diff --git a/auth/docker-compose.yml b/auth/docker-compose.yml
new file mode 100644
index 0000000..1214623
--- /dev/null
+++ b/auth/docker-compose.yml
@@ -0,0 +1,90 @@
+services:
+
+ authentik-server:
+ image: ghcr.io/goauthentik/server:${AUTHENTIK_VERSION}
+ restart: unless-stopped
+ command: server
+ environment:
+ - AUTHENTIK_REDIS__HOST=redis
+ - AUTHENTIK_POSTGRESQL__HOST=postgresql
+ - AUTHENTIK_POSTGRESQL__USER=${POSTGRES_USER}
+ - AUTHENTIK_POSTGRESQL__NAME=${POSTGRES_DB}
+ - AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD}
+ - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
+ - AUTHENTIK_ERROR_REPORTING__ENABLED=${AUTHENTIK_ERROR_REPORTING__ENABLED}
+ volumes:
+ - ${VOLUMES_PATH}/auth/media:/media
+ - ${VOLUMES_PATH}/auth/custom-templates:/templates
+ depends_on:
+ postgresql:
+ condition: service_healthy
+ redis:
+ condition: service_healthy
+ networks:
+ - web
+ - auth
+
+ authentik-worker:
+ image: ghcr.io/goauthentik/server:${AUTHENTIK_VERSION}
+ restart: unless-stopped
+ command: worker
+ environment:
+ - AUTHENTIK_REDIS__HOST=redis
+ - AUTHENTIK_POSTGRESQL__HOST=postgresql
+ - AUTHENTIK_POSTGRESQL__USER=${POSTGRES_USER}
+ - AUTHENTIK_POSTGRESQL__NAME=${POSTGRES_DB}
+ - AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD}
+ - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
+ - AUTHENTIK_ERROR_REPORTING__ENABLED=${AUTHENTIK_ERROR_REPORTING__ENABLED}
+ user: root
+ volumes:
+ # - /var/run/docker.sock:/var/run/docker.sock
+ - ${VOLUMES_PATH}/auth/media:/media
+ - ${VOLUMES_PATH}/auth/certs:/certs
+ - ${VOLUMES_PATH}/auth/custom-templates:/templates
+ depends_on:
+ postgresql:
+ condition: service_healthy
+ redis:
+ condition: service_healthy
+ networks:
+ - auth
+
+ postgresql:
+ image: postgres:${POSTGRES_VERSION}
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+ start_period: 20s
+ interval: 30s
+ retries: 5
+ timeout: 5s
+ volumes:
+ - ${VOLUMES_PATH}/auth/postgres/:/var/lib/postgresql/data
+ environment:
+ - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
+ - POSTGRES_USER=${POSTGRES_USER}
+ - POSTGRES_DB=${POSTGRES_DB}
+ networks:
+ - auth
+
+ redis:
+ image: redis:${REDIS_VERSION}
+ command: --save 60 1 --loglevel warning
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+ start_period: 20s
+ interval: 30s
+ retries: 5
+ timeout: 3s
+ volumes:
+ - ${VOLUMES_PATH}/auth/redis:/data
+ networks:
+ - auth
+
+
+networks:
+ auth:
+ web:
+ external: true
diff --git a/paperless/docker-compose.yaml b/paperless/docker-compose.yaml
index 20b0079..5688a55 100644
--- a/paperless/docker-compose.yaml
+++ b/paperless/docker-compose.yaml
@@ -60,6 +60,9 @@ services: - USERMAP_GID=1000 - PAPERLESS_PRE_CONSUME_SCRIPT=/usr/src/paperless/scripts/removePdfPassword.py - PAPERLESS_OCR_USER_ARGS=${USER_ARGS_JSON}
+ - PAPERLESS_APPS=allauth.socialaccount.providers.openid_connect
+ - PAPERLESS_SOCIALACCOUNT_PROVIDERS=${PAPERLESS_SOCIALACCOUNT_PROVIDERS}
+ - PAPERLESS_CSRF_TRUSTED_ORIGINS=https://paperless.home.florianzirker.de,https://auth.home.florianzirker.de
 labels: - "docker.group=paperless"
diff --git a/proxy/Caddyfile b/proxy/Caddyfile
index bc24cc5..a245a03 100644
--- a/proxy/Caddyfile
+++ b/proxy/Caddyfile
@@ -4,7 +4,24 @@ output stdout format console }
- debug
+ auto_https disable_redirects
+}
+
+(proxy-auth) {
+ reverse_proxy /outpost.goauthentik.io/* http://authentik-server:9000
+ forward_auth http://authentik-server:9000 {
+ uri /outpost.goauthentik.io/auth/caddy
+ copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+ trusted_proxies private_ranges
+ }
+}
+
+http://*.{$DOMAIN} {
+ redir https://{labels.3}.{$DOMAIN}{uri} permanent
+}
+
+http://*.{$OLD_DOMAIN} {
+ redir https://{labels.1}.{$DOMAIN}{uri} permanent
 } *.{$DOMAIN} {
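Review bot: `user: root` on authentik-worker gives that container root while the only line that appears to need it, the `/var/run/docker.sock` bind mount two lines below, is commented out. If the socket mount stays disabled, drop `user: root` so the worker runs as the image's own default user; if it is meant to be re-enabled later, keep the two together with a comment such as `# user: root  # only required together with the docker.sock mount below`. The postgresql and redis services publish no ports and sit only on the `auth` network, which is good, but note that redis runs without a password, so that network boundary is the only thing protecting it and it should never be joined to `web`.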
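Review bot: `PAPERLESS_CSRF_TRUSTED_ORIGINS` hard-codes `paperless.home.florianzirker.de` and `auth.home.florianzirker.de`, while the proxy side of this commit derives every host from `${DOMAIN}` and even introduces `OLD_DOMAIN` for a rename; the next domain change will silently leave the CSRF allow-list pointing at the old hosts. If this stack's `.env` has the same `DOMAIN` variable, `- PAPERLESS_CSRF_TRUSTED_ORIGINS=https://paperless.${DOMAIN},https://auth.${DOMAIN}` keeps it in step. Enabling the OpenID Connect provider also means that, unless social-account sign-ups are restricted (`PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS`), every identity the IdP authenticates gets a paperless user created on first login; confirm that is the intent or limit it on the authentik side to the group that should have access.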
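Review bot: The two redirect blocks pick the subdomain with different label indexes, `{labels.3}` under `http://*.{$DOMAIN}` and `{labels.1}` under `http://*.{$OLD_DOMAIN}`, and each index is silently tied to how many labels that domain has (labels count from the right, so `{labels.3}` is the leftmost label only for a three-label `DOMAIN`). If `OLD_DOMAIN` has more than one label, `{labels.1}` yields part of the domain rather than the subdomain, and because the redirect is `permanent` browsers will cache the wrong target. Document the assumption next to the block, e.g. `# labels are indexed from the right; {labels.1} assumes OLD_DOMAIN is a single label`, or check the index against the actual value. The `(proxy-auth)` snippet itself follows the expected shape: the outpost path is proxied first, then `forward_auth` with `uri` and `copy_headers`.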
@@ -22,7 +39,10 @@ @whoami host whoami.{$DOMAIN} handle @whoami {
- reverse_proxy whoami:80
+ route {
+ import proxy-auth
+ reverse_proxy whoami:80
+ }
 } @dashboard host dashboard.{$DOMAIN}
@@ -32,13 +52,15 @@ @hassi host hassi.{$DOMAIN} handle @hassi {
- # reverse_proxy homeassistant:8123
- reverse_proxy {host}:8123
+ reverse_proxy homeassistant:8123
 } @zigbee2mqtt host zigbee2mqtt.{$DOMAIN} handle @zigbee2mqtt {
- reverse_proxy zigbee2mqtt:8080
+ route {
+ import proxy-auth
+ reverse_proxy zigbee2mqtt:8080
+ }
 } @jellyfin host jellyfin.{$DOMAIN}
@@ -53,17 +75,31 @@ @download host download.{$DOMAIN} handle @download {
- reverse_proxy pyload:8000
+ route {
+ import proxy-auth
+ reverse_proxy pyload:8000
+ }
 } @uptime host uptime.{$DOMAIN} handle @uptime {
- reverse_proxy uptime-kuma:3001
+ route {
+ import proxy-auth
+ reverse_proxy uptime-kuma:3001
+ }
 } @torrent host torrent.{$DOMAIN} handle @torrent {
- reverse_proxy transmission:9091
+ route {
+ import proxy-auth
+ reverse_proxy transmission:9091
+ }
+ }
+
+ @auth host auth.{$DOMAIN}
+ handle @auth {
+ reverse_proxy authentik-server:9000
 } # Fallback unhandled (sub)domains
diff --git a/proxy/docker-compose.yaml b/proxy/docker-compose.yaml
index 9f0eaac..c6e63dd 100644
--- a/proxy/docker-compose.yaml
+++ b/proxy/docker-compose.yaml
@@ -16,6 +16,7 @@ services: - web environment: - DOMAIN=${DOMAIN}
+ - OLD_DOMAIN=${OLD_DOMAIN}
 - LOCAL_CA_NAME=${LOCAL_CA_NAME} - NETCUP_CUSTOMER_NUMBER=${NETCUP_CUSTOMER_NUMBER} - NETCUP_API_KEY=${NETCUP_API_KEY}
@@ -37,6 +38,4 @@ services: networks: web: external: true
- dockersocket:
- external: true
diff --git a/smartHome/docker-compose.yaml b/smartHome/docker-compose.yaml
index 026778b..4a27a1b 100644
--- a/smartHome/docker-compose.yaml
+++ b/smartHome/docker-compose.yaml
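Review bot: `handle @hassi` now proxies to `homeassistant:8123` over the docker network instead of `{host}:8123`, and it is the one handler in these hunks that is not wrapped in `import proxy-auth`, so Home Assistant's own login stays the only authentication for that host; that is presumably deliberate (the companion app and websocket do not work behind forward_auth) but deserves a one-line comment. Home Assistant also refuses proxied requests unless the proxy's address is listed under `trusted_proxies` in its `http:` configuration, so the move away from `{host}` may need the Caddy container's network address added there; that file is outside this diff. Suggested comment above the handler: `# no proxy-auth here: HA has its own auth and the companion app/websocket break behind forward_auth`.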
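Review bot: The `@download`, `@uptime` and `@torrent` handlers are now gated by `import proxy-auth`, but `torrent/docker-compose.yaml` in the same commit removes transmission's `USER`/`PASS`, so forward_auth at the proxy becomes the only authentication in front of the transmission RPC. That holds only while the container is reachable solely through Caddy on the `web` network; if port 9091 is also published on the host or the service sits on another routed network, it is now unauthenticated. Worth a comment on the torrent handler such as `# transmission has no credentials of its own any more; proxy-auth is the only gate`, plus a check that no host port is published for it. The new `@auth` handler proxying to `authentik-server:9000` looks correct; whether the remaining handlers (dashboard, jellyfin) should also get `proxy-auth` is not visible here.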
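Review bot: `OLD_DOMAIN` is interpolated with no default, and the Caddyfile in this commit builds a site block from it (`http://*.{$OLD_DOMAIN}`); if the variable is missing from `.env` it expands to an empty string and the rendered site becomes `http://*.` instead of a clear startup failure. Compose's required-variable form makes the omission explicit: `- OLD_DOMAIN=${OLD_DOMAIN:?OLD_DOMAIN must be set for the legacy-domain redirect}`. The `dockersocket` network removal in the next hunk is consistent with the socket mount being commented out in the new auth stack.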
@@ -8,11 +8,13 @@ services: environment: - TZ=Europe/Berlin restart: unless-stopped
- network_mode: host
+ #network_mode: host
+ networks:
+ - web
+ - smarthome
 labels: - "docker.group=smartHome" - mqttbroker: image: eclipse-mosquitto:${MOSQUITTO_VERSION} restart: unless-stopped
@@ -28,7 +30,6 @@ services: labels: - "docker.group=smartHome" - zigbee2mqtt: restart: unless-stopped image: koenkk/zigbee2mqtt
@@ -45,6 +46,26 @@ services: labels: - "docker.group=smartHome"
+ db:
+ image: postgres:${POSTGRES_VERSION}
+ restart: unless-stopped
+ networks:
+ - smarthome
+ volumes:
+ - ${VOLUMES_PATH}/smartHome/postgres:/var/lib/postgresql/data
+ environment:
+ - POSTGRES_DB=${POSTGRES_DB}
+ - POSTGRES_USER=${POSTGRES_USER}
+ - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+ start_period: 20s
+ interval: 30s
+ retries: 5
+ timeout: 5s
+ labels:
+ - "docker.group=smartHome"
+
 networks: web:
diff --git a/start-all.sh b/start-all.sh
index 8010786..69b5585 100755
--- a/start-all.sh
+++ b/start-all.sh
@@ -6,6 +6,7 @@ function up { } up proxy;
+up auth;
 up monitoring; up smartHome; up dashboard;
diff --git a/torrent/docker-compose.yaml b/torrent/docker-compose.yaml
index f5b6923..72d8c9b 100644
--- a/torrent/docker-compose.yaml
+++ b/torrent/docker-compose.yaml
@@ -4,8 +4,6 @@ services: image: lscr.io/linuxserver/transmission:${TRANSMISSION_VERSION} environment: - TZ=Etc/UTC
- - USER=${USERNAME}
- - PASS=${PASSWORD}
 volumes: - ${VOLUMES_PATH}/torrent/transmission:/config - ${DOWNLOAD_PATH}:/downloads
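Review bot: `#network_mode: host` leaves the old setting as commented-out code directly above its replacement; either delete it or turn it into a note that says why the service moved, e.g. `# moved off host networking so Caddy can reach it on the web network`, written as `# ` with a space to match yamllint's comment style. Taking Home Assistant off host networking also removes the mDNS/SSDP discovery that host mode provided; whether any integration relies on that is not visible from this file. The service now sits on both `web` and `smarthome`, which is the right split as long as only Caddy is on `web`.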
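Review bot: The new `db` service attaches to a `smarthome` network, and homeassistant now lists it too, but the top-level `networks:` context at the end of this hunk shows only `web:`; unless `smarthome:` is declared further down the file outside this hunk, compose will refuse to start with an undefined-network error. Add `smarthome:` under the top-level `networks:` block as a plain internal bridge so the database stays unreachable from `web`. The `POSTGRES_*` variable names match those used by the new `auth/docker-compose.yml`; with a separate `.env` per directory that is fine, but the two stacks must not share one environment file or they will end up with the same database password.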