joakim/rick-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge authentik-quadlet-fix: Integrate working authentik implementation

Browse Source 
Merge completed authentik Quadlet implementation that resolves all deployment
issues and enables external HTTPS access. This brings the working solution
developed and tested on authentik-quadlet-fix branch into main.

All systemd services now generate correctly and authentik is fully operational
at https://auth.jnss.me with proper SSL termination via Caddy.
This commit is contained in:
Joakim
2025-12-04 19:43:36 +01:00
parent dd62e93517 b42ee2a22b
commit b3c3fe5c56
29 changed files with 1715 additions and 368 deletions
Download Patch File Download Diff File Expand all files Collapse all files

70
roles/authentik/tasks/cache.yml Normal file
View File

@@ -0,0 +1,70 @@
---
# Cache setup for Authentik - Self-contained socket permissions
- name: Add authentik user to valkey group for socket access
user:
name: "{{ authentik_user }}"
groups: valkey
append: true
- name: Ensure authentik can access Valkey socket directory
file:
path: "{{ valkey_unix_socket_path | dirname }}"
mode: '0770'
group: valkey
become: true
- name: Test Valkey socket connectivity
command: >
redis-cli -s {{ valkey_unix_socket_path }}
-a {{ valkey_password }}
-n {{ authentik_valkey_db }}
ping
become: true
become_user: "{{ authentik_user }}"
register: valkey_socket_test
failed_when: valkey_socket_test.stdout != "PONG"
changed_when: false
- name: Configure Authentik Valkey database
command: >
redis-cli -s {{ valkey_unix_socket_path }}
-a {{ valkey_password }}
-n {{ authentik_valkey_db }}
CONFIG SET save ""
become: true
become_user: "{{ authentik_user }}"
register: valkey_config_result
changed_when: true
- name: Verify Authentik can write to Valkey database
command: >
redis-cli -s {{ valkey_unix_socket_path }}
-a {{ valkey_password }}
-n {{ authentik_valkey_db }}
SET authentik:healthcheck "deployed"
become: true
become_user: "{{ authentik_user }}"
register: valkey_write_test
changed_when: false
- name: Clean up Valkey test key
command: >
redis-cli -s {{ valkey_unix_socket_path }}
-a {{ valkey_password }}
-n {{ authentik_valkey_db }}
DEL authentik:healthcheck
become: true
become_user: "{{ authentik_user }}"
changed_when: false
- name: Display cache setup status
debug:
msg: |
✅ Authentik cache setup complete!
🗄️ Cache DB: {{ authentik_valkey_db }}
🔌 Connection: Unix socket ({{ valkey_unix_socket_path }})
📊 Test: {{ valkey_socket_test.stdout }}
🏗️ Ready for Authentik container deployment

56
roles/authentik/tasks/database.yml
View File

@@ -1,28 +1,62 @@
---
# Authentik Database Management - Self-Contained Database Setup
# Database setup for Authentik - Self-contained socket permissions
- name: Create Authentik database user
- name: Add authentik user to postgres group for socket access
user:
name: "{{ authentik_user }}"
groups: postgres
append: true
- name: Ensure authentik can access PostgreSQL socket directory
file:
path: "{{ postgresql_unix_socket_directories }}"
mode: '0770'
group: postgres
become: true
- name: Test PostgreSQL socket connectivity
postgresql_ping:
login_unix_socket: "{{ postgresql_unix_socket_directories }}"
login_user: "{{ authentik_user }}"
become: true
become_user: "{{ authentik_user }}"
- name: Create Authentik database user via socket
postgresql_user:
name: "{{ authentik_db_user }}"
password: "{{ authentik_db_password }}"
encrypted: yes
become: yes
login_unix_socket: "{{ postgresql_unix_socket_directories }}"
login_user: postgres
become: true
become_user: postgres
- name: Create Authentik database
- name: Create Authentik database via socket
postgresql_db:
name: "{{ authentik_db_name }}"
owner: "{{ authentik_db_user }}"
encoding: UTF8
template: template0
become: yes
login_unix_socket: "{{ postgresql_unix_socket_directories }}"
login_user: postgres
become: true
become_user: postgres
- name: Grant all privileges on Authentik database to user
- name: Grant Authentik database privileges
postgresql_privs:
db: "{{ authentik_db_name }}"
privs: ALL
type: database
role: "{{ authentik_db_user }}"
become: yes
become_user: postgres
login_unix_socket: "{{ postgresql_unix_socket_directories }}"
login_user: postgres
become: true
become_user: postgres
- name: Display database setup status
debug:
msg: |
✅ Authentik database setup complete!
📊 Database: {{ authentik_db_name }}
👤 User: {{ authentik_db_user }}
🔌 Connection: Unix socket ({{ postgresql_unix_socket_directories }})
🏗️ Ready for Authentik container deployment

