diff --git a/roles/authentik/defaults/main.yml b/roles/authentik/defaults/main.yml
index 2c22ebb..4c346e6 100644
--- a/roles/authentik/defaults/main.yml
+++ b/roles/authentik/defaults/main.yml
@@ -1,3 +1,33 @@
 #SPDX-License-Identifier: MIT-0
 ---
 # defaults file for authentik
+
+# Base directory configuration (inherited from base role or defined here)
+docker_compose_base_dir: /etc/docker/compose
+docker_volume_base_dir: /srv/data
+
+# Authentik-specific configuration
+authentik_service_name: authentik
+authentik_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ authentik_service_name }}"
+authentik_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ authentik_service_name }}"
+
+# Authentik service configuration
+authentik_domain: "authentik.local.test"
+authentik_image: "ghcr.io/goauthentik/server:2025.12.0"
+authentik_port: 9000
+authentik_secret_key: "changeme-generate-a-random-string"
+
+# PostgreSQL configuration
+authentik_postgres_image: "postgres:16-alpine"
+authentik_postgres_db: authentik
+authentik_postgres_user: authentik
+authentik_postgres_password: "changeme"
+
+# Traefik configuration
+authentik_traefik_network: "proxy"
+authentik_backend_network: "backend"
+authentik_use_ssl: true
+
+# Authentik environment settings
+authentik_log_level: "info"
+authentik_error_reporting_enabled: false
diff --git a/roles/authentik/tasks/main.yml b/roles/authentik/tasks/main.yml
index 28b2aa5..612a224 100644
--- a/roles/authentik/tasks/main.yml
+++ b/roles/authentik/tasks/main.yml
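Review bot: `authentik_secret_key` and `authentik_postgres_password` ship with working placeholder values, so a play that forgets to override them deploys an identity provider with a known signing key and database password instead of failing. Consider leaving those two keys out of defaults entirely (Ansible then aborts on the undefined variable when the template renders) or adding an `ansible.builtin.assert` in tasks/main.yml that fails while either still equals its placeholder, and extend the comment to say they are expected to come from a vaulted vars file. Pinning `authentik_image` and `authentik_postgres_image` to exact tags is good for reproducibility. `authentik_postgres_db` and `authentik_postgres_user` are the only string values left unquoted; harmless here, but one quoting style is easier to lint.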
@@ -1,3 +1,44 @@
 #SPDX-License-Identifier: MIT-0
 ---
 # tasks file for authentik
+
+- name: Create docker compose directory
+ file:
+ path: "{{ authentik_docker_compose_dir }}"
+ state: directory
+ mode: '0755'
+
+- name: Create authentik data directory
+ file:
+ path: "{{ authentik_docker_volume_dir }}/data"
+ state: directory
+ mode: '0755'
+
+- name: Create authentik certs directory
+ file:
+ path: "{{ authentik_docker_volume_dir }}/certs"
+ state: directory
+ mode: '0755'
+
+- name: Create authentik templates directory
+ file:
+ path: "{{ authentik_docker_volume_dir }}/templates"
+ state: directory
+ mode: '0755'
+
+- name: Create postgres data directory
+ file:
+ path: "{{ authentik_docker_volume_dir }}/postgresql"
+ state: directory
+ mode: '0755'
+
+- name: Create docker-compose file for authentik
+ template:
+ src: docker-compose.yml.j2
+ dest: "{{ authentik_docker_compose_dir }}/docker-compose.yml"
+ mode: '0644'
+
+- name: Start authentik containers
+ community.docker.docker_compose_v2:
+ project_src: "{{ authentik_docker_compose_dir }}"
+ state: present
diff --git a/roles/authentik/templates/docker-compose.yml.j2 b/roles/authentik/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..1b962de
--- /dev/null
+++ b/roles/authentik/templates/docker-compose.yml.j2
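Review bot: The rendered docker-compose.yml is written with `mode: '0644'`, and the template it comes from embeds `authentik_secret_key` and `authentik_postgres_password` in plain text, so every local account on the host can read both secrets; `mode: '0600'` (or `'0640'` with a group the compose user belongs to) is the safer default for that task. Consider `no_log: true` on the template task so the rendered content is not echoed in `--diff` runs, and an `ansible.builtin.assert` ahead of it that fails while either secret still equals its role default. The `certs` directory is created `0755` as well; if private keys are expected to land there, `0750` or `0700` limits who can traverse it. The `file` and `template` modules use short names while the compose module uses its FQCN; `ansible.builtin.file` and `ansible.builtin.template` keep the file consistent with ansible-lint's fqcn rule.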
@@ -0,0 +1,79 @@
+services:
+ postgres:
+ image: {{ authentik_postgres_image }}
+ restart: unless-stopped
+ environment:
+ POSTGRES_DB: {{ authentik_postgres_db }}
+ POSTGRES_USER: {{ authentik_postgres_user }}
+ POSTGRES_PASSWORD: {{ authentik_postgres_password }}
+ volumes:
+ - {{ authentik_docker_volume_dir }}/postgresql:/var/lib/postgresql/data
+ networks:
+ - {{ authentik_backend_network }}
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -d {{ authentik_postgres_db }} -U {{ authentik_postgres_user }}"]
+ start_period: 20s
+ interval: 30s
+ retries: 5
+ timeout: 5s
+
+ server:
+ image: {{ authentik_image }}
+ restart: unless-stopped
+ command: server
+ environment:
+ AUTHENTIK_SECRET_KEY: {{ authentik_secret_key }}
+ AUTHENTIK_POSTGRESQL__HOST: postgres
+ AUTHENTIK_POSTGRESQL__NAME: {{ authentik_postgres_db }}
+ AUTHENTIK_POSTGRESQL__USER: {{ authentik_postgres_user }}
+ AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_postgres_password }}
+ AUTHENTIK_LOG_LEVEL: {{ authentik_log_level }}
+ AUTHENTIK_ERROR_REPORTING__ENABLED: "{{ authentik_error_reporting_enabled | lower }}"
+ volumes:
+ - {{ authentik_docker_volume_dir }}/data:/data
+ - {{ authentik_docker_volume_dir }}/templates:/templates
+ depends_on:
+ postgres:
+ condition: service_healthy
+ networks:
+ - {{ authentik_backend_network }}
+ - {{ authentik_traefik_network }}
+ labels:
+ - traefik.enable=true
+ - traefik.docker.network={{ authentik_traefik_network }}
+ - traefik.http.routers.{{ authentik_service_name }}.rule=Host(`{{ authentik_domain }}`)
+{% if authentik_use_ssl %}
+ - traefik.http.routers.{{ authentik_service_name }}.entrypoints=websecure
+ - traefik.http.routers.{{ authentik_service_name }}.tls=true
+{% else %}
+ - traefik.http.routers.{{ authentik_service_name }}.entrypoints=web
+{% endif %}
+ - traefik.http.services.{{ authentik_service_name }}.loadbalancer.server.port={{ authentik_port }}
+
+ worker:
+ image: {{ authentik_image }}
+ restart: unless-stopped
+ command: worker
+ user: root
+ environment:
+ AUTHENTIK_SECRET_KEY: {{ authentik_secret_key }}
+ AUTHENTIK_POSTGRESQL__HOST: postgres
+ AUTHENTIK_POSTGRESQL__NAME: {{ authentik_postgres_db }}
+ AUTHENTIK_POSTGRESQL__USER: {{ authentik_postgres_user }}
+ AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_postgres_password }}
+ AUTHENTIK_LOG_LEVEL: {{ authentik_log_level }}
+ AUTHENTIK_ERROR_REPORTING__ENABLED: "{{ authentik_error_reporting_enabled | lower }}"
+ volumes:
+ - {{ authentik_docker_volume_dir }}/data:/data
+ - {{ authentik_docker_volume_dir }}/certs:/certs
+ - {{ authentik_docker_volume_dir }}/templates:/templates
+ depends_on:
+ postgres:
+ condition: service_healthy
+ networks:
+ - {{ authentik_backend_network }}
+
+networks:
+ {{ authentik_backend_network }}:
+ {{ authentik_traefik_network }}:
+ external: true
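Review bot: The secret values are substituted unquoted into YAML — `AUTHENTIK_SECRET_KEY: {{ authentik_secret_key }}` in both `server` and `worker`, and `POSTGRES_PASSWORD` / `AUTHENTIK_POSTGRESQL__PASSWORD` in all three services — so a generated secret that contains `: ` or ` #`, starts with `*`, `&`, `[` or `{`, or happens to be all digits will either break the rendered file or be retyped before Compose sees it; `AUTHENTIK_SECRET_KEY: {{ authentik_secret_key | to_json }}` emits a properly escaped double-quoted string and the same filter fits the password lines. Those values are also readable by anyone who can `docker inspect` the containers, so an `env_file` with a restrictive mode or Compose `secrets` would be tighter than inline `environment` entries. `worker` runs as `user: root`, yet nothing in this file mounts the Docker socket or otherwise shows why root is required; if it is not needed, drop the line, and if it is, a comment such as `# root required for: <reason>` would stop the next reviewer from removing it. When `authentik_use_ssl` is true the router gets `tls=true` but no certificate resolver label, so whether a real certificate is served depends on Traefik's entrypoint configuration outside this role — worth stating in a comment next to the `{% if %}` block.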