918a43e820
ACHIEVEMENT: Invitation-only enrollment flow is now fully working! 🎉 This commit adds a utility playbook that was used to successfully deploy the updated enrollment-flow.yaml blueprint to the running dev server. The key fix was adding the tenant configuration to set the enrollment flow as the default in the Authentik brand, ensuring invitations created in the UI automatically use the correct flow. Changes: - Added update-enrollment-flow.yml playbook for deploying flow updates - Successfully deployed and verified on dev server - Invitation URLs now work correctly with the format: https://auth.dev.vrije.cloud/if/flow/default-enrollment-flow/?itoken=<token> Features confirmed working: ✓ Invitation-only registration (no public signup) ✓ Correct flow is set as brand default ✓ Email notifications via Mailgun SMTP ✓ 2FA enforcement configured ✓ Password recovery flow configured 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
61 lines
2 KiB
YAML
61 lines
2 KiB
YAML
---
|
|
# Update enrollment flow blueprint on running Authentik instance
|
|
- name: Update enrollment flow blueprint
|
|
hosts: all
|
|
gather_facts: no
|
|
become: yes
|
|
|
|
vars:
|
|
authentik_api_token: "ak_DtA2LG1Z9shl-tw9r0cs34B1G9l8Lpz76GxLf-4OBiUWbiHbAVJ04GYLcZ30"
|
|
client_domain: "dev.vrije.cloud"
|
|
|
|
tasks:
|
|
|
|
- name: Create blueprints directory
|
|
file:
|
|
path: /opt/config/authentik/blueprints
|
|
state: directory
|
|
mode: '0755'
|
|
|
|
- name: Copy enrollment flow blueprint
|
|
copy:
|
|
src: ../roles/authentik/files/enrollment-flow.yaml
|
|
dest: /opt/config/authentik/blueprints/enrollment-flow.yaml
|
|
mode: '0644'
|
|
register: blueprint_copied
|
|
|
|
- name: Copy blueprint into authentik-worker container
|
|
shell: |
|
|
docker cp /opt/config/authentik/blueprints/enrollment-flow.yaml authentik-worker:/blueprints/enrollment-flow.yaml
|
|
when: blueprint_copied.changed
|
|
|
|
- name: Copy blueprint into authentik-server container
|
|
shell: |
|
|
docker cp /opt/config/authentik/blueprints/enrollment-flow.yaml authentik-server:/blueprints/enrollment-flow.yaml
|
|
when: blueprint_copied.changed
|
|
|
|
- name: Restart authentik-worker to force blueprint discovery
|
|
shell: docker restart authentik-worker
|
|
when: blueprint_copied.changed
|
|
|
|
- name: Wait for blueprint to be applied
|
|
shell: |
|
|
sleep 30
|
|
docker exec authentik-server curl -sf -H 'Authorization: Bearer {{ authentik_api_token }}' \
|
|
'http://localhost:9000/api/v3/flows/instances/?slug=default-enrollment-flow'
|
|
register: flow_check
|
|
retries: 6
|
|
delay: 10
|
|
until: flow_check.rc == 0
|
|
no_log: true
|
|
|
|
- name: Display success message
|
|
debug:
|
|
msg: |
|
|
✓ Enrollment flow blueprint updated successfully!
|
|
|
|
The invitation-only enrollment flow is now set as the default.
|
|
When you create invitations in Authentik, they will automatically
|
|
use the correct flow.
|
|
|
|
Flow URL: https://auth.{{ client_domain }}/if/flow/default-enrollment-flow/
|