joakim/rick-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

WIP: Authentik role with Quadlet pod approach - debugging container service generation

Browse Source 
- Created authentik.pod file for proper pod definition
- Removed superfluous authentik-pod.container file
- Updated container templates to reference pod correctly
- Issue: Quadlet still reports 'pod authentik is not Quadlet based'
- Container services not being generated (only pod service works)
This commit is contained in:
Joakim
2025-11-26 23:24:09 +01:00
parent 500224b5de
commit df4ae0eb17
12 changed files with 921 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

227
roles/authentik/README.md Normal file
View File

@@ -0,0 +1,227 @@
# Authentik Role
Self-contained Authentik authentication server deployment using Podman and Unix sockets.
## Overview
This role deploys Authentik as a containerized authentication service with:
- **Unix socket IPC** for PostgreSQL and Valkey
- **Rootless Podman** with systemd integration via Quadlet
- **Self-contained permissions** management
- **Caddy reverse proxy** configuration
## Architecture
```
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ Caddy Proxy │ │ Authentik Pod │ │ Infrastructure │
│ │ │ │ │ │
│ auth.jnss.me │───▶│ ┌─────────────┐ │ │ PostgreSQL │
│ :443 │ │ │ Server │ │◄──▶│ (Unix Socket) │
│ │ │ │ :9443 │ │ │ │
│ │ │ └─────────────┘ │ │ Valkey │
│ │ │ ┌─────────────┐ │◄──▶│ (Unix Socket) │
│ │ │ │ Worker │ │ │ │
│ │ │ └─────────────┘ │ │ │
└─────────────────┘ └─────────────────┘ └─────────────────┘
```
## Dependencies
- `postgresql` role (provides Unix socket infrastructure)
- `valkey` role (provides Unix socket infrastructure)
- `podman` role (provides container runtime)
- `caddy` role (provides reverse proxy infrastructure)
## Configuration
### Required Variables
```yaml
# Domain configuration
authentik_domain: "auth.jnss.me"
# Database credentials
authentik_db_password: "{{ vault_authentik_db_password }}"
authentik_secret_key: "{{ vault_authentik_secret_key }}"
authentik_default_admin_password: "{{ vault_authentik_admin_password }}"
# Infrastructure socket enablement
postgresql_unix_socket_enabled: true
valkey_unix_socket_enabled: true
```
### Optional Variables
```yaml
# Service configuration
authentik_service_enabled: true
authentik_service_state: "started"
# Container version
authentik_version: "latest"
# Email configuration
authentik_email_enabled: false
authentik_email_host: "smtp.example.com"
```
## Vault Variables Required
```yaml
# Database password
vault_authentik_db_password: "secure_db_password"
# Authentik secret key (generate with: openssl rand -base64 32)
vault_authentik_secret_key: "long_random_secret_key"
# Admin user password
vault_authentik_admin_password: "secure_admin_password"
# Existing infrastructure passwords
vault_valkey_password: "valkey_password"
```
## Usage
### Basic Deployment
```yaml
- hosts: auth_servers
roles:
- postgresql
- valkey
- podman
- caddy
- authentik
```
