diff --git a/.forgejo/workflows/authentik.yaml b/.forgejo/workflows/authentik.yaml
new file mode 100644
index 0000000..5e389e6
--- /dev/null
+++ b/.forgejo/workflows/authentik.yaml
@@ -0,0 +1,43 @@
+on:
+  push:
+    branches:
+      - 'main'
+
+jobs:
+  authentik":
+    runs-on: docker
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          sparse-checkout: |
+            authentik"
+      - name: Setup OpenTofu
+        run: |
+          curl -fsSl https://get.opentofu.org/install-opentofu.sh -o /tmp/install-opentofu.sh
+          chmod +x /tmp/install-opentofu.sh
+          /tmp/install-opentofu.sh --install-method deb
+          rm -f /tmp/install-opentofu.sh
+      - name: Tofu init
+        working-directory: ${{ github.workspace }}/authentik"
+        run: |
+          export KUBE_CONFIG_PATH="/tmp/kubeconfig"
+          echo ${{ secrets.KUBE_CONFIG_BASE64 }} | base64 -d > ${KUBE_CONFIG_PATH}
+          export AUTHENTIK_TOKEN=${{ secrets.AUTHENTIK_TOKEN }}
+          export AUTHENTIK_URL="https://auth.lab.cowley.tech"
+          tofu init
+      - name: Tofu Plan
+        working-directory: ${{ github.workspace }}/authentik"
+        run: |
+          export KUBE_CONFIG_PATH="/tmp/kubeconfig"
+          echo ${{ secrets.KUBE_CONFIG_BASE64 }} | base64 -d > ${KUBE_CONFIG_PATH}
+          export AUTHENTIK_TOKEN=${{ secrets.AUTHENTIK_TOKEN }}
+          export AUTHENTIK_URL="https://auth.lab.cowley.tech"
+          tofu plan -out tfplan
+      - name: Tofu Apply
+        working-directory: ${{ github.workspace }}/authentik"
+        run: |
+          export KUBE_CONFIG_PATH="/tmp/kubeconfig"
+          echo ${{ secrets.KUBE_CONFIG_BASE64 }} | base64 -d > ${KUBE_CONFIG_PATH}
+          export AUTHENTIK_TOKEN=${{ secrets.AUTHENTIK_TOKEN }}
+          export AUTHENTIK_URL="https://auth.lab.cowley.tech"
+          tofu apply tfplan