diff --git a/flux/cluster/apps/authentik/helm.yaml b/flux/cluster/apps/authentik/helm.yaml
new file mode 100644
index 0000000..ccad170
--- /dev/null
+++ b/flux/cluster/apps/authentik/helm.yaml
@@ -0,0 +1,46 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: authentik
+  namespace: authentik
+spec:
+  interval: 1m0s
+  chart: 
+    spec:
+      # renovate: registryUrl=https://charts.goauthentik.io
+      chart: authentik
+      version: 2022.4.3
+      sourceRef:
+        kind: HelmRepository
+        name: authentik-charts
+        namespace: flux-system
+      interval: 5m
+  valuesFrom:
+    - kind: Secret
+      name: authentik
+      valuesKey: secret_key
+      targetPath: authentik.secret_key
+      optional: false
+  values:
+    image:
+      repository: ghcr.io/goauthentik/server
+      tag: 2022.5.1
+    authentik:
+      error_reporting:
+        enabled: true
+      postgresql:
+        host: "postgres.lxd"
+        name: "authentik"
+        user: "authentik"
+    redis:
+      enabled: true
+      architecture: standalone
+      auth:
+        enabled: false
+    ingress:
+      enabled: true
+      hosts:
+        - host: auth.asraphiel.dev
+          paths:
+            - path: "/"
+              pathType: Prefix
diff --git a/flux/cluster/apps/authentik/kustomization.yaml b/flux/cluster/apps/authentik/kustomization.yaml
new file mode 100644
index 0000000..8b77d3a
--- /dev/null
+++ b/flux/cluster/apps/authentik/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - helm.yaml
diff --git a/flux/cluster/apps/authentik/secret.yaml b/flux/cluster/apps/authentik/secret.yaml
new file mode 100644
index 0000000..74b736e
--- /dev/null
+++ b/flux/cluster/apps/authentik/secret.yaml
@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: authentik
+  namespace: authentik
+spec:
+  refreshInterval: "5m"
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: authentik
+  data:
+  - secretKey: secret_key
+    remoteRef:
+      key: k8s/authentik
+      property: secret_key
diff --git a/flux/cluster/apps/kustomization.yaml b/flux/cluster/apps/kustomization.yaml
index 4a17495..745fc3a 100644
--- a/flux/cluster/apps/kustomization.yaml
+++ b/flux/cluster/apps/kustomization.yaml
@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - test
+  - authentik
diff --git a/flux/cluster/base/flux-system/charts/authentik-charts.yaml b/flux/cluster/base/flux-system/charts/authentik-charts.yaml
new file mode 100644
index 0000000..f02d972
--- /dev/null
+++ b/flux/cluster/base/flux-system/charts/authentik-charts.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: authentik-charts
+  namespace: flux-system
+spec:
+  interval: 15m
+  url: https://charts.goauthentik.io
\ No newline at end of file
diff --git a/flux/cluster/base/flux-system/charts/kustomization.yaml b/flux/cluster/base/flux-system/charts/kustomization.yaml
index fe3979e..6a3062a 100644
--- a/flux/cluster/base/flux-system/charts/kustomization.yaml
+++ b/flux/cluster/base/flux-system/charts/kustomization.yaml
@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - external-secrets-charts.yaml
+  - authentik-charts.yaml
diff --git a/flux/cluster/core/namespaces/authentik.yaml b/flux/cluster/core/namespaces/authentik.yaml
new file mode 100644
index 0000000..a4d744e
--- /dev/null
+++ b/flux/cluster/core/namespaces/authentik.yaml
@@ -0,0 +1,6 @@
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: authentik
+  labels:
+    name: authentik
\ No newline at end of file
diff --git a/flux/cluster/core/namespaces/kustomization.yaml b/flux/cluster/core/namespaces/kustomization.yaml
index 4030537..a060c4f 100644
--- a/flux/cluster/core/namespaces/kustomization.yaml
+++ b/flux/cluster/core/namespaces/kustomization.yaml
@@ -3,3 +3,4 @@ kind: Kustomization
 resources:
   - test-name.yaml
   - external-secrets.yaml
+  - authentik.yaml
diff --git a/nixos/machines/nginx/default.nix b/nixos/machines/nginx/default.nix
index 7020da0..2331d91 100644
--- a/nixos/machines/nginx/default.nix
+++ b/nixos/machines/nginx/default.nix
@@ -50,6 +50,7 @@ in {
     virtualHosts."registry.asraphiel.dev" = proxy "http://registry.lxd:5000/";
     virtualHosts."vaultwarden.asraphiel.dev" = proxy "http://vaultwarden.lxd:8000/";
     virtualHosts."whoami.asraphiel.dev" = k8sProxy;
+    virtualHosts."auth.asraphiel.dev" = k8sProxy;
   };
   security.acme.email = "acme@voidcorp.nl";
   security.acme.acceptTerms = true;
diff --git a/nixos/machines/postgres/default.nix b/nixos/machines/postgres/default.nix
index 157ddb5..bb627c0 100644
--- a/nixos/machines/postgres/default.nix
+++ b/nixos/machines/postgres/default.nix
@@ -17,7 +17,7 @@
       host all all 10.0.0.0/8 trust
       host all all fd42:8db7:2e6b:8e9b:216:3eff::/96 trust
     '';
-    ensureDatabases = [ "gitea" "vault" "vaultwarden" ];
+    ensureDatabases = [ "gitea" "vault" "vaultwarden" "authentik" ];
     ensureUsers = [
       {
         name = "gitea";
@@ -32,6 +32,10 @@
         name = "vaultwarden";
         ensurePermissions = { "DATABASE \"vaultwarden\"" = "ALL PRIVILEGES"; };
       }
+      {
+        name = "authentik";
+        ensurePermissions = { "DATABASE \"authentik\"" = "ALL PRIVILEGES"; };
+      }
     ];
 
     enableTCPIP = true;