diff --git a/hosts/sentinel/oauth2.nix b/hosts/sentinel/oauth2.nix index 19ff6f2..48f6109 100644 --- a/hosts/sentinel/oauth2.nix +++ b/hosts/sentinel/oauth2.nix @@ -46,7 +46,6 @@ redeemURL = "https://${config.networking.providedDomains.kanidm}/oauth2/token"; validateURL = "https://${config.networking.providedDomains.kanidm}/oauth2/openid/${clientId}/userinfo"; clientID = clientId; - keyFile = config.age.secrets.oauth2-cookie-secret.path; email.domains = ["*"]; extraConfig = { @@ -55,4 +54,9 @@ #skip-provider-button = true; }; }; + + systemd.services.oauth2_proxy.serviceConfig.EnvironmentFile = [ + config.age.secrets.oauth2-cookie-secret.path + config.age.secrets.oauth2-client-secret.path + ]; } diff --git a/secrets/generated/sentinel/oauth2-client-secret.age b/secrets/generated/sentinel/oauth2-client-secret.age new file mode 100644 index 0000000..44188cc --- /dev/null +++ b/secrets/generated/sentinel/oauth2-client-secret.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 5TjTxQw48pHP3ns0GRrkVjHedoEnu82sv/5OtYZBFyM +y3iPeOI5oGzTG+cZmIhFeOlvYVSbq+ISJq1XG7ouL00 +-> piv-p256 xqSe8Q ArPaLs8WYjgMN+kOzXDEsiCBvqdjU/WVmFGsU9hSn5oz +HYpOCs8Mysegzk0VJ5i4yYxAV95s/B0RIb3opvGpFlo +-> O[]-grease 1TcN!PY +LArbTZLib5yBGl70FKw3Sfsy3LWfvcvDJCCCeHmn9j26hQx+NGIsj/KJ00cN/zb7 +zj9v2QZZqOFafyUT7t3rdqkK +--- 9uRRxrzXDJ65tOb3Y13LGGyovnN+Se2x781QCDEHpz0 +6æp>Jot_/*zxvő˥ҷFS LGmʵA\;ؼ! ,E#XNzyG~0$-S \ No newline at end of file diff --git a/secrets/generated/ward-kanidm/kanidm-oauth2-forgejo.age b/secrets/generated/ward-kanidm/kanidm-oauth2-forgejo.age new file mode 100644 index 0000000..f4d41aa --- /dev/null +++ b/secrets/generated/ward-kanidm/kanidm-oauth2-forgejo.age 
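Review bot: The two files added to `EnvironmentFile` in the second hunk (`@@ -55,4 +54,9 @@`) are only useful if their decrypted contents are in systemd's `KEY=VALUE` form (`OAUTH2_PROXY_COOKIE_SECRET=...`, `OAUTH2_PROXY_CLIENT_SECRET=...`); a bare secret value is silently ignored by systemd, and oauth2-proxy would then start without a client secret rather than fail loudly. The generator for `secrets/generated/sentinel/oauth2-client-secret.age` is not visible in this diff, so this is an assumption to confirm — the old `keyFile` path already had the same requirement, which suggests the cookie file is fine, but the new client-secret file is the one to check. Consider documenting the contract next to the option, e.g. `# Both files must be in systemd EnvironmentFile form: OAUTH2_PROXY_CLIENT_SECRET=... / OAUTH2_PROXY_COOKIE_SECRET=...`. Note that `EnvironmentFile` is read by the service manager, so the decrypted files can stay root-owned 0400 and need not be readable by the oauth2_proxy user. The enclosing attribute set and the `@@ -46,7 +46,6 @@` hunk's removal of `keyFile` are consistent with this, since the module would otherwise also set `EnvironmentFile` from `keyFile`.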
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> X25519 6svR9FxeCfNCAHbxLZhh83mQTcmPKYRcIQovBFF15TI +vWV7btlmt0CvRX1iBBh+s1Sy0gI+XPIDQWlHct2T6k8 +-> piv-p256 xqSe8Q AjJtyH+kwD0KROHPs6hmZfCFDGM9MH79URrmKcD0HXzr +JqlKNTOXebzG6iH6BYQ2nteiQEsunl0eWrTLkN/w2fE +-> jU-grease Q7, Tgb +CJ9w/mvrGz9ZTjj7H2anoA3Y70tFeoWQbXzKZUPHPG17OuB3lcIVEXMoruvV02eZ +nid+JBBulFiOqaatm+yL7DGt08nKfGm+YSS55R7LDGipmp5maDotqIRbm2w +--- 8c/0zJWpfnsDr0hAVs8Zl3Wo0F/jVOw3Dvi6rUDlpv0 +]Mő5Mb+} +[z|SfP/m6^927p E?l;C5f"B, \ No newline at end of file diff --git a/secrets/generated/ward-kanidm/kanidm-oauth2-grafana.age b/secrets/generated/ward-kanidm/kanidm-oauth2-grafana.age new file mode 100644 index 0000000..1ff6cd2 Binary files /dev/null and b/secrets/generated/ward-kanidm/kanidm-oauth2-grafana.age differ diff --git a/secrets/generated/ward-kanidm/kanidm-oauth2-web-sentinel.age b/secrets/generated/ward-kanidm/kanidm-oauth2-web-sentinel.age new file mode 100644 index 0000000..0bd3cc5 --- /dev/null +++ b/secrets/generated/ward-kanidm/kanidm-oauth2-web-sentinel.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 YpfsXOubxJqRA44WEtm4+DleuReMP3OXiCGNQLpwkGg +rrL3eqaG0GzvOBnqB09BuUosAkq4EQs1fF4Qe+p5csE +-> piv-p256 xqSe8Q Agz+luMhbrLq1vZdQg6FCxyp08Jhn0/H6zKJkl9xpcQw +5hjyXxHmOW1JW0fr2/BRI/lDLuOFqZHESUYrpPlSSyY +-> f@