diff --git a/hosts/nixos/HandlerOne/default.nix b/hosts/nixos/HandlerOne/default.nix
index 4d747a8..3e5a545 100644
--- a/hosts/nixos/HandlerOne/default.nix
+++ b/hosts/nixos/HandlerOne/default.nix
@@ -122,10 +122,12 @@
 cookie insecure off
 }
- authorization policy mypolicy {
+ authorization policy frigate {
 set auth url /caddy-security/oauth2/generic
 allow roles frigate
 inject headers with claims
+ inject header Remote-User from name
+ inject header Remote-Role from groups
 }
 }
 '';
diff --git a/modules/services/frigate/default.nix b/modules/services/frigate/default.nix
index ff2d2dc..3c5a3fe 100644
--- a/modules/services/frigate/default.nix
+++ b/modules/services/frigate/default.nix
@@ -10,19 +10,23 @@ in
 }:
 let
 sopsFolder = builtins.toString inputs.nix-secrets + "/sops";
- frigateConfig = pkgs.writeText "config.yaml" (
+ frigateConfig = pkgs.writeText "frigate-config.yaml" (
 lib.generators.toYAML { } {
- auth.reset_admin_password = true; # roll the admin password every restart, depend on user accounts for long-lived access
+ auth.enabled = false; # Proxy auth
 tls.enabled = false; # off because we're doing ssl through the proxy
+ proxy = {
+ logout_url = "https://auth.wanderingcrow.net";
+ default_role = "viewer";
+ header_map = {
+ user = "Remote-User";
+ role = "Remote-Role";
+ };
+ };
 mqtt = {
 enabled = true;
 host = "host.containers.internal";
 port = 1883;
 };
- notifications = {
- enabled = true;
- email = "frigate@wanderingcrow.net";
- };
 ui = {
 timezone = "America/New_York";
 time_format = "24hour";
@@ -255,7 +259,7 @@ in
 authenticate with myportal
 }
 route /* {
- authorize with mypolicy
+ authorize with frigate
 reverse_proxy http://10.88.0.10:8971
 }
 '';
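Review bot: The two `inject header` lines added to the `frigate` policy become the upstream's entire notion of identity once the frigate module turns its own auth off, and the hunk leaves that contract undocumented; it also depends on the injector overwriting rather than appending to any `Remote-User`/`Remote-Role` header already present on the request, which is worth confirming against the caddy-security version in use. Separately, `inject header Remote-Role from groups` presumably emits the user's group/role list as one header value, while Frigate's `header_map.role` expects a single role name it recognizes, so a value it cannot map would land on `default_role = "viewer"` and nobody would ever be granted admin — check one admin login after deploying. Suggested comment above the policy: `# Remote-User/Remote-Role are trusted verbatim by Frigate (auth.enabled = false); upstream 8971 must only be reachable through this proxy`. The Caddyfile string holding this policy starts before the hunk.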
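Review bot: With `auth.enabled = false` Frigate accepts `Remote-User` and `Remote-Role` verbatim, so anything that can reach `10.88.0.10:8971` without traversing the Caddy route (other containers on that network, or the host) can assert any user and the admin role, and nothing in the new `proxy` block constrains that. Two mitigations fit this module: restrict 8971 so only the Caddy container can connect, and set Frigate's `proxy.auth_secret` shared secret (loaded from sops — `sopsFolder` is already in scope here) and have Caddy send it, so header-only requests are rejected even from the container network. The `# Proxy auth` comment should also state the consequence of `default_role = "viewer"`, e.g. `auth.enabled = false; # proxy auth: identity comes solely from Remote-User/Remote-Role set by Caddy; unmapped roles fall back to viewer`. The `let` binding and the `toYAML` attribute set continue past the hunk.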