diff --git a/kube/deploy/apps/authentik/app/hr.yaml b/kube/deploy/apps/authentik/app/hr.yaml
index 09c98a87..9a9577d8 100644
--- a/kube/deploy/apps/authentik/app/hr.yaml
+++ b/kube/deploy/apps/authentik/app/hr.yaml
@@ -130,6 +130,31 @@ spec:
 periodSeconds: 1
 failureThreshold: 300
 initialDelaySeconds: 15
+ anubis:
+ image: &img
+ repository: ghcr.io/xe/x/anubis
+ tag: latest@sha256:f54385a986e2032b238c626e9cec989acc4e36160ab87b88722171929cb5880b
+ env: &env
+ TZ: "${CONFIG_TZ}"
+ DIFFICULTY: "5"
+ SERVE_ROBOTS_TXT: "true"
+ TARGET: "http://127.0.0.1:9000"
+ securityContext: *sc
+ resources:
+ requests:
+ cpu: "5m"
+ memory: "32Mi"
+ limits:
+ cpu: "1"
+ memory: "128Mi"
+ ports:
+ - name: anubis
+ containerPort: &anubis 8923
+ probes:
+ liveness:
+ enabled: true
+ readiness:
+ enabled: true
 worker:
 type: deployment
 replicas: 2
@@ -309,6 +334,9 @@ spec:
 metrics:
 <<: *port
 port: *metrics
+ anubis:
+ <<: *port
+ port: *anubis
 redis:
 primary: false
 controller: redis
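Review bot: The sidecar's `probes.liveness` and `probes.readiness` are switched on with no `custom` spec, so they presumably fall back to app-template's default TCP probe, which (if I remember the chart right) targets the service's primary port rather than this container's own `8923` — confirm against the chart version in use. If so, the anubis container is reported live/ready whenever authentik's port answers, even when anubis itself is not listening, and pod readiness says nothing about the sidecar the new `external` route depends on. Pointing both probes at the sidecar, e.g. `custom: true` followed by `spec:` / `tcpSocket: {port: 8923}` under each, makes them meaningful. Pinning `ghcr.io/xe/x/anubis` by digest is good; the `latest` tag prefix is only a hint for update tooling, the digest decides what runs. The `anubis:` container is one entry of a `containers` map that starts outside the hunk.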
@@ -368,42 +396,47 @@ spec:
 <<: *radius
 protocol: UDP
 ingress:
- main:
+ internal: &ingress
 className: nginx-external
 annotations:
- external-dns.alpha.kubernetes.io/target: "${DNS_CF:=cf}"
- external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
+ nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 100.64.0.0/10"
 hosts:
 - host: &host "${APP_DNS_AUTHENTIK:=authentik}"
 paths:
- - path: /
+ - &path
+ path: /
 pathType: Prefix
 service:
 identifier: authentik
 port: http
- tls:
+ tls: &tls
 - hosts: [*host]
 secretName: authentik-tls
+ external:
+ <<: *ingress
+ annotations:
+ external-dns.alpha.kubernetes.io/target: "${DNS_CF:=cf}"
+ external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
+ hosts:
+ - host: *host
+ paths:
+ - <<: *path
+ service:
+ identifier: authentik
+ port: anubis
 harden:
- className: nginx-external
+ <<: *ingress
 annotations:
 nginx.ingress.kubernetes.io/whitelist-source-range: "${IP_JJ_V4:=127.0.0.1/32}"
 hosts:
 - host: *host
 paths:
- - &path
+ - <<: *path
 path: /api/v3/policies/expression
- pathType: Prefix
- service:
- identifier: authentik
- port: http
 - <<: *path
 path: /api/v3/propertymappings
 - <<: *path
 path: /api/v3/managed/blueprints
- tls:
- - hosts: [*host]
- secretName: authentik-tls
 persistence:
 pg-ca:
 type: secret
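Review bot: The `internal` and `external` ingresses both claim host `${APP_DNS_AUTHENTIK}` with path `/` on the same `className: nginx-external` (the class arrives in `external` through `<<: *ingress`), and as far as I recall ingress-nginx does not merge two Ingress objects for one host+path on one class — it serves the location from the older object and logs a conflict for the other — so the intended split between the allowlisted direct route (`port: http`) and the anubis route (`port: anubis`) is unlikely to take effect; whichever object wins handles everyone, either failing closed with a 403 for Cloudflare visitors or sending LAN clients through the challenge. A distinct class or hostname for `internal` (an internal nginx controller if the cluster has one), or a single anubis-fronted route plus an anubis `remote_addresses` allow rule for the private ranges, removes the overlap. Separately, `whitelist-source-range` is only as strong as the client IP `nginx-external` derives behind the Cloudflare proxy: confirm the controller trusts forwarded headers only from Cloudflare's CIDRs, otherwise a direct hit carrying a forged `X-Forwarded-For: 10.0.0.1` could satisfy the `10.0.0.0/8` entry. The `harden` ingress is not affected by the overlap since its paths are more specific, and it keeps its own stricter allowlist.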