diff --git a/hosts/hitsugibune/immich.nix b/hosts/hitsugibune/immich.nix
index 0c09030..2f5cd76 100644
--- a/hosts/hitsugibune/immich.nix
+++ b/hosts/hitsugibune/immich.nix
@@ -36,7 +36,23 @@ in
 locations."/" = {
 proxyPass = "http://localhost:2283";
 proxyWebsockets = true;
- extraConfig = "client_max_body_size 50000M;"; # for large video uploads
+ # https://docs.immich.app/administration/reverse-proxy/
+ extraConfig = ''
+ # allow large file uploads
+ client_max_body_size 50000M;
+
+ # disable buffering uploads to prevent OOM on reverse proxy server and make uploads twice as fast (no pause)
+ proxy_request_buffering off;
+
+ # increase body buffer to avoid limiting upload speed
+ client_body_buffer_size 1024k;
+
+ # Set headers
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ '';
 };
 };
 }
diff --git a/hosts/hitsugibune/matrix.nix b/hosts/hitsugibune/matrix.nix
index a04de12..b40ab61 100644
--- a/hosts/hitsugibune/matrix.nix
+++ b/hosts/hitsugibune/matrix.nix
@@ -22,13 +22,19 @@ in {
 group = "matrix-synapse"; }; + age.secrets.matrix-oidc = { + file = ../../secrets/matrix-oidc.age; + owner = "matrix-synapse"; + group = "matrix-synapse"; + }; + age.secrets.mautrix-signal = { + file = ../../secrets/mautrix-signal.age; + owner = "mautrix-signal"; + group = "mautrix-signal"; + }; age.secrets.mautrix-signal-puppeting = { - file = ../../secrets/mautrix-signal-puppeting.yaml.age; # your encrypted YAML + file = ../../secrets/mautrix-signal-puppeting.yaml.age; owner = "mautrix-signal"; group = "mautrix-signal"; mode = "0640";
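Review bot: The new `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` line appends the connecting address to whatever `X-Forwarded-For` value the client already sent, so the upstream sees a client-controlled prefix in that header; this is the conventional setting, but anything behind this proxy that derives the client IP from it (access rules, rate limiting, audit logs) must be configured to trust only this nginx hop. The four `proxy_set_header` lines are the same ones NixOS injects into a `proxyPass` location when `services.nginx.recommendedProxySettings` is enabled; whether that option is on for this host is not visible in the hunk, but if it is, the duplication here is worth a comment such as `# duplicates recommendedProxySettings on purpose: keep in sync with the Immich docs` so the two sources do not silently diverge later. A one-line comment noting that with `proxy_request_buffering off;` the body is streamed to the backend and the effective upload limit is whichever of nginx's `client_max_body_size` and Immich's own limit is lower would also help the next reader.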
@@ -176,34 +182,41 @@ in { services.matrix-synapse = { enable = true; - settings.server_name = config.networking.domain; + extras = [ "oidc" ]; # The public base URL value must match the `base_url` value set in `clientConfig` above. # The default value here is based on `server_name`, so if your `server_name` is different # from the value of `fqdn` above, you will likely run into some mismatched domain names # in client applications. - settings.public_baseurl = baseUrl; - settings.enable_registration = false; - enableRegistrationScript = true; - settings.listeners = [ - { - port = 8008; - bind_addresses = ["::1"]; - type = "http"; - tls = false; - x_forwarded = true; - resources = [ - { - names = ["client" "federation"]; - compress = true; - } - ]; - } - ]; + settings = { + server_name = config.networking.domain; + public_baseurl = baseUrl; + enable_registration = false; + enableRegistrationScript = true; + listeners = [ + { + port = 8008; + bind_addresses = ["::1"]; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ + { + names = ["client" "federation"]; + compress = true; + } + ]; + } + ]; + log_level = "DEBUG"; + }; settings.app_service_config_files = [ "/var/lib/mautrix-signal/double-puppeting.yaml" ]; - extraConfigFiles = [config.age.secrets.matrix.path]; + extraConfigFiles = [ + config.age.secrets.matrix.path + config.age.secrets.matrix-oidc.path + ]; settings.turn_uris = ["turn:${turn.realm}:3478?transport=udp" "turn:${turn.realm}:3478?transport=tcp"]; settings.turn_user_lifetime = "1h"; }; diff --git a/secrets/matrix-oidc.age b/secrets/matrix-oidc.age new file mode 100644 index 0000000..83ecc9c --- /dev/null +++ b/secrets/matrix-oidc.age 
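Review bot: `enableRegistrationScript = true;` has been moved inside the new `settings = { ... }` attribute set, where it is no longer the NixOS module option `services.matrix-synapse.enableRegistrationScript` but an unknown key written into homeserver.yaml; it should be moved back out to sit next to `enable` and `extras`. `log_level = "DEBUG";` is likewise not a Synapse homeserver.yaml key as far as I know (Synapse takes its level from the logging YAML referenced by `log_config`, which NixOS exposes as `services.matrix-synapse.log`), so it most likely has no effect — and if debug logging is actually wanted, it should be a temporary setting, since Synapse's DEBUG output is very verbose and writes per-request detail into the journal. `extras = [ "oidc" ];` replaces the option's default list rather than extending it, so any extra the default supplied for this configuration (for instance `postgres` when a local PostgreSQL database is used, as I recall) has to be listed here explicitly; please check the module's default before merging. The separate `settings.app_service_config_files` and `settings.turn_*` assignments merge with the new `settings` set by normal attrset merging, so that part is fine.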
@@ -0,0 +1,16 @@ +age-encryption.org/v1 +-> ssh-ed25519 7PLkJg XYa7BZNJcLeaFg9P0jVzv/OsvPw5WZhAnIJYdqwGNG0 +HQfQNXNFK1Q9nHBQddY+kOu91gn+1my2jsSO2iEWpAA +-> ssh-rsa LgF3EQ +ph+gT+EolN+nBl989531YlE+toiafZ9CUuJgjjBimMh9d3WXe4ZAYLwG8xMnziPZ +wATCLDU1RnC1twwDLOj5O17DdvofDJgf1b5FO5oxOvMyqdebGsxDiJQSnslbF7lK +rAIaUqbW/T/RfpMSZM39UrW/K3JeATaOh2dynKZZWEQLdnXt3UU/LJ/YZCQAwtLk +/EvBQvgmke7dW2yYX0Sc9QZveTJWtTRNtYjE2vgC53ytl+JIpKdIPW/rj+vdj5Ed +IWUax99IpMdHAlHB5AKwZKmLeOpbFMhJKC0q+O3MFlUdmFKIYnwtVu2m5ZW+pZb+ +IXp9SdjQ4Dt89cT686tHgE+gHyvhwZiHmNDbJKL/35yCXwJIdKEWjcO3j1KvRi/H +O0msPNnpYycqlg4C1H0psiuZ3g7U/PYhkAPTKBajafPOcddKbOJeLZo9u07gQZEb +xeNxPivEH7R54+eQQAX/dOHqjgelBB1fBNNWZ0Pu/gQT1nYxRRWoqjdTdgGNuucQ + +--- GjXC5GUW8+bfp5Jb2+hzi2AZNuffI0TwUeyLaUQAUww +t#a40CcA0a0.5YȞlyukFŧy!g?ٍWk$Lnft ;+T /؂UUC$'I&&j(g(W 6`Z qbϒmJ}̾K0ASPuLi^:ې=&-@oB(wXShR1'$X$itG_2"5[OVe:yq؋ ܍|>gǷ`DֵY>d $KkBSmׄ?aZ%j0wɾQ$܋pfth - 3[A2윅:Ls(UӇ +:Y \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 6935e19..8e457b9 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -12,6 +12,7 @@ in { "speedtest-tracker.age".publicKeys = [saberofxebec key]; "homarr.age".publicKeys = [saberofxebec key]; "matrix.age".publicKeys = [hitsugibune key]; + "matrix-oidc.age".publicKeys = [hitsugibune key]; "mautrix-signal.age".publicKeys = [hitsugibune key]; "mautrix-signal-puppeting.yaml.age".publicKeys = [hitsugibune key]; "mautrix-whatsapp.age".publicKeys = [hitsugibune key];