blumeops/docs/how-to/authentik/provision-authentik-database.md

---
title: Provision Authentik Database
modified: 2026-02-20
last-reviewed: 2026-02-25
tags:
  - how-to
  - authentik
  - postgresql
---

# Provision Authentik Database

Create a PostgreSQL database and user for Authentik on the existing CNPG cluster.

## What Was Done

1. Added `authentik` managed role to `blumeops-pg` CNPG cluster (`argocd/manifests/databases/blumeops-pg.yaml`) — non-superuser with `createdb` and `login`
2. Created ExternalSecret `blumeops-pg-authentik` pulling password from 1Password item "Authentik (blumeops)" field `postgresql-password`
3. Synced CNPG cluster — role reconciled with password set
4. Created `authentik` database owned by `authentik` user
5. Verified cross-cluster connectivity: ringtail pod → `pg.ops.eblu.me:5432` (Caddy L4)

## Resolved Questions

- **Hostname:** `pg.ops.eblu.me` via Caddy L4 plugin (not MagicDNS)
- **Permissions:** Non-superuser with `createdb` — Authentik manages its own schema via migrations

## Related

- [[deploy-authentik]] — Parent goal
- [[postgresql]] — CNPG cluster reference
Deploy Authentik identity provider (C2 Mikado) (#227) ## Summary C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex. This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved. ## Current Mikado State - Goal: `deploy-authentik` (active) - Leaf prerequisites: - `build-authentik-container` — Build Nix container image - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster - `create-authentik-secrets` — Create 1Password item with credentials ## Process refinements - Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early ## Test plan - [ ] `mise run docs-mikado` shows correct dependency chain - [ ] Leaf nodes can be worked independently - [ ] Container builds on ringtail - [ ] Authentik starts and reaches healthy state - [ ] Forgejo OAuth2 connector works Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/227 2026-02-20 12:55:59 -08:00			`---`
			`title: Provision Authentik Database`
			`modified: 2026-02-20`
Review 3 how-to docs and fix update-tailscale-acls inaccuracies Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-25 07:02:49 -08:00			`last-reviewed: 2026-02-25`
Deploy Authentik identity provider (C2 Mikado) (#227) ## Summary C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex. This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved. ## Current Mikado State - Goal: `deploy-authentik` (active) - Leaf prerequisites: - `build-authentik-container` — Build Nix container image - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster - `create-authentik-secrets` — Create 1Password item with credentials ## Process refinements - Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early ## Test plan - [ ] `mise run docs-mikado` shows correct dependency chain - [ ] Leaf nodes can be worked independently - [ ] Container builds on ringtail - [ ] Authentik starts and reaches healthy state - [ ] Forgejo OAuth2 connector works Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/227 2026-02-20 12:55:59 -08:00			`tags:`
			`- how-to`
			`- authentik`
			`- postgresql`
			`---`

			`# Provision Authentik Database`

			`Create a PostgreSQL database and user for Authentik on the existing CNPG cluster.`

			`## What Was Done`

			1. Added `authentik` managed role to `blumeops-pg` CNPG cluster (`argocd/manifests/databases/blumeops-pg.yaml`) — non-superuser with `createdb` and `login`
			2. Created ExternalSecret `blumeops-pg-authentik` pulling password from 1Password item "Authentik (blumeops)" field `postgresql-password`
			`3. Synced CNPG cluster — role reconciled with password set`
			4. Created `authentik` database owned by `authentik` user
			5. Verified cross-cluster connectivity: ringtail pod → `pg.ops.eblu.me:5432` (Caddy L4)

			`## Resolved Questions`

			- Hostname: `pg.ops.eblu.me` via Caddy L4 plugin (not MagicDNS)
			- Permissions: Non-superuser with `createdb` — Authentik manages its own schema via migrations

			`## Related`

			`- [[deploy-authentik]] — Parent goal`
			`- [[postgresql]] — CNPG cluster reference`