Joakim
9e570ac2a3
- Add authentik-deployment-guide.md: Complete step-by-step deployment guide - Add architecture-decisions.md: Document native DB vs containerized rationale - Add authentication-architecture.md: SSO strategy and integration patterns - Update deployment-guide.md: Integrate authentik deployment procedures - Update security-hardening.md: Add multi-layer security documentation - Update service-integration-guide.md: Add authentik integration examples - Update README.md: Professional project overview with architecture benefits - Update authentik role: Fix HTTP binding, add security configs, improve templates - Remove unused authentik task files: containers.yml, networking.yml Key improvements: * Document security benefits of native databases over containers * Document Unix socket IPC architecture advantages * Provide comprehensive troubleshooting and deployment procedures * Add forward auth integration patterns for services * Fix authentik HTTP binding from 127.0.0.1 to 0.0.0.0 * Add shared memory and IPC security configurations
122 lines
4.4 KiB
YAML
122 lines
4.4 KiB
YAML
---
|
|
# =================================================================
|
|
# Authentik Authentication Role - Default Variables
|
|
# =================================================================
|
|
# Self-contained Authentik deployment with Podman and Unix sockets
|
|
|
|
# =================================================================
|
|
# Service Configuration
|
|
# =================================================================
|
|
|
|
# Service user and directories
|
|
authentik_user: authentik
|
|
authentik_group: authentik
|
|
authentik_home: /opt/authentik
|
|
authentik_data_dir: "{{ authentik_home }}/data"
|
|
authentik_media_dir: "{{ authentik_home }}/media"
|
|
authentik_log_dir: "{{ authentik_home }}/logs"
|
|
|
|
# Container configuration
|
|
authentik_version: "2025.10"
|
|
authentik_image: "ghcr.io/goauthentik/server"
|
|
|
|
# Service management
|
|
authentik_service_enabled: true
|
|
authentik_service_state: "started"
|
|
|
|
# =================================================================
|
|
# Database Configuration (Self-managed)
|
|
# =================================================================
|
|
|
|
authentik_db_name: "authentik"
|
|
authentik_db_user: "authentik"
|
|
authentik_db_password: "{{ vault_authentik_db_password }}"
|
|
|
|
# =================================================================
|
|
# Cache Configuration (Self-managed)
|
|
# =================================================================
|
|
|
|
authentik_valkey_db: 1 # Use database 1 for Authentik
|
|
|
|
# =================================================================
|
|
# Network Configuration
|
|
# =================================================================
|
|
|
|
authentik_domain: "auth.jnss.me"
|
|
authentik_http_port: 9000
|
|
authentik_bind_address: "0.0.0.0"
|
|
|
|
# =================================================================
|
|
# Authentik Core Configuration
|
|
# =================================================================
|
|
|
|
authentik_secret_key: "{{ vault_authentik_secret_key }}"
|
|
authentik_log_level: "info"
|
|
authentik_error_reporting: false
|
|
|
|
# =================================================================
|
|
# Email Configuration (Optional)
|
|
# =================================================================
|
|
|
|
authentik_email_enabled: false
|
|
authentik_email_host: ""
|
|
authentik_email_port: 587
|
|
authentik_email_username: ""
|
|
authentik_email_password: "{{ vault_authentik_email_password | default('') }}"
|
|
authentik_email_tls: true
|
|
authentik_email_from: "authentik@{{ authentik_domain }}"
|
|
|
|
# =================================================================
|
|
# Security Configuration
|
|
# =================================================================
|
|
|
|
# Default admin user (created during deployment)
|
|
authentik_default_admin_email: "admin@{{ authentik_domain }}"
|
|
authentik_default_admin_password: "{{ vault_authentik_admin_password }}"
|
|
|
|
# =================================================================
|
|
# Podman Pod Configuration
|
|
# =================================================================
|
|
|
|
# Pod service name is simply "authentik" (generated from authentik.pod)
|
|
authentik_container_server_name: "authentik-server"
|
|
authentik_container_worker_name: "authentik-worker"
|
|
|
|
# Quadlet service directories (USER SCOPE)
|
|
authentik_quadlet_dir: "{{ authentik_user_quadlet_dir }}"
|
|
authentik_user_quadlet_dir: "{{ authentik_home }}/.config/containers/systemd"
|
|
|
|
# User session variables (set dynamically during deployment)
|
|
authentik_uid: ""
|
|
|
|
# =================================================================
|
|
# User Namespace Configuration
|
|
# =================================================================
|
|
|
|
# Subuid/subgid ranges for authentik user containers
|
|
# Range: 200000-265535 (65536 IDs)
|
|
authentik_subuid_start: 200000
|
|
authentik_subuid_size: 65536
|
|
authentik_subgid_start: 200000
|
|
authentik_subgid_size: 65536
|
|
|
|
# =================================================================
|
|
# Caddy Integration
|
|
# =================================================================
|
|
|
|
# Caddy configuration (assumes caddy role provides these variables)
|
|
caddy_sites_enabled_dir: "/etc/caddy/sites-enabled"
|
|
caddy_log_dir: "/var/log/caddy"
|
|
caddy_user: "caddy"
|
|
|
|
# =================================================================
|
|
# Infrastructure Dependencies (Read-only)
|
|
# =================================================================
|
|
|
|
# PostgreSQL socket configuration (managed by postgresql role)
|
|
postgresql_unix_socket_directories: "/var/run/postgresql"
|
|
|
|
# Valkey socket configuration (managed by valkey role)
|
|
valkey_unix_socket_path: "/var/run/valkey/valkey.sock"
|
|
valkey_password: "{{ vault_valkey_password }}"
|