diff --git a/inventories/default.nix b/inventories/default.nix
index d19c5be..07e3a7e 100644
--- a/inventories/default.nix
+++ b/inventories/default.nix
@@ -1,6 +1,14 @@
-{ inputs, self, ... }:
+{
+ inputs,
+ self,
+ lib,
+ ...
+}:
 {
 clan = {
+ modules = {
+ pocket-id = ../modules/clan/pocket-id;
+ };
 inventory = {
 instances = {
@@ -21,6 +29,14 @@
 roles.default.machines = [ "b4l" ];
 };
 };
+
+ instances.pocket-id = {
+ module = {
+ name = "pocket-id";
+ input = "self";
+ };
+ roles.default.machines.b4l = { };
+ };
 };
 };
 }
diff --git a/modules/clan/pocket-id/default.nix b/modules/clan/pocket-id/default.nix
new file mode 100644
index 0000000..9ba268c
--- /dev/null
+++ b/modules/clan/pocket-id/default.nix
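Review bot: `lib` is added to the module's argument set at the top of the first hunk but is not referenced by any line in this hunk or the next one; if nothing in the unchanged part of the file reads it either, the extra argument should be dropped, since an argument that is never used only invites the next reader to look for a use that does not exist. The enclosing attrset continues past the end of the hunk, so the remainder of the file is not visible here.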
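Review bot: The new `instances.pocket-id` entry in the second hunk assigns its machine as `roles.default.machines.b4l = { };`, while the instance directly above it (the hunk's first context line) uses the list form `roles.default.machines = [ "b4l" ];`; within one inventory the two should use the same form so a reader does not have to wonder whether they mean different things. Presumably the attrset form is the one the inventory is meant to converge on, in which case the older entry would become `roles.default.machines.b4l = { };` as well; otherwise the new entry should use the list form. The `inventory` attrset this hunk edits starts before the hunk.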
@@ -0,0 +1,69 @@
+{ lib, ... }:
+{
+ _class = "clan.service";
+ manifest.name = "pocket-id";
+ manifest.description = "A simple and easy-to-use OIDC provider that allows users to authenticate with their passkeys to your services.";
+ manifest.categories = [ "System" ];
+
+ roles.default = {
+ interface.options = {
+ domain = lib.mkOption {
+ type = lib.types.str;
+ default = "auth";
+ description = "";
+ };
+ };
+
+ perInstance =
+ {
+ settings,
+ ...
+ }:
+ {
+ nixosModule =
+ {
+ config,
+ pkgs,
+ ...
+ }:
+ let
+ domain = "${settings.domain}.${config.networking.fqdn}";
+ in
+ {
+ clan.core.vars.generators.pocket-id = {
+ files = {
+ encryption-key = {
+ owner = "${config.services.pocket-id.user}";
+ group = "${config.services.pocket-id.group}";
+ secret = true;
+ };
+ };
+ runtimeInputs = [ pkgs.pwgen ];
+ script = ''
+ pwgen -s 32 1 > $out/encryption-key
+ '';
+ };
+ services.pocket-id = {
+ enable = true;
+ settings = {
+ ENCRYPTION_KEY_FILE = config.clan.core.vars.generators.pocket-id.files.encryption-key.path;
+ APP_ENV = "production";
+ APP_URL = "https://${domain}";
+ TRUST_PROXY = true;
+ PORT = 1411;
+
+ UI_CONFIG_DISABLED = true;
+ };
+ };
+ services.nginx.virtualHosts."${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${builtins.toString config.services.pocket-id.settings.PORT}";
+ };
+ };
+
+ };
+ };
+ };
+}
diff --git a/sops/machines/b4l/key.json b/sops/machines/b4l/key.json
index c6794cd..2d0e2b4 100755
--- a/sops/machines/b4l/key.json
+++ b/sops/machines/b4l/key.json
@@ -3,4 +3,4 @@
 "publickey": "age1sg0rvgyetdcqw7j2x983fh69kdkvqsngpe5x36e5920qa7fze3cqhj4wgx",
 "type": "age"
 }
-]
\ No newline at end of file
+]
diff --git a/vars/per-machine/b4l/emergency-access/password-hash/value b/vars/per-machine/b4l/emergency-access/password-hash/value
index 98f6618..274963c 100644
--- a/vars/per-machine/b4l/emergency-access/password-hash/value
+++ b/vars/per-machine/b4l/emergency-access/password-hash/value
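Review bot: `TRUST_PROXY = true;` tells pocket-id to believe the forwarded headers it receives, but the `locations."/"` block near the end of the hunk only sets `proxyPass`, so nothing on the nginx side sets `Host`, `X-Forwarded-Proto` or `X-Forwarded-For` itself and client-supplied values would pass through to the service unchanged. The location should carry `recommendedProxySettings = true;` beside `proxyPass` so nginx sets those headers from its own view of the connection. Separately, the `domain` option is declared with `description = "";`, which leaves the generated option docs blank; something like `description = "Subdomain, prepended to networking.fqdn, under which pocket-id is served.";` matches how the value is used in the `let` binding. The interpolations `owner = "${config.services.pocket-id.user}";` and the matching `group` line can simply be `owner = config.services.pocket-id.user;`, which avoids stringifying a value that is already a string.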
@@ -1 +1 @@
-$6$GInixVejze2Ixdeu$a4.DpQd9c8A86ea/OGcHXxcJTIvpYYgItR1vBN7XtURfVgTXGZQuSz5t59qxNwWVHZZivhH97xPAuoHjwztQx/
\ No newline at end of file
+$6$GInixVejze2Ixdeu$a4.DpQd9c8A86ea/OGcHXxcJTIvpYYgItR1vBN7XtURfVgTXGZQuSz5t59qxNwWVHZZivhH97xPAuoHjwztQx/