### With Tags
```yaml
# Deploy only database setup
ansible-playbook site.yml -t database
# Deploy only containers
ansible-playbook site.yml -t containers
# Deploy only Caddy config
ansible-playbook site.yml -t caddy
```
## File Structure
```
authentik/
├── defaults/main.yml # Default variables
├── handlers/main.yml # Service handlers
├── meta/main.yml # Role dependencies
├── tasks/
│ ├── main.yml # Main orchestration
│ ├── database.yml # Database setup
│ └── cache.yml # Cache setup
├── templates/
│ ├── authentik.env.j2 # Environment variables
│ ├── authentik.caddy.j2 # Caddy configuration
│ ├── authentik-pod.container # Pod Quadlet file
│ ├── authentik-server.container # Server Quadlet file
│ └── authentik-worker.container # Worker Quadlet file
└── README.md
```
## Systemd Services
The role creates the following systemd services:
- `authentik-pod.service` - Main pod container
- `authentik-server.service` - Web server container
- `authentik-worker.service` - Background worker container
## Networking
- **External**: HTTPS via Caddy on port 443
- **Internal**: Containers bind to `127.0.0.1:9000` (HTTP) and `127.0.0.1:9443` (HTTPS)
- **Database**: Unix socket at `/var/run/postgresql/.s.PGSQL.5432`
- **Cache**: Unix socket at `/var/run/valkey/valkey.sock`
## Security Features
- **Rootless containers** via Podman
- **Unix socket IPC** eliminates network exposure
- **User isolation** with dedicated `authentik` system user
- **Group-based socket access** for PostgreSQL and Valkey
- **TLS termination** at Caddy proxy
- **Security headers** configured in Caddy
## Troubleshooting
### Check Service Status
```bash
systemctl status authentik-pod
systemctl status authentik-server
systemctl status authentik-worker
```
### Check Logs
```bash
journalctl -u authentik-server -f
journalctl -u authentik-worker -f
```
### Check Socket Connectivity
```bash
# Test PostgreSQL socket
sudo -u authentik psql -h /var/run/postgresql -U authentik authentik
# Test Valkey socket
sudo -u authentik redis-cli -s /var/run/valkey/valkey.sock -n 1 ping
```
### Verify Container Status
```bash
podman --user authentik pod ps
podman --user authentik ps
```
## Post-Deployment
1. **Access Web Interface**: Navigate to `https://auth.jnss.me`
2. **Login**: Use admin credentials from vault variables
3. **Configure Providers**: Set up OAuth2/SAML providers for services
4. **Create Applications**: Configure applications for SSO integration
## Maintenance
### Update Containers
```yaml
# Update to specific version
authentik_version: "2024.2.0"
```
### Backup Data
Important directories to backup:
- `{{ authentik_data_dir }}` - Application data
- `{{ authentik_media_dir }}` - Uploaded media
- PostgreSQL database dump
- Vault variables
## Integration Examples
### Protect Service with Authentik
```caddy
service.example.com {
forward_auth https://auth.jnss.me {
uri /outpost.goauthentik.io/auth/caddy
copy_headers Remote-User Remote-Name Remote-Email Remote-Groups
}
reverse_proxy localhost:8080
}
```

