Add Authentik SSO service and refactor Valkey configuration to use native tools and consolidated systemd service

2025-11-22 21:36:23 +01:00
parent 500224b5de
commit d814369c99
21 changed files with 769 additions and 74 deletions
--- a/roles/authentik/templates/authentik-server.container.j2
+++ b/roles/authentik/templates/authentik-server.container.j2
@@ -0,0 +1,37 @@
+# Authentik Server Container Quadlet
+# Generated by rick-infra Ansible role
+
+[Unit]
+Description=Authentik Server Container
+Requires={{ authentik_pod_name }}-pod.service
+After={{ authentik_pod_name }}-pod.service
+
+[Container]
+ContainerName=authentik-server
+Image={{ authentik_image_server }}:{{ authentik_image_tag }}
+Pod={{ authentik_pod_name }}.pod
+
+# Environment configuration
+EnvironmentFile={{ authentik_home }}/.config/containers/authentik.env
+Environment=AUTHENTIK_LISTEN__HTTP=0.0.0.0:9000
+Environment=AUTHENTIK_LISTEN__HTTPS=0.0.0.0:9443
+
+# Server command
+Exec=server
+
+# Volumes for persistent data
+Volume={{ authentik_home }}/data:/data:Z
+Volume={{ authentik_home }}/media:/media:Z
+
+# Health check
+HealthCmd=ak healthcheck
+HealthInterval=30s
+HealthTimeout=10s
+HealthRetries=3
+
+[Service]
+Restart=always
+RestartSec=10
+
+[Install]
+WantedBy=default.target
--- a/roles/authentik/templates/authentik-worker.container.j2
+++ b/roles/authentik/templates/authentik-worker.container.j2
@@ -0,0 +1,35 @@
+# Authentik Worker Container Quadlet
+# Generated by rick-infra Ansible role
+
+[Unit]
+Description=Authentik Worker Container
+Requires={{ authentik_pod_name }}-pod.service authentik-server.service
+After={{ authentik_pod_name }}-pod.service authentik-server.service
+
+[Container]
+ContainerName=authentik-worker
+Image={{ authentik_image_server }}:{{ authentik_image_tag }}
+Pod={{ authentik_pod_name }}.pod
+
+# Environment configuration
+EnvironmentFile={{ authentik_home }}/.config/containers/authentik.env
+
+# Worker command
+Exec=worker
+
+# Volumes for persistent data
+Volume={{ authentik_home }}/data:/data:Z
+Volume={{ authentik_home }}/media:/media:Z
+
+# Health check
+HealthCmd=ak healthcheck
+HealthInterval=30s
+HealthTimeout=10s
+HealthRetries=3
+
+[Service]
+Restart=always
+RestartSec=10
+
+[Install]
+WantedBy=default.target
--- a/roles/authentik/templates/authentik.caddy.j2
+++ b/roles/authentik/templates/authentik.caddy.j2
@@ -0,0 +1,34 @@
+# Authentik Caddy Configuration - Rick-Infra
+# Generated by Ansible Authentik role
+# Deployed to {{ caddy_sites_enabled_dir }}/authentik.caddy
+
+{{ authentik_full_domain }} {
+    # Reverse proxy to Authentik
+    reverse_proxy 127.0.0.1:{{ authentik_http_port }}
+
+    # Security headers for authentication service
+    header {
+        # Enable HSTS
+        Strict-Transport-Security max-age=31536000;
+        # Prevent embedding in frames
+        X-Frame-Options DENY
+        # Prevent content type sniffing
+        X-Content-Type-Options nosniff
+        # XSS protection
+        X-XSS-Protection "1; mode=block"
+        # Referrer policy for privacy
+        Referrer-Policy strict-origin-when-cross-origin
+    }
+
+    # Logging
+    log {
+        output file /var/log/caddy/authentik_access.log
+    }
+
+    # Optional: Custom error pages
+    handle_errors {
+        respond "Authentication service temporarily unavailable" 503
+    }
+}
+
+# Rick-Infra: Containerized Authentik authentication service with Caddy reverse proxy
--- a/roles/authentik/templates/authentik.env.j2
+++ b/roles/authentik/templates/authentik.env.j2
@@ -0,0 +1,39 @@
+# Authentik Environment Configuration
+# Generated by rick-infra Ansible role
+
+# Database Configuration
+AUTHENTIK_POSTGRESQL__HOST={{ authentik_db_host }}
+AUTHENTIK_POSTGRESQL__PORT={{ authentik_db_port }}
+AUTHENTIK_POSTGRESQL__NAME={{ authentik_db_name }}
+AUTHENTIK_POSTGRESQL__USER={{ authentik_db_user }}
+AUTHENTIK_POSTGRESQL__PASSWORD={{ authentik_db_password }}
+
+# Cache Configuration (Valkey/Redis)
+AUTHENTIK_REDIS__HOST={{ authentik_redis_host }}
+AUTHENTIK_REDIS__PORT={{ authentik_redis_port }}
+AUTHENTIK_REDIS__DB={{ authentik_redis_db }}
+{% if authentik_redis_password %}
+AUTHENTIK_REDIS__PASSWORD={{ authentik_redis_password }}
+{% endif %}
+
+# Core Configuration
+AUTHENTIK_SECRET_KEY={{ authentik_secret_key }}
+AUTHENTIK_ERROR_REPORTING__ENABLED={{ authentik_error_reporting_enabled | lower }}
+AUTHENTIK_DISABLE_UPDATE_CHECK={{ authentik_disable_update_check | lower }}
+AUTHENTIK_DISABLE_STARTUP_ANALYTICS={{ authentik_disable_startup_analytics | lower }}
+
+# Worker Configuration
+AUTHENTIK_WORKER__CONCURRENCY={{ authentik_worker_concurrency }}
+
+# Email Configuration
+{% if authentik_email_host %}
+AUTHENTIK_EMAIL__HOST={{ authentik_email_host }}
+AUTHENTIK_EMAIL__PORT={{ authentik_email_port }}
+AUTHENTIK_EMAIL__USERNAME={{ authentik_email_username }}
+AUTHENTIK_EMAIL__PASSWORD={{ authentik_email_password }}
+AUTHENTIK_EMAIL__USE_TLS={{ authentik_email_use_tls | lower }}
+AUTHENTIK_EMAIL__FROM={{ authentik_email_from }}
+{% endif %}
+
+# Trust reverse proxy headers
+AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS=127.0.0.1/32,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
--- a/roles/authentik/templates/authentik.pod.j2
+++ b/roles/authentik/templates/authentik.pod.j2
@@ -0,0 +1,21 @@
+# Authentik Pod Quadlet
+# Generated by rick-infra Ansible role
+
+[Unit]
+Description=Authentik Authentication Service Pod
+Wants=network-online.target
+After=network-online.target
+
+[Pod]
+PodName={{ authentik_pod_name }}
+Network={{ authentik_network_name }}
+{% if authentik_enable_host_gateway | default(true) %}
+AddHost=host.containers.internal:host-gateway
+{% endif %}
+
+# Published ports for web access
+PublishPort={{ authentik_http_port }}:9000
+PublishPort={{ authentik_https_port }}:9443
+
+[Install]
+WantedBy=default.target