Improve logging and infrastructure variable consistency

Changes:
- Migrate Authentik to journald logging (remove file-based logs)
- Update Gitea to use infrastructure variables for PostgreSQL access
- Add comprehensive logging documentation to deployment guide
- Add infrastructure variable pattern guide to integration docs

Authentik Logging:
- Remove LogDriver=k8s-file from server and worker containers
- Remove logs directory creation from user setup tasks
- Update deployment guide with journald examples and JSON log patterns

Gitea Infrastructure Variables:
- Add infrastructure dependencies section to role defaults
- Replace hardcoded paths with postgresql_unix_socket_directories variable
- Replace hardcoded 'postgres' group with postgresql_client_group variable
- Add infrastructure variable validation in tasks
- Remove manual socket permission override (handled by infrastructure)

Documentation:
- Add journald logging best practices to service integration guide
- Add infrastructure variable pattern documentation with Gitea example
- Update Authentik deployment guide with journald commands and JSON filtering
- Document benefits: centralized logging, single source of truth, maintainability

Validated on arch-vps:
- Authentik logs accessible via journalctl and podman logs (identical output)
- Gitea user added to postgres-clients group (GID 962)
- No PostgreSQL socket permission errors after service restart
2025-12-14 17:16:21 +01:00
parent 3506e55016
commit 8e8aabd5e7
7 changed files with 259 additions and 41 deletions


@@ -453,35 +453,64 @@ curl -v https://auth.jnss.me/
#### Key Log Locations
```bash
# Authentik application logs
ssh root@your-vps "cat /opt/authentik/logs/server.log"
ssh root@your-vps "cat /opt/authentik/logs/worker.log"
Authentik uses **journald** for centralized logging. Both `journalctl` and `podman logs` provide access to the same log stream:
# systemd service logs
```bash
# View Authentik logs via journalctl (system-wide logging)
ssh root@your-vps "journalctl -u authentik-server -f"
ssh root@your-vps "journalctl -u authentik-worker -f"
# View Authentik logs via podman (container-specific)
ssh root@your-vps "podman logs -f authentik-server"
ssh root@your-vps "podman logs -f authentik-worker"
# View recent logs with timestamp (last 50 lines)
ssh root@your-vps "journalctl -u authentik-server --lines 50 --no-pager"
# Filter logs by time
ssh root@your-vps "journalctl -u authentik-server --since '10 minutes ago'"
ssh root@your-vps "journalctl -u authentik-server --since '2025-12-14 16:00:00'"
# Search logs for specific patterns
ssh root@your-vps "journalctl -u authentik-server | grep ERROR"
ssh root@your-vps "journalctl -u authentik-worker | grep 'database connection'"
# Caddy logs for reverse proxy issues
ssh root@your-vps "journalctl -u caddy -f"
```
**Note**: Logs are in JSON format with structured fields (timestamp, level, logger, event, etc.).
#### Common Log Patterns
**Successful startup**:
```
INFO authentik.core.signals: authentik 2025.10.x starting
INFO authentik.core.models: Database version up-to-date
Authentik logs are in **JSON format** for structured analysis. Here are common patterns:
**Successful API request**:
```json
{"auth_via": "secret_key", "domain_url": "0.0.0.0", "event": "/api/v3/outposts/proxy/",
"level": "info", "logger": "authentik.asgi", "method": "GET", "status": 200,
"timestamp": "2025-12-14T16:13:17.269312"}
```
**Database connection success**:
```
INFO authentik.core.db: Connected to database via unix socket
**Startup and initialization**:
```json
{"event": "updating brand certificates", "level": "info",
"logger": "authentik.router.brand_tls", "timestamp": "2025-12-14T16:13:17Z"}
```
**Cache connection success**:
**Warning patterns**:
```json
{"event": "No providers assigned to this outpost, check outpost configuration",
"level": "warning", "logger": "authentik.outpost.proxyv2"}
```
INFO authentik.core.cache: Connected to cache via unix socket
**Filtering JSON logs by level**:
```bash
# Filter by error level
ssh root@your-vps "journalctl -u authentik-server --since today | grep '\"level\":\"error\"'"
# Filter by specific event
ssh root@your-vps "journalctl -u authentik-server | grep '\"event\":\"database connection\"'"
```
## Performance Monitoring
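Review bot: The grep filters in the new "Filtering JSON logs by level" block and the earlier `grep ERROR` line do not match the log format shown in this same section. The JSON samples are written as `"level": "info"`, lowercase and with a space after the colon, while the filters search for `"level":"error"` and `"event":"database connection"` with no space, and `grep ERROR` is case-sensitive. If the samples reflect the real output, all three commands return nothing, and an operator will read an empty result as "no errors". Suggest tolerating the space and case, for example `grep -iE '"level": ?"error"'`, or parsing the JSON instead, for example `journalctl -u authentik-server -o cat | jq -c 'select(.level == "error")'`. The event filter also only matches an event whose whole value is exactly that string, which none of the sample events resemble, so a substring match on the event text would be more useful there.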