diff --git a/provision.sh b/provision.sh
new file mode 100755
index 0000000..d1518ba
--- /dev/null
+++ b/provision.sh
@@ -0,0 +1 @@
+ANSIBLE_VAULT_PASSWORD_FILE=(pass show ansible-homelab | psub) vagrant provision
\ No newline at end of file
diff --git a/roles/authelia/templates/authelia.conf.j2 b/roles/authelia/templates/authelia.conf.j2
index 463c3dc..c8cb9d2 100644
--- a/roles/authelia/templates/authelia.conf.j2
+++ b/roles/authelia/templates/authelia.conf.j2
@@ -1,5 +1,6 @@
 server {
     listen 80;
+    server_name auth.{{ base_domain }};
     return 301 https://$host$request_uri;
 }
 
diff --git a/roles/authelia/templates/configuration.yml.j2 b/roles/authelia/templates/configuration.yml.j2
index fbd72a0..0c7d6d4 100644
--- a/roles/authelia/templates/configuration.yml.j2
+++ b/roles/authelia/templates/configuration.yml.j2
@@ -28,8 +28,10 @@ access_control:
   default_policy: deny
   rules:
     - domain:
+      - "{{ base_domain }}"
+      - "*.{{ base_domain }}"
       - "keycloak.{{ base_domain }}"
-      policy: one_factor
+      policy: deny
 session:
   name: authelia_session
   secret: somerandomsecret
diff --git a/roles/nginx/templates/snippets/proxy.conf.j2 b/roles/nginx/templates/snippets/proxy.conf.j2
index 26461f5..329c492 100644
--- a/roles/nginx/templates/snippets/proxy.conf.j2
+++ b/roles/nginx/templates/snippets/proxy.conf.j2
@@ -27,6 +27,9 @@ proxy_buffers 64 256k;
 # If behind reverse proxy, forwards the correct IP
 set_real_ip_from 10.0.0.0/8;
 set_real_ip_from 172.16.0.0/12;
+set_real_ip_from 172.17.0.0/16;
+set_real_ip_from 172.18.0.0/16;
+set_real_ip_from 172.19.0.0/16;
 set_real_ip_from 192.168.0.0/16;
 set_real_ip_from fc00::/7;
 real_ip_header X-Forwarded-For;