Replaced placeholder stub scripts with functional implementations that configure Authentik flows using the REST API. Changes: - Added configure_invitation_flow.py: Creates invitation stage and binds it to the default enrollment flow - Added configure_recovery_flow.py: Verifies default recovery flow exists - Added configure_2fa_enforcement.py: Configures default MFA validation stage to force TOTP setup on login - Updated flows.yml to call new configuration scripts - Removed placeholder create_invitation_flow.py and create_recovery_flow.py The scripts properly configure Authentik via API to enable: 1. User invitations via email with enrollment flow 2. Password recovery via email 3. Enforced 2FA/TOTP setup on first login These configurations will work automatically on all future deployments. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
---
|
|
# Configure Authentik flows (invitation, recovery, 2FA) via API
|
|
|
|
- name: Use bootstrap token for API access
|
|
set_fact:
|
|
authentik_api_token: "{{ client_secrets.authentik_bootstrap_token }}"
|
|
|
|
- name: Copy invitation flow configuration script to server
|
|
copy:
|
|
src: configure_invitation_flow.py
|
|
dest: /tmp/configure_invitation_flow.py
|
|
mode: '0755'
|
|
|
|
- name: Copy recovery flow configuration script to server
|
|
copy:
|
|
src: configure_recovery_flow.py
|
|
dest: /tmp/configure_recovery_flow.py
|
|
mode: '0755'
|
|
|
|
- name: Copy 2FA enforcement configuration script to server
|
|
copy:
|
|
src: configure_2fa_enforcement.py
|
|
dest: /tmp/configure_2fa_enforcement.py
|
|
mode: '0755'
|
|
|
|
- name: Copy scripts into container
|
|
shell: |
|
|
docker cp /tmp/configure_invitation_flow.py authentik-server:/tmp/
|
|
docker cp /tmp/configure_recovery_flow.py authentik-server:/tmp/
|
|
docker cp /tmp/configure_2fa_enforcement.py authentik-server:/tmp/
|
|
changed_when: false
|
|
|
|
- name: Configure invitation flow
|
|
shell: |
|
|
docker exec authentik-server python3 /tmp/configure_invitation_flow.py \
|
|
"http://localhost:9000" \
|
|
"{{ authentik_api_token }}"
|
|
register: invitation_result
|
|
changed_when: "'success' in invitation_result.stdout"
|
|
|
|
- name: Configure recovery flow
|
|
shell: |
|
|
docker exec authentik-server python3 /tmp/configure_recovery_flow.py \
|
|
"http://localhost:9000" \
|
|
"{{ authentik_api_token }}"
|
|
register: recovery_result
|
|
changed_when: "'success' in recovery_result.stdout"
|
|
|
|
- name: Configure 2FA enforcement
|
|
shell: |
|
|
docker exec authentik-server python3 /tmp/configure_2fa_enforcement.py \
|
|
"http://localhost:9000" \
|
|
"{{ authentik_api_token }}"
|
|
register: twofa_result
|
|
changed_when: "'success' in twofa_result.stdout"
|
|
|
|
- name: Cleanup configuration scripts from host
|
|
file:
|
|
path: "{{ item }}"
|
|
state: absent
|
|
loop:
|
|
- /tmp/configure_invitation_flow.py
|
|
- /tmp/configure_recovery_flow.py
|
|
- /tmp/configure_2fa_enforcement.py
|
|
|
|
- name: Display flows configuration status
|
|
debug:
|
|
msg: |
|
|
========================================
|
|
Authentik Flows Configuration
|
|
========================================
|
|
|
|
✓ Invitation Flow: {{ 'Configured' if invitation_result.rc == 0 else 'Failed' }}
|
|
{{ (invitation_result.stdout | from_json).message | default('') }}
|
|
|
|
✓ Recovery Flow: {{ 'Configured' if recovery_result.rc == 0 else 'Failed' }}
|
|
{{ (recovery_result.stdout | from_json).message | default('') }}
|
|
|
|
✓ 2FA Enforcement: {{ 'Configured' if twofa_result.rc == 0 else 'Failed' }}
|
|
{{ (twofa_result.stdout | from_json).message | default('') }}
|
|
|
|
Email configuration is active and flows
|
|
will send emails via Mailgun SMTP.
|
|
========================================
|
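Review bot: The three "Configure … flow/enforcement" tasks pass the bootstrap API token as a positional argument on the `docker exec` command line, so it is readable by any local user through the host process table and is echoed in Ansible output whenever one of these tasks fails, since none of them set `no_log`. Hand it over through the environment instead — `environment: { AUTHENTIK_TOKEN: "{{ authentik_api_token }}" }` on the task, `docker exec -e AUTHENTIK_TOKEN authentik-server python3 /tmp/configure_invitation_flow.py "http://localhost:9000"` as the command, and `no_log: true` on the task — with the scripts reading that variable rather than argv (their source is outside this file, so that side of the change is not visible here). Separately, the "Display flows configuration status" task applies `from_json` to each registered stdout without a guard, so any non-JSON output from a script aborts the play at the debug step, and the `else 'Failed'` branches can never be reached because a non-zero rc already fails the preceding shell task (no `ignore_errors` or `failed_when` is set).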