diff --git a/hosts/sire/guests/ai.nix b/hosts/sire/guests/ai.nix
index e559c56..df732f5 100644
--- a/hosts/sire/guests/ai.nix
+++ b/hosts/sire/guests/ai.nix
@@ -44,11 +44,13 @@ in {
 OLLAMA_BASE_URL = "http://localhgost:11434";
 TRANSFORMERS_CACHE = "/var/lib/open-webui/.cache/huggingface";
+
+ WEBUI_AUTH_TRUSTED_EMAIL_HEADER = "X-Email";
 };
 };
 globals.services.open-webui.domain = openWebuiDomain;
- nodes.ward-web-proxy = {
+ nodes.sentinel = {
 services.nginx = {
 upstreams.open-webui = {
 servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.open-webui.port}" = {};
@@ -60,8 +62,11 @@ in {
 virtualHosts.${openWebuiDomain} = {
 forceSSL = true;
 useACMEWildcardHost = true;
- oauth2.enable = true;
- oauth2.allowedGroups = ["access_openwebui"];
+ oauth2 = {
+ enable = true;
+ allowedGroups = ["access_openwebui"];
+ X-Email = "\${upstream_http_x_auth_request_email}@local";
+ };
 # FIXME: refer to lan 192.168... and fd10:: via globals
 extraConfig = ''
 client_max_body_size 512M;
diff --git a/modules/oauth2-proxy.nix b/modules/oauth2-proxy.nix
index 55e431e..28c1641 100644
--- a/modules/oauth2-proxy.nix
+++ b/modules/oauth2-proxy.nix
@@ -42,6 +42,16 @@ in {
 empty list to allow any authenticated client.
 '';
 };
+ X-User = mkOption {
+ type = types.str;
+ default = "$upstream_http_x_auth_request_preferred_username";
+ description = "The variable to set as X-User";
+ };
+ X-Email = mkOption {
+ type = types.str;
+ default = "$upstream_http_x_auth_request_email";
+ description = "The variable to set as X-User";
+ };
 };
 config = mkIf config.oauth2.enable {
 extraConfig = ''
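Review bot: Setting `WEBUI_AUTH_TRUSTED_EMAIL_HEADER = "X-Email"` makes that header the login credential, so any request that reaches `services.open-webui.port` without passing through the sentinel nginx is treated as whatever identity the header names. The hunk addresses the upstream via `config.wireguard.proxy-home.ipv4`, but nothing visible here restricts the listener or firewall to that proxy peer, and that restriction is now load-bearing; it deserves a comment beside the option, e.g. `# header-trust login: the open-webui port must be reachable only from the proxy node that sets X-Email`. The context line `OLLAMA_BASE_URL = "http://localhgost:11434"` carries a pre-existing typo (`localhgost`) that this commit leaves in place. The enclosing attribute set begins before the hunk.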
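Review bot: `X-Email = "\${upstream_http_x_auth_request_email}@local"` changes the address Open WebUI will see as the account identity, and nothing explains the `@local` suffix or that `\${` exists to keep Nix from interpolating what must reach nginx as `${upstream_http_x_auth_request_email}@local`. A later edit that drops the backslash or the suffix would presumably remap every existing account, so the intent should be recorded, e.g. `# "\${" leaves this as an nginx variable reference (not Nix interpolation); the "@local" suffix is deliberate — document why before changing it`. The virtualHost block this sits in continues past the end of the hunk.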
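Review bot: The `X-Email` option's description reads `"The variable to set as X-User"`, a copy of the line above; it should be `description = "The variable to set as X-Email";`. The `X-User` default is `$upstream_http_x_auth_request_preferred_username`, whereas the line removed in the next hunk used `$upstream_http_x_auth_request_user`, so every host that enables `oauth2` without overriding the option now forwards a different X-User value than before — that behavioral change belongs in the description or the commit message. Both descriptions should also state that the value is an nginx expression spliced verbatim into `auth_request_set`, since `types.str` accepts any string.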
@@ -50,8 +60,8 @@ in {
 # pass information via X-User and X-Email headers to backend,
 # requires running with --set-xauthrequest flag
- auth_request_set $user $upstream_http_x_auth_request_user;
- auth_request_set $email $upstream_http_x_auth_request_email;
+ auth_request_set $user ${config.oauth2.X-User};
+ auth_request_set $email ${config.oauth2.X-Email};
 proxy_set_header X-User $user;
 proxy_set_header X-Email $email;
@@ -61,6 +71,7 @@ in {
 '';
 locations."@redirectToAuth2ProxyLogin" = {
+ # FIXME: allow refering to another node for the portaldomain
 return = "307 https://${cfg.portalDomain}/oauth2/start?rd=$scheme://$host$request_uri";
 extraConfig = ''
 auth_request off;
diff --git a/secrets/global.nix.age b/secrets/global.nix.age
index 693d35b..388b29b 100644
Binary files a/secrets/global.nix.age and b/secrets/global.nix.age differ
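Review bot: `proxy_set_header X-Email $email` is what overwrites any client-supplied X-Email before it reaches the backend, and now that `ai.nix` configures Open WebUI to trust that header, this line is the only control keeping an external request from choosing its own identity. nginx inherits `proxy_set_header` from the enclosing level only when a location declares none of its own, so any location under this virtual host that adds its own `proxy_set_header` silently loses the overwrite; the comment above the `auth_request_set` lines should say so, e.g. `# SECURITY: backends may authenticate on X-Email alone; a location that declares its own proxy_set_header stops inheriting these two lines and must repeat them`. The `extraConfig` string this hunk belongs to begins and ends outside the hunk.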