diff --git a/system/hosts/mcp/containers/pocket-id.nix b/system/hosts/mcp/containers/pocket-id.nix
index 9286c4d..432c6a7 100644
--- a/system/hosts/mcp/containers/pocket-id.nix
+++ b/system/hosts/mcp/containers/pocket-id.nix
@@ -2,6 +2,13 @@
 let
 inherit (import ./lib.nix config) mkContainer blazestar;
 userIds = import ./user-ids.nix;
+ # The default is to run on port 80, which the pocket-id user cannot bind to.
+ # We need a different port to be able to serve traffic.
+ # The following ports in the container are already taken:
+ # - 8080: API
+ # - 3000: Web UI
+ # - 2019: Admin endpoint
+ port = 8888;
 in
 {
 users.groups.pocket-id = {
@@ -19,7 +26,7 @@ in
 image = "ghcr.io/pocket-id/pocket-id";
 dependsOn = [];
 hostName = "auth";
- port = 3000;
+ port = port;
 public = false;
 domain = blazestar;
 homepageOpts = {
@@ -34,7 +41,10 @@ in
 environment = {
 PUBLIC_APP_URL = "https://auth.${blazestar}";
 # Whether the app is behind a reverse proxy.
- TRUST_PROXY = "true";
+ TRUST_PROXY = "false";
+ CADDY_PORT = toString port;
+ # PORT = "3000"; # Frontend port
+ # BACKEND_PORT = "8080"; # Backend port
 PUID = toString userIds.pocket-id.uid;
 PGID = toString userIds.pocket-id.gid;
 };
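Review bot: The comment above `port = 8888;` says "the default is to run on port 80" without naming what listens there. Judging by the `CADDY_PORT` setting added further down, it is presumably the Caddy instance inside the image. I would state that in the comment, e.g. `# Caddy inside the image listens on port 80 by default, which the pocket-id user cannot bind to.`, and name the binding `caddyPort` so it is not confused with the `port` attribute passed to mkContainer. The attribute set opened after `in` continues outside this hunk.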
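Review bot: `port = port;` is the self-assignment that Nix's `inherit` exists to replace; `inherit port;` is the idiomatic form and avoids the impression of a typo. The forwarded port also moves from 3000 (the Web UI, per the comment in the `let` block) to the Caddy port, so the host now reaches the service through the in-container proxy. A short comment such as `# Caddy port; fronts both the UI (3000) and the API (8080)` would make that visible at the call site. The mkContainer call starts and ends outside this hunk.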
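Review bot: `TRUST_PROXY` is flipped to `"false"` with no stated reason, and the unchanged comment above it ("Whether the app is behind a reverse proxy.") now reads as if the service were not proxied. `PUBLIC_APP_URL` is an https URL on `auth.${blazestar}`, so the container presumably still sits behind a TLS-terminating proxy. If so, forwarded client-address headers are likely ignored, and this identity provider's sign-in audit log and any per-address limits would record the proxy's address for every request. If the change is deliberate, for instance because the proxy is not the only path to the container, the comment should say so, e.g. `# Forwarded headers are not trusted: <reason>`. The commented-out `PORT` and `BACKEND_PORT` lines repeat what the comment at the `port` binding already records and could be dropped; the `environment` set is complete here, but the enclosing mkContainer call is not.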