diff --git a/docs/changelog.d/feature-deploy-authentik.feature.md b/docs/changelog.d/feature-deploy-authentik.feature.md new file mode 100644 index 0000000..e2d2daf --- /dev/null +++ b/docs/changelog.d/feature-deploy-authentik.feature.md @@ -0,0 +1 @@ +Deploy Authentik identity provider on ringtail k3s cluster, replacing Dex as the SSO provider. Includes Nix-built container, CNPG database, Redis, and Caddy routing at `authentik.ops.eblu.me`. diff --git a/docs/how-to/authentik/deploy-authentik.md b/docs/how-to/authentik/deploy-authentik.md index 6c59291..ce4165d 100644 --- a/docs/how-to/authentik/deploy-authentik.md +++ b/docs/how-to/authentik/deploy-authentik.md @@ -1,6 +1,5 @@ --- title: Deploy Authentik Identity Provider -status: active modified: 2026-02-20 requires: - build-authentik-container 
@@ -22,17 +21,35 @@ Replace [[dex]] with [Authentik](https://goauthentik.io/) as the SSO identity pr | Decision | Choice | Rationale | |----------|--------|-----------| | **Cluster** | [[ringtail]] (k3s) | IdP independent of main services cluster, same as Dex | -| **Database** | CNPG `blumeops-pg` on [[indri]] | Cross-cluster via Tailscale, no new operator needed | +| **Database** | CNPG `blumeops-pg` on [[indri]] | Cross-cluster via Caddy L4 (`pg.ops.eblu.me`), no new operator needed | | **Redis** | Co-deployed in authentik namespace | Required for caching/sessions/task queue | | **Containers** | Nix-built (`dockerTools.buildLayeredImage`) | Supply chain control, consistent with Dex/ntfy pattern | | **Manifests** | Kustomize (no Helm) | Consistent with all other BlumeOps services | | **Networking** | Tailscale Ingress + Caddy reverse proxy | Same pattern as Dex | -## Open Questions +## What Was Done -- ~~**nixpkgs:** Verify `pkgs.authentik` exists.~~ **Resolved:** exists at v2025.10.1, entrypoint is `ak` (bash wrapper). See [[build-authentik-container]]. -- **Cross-cluster metrics:** Prometheus on indri scraping authentik on ringtail needs a new pattern (Dex has no metrics collection today). -- **Dex decommission:** Separate effort after all OIDC clients migrate to Authentik. +1. Built Nix container image (`v1.1.0-nix`) — `pkgs.authentik` + `coreutils` + `bashInteractive` +2. Created 1Password item "Authentik (blumeops)" with secret key and DB credentials +3. Provisioned `authentik` database and CNPG managed role on `blumeops-pg` +4. Deployed to ringtail k3s: server, worker, Redis (3 deployments) +5. ExternalSecret pulls config from 1Password +6. Tailscale Ingress at `authentik.tail8d86e.ts.net` +7. 
Caddy reverse proxy at `authentik.ops.eblu.me` + +## URLs + +- **Admin:** https://authentik.ops.eblu.me/if/admin/ +- **Tailscale:** https://authentik.tail8d86e.ts.net + +## Remaining Work + +- **Initial setup:** Complete first-run wizard (create admin account) +- **Forgejo connector:** Configure OAuth2 source for Forgejo federation +- **Client migration:** Move Grafana (and future services) from Dex to Authentik +- **Cross-cluster metrics:** Prometheus on indri scraping authentik on ringtail +- **Dex decommission:** Separate effort after all OIDC clients migrate +- **Redis image:** Replace upstream `redis:7-alpine` with Nix-built container ## Related
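Review bot: in the changelog hunk, "replacing Dex as the SSO provider" overstates what this change does; the how-to's own Remaining Work section still lists Grafana client migration and the Dex decommission as outstanding, so Dex is not replaced yet. Suggest phrasing it as the intended replacement, e.g. `+Deploy Authentik identity provider on ringtail k3s cluster as the planned replacement for Dex as the SSO provider.` so the changelog and the how-to agree on current state.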
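Review bot: in the frontmatter hunk (`@@ -1,6 +1,5 @@`), `-status: active` is removed with no replacement value, and `modified: 2026-02-20` is left untouched even though the body below is rewritten from "Open Questions" to "What Was Done". If `status:` is the field other how-to pages use to track a page's state, set it to the completed state rather than deleting it, and bump `modified:` to the date of this change so readers can tell the page reflects the deployed state.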
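Review bot: in the body hunk (`@@ -22,17 +21,35 @@`), the Database row changes the cross-cluster Postgres path from Tailscale to Caddy L4 at `pg.ops.eblu.me`, but neither the table nor the "What Was Done" list states whether the connection is TLS-enforced now that it no longer rides a Tailscale tunnel; please add a line giving the SSL mode the DSN uses (for example `sslmode=verify-full`) and how the server certificate is validated, since DB credentials for `authentik` traverse that path. Two smaller points in the same hunk: the Containers row still says "Nix-built" for all containers while step 4 deploys Redis and Remaining Work admits it runs upstream `redis:7-alpine`, so note that exception in the table's rationale; and the 1Password / ExternalSecret steps (2 and 5) would read more clearly with the ExternalSecret name and which keys it maps, so the next person can verify the secret without opening the cluster.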