Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Post-Tyranny-Tech-Infrastru.../ansible/roles/authentik/tasks/bootstrap.yml

47 lines
1.4 KiB
YAML
Raw Normal View History

Add Authentik identity provider to architecture Added Authentik as the identity provider for SSO authentication: Why Authentik: - MIT license (truly open source, most permissive) - Simple Docker Compose deployment (no manual wizards) - Lightweight Python-based architecture - Comprehensive protocol support (SAML, OAuth2/OIDC, LDAP, RADIUS) - No Redis required as of v2025.10 (all caching in PostgreSQL) - Active development and strong community Implementation: - Created complete Authentik Ansible role - Docker Compose with server + worker architecture - PostgreSQL 16 database backend - Traefik integration with Let's Encrypt SSL - Bootstrap tasks for initial setup guidance - Health checks and proper service dependencies Architecture decisions updated: - Documented comparison: Authentik vs Zitadel vs Keycloak - Explained Zitadel removal (FirstInstance bugs) - Added deployment example and configuration notes Next steps: - Update documentation (PROJECT_REFERENCE.md, README.md) - Create Authentik agent configuration - Add secrets template - Test deployment on test server 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-07 11:23:13 +01:00
---
# Bootstrap tasks for initial Authentik configuration
feat: Complete Authentik SSO integration with automated OIDC setup ## Changes ### Identity Provider (Authentik) - ✅ Deployed Authentik 2025.10.3 as identity provider - ✅ Configured automatic bootstrap with admin account (akadmin) - ✅ Fixed OIDC provider creation with correct redirect_uris format - ✅ Added automated OAuth2/OIDC provider configuration for Nextcloud - ✅ API-driven provider setup eliminates manual configuration ### Nextcloud Configuration - ✅ Fixed reverse proxy header configuration (trusted_proxies) - ✅ Added missing database indices (fs_storage_path_prefix) - ✅ Ran mimetype migrations for proper file type handling - ✅ Verified PHP upload limits (16GB upload_max_filesize) - ✅ Configured OIDC integration with Authentik - ✅ "Login with Authentik" button auto-configured ### Automation Scripts - ✅ Added deploy-client.sh for automated client deployment - ✅ Added rebuild-client.sh for infrastructure rebuild - ✅ Added destroy-client.sh for cleanup - ✅ Full deployment now takes ~10-15 minutes end-to-end ### Documentation - ✅ Updated README with automated deployment instructions - ✅ Added SSO automation workflow documentation - ✅ Added automation status tracking - ✅ Updated project reference with Authentik details ### Technical Fixes - Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode) - Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add) - Fixed file lookup in Ansible (changed to slurp for remote files) - Updated Traefik to v3.6 for Docker API 1.44 compatibility - Improved error handling in app installation tasks ## Security - All credentials stored in SOPS-encrypted secrets - Trusted proxy configuration prevents IP spoofing - Bootstrap tokens auto-generated and secured ## Result Fully automated SSO deployment - no manual configuration required! 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-08 16:56:19 +01:00
- name: Wait for Authentik to be fully ready
uri:
url: "https://{{ authentik_domain }}/"
validate_certs: yes
status_code: [200, 302]
register: authentik_ready
until: authentik_ready.status in [200, 302]
fix: Improve Authentik bootstrap resilience - Increase HTTPS readiness check retries from 30 to 60 - Increase delay between retries from 10s to 15s (total max wait: 15 minutes) - Add failed_when: false to prevent deployment failure - Display helpful warning if HTTPS not yet accessible - Continues deployment even if DNS/SSL not ready yet This resolves timing issues during initial deployment when: - DNS records are still propagating - Let's Encrypt certificates are being issued - Traefik is still configuring routes Authentik runs internally on HTTP and will be accessible via HTTPS once DNS/SSL is fully configured. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-08 17:39:42 +01:00
retries: 60
delay: 15
failed_when: false
- name: Display warning if HTTPS access not yet available
debug:
msg: |
⚠ WARNING: Authentik not yet accessible via HTTPS
This is normal during initial deployment when:
- DNS records are still propagating
- Let's Encrypt certificates are being issued
- Traefik is still configuring routes
Authentik is running internally and will be accessible soon.
