diff --git a/lotus-land-story/gotosocial.yml b/lotus-land-story/gotosocial.yml
new file mode 100644
index 0000000..4e9c588
--- /dev/null
+++ b/lotus-land-story/gotosocial.yml
@@ -0,0 +1,58 @@
+# https://docs.gotosocial.org/en/latest/getting_started/installation/container/
+
+- name: Set up GoToSocial
+ hosts: lotus-land-story
+ vars_files:
+ - vars.yml
+ vars:
+ version: snapshot # temporary, to get import/export functionality
+ tasks:
+
+ - name: Create working directory
+ ansible.builtin.file:
+ path: /mnt/lotus-land-story/gotosocial
+ state: directory
+ mode: "0755"
+
+ - name: Create data directory
+ ansible.builtin.file:
+ path: /mnt/lotus-land-story/gotosocial/data
+ state: directory
+ owner: 1000
+ group: 1000
+ mode: "0755"
+
+ # https://raw.githubusercontent.com/superseriousbusiness/gotosocial/main/example/docker-compose/docker-compose.yaml
+ - name: Run GoToSocial
+ community.docker.docker_container:
+ name: gotosocial
+ image: superseriousbusiness/gotosocial:{{ version }}
+ restart: true
+ restart_policy: unless-stopped
+ env:
+ GTS_HOST: hey.kejadlen.dev
+ GTS_LANDING_PAGE_USER: alpha
+ GTS_DB_TYPE: sqlite
+ GTS_DB_ADDRESS: /gotosocial/storage/sqlite.db
+ GTS_OIDC_ENABLED: "true"
+ GTS_OIDC_IDP_NAME: "Authelia"
+ GTS_OIDC_ISSUER: https://auth.kejadlen.dev
+ GTS_OIDC_CLIENT_ID: gotosocial
+ GTS_OIDC_CLIENT_SECRET: "{{ gotosocial.oidc_client_secret }}"
+ GTS_OIDC_ADMIN_GROUPS: admin
+ GTS_METRICS_ENABLED: "true"
+ GTS_METRICS_AUTH_ENABLED: "true"
+ GTS_METRICS_AUTH_USERNAME: "{{ prometheus.gotosocial.username }}"
+ GTS_METRICS_AUTH_PASSWORD: "{{ prometheus.gotosocial.password }}"
+ # GTS_ADVANCED_RATE_LIMIT_REQUESTS: "0"
+ TZ: UTC
+ volumes:
+ - /mnt/lotus-land-story/gotosocial/data:/gotosocial/storage
+ networks:
+ - name: lotus_land_story
+
+ handlers:
+ - name: Import restarts
+ ansible.builtin.import_tasks: restarts.yml
+
+# vim: ft=yaml.ansible
diff --git a/lotus-land-story/main.yml b/lotus-land-story/main.yml
index 3d1afcd..78da324 100644
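Review bot: The container image is referenced by the mutable `snapshot` tag (through `version`) and the `community.docker.docker_container` task sets no `pull:` option, so after the first run the host silently keeps whatever digest happened to be pulled, while the reference itself can never be checked against a known build; once the import/export functionality lands, pin a release tag or a digest (`image: superseriousbusiness/gotosocial@sha256:<digest>`, placeholder) and only then consider `pull: true`. `restart: true` forces a restart of the container on every playbook run regardless of changes, which appears to be what the imported `restarts.yml` handler already exists for — dropping it keeps the task idempotent. `GTS_OIDC_ADMIN_GROUPS: admin` must match the group name in the Authelia users database (this commit renames `admins` to `admin` there); a comment such as `# must match the group name in templates/authelia_users_database.yml` would record that coupling. The OIDC client secret and the metrics credentials are passed as container environment variables, so they are readable through the container metadata by anyone with access to the Docker socket — acceptable on a single-admin host, but worth a comment so a later reader does not assume they are confined to the vault.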
--- a/lotus-land-story/main.yml +++ b/lotus-land-story/main.yml @@ -100,6 +100,7 @@ - import_playbook: grafana.yml # noqa: name[play] - import_playbook: loki.yml # noqa: name[play] - import_playbook: miniflux.yml # noqa: name[play] +- import_playbook: gotosocial.yml # noqa: name[play] - import_playbook: caddy.yml # noqa: name[play] diff --git a/lotus-land-story/templates/Caddyfile b/lotus-land-story/templates/Caddyfile index 675f3a0..2a8af5b 100644 --- a/lotus-land-story/templates/Caddyfile +++ b/lotus-land-story/templates/Caddyfile @@ -137,4 +137,12 @@ logs.{{ domain }} { reverse_proxy parseable:8000 } +hey.kejadlen.dev + reverse_proxy gotosocial:8080 + + handle /metrics { + respond 404 + } +} + # vim: ts=4 diff --git a/lotus-land-story/templates/authelia_configuration.yml b/lotus-land-story/templates/authelia_configuration.yml index cc98e63..ab277b9 100644 --- a/lotus-land-story/templates/authelia_configuration.yml +++ b/lotus-land-story/templates/authelia_configuration.yml @@ -62,6 +62,8 @@ identity_providers: {{ authelia.oidc_private_key | indent(10) }} clients: + # https://www.authelia.com/reference/guides/generating-secure-values/#generating-a-random-password-hash + - client_id: grafana client_name: Grafana client_secret: $argon2id$v=19$m=65536,t=3,p=4$bHcAAorVdHuZzuz53WfAQA$x+pIDTo6SsGyY9JD4OZ7dT6pkEcPf8Yh6Yb7DXco8aQ @@ -105,3 +107,15 @@ identity_providers: - openid - email - profile + + - client_id: gotosocial + client_name: GoToSocial + client_secret: $argon2id$v=19$m=65536,t=3,p=4$4fkP2O3FYs26yKH/3WLuvQ$JHkaAA+b752/v7rtyhEzGwGutpSZR+7PSmz8psFb8BM + public: false + redirect_uris: + - https://hey.kejadlen.dev/auth/callback + scopes: + - openid + - email + - profile + - groups diff --git a/lotus-land-story/templates/authelia_users_database.yml b/lotus-land-story/templates/authelia_users_database.yml index c45394b..1d4f838 100644 --- a/lotus-land-story/templates/authelia_users_database.yml +++ b/lotus-land-story/templates/authelia_users_database.yml 
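Review bot: The new site block `hey.kejadlen.dev` appears to be missing its opening brace — every other site block in this template opens with `name {`, and the added block closes with `}` twice (once for `handle`, once for the site), so as written Caddy would most likely reject the Caddyfile; the line should read `hey.kejadlen.dev {` unless the brace was lost in how this diff was captured. The `handle /metrics { respond 404 }` block matches only that exact path, so it is defense in depth rather than the access control itself; the real control is `GTS_METRICS_AUTH_ENABLED` with the basic-auth credentials in the playbook, and a comment above the block, `# metrics are scraped by Prometheus over the internal network only`, would make that division of responsibility explicit.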
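Review bot: The new `gotosocial` client carries no explicit `authorization_policy`, so it inherits Authelia's default policy; since membership reported in the `groups` claim is what grants GoToSocial admin rights (`GTS_OIDC_ADMIN_GROUPS: admin` in the playbook), stating the policy explicitly, e.g. `authorization_policy: two_factor`, documents that this client is expected to require the stronger factor rather than relying on whatever the default happens to be. The `groups` scope is correctly added for that mapping; a comment above the client such as `# groups scope is required so GTS_OIDC_ADMIN_GROUPS can map admin` would tie the two files together for the next reader. The grafana client visible in the context lines may deserve the same explicit policy, but its full definition is outside this hunk.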
@@ -5,7 +5,7 @@ users: password: "$argon2id$v=19$m=65536,t=3,p=4$JHtyy/vVD+37neJUjy5Shw$6GODmDOXW/v7cfhqwuEp30bVSCWLT5R3OEe/Gi5FGX0" # yamllint disable-line rule:line-length email: alpha@kejadlen.dev groups: - - admins + - admin - family lydia: disabled: false diff --git a/lotus-land-story/templates/prometheus.yml b/lotus-land-story/templates/prometheus.yml index 87dbff4..dd5740b 100644 --- a/lotus-land-story/templates/prometheus.yml +++ b/lotus-land-story/templates/prometheus.yml @@ -70,4 +70,11 @@ scrape_configs: static_configs: - targets: ['paperless-ngx:5555'] -# vim: ft=yaml.ansible + - job_name: gotosocial + metrics_path: /metrics + scheme: http + basic_auth: + username: {{ prometheus.gotosocial.username }} + password: {{ prometheus.gotosocial.password }} + static_configs: + - targets: ['gotosocial:8080']
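Review bot: `username: {{ prometheus.gotosocial.username }}` and `password: {{ prometheus.gotosocial.password }}` are rendered unquoted, so any value containing `#`, `: `, a leading YAML special character, or a boolean- or number-looking string breaks or retypes the generated prometheus.yml; quote them as the playbook already does, `password: "{{ prometheus.gotosocial.password }}"`. The scrape uses `scheme: http` together with `basic_auth`, so the credential crosses the Docker network in the clear; that is the same trust boundary Caddy's `reverse_proxy gotosocial:8080` relies on, but it means the metrics password only adds protection if `lotus_land_story` is not shared with untrusted containers, which is worth a one-line comment above `basic_auth`. The hunk also removes the `# vim: ft=yaml.ansible` modeline that the new gotosocial.yml keeps, which looks accidental.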