general way to copy assets using env variables

2022-11-16 16:15:00 +01:00
74 changed files with 546 additions and 2508 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -1,53 +0,0 @@
---
-kind: pipeline
-name: deploy to swarm-test.autonomic.zone
-steps:
-  - name: deployment
-    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
-    settings:
-      host: swarm-test.autonomic.zone
-      stack: authentik
-      generate_secrets: true
-      purge: true
-      deploy_key:
-        from_secret: drone_ssh_swarm_test
-      networks:
-        - proxy
-    environment:
-      DOMAIN: authentik.swarm-test.autonomic.zone
-      STACK_NAME: authentik
-      LETS_ENCRYPT_ENV: production
-      CUSTOM_CSS_VERSION: v1
-      FLOW_AUTHENTICATION_VERSION: v1
-      FLOW_INVITATION_VERSION: v1
-      FLOW_INVALIDATION_VERSION: v1
-      FLOW_RECOVERY_VERSION: v1
-      FLOW_TRANSLATION_VERSION: v1
-      SYSTEM_BRAND_VERSION: v1
-      NEXTCLOUD_CONFIG_VERSION: v1
-      SECRET_SECRET_KEY_VERSION: v1
-      SECRET_DB_PASSWORD_VERSION: v1
-      SECRET_ADMIN_TOKEN_VERSION: v1
-      SECRET_ADMIN_PASS_VERSION: v1
-      SECRET_EMAIL_PASS_VERSION: v1
-      DB_ENTRYPOINT_VERSION: v1
-      PG_BACKUP_VERSION: v2
-trigger:
-  branch:
-    - main
---
-kind: pipeline
-name: generate recipe catalogue
-steps:
-  - name: release a new version
-    image: plugins/downstream
-    settings:
-      server: https://build.coopcloud.tech
-      token:
-        from_secret: drone_abra-bot_token
-      fork: true
-      repositories:
-        - toolshed/auto-recipes-catalogue-json
-
-trigger:
-  event: tag
--- a/.env.sample
+++ b/.env.sample
@ -1,134 +1,42 @@
 TYPE=authentik
-TIMEOUT=900
-ENABLE_AUTO_UPDATE=true
-POST_DEPLOY_CMDS="worker set_admin_pass"
-# Example values for post deploy cmds: "worker set_admin_pass|worker apply_blueprints|worker add_applications"
 LETS_ENCRYPT_ENV=production
-ENABLE_BACKUPS=true

-DOMAIN=authentik.example.com
-## Domain aliases
-#EXTRA_DOMAINS=', `www.authentik.example.com`'
-COMPOSE_FILE="compose.yml"
-AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME=false
-AUTHENTIK_LOG_LEVEL=info
-# AUTHENTIK_IMPERSONATION=true
-# AUTHENTIK_FOOTER_LINKS='[{"name": "My Organization","href":"https://example.com"}]'
+DOMAIN={{ .Domain }}
+POSTGRES_PASSWORD=secret
+AUTHENTIK_POSTGRESQL__PASSWORD=secret
+POSTGRES_USER=authentik
+AUTHENTIK_POSTGRESQL__USER=authentik
+POSTGRES_DB=authentik
+AUTHENTIK_POSTGRESQL__NAME=authentik
+AUTHENTIK_POSTGRESQL__HOST=db
+AUTHENTIK_REDIS__HOST=redis
+AUTHENTIK_ERROR_REPORTING__ENABLED=true
 # WORKERS=1
+AUTHENTIK_SECRET_KEY=secret
+AK_ADMIN_TOKEN=secret
+AK_ADMIN_PASS=secret

-## Outpost Integration
-# COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml"
-# COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.ldap.yml"
-# SECRET_LDAP_TOKEN_VERSION=v1
-
-## ADMIN
-AUTHENTIK_BOOTSTRAP_EMAIL=admin@example.com
-
-## EMAIL
+# EMAIL
 AUTHENTIK_EMAIL__HOST=smtp
-AUTHENTIK_EMAIL__PORT=587
-AUTHENTIK_EMAIL__USERNAME="noreply@example.com"
-AUTHENTIK_EMAIL__USE_TLS=true
+AUTHENTIK_EMAIL__PORT=25
+# AUTHENTIK_EMAIL__USERNAME=""
+# AUTHENTIK_EMAIL__PASSWORD=""
+AUTHENTIK_EMAIL__USE_TLS=false
 AUTHENTIK_EMAIL__USE_SSL=false
 AUTHENTIK_EMAIL__TIMEOUT=10
 AUTHENTIK_EMAIL__FROM=noreply@example.com
+AUTHENTIK_LOG_LEVEL=info

-## Secret Versions
-SECRET_SECRET_KEY_VERSION=v1
-SECRET_DB_PASSWORD_VERSION=v1
-SECRET_ADMIN_TOKEN_VERSION=v1
-SECRET_ADMIN_PASS_VERSION=v1
-SECRET_EMAIL_PASS_VERSION=v1
+# Secret Versions
+# SECRET_SECRET_KEY_VERSION=v1
+# SECRET_ADMIN_TOKEN_VERSION=v1
+# SECRET_ADMIN_PASS_VERSION=v1

 # X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
+AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21

 ## FLOW OPTIONS
-# WELCOME_MESSAGE="Welcome to Authentik"
-# DEFAULT_LANGUAGE=en
-# LOGOUT_REDIRECT="https://$DOMAIN"
-# EMAIL_SUBJECT="Account Recovery"
-# EMAIL_TOKEN_EXPIRY_MINUTES=30
-
-## assets
-COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
-COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/"
-COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
-
-# store custom CSS in a css-volume
-#COMPOSE_FILE="$COMPOSE_FILE:compose.css-volume.yml"
-# NOTE: this causes the authentik container to run as `root` initially; it uses `su` to drop privileges but technically could introduce a security risk. proceed with caution!
-
-# Default CSS customisation
-# COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
-# BACKGROUND_FONT_COLOR=white
-# BACKGROUND_BOX_COLOR='#eaeaeacf'
-# THEME_BACKGROUND="url('https://authentik.example.com/static/dist/assets/images/flow_background.jpg'); background-position: center; background-repeat: no-repeat; background-size: cover;"
-
-# COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
-# NEXTCLOUD_DOMAIN=nextcloud.example.com
-# SECRET_NEXTCLOUD_ID_VERSION=v1
-# SECRET_NEXTCLOUD_SECRET_VERSION=v1
-# APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"
-
-# COMPOSE_FILE="$COMPOSE_FILE:compose.wordpress.yml"
-# WORDPRESS_DOMAIN=wordpress.example.com
-# WORDPRESS_GROUP='wordpress Admins'
-# SECRET_WORDPRESS_ID_VERSION=v1
-# SECRET_WORDPRESS_SECRET_VERSION=v1
-# APP_ICONS="$APP_ICONS wordpress:~/.abra/recipes/authentik/icons/wordpress.png"
-
-# COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
-# ELEMENT_DOMAIN=element-web.example.com
-# MATRIX_DOMAIN=matrix-synapse.example.com
-# SECRET_MATRIX_ID_VERSION=v1
-# SECRET_MATRIX_SECRET_VERSION=v1
-# APP_ICONS="$APP_ICONS matrix:~/.abra/recipes/authentik/icons/matrix.svg"
-
-# COMPOSE_FILE="$COMPOSE_FILE:compose.wekan.yml"
-# WEKAN_DOMAIN=wekan.example.com
-# SECRET_WEKAN_ID_VERSION=v1
-# SECRET_WEKAN_SECRET_VERSION=v1
-# APP_ICONS="$APP_ICONS wekan:~/.abra/recipes/authentik/icons/wekan.png"
-
-# COMPOSE_FILE="$COMPOSE_FILE:compose.vikunja.yml"
-# VIKUNJA_DOMAIN=vikunja.example.com
-# SECRET_VIKUNJA_ID_VERSION=v1
-# SECRET_VIKUNJA_SECRET_VERSION=v1
-# APP_ICONS="$APP_ICONS vikunja:~/.abra/recipes/authentik/icons/vikunja.svg"
-
-# COMPOSE_FILE="$COMPOSE_FILE:compose.outline.yml"
-# OUTLINE_DOMAIN=outline.example.com
-# SECRET_OUTLINE_ID_VERSION=v1
-# SECRET_OUTLINE_SECRET_VERSION=v1
-# APP_ICONS="$APP_ICONS outline:~/.abra/recipes/authentik/icons/outline.png"
-
-# COMPOSE_FILE="$COMPOSE_FILE:compose.kimai.yml"
-# KIMAI_DOMAIN=kimai.example.com
-# SECRET_KIMAI_ID_VERSION=v1
-# SECRET_KIMAI_SECRET_VERSION=v1
-# APP_ICONS="$APP_ICONS kimai:~/.abra/recipes/authentik/icons/kimai_logo.png"
-
-# COMPOSE_FILE="$COMPOSE_FILE:compose.zammad.yml"
-# ZAMMAD_DOMAIN=zammad.example.com
-# APP_ICONS="$APP_ICONS zammad:~/.abra/recipes/authentik/icons/zammad.svg"
-
-# COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml"
-# MONITORING_DOMAIN=monitoring.example.com
-# SECRET_MONITORING_ID_VERSION=v1
-# SECRET_MONITORING_SECRET_VERSION=v1
-# APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.svg"
-
-# COMPOSE_FILE="$COMPOSE_FILE:compose.rallly.yml"
-# RALLLY_DOMAIN=rallly.example.com
-# SECRET_RALLLY_ID_VERSION=v1
-# SECRET_RALLLY_SECRET_VERSION=v1
-# APP_ICONS="$APP_ICONS rallly:~/.abra/recipes/authentik/icons/rallly.png"
-
-# COMPOSE_FILE="$COMPOSE_FILE:compose.hedgedoc.yml"
-# HEDGEDOC_DOMAIN=hedgedoc.example.com
-# SECRET_HEDGEDOC_ID_VERSION=v1
-# SECRET_HEDGEDOC_SECRET_VERSION=v1
-# APP_ICONS="$APP_ICONS hedgedoc:~/.abra/recipes/authentik/icons/hedgedoc.png"
-
-# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/", "Pretix": "https://pretix.example.com/control/"}'
-# EXTRA_ICONS={"Calendar": "~/.abra/recipes/authentik/icons/calendar.svg", "BBB": "~/.abra/recipes/authentik/icons/bbb.png", "Pretix": "~/.abra/recipes/authentik/icons/pretix.svg"}
+WELCOME_MESSAGE="Welcome to Authentik"
+DEFAULT_LANGUAGE=en
+AUTHENTIK_FOOTER_LINKS='[{"name": "My Organization","href":"https://example.com"}]'
+COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/ icon_left_brand.svg|app:/web/dist/assets/icons/ icon.png|app:/web/dist/assets/icons/"
--- a/README.md
+++ b/README.md
@ -9,7 +9,7 @@

