Fix: Complete authentik Quadlet implementation with networking solution
Resolves authentik deployment issues by implementing proper Podman Quadlet configuration and fixing networking for external access through Caddy.

Core Fixes:
• Add missing [Install] sections to container Quadlet files for systemd service generation
• Fix pod references from 'systemd-authentik' to 'authentik.pod' for proper Quadlet linking
• Remove problematic --userns=host to use proper rootless user namespaces
• Configure subuid/subgid ranges for authentik user (200000:65536)
• Update networking to bind 0.0.0.0:9000 only (remove unnecessary HTTPS port 9443)
• Add AUTHENTIK_LISTEN__HTTP=0.0.0.0:9000 environment configuration
• Fix Caddy reverse proxy to use HTTP backend instead of HTTPS

Infrastructure Updates:
• Enhance PostgreSQL role with Unix socket configuration and user management
• Improve Valkey role with proper systemd integration and socket permissions
• Add comprehensive service integration documentation
• Update deployment playbooks with backup and restore capabilities

Security Improvements:
• Secure network isolation with Caddy SSL termination
• Reduced attack surface by removing direct HTTPS container exposure
• Proper rootless container configuration with user namespace mapping

Result: authentik now fully operational with external HTTPS access via auth.jnss.me
All systemd services (authentik-pod, authentik-server, authentik-worker) running correctly.
@@ -44,6 +44,10 @@ sigvild_gallery_host: "127.0.0.1"
sigvild_gallery_home: "/opt/sigvild-gallery"
sigvild_gallery_web_root: "/var/www/sigvild-gallery"
sigvild_gallery_local_project_path: "{{ ansible_env.PWD }}/sigvild-gallery"

# Backup configuration
sigvild_gallery_backup_enabled: true
sigvild_gallery_backup_local_path: "{{ playbook_dir }}/backups/sigvild-gallery"
```

## Usage
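Review bot: `sigvild_gallery_backup_local_path` defaults to `{{ playbook_dir }}/backups/sigvild-gallery`, a directory inside the playbook checkout, and the archives written there hold the full PocketBase database and uploaded media according to the README section added later in this commit; make sure `backups/` is excluded from version control and say so next to the default, e.g. `# Backup archives contain production data; keep this directory out of git`. Separately, the commit message is centred on authentik Quadlets while these hunks change the sigvild-gallery role's defaults and README; naming that role in the message would make the change easier to find later.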
@@ -71,6 +75,62 @@ ansible-playbook site.yml --tags="backend"
ansible-playbook site.yml --tags="caddy"
```

### Data Backup and Restoration

#### Creating a Backup

Before formatting your server or making major changes, create a backup of all production data:

```bash
# Create backup of production data
ansible-playbook playbooks/backup-sigvild.yml

# Backup will be saved to: ./backups/sigvild-gallery/sigvild-gallery-backup-YYYYMMDDTHHMMSS.tar.gz
```

The backup includes:
- PocketBase SQLite database (`data.db`, `auxiliary.db`)
- All uploaded wedding photos and media files
- PocketBase logs and system state

#### Automatic Restoration

When deploying to a fresh server, the role automatically detects and restores from the latest backup:

```bash
# Normal deployment will auto-restore if backup exists
ansible-playbook playbooks/deploy-sigvild.yml

# Or deploy full infrastructure (includes auto-restore)
ansible-playbook site.yml
```

#### Manual Restoration

To restore data manually or from a specific backup:

```bash
# Restore with specific backup file
ansible-playbook playbooks/deploy-sigvild.yml --tags="restore" \
--extra-vars="sigvild_gallery_backup_local_path=/path/to/backup/directory"

# Force restoration (overwrite existing data)
ansible-playbook playbooks/deploy-sigvild.yml --tags="backend,restore"
```

#### Backup Management

```bash
# List available backups
ls -la ./backups/sigvild-gallery/

# Verify backup contents
tar -tzf ./backups/sigvild-gallery/sigvild-gallery-backup-YYYYMMDDTHHMMSS.tar.gz

# Extract backup for inspection (local)
tar -xzf ./backups/sigvild-gallery/sigvild-gallery-backup-YYYYMMDDTHHMMSS.tar.gz
```

## Security Features

### Environment Variables
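Review bot: the "Manual Restoration" example contradicts its own comment: `# Restore with specific backup file` is followed by a command that overrides `sigvild_gallery_backup_local_path`, which is a directory, so the reader cannot tell how one archive is selected (newest in that directory? by name?); either add a variable that names the archive or reword the comment to `# Restore from a specific backup directory (latest archive is used)` if that is the behaviour. Two smaller points in the same section: the `# Force restoration (overwrite existing data)` command should state whether the data it overwrites is preserved anywhere first, and the `tar -xzf` inspection command extracts into the current directory, so `mkdir /tmp/inspect && tar -xzf ... -C /tmp/inspect` would keep database and media files from landing in the playbook tree.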
@@ -169,6 +229,21 @@ systemctl reload caddy
- `/opt/sigvild-gallery/` (application directory)
- `/var/www/sigvild-gallery/` (frontend files)

## Data Protection

### Backup Strategy
- **Automated**: Backup creation via dedicated playbook
- **Comprehensive**: Includes database, uploaded files, and system state
- **Consistent**: Service temporarily stopped during backup for data integrity
- **Local storage**: Backups stored in `./backups/sigvild-gallery/` directory
- **Timestamped**: Each backup includes ISO timestamp for easy identification

### Recovery Process
- **Automatic detection**: Deployment automatically detects available backups
- **Zero-downtime restore**: Restoration happens before service startup
- **Integrity verification**: Backups verified before and after restoration
- **Permission preservation**: User/group ownership maintained during restore

## Tags

- `sigvild`: Complete Sigvild Gallery deployment
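Review bot: the bullet `**Integrity verification**: Backups verified before and after restoration` does not say how, and nothing in the Usage section of this commit goes beyond `tar -tzf` listing the archive; either describe the check (archive listing, a checksum file written beside the archive, PocketBase opening the restored `data.db`) or soften the claim. Likewise `**Zero-downtime restore**` only holds for the fresh-server path described under "Automatic Restoration"; the forced `--tags="backend,restore"` path documented in the same README necessarily touches a running deployment, so "Restore before service start" would be the more accurate label.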
@@ -177,4 +252,6 @@ systemctl reload caddy
- `build`: Local build processes
- `service`: SystemD service management
- `caddy`: Caddy configuration
- `verify`: Post-deployment verification
- `verify`: Post-deployment verification
- `backup`: Data backup operations
- `restore`: Data restoration operations
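Review bot: `- \`verify\`: Post-deployment verification` appears twice in this hunk; the header counts (`-177,4 +252,6`) are consistent with the line being removed and re-added rather than duplicated (typically a missing trailing newline at the old end of file), but confirm the rendered README lists `verify` only once. Also check that the new `backup` and `restore` tags match what the playbooks apply: the Usage section in this commit invokes `--tags="restore"` and `--tags="backend,restore"` but never a bare `--tags="backup"`, since backups run through the separate `playbooks/backup-sigvild.yml`, so the `backup` tag's description should say which playbook it applies to.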