Add Authentik SSO service and refactor Valkey configuration to use native tools and consolidated systemd service

roles/authentik/templates/authentik.caddy.j2

@@ -0,0 +1,34 @@
+# Authentik Caddy Configuration - Rick-Infra
+# Generated by Ansible Authentik role
+# Deployed to {{ caddy_sites_enabled_dir }}/authentik.caddy
+
+{{ authentik_full_domain }} {
+    # Reverse proxy to Authentik
+    reverse_proxy 127.0.0.1:{{ authentik_http_port }}
+
+    # Security headers for authentication service
+    header {
+        # Enable HSTS
+        Strict-Transport-Security max-age=31536000;
+        # Prevent embedding in frames
+        X-Frame-Options DENY
+        # Prevent content type sniffing
+        X-Content-Type-Options nosniff
+        # XSS protection
+        X-XSS-Protection "1; mode=block"
+        # Referrer policy for privacy
+        Referrer-Policy strict-origin-when-cross-origin
+    }
+
+    # Logging
+    log {
+        output file /var/log/caddy/authentik_access.log
+    }
+
+    # Optional: Custom error pages
+    handle_errors {
+        respond "Authentication service temporarily unavailable" 503
+    }
+}
+
+# Rick-Infra: Containerized Authentik authentication service with Caddy reverse proxy