Fix: Update authentik Caddy template to use HTTP backend

- Change reverse_proxy from https:// to http:// backend
- Use authentik_http_port instead of authentik_https_port
- Remove unnecessary TLS transport configuration
- Remove health check for non-existent endpoint

This aligns the Ansible template with the working configuration
where authentik only serves HTTP internally and Caddy handles SSL.

roles/authentik/defaults/main.yml

@@ -44,7 +44,7 @@ authentik_valkey_db: 1  # Use database 1 for Authentik
 
 authentik_domain: "auth.jnss.me"
 authentik_http_port: 9000
-authentik_bind_address: "0.0.0.0"
+authentik_bind_address: "127.0.0.1"
 
 # =================================================================
 # Authentik Core Configuration

roles/authentik/templates/authentik-server.container.j2

@@ -1,37 +0,0 @@
-# Authentik Server Container Quadlet
-# Generated by rick-infra Ansible role
-
-[Unit]
-Description=Authentik Server Container
-Requires={{ authentik_pod_name }}-pod.service
-After={{ authentik_pod_name }}-pod.service
-
-[Container]
-ContainerName=authentik-server
-Image={{ authentik_image_server }}:{{ authentik_image_tag }}
-Pod={{ authentik_pod_name }}.pod
-
-# Environment configuration
-EnvironmentFile={{ authentik_home }}/.config/containers/authentik.env
-Environment=AUTHENTIK_LISTEN__HTTP=0.0.0.0:9000
-Environment=AUTHENTIK_LISTEN__HTTPS=0.0.0.0:9443
-
-# Server command
-Exec=server
-
-# Volumes for persistent data
-Volume={{ authentik_home }}/data:/data:Z
-Volume={{ authentik_home }}/media:/media:Z
-
-# Health check
-HealthCmd=ak healthcheck
-HealthInterval=30s
-HealthTimeout=10s
-HealthRetries=3
-
-[Service]
-Restart=always
-RestartSec=10
-
-[Install]
-WantedBy=default.target

roles/authentik/templates/authentik-worker.container.j2

@@ -1,35 +0,0 @@
-# Authentik Worker Container Quadlet
-# Generated by rick-infra Ansible role
-
-[Unit]
-Description=Authentik Worker Container
-Requires={{ authentik_pod_name }}-pod.service authentik-server.service
-After={{ authentik_pod_name }}-pod.service authentik-server.service
-
-[Container]
-ContainerName=authentik-worker
-Image={{ authentik_image_server }}:{{ authentik_image_tag }}
-Pod={{ authentik_pod_name }}.pod
-
-# Environment configuration
-EnvironmentFile={{ authentik_home }}/.config/containers/authentik.env
-
-# Worker command
-Exec=worker
-
-# Volumes for persistent data
-Volume={{ authentik_home }}/data:/data:Z
-Volume={{ authentik_home }}/media:/media:Z
-
-# Health check
-HealthCmd=ak healthcheck
-HealthInterval=30s
-HealthTimeout=10s
-HealthRetries=3
-
-[Service]
-Restart=always
-RestartSec=10
-
-[Install]
-WantedBy=default.target

roles/authentik/templates/authentik.caddy.j2

@@ -1,21 +1,11 @@
 # Authentik Authentication Service
 {{ authentik_domain }} {
-    reverse_proxy https://{{ authentik_bind_address }}:{{ authentik_https_port }} {
-        transport http {
-            tls_insecure_skip_verify
-        }
-        
-        header_up Host {upstream_hostport}
+    reverse_proxy http://{{ authentik_bind_address }}:{{ authentik_http_port }} {
+        header_up Host {host}
         header_up X-Real-IP {remote_host}
         header_up X-Forwarded-Proto https
         header_up X-Forwarded-For {remote_host}
         header_up X-Forwarded-Host {host}
-        
-        # Health check
-        health_uri /if/health/live/
-        health_timeout 10s
-        health_interval 30s
-        health_status 200
     }
 
     # Security headers
@@ -29,7 +19,7 @@
 
     # Authentik-specific paths
     handle_path /outpost.goauthentik.io/* {
-        reverse_proxy https://{{ authentik_bind_address }}:{{ authentik_https_port }}
+        reverse_proxy http://{{ authentik_bind_address }}:{{ authentik_http_port }}
     }
     
     # Logging
@@ -38,4 +28,4 @@
         level INFO
         format json
     }
-}
+}

roles/authentik/templates/authentik.env.j2

@@ -15,6 +15,7 @@ AUTHENTIK_CACHE__URL=unix://{{ valkey_unix_socket_path }}?db={{ authentik_valkey
 AUTHENTIK_SECRET_KEY={{ authentik_secret_key }}
 AUTHENTIK_LOG_LEVEL={{ authentik_log_level }}
 AUTHENTIK_ERROR_REPORTING__ENABLED={{ authentik_error_reporting | lower }}
+AUTHENTIK_URL=https://{{authentik_domain}}
 
