diff --git a/modules/nixos/services/homeserver/default.nix b/modules/nixos/services/homeserver/default.nix index 49368bd..e2a48ec 100755 --- a/modules/nixos/services/homeserver/default.nix +++ b/modules/nixos/services/homeserver/default.nix @@ -5,6 +5,7 @@ ./grafana ./caddy.nix ./cloudflared.nix + ./jellyfin.nix ./kanidm.nix ./nextcloud.nix ./ntfy.nix diff --git a/modules/nixos/services/homeserver/jellyfin.nix b/modules/nixos/services/homeserver/jellyfin.nix new file mode 100644 index 0000000..5e8573a --- /dev/null +++ b/modules/nixos/services/homeserver/jellyfin.nix @@ -0,0 +1,18 @@ +{ config, pkgs, ... }: + +{ + services.caddy.virtualHosts."jellyfin.taild5f7e6.ts.net".extraConfig = '' + import default-settings + + bind tailscale/jellyfin + + reverse_proxy localhost:8007 + ''; + + services.jellyfin.enable = true; + environment.systemPackages = [ + pkgs.jellyfin + pkgs.jellyfin-web + pkgs.jellyfin-ffmpeg + ]; +} diff --git a/modules/nixos/services/homeserver/kanidm.nix b/modules/nixos/services/homeserver/kanidm.nix index b413d29..704047d 100644 --- a/modules/nixos/services/homeserver/kanidm.nix +++ b/modules/nixos/services/homeserver/kanidm.nix @@ -8,6 +8,10 @@ owner = "kanidm"; group = "kanidm"; }; + "kanidm/oauth2/jellyfin" = { + owner = "kanidm"; + group = "kanidm"; + }; "kanidm/oauth2/nextcloud" = { owner = "kanidm"; group = "kanidm"; @@ -73,19 +77,23 @@ groups = [ "grafana_users" + "jellyfin_users" "nextcloud_users" "zipline_users" "grafana_admins" + "jellyfin_admins" ]; }; groups = { grafana_users = {}; + jellyfin_users = {}; nextcloud_users = {}; zipline_users = {}; grafana_admins.members = [ "grafana_users" ]; + jellyfin_admins.members = [ "jellyfin_users" ]; }; systems.oauth2 = { 
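Review bot: In jellyfin.nix, `reverse_proxy localhost:8007` targets a port that nothing in this file configures. Jellyfin's default HTTP port is 8096 and `services.jellyfin.enable = true;` is the only service setting here, so unless the port was changed in Jellyfin's own network settings (state that lives outside this repo), Caddy will proxy to a closed port. Either use `reverse_proxy localhost:8096` or add a comment such as `# 8007 is set in Jellyfin's network config, not by this module`. Nothing in this file restricts Jellyfin's own listener to loopback, so the Tailscale-only exposure via `bind tailscale/jellyfin` also depends on the host firewall keeping that port closed; a one-line comment recording that assumption would help.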
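Review bot: In the kanidm.nix groups hunk, `jellyfin_admins.members = [ "jellyfin_users" ];` nests the whole users group inside the admins group. If Kanidm resolves nested membership transitively, as I understand it does, every account later added to `jellyfin_users` would also receive the admin claim value. The account in this hunk already lists `"jellyfin_admins"` directly, so `jellyfin_admins = {};` would keep admin rights an explicit per-person grant. The line mirrors the existing `grafana_admins.members` entry, which has the same effect. The enclosing provisioning block starts and ends outside the hunk.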
@@ -100,6 +108,17 @@ claimMaps.grafana_users.valuesByGroup.grafana_admins = [ "GrafanaAdmin" ]; }; + jellyfin = { + displayName = "Jellyfin"; + originUrl = "https://jellyfin.taild5f7e6.ts.net/sso/OID/redirect/Kanidm"; + originLanding = "https://jellyfin.taild5f7e6.ts.net"; + + preferShortUsername = true; + basicSecretFile = config.sops.secrets."kanidm/oauth2/jellyfin".path; + scopeMaps.jellyfin_users = [ "openid" "profile" "groups" ]; + claimMaps.grafana_users.valuesByGroup.jellyfin_admins = [ "JellyfinAdmin" ]; + }; + nextcloud = { displayName = "Nextcloud"; originUrl = "https://nextcloud.wo2wz.fyi/index.php/apps/user_oidc/code"; diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index 1e6d6d9..845d5ee 100755 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml @@ -11,6 +11,7 @@ grafana: kanidm: oauth2: grafana: ENC[AES256_GCM,data:9aWa5SJ4UNWcQCCRT9rL6XnoUjlkXeifBYe3fL4xRbNC3bc5L6jNtJOF9v0ZZ874pTr/dnv5LzLz/ISLDQWfnw==,iv:+V+JjP2EA02cn7aFif262DjqoCXYRLqXv2jR0pc457c=,tag:CI9daTCxkeOueb3d//hx0A==,type:str] + jellyfin: ENC[AES256_GCM,data:37edw83rscw19EiFOVUYoq33awKMWw+XXN6KKYYjEdKwtBx7I01RuOha3DkspFM7zJdmZf3E6IL1UT3N/sBB6w==,iv:T9N4h90799xOhFeNxqmKR0nDGn6BXuIGB4DiOIkt6vk=,tag:JZuu+uqRKAbQskKxzOPIEQ==,type:str] nextcloud: ENC[AES256_GCM,data:P7ha6OwX6A5PyNO4xy+UTfdQBeKbktJbK5Ggv/fLuW+SDrxTehuwM1F9A5el3j1Dsegk3VsrrTPBZTVU6i5qwA==,iv:YcvNvAZHjdBd9q5Uxdp+Phj5uQRqLoRi33rIzUcv7Ng=,tag:cXM58lfOpHbTbaJRNUm1Kw==,type:str] zipline: ENC[AES256_GCM,data:q25Ugsqj6+we3dTDyczfxuGA1DcnlxUDbJLxlzVAF3wTtzdF4t6p2tkPlTtvvgLQQPg/sYAQB0zFE9DcxpxuCw==,iv:fyhRGFUTx1d0ITygUWOkaDAtVI2h05DMv3aEI/DUM2k=,tag:WaPRXbFXl1+aTC+ZtyITYw==,type:str] nextcloud: 
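Review bot: In the new `jellyfin` OAuth2 client, `claimMaps.grafana_users.valuesByGroup.jellyfin_admins` emits the admin value under a claim named `grafana_users`, which looks copied from the Grafana client above it. Unless the Jellyfin SSO provider is deliberately configured to read roles from a claim called `grafana_users`, `JellyfinAdmin` will never be matched and the admin mapping fails silently. `claimMaps.jellyfin_users.valuesByGroup.jellyfin_admins = [ "JellyfinAdmin" ];` (or whichever claim name the plugin's role claim is set to) would keep the two clients independent. The `systems.oauth2` set opens outside this hunk.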
@@ -34,7 +35,7 @@ sops: N0U5bkt4aXJOS3N0Z2N4YTg4TDVUVncKCQLUTMmdM/IPzV3NDRhPdta1tvXxy/6P RYbLzlUryw+tqfTp8nDrdxyOWScLNzPOswAq0Qf7VMcEQ5bJEkAOhQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-06T15:31:14Z" - mac: ENC[AES256_GCM,data:mOKxCnv5dDNuWGairJhV4Es36/MqM61d8ludzIgjpVmDD7arAxaMQA56FpCBU8eu0hVs1pO/Gw7xj0DIo+VTD0k2mdkimsp74gi13eEUdOCN5s+/7Th9sBpk5LeY9hzPp2fDFmBK3LLP9Jvp8IdKsbMgNKu6VzxukrWKOr1RpkM=,iv:HJKu/io7tV0Il06V2aglOaJHkjOxOcZ9JFbFCqFbTFw=,tag:iDmktXmP64OkijUxsQ5FCA==,type:str] + lastmodified: "2025-11-09T22:08:25Z" + mac: ENC[AES256_GCM,data:V7IH1q2sn01fRhfYEcuPqI3K0y1HFNwS8gkO1S/joTXbn0jaTj1IkHj1kIKtGmA0582XViH5YKlPMuErRz2O0Rh3ayQddY3x5FO+CqtAfeWVqUNxThbVev35XGQHNIFyjINHn8W2CaRyAu6bpCYChC0UpkopMpOTIaTIJ4YciGY=,iv:Hictv/vlZGQsFwfXfA7umn+IU6qIY2aqusUjCLwvfn0=,tag:5fZxMA9DlzUcV9dE4gFv/A==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0