diff --git a/modules/machine/yshtola/configuration.nix b/modules/machine/yshtola/configuration.nix
index 13f6861..1f4e70e 100644
--- a/modules/machine/yshtola/configuration.nix
+++ b/modules/machine/yshtola/configuration.nix
@@ -17,8 +17,10 @@
 # After deploying Mastodon, register an OAuth application at
 # https://social.wyattjmiller.com/settings/applications and write the
 # client ID / secret to these paths (chmod 400, owned by the tuwunel user):
- mastodonOauthClientIdFile = "/var/lib/tuwunel/mastodon-oauth-client-id";
- mastodonOauthClientSecretFile = "/var/lib/tuwunel/mastodon-oauth-client-secret";
+ mastodonOauthClientIdFile = "/var/lib/private/tuwunel/matrix-oauth-client-id";
+ mastodonOauthClientSecretFile = "/var/lib/private/tuwunel/matrix-oauth-client-secret";
+ mastodonOauthClientId = builtins.readFile mastodonOauthClientIdFile;
+ mastodonOauthClientSecret = builtins.readFile mastodonOauthClientSecretFile;
 in {
 imports = [
 ../../pwrMgmt
@@ -200,10 +202,13 @@ in {
 {
 brand = "Mastodon";
 issuer_url = "https://${mastodonFqdn}";
- id = "oidc-mastodon";
- client_id = mastodonOauthClientIdFile;
- client_secret = mastodonOauthClientSecretFile;
- scope = ["openid" "read:accounts"];
+ id = mastodonOauthClientId;
+ callback_url = "https://${matrixFqdn}/_matrix/client/v3/login/sso/callback/${mastodonOauthClientId}";
+ discovery_url = "https://${mastodonFqdn}/.well-known/oauth-authorization-server";
+ client_id = mastodonOauthClientId;
+ client_secret = mastodonOauthClientSecret;
+ scope = ["profile"];
+ userid_claims = ["preferred_username"];
 }
 ];
 };
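Review bot: The two added `builtins.readFile` bindings in the `let` block read the OAuth client ID and secret at evaluation time, so the secret is baked into the evaluated tuwunel configuration and lands in the world-readable Nix store, which defeats the `chmod 400` arrangement the comment directly above still describes; the second hunk then interpolates `mastodonOauthClientSecret` straight into the provider block. The removed lines handed tuwunel the file paths instead (`client_id = mastodonOauthClientIdFile;`), and if tuwunel can load these values from a file or environment variable at runtime (or via a systemd `LoadCredential=` entry), keeping that indirection avoids the store copy entirely. If eval-time reading is kept anyway, note that `readFile` preserves a trailing newline, so a file written with `echo` would put `\n` into `id`, `callback_url` and `client_secret`; at minimum strip it, e.g. `mastodonOauthClientId = builtins.replaceStrings ["\n"] [""] (builtins.readFile mastodonOauthClientIdFile);`. Evaluation will also now fail on any host where these two files are absent, including a machine that builds this configuration for remote deployment.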
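Review bot: Using the OAuth client ID as the provider `id` also embeds it in the `callback_url` path, so re-registering the Mastodon application (which issues a new client ID) silently changes the redirect URI tuwunel advertises and breaks SSO login until the new URI is registered on the Mastodon side. A fixed identifier such as the removed `id = "oidc-mastodon";` together with `callback_url = "https://${matrixFqdn}/_matrix/client/v3/login/sso/callback/oidc-mastodon";` keeps the redirect URI stable across credential rotation, which is the case where this config is most likely to be touched. The enclosing attribute set opens before the start of the hunk.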