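---
# Authentik Authentication Role - Main Tasks
# Self-contained deployment with Podman and Unix sockets.
#
# Flow: assert the facts exported by the PostgreSQL/Valkey roles, include the
# user/database/cache setup, pull the image, lay down the env file and Quadlet
# units, make sure the dependency sockets exist, then start the pod and probe it.

- name: Validate infrastructure facts are available
  assert:
    that:
      - postgresql_client_group_gid is defined
      - valkey_client_group_gid is defined
    fail_msg: |
      Required infrastructure facts are not available.
      Ensure PostgreSQL and Valkey roles have run and exported client group GIDs.
  tags: [validation]

- name: Setup authentik user and container namespaces
  include_tasks: user.yml
  tags: [user, setup]

- name: Setup database access and permissions
  include_tasks: database.yml
  tags: [database, setup]

- name: Setup cache access and permissions
  include_tasks: cache.yml
  tags: [cache, setup]

# Supply-chain note: the image is pulled by mutable tag. Pin authentik_version to
# an explicit release (never "latest") so re-runs are reproducible; a
# digest-pinned reference is stronger still if the Quadlet templates support it.
- name: Pull authentik container image
  containers.podman.podman_image:
    name: "{{ authentik_image }}:{{ authentik_version }}"
    state: present
  tags: [containers, image-pull]

# NOTE(review): both media directories are world-readable (0755). If nothing on
# the host besides the container (running as authentik_user) needs to read
# "private", 0750 would be the tighter choice — confirm against the Quadlet
# volume mapping before changing it.
- name: Create media directory structure
  file:
    path: "{{ authentik_media_dir }}/{{ item }}"
    state: directory
    owner: "{{ authentik_user }}"
    group: "{{ authentik_group }}"
    mode: '0755'
  loop:
    - public
    - private
  tags: [setup, media]

# The env file carries the secret key and database/cache credentials, hence
# 0600 and owned by the service user. `backup: true` leaves a timestamped copy
# of the previous secrets next to it (same mode); keep that in mind when
# rotating secrets, or drop the backup if old values must not persist.
- name: Deploy environment configuration
  template:
    src: authentik.env.j2
    dest: "{{ authentik_home }}/.env"
    owner: "{{ authentik_user }}"
    group: "{{ authentik_group }}"
    mode: '0600'
    backup: true
  notify:
    - restart authentik pod
    - restart authentik server
    - restart authentik worker
  tags: [config]

# Tagged like the template task below: the template module does not create
# parent directories, so a `--tags containers` run on a fresh host must still
# create this directory first.
- name: Create Quadlet systemd directory (system scope)
  file:
    path: /etc/containers/systemd
    state: directory
    owner: root
    group: root
    mode: '0755'
  tags: [containers, deployment]

# Quadlet units are read by systemd as root; keep them root-owned so the
# service user cannot alter the unit definitions it runs under.
- name: Deploy Quadlet pod and container files (system scope)
  template:
    src: "{{ item.src }}"
    dest: "/etc/containers/systemd/{{ item.dest }}"
    owner: root
    group: root
    mode: '0644'
  loop:
    - { src: 'authentik.pod', dest: 'authentik.pod' }
    - { src: 'authentik-server.container', dest: 'authentik-server.container' }
    - { src: 'authentik-worker.container', dest: 'authentik-worker.container' }
  notify:
    - reload systemd
    - restart authentik pod
    - restart authentik server
    - restart authentik worker
  tags: [containers, deployment]

- name: Deploy Caddy configuration
  template:
    src: authentik.caddy.j2
    dest: "{{ caddy_sites_enabled_dir }}/authentik.caddy"
    owner: root
    group: "{{ caddy_user }}"
    mode: '0644'
    backup: true
  notify: reload caddy
  tags: [caddy, reverse-proxy]

# Dependency checks share the service tags so a `--tags service` run still
# waits for the sockets before the pod is started.
- name: Ensure system dependencies are running
  systemd:
    name: "{{ item }}"
    state: started
  loop:
    - postgresql
    - valkey
  register: system_deps
  tags: [containers, service]

- name: Wait for PostgreSQL socket to be ready
  wait_for:
    path: "{{ postgresql_unix_socket_directories }}/.s.PGSQL.{{ postgresql_port }}"
    timeout: 30
  when: postgresql_unix_socket_enabled
  tags: [containers, service]

- name: Wait for Valkey socket to be ready
  wait_for:
    path: "{{ valkey_unix_socket_path }}"
    timeout: 30
  when: valkey_unix_socket_enabled
  tags: [containers, service]

- name: Enable and start Authentik pod (system scope)
  systemd:
    name: "authentik-pod"
    enabled: "{{ authentik_service_enabled }}"
    state: "{{ authentik_service_state }}"
    daemon_reload: true
  tags: [containers, service]

# `retries`/`delay` only take effect together with `until`; without it Ansible
# forces retries to 1, so the first refused connection failed the play while
# the server was still starting. Probe the loopback port only (not the public
# domain) so the check does not depend on Caddy or DNS.
- name: Wait for Authentik to be ready
  uri:
    url: "http://127.0.0.1:{{ authentik_http_port }}/"
    method: GET
    status_code: [200, 302]
    timeout: 30
  register: authentik_health_check
  until: authentik_health_check.status in [200, 302]
  retries: 10
  delay: 15
  tags: [verification, health-check]

- name: Display Authentik deployment status
  debug:
    msg: |
      ✅ Authentik Authentication deployed successfully!
      🌐 Domain: {{ authentik_domain }}
      🗄️ Database: {{ authentik_db_name }} (Unix socket)
      🗄️ Cache: Valkey DB {{ authentik_valkey_db }} (Unix socket)
      🐳 Containers: Pod with server + worker
      🔒 Admin: {{ authentik_default_admin_email }}
      🚀 Ready for SSO configuration!

      📋 Next Steps:
      - Access {{ authentik_domain }} to complete setup
      - Configure applications and providers
      - Set up SSO for services
  tags: [verification]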