general way to copy assets using env variables

2022-11-16 16:15:00 +01:00
74 changed files with 546 additions and 2508 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -1,53 +0,0 @@
 ---
 kind: pipeline
 name: deploy to swarm-test.autonomic.zone
 steps:
  - name: deployment
    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
    settings:
      host: swarm-test.autonomic.zone
      stack: authentik
      generate_secrets: true
      purge: true
      deploy_key:
        from_secret: drone_ssh_swarm_test
      networks:
        - proxy
    environment:
      DOMAIN: authentik.swarm-test.autonomic.zone
      STACK_NAME: authentik
      LETS_ENCRYPT_ENV: production
      CUSTOM_CSS_VERSION: v1
      FLOW_AUTHENTICATION_VERSION: v1
      FLOW_INVITATION_VERSION: v1
      FLOW_INVALIDATION_VERSION: v1
      FLOW_RECOVERY_VERSION: v1
      FLOW_TRANSLATION_VERSION: v1
      SYSTEM_BRAND_VERSION: v1
      NEXTCLOUD_CONFIG_VERSION: v1
      SECRET_SECRET_KEY_VERSION: v1
      SECRET_DB_PASSWORD_VERSION: v1
      SECRET_ADMIN_TOKEN_VERSION: v1
      SECRET_ADMIN_PASS_VERSION: v1
      SECRET_EMAIL_PASS_VERSION: v1
      DB_ENTRYPOINT_VERSION: v1
      PG_BACKUP_VERSION: v2
 trigger:
  branch:
    - main
 ---
 kind: pipeline
 name: generate recipe catalogue
 steps:
  - name: release a new version
    image: plugins/downstream
    settings:
      server: https://build.coopcloud.tech
      token:
        from_secret: drone_abra-bot_token
      fork: true
      repositories:
        - toolshed/auto-recipes-catalogue-json
 trigger:
  event: tag
--- a/.env.sample
+++ b/.env.sample
@ -1,134 +1,42 @@
 TYPE=authentik
 TIMEOUT=900
 ENABLE_AUTO_UPDATE=true
 POST_DEPLOY_CMDS="worker set_admin_pass"
 # Example values for post deploy cmds: "worker set_admin_pass|worker apply_blueprints|worker add_applications"
 LETS_ENCRYPT_ENV=production
 ENABLE_BACKUPS=true
-DOMAIN=authentik.example.com
+DOMAIN={{ .Domain }}
-## Domain aliases
+POSTGRES_PASSWORD=secret
-#EXTRA_DOMAINS=', `www.authentik.example.com`'
+AUTHENTIK_POSTGRESQL__PASSWORD=secret
-COMPOSE_FILE="compose.yml"
+POSTGRES_USER=authentik
-AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME=false
+AUTHENTIK_POSTGRESQL__USER=authentik
-AUTHENTIK_LOG_LEVEL=info
+POSTGRES_DB=authentik
-# AUTHENTIK_IMPERSONATION=true
+AUTHENTIK_POSTGRESQL__NAME=authentik
-# AUTHENTIK_FOOTER_LINKS='[{"name": "My Organization","href":"https://example.com"}]'
+AUTHENTIK_POSTGRESQL__HOST=db
 AUTHENTIK_REDIS__HOST=redis
 AUTHENTIK_ERROR_REPORTING__ENABLED=true
 # WORKERS=1
 AUTHENTIK_SECRET_KEY=secret
 AK_ADMIN_TOKEN=secret
 AK_ADMIN_PASS=secret
-## Outpost Integration
+# EMAIL
 # COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.ldap.yml"
 # SECRET_LDAP_TOKEN_VERSION=v1
 ## ADMIN
 AUTHENTIK_BOOTSTRAP_EMAIL=admin@example.com
 ## EMAIL
 AUTHENTIK_EMAIL__HOST=smtp
-AUTHENTIK_EMAIL__PORT=587
+AUTHENTIK_EMAIL__PORT=25
-AUTHENTIK_EMAIL__USERNAME="noreply@example.com"
+# AUTHENTIK_EMAIL__USERNAME=""
-AUTHENTIK_EMAIL__USE_TLS=true
+# AUTHENTIK_EMAIL__PASSWORD=""
 AUTHENTIK_EMAIL__USE_TLS=false
 AUTHENTIK_EMAIL__USE_SSL=false
 AUTHENTIK_EMAIL__TIMEOUT=10
 AUTHENTIK_EMAIL__FROM=noreply@example.com
 AUTHENTIK_LOG_LEVEL=info
-## Secret Versions
+# Secret Versions
-SECRET_SECRET_KEY_VERSION=v1
+# SECRET_SECRET_KEY_VERSION=v1
-SECRET_DB_PASSWORD_VERSION=v1
+# SECRET_ADMIN_TOKEN_VERSION=v1
-SECRET_ADMIN_TOKEN_VERSION=v1
+# SECRET_ADMIN_PASS_VERSION=v1
 SECRET_ADMIN_PASS_VERSION=v1
 SECRET_EMAIL_PASS_VERSION=v1
 # X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
 AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
 ## FLOW OPTIONS
-# WELCOME_MESSAGE="Welcome to Authentik"
+WELCOME_MESSAGE="Welcome to Authentik"
-# DEFAULT_LANGUAGE=en
+DEFAULT_LANGUAGE=en
-# LOGOUT_REDIRECT="https://$DOMAIN"
+AUTHENTIK_FOOTER_LINKS='[{"name": "My Organization","href":"https://example.com"}]'
-# EMAIL_SUBJECT="Account Recovery"
+COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/ icon_left_brand.svg|app:/web/dist/assets/icons/ icon.png|app:/web/dist/assets/icons/"
 # EMAIL_TOKEN_EXPIRY_MINUTES=30
 ## assets
 COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
 COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/"
 COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 # store custom CSS in a css-volume
 #COMPOSE_FILE="$COMPOSE_FILE:compose.css-volume.yml"
 # NOTE: this causes the authentik container to run as `root` initially; it uses `su` to drop privileges but technically could introduce a security risk. proceed with caution!
 # Default CSS customisation
 # COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
 # BACKGROUND_FONT_COLOR=white
 # BACKGROUND_BOX_COLOR='#eaeaeacf'
 # THEME_BACKGROUND="url('https://authentik.example.com/static/dist/assets/images/flow_background.jpg'); background-position: center; background-repeat: no-repeat; background-size: cover;"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
 # NEXTCLOUD_DOMAIN=nextcloud.example.com
 # SECRET_NEXTCLOUD_ID_VERSION=v1
 # SECRET_NEXTCLOUD_SECRET_VERSION=v1
 # APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.wordpress.yml"
 # WORDPRESS_DOMAIN=wordpress.example.com
 # WORDPRESS_GROUP='wordpress Admins'
 # SECRET_WORDPRESS_ID_VERSION=v1
 # SECRET_WORDPRESS_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS wordpress:~/.abra/recipes/authentik/icons/wordpress.png"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
 # ELEMENT_DOMAIN=element-web.example.com
 # MATRIX_DOMAIN=matrix-synapse.example.com
 # SECRET_MATRIX_ID_VERSION=v1
 # SECRET_MATRIX_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS matrix:~/.abra/recipes/authentik/icons/matrix.svg"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.wekan.yml"
 # WEKAN_DOMAIN=wekan.example.com
 # SECRET_WEKAN_ID_VERSION=v1
 # SECRET_WEKAN_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS wekan:~/.abra/recipes/authentik/icons/wekan.png"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.vikunja.yml"
 # VIKUNJA_DOMAIN=vikunja.example.com
 # SECRET_VIKUNJA_ID_VERSION=v1
 # SECRET_VIKUNJA_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS vikunja:~/.abra/recipes/authentik/icons/vikunja.svg"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.outline.yml"
 # OUTLINE_DOMAIN=outline.example.com
 # SECRET_OUTLINE_ID_VERSION=v1
 # SECRET_OUTLINE_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS outline:~/.abra/recipes/authentik/icons/outline.png"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.kimai.yml"
 # KIMAI_DOMAIN=kimai.example.com
 # SECRET_KIMAI_ID_VERSION=v1
 # SECRET_KIMAI_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS kimai:~/.abra/recipes/authentik/icons/kimai_logo.png"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.zammad.yml"
 # ZAMMAD_DOMAIN=zammad.example.com
 # APP_ICONS="$APP_ICONS zammad:~/.abra/recipes/authentik/icons/zammad.svg"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml"
 # MONITORING_DOMAIN=monitoring.example.com
 # SECRET_MONITORING_ID_VERSION=v1
 # SECRET_MONITORING_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.svg"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.rallly.yml"
 # RALLLY_DOMAIN=rallly.example.com
 # SECRET_RALLLY_ID_VERSION=v1
 # SECRET_RALLLY_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS rallly:~/.abra/recipes/authentik/icons/rallly.png"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.hedgedoc.yml"
 # HEDGEDOC_DOMAIN=hedgedoc.example.com
 # SECRET_HEDGEDOC_ID_VERSION=v1
 # SECRET_HEDGEDOC_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS hedgedoc:~/.abra/recipes/authentik/icons/hedgedoc.png"
 # APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/", "Pretix": "https://pretix.example.com/control/"}'
 # EXTRA_ICONS={"Calendar": "~/.abra/recipes/authentik/icons/calendar.svg", "BBB": "~/.abra/recipes/authentik/icons/bbb.png", "Pretix": "~/.abra/recipes/authentik/icons/pretix.svg"}
--- a/README.md
+++ b/README.md
@ -9,7 +9,7 @@
 * **Category**: Apps
 * **Status**: 0, work-in-progress
-* **Image**: [ghcr/goauthentik/server](https://ghcr.io/goauthentik/server), 4, upstream
+* **Image**: [ghcr/goauthentik/server](https://ghcr.io/goauthentik/server)
 * **Healthcheck**: Yes
 * **Backups**: Yes
 * **Email**: Yes
@ -20,218 +20,20 @@
 ## Quick start
-* `abra app new authentik`
+* `abra app new authentik --secrets`
 * `abra app config <app-name>`
 * `abra app secret insert <app_name> email_pass v1 <password>`
 * `abra app secret generate -a <app_name>`
 * `abra app deploy <app-name>`
 ## Rotate Secrets
 Increment the secret versions using `abra app config <app_name>`
 ```
 abra app secret generate -a <app_name>
 abra app undeploy <app_name>
 abra app deploy <app_name>
 abra app cmd <app_name> db rotate_db_pass
 abra app cmd <app_name> app set_admin_pass
 ```
 ## Add SSO for Nextcloud
 Uncomment Nextcloud configuration and set `NEXTCLOUD_DOMAIN` the using `abra app config <app_name>`:
 ```
 COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
 NEXTCLOUD_DOMAIN=nextcloud.example.com
 SECRET_NEXTCLOUD_ID_VERSION=v1
 SECRET_NEXTCLOUD_SECRET_VERSION=v1
 APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"
 ```
 Set the nextcloud Icon using `abra app cmd -l -d <app_name> set_icons`
 Generate OAuth client id and secret using `abra app secret generate <app_name> -a` (all secrets) or individually:
 - `abra app secret generate <app_name> nextcloud_id`
 - `abra app secret generate <app_name> nextcloud_secret`
 Add the id and secret to nextcloud as secrets with:
 - `abra app secret insert <nextcloud_app_name> authentik_id v1 <id>`
 - `abra app secret insert <nextcloud_app_name> authentik_secret v1 <secret>`
 Redeploy Authentik to enable the nextcloud client.
 The configuration inside Nextcloud can be found in the [nextcloud recipe](https://git.coopcloud.tech/coop-cloud/nextcloud#authentik-integration)
 ## Add LDAP outpost
 - Follow [this official guide](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap/generic_setup) and skip the LDAP Flow as we don't need it.
 - Copy token under `Applications` -> `Outposts` `-> `View Deployment Info` 
 - Comment in envs for compose.outposts.ldap.yaml and secret version
 - Insert token as secret `abra app secret insert <DOMAIN> ldap_token v1 <TOKEN>`
 - Update deployment -> Outpost should be up and running
 ## Import User from CSV
 Users can be imported from a CSV file of the following format:
 `First and last name, username, email@example.com, group1;group2;group3`
 Run the following command to import the file `users.csv`:
 `abra app cmd -l <app_name> import_user users.csv`
 Users will only be created if the username does not exits. I a group does not exists it will be created.
 ## Customization
 Place the files you want to overwrite in a directory `<assets_path>`.
 Run `abra app config <app_name>` and define the env variable `COPY_ASSETS` in the following format:
 ```
 "<source_file1>|<service>:<target_directory1> <source_file2>|<service>:<target_directory2> ...
 ```
 For example:
 ```
 COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
 COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/
 COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 ```
 Run this command after every deploy/upgrade:
 `abra app command --local <app-name> customize <assets_path>`
-## Custom CSS
+This command replaces the background image, the logo and the favicon with the following files placed in the `<assets_path>` directory:
-
+* `flow_background.jpg`
-Uncomment the following env:
+* `icon_left_brand.svg`
-
+* `icon.png`
 ```
 COMPOSE_FILE="$COMPOSE_FILE:compose.css-volume.yml"
 ```
 Redeploy the app:
 ```
 abra app deploy -f <app_name>
 ```
 Copy the CSS and restart the container:
 ```
 abra app cp <app_name> my_custom.css app:/web/dist/assets/custom.css
 abra app restart <app_name> app
 ```
 ## Email templates
 Add custom [email templates](https://goauthentik.io/docs/flow/stages/email/#custom-templates):
 `abra app cmd -l <app_name> add_email_templates local/path/to/mail_template.html`
 ## Blueprints
 These blueprints overwrite default blueprint values:
 - `flow_translation.yaml`
 - `flow_authentication.yaml`
 The following default blueprints will be overwritten by customizations:
 - `flow-password-change.yaml`
 - `flow-default-authentication-flow.yaml`
 - `flow-default-user-settings-flow.yaml`
 - `flow-default-source-enrollment.yaml`
 The `abra.sh` function `apply_blueprints` needs to be executed to deactivate these blueprints to ensure that the customizations won't be overwritten. It will further execute flow_translation.yaml and flow_authentication.yaml again.
 ### Blueprint Overwrite/Use Dependencies
 - Recovery with email verification
    - Default - Password change flow
        - USE:
            - `default-password-change-prompt`
            - `default-password-change-write`
    - Default - Authentication flow
        - USE:
            - `default-authentication-login`
 - Custom Authentication Flow
    - Default - Authentication flow
        - USE:
            - `default-authentication-password`
        - OVERWRITE:
            - `default-authentication-flow`
        - APPEND:
            - `default-authentication-identification`
            - `default-authentication-login`
        - REMOVE: `authentik_flows.flowstagebinding order:20`
    - Recovery with email verification
        - USE:
            - `default-recovery-flow`
 - Invitation Enrollment Flow
    - Default - User settings flow
        - USE:
            - `default-user-settings-field-name`
            - `default-user-settings-field-email`
    - Default - Password change flow
        - USE:
            - `default-password-change-field-password`
            - `default-password-change-field-password-repeat`
    - Default - Authentication flow
        - USE:
            - `default-authentication-login`
    - Default - Source enrollment flow
        - USE:
            - `default-source-enrollment-field-username`
            - `default-source-enrollment-write`
 - Custom Invalidation Flow
    - Default - Invalidation flow
        - APPEND_ATTR:
            - `authentik_flows.flowstagebinding order: 0`
 - Flow Translations
    - Recovery with email verification
        - APPEND: `default-recovery-flow`
    - Default - Password change flow
        - OVERWRITE:
           - `default-password-change-field-password`
           - `default-password-change-field-password-repeat`
    - Default - User settings flow
        - OVERWRITE:
            - `default-user-settings-field-username`
            - `default-user-settings-field-name`
    - Default - Source enrollment flow
        - OVERWRITE:
            - `default-source-enrollment-field-username`
 - Custom System Brand
    - Default - Brand
        - APPEND: `authentik_brands.brand  domain: authentik-default`
    - Recovery with email verification
        - USE:
            - `default-recovery-flow`
 ### Blueprint Dependency Execution Order
 5. Custom System Brand
    - Default - Brand
    1. Recovery with email verification
        - Default - Authentication flow
            - Default - Password change flow
 4. Invitation Enrollment Flow
    3. Flow Translations
        - Default - User settings flow
        - Default - Source enrollment flow
        1. Recovery with email verification
            - Default - Authentication flow
                - Default - Password change flow
 2. Custom Authentication Flow
    1. Recovery with email verification
        - Default - Authentication flow
            - Default - Password change flow
 6. Custom Invalidation Flow
    - Default - Invalidation flow
 For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).
