Update docs: fix mealie storageClass, borgmatic SQLite backups, federated-login

- mealie.md: fix storageClassName to standard, add auth/backup sections
- borgmatic.md: document k8s SQLite dump pattern and mealie entry
- federated-login.md: remove ArgoCD from future work (already done),
  add mealie to related links

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docs/explanation/federated-login.md

@@ -76,11 +76,12 @@ Authentik enforces TOTP MFA on its default authentication flow (`not_configured_
 
 ## Future Work
 
-- **Additional services:** ArgoCD, Miniflux, Immich
+- **Additional services:** Miniflux, Immich
 
 ## Related
 
 - [[authentik]] - OIDC identity provider reference
 - [[grafana]] - First OIDC client
+- [[mealie]] - Recipe manager (public PKCE client)
 - [[security-model]] - Network security and access control
 - [[deploy-authentik]] - Deployment how-to

docs/reference/services/borgmatic.md

@@ -1,6 +1,6 @@
 ---
 title: Borgmatic
-modified: 2026-02-10
+modified: 2026-03-16
 tags:
   - service
   - backup
@@ -26,11 +26,15 @@ Daily backup system using Borg backup, running on indri.
 - `/opt/homebrew/var/forgejo` - Git forge data
 - `~/.config/borgmatic` - Borgmatic config
 - `~/Documents` - Personal documents
+- `~/.local/share/borgmatic/k8s-dumps/` - SQLite dumps from k8s pods
 
-**Databases:**
+**PostgreSQL databases:**
 - `miniflux` on [[postgresql]]
 - `teslamate` on [[postgresql]]
 
+**K8s SQLite databases (pre-backup dump via kubectl exec):**
+- [[mealie]] - Recipe manager (`/app/data/mealie.db`)
+
 **Not backed up (by design):**
 - ZIM archives (re-downloadable)
 - Prometheus metrics (ephemeral)

docs/reference/services/mealie.md

@@ -32,12 +32,20 @@ Self-hosted recipe manager with a REST API. Part of the meal planning pipeline:
 - API token auth for automation
 - OIDC login via [[authentik]] (public client with PKCE)
 
+## Authentication
+
+OIDC via [[authentik]] using a public client with PKCE (no client secret needed). All Authentik users can log in; members of the `admins` group get Mealie admin privileges via `OIDC_ADMIN_GROUP`.
+
 ## Storage
 
-- 2Gi PVC at `/app/data/` via `local-path` storageClassName
-- SQLite database (sufficient for single-user, no network storage concerns on minikube)
+- 2Gi PVC at `/app/data/` via `standard` storageClassName (minikube-hostpath)
+- SQLite database (sufficient for single-user)
 - Recipe images and assets stored alongside the database
 
+## Backup
+
+SQLite database backed up via [[borgmatic]]'s `before_backup` hook. Borgmatic runs `kubectl exec` to create a safe `.backup` copy (via Python's `sqlite3` module), then `kubectl cp` to the host. The dump lands in `~/.local/share/borgmatic/k8s-dumps/mealie.db` and is included in both local (sifaka) and offsite (BorgBase) backups.
+
 ## Networking
 
 | Endpoint | Reachable from |
@@ -48,5 +56,6 @@ Self-hosted recipe manager with a REST API. Part of the meal planning pipeline:
 
 ## Related
 
+- [[authentik]] — OIDC identity provider
 - [[ollama]] — LLM backend for meal timeline generation
 - [[borgmatic]] — Data backup