add authentik and sso-enabled tandoor

ansible/inventories/production/group_vars/podman_hosts/vault.yml

@@ -1,62 +1,106 @@
 $ANSIBLE_VAULT;1.2;AES256;podman_hosts
-34663362613164623866623535646637643134393861343463323666323930353635623931353964
-3033393864646661323066363964313164373432366138630a323932626361316339666361386564
-30656431323730316262663163623462396134353633393438356366326265616533343363633336
-3430333963356332660a353039333564363739616635383535396365636131663637393961383364
-66373734353338626133313233373063616237313933326335313861663232643935643430366337
-30623439366563376564623239383035376332343334623764326662643430626231343131393831
-33303737633430363964373630633261383630623363623939306536333434623964616661623861
-66636239326364646639386564663936656265666330643963353932653264373932373437383838
-36353462616537306632356262653038303138633238623534633233643432663162333062393831
-66626135613865343635653133343735383265353534356137353734376536356465663636333833
-38316539613261353631353266616565306533626239346139626439373933386361323061366164
-32623236666337636239323566663263303839333731353332316563373436313365316234623763
-38333134666531386439363535386537643830336133353233636266366666653935376166313762
-64376131346562643565646436643765633731613434366265386433383639393364366238313663
-61333164626430333462333634383161633764656134333030333861393566616633383438323066
-34323033316163666665326330393061633533336564613632663539636237336437643239316464
-37313338363731363635363337346565363631376132613665326239316136653939363734373035
-61313236663739343330313466663533373434633365346336326363313230353564396466373133
-32346433646666316130346630653062643564353061666466623830613461373134613664356134
-61633836316264623536383636353064613465366263393465366430623132393432613961393761
-37396531313361353436646563313433393836313831336164396130643235663534643037303064
-37616135626366366661663233623436316563366465333663373132666465313539323737323133
-63653636376136306531616561376363363231653564333131366534643339393566316130376537
-32303265326165326334653965636561376536616439396639333736346536663462613031323030
-32333565636235343435636238383232376263313364666231323262323439336261333137653132
-32643362303763636137316365323434306430616230653064623538316533396235653932633865
-33333938646536356538366531353361363135356634363238386365663963323032383839386166
-66353932663037373235623931646533336266376634643337323232326264343633373139383533
-63363330313138626331376462353433346637663139386466613465383832666264363430633038
-35356262356563303531303937383864313239396563343162666535303566663131613665623062
-37313964363132633962626631616531633434393961666462393636363637636266343961663164
-36623231653135663938623238313337333533633231643161366262383935336264336639383165
-32363465313761636639336532346333646337373337363764303435623266356564626132336537
-63613062613135396233653261373638323162343563303137363965373232313230363436323562
-34303032363630373436613838343834383535383030623466613961623330623536396136363366
-66396230643130343436316434396465313939363037636263303938353735626437326535373537
-38316361656639643337626330383437376638333033666566613764323432636663313433636236
-39333732363666363762376365623435353832653738393239643839326335656431343438343562
-30633861663339633261356433333866636430633531333632323065626465323264373465333731
-61343336336262626666663538613931396536626439383735643836356131386136313938393062
-32343263366430396635646666323737633130363035396136333633323339636666316438326166
-34346334326565663163653661643561656338666432393538633065303961333439366263633430
-66663161326463346465643865346164356135386637393730396130636233346565333839336365
-61346561663239353964613163656333323265306431373036623734633861633232353561326336
-62643737633537353065353463306662313739313734376337656132313434666366343132306230
-33353461343933626232663030386530383363616161396536663234326432623465353930376437
-31353939376365386266376135636133316464366365313537356565333564386633376366326232
-31323235646134373133346338333564616533643432616264383432346465363965383764616361
-38303239616530306132306131353062373761326663343264343961353833343732373435613834
-34346462343037643663376230366465616161376632336564393463633535643462326132646538
-35376333316261613363323865386633663862393365313139336234613435646264376366636362
-33373031643961393935333937396564306164343138623737366132373737396234306332616463
-37356330323064626261616665376133666535333336323338653831393135333436336631343461
-37386164656461623330613035373234613365326338653338306639613430653638363030356533
-37623234383132323333343662346332663436326533613332323731613834646431336562383562
-30663830313166613536623432636437356266363662306335386235653539663033323034313362
-38336564313538643238343635323534646264653537356631643031346432396363633338363865
-34393135363832303033346465316162656662313431336633346135666261303331373562663563
-62633833303261323432333138353662343430356231663437353631386163333633643961366139
-34353864626137656333663530376231346535316332636462616338336538313333663263646138
-3230
+35636231666236656439333036623437316238393965376631333265393261343338653639353039
+6564356666333862336639653265343336663530373538390a623066303830613132336433396366
+33353133613934656433366261396361373066393065646334393431373330633137313439613964
+6363363039663336640a393930666630343965373330373264366237616431313463623965626166
+38303261396333396434333165323730316137353033373265633033383234636536616364316338
+31383132323666396139343463636233626236326332393865643135353565653662363439653237
+62626431373962373932656134653966383133373463363530383436346233653166363535323632
+32366164643532353964366233356366646235303862653233633765376234393434353037316564
+61373866663638613030623935316266326631313039393761646637616166363362623966326237
+65373333656662336538646661383239623033313531313530366531643063316134636265623664
+37336466343231636134303536363966356331363434393839363434396165666631393436303933
+36313236383131323862663330303332656434396564633433666237396239373065306234623064
+35353335623032336534366133623363363330653039646564333863636433353837323764386364
+38616363623362336666386139366636373833613362303264306233383738656135626139663931
+31336566363435303863343262393538353263346138343236356465393861376536633734396665
+31316538373362383031373535376232363761616164303239313939303639616531666633383031
+61646362643961633334376236346361363365636331343366663939366164393564383963306339
+31323934363136323931353663353666303063373734353932356137626363333636323236663031
+31626535373337343964373962656531373536643638333032313239343638323335353937313530
+64313237646363373436393662633762343065313837343131633733383237383966303264353266
+35666339386337373737363362343234363436303463633463303862336439356165303361316566
