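---
# **.env** is shell `KEY=value` syntax (not YAML). Source it like **noble_velero** does.
#
# Pattern used for every value below:
#   1. "Load"/"Resolve" task: a shell sources .env and prints one variable
#      with `printf '%s'` (no trailing newline, value never used as a format).
#   2. "Apply" task: set_fact copies the trimmed stdout into the Ansible
#      variable, but only when that stdout is non-empty.
#
# Security notes for maintainers:
#   - Sourcing means the file is *executed*, not parsed: any command or
#     command substitution inside .env runs with the privileges of the task
#     user, once per Load/Resolve task. Treat .env as code and keep it
#     writable only by the operator who owns the repository checkout.
#   - The path is passed through the `quote` filter, so the shell receives the
#     same literal path that the stat task checked, even when
#     noble_repo_root contains spaces, quotes, `$` or backticks.
#   - `no_log: true` is set on both the Load and the Apply task so values do
#     not show up in task output. It does not cover Ansible debug output;
#     avoid running this file with debugging enabled on a shared system.
#   - `| trim` strips leading and trailing whitespace from every value,
#     including secrets.
#   - Values come from stdout, so they are templated from strings.
#     NOTE(review): confirm that consumers of the port / TLS / SSL / timeout
#     facts cast them to the type they need.

- name: Stat repository .env for Authentik
  ansible.builtin.stat:
    path: "{{ noble_repo_root }}/.env"
  register: noble_authentik_dotenv_stat
  changed_when: false

- name: Load NOBLE_AUTHENTIK_SECRET_KEY from .env when unset
  ansible.builtin.shell: |
    set -a
    . {{ (noble_repo_root ~ '/.env') | quote }}
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_SECRET_KEY:-}"
  register: noble_authentik_secret_key_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
    - noble_authentik_secret_key | default('') | length == 0
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_SECRET_KEY from .env
  ansible.builtin.set_fact:
    noble_authentik_secret_key: "{{ noble_authentik_secret_key_from_env.stdout | trim }}"
  when:
    - noble_authentik_secret_key_from_env is defined
    - (noble_authentik_secret_key_from_env.stdout | default('') | trim | length) > 0
  no_log: true

- name: Load NOBLE_AUTHENTIK_POSTGRES_PASSWORD from .env when unset
  ansible.builtin.shell: |
    set -a
    . {{ (noble_repo_root ~ '/.env') | quote }}
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_POSTGRES_PASSWORD:-}"
  register: noble_authentik_pg_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
    - noble_authentik_postgresql_password | default('') | length == 0
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_POSTGRES_PASSWORD from .env
  ansible.builtin.set_fact:
    noble_authentik_postgresql_password: "{{ noble_authentik_pg_from_env.stdout | trim }}"
  when:
    - noble_authentik_pg_from_env is defined
    - (noble_authentik_pg_from_env.stdout | default('') | trim | length) > 0
  no_log: true

- name: Load NOBLE_AUTHENTIK_BOOTSTRAP_TOKEN from .env when unset
  ansible.builtin.shell: |
    set -a
    . {{ (noble_repo_root ~ '/.env') | quote }}
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_BOOTSTRAP_TOKEN:-}"
  register: noble_authentik_bt_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
    - noble_authentik_bootstrap_token | default('') | length == 0
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_BOOTSTRAP_TOKEN from .env
  ansible.builtin.set_fact:
    noble_authentik_bootstrap_token: "{{ noble_authentik_bt_from_env.stdout | trim }}"
  when:
    - noble_authentik_bt_from_env is defined
    - (noble_authentik_bt_from_env.stdout | default('') | trim | length) > 0
  no_log: true

- name: Load NOBLE_AUTHENTIK_BOOTSTRAP_EMAIL from .env when unset
  ansible.builtin.shell: |
    set -a
    . {{ (noble_repo_root ~ '/.env') | quote }}
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_BOOTSTRAP_EMAIL:-}"
  register: noble_authentik_be_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
    - noble_authentik_bootstrap_email | default('') | length == 0
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_BOOTSTRAP_EMAIL from .env
  ansible.builtin.set_fact:
    noble_authentik_bootstrap_email: "{{ noble_authentik_be_from_env.stdout | trim }}"
  when:
    - noble_authentik_be_from_env is defined
    - (noble_authentik_be_from_env.stdout | default('') | trim | length) > 0
  no_log: true

- name: Load NOBLE_AUTHENTIK_BOOTSTRAP_PASSWORD from .env when unset
  ansible.builtin.shell: |
    set -a
    . {{ (noble_repo_root ~ '/.env') | quote }}
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_BOOTSTRAP_PASSWORD:-}"
  register: noble_authentik_bp_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
    - noble_authentik_bootstrap_password | default('') | length == 0
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_BOOTSTRAP_PASSWORD from .env
  ansible.builtin.set_fact:
    noble_authentik_bootstrap_password: "{{ noble_authentik_bp_from_env.stdout | trim }}"
  when:
    - noble_authentik_bp_from_env is defined
    - (noble_authentik_bp_from_env.stdout | default('') | trim | length) > 0
  no_log: true

- name: Load NOBLE_AUTHENTIK_CLIENT_SECRET_ARGOCD from .env when unset
  ansible.builtin.shell: |
    set -a
    . {{ (noble_repo_root ~ '/.env') | quote }}
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_CLIENT_SECRET_ARGOCD:-}"
  register: noble_authentik_cs_argo_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
    - noble_authentik_client_secret_argocd | default('') | length == 0
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_CLIENT_SECRET_ARGOCD from .env
  ansible.builtin.set_fact:
    noble_authentik_client_secret_argocd: "{{ noble_authentik_cs_argo_from_env.stdout | trim }}"
  when:
    - noble_authentik_cs_argo_from_env is defined
    - (noble_authentik_cs_argo_from_env.stdout | default('') | trim | length) > 0
  no_log: true

- name: Load NOBLE_AUTHENTIK_CLIENT_SECRET_GRAFANA from .env when unset
  ansible.builtin.shell: |
    set -a
    . {{ (noble_repo_root ~ '/.env') | quote }}
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_CLIENT_SECRET_GRAFANA:-}"
  register: noble_authentik_cs_graf_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
    - noble_authentik_client_secret_grafana | default('') | length == 0
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_CLIENT_SECRET_GRAFANA from .env
  ansible.builtin.set_fact:
    noble_authentik_client_secret_grafana: "{{ noble_authentik_cs_graf_from_env.stdout | trim }}"
  when:
    - noble_authentik_cs_graf_from_env is defined
    - (noble_authentik_cs_graf_from_env.stdout | default('') | trim | length) > 0
  no_log: true

- name: Load NOBLE_AUTHENTIK_CLIENT_SECRET_HEADLAMP from .env when unset
  ansible.builtin.shell: |
    set -a
    . {{ (noble_repo_root ~ '/.env') | quote }}
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_CLIENT_SECRET_HEADLAMP:-}"
  register: noble_authentik_cs_hl_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
    - noble_authentik_client_secret_headlamp | default('') | length == 0
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_CLIENT_SECRET_HEADLAMP from .env
  ansible.builtin.set_fact:
    noble_authentik_client_secret_headlamp: "{{ noble_authentik_cs_hl_from_env.stdout | trim }}"
  when:
    - noble_authentik_cs_hl_from_env is defined
    - (noble_authentik_cs_hl_from_env.stdout | default('') | trim | length) > 0
  no_log: true

- name: Load NOBLE_AUTHENTIK_CLIENT_SECRET_OAUTH2_PROXY from .env when unset
  ansible.builtin.shell: |
    set -a
    . {{ (noble_repo_root ~ '/.env') | quote }}
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_CLIENT_SECRET_OAUTH2_PROXY:-}"
  register: noble_authentik_cs_o2_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
    - noble_authentik_client_secret_oauth2_proxy | default('') | length == 0
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_CLIENT_SECRET_OAUTH2_PROXY from .env
  ansible.builtin.set_fact:
    noble_authentik_client_secret_oauth2_proxy: "{{ noble_authentik_cs_o2_from_env.stdout | trim }}"
  when:
    - noble_authentik_cs_o2_from_env is defined
    - (noble_authentik_cs_o2_from_env.stdout | default('') | trim | length) > 0
  no_log: true

- name: Load NOBLE_AUTHENTIK_OAUTH2_PROXY_COOKIE_SECRET from .env when unset
  ansible.builtin.shell: |
    set -a
    . {{ (noble_repo_root ~ '/.env') | quote }}
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_OAUTH2_PROXY_COOKIE_SECRET:-}"
  register: noble_authentik_cs_cookie_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
    - noble_authentik_oauth2_proxy_cookie_secret | default('') | length == 0
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_OAUTH2_PROXY_COOKIE_SECRET from .env
  ansible.builtin.set_fact:
    noble_authentik_oauth2_proxy_cookie_secret: "{{ noble_authentik_cs_cookie_from_env.stdout | trim }}"
  when:
    - noble_authentik_cs_cookie_from_env is defined
    - (noble_authentik_cs_cookie_from_env.stdout | default('') | trim | length) > 0
  no_log: true

# --- S3 media (reuse Velero endpoint + AWS keys from .env unless Authentik-specific vars are set) ---
# The three "Resolve" tasks print the Authentik-specific variable when it is
# non-empty and otherwise fall back to the Velero variable, so Authentik media
# storage shares the Velero S3 credentials unless an override is provided.

- name: Load NOBLE_AUTHENTIK_MEDIA_S3_BUCKET from .env when unset
  ansible.builtin.shell: |
    set -a
    . {{ (noble_repo_root ~ '/.env') | quote }}
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_MEDIA_S3_BUCKET:-}"
  register: noble_authentik_media_s3_bucket_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
    - noble_authentik_media_s3_bucket | default('') | length == 0
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_MEDIA_S3_BUCKET from .env
  ansible.builtin.set_fact:
    noble_authentik_media_s3_bucket: "{{ noble_authentik_media_s3_bucket_from_env.stdout | trim }}"
  when:
    - noble_authentik_media_s3_bucket_from_env is defined
    - (noble_authentik_media_s3_bucket_from_env.stdout | default('') | trim | length) > 0
  no_log: true

- name: Resolve Authentik S3 endpoint from .env (Authentik-specific URL or Velero S3 URL)
  ansible.builtin.shell: |
    set -a
    . {{ (noble_repo_root ~ '/.env') | quote }}
    set +a
    if [ -n "${NOBLE_AUTHENTIK_S3_URL:-}" ]; then
      printf '%s' "${NOBLE_AUTHENTIK_S3_URL}"
    elif [ -n "${NOBLE_VELERO_S3_URL:-}" ]; then
      printf '%s' "${NOBLE_VELERO_S3_URL}"
    else
      printf ''
    fi
  register: noble_authentik_s3_endpoint_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
    - noble_authentik_s3_endpoint | default('') | length == 0
  changed_when: false
  no_log: true

- name: Apply resolved Authentik S3 endpoint from .env
  ansible.builtin.set_fact:
    noble_authentik_s3_endpoint: "{{ noble_authentik_s3_endpoint_from_env.stdout | trim }}"
  when:
    - noble_authentik_s3_endpoint_from_env is defined
    - (noble_authentik_s3_endpoint_from_env.stdout | default('') | trim | length) > 0
  no_log: true

- name: Resolve Authentik S3 access key from .env (override or Velero AWS key)
  ansible.builtin.shell: |
    set -a
    . {{ (noble_repo_root ~ '/.env') | quote }}
    set +a
    if [ -n "${NOBLE_AUTHENTIK_S3_ACCESS_KEY:-}" ]; then
      printf '%s' "${NOBLE_AUTHENTIK_S3_ACCESS_KEY}"
    elif [ -n "${NOBLE_VELERO_AWS_ACCESS_KEY_ID:-}" ]; then
      printf '%s' "${NOBLE_VELERO_AWS_ACCESS_KEY_ID}"
    else
      printf ''
    fi
  register: noble_authentik_s3_access_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
    - noble_authentik_s3_access_key | default('') | length == 0
  changed_when: false
  no_log: true

- name: Apply resolved Authentik S3 access key from .env
  ansible.builtin.set_fact:
    noble_authentik_s3_access_key: "{{ noble_authentik_s3_access_from_env.stdout | trim }}"
  when:
    - noble_authentik_s3_access_from_env is defined
    - (noble_authentik_s3_access_from_env.stdout | default('') | trim | length) > 0
  no_log: true

- name: Resolve Authentik S3 secret key from .env (override or Velero AWS secret)
  ansible.builtin.shell: |
    set -a
    . {{ (noble_repo_root ~ '/.env') | quote }}
    set +a
    if [ -n "${NOBLE_AUTHENTIK_S3_SECRET_KEY:-}" ]; then
      printf '%s' "${NOBLE_AUTHENTIK_S3_SECRET_KEY}"
    elif [ -n "${NOBLE_VELERO_AWS_SECRET_ACCESS_KEY:-}" ]; then
      printf '%s' "${NOBLE_VELERO_AWS_SECRET_ACCESS_KEY}"
    else
      printf ''
    fi
  register: noble_authentik_s3_secret_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
    - noble_authentik_s3_secret_key | default('') | length == 0
  changed_when: false
  no_log: true

- name: Apply resolved Authentik S3 secret key from .env
  ansible.builtin.set_fact:
    noble_authentik_s3_secret_key: "{{ noble_authentik_s3_secret_from_env.stdout | trim }}"
  when:
    - noble_authentik_s3_secret_from_env is defined
    - (noble_authentik_s3_secret_from_env.stdout | default('') | trim | length) > 0
  no_log: true

# The region and addressing-style Load tasks have no "unset" guard: a non-empty
# value in .env is applied with set_fact even when the Ansible variable
# already has a value.

- name: Load NOBLE_AUTHENTIK_S3_REGION from .env when set
  ansible.builtin.shell: |
    set -a
    . {{ (noble_repo_root ~ '/.env') | quote }}
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_S3_REGION:-}"
  register: noble_authentik_s3_region_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_S3_REGION from .env
  ansible.builtin.set_fact:
    noble_authentik_s3_region: "{{ noble_authentik_s3_region_from_env.stdout | trim }}"
  when:
    - noble_authentik_s3_region_from_env is defined
    - (noble_authentik_s3_region_from_env.stdout | default('') | trim | length) > 0
  no_log: true

- name: Load NOBLE_AUTHENTIK_S3_ADDRESSING_STYLE from .env when set
  ansible.builtin.shell: |
    set -a
    . {{ (noble_repo_root ~ '/.env') | quote }}
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_S3_ADDRESSING_STYLE:-}"
  register: noble_authentik_s3_addr_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_S3_ADDRESSING_STYLE from .env
  ansible.builtin.set_fact:
    noble_authentik_s3_addressing_style: "{{ noble_authentik_s3_addr_from_env.stdout | trim }}"
  when:
    - noble_authentik_s3_addr_from_env is defined
    - (noble_authentik_s3_addr_from_env.stdout | default('') | trim | length) > 0
  no_log: true

# --- Optional SMTP (AUTHENTIK_EMAIL__* via Helm global.env) ---
# Host, from-address, username and password are loaded only when the Ansible
# variable is unset. Port, TLS, SSL and timeout have no "unset" guard, so a
# non-empty .env value is always applied.

- name: Load NOBLE_AUTHENTIK_SMTP_HOST from .env when unset
  ansible.builtin.shell: |
    set -a
    . {{ (noble_repo_root ~ '/.env') | quote }}
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_SMTP_HOST:-}"
  register: noble_authentik_smtp_host_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
    - noble_authentik_smtp_host | default('') | length == 0
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_SMTP_HOST from .env
  ansible.builtin.set_fact:
    noble_authentik_smtp_host: "{{ noble_authentik_smtp_host_from_env.stdout | trim }}"
  when:
    - noble_authentik_smtp_host_from_env is defined
    - (noble_authentik_smtp_host_from_env.stdout | default('') | trim | length) > 0
  no_log: true

- name: Load NOBLE_AUTHENTIK_SMTP_FROM from .env when unset
  ansible.builtin.shell: |
    set -a
    . {{ (noble_repo_root ~ '/.env') | quote }}
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_SMTP_FROM:-}"
  register: noble_authentik_smtp_from_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
    - noble_authentik_smtp_from | default('') | length == 0
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_SMTP_FROM from .env
  ansible.builtin.set_fact:
    noble_authentik_smtp_from: "{{ noble_authentik_smtp_from_from_env.stdout | trim }}"
  when:
    - noble_authentik_smtp_from_from_env is defined
    - (noble_authentik_smtp_from_from_env.stdout | default('') | trim | length) > 0
  no_log: true

- name: Load NOBLE_AUTHENTIK_SMTP_USERNAME from .env when unset
  ansible.builtin.shell: |
    set -a
    . {{ (noble_repo_root ~ '/.env') | quote }}
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_SMTP_USERNAME:-}"
  register: noble_authentik_smtp_username_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
    - noble_authentik_smtp_username | default('') | length == 0
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_SMTP_USERNAME from .env
  ansible.builtin.set_fact:
    noble_authentik_smtp_username: "{{ noble_authentik_smtp_username_from_env.stdout | trim }}"
  when:
    - noble_authentik_smtp_username_from_env is defined
    - (noble_authentik_smtp_username_from_env.stdout | default('') | trim | length) > 0
  no_log: true

- name: Load NOBLE_AUTHENTIK_SMTP_PASSWORD from .env when unset
  ansible.builtin.shell: |
    set -a
    . {{ (noble_repo_root ~ '/.env') | quote }}
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_SMTP_PASSWORD:-}"
  register: noble_authentik_smtp_password_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
    - noble_authentik_smtp_password | default('') | length == 0
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_SMTP_PASSWORD from .env
  ansible.builtin.set_fact:
    noble_authentik_smtp_password: "{{ noble_authentik_smtp_password_from_env.stdout | trim }}"
  when:
    - noble_authentik_smtp_password_from_env is defined
    - (noble_authentik_smtp_password_from_env.stdout | default('') | trim | length) > 0
  no_log: true

- name: Load NOBLE_AUTHENTIK_SMTP_PORT from .env
  ansible.builtin.shell: |
    set -a
    . {{ (noble_repo_root ~ '/.env') | quote }}
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_SMTP_PORT:-}"
  register: noble_authentik_smtp_port_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_SMTP_PORT from .env
  ansible.builtin.set_fact:
    noble_authentik_smtp_port: "{{ noble_authentik_smtp_port_from_env.stdout | trim }}"
  when:
    - noble_authentik_smtp_port_from_env is defined
    - (noble_authentik_smtp_port_from_env.stdout | default('') | trim | length) > 0
  no_log: true

- name: Load NOBLE_AUTHENTIK_SMTP_USE_TLS from .env
  ansible.builtin.shell: |
    set -a
    . {{ (noble_repo_root ~ '/.env') | quote }}
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_SMTP_USE_TLS:-}"
  register: noble_authentik_smtp_use_tls_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_SMTP_USE_TLS from .env
  ansible.builtin.set_fact:
    noble_authentik_smtp_use_tls: "{{ noble_authentik_smtp_use_tls_from_env.stdout | trim }}"
  when:
    - noble_authentik_smtp_use_tls_from_env is defined
    - (noble_authentik_smtp_use_tls_from_env.stdout | default('') | trim | length) > 0
  no_log: true

- name: Load NOBLE_AUTHENTIK_SMTP_USE_SSL from .env
  ansible.builtin.shell: |
    set -a
    . {{ (noble_repo_root ~ '/.env') | quote }}
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_SMTP_USE_SSL:-}"
  register: noble_authentik_smtp_use_ssl_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_SMTP_USE_SSL from .env
  ansible.builtin.set_fact:
    noble_authentik_smtp_use_ssl: "{{ noble_authentik_smtp_use_ssl_from_env.stdout | trim }}"
  when:
    - noble_authentik_smtp_use_ssl_from_env is defined
    - (noble_authentik_smtp_use_ssl_from_env.stdout | default('') | trim | length) > 0
  no_log: true

- name: Load NOBLE_AUTHENTIK_SMTP_TIMEOUT from .env
  ansible.builtin.shell: |
    set -a
    . {{ (noble_repo_root ~ '/.env') | quote }}
    set +a
    printf '%s' "${NOBLE_AUTHENTIK_SMTP_TIMEOUT:-}"
  register: noble_authentik_smtp_timeout_from_env
  when:
    - noble_authentik_dotenv_stat.stat.exists | default(false)
  changed_when: false
  no_log: true

- name: Apply NOBLE_AUTHENTIK_SMTP_TIMEOUT from .env
  ansible.builtin.set_fact:
    noble_authentik_smtp_timeout: "{{ noble_authentik_smtp_timeout_from_env.stdout | trim }}"
  when:
    - noble_authentik_smtp_timeout_from_env is defined
    - (noble_authentik_smtp_timeout_from_env.stdout | default('') | trim | length) > 0
  no_log: true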