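---
# Configure Authentik flows (invitation, recovery, 2FA) via API.
#
# Three helper scripts are copied to the host, copied into the
# `authentik-server` container, and run there against the local API
# endpoint with the bootstrap token as their second argument.
#
# Secret handling:
#   * Every task that templates the bootstrap token sets `no_log: true`
#     so the token is not written to Ansible output or callback logs.
#     On failure the task result is censored as well; drop `no_log`
#     temporarily when debugging.
#   * The scripts are run with `command` + `argv` rather than `shell`,
#     so the token is passed as one literal argument and is never
#     interpreted by a shell.
#   * NOTE(review): the token is still visible in the process argument
#     list on the host and in the container while each script runs.
#     Removing that exposure needs the scripts to read the token from
#     the environment or stdin; they are not visible here, so the
#     calling convention is left as is.

- name: Use bootstrap token for API access
  set_fact:
    authentik_api_token: "{{ client_secrets.authentik_bootstrap_token }}"
  no_log: true

# NOTE(review): fixed file names in /tmp on the host; a per-run
# temporary directory would be the safer staging location if /tmp is
# shared with other local users.
- name: Copy flow configuration scripts to server
  copy:
    src: "{{ item }}"
    dest: "/tmp/{{ item }}"
    mode: '0755'
  loop:
    - configure_invitation_flow.py
    - configure_recovery_flow.py
    - configure_2fa_enforcement.py

- name: Copy scripts into container
  command:
    argv:
      - docker
      - cp
      - "{{ item }}"
      - "authentik-server:/tmp/"
  loop:
    - /tmp/configure_invitation_flow.py
    - /tmp/configure_recovery_flow.py
    - /tmp/configure_2fa_enforcement.py
  changed_when: false

- name: Configure invitation flow
  command:
    argv:
      - docker
      - exec
      - authentik-server
      - python3
      - /tmp/configure_invitation_flow.py
      - "http://localhost:9000"
      - "{{ authentik_api_token }}"
  register: invitation_result
  changed_when: "'success' in invitation_result.stdout"
  no_log: true

- name: Configure recovery flow
  command:
    argv:
      - docker
      - exec
      - authentik-server
      - python3
      - /tmp/configure_recovery_flow.py
      - "http://localhost:9000"
      - "{{ authentik_api_token }}"
  register: recovery_result
  changed_when: "'success' in recovery_result.stdout"
  no_log: true

- name: Configure 2FA enforcement
  command:
    argv:
      - docker
      - exec
      - authentik-server
      - python3
      - /tmp/configure_2fa_enforcement.py
      - "http://localhost:9000"
      - "{{ authentik_api_token }}"
  register: twofa_result
  changed_when: "'success' in twofa_result.stdout"
  no_log: true

# Removes the host copies only.
# NOTE(review): the copies inside the container (/tmp in
# authentik-server) are not removed by this file, and this task is
# skipped if an earlier task fails; consider a block/always wrapper.
- name: Cleanup configuration scripts from host
  file:
    path: "{{ item }}"
    state: absent
  loop:
    - /tmp/configure_invitation_flow.py
    - /tmp/configure_recovery_flow.py
    - /tmp/configure_2fa_enforcement.py

# The summary parses each script's stdout as JSON and prints its
# `message` field; this assumes the scripts print a single JSON
# document and never echo the token back - TODO confirm.
# NOTE(review): no task above sets ignore_errors/failed_when, so a
# non-zero rc stops the play before this task and the 'Failed' branch
# is not reached as written.
- name: Display flows configuration status
  debug:
    msg: |
      ========================================
      Authentik Flows Configuration
      ========================================

      ✓ Invitation Flow: {{ 'Configured' if invitation_result.rc == 0 else 'Failed' }}
        {{ (invitation_result.stdout | from_json).message | default('') }}

      ✓ Recovery Flow: {{ 'Configured' if recovery_result.rc == 0 else 'Failed' }}
        {{ (recovery_result.stdout | from_json).message | default('') }}

      ✓ 2FA Enforcement: {{ 'Configured' if twofa_result.rc == 0 else 'Failed' }}
        {{ (twofa_result.stdout | from_json).message | default('') }}

      Email configuration is active and flows will send emails via Mailgun SMTP.
      ========================================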