diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix
index 94b890a..79c0da0 100644
--- a/config/hosts/mastodon/mastodon.nix
+++ b/config/hosts/mastodon/mastodon.nix
@@ -50,7 +50,21 @@ in
 extraConfig = {
 SMTP_TLS = "true";
 ES_PRESET = "single_node_cluster";
+ OIDC_CLIENT_ID = "mastodon";
+ OIDC_ENABLED = "true";
+ OMNIAUTH_ONLY = "false";
+ OIDC_DISPLAY_NAME = "Login with Nekoverse ID";
+ OIDC_ISSUER = "https://id.nekover.se/realms/nekoverse";
+ OIDC_DISCOVERY = "true";
+ OIDC_SCOPE = "openid,profile,email";
+ OIDC_UID_FIELD = "preferred_username";
+ OIDC_REDIRECT_URI = "https://social.nekover.se/auth/auth/openid_connect/callback";
+ OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
+ OIDC_END_SESSION_ENDPOINT = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/logout";
 };
+ extraEnvFiles = [
+ "/secrets/mastodon-keycloak-client-secret.secret"
+ ];
 elasticsearch.host = "127.0.0.1";
 };
 }
diff --git a/config/hosts/mastodon/secrets.nix b/config/hosts/mastodon/secrets.nix
index 42f7489..f1f9457 100644
--- a/config/hosts/mastodon/secrets.nix
+++ b/config/hosts/mastodon/secrets.nix
@@ -33,5 +33,13 @@
 permissions = "0640";
 uploadAt = "pre-activation";
 };
+ "mastodon-keycloak-client-secret.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mastodon/keycloak-client-secret" ];
+ destDir = "/secrets";
+ user = "mastodon";
+ group = "mastodon";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
 };
 }
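Review bot: `OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true"` tells Mastodon to accept the IdP's email claim as verified, so whether an OIDC login can be matched to an existing local account by email address now depends entirely on the realm at `https://id.nekover.se/realms/nekoverse` enforcing email verification, and that assumption is not recorded anywhere in the hunk. I would annotate the line: `# Trusts the IdP email claim; only safe while the nekoverse realm requires verified emails.` The `extraEnvFiles` entry presumably supplies `OIDC_CLIENT_SECRET` from `/secrets/mastodon-keycloak-client-secret.secret`, and a comment naming the variable the file is expected to define, e.g. `# provides OIDC_CLIENT_SECRET (see secrets.nix)`, would spare the next reader a trip to the other file. `OMNIAUTH_ONLY = "false"` keeps local password login available alongside OIDC; if that is deliberate, a short comment saying so would stop a later cleanup from flipping it by accident. The enclosing attribute set begins before this hunk.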
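Review bot: The new entry is consumed through `extraEnvFiles` in mastodon.nix, so the `pass` entry `mastodon/keycloak-client-secret` has to hold a complete `KEY=VALUE` line (presumably `OIDC_CLIENT_SECRET=<value>`) rather than the bare secret, and nothing in this hunk states that format requirement; a raw secret would be silently ignored as an env-file line. A comment on the entry, `# Loaded as an env file: the pass entry must contain OIDC_CLIENT_SECRET=<value>, not the bare secret`, would make the contract explicit. The `0640` mode with user and group `mastodon` matches the preceding entry and keeps the file unreadable to other local users, which looks right. The enclosing attribute set starts outside the hunk.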