Merge authentik-quadlet-fix: Integrate working authentik implementation

Merge completed authentik Quadlet implementation that resolves all deployment issues and enables external HTTPS access. This brings the working solution developed and tested on authentik-quadlet-fix branch into main. All systemd services now generate correctly and authentik is fully operational at https://auth.jnss.me with proper SSL termination via Caddy.
2025-12-04 19:43:36 +01:00
parent dd62e93517 b42ee2a22b
commit b3c3fe5c56
29 changed files with 1715 additions and 368 deletions
--- a/roles/valkey/defaults/main.yml
+++ b/roles/valkey/defaults/main.yml
@@ -22,6 +22,11 @@ valkey_protected_mode: true  # Enable protection for TCP
 valkey_unixsocket: "/run/valkey/valkey.sock"
 valkey_unixsocketperm: 777  # Allows container access

+# Unix Socket Configuration
+valkey_unix_socket_enabled: true
+valkey_unix_socket_path: "/var/run/valkey/valkey.sock"
+valkey_unix_socket_perm: "770"
+
 # Authentication
 valkey_password: "{{ vault_valkey_password }}"

--- a/roles/valkey/tasks/main.yml
+++ b/roles/valkey/tasks/main.yml
@@ -15,15 +15,6 @@
    state: directory
    mode: '0755'

- name: Create Valkey socket directory
-  file:
-    path: /run/valkey
-    state: directory
-    owner: valkey
-    group: valkey
-    mode: '0755'
-  when: valkey_unixsocket is defined
-
 - name: Check if Valkey data directory exists
  stat:
    path: "/var/lib/valkey"
@@ -37,6 +28,24 @@
    group: valkey
    mode: '0750'

+- name: Create Valkey Unix socket directory
+  file:
+    path: "{{ valkey_unix_socket_path | dirname }}"
+    state: directory
+    owner: valkey
+    group: valkey
+    mode: '0775'
+  when: valkey_unix_socket_enabled
+
+- name: Ensure socket directory is accessible
+  file:
+    path: "{{ valkey_unix_socket_path | dirname }}"
+    owner: valkey
+    group: valkey
+    mode: '0775'
+    recurse: yes
+  when: valkey_unix_socket_enabled
+
 - name: Deploy Valkey configuration file
  template:
    src: valkey.conf.j2
@@ -47,12 +56,19 @@
    backup: yes
  notify: restart valkey

- name: Deploy custom Valkey service file
+- name: Create systemd override directory for Valkey security
+  file:
+    path: /etc/systemd/system/valkey.service.d
+    state: directory
+    mode: '0755'
+  when: valkey_systemd_security
+
+- name: Deploy Valkey systemd security override
  template:
-    src: valkey.service.j2
-    dest: /etc/systemd/system/valkey.service
+    src: systemd-override.conf.j2
+    dest: /etc/systemd/system/valkey.service.d/override.conf
    mode: '0644'
-    backup: yes
+  when: valkey_systemd_security
  notify:
    - reload systemd
    - restart valkey
@@ -62,40 +78,67 @@
    name: valkey
    enabled: "{{ valkey_service_enabled }}"
    state: "{{ valkey_service_state }}"
-    daemon_reload: yes
+    daemon_reload: true
+  register: valkey_service_result

 - name: Wait for Valkey to be ready (TCP)
  wait_for:
    port: "{{ valkey_port }}"
-    host: "{{ valkey_bind | default('127.0.0.1') }}"
+    host: "{{ valkey_bind }}"
    timeout: 30
-  when: 
-    - valkey_service_state == "started"
-    - valkey_port != 0
+  when: valkey_service_state == "started" and not valkey_unix_socket_enabled

- name: Wait for Valkey Unix socket to be ready
+- name: Wait for Valkey socket file to exist
  wait_for:
-    path: "{{ valkey_unixsocket }}"
+    path: "{{ valkey_unix_socket_path }}"
    timeout: 30
-  when: 
-    - valkey_service_state == "started"
-    - valkey_unixsocket is defined
+  when: valkey_service_state == "started" and valkey_unix_socket_enabled

