diff --git a/apps/argocd.yaml b/apps/argocd.yaml
index f66b9e0..4d55d23 100644
--- a/apps/argocd.yaml
+++ b/apps/argocd.yaml
@@ -32,3 +32,41 @@ spec:
 cert-manager.io/cluster-issuer: letsencrypt
 hostname: argocd.sdg.moe
 tls: true
+ configs:
+ cm:
+ dex.config: |
+ connectors:
+ - id: authentik
+ name: authentik
+ type: oidc
+ config:
+ issuer: https://authentik.sdg.moe/application/o/argocd/
+ clientID: $authentik:clientId
+ clientSecret: $authentik:clientSecret
+ insecureEnableGroups: true
+ scopes:
+ - openid
+ - profile
+ - email
+ rbac:
+ policy.csv: |
+ g, admins, role:admin
+ g, read-only, role:admins
+ extraObjects:
+ - apiVersion: external-secrets.io/v1
+ kind: ExternalSecret
+ metadata:
+ name: authentik
+ spec:
+ refreshInterval: 24h
+ secretStoreRef:
+ name: bitwarden
+ kind: ClusterSecretStore
+ target:
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/part-of: argocd
+ dataFrom:
+ - extract:
+ key: argocd-sso
diff --git a/apps/authentik.yaml b/apps/authentik.yaml
index 779d1d3..afda5cd 100644
--- a/apps/authentik.yaml
+++ b/apps/authentik.yaml
@@ -63,6 +63,11 @@ spec:
 - authentik.sdg.moe
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt
+ acme.cert-manager.io/http01-edit-in-place: "true"
+ tls:
+ - secretName: authentik-tls
+ hosts:
+ - authentik.sdg.moe
 redis:
 enabled: true
diff --git a/apps/misc/bitwarden.yaml b/apps/misc/bitwarden.yaml
index e269479..3843375 100644
--- a/apps/misc/bitwarden.yaml
+++ b/apps/misc/bitwarden.yaml
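Review bot: In the `policy.csv` added to apps/argocd.yaml, the `read-only` group is bound to `role:admins`, which is neither of Argo CD's built-in roles (`role:admin`, `role:readonly`) and has no `p,` rules in this hunk, so the binding grants nothing as written. The name is one character away from `role:admin`, so a well-meant typo fix would make every read-only user an administrator; the intended line is presumably `g, read-only, role:readonly`. Authorization here rests entirely on the group names Authentik places in the token (`insecureEnableGroups: true`), and Dex only picks those up when the ID token is issued, so a membership change in Authentik may not take effect until the user logs in again. It is also worth setting `policy.default` explicitly under `rbac`, since the chart's default is not visible in this hunk.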
@@ -7,20 +7,21 @@ spec:
 bitwardensecretsmanager:
 apiURL: https://vault.bitwarden.eu/api
 identityURL: https://vault.bitwarden.eu/identity
+ organizationID: b461238b-9b93-4598-b12c-b32c00834ab6
+ projectID: b63f0f85-2c6f-4f99-b999-b32c009d7bdf
+
 auth:
 secretRef:
 credentials:
 namespace: external-secrets
 name: bitwarden-access-token
 key: token
+ bitwardenServerSDKURL: https://bitwarden-sdk-server.external-secrets.svc.cluster.local:9998
 caProvider:
 type: Secret
 namespace: external-secrets
 name: bitwarden-tls-certs
 key: ca.crt
-
- organizationID: b461238b-9b93-4598-b12c-b32c00834ab6
- projectID: b63f0f85-2c6f-4f99-b999-b32c009d7bdf
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
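Review bot: The added `bitwardenServerSDKURL` has no comment tying it to the `caProvider` block directly below it. The store can only reach the SDK server if the host `bitwarden-sdk-server.external-secrets.svc.cluster.local` appears as a SAN on the serving certificate and that certificate chains to the `ca.crt` in `bitwarden-tls-certs`. The `Certificate` that presumably issues it begins on the hunk's last context lines and its `dnsNames` lie outside the hunk, so this cannot be confirmed here. I would add `# host must be listed in dnsNames of the Certificate below; trust comes from caProvider` above the URL so a later rename of the service or namespace is not made in one place only.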