diff --git a/contributors.nix b/contributors.nix index 22c28b6..95d4e59 100644 --- a/contributors.nix +++ b/contributors.nix @@ -8,7 +8,6 @@ contact = { displayName = "Burrow"; canonicalEmail = "contact@burrow.net"; - sourceEmail = "net.burrow@gmail.com"; isAdmin = true; forgeAuthorized = true; bootstrapAuthentik = true; @@ -22,7 +21,6 @@ conrad = { displayName = "Conrad Kramer"; canonicalEmail = "conrad@burrow.net"; - sourceEmail = "ckrames1234@gmail.com"; isAdmin = true; forgeAuthorized = false; bootstrapAuthentik = true; @@ -32,6 +30,29 @@ ]; }; + jett = { + displayName = "Jett"; + canonicalEmail = "jett@burrow.net"; + isAdmin = true; + forgeAuthorized = false; + bootstrapAuthentik = true; + roles = [ + "member" + ]; + }; + + davnotdev = { + displayName = "David"; + canonicalEmail = "davnotdev@burrow.net"; + isAdmin = true; + forgeAuthorized = false; + bootstrapAuthentik = true; + roles = [ + "member" + "operator" + ]; + }; + agent = { displayName = "Burrow Agent"; canonicalEmail = "agent@burrow.net"; diff --git a/nixos/hosts/burrow-forge/default.nix b/nixos/hosts/burrow-forge/default.nix index bf6330f..497d40e 100644 --- a/nixos/hosts/burrow-forge/default.nix +++ b/nixos/hosts/burrow-forge/default.nix @@ -13,7 +13,6 @@ let inherit username; name = identity.displayName; email = identity.canonicalEmail; - sourceEmail = identity.sourceEmail or null; isAdmin = identity.isAdmin or false; passwordFile = authentikPasswordSecretPath identity; } @@ -85,6 +84,12 @@ in group = "root"; mode = "0400"; }; + age.secrets.burrowAuthentikGoogleAccountMap = { + file = ../../../secrets/infra/authentik-google-account-map.json.age; + owner = "root"; + group = "root"; + mode = "0400"; + }; age.secrets.burrowAuthentikUiTestPassword = { file = ../../../secrets/infra/authentik-ui-test-password.age; owner = "root"; 
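Review bot: Dropping `sourceEmail` from the bootstrap user record in the nixos/hosts/burrow-forge/default.nix `let` hunk leaves the fallback branch in nixos/modules/burrow-authentik.nix (hunk @@ -501) reading `user.sourceEmail` for every entry of cfg.bootstrapUsers, and that `builtins.toJSON` interpolation is evaluated at Nix evaluation time regardless of which branch the generated shell `if` later takes. Unless the bootstrapUsers option declares `sourceEmail` with a null default (not visible in this diff), evaluating the host will fail with a missing-attribute error as soon as any record lacks the key. Making the filter tolerant, `}) (lib.filter (user: (user.sourceEmail or null) != null) cfg.bootstrapUsers))}'`, keeps the fallback usable for records that still carry the field and yields an empty list otherwise. The `let` binding this hunk edits starts and ends outside the hunk.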
@@ -158,6 +163,7 @@ in tailscaleClientSecretFile = config.age.secrets.burrowTailscaleOidcClientSecret.path; googleClientIDFile = config.age.secrets.burrowAuthentikGoogleClientId.path; googleClientSecretFile = config.age.secrets.burrowAuthentikGoogleClientSecret.path; + googleAccountMapFile = config.age.secrets.burrowAuthentikGoogleAccountMap.path; googleLoginMode = "redirect"; userGroupName = contributors.groups.users; adminGroupName = contributors.groups.admins; diff --git a/nixos/modules/burrow-authentik.nix b/nixos/modules/burrow-authentik.nix index 1616b36..2fa83da 100644 --- a/nixos/modules/burrow-authentik.nix +++ b/nixos/modules/burrow-authentik.nix @@ -180,6 +180,12 @@ in description = "Host-local file containing the Google OAuth client secret for the Authentik source."; }; + googleAccountMapFile = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = "Optional host-local JSON file mapping external Google accounts onto Burrow Authentik users."; + }; + googleSourceSlug = lib.mkOption { type = lib.types.str; default = "google"; @@ -477,7 +483,7 @@ EOF cfg.envFile cfg.googleClientIDFile cfg.googleClientSecretFile - ]; + ] ++ lib.optional (cfg.googleAccountMapFile != null) cfg.googleAccountMapFile; path = [ pkgs.bash pkgs.coreutils 
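Review bot: The new `googleAccountMapFile` option in nixos/modules/burrow-authentik.nix does not say what the file must contain, while the consumer later in the same module builds its fallback as a JSON list of objects with `source_email`, `username`, `email` and `name` keys, so the two have to agree and the contract is currently only discoverable by reading the script. Suggest extending the description: `description = "Optional host-local JSON file mapping external Google accounts onto Burrow Authentik users; a JSON list of objects with source_email, username, email and name keys, the same shape as the bootstrapUsers-derived fallback.";`. It would also help to state that the file is read whole at service start and exported into the service environment, since that is what the `tr -d '\n' <` read implies and it affects where the mapping is visible on the host.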
@@ -501,12 +507,16 @@ EOF export AUTHENTIK_GOOGLE_USER_MATCHING_MODE=email_link export AUTHENTIK_GOOGLE_CLIENT_ID="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.googleClientIDFile})" export AUTHENTIK_GOOGLE_CLIENT_SECRET="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.googleClientSecretFile})" - export AUTHENTIK_GOOGLE_ACCOUNT_MAP_JSON='${builtins.toJSON (map (user: { - source_email = user.sourceEmail; - username = user.username; - email = user.email; - name = user.name; - }) (lib.filter (user: user.sourceEmail != null) cfg.bootstrapUsers))}' + if [ -n ${lib.escapeShellArg (cfg.googleAccountMapFile or "")} ]; then + export AUTHENTIK_GOOGLE_ACCOUNT_MAP_JSON="$(tr -d '\n' < ${lib.escapeShellArg (cfg.googleAccountMapFile or "/dev/null")})" + else + export AUTHENTIK_GOOGLE_ACCOUNT_MAP_JSON='${builtins.toJSON (map (user: { + source_email = user.sourceEmail; + username = user.username; + email = user.email; + name = user.name; + }) (lib.filter (user: user.sourceEmail != null) cfg.bootstrapUsers))}' + fi ${pkgs.bash}/bin/bash ${googleSourceSyncScript} ''; diff --git a/secrets.nix b/secrets.nix index a8fb923..e3fd9a2 100644 --- a/secrets.nix +++ b/secrets.nix @@ -14,6 +14,7 @@ in "secrets/infra/authentik.env.age".publicKeys = burrowForgeRecipients; "secrets/infra/authentik-google-client-id.age".publicKeys = burrowForgeRecipients; "secrets/infra/authentik-google-client-secret.age".publicKeys = burrowForgeRecipients; + "secrets/infra/authentik-google-account-map.json.age".publicKeys = burrowForgeRecipients; "secrets/infra/authentik-ui-test-password.age".publicKeys = uiTestRecipients; "secrets/infra/forgejo-oidc-client-secret.age".publicKeys = burrowForgeRecipients; "secrets/infra/forgejo-nsc-autoscaler-config.age".publicKeys = burrowForgeRecipients; 
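Review bot: In the new `if`/`else` around AUTHENTIK_GOOGLE_ACCOUNT_MAP_JSON the `cfg.googleAccountMapFile or ""` and `or "/dev/null"` fallbacks never apply: `or` only covers a missing attribute, and the option is declared with `default = null`, so the value is null and the `[ -n ... ]` test only works because `lib.escapeShellArg` stringifies null to `''`. The decision depends on a value fixed at evaluation time, so it can be a Nix conditional instead of a runtime shell test, which removes the misleading defaults and the dead `/dev/null` path. The fallback branch also still splices the JSON between bare single quotes, which breaks if any display name contains `'`; passing the JSON through `lib.escapeShellArg` handles that. The `tr -d '\n'` differs from the `'\r\n'` used on the two lines above; if CRLF-edited secrets are possible the map read should match them. The enclosing script string starts and ends outside the hunk.
```nix
# … unchanged: AUTHENTIK_GOOGLE_CLIENT_SECRET export …
export AUTHENTIK_GOOGLE_ACCOUNT_MAP_JSON=${
  if cfg.googleAccountMapFile != null then
    ''"$(tr -d '\n' < ${lib.escapeShellArg cfg.googleAccountMapFile})"''
  else
    lib.escapeShellArg (builtins.toJSON (map (user: {
      source_email = user.sourceEmail;
      username = user.username;
      email = user.email;
      name = user.name;
    }) (lib.filter (user: user.sourceEmail != null) cfg.bootstrapUsers)))
}
# … unchanged: googleSourceSyncScript invocation …
```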
diff --git a/secrets/infra/authentik-google-account-map.json.age b/secrets/infra/authentik-google-account-map.json.age new file mode 100644 index 0000000..b3cb6f8 Binary files /dev/null and b/secrets/infra/authentik-google-account-map.json.age differ