diff --git a/kube/deploy/apps/radicale/app/hr.yaml b/kube/deploy/apps/radicale/app/hr.yaml
index c660c3b0..0074dcc9 100644
--- a/kube/deploy/apps/radicale/app/hr.yaml
+++ b/kube/deploy/apps/radicale/app/hr.yaml
@@ -4,8 +4,6 @@ kind: HelmRelease
 metadata:
   name: &app radicale
   namespace: *app
-  labels:
-    nginx.ingress.home.arpa/type: auth
 spec:
   interval: 5m
   chart:
@@ -61,8 +59,13 @@ spec:
       main:
         className: nginx-internal
         annotations:
-          nginx.ingress.kubernetes.io/auth-signin: |-
-            https://${APP_DNS_RADICALE}/outpost.goauthentik.io/start?rd=$escaped_request_uri
+          # nginx.ingress.kubernetes.io/auth-signin annotation not needed since we're only using the "Receiving HTTP basic auth" part of the authentik Proxy Provider which handles forward auth
+          nginx.ingress.kubernetes.io/auth-url: |-
+              http://authentik.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
+          nginx.ingress.kubernetes.io/auth-response-headers: |-
+              Set-Cookie,X-Remote-User
+          nginx.ingress.kubernetes.io/auth-snippet: |
+              proxy_set_header X-Forwarded-Host $http_host;
         hosts:
           - host: &host "${APP_DNS_RADICALE:=radicale}"
             paths: &paths