--- a/abra.sh
+++ b/abra.sh
@ -1,24 +1,6 @@
-export CUSTOM_CSS_VERSION=v3
+export CUSTOM_CSS_VERSION=v2
-export FLOW_AUTHENTICATION_VERSION=v4
+export CUSTOM_FLOWS_VERSION=v2
-export FLOW_INVITATION_VERSION=v2
+export RECOVERY_TEMPLATE_DE_VERSION=v1
 export FLOW_INVALIDATION_VERSION=v2
 export FLOW_RECOVERY_VERSION=v1
 export FLOW_TRANSLATION_VERSION=v3
 export SYSTEM_BRAND_VERSION=v4
 export NEXTCLOUD_CONFIG_VERSION=v3
 export WORDPRESS_CONFIG_VERSION=v4
 export MATRIX_CONFIG_VERSION=v3
 export WEKAN_CONFIG_VERSION=v5
 export VIKUNJA_CONFIG_VERSION=v3
 export OUTLINE_CONFIG_VERSION=v4
 export KIMAI_CONFIG_VERSION=v3
 export ZAMMAD_CONFIG_VERSION=v4
 export RALLLY_CONFIG_VERSION=v4
 export HEDGEDOC_CONFIG_VERSION=v3
 export MONITORING_CONFIG_VERSION=v4
 export DB_ENTRYPOINT_VERSION=v1
 export PG_BACKUP_VERSION=v2
 export ENTRYPOINT_CSS_VERSION=v1
 customize() {
    if [ -z "$1" ]
@ -34,261 +16,3 @@ customize() {
        abra app cp $APP_NAME $asset_dir/$source $target
    done
 }
 shell(){
    if [ -z "$1" ]
    then
            echo "Usage: ... shell <python code>"
            exit 1
    fi
    ak shell -c "$1" 2>&1 | quieten
 }
 import_user() {
    if [ -z "$1" ]
    then
            echo "Usage: ... import_user <users.csv>"
            exit 1
    fi
    source_file=$1
    filename=$(basename $source_file)
    abra app cp $APP_NAME $source_file worker:/tmp/
    abra app cmd -T $APP_NAME worker _import_user $filename
 }
 _import_user() {
 /manage.py shell -c """
 import csv
 new_user = User()
 with open('/tmp/$1', newline='') as file:
  reader = csv.reader(file)
  for row in reader:
    name = row[0].strip()
    username = row[1].strip()
    email = row[2].strip()
    groups = row[3].split(';')
    if User.objects.filter(username=username):
        print(f'{username} already exists')
        continue
    new_user = User.objects.create(name=name, username=username, email=email)
    print(f'{username} created')
    for group_name in groups:
        group_name = group_name.strip()
        if Group.objects.filter(name=group_name):
            group = Group.objects.get(name=group_name)
        else:
            group = Group.objects.create(name=group_name)
            print(f'{group_name} created')
        group.users.add(new_user)
        print(f'add {username} to group {group_name}')
 """ 2>&1 | quieten
 }
 set_admin_pass() {
 password=$(cat /run/secrets/admin_pass)
 token=$(cat /run/secrets/admin_token)
 /manage.py shell -c """
 import time
 i = 0
 while (not User.objects.filter(username='akadmin')):
    print('Waiting for akadmin to be created...')
    time.sleep(10)
    i += 1
    if i > 6:
        print('Failed to find admin user!')
        exit()
 akadmin = User.objects.get(username='akadmin')
 akadmin.set_password('$password')
 akadmin.save()
 print('Changed akadmin password')
 from authentik.core.models import TokenIntents
 key='$token'
 if (token:= Token.objects.filter(identifier='authentik-bootstrap-token').first()):
    token.key=key
    token.save()
    print('Changed authentik-bootstrap-token')
 else:
    Token.objects.create(
        identifier='authentik-bootstrap-token',
        user=akadmin,
        intent=TokenIntents.INTENT_API,
        expiring=False,
        key=key,
    )
    print('Created authentik-bootstrap-token')
 """ 2>&1 | quieten
 }
 rotate_db_pass() {
    db_password=$(cat /run/secrets/db_password)
    psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
 }
 # This function is for blueprints that are overwriting custom blueprints
 # It deactivates the affected custom blueprints to avoid changes to be reverted
 apply_blueprints() {
    update_and_disable_blueprint default/flow-password-change.yaml
    update_and_disable_blueprint default/flow-default-authentication-flow.yaml
    update_and_disable_blueprint default/flow-default-user-settings-flow.yaml
    update_and_disable_blueprint default/flow-default-source-enrollment.yaml
    apply_blueprint 3_flow_translation.yaml
    apply_blueprint 2_flow_authentication.yaml
 }
 update_and_disable_blueprint() {
    enable_blueprint $@ 2>&1 | quieten
    sleep 1
    apply_blueprint $@
    sleep 1
    disable_blueprint $@ 2>&1 | quieten
 }
 disable_blueprint() {
    blueprint_state False $@
 }
 enable_blueprint() {
    blueprint_state True $@
 }
 apply_blueprint() {
    echo apply blueprint $@
    ak apply_blueprint $@ 2>&1 | quieten
 }
 blueprint_state() {
 /manage.py shell -c """
 import time
 blueprint_state=$1
 blueprint_path='$2'
 blueprint = BlueprintInstance.objects.filter(path=blueprint_path).first()
 blueprint.enabled = blueprint_state
 # Hacky workaround to reduce chance of a race condition
 blueprint.save()
 time.sleep(1)
 blueprint.save()
 time.sleep(1)
 blueprint.save()
 print(f'{blueprint.name} enabled: {blueprint.enabled}')
 """ 2>&1 | quieten
 }
 add_applications(){
 export APPLICATIONS
 /manage.py shell -c """
 import json
 import os
 if os.environ['APPLICATIONS'] == '':
    exit()
 applications = json.loads(os.environ['APPLICATIONS'])
 for name, url in applications.items():
    print(f'Add {name}: {url}')
    app = Application.objects.filter(name=name).first()
    if not app:
        app = Application()
    app.name = name
    app.slug = name.replace(' ', '-')
    app.meta_launch_url = url
    app.open_in_new_tab = True
    app.save()
 """ 2>&1 | quieten
 }
 quieten(){
    # 'SyntaxWarning|version_regex|"http\['
    # is a workaround to get rid of some verbose syntax warnings, this might be fixed with another version
    grep -Pv '"level": "(info|debug)"|SyntaxWarning|version_regex|"http\[|RuntimeWarning:'
 }
 add_email_templates(){
 for file_path in "$@"; do
    echo copy template $file_path
    abra app cp $APP_NAME $file_path app:/templates/
 done
 }
 set_icons(){
 if [ -n "$1" ]
 then
 APP_ICONS="$1"
 fi
 for icon in $APP_ICONS; do
    app=$(echo $icon | cut -d ":" -f1)
    file_path=$(eval echo $(echo $icon | cut -d ":" -f2))
    file=$(basename $file_path)
    echo copy icon $file_path for $app
    abra app cp $APP_NAME $file_path app:/media/
    abra app cmd -T $APP_NAME app set_app_icon $app /media/$file
 done
 }
 set_extra_icons(){
    if [ -z "$EXTRA_ICONS" ]
    then
        echo "Variable EXTRA_ICONS is not set"
        exit 1
    fi
    export EXTRA_ICONS
    icon_key_values=$(python3 -c "
 import json
 import os
 for key, value in json.loads(os.environ['EXTRA_ICONS']).items():
    print(f'{key}:{value}')
 ")
    set_icons "$icon_key_values"
 }
 set_app_icon() {
 TOKEN=$(cat /run/secrets/admin_token)
 python -c """
 import requests
 import os
 my_token = '$TOKEN'
 application = '$1'
 icon_path = '$2'
 url = f'https://$DOMAIN/api/v3/core/applications/{application}/set_icon/'
 headers = {'Authorization':f'Bearer {my_token}'}
 with open(icon_path, 'rb') as img:
  name_img = os.path.basename(icon_path)
  files= {'file': (name_img,img,'image/png') }
  with requests.Session() as s:
    r = s.post(url,files=files,headers=headers)
    print(r.status_code)
 """
 }
 blueprint_cleanup() {
 /manage.py shell -c """
 delete_flows = ['default-recovery-flow' , 'custom-authentication-flow' , 'invitation-enrollment-flow' , 'initial-setup']
 Flow.objects.filter(slug__in=delete_flows).delete()
 Stage.objects.filter(flow=None).delete()
 Prompt.objects.filter(promptstage=None).delete()
 Brand.objects.filter(default=True).delete()
 """ 2>&1 | quieten
 apply_blueprints
 }
 get_certificate() {
 /manage.py shell -c """
 provider_name='$1'
 if not provider_name:
    print('no Provider Name given')
    exit(1)
 provider = Provider.objects.filter(name=provider_name).first()
 saml = provider.samlprovider
 cert = saml.signing_kp
 print(''.join(cert.certificate_data.splitlines()[1:-1]))
 """ 2>&1 | quieten
 }
 get_user_uid() {
 /manage.py shell -c """
 print(User.objects.filter(username='$1').first().uid)
 """ 2>&1 | quieten
 }
--- a/alaconnect.yml
+++ b/alaconnect.yml
@ -1,89 +0,0 @@
 nextcloud:
    uncomment:
        - compose.nextcloud.yml
        - NEXTCLOUD_DOMAIN
        - SECRET_NEXTCLOUD_ID_VERSION
        - SECRET_NEXTCLOUD_SECRET_VERSION
        - nextcloud.png
 wordpress:
    uncomment:
        - compose.wordpress.yml
        - WORDPRESS_DOMAIN
        - WORDPRESS_GROUP
        - SECRET_WORDPRESS_ID_VERSION
        - SECRET_WORDPRESS_SECRET_VERSION
        - wordpress.png
 matrix-synapse:
    uncomment:
        - compose.matrix.yml
        - ELEMENT_DOMAIN
        - MATRIX_DOMAIN
        - SECRET_MATRIX_ID_VERSION
        - SECRET_MATRIX_SECRET_VERSION
        - matrix.svg
    secrets:
        matrix_id: matrix
 wekan:
    uncomment:
        - compose.wekan.yml
        - WEKAN_DOMAIN
        - SECRET_WEKAN_ID_VERSION
        - SECRET_WEKAN_SECRET_VERSION
        - wekan.png
    secrets:
        wekan_id: wekan
 vikunja:
    uncomment:
        - compose.vikunja.yml
        - VIKUNJA_DOMAIN
        - SECRET_VIKUNJA_ID_VERSION
        - SECRET_VIKUNJA_SECRET_VERSION
        - vikunja.svg
    secrets:
        vikunja_id: vikunja
 kimai:
    uncomment:
        - compose.kimai.yml
        - KIMAI_DOMAIN
        - SECRET_KIMAI_ID_VERSION
        - SECRET_KIMAI_SECRET_VERSION
        - kimai_logo.png
 zammad:
    uncomment:
        - compose.zammad.yml
        - ZAMMAD_DOMAIN
        - zammad.svg
 monitoring-ng:
    uncomment:
        - compose.monitoring.yml
        - MONITORING_DOMAIN
        - SECRET_MONITORING_ID_VERSION
        - SECRET_MONITORING_SECRET_VERSION
        - monitoring.png
 outline:
    uncomment:
        - compose.outline.yml
        - OUTLINE_DOMAIN
        - SECRET_OUTLINE_ID_VERSION
        - SECRET_OUTLINE_SECRET_VERSION
        - outline.png
    secrets:
        outline_id: outline
 rallly:
    uncomment:  
        - compose.rallly.yml
        - RALLLY_DOMAIN
        - SECRET_RALLLY_ID_VERSION
        - SECRET_RALLLY_SECRET_VERSION
        - rallly.png
    secrets:
        rallly_id: rallly
 hedgedoc:
    uncomment:  
        - compose.hedgedoc.yml
        - HEDGEDOC_DOMAIN
        - SECRET_HEDGEDOC_ID_VERSION
        - SECRET_HEDGEDOC_SECRET_VERSION
        - hedgedoc.png
    secrets:
        hedgedoc_id: hedgedoc
--- a/compose.css-volume.yml
+++ b/compose.css-volume.yml
@ -1,16 +0,0 @@
 ---
 version: "3.8"
 services:
  app:
    user: root
    entrypoint: /docker-entrypoint.sh
    configs:
      - source: entrypoint_css
        target: /docker-entrypoint.sh
        mode: 0555
 configs:
  entrypoint_css:
    name: ${STACK_NAME}_entrypoint_css_${ENTRYPOINT_CSS_VERSION}
    file: entrypoint-css-volume.sh
--- a/compose.css.yml
+++ b/compose.css.yml
@ -1,14 +0,0 @@
 ---
 version: '3.8'
 services:
  app:
    configs: 
      - source: custom_css
        target: /web/dist/custom.css
 configs:
  custom_css:
    name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
    file: custom.css.tmpl
    template_driver: golang
--- a/compose.hedgedoc.yml
+++ b/compose.hedgedoc.yml
@ -1,26 +0,0 @@
 version: "3.8"
 services:
  worker:
    secrets:
      - hedgedoc_id
      - hedgedoc_secret
    environment:
      - HEDGEDOC_DOMAIN
    configs:
      - source: hedgedoc
        target: /blueprints/hedgedoc.yaml
 secrets:
  hedgedoc_id:
    external: true
    name: ${STACK_NAME}_hedgedoc_id_${SECRET_HEDGEDOC_ID_VERSION}
  hedgedoc_secret:
    external: true
    name: ${STACK_NAME}_hedgedoc_secret_${SECRET_HEDGEDOC_SECRET_VERSION}
 configs:
  hedgedoc:
    name: ${STACK_NAME}_hedgedoc_${HEDGEDOC_CONFIG_VERSION}
    file: hedgedoc.yaml.tmpl
    template_driver: golang
--- a/compose.kimai.yml
+++ b/compose.kimai.yml
@ -1,14 +0,0 @@
 version: "3.8"
 services:
  worker:
    environment:
      - KIMAI_DOMAIN
    configs:
      - source: kimai
        target: /blueprints/kimai.yaml
 configs:
  kimai:
    name: ${STACK_NAME}_kimai_${KIMAI_CONFIG_VERSION}
    file: kimai.yaml.tmpl
    template_driver: golang
--- a/compose.matrix.yml
+++ b/compose.matrix.yml
@ -1,33 +0,0 @@
 version: "3.8"
 services:
  app:
    deploy:
      labels:
        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect-matrix-well-known"
        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.regex=^https://(.*)/.well-known/matrix/(.*)"
        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.replacement=https://${MATRIX_DOMAIN}/.well-known/matrix/$$2"
  worker:
    secrets:
      - matrix_id
      - matrix_secret
    environment:
      - ELEMENT_DOMAIN
      - MATRIX_DOMAIN
    configs:
      - source: matrix
        target: /blueprints/matrix.yaml
 secrets:
  matrix_id:
    external: true
    name: ${STACK_NAME}_matrix_id_${SECRET_MATRIX_ID_VERSION}
  matrix_secret:
    external: true
    name: ${STACK_NAME}_matrix_secret_${SECRET_MATRIX_SECRET_VERSION}
 configs:
  matrix:
    name: ${STACK_NAME}_matrix_${MATRIX_CONFIG_VERSION}
    file: matrix.yaml.tmpl
    template_driver: golang
--- a/compose.monitoring.yml
+++ b/compose.monitoring.yml
@ -1,26 +0,0 @@
 version: "3.8"
 services:
  worker:
    secrets:
      - monitoring_id
      - monitoring_secret
    environment:
      - MONITORING_DOMAIN 
    configs:
      - source: monitoring
        target: /blueprints/monitoring.yaml
 secrets:
  monitoring_id:
    external: true
    name: ${STACK_NAME}_monitoring_id_${SECRET_MONITORING_ID_VERSION}
  monitoring_secret:
    external: true
    name: ${STACK_NAME}_monitoring_secret_${SECRET_MONITORING_SECRET_VERSION}
 configs:
  monitoring:
    name: ${STACK_NAME}_monitoring_${MONITORING_CONFIG_VERSION}
    file: monitoring.yaml.tmpl
    template_driver: golang
--- a/compose.nextcloud.yml
+++ b/compose.nextcloud.yml
@ -1,26 +0,0 @@
 version: "3.8"
 services:
  worker:
    secrets:
      - nextcloud_id
      - nextcloud_secret
    environment:
      - NEXTCLOUD_DOMAIN
    configs:
      - source: nextcloud
        target: /blueprints/nextcloud.yaml
 secrets:
  nextcloud_id:
    external: true
    name: ${STACK_NAME}_nextcloud_id_${SECRET_NEXTCLOUD_ID_VERSION}
  nextcloud_secret:
    external: true
    name: ${STACK_NAME}_nextcloud_secret_${SECRET_NEXTCLOUD_SECRET_VERSION}
 configs:
  nextcloud:
    name: ${STACK_NAME}_nextcloud_${NEXTCLOUD_CONFIG_VERSION}
    file: nextcloud.yaml.tmpl
    template_driver: golang
--- a/compose.outline.yml
+++ b/compose.outline.yml
@ -1,26 +0,0 @@
 version: "3.8"
 services:
  worker:
    secrets:
      - outline_id
      - outline_secret
    environment:
      - OUTLINE_DOMAIN
    configs:
      - source: outline
        target: /blueprints/outline.yaml
 secrets:
  outline_id:
    external: true
    name: ${STACK_NAME}_outline_id_${SECRET_OUTLINE_ID_VERSION}
  outline_secret:
    external: true
    name: ${STACK_NAME}_outline_secret_${SECRET_OUTLINE_SECRET_VERSION}
 configs:
  outline:
    name: ${STACK_NAME}_outline_${OUTLINE_CONFIG_VERSION}
    file: outline.yaml.tmpl
    template_driver: golang
--- a/compose.outposts.ldap.yml
+++ b/compose.outposts.ldap.yml
@ -1,23 +0,0 @@
 version: "3.8"
 services:
  authentik_ldap:
      image: ghcr.io/goauthentik/ldap:2025.2.4
      # Optionally specify which networks the container should be
      # might be needed to reach the core authentik server
      networks:
        - internal
        - proxy
      ports:
        - 389:3389
        - 636:6636
      secrets:
        - ldap_token
      environment:
        - AUTHENTIK_HOST=https://${DOMAIN}
        - AUTHENTIK_INSECURE=true
        - AUTHENTIK_TOKEN=file:///run/secrets/ldap_token
 secrets:
  ldap_token:
    external: true
    name: ${STACK_NAME}_ldap_token_${SECRET_LDAP_TOKEN_VERSION}
--- a/compose.outposts.yml
+++ b/compose.outposts.yml
@ -1,6 +0,0 @@
 version: "3.8"
 services:
  worker:
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
--- a/compose.rallly.yml
+++ b/compose.rallly.yml
@ -1,26 +0,0 @@
 version: "3.8"
 services:
  worker:
    secrets:
      - rallly_id
      - rallly_secret
    environment:
      - RALLLY_DOMAIN
    configs:
      - source: rallly
        target: /blueprints/rallly.yaml
 secrets:
  rallly_id:
    external: true
    name: ${STACK_NAME}_rallly_id_${SECRET_RALLLY_ID_VERSION}
  rallly_secret:
    external: true
    name: ${STACK_NAME}_rallly_secret_${SECRET_RALLLY_SECRET_VERSION}
 configs:
  rallly:
    name: ${STACK_NAME}_rallly_${RALLLY_CONFIG_VERSION}
    file: rallly.yaml.tmpl
    template_driver: golang
--- a/compose.vikunja.yml
+++ b/compose.vikunja.yml
@ -1,26 +0,0 @@
 version: "3.8"
 services:
  worker:
    secrets:
      - vikunja_id
      - vikunja_secret
    environment:
      - VIKUNJA_DOMAIN
    configs:
      - source: vikunja
        target: /blueprints/vikunja.yaml
 secrets:
  vikunja_id:
    external: true
    name: ${STACK_NAME}_vikunja_id_${SECRET_VIKUNJA_ID_VERSION}
  vikunja_secret:
    external: true
    name: ${STACK_NAME}_vikunja_secret_${SECRET_VIKUNJA_SECRET_VERSION}
 configs:
  vikunja:
