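---
# Authentik Authentication Role - Main Tasks
# Self-contained deployment with Podman (rootless, Quadlet) and Unix sockets.
#
# Flow: create the service account and directories -> grant it access to the
# PostgreSQL / Valkey sockets (database.yml, cache.yml) -> render the secret
# .env and the user-scope Quadlet units -> start the pod as the authentik
# user -> probe the public health endpoint through Caddy.

- name: Create authentik group
  group:
    name: "{{ authentik_group }}"
    system: true

- name: Create authentik system user
  user:
    name: "{{ authentik_user }}"
    system: true
    shell: /bin/bash
    home: "{{ authentik_home }}"
    create_home: true
    group: "{{ authentik_group }}"

# NOTE(review): rootless Podman maps in-container non-root UIDs to the host
# user's subordinate UID range, so the mode of the data/media directories
# interacts with the volume options in the .container units (not part of this
# file). Confirm that mapping before tightening below 0755.
- name: Create authentik directories
  file:
    path: "{{ item }}"
    state: directory
    owner: "{{ authentik_user }}"
    group: "{{ authentik_group }}"
    mode: '0755'
  loop:
    - "{{ authentik_home }}"
    - "{{ authentik_data_dir }}"
    - "{{ authentik_media_dir }}"
    - "{{ authentik_user_quadlet_dir }}"

- name: Get authentik user UID
  getent:
    database: passwd
    key: "{{ authentik_user }}"
  register: authentik_user_info

# getent_passwd[<name>] is [password, uid, gid, gecos, home, shell];
# index 1 is the numeric UID used for XDG_RUNTIME_DIR below.
- name: Set authentik UID variable
  set_fact:
    authentik_uid: "{{ authentik_user_info.ansible_facts.getent_passwd[authentik_user][1] }}"

# systemd records linger state as /var/lib/systemd/linger/<user>. Using that
# file as `creates` makes the task idempotent; the previous
# `changed_when: rc == 0` reported "changed" on every run.
- name: Enable lingering for authentik user (services persist without login)
  command: loginctl enable-linger {{ authentik_user }}
  args:
    creates: "/var/lib/systemd/linger/{{ authentik_user }}"

# logind creates this directory itself once the user session/linger is up;
# pre-creating it lets the user-scope systemd tasks below run in the same play.
- name: Ensure XDG runtime directory exists
  file:
    path: "/run/user/{{ authentik_uid }}"
    state: directory
    owner: "{{ authentik_user }}"
    group: "{{ authentik_group }}"
    mode: '0700'

- name: Setup database access and permissions
  include_tasks: database.yml
  tags: [database, setup]

- name: Setup cache access and permissions
  include_tasks: cache.yml
  tags: [cache, setup]

# .env is rendered with mode 0600, i.e. it is secret material. Two changes
# from the original task:
#   - no `backup: true`: every rotation would otherwise leave the previous
#     secrets behind in timestamped .env.<ts>~ copies next to the live file;
#   - `diff: false`: keeps the rendered contents out of `--diff` output and
#     CI logs (the template module otherwise prints the full file diff).
- name: Deploy environment configuration
  template:
    src: authentik.env.j2
    dest: "{{ authentik_home }}/.env"
    owner: "{{ authentik_user }}"
    group: "{{ authentik_group }}"
    mode: '0600'
  diff: false
  notify:
    - restart authentik pod
    - restart authentik server
    - restart authentik worker
  tags: [config]

# NOTE(review): this uses `authentik_quadlet_dir` while the directory loop
# above creates `authentik_user_quadlet_dir`; confirm in defaults/ that both
# resolve to the same path, or drop one of them.
- name: Create Quadlet systemd directory (user scope)
  file:
    path: "{{ authentik_quadlet_dir }}"
    state: directory
    owner: "{{ authentik_user }}"
    group: "{{ authentik_group }}"
    mode: '0755'

- name: Deploy Quadlet pod and container files (user scope)
  template:
    src: "{{ item.src }}"
    dest: "{{ authentik_quadlet_dir }}/{{ item.dest }}"
    owner: "{{ authentik_user }}"
    group: "{{ authentik_group }}"
    mode: '0644'
  loop:
    - src: 'authentik.pod'
      dest: 'authentik.pod'
    - src: 'authentik-server.container'
      dest: 'authentik-server.container'
    - src: 'authentik-worker.container'
      dest: 'authentik-worker.container'
  become: true
  become_user: "{{ authentik_user }}"
  notify:
    - reload systemd user
    - restart authentik pod
    - restart authentik server
    - restart authentik worker
  tags: [containers, deployment]

# Reverse-proxy vhost; root-owned, readable by the Caddy group only as needed.
- name: Deploy Caddy configuration
  template:
    src: authentik.caddy.j2
    dest: "{{ caddy_sites_enabled_dir }}/authentik.caddy"
    owner: root
    group: "{{ caddy_user }}"
    mode: '0644'
    backup: true
  notify: reload caddy
  tags: [caddy, reverse-proxy]

- name: Ensure system dependencies are running
  systemd:
    name: "{{ item }}"
    state: started
  loop:
    - postgresql
    - valkey
  register: system_deps

- name: Wait for PostgreSQL socket to be ready
  wait_for:
    path: "{{ postgresql_unix_socket_directories }}/.s.PGSQL.{{ postgresql_port }}"
    timeout: 30
  when: postgresql_unix_socket_enabled

- name: Wait for Valkey socket to be ready
  wait_for:
    path: "{{ valkey_unix_socket_path }}"
    timeout: 30
  when: valkey_unix_socket_enabled

# All user-scope systemd calls need XDG_RUNTIME_DIR so the module talks to the
# authentik user's manager rather than the system one.
- name: Reload systemd daemon for Quadlet (user scope)
  systemd:
    daemon_reload: true
    scope: user
  become: true
  become_user: "{{ authentik_user }}"
  environment:
    XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
  tags: [containers, deployment]

- name: Enable and start Authentik pod (user scope)
  systemd:
    name: "authentik-pod"
    enabled: "{{ authentik_service_enabled }}"
    state: "{{ authentik_service_state }}"
    scope: user
    daemon_reload: true
  become: true
  become_user: "{{ authentik_user }}"
  environment:
    XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
  tags: [containers, service]

- name: Enable and start Authentik server (user scope)
  systemd:
    name: "{{ authentik_container_server_name }}"
    enabled: "{{ authentik_service_enabled }}"
    state: "{{ authentik_service_state }}"
    scope: user
    daemon_reload: true
  become: true
  become_user: "{{ authentik_user }}"
  environment:
    XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
  tags: [containers, service]

- name: Enable and start Authentik worker (user scope)
  systemd:
    name: "{{ authentik_container_worker_name }}"
    enabled: "{{ authentik_service_enabled }}"
    state: "{{ authentik_service_state }}"
    scope: user
    daemon_reload: true
  become: true
  become_user: "{{ authentik_user }}"
  environment:
    XDG_RUNTIME_DIR: "/run/user/{{ authentik_uid }}"
  tags: [containers, service]

# `until` is what drives the retry loop; `retries`/`delay` without it are
# ignored on older ansible-core releases, so the original check ran once and
# failed while the pod was still starting. TLS verification stays on: this
# probe goes through Caddy on the public name, so a bad certificate should
# fail the deployment rather than be skipped.
# NOTE(review): confirm `/if/health/live/` is the health path for the deployed
# authentik version, and consider the readiness variant so the probe also
# covers database/cache connectivity, not just process liveness.
- name: Wait for Authentik to be ready
  uri:
    url: "https://{{ authentik_domain }}/if/health/live/"
    method: GET
    status_code: [200]
    timeout: 30
    validate_certs: true
  register: authentik_health_check
  until: authentik_health_check.status | default(0) == 200
  retries: 10
  delay: 30
  tags: [verification, health-check]

- name: Display Authentik deployment status
  debug:
    msg: |
      ✅ Authentik Authentication deployed successfully!
      🌐 Domain: {{ authentik_domain }}
      🗄️ Database: {{ authentik_db_name }} (Unix socket)
      🗄️ Cache: Valkey DB {{ authentik_valkey_db }} (Unix socket)
      🐳 Containers: Pod with server + worker
      🔒 Admin: {{ authentik_default_admin_email }}
      🚀 Ready for SSO configuration!
      📋 Next Steps:
      - Access {{ authentik_domain }} to complete setup
      - Configure applications and providers
      - Set up SSO for services
  tags: [verification]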