The HTTPS readiness check was causing deployment timeouts because:
- DNS propagation can take up to 5 minutes
- Let's Encrypt certificate issuance takes 30-60 seconds
- Deployment would timeout waiting for HTTPS to work
This check was unnecessary because:
- Authentik health is already verified via Docker health check
- OIDC provider creation uses internal localhost API (doesn't need HTTPS)
- HTTPS will work automatically once DNS/SSL is ready
Changes:
- Removed uri check for https://{{ authentik_domain }}/
- Removed 60 retries × 15 second delay (15 minute timeout)
- Added informational note about DNS/SSL timing
- Deployment now continues immediately after Docker health check
Result: Deployment completes in ~5 minutes instead of timing out.
DNS and SSL still propagate normally in the background.
Fixes: Deployment timeout issue during fresh builds
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Increase HTTPS readiness check retries from 30 to 60
- Increase delay between retries from 10s to 15s (total max wait: 15 minutes)
- Add failed_when: false to prevent deployment failure
- Display helpful warning if HTTPS not yet accessible
- Continues deployment even if DNS/SSL not ready yet
This resolves timing issues during initial deployment when:
- DNS records are still propagating
- Let's Encrypt certificates are being issued
- Traefik is still configuring routes
Authentik runs internally on HTTP and will be accessible via
HTTPS once DNS/SSL is fully configured.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Added Authentik as the identity provider for SSO authentication:
Why Authentik:
- MIT license (truly open source, most permissive)
- Simple Docker Compose deployment (no manual wizards)
- Lightweight Python-based architecture
- Comprehensive protocol support (SAML, OAuth2/OIDC, LDAP, RADIUS)
- No Redis required as of v2025.10 (all caching in PostgreSQL)
- Active development and strong community
Implementation:
- Created complete Authentik Ansible role
- Docker Compose with server + worker architecture
- PostgreSQL 16 database backend
- Traefik integration with Let's Encrypt SSL
- Bootstrap tasks for initial setup guidance
- Health checks and proper service dependencies
Architecture decisions updated:
- Documented comparison: Authentik vs Zitadel vs Keycloak
- Explained Zitadel removal (FirstInstance bugs)
- Added deployment example and configuration notes
Next steps:
- Update documentation (PROJECT_REFERENCE.md, README.md)
- Create Authentik agent configuration
- Add secrets template
- Test deployment on test server
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
