add authentik

authentik.yml

@@ -0,0 +1,6 @@
+- hosts: authentik
+  vars:
+    ansible_user: root
+  roles:
+    - base
+    - authentik

roles/authentik/handlers/main.yml

@@ -0,0 +1,22 @@
+- name: systemctl daemon-reload
+  command: systemctl daemon-reload
+
+- name: restart authentik-server
+  service:
+    name: authentik-server
+    state: restarted
+
+- name: restart authentik-worker
+  service:
+    name: authentik-worker
+    state: restarted
+
+- name: restart postgresql
+  service:
+    name: postgresql
+    state: restarted
+
+- name: restart redis
+  service:
+    name: redis
+    state: restarted

roles/authentik/tasks/main.yml

@@ -0,0 +1,76 @@
+- name: Install dependencies
+  apt:
+    name: [postgresql, redis, podman, python3-psycopg2]
+
+- name: Install authentik-*.service
+  template:
+    src: authentik-{{ item }}.service
+    dest: /etc/systemd/system/authentik-{{ item }}.service
+  with_items: [server, worker]
+  notify:
+    - systemctl daemon-reload
+    - restart authentik-server
+    - restart authentik-worker
+
+- name: Enable authentik-*.service
+  service:
+    name: "authentik-{{ item }}"
+    enabled: true
+  with_items: [server, worker]
+
+- name: Configure Authentik environment variables
+  template:
+    src: authentik.env
+    dest: /etc/authentik.env
+  notify:
+    - restart authentik-server
+    - restart authentik-worker
+
+- name: make some folders
+  file:
+    path: "{{ item }}"
+    state: directory
+  with_items:
+    - /var/lib/authentik/media
+    - /var/lib/authentik/templates
+
+- name: configure postgres to listen for connections from containers
+  template:
+    src: postgres.conf
+    dest: /etc/postgresql/15/main/conf.d/listen.conf
+  notify:
+    - restart postgresql
+
+- name: configure postgres container access
+  community.postgresql.postgresql_pg_hba:
+    address: 10.88.0.0/24
+    contype: host
+    databases: authentik
+    dest: /etc/postgresql/15/main/pg_hba.conf
+  notify:
+    - restart postgresql
+
+- name: configure redis
+  template:
+    src: redis.conf
+    dest: /etc/redis/redis.conf
+  notify:
+    - restart redis
+
+- include_tasks:
+    file: postgres.yml
+    apply:
+      become: true
+      become_user: postgres
+
+- name: make override dirs
+  file:
+    name: "/etc/systemd/system/{{ item }}.service.d"
+    state: directory
+  with_items: [redis, postgresql@15-main]
+
+- name: configure service overrides to make sure they bind to the podman network
+  template:
+    src: block-until-podman.conf
+    dest: "/etc/systemd/system/{{ item }}.service.d/block-until-podman.conf"
+  with_items: [redis, postgresql@15-main]

roles/authentik/tasks/postgres.yml

@@ -0,0 +1,24 @@
+- name: create db in postgres
+  community.postgresql.postgresql_db:
+    name: authentik
+
+- name: create postgres authentik user
+  community.postgresql.postgresql_user:
+    name: authentik
+    db: authentik
+    password: "{{ lookup('ansible.builtin.password', 'secrets/' + inventory_hostname + '/authentik-pg-password.txt', length=15) }}"
+
+- name: grant postgres authentik user permissions
+  community.postgresql.postgresql_privs:
+    database: authentik
+    role: authentik
+    type: database
+    privs: all
+
+- name: grant postgres authentik user permissions
+  community.postgresql.postgresql_privs:
+    database: authentik
+    role: authentik
+    type: schema
+    objs: public
+    privs: all

roles/authentik/templates/authentik-server.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Authentik Server
+Wants=network.target
+
+[Service]
+Type=simple
+ExecStartPre=/usr/bin/podman pull ghcr.io/goauthentik/server:2023.10.6
+ExecStartPre=-/usr/bin/podman stop authentik-server
+ExecStartPre=-/usr/bin/podman rm authentik-server
+ExecStart=/usr/bin/podman run --rm -v /var/lib/authentik/media:/media -v /var/lib/authentik/templates:/templates -p 9000:9000 --env-file /etc/authentik.env --name authentik-server ghcr.io/goauthentik/server:2023.10.6 server
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

roles/authentik/templates/authentik-worker.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Authentik Server
+Wants=network.target
+
+[Service]
+Type=simple
+ExecStartPre=/usr/bin/podman pull ghcr.io/goauthentik/server:2023.10.6
+ExecStartPre=-/usr/bin/podman stop authentik-worker
+ExecStartPre=-/usr/bin/podman rm authentik-server
+ExecStart=/usr/bin/podman run --rm -v /var/lib/authentik/media:/media -v /var/lib/authentik/templates:/templates --env-file /etc/authentik.env --name authentik-worker ghcr.io/goauthentik/server:2023.10.6 worker
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

roles/authentik/templates/authentik.env

@@ -0,0 +1,7 @@
+AUTHENTIK_REDIS__HOST=10.88.0.1
+AUTHENTIK_POSTGRESQL__HOST=10.88.0.1
+AUTHENTIK_POSTGRESQL__USER=authentik
+AUTHENTIK_POSTGRESQL__NAME=authentik
+AUTHENTIK_POSTGRESQL__PASSWORD={{ lookup('ansible.builtin.password', 'secrets/' + inventory_hostname + '/authentik-pg-password.txt', length=15) }}
+AUTHENTIK_SECRET_KEY={{ lookup('ansible.builtin.password', 'secrets/' + inventory_hostname + '/authentik-secret-key.txt', length=15) }}
+AUTHENTIK_ERROR_REPORTING__ENABLED=true

roles/authentik/templates/block-until-authentik.service

@@ -0,0 +1,2 @@
+[Unit]
+Requires=authentik-server.service

roles/authentik/templates/postgres.conf

@@ -0,0 +1 @@
+listen_addresses = 'localhost,10.88.0.1'