The deployment will continue with internal checks.
when: authentik_ready.status not in [200, 302]
feat: Complete Authentik SSO integration with automated OIDC setup ## Changes ### Identity Provider (Authentik) - ✅ Deployed Authentik 2025.10.3 as identity provider - ✅ Configured automatic bootstrap with admin account (akadmin) - ✅ Fixed OIDC provider creation with correct redirect_uris format - ✅ Added automated OAuth2/OIDC provider configuration for Nextcloud - ✅ API-driven provider setup eliminates manual configuration ### Nextcloud Configuration - ✅ Fixed reverse proxy header configuration (trusted_proxies) - ✅ Added missing database indices (fs_storage_path_prefix) - ✅ Ran mimetype migrations for proper file type handling - ✅ Verified PHP upload limits (16GB upload_max_filesize) - ✅ Configured OIDC integration with Authentik - ✅ "Login with Authentik" button auto-configured ### Automation Scripts - ✅ Added deploy-client.sh for automated client deployment - ✅ Added rebuild-client.sh for infrastructure rebuild - ✅ Added destroy-client.sh for cleanup - ✅ Full deployment now takes ~10-15 minutes end-to-end ### Documentation - ✅ Updated README with automated deployment instructions - ✅ Added SSO automation workflow documentation - ✅ Added automation status tracking - ✅ Updated project reference with Authentik details ### Technical Fixes - Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode) - Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add) - Fixed file lookup in Ansible (changed to slurp for remote files) - Updated Traefik to v3.6 for Docker API 1.44 compatibility - Improved error handling in app installation tasks ## Security - All credentials stored in SOPS-encrypted secrets - Trusted proxy configuration prevents IP spoofing - Bootstrap tokens auto-generated and secured ## Result Fully automated SSO deployment - no manual configuration required! 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-08 16:56:19 +01:00
- name: Display bootstrap status
debug:
msg: |
========================================
Authentik is running!
========================================
Add Authentik identity provider to architecture Added Authentik as the identity provider for SSO authentication: Why Authentik: - MIT license (truly open source, most permissive) - Simple Docker Compose deployment (no manual wizards) - Lightweight Python-based architecture - Comprehensive protocol support (SAML, OAuth2/OIDC, LDAP, RADIUS) - No Redis required as of v2025.10 (all caching in PostgreSQL) - Active development and strong community Implementation: - Created complete Authentik Ansible role - Docker Compose with server + worker architecture - PostgreSQL 16 database backend - Traefik integration with Let's Encrypt SSL - Bootstrap tasks for initial setup guidance - Health checks and proper service dependencies Architecture decisions updated: - Documented comparison: Authentik vs Zitadel vs Keycloak - Explained Zitadel removal (FirstInstance bugs) - Added deployment example and configuration notes Next steps: - Update documentation (PROJECT_REFERENCE.md, README.md) - Create Authentik agent configuration - Add secrets template - Test deployment on test server 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-07 11:23:13 +01:00
feat: Complete Authentik SSO integration with automated OIDC setup ## Changes ### Identity Provider (Authentik) - ✅ Deployed Authentik 2025.10.3 as identity provider - ✅ Configured automatic bootstrap with admin account (akadmin) - ✅ Fixed OIDC provider creation with correct redirect_uris format - ✅ Added automated OAuth2/OIDC provider configuration for Nextcloud - ✅ API-driven provider setup eliminates manual configuration ### Nextcloud Configuration - ✅ Fixed reverse proxy header configuration (trusted_proxies) - ✅ Added missing database indices (fs_storage_path_prefix) - ✅ Ran mimetype migrations for proper file type handling - ✅ Verified PHP upload limits (16GB upload_max_filesize) - ✅ Configured OIDC integration with Authentik - ✅ "Login with Authentik" button auto-configured ### Automation Scripts - ✅ Added deploy-client.sh for automated client deployment - ✅ Added rebuild-client.sh for infrastructure rebuild - ✅ Added destroy-client.sh for cleanup - ✅ Full deployment now takes ~10-15 minutes end-to-end ### Documentation - ✅ Updated README with automated deployment instructions - ✅ Added SSO automation workflow documentation - ✅ Added automation status tracking - ✅ Updated project reference with Authentik details ### Technical Fixes - Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode) - Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add) - Fixed file lookup in Ansible (changed to slurp for remote files) - Updated Traefik to v3.6 for Docker API 1.44 compatibility - Improved error handling in app installation tasks ## Security - All credentials stored in SOPS-encrypted secrets - Trusted proxy configuration prevents IP spoofing - Bootstrap tokens auto-generated and secured ## Result Fully automated SSO deployment - no manual configuration required! 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-08 16:56:19 +01:00
