rick-infra/roles/valkey/templates/valkey.conf.j2
Joakim b42ee2a22b Fix: Complete authentik Quadlet implementation with networking solution
Resolves authentik deployment issues by implementing proper Podman Quadlet
configuration and fixing networking for external access through Caddy.

Core Fixes:
• Add missing [Install] sections to container Quadlet files for systemd service generation
• Fix pod references from 'systemd-authentik' to 'authentik.pod' for proper Quadlet linking
• Remove problematic --userns=host to use proper rootless user namespaces
• Configure subuid/subgid ranges for authentik user (200000:65536)
• Update networking to bind 0.0.0.0:9000 only (remove unnecessary HTTPS port 9443)
• Add AUTHENTIK_LISTEN__HTTP=0.0.0.0:9000 environment configuration
• Fix Caddy reverse proxy to use HTTP backend instead of HTTPS

Infrastructure Updates:
• Enhance PostgreSQL role with Unix socket configuration and user management
• Improve Valkey role with proper systemd integration and socket permissions
• Add comprehensive service integration documentation
• Update deployment playbooks with backup and restore capabilities

Security Improvements:
• Secure network isolation with Caddy SSL termination
• Reduced attack surface by removing direct HTTPS container exposure
• Proper rootless container configuration with user namespace mapping

Result: authentik now fully operational with external HTTPS access via auth.jnss.me
All systemd services (authentik-pod, authentik-server, authentik-worker) running correctly.
2025-12-04 19:42:31 +01:00

139 lines
4.1 KiB
Django/Jinja

# Valkey Configuration - Generated by Ansible
# rick-infra Valkey Infrastructure Role
#
# This configuration provides a secure, performant Valkey instance
# for use by multiple applications on the same host.
# =================================================================
# Network Configuration
# =================================================================
# Bind to localhost only for security (like PostgreSQL)
bind {{ valkey_bind }}
# Valkey port
port {{ valkey_port }}
{% if valkey_unix_socket_enabled %}
# Unix Socket Configuration
unixsocket {{ valkey_unix_socket_path }}
unixsocketperm {{ valkey_unix_socket_perm }}
# Enable both TCP and Unix socket (for compatibility during transition)
# To disable TCP completely, comment out the port line above
{% endif %}
# Protected mode - refuses remote connections when no bind address and no password
# are configured; defence in depth here, since both are set in this template
protected-mode {{ 'yes' if valkey_protected_mode else 'no' }}
# Connection timeout
timeout {{ valkey_timeout }}
# TCP listen backlog
tcp-backlog {{ valkey_tcp_backlog }}
# TCP keepalive
tcp-keepalive {{ valkey_tcp_keepalive }}
# =================================================================
# Authentication
# =================================================================
# Require password for all operations
requirepass {{ valkey_requirepass }}
# =================================================================
# Memory Management
# =================================================================
# Maximum memory usage
maxmemory {{ valkey_maxmemory }}
# Eviction policy when max memory is reached
maxmemory-policy {{ valkey_maxmemory_policy }}
# =================================================================
# Persistence Configuration
# =================================================================
# Working directory for RDB files
dir /var/lib/valkey
{% if valkey_save_enabled %}
# RDB persistence - save snapshots
{% for interval in valkey_save_intervals %}
save {{ interval }}
{% endfor %}
# RDB file compression and checksums
rdbcompression {{ 'yes' if valkey_rdbcompression else 'no' }}
rdbchecksum {{ 'yes' if valkey_rdbchecksum else 'no' }}
{% else %}
# RDB persistence disabled
save ""
{% endif %}
# AOF persistence
appendonly {{ 'yes' if valkey_appendonly else 'no' }}
# =================================================================
# Database Configuration
# =================================================================
# Number of databases (0 to databases-1)
databases {{ valkey_databases }}
# =================================================================
# Logging Configuration
# =================================================================
# Log level
loglevel {{ valkey_loglevel }}
# Syslog integration
{% if valkey_syslog_enabled %}
syslog-enabled yes
syslog-ident {{ valkey_syslog_ident }}
{% endif %}
# =================================================================
# Security Settings
# =================================================================
# Disable dangerous commands by renaming them to an empty string.
# Note: EVAL is disabled too, so clients that rely on Lua scripting will fail;
# Valkey ACLs can restrict commands per user instead of globally if that is needed.
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command KEYS ""
rename-command CONFIG ""
rename-command SHUTDOWN VALKEY_SHUTDOWN
rename-command DEBUG ""
rename-command EVAL ""
# =================================================================
# Performance Tuning
# =================================================================
# Active (incremental) rehashing of the main hash tables - the default; it keeps
# memory compact at a small CPU cost, set to no only for latency-critical workloads
activerehashing yes
# Client output buffer limits for normal clients
client-output-buffer-limit normal 0 0 0
# Client output buffer limits for replica clients
client-output-buffer-limit replica 256mb 64mb 60
# Client output buffer limits for pubsub clients
client-output-buffer-limit pubsub 32mb 8mb 60
# =================================================================
# Application Notes
# =================================================================
#
# Applications should use different database numbers:
# - Database 0: Reserved for system/testing
# - Database 1: Authentik (sessions, cache)
# - Database 2: Nextcloud (sessions, file locking, cache)
# - Database 3+: Future applications
#
# Connection example (note: -a exposes the password in process listings and shell
# history; prefer the REDISCLI_AUTH environment variable on shared hosts):
# redis-cli -h {{ valkey_bind }} -p {{ valkey_port }} -a {{ valkey_requirepass }} -n 1
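A check for the rendered output of this template, added here as an example and not part of the rick-infra role: it parses a valkey.conf and verifies the hardening the template intends (loopback bind, protected mode, a non-empty requirepass, a non-world-accessible Unix socket, and the destructive commands disabled). The sample config and placeholder password are constructed for the example.

```python
from typing import Dict, List, Optional

# Constructed sample of what the template above could render to (not the repo's real output)
SAMPLE_HARDENED = """
bind 127.0.0.1
unixsocket /run/valkey/valkey.sock
unixsocketperm 770
protected-mode yes
requirepass CHANGE-ME-placeholder
save ""
rename-command FLUSHALL ""
rename-command CONFIG ""
rename-command DEBUG ""
"""

def parse_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the argument lists of all its occurrences (rename-command repeats)."""
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        # `save ""` and `rename-command X ""` carry a quoted empty string: normalise it to ""
        conf.setdefault(name.lower(), []).append([a.strip('"') for a in args])
    return conf

def first(conf: Dict[str, List[List[str]]], key: str) -> Optional[str]:
    """First argument of the first occurrence of a directive, or None if absent."""
    occ = conf.get(key)
    return occ[0][0] if occ and occ[0] else None

def audit(conf: Dict[str, List[List[str]]]) -> List[str]:
    """Return findings for the settings this template hardens; an empty list means all pass."""
    findings = []
    binds = [a for args in conf.get("bind", []) for a in args]
    if not binds or any(b in ("0.0.0.0", "*", "::", "-::*") for b in binds):
        findings.append("bind exposes TCP on all interfaces")
    if first(conf, "protected-mode") != "yes":
        findings.append("protected-mode is not yes")
    if not first(conf, "requirepass"):
        findings.append("requirepass is missing or empty")
    perm = first(conf, "unixsocketperm")
    if first(conf, "unixsocket") and (perm is None or int(perm, 8) & 0o007):
        findings.append("unix socket is accessible to other users")
    disabled = {a[0].upper() for a in conf.get("rename-command", []) if len(a) == 2 and a[1] == ""}
    for cmd in ("FLUSHALL", "CONFIG", "DEBUG"):
        if cmd not in disabled:
            findings.append(f"{cmd} is not disabled via rename-command")
    return findings
```

Run it against `/etc/valkey/valkey.conf` after the Ansible role has rendered it; a non-empty list from `audit()` is a deployment that drifted from the template's intent.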