Fix: Complete authentik Quadlet implementation with networking solution
Resolves authentik deployment issues by implementing proper Podman Quadlet configuration and fixing networking for external access through Caddy. Core Fixes: • Add missing [Install] sections to container Quadlet files for systemd service generation • Fix pod references from 'systemd-authentik' to 'authentik.pod' for proper Quadlet linking • Remove problematic --userns=host to use proper rootless user namespaces • Configure subuid/subgid ranges for authentik user (200000:65536) • Update networking to bind 0.0.0.0:9000 only (remove unnecessary HTTPS port 9443) • Add AUTHENTIK_LISTEN__HTTP=0.0.0.0:9000 environment configuration • Fix Caddy reverse proxy to use HTTP backend instead of HTTPS Infrastructure Updates: • Enhance PostgreSQL role with Unix socket configuration and user management • Improve Valkey role with proper systemd integration and socket permissions • Add comprehensive service integration documentation • Update deployment playbooks with backup and restore capabilities Security Improvements: • Secure network isolation with Caddy SSL termination • Reduced attack surface by removing direct HTTPS container exposure • Proper rootless container configuration with user namespace mapping Result: authentik now fully operational with external HTTPS access via auth.jnss.me All systemd services (authentik-pod, authentik-server, authentik-worker) running correctly.
This commit is contained in:
@@ -38,6 +38,33 @@ sigvild_gallery_pb_su_password: "{{ vault_pb_su_password}}"
|
||||
sigvild_gallery_host_password: "{{ vault_sigvild_host_password }}"
|
||||
sigvild_gallery_guest_password: "{{ vault_sigvild_guest_password }}"
|
||||
|
||||
# =================================================================
|
||||
# Authentik Configuration
|
||||
# =================================================================
|
||||
authentik_domain: "auth.jnss.me"
|
||||
|
||||
# Database configuration
|
||||
authentik_db_name: "authentik"
|
||||
authentik_db_user: "authentik"
|
||||
authentik_db_password: "{{ vault_authentik_db_password }}"
|
||||
|
||||
# Cache configuration
|
||||
authentik_valkey_db: 1
|
||||
|
||||
# Core configuration
|
||||
authentik_secret_key: "{{ vault_authentik_secret_key }}"
|
||||
authentik_default_admin_email: "admin@jnss.me"
|
||||
authentik_default_admin_password: "{{ vault_authentik_admin_password }}"
|
||||
|
||||
# Service configuration
|
||||
authentik_service_enabled: true
|
||||
authentik_service_state: "started"
|
||||
|
||||
# Infrastructure socket configuration
|
||||
postgresql_unix_socket_enabled: true
|
||||
postgresql_listen_addresses: "" # Socket-only mode (no TCP)
|
||||
valkey_unix_socket_enabled: true
|
||||
|
||||
# =================================================================
|
||||
# Security & Logging
|
||||
# =================================================================
|
||||
|
||||
Reference in New Issue
Block a user