Fix ensures rolling out a new instances of Authentik works as well (for example during disaster recovery)

2023-09-15 21:22:16 +02:00 · 2023-09-15 21:22:16 +02:00 · d57cde9a8c
commit d57cde9a8c
parent 0e0228f686
6 changed files with 19 additions and 15 deletions
--- a/roles/authentik_docker/tasks/main.yml
+++ b/roles/authentik_docker/tasks/main.yml
@ -39,9 +39,9 @@
  ansible.builtin.file:
    path: "{{ docker_volumes_dir }}/authentik/database"
    state: directory
-    owner: root
+    owner: '70'
    group: root
-    mode: '0750'
+    mode: '0700'

 - name: "Template .env file for Authentik with Docker"
  ansible.builtin.template:
--- a/roles/authentik_docker/templates/authentik-db-docker.service.j2
+++ b/roles/authentik_docker/templates/authentik-db-docker.service.j2
@ -11,7 +11,8 @@ ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.db }} --n
          docker.io/library/postgres:{{ authentik_postgres_version }}
 ExecStop=/usr/bin/docker stop {{ container_names.authentik.db }}
 Restart=always
-RestartSec=15s
+RestartSec=30s
+TimeoutStartSec=30s
 Type=exec

 [Install]
--- a/roles/authentik_docker/templates/authentik-redis-docker.service.j2
+++ b/roles/authentik_docker/templates/authentik-redis-docker.service.j2
@ -5,7 +5,8 @@ Requires=docker.service

 [Service]
 ExecStartPre=-/usr/bin/docker rm --force {{ container_names.authentik.redis }}
-ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.redis }} --network authentik_net \
+ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.redis }} \
+          --network authentik_net --expose 6379 \
          -v {{ docker_volumes_dir }}/authentik/redis:/data \
          docker.io/library/redis:alpine --save 60 1 --loglevel warning
 ExecStop=/usr/bin/docker stop {{ container_names.authentik.redis }}
--- a/roles/authentik_docker/templates/authentik-server-docker.service.j2
+++ b/roles/authentik_docker/templates/authentik-server-docker.service.j2
@ -5,8 +5,8 @@ Requires=docker.service

 [Service]
 ExecStartPre=-/usr/bin/docker rm --force {{ container_names.authentik.server }}
-ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.server }} --network authentik_net \
-          --expose 9000 --expose 9443 \
+ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.server }} \
+          --network authentik_net --publish 127.0.0.1:9000:9000 --publish 127.0.0.1:9443:9443 \
          --env-file {{ docker_volumes_dir }}/authentik/authentik.env \
          -v {{ docker_volumes_dir }}/authentik/media:/media \
          -v {{ docker_volumes_dir }}/authentik/custom-templates:/templates \
--- a/roles/authentik_docker/templates/authentik-worker-docker.service.j2
+++ b/roles/authentik_docker/templates/authentik-worker-docker.service.j2
@ -5,13 +5,14 @@ Requires=docker.service

 [Service]
 ExecStartPre=-/usr/bin/docker rm --force {{ container_names.authentik.worker }}
-ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.worker }} --network authentik_net \
-          --expose 9000 --expose 9443 \
+ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.worker }} --user root \
+          --network authentik_net --expose 9000 --expose 9443 \
          --env-file {{ docker_volumes_dir }}/authentik/authentik.env \
+          -v /var/run/docker.sock:/var/run/docker.sock \
          -v {{ docker_volumes_dir }}/authentik/media:/media \
          -v {{ docker_volumes_dir }}/authentik/certs:/certs \
          -v {{ docker_volumes_dir }}/authentik/custom-templates:/templates \
-          ghcr.io/goauthentik/server:{{ version.authentik }} server worker
+          ghcr.io/goauthentik/server:{{ version.authentik }} worker
 ExecStartPost=/usr/bin/bash -c "/bin/sleep 10 && /usr/bin/docker network connect nginx_net {{ container_names.authentik.worker }}"
 ExecStop=/usr/bin/docker stop {{ container_names.authentik.worker }}
 Restart=always
--- a/roles/authentik_docker/templates/authentik.env.j2
+++ b/roles/authentik_docker/templates/authentik.env.j2
@ -1,13 +1,12 @@
+VIRTUAL_HOST={{ authentik_domain }}
+VIRTUAL_PORT={{ authentik_port_http }}
+LETSENCRYPT_HOST={{ authentik_domain }}
+LETSENCRYPT_EMAIL={{letsencrypt_email }}
 AUTHENTIK_REDIS__HOST="{{ container_names.authentik.redis }}"
 AUTHENTIK_POSTGRESQL__HOST="{{ container_names.authentik.db }}" 
 AUTHENTIK_POSTGRESQL__USER={{ database_vars.postgres.authentik.user }}
 AUTHENTIK_POSTGRESQL__NAME={{ database_vars.postgres.authentik.db }}
 AUTHENTIK_POSTGRESQL__PASSWORD={{ database_vars.postgres.authentik.password }}
-VIRTUAL_HOST={{ authentik_domain }}
-VIRTUAL_PORT={{ authentik_port_http }}
-LETSENCRYPT_HOST={{ authentik_domain }}
-LETSENCRYPT_EMAIL={{letsencrypt_email }}
-#PG_PASS={{ database_vars.postgres.authentik.password }}
 AUTHENTIK_SECRET_KEY={{ authentik_secret }}
 AUTHENTIK_ERROR_REPORTING__ENABLED={{ authentik_error_reporting }}
 # SMTP Host Emails are sent to
@ -28,4 +27,6 @@ AUTHENTIK_PORT_HTTPS={{ authentik_port_https }}
 AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL={{ authentik_allow_users_to_change_email }}
 AUTHENTIK_DEFAULT_USER_CHANGE_NAME={{ authentik_allow_users_to_change_names }}
 AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME={{ authentik_allow_users_to_change_usernames }}
-AUTHENTIK_GEOIP=/dev/null #The docs say this is the way to disable GeoIP...
+POSTGRES_USER={{ database_vars.postgres.authentik.user }}
+POSTGRES_PASSWORD={{ database_vars.postgres.authentik.password }}
+POSTGRES_DB={{ database_vars.postgres.authentik.db }}