diff --git a/flake.nix b/flake.nix
index 6135b69..81d4a40 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,7 +22,13 @@
 lanzaboote = {
 url = "github:nix-community/lanzaboote/v0.4.1";
- inputs.nixpkgs.follows = "nixpkgs-stable";
+ inputs.nixpkgs.follows = "nixpkgs-unstable";
+ };
+
+ authentik-nix = {
+ url = "github:nix-community/authentik-nix";
+ inputs.nixpkgs.follows = "nixpkgs-unstable";
+ # inputs.flake-parts.follows
 };
 tmux-yank = {
@@ -34,6 +40,7 @@
 outputs = inputs@{
 self,
+ authentik-nix,
 flake-utils,
 lanzaboote,
 microvm,
@@ -90,6 +97,7 @@
 specialArgs = { inherit inputs; };
 modules = [
 sops-nix.nixosModules.sops
+ microvm.nixosModules.host
 ./hosts/minime
 ./modules/basic-tools
@@ -98,7 +106,20 @@
 ./modules/wg
 ];
 };
+
+ authentik = nixpkgs-stable.lib.nixosSystem {
+ system = "x84_64-linux";
+ specialArgs = { inherit inputs; };
+ modules = [
+ sops-nix.nixosModules.sops
+ microvm.nixosModules.microvm
+ authentik-nix.nixosModules.default
+
+ ./microvms/authentik
+ ./modules/server
 };
+
+
 hydraJobs = let
 get-toplevel = (
diff --git a/hosts/minime/default.nix b/hosts/minime/default.nix
index 3b679be..95f1f6b 100644
--- a/hosts/minime/default.nix
+++ b/hosts/minime/default.nix
@@ -3,7 +3,7 @@
 imports = [
 ./configuration.nix
 ./hardware-configuration.nix
- ./networking.nix
+ ./networking
 ./secrets.nix
 ./zfs.nix
 ];
diff --git a/hosts/minime/networking/default.nix b/hosts/minime/networking/default.nix
new file mode 100644
index 0000000..b1c044f
--- /dev/null
+++ b/hosts/minime/networking/default.nix
@@ -0,0 +1,24 @@
+{ ... }: {
+ imports = [
+ ./uplink.nix
+ ./uvm.nix
+ ];
+
+ networking.hostName = "minime"; # Define your hostname.
+ networking.useNetworkd = true;
+ networking.firewall.enable = true;
+
+ services.resolved = {
+ enable = true;
+ dnssec = "false";
+ fallbackDns = [
+ "9.9.9.9"
+ "2620:fe::fe"
+ "149.112.112.112"
+ "2620:fe::9"
+ ];
+ };
+
+ systemd.network.enable = true;
+
+}
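Review bot: The new `authentik-nix` input is added without a ref or rev (`url = "github:nix-community/authentik-nix";`), unlike the sibling `lanzaboote` input pinned to `v0.4.1`, so it tracks the default branch and moves on every `nix flake update`; pin it the same way, e.g. `url = "github:nix-community/authentik-nix/<tag-or-rev>";` (placeholder). No `flake.lock` hunk appears in this diff, so unless the lock is committed separately the new input and the changed `lanzaboote` follows are not locked to anything. The dangling `# inputs.flake-parts.follows` line should either become a real `inputs.flake-parts.follows = "...";` binding or be removed, since a half-written commented option is easy to misread as active.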
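Review bot: The added `authentik` system sets `system = "x84_64-linux";`, which is not a valid Nix system string and will fail evaluation; it should read `system = "x86_64-linux";`. The `modules = [` list opened in the same block is never closed: after `./modules/server` the next line is the pre-existing context `};`, so a `];` line is missing and flake.nix as patched will not parse (the collapsed layout of this hunk makes that hard to be certain of, so check with `nix flake check`). The system is also built from `nixpkgs-stable` while the inputs hunk makes `authentik-nix` follow `nixpkgs-unstable`; if mixing the two is intentional, a short comment saying why would help the next reader.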
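Review bot: `dnssec = "false";` turns off DNSSEC validation in resolved for the whole host with no stated reason, even though the listed fallback resolvers (Quad9) are DNSSEC-validating; consider `dnssec = "allow-downgrade";` so validation is used where the upstream supports it, or add a comment with the reason, e.g. `# DNSSEC off: <reason>`. The `# Define your hostname.` remark is a leftover from the generated template and can be dropped. `networking.firewall.enable = true;` is set here, but no rules scoped to the new `uvm-br` bridge from uvm.nix are visible in this diff; if guest traffic on that segment is meant to be confined, those rules belong alongside this file.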
diff --git a/hosts/minime/networking.nix b/hosts/minime/networking/uplink.nix
similarity index 100%
rename from hosts/minime/networking.nix
rename to hosts/minime/networking/uplink.nix
diff --git a/hosts/minime/networking/uvm.nix b/hosts/minime/networking/uvm.nix
new file mode 100644
index 0000000..15e498e
--- /dev/null
+++ b/hosts/minime/networking/uvm.nix
@@ -0,0 +1,19 @@
+{ ... }: {
+ systemd.network = {
+ netdevs."10-uvm-br" = {
+ netdevConfig = {
+ Kind = bridge;
+ Name = "uvm-br";
+ };
+ };
+
+ networks."10-uvm-br" = {
+ matchConfig.Name = "uvm-br";
+ networkConfig = {
+ DHCPServer = false;
+ IPv6SendRA = true;
+ };
+ Address = [ ];
+ };
+ };
+}
diff --git a/microvms/authentik/default.nix b/microvms/authentik/default.nix
new file mode 100644
index 0000000..e69de29
diff --git a/modules/wg/module.nix b/modules/wg/module.nix
index c27f325..4f53ab7 100644
--- a/modules/wg/module.nix
+++ b/modules/wg/module.nix
@@ -1,8 +1,6 @@
 {
 lib,
 config,
- self,
- registry,
 ...
 }: {
diff --git a/modules/wg/proxy.nix b/modules/wg/proxy.nix
index 78f78bb..4151d59 100644
--- a/modules/wg/proxy.nix
+++ b/modules/wg/proxy.nix
@@ -23,6 +23,14 @@
 publicIface = "enp1s0";
 };
 };
+ "authentik" = {
+ address = [
+ "10.89.88.2/24"
+ "fd31:185d:722f::2/48"
+ ];
+ publicKey = "";
+ privateKeyFile = config.sops.secrets."wg/0xa-proxy".path;
+ };
 };
 }
 ];
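Review bot: `Kind = bridge;` is a bare identifier rather than a string, so Nix will fail with an undefined variable `bridge` unless something in scope binds that name; it should be `Kind = "bridge";`. `Address = [ ];` sits at the network level rather than inside `networkConfig` and is capitalised, while the NixOS option at that level is the lowercase `address`, so I would expect an "option does not exist" error as written; worth confirming on evaluation. With no address configured and `IPv6SendRA = true`, the bridge would advertise nothing, so the intended prefix for the microVM segment should be filled in here once it is decided.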
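Review bot: `publicKey = "";` in the new `"authentik"` peer is an empty placeholder; WireGuard rejects an empty key when the configuration is applied, so this entry will break activation of the tunnel (or, if the surrounding module skips it, silently leave the peer unconfigured) until the real peer key is filled in. `privateKeyFile = config.sops.secrets."wg/0xa-proxy".path;` names a secret that reads like the proxy's own key rather than one for this host; if the same private key is shared by two endpoints, each should get its own key pair, since WireGuard identifies peers by key. The `/48` on `fd31:185d:722f::2/48` is a site-sized prefix on an interface address while the IPv4 side uses a `/24`, so confirm the intended on-link prefix (commonly `/64`) before deploying.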