diff --git a/inventories/vagrant/host_vars/backend/authentik.yml b/inventories/vagrant/host_vars/backend/authentik.yml
new file mode 100644
index 0000000..1a7633f
--- /dev/null
+++ b/inventories/vagrant/host_vars/backend/authentik.yml
@@ -0,0 +1,69 @@
+authentik_domain: authentik.local.test
+authentik_secret_key: "vagrant-test-secret-key-change-in-production"
+authentik_postgres_password: "vagrant-test-password"
+
+authentik_proxy_apps:
+- slug: httpbin
+ name: httpbin
+ internal_host: "http://httbin.local.test:80"
+ external_host: "https://httbin.local.test"
+ skip_path_regex: |
+ ^/healthz$
+ flows:
+ authentication_slug: default-authentication-flow
+ authorization_slug: default-provider-authorization-implicit-consent
+ invalidation_slug: default-provider-invalidation-flow
+
+authentik_proxy_outposts:
+ - name: "proxy-main"
+ type: "proxy"
+ service_connection: null
+ providers:
+ - httpbin
+ config:
+ authentik_host: "https://authentik.local.test/"
+ authentik_host_browser: "https://authentik.local.test/"
+ log_level: "info"
+
+authentik_oidc_apps:
+ - slug: nextcloud
+ name: Nextcloud
+ client_id_env: NEXTCLOUD_OIDC_CLIENT_ID
+ client_secret_env: NEXTCLOUD_OIDC_CLIENT_SECRET
+ redirect_uris:
+ - url: "https://nextcloud.local.test/login/generic_oauth"
+ matching_mode: strict
+ signing_key_name: "authentik Self-signed Certificate"
+ flows:
+ authorization_slug: default-provider-authorization-implicit-consent
+ invalidation_slug: default-provider-invalidation-flow
+ scopes: [openid, email, profile, offline_access]
+
+authentik_entra_sources:
+ - slug: entra-id
+ name: "Login with Entra"
+ tenant_mode: multi # Use 'single' with real tenant ID in production
+ # tenant_id_env: ENTRA_TENANT_ID # Not needed for multi-tenant mode
+ client_id_env: ENTRA_CLIENT_ID
+ client_secret_env: ENTRA_CLIENT_SECRET
+ scopes:
+ - openid
+ - profile
+ - email
+
+authentik_login_sources:
+ - slug: entra-id
+
+authentik_local_users:
+ - username: akadmin
+ name: "Authentik Admin"
+ email: "admin@local.test"
+ password_env: AKADMIN_PASSWORD
+ is_active: true
+ groups:
+ - authentik Admins
+
+authentik_blueprint_env:
+ AKADMIN_PASSWORD: "admin"
+ NEXTCLOUD_OIDC_CLIENT_ID: test1234
+ NEXTCLOUD_OIDC_CLIENT_SECRET: test1234
\ No newline at end of file
diff --git a/playbooks/site.yml b/playbooks/site.yml
index 68abc5e..ffbb9c4 100644
--- a/playbooks/site.yml
+++ b/playbooks/site.yml
@@ -35,6 +35,12 @@ roles: - digitalboard.core.nextcloud
+- name: Deploy authentik service
+ hosts: authentik_servers
+ become: yes
+ roles:
+ - digitalboard.core.authentik
+
+- name: Configure reverse proxy on DMZ servers
+ hosts: traefik_servers_dmz
+ become: yes
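Review bot: `skip_path_regex: |` on the httpbin proxy app keeps the block scalar's trailing newline, so the value handed to authentik is `^/healthz$` followed by an empty line; authentik documents this field as one regular expression per line, and if the empty trailing line is not discarded it is a regex that matches every path, which would exempt the whole app from authentication — write `skip_path_regex: |-` (or a plain quoted string) so only the health-check path is skipped. In the same app, `internal_host` and `external_host` both read `httbin.local.test` while the slug and name are `httpbin`, which looks like a dropped `p` that would break the DNS/certificate match — worth confirming. `authentik_secret_key`, `authentik_postgres_password` and the `authentik_blueprint_env` credentials (`AKADMIN_PASSWORD: "admin"`, `NEXTCLOUD_OIDC_CLIENT_SECRET: test1234`) are committed in plaintext; that is tolerable for a throwaway Vagrant box, but the signing secret and admin password should at least come from `ansible-vault` or `lookup('env', ...)` so this file cannot be copied into a real inventory unchanged. Note also that `tenant_mode: multi` on the Entra source, which `authentik_login_sources` exposes on the login page, accepts sign-ins from any Entra tenant, as the inline comment already warns; how those identities are enrolled or mapped is decided by the role rather than this file, so confirm enrollment is restricted before the pattern is reused outside Vagrant.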