#SPDX-License-Identifier: MIT-0
---
# tasks file for authentik

- name: Create docker compose directory
  file:
    path: "{{ authentik_docker_compose_dir }}"
    state: directory
    mode: '0755'

- name: Create authentik data directory
  file:
    path: "{{ authentik_docker_volume_dir }}/data"
    state: directory
    mode: '0755'

- name: Create authentik certs directory
  file:
    path: "{{ authentik_docker_volume_dir }}/certs"
    state: directory
    mode: '0755'

- name: Create authentik templates directory
  file:
    path: "{{ authentik_docker_volume_dir }}/templates"
    state: directory
    mode: '0755'

- name: Create postgres data directory
  file:
    path: "{{ authentik_docker_volume_dir }}/postgresql"
    state: directory
    mode: '0755'

- name: Create blueprints directory
  file:
    path: "{{ authentik_docker_volume_dir }}/blueprints"
    state: directory
    mode: '0755'

- name: Find existing blueprint files
  find:
    paths: "{{ authentik_docker_volume_dir }}/blueprints"
    patterns: "*.yaml"
  register: existing_blueprints

- name: Build list of expected blueprint files
  set_fact:
    expected_blueprints: >-
      {{
        (authentik_oidc_apps | map(attribute='slug') | map('regex_replace', '^(.*)$', '10-oidc-\1.yaml') | list) +
        (authentik_proxy_apps | map(attribute='slug') | map('regex_replace', '^(.*)$', '20-proxy-\1.yaml') | list) +
        (authentik_proxy_outposts | map(attribute='name') | map('regex_replace', '^(.*)$', '30-outpost-\1.yaml') | list) +
        (authentik_entra_sources | map(attribute='slug') | map('regex_replace', '^(.*)$', '20-source-entra-\1.yaml') | list) +
        ['21-login-sources.yaml'] +
        ((authentik_local_users | length > 0) | ternary(['05-local-users.yaml'], [])) +
        (((authentik_removed_oidc_apps | length > 0) or (authentik_removed_proxy_apps | length > 0) or (authentik_removed_local_users | length > 0)) | ternary(['00-cleanup.yaml'], []))
      }}

- name: Remove stale blueprint files
  file:
    path: "{{ item.path }}"
    state: absent
  loop: "{{ existing_blueprints.files }}"
  when: item.path | basename not in expected_blueprints

- name: Render OIDC blueprints
  ansible.builtin.template:
    src: blueprints/blueprint-oidc-app.yaml.j2
    dest: "{{ authentik_docker_volume_dir }}/blueprints/10-oidc-{{ item.slug }}.yaml"
    mode: "0644"
  loop: "{{ authentik_oidc_apps }}"
  register: oidc_templates

- name: Render Proxy blueprints
  ansible.builtin.template:
    src: blueprints/blueprint-proxy-app.yaml.j2
    dest: "{{ authentik_docker_volume_dir }}/blueprints/20-proxy-{{ item.slug }}.yaml"
    mode: "0644"
  loop: "{{ authentik_proxy_apps }}"
  register: proxy_templates

- name: Render outpost blueprints
  template:
    src: blueprints/outpost-proxy.yaml.j2
    dest: "{{ authentik_docker_volume_dir }}/blueprints/30-outpost-{{ item.name }}.yaml"
    mode: "0644"
  loop: "{{ authentik_proxy_outposts }}"
  register: outpost_bp

- name: Render Entra source blueprints
  ansible.builtin.template:
    src: blueprints/blueprint-source-entra.yaml.j2
    dest: "{{ authentik_docker_volume_dir }}/blueprints/20-source-entra-{{ item.slug }}.yaml"
    mode: "0644"
  loop: "{{ authentik_entra_sources }}"
  register: entra_bp

- name: Render login stage sources blueprint
  ansible.builtin.template:
    src: blueprints/blueprint-login-sources.yaml.j2
    dest: "{{ authentik_docker_volume_dir }}/blueprints/21-login-sources.yaml"
    mode: "0644"
  register: login_bp

- name: Render local users blueprint
  ansible.builtin.template:
    src: blueprints/blueprint-local-users.yaml.j2
    dest: "{{ authentik_docker_volume_dir }}/blueprints/05-local-users.yaml"
    mode: "0644"
  when: authentik_local_users | length > 0
  register: local_users_bp

- name: Render cleanup blueprint
  ansible.builtin.template:
    src: blueprints/blueprint-cleanup.yaml.j2
    dest: "{{ authentik_docker_volume_dir }}/blueprints/00-cleanup.yaml"
    mode: "0644"
  when: (authentik_removed_oidc_apps | length > 0) or (authentik_removed_proxy_apps | length > 0) or (authentik_removed_local_users | length > 0)
  register: cleanup_bp

- name: Create docker-compose file for authentik
  template:
    src: docker-compose.yml.j2
    dest: "{{ authentik_docker_compose_dir }}/docker-compose.yml"
    mode: '0644'

- name: Start authentik containers
  community.docker.docker_compose_v2:
    project_src: "{{ authentik_docker_compose_dir }}"
    state: present
    recreate: >-
      {{
        (
         (oidc_templates is defined and (oidc_templates.results | selectattr('changed') | list | length > 0))
         or (proxy_templates is defined and (proxy_templates.results | selectattr('changed') | list | length > 0))
         or (outpost_bp is defined and (outpost_bp.results | selectattr('changed') | list | length > 0))
         or (entra_bp is defined and (entra_bp.results | selectattr('changed') | list | length > 0))
         or (login_bp is defined and login_bp.changed)
         or (local_users_bp.changed | default(false))
         or (cleanup_bp.changed | default(false))
        ) | ternary('always','auto')
      }}