joakim/rick-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9e570ac2a3b62c0b6870a786fa9a567683cb140e
rick-infra/roles/authentik/tasks/main.yml
Joakim 9e570ac2a3 Add comprehensive authentik documentation and improve role configuration 
- Add authentik-deployment-guide.md: Complete step-by-step deployment guide
- Add architecture-decisions.md: Document native DB vs containerized rationale
- Add authentication-architecture.md: SSO strategy and integration patterns
- Update deployment-guide.md: Integrate authentik deployment procedures
- Update security-hardening.md: Add multi-layer security documentation
- Update service-integration-guide.md: Add authentik integration examples
- Update README.md: Professional project overview with architecture benefits
- Update authentik role: Fix HTTP binding, add security configs, improve templates
- Remove unused authentik task files: containers.yml, networking.yml

Key improvements:
* Document security benefits of native databases over containers
* Document Unix socket IPC architecture advantages
* Provide comprehensive troubleshooting and deployment procedures
* Add forward auth integration patterns for services
* Fix authentik HTTP binding from 127.0.0.1 to 0.0.0.0
* Add shared memory and IPC security configurations
2025-12-13 21:04:20 +01:00

158 lines
4.2 KiB
YAML
Raw Blame History

---
# Authentik Authentication Role - Main Tasks
# Self-contained deployment with Podman and Unix sockets
- name: Setup authentik user and container namespaces
include_tasks: user.yml
tags: [user, setup]
- name: Setup database access and permissions
include_tasks: database.yml
tags: [database, setup]
- name: Setup cache access and permissions
include_tasks: cache.yml
tags: [cache, setup]
- name: Pull authentik container image
containers.podman.podman_image:
name: "{{ authentik_image }}:{{ authentik_version }}"
state: present
become: true
become_user: "{{ authentik_user }}"
tags: [containers, image-pull]
- name: Create media directory structure
file:
path: "{{ authentik_media_dir }}/{{ item }}"
state: directory
owner: "{{ authentik_user }}"
group: "{{ authentik_group }}"
mode: '0755'
loop:
- public
- private
tags: [setup, media]
- name: Deploy environment configuration
template:
src: authentik.env.j2
dest: "{{ authentik_home }}/.env"
owner: "{{ authentik_user }}"
group: "{{ authentik_group }}"
mode: '0600'
backup: true
notify:
- restart authentik pod
- restart authentik server
- restart authentik worker
tags: [config]
- name: Create Quadlet systemd directory (user scope)
file:
path: "{{ authentik_quadlet_dir }}"
state: directory
owner: "{{ authentik_user }}"
group: "{{ authentik_group }}"
mode: '0755'
- name: Deploy Quadlet pod and container files (user scope)
template:
src: "{{ item.src }}"
dest: "{{ authentik_quadlet_dir }}/{{ item.dest }}"
owner: "{{ authentik_user }}"
group: "{{ authentik_group }}"
mode: '0644'
loop:
- { src: 'authentik.pod', dest: 'authentik.pod' }
- { src: 'authentik-server.container', dest: 'authentik-server.container' }
- { src: 'authentik-worker.container', dest: 'authentik-worker.container' }
become: true
become_user: "{{ authentik_user }}"
notify:
- reload systemd user
- restart authentik pod
- restart authentik server
- restart authentik worker
tags: [containers, deployment]
- name: Deploy Caddy configuration
template:
src: authentik.caddy.j2
dest: "{{ caddy_sites_enabled_dir }}/authentik.caddy"
owner: root
group: "{{ caddy_user }}"
mode: '0644'
backup: true
notify: reload caddy
tags: [caddy, reverse-proxy]
- name: Ensure system dependencies are running
systemd:
name: "{{ item }}"
state: started
loop:
- postgresql
- valkey
register: system_deps
- name: Wait for PostgreSQL socket to be ready
wait_for:
path: "{{ postgresql_unix_socket_directories }}/.s.PGSQL.{{ postgresql_port }}"
timeout: 30
when: postgresql_unix_socket_enabled
- name: Wait for Valkey socket to be ready
wait_for:
path: "{{ valkey_unix_socket_path }}"
timeout: 30
when: valkey_unix_socket_enabled
- name: Ensure systemd user session is started
systemd:
name: "user@{{ authentik_uid }}.service"
state: started
scope: system
register: user_session_start
- name: Enable and start Authentik pod (user scope)
systemd:
name: "authentik-pod"
enabled: "{{ authentik_service_enabled }}"
state: "{{ authentik_service_state }}"
scope: user
daemon_reload: true
become: true
become_user: "{{ authentik_user }}"
tags: [containers, service]
- name: Wait for Authentik to be ready
uri:
url: "http://127.0.0.1:{{ authentik_http_port }}/"
method: GET
status_code: [200, 302]
timeout: 30
retries: 10
delay: 15
register: authentik_health_check
tags: [verification, health-check]
- name: Display Authentik deployment status
debug:
msg: |
✅ Authentik Authentication deployed successfully!
🌐 Domain: {{ authentik_domain }}
🗄️ Database: {{ authentik_db_name }} (Unix socket)
🗄️ Cache: Valkey DB {{ authentik_valkey_db }} (Unix socket)
🐳 Containers: Pod with server + worker
🔒 Admin: {{ authentik_default_admin_email }}
🚀 Ready for SSO configuration!
📋 Next Steps:
- Access {{ authentik_domain }} to complete setup
- Configure applications and providers
- Set up SSO for services
tags: [verification]
Reference in New Issue View Git Blame Copy Permalink