Add Authentik container definition (Nix)

Nix-built container using pkgs.authentik with ak entrypoint.
Includes bashInteractive (ak is a bash wrapper), cacert, tzdata.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

containers/authentik/default.nix

@@ -0,0 +1,29 @@
+# Nix-built Authentik identity provider
+# Uses nixpkgs authentik package (ak entrypoint wrapping Go server + Python worker)
+# Built with dockerTools.buildLayeredImage for efficient layer caching
+{ pkgs ? import <nixpkgs> { } }:
+
+pkgs.dockerTools.buildLayeredImage {
+  name = "blumeops/authentik";
+  tag = "latest";
+
+  contents = [
+    pkgs.authentik
+    pkgs.bashInteractive
+    pkgs.cacert
+    pkgs.tzdata
+  ];
+
+  config = {
+    Entrypoint = [ "${pkgs.authentik}/bin/ak" ];
+    Env = [
+      "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+      "TZDIR=${pkgs.tzdata}/share/zoneinfo"
+    ];
+    ExposedPorts = {
+      "9000/tcp" = { };
+      "9443/tcp" = { };
+    };
+    User = "65534";
+  };
+}