joakim/rick-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix: Complete authentik Quadlet implementation with networking solution

Browse Source 
Resolves authentik deployment issues by implementing proper Podman Quadlet
configuration and fixing networking for external access through Caddy.

Core Fixes:
• Add missing [Install] sections to container Quadlet files for systemd service generation
• Fix pod references from 'systemd-authentik' to 'authentik.pod' for proper Quadlet linking
• Remove problematic --userns=host to use proper rootless user namespaces
• Configure subuid/subgid ranges for authentik user (200000:65536)
• Update networking to bind 0.0.0.0:9000 only (remove unnecessary HTTPS port 9443)
• Add AUTHENTIK_LISTEN__HTTP=0.0.0.0:9000 environment configuration
• Fix Caddy reverse proxy to use HTTP backend instead of HTTPS

Infrastructure Updates:
• Enhance PostgreSQL role with Unix socket configuration and user management
• Improve Valkey role with proper systemd integration and socket permissions
• Add comprehensive service integration documentation
• Update deployment playbooks with backup and restore capabilities

Security Improvements:
• Secure network isolation with Caddy SSL termination
• Reduced attack surface by removing direct HTTPS container exposure
• Proper rootless container configuration with user namespace mapping

Result: authentik now fully operational with external HTTPS access via auth.jnss.me
All systemd services (authentik-pod, authentik-server, authentik-worker) running correctly.
This commit is contained in:
Joakim
2025-12-04 19:42:31 +01:00
parent df4ae0eb17
commit b42ee2a22b
25 changed files with 986 additions and 92 deletions
Download Patch File Download Diff File Expand all files Collapse all files

80
roles/authentik/README.md
View File

@@ -224,4 +224,82 @@ service.example.com {
reverse_proxy localhost:8080
}
```
```
## Technical Implementation Notes
### Unix Socket Access Solution
This role implements a sophisticated solution for containerized Unix socket access:
**Challenge**: Containers need to access Unix sockets owned by different system services (PostgreSQL, Valkey) while maintaining security isolation.
**Solution Components**:
1. **User Namespace Preservation**: `--userns=host` in pod configuration
- Preserves host UID/GID mapping within containers
- Allows direct access to host socket files
2. **Group Membership Preservation**: `Annotation=run.oci.keep_original_groups=1` in containers
- Ensures supplementary group memberships are maintained in containers
- Enables access to postgres and valkey groups within containers
3. **Correct Redis URL Format**: `AUTHENTIK_CACHE__URL=unix://...?db=N&password=...`
- Avoids Django Redis client URL parsing issues
- Prevents incorrect port appending to Unix socket paths
4. **Host Service Integration**: Authentik user added to service groups
- Added to `postgres` group for PostgreSQL socket access
- Added to `valkey` group for Valkey socket access
### Container Architecture
```
┌─────────────────────────────────────────────────────────────┐
│ Authentik Pod (--userns=host) │
│ │
│ ┌─────────────────┐ ┌─────────────────┐ │
│ │ Server Container│ │ Worker Container│ │
│ │ UID: 963 (host) │ │ UID: 963 (host) │ │
│ │ Groups: 963, │ │ Groups: 963, │ │
│ │ 968(postgres),│ │ 968(postgres),│ │
│ │ 965(valkey) │ │ 965(valkey) │ │
│ └─────────────────┘ └─────────────────┘ │
│ │ │ │
│ └────────────────────┴─────────────┐ │
└─────────────────────────────────────────────│─────────────┘
┌───────────────▼──────────────┐
│ Host Unix Sockets │
│ │
│ /var/run/postgresql/ │
│ ├─ .s.PGSQL.5432 │
│ │ (postgres:postgres 0770) │
│ │
│ /var/run/valkey/ │
│ ├─ valkey.sock │
│ (valkey:valkey 0770) │
└──────────────────────────────┘
```
### Security Implications
**Maintained Security**:
- Container network isolation preserved (no `--network=host`)
- Individual container user/group isolation
- Standard Podman security features active
- Principle of least privilege through group membership
**Trade-offs**:
- Containers share host user namespace (reduced UID isolation)
- Group membership grants broader access to service files
- Requires careful service group management
### Compatibility
This solution is:
-**Portable**: Works regardless of UID assignments
-**Maintainable**: No custom subuid/subgid configuration
-**Performant**: Unix sockets avoid TCP overhead
-**Secure**: Maintains container isolation where it matters
-**Standard**: Uses documented Podman/OCI features

