joakim/rick-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix: Complete authentik Quadlet implementation with networking solution

Browse Source 
Resolves authentik deployment issues by implementing proper Podman Quadlet
configuration and fixing networking for external access through Caddy.

Core Fixes:
• Add missing [Install] sections to container Quadlet files for systemd service generation
• Fix pod references from 'systemd-authentik' to 'authentik.pod' for proper Quadlet linking
• Remove problematic --userns=host to use proper rootless user namespaces
• Configure subuid/subgid ranges for authentik user (200000:65536)
• Update networking to bind 0.0.0.0:9000 only (remove unnecessary HTTPS port 9443)
• Add AUTHENTIK_LISTEN__HTTP=0.0.0.0:9000 environment configuration
• Fix Caddy reverse proxy to use HTTP backend instead of HTTPS

Infrastructure Updates:
• Enhance PostgreSQL role with Unix socket configuration and user management
• Improve Valkey role with proper systemd integration and socket permissions
• Add comprehensive service integration documentation
• Update deployment playbooks with backup and restore capabilities

Security Improvements:
• Secure network isolation with Caddy SSL termination
• Reduced attack surface by removing direct HTTPS container exposure
• Proper rootless container configuration with user namespace mapping

Result: authentik now fully operational with external HTTPS access via auth.jnss.me
All systemd services (authentik-pod, authentik-server, authentik-worker) running correctly.
This commit is contained in:
Joakim
2025-12-04 19:42:31 +01:00
parent df4ae0eb17
commit b42ee2a22b
25 changed files with 986 additions and 92 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
site.yml
View File

@@ -4,8 +4,8 @@
- name: Deploy Core Infrastructure
hosts: arch-vps
become: yes
gather_facts: yes
become: true
gather_facts: true
roles:
# Infrastructure services
@@ -13,12 +13,14 @@
# tags: ['postgresql', 'infrastructure', 'database']
# - role: valkey
# tags: ['valkey', 'redis', 'infrastructure', 'cache']
- role: podman
tags: ['podman', 'containers', 'infrastructure']
# - role: podman
# tags: ['podman', 'containers', 'infrastructure']
# - role: caddy
# tags: ['caddy', 'infrastructure', 'web']
# Application services
- role: authentik
tags: ['authentik']
# - role: gitea
# tags: ['gitea', 'git', 'development']
# - role: sigvild-gallery