set theme colors with envs

.env.sample

@@ -1,10 +1,12 @@
 TYPE=authentik
 TIMEOUT=300
 ENABLE_AUTO_UPDATE=true
-POST_DEPLOY_CMDS="worker set_admin_pass|worker apply_blueprints|worker add_applications"
+# POST_DEPLOY_CMDS="worker set_admin_pass|worker apply_blueprints|worker add_applications"
 LETS_ENCRYPT_ENV=production
 
 DOMAIN=authentik.example.com
+## Domain aliases
+#EXTRA_DOMAINS=', `www.authentik.example.com`'
 COMPOSE_FILE="compose.yml"
 AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME=false
 AUTHENTIK_LOG_LEVEL=info
@@ -12,6 +14,9 @@ AUTHENTIK_LOG_LEVEL=info
 # AUTHENTIK_FOOTER_LINKS='[{"name": "My Organization","href":"https://example.com"}]'
 # WORKERS=1
 
+## Outpost Integration
+# COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml"
+
 ## EMAIL
 AUTHENTIK_EMAIL__HOST=smtp
 AUTHENTIK_EMAIL__PORT=587
@@ -29,7 +34,14 @@ SECRET_ADMIN_PASS_VERSION=v1
 SECRET_EMAIL_PASS_VERSION=v1
 
 # X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
-AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
+# AUTHENTIK_COLOR_FOREGROUND=fafafa
+# AUTHENTIK_COLOR_FOREGROUND_DARKER=bebebe
+# AUTHENTIK_COLOR_FOREGROUND_LINK=5a5cb9
+# AUTHENTIK_COLOR_BACKGROUND=18191a
+# AUTHENTIK_COLOR_BACKGROUND_DARKER=000000
+# AUTHENTIK_COLOR_BACKGROUND_LIGHT=1c1e21
+# AUTHENTIK_COLOR_BACKGROUND_LIGHTISH=212427
+# AUTHENTIK_COLOR_BACKGROUND_LIGHTER=2b2e33
 
 ## FLOW OPTIONS
 # WELCOME_MESSAGE="Welcome to Authentik"
@@ -56,7 +68,7 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 # APP_ICONS="$APP_ICONS wordpress:~/.abra/recipes/authentik/icons/wordpress.png"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
-# ELEMENT_DOMAIN=element.example.com
+# ELEMENT_DOMAIN=element-web.example.com
 # SECRET_MATRIX_ID_VERSION=v1
 # SECRET_MATRIX_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS matrix:~/.abra/recipes/authentik/icons/matrix.svg"
@@ -79,7 +91,7 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 # SECRET_MONITORING_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.png"
 
-# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "Rallly":"https://rallly.example.cloud/"}'
+# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/", "Rallly":"https://rallly.example.cloud/"}'
 # APP_ICONS="$APP_ICONS Calendar:~/.abra/recipes/authentik/icons/calendar.svg"
 # APP_ICONS="$APP_ICONS Rallly:~/.abra/recipes/authentik/icons/rallly.png"
-
+# APP_ICONS="$APP_ICONS BBB:~/.abra/recipes/authentik/icons/bbb.jpg"

README.md

@@ -87,41 +87,109 @@ Run this command after every deploy/upgrade:
 
 `abra app command --local <app-name> customize <assets_path>`
 
+## Email templates
+
+Add custom [email templates](https://goauthentik.io/docs/flow/stages/email/#custom-templates):
+
+`abra app cmd -l <app_name> add_email_templates local/path/to/mail_template.html`
+
 ## Blueprints
 
-Blueprint Dependency Requirements:
+These blueprints overwrite default blueprint values:
+
+- flow_translation.yaml
+- flow_authentication.yaml
+
+The following default blueprints will be overwritten by customizations:
+
+- flow-password-change.yaml
+- flow-default-authentication-flow.yaml
+- flow-default-user-settings-flow.yaml
+- flow-default-source-enrollment.yaml
+
+The `abra.sh` function `apply_blueprints` needs to be executed to deactivate these blueprints to ensure that the customizations won't be overwritten. It will further execute flow_translation.yaml and flow_authentication.yaml again.
+
+
+### Blueprint Overwrite/Use Dependencies
 
