joakim/rick-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix: Complete authentik Quadlet implementation with networking solution

Browse Source 
Resolves authentik deployment issues by implementing proper Podman Quadlet
configuration and fixing networking for external access through Caddy.

Core Fixes:
• Add missing [Install] sections to container Quadlet files for systemd service generation
• Fix pod references from 'systemd-authentik' to 'authentik.pod' for proper Quadlet linking
• Remove problematic --userns=host to use proper rootless user namespaces
• Configure subuid/subgid ranges for authentik user (200000:65536)
• Update networking to bind 0.0.0.0:9000 only (remove unnecessary HTTPS port 9443)
• Add AUTHENTIK_LISTEN__HTTP=0.0.0.0:9000 environment configuration
• Fix Caddy reverse proxy to use HTTP backend instead of HTTPS

Infrastructure Updates:
• Enhance PostgreSQL role with Unix socket configuration and user management
• Improve Valkey role with proper systemd integration and socket permissions
• Add comprehensive service integration documentation
• Update deployment playbooks with backup and restore capabilities

Security Improvements:
• Secure network isolation with Caddy SSL termination
• Reduced attack surface by removing direct HTTPS container exposure
• Proper rootless container configuration with user namespace mapping

Result: authentik now fully operational with external HTTPS access via auth.jnss.me
All systemd services (authentik-pod, authentik-server, authentik-worker) running correctly.
This commit is contained in:
Joakim
2025-12-04 19:42:31 +01:00
parent df4ae0eb17
commit b42ee2a22b
25 changed files with 986 additions and 92 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
roles/authentik/defaults/main.yml
View File

@@ -14,10 +14,11 @@ authentik_group: authentik
authentik_home: /opt/authentik
authentik_data_dir: "{{ authentik_home }}/data"
authentik_media_dir: "{{ authentik_home }}/media"
authentik_log_dir: "{{ authentik_home }}/logs"
# Container configuration
authentik_version: "latest"
authentik_image: "ghcr.io/goauthentik/authentik"
authentik_version: "2025.10"
authentik_image: "ghcr.io/goauthentik/server"
# Service management
authentik_service_enabled: true
@@ -43,8 +44,7 @@ authentik_valkey_db: 1 # Use database 1 for Authentik
authentik_domain: "auth.jnss.me"
authentik_http_port: 9000
authentik_https_port: 9443
authentik_bind_address: "127.0.0.1"
authentik_bind_address: "0.0.0.0"
# =================================================================
# Authentik Core Configuration
@@ -107,4 +107,4 @@ postgresql_unix_socket_directories: "/var/run/postgresql"
# Valkey socket configuration (managed by valkey role)
valkey_unix_socket_path: "/var/run/valkey/valkey.sock"
valkey_password: "{{ vault_valkey_password }}"
valkey_password: "{{ vault_valkey_password }}"