diff --git a/flake.lock b/flake.lock
index a9982ca..c88c337 100644
--- a/flake.lock
+++ b/flake.lock
@@ -581,11 +581,11 @@
 },
 "nixpkgs-master": {
 "locked": {
- "lastModified": 1724505469,
- "narHash": "sha256-U0KAINJreo0RbZ2QbA4Y5EhWO7XERFRlkJdrRIncjn8=",
+ "lastModified": 1726071952,
+ "narHash": "sha256-HBTpIZFHQ2rgMdLOquGk4GbAU1lnyzukRYLj4dHWxTg=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "59fbe04a3baa1011fe9f6eb00a1afb7db5179933",
+ "rev": "182ffe0f2da71206de247c535ace12659a0a62b5",
 "type": "github"
 },
 "original": {
@@ -597,11 +597,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1724224976,
- "narHash": "sha256-Z/ELQhrSd7bMzTO8r7NZgi9g5emh+aRKoCdaAv5fiO0=",
+ "lastModified": 1725983898,
+ "narHash": "sha256-4b3A9zPpxAxLnkF9MawJNHDtOOl6ruL0r6Og1TEDGCE=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "c374d94f1536013ca8e92341b540eba4c22f9c62",
+ "rev": "1355a0cbfeac61d785b7183c0caaec1f97361b43",
 "type": "github"
 },
 "original": {
@@ -645,11 +645,11 @@
 },
 "nixpkgs_4": {
 "locked": {
- "lastModified": 1724316499,
- "narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=",
+ "lastModified": 1725930920,
+ "narHash": "sha256-RVhD9hnlTT2nJzPHlAqrWqCkA7T6CYrP41IoVRkciZM=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841",
+ "rev": "44a71ff39c182edaf25a7ace5c9454e7cba2c658",
 "type": "github"
 },
 "original": {
diff --git a/hosts/pie/.env.firefly b/hosts/pie/.env.firefly
index be16ce7..d74c104 100644
--- a/hosts/pie/.env.firefly
+++ b/hosts/pie/.env.firefly
@@ -149,13 +149,13 @@ MAP_DEFAULT_ZOOM=6
 #
 # LDAP is no longer supported :(
 #
-AUTHENTICATION_GUARD=web
+AUTHENTICATION_GUARD=remote_user_guard
 #
 # Remote user guard settings
 #
 AUTHENTICATION_GUARD_HEADER=REMOTE_USER
-AUTHENTICATION_GUARD_EMAIL=
+AUTHENTICATION_GUARD_EMAIL=REMOTE_EMAIL
 #
 # Firefly III supports webhooks. These are security sensitive and must be enabled manually first.
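Review bot: Switching `AUTHENTICATION_GUARD` to `remote_user_guard` makes Firefly log in whoever is named in `REMOTE_USER` with no further check, so this hunk is only safe if every path to the Firefly container goes through the Authelia-protected reverse proxy and that proxy overwrites any client-supplied `REMOTE_USER`/`REMOTE_EMAIL`. Neither the proxy configuration nor the container's port exposure is part of this diff, so both need to be verified before this lands. Also confirm the variable names the guard actually sees: Firefly reads them from PHP's server variables, and depending on how the proxy forwards Authelia's headers they may arrive with an `HTTP_` prefix rather than as plain `REMOTE_USER`/`REMOTE_EMAIL`. A comment above the guard line would record the assumption for the next reader: `# Only safe behind the Authelia forward-auth proxy: the remote user guard trusts REMOTE_USER as-is.`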
diff --git a/hosts/pie/authelia.nix b/hosts/pie/authelia.nix index acb92d9..ce1e53e 100644 --- a/hosts/pie/authelia.nix +++ b/hosts/pie/authelia.nix @@ -9,6 +9,14 @@ with lib; let psCfg = config.pub-solar; xdg = config.home-manager.users."${psCfg.user.name}".xdg; in { + disabledModules = [ + "services/security/authelia.nix" + ]; + + imports = [ + "${flake.inputs.nixpkgs-master}/nixos/modules/services/security/authelia.nix" + ]; + age.secrets."authelia-storage-encryption-key" = { file = "${flake.self}/secrets/authelia-storage-encryption-key.age"; mode = "400"; @@ -83,6 +91,10 @@ in { oidcHmacSecretFile = config.age.secrets."authelia-oidc-hmac-secret".path; }; + environmentVariables = { + AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets."mail@b12f.io-password".path; + }; + settings = { theme = "light"; default_2fa_method = "webauthn"; @@ -111,17 +123,13 @@ in { } ]; notifier.smtp = { - host = "mail.b12f.io"; - port = 587; + address = "submission://mail.b12f.io:587"; username = "mail@b12f.io"; sender = "auth.b12f.io "; identifier = "auth@b12f.io"; subject = "[auth.b12f.io] {title}"; }; identity_providers.oidc = { - jwks = [{ - key = ''{{- fileContent "${config.age.secrets."authelia-jwks-private-key".path}" | nindent 8 }}''; - }]; authorization_policies = { admins = { default_policy = "deny"; @@ -130,20 +138,13 @@ in { subject = "group:admins"; }]; }; - jellyfin = { - default_policy = "deny"; - rules = [{ - policy = "two_factor"; - subject = "group:jellyfin-users"; - }]; - }; }; clients = [ { client_id = "jellyfin"; client_secret = "$pbkdf2-sha512$310000$koY0g1AqL.fEeQUJcE48SA$b9G4p7qquc6M9rSTnR.Ac3Le9KS25zbTN0aNiXT4sxag7Kstu4Pt66/sVlAh3lIS4CGjLcPA2GvjhXnapC.ziQ"; public = false; - authorization_policy = "jellyfin"; + authorization_policy = "admins"; require_pkce = true; pkce_challenge_method = "S256"; redirect_uris = [ "https://media.b12f.io/sso/OID/redirect/authelia" ]; 
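Review bot: The `disabledModules`/`imports` swap at the top of the first hunk carries no comment saying why the Authelia module is taken from `flake.inputs.nixpkgs-master` instead of the host's nixpkgs, which is exactly what a reader needs when deciding whether the override can be dropped. From the rest of this diff the reason appears to be the `environmentVariables` option and the `notifier.smtp.address` form used further down, together with the `authelia = master.authelia;` overlay, so the override should say so: `# Authelia module from nixpkgs-master: needed for environmentVariables and the current settings schema; drop once the host's nixpkgs provides them.` The enclosing attribute set continues past the end of the hunk.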
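Review bot: Dropping the templated `jwks` entry in the third hunk stops the issuer key from being inlined into the rendered configuration, which is an improvement, but it leaves `age.secrets."authelia-jwks-private-key"` with no remaining consumer that I can see in this diff. If that secret is still declared elsewhere in the file it is now decrypted onto the host for nothing and should be removed with this change (and its `.age` file retired), since the issuer key presumably now comes only from the regenerated `secrets/authelia-oidc-issuer-private-key.age` in this commit. The `identity_providers.oidc` block runs past the end of the hunk, so the declaration may well be out of view.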
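Review bot: Pointing the `jellyfin` client at `authorization_policy = "admins"` in the last hunk, after deleting the `jellyfin` policy, changes both who can log in and how strongly they must authenticate: the removed policy required `two_factor` for `group:jellyfin-users`, whereas `admins` only admits `group:admins` and the `policy` level of its single rule sits between the hunks, so a `one_factor` there would silently weaken the Jellyfin login while also locking out every non-admin user. If admin-only access is the intent, a one-line comment on the client would stop the next reader treating this as a regression, e.g. `# admins only: non-admin Jellyfin users are intentionally locked out of SSO`. If non-admin users still need access, the `jellyfin` policy should be kept rather than removed.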
@@ -160,7 +161,7 @@ in {
 };
 };
- systemd.services.authelia-b12f.environment.AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets."mail@b12f.io-password".path;
+ systemd.services.authelia-b12f.preStart = "env";
 services.restic.backups = {
 authelia = {
@@ -169,7 +170,7 @@ in {
 passwordFile = config.age.secrets."restic-password".path;
 # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
 repository = "rclone:cloud.pub.solar:/backups/Authelia";
- rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
+ rcloneConfigFile = config.age.secrets."rclone-pubsolar.conf".path;
 };
 };
 }
diff --git a/hosts/pie/backup.nix b/hosts/pie/backup.nix
index b962929..fe932e6 100644
--- a/hosts/pie/backup.nix
+++ b/hosts/pie/backup.nix
@@ -8,8 +8,8 @@
 psCfg = config.pub-solar;
 xdg = config.home-manager.users."${psCfg.user.name}".xdg;
 in {
- age.secrets."rclone-pie.conf" = {
- file = "${flake.self}/secrets/rclone-pie.conf.age";
+ age.secrets."rclone-pubsolar.conf" = {
+ file = "${flake.self}/secrets/rclone-pubsolar.conf.age";
 path = "/root/.config/rclone/rclone.conf";
 mode = "400";
 };
diff --git a/hosts/pie/firefly.nix b/hosts/pie/firefly.nix
index 3fc3238..0bbe7f6 100644
--- a/hosts/pie/firefly.nix
+++ b/hosts/pie/firefly.nix
@@ -150,7 +150,7 @@ in {
 backupPrepareCommand = ''
 ${pkgs.docker-client}/bin/docker exec -t firefly-db pg_dumpall -c -U firefly > "${backupDir}/postgres.sql"
 '';
- rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
+ rcloneConfigFile = config.age.secrets."rclone-pubsolar.conf".path;
 };
 };
 }
diff --git a/hosts/pie/invoiceplane.nix b/hosts/pie/invoiceplane.nix
index 96e5dd5..5da77e8 100644
--- a/hosts/pie/invoiceplane.nix
+++ b/hosts/pie/invoiceplane.nix
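Review bot: `systemd.services.authelia-b12f.preStart = "env";` in the first hunk looks like a debugging leftover rather than a replacement for the removed environment assignment: running `env` before every start writes the unit's entire environment into the journal, which includes whatever the module and `environmentVariables` put there now and any value a later change might pass as an environment variable. Now that the password file path is set through `environmentVariables` in the earlier hunk of this file, the line serves no purpose for the service and should be deleted rather than kept as a no-op. The enclosing attribute set begins outside the hunk.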
@@ -101,7 +101,7 @@ in { PW=$(cat ${config.age.secrets."invoiceplane-db-password".path}) ${pkgs.docker-client}/bin/docker exec -t invoiceplane-db mariadb-dump --all-databases --password=$PW --user=invoiceplane > "${backupDir}/postgres.sql" ''; - rcloneConfigFile = config.age.secrets."rclone-pie.conf".path; + rcloneConfigFile = config.age.secrets."rclone-pubsolar.conf".path; }; }; } diff --git a/overlays/default.nix b/overlays/default.nix index 4f17cf9..2028db8 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -19,7 +19,11 @@ master = import inputs.nixpkgs-master {system = prev.system;}; in { factorio-headless = master.factorio-headless; - paperless-ngx = unstable.paperless-ngx; + authelia = master.authelia; + paperless-ngx = master.paperless-ngx.overrideAttrs (oa: { + doCheck = false; + doInstallCheck = false; + }); waybar = master.waybar; nix-inspect = unstable.nix-inspect; nix = unstable.lix; diff --git a/secrets/authelia-oidc-issuer-private-key.age b/secrets/authelia-oidc-issuer-private-key.age index 4ab985f..ab94113 100644 Binary files a/secrets/authelia-oidc-issuer-private-key.age and b/secrets/authelia-oidc-issuer-private-key.age differ
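Review bot: The `paperless-ngx` override in the overlay hunk switches off `doCheck` and `doInstallCheck` with no comment, so nobody reading it later can tell whether the test suite was failing on this host, too slow, or genuinely broken in nixpkgs-master, nor when it is safe to turn the checks back on. Record the reason inline, e.g. `# tests disabled: <reason> — re-enable once fixed in nixpkgs-master`, and since the override ignores its argument the lambda reads more honestly as `(_: { ... })` than `(oa: { ... })`. `authelia = master.authelia;` pairs with the module override in hosts/pie/authelia.nix; a short cross-reference comment on that line would keep the two from drifting apart when one of them is reverted.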