diff --git a/secrets.yaml b/secrets.yaml
index 1c33401..d7d5eb2 100644
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -6,6 +6,8 @@ tracktrain:
 env: ENC[AES256_GCM,data:jaq039FNxBrsPfG/q+InYpiyl1LBdY++DlLM6UpSAwKlINucooTrHz51QrdRWhAZDqXhVTHM55Q/Zm4wazweCABiNjkXDFoZgxc5YJX+pvBct6M533xl109yD6KiYOXDqPY03u71aop8OmOAnKDp1JlzPS1otdlaN8Vd56G+,iv:nYU2rgMMG4QcJo5DnZpYZm1zr82idd7r1uTsqNiXLdA=,tag:9rdxAneYUREacXNunpTuHw==,type:str]
 vaultwarden:
 env: ENC[AES256_GCM,data:hdm91tI8WBd3es+IUbdBO69kh1pNZTNvZNFIdSZO8lm4yYMPE+Jm7EzVqwOaZRbpQaVDBg7uh5P4ODc=,iv:no7U0wQCwZOeL2pwXf2pUIgrEsEOYwqOT04LvpCl614=,tag:AGSu5M7H69x6pDM062bC6g==,type:str]
+auamost:
+ secrets.fish: ENC[AES256_GCM,data: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,iv:MpaFGYbcTXdFabV+vlGyGxexpfP7LUpYYBjF6GVEN7c=,tag:n8qTOhnbBT7Xxz21bU0bYQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -93,8 +95,8 @@ sops:
 bndBTXJhQVE2OVlKeGNTbzJlL0duUzAKIWdesesYvBIN/m36fhzxq30+IT8qp/pF
 S6i7QqZF75y2BpEoupRCqNIAsHrouUE+U9ZQJZO8m9J591mWvbVJIw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-05-03T20:47:22Z"
- mac: ENC[AES256_GCM,data:5ks4oj4ILLZoJ8TAGLSktV+TZBt1igMOVTiRssr00xnMs1OpR4u0wqwbkM3e2vNP3Hk51AHn7J0W+Ex6f3/iuGdcpYmY/nmSuu+IRZkLL7UEulPm+FDUcw9wgifpNQ263LqvmtFmPURpx4jkTdvcKItWrN0ovV0Wk3jspQ4/QYA=,iv:Kp0cJCYSXBBD4nNetXs6XrFVEl77D7oPuJYAS91DEbU=,tag:b3KF/SFJf1TxDBJ+7KmFvg==,type:str]
+ lastmodified: "2023-12-30T17:53:03Z"
+ mac: ENC[AES256_GCM,data:TmAy6VSexktYaVlmZUPyvSIcByockQ/vf5evrZbgyVy80k1GqgU/sskELaJ6bpHZoo/xgSnepLugQYRazLFPIMSy2jGznco2enYtjgIRjl5SghEwYFPhc6jw+PlV/z9NLNOm+IzLf4YBesqGa2MLwOrT/1kHPFhVPZWA1Y/ccbw=,iv:wFvK0KWD2MRg/ap/5CGMeFr+zu21k7hMzO+4NCVpBbs=,tag:NPiSAj9g8rssqcrOBwVRVQ==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
- version: 3.7.3
+ version: 3.8.1
diff --git a/services/uffd.nix b/services/uffd.nix
index b51cde7..c7cbbef 100644
--- a/services/uffd.nix
+++ b/services/uffd.nix
@@ -53,9 +53,65 @@
 after = [ "network.target" ];
 serviceConfig.Type = "simple";
 path = [ pkgs.fish pkgs.curl pkgs.jq ];
- script = "/persist/magic/mattermost-groupsync.fish";
+ script = (pkgs.writeTextFile {
+ name = "auamost.fish";
+ executable = true;
+ checkPhase = ''
+ ${lib.getExe pkgs.fish} -n $target
+ '';
+ text = ''
+ #!${lib.getExe pkgs.fish}
+ source /run/secrets/auamost/secrets.fish
+
+ for i in (seq 1 (count $groups))
+ set team $teams[$i]
+ set group $groups[$i]
+ set users (curl -u $uffd_token --basic https://login.infra4future.de/api/v1/getusers -d group="$group")
+ set usernames (echo "$users" | jq -c "[.[] | .loginname]")
+ for user in (echo "$users" | jq -c ".[]")
+ set id (echo "$user" | jq .id)
+ set username (echo "$user" | jq .loginname)
+ set email (echo "$user" | jq .email)
+ curl -H $mattermost_token \
+ -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/users \
+ -d '{"email": '"$email"', "username": '"$username"', "auth_service": "gitlab", "auth_data": "'"$id"'"}'
+ end
+ set userids (curl -H $mattermost_token \
+ -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/users/usernames \
+ -d "$usernames" | jq '[.[] | {user_id: .id, team_id: "'$team'"} ]')
+ curl -H $mattermost_token \
+ -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/teams/"$team"/members/batch \
+ -d "$userids"
+
+ if test "$group" = "hacc"
+ continue
+ end
+
+ set current_members (curl -H $mattermost_token \
+ -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/teams/"$team"/members | jq '[.[] | .user_id]')
+
+ # membership relations don't contain e.g. usernames, so fetch those, too
+ set current_users (curl -H $mattermost_token \
+ -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/users/ids \
+ -d "$current_members" | jq -c '.[]')
+
+ set userids (echo "$userids" | jq -c ".[].user_id")
+ for member in $current_users
+ set id (echo $member | jq .id)
+ if not contains -i $id $userids > /dev/null then
+ set id_unquoted (echo $member | jq -r .id)
+ echo removing $id_unquoted (echo $member | jq '.email') from $team \($group\)
+ curl -X DELETE -H $mattermost_token \
+ -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/teams/"$team"/members/"$id_unquoted"
+ end
+ end
+ end
+ '';
+ }).outPath;
 startAt = "*:0/15";
 };
+ sops.secrets."auamost/secrets.fish" = { };
+ environment.systemPackages = with pkgs; [ curl jq ];
 }
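Review bot: The removal loop at the end of the script fails open: if the `getusers` call to uffd errors or returns nothing, `$users` is empty, `$userids` ends up empty, and `contains` then misses every id in `$current_users`, so every current member of `$team` is deleted — a transient API error or an expired `$uffd_token` turns into a mass de-provisioning on the 15-minute timer. Stop before anything destructive runs, e.g. `set users (curl -f -u $uffd_token --basic https://login.infra4future.de/api/v1/getusers -d group="$group"); or exit 1` (fish passes the substitution's status through `set`), and give the Mattermost `curl` calls `-f` too so a 401 is not read as an empty list. `if not contains -i $id $userids > /dev/null then` carries a bash `then` that fish hands to `contains` as one more haystack element — `fish -n` in checkPhase accepts it, but the line should end at `> /dev/null`. Both credentials are also passed on the curl command line (`-u $uffd_token`, `-H $mattermost_token`), where they are readable from the process list; `-H @file` or `--netrc-file`/`-K` pointing at the sops-managed file keeps them out of argv. The enclosing systemd service attribute set starts before the hunk.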