diff --git a/cluster/apps/data/pgbackups/deployment.yaml b/cluster/apps/data/pgbackups/deployment.yaml
index cf43a3556..070eb13ba 100644
--- a/cluster/apps/data/pgbackups/deployment.yaml
+++ b/cluster/apps/data/pgbackups/deployment.yaml
@@ -29,7 +29,7 @@ spec:
 - name: POSTGRES_HOST
 value: postgresql-kube.data.svc.cluster.local.
 - name: POSTGRES_DB
- value: authelia,drone,freshrss,gitea,hass,healthchecks,joplin,lychee,postgres,recipes,sharry,vaultwarden,vikunja,wallabag
+ value: authelia,authentik,drone,freshrss,gitea,hass,healthchecks,joplin,lychee,postgres,recipes,sharry,vaultwarden,vikunja,wallabag
 - name: POSTGRES_USER
 value: postgres
 - name: POSTGRES_PASSWORD
diff --git a/cluster/apps/networking/authentik/helm-release.yaml b/cluster/apps/networking/authentik/helm-release.yaml
new file mode 100644
index 000000000..a28fdb1aa
--- /dev/null
+++ b/cluster/apps/networking/authentik/helm-release.yaml
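Review bot: Adding `authentik` to the POSTGRES_DB list assumes that database already exists on postgresql-kube, but nothing in this commit creates the `authentik` database or the `authentik` role that the new HelmRelease's `postgresql:` block (`name: authentik`, `user: authentik`) connects with. Unless they are provisioned elsewhere (for example by the postgresql-kube release's own init configuration, which is not in this diff), the backup run will presumably error on the missing database and the app will fail to connect on first start. A one-line comment on this value naming where the databases are created, e.g. `# each database below must exist on postgresql-kube before it is listed here`, would make the ordering dependency explicit.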
@@ -0,0 +1,64 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: authentik
+ namespace: networking
+spec:
+ interval: 5m
+ chart:
+ spec:
+ # renovate: registryUrl=https://goauthentik.github.io/helm
+ chart: authentik
+ version: 1.1.0
+ sourceRef:
+ kind: HelmRepository
+ name: authentik-charts
+ namespace: flux-system
+ interval: 5m
+ values:
+ image:
+ repository: ghcr.io/goauthentik/server
+ tag: 2021.7.3
+
+ ingress:
+ enabled: true
+ ingressClassName: "nginx"
+ hosts:
+ - host: id.${SECRET_CLUSTER_DOMAIN}
+ paths:
+ - path: /
+ tls:
+ - hosts:
+ - id.${SECRET_CLUSTER_DOMAIN}
+
+ geoip:
+ enabled: false
+ authentik:
+ email:
+ host: smtp.fastmail.com
+ port: 587
+ username: ${SECRET_SMTP_USERNAME}
+ password: ${SECRET_AUTHENTIK_SMTP_PASSWORD}
+ use_ssl: true
+ from: authentik@${SECRET_CLUSTER_DOMAIN_ROOT}
+ secret_key: ${SECRET_AUTHENTIK_SECRET_KEY}
+ log_level: debug
+
+ outposts:
+ docker_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
+
+ postgresql:
+ host: postgresql-kube.data.svc.cluster.local.
+ name: authentik
+ user: authentik
+ password: ${SECRET_AUTHENTIK_POSTGRES_PASSWORD}
+ redis:
+ host: '{{ .Release.Name }}-redis-master'
+ password: ${SECRET_AUTHENTIK_REDIS_PASSWORD}
+
+ redis:
+ enabled: true
+ auth:
+ enabled: true
+ password: ${SECRET_AUTHENTIK_REDIS_PASSWORD}
diff --git a/cluster/apps/networking/authentik/kustomization.yaml b/cluster/apps/networking/authentik/kustomization.yaml
new file mode 100644
index 000000000..2fa2de20c
--- /dev/null
+++ b/cluster/apps/networking/authentik/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - helm-release.yaml
diff --git a/cluster/apps/networking/kustomization.yaml b/cluster/apps/networking/kustomization.yaml
index 6ca4c7399..e055bd585 100644
--- a/cluster/apps/networking/kustomization.yaml
+++ b/cluster/apps/networking/kustomization.yaml
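Review bot: `log_level: debug` under `authentik:` in the new helm-release.yaml ships the identity provider with debug logging on permanently; debug-level output from an authentication service typically carries per-request details (user identifiers, headers, session data) that should not sit in retained pod logs, so `log_level: info` is the safer steady-state value, with debug enabled only while troubleshooting. The email block also looks internally inconsistent: `port: 587` is conventionally the STARTTLS submission port while `use_ssl: true` selects implicit TLS, so if the provider follows that convention delivery will fail until this becomes `use_tls: true` (or the port becomes 465) — confirm against the mail provider's documentation. A smaller consistency point: the renovate hint `# renovate: registryUrl=https://goauthentik.github.io/helm` names a different index than the `url: https://charts.goauthentik.io` given to the HelmRepository in cluster/base-custom/charts/authentik-charts.yaml in this same commit; if the two are not the same index, the versions renovate proposes and the versions Flux can fetch will drift, so the hint should point at the HelmRepository url.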
@@ -1,8 +1,10 @@
+---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - namespace.yaml
 - authelia
+ - authentik
 - certificate
 - ingress-nginx
 - k8s-gateway
diff --git a/cluster/base-custom/charts/authentik-charts.yaml b/cluster/base-custom/charts/authentik-charts.yaml
new file mode 100644
index 000000000..68a6dced6
--- /dev/null
+++ b/cluster/base-custom/charts/authentik-charts.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+ name: authentik-charts
+ namespace: flux-system
+spec:
+ interval: 10m
+ url: https://charts.goauthentik.io
+ timeout: 3m
diff --git a/cluster/base-custom/charts/kustomization.yaml b/cluster/base-custom/charts/kustomization.yaml
index a07f37518..a3ea87547 100644
--- a/cluster/base-custom/charts/kustomization.yaml
+++ b/cluster/base-custom/charts/kustomization.yaml
@@ -2,6 +2,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+ - authentik-charts.yaml
 - bitnami-charts.yaml
 - cert-manager-webhook-ovh.yaml
 - drone-charts.yaml
diff --git a/cluster/base-custom/secrets/cluster-secrets.yaml b/cluster/base-custom/secrets/cluster-secrets.yaml
index e0a7e6215..9cac20601 100644
--- a/cluster/base-custom/secrets/cluster-secrets.yaml
+++ b/cluster/base-custom/secrets/cluster-secrets.yaml
@@ -18,6 +18,10 @@ stringData:
 SECRET_AUTHELIA_USER_HELENE_PASSWORD: ENC[AES256_GCM,data:dIV+8UnTXqTdd17OlULQsK/Sh+xjbYp+7vXRDhUHpFr5HLgmY1pXBTKDUUjvZWeOats1/hO6FaG0z4q0+jMpuNNQ6/g1H6WFGJZ7SoBSnPC2CUnXIkKIrq5HcJ2cFkp1RQko,iv:ENrB5JjmkGXsUtySXMhgsqM/lccvAavcO5HkXNbt6Ls=,tag:64iM/2kceVU7h5qmxgbflw==,type:str]
 SECRET_AUTHELIA_USER_VISITOR_EMAIL: ENC[AES256_GCM,data:+9qhqqYl7uE2CnhMibjnqutcDkP5WQ==,iv:rx1RIaBaGlKRrvDF43OM4UrwdSMd0IwM1t+6OpNB+Tk=,tag:i0ZxfkuOxYDZH/anW4kjsA==,type:str]
 SECRET_AUTHELIA_USER_VISITOR_PASSWORD: ENC[AES256_GCM,data:GdUNxFL899EyPdudAVBsgCPRyKhCG3W82M5eFOp0XPCLUtp25WRiptqNFs1N9cv0KbCxbPUGYeWAf21TFD5xpK733KwL+HOSPlIPZ7GJc3d4sDLNHYfYZOhzp5QWrM5MEv3L,iv:/HjzrV8EfxQ4cr/ZDfgKdafXm71+hR27vA25xefqHXI=,tag:GNj9GzhdM8Xxmmk35pb0/w==,type:str]
+ SECRET_AUTHENTIK_POSTGRES_PASSWORD: ENC[AES256_GCM,data:HkgSJ1q/VtaeHk0DL5MVbg==,iv:Wz//Xi487n9Djc5BxW6Beyz7+Kz1/ov2bEwqMDJeiWQ=,tag:7iSJmax3gt1Glcvm8TNUoA==,type:str]
+ SECRET_AUTHENTIK_REDIS_PASSWORD: ENC[AES256_GCM,data:yKUkTt7pT1sCVuF7hZRuRw==,iv:t+mtJEQeBoKw9s50TAcJgYtQePT+j9PrNsA8gtYwUQU=,tag:mHXzz/oaGXorm41qqUhvmA==,type:str]
+ SECRET_AUTHENTIK_SECRET_KEY: ENC[AES256_GCM,data:dxAkb3GLgLjq3WEcYqlntB3W9pLiJuwJNAqr4c8rK065DdC8UCKbuw==,iv:O8MT15TYXAS4OyimIDHhWjDaJE94m+d0GrMKlHOYMiY=,tag:Q9pjq6pcjlIgj1uICNS/Xg==,type:str]
+ SECRET_AUTHENTIK_SMTP_PASSWORD: ENC[AES256_GCM,data:3GG9ga/EuoQYdk0wl0wUcQ==,iv:X9cr9jpQObF9RkAPSf0M/CBve9YvWXrVdeu6RoIrtEo=,tag:AF+vgtirdBJ2AYzMi/fEqA==,type:str]
 SECRET_BOOKSTACK_DB_PASSWORD: ENC[AES256_GCM,data:i9Ky7+e2UHfh14EP9wus8Q==,iv:6grPFBXTg+Oj/jShYgpM84k65r6bKvXFg5b9St3PeTE=,tag:kEab7xSmieYtdeg0zAEyXg==,type:str]
 SECRET_BOOKSTACK_DB_ROOT_PASSWORD: ENC[AES256_GCM,data:4/o956Da0ckVLdxUqs1WWA==,iv:G8DddhYyMZKuGJyWnj+eOaNRiJm7oGetiIZlQgtRFEo=,tag:WX9+DDnA2UPm9nPRLYibXw==,type:str]
 SECRET_BOTKUBE_DISCORD_BOTID: ENC[AES256_GCM,data:bK1J9v+/Dajd9qrvz3lH49GY,iv:Hq6cY96Te1frwXVf3HC3qgOiaCZW2hHCqjVvvslUGFg=,tag:Dq0cUemHKfcdpx9hLkUekQ==,type:str]
@@ -88,8 +92,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2021-07-27T08:52:35Z"
- mac: ENC[AES256_GCM,data:wEB0cjZN5def3YJkJMDiQk3yWCuYBQV8ahA5oIn3UKSQPSOeyeXdXr1FPIZojPi4J/EueZSE5YNhVydeQ8GYgT+uc8N6sVl9ysrpNwSnpEHjkR266lZiST5t3k8BPEb80jQ4OjLK8ZzTvdLY5bc3eYRVpStlhqGihx7Qjv9j+/8=,iv:QqHKL4DRUnKHUIlZR5M7A0GXG9HT1JocfkUIlFHYFnM=,tag:6bvjVJFyhoZUTWs4FSnQ+A==,type:str]
+ lastmodified: "2021-08-05T23:52:05Z"
+ mac: ENC[AES256_GCM,data:wutzizSzG2/pdjFEYeTCpRYjsB7XgLdyOkfVlKkuhcmOw/l22hk3hLpytCdjNHLRQ5wFrEtXhfLNdXkvfPX17FJ+Sp5em/87jXG7z12FeM8FQBmmBth0+6k5pGgcb5ECBVvmp7Jv1Nk9/x/KN51bfy4INp7azK9OhzdvIdd9s/U=,iv:LnWgssuwz/zn+JS8LGzmODJhvMsygYzlsCJ6EIG9al0=,tag:wb6sHKa5hp/4lhi0L9jkOQ==,type:str]
 pgp:
 - created_at: "2021-07-17T21:14:34Z"
 enc: |