 * **Category**: Apps
 * **Status**: 0, work-in-progress
-* **Image**: [ghcr/goauthentik/server](https://ghcr.io/goauthentik/server), 4, upstream
+* **Image**: [ghcr/goauthentik/server](https://ghcr.io/goauthentik/server)
 * **Healthcheck**: Yes
 * **Backups**: Yes
 * **Email**: Yes
@ -20,218 +20,20 @@

 ## Quick start

-* `abra app new authentik`
+* `abra app new authentik --secrets`
 * `abra app config <app-name>`
-* `abra app secret insert <app_name> email_pass v1 <password>`
-* `abra app secret generate -a <app_name>`
 * `abra app deploy <app-name>`

-## Rotate Secrets
-
-Increment the secret versions using `abra app config <app_name>`
-
-```
-abra app secret generate -a <app_name>
-abra app undeploy <app_name>
-abra app deploy <app_name>
-abra app cmd <app_name> db rotate_db_pass
-abra app cmd <app_name> app set_admin_pass
-```
-
-## Add SSO for Nextcloud
-
-Uncomment Nextcloud configuration and set `NEXTCLOUD_DOMAIN` the using `abra app config <app_name>`:
-
-```
-COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
-NEXTCLOUD_DOMAIN=nextcloud.example.com
-SECRET_NEXTCLOUD_ID_VERSION=v1
-SECRET_NEXTCLOUD_SECRET_VERSION=v1
-APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"
-```
-
-Set the nextcloud Icon using `abra app cmd -l -d <app_name> set_icons`
-
-Generate OAuth client id and secret using `abra app secret generate <app_name> -a` (all secrets) or individually:
- `abra app secret generate <app_name> nextcloud_id`
- `abra app secret generate <app_name> nextcloud_secret`
-
-Add the id and secret to nextcloud as secrets with:
- `abra app secret insert <nextcloud_app_name> authentik_id v1 <id>`
- `abra app secret insert <nextcloud_app_name> authentik_secret v1 <secret>`
-
-Redeploy Authentik to enable the nextcloud client.
-
-The configuration inside Nextcloud can be found in the [nextcloud recipe](https://git.coopcloud.tech/coop-cloud/nextcloud#authentik-integration)
-
-## Add LDAP outpost
-
- Follow [this official guide](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap/generic_setup) and skip the LDAP Flow as we don't need it.
- Copy token under `Applications` -> `Outposts` `-> `View Deployment Info` 
- Comment in envs for compose.outposts.ldap.yaml and secret version
- Insert token as secret `abra app secret insert <DOMAIN> ldap_token v1 <TOKEN>`
- Update deployment -> Outpost should be up and running
-
-## Import User from CSV
-
-Users can be imported from a CSV file of the following format:
-
-`First and last name, username, email@example.com, group1;group2;group3`
-
-Run the following command to import the file `users.csv`:
-
-`abra app cmd -l <app_name> import_user users.csv`
-
-Users will only be created if the username does not exits. I a group does not exists it will be created.
-
 ## Customization

-Place the files you want to overwrite in a directory `<assets_path>`.
-Run `abra app config <app_name>` and define the env variable `COPY_ASSETS` in the following format:
-
-```
-"<source_file1>|<service>:<target_directory1> <source_file2>|<service>:<target_directory2> ...
-```
-
-For example:
-
-```
-COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
-COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/
-COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
-```
-
 Run this command after every deploy/upgrade:

 `abra app command --local <app-name> customize <assets_path>`

-## Custom CSS
-
-Uncomment the following env:
-
-```
-COMPOSE_FILE="$COMPOSE_FILE:compose.css-volume.yml"
-```
-
-Redeploy the app:
-```
-abra app deploy -f <app_name>
-```
-
-Copy the CSS and restart the container:
-```
-abra app cp <app_name> my_custom.css app:/web/dist/assets/custom.css
-abra app restart <app_name> app
-```
-
-## Email templates
-
-Add custom [email templates](https://goauthentik.io/docs/flow/stages/email/#custom-templates):
-
-`abra app cmd -l <app_name> add_email_templates local/path/to/mail_template.html`
-
-## Blueprints
-
-These blueprints overwrite default blueprint values:
-
- `flow_translation.yaml`
- `flow_authentication.yaml`
-
-The following default blueprints will be overwritten by customizations:
-
- `flow-password-change.yaml`
- `flow-default-authentication-flow.yaml`
- `flow-default-user-settings-flow.yaml`
- `flow-default-source-enrollment.yaml`
-
-The `abra.sh` function `apply_blueprints` needs to be executed to deactivate these blueprints to ensure that the customizations won't be overwritten. It will further execute flow_translation.yaml and flow_authentication.yaml again.
-
-
-### Blueprint Overwrite/Use Dependencies
-
- Recovery with email verification
-    - Default - Password change flow
-        - USE:
-            - `default-password-change-prompt`
-            - `default-password-change-write`
-    - Default - Authentication flow
-        - USE:
-            - `default-authentication-login`
- Custom Authentication Flow
-    - Default - Authentication flow
-        - USE:
-            - `default-authentication-password`
-        - OVERWRITE:
-            - `default-authentication-flow`
-        - APPEND:
-            - `default-authentication-identification`
-            - `default-authentication-login`
-        - REMOVE: `authentik_flows.flowstagebinding order:20`
-    - Recovery with email verification
-        - USE:
-            - `default-recovery-flow`
- Invitation Enrollment Flow
-    - Default - User settings flow
-        - USE:
-            - `default-user-settings-field-name`
-            - `default-user-settings-field-email`
-    - Default - Password change flow
-        - USE:
-            - `default-password-change-field-password`
-            - `default-password-change-field-password-repeat`
-    - Default - Authentication flow
-        - USE:
-            - `default-authentication-login`
-    - Default - Source enrollment flow
-        - USE:
-            - `default-source-enrollment-field-username`
-            - `default-source-enrollment-write`
- Custom Invalidation Flow
-    - Default - Invalidation flow
-        - APPEND_ATTR:
-            - `authentik_flows.flowstagebinding order: 0`
- Flow Translations
-    - Recovery with email verification
-        - APPEND: `default-recovery-flow`
-    - Default - Password change flow
-        - OVERWRITE:
-           - `default-password-change-field-password`
-           - `default-password-change-field-password-repeat`
-    - Default - User settings flow
-        - OVERWRITE:
-            - `default-user-settings-field-username`
-            - `default-user-settings-field-name`
-    - Default - Source enrollment flow
-        - OVERWRITE:
-            - `default-source-enrollment-field-username`
- Custom System Brand
-    - Default - Brand
-        - APPEND: `authentik_brands.brand  domain: authentik-default`
-    - Recovery with email verification
-        - USE:
-            - `default-recovery-flow`
-
-
-### Blueprint Dependency Execution Order
-
-5. Custom System Brand
-    - Default - Brand
-    1. Recovery with email verification
-        - Default - Authentication flow
-            - Default - Password change flow
-4. Invitation Enrollment Flow
-    3. Flow Translations
-        - Default - User settings flow
-        - Default - Source enrollment flow
-        1. Recovery with email verification
-            - Default - Authentication flow
-                - Default - Password change flow
-2. Custom Authentication Flow
-    1. Recovery with email verification
-        - Default - Authentication flow
-            - Default - Password change flow
-6. Custom Invalidation Flow
-    - Default - Invalidation flow
+This command replaces the background image, the logo and the favicon with the following files placed in the `<assets_path>` directory:
+* `flow_background.jpg`
+* `icon_left_brand.svg`
+* `icon.png`


