Post-Tyranny-Tech-Infrastru.../ansible/roles/authentik/files/custom-flows.yaml
Pieter 669d70f98e feat: Implement Authentik flow configuration via blueprints
- Created custom-flows.yaml blueprint for:
  * Invitation stage configuration
  * Recovery flow setup in brand
  * 2FA enforcement (TOTP required)

- Replaced Python API scripts with YAML blueprint approach
- Blueprint is copied to /blueprints/ in authentik containers
- Authentik auto-discovers and applies blueprints

This is the official Authentik way to configure flows.
The blueprint uses Authentik-specific YAML tags: !Find, !KeyOf
2026-01-14 14:15:58 +01:00


version: 1
metadata:
  name: custom-flow-configuration
  labels:
    blueprints.goauthentik.io/description: "Configure invitation, recovery, and 2FA enforcement"
    blueprints.goauthentik.io/instantiate: "true"
entries:
  # 1. CREATE INVITATION STAGE
  # This stage allows enrollment flows to work with or without invitation tokens
  - model: authentik_stages_invitation.invitationstage
    identifiers:
      name: default-enrollment-invitation
    id: invitation-stage
    attrs:
      continue_flow_without_invitation: true

  # 2. BIND INVITATION STAGE TO ENROLLMENT FLOW
  # Adds the invitation stage as the first stage in the enrollment flow
  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !Find [authentik_flows.flow, [slug, default-enrollment-flow]]
      stage: !KeyOf invitation-stage
      order: 0
    attrs:
      evaluate_on_plan: true
      re_evaluate_policies: false

  # 3. SET RECOVERY FLOW IN BRAND
  # Configures the default brand to use the recovery flow
  - model: authentik_core.brand
    identifiers:
      domain: authentik-default
    attrs:
      flow_recovery: !Find [authentik_flows.flow, [designation, recovery]]

  # 4. ENFORCE 2FA CONFIGURATION
  # Updates MFA validation stage to force users to configure TOTP
  - model: authentik_stages_authenticator_validate.authenticatorvalidatestage
    identifiers:
      name: default-authentication-mfa-validation
    attrs:
      not_configured_action: configure
      device_classes:
        - totp
        - webauthn
      configuration_stages:
        - !Find [authentik_stages_authenticator_totp.authenticatortotpstage, [name, default-authenticator-totp-setup]]
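Because authentik applies a dropped-in blueprint automatically, a broken `!KeyOf` reference or a weakened MFA setting only shows up after it has already hit the instance. The script below is an added example (not part of this repository) that lints the blueprint offline before it is copied into `/blueprints/`: it registers the two custom tags `!Find` and `!KeyOf` on a PyYAML `SafeLoader`, checks that every `!KeyOf` points at an `id` defined in the same file, confirms the MFA validation stage still forces authenticator setup with at least one configuration stage, and flags the invitation stage whenever `continue_flow_without_invitation` is true (enrollment is then not gated by a token). It assumes PyYAML is installed; the `Find`/`KeyOf` classes and `lint_blueprint` are names chosen here, and the embedded blueprint is a copy of the file above with its comments removed.

```python
"""Offline lint for an authentik blueprint (example added to this page, not
repository code). Resolves the !Find / !KeyOf tags with a custom PyYAML loader
and checks the security-relevant settings. Assumes PyYAML is installed."""
import yaml


class Find:                      # stands in for authentik's !Find lookup (hypothetical class)
    def __init__(self, model, key, value):
        self.model, self.key, self.value = model, key, value


class KeyOf:                     # stands in for authentik's !KeyOf reference (hypothetical class)
    def __init__(self, ref):
        self.ref = ref


class BlueprintLoader(yaml.SafeLoader):
    """SafeLoader that accepts the two custom tags used in custom-flows.yaml."""


def _construct_find(loader, node):
    # !Find [model, [key, value]] -> Find(model, key, value)
    model, (key, value) = loader.construct_sequence(node, deep=True)
    return Find(model, key, value)


BlueprintLoader.add_constructor("!Find", _construct_find)
BlueprintLoader.add_constructor("!KeyOf", lambda loader, node: KeyOf(loader.construct_scalar(node)))

MFA_MODEL = "authentik_stages_authenticator_validate.authenticatorvalidatestage"
INVITE_MODEL = "authentik_stages_invitation.invitationstage"


def _tags(obj):
    """Yield every Find/KeyOf object nested anywhere inside a loaded entry."""
    if isinstance(obj, (Find, KeyOf)):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _tags(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _tags(value)


def lint_blueprint(text):
    """Return a list of findings; an empty list means every check passed."""
    entries = yaml.load(text, Loader=BlueprintLoader).get("entries", [])
    known_ids = {e["id"] for e in entries if "id" in e}
    findings = []
    for entry in entries:
        attrs = entry.get("attrs", {})
        # a !KeyOf that names an id not declared in this file cannot be applied
        for tag in _tags(entry):
            if isinstance(tag, KeyOf) and tag.ref not in known_ids:
                findings.append(f"unresolved !KeyOf '{tag.ref}' in {entry['model']}")
        if entry["model"] == MFA_MODEL:
            if attrs.get("not_configured_action") != "configure":
                findings.append("MFA stage does not force authenticator setup (not_configured_action)")
            if not attrs.get("device_classes"):
                findings.append("MFA stage accepts no device classes")
            if attrs.get("not_configured_action") == "configure" and not attrs.get("configuration_stages"):
                findings.append("not_configured_action=configure but no configuration_stages given")
        if entry["model"] == INVITE_MODEL and attrs.get("continue_flow_without_invitation"):
            findings.append("INFO: invitation stage lets enrollment continue without a token")
    return findings


# Copy of the blueprint from this page (comments removed) so the lint runs offline.
BLUEPRINT = """\
version: 1
metadata:
  name: custom-flow-configuration
entries:
  - model: authentik_stages_invitation.invitationstage
    identifiers:
      name: default-enrollment-invitation
    id: invitation-stage
    attrs:
      continue_flow_without_invitation: true
  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !Find [authentik_flows.flow, [slug, default-enrollment-flow]]
      stage: !KeyOf invitation-stage
      order: 0
    attrs:
      evaluate_on_plan: true
      re_evaluate_policies: false
  - model: authentik_core.brand
    identifiers:
      domain: authentik-default
    attrs:
      flow_recovery: !Find [authentik_flows.flow, [designation, recovery]]
  - model: authentik_stages_authenticator_validate.authenticatorvalidatestage
    identifiers:
      name: default-authentication-mfa-validation
    attrs:
      not_configured_action: configure
      device_classes: [totp, webauthn]
      configuration_stages:
        - !Find [authentik_stages_authenticator_totp.authenticatortotpstage, [name, default-authenticator-totp-setup]]
"""

if __name__ == "__main__":
    for line in lint_blueprint(BLUEPRINT) or ["no findings"]:
        print(line)
```

Run against the file as committed, the only output is the informational line about the invitation stage; the `!Find` lookups are not resolved here because that needs a live authentik database, so the lint only checks that they parse. Wiring `lint_blueprint` into the Ansible role (for example as a pre-task before the copy into `/blueprints/`) catches a typo in a `!KeyOf` or an accidental `not_configured_action: skip` before authentik auto-applies it.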