## Summary

- Stamped `last-reviewed: 2026-02-22` on three never-reviewed docs
- `agent-change-process.md`: accurate, no content changes
- `build-authentik-container.md`: accurate, container image verified in registry
- `create-authentik-secrets.md`: added note about additional OIDC client secret fields added since original card was written

## Changelog

- `docs/changelog.d/doc-review/agent-change-process.doc.md` (not added — stamp-only, no user-visible change)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/243
| title | modified | last-reviewed | tags |
|---|---|---|---|
| Build Authentik Container Image | 2026-02-20 | 2026-02-22 | |
# Build Authentik Container Image

Build and publish a Nix-based container image for Authentik to the local registry.

## Context

Discovered while attempting deploy-authentik: the deployment references `registry.ops.eblu.me/blumeops/authentik:v1.0.0-nix`, which doesn't exist. Authentik's nixpkgs package (`pkgs.authentik`) provides the `ak` wrapper, which orchestrates a Go server binary and a Python Django worker.

## What to Do
- Verify `containers/authentik/default.nix` builds — locally via Dagger (`dagger call build-nix --src=. --container-name=authentik`) or on ringtail (the CI nix builder runs there)
- The `ak` entrypoint needs bash (included via `bashInteractive`) and orchestrates both `server` and `worker` subcommands
- Trigger build: `mise run container-build-and-release authentik`
- Verify the `-nix` tagged image appears in the registry
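
One way to script the last check in the list above, so a deployment cannot reference a tag that was never published. This is an added example, not code from the blumeops repository. It assumes the registry serves the standard OCI distribution `tags/list` endpoint over HTTPS with anonymous read access; the function names and the sample responses are hypothetical.

```python
import json
import urllib.request

# The image reference the deployment expects (taken from the Context section).
IMAGE = "registry.ops.eblu.me/blumeops/authentik:v1.0.0-nix"


def split_ref(ref):
    """Split 'registry/repository:tag' into (registry, repository, tag)."""
    registry, _, rest = ref.partition("/")
    repository, sep, tag = rest.rpartition(":")
    if not registry or not sep or not repository or not tag:
        raise ValueError(f"expected registry/repository:tag, got {ref!r}")
    return registry, repository, tag


def tags_url(ref):
    """URL of the OCI distribution 'list tags' endpoint for the repository."""
    registry, repository, _ = split_ref(ref)
    return f"https://{registry}/v2/{repository}/tags/list"


def tag_published(ref, tags_list_body):
    """True if the tag in `ref` appears in a tags/list response body."""
    _, repository, tag = split_ref(ref)
    doc = json.loads(tags_list_body)
    # Refuse a response for a different repository rather than trusting it.
    if doc.get("name") != repository:
        raise ValueError(f"response is for {doc.get('name')!r}, not {repository!r}")
    # Some registries return "tags": null for a repository with no tags.
    return tag in (doc.get("tags") or [])


def check_live(ref, timeout=10):
    """Fetch the tag list (assumes anonymous pull access) and check the tag."""
    with urllib.request.urlopen(tags_url(ref), timeout=timeout) as resp:
        return tag_published(ref, resp.read())


# Constructed sample responses, not output captured from the real registry.
SAMPLE_BEFORE = '{"name": "blumeops/authentik", "tags": null}'
SAMPLE_AFTER = '{"name": "blumeops/authentik", "tags": ["v1.0.0-nix"]}'

if __name__ == "__main__":
    print("before build:", tag_published(IMAGE, SAMPLE_BEFORE))
    print("after build: ", tag_published(IMAGE, SAMPLE_AFTER))
```

`check_live(IMAGE)` performs the same check against the registry itself and is the call to wire into a pre-deploy step.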
## What We Learned

- The entrypoint is `ak` (bash wrapper), not `authentik` (Go binary)
- `ak server` runs the Go HTTP server, `ak worker` runs the Python Django worker
- `pkgs.authentik` bundles Go binary, Python environment, and static assets via `wrapProgram`
- nixpkgs has v2025.10.1, upstream latest is 2025.12.4 — acceptable for initial deployment
- Container needs `bashInteractive` since `ak` is a bash script
## Related
- deploy-authentik — Parent goal