    name: ${STACK_NAME}_vikunja_${VIKUNJA_CONFIG_VERSION}
    file: vikunja.yaml.tmpl
    template_driver: golang
--- a/compose.wekan.yml
+++ b/compose.wekan.yml
@ -1,26 +0,0 @@
 version: "3.8"
 services:
  worker:
    secrets:
      - wekan_id
      - wekan_secret
    environment:
      - WEKAN_DOMAIN
    configs:
      - source: wekan
        target: /blueprints/wekan.yaml
 secrets:
  wekan_id:
    external: true
    name: ${STACK_NAME}_wekan_id_${SECRET_WEKAN_ID_VERSION}
  wekan_secret:
    external: true
    name: ${STACK_NAME}_wekan_secret_${SECRET_WEKAN_SECRET_VERSION}
 configs:
  wekan:
    name: ${STACK_NAME}_wekan_${WEKAN_CONFIG_VERSION}
    file: wekan.yaml.tmpl
    template_driver: golang
--- a/compose.wordpress.yml
+++ b/compose.wordpress.yml
@ -1,27 +0,0 @@
 version: "3.8"
 services:
  worker:
    secrets:
      - wordpress_id
      - wordpress_secret
    environment:
      - WORDPRESS_DOMAIN
      - WORDPRESS_GROUP
    configs:
      - source: wordpress
        target: /blueprints/wordpress.yaml
 secrets:
  wordpress_id:
    external: true
    name: ${STACK_NAME}_wordpress_id_${SECRET_WORDPRESS_ID_VERSION}
  wordpress_secret:
    external: true
    name: ${STACK_NAME}_wordpress_secret_${SECRET_WORDPRESS_SECRET_VERSION}
 configs:
  wordpress:
    name: ${STACK_NAME}_wordpress_${WORDPRESS_CONFIG_VERSION}
    file: wordpress.yaml.tmpl
    template_driver: golang
--- a/compose.yml
+++ b/compose.yml
@ -1,70 +1,68 @@
 ---
 x-env: &env
-    - AUTHENTIK_POSTGRESQL__PASSWORD=file:///run/secrets/db_password
+    - AUTHENTIK_POSTGRESQL__PASSWORD
-    - AUTHENTIK_POSTGRESQL__USER=authentik
+    - AUTHENTIK_POSTGRESQL__USER
-    - AUTHENTIK_POSTGRESQL__NAME=authentik
+    - AUTHENTIK_POSTGRESQL__NAME
-    - AUTHENTIK_POSTGRESQL__HOST=db
+    - AUTHENTIK_POSTGRESQL__HOST
-    - AUTHENTIK_REDIS__HOST=redis
+    - AUTHENTIK_REDIS__HOST
    - AUTHENTIK_ERROR_REPORTING__ENABLED
-    - AUTHENTIK_SECRET_KEY=file:///run/secrets/secret_key
+    - AUTHENTIK_SECRET_KEY= #file:///run/secrets/secret_key
    - AK_ADMIN_TOKEN= #file:///run/secrets/admin_token
    - AK_ADMIN_PASS= #file:///run/secrets/admin_pass
    - AUTHENTIK_EMAIL__HOST
    - AUTHENTIK_EMAIL__PORT
    - AUTHENTIK_EMAIL__USERNAME
-    - AUTHENTIK_EMAIL__PASSWORD=file:///run/secrets/email_pass
+    - AUTHENTIK_EMAIL__PASSWORD
    - AUTHENTIK_EMAIL__USE_TLS
    - AUTHENTIK_EMAIL__USE_SSL
    - AUTHENTIK_EMAIL__TIMEOUT
    - AUTHENTIK_EMAIL__FROM
    - AUTHENTIK_LOG_LEVEL
-    - BACKGROUND_FONT_COLOR=${BACKGROUND_FONT_COLOR:-white}
+    - AUTHENTIK_SETTINGS__THEME__BACKGROUND
-    - BACKGROUND_BOX_COLOR=${BACKGROUND_BOX_COLOR:-#eaeaeacf}
+    - AUTHENTIK_COLOR_BACKGROUND_LIGHT
    - AUTHENTIK_FOOTER_LINKS
    - AUTHENTIK_IMPERSONATION
    - AUTHENTIK_BOOTSTRAP_EMAIL
    - WELCOME_MESSAGE
    - DEFAULT_LANGUAGE
    - EMAIL_SUBJECT
    - EMAIL_TOKEN_EXPIRY_MINUTES
    - DOMAIN
    - LOGOUT_REDIRECT
    - APPLICATIONS
    - THEME_BACKGROUND
 version: '3.8'
 services:
  app:
-    image: ghcr.io/goauthentik/server:2025.2.4
+    image: ghcr.io/goauthentik/server:2022.10.1
    command: server
-    depends_on:
+    # secrets:
-      - db
+    #   - db_password
-      - redis
+    #   - admin_pass
-    secrets:
+    #   - admin_token
-      - db_password
+    #   - secret_key
      - admin_pass
      - admin_token
      - secret_key
      - email_pass
    volumes:
      - media:/media
-      - assets:/web/dist/assets
+      - custom-templates:/templates
-      - templates:/templates
+    configs:
      - source: custom_css
        target: /web/dist/custom.css
      - source: recovery_template_de
        target: /templates/password_reset_de.html
    networks:
      - internal
      - proxy
    healthcheck:
-      test: "ak healthcheck"
+      test: ["CMD", "curl", "-f", "localhost:9000/-/health/live/"]
      interval: 30s
-      timeout: 30s
+      timeout: 10s
      retries: 10
-      start_period: 5m
+      start_period: 1m
    environment: *env
    deploy:
      update_config:
        failure_action: rollback
        order: start-first
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=proxy"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=9000"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions"
@ -72,115 +70,80 @@ services:
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
        - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
        - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=7.1.0+2025.2.4"
+        - "coop-cloud.${STACK_NAME}.version=0.6.0+2022.10.1"
        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
  worker:
-    image: ghcr.io/goauthentik/server:2025.2.4
+    image: ghcr.io/goauthentik/server:2022.10.1
    command: worker
-    depends_on:
+    # secrets:
-      - db
+      # - db_password
-      - redis
+      # - admin_pass
-    secrets:
+      # - admin_token
-      - db_password
+      # - secret_key
      - admin_pass
      - admin_token
      - secret_key
      - email_pass
    networks:
      - internal
      - proxy
    user: root
    volumes:
      - backups:/backups
      - media:/media
-      - /dev/null:/blueprints/default/flow-oobe.yaml
+      - /var/run/docker.sock:/var/run/docker.sock
-      - templates:/templates
+      - custom-templates:/templates
-      - certs:/certs
+      - /dev/null:/blueprints/default/10-flow-default-authentication-flow.yaml
    configs:
-      - source: flow_recovery
+      - source: custom_flows
-        target: /blueprints/1_flow_recovery.yaml
+        target: /blueprints/custom_flows.yaml
      - source: flow_authentication
        target: /blueprints/2_flow_authentication.yaml
      - source: flow_translation
        target: /blueprints/3_flow_translation.yaml
      - source: flow_invitation
        target: /blueprints/4_flow_invitation.yaml
      - source: system_brand
        target: /blueprints/5_system_brand.yaml
      - source: flow_invalidation
        target: /blueprints/6_flow_invalidation.yaml
    environment: *env
    healthcheck:
      test: "ak healthcheck"
      interval: 30s
      timeout: 30s
      retries: 10
      start_period: 5m
  db:
-    image: postgres:15.12
+    image: postgres:12.12-alpine
-    secrets:
+    # secrets:
-      - db_password
+      # - db_password
    configs:
      - source: db_entrypoint
        target: /docker-entrypoint.sh
        mode: 0555
      - source: pg_backup
        target: /pg_backup.sh
        mode: 0555
    entrypoint:
      /docker-entrypoint.sh
    volumes:
      - database:/var/lib/postgresql/data
    networks:
      - internal
    healthcheck:
-      test: ["CMD", "pg_isready", "-U", "authentik"]
+      test: ["CMD", "pg_isready"]
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 1m
    environment:
-      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
+      - POSTGRES_PASSWORD
-      - POSTGRES_USER=authentik
+      - POSTGRES_USER
-      - POSTGRES_DB=authentik
+      - POSTGRES_DB
    deploy:
      labels:
-          backupbot.backup: "${ENABLE_BACKUPS:-true}"
+          backupbot.backup: "true"
-          backupbot.backup.pre-hook: "/pg_backup.sh backup"
+          backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=${POSTGRES_PASSWORD} pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > /tmp/backup/backup.sql"
-          backupbot.backup.volumes.database.path: "backup.sql"
+          backupbot.backup.post-hook: "rm -rf /tmp/backup"
-          backupbot.backup.volumes.redis: "false"
+          backupbot.backup.path: "/tmp/backup/"
          backupbot.restore.post-hook: '/pg_backup.sh restore'
  redis:
-    image:  redis:7.4.2-alpine
+    image:  redis:7.0.5-alpine
    command: --save 60 1 --loglevel warning
    networks:
      - internal
    healthcheck:
-      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      test: ["CMD", "redis-cli","ping"]
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 1m
    volumes:
        - redis:/data
-secrets:
+# secrets:
-  db_password:
+  # db_password:
-    external: true
+  #   external: true
-    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+  #   name: ${STACK_NAME}_db_password
-  secret_key:
+  # secret_key:
-    external: true
+  #   external: true
-    name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
+  #   name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
-  admin_token:
+  # admin_token:
-    external: true
+  #   external: true
-    name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
+  #   name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
-  admin_pass:
+  # admin_pass:
-    external: true
+  #   external: true
-    name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION}
+  #   name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION}
  email_pass:
    external: true
    name: ${STACK_NAME}_email_pass_${SECRET_EMAIL_PASS_VERSION}
 networks:
  proxy:
@ -188,42 +151,20 @@ networks:
  internal:
 volumes:
  backups:
  media:
-  certs:
+  custom-templates:
  redis:
  templates:
  assets:
  database:
 configs:
-  flow_authentication:
+  custom_css:
-    name: ${STACK_NAME}_flow_authentication_${FLOW_AUTHENTICATION_VERSION}
+    name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
-    file: flow_authentication.yaml.tmpl
+    file: custom.css.tmpl
    template_driver: golang
-  flow_invitation:
+  recovery_template_de:
-    name: ${STACK_NAME}_flow_invitation_${FLOW_INVITATION_VERSION}
+    name: ${STACK_NAME}_recovery_template_de_${RECOVERY_TEMPLATE_DE_VERSION}
-    file: flow_invitation.yaml.tmpl
+    file: password_reset_de.html
  custom_flows:
    name: ${STACK_NAME}_custom_flows_${CUSTOM_FLOWS_VERSION}
    file: custom_flows.yaml.tmpl
    template_driver: golang
  flow_invalidation:
    name: ${STACK_NAME}_flow_invalidation_${FLOW_INVALIDATION_VERSION}
    file: flow_invalidation.yaml.tmpl
    template_driver: golang
  flow_recovery:
    name: ${STACK_NAME}_flow_recovery_${FLOW_RECOVERY_VERSION}
    file: flow_recovery.yaml.tmpl
    template_driver: golang
  flow_translation:
    name: ${STACK_NAME}_flow_translation_${FLOW_TRANSLATION_VERSION}
    file: flow_translation.yaml.tmpl
    template_driver: golang
  system_brand:
    name: ${STACK_NAME}_system_brand_${SYSTEM_BRAND_VERSION}
    file: system_brand.yaml.tmpl
    template_driver: golang
  db_entrypoint:
    name: ${STACK_NAME}_db_entrypoint_${DB_ENTRYPOINT_VERSION}
    file: entrypoint.postgres.sh.tmpl
    template_driver: golang
  pg_backup:
    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
    file: pg_backup.sh
--- a/compose.zammad.yml
+++ b/compose.zammad.yml
@ -1,14 +0,0 @@
 version: "3.8"
 services:
  worker:
    environment:
      - ZAMMAD_DOMAIN
    configs:
      - source: zammad
        target: /blueprints/zammad.yaml
 configs:
  zammad:
    name: ${STACK_NAME}_zammad_${ZAMMAD_CONFIG_VERSION}
    file: zammad.yaml.tmpl
    template_driver: golang
--- a/custom.css.tmpl
+++ b/custom.css.tmpl
@ -1,13 +1,24 @@
 /* my custom css */
 :root {
-        --pf-global--BackgroundColor--100: {{ env "BACKGROUND_BOX_COLOR" }} !important;
+    --ak-accent: #fd4b2d;
    --ak-dark-foreground: #fafafa;
    --ak-dark-foreground-darker: #bebebe;
    --ak-dark-foreground-link: #5a5cb9;
    --ak-dark-background: #18191a;
    --ak-dark-background-darker: #000000;
    --ak-dark-background-light: {{ env "AUTHENTIK_COLOR_BACKGROUND_LIGHT" }};
    --ak-dark-background-light-ish: #212427;
    --ak-dark-background-lighter: #2b2e33;
    --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
    --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
    --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
    --pf-c-background-image--BackgroundImage--sm-2x: var(--ak-flow-background);
    --pf-c-background-image--BackgroundImage--lg: var(--ak-flow-background);
 }
 .pf-c-login__main {
        background-color: {{ env "BACKGROUND_BOX_COLOR" }};
 }
 .pf-c-content h1 {
        color: {{ env "BACKGROUND_FONT_COLOR" }};
 }
--- a/custom_flows.yaml.tmpl
+++ b/custom_flows.yaml.tmpl
@ -0,0 +1,356 @@
 version: 1
 metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
  name: Custom - Flows
 context:
 ####### Translations ########
  transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Passwort Zurücksetzen {{ else }} Reset your password {{ end }}
  transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Passwort {{ else }} Password {{ end }}
  transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Passwort (wiederholen) {{ else }} Password (repeat) {{ end }}
  transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Benutzername {{ else }} Username {{ end }}
  transl_name: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Vor- und Nachname {{ else }} Full name {{ end }}
  transl_template_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} password_reset_de.html {{ else }} email/password_reset.html {{ end }}
 entries:
 ######## Email Recovery Flow ######## 
 - identifiers:
    slug: default-recovery-flow
  id: recovery_flow
  model: authentik_flows.flow
  attrs:
    name: Default recovery flow
    title: !Context transl_recovery
    designation: recovery
 ### PROMPTS
 - identifiers:
    field_key: password
    label: !Context transl_password
  id: prompt-field-password
  model: authentik_stages_prompt.prompt
  attrs:
    type: password
    required: true
    placeholder: !Context transl_password
    order: 30
    placeholder_expression: false
 - identifiers:
    field_key: password_repeat
    label: !Context transl_password_repeat
  id: prompt-field-password-repeat
  model: authentik_stages_prompt.prompt
  attrs:
    type: password
    required: true
    placeholder: !Context transl_password_repeat
    order: 31
    placeholder_expression: false
 ### STAGES
 - identifiers:
    name: default-recovery-email
  id: default-recovery-email
  model: authentik_stages_email.emailstage
  attrs:
    use_global_settings: true
    token_expiry: 30
    subject: authentik
    template: !Context transl_template_recovery
    activate_user_on_success: true
 - identifiers:
    name: default-recovery-user-write
  id: default-recovery-user-write
  model: authentik_stages_user_write.userwritestage
 - identifiers:
    name: default-recovery-identification
  id: default-recovery-identification
  model: authentik_stages_identification.identificationstage
  attrs:
    user_fields:
      - email
      - username
 - identifiers:
    name: default-recovery-user-login
  id: default-recovery-user-login
  model: authentik_stages_user_login.userloginstage
  attrs:
    session_duration: seconds=0
 - identifiers:
    name: Change your password
  id: stage-prompt-password
  model: authentik_stages_prompt.promptstage
  attrs:
    fields:
      - !KeyOf prompt-field-password
      - !KeyOf prompt-field-password-repeat
    validation_policies: []
 ### STAGE BINDINGS
 - identifiers:
    target: !KeyOf recovery_flow
    stage: !KeyOf default-recovery-identification
    order: 10
  model: authentik_flows.flowstagebinding
  id: flow-binding-identification
  attrs:
    evaluate_on_plan: true
    re_evaluate_policies: true
    policy_engine_mode: any
    invalid_response_action: retry
 - identifiers:
    target: !KeyOf recovery_flow
    stage: !KeyOf default-recovery-email
    order: 20
  model: authentik_flows.flowstagebinding
  id: flow-binding-email
  attrs:
    evaluate_on_plan: true
    re_evaluate_policies: true
    policy_engine_mode: any
    invalid_response_action: retry
 - identifiers:
    target: !KeyOf recovery_flow
    stage: !KeyOf stage-prompt-password
    order: 30
  model: authentik_flows.flowstagebinding
  attrs:
    evaluate_on_plan: true
    re_evaluate_policies: false
    policy_engine_mode: any
    invalid_response_action: retry
 - identifiers:
    target: !KeyOf recovery_flow
    stage: !KeyOf default-recovery-user-write
    order: 40
  model: authentik_flows.flowstagebinding
  attrs:
    evaluate_on_plan: true
    re_evaluate_policies: false
    policy_engine_mode: any
    invalid_response_action: retry
 - identifiers:
    target: !KeyOf recovery_flow
    stage: !KeyOf default-recovery-user-login
    order: 100
  model: authentik_flows.flowstagebinding
  attrs:
    evaluate_on_plan: true
    re_evaluate_policies: false
    policy_engine_mode: any
    invalid_response_action: retry
