eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/docs/reference/services/authentik.md
Erich Blume cd50c1454a Integrate Forgejo with Authentik OIDC (#228) 
## Summary

- Refactor Authentik blueprints: extract shared `admins` group into `common.yaml`, add `groups` scope mapping to all providers for group-based admin propagation
- Add Forgejo OAuth2 provider and application blueprint (`forgejo.yaml`)
- Add `forgejo-client-secret` to ExternalSecret and worker deployment env
- Configure Forgejo `[oauth2_client]` with `ACCOUNT_LINKING=login` to safely link existing accounts
- Update documentation (forgejo.md, authentik.md, federated-login.md)

## Deployment and Testing

After merge, deployment requires these steps in order:

1. **Authentik (ArgoCD):**
   - `argocd app set authentik --revision feature/forgejo-authentik-oidc && argocd app sync authentik`
   - Verify: Forgejo app/provider visible in Authentik admin UI
   - Verify: Grafana SSO still works (blueprint refactor)

2. **Forgejo app.ini (Ansible):**
   - `mise run provision-indri -- --tags forgejo --check --diff` (dry run)
   - `mise run provision-indri -- --tags forgejo` (apply, restarts Forgejo)

3. **Create Forgejo auth source (CLI on indri):**
   ```
   ssh indri 'sudo -u forgejo /opt/homebrew/bin/forgejo admin auth add-oauth \
     --name authentik \
     --provider openidConnect \
     --key forgejo \
     --secret "$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/Authentik (blumeops)/forgejo-client-secret")" \
     --auto-discover-url https://authentik.ops.eblu.me/application/o/forgejo/.well-known/openid-configuration \
     --scopes "openid email profile groups" \
     --group-claim-name groups \
     --admin-group admins'
   ```

4. **Link eblume account:** Sign in with Authentik on Forgejo, confirm link with local password

5. **Verify:** `tea repo list`, Forgejo Actions, local password break-glass

After merge: `argocd app set authentik --revision main && argocd app sync authentik`

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/228
2026-02-20 17:39:50 -08:00

3 KiB
Raw Blame History

title modified tags
Authentik 2026-02-20
service
security
oidc

Authentik

OIDC identity provider for BlumeOps. Authentik is the source of truth for user identity — users are created and managed in Authentik, and services authenticate against it via OIDC.

Quick Reference

Property Value
URL https://authentik.ops.eblu.me
Admin UI https://authentik.ops.eblu.me/if/admin/
Tailscale URL https://authentik.tail8d86e.ts.net
Namespace authentik
Cluster k3s (ringtail)
Image registry.ops.eblu.me/blumeops/authentik:v1.1.2-nix
Manifests argocd/manifests/authentik/
Container build containers/authentik/default.nix

Architecture

Authentik runs on ringtail's k3s cluster, isolated from the main services on indri's minikube. This means the IdP is independent of the minikube cluster lifecycle.

Three deployments:

  • server — HTTP/HTTPS interface, handles OIDC flows
  • worker — Background tasks, blueprint application
  • redis — Caching, sessions, task queue

Database

Uses the shared CNPG blumeops-pg cluster on indri, accessed cross-cluster via pg.ops.eblu.me:5432. Database authentik with managed role.

Blueprints

Authentik configuration is managed via Blueprints (YAML) stored as a ConfigMap mounted into the worker at /blueprints/custom/. Current blueprints:

  • common.yaml — shared identity resources (admins group)
  • mfa.yaml — MFA enforcement on the default authentication flow (not_configured_action: configure)
  • grafana.yaml — Grafana OAuth2 provider, application, and policy binding
  • forgejo.yaml — Forgejo OAuth2 provider, application, and policy binding

Group membership is included in the profile scope claim (Authentik built-in). Services use --group-claim-name groups to read it.

Blueprint file: argocd/manifests/authentik/configmap-blueprint.yaml

OIDC Clients

Client Status
grafana Active
forgejo Active

Future clients: argocd, miniflux, zot

Secrets

Injected via external-secrets from the "Authentik (blumeops)" 1Password item.

1Password Field Purpose
secret-key Authentik secret key
db-password PostgreSQL password
grafana-client-secret OIDC client secret for Grafana
forgejo-client-secret OIDC client secret for Forgejo
api-token Authentik API token

Container Image

Nix-built via dockerTools.buildLayeredImage. The entrypoint wrapper symlinks built-in blueprint directories from the Nix store into /blueprints/ at runtime, allowing custom blueprints to coexist with defaults. AUTHENTIK_BLUEPRINTS_DIR=/blueprints overrides the hardcoded Nix store path.

Related