Deploy authentik

Not integrated into other services quite yet. But it's there

ansible/main.yml

@@ -67,6 +67,7 @@
     - privatebin
     - vaultwarden
     - tandoor
+    - authentik
 
 - hosts: ingress
   roles:

ansible/roles/authentik/files/docker-compose.yml

@@ -0,0 +1,58 @@
+version: "2.3"
+
+x-authentik: &authentik
+  image: ghcr.io/goauthentik/server:2022.8.2
+  restart: unless-stopped
+  environment:
+    - TIMEZONE={{ timezone }}
+    - AUTHENTIK_REDIS__HOST=redis
+    - AUTHENTIK_POSTGRESQL__HOST=db
+    - AUTHENTIK_POSTGRESQL__USER=authentik
+    - AUTHENTIK_POSTGRESQL__NAME=authentik
+    - AUTHENTIK_POSTGRESQL__PASSWORD=authentik
+    - AUTHENTIK_SECRET_KEY="{{ authentik_secret_key }}"
+  volumes:
+    - "{{ app_data_dir }}/authentik/media:/media"
+    - "{{ app_data_dir }}/authentik/custom-templates:/templates"
+    - "{{ app_data_dir }}/authentik/certs:/certs"
+  depends_on:
+    - db
+    - redis
+
+services:
+  authentik:
+    <<: *authentik
+    command: server
+    networks:
+      - default
+      - traefik
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.authentik.rule=Host(`auth.jakehoward.tech`)
+      - traefik.http.services.authentik-authentik.loadbalancer.server.port=9000
+      - traefik.http.middlewares.authentik-ratelimit.ratelimit.average=5
+      - traefik.http.middlewares.authentik-ratelimit.ratelimit.burst=1000
+      - traefik.http.routers.authentik.middlewares=authentik-ratelimit
+
+  worker:
+    <<: *authentik
+    command: worker
+
+  db:
+    image: postgres:14-alpine
+    restart: unless-stopped
+    volumes:
+      - /mnt/tank/dbs/postgres/authentik/:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_PASSWORD=authentik
+      - POSTGRES_USER=authentik
+
+  redis:
+    image: redis:6-alpine
+    restart: unless-stopped
+    volumes:
+      - /mnt/tank/dbs/redis/authentik:/data
+
+networks:
+  traefik:
+    external: true

ansible/roles/authentik/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart authentik
+  shell:
+    chdir: /opt/authentik
+    cmd: "{{ docker_update_command }}"

ansible/roles/authentik/tasks/main.yml

@@ -0,0 +1,20 @@
+- name: Include vault
+  include_vars: vault.yml
+
+- name: Create install directory
+  file:
+    path: /opt/authentik
+    state: directory
+    owner: "{{ docker_user.name }}"
+    mode: "{{ docker_compose_directory_mask }}"
+  become: true
+
+- name: Install compose file
+  template:
+    src: files/docker-compose.yml
+    dest: /opt/authentik/docker-compose.yml
+    mode: "{{ docker_compose_file_mask }}"
+    owner: "{{ docker_user.name }}"
+    validate: docker-compose -f %s config
+  notify: restart authentik
+  become: true

ansible/roles/authentik/vars/main.yml

@@ -0,0 +1 @@
+authentik_secret_key: "{{ vault_authentik_secret_key }}"

ansible/roles/authentik/vars/vault.yml

@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+36393735346231366132626665313535323561383032343832363437313735646262356436336432
+3264356265333862373135653934633066656339373338650a326231363935623237303238616432
+64353361626637623934393032346338356266393332643038353936633832646333373065393733
+3133383063616163340a363663616564646265336535313265313731613939366364623164333138
+35616330393565643863393863306266386239393063373937303362393531373861626163643831
+30333035356230353139326263626265343631323532663664646565303530626164626464373162
+61373166373333363738363830356335653362383335303134323966363935366333383436386636
+62353535393366393638

terraform/jakehoward.tech.tf

@@ -147,3 +147,11 @@ resource "cloudflare_record" "jakehowardtech_tandoor" {
   type    = "A"
   ttl     = 1
 }
+
+resource "cloudflare_record" "jakehowardtech_auth" {
+  zone_id = cloudflare_zone.jakehowardtech.id
+  name    = "auth"
+  value   = linode_instance.casey.ip_address
+  type    = "A"
+  ttl     = 1
+}