diff --git a/docs/how-to/how-to.md b/docs/how-to/how-to.md
index 356c2b2..edd5b2f 100644
--- a/docs/how-to/how-to.md
+++ b/docs/how-to/how-to.md
@@ -64,4 +64,7 @@ Migration and transition plans for upcoming infrastructure changes.
 | [[forgejo-actions-dashboard]] | Grafana dashboard for Forgejo Actions CI metrics |
 | [[upgrade-grafana-helm-chart]] | Upgrade Grafana Helm chart from 8.8.2 to 11.x |
 | [[deploy-authentik]] | Deploy Authentik identity provider to replace Dex |
+| [[build-authentik-container]] | Build Nix container image for Authentik |
+| [[provision-authentik-database]] | Create PostgreSQL database for Authentik |
+| [[create-authentik-secrets]] | Create 1Password secrets for Authentik |
 | [[operationalize-reolink-camera]] | Cloud-free NVR with Frigate and ring buffer recording |
diff --git a/docs/how-to/plans/build-authentik-container.md b/docs/how-to/plans/build-authentik-container.md
new file mode 100644
index 0000000..e1326f3
--- /dev/null
+++ b/docs/how-to/plans/build-authentik-container.md
@@ -0,0 +1,36 @@
+---
+title: Build Authentik Container Image
+status: active
+modified: 2026-02-20
+tags:
+  - how-to
+  - plans
+  - authentik
+---
+
+# Build Authentik Container Image
+
+Build and publish a Nix-based container image for Authentik to the local registry.
+
+## Context
+
+Discovered while attempting [[deploy-authentik]]: the deployment references `registry.ops.eblu.me/blumeops/authentik:v1.0.0-nix` which doesn't exist. Authentik's nixpkgs package (`pkgs.authentik`) provides the `ak` wrapper which orchestrates a Go server binary and Python Django worker.
+
+## What to Do
+
+1. Verify `containers/authentik/default.nix` builds on ringtail (the Nix builder runs there)
+2. The `ak` entrypoint needs bash (included via `bashInteractive`) and orchestrates both `server` and `worker` subcommands
+3. Tag and release: `mise run container-tag-and-release authentik v1.0.0`
+4. Verify the `-nix` tagged image appears in the registry
+
+## What We Learned
+
+- The entrypoint is `ak` (bash wrapper), not `authentik` (Go binary)
+- `ak server` runs the Go HTTP server, `ak worker` runs the Python Django worker
+- `pkgs.authentik` bundles Go binary, Python environment, and static assets via `wrapProgram`
+- nixpkgs has v2025.10.1, upstream latest is 2025.12.4 — acceptable for initial deployment
+- Container needs `bashInteractive` since `ak` is a bash script
+
+## Related
+
+- [[deploy-authentik]] — Parent goal
diff --git a/docs/how-to/plans/create-authentik-secrets.md b/docs/how-to/plans/create-authentik-secrets.md
new file mode 100644
index 0000000..7cf57a4
--- /dev/null
+++ b/docs/how-to/plans/create-authentik-secrets.md
@@ -0,0 +1,39 @@
+---
+title: Create Authentik Secrets
+status: active
+modified: 2026-02-20
+tags:
+  - how-to
+  - plans
+  - authentik
+  - secrets
+---
+
+# Create Authentik Secrets
+
+Create the 1Password item that the ExternalSecret references for Authentik configuration.
+
+## Context
+
+Discovered while attempting [[deploy-authentik]]: the ExternalSecret references 1Password item "Authentik (blumeops)" which doesn't exist. Without it, the `authentik-config` Kubernetes secret won't be created and pods can't start.
+
+## What to Do
+
+1. Generate a random secret key for Authentik (`AUTHENTIK_SECRET_KEY`)
+2. Create 1Password item "Authentik (blumeops)" in vault `blumeops` with fields:
+   - `secret-key`: random 50+ character string
+   - `postgresql-host`: Tailscale-accessible postgres hostname
+   - `postgresql-port`: `5432`
+   - `postgresql-name`: `authentik`
+   - `postgresql-user`: `authentik`
+   - `postgresql-password`: the password from [[provision-authentik-database]]
+3. Verify the ExternalSecret can resolve on ringtail's cluster
+
+## Notes
+
+- This partially depends on [[provision-authentik-database]] for the postgres password, but the 1Password item structure and secret key can be created independently.
+
+## Related
+
+- [[deploy-authentik]] — Parent goal
+- [[provision-authentik-database]] — Source of database credentials
diff --git a/docs/how-to/plans/deploy-authentik.md b/docs/how-to/plans/deploy-authentik.md
index f977ddd..338e15f 100644
--- a/docs/how-to/plans/deploy-authentik.md
+++ b/docs/how-to/plans/deploy-authentik.md
@@ -2,6 +2,10 @@
 title: Deploy Authentik Identity Provider
 status: active
 modified: 2026-02-20
+requires:
+  - build-authentik-container
+  - provision-authentik-database
+  - create-authentik-secrets
 tags:
   - how-to
   - plans
@@ -27,7 +31,7 @@ Replace [[dex]] with [Authentik](https://goauthentik.io/) as the SSO identity pr
 
