Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Post-Tyranny-Tech-Infrastru.../ansible/roles/authentik/tasks/recovery.yml
Pieter 2a107cbf14 fix: Pass API token as command-line arg to recovery script 
The recovery flow automation was failing because the Ansible task
was piping the API token via stdin (echo -e), but the Python script
(create_recovery_flow.py) expects command-line arguments via sys.argv.

Changed from:
  echo -e "$TOKEN\n$DOMAIN" | docker exec -i python3 script.py

To:
  docker exec python3 script.py "$TOKEN" "$DOMAIN"

This matches how the Python script is designed (line 365-370).

Tested on valk deployment - recovery flow now creates successfully
with all features:
- Password complexity policy
- Email verification
- "Forgot password?" link on login page

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-20 18:13:10 +01:00

85 lines
3 KiB
YAML
Raw Permalink Blame History

---
# Configure Authentik password recovery flow
# This creates a complete recovery flow with email verification and password complexity validation
- name: Use bootstrap token for API access
set_fact:
authentik_api_token: "{{ client_secrets.authentik_bootstrap_token }}"
- name: Copy recovery flow creation script to server
copy:
src: create_recovery_flow.py
dest: /tmp/create_recovery_flow.py
mode: '0755'
- name: Copy recovery flow script into Authentik container
shell: docker cp /tmp/create_recovery_flow.py authentik-server:/tmp/create_recovery_flow.py
changed_when: false
- name: Create recovery flow via Authentik API
shell: |
docker exec authentik-server python3 /tmp/create_recovery_flow.py "{{ authentik_api_token }}" "{{ authentik_domain }}"
register: recovery_flow_result
failed_when: false
changed_when: "'Recovery Flow Configuration Complete' in recovery_flow_result.stdout"
- name: Cleanup recovery flow script from server
file:
path: /tmp/create_recovery_flow.py
state: absent
- name: Cleanup recovery flow script from container
shell: docker exec authentik-server rm -f /tmp/create_recovery_flow.py
changed_when: false
failed_when: false
- name: Parse recovery flow result
set_fact:
recovery_flow: "{{ recovery_flow_result.stdout | regex_search('\\{.*\\}', multiline=True) | from_json }}"
when: recovery_flow_result.rc == 0
failed_when: false
- name: Display recovery flow configuration result
debug:
msg: |
========================================
Authentik Password Recovery Flow
========================================
{% if recovery_flow is defined and recovery_flow.success | default(false) %}
Status: ✓ Configured Successfully
Recovery Flow UUID: {{ recovery_flow.recovery_flow_uuid }}
Password Policy UUID: {{ recovery_flow.password_complexity_uuid }}
Features:
- Password complexity: 12+ chars, mixed case, digit, symbol
- Recovery email with 30-minute expiry token
- Username + password on same login page
- "Forgot password?" link on login page
Test Recovery Flow:
1. Go to: https://{{ authentik_domain }}/if/flow/default-authentication-flow/
2. Click "Forgot password?" link
3. Enter username or email
4. Check email for recovery link (sent via Mailgun)
5. Set new password (must meet complexity requirements)
========================================
{% else %}
Status: ⚠ Configuration incomplete or failed
This is non-critical - recovery flow can be configured manually.
To configure manually:
1. Login to https://{{ authentik_domain }}
2. Go to Admin > Flows & Stages
3. Create recovery flow with email verification
Details: {{ recovery_flow_result.stdout | default('No output') }}
========================================
{% endif %}
- name: Set recovery flow status fact
set_fact:
recovery_flow_configured: "{{ recovery_flow is defined and recovery_flow.success | default(false) }}"
Reference in a new issue View git blame Copy permalink