Resolves authentik deployment issues by implementing proper Podman Quadlet configuration and fixing networking for external access through Caddy.

Core Fixes:
• Add missing [Install] sections to container Quadlet files for systemd service generation
• Fix pod references from 'systemd-authentik' to 'authentik.pod' for proper Quadlet linking
• Remove problematic --userns=host to use proper rootless user namespaces
• Configure subuid/subgid ranges for authentik user (200000:65536)
• Update networking to bind 0.0.0.0:9000 only (remove unnecessary HTTPS port 9443)
• Add AUTHENTIK_LISTEN__HTTP=0.0.0.0:9000 environment configuration
• Fix Caddy reverse proxy to use HTTP backend instead of HTTPS

Infrastructure Updates:
• Enhance PostgreSQL role with Unix socket configuration and user management
• Improve Valkey role with proper systemd integration and socket permissions
• Add comprehensive service integration documentation
• Update deployment playbooks with backup and restore capabilities

Security Improvements:
• Secure network isolation with Caddy SSL termination
• Reduced attack surface by removing direct HTTPS container exposure
• Proper rootless container configuration with user namespace mapping

Result: authentik now fully operational with external HTTPS access via auth.jnss.me
All systemd services (authentik-pod, authentik-server, authentik-worker) running correctly.
Valkey Infrastructure Role
This role provides Valkey as shared infrastructure for the rick-infra project, following the same patterns established by the PostgreSQL role.
Overview
Valkey is a high-performance data structure store used as a database, cache, and message broker. It's a Redis fork that maintains 100% Redis compatibility while providing additional features and improvements.
Valkey is deployed as a host-level service that multiple applications can use for caching, sessions, and data storage. Each application configures its own Valkey database number and connection parameters.
Why Valkey?
- Redis-compatible: Drop-in replacement for Redis with identical API
- Open source: Truly open source alternative to Redis
- Performance: Enhanced performance optimizations
- Arch Linux default: Arch Linux provides Valkey instead of Redis in the redis package
- Future-proof: Active development and community support
Features
- Security-focused: Localhost-only binding, password authentication, disabled dangerous commands
- Systemd integration: Native systemd service management with security hardening
- Multi-application support: 16 databases available for different services
- Performance optimized: Conservative memory limits and persistence settings
- Infrastructure pattern: Matches PostgreSQL role architecture
- Redis compatibility: Applications can use standard Redis clients and commands
Database Allocation
Applications should use different Valkey database numbers:
- Database 0: Reserved for system/testing use
- Database 1: Authentik (sessions, cache)
- Database 2: Nextcloud (sessions, file locking, cache)
- Database 3+: Available for additional services
Configuration
Required Variables
vault_valkey_password: "your-secure-valkey-password"
Optional Overrides
# Service management
valkey_service_enabled: true
valkey_service_state: "started"
# Network configuration
valkey_bind: "127.0.0.1"
valkey_port: 6379
# Memory management
valkey_maxmemory: "256mb"
valkey_maxmemory_policy: "allkeys-lru"
# Security hardening
valkey_systemd_security: true
Application Integration
Applications can connect to Valkey using either Valkey-specific or Redis-compatible patterns:
Valkey Environment Variables (Recommended)
VALKEY_HOST: "{{ ansible_default_ipv4.address }}"
VALKEY_PORT: "6379"
VALKEY_PASSWORD: "{{ vault_valkey_password }}"
VALKEY_DB: "1" # Unique database number per application
Redis-Compatible Environment Variables (Also Supported)
REDIS_HOST: "{{ ansible_default_ipv4.address }}"
REDIS_PORT: "6379"
REDIS_PASSWORD: "{{ vault_valkey_password }}"
REDIS_DB: "1" # Unique database number per application
Connection Example
# Using redis-cli (Redis-compatible)
redis-cli -h 127.0.0.1 -p 6379 -a password -n 1
# Passing the password with -a exposes it to the process list and shell history;
# redis-cli also reads it from the REDISCLI_AUTH environment variable instead
# Using valkey-cli (native Valkey client)
valkey-cli -h 127.0.0.1 -p 6379 -a password -n 1
Redis Compatibility
Valkey maintains 100% Redis compatibility:
- Same commands: All Redis commands work identically
- Same protocols: RESP (Redis Serialization Protocol) supported
- Same client libraries: All Redis client libraries work without modification
- Same configuration format: Configuration syntax identical to Redis
- Same data types: All Redis data types supported
Security
- Network isolation: Binds only to localhost
- Authentication: Password protection required
- Command restrictions: Dangerous commands disabled
- Systemd hardening: Full security restrictions applied
- File permissions: Restrictive access to configuration and data
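A small audit that parses a valkey.conf and checks it against the posture listed above (loopback bind, password required, dangerous commands disabled, memory limit and eviction policy). This is an added example, not code from the role; the set of commands treated as dangerous and the two sample configs are constructed assumptions for the example.

```python
"""Audit a valkey.conf against the hardening this role describes (added example)."""
import shlex

# Commands treated as "dangerous" here; the exact set the role disables
# is an assumption for this example, not taken from the role's templates.
DANGEROUS_COMMANDS = ("FLUSHALL", "FLUSHDB", "CONFIG", "DEBUG", "SHUTDOWN")
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_conf(text: str) -> dict[str, list[list[str]]]:
    """Parse Redis/Valkey config syntax (one directive per line, shell-like
    quoting). Repeated directives such as rename-command are all kept."""
    directives: dict[str, list[list[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def audit(text: str) -> list[str]:
    """Return findings; an empty list means the config matches the role's posture."""
    conf = parse_conf(text)
    findings = []
    bind = conf.get("bind")  # no bind directive means all interfaces
    if bind is None or any(a.lstrip("-") not in LOOPBACK for a in bind[-1]):
        findings.append("bind: not restricted to loopback")
    if not any(conf.get("requirepass", [[]])[-1]):
        findings.append("requirepass: no password set")
    # `rename-command X ""` disables X entirely
    disabled = {a[0].upper() for a in conf.get("rename-command", [])
                if len(a) == 2 and a[1] == ""}
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in disabled:
            findings.append(f"rename-command: {cmd} still enabled")
    if "maxmemory" not in conf:
        findings.append("maxmemory: no limit set")
    if conf.get("maxmemory-policy", [[""]])[-1][:1] != ["allkeys-lru"]:
        findings.append("maxmemory-policy: expected allkeys-lru")
    return findings


# Constructed samples: one matching the role's defaults, one stock-looking.
HARDENED_CONF = (
    'bind 127.0.0.1 -::1\nrequirepass change-me-in-vault\n'
    'maxmemory 256mb\nmaxmemory-policy allkeys-lru\n'
    + "".join(f'rename-command {c} ""\n' for c in DANGEROUS_COMMANDS)
)
WEAK_CONF = "bind 0.0.0.0\nport 6379\nmaxmemory-policy noeviction\n"
```

Run `audit(open("/etc/valkey/valkey.conf").read())` on a deployed host to compare the live file against the role's stated settings.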
Dependencies
This is an infrastructure role with no dependencies. Applications that need Valkey should declare this role as a dependency:
# roles/your-app/meta/main.yml
dependencies:
- role: valkey
Service Management
# Service status
sudo systemctl status valkey
# View logs
sudo journalctl -u valkey -f
# Test connectivity
redis-cli -h 127.0.0.1 -p 6379 -a password ping
Monitoring
Valkey status is reported during deployment and can be monitored through:
- systemctl: Service health and status
- journald: Centralized logging
- Redis CLI: Direct connectivity testing using standard Redis tools
- Application logs: Connection status from applications
File Locations
- Configuration: /etc/valkey/valkey.conf
- Data directory: /var/lib/valkey
- Systemd override: /etc/systemd/system/valkey.service.d/override.conf
- Logs: journalctl -u valkey
Migration from Redis
If migrating from Redis:
- Data compatibility: Valkey can read existing Redis data files
- Configuration: Most Redis configurations work without changes
- Applications: No application changes required due to protocol compatibility
- Monitoring: Same Redis monitoring tools work with Valkey
Notes
This role follows the rick-infra infrastructure pattern where foundational services (Valkey, PostgreSQL) are provided as host-level services, and applications configure their own usage patterns rather than managing separate instances.
Arch Linux Integration: The role automatically works with Arch Linux's package system, which provides Valkey as the redis package with full Redis compatibility.