 For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).
--- a/abra.sh
+++ b/abra.sh
@ -1,24 +1,6 @@
-export CUSTOM_CSS_VERSION=v3
-export FLOW_AUTHENTICATION_VERSION=v4
-export FLOW_INVITATION_VERSION=v2
-export FLOW_INVALIDATION_VERSION=v2
-export FLOW_RECOVERY_VERSION=v1
-export FLOW_TRANSLATION_VERSION=v3
-export SYSTEM_BRAND_VERSION=v4
-export NEXTCLOUD_CONFIG_VERSION=v3
-export WORDPRESS_CONFIG_VERSION=v4
-export MATRIX_CONFIG_VERSION=v3
-export WEKAN_CONFIG_VERSION=v5
-export VIKUNJA_CONFIG_VERSION=v3
-export OUTLINE_CONFIG_VERSION=v4
-export KIMAI_CONFIG_VERSION=v3
-export ZAMMAD_CONFIG_VERSION=v4
-export RALLLY_CONFIG_VERSION=v4
-export HEDGEDOC_CONFIG_VERSION=v3
-export MONITORING_CONFIG_VERSION=v4
-export DB_ENTRYPOINT_VERSION=v1
-export PG_BACKUP_VERSION=v2
-export ENTRYPOINT_CSS_VERSION=v1
+export CUSTOM_CSS_VERSION=v2
+export CUSTOM_FLOWS_VERSION=v2
+export RECOVERY_TEMPLATE_DE_VERSION=v1

