Mikado: add migrate-grafana-to-authentik prerequisite

Authentik is deployed but no services use it yet. New leaf node
to migrate Grafana's OIDC from Dex to Authentik, then decommission Dex.
Goal card re-activated with new dependency.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs/how-to/authentik/deploy-authentik.md

@@ -1,10 +1,12 @@
 ---
 title: Deploy Authentik Identity Provider
+status: active
 modified: 2026-02-20
 requires:
   - build-authentik-container
   - provision-authentik-database
   - create-authentik-secrets
+  - migrate-grafana-to-authentik
 tags:
   - how-to
   - authentik
@@ -14,18 +16,20 @@ tags:
 
 # Deploy Authentik Identity Provider
 
-Replace [[dex]] with [Authentik](https://goauthentik.io/) as the SSO identity provider. Authentik adds central user/group management, multi-protocol support (OIDC, SAML, LDAP), self-service flows, and an admin UI that Dex lacks. Forgejo remains the upstream identity source via OAuth2 connector.
+Replace [[dex]] with [Authentik](https://goauthentik.io/) as the SSO identity provider. Authentik is the **source of truth** for user identity in BlumeOps. Users are created and managed in Authentik; services authenticate against it via OIDC. Forgejo federation is deferred to a future effort (existing `eblume` account has extensive automations that need careful migration).
 
 ## Architecture Decisions
 
 | Decision | Choice | Rationale |
 |----------|--------|-----------|
+| **Identity model** | Authentik is source of truth | Central user/group management, not Forgejo-upstream like Dex |
 | **Cluster** | [[ringtail]] (k3s) | IdP independent of main services cluster, same as Dex |
 | **Database** | CNPG `blumeops-pg` on [[indri]] | Cross-cluster via Caddy L4 (`pg.ops.eblu.me`), no new operator needed |
 | **Redis** | Co-deployed in authentik namespace | Required for caching/sessions/task queue |
 | **Containers** | Nix-built (`dockerTools.buildLayeredImage`) | Supply chain control, consistent with Dex/ntfy pattern |
 | **Manifests** | Kustomize (no Helm) | Consistent with all other BlumeOps services |
 | **Networking** | Tailscale Ingress + Caddy reverse proxy | Same pattern as Dex |
+| **IaC** | Authentik Blueprints (YAML in ConfigMap) | GitOps-native, config stored in repo |
 
 ## What Was Done
 
@@ -36,24 +40,22 @@ Replace [[dex]] with [Authentik](https://goauthentik.io/) as the SSO identity pr
 5. ExternalSecret pulls config from 1Password
 6. Tailscale Ingress at `authentik.tail8d86e.ts.net`
 7. Caddy reverse proxy at `authentik.ops.eblu.me`
+8. Completed first-run wizard (admin account created)
 
 ## URLs
 
 - **Admin:** https://authentik.ops.eblu.me/if/admin/
 - **Tailscale:** https://authentik.tail8d86e.ts.net
 
-## Remaining Work
+## Future Work (not blocking this card)
 
-- **Initial setup:** Complete first-run wizard (create admin account)
-- **Forgejo connector:** Configure OAuth2 source for Forgejo federation
-- **Client migration:** Move Grafana (and future services) from Dex to Authentik
+- **Forgejo federation:** Make Forgejo an OIDC client of Authentik (deferred — needs careful `eblume` account migration)
 - **Cross-cluster metrics:** Prometheus on indri scraping authentik on ringtail
-- **Dex decommission:** Separate effort after all OIDC clients migrate
 - **Redis image:** Replace upstream `redis:7-alpine` with Nix-built container
 
 ## Related
 
-- [[dex]] — Current IdP (to be replaced)
+- [[dex]] — Current IdP (to be replaced by [[migrate-grafana-to-authentik]])
 - [[federated-login]] — How authentication works across BlumeOps
 - [[adopt-oidc-provider]] — Dex deployment plan (completed)
 - [[ringtail]] — Target cluster

docs/how-to/authentik/migrate-grafana-to-authentik.md

@@ -0,0 +1,51 @@
+---
+title: Migrate Grafana to Authentik
+status: active
+modified: 2026-02-20
+tags:
+  - how-to
+  - authentik
+  - grafana
+---
+
+# Migrate Grafana to Authentik
+
+Move Grafana's OIDC authentication from Dex to Authentik, then decommission Dex.
+
+## Context
+
+Discovered while attempting [[deploy-authentik]]: Authentik is deployed and running, but no services use it yet. Grafana is the first client to migrate. Once Grafana is off Dex, Dex has no remaining clients and can be decommissioned.
+
+## What to Do
+
+### Authentik configuration (via API, then capture as Blueprint)
+
+1. Create an `admins` group in Authentik
+2. Ensure user `blume.erich@gmail.com` is in the `admins` group
+3. Create an OAuth2/OIDC provider for Grafana (client ID: `grafana`, redirect URIs for both `grafana.ops.eblu.me` and `grafana.tail8d86e.ts.net`)
+4. Create an Application for Grafana linked to the provider, gated to the `admins` group
+5. Store the client secret in 1Password "Authentik (blumeops)" as `grafana-client-secret`
+6. Capture the configuration as an Authentik Blueprint YAML in the manifests
+
+### Grafana configuration
+
+1. Update `argocd/manifests/grafana/values.yaml` — change `auth.generic_oauth` from Dex to Authentik endpoints
+2. Replace `external-secret-dex-oauth.yaml` with one that pulls from "Authentik (blumeops)" instead of "Dex (blumeops)"
+3. Sync Grafana via ArgoCD and verify SSO login works
+
+### Dex decommission
+
+1. Delete ArgoCD app `dex`
+2. Remove `argocd/manifests/dex/` and `argocd/apps/dex.yaml`
+3. Remove `dex` entry from Caddy reverse proxy (`ansible/roles/caddy/defaults/main.yml`)
+4. Provision Caddy to apply the change
+
+## Notes
+
+- Requires an Authentik API token — create one in Admin > System > Tokens, store as `api-token` field in "Authentik (blumeops)" 1Password item.
+
+## Related
+
+- [[deploy-authentik]] — Parent goal
+- [[grafana]] — Grafana reference
+- [[dex]] — Current IdP being replaced

docs/how-to/how-to.md

@@ -73,3 +73,4 @@ Mikado chain for replacing Dex with Authentik. Track progress with `mise run doc
 - [[build-authentik-container]]
 - [[provision-authentik-database]]
 - [[create-authentik-secrets]]
+- [[migrate-grafana-to-authentik]]