10
roles/authentik/defaults/main.yml
View File

@@ -14,10 +14,11 @@ authentik_group: authentik
authentik_home: /opt/authentik
authentik_data_dir: "{{ authentik_home }}/data"
authentik_media_dir: "{{ authentik_home }}/media"
authentik_log_dir: "{{ authentik_home }}/logs"
# Container configuration
authentik_version: "latest"
authentik_image: "ghcr.io/goauthentik/authentik"
authentik_version: "2025.10"
authentik_image: "ghcr.io/goauthentik/server"
# Service management
authentik_service_enabled: true
@@ -43,8 +44,7 @@ authentik_valkey_db: 1 # Use database 1 for Authentik
authentik_domain: "auth.jnss.me"
authentik_http_port: 9000
authentik_https_port: 9443
authentik_bind_address: "127.0.0.1"
authentik_bind_address: "0.0.0.0"
# =================================================================
# Authentik Core Configuration
@@ -107,4 +107,4 @@ postgresql_unix_socket_directories: "/var/run/postgresql"
# Valkey socket configuration (managed by valkey role)
valkey_unix_socket_path: "/var/run/valkey/valkey.sock"
valkey_password: "{{ vault_valkey_password }}"
valkey_password: "{{ vault_valkey_password }}"

2
roles/authentik/tasks/cache.yml
View File

@@ -42,7 +42,7 @@
redis-cli -s {{ valkey_unix_socket_path }}
-a {{ valkey_password }}
-n {{ authentik_valkey_db }}
SET authentik:healthcheck "{{ ansible_date_time.iso8601 }}"
SET authentik:healthcheck "deployed"
become: true
become_user: "{{ authentik_user }}"
register: valkey_write_test

73
roles/authentik/tasks/main.yml
View File

@@ -28,29 +28,29 @@
- "{{ authentik_data_dir }}"
- "{{ authentik_media_dir }}"
- "{{ authentik_user_quadlet_dir }}"
- "{{ authentik_log_dir }}"
- name: Get authentik user UID
getent:
database: passwd
key: "{{ authentik_user }}"
register: authentik_user_info
- name: Set authentik UID variable
set_fact:
authentik_uid: "{{ authentik_user_info.ansible_facts.getent_passwd[authentik_user][1] }}"
- name: Enable lingering for authentik user (services persist without login)
command: loginctl enable-linger {{ authentik_user }}
register: linger_result
changed_when: linger_result.rc == 0
- name: Ensure XDG runtime directory exists
file:
path: "/run/user/{{ authentik_uid }}"
state: directory
owner: "{{ authentik_user }}"
group: "{{ authentik_group }}"
mode: '0700'
- name: Get authentik user UID and GID for container configuration
shell: |
echo "uid=$(id -u {{ authentik_user }})"
echo "gid=$(id -g {{ authentik_user }})"
register: authentik_user_info
changed_when: false
tags: [setup]
- name: Set authentik UID/GID facts for container templates
set_fact:
authentik_uid: "{{ authentik_user_info.stdout_lines[0] | regex_replace('uid=', '') }}"
authentik_gid: "{{ authentik_user_info.stdout_lines[1] | regex_replace('gid=', '') }}"
tags: [setup]
- name: Setup database access and permissions
include_tasks: database.yml
@@ -134,15 +134,12 @@
timeout: 30
when: valkey_unix_socket_enabled
- name: Reload systemd daemon for Quadlet (user scope)
- name: Ensure systemd user session is started
systemd:
daemon_reload: true
scope: user
become: true
become_user: "{{ authentik_user }}"
environment:
XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
tags: [containers, deployment]
name: "user@{{ authentik_uid }}.service"
state: started
scope: system
register: user_session_start
- name: Enable and start Authentik pod (user scope)
systemd:
@@ -153,34 +150,6 @@
daemon_reload: true
become: true
become_user: "{{ authentik_user }}"
environment:
XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
tags: [containers, service]
- name: Enable and start Authentik server (user scope)
systemd:
name: "{{ authentik_container_server_name }}"
enabled: "{{ authentik_service_enabled }}"
state: "{{ authentik_service_state }}"
scope: user
daemon_reload: true
become: true
become_user: "{{ authentik_user }}"
environment:
XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
tags: [containers, service]
- name: Enable and start Authentik worker (user scope)
systemd:
name: "{{ authentik_container_worker_name }}"
enabled: "{{ authentik_service_enabled }}"
state: "{{ authentik_service_state }}"
scope: user
daemon_reload: true
become: true
become_user: "{{ authentik_user }}"
environment:
XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
tags: [containers, service]
- name: Wait for Authentik to be ready

