From f6b8724b9302e49e1dce7aca7e04531a29f77cbc Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Mon, 17 Jul 2023 17:45:45 +0200
Subject: [PATCH] authentik: new role (SSO provider)

---
 group_vars/all/vars.yml | 6 +
 group_vars/all/vault.yml | 228 +++++++++---------
 roles/authentik/handlers/main.yml | 13 +
 roles/authentik/meta/main.yml | 5 +
 roles/authentik/tasks/main.yml | 51 ++++
 .../authentik/templates/authentik.service.j2 | 28 +++
 roles/authentik/templates/certs.j2 | 15 ++
 .../authentik/templates/docker-compose.yml.j2 | 69 ++++++
 roles/authentik/templates/vhost.j2 | 41 ++++
 9 files changed, 344 insertions(+), 112 deletions(-)
 create mode 100644 roles/authentik/handlers/main.yml
 create mode 100644 roles/authentik/meta/main.yml
 create mode 100644 roles/authentik/tasks/main.yml
 create mode 100644 roles/authentik/templates/authentik.service.j2
 create mode 100644 roles/authentik/templates/certs.j2
 create mode 100644 roles/authentik/templates/docker-compose.yml.j2
 create mode 100644 roles/authentik/templates/vhost.j2

diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index fae3323..5b9e62f 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -5,6 +5,12 @@ acertmgr_mode: webdir
 acme_dnskey_file: /etc/acertmgr/nsupdate.key
 acme_dnskey_server: neon.binary-kitchen.net
 
+authentik_domain: auth.binary-kitchen.de
+authentik_dbname: authentik
+authentik_dbuser: authentik
+authentik_dbpass: "{{ vault_authentik_dbpass }}"
+authentik_secret: "{{ vault_authentik_secret }}"
+
 bk23b_domain: 23b.binary-kitchen.de
 
 coturn_realm: turn.binary-kitchen.de
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
index 3a75052..c23a9ef 100644
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@@ -1,113 +1,117 @@ $ANSIBLE_VAULT;1.1;AES256 -33356339653434306633616533373539393833643861336239613238306565383934623362323936 -3231313234343830613238636565366362393164303361640a353264333266633737366330653939 -63306561623062623637383862323462336238623737666638346535653262316631356335653634 -3266313436366432620a363766343137643236646139613666646361663638613033323234386330 -38366261353239613837623463376130383033336665393936613937633330613461653831376461 -64356337356338383537323231653238353861626461306164393033326635626537613636623132 -33306634326437646234623531313432323131336635336365333334643761343233656564303233 -61643461656631396533343463663937653063353235393861623433306666363131343061643938 -33623039636636386662383639663837373730666164303430303634303936303837326431643538 -39333061636534323932316432393364353537353665643138636637313731316637316139643635 -32363262343161656664666432333533303836623661643264323335313836666162633261633963 -33326131653034313763613164656135636532373261346631326335396533613234353138316233 -34356364666365656630376536666139303332396235356365356232333831373362663536326364 -65386563613631323339356232323334396539326163373630313038333364366439353935663335 -35383530353465636532326162336136366664353539313465346536323339343234393231313833 -63383163633439363234353230343463653265363062623961316565376237396131666264373737 -34313435356661653763356238363734663239613933326239623535393564363162663535663238 -39313562353364373638373734626136636135303962326135343333616536373761663533613734 -37336566663036383466343433376466633061383032653137653935336238613665383661393939 -64656366383538623862356538303266656364653561313538316461316232306531343265303263 -65356531626335666433646438323463343731656235376338613439663636353934323461306465 -36303262346465626332616233323636306232373435373765616237336636333466393233373264 -64646437656638633565333436353433386535633063363235613537353038373439616565373936 
-30306131383661383930336365353435666134373438316335656564396530316266636134316437 -31653832343932646165363563653462326665383533636365373963366233386464373634313535 -37333962326132313065633830306136373264363162303838376138343131386131346563396335 -36336163383966353738353638376161663131643362626664323865666464306336653462383035 -36353938633662353733303662323335376664346437643361623033646261636432306536626130 -39353630653166653034626362643864363266393233363238326538376237656130343163616435 -61626334313436386639356635623963353938643032323165633732303961393530343664613034 -34656462306434386262616366343532356138643632616466313261366434373939316538326637 -38396436333033373333383062366561313834636239666166373464343862323231633337386536 -31313834373362666630393535663738346561336130383961336365633035373939656662373563 -37643530653638336236383166663438623636623639363839356330396337366462653563346233 -63666231356463333764653666393264386433346562336537663439653464613661663536303863 -38373362393937336266646336393731653864326639623834303663363861393539376632343364 -30626265373931393332353135313461366435386435626636306231303165393564313365393037 -61306264326264663337313139613165336135643133383166323339393232653335326435343136 -61393636643431336235366331616464653633373865353439323034386631643761383431643761 -32646461323731623335633834663938306537363636373066383933373835353031336338623535 -62303934623439363364396466386366616365623130363863353938376566383762343362613130 -39653730633030383039616264646464623434396137616237343466653034373538656162643362 -66656433376134313761303238303965313262336439643330333661613939613037633333303564 -32393431383364656161316635363766343030643437653037393566323365643739346134303864 -64616437663761613034313539383230323932393130363464333731376332303137363034313338 -66663735656130353834373564663936653639626662323436646162393831393637326361386235 -37656265353264666133666162316536643861303939316131613661353633313164666165356663 
-33323739633837656164326661663966343937653966636237643535303232333464313562363838 -34613530653237343765613834663935613766323765353431666331653733336464626263653436 -63383538633334343130376463353334616531306164366565323536333231356537373834353264 -30363534303264393235306564323562313539333666313361623830396530356261623436346133 -61313562333335396263633632643062326236653631376462363833356438653539323338383632 -39396464373366646433303738363565346663353733346366636136313361353137663666333339 -66333337373466613230326661363231613164313437316263396361633639393136393837616266 -32343637393034353562346566316138323838613836313632656465316635373531323034663132 -64303166396561326264313338346166323166353561646635663665643038616530636130373734 -30623934646439633531376135373536636562663636383438306433643530643639343236353733 -33306632323738333438633635313563313035333133393439613139613563616264313433363663 -33363033663734666630393030386534306632653163656231383464386266393263306432336462 -61323963396239333833373136393563643534353765313261646238386236356534303833306166 -30373462326339333764613331353162623338633939613938636565336466633030346135303737 -33393633646336326237396434373961613965623565656437653862343635343737623633633032 -36316266646339316636316434373966373666383039336631386365626335343739646330373436 -31616266646565343935336636316531383737646132393462343631316638646337343031623839 -61383831393061336532636565306330643534396466346363636633346139316464376133363730 -64326333393734333430373732353961663137353966646165353564636161306462626161393737 -39663234633531363864376166383531333832663463316463633530323662616536626334636334 -39383638303939633234383336363239353264326239366135646233316564633036333532366361 -30303330663739303063633264366165313966356566613361663834326535326138396238353433 -30656532316164646339306266663739323964363966303030323631343163626139633863343161 -37613338343865373065643162656238613039376634373237376262383335313536386138393738 
-66373935633536633136663366323038626130633835333036646134396562316630656539323532 -64346135353062636364313733373266343133653566373961643532663736666132333331656161 -64633136356332663535653763326563346234666535643331616336323164383635373264343763 -61383233616663313164336338636130366462343936633539393638373164373332643462393661 -63356364353565356135313461616537643532316235336565656162643430666638653338356132 -32333138306438633061636430636538623461653538363037633330653338306230376439363434 -32346239313938633161326134643565626531626130666663353836633531366232366262613332 -66303262313736643138663363323365653039313237376665306131393461666435353763633261 -39313339313737313266383334356533643765373964643832366430393335353030373838646136 -37353430376439663563313537366536346630666533313763363934653663616236656534366365 -62353434363439646436323133323763383062356661643931643262386233343538653661623065 -38663939633665303935313531363938663062383934656532636339326532363866663233626633 -64666464353335386163313634333732386466396365306366373532366635376334373064656261 -39623963633233396636653033343564643333393833393937323964663832303565643432623135 -33353361336339666436343061313539373662306230393036346537343834666563326134313265 -31663138613534303262383461313930626163343437653334333163383866353562363965313964 -31353464383135666666393239356632616564376639346438643930373135303935346430633937 -33313035353265323439386233623430633435616539383834303266616363316338393830653137 -36653036323065383936393532643332636265656165633437306137646363626532353436656534 -33346430313534336166353130653034373239613533656465386337643330383062353861333331 -33343264376463616566656339306333346439306338643739336635336631336237613465636230 -38613038333930346264373330316232343233646334373266646438376637363434653138303032 -36346135346564666265326262313862323465313965326636346132646637313762356137613339 -65396263356562653664373061376464623936613036343264663635386537306262323463396632 
-33643237623362366138323132626233653631633863313165346661366138366363653637383430 -63303036613637396662323062366132313764396237353639386235383039353634396537333263 -65376665303539626661643562373561626234323234363265326331343963346163333763616332 -36393063376431633566353339303963393865383831353735626134373037653938303338363936 -36393130653861633231303136636636393263303064343662336662383661663864623762383031 -35373935656264393339326563643665623230313032613630383538393036616265366335353934 -65636339313838653038396433643134386235393238386665363364313034626662373736383639 -37336331626339646466306134616465636665613337376335396532343530356532303635353761 -63666235313335353237333535396332653866373930303433613236643665333762616133326362 -36323434343261313635303731363965313566353164356135393034333737396365333164386465 -31376537663534656634663863373364653234376263333530633666646331343536613866383361 -37636664646139383165396531333162613838313736316361633134653238386534386362623631 -63333531303632356661393637373164383833343965313465363735663534313666653561313861 -64313635643765663966316266316133393931663735653933613665326532646632306236353734 -64343462643834373461636261323337646431346435313633396332383934306138333231343263 -32303431616331386339333063653965343062323733333032663432393334323033656564373332 -66613166353130626336 +64323333366663656333326437323631376336393635306431396265363564303536343435306334 +6133343737336133373736303534653062636532653734380a323839353631663132613566303838 +31393839303266323430346465666331366536323362326632313266636462386534646438313438 +3439623866616632390a643234613336643732353232613134336233396462323535393638613031 +36303236386538323762663661646162346564313335633432666166653935336162623637613636 +39323364383232363963393433333565626331363131343765663865396166303834376163646431 +33366634383733663836313630343236663438323364643038623336323431666335343963376335 +36383934386238303034366336656630646134646337363734396639326434393630396530356332 
+62613362346531643032636366633438323739323730663934626433653732386565663766623164 +32336230313935313331336438616563623830633931653638626162636664383230343261623639 +62333334393934343035373736343333623664656339656537313266633964306564653565616362 +30386536656430666339393666323463366334623538653166323233316230623533643763343236 +64663132393534393338373130343537666435376337656439653331336664303936656563323961 +37353235313434376333306231623736393539656539636164363630666264343862616530663334 +33613663643066336161656366636233646438626436343863373362613334333434343531626338 +63363832333865376337633162346564306564386536373439643738366335336466663935333762 +30633734333938333039633363323035316534663166623439303365393938306431623739633435 +31653062376236643838336232376432623130663063326462356662323863313334333430636535 +37626561616438376466326666393163373432396635333230353132363466636663316232633931 +31336330356238353434623934333232363032323738626431653130376138356439613264643732 +38366231373661613736353665613334343964326130613562636365326233616538303039653438 +32326637316236623162346664666366396263366231333337666662366662386532323237356562 +65356132626331373531363436316562643633366361626135616238656134376335326537313066 +65323337303536346264663661396133613063343761633364393130373935323435383738623539 +61343131636464373363333737633732313135663063663839313365303166663833376237333666 +34396333653036616639373133363631356362663238336539386463363236356339663037386532 +63306562333534353337323537616562663638623134373662653039306231316166356239643862 +32333234383231626537383638643237613565333831396435316231646161393462306137663566 +31303262643233333533333735653637313334336635653232623763653132663536303134336533 +66373566343463313030663731323663633635306564316638366136643062333134323965613064 +35303733366366623465393433386336643637363533376232616437343864386635393930346464 +66343738663866303237653661346133646336396633643838653561356133373864353938336362 
+65326562306237383436336534626434316631613166653234396432333262666634646330306466 +62363161396630343132396335383136353366383261316636333138656632643038393038643463 +64323037313035323836666263366162623162653632393433353831653064316562313935643464 +33326163653131353938666265323662356461353865373737333639663262643463623266383834 +37643833656266666630333234653565363361326133303137396630363062363030356532333438 +66653238323139363033356566656634656361636661386232653735633639313339363533643331 +34623737393836333730653335636637363766383261633364383864666536623436653832613063 +32646235613138303163316536383034363465623566356135326561623466346633623030376335 +37633962363861613339633934356362373361356633313538373362633462303539313162393434 +35383234383332393939336638353663383662633261383131303938613137356335343234663864 +63303731373934386266326536336130636431666339653430643832616562646137373134333233 +38383635336433666437313764303133633836306464383637356537306664313065323164363533 +38613535653562326264626363396332313031656438356331316663643134366663316630366564 +63636437663962353331353963353331333863636462383664633532383662323432376535343763 +32666231646465303239336538613837626239616361623363333637636136303836326136643263 +32623766636662663764613663353232373835393735656532356239643136303632303665656566 +62363732386337373266313337306261616131376163363832653436643638326339343035386334 +66346466376636343530653733356565336637653163376461343938386436313261346539333236 +66636439626435383836366631636439626235323863653933353332653134363235303033356264 +62653833376261363439396333383131653333613264633634323965636539353265656539396535 +36303833386134666539313535333237663231363162373063613233363766303933333734333838 +38333333333466353463383164623533333732353963646562323135633764316365346438623136 +38633963653332623663663434646536386637313061333131363065303639376362353732616266 +38656537393532383861333062393166633765333439343362386239633166346464303230376430 
+64666134643532323731626635643235666665316131643265613038373034353964333337663137 +62636565626632613931323536653634633262343538366538616665373134326334386365386538 +33613334303831663362633234613538343962646633356661303736336136663731393661363738 +32626165303063653830613735616434636134353936613761393239666238336132393634376463 +37346363363835353133653639333637616164613236396463316163636463303433623165343231 +64623733646635326232663235343337613633316639633661646535333366393438643734666637 +38656531623631623437653032363366306630346666663033643233613066393139333936666162 +62343032636665363830323634373437313766643933383035663065343961656235653338636130 +37393364636531353164386134633736636134313966633238633038346264313233623034376538 +37663137626162383238383132326433633064366532653033653061316336383663366135343662 +63663064373136366231353633643831656462613061383732353635326432323235386435613166 +37323235636638653031336363383761306631613265616665346233336539653661303430323636 +33646161353936363337623230386239666363313936313733643638363766313035613365373333 +31386535633464326635333333653163636432383739623266616464336432383665346362366465 +64616362376233653031633333366262623566373565313635313461646563386665356533306638 +39336635313034306562323364313039323666623964386361643764373232366436323935353833 +66653030376536613530613163633733653536393964633462666261343265653535666636633838 +61316639653030313964363266386366303833623866343265656164326435313565656362366138 +65636566333431633362306237633232386132366439333936646436306463663834353237313061 +38343461386636323939653739353635316538363561326131633331336638393063353937353730 +66373864326461346165623831306162636632343331366332306531326435393538666263383465 +66656438633534326364366235353130343130323163653936653139343962336361646164306430 +36613931656461646261373133363430643030623031646662663235326539343131333366616165 +31386236313132303164633566393237306365613062363065313333643166656431393533366562 
+36333537376535373939636365346366393533393861616566313733643866616538343239643762 +39613863663761636137383931373665353465326539386463643530343237643061333439613137 +66313866643133646361323666643764313666626465393235653965653664653962386464333539 +31343836656237333634633963396564623566363835363466636635623232663834643638333131 +30356631333136643466313230376365613731313863613163346435363534336663376362343034 +63376662616431353564373832366464306361616239383837663737653836663564616635646663 +35313031663537363838633838393664336634633961616162303364386362336535666463336336 +61636637326665313464643333663530393463346265323564623162616330636166316330323438 +64663832333964333938313336326236383935303465373663616638383332363366636234383131 +66656664646662393935363531343536623231346539373232353466386264303337373031373365 +37356663343130366564356366343966376366383237306533376634343766643761373039616664 +38343535316131313764643130613030613061333631653537356635633230363335653931353463 +36383161336236303330356533306431653736343635666239623234653462653330383037383334 +32613437613036333236633664623938356332636432356663663062623234363237393932316462 +66323030393832326133623037303436656535306335613430326666393664616535376332346632 +63373564623534646465313866326430386238396163353165626534366164306231653633613663 +39306133633736646234613535303763323235373639663964363666376634323763396565386537 +33616164663235653363613135643465366137366330643138333338636536663730363963666239 +61666432313437336265383237333930376365356165613935383461373765363965623335373965 +61643461373036643164393366326664383233343939336436623661323662353137303430663533 +66353037663836383037393863333130313337343530336636366535653432343166396462623338 +61663464363437336262303161653433303639363737316530656265663737616164366138383761 +32326531333832623839323832323364623637636330663139316131383534623263663334626234 +66643661643766636566313635663230333837613332616366353931376262616433393532646636 
+32646434323534636236633932616361363336653039353737333034346165303533323066393232
+32336266373163386161326131373834613936356362346563616466623233303263653730616363
+36383332653236646339633136376462626431616231323465636464663838323739316562386438
+61373736376263336334313066643131306637383465616266383765623432343537383162643630
+63343532303235373030343562656565666464666437356337643335363364306138336535386461
+65663435643866356639656236306463613333633833353932646665623839663635383266323132
+36363063333833383437356632333562366564633365626331396333333439646165663365353636
+39393136656439333735663065353232666539663433326364323734333461353465656537363339
+35316635346164663037343331343164396561656530636332356637333930313931376239393961
+33353532323137363239653664326436346330326361616161373432363134613437643562313939
+63643133306534396236383866333135306137316632336235666463363165353830313839383531
+66616265316534393635
diff --git a/roles/authentik/handlers/main.yml b/roles/authentik/handlers/main.yml
new file mode 100644
index 0000000..07c6c69
--- /dev/null
+++ b/roles/authentik/handlers/main.yml
@@ -0,0 +1,13 @@
+---
+
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
+- name: Restart authentik
+  service: name=authentik state=restarted
+
+- name: Restart nginx
+  service: name=nginx state=restarted
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr
diff --git a/roles/authentik/meta/main.yml b/roles/authentik/meta/main.yml
new file mode 100644
index 0000000..8fcf724
--- /dev/null
+++ b/roles/authentik/meta/main.yml
@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }
diff --git a/roles/authentik/tasks/main.yml b/roles/authentik/tasks/main.yml
new file mode 100644
index 0000000..4186c0d
--- /dev/null
+++ b/roles/authentik/tasks/main.yml
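Review bot: The handlers are written in the `key=value` shorthand (`systemd: daemon_reload=yes`, `service: name=authentik state=restarted`), which ansible-lint flags and which cannot express nested arguments; native block YAML reads the same, e.g. `systemd:` followed by `daemon_reload: true`. The same shorthand is used for nearly every task in roles/authentik/tasks/main.yml, and roles/authentik/meta/main.yml passes `nginx_ssl: True` where the canonical boolean is `true`. If the rest of the repository already uses this style, keeping it for consistency is defensible; otherwise this new role is a good place to start on block syntax.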
@@ -0,0 +1,51 @@
+---
+
+- name: Install packages
+  apt:
+    name:
+    - docker-compose
+
+- name: Create authentik group
+  group: name=authentik
+
+- name: Create authentik user
+  user:
+    name: authentik
+    home: /opt/authentik
+    shell: /bin/bash
+    group: authentik
+    groups: docker
+
+- name: Configure authentik container
+  template: src=docker-compose.yml.j2 dest=/opt/authentik/docker-compose.yml
+  notify: Restart authentik
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ authentik_domain }}.key -out /etc/nginx/ssl/{{ authentik_domain }}.crt -days 730 -subj "/CN={{ authentik_domain }}" creates=/etc/nginx/ssl/{{ authentik_domain }}.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager for authentik
+  template: src=certs.j2 dest=/etc/acertmgr/{{ authentik_domain }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhost
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/authentik
+  notify: Restart nginx
+
+- name: Enable vhost
+  file: src=/etc/nginx/sites-available/authentik dest=/etc/nginx/sites-enabled/authentik state=link
+  notify: Restart nginx
+
+- name: Systemd unit for authentik
+  template: src=authentik.service.j2 dest=/etc/systemd/system/authentik.service
+  notify:
+  - Reload systemd
+  - Restart authentik
+
+- name: Start the authentik service
+  service: name=authentik state=started enabled=yes
+
+- name: Enable monitoring
+  include_role: name=icinga-monitor tasks_from=http
+  vars:
+    vhost: "{{ authentik_domain }}"
diff --git a/roles/authentik/templates/authentik.service.j2 b/roles/authentik/templates/authentik.service.j2
new file mode 100644
index 0000000..7da1a77
--- /dev/null
+++ b/roles/authentik/templates/authentik.service.j2
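Review bot: The `Configure authentik container` task renders /opt/authentik/docker-compose.yml, which carries `authentik_dbpass` and `authentik_secret` in clear text, without `owner`, `group` or `mode`, so the file is created by root under the default umask (typically 0644) and is readable by every local account. The unit runs docker-compose as `authentik`, so the file only needs to be readable by that user: `template: src=docker-compose.yml.j2 dest=/opt/authentik/docker-compose.yml owner=authentik group=authentik mode=0600`. Separately, `groups: docker` on the `Create authentik user` task makes that account equivalent to root on the host; that is what the unit needs to drive docker-compose, but it deserves a comment next to the line, e.g. `# docker group is required to run docker-compose and is root-equivalent on this host`.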
@@ -0,0 +1,28 @@
+[Unit]
+Description=authentik service using docker compose
+Requires=docker.service
+After=docker.service
+Before=nginx.service
+
+[Service]
+Type=simple
+
+User=authentik
+Group=authentik
+
+Restart=always
+TimeoutStartSec=1200
+
+WorkingDirectory=/opt/authentik
+
+# Make sure no old containers are running
+ExecStartPre=/usr/bin/docker-compose down -v
+
+# Compose up
+ExecStart=/usr/bin/docker-compose up
+
+# Compose down, remove containers and volumes
+ExecStop=/usr/bin/docker-compose down -v
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/authentik/templates/certs.j2 b/roles/authentik/templates/certs.j2
new file mode 100644
index 0000000..14fc394
--- /dev/null
+++ b/roles/authentik/templates/certs.j2
@@ -0,0 +1,15 @@
+---
+
+{{ authentik_domain }}:
+- path: /etc/nginx/ssl/{{ authentik_domain }}.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ authentik_domain }}.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'
diff --git a/roles/authentik/templates/docker-compose.yml.j2 b/roles/authentik/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..81a347e
--- /dev/null
+++ b/roles/authentik/templates/docker-compose.yml.j2
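Review bot: Both `ExecStartPre` and `ExecStop` run `docker-compose down -v`, which removes named and anonymous volumes as well as the containers. With the bind mounts the compose template uses today (`./database`, `./redis`) there is nothing persistent for `-v` to delete, but if those are ever switched to named volumes, as upstream's compose file uses, every restart of this unit would wipe the database. Unless discarding volumes is intended, drop the flag on both lines: `ExecStartPre=/usr/bin/docker-compose down` and `ExecStop=/usr/bin/docker-compose down`, and reword the `# Compose down, remove containers and volumes` comment accordingly.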
@@ -0,0 +1,69 @@
+---
+version: "3.4"
+services:
+  postgresql:
+    image: docker.io/library/postgres:12-alpine
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    volumes:
+      - ./database:/var/lib/postgresql/data
+    environment:
+      POSTGRES_PASSWORD: {{ authentik_dbpass }}
+      POSTGRES_USER: {{ authentik_dbuser }}
+      POSTGRES_DB: {{ authentik_dbname }}
+  redis:
+    image: docker.io/library/redis:alpine
+    command: --save 60 1 --loglevel warning
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 3s
+    volumes:
+      - ./redis:/data
+  server:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.6.1}
+    restart: unless-stopped
+    command: server
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
+      AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
+      AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
+      AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
+    volumes:
+      - ./media:/media
+      - ./custom-templates:/templates
+    ports:
+      - "127.0.0.1:9000:9000"
+  worker:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.6.1}
+    restart: unless-stopped
+    command: worker
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
+      AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
+      AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
+      AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
+    # `user: root` and the docker socket volume are optional.
+    # See more for the docker socket integration here:
+    # https://goauthentik.io/docs/outposts/integrations/docker
+    # Removing `user: root` also prevents the worker from fixing the permissions
+    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
+    # (1000:1000 by default)
+    user: root
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./media:/media
+      - ./certs:/certs
+      - ./custom-templates:/templates
diff --git a/roles/authentik/templates/vhost.j2 b/roles/authentik/templates/vhost.j2
new file mode 100644
index 0000000..982cc61
--- /dev/null
+++ b/roles/authentik/templates/vhost.j2
@@ -0,0 +1,41 @@
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    '' close;
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name {{ authentik_domain }};
+
+    location /.well-known/acme-challenge {
+        default_type "text/plain";
+        alias /var/www/acme-challenge;
+    }
+
+    location / {
+        return 301 https://{{ authentik_domain }}$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name {{ authentik_domain }};
+
+    ssl_certificate_key /etc/nginx/ssl/{{ authentik_domain }}.key;
+    ssl_certificate /etc/nginx/ssl/{{ authentik_domain }}.crt;
+
+    location / {
+        proxy_pass http://localhost:9000;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+    }
+}
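Review bot: The templated secrets in the `environment:` blocks are unquoted (`POSTGRES_PASSWORD: {{ authentik_dbpass }}`, `AUTHENTIK_SECRET_KEY: {{ authentik_secret }}`, and the matching `AUTHENTIK_POSTGRESQL__PASSWORD` lines under `server` and `worker`), so a vault value that contains `#` or `: `, starts with `*`, `{` or `[`, or happens to look like a number or boolean will be mis-typed or will break the rendered compose file. Quote every templated value, e.g. `POSTGRES_PASSWORD: "{{ authentik_dbpass }}"`; a `$` inside the secret is still expanded by compose's own interpolation regardless of YAML quoting, which is why the healthcheck already escapes it as `$${POSTGRES_DB}`, so the vault values should avoid `$` or escape it the same way. Separately, the `worker` service keeps upstream's `user: root` together with the `/var/run/docker.sock` bind mount, which gives that container root on the host; the inline comment marks both as optional, so unless the docker outpost integration is actually used, removing `user: root` and the socket line shrinks the blast radius of a worker compromise.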
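Review bot: `proxy_pass http://localhost:9000;` leaves the upstream address to however nginx resolves `localhost`, which on a dual-stack host can include `::1`, while the compose template publishes the server only on `127.0.0.1:9000`; pointing at the address that is actually bound avoids a failed attempt and retry on each request: `proxy_pass http://127.0.0.1:9000;`. The 443 server block configures the certificate but sets no `Strict-Transport-Security` header; if the nginx role pulled in through meta/main.yml with `nginx_ssl: True` does not add it globally, consider `add_header Strict-Transport-Security "max-age=63072000" always;` inside that block so an SSO endpoint is never downgraded to plain HTTP after first contact. Whether the shared nginx role already sets HSTS or other security headers cannot be seen from this patch.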