diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf
index 7ecd0bd6..40670cae 100644
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
@@ -122,17 +122,17 @@ variable "defcon_level" {
 }
 locals {
   defcon_modules = {
-    1 : ["wireguard", "technitium", "headscale", "nginx-ingress", "xray", "authentik", "cloudflare"],          # Critical connectivity services
-    2 : ["vaultwarden", "redis", "immich", "nvidia", "metrics-server", "uptime-kuma", "crowdsec"],             # Storage and other db services
-    3 : ["k8s-dashboard", "reverse-proxy"],                                                                    # Cluster admin services
-    4 : ["mailserver", "shadowsocks", "webhook_handler", "tuya-bridge", "dawarich", "owntracks", "nextcloud"], # Nice to have services
+    1 : ["wireguard", "technitium", "headscale", "nginx-ingress", "xray", "authentik", "cloudflare", "authelia"], # Critical connectivity services
+    2 : ["vaultwarden", "redis", "immich", "nvidia", "metrics-server", "uptime-kuma", "crowdsec"],                # Storage and other db services
+    3 : ["k8s-dashboard", "reverse-proxy"],                                                                       # Cluster admin services
+    4 : ["mailserver", "shadowsocks", "webhook_handler", "tuya-bridge", "dawarich", "owntracks", "nextcloud"],    # Nice to have services
     # Optional services
     5 : [
       "blog", "descheduler", "drone", "f1-stream", "hackmd", "kms", "privatebin", "vault", "reloader", "city-guesser", "echo"
       , "url", "excalidraw", "travel_blog", "dashy", "send", "ytdlp", "wealthfolio", "rybbit", "isponsorblocktv", "stirling-pdf",
       "networking-toolbox", "navidrome", "freshrss", "forgejo", "onlyoffice", "tor-proxy", "real-estate-crawler", "n8n", "tnadoor",
       "changedetection", "actualbudget", "linkwarden", "matrix", "homepage", "meshcentral", "diun", "cyberchef", "ntfy", "ollama",
-      "servarr", "jsoncrack", "paperless-ngx", "frigate", "audiobookshelf", "calibre"
+      "servarr", "jsoncrack", "paperless-ngx", "frigate", "audiobookshelf", "calibre", "tandoor"
     ],
   }
   active_modules = distinct(flatten([
@@ -563,6 +563,7 @@ module "cloudflared" {
 
 # module "authelia" {
 #   source          = "./authelia"
+#   for_each        = contains(local.active_modules, "authelia") ? { authelia = true } : {}
 #   tls_secret_name = var.tls_secret_name
 # }