joakim/rick-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d814369c9909e45d009764e53ec9d33c21589a80
rick-infra/roles/authentik/README.md

119 lines
3.8 KiB
Markdown
Raw Blame History

# Authentik Authentication Service Role
Containerized Authentik authentication service for rick-infra using Podman quadlets and following established architectural patterns.
## Features
-**Containerized deployment**: Uses Podman with systemd quadlets
-**Self-contained**: Manages its own database and configuration
-**Service-specific user**: Runs as dedicated `authentik` user with subuid/subgid
-**Infrastructure integration**: PostgreSQL database, Valkey cache, Caddy proxy
-**Bridge networking**: Container-to-host communication via host.containers.internal
-**Security hardened**: Rootless containers with proper isolation
-**Production ready**: HTTPS, proper health checks, restart policies
## Architecture
- **Dependencies**: PostgreSQL, Valkey, Podman, Caddy infrastructure roles
- **Database**: Self-managed authentik database and user in PostgreSQL
- **Cache**: Uses Valkey database 1 for session/cache storage
- **Containers**: 2-container pod (server + worker) deployed via quadlets
- **Network**: Custom bridge network with host gateway access
- **Web access**: https://auth.domain.com (via Caddy reverse proxy)
## Configuration
Key variables (defaults in `defaults/main.yml`):
```yaml
# Service
authentik_service_enabled: true
authentik_http_port: 9000
authentik_https_port: 9443
# Domain
authentik_subdomain: "auth"
authentik_domain: "{{ caddy_domain }}"
# Container
authentik_image_server: "ghcr.io/goauthentik/server"
authentik_image_tag: "2024.8.3"
authentik_user: "authentik"
# Database (self-managed)
authentik_db_name: "authentik"
authentik_db_user: "authentik"
authentik_db_password: "{{ vault_authentik_db_password }}"
# Cache (Valkey)
authentik_redis_host: "host.containers.internal"
authentik_redis_db: 1
# Security
authentik_secret_key: "{{ vault_authentik_secret_key }}"
```
## Container Architecture
### Pod Structure
```
authentik-pod
├── authentik-server (web interface, API)
└── authentik-worker (background tasks)
```
### Networking
- **Bridge network**: `authentik-net` with DNS resolution
- **Host gateway**: `host.containers.internal` → host system
- **Port mapping**: 9000:9000 (HTTP), 9443:9443 (HTTPS)
### Storage
- **Config**: `~authentik/.config/containers/` (quadlets, env)
- **Data**: `~authentik/data/` (persistent application data)
- **Media**: `~authentik/media/` (uploaded files)
## Usage
1. **Add vault secrets**: Set required vault variables in host_vars:
```yaml
vault_authentik_db_password: "secure_db_password"
vault_authentik_secret_key: "long_random_secret_key"
```
2. **Deploy**: `ansible-playbook site.yml --tags authentik`
3. **Access**: Visit https://auth.yourdomain.com/if/flow/initial-setup/
## Dependencies
- PostgreSQL infrastructure role (database)
- Valkey infrastructure role (cache)
- Podman infrastructure role (containers)
- Caddy web server (HTTPS reverse proxy)
- Vault secrets: `vault_authentik_db_password`, `vault_authentik_secret_key`
## Containerized Service Pattern
This role establishes rick-infra's containerized service pattern:
### User Management
- Service-specific user (`authentik`) with dedicated home directory
- Subuid/subgid ranges (100000-165535) for rootless containers
- Systemd user session with lingering enabled
### Container Integration
- Podman quadlets for native systemd integration
- Custom bridge networks with host gateway access
- Container-to-host connectivity via `host.containers.internal`
- Persistent storage mounted from user home directory
### Infrastructure Integration
- Self-managed database creation via PostgreSQL role
- Cache integration with Valkey infrastructure
- Reverse proxy deployment via Caddy sites-enabled
- Follows rick-infra self-contained service patterns
---
**Rick-Infra Authentik Service**
SSO authentication and authorization platform for modern applications.
Reference in New Issue View Git Blame Copy Permalink