diff --git a/infrastructure/terraform/authentik/.terraform.lock.hcl b/infrastructure/terraform/authentik/.terraform.lock.hcl
new file mode 100644
index 0000000000..0ffd533683
--- /dev/null
+++ b/infrastructure/terraform/authentik/.terraform.lock.hcl
@@ -0,0 +1,46 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/1password/onepassword" {
+ version = "1.4.3"
+ constraints = "1.4.3"
+ hashes = [
+ "h1:/iQ2CwCCmUuqFtKXqtgUl9YqQQ2bss6Bl+sC4YuxqM0=",
+ "zh:01c3d2bbc3199f46504d7c26e78230e52b8044c7965322edb107f7ebb5339d5c",
+ "zh:210aaad41ad9d3df6c21bac532fcd3f554b09e4ba51a73adc0dee528fb537dbe",
+ "zh:2210573c368187cea89d948f60c8e65bcab42571e4c079fbf96bf36820a20fcf",
+ "zh:32b677a638d19a7d71cdec76d9172ba564cc65af726be54584a151fb0dbf9240",
+ "zh:3357f032c0de221ae1a99dc2c752e1bd3e7fbbbf30640cd82b3568689e372116",
+ "zh:3c82397d200c8726c2e96f47049e039257200856a2eb925fc2bf9eed17bfffef",
+ "zh:420259b5a29d1d849e050293f4dcfaa5e69c144eb8cda1f228c9f624f072e3d0",
+ "zh:42709d61d8db8fa08522a5a54e8f739b99bca5dd9336f328cd3de525850cac03",
+ "zh:7a91b6990b23edb488a2a2e3b158e7d8c8bf01b9cf9e9464822a2889d620b1d8",
+ "zh:95ca0311c5b56df47818432bd42a9315ef83bdf22f59b0d8e2bee8cabbbe5efd",
+ "zh:9fa8741ef3d65fb879e534e5e962eb992b9dadcc0b578afeb3f2d68b6fe103b8",
+ "zh:a5961294d6e50e60462dfa7df5fb82f984617cf1ba04602b1812643c0341252a",
+ "zh:b11ad8ad3e4e01688bf99341230deddc392865d3ade3250f1c76f52f17aa132e",
+ "zh:bc96a3f36a261b00c7825e1bfdf25cc671b4fcc7042c36dec47f8bc6d052209d",
+ ]
+}
+
+provider "registry.terraform.io/goauthentik/authentik" {
+ version = "2024.2.0"
+ constraints = "2024.2.0"
+ hashes = [
+ "h1:kxxwtM45+KNPbMfNieNTTPyce8t67wXNEswMInkNU+w=",
+ "zh:03b13879c66d1536f250c91f61ba078cc34af2fec271ea19c838a719dd4f1baa",
+ "zh:1c4d93aa3de72e4b00ac33fc0d4134fc5a641b863e9cd9afdc1105a4024fc8f0",
+ "zh:50d2f5b71ea5410633dbc8b143bef6fa77a9670a07a3fd85f9921e1094ab416e",
+ "zh:5320a267adb8506c23941df1c4cba56a176d0b9e0441f247fe714d34a514fcc8",
+ "zh:58376699c8941c109e49db7edfca4f83ec47b5b46619346380ca79d50902623e",
+ "zh:61f86a37dcb30167d1bfb84428b821de10c73cdec1ef911f167991ebc7eb9cd5",
+ "zh:6e99b5cf0f5987e3e3e24e26af12084f741a0f0b79a04d0b7e6703525cf4633e",
+ "zh:81c39322353f7da1c84c4ec82b6e7de70131156b256de21aee741240694e5bef",
+ "zh:bbec3872accea0294c86f812d668f9e2e8255b3d1f7424b39ddc261d6d02e036",
+ "zh:c1b56e5c4e82c683baf7854153caa85c600001ca6d1405f0d82a1aa29a600375",
+ "zh:cf4e41422aba2435f68bf1cf6c1e83315fe70c810dfd7e81a581d94490d6870b",
+ "zh:d86a2383e7fae38c9ea80f87d27d34d46a13fa24579b4612a248c888a3c9e265",
+ "zh:df693bc3156a2d632843abad9294d9192d1569039800c59e8a594c1b8e0fc9df",
+ "zh:e1a7148102d5a169dfb24c0de8441f3a9c25363976f4f2ce97f4c0b2e904302c",
+ ]
+}
diff --git a/infrastructure/terraform/authentik/main.tf b/infrastructure/terraform/authentik/main.tf
new file mode 100644
index 0000000000..22e23a8b26
--- /dev/null
+++ b/infrastructure/terraform/authentik/main.tf
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ authentik = {
+ source = "goauthentik/authentik"
+ version = "2024.2.0"
+ }
+ }
+}
+
+module "onepassword_authentik" {
+ source = "github.com/bjw-s/terraform-1password-item?ref=main"
+ vault = "Kubernetes"
+ item = "authentik"
+}
+
+
+provider "authentik" {
+ url = "https://sso.${var.cluster_domain}"
+ token = module.onepassword_authentik.fields.BOOTSTRAP_TOKEN
+}
diff --git a/infrastructure/terraform/minio/.terraform.lock.hcl b/infrastructure/terraform/minio/.terraform.lock.hcl
index b287e31d31..5ec997167e 100644
--- a/infrastructure/terraform/minio/.terraform.lock.hcl
+++ b/infrastructure/terraform/minio/.terraform.lock.hcl
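Review bot: The `module "onepassword_authentik"` source `github.com/bjw-s/terraform-1password-item?ref=main` pins a mutable branch, so each `terraform init` may fetch different module code into the run that reads the authentik bootstrap token; pin it to a release tag or commit, e.g. `source = "github.com/bjw-s/terraform-1password-item?ref=<tag-or-commit>"`. `required_providers` declares only `goauthentik/authentik`, while the new lock file in this commit also records `1password/onepassword` at `1.4.3` (pulled in through the module); declaring that provider here with the same constraint keeps the pin visible in the root module instead of depending on the module's own. `var.cluster_domain` is referenced but no `variable` block is in this hunk; presumably it lives in a sibling `.tf` file outside the diff.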
@@ -1,44 +1,33 @@
-# This file is maintained automatically by "tofu init".
+# This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.
 
-provider "registry.opentofu.org/1password/onepassword" {
- version = "1.4.1"
- constraints = "1.4.1"
+provider "registry.terraform.io/1password/onepassword" {
+ version = "1.4.3"
+ constraints = "1.4.3"
 hashes = [
- "h1:d5dalzjaEJbNL8+SXVTE9S2qCA3RWMavWAoFJHkKegI=",
- "zh:026bc0b0b4d1d3839a42a02d07c59e368b3d89956acc030e56f5cf4bf26e40a6",
- "zh:12da280deff1db1dd09f71aa54f7bbe74133fa86162addf253324c21b8af28fc",
- "zh:14be7f3ede72b1cca7b26fd3d35c99f28d2066b4718b0cc13eedd192a2331fed",
- "zh:2b7aa5b8d181c476044ae2cec058b01f978ab045573dd36edc2077b2295aa617",
- "zh:43cd56d2f73ec236ad1267a3b2424baa6aae652a09a89b6b73b9b920330580fe",
- "zh:68ffab144ac92fcc2f09b36107253080ad5df721dba8903e8c6586000d39fca9",
- "zh:77a21ecbece1cae1d1fc7848b6f3fbf5375d0b8aea137113d3be76c21887a399",
- "zh:8682cd285fe07e80541440d8003786cc94fe8703c4ced5225d20b0b9b2742139",
- "zh:94c565f80c6b9c7d6adf47e6cf8aad79acb588adf17a8e067f1c1f5a38b43a31",
- "zh:9b5834af8333906baf7be4793572eb6b5e3d125224727c390aa5a9bd09a99418",
- "zh:a71271ad157e9763086ba0957e1a25446e7f29c139ef1ea5ed2123acaf885a01",
- "zh:aa9b019815e3b75a6c033387326c7111c73888b7f6f6d22747fa04426f54082d",
- "zh:c12a7c6604071d95640d86d6aa8b1ec9e54608d586cbc532ef0ee6eefb9100d9",
- "zh:d19d03d26e3f5cab4ac55699615e4889d0ce39ac3fe55b66e0f89f832b240e9b",
+ "h1:/iQ2CwCCmUuqFtKXqtgUl9YqQQ2bss6Bl+sC4YuxqM0=",
+ "zh:01c3d2bbc3199f46504d7c26e78230e52b8044c7965322edb107f7ebb5339d5c",
+ "zh:210aaad41ad9d3df6c21bac532fcd3f554b09e4ba51a73adc0dee528fb537dbe",
+ "zh:2210573c368187cea89d948f60c8e65bcab42571e4c079fbf96bf36820a20fcf",
+ "zh:32b677a638d19a7d71cdec76d9172ba564cc65af726be54584a151fb0dbf9240",
+ "zh:3357f032c0de221ae1a99dc2c752e1bd3e7fbbbf30640cd82b3568689e372116",
+ "zh:3c82397d200c8726c2e96f47049e039257200856a2eb925fc2bf9eed17bfffef",
+ "zh:420259b5a29d1d849e050293f4dcfaa5e69c144eb8cda1f228c9f624f072e3d0",
+ "zh:42709d61d8db8fa08522a5a54e8f739b99bca5dd9336f328cd3de525850cac03",
+ "zh:7a91b6990b23edb488a2a2e3b158e7d8c8bf01b9cf9e9464822a2889d620b1d8",
+ "zh:95ca0311c5b56df47818432bd42a9315ef83bdf22f59b0d8e2bee8cabbbe5efd",
+ "zh:9fa8741ef3d65fb879e534e5e962eb992b9dadcc0b578afeb3f2d68b6fe103b8",
+ "zh:a5961294d6e50e60462dfa7df5fb82f984617cf1ba04602b1812643c0341252a",
+ "zh:b11ad8ad3e4e01688bf99341230deddc392865d3ade3250f1c76f52f17aa132e",
+ "zh:bc96a3f36a261b00c7825e1bfdf25cc671b4fcc7042c36dec47f8bc6d052209d",
 ]
 }
 
-provider "registry.opentofu.org/aminueza/minio" {
+provider "registry.terraform.io/aminueza/minio" {
 version = "2.2.0"
 constraints = "2.2.0"
 hashes = [
- "h1:+gOcwYhx4HEZOIZlnem7oLLb+mrgX7LFRVVquG9XuUI=",
- "h1:25B6SM2ta2UTX5TR0/pykRgFYxdWQ5JqwAjHXTnVR3w=",
- "h1:2nGf4oa6nmy2M7M3UZL2inCOHVFkaSwPutlyerYwkFw=",
- "h1:5MGcZWUIXqrMJfDvq0D8sKxPimsPU/HczPey259Zh6Q=",
- "h1:5xxLvJwCHcFjGoKX/YOnHLDkV5k0eAqEJnqFJ6by4rY=",
- "h1:EMlrMNiCIXeKBD3aAE6FObv/TTOKKKdJAcnyO+sJXOM=",
 "h1:YTUPYBP9fhvuJeHY7luL55dAd9JmUONgyLAOwSXSVgI=",
- "h1:cdvbX2/J1f9cGX0HBoqZl3r05zNKua1ZaWg4BWaqhNw=",
- "h1:dBTHnpWU3y3CC6As/tXq8Hg1hg8bX4yXb5cqWLTXgOY=",
- "h1:fOjEpTZkZdd/1k8PxKokFcfhNh8eZLycV7n/+gHHl5w=",
- "h1:lflo8FIxzssa+bVS6E+Q8hdVMeYkX5pm25DTSeZCUzI=",
- "h1:rvAAHx6m+FsNyJVMZPXeSrjOywp0+XaPvA/oJY4jV+8=",
 "zh:12f5c04c64b4085553a98dede25a7454e316d27e96dfd7185b4e6a845a403535",
 "zh:2268282b35f0862a5f955dbdd06e7e1a64b8329bb91b204a31389140e9ec110b",
 "zh:3d0fc5428f3144180fe7d94058b1a810a7661b90d8c7a577af8736529ac384c8",
diff --git a/infrastructure/terraform/minio/bucket-authentik.tf b/infrastructure/terraform/minio/bucket-authentik.tf
new file mode 100644
index 0000000000..0811ffecb8
--- /dev/null
+++ b/infrastructure/terraform/minio/bucket-authentik.tf
@@ -0,0 +1,8 @@
+module "onepassword_minio_bucket_authentik" {
+ source = "./modules/onepassword_minio_bucket"
+ vault = "Kubernetes"
+ password_item = "authentik"
+ providers = {
+ minio = minio.atlas
+ }
+}
diff --git a/kubernetes/main/apps/security/authentik/app/authentik-secret.yaml b/kubernetes/main/apps/security/authentik/app/authentik-secret.yaml
new file mode 100644
index 0000000000..8e84fbad3f
--- /dev/null
+++ b/kubernetes/main/apps/security/authentik/app/authentik-secret.yaml
@@ -0,0 +1,67 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.zinn.ca/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: &name authentik-secret
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: *name
+ creationPolicy: Owner
+ deletionPolicy: "Delete"
+ template:
+ engineVersion: v2
+ data:
+ AUTHENTIK_POSTGRESQL__HOST: &dbhost "postgres-rw.dbms"
+ AUTHENTIK_POSTGRESQL__NAME: &dbname "authentik"
+ AUTHENTIK_POSTGRESQL__USER: &dbuser "authentik"
+ AUTHENTIK_POSTGRESQL__PASSWORD: &dbpass "{{ .authentik_POSTGRESQL_PASSWORD }}"
+ AUTHENTIK_REDIS__DB: "1"
+
+ AUTHENTIK_STORAGE__MEDIA__BACKEND: "s3"
+ AUTHENTIK_STORAGE__MEDIA__S3__ACCESS_KEY: "{{ .authentik_AWS_ACCESS_KEY_ID }}"
+ AUTHENTIK_STORAGE__MEDIA__S3__SECRET_KEY: "{{ .authentik_AWS_SECRET_ACCESS_KEY }}"
+ AUTHENTIK_STORAGE__MEDIA__S3__BUCKET_NAME: "{{ .authentik_AWS_BUCKET_NAME }}"
+ AUTHENTIK_STORAGE__MEDIA__S3__REGION: "{{ .authentik_AWS_REGION }}"
+ AUTHENTIK_STORAGE__MEDIA__S3__ENDPOINT: "{{ .authentik_S3_ENDPOINT }}"
+
+ AUTHENTIK_BOOTSTRAP_EMAIL: "{{ .authentik_BOOTSTRAP_EMAIL }}"
+ AUTHENTIK_BOOTSTRAP_PASSWORD: "{{ .authentik_BOOTSTRAP_PASSWORD }}"
+ AUTHENTIK_BOOTSTRAP_TOKEN: "{{ .authentik_BOOTSTRAP_TOKEN }}"
+ AUTHENTIK_SECRET_KEY: "{{ .authentik_SECRET_KEY }}"
+
+ AUTHENTIK_EMAIL__HOST: "{{ .email_EMAIL_SMTP_HOST }}"
+ AUTHENTIK_EMAIL__PORT: "{{ .email_EMAIL_SMTP_PORT }}"
+ AUTHENTIK_EMAIL__USERNAME: "{{ .authentik_EMAIL_USER }}"
+ AUTHENTIK_EMAIL__PASSWORD: "{{ .authentik_EMAIL_PASSWORD }}"
+ AUTHENTIK_EMAIL__USE_TLS: "true"
+ AUTHENTIK_EMAIL__FROM: "{{ .authentik_EMAIL_USER }}"
+
+ INIT_POSTGRES_HOST: *dbhost
+ INIT_POSTGRES_DBNAME: *dbname
+ INIT_POSTGRES_USER: *dbuser
+ INIT_POSTGRES_PASS: *dbpass
+ INIT_POSTGRES_SUPER_USER: "{{ .cnpg_POSTGRES_SUPER_USER }}"
+ INIT_POSTGRES_SUPER_PASS: "{{ .cnpg_POSTGRES_SUPER_PASS }}"
+ dataFrom:
+ - extract:
+ key: authentik
+ rewrite:
+ - regexp:
+ source: "(.*)"
+ target: "authentik_$1"
+ - extract:
+ key: cloudnative-pg-superuser
+ rewrite:
+ - regexp:
+ source: "(.*)"
+ target: "cnpg_$1"
+ - extract:
+ key: email-service
+ rewrite:
+ - regexp:
+ source: "(.*)"
+ target: "email_$1"
diff --git a/kubernetes/main/apps/security/authentik/app/helm-release.yaml b/kubernetes/main/apps/security/authentik/app/helm-release.yaml
new file mode 100644
index 0000000000..453b9e610e
--- /dev/null
+++ b/kubernetes/main/apps/security/authentik/app/helm-release.yaml
@@ -0,0 +1,58 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: authentik
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: authentik
+ version: 2024.2.2
+ sourceRef:
+ kind: HelmRepository
+ name: authentik-charts
+ namespace: flux-system
+ interval: 5m
+ values:
+ global:
+ podAnnotations:
+ reloader.stakater.com/auto: "true"
+ deploymentStrategy:
+ type: RollingUpdate
+ envFrom:
+ - secretRef:
+ name: &secrets authentik-secret
+ authentik:
+ redis:
+ host: dragonfly.dbms.svc.cluster.local
+ server:
+ initContainers:
+ init-db:
+ image:
+ repository: ghcr.io/onedr0p/postgres-init
+ tag: 16.2
+ pullPolicy: IfNotPresent
+ envFrom:
+ - secretRef:
+ name: *secrets
+ autoscaling:
+ enabled: true
+ minReplicas: 2
+ metrics:
+ prometheus:
+ serviceMonitor:
+ enabled: true
+ ingress:
+ enabled: true
+ ingressClassName: nginx
+ annotations:
+ ingress.home.arpa/type: external
+ hosts:
+ - sso.${SECRET_DOMAIN_NAME}
+ https: false
+ worker:
+ autoscaling:
+ enabled: true
+ minReplicas: 2
diff --git a/kubernetes/main/apps/security/authentik/app/kustomization.yaml b/kubernetes/main/apps/security/authentik/app/kustomization.yaml
new file mode 100644
index 0000000000..238b5fa0c6
--- /dev/null
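Review bot: `INIT_POSTGRES_SUPER_USER` and `INIT_POSTGRES_SUPER_PASS` are placed in the same `authentik-secret` that the helm-release hunk of this commit injects via `global.envFrom` into every authentik server and worker container, so the CloudNativePG superuser password ends up in the runtime environment of the application pods rather than only in the `init-db` init container that actually uses it. Moving the `INIT_POSTGRES_*` keys into a second ExternalSecret (for example `authentik-initdb-secret`) that only `server.initContainers.init-db.envFrom` references keeps the superuser credential out of the app processes and out of anything that dumps their environment. Per authentik's documentation the `AUTHENTIK_BOOTSTRAP_PASSWORD` and `AUTHENTIK_BOOTSTRAP_TOKEN` values are read only on first start, so once the admin account and API token exist they can be dropped from this ExternalSecret while the 1Password item still serves the Terraform provider in this commit's `main.tf`. A short comment on the `INIT_POSTGRES_*` group, such as `# consumed by the init-db init container only`, would make the intended audience of these keys explicit.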
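Review bot: `https: false` under `server.ingress` leaves the SSO endpoint, which receives user passwords on every login and carries session cookies, without an ingress-level TLS stanza; unless the nginx controller terminates TLS for `sso.${SECRET_DOMAIN_NAME}` by other means (a default or wildcard certificate, or the `ingress.home.arpa/type: external` annotation routing through a TLS-terminating proxy), the annotation alone does not make the traffic HTTPS. If TLS is terminated elsewhere, a comment beside it such as `# TLS is terminated by the external nginx controller's wildcard certificate` would document that decision. The `init-db` image is pinned by `tag: 16.2` only; since that container receives the database superuser password, pinning it by digest as well (e.g. `tag: 16.2@sha256:<digest-from-registry>`, if the chart concatenates repository and tag) makes it immutable. `autoscaling` is enabled for both `server` and `worker` with `minReplicas: 2` but no `maxReplicas`, so the chart default applies; stating it explicitly avoids surprise if that default changes with the chart version.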
+++ b/kubernetes/main/apps/security/authentik/app/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - authentik-secret.yaml
+ - helm-release.yaml
diff --git a/kubernetes/main/apps/security/authentik/install.yaml b/kubernetes/main/apps/security/authentik/install.yaml
new file mode 100644
index 0000000000..784aced37c
--- /dev/null
+++ b/kubernetes/main/apps/security/authentik/install.yaml
@@ -0,0 +1,25 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.zinn.ca/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: security-authentik
+ namespace: flux-system
+spec:
+ targetNamespace: security
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: &app authentik
+ path: ./kubernetes/main/apps/security/authentik/app
+ sourceRef:
+ kind: GitRepository
+ name: homelab-kubernetes
+ dependsOn:
+ - name: dbms-cloudnative-pg
+ - name: dbms-dragonfly-cluster
+ - name: security-external-secrets-stores
+ prune: true
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/main/apps/security/kustomization.yaml b/kubernetes/main/apps/security/kustomization.yaml
index b31ee5addd..1d36fec966 100644
--- a/kubernetes/main/apps/security/kustomization.yaml
+++ b/kubernetes/main/apps/security/kustomization.yaml
@@ -4,6 +4,7 @@ kind: Kustomization
 resources:
 - namespace.yaml
 - authelia/install.yaml
+ - authentik/install.yaml
 - dmarc-report/install.yaml
 - external-secrets/install.yaml
 - lldap/install.yaml
diff --git a/kubernetes/main/cluster/repositories/helm-charts/authentik-charts.yaml b/kubernetes/main/cluster/repositories/helm-charts/authentik-charts.yaml
new file mode 100644
index 0000000000..96b128de28
--- /dev/null
+++ b/kubernetes/main/cluster/repositories/helm-charts/authentik-charts.yaml
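Review bot: The HelmRelease added in this commit uses `${SECRET_DOMAIN_NAME}` in its ingress host, but this Flux Kustomization declares no `postBuild.substituteFrom`; Flux substitutes variables only into the manifests a Kustomization reconciles itself, so the parent that applies this `install.yaml` will not substitute into `helm-release.yaml`, and the literal string `sso.${SECRET_DOMAIN_NAME}` would be applied as the ingress host unless substitution is configured in a way not visible here. Adding `postBuild: substituteFrom: - kind: Secret name: <cluster-secrets-name>`, matching whatever the sibling `install.yaml` files in this directory use, keeps it consistent with them. The `&app` anchor on `app.kubernetes.io/name` is declared but never dereferenced in the file, so it can be dropped.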
@@ -0,0 +1,11 @@
+---
+# yaml-language-server: $schema=https://lds-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1beta2.json
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: authentik-charts
+ namespace: flux-system
+spec:
+ interval: 30m
+ url: https://charts.goauthentik.io
+ timeout: 3m
diff --git a/kubernetes/main/cluster/repositories/helm-charts/kustomization.yaml b/kubernetes/main/cluster/repositories/helm-charts/kustomization.yaml
index 9ac71eb550..ef6bacd3eb 100644
--- a/kubernetes/main/cluster/repositories/helm-charts/kustomization.yaml
+++ b/kubernetes/main/cluster/repositories/helm-charts/kustomization.yaml
@@ -3,6 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - actions-runner-controller-charts.yaml
+ - authentik-charts.yaml
 - bitnami-charts.yaml
 - backube-charts.yaml
 - bjw-s-charts.yaml