diff --git a/core/authelia.tf b/core/authelia.tf
index aeda0db..4cf126a 100644
--- a/core/authelia.tf
+++ b/core/authelia.tf
@@ -114,6 +114,9 @@ namespace "default" {
     path "authelia/*" {
       capabilities = ["read"]
     }
+    path "secrets/authelia/*" {
+      capabilities = ["read"]
+    }
   }
 }
 EOH
@@ -142,6 +145,22 @@ EOH
   }
 }
 
+# Enable oidc for nomad clients
+module "nomad_oidc_client" {
+  source = "./oidc_client"
+
+  name = "nomad"
+  oidc_client_config = {
+    description          = "Nomad"
+    authorization_policy = "two_factor"
+    redirect_uris = [
+      "https://nomad.${var.base_hostname}/oidc/callback",
+      "https://nomad.${var.base_hostname}/ui/settings/tokens",
+    ]
+    scopes = ["openid", "groups"]
+  }
+}
+
 resource "nomad_acl_auth_method" "nomad_authelia" {
   name           = "authelia"
   type           = "OIDC"
@@ -151,8 +170,8 @@ resource "nomad_acl_auth_method" "nomad_authelia" {
 
   config {
     oidc_discovery_url = "https://authelia.${var.base_hostname}"
-    oidc_client_id     = "nomad"
-    oidc_client_secret = yamldecode(file("${path.module}/../ansible_playbooks/vars/nomad_vars.yml"))["nomad/oidc"]["secret"]
+    oidc_client_id     = module.nomad_oidc_client.client_id
+    oidc_client_secret = module.nomad_oidc_client.secret
     bound_audiences    = ["nomad"]
     oidc_scopes = [
       "groups",
diff --git a/core/authelia.yml b/core/authelia.yml
index e1498dc..6f44985 100644
--- a/core/authelia.yml
+++ b/core/authelia.yml
@@ -249,4 +249,18 @@ identity_providers:
     # hmac_secret: <file>
     # issuer_private_key: <file>
 
-    clients: {{ with nomadVar "nomad/jobs/authelia" }}{{ .oidc_clients.Value }}{{ end }}
+    clients:
+{{ range nomadVarList "authelia/access_control/oidc_clients" -}}
+{{- $name := (sprig_last (sprig_splitList "/" .Path)) -}}
+      {{ "-" | indent 6 }}
+{{ with nomadVar .Path }}
+
+{{- $im := .ItemsMap -}}
+{{- $im = sprig_set $im "redirect_uris" (.redirect_uris.Value | parseYAML) -}}
+{{- $im = sprig_set $im "scopes" (.scopes.Value | parseYAML) -}}
+{{- with nomadVar (printf "secrets/authelia/%s" $name) -}}
+{{- $im = sprig_set $im "secret" .secret_hash.Value -}}
+{{- end -}}
+{{ $im | toYAML | indent 8 }}
+{{ end }}
+{{ end }}
diff --git a/core/grafana.nomad b/core/grafana.nomad
index 5a5f100..fbdebd0 100644
--- a/core/grafana.nomad
+++ b/core/grafana.nomad
@@ -155,7 +155,6 @@ GF_SECURITY_ADMIN_PASSWORD={{ .admin_pw }}
 GF_EXTERNAL_IMAGE_STORAGE_S3_ACCESS_KEY={{ .minio_access_key }}
 GF_EXTERNAL_IMAGE_STORAGE_S3_SECRET_KEY={{ .minio_secret_key }}
 GRAFANA_ALERT_EMAIL_ADDRESSES={{ .alert_email_addresses }}
-GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET={{ .oidc_secret }}
 {{ if .db_name -}}
 # Database storage
 GF_DATABASE_TYPE=mysql
@@ -167,6 +166,10 @@ GF_DATABASE_PASSWORD={{ .db_pass }}
 SLACK_BOT_URL={{ .slack_bot_url }}
 SLACK_BOT_TOKEN={{ .slack_bot_token }}
 SLACK_HOOK_URL={{ .slack_hook_url }}
+{{ end -}}
+{{ with nomadVar "secrets/authelia/grafana" -}}
+GF_AUTH_GENERIC_OAUTH_CLIENT_ID={{ .client_id }}
+GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET={{ .secret }}
 {{ end -}}
         EOF
         env = true
diff --git a/core/grafana/grafana.ini b/core/grafana/grafana.ini
index 3745bda..a688061 100644
--- a/core/grafana/grafana.ini
+++ b/core/grafana/grafana.ini
@@ -261,7 +261,7 @@ log_queries =
 enabled = true
 name = Authelia
 ;allow_sign_up = true
-client_id = grafana
+client_id = from_env
 client_secret = from_env
 scopes = openid profile email groups
 auth_url = https://authelia.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}/api/oidc/authorization
diff --git a/core/metrics.tf b/core/metrics.tf
index 98094ae..1265f53 100644
--- a/core/metrics.tf
+++ b/core/metrics.tf
@@ -93,3 +93,27 @@ EOH
     task   = "stunnel"
   }
 }
+
+module "grafana_oidc" {
+  source = "./oidc_client"
+
+  name = "grafana"
+  oidc_client_config = {
+    description = "Grafana"
+    scopes = [
+      "openid",
+      "groups",
+      "email",
+      "profile",
+    ]
+    redirect_uris = [
+      "https://grafana.thefij.rocks/login/generic_oauth",
+    ]
+  }
+
+  job_acl = {
+    job_id = "grafana"
+    group  = "grafana"
+    task   = "grafana"
+  }
+}
diff --git a/services/gitea.tf b/services/gitea.tf
index 896a313..943d2c7 100644
--- a/services/gitea.tf
+++ b/services/gitea.tf
@@ -42,10 +42,19 @@ module "gitea" {
   ]
 