9
roles/authentik/templates/authentik-server.container
View File

@@ -6,8 +6,15 @@ Requires=authentik-pod.service
[Container]
ContainerName={{ authentik_container_server_name }}
Image={{ authentik_image }}:{{ authentik_version }}
Pod=authentik
Pod=authentik.pod
EnvironmentFile={{ authentik_home }}/.env
User={{ authentik_uid }}:{{ authentik_gid }}
Annotation=run.oci.keep_original_groups=1
# Logging configuration
LogDriver=k8s-file
LogOpt=path={{ authentik_home }}/logs/server.log
Volume={{ authentik_home }}/logs:{{ authentik_home }}/logs
# Volume mounts for data and sockets
Volume={{ authentik_media_dir }}:/media

9
roles/authentik/templates/authentik-worker.container
View File

@@ -6,8 +6,15 @@ Requires=authentik-pod.service
[Container]
ContainerName={{ authentik_container_worker_name }}
Image={{ authentik_image }}:{{ authentik_version }}
Pod=authentik
Pod=authentik.pod
EnvironmentFile={{ authentik_home }}/.env
User={{ authentik_uid }}:{{ authentik_gid }}
Annotation=run.oci.keep_original_groups=1
# Logging configuration
LogDriver=k8s-file
LogOpt=path={{ authentik_home }}/logs/worker.log
Volume={{ authentik_home }}/logs:{{ authentik_home }}/logs
# Volume mounts for data and sockets
Volume={{ authentik_media_dir }}:/media

10
roles/authentik/templates/authentik.env.j2
View File

@@ -8,11 +8,8 @@ AUTHENTIK_POSTGRESQL__USER={{ authentik_db_user }}
AUTHENTIK_POSTGRESQL__PASSWORD={{ authentik_db_password }}
# No port needed for Unix socket
# Valkey/Redis Configuration (Unix Socket)
AUTHENTIK_REDIS__HOST=unix://{{ valkey_unix_socket_path }}
AUTHENTIK_REDIS__PASSWORD={{ valkey_password }}
AUTHENTIK_REDIS__DB={{ authentik_valkey_db }}
# No port needed for Unix socket
# Valkey/Redis Configuration (Unix Socket) - Using cache URL format to avoid port parsing issues
AUTHENTIK_CACHE__URL=unix://{{ valkey_unix_socket_path }}?db={{ authentik_valkey_db }}&password={{ valkey_password }}
# Authentik Core Configuration
AUTHENTIK_SECRET_KEY={{ authentik_secret_key }}
@@ -26,7 +23,6 @@ AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
# Network binding
AUTHENTIK_LISTEN__HTTP={{ authentik_bind_address }}:{{ authentik_http_port }}
AUTHENTIK_LISTEN__HTTPS={{ authentik_bind_address }}:{{ authentik_https_port }}
{% if authentik_email_enabled %}
# Email Configuration
@@ -40,4 +36,4 @@ AUTHENTIK_EMAIL__FROM={{ authentik_email_from }}
# Default admin user
AUTHENTIK_BOOTSTRAP_PASSWORD={{ authentik_default_admin_password }}
AUTHENTIK_BOOTSTRAP_EMAIL={{ authentik_default_admin_email }}
AUTHENTIK_BOOTSTRAP_EMAIL={{ authentik_default_admin_email }}

6
roles/authentik/templates/authentik.pod
View File

@@ -2,10 +2,8 @@
Description=Authentik Authentication Pod
[Pod]
PodName=authentik
PublishPort={{ authentik_bind_address }}:{{ authentik_http_port }}:{{ authentik_http_port }}
PublishPort={{ authentik_bind_address }}:{{ authentik_https_port }}:{{ authentik_https_port }}
PodmanArgs=--userns=keep-id
PublishPort=0.0.0.0:{{ authentik_http_port }}:{{ authentik_http_port }}
PodmanArgs=
[Service]
Restart=always

