Disable authentik servers in haproxy before restarts

2024-11-28 15:12:26 +05:00 · 2024-11-28 15:12:26 +05:00 · a720e784e2
commit a720e784e2
parent 9592eb0890
3 changed files with 99 additions and 55 deletions
--- a/roles/authentik/tasks/main.yml
+++ b/roles/authentik/tasks/main.yml
@ -31,35 +31,10 @@
  ansible.builtin.template:
    src: authentik.env.j2
    dest: /etc/authentik/.env
- name: Run authentik server container
+- include_tasks: start_server.yml
-  become: true
+  loop: [1, 2]
-  community.docker.docker_container:
+  loop_control:
-    name: authentik-{{ item }}
+    loop_var: server_idx
    image: "{{ image }}:{{ tag }}"
    command: ["server"]
    networks:
      - name: authentik
      - name: postgresql
      - name: haproxy
      - name: monitoring
    user: root
    volumes:
      - authentik-media:/media
      - authentik-templates:/templates
      - authentik-certs:/certs
      - /etc/letsencrypt/live/comfycamp.space/fullchain.pem:/certs/comfycamp.space/fullchain.pem:ro
      - /etc/letsencrypt/live/comfycamp.space/privkey.pem:/certs/comfycamp.space/privkey.pem:ro
    env_file: /etc/authentik/.env
    restart_policy: unless-stopped
    healthcheck:
      test: ["CMD", "ak", "healthcheck"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 60s
    # TODO: enable after ansible update
    # state: healthy
  loop: ["1", "2"]
 - name: Run authentik worker container
  become: true
  community.docker.docker_container:
@ -83,29 +58,7 @@
      start_period: 60s
    # TODO: enable after ansible update
    # state: healthy
- name: Run authentik LDAP outpost
+- include_tasks: start_ldap_server.yml
-  become: true
+  loop: [1, 2]
-  community.docker.docker_container:
+  loop_control:
-    name: authentik-ldap-{{ item }}
+    loop_var: server_idx
    image: ghcr.io/goauthentik/ldap:{{ tag }}
    networks:
      - name: authentik
      - name: haproxy
      - name: monitoring
    volumes:
      - authentik-certs:/certs
      - /etc/letsencrypt/live/comfycamp.space/fullchain.pem:/certs/comfycamp.space/fullchain.pem:ro
      - /etc/letsencrypt/live/comfycamp.space/privkey.pem:/certs/comfycamp.space/privkey.pem:ro
    env:
      AUTHENTIK_HOST: http://authentik-{{ item }}:9000
      AUTHENTIK_TOKEN: "{{ ldap_outpost_token }}"
    restart_policy: unless-stopped
    healthcheck:
      test: ["CMD", "/ldap", "healthcheck"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 5s
    # TODO: enable after ansible update
    # state: healthy
  loop: ["1", "2"]
--- a/roles/authentik/tasks/start_ldap_server.yml
+++ b/roles/authentik/tasks/start_ldap_server.yml
@ -0,0 +1,44 @@
 ---
 - name: Disable LDAP server in haproxy
  become: true
  community.general.haproxy:
    socket: /run/haproxy/admin.sock
    state: disabled
    drain: true
    wait: true
    backend: authentik_ldap
    host: s{{ server_idx }}
    fail_on_not_found: true
 - name: Run authentik LDAP outpost
  become: true
  community.docker.docker_container:
    name: authentik-ldap-{{ server_idx }}
    image: ghcr.io/goauthentik/ldap:{{ tag }}
    networks:
      - name: authentik
      - name: haproxy
      - name: monitoring
    volumes:
      - authentik-certs:/certs
      - /etc/letsencrypt/live/comfycamp.space/fullchain.pem:/certs/comfycamp.space/fullchain.pem:ro
      - /etc/letsencrypt/live/comfycamp.space/privkey.pem:/certs/comfycamp.space/privkey.pem:ro
    env:
      AUTHENTIK_HOST: https://auth.comfycamp.space
      AUTHENTIK_TOKEN: "{{ ldap_outpost_token }}"
    restart_policy: unless-stopped
    healthcheck:
      test: ["CMD", "/ldap", "healthcheck"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 5s
    # TODO: enable after ansible update
    # state: healthy
 - name: Enable LDAP server in haproxy
  become: true
  community.general.haproxy:
    socket: /run/haproxy/admin.sock
    state: enabled
    backend: authentik_ldap
    host: s{{ server_idx }}
    fail_on_not_found: true
--- a/roles/authentik/tasks/start_server.yml
+++ b/roles/authentik/tasks/start_server.yml
@ -0,0 +1,47 @@
 ---
 - name: Disable server in haproxy
  become: true
  community.general.haproxy:
    socket: /run/haproxy/admin.sock
    state: disabled
    drain: true
    wait: true
    backend: authentik
    host: s{{ server_idx }}
    fail_on_not_found: true
 - name: Run authentik server container
  become: true
  community.docker.docker_container:
    name: authentik-{{ server_idx }}
    image: "{{ image }}:{{ tag }}"
    command: ["server"]
    networks:
      - name: authentik
      - name: postgresql
      - name: haproxy
      - name: monitoring
    user: root
    volumes:
      - authentik-media:/media
      - authentik-templates:/templates
      - authentik-certs:/certs
      - /etc/letsencrypt/live/comfycamp.space/fullchain.pem:/certs/comfycamp.space/fullchain.pem:ro
      - /etc/letsencrypt/live/comfycamp.space/privkey.pem:/certs/comfycamp.space/privkey.pem:ro
    env_file: /etc/authentik/.env
    restart_policy: unless-stopped
    healthcheck:
      test: ["CMD", "ak", "healthcheck"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 60s
    # TODO: enable after ansible update
    # state: healthy
 - name: Enable server in haproxy
  become: true
  community.general.haproxy:
    socket: /run/haproxy/admin.sock
    state: enabled
    backend: authentik
    host: s{{ server_idx }}
    fail_on_not_found: true