Post-Tyranny-Tech-Infrastru.../ansible/roles/authentik/files/custom-flows.yaml

version: 1
metadata:
  name: custom-flow-configuration
  labels:
    blueprints.goauthentik.io/description: "Configure invitation and 2FA enforcement"
    blueprints.goauthentik.io/instantiate: "true"

entries:
  # 1. CREATE INVITATION STAGE
  # This stage allows enrollment flows to work with or without invitation tokens
  - model: authentik_stages_invitation.invitationstage
    identifiers:
      name: default-enrollment-invitation
    id: invitation-stage
    attrs:
      continue_flow_without_invitation: true

  # 2. BIND INVITATION STAGE TO ENROLLMENT FLOW
  # Adds the invitation stage as the first stage in the enrollment flow
  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !Find [authentik_flows.flow, [slug, default-enrollment-flow]]
      stage: !KeyOf invitation-stage
      order: 0
    attrs:
      evaluate_on_plan: true
      re_evaluate_policies: false

  # 3. ENFORCE 2FA CONFIGURATION
  # Updates MFA validation stage to force users to configure TOTP
  - model: authentik_stages_authenticator_validate.authenticatorvalidatestage
    identifiers:
      name: default-authentication-mfa-validation
    attrs:
      not_configured_action: configure
      device_classes:
        - totp
        - webauthn
      configuration_stages:
        - !Find [authentik_stages_authenticator_totp.authenticatortotpstage, [name, default-authenticator-totp-setup]]
feat: Implement Authentik flow configuration via blueprints - Created custom-flows.yaml blueprint for: * Invitation stage configuration * Recovery flow setup in brand * 2FA enforcement (TOTP required) - Replaced Python API scripts with YAML blueprint approach - Blueprint is copied to /blueprints/ in authentik containers - Authentik auto-discovers and applies blueprints This is the official Authentik way to configure flows. The blueprint uses Authentik-specific YAML tags: !Find, !KeyOf 2026-01-14 14:15:58 +01:00			`version: 1`
			`metadata:`
			`name: custom-flow-configuration`
			`labels:`
Remove automated recovery flow configuration Automated recovery flow setup via blueprints was too complex and unreliable. Recovery flows (password reset via email) must now be configured manually in Authentik admin UI. Changes: - Removed recovery-flow.yaml blueprint - Removed configure_recovery_flow.py script - Removed update-recovery-flow.yml playbook - Updated flows.yml to remove recovery references - Updated custom-flows.yaml to remove brand recovery flow config - Updated comments to reflect manual recovery flow requirement Automated configuration still includes: - Enrollment flow with invitation support - 2FA/MFA enforcement - OIDC provider for Nextcloud - Email configuration via SMTP 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-17 09:57:07 +01:00			`blueprints.goauthentik.io/description: "Configure invitation and 2FA enforcement"`
feat: Implement Authentik flow configuration via blueprints - Created custom-flows.yaml blueprint for: * Invitation stage configuration * Recovery flow setup in brand * 2FA enforcement (TOTP required) - Replaced Python API scripts with YAML blueprint approach - Blueprint is copied to /blueprints/ in authentik containers - Authentik auto-discovers and applies blueprints This is the official Authentik way to configure flows. The blueprint uses Authentik-specific YAML tags: !Find, !KeyOf 2026-01-14 14:15:58 +01:00			`blueprints.goauthentik.io/instantiate: "true"`

			`entries:`
			`# 1. CREATE INVITATION STAGE`
			`# This stage allows enrollment flows to work with or without invitation tokens`
			`- model: authentik_stages_invitation.invitationstage`
			`identifiers:`
			`name: default-enrollment-invitation`
			`id: invitation-stage`
			`attrs:`
			`continue_flow_without_invitation: true`

			`# 2. BIND INVITATION STAGE TO ENROLLMENT FLOW`
			`# Adds the invitation stage as the first stage in the enrollment flow`
			`- model: authentik_flows.flowstagebinding`
			`identifiers:`
			`target: !Find [authentik_flows.flow, [slug, default-enrollment-flow]]`
			`stage: !KeyOf invitation-stage`
			`order: 0`
			`attrs:`
			`evaluate_on_plan: true`
			`re_evaluate_policies: false`

Remove automated recovery flow configuration Automated recovery flow setup via blueprints was too complex and unreliable. Recovery flows (password reset via email) must now be configured manually in Authentik admin UI. Changes: - Removed recovery-flow.yaml blueprint - Removed configure_recovery_flow.py script - Removed update-recovery-flow.yml playbook - Updated flows.yml to remove recovery references - Updated custom-flows.yaml to remove brand recovery flow config - Updated comments to reflect manual recovery flow requirement Automated configuration still includes: - Enrollment flow with invitation support - 2FA/MFA enforcement - OIDC provider for Nextcloud - Email configuration via SMTP 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-17 09:57:07 +01:00			`# 3. ENFORCE 2FA CONFIGURATION`
feat: Implement Authentik flow configuration via blueprints - Created custom-flows.yaml blueprint for: * Invitation stage configuration * Recovery flow setup in brand * 2FA enforcement (TOTP required) - Replaced Python API scripts with YAML blueprint approach - Blueprint is copied to /blueprints/ in authentik containers - Authentik auto-discovers and applies blueprints This is the official Authentik way to configure flows. The blueprint uses Authentik-specific YAML tags: !Find, !KeyOf 2026-01-14 14:15:58 +01:00			`# Updates MFA validation stage to force users to configure TOTP`
			`- model: authentik_stages_authenticator_validate.authenticatorvalidatestage`
			`identifiers:`
			`name: default-authentication-mfa-validation`
			`attrs:`
			`not_configured_action: configure`
			`device_classes:`
			`- totp`
			`- webauthn`
			`configuration_stages:`
			`- !Find [authentik_stages_authenticator_totp.authenticatortotpstage, [name, default-authenticator-totp-setup]]`