diff --git a/dns/services.json b/dns/services.json
index 120b940..2212367 100644
--- a/dns/services.json
+++ b/dns/services.json
@@ -4,6 +4,11 @@
     "domain": "serguzim.me",
     "host": "node002"
   },
+  "auth": {
+    "target": "auth",
+    "domain": "serguzim.me",
+    "host": "node002"
+  },
   "faas": {
     "target": "faas",
     "domain": "serguzim.me",
diff --git a/dnsconfig.js b/dnsconfig.js
index c72bb4e..9285cea 100644
--- a/dnsconfig.js
+++ b/dnsconfig.js
@@ -72,6 +72,7 @@ D("serguzim.me", REG_OVH, DnsProvider(DSP_OVH),
     TLSA("_25._tcp.mail", 3, 1, 1, "e66a608a3ec459bda7fb1f2d500b8abeb78f2910f26641204b6bc454b8aa2a49"),
 
     acme_challenge("db", "ca2c86c0-ff3d-458a-89e0-11bcfd2543e4"),
+    acme_challenge("auth", "18a42983-3d19-4c17-8213-fc275a8be721"),
 
     verify_amazon_ses([
         "dd4g333vxgahaf3rh3dafdx6g7kq7t7z",
diff --git a/roles/authentik/vars/main.yml b/roles/authentik/vars/main.yml
index fe7c4ca..178b0e1 100644
--- a/roles/authentik/vars/main.yml
+++ b/roles/authentik/vars/main.yml
@@ -47,6 +47,7 @@ authentik_compose:
       user: root
       volumes:
         - /var/run/docker.sock:/var/run/docker.sock
+        - ./certs:/certs
       env_file:
         - service.env
       depends_on:
diff --git a/roles/lego/files/node002/auth.serguzim.me b/roles/lego/files/node002/auth.serguzim.me
new file mode 100755
index 0000000..0f8fcea
--- /dev/null
+++ b/roles/lego/files/node002/auth.serguzim.me
@@ -0,0 +1,12 @@
+#!/usr/bin/env sh
+
+domain="auth.serguzim.me"
+
+_install() {
+    install --owner=root --group=root --mode=600 \
+        "$CERTIFICATES_PATH/$domain.$1" \
+        "/opt/services/authentik/certs/$domain.$2"
+}
+
+_install crt pem
+_install key key
diff --git a/roles/lego/tasks/systemd.yml b/roles/lego/tasks/systemd.yml
index 0c3e56a..dec3732 100644
--- a/roles/lego/tasks/systemd.yml
+++ b/roles/lego/tasks/systemd.yml
@@ -20,4 +20,5 @@
     loop:
       - msrg.cc
       - db.serguzim.me
+      - auth.serguzim.me
 become: true
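Review bot: The new `./certs:/certs` bind mount in roles/authentik/vars/main.yml is read-write, yet the container only needs to read the certificate and key that the lego hook installs there, and this service already runs as `user: root` with the Docker socket mounted, so a compromise of it could overwrite the host-side key material. Mounting it read-only, `- ./certs:/certs:ro`, keeps the host copy (installed with mode 600 by the lego hook) as the single writable source. The lego hook writes to `/opt/services/authentik/certs`, so I assume `./certs` resolves to that directory from the compose working directory — worth confirming, since a mismatch would silently leave `/certs` empty. The `authentik_compose` mapping starts before this hunk.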
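Review bot: The new hook roles/lego/files/node002/auth.serguzim.me has no `set -eu`, so if `CERTIFICATES_PATH` is unset the source path collapses to `/auth.serguzim.me.crt`, the first `install` fails, and the script still runs the second `_install` and exits with only that command's status; add `set -eu` directly after the shebang so an unset variable or a failed copy aborts the hook with a non-zero status lego can report. A short header comment would also help the next reader, e.g. `# lego run hook: copy the issued cert/key into the authentik certs dir (args: source ext, dest ext)`, since the `$1`/`$2` positional mapping (`crt`→`pem`, `key`→`key`) is not obvious at the call sites. Nothing in the hook signals authentik to reload after the files are replaced; whether the container re-reads `/certs` on its own is not visible here, so confirm that renewals actually take effect.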