diff --git a/hosts/hitsugibune/immich.nix b/hosts/hitsugibune/immich.nix
index 9d4ccbb..af2d81b 100644
--- a/hosts/hitsugibune/immich.nix
+++ b/hosts/hitsugibune/immich.nix
@@ -3,11 +3,30 @@ let
 domain = "immich.sprechtl.me";
 in {
+ age.secrets.immich = {
+ file = ../../secrets/immich.age;
+ owner = "immich";
+ group = "immich";
+ mode = "0400";
+ };
 services.immich = {
 enable = true;
 database.host = "/run/postgresql";
 port = 2283; # default
- settings.externalDomain = domain;
+ settings = {
+ externalDomain = domain;
+ oauth = {
+ enabled = true;
+ issuerUrl = "https://auth.sprechtl.me/application/o/immich/.well-known/openid-configuration";
+ clientId = "EXMPaB2SoZYSSWu56ebB6CYV8W1hQS2eTwLdFBDw";
+ # clientSecret = ""; saved in secrets file
+ scope = "openid email profile";
+ buttonText = "Login with Authentik";
+ autoRegister = true;
+ autoLaunch = false; # set true to skip local login page entirely
+ };
+ };
+ secretsFile = config.age.secrets.immich.path;
 mediaLocation = "/data/immich/";
 };
diff --git a/secrets/immich.age b/secrets/immich.age
new file mode 100644
index 0000000..2273d4c
Binary files /dev/null and b/secrets/immich.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 6815f44..6935e19 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -20,4 +20,5 @@ in {
 "authentik.age".publicKeys = [hitsugibune key];
 "vaultwarden.age".publicKeys = [hitsugibune key];
 "forgejo-mailer-password.age".publicKeys = [hitsugibune key];
+ "immich.age".publicKeys = [hitsugibune key];
 }
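Review bot: The commented-out `clientSecret` line in the `oauth` block of hosts/hitsugibune/immich.nix assumes the secret arrives through `secretsFile`, but nothing in this hunk shows that file feeding `settings.oauth`. As far as I can tell the NixOS module loads `secretsFile` as an environment file while the OAuth values are read from the generated config, so confirm after deploy that the OIDC login completes rather than running with an empty client secret. I would replace the current comment with one that names the mechanism, e.g. `# clientSecret: supplied via <mechanism>; never set inline, it would end up in the world-readable Nix store`. Separately, `autoRegister = true;` creates an Immich account for every identity the issuer lets through, so a comment such as `# access is gated by the Authentik application bindings, not by Immich` next to it would make that dependency explicit.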