+65613263336433313032633737366238333236326536356635313631383664626130666138333163
+63386333326233653137383731646165326134626135623231393362313738376230363532326238
+32653032646433613561343030356236306366316463636666396461353866376436643461353264
+37313937323630336136383564323664643438363739336431353235383433646335346563636636
+32626334616663356636396336376232343031316432356439376663363832656662316364633466
+37303332653064363439396362383434396338373066346231396137663834346432666362346231
+30353363626538306631643064356161656138363935623961323862613739626639393561353965
+65623465393461366666663361333265646439336236666634336133313839663135663133656464
+37626634363766396637356430646366303134383130323535363736383936666436376264633964
+64636565353238326663326632383563343636613030366433613233336563343536666565623565
+37393166336264633335613031313339336465323562316632653539333961393063623365653333
+35363939313530643736646530343134653931396237396164393136666264313964366565346566
+62343465346237313833626539373965343934393732343161393633613231643935643037303133
+64613935363965636532613738633961376238346631323330343334323332613063393766336434
+33366433396562353662396431353363656537386532643332613266303139376137656232666561
+66656135396133316239313265343237306234313333396263346532636630306636383635353537
+66646237323465356462353838626333303363356263383237313335616632633932363335623463
+32313737323261353931393063653830306164346331663164383030393461303133376336363939
+36333635613930393064373936633738343265313030313136653436666536396161666538656561
+38396435623038373738653061346236326131633465333838373036356330613161333361336630
+36613830333135643939636138313833343538306533643738303036313232353463386230633630
+63313463623362653332633938306231316339313237383634626165396663633434313332366238
+64346231616330356433613937303464313664656432313763623934326130376139306132663639
+66643963353461626238383964663765616666303038343238666537616331613230613332646639
+62663362376430353661316462623339656231326537386363326335306264333034313333393665
+32373336373336343535633362336238653133653730623661313039613933616537363762343737
+33333262653361643762363438663766353635656336373166613035663139303864376564336136
+63383235383462316131636239633465393063346230313039646564383862663662396436633033
+34363066373831356235373830636333346366366439623639626337646366616461386635653839
+30363139316431346566333139633538663264306630303063653363303432303863316630323864
+62633737343039346238643662343234353063366430663863313562333463353138356636303861
+31323562653364353332323637323962643439656663313563616336663861643263663537373832
+33613937633033316232363133633236363537366139376331386364386234333964613832333735
+33656662376166633839353835383337656565656439623166356364666238373435666232313335
+34333034653766323234326664666230353535353539363763626532623036356564613031626432
+38356637396434356131656162353837313433383561663735383839623365376136333739623565
+37333661363135623430323134346135623366663036346163393333323265323435636133353034
+30313537396265323461313034373532376537666239316232363935373339363430346237346464
+35623935353031353235626636613237356530626364363862326636366366366338386161613933
+31393162326566663566393033643735326361623839333865306139363133353832636139623734
+65663530386337396239663338393862343733333236336434366230373361303035313937383138
+35663161613735636338636364303335323963363436316432383637343661623863646338623231
+32393464306362336263656430373232663763343163613733313235646338613162316133373632
+34666265643263666364643430646262633233316465663865356438336161353330386338303864
+31643062663034323237623666623039633931346534323662386337646138666634613136373535
+30653136653537626663376261623436316531366232653238363266303238666266316239333134
+33393839363538363132383131636163336432633036376137666230643334376466363237313765
+33306236653463383062393533376161663831373164353834326561333332333436633632646638
+33363863313663393833356464323238316566353664383062626437323732626230333062316663
+66343061303831306436316435356362636330366364336434393632343363623366623339623933
+63346564396365396138653539376134666336376263623665323162383136353435306639663465
+35653835346261363538396461333631333539386433356365653230366161613834663135303166
+32396630613232373566643266323735363136616566353466666236643365383264633830666230
+61643261313530346162306432653366353033663664383564386366633665326164373461636439
+61326435376464613564616161336563623563383930353533353362306564636231363233346261
+33613761643831343337316639646539343239313239663633333031326430633833363765646565
+39666335393764643262613230303331633531393065323664646332653333646465303362303866
+66323061643264313235306438303834613566336566313636366530353066313532316232363964
+34623535663861336463346336653333343139323465343639396336396666643030643762646538
+62653165323265646662636438613861366438656430613532656233366465613133356130353139
+30336363633838363436633361346531313430353134313636663339376236393231656638326237
+38306233613765396461653462376635306135373530346162626239316364616466383538626235
+37373764316263626430323761626538343761353664393862663731326532346534386533313464
+32396362363238376137333833336631386465366230626362656332383031623564646631343032
+62653166336331323235303835333930316234363530373632373032333965303536393062313565
+36393466643332616131366131363337396537653537353833366365656537376431663566316435
+38326238626137346539643839303232383534353064366237353564333332333062643239373863
+32353038633164356235363736313665393532646535653436616539626662613063386663343263
+39613961366135356663303536666230363736323563313339623234386166616131323538313836
+36623131326139633264353439643935623766643364303838626439646362363836366461646634
+35646532653936383065373634613234656334373563623535666338653833343364386134373866
+64626566313765623864313530323639656661353932316431623130363839363639633539353762
+39386331366562643334616231336165336633333331353639643532376263363262623233623661
+33653466613431386230373733363735336264336636303136386139396239306636633831303532
+62653863376334313334323266633961626138303332623861393630386166343033333261313037
+62613436353666366337326131633034366366316435363039633839306338643264383332616639
+61343930396332643163666666653138653062346339613565653863663366373831643636326239
+31376334636538373137653839656462666238656261376132333638643733353264663862383938
+31366362373331333438653165653738316265363433366163386465396334306433646137646561
+35393761303363353265313466346136663733303962333863303837633132303765626265316361
+33316633383066343962333139633530366434663135336364326438633733323239656636653664
+30663034356138643666363134386334626536643765343564386533396236656231666161656464
+36613562363365306235623062323232633162663163386435303830353839626434346236306561
+6261

