diff --git a/hosts/sobotka/modules.nix b/hosts/sobotka/modules.nix
index 770172cc..4d70c502 100644
--- a/hosts/sobotka/modules.nix
+++ b/hosts/sobotka/modules.nix
@@ -214,7 +214,7 @@
 flags = "--performance";
 };
 tailscale = {
- enable = true;
+ enable = false;
 };
 udisks = {
 enable = true;
diff --git a/modules/server/authentik/default.nix b/modules/server/authentik/default.nix
index e23f4d6b..c6e3871c 100644
--- a/modules/server/authentik/default.nix
+++ b/modules/server/authentik/default.nix
@@ -54,10 +54,14 @@ in {
 authentikEnv = {
 file = "${self}/secrets/authentikEnv.age";
 owner = "authentik";
+ group = "authentik";
+ mode = "0400";
 };
 authentikCloudflared = {
 file = "${self}/secrets/authentikCloudflared.age";
 owner = "authentik";
+ group = "authentik";
+ mode = "0400";
 };
 };
@@ -66,7 +70,7 @@ in {
 jails = {
 authentik = {
 serviceName = "authentik";
- failregex = ^.*Username or password is incorrect.*IP:\s*
+ failRegex = "^.*Username or password is incorrect.*IP:\s*";
 };
 };
 };
@@ -99,7 +103,7 @@ in {
 middlewares = {
 authentik = {
 forwardAuth = {
- tls.insecureSkipVerify = true;
+ # tls.insecureSkipVerify = true;
 address = "https://localhost:9443/outpost.goauthentik.io/auth/traefik";
 trustForwardHeader = true;
 authResponseHeaders = [
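Review bot: In the secrets hunk of `modules/server/authentik/default.nix`, the new `group = "authentik";` lines grant nothing, because `mode = "0400"` leaves the group with no permission bits; only the `authentik` user can read either decrypted file. If `authentikCloudflared` is consumed by a unit that runs under a different account (not visible in this hunk), that unit will fail to read it. The safer fix in that case is to give the secret the consuming account as owner rather than to widen the mode. A short comment above each block, e.g. `# readable by the authentik user only; consumers must run as authentik`, would record the intent.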
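Review bot: In the `jails.authentik` hunk, the newly quoted `failRegex` loses its backslash: in a Nix double-quoted string `\s` evaluates to a plain `s`, so the pattern handed to the jail ends in `IP:s*` rather than `IP:\s*`. Use an indented string, `failRegex = ''^.*Username or password is incorrect.*IP:\s*'';`, or double the backslash as `"...IP:\\s*"`. The pattern also stops before the address; unless the jail module appends the host tag itself (not visible here), fail2ban needs `<HOST>` after `IP:\s*` to know which address to ban. Either defect would leave the brute-force jail for the identity provider silently ineffective, so it is worth checking the generated filter file and running `fail2ban-regex` against a real failed-login log line.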
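Review bot: In the `forwardAuth` hunk, `# tls.insecureSkipVerify = true;` is left behind as commented-out code; delete the line so the insecure setting is not restored by a stray uncomment. With verification back on, Traefik must be able to validate the certificate served at `https://localhost:9443`. If the outpost presents a self-signed certificate (not visible here), every forward-auth request will fail until the issuing CA is supplied through `tls.ca`. A comment such as `# outpost cert is verified; CA provided via tls.ca` would document how trust is established. The `forwardAuth` block continues past the end of the hunk.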