rick-infra

joakim/rick-infra

Fork 0

Commit Graph

Author	SHA1	Message	Date
Joakim	0507e3291d	Fix: Update authentik Caddy template to use HTTP backend - Change reverse_proxy from https:// to http:// backend - Use authentik_http_port instead of authentik_https_port - Remove unnecessary TLS transport configuration - Remove health check for non-existent endpoint This aligns the Ansible template with the working configuration where authentik only serves HTTP internally and Caddy handles SSL.	2025-12-07 16:45:42 +01:00
Joakim	b42ee2a22b	Fix: Complete authentik Quadlet implementation with networking solution Resolves authentik deployment issues by implementing proper Podman Quadlet configuration and fixing networking for external access through Caddy. Core Fixes: • Add missing [Install] sections to container Quadlet files for systemd service generation • Fix pod references from 'systemd-authentik' to 'authentik.pod' for proper Quadlet linking • Remove problematic --userns=host to use proper rootless user namespaces • Configure subuid/subgid ranges for authentik user (200000:65536) • Update networking to bind 0.0.0.0:9000 only (remove unnecessary HTTPS port 9443) • Add AUTHENTIK_LISTEN__HTTP=0.0.0.0:9000 environment configuration • Fix Caddy reverse proxy to use HTTP backend instead of HTTPS Infrastructure Updates: • Enhance PostgreSQL role with Unix socket configuration and user management • Improve Valkey role with proper systemd integration and socket permissions • Add comprehensive service integration documentation • Update deployment playbooks with backup and restore capabilities Security Improvements: • Secure network isolation with Caddy SSL termination • Reduced attack surface by removing direct HTTPS container exposure • Proper rootless container configuration with user namespace mapping Result: authentik now fully operational with external HTTPS access via auth.jnss.me All systemd services (authentik-pod, authentik-server, authentik-worker) running correctly.	2025-12-04 19:42:31 +01:00
Joakim	3b062edeb6	Add Valkey infrastructure role as Redis-compatible cache service - Implemented complete Valkey infrastructure role following PostgreSQL patterns - Provides 100% Redis-compatible high-performance data structure store - Configured for multi-application support with database isolation - Security-focused: localhost-only binding, password auth, systemd hardening - Arch Linux compatible: uses native Valkey package with Redis compatibility - Database allocation strategy: DB 0 reserved, DB 1+ for applications - Full systemd integration with security overrides and proper service management - Redis client compatibility maintained for seamless application integration - Ready for Authentik and future container workloads requiring cache services	2025-11-19 22:20:54 +01:00

Author

SHA1

Message

Date

Joakim

0507e3291d

Fix: Update authentik Caddy template to use HTTP backend

- Change reverse_proxy from https:// to http:// backend
- Use authentik_http_port instead of authentik_https_port
- Remove unnecessary TLS transport configuration
- Remove health check for non-existent endpoint

This aligns the Ansible template with the working configuration
where authentik only serves HTTP internally and Caddy handles SSL.

2025-12-07 16:45:42 +01:00

Joakim

b42ee2a22b

Fix: Complete authentik Quadlet implementation with networking solution

Resolves authentik deployment issues by implementing proper Podman Quadlet
configuration and fixing networking for external access through Caddy.

Core Fixes:
• Add missing [Install] sections to container Quadlet files for systemd service generation
• Fix pod references from 'systemd-authentik' to 'authentik.pod' for proper Quadlet linking
• Remove problematic --userns=host to use proper rootless user namespaces
• Configure subuid/subgid ranges for authentik user (200000:65536)
• Update networking to bind 0.0.0.0:9000 only (remove unnecessary HTTPS port 9443)
• Add AUTHENTIK_LISTEN__HTTP=0.0.0.0:9000 environment configuration
• Fix Caddy reverse proxy to use HTTP backend instead of HTTPS

Infrastructure Updates:
• Enhance PostgreSQL role with Unix socket configuration and user management
• Improve Valkey role with proper systemd integration and socket permissions
• Add comprehensive service integration documentation
• Update deployment playbooks with backup and restore capabilities

Security Improvements:
• Secure network isolation with Caddy SSL termination
• Reduced attack surface by removing direct HTTPS container exposure
• Proper rootless container configuration with user namespace mapping

Result: authentik now fully operational with external HTTPS access via auth.jnss.me
All systemd services (authentik-pod, authentik-server, authentik-worker) running correctly.

2025-12-04 19:42:31 +01:00

Joakim

3b062edeb6

Add Valkey infrastructure role as Redis-compatible cache service

- Implemented complete Valkey infrastructure role following PostgreSQL patterns
- Provides 100% Redis-compatible high-performance data structure store
- Configured for multi-application support with database isolation
- Security-focused: localhost-only binding, password auth, systemd hardening
- Arch Linux compatible: uses native Valkey package with Redis compatibility
- Database allocation strategy: DB 0 reserved, DB 1+ for applications
- Full systemd integration with security overrides and proper service management
- Redis client compatibility maintained for seamless application integration
- Ready for Authentik and future container workloads requiring cache services

2025-11-19 22:20:54 +01:00

3 Commits