diff --git a/nki-personal-do/configuration.nix b/nki-personal-do/configuration.nix index 447da89..3670b29 100644 --- a/nki-personal-do/configuration.nix +++ b/nki-personal-do/configuration.nix @@ -25,6 +25,7 @@ ./owncast.nix ./peertube.nix ./outline.nix + ./vikunja.nix ]; system.stateVersion = "21.11"; diff --git a/nki-personal-do/secrets/secrets.yaml b/nki-personal-do/secrets/secrets.yaml index c02ed8e..d041d34 100644 --- a/nki-personal-do/secrets/secrets.yaml +++ b/nki-personal-do/secrets/secrets.yaml 
@@ -5,7 +5,7 @@ authentik-oidc-client-secret: ENC[AES256_GCM,data:lD/xyU87nik68JX+T2H3Gw5ZqsSGzX cloudflare-dns-api-token: ENC[AES256_GCM,data:2ny3JehpK30fTUDKrbzHv1QOczriChRyMQn6kNPULpUJ+eVwdptLvg==,iv:8wNAn3oawzLez7sO4ZvhFXcaZIpFVKgKCvTBlszFHn8=,tag:fRaO+u/5MtAWnTiy2Zwh0Q==,type:str] #ENC[AES256_GCM,data:KWrVRQg+cLm5MUdfsYrh7hkI4CWkl4Z0sDj0769eebeXDy+veixrQrxh1ZW+ro3WLwoIdU/IH5DPM4TWYn2qoM5aDHjGX764pr1x,iv:uZHBsGvSHv9vd/Wragl1dYNJ+8vCcMit2K3SrMFlz7s=,tag:7z4LyADfQvXsM2vvtWru8w==,type:comment] traefik-dashboard-users: ENC[AES256_GCM,data:kviapOq+xzxhjryse+5DaZbXRS/LEYyjqqFbHymXAZVEkWlu0T5pZ2bxSNCbXN+tXnb0u+6YPgGCaRNPLW74AF1hO8W8QqlLDA==,iv:41bwPyFQcuOLILTjLWUu5Kcnct/MaIIJsMbllc+n7Y0=,tag:17HyUjfRUcLGb0FrUm1O2A==,type:str] -mail-users: ENC[AES256_GCM,data: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,iv:fTsBB5yZYi47dk8JIDs1JmgtnK8dOhkNt481vqAU+ME=,tag:pAXBSgzPB8nDdAO9YXM02A==,type:str] +mail-users: ENC[AES256_GCM,data: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,iv:agQUE9UstOv/QYYamKWU6ouw9aSmrvl8HEYc8eTM25A=,tag:Qf+FuSpvfea9POljQ3UweQ==,type:str] youmubot-env: ENC[AES256_GCM,data:EQ9e6lmCrjofHiHyN5Qe4b2oplP9/3JKl0vuFp54Hw9aYIS7j3nqzWLCvV54ZK7j1PcQ+CQorjeCVMV0TUy1f1Pf3qjrLkdOdV7ICq540gdfXOeXuhAx2EILpGkwIYOdKmTMSO3l2QkOlM02RNOn1lq/DogAydkEq7gJ7qSWnUEr45oNCa1+LamH8vcbDmIyzUWWXyA5EQ==,iv:fnNGZ6OaZ4D71SvWPRynsMpO1IsvxjQ3XtrswNSY+Wo=,tag:cN/ZnKrjSfD6AbU9pYNl+Q==,type:str] outline: smtp-password: ENC[AES256_GCM,data:zpIi6jVB2Y7ksBOR8SGFgjOD1x3aS6dKa6taLKB8v2l9p92iWDti75qgB1puglmmq8mCzz8KXLrM0Bv7W8GWRg==,iv:6tKINzQcApmNuIbNn0kSzFJtwn3rky/uFG2Ff3lazUk=,tag:kjB6qB87tRQVpy32Pt3D5A==,type:str] 
@@ -42,6 +42,9 @@ peertube: ENC[AES256_GCM,data:YWySVZVTC26qPMcgSV5v4Vp1u69jGt7VV2ElQBSxvG/R589PCJ peertube-env: ENC[AES256_GCM,data:ZrWBwSfMuepIYTzHVCCSnpsXb+MTcOfklI0O/UdcGaR3RzO1R+/wXQcFlV46g9dvKLMOaH7bxrHeWxqPh/7hlPEYFYwlbwcX31MGiSeRyeR5YtVi0CmhiGRA3l8X5NMCpvZmNhnjYNuri/My86SMkjhuaFQ5+BjYISoJ5WnbNSqE9qgQKuJVu64hsOgaQQbmaBL/LU7Pv/vushbNg421kdbRnzCPcc3IzkVzsFsgYH2fdEJa3gE8M63eLn99PbA+e5cWEwGNkuoNuro2tnaMaX1PM6iTF+q0A8HbiEioNMRIdD9czatgF7EwKgCFNu44cm2lp/c5qj+Lm/nC,iv:+MjpreGr9M+Oe5DrDe5SIBKtLuIqtb0a50YvGhDZT2Y=,tag:gYGlMcgWwa1ZpbQb4XfMmQ==,type:str] nix-build-farm: private-key: ENC[AES256_GCM,data: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,iv:7Uqnu2xEcHotczRzIcDfq9bM7wNXdz0Fg2HNpxlV1/Q=,tag:w5aLsT9LN92+83rdP2YJTg==,type:str] +vikunja: + env: ENC[AES256_GCM,data:TyHSS5aqrzdKDki42vtTKj707R2HRWDCmKqU/ntUfHVADgy3fljpBslokbO2PdXH8/WbV42STALqPXdWvN6EYSpoE/NZECP35W0PS4bYhQfhvY/tMDiTR1aBTDJejzgadC1n4/uIeicbnzAU8BQNljilFGg3GIR+A36M42CJUjAHPAAOuKarz+5ADs/T1WJRL3kG30TVC8o=,iv:9PI4jjVmRcsVg7aYpSrxSxMofIflYZ0WYT5vRbB2Hxc=,tag:4AZmCfB8xLRfV9vFdp3Vng==,type:str] + provider-clientsecret: ENC[AES256_GCM,data:/fN1rH2CKoaivhespd+/KamERjBQOdwR7QQ+hoB+pQ3ZSrBVIKbLMWyOJe8f7rVwXAByqDxQIZJEVPjcjhWSU1eicwpu57FBx+/xJLFazspTVZ+5XKyAwR+UxTHDGAgtFV00QHN53l7ygg4joWWko4IPN1JIpNIASaIWWzpsrIo=,iv:NLsZcmE1kKlzV7B/XPVfENMWlpQtOpESH0ByX1KQ8IQ=,tag:P+ZmsKq0KJAeRTTbvbduMg==,type:str] sops: kms: [] gcp_kms: [] 
@@ -75,8 +78,8 @@ sops: by9kZFlTRVdCZFkxYTVVb0RIRk8zUlkKCqMw9oL9RaYBV5Hhy3o8Nm5xmGrPH8Sd hv36sxRFFNZT/DCKaHaSRbT3mfpBZSTXJt1dgl4nZe6whH54t/1KmA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-26T12:06:05Z" - mac: ENC[AES256_GCM,data:nici08Luubj2xDfsi1s16VCyG5oizIC6DRfvypmjWRpn0DSpcoWW1j32ya2poEwzpBJoVksFp7ijyjaJv8obExKx94ZYc790eOp/kp1f8lBaHDF8qrYYPL5penkt+UTKeb8xb7BPCJ7O89IVkIjAt7EoQOliMYrLpbiZGkMdHE0=,iv:qY5+MjU5VaXAesuFGt4SgmEdcJ6+vb/mk+NdOPLjCik=,tag:poRJZW3sAMv6EMi64SEQyA==,type:str] + lastmodified: "2024-12-03T01:35:02Z" + mac: ENC[AES256_GCM,data:DrcQDEOAQZnyJ2e0hLdWJ3tYVuRBhYa/TcdoUV6/J3tLMcFYQRZXbO8GxQMMWAs6hZ4nqJWNihAbAwfwRqCLR5mmd2ntjjEYYcRzekWaqQ2JV+yCnXEMouUeVWabkrbbuB0k600Po8vsU2gMb6RtIf95YaUJRkA9dkkAyQVN1mU=,iv:av7TlBrMLHfnkOVzXyKSG9IfZOrDD2t1KCWWjJsmNTE=,tag:tKkYUn6Y32HwXYBHFO4CZg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.1 diff --git a/nki-personal-do/vikunja.nix b/nki-personal-do/vikunja.nix new file mode 100644 index 0000000..0ed6177 --- /dev/null +++ b/nki-personal-do/vikunja.nix 
@@ -0,0 +1,112 @@
+{ pkgs, lib, config, ... }:
+let
+ secrets = config.sops.secrets;
+
+ host = "kanban.dtth.ch";
+ user = "vikunja";
+ port = 12785;
+
+ storageMount = "/mnt/data/vikunja";
+in
+{
+ sops.secrets."vikunja/env" = { };
+ sops.secrets."vikunja/provider-clientsecret" = { };
+ cloud.postgresql.databases = [ user ];
+ cloud.traefik.hosts.vikunja = {
+ inherit port host;
+ };
+
+ # users
+ users.users."${user}" = {
+ group = "${user}";
+ isSystemUser = true;
+ };
+ users.groups."${user}" = { };
+
+
+ services.vikunja = {
+ inherit port;
+ enable = true;
+ package =
+ builtins.seq
+ (lib.assertMsg (pkgs.vikunja.version == "0.24.5") "Vikunja probably doesn't need custom versions anymore")
+ (pkgs.vikunja.overrideAttrs
+ (attrs: {
+ src = pkgs.fetchFromGitHub {
+ owner = "go-vikunja";
+ repo = "vikunja";
+ rev = "e57f04ec23e9ff8aa9877d2ea7d571c2a44790b0";
+ hash = "sha256-W6o1h6XBPvT1lH1zO5N7HcodksKill5eqSuaFl2kfuY=";
+ };
+
+ passthru = attrs.passthru // {
+ overrideModAttrs = attrs: {
+ outputHash = "sha256-UWjlivF9ySXCAr84A1trCJ/n9pB98ZhEyG11qz3PL7g=";
+ };
+ };
+ }));
+
+ frontendScheme = "https";
+ frontendHostname = host;
+
+ environmentFiles = [ secrets."vikunja/env".path ];
+
+ database = {
+ type = "postgres";
+ host = "/var/run/postgresql";
+ user = user;
+ database = user;
+ };
+
+ settings = {
+ service = {
+ publicurl = "https://${host}";
+ enableregistration = false;
+ enablepublicteams = true;
+ };
+ mailer = {
+ enabled = true;
+ host = "mx1.nkagami.me";
+ port = 465;
+ forcessl = true;
+ };
+ files.basepath = lib.mkForce storageMount;
+ auth = {
+ local.enabled = false;
+ openid = {
+ enabled = true;
+ providers.authentik = {
+ name = "DTTH Discord Account";
+ authurl = "https://auth.dtth.ch/application/o/vikunja/";
+ logouturl = "https://auth.dtth.ch/application/o/vikunja/end-session/";
+ clientid = "GvCIBtdE2ZRbAo5BJzw4FbZjer7umJlaROT1Pvlp";
+ scope = "openid profile email vikunja_scope";
+ };
+ };
+ };
+ defaultsettings = {
+ avatar_provider = "gravatar";
+ week_start = 1;
+ language = "VN";
+ timezone = "Asia/Ho_Chi_Minh";
+ };
+ };
+ };
+
+ systemd.services.vikunja = {
+ serviceConfig.User = user;
+ serviceConfig.LoadCredential = [ "VIKUNJA_AUTH_OPENID_PROVIDERS_AUTHENTIK_CLIENTSECRET_FILE:${secrets."vikunja/provider-clientsecret".path}" ];
+ serviceConfig.DynamicUser = lib.mkForce false;
+ environment.VIKUNJA_AUTH_OPENID_PROVIDERS_AUTHENTIK_CLIENTSECRET_FILE = "%d/VIKUNJA_AUTH_OPENID_PROVIDERS_AUTHENTIK_CLIENTSECRET_FILE";
+ unitConfig = {
+ RequiresMountsFor = [ storageMount ];
+ ReadWritePaths = [ storageMount ];
+ };
+ };
+ systemd.tmpfiles.settings."10-vikunja".${storageMount}.d = {
+ user = user;
+ group = user;
+ mode = "0700";
+ };
+}
+
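Review bot: `ReadWritePaths` is set under `unitConfig` in `systemd.services.vikunja`, so it is emitted into the `[Unit]` section, where systemd does not recognise it; it is a `[Service]` sandboxing directive and has no effect where it is now. In the same block `serviceConfig.DynamicUser = lib.mkForce false` also removes the filesystem protections that DynamicUser implies (`ProtectSystem=strict`, `ProtectHome=read-only`, `PrivateTmp`), and unless the upstream module sets them separately (not visible in this hunk) the service ends up with no filesystem confinement beyond its uid. I would move the path to `serviceConfig.ReadWritePaths = [ storageMount ];` and restore the confinement explicitly with `serviceConfig.ProtectSystem = "strict";` and `serviceConfig.PrivateTmp = true;`, keeping only `RequiresMountsFor` in `unitConfig`. Running `systemd-analyze security vikunja.service` on the deployed unit would confirm what is actually applied.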