diff --git a/apps/authentik/Chart.yaml b/apps/authentik/Chart.yaml
new file mode 100644
index 0000000..10cfe44
--- /dev/null
+++ b/apps/authentik/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: authentik
+version: 1.0.0
+dependencies:
+ - name: authentik
+ version: 2025.10.1
+ repository: https://charts.goauthentik.io
diff --git a/apps/authentik/application.yaml b/apps/authentik/application.yaml
new file mode 100644
index 0000000..9f9f2b3
--- /dev/null
+++ b/apps/authentik/application.yaml
@@ -0,0 +1,40 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: authentik
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "1"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ source:
+ repoURL: https://git.mvzijl.nl/marco/veda.git
+ targetRevision: applicationset-rewrite
+ path: apps/authentik
+ helm:
+ releaseName: authentik
+ valueFiles:
+ - values.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: authentik
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
+ managedNamespaceMetadata:
+ labels:
+ pod-security.kubernetes.io/enforce: baseline
+ pod-security.kubernetes.io/audit: baseline
+ pod-security.kubernetes.io/warn: baseline
+ ignoreDifferences:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ jqPathExpressions:
+ - .spec.parentRefs[] | .group, .kind
+ - .spec.rules[].backendRefs[] | .group, .kind, .weight
diff --git a/apps/authentik/values.yaml b/apps/authentik/values.yaml
new file mode 100644
index 0000000..3f6da72
--- /dev/null
+++ b/apps/authentik/values.yaml
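Review bot: All three pod-security labels under `managedNamespaceMetadata` in application.yaml are set to `baseline`, so the namespace never reports how far its pods are from the `restricted` profile. Keeping `pod-security.kubernetes.io/enforce: baseline` but raising the two non-blocking ones, `pod-security.kubernetes.io/audit: restricted` and `pod-security.kubernetes.io/warn: restricted`, surfaces the gap in audit logs and kubectl warnings without changing admission. Separately, `targetRevision: applicationset-rewrite` pins the Application to a branch rather than a tag or commit, and with `automated` plus `selfHeal` every push to that branch is deployed; if that is only meant for the rewrite period, a comment on that line saying so would help the next reader.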
@@ -0,0 +1,145 @@
+authentik:
+
+ authentik:
+ postgresql:
+ host: file:///postgres-creds/host
+ name: file:///postgres-creds/dbname
+ username: file:///postgres-creds/username
+ password: file:///postgres-creds/password
+ port: file:///postgres-creds/port
+
+ server:
+ route:
+ main:
+ enabled: true
+ hostnames:
+ - "auth.noxxos.nl"
+ - "authentik.noxxos.nl"
+ - "sso.noxxos.nl"
+ parentRefs:
+ - name: traefik-gateway
+ namespace: traefik
+ sectionName: websecure
+ resources:
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ limits:
+ memory: 1Gi
+ volumes:
+ - name: postgres-creds
+ secret:
+ secretName: authentik-pg-cluster-app
+ volumeMounts:
+ - name: postgres-creds
+ mountPath: /postgres-creds
+ readOnly: true
+
+ worker:
+ replicas: 2
+ resources:
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ limits:
+ memory: 1Gi
+ volumes:
+ - name: postgres-creds
+ secret:
+ secretName: authentik-pg-cluster-app
+ volumeMounts:
+ - name: postgres-creds
+ mountPath: /postgres-creds
+ readOnly: true
+
+ extraObjects:
+ - apiVersion: postgresql.cnpg.io/v1
+ kind: Cluster
+ metadata:
+ name: authentik-pg-cluster
+ namespace: authentik
+ spec:
+ instances: 2
+ postgresql:
+ parameters:
+ max_connections: "20"
+ shared_buffers: "25MB"
+ effective_cache_size: "75MB"
+ maintenance_work_mem: "6400kB"
+ checkpoint_completion_target: "0.9"
+ wal_buffers: "768kB"
+ default_statistics_target: "100"
+ random_page_cost: "1.1"
+ effective_io_concurrency: "300"
+ work_mem: "640kB"
+ huge_pages: "off"
+ max_wal_size: "128MB"
+ bootstrap:
+ initdb:
+ database: authentik
+ owner: authentik
+ secret:
+ name: authentik-pg-cluster-app
+ storage:
+ storageClass: ceph-block
+ size: 10Gi
+ resources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ limits:
+ memory: 512Mi
+ plugins:
+ - enabled: true
+ name: barman-cloud.cloudnative-pg.io
+ isWALArchiver: true
+ parameters:
+ barmanObjectName: authentik-backup-store
+
+ - apiVersion: barmancloud.cnpg.io/v1
+ kind: ObjectStore
+ metadata:
+ name: authentik-backup-store
+ namespace: authentik
+ spec:
+ retentionPolicy: "30d"
+ configuration:
+ destinationPath: s3://postgresql-backups/authentik
+ endpointURL: http://rook-ceph-rgw-ceph-objectstore.rook-ceph.svc:80
+ s3Credentials:
+ accessKeyId:
+ name: authentik-pg-backup-creds
+ key: AWS_ACCESS_KEY_ID
+ secretAccessKey:
+ name: authentik-pg-backup-creds
+ key: AWS_SECRET_ACCESS_KEY
+ wal:
+ compression: bzip2
+ data:
+ compression: bzip2
+
+ - apiVersion: postgresql.cnpg.io/v1
+ kind: ScheduledBackup
+ metadata:
+ name: authentik-pg-backup
+ namespace: authentik
+ spec:
+ method: plugin
+ immediate: true
+ schedule: "0 30 3 * * *" # 03:30 daily
+ backupOwnerReference: self
+ cluster:
+ name: authentik-pg-cluster
+ pluginConfiguration:
+ name: barman-cloud.cloudnative-pg.io
+
+ - apiVersion: objectbucket.io/v1alpha1
+ kind: ObjectBucketClaim
+ metadata:
+ name: authentik-pg-backups
+ namespace: authentik
+ spec:
+ bucketName: postgresql-backups
+ storageClassName: ceph-bucket
+ additionalConfig:
+ maxSize: "50Gi"
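Review bot: The ObjectStore's `s3Credentials` reference a Secret named `authentik-pg-backup-creds` that nothing in this commit creates, while the ObjectBucketClaim at the end of the hunk provisions its bucket credentials under the claim's own name (Rook writes an OBC's Secret and ConfigMap as `authentik-pg-backups`, with the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` keys this configuration already expects). Unless `authentik-pg-backup-creds` is supplied from elsewhere, WAL archiving and the ScheduledBackup would fail on the missing Secret and the cluster would run without a working backup; changing both `name: authentik-pg-backup-creds` lines to `name: authentik-pg-backups` closes the gap. Those backups hold the full authentik database, including password hashes and tokens, and `endpointURL` is plain `http://` with no `encryption:` under `wal`/`data`, so the objects are stored unencrypted in the bucket; if the RGW supports server-side encryption, `encryption: AES256` in both stanzas is the one-line mitigation. Lastly, no `authentik.secret_key` is set in these values although authentik uses it as its signing key; if it is injected outside this file (an existing Secret or a `file://` source like the postgres fields), a comment pointing there would save the next reader a search.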