diff --git a/hosts/koi/vms/hass.nix b/hosts/koi/vms/hass.nix
index f834d30..627015f 100644
--- a/hosts/koi/vms/hass.nix
+++ b/hosts/koi/vms/hass.nix
@@ -22,12 +22,20 @@ in
     };
   };
 
+  desu.secrets.hass-proxy-env = {};
+  desu.openid-proxy.services.hass = {
+    clientId = "hass";
+    domain = "hass.stupid.fish";
+    upstream = "http://10.42.0.3:8123";
+    envSecret = "hass-proxy-env";
+  };
+
   services.nginx.virtualHosts."hass.stupid.fish" = {
     forceSSL = true;
     useACMEHost = "stupid.fish";
 
     locations."/" = {
-      proxyPass = "http://10.42.0.3:8123$request_uri";
+      proxyPass = "http://hass-oidc.docker$request_uri";
       proxyWebsockets = true;
     };
   };
diff --git a/secrets/hass-proxy-env.age b/secrets/hass-proxy-env.age
new file mode 100644
index 0000000..cffd679
Binary files /dev/null and b/secrets/hass-proxy-env.age differ