 ### POLICIES
 ## ISSUES with this policy
 ## https://github.com/goauthentik/authentik/blob/493cdd5c0f8caaec7a7dd474f1aa131e32fd39c3/blueprints/example/flows-recovery-email-verification.yaml#L37
 ## https://github.com/goauthentik/authentik/commit/317e9ec6053742e17ba74fb6aa38dc15aaf6657f#diff-a5c56bb7c60e27dda1b131b3fc2a17e3af6624e7cfaaa2337ec6b077ca489f34
 # - identifiers:
 #     name: default-recovery-skip-if-restored
 #   id: default-recovery-skip-if-restored
 #   model: authentik_policies_expression.expressionpolicy
 #   attrs:
 #     expression: |
 #       return request.context.get('is_restored', False)
 ### POLICY BINDINGS
 # - identifiers:
 #     policy: !KeyOf default-recovery-skip-if-restored
 #     target: !KeyOf flow-binding-identification
 #     order: 0
 #   model: authentik_policies.policybinding
 #   attrs:
 #     negate: false
 #     enabled: true
 #     timeout: 30
 # - identifiers:
 #     policy: !KeyOf default-recovery-skip-if-restored
 #     target: !KeyOf flow-binding-email
 #     order: 0
 #   model: authentik_policies.policybinding
 #   attrs:
 #     negate: false
 #     enabled: true
 #     timeout: 30
 ######## Authentication Flow ######## 
 - attrs:
    designation: authentication
    name: custom-authentication-flow
    title: {{ env "WELCOME_MESSAGE" }}
  identifiers:
    slug: custom-authentication-flow
  id: authentication_flow
  model: authentik_flows.flow
 ### STAGES
 - attrs:
    backends:
    - authentik.core.auth.InbuiltBackend
    - authentik.sources.ldap.auth.LDAPBackend
    - authentik.core.auth.TokenBackend
    configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]
  identifiers:
    name: custom-authentication-password
  id: custom-authentication-password
  model: authentik_stages_password.passwordstage
 - identifiers:
    name: custom-authentication-mfa-validation
  id: custom-authentication-mfa-validation
  model: authentik_stages_authenticator_validate.authenticatorvalidatestage
 - attrs:
    password_stage: !KeyOf custom-authentication-password
    recovery_flow: !KeyOf recovery_flow  # !Find [authentik_flows.flow, [slug, default-recovery-flow]]
    user_fields:
    - email
    - username
  identifiers:
    name: custom-authentication-identification
  id: custom-authentication-identification
  model: authentik_stages_identification.identificationstage
 - attrs:
    session_duration: seconds=0
  identifiers:
    name: custom-authentication-login
  id: custom-authentication-login
  model: authentik_stages_user_login.userloginstage
 ### STAGE BINDINGS
 - identifiers:
    order: 10
    stage: !KeyOf custom-authentication-identification
    target: !KeyOf authentication_flow
  model: authentik_flows.flowstagebinding
 - identifiers:
    order: 30
    stage: !KeyOf custom-authentication-mfa-validation
    target: !KeyOf authentication_flow
  model: authentik_flows.flowstagebinding
 - identifiers:
    order: 100
    stage: !KeyOf custom-authentication-login
    target: !KeyOf authentication_flow
  model: authentik_flows.flowstagebinding
 ######## Invitation Enrollment Flow ######## 
 - attrs:
    designation: enrollment
    name: invitation-enrollment-flow
    title: {{ env "WELCOME_MESSAGE" }}
  identifiers:
    slug: invitation-enrollment-flow
  id: invitation-enrollment-flow
  model: authentik_flows.flow
 ### PROMPTS
 - identifiers:
    field_key: username
    label: !Context transl_username
  id: prompt-field-username
  model: authentik_stages_prompt.prompt
  attrs:
    type: username
    required: true
    placeholder: !Context transl_username
    order: 0
    placeholder_expression: false
 - identifiers:
    field_key: name
    label: !Context transl_name
  id: prompt-field-name
  model: authentik_stages_prompt.prompt
  attrs:
    type: text
    required: true
    placeholder: !Context transl_name
    order: 1
    placeholder_expression: false
 - identifiers:
    field_key: email
    label: Email
  id: prompt-field-email
  model: authentik_stages_prompt.prompt
  attrs:
    type: email
    required: true
    placeholder: muster@example.com
    order: 2
    placeholder_expression: false
 ### STAGES
 - id: invitation-stage
  identifiers:
    name: invitation-stage
  model: authentik_stages_invitation.invitationstage
 - attrs:
    fields:
      - !KeyOf prompt-field-username
      - !KeyOf prompt-field-name
      - !KeyOf prompt-field-email
      - !KeyOf prompt-field-password
      - !KeyOf prompt-field-password-repeat
  id: enrollment-prompt-userdata
  identifiers:
    name: enrollment-prompt-userdata
  model: authentik_stages_prompt.promptstage
 - id: enrollment-user-write
  identifiers:
    name: enrollment-user-write
  model: authentik_stages_user_write.userwritestage
 - attrs:
    session_duration: seconds=0
  id: enrollment-user-login
  identifiers:
    name: enrollment-user-login
  model: authentik_stages_user_login.userloginstage
 ### STAGE BINDINGS
 - identifiers:
    order: 1
    stage: !KeyOf invitation-stage
    target: !KeyOf invitation-enrollment-flow
  model: authentik_flows.flowstagebinding
 - identifiers:
    order: 10
    stage: !KeyOf enrollment-prompt-userdata
    target: !KeyOf invitation-enrollment-flow
  model: authentik_flows.flowstagebinding
 - identifiers:
    order: 20
    stage: !KeyOf enrollment-user-write
    target: !KeyOf invitation-enrollment-flow
  model: authentik_flows.flowstagebinding
 - identifiers:
    order: 100
    stage: !KeyOf enrollment-user-login
    target: !KeyOf invitation-enrollment-flow
  model: authentik_flows.flowstagebinding
 ######## System Tenant ##########
 - attrs:
    attributes: 
      settings:
        locale: {{ env "DEFAULT_LANGUAGE" }}
    # branding_favicon: /static/dist/assets/icons/icon.png
    # branding_logo: /static/dist/assets/icons/icon_left_brand.svg
    # branding_title: Authentik
    # default: true
    domain: {{ env "DOMAIN" }}
    # event_retention: days=365
    flow_authentication: !KeyOf authentication_flow
    flow_recovery: !KeyOf recovery_flow
    flow_invalidation: !Find [authentik_flows.flow, [slug, default-invalidation-flow]]
    flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
  identifiers:
    pk: 047cce25-aae2-4b02-9f96-078e155f803d
  id: system_tenant
  model: authentik_tenants.tenant
--- a/entrypoint-css-volume.sh
+++ b/entrypoint-css-volume.sh
@ -1,5 +0,0 @@
 #!/bin/sh
 cp -f /web/dist/assets/custom.css /web/dist/custom.css
 su $(id -un 1000) -s /bin/bash -c 'dumb-init -- ak server'
--- a/entrypoint.postgres.sh.tmpl
+++ b/entrypoint.postgres.sh.tmpl
@ -1,45 +0,0 @@
 #!/bin/bash
 set -e
 MIGRATION_MARKER=$PGDATA/migration_in_progress
 OLDDATA=$PGDATA/old_data
 NEWDATA=$PGDATA/new_data
 if [ -e $MIGRATION_MARKER ]; then
  echo "FATAL: migration was started but did not complete in a previous run. manual recovery necessary"
  exit 1
 fi
 if [ -f $PGDATA/PG_VERSION ]; then
  DATA_VERSION=$(cat $PGDATA/PG_VERSION)
  if [ -n "$DATA_VERSION" -a "$PG_MAJOR" != "$DATA_VERSION" ]; then
    echo "postgres data version $DATA_VERSION found, but need $PG_MAJOR. Starting migration"
    echo "Installing postgres $DATA_VERSION"
    sed -i "s/$/ $DATA_VERSION/" /etc/apt/sources.list.d/pgdg.list
    apt-get update && apt-get install -y --no-install-recommends \
      postgresql-$DATA_VERSION \
      && rm -rf /var/lib/apt/lists/*
    echo "shuffling around"
    chown -R postgres:postgres $PGDATA
    gosu postgres mkdir $OLDDATA $NEWDATA
    chmod 700 $OLDDATA $NEWDATA
    mv $PGDATA/* $OLDDATA/ || true
    touch $MIGRATION_MARKER
    echo "running initdb"
    # abuse entrypoint script for initdb by making server error out
    gosu postgres bash -c "export PGDATA=$NEWDATA ; /usr/local/bin/docker-entrypoint.sh --invalid-arg || true"
    echo "running pg_upgrade"
    cd /tmp
    gosu postgres pg_upgrade --link -b /usr/lib/postgresql/$DATA_VERSION/bin -d $OLDDATA -D $NEWDATA -U $POSTGRES_USER
    cp $OLDDATA/pg_hba.conf $NEWDATA/
    mv $NEWDATA/* $PGDATA
    rm -rf $OLDDATA
    rmdir $NEWDATA
    rm $MIGRATION_MARKER
    echo "migration complete"
  fi
 fi
 /usr/local/bin/docker-entrypoint.sh postgres
--- a/flow_authentication.yaml.tmpl
+++ b/flow_authentication.yaml.tmpl
@ -1,48 +0,0 @@
 version: 1
 metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
  name: Custom Authentication Flow
 context:
  welcome_message: {{ if eq (env "WELCOME_MESSAGE") "" }} "Welcome to authentik!" {{ else }} {{ env "WELCOME_MESSAGE" }} {{ end }}
 entries:
 ### DEPENDENCIES
 - model: authentik_blueprints.metaapplyblueprint
  attrs:
    identifiers:
      name: Recovery with email verification
    required: true
 ### FLOW
 - model: authentik_flows.flow
  identifiers:
    slug: default-authentication-flow
  id: flow
  attrs:
    name: !Context welcome_message
    title: !Context welcome_message
 ### STAGES
 - identifiers:
    name: default-authentication-identification
  model: authentik_stages_identification.identificationstage
  attrs:
    password_stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]]
    recovery_flow: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
    user_fields:
    - email
    - username
 - identifiers:
    name: default-authentication-login
  model: authentik_stages_user_login.userloginstage
  attrs:
    session_duration: days=30
 # After the first run this will produce a RelatedObjectDoesNotExist error
 - identifiers:
    order: 20
    stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]]
    target: !KeyOf flow
  model: authentik_flows.flowstagebinding
  state: absent
--- a/flow_invalidation.yaml.tmpl
+++ b/flow_invalidation.yaml.tmpl
@ -1,45 +0,0 @@
 version: 1
 metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
  name: Custom Invalidation Flow
 entries:
 ### DEPENDENCIES
 - model: authentik_blueprints.metaapplyblueprint
  attrs:
    identifiers:
      name: Default - Invalidation flow
    required: true
 ### STAGE BINDINGS
 # This is specified only for setting an id (this stagebinding does not have an identifier)
 - identifiers:
    order: 0
    stage: !Find [authentik_stages_user_logout.userlogoutstage, [name, default-invalidation-logout]]
    target: !Find [authentik_flows.flow, [slug, default-invalidation-flow]]
  model: authentik_flows.flowstagebinding
  attrs:
    re_evaluate_policies: true
  id: logout-stage-binding
 ### POLICIES
 - attrs:
    execution_logging: true
    expression: 'context[''flow_plan''].context[''redirect''] = ''{{ env "LOGOUT_REDIRECT" }}''
    return True'
  identifiers:
    name: redirect-policy
  id: redirect-policy
  model: authentik_policies_expression.expressionpolicy
 ### POLICY BINDINGS
 - identifiers:
    policy: !KeyOf redirect-policy
    target: !KeyOf logout-stage-binding
    order: 0
  model: authentik_policies.policybinding
  attrs:
    enabled: {{ if eq (env "LOGOUT_REDIRECT") "" }} false {{ else }} true {{ end }}
    timeout: 30
--- a/flow_invitation.yaml.tmpl
+++ b/flow_invitation.yaml.tmpl
@ -1,79 +0,0 @@
 version: 1
 metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
  name: Invitation Enrollment Flow
 context:
  welcome_message: {{ if eq (env "WELCOME_MESSAGE") "" }} "Welcome to authentik!" {{ else }} {{ env "WELCOME_MESSAGE" }} {{ end }}
 entries:
 ### DEPENDENCIES
 - model: authentik_blueprints.metaapplyblueprint
  attrs:
    identifiers:
      name: Flow Translations
    required: true
 ### FLOW
 - attrs:
    designation: enrollment
    name: invitation-enrollment-flow
    title: !Context welcome_message
  identifiers:
    slug: invitation-enrollment-flow
  id: invitation-enrollment-flow
  model: authentik_flows.flow
 ### POLICIES
 - attrs:
    expression: |
      if not regex_match(request.context.get('prompt_data').get('username'), '\s'):
          return True
      ak_message("Username must not contain any whitespace!")
      return False
  id: username-without-spaces-policy
  identifiers:
    name: username-without-spaces-policy
  model: authentik_policies_expression.expressionpolicy
 ### STAGES
 - identifiers:
    name: invitation-stage
  id: invitation-stage
  model: authentik_stages_invitation.invitationstage
 - identifiers:
    name: enrollment-prompt-userdata
  id: enrollment-prompt-userdata
  model: authentik_stages_prompt.promptstage
  attrs:
    fields:
      - !Find [authentik_stages_prompt.prompt, [name, default-source-enrollment-field-username]]
      - !Find [authentik_stages_prompt.prompt, [name, default-user-settings-field-name]]
      - !Find [authentik_stages_prompt.prompt, [name, default-user-settings-field-email]]
      - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password]]
      - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password-repeat]]
    validation_policies:
      - !Find [ authentik_policies_expression.expressionpolicy, [name, username-without-spaces-policy]]
 ### STAGE BINDINGS
 - identifiers:
    order: 1
    stage: !KeyOf invitation-stage
    target: !KeyOf invitation-enrollment-flow
  model: authentik_flows.flowstagebinding
 - identifiers:
    order: 10
    stage: !KeyOf enrollment-prompt-userdata
    target: !KeyOf invitation-enrollment-flow
  model: authentik_flows.flowstagebinding
 - identifiers:
    order: 20
    stage: !Find [authentik_stages_user_write.userwritestage, [name,  default-source-enrollment-write]]
    target: !KeyOf invitation-enrollment-flow
  model: authentik_flows.flowstagebinding
 - identifiers:
    order: 100
    stage: !Find [authentik_stages_user_login.userloginstage, [name,  default-authentication-login]]
    target: !KeyOf invitation-enrollment-flow
  model: authentik_flows.flowstagebinding
--- a/flow_recovery.yaml.tmpl
+++ b/flow_recovery.yaml.tmpl
@ -1,128 +0,0 @@
 version: 1
 metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
  name: Recovery with email verification
 context:
  token_expiry: {{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }} 30 {{ else }} {{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }} {{ end }}
  subject: {{ if eq (env "EMAIL_SUBJECT") "" }} Account Recovery {{ else }} {{ env "EMAIL_SUBJECT" }} {{ end }} 
 entries:
 ### DEPENDENCIES
 - model: authentik_blueprints.metaapplyblueprint
  attrs:
    identifiers:
      name: Default - Authentication flow
    required: true
 ### FLOW
 - identifiers:
    slug: default-recovery-flow
  model: authentik_flows.flow
  state: created
  attrs:
    name: Default recovery flow
    title: Reset your password
    designation: recovery
    authentication: require_unauthenticated
 ### STAGES
 - identifiers:
    name: default-recovery-email
  id: default-recovery-email
  model: authentik_stages_email.emailstage
  attrs:
    use_global_settings: true
    token_expiry: !Context token_expiry
    subject: !Context subject
    template: email/password_reset.html
    activate_user_on_success: true
 - identifiers:
    name: default-recovery-identification
  id: default-recovery-identification
  model: authentik_stages_identification.identificationstage
  attrs:
    user_fields:
      - email
      - username
 ### STAGE BINDINGS
 - identifiers:
    target: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
    stage: !KeyOf default-recovery-identification
    order: 10
  model: authentik_flows.flowstagebinding
  id: flow-binding-identification
  attrs:
    evaluate_on_plan: true
    re_evaluate_policies: true
    policy_engine_mode: any
    invalid_response_action: retry
 - identifiers:
    target: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
    stage: !KeyOf default-recovery-email
    order: 20
  model: authentik_flows.flowstagebinding
  id: flow-binding-email
  attrs:
    evaluate_on_plan: true
    re_evaluate_policies: true
    policy_engine_mode: any
    invalid_response_action: retry
 - identifiers:
    target: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
    stage: !Find [authentik_stages_prompt.promptstage, [name,  default-password-change-prompt]]
    order: 30
  model: authentik_flows.flowstagebinding
  attrs:
    evaluate_on_plan: true
    re_evaluate_policies: false
    policy_engine_mode: any
    invalid_response_action: retry
 - identifiers:
    target: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
    stage: !Find [authentik_stages_user_write.userwritestage, [name,  default-password-change-write]]
    order: 40
  model: authentik_flows.flowstagebinding
  attrs:
    evaluate_on_plan: true
    re_evaluate_policies: false
    policy_engine_mode: any
    invalid_response_action: retry
 - identifiers:
    target: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
    stage: !Find [authentik_stages_user_login.userloginstage, [name,  default-authentication-login]]
    order: 100
  model: authentik_flows.flowstagebinding
  attrs:
    evaluate_on_plan: true
    re_evaluate_policies: false
    policy_engine_mode: any
    invalid_response_action: retry
 ### POLICIES
 - identifiers:
    name: default-recovery-skip-if-restored
  id: default-recovery-skip-if-restored
  model: authentik_policies_expression.expressionpolicy
  attrs:
    expression: |
      return request.context.get('is_restored', False)
 - identifiers:
    policy: !KeyOf default-recovery-skip-if-restored
    target: !KeyOf flow-binding-identification
    order: 0
  model: authentik_policies.policybinding
  attrs:
    negate: false
    enabled: false # TODO: why does this doesn't work?
