Hibernation</h5>
 <div class="outline-text-5" id="text-3-3-4-9">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -11050,8 +11108,8 @@ This holds configuration that is specific to framework laptops.
 </div>
 </div>
 </div>
-<div id="outline-container-org957abf9" class="outline-5">
-<h5 id="org957abf9"><span class="section-number-5">3.3.4.10.</span> BTRFS</h5>
+<div id="outline-container-orgc1656bc" class="outline-5">
+<h5 id="orgc1656bc"><span class="section-number-5">3.3.4.10.</span> BTRFS</h5>
 <div class="outline-text-5" id="text-3-3-4-10">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -13989,8 +14047,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
 </div>
 </div>
 </div>
-<div id="outline-container-org6a90363" class="outline-6">
-<h6 id="org6a90363"><span class="section-number-6">3.4.1.29.4.</span> SwayOSD</h6>
+<div id="outline-container-org4d519db" class="outline-6">
+<h6 id="org4d519db"><span class="section-number-6">3.4.1.29.4.</span> SwayOSD</h6>
 <div class="outline-text-6" id="text-3-4-1-29-4">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -15236,8 +15294,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgead591d" class="outline-5">
-<h5 id="orgead591d"><span class="section-number-5">3.4.4.3.</span> Framework</h5>
+<div id="outline-container-orgff2dfbe" class="outline-5">
+<h5 id="orgff2dfbe"><span class="section-number-5">3.4.4.3.</span> Framework</h5>
 <div class="outline-text-5" id="text-3-4-4-3">
 <p>
 This holds configuration that is specific to framework laptops.
@@ -19077,8 +19135,8 @@ autocmd DocStart vc-impimba-1.m.imp.ac.at/ui/webconsole mode ignore
 </div>
 </div>
 </div>
-<div id="outline-container-org71bf76e" class="outline-3">
-<h3 id="org71bf76e"><span class="section-number-3">6.3.</span> tridactyl theme</h3>
+<div id="outline-container-org8972093" class="outline-3">
+<h3 id="org8972093"><span class="section-number-3">6.3.</span> tridactyl theme</h3>
 <div class="outline-text-3" id="text-6-3">
 <div class="org-src-container">
 <pre class="src src-config">
@@ -19575,7 +19633,7 @@ sync USER HOST:
 </div>
 <div id="postamble" class="status">
 <p class="author">Author: Leon Schwarzäugl</p>
-<p class="date">Created: 2025-06-13 Fr 02:34</p>
+<p class="date">Created: 2025-06-13 Fr 03:31</p>
 <p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
 </div>
 </body>
diff --git a/modules/nixos/server/freshrss.nix b/modules/nixos/server/freshrss.nix
index 3f5c946..9076e1b 100644
--- a/modules/nixos/server/freshrss.nix
+++ b/modules/nixos/server/freshrss.nix
@@ -42,7 +42,7 @@
       enable = true;
       virtualHost = "signpost.swarsel.win";
       baseUrl = "https://signpost.swarsel.win";
-      authType = "none";
+      authType = "form";
       dataDir = "/Vault/data/tt-rss";
       defaultUser = "Swarsel";
       passwordFile = config.sops.secrets.fresh.path;
@@ -66,11 +66,15 @@
 
                 # pass information via X-User and X-Email headers to backend,
                 # requires running with --set-xauthrequest flag (done by NixOS)
-                auth_request_set $user   $upstream_http_x_auth_request_preferred_username;
-                # Set the email to our own domain in case user change their mail
-                auth_request_set $email  "''${upstream_http_x_auth_request_preferred_username}@swarsel.win";
+                auth_request_set $user   $upstream_http_x_auth_request_user;
+                auth_request_set $email  $upstream_http_x_auth_request_email;
                 proxy_set_header X-User  $user;
                 proxy_set_header X-Email $email;
+                proxy_set_header Remote-User  $user;
+
+                # if you enabled --pass-access-token, this will pass the token to the backend
+                auth_request_set $token  $upstream_http_x_auth_request_access_token;
+                proxy_set_header X-Access-Token $token;
 
                 # if you enabled --cookie-refresh, this is needed for it to work with auth_request
                 auth_request_set $auth_cookie $upstream_http_set_cookie;
diff --git a/modules/nixos/server/kanidm.nix b/modules/nixos/server/kanidm.nix
index f0da1dd..353d7c6 100644
--- a/modules/nixos/server/kanidm.nix
+++ b/modules/nixos/server/kanidm.nix
@@ -84,24 +84,9 @@ in
             "freshrss.access" = { };
             "firefly.access" = { };
           };
-          persons = {
-            swarsel = {
-              present = true;
