diff --git a/applications/40-authentik/authentik.yaml b/applications/40-authentik/authentik.yaml
index 4aa2b92..9603b06 100644
--- a/applications/40-authentik/authentik.yaml
+++ b/applications/40-authentik/authentik.yaml
@@ -25,11 +25,19 @@ spec:
         authentik:
           ingress:
             enabled: true
+            annotations:
+              external-dns.alpha.kubernetes.io/hostname: auth.hxme.net
+              nginx.ingress.kubernetes.io/server-snippet: |
+                add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
             hosts:
               - host: auth.hxme.net
                 paths:
                   - path: /
                     pathType: Prefix
+            tls:
+              - hosts:
+                  - auth.hxme.net
+                secretName: wildcard-hxme-net
   destination:
     server: https://kubernetes.default.svc
     namespace: home-server