ansible/roles/services/files/authentik/authentik-postgres.container

@@ -0,0 +1,22 @@
+[Unit]
+Description=Postgres database for Authentik
+Wants=network-online.target
+After=network.target network-online.target
+
+[Container]
+Pod=authentik.pod
+ContainerName=authentik-postgres
+Image=docker.io/library/postgres:16-alpine
+AutoUpdate=registry
+Secret=pg_db,type=env,target=POSTGRES_DB
+Secret=pg_user,type=env,target=POSTGRES_USER
+Secret=pg_pw,type=env,target=POSTGRES_PASSWORD
+Volume=/var/vol/authentik/database:/var/lib/postgresql/data:Z
+
+[Service]
+Restart=on-failure
+RestartSec=60
+TimeoutStartSec=60
+
+[Install]
+WantedBy=multi-user.target default.target

ansible/roles/services/files/authentik/authentik-server.container

@@ -0,0 +1,30 @@
+[Unit]
+Description=Authentik server Service
+Wants=network-online.target
+After=network.target network-online.target authentik-postgres.container authentik-worker.service
+
+[Container]
+Pod=authentik.pod
+ContainerName=authentik-server
+Image=ghcr.io/goauthentik/server:2025.10 
+AutoUpdate=registry
+Exec=server
+Environment=AUTHENTIK_POSTGRESQL__HOST=authentik-postgres
+Secret=pg_db,type=env,target=AUTHENTIK_POSTGRESQL__NAME
+Secret=pg_user,type=env,target=AUTHENTIK_POSTGRESQL__USER
+Secret=pg_pw,type=env,target=AUTHENTIK_POSTGRESQL__PASSWORD
+Environment=AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
+Environment=AUTHENTIK_DISABLE_UPDATE_CHECK=true
+Environment=AUTHENTIK_ERROR_REPORTING__ENABLED=false
+Secret=secret_key,type=env,target=AUTHENTIK_SECRET_KEY
+Volume=/var/vol/authentik/media:/media
+Volume=/var/vol/authentik/certs:/certs
+Volume=/var/vol/authentik/custom-templates:/templates
+
+[Service]
+Restart=on-failure
+RestartSec=60
+TimeoutStartSec=60
+
+[Install]
+WantedBy=multi-user.target default.target

