Merge authentik-quadlet-fix: Integrate working authentik implementation

Merge completed authentik Quadlet implementation that resolves all deployment
issues and enables external HTTPS access. This brings the working solution
developed and tested on authentik-quadlet-fix branch into main.

All systemd services now generate correctly and authentik is fully operational
at https://auth.jnss.me with proper SSL termination via Caddy.

roles/authentik/templates/authentik-server.container

@@ -0,0 +1,32 @@
+[Unit]
+Description=Authentik Server Container
+After=authentik-pod.service
+Requires=authentik-pod.service
+
+[Container]
+ContainerName={{ authentik_container_server_name }}
+Image={{ authentik_image }}:{{ authentik_version }}
+Pod=authentik.pod
+EnvironmentFile={{ authentik_home }}/.env
+User={{ authentik_uid }}:{{ authentik_gid }}
+Annotation=run.oci.keep_original_groups=1
+
+# Logging configuration
+LogDriver=k8s-file
+LogOpt=path={{ authentik_home }}/logs/server.log
+Volume={{ authentik_home }}/logs:{{ authentik_home }}/logs
+
+# Volume mounts for data and sockets
+Volume={{ authentik_media_dir }}:/media
+Volume={{ authentik_data_dir }}:/data
+Volume={{ postgresql_unix_socket_directories }}:{{ postgresql_unix_socket_directories }}:Z
+Volume={{ valkey_unix_socket_path | dirname }}:{{ valkey_unix_socket_path | dirname }}:Z
+
+Exec=server
+
+[Service]
+Restart=always
+TimeoutStartSec=300
+
+[Install]
+WantedBy=default.target

roles/authentik/templates/authentik-worker.container

@@ -0,0 +1,32 @@
+[Unit]
+Description=Authentik Worker Container  
+After=authentik-pod.service
+Requires=authentik-pod.service
+
+[Container]
+ContainerName={{ authentik_container_worker_name }}
+Image={{ authentik_image }}:{{ authentik_version }}
+Pod=authentik.pod
+EnvironmentFile={{ authentik_home }}/.env
+User={{ authentik_uid }}:{{ authentik_gid }}
+Annotation=run.oci.keep_original_groups=1
+
+# Logging configuration
+LogDriver=k8s-file
+LogOpt=path={{ authentik_home }}/logs/worker.log
+Volume={{ authentik_home }}/logs:{{ authentik_home }}/logs
+
+# Volume mounts for data and sockets
+Volume={{ authentik_media_dir }}:/media
+Volume={{ authentik_data_dir }}:/data
+Volume={{ postgresql_unix_socket_directories }}:{{ postgresql_unix_socket_directories }}:Z
+Volume={{ valkey_unix_socket_path | dirname }}:{{ valkey_unix_socket_path | dirname }}:Z
+
+Exec=worker
+
+[Service]
+Restart=always
+TimeoutStartSec=300
+
+[Install]
+WantedBy=default.target

roles/authentik/templates/authentik.caddy.j2

@@ -1,34 +1,41 @@
-# Authentik Caddy Configuration - Rick-Infra
-# Generated by Ansible Authentik role
-# Deployed to {{ caddy_sites_enabled_dir }}/authentik.caddy
-
-{{ authentik_full_domain }} {
-    # Reverse proxy to Authentik
-    reverse_proxy 127.0.0.1:{{ authentik_http_port }}
-
-    # Security headers for authentication service
-    header {
-        # Enable HSTS
-        Strict-Transport-Security max-age=31536000;
-        # Prevent embedding in frames
-        X-Frame-Options DENY
-        # Prevent content type sniffing
-        X-Content-Type-Options nosniff
-        # XSS protection
-        X-XSS-Protection "1; mode=block"
-        # Referrer policy for privacy
-        Referrer-Policy strict-origin-when-cross-origin
+# Authentik Authentication Service
+{{ authentik_domain }} {
+    reverse_proxy https://{{ authentik_bind_address }}:{{ authentik_https_port }} {
+        transport http {
+            tls_insecure_skip_verify
+        }
+        
+        header_up Host {upstream_hostport}
+        header_up X-Real-IP {remote_host}
+        header_up X-Forwarded-Proto https
+        header_up X-Forwarded-For {remote_host}
+        header_up X-Forwarded-Host {host}
+        
+        # Health check
+        health_uri /if/health/live/
+        health_timeout 10s
+        health_interval 30s
+        health_status 200
     }
 
