Automated recovery flow setup via blueprints was too complex and
unreliable. Recovery flows (password reset via email) must now be
configured manually in Authentik admin UI.
Changes:
- Removed recovery-flow.yaml blueprint
- Removed configure_recovery_flow.py script
- Removed update-recovery-flow.yml playbook
- Updated flows.yml to remove recovery references
- Updated custom-flows.yaml to remove brand recovery flow config
- Updated comments to reflect manual recovery flow requirement
Automated configuration still includes:
- Enrollment flow with invitation support
- 2FA/MFA enforcement
- OIDC provider for Nextcloud
- Email configuration via SMTP
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Created custom-flows.yaml blueprint for:
* Invitation stage configuration
* Recovery flow setup in brand
* 2FA enforcement (TOTP required)
- Replaced Python API scripts with YAML blueprint approach
- Blueprint is copied to /blueprints/ in authentik containers
- Authentik auto-discovers and applies blueprints
This is the official Authentik way to configure flows.
The blueprint uses Authentik-specific YAML tags: !Find, !KeyOf
