diff --git a/inventories/default.nix b/inventories/default.nix
index bbff363..57743f6 100644
--- a/inventories/default.nix
+++ b/inventories/default.nix
@@ -37,6 +37,7 @@
 input = "self";
 };
 roles.default.machines.b4l = { };
+roles.default.machines.rigel = { };
 };
 nextcloud = {
 module = {
diff --git a/machines/rigel/configuration.nix b/machines/rigel/configuration.nix
index 06e0791..60b7d9c 100644
--- a/machines/rigel/configuration.nix
+++ b/machines/rigel/configuration.nix
@@ -1,3 +1,8 @@
+{ inputs, ... }:
 {
+imports = [
+(inputs.import-tree ./services)
+];
 system.stateVersion = "25.11";
+networking.fqdn = "rigel.local";
 }
diff --git a/machines/rigel/services/pocket-id.nix b/machines/rigel/services/pocket-id.nix
new file mode 100644
index 0000000..0f02c2f
--- /dev/null
+++ b/machines/rigel/services/pocket-id.nix
@@ -0,0 +1,35 @@
+{ config, ... }:
+let
+pidDomain = "${config.clan.core.vars.generators.rigel-pocket-id.files.subdomain.value}.${config.networking.fqdn}";
+in
+{
+clan.core.vars.generators.rigel-pocket-id = {
+files.subdomain.secret = false;
+
+prompts = {
+subdomain = {
+persist = true;
+type = "line";
+description = "Sub-domain for Pocket-ID app. Default:(auth)";
+};
+};
+
+script = ''cat $prompts/subdomain || echo -n "auth" > $out/subdomain'';
+};
+
+services.pocket-id = {
+settings = {
+APP_ENV = "production";
+APP_URL = "http://${pidDomain}";
+TRUST_PROXY = true;
+};
+};
+
+services.nginx.virtualHosts."${pidDomain}" = {
+useACMEHost = "${config.networking.fqdn}";
+forceSSL = true;
+locations."/" = {
+proxyPass = "http://localhost:${builtins.toString config.services.pocket-id.settings.PORT}";
+};
+};
+}
diff --git a/vars/per-machine/rigel/pocket-id/encryption-key/machines/rigel b/vars/per-machine/rigel/pocket-id/encryption-key/machines/rigel
new file mode 120000
index 0000000..47a146c
--- /dev/null
+++ b/vars/per-machine/rigel/pocket-id/encryption-key/machines/rigel
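Review bot: `networking.fqdn = "rigel.local"` on the last added line of the configuration.nix hunk targets an option that current NixOS declares read-only, derived from `networking.hostName` and `networking.domain`, so a direct assignment should fail evaluation with a read-only error rather than take effect. If that holds for the nixpkgs revision in use, the intended result is `networking.domain = "local";` (hostName presumably already being `rigel`), which then yields the same fqdn for the consumers in the new services module. Separately, `.local` is the mDNS zone, so any public-CA ACME certificate keyed on this fqdn (the pocket-id module references it through `useACMEHost`) cannot be issued for it; that consequence is inferred from the other hunk, not visible here.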
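Review bot: `APP_URL = "http://${pidDomain}"` disagrees with the nginx vhost a few lines below it, which sets `forceSSL = true` — Pocket-ID will build its issuer, discovery and redirect URLs with the http scheme while every browser request arrives over https, which typically breaks OIDC callbacks and leaves session cookies without the Secure attribute; the setting should read `APP_URL = "https://${pidDomain}";`. The generator on the `script` line also looks wrong: `cat $prompts/subdomain` prints the prompted value to stdout and only the fallback branch writes `$out/subdomain`, so a user-supplied sub-domain is presumably never recorded (the committed value file holds the default `auth`, consistent with that); assuming clan's generator contract is that the script writes `$out/<file>`, `cat $prompts/subdomain > $out/subdomain || echo -n "auth" > $out/subdomain` would honour the prompt. `useACMEHost = "${config.networking.fqdn}"` serves the certificate for `rigel.local` on the `auth.rigel.local` vhost, which only matches if that certificate carries a wildcard SAN, and a public ACME CA cannot issue for `.local` names at all, so the TLS side of this vhost likely needs a self-signed or internal-CA certificate instead. Finally, `TRUST_PROXY = true` tells Pocket-ID to believe forwarded headers, but the `locations."/"` block only sets `proxyPass`; enabling `services.nginx.recommendedProxySettings = true;` (or the equivalent `proxy_set_header` lines) ensures the X-Forwarded-* headers it trusts are actually supplied by nginx rather than by the client.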
@@ -0,0 +1 @@
+../../../../../../sops/machines/rigel
\ No newline at end of file
diff --git a/vars/per-machine/rigel/pocket-id/encryption-key/secret b/vars/per-machine/rigel/pocket-id/encryption-key/secret
new file mode 100644
index 0000000..624a862
--- /dev/null
+++ b/vars/per-machine/rigel/pocket-id/encryption-key/secret
@@ -0,0 +1,19 @@
+{
+"data": "ENC[AES256_GCM,data:11Z7KMxrgnhiI6VHafRjUMHPGWItvZU6L8a6yhQ1WjFK,iv:czyaHb2VAqLCq650CFCGs+0PBGqx4JCtB1/gYPiDF+0=,tag:rKDmsGV1wsY2g9wrNC29qA==,type:str]",
+"sops": {
+"age": [
+{
+"recipient": "age17d4qt0n9edq57tgcqyk8eu5mrendl59yt6z2y3a4vkq7el8krqtq6lq28g",
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiVEg2VVcrcjFJQmlhbmpv\nV0J1M1d0ZXdCcEtrQUt6SDdWMS9nNVJMSWlFClZ5ZlFwK0xaZ1NVZHR2aGRmV09E\nS2o2OFY2NWlOV2luSmJXUG1tdFVENVUKLS0tIGRaVWNVb3MrQXk0a0J2Tm50aWRt\ndXdtTFB1ZklXZll0Y3pHbHRaaExDU2cK8TIS5ZtO/Kljt+kXCwW0bqNF8WM9iLWX\nKL+S1iLzGBsWFfdXDBJuvOdQAtSstxIOM0k6kMJSjAcUQEAEY0ilFA==\n-----END AGE ENCRYPTED FILE-----\n"
+},
+{
+"recipient": "age1hlzrpqqgndcthq5m5yj9egfgyet2fzrxwa6ynjzwx2r22uy6m3hqr3rd06",
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1S3dTaDMvWDVGalVnc3p0\neXNtQ3BiQnJZMVdoc0w0ZndLMVhuREJiYUIwClpQanZUdFQwYnJLK2tBMUZDS3RE\nZ3JodUJ5WmhmWHpwRkF6Z1FYaTVFS1EKLS0tIFArdDkvRVhOd3hPYStjMGV3cWp3\nd29XRk1XZzA5cG1vV05tZmRtR1MzK1UKFlGI8+NEyZfJB7yXwBwsdP4IhI9XiiUV\n8CEnDL095iGLBNCc1ycYmVUXJUDO1B3CJH7yJIJQwlie5cF352GpjA==\n-----END AGE ENCRYPTED FILE-----\n"
+}
+],
+"lastmodified": "2025-07-30T05:03:59Z",
+"mac": "ENC[AES256_GCM,data:9iDp/0gkcllEXOVlLMUq6COTCTLjeaB6FSOrZNzIC+rhqZrotYtY6pL/THf3OxzUkr88Pd+kNTewy+zUtb1wlL4DwL9IuaAKzmCYtmkrlmyz0j1xhIj/qDhSyTcFlBk05Mbe4vF+VwPZPHXz04d8sTeijNHLeWHtOULPa6+WPPw=,iv:DJnqTfl8pC3lgsl4FK2sh6k3LNfkfHWEx8wLnA2yeOQ=,tag:8AC+sz7lplAfzYiAZzSp8A==,type:str]",
+"unencrypted_suffix": "_unencrypted",
+"version": "3.10.2"
+}
+}
diff --git a/vars/per-machine/rigel/pocket-id/encryption-key/users/kurogeek b/vars/per-machine/rigel/pocket-id/encryption-key/users/kurogeek
new file mode 120000
index 0000000..970aefa
--- /dev/null
+++ b/vars/per-machine/rigel/pocket-id/encryption-key/users/kurogeek
@@ -0,0 +1 @@
+../../../../../../sops/users/kurogeek
\ No newline at end of file
diff --git a/vars/per-machine/rigel/rigel-pocket-id/subdomain/value b/vars/per-machine/rigel/rigel-pocket-id/subdomain/value
new file mode 100644
index 0000000..9ec0d09
--- /dev/null
+++ b/vars/per-machine/rigel/rigel-pocket-id/subdomain/value
@@ -0,0 +1 @@
+auth
\ No newline at end of file