Authentik login page configuration via PostStart

- Configure flow title to "Sign in to Bloud" and identification stage
  to username-only on every PostStart, with a 2-minute retry loop that
  detects blueprint overwrites via post-patch verification
- Smoke test now reloads the page until the correct title appears,
  handling the async PostStart timing without relying on SPA polling
- Update snapshot baseline to show correct configured state
- Fix smoke test BLOUD_URL to use resolved VM IP rather than bloud.local

Author: d-buckner

apps/authentik/configurator.go

@@ -112,6 +112,11 @@ except Exception as e:
 		}
 	}
 
+	// Step 5: Apply login page configuration (flow title + username-only identification)
+	if err := client.EnsureLoginConfiguration(); err != nil {
+		return fmt.Errorf("failed to ensure login configuration: %w", err)
+	}
+
 	return nil
 }
 

cli/pve.go

@@ -1481,8 +1481,16 @@ func cmdSmokePVE(args []string) int {
 	// Clear previous report so show-report always displays current results
 	os.RemoveAll(filepath.Join(smokeDir, "playwright-report"))
 
+	// Resolve VM IP to pass as BLOUD_URL — avoids relying on mDNS (bloud.local) which
+	// doesn't work reliably when the test runner is on a different host.
+	cfg := getPVEConfig()
+	vmURL := "http://bloud.local"
+	if ip := getVMIP(cfg); ip != "" {
+		vmURL = "http://" + ip
+	}
+
 	// Run Playwright smoke tests
-	log("Running smoke tests against http://bloud.local...")
+	log("Running smoke tests against " + vmURL + "...")
 	fmt.Println()
 
 	playwrightArgs := []string{"playwright", "test", "--reporter=list"}
@@ -1526,6 +1534,7 @@ func cmdSmokePVE(args []string) int {
 	playwrightCmd.Dir = smokeDir
 	playwrightCmd.Stdout = os.Stdout
 	playwrightCmd.Stderr = os.Stderr
+	playwrightCmd.Env = append(os.Environ(), "BLOUD_URL="+vmURL)
 	if err := playwrightCmd.Run(); err != nil {
 		fmt.Println()
 		errorf("Smoke tests failed")

services/host-agent/pkg/authentik/client.go

@@ -1019,6 +1019,198 @@ func (c *Client) DeleteUser(username string) error {
 	return nil
 }
 
