Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Post-Tyranny-Tech-Infrastru.../ansible/playbooks/deploy.yml
Pieter 20856f7f18 Add Authentik identity provider to architecture 
Added Authentik as the identity provider for SSO authentication:

Why Authentik:
- MIT license (truly open source, most permissive)
- Simple Docker Compose deployment (no manual wizards)
- Lightweight Python-based architecture
- Comprehensive protocol support (SAML, OAuth2/OIDC, LDAP, RADIUS)
- No Redis required as of v2025.10 (all caching in PostgreSQL)
- Active development and strong community

Implementation:
- Created complete Authentik Ansible role
- Docker Compose with server + worker architecture
- PostgreSQL 16 database backend
- Traefik integration with Let's Encrypt SSL
- Bootstrap tasks for initial setup guidance
- Health checks and proper service dependencies

Architecture decisions updated:
- Documented comparison: Authentik vs Zitadel vs Keycloak
- Explained Zitadel removal (FirstInstance bugs)
- Added deployment example and configuration notes

Next steps:
- Update documentation (PROJECT_REFERENCE.md, README.md)
- Create Authentik agent configuration
- Add secrets template
- Test deployment on test server

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-07 11:23:13 +01:00

50 lines
1.5 KiB
YAML
Raw Blame History

---
# Deploy applications to client servers
# This playbook deploys Authentik, Nextcloud, and other applications
- name: Deploy applications to client servers
hosts: all
become: yes
pre_tasks:
- name: Gather facts
setup:
- name: Determine client name from hostname
set_fact:
client_name: "{{ inventory_hostname }}"
- name: Load client secrets
community.sops.load_vars:
file: "{{ playbook_dir }}/../../secrets/clients/{{ client_name }}.sops.yaml"
name: client_secrets
age_key: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
no_log: true
- name: Set client domain from secrets
set_fact:
client_domain: "{{ client_secrets.client_domain }}"
when: client_secrets.client_domain is defined
- name: Set Authentik domain from secrets
set_fact:
authentik_domain: "{{ client_secrets.authentik_domain }}"
when: client_secrets.authentik_domain is defined
roles:
- role: authentik
- role: nextcloud
post_tasks:
- name: Display deployment summary
debug:
msg: |
Deployment complete for client: {{ client_name }}
Authentik SSO: https://{{ authentik_domain }}
Nextcloud: https://nextcloud.{{ client_domain }}
Next steps:
1. Complete Authentik initial setup at: https://{{ authentik_domain }}/if/flow/initial-setup/
2. Create OAuth2/OIDC provider for Nextcloud in Authentik
3. Configure Nextcloud to use Authentik for SSO
Reference in a new issue View git blame Copy permalink