Replace authentik with pocket-id

Much lighter weight
2026-01-23 02:14:14 +00:00 · 2025-05-19 20:49:40 +01:00 · 2025-05-19 20:49:40 +01:00 · 281581f9ee
commit 281581f9ee
parent 809af5c369
9 changed files with 74 additions and 107 deletions
--- a/ansible/main.yml
+++ b/ansible/main.yml
@ -67,7 +67,7 @@
    - mastodon
    - forgejo
    - vikunja
-    - authentik
+    - pocket_id
    - minio
    - ntfy
    - baby_buddy
--- a/ansible/roles/authentik/files/docker-compose.yml
+++ b/ansible/roles/authentik/files/docker-compose.yml
@ -1,76 +0,0 @@
-x-env: &env
-  - TIMEZONE={{ timezone }}
-  - AUTHENTIK_REDIS__HOST=redis
-  - AUTHENTIK_POSTGRESQL__HOST=db
-  - AUTHENTIK_POSTGRESQL__USER=authentik
-  - AUTHENTIK_POSTGRESQL__NAME=authentik
-  - AUTHENTIK_POSTGRESQL__PASSWORD={{ vault_authentik_db_password }}
-  - AUTHENTIK_SECRET_KEY={{ vault_authentik_secret_key }}
-  - AUTHENTIK_WEB__WORKERS=1
-  - AUTHENTIK_DISABLE_UPDATE_CHECK=true
-  - AUTHENTIK_ERROR_REPORTING__ENABLED=false
-  - AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
-  - AUTHENTIK_EMAIL__HOST=smtp.eu.mailgun.org
-  - AUTHENTIK_EMAIL__PORT=465
-  - AUTHENTIK_EMAIL__USERNAME={{ vault_authentik_email_username }}
-  - AUTHENTIK_EMAIL__PASSWORD={{ vault_authentik_email_password }}
-  - AUTHENTIK_EMAIL__USE_TLS=true
-  - AUTHENTIK_EMAIL__FROM={{ vault_authentik_email_from }}
-
-services:
-  server:
-    image: ghcr.io/goauthentik/server:2025.2
-    restart: unless-stopped
-    command: server
-    user: "{{ docker_user.id }}"
-    environment: *env
-    volumes:
-      - "{{ app_data_dir }}/authentik/media:/media"
-      - "{{ app_data_dir }}/authentik/custom-templates:/templates"
-    labels:
-      - traefik.enable=true
-      - traefik.http.routers.authentik.rule=Host(`auth.jakehoward.tech`)
-      - traefik.http.services.authentik-authentik.loadbalancer.server.port=9000
-      - traefik.http.middlewares.authentik-ratelimit.ratelimit.average=5
-      - traefik.http.middlewares.authentik-ratelimit.ratelimit.burst=1000
-      - traefik.http.routers.authentik.middlewares=authentik-ratelimit
-    depends_on:
-      - db
-      - redis
-    networks:
-      - default
-      - traefik
-
-  worker:
-    image: ghcr.io/goauthentik/server:2025.2
-    restart: unless-stopped
-    command: worker
-    user: "{{ docker_user.id }}"
-    environment: *env
-    volumes:
-      - "{{ app_data_dir }}/authentik/media:/media"
-      - "{{ app_data_dir }}/authentik/certs:/certs"
-      - "{{ app_data_dir }}/authentik/custom-templates:/templates"
-    depends_on:
-      - db
-      - redis
-      - server
-
-  db:
-    image: postgres:15-alpine
-    restart: unless-stopped
-    volumes:
-      - /mnt/speed/dbs/postgres/authentik:/var/lib/postgresql/data
-    environment:
-      - POSTGRES_PASSWORD={{ vault_authentik_db_password }}
-      - POSTGRES_USER=authentik
-
-  redis:
-    image: redis:7-alpine
-    restart: unless-stopped
-    volumes:
-      - /mnt/speed/dbs/redis/authentik:/data
-
-networks:
-  traefik:
-    external: true
--- a/ansible/roles/authentik/handlers/main.yml
+++ b/ansible/roles/authentik/handlers/main.yml
@ -1,4 +0,0 @@
- name: restart authentik
-  shell:
-    chdir: /opt/authentik
-    cmd: "{{ docker_update_command }}"
--- a/ansible/roles/authentik/vars/vault.yml
+++ b/ansible/roles/authentik/vars/vault.yml
@ -1,22 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-31633966386539623139356136333664326633646537366433626432363437336331333639636634
-6563646365666534393834636539376337666336376666300a313338336365383338633165646531
-35656231613762393636666332653434393966343039313863333566646434643630343438623362
-6466383362396539610a366438306332303331656237343466313135336431363335306636643363
-32383066353331383461613532323265353861663835663463383235303863306438386364303235
-31323264323732326231336162393438313262323263316564336266663565666361316564373332
-61616637306636353362633338616461646232616165323638346164346565353139666238323033
-36366537393530613464613033383438666362636166613062653930326663626337346636346434
-66396362656231613930653866386334393438336332383637356663323936623863313161323039
-34316639633235313132336238636162343936336163356135303034383434346561356365633636
-32633930313335343961653835656363333365656438393334303333373337353566666532373964
-38316362306362363464313237383130343239326238663062616533396230316438316536333139
-66353835333066346634366638323930616365386364643165666133666565383137303062636263
-64646639666235356264623663313762333666306565303237656434323365316165633866373964
-38326631656463373161356562303031643231623332653861616535333834336630363239363632
-31643862626639353132373232393966323461653361343331653261356431363933326130363433
-38323633343433346535633937373466666639353530653164313532623535653135613766336138
