diff --git a/roles/alpina/templates/services/authentik/blueprints/default-enrollment-internal.yaml.j2 b/roles/alpina/templates/services/authentik/blueprints/default-enrollment-internal.yaml.j2
new file mode 100644
index 0000000..ddeb77c
--- /dev/null
+++ b/roles/alpina/templates/services/authentik/blueprints/default-enrollment-internal.yaml.j2
@@ -0,0 +1,152 @@
+version: 1
+metadata:
+ labels:
+ blueprints.goauthentik.io/instantiate: "true"
+ name: Alpina - Default Enrollment by Invitation (Internal)
+entries:
+ # Flow for internal enrollment by invitation
+ - identifiers:
+ slug: enrollment-internal-invitation-flow
+ model: authentik_flows.flow
+ id: flow
+ attrs:
+ name: Default enrollment Flow
+ title: Welcome to authentik!
+ designation: enrollment
+ authentication: require_unauthenticated
+
+ # Prompt fields
+ - identifiers:
+ name: default-enrollment-field-username
+ model: authentik_stages_prompt.prompt
+ id: prompt-field-username
+ attrs:
+ field_key: username
+ label: Username
+ type: username
+ required: true
+ placeholder: Username
+ placeholder_expression: false
+ order: 0
+ - identifiers:
+ name: default-enrollment-field-password
+ model: authentik_stages_prompt.prompt
+ id: prompt-field-password
+ attrs:
+ field_key: password
+ label: Password
+ type: password
+ required: true
+ placeholder: Password
+ placeholder_expression: false
+ order: 0
+ - identifiers:
+ name: default-enrollment-field-password-repeat
+ model: authentik_stages_prompt.prompt
+ id: prompt-field-password-repeat
+ attrs:
+ field_key: password_repeat
+ label: Password (repeat)
+ type: password
+ required: true
+ placeholder: Password (repeat)
+ placeholder_expression: false
+ order: 1
+ - identifiers:
+ name: default-enrollment-field-name
+ model: authentik_stages_prompt.prompt
+ id: prompt-field-name
+ attrs:
+ field_key: name
+ label: Name
+ type: text
+ required: true
+ placeholder: Name
+ placeholder_expression: false
+ order: 0
+ - identifiers:
+ name: default-enrollment-field-email
+ model: authentik_stages_prompt.prompt
+ id: prompt-field-email
+ attrs:
+ field_key: email
+ label: Email
+ type: email
+ required: true
+ placeholder: Email
+ placeholder_expression: false
+ order: 1
+
+ # Flow stages
+ - identifiers:
+ name: default-enrollment-invitation
+ model: authentik_stages_invitation.invitationstage
+ id: default-enrollment-invitation
+ - identifiers:
+ name: default-enrollment-prompt-first
+ model: authentik_stages_prompt.promptstage
+ id: default-enrollment-prompt-first
+ attrs:
+ fields:
+ - !KeyOf prompt-field-username
+ - !KeyOf prompt-field-password
+ - !KeyOf prompt-field-password-repeat
+ - identifiers:
+ name: default-enrollment-prompt-second
+ model: authentik_stages_prompt.promptstage
+ id: default-enrollment-prompt-second
+ attrs:
+ fields:
+ - !KeyOf prompt-field-name
+ - !KeyOf prompt-field-email
+ - identifiers:
+ name: default-enrollment-user-write
+ model: authentik_stages_user_write.userwritestage
+ id: default-enrollment-user-write
+ attrs:
+ user_creation_mode: always_create
+ user_type: internal
+ - identifiers:
+ name: default-enrollment-email-verify
+ model: authentik_stages_email.emailstage
+ id: default-enrollment-email-verify
+ attrs:
+ use_global_settings: true
+ template: email/account_confirmation.html
+ activate_user_on_success: true
+ - identifiers:
+ name: default-enrollment-user-login
+ model: authentik_stages_user_login.userloginstage
+ id: default-enrollment-user-login
+
+ # Flow stage bindings
+ - identifiers:
+ target: !KeyOf flow
+ stage: !KeyOf default-enrollment-invitation
+ order: 0
+ model: authentik_flows.flowstagebinding
+ - identifiers:
+ target: !KeyOf flow
+ stage: !KeyOf default-enrollment-prompt-first
+ order: 10
+ model: authentik_flows.flowstagebinding
+ - identifiers:
+ target: !KeyOf flow
+ stage: !KeyOf default-enrollment-prompt-second
+ order: 11
+ model: authentik_flows.flowstagebinding
+ - identifiers:
+ target: !KeyOf flow
+ stage: !KeyOf default-enrollment-user-write
+ order: 20
+ model: authentik_flows.flowstagebinding
+ - identifiers:
+ target: !KeyOf flow
+ stage: !KeyOf default-enrollment-email-verify
+ order: 30
+ model: authentik_flows.flowstagebinding
+ - identifiers:
+ target: !KeyOf flow
+ stage: !KeyOf default-enrollment-user-login
+ order: 100
+ model: authentik_flows.flowstagebinding
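Review bot: The `default-enrollment-user-write` stage sets `user_creation_mode: always_create` and `user_type: internal` but not `create_users_as_inactive: true`, so the `activate_user_on_success: true` on `default-enrollment-email-verify` has nothing left to activate: the internal account appears to be active as soon as the write stage (order 20) runs, whether or not the address is ever confirmed at order 30. Adding `create_users_as_inactive: true` under the write stage's `attrs` would make email confirmation the step that actually enables the account. The invitation stage is declared with no `attrs`, so the only gate in front of internal-user creation rests on the stage's default; stating `continue_flow_without_invitation: false` explicitly would document that intent in the blueprint. The stage and prompt names (`default-enrollment-user-write`, `default-enrollment-field-username`, and the rest) look like the ones used by authentik's bundled example enrollment blueprints, so if those are also installed this blueprint would presumably update the same objects; names specific to the internal flow would avoid changing another flow's stages by side effect.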