From 5ed12c64d0e975bdde78fcd39c9689e6b9ebc2d5 Mon Sep 17 00:00:00 2001 From: Bert-Jan Fikse Date: Wed, 14 Jan 2026 16:50:33 +0100 Subject: [PATCH 1/2] chore: add authentik_login_user_fields to allow showing custom fields, or removing them e.g when using social + local logins --- roles/authentik/defaults/main.yml | 6 ++++++ .../templates/blueprints/blueprint-login-sources.yaml.j2 | 9 +++++++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/roles/authentik/defaults/main.yml b/roles/authentik/defaults/main.yml index 85e8a15..5f88df1 100644 --- a/roles/authentik/defaults/main.yml +++ b/roles/authentik/defaults/main.yml @@ -99,6 +99,12 @@ authentik_login_source_ids: [] # - "source-entra-entra-id" authentik_identification_stage_name: default-authentication-identification +# Local login fields to show on login screen (username, email, upn) +# Set to empty list to hide local login form entirely +authentik_login_user_fields: + - username + - email + # Local users to provision authentik_local_users: [] # - username: admin diff --git a/roles/authentik/templates/blueprints/blueprint-login-sources.yaml.j2 b/roles/authentik/templates/blueprints/blueprint-login-sources.yaml.j2 index 9a7b76d..610dee8 100644 --- a/roles/authentik/templates/blueprints/blueprint-login-sources.yaml.j2 +++ b/roles/authentik/templates/blueprints/blueprint-login-sources.yaml.j2 
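Review bot: In roles/authentik/defaults/main.yml, the new comment above `authentik_login_user_fields` says an empty list hides the local login form, but it omits that `authentik_login_source_ids` also defaults to `[]` (visible in the hunk header). Emptying this variable without configuring a source would leave the identification stage with no sign-in method, and authentik may reject such a stage outright, which cannot be confirmed from this hunk. I would extend the comment with `# Only set to [] when authentik_login_source_ids is non-empty, otherwise nobody (admins included) can log in`. The comment lists three accepted names (username, email, upn) but nothing enforces them, so a check before templating would catch typos early.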
@@ -4,14 +4,19 @@ metadata: name: "login-sources" labels: blueprints.goauthentik.io/instantiate: "true" - blueprints.goauthentik.io/description: "Set sources on the identification stage" + blueprints.goauthentik.io/description: "Set sources and user fields on the identification stage" entries: - model: authentik_stages_identification.identificationstage identifiers: name: "{{ authentik_identification_stage_name }}" attrs: - # NOTE: this SETS the sources list (it doesn’t append). + # Local login fields (username, email, upn) + user_fields: +{% for field in authentik_login_user_fields %} + - {{ field }} +{% endfor %} + # OAuth/social login sources sources: {% for src_id in authentik_login_source_ids %} - !KeyOf {{ src_id }} From 7f639e81916c75aa51e4438f80df52590d364ddf Mon Sep 17 00:00:00 2001 From: Bert-Jan Fikse Date: Wed, 14 Jan 2026 17:36:07 +0100 Subject: [PATCH 2/2] fix: add lock_timout to apt cache update should prevent errors with new vagrant machines, where apt is still locked by vagrant --- roles/base/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 6a6eabb..57910d9 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -6,6 +6,7 @@ ansible.builtin.apt: update_cache: true cache_valid_time: 3600 + lock_timeout: 180 when: ansible_facts["os_family"] == "Debian" - name: Install required packages for Docker @@ -20,7 +21,6 @@ state: present when: ansible_facts["os_family"] == "Debian" - - name: Install convenience packages ansible.builtin.apt: name:
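Review bot: With `authentik_login_user_fields: []` the new loop renders a bare `user_fields:`, which YAML reads as null rather than an empty list, so the documented "hide the local form" setting may not reach authentik as intended. The loop items are also emitted unquoted. Rendering the value in one expression avoids both problems: `user_fields: {{ authentik_login_user_fields | to_json }}`. The removed note that the blueprint SETS the list rather than appending still describes `sources:` and presumably applies to `user_fields:` too, so I would keep it as `# NOTE: this SETS user_fields and sources (it doesn't append).`. The `sources:` loop continues past the end of the hunk.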
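Review bot: In roles/base/tasks/main.yml, `lock_timeout: 180` is added only to the cache-update task. The later `ansible.builtin.apt` tasks in this file ("Install required packages for Docker", "Install convenience packages") keep the module default, so they could still fail if a background apt run retakes the lock on a freshly booted machine. If that matters for the Vagrant case, set the value once with `module_defaults:` for `ansible.builtin.apt` at play or block level, or repeat the parameter on those tasks. Both later tasks are only partly visible in these hunks.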