7
roles/postgresql/defaults/main.yml
View File

@@ -13,10 +13,15 @@
postgresql_service_enabled: true
postgresql_service_state: "started"
# Network Security (localhost only)
# Network Security
postgresql_listen_addresses: "localhost"
postgresql_port: 5432
# Unix Socket Configuration
postgresql_unix_socket_enabled: true
postgresql_unix_socket_directories: "/var/run/postgresql"
postgresql_unix_socket_permissions: "0770"
# Authentication
postgresql_auth_method: "scram-sha-256"

32
roles/postgresql/tasks/main.yml
View File

@@ -25,7 +25,7 @@
--auth-local=peer
--auth-host={{ postgresql_auth_method }}
{{ '--data-checksums' if postgresql_data_checksums else '' }}
become: yes
become: true
become_user: postgres
when: not postgresql_initialized.stat.exists
notify: restart postgresql
@@ -67,27 +67,49 @@
- reload systemd
- restart postgresql
- name: Create PostgreSQL Unix socket directory
file:
path: "{{ postgresql_unix_socket_directories }}"
state: directory
owner: postgres
group: postgres
mode: '0770'
when: postgresql_unix_socket_enabled
- name: Enable and start PostgreSQL service
systemd:
name: postgresql
enabled: "{{ postgresql_service_enabled }}"
state: "{{ postgresql_service_state }}"
daemon_reload: yes
daemon_reload: true
- name: Wait for PostgreSQL to be ready
- name: Wait for PostgreSQL to be ready (TCP)
wait_for:
port: "{{ postgresql_port }}"
host: "{{ postgresql_listen_addresses }}"
timeout: 30
when: postgresql_service_state == "started"
when: postgresql_service_state == "started" and postgresql_listen_addresses != ""
- name: Wait for PostgreSQL to be ready (Unix Socket)
postgresql_ping:
login_unix_socket: "{{ postgresql_unix_socket_directories }}"
login_user: postgres
become: true
become_user: postgres
register: postgresql_socket_ready
until: postgresql_socket_ready is succeeded
retries: 10
delay: 3
when: postgresql_service_state == "started" and postgresql_unix_socket_enabled and postgresql_listen_addresses == ""
- name: Display PostgreSQL infrastructure status
debug:
msg: |
✅ PostgreSQL infrastructure ready!
📡 Service: {{ postgresql_listen_addresses }}:{{ postgresql_port }}
📡 Service: {% if postgresql_unix_socket_enabled and postgresql_listen_addresses == "" %}Unix Socket ({{ postgresql_unix_socket_directories }}){% else %}{{ postgresql_listen_addresses }}:{{ postgresql_port }}{% endif %}
🔒 Auth: {{ postgresql_auth_method }}
📊 Checksums: {{ 'Enabled' if postgresql_data_checksums else 'Disabled' }}
{% if postgresql_unix_socket_enabled %}🔌 Socket: {{ postgresql_unix_socket_directories }} (mode {{ postgresql_unix_socket_permissions }}){% endif %}
🏗️ Ready for applications to create databases/users

5
roles/postgresql/templates/postgresql.conf.j2
View File

@@ -3,6 +3,11 @@
# PostgreSQL's excellent defaults are used except for essentials
# Network and Security
{% if postgresql_unix_socket_enabled %}
# Unix Socket Configuration
unix_socket_directories = '{{ postgresql_unix_socket_directories }}'
unix_socket_permissions = {{ postgresql_unix_socket_permissions }}
{% endif %}
listen_addresses = '{{ postgresql_listen_addresses }}'
port = {{ postgresql_port }}

