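---
# Authentik Container Deployment - Podman Quadlets
#
# Renders the environment file and the Quadlet unit files into the service
# account's home, reloads that account's user-scope systemd, starts the pod
# and then polls the local HTTP port until Authentik answers.

# Mode 0600 restricts the environment file to the service account.
# NOTE(review): the template is not shown here; the restrictive mode suggests
# it carries credentials, so the rendered result is kept out of task output
# and --diff with no_log. Confirm against authentik.env.j2.
- name: Deploy authentik environment file
  template:
    src: authentik.env.j2
    dest: "{{ authentik_home }}/.config/containers/authentik.env"
    owner: "{{ authentik_user }}"
    group: "{{ authentik_group }}"
    mode: '0600'
  no_log: true
  notify: restart authentik pod

# The Quadlet unit files below are world-readable (0644). Keep secrets in the
# 0600 environment file rather than inlining them into these templates.
- name: Deploy authentik pod quadlet
  template:
    src: authentik.pod.j2
    dest: "{{ authentik_home }}/.config/containers/systemd/{{ authentik_pod_name }}.pod"
    owner: "{{ authentik_user }}"
    group: "{{ authentik_group }}"
    mode: '0644'
  notify:
    - reload user systemd for authentik
    - restart authentik pod

- name: Deploy authentik server container quadlet
  template:
    src: authentik-server.container.j2
    dest: "{{ authentik_home }}/.config/containers/systemd/authentik-server.container"
    owner: "{{ authentik_user }}"
    group: "{{ authentik_group }}"
    mode: '0644'
  notify:
    - reload user systemd for authentik
    - restart authentik pod

- name: Deploy authentik worker container quadlet
  template:
    src: authentik-worker.container.j2
    dest: "{{ authentik_home }}/.config/containers/systemd/authentik-worker.container"
    owner: "{{ authentik_user }}"
    group: "{{ authentik_group }}"
    mode: '0644'
  notify:
    - reload user systemd for authentik
    - restart authentik pod

# Runs unconditionally so the units generated from the Quadlet files exist
# before the pod is enabled below; notified handlers only fire later.
# NOTE(review): scope: user needs a running user manager for the account
# (lingering enabled) - presumably set up elsewhere in the role; confirm.
- name: Reload user systemd to recognize quadlets
  systemd:
    daemon_reload: true
    scope: user
  become: true
  become_user: "{{ authentik_user }}"

# The unit name is the pod file's base name with a "-pod" suffix.
- name: Enable and start authentik pod
  systemd:
    name: "{{ authentik_pod_name }}-pod"
    enabled: "{{ authentik_service_enabled }}"
    state: "{{ authentik_service_state }}"
    scope: user
  become: true
  become_user: "{{ authentik_user }}"

# retries/delay need register + until to poll on every Ansible version; older
# releases ignore retries without until and fail on the first refused
# connection while the containers are still starting.
# The probe only checks that the initial-setup flow responds on loopback.
# Finish initial setup before the port is reachable from untrusted networks.
- name: Wait for Authentik to be ready
  uri:
    url: "http://127.0.0.1:{{ authentik_http_port }}/if/flow/initial-setup/"
    method: GET
    status_code: [200, 302]
  register: authentik_ready
  until: authentik_ready is succeeded
  retries: 30
  delay: 2
  when: authentik_service_state == "started"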