186
roles/authentik/tasks/main.yml
View File

@@ -1,36 +1,184 @@
---
# Authentik Authentication Service Role - Containerized Implementation
# Manages Authentik using Podman with self-contained database
# Authentik Authentication Role - Main Tasks
# Self-contained deployment with Podman and Unix sockets
- name: Create authentik user and configure subuid/subgid
include_tasks: user.yml
- name: Create authentik group
group:
name: "{{ authentik_group }}"
system: true
- name: Set up authentik database
- name: Create authentik system user
user:
name: "{{ authentik_user }}"
system: true
shell: /bin/bash
home: "{{ authentik_home }}"
create_home: true
group: "{{ authentik_group }}"
- name: Create authentik directories
file:
path: "{{ item }}"
state: directory
owner: "{{ authentik_user }}"
group: "{{ authentik_group }}"
mode: '0755'
loop:
- "{{ authentik_home }}"
- "{{ authentik_data_dir }}"
- "{{ authentik_media_dir }}"
- "{{ authentik_user_quadlet_dir }}"
- "{{ authentik_log_dir }}"
- name: Enable lingering for authentik user (services persist without login)
command: loginctl enable-linger {{ authentik_user }}
register: linger_result
changed_when: linger_result.rc == 0
- name: Get authentik user UID and GID for container configuration
shell: |
echo "uid=$(id -u {{ authentik_user }})"
echo "gid=$(id -g {{ authentik_user }})"
register: authentik_user_info
changed_when: false
tags: [setup]
- name: Set authentik UID/GID facts for container templates
set_fact:
authentik_uid: "{{ authentik_user_info.stdout_lines[0] | regex_replace('uid=', '') }}"
authentik_gid: "{{ authentik_user_info.stdout_lines[1] | regex_replace('gid=', '') }}"
tags: [setup]
- name: Setup database access and permissions
include_tasks: database.yml
tags: [database, setup]
- name: Configure container networking
include_tasks: networking.yml
- name: Setup cache access and permissions
include_tasks: cache.yml
tags: [cache, setup]
- name: Deploy authentik containers via quadlets
include_tasks: containers.yml
- name: Deploy environment configuration
template:
src: authentik.env.j2
dest: "{{ authentik_home }}/.env"
owner: "{{ authentik_user }}"
group: "{{ authentik_group }}"
mode: '0600'
backup: true
notify:
- restart authentik pod
- restart authentik server
- restart authentik worker
tags: [config]
- name: Deploy Caddy configuration for Authentik
- name: Create Quadlet systemd directory (user scope)
file:
path: "{{ authentik_quadlet_dir }}"
state: directory
owner: "{{ authentik_user }}"
group: "{{ authentik_group }}"
mode: '0755'
- name: Deploy Quadlet pod and container files (user scope)
template:
src: "{{ item.src }}"
dest: "{{ authentik_quadlet_dir }}/{{ item.dest }}"
owner: "{{ authentik_user }}"
group: "{{ authentik_group }}"
mode: '0644'
loop:
- { src: 'authentik.pod', dest: 'authentik.pod' }
- { src: 'authentik-server.container', dest: 'authentik-server.container' }
- { src: 'authentik-worker.container', dest: 'authentik-worker.container' }
become: true
become_user: "{{ authentik_user }}"
notify:
- reload systemd user
- restart authentik pod
- restart authentik server
- restart authentik worker
tags: [containers, deployment]
- name: Deploy Caddy configuration
template:
src: authentik.caddy.j2
dest: "{{ caddy_sites_enabled_dir }}/authentik.caddy"
owner: root
group: "{{ caddy_user }}"
mode: '0644'
backup: true
notify: reload caddy
when: caddy_sites_enabled_dir is defined
tags: [caddy, reverse-proxy]
- name: Display Authentik service status
- name: Ensure system dependencies are running
systemd:
name: "{{ item }}"
state: started
loop:
- postgresql
- valkey
register: system_deps
- name: Wait for PostgreSQL socket to be ready
wait_for:
path: "{{ postgresql_unix_socket_directories }}/.s.PGSQL.{{ postgresql_port }}"
timeout: 30
when: postgresql_unix_socket_enabled
- name: Wait for Valkey socket to be ready
wait_for:
path: "{{ valkey_unix_socket_path }}"
timeout: 30
when: valkey_unix_socket_enabled
- name: Ensure systemd user session is started
systemd:
name: "user@{{ authentik_uid }}.service"
state: started
scope: system
register: user_session_start
- name: Enable and start Authentik pod (user scope)
systemd:
name: "authentik-pod"
enabled: "{{ authentik_service_enabled }}"
state: "{{ authentik_service_state }}"
scope: user
daemon_reload: true
become: true
become_user: "{{ authentik_user }}"
tags: [containers, service]
- name: Wait for Authentik to be ready
uri:
url: "https://{{ authentik_domain }}/if/health/live/"
method: GET
status_code: [200]
timeout: 30
validate_certs: true
retries: 10
delay: 30
register: authentik_health_check
tags: [verification, health-check]
- name: Display Authentik deployment status
debug:
msg: |
✅ Authentik authentication service deployed successfully!
✅ Authentik Authentication deployed successfully!
🌐 Web Interface: https://{{ authentik_full_domain }}
🔐 Admin Interface: https://{{ authentik_full_domain }}/if/admin/
📦 Local HTTP: http://127.0.0.1:{{ authentik_http_port }}
🗄️ Database: {{ authentik_db_name }} (self-managed)
🚀 Cache: Valkey database {{ authentik_redis_db }}
🌐 Domain: {{ authentik_domain }}
🗄️ Database: {{ authentik_db_name }} (Unix socket)
🗄️ Cache: Valkey DB {{ authentik_valkey_db }} (Unix socket)
🐳 Containers: Pod with server + worker
🔒 Admin: {{ authentik_default_admin_email }}
🏗️ Authentication service ready for SSO integration!
🚀 Ready for SSO configuration!
📋 Next Steps:
- Access {{ authentik_domain }} to complete setup
- Configure applications and providers
- Set up SSO for services
tags: [verification]