diff --git a/hosts/ward/microvms/kanidm.nix b/hosts/ward/microvms/kanidm.nix
index c114882..45e5d93 100644
--- a/hosts/ward/microvms/kanidm.nix
+++ b/hosts/ward/microvms/kanidm.nix
@@ -98,7 +98,7 @@ in {
 groups."grafana.server-admins" = {};
 systems.oauth2.grafana = {
 displayName = "Grafana";
- originUrl = "https://${config.networking.providedDomains.grafana}";
+ originUrl = "https://${sentinelCfg.networking.providedDomains.grafana}";
 basicSecretFile = config.age.secrets.kanidm-oauth2-grafana.path;
 scopeMaps.grafana = ["openid" "email" "profile"];
 supplementaryScopeMaps = {
@@ -113,7 +113,7 @@ in {
 groups."forgejo.admins" = {};
 systems.oauth2.forgejo = {
 displayName = "Forgejo";
- originUrl = "https://${config.networking.providedDomains.forgejo}";
+ originUrl = "https://${sentinelCfg.networking.providedDomains.forgejo}";
 basicSecretFile = config.age.secrets.kanidm-oauth2-forgejo.path;
 scopeMaps.forgejo = ["openid" "email" "profile"];
 supplementaryScopeMaps = {
@@ -126,6 +126,7 @@ in {
 # Web Sentinel
 groups.web-sentinel = {};
 groups."web-sentinel.adguardhome" = {};
+ groups."web-sentinel.influxdb" = {};
 systems.oauth2.web-sentinel = {
 displayName = "Web Sentinel";
 originUrl = "https://oauth2.${personalDomain}";
diff --git a/modules/meta/kanidm.nix b/modules/meta/kanidm.nix
index 78f0d6f..8037aef 100644
--- a/modules/meta/kanidm.nix
+++ b/modules/meta/kanidm.nix
@@ -619,7 +619,7 @@ in {
 unknownGroups = subtractLists (attrNames cfg.provision.groups) personCfg.groups;
 in {
 assertion = (cfg.enableServer && cfg.provision.enable) -> unknownGroups == [];
- message = "kanidm: provision.persons.${person}.groups: Refers to unknown groups: ${unknownGroups}";
+ message = "kanidm: provision.persons.${person}.groups: Refers to unknown groups: ${toString unknownGroups}";
 })
 ++ concatLists (flip mapAttrsToList cfg.provision.systems.oauth2 (oauth2: oauth2Cfg: [
 {
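Review bot: The `originUrl` of the grafana client, and of the forgejo client in the next hunk, now comes from `sentinelCfg` rather than this host's own `config`, and neither site says why. Kanidm uses this origin to decide where the client may be redirected after login, so the source of the value deserves a comment; if the intent is that the sentinel host owns the public domains, something like `# public domain is declared on the sentinel host; must match the URL users actually reach` would do. `sentinelCfg` is bound outside the hunk, so whether it always refers to the intended host cannot be checked here. The Web Sentinel client in the third hunk still builds its origin from `personalDomain`, which is worth either aligning or explaining.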
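Review bot: `toString` on a list joins its elements with single spaces, so the assertion message for `provision.persons` (and the `scopeMaps` and `supplementaryScopeMaps` messages in the following hunk) prints the unknown groups as a bare space-separated run; `${builtins.concatStringsSep ", " unknownGroups}` would read more clearly. These three assertions differ only in the option path and the list being checked, so a small local helper taking those two values would keep the messages from drifting apart again. The surrounding list of assertions starts and ends outside the hunk.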
@@ -630,13 +630,13 @@ in {
 unknownGroups = subtractLists (attrNames cfg.provision.groups) (attrNames oauth2Cfg.scopeMaps);
 in {
 assertion = (cfg.enableServer && cfg.provision.enable) -> unknownGroups == [];
- message = "kanidm: provision.systems.oauth2.${oauth2}.scopeMaps: Refers to unknown groups: ${unknownGroups}";
+ message = "kanidm: provision.systems.oauth2.${oauth2}.scopeMaps: Refers to unknown groups: ${toString unknownGroups}";
 })
 (let
 unknownGroups = subtractLists (attrNames cfg.provision.groups) (attrNames oauth2Cfg.supplementaryScopeMaps);
 in {
 assertion = (cfg.enableServer && cfg.provision.enable) -> unknownGroups == [];
- message = "kanidm: provision.systems.oauth2.${oauth2}.supplementaryScopeMaps: Refers to unknown groups: ${unknownGroups}";
+ message = "kanidm: provision.systems.oauth2.${oauth2}.supplementaryScopeMaps: Refers to unknown groups: ${toString unknownGroups}";
 })
 ]));
diff --git a/secrets/global.nix.age b/secrets/global.nix.age
index 1ffc656..309acb0 100644
Binary files a/secrets/global.nix.age and b/secrets/global.nix.age differ