diff --git a/nixos/hephaestus/authentik.nix b/nixos/hephaestus/authentik.nix
new file mode 100644
index 0000000..75cda66
--- /dev/null
+++ b/nixos/hephaestus/authentik.nix
@@ -0,0 +1,25 @@
+{ config, pkgs, ... }: {
+ environment.systemPackages = with pkgs; [
+ nginx
+ authentik
+ ];
+ services.authentik = {
+ enable = true;
+ # The environmentFile needs to be on the target host!
+ # Best use something like sops-nix or agenix to manage it
+ environmentFile = "/run/secrets/authentik/authentik-env";
+ settings = {
+ #email = {
+ # host = "smtp.example.com";
+ # port = 587;
+ # username = "authentik@example.com";
+ # use_tls = true;
+ # use_ssl = false;
+ # from = "authentik@example.com";
+ #};
+ disable_startup_analytics = true;
+ avatars = "initials";
+ };
+ };
+}
+
diff --git a/nixos/hephaestus/flake.nix b/nixos/hephaestus/flake.nix
index 5aedd9a..b931b93 100644
--- a/nixos/hephaestus/flake.nix
+++ b/nixos/hephaestus/flake.nix
@@ -4,6 +4,13 @@
 inputs = {
 # NixOS official package source, using the nixos-24.11 branch here
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+ authentik-nix = {
+ url = "github:nix-community/authentik-nix";
+
+ ## optional overrides. Note that using a different version of nixpkgs can cause issues, especially with python dependencies
+ # inputs.nixpkgs.follows = "nixpkgs"
+ # inputs.flake-parts.follows = "flake-parts"
+ };
 };
 
 outputs = { self, nixpkgs, ... }@inputs: {
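Review bot: Listing `nginx` and `authentik` in `environment.systemPackages` only puts the binaries on PATH; it starts no reverse proxy, so nothing in this file terminates TLS in front of the identity provider, and `pkgs.authentik` from nixpkgs may be a different build than the one the authentik-nix module runs. I would drop both entries and declare the proxy explicitly, for example through the module's nginx options (`services.authentik.nginx = { enable = true; enableACME = true; host = "<auth-hostname>"; };`, option names to be confirmed against the locked module revision). The `environmentFile` comment should also say what the file must contain and how it is protected, e.g. `# must define AUTHENTIK_SECRET_KEY; root-readable only, provisioned by sops-nix/agenix, never placed in the Nix store`.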
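Review bot: The new `authentik-nix` input in flake.nix tracks the repository's default branch, so the version of the host's identity provider changes whenever `nix flake update` rewrites the lock file. Pinning the input to a release ref makes an upgrade a reviewed change, e.g. `url = "github:nix-community/authentik-nix/<release-ref>";` (placeholder; take the ref from the project's releases). The two commented `follows` lines lack the trailing `;` and would not evaluate if uncommented as written. The hunk ends at the `outputs` line, so it is not visible here whether `inputs.authentik-nix.nixosModules.default` is added to the host's modules; `services.authentik` in authentik.nix presumably depends on that.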