Add Authentik SSO service and refactor Valkey configuration to use native tools and consolidated systemd service

roles/authentik/README.md

@@ -0,0 +1,119 @@
+# Authentik Authentication Service Role
+
+Containerized Authentik authentication service for rick-infra using Podman quadlets and following established architectural patterns.
+
+## Features
+
+- ✅ **Containerized deployment**: Uses Podman with systemd quadlets
+- ✅ **Self-contained**: Manages its own database and configuration  
+- ✅ **Service-specific user**: Runs as dedicated `authentik` user with subuid/subgid
+- ✅ **Infrastructure integration**: PostgreSQL database, Valkey cache, Caddy proxy
+- ✅ **Bridge networking**: Container-to-host communication via host.containers.internal
+- ✅ **Security hardened**: Rootless containers with proper isolation
+- ✅ **Production ready**: HTTPS, proper health checks, restart policies
+
+## Architecture
+
+- **Dependencies**: PostgreSQL, Valkey, Podman, Caddy infrastructure roles
+- **Database**: Self-managed authentik database and user in PostgreSQL
+- **Cache**: Uses Valkey database 1 for session/cache storage
+- **Containers**: 2-container pod (server + worker) deployed via quadlets  
+- **Network**: Custom bridge network with host gateway access
+- **Web access**: https://auth.domain.com (via Caddy reverse proxy)
+
+## Configuration
+
+Key variables (defaults in `defaults/main.yml`):
+
+```yaml
+# Service
+authentik_service_enabled: true
+authentik_http_port: 9000
+authentik_https_port: 9443
+
+# Domain 
+authentik_subdomain: "auth"
+authentik_domain: "{{ caddy_domain }}"
+
+# Container
+authentik_image_server: "ghcr.io/goauthentik/server"
+authentik_image_tag: "2024.8.3"
+authentik_user: "authentik"
+
+# Database (self-managed)
+authentik_db_name: "authentik"
+authentik_db_user: "authentik"
+authentik_db_password: "{{ vault_authentik_db_password }}"
+
+# Cache (Valkey)
+authentik_redis_host: "host.containers.internal"
+authentik_redis_db: 1
+
+# Security
+authentik_secret_key: "{{ vault_authentik_secret_key }}"
+```
+
+## Container Architecture
+
+### Pod Structure
+```
+authentik-pod
+├── authentik-server   (web interface, API)
+└── authentik-worker   (background tasks)
+```
+
+### Networking
+- **Bridge network**: `authentik-net` with DNS resolution
+- **Host gateway**: `host.containers.internal` → host system
+- **Port mapping**: 9000:9000 (HTTP), 9443:9443 (HTTPS)
+
+### Storage
+- **Config**: `~authentik/.config/containers/` (quadlets, env)
+- **Data**: `~authentik/data/` (persistent application data)
+- **Media**: `~authentik/media/` (uploaded files)
+
+## Usage
+
+1. **Add vault secrets**: Set required vault variables in host_vars:
+   ```yaml
+   vault_authentik_db_password: "secure_db_password"
+   vault_authentik_secret_key: "long_random_secret_key"
+   ```
+
+2. **Deploy**: `ansible-playbook site.yml --tags authentik`
+
+3. **Access**: Visit https://auth.yourdomain.com/if/flow/initial-setup/
+
+## Dependencies
+
+- PostgreSQL infrastructure role (database)
+- Valkey infrastructure role (cache) 
+- Podman infrastructure role (containers)
+- Caddy web server (HTTPS reverse proxy)
+- Vault secrets: `vault_authentik_db_password`, `vault_authentik_secret_key`
+
+## Containerized Service Pattern
+
+This role establishes rick-infra's containerized service pattern:
+
+### User Management
+- Service-specific user (`authentik`) with dedicated home directory
+- Subuid/subgid ranges (100000-165535) for rootless containers
+- Systemd user session with lingering enabled
+
+### Container Integration  
+- Podman quadlets for native systemd integration
+- Custom bridge networks with host gateway access
+- Container-to-host connectivity via `host.containers.internal`
+- Persistent storage mounted from user home directory
+
+### Infrastructure Integration
+- Self-managed database creation via PostgreSQL role
+- Cache integration with Valkey infrastructure  
+- Reverse proxy deployment via Caddy sites-enabled
+- Follows rick-infra self-contained service patterns
+
+---
+
+**Rick-Infra Authentik Service**  
+SSO authentication and authorization platform for modern applications.