diff --git a/services/keycloak/oneoffs/veles-realm-ensure-job.yaml b/services/keycloak/oneoffs/veles-realm-ensure-job.yaml
index a7e16ab9..5176cae3 100644
--- a/services/keycloak/oneoffs/veles-realm-ensure-job.yaml
+++ b/services/keycloak/oneoffs/veles-realm-ensure-job.yaml
@@ -157,7 +157,7 @@ spec:
                   create_payload = {
                       "realm": realm,
                       "enabled": True,
-                      "registrationAllowed": False,
+                      "registrationAllowed": True,
                       "resetPasswordAllowed": True,
                       "verifyEmail": True,
                       "loginWithEmailAllowed": True,
@@ -174,7 +174,7 @@ spec:
               realm_rep.update(
                   {
                       "enabled": True,
-                      "registrationAllowed": False,
+                      "registrationAllowed": True,
                       "resetPasswordAllowed": True,
                       "verifyEmail": True,
                       "loginWithEmailAllowed": True,
@@ -246,6 +246,17 @@ spec:
                   if status not in (200, 204):
                       raise SystemExit(f"Group role mapping failed for {role['name']}: status={status} body={body}")
 
+              def ensure_default_group(group_id, name):
+                  status, groups = request("GET", f"{base_url}/admin/realms/{realm}/default-groups", token)
+                  if status != 200:
+                      raise SystemExit(f"Default group lookup failed: status={status}")
+                  for group in groups or []:
+                      if group.get("id") == group_id or group.get("name") == name:
+                          return
+                  status, body = request("PUT", f"{base_url}/admin/realms/{realm}/default-groups/{group_id}", token)
+                  if status not in (200, 204):
+                      raise SystemExit(f"Default group update failed for {name}: status={status} body={body}")
+
               alpha_group_id = ensure_group("alpha")
               admin_group_id = ensure_group("admin")
               alpha_role = ensure_role("alpha")
@@ -253,6 +264,7 @@ spec:
               ensure_group_role(alpha_group_id, alpha_role)
               ensure_group_role(admin_group_id, alpha_role)
               ensure_group_role(admin_group_id, admin_role)
+              ensure_default_group(alpha_group_id, "alpha")
 
               status, clients = request(
                   "GET",
diff --git a/services/veles/backend-deployment.yaml b/services/veles/backend-deployment.yaml
index 65c99046..068f7ab2 100644
--- a/services/veles/backend-deployment.yaml
+++ b/services/veles/backend-deployment.yaml
@@ -33,7 +33,7 @@ spec:
           type: RuntimeDefault
       containers:
         - name: backend
-          image: registry.bstein.dev/veles/veles-backend:0.1.0-4 # {"$imagepolicy": "veles:veles-backend"}
+          image: registry.bstein.dev/veles/veles-backend:0.1.0-5 # {"$imagepolicy": "veles:veles-backend"}
           imagePullPolicy: IfNotPresent
           ports:
             - name: http
diff --git a/services/veles/frontend-deployment.yaml b/services/veles/frontend-deployment.yaml
index 60a7addd..11c5721b 100644
--- a/services/veles/frontend-deployment.yaml
+++ b/services/veles/frontend-deployment.yaml
@@ -48,7 +48,7 @@ spec:
           type: RuntimeDefault
       containers:
         - name: frontend
-          image: registry.bstein.dev/veles/veles-frontend:0.1.0-1 # {"$imagepolicy": "veles:veles-frontend"}
+          image: registry.bstein.dev/veles/veles-frontend:0.1.0-2 # {"$imagepolicy": "veles:veles-frontend"}
           imagePullPolicy: IfNotPresent
           ports:
             - name: http