home-server/ansible/roles/noble_authentik/templates/blueprints/30-noble-brands-domain-split.yaml.j2


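# Noble — Brands so **Host** selects authentication flow: lab hostname → operator-only hardened flow; extra hosts → public flow (**21**).
#
# Security notes for operators:
# - Every brand here sets `default: false`. A request whose Host matches none
#   of these domains is served by whichever brand is marked default elsewhere;
#   that brand is not defined in this file, so review its authentication flow
#   separately.
# - authentik documents brand selection as a domain-suffix match, so each
#   domain below also covers its subdomains. Keep the lab hostname and the
#   extra hosts from being suffixes of one another unless that is intended.
# - NOTE(review): if a slug passed to !Find matches no flow when the blueprint
#   is applied, the lookup is expected to resolve to null and the brand would
#   carry no pinned authentication flow. Confirm the blueprints that create
#   the hardened and public flows are applied before this one.
version: 1
metadata:
  name: noble-brands-domain-split
  labels:
    blueprints.goauthentik.io/instantiate: "true"
entries:
  # Lab hostname: bound to the operator-only hardened flow.
  # to_json emits a quoted scalar, so the rendered value always stays a string.
  - model: authentik_brands.brand
    identifiers:
      domain: {{ noble_authentik_host | trim | to_json }}
    attrs:
      default: false
      title: {{ noble_authentik_blueprint_lab_brand_title | trim | to_json }}
      flow_authentication: !Find [authentik_flows.flow, [slug, {{ noble_authentik_blueprint_lab_flow_slug | trim | to_json }}]]
      flow_invalidation: !Find [authentik_flows.flow, [slug, default-invalidation-flow]]
      flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
  # Extra ingress hosts: one brand each, bound to the public flow.
  # Two kinds of entry are skipped on purpose:
  #   - blank hosts, which would render an empty brand domain;
  #   - a host equal to the lab hostname (case-insensitive), which would
  #     share the lab brand's identifier and rebind it to the public flow.
{% for host in noble_authentik_ingress_extra_hosts | default([]) %}
{% set extra_host = host | trim %}
{% if extra_host and (extra_host | lower) != (noble_authentik_host | trim | lower) %}
  - model: authentik_brands.brand
    identifiers:
      domain: {{ extra_host | to_json }}
    attrs:
      default: false
      title: {{ ((noble_authentik_blueprint_public_brand_title_prefix | default('Noble public')) ~ ' (' ~ extra_host ~ ')') | to_json }}
      flow_authentication: !Find [authentik_flows.flow, [slug, {{ noble_authentik_blueprint_public_auth_flow_slug | trim | to_json }}]]
      flow_invalidation: !Find [authentik_flows.flow, [slug, default-invalidation-flow]]
      flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
{% endif %}
{% endfor %}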