diff --git a/nix/systems/aarch64-linux/kas.codes/forgejo/default.nix b/nix/systems/aarch64-linux/kas.codes/forgejo/default.nix
index 37743a0..6163202 100644
--- a/nix/systems/aarch64-linux/kas.codes/forgejo/default.nix
+++ b/nix/systems/aarch64-linux/kas.codes/forgejo/default.nix
@@ -87,8 +87,8 @@ in
 mailer = {
 ENABLED = true;
 SMTP_ADDR = "kas.codes";
- FROM = "forgejo@khs.codes";
- USER = "forgejo@khs.codes";
+ FROM = "forgejo@kas.codes";
+ USER = "forgejo@kas.codes";
 };
 "ui.meta" = {
 AUTHOR = "Kaare Hoff Skovgaard ";
diff --git a/nix/systems/aarch64-linux/kas.codes/forgejo/oauth.nix b/nix/systems/aarch64-linux/kas.codes/forgejo/oauth.nix
index c8ab23c..9b111bf 100644
--- a/nix/systems/aarch64-linux/kas.codes/forgejo/oauth.nix
+++ b/nix/systems/aarch64-linux/kas.codes/forgejo/oauth.nix
@@ -16,22 +16,28 @@ let config="${config.services.forgejo.stateDir}/custom/conf/app.ini" secret="$(cat ${oauthSecretIdFile})" + options=( + "--name" "Kanidm" \ + "--key" "forgejo" \ + "--secret" "$secret" \ + "--auto-discover-url" https://login.kaareskovgaard.net/oauth2/openid/forgejo/.well-known/openid-configuration \ + "--scopes" "email profile" \ + "--skip-local-2fa" \ + "--provider" openidConnect \ + "--group-claim-name" "groups" \ + "--admin-group" "admin" \ + "--group-team-map-removal" \ + "--group-team-map" '{"nix": {"nix": [] }, "actions": { "actons": [] }}' + ) + if gitea "--config=$config" admin auth list | grep -q "Kanidm" 2> /dev/null; then - echo "Oauth2 app already exists, updating not yet implemented" - exit 0 + id="$(gitea "--config=$config" admin auth list | grep "Kanidm" | cut -d$'\t' -f1)" + gitea "--config=$config" admin auth update-oauth \ + --id "$id" \ + "''${options[@]}" else gitea "--config=$config" admin auth add-oauth \ - --name "Kanidm" \ - --key "forgejo" \ - --secret "$secret" \ - --auto-discover-url https://login.kaareskovgaard.net/oauth2/openid/forgejo/.well-known/openid-configuration \ - --scopes "email profile" \ - --skip-local-2fa \ - --provider openidConnect \ - --group-claim-name groups \ - --admin-group admin \ - --group-team-map-removal \ - --group-team-map '{"nix": ["nix"], "actions": ["actons"]}' + "''${options[@]}" fi ''; }; diff --git a/nix/systems/aarch64-linux/security.kaareskovgaard.net/kanidm.nix b/nix/systems/aarch64-linux/security.kaareskovgaard.net/kanidm.nix index 631db97..2eb1ced 100644 --- a/nix/systems/aarch64-linux/security.kaareskovgaard.net/kanidm.nix +++ b/nix/systems/aarch64-linux/security.kaareskovgaard.net/kanidm.nix @@ -79,6 +79,10 @@ in present = true; members = [ "khs" ]; }; + groups.forgejo_admin = { + present = true; + members = [ "khs" ]; + }; # We cannot add oauth2 apps before the secrets for them are generated. systems.oauth2 = lib.mkIf (!bootstrapping) { openbao = { 
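Review bot: The new `id=` line matches "Kanidm" as a substring anywhere in the `admin auth list` output and keeps every matching row, so a second source whose name or type merely contains that text would hand `update-oauth --id "$id"` a multi-line or wrong id, and it then either fails or updates the wrong source; the `grep -q "Kanidm"` on the line above has the same weakness. An exact match on the name column from a single list invocation, with a guard for an empty `id`, is safer, as sketched below (the name is assumed to be the second tab-separated column, as the `ID\tName\tType\tEnabled` header suggests, and awk must be on the unit's PATH like grep and cut already are — confirm both). The reshaped `--group-team-map` value now maps each group to an organisation with an empty team list, and combined with `--group-team-map-removal` it is not obvious which team memberships survive; worth checking the intended `{"group": {"org": ["team"]}}` shape before this runs against the live instance. The client secret is still passed on the command line via `"--secret" "$secret"`, where it is readable in the process table while the command runs, as it was before this change. The shell script's header, including any `set -e`/`set -o pipefail`, lies outside the hunk, so a failed `gitea ... list` that silently falls through to `add-oauth` is not ruled out from here.
```nix
      # … unchanged: config=, secret=, options=( … ) …
      # Exact match on the name column; assumes `admin auth list` prints
      # ID<TAB>Name<TAB>Type<TAB>Enabled — confirm against the real output.
      id="$(gitea "--config=$config" admin auth list | awk -F'\t' '$2 == "Kanidm" { print $1; exit }')"
      if [ -n "$id" ]; then
        gitea "--config=$config" admin auth update-oauth \
          --id "$id" \
          "''${options[@]}"
      else
        gitea "--config=$config" admin auth add-oauth \
          "''${options[@]}"
      fi
```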
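Review bot: The new `groups.forgejo_admin` group, together with the `"forgejo_admin" = [ "admin" ]` claim mapping added in the `@@ -167,6 +171,9 @@` hunk, grants Forgejo site-administrator rights to its members through the `"--admin-group" "admin"` option in forgejo/oauth.nix, but nothing at either site says so; a one-line comment such as `# Members become Forgejo site admins via the "admin" value in the groups claim (see forgejo/oauth.nix --admin-group).` next to the group and next to the mapping would make that visible to whoever edits the member list. The literal `admin` has to agree between the claim map and the oauth options, and a mismatch would silently stop granting admin rather than fail, so the comment is also the only hint to keep them in sync.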
@@ -167,6 +171,9 @@ in
 "forgejo_comitter" = [
 "comitter"
 ];
+ "forgejo_admin" = [
+ "admin"
+ ];
 };
 };
 };