 ## Open Questions
 
-- **nixpkgs:** Verify `pkgs.authentik` exists. If not, packaging from source is a significant sub-task.
+- ~~**nixpkgs:** Verify `pkgs.authentik` exists.~~ **Resolved:** exists at v2025.10.1, entrypoint is `ak` (bash wrapper). See [[build-authentik-container]].
 - **Cross-cluster metrics:** Prometheus on indri scraping authentik on ringtail needs a new pattern (Dex has no metrics collection today).
 - **Dex decommission:** Separate effort after all OIDC clients migrate to Authentik.
 
diff --git a/docs/how-to/plans/plans.md b/docs/how-to/plans/plans.md
index bce7184..a4c3293 100644
--- a/docs/how-to/plans/plans.md
+++ b/docs/how-to/plans/plans.md
@@ -22,4 +22,7 @@ Plans differ from regular how-to guides in that they describe work that has been
 | [[forgejo-actions-dashboard]] | Planned | Grafana dashboard and custom Prometheus exporter for Forgejo Actions CI metrics |
 | [[upgrade-grafana-helm-chart]] | Planned | Upgrade Grafana Helm chart from 8.8.2 to 11.x (3 phases) |
 | [[deploy-authentik]] | Active (C2) | Deploy Authentik identity provider to replace Dex for full SSO and user management |
+| [[build-authentik-container]] | Active (C2) | Build Nix container image for Authentik (prerequisite of deploy-authentik) |
+| [[provision-authentik-database]] | Active (C2) | Create PostgreSQL database for Authentik (prerequisite of deploy-authentik) |
+| [[create-authentik-secrets]] | Active (C2) | Create 1Password secrets for Authentik (prerequisite of deploy-authentik) |
 | [[operationalize-reolink-camera]] | Planned | Cloud-free NVR with Frigate, object detection, and ring buffer recording to sifaka |
diff --git a/docs/how-to/plans/provision-authentik-database.md b/docs/how-to/plans/provision-authentik-database.md
new file mode 100644
index 0000000..49381f2
--- /dev/null
+++ b/docs/how-to/plans/provision-authentik-database.md
@@ -0,0 +1,34 @@
+---
+title: Provision Authentik Database
+status: active
+modified: 2026-02-20
+tags:
+  - how-to
+  - plans
+  - authentik
+  - postgresql
+---
+
+# Provision Authentik Database
+
+Create a PostgreSQL database and user for Authentik on the existing CNPG cluster.
+
+## Context
+
+Discovered while attempting [[deploy-authentik]]: Authentik requires a PostgreSQL database, but no `authentik` database exists on `blumeops-pg`. The CNPG cluster runs on [[indri]] (minikube) and is reachable from [[ringtail]] via Tailscale at `blumeops-pg-rw.databases.svc:5432` or the Tailscale endpoint.
+
+## What to Do
+
+1. Create database `authentik` and user `authentik` on the CNPG cluster
+2. Store credentials in 1Password (part of the "Authentik (blumeops)" item)
+3. Verify cross-cluster connectivity: ringtail pod → indri postgres via Tailscale
+
+## Open Questions
+
+- What Tailscale hostname does the CNPG cluster expose? Need to check if there's a Tailscale Ingress for postgres or if we need to use the MagicDNS name directly.
+- Should the database user have limited permissions or superuser access?
+
+## Related
+
+- [[deploy-authentik]] — Parent goal
+- [[postgresql]] — CNPG cluster reference