Add Authentik SSO service and refactor Valkey configuration to use native tools and consolidated systemd service

roles/authentik/defaults/main.yml

@@ -0,0 +1,107 @@
+---
+# =================================================================
+# Authentik Authentication Service Role - Container Configuration
+# =================================================================
+# Containerized Authentik deployment using Podman quadlets
+# Follows rick-infra patterns for pragmatic service deployment
+
+# =================================================================
+# Service Configuration
+# =================================================================
+
+# Service Management
+authentik_service_enabled: true
+authentik_service_state: "started"
+
+# User and Container Configuration
+authentik_user: "authentik"
+authentik_group: "authentik"
+authentik_home: "/var/lib/authentik"
+authentik_subuid_start: 100000
+authentik_subgid_start: 100000
+authentik_subuid_size: 65536
+authentik_subgid_size: 65536
+
+# Container Configuration
+authentik_image_server: "ghcr.io/goauthentik/server"
+authentik_image_tag: "2024.8.3"
+authentik_pod_name: "authentik"
+authentik_network_name: "authentik-net"
+
+# =================================================================
+# Domain and Caddy Integration 
+# =================================================================
+
+# Domain setup (follows rick-infra pattern)
+authentik_subdomain: "auth"
+authentik_domain: "{{ caddy_domain | default('localhost') }}"
+authentik_full_domain: "{{ authentik_subdomain }}.{{ authentik_domain }}"
+
+# Caddy integration
+caddy_sites_enabled_dir: "/etc/caddy/sites-enabled"
+
+# =================================================================
+# Database Configuration (Self-Contained)
+# =================================================================
+
+# Authentik manages its own database
+authentik_db_engine: "postgresql"
+authentik_db_host: "host.containers.internal"
+authentik_db_port: 5432
+authentik_db_name: "authentik"
+authentik_db_user: "authentik"
+authentik_db_password: "{{ vault_authentik_db_password }}"
+
+# =================================================================
+# Cache Configuration (Valkey/Redis)
+# =================================================================
+
+# Valkey/Redis cache configuration
+authentik_redis_host: "host.containers.internal"
+authentik_redis_port: 6379
+authentik_redis_db: 1
+authentik_redis_password: ""  # Valkey has no auth by default
+
+# =================================================================
+# Application Settings
+# =================================================================
+
+# Authentik core configuration
+authentik_secret_key: "{{ vault_authentik_secret_key }}"
+authentik_error_reporting_enabled: false
+authentik_disable_update_check: true
+authentik_disable_startup_analytics: true
+
+# Email configuration (disabled by default)
+authentik_email_host: ""
+authentik_email_port: 587
+authentik_email_username: ""
+authentik_email_password: ""
+authentik_email_use_tls: true
+authentik_email_from: "authentik@{{ authentik_domain }}"
+
+# Worker configuration
+authentik_worker_concurrency: 2
+
+# =================================================================
+# Container Networking
+# =================================================================
+
+# Port mappings
+authentik_http_port: 9000
+authentik_https_port: 9443
+
+# Network configuration
+authentik_bridge_network: true
+authentik_enable_host_gateway: true
+
+# =================================================================
+# Rick-Infra Integration Notes
+# =================================================================
+# This role:
+# - Depends on PostgreSQL, Valkey, Podman, and Caddy infrastructure roles
+# - Creates its own database and user in PostgreSQL
+# - Uses Valkey database 1 for caching
+# - Deploys Caddy configuration to sites-enabled
+# - Uses Podman quadlets for systemd integration
+# - Follows containerized service pattern with service-specific user