Deploy Authentik identity provider (C2 Mikado) #227

Merged
eblume merged 23 commits from feature/deploy-authentik into main 2026-02-20 12:56:00 -08:00
Showing only changes of commit 9417bdb451

Mikado: document blueprint loading issue on Nix container

Nix-built authentik hardcodes blueprints_dir to the Nix store path.
Custom blueprints at /blueprints/custom/ are not discovered.
Need to override AUTHENTIK_BLUEPRINTS_DIR or patch the container.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Erich Blume 2026-02-20 11:55:25 -08:00


@ -40,9 +40,34 @@ Discovered while attempting [[deploy-authentik]]: Authentik is deployed and runn
3. Remove `dex` entry from Caddy reverse proxy (`ansible/roles/caddy/defaults/main.yml`)
4. Provision Caddy to apply the change
## What Was Done So Far
### Completed
- API token created and stored in 1Password "Authentik (blumeops)" field `api-token`
- `grafana-client-secret` generated and stored in 1Password "Authentik (blumeops)"
- Blueprint YAML created at `argocd/manifests/authentik/configmap-blueprint.yaml` defining: admins group, Grafana OAuth2 provider, Grafana application, and policy binding
- Blueprint ConfigMap mounted into worker at `/blueprints/custom/`
- ExternalSecret updated to pull `grafana-client-secret` from 1Password
- Grafana `values.yaml` updated to point at Authentik OIDC endpoints
- `external-secret-authentik-oauth.yaml` created to replace `external-secret-dex-oauth.yaml`
### Blocked: Blueprint not loading
**Root cause:** The Nix-built container hardcodes `blueprints_dir` to `/nix/store/3h1g...authentik-django-2025.10.1/blueprints` in its `default.yml`. Custom blueprints mounted at `/blueprints/custom/` are invisible because that path is not on the search path.
**Fix options:**
1. Set env var `AUTHENTIK_BLUEPRINTS_DIR=/blueprints` and mount custom blueprints alongside copies/symlinks of the built-in ones — risky, could break built-in blueprints if the path doesn't include them.
2. Mount the custom blueprint ConfigMap directly into the Nix store blueprints path (e.g., `/nix/store/.../blueprints/custom/`) — fragile, path changes on rebuild.
3. Use the API to apply the configuration and skip file-based blueprints for now. Store the API calls in a mise task for reproducibility.
4. Patch the Nix container to set a writable `blueprints_dir` or create a wrapper that symlinks.
**Recommendation:** Option 4 (patch container) or option 1 (override env var) are the cleanest. Need to test whether `AUTHENTIK_BLUEPRINTS_DIR` is respected and whether built-in blueprints still load from the Nix store path when overridden.
## Notes
- Requires an Authentik API token — create one in Admin > System > Tokens, store as `api-token` field in "Authentik (blumeops)" 1Password item.
- Authentik API token stored as `api-token` in 1Password "Authentik (blumeops)".
- The `admins` group and Grafana provider/application created via API during investigation were cleaned up (deleted).
## Related
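Review bot: the two bullets under `## Notes` say the same thing twice; the first already states that the token is created in Admin > System > Tokens and stored as the `api-token` field of the 1Password item "Authentik (blumeops)", so the second bullet ("Authentik API token stored as `api-token` in 1Password "Authentik (blumeops)".") is redundant and can be dropped or folded into the first. Under `### Blocked`, it would also help a future reader to record which of the Completed steps remain valid if option 3 (API-driven configuration via a mise task) is taken, since the blueprint ConfigMap mount at `/blueprints/custom/` would then be unused and should be noted as such rather than left in the Completed list.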