diff --git a/hosts/nuc/modules/seafile/default.nix b/hosts/nuc/modules/seafile/default.nix
index fb8dca0..0ec6ef0 100644
--- a/hosts/nuc/modules/seafile/default.nix
+++ b/hosts/nuc/modules/seafile/default.nix
@@ -3,13 +3,38 @@ let
 domain = "seafile.${config.networking.domain}";
 in
 {
+ age.secrets."seafile/oidc-secret" = {
+ file = ../../../../secrets/nuc/seafile/oidc-secret.age;
+ mode = "0440";
+ group = "seafile";
+ };
 services.seafile = {
 enable = true;
- adminEmail = "rouven@rfive.de";
+ adminEmail = "admin@rfive.de";
 initialAdminPassword = "unused garbage";
 ccnetSettings.General.SERVICE_URL = "https://${domain}";
 ccnetSettings.General.FILE_SERVER_ROOT = "https://${domain}/seafhttp";
 seafileSettings.fileserver.port = 8083;
+ seahubExtraConf = ''
+ ENABLE_OAUTH = True
+ OAUTH_ENABLE_INSECURE_TRANSPORT = True
+
+ OAUTH_CLIENT_ID = "seafile"
+ with open('${config.age.secrets."seafile/oidc-secret".path}') as f:
+ OAUTH_CLIENT_SECRET = f.readline().rstrip()
+ OAUTH_REDIRECT_URL = 'https://seafile.rfive.de/oauth/callback/'
+
+ OAUTH_PROVIDER_DOMAIN = 'seafile.rfive.de'
+ OAUTH_AUTHORIZATION_URL = 'https://auth.rfive.de/realms/master/protocol/openid-connect/auth'
+ OAUTH_TOKEN_URL = 'https://auth.rfive.de/realms/master/protocol/openid-connect/token'
+ OAUTH_USER_INFO_URL = 'https://auth.rfive.de/realms/master/protocol/openid-connect/userinfo'
+ OAUTH_SCOPE = [ "openid", "profile", "email"]
+ OAUTH_ATTRIBUTE_MAP = {
+ "id": (False, "not used"),
+ "name": (False, "full name"),
+ "email": (True, "email"),
+ }
+ '';
 };
 services.nginx.virtualHosts."${domain}" = {
 locations."/" = {
@@ -24,5 +49,8 @@ in
 locations."/media" = {
 root = pkgs.seahub;
 };
+ locations."/accounts/login" = {
+ return = "301 /oauth/login";
+ };
 };
 }
diff --git a/secrets.nix b/secrets.nix
index f73f67b..8e11522 100644
--- a/secrets.nix
+++ b/secrets.nix
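Review bot: `OAUTH_ENABLE_INSECURE_TRANSPORT = True` in the new `seahubExtraConf` should be dropped: every provider endpoint and the redirect URL in the same block are already `https://`, and as far as I recall this setting is what Seahub uses to switch off the OAuth library's HTTPS requirement, so it only buys the ability for a misconfigured or downgraded authorization-code/token exchange to run over plain HTTP where the client secret and code would be exposed. Leave it absent (or `False`) and fix the underlying URL if something actually fails. Separately, `OAUTH_REDIRECT_URL` and `OAUTH_PROVIDER_DOMAIN` hardcode `seafile.rfive.de` while this same file derives `domain` from `config.networking.domain` and uses it for `SERVICE_URL`; `OAUTH_REDIRECT_URL = 'https://${domain}/oauth/callback/'` keeps them consistent, since a host mismatch between the registered redirect and the served name breaks the callback silently. The provider URLs point at Keycloak's `master` realm, which is normally reserved for administrators, and the map ties Seafile accounts to the `email` claim, so every master-realm account becomes a Seafile login and any user able to set an unverified email there can take over the matching Seafile account; if that is intentional, a comment on the block saying the realm enforces verified, unique emails would help, otherwise a dedicated realm is safer.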
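Review bot: `return = "301 /oauth/login"` uses a permanent redirect and drops the query string: browsers cache a 301, so if the OIDC flow is later disabled or this location is removed, clients keep being sent to `/oauth/login`, and Seahub's `?next=` parameter on the login URL is lost because nginx's `return` does not append `$args`. `return = "302 /oauth/login$is_args$args";` preserves the deep link and stays revertible. Note also that this removes the only route to the local login form, including for the admin account created from `initialAdminPassword`, so there is no break-glass login if Keycloak is unreachable; if that is acceptable, a one-line comment on the location block stating it would help the next reader. The enclosing `services.nginx.virtualHosts` attrset starts before this hunk.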
@@ -22,6 +22,7 @@ in
 "secrets/nuc/vaultwarden.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/keycloak/db.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/cache.age".publicKeys = [ rouven nuc ];
+ "secrets/nuc/seafile/oidc-secret.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/borg/key.age".publicKeys = [ rouven nuc ];
diff --git a/secrets/nuc/seafile/oidc-secret.age b/secrets/nuc/seafile/oidc-secret.age
new file mode 100644
index 0000000..07c0f6c
Binary files /dev/null and b/secrets/nuc/seafile/oidc-secret.age differ