joakim/rick-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d814369c9909e45d009764e53ec9d33c21589a80
rick-infra/roles/authentik/README.md

3.8 KiB
Raw Blame History

Authentik Authentication Service Role

Containerized Authentik authentication service for rick-infra using Podman quadlets and following established architectural patterns.

Features

  • Containerized deployment: Uses Podman with systemd quadlets
  • Self-contained: Manages its own database and configuration
  • Service-specific user: Runs as dedicated authentik user with subuid/subgid
  • Infrastructure integration: PostgreSQL database, Valkey cache, Caddy proxy
  • Bridge networking: Container-to-host communication via host.containers.internal
  • Security hardened: Rootless containers with proper isolation
  • Production ready: HTTPS, proper health checks, restart policies

Architecture

  • Dependencies: PostgreSQL, Valkey, Podman, Caddy infrastructure roles
  • Database: Self-managed authentik database and user in PostgreSQL
  • Cache: Uses Valkey database 1 for session/cache storage
  • Containers: 2-container pod (server + worker) deployed via quadlets
  • Network: Custom bridge network with host gateway access
  • Web access: https://auth.domain.com (via Caddy reverse proxy)

Configuration

Key variables (defaults in defaults/main.yml):

# Service
authentik_service_enabled: true
authentik_http_port: 9000
authentik_https_port: 9443

# Domain 
authentik_subdomain: "auth"
authentik_domain: "{{ caddy_domain }}"

# Container
authentik_image_server: "ghcr.io/goauthentik/server"
authentik_image_tag: "2024.8.3"
authentik_user: "authentik"

# Database (self-managed)
authentik_db_name: "authentik"
authentik_db_user: "authentik"
authentik_db_password: "{{ vault_authentik_db_password }}"

# Cache (Valkey)
authentik_redis_host: "host.containers.internal"
authentik_redis_db: 1

# Security
authentik_secret_key: "{{ vault_authentik_secret_key }}"

Container Architecture

Pod Structure

authentik-pod
├── authentik-server   (web interface, API)
└── authentik-worker   (background tasks)

Networking

  • Bridge network: authentik-net with DNS resolution
  • Host gateway: host.containers.internal → host system
  • Port mapping: 9000:9000 (HTTP), 9443:9443 (HTTPS)

Storage

  • Config: ~authentik/.config/containers/ (quadlets, env)
  • Data: ~authentik/data/ (persistent application data)
  • Media: ~authentik/media/ (uploaded files)

Usage

  1. Add vault secrets: Set required vault variables in host_vars:

    vault_authentik_db_password: "secure_db_password"
vault_authentik_secret_key: "long_random_secret_key"

  2. Deploy: ansible-playbook site.yml --tags authentik

  3. Access: Visit https://auth.yourdomain.com/if/flow/initial-setup/

Dependencies

  • PostgreSQL infrastructure role (database)
  • Valkey infrastructure role (cache)
  • Podman infrastructure role (containers)
  • Caddy web server (HTTPS reverse proxy)
  • Vault secrets: vault_authentik_db_password, vault_authentik_secret_key

Containerized Service Pattern

This role establishes rick-infra's containerized service pattern:

User Management

  • Service-specific user (authentik) with dedicated home directory
  • Subuid/subgid ranges (100000-165535) for rootless containers
  • Systemd user session with lingering enabled

Container Integration

  • Podman quadlets for native systemd integration
  • Custom bridge networks with host gateway access
  • Container-to-host connectivity via host.containers.internal
  • Persistent storage mounted from user home directory

Infrastructure Integration

  • Self-managed database creation via PostgreSQL role
  • Cache integration with Valkey infrastructure
  • Reverse proxy deployment via Caddy sites-enabled
  • Follows rick-infra self-contained service patterns

Rick-Infra Authentik Service
SSO authentication and authorization platform for modern applications.

Reference in New Issue View Git Blame Copy Permalink