Fix authentik 2026.2.0 migration ordering bug (#275)

## Summary

- Patch `authentik_rbac/0010` migration to depend on `authentik_core/0056`, fixing non-deterministic ordering that crashes startup with `FieldError: Cannot resolve keyword 'group_id'`
- Upstream bug: goauthentik/authentik#19616, #20634 — no fix released yet
- Document the issue in the lessons-learned table

## Deployment and Testing

- [ ] CI builds container image
- [ ] Deploy from branch: `argocd app set authentik --revision fix/authentik-migration-ordering && argocd app sync authentik`
- [ ] Pods reach Running/Ready without crash-looping
- [ ] `kubectl logs` show 0056 migrating before 0010
- [ ] authentik UI loads at authentik.ops.eblu.me
- [ ] `mise run services-check`
- [ ] After merge: `argocd app set authentik --revision main && argocd app sync authentik`

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/275

containers/authentik/authentik-django.nix

@@ -136,6 +136,14 @@ pkgs.stdenv.mkDerivation {
       --replace-fail 'Path("web/dist/assets/icons/icon_left_brand.png")' \
                      'Path("${webuiPath}/dist/assets/icons/icon_left_brand.png")'
 
+    # Migration ordering: 0010 removes Role.group_id, but 0056 needs it
+    # for data migration. Upstream bug in authentik 2026.2.0.
+    # https://github.com/goauthentik/authentik/issues/19616
+    substituteInPlace ${sp}/authentik/rbac/migrations/0010_remove_role_group_alter_role_name.py \
+      --replace-fail \
+        '("authentik_rbac", "0009_remove_initialpermissions_mode"),' \
+        '("authentik_rbac", "0009_remove_initialpermissions_mode"), ("authentik_core", "0056_user_roles"),'
+
     # Lifecycle bash script: use Nix store bash (no /usr/bin/env in containers)
     substituteInPlace ${sp}/lifecycle/ak \
       --replace-fail '#!/usr/bin/env -S bash' '#!${pkgs.bash}/bin/bash'