+// EnsureLoginConfiguration applies Bloud-specific login page settings:
+// - Sets the authentication flow title to "Sign in to Bloud"
+// - Configures the identification stage to only accept username (not email)
+// This is idempotent — safe to call on every PostStart.
+//
+// Authentik creates default flows asynchronously via blueprints after the health endpoint
+// returns ready, so we retry until our changes stick. The blueprint for the default
+// authentication flow runs during startup and can overwrite a patch applied just before it
+// completes. We detect this by re-reading the flow title 3 seconds after patching — if a
+// blueprint reset it, the outer loop retries, eventually patching after all blueprints finish.
+//
+// Refs:
+//   - PATCH /api/v3/flows/instances/:slug/ (slug path param, title body field)
+//   - GET  /api/v3/flows/instances/:slug/ (verify title)
+//   - PATCH /api/v3/stages/identification/:stage_uuid/ (UUID path param, user_fields body field)
+func (c *Client) EnsureLoginConfiguration() error {
+	const (
+		timeout  = 2 * time.Minute
+		interval = 10 * time.Second
+	)
+	deadline := time.Now().Add(timeout)
+
+	for {
+		err := c.applyAndVerifyLoginConfiguration()
+		if err == nil {
+			return nil
+		}
+
+		if time.Now().After(deadline) {
+			return fmt.Errorf("timed out waiting for login configuration to apply: %w", err)
+		}
+
+		time.Sleep(interval)
+	}
+}
+
+// applyAndVerifyLoginConfiguration patches the flow title and identification stage, then
+// waits 3 seconds and re-reads the flow title to confirm a blueprint didn't overwrite it.
+func (c *Client) applyAndVerifyLoginConfiguration() error {
+	if err := c.ensureFlowTitle("default-authentication-flow", "Sign in to Bloud"); err != nil {
+		return fmt.Errorf("ensuring flow title: %w", err)
+	}
+
+	if err := c.ensureIdentificationStageUsernameOnly("default-authentication-identification"); err != nil {
+		return fmt.Errorf("ensuring identification stage: %w", err)
+	}
+
+	// Wait briefly, then re-read the flow title to confirm no blueprint overwrote our patch.
+	time.Sleep(3 * time.Second)
+
+	title, err := c.getFlowTitle("default-authentication-flow")
+	if err != nil {
+		return fmt.Errorf("verifying flow title: %w", err)
+	}
+	if title != "Sign in to Bloud" {
+		return fmt.Errorf("flow title was reset to %q by a blueprint, will retry", title)
+	}
+
+	return nil
+}
+
+// getFlowTitle fetches the current title of a flow by slug.
+func (c *Client) getFlowTitle(slug string) (string, error) {
+	reqURL := fmt.Sprintf("%s/api/v3/flows/instances/%s/", c.baseURL, url.PathEscape(slug))
+	req, err := http.NewRequest(http.MethodGet, reqURL, nil)
+	if err != nil {
+		return "", fmt.Errorf("creating request: %w", err)
+	}
+	req.Header.Set("Authorization", "Bearer "+c.token)
+	req.Header.Set("Accept", "application/json")
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return "", fmt.Errorf("executing request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(resp.Body)
+		return "", fmt.Errorf("fetching flow: status %d: %s", resp.StatusCode, string(body))
+	}
+
+	var result struct {
+		Title string `json:"title"`
+	}
+	if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
+		return "", fmt.Errorf("decoding flow: %w", err)
+	}
+	return result.Title, nil
+}
+
+// ensureFlowTitle PATCHes the title of a flow by slug.
+// API: PATCH /api/v3/flows/instances/:slug/ — slug is the URL path parameter.
+func (c *Client) ensureFlowTitle(slug, title string) error {
+	reqURL := fmt.Sprintf("%s/api/v3/flows/instances/%s/", c.baseURL, url.PathEscape(slug))
+	payload := map[string]string{"title": title}
+	payloadBytes, _ := json.Marshal(payload)
+
+	req, err := http.NewRequest(http.MethodPatch, reqURL, bytes.NewReader(payloadBytes))
+	if err != nil {
+		return fmt.Errorf("creating request: %w", err)
+	}
+	req.Header.Set("Authorization", "Bearer "+c.token)
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Accept", "application/json")
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("executing request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(resp.Body)
+		return fmt.Errorf("patching flow title: status %d: %s", resp.StatusCode, string(body))
+	}
+
+	return nil
+}
+
+// ensureIdentificationStageUsernameOnly sets user_fields to ["username"] on an identification stage.
+// API: GET /api/v3/stages/identification/?search=name to find the stage UUID,
+// then PATCH /api/v3/stages/identification/:stage_uuid/ with user_fields.
+// Valid user_fields values: email, username, upn.
+func (c *Client) ensureIdentificationStageUsernameOnly(stageName string) error {
+	reqURL := fmt.Sprintf("%s/api/v3/stages/identification/?search=%s", c.baseURL, url.QueryEscape(stageName))
+	req, _ := http.NewRequest(http.MethodGet, reqURL, nil)
+	req.Header.Set("Authorization", "Bearer "+c.token)
+	req.Header.Set("Accept", "application/json")
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("fetching identification stages: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(resp.Body)
+		return fmt.Errorf("fetching identification stages: status %d: %s", resp.StatusCode, string(body))
+	}
+
+	// pk is a UUID string (stage_uuid), used as the path parameter for PATCH
+	var result struct {
+		Results []struct {
+			PK   string `json:"pk"`
+			Name string `json:"name"`
+		} `json:"results"`
+	}
+	if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
+		return fmt.Errorf("decoding identification stages: %w", err)
+	}
+
+	var stageUUID string
+	for _, stage := range result.Results {
+		if stage.Name == stageName {
+			stageUUID = stage.PK
+			break
+		}
+	}
+
+	if stageUUID == "" {
+		return fmt.Errorf("identification stage %q not found", stageName)
+	}
+
+	patchURL := fmt.Sprintf("%s/api/v3/stages/identification/%s/", c.baseURL, stageUUID)
+	payload := map[string]interface{}{
+		"user_fields": []string{"username"},
+	}
+	payloadBytes, _ := json.Marshal(payload)
+
+	patchReq, err := http.NewRequest(http.MethodPatch, patchURL, bytes.NewReader(payloadBytes))
+	if err != nil {
+		return fmt.Errorf("creating request: %w", err)
+	}
+	patchReq.Header.Set("Authorization", "Bearer "+c.token)
+	patchReq.Header.Set("Content-Type", "application/json")
+	patchReq.Header.Set("Accept", "application/json")
+
+	patchResp, err := c.httpClient.Do(patchReq)
+	if err != nil {
+		return fmt.Errorf("executing request: %w", err)
+	}
+	defer patchResp.Body.Close()
+
+	if patchResp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(patchResp.Body)
+		return fmt.Errorf("patching identification stage: status %d: %s", patchResp.StatusCode, string(body))
+	}
+
+	return nil
+}
+
 // EnsureBranding updates the default Authentik brand with the provided CSS.
 // The CSS is pushed inline because Authentik uses Constructable Stylesheets
 // which forbid @import rules in branding_custom_css.