 - Recovery with email verification
     - Default - Password change flow
+        - USE:
+            - `default-password-change-prompt`
+            - `default-password-change-write`
     - Default - Authentication flow
+        - USE:
+            - `default-authentication-login`
 - Custom Authentication Flow
     - Default - Authentication flow
+        - USE:
+            - `default-authentication-password`
+        - OVERWRITE:
+            - `default-authentication-flow`
+        - APPEND:
+            - `default-authentication-identification`
+            - `default-authentication-login`
+        - REMOVE: `authentik_flows.flowstagebinding order:20`
     - Recovery with email verification
+        - USE:
+            - `default-recovery-flow`
 - Invitation Enrollment Flow
     - Default - User settings flow
+        - USE:
+            - `default-user-settings-field-name`
+            - `default-user-settings-field-email`
+    - Default - Password change flow
+        - USE:
+            - `default-password-change-field-password`
+            - `default-password-change-field-password-repeat`
     - Default - Authentication flow
+        - USE:
+            - `default-authentication-login`
     - Default - Source enrollment flow
+        - USE:
+            - `default-source-enrollment-field-username`
+            - `default-source-enrollment-write`
 - Custom Invalidation Flow
     - Default - Invalidation flow
+        - APPEND_ATTR:
+            - `authentik_flows.flowstagebinding order: 0`
 - Flow Translations
     - Recovery with email verification
+        - APPEND: `default-recovery-flow`
     - Default - Password change flow
+        - OVERWRITE:
+           - `default-password-change-field-password`
+           - `default-password-change-field-password-repeat`
     - Default - User settings flow
+        - OVERWRITE:
+            - `default-user-settings-field-username`
+            - `default-user-settings-field-name`
     - Default - Source enrollment flow
+        - OVERWRITE:
+            - `default-source-enrollment-field-username`
 - Custom System Tenant
     - Default - Tenant
+        - APPEND: `authentik_tenants.tenant  domain: authentik-default`
     - Recovery with email verification
+        - USE:
+            - `default-recovery-flow`
 
 
-Blueprint Dependency Graph:
+### Blueprint Dependency Execution Order
 
 5. Custom System Tenant
     - Default - Tenant
-    4. Invitation Enrollment Flow
+    1. Recovery with email verification
+        - Default - Authentication flow
+            - Default - Password change flow
+4. Invitation Enrollment Flow
     3. Flow Translations
         - Default - User settings flow
         - Default - Source enrollment flow
-            2. Custom Authentication Flow
+        1. Recovery with email verification
+            - Default - Authentication flow
+                - Default - Password change flow
+2. Custom Authentication Flow
     1. Recovery with email verification
         - Default - Authentication flow
             - Default - Password change flow

abra.sh

@@ -1,10 +1,10 @@
-export CUSTOM_CSS_VERSION=v2
-export FLOW_AUTHENTICATION_VERSION=v1
+export CUSTOM_CSS_VERSION=v3
+export FLOW_AUTHENTICATION_VERSION=v3
 export FLOW_INVITATION_VERSION=v1
-export FLOW_INVALIDATION_VERSION=v1
+export FLOW_INVALIDATION_VERSION=v2
 export FLOW_RECOVERY_VERSION=v1
-export FLOW_TRANSLATION_VERSION=v1
-export SYSTEM_TENANT_VERSION=v1
+export FLOW_TRANSLATION_VERSION=v2
+export SYSTEM_TENANT_VERSION=v2
 export NEXTCLOUD_CONFIG_VERSION=v1
 export WORDPRESS_CONFIG_VERSION=v2
 export MATRIX_CONFIG_VERSION=v1
@@ -95,15 +95,24 @@ rotate_db_pass() {
     psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
 }
 
+# This function is for blueprints that are overwriting custom blueprints
+# It deactivates the affected custom blueprints to avoid changes to be reverted
 apply_blueprints() {
-    enable_blueprint default/flow-default-authentication-flow.yaml
-    enable_blueprint default/flow-default-user-settings-flow.yaml
-    enable_blueprint default/flow-password-change.yaml
-    ak apply_blueprint 6_flow_invalidation.yaml 2>&1 | quieten
-    ak apply_blueprint 5_system_tenant.yaml 2>&1 | quieten
-    disable_blueprint default/flow-default-authentication-flow.yaml
-    disable_blueprint default/flow-default-user-settings-flow.yaml
-    disable_blueprint default/flow-password-change.yaml
+    update_and_disable_blueprint default/flow-password-change.yaml
+    update_and_disable_blueprint default/flow-default-authentication-flow.yaml
+    update_and_disable_blueprint default/flow-default-user-settings-flow.yaml
+    update_and_disable_blueprint default/flow-default-source-enrollment.yaml
+    
+    apply_blueprint 3_flow_translation.yaml
+    apply_blueprint 2_flow_authentication.yaml
+}
+
+update_and_disable_blueprint() {
+    enable_blueprint $@ 2>&1 | quieten
+    sleep 1
+    apply_blueprint $@
+    sleep 1
+    disable_blueprint $@ 2>&1 | quieten
 }
 
 disable_blueprint() {
@@ -114,12 +123,24 @@ enable_blueprint() {
     blueprint_state True $@
 }
 