 customize() {
    if [ -z "$1" ]
@ -34,261 +16,3 @@ customize() {
        abra app cp $APP_NAME $asset_dir/$source $target
    done
 }
-
-shell(){
-    if [ -z "$1" ]
-    then
-            echo "Usage: ... shell <python code>"
-            exit 1
-    fi
-    ak shell -c "$1" 2>&1 | quieten
-}
-
-import_user() {
-    if [ -z "$1" ]
-    then
-            echo "Usage: ... import_user <users.csv>"
-            exit 1
-    fi
-    source_file=$1
-    filename=$(basename $source_file)
-    abra app cp $APP_NAME $source_file worker:/tmp/
-    abra app cmd -T $APP_NAME worker _import_user $filename
-}
-
-_import_user() {
-/manage.py shell -c """
-import csv
-new_user = User()
-with open('/tmp/$1', newline='') as file:
-  reader = csv.reader(file)
-  for row in reader:
-    name = row[0].strip()
-    username = row[1].strip()
-    email = row[2].strip()
-    groups = row[3].split(';')
-    if User.objects.filter(username=username):
-        print(f'{username} already exists')
-        continue
-    new_user = User.objects.create(name=name, username=username, email=email)
-    print(f'{username} created')
-    for group_name in groups:
-        group_name = group_name.strip()
-        if Group.objects.filter(name=group_name):
-            group = Group.objects.get(name=group_name)
-        else:
-            group = Group.objects.create(name=group_name)
-            print(f'{group_name} created')
-        group.users.add(new_user)
-        print(f'add {username} to group {group_name}')
-""" 2>&1 | quieten
-}
-
-set_admin_pass() {
-password=$(cat /run/secrets/admin_pass)
-token=$(cat /run/secrets/admin_token)
-/manage.py shell -c """
-import time
-i = 0
-while (not User.objects.filter(username='akadmin')):
-    print('Waiting for akadmin to be created...')
-    time.sleep(10)
-    i += 1
-    if i > 6:
-        print('Failed to find admin user!')
-        exit()
-
-akadmin = User.objects.get(username='akadmin')
-akadmin.set_password('$password')
-akadmin.save()
-print('Changed akadmin password')
-
-from authentik.core.models import TokenIntents
-key='$token'
-if (token:= Token.objects.filter(identifier='authentik-bootstrap-token').first()):
-    token.key=key
-    token.save()
-    print('Changed authentik-bootstrap-token')
-else:
-    Token.objects.create(
-        identifier='authentik-bootstrap-token',
-        user=akadmin,
-        intent=TokenIntents.INTENT_API,
-        expiring=False,
-        key=key,
-    )
-    print('Created authentik-bootstrap-token')
-""" 2>&1 | quieten
-}
-
-rotate_db_pass() {
-    db_password=$(cat /run/secrets/db_password)
-    psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
-}
-
-# This function is for blueprints that are overwriting custom blueprints
-# It deactivates the affected custom blueprints to avoid changes to be reverted
-apply_blueprints() {
-    update_and_disable_blueprint default/flow-password-change.yaml
-    update_and_disable_blueprint default/flow-default-authentication-flow.yaml
-    update_and_disable_blueprint default/flow-default-user-settings-flow.yaml
-    update_and_disable_blueprint default/flow-default-source-enrollment.yaml
-    
-    apply_blueprint 3_flow_translation.yaml
-    apply_blueprint 2_flow_authentication.yaml
-}
-
-update_and_disable_blueprint() {
-    enable_blueprint $@ 2>&1 | quieten
-    sleep 1
-    apply_blueprint $@
-    sleep 1
-    disable_blueprint $@ 2>&1 | quieten
-}
-
-disable_blueprint() {
-    blueprint_state False $@
-}
-
-enable_blueprint() {
-    blueprint_state True $@
-}
-
-apply_blueprint() {
-    echo apply blueprint $@
-    ak apply_blueprint $@ 2>&1 | quieten
-}
-
-blueprint_state() {
-/manage.py shell -c """
-import time
-blueprint_state=$1
-blueprint_path='$2'
-blueprint = BlueprintInstance.objects.filter(path=blueprint_path).first()
-blueprint.enabled = blueprint_state
-# Hacky workaround to reduce chance of a race condition
-blueprint.save()
-time.sleep(1)
-blueprint.save()
-time.sleep(1)
-blueprint.save()
-print(f'{blueprint.name} enabled: {blueprint.enabled}')
-""" 2>&1 | quieten
-
-}
-
-add_applications(){
-export APPLICATIONS
-/manage.py shell -c """
-import json
-import os
-if os.environ['APPLICATIONS'] == '':
-    exit()
-applications = json.loads(os.environ['APPLICATIONS'])
-for name, url in applications.items():
-    print(f'Add {name}: {url}')
-    app = Application.objects.filter(name=name).first()
-    if not app:
-        app = Application()
-    app.name = name
-    app.slug = name.replace(' ', '-')
-    app.meta_launch_url = url
-    app.open_in_new_tab = True
-    app.save()
-""" 2>&1 | quieten
-}
-
-
-quieten(){
-    # 'SyntaxWarning|version_regex|"http\['
-    # is a workaround to get rid of some verbose syntax warnings, this might be fixed with another version
-    grep -Pv '"level": "(info|debug)"|SyntaxWarning|version_regex|"http\[|RuntimeWarning:'
-}
-
-add_email_templates(){
-for file_path in "$@"; do
-    echo copy template $file_path
-    abra app cp $APP_NAME $file_path app:/templates/
-done
-}
-
-set_icons(){
-if [ -n "$1" ]
-then
-APP_ICONS="$1"
-fi
-for icon in $APP_ICONS; do
-    app=$(echo $icon | cut -d ":" -f1)
-    file_path=$(eval echo $(echo $icon | cut -d ":" -f2))
-    file=$(basename $file_path)
-    echo copy icon $file_path for $app
-    abra app cp $APP_NAME $file_path app:/media/
-    abra app cmd -T $APP_NAME app set_app_icon $app /media/$file
-done
-}
-
-set_extra_icons(){
-    if [ -z "$EXTRA_ICONS" ]
-    then
-        echo "Variable EXTRA_ICONS is not set"
-        exit 1
-    fi
-    export EXTRA_ICONS
-    icon_key_values=$(python3 -c "
-import json
-import os
-for key, value in json.loads(os.environ['EXTRA_ICONS']).items():
-    print(f'{key}:{value}')
-")
-    set_icons "$icon_key_values"
-}
-
-set_app_icon() {
-TOKEN=$(cat /run/secrets/admin_token)
-python -c """
-import requests
-import os
-my_token = '$TOKEN'
-application = '$1'
-icon_path = '$2'
-url = f'https://$DOMAIN/api/v3/core/applications/{application}/set_icon/'
-headers = {'Authorization':f'Bearer {my_token}'}
-with open(icon_path, 'rb') as img:
-  name_img = os.path.basename(icon_path)
-  files= {'file': (name_img,img,'image/png') }
-  with requests.Session() as s:
-    r = s.post(url,files=files,headers=headers)
-    print(r.status_code)
-"""
-
-}
-
-blueprint_cleanup() {
-/manage.py shell -c """
-delete_flows = ['default-recovery-flow' , 'custom-authentication-flow' , 'invitation-enrollment-flow' , 'initial-setup']
-Flow.objects.filter(slug__in=delete_flows).delete()
-Stage.objects.filter(flow=None).delete()
-Prompt.objects.filter(promptstage=None).delete()
-Brand.objects.filter(default=True).delete()
-""" 2>&1 | quieten
-apply_blueprints
-}
-
-get_certificate() {
-/manage.py shell -c """
-provider_name='$1'
-if not provider_name:
-    print('no Provider Name given')
-    exit(1)
-provider = Provider.objects.filter(name=provider_name).first()
-saml = provider.samlprovider
-cert = saml.signing_kp
-print(''.join(cert.certificate_data.splitlines()[1:-1]))
-""" 2>&1 | quieten
-}
-
-get_user_uid() {
-/manage.py shell -c """
-print(User.objects.filter(username='$1').first().uid)
-""" 2>&1 | quieten
-}
--- a/alaconnect.yml
+++ b/alaconnect.yml
@ -1,89 +0,0 @@
-nextcloud:
-    uncomment:
-        - compose.nextcloud.yml
-        - NEXTCLOUD_DOMAIN
-        - SECRET_NEXTCLOUD_ID_VERSION
-        - SECRET_NEXTCLOUD_SECRET_VERSION
-        - nextcloud.png
-wordpress:
-    uncomment:
-        - compose.wordpress.yml
-        - WORDPRESS_DOMAIN
-        - WORDPRESS_GROUP
-        - SECRET_WORDPRESS_ID_VERSION
-        - SECRET_WORDPRESS_SECRET_VERSION
-        - wordpress.png
-matrix-synapse:
-    uncomment:
-        - compose.matrix.yml
-        - ELEMENT_DOMAIN
-        - MATRIX_DOMAIN
-        - SECRET_MATRIX_ID_VERSION
-        - SECRET_MATRIX_SECRET_VERSION
-        - matrix.svg
-    secrets:
-        matrix_id: matrix
-wekan:
-    uncomment:
-        - compose.wekan.yml
-        - WEKAN_DOMAIN
-        - SECRET_WEKAN_ID_VERSION
-        - SECRET_WEKAN_SECRET_VERSION
-        - wekan.png
-    secrets:
-        wekan_id: wekan
-vikunja:
-    uncomment:
-        - compose.vikunja.yml
-        - VIKUNJA_DOMAIN
-        - SECRET_VIKUNJA_ID_VERSION
-        - SECRET_VIKUNJA_SECRET_VERSION
-        - vikunja.svg
-    secrets:
-        vikunja_id: vikunja
-kimai:
-    uncomment:
-        - compose.kimai.yml
-        - KIMAI_DOMAIN
-        - SECRET_KIMAI_ID_VERSION
-        - SECRET_KIMAI_SECRET_VERSION
-        - kimai_logo.png
-zammad:
-    uncomment:
-        - compose.zammad.yml
-        - ZAMMAD_DOMAIN
-        - zammad.svg
-monitoring-ng:
-    uncomment:
-        - compose.monitoring.yml
-        - MONITORING_DOMAIN
-        - SECRET_MONITORING_ID_VERSION
-        - SECRET_MONITORING_SECRET_VERSION
-        - monitoring.png
-outline:
-    uncomment:
-        - compose.outline.yml
-        - OUTLINE_DOMAIN
-        - SECRET_OUTLINE_ID_VERSION
-        - SECRET_OUTLINE_SECRET_VERSION
-        - outline.png
-    secrets:
-        outline_id: outline
-rallly:
-    uncomment:  
-        - compose.rallly.yml
-        - RALLLY_DOMAIN
-        - SECRET_RALLLY_ID_VERSION
-        - SECRET_RALLLY_SECRET_VERSION
-        - rallly.png
-    secrets:
-        rallly_id: rallly
-hedgedoc:
-    uncomment:  
-        - compose.hedgedoc.yml
-        - HEDGEDOC_DOMAIN
-        - SECRET_HEDGEDOC_ID_VERSION
-        - SECRET_HEDGEDOC_SECRET_VERSION
-        - hedgedoc.png
-    secrets:
-        hedgedoc_id: hedgedoc
--- a/compose.css-volume.yml
+++ b/compose.css-volume.yml
@ -1,16 +0,0 @@
---
-version: "3.8"
-
-services:
-  app:
-    user: root
-    entrypoint: /docker-entrypoint.sh
-    configs:
-      - source: entrypoint_css
-        target: /docker-entrypoint.sh
-        mode: 0555
-
-configs:
-  entrypoint_css:
-    name: ${STACK_NAME}_entrypoint_css_${ENTRYPOINT_CSS_VERSION}
-    file: entrypoint-css-volume.sh
--- a/compose.css.yml
+++ b/compose.css.yml
@ -1,14 +0,0 @@
---
-version: '3.8'
-
-services:
-  app:
-    configs: 
-      - source: custom_css
-        target: /web/dist/custom.css
-
-configs:
-  custom_css:
-    name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
-    file: custom.css.tmpl
-    template_driver: golang
--- a/compose.hedgedoc.yml
+++ b/compose.hedgedoc.yml
@ -1,26 +0,0 @@
-version: "3.8"
-services:
-  worker:
-    secrets:
-      - hedgedoc_id
-      - hedgedoc_secret
-    environment:
-      - HEDGEDOC_DOMAIN
-    configs:
-      - source: hedgedoc
-        target: /blueprints/hedgedoc.yaml
-
-secrets:
-  hedgedoc_id:
-    external: true
-    name: ${STACK_NAME}_hedgedoc_id_${SECRET_HEDGEDOC_ID_VERSION}
-  hedgedoc_secret:
-    external: true
-    name: ${STACK_NAME}_hedgedoc_secret_${SECRET_HEDGEDOC_SECRET_VERSION}
-
-
-configs:
-  hedgedoc:
-    name: ${STACK_NAME}_hedgedoc_${HEDGEDOC_CONFIG_VERSION}
-    file: hedgedoc.yaml.tmpl
-    template_driver: golang
--- a/compose.kimai.yml
+++ b/compose.kimai.yml
@ -1,14 +0,0 @@
-version: "3.8"
-services:
-  worker:
-    environment:
-      - KIMAI_DOMAIN
-    configs:
-      - source: kimai
-        target: /blueprints/kimai.yaml
-
-configs:
-  kimai:
-    name: ${STACK_NAME}_kimai_${KIMAI_CONFIG_VERSION}
-    file: kimai.yaml.tmpl
-    template_driver: golang
--- a/compose.matrix.yml
+++ b/compose.matrix.yml
@ -1,33 +0,0 @@
-version: "3.8"
-services:
-  app:
-    deploy:
-      labels:
-        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect-matrix-well-known"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.regex=^https://(.*)/.well-known/matrix/(.*)"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.replacement=https://${MATRIX_DOMAIN}/.well-known/matrix/$$2"
-  worker:
-    secrets:
-      - matrix_id
-      - matrix_secret
-    environment:
-      - ELEMENT_DOMAIN
-      - MATRIX_DOMAIN
-    configs:
-      - source: matrix
-        target: /blueprints/matrix.yaml
-
-secrets:
-  matrix_id:
-    external: true
-    name: ${STACK_NAME}_matrix_id_${SECRET_MATRIX_ID_VERSION}
-  matrix_secret:
-    external: true
-    name: ${STACK_NAME}_matrix_secret_${SECRET_MATRIX_SECRET_VERSION}
-
-
-configs:
-  matrix:
-    name: ${STACK_NAME}_matrix_${MATRIX_CONFIG_VERSION}
-    file: matrix.yaml.tmpl
-    template_driver: golang
--- a/compose.monitoring.yml
+++ b/compose.monitoring.yml
@ -1,26 +0,0 @@
-version: "3.8"
-services:
-  worker:
-    secrets:
-      - monitoring_id
-      - monitoring_secret
-    environment:
-      - MONITORING_DOMAIN 
-    configs:
-      - source: monitoring
-        target: /blueprints/monitoring.yaml
-
-secrets:
-  monitoring_id:
-    external: true
-    name: ${STACK_NAME}_monitoring_id_${SECRET_MONITORING_ID_VERSION}
-  monitoring_secret:
-    external: true
-    name: ${STACK_NAME}_monitoring_secret_${SECRET_MONITORING_SECRET_VERSION}
-
-
-configs:
-  monitoring:
-    name: ${STACK_NAME}_monitoring_${MONITORING_CONFIG_VERSION}
-    file: monitoring.yaml.tmpl
-    template_driver: golang
--- a/compose.nextcloud.yml
+++ b/compose.nextcloud.yml
@ -1,26 +0,0 @@
-version: "3.8"
-services:
-  worker:
-    secrets:
-      - nextcloud_id
-      - nextcloud_secret
-    environment:
-      - NEXTCLOUD_DOMAIN
-    configs:
-      - source: nextcloud
-        target: /blueprints/nextcloud.yaml
-
-secrets:
-  nextcloud_id:
-    external: true
-    name: ${STACK_NAME}_nextcloud_id_${SECRET_NEXTCLOUD_ID_VERSION}
-  nextcloud_secret:
-    external: true
-    name: ${STACK_NAME}_nextcloud_secret_${SECRET_NEXTCLOUD_SECRET_VERSION}
-
-
-configs:
-  nextcloud:
-    name: ${STACK_NAME}_nextcloud_${NEXTCLOUD_CONFIG_VERSION}
-    file: nextcloud.yaml.tmpl
-    template_driver: golang
--- a/compose.outline.yml
+++ b/compose.outline.yml
@ -1,26 +0,0 @@
-version: "3.8"
-services:
-  worker:
-    secrets:
-      - outline_id
-      - outline_secret
-    environment:
-      - OUTLINE_DOMAIN
-    configs:
-      - source: outline
-        target: /blueprints/outline.yaml
-
-secrets:
-  outline_id:
-    external: true
-    name: ${STACK_NAME}_outline_id_${SECRET_OUTLINE_ID_VERSION}
-  outline_secret:
-    external: true
-    name: ${STACK_NAME}_outline_secret_${SECRET_OUTLINE_SECRET_VERSION}
-
-
-configs:
-  outline:
-    name: ${STACK_NAME}_outline_${OUTLINE_CONFIG_VERSION}
-    file: outline.yaml.tmpl
-    template_driver: golang
--- a/compose.outposts.ldap.yml
+++ b/compose.outposts.ldap.yml
@ -1,23 +0,0 @@
-version: "3.8"
-services:
-  authentik_ldap:
-      image: ghcr.io/goauthentik/ldap:2025.2.4
-      # Optionally specify which networks the container should be
-      # might be needed to reach the core authentik server
-      networks:
-        - internal
-        - proxy
-      ports:
-        - 389:3389
-        - 636:6636
-      secrets:
-        - ldap_token
-      environment:
-        - AUTHENTIK_HOST=https://${DOMAIN}
-        - AUTHENTIK_INSECURE=true
-        - AUTHENTIK_TOKEN=file:///run/secrets/ldap_token
-
-secrets:
-  ldap_token:
-    external: true
-    name: ${STACK_NAME}_ldap_token_${SECRET_LDAP_TOKEN_VERSION}
--- a/compose.outposts.yml
+++ b/compose.outposts.yml
@ -1,6 +0,0 @@
-version: "3.8"
-services:
-  worker:
-    user: root
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
--- a/compose.rallly.yml
+++ b/compose.rallly.yml
@ -1,26 +0,0 @@
-version: "3.8"
-services:
-  worker:
-    secrets:
-      - rallly_id
-      - rallly_secret
-    environment:
-      - RALLLY_DOMAIN
-    configs:
-      - source: rallly
-        target: /blueprints/rallly.yaml
-
-secrets:
-  rallly_id:
-    external: true
-    name: ${STACK_NAME}_rallly_id_${SECRET_RALLLY_ID_VERSION}
-  rallly_secret:
-    external: true
-    name: ${STACK_NAME}_rallly_secret_${SECRET_RALLLY_SECRET_VERSION}
-
-
-configs:
-  rallly:
-    name: ${STACK_NAME}_rallly_${RALLLY_CONFIG_VERSION}
-    file: rallly.yaml.tmpl
-    template_driver: golang
--- a/compose.vikunja.yml
+++ b/compose.vikunja.yml
@ -1,26 +0,0 @@
-version: "3.8"
-services:
-  worker:
-    secrets:
-      - vikunja_id
-      - vikunja_secret
-    environment:
-      - VIKUNJA_DOMAIN
-    configs:
-      - source: vikunja
-        target: /blueprints/vikunja.yaml
-
-secrets:
-  vikunja_id:
-    external: true
-    name: ${STACK_NAME}_vikunja_id_${SECRET_VIKUNJA_ID_VERSION}
-  vikunja_secret:
-    external: true
-    name: ${STACK_NAME}_vikunja_secret_${SECRET_VIKUNJA_SECRET_VERSION}
-
-
-configs:
-  vikunja:
-    name: ${STACK_NAME}_vikunja_${VIKUNJA_CONFIG_VERSION}
-    file: vikunja.yaml.tmpl
-    template_driver: golang
--- a/compose.wekan.yml
+++ b/compose.wekan.yml
@ -1,26 +0,0 @@
-version: "3.8"
-services:
-  worker:
-    secrets:
-      - wekan_id
-      - wekan_secret
-    environment:
-      - WEKAN_DOMAIN
-    configs:
-      - source: wekan
-        target: /blueprints/wekan.yaml
-
-secrets:
-  wekan_id:
-    external: true
-    name: ${STACK_NAME}_wekan_id_${SECRET_WEKAN_ID_VERSION}
-  wekan_secret:
-    external: true
-    name: ${STACK_NAME}_wekan_secret_${SECRET_WEKAN_SECRET_VERSION}
-
-
-configs:
-  wekan:
-    name: ${STACK_NAME}_wekan_${WEKAN_CONFIG_VERSION}
-    file: wekan.yaml.tmpl
-    template_driver: golang
--- a/compose.wordpress.yml
+++ b/compose.wordpress.yml
@ -1,27 +0,0 @@
-version: "3.8"
-services:
-  worker:
-    secrets:
-      - wordpress_id
-      - wordpress_secret
-    environment:
-      - WORDPRESS_DOMAIN
-      - WORDPRESS_GROUP
-    configs:
-      - source: wordpress
-        target: /blueprints/wordpress.yaml
-
-secrets:
-  wordpress_id:
-    external: true
-    name: ${STACK_NAME}_wordpress_id_${SECRET_WORDPRESS_ID_VERSION}
-  wordpress_secret:
-    external: true
-    name: ${STACK_NAME}_wordpress_secret_${SECRET_WORDPRESS_SECRET_VERSION}
-
-
-configs:
-  wordpress:
-    name: ${STACK_NAME}_wordpress_${WORDPRESS_CONFIG_VERSION}
-    file: wordpress.yaml.tmpl
-    template_driver: golang
--- a/compose.yml
+++ b/compose.yml
@ -1,70 +1,68 @@
 ---

