version: 1
metadata:
  name: "Initial User Setup"
  labels:
    blueprint-type: core
entries:
  # Locate the binding for the root user setup flow and disable it
  - model: authentik_flows.flowstagebinding
    identifiers:
      target: "ak-root-user-fill"
    attrs:
      enabled: false

  # Optionally, disable the default enrollment flow entirely
  - model: authentik_flows.flow
    identifiers:
      slug: "default-enrollment-flow"
    attrs:
      designation: "enrollment"
      enabled: false
  # --- GROUPS ---
  - model: authentik_core.group
    identifiers:
      name: "admin"
    attrs:
      is_superuser: true

  - model: authentik_core.group
    identifiers:
      name: "cloud"
    attrs:
      is_superuser: false

  - model: authentik_core.group
    identifiers:
      name: "dev"
    attrs:
      is_superuser: false

  - model: authentik_core.group
    identifiers:
      name: "flix"
    attrs:
      is_superuser: false

  - model: authentik_core.group
    identifiers:
      name: "family"
    attrs:
      is_superuser: false

  # --- ADMIN USERS ---
  - model: authentik_core.user
    identifiers:
      username: !env [DEFAULT_ADMIN_USERNAME]
    attrs:
      name: !env [DEFAULT_ADMIN_USERNAME]
      email: "{{ env('DEFAULT_ADMIN_USERNAME') }}@{{ env('DOMAIN') }}"
      password: !env [DEFAULT_ADMIN_PASSWORD]
      path: "users"
      groups:
        - name: "admin"