joakim/rick-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b42ee2a22b646a677ab070f8d815b18c0bce7af2
rick-infra/roles/valkey/defaults/main.yml
Joakim b42ee2a22b Fix: Complete authentik Quadlet implementation with networking solution 
Resolves authentik deployment issues by implementing proper Podman Quadlet
configuration and fixing networking for external access through Caddy.

Core Fixes:
• Add missing [Install] sections to container Quadlet files for systemd service generation
• Fix pod references from 'systemd-authentik' to 'authentik.pod' for proper Quadlet linking
• Remove problematic --userns=host to use proper rootless user namespaces
• Configure subuid/subgid ranges for authentik user (200000:65536)
• Update networking to bind 0.0.0.0:9000 only (remove unnecessary HTTPS port 9443)
• Add AUTHENTIK_LISTEN__HTTP=0.0.0.0:9000 environment configuration
• Fix Caddy reverse proxy to use HTTP backend instead of HTTPS

Infrastructure Updates:
• Enhance PostgreSQL role with Unix socket configuration and user management
• Improve Valkey role with proper systemd integration and socket permissions
• Add comprehensive service integration documentation
• Update deployment playbooks with backup and restore capabilities

Security Improvements:
• Secure network isolation with Caddy SSL termination
• Reduced attack surface by removing direct HTTPS container exposure
• Proper rootless container configuration with user namespace mapping

Result: authentik now fully operational with external HTTPS access via auth.jnss.me
All systemd services (authentik-pod, authentik-server, authentik-worker) running correctly.
2025-12-04 19:42:31 +01:00

93 lines
3.1 KiB
YAML
Raw Blame History

---
# =================================================================
# Valkey Infrastructure Role - Simplified Configuration
# =================================================================
# Provides Valkey (Redis-compatible) as shared infrastructure for applications
# Applications manage their own Valkey database selections and usage
# =================================================================
# Essential Configuration
# =================================================================
# Service Management
valkey_service_enabled: true
valkey_service_state: "started"
# Network Security (localhost only - matches PostgreSQL pattern)
valkey_bind: "127.0.0.1"
valkey_port: 6379
valkey_protected_mode: true
# Unix Socket Configuration
valkey_unix_socket_enabled: true
valkey_unix_socket_path: "/var/run/valkey/valkey.sock"
valkey_unix_socket_perm: "770"
# Authentication
valkey_requirepass: "{{ vault_valkey_password }}"
# =================================================================
# Performance Settings (Conservative Defaults)
# =================================================================
# Memory Management
valkey_maxmemory: "256mb"
valkey_maxmemory_policy: "allkeys-lru"
# Persistence (balanced approach)
valkey_save_enabled: true
valkey_save_intervals:
- "900 1" # Save if 1 key changed in 900s
- "300 10" # Save if 10 keys changed in 300s
- "60 10000" # Save if 10000 keys changed in 60s
# RDB and AOF settings
valkey_rdbcompression: true
valkey_rdbchecksum: true
valkey_appendonly: false # RDB only for simplicity
# =================================================================
# Security Configuration
# =================================================================
# Systemd security hardening
valkey_systemd_security: true
# Valkey security settings
valkey_timeout: 300
valkey_tcp_keepalive: 300
valkey_tcp_backlog: 511
# =================================================================
# Database Configuration
# =================================================================
# Database allocation for applications
# Applications should use different database numbers:
# - authentik: database 1
# - nextcloud: database 2
# - future services: database 3, 4, etc.
valkey_databases: 16
# =================================================================
# Logging Configuration
# =================================================================
valkey_loglevel: "notice"
valkey_syslog_enabled: true
valkey_syslog_ident: "valkey"
# =================================================================
# Infrastructure Notes
# =================================================================
# This role provides minimal Valkey infrastructure
# Applications should configure their own Valkey usage:
#
# Environment variables in application configs:
# - VALKEY_HOST: "{{ ansible_default_ipv4.address }}" or "127.0.0.1"
# - VALKEY_PORT: "6379"
# - VALKEY_PASSWORD: "{{ vault_valkey_password }}"
# - VALKEY_DB: "1" (or 2, 3, etc. - unique per application)
#
# Note: Applications can also use REDIS_* environment variables
# for compatibility since Valkey is fully Redis-compatible
Reference in New Issue View Git Blame Copy Permalink