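---
# playbooks/docker/deploy_authentik_standalone.yml
# Deploy Authentik on a standalone Docker host (statler by default).
#
# Review notes (security):
#   - Postgres and Redis are attached only to a dedicated `internal: true`
#     network. Redis runs without authentication, so it must not sit on the
#     shared proxy network where every other proxied container could reach it.
#   - Port 9000 is plain HTTP and is published only so the Traefik host
#     (fed by traefik-kop, see the summary task) can reach the container; it is
#     bound to the inventory address (ansible_host), not 0.0.0.0.
#   - Tasks that pass vault secrets as container env are `no_log` so the values
#     never appear in Ansible output or logs. They remain visible to host root
#     via `docker inspect` / /proc/<pid>/environ — accepted here because host
#     root already runs the vault-decrypted play.
#   - Image tags (16-alpine, 7-alpine, 2025.10.1) are mutable and are re-pulled
#     on every run (`pull: always`). Pin by digest (`image@sha256:...`) once a
#     known-good digest has been recorded.
- name: Deploy Authentik on standalone Docker host
  # NOTE: the first assert below requires target_host to be set explicitly, so
  # the 'statler' default here never produces a successful run on its own.
  hosts: "{{ target_host | default('statler') }}"
  become: true
  gather_facts: false
  vars_files:
    - ../../group_vars/all.yml
  vars:
    authentik_base_dir: "{{ standalone_authentik_base_dir | default('/mnt/homelab/apps/authentik') }}"
    authentik_db_dir: "{{ authentik_base_dir }}/data/database"
    authentik_redis_dir: "{{ authentik_base_dir }}/data/redis"
    authentik_media_dir: "{{ authentik_base_dir }}/data/media"
    authentik_config_dir: "{{ authentik_base_dir }}/data/config"
    authentik_blueprints_dir: "{{ authentik_base_dir }}/data/blueprints"
    # Shared network for Traefik-routed containers (server/worker only).
    authentik_network: "proxy-net"
    # Private network for Postgres/Redis; created with internal: true below.
    authentik_backend_network: "authentik-backend"
    authentik_host_domain: "{{ standalone_authentik_domain | default('sso.castaldifamily.com') }}"
    # Address the plain-HTTP port is published on. gather_facts is off, so
    # this must come from inventory (ansible_host) and must be an IPv4 literal.
    authentik_bind_ip: "{{ ansible_host }}"
    authentik_redis_addr: "{{ edge_routing.integration.redis_addr }}"
  tasks:
    - name: Assert target_host is explicit and safe
      ansible.builtin.assert:
        that:
          - target_host is defined
          - target_host | length > 0
          - target_host not in ['all', '*', 'ubuntu_lab', 'docker_hosts', 'swarm_hosts']
        fail_msg: >-
          Invalid target_host scope. Use an explicit host, for example:
          -e "target_host=statler"
      run_once: true
      delegate_to: localhost

    - name: Assert Authentik secrets are available and decrypted
      ansible.builtin.assert:
        that:
          - vault_authentik_secret_key is defined
          - vault_authentik_secret_key | trim | length > 0
          - vault_authentik_postgres_password is defined
          - vault_authentik_postgres_password | trim | length > 0
          # A value still starting with the vault header was never decrypted
          # and would otherwise be handed to the containers verbatim.
          - vault_authentik_secret_key is not search('^\\$ANSIBLE_VAULT;')
          - vault_authentik_postgres_password is not search('^\\$ANSIBLE_VAULT;')
        fail_msg: >-
          Authentik secrets are unavailable or not decrypted.
          Ensure vault credentials are available before deployment.

    - name: Assert bind IP is an IPv4 literal
      # Docker rejects hostnames in the host part of a published port, and an
      # unset ansible_host would otherwise fail late inside docker_container.
      # IPv4 only; extend the pattern if this host is published on IPv6.
      ansible.builtin.assert:
        that:
          - ansible_host is defined
          - authentik_bind_ip is match('^\\d{1,3}(\\.\\d{1,3}){3}$')
        fail_msg: >-
          authentik_bind_ip must be an IPv4 address. Set ansible_host for this
          host in inventory to the address Traefik should reach it on.

    - name: Ensure Authentik app directories exist
      # Owned by uid/gid 1000, the user the authentik server/worker run as.
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
        owner: "1000"
        group: "1000"
        mode: "0755"
      loop:
        - "{{ authentik_base_dir }}"
        - "{{ authentik_media_dir }}"
        - "{{ authentik_config_dir }}"
        - "{{ authentik_blueprints_dir }}"

    - name: Ensure Authentik service data directories exist
      # Database files and Redis dumps (session data) should not be
      # world-readable on the host. NOTE(review): relies on the official
      # image entrypoints taking ownership of the volume at start — confirm
      # if these images are ever swapped.
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
        mode: "0750"
      loop:
        - "{{ authentik_db_dir }}"
        - "{{ authentik_redis_dir }}"

    - name: Ensure Authentik proxy network exists
      community.docker.docker_network:
        name: "{{ authentik_network }}"
        state: present

    - name: Ensure Authentik backend network exists
      # internal: true — no outbound access and not reachable from the shared
      # proxy network, so only server/worker (attached to both) can reach the
      # database and the unauthenticated Redis.
      community.docker.docker_network:
        name: "{{ authentik_backend_network }}"
        internal: true
        state: present

    - name: Deploy Authentik Postgres
      community.docker.docker_container:
        name: authentik-postgres
        image: docker.io/library/postgres:16-alpine
        pull: always
        restart_policy: unless-stopped
        state: started
        env:
          TZ: America/New_York
          POSTGRES_DB: authentik
          POSTGRES_USER: authentik
          POSTGRES_PASSWORD: "{{ vault_authentik_postgres_password }}"
        volumes:
          - "{{ authentik_db_dir }}:/var/lib/postgresql/data"
        networks:
          - name: "{{ authentik_backend_network }}"
      # Secret in env — keep it out of Ansible output/logs.
      no_log: true

    - name: Deploy Authentik Redis
      # No --requirepass: isolation relies entirely on the internal network.
      community.docker.docker_container:
        name: authentik-redis
        image: docker.io/library/redis:7-alpine
        pull: always
        command:
          - --save
          - "60"
          - "1"
          - --loglevel
          - warning
        restart_policy: unless-stopped
        state: started
        volumes:
          - "{{ authentik_redis_dir }}:/data"
        networks:
          - name: "{{ authentik_backend_network }}"

    - name: Deploy Authentik server with Traefik labels
      community.docker.docker_container:
        name: authentik-server
        image: ghcr.io/goauthentik/server:2025.10.1
        pull: always
        command: ["server"]
        restart_policy: unless-stopped
        state: started
        # Plain HTTP, reachable only on the inventory address. The Traefik
        # router below terminates TLS in front of it; nothing else should
        # connect to this port directly.
        published_ports:
          - "{{ authentik_bind_ip }}:9000:9000"
        env:
          TZ: America/New_York
          AUTHENTIK_POSTGRESQL__HOST: authentik-postgres
          AUTHENTIK_POSTGRESQL__NAME: authentik
          AUTHENTIK_POSTGRESQL__USER: authentik
          AUTHENTIK_POSTGRESQL__PASSWORD: "{{ vault_authentik_postgres_password }}"
          AUTHENTIK_SECRET_KEY: "{{ vault_authentik_secret_key }}"
          AUTHENTIK_REDIS__HOST: authentik-redis
        volumes:
          - "{{ authentik_media_dir }}:/media"
          - "{{ authentik_config_dir }}:/config"
          - "{{ authentik_blueprints_dir }}:/blueprints/custom:ro"
        networks:
          - name: "{{ authentik_network }}"
          - name: "{{ authentik_backend_network }}"
        labels:
          traefik.enable: "true"
          traefik.http.routers.authentik.rule: "Host(`{{ authentik_host_domain }}`)"
          traefik.http.routers.authentik.entrypoints: websecure
          traefik.http.routers.authentik.tls: "true"
          traefik.http.routers.authentik.tls.certresolver: cloudflare
          traefik.http.services.authentik.loadbalancer.server.port: "9000"
      # Secrets in env — keep them out of Ansible output/logs.
      no_log: true

    - name: Deploy Authentik worker
      # Stays on the proxy network as well so it keeps outbound access
      # (the backend network is internal-only).
      community.docker.docker_container:
        name: authentik-worker
        image: ghcr.io/goauthentik/server:2025.10.1
        pull: always
        command: ["worker"]
        restart_policy: unless-stopped
        state: started
        env:
          TZ: America/New_York
          AUTHENTIK_POSTGRESQL__HOST: authentik-postgres
          AUTHENTIK_POSTGRESQL__NAME: authentik
          AUTHENTIK_POSTGRESQL__USER: authentik
          AUTHENTIK_POSTGRESQL__PASSWORD: "{{ vault_authentik_postgres_password }}"
          AUTHENTIK_SECRET_KEY: "{{ vault_authentik_secret_key }}"
          AUTHENTIK_REDIS__HOST: authentik-redis
        volumes:
          - "{{ authentik_media_dir }}:/media"
          - "{{ authentik_config_dir }}:/config"
        networks:
          - name: "{{ authentik_network }}"
          - name: "{{ authentik_backend_network }}"
      # Secrets in env — keep them out of Ansible output/logs.
      no_log: true

    - name: Show deployment summary
      # Prints no secrets; safe to leave unmasked.
      ansible.builtin.debug:
        msg:
          - "Standalone Authentik deployed to {{ inventory_hostname }}"
          - "Base dir: {{ authentik_base_dir }}"
          - "Domain: {{ authentik_host_domain }}"
          - "Traefik-kop Redis: {{ authentik_redis_addr }}"
          - "Bind IP: {{ authentik_bind_ip }}"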