## Summary

C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex. This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved.

## Current Mikado State

- **Goal:** `deploy-authentik` (active)
- **Leaf prerequisites:**
  - `build-authentik-container` — Build Nix container image
  - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster
  - `create-authentik-secrets` — Create 1Password item with credentials

## Process refinements

- Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early

## Test plan

- [ ] `mise run docs-mikado` shows correct dependency chain
- [ ] Leaf nodes can be worked independently
- [ ] Container builds on ringtail
- [ ] Authentik starts and reaches healthy state
- [ ] Forgejo OAuth2 connector works

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/227
3.1 KiB
| title | modified | tags |
|---|---|---|
| How-To | 2026-02-17 | |
How-To Guides
Task-oriented instructions for common BlumeOps operations. These guides assume you already understand the basic concepts; see the tutorials if you're still learning them.
Deployment
| Guide | Description |
|---|---|
| deploy-k8s-service | Deploy a new service to Kubernetes via ArgoCD |
| add-ansible-role | Add a new Ansible role for indri services |
| create-release-artifact-workflow | Build artifacts and publish to Forgejo packages |
| build-container-image | Build and release a custom container image via Dagger |
Configuration
| Guide | Description |
|---|---|
| update-tailscale-acls | Update Tailscale access control policies |
| gandi-operations | Manage DNS records and cycle the Gandi API token |
| use-pypi-proxy | Configure pip and publish packages to devpi |
| expose-service-publicly | Expose a service to the public internet via Fly.io + Tailscale |
| update-documentation | Publish docs via build-blumeops workflow |
Knowledge Base
| Guide | Description |
|---|---|
| review-documentation | Periodically review and maintain documentation |
| review-services | Periodically review services for version freshness |
| agent-change-process | C0/C1/C2 change classification and Mikado method for agents |
Operations
| Guide | Description |
|---|---|
| connect-to-postgres | Connect to PostgreSQL as a superuser via psql |
| restart-indri | Safely shut down and restart indri |
| manage-flyio-proxy | Deploy, shutoff, and troubleshoot the public proxy |
| restore-1password-backup | Recover 1Password credentials from borgmatic backup |
| troubleshooting | Diagnose and fix common issues |
Plans
Migration and transition plans for upcoming infrastructure changes.
| Plan | Description |
|---|---|
| plans | Index of all plans |
| completed | Completed plans archive |
| migrate-forgejo-from-brew | Transition Forgejo from Homebrew to source-built binary |
| add-unifi-pulumi-stack | Add Pulumi IaC for UniFi Express 7 (abandoned) |
| segment-home-network | Manual three-network segmentation for UniFi Express 7 |
| adopt-dagger-ci | Adopt Dagger as CI/CD build engine |
| upstream-fork-strategy | Stacked-branch forking strategy for upstream projects |
| adopt-oidc-provider | Deploy OIDC identity provider for SSO across services |
| harden-zot-registry | Add authentication and tag immutability to zot registry |
| forgejo-actions-dashboard | Grafana dashboard for Forgejo Actions CI metrics |
| upgrade-grafana-helm-chart | Upgrade Grafana Helm chart from 8.8.2 to 11.x |
| operationalize-reolink-camera | Cloud-free NVR with Frigate and ring buffer recording |
Authentik
Mikado chain for deploying Authentik. Track progress with `mise run docs-mikado deploy-authentik`.