Add comprehensive authentik documentation and improve role configuration

- Add authentik-deployment-guide.md: Complete step-by-step deployment guide
- Add architecture-decisions.md: Document native DB vs containerized rationale
- Add authentication-architecture.md: SSO strategy and integration patterns
- Update deployment-guide.md: Integrate authentik deployment procedures
- Update security-hardening.md: Add multi-layer security documentation
- Update service-integration-guide.md: Add authentik integration examples
- Update README.md: Professional project overview with architecture benefits
- Update authentik role: Fix HTTP binding, add security configs, improve templates
- Remove unused authentik task files: containers.yml, networking.yml

Key improvements:
* Document security benefits of native databases over containers
* Document Unix socket IPC architecture advantages
* Provide comprehensive troubleshooting and deployment procedures
* Add forward auth integration patterns for services
* Fix authentik HTTP binding from 127.0.0.1 to 0.0.0.0
* Add shared memory and IPC security configurations

roles/authentik/tasks/main.yml

@@ -2,55 +2,9 @@
 # Authentik Authentication Role - Main Tasks
 # Self-contained deployment with Podman and Unix sockets
 
-- name: Create authentik group
-  group:
-    name: "{{ authentik_group }}"
-    system: true
-
-- name: Create authentik system user
-  user:
-    name: "{{ authentik_user }}"
-    system: true
-    shell: /bin/bash
-    home: "{{ authentik_home }}"
-    create_home: true
-    group: "{{ authentik_group }}"
-
-- name: Create authentik directories
-  file:
-    path: "{{ item }}"
-    state: directory
-    owner: "{{ authentik_user }}"
-    group: "{{ authentik_group }}"
-    mode: '0755'
-  loop:
-    - "{{ authentik_home }}"
-    - "{{ authentik_data_dir }}"
-    - "{{ authentik_media_dir }}"
-    - "{{ authentik_user_quadlet_dir }}"
-    - "{{ authentik_log_dir }}"
-
-
-- name: Enable lingering for authentik user (services persist without login)
-  command: loginctl enable-linger {{ authentik_user }}
-  register: linger_result
-  changed_when: linger_result.rc == 0
-
-
-
-- name: Get authentik user UID and GID for container configuration
-  shell: |
-    echo "uid=$(id -u {{ authentik_user }})"
-    echo "gid=$(id -g {{ authentik_user }})"
-  register: authentik_user_info
-  changed_when: false
-  tags: [setup]
-
-- name: Set authentik UID/GID facts for container templates
-  set_fact:
-    authentik_uid: "{{ authentik_user_info.stdout_lines[0] | regex_replace('uid=', '') }}"
-    authentik_gid: "{{ authentik_user_info.stdout_lines[1] | regex_replace('gid=', '') }}"
-  tags: [setup]
+- name: Setup authentik user and container namespaces
+  include_tasks: user.yml
+  tags: [user, setup]
 
 - name: Setup database access and permissions
   include_tasks: database.yml
@@ -60,6 +14,26 @@
   include_tasks: cache.yml
   tags: [cache, setup]
 
+- name: Pull authentik container image
+  containers.podman.podman_image:
+    name: "{{ authentik_image }}:{{ authentik_version }}"
+    state: present
+  become: true
+  become_user: "{{ authentik_user }}"
+  tags: [containers, image-pull]
+
+- name: Create media directory structure
+  file:
+    path: "{{ authentik_media_dir }}/{{ item }}"
+    state: directory
+    owner: "{{ authentik_user }}"
+    group: "{{ authentik_group }}"
+    mode: '0755'
+  loop:
+    - public
+    - private
+  tags: [setup, media]
+
 - name: Deploy environment configuration
   template:
     src: authentik.env.j2
@@ -154,13 +128,12 @@
 
 - name: Wait for Authentik to be ready
   uri:
-    url: "https://{{ authentik_domain }}/if/health/live/"
+    url: "http://127.0.0.1:{{ authentik_http_port }}/"
     method: GET
-    status_code: [200]
+    status_code: [200, 302]
     timeout: 30
-    validate_certs: true
   retries: 10
-  delay: 30
+  delay: 15
   register: authentik_health_check
   tags: [verification, health-check]