Fix: Complete authentik Quadlet implementation with networking solution

Resolves authentik deployment issues by implementing proper Podman Quadlet configuration and fixing networking for external access through Caddy. Core Fixes: • Add missing [Install] sections to container Quadlet files for systemd service generation • Fix pod references from 'systemd-authentik' to 'authentik.pod' for proper Quadlet linking • Remove problematic --userns=host to use proper rootless user namespaces • Configure subuid/subgid ranges for authentik user (200000:65536) • Update networking to bind 0.0.0.0:9000 only (remove unnecessary HTTPS port 9443) • Add AUTHENTIK_LISTEN__HTTP=0.0.0.0:9000 environment configuration • Fix Caddy reverse proxy to use HTTP backend instead of HTTPS Infrastructure Updates: • Enhance PostgreSQL role with Unix socket configuration and user management • Improve Valkey role with proper systemd integration and socket permissions • Add comprehensive service integration documentation • Update deployment playbooks with backup and restore capabilities Security Improvements: • Secure network isolation with Caddy SSL termination • Reduced attack surface by removing direct HTTPS container exposure • Proper rootless container configuration with user namespace mapping Result: authentik now fully operational with external HTTPS access via auth.jnss.me All systemd services (authentik-pod, authentik-server, authentik-worker) running correctly.
2025-12-04 19:42:31 +01:00
parent df4ae0eb17
commit b42ee2a22b
25 changed files with 986 additions and 92 deletions
--- a/roles/valkey/tasks/main.yml
+++ b/roles/valkey/tasks/main.yml
@@ -28,6 +28,24 @@
    group: valkey
    mode: '0750'

+- name: Create Valkey Unix socket directory
+  file:
+    path: "{{ valkey_unix_socket_path | dirname }}"
+    state: directory
+    owner: valkey
+    group: valkey
+    mode: '0775'
+  when: valkey_unix_socket_enabled
+
+- name: Ensure socket directory is accessible
+  file:
+    path: "{{ valkey_unix_socket_path | dirname }}"
+    owner: valkey
+    group: valkey
+    mode: '0775'
+    recurse: yes
+  when: valkey_unix_socket_enabled
+
 - name: Deploy Valkey configuration file
  template:
    src: valkey.conf.j2
@@ -60,28 +78,67 @@
    name: valkey
    enabled: "{{ valkey_service_enabled }}"
    state: "{{ valkey_service_state }}"
-    daemon_reload: yes
+    daemon_reload: true
+  register: valkey_service_result

- name: Wait for Valkey to be ready
+- name: Wait for Valkey to be ready (TCP)
  wait_for:
    port: "{{ valkey_port }}"
    host: "{{ valkey_bind }}"
    timeout: 30
-  when: valkey_service_state == "started"
+  when: valkey_service_state == "started" and not valkey_unix_socket_enabled

- name: Test Valkey connectivity
-  command: redis-cli -h {{ valkey_bind }} -p {{ valkey_port }} -a {{ valkey_requirepass }} ping
-  register: valkey_ping_result
+- name: Wait for Valkey socket file to exist
+  wait_for:
+    path: "{{ valkey_unix_socket_path }}"
+    timeout: 30
+  when: valkey_service_state == "started" and valkey_unix_socket_enabled
+
+- name: Wait for Valkey to be ready (Unix Socket) - Try without auth first
+  command: redis-cli -s {{ valkey_unix_socket_path }} ping
+  register: valkey_socket_ping_noauth
+  until: >
+    valkey_socket_ping_noauth.stdout == "PONG" or 
+    "NOAUTH" in (valkey_socket_ping_noauth.stdout + valkey_socket_ping_noauth.stderr)
+  retries: 15
+  delay: 2
  changed_when: false
-  failed_when: valkey_ping_result.stdout != "PONG"
-  when: valkey_service_state == "started"
+  failed_when: false
+  when: valkey_service_state == "started" and valkey_unix_socket_enabled
+
+- name: Wait for Valkey to be ready (Unix Socket) - Try with auth if needed
+  command: redis-cli -s {{ valkey_unix_socket_path }} -a {{ valkey_requirepass }} ping
+  register: valkey_socket_ping_auth
+  until: valkey_socket_ping_auth.stdout == "PONG"
+  retries: 5
+  delay: 2
+  changed_when: false
+  failed_when: valkey_socket_ping_auth.rc != 0
+  when: >
+    valkey_service_state == "started" and valkey_unix_socket_enabled and 
+    (valkey_socket_ping_noauth.stdout != "PONG") and
+    ("NOAUTH" in (valkey_socket_ping_noauth.stdout + valkey_socket_ping_noauth.stderr) or valkey_socket_ping_noauth.rc != 0)
+
+- name: Test Valkey connectivity (TCP)
+  command: redis-cli -h {{ valkey_bind }} -p {{ valkey_port }} -a {{ valkey_requirepass }} ping
+  register: valkey_ping_result_tcp
+  changed_when: false
+  failed_when: valkey_ping_result_tcp.stdout != "PONG"
+  when: valkey_service_state == "started" and not valkey_unix_socket_enabled
+
+- name: Test Valkey connectivity (Unix Socket)
+  command: redis-cli -s {{ valkey_unix_socket_path }} -a {{ valkey_requirepass }} ping
+  register: valkey_ping_result_socket
+  changed_when: false
+  failed_when: valkey_ping_result_socket.stdout != "PONG"
+  when: valkey_service_state == "started" and valkey_unix_socket_enabled

 - name: Display Valkey infrastructure status
  debug:
    msg: |
      ✅ Valkey infrastructure ready!
      
-      📡 Service: {{ valkey_bind }}:{{ valkey_port }}
+      📡 Service: {% if valkey_unix_socket_enabled %}Unix Socket ({{ valkey_unix_socket_path }}){% else %}{{ valkey_bind }}:{{ valkey_port }}{% endif %}
      🔒 Auth: Password protected
      💾 Persistence: {{ 'RDB enabled' if valkey_save_enabled else 'Memory only' }}
      🗄️ Databases: {{ valkey_databases }} available (0-{{ valkey_databases - 1 }})
@@ -91,4 +148,5 @@
      📋 Application Integration:
      - Use database numbers 1-{{ valkey_databases - 1 }} for applications
      - Database 0 reserved for system/testing
+      - {% if valkey_unix_socket_enabled %}Unix socket: {{ valkey_unix_socket_path }}{% else %}TCP: {{ valkey_bind }}:{{ valkey_port }}{% endif %}
      - Redis-compatible: applications can use REDIS_* or VALKEY_* env vars