URL: https://{{ authentik_domain }}
Add Authentik identity provider to architecture Added Authentik as the identity provider for SSO authentication: Why Authentik: - MIT license (truly open source, most permissive) - Simple Docker Compose deployment (no manual wizards) - Lightweight Python-based architecture - Comprehensive protocol support (SAML, OAuth2/OIDC, LDAP, RADIUS) - No Redis required as of v2025.10 (all caching in PostgreSQL) - Active development and strong community Implementation: - Created complete Authentik Ansible role - Docker Compose with server + worker architecture - PostgreSQL 16 database backend - Traefik integration with Let's Encrypt SSL - Bootstrap tasks for initial setup guidance - Health checks and proper service dependencies Architecture decisions updated: - Documented comparison: Authentik vs Zitadel vs Keycloak - Explained Zitadel removal (FirstInstance bugs) - Added deployment example and configuration notes Next steps: - Update documentation (PROJECT_REFERENCE.md, README.md) - Create Authentik agent configuration - Add secrets template - Test deployment on test server 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-07 11:23:13 +01:00
feat: Complete Authentik SSO integration with automated OIDC setup ## Changes ### Identity Provider (Authentik) - ✅ Deployed Authentik 2025.10.3 as identity provider - ✅ Configured automatic bootstrap with admin account (akadmin) - ✅ Fixed OIDC provider creation with correct redirect_uris format - ✅ Added automated OAuth2/OIDC provider configuration for Nextcloud - ✅ API-driven provider setup eliminates manual configuration ### Nextcloud Configuration - ✅ Fixed reverse proxy header configuration (trusted_proxies) - ✅ Added missing database indices (fs_storage_path_prefix) - ✅ Ran mimetype migrations for proper file type handling - ✅ Verified PHP upload limits (16GB upload_max_filesize) - ✅ Configured OIDC integration with Authentik - ✅ "Login with Authentik" button auto-configured ### Automation Scripts - ✅ Added deploy-client.sh for automated client deployment - ✅ Added rebuild-client.sh for infrastructure rebuild - ✅ Added destroy-client.sh for cleanup - ✅ Full deployment now takes ~10-15 minutes end-to-end ### Documentation - ✅ Updated README with automated deployment instructions - ✅ Added SSO automation workflow documentation - ✅ Added automation status tracking - ✅ Updated project reference with Authentik details ### Technical Fixes - Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode) - Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add) - Fixed file lookup in Ansible (changed to slurp for remote files) - Updated Traefik to v3.6 for Docker API 1.44 compatibility - Improved error handling in app installation tasks ## Security - All credentials stored in SOPS-encrypted secrets - Trusted proxy configuration prevents IP spoofing - Bootstrap tokens auto-generated and secured ## Result Fully automated SSO deployment - no manual configuration required! 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-08 16:56:19 +01:00
Bootstrap Configuration:
✓ Admin user 'akadmin' automatically created
✓ Password: (stored in secrets file)
✓ API token: (stored in secrets file)
Add Authentik identity provider to architecture Added Authentik as the identity provider for SSO authentication: Why Authentik: - MIT license (truly open source, most permissive) - Simple Docker Compose deployment (no manual wizards) - Lightweight Python-based architecture - Comprehensive protocol support (SAML, OAuth2/OIDC, LDAP, RADIUS) - No Redis required as of v2025.10 (all caching in PostgreSQL) - Active development and strong community Implementation: - Created complete Authentik Ansible role - Docker Compose with server + worker architecture - PostgreSQL 16 database backend - Traefik integration with Let's Encrypt SSL - Bootstrap tasks for initial setup guidance - Health checks and proper service dependencies Architecture decisions updated: - Documented comparison: Authentik vs Zitadel vs Keycloak - Explained Zitadel removal (FirstInstance bugs) - Added deployment example and configuration notes Next steps: - Update documentation (PROJECT_REFERENCE.md, README.md) - Create Authentik agent configuration - Add secrets template - Test deployment on test server 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-07 11:23:13 +01:00
