diff --git a/hosts/koi/containers/authentik/default.nix b/hosts/koi/containers/authentik/default.nix
new file mode 100644
index 0000000..b0236e8
--- /dev/null
+++ b/hosts/koi/containers/authentik/default.nix
@@ -0,0 +1,77 @@
+{ abs, pkgs, config, ... }@inputs:
+
+let 
+  secrets = import (abs "lib/secrets.nix");
+
+  UID = 1110;
+  sharedConfig = {
+    image = "ghcr.io/goauthentik/server:2024.8.2";
+    dependsOn = [ "authentik-redis" ];
+    environment = {
+      AUTHENTIK_POSTGRESQL__HOST = "172.17.0.1";
+      AUTHENTIK_POSTGRESQL__USER = "authentik";
+      AUTHENTIK_POSTGRESQL__PASSWORD = "authentik";
+      AUTHENTIK_POSTGRESQL__NAME = "authentik";
+      AUTHENTIK_REDIS__HOST = "authentik-redis.docker";
+    };
+    volumes = [
+      "/mnt/puffer/authentik/media:/media"
+      "/mnt/puffer/authentik/templates:/templates"
+    ];
+    user = builtins.toString UID;
+    environmentFiles = [
+      (secrets.file config "authentik-env")
+    ];
+  };
+in {
+  imports = [
+    # email related + AUTHENTIK_SECRET_KEY
+    (secrets.declare [{
+      name = "authentik-env";
+      owner = "authentik";
+    }])
+  ];
+
+  users.users.authentik = {
+    isNormalUser = true;
+    uid = UID;
+  };
+
+  services.postgresql.ensureUsers = [
+    { name = "authentik"; ensureDBOwnership = true; }
+  ];
+  services.postgresql.ensureDatabases = [ "authentik" ];
+  desu.postgresql.ensurePasswords.authentik = "authentik";
+
+  virtualisation.oci-containers.containers.authentik-redis = {
+    image = "docker.io/redis:7.0-alpine";
+    volumes = [
+      "/mnt/puffer/authentik/redis:/data"
+    ];
+    user = builtins.toString UID;
+  };
+
+  virtualisation.oci-containers.containers.authentik-server = sharedConfig // {
+    cmd = [ "server" ];
+  };
+  systemd.services.docker-authentik-server.after = [ "postgresql.service" ];
+
+  virtualisation.oci-containers.containers.authentik-worker = sharedConfig // {
+    cmd = [ "worker" ];
+  };
+  systemd.services.docker-authentik-worker.after = [ "postgresql.service" ];
+
+  systemd.tmpfiles.rules = [
+    "d /mnt/puffer/authentik 0777 root root -"
+  ];
+
+  services.nginx.virtualHosts."id.stupid.fish" = {
+    forceSSL = true;
+    useACMEHost = "stupid.fish";
+
+    locations."/" = {
+      proxyPass = "http://authentik-server.docker:9000$request_uri";
+      proxyWebsockets = true;
+    };
+  };
+}
\ No newline at end of file
diff --git a/secrets/authentik-env.age b/secrets/authentik-env.age
new file mode 100644
index 0000000..e2ca917
Binary files /dev/null and b/secrets/authentik-env.age differ