Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Post-Tyranny-Tech-Infrastru.../ansible/roles/authentik/templates/docker-compose.authentik.yml.j2
Pieter a5fe631717 feat: Complete Authentik SSO integration with automated OIDC setup 
## Changes

### Identity Provider (Authentik)
-  Deployed Authentik 2025.10.3 as identity provider
-  Configured automatic bootstrap with admin account (akadmin)
-  Fixed OIDC provider creation with correct redirect_uris format
-  Added automated OAuth2/OIDC provider configuration for Nextcloud
-  API-driven provider setup eliminates manual configuration

### Nextcloud Configuration
-  Fixed reverse proxy header configuration (trusted_proxies)
-  Added missing database indices (fs_storage_path_prefix)
-  Ran mimetype migrations for proper file type handling
-  Verified PHP upload limits (16GB upload_max_filesize)
-  Configured OIDC integration with Authentik
-  "Login with Authentik" button auto-configured

### Automation Scripts
-  Added deploy-client.sh for automated client deployment
-  Added rebuild-client.sh for infrastructure rebuild
-  Added destroy-client.sh for cleanup
-  Full deployment now takes ~10-15 minutes end-to-end

### Documentation
-  Updated README with automated deployment instructions
-  Added SSO automation workflow documentation
-  Added automation status tracking
-  Updated project reference with Authentik details

### Technical Fixes
- Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode)
- Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add)
- Fixed file lookup in Ansible (changed to slurp for remote files)
- Updated Traefik to v3.6 for Docker API 1.44 compatibility
- Improved error handling in app installation tasks

## Security
- All credentials stored in SOPS-encrypted secrets
- Trusted proxy configuration prevents IP spoofing
- Bootstrap tokens auto-generated and secured

## Result
Fully automated SSO deployment - no manual configuration required!

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-08 16:56:19 +01:00

143 lines
4.3 KiB
Django/Jinja
Raw Blame History

services:
authentik-db:
image: postgres:16-alpine
container_name: authentik-db
restart: unless-stopped
environment:
POSTGRES_DB: "{{ authentik_db_name }}"
POSTGRES_USER: "{{ authentik_db_user }}"
POSTGRES_PASSWORD: "{{ client_secrets.authentik_db_password }}"
volumes:
- authentik-db-data:/var/lib/postgresql/data
networks:
- {{ authentik_network }}
healthcheck:
test: ["CMD-SHELL", "pg_isready -d {{ authentik_db_name }} -U {{ authentik_db_user }}"]
interval: 30s
timeout: 5s
retries: 5
start_period: 20s
deploy:
resources:
limits:
memory: 512M
cpus: "0.5"
authentik-server:
image: {{ authentik_image }}:{{ authentik_version }}
container_name: authentik-server
restart: unless-stopped
command: server
environment:
# PostgreSQL connection
AUTHENTIK_POSTGRESQL__HOST: authentik-db
AUTHENTIK_POSTGRESQL__NAME: "{{ authentik_db_name }}"
AUTHENTIK_POSTGRESQL__USER: "{{ authentik_db_user }}"
AUTHENTIK_POSTGRESQL__PASSWORD: "{{ client_secrets.authentik_db_password }}"
# Secret key for encryption
AUTHENTIK_SECRET_KEY: "{{ client_secrets.authentik_secret_key }}"
# Error reporting (optional)
AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
# Branding
AUTHENTIK_BRANDING__TITLE: "{{ client_name | title }} SSO"
# Email configuration (optional, configure later)
# AUTHENTIK_EMAIL__HOST: "smtp.example.com"
# AUTHENTIK_EMAIL__PORT: "587"
# AUTHENTIK_EMAIL__USERNAME: "user@example.com"
# AUTHENTIK_EMAIL__PASSWORD: "password"
# AUTHENTIK_EMAIL__USE_TLS: "true"
# AUTHENTIK_EMAIL__FROM: "authentik@example.com"
volumes:
- authentik-media:/media
- authentik-templates:/templates
networks:
- {{ authentik_traefik_network }}
- {{ authentik_network }}
depends_on:
authentik-db:
condition: service_healthy
labels:
- "traefik.enable=true"
- "traefik.http.routers.authentik.rule=Host(`{{ authentik_domain }}`)"
- "traefik.http.routers.authentik.tls=true"
- "traefik.http.routers.authentik.tls.certresolver=letsencrypt"
- "traefik.http.routers.authentik.entrypoints=websecure"
- "traefik.http.services.authentik.loadbalancer.server.port={{ authentik_http_port }}"
# Security headers
- "traefik.http.routers.authentik.middlewares=authentik-headers"
- "traefik.http.middlewares.authentik-headers.headers.stsSeconds=31536000"
- "traefik.http.middlewares.authentik-headers.headers.stsIncludeSubdomains=true"
- "traefik.http.middlewares.authentik-headers.headers.stsPreload=true"
deploy:
resources:
limits:
memory: 1G
cpus: "1.0"
authentik-worker:
image: {{ authentik_image }}:{{ authentik_version }}
container_name: authentik-worker
restart: unless-stopped
command: worker
environment:
# PostgreSQL connection
AUTHENTIK_POSTGRESQL__HOST: authentik-db
AUTHENTIK_POSTGRESQL__NAME: "{{ authentik_db_name }}"
AUTHENTIK_POSTGRESQL__USER: "{{ authentik_db_user }}"
AUTHENTIK_POSTGRESQL__PASSWORD: "{{ client_secrets.authentik_db_password }}"
# Secret key for encryption (must match server)
AUTHENTIK_SECRET_KEY: "{{ client_secrets.authentik_secret_key }}"
# Error reporting (optional)
AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
# Bootstrap configuration (only used on first startup)
AUTHENTIK_BOOTSTRAP_PASSWORD: "{{ client_secrets.authentik_bootstrap_password }}"
AUTHENTIK_BOOTSTRAP_TOKEN: "{{ client_secrets.authentik_bootstrap_token }}"
AUTHENTIK_BOOTSTRAP_EMAIL: "{{ client_secrets.authentik_bootstrap_email | default('admin@' + client_domain) }}"
volumes:
- authentik-media:/media
- authentik-templates:/templates
networks:
- {{ authentik_network }}
depends_on:
authentik-db:
condition: service_healthy
deploy:
resources:
limits:
memory: 512M
cpus: "0.5"
volumes:
authentik-db-data:
driver: local
authentik-media:
driver: local
authentik-templates:
driver: local
networks:
{{ authentik_traefik_network }}:
external: true
{{ authentik_network }}:
driver: bridge
internal: true
Reference in a new issue View git blame Copy permalink