diff --git a/docs/changelog.d/doc-review-deploy-authentik.doc.md b/docs/changelog.d/doc-review-deploy-authentik.doc.md new file mode 100644 index 0000000..90dd081 --- /dev/null +++ b/docs/changelog.d/doc-review-deploy-authentik.doc.md @@ -0,0 +1 @@ +Review deploy-authentik card: rewrite as reproducible process guide, remove stale version info and future work section, mark plan as completed. diff --git a/docs/how-to/authentik/deploy-authentik.md b/docs/how-to/authentik/deploy-authentik.md index 224701d..5f95bb9 100644 --- a/docs/how-to/authentik/deploy-authentik.md +++ b/docs/how-to/authentik/deploy-authentik.md @@ -1,6 +1,7 @@ --- title: Deploy Authentik Identity Provider -modified: 2026-02-20 +modified: 2026-02-23 +last-reviewed: 2026-02-23 requires: - build-authentik-container - provision-authentik-database @@ -15,7 +16,7 @@ tags: # Deploy Authentik Identity Provider -Replace Dex with [Authentik](https://goauthentik.io/) as the SSO identity provider. Authentik is the **source of truth** for user identity in BlumeOps. Users are created and managed in Authentik; services authenticate against it via OIDC. Forgejo federation is deferred to a future effort (existing `eblume` account has extensive automations that need careful migration). +Replace Dex with [Authentik](https://goauthentik.io/) as the SSO identity provider. Authentik is the **source of truth** for user identity in BlumeOps. Users are created and managed in Authentik; services authenticate against it via OIDC. ## Architecture Decisions 
@@ -30,30 +31,22 @@ Replace Dex with [Authentik](https://goauthentik.io/) as the SSO identity provid | **Networking** | Tailscale Ingress + Caddy reverse proxy | Same pattern as Dex | | **IaC** | Authentik Blueprints (YAML in ConfigMap) | GitOps-native, config stored in repo | -## What Was Done +## Deployment Process -1. Built Nix container image (`v1.1.2-nix`) — `pkgs.authentik` + `coreutils` + `bashInteractive` + entrypoint wrapper for blueprint symlinks -2. Created 1Password item "Authentik (blumeops)" with secret key and DB credentials -3. Provisioned `authentik` database and CNPG managed role on `blumeops-pg` -4. Deployed to ringtail k3s: server, worker, Redis (3 deployments) -5. ExternalSecret pulls config from 1Password -6. Tailscale Ingress at `authentik.tail8d86e.ts.net` -7. Caddy reverse proxy at `authentik.ops.eblu.me` -8. Completed first-run wizard (admin account created) -9. Migrated Grafana OIDC from Dex to Authentik (Blueprint-driven) -10. Decommissioned Dex (ArgoCD app deleted, manifests removed, Caddy entry removed) +1. Build a Nix container image — Authentik needs `coreutils` and `bashInteractive` alongside the main package; the entrypoint wrapper must symlink built-in blueprint directories so custom blueprints coexist with defaults +2. Create secrets in 1Password (secret key, DB credentials, OIDC client secrets) +3. Provision a dedicated database and managed role on the shared CNPG cluster +4. Deploy server, worker, and Redis as separate deployments +5. Wire ExternalSecret to pull config from 1Password +6. Add Tailscale Ingress and Caddy reverse proxy entries +7. Complete the first-run wizard manually (creates admin account) +8. 
Migrate OIDC clients via Blueprints, then decommission the old IdP ## URLs - **Admin:** https://authentik.ops.eblu.me/if/admin/ - **Tailscale:** https://authentik.tail8d86e.ts.net -## Future Work (not blocking this card) - -- **Forgejo federation:** Make Forgejo an OIDC client of Authentik (deferred — needs careful `eblume` account migration) -- **Cross-cluster metrics:** Prometheus on indri scraping authentik on ringtail -- **Redis image:** Replace upstream `redis:7-alpine` with Nix-built container - ## Related - [[authentik]] — OIDC identity provider diff --git a/docs/how-to/plans/completed/completed.md b/docs/how-to/plans/completed/completed.md index 3ebfb06..1bac5af 100644 --- a/docs/how-to/plans/completed/completed.md +++ b/docs/how-to/plans/completed/completed.md @@ -1,6 +1,6 @@ --- title: Completed Plans -modified: 2026-02-14 +modified: 2026-02-23 tags: - how-to - plans @@ -16,3 +16,4 @@ Plans that have been fully implemented and verified. Kept for historical referen | [[segment-home-network]] | 2026-02-14 | Manual three-network segmentation for UniFi Express 7 | | [[operationalize-reolink-camera]] | 2026-02-15 | Deploy Frigate NVR stack with Mosquitto, Ntfy, and frigate-notify | | [[adopt-oidc-provider]] | 2026-02-19 | Deploy OIDC identity provider with Grafana SSO (initially Dex, replaced by Authentik) | +| [[deploy-authentik]] | 2026-02-20 | Deploy Authentik IdP with Nix container, Blueprints, and OIDC client migration | diff --git a/docs/how-to/plans/plans.md b/docs/how-to/plans/plans.md index dc28ef9..0f295f2 100644 --- a/docs/how-to/plans/plans.md +++ b/docs/how-to/plans/plans.md 
@@ -19,5 +19,5 @@ Plans differ from regular how-to guides in that they describe work that has been | [[upstream-fork-strategy]] | Planned | Stacked-branch forking strategy for tracking upstream projects | | [[adopt-oidc-provider]] | Completed | Deploy OIDC identity provider for SSO across services | | [[upgrade-grafana-helm-chart]] | Planned | Upgrade Grafana Helm chart from 8.8.2 to 11.x (3 phases) | -| [[deploy-authentik]] | Active (C2) | Deploy Authentik IdP — Mikado chain tracked in `how-to/authentik/` | +| [[deploy-authentik]] | Completed | Deploy Authentik IdP — Mikado chain tracked in `how-to/authentik/` | | [[operationalize-reolink-camera]] | Planned | Cloud-free NVR with Frigate, object detection, and ring buffer recording to sifaka | diff --git a/docs/reference/services/authentik.md b/docs/reference/services/authentik.md index 3383344..2be467f 100644 --- a/docs/reference/services/authentik.md +++ b/docs/reference/services/authentik.md @@ -20,7 +20,6 @@ OIDC identity provider for BlumeOps. Authentik is the **source of truth** for us | **Tailscale URL** | https://authentik.tail8d86e.ts.net | | **Namespace** | `authentik` | | **Cluster** | k3s (ringtail) | -| **Image** | `registry.ops.eblu.me/blumeops/authentik:v1.1.2-nix` | | **Manifests** | `argocd/manifests/authentik/` | | **Container build** | `containers/authentik/default.nix` |
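Review bot: in the `@@ -15,7 +16,7 @@` hunk of `docs/how-to/authentik/deploy-authentik.md`, deleting the Forgejo sentence also deletes the only recorded reason Forgejo is not yet an OIDC client of Authentik (the existing `eblume` account's automations). Because the same paragraph presents Authentik as the source of truth for identity, a reader will assume every service authenticates against it; keep one sentence stating that Forgejo still uses its own accounts, or link to wherever that deferral is now tracked.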
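Review bot: in the `@@ -30,30 +31,22 @@` hunk of `deploy-authentik.md`, the new step order publishes the service on both the Tailscale Ingress and the Caddy reverse proxy (step 6) before the first-run wizard creates the admin account (step 7), so the unauthenticated bootstrap flow is reachable on both paths until an operator completes it; either move step 7 ahead of the Caddy entry or add a sentence telling the operator to finish the wizard as soon as the Tailscale route is up. Two smaller points in the same hunk: step 2 puts OIDC client secrets in 1Password and step 8 migrates clients via Blueprints, which the table above stores as YAML in a ConfigMap, so the guide should say how a blueprint references a client secret without the value landing in the ConfigMap (presumably via the ExternalSecret of step 5); and removing the Future Work section drops three open items with no forwarding pointer (Forgejo as an OIDC client, cross-cluster metrics, and the upstream `redis:7-alpine` image still running beside the Nix-built server and worker). The Redis one matters for a process guide, since step 4 presents Redis as part of the same deployment; suggest a short "Known gaps" list here or moving the items to the plan page rather than deleting them.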
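Review bot: in the `docs/how-to/plans/plans.md` hunk, the status flips to Completed but the description still reads "Mikado chain tracked in `how-to/authentik/`", which describes how the work was tracked rather than what shipped; the other Completed row in this table ([[adopt-oidc-provider]]) describes the outcome. Suggest reusing the text from the new `completed.md` row: "Deploy Authentik IdP with Nix container, Blueprints, and OIDC client migration".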
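Review bot: in the `docs/reference/services/authentik.md` hunk, removing the `Image` row leaves the reference card with no statement of which image the cluster runs or where that tag is pinned. Dropping the stale `v1.1.2-nix` value is the right call, but a service card is the first place an operator looks when checking what is deployed, so suggest replacing the row with a pointer to the manifest that pins the tag (the `argocd/manifests/authentik/` path from the Manifests row) instead of deleting it outright.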