Add Authentik SSO service and refactor Valkey configuration to use native tools and consolidated systemd service

2025-11-22 21:36:23 +01:00
parent 500224b5de
commit d814369c99
21 changed files with 769 additions and 74 deletions
--- a/roles/authentik/tasks/containers.yml
+++ b/roles/authentik/tasks/containers.yml
@@ -0,0 +1,69 @@
+---
+# Authentik Container Deployment - Podman Quadlets
+
+- name: Deploy authentik environment file
+  template:
+    src: authentik.env.j2
+    dest: "{{ authentik_home }}/.config/containers/authentik.env"
+    owner: "{{ authentik_user }}"
+    group: "{{ authentik_group }}"
+    mode: '0600'
+  notify: restart authentik pod
+
+- name: Deploy authentik pod quadlet
+  template:
+    src: authentik.pod.j2
+    dest: "{{ authentik_home }}/.config/containers/systemd/{{ authentik_pod_name }}.pod"
+    owner: "{{ authentik_user }}"
+    group: "{{ authentik_group }}"
+    mode: '0644'
+  notify:
+    - reload user systemd for authentik
+    - restart authentik pod
+
+- name: Deploy authentik server container quadlet
+  template:
+    src: authentik-server.container.j2
+    dest: "{{ authentik_home }}/.config/containers/systemd/authentik-server.container"
+    owner: "{{ authentik_user }}"
+    group: "{{ authentik_group }}"
+    mode: '0644'
+  notify:
+    - reload user systemd for authentik
+    - restart authentik pod
+
+- name: Deploy authentik worker container quadlet
+  template:
+    src: authentik-worker.container.j2
+    dest: "{{ authentik_home }}/.config/containers/systemd/authentik-worker.container"
+    owner: "{{ authentik_user }}"
+    group: "{{ authentik_group }}"
+    mode: '0644'
+  notify:
+    - reload user systemd for authentik
+    - restart authentik pod
+
+- name: Reload user systemd to recognize quadlets
+  systemd:
+    daemon_reload: yes
+    scope: user
+  become: yes
+  become_user: "{{ authentik_user }}"
+
+- name: Enable and start authentik pod
+  systemd:
+    name: "{{ authentik_pod_name }}-pod"
+    enabled: "{{ authentik_service_enabled }}"
+    state: "{{ authentik_service_state }}"
+    scope: user
+  become: yes
+  become_user: "{{ authentik_user }}"
+
+- name: Wait for Authentik to be ready
+  uri:
+    url: "http://127.0.0.1:{{ authentik_http_port }}/if/flow/initial-setup/"
+    method: GET
+    status_code: [200, 302]
+  retries: 30
+  delay: 2
+  when: authentik_service_state == "started"
--- a/roles/authentik/tasks/database.yml
+++ b/roles/authentik/tasks/database.yml
@@ -0,0 +1,28 @@
+---
+# Authentik Database Management - Self-Contained Database Setup
+
+- name: Create Authentik database user
+  postgresql_user:
+    name: "{{ authentik_db_user }}"
+    password: "{{ authentik_db_password }}"
+    encrypted: yes
+  become: yes
+  become_user: postgres
+
+- name: Create Authentik database
+  postgresql_db:
+    name: "{{ authentik_db_name }}"
+    owner: "{{ authentik_db_user }}"
+    encoding: UTF8
+    template: template0
+  become: yes
+  become_user: postgres
+
+- name: Grant all privileges on Authentik database to user
+  postgresql_privs:
+    db: "{{ authentik_db_name }}"
+    privs: ALL
+    type: database
+    role: "{{ authentik_db_user }}"
+  become: yes
+  become_user: postgres
--- a/roles/authentik/tasks/main.yml
+++ b/roles/authentik/tasks/main.yml
@@ -0,0 +1,36 @@
+---
+# Authentik Authentication Service Role - Containerized Implementation
+# Manages Authentik using Podman with self-contained database
+
+- name: Create authentik user and configure subuid/subgid
+  include_tasks: user.yml
+
+- name: Set up authentik database
+  include_tasks: database.yml
+
+- name: Configure container networking
+  include_tasks: networking.yml
+
+- name: Deploy authentik containers via quadlets
+  include_tasks: containers.yml
+
+- name: Deploy Caddy configuration for Authentik
+  template:
+    src: authentik.caddy.j2
+    dest: "{{ caddy_sites_enabled_dir }}/authentik.caddy"
+    mode: '0644'
+  notify: reload caddy
+  when: caddy_sites_enabled_dir is defined
+
+- name: Display Authentik service status
+  debug:
+    msg: |
+      ✅ Authentik authentication service deployed successfully!
