diff --git a/roles/authentik/defaults/main.yml b/roles/authentik/defaults/main.yml
index 85e8a15..5f88df1 100644
--- a/roles/authentik/defaults/main.yml
+++ b/roles/authentik/defaults/main.yml
@@ -99,6 +99,12 @@ authentik_login_source_ids: []
 # - "source-entra-entra-id"
 authentik_identification_stage_name: default-authentication-identification
 
+# Local login fields to show on login screen (username, email, upn)
+# Set to empty list to hide local login form entirely
+authentik_login_user_fields:
+  - username
+  - email
+
 # Local users to provision
 authentik_local_users: []
 # - username: admin
diff --git a/roles/authentik/templates/blueprints/blueprint-login-sources.yaml.j2 b/roles/authentik/templates/blueprints/blueprint-login-sources.yaml.j2
index 9a7b76d..610dee8 100644
--- a/roles/authentik/templates/blueprints/blueprint-login-sources.yaml.j2
+++ b/roles/authentik/templates/blueprints/blueprint-login-sources.yaml.j2
@@ -4,14 +4,19 @@ metadata:
   name: "login-sources"
   labels:
     blueprints.goauthentik.io/instantiate: "true"
-    blueprints.goauthentik.io/description: "Set sources on the identification stage"
+    blueprints.goauthentik.io/description: "Set sources and user fields on the identification stage"
 
 entries:
   - model: authentik_stages_identification.identificationstage
     identifiers:
       name: "{{ authentik_identification_stage_name }}"
     attrs:
-      # NOTE: this SETS the sources list (it doesn’t append).
+      # Local login fields (username, email, upn)
+      user_fields:
+{% for field in authentik_login_user_fields %}
+        - {{ field }}
+{% endfor %}
+      # OAuth/social login sources
       sources:
 {% for src_id in authentik_login_source_ids %}
         - !KeyOf {{ src_id }}
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 6a6eabb..57910d9 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -6,6 +6,7 @@
   ansible.builtin.apt:
     update_cache: true
     cache_valid_time: 3600
+    lock_timeout: 180
   when: ansible_facts["os_family"] == "Debian"
 
 - name: Install required packages for Docker
@@ -20,7 +21,6 @@
     state: present
   when: ansible_facts["os_family"] == "Debian"
 
-
 - name: Install convenience packages
   ansible.builtin.apt:
     name: