## Summary

C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex. This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved.

## Current Mikado State

- **Goal:** `deploy-authentik` (active)
- **Leaf prerequisites:**
  - `build-authentik-container` — Build Nix container image
  - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster
  - `create-authentik-secrets` — Create 1Password item with credentials

## Process refinements

- Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early

## Test plan

- [ ] `mise run docs-mikado` shows correct dependency chain
- [ ] Leaf nodes can be worked independently
- [ ] Container builds on ringtail
- [ ] Authentik starts and reaches healthy state
- [ ] Forgejo OAuth2 connector works

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/227
| title | modified | tags |
|---|---|---|
| Authentik | 2026-02-20 | |
Authentik
OIDC identity provider for BlumeOps. Authentik is the source of truth for user identity — users are created and managed in Authentik, and services authenticate against it via OIDC.
Quick Reference
| Property | Value |
|---|---|
| URL | https://authentik.ops.eblu.me |
| Admin UI | https://authentik.ops.eblu.me/if/admin/ |
| Tailscale URL | https://authentik.tail8d86e.ts.net |
| Namespace | authentik |
| Cluster | k3s (ringtail) |
| Image | registry.ops.eblu.me/blumeops/authentik:v1.1.2-nix |
| Manifests | argocd/manifests/authentik/ |
| Container build | containers/authentik/default.nix |
Architecture
Authentik runs on ringtail's k3s cluster, isolated from the main services on indri's minikube. This means the IdP is independent of the minikube cluster lifecycle.
Three deployments:
- server — HTTP/HTTPS interface, handles OIDC flows
- worker — Background tasks, blueprint application
- redis — Caching, sessions, task queue
Database
Uses the shared CNPG blumeops-pg cluster on indri, accessed cross-cluster via pg.ops.eblu.me:5432. Database authentik with managed role.
Blueprints
Authentik configuration is managed via Blueprints (YAML) stored as a ConfigMap mounted into the worker at /blueprints/custom/. Current blueprints define:
- `admins` group
- Grafana OAuth2 provider (client ID: `grafana`)
- Grafana application with group-based policy binding
Blueprint file: argocd/manifests/authentik/configmap-blueprint.yaml
OIDC Clients
| Client | Status |
|---|---|
| grafana | Active |
Future clients: forgejo, argocd, miniflux, zot
Secrets
Injected via external-secrets from the "Authentik (blumeops)" 1Password item.
| 1Password Field | Purpose |
|---|---|
| secret-key | Authentik secret key |
| db-password | PostgreSQL password |
| grafana-client-secret | OIDC client secret for Grafana |
| api-token | Authentik API token |
Container Image
Nix-built via dockerTools.buildLayeredImage. The entrypoint wrapper symlinks built-in blueprint directories from the Nix store into /blueprints/ at runtime, allowing custom blueprints to coexist with defaults. AUTHENTIK_BLUEPRINTS_DIR=/blueprints overrides the hardcoded Nix store path.
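An added illustration of the entrypoint behaviour described above, written as a POSIX sh wrapper; it is not the wrapper from containers/authentik/default.nix. The built-in blueprint source directory, the `AUTHENTIK_BUILTIN_BLUEPRINTS` variable and the `AUTHENTIK_WRAPPER_RUN` guard are assumptions made for this example.

```shell
#!/bin/sh
# Constructed example entrypoint wrapper (not the BlumeOps one).
# Symlinks each built-in blueprint directory from an immutable source tree
# (the Nix store in the real image) into a writable /blueprints tree, so the
# ConfigMap-mounted /blueprints/custom/ coexists with the defaults.
set -eu

# link_builtin_blueprints SRC DST
#   For every entry in SRC, create DST/<name> -> SRC/<name> unless DST/<name>
#   already exists. A pre-existing path in DST (such as the mounted custom/
#   directory) always wins, so built-in entries never shadow operator content.
link_builtin_blueprints() {
    src=$1
    dst=$2
    mkdir -p "$dst"
    for entry in "$src"/* "$src"/.[!.]*; do
        [ -e "$entry" ] || continue          # glob matched nothing
        name=${entry##*/}
        if [ -e "$dst/$name" ] || [ -L "$dst/$name" ]; then
            echo "keep existing: $dst/$name" >&2
            continue
        fi
        ln -s "$entry" "$dst/$name"
    done
}

# count_blueprint_entries DIR -> number of top-level entries in DIR
count_blueprint_entries() {
    n=0
    for e in "$1"/*; do
        [ -e "$e" ] && n=$((n + 1))
    done
    echo "$n"
}

# Container start path, guarded so the functions can also be sourced.
if [ "${AUTHENTIK_WRAPPER_RUN:-0}" = 1 ]; then
    # AUTHENTIK_BUILTIN_BLUEPRINTS (assumed name): Nix store path of the
    # built-in blueprints; a real wrapper would bake this in at build time.
    link_builtin_blueprints "${AUTHENTIK_BUILTIN_BLUEPRINTS:?}" /blueprints
    export AUTHENTIK_BLUEPRINTS_DIR=/blueprints   # override the store path
    exec "$@"                                     # e.g. the server or worker command
fi
```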
Related
- federated-login - How authentication works across BlumeOps
- grafana - First OIDC client
- deploy-authentik - Deployment how-to
- external-secrets - Secrets injection from 1Password