   use_smtp = true
+
   mysql_bootstrap = {
     enabled = true
   }
 
+  oidc_client_config = {
+    description = "Gitea"
+    redirect_uris = [
+      "https://git.thefij.rocks/user/oauth2/authelia/callback",
+    ]
+    scopes = ["openid", "email", "profile"]
+  }
+
   host_volumes = [
     {
       name      = "gitea-data"
@@ -111,6 +120,49 @@ GITEA__mailer__PASSWD={{ .password }}
       mount       = false
       dest        = "env"
       dest_prefix = "$${NOMAD_SECRETS_DIR}"
-    }
+    },
+    {
+      data        = <<EOF
+{{ with nomadVar "secrets/authelia/git" -}}
+CLIENT_ID={{ .client_id }}
+SECRET={{ .secret }}
+{{- end }}
+EOF
+      dest        = "oauth.env"
+      dest_prefix = "$${NOMAD_SECRETS_DIR}"
+      mount       = false
+      change_mode = "script"
+      change_script = {
+        command = "/local/bootstrap_auth.sh"
+      }
+    },
+    {
+      data        = <<EOF
+#! /bin/bash
+source {{ env "NOMAD_SECRETS_DIR" }}/oauth.env
+auth_provider_id=$(su -- git gitea admin auth list | awk '/authelia/ { print $1 }')
+
+if [ -z "$auth_provider_id" ]; then
+  echo "Creating Authelia OAuth provider"
+  su -- git gitea admin auth add-oauth \
+    --name authelia \
+    --provider openidConnect \
+    --key "$CLIENT_ID" \
+    --secret "$SECRET" \
+    --auto-discover-url https://authelia.thefij.rocks/.well-known/openid-configuration \
+    --skip-local-2fa
+else
+  echo "Updating Authelia OAuth provider"
+  su -- git gitea admin auth update-oauth \
+    --id $auth_provider_id \
+    --key "$CLIENT_ID" \
+    --secret "$SECRET"
+fi
+EOF
+      dest        = "bootstrap_auth.sh"
+      perms       = "777"
+      change_mode = "noop"
+      mount       = false
+    },
   ]
 }
diff --git a/services/photoprism.tf b/services/photoprism.tf
index 2131ad7..5f35a06 100644
--- a/services/photoprism.tf
+++ b/services/photoprism.tf
@@ -1,4 +1,4 @@
-module "photoprism_module" {
+module "photoprism" {
   source = "./service"
 
   name               = "photoprism"
@@ -42,6 +42,14 @@ module "photoprism_module" {
     enabled = true
   }
 