+      
+      🌐 Web Interface: https://{{ authentik_full_domain }}
+      🔐 Admin Interface: https://{{ authentik_full_domain }}/if/admin/
+      📦 Local HTTP: http://127.0.0.1:{{ authentik_http_port }}
+      🗄️  Database: {{ authentik_db_name }} (self-managed)
+      🚀 Cache: Valkey database {{ authentik_redis_db }}
+      
+      🏗️ Authentication service ready for SSO integration!
--- a/roles/authentik/tasks/networking.yml
+++ b/roles/authentik/tasks/networking.yml
@@ -0,0 +1,23 @@
+---
+# Authentik Container Networking - Bridge Network Setup
+
+- name: Create authentik bridge network
+  containers.podman.podman_network:
+    name: "{{ authentik_network_name }}"
+    driver: bridge
+    internal: false
+    state: present
+  become: yes
+  become_user: "{{ authentik_user }}"
+
+- name: Check if authentik network exists
+  command: podman network ls --format json
+  become: yes
+  become_user: "{{ authentik_user }}"
+  register: network_list
+  changed_when: false
+
+- name: Ensure host gateway is available in network
+  debug:
+    msg: "Network {{ authentik_network_name }} configured for host.containers.internal access"
+  when: authentik_enable_host_gateway | default(true)
--- a/roles/authentik/tasks/user.yml
+++ b/roles/authentik/tasks/user.yml
@@ -0,0 +1,60 @@
+---
+# Authentik User Management - Service-Specific User Setup
+
+- name: Create authentik group
+  group:
+    name: "{{ authentik_group }}"
+    system: yes
+
+- name: Create authentik user
+  user:
+    name: "{{ authentik_user }}"
+    group: "{{ authentik_group }}"
+    system: yes
+    shell: /bin/bash
+    home: "{{ authentik_home }}"
+    create_home: yes
+    comment: "Authentik authentication service"
+
+- name: Set up subuid for authentik user
+  lineinfile:
+    path: /etc/subuid
+    line: "{{ authentik_user }}:{{ authentik_subuid_start }}:{{ authentik_subuid_size }}"
+    create: yes
+    mode: '0644'
+
+- name: Set up subgid for authentik user
+  lineinfile:
+    path: /etc/subgid
+    line: "{{ authentik_user }}:{{ authentik_subgid_start }}:{{ authentik_subgid_size }}"
+    create: yes
+    mode: '0644'
+
+- name: Create authentik directories
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ authentik_user }}"
+    group: "{{ authentik_group }}"
+    mode: '0755'
+  loop:
+    - "{{ authentik_home }}"
+    - "{{ authentik_home }}/.config"
+    - "{{ authentik_home }}/.config/systemd"
+    - "{{ authentik_home }}/.config/systemd/user"
+    - "{{ authentik_home }}/.config/containers"
+    - "{{ authentik_home }}/.config/containers/systemd"
+    - "{{ authentik_home }}/data"
+    - "{{ authentik_home }}/media"
+
+- name: Enable lingering for authentik user
+  command: loginctl enable-linger {{ authentik_user }}
+  args:
+    creates: "/var/lib/systemd/linger/{{ authentik_user }}"
+
+- name: Initialize user systemd for authentik
+  systemd:
+    daemon_reload: yes
+    scope: user
+  become: yes
+  become_user: "{{ authentik_user }}"