diff --git a/ansible/main.yml b/ansible/main.yml
index bddd6bb..4350aff 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -66,6 +66,7 @@
     - mastodon
     - gitea
     - vikunja
+    - authentik
 
 - hosts: ingress
   roles:
diff --git a/ansible/roles/authentik/files/docker-compose.yml b/ansible/roles/authentik/files/docker-compose.yml
new file mode 100644
index 0000000..da79e63
--- /dev/null
+++ b/ansible/roles/authentik/files/docker-compose.yml
@@ -0,0 +1,78 @@
+version: "3.4"
+
+x-env: &env
+  - TIMEZONE={{ timezone }}
+  - AUTHENTIK_REDIS__HOST=redis
+  - AUTHENTIK_POSTGRESQL__HOST=db
+  - AUTHENTIK_POSTGRESQL__USER=authentik
+  - AUTHENTIK_POSTGRESQL__NAME=authentik
+  - AUTHENTIK_POSTGRESQL__PASSWORD={{ authentik_db_password }}
+  - AUTHENTIK_SECRET_KEY={{ authentik_secret_key }}
+  - AUTHENTIK_WEB__WORKERS=1
+  - AUTHENTIK_DISABLE_UPDATE_CHECK=true
+  - AUTHENTIK_ERROR_REPORTING__ENABLED=false
+  - AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
+  - AUTHENTIK_EMAIL__HOST=smtp.eu.mailgun.org
+  - AUTHENTIK_EMAIL__PORT=465
+  - AUTHENTIK_EMAIL__USERNAME={{ authentik_email_username }}
+  - AUTHENTIK_EMAIL__PASSWORD={{ authentik_email_password }}
+  - AUTHENTIK_EMAIL__USE_TLS=true
+  - AUTHENTIK_EMAIL__FROM={{ authentik_email_from }}
+
+services:
+  server:
+    image: ghcr.io/goauthentik/server:2023.10.2
+    restart: unless-stopped
+    command: server
+    user: "{{ docker_user.id }}"
+    environment: *env
+    volumes:
+      - "{{ app_data_dir }}/authentik/media:/media"
+      - "{{ app_data_dir }}/authentik/custom-templates:/templates"
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.authentik.rule=Host(`auth.jakehoward.tech`)
+      - traefik.http.services.authentik-authentik.loadbalancer.server.port=9000
+      - traefik.http.middlewares.authentik-ratelimit.ratelimit.average=5
+      - traefik.http.middlewares.authentik-ratelimit.ratelimit.burst=1000
+      - traefik.http.routers.authentik.middlewares=authentik-ratelimit
+    depends_on:
+      - db
+      - redis
+    networks:
+      - default
+      - traefik
+
+  worker:
+    image: ghcr.io/goauthentik/server:2023.10.2
+    restart: unless-stopped
+    command: worker
+    user: "{{ docker_user.id }}"
+    environment: *env
+    volumes:
+      - "{{ app_data_dir }}/authentik/media:/media"
+      - "{{ app_data_dir }}/authentik/certs:/certs"
+      - "{{ app_data_dir }}/authentik/custom-templates:/templates"
+    depends_on:
+      - db
+      - redis
+      - server
+
+  db:
+    image: postgres:15-alpine
+    restart: unless-stopped
+    volumes:
+      - /mnt/speed/dbs/postgres/authentik:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_PASSWORD={{ authentik_db_password }}
+      - POSTGRES_USER=authentik
+
+  redis:
+    image: redis:alpine
+    restart: unless-stopped
+    volumes:
+      - /mnt/speed/dbs/redis/authentik:/data
+
+networks:
+  traefik:
+    external: true
diff --git a/ansible/roles/authentik/handlers/main.yml b/ansible/roles/authentik/handlers/main.yml
new file mode 100644
index 0000000..3aa4d8d
--- /dev/null
+++ b/ansible/roles/authentik/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart authentik
+  shell:
+    chdir: /opt/authentik
+    cmd: "{{ docker_update_command }}"
diff --git a/ansible/roles/authentik/tasks/main.yml b/ansible/roles/authentik/tasks/main.yml
new file mode 100644
index 0000000..56122e2
--- /dev/null
+++ b/ansible/roles/authentik/tasks/main.yml
@@ -0,0 +1,20 @@
+- name: Include vault
+  include_vars: vault.yml
+
+- name: Create install directory
+  file:
+    path: /opt/authentik
+    state: directory
+    owner: "{{ docker_user.name }}"
+    mode: "{{ docker_compose_directory_mask }}"
+  become: true
+
+- name: Install compose file
+  template:
+    src: files/docker-compose.yml
+    dest: /opt/authentik/docker-compose.yml
+    mode: "{{ docker_compose_file_mask }}"
+    owner: "{{ docker_user.name }}"
+    validate: docker-compose -f %s config
+  notify: restart authentik
+  become: true
diff --git a/ansible/roles/authentik/vars/main.yml b/ansible/roles/authentik/vars/main.yml
new file mode 100644
index 0000000..ad95e8b
--- /dev/null
+++ b/ansible/roles/authentik/vars/main.yml
@@ -0,0 +1,5 @@
+authentik_db_password: "{{ vault_authentik_db_password }}"
+authentik_secret_key: "{{ vault_authentik_secret_key }}"
+authentik_email_username: "{{ vault_authentik_email_username }}"
+authentik_email_password: "{{ vault_authentik_email_password }}"
+authentik_email_from: "{{ vault_authentik_email_from }}"
diff --git a/ansible/roles/authentik/vars/vault.yml b/ansible/roles/authentik/vars/vault.yml
new file mode 100644
index 0000000..f75ef88
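Review bot: The Traefik rate limit on the `server` labels allows a burst of 1000 requests against an average of 5/s, so a single client can still fire a thousand login attempts at `auth.jakehoward.tech` before the limiter engages, which defeats its purpose on an identity provider's login endpoint; a burst close to the average, e.g. `traefik.http.middlewares.authentik-ratelimit.ratelimit.burst=10`, is what brute-force throttling actually needs. Separately, `AUTHENTIK_EMAIL__PORT=465` is paired with `AUTHENTIK_EMAIL__USE_TLS=true`: 465 is the implicit-TLS (SMTPS) port while `USE_TLS` in authentik/Django means STARTTLS, so mail for recovery and MFA flows will most likely fail to connect — use `AUTHENTIK_EMAIL__PORT=587` with `USE_TLS=true`, or keep 465 and set `AUTHENTIK_EMAIL__USE_SSL=true` instead. The secret key, DB password and SMTP password are also passed as plain environment variables shared by both containers, where `docker inspect` and any process inside the container can read them; authentik's config loader accepts `file://` values, if I recall correctly, which would let these come from read-only mounted files — worth confirming against the 2023.10 docs. Lastly, `redis:alpine` and `postgres:15-alpine` are floating tags next to the pinned authentik image, so a `pull` can silently move Redis across a major version; pinning them to the same precision (`redis:7-alpine` at minimum) keeps the stack's upgrades deliberate.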
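Review bot: The `Install compose file` task renders the vault secrets (DB password, secret key, SMTP credentials) into `/opt/authentik/docker-compose.yml` but carries no `no_log`, so a run with `--diff` prints the rendered file, secrets included, to the console and to any log shipped from it; add `no_log: true` to that task (or at least `diff: false`), and make sure `docker_compose_file_mask` is owner-only (`"0600"`) now that the file holds credentials — its value isn't visible here. The `validate: docker-compose -f %s config` step deserves the same caution: `config` echoes the fully resolved compose file to stdout, and Ansible includes the validator's stdout/stderr in its failure message, so a failed validation can surface the secrets in the play output as well. Minor style point: the Jinja template lives under `files/` (`src: files/docker-compose.yml`), whereas `template:` looks in `templates/` by default, so `src: docker-compose.yml.j2` under `templates/` would be the idiomatic layout and signal to readers that the file is rendered, not copied.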
--- /dev/null
+++ b/ansible/roles/authentik/vars/vault.yml
@@ -0,0 +1,22 @@
+$ANSIBLE_VAULT;1.1;AES256
+31633966386539623139356136333664326633646537366433626432363437336331333639636634
+6563646365666534393834636539376337666336376666300a313338336365383338633165646531
+35656231613762393636666332653434393966343039313863333566646434643630343438623362
+6466383362396539610a366438306332303331656237343466313135336431363335306636643363
+32383066353331383461613532323265353861663835663463383235303863306438386364303235
+31323264323732326231336162393438313262323263316564336266663565666361316564373332
+61616637306636353362633338616461646232616165323638346164346565353139666238323033
+36366537393530613464613033383438666362636166613062653930326663626337346636346434
+66396362656231613930653866386334393438336332383637356663323936623863313161323039
+34316639633235313132336238636162343936336163356135303034383434346561356365633636
+32633930313335343961653835656363333365656438393334303333373337353566666532373964
+38316362306362363464313237383130343239326238663062616533396230316438316536333139
+66353835333066346634366638323930616365386364643165666133666565383137303062636263
+64646639666235356264623663313762333666306565303237656434323365316165633866373964
+38326631656463373161356562303031643231623332653861616535333834336630363239363632
+31643862626639353132373232393966323461653361343331653261356431363933326130363433
+38323633343433346535633937373466666639353530653164313532623535653135613766336138
+64626631656431613937366563373934616364656536373437353563346165626535326464353439
+37353136376636633231393733613663633864616163373736386332316162333166303863663538
+63376461643263326362373434666138303635636165616564316432626564356138623032653737
+37323633353165623661343736363933323631646438383430303234326665613566
diff --git a/terraform/jakehoward.tech.tf b/terraform/jakehoward.tech.tf
index 7bd2ecf..0af13c4 100644
--- a/terraform/jakehoward.tech.tf
+++ b/terraform/jakehoward.tech.tf
@@ -213,6 +213,14 @@ resource "cloudflare_record" "jakehowardtech_tasks" {
   ttl = 1
 }
 
+resource "cloudflare_record" "jakehowardtech_auth" {
+  zone_id = cloudflare_zone.jakehowardtech.id
+  name = "auth"
+  value = linode_instance.casey.ip_address
+  type = "A"
+  ttl = 1
+}
+
 resource "cloudflare_record" "jakehowardtech_caa" {
   zone_id = cloudflare_zone.jakehowardtech.id
   name = "@"
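Review bot: The new `jakehowardtech_auth` record leaves `proxied` unset, which the Cloudflare provider defaults to `false`, so `auth.jakehoward.tech` resolves straight to the Linode origin address; that may well match the neighbouring records (the hunk doesn't show whether `jakehowardtech_tasks` sets it), but for the host that fronts the identity provider's login form it deserves an explicit decision — either `proxied = true` to keep Cloudflare's origin protection and edge rate limiting in front of it, or a one-line comment stating why DNS-only was chosen. Style: this appears to be the same six-line block as the other `A` records in the file, each pointing at `linode_instance.casey.ip_address`; a single `cloudflare_record` with `for_each = toset(["tasks", "auth", ...])` would end the copy-paste, though that is a refactor beyond this commit.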