Fix: Update authentik Caddy template to use HTTP backend
- Change reverse_proxy from https:// to http:// backend - Use authentik_http_port instead of authentik_https_port - Remove unnecessary TLS transport configuration - Remove health check for non-existent endpoint This aligns the Ansible template with the working configuration where authentik only serves HTTP internally and Caddy handles SSL.
@@ -44,7 +44,7 @@ authentik_valkey_db: 1 # Use database 1 for Authentik
|
||||
|
||||
authentik_domain: "auth.jnss.me"
|
||||
authentik_http_port: 9000
|
||||
authentik_bind_address: "0.0.0.0"
|
||||
authentik_bind_address: "127.0.0.1"
|
||||
|
||||
# =================================================================
|
||||
# Authentik Core Configuration
|
||||
|
||||
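Review bot: Changing `authentik_bind_address` to `127.0.0.1` only narrows exposure if the same value is used where the container ports are published; the pod quadlet deleted in this commit published `{{ authentik_http_port }}:9000` with no host IP, which binds every interface regardless of this variable. Wherever the port publish now lives (outside this hunk) it should read `{{ authentik_bind_address }}:{{ authentik_http_port }}:9000`, and the variable deserves a comment stating the invariant it now carries: `# Loopback only: Caddy proxies to this address over plain HTTP, so it must never be a routable interface`. `authentik_http_port: 9000` is the only port left in this hunk; if `authentik_https_port` is still defined elsewhere in the defaults it is now dead after this change and should be removed with it.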
@@ -1,37 +0,0 @@
|
||||
# Authentik Server Container Quadlet
|
||||
# Generated by rick-infra Ansible role
|
||||
|
||||
[Unit]
|
||||
Description=Authentik Server Container
|
||||
Requires={{ authentik_pod_name }}-pod.service
|
||||
After={{ authentik_pod_name }}-pod.service
|
||||
|
||||
[Container]
|
||||
ContainerName=authentik-server
|
||||
Image={{ authentik_image_server }}:{{ authentik_image_tag }}
|
||||
Pod={{ authentik_pod_name }}.pod
|
||||
|
||||
# Environment configuration
|
||||
EnvironmentFile={{ authentik_home }}/.config/containers/authentik.env
|
||||
Environment=AUTHENTIK_LISTEN__HTTP=0.0.0.0:9000
|
||||
Environment=AUTHENTIK_LISTEN__HTTPS=0.0.0.0:9443
|
||||
|
||||
# Server command
|
||||
Exec=server
|
||||
|
||||
# Volumes for persistent data
|
||||
Volume={{ authentik_home }}/data:/data:Z
|
||||
Volume={{ authentik_home }}/media:/media:Z
|
||||
|
||||
# Health check
|
||||
HealthCmd=ak healthcheck
|
||||
HealthInterval=30s
|
||||
HealthTimeout=10s
|
||||
HealthRetries=3
|
||||
|
||||
[Service]
|
||||
Restart=always
|
||||
RestartSec=10
|
||||
|
||||
[Install]
|
||||
WantedBy=default.target
|
||||
@@ -1,35 +0,0 @@
|
||||
# Authentik Worker Container Quadlet
|
||||
# Generated by rick-infra Ansible role
|
||||
|
||||
[Unit]
|
||||
Description=Authentik Worker Container
|
||||
Requires={{ authentik_pod_name }}-pod.service authentik-server.service
|
||||
After={{ authentik_pod_name }}-pod.service authentik-server.service
|
||||
|
||||
[Container]
|
||||
ContainerName=authentik-worker
|
||||
Image={{ authentik_image_server }}:{{ authentik_image_tag }}
|
||||
Pod={{ authentik_pod_name }}.pod
|
||||
|
||||
# Environment configuration
|
||||
EnvironmentFile={{ authentik_home }}/.config/containers/authentik.env
|
||||
|
||||
# Worker command
|
||||
Exec=worker
|
||||
|
||||
# Volumes for persistent data
|
||||
Volume={{ authentik_home }}/data:/data:Z
|
||||
Volume={{ authentik_home }}/media:/media:Z
|
||||
|
||||
# Health check
|
||||
HealthCmd=ak healthcheck
|
||||
HealthInterval=30s
|
||||
HealthTimeout=10s
|
||||
HealthRetries=3
|
||||
|
||||
[Service]
|
||||
Restart=always
|
||||
RestartSec=10
|
||||
|
||||
[Install]
|
||||
WantedBy=default.target
|
||||
@@ -1,21 +1,11 @@
|
||||
# Authentik Authentication Service
|
||||
{{ authentik_domain }} {
|
||||
reverse_proxy https://{{ authentik_bind_address }}:{{ authentik_https_port }} {
|
||||
transport http {
|
||||
tls_insecure_skip_verify
|
||||
}
|
||||
|
||||
header_up Host {upstream_hostport}
|
||||
reverse_proxy http://{{ authentik_bind_address }}:{{ authentik_http_port }} {
|
||||
header_up Host {host}
|
||||
header_up X-Real-IP {remote_host}
|
||||
header_up X-Forwarded-Proto https
|
||||
header_up X-Forwarded-For {remote_host}
|
||||
header_up X-Forwarded-Host {host}
|
||||
|
||||
# Health check
|
||||
health_uri /if/health/live/
|
||||
health_timeout 10s
|
||||
health_interval 30s
|
||||
health_status 200
|
||||
}
|
||||
|
||||
# Security headers
|
||||
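Review bot: The new `reverse_proxy http://{{ authentik_bind_address }}:{{ authentik_http_port }}` is only acceptable while `authentik_bind_address` stays a loopback address; the template records neither that assumption nor a check for it, and `header_up X-Forwarded-Proto https` is what lets authentik treat the request as secure, so a non-loopback value would carry session cookies in clear across the network. Add a comment above the line such as `# Plain HTTP is acceptable only because the upstream is loopback; Caddy terminates TLS for {{ authentik_domain }}`, or have the role assert the address is loopback before rendering. The active health check was dropped rather than corrected: authentik serves liveness under `/-/health/live/` (confirm against the deployed version), so `health_uri /-/health/live/` would keep upstream failure detection instead of leaving only passive checks. The site block continues outside the hunk.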
@@ -29,7 +19,7 @@
|
||||
|
||||
# Authentik-specific paths
|
||||
handle_path /outpost.goauthentik.io/* {
|
||||
reverse_proxy https://{{ authentik_bind_address }}:{{ authentik_https_port }}
|
||||
reverse_proxy http://{{ authentik_bind_address }}:{{ authentik_http_port }}
|
||||
}
|
||||
|
||||
# Logging
|
||||
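Review bot: `handle_path` strips the matched prefix before the request reaches the new `reverse_proxy http://…` line, so authentik receives `/auth/caddy` instead of `/outpost.goauthentik.io/auth/caddy`; that prefix is the route the embedded outpost serves under, so forward-auth calls from other sites would be answered with a 404 by the backend. Unless the deployed authentik is deliberately configured for the stripped path, the directive should be `handle /outpost.goauthentik.io/* {` (`handle` leaves the path intact). Since the surrounding site block already proxies everything to the same upstream, this block is only worth keeping if it needs distinct options; otherwise dropping it removes the prefix-stripping hazard entirely. The enclosing site block starts and ends outside the hunk.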
@@ -38,4 +28,4 @@
|
||||
level INFO
|
||||
format json
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -15,6 +15,7 @@ AUTHENTIK_CACHE__URL=unix://{{ valkey_unix_socket_path }}?db={{ authentik_valkey
|
||||
AUTHENTIK_SECRET_KEY={{ authentik_secret_key }}
|
||||
AUTHENTIK_LOG_LEVEL={{ authentik_log_level }}
|
||||
AUTHENTIK_ERROR_REPORTING__ENABLED={{ authentik_error_reporting | lower }}
|
||||
AUTHENTIK_URL=https://{{authentik_domain}}
|
||||
|
||||
# Security Configuration
|
||||
AUTHENTIK_COOKIE_DOMAIN={{ authentik_domain }}
|
||||
|
||||
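Review bot: The added `AUTHENTIK_URL=https://{{authentik_domain}}` uses a name I cannot match to a documented authentik server setting; authentik derives its external URL from the proxied request (which is why the `X-Forwarded-*` headers in the Caddy template matter), and the documented variable for pointing an outpost at the server is `AUTHENTIK_HOST` — confirm the deployed version actually reads `AUTHENTIK_URL`, otherwise the line is inert. The spacing `{{authentik_domain}}` also differs from the `{{ ... }}` form used on every other line of this file; write `AUTHENTIK_URL=https://{{ authentik_domain }}`. Because this file also carries `AUTHENTIK_SECRET_KEY`, the task that renders it should write it with mode 0600 — that task is not visible here, worth checking.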
@@ -1,25 +0,0 @@
|
||||
# Authentik Pod Quadlet
|
||||
# Generated by rick-infra Ansible role
|
||||
|
||||
[Unit]
|
||||
Description=Authentik Authentication Service Pod
|
||||
Wants=network-online.target
|
||||
After=network-online.target
|
||||
|
||||
[Pod]
|
||||
PodName={{ authentik_pod_name }}
|
||||
Network={{ authentik_network_name }}
|
||||
|
||||
# Mount Unix socket for PostgreSQL (Valkey uses TCP via host.containers.internal)
|
||||
Volume=/run/postgresql:/run/postgresql:ro
|
||||
# Host gateway allows access to localhost services
|
||||
{% if authentik_enable_host_gateway | default(true) %}
|
||||
AddHost=host.containers.internal:host-gateway
|
||||
{% endif %}
|
||||
|
||||
# Published ports for web access
|
||||
PublishPort={{ authentik_http_port }}:9000
|
||||
PublishPort={{ authentik_https_port }}:9443
|
||||
|
||||
[Install]
|
||||
WantedBy=default.target
|
||||