Add authentik to ansible

.gitignore

@@ -4,6 +4,7 @@
 
 # services already handled by ansible
 /acme-dns/
+/authentik/
 /coder/
 /forgejo/
 /forgejo-runner/
@@ -28,6 +29,7 @@
 /woodpecker/
 
 /caddy/config/conf.002.d/acme.serguzim.me.conf
+/caddy/config/conf.002.d/auth.serguzim.me.conf
 /caddy/config/conf.002.d/analytics.serguzim.me.conf
 /caddy/config/conf.002.d/ci.serguzim.me.conf
 /caddy/config/conf.002.d/coder.serguzim.me.conf

_ansible/node002.yml

@@ -3,6 +3,7 @@
   hosts: node002
   roles:
     - acme-dns
+    - authentik
     - coder
     - faas
     - forgejo

_ansible/roles/authentik/tasks/main.yml

@@ -0,0 +1,7 @@
+---
+- name: Deploy {{ svc.name }}
+  tags:
+    - authentik
+    - authentication
+  block:
+    - import_tasks: deploy-common-service.yml

_ansible/roles/authentik/vars/main.yml

@@ -0,0 +1,60 @@
+svc:
+  domain: "auth.serguzim.me"
+  name: authentik
+  port: 9000
+  image_tag: 2023.8
+  db:
+    host: "{{ postgres.host }}"
+    database: authentik
+    user: "{{ vault_authentik.db.user }}"
+    pass: "{{ vault_authentik.db.pass }}"
+
+svc_env:
+  AUTHENTIK_SECRET_KEY: "{{ vault_authentik.secret_key }}"
+
+  AUTHENTIK_EMAIL__HOST: "{{ mailer.host }}"
+  AUTHENTIK_EMAIL__PORT: "{{ mailer.port }}"
+  AUTHENTIK_EMAIL__USERNAME: "{{ vault_authentik.mail.user }}"
+  AUTHENTIK_EMAIL__PASSWORD: "{{ vault_authentik.mail.pass }}"
+  AUTHENTIK_EMAIL__USE_TLS: true
+  AUTHENTIK_EMAIL__USE_SSL: false
+  AUTHENTIK_EMAIL__TIMEOUT: 10
+  AUTHENTIK_EMAIL__FROM: auth@serguzim.me
+
+  AUTHENTIK_AVATARS: none
+
+  AUTHENTIK_REDIS__HOST: redis
+
+  AUTHENTIK_POSTGRESQL__HOST: "{{ svc.db.host }}"
+  AUTHENTIK_POSTGRESQL__NAME: "{{ svc.db.database }}"
+  AUTHENTIK_POSTGRESQL__USER: "{{ svc.db.user }}"
+  AUTHENTIK_POSTGRESQL__PASSWORD: "{{ svc.db.pass }}"
+
+compose:
+  watchtower: false
+  image: "ghcr.io/goauthentik/server:{{ svc.image_tag }}"
+  env: true
+  file:
+    services:
+      app:
+        depends_on:
+          - redis
+      worker:
+        image: "ghcr.io/goauthentik/server:{{ svc.image_tag }}"
+        restart: always
+        command: worker
+        user: root
+        volumes:
+          - /var/run/docker.sock:/var/run/docker.sock
+        env_file:
+          - service.env
+        depends_on:
+          - redis
+        networks:
+          default:
+
+      redis:
+        image: redis:alpine
+        restart: always
+        networks:
+          default:

authentik/.env

@@ -1,19 +0,0 @@
-AUTHENTIK_SECRET_KEY=
-
-AUTHENTIK_EMAIL__HOST=mail.serguzim.me
-AUTHENTIK_EMAIL__PORT=587
-AUTHENTIK_EMAIL__USERNAME=auth@serguzim.me
-AUTHENTIK_EMAIL__PASSWORD=
-AUTHENTIK_EMAIL__USE_TLS=true
-AUTHENTIK_EMAIL__USE_SSL=false
-AUTHENTIK_EMAIL__TIMEOUT=10
-AUTHENTIK_EMAIL__FROM=auth@serguzim.me
-
-AUTHENTIK_AVATARS=none
-
-AUTHENTIK_REDIS__HOST=redis
-
-AUTHENTIK_POSTGRESQL__HOST=node002.serguzim.net
-AUTHENTIK_POSTGRESQL__USER=authentik
-AUTHENTIK_POSTGRESQL__NAME=authentik
-AUTHENTIK_POSTGRESQL__PASSWORD=

authentik/.gitignore

@@ -1,2 +0,0 @@
-backups/
-certs/

authentik/docker-compose.yml

@@ -1,43 +0,0 @@
-version: '3.2'
-
-services:
-  app:
-    image: ghcr.io/goauthentik/server:2023.8
-    restart: unless-stopped
-    command: server
-    env_file:
-      - .env
-      - .secret.env
-    depends_on:
-      - redis
-    networks:
-      default:
-      apps:
-        aliases:
-          - authentik
-
-  worker:
-    image: ghcr.io/goauthentik/server:2023.8
-    restart: unless-stopped
-    command: worker
-    user: root
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-    env_file:
-      - .env
-      - .secret.env
-    depends_on:
-      - redis
-    networks:
-      default:
-
-  redis:
-    image: redis:alpine
-    restart: unless-stopped
-    networks:
-      default:
-
-networks:
-  default:
-  apps:
-    external: true

caddy/config/conf.002.d/auth.serguzim.me.conf

@@ -1,4 +0,0 @@
-auth.serguzim.me {
-	import default
-	reverse_proxy authentik:9000
-}