110
roles/authentik/defaults/main.yml Normal file
View File

@@ -0,0 +1,110 @@
---
# =================================================================
# Authentik Authentication Role - Default Variables
# =================================================================
# Self-contained Authentik deployment with Podman and Unix sockets
# =================================================================
# Service Configuration
# =================================================================
# Service user and directories
authentik_user: authentik
authentik_group: authentik
authentik_home: /opt/authentik
authentik_data_dir: "{{ authentik_home }}/data"
authentik_media_dir: "{{ authentik_home }}/media"
# Container configuration
authentik_version: "latest"
authentik_image: "ghcr.io/goauthentik/authentik"
# Service management
authentik_service_enabled: true
authentik_service_state: "started"
# =================================================================
# Database Configuration (Self-managed)
# =================================================================
authentik_db_name: "authentik"
authentik_db_user: "authentik"
authentik_db_password: "{{ vault_authentik_db_password }}"
# =================================================================
# Cache Configuration (Self-managed)
# =================================================================
authentik_valkey_db: 1 # Use database 1 for Authentik
# =================================================================
# Network Configuration
# =================================================================
authentik_domain: "auth.jnss.me"
authentik_http_port: 9000
authentik_https_port: 9443
authentik_bind_address: "127.0.0.1"
# =================================================================
# Authentik Core Configuration
# =================================================================
authentik_secret_key: "{{ vault_authentik_secret_key }}"
authentik_log_level: "info"
authentik_error_reporting: false
# =================================================================
# Email Configuration (Optional)
# =================================================================
authentik_email_enabled: false
authentik_email_host: ""
authentik_email_port: 587
authentik_email_username: ""
authentik_email_password: "{{ vault_authentik_email_password | default('') }}"
authentik_email_tls: true
authentik_email_from: "authentik@{{ authentik_domain }}"
# =================================================================
# Security Configuration
# =================================================================
# Default admin user (created during deployment)
authentik_default_admin_email: "admin@{{ authentik_domain }}"
authentik_default_admin_password: "{{ vault_authentik_admin_password }}"
# =================================================================
# Podman Pod Configuration
# =================================================================
# Pod service name is simply "authentik" (generated from authentik.pod)
authentik_container_server_name: "authentik-server"
authentik_container_worker_name: "authentik-worker"
# Quadlet service directories (USER SCOPE)
authentik_quadlet_dir: "{{ authentik_user_quadlet_dir }}"
authentik_user_quadlet_dir: "{{ authentik_home }}/.config/containers/systemd"
# User session variables (set dynamically during deployment)
authentik_uid: ""
# =================================================================
# Caddy Integration
# =================================================================
# Caddy configuration (assumes caddy role provides these variables)
caddy_sites_enabled_dir: "/etc/caddy/sites-enabled"
caddy_log_dir: "/var/log/caddy"
caddy_user: "caddy"
# =================================================================
# Infrastructure Dependencies (Read-only)
# =================================================================
# PostgreSQL socket configuration (managed by postgresql role)
postgresql_unix_socket_directories: "/var/run/postgresql"
# Valkey socket configuration (managed by valkey role)
valkey_unix_socket_path: "/var/run/valkey/valkey.sock"
valkey_password: "{{ vault_valkey_password }}"

78
roles/authentik/handlers/main.yml Normal file
View File

@@ -0,0 +1,78 @@
---
# Authentik Service Handlers (User Scope)
- name: reload systemd user
systemd:
daemon_reload: true
scope: user
become: true
become_user: "{{ authentik_user }}"
environment:
XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
- name: reload caddy
systemd:
name: caddy
state: reloaded
- name: restart authentik pod
systemd:
name: "authentik-pod"
state: restarted
scope: user
daemon_reload: true
become: true
become_user: "{{ authentik_user }}"
environment:
XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
- name: restart authentik server
systemd:
name: "{{ authentik_container_server_name }}"
state: restarted
scope: user
daemon_reload: true
become: true
become_user: "{{ authentik_user }}"
environment:
XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
- name: restart authentik worker
systemd:
name: "{{ authentik_container_worker_name }}"
state: restarted
scope: user
daemon_reload: true
become: true
become_user: "{{ authentik_user }}"
environment:
XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
- name: stop authentik services
systemd:
name: "{{ item }}"
state: stopped
scope: user
become: true
become_user: "{{ authentik_user }}"
environment:
XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
loop:
- "{{ authentik_container_worker_name }}"
- "{{ authentik_container_server_name }}"
- "authentik-pod"
- name: start authentik services
systemd:
name: "{{ item }}"
state: started
scope: user
daemon_reload: true
become: true
become_user: "{{ authentik_user }}"
environment:
XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
loop:
- "authentik-pod"
- "{{ authentik_container_server_name }}"
- "{{ authentik_container_worker_name }}"

10
roles/authentik/meta/main.yml Normal file
View File

@@ -0,0 +1,10 @@
---
# Authentik Role Dependencies
dependencies:
- role: postgresql
- role: valkey
- role: podman
- role: caddy
# No modifications to infrastructure roles required
# Authentik role is completely self-contained