79
roles/sigvild-gallery/README.md
View File

@@ -44,6 +44,10 @@ sigvild_gallery_host: "127.0.0.1"
sigvild_gallery_home: "/opt/sigvild-gallery"
sigvild_gallery_web_root: "/var/www/sigvild-gallery"
sigvild_gallery_local_project_path: "{{ ansible_env.PWD }}/sigvild-gallery"
# Backup configuration
sigvild_gallery_backup_enabled: true
sigvild_gallery_backup_local_path: "{{ playbook_dir }}/backups/sigvild-gallery"
```
## Usage
@@ -71,6 +75,62 @@ ansible-playbook site.yml --tags="backend"
ansible-playbook site.yml --tags="caddy"
```
### Data Backup and Restoration
#### Creating a Backup
Before formatting your server or making major changes, create a backup of all production data:
```bash
# Create backup of production data
ansible-playbook playbooks/backup-sigvild.yml
# Backup will be saved to: ./backups/sigvild-gallery/sigvild-gallery-backup-YYYYMMDDTHHMMSS.tar.gz
```
The backup includes:
- PocketBase SQLite database (`data.db`, `auxiliary.db`)
- All uploaded wedding photos and media files
- PocketBase logs and system state
#### Automatic Restoration
When deploying to a fresh server, the role automatically detects and restores from the latest backup:
```bash
# Normal deployment will auto-restore if backup exists
ansible-playbook playbooks/deploy-sigvild.yml
# Or deploy full infrastructure (includes auto-restore)
ansible-playbook site.yml
```
#### Manual Restoration
To restore data manually or from a specific backup:
```bash
# Restore with specific backup file
ansible-playbook playbooks/deploy-sigvild.yml --tags="restore" \
--extra-vars="sigvild_gallery_backup_local_path=/path/to/backup/directory"
# Force restoration (overwrite existing data)
ansible-playbook playbooks/deploy-sigvild.yml --tags="backend,restore"
```
#### Backup Management
```bash
# List available backups
ls -la ./backups/sigvild-gallery/
# Verify backup contents
tar -tzf ./backups/sigvild-gallery/sigvild-gallery-backup-YYYYMMDDTHHMMSS.tar.gz
# Extract backup for inspection (local)
tar -xzf ./backups/sigvild-gallery/sigvild-gallery-backup-YYYYMMDDTHHMMSS.tar.gz
```
## Security Features
### Environment Variables
@@ -169,6 +229,21 @@ systemctl reload caddy
- `/opt/sigvild-gallery/` (application directory)
- `/var/www/sigvild-gallery/` (frontend files)
## Data Protection
### Backup Strategy
- **Automated**: Backup creation via dedicated playbook
- **Comprehensive**: Includes database, uploaded files, and system state
- **Consistent**: Service temporarily stopped during backup for data integrity
- **Local storage**: Backups stored in `./backups/sigvild-gallery/` directory
- **Timestamped**: Each backup includes ISO timestamp for easy identification
### Recovery Process
- **Automatic detection**: Deployment automatically detects available backups
- **Zero-downtime restore**: Restoration happens before service startup
- **Integrity verification**: Backups verified before and after restoration
- **Permission preservation**: User/group ownership maintained during restore
## Tags
- `sigvild`: Complete Sigvild Gallery deployment
@@ -177,4 +252,6 @@ systemctl reload caddy
- `build`: Local build processes
- `service`: SystemD service management
- `caddy`: Caddy configuration
- `verify`: Post-deployment verification
- `verify`: Post-deployment verification
- `backup`: Data backup operations
- `restore`: Data restoration operations

4
roles/sigvild-gallery/defaults/main.yml
View File

@@ -31,6 +31,10 @@ sigvild_gallery_local_project_path: "{{ ansible_env.PWD }}/sigvild-gallery"
sigvild_gallery_service_enabled: true
sigvild_gallery_service_state: started
# Backup configuration
sigvild_gallery_backup_enabled: true
sigvild_gallery_backup_local_path: "{{ playbook_dir }}/backups/sigvild-gallery"
# Caddy integration (assumes caddy role provides these)
# caddy_sites_enabled_dir: /etc/caddy/sites-enabled
# caddy_user: caddy

