gsdavidp/home-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update Authentik configuration to default public invitation user type to internal, enhancing clarity on user isolation. Revise README to reflect changes in user type settings and provide guidance for managing existing external users. Improve validation in Ansible tasks to ensure correct user type configuration.

Browse Source
This commit is contained in:
Nikholas Pcenicni
2026-05-14 23:15:34 -04:00
parent 7fed8820ce
commit f37768b789
3 changed files with 6 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
ansible/roles/noble_authentik/README.md
View File

@@ -66,11 +66,13 @@ Tune titles via **`noble_authentik_blueprint_lab_brand_title`** and **`noble_aut
Use **`<host>`** that matches the experience you want:
- **Public / Nikflix** — an FQDN from **`noble_authentik_ingress_extra_hosts`**: use flow slug **`noble_authentik_blueprint_public_invitation_enrollment_flow_slug`** (default **`noble-public-invitation-enrollment`**). New users are added to **`noble_authentik_blueprint_public_invitation_user_group`** (default **`noble-public-users`**; override to **`nikflix-users`** if that is your only audience group). Tune **`noble_authentik_blueprint_public_invitation_user_type`** (**`external`** / **`internal`**) and **`noble_authentik_blueprint_public_invitation_user_path`** as needed.
- **Public / Nikflix** — an FQDN from **`noble_authentik_ingress_extra_hosts`**: use flow slug **`noble_authentik_blueprint_public_invitation_enrollment_flow_slug`** (default **`noble-public-invitation-enrollment`**). New users are added to **`noble_authentik_blueprint_public_invitation_user_group`** (default **`noble-public-users`**; override to **`nikflix-users`** if that is your only audience group). **`noble_authentik_blueprint_public_invitation_user_type`** defaults to **`internal`** so invitees behave like normal users; set **`external`** only if you need that isolation (see [Invitations — “Permission denied” for external users](https://docs.goauthentik.io/users-sources/user/invitations/)). Tune **`noble_authentik_blueprint_public_invitation_user_path`** as needed.
- **Lab** — **`noble_authentik_host`** only when you intend to onboard someone who will later get **`noble_authentik_blueprint_lab_operator_groups`** access: use **`noble_authentik_blueprint_lab_invitation_enrollment_flow_slug`** (default **`noble-lab-invitation-enrollment`**). The blueprint creates **`noble_authentik_blueprint_lab_invitee_group_name`** (default **`noble-lab-invited`**) and assigns new enrollments there; **promote** people to **`noble-admins`** / **`authentik Admins`** (or your configured operator groups) in the admin UI when they should sign in on the lab URL.
Blueprint **22** does **not** create sample **Invitation** rows (no placeholder emails). Create invitations in the UI after blueprints apply. For richer patterns (prefilled attributes, extra policies), see [Invitations](https://docs.goauthentik.io/users-sources/user/invitations/) and the upstream example blueprint **`flows-invitation-enrollment.yaml`** ([download](https://goauthentik.io/blueprints/example/flows-invitation-enrollment.yaml)). Password strength for enrollment prompts is **not** duplicated from the lab **authentication** flow here; add **Prompt** validation policies or a dedicated policy if you need parity.
**Users already created as `external`:** change **User type** to **Internal** under **Directory → Users** (or edit the **User write** stage in **Flows** and re-run the playbook so future invitees use **`noble_authentik_blueprint_public_invitation_user_type: internal`** in **`group_vars`**).
#### Blueprint: directory groups
Three inventory lists are concatenated **in this order** into **`10-noble-public-groups.yaml.j2`**:

3
ansible/roles/noble_authentik/defaults/main.yml
View File

@@ -93,7 +93,8 @@ noble_authentik_blueprint_lab_invitation_flow_name: Noble lab invitation enrollm
noble_authentik_blueprint_lab_invitation_flow_title: Lab access — complete enrollment
# **User write** for public invites: must match an existing **Group** name from **`10-noble-public-groups`** (default **`noble-public-users`**; use **`nikflix-users`** if you only maintain Nikflix groups).
noble_authentik_blueprint_public_invitation_user_group: noble-public-users
noble_authentik_blueprint_public_invitation_user_type: external
# **`internal`** — normal directory users (default). Use **`external`** only when you intentionally isolate invitees from admin / “internal-only” surfaces (see [Invitations troubleshooting](https://docs.goauthentik.io/users-sources/user/invitations/)).
noble_authentik_blueprint_public_invitation_user_type: internal
noble_authentik_blueprint_public_invitation_user_path: users/noble/public
# Lab invites: blueprint creates **`noble_authentik_blueprint_lab_invitee_group_name`**; add members to **`noble_authentik_blueprint_lab_operator_groups`** manually when they should use the lab URL.
noble_authentik_blueprint_lab_invitee_group_name: noble-lab-invited

2
ansible/roles/noble_authentik/tasks/main.yml
View File

@@ -97,7 +97,7 @@
- noble_authentik_blueprint_lab_invitation_enrollment_flow_slug | default('') | trim | length > 0
- noble_authentik_blueprint_public_invitation_user_group | default('') | trim | length > 0
- noble_authentik_blueprint_lab_invitee_group_name | default('') | trim | length > 0
- (noble_authentik_blueprint_public_invitation_user_type | default('external') | trim | lower) in ['external', 'internal']
- (noble_authentik_blueprint_public_invitation_user_type | default('internal') | trim | lower) in ['external', 'internal']
- (noble_authentik_blueprint_lab_invitation_user_type | default('internal') | trim | lower) in ['external', 'internal']
fail_msg: >-
When noble_authentik_blueprints_enabled is true, set at least one entry across