From d57cde9a8c96a3e879ac3eddd179e531a50cd4cf Mon Sep 17 00:00:00 2001 From: erebion Date: Fri, 15 Sep 2023 21:22:16 +0200 Subject: [PATCH] Fix ensures rolling out a new instances of Authentik works as well (for example during disaster recovery) --- roles/authentik_docker/tasks/main.yml | 4 ++-- .../templates/authentik-db-docker.service.j2 | 3 ++- .../templates/authentik-redis-docker.service.j2 | 3 ++- .../templates/authentik-server-docker.service.j2 | 4 ++-- .../templates/authentik-worker-docker.service.j2 | 7 ++++--- roles/authentik_docker/templates/authentik.env.j2 | 13 +++++++------ 6 files changed, 19 insertions(+), 15 deletions(-) diff --git a/roles/authentik_docker/tasks/main.yml b/roles/authentik_docker/tasks/main.yml index adf57eb..b56a18a 100644 --- a/roles/authentik_docker/tasks/main.yml +++ b/roles/authentik_docker/tasks/main.yml @@ -39,9 +39,9 @@ ansible.builtin.file: path: "{{ docker_volumes_dir }}/authentik/database" state: directory - owner: root + owner: '70' group: root - mode: '0750' + mode: '0700' - name: "Template .env file for Authentik with Docker" ansible.builtin.template: diff --git a/roles/authentik_docker/templates/authentik-db-docker.service.j2 b/roles/authentik_docker/templates/authentik-db-docker.service.j2 index f58131a..f4b0b5c 100644 --- a/roles/authentik_docker/templates/authentik-db-docker.service.j2 +++ b/roles/authentik_docker/templates/authentik-db-docker.service.j2 @@ -11,7 +11,8 @@ ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.db }} --n docker.io/library/postgres:{{ authentik_postgres_version }} ExecStop=/usr/bin/docker stop {{ container_names.authentik.db }} Restart=always -RestartSec=15s +RestartSec=30s +TimeoutStartSec=30s Type=exec [Install] diff --git a/roles/authentik_docker/templates/authentik-redis-docker.service.j2 b/roles/authentik_docker/templates/authentik-redis-docker.service.j2 index e8485a5..329513c 100644 --- a/roles/authentik_docker/templates/authentik-redis-docker.service.j2 
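Review bot: `owner: '70'` is a hard-coded uid that matches the postgres user only in the alpine variant of the postgres image; the Debian-based tags create postgres with uid 999, so switching `authentik_postgres_version` to a non-alpine tag would leave the data directory unwritable with the new `0700` mode. A comment on that line would save the next maintainer a round trip, e.g. `# 70 = postgres uid inside the alpine postgres image (Debian-based tags use 999)`, or better, keep the uid in a role variable next to the image tag. The tightening to `mode: '0700'` is the right call for a database directory. The `ansible.builtin.template:` task that renders authentik.env begins on the last line of this hunk and its body is outside the hunk, so I cannot see whether it sets a restrictive `mode:`; since the last hunk puts the database password into that file, it should be root-owned and `0600` or equivalent.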
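Review bot: `TimeoutStartSec=30s` has, as far as I can tell, almost no effect on a `Type=exec` unit: systemd treats the unit as started once the `docker run` binary has been executed, so a slow first start (for instance the image pull during the disaster-recovery rollout this commit targets) is not bounded by it. If the intent is to fail fast when the container cannot come up, that needs a readiness signal (a health check in `ExecStartPost`, or `Type=notify`); if the intent is only to give restarts more room, the `RestartSec=30s` change alone does that. Separating the pull from the start with `ExecStartPre=/usr/bin/docker pull docker.io/library/postgres:{{ authentik_postgres_version }}` would make the first boot on a fresh host more predictable.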
+++ b/roles/authentik_docker/templates/authentik-redis-docker.service.j2 @@ -5,7 +5,8 @@ Requires=docker.service [Service] ExecStartPre=-/usr/bin/docker rm --force {{ container_names.authentik.redis }} -ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.redis }} --network authentik_net \ +ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.redis }} \ + --network authentik_net --expose 6379 \ -v {{ docker_volumes_dir }}/authentik/redis:/data \ docker.io/library/redis:alpine --save 60 1 --loglevel warning ExecStop=/usr/bin/docker stop {{ container_names.authentik.redis }} diff --git a/roles/authentik_docker/templates/authentik-server-docker.service.j2 b/roles/authentik_docker/templates/authentik-server-docker.service.j2 index 0e8643f..c8f67ec 100644 --- a/roles/authentik_docker/templates/authentik-server-docker.service.j2 +++ b/roles/authentik_docker/templates/authentik-server-docker.service.j2 @@ -5,8 +5,8 @@ Requires=docker.service [Service] ExecStartPre=-/usr/bin/docker rm --force {{ container_names.authentik.server }} -ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.server }} --network authentik_net \ - --expose 9000 --expose 9443 \ +ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.server }} \ + --network authentik_net --publish 127.0.0.1:9000:9000 --publish 127.0.0.1:9443:9443 \ --env-file {{ docker_volumes_dir }}/authentik/authentik.env \ -v {{ docker_volumes_dir }}/authentik/media:/media \ -v {{ docker_volumes_dir }}/authentik/custom-templates:/templates \ diff --git a/roles/authentik_docker/templates/authentik-worker-docker.service.j2 b/roles/authentik_docker/templates/authentik-worker-docker.service.j2 index f75439e..dd6ee82 100644 --- a/roles/authentik_docker/templates/authentik-worker-docker.service.j2 +++ b/roles/authentik_docker/templates/authentik-worker-docker.service.j2 
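Review bot: the added `--expose 6379` only records the port in the container's metadata; it neither publishes the port nor changes reachability, and containers on `authentik_net` could already reach redis by name, so this line has no effect on connectivity (presumably it is meant as documentation). If so, a comment above `ExecStart=` such as `# --expose is informational only; redis is reached by container name on authentik_net` would make that explicit. While this unit is being touched: the redis arguments on the next line (`--save 60 1 --loglevel warning`) start the server without any authentication, so everything attached to `authentik_net` gets unauthenticated access; that predates this commit but is worth a follow-up.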
@@ -5,13 +5,14 @@ Requires=docker.service [Service] ExecStartPre=-/usr/bin/docker rm --force {{ container_names.authentik.worker }} -ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.worker }} --network authentik_net \ - --expose 9000 --expose 9443 \ +ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.worker }} --user root \ + --network authentik_net --expose 9000 --expose 9443 \ --env-file {{ docker_volumes_dir }}/authentik/authentik.env \ + -v /var/run/docker.sock:/var/run/docker.sock \ -v {{ docker_volumes_dir }}/authentik/media:/media \ -v {{ docker_volumes_dir }}/authentik/certs:/certs \ -v {{ docker_volumes_dir }}/authentik/custom-templates:/templates \ - ghcr.io/goauthentik/server:{{ version.authentik }} server worker + ghcr.io/goauthentik/server:{{ version.authentik }} worker ExecStartPost=/usr/bin/bash -c "/bin/sleep 10 && /usr/bin/docker network connect nginx_net {{ container_names.authentik.worker }}" ExecStop=/usr/bin/docker stop {{ container_names.authentik.worker }} Restart=always diff --git a/roles/authentik_docker/templates/authentik.env.j2 b/roles/authentik_docker/templates/authentik.env.j2 index d539c12..af6e50a 100644 --- a/roles/authentik_docker/templates/authentik.env.j2 +++ b/roles/authentik_docker/templates/authentik.env.j2 
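Review bot: `-v /var/run/docker.sock:/var/run/docker.sock` together with `--user root` gives the worker full control of the host's Docker daemon, which is equivalent to root on the host, so this hunk makes the worker the most privileged component of the deployment and any compromise of it (or of the secrets in the `authentik.env` it reads) becomes a host compromise. The commit message does not say why this is needed; if it is for authentik's Docker-based outpost deployment, state that in a comment above `ExecStart=`, e.g. `# docker.sock and --user root are needed only for deploying outposts through the Docker integration`, and gate both flags behind a role variable so hosts that do not use the feature stay unprivileged. A socket proxy that forwards only the endpoints the integration needs would narrow the exposure further. The unit also keeps `--expose 9000 --expose 9443`, which serve no purpose on a worker-only container (possibly kept for parity with the server unit), and the `ExecStartPost` below additionally attaches this privileged container to `nginx_net`.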
@@ -1,13 +1,12 @@ +VIRTUAL_HOST={{ authentik_domain }} +VIRTUAL_PORT={{ authentik_port_http }} +LETSENCRYPT_HOST={{ authentik_domain }} +LETSENCRYPT_EMAIL={{letsencrypt_email }} AUTHENTIK_REDIS__HOST="{{ container_names.authentik.redis }}" AUTHENTIK_POSTGRESQL__HOST="{{ container_names.authentik.db }}" AUTHENTIK_POSTGRESQL__USER={{ database_vars.postgres.authentik.user }} AUTHENTIK_POSTGRESQL__NAME={{ database_vars.postgres.authentik.db }} AUTHENTIK_POSTGRESQL__PASSWORD={{ database_vars.postgres.authentik.password }} -VIRTUAL_HOST={{ authentik_domain }} -VIRTUAL_PORT={{ authentik_port_http }} -LETSENCRYPT_HOST={{ authentik_domain }} -LETSENCRYPT_EMAIL={{letsencrypt_email }} -#PG_PASS={{ database_vars.postgres.authentik.password }} AUTHENTIK_SECRET_KEY={{ authentik_secret }} AUTHENTIK_ERROR_REPORTING__ENABLED={{ authentik_error_reporting }} # SMTP Host Emails are sent to @@ -28,4 +27,6 @@ AUTHENTIK_PORT_HTTPS={{ authentik_port_https }} AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL={{ authentik_allow_users_to_change_email }} AUTHENTIK_DEFAULT_USER_CHANGE_NAME={{ authentik_allow_users_to_change_names }} AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME={{ authentik_allow_users_to_change_usernames }} -AUTHENTIK_GEOIP=/dev/null #The docs say this is the way to disable GeoIP... +POSTGRES_USER={{ database_vars.postgres.authentik.user }} +POSTGRES_PASSWORD={{ database_vars.postgres.authentik.password }} +POSTGRES_DB={{ database_vars.postgres.authentik.db }}
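Review bot: the moved `LETSENCRYPT_EMAIL={{letsencrypt_email }}` line keeps an inconsistent Jinja delimiter (no space after `{{`); since the commit rewrites the line anyway, make it `LETSENCRYPT_EMAIL={{ letsencrypt_email }}` to match every other expression in the file. Separately, `AUTHENTIK_REDIS__HOST="…"` and `AUTHENTIK_POSTGRESQL__HOST="…"` are the only values wrapped in double quotes; the server and worker units pass this file through `docker run --env-file`, which does not strip quotes, so the quotes become part of the values unless authentik tolerates them (these are context lines, but they sit in this hunk). Dropping the quotes keeps the file uniform and removes the question.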
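Review bot: adding `POSTGRES_PASSWORD` to `authentik.env` places the PostgreSQL superuser credential in a file that the server and worker units also pass with `--env-file`, so every authentik container — including the worker that now holds the Docker socket — receives the database bootstrap secret in its environment, where `docker inspect` and `/proc/<pid>/environ` expose it. The postgres image needs these three variables only for first-time initialisation, so a db-only env file (for example `authentik-db.env`, read solely by the db unit, whose `--env-file` line is outside the visible hunks) would keep the credential to one container and also prevent `POSTGRES_USER` and `AUTHENTIK_POSTGRESQL__USER` from drifting apart. The dropped `AUTHENTIK_GEOIP=/dev/null #The docs say…` line carried its trailing comment inside the value under `--env-file` semantics, so removing it is an improvement, but the commit message should say whether GeoIP is now left at authentik's default.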