100
roles/sigvild-gallery/tasks/backup.yml Normal file
View File

@@ -0,0 +1,100 @@
---
# Sigvild Gallery Data Backup Tasks
- name: Create local backup directory
local_action:
module: file
path: "{{ sigvild_gallery_backup_local_path }}/{{ ansible_date_time.iso8601_basic_short }}"
state: directory
mode: '0755'
become: false
run_once: true
- name: Display backup information
debug:
msg:
- "Creating backup of Sigvild Gallery data..."
- "Data directory: {{ sigvild_gallery_data_dir }}"
- "Backup will be saved to: {{ sigvild_gallery_backup_local_path }}"
- "Timestamp: {{ ansible_date_time.iso8601_basic_short }}"
- name: Check if data directory exists
stat:
path: "{{ sigvild_gallery_data_dir }}"
register: data_dir_stat
- name: Fail if no data directory found
fail:
msg: "No data directory found at {{ sigvild_gallery_data_dir }}. Nothing to backup."
when: not data_dir_stat.stat.exists
- name: Display data directory size
command: du -sh {{ sigvild_gallery_data_dir }}
register: data_size
changed_when: false
- name: Show data size
debug:
msg: "Data directory size: {{ data_size.stdout }}"
- name: Stop sigvild-gallery service for consistent backup
systemd:
name: sigvild-gallery
state: stopped
register: service_stopped
- name: Create compressed backup of pb_data
archive:
path: "{{ sigvild_gallery_data_dir }}"
dest: "/tmp/sigvild-gallery-backup-{{ ansible_date_time.iso8601_basic_short }}.tar.gz"
format: gz
owner: "{{ sigvild_gallery_user }}"
group: "{{ sigvild_gallery_user }}"
mode: '0644'
register: backup_created
- name: Verify backup contains critical files
command: tar -tzf /tmp/sigvild-gallery-backup-{{ ansible_date_time.iso8601_basic_short }}.tar.gz
register: backup_contents
changed_when: false
failed_when:
- "'data.db' not in backup_contents.stdout"
- name: Display backup verification
debug:
msg: "Backup verified - contains required database files"
- name: Get backup file size
stat:
path: "/tmp/sigvild-gallery-backup-{{ ansible_date_time.iso8601_basic_short }}.tar.gz"
register: backup_file_stat
- name: Display backup file info
debug:
msg: "Backup file created: {{ (backup_file_stat.stat.size / 1024 / 1024) | round(2) }}MB"
when: backup_file_stat.stat.exists
- name: Download backup to local machine
fetch:
src: "/tmp/sigvild-gallery-backup-{{ ansible_date_time.iso8601_basic_short }}.tar.gz"
dest: "{{ sigvild_gallery_backup_local_path }}/"
flat: yes
register: backup_downloaded
- name: Clean up remote backup file
file:
path: "/tmp/sigvild-gallery-backup-{{ ansible_date_time.iso8601_basic_short }}.tar.gz"
state: absent
- name: Restart sigvild-gallery service
systemd:
name: sigvild-gallery
state: started
when: service_stopped.changed
- name: Display backup completion
debug:
msg:
- "✅ Backup completed successfully!"
- "Local backup location: {{ sigvild_gallery_backup_local_path }}/sigvild-gallery-backup-{{ ansible_date_time.iso8601_basic_short }}.tar.gz"
- "Service has been restarted."

4
roles/sigvild-gallery/tasks/deploy_backend.yml
View File

@@ -33,6 +33,10 @@
notify: restart sigvild-gallery
tags: [backend]
- name: Restore data from backup if available
include_tasks: restore.yml
tags: [backend, restore]
- name: Create data directory for PocketBase
file:
path: "{{ sigvild_gallery_data_dir }}"

