diff --git a/config/services/firefly.nix b/config/services/firefly.nix
index 5c629cc..537cca3 100644
--- a/config/services/firefly.nix
+++ b/config/services/firefly.nix
@@ -26,6 +26,9 @@
       TRUSTED_PROXIES = nodes.elisabeth.config.wireguard.elisabeth.ipv4;
       SITE_OWNER = "firefly-admin@${config.secrets.secrets.global.domains.mail_public}";
       APP_KEY_FILE = config.age.secrets.appKey.path;
+      AUTHENTICATION_GUARD = "remote_user_guard";
+      AUTHENTICATION_GUARD_HEADER = "X-User";
+      AUTHENTICATION_GUARD_EMAIL = "X-Email";
     };
   };
diff --git a/config/services/kanidm.nix b/config/services/kanidm.nix
index 6f2fc4b..408a38f 100644
--- a/config/services/kanidm.nix
+++ b/config/services/kanidm.nix
@@ -121,6 +121,7 @@ in {
     };
     groups."rss.access" = {};
+    groups."firefly.access" = {};
     groups."adguardhome.access" = {
     };
     systems.oauth2.oauth2-proxy = {
@@ -129,11 +130,13 @@ in {
       basicSecretFile = config.age.secrets.oauth2-proxy.path;
       scopeMaps."adguardhome.access" = ["openid" "email" "profile"];
       scopeMaps."rss.access" = ["openid" "email" "profile"];
+      scopeMaps."firefly.access" = ["openid" "email" "profile"];
       preferShortUsername = true;
       claimMaps.groups = {
         joinType = "array";
         valuesByGroup."adguardhome.access" = ["adguardhome_access"];
         valuesByGroup."rss.access" = ["ttrss_access"];
+        valuesByGroup."firefly.access" = ["firefly_access"];
       };
     };
diff --git a/hosts/elisabeth/guests.nix b/hosts/elisabeth/guests.nix
index 032bc9d..4e52ae4 100644
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@@ -70,7 +70,7 @@ in {
           # pass information via X-User and X-Email headers to backend,
           # requires running with --set-xauthrequest flag
-          auth_request_set $user $upstream_http_x_auth_request_user;
+          auth_request_set $user $upstream_http_x_auth_request_preferred_username;
           auth_request_set $email $upstream_http_x_auth_request_email;
           proxy_set_header X-User $user;
           proxy_set_header X-Email $email;
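Review bot: `AUTHENTICATION_GUARD = "remote_user_guard"` makes Firefly accept whoever is named in the `X-User` header as an already-authenticated user, so any path to the Firefly port that does not go through the nginx `auth_request` location (a direct connection from the host network, another guest, or a future listener) becomes an unauthenticated login as an arbitrary account. `TRUSTED_PROXIES` on the line above only governs `X-Forwarded-*` handling and does not restrict who may present the guard header; the hunk shows no firewall or bind-address restriction, so that must exist elsewhere or be added. I would record the invariant next to the new lines: `# remote_user_guard trusts X-User unconditionally: this port must only be reachable from the proxy that sets it`. Two things to verify rather than assume: Firefly's remote-user guard, as far as I recall, provisions an account for an unknown header value, and PHP normally exposes a custom header as `HTTP_X_USER`, so confirm the bare `X-User` name resolves in this deployment. The attribute set continues outside the hunk.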
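Review bot: The `firefly_access` claim added in the `valuesByGroup` hunk (and the `scopeMaps."firefly.access"` line above it) is emitted but nothing in this diff consumes it; unless `proxyProtect` in guests.nix configures oauth2-proxy to require that group for the firefly vhost, every account that oauth2-proxy already authenticates for ttrss or adguardhome will also pass the auth_request for Firefly and be logged in via the remote-user guard. The `groups."firefly.access" = {}` hunk creates the group without members, which is fine for a first commit but means the claim is never present until someone is added. A one-line comment on the `valuesByGroup` line would keep the intent visible: `# enforced by oauth2-proxy allowed-groups on the firefly vhost, see hosts/elisabeth/guests.nix`, adjusted to wherever the check actually lives. The `systems.oauth2.oauth2-proxy` block starts and ends outside the hunks.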
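Review bot: Switching `$user` from `$upstream_http_x_auth_request_user` to `$upstream_http_x_auth_request_preferred_username` changes the identity string that every backend behind this snippet receives in `X-User`, not only Firefly; if this nginx block is shared by the other `proxyProtect` services (ttrss, adguardhome), accounts there that were keyed on the old value may stop matching. The `preferred_username` header is only populated when the token carries that claim, so a missing claim yields an empty `$user` and an empty `X-User` reaching a backend that treats the header as authentication. Rejecting that case before proxying, with `if ($user = "") { return 403; }` placed before the `proxy_set_header` lines, keeps an empty identity from being forwarded, and the comment above the change should say why the claim was chosen: `# preferred_username matches Kanidm's preferShortUsername so Firefly accounts are keyed on the short name`. The enclosing location block starts and ends outside the hunk.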
@@ -160,7 +160,9 @@ in {
           (blockOf "paperless" {maxBodySize = "5G";})
           (proxyProtect "ttrss" {port = 80;} true)
           (blockOf "yourspotify" {port = 80;})
-          (blockOf "firefly" {port = 80;})
+          ((proxyProtect "firefly" {port = 80;} true)
+            // {
+            })
           (blockOf "apispotify" {
             port = 3000;
             upstream = "yourspotify";
diff --git a/hosts/elisabeth/secrets/kanidm/secrets.nix.age b/hosts/elisabeth/secrets/kanidm/secrets.nix.age
index 6542a28..8144c56 100644
Binary files a/hosts/elisabeth/secrets/kanidm/secrets.nix.age and b/hosts/elisabeth/secrets/kanidm/secrets.nix.age differ
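Review bot: The `// { }` merge with an empty attribute set on the new firefly entry is a no-op and reads like an unfinished override; it should either be dropped, leaving `(proxyProtect "firefly" {port = 80;} true)` on the same shape as the ttrss line above it, or hold whatever was intended (presumably the group restriction or extra headers Firefly needs). The trailing `true` argument is the same as for ttrss, but its meaning is not visible here, so a short comment on what it enables would help the next reader decide whether Firefly should share it. The list this entry sits in starts and ends outside the hunk.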