diff --git a/machines/gerd.nix b/machines/gerd.nix
index 0715de4..e2d95f7 100644
--- a/machines/gerd.nix
+++ b/machines/gerd.nix
@@ -30,6 +30,7 @@
 ./gerd/services/notify
 ./gerd/services/drasl.nix
 ./gerd/services/drtvrss.nix
+ ./gerd/services/vikunja.nix
 ./gerd/services/monitoring
 ];
diff --git a/machines/gerd/services/vikunja.nix b/machines/gerd/services/vikunja.nix
new file mode 100644
index 0000000..da29cd3
--- /dev/null
+++ b/machines/gerd/services/vikunja.nix
@@ -0,0 +1,125 @@
+{ config, pkgs, lib, ... }:
+
+let
+ svc_domain = "vikunja.${config.mine.shared.settings.domain}";
+ vikunjaOIDCName = "authelia";
+in {
+ services.vikunja = {
+ enable = true;
+
+ package = pkgs.vikunja.overrideAttrs (old: {
+ # src = lib.cleanSource /tmp/vikunja;
+ patches = (old.patches or []) ++ [
+ (pkgs.writeText "vikunja-clientsecret-envvar.patch" ''
+ diff --git a/pkg/modules/auth/openid/providers.go b/pkg/modules/auth/openid/providers.go
+ index 5e14c1b31..d9a5215c1 100644
+ --- a/pkg/modules/auth/openid/providers.go
+ +++ b/pkg/modules/auth/openid/providers.go
+ @@ -17,6 +17,8 @@
+ package openid
+
+ import (
+ + "fmt"
+ + "os"
+ "regexp"
+ "strconv"
+ "strings"
+ @@ -139,6 +141,10 @@ func getProviderFromMap(pi map[string]interface{}) (provider *Provider, err erro
+ Scope: scope,
+ }
+
+ + if clientSecret, ok := os.LookupEnv(fmt.Sprintf("VIKUNJA_AUTH_OPENID_PROVIDERS_%s_CLIENTSECRET", strings.ToUpper(provider.Name))); ok {
+ + provider.ClientSecret = clientSecret
+ + }
+ +
+ cl, is := pi["clientid"].(int)
+ if is {
+ provider.ClientID = strconv.Itoa(cl)
+ '')
+ ];
+ });
+
+ frontendScheme = "https";
+ frontendHostname = svc_domain;
+
+ database = {
+ type = "postgres";
+ host = "/run/postgresql";
+ };
+
+ environmentFiles = [
+ config.age.secrets.vikunja-env.path
+ ];
+
+ settings = {
+ service.enableregistration = false;
+ auth.local.enabled = false;
+
+ auth.openid = {
+ enabled = true;
+ providers = [{
+ key = "authelia";
+ name = vikunjaOIDCName;
+ clientid = "vikunja";
+ authurl = "https://${config.mine.shared.settings.authelia.domain}";
+ clientsecret = "not-used-but-needs-to-be-set";
+ }];
+ };
+ };
+ };
+
+ # setup for oidc
+ services.authelia.instances.main.settings.identity_providers.oidc.clients = [{
+ client_id = "vikunja";
+ client_name = "Vikunja";
+ client_secret = "$pbkdf2-sha512$310000$GjslCZ8GAperXUFzmFGslA$QsQHK.HbuvMIiH5Q2vnM1cYR5N.yNjc6RDNU0RBnqVpJjySvjZBQa1dteceTNtvgQz7hXPlnSpRzKTGYj/k.Hw";
+ consent_mode = "implicit";
+ redirect_uris = [ "https://${svc_domain}/auth/openid/${vikunjaOIDCName}" ];
+ scopes = [
+ "openid"
+ "profile"
+ "email"
+ ];
+ }];
+
+ # persistence
+ environment.persistence.root.directories = [
+ { directory = "/var/lib/private/vikunja"; mode = "0700"; }
+ ];
+
+ # setup postgresql
+ services.postgresql = let
+ user = config.services.vikunja.database.user;
+ in {
+ ensureDatabases = [ user ];
+ ensureUsers = [{
+ name = user;
+ ensureDBOwnership = true;
+ }];
+ };
+
+ # nginx
+ services.nginx.virtualHosts."${svc_domain}" = {
+ forceSSL = true;
+ enableACME = true;
+
+ locations."/".proxyPass = "http://localhost:${builtins.toString config.services.vikunja.port}";
+ };
+
+ # meta
+ mine.shared.meta.vikunja = rec {
+ name = "Vikunja";
+ description = ''
+ The to-do app to organize your life.
+ '';
+ url = "https://${svc_domain}";
+
+ package = let
+ pkg = config.services.vikunja.package;
+ in {
+ name = pkg.pname;
+ version = pkg.version;
+ meta = pkg.meta;
+ };
+ };
+}
diff --git a/secrets/default.nix b/secrets/default.nix
index af50e42..a45dce6 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -69,6 +69,9 @@
 # drasl
 drasl-env.file = ./drasl/env.age;
+
+ # vikunja
+ vikunja-env.file = ./vikunja/env.age;
 };
 users.groups.secrets-lldap-bind-user-pass = {};
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index d0a2734..9577a0f 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -79,4 +79,7 @@ in
 # drasl
 "drasl/env.age".publicKeys = defaultAccess;
+
+ # vikunja
+ "vikunja/env.age".publicKeys = defaultAccess;
 }
diff --git a/secrets/vikunja/env.age b/secrets/vikunja/env.age
new file mode 100644
index 0000000..830967b
Binary files /dev/null and b/secrets/vikunja/env.age differ
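Review bot: The placeholder `clientsecret = "not-used-but-needs-to-be-set";` in the vikunja provider is only safe because the embedded patch to `getProviderFromMap` overrides it from `VIKUNJA_AUTH_OPENID_PROVIDERS_%s_CLIENTSECRET` with `%s` = `strings.ToUpper(provider.Name)`, i.e. derived from `name = vikunjaOIDCName` rather than from `key`, and nothing in the Nix file records that the age-encrypted vikunja-env must define that exact variable. If the variable is absent or the provider is renamed without updating the secret, `os.LookupEnv` returns `ok == false`, the placeholder string presumably stays the live client secret, and the Authelia token exchange would fail with no hint at the configuration level. Add a comment above the placeholder, e.g. `# overridden at runtime by VIKUNJA_AUTH_OPENID_PROVIDERS_AUTHELIA_CLIENTSECRET from vikunja-env (see patch above); the variable name follows the provider name, so keep it in sync with vikunjaOIDCName`. The commented-out `# src = lib.cleanSource /tmp/vikunja;` line reads as leftover local-build debugging and could be dropped before merging.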