diff --git a/pastefy-system/pastefy.yaml b/pastefy-system/pastefy.yaml
index 123ad6d..d076495 100644
--- a/pastefy-system/pastefy.yaml
+++ b/pastefy-system/pastefy.yaml
@@ -154,36 +154,13 @@ spec:
 value: "3306"
 - name: SERVER_NAME
 value: "https://pastefy.dooplex.hu"
- # OAuth2 Custom Provider (Authentik)
- - name: AUTH_PROVIDER
- value: "OAUTH2"
- - name: OAUTH2_CUSTOM_CLIENT_ID
- valueFrom:
- secretKeyRef:
- name: pastefy-oidc
- key: client-id
- - name: OAUTH2_CUSTOM_CLIENT_SECRET
- valueFrom:
- secretKeyRef:
- name: pastefy-oidc
- key: client-secret
- - name: OAUTH2_CUSTOM_SCOPES
- value: "openid profile email"
- - name: OAUTH2_CUSTOM_USER_ID_FIELD
- value: "sub"
- - name: OAUTH2_CUSTOM_USER_NAME_FIELD
- value: "preferred_username"
- - name: OAUTH2_CUSTOM_AUTH_ENDPOINT
- value: "https://authentik.dooplex.hu/application/o/authorize/"
- - name: OAUTH2_CUSTOM_TOKEN_ENDPOINT
- value: "https://authentik.dooplex.hu/application/o/token/"
- - name: OAUTH2_CUSTOM_USERINFO_ENDPOINT
- value: "https://authentik.dooplex.hu/application/o/userinfo/"
 # Optional settings
+ - name: AUTH_PROVIDER
+ value: "" # Disable broken OAuth
 - name: PASTEFY_LOGIN_REQUIRED
 value: "false"
 - name: PASTEFY_LOGIN_REQUIRED_CREATE
- value: "true"
+ value: "false"
 - name: PASTEFY_PUBLIC_STATS
 value: "false"
 - name: PASTEFY_INFO_CUSTOM_NAME
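Review bot: Setting `PASTEFY_LOGIN_REQUIRED_CREATE` to `"false"` together with `AUTH_PROVIDER: ""` removes the last application-level authentication check, so paste creation is now gated solely by the ingress forward-auth this commit configures elsewhere. Any client that reaches the `pastefy` Service without traversing the protected Ingress (another in-cluster workload, a second Ingress, a port-forward) can create pastes anonymously, and with no auth provider the app presumably cannot attribute pastes to the `X-authentik-*` headers the ingress forwards — worth confirming against the app's behaviour. The comment `# Disable broken OAuth` records neither what is broken nor that enforcement has moved to the ingress; I would replace it with `# App-level auth disabled: authn/authz is enforced by the pastefy Ingress forward-auth; do not expose this Service via any other route. TODO(<tracking-issue>): restore OAuth2 once <describe breakage> is fixed`, and consider a NetworkPolicy limiting ingress to the pod to the ingress-controller namespace. Minor style point: inline YAML comments conventionally have two spaces before `#`.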
@@ -247,19 +224,60 @@ spec:
 app.kubernetes.io/instance: pastefy
 app.kubernetes.io/name: pastefy
 ---
+# Ingress 1: Public - for viewing pastes (no auth)
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: pastefy-public
+ namespace: pastefy-system
+ annotations:
+ nginx.ingress.kubernetes.io/use-regex: "true"
+spec:
+ ingressClassName: nginx-internal
+ rules:
+ - host: pastefy.dooplex.hu
+ http:
+ paths:
+ # Match paste IDs (typically 6-8 char alphanumeric)
+ - path: /([a-zA-Z0-9]{5,12})(/raw)?$
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: pastefy
+ port:
+ number: 80
+ - host: pastefy.home
+ http:
+ paths:
+ - path: /([a-zA-Z0-9]{5,12})(/raw)?$
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: pastefy
+ port:
+ number: 80
+ tls:
+ - hosts:
+ - pastefy.dooplex.hu
+ secretName: pastefy-tls
+---
+# Ingress 2: Protected - main app (with Authentik auth)
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
 name: pastefy
 namespace: pastefy-system
- labels:
- app.kubernetes.io/instance: pastefy
- app.kubernetes.io/name: pastefy
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt-prod
 external-dns.alpha.kubernetes.io/hostname: pastefy.dooplex.hu,pastefy.home
 nginx.ingress.kubernetes.io/ssl-redirect: "true"
 nginx.ingress.kubernetes.io/proxy-body-size: "50m"
+ # Authentik forward auth
+ nginx.ingress.kubernetes.io/auth-url: "http://ak-outpost-authentik-embedded-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx"
+ nginx.ingress.kubernetes.io/auth-signin: "https://authentik.dooplex.hu/outpost.goauthentik.io/start?rd=$scheme://$host$escaped_request_uri"
+ nginx.ingress.kubernetes.io/auth-response-headers: "Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid"
+ nginx.ingress.kubernetes.io/auth-snippet: |
+ proxy_set_header X-Forwarded-Host $http_host;
 spec:
 ingressClassName: nginx-internal
 rules:
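Review bot: The `pastefy-public` path regex `/([a-zA-Z0-9]{5,12})(/raw)?$` matches on shape rather than on paste IDs, so any application route whose single path segment is 5–12 alphanumeric characters (a constructed example: `/admin`) would also be served through this unauthenticated Ingress and bypass the forward-auth on `pastefy`; the app's real route list is not visible here and needs checking before this merges, and the split additionally relies on ingress-nginx giving this regex location precedence over the protected Ingress's paths for the same hosts, which the manifests do not state. The comment says IDs are "typically 6-8" characters while the regex admits 5–12, so I would tighten the class and length to the exact ID format the app generates and document the intent, e.g. `# Only paste-ID shaped paths bypass forward-auth; this regex must never match another app route — re-check when routes change`. The `pastefy.home` rule has no `tls` entry and, unlike the protected Ingress, no `ssl-redirect`, so pastes on that host are served over plain HTTP; if that is intentional for a LAN-only name, a one-line comment saying so would help. Note also that `auth-snippet` only takes effect when the controller allows snippet annotations, which recent ingress-nginx releases disable by default, in which case the `X-Forwarded-Host` header would silently not be set.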