 x-env: &env
-    - AUTHENTIK_POSTGRESQL__PASSWORD=file:///run/secrets/db_password
-    - AUTHENTIK_POSTGRESQL__USER=authentik
-    - AUTHENTIK_POSTGRESQL__NAME=authentik
-    - AUTHENTIK_POSTGRESQL__HOST=db
-    - AUTHENTIK_REDIS__HOST=redis
+    - AUTHENTIK_POSTGRESQL__PASSWORD
+    - AUTHENTIK_POSTGRESQL__USER
+    - AUTHENTIK_POSTGRESQL__NAME
+    - AUTHENTIK_POSTGRESQL__HOST
+    - AUTHENTIK_REDIS__HOST
    - AUTHENTIK_ERROR_REPORTING__ENABLED
-    - AUTHENTIK_SECRET_KEY=file:///run/secrets/secret_key
+    - AUTHENTIK_SECRET_KEY= #file:///run/secrets/secret_key
+    - AK_ADMIN_TOKEN= #file:///run/secrets/admin_token
+    - AK_ADMIN_PASS= #file:///run/secrets/admin_pass
    - AUTHENTIK_EMAIL__HOST
    - AUTHENTIK_EMAIL__PORT
    - AUTHENTIK_EMAIL__USERNAME
-    - AUTHENTIK_EMAIL__PASSWORD=file:///run/secrets/email_pass
+    - AUTHENTIK_EMAIL__PASSWORD
    - AUTHENTIK_EMAIL__USE_TLS
    - AUTHENTIK_EMAIL__USE_SSL
    - AUTHENTIK_EMAIL__TIMEOUT
    - AUTHENTIK_EMAIL__FROM
    - AUTHENTIK_LOG_LEVEL
-    - BACKGROUND_FONT_COLOR=${BACKGROUND_FONT_COLOR:-white}
-    - BACKGROUND_BOX_COLOR=${BACKGROUND_BOX_COLOR:-#eaeaeacf}
+    - AUTHENTIK_SETTINGS__THEME__BACKGROUND
+    - AUTHENTIK_COLOR_BACKGROUND_LIGHT
    - AUTHENTIK_FOOTER_LINKS
-    - AUTHENTIK_IMPERSONATION
-    - AUTHENTIK_BOOTSTRAP_EMAIL
    - WELCOME_MESSAGE
    - DEFAULT_LANGUAGE
-    - EMAIL_SUBJECT
-    - EMAIL_TOKEN_EXPIRY_MINUTES
    - DOMAIN
-    - LOGOUT_REDIRECT
-    - APPLICATIONS
-    - THEME_BACKGROUND