70
roles/authentik/tasks/cache.yml Normal file
View File

@@ -0,0 +1,70 @@
---
# Cache setup for Authentik - Self-contained socket permissions
- name: Add authentik user to valkey group for socket access
user:
name: "{{ authentik_user }}"
groups: valkey
append: true
- name: Ensure authentik can access Valkey socket directory
file:
path: "{{ valkey_unix_socket_path | dirname }}"
mode: '0770'
group: valkey
become: true
- name: Test Valkey socket connectivity
command: >
redis-cli -s {{ valkey_unix_socket_path }}
-a {{ valkey_password }}
-n {{ authentik_valkey_db }}
ping
become: true
become_user: "{{ authentik_user }}"
register: valkey_socket_test
failed_when: valkey_socket_test.stdout != "PONG"
changed_when: false
- name: Configure Authentik Valkey database
command: >
redis-cli -s {{ valkey_unix_socket_path }}
-a {{ valkey_password }}
-n {{ authentik_valkey_db }}
CONFIG SET save ""
become: true
become_user: "{{ authentik_user }}"
register: valkey_config_result
changed_when: true
- name: Verify Authentik can write to Valkey database
command: >
redis-cli -s {{ valkey_unix_socket_path }}
-a {{ valkey_password }}
-n {{ authentik_valkey_db }}
SET authentik:healthcheck "{{ ansible_date_time.iso8601 }}"
become: true
become_user: "{{ authentik_user }}"
register: valkey_write_test
changed_when: false
- name: Clean up Valkey test key
command: >
redis-cli -s {{ valkey_unix_socket_path }}
-a {{ valkey_password }}
-n {{ authentik_valkey_db }}
DEL authentik:healthcheck
become: true
become_user: "{{ authentik_user }}"
changed_when: false
- name: Display cache setup status
debug:
msg: |
✅ Authentik cache setup complete!
🗄️ Cache DB: {{ authentik_valkey_db }}
🔌 Connection: Unix socket ({{ valkey_unix_socket_path }})
📊 Test: {{ valkey_socket_test.stdout }}
🏗️ Ready for Authentik container deployment

62
roles/authentik/tasks/database.yml Normal file
View File

@@ -0,0 +1,62 @@
---
# Database setup for Authentik - Self-contained socket permissions
- name: Add authentik user to postgres group for socket access
user:
name: "{{ authentik_user }}"
groups: postgres
append: true
- name: Ensure authentik can access PostgreSQL socket directory
file:
path: "{{ postgresql_unix_socket_directories }}"
mode: '0770'
group: postgres
become: true
- name: Test PostgreSQL socket connectivity
postgresql_ping:
login_unix_socket: "{{ postgresql_unix_socket_directories }}"
login_user: "{{ authentik_user }}"
become: true
become_user: "{{ authentik_user }}"
- name: Create Authentik database user via socket
postgresql_user:
name: "{{ authentik_db_user }}"
password: "{{ authentik_db_password }}"
login_unix_socket: "{{ postgresql_unix_socket_directories }}"
login_user: postgres
become: true
become_user: postgres
- name: Create Authentik database via socket
postgresql_db:
name: "{{ authentik_db_name }}"
owner: "{{ authentik_db_user }}"
login_unix_socket: "{{ postgresql_unix_socket_directories }}"
login_user: postgres
become: true
become_user: postgres
- name: Grant Authentik database privileges
postgresql_privs:
db: "{{ authentik_db_name }}"
privs: ALL
type: database
role: "{{ authentik_db_user }}"
login_unix_socket: "{{ postgresql_unix_socket_directories }}"
login_user: postgres
become: true
become_user: postgres
- name: Display database setup status
debug:
msg: |
✅ Authentik database setup complete!
📊 Database: {{ authentik_db_name }}
👤 User: {{ authentik_db_user }}
🔌 Connection: Unix socket ({{ postgresql_unix_socket_directories }})
🏗️ Ready for Authentik container deployment

