joakim/rick-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
df4ae0eb170a86b9ce20844fb5903b5c8424f180
rick-infra/roles/authentik/tasks/main.yml
Joakim df4ae0eb17 WIP: Authentik role with Quadlet pod approach - debugging container service generation 
- Created authentik.pod file for proper pod definition
- Removed superfluous authentik-pod.container file
- Updated container templates to reference pod correctly
- Issue: Quadlet still reports 'pod authentik is not Quadlet based'
- Container services not being generated (only pod service works)
2025-11-26 23:24:09 +01:00

216 lines
5.8 KiB
YAML
Raw Blame History

---
# Authentik Authentication Role - Main Tasks
# Self-contained deployment with Podman and Unix sockets
- name: Create authentik group
group:
name: "{{ authentik_group }}"
system: true
- name: Create authentik system user
user:
name: "{{ authentik_user }}"
system: true
shell: /bin/bash
home: "{{ authentik_home }}"
create_home: true
group: "{{ authentik_group }}"
- name: Create authentik directories
file:
path: "{{ item }}"
state: directory
owner: "{{ authentik_user }}"
group: "{{ authentik_group }}"
mode: '0755'
loop:
- "{{ authentik_home }}"
- "{{ authentik_data_dir }}"
- "{{ authentik_media_dir }}"
- "{{ authentik_user_quadlet_dir }}"
- name: Get authentik user UID
getent:
database: passwd
key: "{{ authentik_user }}"
register: authentik_user_info
- name: Set authentik UID variable
set_fact:
authentik_uid: "{{ authentik_user_info.ansible_facts.getent_passwd[authentik_user][1] }}"
- name: Enable lingering for authentik user (services persist without login)
command: loginctl enable-linger {{ authentik_user }}
register: linger_result
changed_when: linger_result.rc == 0
- name: Ensure XDG runtime directory exists
file:
path: "/run/user/{{ authentik_uid }}"
state: directory
owner: "{{ authentik_user }}"
group: "{{ authentik_group }}"
mode: '0700'
- name: Setup database access and permissions
include_tasks: database.yml
tags: [database, setup]
- name: Setup cache access and permissions
include_tasks: cache.yml
tags: [cache, setup]
- name: Deploy environment configuration
template:
src: authentik.env.j2
dest: "{{ authentik_home }}/.env"
owner: "{{ authentik_user }}"
group: "{{ authentik_group }}"
mode: '0600'
backup: true
notify:
- restart authentik pod
- restart authentik server
- restart authentik worker
tags: [config]
- name: Create Quadlet systemd directory (user scope)
file:
path: "{{ authentik_quadlet_dir }}"
state: directory
owner: "{{ authentik_user }}"
group: "{{ authentik_group }}"
mode: '0755'
- name: Deploy Quadlet pod and container files (user scope)
template:
src: "{{ item.src }}"
dest: "{{ authentik_quadlet_dir }}/{{ item.dest }}"
owner: "{{ authentik_user }}"
group: "{{ authentik_group }}"
mode: '0644'
loop:
- { src: 'authentik.pod', dest: 'authentik.pod' }
- { src: 'authentik-server.container', dest: 'authentik-server.container' }
- { src: 'authentik-worker.container', dest: 'authentik-worker.container' }
become: true
become_user: "{{ authentik_user }}"
notify:
- reload systemd user
- restart authentik pod
- restart authentik server
- restart authentik worker
tags: [containers, deployment]
- name: Deploy Caddy configuration
template:
src: authentik.caddy.j2
dest: "{{ caddy_sites_enabled_dir }}/authentik.caddy"
owner: root
group: "{{ caddy_user }}"
mode: '0644'
backup: true
notify: reload caddy
tags: [caddy, reverse-proxy]
- name: Ensure system dependencies are running
systemd:
name: "{{ item }}"
state: started
loop:
- postgresql
- valkey
register: system_deps
- name: Wait for PostgreSQL socket to be ready
wait_for:
path: "{{ postgresql_unix_socket_directories }}/.s.PGSQL.{{ postgresql_port }}"
timeout: 30
when: postgresql_unix_socket_enabled
- name: Wait for Valkey socket to be ready
wait_for:
path: "{{ valkey_unix_socket_path }}"
timeout: 30
when: valkey_unix_socket_enabled
- name: Reload systemd daemon for Quadlet (user scope)
systemd:
daemon_reload: true
scope: user
become: true
become_user: "{{ authentik_user }}"
environment:
XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
tags: [containers, deployment]
- name: Enable and start Authentik pod (user scope)
systemd:
name: "authentik-pod"
enabled: "{{ authentik_service_enabled }}"
state: "{{ authentik_service_state }}"
scope: user
daemon_reload: true
become: true
become_user: "{{ authentik_user }}"
environment:
XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
tags: [containers, service]
- name: Enable and start Authentik server (user scope)
systemd:
name: "{{ authentik_container_server_name }}"
enabled: "{{ authentik_service_enabled }}"
state: "{{ authentik_service_state }}"
scope: user
daemon_reload: true
become: true
become_user: "{{ authentik_user }}"
environment:
XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
tags: [containers, service]
- name: Enable and start Authentik worker (user scope)
systemd:
name: "{{ authentik_container_worker_name }}"
enabled: "{{ authentik_service_enabled }}"
state: "{{ authentik_service_state }}"
scope: user
daemon_reload: true
become: true
become_user: "{{ authentik_user }}"
environment:
XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
tags: [containers, service]
- name: Wait for Authentik to be ready
uri:
url: "https://{{ authentik_domain }}/if/health/live/"
method: GET
status_code: [200]
timeout: 30
validate_certs: true
retries: 10
delay: 30
register: authentik_health_check
tags: [verification, health-check]
- name: Display Authentik deployment status
debug:
msg: |
✅ Authentik Authentication deployed successfully!
🌐 Domain: {{ authentik_domain }}
🗄️ Database: {{ authentik_db_name }} (Unix socket)
🗄️ Cache: Valkey DB {{ authentik_valkey_db }} (Unix socket)
🐳 Containers: Pod with server + worker
🔒 Admin: {{ authentik_default_admin_email }}
🚀 Ready for SSO configuration!
📋 Next Steps:
- Access {{ authentik_domain }} to complete setup
- Configure applications and providers
- Set up SSO for services
tags: [verification]
Reference in New Issue View Git Blame Copy Permalink