Update Authentik configuration to default public invitation user type to internal, enhancing clarity on user isolation. Revise README to reflect changes in user type settings and provide guidance for managing existing external users. Improve validation in Ansible tasks to ensure correct user type configuration.

2026-05-14 23:15:34 -04:00
parent 7fed8820ce
commit f37768b789
3 changed files with 6 additions and 3 deletions
--- a/ansible/roles/noble_authentik/defaults/main.yml
+++ b/ansible/roles/noble_authentik/defaults/main.yml
@@ -93,7 +93,8 @@ noble_authentik_blueprint_lab_invitation_flow_name: Noble lab invitation enrollm
 noble_authentik_blueprint_lab_invitation_flow_title: Lab access — complete enrollment
 # **User write** for public invites: must match an existing **Group** name from **`10-noble-public-groups`** (default **`noble-public-users`**; use **`nikflix-users`** if you only maintain Nikflix groups).
 noble_authentik_blueprint_public_invitation_user_group: noble-public-users
-noble_authentik_blueprint_public_invitation_user_type: external
+# **`internal`** — normal directory users (default). Use **`external`** only when you intentionally isolate invitees from admin / “internal-only” surfaces (see [Invitations troubleshooting](https://docs.goauthentik.io/users-sources/user/invitations/)).
+noble_authentik_blueprint_public_invitation_user_type: internal
 noble_authentik_blueprint_public_invitation_user_path: users/noble/public
 # Lab invites: blueprint creates **`noble_authentik_blueprint_lab_invitee_group_name`**; add members to **`noble_authentik_blueprint_lab_operator_groups`** manually when they should use the lab URL.
 noble_authentik_blueprint_lab_invitee_group_name: noble-lab-invited