Joakim
b42ee2a22b
Resolves authentik deployment issues by implementing proper Podman Quadlet configuration and fixing networking for external access through Caddy. Core Fixes: • Add missing [Install] sections to container Quadlet files for systemd service generation • Fix pod references from 'systemd-authentik' to 'authentik.pod' for proper Quadlet linking • Remove problematic --userns=host to use proper rootless user namespaces • Configure subuid/subgid ranges for authentik user (200000:65536) • Update networking to bind 0.0.0.0:9000 only (remove unnecessary HTTPS port 9443) • Add AUTHENTIK_LISTEN__HTTP=0.0.0.0:9000 environment configuration • Fix Caddy reverse proxy to use HTTP backend instead of HTTPS Infrastructure Updates: • Enhance PostgreSQL role with Unix socket configuration and user management • Improve Valkey role with proper systemd integration and socket permissions • Add comprehensive service integration documentation • Update deployment playbooks with backup and restore capabilities Security Improvements: • Secure network isolation with Caddy SSL termination • Reduced attack surface by removing direct HTTPS container exposure • Proper rootless container configuration with user namespace mapping Result: authentik now fully operational with external HTTPS access via auth.jnss.me All systemd services (authentik-pod, authentik-server, authentik-worker) running correctly.
57 lines
1.8 KiB
YAML
57 lines
1.8 KiB
YAML
---
|
|
# =================================================================
|
|
# PostgreSQL Infrastructure Role - Simplified Configuration
|
|
# =================================================================
|
|
# Provides PostgreSQL database server as shared infrastructure
|
|
# Applications manage their own databases/users
|
|
|
|
# =================================================================
|
|
# Essential Configuration
|
|
# =================================================================
|
|
|
|
# Service Management
|
|
postgresql_service_enabled: true
|
|
postgresql_service_state: "started"
|
|
|
|
# Network Security
|
|
postgresql_listen_addresses: "localhost"
|
|
postgresql_port: 5432
|
|
|
|
# Unix Socket Configuration
|
|
postgresql_unix_socket_enabled: true
|
|
postgresql_unix_socket_directories: "/var/run/postgresql"
|
|
postgresql_unix_socket_permissions: "0770"
|
|
|
|
# Authentication
|
|
postgresql_auth_method: "scram-sha-256"
|
|
|
|
# Database Cluster Setup
|
|
postgresql_encoding: "UTF8"
|
|
postgresql_locale: "C.UTF-8"
|
|
postgresql_data_checksums: true
|
|
|
|
# Security
|
|
postgresql_systemd_security: true
|
|
|
|
# =================================================================
|
|
# Optional Performance (Conservative Defaults)
|
|
# =================================================================
|
|
|
|
# Basic performance settings - PostgreSQL defaults are excellent
|
|
postgresql_max_connections: 100
|
|
postgresql_shared_buffers: "128MB"
|
|
|
|
# =================================================================
|
|
# Infrastructure Notes
|
|
# =================================================================
|
|
# This role provides minimal PostgreSQL infrastructure
|
|
# Applications should create their own databases/users:
|
|
#
|
|
# - postgresql_user:
|
|
# name: myapp
|
|
# password: "{{ vault_myapp_password }}"
|
|
# - postgresql_db:
|
|
# name: myapp
|
|
# owner: myapp
|
|
#
|
|
# PostgreSQL's built-in defaults are used for everything else |