 version: '3.8'
 services:
  app:
-    image: ghcr.io/goauthentik/server:2025.2.4
+    image: ghcr.io/goauthentik/server:2022.10.1
    command: server
-    depends_on:
-      - db
-      - redis
-    secrets:
-      - db_password
-      - admin_pass
-      - admin_token
-      - secret_key
-      - email_pass
+    # secrets:
+    #   - db_password
+    #   - admin_pass
+    #   - admin_token
+    #   - secret_key
    volumes:
      - media:/media
-      - assets:/web/dist/assets
-      - templates:/templates
+      - custom-templates:/templates
+    configs:
+      - source: custom_css
+        target: /web/dist/custom.css
+      - source: recovery_template_de
+        target: /templates/password_reset_de.html
    networks:
      - internal
      - proxy
    healthcheck:
-      test: "ak healthcheck"
+      test: ["CMD", "curl", "-f", "localhost:9000/-/health/live/"]
      interval: 30s
-      timeout: 30s
+      timeout: 10s
      retries: 10
-      start_period: 5m
+      start_period: 1m
    environment: *env
    deploy:
+      update_config:
+        failure_action: rollback
+        order: start-first
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=proxy"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=9000"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions"
@ -72,115 +70,80 @@ services:
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
        - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
        - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=7.1.0+2025.2.4"
-        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
+        - "coop-cloud.${STACK_NAME}.version=0.6.0+2022.10.1"

  worker:
-    image: ghcr.io/goauthentik/server:2025.2.4
+    image: ghcr.io/goauthentik/server:2022.10.1
    command: worker
-    depends_on:
-      - db
-      - redis
-    secrets:
-      - db_password
-      - admin_pass
-      - admin_token
-      - secret_key
-      - email_pass
+    # secrets:
+      # - db_password
+      # - admin_pass
+      # - admin_token
+      # - secret_key
    networks:
      - internal
      - proxy
+    user: root
    volumes:
+      - backups:/backups
      - media:/media
-      - /dev/null:/blueprints/default/flow-oobe.yaml
-      - templates:/templates
-      - certs:/certs
+      - /var/run/docker.sock:/var/run/docker.sock
+      - custom-templates:/templates
+      - /dev/null:/blueprints/default/10-flow-default-authentication-flow.yaml
    configs:
-      - source: flow_recovery
-        target: /blueprints/1_flow_recovery.yaml
-      - source: flow_authentication
-        target: /blueprints/2_flow_authentication.yaml
-      - source: flow_translation
-        target: /blueprints/3_flow_translation.yaml
-      - source: flow_invitation
-        target: /blueprints/4_flow_invitation.yaml
-      - source: system_brand
-        target: /blueprints/5_system_brand.yaml
-      - source: flow_invalidation
-        target: /blueprints/6_flow_invalidation.yaml
+      - source: custom_flows
+        target: /blueprints/custom_flows.yaml
    environment: *env
-    healthcheck:
-      test: "ak healthcheck"
-      interval: 30s
-      timeout: 30s
-      retries: 10
-      start_period: 5m

  db:
-    image: postgres:15.12
-    secrets:
-      - db_password
-    configs:
-      - source: db_entrypoint
-        target: /docker-entrypoint.sh
-        mode: 0555
-      - source: pg_backup
-        target: /pg_backup.sh
-        mode: 0555
-    entrypoint:
-      /docker-entrypoint.sh
+    image: postgres:12.12-alpine
+    # secrets:
+      # - db_password
    volumes:
      - database:/var/lib/postgresql/data
    networks:
      - internal
    healthcheck:
-      test: ["CMD", "pg_isready", "-U", "authentik"]
+      test: ["CMD", "pg_isready"]
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 1m
    environment:
-      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
-      - POSTGRES_USER=authentik
-      - POSTGRES_DB=authentik
+      - POSTGRES_PASSWORD
+      - POSTGRES_USER
+      - POSTGRES_DB
    deploy:
      labels:
-          backupbot.backup: "${ENABLE_BACKUPS:-true}"
-          backupbot.backup.pre-hook: "/pg_backup.sh backup"
-          backupbot.backup.volumes.database.path: "backup.sql"
-          backupbot.backup.volumes.redis: "false"
-          backupbot.restore.post-hook: '/pg_backup.sh restore'
+          backupbot.backup: "true"
+          backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=${POSTGRES_PASSWORD} pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > /tmp/backup/backup.sql"
+          backupbot.backup.post-hook: "rm -rf /tmp/backup"
+          backupbot.backup.path: "/tmp/backup/"

  redis:
-    image:  redis:7.4.2-alpine
-    command: --save 60 1 --loglevel warning
+    image:  redis:7.0.5-alpine
    networks:
      - internal
    healthcheck:
-      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      test: ["CMD", "redis-cli","ping"]
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 1m
-    volumes:
-        - redis:/data

-secrets:
-  db_password:
-    external: true
-    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
-  secret_key:
-    external: true
-    name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
-  admin_token:
-    external: true
-    name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
-  admin_pass:
-    external: true
-    name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION}
-  email_pass:
-    external: true
-    name: ${STACK_NAME}_email_pass_${SECRET_EMAIL_PASS_VERSION}
+# secrets:
+  # db_password:
+  #   external: true
+  #   name: ${STACK_NAME}_db_password
+  # secret_key:
+  #   external: true
+  #   name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
+  # admin_token:
+  #   external: true
+  #   name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
+  # admin_pass:
+  #   external: true
+  #   name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION}

 networks:
  proxy:
@ -188,42 +151,20 @@ networks:
  internal:

 volumes:
+  backups:
  media:
-  certs:
-  redis:
-  templates:
-  assets:
+  custom-templates:
  database:

