Nix-built authentik hardcodes blueprints_dir to the Nix store path. Custom blueprints at /blueprints/custom/ are not discovered. Need to override AUTHENTIK_BLUEPRINTS_DIR or patch the container. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
| title | status | modified | tags |
|---|---|---|---|
| Migrate Grafana to Authentik | active | 2026-02-20 | |
Migrate Grafana to Authentik
Move Grafana's OIDC authentication from Dex to Authentik, then decommission Dex.
Context
Discovered while attempting deploy-authentik: Authentik is deployed and running, but no services use it yet. Grafana is the first client to migrate. Once Grafana is off Dex, Dex has no remaining clients and can be decommissioned.
What to Do
Authentik configuration (via API, then capture as Blueprint)
- Create an `admins` group in Authentik
- Ensure user `blume.erich@gmail.com` is in the `admins` group
- Create an OAuth2/OIDC provider for Grafana (client ID: `grafana`, redirect URIs for both `grafana.ops.eblu.me` and `grafana.tail8d86e.ts.net`)
- Create an Application for Grafana linked to the provider, gated to the `admins` group
- Store the client secret in 1Password "Authentik (blumeops)" as `grafana-client-secret`
- Capture the configuration as an Authentik Blueprint YAML in the manifests
Grafana configuration
- Update `argocd/manifests/grafana/values.yaml`: change `auth.generic_oauth` from Dex to Authentik endpoints
- Replace `external-secret-dex-oauth.yaml` with one that pulls from "Authentik (blumeops)" instead of "Dex (blumeops)"
- Sync Grafana via ArgoCD and verify SSO login works
Dex decommission
- Delete ArgoCD app `dex`
- Remove `argocd/manifests/dex/` and `argocd/apps/dex.yaml`
- Remove the `dex` entry from the Caddy reverse proxy (`ansible/roles/caddy/defaults/main.yml`)
- Provision Caddy to apply the change
What Was Done So Far
Completed
- API token created and stored in 1Password "Authentik (blumeops)" field `api-token`
- `grafana-client-secret` generated and stored in 1Password "Authentik (blumeops)"
- Blueprint YAML created at `argocd/manifests/authentik/configmap-blueprint.yaml` defining: admins group, Grafana OAuth2 provider, Grafana application, and policy binding
- Blueprint ConfigMap mounted into the worker at `/blueprints/custom/`
- ExternalSecret updated to pull `grafana-client-secret` from 1Password
- Grafana `values.yaml` updated to point at the Authentik OIDC endpoints
- `external-secret-authentik-oauth.yaml` created to replace `external-secret-dex-oauth.yaml`
Blocked: Blueprint not loading
Root cause: The Nix-built container hardcodes `blueprints_dir` to `/nix/store/3h1g...authentik-django-2025.10.1/blueprints` in its `default.yml`. Custom blueprints mounted at `/blueprints/custom/` are invisible because that path is not on the search path.
Fix options:
1. Set env var `AUTHENTIK_BLUEPRINTS_DIR=/blueprints` and mount custom blueprints alongside copies/symlinks of the built-in ones. Risky: could break built-in blueprints if the path doesn't include them.
2. Mount the custom blueprint ConfigMap directly into the Nix store blueprints path (e.g., `/nix/store/.../blueprints/custom/`). Fragile: the path changes on rebuild.
3. Use the API to apply the configuration and skip file-based blueprints for now. Store the API calls in a mise task for reproducibility.
4. Patch the Nix container to set a writable `blueprints_dir`, or create a wrapper that symlinks.

Recommendation: Option 4 (patch container) or option 1 (override env var) are the cleanest. Need to test whether `AUTHENTIK_BLUEPRINTS_DIR` is respected and whether built-in blueprints still load from the Nix store path when overridden.
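As an added illustration of options 1 and 4 (not code from this task or from Authentik), the following sketches what a symlinking wrapper has to get right: the overridden directory must still carry every built-in blueprint, and nothing mounted there may shadow one. It assumes Authentik discovers blueprints by walking `AUTHENTIK_BLUEPRINTS_DIR` recursively for `*.yaml` files; all paths and blueprint file names are constructed stand-ins.

```python
"""Merged blueprints directory for an overridden AUTHENTIK_BLUEPRINTS_DIR.

Added example, not from the task page or Authentik. Assumes blueprints are
found by a recursive *.yaml walk, so the override dir must include the
built-ins or they silently stop loading. Paths are constructed stand-ins.
"""
import tempfile
from pathlib import Path


def link_builtin_blueprints(builtin_dir: Path, target: Path) -> list[str]:
    """Symlink each built-in blueprint (read-only Nix store) into target,
    preserving its relative layout. Custom blueprints are expected to be
    mounted under target already (e.g. target/custom/). Refuses to shadow
    anything already present, so a mounted file cannot quietly replace a
    built-in one. Returns the relative paths that were linked."""
    linked = []
    for src in sorted(builtin_dir.rglob("*.yaml")):
        rel = src.relative_to(builtin_dir)
        dst = target / rel
        if dst.exists() or dst.is_symlink():  # dangling links count too
            raise FileExistsError(f"{dst} would shadow a built-in blueprint")
        dst.parent.mkdir(parents=True, exist_ok=True)
        dst.symlink_to(src)
        linked.append(rel.as_posix())
    return linked


def discoverable(root: Path) -> set[str]:
    """What a recursive *.yaml walk over blueprints_dir would pick up."""
    return {p.relative_to(root).as_posix() for p in root.rglob("*.yaml")}


def demo() -> set[str]:
    """Constructed layout mirroring the task: built-ins in a Nix-store-like
    dir, the Grafana ConfigMap mounted at <blueprints>/custom/. Before
    linking only custom/grafana.yaml is discoverable; afterwards all are."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp, "nix-store-authentik", "blueprints")
        blueprints = Path(tmp, "blueprints")
        for rel in ("default/flow-oobe.yaml", "system/bootstrap.yaml"):
            path = store / rel
            path.parent.mkdir(parents=True)
            path.write_text("version: 1\nentries: []\n")  # stand-in content
        grafana = blueprints / "custom" / "grafana.yaml"
        grafana.parent.mkdir(parents=True)
        grafana.write_text("version: 1\nentries: []\n")  # stand-in content
        link_builtin_blueprints(store, blueprints)
        return discoverable(blueprints)
```

Because the links point into the Nix store, a rebuild that changes the store hash only requires re-running the wrapper, not remounting the ConfigMap.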
Notes
- Authentik API token stored as `api-token` in 1Password "Authentik (blumeops)".
- The `admins` group and Grafana provider/application created via API during investigation were cleaned up (deleted).
Related
- deploy-authentik — Parent goal
- grafana — Grafana reference
- dex — Current IdP being replaced