blumeops/docs/how-to/authentik/deploy-authentik.md

---
title: Deploy Authentik Identity Provider
modified: 2026-02-23
last-reviewed: 2026-02-23
tags:
  - how-to
  - authentik
  - security
  - oidc
---

# Deploy Authentik Identity Provider

Replace Dex with [Authentik](https://goauthentik.io/) as the SSO identity provider. Authentik is the **source of truth** for user identity in BlumeOps. Users are created and managed in Authentik; services authenticate against it via OIDC.

## Architecture Decisions

| Decision | Choice | Rationale |
|----------|--------|-----------|
| **Identity model** | Authentik is source of truth | Central user/group management, not Forgejo-upstream like Dex |
| **Cluster** | [[ringtail]] (k3s) | IdP independent of main services cluster, same as Dex |
| **Database** | CNPG `blumeops-pg` on [[indri]] | Cross-cluster via Caddy L4 (`pg.ops.eblu.me`), no new operator needed |
| **Redis** | Co-deployed in authentik namespace | Required for caching/sessions/task queue |
| **Containers** | Nix-built (`dockerTools.buildLayeredImage`) | Supply chain control, consistent with Dex/ntfy pattern |
| **Manifests** | Kustomize (no Helm) | Consistent with all other BlumeOps services |
| **Networking** | Tailscale Ingress + Caddy reverse proxy | Same pattern as Dex |
| **IaC** | Authentik Blueprints (YAML in ConfigMap) | GitOps-native, config stored in repo |

## Deployment Process

1. Build a Nix container image — Authentik needs `coreutils` and `bashInteractive` alongside the main package; the entrypoint wrapper must symlink built-in blueprint directories so custom blueprints coexist with defaults
2. Create secrets in 1Password (secret key, DB credentials, OIDC client secrets)
3. Provision a dedicated database and managed role on the shared CNPG cluster
4. Deploy server, worker, and Redis as separate deployments
5. Wire ExternalSecret to pull config from 1Password
6. Add Tailscale Ingress and Caddy reverse proxy entries
7. Complete the first-run wizard manually (creates admin account)
8. Migrate OIDC clients via Blueprints, then decommission the old IdP

## URLs

- **Admin:** https://authentik.ops.eblu.me/if/admin/
- **Tailscale:** https://authentik.tail8d86e.ts.net

## Related

- [[authentik]] — OIDC identity provider
- [[federated-login]] — How authentication works across BlumeOps
- [[ringtail]] — Target cluster
- [[agent-change-process]] — C2 methodology used for this change
Deploy Authentik identity provider (C2 Mikado) (#227) ## Summary C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex. This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved. ## Current Mikado State - Goal: `deploy-authentik` (active) - Leaf prerequisites: - `build-authentik-container` — Build Nix container image - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster - `create-authentik-secrets` — Create 1Password item with credentials ## Process refinements - Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early ## Test plan - [ ] `mise run docs-mikado` shows correct dependency chain - [ ] Leaf nodes can be worked independently - [ ] Container builds on ringtail - [ ] Authentik starts and reaches healthy state - [ ] Forgejo OAuth2 connector works Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/227 2026-02-20 12:55:59 -08:00			`---`
			`title: Deploy Authentik Identity Provider`
Review deploy-authentik: rewrite as process guide (#257) ## Summary - Rewrites deploy-authentik from a historical changelog into a reproducible process guide - Removes stale version info (`v1.1.2-nix`) and future work section (Forgejo federation is done, rest belongs elsewhere) - Marks deploy-authentik as completed in plans index and completed archive - Removes hardcoded image tag from authentik reference card (use `service-versions.yaml`) - Adds `last-reviewed: 2026-02-23` frontmatter ## Test plan - [x] All pre-commit hooks pass (docs-check-links, docs-check-index, etc.) - [x] ArgoCD app verified synced and healthy - [x] All wiki-links validated Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/257 2026-02-23 14:35:39 -08:00			`modified: 2026-02-23`
			`last-reviewed: 2026-02-23`
Deploy Authentik identity provider (C2 Mikado) (#227) ## Summary C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex. This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved. ## Current Mikado State - Goal: `deploy-authentik` (active) - Leaf prerequisites: - `build-authentik-container` — Build Nix container image - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster - `create-authentik-secrets` — Create 1Password item with credentials ## Process refinements - Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early ## Test plan - [ ] `mise run docs-mikado` shows correct dependency chain - [ ] Leaf nodes can be worked independently - [ ] Container builds on ringtail - [ ] Authentik starts and reaches healthy state - [ ] Forgejo OAuth2 connector works Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/227 2026-02-20 12:55:59 -08:00			`tags:`
			`- how-to`
			`- authentik`
			`- security`
			`- oidc`
			`---`

			`# Deploy Authentik Identity Provider`

Review deploy-authentik: rewrite as process guide (#257) ## Summary - Rewrites deploy-authentik from a historical changelog into a reproducible process guide - Removes stale version info (`v1.1.2-nix`) and future work section (Forgejo federation is done, rest belongs elsewhere) - Marks deploy-authentik as completed in plans index and completed archive - Removes hardcoded image tag from authentik reference card (use `service-versions.yaml`) - Adds `last-reviewed: 2026-02-23` frontmatter ## Test plan - [x] All pre-commit hooks pass (docs-check-links, docs-check-index, etc.) - [x] ArgoCD app verified synced and healthy - [x] All wiki-links validated Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/257 2026-02-23 14:35:39 -08:00			`Replace Dex with [Authentik](https://goauthentik.io/) as the SSO identity provider. Authentik is the source of truth for user identity in BlumeOps. Users are created and managed in Authentik; services authenticate against it via OIDC.`
Deploy Authentik identity provider (C2 Mikado) (#227) ## Summary C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex. This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved. ## Current Mikado State - Goal: `deploy-authentik` (active) - Leaf prerequisites: - `build-authentik-container` — Build Nix container image - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster - `create-authentik-secrets` — Create 1Password item with credentials ## Process refinements - Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early ## Test plan - [ ] `mise run docs-mikado` shows correct dependency chain - [ ] Leaf nodes can be worked independently - [ ] Container builds on ringtail - [ ] Authentik starts and reaches healthy state - [ ] Forgejo OAuth2 connector works Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/227 2026-02-20 12:55:59 -08:00
			`## Architecture Decisions`

			`\| Decision \| Choice \| Rationale \|`
			`\|----------\|--------\|-----------\|`
			`\| Identity model \| Authentik is source of truth \| Central user/group management, not Forgejo-upstream like Dex \|`
			`\| Cluster \| [[ringtail]] (k3s) \| IdP independent of main services cluster, same as Dex \|`
			\| Database \| CNPG `blumeops-pg` on [[indri]] \| Cross-cluster via Caddy L4 (`pg.ops.eblu.me`), no new operator needed \|
			`\| Redis \| Co-deployed in authentik namespace \| Required for caching/sessions/task queue \|`
			\| Containers \| Nix-built (`dockerTools.buildLayeredImage`) \| Supply chain control, consistent with Dex/ntfy pattern \|
			`\| Manifests \| Kustomize (no Helm) \| Consistent with all other BlumeOps services \|`
			`\| Networking \| Tailscale Ingress + Caddy reverse proxy \| Same pattern as Dex \|`
			`\| IaC \| Authentik Blueprints (YAML in ConfigMap) \| GitOps-native, config stored in repo \|`

Review deploy-authentik: rewrite as process guide (#257) ## Summary - Rewrites deploy-authentik from a historical changelog into a reproducible process guide - Removes stale version info (`v1.1.2-nix`) and future work section (Forgejo federation is done, rest belongs elsewhere) - Marks deploy-authentik as completed in plans index and completed archive - Removes hardcoded image tag from authentik reference card (use `service-versions.yaml`) - Adds `last-reviewed: 2026-02-23` frontmatter ## Test plan - [x] All pre-commit hooks pass (docs-check-links, docs-check-index, etc.) - [x] ArgoCD app verified synced and healthy - [x] All wiki-links validated Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/257 2026-02-23 14:35:39 -08:00			`## Deployment Process`
Deploy Authentik identity provider (C2 Mikado) (#227) ## Summary C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex. This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved. ## Current Mikado State - Goal: `deploy-authentik` (active) - Leaf prerequisites: - `build-authentik-container` — Build Nix container image - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster - `create-authentik-secrets` — Create 1Password item with credentials ## Process refinements - Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early ## Test plan - [ ] `mise run docs-mikado` shows correct dependency chain - [ ] Leaf nodes can be worked independently - [ ] Container builds on ringtail - [ ] Authentik starts and reaches healthy state - [ ] Forgejo OAuth2 connector works Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/227 2026-02-20 12:55:59 -08:00
Review deploy-authentik: rewrite as process guide (#257) ## Summary - Rewrites deploy-authentik from a historical changelog into a reproducible process guide - Removes stale version info (`v1.1.2-nix`) and future work section (Forgejo federation is done, rest belongs elsewhere) - Marks deploy-authentik as completed in plans index and completed archive - Removes hardcoded image tag from authentik reference card (use `service-versions.yaml`) - Adds `last-reviewed: 2026-02-23` frontmatter ## Test plan - [x] All pre-commit hooks pass (docs-check-links, docs-check-index, etc.) - [x] ArgoCD app verified synced and healthy - [x] All wiki-links validated Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/257 2026-02-23 14:35:39 -08:00			1. Build a Nix container image — Authentik needs `coreutils` and `bashInteractive` alongside the main package; the entrypoint wrapper must symlink built-in blueprint directories so custom blueprints coexist with defaults
			`2. Create secrets in 1Password (secret key, DB credentials, OIDC client secrets)`
			`3. Provision a dedicated database and managed role on the shared CNPG cluster`
			`4. Deploy server, worker, and Redis as separate deployments`
			`5. Wire ExternalSecret to pull config from 1Password`
			`6. Add Tailscale Ingress and Caddy reverse proxy entries`
			`7. Complete the first-run wizard manually (creates admin account)`
			`8. Migrate OIDC clients via Blueprints, then decommission the old IdP`
Deploy Authentik identity provider (C2 Mikado) (#227) ## Summary C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex. This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved. ## Current Mikado State - Goal: `deploy-authentik` (active) - Leaf prerequisites: - `build-authentik-container` — Build Nix container image - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster - `create-authentik-secrets` — Create 1Password item with credentials ## Process refinements - Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early ## Test plan - [ ] `mise run docs-mikado` shows correct dependency chain - [ ] Leaf nodes can be worked independently - [ ] Container builds on ringtail - [ ] Authentik starts and reaches healthy state - [ ] Forgejo OAuth2 connector works Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/227 2026-02-20 12:55:59 -08:00
			`## URLs`

			`- Admin: https://authentik.ops.eblu.me/if/admin/`
			`- Tailscale: https://authentik.tail8d86e.ts.net`

			`## Related`

			`- [[authentik]] — OIDC identity provider`
			`- [[federated-login]] — How authentication works across BlumeOps`
			`- [[ringtail]] — Target cluster`
			`- [[agent-change-process]] — C2 methodology used for this change`