diff --git a/machines/gerd.nix b/machines/gerd.nix
index c1d5e14..b727eb1 100644
--- a/machines/gerd.nix
+++ b/machines/gerd.nix
@@ -6,6 +6,7 @@
 ./../shared/applications/server/nginx.nix
 ./../shared/applications/server/postgresql.nix # INCLUDES DATABASE BACKUPS
 ./../shared/applications/server/restic.nix # EXTERNAL BACKUP
+ ./../shared/applications/server/podman.nix
 ./../shared/applications/state/postgresql.nix
 ./../shared/applications/state/ssh.nix
@@ -28,6 +29,8 @@
 ./gerd/services/matrix-synapse.nix
 ./gerd/services/uptime-kuma.nix
+
+ ./gerd/services/rallly.nix
 ];
 networking.hostName = "gerd";
diff --git a/machines/gerd/services/rallly.nix b/machines/gerd/services/rallly.nix
new file mode 100644
index 0000000..d1f27b9
--- /dev/null
+++ b/machines/gerd/services/rallly.nix
@@ -0,0 +1,141 @@
+{ config, lib, pkgs, ... }:
+
+let
+ svc_name = "rallly";
+ svc_domain = "${svc_name}.${config.mine.shared.settings.domain}";
+
+ psqlSocket = "/run/postgresql";
+
+ user = "rallly";
+ group = user;
+ port = 7384;
+ internal_port = port;
+
+ rally_version = "3.11";
+in {
+ # setup container
+ virtualisation.oci-containers.containers.rallly = {
+ autoStart = true;
+ image = "lukevella/rallly:${rally_version}";
+
+ podman.user = user;
+
+ extraOptions = let
+ uid = config.users.users."${user}".uid;
+ gid = config.users.groups."${group}".gid;
+ in [
+ "--userns=keep-id:uid=${builtins.toString uid},gid=${builtins.toString gid}"
+ # TODO(eyJhb): required, otherwise rallly container cannot access authelia well-known openid configuration
+ "--network=host"
+ ];
+
+ environmentFiles = [
+ config.age.secrets.rallly-env.path
+ ];
+ environment = {
+ PORT = builtins.toString internal_port;
+ DATABASE_URL = "postgresql://${user}@localhost/${user}?host=${psqlSocket}";
+ NEXT_PUBLIC_BASE_URL = "https://${svc_domain}";
+ # SECRET_PASSWORD = "specified-in-env";
+
+ # limit signup even further
+ ALLOWED_EMAILS = "*@${config.mine.shared.settings.domain}";
+
+ # email
+ SUPPORT_EMAIL = "${svc_name}@${config.mine.shared.settings.domain}";
+ SMTP_HOST = config.mine.shared.settings.mail.domain_smtp;
+ SMTP_PORT = builtins.toString config.mine.shared.settings.mail.ports.submissions;
+ SMTP_SECURE = "true";
+ SMTP_USER = svc_name;
+ # SMTP_PWD = "specified-in-env";
+
+
+ # OIDC
+ OIDC_NAME = "Authelia";
+ OIDC_DISCOVERY_URL = "https://${config.mine.shared.settings.authelia.domain}/.well-known/openid-configuration";
+ OIDC_CLIENT_ID = "rallly";
+ # OIDC_CLIENT_SECRET = "specified-in-env";
+ };
+
+ volumes = [
+ "${psqlSocket}:${psqlSocket}"
+ ];
+
+ # TODO(eyJhb): likely not needed, because of the tmp network=host
+ ports = [
+ "127.0.0.1:${builtins.toString port}:${builtins.toString internal_port}"
+ ];
+ };
+
+ # setup postgresql
+ services.postgresql = {
+ 
ensureDatabases = [ user ];
+ ensureUsers = [{
+ name = user;
+ ensureDBOwnership = true;
+ }];
+ };
+
+ # setup ldap user for email
+ services.lldap.provision.users = config.mine.shared.lib.ldap.mkScope (lconfig: llib: {
+ "${svc_name}" = llib.mkProvisionUserSystem "${svc_name}" config.age.secrets.rallly-ldap-pass.path;
+ });
+
+ # give rallly user access to the secrets
+ age.secrets.rallly-env.owner = user;
+
+ # setup users
+ users.users."${user}" = {
+ isNormalUser = true;
+ group = group;
+ uid = 1001;
+ };
+ users.groups."${group}".gid = 974;
+
+ # authelia
+ services.authelia.instances.main.settings.identity_providers.oidc.clients = [{
+ client_id = "rallly";
+ client_name = "Rallly";
+ client_secret = "$pbkdf2-sha512$310000$KB4UqeuVr86lEOoISSE92w$i2YGpz3wRwceiRfYnMUhZ0MboutkDPPYVWnXqiw6tUt./mgZ5kfV1ES.kcdsHhMdavhCrJfWvVTPQRJKImuUrQ";
+ redirect_uris = [ "https://${svc_domain}/api/auth/callback/oidc" ];
+ scopes = [
+ "openid"
+ "email"
+ "profile"
+ ];
+ }];
+
+ # nginx
+ services.nginx.virtualHosts."${svc_domain}" = config.mine.shared.lib.authelia.mkProtectedWebsite {
+ forceSSL = true;
+ enableACME = true;
+
+ locations."/" = {
+ proxyPass = "http://localhost:${builtins.toString port}";
+ };
+
+ # try to disable registration
+ locations."/api/trpc/auth.requestRegistration" = {
+ root = pkgs.writeTextDir "index.html" ''
+ NO REGISTRATION!!
+ '';
+ };
+ };
+
+ mine.shared.meta.rallly = {
+ name = "Rallly";
+ description = ''Rallly is an open-source scheduling and collaboration tool designed to make organizing events and meetings easier. Please do not try to use the register or normal login, only try to sign in using the SSO method. 
'';
+ url = "https://${svc_domain}";
+
+ package = {
+ name = "rallly";
+ version = "v${rally_version}";
+ meta = with lib; {
+ description = "Rallly is an open-source scheduling and collaboration tool designed to make organizing events and meetings easier.";
+ license = licenses.agpl3Plus;
+ homepage = "https://git.fricloud.dk/fricloud/server-configs/src/branch/main/machines/gerd/services/member-website/app.py";
+ platforms = platforms.all;
+ };
+ };
+ };
+}
diff --git a/secrets/default.nix b/secrets/default.nix
index 312fecd..037c8cb 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -54,6 +54,10 @@
 # uptime-kuma
 uptime-kuma-ldap-pass.file = ./uptime-kuma/ldap-pass.age;
+
+ # rallly
+ rallly-ldap-pass.file = ./rallly/ldap-pass.age;
+ rallly-env.file = ./rallly/env.age;
 };
 users.groups.secrets-lldap-bind-user-pass = {};
diff --git a/secrets/rallly/env.age b/secrets/rallly/env.age
new file mode 100644
index 0000000..01d9b0d
Binary files /dev/null and b/secrets/rallly/env.age differ
diff --git a/secrets/rallly/ldap-pass.age b/secrets/rallly/ldap-pass.age
new file mode 100644
index 0000000..d40f5da
Binary files /dev/null and b/secrets/rallly/ldap-pass.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index c6a3edd..344d5d0 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -64,4 +64,8 @@ in
 # uptime-kuma
 "uptime-kuma/ldap-pass.age".publicKeys = defaultAccess;
+
+ # rallly
+ "rallly/ldap-pass.age".publicKeys = defaultAccess;
+ "rallly/env.age".publicKeys = defaultAccess;
 }
diff --git a/shared/applications/server/podman.nix b/shared/applications/server/podman.nix
new file mode 100644
index 0000000..c982261
--- /dev/null
+++ b/shared/applications/server/podman.nix
@@ -0,0 +1,6 @@
+{
+ virtualisation.podman = {
+ enable = true;
+ dockerCompat = true;
+ };
+}
diff --git a/shared/sources/sources.json b/shared/sources/sources.json
index b069312..a3f3b7f 100644
--- a/shared/sources/sources.json
+++ b/shared/sources/sources.json
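Review bot: `--network=host` in extraOptions makes the `ports` entry a few lines below it a no-op (podman discards port publishing in host network mode), so the 127.0.0.1 binding that mapping suggests never exists and the application listens on `PORT` 7384 directly in the host network namespace, on whatever address it binds by default; until the Authelia discovery TODO is resolved, the only thing keeping 7384 off external interfaces is the host firewall, which deserves a comment next to the option, e.g. `# --network=host: the ports mapping below is ignored; 7384 is shielded only by the host firewall`. The `/api/trpc/auth.requestRegistration` location is a prefix match, and tRPC batched requests join several procedure names into one path (of the form `/api/trpc/foo.bar,auth.requestRegistration?batch=1`), so a batch in which requestRegistration is not the first procedure would fall through `locations."/"` to the upstream — if Rallly exposes an application-level switch for self-registration, prefer that to the path rule; the Authelia wrapper and ALLOWED_EMAILS still bound who can reach it. Separately, `meta.homepage` points at `member-website/app.py`, which looks pasted from another service and should reference the rallly path or the upstream project, and `rally_version` is spelled with one l fewer than the service it names.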
@@ -41,10 +41,10 @@
 "homepage": null,
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "5135c59491985879812717f4c9fea69604e7f26f",
- "sha256": "09qy7zv80bkd9ighsw0bdxjq70dw3qjnyvg7il1fycrsgs5x1gan",
+ "rev": "6313551cd05425cd5b3e63fe47dbc324eabb15e4",
+ "sha256": "0fxw15gia9cc72spsqf1870bggp8gx694cr2g8hspm3jbj87xr0g",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/5135c59491985879812717f4c9fea69604e7f26f.tar.gz",
+ "url": "https://github.com/NixOS/nixpkgs/archive/6313551cd05425cd5b3e63fe47dbc324eabb15e4.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 }
 }