- name: Test Valkey connectivity (Unix socket)
-  command: valkey-cli -s {{ valkey_unixsocket }} -a "{{ valkey_password }}" ping
-  register: valkey_ping_result
+- name: Wait for Valkey to be ready (Unix Socket) - Try without auth first
+  command: redis-cli -s {{ valkey_unix_socket_path }} ping
+  register: valkey_socket_ping_noauth
+  until: >
+    valkey_socket_ping_noauth.stdout == "PONG" or 
+    "NOAUTH" in (valkey_socket_ping_noauth.stdout + valkey_socket_ping_noauth.stderr)
+  retries: 15
+  delay: 2
  changed_when: false
-  failed_when: valkey_ping_result.stdout != "PONG"
-  when: 
-    - valkey_service_state == "started"
-    - valkey_unixsocket is defined
+  failed_when: false
+  when: valkey_service_state == "started" and valkey_unix_socket_enabled
+
+- name: Wait for Valkey to be ready (Unix Socket) - Try with auth if needed
+  command: redis-cli -s {{ valkey_unix_socket_path }} -a {{ valkey_requirepass }} ping
+  register: valkey_socket_ping_auth
+  until: valkey_socket_ping_auth.stdout == "PONG"
+  retries: 5
+  delay: 2
+  changed_when: false
+  failed_when: valkey_socket_ping_auth.rc != 0
+  when: >
+    valkey_service_state == "started" and valkey_unix_socket_enabled and 
+    (valkey_socket_ping_noauth.stdout != "PONG") and
+    ("NOAUTH" in (valkey_socket_ping_noauth.stdout + valkey_socket_ping_noauth.stderr) or valkey_socket_ping_noauth.rc != 0)
+
+- name: Test Valkey connectivity (TCP)
+  command: redis-cli -h {{ valkey_bind }} -p {{ valkey_port }} -a {{ valkey_requirepass }} ping
+  register: valkey_ping_result_tcp
+  changed_when: false
+  failed_when: valkey_ping_result_tcp.stdout != "PONG"
+  when: valkey_service_state == "started" and not valkey_unix_socket_enabled
+
+- name: Test Valkey connectivity (Unix Socket)
+  command: redis-cli -s {{ valkey_unix_socket_path }} -a {{ valkey_requirepass }} ping
+  register: valkey_ping_result_socket
+  changed_when: false
+  failed_when: valkey_ping_result_socket.stdout != "PONG"
+  when: valkey_service_state == "started" and valkey_unix_socket_enabled

 - name: Display Valkey infrastructure status
  debug:
    msg: |
      ✅ Valkey infrastructure ready!
      
-      📡 Service: {{ valkey_bind }}:{{ valkey_port }}
+      📡 Service: {% if valkey_unix_socket_enabled %}Unix Socket ({{ valkey_unix_socket_path }}){% else %}{{ valkey_bind }}:{{ valkey_port }}{% endif %}
      🔒 Auth: Password protected
      💾 Persistence: {{ 'RDB enabled' if valkey_save_enabled else 'Memory only' }}
      🗄️ Databases: {{ valkey_databases }} available (0-{{ valkey_databases - 1 }})
@@ -105,4 +148,5 @@
      📋 Application Integration:
      - Use database numbers 1-{{ valkey_databases - 1 }} for applications
      - Database 0 reserved for system/testing
+      - {% if valkey_unix_socket_enabled %}Unix socket: {{ valkey_unix_socket_path }}{% else %}TCP: {{ valkey_bind }}:{{ valkey_port }}{% endif %}
      - Redis-compatible: applications can use REDIS_* or VALKEY_* env vars
--- a/roles/valkey/templates/valkey.conf.j2
+++ b/roles/valkey/templates/valkey.conf.j2
@@ -8,20 +8,19 @@
 # Network Configuration
 # =================================================================

-{% if valkey_bind %}
-# Bind to specified interfaces
+# Bind to localhost only for security (like PostgreSQL)
 bind {{ valkey_bind }}
-{% else %}
-# No TCP binding - Unix socket only
-{% endif %}

-# Valkey port (0 = disable TCP)
+# Valkey port
 port {{ valkey_port }}

-# Unix socket configuration
-{% if valkey_unixsocket is defined %}
-unixsocket {{ valkey_unixsocket }}
-unixsocketperm {{ valkey_unixsocketperm }}
+{% if valkey_unix_socket_enabled %}
+# Unix Socket Configuration
+unixsocket {{ valkey_unix_socket_path }}
+unixsocketperm {{ valkey_unix_socket_perm }}
+
+# Enable both TCP and Unix socket (for compatibility during transition)
+# To disable TCP completely, comment out the port line above
 {% endif %}

 # Protected mode - requires authentication
@@ -41,7 +40,7 @@ tcp-keepalive {{ valkey_tcp_keepalive }}
 # =================================================================

 # Require password for all operations
-requirepass {{ valkey_password }}
+requirepass {{ valkey_requirepass }}

 # =================================================================
 # Memory Management
@@ -137,4 +136,4 @@ client-output-buffer-limit pubsub 32mb 8mb 60
 # - Database 3+: Future applications
 #
 # Connection example:
-# valkey-cli -h {{ valkey_bind }} -p {{ valkey_port }} -a {{ valkey_password }} -n 1
+# redis-cli -h {{ valkey_bind }} -p {{ valkey_port }} -a {{ valkey_requirepass }} -n 1