# Authentik Authentication Service Role Containerized Authentik authentication service for rick-infra using Podman quadlets and following established architectural patterns. ## Features - ✅ **Containerized deployment**: Uses Podman with systemd quadlets - ✅ **Self-contained**: Manages its own database and configuration - ✅ **Service-specific user**: Runs as dedicated `authentik` user with subuid/subgid - ✅ **Infrastructure integration**: PostgreSQL database, Valkey cache, Caddy proxy - ✅ **Bridge networking**: Container-to-host communication via host.containers.internal - ✅ **Security hardened**: Rootless containers with proper isolation - ✅ **Production ready**: HTTPS, proper health checks, restart policies ## Architecture - **Dependencies**: PostgreSQL, Valkey, Podman, Caddy infrastructure roles - **Database**: Self-managed authentik database and user in PostgreSQL - **Cache**: Uses Valkey database 1 for session/cache storage - **Containers**: 2-container pod (server + worker) deployed via quadlets - **Network**: Custom bridge network with host gateway access - **Web access**: https://auth.domain.com (via Caddy reverse proxy) ## Configuration Key variables (defaults in `defaults/main.yml`): ```yaml # Service authentik_service_enabled: true authentik_http_port: 9000 authentik_https_port: 9443 # Domain authentik_subdomain: "auth" authentik_domain: "{{ caddy_domain }}" # Container authentik_image_server: "ghcr.io/goauthentik/server" authentik_image_tag: "2024.8.3" authentik_user: "authentik" # Database (self-managed) authentik_db_name: "authentik" authentik_db_user: "authentik" authentik_db_password: "{{ vault_authentik_db_password }}" # Cache (Valkey) authentik_redis_host: "host.containers.internal" authentik_redis_db: 1 # Security authentik_secret_key: "{{ vault_authentik_secret_key }}" ``` ## Container Architecture ### Pod Structure ``` authentik-pod ├── authentik-server (web interface, API) └── authentik-worker (background tasks) ``` ### Networking - **Bridge network**: `authentik-net` with DNS resolution - **Host gateway**: `host.containers.internal` → host system - **Port mapping**: 9000:9000 (HTTP), 9443:9443 (HTTPS) ### Storage - **Config**: `~authentik/.config/containers/` (quadlets, env) - **Data**: `~authentik/data/` (persistent application data) - **Media**: `~authentik/media/` (uploaded files) ## Usage 1. **Add vault secrets**: Set required vault variables in host_vars: ```yaml vault_authentik_db_password: "secure_db_password" vault_authentik_secret_key: "long_random_secret_key" ``` 2. **Deploy**: `ansible-playbook site.yml --tags authentik` 3. **Access**: Visit https://auth.yourdomain.com/if/flow/initial-setup/ ## Dependencies - PostgreSQL infrastructure role (database) - Valkey infrastructure role (cache) - Podman infrastructure role (containers) - Caddy web server (HTTPS reverse proxy) - Vault secrets: `vault_authentik_db_password`, `vault_authentik_secret_key` ## Containerized Service Pattern This role establishes rick-infra's containerized service pattern: ### User Management - Service-specific user (`authentik`) with dedicated home directory - Subuid/subgid ranges (100000-165535) for rootless containers - Systemd user session with lingering enabled ### Container Integration - Podman quadlets for native systemd integration - Custom bridge networks with host gateway access - Container-to-host connectivity via `host.containers.internal` - Persistent storage mounted from user home directory ### Infrastructure Integration - Self-managed database creation via PostgreSQL role - Cache integration with Valkey infrastructure - Reverse proxy deployment via Caddy sites-enabled - Follows rick-infra self-contained service patterns --- **Rick-Infra Authentik Service** SSO authentication and authorization platform for modern applications.