+  oidc_client_config = {
+    description = "Photoprism"
+    redirect_uris = [
+      "https://photoprism.thefij.rocks/api/v1/oidc/redirect",
+    ]
+    scopes = ["openid", "email", "profile"]
+  }
+
   env = {
     PHOTOPRISM_DEBUG = true
     # UI
@@ -80,8 +88,6 @@ module "photoprism_module" {
       PHOTOPRISM_DATABASE_USER={{ .db_user }}
       PHOTOPRISM_DATABASE_PASSWORD={{ .db_pass }}
       PHOTOPRISM_DATABASE_SERVER=127.0.0.1:3306
-      PHOTOPRISM_OIDC_CLIENT=photoprism
-      PHOTOPRISM_OIDC_SECRET={{ .oidc_secret }}
       {{- end }}
       {{ if eq (env "meta.hw_transcode.type") "raspberry" -}}
       PHOTOPRISM_FFMPEG_ENCODER=raspberry
@@ -90,6 +96,10 @@ module "photoprism_module" {
       PHOTOPRISM_FFMPEG_ENCODER=intel
       PHOTOPRISM_INIT="intel tensorflow"
       {{- end }}
+      {{ with nomadVar "secrets/authelia/photoprism" -}}
+      PHOTOPRISM_OIDC_CLIENT={{ .client_id }}
+      PHOTOPRISM_OIDC_SECRET={{ .secret }}
+      {{- end }}
       EOF
       dest_prefix = "$${NOMAD_SECRETS_DIR}/"
       dest        = "env"
diff --git a/services/service/main.tf b/services/service/main.tf
index 808133c..ed35d8d 100644
--- a/services/service/main.tf
+++ b/services/service/main.tf
@@ -225,3 +225,23 @@ EOH
     task   = var.name
   }
 }
+
+module "oidc_client" {
+  count = var.oidc_client_config != null ? 1 : 0
+
+  source = "../../core/oidc_client"
+  name   = var.name
+
+  oidc_client_config = {
+    description          = var.oidc_client_config.description
+    authorization_policy = var.oidc_client_config.authorization_policy
+    redirect_uris        = var.oidc_client_config.redirect_uris
+    scopes               = var.oidc_client_config.scopes
+  }
+
+  job_acl = {
+    job_id = resource.nomad_job.service.id
+    group  = var.name
+    task   = var.name
+  }
+}
diff --git a/services/service/service_template.nomad b/services/service/service_template.nomad
index 3ccc084..6435b44 100644
--- a/services/service/service_template.nomad
+++ b/services/service/service_template.nomad
@@ -204,6 +204,9 @@ EOF
         %{~ if template.right_delimiter != null }
         right_delimiter = "${template.right_delimiter}"
         %{~ endif ~}
+        %{~ if template.perms != null }
+        perms = "${template.perms}"
+        %{~ endif ~}
         %{~ if template.change_mode != null }
         change_mode = "${template.change_mode}"
         %{~ endif ~}
diff --git a/services/service/vars.tf b/services/service/vars.tf
index 234b984..016112a 100644
--- a/services/service/vars.tf
+++ b/services/service/vars.tf
@@ -176,6 +176,7 @@ variable "templates" {
     right_delimiter = optional(string)
     mount           = optional(bool, true)
     env             = optional(bool, false)
+    perms           = optional(string)
     change_mode     = optional(string)
     change_signal   = optional(string)
     change_script = optional(object({
@@ -296,3 +297,15 @@ variable "service_check" {
 
   default = {}
 }
+
+variable "oidc_client_config" {
+  description = "Authelia oidc client configuration to enable oidc authentication"
+  type = object({
+    description          = string
+    authorization_policy = optional(string, "one_factor")
+    redirect_uris        = list(string)
+    scopes               = list(string)
+  })
+
+  default = null
+}