Add optional SMTP configuration for Authentik, including email host, port, and credentials. Update README and .env.sample to clarify usage for outbound email settings. Introduce blueprint support for enhanced deployment flexibility, with assertions in Ansible tasks to ensure required variables are set when enabled.

ansible/roles/noble_authentik/tasks/main.yml

@@ -39,6 +39,15 @@
           or reuse Velero's NOBLE_VELERO_S3_URL and NOBLE_VELERO_AWS_ACCESS_KEY_ID / NOBLE_VELERO_AWS_SECRET_ACCESS_KEY
           in .env (see .env.sample and clusters/noble/bootstrap/velero/README.md).
 
+    - name: Require Authentik SMTP From when SMTP host is set
+      ansible.builtin.assert:
+        that:
+          - noble_authentik_smtp_from | default('') | trim | length > 0
+        fail_msg: >-
+          When NOBLE_AUTHENTIK_SMTP_HOST is set, set NOBLE_AUTHENTIK_SMTP_FROM (sender address).
+          See repository .env.sample and https://docs.goauthentik.io/install-config/configuration/#email-settings
+      when: noble_authentik_smtp_host | default('') | trim | length > 0
+
     - name: Ensure Ansible temp dir for rendered Helm values
       ansible.builtin.file:
         path: "{{ noble_repo_root }}/ansible/.ansible-tmp"
@@ -65,6 +74,47 @@
         KUBECONFIG: "{{ noble_kubeconfig }}"
       changed_when: true
 
+    - name: Ensure dir for rendered Authentik blueprints
+      ansible.builtin.file:
+        path: "{{ noble_repo_root }}/ansible/.ansible-tmp/authentik-blueprints"
+        state: directory
+        mode: "0700"
+      when: noble_authentik_blueprints_enabled | default(false) | bool
+
+    - name: Assert noble Authentik blueprint variables (when blueprints enabled)
+      ansible.builtin.assert:
+        that:
+          - noble_authentik_blueprint_public_groups | default([]) | length > 0
+          - noble_authentik_blueprint_lab_operator_groups | default([]) | length > 0
+          - noble_authentik_blueprint_lab_flow_slug | default('') | trim | length > 0
+        fail_msg: >-
+          When noble_authentik_blueprints_enabled is true, set noble_authentik_blueprint_public_groups (non-empty),
+          noble_authentik_blueprint_lab_operator_groups (non-empty), and noble_authentik_blueprint_lab_flow_slug.
+          See ansible/roles/noble_authentik/defaults/main.yml and README.
+      when: noble_authentik_blueprints_enabled | default(false) | bool
+
+    - name: Render Authentik noble blueprint YAML files
+      ansible.builtin.template:
+        src: "blueprints/{{ item }}.j2"
+        dest: "{{ noble_repo_root }}/ansible/.ansible-tmp/authentik-blueprints/{{ item }}"
+        mode: "0600"
+      loop:
+        - 10-noble-public-groups.yaml
+        - 20-noble-lab-operator-authentication-flow.yaml
+        - 30-noble-brands-domain-split.yaml
+      when: noble_authentik_blueprints_enabled | default(false) | bool
+
+    - name: Apply Authentik noble blueprints ConfigMap (worker mounts under /blueprints/mounted/cm-*)
+      ansible.builtin.shell: |
+        set -euo pipefail
+        kubectl -n "{{ noble_authentik_namespace }}" create configmap "{{ noble_authentik_blueprints_configmap_name }}" \
+          --from-file="{{ noble_repo_root }}/ansible/.ansible-tmp/authentik-blueprints" \
+          --dry-run=client -o yaml | kubectl apply -f -
+      environment:
+        KUBECONFIG: "{{ noble_kubeconfig }}"
+      when: noble_authentik_blueprints_enabled | default(false) | bool
+      changed_when: true
+
     - name: Install Authentik (Helm)
       ansible.builtin.command:
         argv: