8 commits

Author	SHA1	Message	Date
Erich Blume	353a141181	Remove tag = "latest" from nix container definitions ... The tag field in buildLayeredImage is optional and only affects the local docker-archive output. The CI workflow tags with immutable SHA-based tags via skopeo, so "latest" is misleading noise. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-24 13:19:23 -07:00
Erich Blume	2d4098e480	Fix authentik 2026.2.0 migration ordering bug (#275) ... ## Summary - Patch `authentik_rbac/0010` migration to depend on `authentik_core/0056`, fixing non-deterministic ordering that crashes startup with `FieldError: Cannot resolve keyword 'group_id'` - Upstream bug: goauthentik/authentik#19616, #20634 — no fix released yet - Document the issue in the lessons-learned table ## Deployment and Testing - [ ] CI builds container image - [ ] Deploy from branch: `argocd app set authentik --revision fix/authentik-migration-ordering && argocd app sync authentik` - [ ] Pods reach Running/Ready without crash-looping - [ ] `kubectl logs` show 0056 migrating before 0010 - [ ] authentik UI loads at authentik.ops.eblu.me - [ ] `mise run services-check` - [ ] After merge: `argocd app set authentik --revision main && argocd app sync authentik` Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/275	2026-03-01 16:28:36 -08:00
Erich Blume	78027eb783	Fix authentik: entry_points API for Python 3.14 ... Python 3.14's EntryPoints uses string keys, not integer indices. eps[0] raises KeyError(0); use next(iter(eps)) instead. Verified on ringtail with the actual venv python. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-01 16:02:49 -08:00
Erich Blume	e49d966229	Fix authentik: symlink authentik/ for BASE_DIR resolution ... Django's BASE_DIR is $out but source lives in site-packages. Code like BASE_DIR / "authentik" / "sources" / "scim" / "schemas" / ... needs a top-level symlink to find data files alongside Python source. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-01 15:55:26 -08:00
Erich Blume	b7bfb0bfae	Fix authentik container: set TMPDIR=/tmp ... lifecycle/ak uses ${TMPDIR}/authentik-mode — without TMPDIR set it tries to write /authentik-mode in root, which user 65534 can't do. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-01 15:52:36 -08:00
Erich Blume	2ac353b7bf	Fix authentik container: create /tmp for unprivileged user ... buildLayeredImage doesn't create /tmp by default. The container runs as user 65534 (nobody) which can't mkdir /tmp at runtime. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-01 15:48:05 -08:00
Erich Blume	efa9806bfa	C2: Build authentik from source (Mikado chain) (#274) ... ## Mikado Chain: build-authentik-from-source Replace `pkgs.authentik` from nixpkgs with a custom Nix derivation built from source. This removes the dependency on the nixpkgs packaging timeline and gives full version control. Target version: **2025.12.4** (nixpkgs reference, upgrading from deployed 2025.10.1). ### Dependency Graph ``` build-authentik-from-source (goal) ├── authentik-go-server-derivation │ ├── authentik-api-client-generation ← IN PROGRESS │ └── authentik-python-backend-derivation ├── authentik-web-ui-derivation │ └── authentik-api-client-generation ← IN PROGRESS └── authentik-python-backend-derivation ``` ### Ready Leaves - `authentik-api-client-generation` — Go + TypeScript client generation from OpenAPI schema - `authentik-python-backend-derivation` — Django backend with 60+ deps, 4 in-tree packages ### Architecture Ported from [nixpkgs `pkgs/by-name/au/authentik/package.nix`](https://github.com/NixOS/nixpkgs/tree/master/pkgs/by-name/au/authentik): - `source.nix` — shared version/source fetch - `client-go.nix` — Go API client generation - `client-ts.nix` — TypeScript API client generation - `api-go-vendor-hook.nix` — Go vendor directory injection hook - (more components to follow as leaves are closed) ### Related Cards - [[build-authentik-from-source]] — Goal card - [[authentik-api-client-generation]] - [[authentik-python-backend-derivation]] - [[authentik-web-ui-derivation]] - [[authentik-go-server-derivation]] Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/274	2026-03-01 13:45:00 -08:00
Erich Blume	71cb256527	Deploy Authentik identity provider (C2 Mikado) (#227) ... ## Summary C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex. This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved. ## Current Mikado State - **Goal:** `deploy-authentik` (active) - **Leaf prerequisites:** - `build-authentik-container` — Build Nix container image - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster - `create-authentik-secrets` — Create 1Password item with credentials ## Process refinements - Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early ## Test plan - [ ] `mise run docs-mikado` shows correct dependency chain - [ ] Leaf nodes can be worked independently - [ ] Container builds on ringtail - [ ] Authentik starts and reaches healthy state - [ ] Forgejo OAuth2 connector works Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/227	2026-02-20 12:55:59 -08:00