rick-infra/roles/authentik/tasks/main.yml

---
# Authentik Authentication Role - Main Tasks
# Self-contained deployment with Podman and Unix sockets

- name: Validate infrastructure facts are available
  assert:
    that:
      - postgresql_client_group_gid is defined
      - valkey_client_group_gid is defined
    fail_msg: |
      Required infrastructure facts are not available.
      Ensure PostgreSQL and Valkey roles have run and exported client group GIDs.
  tags: [validation]

- name: Setup authentik user and container namespaces
  include_tasks: user.yml
  tags: [user, setup]

- name: Setup database access and permissions
  include_tasks: database.yml
  tags: [database, setup]

- name: Setup cache access and permissions
  include_tasks: cache.yml
  tags: [cache, setup]

- name: Pull authentik container image
  containers.podman.podman_image:
    name: "{{ authentik_image }}:{{ authentik_version }}"
    state: present
  tags: [containers, image-pull]

- name: Create media directory structure
  file:
    path: "{{ authentik_media_dir }}/{{ item }}"
    state: directory
    owner: "{{ authentik_user }}"
    group: "{{ authentik_group }}"
    mode: '0755'
  loop:
    - public
    - private
  tags: [setup, media]

- name: Deploy environment configuration
  template:
    src: authentik.env.j2
    dest: "{{ authentik_home }}/.env"
    owner: "{{ authentik_user }}"
    group: "{{ authentik_group }}"
    mode: '0600'
    backup: true
  notify:
    - restart authentik pod
    - restart authentik server
    - restart authentik worker
  tags: [config]

- name: Create Quadlet systemd directory (system scope)
  file:
    path: /etc/containers/systemd
    state: directory
    mode: '0755'

- name: Deploy Quadlet pod and container files (system scope)
  template:
    src: "{{ item.src }}"
    dest: "/etc/containers/systemd/{{ item.dest }}"
    mode: '0644'
  loop:
    - { src: 'authentik.pod', dest: 'authentik.pod' }
    - { src: 'authentik-server.container', dest: 'authentik-server.container' }
    - { src: 'authentik-worker.container', dest: 'authentik-worker.container' }
  notify:
    - reload systemd
    - restart authentik pod
    - restart authentik server  
    - restart authentik worker
  tags: [containers, deployment]

- name: Deploy Caddy configuration
  template:
    src: authentik.caddy.j2
    dest: "{{ caddy_sites_enabled_dir }}/authentik.caddy"
    owner: root
    group: "{{ caddy_user }}"
    mode: '0644'
    backup: true
  notify: reload caddy
  tags: [caddy, reverse-proxy]

- name: Ensure system dependencies are running
  systemd:
    name: "{{ item }}"
    state: started
  loop:
    - postgresql
    - valkey
  register: system_deps

- name: Wait for PostgreSQL socket to be ready
  wait_for:
    path: "{{ postgresql_unix_socket_directories }}/.s.PGSQL.{{ postgresql_port }}"
    timeout: 30
  when: postgresql_unix_socket_enabled

- name: Wait for Valkey socket to be ready
  wait_for:
    path: "{{ valkey_unix_socket_path }}"
    timeout: 30
  when: valkey_unix_socket_enabled

- name: Enable and start Authentik pod (system scope)
  systemd:
    name: "authentik-pod"
    enabled: "{{ authentik_service_enabled }}"
    state: "{{ authentik_service_state }}"
    daemon_reload: true
  tags: [containers, service]

- name: Wait for Authentik to be ready
  uri:
    url: "http://127.0.0.1:{{ authentik_http_port }}/"
    method: GET
    status_code: [200, 302]
    timeout: 30
  retries: 10
  delay: 15
  register: authentik_health_check
  tags: [verification, health-check]

- name: Display Authentik deployment status
  debug:
    msg: |
      ✅ Authentik Authentication deployed successfully!
      
      🌐 Domain: {{ authentik_domain }}
      🗄️ Database: {{ authentik_db_name }} (Unix socket)
      🗄️ Cache: Valkey DB {{ authentik_valkey_db }} (Unix socket)
      🐳 Containers: Pod with server + worker
      🔒 Admin: {{ authentik_default_admin_email }}
      
      🚀 Ready for SSO configuration!
      
      📋 Next Steps:
      - Access {{ authentik_domain }} to complete setup
      - Configure applications and providers
      - Set up SSO for services
  tags: [verification]