---
# **.env** is shell `KEY=value` syntax (not YAML). Source it like **noble_velero** does.
- name: Stat repository .env for Authentik
  ansible.builtin.stat:
    path: "{{ noble_repo_root }}/.env"
  register: noble_authentik_dotenv_stat
  changed_when: false

- name: Load NOBLE_AUTHENTIK_SECRET_KEY from .env when unset
  ansible.builtin.shell: |
    set -a
    . "{{ noble_repo_root }}/.env"
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_SECRET_KEY:-}"
  register: noble_authentik_secret_key_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
    - noble_authentik_secret_key | default('') | length == 0
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_SECRET_KEY from .env
  ansible.builtin.set_fact:
    noble_authentik_secret_key: "{{ noble_authentik_secret_key_from_env.stdout | trim }}"
  when:
    - noble_authentik_secret_key_from_env is defined
    - (noble_authentik_secret_key_from_env.stdout | default('') | trim | length) > 0
  no_log: true

- name: Load NOBLE_AUTHENTIK_POSTGRES_PASSWORD from .env when unset
  ansible.builtin.shell: |
    set -a
    . "{{ noble_repo_root }}/.env"
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_POSTGRES_PASSWORD:-}"
  register: noble_authentik_pg_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
    - noble_authentik_postgresql_password | default('') | length == 0
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_POSTGRES_PASSWORD from .env
  ansible.builtin.set_fact:
    noble_authentik_postgresql_password: "{{ noble_authentik_pg_from_env.stdout | trim }}"
  when:
    - noble_authentik_pg_from_env is defined
    - (noble_authentik_pg_from_env.stdout | default('') | trim | length) > 0
  no_log: true

- name: Load NOBLE_AUTHENTIK_BOOTSTRAP_TOKEN from .env when unset
  ansible.builtin.shell: |
    set -a
    . "{{ noble_repo_root }}/.env"
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_BOOTSTRAP_TOKEN:-}"
  register: noble_authentik_bt_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
    - noble_authentik_bootstrap_token | default('') | length == 0
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_BOOTSTRAP_TOKEN from .env
  ansible.builtin.set_fact:
    noble_authentik_bootstrap_token: "{{ noble_authentik_bt_from_env.stdout | trim }}"
  when:
    - noble_authentik_bt_from_env is defined
    - (noble_authentik_bt_from_env.stdout | default('') | trim | length) > 0
  no_log: true

- name: Load NOBLE_AUTHENTIK_BOOTSTRAP_EMAIL from .env when unset
  ansible.builtin.shell: |
    set -a
    . "{{ noble_repo_root }}/.env"
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_BOOTSTRAP_EMAIL:-}"
  register: noble_authentik_be_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
    - noble_authentik_bootstrap_email | default('') | length == 0
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_BOOTSTRAP_EMAIL from .env
  ansible.builtin.set_fact:
    noble_authentik_bootstrap_email: "{{ noble_authentik_be_from_env.stdout | trim }}"
  when:
    - noble_authentik_be_from_env is defined
    - (noble_authentik_be_from_env.stdout | default('') | trim | length) > 0
  no_log: true

- name: Load NOBLE_AUTHENTIK_BOOTSTRAP_PASSWORD from .env when unset
  ansible.builtin.shell: |
    set -a
    . "{{ noble_repo_root }}/.env"
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_BOOTSTRAP_PASSWORD:-}"
  register: noble_authentik_bp_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
    - noble_authentik_bootstrap_password | default('') | length == 0
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_BOOTSTRAP_PASSWORD from .env
  ansible.builtin.set_fact:
    noble_authentik_bootstrap_password: "{{ noble_authentik_bp_from_env.stdout | trim }}"
  when:
    - noble_authentik_bp_from_env is defined
    - (noble_authentik_bp_from_env.stdout | default('') | trim | length) > 0
  no_log: true

