diff --git a/nixos/server/git.nix b/nixos/server/git.nix
index 02b99fefe815a620aaf5e39064a3663d1c42b12f..af879b6637a4365530a9d35ccb3dabf3133bdfcb 100644
--- a/nixos/server/git.nix
+++ b/nixos/server/git.nix
@@ -441,6 +441,24 @@ See:
       replace-notes.headers = {
         customRequestHeaders.Host = "notes-8efb78.pages.eisfunke.com";
       };
+      auth-private-notes.forwardAuth = {
+        # localhost:61022 is the authentik container
+        address = "http://localhost:61022/outpost.goauthentik.io/auth/TODO";
+        trustForwardHeader = true;
+        authResponseHeaders = [
+          "X-authentik-username"
+          "X-authentik-groups"
+          "X-authentik-email"
+          "X-authentik-name"
+          "X-authentik-uid"
+          "X-authentik-jwt"
+          "X-authentik-meta-jwks"
+          "X-authentik-meta-outpost"
+          "X-authentik-meta-provider"
+          "X-authentik-meta-app"
+          "X-authentik-meta-version"
+        ];
+      };
     };
     services = {
       git.loadBalancer.servers = [ { url = "http://localhost:61026"; } ];
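Review bot: The `address` in `auth-private-notes.forwardAuth` still ends in the placeholder `/auth/TODO`, so as committed the middleware does not point at a real outpost endpoint; authentik's documented path for Traefik is `/outpost.goauthentik.io/auth/traefik`. A non-2xx reply from the auth server should make Traefik deny the request, but confirm that before attaching the middleware to a router, which this hunk does not show. `trustForwardHeader = true;` makes the middleware keep `X-Forwarded-*` headers already present on the incoming request, so it is only safe when a trusted proxy in front is the sole party able to set them; if this Traefik is the internet-facing edge, prefer `trustForwardHeader = false;`. `authResponseHeaders` also passes `X-authentik-jwt` and the `X-authentik-meta-*` headers to the backend, so consider trimming the list to what the notes backend actually reads. The enclosing middleware attribute set starts and ends outside the hunk.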