Fix: Complete authentik Quadlet implementation with networking solution

Resolves authentik deployment issues by implementing proper Podman Quadlet
configuration and fixing networking for external access through Caddy.

Core Fixes:
• Add missing [Install] sections to container Quadlet files for systemd service generation
• Fix pod references from 'systemd-authentik' to 'authentik.pod' for proper Quadlet linking
• Remove problematic --userns=host to use proper rootless user namespaces
• Configure subuid/subgid ranges for authentik user (200000:65536)
• Update networking to bind 0.0.0.0:9000 only (remove unnecessary HTTPS port 9443)
• Add AUTHENTIK_LISTEN__HTTP=0.0.0.0:9000 environment configuration
• Fix Caddy reverse proxy to use HTTP backend instead of HTTPS

Infrastructure Updates:
• Enhance PostgreSQL role with Unix socket configuration and user management
• Improve Valkey role with proper systemd integration and socket permissions
• Add comprehensive service integration documentation
• Update deployment playbooks with backup and restore capabilities

Security Improvements:
• Secure network isolation with Caddy SSL termination
• Reduced attack surface by removing direct HTTPS container exposure
• Proper rootless container configuration with user namespace mapping

Result: authentik now fully operational with external HTTPS access via auth.jnss.me
All systemd services (authentik-pod, authentik-server, authentik-worker) running correctly.

roles/postgresql/defaults/main.yml

@@ -13,10 +13,15 @@
 postgresql_service_enabled: true
 postgresql_service_state: "started"
 
-# Network Security (localhost only)
+# Network Security
 postgresql_listen_addresses: "localhost"
 postgresql_port: 5432
 
+# Unix Socket Configuration  
+postgresql_unix_socket_enabled: true
+postgresql_unix_socket_directories: "/var/run/postgresql"
+postgresql_unix_socket_permissions: "0770"
+
 # Authentication
 postgresql_auth_method: "scram-sha-256"
 

roles/postgresql/tasks/main.yml

@@ -25,7 +25,7 @@
     --auth-local=peer
     --auth-host={{ postgresql_auth_method }}
     {{ '--data-checksums' if postgresql_data_checksums else '' }}
-  become: yes
+  become: true
   become_user: postgres
   when: not postgresql_initialized.stat.exists
   notify: restart postgresql
@@ -67,27 +67,49 @@
     - reload systemd
     - restart postgresql
 
+- name: Create PostgreSQL Unix socket directory
+  file:
+    path: "{{ postgresql_unix_socket_directories }}"
+    state: directory
+    owner: postgres
+    group: postgres
+    mode: '0770'
+  when: postgresql_unix_socket_enabled
+
 - name: Enable and start PostgreSQL service
   systemd:
     name: postgresql
     enabled: "{{ postgresql_service_enabled }}"
     state: "{{ postgresql_service_state }}"
-    daemon_reload: yes
+    daemon_reload: true
 
-- name: Wait for PostgreSQL to be ready
+- name: Wait for PostgreSQL to be ready (TCP)
   wait_for:
     port: "{{ postgresql_port }}"
     host: "{{ postgresql_listen_addresses }}"
     timeout: 30
-  when: postgresql_service_state == "started"
+  when: postgresql_service_state == "started" and postgresql_listen_addresses != ""
+
+- name: Wait for PostgreSQL to be ready (Unix Socket)
+  postgresql_ping:
+    login_unix_socket: "{{ postgresql_unix_socket_directories }}"
+    login_user: postgres
+  become: true
+  become_user: postgres
+  register: postgresql_socket_ready
+  until: postgresql_socket_ready is succeeded
+  retries: 10
+  delay: 3
+  when: postgresql_service_state == "started" and postgresql_unix_socket_enabled and postgresql_listen_addresses == ""
 
 - name: Display PostgreSQL infrastructure status
   debug:
     msg: |
       ✅ PostgreSQL infrastructure ready!
       
-      📡 Service: {{ postgresql_listen_addresses }}:{{ postgresql_port }}
+      📡 Service: {% if postgresql_unix_socket_enabled and postgresql_listen_addresses == "" %}Unix Socket ({{ postgresql_unix_socket_directories }}){% else %}{{ postgresql_listen_addresses }}:{{ postgresql_port }}{% endif %}
       🔒 Auth: {{ postgresql_auth_method }}
       📊 Checksums: {{ 'Enabled' if postgresql_data_checksums else 'Disabled' }}
+      {% if postgresql_unix_socket_enabled %}🔌 Socket: {{ postgresql_unix_socket_directories }} (mode {{ postgresql_unix_socket_permissions }}){% endif %}
       
       🏗️ Ready for applications to create databases/users

roles/postgresql/templates/postgresql.conf.j2

@@ -3,6 +3,11 @@
 # PostgreSQL's excellent defaults are used except for essentials
 
 # Network and Security
+{% if postgresql_unix_socket_enabled %}
+# Unix Socket Configuration
+unix_socket_directories = '{{ postgresql_unix_socket_directories }}'
+unix_socket_permissions = {{ postgresql_unix_socket_permissions }}
+{% endif %}
 listen_addresses = '{{ postgresql_listen_addresses }}'
 port = {{ postgresql_port }}