From df4ae0eb170a86b9ce20844fb5903b5c8424f180 Mon Sep 17 00:00:00 2001 From: Joakim Date: Wed, 26 Nov 2025 23:24:09 +0100 Subject: [PATCH] WIP: Authentik role with Quadlet pod approach - debugging container service generation - Created authentik.pod file for proper pod definition - Removed superfluous authentik-pod.container file - Updated container templates to reference pod correctly - Issue: Quadlet still reports 'pod authentik is not Quadlet based' - Container services not being generated (only pod service works) --- roles/authentik/README.md | 227 ++++++++++++++++++ roles/authentik/defaults/main.yml | 110 +++++++++ roles/authentik/handlers/main.yml | 78 ++++++ roles/authentik/meta/main.yml | 10 + roles/authentik/tasks/cache.yml | 70 ++++++ roles/authentik/tasks/database.yml | 62 +++++ roles/authentik/tasks/main.yml | 215 +++++++++++++++++ .../templates/authentik-server.container | 25 ++ .../templates/authentik-worker.container | 25 ++ roles/authentik/templates/authentik.caddy.j2 | 41 ++++ roles/authentik/templates/authentik.env.j2 | 43 ++++ roles/authentik/templates/authentik.pod | 15 ++ 12 files changed, 921 insertions(+) create mode 100644 roles/authentik/README.md create mode 100644 roles/authentik/defaults/main.yml create mode 100644 roles/authentik/handlers/main.yml create mode 100644 roles/authentik/meta/main.yml create mode 100644 roles/authentik/tasks/cache.yml create mode 100644 roles/authentik/tasks/database.yml create mode 100644 roles/authentik/tasks/main.yml create mode 100644 roles/authentik/templates/authentik-server.container create mode 100644 roles/authentik/templates/authentik-worker.container create mode 100644 roles/authentik/templates/authentik.caddy.j2 create mode 100644 roles/authentik/templates/authentik.env.j2 create mode 100644 roles/authentik/templates/authentik.pod diff --git a/roles/authentik/README.md b/roles/authentik/README.md new file mode 100644 index 0000000..d6105bc --- /dev/null +++ b/roles/authentik/README.md 
@@ -0,0 +1,227 @@ +# Authentik Role + +Self-contained Authentik authentication server deployment using Podman and Unix sockets. + +## Overview + +This role deploys Authentik as a containerized authentication service with: +- **Unix socket IPC** for PostgreSQL and Valkey +- **Rootless Podman** with systemd integration via Quadlet +- **Self-contained permissions** management +- **Caddy reverse proxy** configuration + +## Architecture + +``` +┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ +│ Caddy Proxy │ │ Authentik Pod │ │ Infrastructure │ +│ │ │ │ │ │ +│ auth.jnss.me │───▶│ ┌─────────────┐ │ │ PostgreSQL │ +│ :443 │ │ │ Server │ │◄──▶│ (Unix Socket) │ +│ │ │ │ :9443 │ │ │ │ +│ │ │ └─────────────┘ │ │ Valkey │ +│ │ │ ┌─────────────┐ │◄──▶│ (Unix Socket) │ +│ │ │ │ Worker │ │ │ │ +│ │ │ └─────────────┘ │ │ │ +└─────────────────┘ └─────────────────┘ └─────────────────┘ +``` + +## Dependencies + +- `postgresql` role (provides Unix socket infrastructure) +- `valkey` role (provides Unix socket infrastructure) +- `podman` role (provides container runtime) +- `caddy` role (provides reverse proxy infrastructure) + +## Configuration + +### Required Variables + +```yaml +# Domain configuration +authentik_domain: "auth.jnss.me" + +# Database credentials +authentik_db_password: "{{ vault_authentik_db_password }}" +authentik_secret_key: "{{ vault_authentik_secret_key }}" +authentik_default_admin_password: "{{ vault_authentik_admin_password }}" + +# Infrastructure socket enablement +postgresql_unix_socket_enabled: true +valkey_unix_socket_enabled: true +``` + +### Optional Variables + +```yaml +# Service configuration +authentik_service_enabled: true +authentik_service_state: "started" + +# Container version +authentik_version: "latest" + +# Email configuration +authentik_email_enabled: false +authentik_email_host: "smtp.example.com" +``` + +## Vault Variables Required + +```yaml +# Database password +vault_authentik_db_password: "secure_db_password" + +# Authentik 
secret key (generate with: openssl rand -base64 32) +vault_authentik_secret_key: "long_random_secret_key" + +# Admin user password +vault_authentik_admin_password: "secure_admin_password" + +# Existing infrastructure passwords +vault_valkey_password: "valkey_password" +``` + +## Usage + +### Basic Deployment + +```yaml +- hosts: auth_servers + roles: + - postgresql + - valkey + - podman + - caddy + - authentik +``` + +### With Tags + +```yaml +# Deploy only database setup +ansible-playbook site.yml -t database + +# Deploy only containers +ansible-playbook site.yml -t containers + +# Deploy only Caddy config +ansible-playbook site.yml -t caddy +``` + +## File Structure + +``` +authentik/ +├── defaults/main.yml # Default variables +├── handlers/main.yml # Service handlers +├── meta/main.yml # Role dependencies +├── tasks/ +│ ├── main.yml # Main orchestration +│ ├── database.yml # Database setup +│ └── cache.yml # Cache setup +├── templates/ +│ ├── authentik.env.j2 # Environment variables +│ ├── authentik.caddy.j2 # Caddy configuration +│ ├── authentik-pod.container # Pod Quadlet file +│ ├── authentik-server.container # Server Quadlet file +│ └── authentik-worker.container # Worker Quadlet file +└── README.md +``` + +## Systemd Services + +The role creates the following systemd services: + +- `authentik-pod.service` - Main pod container +- `authentik-server.service` - Web server container +- `authentik-worker.service` - Background worker container + +## Networking + +- **External**: HTTPS via Caddy on port 443 +- **Internal**: Containers bind to `127.0.0.1:9000` (HTTP) and `127.0.0.1:9443` (HTTPS) +- **Database**: Unix socket at `/var/run/postgresql/.s.PGSQL.5432` +- **Cache**: Unix socket at `/var/run/valkey/valkey.sock` + +## Security Features + +- **Rootless containers** via Podman +- **Unix socket IPC** eliminates network exposure +- **User isolation** with dedicated `authentik` system user +- **Group-based socket access** for PostgreSQL and Valkey +- **TLS 
termination** at Caddy proxy +- **Security headers** configured in Caddy + +## Troubleshooting + +### Check Service Status + +```bash +systemctl status authentik-pod +systemctl status authentik-server +systemctl status authentik-worker +``` + +### Check Logs + +```bash +journalctl -u authentik-server -f +journalctl -u authentik-worker -f +``` + +### Check Socket Connectivity + +```bash +# Test PostgreSQL socket +sudo -u authentik psql -h /var/run/postgresql -U authentik authentik + +# Test Valkey socket +sudo -u authentik redis-cli -s /var/run/valkey/valkey.sock -n 1 ping +``` + +### Verify Container Status + +```bash +podman --user authentik pod ps +podman --user authentik ps +``` + +## Post-Deployment + +1. **Access Web Interface**: Navigate to `https://auth.jnss.me` +2. **Login**: Use admin credentials from vault variables +3. **Configure Providers**: Set up OAuth2/SAML providers for services +4. **Create Applications**: Configure applications for SSO integration + +## Maintenance + +### Update Containers + +```yaml +# Update to specific version +authentik_version: "2024.2.0" +``` + +### Backup Data + +Important directories to backup: +- `{{ authentik_data_dir }}` - Application data +- `{{ authentik_media_dir }}` - Uploaded media +- PostgreSQL database dump +- Vault variables + +## Integration Examples + +### Protect Service with Authentik + +```caddy +service.example.com { + forward_auth https://auth.jnss.me { + uri /outpost.goauthentik.io/auth/caddy + copy_headers Remote-User Remote-Name Remote-Email Remote-Groups + } + + reverse_proxy localhost:8080 +} +``` \ No newline at end of file diff --git a/roles/authentik/defaults/main.yml b/roles/authentik/defaults/main.yml new file mode 100644 index 0000000..b031a3f --- /dev/null +++ b/roles/authentik/defaults/main.yml 
@@ -0,0 +1,110 @@ +--- +# ================================================================= +# Authentik Authentication Role - Default Variables +# ================================================================= +# Self-contained Authentik deployment with Podman and Unix sockets + +# ================================================================= +# Service Configuration +# ================================================================= + +# Service user and directories +authentik_user: authentik +authentik_group: authentik +authentik_home: /opt/authentik +authentik_data_dir: "{{ authentik_home }}/data" +authentik_media_dir: "{{ authentik_home }}/media" + +# Container configuration +authentik_version: "latest" +authentik_image: "ghcr.io/goauthentik/authentik" + +# Service management +authentik_service_enabled: true +authentik_service_state: "started" + +# ================================================================= +# Database Configuration (Self-managed) +# ================================================================= + +authentik_db_name: "authentik" +authentik_db_user: "authentik" +authentik_db_password: "{{ vault_authentik_db_password }}" + +# ================================================================= +# Cache Configuration (Self-managed) +# ================================================================= + +authentik_valkey_db: 1 # Use database 1 for Authentik + +# ================================================================= +# Network Configuration +# ================================================================= + +authentik_domain: "auth.jnss.me" +authentik_http_port: 9000 +authentik_https_port: 9443 +authentik_bind_address: "127.0.0.1" + +# ================================================================= +# Authentik Core Configuration +# ================================================================= + +authentik_secret_key: "{{ vault_authentik_secret_key }}" +authentik_log_level: "info" +authentik_error_reporting: false 
+ +# ================================================================= +# Email Configuration (Optional) +# ================================================================= + +authentik_email_enabled: false +authentik_email_host: "" +authentik_email_port: 587 +authentik_email_username: "" +authentik_email_password: "{{ vault_authentik_email_password | default('') }}" +authentik_email_tls: true +authentik_email_from: "authentik@{{ authentik_domain }}" + +# ================================================================= +# Security Configuration +# ================================================================= + +# Default admin user (created during deployment) +authentik_default_admin_email: "admin@{{ authentik_domain }}" +authentik_default_admin_password: "{{ vault_authentik_admin_password }}" + +# ================================================================= +# Podman Pod Configuration +# ================================================================= + +# Pod service name is simply "authentik" (generated from authentik.pod) +authentik_container_server_name: "authentik-server" +authentik_container_worker_name: "authentik-worker" + +# Quadlet service directories (USER SCOPE) +authentik_quadlet_dir: "{{ authentik_user_quadlet_dir }}" +authentik_user_quadlet_dir: "{{ authentik_home }}/.config/containers/systemd" + +# User session variables (set dynamically during deployment) +authentik_uid: "" + +# ================================================================= +# Caddy Integration +# ================================================================= + +# Caddy configuration (assumes caddy role provides these variables) +caddy_sites_enabled_dir: "/etc/caddy/sites-enabled" +caddy_log_dir: "/var/log/caddy" +caddy_user: "caddy" + +# ================================================================= +# Infrastructure Dependencies (Read-only) +# ================================================================= + +# PostgreSQL socket configuration (managed by 
postgresql role) +postgresql_unix_socket_directories: "/var/run/postgresql" + +# Valkey socket configuration (managed by valkey role) +valkey_unix_socket_path: "/var/run/valkey/valkey.sock" +valkey_password: "{{ vault_valkey_password }}" \ No newline at end of file diff --git a/roles/authentik/handlers/main.yml b/roles/authentik/handlers/main.yml new file mode 100644 index 0000000..a424c1e --- /dev/null +++ b/roles/authentik/handlers/main.yml 
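Review bot: The comment `# Pod service name is simply "authentik" (generated from authentik.pod)` in the Podman Pod Configuration section contradicts handlers/main.yml and tasks/main.yml, which address the unit as `authentik-pod`; Quadlet derives `authentik-pod.service` from `authentik.pod`, so the handlers are right and the comment should read `# Quadlet generates authentik-pod.service from authentik.pod`. Adding `authentik_pod_service_name: "authentik-pod"` here would let the three handlers and the start task stop repeating the literal. `authentik_version: "latest"` leaves the identity provider on an unpinned tag, so every pull can silently change the code that holds `authentik_secret_key` and the bootstrap credentials; pinning a release by default (the README already shows `"2024.2.0"`) and letting operators opt into `latest` is the safer choice. This file also sets `valkey_password`, `caddy_user` and `caddy_sites_enabled_dir`, variables apparently owned by other roles; role defaults share one namespace, so a mismatch with the valkey or caddy role's own defaults would seemingly be resolved by load order, which deserves a comment or `authentik_`-prefixed names.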
@@ -0,0 +1,78 @@ +--- +# Authentik Service Handlers (User Scope) + +- name: reload systemd user + systemd: + daemon_reload: true + scope: user + become: true + become_user: "{{ authentik_user }}" + environment: + XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}" + +- name: reload caddy + systemd: + name: caddy + state: reloaded + +- name: restart authentik pod + systemd: + name: "authentik-pod" + state: restarted + scope: user + daemon_reload: true + become: true + become_user: "{{ authentik_user }}" + environment: + XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}" + +- name: restart authentik server + systemd: + name: "{{ authentik_container_server_name }}" + state: restarted + scope: user + daemon_reload: true + become: true + become_user: "{{ authentik_user }}" + environment: + XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}" + +- name: restart authentik worker + systemd: + name: "{{ authentik_container_worker_name }}" + state: restarted + scope: user + daemon_reload: true + become: true + become_user: "{{ authentik_user }}" + environment: + XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}" + +- name: stop authentik services + systemd: + name: "{{ item }}" + state: stopped + scope: user + become: true + become_user: "{{ authentik_user }}" + environment: + XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}" + loop: + - "{{ authentik_container_worker_name }}" + - "{{ authentik_container_server_name }}" + - "authentik-pod" + +- name: start authentik services + systemd: + name: "{{ item }}" + state: started + scope: user + daemon_reload: true + become: true + become_user: "{{ authentik_user }}" + environment: + XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}" + loop: + - "authentik-pod" + - "{{ authentik_container_server_name }}" + - "{{ authentik_container_worker_name }}" diff --git a/roles/authentik/meta/main.yml b/roles/authentik/meta/main.yml new file mode 100644 index 0000000..4698e5d --- /dev/null +++ b/roles/authentik/meta/main.yml 
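Review bot: The `restart authentik pod` handler is notified together with `restart authentik server` and `restart authentik worker` for every template change, yet restarting `authentik-pod` already restarts the containers because the container units declare `Requires=authentik-pod.service`, so the two container handlers perform a second cold start of each service within the same handler flush. Notifying only the pod handler for `.env` and quadlet changes, and reserving the container handlers for per-container changes, avoids the double restart. The `stop authentik services` and `start authentik services` handlers are not notified by any task in this commit; if they are meant for callers, a comment such as `# Not notified by this role; available for playbooks that need an ordered stop/start` would make that explicit.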
@@ -0,0 +1,10 @@
+---
+# Authentik Role Dependencies
+dependencies:
+ - role: postgresql
+ - role: valkey
+ - role: podman
+ - role: caddy
+
+# No modifications to infrastructure roles required
+# Authentik role is completely self-contained
\ No newline at end of file
diff --git a/roles/authentik/tasks/cache.yml b/roles/authentik/tasks/cache.yml
new file mode 100644
index 0000000..7df6a6e
--- /dev/null
+++ b/roles/authentik/tasks/cache.yml
@@ -0,0 +1,70 @@ +--- +# Cache setup for Authentik - Self-contained socket permissions + +- name: Add authentik user to valkey group for socket access + user: + name: "{{ authentik_user }}" + groups: valkey + append: true + +- name: Ensure authentik can access Valkey socket directory + file: + path: "{{ valkey_unix_socket_path | dirname }}" + mode: '0770' + group: valkey + become: true + +- name: Test Valkey socket connectivity + command: > + redis-cli -s {{ valkey_unix_socket_path }} + -a {{ valkey_password }} + -n {{ authentik_valkey_db }} + ping + become: true + become_user: "{{ authentik_user }}" + register: valkey_socket_test + failed_when: valkey_socket_test.stdout != "PONG" + changed_when: false + +- name: Configure Authentik Valkey database + command: > + redis-cli -s {{ valkey_unix_socket_path }} + -a {{ valkey_password }} + -n {{ authentik_valkey_db }} + CONFIG SET save "" + become: true + become_user: "{{ authentik_user }}" + register: valkey_config_result + changed_when: true + +- name: Verify Authentik can write to Valkey database + command: > + redis-cli -s {{ valkey_unix_socket_path }} + -a {{ valkey_password }} + -n {{ authentik_valkey_db }} + SET authentik:healthcheck "{{ ansible_date_time.iso8601 }}" + become: true + become_user: "{{ authentik_user }}" + register: valkey_write_test + changed_when: false + +- name: Clean up Valkey test key + command: > + redis-cli -s {{ valkey_unix_socket_path }} + -a {{ valkey_password }} + -n {{ authentik_valkey_db }} + DEL authentik:healthcheck + become: true + become_user: "{{ authentik_user }}" + changed_when: false + +- name: Display cache setup status + debug: + msg: | + ✅ Authentik cache setup complete! + + 🗄️ Cache DB: {{ authentik_valkey_db }} + 🔌 Connection: Unix socket ({{ valkey_unix_socket_path }}) + 📊 Test: {{ valkey_socket_test.stdout }} + + 🏗️ Ready for Authentik container deployment \ No newline at end of file 
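Review bot: Every `redis-cli` invocation in this hunk passes `-a {{ valkey_password }}` on the command line, so the Valkey password is visible in the process list while the command runs and is written into the Ansible task output and any log of the play. redis-cli reads `REDISCLI_AUTH` from the environment, so the tasks can drop `-a` and supply the password via `environment:`, and `no_log: true` keeps the registered results from echoing it back. Separately, `CONFIG SET save ""` in the `Configure Authentik Valkey database` task is instance-wide: `-n {{ authentik_valkey_db }}` only selects the logical database, so this disables RDB snapshots for every application sharing the Valkey server and reports changed on each run; if persistence should be off, that belongs in the valkey role's configuration. Below is the connectivity test rewritten this way; the same shape applies to the three other redis-cli tasks.
```yaml
- name: Test Valkey socket connectivity
  command: >
    redis-cli -s {{ valkey_unix_socket_path }}
    -n {{ authentik_valkey_db }}
    ping
  environment:
    REDISCLI_AUTH: "{{ valkey_password }}"
  become: true
  become_user: "{{ authentik_user }}"
  register: valkey_socket_test
  failed_when: valkey_socket_test.stdout != "PONG"
  changed_when: false
  no_log: true

# … unchanged: remaining tasks (apply the same environment/no_log pattern) …
```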
diff --git a/roles/authentik/tasks/database.yml b/roles/authentik/tasks/database.yml new file mode 100644 index 0000000..99b1ef5 --- /dev/null +++ b/roles/authentik/tasks/database.yml @@ -0,0 +1,62 @@ +--- +# Database setup for Authentik - Self-contained socket permissions + +- name: Add authentik user to postgres group for socket access + user: + name: "{{ authentik_user }}" + groups: postgres + append: true + +- name: Ensure authentik can access PostgreSQL socket directory + file: + path: "{{ postgresql_unix_socket_directories }}" + mode: '0770' + group: postgres + become: true + +- name: Test PostgreSQL socket connectivity + postgresql_ping: + login_unix_socket: "{{ postgresql_unix_socket_directories }}" + login_user: "{{ authentik_user }}" + become: true + become_user: "{{ authentik_user }}" + +- name: Create Authentik database user via socket + postgresql_user: + name: "{{ authentik_db_user }}" + password: "{{ authentik_db_password }}" + login_unix_socket: "{{ postgresql_unix_socket_directories }}" + login_user: postgres + become: true + become_user: postgres + +- name: Create Authentik database via socket + postgresql_db: + name: "{{ authentik_db_name }}" + owner: "{{ authentik_db_user }}" + login_unix_socket: "{{ postgresql_unix_socket_directories }}" + login_user: postgres + become: true + become_user: postgres + +- name: Grant Authentik database privileges + postgresql_privs: + db: "{{ authentik_db_name }}" + privs: ALL + type: database + role: "{{ authentik_db_user }}" + login_unix_socket: "{{ postgresql_unix_socket_directories }}" + login_user: postgres + become: true + become_user: postgres + +- name: Display database setup status + debug: + msg: | + ✅ Authentik database setup complete! + + 📊 Database: {{ authentik_db_name }} + 👤 User: {{ authentik_db_user }} + 🔌 Connection: Unix socket ({{ postgresql_unix_socket_directories }}) + + 🏗️ Ready for Authentik container deployment 
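Review bot: The `Test PostgreSQL socket connectivity` task pings as `login_user: "{{ authentik_user }}"` before the `Create Authentik database user via socket` task has created that role, so on a fresh host the connection is rejected for a nonexistent role; as far as I recall `postgresql_ping` does not fail on an unreachable server but only reports `is_available: false`, so the check passes silently either way. Move it after the user/database tasks and assert on the result, e.g. `register: pg_ping` with `failed_when: not pg_ping.is_available`, or ping as `postgres` if the intent is only to verify the socket. The `file` task forces `mode: '0770'` on `{{ postgresql_unix_socket_directories }}`; that directory is shared by every local PostgreSQL client, so tightening it to group-only access can break clients outside the `postgres` group, and making the authentik user a member of `postgres` also grants it whatever else that group can read on the host. A comment stating that this trade-off is intended would help, or keep the directory world-traversable and rely on pg_hba for access control.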
diff --git a/roles/authentik/tasks/main.yml b/roles/authentik/tasks/main.yml new file mode 100644 index 0000000..60212db --- /dev/null +++ b/roles/authentik/tasks/main.yml 
@@ -0,0 +1,215 @@ +--- +# Authentik Authentication Role - Main Tasks +# Self-contained deployment with Podman and Unix sockets + +- name: Create authentik group + group: + name: "{{ authentik_group }}" + system: true + +- name: Create authentik system user + user: + name: "{{ authentik_user }}" + system: true + shell: /bin/bash + home: "{{ authentik_home }}" + create_home: true + group: "{{ authentik_group }}" + +- name: Create authentik directories + file: + path: "{{ item }}" + state: directory + owner: "{{ authentik_user }}" + group: "{{ authentik_group }}" + mode: '0755' + loop: + - "{{ authentik_home }}" + - "{{ authentik_data_dir }}" + - "{{ authentik_media_dir }}" + - "{{ authentik_user_quadlet_dir }}" + +- name: Get authentik user UID + getent: + database: passwd + key: "{{ authentik_user }}" + register: authentik_user_info + +- name: Set authentik UID variable + set_fact: + authentik_uid: "{{ authentik_user_info.ansible_facts.getent_passwd[authentik_user][1] }}" + +- name: Enable lingering for authentik user (services persist without login) + command: loginctl enable-linger {{ authentik_user }} + register: linger_result + changed_when: linger_result.rc == 0 + +- name: Ensure XDG runtime directory exists + file: + path: "/run/user/{{ authentik_uid }}" + state: directory + owner: "{{ authentik_user }}" + group: "{{ authentik_group }}" + mode: '0700' + +- name: Setup database access and permissions + include_tasks: database.yml + tags: [database, setup] + +- name: Setup cache access and permissions + include_tasks: cache.yml + tags: [cache, setup] + +- name: Deploy environment configuration + template: + src: authentik.env.j2 + dest: "{{ authentik_home }}/.env" + owner: "{{ authentik_user }}" + group: "{{ authentik_group }}" + mode: '0600' + backup: true + notify: + - restart authentik pod + - restart authentik server + - restart authentik worker + tags: [config] + +- name: Create Quadlet systemd directory (user scope) + file: + path: "{{ 
authentik_quadlet_dir }}" + state: directory + owner: "{{ authentik_user }}" + group: "{{ authentik_group }}" + mode: '0755' + +- name: Deploy Quadlet pod and container files (user scope) + template: + src: "{{ item.src }}" + dest: "{{ authentik_quadlet_dir }}/{{ item.dest }}" + owner: "{{ authentik_user }}" + group: "{{ authentik_group }}" + mode: '0644' + loop: + - { src: 'authentik.pod', dest: 'authentik.pod' } + - { src: 'authentik-server.container', dest: 'authentik-server.container' } + - { src: 'authentik-worker.container', dest: 'authentik-worker.container' } + become: true + become_user: "{{ authentik_user }}" + notify: + - reload systemd user + - restart authentik pod + - restart authentik server + - restart authentik worker + tags: [containers, deployment] + +- name: Deploy Caddy configuration + template: + src: authentik.caddy.j2 + dest: "{{ caddy_sites_enabled_dir }}/authentik.caddy" + owner: root + group: "{{ caddy_user }}" + mode: '0644' + backup: true + notify: reload caddy + tags: [caddy, reverse-proxy] + +- name: Ensure system dependencies are running + systemd: + name: "{{ item }}" + state: started + loop: + - postgresql + - valkey + register: system_deps + +- name: Wait for PostgreSQL socket to be ready + wait_for: + path: "{{ postgresql_unix_socket_directories }}/.s.PGSQL.{{ postgresql_port }}" + timeout: 30 + when: postgresql_unix_socket_enabled + +- name: Wait for Valkey socket to be ready + wait_for: + path: "{{ valkey_unix_socket_path }}" + timeout: 30 + when: valkey_unix_socket_enabled + +- name: Reload systemd daemon for Quadlet (user scope) + systemd: + daemon_reload: true + scope: user + become: true + become_user: "{{ authentik_user }}" + environment: + XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}" + tags: [containers, deployment] + +- name: Enable and start Authentik pod (user scope) + systemd: + name: "authentik-pod" + enabled: "{{ authentik_service_enabled }}" + state: "{{ authentik_service_state }}" + scope: user + 
daemon_reload: true + become: true + become_user: "{{ authentik_user }}" + environment: + XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}" + tags: [containers, service] + +- name: Enable and start Authentik server (user scope) + systemd: + name: "{{ authentik_container_server_name }}" + enabled: "{{ authentik_service_enabled }}" + state: "{{ authentik_service_state }}" + scope: user + daemon_reload: true + become: true + become_user: "{{ authentik_user }}" + environment: + XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}" + tags: [containers, service] + +- name: Enable and start Authentik worker (user scope) + systemd: + name: "{{ authentik_container_worker_name }}" + enabled: "{{ authentik_service_enabled }}" + state: "{{ authentik_service_state }}" + scope: user + daemon_reload: true + become: true + become_user: "{{ authentik_user }}" + environment: + XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}" + tags: [containers, service] + +- name: Wait for Authentik to be ready + uri: + url: "https://{{ authentik_domain }}/if/health/live/" + method: GET + status_code: [200] + timeout: 30 + validate_certs: true + retries: 10 + delay: 30 + register: authentik_health_check + tags: [verification, health-check] + +- name: Display Authentik deployment status + debug: + msg: | + ✅ Authentik Authentication deployed successfully! + + 🌐 Domain: {{ authentik_domain }} + 🗄️ Database: {{ authentik_db_name }} (Unix socket) + 🗄️ Cache: Valkey DB {{ authentik_valkey_db }} (Unix socket) + 🐳 Containers: Pod with server + worker + 🔒 Admin: {{ authentik_default_admin_email }} + + 🚀 Ready for SSO configuration! + + 📋 Next Steps: + - Access {{ authentik_domain }} to complete setup + - Configure applications and providers + - Set up SSO for services + tags: [verification] diff --git a/roles/authentik/templates/authentik-server.container b/roles/authentik/templates/authentik-server.container new file mode 100644 index 0000000..6dd0784 --- /dev/null 
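Review bot: The three `Enable and start Authentik …` tasks set `enabled: "{{ authentik_service_enabled }}"` on Quadlet-generated units; systemd refuses `enable` for generated units (it reports the unit as transient or generated), so these tasks will likely fail before `state:` is applied, while the `[Install] WantedBy=default.target` in the .pod/.container files already provides boot-time activation. Dropping `enabled:` from the three tasks so that only `state:` is managed fixes this. `Enable lingering for authentik user` uses `changed_when: linger_result.rc == 0`, which reports changed on every run; `args: creates: /var/lib/systemd/linger/{{ authentik_user }}` makes the task idempotent and skips the command once lingering is on. The `Ensure XDG runtime directory exists` task creates `/run/user/{{ authentik_uid }}` as a plain directory, whereas that path is normally a tmpfs set up by systemd-logind once lingering is enabled; creating it by hand may conflict with logind, so waiting for logind to create it after `enable-linger` (for instance with `wait_for: path:`) seems safer.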
+++ b/roles/authentik/templates/authentik-server.container @@ -0,0 +1,25 @@ +[Unit] +Description=Authentik Server Container +After=authentik-pod.service +Requires=authentik-pod.service + +[Container] +ContainerName={{ authentik_container_server_name }} +Image={{ authentik_image }}:{{ authentik_version }} +Pod=authentik +EnvironmentFile={{ authentik_home }}/.env + +# Volume mounts for data and sockets +Volume={{ authentik_media_dir }}:/media +Volume={{ authentik_data_dir }}:/data +Volume={{ postgresql_unix_socket_directories }}:{{ postgresql_unix_socket_directories }}:Z +Volume={{ valkey_unix_socket_path | dirname }}:{{ valkey_unix_socket_path | dirname }}:Z + +Exec=server + +[Service] +Restart=always +TimeoutStartSec=300 + +[Install] +WantedBy=default.target diff --git a/roles/authentik/templates/authentik-worker.container b/roles/authentik/templates/authentik-worker.container new file mode 100644 index 0000000..091d416 --- /dev/null +++ b/roles/authentik/templates/authentik-worker.container @@ -0,0 +1,25 @@ +[Unit] +Description=Authentik Worker Container +After=authentik-pod.service +Requires=authentik-pod.service + +[Container] +ContainerName={{ authentik_container_worker_name }} +Image={{ authentik_image }}:{{ authentik_version }} +Pod=authentik +EnvironmentFile={{ authentik_home }}/.env + +# Volume mounts for data and sockets +Volume={{ authentik_media_dir }}:/media +Volume={{ authentik_data_dir }}:/data +Volume={{ postgresql_unix_socket_directories }}:{{ postgresql_unix_socket_directories }}:Z +Volume={{ valkey_unix_socket_path | dirname }}:{{ valkey_unix_socket_path | dirname }}:Z + +Exec=worker + +[Service] +Restart=always +TimeoutStartSec=300 + +[Install] +WantedBy=default.target diff --git a/roles/authentik/templates/authentik.caddy.j2 b/roles/authentik/templates/authentik.caddy.j2 new file mode 100644 index 0000000..1d56dd0 --- /dev/null +++ b/roles/authentik/templates/authentik.caddy.j2 
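Review bot: `Pod=authentik` in the `[Container]` section of authentik-server.container (and identically in authentik-worker.container) names the pod, but Quadlet's `Pod=` key expects the Quadlet unit file name, `Pod=authentik.pod`; with a bare name the generator cannot resolve the pod and drops the container unit, which matches the "pod authentik is not Quadlet based" message and the missing container services described in the commit. Once `Pod=` resolves, Quadlet adds the `After=`/`Requires=` on `authentik-pod.service` itself, so the explicit `[Unit]` lines can stay but are redundant. The socket mounts `Volume={{ postgresql_unix_socket_directories }}:…:Z` and the Valkey equivalent use `:Z`, which on an SELinux-enforcing host relabels the host directory with a container-private context, taking `/var/run/postgresql` and the Valkey socket directory away from the server processes and every other client; these two bind mounts should use `:z` (shared) or no relabel flag at all, with `:Z` reserved for the media and data directories owned by this role.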
@@ -0,0 +1,41 @@ +# Authentik Authentication Service +{{ authentik_domain }} { + reverse_proxy https://{{ authentik_bind_address }}:{{ authentik_https_port }} { + transport http { + tls_insecure_skip_verify + } + + header_up Host {upstream_hostport} + header_up X-Real-IP {remote_host} + header_up X-Forwarded-Proto https + header_up X-Forwarded-For {remote_host} + header_up X-Forwarded-Host {host} + + # Health check + health_uri /if/health/live/ + health_timeout 10s + health_interval 30s + health_status 200 + } + + # Security headers + header { + X-Frame-Options SAMEORIGIN + X-Content-Type-Options nosniff + X-XSS-Protection "1; mode=block" + Referrer-Policy strict-origin-when-cross-origin + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + } + + # Authentik-specific paths + handle_path /outpost.goauthentik.io/* { + reverse_proxy https://{{ authentik_bind_address }}:{{ authentik_https_port }} + } + + # Logging + log { + output file {{ caddy_log_dir }}/authentik.log + level INFO + format json + } +} \ No newline at end of file diff --git a/roles/authentik/templates/authentik.env.j2 b/roles/authentik/templates/authentik.env.j2 new file mode 100644 index 0000000..561ee8f --- /dev/null +++ b/roles/authentik/templates/authentik.env.j2 
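Review bot: `handle_path /outpost.goauthentik.io/*` strips the matched prefix before proxying, so outpost requests reach Authentik without `/outpost.goauthentik.io/` and the forward-auth endpoint the README relies on would 404; the block is also fully covered by the site-wide `reverse_proxy` above it, so it can be removed, or changed to `handle` if a separate block is wanted. `header_up Host {upstream_hostport}` rewrites the Host header to `127.0.0.1:9443`, so Authentik builds absolute URLs and host checks against the loopback address instead of `{{ authentik_domain }}`; Caddy's `reverse_proxy` already forwards the original Host plus X-Forwarded-For and X-Forwarded-Proto, so the `header_up` lines are unnecessary and the Host one is harmful. `X-XSS-Protection "1; mode=block"` is a deprecated header that current browsers ignore and older ones could misuse; dropping it, and adding a `Content-Security-Policy` if one is wanted, is the better hardening.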
@@ -0,0 +1,43 @@ +# Authentik Configuration - Unix Socket IPC +# Generated by Ansible - DO NOT EDIT + +# PostgreSQL Configuration (Unix Socket) +AUTHENTIK_POSTGRESQL__HOST={{ postgresql_unix_socket_directories }} +AUTHENTIK_POSTGRESQL__NAME={{ authentik_db_name }} +AUTHENTIK_POSTGRESQL__USER={{ authentik_db_user }} +AUTHENTIK_POSTGRESQL__PASSWORD={{ authentik_db_password }} +# No port needed for Unix socket + +# Valkey/Redis Configuration (Unix Socket) +AUTHENTIK_REDIS__HOST=unix://{{ valkey_unix_socket_path }} +AUTHENTIK_REDIS__PASSWORD={{ valkey_password }} +AUTHENTIK_REDIS__DB={{ authentik_valkey_db }} +# No port needed for Unix socket + +# Authentik Core Configuration +AUTHENTIK_SECRET_KEY={{ authentik_secret_key }} +AUTHENTIK_LOG_LEVEL={{ authentik_log_level }} +AUTHENTIK_ERROR_REPORTING__ENABLED={{ authentik_error_reporting | lower }} + +# Security Configuration +AUTHENTIK_COOKIE_DOMAIN={{ authentik_domain }} +AUTHENTIK_DISABLE_UPDATE_CHECK=true +AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true + +# Network binding +AUTHENTIK_LISTEN__HTTP={{ authentik_bind_address }}:{{ authentik_http_port }} +AUTHENTIK_LISTEN__HTTPS={{ authentik_bind_address }}:{{ authentik_https_port }} + +{% if authentik_email_enabled %} +# Email Configuration +AUTHENTIK_EMAIL__HOST={{ authentik_email_host }} +AUTHENTIK_EMAIL__PORT={{ authentik_email_port }} +AUTHENTIK_EMAIL__USERNAME={{ authentik_email_username }} +AUTHENTIK_EMAIL__PASSWORD={{ authentik_email_password }} +AUTHENTIK_EMAIL__USE_TLS={{ authentik_email_tls | lower }} +AUTHENTIK_EMAIL__FROM={{ authentik_email_from }} +{% endif %} + +# Default admin user +AUTHENTIK_BOOTSTRAP_PASSWORD={{ authentik_default_admin_password }} +AUTHENTIK_BOOTSTRAP_EMAIL={{ authentik_default_admin_email }} \ No newline at end of file diff --git a/roles/authentik/templates/authentik.pod b/roles/authentik/templates/authentik.pod new file mode 100644 index 0000000..27d38b3 --- /dev/null +++ b/roles/authentik/templates/authentik.pod 
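Review bot: `AUTHENTIK_LISTEN__HTTP` and `AUTHENTIK_LISTEN__HTTPS` bind to `{{ authentik_bind_address }}` (127.0.0.1 by default) inside the container, while the pod publishes these ports from the pod's network namespace; unless the rootless network backend delivers published traffic to the container's loopback (pasta may, slirp4netns does not), the server listens on an address the published ports never reach and the Caddy health check fails. Binding to `0.0.0.0` inside the container — the host side is already restricted by `PublishPort={{ authentik_bind_address }}:…` — avoids depending on backend behaviour, so a separate `authentik_container_listen_address: "0.0.0.0"` variable is the clearer split. `AUTHENTIK_BOOTSTRAP_PASSWORD` is only consumed on first start, but this file keeps it readable for the lifetime of the deployment; a comment such as `# Bootstrap credentials apply only on first start; rotate the admin password afterwards` tells operators the initial value persists on disk. `AUTHENTIK_POSTGRESQL__HOST` is set to a directory path and `AUTHENTIK_REDIS__HOST` to a `unix://` URL; I could not verify from this patch that the Authentik release in use accepts both forms, so a comment naming the version these were tested against would help.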
@@ -0,0 +1,15 @@
+[Unit]
+Description=Authentik Authentication Pod
+
+[Pod]
+PodName=authentik
+PublishPort={{ authentik_bind_address }}:{{ authentik_http_port }}:{{ authentik_http_port }}
+PublishPort={{ authentik_bind_address }}:{{ authentik_https_port }}:{{ authentik_https_port }}
+PodmanArgs=--userns=keep-id
+
+[Service]
+Restart=always
+TimeoutStartSec=900
+
+[Install]
+WantedBy=default.target
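Review bot: `PodmanArgs=--userns=keep-id` maps the host `authentik` uid to the same uid inside the pod, which only gives the containers group/peer access to the PostgreSQL and Valkey sockets if the image's processes actually run as that uid; the Authentik image appears to run as its own non-root user, so the mapped uid may not be the one opening the sockets, and `--userns=keep-id:uid=<image uid>` (or `User=` in the container units) is worth checking on a fresh deployment. This is the only place the pod's network is defined and nothing selects a backend, so the loopback-bound listeners in authentik.env.j2 depend on the default backend forwarding published ports to 127.0.0.1 inside the namespace; a comment such as `# Published ports reach the container via its eth0, not loopback, under slirp4netns` would record the assumption. `TimeoutStartSec=900` is three times the container units' 300s; a short comment on why the infra container needs 15 minutes would help the next reader.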