diff --git a/.git-age.yaml b/.git-age.yaml
index a0c3512be74e3263c733819bd6232cbd0f4cc2b2..2c731904fdf380d7b5fa76d2865051ca5238f81b 100644
--- a/.git-age.yaml
+++ b/.git-age.yaml
@@ -1,3 +1,5 @@
+dragonwell/dex.nix:
+    - age105cm5awxxegyrqthh4vhnxzr0tdy86q8uq52wkkjacfkutp2vprqwseak7
 dragonwell/tandoor.nix:
     - age105cm5awxxegyrqthh4vhnxzr0tdy86q8uq52wkkjacfkutp2vprqwseak7
 
diff --git a/dragonwell/caddy.nix b/dragonwell/caddy.nix
index 1e53756abbbe5f0f6e2fd2c3535b8cfb50644e41..b8330ef12a15c7aff72a77f2f84c68de7163cd1b 100644
--- a/dragonwell/caddy.nix
+++ b/dragonwell/caddy.nix
@@ -62,8 +62,13 @@       '';
       "pr.jolheiser.com".extraConfig = ''
         reverse_proxy localhost:7449
       '';
+      "auth.jolheiser.com".extraConfig = ''
+        reverse_proxy localhost:2884
+      '';
       "id.jolheiser.com".extraConfig = ''
-        reverse_proxy localhost:2884
+        reverse_proxy /api/* localhost:8080
+        reverse_proxy /.well-known/* localhost:8080
+        reverse_proxy /* localhost:3000
       '';
       "recipes.jolheiser.com".extraConfig = ''
         reverse_proxy localhost:3663
diff --git a/dragonwell/default.nix b/dragonwell/default.nix
index a60504689b4ee8fc435a47a1c94b2e52c76ec255..81ea24da74aab68dcf401e4fadb5cfab723fbd98 100644
--- a/dragonwell/default.nix
+++ b/dragonwell/default.nix
@@ -6,6 +6,7 @@ {
   imports = [
     ./beszel.nix
     ./caddy.nix
+    ./dex.nix
     ./forge-lines.nix
     ./foundry.nix
     ./git-pr.nix
diff --git a/dragonwell/dex.nix b/dragonwell/dex.nix
new file mode 100644
index 0000000000000000000000000000000000000000..3c29d36924dc681ed294c4efbaa6f408b09110bd
Binary files /dev/null and b/dragonwell/dex.nix differ
diff --git a/dragonwell/pocket-id.nix b/dragonwell/pocket-id.nix
index 2cb4a9031e2c179ad0dc615664683115816573ed..01feb4bfdff7f473e912486a983a52718db7d0e9 100644
--- a/dragonwell/pocket-id.nix
+++ b/dragonwell/pocket-id.nix
@@ -4,13 +4,11 @@   age.secrets.pocket-id.file = ../secrets/pocket-id.age;
   services.pocket-id = {
     enable = true;
     settings = {
-      APP_URL = "https://id.jolheiser.com";
-      PORT = 2884;
+      PUBLIC_APP_URL = "https://id.jolheiser.com";
       APP_NAME = "jolheiser ID";
       EMAILS_VERIFIED = true;
-      UI_CONFIG_DISABLED = true;
+      PUBLIC_UI_CONFIG_DISABLED = true;
       HOST = "localhost";
-      ANALYTICS_DISABLED = true;
     };
     environmentFile = config.age.secrets.pocket-id.path;
   };
diff --git a/dragonwell/pubserve.nix b/dragonwell/pubserve.nix
index 10a0ee65af37d433d0b95df34b524ef2964bd46e..ed05fc5ce2adb9a5209ab2ff4ab2174ac2684fdc 100644
--- a/dragonwell/pubserve.nix
+++ b/dragonwell/pubserve.nix
@@ -43,7 +43,7 @@         description = "Miniserve Public File Server (Admin)";
         after = [ "network.target" ];
         wantedBy = [ "multi-user.target" ];
         serviceConfig = {
-          ExecStart = "${pkgs.miniserve}/bin/miniserve -u -U -o 'overwrite' -t 'PrivServe' -p 3455 ${lib.concatStringsSep " " commonArgs}";
+          ExecStart = "${pkgs.miniserve}/bin/miniserve -u -U -o -t 'PrivServe' -p 3455 ${lib.concatStringsSep " " commonArgs}";
           Restart = "on-failure";
           User = user;
           Group = user;
diff --git a/dragonwell/tandoor.nix b/dragonwell/tandoor.nix
index 7a132ad574ce9a2dec17f2896dfbc88913a0c2d8..cb55b55357a6c16cb1a3c66d0b90062826f706f0 100644
Binary files a/dragonwell/tandoor.nix and b/dragonwell/tandoor.nix differ
diff --git a/flake.lock b/flake.lock
index 566771aa1eca8cd47570e5c66954031e8b201216..4fb5eb36432fd6971161eb6a0d91708fbb6eefb0 100644
--- a/flake.lock
+++ b/flake.lock
@@ -386,11 +386,11 @@       }
     },
     "nixpkgs_11": {
       "locked": {
-        "lastModified": 1752687322,
-        "narHash": "sha256-RKwfXA4OZROjBTQAl9WOZQFm7L8Bo93FQwSJpAiSRvo=",
+        "lastModified": 1748460289,
