diff --git a/apps/authentik/authentik-postgres-credentials.yaml b/apps/authentik/authentik-postgres-credentials.yaml
new file mode 100644
index 0000000..448afed
--- /dev/null
+++ b/apps/authentik/authentik-postgres-credentials.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: authentik-postgres-credentials
+ namespace: authentik
+spec:
+ encryptedData:
+ password: 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
+ username: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: authentik-postgres-credentials
+ namespace: authentik
diff --git a/apps/authentik/authentik-secret-key.yaml b/apps/authentik/authentik-secret-key.yaml
new file mode 100644
index 0000000..7f344bf
--- /dev/null
+++ b/apps/authentik/authentik-secret-key.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: authentik-secret-key
+ namespace: authentik
+spec:
+ encryptedData:
+ key: AgBFtfb2z4mTpz8kLeTZVYCk3KnU+1VF5Z7eW9Her7qd8kEsArsDbhv8txIxGrwVU8aib861X4QcjO5Vh3YjsT+raV2LaVMFjXNr/SzY391gRFiGQp0BpCOIuGrfhV/yVhWcGIJbSMPb4wQVBp55u/I/lTVrUprofj9ubbMDxIkUp/tpi/8s1FxNlcUmpQq/uCWfTpoBy50IWUvWEGEf2u1HejUNwp1iAlgS0jTXgZcKJeLoJCx7dyFWRdrpb9lBO3J7+YWAR4JTjIkOVT29YXaeJRt+kRLeW3TrR5MHamygpNzxi45nRvrK6ACE+39CZX/iMig0teneQXRY2JCUDTZ7mEsVLrQwb6R0TFRBGr41KxODixH5+S2ph/0VOtMoiwMDM3helRX6wVBBTUw8j118BeYebpNmpObSccK0m0v5lPJwucJde9P/pdi50DPUOenScxYaBOexOoA08W/B00sT4s1ODbPVRX+2KqGEe0sck+A3YsySORViwJOOKQUPwh3+NEiwQzCsAvvvLIvEqhYrRYutvl39TCe3TWQbAwAYkfYW7ZhsPW2DM6lwBTaDDedvpBJek2bBLPMNyWkRMQyubvj5f2X5aFCzKeUARUjYTwk2AZR1Yei6bhDrb8kuC51tCgDou1jigg9scdiE34h31MWFuh2lFTQFVDojB6c/VtoUKHHVJFY7pGWi2odlzAwqKqv6YK7NwD9vrGFLrqlSECvbY+2lIq/KfL7Xik4h9Iu6Se979+sGu5PeSJT1elQa1g==
+ template:
+ metadata:
+ creationTimestamp: null
+ name: authentik-secret-key
+ namespace: authentik
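Review bot: Both new SealedSecret documents carry `creationTimestamp: null` on `metadata` and again on `spec.template.metadata`; that is kubeseal's serialisation of an unset field rather than configuration, and dropping those two lines from each file leaves the sealed payload untouched while keeping future diffs quiet. The same applies to the `authentik-secret-key` hunk that follows. Since a sealed secret under the default strict scope is bound to its name and namespace (assuming no scope annotation was used when sealing), a later rename of either object means re-sealing, not editing the metadata, which is worth a one-line comment above `encryptedData:` such as `# ciphertext is bound to name+namespace; re-seal rather than rename`. These two files are also the only ones in the change that open with `---`; either form is valid, but the rest of the directory is consistent without it.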
diff --git a/apps/authentik/cluster.yaml b/apps/authentik/cluster.yaml
new file mode 100644
index 0000000..831531a
--- /dev/null
+++ b/apps/authentik/cluster.yaml
@@ -0,0 +1,24 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: authentik-postgres
+ namespace: authentik
+spec:
+ instances: 3
+
+ managed:
+ roles:
+ - name: authentik
+ superuser: true
+ login: true
+
+ bootstrap:
+ initdb:
+ database: authentik
+ owner: authentik
+ secret:
+ name: authentik-postgres-credentials
+
+ storage:
+ size: 8Gi
+ storageClass: longhorn-pg
diff --git a/apps/keycloak/dns-endpoint.yaml b/apps/authentik/dns-endpoint.yaml
similarity index 73%
rename from apps/keycloak/dns-endpoint.yaml
rename to apps/authentik/dns-endpoint.yaml
index 30af113..4b2f79f 100644
--- a/apps/keycloak/dns-endpoint.yaml
+++ b/apps/authentik/dns-endpoint.yaml
@@ -1,11 +1,11 @@
 apiVersion: externaldns.k8s.io/v1alpha1
 kind: DNSEndpoint
 metadata:
- name: keycloak.michaelthomson.dev
- namespace: keycloak
+ name: authentik.michaelthomson.dev
+ namespace: authentik
 spec:
 endpoints:
- - dnsName: keycloak.michaelthomson.dev
+ - dnsName: authentik.michaelthomson.dev
 recordTTL: 180
 recordType: CNAME
 targets:
diff --git a/apps/keycloak/namespace.yaml b/apps/authentik/namespace.yaml
similarity index 69%
rename from apps/keycloak/namespace.yaml
rename to apps/authentik/namespace.yaml
index 80e7888..bb24d8d 100644
--- a/apps/keycloak/namespace.yaml
+++ b/apps/authentik/namespace.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
- name: keycloak
+ name: authentik
diff --git a/apps/authentik/release.yaml b/apps/authentik/release.yaml
new file mode 100644
index 0000000..4df3d8a
--- /dev/null
+++ b/apps/authentik/release.yaml
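Review bot: `managed.roles[0]` in the new `cluster.yaml` grants the `authentik` application role `superuser: true`, which it does not need: the same role is already made owner of the `authentik` database through `bootstrap.initdb.owner`, and superuser lets the application bypass every privilege check in the instance, so drop the `superuser: true` line or set it to `false`. The managed role also declares no `passwordSecret`; from the hunk it looks like the password is meant to come from `initdb.secret` at bootstrap only, which deserves a comment such as `# password is set once from bootstrap.initdb.secret; the managed role does not manage it` so a later edit does not silently diverge. No backup, `resources` or `postgresql.parameters` stanza is visible for the three-instance cluster; presumably deliberate, but a short comment stating that would help the next reader.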
@@ -0,0 +1,60 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: authentik
+ namespace: authentik
+spec:
+ chart:
+ spec:
+ chart: authentik
+ version: 2025.6.1
+ sourceRef:
+ kind: HelmRepository
+ name: authentik
+ interval: 15m
+ releaseName: immich
+ values:
+ authentik:
+ secret_key: file:///secret-key/key
+ postgresql:
+ host: authentik-postgres-rw
+ user: file:///postgres-creds/username
+ password: file:///postgres-creds/password
+ server:
+ ingress:
+ enabled: true
+ ingressClassName: traefik
+ annotations:
+ traefik.ingress.kubernetes.io/router.tls: "true"
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ hosts:
+ - authentik.michaelthomson.dev
+ tls:
+ - secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+ hosts:
+ - authentik.michaelthomson.dev
+ volumes:
+ - name: postgres-creds
+ secret:
+ secretName: authentik-postgres-credentials
+ - name: secret-key
+ secret:
+ secretName: authentik-secret-key
+ volumeMounts:
+ - name: postgres-creds
+ mountPath: /postgres-creds
+ readOnly: true
+ - name: secret-key
+ mountPath: /secret-key
+ readOnly: true
+ worker:
+ volumes:
+ - name: postgres-creds
+ secret:
+ secretName: authentik-postgres-credentials
+ volumeMounts:
+ - name: postgres-creds
+ mountPath: /postgres-creds
+ readOnly: true
+ redis:
+ enabled: true
diff --git a/apps/authentik/repository.yaml b/apps/authentik/repository.yaml
new file mode 100644
index 0000000..f7f3ea3
--- /dev/null
+++ b/apps/authentik/repository.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: authentik
+ namespace: authentik
+spec:
+ interval: 15m
+ url: https://charts.goauthentik.io/
diff --git a/apps/keycloak/release.yaml b/apps/keycloak/release.yaml
deleted file mode 100644
index c224c70..0000000
--- a/apps/keycloak/release.yaml
+++ /dev/null
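Review bot: `releaseName: immich` on line 15 of the new `release.yaml` looks like a copy-paste leftover from another app; the HelmRelease, namespace and chart are all `authentik`, so it should read `releaseName: authentik` before the first reconcile installs the Helm release under the wrong name and a later correction forces a reinstall. The `worker` section also mounts only `postgres-creds`, while the top-level `authentik.secret_key: file:///secret-key/key` is, as far as I can tell, rendered into both server and worker pods, so the worker would try to read a file from a path it never mounts; if the chart does share that value, add the `secret-key` volume and mount to `worker` as below. `version: 2025.6.1` parses as a string in YAML today, but quoting it (`version: "2025.6.1"`) keeps it robust against tooling that retypes numeric-looking scalars.
```yaml
  releaseName: authentik
  # … unchanged: values.authentik, values.server …
    worker:
      volumes:
        - name: postgres-creds
          secret:
            secretName: authentik-postgres-credentials
        - name: secret-key
          secret:
            secretName: authentik-secret-key
      volumeMounts:
        - name: postgres-creds
          mountPath: /postgres-creds
          readOnly: true
        - name: secret-key
          mountPath: /secret-key
          readOnly: true
  # … unchanged: values.redis …
```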
@@ -1,30 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: keycloak
- namespace: keycloak
-spec:
- chartRef:
- kind: OCIRepository
- name: keycloak
- interval: 15m
- releaseName: keycloak
- values:
- proxy: edge
- production: true
- resources:
- limits:
- cpu: 2000m
- ephemeral-storage: 2Gi
- memory: 2Gi
- ingress:
- enabled: true
- annotations:
- traefik.ingress.kubernetes.io/router.entrypoints: websecure
- traefik.ingress.kubernetes.io/router.tls: "true"
- hostname: keycloak.michaelthomson.dev
- tls: true
- extraTls:
- - hosts:
- - keycloak.michaelthomson.dev
- secretName: letsencrypt-wildcard-cert-michaelthomson.dev
diff --git a/apps/keycloak/repository.yaml b/apps/keycloak/repository.yaml
deleted file mode 100644
index f6fb26d..0000000
--- a/apps/keycloak/repository.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: OCIRepository
-metadata:
- name: keycloak
- namespace: keycloak
-spec:
- interval: 15m
- url: oci://registry-1.docker.io/bitnamicharts/keycloak
- ref:
- semver: ">=24.0.0"
diff --git a/bootstrap/apps/kustomization-keycloak.yaml b/bootstrap/apps/kustomization-authentik.yaml
similarity index 87%
rename from bootstrap/apps/kustomization-keycloak.yaml
rename to bootstrap/apps/kustomization-authentik.yaml
index 66700bd..d1aeefb 100644
--- a/bootstrap/apps/kustomization-keycloak.yaml
+++ b/bootstrap/apps/kustomization-authentik.yaml
@@ -1,11 +1,11 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
- name: keycloak
+ name: authentik
 namespace: flux-system
 spec:
 interval: 15m
- path: ./apps/keycloak
+ path: ./apps/authentik
 prune: true # remove any elements later removed from the above path
 wait: true
 sourceRef: