blumeops/docs/reference/services/authentik.md

---
title: Authentik
modified: 2026-02-20
tags:
  - service
  - security
  - oidc
---

# Authentik

OIDC identity provider for BlumeOps. Authentik is the **source of truth** for user identity — users are created and managed in Authentik, and services authenticate against it via OIDC.

## Quick Reference

| Property | Value |
|----------|-------|
| **URL** | https://authentik.ops.eblu.me |
| **Admin UI** | https://authentik.ops.eblu.me/if/admin/ |
| **Tailscale URL** | https://authentik.tail8d86e.ts.net |
| **Namespace** | `authentik` |
| **Cluster** | k3s (ringtail) |
| **Image** | `registry.ops.eblu.me/blumeops/authentik:v1.1.2-nix` |
| **Manifests** | `argocd/manifests/authentik/` |
| **Container build** | `containers/authentik/default.nix` |

## Architecture

Authentik runs on [[ringtail]]'s k3s cluster, isolated from the main services on indri's minikube. This means the IdP is independent of the minikube cluster lifecycle.

Three deployments:
- **server** — HTTP/HTTPS interface, handles OIDC flows
- **worker** — Background tasks, blueprint application
- **redis** — Caching, sessions, task queue

## Database

Uses the shared CNPG `blumeops-pg` cluster on [[indri]], accessed cross-cluster via `pg.ops.eblu.me:5432`. Database `authentik` with managed role.

## Blueprints

Authentik configuration is managed via Blueprints (YAML) stored as a ConfigMap mounted into the worker at `/blueprints/custom/`. Current blueprints:

- **`common.yaml`** — shared identity resources (`admins` group)
- **`grafana.yaml`** — Grafana OAuth2 provider, application, and policy binding
- **`forgejo.yaml`** — Forgejo OAuth2 provider, application, and policy binding

All providers include the `groups` scope mapping for group-based admin propagation.

Blueprint file: `argocd/manifests/authentik/configmap-blueprint.yaml`

## OIDC Clients

| Client | Status |
|--------|--------|
| [[grafana]] | Active |
| [[forgejo]] | Active |

Future clients: [[argocd]], [[miniflux]], [[zot]]

## Secrets

Injected via [[external-secrets]] from the "Authentik (blumeops)" 1Password item.

| 1Password Field | Purpose |
|-----------------|---------|
| `secret-key` | Authentik secret key |
| `db-password` | PostgreSQL password |
| `grafana-client-secret` | OIDC client secret for Grafana |
| `forgejo-client-secret` | OIDC client secret for Forgejo |
| `api-token` | Authentik API token |

## Container Image

Nix-built via `dockerTools.buildLayeredImage`. The entrypoint wrapper symlinks built-in blueprint directories from the Nix store into `/blueprints/` at runtime, allowing custom blueprints to coexist with defaults. `AUTHENTIK_BLUEPRINTS_DIR=/blueprints` overrides the hardcoded Nix store path.

## Related

- [[federated-login]] - How authentication works across BlumeOps
- [[grafana]] - First OIDC client
- [[deploy-authentik]] - Deployment how-to
- [[external-secrets]] - Secrets injection from 1Password
Deploy Authentik identity provider (C2 Mikado) (#227) ## Summary C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex. This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved. ## Current Mikado State - Goal: `deploy-authentik` (active) - Leaf prerequisites: - `build-authentik-container` — Build Nix container image - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster - `create-authentik-secrets` — Create 1Password item with credentials ## Process refinements - Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early ## Test plan - [ ] `mise run docs-mikado` shows correct dependency chain - [ ] Leaf nodes can be worked independently - [ ] Container builds on ringtail - [ ] Authentik starts and reaches healthy state - [ ] Forgejo OAuth2 connector works Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/227 2026-02-20 12:55:59 -08:00			`---`
			`title: Authentik`
			`modified: 2026-02-20`
			`tags:`
			`- service`
			`- security`
			`- oidc`
			`---`

			`# Authentik`

			`OIDC identity provider for BlumeOps. Authentik is the source of truth for user identity — users are created and managed in Authentik, and services authenticate against it via OIDC.`

			`## Quick Reference`

			`\| Property \| Value \|`
			`\|----------\|-------\|`
			`\| URL \| https://authentik.ops.eblu.me \|`
			`\| Admin UI \| https://authentik.ops.eblu.me/if/admin/ \|`
			`\| Tailscale URL \| https://authentik.tail8d86e.ts.net \|`
			\| Namespace \| `authentik` \|
			`\| Cluster \| k3s (ringtail) \|`
			\| Image \| `registry.ops.eblu.me/blumeops/authentik:v1.1.2-nix` \|
			\| Manifests \| `argocd/manifests/authentik/` \|
			\| Container build \| `containers/authentik/default.nix` \|

			`## Architecture`

			`Authentik runs on [[ringtail]]'s k3s cluster, isolated from the main services on indri's minikube. This means the IdP is independent of the minikube cluster lifecycle.`

			`Three deployments:`
			`- server — HTTP/HTTPS interface, handles OIDC flows`
			`- worker — Background tasks, blueprint application`
			`- redis — Caching, sessions, task queue`

			`## Database`

			Uses the shared CNPG `blumeops-pg` cluster on [[indri]], accessed cross-cluster via `pg.ops.eblu.me:5432`. Database `authentik` with managed role.

			`## Blueprints`

Integrate Forgejo with Authentik OIDC Refactor Authentik blueprints into common.yaml (shared admins group), grafana.yaml (updated with !Find and groups scope), and forgejo.yaml (new provider + application). Add forgejo-client-secret to ExternalSecret and worker deployment. Configure Forgejo oauth2_client for auto-registration with login-based account linking to safely preserve existing accounts. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-20 16:10:01 -08:00			Authentik configuration is managed via Blueprints (YAML) stored as a ConfigMap mounted into the worker at `/blueprints/custom/`. Current blueprints:
Deploy Authentik identity provider (C2 Mikado) (#227) ## Summary C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex. This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved. ## Current Mikado State - Goal: `deploy-authentik` (active) - Leaf prerequisites: - `build-authentik-container` — Build Nix container image - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster - `create-authentik-secrets` — Create 1Password item with credentials ## Process refinements - Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early ## Test plan - [ ] `mise run docs-mikado` shows correct dependency chain - [ ] Leaf nodes can be worked independently - [ ] Container builds on ringtail - [ ] Authentik starts and reaches healthy state - [ ] Forgejo OAuth2 connector works Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/227 2026-02-20 12:55:59 -08:00
Integrate Forgejo with Authentik OIDC Refactor Authentik blueprints into common.yaml (shared admins group), grafana.yaml (updated with !Find and groups scope), and forgejo.yaml (new provider + application). Add forgejo-client-secret to ExternalSecret and worker deployment. Configure Forgejo oauth2_client for auto-registration with login-based account linking to safely preserve existing accounts. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-20 16:10:01 -08:00			- `common.yaml` — shared identity resources (`admins` group)
			- `grafana.yaml` — Grafana OAuth2 provider, application, and policy binding
			- `forgejo.yaml` — Forgejo OAuth2 provider, application, and policy binding

			All providers include the `groups` scope mapping for group-based admin propagation.
Deploy Authentik identity provider (C2 Mikado) (#227) ## Summary C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex. This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved. ## Current Mikado State - Goal: `deploy-authentik` (active) - Leaf prerequisites: - `build-authentik-container` — Build Nix container image - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster - `create-authentik-secrets` — Create 1Password item with credentials ## Process refinements - Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early ## Test plan - [ ] `mise run docs-mikado` shows correct dependency chain - [ ] Leaf nodes can be worked independently - [ ] Container builds on ringtail - [ ] Authentik starts and reaches healthy state - [ ] Forgejo OAuth2 connector works Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/227 2026-02-20 12:55:59 -08:00
			Blueprint file: `argocd/manifests/authentik/configmap-blueprint.yaml`

			`## OIDC Clients`

			`\| Client \| Status \|`
			`\|--------\|--------\|`
			`\| [[grafana]] \| Active \|`
Integrate Forgejo with Authentik OIDC Refactor Authentik blueprints into common.yaml (shared admins group), grafana.yaml (updated with !Find and groups scope), and forgejo.yaml (new provider + application). Add forgejo-client-secret to ExternalSecret and worker deployment. Configure Forgejo oauth2_client for auto-registration with login-based account linking to safely preserve existing accounts. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-20 16:10:01 -08:00			`\| [[forgejo]] \| Active \|`
Deploy Authentik identity provider (C2 Mikado) (#227) ## Summary C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex. This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved. ## Current Mikado State - Goal: `deploy-authentik` (active) - Leaf prerequisites: - `build-authentik-container` — Build Nix container image - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster - `create-authentik-secrets` — Create 1Password item with credentials ## Process refinements - Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early ## Test plan - [ ] `mise run docs-mikado` shows correct dependency chain - [ ] Leaf nodes can be worked independently - [ ] Container builds on ringtail - [ ] Authentik starts and reaches healthy state - [ ] Forgejo OAuth2 connector works Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/227 2026-02-20 12:55:59 -08:00
Integrate Forgejo with Authentik OIDC Refactor Authentik blueprints into common.yaml (shared admins group), grafana.yaml (updated with !Find and groups scope), and forgejo.yaml (new provider + application). Add forgejo-client-secret to ExternalSecret and worker deployment. Configure Forgejo oauth2_client for auto-registration with login-based account linking to safely preserve existing accounts. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-20 16:10:01 -08:00			`Future clients: [[argocd]], [[miniflux]], [[zot]]`
Deploy Authentik identity provider (C2 Mikado) (#227) ## Summary C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex. This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved. ## Current Mikado State - Goal: `deploy-authentik` (active) - Leaf prerequisites: - `build-authentik-container` — Build Nix container image - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster - `create-authentik-secrets` — Create 1Password item with credentials ## Process refinements - Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early ## Test plan - [ ] `mise run docs-mikado` shows correct dependency chain - [ ] Leaf nodes can be worked independently - [ ] Container builds on ringtail - [ ] Authentik starts and reaches healthy state - [ ] Forgejo OAuth2 connector works Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/227 2026-02-20 12:55:59 -08:00
			`## Secrets`

			`Injected via [[external-secrets]] from the "Authentik (blumeops)" 1Password item.`

			`\| 1Password Field \| Purpose \|`
			`\|-----------------\|---------\|`
			\| `secret-key` \| Authentik secret key \|
			\| `db-password` \| PostgreSQL password \|
			\| `grafana-client-secret` \| OIDC client secret for Grafana \|
Integrate Forgejo with Authentik OIDC Refactor Authentik blueprints into common.yaml (shared admins group), grafana.yaml (updated with !Find and groups scope), and forgejo.yaml (new provider + application). Add forgejo-client-secret to ExternalSecret and worker deployment. Configure Forgejo oauth2_client for auto-registration with login-based account linking to safely preserve existing accounts. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-20 16:10:01 -08:00			\| `forgejo-client-secret` \| OIDC client secret for Forgejo \|
Deploy Authentik identity provider (C2 Mikado) (#227) ## Summary C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex. This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved. ## Current Mikado State - Goal: `deploy-authentik` (active) - Leaf prerequisites: - `build-authentik-container` — Build Nix container image - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster - `create-authentik-secrets` — Create 1Password item with credentials ## Process refinements - Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early ## Test plan - [ ] `mise run docs-mikado` shows correct dependency chain - [ ] Leaf nodes can be worked independently - [ ] Container builds on ringtail - [ ] Authentik starts and reaches healthy state - [ ] Forgejo OAuth2 connector works Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/227 2026-02-20 12:55:59 -08:00			\| `api-token` \| Authentik API token \|

			`## Container Image`

			Nix-built via `dockerTools.buildLayeredImage`. The entrypoint wrapper symlinks built-in blueprint directories from the Nix store into `/blueprints/` at runtime, allowing custom blueprints to coexist with defaults. `AUTHENTIK_BLUEPRINTS_DIR=/blueprints` overrides the hardcoded Nix store path.

			`## Related`

			`- [[federated-login]] - How authentication works across BlumeOps`
			`- [[grafana]] - First OIDC client`
			`- [[deploy-authentik]] - Deployment how-to`
			`- [[external-secrets]] - Secrets injection from 1Password`