+        "narHash": "sha256-7doLyJBzCllvqX4gszYtmZUToxKvMUrg45EUWaUYmBg=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "6e987485eb2c77e5dcc5af4e3c70843711ef9251",
+        "rev": "96ec055edbe5ee227f28cdbc3f1ddf1df5965102",
         "type": "github"
       },
       "original": {
@@ -910,11 +910,11 @@         "tailwind-ctp": "tailwind-ctp",
         "tailwind-ctp-lsp": "tailwind-ctp-lsp"
       },
       "locked": {
-        "lastModified": 1749071626,
-        "narHash": "sha256-kih9aX2IOR/6Ht+qxLwR/Yqt3563AhKcqyoG0f8Dv7s=",
+        "lastModified": 1747241595,
+        "narHash": "sha256-mzDMJpXx+OXThNyUNV4hhCWl8/rO5XIprJVRtWlVWvo=",
         "ref": "refs/heads/main",
-        "rev": "86aa09929fe22207d245dc73c05d592044d61d9c",
-        "revCount": 93,
+        "rev": "68992f08078cf7278bed3e59ffd85ae5502fbfcd",
+        "revCount": 89,
         "type": "git",
         "url": "https://git.jolheiser.com/ugit.git"
       },
diff --git a/modules/miniserve/default.nix b/modules/miniserve/default.nix
index 7c202bd851780001b4280be621bb2b7b8351e0c2..9b6fcf6ad28f41d9508002736b1050ab9d564fb3 100644
--- a/modules/miniserve/default.nix
+++ b/modules/miniserve/default.nix
@@ -400,7 +400,7 @@               ))
               (optionalString cfg.mkdir "-U")
               (optionalString (cfg.mediaType != null) "-m ${cfg.mediaType}")
               (optionalString (cfg.rawMediaType != null) "-M '${cfg.rawMediaType}'")
-              (optionalString cfg.overwriteFiles "-o 'overwrite'")
+              (optionalString cfg.overwriteFiles "-o")
               (optionalString cfg.enableTar "-r")
               (optionalString cfg.enableTarGz "-g")
               (optionalString cfg.enableZip "-z")
diff --git a/secrets/dex-tailscale.age b/secrets/dex-tailscale.age
new file mode 100644
index 0000000000000000000000000000000000000000..fd08a0a9c6041197813d276ef962757ba859a45c
Binary files /dev/null and b/secrets/dex-tailscale.age differ
diff --git a/secrets/dex-tandoor.age b/secrets/dex-tandoor.age
new file mode 100644
index 0000000000000000000000000000000000000000..a225884f01176c109450fa3a327fbef77997c546
--- /dev/null
+++ b/secrets/dex-tandoor.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 E8j6/g YsUIQDctqlCM2OzopdrTXs/45TKcw0sy3X5mz1s39QQ
+MxFJxULdbC2cNESy69fv089Me/g6CT9EYvQw0cgeIxM
+-> ssh-ed25519 f31uNA s2Od8yh4aH2ChLbn7iYksis5Q94wtF3laNXh/1ezUwQ
+soqIbxdxNf+sHaMtFLiwFhyWhLiWXWrr1g7WlV9jMSY
+--- 5bdbdu2tsT5EDvLAXVGaJ1pI0XeGohwMJZxy9e5qHC4
+��?���.��R�g�>z�{q��t�8}P0G�܁ow_��B@�"����
\ No newline at end of file
diff --git a/secrets/dex.age b/secrets/dex.age
new file mode 100644
index 0000000000000000000000000000000000000000..8fd1fb58fe9223a1f19a8207aa0766ac0395e8ec
--- /dev/null
+++ b/secrets/dex.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 E8j6/g FlKwxt0jQldPaUYvtVjgVxMDNdb36kclogKonEwBVww
+Qn9GzexKqtlmfrhvyfvE3uPJyjn2WtM7bMsC2iUpJb0
+-> ssh-ed25519 f31uNA b+0yX8OagjPVGVi8Y85mCu/Qj7kvUqYWfA3nSImuMmQ
+KXnubgxUpL6h25UjzAixmfm59CMvx+vMM3bNMkLxQp8
+--- NQxJ6mSxKAH+ks3btpbDBVmcdT3GuKrCrd6Gi9y8ePw
+t��b�e~4�2-������T��1�������(M��!�o��'`ك�4�v�)�{���pJ��~��>\������s@�O�SY���8�j��o�w�_����ے{����*�9��*�Tf䃽t���l��w�[��@1s}���lq�t���9�d��b�M.����n�_9�i��@��!Z�]�9�SU��)�
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 758e8f4823b97677a94e0265553baf73349fcfb1..474e2a985c790f069c6ef8c870ac5518dc578662 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -27,6 +27,9 @@ {
   "restic-env.age".publicKeys = dragonwellKeys;
   "restic-pass.age".publicKeys = dragonwellKeys;
   "restic-repo.age".publicKeys = dragonwellKeys;
+  "dex.age".publicKeys = dragonwellKeys;
+  "dex-tailscale.age".publicKeys = dragonwellKeys;
+  "dex-tandoor.age".publicKeys = dragonwellKeys;
   "forge-lines.age".publicKeys = dragonwellKeys;
   "pocket-id.age".publicKeys = dragonwellKeys;
   "beszel-shincha.age".publicKeys = shinchaKeys;