Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Post-Tyranny-Tech-Infrastru.../ansible/roles/authentik/tasks/main.yml
Pieter 2d94df6a8a feat: Add automated 2FA/MFA enforcement for Authentik 
Implements automatic configuration of 2FA enforcement via Authentik API:

**Features:**
- Forces users to configure TOTP authenticator on first login
- Supports multiple 2FA methods: TOTP, WebAuthn, Static backup codes
- Idempotent: detects existing configuration and skips update
- Fully automated via Ansible deployment

**Implementation:**
- New task file: ansible/roles/authentik/tasks/mfa.yml
- Updates default-authentication-mfa-validation stage via API
- Sets not_configured_action to "configure"
- Links default-authenticator-totp-setup as configuration stage

**Configuration:**
```yaml
not_configured_action: configure
device_classes: [totp, webauthn, static]
configuration_stages: [default-authenticator-totp-setup]
```

**Testing:**
 Deployed to dev server successfully
 MFA enforcement verified via API
 Status: "Already configured" (idempotent check works)

Users will now be required to set up 2FA on their next login.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-14 16:11:08 +01:00

28 lines
921 B
YAML
Raw Blame History

---
# Main tasks file for Authentik role
- name: Include Docker Compose setup
include_tasks: docker.yml
- name: Include bootstrap setup
include_tasks: bootstrap.yml
when: authentik_bootstrap | default(true)
- name: Include OIDC provider configuration
include_tasks: providers.yml
tags: ['authentik', 'oidc']
- name: Include email configuration
include_tasks: email.yml
when: mailgun_smtp_user is defined or (client_secrets.mailgun_smtp_user is defined and client_secrets.mailgun_smtp_user != "" and "PLACEHOLDER" not in client_secrets.mailgun_smtp_user)
tags: ['authentik', 'email']
- name: Include flows configuration (recovery, invitation)
include_tasks: flows.yml
when: authentik_bootstrap | default(true)
tags: ['authentik', 'flows']
- name: Include MFA/2FA enforcement configuration
include_tasks: mfa.yml
when: authentik_bootstrap | default(true)
tags: ['authentik', 'mfa', '2fa']
Reference in a new issue View git blame Copy permalink