Deploy Authentik identity provider (C2 Mikado) (#227)

## Summary
C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex.

This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved.

## Current Mikado State
- **Goal:** `deploy-authentik` (active)
- **Leaf prerequisites:**
  - `build-authentik-container` — Build Nix container image
  - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster
  - `create-authentik-secrets` — Create 1Password item with credentials

## Process refinements
- Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early

## Test plan
- [ ] `mise run docs-mikado` shows correct dependency chain
- [ ] Leaf nodes can be worked independently
- [ ] Container builds on ringtail
- [ ] Authentik starts and reaches healthy state
- [ ] Forgejo OAuth2 connector works

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/227
Erich Blume 2026-02-20 12:55:59 -08:00
commit 71cb256527
46 changed files with 848 additions and 395 deletions


@ -63,5 +63,14 @@ Migration and transition plans for upcoming infrastructure changes.
| [[harden-zot-registry]] | Add authentication and tag immutability to zot registry |
| [[forgejo-actions-dashboard]] | Grafana dashboard for Forgejo Actions CI metrics |
| [[upgrade-grafana-helm-chart]] | Upgrade Grafana Helm chart from 8.8.2 to 11.x |
| [[deploy-authentik]] | Deploy Authentik identity provider to replace Dex |
| [[operationalize-reolink-camera]] | Cloud-free NVR with Frigate and ring buffer recording |
## Authentik
Mikado chain for deploying Authentik. Track progress with `mise run docs-mikado deploy-authentik`.
- [[deploy-authentik]]
- [[build-authentik-container]]
- [[provision-authentik-database]]
- [[create-authentik-secrets]]
- [[migrate-grafana-to-authentik]]
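Review bot: the list under `## Authentik` is flat, so the five links read as siblings rather than as a dependency chain, and it includes `- [[migrate-grafana-to-authentik]]`, which the PR summary's "Current Mikado State" does not list among the goal's leaf prerequisites (`build-authentik-container`, `provision-authentik-database`, `create-authentik-secrets`). Either nest the prerequisites under `- [[deploy-authentik]]` (and `migrate-grafana-to-authentik` under whichever node it depends on) or add a sentence saying the section lists every card in the chain regardless of depth, and add the Grafana migration card to the summary so the two stay in sync. Also consider a blank line between the `| [[operationalize-reolink-camera]] | ...` row and the `## Authentik` heading: the heading currently abuts the table, and some Markdown renderers only terminate a table at a blank line.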