diff --git a/modules/meta/oauth2-proxy.nix b/modules/meta/oauth2-proxy.nix
index f0efa55..bb03f6a 100644
--- a/modules/meta/oauth2-proxy.nix
+++ b/modules/meta/oauth2-proxy.nix
@@ -10,6 +10,7 @@
 flip
 mapAttrs
 mdDoc
+ mkDefault
 mkEnableOption
 mkIf
 mkOption
@@ -103,7 +104,9 @@ in {
 # reuses refresh tokens but kanidm forbids that. Not sure though.
 #cookie.refresh = "5m";
 cookie.expire = "30m";
+ cookie.secret = mkDefault null;
+ clientSecret = mkDefault null;
 reverseProxy = true;
 httpAddress = "unix:///run/oauth2_proxy/oauth2_proxy.sock";
 redirectURL = "https://${cfg.portalDomain}/oauth2/callback";
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 354ee9f..ee5d601 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -2,6 +2,28 @@
 (import ./caddy.nix)
 (import ./oauth2-proxy)
 (self: super: {
- kanidm-secret-manipulator = self.callPackage ./kanidm-secret-manipulator.nix {};
+ grafana = super.grafana.overrideAttrs (finalAttrs: previousAttrs: {
+ srcStatic = super.fetchurl {
+ url = "https://dl.grafana.com/oss/release/grafana-${previousAttrs.version}.linux-amd64.tar.gz";
+ hash = "sha256-QFRahjDyL7BNikK2cCsFLfu4/odDbkCxplf6f7yCezE=";
+ };
+ });
+ kanidm-secret-manipulator = super.callPackage ./kanidm-secret-manipulator.nix {};
+ kanidm = super.kanidm.overrideAttrs (finalAttrs: previousAttrs: {
+ patches = [
+ (super.fetchpatch {
+ name = "group-list-json-output.patch";
+ url = "https://patch-diff.githubusercontent.com/raw/kanidm/kanidm/pull/2016.patch";
+ hash = "sha256-gc75KBzhth4fZvuvRa3Rjg1J7DIGy25mzUPCf2aha80=";
+ })
+ (super.fetchpatch {
+ name = "person-and-oauth-json-output.patch";
+ url = "https://patch-diff.githubusercontent.com/raw/kanidm/kanidm/pull/2017.patch";
+ hash = "sha256-fZgJ7dY2LHvBi64A/6o7kfArUAsLqjWRRpH2q1GL5ic=";
+ })
+ ];
+
+ doCheck = false;
+ });
 })
 ]
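Review bot: With `cookie.secret` and `clientSecret` now defaulting to null in the second hunk of modules/meta/oauth2-proxy.nix, nothing visible checks that the two secrets are supplied some other way, and nothing records why they are null. A comment such as `# secrets stay null so they never land in the world-readable Nix store; they are supplied at runtime from a secret file` would state the intent. Because both use `mkDefault`, a downstream config can still assign a literal string, which would be written to the store. Presumably the module should assert that a runtime secret source (for example the service's `keyFile` option) is configured whenever these are null; confirm against the rest of the module, since the attribute set starts and ends outside the hunk.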
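Review bot: In pkgs/default.nix, `doCheck = false;` turns off kanidm's test suite for exactly the build that carries two out-of-tree patches, so a regression they introduce in the identity provider would not be caught at build time. If the tests are disabled only because they fail or are slow in the sandbox, say so next to the line, e.g. `# tests disabled: <reason>; drop together with the patches`. Both `fetchpatch` URLs point at pull-request heads (`pull/2016.patch`, `pull/2017.patch`), which change whenever the PR is updated; the pinned hashes turn that into a build failure instead of a silent change, but a commit-pinned patch URL would keep the build reproducible. Likewise the grafana `srcStatic` URL follows `previousAttrs.version` while its hash is fixed, so a comment naming the version the hash belongs to would make the next nixpkgs bump easier to diagnose.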