Revise Authentik configuration to reflect the transition from public to Nikflix branding, updating directory group settings and invitation flows accordingly. Adjust README to clarify group merging and user invitation processes, ensuring consistency with the new branding. Enhance blueprint templates to support the updated structure for directory groups.

ansible/roles/noble_authentik/defaults/main.yml

@@ -29,24 +29,18 @@ noble_authentik_ingress_extra_hosts: []
 # Mounted **blueprints** (ConfigMap → worker `/blueprints/mounted/cm-*`). See README § split routing / two-Brand.
 noble_authentik_blueprints_enabled: false
 noble_authentik_blueprints_configmap_name: authentik-noble-blueprints
-# Directory groups for the public Brand(s), merged with **`noble_authentik_blueprint_extra_directory_groups`**
-# and **`noble_authentik_blueprint_nikflix_groups`** into **`templates/blueprints/10-noble-public-groups.yaml.j2`**. Each item may be:
+# Directory groups blueprint (**`10-noble-public-groups.yaml.j2`**): merges **`noble_authentik_blueprint_public_groups`**
+# (optional — often empty), **`noble_authentik_blueprint_extra_directory_groups`**, and **`noble_authentik_blueprint_nikflix_groups`**
+# (defaults: **`nikflix-users`** / **`nikflix-admins`**). Lab onboarding uses **`noble_authentik_blueprint_lab_invitee_group_name`**
+# from blueprint **22**, not this list. Each item may be:
 #   - a **string** (group name only), or
 #   - a **dict** with **`name`** (required) and optional **`is_superuser`** (bool), **`attributes`** (dict → JSON in blueprint),
 #     **`parents`** (list of **existing** group names — list parents *before* children in these lists, or use built-in groups).
-noble_authentik_blueprint_public_groups:
-  - name: noble-public-users
-    attributes:
-      "noble.ak/audience": public
-  - name: noble-public-admins
-    parents:
-      - noble-public-users
-    attributes:
-      "noble.ak/audience": public
-# Additional directory groups (same entry shape as **`noble_authentik_blueprint_public_groups`**); merged into one blueprint.
+noble_authentik_blueprint_public_groups: []
+# Additional directory groups (same entry shape as **`noble_authentik_blueprint_public_groups`**); merged into blueprint **10** after **`public_groups`**.
 noble_authentik_blueprint_extra_directory_groups: []
-# Nikflix (e.g. **auth.nikflix.ca**) directory groups — merged **after** public + extra so **`parents`** can reference those.
-# Prefer **audience** groups (`nikflix-users` / `nikflix-admins`); add per-service groups only when an app needs a distinct binding.
+# Nikflix (e.g. **auth.nikflix.ca**) directory groups — merged **after** optional **`public_groups`** + **`extra_directory_groups`**
+# so **`parents`** can reference those. Prefer **`nikflix-users`** / **`nikflix-admins`** for the internet-facing Brand.
 noble_authentik_blueprint_nikflix_groups:
   - name: nikflix-users
     attributes:
@@ -67,7 +61,7 @@ noble_authentik_blueprint_lab_operator_groups:
   - noble-admins
   - authentik Admins
 noble_authentik_blueprint_lab_brand_title: Noble lab (operators)
-noble_authentik_blueprint_public_brand_title_prefix: Noble public
+noble_authentik_blueprint_public_brand_title_prefix: Nikflix
 # Public hostname Brand(s) → dedicated authentication flow (**21-noble-public-…** blueprint).
 noble_authentik_blueprint_public_auth_flow_slug: noble-public-authentication-flow
 # Lab flow: password stage (**failed_attempts_before_cancel**) and strength checks (expression policy; skips when **password** not yet in request context).
@@ -84,18 +78,18 @@ noble_authentik_blueprint_lab_password_policy_error_message: >-
 # Lab MFA when user has no compatible device: **skip** (like stock), **deny** (block), **configure** (TOTP setup via default stage).
 noble_authentik_blueprint_lab_mfa_not_configured_action: configure
 # Invitation-based **enrollment** flows (blueprint **22**). Brands do not select enrollment; each **Invitation** picks a flow.
-# Link shape: **`https://<host>/if/flow/<slug>/?itoken=<uuid>`** — use the **public** hostname for **`noble_authentik_blueprint_public_invitation_enrollment_flow_slug`** invites.
-noble_authentik_blueprint_public_invitation_enrollment_flow_slug: noble-public-invitation-enrollment
+# Link shape: **`https://<host>/if/flow/<slug>/?itoken=<uuid>`** — use your **Nikflix / extra_hosts** FQDN for this flow’s invites.
+noble_authentik_blueprint_public_invitation_enrollment_flow_slug: nikflix-invitation-enrollment
 noble_authentik_blueprint_lab_invitation_enrollment_flow_slug: noble-lab-invitation-enrollment
-noble_authentik_blueprint_public_invitation_flow_name: Noble public invitation enrollment
+noble_authentik_blueprint_public_invitation_flow_name: Nikflix invitation enrollment
 noble_authentik_blueprint_public_invitation_flow_title: Complete your signup
 noble_authentik_blueprint_lab_invitation_flow_name: Noble lab invitation enrollment
 noble_authentik_blueprint_lab_invitation_flow_title: Lab access — complete enrollment
-# **User write** for public invites: must match an existing **Group** name from **`10-noble-public-groups`** (default **`noble-public-users`**; use **`nikflix-users`** if you only maintain Nikflix groups).
-noble_authentik_blueprint_public_invitation_user_group: noble-public-users
+# **User write** for Nikflix (internet) invites: must match a **Group** created in blueprint **10** (default **`nikflix-users`**).
+noble_authentik_blueprint_public_invitation_user_group: nikflix-users
 # **`internal`** — normal directory users (default). Use **`external`** only when you intentionally isolate invitees from admin / “internal-only” surfaces (see [Invitations troubleshooting](https://docs.goauthentik.io/users-sources/user/invitations/)).
 noble_authentik_blueprint_public_invitation_user_type: internal
-noble_authentik_blueprint_public_invitation_user_path: users/noble/public
+noble_authentik_blueprint_public_invitation_user_path: users/noble/nikflix
 # Lab invites: blueprint creates **`noble_authentik_blueprint_lab_invitee_group_name`**; add members to **`noble_authentik_blueprint_lab_operator_groups`** manually when they should use the lab URL.
 noble_authentik_blueprint_lab_invitee_group_name: noble-lab-invited
 noble_authentik_blueprint_lab_invitation_user_type: internal