feat: Complete Authentik SSO integration with automated OIDC setup ## Changes ### Identity Provider (Authentik) - ✅ Deployed Authentik 2025.10.3 as identity provider - ✅ Configured automatic bootstrap with admin account (akadmin) - ✅ Fixed OIDC provider creation with correct redirect_uris format - ✅ Added automated OAuth2/OIDC provider configuration for Nextcloud - ✅ API-driven provider setup eliminates manual configuration ### Nextcloud Configuration - ✅ Fixed reverse proxy header configuration (trusted_proxies) - ✅ Added missing database indices (fs_storage_path_prefix) - ✅ Ran mimetype migrations for proper file type handling - ✅ Verified PHP upload limits (16GB upload_max_filesize) - ✅ Configured OIDC integration with Authentik - ✅ "Login with Authentik" button auto-configured ### Automation Scripts - ✅ Added deploy-client.sh for automated client deployment - ✅ Added rebuild-client.sh for infrastructure rebuild - ✅ Added destroy-client.sh for cleanup - ✅ Full deployment now takes ~10-15 minutes end-to-end ### Documentation - ✅ Updated README with automated deployment instructions - ✅ Added SSO automation workflow documentation - ✅ Added automation status tracking - ✅ Updated project reference with Authentik details ### Technical Fixes - Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode) - Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add) - Fixed file lookup in Ansible (changed to slurp for remote files) - Updated Traefik to v3.6 for Docker API 1.44 compatibility - Improved error handling in app installation tasks ## Security - All credentials stored in SOPS-encrypted secrets - Trusted proxy configuration prevents IP spoofing - Bootstrap tokens auto-generated and secured ## Result Fully automated SSO deployment - no manual configuration required! 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-08 16:56:19 +01:00
The admin account and API token are automatically configured
via AUTHENTIK_BOOTSTRAP_* environment variables.
Add Authentik identity provider to architecture Added Authentik as the identity provider for SSO authentication: Why Authentik: - MIT license (truly open source, most permissive) - Simple Docker Compose deployment (no manual wizards) - Lightweight Python-based architecture - Comprehensive protocol support (SAML, OAuth2/OIDC, LDAP, RADIUS) - No Redis required as of v2025.10 (all caching in PostgreSQL) - Active development and strong community Implementation: - Created complete Authentik Ansible role - Docker Compose with server + worker architecture - PostgreSQL 16 database backend - Traefik integration with Let's Encrypt SSL - Bootstrap tasks for initial setup guidance - Health checks and proper service dependencies Architecture decisions updated: - Documented comparison: Authentik vs Zitadel vs Keycloak - Explained Zitadel removal (FirstInstance bugs) - Added deployment example and configuration notes Next steps: - Update documentation (PROJECT_REFERENCE.md, README.md) - Create Authentik agent configuration - Add secrets template - Test deployment on test server 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-07 11:23:13 +01:00
feat: Complete Authentik SSO integration with automated OIDC setup ## Changes ### Identity Provider (Authentik) - ✅ Deployed Authentik 2025.10.3 as identity provider - ✅ Configured automatic bootstrap with admin account (akadmin) - ✅ Fixed OIDC provider creation with correct redirect_uris format - ✅ Added automated OAuth2/OIDC provider configuration for Nextcloud - ✅ API-driven provider setup eliminates manual configuration ### Nextcloud Configuration - ✅ Fixed reverse proxy header configuration (trusted_proxies) - ✅ Added missing database indices (fs_storage_path_prefix) - ✅ Ran mimetype migrations for proper file type handling - ✅ Verified PHP upload limits (16GB upload_max_filesize) - ✅ Configured OIDC integration with Authentik - ✅ "Login with Authentik" button auto-configured ### Automation Scripts - ✅ Added deploy-client.sh for automated client deployment - ✅ Added rebuild-client.sh for infrastructure rebuild - ✅ Added destroy-client.sh for cleanup - ✅ Full deployment now takes ~10-15 minutes end-to-end ### Documentation - ✅ Updated README with automated deployment instructions - ✅ Added SSO automation workflow documentation - ✅ Added automation status tracking - ✅ Updated project reference with Authentik details ### Technical Fixes - Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode) - Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add) - Fixed file lookup in Ansible (changed to slurp for remote files) - Updated Traefik to v3.6 for Docker API 1.44 compatibility - Improved error handling in app installation tasks ## Security - All credentials stored in SOPS-encrypted secrets - Trusted proxy configuration prevents IP spoofing - Bootstrap tokens auto-generated and secured ## Result Fully automated SSO deployment - no manual configuration required! 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-08 16:56:19 +01:00
Documentation: https://docs.goauthentik.io
Reference in a new issue Copy permalink