126
roles/sigvild-gallery/tasks/restore.yml Normal file
View File

@@ -0,0 +1,126 @@
---
# Sigvild Gallery Data Restoration Tasks
- name: Check for existing data backup files
local_action:
module: find
paths: "{{ sigvild_gallery_backup_local_path }}"
patterns: "sigvild-gallery-backup-*.tar.gz"
register: backup_files
become: false
- name: Display backup search results
debug:
msg:
- "Searching for backups in: {{ sigvild_gallery_backup_local_path }}"
- "Found {{ backup_files.files | length }} backup file(s)"
- name: Display found backup files
debug:
msg: "Found backup: {{ item.path }} ({{ (item.size / 1024 / 1024) | round(2) }}MB, {{ item.mtime | to_datetime }})"
loop: "{{ backup_files.files | sort(attribute='mtime') }}"
when: backup_files.files | length > 0
- name: Check if data directory already exists with data
stat:
path: "{{ sigvild_gallery_data_dir }}/data.db"
register: existing_data
- name: Warn about existing data
debug:
msg: "⚠️ WARNING: Existing data found at {{ sigvild_gallery_data_dir }}/data.db - restoration will overwrite it!"
when:
- existing_data.stat.exists
- backup_files.files | length > 0
- name: Restore from latest backup
block:
- name: Get latest backup file
set_fact:
latest_backup: "{{ (backup_files.files | sort(attribute='mtime') | last).path }}"
- name: Display restoration info
debug:
msg:
- "Restoring from latest backup: {{ latest_backup | basename }}"
- "Target directory: {{ sigvild_gallery_data_dir }}"
- name: Stop sigvild-gallery service before restoration
systemd:
name: sigvild-gallery
state: stopped
register: service_stopped_for_restore
ignore_errors: true # Service might not exist on fresh deployment
- name: Upload backup to remote server
copy:
src: "{{ latest_backup }}"
dest: "/tmp/restore-backup.tar.gz"
owner: root
group: root
mode: '0644'
- name: Verify uploaded backup integrity
command: tar -tzf /tmp/restore-backup.tar.gz
register: restore_contents
changed_when: false
failed_when: "'data.db' not in restore_contents.stdout"
- name: Remove existing data directory if it exists
file:
path: "{{ sigvild_gallery_data_dir }}"
state: absent
when: existing_data.stat.exists
- name: Ensure parent directory exists
file:
path: "{{ sigvild_gallery_home }}"
state: directory
owner: "{{ sigvild_gallery_user }}"
group: "{{ sigvild_gallery_user }}"
mode: '0755'
- name: Extract backup to target location
unarchive:
src: "/tmp/restore-backup.tar.gz"
dest: "{{ sigvild_gallery_home }}"
remote_src: true
owner: "{{ sigvild_gallery_user }}"
group: "{{ sigvild_gallery_user }}"
- name: Verify restoration
stat:
path: "{{ sigvild_gallery_data_dir }}/data.db"
register: restored_data
- name: Fail if restoration unsuccessful
fail:
msg: "Restoration failed - data.db not found after extraction"
when: not restored_data.stat.exists
- name: Get restored data size
command: du -sh {{ sigvild_gallery_data_dir }}
register: restored_size
changed_when: false
- name: Clean up uploaded backup file
file:
path: "/tmp/restore-backup.tar.gz"
state: absent
- name: Display restoration success
debug:
msg:
- "✅ Data restoration completed successfully!"
- "Restored from: {{ latest_backup | basename }}"
- "Restored data size: {{ restored_size.stdout }}"
- "Location: {{ sigvild_gallery_data_dir }}"
when: backup_files.files | length > 0
- name: No backup available message
debug:
msg:
- " No backup files found - starting with fresh installation"
- "Data directory will be created empty: {{ sigvild_gallery_data_dir }}"
when: backup_files.files | length == 0

5
roles/valkey/defaults/main.yml
View File

@@ -18,6 +18,11 @@ valkey_bind: "127.0.0.1"
valkey_port: 6379
valkey_protected_mode: true
# Unix Socket Configuration
valkey_unix_socket_enabled: true
valkey_unix_socket_path: "/var/run/valkey/valkey.sock"
valkey_unix_socket_perm: "770"
# Authentication
valkey_requirepass: "{{ vault_valkey_password }}"