smoke/lib/api.ts

@@ -12,7 +12,7 @@ interface CreateUserResponse {
 }
 
 export class SmokeApi {
-  private readonly baseUrl = 'http://bloud.local';
+  private readonly baseUrl = process.env.BLOUD_URL ?? 'http://bloud.local';
 
   constructor(private readonly request: APIRequestContext) {}
 

smoke/tests/apps/authentik.spec.ts

@@ -1,13 +1,29 @@
 import { test, expect } from '@playwright/test';
 
-// Navigate to Authentik login page without signing in first so we see the styled login form.
-// This test exists purely to capture a screenshot as evidence that branding CSS is applied.
 test('authentik login page styling', async ({ page }) => {
   await test.step('load Authentik login page', async () => {
     await page.goto('/if/flow/default-authentication-flow/');
     await page.locator('input[name="uidField"]').waitFor({ state: 'visible', timeout: 30_000 });
   });
 
+  await test.step('shows "Sign in to Bloud" title', async () => {
+    // PostStart applies config asynchronously via systemd ExecStartPost. The Authentik SPA
+    // fetches flow data once on page load and doesn't poll, so reload until the title is set.
+    await expect(async () => {
+      await page.reload();
+      await page.locator('input[name="uidField"]').waitFor({ state: 'visible', timeout: 30_000 });
+      await expect(page.getByRole('heading', { name: 'Sign in to Bloud', level: 1 })).toBeVisible();
+    }).toPass({ timeout: 120_000, intervals: [5_000] });
+  });
+
+  await test.step('shows "Username" field (not "Email or Username")', async () => {
+    // The identification stage should be configured for username-only.
+    // Authentik renders the label as a generic element adjacent to the input.
+    await expect(page.getByText('Email or Username')).not.toBeVisible();
+    await expect(page.getByText('Username', { exact: true })).toBeVisible();
+    await expect(page.locator('input[name="uidField"]')).toHaveAttribute('placeholder', 'Username');
+  });
+
   await test.step('screenshot login page', async () => {
     await expect(page).toHaveScreenshot('authentik-login.png', { fullPage: true });
   });