diff --git a/hosts/hitsugibune/matrix.nix b/hosts/hitsugibune/matrix.nix
index a04de12..2031fc6 100644
--- a/hosts/hitsugibune/matrix.nix
+++ b/hosts/hitsugibune/matrix.nix
@@ -22,13 +22,19 @@ in {
 group = "matrix-synapse";
 };
+ age.secrets.matrix-oidc = {
+ file = ../../secrets/matrix-oidc.age;
+ owner = "matrix-synapse";
+ group = "matrix-synapse";
+ };
+
 age.secrets.mautrix-signal = {
 file = ../../secrets/mautrix-signal.age;
 owner = "mautrix-signal";
 group = "mautrix-signal";
 };
 age.secrets.mautrix-signal-puppeting = {
- file = ../../secrets/mautrix-signal-puppeting.yaml.age; # your encrypted YAML
+ file = ../../secrets/mautrix-signal-puppeting.yaml.age;
 owner = "mautrix-signal";
 group = "mautrix-signal";
 mode = "0640";
@@ -184,26 +190,44 @@ in {
 settings.public_baseurl = baseUrl;
 settings.enable_registration = false;
 enableRegistrationScript = true;
- settings.listeners = [
- {
- port = 8008;
- bind_addresses = ["::1"];
- type = "http";
- tls = false;
- x_forwarded = true;
- resources = [
- {
- names = ["client" "federation"];
- compress = true;
- }
- ];
- }
- ];
+ settings = {
+ listeners = [
+ {
+ port = 8008;
+ bind_addresses = ["::1"];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = ["client" "federation"];
+ compress = true;
+ }
+ ];
+ }
+ ];
+ oidc_providers = [
+ {
+ idp_id = "authentik";
+ idp_name = "Authentik";
+ issuer = "https://auth.sprechtl.me/application/o/matrix-synapse/.well-known/openid-configuration";
+ client_id = "xoTtitlCqRbK9fjl2VAugYdswYGOLUJUzeV1dacc";
+ scopes = [ "openid" "profile" "email" ];
+ user_mapping_provider.config = {
+ localpart_template = "{{ user.preferred_username }}";
+ display_name_template = "{{ user.name }}";
+ };
+ }
+ ];
+ };
 settings.app_service_config_files = [
 "/var/lib/mautrix-signal/double-puppeting.yaml"
 ];
- extraConfigFiles = [config.age.secrets.matrix.path];
+ extraConfigFiles = [
+ config.age.secrets.matrix.path
+ config.age.secrets.matrix-oidc.path
+ ];
 settings.turn_uris = ["turn:${turn.realm}:3478?transport=udp" "turn:${turn.realm}:3478?transport=tcp"];
 settings.turn_user_lifetime = "1h";
 };
diff --git a/secrets/matrix-oidc.age b/secrets/matrix-oidc.age
new file mode 100644
index 0000000..606d7e2
Binary files /dev/null and b/secrets/matrix-oidc.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 6935e19..8e457b9 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
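Review bot: `issuer` in the new `oidc_providers` entry points at the discovery document itself (`.../matrix-synapse/.well-known/openid-configuration`), but Synapse treats `issuer` as the OIDC issuer identifier and, with discovery enabled (the default), appends `/.well-known/openid-configuration` to it, so as written discovery would fetch a doubled path and the `iss` claim in Authentik's ID tokens would likely not match the configured string; the value should be the application issuer, `issuer = "https://auth.sprechtl.me/application/o/matrix-synapse/";`. A second thing to confirm: no `client_secret` appears here and it presumably lives in matrix-oidc.age, yet Synapse combines its config files with a shallow top-level update, so a secret file carrying only `oidc_providers: [{client_secret: …}]` would replace this whole list instead of filling in the secret — either the age file must hold the complete provider entry (which makes the block here dead), or, if the deployed Synapse supports it, use `client_secret_path` pointing at `config.age.secrets.matrix-oidc.path` and keep only the secret in the age file. It would also help to add a comment above `extraConfigFiles` stating which top-level keys each secret file provides, since the override semantics are easy to get wrong. The enclosing `services.matrix-synapse` attribute set opens before this hunk.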
@@ -12,6 +12,7 @@ in {
 "speedtest-tracker.age".publicKeys = [saberofxebec key];
 "homarr.age".publicKeys = [saberofxebec key];
 "matrix.age".publicKeys = [hitsugibune key];
+ "matrix-oidc.age".publicKeys = [hitsugibune key];
 "mautrix-signal.age".publicKeys = [hitsugibune key];
 "mautrix-signal-puppeting.yaml.age".publicKeys = [hitsugibune key];
 "mautrix-whatsapp.age".publicKeys = [hitsugibune key];