diff --git a/argocd/manifests/authentik/kustomization.yaml b/argocd/manifests/authentik/kustomization.yaml
index fa1e92c..1228d87 100644
--- a/argocd/manifests/authentik/kustomization.yaml
+++ b/argocd/manifests/authentik/kustomization.yaml
@@ -15,4 +15,5 @@ images:
 - name: registry.ops.eblu.me/blumeops/authentik
 newTag: v2026.2.0-2d4098e-nix
 - name: docker.io/library/redis
+ newName: registry.ops.eblu.me/blumeops/authentik-redis
 newTag: 7-alpine
diff --git a/containers/authentik-redis/default.nix b/containers/authentik-redis/default.nix
new file mode 100644
index 0000000..98c09f4
--- /dev/null
+++ b/containers/authentik-redis/default.nix
@@ -0,0 +1,31 @@
+# Nix-built Redis for Authentik
+# Attached service: cache/broker (sessions, Celery task queue, caching)
+# Uses Redis from nixpkgs, packaged with dockerTools.buildLayeredImage
+#
+# The version assertion ensures nix-build fails if a flake.lock update
+# changes the Redis version — forcing an explicit version acknowledgment
+# here and in service-versions.yaml (enforced by container-version-check).
+{ pkgs ? import { } }:
+ let
+ version = "8.2.3";
+ in
+ assert pkgs.redis.version == version;
+ pkgs.dockerTools.buildLayeredImage {
+ name = "blumeops/authentik-redis";
+ tag = "latest";
+ contents = [
+ pkgs.redis
+ ];
+ config = {
+ Entrypoint = [ "${pkgs.redis}/bin/redis-server" ];
+ Cmd = [ "--protected-mode" "no" ];
+ ExposedPorts = {
+ "6379/tcp" = { };
+ };
+ };
+ }
diff --git a/docs/changelog.d/localize-redis.infra.md b/docs/changelog.d/localize-redis.infra.md
new file mode 100644
index 0000000..2d6b382
--- /dev/null
+++ b/docs/changelog.d/localize-redis.infra.md
@@ -0,0 +1 @@
+Localize authentik-redis container: replace upstream `redis:7-alpine` with nix-built image from nixpkgs (Redis 8.2.3). Introduces attached service pattern with `parent` field in service-versions.yaml and version assertion in default.nix to prevent silent version drift.
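Review bot: `newTag: 7-alpine` is kept while the image source switches to the Nix build, which tags itself `latest` in default.nix (same commit) and ships Redis 8.2.3 per the changelog, so `registry.ops.eblu.me/blumeops/authentik-redis:7-alpine` only resolves if the push step retags the build — and even then the tag names a Redis 7 variant that no longer describes the contents. Unless the pipeline does that retagging, this line should point at the tag the build actually publishes, preferably following the versioned convention the authentik entry two lines above already uses (a `v<version>-<sha>-nix` style tag, placeholder pattern) rather than `latest`, so the ArgoCD sync is reproducible and the version drift the assertion in default.nix guards against is also visible in the manifest.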
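Review bot: The image `config` sets no `User`, so `redis-server` runs as root inside the container unless the Deployment's securityContext overrides it — a step back from the `redis:7-alpine` image this replaces, whose entrypoint drops to the unprivileged `redis` user as far as I recall. Consider adding a numeric `User = "<uid>:<gid>";` (placeholder; numeric because the layered image carries no /etc/passwd) together with a writable working directory or `"--save" ""`, since redis-server started without a config file periodically writes `dump.rdb` to its cwd, or confirm the pod pins `runAsNonRoot`. `Cmd = [ "--protected-mode" "no" ]` is what in-cluster Redis normally needs to accept pod-to-pod connections, but it also removes the only built-in refusal of unauthenticated non-loopback clients, so a line in the header comment stating that reachability is meant to be bounded by the Service/NetworkPolicy (or that a `--requirepass` from a Secret is intended) would record the decision. Finally, `tag = "latest"` here does not agree with the `newTag: 7-alpine` the kustomization in this same commit still references.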
diff --git a/docs/how-to/knowledgebase/review-services.md b/docs/how-to/knowledgebase/review-services.md
index 713a021..675bdd6 100644
--- a/docs/how-to/knowledgebase/review-services.md
+++ b/docs/how-to/knowledgebase/review-services.md
@@ -1,6 +1,6 @@
 ---
 title: Review Services
-modified: 2026-02-19
+modified: 2026-03-24
 last-reviewed: 2026-03-07
 tags:
 - how-to
@@ -59,6 +59,29 @@ mise run service-review --type hybrid
 2. Review the Nix derivation or flake input for version pins
 3. If upgrading, update and deploy via `mise run provision-ringtail`
+## Attached Services
+
+Some services have auxiliary dependencies that run as separate containers — caches, sidecars, init helpers. These are tracked as **attached services** with a naming convention and an optional `parent` field:
+
+```yaml
+- name: authentik-redis
+ type: argocd
+ parent: authentik
+ current-version: "8.2.3"
+ upstream-source: https://github.com/redis/redis/releases
+ notes: >-
+ Attached service: Redis cache/broker for Authentik.
+```
+
+**Conventions:**
+
+- **Naming:** `-` (e.g., `authentik-redis`, `grafana-sidecar`)
+- **`parent` field:** points to the parent service entry. Currently informational — the review task doesn't use it yet, but it enables future grouping/dependency-aware reviews.
+- **`notes` field:** always starts with "Attached service:" to make the relationship clear at a glance.
+- **Version tracking:** attached services that use nixpkgs packages should include a version assertion in `default.nix` (`assert pkgs..version == version;`) so that `flake.lock` updates that change the package version break the build and force explicit acknowledgment.
+
+Existing attached services: `grafana-sidecar`, `authentik-redis`.
+
 ## Version Tracking Convention
 The `current-version` field in `service-versions.yaml` tracks the **upstream application version**, not the container image tag. For services with custom-built containers, the container image tag (e.g., `v1.0.0`) is decoupled from the contained app version (e.g., `v1.10.1`). This allows container rebuilds (base image updates, build fixes) without implying an upstream version change.
diff --git a/service-versions.yaml b/service-versions.yaml
index 370e134..2aa82fd 100644
--- a/service-versions.yaml
+++ b/service-versions.yaml
@@ -104,6 +104,7 @@ services:
 - name: grafana-sidecar
 type: argocd
+ parent: grafana
 last-reviewed: "2026-03-03"
 current-version: "1.28.0"
 upstream-source: https://github.com/kiwigrid/k8s-sidecar/releases
@@ -157,6 +158,16 @@ services:
 current-version: "2026.2.0"
 upstream-source: https://github.com/goauthentik/authentik/releases
+ - name: authentik-redis
+ type: argocd
+ parent: authentik
+ last-reviewed: "2026-03-24"
+ current-version: "8.2.3"
+ upstream-source: https://github.com/redis/redis/releases
+ notes: >-
+ Attached service: Redis cache/broker for Authentik (sessions, Celery task
+ queue, caching). Nix-built container from nixpkgs with version assertion.
+
 - name: ollama
 type: argocd
 last-reviewed: "2026-03-02"