215
roles/authentik/tasks/main.yml Normal file
View File

@@ -0,0 +1,215 @@
---
# Authentik Authentication Role - Main Tasks
# Self-contained deployment with Podman and Unix sockets
- name: Create authentik group
group:
name: "{{ authentik_group }}"
system: true
- name: Create authentik system user
user:
name: "{{ authentik_user }}"
system: true
shell: /bin/bash
home: "{{ authentik_home }}"
create_home: true
group: "{{ authentik_group }}"
- name: Create authentik directories
file:
path: "{{ item }}"
state: directory
owner: "{{ authentik_user }}"
group: "{{ authentik_group }}"
mode: '0755'
loop:
- "{{ authentik_home }}"
- "{{ authentik_data_dir }}"
- "{{ authentik_media_dir }}"
- "{{ authentik_user_quadlet_dir }}"
- name: Get authentik user UID
getent:
database: passwd
key: "{{ authentik_user }}"
register: authentik_user_info
- name: Set authentik UID variable
set_fact:
authentik_uid: "{{ authentik_user_info.ansible_facts.getent_passwd[authentik_user][1] }}"
- name: Enable lingering for authentik user (services persist without login)
command: loginctl enable-linger {{ authentik_user }}
register: linger_result
changed_when: linger_result.rc == 0
- name: Ensure XDG runtime directory exists
file:
path: "/run/user/{{ authentik_uid }}"
state: directory
owner: "{{ authentik_user }}"
group: "{{ authentik_group }}"
mode: '0700'
- name: Setup database access and permissions
include_tasks: database.yml
tags: [database, setup]
- name: Setup cache access and permissions
include_tasks: cache.yml
tags: [cache, setup]
- name: Deploy environment configuration
template:
src: authentik.env.j2
dest: "{{ authentik_home }}/.env"
owner: "{{ authentik_user }}"
group: "{{ authentik_group }}"
mode: '0600'
backup: true
notify:
- restart authentik pod
- restart authentik server
- restart authentik worker
tags: [config]
- name: Create Quadlet systemd directory (user scope)
file:
path: "{{ authentik_quadlet_dir }}"
state: directory
owner: "{{ authentik_user }}"
group: "{{ authentik_group }}"
mode: '0755'
- name: Deploy Quadlet pod and container files (user scope)
template:
src: "{{ item.src }}"
dest: "{{ authentik_quadlet_dir }}/{{ item.dest }}"
owner: "{{ authentik_user }}"
group: "{{ authentik_group }}"
mode: '0644'
loop:
- { src: 'authentik.pod', dest: 'authentik.pod' }
- { src: 'authentik-server.container', dest: 'authentik-server.container' }
- { src: 'authentik-worker.container', dest: 'authentik-worker.container' }
become: true
become_user: "{{ authentik_user }}"
notify:
- reload systemd user
- restart authentik pod
- restart authentik server
- restart authentik worker
tags: [containers, deployment]
- name: Deploy Caddy configuration
template:
src: authentik.caddy.j2
dest: "{{ caddy_sites_enabled_dir }}/authentik.caddy"
owner: root
group: "{{ caddy_user }}"
mode: '0644'
backup: true
notify: reload caddy
tags: [caddy, reverse-proxy]
- name: Ensure system dependencies are running
systemd:
name: "{{ item }}"
state: started
loop:
- postgresql
- valkey
register: system_deps
- name: Wait for PostgreSQL socket to be ready
wait_for:
path: "{{ postgresql_unix_socket_directories }}/.s.PGSQL.{{ postgresql_port }}"
timeout: 30
when: postgresql_unix_socket_enabled
- name: Wait for Valkey socket to be ready
wait_for:
path: "{{ valkey_unix_socket_path }}"
timeout: 30
when: valkey_unix_socket_enabled
- name: Reload systemd daemon for Quadlet (user scope)
systemd:
daemon_reload: true
scope: user
become: true
become_user: "{{ authentik_user }}"
environment:
XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
tags: [containers, deployment]
- name: Enable and start Authentik pod (user scope)
systemd:
name: "authentik-pod"
enabled: "{{ authentik_service_enabled }}"
state: "{{ authentik_service_state }}"
scope: user
daemon_reload: true
become: true
become_user: "{{ authentik_user }}"
environment:
XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
tags: [containers, service]
- name: Enable and start Authentik server (user scope)
systemd:
name: "{{ authentik_container_server_name }}"
enabled: "{{ authentik_service_enabled }}"
state: "{{ authentik_service_state }}"
scope: user
daemon_reload: true
become: true
become_user: "{{ authentik_user }}"
environment:
XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
tags: [containers, service]
- name: Enable and start Authentik worker (user scope)
systemd:
name: "{{ authentik_container_worker_name }}"
enabled: "{{ authentik_service_enabled }}"
state: "{{ authentik_service_state }}"
scope: user
daemon_reload: true
become: true
become_user: "{{ authentik_user }}"
environment:
XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
tags: [containers, service]
- name: Wait for Authentik to be ready
uri:
url: "https://{{ authentik_domain }}/if/health/live/"
method: GET
status_code: [200]
timeout: 30
validate_certs: true
retries: 10
delay: 30
register: authentik_health_check
tags: [verification, health-check]
- name: Display Authentik deployment status
debug:
msg: |
✅ Authentik Authentication deployed successfully!
🌐 Domain: {{ authentik_domain }}
🗄️ Database: {{ authentik_db_name }} (Unix socket)
🗄️ Cache: Valkey DB {{ authentik_valkey_db }} (Unix socket)
🐳 Containers: Pod with server + worker
🔒 Admin: {{ authentik_default_admin_email }}
🚀 Ready for SSO configuration!
📋 Next Steps:
- Access {{ authentik_domain }} to complete setup
- Configure applications and providers
- Set up SSO for services
tags: [verification]

