eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/containers/authentik/default.nix
Erich Blume 71cb256527 Deploy Authentik identity provider (C2 Mikado) (#227) 
## Summary
C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex.

This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved.

## Current Mikado State
- **Goal:** `deploy-authentik` (active)
- **Leaf prerequisites:**
  - `build-authentik-container` — Build Nix container image
  - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster
  - `create-authentik-secrets` — Create 1Password item with credentials

## Process refinements
- Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early

## Test plan
- [ ] `mise run docs-mikado` shows correct dependency chain
- [ ] Leaf nodes can be worked independently
- [ ] Container builds on ringtail
- [ ] Authentik starts and reaches healthy state
- [ ] Forgejo OAuth2 connector works

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/227
2026-02-20 12:55:59 -08:00

54 lines
1.8 KiB
Nix
Raw Blame History

# Nix-built Authentik identity provider
# Uses nixpkgs authentik package (ak entrypoint wrapping Go server + Python worker)
# Built with dockerTools.buildLayeredImage for efficient layer caching
{ pkgs ? import <nixpkgs> { } }:
let
# Wrapper entrypoint that sets up /blueprints symlinks before running ak.
# buildLayeredImage's extraCommands can't access store paths from contents (they're
# in separate layers), so we create the symlinks at container start instead.
entrypoint = pkgs.writeShellScript "authentik-entrypoint" ''
# Link built-in blueprint dirs from the Nix store into /blueprints
for item in /nix/store/*authentik-django*/blueprints/*/; do
name=$(basename "$item")
[ ! -e "/blueprints/$name" ] && ln -s "$item" "/blueprints/$name" 2>/dev/null || true
done
exec ${pkgs.authentik}/bin/ak "$@"
'';
in
pkgs.dockerTools.buildLayeredImage {
name = "blumeops/authentik";
tag = "latest";
contents = [
pkgs.authentik
pkgs.bashInteractive
pkgs.coreutils
pkgs.cacert
pkgs.tzdata
];
# Create /blueprints as world-writable so user 65534 can create symlinks at runtime.
# The nixpkgs authentik-django package hardcodes blueprints_dir to its Nix store path,
# making custom blueprints mounted at /blueprints/custom invisible. The entrypoint
# wrapper populates this directory with symlinks to built-in blueprints on each start.
extraCommands = ''
mkdir -p blueprints
chmod 777 blueprints
'';
config = {
Entrypoint = [ "${entrypoint}" ];
Env = [
"SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
"TZDIR=${pkgs.tzdata}/share/zoneinfo"
"AUTHENTIK_BLUEPRINTS_DIR=/blueprints"
];
ExposedPorts = {
"9000/tcp" = { };
"9443/tcp" = { };
};
User = "65534";
};
}
Reference in a new issue View git blame Copy permalink