Review deploy-authentik: rewrite as process guide, mark completed

Rewrites the deploy-authentik card from a historical changelog into a
reproducible process guide. Removes stale version info and future work
section. Marks the plan as completed in plans index and archive. Removes
hardcoded image tag from authentik reference card (use service-versions.yaml).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs/changelog.d/doc-review-deploy-authentik.doc.md

@@ -0,0 +1 @@
+Review deploy-authentik card: rewrite as reproducible process guide, remove stale version info and future work section, mark plan as completed.

docs/how-to/authentik/deploy-authentik.md

@@ -1,6 +1,7 @@
 ---
 title: Deploy Authentik Identity Provider
-modified: 2026-02-20
+modified: 2026-02-23
+last-reviewed: 2026-02-23
 requires:
   - build-authentik-container
   - provision-authentik-database
@@ -15,7 +16,7 @@ tags:
 
 # Deploy Authentik Identity Provider
 
-Replace Dex with [Authentik](https://goauthentik.io/) as the SSO identity provider. Authentik is the **source of truth** for user identity in BlumeOps. Users are created and managed in Authentik; services authenticate against it via OIDC. Forgejo federation is deferred to a future effort (existing `eblume` account has extensive automations that need careful migration).
+Replace Dex with [Authentik](https://goauthentik.io/) as the SSO identity provider. Authentik is the **source of truth** for user identity in BlumeOps. Users are created and managed in Authentik; services authenticate against it via OIDC.
 
 ## Architecture Decisions
 
@@ -30,30 +31,22 @@ Replace Dex with [Authentik](https://goauthentik.io/) as the SSO identity provid
 | **Networking** | Tailscale Ingress + Caddy reverse proxy | Same pattern as Dex |
 | **IaC** | Authentik Blueprints (YAML in ConfigMap) | GitOps-native, config stored in repo |
 
-## What Was Done
+## Deployment Process
 
-1. Built Nix container image (`v1.1.2-nix`) — `pkgs.authentik` + `coreutils` + `bashInteractive` + entrypoint wrapper for blueprint symlinks
-2. Created 1Password item "Authentik (blumeops)" with secret key and DB credentials
-3. Provisioned `authentik` database and CNPG managed role on `blumeops-pg`
-4. Deployed to ringtail k3s: server, worker, Redis (3 deployments)
-5. ExternalSecret pulls config from 1Password
-6. Tailscale Ingress at `authentik.tail8d86e.ts.net`
-7. Caddy reverse proxy at `authentik.ops.eblu.me`
-8. Completed first-run wizard (admin account created)
-9. Migrated Grafana OIDC from Dex to Authentik (Blueprint-driven)
-10. Decommissioned Dex (ArgoCD app deleted, manifests removed, Caddy entry removed)
+1. Build a Nix container image — Authentik needs `coreutils` and `bashInteractive` alongside the main package; the entrypoint wrapper must symlink built-in blueprint directories so custom blueprints coexist with defaults
+2. Create secrets in 1Password (secret key, DB credentials, OIDC client secrets)
+3. Provision a dedicated database and managed role on the shared CNPG cluster
+4. Deploy server, worker, and Redis as separate deployments
+5. Wire ExternalSecret to pull config from 1Password
+6. Add Tailscale Ingress and Caddy reverse proxy entries
+7. Complete the first-run wizard manually (creates admin account)
+8. Migrate OIDC clients via Blueprints, then decommission the old IdP
 
 ## URLs
 
 - **Admin:** https://authentik.ops.eblu.me/if/admin/
 - **Tailscale:** https://authentik.tail8d86e.ts.net
 
-## Future Work (not blocking this card)
-
-- **Forgejo federation:** Make Forgejo an OIDC client of Authentik (deferred — needs careful `eblume` account migration)
-- **Cross-cluster metrics:** Prometheus on indri scraping authentik on ringtail
-- **Redis image:** Replace upstream `redis:7-alpine` with Nix-built container
-
 ## Related
 
 - [[authentik]] — OIDC identity provider

docs/how-to/plans/completed/completed.md

@@ -1,6 +1,6 @@
 ---
 title: Completed Plans
-modified: 2026-02-14
+modified: 2026-02-23
 tags:
   - how-to
   - plans
@@ -16,3 +16,4 @@ Plans that have been fully implemented and verified. Kept for historical referen
 | [[segment-home-network]] | 2026-02-14 | Manual three-network segmentation for UniFi Express 7 |
 | [[operationalize-reolink-camera]] | 2026-02-15 | Deploy Frigate NVR stack with Mosquitto, Ntfy, and frigate-notify |
 | [[adopt-oidc-provider]] | 2026-02-19 | Deploy OIDC identity provider with Grafana SSO (initially Dex, replaced by Authentik) |
+| [[deploy-authentik]] | 2026-02-20 | Deploy Authentik IdP with Nix container, Blueprints, and OIDC client migration |

docs/how-to/plans/plans.md

@@ -19,5 +19,5 @@ Plans differ from regular how-to guides in that they describe work that has been
 | [[upstream-fork-strategy]] | Planned | Stacked-branch forking strategy for tracking upstream projects |
 | [[adopt-oidc-provider]] | Completed | Deploy OIDC identity provider for SSO across services |
 | [[upgrade-grafana-helm-chart]] | Planned | Upgrade Grafana Helm chart from 8.8.2 to 11.x (3 phases) |
-| [[deploy-authentik]] | Active (C2) | Deploy Authentik IdP — Mikado chain tracked in `how-to/authentik/` |
+| [[deploy-authentik]] | Completed | Deploy Authentik IdP — Mikado chain tracked in `how-to/authentik/` |
 | [[operationalize-reolink-camera]] | Planned | Cloud-free NVR with Frigate, object detection, and ring buffer recording to sifaka |

docs/reference/services/authentik.md

@@ -20,7 +20,6 @@ OIDC identity provider for BlumeOps. Authentik is the **source of truth** for us
 | **Tailscale URL** | https://authentik.tail8d86e.ts.net |
 | **Namespace** | `authentik` |
 | **Cluster** | k3s (ringtail) |
-| **Image** | `registry.ops.eblu.me/blumeops/authentik:v1.1.2-nix` |
 | **Manifests** | `argocd/manifests/authentik/` |
 | **Container build** | `containers/authentik/default.nix` |