Resolves authentik deployment issues by implementing proper Podman Quadlet configuration and fixing networking for external access through Caddy.

Core Fixes:
• Add missing [Install] sections to container Quadlet files for systemd service generation
• Fix pod references from 'systemd-authentik' to 'authentik.pod' for proper Quadlet linking
• Remove problematic --userns=host to use proper rootless user namespaces
• Configure subuid/subgid ranges for authentik user (200000:65536)
• Update networking to bind 0.0.0.0:9000 only (remove unnecessary HTTPS port 9443)
• Add AUTHENTIK_LISTEN__HTTP=0.0.0.0:9000 environment configuration
• Fix Caddy reverse proxy to use HTTP backend instead of HTTPS

Infrastructure Updates:
• Enhance PostgreSQL role with Unix socket configuration and user management
• Improve Valkey role with proper systemd integration and socket permissions
• Add comprehensive service integration documentation
• Update deployment playbooks with backup and restore capabilities

Security Improvements:
• Secure network isolation with Caddy SSL termination
• Reduced attack surface by removing direct HTTPS container exposure
• Proper rootless container configuration with user namespace mapping

Result: authentik now fully operational with external HTTPS access via auth.jnss.me
All systemd services (authentik-pod, authentik-server, authentik-worker) running correctly.
70 lines
1.9 KiB
YAML
```yaml
---
# Cache setup for Authentik - Self-contained socket permissions
#
# Grants the authentik service account access to the Valkey Unix socket through
# group membership and directory permissions, then verifies the connection while
# running as that user so the permission setup is exercised end to end.

- name: Add authentik user to valkey group for socket access
  user:
    name: "{{ authentik_user }}"
    groups: valkey
    append: true  # keep the user's existing supplementary groups
  become: true  # editing group membership needs privileges, like the tasks below

- name: Ensure authentik can access Valkey socket directory
  # 0770 with group valkey: group members may traverse the directory and connect
  # to the socket, everyone else is denied.
  file:
    path: "{{ valkey_unix_socket_path | dirname }}"
    mode: '0770'
    group: valkey
  become: true

- name: Test Valkey socket connectivity
  # Runs as the authentik user, so this fails if the group/mode setup above is wrong.
  # Passing the password with -a places it in the process list and in verbose
  # Ansible output; redis-cli also reads it from the REDISCLI_AUTH environment variable.
  command: >
    redis-cli -s {{ valkey_unix_socket_path }}
    -a {{ valkey_password }}
    -n {{ authentik_valkey_db }}
    ping
  become: true
  become_user: "{{ authentik_user }}"
  register: valkey_socket_test
  failed_when: valkey_socket_test.stdout != "PONG"
  changed_when: false

- name: Configure Authentik Valkey database
  # save "" disables RDB snapshots so cache/session data is not written to disk.
  # CONFIG is instance-wide, not per database: this affects every database on the
  # Valkey server, not only the one selected with -n.
  command: >
    redis-cli -s {{ valkey_unix_socket_path }}
    -a {{ valkey_password }}
    -n {{ authentik_valkey_db }}
    CONFIG SET save ""
  become: true
  become_user: "{{ authentik_user }}"
  register: valkey_config_result
  changed_when: true

- name: Verify Authentik can write to Valkey database
  command: >
    redis-cli -s {{ valkey_unix_socket_path }}
    -a {{ valkey_password }}
    -n {{ authentik_valkey_db }}
    SET authentik:healthcheck "deployed"
  become: true
  become_user: "{{ authentik_user }}"
  register: valkey_write_test
  changed_when: false

- name: Clean up Valkey test key
  command: >
    redis-cli -s {{ valkey_unix_socket_path }}
    -a {{ valkey_password }}
    -n {{ authentik_valkey_db }}
    DEL authentik:healthcheck
  become: true
  become_user: "{{ authentik_user }}"
  changed_when: false

- name: Display cache setup status
  debug:
    msg: |
      ✅ Authentik cache setup complete!

      🗄️ Cache DB: {{ authentik_valkey_db }}
      🔌 Connection: Unix socket ({{ valkey_unix_socket_path }})
      📊 Test: {{ valkey_socket_test.stdout }}

      🏗️ Ready for Authentik container deployment
```
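The "Test Valkey socket connectivity" task above shells out to redis-cli with the password on the command line. As an added example, not code from this repository or the commit, the same AUTH / SELECT / PING exchange is shown below as the raw RESP messages redis-cli sends over the Unix socket, with the password sent only inside the connection. The stub server, the temporary socket path, the password and the database number are all constructed for offline demonstration; the `run_check` helper starts the stub in a thread and then runs the client check against it.

```python
# Added example: Valkey Unix-socket health check spoken as RESP, with a stub server
# standing in for Valkey so the exchange can be run offline. Nothing here comes
# from the playbook; socket path, password and db number are constructed values.
import os
import socket
import tempfile
import threading


def encode_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings, as redis-cli sends it."""
    out = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        out.append(f"${len(raw)}\r\n".encode() + raw + b"\r\n")
    return b"".join(out)


def read_reply(stream) -> str:
    """Read one simple-string (+) or integer (:) reply; raise on an error (-) reply."""
    line = stream.readline()
    if not line:
        raise ConnectionError("server closed the connection")
    kind, body = line[:1], line[1:].rstrip(b"\r\n").decode()
    if kind == b"-":
        raise RuntimeError(f"Valkey error: {body}")
    if kind not in (b"+", b":"):
        raise RuntimeError(f"unexpected reply type {kind!r}")
    return body


def valkey_socket_ping(socket_path: str, password: str, db: int) -> str:
    """AUTH, SELECT db, then PING over a Unix socket; returns the PING reply text."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(socket_path)
        with sock.makefile("rb") as stream:
            sock.sendall(encode_command("AUTH", password))
            read_reply(stream)  # a "-WRONGPASS ..." reply raises here
            sock.sendall(encode_command("SELECT", str(db)))
            read_reply(stream)
            sock.sendall(encode_command("PING"))
            return read_reply(stream)


def _read_command(stream):
    """Parse one RESP array sent by a client; None at EOF."""
    header = stream.readline()
    if not header:
        return None
    args = []
    for _ in range(int(header[1:].strip())):
        length = int(stream.readline()[1:].strip())
        args.append(stream.read(length).decode())
        stream.readline()  # consume the trailing CRLF
    return args


def _stub_server(listener: socket.socket, password: str) -> None:
    """Minimal stand-in for Valkey: requires AUTH, then answers SELECT and PING."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as stream:
        authed = False
        while (cmd := _read_command(stream)) is not None:
            name = cmd[0].upper()
            if name == "AUTH":
                authed = cmd[1] == password
                conn.sendall(b"+OK\r\n" if authed else b"-WRONGPASS invalid password\r\n")
            elif not authed:
                conn.sendall(b"-NOAUTH Authentication required.\r\n")
            elif name == "SELECT":
                conn.sendall(b"+OK\r\n")
            elif name == "PING":
                conn.sendall(b"+PONG\r\n")
            else:
                conn.sendall(b"-ERR unknown command\r\n")


def run_check(server_password: str, client_password: str, db: int = 1) -> str:
    """Start the stub on a temporary socket and run the health check against it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "valkey.sock")  # constructed socket path
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        listener.bind(path)
        listener.listen(1)
        worker = threading.Thread(target=_stub_server, args=(listener, server_password), daemon=True)
        worker.start()
        try:
            return valkey_socket_ping(path, client_password, db)
        finally:
            worker.join(timeout=2)
            listener.close()


if __name__ == "__main__":
    print(run_check("s3cret-example", "s3cret-example"))  # PONG
```

A wrong password surfaces as the server's `-WRONGPASS` error reply, which `read_reply` turns into a `RuntimeError`, the same failure the playbook task catches through `failed_when` on the missing `PONG`.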