+apply_blueprint() {
+    echo apply blueprint $@
+    ak apply_blueprint $@ 2>&1 | quieten
+}
+
 blueprint_state() {
 /manage.py shell -c """
+import time
 blueprint_state=$1
 blueprint_path='$2'
 blueprint = BlueprintInstance.objects.filter(path=blueprint_path).first()
 blueprint.enabled = blueprint_state
+# Hacky workaround to reduce chance of a race condition
+blueprint.save()
+time.sleep(1)
+blueprint.save()
+time.sleep(1)
+blueprint.save()
 print(f'{blueprint.name} enabled: {blueprint.enabled}')
 """ 2>&1 | quieten
 
@@ -146,7 +167,14 @@ for name, url in applications.items():
 
 
 quieten(){
-    grep -v '{"event"'
+    grep -v -e '{"event"' -e '{"action"'
+}
+
+add_email_templates(){
+for file_path in "$@"; do
+    echo copy template $file_path
+    abra app cp $APP_NAME $file_path app:/templates/
+done
 }
 
 set_icons(){

compose.outposts.yml

@@ -0,0 +1,6 @@
+version: "3.8"
+services:
+  worker:
+    user: root
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock

compose.yml

@@ -18,7 +18,14 @@ x-env: &env
     - AUTHENTIK_EMAIL__FROM
     - AUTHENTIK_LOG_LEVEL
     - AUTHENTIK_SETTINGS__THEME__BACKGROUND
-    - AUTHENTIK_COLOR_BACKGROUND_LIGHT
+    - AUTHENTIK_COLOR_FOREGROUND=${AUTHENTIK_COLOR_FOREGROUND:-fafafa}
+    - AUTHENTIK_COLOR_FOREGROUND_DARKER=${AUTHENTIK_COLOR_FOREGROUND_DARKER:-bebebe}
+    - AUTHENTIK_COLOR_FOREGROUND_LINK=${AUTHENTIK_COLOR_FOREGROUND_LINK:-5a5cb9}
+    - AUTHENTIK_COLOR_BACKGROUND=${AUTHENTIK_COLOR_BACKGROUND:-18191a}
+    - AUTHENTIK_COLOR_BACKGROUND_DARKER=${AUTHENTIK_COLOR_BACKGROUND_DARKER:-000000}
+    - AUTHENTIK_COLOR_BACKGROUND_LIGHT=${AUTHENTIK_COLOR_BACKGROUND_LIGHT:-1c1e21}
+    - AUTHENTIK_COLOR_BACKGROUND_LIGHTISH=${AUTHENTIK_COLOR_BACKGROUND_LIGHTISH:-212427}
+    - AUTHENTIK_COLOR_BACKGROUND_LIGHTER=${AUTHENTIK_COLOR_BACKGROUND_LIGHTER:-2b2e33}
     - AUTHENTIK_FOOTER_LINKS
     - AUTHENTIK_IMPERSONATION
     - WELCOME_MESSAGE
@@ -32,7 +39,7 @@ x-env: &env
 version: '3.8'
 services:
   app:
-    image: ghcr.io/goauthentik/server:2023.3.1
+    image: ghcr.io/goauthentik/server:2023.6.1
     command: server
     secrets:
       - db_password
@@ -43,6 +50,7 @@ services:
     volumes:
       - media:/media
       - assets:/web/dist/assets
+      - templates:/templates
     configs:
       - source: custom_css
         target: /web/dist/custom.css
@@ -50,7 +58,7 @@ services:
       - internal
       - proxy
     healthcheck:
-      test: ["CMD", "curl", "-f", "localhost:9000/-/health/live/"]
+      test: "bash -c 'printf \"GET / HTTP/1.1\n\n\" > /dev/tcp/127.0.0.1/9000; exit $$?;'"
       interval: 30s
       timeout: 10s
       retries: 10
@@ -64,7 +72,7 @@ services:
         - "traefik.enable=true"
         - "traefik.docker.network=proxy"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=9000"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions"
@@ -72,11 +80,11 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=3.1.2+2023.3.1"
+        - "coop-cloud.${STACK_NAME}.version=3.2.4+2023.6.1"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
 
   worker:
-    image: ghcr.io/goauthentik/server:2023.3.1
+    image: ghcr.io/goauthentik/server:2023.6.1
     command: worker
     secrets:
       - db_password
@@ -87,12 +95,11 @@ services:
     networks:
       - internal
       - proxy
-    user: root
     volumes:
       - backups:/backups
       - media:/media
-      - /var/run/docker.sock:/var/run/docker.sock
       - /dev/null:/blueprints/default/flow-oobe.yaml
+      - templates:/templates
     configs:
       - source: flow_recovery
         target: /blueprints/1_flow_recovery.yaml
@@ -109,7 +116,7 @@ services:
     environment: *env
 
   db:
-    image: postgres:12.14-alpine
+    image: postgres:12.15-alpine
     secrets:
       - db_password
     volumes:
@@ -134,7 +141,7 @@ services:
           backupbot.backup.path: "/var/lib/postgresql/data"
 
   redis:
-    image:  redis:7.0.10-alpine
+    image:  redis:7.0.12-alpine
     networks:
       - internal
     healthcheck:
@@ -169,6 +176,7 @@ networks:
 volumes:
   backups:
   media:
+  templates:
   assets:
   database:
 

custom.css.tmpl

@@ -4,16 +4,16 @@
 :root {
     --ak-accent: #fd4b2d;
 
-    --ak-dark-foreground: #fafafa;
-    --ak-dark-foreground-darker: #bebebe;
-    --ak-dark-foreground-link: #5a5cb9;
-    --ak-dark-background: #18191a;
-    --ak-dark-background-darker: #000000;
+    --ak-dark-foreground: #{{ env "AUTHENTIK_COLOR_FOREGROUND" }};
+    --ak-dark-foreground-darker: #{{ env "AUTHENTIK_COLOR_FOREGROUND_DARKER" }};
+    --ak-dark-foreground-link: #{{ env "AUTHENTIK_COLOR_FOREGROUND_LINK" }};
+    --ak-dark-background: #{{ env "AUTHENTIK_COLOR_BACKGROUND" }};
+    --ak-dark-background-darker: #{{ env "AUTHENTIK_COLOR_BACKGROUND_DARKER" }};
 
 
-    --ak-dark-background-light: {{ env "AUTHENTIK_COLOR_BACKGROUND_LIGHT" }};
-    --ak-dark-background-light-ish: #212427;
-    --ak-dark-background-lighter: #2b2e33;
+    --ak-dark-background-light: #{{ env "AUTHENTIK_COLOR_BACKGROUND_LIGHT" }};
+    --ak-dark-background-light-ish: #{{ env "AUTHENTIK_COLOR_BACKGROUND_LIGHTISH" }};
+    --ak-dark-background-lighter: #{{ env "AUTHENTIK_COLOR_BACKGROUND_LIGHTER" }};
 
     --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
     --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);

flow_authentication.yaml.tmpl

@@ -22,7 +22,6 @@ entries:
   attrs:
     name: !Context welcome_message
     title: !Context welcome_message
-
 ### STAGES
 - identifiers:
     name: default-authentication-identification
@@ -30,6 +29,9 @@ entries:
   attrs:
     password_stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]]
     recovery_flow: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
+    user_fields:
+    - email
+    - username
 
 - identifiers:
     name: default-authentication-login
@@ -37,6 +39,7 @@ entries:
   attrs:
     session_duration: seconds=0
 
+# After the first run this will produce a RelatedObjectDoesNotExist error
 - identifiers:
     order: 20
     stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]]

flow_invalidation.yaml.tmpl

@@ -13,6 +13,7 @@ entries:
 
 ### STAGE BINDINGS
 
+# This is specified only for setting an id (this stagebinding does not have an identifier)
 - identifiers:
     order: 0
     stage: !Find [authentik_stages_user_logout.userlogoutstage, [name, default-invalidation-logout]]

flow_translation.yaml.tmpl

@@ -4,7 +4,7 @@ metadata:
     blueprints.goauthentik.io/instantiate: "true"
   name: Flow Translations
 context:
-  transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort Zurücksetzen" {{ else }} "Reset your password" {{ end }}
+  transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort zurücksetzen" {{ else }} "Reset your password" {{ end }}
   transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort" {{ else }} "Password" {{ end }}
   transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort (wiederholen)" {{ else }} "Password (repeat)" {{ end }}
   transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Benutzername" {{ else }} "Username" {{ end }}
@@ -15,7 +15,7 @@ entries:
 - model: authentik_blueprints.metaapplyblueprint
   attrs:
     identifiers:
-      name: Custom Authentication Flow
+      name: Recovery with email verification
     required: true
 - model: authentik_blueprints.metaapplyblueprint
   attrs:

release/3.2.0+2023.6.1

@@ -0,0 +1 @@
+If you use your own outpost you need to uncomment COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml" to expose the docker socket again.

system_tenant.yaml.tmpl

@@ -13,7 +13,7 @@ entries:
 - model: authentik_blueprints.metaapplyblueprint
   attrs:
     identifiers:
-      name: Invitation Enrollment Flow
+      name: Recovery with email verification
     required: true