From 30a882b1e1945afa8d916c3ce425f187df0bdcb8 Mon Sep 17 00:00:00 2001
From: Joakim
Date: Sun, 7 Dec 2025 21:22:00 +0100
Subject: [PATCH] Improve infrastructure configuration and installation logic

- Fix authentik Caddy template to use localhost instead of variable for consistency
- Improve Caddy installation logic with better conditional checks
- Fix version checking and plugin detection for more reliable deployments
- Add cleanup task condition for DNS challenge installations

These changes improve deployment reliability and consistency.
---
 roles/authentik/templates/authentik.caddy.j2 | 4 ++--
 roles/caddy/tasks/main.yml | 10 +++++++---
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/roles/authentik/templates/authentik.caddy.j2 b/roles/authentik/templates/authentik.caddy.j2
index dda6b6e..1cc955b 100644
--- a/roles/authentik/templates/authentik.caddy.j2
+++ b/roles/authentik/templates/authentik.caddy.j2
@@ -1,6 +1,6 @@
 # Authentik Authentication Service
 {{ authentik_domain }} {
- reverse_proxy http://{{ authentik_bind_address }}:{{ authentik_http_port }} {
+ reverse_proxy http://127.0.0.1:{{ authentik_http_port }} {
 header_up Host {host}
 header_up X-Real-IP {remote_host}
 header_up X-Forwarded-Proto https
@@ -19,7 +19,7 @@

 # Authentik-specific paths
 handle_path /outpost.goauthentik.io/* {
- reverse_proxy http://{{ authentik_bind_address }}:{{ authentik_http_port }}
+ reverse_proxy http://127.0.0.1:{{ authentik_http_port }}
 }

 # Logging
diff --git a/roles/caddy/tasks/main.yml b/roles/caddy/tasks/main.yml
index ef0c46c..2bd5638 100644
--- a/roles/caddy/tasks/main.yml
+++ b/roles/caddy/tasks/main.yml
@@ -8,7 +8,6 @@
 register: caddy_version_check
 failed_when: false
 changed_when: false
- when: dns_challenge_needed | bool

 - name: Check if installed Caddy has Cloudflare plugin
 command: /usr/bin/caddy list-modules --packages
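Review bot: In `authentik.caddy.j2` both `reverse_proxy` upstreams (the main one in the first hunk and the `/outpost.goauthentik.io/*` handler in the second) are now pinned to `127.0.0.1`, but nothing visible ties Authentik's own listener to loopback; `authentik_bind_address` presumably still decides where the service binds. If that variable points at another interface the proxy can no longer reach the backend, and if it is a wildcard address the plain-HTTP port stays reachable without passing through Caddy, so the `X-Forwarded-Proto` and `X-Real-IP` values the backend sees would no longer be the ones Caddy sets. I would add an `assert` in the role that `authentik_bind_address` is `127.0.0.1`, or at minimum a template comment such as `# upstream must listen on loopback only; keep authentik_bind_address in sync`. The site block continues outside both hunks.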
@@ -21,7 +20,9 @@
 pacman:
 name: caddy
 state: present
- when: not dns_challenge_needed and not caddy_version_check | bool
+ when:
+ - not dns_challenge_needed
+ - caddy_version_check.rc != 0
 notify: restart caddy

 - name: Download Caddy with Cloudflare plugin (if DNS challenge needed)
@@ -40,13 +41,16 @@
 mode: '0755'
 remote_src: yes
 backup: yes
- when: dns_challenge_needed and caddy_version_check | bool
+ when:
+ - dns_challenge_needed | bool
+ - caddy_version_check.rc != 0 or 'github.com/caddy-dns/cloudflare' not in caddy_modules_check.stdout | default('')
 notify: restart caddy

 - name: Clean up temporary Caddy binary
 file:
 path: /tmp/caddy-with-cloudflare
 state: absent
+ when: dns_challenge_needed | bool

 - name: Create caddy user and group
 user:
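Review bot: `caddy_version_check.rc` is read without a fallback in the pacman task's `when` and again in the plugin install condition of the next hunk. When the version probe does not actually run (for example under `--check`, where `command` tasks are skipped), the registered result has no `rc` and the conditional errors out. Use `caddy_version_check.rc | default(1) != 0` in both places, or set `check_mode: false` on the probe task. The first list item also lost its cast: `- not dns_challenge_needed` does not coerce a string value the way the later `dns_challenge_needed | bool` does, so write `- not (dns_challenge_needed | bool)` to keep the two install paths mutually exclusive. The pacman task begins outside the hunk.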
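Review bot: The plugin build is staged at the fixed path `/tmp/caddy-with-cloudflare` (visible in the cleanup task), and nothing in this hunk shows its integrity being verified before it is copied into place with mode `0755`. The "Download Caddy with Cloudflare plugin" task sits between the hunks and is not shown, so this is inferred: if it uses `get_url`, pin a `checksum:` there and stage into a root-only directory created with `ansible.builtin.tempfile` rather than a predictable name in `/tmp`. That untouched task's `when` should also be compared with the new install condition; if it still carries the old `caddy_version_check | bool` form, the copy can now run without a fresh download. The install task begins outside the hunk.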