diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix
index 1537bb5..937ea4a 100644
--- a/hosts/parsons/configuration.nix
+++ b/hosts/parsons/configuration.nix
@@ -21,6 +21,7 @@
     ../../services/gitlab-runner.nix
     ../../services/lantifa.nix
     ../../services/vaultwarden.nix
+    ../../services/uffd.nix
     # ../../services/workadventure.nix
 
     ./lxc.nix
diff --git a/modules/mattermost.nix b/modules/mattermost.nix
index de6ca00..c2a7509 100644
--- a/modules/mattermost.nix
+++ b/modules/mattermost.nix
@@ -227,7 +227,7 @@ in
           User = cfg.user;
           Group = cfg.group;
           ExecStart = "${pkgs.mattermost}/bin/mattermost" +
-            (lib.optionalString (!cfg.mutableConfig) " -c ${database}");
+            (if cfg.mutableConfig then " -c ${database}" else " -c ${cfg.statePath}/config/config.json");
           WorkingDirectory = "${cfg.statePath}";
           Restart = "always";
           RestartSec = "10";
diff --git a/pkgs/default.nix b/pkgs/default.nix
index beb7bd8..cbb225c 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -60,6 +60,8 @@ let
       '';
     };
 
+    uffd = callPackage ./uffd {};
+
     inherit (unstable) bottom vaultwarden vaultwarden-vault;
   };
 
