Enhance Authentik configuration by introducing dedicated authentication flows for public and lab brands, including stricter password policies and MFA requirements. Update README to clarify flow distinctions and invitation enrollment processes. Improve validation in Ansible tasks to ensure all necessary blueprint variables are set, enhancing deployment robustness.

ansible/roles/noble_authentik/templates/blueprints/22-noble-invitation-enrollment-flows.yaml.j2

@@ -0,0 +1,227 @@
+# Noble — two **enrollment** flows (public vs lab) with separate **Invitation** stages (invitation token required).
+# Create rows under **Directory → Invitations** in the admin UI and pick the matching flow; share links with the
+# correct **Host** so the right Brand applies. Does **not** ship example **Invitation** objects (no prefilled emails).
+version: 1
+metadata:
+  name: noble-invitation-enrollment-flows
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+entries:
+  - model: authentik_core.group
+    id: noble-lab-invited-group
+    identifiers:
+      name: {{ noble_authentik_blueprint_lab_invitee_group_name | trim | to_json }}
+    attrs:
+      is_superuser: false
+      attributes:
+        "noble.ak/audience": lab
+        "noble.ak/role": lab-invited
+
+  - model: authentik_flows.flow
+    id: noble-inv-flow-public
+    identifiers:
+      slug: {{ noble_authentik_blueprint_public_invitation_enrollment_flow_slug | trim | to_json }}
+    attrs:
+      name: {{ noble_authentik_blueprint_public_invitation_flow_name | trim | to_json }}
+      title: {{ noble_authentik_blueprint_public_invitation_flow_title | trim | to_json }}
+      designation: enrollment
+      authentication: require_unauthenticated
+
+  - model: authentik_flows.flow
+    id: noble-inv-flow-lab
+    identifiers:
+      slug: {{ noble_authentik_blueprint_lab_invitation_enrollment_flow_slug | trim | to_json }}
+    attrs:
+      name: {{ noble_authentik_blueprint_lab_invitation_flow_name | trim | to_json }}
+      title: {{ noble_authentik_blueprint_lab_invitation_flow_title | trim | to_json }}
+      designation: enrollment
+      authentication: require_unauthenticated
+
+  - model: authentik_stages_invitation.invitationstage
+    id: noble-inv-stage-public
+    identifiers:
+      name: noble-invitation-enrollment-invitation-public
+    attrs:
+      continue_flow_without_invitation: false
+
+  - model: authentik_stages_invitation.invitationstage
+    id: noble-inv-stage-lab
+    identifiers:
+      name: noble-invitation-enrollment-invitation-lab
+    attrs:
+      continue_flow_without_invitation: false
+
+  - id: noble-inv-prompt-field-username
+    model: authentik_stages_prompt.prompt
+    identifiers:
+      name: noble-inv-enroll-field-username
+    attrs:
+      field_key: username
+      label: Username
+      type: username
+      required: true
+      placeholder: Username
+      placeholder_expression: false
+      order: 0
+
+  - id: noble-inv-prompt-field-password
+    model: authentik_stages_prompt.prompt
+    identifiers:
+      name: noble-inv-enroll-field-password
+    attrs:
+      field_key: password
+      label: Password
+      type: password
+      required: true
+      placeholder: Password
+      placeholder_expression: false
+      order: 1
+
+  - id: noble-inv-prompt-field-password-repeat
+    model: authentik_stages_prompt.prompt
+    identifiers:
+      name: noble-inv-enroll-field-password-repeat
+    attrs:
+      field_key: password_repeat
+      label: Password (repeat)
+      type: password
+      required: true
+      placeholder: Password (repeat)
+      placeholder_expression: false
+      order: 2
+
+  - id: noble-inv-prompt-field-name
+    model: authentik_stages_prompt.prompt
+    identifiers:
+      name: noble-inv-enroll-field-name
+    attrs:
+      field_key: name
+      label: Name
+      type: text
+      required: true
+      placeholder: Name
+      placeholder_expression: false
+      order: 0
+
