diff --git a/modules/authentik-ldap.nix b/modules/authentik-ldap.nix
index 7b92368..635f985 100644
--- a/modules/authentik-ldap.nix
+++ b/modules/authentik-ldap.nix
@@ -4,6 +4,7 @@ with lib;
 let
   cfg = config.services.authentik-ldap;
   conf = import ./vars.nix;
+  version = conf.authentik.version;
 in
 {
   options = {
@@ -17,7 +18,7 @@ in
 
   config = {
     virtualisation.oci-containers.containers."authentik-ldap" = {
-      image = "ghcr.io/goauthentik/ldap";
+      image = "ghcr.io/goauthentik/ldap:${version}";
       ports = [
         "389:3389"
         "636:6636"
diff --git a/modules/authentik-proxy.nix b/modules/authentik-proxy.nix
index ea8adb0..a5a05a8 100644
--- a/modules/authentik-proxy.nix
+++ b/modules/authentik-proxy.nix
@@ -4,6 +4,7 @@ with lib;
 let
   cfg = config.services.authentik-proxy;
   conf = import ./vars.nix;
+  version = conf.authentik.version;
 in
 {
   options = {
@@ -17,7 +18,7 @@ in
 
   config = {
     virtualisation.oci-containers.containers."authentik-proxy" = {
-      image = "ghcr.io/goauthentik/proxy";
+      image = "ghcr.io/goauthentik/proxy:${version}";
       ports = [ "9001:9000" ];
       environment = {
         AUTHENTIK_HOST = "https://${conf.authentik.domain}";
diff --git a/modules/authentik-server.nix b/modules/authentik-server.nix
index 0395181..69ee2f0 100644
--- a/modules/authentik-server.nix
+++ b/modules/authentik-server.nix
@@ -5,6 +5,7 @@ let
   domain = cfg.authentik.domain;
   redis = "6379";
   port = cfg.authentik.port;
+  version = conf.authentik.version;
   authentikEnvironment = {
     TZ = "Europe/Berlin";
     AUTHENTIK_REDIS__HOST = cfg.podman.hostIP;
@@ -57,7 +58,7 @@ in
   };
 
   virtualisation.oci-containers.containers.authentik-server = {
-    image = "ghcr.io/goauthentik/server";
+    image = "ghcr.io/goauthentik/server:${version}";
     extraOptions = cfg.podman.extraOptions;
     cmd = [ "server" ];
     dependsOn = [
@@ -75,7 +76,7 @@ in
   };
 
   virtualisation.oci-containers.containers.authentik-worker = {
-    image = "ghcr.io/goauthentik/server";
+    image = "ghcr.io/goauthentik/server:${version}";
     extraOptions = cfg.podman.extraOptions;
     cmd = [ "worker" ];
     dependsOn = [
diff --git a/modules/vars.nix b/modules/vars.nix
index 5f367a9..47a6c13 100644
--- a/modules/vars.nix
+++ b/modules/vars.nix
@@ -22,6 +22,7 @@
     domain = "auth.mc-fucker.cool";
     port = "9000";
     outpostPort = "9001";
+    version = "2025.4";
   };
 
   bookstack = {