ansible/roles/services/files/authentik/authentik-worker.container

@@ -0,0 +1,28 @@
+[Unit]
+Description=Authentik Worker Service
+Wants=network-online.target
+After=network.target network-online.target authentik-postgres.container
+
+[Container]
+Pod=authentik.pod
+ContainerName=authentik-worker
+Image=ghcr.io/goauthentik/server:2025.10 
+AutoUpdate=registry
+Exec=worker
+User=root
+Environment=AUTHENTIK_POSTGRESQL__HOST=authentik-postgres
+Secret=pg_db,type=env,target=AUTHENTIK_POSTGRESQL__NAME
+Secret=pg_user,type=env,target=AUTHENTIK_POSTGRESQL__USER
+Secret=pg_pw,type=env,target=AUTHENTIK_POSTGRESQL__PASSWORD
+Secret=secret_key,type=env,target=AUTHENTIK_SECRET_KEY
+Volume=/var/vol/authentik/media:/media:z
+Volume=/var/vol/authentik/certs:/certs:z
+Volume=/var/vol/authentik/custom-templates:/templates:z
+
+[Service]
+Restart=on-failure
+RestartSec=60
+TimeoutStartSec=60
+
+[Install]
+WantedBy=multi-user.target default.target

ansible/roles/services/files/authentik/authentik.pod

@@ -0,0 +1,19 @@
+[Unit]
+Description=Authentik Pod
+Wants=network-online.target
+After=network.target network-online.target
+
+[Pod]
+PodName=authentik
+HostName=authentik
+PublishPort=127.0.0.1:9100:9000/tcp
+Network=pasta:-4,-a,10.0.0.10,--netmask,24,--map-host-loopback,10.0.0.11,-D,none,--no-udp,--no-icmp,--no-map-gw,--no-ra,--no-ndp,--no-dhcpv6
+# do not share ipc namespace as it causes permission errors
+PodmanArgs=--share net,uts
+
+[Service]
+Restart=on-failure
+RestartSec=60
+
+[Install]
+WantedBy=multi-user.target default.target

ansible/roles/services/files/tandoor/tandoor-db.container

@@ -0,0 +1,22 @@
+[Unit]
+Description=Postgres database for Tandoor
+Wants=network-online.target
+After=network.target network-online.target
+
+[Container]
+Pod=tandoor.pod
+ContainerName=tandoor-db
+Image=docker.io/library/postgres:16-alpine
+AutoUpdate=registry
+Secret=pg_db,type=env,target=POSTGRES_DB
+Secret=pg_user,type=env,target=POSTGRES_USER
+Secret=pg_pw,type=env,target=POSTGRES_PASSWORD
+Volume=/var/vol/tandoor/database:/var/lib/postgresql/data:Z
+
+[Service]
+Restart=on-failure
+RestartSec=60
+TimeoutStartSec=60
+
+[Install]
+WantedBy=multi-user.target default.target

ansible/roles/services/files/tandoor/tandoor-srv.container

@@ -0,0 +1,19 @@
+[Unit]
+Description=Tandoor server
+
+[Container]
+Pod=tandoor.pod
+ContainerName=tandoor-srv
+Image=docker.io/vabene1111/recipes:latest
+Volume=/var/vol/tandoor/staticfiles:/opt/recipes/staticfiles:Z
+Volume=/var/vol/tandoor/mediafiles:/opt/recipes/mediafiles:Z
+Environment=DB_ENGINE=django.db.backends.postgresql
+Environment=POSTGRES_HOST=127.0.0.1
+Environment=POSTGRES_PORT=5432
+Secret=pg_db,type=env,target=POSTGRES_DB
+Secret=pg_user,type=env,target=POSTGRES_USER
+Secret=pg_pw,type=env,target=POSTGRES_PASSWORD
+Secret=secret_key,type=env,target=SECRET_KEY
+Environment=SOCIAL_PROVIDERS=allauth.socialaccount.providers.openid_connect
+Secret=sso_providers,type=env,target=SOCIALACCOUNT_PROVIDERS
+AutoUpdate=registry

