joakim/rick-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
30a882b1e1945afa8d916c3ce425f187df0bdcb8
rick-infra/README.md
Joakim b42ee2a22b Fix: Complete authentik Quadlet implementation with networking solution 
Resolves authentik deployment issues by implementing proper Podman Quadlet
configuration and fixing networking for external access through Caddy.

Core Fixes:
• Add missing [Install] sections to container Quadlet files for systemd service generation
• Fix pod references from 'systemd-authentik' to 'authentik.pod' for proper Quadlet linking
• Remove problematic --userns=host to use proper rootless user namespaces
• Configure subuid/subgid ranges for authentik user (200000:65536)
• Update networking to bind 0.0.0.0:9000 only (remove unnecessary HTTPS port 9443)
• Add AUTHENTIK_LISTEN__HTTP=0.0.0.0:9000 environment configuration
• Fix Caddy reverse proxy to use HTTP backend instead of HTTPS

Infrastructure Updates:
• Enhance PostgreSQL role with Unix socket configuration and user management
• Improve Valkey role with proper systemd integration and socket permissions
• Add comprehensive service integration documentation
• Update deployment playbooks with backup and restore capabilities

Security Improvements:
• Secure network isolation with Caddy SSL termination
• Reduced attack surface by removing direct HTTPS container exposure
• Proper rootless container configuration with user namespace mapping

Result: authentik now fully operational with external HTTPS access via auth.jnss.me
All systemd services (authentik-pod, authentik-server, authentik-worker) running correctly.
2025-12-04 19:42:31 +01:00

37 lines
1.1 KiB
Markdown
Raw Blame History

# Rick's Infra
## Arch Linux VPS
### Ansible
Infrastructure as code for setting up new instance.
- [ ] Security
- [ ] SSH
- [ ] Firewall
- [ ] Fail2ban
- [ ] Kernel hardening
- [ ] Base packages
- [ ] Monitoring/Logging
- [ ] Backup
### Services
Services are managed by serviced
#### Caddy
Reverse proxy.
### Containers
Containers are managed by rootless Podman.
## Documentation
### Service Integration
- [Service Integration Guide](docs/service-integration-guide.md) - How to add containerized services with PostgreSQL/Valkey access
### Role Documentation
- [Authentik Role](roles/authentik/README.md) - Authentication service with Unix socket implementation
- [PostgreSQL Role](roles/postgresql/README.md) - Database service with Unix socket support
- [Valkey Role](roles/valkey/README.md) - Cache service with Unix socket support
- [Caddy Role](roles/caddy/README.md) - Reverse proxy and SSL termination
### Infrastructure Guides
- [Deployment Guide](docs/deployment-guide.md) - Complete deployment walkthrough
- [Security Hardening](docs/security-hardening.md) - Security configuration and best practices
Reference in New Issue View Git Blame Copy Permalink