    timeout: 30
 - identifiers:
    policy: !KeyOf default-recovery-skip-if-restored
    target: !KeyOf flow-binding-email
    order: 0
  state: absent
  model: authentik_policies.policybinding
  attrs:
    negate: false
    enabled: true
    timeout: 30
--- a/flow_translation.yaml.tmpl
+++ b/flow_translation.yaml.tmpl
@ -1,71 +0,0 @@
 version: 1
 metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
  name: Flow Translations
 context:
  transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort zurücksetzen" {{ else }} "Reset your password" {{ end }}
  transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort" {{ else }} "Password" {{ end }}
  transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort (wiederholen)" {{ else }} "Password (repeat)" {{ end }}
  transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Benutzername" {{ else }} "Username" {{ end }}
  transl_name: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Vor- und Nachname" {{ else }} "Full name" {{ end }}
 entries:
 ### DEPENDENCIES
 - model: authentik_blueprints.metaapplyblueprint
  attrs:
    identifiers:
      name: Recovery with email verification
    required: true
 - model: authentik_blueprints.metaapplyblueprint
  attrs:
    identifiers:
      name: Default - User settings flow
    required: true
 - model: authentik_blueprints.metaapplyblueprint
  attrs:
    identifiers:
      name: Default - Source enrollment flow
    required: true
 ### FLOWS
 - model: authentik_flows.flow 
  identifiers:
    slug: default-recovery-flow
  id: recovery_flow
  model: authentik_flows.flow
  attrs:
    name: Default recovery flow
    title: !Context transl_recovery
    designation: recovery
 ### PROMPTS
 - model: authentik_stages_prompt.prompt
  identifiers:
    name: default-password-change-field-password
  attrs:
    label: !Context transl_password
    placeholder: !Context transl_password
 - model: authentik_stages_prompt.prompt
  identifiers:
    name: default-password-change-field-password-repeat
  attrs:
    label: !Context transl_password_repeat
    placeholder: !Context transl_password_repeat
 - model: authentik_stages_prompt.prompt
  identifiers:
    name: default-user-settings-field-username
  attrs:
    label: !Context transl_username
 - model: authentik_stages_prompt.prompt
  identifiers:
    name: default-user-settings-field-name
  attrs:
    label: !Context transl_name
 - model: authentik_stages_prompt.prompt
  identifiers:
    name: default-source-enrollment-field-username
  attrs:
    label: !Context transl_username
    placeholder: !Context transl_username
--- a/hedgedoc.yaml.tmpl
+++ b/hedgedoc.yaml.tmpl
@ -1,48 +0,0 @@
 version: 1
 metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
  name: hedgedoc
 entries:
 - attrs:
    access_code_validity: minutes=1
    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
    client_id: {{ secret  "hedgedoc_id" }}
    client_secret: {{ secret  "hedgedoc_secret" }}
    client_type: confidential
    include_claims_in_id_token: true
    issuer_mode: per_provider
    redirect_uris:
    - matching_mode: strict
      url: https://{{ env  "HEDGEDOC_DOMAIN" }}/auth/oauth2/callback
    name: Hedgedoc
    property_mappings:
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
    sub_mode: hashed_user_id
    token_validity: days=30
  conditions: []
  id: hedgedoc_provider
  identifiers:
    pk: 9992
  model: authentik_providers_oauth2.oauth2provider
  state: present
 - attrs:
    meta_launch_url: https://{{ env  "HEDGEDOC_DOMAIN" }}/auth/oauth2
    open_in_new_tab: true
    policy_engine_mode: any
    provider: !KeyOf hedgedoc_provider
    slug: hedgedoc
  conditions: []
  id: hedgedoc_application
  identifiers:
    name: Hedgedoc
  model: authentik_core.application
  state: present
--- a/icons/bbb.png
+++ b/icons/bbb.png
--- a/icons/calendar.svg
+++ b/icons/calendar.svg
@ -1,2 +0,0 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <svg xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://www.w3.org/2000/svg" version="1.1" xml:space="preserve" height="32" width="32" enable-background="new 0 0 595.275 311.111" y="0px" x="0px" xmlns:cc="http://creativecommons.org/ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" viewBox="0 0 32 32"><rect rx="5" ry="5" height="32" width="32" y="-.0000052588" x="0" fill="#0082c9"/><g transform="matrix(.89286 0 0 .89286 520.21 -.19331)"><path fill="#fff" d="m-572.71 3.5765c-1.108 0-2 0.892-2 2v4c0 1.108 0.892 2 2 2s2-0.892 2-2v-4c0-1.108-0.892-2-2-2zm16 0c-1.108 0-2 0.892-2 2v4c0 1.108 0.892 2 2 2s2-0.892 2-2v-4c0-1.108-0.892-2-2-2zm-13 4v2c0 1.662-1.338 3-3 3s-3-1.338-3-3v-1.875c-1.728 0.44254-3 2.0052-3 3.875v16c0 2.216 1.784 4 4 4h20c2.216 0 4-1.784 4-4v-16c0-1.8698-1.272-3.4325-3-3.875v1.875c0 1.662-1.338 3-3 3s-3-1.338-3-3v-2h-10zm-5.9062 9h21.812c0.0554 0 0.0937 0.03835 0.0937 0.09375v11.812c0 0.0554-0.0384 0.09375-0.0937 0.09375h-21.812c-0.0554 0-0.0937-0.03835-0.0937-0.09375v-11.812c0-0.0554 0.0384-0.09375 0.0937-0.09375z"/></g></svg>
--- a/icons/hedgedoc.png
+++ b/icons/hedgedoc.png
--- a/icons/help.svg
+++ b/icons/help.svg
@ -1,8 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
 <svg width="800px" height="800px" viewBox="0 0 48 48" fill="none" xmlns="http://www.w3.org/2000/svg">
 <rect width="48" height="48" fill="white" fill-opacity="0.01"/>
 <path d="M24 44C29.5228 44 34.5228 41.7614 38.1421 38.1421C41.7614 34.5228 44 29.5228 44 24C44 18.4772 41.7614 13.4772 38.1421 9.85786C34.5228 6.23858 29.5228 4 24 4C18.4772 4 13.4772 6.23858 9.85786 9.85786C6.23858 13.4772 4 18.4772 4 24C4 29.5228 6.23858 34.5228 9.85786 38.1421C13.4772 41.7614 18.4772 44 24 44Z" fill="#2F88FF" stroke="#000000" stroke-width="4" stroke-linejoin="round"/>
 <path d="M24 28.6249V24.6249C27.3137 24.6249 30 21.9386 30 18.6249C30 15.3112 27.3137 12.6249 24 12.6249C20.6863 12.6249 18 15.3112 18 18.6249" stroke="white" stroke-width="4" stroke-linecap="round" stroke-linejoin="round"/>
 <path fill-rule="evenodd" clip-rule="evenodd" d="M24 37.6249C25.3807 37.6249 26.5 36.5056 26.5 35.1249C26.5 33.7442 25.3807 32.6249 24 32.6249C22.6193 32.6249 21.5 33.7442 21.5 35.1249C21.5 36.5056 22.6193 37.6249 24 37.6249Z" fill="white"/>
 </svg>
--- a/icons/kimai_logo.png
+++ b/icons/kimai_logo.png
--- a/icons/matrix.svg
+++ b/icons/matrix.svg
@ -1,7 +0,0 @@
 <svg width="200" height="200" viewBox="0 0 200 200" fill="none" xmlns="http://www.w3.org/2000/svg">
 <path fill-rule="evenodd" clip-rule="evenodd" d="M100 200C155.228 200 200 155.228 200 100C200 44.7715 155.228 0 100 0C44.7715 0 0 44.7715 0 100C0 155.228 44.7715 200 100 200Z" fill="#0DBD8B"/>
 <path fill-rule="evenodd" clip-rule="evenodd" d="M81.7169 46.5946C81.7169 42.5581 84.9959 39.2859 89.0408 39.2859C116.456 39.2859 138.681 61.4642 138.681 88.8225C138.681 92.859 135.401 96.1312 131.357 96.1312C127.312 96.1312 124.033 92.859 124.033 88.8225C124.033 69.5372 108.366 53.9033 89.0408 53.9033C84.9959 53.9033 81.7169 50.6311 81.7169 46.5946Z" fill="white"/>
 <path fill-rule="evenodd" clip-rule="evenodd" d="M153.39 81.5137C157.435 81.5137 160.714 84.7859 160.714 88.8224C160.714 116.181 138.49 138.359 111.075 138.359C107.03 138.359 103.751 135.087 103.751 131.05C103.751 127.014 107.03 123.742 111.075 123.742C130.4 123.742 146.066 108.108 146.066 88.8224C146.066 84.7859 149.345 81.5137 153.39 81.5137Z" fill="white"/>
 <path fill-rule="evenodd" clip-rule="evenodd" d="M118.398 153.405C118.398 157.442 115.119 160.714 111.074 160.714C83.6592 160.714 61.4347 138.536 61.4347 111.177C61.4347 107.141 64.7138 103.869 68.7587 103.869C72.8035 103.869 76.0826 107.141 76.0826 111.177C76.0826 130.463 91.7489 146.097 111.074 146.097C115.119 146.097 118.398 149.369 118.398 153.405Z" fill="white"/>
 <path fill-rule="evenodd" clip-rule="evenodd" d="M46.6097 118.486C42.5648 118.486 39.2858 115.214 39.2858 111.178C39.2858 83.8193 61.5102 61.6409 88.9255 61.6409C92.9704 61.6409 96.2494 64.9132 96.2494 68.9497C96.2494 72.9862 92.9704 76.2584 88.9255 76.2584C69.6 76.2584 53.9337 91.8922 53.9337 111.178C53.9337 115.214 50.6546 118.486 46.6097 118.486Z" fill="white"/>
 </svg>
--- a/icons/monitoring.svg
+++ b/icons/monitoring.svg
@ -1,70 +0,0 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!-- Generator: Adobe Illustrator 21.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
 <svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
 	 viewBox="0 0 142.5 145.6" style="enable-background:new 0 0 142.5 145.6;" xml:space="preserve">
 <style type="text/css">
 	.st0{fill:#565656;}
 	.st1{fill:url(#SVGID_1_);}
 </style>
 <g>
 	<path class="st0" d="M28.7,131.5c-0.3,7.9-6.6,14.1-14.4,14.1C6.1,145.6,0,139,0,130.9s6.6-14.7,14.7-14.7c3.6,0,7.2,1.6,10.2,4.4
 		l-2.3,2.9c-2.3-2-5.1-3.4-7.9-3.4c-5.9,0-10.8,4.8-10.8,10.8c0,6.1,4.6,10.8,10.4,10.8c5.2,0,9.3-3.8,10.2-8.8H12.6v-3.5h16.1
 		V131.5z"/>
 	<path class="st0" d="M42.3,129.5h-2.2c-2.4,0-4.4,2-4.4,4.4v11.4h-3.9v-19.6H35v1.6c1.1-1.1,2.7-1.6,4.6-1.6h4.2L42.3,129.5z"/>
 	<path class="st0" d="M63.7,145.3h-3.4v-2.5c-2.6,2.5-6.6,3.7-10.7,1.9c-3-1.3-5.3-4.1-5.9-7.4c-1.2-6.3,3.7-11.9,9.9-11.9
 		c2.6,0,5,1.1,6.7,2.8v-2.5h3.4V145.3z M59.7,137c0.9-4-2.1-7.6-6-7.6c-3.4,0-6.1,2.8-6.1,6.1c0,3.8,3.3,6.7,7.2,6.1
 		C57.1,141.2,59.1,139.3,59.7,137z"/>
 	<path class="st0" d="M71.5,124.7v1.1h6.2v3.4h-6.2v16.1h-3.8v-20.5c0-4.3,3.1-6.8,7-6.8h4.7l-1.6,3.7h-3.1
 		C72.9,121.6,71.5,123,71.5,124.7z"/>
 	<path class="st0" d="M98.5,145.3h-3.3v-2.5c-2.6,2.5-6.6,3.7-10.7,1.9c-3-1.3-5.3-4.1-5.9-7.4c-1.2-6.3,3.7-11.9,9.9-11.9
 		c2.6,0,5,1.1,6.7,2.8v-2.5h3.4v19.6H98.5z M94.5,137c0.9-4-2.1-7.6-6-7.6c-3.4,0-6.1,2.8-6.1,6.1c0,3.8,3.3,6.7,7.2,6.1
 		C92,141.2,93.9,139.3,94.5,137z"/>
 	<path class="st0" d="M119.4,133.8v11.5h-3.9v-11.6c0-2.4-2-4.4-4.4-4.4c-2.5,0-4.4,2-4.4,4.4v11.6h-3.9v-19.6h3.2v1.7
 		c1.4-1.3,3.3-2,5.2-2C115.8,125.5,119.4,129.2,119.4,133.8z"/>
 	<path class="st0" d="M142.4,145.3h-3.3v-2.5c-2.6,2.5-6.6,3.7-10.7,1.9c-3-1.3-5.3-4.1-5.9-7.4c-1.2-6.3,3.7-11.9,9.9-11.9
 		c2.6,0,5,1.1,6.7,2.8v-2.5h3.4v19.6H142.4z M138.4,137c0.9-4-2.1-7.6-6-7.6c-3.4,0-6.1,2.8-6.1,6.1c0,3.8,3.3,6.7,7.2,6.1
 		C135.9,141.2,137.8,139.3,138.4,137z"/>
 </g>
 <linearGradient id="SVGID_1_" gradientUnits="userSpaceOnUse" x1="71.25" y1="10.4893" x2="71.25" y2="113.3415" gradientTransform="matrix(1 0 0 -1 0 148.6)">
 	<stop  offset="0" style="stop-color:#FCEE1F"/>
 	<stop  offset="1" style="stop-color:#F15B2A"/>
 </linearGradient>
 <path class="st1" d="M122.9,49.9c-0.2-1.9-0.5-4.1-1.1-6.5c-0.6-2.4-1.6-5-2.9-7.8c-1.4-2.7-3.1-5.6-5.4-8.3
 	c-0.9-1.1-1.9-2.1-2.9-3.2c1.6-6.3-1.9-11.8-1.9-11.8c-6.1-0.4-9.9,1.9-11.3,2.9c-0.2-0.1-0.5-0.2-0.7-0.3c-1-0.4-2.1-0.8-3.2-1.2
 	c-1.1-0.3-2.2-0.7-3.3-0.9c-1.1-0.3-2.3-0.5-3.5-0.7c-0.2,0-0.4-0.1-0.6-0.1C83.5,3.6,75.9,0,75.9,0c-8.7,5.6-10.4,13.1-10.4,13.1
 	s0,0.2-0.1,0.4c-0.5,0.1-0.9,0.3-1.4,0.4c-0.6,0.2-1.3,0.4-1.9,0.7c-0.6,0.3-1.3,0.5-1.9,0.8c-1.3,0.6-2.5,1.2-3.8,1.9
 	c-1.2,0.7-2.4,1.4-3.5,2.2c-0.2-0.1-0.3-0.2-0.3-0.2c-11.7-4.5-22.1,0.9-22.1,0.9c-0.9,12.5,4.7,20.3,5.8,21.7
 	c-0.3,0.8-0.5,1.5-0.8,2.3c-0.9,2.8-1.5,5.7-1.9,8.7c-0.1,0.4-0.1,0.9-0.2,1.3c-10.8,5.3-14,16.3-14,16.3c9,10.4,19.6,11,19.6,11
 	l0,0c1.3,2.4,2.9,4.7,4.6,6.8c0.7,0.9,1.5,1.7,2.3,2.6c-3.3,9.4,0.5,17.3,0.5,17.3c10.1,0.4,16.7-4.4,18.1-5.5c1,0.3,2,0.6,3,0.9
 	c3.1,0.8,6.3,1.3,9.4,1.4c0.8,0,1.6,0,2.4,0h0.4H80h0.5H81l0,0c4.7,6.8,13.1,7.7,13.1,7.7c5.9-6.3,6.3-12.4,6.3-13.8l0,0
 	c0,0,0,0,0-0.1s0-0.2,0-0.2l0,0c0-0.1,0-0.2,0-0.3c1.2-0.9,2.4-1.8,3.6-2.8c2.4-2.1,4.4-4.6,6.2-7.2c0.2-0.2,0.3-0.5,0.5-0.7
 	c6.7,0.4,11.4-4.2,11.4-4.2c-1.1-7-5.1-10.4-5.9-11l0,0c0,0,0,0-0.1-0.1l-0.1-0.1l0,0l-0.1-0.1c0-0.4,0.1-0.8,0.1-1.3
 	c0.1-0.8,0.1-1.5,0.1-2.3v-0.6v-0.3v-0.1c0-0.2,0-0.1,0-0.2v-0.5v-0.6c0-0.2,0-0.4,0-0.6s0-0.4-0.1-0.6l-0.1-0.6l-0.1-0.6
 	c-0.1-0.8-0.3-1.5-0.4-2.3c-0.7-3-1.9-5.9-3.4-8.4c-1.6-2.6-3.5-4.8-5.7-6.8c-2.2-1.9-4.6-3.5-7.2-4.6c-2.6-1.2-5.2-1.9-7.9-2.2
 	c-1.3-0.2-2.7-0.2-4-0.2h-0.5h-0.1h-0.2h-0.2h-0.5c-0.2,0-0.4,0-0.5,0c-0.7,0.1-1.4,0.2-2,0.3c-2.7,0.5-5.2,1.5-7.4,2.8
 	c-2.2,1.3-4.1,3-5.7,4.9s-2.8,3.9-3.6,6.1c-0.8,2.1-1.3,4.4-1.4,6.5c0,0.5,0,1.1,0,1.6c0,0.1,0,0.3,0,0.4v0.4c0,0.3,0,0.5,0.1,0.8
 	c0.1,1.1,0.3,2.1,0.6,3.1c0.6,2,1.5,3.8,2.7,5.4s2.5,2.8,4,3.8s3,1.7,4.6,2.2c1.6,0.5,3.1,0.7,4.5,0.6c0.2,0,0.4,0,0.5,0
 	c0.1,0,0.2,0,0.3,0s0.2,0,0.3,0c0.2,0,0.3,0,0.5,0h0.1h0.1c0.1,0,0.2,0,0.3,0c0.2,0,0.4-0.1,0.5-0.1c0.2,0,0.3-0.1,0.5-0.1
 	c0.3-0.1,0.7-0.2,1-0.3c0.6-0.2,1.2-0.5,1.8-0.7c0.6-0.3,1.1-0.6,1.5-0.9c0.1-0.1,0.3-0.2,0.4-0.3c0.5-0.4,0.6-1.1,0.2-1.6
 	c-0.4-0.4-1-0.5-1.5-0.3C88,74,87.9,74,87.7,74.1c-0.4,0.2-0.9,0.4-1.3,0.5c-0.5,0.1-1,0.3-1.5,0.4c-0.3,0-0.5,0.1-0.8,0.1
 	c-0.1,0-0.3,0-0.4,0c-0.1,0-0.3,0-0.4,0s-0.3,0-0.4,0c-0.2,0-0.3,0-0.5,0c0,0-0.1,0,0,0h-0.1h-0.1c-0.1,0-0.1,0-0.2,0
 	s-0.3,0-0.4-0.1c-1.1-0.2-2.3-0.5-3.4-1c-1.1-0.5-2.2-1.2-3.1-2.1c-1-0.9-1.8-1.9-2.5-3.1c-0.7-1.2-1.1-2.5-1.3-3.8
