Enhance Authentik configuration by introducing dedicated authentication flows for public and lab brands, including stricter password policies and MFA requirements. Update README to clarify flow distinctions and invitation enrollment processes. Improve validation in Ansible tasks to ensure all necessary blueprint variables are set, enhancing deployment robustness.

2026-05-14 22:59:40 -04:00
parent 7b337f7128
commit 7fed8820ce
7 changed files with 435 additions and 21 deletions
--- a/ansible/roles/noble_authentik/tasks/main.yml
+++ b/ansible/roles/noble_authentik/tasks/main.yml
@@ -90,11 +90,23 @@
              + (noble_authentik_blueprint_nikflix_groups | default([])) | length) > 0
          - noble_authentik_blueprint_lab_operator_groups | default([]) | length > 0
          - noble_authentik_blueprint_lab_flow_slug | default('') | trim | length > 0
+          - noble_authentik_blueprint_public_auth_flow_slug | default('') | trim | length > 0
+          - (noble_authentik_blueprint_lab_mfa_not_configured_action | default('configure') | trim | lower)
+            in ['skip', 'deny', 'configure']
+          - noble_authentik_blueprint_public_invitation_enrollment_flow_slug | default('') | trim | length > 0
+          - noble_authentik_blueprint_lab_invitation_enrollment_flow_slug | default('') | trim | length > 0
+          - noble_authentik_blueprint_public_invitation_user_group | default('') | trim | length > 0
+          - noble_authentik_blueprint_lab_invitee_group_name | default('') | trim | length > 0
+          - (noble_authentik_blueprint_public_invitation_user_type | default('external') | trim | lower) in ['external', 'internal']
+          - (noble_authentik_blueprint_lab_invitation_user_type | default('internal') | trim | lower) in ['external', 'internal']
        fail_msg: >-
          When noble_authentik_blueprints_enabled is true, set at least one entry across
          noble_authentik_blueprint_public_groups, noble_authentik_blueprint_extra_directory_groups,
          and/or noble_authentik_blueprint_nikflix_groups,
-          plus noble_authentik_blueprint_lab_operator_groups (non-empty) and noble_authentik_blueprint_lab_flow_slug.
+          plus noble_authentik_blueprint_lab_operator_groups (non-empty), noble_authentik_blueprint_lab_flow_slug,
+          noble_authentik_blueprint_public_auth_flow_slug, noble_authentik_blueprint_lab_mfa_not_configured_action
+          (skip, deny, or configure), invitation enrollment flow slugs, noble_authentik_blueprint_public_invitation_user_group,
+          noble_authentik_blueprint_lab_invitee_group_name, and invitation user_type values (external or internal).
          See ansible/roles/noble_authentik/defaults/main.yml and README.
      when: noble_authentik_blueprints_enabled | default(false) | bool

@@ -118,6 +130,8 @@
      loop:
        - 10-noble-public-groups.yaml
        - 20-noble-lab-operator-authentication-flow.yaml
+        - 21-noble-public-authentication-flow.yaml
+        - 22-noble-invitation-enrollment-flows.yaml
        - 30-noble-brands-domain-split.yaml
      when: noble_authentik_blueprints_enabled | default(false) | bool