blumeops/docs/how-to/authentik/build-authentik-container.md
Erich Blume 71cb256527 Deploy Authentik identity provider (C2 Mikado) (#227)
## Summary
C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex.

This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved.

## Current Mikado State
- **Goal:** `deploy-authentik` (active)
- **Leaf prerequisites:**
  - `build-authentik-container` — Build Nix container image
  - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster
  - `create-authentik-secrets` — Create 1Password item with credentials

## Process refinements
- Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early

## Test plan
- [ ] `mise run docs-mikado` shows correct dependency chain
- [ ] Leaf nodes can be worked independently
- [ ] Container builds on ringtail
- [ ] Authentik starts and reaches healthy state
- [ ] Forgejo OAuth2 connector works

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/227
2026-02-20 12:55:59 -08:00


| title | modified | tags |
| --- | --- | --- |
| Build Authentik Container Image | 2026-02-20 | how-to, authentik |

# Build Authentik Container Image

Build and publish a Nix-based container image for Authentik to the local registry.

## Context

Discovered while attempting `deploy-authentik`: the deployment references `registry.ops.eblu.me/blumeops/authentik:v1.0.0-nix`, which doesn't exist. Authentik's nixpkgs package (`pkgs.authentik`) provides the `ak` wrapper, which orchestrates a Go server binary and a Python Django worker.

## What to Do

1. Verify that `containers/authentik/default.nix` builds on ringtail (the Nix builder runs there).
2. Make sure the image provides bash (included via `bashInteractive`): the `ak` entrypoint is a bash script and orchestrates both the `server` and `worker` subcommands.
3. Tag and release: `mise run container-tag-and-release authentik v1.0.0`
4. Verify that the `-nix` tagged image appears in the registry.
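For orientation, here is an added sketch of what `containers/authentik/default.nix` could look like; it is not the repository's actual file. It assumes `dockerTools.buildLayeredImage`, that `pkgs.authentik` installs `bin/ak` (as the card states), and that the `mise` release task applies the registry name and `-nix` tag rather than this expression.

```nix
# Added example, not the blumeops repository's own default.nix.
# Assumes a plain nixpkgs import; the registry tag is applied by the
# release task, so no `tag` attribute is set here.
{ pkgs ? import <nixpkgs> { } }:

let
  authentik = pkgs.authentik;
in
pkgs.dockerTools.buildLayeredImage {
  name = "authentik";

  # `ak` is a bash wrapper, so the image needs a real bash, plus the
  # usual coreutils and CA bundle for outbound TLS (OIDC/SMTP/etc.).
  contents = [
    authentik
    pkgs.bashInteractive
    pkgs.coreutils
    pkgs.cacert
  ];

  config = {
    # Entrypoint is the ak wrapper, NOT the Go `authentik` binary.
    Entrypoint = [ "${authentik}/bin/ak" ];
    # Default subcommand; the worker deployment overrides Cmd to [ "worker" ].
    Cmd = [ "server" ];
    Env = [
      "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
      # AUTHENTIK_SECRET_KEY and AUTHENTIK_POSTGRESQL__* are deliberately
      # absent: they come from the create-authentik-secrets card at
      # runtime and must never be baked into the image layers.
    ];
    ExposedPorts = { "9000/tcp" = { }; };
  };
}
```

Keeping credentials out of the image means the same artifact can be promoted between environments and inspected freely (`nix store` paths, registry scans) without leaking the database password or the Django secret key.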

## What We Learned

- The entrypoint is `ak` (bash wrapper), not `authentik` (Go binary)
- `ak server` runs the Go HTTP server, `ak worker` runs the Python Django worker
- `pkgs.authentik` bundles the Go binary, Python environment, and static assets via `wrapProgram`
- nixpkgs has v2025.10.1, upstream latest is 2025.12.4; acceptable for initial deployment
- The container needs `bashInteractive` since `ak` is a bash script