 configs:
-  flow_authentication:
-    name: ${STACK_NAME}_flow_authentication_${FLOW_AUTHENTICATION_VERSION}
-    file: flow_authentication.yaml.tmpl
+  custom_css:
+    name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
+    file: custom.css.tmpl
    template_driver: golang
-  flow_invitation:
-    name: ${STACK_NAME}_flow_invitation_${FLOW_INVITATION_VERSION}
-    file: flow_invitation.yaml.tmpl
+  recovery_template_de:
+    name: ${STACK_NAME}_recovery_template_de_${RECOVERY_TEMPLATE_DE_VERSION}
+    file: password_reset_de.html
+  custom_flows:
+    name: ${STACK_NAME}_custom_flows_${CUSTOM_FLOWS_VERSION}
+    file: custom_flows.yaml.tmpl
    template_driver: golang
-  flow_invalidation:
-    name: ${STACK_NAME}_flow_invalidation_${FLOW_INVALIDATION_VERSION}
-    file: flow_invalidation.yaml.tmpl
-    template_driver: golang
-  flow_recovery:
-    name: ${STACK_NAME}_flow_recovery_${FLOW_RECOVERY_VERSION}
-    file: flow_recovery.yaml.tmpl
-    template_driver: golang
-  flow_translation:
-    name: ${STACK_NAME}_flow_translation_${FLOW_TRANSLATION_VERSION}
-    file: flow_translation.yaml.tmpl
-    template_driver: golang
-  system_brand:
-    name: ${STACK_NAME}_system_brand_${SYSTEM_BRAND_VERSION}
-    file: system_brand.yaml.tmpl
-    template_driver: golang
-  db_entrypoint:
-    name: ${STACK_NAME}_db_entrypoint_${DB_ENTRYPOINT_VERSION}
-    file: entrypoint.postgres.sh.tmpl
-    template_driver: golang
-  pg_backup:
-    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
-    file: pg_backup.sh
--- a/compose.zammad.yml
+++ b/compose.zammad.yml
@ -1,14 +0,0 @@
-version: "3.8"
-services:
-  worker:
-    environment:
-      - ZAMMAD_DOMAIN
-    configs:
-      - source: zammad
-        target: /blueprints/zammad.yaml
-
-configs:
-  zammad:
-    name: ${STACK_NAME}_zammad_${ZAMMAD_CONFIG_VERSION}
-    file: zammad.yaml.tmpl
-    template_driver: golang
--- a/custom.css.tmpl
+++ b/custom.css.tmpl
@ -1,13 +1,24 @@
 /* my custom css */

+
 :root {
-        --pf-global--BackgroundColor--100: {{ env "BACKGROUND_BOX_COLOR" }} !important;
+    --ak-accent: #fd4b2d;
+
+    --ak-dark-foreground: #fafafa;
+    --ak-dark-foreground-darker: #bebebe;
+    --ak-dark-foreground-link: #5a5cb9;
+    --ak-dark-background: #18191a;
+    --ak-dark-background-darker: #000000;
+
+
+    --ak-dark-background-light: {{ env "AUTHENTIK_COLOR_BACKGROUND_LIGHT" }};
+    --ak-dark-background-light-ish: #212427;
+    --ak-dark-background-lighter: #2b2e33;
+
+    --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
+    --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
+    --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
+    --pf-c-background-image--BackgroundImage--sm-2x: var(--ak-flow-background);
+    --pf-c-background-image--BackgroundImage--lg: var(--ak-flow-background);
 }

