Fix: Complete authentik Quadlet implementation with networking solution
Resolves authentik deployment issues by implementing proper Podman Quadlet configuration and fixing networking for external access through Caddy. Core Fixes: • Add missing [Install] sections to container Quadlet files for systemd service generation • Fix pod references from 'systemd-authentik' to 'authentik.pod' for proper Quadlet linking • Remove problematic --userns=host to use proper rootless user namespaces • Configure subuid/subgid ranges for authentik user (200000:65536) • Update networking to bind 0.0.0.0:9000 only (remove unnecessary HTTPS port 9443) • Add AUTHENTIK_LISTEN__HTTP=0.0.0.0:9000 environment configuration • Fix Caddy reverse proxy to use HTTP backend instead of HTTPS Infrastructure Updates: • Enhance PostgreSQL role with Unix socket configuration and user management • Improve Valkey role with proper systemd integration and socket permissions • Add comprehensive service integration documentation • Update deployment playbooks with backup and restore capabilities Security Improvements: • Secure network isolation with Caddy SSL termination • Reduced attack surface by removing direct HTTPS container exposure • Proper rootless container configuration with user namespace mapping Result: authentik now fully operational with external HTTPS access via auth.jnss.me All systemd services (authentik-pod, authentik-server, authentik-worker) running correctly.
This commit is contained in:
@@ -6,8 +6,15 @@ Requires=authentik-pod.service
|
||||
[Container]
|
||||
ContainerName={{ authentik_container_server_name }}
|
||||
Image={{ authentik_image }}:{{ authentik_version }}
|
||||
Pod=authentik
|
||||
Pod=authentik.pod
|
||||
EnvironmentFile={{ authentik_home }}/.env
|
||||
User={{ authentik_uid }}:{{ authentik_gid }}
|
||||
Annotation=run.oci.keep_original_groups=1
|
||||
|
||||
# Logging configuration
|
||||
LogDriver=k8s-file
|
||||
LogOpt=path={{ authentik_home }}/logs/server.log
|
||||
Volume={{ authentik_home }}/logs:{{ authentik_home }}/logs
|
||||
|
||||
# Volume mounts for data and sockets
|
||||
Volume={{ authentik_media_dir }}:/media
|
||||
|
||||
@@ -6,8 +6,15 @@ Requires=authentik-pod.service
|
||||
[Container]
|
||||
ContainerName={{ authentik_container_worker_name }}
|
||||
Image={{ authentik_image }}:{{ authentik_version }}
|
||||
Pod=authentik
|
||||
Pod=authentik.pod
|
||||
EnvironmentFile={{ authentik_home }}/.env
|
||||
User={{ authentik_uid }}:{{ authentik_gid }}
|
||||
Annotation=run.oci.keep_original_groups=1
|
||||
|
||||
# Logging configuration
|
||||
LogDriver=k8s-file
|
||||
LogOpt=path={{ authentik_home }}/logs/worker.log
|
||||
Volume={{ authentik_home }}/logs:{{ authentik_home }}/logs
|
||||
|
||||
# Volume mounts for data and sockets
|
||||
Volume={{ authentik_media_dir }}:/media
|
||||
|
||||
@@ -8,11 +8,8 @@ AUTHENTIK_POSTGRESQL__USER={{ authentik_db_user }}
|
||||
AUTHENTIK_POSTGRESQL__PASSWORD={{ authentik_db_password }}
|
||||
# No port needed for Unix socket
|
||||
|
||||
# Valkey/Redis Configuration (Unix Socket)
|
||||
AUTHENTIK_REDIS__HOST=unix://{{ valkey_unix_socket_path }}
|
||||
AUTHENTIK_REDIS__PASSWORD={{ valkey_password }}
|
||||
AUTHENTIK_REDIS__DB={{ authentik_valkey_db }}
|
||||
# No port needed for Unix socket
|
||||
# Valkey/Redis Configuration (Unix Socket) - Using cache URL format to avoid port parsing issues
|
||||
AUTHENTIK_CACHE__URL=unix://{{ valkey_unix_socket_path }}?db={{ authentik_valkey_db }}&password={{ valkey_password }}
|
||||
|
||||
# Authentik Core Configuration
|
||||
AUTHENTIK_SECRET_KEY={{ authentik_secret_key }}
|
||||
@@ -26,7 +23,6 @@ AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
|
||||
|
||||
# Network binding
|
||||
AUTHENTIK_LISTEN__HTTP={{ authentik_bind_address }}:{{ authentik_http_port }}
|
||||
AUTHENTIK_LISTEN__HTTPS={{ authentik_bind_address }}:{{ authentik_https_port }}
|
||||
|
||||
{% if authentik_email_enabled %}
|
||||
# Email Configuration
|
||||
@@ -40,4 +36,4 @@ AUTHENTIK_EMAIL__FROM={{ authentik_email_from }}
|
||||
|
||||
# Default admin user
|
||||
AUTHENTIK_BOOTSTRAP_PASSWORD={{ authentik_default_admin_password }}
|
||||
AUTHENTIK_BOOTSTRAP_EMAIL={{ authentik_default_admin_email }}
|
||||
AUTHENTIK_BOOTSTRAP_EMAIL={{ authentik_default_admin_email }}
|
||||
|
||||
@@ -2,10 +2,8 @@
|
||||
Description=Authentik Authentication Pod
|
||||
|
||||
[Pod]
|
||||
PodName=authentik
|
||||
PublishPort={{ authentik_bind_address }}:{{ authentik_http_port }}:{{ authentik_http_port }}
|
||||
PublishPort={{ authentik_bind_address }}:{{ authentik_https_port }}:{{ authentik_https_port }}
|
||||
PodmanArgs=--userns=keep-id
|
||||
PublishPort=0.0.0.0:{{ authentik_http_port }}:{{ authentik_http_port }}
|
||||
PodmanArgs=
|
||||
|
||||
[Service]
|
||||
Restart=always
|
||||
|
||||
Reference in New Issue
Block a user