!Env expects a bare string (e.g. !Env FOO), not a YAML sequence
(!Env [FOO]). The list form caused IndexError during blueprint
discovery.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
extraCommands in buildLayeredImage can't access store paths from
contents (they're in separate layers), so the glob matched nothing.
Instead, create a wrapper entrypoint that symlinks built-in blueprint
dirs from the Nix store into /blueprints at container start. The
directory is created world-writable so user 65534 can create links.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
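As an added illustration of the wrapper-entrypoint approach described in the message above (this is example code, not the project's own entrypoint): a POSIX sh function that creates the shared blueprint directory, makes it world-writable so an unprivileged uid such as 65534 can add links, and symlinks each built-in blueprint directory into it under its basename. The built-in directories are passed as arguments here; in the real container they would be the Nix store paths, and the script would finish with `exec ak "$@"`. The sticky bit (mode 1777) and the skip/keep handling of missing or pre-existing entries are choices made for this example, not something the message specifies.

```shell
#!/bin/sh
# Added example, not the project's entrypoint. Assumptions: built-in blueprint
# directories arrive as arguments (stand-ins for Nix store paths); the real
# wrapper would `exec ak "$@"` after link_blueprints returns.
set -eu

# link_blueprints TARGET SRC... : create TARGET world-writable (1777, so an
# unprivileged uid can add links but not remove others' entries) and symlink
# each SRC into it under its basename. Existing symlinks are replaced so the
# wrapper is safe to re-run; a real directory at the same name is left alone.
link_blueprints() {
  target="$1"; shift
  mkdir -p "$target"
  chmod 1777 "$target"
  for src in "$@"; do
    [ -d "$src" ] || { echo "skip: $src is not a directory" >&2; continue; }
    name=$(basename "$src")
    dest="$target/$name"
    if [ -L "$dest" ]; then
      ln -sfn "$src" "$dest"      # refresh a stale link from an earlier start
    elif [ -e "$dest" ]; then
      echo "keep: $dest exists and is not a symlink" >&2
    else
      ln -s "$src" "$dest"
    fi
  done
}

# count_links DIR : number of symlinks directly inside DIR (used to verify
# the result after the wrapper runs).
count_links() {
  n=0
  for p in "$1"/*; do
    [ -L "$p" ] && n=$((n + 1))
  done
  echo "$n"
}

# Usage in the container would be:
#   link_blueprints /blueprints /nix/store/<hash>-authentik/blueprints/...  # placeholder path
#   exec ak "$@"
```

Because links are refreshed on every start, a new image with different store paths does not leave dangling entries behind, and a user-mounted `/blueprints/custom` directory is never touched since it is not a symlink.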
The nixpkgs authentik-django package hardcodes blueprints_dir to its
Nix store path, making custom blueprints mounted at /blueprints/custom
invisible to the discovery system. Add extraCommands to create a
/blueprints directory with symlinks to the built-in blueprint dirs,
and set AUTHENTIK_BLUEPRINTS_DIR=/blueprints so authentik scans the
unified directory.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Nix-built authentik hardcodes blueprints_dir to the Nix store path.
Custom blueprints at /blueprints/custom/ are not discovered.
Need to override AUTHENTIK_BLUEPRINTS_DIR or patch the container.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Authentik is deployed but no services use it yet. New leaf node
to migrate Grafana's OIDC from Dex to Authentik, then decommission Dex.
Goal card re-activated with new dependency.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Mikado chain complete: all three prerequisites resolved, Authentik
server/worker/Redis healthy on k3s, accessible at authentik.ops.eblu.me.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The ak wrapper script requires mkdir (and likely other coreutils)
to create runtime directories.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Both prerequisites for deploy-authentik are now satisfied:
- CNPG managed role + ExternalSecret for authentik DB user
- 1Password item "Authentik (blumeops)" with all required fields
- Database created and cross-cluster connectivity verified
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add managed role for authentik user on blumeops-pg CNPG cluster,
with ExternalSecret pulling password from 1Password item
"Authentik (blumeops)".
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Image registry.ops.eblu.me/blumeops/authentik:v1.0.0-nix built
via Nix on ringtail and verified in zot registry.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Nix-built container using pkgs.authentik with ak entrypoint.
Includes bashInteractive (ak is a bash wrapper), cacert, tzdata.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Build artifacts (container images, git tags) are independent of branch
lifecycle and don't need to be deferred or reset during Mikado iterations.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Mikado cards are discovered through failed attempts, not designed
upfront — they don't belong in plans/. Cards now live where they
topically belong (how-to/authentik/ for this chain). Updated
agent-change-process to document this convention.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Lessons learned from first C2 attempt (deploy-authentik):
- When an attempt fails, reset code changes before committing cards
- Cherry-pick doc commits onto clean base if code/docs got mixed
- Open a PR early so the user can review the Mikado graph evolving
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Attempted deployment fails on three independent blockers:
1. Container image doesn't exist (build-authentik-container)
2. PostgreSQL database doesn't exist (provision-authentik-database)
3. 1Password secrets don't exist (create-authentik-secrets)
Created cards for each and added requires to goal card.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>