25
roles/authentik/templates/authentik-server.container Normal file
View File

@@ -0,0 +1,25 @@
[Unit]
Description=Authentik Server Container
After=authentik-pod.service
Requires=authentik-pod.service
[Container]
ContainerName={{ authentik_container_server_name }}
Image={{ authentik_image }}:{{ authentik_version }}
Pod=authentik
EnvironmentFile={{ authentik_home }}/.env
# Volume mounts for data and sockets
Volume={{ authentik_media_dir }}:/media
Volume={{ authentik_data_dir }}:/data
Volume={{ postgresql_unix_socket_directories }}:{{ postgresql_unix_socket_directories }}:Z
Volume={{ valkey_unix_socket_path | dirname }}:{{ valkey_unix_socket_path | dirname }}:Z
Exec=server
[Service]
Restart=always
TimeoutStartSec=300
[Install]
WantedBy=default.target

25
roles/authentik/templates/authentik-worker.container Normal file
View File

@@ -0,0 +1,25 @@
[Unit]
Description=Authentik Worker Container
After=authentik-pod.service
Requires=authentik-pod.service
[Container]
ContainerName={{ authentik_container_worker_name }}
Image={{ authentik_image }}:{{ authentik_version }}
Pod=authentik
EnvironmentFile={{ authentik_home }}/.env
# Volume mounts for data and sockets
Volume={{ authentik_media_dir }}:/media
Volume={{ authentik_data_dir }}:/data
Volume={{ postgresql_unix_socket_directories }}:{{ postgresql_unix_socket_directories }}:Z
Volume={{ valkey_unix_socket_path | dirname }}:{{ valkey_unix_socket_path | dirname }}:Z
Exec=worker
[Service]
Restart=always
TimeoutStartSec=300
[Install]
WantedBy=default.target

