Update Authentik configuration to default public invitation user type to internal, enhancing clarity on user isolation. Revise README to reflect changes in user type settings and provide guidance for managing existing external users. Improve validation in Ansible tasks to ensure correct user type configuration.

ansible/roles/noble_authentik/README.md

@@ -66,11 +66,13 @@ Tune titles via **`noble_authentik_blueprint_lab_brand_title`** and **`noble_aut
 
 Use **`<host>`** that matches the experience you want:
 
-- **Public / Nikflix** — an FQDN from **`noble_authentik_ingress_extra_hosts`**: use flow slug **`noble_authentik_blueprint_public_invitation_enrollment_flow_slug`** (default **`noble-public-invitation-enrollment`**). New users are added to **`noble_authentik_blueprint_public_invitation_user_group`** (default **`noble-public-users`**; override to **`nikflix-users`** if that is your only audience group). Tune **`noble_authentik_blueprint_public_invitation_user_type`** (**`external`** / **`internal`**) and **`noble_authentik_blueprint_public_invitation_user_path`** as needed.
+- **Public / Nikflix** — an FQDN from **`noble_authentik_ingress_extra_hosts`**: use flow slug **`noble_authentik_blueprint_public_invitation_enrollment_flow_slug`** (default **`noble-public-invitation-enrollment`**). New users are added to **`noble_authentik_blueprint_public_invitation_user_group`** (default **`noble-public-users`**; override to **`nikflix-users`** if that is your only audience group). **`noble_authentik_blueprint_public_invitation_user_type`** defaults to **`internal`** so invitees behave like normal users; set **`external`** only if you need that isolation (see [Invitations — “Permission denied” for external users](https://docs.goauthentik.io/users-sources/user/invitations/)). Tune **`noble_authentik_blueprint_public_invitation_user_path`** as needed.
 - **Lab** — **`noble_authentik_host`** only when you intend to onboard someone who will later get **`noble_authentik_blueprint_lab_operator_groups`** access: use **`noble_authentik_blueprint_lab_invitation_enrollment_flow_slug`** (default **`noble-lab-invitation-enrollment`**). The blueprint creates **`noble_authentik_blueprint_lab_invitee_group_name`** (default **`noble-lab-invited`**) and assigns new enrollments there; **promote** people to **`noble-admins`** / **`authentik Admins`** (or your configured operator groups) in the admin UI when they should sign in on the lab URL.
 
 Blueprint **22** does **not** create sample **Invitation** rows (no placeholder emails). Create invitations in the UI after blueprints apply. For richer patterns (prefilled attributes, extra policies), see [Invitations](https://docs.goauthentik.io/users-sources/user/invitations/) and the upstream example blueprint **`flows-invitation-enrollment.yaml`** ([download](https://goauthentik.io/blueprints/example/flows-invitation-enrollment.yaml)). Password strength for enrollment prompts is **not** duplicated from the lab **authentication** flow here; add **Prompt** validation policies or a dedicated policy if you need parity.
 
+**Users already created as `external`:** change **User type** to **Internal** under **Directory → Users** (or edit the **User write** stage in **Flows** and re-run the playbook so future invitees use **`noble_authentik_blueprint_public_invitation_user_type: internal`** in **`group_vars`**).
+
 #### Blueprint: directory groups
 
 Three inventory lists are concatenated **in this order** into **`10-noble-public-groups.yaml.j2`**:

ansible/roles/noble_authentik/defaults/main.yml

@@ -93,7 +93,8 @@ noble_authentik_blueprint_lab_invitation_flow_name: Noble lab invitation enrollm
 noble_authentik_blueprint_lab_invitation_flow_title: Lab access — complete enrollment
 # **User write** for public invites: must match an existing **Group** name from **`10-noble-public-groups`** (default **`noble-public-users`**; use **`nikflix-users`** if you only maintain Nikflix groups).
 noble_authentik_blueprint_public_invitation_user_group: noble-public-users
-noble_authentik_blueprint_public_invitation_user_type: external
+# **`internal`** — normal directory users (default). Use **`external`** only when you intentionally isolate invitees from admin / “internal-only” surfaces (see [Invitations troubleshooting](https://docs.goauthentik.io/users-sources/user/invitations/)).
+noble_authentik_blueprint_public_invitation_user_type: internal
 noble_authentik_blueprint_public_invitation_user_path: users/noble/public
 # Lab invites: blueprint creates **`noble_authentik_blueprint_lab_invitee_group_name`**; add members to **`noble_authentik_blueprint_lab_operator_groups`** manually when they should use the lab URL.
 noble_authentik_blueprint_lab_invitee_group_name: noble-lab-invited

ansible/roles/noble_authentik/tasks/main.yml

@@ -97,7 +97,7 @@
           - noble_authentik_blueprint_lab_invitation_enrollment_flow_slug | default('') | trim | length > 0
           - noble_authentik_blueprint_public_invitation_user_group | default('') | trim | length > 0
           - noble_authentik_blueprint_lab_invitee_group_name | default('') | trim | length > 0
-          - (noble_authentik_blueprint_public_invitation_user_type | default('external') | trim | lower) in ['external', 'internal']
+          - (noble_authentik_blueprint_public_invitation_user_type | default('internal') | trim | lower) in ['external', 'internal']
           - (noble_authentik_blueprint_lab_invitation_user_type | default('internal') | trim | lower) in ['external', 'internal']
         fail_msg: >-
           When noble_authentik_blueprints_enabled is true, set at least one entry across