diff --git a/ansible/roles/noble_authentik/README.md b/ansible/roles/noble_authentik/README.md index 9aee536..b98f13b 100644 --- a/ansible/roles/noble_authentik/README.md +++ b/ansible/roles/noble_authentik/README.md 
@@ -66,11 +66,13 @@ Tune titles via **`noble_authentik_blueprint_lab_brand_title`** and **`noble_aut Use **``** that matches the experience you want: -- **Public / Nikflix** — an FQDN from **`noble_authentik_ingress_extra_hosts`**: use flow slug **`noble_authentik_blueprint_public_invitation_enrollment_flow_slug`** (default **`noble-public-invitation-enrollment`**). New users are added to **`noble_authentik_blueprint_public_invitation_user_group`** (default **`noble-public-users`**; override to **`nikflix-users`** if that is your only audience group). Tune **`noble_authentik_blueprint_public_invitation_user_type`** (**`external`** / **`internal`**) and **`noble_authentik_blueprint_public_invitation_user_path`** as needed. +- **Public / Nikflix** — an FQDN from **`noble_authentik_ingress_extra_hosts`**: use flow slug **`noble_authentik_blueprint_public_invitation_enrollment_flow_slug`** (default **`noble-public-invitation-enrollment`**). New users are added to **`noble_authentik_blueprint_public_invitation_user_group`** (default **`noble-public-users`**; override to **`nikflix-users`** if that is your only audience group). **`noble_authentik_blueprint_public_invitation_user_type`** defaults to **`internal`** so invitees behave like normal users; set **`external`** only if you need that isolation (see [Invitations — “Permission denied” for external users](https://docs.goauthentik.io/users-sources/user/invitations/)). Tune **`noble_authentik_blueprint_public_invitation_user_path`** as needed. - **Lab** — **`noble_authentik_host`** only when you intend to onboard someone who will later get **`noble_authentik_blueprint_lab_operator_groups`** access: use **`noble_authentik_blueprint_lab_invitation_enrollment_flow_slug`** (default **`noble-lab-invitation-enrollment`**). 
The blueprint creates **`noble_authentik_blueprint_lab_invitee_group_name`** (default **`noble-lab-invited`**) and assigns new enrollments there; **promote** people to **`noble-admins`** / **`authentik Admins`** (or your configured operator groups) in the admin UI when they should sign in on the lab URL. Blueprint **22** does **not** create sample **Invitation** rows (no placeholder emails). Create invitations in the UI after blueprints apply. For richer patterns (prefilled attributes, extra policies), see [Invitations](https://docs.goauthentik.io/users-sources/user/invitations/) and the upstream example blueprint **`flows-invitation-enrollment.yaml`** ([download](https://goauthentik.io/blueprints/example/flows-invitation-enrollment.yaml)). Password strength for enrollment prompts is **not** duplicated from the lab **authentication** flow here; add **Prompt** validation policies or a dedicated policy if you need parity. +**Users already created as `external`:** change **User type** to **Internal** under **Directory → Users** (or edit the **User write** stage in **Flows** and re-run the playbook so future invitees use **`noble_authentik_blueprint_public_invitation_user_type: internal`** in **`group_vars`**). + #### Blueprint: directory groups Three inventory lists are concatenated **in this order** into **`10-noble-public-groups.yaml.j2`**: diff --git a/ansible/roles/noble_authentik/defaults/main.yml b/ansible/roles/noble_authentik/defaults/main.yml index 313d07f..2ced066 100644 --- a/ansible/roles/noble_authentik/defaults/main.yml +++ b/ansible/roles/noble_authentik/defaults/main.yml 
@@ -93,7 +93,8 @@ noble_authentik_blueprint_lab_invitation_flow_name: Noble lab invitation enrollm noble_authentik_blueprint_lab_invitation_flow_title: Lab access — complete enrollment # **User write** for public invites: must match an existing **Group** name from **`10-noble-public-groups`** (default **`noble-public-users`**; use **`nikflix-users`** if you only maintain Nikflix groups). noble_authentik_blueprint_public_invitation_user_group: noble-public-users -noble_authentik_blueprint_public_invitation_user_type: external +# **`internal`** — normal directory users (default). Use **`external`** only when you intentionally isolate invitees from admin / “internal-only” surfaces (see [Invitations troubleshooting](https://docs.goauthentik.io/users-sources/user/invitations/)). +noble_authentik_blueprint_public_invitation_user_type: internal noble_authentik_blueprint_public_invitation_user_path: users/noble/public # Lab invites: blueprint creates **`noble_authentik_blueprint_lab_invitee_group_name`**; add members to **`noble_authentik_blueprint_lab_operator_groups`** manually when they should use the lab URL. noble_authentik_blueprint_lab_invitee_group_name: noble-lab-invited diff --git a/ansible/roles/noble_authentik/tasks/main.yml b/ansible/roles/noble_authentik/tasks/main.yml index c1e0758..1e60e77 100644 --- a/ansible/roles/noble_authentik/tasks/main.yml +++ b/ansible/roles/noble_authentik/tasks/main.yml 
@@ -97,7 +97,7 @@ - noble_authentik_blueprint_lab_invitation_enrollment_flow_slug | default('') | trim | length > 0 - noble_authentik_blueprint_public_invitation_user_group | default('') | trim | length > 0 - noble_authentik_blueprint_lab_invitee_group_name | default('') | trim | length > 0 - - (noble_authentik_blueprint_public_invitation_user_type | default('external') | trim | lower) in ['external', 'internal'] + - (noble_authentik_blueprint_public_invitation_user_type | default('internal') | trim | lower) in ['external', 'internal'] - (noble_authentik_blueprint_lab_invitation_user_type | default('internal') | trim | lower) in ['external', 'internal'] fail_msg: >- When noble_authentik_blueprints_enabled is true, set at least one entry across
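Review bot: in the README hunk, the new "Users already created as `external`" paragraph mixes two remediation paths in a way that will mislead an operator: editing the **User write** stage by hand in **Flows** and then re-running the playbook is contradictory, because the playbook re-applies the blueprint and will overwrite the manual stage edit with whatever `noble_authentik_blueprint_public_invitation_user_type` renders to. Suggest splitting it into (a) fix already-created users under **Directory → Users**, and (b) set `noble_authentik_blueprint_public_invitation_user_type: internal` in `group_vars` and re-run so future invitees are created correctly, with no manual stage edit. The same hunk also keeps the pre-existing `Use **``** that matches the experience you want:` line with an empty code span where the variable name should be; worth filling in while this paragraph is being touched. Since the default now grants invitees the internal user type, the bullet should also say in one sentence what internal users can reach that external ones cannot, so the reader can judge whether the default fits their deployment.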
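Review bot: in the `defaults/main.yml` hunk, flipping `noble_authentik_blueprint_public_invitation_user_type` from `external` to `internal` is a security-relevant default change for every existing consumer of the role, and nothing in the diff records it as such. Any deployment that inherited the old default and relied on invitees being isolated as external users will, on the next run, start creating new invitees as internal users with no warning. Suggest a migration note (changelog entry or a README callout) stating the old and new default and telling existing users to pin `external` explicitly if they need to keep the previous behaviour. Minor: the comment's link text says "Invitations troubleshooting" but points at the general invitations page; either name it accurately or link the specific section.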
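Review bot: in the `tasks/main.yml` hunk, aligning `default('internal')` with the new default in `defaults/main.yml` is correct, but the assertion normalises with `| trim | lower` before the membership check while the blueprint template presumably renders the raw variable. A value such as `Internal` or `external ` passes validation yet reaches authentik unnormalised, so the guard can succeed on a value the blueprint then rejects or silently misapplies. Suggest either dropping `| trim | lower` so the check matches exactly what is rendered, or normalising once into a fact (`set_fact`) and using that fact in both the assertion and the template. The same applies to the unchanged `noble_authentik_blueprint_lab_invitation_user_type` line directly below it.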