 	c-0.1-0.7-0.2-1.4-0.1-2.1c0-0.2,0-0.4,0-0.6c0,0.1,0,0,0,0v-0.1v-0.1c0-0.1,0-0.2,0-0.3c0-0.4,0.1-0.7,0.2-1.1c0.5-3,2-5.9,4.3-8.1
 	c0.6-0.6,1.2-1.1,1.9-1.5c0.7-0.5,1.4-0.9,2.1-1.2c0.7-0.3,1.5-0.6,2.3-0.8s1.6-0.4,2.4-0.4c0.4,0,0.8-0.1,1.2-0.1
 	c0.1,0,0.2,0,0.3,0h0.3h0.2c0.1,0,0,0,0,0h0.1h0.3c0.9,0.1,1.8,0.2,2.6,0.4c1.7,0.4,3.4,1,5,1.9c3.2,1.8,5.9,4.5,7.5,7.8
 	c0.8,1.6,1.4,3.4,1.7,5.3c0.1,0.5,0.1,0.9,0.2,1.4v0.3V66c0,0.1,0,0.2,0,0.3c0,0.1,0,0.2,0,0.3v0.3v0.3c0,0.2,0,0.6,0,0.8
 	c0,0.5-0.1,1-0.1,1.5c-0.1,0.5-0.1,1-0.2,1.5s-0.2,1-0.3,1.5c-0.2,1-0.6,1.9-0.9,2.9c-0.7,1.9-1.7,3.7-2.9,5.3
 	c-2.4,3.3-5.7,6-9.4,7.7c-1.9,0.8-3.8,1.5-5.8,1.8c-1,0.2-2,0.3-3,0.3H81h-0.2h-0.3H80h-0.3c0.1,0,0,0,0,0h-0.1
 	c-0.5,0-1.1,0-1.6-0.1c-2.2-0.2-4.3-0.6-6.4-1.2c-2.1-0.6-4.1-1.4-6-2.4c-3.8-2-7.2-4.9-9.9-8.2c-1.3-1.7-2.5-3.5-3.5-5.4
 	s-1.7-3.9-2.3-5.9c-0.6-2-0.9-4.1-1-6.2v-0.4v-0.1v-0.1v-0.2V60v-0.1v-0.1v-0.2v-0.5V59l0,0v-0.2c0-0.3,0-0.5,0-0.8
 	c0-1,0.1-2.1,0.3-3.2c0.1-1.1,0.3-2.1,0.5-3.2c0.2-1.1,0.5-2.1,0.8-3.2c0.6-2.1,1.3-4.1,2.2-6c1.8-3.8,4.1-7.2,6.8-9.9
 	c0.7-0.7,1.4-1.3,2.2-1.9c0.3-0.3,1-0.9,1.8-1.4c0.8-0.5,1.6-1,2.5-1.4c0.4-0.2,0.8-0.4,1.3-0.6c0.2-0.1,0.4-0.2,0.7-0.3
 	c0.2-0.1,0.4-0.2,0.7-0.3c0.9-0.4,1.8-0.7,2.7-1c0.2-0.1,0.5-0.1,0.7-0.2c0.2-0.1,0.5-0.1,0.7-0.2c0.5-0.1,0.9-0.2,1.4-0.4
 	c0.2-0.1,0.5-0.1,0.7-0.2c0.2,0,0.5-0.1,0.7-0.1c0.2,0,0.5-0.1,0.7-0.1l0.4-0.1l0.4-0.1c0.2,0,0.5-0.1,0.7-0.1
 	c0.3,0,0.5-0.1,0.8-0.1c0.2,0,0.6-0.1,0.8-0.1c0.2,0,0.3,0,0.5-0.1h0.3h0.2h0.2c0.3,0,0.5,0,0.8-0.1h0.4c0,0,0.1,0,0,0h0.1h0.2
 	c0.2,0,0.5,0,0.7,0c0.9,0,1.8,0,2.7,0c1.8,0.1,3.6,0.3,5.3,0.6c3.4,0.6,6.7,1.7,9.6,3.2c2.9,1.4,5.6,3.2,7.8,5.1
 	c0.1,0.1,0.3,0.2,0.4,0.4c0.1,0.1,0.3,0.2,0.4,0.4c0.3,0.2,0.5,0.5,0.8,0.7c0.3,0.2,0.5,0.5,0.8,0.7c0.2,0.3,0.5,0.5,0.7,0.8
 	c1,1,1.9,2.1,2.7,3.1c1.6,2.1,2.9,4.2,3.9,6.2c0.1,0.1,0.1,0.2,0.2,0.4c0.1,0.1,0.1,0.2,0.2,0.4s0.2,0.5,0.4,0.7
 	c0.1,0.2,0.2,0.5,0.3,0.7c0.1,0.2,0.2,0.5,0.3,0.7c0.4,0.9,0.7,1.8,1,2.7c0.5,1.4,0.8,2.6,1.1,3.6c0.1,0.4,0.5,0.7,0.9,0.7
 	c0.5,0,0.8-0.4,0.8-0.9C123,52.7,123,51.4,122.9,49.9z"/>
 </svg>
--- a/icons/nextcloud.png
+++ b/icons/nextcloud.png
--- a/icons/outline.png
+++ b/icons/outline.png
--- a/icons/pretix.svg
+++ b/icons/pretix.svg
@ -1 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?><svg id="Ebene_1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 128 128"><defs><style>.cls-1{fill:#3b1c4a;}</style></defs><path class="cls-1" d="m50.67,56.95c-.72.1-1.22.3-1.66.5l2.38,16.91c.41.08.95.13,1.6.04,3.52-.5,4.61-3.64,3.81-9.39-.83-5.87-2.53-8.56-6.12-8.06Z"/><path class="cls-1" d="m116.04,35.05c.71-.17,1.16-.76,1.06-1.48L112.54,1.13c-.1-.72-.77-1.22-1.49-1.12l-37.5,5.27.73,5.22c.16,1.12-.62,2.15-1.74,2.31s-2.15-.62-2.31-1.74l-.73-5.22L1.13,15.46c-.72.1-1.22.77-1.12,1.49l4.56,32.44c.1.72.7,1.17,1.42,1.13,11.25-.92,21.43,7.1,23.03,18.46,1.6,11.36-5.99,21.81-17.07,23.96-.71.17-1.16.76-1.06,1.48l4.56,32.44c.1.72.77,1.22,1.49,1.12l68.37-9.61-.73-5.22c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l.73,5.22,37.5-5.27c.72-.1,1.22-.77,1.12-1.49l-4.56-32.44c-.1-.72-.7-1.17-1.42-1.13-11.25.92-21.42-7.04-23.02-18.4-1.6-11.36,5.98-21.87,17.06-24.03Zm-59.84,44.75c-1.76.25-3.29.26-4.04.17l1.59,11.29-9.92,1.39-5.3-37.73c2.5-1.62,5.96-3.03,11.38-3.8,8.68-1.22,15.27,2.58,16.66,12.44,1.25,8.88-3.12,15.21-10.36,16.23Zm30.73,20.71c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31,1.12-.16,2.15.62,2.31,1.74l1.47,10.44Zm-3.16-22.45c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l1.47,10.44Z"/></svg>
--- a/icons/rallly.png
+++ b/icons/rallly.png
--- a/icons/support.svg
+++ b/icons/support.svg
@ -1,12 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
 <svg width="800px" height="800px" viewBox="0 0 512 512" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
    <title>support</title>
    <g id="Page-1" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
        <g id="support" fill="#000000" transform="translate(42.666667, 42.666667)">
            <path d="M379.734355,174.506667 C373.121022,106.666667 333.014355,-2.13162821e-14 209.067688,-2.13162821e-14 C85.1210217,-2.13162821e-14 45.014355,106.666667 38.4010217,174.506667 C15.2012632,183.311569 -0.101643453,205.585799 0.000508304259,230.4 L0.000508304259,260.266667 C0.000508304259,293.256475 26.7445463,320 59.734355,320 C92.7241638,320 119.467688,293.256475 119.467688,260.266667 L119.467688,230.4 C119.360431,206.121456 104.619564,184.304973 82.134355,175.146667 C86.4010217,135.893333 107.307688,42.6666667 209.067688,42.6666667 C310.827688,42.6666667 331.521022,135.893333 335.787688,175.146667 C313.347976,184.324806 298.68156,206.155851 298.667688,230.4 L298.667688,260.266667 C298.760356,283.199651 311.928618,304.070103 332.587688,314.026667 C323.627688,330.88 300.801022,353.706667 244.694355,360.533333 C233.478863,343.50282 211.780225,336.789048 192.906491,344.509658 C174.032757,352.230268 163.260418,372.226826 167.196286,392.235189 C171.132153,412.243552 188.675885,426.666667 209.067688,426.666667 C225.181549,426.577424 239.870491,417.417465 247.041022,402.986667 C338.561022,392.533333 367.787688,345.386667 376.961022,317.653333 C401.778455,309.61433 418.468885,286.351502 418.134355,260.266667 L418.134355,230.4 C418.23702,205.585799 402.934114,183.311569 379.734355,174.506667 Z M76.8010217,260.266667 C76.8010217,269.692326 69.1600148,277.333333 59.734355,277.333333 C50.3086953,277.333333 42.6676884,269.692326 42.6676884,260.266667 L42.6676884,230.4 C42.6676884,224.302667 45.9205765,218.668499 51.2010216,215.619833 C56.4814667,212.571166 62.9872434,212.571166 68.2676885,215.619833 C73.5481336,218.668499 76.8010217,224.302667 76.8010217,230.4 L76.8010217,260.266667 Z M341.334355,230.4 C341.334355,220.97434 348.975362,213.333333 358.401022,213.333333 C367.826681,213.333333 375.467688,220.97434 375.467688,230.4 L375.467688,260.266667 C375.467688,269.692326 367.826681,277.333333 358.401022,277.333333 C348.975362,277.333333 341.334355,269.692326 341.334355,260.266667 L341.334355,230.4 Z">
 </path>
        </g>
    </g>
 </svg>
--- a/icons/vaultwarden.svg
+++ b/icons/vaultwarden.svg
--- a/icons/vikunja.svg
+++ b/icons/vikunja.svg
@ -1,12 +0,0 @@
 <svg xmlns="http://www.w3.org/2000/svg" xml:space="preserve" viewBox="0 0 256 256" width="256" height="256">
  <path d="M2268.2 2512.3a953.7 953.7 0 0 1-50 57c-180.5 189.5-426.2 294-691.6 294A953.7 953.7 0 0 1 847.8 2582a952.7 952.7 0 0 1-281.2-678.8 953.8 953.8 0 0 1 281.2-678.9 953.7 953.7 0 0 1 678.8-281.1 953.7 953.7 0 0 1 678.8 281.1 953.7 953.7 0 0 1 281.2 678.9c0 219.2-78.9 437.2-218.4 609" style="fill:#196aff;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
  <path d="M1823.7 1650.9c35.7 104.2 94.7 136.1 102 297 2.6 56.5-14.7 236-14.7 236s28 72-25.8 152.3c-83.5 124.3-255.4 132.8-345.7 132.8-90.3 0-260.2-8.5-343.7-132.8C1142 2256 1170 2184 1170 2184s-9.5-92.4-16.7-173.8c-1.7-19.1.1-94.7 2.4-113a453 453 0 0 1 25.8-96.2c14.4-39.6 36.8-79.9 54-120.5 51.8-122.8 8.4-274.9 11.1-407.3 2.2-94-20-189.3-28.7-281.2a960.4 960.4 0 0 1 308.7-50.6 958.6 958.6 0 0 1 344.9 63.6c-20.4 115-44.1 224.2-47.8 265.9-10.6 125.9-41.3 259.4 0 380" style="fill:#fff;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36655635" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
  <path d="M1162.9 2383.9c1.1-18.8 3-38 8.3-56.2 1.6-5.7 4-19.7 11.4-21.8 9-2.6 25.9 8.3 32.3 13 12.3 9 23.9 18.5 36.2 27.6 8 6 16.5 10.5 24.3 16.5 8.4 6.6 14.7 14.5 21.7 22.2 8.4 9.4 14.8 19 21.3 29.5 5.1 8.2 37.1 13.5 42.2 21 5.6 8.3 1 18.6 1 28.7 0 74.2 4.4 147.6 6.1 220.3 1.8 50 21.4 109.2-53.4 85.8-160.3-50-158.5-271.3-151.4-386.6M1869.1 2279.7c-1.6 1.8-4.2 3.2-6.3 4.8a208 208 0 0 0-25.1 21.5c-9.4 9.6-19.2 19-28.2 28.9-7.9 8.7-17.3 16.6-25 25.6-5.1 6-10 12.3-14.6 18.5-2.3 3.2-3.5 7-5.3 10.4-2.7 5-40 10.1-36.2 15 6.3 8.3 20.3 15.4 23.7 25 17.2 48.6 24.8 244.5 26.8 294.5 5.4 127.8 117.6-6.3 137.2-57.7 57-149.7 23.2-258.8-46.3-386.6" style="fill:#fff;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
  <path d="M1716.5 1787.9c-.1 73.8-9.3 103.6-50.4 139.7-25.8 22.6-55.9 31.2-103.8 30-47.9 1.2-82.4-13.4-107.3-39.2-37.5-39-47.4-62-47.5-135.9 0-39.9 43-128.1 55.7-148.5 21.3-36 60.6-48.9 99.1-46.2 38.6-2.7 77.9 10.3 99.1 46.2 12.8 20.4 55.1 107 55 153.9" style="fill:#f1e6d3;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
  <path d="M1226.6 2316c-9.6 86.2-38.6 240 61.5 331.3 11 10.1 14-24.2 15.8-38 2.6-19 0-73.5.4-92.6.7-36.1 8.3-55 4.7-71.5-9.6-45-17.3-42.2-26.5-69.6-18.3-54.4-53.3-83-55.9-59.5M1851.7 2333c10.3-18.2 37 80.3 45.4 123.2 8 40.3 18 93.8 4 133.9-7.4 21.5-53 84.5-58.4 62.9-2-8.5-3.2-71.1-8.3-101.1-6.4-37.1-18-73.8-18-111.6-.2-84.5 25.3-88 35.3-107.2" style="fill:#f1d7d4;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
  <path d="M1522 1319.7c-2.2-6.5-18.6-11.4-24.8-13.3-14.9-4.9-28.1 6.9-36.4 16.8-11.6 13.7-11.3 35.6-16.2 51.6-2.9 9.7-19.5 11-24.5 2-16.6-29.8-81.1 26.4-66.1 45.2 9.9 12.3-13.8 23.2-23.6 11-29-36.1 49-103.4 93.6-85.2 2-9 4-18 8-26.6 7.4-16.9 23.9-27.8 41-37 23.1-12.4 68.2 9.5 75 30.3 4.9 14.5-21.2 19.7-26 5.2M1727.6 1538.2c2.4-10 2.8-44-16-25.4-7.5 7.5-22.6 3-23.2-7-1.4-23.4-24.9-24-45.1-16.9-16 5.6-24.6-16.6-8.6-22.1 29.7-10.4 62-4.6 74.7 17.8 10.1-4.7 21.5-6 30.7 2.6 16 15 18.4 36.2 13.7 55.7-3.5 14.8-29.7 10.1-26.2-4.7M1775 1049.2c-7-14.3-19.8-13.4-33.6-7.4-10.1 4.4-22.6-2.8-19.6-13 6.2-20.6-19.7-26.6-37.3-19.3-15.4 6.5-28.8-13.8-13.2-20.3 31.6-13.2 71.7-1.6 77.5 26.2 20.4-3.3 39.8 2.4 49.4 22.3 6.7 13.6-16.4 25.4-23.2 11.5M1569.8 2153.3c-3.3-20.2-41.1 3.3-50.5 9.7-8.3 5.5-19 2.1-20-7.3-1.4-12.7-18.5-9-26.3-7.4-14.8 3-27.4 12.2-27.7 26-.4 13.6 8.2 27.7 12.6 40.4 2.9 8-8.7 17-17.2 11.5-15.2-9.7-88.7-18.5-59.4 13.6 9.3 10.2-7.1 24.8-16.6 14.5-13.5-14.8-22.6-48.7 6.6-56 15.5-3.7 37.8-3.5 56.8.8-8-25.5-9.6-48.8 23.2-65.1 22.1-11.1 52.5-11 65.4 6 27.2-14.5 69.7-28.7 75.6 7.8 2.1 13-20.4 18.5-22.5 5.5" style="fill:#faeee0;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
  <path d="M1443 1685.6c39.4-3.4 78.8-12.3 118.5-10.9 25.4 1 51.7 4.5 76.8 8.2 18.2 2.7 40.5 6 52.7 19.4 1-45-92.6-59.1-128.9-60-42.1-1-89.5 17.2-119 43.3" style="fill:#494949;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
  <path d="M1549.4 1779.5a353.5 353.5 0 0 1-2.7-87.3c.7-7.6-1.3-25.7 8.8-29.5 8.2-3 18.3 2.7 19.7 10.1 2.2 12.5-3 28.2-3.5 41-.5 14.9 0 29.8 1.6 44.7 1 8.8 5.9 20.7-4.2 27-7.4 4.5-18.3 2.8-19.7-6" style="fill:#494949;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
  <path d="M1626 1849.7c-23.7-1-45.7-14.2-63.4-27-16.1 10.7-40.5 20.5-60.7 14.8-12-3.4-1.1-7.1 4-10.3 9.2-6.2 16.8-14.2 23.7-22.4 10.3-12.6 19.6-25.8 30.7-38 7.6 5.6 15 11.1 21.6 17.6 3.1 3 28.5 37 32.4 42.7 2.4 3.6 5 7.4 7.8 10.8 2.9 3.5 11 9 3.9 11.8" style="fill:#494949;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
  <path d="M1326.5 2010c11.7 30.3 24.3 68.4 56.3 62.4 24.2-5.2 56.7-86.2 36-78.2-11.3 4.4-20.3 41.1-41.4 46-13.4 3-32-43.6-50-48.4-8.7-2.3-4.3 10.4-.9 18.2M1670.6 2010c11.7 30.3 24.2 68.4 56.3 62.4 24.2-5.2 56.7-86.2 35.9-78.2-11.3 4.4-20.2 41.1-41.3 46-13.5 3-32-43.6-50-48.4-8.7-2.3-4.4 10.4-1 18.2" style="fill:#2c3844;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
 </svg>
--- a/icons/wekan.png
+++ b/icons/wekan.png
--- a/icons/wordpress.png
+++ b/icons/wordpress.png
--- a/icons/zammad.svg
+++ b/icons/zammad.svg
@ -1,30 +0,0 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <svg width="126px" height="108px" viewBox="0 0 42 36" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:sketch="http://www.bohemiancoding.com/sketch/ns">
    <!-- Generator: Sketch 3.3.2 (12043) - http://www.bohemiancoding.com/sketch -->
    <title>logo</title>
    <desc>Created with Sketch.</desc>
    <defs/>
    <g id="Page-1" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd" sketch:type="MSPage">
        <g id="logo" sketch:type="MSArtboardGroup">
            <g sketch:type="MSLayerGroup" transform="translate(1.000000, 0.000000)" id="Shape">
                <path d="M27.3375,12.6 L36.72,9.72 L31.1625,13.2525 L27.3375,12.6 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
                <path d="M33.0525,19.62 L31.1625,13.2525 L36.72,9.72 L35.055,15.435 L33.0525,19.62 Z" fill="#E84F83" sketch:type="MSShapeGroup"/>
                <path d="M39.465,7.9875 L38.43,9.72 L35.055,15.435 L36.72,9.72 L39.465,7.9875 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
                <path d="M39.8025,9.1125 L37.1925,11.79 L38.43,9.72 L39.8025,9.1125 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
                <path d="M27.9,10.8225 L35.5725,10.0575 L30.24,11.7 L27.9,10.8225 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
                <path d="M28.1925,15.165 L31.1625,13.2525 L33.0525,19.62 L32.0625,21.645 L28.1925,15.165 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
