Enable health checks for authentik

roles/authentik/tasks/main.yml

@@ -52,6 +52,14 @@
       - /etc/letsencrypt/live/comfycamp.space/privkey.pem:/certs/comfycamp.space/privkey.pem:ro
     env_file: /etc/authentik/.env
     restart_policy: unless-stopped
+    healthcheck:
+      test: ["CMD", "ak", "healthcheck"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
+    # TODO: enable after ansible update
+    # state: healthy
   loop: ["1", "2"]
 - name: Run authentik worker container
   become: true
@@ -69,6 +77,14 @@
       - authentik-certs:/certs
     env_file: /etc/authentik/.env
     restart_policy: unless-stopped
+    healthcheck:
+      test: ["CMD", "ak", "healthcheck"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
+    # TODO: enable after ansible update
+    # state: healthy
 - name: Run authentik LDAP outpost
   become: true
   community.docker.docker_container:
@@ -85,4 +101,12 @@
       AUTHENTIK_HOST: http://authentik-{{ item }}:9000
       AUTHENTIK_TOKEN: "{{ ldap_outpost_token }}"
     restart_policy: unless-stopped
+    healthcheck:
+      test: ["CMD", "/ldap", "healthcheck"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 5s
+    # TODO: enable after ansible update
+    # state: healthy
   loop: ["1", "2"]

roles/haproxy/files/haproxy.cfg

@@ -181,11 +181,17 @@ backend peertube
 
 backend authentik
     mode http
+    option httpchk GET /-/health/live/
+    http-check expect status 200
     server s1 authentik-1:9000 check
     server s2 authentik-2:9000 check
 
 backend authentik_ldap
     mode tcp
+    option httpchk
+    http-check connect port 9300
+    http-check send meth GET uri /outpost.goauthentik.io/ping
+    http-check expect status 204
     server s1 authentik-ldap-1:3389 check
     server s2 authentik-ldap-2:3389 check