+  - id: noble-inv-prompt-field-email
+    model: authentik_stages_prompt.prompt
+    identifiers:
+      name: noble-inv-enroll-field-email
+    attrs:
+      field_key: email
+      label: Email
+      type: email
+      required: true
+      placeholder: Email
+      placeholder_expression: false
+      order: 1
+
+  - id: noble-inv-prompt-stage-credentials
+    model: authentik_stages_prompt.promptstage
+    identifiers:
+      name: noble-inv-enroll-prompt-credentials
+    attrs:
+      fields:
+        - !KeyOf noble-inv-prompt-field-username
+        - !KeyOf noble-inv-prompt-field-password
+        - !KeyOf noble-inv-prompt-field-password-repeat
+
+  - id: noble-inv-prompt-stage-details
+    model: authentik_stages_prompt.promptstage
+    identifiers:
+      name: noble-inv-enroll-prompt-details
+    attrs:
+      fields:
+        - !KeyOf noble-inv-prompt-field-name
+        - !KeyOf noble-inv-prompt-field-email
+
+  - id: noble-inv-user-write-public
+    model: authentik_stages_user_write.userwritestage
+    identifiers:
+      name: noble-inv-enroll-user-write-public
+    attrs:
+      user_creation_mode: always_create
+      user_type: {{ noble_authentik_blueprint_public_invitation_user_type | trim | lower | to_json }}
+      user_path_template: {{ noble_authentik_blueprint_public_invitation_user_path | trim | to_json }}
+      create_users_group: !Find [authentik_core.group, [name, {{ noble_authentik_blueprint_public_invitation_user_group | trim | to_json }}]]
+
+  - id: noble-inv-user-write-lab
+    model: authentik_stages_user_write.userwritestage
+    identifiers:
+      name: noble-inv-enroll-user-write-lab
+    attrs:
+      user_creation_mode: always_create
+      user_type: {{ noble_authentik_blueprint_lab_invitation_user_type | trim | lower | to_json }}
+      user_path_template: {{ noble_authentik_blueprint_lab_invitation_user_path | trim | to_json }}
+      create_users_group: !KeyOf noble-lab-invited-group
+
+  - id: noble-inv-user-login
+    model: authentik_stages_user_login.userloginstage
+    identifiers:
+      name: noble-inv-enroll-user-login
+
+  - model: authentik_flows.flowstagebinding
+    identifiers:
+      target: !KeyOf noble-inv-flow-public
+      stage: !KeyOf noble-inv-stage-public
+      order: 5
+    attrs:
+      evaluate_on_plan: true
+      re_evaluate_policies: true
+
+  - model: authentik_flows.flowstagebinding
+    identifiers:
+      target: !KeyOf noble-inv-flow-public
+      stage: !KeyOf noble-inv-prompt-stage-credentials
+      order: 10
+
+  - model: authentik_flows.flowstagebinding
+    identifiers:
+      target: !KeyOf noble-inv-flow-public
+      stage: !KeyOf noble-inv-prompt-stage-details
+      order: 15
+
+  - model: authentik_flows.flowstagebinding
+    identifiers:
+      target: !KeyOf noble-inv-flow-public
+      stage: !KeyOf noble-inv-user-write-public
+      order: 20
+
+  - model: authentik_flows.flowstagebinding
+    identifiers:
+      target: !KeyOf noble-inv-flow-public
+      stage: !KeyOf noble-inv-user-login
+      order: 100
+
+  - model: authentik_flows.flowstagebinding
+    identifiers:
+      target: !KeyOf noble-inv-flow-lab
+      stage: !KeyOf noble-inv-stage-lab
+      order: 5
+    attrs:
+      evaluate_on_plan: true
+      re_evaluate_policies: true
+
+  - model: authentik_flows.flowstagebinding
+    identifiers:
+      target: !KeyOf noble-inv-flow-lab
+      stage: !KeyOf noble-inv-prompt-stage-credentials
+      order: 10
+
+  - model: authentik_flows.flowstagebinding
+    identifiers:
+      target: !KeyOf noble-inv-flow-lab
+      stage: !KeyOf noble-inv-prompt-stage-details
+      order: 15
+
+  - model: authentik_flows.flowstagebinding
+    identifiers:
+      target: !KeyOf noble-inv-flow-lab
+      stage: !KeyOf noble-inv-user-write-lab
+      order: 20
+
+  - model: authentik_flows.flowstagebinding
+    identifiers:
+      target: !KeyOf noble-inv-flow-lab
+      stage: !KeyOf noble-inv-user-login
+      order: 100