1 Ecosystem Choices

Note

The three big decisions: immutable OS, container runtime, and identity provider. Everything else follows from these.

1.1 The three-layer model

Host as firmware: bootc image-based Linux, rebuilt in CI, no runtime mutation
Workloads in rootless Podman pods, one service user per application, managed by systemd via quadlet
Identity and access through Authentik as a single family IDP

1.2 Why CentOS Stream

CentOS Stream 10 as RHEL’s upstream, not its rebuild
Stable kernel ABI for out-of-tree modules (ZFS, NVIDIA)
bootc is a Red Hat project; CentOS Stream is its primary target
Alternative considered: Fedora (faster kernel, less stable ABI, shorter support window)

1.3 Why Podman over Docker

Rootless by default, no daemon, no root socket
Quadlet units are systemd-native: dependencies, ordering, journal logging for free
Pod model maps naturally to sidecar patterns (app + Caddy per pod)
OCI compatible: same images, same registries

1.4 Why Authentik over the alternatives

Full evaluation in Chapter 7
Short version: Authentik is the only project that ships OIDC, LDAP outpost, and forward auth proxy in a single deployment
Alternatives evaluated: Zitadel, Ory, Keycloak, Kanidm, Authelia

1.5 Upstream health as a selection criterion

Every component here is selected partly on the vitality of its upstream: release cadence, security response, community size
Single-maintainer stack means you inherit upstream’s maintenance posture
Components that stall or go hostile get replaced; the image-based model makes this cheaper than it sounds

# Ecosystem Choices

::: {.callout-note}
The three big decisions: immutable OS, container runtime, and identity provider. Everything else follows from these.
:::

## The three-layer model

- Host as firmware: [bootc](https://containers.github.io/bootc/) image-based Linux, rebuilt in CI, no runtime mutation
- Workloads in rootless [Podman](https://podman.io/) pods, one service user per application, managed by [systemd](https://systemd.io/) via [quadlet](https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html)
- Identity and access through [Authentik](https://goauthentik.io/) as a single family IDP

## Why CentOS Stream

- [CentOS Stream](https://centos.org/) 10 as RHEL's upstream, not its rebuild
- Stable kernel ABI for out-of-tree modules (ZFS, NVIDIA)
- `bootc` is a Red Hat project; CentOS Stream is its primary target
- Alternative considered: [Fedora](https://fedoraproject.org/) (faster kernel, less stable ABI, shorter support window)

## Why Podman over Docker

- Rootless by default, no daemon, no root socket
- Quadlet units are systemd-native: dependencies, ordering, journal logging for free
- Pod model maps naturally to sidecar patterns (app + Caddy per pod)
- [OCI](https://opencontainers.org/) compatible: same images, same registries

## Why Authentik over the alternatives

- Full evaluation in @sec-authentication
- Short version: [Authentik](https://goauthentik.io/) is the only project that ships OIDC, LDAP outpost, and forward auth proxy in a single deployment
- Alternatives evaluated: [Zitadel](https://zitadel.com/), [Ory](https://www.ory.sh/), [Keycloak](https://www.keycloak.org/), [Kanidm](https://kanidm.com/), [Authelia](https://www.authelia.com/)

## Upstream health as a selection criterion

- Every component here is selected partly on the vitality of its upstream: release cadence, security response, community size
- Single-maintainer stack means you inherit upstream's maintenance posture
- Components that stall or go hostile get replaced; the image-based model makes this cheaper than it sounds