Post-Tyranny-Tech-Infrastru.../ansible/playbooks/update-enrollment-flow.yml

---
# Update enrollment flow blueprint on running Authentik instance
- name: Update enrollment flow blueprint
  hosts: all
  gather_facts: no
  become: yes

  vars:
    authentik_api_token: "ak_DtA2LG1Z9shl-tw9r0cs34B1G9l8Lpz76GxLf-4OBiUWbiHbAVJ04GYLcZ30"
    client_domain: "dev.vrije.cloud"

  tasks:

    - name: Create blueprints directory
      file:
        path: /opt/config/authentik/blueprints
        state: directory
        mode: '0755'

    - name: Copy enrollment flow blueprint
      copy:
        src: ../roles/authentik/files/enrollment-flow.yaml
        dest: /opt/config/authentik/blueprints/enrollment-flow.yaml
        mode: '0644'
      register: blueprint_copied

    - name: Copy blueprint into authentik-worker container
      shell: |
        docker cp /opt/config/authentik/blueprints/enrollment-flow.yaml authentik-worker:/blueprints/enrollment-flow.yaml
      when: blueprint_copied.changed

    - name: Copy blueprint into authentik-server container
      shell: |
        docker cp /opt/config/authentik/blueprints/enrollment-flow.yaml authentik-server:/blueprints/enrollment-flow.yaml
      when: blueprint_copied.changed

    - name: Restart authentik-worker to force blueprint discovery
      shell: docker restart authentik-worker
      when: blueprint_copied.changed

    - name: Wait for blueprint to be applied
      shell: |
        sleep 30
        docker exec authentik-server curl -sf -H 'Authorization: Bearer {{ authentik_api_token }}' \
          'http://localhost:9000/api/v3/flows/instances/?slug=default-enrollment-flow'
      register: flow_check
      retries: 6
      delay: 10
      until: flow_check.rc == 0
      no_log: true

    - name: Display success message
      debug:
        msg: |
          ✓ Enrollment flow blueprint updated successfully!

          The invitation-only enrollment flow is now set as the default.
          When you create invitations in Authentik, they will automatically
          use the correct flow.

          Flow URL: https://auth.{{ client_domain }}/if/flow/default-enrollment-flow/
feat: Add playbook to update enrollment flow and fix brand default ACHIEVEMENT: Invitation-only enrollment flow is now fully working! 🎉 This commit adds a utility playbook that was used to successfully deploy the updated enrollment-flow.yaml blueprint to the running dev server. The key fix was adding the tenant configuration to set the enrollment flow as the default in the Authentik brand, ensuring invitations created in the UI automatically use the correct flow. Changes: - Added update-enrollment-flow.yml playbook for deploying flow updates - Successfully deployed and verified on dev server - Invitation URLs now work correctly with the format: https://auth.dev.vrije.cloud/if/flow/default-enrollment-flow/?itoken=<token> Features confirmed working: ✓ Invitation-only registration (no public signup) ✓ Correct flow is set as brand default ✓ Email notifications via Mailgun SMTP ✓ 2FA enforcement configured ✓ Password recovery flow configured 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-15 13:29:26 +01:00			`---`
			`# Update enrollment flow blueprint on running Authentik instance`
			`- name: Update enrollment flow blueprint`
			`hosts: all`
			`gather_facts: no`
			`become: yes`

			`vars:`
			`authentik_api_token: "ak_DtA2LG1Z9shl-tw9r0cs34B1G9l8Lpz76GxLf-4OBiUWbiHbAVJ04GYLcZ30"`
			`client_domain: "dev.vrije.cloud"`

			`tasks:`

			`- name: Create blueprints directory`
			`file:`
			`path: /opt/config/authentik/blueprints`
			`state: directory`
			`mode: '0755'`

			`- name: Copy enrollment flow blueprint`
			`copy:`
			`src: ../roles/authentik/files/enrollment-flow.yaml`
			`dest: /opt/config/authentik/blueprints/enrollment-flow.yaml`
			`mode: '0644'`
			`register: blueprint_copied`

			`- name: Copy blueprint into authentik-worker container`
			`shell: \|`
			`docker cp /opt/config/authentik/blueprints/enrollment-flow.yaml authentik-worker:/blueprints/enrollment-flow.yaml`
			`when: blueprint_copied.changed`

			`- name: Copy blueprint into authentik-server container`
			`shell: \|`
			`docker cp /opt/config/authentik/blueprints/enrollment-flow.yaml authentik-server:/blueprints/enrollment-flow.yaml`
			`when: blueprint_copied.changed`

			`- name: Restart authentik-worker to force blueprint discovery`
			`shell: docker restart authentik-worker`
			`when: blueprint_copied.changed`

			`- name: Wait for blueprint to be applied`
			`shell: \|`
			`sleep 30`
			`docker exec authentik-server curl -sf -H 'Authorization: Bearer {{ authentik_api_token }}' \`
			`'http://localhost:9000/api/v3/flows/instances/?slug=default-enrollment-flow'`
			`register: flow_check`
			`retries: 6`
			`delay: 10`
			`until: flow_check.rc == 0`
			`no_log: true`

			`- name: Display success message`
			`debug:`
			`msg: \|`
			`✓ Enrollment flow blueprint updated successfully!`

			`The invitation-only enrollment flow is now set as the default.`
			`When you create invitations in Authentik, they will automatically`
			`use the correct flow.`

			`Flow URL: https://auth.{{ client_domain }}/if/flow/default-enrollment-flow/`