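---
# Database setup for Authentik - Self-contained socket permissions
#
# Prepares PostgreSQL for Authentik over the local Unix socket:
#   1. gives the Authentik OS account group access to the socket directory,
#   2. creates the database role, the database, and grants privileges,
#   3. prints a summary.
#
# Variables read: authentik_user, authentik_db_user, authentik_db_password,
# authentik_db_name, postgresql_unix_socket_directories.
#
# NOTE(review): postgresql_unix_socket_directories is used below as a single
# path. The PostgreSQL setting of the same name accepts a comma-separated
# list; confirm this variable always holds exactly one directory.

# NOTE(review): membership in the postgres group grants everything that group
# can reach on this host, not only the socket directory. A dedicated group for
# socket access would be narrower; confirm this is acceptable.
# No `become` on this task; presumably escalation is set at play or role
# level. TODO confirm.
- name: Add authentik user to postgres group for socket access
  user:
    name: "{{ authentik_user }}"
    groups: postgres
    append: true

# Restricts the socket directory to its owner and the postgres group.
# NOTE(review): 0770 shuts out any local account outside the postgres group;
# confirm no other local client connects through this directory.
- name: Ensure authentik can access PostgreSQL socket directory
  file:
    path: "{{ postgresql_unix_socket_directories }}"
    mode: '0770'
    group: postgres
  become: true

# NOTE(review): the result is neither registered nor checked, and the task
# runs as authentik_user before the database role below is created.
# postgresql_ping is understood to report reachability in its return value
# (`is_available`) rather than by failing the task; verify against the
# installed module version and decide whether this should gate the play.
- name: Test PostgreSQL socket connectivity
  postgresql_ping:
    login_unix_socket: "{{ postgresql_unix_socket_directories }}"
    login_user: "{{ authentik_user }}"
  become: true
  become_user: "{{ authentik_user }}"

# Connects as the postgres superuser over the socket to create the role.
- name: Create Authentik database user via socket
  postgresql_user:
    name: "{{ authentik_db_user }}"
    password: "{{ authentik_db_password }}"
    login_unix_socket: "{{ postgresql_unix_socket_directories }}"
    login_user: postgres
  become: true
  become_user: postgres
  # Keeps the templated password out of task output and callback logs,
  # regardless of any masking the module does itself.
  no_log: true

- name: Create Authentik database via socket
  postgresql_db:
    name: "{{ authentik_db_name }}"
    owner: "{{ authentik_db_user }}"
    login_unix_socket: "{{ postgresql_unix_socket_directories }}"
    login_user: postgres
  become: true
  become_user: postgres

# The role is already the database owner (set in the previous task); this
# makes the database-level grant explicit.
- name: Grant Authentik database privileges
  postgresql_privs:
    db: "{{ authentik_db_name }}"
    privs: ALL
    type: database
    role: "{{ authentik_db_user }}"
    login_unix_socket: "{{ postgresql_unix_socket_directories }}"
    login_user: postgres
  become: true
  become_user: postgres

# Summary only: prints names and the socket path, never the password.
- name: Display database setup status
  debug:
    msg: |
      ✅ Authentik database setup complete!
      📊 Database: {{ authentik_db_name }}
      👤 User: {{ authentik_db_user }}
      🔌 Connection: Unix socket ({{ postgresql_unix_socket_directories }})
      🏗️ Ready for Authentik container deployment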