Add Authentik SSO service and refactor Valkey configuration to use native tools and consolidated systemd service

roles/valkey/defaults/main.yml

@@ -19,7 +19,7 @@ valkey_port: 6379
 valkey_protected_mode: true
 
 # Authentication
-valkey_requirepass: "{{ vault_valkey_password }}"
+valkey_password: "{{ vault_valkey_password }}"
 
 # =================================================================
 # Performance Settings (Conservative Defaults)
@@ -45,8 +45,7 @@ valkey_appendonly: false  # RDB only for simplicity
 # Security Configuration
 # =================================================================
 
-# Systemd security hardening
-valkey_systemd_security: true
+# Security hardening is now built into the custom service file
 
 # Valkey security settings
 valkey_timeout: 300
@@ -85,4 +84,4 @@ valkey_syslog_ident: "valkey"
 # - VALKEY_DB: "1" (or 2, 3, etc. - unique per application)
 #
 # Note: Applications can also use REDIS_* environment variables
-# for compatibility since Valkey is fully Redis-compatible
+# for compatibility since Valkey is fully Redis-compatible

roles/valkey/tasks/main.yml

@@ -38,19 +38,12 @@
     backup: yes
   notify: restart valkey
 
-- name: Create systemd override directory for Valkey security
-  file:
-    path: /etc/systemd/system/valkey.service.d
-    state: directory
-    mode: '0755'
-  when: valkey_systemd_security
-
-- name: Deploy Valkey systemd security override
+- name: Deploy custom Valkey service file
   template:
-    src: systemd-override.conf.j2
-    dest: /etc/systemd/system/valkey.service.d/override.conf
+    src: valkey.service.j2
+    dest: /etc/systemd/system/valkey.service
     mode: '0644'
-  when: valkey_systemd_security
+    backup: yes
   notify:
     - reload systemd
     - restart valkey
@@ -70,7 +63,7 @@
   when: valkey_service_state == "started"
 
 - name: Test Valkey connectivity
-  command: redis-cli -h {{ valkey_bind }} -p {{ valkey_port }} -a {{ valkey_requirepass }} ping
+  command: valkey-cli -h {{ valkey_bind }} -p {{ valkey_port }} -a "{{ valkey_password }}" ping
   register: valkey_ping_result
   changed_when: false
   failed_when: valkey_ping_result.stdout != "PONG"

roles/valkey/templates/systemd-override.conf.j2

@@ -1,49 +0,0 @@
-# Redis Systemd Security Override
-# Generated by rick-infra Redis role
-#
-# This file provides additional security hardening for the Redis service
-# following the same security patterns as the PostgreSQL role.
-
-[Service]
-# Security hardening
-NoNewPrivileges=yes
-PrivateTmp=yes
-PrivateDevices=yes
-ProtectSystem=strict
-ProtectHome=yes
-ProtectKernelTunables=yes
-ProtectKernelModules=yes
-ProtectControlGroups=yes
-RestrictRealtime=yes
-RestrictSUIDSGID=yes
-
-# Network security
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
-
-# Filesystem permissions
-ReadWritePaths=/var/lib/valkey
-ReadOnlyPaths=/etc/valkey
-
-# System call filtering
-SystemCallFilter=@system-service
-SystemCallFilter=~@privileged @resources @obsolete
-
-# Memory and resource limits
-MemoryDenyWriteExecute=yes
-LockPersonality=yes
-
-# Capabilities
-CapabilityBoundingSet=
-AmbientCapabilities=
-
-# User and group isolation
-DynamicUser=no
-User=valkey
-Group=valkey
-
-# Process isolation
-PrivateUsers=yes
-RemoveIPC=yes
-
-# Additional Redis-specific security
-UMask=0027

roles/valkey/templates/valkey.conf.j2

@@ -31,7 +31,7 @@ tcp-keepalive {{ valkey_tcp_keepalive }}
 # =================================================================
 
 # Require password for all operations
-requirepass {{ valkey_requirepass }}
+requirepass {{ valkey_password }}
 
 # =================================================================
 # Memory Management
@@ -127,4 +127,4 @@ client-output-buffer-limit pubsub 32mb 8mb 60
 # - Database 3+: Future applications
 #
 # Connection example:
-# redis-cli -h {{ valkey_bind }} -p {{ valkey_port }} -a {{ valkey_requirepass }} -n 1
+# valkey-cli -h {{ valkey_bind }} -p {{ valkey_port }} -a {{ valkey_password }} -n 1

roles/valkey/templates/valkey.service.j2

@@ -0,0 +1,78 @@
+# Valkey Systemd Service
+# Generated by rick-infra Valkey role
+#
+# This service provides a secure, hardened Valkey instance with proper configuration loading
+
+[Unit]
+Description=Valkey (Redis-compatible) Key-Value Store
+Documentation=https://valkey.io/
+After=network.target
+Wants=network-online.target
+
+[Service]
+Type=notify
+User=valkey
+Group=valkey
+
+# Core service configuration - ensures config file is loaded
+ExecStart=/usr/bin/valkey-server /etc/valkey/valkey.conf --supervised systemd
+ExecReload=/bin/kill -USR2 $MAINPID
+
+# Restart configuration
+Restart=on-failure
+RestartSec=5s
+TimeoutStartSec=60
+TimeoutStopSec=60
+
+# Runtime directory
+RuntimeDirectory=valkey
+RuntimeDirectoryMode=755
+
+# Resource limits
+LimitNOFILE=10032
+
+# Security hardening
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=strict
+ProtectHome=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+
+# Network security
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+
+# Filesystem permissions
+ReadWritePaths=/var/lib/valkey
+ReadOnlyPaths=/etc/valkey
+
+# System call filtering
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources @obsolete
+
+# Memory and resource limits
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+
+# Capabilities (remove all unnecessary capabilities)
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+# Process isolation
+PrivateUsers=yes
+RemoveIPC=yes
+
+# Additional security
+UMask=0027
+
+# Ensure service stops cleanly
+KillMode=mixed
+KillSignal=SIGTERM
+
+[Install]
+WantedBy=multi-user.target
+Alias=redis.service