benschubert.infrastructure.auth role – Set up an authentication server in podman, using Authentik

Note

This role is part of the benschubert.infrastructure collection (version 0.0.1).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it use: ansible-galaxy collection install benschubert.infrastructure.

To use it in a playbook, specify: benschubert.infrastructure.auth.

Entry point application – Set up an Authentik application and its provider (proxy or OAuth2) to protect a service

Synopsis

Parameters

Parameter

Comments

allowlisted_groups

list / elements=string

A list of groups to restrict the application to.

Users who are not a member of at least one of the listed groups will neither see the application on the dashboard nor be able to log in to it.

Leaving this unset (null) or empty ([]) does not restrict access: every authenticated user can reach the application.

application_name

string / required

The human readable name for the application as registered in Authentik

application_slug

string / required

The unique identifier for the application in Authentik

auth_authentik_hostname

string / required

The hostname at which the Authentik instance is reachable

auth_authentik_token

string / required

The token to use to connect to Authentik

group

string / required

The group to which to add the application on the Authentik dashboard

icon_url

string / required

The URL at which to find the icon for the application, to be displayed on the Authentik dashboard

ingress_custom_ca_cert

string

The path on disk to a custom CA certificate used to validate Authentik's TLS certificate when its issuing CA is not in the system root store (for example an internal CA used by the ingress)

ingress_https_port

integer

The port at which the service is exposed via the ingress.

Default: 443

ingress_validate_certs

boolean

Whether the TLS certificate presented by Authentik should be validated. Disabling validation exposes auth_authentik_token to anyone who can intercept the connection; prefer ingress_custom_ca_cert for self-signed or internal CAs instead.

Choices:

  • false

  • true ← (default)

meta_description

string / required

The description to show on the dashboard about the application

provider_oauth2

dictionary

The configuration for the provider if it is using OAuth2

Mutually exclusive with provider_proxy

redirect_uris

list / elements=dictionary / required

The list of URIs to which Authentik may redirect after login

Each entry must be a dict of {url: <url>, matching_mode: "strict" | "regex"}. Prefer "strict" (exact match); with "regex", escape dots and anchor the pattern, since an overly broad expression lets an attacker redirect the authorization code to a host they control.

scopes

list / elements=string / required

The scopes allowed for the OAuth2 application

sub_mode

string / required

Which user attribute Authentik places in the `sub` claim of the issued OAuth2/OIDC tokens

Choices:

  • "hashed_user_id"

  • "user_id"

  • "user_uuid"

  • "user_username"

  • "user_email"

  • "user_upn"

provider_proxy

dictionary

The configuration for the provider if it is using the proxy mode

Mutually exclusive with provider_oauth2

hostname

string / required

The external-facing hostname under which the application is published; requests for this host are authenticated by the proxy provider

Entry point main – Set up an authentication server in podman, using Authentik

Synopsis

  • This sets up an Authentik webserver to act as an authentication and SSO server used by the rest of the services in this collection.

  • Additionally, it will set up a PostgreSQL database and a Redis instance for it.

Parameters

Parameter

Comments

auth_authentik_authentication_page_title

string

The title to show users when they are trying to login on Authentik

Default: "Welcome to {{ auth_authentik_hostname }}"

auth_authentik_background

string

Name of the file to use as a background for Authentik when users login

auth_authentik_branding_title

string

The title of the brand to use for Authentik. This is mainly shown on the website’s title.

Default: "Authentik"

auth_authentik_configuration_path

string / required

The directory in which the configuration files for Authentik will be stored

auth_authentik_email_config

dictionary

Configuration allowing Authentik to send emails when needed (for example address verification and password resets)

from

string / required

The email address authentik will send from

In order to change the display name, use Name <account@domain>

host

string / required

The email provider host

password

string / required

The password to authenticate with the email provider

port

string / required

The port for the SMTP service to send emails to

ssl

boolean

Whether to connect to the email provider over implicit TLS (SMTPS, usually port 465). Mutually exclusive with tls: enable at most one of the two.

Choices:

  • false

  • true

tls

boolean

Whether to upgrade the connection to the email provider with STARTTLS (usually port 587). Mutually exclusive with ssl: enable at most one of the two.

Choices:

  • false

  • true

username

string / required

The username to authenticate with the email provider

auth_authentik_hostname

string / required

The hostname under which Authentik should be reachable

auth_authentik_icon

string

Name of the SVG file to use as an icon for Authentik on login screen

auth_authentik_image

string

The container image path and tag to use for Authentik

Default: "ghcr.io/goauthentik/server:latest"

auth_authentik_secret_key

string / required

Secret key used for cookie signing and for deriving unique user IDs. Do not change it after the first install: existing sessions and hashed subject identifiers would be invalidated.

auth_authentik_superadmin_bootstrap_password

string

The password for the super admin that Authentik creates at bootstrap

Only required for the first run.

auth_authentik_superadmin_bootstrap_token

string

The value of the token to create for the super admin at bootstrap

This is then used to connect to Authentik

auth_monitor_agent_alloy_image

string

The container image path and tag to use for Alloy

Default: see monitoring_agent_alloy_image from the Monitoring role

auth_monitor_agent_config_path

string / required

The path on disk where the monitoring agent's configuration files are stored

auth_monitor_agent_data_path

string / required

The path on disk where the monitoring agent's data is stored

auth_monitor_agent_user_group

string

A group name to which to add the service account that is created for monitoring Authentik.

This is useful if you restrict applications per group (see allowlisted_groups in the application entry point): adding the monitoring account to that group lets it publish its metrics.

auth_postgres_data_path

string / required

The path on disk where the PostgreSQL instance should store its data

auth_postgres_image

string

The container image path and tag to use for Postgres

Default: see postgres_image from the Postgres role

auth_postgres_password

string / required

The password used to connect to the PostgreSQL database

auth_redis_config_path

string / required

The path on disk where the Redis instance should store its configurations

auth_redis_data_path

string / required

The path on disk where the Redis instance should store its data

auth_redis_image

string

The container image path and tag to use for Redis

Default: see redis_image from the Redis role

auth_redis_metrics_password

string / required

The password to allow the metric gathering agent to connect to Redis

auth_redis_password

string / required

The password that Authentik will use to connect to Redis

This is also used to configure the Redis instance

auth_worker_additional_networks

list / elements=string

A list of additional podman networks that need to be attached to the Authentik worker pod.

This is useful if you want to reach an SMTP gateway on another podman network so that Authentik can send emails, for example for address verification and password resets.

Default: []

ingress_custom_ca_cert

string

The path on disk to a custom CA certificate used to validate Authentik's TLS certificate when its issuing CA is not in the system root store

If set, this certificate is used whenever the role contacts the Authentik API

ingress_https_port

integer

The port at which the service is exposed via the ingress, in order to be able to make API calls to the service

Default: 443

monitoring_grafana_config_path

string / required

The path to where the Grafana configuration is kept

This is used to install dashboards for viewing metrics

template_warning

string / required

A warning that this role will add to the top of each file it creates so users know it is managed by an automated process.
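The following playbook is an added example, not part of the collection's documentation, showing how the two entry points fit together: the main entry point deploys Authentik with its PostgreSQL and Redis containers, and the application entry point is then imported twice to register a proxy-protected service and an OAuth2/OIDC client. Hostnames, paths, group names, the internal CA path and the vault_* variable names are assumptions; the bootstrap token created by main is reused as auth_authentik_token, as the parameter documentation describes.

```yaml
---
# Added example; hostnames, paths and vault_* variables are assumed, not from the role docs.
- name: Deploy Authentik and register protected applications
  hosts: auth_servers
  vars:
    authentik_hostname: auth.example.com           # assumed
    internal_ca_cert: /etc/pki/tls/internal-ca.pem # assumed, CA that signed the ingress cert
  tasks:
    - name: Set up the Authentik server, PostgreSQL and Redis (entry point main)
      ansible.builtin.import_role:
        name: benschubert.infrastructure.auth
      vars:
        auth_authentik_hostname: "{{ authentik_hostname }}"
        auth_authentik_configuration_path: /srv/authentik/config
        # Never change after first install: cookies and hashed user IDs depend on it.
        auth_authentik_secret_key: "{{ vault_authentik_secret_key }}"
        # Only needed on the first run; the token is what later API calls use.
        auth_authentik_superadmin_bootstrap_password: "{{ vault_authentik_bootstrap_password }}"
        auth_authentik_superadmin_bootstrap_token: "{{ vault_authentik_api_token }}"
        auth_postgres_data_path: /srv/authentik/postgres
        auth_postgres_password: "{{ vault_authentik_postgres_password }}"
        auth_redis_config_path: /srv/authentik/redis/config
        auth_redis_data_path: /srv/authentik/redis/data
        auth_redis_password: "{{ vault_authentik_redis_password }}"
        auth_redis_metrics_password: "{{ vault_authentik_redis_metrics_password }}"
        auth_monitor_agent_config_path: /srv/authentik/alloy/config
        auth_monitor_agent_data_path: /srv/authentik/alloy/data
        auth_monitor_agent_user_group: monitoring      # lets the metrics account reach group-restricted apps
        monitoring_grafana_config_path: /srv/grafana/config
        ingress_custom_ca_cert: "{{ internal_ca_cert }}"  # keeps ingress_validate_certs at its default of true
        template_warning: "Managed by Ansible (benschubert.infrastructure.auth); manual edits will be overwritten."
        auth_authentik_email_config:
          from: "Authentik <noreply@example.com>"
          host: smtp.example.com
          port: "587"
          username: "{{ vault_smtp_username }}"
          password: "{{ vault_smtp_password }}"
          tls: true    # STARTTLS on 587 ...
          ssl: false   # ... so implicit TLS stays off; never enable both

    - name: Protect Grafana behind the Authentik proxy provider (entry point application)
      ansible.builtin.import_role:
        name: benschubert.infrastructure.auth
        tasks_from: application
      vars:
        auth_authentik_hostname: "{{ authentik_hostname }}"
        auth_authentik_token: "{{ vault_authentik_api_token }}"
        ingress_custom_ca_cert: "{{ internal_ca_cert }}"
        application_name: Grafana
        application_slug: grafana
        group: Monitoring
        icon_url: https://grafana.example.com/public/img/grafana_icon.svg
        meta_description: Metrics dashboards for the infrastructure
        # Only these groups see and can log in to the application (empty list = everyone).
        allowlisted_groups:
          - admins
          - monitoring
        provider_proxy:
          hostname: grafana.example.com

    - name: Register the wiki as an OAuth2/OIDC client (entry point application)
      ansible.builtin.import_role:
        name: benschubert.infrastructure.auth
        tasks_from: application
      vars:
        auth_authentik_hostname: "{{ authentik_hostname }}"
        auth_authentik_token: "{{ vault_authentik_api_token }}"
        ingress_custom_ca_cert: "{{ internal_ca_cert }}"
        application_name: Wiki
        application_slug: wiki
        group: Knowledge
        icon_url: https://wiki.example.com/static/logo.svg
        meta_description: Team documentation
        allowlisted_groups: []   # unrestricted: any authenticated user
        provider_oauth2:
          redirect_uris:
            # strict = exact match; avoids the open-redirect risk of a loose regex
            - url: https://wiki.example.com/oauth2/callback
              matching_mode: strict
          scopes:
            - openid
            - email
            - profile
          sub_mode: user_uuid   # stable subject that survives username or email changes
```

The two application imports deliberately repeat auth_authentik_hostname, auth_authentik_token and ingress_custom_ca_cert, because variables set on one import_role task are scoped to that import. Keep every vault_* value in Ansible Vault; the API token in particular grants full administrative access to Authentik.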