Joakim
3506e55016
Major architectural change from rootless user services to system-level (rootful) containers to enable group-based Unix socket access for containerized applications. Infrastructure Changes: - PostgreSQL: Export postgres-clients group GID as Ansible fact - Valkey: Export valkey-clients group GID as Ansible fact - Valkey: Add socket-fix service to maintain correct socket group ownership - Both: Set socket directories to 770 with client group ownership Authentik Role Refactoring: - Remove rootless container configuration (subuid/subgid, lingering, user systemd) - Deploy Quadlet files to /etc/containers/systemd/ (system-level) - Use dynamic GID facts in container PodmanArgs (--group-add) - Simplify user creation to system user with infrastructure group membership - Update handlers for system scope service management - Remove unnecessary container security options (no user namespace isolation) Container Template Changes: - Pod: Remove --userns args, change WantedBy to multi-user.target - Containers: Replace Annotation with PodmanArgs using dynamic GIDs - Remove /dev/shm mounts and SecurityLabelDisable (not needed for rootful) - Change WantedBy to multi-user.target for system services Documentation Updates: - Add ADR-005: Rootful Containers with Infrastructure Fact Pattern - Update ADR-003: Podman + systemd for system-level deployment - Update authentik-deployment-guide.md for system scope commands - Update service-integration-guide.md with rootful pattern examples - Document discarded rootless approach and rationale Why Rootful Succeeds: - Direct UID/GID mapping preserves supplementary groups - Container process groups match host socket group ownership - No user namespace remapping breaking permissions Why Rootless Failed (Discarded): - User namespace UID/GID remapping broke group-based socket access - Supplementary groups remapped into subgid range didn't match socket ownership - Even with --userns=host and keep_original_groups, permissions failed Pattern Established: - Infrastructure roles create client groups and export GID facts - Application roles validate facts and consume in container templates - Rootful containers run as dedicated users with --group-add for socket access - System-level deployment provides standard systemd service management Deployment Validated: - Services in /system.slice/ ✓ - Process groups: 961 (valkey-clients), 962 (postgres-clients), 966 (authentik) ✓ - Socket permissions: 770 with client groups ✓ - HTTP endpoint responding ✓
137 lines
4.0 KiB
Django/Jinja
137 lines
4.0 KiB
Django/Jinja
# Valkey Configuration - Generated by Ansible
|
|
# rick-infra Valkey Infrastructure Role
|
|
#
|
|
# This configuration provides a secure, performant Valkey instance
|
|
# for use by multiple applications on the same host.
|
|
|
|
# =================================================================
|
|
# Network Configuration
|
|
# =================================================================
|
|
|
|
# Socket-only mode - TCP disabled for security
|
|
{% if valkey_bind %}
|
|
bind {{ valkey_bind }}
|
|
{% endif %}
|
|
port {{ valkey_port }}
|
|
|
|
{% if valkey_unix_socket_enabled %}
|
|
# Unix Socket Configuration
|
|
unixsocket {{ valkey_unix_socket_path }}
|
|
unixsocketperm {{ valkey_unix_socket_perm }}
|
|
{% endif %}
|
|
|
|
# Protected mode
|
|
protected-mode {{ 'yes' if valkey_protected_mode else 'no' }}
|
|
|
|
# Connection timeout
|
|
timeout {{ valkey_timeout }}
|
|
|
|
# TCP listen backlog
|
|
tcp-backlog {{ valkey_tcp_backlog }}
|
|
|
|
# TCP keepalive
|
|
tcp-keepalive {{ valkey_tcp_keepalive }}
|
|
|
|
# =================================================================
|
|
# Authentication
|
|
# =================================================================
|
|
|
|
# Require password for all operations
|
|
requirepass {{ valkey_password }}
|
|
|
|
# =================================================================
|
|
# Memory Management
|
|
# =================================================================
|
|
|
|
# Maximum memory usage
|
|
maxmemory {{ valkey_maxmemory }}
|
|
|
|
# Eviction policy when max memory is reached
|
|
maxmemory-policy {{ valkey_maxmemory_policy }}
|
|
|
|
# =================================================================
|
|
# Persistence Configuration
|
|
# =================================================================
|
|
|
|
# Working directory for RDB files
|
|
dir /var/lib/valkey
|
|
|
|
{% if valkey_save_enabled %}
|
|
# RDB persistence - save snapshots
|
|
{% for interval in valkey_save_intervals %}
|
|
save {{ interval }}
|
|
{% endfor %}
|
|
|
|
# RDB file compression and checksums
|
|
rdbcompression {{ 'yes' if valkey_rdbcompression else 'no' }}
|
|
rdbchecksum {{ 'yes' if valkey_rdbchecksum else 'no' }}
|
|
{% else %}
|
|
# RDB persistence disabled
|
|
save ""
|
|
{% endif %}
|
|
|
|
# AOF persistence
|
|
appendonly {{ 'yes' if valkey_appendonly else 'no' }}
|
|
|
|
# =================================================================
|
|
# Database Configuration
|
|
# =================================================================
|
|
|
|
# Number of databases (0 to databases-1)
|
|
databases {{ valkey_databases }}
|
|
|
|
# =================================================================
|
|
# Logging Configuration
|
|
# =================================================================
|
|
|
|
# Log level
|
|
loglevel {{ valkey_loglevel }}
|
|
|
|
# Syslog integration
|
|
{% if valkey_syslog_enabled %}
|
|
syslog-enabled yes
|
|
syslog-ident {{ valkey_syslog_ident }}
|
|
{% endif %}
|
|
|
|
# =================================================================
|
|
# Security Settings
|
|
# =================================================================
|
|
|
|
# Disable dangerous commands
|
|
rename-command FLUSHDB ""
|
|
rename-command FLUSHALL ""
|
|
rename-command KEYS ""
|
|
rename-command CONFIG ""
|
|
rename-command SHUTDOWN VALKEY_SHUTDOWN
|
|
rename-command DEBUG ""
|
|
rename-command EVAL ""
|
|
|
|
# =================================================================
|
|
# Performance Tuning
|
|
# =================================================================
|
|
|
|
# Disable automatic rehashing for better performance
|
|
activerehashing yes
|
|
|
|
# Client output buffer limits for normal clients
|
|
client-output-buffer-limit normal 0 0 0
|
|
|
|
# Client output buffer limits for replica clients
|
|
client-output-buffer-limit replica 256mb 64mb 60
|
|
|
|
# Client output buffer limits for pubsub clients
|
|
client-output-buffer-limit pubsub 32mb 8mb 60
|
|
|
|
# =================================================================
|
|
# Application Notes
|
|
# =================================================================
|
|
#
|
|
# Applications should use different database numbers:
|
|
# - Database 0: Reserved for system/testing
|
|
# - Database 1: Authentik (sessions, cache)
|
|
# - Database 2: Nextcloud (sessions, file locking, cache)
|
|
# - Database 3+: Future applications
|
|
#
|
|
# Connection example:
|
|
# redis-cli -h {{ valkey_bind }} -p {{ valkey_port }} -a {{ valkey_password }} -n 1
|