41
roles/authentik/templates/authentik.caddy.j2 Normal file
View File

@@ -0,0 +1,41 @@
# Authentik Authentication Service
{{ authentik_domain }} {
reverse_proxy https://{{ authentik_bind_address }}:{{ authentik_https_port }} {
transport http {
tls_insecure_skip_verify
}
header_up Host {upstream_hostport}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-Proto https
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Host {host}
# Health check
health_uri /if/health/live/
health_timeout 10s
health_interval 30s
health_status 200
}
# Security headers
header {
X-Frame-Options SAMEORIGIN
X-Content-Type-Options nosniff
X-XSS-Protection "1; mode=block"
Referrer-Policy strict-origin-when-cross-origin
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
}
# Authentik-specific paths
handle_path /outpost.goauthentik.io/* {
reverse_proxy https://{{ authentik_bind_address }}:{{ authentik_https_port }}
}
# Logging
log {
output file {{ caddy_log_dir }}/authentik.log
level INFO
format json
}
}

43
roles/authentik/templates/authentik.env.j2 Normal file
View File

@@ -0,0 +1,43 @@
# Authentik Configuration - Unix Socket IPC
# Generated by Ansible - DO NOT EDIT
# PostgreSQL Configuration (Unix Socket)
AUTHENTIK_POSTGRESQL__HOST={{ postgresql_unix_socket_directories }}
AUTHENTIK_POSTGRESQL__NAME={{ authentik_db_name }}
AUTHENTIK_POSTGRESQL__USER={{ authentik_db_user }}
AUTHENTIK_POSTGRESQL__PASSWORD={{ authentik_db_password }}
# No port needed for Unix socket
# Valkey/Redis Configuration (Unix Socket)
AUTHENTIK_REDIS__HOST=unix://{{ valkey_unix_socket_path }}
AUTHENTIK_REDIS__PASSWORD={{ valkey_password }}
AUTHENTIK_REDIS__DB={{ authentik_valkey_db }}
# No port needed for Unix socket
# Authentik Core Configuration
AUTHENTIK_SECRET_KEY={{ authentik_secret_key }}
AUTHENTIK_LOG_LEVEL={{ authentik_log_level }}
AUTHENTIK_ERROR_REPORTING__ENABLED={{ authentik_error_reporting | lower }}
# Security Configuration
AUTHENTIK_COOKIE_DOMAIN={{ authentik_domain }}
AUTHENTIK_DISABLE_UPDATE_CHECK=true
AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
# Network binding
AUTHENTIK_LISTEN__HTTP={{ authentik_bind_address }}:{{ authentik_http_port }}
AUTHENTIK_LISTEN__HTTPS={{ authentik_bind_address }}:{{ authentik_https_port }}
{% if authentik_email_enabled %}
# Email Configuration
AUTHENTIK_EMAIL__HOST={{ authentik_email_host }}
AUTHENTIK_EMAIL__PORT={{ authentik_email_port }}
AUTHENTIK_EMAIL__USERNAME={{ authentik_email_username }}
AUTHENTIK_EMAIL__PASSWORD={{ authentik_email_password }}
AUTHENTIK_EMAIL__USE_TLS={{ authentik_email_tls | lower }}
AUTHENTIK_EMAIL__FROM={{ authentik_email_from }}
{% endif %}
# Default admin user
AUTHENTIK_BOOTSTRAP_PASSWORD={{ authentik_default_admin_password }}
AUTHENTIK_BOOTSTRAP_EMAIL={{ authentik_default_admin_email }}

15
roles/authentik/templates/authentik.pod Normal file
View File

@@ -0,0 +1,15 @@
[Unit]
Description=Authentik Authentication Pod
[Pod]
PodName=authentik
PublishPort={{ authentik_bind_address }}:{{ authentik_http_port }}:{{ authentik_http_port }}
PublishPort={{ authentik_bind_address }}:{{ authentik_https_port }}:{{ authentik_https_port }}
PodmanArgs=--userns=keep-id
[Service]
Restart=always
TimeoutStartSec=900
[Install]
WantedBy=default.target