# User Provisioning
User provisioning is a GitOps-managed pipeline that creates, updates, and deletes user accounts in Authentik from a single users.json definition. A commit is all it takes to onboard or offboard someone. NetBird groups are synced automatically from Authentik via its IDP manager integration.
## Deployment

| Field | Value |
|---|---|
| Flux path | flux-clusters/stefanzhelev/apps/users-authentik |
| Base path | flux-apps/users |
| Sync wave | 8 |
## Dependencies

| Kustomization | Depends on |
|---|---|
| users-authentik | authentik, external-secrets-config, tofu-controller |
## What it deploys

- users-authentik: Terraform CR that provisions users, groups, and authentication flows in Authentik
An ExternalSecret pulls the Authentik API token from Vault.
## How it works

### Single source of truth

The module reads from flux-apps/users/users.json:

```json
{
  "users": {
    "stefan": {
      "name": "Stefan Zhelev",
      "email": "stefan@stefanzhelev.com",
      "groups": ["admins"],
      "is_admin": true
    }
  }
}
```

To add a user, add an entry. To remove a user, delete the entry. Commit and push — Flux reconciles the Terraform CR.
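Because a single commit to users.json is what onboards or offboards someone, the change is worth checking before Flux applies it. The script below is an added example, not part of this repository or the users-authentik module: it validates a users.json definition (required fields with the right types, unique emails, and `is_admin` agreeing with membership in the `admins` group) and computes the create/update/delete set that a reconcile of the new revision against the old one would apply, which is what you would expect to see in the Terraform plan. The sample definitions, the `admins`/`is_admin` consistency rule and the function names are constructed for this example; the real module's schema and checks may differ.

```python
import json
from typing import Any

# Constructed sample definitions following the users.json layout on this
# page. BEFORE is the revision currently applied, AFTER is the commit under
# review (adds "bob"), BAD is a revision with deliberate mistakes.
BEFORE_JSON = """
{
  "users": {
    "stefan": {"name": "Stefan Zhelev", "email": "stefan@stefanzhelev.com",
               "groups": ["admins"], "is_admin": true},
    "alice":  {"name": "Alice Example", "email": "alice@example.test",
               "groups": ["users"], "is_admin": false}
  }
}
"""

AFTER_JSON = """
{
  "users": {
    "stefan": {"name": "Stefan Zhelev", "email": "stefan@stefanzhelev.com",
               "groups": ["admins"], "is_admin": true},
    "alice":  {"name": "Alice Example", "email": "alice@example.test",
               "groups": ["users"], "is_admin": false},
    "bob":    {"name": "Bob Example", "email": "bob@example.test",
               "groups": ["users"], "is_admin": false}
  }
}
"""

BAD_JSON = """
{
  "users": {
    "stefan": {"name": "Stefan Zhelev", "email": "stefan@stefanzhelev.com",
               "groups": ["admins"], "is_admin": true},
    "alice":  {"name": "Alice Example", "email": "alice@example.test",
               "groups": ["users"], "is_admin": true},
    "carol":  {"email": "alice@example.test",
               "groups": ["users"], "is_admin": false}
  }
}
"""

# Required fields and their JSON types (assumed schema, taken from the page's example).
REQUIRED = {"name": str, "email": str, "groups": list, "is_admin": bool}


def validate(doc: dict[str, Any]) -> list[str]:
    """Return a list of problems; an empty list means the definition is sane."""
    problems: list[str] = []
    users = doc.get("users")
    if not isinstance(users, dict):
        return ["top-level 'users' must be an object"]
    seen_emails: dict[str, str] = {}
    for username, spec in users.items():
        if not isinstance(spec, dict):
            problems.append(f"{username}: entry must be an object")
            continue
        for field, typ in REQUIRED.items():
            if not isinstance(spec.get(field), typ):
                problems.append(f"{username}: missing or mistyped '{field}'")
        email = spec.get("email")
        if isinstance(email, str):
            if email in seen_emails:
                problems.append(f"{username}: email duplicates {seen_emails[email]}")
            seen_emails[email] = username
        groups = spec.get("groups") if isinstance(spec.get("groups"), list) else []
        # Privilege drift check (assumed rule): is_admin and 'admins' membership must agree.
        if bool(spec.get("is_admin")) != ("admins" in groups):
            problems.append(f"{username}: is_admin and membership in 'admins' disagree")
    return problems


def validate_text(text: str) -> list[str]:
    return validate(json.loads(text))


def plan(before: dict[str, Any], after: dict[str, Any]) -> dict[str, list[str]]:
    """Compute the create/update/delete set a reconcile of 'after' over 'before' applies."""
    old, new = before["users"], after["users"]
    return {
        "create": sorted(set(new) - set(old)),
        "delete": sorted(set(old) - set(new)),
        "update": sorted(u for u in set(old) & set(new) if old[u] != new[u]),
    }


def review(before_text: str, after_text: str) -> dict[str, Any]:
    """Validate the new revision; only produce a plan when it passes."""
    after = json.loads(after_text)
    problems = validate(after)
    return {"problems": problems,
            "plan": plan(json.loads(before_text), after) if not problems else None}


if __name__ == "__main__":
    print(json.dumps(review(BEFORE_JSON, AFTER_JSON), indent=2))
    print(json.dumps(review(BEFORE_JSON, BAD_JSON), indent=2))
```

Running it prints a plan that creates only `bob` for the good revision, and for the bad revision lists `alice` (admin flag without the group), `carol` (missing name, duplicate email) and no plan, so the commit would be caught before it reaches the Terraform CR. Wired into CI on the users.json path, the same check gives the offboarding side a review point too: any unexpected entry in `delete` is visible before Flux reconciles it.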
## Authentication flows

The users-authentik module configures passkey-first authentication:

| Flow | Purpose | Stages |
|---|---|---|
| Passwordless (default) | Passkey / biometrics | WebAuthn challenge → session |
| Password + MFA (fallback) | Traditional login | Password → TOTP / WebAuthn / static → session |
| Enrollment | New user onboarding | Set password → register passkey → enroll TOTP → session |
| Recovery | Password reset | Email identification → recovery email → new password → session |
## NetBird group sync

Groups created in Authentik are automatically synced to NetBird via its IDP manager integration (ManagerType: "authentik"). No separate provisioning is needed — when a user authenticates with NetBird, their Authentik group memberships are reflected in NetBird’s access policies.
## Bootstrap

The break-glass account (akadmin) is managed outside this module and is the recovery path if the users pipeline ever breaks.
## Integrations

- Authentik: identity provider — user accounts, groups, auth flows
- NetBird: mesh VPN — groups synced automatically from Authentik via IDP manager
- Vault + Tofu Controller: API credentials stored in Vault, synced by ExternalSecrets
- Flux CD: reconciliation loop that applies changes on commit
## Key commands

```sh
# Check Terraform CR status
kubectl get terraform -n flux-system users-authentik

# View Terraform plan output
kubectl describe terraform -n flux-system users-authentik

# Force reconciliation
flux reconcile kustomization users-authentik
```