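---
# playbooks/docker/deploy_authentik_standalone.yml
#
# Deploy Authentik (server, worker, Postgres, Redis) as plain containers on a
# single Docker host and label the server container for Traefik.
#
# Target selection: `hosts:` falls back to 'statler' only so the play parses
# without -e; the first task then requires an explicit `target_host` and
# rejects group-wide scopes, so in practice the play must be invoked with
# `-e "target_host=<host>"` and fails fast otherwise.
#
# Secrets (vault_authentik_secret_key, vault_authentik_postgres_password) are
# expected from the vars_files below and are checked for being decrypted
# before any container is touched.

- name: Deploy Authentik on standalone Docker host
  hosts: "{{ target_host | default('statler') }}"
  become: true
  # No fact gathering: the play only uses inventory variables (ansible_host)
  # and group_vars, which are available without facts.
  gather_facts: false
  vars_files:
    - ../../group_vars/all.yml

  vars:
    # All persistent state lives under one base directory on the host.
    authentik_base_dir: "{{ standalone_authentik_base_dir | default('/mnt/homelab/apps/authentik') }}"
    authentik_db_dir: "{{ authentik_base_dir }}/data/database"
    authentik_redis_dir: "{{ authentik_base_dir }}/data/redis"
    authentik_media_dir: "{{ authentik_base_dir }}/data/media"
    authentik_config_dir: "{{ authentik_base_dir }}/data/config"
    authentik_blueprints_dir: "{{ authentik_base_dir }}/data/blueprints"
    # Single shared network. Postgres and Redis are attached to it as well
    # (see the container tasks), so every container on this network can reach
    # them; presumably this is also the Traefik-facing network, given the
    # router labels below.
    authentik_network: "proxy-net"
    authentik_host_domain: "{{ standalone_authentik_domain | default('sso.castaldifamily.com') }}"
    # Reported in the summary only: the published port below is not bound to
    # this address, so 9000 is exposed on all host interfaces.
    authentik_bind_ip: "{{ ansible_host }}"
    # Comes from group_vars; only echoed in the summary here.
    authentik_redis_addr: "{{ edge_routing.integration.redis_addr }}"

  tasks:
    # Refuse group-wide or wildcard scopes: this play mutates a Docker host,
    # so an accidental run against a whole group must not be possible.
    - name: Assert target_host is explicit and safe
      ansible.builtin.assert:
        that:
          - target_host is defined
          - target_host | length > 0
          - target_host not in ['all', '*', 'ubuntu_lab', 'docker_hosts', 'swarm_hosts']
        fail_msg: >-
          Invalid target_host scope. Use an explicit host, for example:
          -e "target_host=statler"
      run_once: true
      delegate_to: localhost

    # A value still starting with the vault header means the vars file was
    # loaded without a vault password; refuse rather than deploy the
    # encrypted blob as the live secret.
    - name: Assert Authentik secrets are available and decrypted
      ansible.builtin.assert:
        that:
          - vault_authentik_secret_key is defined
          - vault_authentik_secret_key | trim | length > 0
          - vault_authentik_postgres_password is defined
          - vault_authentik_postgres_password | trim | length > 0
          - vault_authentik_secret_key is not search('^\\$ANSIBLE_VAULT;')
          - vault_authentik_postgres_password is not search('^\\$ANSIBLE_VAULT;')
        fail_msg: >-
          Authentik secrets are unavailable or not decrypted.
          Ensure vault credentials are available before deployment.

    # Directories bind-mounted into the Authentik server/worker containers.
    # uid/gid 1000 is presumably the unprivileged user the Authentik image
    # runs as — keep in sync with the pinned image.
    - name: Ensure Authentik app directories exist
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
        owner: "1000"
        group: "1000"
        mode: '0755'
      loop:
        - "{{ authentik_base_dir }}"
        - "{{ authentik_media_dir }}"
        - "{{ authentik_config_dir }}"
        - "{{ authentik_blueprints_dir }}"

    # Data directories for the backing services. No owner is set here; the
    # service images presumably take ownership on first start — confirm.
    - name: Ensure Authentik service data directories exist
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
        mode: '0755'
      loop:
        - "{{ authentik_db_dir }}"
        - "{{ authentik_redis_dir }}"

    - name: Ensure Authentik network exists
      community.docker.docker_network:
        name: "{{ authentik_network }}"
        state: present

    # Floating minor tags plus `pull: always` mean each run may pick up a
    # newer build of Postgres/Redis.
    # NOTE(review): the module result includes the container's config (env),
    # so verbose runs can echo the password; `no_log: true` on this task and
    # on the server/worker tasks below would suppress that output.
    - name: Deploy Authentik Postgres
      community.docker.docker_container:
        name: authentik-postgres
        image: docker.io/library/postgres:16-alpine
        pull: always
        restart_policy: unless-stopped
        state: started
        env:
          TZ: America/New_York
          POSTGRES_DB: authentik
          POSTGRES_USER: authentik
          POSTGRES_PASSWORD: "{{ vault_authentik_postgres_password }}"
        volumes:
          - "{{ authentik_db_dir }}:/var/lib/postgresql/data"
        networks:
          - name: "{{ authentik_network }}"

    # Redis snapshots to /data every 60 s if at least one key changed.
    - name: Deploy Authentik Redis
      community.docker.docker_container:
        name: authentik-redis
        image: redis:7-alpine
        pull: always
        command:
          - --save
          - "60"
          - "1"
          - --loglevel
          - warning
        restart_policy: unless-stopped
        state: started
        volumes:
          - "{{ authentik_redis_dir }}:/data"
        networks:
          - name: "{{ authentik_network }}"

    # The server is reachable two ways: on host port 9000 (all interfaces)
    # and via the Traefik router labels on the shared network.
    - name: Deploy Authentik server with Traefik labels
      community.docker.docker_container:
        name: authentik-server
        image: ghcr.io/goauthentik/server:2025.10.1
        pull: always
        command: ["server"]
        restart_policy: unless-stopped
        state: started
        published_ports:
          - "9000:9000"
        env:
          TZ: America/New_York
          AUTHENTIK_POSTGRESQL__HOST: authentik-postgres
          AUTHENTIK_POSTGRESQL__NAME: authentik
          AUTHENTIK_POSTGRESQL__USER: authentik
          AUTHENTIK_POSTGRESQL__PASSWORD: "{{ vault_authentik_postgres_password }}"
          AUTHENTIK_SECRET_KEY: "{{ vault_authentik_secret_key }}"
          AUTHENTIK_REDIS__HOST: authentik-redis
        volumes:
          - "{{ authentik_media_dir }}:/media"
          - "{{ authentik_config_dir }}:/config"
          - "{{ authentik_blueprints_dir }}:/blueprints/custom:ro"
        networks:
          - name: "{{ authentik_network }}"
        labels:
          traefik.enable: "true"
          traefik.http.routers.authentik.rule: "Host(`{{ authentik_host_domain }}`)"
          traefik.http.routers.authentik.entrypoints: websecure
          traefik.http.routers.authentik.tls: "true"
          traefik.http.routers.authentik.tls.certresolver: cloudflare
          traefik.http.services.authentik.loadbalancer.server.port: "9000"

    # Same image and environment as the server, running the background
    # worker. Not published and not labelled for Traefik.
    - name: Deploy Authentik worker
      community.docker.docker_container:
        name: authentik-worker
        image: ghcr.io/goauthentik/server:2025.10.1
        pull: always
        command: ["worker"]
        restart_policy: unless-stopped
        state: started
        env:
          TZ: America/New_York
          AUTHENTIK_POSTGRESQL__HOST: authentik-postgres
          AUTHENTIK_POSTGRESQL__NAME: authentik
          AUTHENTIK_POSTGRESQL__USER: authentik
          AUTHENTIK_POSTGRESQL__PASSWORD: "{{ vault_authentik_postgres_password }}"
          AUTHENTIK_SECRET_KEY: "{{ vault_authentik_secret_key }}"
          AUTHENTIK_REDIS__HOST: authentik-redis
        volumes:
          - "{{ authentik_media_dir }}:/media"
          - "{{ authentik_config_dir }}:/config"
          # Custom blueprints are discovered by the worker process (per the
          # upstream docs), so the worker needs the same read-only mount the
          # server has; a server-only mount leaves them unapplied.
          - "{{ authentik_blueprints_dir }}:/blueprints/custom:ro"
        networks:
          - name: "{{ authentik_network }}"

    - name: Show deployment summary
      ansible.builtin.debug:
        msg:
          - "Standalone Authentik deployed to {{ inventory_hostname }}"
          - "Base dir: {{ authentik_base_dir }}"
          - "Domain: {{ authentik_host_domain }}"
          - "Traefik-kop Redis: {{ authentik_redis_addr }}"
          - "Bind IP: {{ authentik_bind_ip }}"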