 # Security Configuration
 AUTHENTIK_COOKIE_DOMAIN={{ authentik_domain }}

roles/authentik/templates/authentik.pod.j2

@@ -1,25 +0,0 @@
-# Authentik Pod Quadlet
-# Generated by rick-infra Ansible role
-
-[Unit]
-Description=Authentik Authentication Service Pod
-Wants=network-online.target
-After=network-online.target
-
-[Pod]
-PodName={{ authentik_pod_name }}
-Network={{ authentik_network_name }}
-
-# Mount Unix socket for PostgreSQL (Valkey uses TCP via host.containers.internal)
-Volume=/run/postgresql:/run/postgresql:ro
-# Host gateway allows access to localhost services
-{% if authentik_enable_host_gateway | default(true) %}
-AddHost=host.containers.internal:host-gateway
-{% endif %}
-
-# Published ports for web access
-PublishPort={{ authentik_http_port }}:9000
-PublishPort={{ authentik_https_port }}:9443
-
-[Install]
-WantedBy=default.target

roles/valkey/defaults/main.yml

@@ -53,10 +53,6 @@ valkey_appendonly: false  # RDB only for simplicity
 # =================================================================
 # Security Configuration
 # =================================================================
-
-# Security hardening is now built into the custom service file
-
-# Valkey security settings
 valkey_timeout: 300
 valkey_tcp_keepalive: 300
 valkey_tcp_backlog: 511

roles/valkey/tasks/main.yml

@@ -56,23 +56,6 @@
     backup: yes
   notify: restart valkey
 
-- name: Create systemd override directory for Valkey security
-  file:
-    path: /etc/systemd/system/valkey.service.d
-    state: directory
-    mode: '0755'
-  when: valkey_systemd_security
-
-- name: Deploy Valkey systemd security override
-  template:
-    src: systemd-override.conf.j2
-    dest: /etc/systemd/system/valkey.service.d/override.conf
-    mode: '0644'
-  when: valkey_systemd_security
-  notify:
-    - reload systemd
-    - restart valkey
-
 - name: Enable and start Valkey service
   systemd:
     name: valkey
@@ -107,7 +90,7 @@
   when: valkey_service_state == "started" and valkey_unix_socket_enabled
 
 - name: Wait for Valkey to be ready (Unix Socket) - Try with auth if needed
-  command: redis-cli -s {{ valkey_unix_socket_path }} -a {{ valkey_requirepass }} ping
+  command: redis-cli -s {{ valkey_unix_socket_path }} -a {{ valkey_password }} ping
   register: valkey_socket_ping_auth
   until: valkey_socket_ping_auth.stdout == "PONG"
   retries: 5
@@ -120,14 +103,14 @@
     ("NOAUTH" in (valkey_socket_ping_noauth.stdout + valkey_socket_ping_noauth.stderr) or valkey_socket_ping_noauth.rc != 0)
 
 - name: Test Valkey connectivity (TCP)
-  command: redis-cli -h {{ valkey_bind }} -p {{ valkey_port }} -a {{ valkey_requirepass }} ping
+  command: redis-cli -h {{ valkey_bind }} -p {{ valkey_port }} -a {{ valkey_password }} ping
   register: valkey_ping_result_tcp
   changed_when: false
   failed_when: valkey_ping_result_tcp.stdout != "PONG"
   when: valkey_service_state == "started" and not valkey_unix_socket_enabled
 
 - name: Test Valkey connectivity (Unix Socket)
-  command: redis-cli -s {{ valkey_unix_socket_path }} -a {{ valkey_requirepass }} ping
+  command: redis-cli -s {{ valkey_unix_socket_path }} -a {{ valkey_password }} ping
   register: valkey_ping_result_socket
   changed_when: false
   failed_when: valkey_ping_result_socket.stdout != "PONG"

roles/valkey/templates/valkey.conf.j2

@@ -40,7 +40,7 @@ tcp-keepalive {{ valkey_tcp_keepalive }}
 # =================================================================
 
 # Require password for all operations
-requirepass {{ valkey_requirepass }}
+requirepass {{ valkey_password }}
 
 # =================================================================
 # Memory Management
@@ -136,4 +136,4 @@ client-output-buffer-limit pubsub 32mb 8mb 60
 # - Database 3+: Future applications
 #
 # Connection example:
-# redis-cli -h {{ valkey_bind }} -p {{ valkey_port }} -a {{ valkey_requirepass }} -n 1
+# redis-cli -h {{ valkey_bind }} -p {{ valkey_port }} -a {{ valkey_password }} -n 1