-64626631656431613937366563373934616364656536373437353563346165626535326464353439
-37353136376636633231393733613663633864616163373736386332316162333166303863663538
-63376461643263326362373434666138303635636165616564316432626564356138623032653737
-37323633353165623661343736363933323631646438383430303234326665613566
--- a/ansible/roles/pocket_id/files/docker-compose.yml
+++ b/ansible/roles/pocket_id/files/docker-compose.yml
@ -0,0 +1,47 @@
+services:
+  pocket-id:
+    image: ghcr.io/pocket-id/pocket-id
+    restart: unless-stopped
+    user: "{{ docker_user.id }}"
+    environment:
+      - PUBLIC_APP_URL=https://auth.jakehoward.tech
+      - TRUST_PROXY=true
+      - DB_PROVIDER=postgres
+      - DB_CONNECTION_STRING=postgres://pocketid:{{ vault_pocket_id_db_password }}@db/pocketid
+      - UPDATE_CHECK_DISABLED=true
+      - PUBLIC_UI_CONFIG_DISABLED=true
+      - APP_NAME=Orange ID
+      - SESSION_DURATION=30
+      - SMTP_HOST=smtp.eu.mailgun.org
+      - SMTP_PORT=465
+      - SMTP_FROM={{ vault_pocket_id_from_address }}
+      - SMTP_USER={{ vault_pocket_id_smtp_user }}
+      - SMTP_PASSWORD={{ vault_pocket_id_smtp_password }}
+      - SMTP_TLS=tls
+      - EMAIL_LOGIN_NOTIFICATION_ENABLED=true
+    volumes:
+      - "{{ app_data_dir }}/pocket-id:/app/backend/data"
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.pocket-id.rule=Host(`auth.jakehoward.tech`)
+      - traefik.http.middlewares.pocket-id-ratelimit.ratelimit.average=5
+      - traefik.http.middlewares.pocket-id-ratelimit.ratelimit.burst=200
+      - traefik.http.routers.pocket-id.middlewares=pocket-id-ratelimit
+    depends_on:
+      - db
+    networks:
+      - default
+      - traefik
+
+  db:
+    image: postgres:15-alpine
+    restart: unless-stopped
+    volumes:
+      - /mnt/speed/dbs/postgres/pocket-id:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_PASSWORD={{ vault_pocket_id_db_password }}
+      - POSTGRES_USER=pocketid
+
+networks:
+  traefik:
+    external: true
--- a/ansible/roles/pocket_id/handlers/main.yml
+++ b/ansible/roles/pocket_id/handlers/main.yml
@ -0,0 +1,4 @@
+- name: restart pocket-id
+  shell:
+    chdir: /opt/pocket-id
+    cmd: "{{ docker_update_command }}"
--- a/ansible/roles/pocket_id/tasks/main.yml
+++ b/ansible/roles/pocket_id/tasks/main.yml
@ -3,7 +3,7 @@

 - name: Create install directory
  file:
-    path: /opt/authentik
+    path: /opt/pocket-id
    state: directory
    owner: "{{ docker_user.name }}"
    mode: "{{ docker_compose_directory_mask }}"
@ -11,8 +11,8 @@
 - name: Install compose file
  template:
    src: files/docker-compose.yml
-    dest: /opt/authentik/docker-compose.yml
+    dest: /opt/pocket-id/docker-compose.yml
    mode: "{{ docker_compose_file_mask }}"
    owner: "{{ docker_user.name }}"
    validate: docker-compose -f %s config
-  notify: restart authentik
+  notify: restart pocket-id
--- a/ansible/roles/pocket_id/vars/vault.yml
+++ b/ansible/roles/pocket_id/vars/vault.yml
@ -0,0 +1,18 @@
+$ANSIBLE_VAULT;1.1;AES256
+61613231353938346635326165303531326232393334313261366561326633323836366334663634
+3563306334306632383964643634653166373964666335360a363338323236323461316634333161
+38303037373861326263353366653034646162653331616265313865613964666133326334666666
+3038633037313437370a353865346537323135313632303439373535303366383437633135386333
+65393434633037393535373331366265386663313334333664636565313331353332393530393231
+64646135356265653662333637643461636539306138386263383062396666363264386535653438
+30653634393337366363646364613032666631346662333435313931356639643962316666343939
+36383563373733353437386262326638666533653232636363363636376131313661396136663261
+30373732616665353137623561346666616361376563323764346536623734633737643736653238
+62633663373863653663383635373537653337376338656433626163393666396139363038666461
+37316537383566373239393831353632393135303831353866373339323831663038333733356333
+30663137653539363162386362303266396365623936386335303536386239323739383436373462
+34336566316332396166633735396532363238386531396361656666323233393763663335333038
+65333939343066376365633138383364376136303431343333353835656332626563646530343766
+64366466303038373661616136636530383366373365323062383836336530373035323466306135
+34366438613438323133356138383566663165323837666435353435333539333862366630306132
+66386265636139653739386630656566326131613231373639656264643232373134
--- a/ansible/roles/pve_docker/files/nextcloud/config.php
+++ b/ansible/roles/pve_docker/files/nextcloud/config.php
@ -54,7 +54,7 @@ $CONFIG = array (
  'mail_smtppassword' => '{{ nextcloud.email_password }}',
  'mail_smtpport' => '465',
  'upgrade.disable-web' => true,
-  # Allow Nextcloud to talk to Authentik
+  # Allow Nextcloud to talk to other services
  'allow_local_remote_servers' => true,
  'maintenance_window_start' => 18,
 );