Nix-built authentik hardcodes blueprints_dir to the Nix store path.
Custom blueprints at /blueprints/custom/ are not discovered.
Need to override AUTHENTIK_BLUEPRINTS_DIR or patch the container.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Authentik is deployed but no services use it yet. New leaf node
to migrate Grafana's OIDC from Dex to Authentik, then decommission Dex.
Goal card re-activated with new dependency.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Mikado chain complete: all three prerequisites resolved, Authentik
server/worker/Redis healthy on k3s, accessible at authentik.ops.eblu.me.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Both prerequisites for deploy-authentik are now satisfied:
- CNPG managed role + ExternalSecret for authentik DB user
- 1Password item "Authentik (blumeops)" with all required fields
- Database created and cross-cluster connectivity verified
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Image registry.ops.eblu.me/blumeops/authentik:v1.0.0-nix built
via Nix on ringtail and verified in zot registry.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Mikado cards are discovered through failed attempts, not designed
upfront — they don't belong in plans/. Cards now live where they
topically belong (how-to/authentik/ for this chain). Updated
agent-change-process to document this convention.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>