diff --git a/dmz/traefik/templates/authentik.yaml b/dmz/traefik/templates/authentik.yaml
new file mode 100644
index 0000000..7032b47
--- /dev/null
+++ b/dmz/traefik/templates/authentik.yaml
@@ -0,0 +1,30 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: authentik-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`test.durp.info`) && PathPrefix(`/`) 
+    kind: Rule
+    services:
+    - name: authentik-server
+      port: 443
+  tls:
+    secretName: authentik-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: authentik-tls
+spec:
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  secretName: authentik-tls
+  commonName: "test.durp.info"
+  dnsNames:
+  - "test.durp.info"
diff --git a/dmz/traefik/templates/config.yaml b/dmz/traefik/templates/config.yaml
index 56f5d17..e386cb0 100644
--- a/dmz/traefik/templates/config.yaml
+++ b/dmz/traefik/templates/config.yaml
@@ -5,15 +5,8 @@ metadata:
 data:
   traefik.yaml: |
     http:
-      routers:
-        router0:
-          entryPoints:
-          - web
-          service: service-foo
-          rule: host(`test.durp.info`)
-
       services:
-        service-foo:
+        authentik-service:
           loadBalancer:
             servers:
             - url: https://google.com