Fix: Complete authentik Quadlet implementation with networking solution

Resolves authentik deployment issues by implementing proper Podman Quadlet configuration and fixing networking for external access through Caddy. Core Fixes: • Add missing [Install] sections to container Quadlet files for systemd service generation • Fix pod references from 'systemd-authentik' to 'authentik.pod' for proper Quadlet linking • Remove problematic --userns=host to use proper rootless user namespaces • Configure subuid/subgid ranges for authentik user (200000:65536) • Update networking to bind 0.0.0.0:9000 only (remove unnecessary HTTPS port 9443) • Add AUTHENTIK_LISTEN__HTTP=0.0.0.0:9000 environment configuration • Fix Caddy reverse proxy to use HTTP backend instead of HTTPS Infrastructure Updates: • Enhance PostgreSQL role with Unix socket configuration and user management • Improve Valkey role with proper systemd integration and socket permissions • Add comprehensive service integration documentation • Update deployment playbooks with backup and restore capabilities Security Improvements: • Secure network isolation with Caddy SSL termination • Reduced attack surface by removing direct HTTPS container exposure • Proper rootless container configuration with user namespace mapping Result: authentik now fully operational with external HTTPS access via auth.jnss.me All systemd services (authentik-pod, authentik-server, authentik-worker) running correctly.
2025-12-04 19:42:31 +01:00
parent df4ae0eb17
commit b42ee2a22b
25 changed files with 986 additions and 92 deletions
--- a/roles/authentik/tasks/main.yml
+++ b/roles/authentik/tasks/main.yml
@@ -28,29 +28,29 @@
    - "{{ authentik_data_dir }}"
    - "{{ authentik_media_dir }}"
    - "{{ authentik_user_quadlet_dir }}"
+    - "{{ authentik_log_dir }}"

- name: Get authentik user UID
-  getent:
-    database: passwd
-    key: "{{ authentik_user }}"
-  register: authentik_user_info
-
- name: Set authentik UID variable
-  set_fact:
-    authentik_uid: "{{ authentik_user_info.ansible_facts.getent_passwd[authentik_user][1] }}"

 - name: Enable lingering for authentik user (services persist without login)
  command: loginctl enable-linger {{ authentik_user }}
  register: linger_result
  changed_when: linger_result.rc == 0

- name: Ensure XDG runtime directory exists
-  file:
-    path: "/run/user/{{ authentik_uid }}"
-    state: directory
-    owner: "{{ authentik_user }}"
-    group: "{{ authentik_group }}"
-    mode: '0700'
+
+
+- name: Get authentik user UID and GID for container configuration
+  shell: |
+    echo "uid=$(id -u {{ authentik_user }})"
+    echo "gid=$(id -g {{ authentik_user }})"
+  register: authentik_user_info
+  changed_when: false
+  tags: [setup]
+
+- name: Set authentik UID/GID facts for container templates
+  set_fact:
+    authentik_uid: "{{ authentik_user_info.stdout_lines[0] | regex_replace('uid=', '') }}"
+    authentik_gid: "{{ authentik_user_info.stdout_lines[1] | regex_replace('gid=', '') }}"
+  tags: [setup]

 - name: Setup database access and permissions
  include_tasks: database.yml
@@ -134,15 +134,12 @@
    timeout: 30
  when: valkey_unix_socket_enabled

- name: Reload systemd daemon for Quadlet (user scope)
+- name: Ensure systemd user session is started
  systemd:
-    daemon_reload: true
-    scope: user
-  become: true
-  become_user: "{{ authentik_user }}"
-  environment:
-    XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
-  tags: [containers, deployment]
+    name: "user@{{ authentik_uid }}.service"
+    state: started
+    scope: system
+  register: user_session_start

 - name: Enable and start Authentik pod (user scope)
  systemd:
@@ -153,34 +150,6 @@
    daemon_reload: true
  become: true
  become_user: "{{ authentik_user }}"
-  environment:
-    XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
-  tags: [containers, service]
-
- name: Enable and start Authentik server (user scope)
-  systemd:
-    name: "{{ authentik_container_server_name }}"
-    enabled: "{{ authentik_service_enabled }}"
-    state: "{{ authentik_service_state }}"
-    scope: user
-    daemon_reload: true
-  become: true
-  become_user: "{{ authentik_user }}"
-  environment:
-    XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
-  tags: [containers, service]
-
- name: Enable and start Authentik worker (user scope)
-  systemd:
-    name: "{{ authentik_container_worker_name }}"
-    enabled: "{{ authentik_service_enabled }}"
-    state: "{{ authentik_service_state }}"
-    scope: user
-    daemon_reload: true
-  become: true
-  become_user: "{{ authentik_user }}"
-  environment:
-    XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
  tags: [containers, service]

 - name: Wait for Authentik to be ready