+    # Security headers
+    header {
+        X-Frame-Options SAMEORIGIN
+        X-Content-Type-Options nosniff
+        X-XSS-Protection "1; mode=block"
+        Referrer-Policy strict-origin-when-cross-origin
+        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+    }
+
+    # Authentik-specific paths
+    handle_path /outpost.goauthentik.io/* {
+        reverse_proxy https://{{ authentik_bind_address }}:{{ authentik_https_port }}
+    }
+    
     # Logging
     log {
-        output file /var/log/caddy/authentik_access.log
+        output file {{ caddy_log_dir }}/authentik.log
+        level INFO
+        format json
     }
-
-    # Optional: Custom error pages
-    handle_errors {
-        respond "Authentication service temporarily unavailable" 503
-    }
-}
-
-# Rick-Infra: Containerized Authentik authentication service with Caddy reverse proxy
+}

roles/authentik/templates/authentik.env.j2

@@ -1,39 +1,39 @@
-# Authentik Environment Configuration
-# Generated by rick-infra Ansible role
+# Authentik Configuration - Unix Socket IPC
+# Generated by Ansible - DO NOT EDIT
 
-# Database Configuration
-AUTHENTIK_POSTGRESQL__HOST={{ authentik_db_host }}
-AUTHENTIK_POSTGRESQL__PORT={{ authentik_db_port }}
+# PostgreSQL Configuration (Unix Socket)
+AUTHENTIK_POSTGRESQL__HOST={{ postgresql_unix_socket_directories }}
 AUTHENTIK_POSTGRESQL__NAME={{ authentik_db_name }}
 AUTHENTIK_POSTGRESQL__USER={{ authentik_db_user }}
 AUTHENTIK_POSTGRESQL__PASSWORD={{ authentik_db_password }}
+# No port needed for Unix socket
 
-# Cache Configuration (Valkey/Redis)
-AUTHENTIK_REDIS__HOST={{ authentik_redis_host }}
-AUTHENTIK_REDIS__PORT={{ authentik_redis_port }}
-AUTHENTIK_REDIS__DB={{ authentik_redis_db }}
-{% if authentik_redis_password %}
-AUTHENTIK_REDIS__PASSWORD={{ authentik_redis_password }}
-{% endif %}
+# Valkey/Redis Configuration (Unix Socket) - Using cache URL format to avoid port parsing issues
+AUTHENTIK_CACHE__URL=unix://{{ valkey_unix_socket_path }}?db={{ authentik_valkey_db }}&password={{ valkey_password }}
 
-# Core Configuration
+# Authentik Core Configuration
 AUTHENTIK_SECRET_KEY={{ authentik_secret_key }}
-AUTHENTIK_ERROR_REPORTING__ENABLED={{ authentik_error_reporting_enabled | lower }}
-AUTHENTIK_DISABLE_UPDATE_CHECK={{ authentik_disable_update_check | lower }}
-AUTHENTIK_DISABLE_STARTUP_ANALYTICS={{ authentik_disable_startup_analytics | lower }}
+AUTHENTIK_LOG_LEVEL={{ authentik_log_level }}
+AUTHENTIK_ERROR_REPORTING__ENABLED={{ authentik_error_reporting | lower }}
 
-# Worker Configuration
-AUTHENTIK_WORKER__CONCURRENCY={{ authentik_worker_concurrency }}
+# Security Configuration
+AUTHENTIK_COOKIE_DOMAIN={{ authentik_domain }}
+AUTHENTIK_DISABLE_UPDATE_CHECK=true
+AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
 
+# Network binding
+AUTHENTIK_LISTEN__HTTP={{ authentik_bind_address }}:{{ authentik_http_port }}
+
+{% if authentik_email_enabled %}
 # Email Configuration
-{% if authentik_email_host %}
 AUTHENTIK_EMAIL__HOST={{ authentik_email_host }}
 AUTHENTIK_EMAIL__PORT={{ authentik_email_port }}
 AUTHENTIK_EMAIL__USERNAME={{ authentik_email_username }}
 AUTHENTIK_EMAIL__PASSWORD={{ authentik_email_password }}
-AUTHENTIK_EMAIL__USE_TLS={{ authentik_email_use_tls | lower }}
+AUTHENTIK_EMAIL__USE_TLS={{ authentik_email_tls | lower }}
 AUTHENTIK_EMAIL__FROM={{ authentik_email_from }}
 {% endif %}
 
-# Trust reverse proxy headers
-AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS=127.0.0.1/32,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+# Default admin user
+AUTHENTIK_BOOTSTRAP_PASSWORD={{ authentik_default_admin_password }}
+AUTHENTIK_BOOTSTRAP_EMAIL={{ authentik_default_admin_email }}

roles/authentik/templates/authentik.pod

@@ -0,0 +1,13 @@
+[Unit]
+Description=Authentik Authentication Pod
+
+[Pod]
+PublishPort=0.0.0.0:{{ authentik_http_port }}:{{ authentik_http_port }}
+PodmanArgs=
+
+[Service]
+Restart=always
+TimeoutStartSec=900
+
+[Install]
+WantedBy=default.target