ultisuite-backend/deploy/authentik/blueprints/01-ulti-enrollment.yaml

# Ultimail — inscription self-service (email, mot de passe, profil, avatar optionnel)
version: 1
metadata:
  name: Ultimail enrollment
  labels:
    blueprints.goauthentik.io/instantiate: "true"
entries:
  - model: authentik_flows.flow
    id: ulti-enrollment-flow
    identifiers:
      slug: ulti-enrollment
    attrs:
      name: Ultimail — Créer un compte
      title: Créer votre compte Ultimail
      designation: enrollment
      authentication: require_unauthenticated

  - model: authentik_stages_prompt.prompt
    id: ulti-enroll-field-email
    identifiers:
      name: ulti-enrollment-field-email
    attrs:
      field_key: username
      label: Adresse e-mail
      type: text
      required: true
      placeholder: prenom.nom
      placeholder_expression: false
      order: 0

  - model: authentik_stages_prompt.prompt
    id: ulti-enroll-field-email-sync
    identifiers:
      name: ulti-enrollment-field-email-sync
    attrs:
      field_key: email
      label: E-mail
      type: hidden
      required: true
      initial_value: "{{ prompt_data.username }}@ultisuite.fr"
      initial_value_expression: true
      placeholder_expression: false
      order: 1

  - model: authentik_stages_prompt.prompt
    id: ulti-enroll-field-password
    identifiers:
      name: ulti-enrollment-field-password
    attrs:
      field_key: password
      label: Mot de passe
      type: password
      required: true
      placeholder: Mot de passe
      placeholder_expression: false
      order: 1

  - model: authentik_stages_prompt.prompt
    id: ulti-enroll-field-password-repeat
    identifiers:
      name: ulti-enrollment-field-password-repeat
    attrs:
      field_key: password_repeat
      label: Confirmer le mot de passe
      type: password
      required: true
      placeholder: Confirmer le mot de passe
      placeholder_expression: false
      order: 2

  - model: authentik_stages_prompt.prompt
    id: ulti-enroll-field-name
    identifiers:
      name: ulti-enrollment-field-name
    attrs:
      field_key: name
      label: Nom et prénom
      type: text
      required: true
      placeholder: Jean Dupont
      placeholder_expression: false
      order: 0

  - model: authentik_stages_prompt.prompt
    id: ulti-enroll-field-phone
    identifiers:
      name: ulti-enrollment-field-phone
    attrs:
      field_key: attributes.phone
      label: Numéro de téléphone (optionnel)
      type: text
      required: false
      placeholder: +33 6 12 34 56 78
      placeholder_expression: false
      order: 1

  - model: authentik_stages_prompt.prompt
    id: ulti-enroll-field-avatar
    identifiers:
      name: ulti-enrollment-field-avatar
    attrs:
      field_key: attributes.avatar
      label: Photo de profil (optionnel)
      type: file
      required: false
      placeholder: ""
      placeholder_expression: false
      order: 2

  - model: authentik_stages_prompt.promptstage
    id: ulti-enroll-prompt-credentials
    identifiers:
      name: ulti-enrollment-prompt-credentials
    attrs:
      fields:
        - !KeyOf ulti-enroll-field-email
        - !KeyOf ulti-enroll-field-email-sync
        - !KeyOf ulti-enroll-field-password
        - !KeyOf ulti-enroll-field-password-repeat

  - model: authentik_stages_prompt.promptstage
    id: ulti-enroll-prompt-profile
    identifiers:
      name: ulti-enrollment-prompt-profile
    attrs:
      fields:
        - !KeyOf ulti-enroll-field-name
        - !KeyOf ulti-enroll-field-phone
        - !KeyOf ulti-enroll-field-avatar

  - model: authentik_stages_user_write.userwritestage
    id: ulti-enroll-user-write
    identifiers:
      name: ulti-enrollment-user-write
    attrs:
      user_creation_mode: always_create
      create_users_as_inactive: false

  - model: authentik_stages_user_login.userloginstage
    id: ulti-enroll-user-login
    identifiers:
      name: ulti-enrollment-user-login

  - model: authentik_policies_expression.expressionpolicy
    id: ulti-enroll-policy-username-available
    identifiers:
      name: ulti-enrollment-username-available
    attrs:
      name: Ultimail — adresse disponible
      expression: |
        import json
        from urllib.request import urlopen
        local = (request.context.get("prompt_data") or {}).get("username", "").strip().lower()
        if not local or len(local) < 2:
            return False
        url = f"http://ultid:8080/api/v1/mail/addresses/check?local={local}&domain=ultisuite.fr"
        try:
            with urlopen(url, timeout=5) as resp:
                data = json.loads(resp.read().decode("utf-8"))
            return data.get("available") is True
        except Exception:
            return False        

  - model: authentik_policies.policybinding
    identifiers:
      order: 0
      target: !KeyOf ulti-enroll-prompt-credentials
      policy: !KeyOf ulti-enroll-policy-username-available
    attrs:
      enabled: true
      timeout: 10
      failure_result: false

  - model: authentik_stages_webhook.webhookstage
    id: ulti-enroll-provision-webhook
    identifiers:
      name: ulti-enrollment-provision-webhook
    attrs:
      url: http://ultid:8080/internal/provision/user?secret=changeme-provision-webhook
      method: POST
      headers:
        X-Provision-Secret: changeme-provision-webhook
        Content-Type: application/json
      body: |
        {
          "email": "{{ prompt_data.email }}",
          "username": "{{ prompt_data.username }}",
          "password": "{{ prompt_data.password }}",
          "name": "{{ prompt_data.name }}",
          "external_id": "{{ user.uuid }}"
        }        

  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf ulti-enrollment-flow
      stage: !KeyOf ulti-enroll-prompt-credentials
      order: 10

  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf ulti-enrollment-flow
      stage: !KeyOf ulti-enroll-prompt-profile
      order: 20

  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf ulti-enrollment-flow
      stage: !KeyOf ulti-enroll-user-write
      order: 30

  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf ulti-enrollment-flow
      stage: !KeyOf ulti-enroll-provision-webhook
      order: 40

  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf ulti-enrollment-flow
      stage: !KeyOf ulti-enroll-user-login
      order: 100