version: 1
metadata:
  name: "Initial User Setup"
  labels:
    blueprint-type: core
entries:
  # Optionally, disable the default enrollment flow entirely
  - model: authentik_flows.flow
    identifiers:
      slug: "default-source-enrollment"
    attrs:
      designation: "enrollment"
      enabled: false
  # --- GROUPS ---
  - model: authentik_core.group
    state: present
    identifiers:
      name: "admin"
    attrs:
      is_superuser: true

  - model: authentik_core.group
    identifiers:
      name: "cloud"
    attrs:
      is_superuser: false

  - model: authentik_core.group
    identifiers:
      name: "dev"
    attrs:
      is_superuser: false

  - model: authentik_core.group
    identifiers:
      name: "flix"
    attrs:
      is_superuser: false

  - model: authentik_core.group
    identifiers:
      name: "family"
    attrs:
      is_superuser: false

  # --- ADMIN USERS ---
  - model: authentik_core.user
    identifiers:
      username: !Env DEFAULT_ADMIN_USERNAME
    attrs:
      name: !Env DEFAULT_ADMIN_USERNAME
      email: !Env DEFAULT_ADMIN_EMAIL
      password: !Env DEFAULT_ADMIN_PASSWORD
      path: "users"
      groups:
        - !Find [authentik_core.group, [name, "admin"]]

  # Disable the Initial Setup Flow
  - model: authentik_flows.flow
    identifiers:
      slug: "initial-setup"
    attrs:
      authentication: "require_superuser"
      enabled: false

  # Disable the default 'akadmin' if it exists
  - model: authentik_core.user
    identifiers:
      username: "akadmin"
    attrs:
      is_active: false