diff --git a/authentik/authentik-email-password.yaml b/authentik/authentik-email-password.yaml
new file mode 100644
index 0000000..a73724b
--- /dev/null
+++ b/authentik/authentik-email-password.yaml
@@ -0,0 +1,21 @@
+{
+ "kind": "SealedSecret",
+ "apiVersion": "bitnami.com/v1alpha1",
+ "metadata": {
+ "name": "authentik-email-password",
+ "namespace": "authentik",
+ "creationTimestamp": null
+ },
+ "spec": {
+ "template": {
+ "metadata": {
+ "name": "authentik-email-password",
+ "namespace": "authentik",
+ "creationTimestamp": null
+ }
+ },
+ "encryptedData": {
+ "AUTHENTIK_EMAIL__PASSWORD": "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"
+ }
+ }
+}
diff --git a/authentik/authentik-postgresql-password.yaml b/authentik/authentik-postgresql-password.yaml
new file mode 100644
index 0000000..a27b799
--- /dev/null
+++ b/authentik/authentik-postgresql-password.yaml
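Review bot: The three SealedSecret files (this one, authentik/authentik-postgresql-password.yaml and authentik/authentik-secret-key.yaml) are raw kubeseal JSON output stored under a `.yaml` extension, while every other manifest in this commit is block-style YAML; regenerating them with `kubeseal -o yaml` (or converting once) keeps the repo consistent and readable in diffs, and the two `"creationTimestamp": null` fields under `metadata` and `spec.template.metadata` are emitted by kubeseal and can be dropped. Committing only the `encryptedData` ciphertext is the right pattern here. Because `name` and `namespace` are both set and no scope annotation is present, the default strict sealing scope applies, so this ciphertext can only be unsealed into `authentik/authentik-email-password`; once the file is YAML, a one-line comment such as `# sealed with strict scope: unsealable only as authentik/authentik-email-password` would make that explicit for future readers.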
@@ -0,0 +1,21 @@
+{
+ "kind": "SealedSecret",
+ "apiVersion": "bitnami.com/v1alpha1",
+ "metadata": {
+ "name": "authentik-postgresql-password",
+ "namespace": "authentik",
+ "creationTimestamp": null
+ },
+ "spec": {
+ "template": {
+ "metadata": {
+ "name": "authentik-postgresql-password",
+ "namespace": "authentik",
+ "creationTimestamp": null
+ }
+ },
+ "encryptedData": {
+ "AUTHENTIK_POSTGRESQL__PASSWORD": "AgBbQwrjhB1FpCCqqcK6t8u+tfvkGE4zauPEehkcgspGiTkK5gl7df6N+D2Ft8S16BL5wT3wcFL94pXousJZaASlV+P+MMD/mfpGUil2PM4nRM/BSXUDIqYYf/u5MiNDcT25DDv78K3Bg2RYZSssPNRb3r2+uTgmUAcsUKdmKm2E0fSCBMpo3+nMMPWjyUrVnZtGvJq48CxpG4DBW2awDQtFZOZkTnsXgXAyZEQOmmHNaZrRbqE7BwsMS5JEyvOW6vSYh4168fVls2fpJy389AV8OTUcwZfSzc+x3qCDkZYW+lgfW5n1R7eBD3sOOCbrNyLcHqJOgdsqetqr3Q//A7EvGbZ2WYHGTXJfwz0u61nJVNVtJPml1MybzvYUdGaunVo3fLetY/O6fEPCxDgUPAYZEhjYKYWxlosuz8KrihD1E+KNP9HP+7C04H3r1tBUelJSBcV/VAgM211TfhAxaq0Lh7O0ZaiNdt9w3fZufcwdxuRf4xuwHJKtS9GaFvprH/GF8rw9t6BHc798c7bW3S9/mym0l250KSb2WcjdZFOWYuWAPjtLrU2UjDQ79k8GuX7wx6lt8QWdiO+DFQGWV7TOXpyNfl+XA2241QVXx1SBdmCvQpimlbf9pTN5P0Op608TUVRTWGIDItaH17NDgo+qcnvNXElKzuRSwI7jmtL2H8xzQYG+0OILbc1fRatzSCRQhZExQZjZI8F8QDGXj6tiH7HwJivZCHuKOFZHImmPLKjf7FWw1BLOFgyPbgrLXfLc9A=="
+ }
+ }
+}
diff --git a/authentik/authentik-secret-key.yaml b/authentik/authentik-secret-key.yaml
new file mode 100644
index 0000000..b96d999
--- /dev/null
+++ b/authentik/authentik-secret-key.yaml
@@ -0,0 +1,21 @@
+{
+ "kind": "SealedSecret",
+ "apiVersion": "bitnami.com/v1alpha1",
+ "metadata": {
+ "name": "authentik-secret-key",
+ "namespace": "authentik",
+ "creationTimestamp": null
+ },
+ "spec": {
+ "template": {
+ "metadata": {
+ "name": "authentik-secret-key",
+ "namespace": "authentik",
+ "creationTimestamp": null
+ }
+ },
+ "encryptedData": {
+ "AUTHENTIK_SECRET_KEY": "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"
+ }
+ }
+}
diff --git a/authentik/dns-endpoint.yaml b/authentik/dns-endpoint.yaml
new file mode 100644
index 0000000..4b2f79f
--- /dev/null
+++ b/authentik/dns-endpoint.yaml
@@ -0,0 +1,15 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+ name: authentik.michaelthomson.dev
+ namespace: authentik
+spec:
+ endpoints:
+ - dnsName: authentik.michaelthomson.dev
+ recordTTL: 180
+ recordType: CNAME
+ targets:
+ - michaelthomson.ddns.net
+ providerSpecific:
+ - name: external-dns.alpha.kubernetes.io/cloudflare-proxied
+ value: "true"
diff --git a/authentik/helmrelease-authentik.yaml b/authentik/helmrelease-authentik.yaml
new file mode 100644
index 0000000..1fe5ed5
--- /dev/null
+++ b/authentik/helmrelease-authentik.yaml
@@ -0,0 +1,53 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: authentik
+ namespace: authentik
+spec:
+ chart:
+ spec:
+ chart: authentik
+ version: 2024.8.3
+ sourceRef:
+ kind: HelmRepository
+ name: authentik
+ namespace: flux-system
+ interval: 15m
+ timeout: 5m
+ releaseName: authentik
+ values:
+ global:
+ envFrom:
+ - secretRef:
+ name: authentik-postgresql-password
+ - secretRef:
+ name: authentik-secret-key
+ - secretRef:
+ name: authentik-email-password
+
+ server:
+ ingress:
+ enabled: true
+ ingressClassName: traefik
+ annotations:
+ traefik.ingress.kubernetes.io/router.tls: "true"
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ hosts:
+ - authentik.michaelthomson.dev
+ tls:
+ - secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+ hosts:
+ - authentik.michaelthomson.dev
+
+ postgresql:
+ enabled: true
+
+ redis:
+ enabled: true
+
+ email:
+ host: mail.michaelthomson.dev
+ port: 465
+ username: server@michaelthomson.dev
+ use_tls: true
+ from: "Michael's Server "
diff --git a/bootstrap/helmrepositories/helmrepository-authentik.yaml b/bootstrap/helmrepositories/helmrepository-authentik.yaml
new file mode 100644
index 0000000..c0708a2
--- /dev/null
+++ b/bootstrap/helmrepositories/helmrepository-authentik.yaml
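Review bot: `recordTTL: 180` on the authentik.michaelthomson.dev endpoint is, as far as I know, not honoured while `external-dns.alpha.kubernetes.io/cloudflare-proxied` is `"true"`, because Cloudflare pins proxied records to automatic TTL; either drop the field or annotate it so nobody expects it to take effect, e.g. `recordTTL: 180 # only applies if the Cloudflare proxy is ever disabled`. The CNAME target `michaelthomson.ddns.net` is a public dynamic-DNS name that resolves straight to the origin, so the proxy in front of this hostname does not conceal the origin address; a short comment on the `targets:` entry stating that this is understood would save the next reader from re-asking.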
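Review bot: `use_tls: true` together with `port: 465` in the `email:` block looks inconsistent: authentik's `use_tls` enables STARTTLS, whereas 465 is conventionally the implicit-TLS (SMTPS) port for which authentik expects `use_ssl: true`, and it documents that only one of the two may be enabled; if mail.michaelthomson.dev really serves SMTPS on 465 the fix is `use_ssl: true` in place of `use_tls: true`, otherwise move to `port: 587` and keep `use_tls`. A mismatch fails closed (the SMTP handshake times out rather than downgrading), so credentials are not exposed, but password-reset and notification mail silently stops working. Separately, `AUTHENTIK_POSTGRESQL__PASSWORD` from the sealed secret only tells authentik what password to present; with `postgresql.enabled: true` the bundled subchart needs the same value on its side (e.g. `postgresql.auth.password` or an existing-secret reference) or the first connection is rejected, so if that wiring lives elsewhere a comment under `postgresql:` pointing to it would help. Lastly, `from: "Michael's Server "` ends in a trailing space with no address part, which looks like a lost `<server@michaelthomson.dev>` suffix and should be checked against the committed file, and quoting the chart version as `version: "2024.8.3"` would match the quoted annotation values in the same file.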
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: authentik
+ namespace: flux-system
+spec:
+ interval: 15m
+ url: https://charts.goauthentik.io/
diff --git a/bootstrap/kustomizations/kustomization-authentik.yaml b/bootstrap/kustomizations/kustomization-authentik.yaml
new file mode 100644
index 0000000..cc4fcd4
--- /dev/null
+++ b/bootstrap/kustomizations/kustomization-authentik.yaml
@@ -0,0 +1,18 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: authentik
+ namespace: flux-system
+spec:
+ interval: 15m
+ path: ./authentik
+ prune: true # remove any elements later removed from the above path
+ timeout: 2m # if not set, this defaults to interval duration, which is 1h
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ healthChecks:
+ - apiVersion: helm.toolkit.fluxcd.io/v2beta2
+ kind: HelmRelease
+ name: authentik
+ namespace: authentik
diff --git a/bootstrap/namespaces/namespace-authentik.yaml b/bootstrap/namespaces/namespace-authentik.yaml
new file mode 100644
index 0000000..bb24d8d
--- /dev/null
+++ b/bootstrap/namespaces/namespace-authentik.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: authentik
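Review bot: The inline comment on `timeout: 2m` in kustomization-authentik.yaml says the default is the interval "which is 1h", but `interval: 15m` is set two lines above, so the comment contradicts its own file; `timeout: 2m # defaults to spec.interval (15m here) when unset` would be accurate. That 2m is also shorter than the HelmRelease's own `timeout: 5m` in authentik/helmrelease-authentik.yaml, and a first install that brings up the bundled postgresql and redis can plausibly run longer, in which case the `healthChecks` entry reports the Kustomization as failed until a later reconcile even though the release is still progressing — raising it to at least the HelmRelease timeout avoids that noise. Finally, `./authentik` contains SealedSecret objects, so this Kustomization should declare `dependsOn` for whichever Kustomization installs the sealed-secrets controller and CRD (not visible in this commit); without it the first reconcile can fail on an unknown `SealedSecret` kind before the controller is ready.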