76
roles/valkey/tasks/main.yml
View File

@@ -28,6 +28,24 @@
group: valkey
mode: '0750'
- name: Create Valkey Unix socket directory
file:
path: "{{ valkey_unix_socket_path | dirname }}"
state: directory
owner: valkey
group: valkey
mode: '0775'
when: valkey_unix_socket_enabled
- name: Ensure socket directory is accessible
file:
path: "{{ valkey_unix_socket_path | dirname }}"
owner: valkey
group: valkey
mode: '0775'
recurse: yes
when: valkey_unix_socket_enabled
- name: Deploy Valkey configuration file
template:
src: valkey.conf.j2
@@ -60,28 +78,67 @@
name: valkey
enabled: "{{ valkey_service_enabled }}"
state: "{{ valkey_service_state }}"
daemon_reload: yes
daemon_reload: true
register: valkey_service_result
- name: Wait for Valkey to be ready
- name: Wait for Valkey to be ready (TCP)
wait_for:
port: "{{ valkey_port }}"
host: "{{ valkey_bind }}"
timeout: 30
when: valkey_service_state == "started"
when: valkey_service_state == "started" and not valkey_unix_socket_enabled
- name: Test Valkey connectivity
command: redis-cli -h {{ valkey_bind }} -p {{ valkey_port }} -a {{ valkey_requirepass }} ping
register: valkey_ping_result
- name: Wait for Valkey socket file to exist
wait_for:
path: "{{ valkey_unix_socket_path }}"
timeout: 30
when: valkey_service_state == "started" and valkey_unix_socket_enabled
- name: Wait for Valkey to be ready (Unix Socket) - Try without auth first
command: redis-cli -s {{ valkey_unix_socket_path }} ping
register: valkey_socket_ping_noauth
until: >
valkey_socket_ping_noauth.stdout == "PONG" or
"NOAUTH" in (valkey_socket_ping_noauth.stdout + valkey_socket_ping_noauth.stderr)
retries: 15
delay: 2
changed_when: false
failed_when: valkey_ping_result.stdout != "PONG"
when: valkey_service_state == "started"
failed_when: false
when: valkey_service_state == "started" and valkey_unix_socket_enabled
- name: Wait for Valkey to be ready (Unix Socket) - Try with auth if needed
command: redis-cli -s {{ valkey_unix_socket_path }} -a {{ valkey_requirepass }} ping
register: valkey_socket_ping_auth
until: valkey_socket_ping_auth.stdout == "PONG"
retries: 5
delay: 2
changed_when: false
failed_when: valkey_socket_ping_auth.rc != 0
when: >
valkey_service_state == "started" and valkey_unix_socket_enabled and
(valkey_socket_ping_noauth.stdout != "PONG") and
("NOAUTH" in (valkey_socket_ping_noauth.stdout + valkey_socket_ping_noauth.stderr) or valkey_socket_ping_noauth.rc != 0)
- name: Test Valkey connectivity (TCP)
command: redis-cli -h {{ valkey_bind }} -p {{ valkey_port }} -a {{ valkey_requirepass }} ping
register: valkey_ping_result_tcp
changed_when: false
failed_when: valkey_ping_result_tcp.stdout != "PONG"
when: valkey_service_state == "started" and not valkey_unix_socket_enabled
- name: Test Valkey connectivity (Unix Socket)
command: redis-cli -s {{ valkey_unix_socket_path }} -a {{ valkey_requirepass }} ping
register: valkey_ping_result_socket
changed_when: false
failed_when: valkey_ping_result_socket.stdout != "PONG"
when: valkey_service_state == "started" and valkey_unix_socket_enabled
- name: Display Valkey infrastructure status
debug:
msg: |
✅ Valkey infrastructure ready!
📡 Service: {{ valkey_bind }}:{{ valkey_port }}
📡 Service: {% if valkey_unix_socket_enabled %}Unix Socket ({{ valkey_unix_socket_path }}){% else %}{{ valkey_bind }}:{{ valkey_port }}{% endif %}
🔒 Auth: Password protected
💾 Persistence: {{ 'RDB enabled' if valkey_save_enabled else 'Memory only' }}
🗄️ Databases: {{ valkey_databases }} available (0-{{ valkey_databases - 1 }})
@@ -91,4 +148,5 @@
📋 Application Integration:
- Use database numbers 1-{{ valkey_databases - 1 }} for applications
- Database 0 reserved for system/testing
- {% if valkey_unix_socket_enabled %}Unix socket: {{ valkey_unix_socket_path }}{% else %}TCP: {{ valkey_bind }}:{{ valkey_port }}{% endif %}
- Redis-compatible: applications can use REDIS_* or VALKEY_* env vars

9
roles/valkey/templates/valkey.conf.j2
View File

@@ -14,6 +14,15 @@ bind {{ valkey_bind }}
# Valkey port
port {{ valkey_port }}
{% if valkey_unix_socket_enabled %}
# Unix Socket Configuration
unixsocket {{ valkey_unix_socket_path }}
unixsocketperm {{ valkey_unix_socket_perm }}
# Enable both TCP and Unix socket (for compatibility during transition)
# To disable TCP completely, comment out the port line above
{% endif %}
# Protected mode - requires authentication
protected-mode {{ 'yes' if valkey_protected_mode else 'no' }}