---
# Configure Authentik password recovery flow
# This creates a complete recovery flow with email verification and password complexity validation
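- name: Use bootstrap token for API access
  # Expose the bootstrap token under the variable name the later tasks read.
  set_fact:
    authentik_api_token: "{{ client_secrets.authentik_bootstrap_token }}"
  # The value is a credential: keep it out of verbose/callback output.
  no_log: true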
- name: Copy recovery flow creation script to server
  # Stage the helper script on the host; a later task copies it into the
  # container and another removes it again.
  # NOTE(review): fixed path in world-writable /tmp; a per-run path from the
  # tempfile module would avoid collisions with other users — confirm whether
  # that matters on this host.
  copy:
    dest: /tmp/create_recovery_flow.py
    src: create_recovery_flow.py
    mode: "0755"
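- name: Copy recovery flow script into Authentik container
  # No shell features (pipes, globs, variables) are used, so `command` runs the
  # program directly instead of going through a shell.
  command: docker cp /tmp/create_recovery_flow.py authentik-server:/tmp/create_recovery_flow.py
  # Staging a file is not a configuration change worth reporting.
  changed_when: false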
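- name: Create recovery flow via Authentik API
  # argv form: the token and domain reach the script as discrete arguments and
  # never pass through a shell, so quoting or metacharacters in either value
  # cannot change the command that runs.
  command:
    argv:
      - docker
      - exec
      - authentik-server
      - python3
      - /tmp/create_recovery_flow.py
      - "{{ authentik_api_token }}"
      - "{{ authentik_domain }}"
  register: recovery_flow_result
  # The API token is on the command line, so hide this task's result from play
  # output; the registered variable still carries stdout for the parse and
  # debug tasks that follow.
  # NOTE(review): the token is still visible in the process list while the
  # script runs; moving it to an environment variable would need a matching
  # change in create_recovery_flow.py.
  no_log: true
  # Best-effort: a failed script must not abort the play (the debug task below
  # reports the outcome either way).
  failed_when: false
  changed_when: "'Recovery Flow Configuration Complete' in recovery_flow_result.stdout"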
- name: Cleanup recovery flow script from server
  # Remove the staged helper script from the host once it has been copied
  # into the container.
  file:
    state: absent
    path: /tmp/create_recovery_flow.py
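- name: Cleanup recovery flow script from container
  # Plain argument list, no shell features needed: use `command` rather than
  # `shell`.
  command: docker exec authentik-server rm -f /tmp/create_recovery_flow.py
  # Cleanup is best-effort and not a reportable change.
  changed_when: false
  failed_when: false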
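- name: Parse recovery flow result
  # Extract the JSON object the script prints and expose it as `recovery_flow`.
  # Only attempted when the script exited 0 AND its stdout actually contains a
  # `{...}` span; otherwise `from_json` would be fed an empty match and raise
  # during templating. (`.` does not cross newlines even with multiline=True,
  # so the JSON is expected on a single line — TODO confirm against the script.)
  set_fact:
    recovery_flow: "{{ recovery_flow_result.stdout | regex_search('\\{.*\\}', multiline=True) | from_json }}"
  when:
    - recovery_flow_result.rc == 0
    - recovery_flow_result.stdout | default('') | regex_search('\\{.*\\}', multiline=True)
  # NOTE(review): a templating error in the `set_fact` arguments fails the task
  # before `failed_when` is evaluated, so the previous `failed_when: false` did
  # not make this step best-effort; `ignore_errors` does. Downstream tasks test
  # `recovery_flow is defined`, so a skipped or ignored run is handled.
  ignore_errors: true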
- name: Display recovery flow configuration result
  # Human-readable summary of the outcome. The success branch is taken only
  # when the parse task produced `recovery_flow` with `success` true; the
  # fallback branch prints manual steps plus the script's raw stdout.
  # The Jinja control lines live inside the block scalar, so YAML comments
  # cannot be placed between them.
  debug:
    msg: |
      ========================================
      Authentik Password Recovery Flow
      ========================================
      {% if recovery_flow is defined and recovery_flow.success | default(false) %}
      Status: ✓ Configured Successfully
      Recovery Flow UUID: {{ recovery_flow.recovery_flow_uuid }}
      Password Policy UUID: {{ recovery_flow.password_complexity_uuid }}
      Features:
      - Password complexity: 12+ chars, mixed case, digit, symbol
      - Recovery email with 30-minute expiry token
      - Username + password on same login page
      - "Forgot password?" link on login page
      Test Recovery Flow:
      1. Go to: https://{{ authentik_domain }}/if/flow/default-authentication-flow/
      2. Click "Forgot password?" link
      3. Enter username or email
      4. Check email for recovery link (sent via Mailgun)
      5. Set new password (must meet complexity requirements)
      ========================================
      {% else %}
      Status: ⚠ Configuration incomplete or failed
      This is non-critical - recovery flow can be configured manually.
      To configure manually:
      1. Login to https://{{ authentik_domain }}
      2. Go to Admin > Flows & Stages
      3. Create recovery flow with email verification
      Details: {{ recovery_flow_result.stdout | default('No output') }}
      ========================================
      {% endif %}
- name: Set recovery flow status fact
  # Boolean summary for callers: true only if the parsed result exists and
  # reports success; false when the parse step was skipped or failed.
  set_fact:
    recovery_flow_configured: "{{ recovery_flow is defined and recovery_flow.success | default(false) }}"