Fix ensures rolling out a new instances of Authentik works as well (for example during disaster recovery)

This commit is contained in:
erebion 2023-09-15 21:22:16 +02:00
parent 0e0228f686
commit d57cde9a8c
6 changed files with 19 additions and 15 deletions


@ -39,9 +39,9 @@
ansible.builtin.file: ansible.builtin.file:
path: "{{ docker_volumes_dir }}/authentik/database" path: "{{ docker_volumes_dir }}/authentik/database"
state: directory state: directory
owner: root owner: '70'
group: root group: root
mode: '0750' mode: '0700'
- name: "Template .env file for Authentik with Docker" - name: "Template .env file for Authentik with Docker"
ansible.builtin.template: ansible.builtin.template:
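Review bot: `owner: '70'` hard-codes the numeric UID of the `postgres` user inside the Alpine flavour of the official Postgres image; the Debian-based tags use a different UID, so if `authentik_postgres_version` ever resolves to one of those, the data directory becomes unwritable and the first rollout — the disaster-recovery case this commit targets — fails at initdb. A comment above the task pinning that assumption, e.g. `# UID 70 = postgres user in docker.io/library/postgres:*-alpine; adjust if the image flavour changes`, or a variable such as `authentik_postgres_uid` would make the coupling visible. Tightening `mode` to `'0700'` is appropriate for a directory holding database files. The task's `- name:` line is above the hunk.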


@ -11,7 +11,8 @@ ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.db }} --n
docker.io/library/postgres:{{ authentik_postgres_version }} docker.io/library/postgres:{{ authentik_postgres_version }}
ExecStop=/usr/bin/docker stop {{ container_names.authentik.db }} ExecStop=/usr/bin/docker stop {{ container_names.authentik.db }}
Restart=always Restart=always
RestartSec=15s RestartSec=30s
TimeoutStartSec=30s
Type=exec Type=exec
[Install] [Install]
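Review bot: `TimeoutStartSec=30s` combined with `Type=exec` only bounds the fork/exec of the `docker run` client, not the time until Postgres accepts connections, so units ordered after this one are not held until the database is ready; if the timeout was meant to give the database time to come up on a fresh host, it does not achieve that. A comment stating what the 30s bounds, e.g. `# Type=exec: the unit counts as started once docker run is exec'd; this does not wait for Postgres readiness`, would stop a later reader from relying on it. `RestartSec=30s` halves the restart rate compared to the previous 15s, which is reasonable for a database. The `ExecStart` command this hunk completes begins above it.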


@ -5,7 +5,8 @@ Requires=docker.service
[Service] [Service]
ExecStartPre=-/usr/bin/docker rm --force {{ container_names.authentik.redis }} ExecStartPre=-/usr/bin/docker rm --force {{ container_names.authentik.redis }}
ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.redis }} --network authentik_net \ ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.redis }} \
--network authentik_net --expose 6379 \
-v {{ docker_volumes_dir }}/authentik/redis:/data \ -v {{ docker_volumes_dir }}/authentik/redis:/data \
docker.io/library/redis:alpine --save 60 1 --loglevel warning docker.io/library/redis:alpine --save 60 1 --loglevel warning
ExecStop=/usr/bin/docker stop {{ container_names.authentik.redis }} ExecStop=/usr/bin/docker stop {{ container_names.authentik.redis }}
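Review bot: `--expose 6379` is informational only — it neither publishes the port to the host nor changes what is reachable, because every container attached to `authentik_net` can already reach Redis on any port; whether the flag has any effect depends on something outside the hunk (a `-P` flag or a tool that reads exposed-port metadata), so a comment should record why it is there, e.g. `# --expose is metadata only; reachability is governed by network membership`. The visible command line also starts Redis without `--requirepass`, so any container that joins `authentik_net` gets unauthenticated access to session and cache data; authentik reads `AUTHENTIK_REDIS__PASSWORD` if that is tightened later. The rest of the `[Service]` section is below the hunk.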


@ -5,8 +5,8 @@ Requires=docker.service
[Service] [Service]
ExecStartPre=-/usr/bin/docker rm --force {{ container_names.authentik.server }} ExecStartPre=-/usr/bin/docker rm --force {{ container_names.authentik.server }}
ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.server }} --network authentik_net \ ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.server }} \
--expose 9000 --expose 9443 \ --network authentik_net --publish 127.0.0.1:9000:9000 --publish 127.0.0.1:9443:9443 \
--env-file {{ docker_volumes_dir }}/authentik/authentik.env \ --env-file {{ docker_volumes_dir }}/authentik/authentik.env \
-v {{ docker_volumes_dir }}/authentik/media:/media \ -v {{ docker_volumes_dir }}/authentik/media:/media \
-v {{ docker_volumes_dir }}/authentik/custom-templates:/templates \ -v {{ docker_volumes_dir }}/authentik/custom-templates:/templates \
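Review bot: `--publish 127.0.0.1:9000:9000 --publish 127.0.0.1:9443:9443` hard-codes both sides of the mapping, while the env template sets `AUTHENTIK_PORT_HTTPS={{ authentik_port_https }}` from a variable; if that variable controls the port authentik listens on, changing it silently breaks this mapping, so the container side should use the same variables — or a comment should state that the variables only affect the proxy-facing side. Binding to loopback keeps the ports off external interfaces, which is the right default; a one-line comment recording why a host publish is needed at all (the container presumably also reaches the proxy over `nginx_net`, as the worker unit does) would stop a later edit from widening it to `0.0.0.0`. The `ExecStart` command continues below the hunk.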


@ -5,13 +5,14 @@ Requires=docker.service
[Service] [Service]
ExecStartPre=-/usr/bin/docker rm --force {{ container_names.authentik.worker }} ExecStartPre=-/usr/bin/docker rm --force {{ container_names.authentik.worker }}
ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.worker }} --network authentik_net \ ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.worker }} --user root \
--expose 9000 --expose 9443 \ --network authentik_net --expose 9000 --expose 9443 \
--env-file {{ docker_volumes_dir }}/authentik/authentik.env \ --env-file {{ docker_volumes_dir }}/authentik/authentik.env \
-v /var/run/docker.sock:/var/run/docker.sock \
-v {{ docker_volumes_dir }}/authentik/media:/media \ -v {{ docker_volumes_dir }}/authentik/media:/media \
-v {{ docker_volumes_dir }}/authentik/certs:/certs \ -v {{ docker_volumes_dir }}/authentik/certs:/certs \
-v {{ docker_volumes_dir }}/authentik/custom-templates:/templates \ -v {{ docker_volumes_dir }}/authentik/custom-templates:/templates \
ghcr.io/goauthentik/server:{{ version.authentik }} server worker ghcr.io/goauthentik/server:{{ version.authentik }} worker
ExecStartPost=/usr/bin/bash -c "/bin/sleep 10 && /usr/bin/docker network connect nginx_net {{ container_names.authentik.worker }}" ExecStartPost=/usr/bin/bash -c "/bin/sleep 10 && /usr/bin/docker network connect nginx_net {{ container_names.authentik.worker }}"
ExecStop=/usr/bin/docker stop {{ container_names.authentik.worker }} ExecStop=/usr/bin/docker stop {{ container_names.authentik.worker }}
Restart=always Restart=always
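Review bot: `-v /var/run/docker.sock:/var/run/docker.sock` together with `--user root` hands the worker container control of the host Docker daemon, which is equivalent to root on the host, so a compromise of the worker becomes a full host compromise. If the socket is only needed for authentik's Docker outpost integration, say so in the unit (`# docker.sock + root: required only for managing outposts via the Docker integration`) and gate both flags behind an Ansible variable so deployments without that integration can omit them; a socket proxy that allows only the container endpoints is a further mitigation. `--expose 9000 --expose 9443` appears vestigial now that the command is `worker`, which does not serve the HTTP ports. The remainder of the unit, including any `[Install]` section, is outside the hunk.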


@ -1,13 +1,12 @@
VIRTUAL_HOST={{ authentik_domain }}
VIRTUAL_PORT={{ authentik_port_http }}
LETSENCRYPT_HOST={{ authentik_domain }}
LETSENCRYPT_EMAIL={{letsencrypt_email }}
AUTHENTIK_REDIS__HOST="{{ container_names.authentik.redis }}" AUTHENTIK_REDIS__HOST="{{ container_names.authentik.redis }}"
AUTHENTIK_POSTGRESQL__HOST="{{ container_names.authentik.db }}" AUTHENTIK_POSTGRESQL__HOST="{{ container_names.authentik.db }}"
AUTHENTIK_POSTGRESQL__USER={{ database_vars.postgres.authentik.user }} AUTHENTIK_POSTGRESQL__USER={{ database_vars.postgres.authentik.user }}
AUTHENTIK_POSTGRESQL__NAME={{ database_vars.postgres.authentik.db }} AUTHENTIK_POSTGRESQL__NAME={{ database_vars.postgres.authentik.db }}
AUTHENTIK_POSTGRESQL__PASSWORD={{ database_vars.postgres.authentik.password }} AUTHENTIK_POSTGRESQL__PASSWORD={{ database_vars.postgres.authentik.password }}
VIRTUAL_HOST={{ authentik_domain }}
VIRTUAL_PORT={{ authentik_port_http }}
LETSENCRYPT_HOST={{ authentik_domain }}
LETSENCRYPT_EMAIL={{letsencrypt_email }}
#PG_PASS={{ database_vars.postgres.authentik.password }}
AUTHENTIK_SECRET_KEY={{ authentik_secret }} AUTHENTIK_SECRET_KEY={{ authentik_secret }}
AUTHENTIK_ERROR_REPORTING__ENABLED={{ authentik_error_reporting }} AUTHENTIK_ERROR_REPORTING__ENABLED={{ authentik_error_reporting }}
# SMTP Host Emails are sent to # SMTP Host Emails are sent to
@ -28,4 +27,6 @@ AUTHENTIK_PORT_HTTPS={{ authentik_port_https }}
AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL={{ authentik_allow_users_to_change_email }} AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL={{ authentik_allow_users_to_change_email }}
AUTHENTIK_DEFAULT_USER_CHANGE_NAME={{ authentik_allow_users_to_change_names }} AUTHENTIK_DEFAULT_USER_CHANGE_NAME={{ authentik_allow_users_to_change_names }}
AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME={{ authentik_allow_users_to_change_usernames }} AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME={{ authentik_allow_users_to_change_usernames }}
AUTHENTIK_GEOIP=/dev/null #The docs say this is the way to disable GeoIP... POSTGRES_USER={{ database_vars.postgres.authentik.user }}
POSTGRES_PASSWORD={{ database_vars.postgres.authentik.password }}
POSTGRES_DB={{ database_vars.postgres.authentik.db }}
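Review bot: The new `POSTGRES_USER`/`POSTGRES_PASSWORD`/`POSTGRES_DB` entries place the database bootstrap credentials in the same file that carries `AUTHENTIK_SECRET_KEY` and the SMTP settings; if this file is what the Postgres unit now passes via `--env-file` (its `ExecStart` is outside this hunk), the database container also receives the application's secret key and mail credentials, and every service reading the file sees every secret. A separate env file holding only the `POSTGRES_*` keys keeps each container's environment to what it needs. The new entries are correctly left unquoted — `docker run --env-file` passes quote characters through verbatim — whereas the `AUTHENTIK_*__HOST` lines above are double-quoted and rely on the consumer stripping the quotes; a comment such as `# values are passed verbatim by --env-file; do not add quotes` would stop someone "fixing" the new lines to match.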