feat(infra): Authentik blueprints (portal+operator OIDC, dezky brand)

Mirror the dev Authentik config in prod via blueprints, applied & successful on
node1:
- brand.yaml: dezky branding on the default brand (title + signal-green custom
  CSS) — login page now in dezky colors.
- portal-application.yaml / operator-application.yaml: dezky-portal &
  dezky-operator OIDC apps/providers (prod redirect URLs) + the
  dezky-platform-admins group & operator access policy.

Two 2026.5 gotchas handled + documented in README:
- invalidation_flow is now REQUIRED on OAuth2 providers (added via !Find).
- ConfigMap mounts are symlinks (discovery can't read them) → worker uses an
  initContainer that copies them to an emptyDir as real files. (chart
  worker.volumes didn't apply on this version; patch reverts on helm upgrade —
  noted as a durability TODO.)

Client secrets (PORTAL/OPERATOR_OIDC_CLIENT_SECRET) live in authentik-secret;
the apps must reuse them.

infrastructure/production/fleet/authentik/blueprints/brand.yaml

@@ -0,0 +1,39 @@
+# dezky branding for the default Authentik brand — title + signal-green accent.
+# (The "Powered by authentik" string lives in the web bundle and needs the
+# separate rebrand-web patch; this covers the colors/title that custom CSS can
+# reach.)
+version: 1
+metadata:
+  name: dezky-brand
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+entries:
+  - model: authentik_brands.brand
+    state: present
+    identifiers:
+      domain: authentik-default
+    attrs:
+      branding_title: dezky
+      branding_custom_css: |
+        :root, :host {
+          --ak-accent: #D4FF3A;
+          --ak-accent-secondary: #b8e020;
+          --pf-t--global--color--brand--default: #D4FF3A;
+          --pf-v5-global--primary-color--100: #D4FF3A;
+          --pf-v5-global--primary-color--200: #b8e020;
+          --pf-global--primary-color--100: #D4FF3A;
+          --pf-global--primary-color--200: #b8e020;
+          --pf-global--link--Color: #D4FF3A;
+          --pf-global--active-color--100: #D4FF3A;
+        }
+        .pf-c-button.pf-m-primary,
+        .pf-v5-c-button.pf-m-primary,
+        .pf-v6-c-button.pf-m-primary {
+          background-color: #D4FF3A !important;
+          color: #0A0A0A !important;
+          border-color: #D4FF3A !important;
+        }
+        a, .pf-c-button.pf-m-link, .pf-v5-c-button.pf-m-link {
+          color: #D4FF3A !important;
+        }
+        .pf-c-login__main, .ak-login-container { border-top: 3px solid #D4FF3A; }

infrastructure/production/fleet/authentik/blueprints/operator-application.yaml

@@ -0,0 +1,77 @@
+# Prod operator OIDC application + dezky-platform-admins access policy.
+# Mirrors infrastructure/docker-compose/configs/authentik/blueprints/
+# operator-application.yaml, with .local → .eu URLs. Applied by the
+# authentik-worker (mounts /blueprints/custom; reads OPERATOR_OIDC_* from env).
+#
+# Provider/app are state:created (never clobber a hand-made live provider);
+# group/policy/binding are state:present (reconcile + enforce on every env).
+version: 1
+metadata:
+  name: dezky-operator-application
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+
+entries:
+  - model: authentik_core.group
+    state: present
+    identifiers:
+      name: dezky-platform-admins
+    attrs:
+      name: dezky-platform-admins
+
+  - id: operator-oauth2-provider
+    model: authentik_providers_oauth2.oauth2provider
+    state: created
+    identifiers:
+      client_id: !Env [OPERATOR_OIDC_CLIENT_ID, dezky-operator]
+    attrs:
+      name: dezky-operator
+      client_type: confidential
+      client_id: !Env [OPERATOR_OIDC_CLIENT_ID, dezky-operator]
+      client_secret: !Env OPERATOR_OIDC_CLIENT_SECRET
+      authorization_flow:
+        !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+      invalidation_flow:
+        !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+      signing_key:
+        !Find [authentik_crypto.certificatekeypair, [name, "authentik Self-signed Certificate"]]
+      redirect_uris:
+        - matching_mode: strict
+          url: https://operator.dezky.eu/auth/oidc/callback
+      property_mappings:
+        - !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-openid"]]
+        - !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-email"]]
+        - !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-profile"]]
+      sub_mode: hashed_user_id
+      issuer_mode: per_provider
+
+  - id: operator-application
+    model: authentik_core.application
+    state: created
+    identifiers:
+      slug: dezky-operator
+    attrs:
+      name: Dezky Operator
+      slug: dezky-operator
+      provider: !KeyOf operator-oauth2-provider
+      meta_launch_url: https://operator.dezky.eu
+      meta_description: Internal Dezky operator control plane. Platform admins only.
+
+  - id: operator-require-platform-admin
+    model: authentik_policies_expression.expressionpolicy
+    state: present
+    identifiers:
+      name: operator-require-platform-admin
+    attrs:
+      name: operator-require-platform-admin
+      expression: |
+        return ak_is_group_member(request.user, name="dezky-platform-admins")
+
+  - model: authentik_policies.policybinding
+    state: present
+    identifiers:
+      target: !KeyOf operator-application
+      policy: !KeyOf operator-require-platform-admin
+    attrs:
+      enabled: true
+      order: 0

infrastructure/production/fleet/authentik/blueprints/portal-application.yaml

@@ -0,0 +1,53 @@
+# Prod customer-portal OIDC application. In dev this provider was made by hand
+# (docs/AUTHENTIK-SETUP.md §3.3); captured here as code for prod. Same shape as
+# the operator provider (implicit-consent flow, self-signed signing key,
+# openid/email/profile, hashed sub, per-provider issuer) but open to ALL users
+# (no platform-admin policy) and with the portal's redirect URI.
+#
+# state:created so a hand-made live provider is never clobbered. The
+# authentik-worker reads PORTAL_OIDC_CLIENT_SECRET from env; the SAME secret
+# must be given to the portal app (portal-secrets.NUXT_OIDC_CLIENT_SECRET).
+version: 1
+metadata:
+  name: dezky-portal-application
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+
+entries:
+  - id: portal-oauth2-provider
+    model: authentik_providers_oauth2.oauth2provider
+    state: created
+    identifiers:
+      client_id: !Env [PORTAL_OIDC_CLIENT_ID, dezky-portal]
+    attrs:
+      name: dezky-portal
+      client_type: confidential
+      client_id: !Env [PORTAL_OIDC_CLIENT_ID, dezky-portal]
+      client_secret: !Env PORTAL_OIDC_CLIENT_SECRET
+      authorization_flow:
+        !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+      invalidation_flow:
+        !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+      signing_key:
+        !Find [authentik_crypto.certificatekeypair, [name, "authentik Self-signed Certificate"]]
+      redirect_uris:
+        - matching_mode: strict
+          url: https://app.dezky.eu/api/auth/callback
+      property_mappings:
+        - !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-openid"]]
+        - !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-email"]]
+        - !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-profile"]]
+      sub_mode: hashed_user_id
+      issuer_mode: per_provider
+
+  - id: portal-application
+    model: authentik_core.application
+    state: created
+    identifiers:
+      slug: dezky-portal
+    attrs:
+      name: Dezky Portal
+      slug: dezky-portal
+      provider: !KeyOf portal-oauth2-provider
+      meta_launch_url: https://app.dezky.eu
+      meta_description: Your dezky workspace — mail, files, calendar and more.