WIP: Authentik role with Quadlet pod approach - debugging container service generation
- Created authentik.pod file for proper pod definition - Removed superfluous authentik-pod.container file - Updated container templates to reference pod correctly - Issue: Quadlet still reports 'pod authentik is not Quadlet based' - Container services not being generated (only pod service works)
This commit is contained in:
215
roles/authentik/tasks/main.yml
Normal file
215
roles/authentik/tasks/main.yml
Normal file
@@ -0,0 +1,215 @@
|
||||
---
|
||||
# Authentik Authentication Role - Main Tasks
|
||||
# Self-contained deployment with Podman and Unix sockets
|
||||
|
||||
- name: Create authentik group
|
||||
group:
|
||||
name: "{{ authentik_group }}"
|
||||
system: true
|
||||
|
||||
- name: Create authentik system user
|
||||
user:
|
||||
name: "{{ authentik_user }}"
|
||||
system: true
|
||||
shell: /bin/bash
|
||||
home: "{{ authentik_home }}"
|
||||
create_home: true
|
||||
group: "{{ authentik_group }}"
|
||||
|
||||
- name: Create authentik directories
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
owner: "{{ authentik_user }}"
|
||||
group: "{{ authentik_group }}"
|
||||
mode: '0755'
|
||||
loop:
|
||||
- "{{ authentik_home }}"
|
||||
- "{{ authentik_data_dir }}"
|
||||
- "{{ authentik_media_dir }}"
|
||||
- "{{ authentik_user_quadlet_dir }}"
|
||||
|
||||
- name: Get authentik user UID
|
||||
getent:
|
||||
database: passwd
|
||||
key: "{{ authentik_user }}"
|
||||
register: authentik_user_info
|
||||
|
||||
- name: Set authentik UID variable
|
||||
set_fact:
|
||||
authentik_uid: "{{ authentik_user_info.ansible_facts.getent_passwd[authentik_user][1] }}"
|
||||
|
||||
- name: Enable lingering for authentik user (services persist without login)
|
||||
command: loginctl enable-linger {{ authentik_user }}
|
||||
register: linger_result
|
||||
changed_when: linger_result.rc == 0
|
||||
|
||||
- name: Ensure XDG runtime directory exists
|
||||
file:
|
||||
path: "/run/user/{{ authentik_uid }}"
|
||||
state: directory
|
||||
owner: "{{ authentik_user }}"
|
||||
group: "{{ authentik_group }}"
|
||||
mode: '0700'
|
||||
|
||||
- name: Setup database access and permissions
|
||||
include_tasks: database.yml
|
||||
tags: [database, setup]
|
||||
|
||||
- name: Setup cache access and permissions
|
||||
include_tasks: cache.yml
|
||||
tags: [cache, setup]
|
||||
|
||||
- name: Deploy environment configuration
|
||||
template:
|
||||
src: authentik.env.j2
|
||||
dest: "{{ authentik_home }}/.env"
|
||||
owner: "{{ authentik_user }}"
|
||||
group: "{{ authentik_group }}"
|
||||
mode: '0600'
|
||||
backup: true
|
||||
notify:
|
||||
- restart authentik pod
|
||||
- restart authentik server
|
||||
- restart authentik worker
|
||||
tags: [config]
|
||||
|
||||
- name: Create Quadlet systemd directory (user scope)
|
||||
file:
|
||||
path: "{{ authentik_quadlet_dir }}"
|
||||
state: directory
|
||||
owner: "{{ authentik_user }}"
|
||||
group: "{{ authentik_group }}"
|
||||
mode: '0755'
|
||||
|
||||
- name: Deploy Quadlet pod and container files (user scope)
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ authentik_quadlet_dir }}/{{ item.dest }}"
|
||||
owner: "{{ authentik_user }}"
|
||||
group: "{{ authentik_group }}"
|
||||
mode: '0644'
|
||||
loop:
|
||||
- { src: 'authentik.pod', dest: 'authentik.pod' }
|
||||
- { src: 'authentik-server.container', dest: 'authentik-server.container' }
|
||||
- { src: 'authentik-worker.container', dest: 'authentik-worker.container' }
|
||||
become: true
|
||||
become_user: "{{ authentik_user }}"
|
||||
notify:
|
||||
- reload systemd user
|
||||
- restart authentik pod
|
||||
- restart authentik server
