Migrate to rootful container architecture with infrastructure fact pattern

Major architectural change from rootless user services to system-level (rootful) containers to enable group-based Unix socket access for containerized applications. Infrastructure Changes: - PostgreSQL: Export postgres-clients group GID as Ansible fact - Valkey: Export valkey-clients group GID as Ansible fact - Valkey: Add socket-fix service to maintain correct socket group ownership - Both: Set socket directories to 770 with client group ownership Authentik Role Refactoring: - Remove rootless container configuration (subuid/subgid, lingering, user systemd) - Deploy Quadlet files to /etc/containers/systemd/ (system-level) - Use dynamic GID facts in container PodmanArgs (--group-add) - Simplify user creation to system user with infrastructure group membership - Update handlers for system scope service management - Remove unnecessary container security options (no user namespace isolation) Container Template Changes: - Pod: Remove --userns args, change WantedBy to multi-user.target - Containers: Replace Annotation with PodmanArgs using dynamic GIDs - Remove /dev/shm mounts and SecurityLabelDisable (not needed for rootful) - Change WantedBy to multi-user.target for system services Documentation Updates: - Add ADR-005: Rootful Containers with Infrastructure Fact Pattern - Update ADR-003: Podman + systemd for system-level deployment - Update authentik-deployment-guide.md for system scope commands - Update service-integration-guide.md with rootful pattern examples - Document discarded rootless approach and rationale Why Rootful Succeeds: - Direct UID/GID mapping preserves supplementary groups - Container process groups match host socket group ownership - No user namespace remapping breaking permissions Why Rootless Failed (Discarded): - User namespace UID/GID remapping broke group-based socket access - Supplementary groups remapped into subgid range didn't match socket ownership - Even with --userns=host and keep_original_groups, permissions failed Pattern Established: - Infrastructure roles create client groups and export GID facts - Application roles validate facts and consume in container templates - Rootful containers run as dedicated users with --group-add for socket access - System-level deployment provides standard systemd service management Deployment Validated: - Services in /system.slice/ ✓ - Process groups: 961 (valkey-clients), 962 (postgres-clients), 966 (authentik) ✓ - Socket permissions: 770 with client groups ✓ - HTTP endpoint responding ✓
2025-12-14 16:56:50 +01:00
parent 9e570ac2a3
commit 3506e55016
21 changed files with 587 additions and 288 deletions
--- a/roles/postgresql/defaults/main.yml
+++ b/roles/postgresql/defaults/main.yml
@@ -22,6 +22,10 @@ postgresql_unix_socket_enabled: true
 postgresql_unix_socket_directories: "/var/run/postgresql"
 postgresql_unix_socket_permissions: "0770"

+# Group-Based Access Control
+postgresql_client_group: "postgres-clients"
+postgresql_client_group_create: true
+
 # Authentication
 postgresql_auth_method: "scram-sha-256"

--- a/roles/postgresql/tasks/main.yml
+++ b/roles/postgresql/tasks/main.yml
@@ -11,6 +11,19 @@
    name: python-psycopg2
    state: present

+- name: Create PostgreSQL client access group
+  group:
+    name: "{{ postgresql_client_group }}"
+    system: true
+  when: postgresql_client_group_create
+
+- name: Ensure postgres user is in client group
+  user:
+    name: postgres
+    groups: "{{ postgresql_client_group }}"
+    append: true
+  when: postgresql_client_group_create
+
 - name: Check if PostgreSQL data directory exists and is initialized
  stat:
    path: "/var/lib/postgres/data/PG_VERSION"
@@ -72,10 +85,21 @@
    path: "{{ postgresql_unix_socket_directories }}"
    state: directory
    owner: postgres
-    group: postgres
+    group: "{{ postgresql_client_group }}"
    mode: '0770'
  when: postgresql_unix_socket_enabled

+- name: Get PostgreSQL client group GID for containerized applications
+  shell: "getent group {{ postgresql_client_group }} | cut -d: -f3"
+  register: postgresql_client_group_lookup
+  changed_when: false
+  when: postgresql_client_group_create
+
+- name: Set PostgreSQL client group GID as fact
+  set_fact:
+    postgresql_client_group_gid: "{{ postgresql_client_group_lookup.stdout }}"
+  when: postgresql_client_group_create and postgresql_client_group_lookup.stdout is defined
+
 - name: Enable and start PostgreSQL service
  systemd:
    name: postgresql
--- a/roles/postgresql/templates/postgresql.conf.j2
+++ b/roles/postgresql/templates/postgresql.conf.j2
@@ -7,14 +7,11 @@
 # Unix Socket Configuration
 unix_socket_directories = '{{ postgresql_unix_socket_directories }}'
 unix_socket_permissions = {{ postgresql_unix_socket_permissions }}
+unix_socket_group = '{{ postgresql_client_group }}'
 {% endif %}
 listen_addresses = '{{ postgresql_listen_addresses }}'
 port = {{ postgresql_port }}

-# Unix socket configuration
-unix_socket_directories = '{{ postgresql_unix_socket_directories | default("/run/postgresql") }}'
-unix_socket_permissions = {{ postgresql_unix_socket_permissions | default("0777") }}
-
 # Basic Performance (only override if needed)
 max_connections = {{ postgresql_max_connections }}
 shared_buffers = {{ postgresql_shared_buffers }}