From 9417bdb451b1f793aa0407dd14fab5693eaa2223 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Fri, 20 Feb 2026 11:55:25 -0800 Subject: [PATCH] Mikado: document blueprint loading issue on Nix container Nix-built authentik hardcodes blueprints_dir to the Nix store path. Custom blueprints at /blueprints/custom/ are not discovered. Need to override AUTHENTIK_BLUEPRINTS_DIR or patch the container. Co-Authored-By: Claude Opus 4.6 --- .../authentik/migrate-grafana-to-authentik.md | 27 ++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/docs/how-to/authentik/migrate-grafana-to-authentik.md b/docs/how-to/authentik/migrate-grafana-to-authentik.md index 3844151..495bdb9 100644 --- a/docs/how-to/authentik/migrate-grafana-to-authentik.md +++ b/docs/how-to/authentik/migrate-grafana-to-authentik.md 
@@ -40,9 +40,34 @@ Discovered while attempting [[deploy-authentik]]: Authentik is deployed and runn 3. Remove `dex` entry from Caddy reverse proxy (`ansible/roles/caddy/defaults/main.yml`) 4. Provision Caddy to apply the change +## What Was Done So Far + +### Completed + +- API token created and stored in 1Password "Authentik (blumeops)" field `api-token` +- `grafana-client-secret` generated and stored in 1Password "Authentik (blumeops)" +- Blueprint YAML created at `argocd/manifests/authentik/configmap-blueprint.yaml` defining: admins group, Grafana OAuth2 provider, Grafana application, and policy binding +- Blueprint ConfigMap mounted into worker at `/blueprints/custom/` +- ExternalSecret updated to pull `grafana-client-secret` from 1Password +- Grafana `values.yaml` updated to point at Authentik OIDC endpoints +- `external-secret-authentik-oauth.yaml` created to replace `external-secret-dex-oauth.yaml` + +### Blocked: Blueprint not loading + +**Root cause:** The Nix-built container hardcodes `blueprints_dir` to `/nix/store/3h1g...authentik-django-2025.10.1/blueprints` in its `default.yml`. Custom blueprints mounted at `/blueprints/custom/` are invisible because that path is not on the search path. + +**Fix options:** +1. Set env var `AUTHENTIK_BLUEPRINTS_DIR=/blueprints` and mount custom blueprints alongside copies/symlinks of the built-in ones — risky, could break built-in blueprints if the path doesn't include them. +2. Mount the custom blueprint ConfigMap directly into the Nix store blueprints path (e.g., `/nix/store/.../blueprints/custom/`) — fragile, path changes on rebuild. +3. Use the API to apply the configuration and skip file-based blueprints for now. Store the API calls in a mise task for reproducibility. +4. Patch the Nix container to set a writable `blueprints_dir` or create a wrapper that symlinks. + +**Recommendation:** Option 4 (patch container) or option 1 (override env var) are the cleanest. 
Need to test whether `AUTHENTIK_BLUEPRINTS_DIR` is respected and whether built-in blueprints still load from the Nix store path when overridden. + ## Notes -- Requires an Authentik API token — create one in Admin > System > Tokens, store as `api-token` field in "Authentik (blumeops)" 1Password item. +- Authentik API token stored as `api-token` in 1Password "Authentik (blumeops)". +- The `admins` group and Grafana provider/application created via API during investigation were cleaned up (deleted). ## Related
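Review bot: the rewritten `## Notes` bullet drops the instruction for how to obtain the token. The removed line said to create it in `Admin > System > Tokens`; the replacement only records where it is stored (`api-token` in the "Authentik (blumeops)" 1Password item). Since this doc is meant to be followed again if the token is rotated or lost, keep both halves, e.g. "Authentik API token (created in Admin > System > Tokens) stored as `api-token` in 1Password "Authentik (blumeops)"." Separately, the "Blocked" section recommends options 1 and 4 while the very next line admits it is untested whether `AUTHENTIK_BLUEPRINTS_DIR` is respected and whether built-in blueprints still load from the `/nix/store/...` path when it is overridden; option 1 also contradicts itself slightly by proposing to mount "copies/symlinks of the built-in ones" and then flagging that the path might not include them. Consider either demoting the recommendation to "candidate fixes, untested" or adding the concrete check you intend to run (for example, which worker log lines or which config file in the running container you will inspect to confirm the effective `blueprints_dir` and which blueprints were discovered), so the next person picking this up knows what "tested" means here.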