diff --git a/roles/authentik/tasks/main.yml b/roles/authentik/tasks/main.yml index 6ea9c85..062e1d0 100644 --- a/roles/authentik/tasks/main.yml +++ b/roles/authentik/tasks/main.yml @@ -31,35 +31,10 @@ ansible.builtin.template: src: authentik.env.j2 dest: /etc/authentik/.env -- name: Run authentik server container - become: true - community.docker.docker_container: - name: authentik-{{ item }} - image: "{{ image }}:{{ tag }}" - command: ["server"] - networks: - - name: authentik - - name: postgresql - - name: haproxy - - name: monitoring - user: root - volumes: - - authentik-media:/media - - authentik-templates:/templates - - authentik-certs:/certs - - /etc/letsencrypt/live/comfycamp.space/fullchain.pem:/certs/comfycamp.space/fullchain.pem:ro - - /etc/letsencrypt/live/comfycamp.space/privkey.pem:/certs/comfycamp.space/privkey.pem:ro - env_file: /etc/authentik/.env - restart_policy: unless-stopped - healthcheck: - test: ["CMD", "ak", "healthcheck"] - interval: 30s - timeout: 10s - retries: 3 - start_period: 60s - # TODO: enable after ansible update - # state: healthy - loop: ["1", "2"] +- include_tasks: start_server.yml + loop: [1, 2] + loop_control: + loop_var: server_idx - name: Run authentik worker container become: true community.docker.docker_container: 
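Review bot: The server index list `loop: [1, 2]` is now spelled out in main.yml but has to agree with the haproxy `s1`/`s2` backend server names and the `authentik-<idx>` container suffixes that start_server.yml derives from `server_idx`; lifting it into a role default (`authentik_server_indices: [1, 2]`, then `loop: "{{ authentik_server_indices }}"`) keeps the three in sync and makes the same list reusable for the LDAP include below. A comment above the include would also help, since the included file disables the backend before recreating the container: a failure inside it appears to leave `s{{ server_idx }}` disabled in haproxy until an operator re-enables it, which is fail-closed but not visible from main.yml — e.g. `# rolling restart: each include drains s<idx> in haproxy first; a failed run leaves that server disabled`.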
@@ -83,29 +58,7 @@ start_period: 60s # TODO: enable after ansible update # state: healthy -- name: Run authentik LDAP outpost - become: true - community.docker.docker_container: - name: authentik-ldap-{{ item }} - image: ghcr.io/goauthentik/ldap:{{ tag }} - networks: - - name: authentik - - name: haproxy - - name: monitoring - volumes: - - authentik-certs:/certs - - /etc/letsencrypt/live/comfycamp.space/fullchain.pem:/certs/comfycamp.space/fullchain.pem:ro - - /etc/letsencrypt/live/comfycamp.space/privkey.pem:/certs/comfycamp.space/privkey.pem:ro - env: - AUTHENTIK_HOST: http://authentik-{{ item }}:9000 - AUTHENTIK_TOKEN: "{{ ldap_outpost_token }}" - restart_policy: unless-stopped - healthcheck: - test: ["CMD", "/ldap", "healthcheck"] - interval: 30s - timeout: 10s - retries: 3 - start_period: 5s - # TODO: enable after ansible update - # state: healthy - loop: ["1", "2"] +- include_tasks: start_ldap_server.yml + loop: [1, 2] + loop_control: + loop_var: server_idx diff --git a/roles/authentik/tasks/start_ldap_server.yml b/roles/authentik/tasks/start_ldap_server.yml new file mode 100644 index 0000000..4064867 --- /dev/null +++ b/roles/authentik/tasks/start_ldap_server.yml 
@@ -0,0 +1,44 @@
+---
+- name: Disable LDAP server in haproxy
+ become: true
+ community.general.haproxy:
+ socket: /run/haproxy/admin.sock
+ state: disabled
+ drain: true
+ wait: true
+ backend: authentik_ldap
+ host: s{{ server_idx }}
+ fail_on_not_found: true
+- name: Run authentik LDAP outpost
+ become: true
+ community.docker.docker_container:
+ name: authentik-ldap-{{ server_idx }}
+ image: ghcr.io/goauthentik/ldap:{{ tag }}
+ networks:
+ - name: authentik
+ - name: haproxy
+ - name: monitoring
+ volumes:
+ - authentik-certs:/certs
+ - /etc/letsencrypt/live/comfycamp.space/fullchain.pem:/certs/comfycamp.space/fullchain.pem:ro
+ - /etc/letsencrypt/live/comfycamp.space/privkey.pem:/certs/comfycamp.space/privkey.pem:ro
+ env:
+ AUTHENTIK_HOST: https://auth.comfycamp.space
+ AUTHENTIK_TOKEN: "{{ ldap_outpost_token }}"
+ restart_policy: unless-stopped
+ healthcheck:
+ test: ["CMD", "/ldap", "healthcheck"]
+ interval: 30s
+ timeout: 10s
+ retries: 3
+ start_period: 5s
+ # TODO: enable after ansible update
+ # state: healthy
+- name: Enable LDAP server in haproxy
+ become: true
+ community.general.haproxy:
+ socket: /run/haproxy/admin.sock
+ state: enabled
+ backend: authentik_ldap
+ host: s{{ server_idx }}
+ fail_on_not_found: true
diff --git a/roles/authentik/tasks/start_server.yml b/roles/authentik/tasks/start_server.yml
new file mode 100644
index 0000000..a3635c9
--- /dev/null
+++ b/roles/authentik/tasks/start_server.yml
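Review bot: `AUTHENTIK_TOKEN: "{{ ldap_outpost_token }}"` is passed through `env:` on the "Run authentik LDAP outpost" task without `no_log: true`, so the outpost API token ends up in the task's return value (the module reports the container's inspect data, which includes its environment) and in any `-v`, `--diff` or registered output of the play. Add `no_log: true` to that task, or move the token into a root-owned env file consumed via `env_file:` as the server task already does with `/etc/authentik/.env`. Separately, "Enable LDAP server in haproxy" re-enables `s{{ server_idx }}` immediately after the container is recreated, while `state: healthy` is still commented out, so haproxy may route binds to an outpost that has not yet passed its healthcheck; a `community.docker.docker_container_info` task with `until:` on `container.State.Health.Status == 'healthy'` placed before the enable step would close that gap. Switching `AUTHENTIK_HOST` to `https://auth.comfycamp.space` also means the outpost now reaches the API through haproxy and the public certificate rather than the docker network, which is fine but worth a one-line comment explaining why.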
@@ -0,0 +1,47 @@
+---
+- name: Disable server in haproxy
+ become: true
+ community.general.haproxy:
+ socket: /run/haproxy/admin.sock
+ state: disabled
+ drain: true
+ wait: true
+ backend: authentik
+ host: s{{ server_idx }}
+ fail_on_not_found: true
+- name: Run authentik server container
+ become: true
+ community.docker.docker_container:
+ name: authentik-{{ server_idx }}
+ image: "{{ image }}:{{ tag }}"
+ command: ["server"]
+ networks:
+ - name: authentik
+ - name: postgresql
+ - name: haproxy
+ - name: monitoring
+ user: root
+ volumes:
+ - authentik-media:/media
+ - authentik-templates:/templates
+ - authentik-certs:/certs
+ - /etc/letsencrypt/live/comfycamp.space/fullchain.pem:/certs/comfycamp.space/fullchain.pem:ro
+ - /etc/letsencrypt/live/comfycamp.space/privkey.pem:/certs/comfycamp.space/privkey.pem:ro
+ env_file: /etc/authentik/.env
+ restart_policy: unless-stopped
+ healthcheck:
+ test: ["CMD", "ak", "healthcheck"]
+ interval: 30s
+ timeout: 10s
+ retries: 3
+ start_period: 60s
+ # TODO: enable after ansible update
+ # state: healthy
+- name: Enable server in haproxy
+ become: true
+ community.general.haproxy:
+ socket: /run/haproxy/admin.sock
+ state: enabled
+ backend: authentik
+ host: s{{ server_idx }}
+ fail_on_not_found: true
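Review bot: "Enable server in haproxy" re-enables `s{{ server_idx }}` as soon as the docker_container task returns, but with `state: healthy` still commented out the container has only been created, not proven healthy, and its healthcheck has a 60s `start_period` — so haproxy can send logins to a server that is still booting, and because main.yml then drains the other index, both servers can be out of rotation at the same time. Until the Ansible upgrade makes `state: healthy` usable, gate the enable on Docker's own health status with a polling task between the two, as sketched below. `user: root` is also carried over into the new file; if it exists only so the process can read the bind-mounted letsencrypt private key, adjusting host-side ownership of that file would let the container run as the image's default user instead (worth confirming against the image's entrypoint).

```yaml
- name: Run authentik server container
  # … unchanged: docker_container arguments …

- name: Wait for authentik server to report healthy
  become: true
  community.docker.docker_container_info:
    name: authentik-{{ server_idx }}
  register: authentik_server_info
  until: >-
    authentik_server_info.exists and
    (authentik_server_info.container.State.Health.Status | default('')) == 'healthy'
  retries: 30
  delay: 5

- name: Enable server in haproxy
  # … unchanged: haproxy enable …
```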