home-server/ansible/roles/noble_authentik/templates/blueprints/22-noble-invitation-enrollment-flows.yaml.j2

# Noble — two **enrollment** flows (public vs lab) with separate **Invitation** stages (invitation token required).
# Create rows under **Directory → Invitations** in the admin UI and pick the matching flow; share links with the
# correct **Host** so the right Brand applies. Does **not** ship example **Invitation** objects (no prefilled emails).
version: 1
metadata:
  name: noble-invitation-enrollment-flows
  labels:
    blueprints.goauthentik.io/instantiate: "true"
entries:
  - model: authentik_core.group
    id: noble-lab-invited-group
    identifiers:
      name: {{ noble_authentik_blueprint_lab_invitee_group_name | trim | to_json }}
    attrs:
      is_superuser: false
      attributes:
        "noble.ak/audience": lab
        "noble.ak/role": lab-invited

  - model: authentik_flows.flow
    id: noble-inv-flow-public
    identifiers:
      slug: {{ noble_authentik_blueprint_public_invitation_enrollment_flow_slug | trim | to_json }}
    attrs:
      name: {{ noble_authentik_blueprint_public_invitation_flow_name | trim | to_json }}
      title: {{ noble_authentik_blueprint_public_invitation_flow_title | trim | to_json }}
      designation: enrollment
      authentication: require_unauthenticated

  - model: authentik_flows.flow
    id: noble-inv-flow-lab
    identifiers:
      slug: {{ noble_authentik_blueprint_lab_invitation_enrollment_flow_slug | trim | to_json }}
    attrs:
      name: {{ noble_authentik_blueprint_lab_invitation_flow_name | trim | to_json }}
      title: {{ noble_authentik_blueprint_lab_invitation_flow_title | trim | to_json }}
      designation: enrollment
      authentication: require_unauthenticated

  - model: authentik_stages_invitation.invitationstage
    id: noble-inv-stage-public
    identifiers:
      name: noble-invitation-enrollment-invitation-public
    attrs:
      continue_flow_without_invitation: false

  - model: authentik_stages_invitation.invitationstage
    id: noble-inv-stage-lab
    identifiers:
      name: noble-invitation-enrollment-invitation-lab
    attrs:
      continue_flow_without_invitation: false

  - id: noble-inv-prompt-field-username
    model: authentik_stages_prompt.prompt
    identifiers:
      name: noble-inv-enroll-field-username
    attrs:
      field_key: username
      label: Username
      type: username
      required: true
      placeholder: Username
      placeholder_expression: false
      order: 0

  - id: noble-inv-prompt-field-password
    model: authentik_stages_prompt.prompt
    identifiers:
      name: noble-inv-enroll-field-password
    attrs:
      field_key: password
      label: Password
      type: password
      required: true
      placeholder: Password
      placeholder_expression: false
      order: 1

  - id: noble-inv-prompt-field-password-repeat
    model: authentik_stages_prompt.prompt
    identifiers:
      name: noble-inv-enroll-field-password-repeat
    attrs:
      field_key: password_repeat
      label: Password (repeat)
      type: password
      required: true
      placeholder: Password (repeat)
      placeholder_expression: false
      order: 2

  - id: noble-inv-prompt-field-name
    model: authentik_stages_prompt.prompt
    identifiers:
      name: noble-inv-enroll-field-name
    attrs:
      field_key: name
      label: Name
      type: text
      required: true
      placeholder: Name
      placeholder_expression: false
      order: 0

  - id: noble-inv-prompt-field-email
    model: authentik_stages_prompt.prompt
    identifiers:
      name: noble-inv-enroll-field-email
    attrs:
      field_key: email
      label: Email
      type: email
      required: true
      placeholder: Email
      placeholder_expression: false
      order: 1

  - id: noble-inv-prompt-stage-credentials
    model: authentik_stages_prompt.promptstage
    identifiers:
      name: noble-inv-enroll-prompt-credentials
    attrs:
      fields:
        - !KeyOf noble-inv-prompt-field-username
        - !KeyOf noble-inv-prompt-field-password
        - !KeyOf noble-inv-prompt-field-password-repeat

  - id: noble-inv-prompt-stage-details
    model: authentik_stages_prompt.promptstage
    identifiers:
      name: noble-inv-enroll-prompt-details
    attrs:
      fields:
        - !KeyOf noble-inv-prompt-field-name
        - !KeyOf noble-inv-prompt-field-email

  - id: noble-inv-user-write-public
    model: authentik_stages_user_write.userwritestage
    identifiers:
      name: noble-inv-enroll-user-write-public
    attrs:
      user_creation_mode: always_create
      user_type: {{ noble_authentik_blueprint_public_invitation_user_type | trim | lower | to_json }}
      user_path_template: {{ noble_authentik_blueprint_public_invitation_user_path | trim | to_json }}
      create_users_group: !Find [authentik_core.group, [name, {{ noble_authentik_blueprint_public_invitation_user_group | trim | to_json }}]]

  - id: noble-inv-user-write-lab
    model: authentik_stages_user_write.userwritestage
    identifiers:
      name: noble-inv-enroll-user-write-lab
    attrs:
      user_creation_mode: always_create
      user_type: {{ noble_authentik_blueprint_lab_invitation_user_type | trim | lower | to_json }}
      user_path_template: {{ noble_authentik_blueprint_lab_invitation_user_path | trim | to_json }}
      create_users_group: !KeyOf noble-lab-invited-group

  - id: noble-inv-user-login
    model: authentik_stages_user_login.userloginstage
    identifiers:
      name: noble-inv-enroll-user-login

  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf noble-inv-flow-public
      stage: !KeyOf noble-inv-stage-public
      order: 5
    attrs:
      evaluate_on_plan: true
      re_evaluate_policies: true

  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf noble-inv-flow-public
      stage: !KeyOf noble-inv-prompt-stage-credentials
      order: 10

  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf noble-inv-flow-public
      stage: !KeyOf noble-inv-prompt-stage-details
      order: 15

  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf noble-inv-flow-public
      stage: !KeyOf noble-inv-user-write-public
      order: 20

  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf noble-inv-flow-public
      stage: !KeyOf noble-inv-user-login
      order: 100

  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf noble-inv-flow-lab
      stage: !KeyOf noble-inv-stage-lab
      order: 5
    attrs:
      evaluate_on_plan: true
      re_evaluate_policies: true

  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf noble-inv-flow-lab
      stage: !KeyOf noble-inv-prompt-stage-credentials
      order: 10

  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf noble-inv-flow-lab
      stage: !KeyOf noble-inv-prompt-stage-details
      order: 15

  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf noble-inv-flow-lab
      stage: !KeyOf noble-inv-user-write-lab
      order: 20

  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf noble-inv-flow-lab
      stage: !KeyOf noble-inv-user-login
      order: 100