diff --git a/roles/docker/templates/paperlessngx-compose.yml.j2 b/roles/docker/templates/paperlessngx-compose.yml.j2
index 50702ae..d390037 100644
--- a/roles/docker/templates/paperlessngx-compose.yml.j2
+++ b/roles/docker/templates/paperlessngx-compose.yml.j2
@@ -18,6 +18,8 @@ services:
       - ./export:/usr/src/paperless/export
       - ./consume:/usr/src/paperless/consume
     env_file: docker-compose.env
+    extra_hosts:
+      - 'auth.thesatelliteoflove.com:172.20.0.5'
     environment:
       PAPERLESS_REDIS: redis://broker:6379
       PAPERLESS_TIKA_ENABLED: 1
diff --git a/roles/docker/templates/paperlessngx.env.j2 b/roles/docker/templates/paperlessngx.env.j2
index 8193b64..8e38a20 100644
--- a/roles/docker/templates/paperlessngx.env.j2
+++ b/roles/docker/templates/paperlessngx.env.j2
@@ -39,4 +39,8 @@ PAPERLESS_TIME_ZONE=America/Denver
 
 # Set if accessing paperless via a domain subpath e.g. https://domain.com/PATHPREFIX and using a reverse-proxy like traefik or nginx
 #PAPERLESS_FORCE_SCRIPT_NAME=/PATHPREFIX
-#PAPERLESS_STATIC_URL=/PATHPREFIX/static/ # trailing slash required
\ No newline at end of file
+#PAPERLESS_STATIC_URL=/PATHPREFIX/static/ # trailing slash required
+
+# authentik
+PAPERLESS_APPS: "allauth.socialaccount.providers.openid_connect"
+PAPERLESS_SOCIALACCOUNT_PROVIDERS: '{"openid_connect": {"APPS": [{"provider_id": "authentik","name": "Authentik SSO","client_id": "{{ paperless_oauth_client_id }}","secret": "{{ paperless_oauth_client_secret }}","settings": { "server_url": "https://auth.thesatelliteoflove.com/application/o/paperlessngx/.well-known/openid-configuration"}}]}}'
\ No newline at end of file