diff --git a/config/services/kanidm.nix b/config/services/kanidm.nix
index c95621b..6f2fc4b 100644
--- a/config/services/kanidm.nix
+++ b/config/services/kanidm.nix
@@ -88,9 +88,6 @@ in {
 preferShortUsername = true;
 };
- groups."rss.access" = {};
- groups."oauth2-proxy.access" = {};
-
 groups."nextcloud.access" = {
 members = ["nextcloud.admins"];
 };
@@ -122,16 +119,10 @@ in {
 scopeMaps."immich.access" = ["openid" "email" "profile"];
 preferShortUsername = true;
 };
- groups."netbird.access" = {
- };
- groups."forgejo.access" = {
- members = ["forgejo.admins"];
+ groups."rss.access" = {};
+ groups."adguardhome.access" = {
 };
- groups."forgejo.admins" = {
- members = ["administrator"];
- };
-
 systems.oauth2.oauth2-proxy = {
 displayName = "Oauth2-Proxy";
 originUrl = "https://oauth2.${config.secrets.secrets.global.domains.web}/";
@@ -146,7 +137,11 @@ in {
 };
 };
- groups."adguardhome.access" = {
+ groups."forgejo.access" = {
+ members = ["forgejo.admins"];
+ };
+ groups."forgejo.admins" = {
+ members = ["administrator"];
 };
 systems.oauth2.forgejo = {
 displayName = "Forgejo";
@@ -160,6 +155,18 @@ in {
 valuesByGroup."forgejo.admins" = ["admin"];
 };
 };
+
+ groups."netbird.access" = {
+ };
+ systems.oauth2.netbird = {
+ public = true;
+ displayName = "Netbird";
+ originUrl = "https://netbird.${config.secrets.secrets.global.domains.web}/";
+ preferShortUsername = true;
+ enableLocalhostRedirects = true;
+ enableLegacyCrypto = true;
+ scopeMaps."netbird.access" = ["openid" "email" "profile"];
+ };
 };
 };
 systemd.services.kanidm.serviceConfig.RestartSec = "60"; # Retry every minute
diff --git a/hosts/elisabeth/secrets/kanidm/secrets.nix.age b/hosts/elisabeth/secrets/kanidm/secrets.nix.age
index c807785..6542a28 100644
Binary files a/hosts/elisabeth/secrets/kanidm/secrets.nix.age and b/hosts/elisabeth/secrets/kanidm/secrets.nix.age differ
diff --git a/modules/kanidm.nix b/modules/kanidm.nix
index 1d1e767..16d92f9 100644
--- a/modules/kanidm.nix
+++ b/modules/kanidm.nix
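Review bot: `enableLegacyCrypto = true` on the new `systems.oauth2.netbird` client in the last hunk switches token signing to RS256, which the module option itself labels legacy crypto, and nothing on that line records why Netbird needs the downgrade; add a why-comment so it is revisited rather than copied into the next client, e.g. `enableLegacyCrypto = true; # NOTE(review): Netbird appears to require RS256-signed tokens — confirm, and drop once it accepts kanidm's default algorithm`. `enableLocalhostRedirects = true` likewise widens the accepted redirect URIs to loopback addresses for this public client, and a short comment naming the native/CLI login flow that depends on it would make that exposure explicit. As a second observation, `groups."oauth2-proxy.access"` is deleted in the first hunk but, unlike `rss.access` and `adguardhome.access` which are only moved, is not re-created anywhere in this diff, so if the oauth2-proxy system's scopeMaps (outside the shown lines) still reference it, that scope map now points at a group that is no longer provisioned. The enclosing `provision` attribute set begins above the first hunk.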
@@ -450,6 +450,12 @@ in {
 options = {
 present = mkPresentOption "oauth2 resource server";
+ public = mkOption {
+ description = "Whether this is a public client (enforces PKCE, doesn't use a basic secret)";
+ type = types.bool;
+ default = false;
+ };
+
 displayName = mkOption {
 description = "Display name";
 type = types.str;
@@ -479,10 +485,23 @@ in {
 default = null;
 };
+ enableLocalhostRedirects = mkOption {
+ description = "Allow localhost redirects. Only for public clients.";
+ type = types.bool;
+ default = false;
+ };
+
+ enableLegacyCrypto = mkOption {
+ description = "Enable legacy crypto on this client. Allows JWT signing algorthms like RS256.";
+ type = types.bool;
+ default = false;
+ };
+
 allowInsecureClientDisablePkce = mkOption {
 description = ''
 Disable PKCE on this oauth2 resource server to work around insecure clients that may not support it. You should request the client to enable PKCE!
+ Only for non-public clients.
 '';
 type = types.bool;
 default = false;
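Review bot: The `enableLegacyCrypto` description in the second hunk has a typo (`algorthms`) and, more importantly, does not tell the admin that this is a deliberate security downgrade rather than a compatibility toggle; change it to `description = "Enable legacy crypto on this client. Allows JWT signing algorithms like RS256 instead of the algorithm kanidm uses by default; only enable for clients that cannot verify the default tokens.";`. The `public` description could similarly state the consequences the module enforces elsewhere, e.g. `description = "Whether this is a public client (enforces PKCE, cannot use a basic secret; required for localhost redirects)";`, so the rules are discoverable from the option docs and not only from assertion failures. The provisioning code that has to pass these three flags through to kanidm (creating the client as public, enabling localhost redirects and legacy crypto) is not part of this chunk, so whether the server-side behaviour matches the option descriptions cannot be confirmed from here. The enclosing `options` set runs past the end of the hunk.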
@@ -681,6 +700,21 @@ in {
 assertion = (cfg.provision.enable && cfg.enableServer) -> any (xs: xs != []) (attrValues claimCfg.valuesByGroup);
 message = "services.kanidm.provision.systems.oauth2.${oauth2}.claimMaps.${claim} does not specify any values for any group";
 }
+ # Public clients cannot define a basic secret
+ {
+ assertion = (cfg.provision.enable && cfg.enableServer && oauth2Cfg.public) -> oauth2Cfg.basicSecretFile == null;
+ message = "services.kanidm.provision.systems.oauth2.${oauth2} is a public client and thus cannot specify a basic secret";
+ }
+ # Public clients cannot disable PKCE
+ {
+ assertion = (cfg.provision.enable && cfg.enableServer && oauth2Cfg.public) -> !oauth2Cfg.allowInsecureClientDisablePkce;
+ message = "services.kanidm.provision.systems.oauth2.${oauth2} is a public client and thus cannot disable PKCE";
+ }
+ # Non-public clients cannot enable localhost redirects
+ {
+ assertion = (cfg.provision.enable && cfg.enableServer && !oauth2Cfg.public) -> !oauth2Cfg.enableLocalhostRedirects;
+ message = "services.kanidm.provision.systems.oauth2.${oauth2} is a non-public client and thus cannot enable localhost redirects";
+ }
 ])) ));
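Review bot: The three new assertions each repeat the guard `cfg.provision.enable && cfg.enableServer` that the existing claim-map assertion above them also spells out; binding it once, e.g. `let provisioning = cfg.provision.enable && cfg.enableServer; in` around the assertion list and then writing `assertion = (provisioning && oauth2Cfg.public) -> oauth2Cfg.basicSecretFile == null;`, would keep the public/non-public rules readable as more are added. The rules themselves are the right shape — cheap, evaluation-time, and they fail the build before a misconfigured client reaches the server — so it is worth a one-line comment above the group stating their intent so nobody relaxes them later, e.g. `# Public clients: no client secret and PKCE always on; localhost redirects are a public-client-only feature`. The `mapAttrsToList` that binds `oauth2Cfg` and encloses these entries starts above the hunk, and the trailing `])) ));` closes lists opened outside it.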