ansible/roles/services/files/tandoor/tandoor.pod

@@ -0,0 +1,18 @@
+[Unit]
+Description=Tandoor deployment
+Wants=network-online.target
+After=network.target network-online.target
+
+[Pod]
+PodName=tandoor
+PublishPort=127.0.0.1:9200:80
+Network=pasta:-4,-a,10.0.2.0,--netmask,24,-g,10.0.2.2,--dns-forward,10.0.2.3
+
+[Service]
+# Restart service when sleep finishes
+Restart=on-failure
+RestartSec=60
+
+[Install]
+# Start by default on boot
+WantedBy=multi-user.target default.target

ansible/roles/services/tasks/create_containers_conf.yml

@@ -1,22 +0,0 @@
----
-- name: Remove pasta configuration if setting is off
-  ansible.builtin.file:
-    path: "/home/{{ service_name }}/.config/containers/containers.conf"
-    state: absent
-  when: enable_pasta_config is not defined or not enable_pasta_config
-
-- name: Ensure configuration path
-  ansible.builtin.file:
-    path: "/home/{{ service_name }}/.config/containers"
-    state: directory
-    owner: "{{ service_name }}"
-    group: "{{ service_name }}"
-    mode: '0755'
-  when: enable_pasta_config is defined and enable_pasta_config
-- name: Create pasta configuration
-  ansible.builtin.copy:
-    dest: "/home/{{ service_name }}/.config/containers/containers.conf"
-    content: |
-      [network]
-      pasta_options = ["-a", "10.0.2.0", "-n", "24", "-g", "10.0.2.2", "--dns-forward", "10.0.2.3"]
-  when: enable_pasta_config is defined and enable_pasta_config

ansible/roles/services/tasks/create_service_directories.yml

@@ -10,12 +10,12 @@
 
 - name: Create service directories in BTRFS subvolume (only if they don't exist)
   ansible.builtin.file:
-    path: "{{ btrfs_base_path }}/{{ service_name }}/{{ results.item }}"
+    path: "{{ btrfs_base_path }}/{{ service_name }}/{{ dir_stat.service_dir }}"
     state: directory
     owner: "{{ service_name }}"
     group: "{{ service_name }}"
     mode: '0755'
   loop: "{{ directory_stats.results }}"
   loop_control:
-    loop_var: results
-  when: not results.stat.exists
+    loop_var: dir_stat
+  when: not dir_stat.stat.exists

ansible/roles/services/tasks/main.yml

@@ -34,14 +34,6 @@
     service_name: "{{ item.key }}"
     service_directories: "{{ item.value.service_directories }}"
 
-- name: Pasta configuration
-  loop: "{{ services | dict2items }}"
-  loop_control:
-    label: "{{ item.key }}"
-  include_tasks: create_containers_conf.yml
-  vars:
-    service_name: "{{ item.key }}"
-
 - name: Enable linger for the user
   loop: "{{ services | dict2items }}"
   loop_control:

ansible/roles/services/vars/main.yml

@@ -46,3 +46,16 @@ services:
     service_directories:
       - sgnarvaweb
       - sgnarvadb
+  authentik:
+    systemd_service_name: "authentik-pod"
+    service_directories:
+      - database
+      - media
+      - certs
+      - custom-templates
+  tandoor:
+    systemd_service_name: "tandoor-pod"
+    service_directories:
+      - database
+      - staticfiles
+      - mediafiles

ansible/roles/traefik/files/dynamic.yml

@@ -90,6 +90,24 @@ http:
         certResolver: letsencrypt
       service: sgnarva-service
 
+    # Router for auth.rohrschacht.de
+    authentik-router:
+      rule: "Host(`auth.rohrschacht.de`)"
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: letsencrypt
+      service: authentik-serivce
+
+    # Router for tandoor.rohrschacht.de
+    tandoor-router:
+      rule: "Host(`tandoor.rohrschacht.de`)"
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: letsencrypt
+      service: tandoor-service
+
   services:
     # Service for wekan.rohrschacht.de
     wekan-service:
@@ -150,3 +168,15 @@ http:
       loadBalancer:
         servers:
           - url: "http://localhost:9000"
+
+    # Service for auth.rohrschacht.de
+    authentik-serivce:
+      loadBalancer:
+        servers:
+          - url: "http://localhost:9100"
+
+    # Service for tandoor.rohrschacht.de
+    tandoor-service:
+      loadBalancer:
+        servers:
+          - url: "http://localhost:9200"