                <path d="M23.76,22.725 L22.3425,5.4 L32.0625,21.645 L23.76,22.725 Z" fill="#B7DFF2" sketch:type="MSShapeGroup"/>
                <path d="M19.7325,27.1575 L23.76,22.725 L32.0625,21.645 L19.7325,27.1575 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
                <path d="M0.1575,35.865 L19.7325,27.1575 L23.76,22.725 L17.37,22.0725 L0.1575,35.865 Z" fill="#FFCE33" sketch:type="MSShapeGroup"/>
                <path d="M0.9,28.755 L10.9575,27.225 L14.085,24.705 L12.555,24.03 L0.9,28.755 Z" fill="#D6B12D" sketch:type="MSShapeGroup"/>
                <path d="M4.5225,20.5425 L14.085,24.705 L17.37,22.0725 L4.5225,20.5425 Z" fill="#FFDE85" sketch:type="MSShapeGroup"/>
                <path d="M21.6225,11.6775 L20.4075,11.88 L17.37,22.0725 L20.655,20.0025 L21.6225,11.6775 Z" fill="#009EC6" sketch:type="MSShapeGroup"/>
                <path d="M23.4,18.2475 L20.655,20.0025 L22.3425,5.4 L23.4,18.2475 Z" fill="#5EAFCE" sketch:type="MSShapeGroup"/>
                <path d="M13.0275,13.05 L21.6225,11.6775 L22.005,8.28 L13.0275,13.05 Z" fill="#045972" sketch:type="MSShapeGroup"/>
                <path d="M12.105,5.085 L19.575,9.585 L22.005,8.28 L22.0725,7.8075 L12.105,5.085 Z" fill="#5A8591" sketch:type="MSShapeGroup"/>
                <path d="M13.5675,0.18 L20.3625,7.335 L22.0725,7.8075 L22.3425,5.4 L13.5675,0.18 Z" fill="#009EC6" sketch:type="MSShapeGroup"/>
                <path d="M17.37,22.0725 L23.4,18.2475 L23.76,22.725 L17.37,22.0725 Z" fill="#F39804" sketch:type="MSShapeGroup"/>
            </g>
        </g>
    </g>
 </svg>
--- a/kimai.yaml.tmpl
+++ b/kimai.yaml.tmpl
@ -1,50 +0,0 @@
 version: 1
 metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
  name: kimai
 entries:
 - attrs:
    acs_url: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml/acs
    assertion_valid_not_before: minutes=-5
    assertion_valid_not_on_or_after: minutes=5
    audience: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml
    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
    digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
    issuer: https://{{ env  "DOMAIN" }}
    name: Kimai
    name_id_mapping: !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
    property_mappings:
    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Name"]]
    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Email"]]
    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: User ID"]]
    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Groups"]]
    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: UPN"]]
    session_valid_not_on_or_after: minutes=86400
    sign_assertion: true
    signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
    signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
    sp_binding: post
  conditions: []
  id: kimai_provider
  identifiers:
    pk: 9991
  model: authentik_providers_saml.samlprovider
  state: present
 - attrs:
    meta_launch_url: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml/login
    open_in_new_tab: true
    policy_engine_mode: any
    provider: !KeyOf kimai_provider
    slug: kimai
  conditions: []
  id: kimai_application
  identifiers:
    name: Kimai
  model: authentik_core.application
  state: present
--- a/matrix.yaml.tmpl
+++ b/matrix.yaml.tmpl
@ -1,48 +0,0 @@
 version: 1
 metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
  name: matrix
 entries:
 - attrs:
    access_code_validity: minutes=1
    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
    client_id: {{ secret  "matrix_id" }}
    client_secret: {{ secret  "matrix_secret" }}
    client_type: confidential
    include_claims_in_id_token: true
    issuer_mode: per_provider
    redirect_uris:
    - matching_mode: strict
      url: https://{{ env  "MATRIX_DOMAIN" }}/_synapse/client/oidc/callback
    name: Matrix
    property_mappings:
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
    sub_mode: user_username
    token_validity: days=30
  conditions: []
  id: matrix_provider
  identifiers:
    pk: 9997
  model: authentik_providers_oauth2.oauth2provider
  state: present
 - attrs:
    meta_launch_url: https://{{ env  "ELEMENT_DOMAIN" }}
    open_in_new_tab: true
    policy_engine_mode: any
    provider: !KeyOf matrix_provider
    name: Element
  conditions: []
  id: matrix_application
  identifiers:
    slug: matrix
  model: authentik_core.application
  state: present
--- a/monitoring.yaml.tmpl
+++ b/monitoring.yaml.tmpl
@ -1,48 +0,0 @@
 version: 1
 metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
  name: monitoring 
 entries:
 - attrs:
    access_code_validity: minutes=1
    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
    client_id: {{ secret  "monitoring_id" }}
    client_secret: {{ secret  "monitoring_secret" }}
    client_type: confidential
    include_claims_in_id_token: true
    issuer_mode: per_provider
    redirect_uris:
    - matching_mode: strict
      url: https://{{ env  "MONITORING_DOMAIN" }}/login/generic_oauth
    name: Monitoring
    property_mappings:
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
    sub_mode: user_username
    token_validity: days=30
  conditions: []
  id: monitoring_provider
  identifiers:
    pk: 9990
  model: authentik_providers_oauth2.oauth2provider
  state: present
 - attrs:
    meta_launch_url: https://{{ env  "MONITORING_DOMAIN" }}
    open_in_new_tab: true
    policy_engine_mode: any
    provider: !KeyOf monitoring_provider
    slug: monitoring 
  conditions: []
  id: monitoring_application
  identifiers:
    name: Monitoring 
  model: authentik_core.application
  state: present
--- a/nextcloud.yaml.tmpl
+++ b/nextcloud.yaml.tmpl
@ -1,61 +0,0 @@
 version: 1
 metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
  name: Nextcloud
 entries:
 - attrs:
    description: nextcloud
    expression: 'return { "nextcloud_groups": [{"gid": group.name, "displayName":
      group.name} for group in request.user.ak_groups.all()], }'
    managed: null
    scope_name: nextcloud
  conditions: []
  id: nextcloud_group_mapping
  identifiers:
    name: nextcloud
  model: authentik_providers_oauth2.scopemapping
  state: present
 - attrs:
    access_code_validity: minutes=1
    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
    client_id: {{ secret  "nextcloud_id" }}
    client_secret: {{ secret  "nextcloud_secret" }}
    client_type: confidential
    include_claims_in_id_token: true
    issuer_mode: per_provider
    redirect_uris:
    - matching_mode: strict
      url: https://{{ env  "NEXTCLOUD_DOMAIN" }}/apps/sociallogin/custom_oidc/authentik
    name: Nextcloud
    property_mappings:
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
    - !KeyOf nextcloud_group_mapping
    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
    sub_mode: user_username
    token_validity: days=30
  conditions: []
  id: nextcloud_provider
  identifiers:
    pk: 9999
  model: authentik_providers_oauth2.oauth2provider
  state: present
 - attrs:
    meta_launch_url: https://{{ env  "NEXTCLOUD_DOMAIN" }}
    open_in_new_tab: true
    policy_engine_mode: any
    provider: !KeyOf nextcloud_provider
    slug: nextcloud
  conditions: []
  id: nextcloud_application
  identifiers:
    name: Nextcloud
  model: authentik_core.application
  state: present
--- a/outline.yaml.tmpl
+++ b/outline.yaml.tmpl
@ -1,48 +0,0 @@
 version: 1
 metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
  name: outline
 entries:
 - attrs:
    access_code_validity: minutes=1
    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
    client_id: {{ secret  "outline_id" }}
    client_secret: {{ secret  "outline_secret" }}
    client_type: confidential
    include_claims_in_id_token: true
    issuer_mode: per_provider
    redirect_uris:
    - matching_mode: strict
      url: https://{{ env  "OUTLINE_DOMAIN" }}/auth/oidc.callback
    name: Outline
    property_mappings:
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
    sub_mode: hashed_user_id
    token_validity: days=30
  conditions: []
  id: outline_provider
  identifiers:
    pk: 9994
  model: authentik_providers_oauth2.oauth2provider
  state: present
 - attrs:
    meta_launch_url: https://{{ env  "OUTLINE_DOMAIN" }}/auth/oidc
    open_in_new_tab: true
    policy_engine_mode: any
    provider: !KeyOf outline_provider
    slug: outline
  conditions: []
  id: outline_application
  identifiers:
    name: Outline
  model: authentik_core.application
  state: present
--- a/password_reset_de.html
+++ b/password_reset_de.html
@ -0,0 +1,53 @@
 {% extends "email/base.html" %}
 {% load i18n %}
 {% load humanize %}
 {% block content %}
 <tr>
    <td class="alert alert-success">
        {% blocktrans with username=user.username %}
        Herzlich Willkommen {{ username }},
        {% endblocktrans %}
    </td>
 </tr>
 <tr>
    <td class="content-wrap">
        <table width="100%" cellpadding="0" cellspacing="0">
            <tr>
                <td class="content-block">
                    {% blocktrans %}
                    Klicke auf folgenden Link um ein Passwort für deinen Account zu erstellen:
                    {% endblocktrans %}
                </td>
            </tr>
            <tr>
                <td class="content-block">
                    <table role="presentation" border="0" cellpadding="0" cellspacing="0" class="btn btn-primary">
                        <tbody>
                        <tr>
                            <td align="center">
                            <table role="presentation" border="0" cellpadding="0" cellspacing="0">
                                <tbody>
                                <tr>
                                    <td> <a id="confirm" href="{{ url }}" rel="noopener noreferrer" target="_blank">Passwort Erstellen</a> </td>
                                </tr>
                                </tbody>
                            </table>
                            </td>
                        </tr>
                        </tbody>
                    </table>
                </td>
            </tr>
            <tr>
                <td class="content-block">
                    {% blocktrans with expires=expires|naturaltime %}
                    Falls du diese E-Mail fälschlicherweise erhalten hast, ignoriere sie bitte. Der obige Link ist gültig für: {{ expires }}.
                    {% endblocktrans %}
                </td>
            </tr>
        </table>
    </td>
 </tr>
 {% endblock %}
--- a/pg_backup.sh
+++ b/pg_backup.sh
@ -1,34 +0,0 @@
 #!/bin/bash
 set -e
 BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
 function backup {
  export PGPASSWORD=$(cat /run/secrets/db_password)
  pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
 }
 function restore {
    cd /var/lib/postgresql/data/
    restore_config(){
        # Restore allowed connections
        cat pg_hba.conf.bak > pg_hba.conf
        su postgres -c 'pg_ctl reload'
    }
    # Don't allow any other connections than local
    cp pg_hba.conf pg_hba.conf.bak
    echo "local all all trust" > pg_hba.conf
    su postgres -c 'pg_ctl reload'
    trap restore_config EXIT INT TERM
    # Recreate Database
    psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);" 
    createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
    psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
    trap - EXIT INT TERM
    restore_config
 }
 $@
--- a/rallly.yaml.tmpl
+++ b/rallly.yaml.tmpl
@ -1,48 +0,0 @@
 version: 1
 metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
  name: rallly
 entries:
 - attrs:
    access_code_validity: minutes=1
    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
    client_id: {{ secret  "rallly_id" }}
    client_secret: {{ secret  "rallly_secret" }}
    client_type: confidential
    include_claims_in_id_token: true
    issuer_mode: per_provider
    redirect_uris:
    - matching_mode: strict
      url: https://{{ env  "RALLLY_DOMAIN" }}/api/auth/callback/oidc
    name: Rallly
    property_mappings:
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
    sub_mode: hashed_user_id
    token_validity: days=30
  conditions: []
  id: rallly_provider
  identifiers:
    pk: 9993
  model: authentik_providers_oauth2.oauth2provider
  state: present
 - attrs:
    meta_launch_url: https://{{ env  "RALLLY_DOMAIN" }}
    open_in_new_tab: true
    policy_engine_mode: any
    provider: !KeyOf rallly_provider
    slug: rallly
  conditions: []
  id: rallly_application
  identifiers:
    name: Rallly
  model: authentik_core.application
  state: present
--- a/release/1.0.0+2022.10.1
+++ b/release/1.0.0+2022.10.1
@ -1,15 +0,0 @@
 This upgrade replaces the passwords stored in env variables by docker secrets.
