Authentik

OIDC identity provider for BlumeOps. Authentik is the source of truth for user identity — users are created and managed in Authentik, and services authenticate against it via OIDC.

Quick Reference

| Property | Value |
| --- | --- |
| URL | https://authentik.ops.eblu.me |
| Admin UI | https://authentik.ops.eblu.me/if/admin/ |
| Tailscale URL | https://authentik.tail8d86e.ts.net |
| Namespace | authentik |
| Cluster | k3s (ringtail) |
| Manifests | argocd/manifests/authentik/ |
| Container build | containers/authentik/default.nix |

Architecture

Authentik runs on ringtail’s k3s cluster, isolated from the main services on indri’s minikube. This means the IdP is independent of the minikube cluster lifecycle.

Three deployments:

  • server — HTTP/HTTPS interface, handles OIDC flows
  • worker — Background tasks, blueprint application
  • redis — Caching, sessions, task queue

Database

Uses the shared CNPG blumeops-pg cluster on indri, accessed cross-cluster via pg.ops.eblu.me:5432. Database authentik with managed role.

Blueprints

Authentik configuration is managed via Blueprints (YAML) stored as a ConfigMap mounted into the worker at /blueprints/custom/. Current blueprints:

  • common.yaml — shared identity resources (admins group)
  • mfa.yaml — MFA enforcement on the default authentication flow (not_configured_action: configure)
  • grafana.yaml — Grafana OAuth2 provider, application, and policy binding
  • forgejo.yaml — Forgejo OAuth2 provider, application, and policy binding

Group membership is included in the profile scope claim (Authentik built-in). Services use --group-claim-name groups to read it.

Blueprint file: argocd/manifests/authentik/configmap-blueprint.yaml
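A consumer-side check of the groups claim described above, as an added example (not code from the BlumeOps repository or from Authentik). It assumes an OIDC library has already verified the token signature and handed over the claims as a dict; the issuer URL, client ID and function names are constructed for illustration.

```python
# Added example: group check over ID-token claims that an OIDC library
# has already signature-verified. All sample values are constructed.

GROUP_CLAIM = "groups"  # same name services pass as --group-claim-name
ISSUER = "https://idp.example.test/application/o/grafana/"  # constructed
AUDIENCE = "grafana-client-id"                              # constructed


class ClaimError(Exception):
    """The token cannot be used for an authorization decision."""


def groups_from_claims(claims, claim_name=GROUP_CLAIM):
    """Return the group names as a frozenset, rejecting malformed claims."""
    if claim_name not in claims:
        # Groups travel in the profile scope, so a client that did not
        # request that scope gets a token without this claim. Fail closed.
        raise ClaimError(f"claim {claim_name!r} missing; was 'profile' requested?")
    value = claims[claim_name]
    # A bare string would turn `"admins" in value` into a substring match,
    # letting "not-admins" pass. Require a list of strings.
    if not isinstance(value, list) or not all(isinstance(g, str) for g in value):
        raise ClaimError(f"claim {claim_name!r} must be a list of strings")
    return frozenset(value)


def is_member(claims, group, expected_issuer, expected_audience):
    """True only if iss/aud match this client and group is an exact member."""
    if claims.get("iss") != expected_issuer:
        raise ClaimError("unexpected issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        # A token minted for another client must not be accepted here.
        raise ClaimError("token was issued to a different client")
    return group in groups_from_claims(claims)


if __name__ == "__main__":
    sample = {"iss": ISSUER, "aud": AUDIENCE, "groups": ["admins"]}
    print(is_member(sample, "admins", ISSUER, AUDIENCE))
```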

OIDC Clients

| Client | Status |
| --- | --- |
| grafana | Active |
| forgejo | Active |

Future clients: argocd, miniflux, zot

Secrets

Injected via external-secrets from the “Authentik (blumeops)” 1Password item.

| 1Password Field | Purpose |
| --- | --- |
| secret-key | Authentik secret key |
| db-password | PostgreSQL password |
| grafana-client-secret | OIDC client secret for Grafana |
| forgejo-client-secret | OIDC client secret for Forgejo |
| api-token | Authentik API token |

Container Image

Nix-built via dockerTools.buildLayeredImage. The entrypoint wrapper symlinks built-in blueprint directories from the Nix store into /blueprints/ at runtime, allowing custom blueprints to coexist with defaults. AUTHENTIK_BLUEPRINTS_DIR=/blueprints overrides the hardcoded Nix store path.