diff --git a/services/self_host/sso.nix b/services/self_host/sso.nix
index 70b9955..e83b5e3 100644
--- a/services/self_host/sso.nix
+++ b/services/self_host/sso.nix
@@ -9,6 +9,22 @@ let
 cfg = config.service.selfhost.sso;
 kanidm-admin = config.age.secrets."kanidm-admin".path;
 kanidm-idmAdmin = config.age.secrets."kanidm-idmAdmin".path;
+ imagesDir = "/user/share/kanidm/assets";
+ kanidmLogo = pkgs.fetchurl {
+ url = "https://raw.githubusercontent.com/doc-sheet/forgejo/refs/heads/forgejo/assets/logo.svg";
+ name = "kanidm.svg";
+ sha256 = "sha256-rP7aZURtHBfF2OYuGLcKZhbvIN+B596T/3kaOxHUvig=";
+ };
+ grafanaLogo = pkgs.fetchurl {
+ url = "https://upload.wikimedia.org/wikipedia/commons/a/a1/Grafana_logo.svg";
+ name = "grafana.svg";
+ sha256 = "sha256-UjE6ArLCa52o3XGUmpqPoakbEOeFi+zfsnATi1FtWmQ=";
+ };
+ nextcloudLogo = pkgs.fetchurl {
+ url = "https://upload.wikimedia.org/wikipedia/commons/6/60/Nextcloud_Logo.svg";
+ name = "nextcloud.svg";
+ sha256 = "sha256-hL51zJkFxUys1CoM8yUxiH8BDw111wh3Qv7eTLm+XYo=";
+ };
 in
 {
 config = lib.mkIf cfg {
@@ -48,6 +64,7 @@ in
 ];
 groups = [
 "grafana_superadmins"
+ "forgejo_admins"
 "nextcloud_user"
 ];
 };
@@ -62,7 +79,13 @@ in
 grafana_editors = {
 present = true;
 };
- grafana_user = {
+ grafana_users = {
+ present = true;
+ };
+ forgejo_admins = {
+ present = true;
+ };
+ forgejo_users = {
 present = true;
 };
 nextcloud_user = {
@@ -112,6 +135,7 @@ in
 grafana = {
 present = true;
 displayName = "Grafana";
+ imageFile = grafanaLogo;
 originUrl = "https://monitor.enium.eu";
 originLanding = "https://monitor.enium.eu/login/generic_oauth";
 basicSecretFile = config.age.secrets.grafana-oidc-secret.path;
@@ -138,7 +162,7 @@ in
 "profile"
 "groups"
 ];
- grafana_user = [
+ grafana_users = [
 "email"
 "openid"
 "profile"
@@ -158,8 +182,8 @@ in
 grafana_editors = [
 "grafana_editors"
 ];
- grafana_user = [
- "grafana_user"
+ grafana_users = [
+ "grafana_users"
 ];
 };
 };
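Review bot: `imagesDir = "/user/share/kanidm/assets";` in the first hunk reads like a typo for `/usr/share/...`, and none of the hunks shown here reference it, so it should be corrected or dropped. `kanidmLogo` is stored as `kanidm.svg` but its URL is the Forgejo logo from the `refs/heads/forgejo` branch of a personal fork, and it is likewise unused in the hunks shown; if it is meant for a Forgejo client, `forgejoLogo` with `name = "forgejo.svg";` would say so. The `sha256` values are what stop a changed upstream SVG from being served by the IdP unnoticed, so they should stay. A branch ref will fail the build as soon as that file changes, though, so pinning the URL to a commit (`.../doc-sheet/forgejo/<commit-sha>/assets/logo.svg`) is more stable. A short comment above the three fetches, such as `# logos are fixed-output fetches; re-check the SVG and update the hash when upstream changes`, would help the next editor.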
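Review bot: The rename of `grafana_user` to `grafana_users` in the `@@ -62,7 +79,13 @@` hunk (repeated in the `@@ -138,7 +162,7 @@` and `@@ -158,8 +182,8 @@` hunks) only holds together if every person's `groups` list is renamed as well. No membership line for the old name is touched in this diff, so any entry outside the visible hunks that still lists `"grafana_user"` would refer to a group that is no longer declared. Whether the old group is removed from the running Kanidm depends on provisioning settings that are not visible here, so it is worth confirming it does not linger with its members. `forgejo_users` is declared but nobody is added to it and no Forgejo OAuth2 client appears in this diff; a comment like `# consumed by the forgejo OAuth2 client` would explain why it exists. `nextcloud_user` stays singular next to the new plural names.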
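Review bot: In the `@@ -158,8 +182,8 @@` hunk the string inside the list also changes, from `"grafana_user"` to `"grafana_users"`. If this is the group-to-claim mapping it appears to be, that string is the value Grafana receives in the token. Grafana's role mapping (`role_attribute_path` for generic_oauth) is not part of this diff, so if it still matches on `grafana_user`, those accounts will fall through to whatever default role or denial Grafana is configured with. Either keep the emitted value stable with `grafana_users = [ "grafana_user" ];` or update the Grafana expression in the same commit. The enclosing attribute set starts outside the hunk, so the mapping's exact meaning should be confirmed there.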
@@ -168,6 +192,7 @@ in
 nextcloud = {
 present = true;
 displayName = "Nextcloud";
+ imageFile = nextcloudLogo;
 originUrl = "https://nextcloud.enium.eu";
 originLanding = "https://nextcloud.enium.eu/login";
 basicSecretFile = config.age.secrets.nextcloud-oidc-secret.path;