From f37768b7894d7a9c458fc73306a40bee14fa7360 Mon Sep 17 00:00:00 2001
From: Nikholas Pcenicni <82239765+nikpcenicni@users.noreply.github.com>
Date: Thu, 14 May 2026 23:15:34 -0400
Subject: [PATCH] Update Authentik configuration to default public invitation user type to internal, enhancing clarity on user isolation. Revise README to reflect changes in user type settings and provide guidance for managing existing external users. Improve validation in Ansible tasks to ensure correct user type configuration.

---
 ansible/roles/noble_authentik/README.md | 4 +++-
 ansible/roles/noble_authentik/defaults/main.yml | 3 ++-
 ansible/roles/noble_authentik/tasks/main.yml | 2 +-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/ansible/roles/noble_authentik/README.md b/ansible/roles/noble_authentik/README.md
index 9aee536..b98f13b 100644
--- a/ansible/roles/noble_authentik/README.md
+++ b/ansible/roles/noble_authentik/README.md
@@ -66,11 +66,13 @@ Tune titles via **`noble_authentik_blueprint_lab_brand_title`** and **`noble_aut
 Use **``** that matches the experience you want:
-- **Public / Nikflix** — an FQDN from **`noble_authentik_ingress_extra_hosts`**: use flow slug **`noble_authentik_blueprint_public_invitation_enrollment_flow_slug`** (default **`noble-public-invitation-enrollment`**). New users are added to **`noble_authentik_blueprint_public_invitation_user_group`** (default **`noble-public-users`**; override to **`nikflix-users`** if that is your only audience group). Tune **`noble_authentik_blueprint_public_invitation_user_type`** (**`external`** / **`internal`**) and **`noble_authentik_blueprint_public_invitation_user_path`** as needed.
+- **Public / Nikflix** — an FQDN from **`noble_authentik_ingress_extra_hosts`**: use flow slug **`noble_authentik_blueprint_public_invitation_enrollment_flow_slug`** (default **`noble-public-invitation-enrollment`**). New users are added to **`noble_authentik_blueprint_public_invitation_user_group`** (default **`noble-public-users`**; override to **`nikflix-users`** if that is your only audience group). **`noble_authentik_blueprint_public_invitation_user_type`** defaults to **`internal`** so invitees behave like normal users; set **`external`** only if you need that isolation (see [Invitations — “Permission denied” for external users](https://docs.goauthentik.io/users-sources/user/invitations/)). Tune **`noble_authentik_blueprint_public_invitation_user_path`** as needed.
 - **Lab** — **`noble_authentik_host`** only when you intend to onboard someone who will later get **`noble_authentik_blueprint_lab_operator_groups`** access: use **`noble_authentik_blueprint_lab_invitation_enrollment_flow_slug`** (default **`noble-lab-invitation-enrollment`**).
The blueprint creates **`noble_authentik_blueprint_lab_invitee_group_name`** (default **`noble-lab-invited`**) and assigns new enrollments there; **promote** people to **`noble-admins`** / **`authentik Admins`** (or your configured operator groups) in the admin UI when they should sign in on the lab URL. Blueprint **22** does **not** create sample **Invitation** rows (no placeholder emails). Create invitations in the UI after blueprints apply. For richer patterns (prefilled attributes, extra policies), see [Invitations](https://docs.goauthentik.io/users-sources/user/invitations/) and the upstream example blueprint **`flows-invitation-enrollment.yaml`** ([download](https://goauthentik.io/blueprints/example/flows-invitation-enrollment.yaml)). Password strength for enrollment prompts is **not** duplicated from the lab **authentication** flow here; add **Prompt** validation policies or a dedicated policy if you need parity.
+**Users already created as `external`:** change **User type** to **Internal** under **Directory → Users** (or edit the **User write** stage in **Flows** and re-run the playbook so future invitees use **`noble_authentik_blueprint_public_invitation_user_type: internal`** in **`group_vars`**).
+
 #### Blueprint: directory groups
 Three inventory lists are concatenated **in this order** into **`10-noble-public-groups.yaml.j2`**:
diff --git a/ansible/roles/noble_authentik/defaults/main.yml b/ansible/roles/noble_authentik/defaults/main.yml
index 313d07f..2ced066 100644
--- a/ansible/roles/noble_authentik/defaults/main.yml
+++ b/ansible/roles/noble_authentik/defaults/main.yml
@@ -93,7 +93,8 @@ noble_authentik_blueprint_lab_invitation_flow_name: Noble lab invitation enrollm
 noble_authentik_blueprint_lab_invitation_flow_title: Lab access — complete enrollment
 # **User write** for public invites: must match an existing **Group** name from **`10-noble-public-groups`** (default **`noble-public-users`**; use **`nikflix-users`** if you only maintain Nikflix groups).
 noble_authentik_blueprint_public_invitation_user_group: noble-public-users
-noble_authentik_blueprint_public_invitation_user_type: external
+# **`internal`** — normal directory users (default). Use **`external`** only when you intentionally isolate invitees from admin / “internal-only” surfaces (see [Invitations troubleshooting](https://docs.goauthentik.io/users-sources/user/invitations/)).
+noble_authentik_blueprint_public_invitation_user_type: internal
 noble_authentik_blueprint_public_invitation_user_path: users/noble/public
 # Lab invites: blueprint creates **`noble_authentik_blueprint_lab_invitee_group_name`**; add members to **`noble_authentik_blueprint_lab_operator_groups`** manually when they should use the lab URL.
 noble_authentik_blueprint_lab_invitee_group_name: noble-lab-invited
diff --git a/ansible/roles/noble_authentik/tasks/main.yml b/ansible/roles/noble_authentik/tasks/main.yml
index c1e0758..1e60e77 100644
--- a/ansible/roles/noble_authentik/tasks/main.yml
+++ b/ansible/roles/noble_authentik/tasks/main.yml
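Review bot: The new default quietly changes the security posture of every inventory that never pinned `noble_authentik_blueprint_public_invitation_user_type`: from the next run, invitees enrolling on the public FQDN are created as `internal` users instead of `external`, and the comment added above the key says only that this means "normal directory users" without saying what the old value withheld. Presumably the only thing that then keeps a public invitee off the lab and admin surfaces is group membership (`noble_authentik_blueprint_public_invitation_user_group` versus the operator groups named in the comment two lines below), which is the fact an operator who relied on the old default needs in order to accept the change deliberately. I would extend the comment with `# NOTE: default changed from external; inventories that do not pin this value get internal users from the next run, and isolation then rests on group membership alone.` so the trade-off is visible next to the knob rather than only in the README.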
@@ -97,7 +97,7 @@
 - noble_authentik_blueprint_lab_invitation_enrollment_flow_slug | default('') | trim | length > 0
 - noble_authentik_blueprint_public_invitation_user_group | default('') | trim | length > 0
 - noble_authentik_blueprint_lab_invitee_group_name | default('') | trim | length > 0
- - (noble_authentik_blueprint_public_invitation_user_type | default('external') | trim | lower) in ['external', 'internal']
+ - (noble_authentik_blueprint_public_invitation_user_type | default('internal') | trim | lower) in ['external', 'internal']
 - (noble_authentik_blueprint_lab_invitation_user_type | default('internal') | trim | lower) in ['external', 'internal']
 fail_msg: >-
 When noble_authentik_blueprints_enabled is true, set at least one entry across
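Review bot: The `default('internal')` fallback in the changed assert line duplicates the value that `defaults/main.yml` already provides, and this commit is itself the drift case: both copies had to be edited together, and the same duplication sits on the `lab_invitation_user_type` line right below. Because a role's defaults are always loaded, the fallback never fires for a consumer of this role, so dropping it — `- (noble_authentik_blueprint_public_invitation_user_type | trim | lower) in ['external', 'internal']` — leaves one source of truth for the default. Separately, the check normalises with `trim | lower` but, unless the template that writes the **User write** stage applies the same filters (not visible in this hunk), a value such as `Internal ` passes validation and is then written to the blueprint unnormalised; either validate the raw value or normalise it once where it is consumed. The enclosing assert task starts and ends outside this hunk.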