- name: Load NOBLE_AUTHENTIK_CLIENT_SECRET_ARGOCD from .env when unset
  ansible.builtin.shell: |
    set -a
    . "{{ noble_repo_root }}/.env"
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_CLIENT_SECRET_ARGOCD:-}"
  register: noble_authentik_cs_argo_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
    - noble_authentik_client_secret_argocd | default('') | length == 0
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_CLIENT_SECRET_ARGOCD from .env
  ansible.builtin.set_fact:
    noble_authentik_client_secret_argocd: "{{ noble_authentik_cs_argo_from_env.stdout | trim }}"
  when:
    - noble_authentik_cs_argo_from_env is defined
    - (noble_authentik_cs_argo_from_env.stdout | default('') | trim | length) > 0
  no_log: true

- name: Load NOBLE_AUTHENTIK_CLIENT_SECRET_GRAFANA from .env when unset
  ansible.builtin.shell: |
    set -a
    . "{{ noble_repo_root }}/.env"
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_CLIENT_SECRET_GRAFANA:-}"
  register: noble_authentik_cs_graf_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
    - noble_authentik_client_secret_grafana | default('') | length == 0
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_CLIENT_SECRET_GRAFANA from .env
  ansible.builtin.set_fact:
    noble_authentik_client_secret_grafana: "{{ noble_authentik_cs_graf_from_env.stdout | trim }}"
  when:
    - noble_authentik_cs_graf_from_env is defined
    - (noble_authentik_cs_graf_from_env.stdout | default('') | trim | length) > 0
  no_log: true

- name: Load NOBLE_AUTHENTIK_CLIENT_SECRET_HEADLAMP from .env when unset
  ansible.builtin.shell: |
    set -a
    . "{{ noble_repo_root }}/.env"
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_CLIENT_SECRET_HEADLAMP:-}"
  register: noble_authentik_cs_hl_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
    - noble_authentik_client_secret_headlamp | default('') | length == 0
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_CLIENT_SECRET_HEADLAMP from .env
  ansible.builtin.set_fact:
    noble_authentik_client_secret_headlamp: "{{ noble_authentik_cs_hl_from_env.stdout | trim }}"
  when:
    - noble_authentik_cs_hl_from_env is defined
    - (noble_authentik_cs_hl_from_env.stdout | default('') | trim | length) > 0
  no_log: true

- name: Load NOBLE_AUTHENTIK_CLIENT_SECRET_OAUTH2_PROXY from .env when unset
  ansible.builtin.shell: |
    set -a
    . "{{ noble_repo_root }}/.env"
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_CLIENT_SECRET_OAUTH2_PROXY:-}"
  register: noble_authentik_cs_o2_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
    - noble_authentik_client_secret_oauth2_proxy | default('') | length == 0
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_CLIENT_SECRET_OAUTH2_PROXY from .env
  ansible.builtin.set_fact:
    noble_authentik_client_secret_oauth2_proxy: "{{ noble_authentik_cs_o2_from_env.stdout | trim }}"
  when:
    - noble_authentik_cs_o2_from_env is defined
    - (noble_authentik_cs_o2_from_env.stdout | default('') | trim | length) > 0
  no_log: true

- name: Load NOBLE_AUTHENTIK_OAUTH2_PROXY_COOKIE_SECRET from .env when unset
  ansible.builtin.shell: |
    set -a
    . "{{ noble_repo_root }}/.env"
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_OAUTH2_PROXY_COOKIE_SECRET:-}"
  register: noble_authentik_cs_cookie_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
    - noble_authentik_oauth2_proxy_cookie_secret | default('') | length == 0
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_OAUTH2_PROXY_COOKIE_SECRET from .env
  ansible.builtin.set_fact:
    noble_authentik_oauth2_proxy_cookie_secret: "{{ noble_authentik_cs_cookie_from_env.stdout | trim }}"
  when:
    - noble_authentik_cs_cookie_from_env is defined
    - (noble_authentik_cs_cookie_from_env.stdout | default('') | trim | length) > 0
  no_log: true