From 013eadba884d86073e299726e4fe270112bc00e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lennart=20M=C3=BChlenmeier?=
 <lennart.muehlenmeier@freiheitsrechte.org>
Date: Sat, 28 Feb 2026 11:30:55 +0100
Subject: [PATCH] README: Add considerations for migrating a deployment

We migrated `authentik-nix` a few weeks ago to another machine. Was real
painless.

Not too sure how helpful these considerations are written down into the
README but they might lower the stress levels for some though.
---
 README.md | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/README.md b/README.md
index 094ed2c..9076735 100644
--- a/README.md
+++ b/README.md
@@ -179,6 +179,17 @@ The build artifacts from successful CI runs should be available from the corresp
 
 https://app.cachix.org/cache/nix-community
 
+
+## Migrating
+
+When migrating an `authentik-nix` deployment from one machine to another the following considerations may be helpful.
+
+- Copy `/var/lib/authentik` to the new machine, and be aware that it is a symlink. `/media` is most important.
+- Lock the revision that's used to build `authentik-nix` to not down- or upgrade by accident, making debugging harder if needed.
+- Dump database according to [upstream's documentation](https://docs.goauthentik.io/sys-mgmt/ops/backup-restore/).
+    - By default, certs are written to the database, not filesystem. Migrating certs by restoring the database works.
+- authentik runs fine with a different domain or base URL, you may test everything and only then adjust DNS records for production deployment.
+
 ## License
 This project is released under the terms of the MIT License. See [LICENSE](./LICENSE).
 Consult [the upstream project](https://github.com/goauthentik/authentik) for information about authentik licensing.