joakim/rick-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b3c3fe5c56306d96dcef4a0236f6aeb68e75d1a4
rick-infra/roles/authentik/templates/authentik.env.j2
Joakim b42ee2a22b Fix: Complete authentik Quadlet implementation with networking solution 
Resolves authentik deployment issues by implementing proper Podman Quadlet
configuration and fixing networking for external access through Caddy.

Core Fixes:
• Add missing [Install] sections to container Quadlet files for systemd service generation
• Fix pod references from 'systemd-authentik' to 'authentik.pod' for proper Quadlet linking
• Remove problematic --userns=host to use proper rootless user namespaces
• Configure subuid/subgid ranges for authentik user (200000:65536)
• Update networking to bind 0.0.0.0:9000 only (remove unnecessary HTTPS port 9443)
• Add AUTHENTIK_LISTEN__HTTP=0.0.0.0:9000 environment configuration
• Fix Caddy reverse proxy to use HTTP backend instead of HTTPS

Infrastructure Updates:
• Enhance PostgreSQL role with Unix socket configuration and user management
• Improve Valkey role with proper systemd integration and socket permissions
• Add comprehensive service integration documentation
• Update deployment playbooks with backup and restore capabilities

Security Improvements:
• Secure network isolation with Caddy SSL termination
• Reduced attack surface by removing direct HTTPS container exposure
• Proper rootless container configuration with user namespace mapping

Result: authentik now fully operational with external HTTPS access via auth.jnss.me
All systemd services (authentik-pod, authentik-server, authentik-worker) running correctly.
2025-12-04 19:42:31 +01:00

40 lines
1.6 KiB
Django/Jinja
Raw Blame History

# Authentik Configuration - Unix Socket IPC
# Generated by Ansible - DO NOT EDIT
# PostgreSQL Configuration (Unix Socket)
AUTHENTIK_POSTGRESQL__HOST={{ postgresql_unix_socket_directories }}
AUTHENTIK_POSTGRESQL__NAME={{ authentik_db_name }}
AUTHENTIK_POSTGRESQL__USER={{ authentik_db_user }}
AUTHENTIK_POSTGRESQL__PASSWORD={{ authentik_db_password }}
# No port needed for Unix socket
# Valkey/Redis Configuration (Unix Socket) - Using cache URL format to avoid port parsing issues
AUTHENTIK_CACHE__URL=unix://{{ valkey_unix_socket_path }}?db={{ authentik_valkey_db }}&password={{ valkey_password }}
# Authentik Core Configuration
AUTHENTIK_SECRET_KEY={{ authentik_secret_key }}
AUTHENTIK_LOG_LEVEL={{ authentik_log_level }}
AUTHENTIK_ERROR_REPORTING__ENABLED={{ authentik_error_reporting | lower }}
# Security Configuration
AUTHENTIK_COOKIE_DOMAIN={{ authentik_domain }}
AUTHENTIK_DISABLE_UPDATE_CHECK=true
AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
# Network binding
AUTHENTIK_LISTEN__HTTP={{ authentik_bind_address }}:{{ authentik_http_port }}
{% if authentik_email_enabled %}
# Email Configuration
AUTHENTIK_EMAIL__HOST={{ authentik_email_host }}
AUTHENTIK_EMAIL__PORT={{ authentik_email_port }}
AUTHENTIK_EMAIL__USERNAME={{ authentik_email_username }}
AUTHENTIK_EMAIL__PASSWORD={{ authentik_email_password }}
AUTHENTIK_EMAIL__USE_TLS={{ authentik_email_tls | lower }}
AUTHENTIK_EMAIL__FROM={{ authentik_email_from }}
{% endif %}
# Default admin user
AUTHENTIK_BOOTSTRAP_PASSWORD={{ authentik_default_admin_password }}
AUTHENTIK_BOOTSTRAP_EMAIL={{ authentik_default_admin_email }}
Reference in New Issue View Git Blame Copy Permalink