diff --git a/pkgs/uffd/default.nix b/pkgs/uffd/default.nix
new file mode 100644
index 0000000..9e23c8b
--- /dev/null
+++ b/pkgs/uffd/default.nix
@@ -0,0 +1,35 @@
+{ stdenv, lib, python3Packages, fetchzip }:
+
+python3Packages.buildPythonPackage rec {
+  pname = "uffd";
+  version = "2.0.1";
+
+  src = fetchzip {
+    url =
+      "https://git.cccv.de/uffd/uffd/-/archive/v${version}/uffd-v${version}.tar.gz";
+    hash = "sha256-KP4J1bw5u7MklaPu2SBFRNyGgkKOBOpft5MMH+em5M4=";
+  };
+
+  patches = [ ./fix-setuppy.patch ./fix-userinfo.patch ];
+
+  propagatedBuildInputs = with python3Packages; [
+    flask
+    flask_sqlalchemy
+    flask_migrate
+    qrcode
+    fido2
+    oauthlib
+    flask-babel
+    argon2_cffi
+    itsdangerous
+    alembic
+    Mako
+  ];
+
+  postPatch = ''
+    sed -i -e 's/==[0-9.]\+//g' setup.py
+  '';
+
+  doCheck = false;
+  doInstallCheck = false;
+}
diff --git a/pkgs/uffd/fix-setuppy.patch b/pkgs/uffd/fix-setuppy.patch
new file mode 100644
index 0000000..64ccc10
--- /dev/null
+++ b/pkgs/uffd/fix-setuppy.patch
@@ -0,0 +1,34 @@
+--- a/setup.py	2022-04-30 13:12:45.564651955 +0000
++++ b/setup.py	2022-04-30 13:17:02.545809513 +0000
+@@ -41,31 +41,5 @@
+ 		'Flask-Babel==0.11.2',
+ 		'alembic==1.0.0',
+ 		'argon2-cffi==18.3.0',
+-
+-		# The main dependencies on their own lead to version collisions and pip is
+-		# not very good at resolving them, so we pin the versions from Debian Buster
+-		# for all dependencies.
+-		'certifi==2018.8.24',
+-		#cffi==1.12.2'
+-		'cffi # v1.12.2 no longer works with python3.9. Newer versions seem to work fine.',
+-		'chardet==3.0.4',
+-		'click==7.0',
+-		'cryptography==2.6.1',
+-		'idna==2.6',
+-		'itsdangerous==0.24',
+-		'Jinja2==2.10',
+-		'MarkupSafe==1.1.0',
+-		'oauthlib==2.1.0',
+-		'pyasn1==0.4.2',
+-		'pycparser==2.19',
+-		'requests==2.21.0',
+-		'requests-oauthlib==1.0.0',
+-		'six==1.12.0',
+-		'SQLAlchemy==1.2.18',
+-		'urllib3==1.24.1',
+-		'Werkzeug==0.14.1',
+-		'python-dateutil==2.7.3',
+-		#editor==1.0.3
+-		'Mako==1.0.7',
+ 	],
+ )
diff --git a/pkgs/uffd/fix-userinfo.patch b/pkgs/uffd/fix-userinfo.patch
new file mode 100644
index 0000000..555d805
--- /dev/null
+++ b/pkgs/uffd/fix-userinfo.patch
@@ -0,0 +1,10 @@
+--- a/uffd/oauth2/views.py	2022-04-30 20:39:53.825474990 +0000
++++ b/uffd/oauth2/views.py	2022-04-30 20:40:12.632389377 +0000
+@@ -234,6 +234,7 @@
+ 		id=user.unix_uid,
+ 		name=user.displayname,
+ 		nickname=user.loginname,
++		username=user.loginname,
+ 		email=user.mail,
+ 		groups=[group.name for group in user.groups]
+ 	)
diff --git a/services/gitlab.nix b/services/gitlab.nix
index a735117..5de66be 100644
--- a/services/gitlab.nix
+++ b/services/gitlab.nix
@@ -71,26 +71,23 @@
           };
           omniauth = {
             enabled = true;
-            auto_sign_in_with_provider = "openid_connect";
-            allow_single_sign_on = ["openid_connect"];
+            auto_sign_in_with_provider = "oauth2_generic";
+            allow_single_sign_on = ["oauth2_generic"];
             block_auto_created_users = false;
             providers = [
               {
-                name = "openid_connect";
+                name = "oauth2_generic";
                 label = "infra4future Login";
+                app_id = "gitlab";
+                app_secret = { _secret = "/persist/secrets/oidc-clientsecret"; };
                 args = {
-                  name = "openid_connect";
-                  scope = ["openid" "profile" "email"];
-                  response_type = "code";
-                  issuer = "https://auth.infra4future.de/auth/realms/forfuture";
-                  discovery = true;
-                  client_auth_method = "query";
-                  uid_field = "username";
                   client_options = {
-                    identifier = "gitlab";
-                    secret = { _secret = "/persist/secrets/oidc-clientsecret"; };
-                    redirect_uri = "https://gitlab.infra4future.de/users/auth/openid_connect/callback";
+                    site = "https://login.infra4future.de";
+                    user_info_url = "/oauth2/userinfo";
+                    authorize_url = "/oauth2/authorize";
+                    token_url = "/oauth2/token";
                   };
+                  strategy_class ="OmniAuth::Strategies::OAuth2Generic";
                 };
               }
             ];
diff --git a/services/hedgedoc-hacc.nix b/services/hedgedoc-hacc.nix
index 430e4fb..77b2c8e 100644
--- a/services/hedgedoc-hacc.nix
+++ b/services/hedgedoc-hacc.nix
@@ -55,8 +55,8 @@
           hsts.preload = false;
           email = false;
           oauth2 = {
-            authorizationURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
-            tokenURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
+            authorizationURL = "https://login.infra4future.de/oauth2/authorize";
+            tokenURL = "https://login.infra4future.de/oauth2/token";
             clientID = "hedgedoc";
             clientSecret = "1a730af1-4d6e-4c1d-8f7e-72375c9b8d62";
           };
@@ -64,9 +64,9 @@
       };
       systemd.services.hedgedoc.environment = {
         "CMD_LOGLEVEL" = "warn";
-        "CMD_OAUTH2_USER_PROFILE_URL" = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo";
-        "CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "name";
-        "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "display-name";
+        "CMD_OAUTH2_USER_PROFILE_URL" = "https://login.infra4future.de/oauth2/userinfo";
+        "CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "nickname";
+        "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "name";
         "CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR" = "email";
         "CMD_OAUTH2_PROVIDERNAME" = "Infra4Future";
       };
diff --git a/services/mattermost.nix b/services/mattermost.nix
index 4e9e41b..debc1a2 100644
--- a/services/mattermost.nix
+++ b/services/mattermost.nix
@@ -141,9 +141,9 @@ in {
             Enable = true;
             Id = "mattermost";
             Scope = "";
-            AuthEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
-            TokenEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
-            UserApiEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo";
+            AuthEndpoint = "https://login.infra4future.de/oauth2/authorize";
+            TokenEndpoint = "https://login.infra4future.de/oauth2/token";
+            UserApiEndpoint = "https://login.infra4future.de/oauth2/userinfo";
           };
           # for some reason, these don't appear to be working; the startup
           # process complaines and sets these back to en
diff --git a/services/uffd.nix b/services/uffd.nix
new file mode 100644
index 0000000..81c4a5f
--- /dev/null
+++ b/services/uffd.nix
@@ -0,0 +1,66 @@
+{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }:
+
+let
+  uffd = pkgs.uffd;
+in {
+  containers.uffd = {
+    privateNetwork = true;
+    hostAddress = "192.168.100.1";
+    localAddress = "192.168.100.9";
+    autoStart = true;
+    bindMounts = {
+      "/persist" = {
+        hostPath = "/persist/containers/uffd";
+        isReadOnly = false;
+      };
+    };
+    path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
+      boot.isContainer = true;
+      networking.useDHCP = false;
+      users.users.root.hashedPassword = "";
+
+      imports = [
+        ((import sources.nix-hexchen) {}).profiles.nopersist
+      ];
+
+      nixpkgs.config.allowUnfree = true;
+      networking.firewall.enable = false;
+      networking.defaultGateway = {
+        address = "192.168.100.1";
+        interface = "eth0";
+      };
+      services.coredns = {
+        enable = true;
+        config = ''
+        .:53 {
+          forward . 1.1.1.1
+        }
+        '';
+      };
+
+      services.uwsgi = {
+        enable = true;
+        plugins = [ "python3" ];
+        instance = {
+          type = "normal";
+          pythonPackages = self: with self; [ uffd ];
+          module = "uffd:create_app()";
+          # socket = "${config.services.uwsgi.runDir}/uwsgi.sock";
+          http = ":8080";
+          env = [
+            "CONFIG_PATH=/persist/uffd/uffd.conf"
+          ];
+          hook-pre-app = "exec:FLASK_APP=${uffd}/lib/python3.9/site-packages/uffd flask db upgrade";
+        };
+      };
+    })).config.system.build.toplevel;
+  };
+  services.nginx.virtualHosts."login.infra4future.de" = {
+    enableACME = true;
+    forceSSL = true;
+    locations = {
+      "/".proxyPass = "http://${config.containers.uffd.localAddress}:8080";
+      "/static".root = "${uffd}/lib/python3.9/site-packages/uffd";
+    };
+  };
+}