init pocketid

ansible/auth.yaml

@@ -4,3 +4,5 @@
   roles:
     - common
     - ldap_client
+    - docker
+    - pocketid

ansible/inventories/production/host_vars/auth.home.jthan.io/vars.yaml

@@ -0,0 +1,3 @@
+pocket_id_encryption_key: "{{ lookup('bitwarden.secrets.lookup', '6a5549a9-0f64-4791-94d1-b43b00254c42') }}"
+pocket_id_version: 2.6.2
+pocket_id_sha256: "348c2cfb6457d31078327c203896c29509d0417982c78bfac185d07859dc5b86"

ansible/roles/pocketid/tasks/main.yaml

@@ -0,0 +1,44 @@
+- name: Create a pocketid group
+  group:
+    name: pocketid
+    state: present
+    gid: 1050 
+
+- name: Create a pocketid user
+  user:
+    name: pocketid
+    uid: 1050
+    group: 1050
+    comment: "pocketid user"
+    shell: /bin/bash
+    state: present
+    create_home: yes
+
+- name: Create pocketid directory
+  file:
+    path: /home/pocketid/pocketid
+    state: directory
+    mode: '0755'
+
+- name: Create encryption key file
+  template:
+    src: pocket_id_encryption_key.j2
+    dest: /home/pocketid/pocketid/pocket_id_encryption_key
+    owner: pocketid
+    group: pocketid
+    mode: '0600'  
+  no_log: true    # Prevents secret from appearing in logs
+
+- name: Create or update docker-compose
+  template:
+    src: templates/docker-compose.yaml.j2
+    dest: /home/pocketid/pocketid/docker-compose.yaml
+    owner: pocketid
+    group: pocketid
+    mode: 0600
+
+- name: Create and start pocketid
+  community.docker.docker_compose_v2:
+    project_src: /home/pocketid/pocketid/pocketid
+    build: always
+  register: output

ansible/roles/pocketid/tasks/templates/docker-compose.yaml.j2

@@ -0,0 +1,21 @@
+secrets:
+  pocket_id_encryption_key:
+    file: ./pocket_id_encryption_key
+services:
+  pocket-id:
+    image: ghcr.io/pocket-id/pocket-id:v{{ pocket_id_version }}
+    restart: unless-stopped
+    env_file: .env
+    ports:
+      - 1411:1411
+    volumes:
+      - "./data:/app/data"
+    # Optional healthcheck
+    healthcheck:
+      test: [ "CMD", "/app/pocket-id", "healthcheck" ]
+      interval: 1m30s
+      timeout: 5s
+      retries: 2
+      start_period: 10s
+    secrets:
+      - pocket_id_encryption_key

ansible/roles/pocketid/tasks/templates/pocket_id_encryption_key.j2

@@ -0,0 +1 @@
+{{ pocket_id_encryption_key }}

ansible/roles/pocketid/tasks/templates/pocketid.env.j2

@@ -0,0 +1,18 @@
+# See the documentation for more information: https://pocket-id.org/docs/configuration/environment-variables
+
+# These variables must be configured for your deployment:
+APP_URL=https://{{ inventory_hostname }}
+
+# Encryption key (choose one method):
+# Method 1: Direct key (simple but less secure)
+# Generate with: openssl rand -base64 32
+# ENCRYPTION_KEY=
+# Method 2: File-based key (recommended)
+# Put the base64 key in a file and point to it here.
+ENCRYPTION_KEY_FILE=/run/secrets/pocket_id_encryption_key
+
+# These variables are optional but recommended to review:
+TRUST_PROXY=false
+MAXMIND_LICENSE_KEY=
+PUID=1050
+PGID=1050