diff --git a/hosts/franz/arion/auth/arion-compose.nix b/hosts/franz/arion/auth/arion-compose.nix
new file mode 100644
index 0000000..eed03b3
--- /dev/null
+++ b/hosts/franz/arion/auth/arion-compose.nix
@@ -0,0 +1,129 @@
+{pkgs, ...}: let
+ authentikImage = "ghcr.io/goauthentik/server:2024.4.1";
+in {
+ project.name = "auth";
+
+ networks.dmz = {
+ name = "dmz";
+ external = true;
+ };
+ networks.internal = {};
+
+ services = {
+ authentik.service = {
+ image = authentikImage;
+ container_name = "authentik";
+ labels = {
+ "traefik.enable" = "true";
+
+ "traefik.http.services.authentik.loadbalancer.server.port" = "9000";
+ "traefik.http.routers.authentik.service" = "authentik";
+ "traefik.http.routers.authentik.rule" = "Host(`auth.ghoscht.com`)";
+ "traefik.http.routers.authentik.entrypoints" = "websecure";
+ "traefik.http.routers.authentik.tls" = "true";
+ "traefik.http.routers.authentik.tls.certresolver" = "letsencrypt";
+
+ "traefik.http.services.authentik-external.loadbalancer.server.port" = "9000";
+ "traefik.http.routers.authentik-external.service" = "authentik-external";
+ "traefik.http.routers.authentik-external.rule" = "Host(`auth.ghoscht.com`)";
+ "traefik.http.routers.authentik-external.entrypoints" = "websecure-external";
+ "traefik.http.routers.authentik-external.tls" = "true";
+ "traefik.http.routers.authentik-external.tls.certresolver" = "letsencrypt";
+ };
+ command = "server";
+ environment = {
+ AUTHENTIK_REDIS__HOST = "redis";
+ AUTHENTIK_POSTGRESQL__HOST = "postgres";
+ AUTHENTIK_ERROR_REPORTING__ENABLED = "true";
+ };
+ env_file = [
+ "/home/ghoscht/.docker/auth/authentik.env"
+ ];
+ dns = ["1.1.1.1"];
+ restart = "always";
+ depends_on = {
+ redis = {condition = "service_healthy";};
+ postgres = {condition = "service_healthy";};
+ };
+ volumes = [
+ "/storage/dataset/docker/auth/authentik_media:/media"
+ "/storage/dataset/docker/auth/authentik_custom_templates:/templates"
+ ];
+ networks = [
+ "dmz"
+ "internal"
+ ];
+ };
+ worker.service = {
+ image = authentikImage;
+ command = "worker";
+ environment = {
+ AUTHENTIK_REDIS__HOST = "redis";
+ AUTHENTIK_POSTGRESQL__HOST = "postgres";
+ AUTHENTIK_ERROR_REPORTING__ENABLED = "true";
+ };
+ env_file = [
+ "/home/ghoscht/.docker/auth/authentik.env"
+ ];
+ dns = ["1.1.1.1"];
+ depends_on = {
+ redis = {condition = "service_healthy";};
+ postgres = {condition = "service_healthy";};
+ };
+ volumes = [
+ "/var/run/docker.sock:/var/run/docker.sock"
+ "/storage/dataset/docker/auth/authentik_media:/media"
+ "/storage/dataset/docker/auth/authentik_custom_templates:/templates"
+ ];
+ restart = "always";
+ user = "root";
+ networks = [
+ "internal"
+ ];
+ };
+ redis.service = {
+ image = "redis:7.2.4";
+ command = "--save 60 1 --loglevel warning";
+ healthcheck = {
+ test = [
+ "CMD-SHELL"
+ "redis-cli ping | grep PONG"
+ ];
+ start_period = "20s";
+ interval = "30s";
+ retries = 5;
+ timeout = "5s";
+ };
+ restart = "always";
+ volumes = [
+ "/storage/dataset/docker/auth/redis_data:/data"
+ ];
+ networks = [
+ "internal"
+ ];
+ };
+ postgres.service = {
+ image = "postgres:12.18";
+ restart = "always";
+ env_file = [
+ "/home/ghoscht/.docker/auth/postgres.env"
+ ];
+ volumes = [
+ "/storage/dataset/docker/auth/postgres_data:/var/lib/postgresql/data"
+ ];
+ healthcheck = {
+ test = [
+ "CMD-SHELL"
+ "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"
+ ];
+ start_period = "20s";
+ interval = "30s";
+ retries = 5;
+ timeout = "5s";
+ };
+ networks = [
+ "internal"
+ ];
+ };
+ };
+}
diff --git a/hosts/franz/arion/auth/arion-pkgs.nix b/hosts/franz/arion/auth/arion-pkgs.nix
new file mode 100644
index 0000000..69aad13
--- /dev/null
+++ b/hosts/franz/arion/auth/arion-pkgs.nix
@@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import {
+ # We specify the architecture explicitly. Use a Linux remote builder when
+ # calling arion from other platforms.
+ system = "x86_64-linux";
+}
diff --git a/hosts/franz/arion/auth/default.nix b/hosts/franz/arion/auth/default.nix
new file mode 100644
index 0000000..90afd04
--- /dev/null
+++ b/hosts/franz/arion/auth/default.nix
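Review bot: The `worker.service` bind-mounts `/var/run/docker.sock` and additionally sets `user = "root"`, which gives that container full control of the Docker daemon and therefore root on the host; a compromise of the worker becomes a host compromise rather than a container compromise. If the socket is only needed for authentik's managed outposts, consider placing a filtering socket proxy between the worker and the daemon, and if outposts are not used, drop the mount and the `user = "root"` line entirely; either way the reason for the mount deserves a comment next to it. `AUTHENTIK_ERROR_REPORTING__ENABLED = "true"` presumably opts the deployment into sending crash reports to the vendor, which should be a conscious choice documented inline. The `environment` set is duplicated verbatim in `authentik.service` and `worker.service` and the env-file path `/home/ghoscht/.docker/auth/authentik.env` is hard-coded here while `default.nix` derives the same path from `vars.user`; lifting both into the `let` next to `authentikImage` would keep them from drifting apart.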
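Review bot: The second line of `arion-pkgs.nix` reads `import {` with no path argument, which is not valid Nix; given the comment above it, the argument is presumably `<nixpkgs>` and the angle brackets were lost when the page was rendered, but the committed file is worth checking. If it is `<nixpkgs>`, the comment could also state that evaluation follows whatever channel the host's NIX_PATH points to, so the result is not reproducible across hosts.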
@@ -0,0 +1,45 @@
+{config, ...}: let
+ vars = import ../../../../vars.nix;
+in {
+ virtualisation.arion = {
+ projects.auth.settings = {
+ imports = [./arion-compose.nix];
+ };
+ };
+
+ sops.secrets."auth/postgres_db" = {
+ owner = vars.user;
+ };
+ sops.secrets."auth/postgres_user" = {
+ owner = vars.user;
+ };
+ sops.secrets."auth/postgres_pw" = {
+ owner = vars.user;
+ };
+ sops.secrets."auth/authentik_secret_key" = {
+ owner = vars.user;
+ };
+
+ sops.templates."postgres.env" = {
+ path = "/home/${vars.user}/.docker/auth/postgres.env";
+ owner = vars.user;
+ mode = "0775";
+ content = ''
+ POSTGRES_PASSWORD="${config.sops.placeholder."auth/postgres_pw"}"
+ POSTGRES_USER="${config.sops.placeholder."auth/postgres_user"}"
+ POSTGRES_DB="${config.sops.placeholder."auth/postgres_db"}"
+ '';
+ };
+
+ sops.templates."authentik.env" = {
+ path = "/home/${vars.user}/.docker/auth/authentik.env";
+ owner = vars.user;
+ mode = "0775";
+ content = ''
+ AUTHENTIK_POSTGRESQL__PASSWORD="${config.sops.placeholder."auth/postgres_pw"}"
+ AUTHENTIK_POSTGRESQL__USER="${config.sops.placeholder."auth/postgres_user"}"
+ AUTHENTIK_POSTGRESQL__NAME="${config.sops.placeholder."auth/postgres_db"}"
+ AUTHENTIK_SECRET_KEY="${config.sops.placeholder."auth/authentik_secret_key"}"
+ '';
+ };
+}
diff --git a/hosts/franz/arion/default.nix b/hosts/franz/arion/default.nix
index 8f3a00d..999f309 100644
--- a/hosts/franz/arion/default.nix
+++ b/hosts/franz/arion/default.nix
@@ -20,6 +20,7 @@
 ./feed
 ./matrix
 ./headscale
+ ./auth
 ];
 environment.systemPackages = with pkgs; [arion];
diff --git a/hosts/franz/restic.nix b/hosts/franz/restic.nix
index ceba489..95f6c72 100644
--- a/hosts/franz/restic.nix
+++ b/hosts/franz/restic.nix
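Review bot: `mode = "0775"` on both `sops.templates` leaves the rendered `postgres.env` and `authentik.env` — which carry the PostgreSQL password and `AUTHENTIK_SECRET_KEY` in clear text — readable by every local user, group-writable, and executable for no reason. The files are owned by `vars.user`, and whoever runs arion (root through the systemd unit, or that user by hand) can read an owner-only file, so `mode = "0400";` is sufficient for both templates. The same hunk spells the path as `/home/${vars.user}/.docker/auth/...` while `arion-compose.nix` hard-codes `/home/ghoscht/.docker/auth/...` in its `env_file` entries; if `vars.user` ever differs, Compose will fail on a missing env file, so a comment tying the two together (or a shared binding) would help.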
@@ -186,6 +186,17 @@ in {
 - arion -f ${arionPath}/headscale/arion-compose.nix -p ${arionPath}/headscale/arion-pkgs.nix stop
 after:
 - arion -f ${arionPath}/headscale/arion-compose.nix -p ${arionPath}/headscale/arion-pkgs.nix start
+ auth:
+ from: /storage/dataset/docker/auth
+ to:
+ - zfs
+ - eustachius
+ cron: '0 4 * * 0' # Every Sunday at 4:00
+ hooks:
+ before:
+ - arion -f ${arionPath}/auth/arion-compose.nix -p ${arionPath}/auth/arion-pkgs.nix stop
+ after:
+ - arion -f ${arionPath}/auth/arion-compose.nix -p ${arionPath}/auth/arion-pkgs.nix start
 backends:
 zfs:
 type: local
diff --git a/secrets/franz.yaml b/secrets/franz.yaml
index 3d8554a..be69107 100644
--- a/secrets/franz.yaml
+++ b/secrets/franz.yaml
@@ -37,6 +37,11 @@ matrix:
 postgres_password: ENC[AES256_GCM,data:sKlU4HKDDNERv4LZK9/M2+kvnNht1uxQ7+pQSIZWPkk=,iv:fD98XPUMjo+eZOmE/cVOh5TFkmTY/KDCjfZcf5fSWOg=,tag:B5zsxgjvs7+czDWcCst/eg==,type:str]
 dyndns:
 cloudflare_api_key: ENC[AES256_GCM,data:O8biURYpw+joKm5A+7E9ARKlFRcnwFaqrbLPHevOXvYTFED1NdMSGQ==,iv:Vm1DreqdaFd1owN7zci242gzpGEZqE57Yn9XAzVxXoQ=,tag:KdQtVvZCypAYIghtuM5kjw==,type:str]
+auth:
+ postgres_db: ENC[AES256_GCM,data:zRDkvA5+p57YMW/J,iv:2LQ5f+uZ15rd6b+c/z9iaVrRNrtMnjj411guxzOke+c=,tag:5VgnajLXvte6FHKNM+mRsw==,type:str]
+ postgres_user: ENC[AES256_GCM,data:Cuw3XEY419FOoguYvyQ=,iv:spERtcJschAfYKjH2W5mgcDbPM2O3GT39lCbcfSK60Y=,tag:nT2LOywbjtSIqSiyPgA2Mw==,type:str]
+ postgres_pw: ENC[AES256_GCM,data:k22Pg9tU9eH//wf0lRDs0hEnW17EHlbnBUAOosHjUSxDcYzNSvltdpqcYN/Y00E9,iv:/EaIzuiJIWmdGDZ9gJYpscjss7xaxpmvyxxe+L5XSJM=,tag:Ny9oUEf9dKvn/kNGp7nKtw==,type:str]
+ authentik_secret_key: ENC[AES256_GCM,data:IBO3ROfj4Mso5/MGQZsS0fVDcqj9XhD74tDWPpDLmcgdYx59p2R3jVwIhxgj0yWiga03UBvXECVSIjTAcPuhX2uBG6DsbyUmI2T2GOi1,iv:U6bRXxDg9rWS34krp2WTGSZ9QWX0p5MK8Q7ETCONjNA=,tag:RAIHwCg8xcXsbniOGaX9tQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
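Review bot: The `before` hook stops the entire auth project, including the authentik server, so every service that authenticates through it is unavailable for the whole Sunday-04:00 run; that may be intended, but it deserves a comment next to `cron` so the outage window is not rediscovered later. `arion ... stop` relies on Compose's stop behaviour (SIGTERM, then SIGKILL after the default grace period), and a PostgreSQL shutdown that takes longer than that grace period would leave `postgres_data` in a crash-recovery state in the snapshot; consider a longer `stop_grace_period` on the postgres service in `arion-compose.nix`, or a `pg_dump` step in the hook, and a comment on why file-level copy of the data directory is considered sufficient. The enclosing backup attribute set starts outside the hunk.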
@@ -52,8 +57,8 @@ sops:
 VUUxcEhvYi8zeXlCUUViUTl0eWdhcU0KXOfbnDc+zc8lnBcyEAV5EiJSjcSU6AgI
 EfeRw8qVqwChrYn1agslcNnDbE0WQsOCBuA6cE4V3kRofp9HU949ig==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-05-01T14:35:26Z"
- mac: ENC[AES256_GCM,data:w7CK7SSvG3/vgpSwW3F3n/FRpm797pYcYs6sy46qBZffpyi4lSS0e1bnqqIcHxBWP8EWXHJwXIA+eyzpdH9UhUbJ/B7ZSaK0rQC6rp9CIIw5+R1js3ccV/ByOjgzz/fhTWGiYp15sm5d/CjZGq99+kME4LOWkkmE/UTevivFbn8=,iv:VzHl8Vn4D7bHe3LY+GjBHKYmiYIRSkThsl1aky/B7AM=,tag:K+8sQ9AMzADuBHulFauB+g==,type:str]
+ lastmodified: "2024-05-03T09:07:25Z"
+ mac: ENC[AES256_GCM,data:0dWibOxEX8UaXDZSYuSZDuAZch6E6+MIfOz/3QtTt3aQI8R0ySDlEYVTbDEa9IHpjQExDJTeGDrpdRBswOEAIJS1tNDY8SG2RVQagT5STbKx/FX8x55CeWWfh12KkSCvkANBvT0O3jkhVlGcMZPSthrBGm8jwDYte4cc09oZDGA=,iv:5ECpNjHTnXPZcLf/pOYZJ/yEnbIdIbJ5wzVCzDu4G0A=,tag:4YT2oMUgXFQm2sR6X/apXA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1