service: fix conditional

roles/authentik/defaults/main.yml

@@ -3,3 +3,5 @@ authentik_tag: latest
 authentik_env: {}
 docker_networks:
   - name: authentik
+
+authentik_additional_mounts: []

roles/authentik/meta/argument_specs.yml

@@ -15,6 +15,42 @@ argument_specs:
         type: dict
         required: false
         default: {}
+      authentik_additional_mounts:
+        description: "List of bind mounts or volumes to be mounted inside the container. Each element is a dict with path and exactly one of name, src or template"
+        type: list
+        required: false
+        default: []
+        elements: dict
+        options:
+          path:
+            description: "The path inside the container to mount at"
+            type: str
+            required: true
+          readonly:
+            description: "If true, volume will be mounted as read only inside the container. Only applies for named and src mounts."
+            type: bool
+            required: false
+            default: false
+          mode:
+            description: "Permissions for the created/templated directory. Defaults to '0644' for files, '0755' for directories. Doesn't apply for named volumes."
+            type: str
+            required: false
+          name:
+            description: "If docker_volume_type is named, the name of the named volume to be mounted at path. If docker_volume_type is bind, the name of the folder to create under /opt/<service>[/suffix]/mounts/ and mount at path."
+            type: str
+            required: false
+          src:
+            description: "Host path to bind mount inside the container."
+            type: str
+            required: false
+          template:
+            description: "Name of template without .j2 extension. Will be templated at /opt/<service>[/suffix]/mounts/<template> and mounted read only inside the container."
+            type: str
+            required: false
+          copypath:
+            description: "Name of file or directory to copy. Will be deployed from files/<copypath> to /opt/<service>[/suffix]/mounts/<copypath> and mounted read only inside the container."
+            type: str
+            required: false
 
       # All options after this will be passed directly to the container role
       docker_service_suffix:

roles/authentik/tasks/main.yml

@@ -4,7 +4,7 @@
     name: service
   vars:
     docker_service: authentik
-    docker_image: "beryju/authentik:{{ authentik_tag }}"
+    docker_image: "ghcr.io/goauthentik/server:{{ authentik_tag }}"
     docker_command:
       - server
     docker_image_http_port: 9000
@@ -12,13 +12,7 @@
     docker_additional_services:
       - redis
     docker_env: "{{ authentik_common_env | combine(authentik_env) }}"
-    docker_mounts:
+    docker_mounts: "{{ _authentik_mounts }}"
-      - path: /media
-        name: "media"
-      - path: /templates
-        name: "templates"
-      - path: /certs
-        name: "certs"
 
 - name: Authentik worker container
   ansible.builtin.include_role:
@@ -26,15 +20,9 @@
   vars:
     docker_namespace: authentik
     docker_service: worker
-    docker_image: "beryju/authentik:{{ authentik_tag }}"
+    docker_image: "ghcr.io/goauthentik/server:{{ authentik_tag }}"
     docker_command:
       - worker
     reverse_proxy_type: none
     docker_env: "{{ authentik_common_env | combine(authentik_env) }}"
-    docker_mounts:
+    docker_mounts: "{{ _authentik_mounts }}"
-      - path: /media
-        name: "media"
-      - path: /templates
-        name: "templates"
-      - path: /certs
-        name: "certs"

roles/authentik/vars/main.yml

@@ -1,4 +1,12 @@
 ---
+_authentik_default_mounts:
+  - path: /media
+    name: "media"
+  - path: /templates
+    name: "templates"
+  - path: /certs
+    name: "certs"
+_authentik_mounts: "{{ _authentik_default_mounts + authentik_additional_mounts }}"
 
 authentik_common_env:
   AUTHENTIK_REDIS__HOST: authentik-redis

roles/authentik_ldap/tasks/main.yaml

@@ -4,7 +4,7 @@
     name: service
   vars:
     docker_service: authentik-ldap
-    docker_image: beryju/authentik-ldap:{{ authentik_ldap_tag }}
+    docker_image: ghcr.io/goauthentik/ldap:{{ authentik_ldap_tag }}
     reverse_proxy_type: none
     docker_env:
       AUTHENTIK_HOST: "{{ authentik_ldap_authentik_address }}"

roles/jitsi/tasks/main.yml

@@ -133,3 +133,13 @@
       - name: meet.jitsi
         aliases:
           - jvb.meet.jitsi
+
+- name: Open ports for jitsi
+  ansible.posix.firewalld:
+    port: "{{ item }}"
+    state: enabled
+    permanent: true
+    immediate: true
+  loop:
+    - 4443/tcp
+    - 10000/udp

roles/prometheus/tasks/main.yml

@@ -9,7 +9,7 @@
     docker_command:
       - "--config.file=/etc/prometheus/prometheus.yml"
       - "--storage.tsdb.path=/prometheus"
-      - "--storage.tsdb.retention={{ prometheus_storage_retention }}"
+      - "--storage.tsdb.retention.time={{ prometheus_storage_retention }}"
       - "--web.console.libraries=/usr/share/prometheus/console_libraries"
       - "--web.console.templates=/usr/share/prometheus/consoles"
     docker_mounts:

roles/service/tasks/image.yml

@@ -68,4 +68,4 @@
     image_user: "{{ container_image.Config.User }}"
   when:
     - not ansible_check_mode
-    - container_image.Config.User | int
+    - container_image.Config.User | int != 0

roles/service/tasks/main.yml

@@ -101,7 +101,7 @@
     image: "{{ container_image.Id if (not ansible_check_mode) or (container_image | length > 0) else docker_image }}"
     user: "{{ docker_user if docker_host_user else omit }}"
     mounts: "{{ docker_mount_definition }}"
-    published_ports: "{{ container_published_ports + _docker_published_ports }}"
+    published_ports: "{{ container_published_ports + docker_published_ports }}"
     labels: "{{ traefik_labels | default(omit) }}"
     env: "{{ docker_env | combine(docker_additional_env) | combine({'TZ': timezone}) }}"
     entrypoint: "{{ docker_entrypoint | default(omit) }}"