Enhance Authentik role in noble cluster setup by adding support for resolving OAuth2 flow, signing key, and scope mapping UUIDs from the worker database, improving API access under 2026+ RBAC. Update README with troubleshooting steps for common OAuth2 provider issues and adjust default variables for better configuration management. Ensure seamless integration with oauth2-proxy by allowing unverified email handling in development environments.

ansible/roles/talos_phase_a/tasks/main.yml

@@ -114,38 +114,12 @@
       apply-config: {{ 'maintenance (--insecure)' if noble_talos_apply_insecure | bool else 'joined (TALOSCONFIG)' }}
       (noble_talos_apply_mode={{ noble_talos_apply_mode | default('auto') }})
 
-- name: Apply machine config to each node (first install — insecure)
-  ansible.builtin.command:
-    argv:
-      - talosctl
-      - apply-config
-      - --insecure
-      - -n
-      - "{{ item.ip }}"
-      - --file
-      - "{{ noble_talos_dir }}/out/{{ item.machine }}"
+- name: Apply machine config to each Talos node (TLS or insecure; per-node CA fallback when joined)
+  ansible.builtin.include_tasks: apply_talos_node_config.yml
   loop: "{{ noble_talos_nodes }}"
   loop_control:
-    label: "{{ item.ip }}"
-  when: noble_talos_apply_insecure | bool
-  changed_when: true
-
-- name: Apply machine config to each node (cluster already has TLS — no insecure)
-  ansible.builtin.command:
-    argv:
-      - talosctl
-      - apply-config
-      - -n
-      - "{{ item.ip }}"
-      - --file
-      - "{{ noble_talos_dir }}/out/{{ item.machine }}"
-  environment:
-    TALOSCONFIG: "{{ noble_talos_dir }}/out/talosconfig"
-  loop: "{{ noble_talos_nodes }}"
-  loop_control:
-    label: "{{ item.ip }}"
-  when: not (noble_talos_apply_insecure | bool)
-  changed_when: true
+    label: "{{ talos_node.ip }}"
+    loop_var: talos_node
 
 # apply-config triggers reboots; apid on :50000 must accept connections before talosctl bootstrap / kubeconfig.
 - name: Wait for Talos machine API (apid) on bootstrap node