---
# Bootstrap tasks for initial Authentik configuration

- name: Wait for Authentik to be fully ready
  uri:
    url: "https://{{ authentik_domain }}/"
    validate_certs: yes
    status_code: [200, 302]
  register: authentik_ready
  until: authentik_ready.status in [200, 302]
  retries: 60
  delay: 15
  failed_when: false

- name: Display warning if HTTPS access not yet available
  debug:
    msg: |
      ⚠ WARNING: Authentik not yet accessible via HTTPS

      This is normal during initial deployment when:
      - DNS records are still propagating
      - Let's Encrypt certificates are being issued
      - Traefik is still configuring routes

      Authentik is running internally and will be accessible soon.
      The deployment will continue with internal checks.
  when: authentik_ready.status not in [200, 302]

- name: Display bootstrap status
  debug:
    msg: |
      ========================================
      Authentik is running!
      ========================================

      URL: https://{{ authentik_domain }}

      Bootstrap Configuration:
      ✓ Admin user 'akadmin' automatically created
      ✓ Password: (stored in secrets file)
      ✓ API token: (stored in secrets file)

      The admin account and API token are automatically configured
      via AUTHENTIK_BOOTSTRAP_* environment variables.

      Documentation: https://docs.goauthentik.io