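---
# Authentik User Management - Service-Specific User Setup
#
# Creates the dedicated system group and user for Authentik, gives the user a
# subordinate UID/GID range, creates its home, config and data directories,
# enables lingering and reloads the user's systemd instance.
# Every authentik_* variable is defined outside this file.

- name: Create authentik group
  group:
    name: "{{ authentik_group }}"
    system: true

- name: Create authentik user
  user:
    name: "{{ authentik_user }}"
    group: "{{ authentik_group }}"
    system: true
    # NOTE(review): an interactive shell on a service account widens what a
    # compromised credential can do; confirm a login shell is required here.
    shell: /bin/bash
    home: "{{ authentik_home }}"
    create_home: true
    comment: "Authentik authentication service"

# The regexp anchors on the user name so that a changed start/size rewrites
# the existing entry. Without it, each change appends a further range and the
# stale one stays delegated to this user. If several lines match, lineinfile
# replaces only the last one.
# NOTE(review): confirm the range does not overlap another user's entry.
- name: Set up subuid for authentik user
  lineinfile:
    path: /etc/subuid
    regexp: "^{{ authentik_user | regex_escape }}:"
    line: "{{ authentik_user }}:{{ authentik_subuid_start }}:{{ authentik_subuid_size }}"
    create: true
    mode: '0644'

# Same replace-in-place behaviour as the subuid task above.
- name: Set up subgid for authentik user
  lineinfile:
    path: /etc/subgid
    regexp: "^{{ authentik_user | regex_escape }}:"
    line: "{{ authentik_user }}:{{ authentik_subgid_start }}:{{ authentik_subgid_size }}"
    create: true
    mode: '0644'

# NOTE(review): mode 0755 leaves every directory below, including data/ and
# media/, readable and traversable by all local users. Whether it can be
# tightened depends on which host UIDs the containers use to reach these
# paths, which this file does not show; verify before changing.
- name: Create authentik directories
  file:
    path: "{{ item }}"
    state: directory
    owner: "{{ authentik_user }}"
    group: "{{ authentik_group }}"
    mode: '0755'
  loop:
    - "{{ authentik_home }}"
    - "{{ authentik_home }}/.config"
    - "{{ authentik_home }}/.config/systemd"
    - "{{ authentik_home }}/.config/systemd/user"
    - "{{ authentik_home }}/.config/containers"
    - "{{ authentik_home }}/.config/containers/systemd"
    - "{{ authentik_home }}/data"
    - "{{ authentik_home }}/media"

# argv passes the user name as a single argument, so the templated value is
# never re-split on whitespace. `creates` skips the task once the linger
# marker file exists.
- name: Enable lingering for authentik user
  command:
    argv:
      - loginctl
      - enable-linger
      - "{{ authentik_user }}"
    creates: "/var/lib/systemd/linger/{{ authentik_user }}"

# Runs as the service user so the reload targets that user's systemd manager.
# NOTE(review): scope: user needs the user's bus to be reachable; if this
# fails with "Failed to connect to bus", XDG_RUNTIME_DIR is probably unset for
# the become session. Confirm whether the play sets it elsewhere.
- name: Initialize user systemd for authentik
  systemd:
    daemon_reload: true
    scope: user
  become: true
  become_user: "{{ authentik_user }}"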