 You need to insert the following passwords as secret:
 `POSTGRES_PASSWORD` / `AUTHENTIK_POSTGRESQL__PASSWORD`:
    `abra app secret insert <app_name> db_password v1 <password>`
 `AUTHENTIK_SECRET_KEY`:
    `abra app secret insert <app_name> secret_key v1 <password>`
 `AK_ADMIN_TOKEN`:
    `abra app secret insert <app_name> admin_token v1 <password>`
 `AK_ADMIN_PASS`:
    `abra app secret insert <app_name> admin_pass v1 <password>`
 `AUTHENTIK_EMAIL__PASSWORD`:
    `abra app secret insert <app_name> email_pass v1 <password>`
 These variables should be removed from the .env file.
--- a/release/2.0.0+2023.2.3
+++ b/release/2.0.0+2023.2.3
@ -1,2 +0,0 @@
 Logout URL changes from `https://login.example.org/if/flow/default-invalidation-flow/` to `https://login.example.org/if/flow/logout-flow/`
 Replace it in any app that uses this logout url.
--- a/release/3.0.0+2023.2.3
+++ b/release/3.0.0+2023.2.3
@ -1,16 +0,0 @@
 Run `abra app cmd <app_name> worker blueprint_cleanup` to apply the new blueprint configuration and delete the old configuration.
 If the nextcloud provider should be managed by abra add the following to the env:
    COMPOSE_FILE="compose.yml:compose.nextcloud.yml"
    NEXTCLOUD_DOMAIN=nextcloud.example.com
    SECRET_NEXTCLOUD_ID_VERSION=v1
    SECRET_NEXTCLOUD_SECRET_VERSION=v1
 and generate the secrets:
    abra app secret generate -a <app_name>
 Eventuelly you need to manually remove the old nextcloud provider and application
 Don't forget to update the nextcloud config for authentik as well.
--- a/release/3.1.0+2023.3.1
+++ b/release/3.1.0+2023.3.1
@ -1,3 +0,0 @@
 Env recommendation: AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME=false
 This prevents users from changing their username.
 Changing the username can be a security risk and it can break things.
--- a/release/3.2.0+2023.6.1
+++ b/release/3.2.0+2023.6.1
@ -1 +0,0 @@
 If you use your own outpost you need to uncomment COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml" to expose the docker socket again.
--- a/release/4.0.0+2023.10.5
+++ b/release/4.0.0+2023.10.5
@ -1 +0,0 @@
 It is only possible to upgrade to 2023.10 from 2023.8, you need to update to 2023.8.x before applying this update
--- a/release/5.0.0+2024.2.2
+++ b/release/5.0.0+2024.2.2
@ -1 +0,0 @@
 Blueprint changes are applied and automatic migrations should work, however, manual action may be required: https://docs.goauthentik.io/docs/releases/2024.2
--- a/release/5.1.0+2024.2.3
+++ b/release/5.1.0+2024.2.3
@ -1 +0,0 @@
 Due to blueprint changes, you need to run the following command after upgrading: abra app cmd -C <Domain> worker apply_blueprints
--- a/release/6.0.0+2024.4.0
+++ b/release/6.0.0+2024.4.0
@ -1 +0,0 @@
 Alerta! ⚠️ If you are using AUTHENTIK_COLOR_BACKGROUND_LIGHT, you will need to set COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
--- a/release/6.1.0+2024.4.2
+++ b/release/6.1.0+2024.4.2
@ -1 +0,0 @@
 Blueprint for Kimai SSO integration added
--- a/release/6.11.0+2024.10.5
+++ b/release/6.11.0+2024.10.5
@ -1 +0,0 @@
 Fix Impersonate Bug
--- a/release/6.6.0+2024.8.2
+++ b/release/6.6.0+2024.8.2
@ -1 +0,0 @@
 Replaced icon bbb.jpg with icon.png - configs need to be updated when upgrading!
--- a/release/6.7.0+2024.8.3
+++ b/release/6.7.0+2024.8.3
@ -1,3 +0,0 @@
 Two critical vulnerabilities were closed:
 https://github.com/goauthentik/authentik/security/advisories/GHSA-7jxf-mmg9-9hg7
 https://github.com/goauthentik/authentik/security/advisories/GHSA-8gfm-pr6x-pfh9
--- a/system_brand.yaml.tmpl
+++ b/system_brand.yaml.tmpl
@ -1,38 +0,0 @@
 version: 1
 metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
  name: Custom System brand
 entries:
 ### DEPENDENCIES
 - model: authentik_blueprints.metaapplyblueprint
  attrs:
    identifiers:
      name: Default - Brand
    required: true
 - model: authentik_blueprints.metaapplyblueprint
  attrs:
    identifiers:
      name: Recovery with email verification
    required: true
 ### SYSTEM BRAND
 # remove custom brand from old recipe
 - identifiers:
    domain: {{ env "DOMAIN" }}
  model: authentik_brands.brand
  state: absent
 - attrs:
    attributes:
      settings:
        locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }} {{ if ne (env "THEME_BACKGROUND") "" }}
        theme:
          background: >
            background: {{ env "THEME_BACKGROUND" }} {{ end }}
    flow_recovery: !Find [authentik_flows.flow, [slug,  default-recovery-flow]]
  identifiers:
    default: true
    domain: authentik-default
  model: authentik_brands.brand
--- a/vikunja.yaml.tmpl
+++ b/vikunja.yaml.tmpl
@ -1,48 +0,0 @@
 version: 1
 metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
  name: vikunja
 entries:
 - attrs:
    access_code_validity: minutes=1
    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
    client_id: {{ secret  "vikunja_id" }}
    client_secret: {{ secret  "vikunja_secret" }}
    client_type: confidential
    include_claims_in_id_token: true
    issuer_mode: per_provider
    redirect_uris:
    - matching_mode: strict
      url: https://{{ env  "VIKUNJA_DOMAIN" }}/auth/openid/authentik
    name: Vikunja
    property_mappings:
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
    sub_mode: hashed_user_id
    token_validity: days=30
  conditions: []
  id: vikunja_provider
  identifiers:
    pk: 9995
  model: authentik_providers_oauth2.oauth2provider
  state: present
 - attrs:
    meta_launch_url: https://{{ env  "VIKUNJA_DOMAIN" }}
    open_in_new_tab: true
    policy_engine_mode: any
    provider: !KeyOf vikunja_provider
    slug: vikunja
  conditions: []
  id: vikunja_application
  identifiers:
    name: Vikunja
  model: authentik_core.application
  state: present
--- a/wekan.yaml.tmpl
+++ b/wekan.yaml.tmpl
@ -1,66 +0,0 @@
 version: 1
 metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
  name: wekan
 entries:
 - attrs:
    description: wekan
    expression: "groupsDict = {\"wekanGroups\": []}\nfor group in request.user.ak_groups.all():\n\
      \  my_attributes = group.attributes\n  my_attributes[\"displayName\"] = group.name\n\
      \  my_attributes[\"isAdmin\"] = group.attributes[\"isAdmin\"] if 'isAdmin' in group.attributes else group.is_superuser\n\
      \  my_attributes[\"isActive\"] = group.attributes[\"\
      isActive\"] if 'isActive' in group.attributes else True\n  my_attributes[\"\
      forceCreate\"] = group.attributes[\"forceCreate\"] if 'forceCreate' in group.attributes\
      \ else True\n  groupsDict[\"wekanGroups\"].append(my_attributes)\nreturn groupsDict"
    managed: null
    scope_name: wekan
  conditions: []
  id: wekan_group_mapping
  identifiers:
    name: wekan
  model: authentik_providers_oauth2.scopemapping
  state: present
 - attrs:
    access_code_validity: minutes=1
    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
    client_id: {{ secret  "wekan_id" }}
    client_secret: {{ secret  "wekan_secret" }}
    client_type: confidential
    include_claims_in_id_token: true
    issuer_mode: per_provider
    redirect_uris:
    - matching_mode: strict
      url: https://{{ env  "WEKAN_DOMAIN" }}/_oauth/oidc
    name: Wekan
    property_mappings:
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
    - !KeyOf wekan_group_mapping
    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
    sub_mode: hashed_user_id
    token_validity: days=30
  conditions: []
  id: wekan_provider
  identifiers:
    pk: 9996
  model: authentik_providers_oauth2.oauth2provider
  state: present
 - attrs:
    meta_launch_url: https://{{ env  "WEKAN_DOMAIN" }}
    open_in_new_tab: true
    policy_engine_mode: any
    provider: !KeyOf wekan_provider
    slug: wekan
  conditions: []
  id: wekan_application
  identifiers:
    name: Wekan
  model: authentik_core.application
  state: present
--- a/wordpress.yaml.tmpl
+++ b/wordpress.yaml.tmpl
@ -1,64 +0,0 @@
 version: 1
 metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
  name: Wordpress
 entries:
 - attrs:
    access_code_validity: minutes=1
    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
    client_id: {{ secret  "wordpress_id" }}
    client_secret: {{ secret  "wordpress_secret" }}
    client_type: confidential
    include_claims_in_id_token: true
    issuer_mode: per_provider
    redirect_uris:
    - matching_mode: strict
      url: https://{{ env  "WORDPRESS_DOMAIN" }}/openid-connect-authorize
    name: Wordpress
    property_mappings:
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
    sub_mode: user_username
    token_validity: days=30
  conditions: []
  id: wordpress_provider
  identifiers:
    pk: 9998
  model: authentik_providers_oauth2.oauth2provider
  state: present
 - attrs:
    meta_launch_url: https://{{ env  "WORDPRESS_DOMAIN" }}/wp-login.php
    open_in_new_tab: true
    policy_engine_mode: any
    provider: !KeyOf wordpress_provider
    slug: wordpress
  conditions: []
  id: wordpress_application
  identifiers:
    name: Wordpress
  model: authentik_core.application
  state: present
 {{ if ne (env "WORDPRESS_GROUP") "" }} 
 - identifiers:
    name: {{ env "WORDPRESS_GROUP" }}
  attrs:
    users:
    - 1
  id: wordpress_group
  model: authentik_core.group
 - identifiers:
    group: !KeyOf wordpress_group
    target: !KeyOf wordpress_application
    order: 0
  model: authentik_policies.policybinding
 {{ end }}
--- a/zammad.yaml.tmpl
+++ b/zammad.yaml.tmpl
@ -1,69 +0,0 @@
 version: 1
 metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
  name: zammad
 entries:
 - attrs:
    expression: return request.user.name
    managed: null
    name: 'Zammad SAML Mapping: name'
    saml_name: name
  conditions: []
  identifiers:
    name: zammad_name_mapping
  id: zammad_name_mapping
  model: authentik_providers_saml.samlpropertymapping
  state: present
 - attrs:
    expression: return request.user.email
    managed: null
    name: 'Zammad SAML Mapping: email'
    saml_name: email
  conditions: []
  identifiers:
    name: zammad_email_mapping
  id: zammad_email_mapping
  model: authentik_providers_saml.samlpropertymapping
  state: present
 - attrs:
    acs_url: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/callback
    assertion_valid_not_before: minutes=-5
    assertion_valid_not_on_or_after: minutes=5
    audience: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/metadata
    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
    digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
    issuer: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/metadata
    name: zammad
    property_mappings:
    - !KeyOf zammad_name_mapping
    - !KeyOf zammad_email_mapping
    session_valid_not_on_or_after: minutes=86400
    sign_assertion: true
    signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
    signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
    sp_binding: post
  conditions: []
  id: zammad_provider
  identifiers:
    pk: 9989
  model: authentik_providers_saml.samlprovider
  state: present
 - attrs:
    meta_launch_url: ""
    open_in_new_tab: true
    policy_engine_mode: any
    provider: !KeyOf zammad_provider
    slug: zammad
  conditions: []
  id: zammad_application
  identifiers:
    name: Zammad
  model: authentik_core.application
  state: present
		`@ -1,2 +0,0 @@`
			`<?xml version="1.0" encoding="UTF-8" standalone="no"?>`
			<svg xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://www.w3.org/2000/svg" version="1.1" xml:space="preserve" height="32" width="32" enable-background="new 0 0 595.275 311.111" y="0px" x="0px" xmlns:cc="http://creativecommons.org/ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" viewBox="0 0 32 32"><rect rx="5" ry="5" height="32" width="32" y="-.0000052588" x="0" fill="#0082c9"/><g transform="matrix(.89286 0 0 .89286 520.21 -.19331)"><path fill="#fff" d="m-572.71 3.5765c-1.108 0-2 0.892-2 2v4c0 1.108 0.892 2 2 2s2-0.892 2-2v-4c0-1.108-0.892-2-2-2zm16 0c-1.108 0-2 0.892-2 2v4c0 1.108 0.892 2 2 2s2-0.892 2-2v-4c0-1.108-0.892-2-2-2zm-13 4v2c0 1.662-1.338 3-3 3s-3-1.338-3-3v-1.875c-1.728 0.44254-3 2.0052-3 3.875v16c0 2.216 1.784 4 4 4h20c2.216 0 4-1.784 4-4v-16c0-1.8698-1.272-3.4325-3-3.875v1.875c0 1.662-1.338 3-3 3s-3-1.338-3-3v-2h-10zm-5.9062 9h21.812c0.0554 0 0.0937 0.03835 0.0937 0.09375v11.812c0 0.0554-0.0384 0.09375-0.0937 0.09375h-21.812c-0.0554 0-0.0937-0.03835-0.0937-0.09375v-11.812c0-0.0554 0.0384-0.09375 0.0937-0.09375z"/></g></svg>
		`@ -1 +0,0 @@`
			<?xml version="1.0" encoding="UTF-8"?><svg id="Ebene_1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 128 128"><defs><style>.cls-1{fill:#3b1c4a;}</style></defs><path class="cls-1" d="m50.67,56.95c-.72.1-1.22.3-1.66.5l2.38,16.91c.41.08.95.13,1.6.04,3.52-.5,4.61-3.64,3.81-9.39-.83-5.87-2.53-8.56-6.12-8.06Z"/><path class="cls-1" d="m116.04,35.05c.71-.17,1.16-.76,1.06-1.48L112.54,1.13c-.1-.72-.77-1.22-1.49-1.12l-37.5,5.27.73,5.22c.16,1.12-.62,2.15-1.74,2.31s-2.15-.62-2.31-1.74l-.73-5.22L1.13,15.46c-.72.1-1.22.77-1.12,1.49l4.56,32.44c.1.72.7,1.17,1.42,1.13,11.25-.92,21.43,7.1,23.03,18.46,1.6,11.36-5.99,21.81-17.07,23.96-.71.17-1.16.76-1.06,1.48l4.56,32.44c.1.72.77,1.22,1.49,1.12l68.37-9.61-.73-5.22c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l.73,5.22,37.5-5.27c.72-.1,1.22-.77,1.12-1.49l-4.56-32.44c-.1-.72-.7-1.17-1.42-1.13-11.25.92-21.42-7.04-23.02-18.4-1.6-11.36,5.98-21.87,17.06-24.03Zm-59.84,44.75c-1.76.25-3.29.26-4.04.17l1.59,11.29-9.92,1.39-5.3-37.73c2.5-1.62,5.96-3.03,11.38-3.8,8.68-1.22,15.27,2.58,16.66,12.44,1.25,8.88-3.12,15.21-10.36,16.23Zm30.73,20.71c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31,1.12-.16,2.15.62,2.31,1.74l1.47,10.44Zm-3.16-22.45c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l1.47,10.44Z"/></svg>
		`@ -1,2 +0,0 @@`
			Logout URL changes from `https://login.example.org/if/flow/default-invalidation-flow/` to `https://login.example.org/if/flow/logout-flow/`
			`Replace it in any app that uses this logout url.`
		`@ -1 +0,0 @@`
			`If you use your own outpost you need to uncomment COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml" to expose the docker socket again.`
		`@ -1 +0,0 @@`
			`It is only possible to upgrade to 2023.10 from 2023.8, you need to update to 2023.8.x before applying this update`
		`@ -1 +0,0 @@`
			`Blueprint changes are applied and automatic migrations should work, however, manual action may be required: https://docs.goauthentik.io/docs/releases/2024.2`
		`@ -1 +0,0 @@`
			`Due to blueprint changes, you need to run the following command after upgrading: abra app cmd -C <Domain> worker apply_blueprints`
		`@ -1 +0,0 @@`
			`Alerta! ⚠️ If you are using AUTHENTIK_COLOR_BACKGROUND_LIGHT, you will need to set COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"`
		`@ -1 +0,0 @@`
			`Replaced icon bbb.jpg with icon.png - configs need to be updated when upgrading!`