Add recovery.yml task include to main.yml to enable automated
password recovery flow setup. This calls the recovery.yml tasks
which use create_recovery_flow.py to configure:
- Password complexity policy (12+ chars, mixed case, digit, symbol)
- Recovery identification stage (username/email)
- Recovery email stage (30-minute token expiry)
- Integration with default authentication flow
- "Forgot password?" link on login page
This restores automated recovery flow setup that was previously
removed when the blueprint-based approach was abandoned. The new
approach uses direct API calls via Python script which is more
reliable than blueprints.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Automated recovery flow setup via blueprints was too complex and
unreliable. Recovery flows (password reset via email) must now be
configured manually in Authentik admin UI.
Changes:
- Removed recovery-flow.yaml blueprint
- Removed configure_recovery_flow.py script
- Removed update-recovery-flow.yml playbook
- Updated flows.yml to remove recovery references
- Updated custom-flows.yaml to remove brand recovery flow config
- Updated comments to reflect manual recovery flow requirement
Automated configuration still includes:
- Enrollment flow with invitation support
- 2FA/MFA enforcement
- OIDC provider for Nextcloud
- Email configuration via SMTP
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Implements automatic configuration of 2FA enforcement via Authentik API:
**Features:**
- Forces users to configure TOTP authenticator on first login
- Supports multiple 2FA methods: TOTP, WebAuthn, Static backup codes
- Idempotent: detects existing configuration and skips update
- Fully automated via Ansible deployment
**Implementation:**
- New task file: ansible/roles/authentik/tasks/mfa.yml
- Updates default-authentication-mfa-validation stage via API
- Sets not_configured_action to "configure"
- Links default-authenticator-totp-setup as configuration stage
**Configuration:**
```yaml
not_configured_action: configure
device_classes: [totp, webauthn, static]
configuration_stages: [default-authenticator-totp-setup]
```
**Testing:**
✅ Deployed to dev server successfully
✅ MFA enforcement verified via API
✅ Status: "Already configured" (idempotent check works)
Users will now be required to set up 2FA on their next login.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
This commit adds password recovery and user invitation flows for Authentik,
enabling users to reset passwords via email and admins to invite users.
Features Added:
- Recovery flow: Users can request password reset emails
- Invitation flow: Admins can send user invitation emails
- Python scripts use Authentik API (no hardcoded credentials)
- Flows task automatically verifies/creates flows on deployment
Changes:
- authentik/files/create_recovery_flow.py: Recovery flow script
- authentik/files/create_invitation_flow.py: Invitation flow script
- authentik/tasks/flows.yml: Flow configuration task
- authentik/tasks/main.yml: Include flows task
This ensures:
✓ Password recovery emails work automatically
✓ User invitations work automatically
✓ Flows are configured on every deployment
✓ No hardcoded credentials (uses bootstrap token)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
This commit adds comprehensive email configuration for both Authentik
and Nextcloud, integrated with Mailgun SMTP credentials.
Features Added:
- Mailgun role integration in deploy.yml playbook
- Authentik email configuration display task
- Nextcloud SMTP configuration with admin email setup
- Infrastructure prerequisite checking in deploy playbook
Changes:
- deploy.yml: Added Mailgun role and base infrastructure check
- authentik/tasks/email.yml: Display email configuration status
- authentik/tasks/main.yml: Include email task when credentials exist
- nextcloud/tasks/email.yml: Configure SMTP and admin email
- nextcloud/tasks/main.yml: Include email task when credentials exist
This ensures:
✓ Mailgun SMTP credentials are created/loaded automatically
✓ Authentik email works via docker-compose environment variables
✓ Nextcloud SMTP is configured via occ commands
✓ Admin email address is set automatically
✓ Email works immediately on new deployments
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Added Authentik as the identity provider for SSO authentication:
Why Authentik:
- MIT license (truly open source, most permissive)
- Simple Docker Compose deployment (no manual wizards)
- Lightweight Python-based architecture
- Comprehensive protocol support (SAML, OAuth2/OIDC, LDAP, RADIUS)
- No Redis required as of v2025.10 (all caching in PostgreSQL)
- Active development and strong community
Implementation:
- Created complete Authentik Ansible role
- Docker Compose with server + worker architecture
- PostgreSQL 16 database backend
- Traefik integration with Let's Encrypt SSL
- Bootstrap tasks for initial setup guidance
- Health checks and proper service dependencies
Architecture decisions updated:
- Documented comparison: Authentik vs Zitadel vs Keycloak
- Explained Zitadel removal (FirstInstance bugs)
- Added deployment example and configuration notes
Next steps:
- Update documentation (PROJECT_REFERENCE.md, README.md)
- Create Authentik agent configuration
- Add secrets template
- Test deployment on test server
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