|
||||
- restart authentik worker
|
||||
tags: [containers, deployment]
|
||||
|
||||
- name: Deploy Caddy configuration
|
||||
template:
|
||||
src: authentik.caddy.j2
|
||||
dest: "{{ caddy_sites_enabled_dir }}/authentik.caddy"
|
||||
owner: root
|
||||
group: "{{ caddy_user }}"
|
||||
mode: '0644'
|
||||
backup: true
|
||||
notify: reload caddy
|
||||
tags: [caddy, reverse-proxy]
|
||||
|
||||
- name: Ensure system dependencies are running
|
||||
systemd:
|
||||
name: "{{ item }}"
|
||||
state: started
|
||||
loop:
|
||||
- postgresql
|
||||
- valkey
|
||||
register: system_deps
|
||||
|
||||
- name: Wait for PostgreSQL socket to be ready
|
||||
wait_for:
|
||||
path: "{{ postgresql_unix_socket_directories }}/.s.PGSQL.{{ postgresql_port }}"
|
||||
timeout: 30
|
||||
when: postgresql_unix_socket_enabled
|
||||
|
||||
- name: Wait for Valkey socket to be ready
|
||||
wait_for:
|
||||
path: "{{ valkey_unix_socket_path }}"
|
||||
timeout: 30
|
||||
when: valkey_unix_socket_enabled
|
||||
|
||||
- name: Reload systemd daemon for Quadlet (user scope)
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
scope: user
|
||||
become: true
|
||||
become_user: "{{ authentik_user }}"
|
||||
environment:
|
||||
XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
|
||||
tags: [containers, deployment]
|
||||
|
||||
- name: Enable and start Authentik pod (user scope)
|
||||
systemd:
|
||||
name: "authentik-pod"
|
||||
enabled: "{{ authentik_service_enabled }}"
|
||||
state: "{{ authentik_service_state }}"
|
||||
scope: user
|
||||
daemon_reload: true
|
||||
become: true
|
||||
become_user: "{{ authentik_user }}"
|
||||
environment:
|
||||
XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
|
||||
tags: [containers, service]
|
||||
|
||||
- name: Enable and start Authentik server (user scope)
|
||||
systemd:
|
||||
name: "{{ authentik_container_server_name }}"
|
||||
enabled: "{{ authentik_service_enabled }}"
|
||||
state: "{{ authentik_service_state }}"
|
||||
scope: user
|
||||
daemon_reload: true
|
||||
become: true
|
||||
become_user: "{{ authentik_user }}"
|
||||
environment:
|
||||
XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
|
||||
tags: [containers, service]
|
||||
|
||||
- name: Enable and start Authentik worker (user scope)
|
||||
systemd:
|
||||
name: "{{ authentik_container_worker_name }}"
|
||||
enabled: "{{ authentik_service_enabled }}"
|
||||
state: "{{ authentik_service_state }}"
|
||||
scope: user
|
||||
daemon_reload: true
|
||||
become: true
|
||||
become_user: "{{ authentik_user }}"
|
||||
environment:
|
||||
XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
|
||||
tags: [containers, service]
|
||||
|
||||
- name: Wait for Authentik to be ready
|
||||
uri:
|
||||
url: "https://{{ authentik_domain }}/if/health/live/"
|
||||
method: GET
|
||||
status_code: [200]
|
||||
timeout: 30
|
||||
validate_certs: true
|
||||
retries: 10
|
||||
delay: 30
|
||||
register: authentik_health_check
|
||||
tags: [verification, health-check]
|
||||
|
||||
- name: Display Authentik deployment status
|
||||
debug:
|
||||
msg: |
|
||||
✅ Authentik Authentication deployed successfully!
|
||||
|
||||
🌐 Domain: {{ authentik_domain }}
|
||||
🗄️ Database: {{ authentik_db_name }} (Unix socket)
|
||||
🗄️ Cache: Valkey DB {{ authentik_valkey_db }} (Unix socket)
|
||||
🐳 Containers: Pod with server + worker
|
||||
🔒 Admin: {{ authentik_default_admin_email }}
|
||||
|
||||
🚀 Ready for SSO configuration!
|
||||
|
||||
📋 Next Steps:
|
||||
- Access {{ authentik_domain }} to complete setup
|
||||
- Configure applications and providers
|
||||
- Set up SSO for services
|
||||
tags: [verification]
|
||||
Reference in New Issue
Block a user