Disable authentik servers in haproxy before restarts

2024-11-28 15:12:26 +05:00 · 2024-11-28 15:12:26 +05:00 · a720e784e2
commit a720e784e2
parent 9592eb0890
3 changed files with 99 additions and 55 deletions
--- a/roles/authentik/tasks/main.yml
+++ b/roles/authentik/tasks/main.yml
@ -31,35 +31,10 @@
  ansible.builtin.template:
    src: authentik.env.j2
    dest: /etc/authentik/.env
- name: Run authentik server container
-  become: true
-  community.docker.docker_container:
-    name: authentik-{{ item }}
-    image: "{{ image }}:{{ tag }}"
-    command: ["server"]
-    networks:
-      - name: authentik
-      - name: postgresql
-      - name: haproxy
-      - name: monitoring
-    user: root
-    volumes:
-      - authentik-media:/media
-      - authentik-templates:/templates
-      - authentik-certs:/certs
-      - /etc/letsencrypt/live/comfycamp.space/fullchain.pem:/certs/comfycamp.space/fullchain.pem:ro
-      - /etc/letsencrypt/live/comfycamp.space/privkey.pem:/certs/comfycamp.space/privkey.pem:ro
-    env_file: /etc/authentik/.env
-    restart_policy: unless-stopped
-    healthcheck:
-      test: ["CMD", "ak", "healthcheck"]
-      interval: 30s
-      timeout: 10s
-      retries: 3
-      start_period: 60s
-    # TODO: enable after ansible update
-    # state: healthy
-  loop: ["1", "2"]
+- include_tasks: start_server.yml
+  loop: [1, 2]
+  loop_control:
+    loop_var: server_idx
 - name: Run authentik worker container
  become: true
  community.docker.docker_container:
@ -83,29 +58,7 @@
      start_period: 60s
    # TODO: enable after ansible update
    # state: healthy
- name: Run authentik LDAP outpost
-  become: true
-  community.docker.docker_container:
-    name: authentik-ldap-{{ item }}
-    image: ghcr.io/goauthentik/ldap:{{ tag }}
-    networks:
-      - name: authentik
-      - name: haproxy
-      - name: monitoring
-    volumes:
-      - authentik-certs:/certs
-      - /etc/letsencrypt/live/comfycamp.space/fullchain.pem:/certs/comfycamp.space/fullchain.pem:ro
-      - /etc/letsencrypt/live/comfycamp.space/privkey.pem:/certs/comfycamp.space/privkey.pem:ro
-    env:
-      AUTHENTIK_HOST: http://authentik-{{ item }}:9000
-      AUTHENTIK_TOKEN: "{{ ldap_outpost_token }}"
-    restart_policy: unless-stopped
-    healthcheck:
-      test: ["CMD", "/ldap", "healthcheck"]
-      interval: 30s
-      timeout: 10s
-      retries: 3
-      start_period: 5s
-    # TODO: enable after ansible update
-    # state: healthy
-  loop: ["1", "2"]
+- include_tasks: start_ldap_server.yml
+  loop: [1, 2]
+  loop_control:
+    loop_var: server_idx
--- a/roles/authentik/tasks/start_ldap_server.yml
+++ b/roles/authentik/tasks/start_ldap_server.yml
@ -0,0 +1,44 @@
+---
+- name: Disable LDAP server in haproxy
+  become: true
+  community.general.haproxy:
+    socket: /run/haproxy/admin.sock
+    state: disabled
+    drain: true
+    wait: true
+    backend: authentik_ldap
+    host: s{{ server_idx }}
+    fail_on_not_found: true
+- name: Run authentik LDAP outpost
+  become: true
+  community.docker.docker_container:
+    name: authentik-ldap-{{ server_idx }}
+    image: ghcr.io/goauthentik/ldap:{{ tag }}
+    networks:
+      - name: authentik
+      - name: haproxy
+      - name: monitoring
+    volumes:
+      - authentik-certs:/certs
+      - /etc/letsencrypt/live/comfycamp.space/fullchain.pem:/certs/comfycamp.space/fullchain.pem:ro
+      - /etc/letsencrypt/live/comfycamp.space/privkey.pem:/certs/comfycamp.space/privkey.pem:ro
+    env:
+      AUTHENTIK_HOST: https://auth.comfycamp.space
+      AUTHENTIK_TOKEN: "{{ ldap_outpost_token }}"
+    restart_policy: unless-stopped
+    healthcheck:
+      test: ["CMD", "/ldap", "healthcheck"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 5s
+    # TODO: enable after ansible update
+    # state: healthy
+- name: Enable LDAP server in haproxy
+  become: true
+  community.general.haproxy:
+    socket: /run/haproxy/admin.sock
+    state: enabled
+    backend: authentik_ldap
+    host: s{{ server_idx }}
+    fail_on_not_found: true
--- a/roles/authentik/tasks/start_server.yml
+++ b/roles/authentik/tasks/start_server.yml
@ -0,0 +1,47 @@
+---
+- name: Disable server in haproxy
+  become: true
+  community.general.haproxy:
+    socket: /run/haproxy/admin.sock
+    state: disabled
+    drain: true
+    wait: true
+    backend: authentik
+    host: s{{ server_idx }}
+    fail_on_not_found: true
+- name: Run authentik server container
+  become: true
+  community.docker.docker_container:
+    name: authentik-{{ server_idx }}
+    image: "{{ image }}:{{ tag }}"
+    command: ["server"]
+    networks:
+      - name: authentik
+      - name: postgresql
+      - name: haproxy
+      - name: monitoring
+    user: root
+    volumes:
+      - authentik-media:/media
+      - authentik-templates:/templates
+      - authentik-certs:/certs
+      - /etc/letsencrypt/live/comfycamp.space/fullchain.pem:/certs/comfycamp.space/fullchain.pem:ro
+      - /etc/letsencrypt/live/comfycamp.space/privkey.pem:/certs/comfycamp.space/privkey.pem:ro
+    env_file: /etc/authentik/.env
+    restart_policy: unless-stopped
+    healthcheck:
+      test: ["CMD", "ak", "healthcheck"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 60s
+    # TODO: enable after ansible update
+    # state: healthy
+- name: Enable server in haproxy
+  become: true
+  community.general.haproxy:
+    socket: /run/haproxy/admin.sock
+    state: enabled
+    backend: authentik
+    host: s{{ server_idx }}
+    fail_on_not_found: true