-              mailAddresses = [ "leon@swarsel.win" ];
-              legalName = "Leon Schwarzäugl";
-              groups = [
-                "immich.access"
-                "paperless.access"
-                "grafana.access"
-                "forgejo.access"
-                "nextcloud.access"
-                "freshrss.access"
-                "navidrome.access"
-                "firefly.access"
-              ];
-              displayName = "Swarsel";
-            };
-          };
+
+          inherit (config.repo.secrets.local) persons;
+
           systems = {
             oauth2 = {
               immich = {
diff --git a/modules/nixos/server/navidrome.nix b/modules/nixos/server/navidrome.nix
index 029729d..3c97a50 100644
--- a/modules/nixos/server/navidrome.nix
+++ b/modules/nixos/server/navidrome.nix
@@ -47,6 +47,8 @@
         ScanSchedule = "@every 24h";
         MPVPath = "${pkgs.mpv}/bin/mpv";
         MPVCommandTemplate = "mpv --audio-device=%d --no-audio-display --pause %f";
+        ReverseProxyWhitelist = "0.0.0.0/0";
+        ReverseProxyUserHeader = "X-User";
         Jukebox = {
           Enabled = true;
           Default = "default";
@@ -79,6 +81,23 @@
               proxyPass = "http://localhost:4040";
               proxyWebsockets = true;
               extraConfig = ''
+                auth_request /oauth2/auth;
+                error_page 401 = /oauth2/sign_in;
+
+                # pass information via X-User and X-Email headers to backend,
+                # requires running with --set-xauthrequest flag (done by NixOS)
+                auth_request_set $user   $upstream_http_x_auth_request_user;
+                auth_request_set $email  $upstream_http_x_auth_request_email;
+                proxy_set_header X-User  $user;
+                proxy_set_header X-Email $email;
+
+                # if you enabled --pass-access-token, this will pass the token to the backend
+                auth_request_set $token  $upstream_http_x_auth_request_access_token;
+                proxy_set_header X-Access-Token $token;
+
+                # if you enabled --cookie-refresh, this is needed for it to work with auth_request
+                auth_request_set $auth_cookie $upstream_http_set_cookie;
+                add_header Set-Cookie $auth_cookie;
                 proxy_redirect          http:// https://;
                 proxy_read_timeout      600s;
                 proxy_send_timeout      600s;
@@ -87,6 +106,52 @@
                 client_max_body_size    0;
               '';
             };
+            "/oauth2/" = {
+              proxyPass = "http://oauth2-proxy";
+              extraConfig = ''
+                proxy_set_header X-Scheme                $scheme;
+                proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+              '';
+            };
+            "= /oauth2/auth" = {
+              proxyPass = "http://oauth2-proxy/oauth2/auth";
+              extraConfig = ''
+                internal;
+
+                proxy_set_header X-Scheme         $scheme;
+                # nginx auth_request includes headers but not body
+                proxy_set_header Content-Length   "";
+                proxy_pass_request_body           off;
+              '';
+            };
+            "/share" = {
+              proxyPass = "http://localhost:4040";
+              proxyWebsockets = true;
+              extraConfig = ''
+                proxy_redirect          http:// https://;
+                proxy_read_timeout      600s;
+                proxy_send_timeout      600s;
+                proxy_buffering         off;
+                proxy_request_buffering off;
+                client_max_body_size    0;
+                proxy_set_header X-User  "";
+                proxy_set_header X-Email "";
+              '';
+            };
+            "/rest" = {
+              proxyPass = "http://localhost:4040";
+              proxyWebsockets = true;
+              extraConfig = ''
+                proxy_redirect          http:// https://;
+                proxy_read_timeout      600s;
+                proxy_send_timeout      600s;
+                proxy_buffering         off;
+                proxy_request_buffering off;
+                client_max_body_size    0;
+                proxy_set_header X-User  "";
+                proxy_set_header X-Email "";
+              '';
+            };
           };
         };
       };