-.pf-c-login__main {
-        background-color: {{ env "BACKGROUND_BOX_COLOR" }};
-}
-
-.pf-c-content h1 {
-        color: {{ env "BACKGROUND_FONT_COLOR" }};
-}
--- a/custom_flows.yaml.tmpl
+++ b/custom_flows.yaml.tmpl
@ -0,0 +1,356 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Custom - Flows
+context:
+####### Translations ########
+  transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Passwort Zurücksetzen {{ else }} Reset your password {{ end }}
+  transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Passwort {{ else }} Password {{ end }}
+  transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Passwort (wiederholen) {{ else }} Password (repeat) {{ end }}
+  transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Benutzername {{ else }} Username {{ end }}
+  transl_name: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Vor- und Nachname {{ else }} Full name {{ end }}
+  transl_template_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} password_reset_de.html {{ else }} email/password_reset.html {{ end }}
+
+entries:
+######## Email Recovery Flow ######## 
+- identifiers:
+    slug: default-recovery-flow
+  id: recovery_flow
+  model: authentik_flows.flow
+  attrs:
+    name: Default recovery flow
+    title: !Context transl_recovery
+    designation: recovery
+
+### PROMPTS
+- identifiers:
+    field_key: password
+    label: !Context transl_password
+  id: prompt-field-password
+  model: authentik_stages_prompt.prompt
+  attrs:
+    type: password
+    required: true
+    placeholder: !Context transl_password
+    order: 30
+    placeholder_expression: false
+- identifiers:
+    field_key: password_repeat
+    label: !Context transl_password_repeat
+  id: prompt-field-password-repeat
+  model: authentik_stages_prompt.prompt
+  attrs:
+    type: password
+    required: true
+    placeholder: !Context transl_password_repeat
+    order: 31
+    placeholder_expression: false
+
+
+### STAGES
+- identifiers:
+    name: default-recovery-email
+  id: default-recovery-email
+  model: authentik_stages_email.emailstage
+  attrs:
+    use_global_settings: true
+    token_expiry: 30
+    subject: authentik
+    template: !Context transl_template_recovery
+    activate_user_on_success: true
+- identifiers:
+    name: default-recovery-user-write
+  id: default-recovery-user-write
+  model: authentik_stages_user_write.userwritestage
+- identifiers:
+    name: default-recovery-identification
+  id: default-recovery-identification
+  model: authentik_stages_identification.identificationstage
+  attrs:
+    user_fields:
+      - email
+      - username
+- identifiers:
+    name: default-recovery-user-login
+  id: default-recovery-user-login
+  model: authentik_stages_user_login.userloginstage
+  attrs:
+    session_duration: seconds=0
+- identifiers:
+    name: Change your password
+  id: stage-prompt-password
+  model: authentik_stages_prompt.promptstage
+  attrs:
+    fields:
+      - !KeyOf prompt-field-password
+      - !KeyOf prompt-field-password-repeat
+    validation_policies: []
+
+### STAGE BINDINGS
+- identifiers:
+    target: !KeyOf recovery_flow
+    stage: !KeyOf default-recovery-identification
+    order: 10
+  model: authentik_flows.flowstagebinding
+  id: flow-binding-identification
+  attrs:
+    evaluate_on_plan: true
+    re_evaluate_policies: true
+    policy_engine_mode: any
+    invalid_response_action: retry
+- identifiers:
+    target: !KeyOf recovery_flow
+    stage: !KeyOf default-recovery-email
+    order: 20
+  model: authentik_flows.flowstagebinding
+  id: flow-binding-email
+  attrs:
+    evaluate_on_plan: true
+    re_evaluate_policies: true
+    policy_engine_mode: any
+    invalid_response_action: retry
+- identifiers:
+    target: !KeyOf recovery_flow
+    stage: !KeyOf stage-prompt-password
+    order: 30
+  model: authentik_flows.flowstagebinding
+  attrs:
+    evaluate_on_plan: true
+    re_evaluate_policies: false
+    policy_engine_mode: any
+    invalid_response_action: retry
+- identifiers:
+    target: !KeyOf recovery_flow
+    stage: !KeyOf default-recovery-user-write
+    order: 40
+  model: authentik_flows.flowstagebinding
+  attrs:
+    evaluate_on_plan: true
+    re_evaluate_policies: false
+    policy_engine_mode: any
+    invalid_response_action: retry
+- identifiers:
+    target: !KeyOf recovery_flow
+    stage: !KeyOf default-recovery-user-login
+    order: 100
+  model: authentik_flows.flowstagebinding
+  attrs:
+    evaluate_on_plan: true
+    re_evaluate_policies: false
+    policy_engine_mode: any
+    invalid_response_action: retry
+
+### POLICIES
+## ISSUES with this policy
+## https://github.com/goauthentik/authentik/blob/493cdd5c0f8caaec7a7dd474f1aa131e32fd39c3/blueprints/example/flows-recovery-email-verification.yaml#L37
+## https://github.com/goauthentik/authentik/commit/317e9ec6053742e17ba74fb6aa38dc15aaf6657f#diff-a5c56bb7c60e27dda1b131b3fc2a17e3af6624e7cfaaa2337ec6b077ca489f34
+# - identifiers:
+#     name: default-recovery-skip-if-restored
+#   id: default-recovery-skip-if-restored
+#   model: authentik_policies_expression.expressionpolicy
+#   attrs:
+#     expression: |
+#       return request.context.get('is_restored', False)
+
+### POLICY BINDINGS
+# - identifiers:
+#     policy: !KeyOf default-recovery-skip-if-restored
+#     target: !KeyOf flow-binding-identification
+#     order: 0
+#   model: authentik_policies.policybinding
+#   attrs:
+#     negate: false
+#     enabled: true
+#     timeout: 30
+# - identifiers:
+#     policy: !KeyOf default-recovery-skip-if-restored
+#     target: !KeyOf flow-binding-email
+#     order: 0
+#   model: authentik_policies.policybinding
+#   attrs:
+#     negate: false
+#     enabled: true
+#     timeout: 30
+
+
+
+######## Authentication Flow ######## 
+- attrs:
+    designation: authentication
+    name: custom-authentication-flow
+    title: {{ env "WELCOME_MESSAGE" }}
+  identifiers:
+    slug: custom-authentication-flow
+  id: authentication_flow
+  model: authentik_flows.flow
+
+### STAGES
+- attrs:
+    backends:
+    - authentik.core.auth.InbuiltBackend
+    - authentik.sources.ldap.auth.LDAPBackend
+    - authentik.core.auth.TokenBackend
+    configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]
+  identifiers:
+    name: custom-authentication-password
+  id: custom-authentication-password
+  model: authentik_stages_password.passwordstage
+
+- identifiers:
+    name: custom-authentication-mfa-validation
+  id: custom-authentication-mfa-validation
+  model: authentik_stages_authenticator_validate.authenticatorvalidatestage
+
+- attrs:
+    password_stage: !KeyOf custom-authentication-password
+    recovery_flow: !KeyOf recovery_flow  # !Find [authentik_flows.flow, [slug, default-recovery-flow]]
+    user_fields:
+    - email
+    - username
+  identifiers:
+    name: custom-authentication-identification
+  id: custom-authentication-identification
+  model: authentik_stages_identification.identificationstage
+
+- attrs:
+    session_duration: seconds=0
+  identifiers:
+    name: custom-authentication-login
+  id: custom-authentication-login
+  model: authentik_stages_user_login.userloginstage
+
+### STAGE BINDINGS
+- identifiers:
+    order: 10
+    stage: !KeyOf custom-authentication-identification
+    target: !KeyOf authentication_flow
+  model: authentik_flows.flowstagebinding
+- identifiers:
+    order: 30
+    stage: !KeyOf custom-authentication-mfa-validation
+    target: !KeyOf authentication_flow
+  model: authentik_flows.flowstagebinding
+- identifiers:
+    order: 100
+    stage: !KeyOf custom-authentication-login
+    target: !KeyOf authentication_flow
+  model: authentik_flows.flowstagebinding
+
+######## Invitation Enrollment Flow ######## 
+- attrs:
+    designation: enrollment
+    name: invitation-enrollment-flow
+    title: {{ env "WELCOME_MESSAGE" }}
+  identifiers:
+    slug: invitation-enrollment-flow
+  id: invitation-enrollment-flow
+  model: authentik_flows.flow
+
+### PROMPTS
+- identifiers:
+    field_key: username
+    label: !Context transl_username
+  id: prompt-field-username
+  model: authentik_stages_prompt.prompt
+  attrs:
+    type: username
+    required: true
+    placeholder: !Context transl_username
+    order: 0
+    placeholder_expression: false
+- identifiers:
+    field_key: name
+    label: !Context transl_name
+  id: prompt-field-name
+  model: authentik_stages_prompt.prompt
+  attrs:
+    type: text
+    required: true
+    placeholder: !Context transl_name
+    order: 1
+    placeholder_expression: false
+- identifiers:
+    field_key: email
+    label: Email
+  id: prompt-field-email
+  model: authentik_stages_prompt.prompt
+  attrs:
+    type: email
+    required: true
+    placeholder: muster@example.com
+    order: 2
+    placeholder_expression: false
+
+### STAGES
+
+- id: invitation-stage
+  identifiers:
+    name: invitation-stage
+  model: authentik_stages_invitation.invitationstage
+
+- attrs:
+    fields:
+      - !KeyOf prompt-field-username
+      - !KeyOf prompt-field-name
+      - !KeyOf prompt-field-email
+      - !KeyOf prompt-field-password
+      - !KeyOf prompt-field-password-repeat
+  id: enrollment-prompt-userdata
+  identifiers:
+    name: enrollment-prompt-userdata
+  model: authentik_stages_prompt.promptstage
+
+- id: enrollment-user-write
+  identifiers:
+    name: enrollment-user-write
+  model: authentik_stages_user_write.userwritestage
+
+- attrs:
+    session_duration: seconds=0
+  id: enrollment-user-login
+  identifiers:
+    name: enrollment-user-login
+  model: authentik_stages_user_login.userloginstage
+
+### STAGE BINDINGS
+- identifiers:
+    order: 1
+    stage: !KeyOf invitation-stage
+    target: !KeyOf invitation-enrollment-flow
+  model: authentik_flows.flowstagebinding
+- identifiers:
+    order: 10
+    stage: !KeyOf enrollment-prompt-userdata
+    target: !KeyOf invitation-enrollment-flow
+  model: authentik_flows.flowstagebinding
+- identifiers:
+    order: 20
+    stage: !KeyOf enrollment-user-write
+    target: !KeyOf invitation-enrollment-flow
+  model: authentik_flows.flowstagebinding
+- identifiers:
+    order: 100
+    stage: !KeyOf enrollment-user-login
+    target: !KeyOf invitation-enrollment-flow
+  model: authentik_flows.flowstagebinding
+
+######## System Tenant ##########
+- attrs:
+    attributes: 
+      settings:
+        locale: {{ env "DEFAULT_LANGUAGE" }}
+    # branding_favicon: /static/dist/assets/icons/icon.png
+    # branding_logo: /static/dist/assets/icons/icon_left_brand.svg
+    # branding_title: Authentik
+    # default: true
+    domain: {{ env "DOMAIN" }}
+    # event_retention: days=365
+    flow_authentication: !KeyOf authentication_flow
+    flow_recovery: !KeyOf recovery_flow
+    flow_invalidation: !Find [authentik_flows.flow, [slug, default-invalidation-flow]]
+    flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
+  identifiers:
+    pk: 047cce25-aae2-4b02-9f96-078e155f803d
+  id: system_tenant
+  model: authentik_tenants.tenant
--- a/entrypoint-css-volume.sh
+++ b/entrypoint-css-volume.sh
@ -1,5 +0,0 @@
-#!/bin/sh
-
-cp -f /web/dist/assets/custom.css /web/dist/custom.css
-
-su $(id -un 1000) -s /bin/bash -c 'dumb-init -- ak server'
--- a/entrypoint.postgres.sh.tmpl
+++ b/entrypoint.postgres.sh.tmpl
@ -1,45 +0,0 @@
-#!/bin/bash
-
-set -e
-
-MIGRATION_MARKER=$PGDATA/migration_in_progress
-OLDDATA=$PGDATA/old_data
-NEWDATA=$PGDATA/new_data
-
-if [ -e $MIGRATION_MARKER ]; then
-  echo "FATAL: migration was started but did not complete in a previous run. manual recovery necessary"
-  exit 1
-fi
-
-if [ -f $PGDATA/PG_VERSION ]; then
-  DATA_VERSION=$(cat $PGDATA/PG_VERSION)
-
-  if [ -n "$DATA_VERSION" -a "$PG_MAJOR" != "$DATA_VERSION" ]; then
-    echo "postgres data version $DATA_VERSION found, but need $PG_MAJOR. Starting migration"
-    echo "Installing postgres $DATA_VERSION"
-    sed -i "s/$/ $DATA_VERSION/" /etc/apt/sources.list.d/pgdg.list
-    apt-get update && apt-get install -y --no-install-recommends \
-      postgresql-$DATA_VERSION \
-      && rm -rf /var/lib/apt/lists/*
-    echo "shuffling around"
-    chown -R postgres:postgres $PGDATA
-    gosu postgres mkdir $OLDDATA $NEWDATA
-    chmod 700 $OLDDATA $NEWDATA
-    mv $PGDATA/* $OLDDATA/ || true
-    touch $MIGRATION_MARKER
-    echo "running initdb"
-    # abuse entrypoint script for initdb by making server error out
-    gosu postgres bash -c "export PGDATA=$NEWDATA ; /usr/local/bin/docker-entrypoint.sh --invalid-arg || true"
-    echo "running pg_upgrade"
-    cd /tmp
-    gosu postgres pg_upgrade --link -b /usr/lib/postgresql/$DATA_VERSION/bin -d $OLDDATA -D $NEWDATA -U $POSTGRES_USER
-    cp $OLDDATA/pg_hba.conf $NEWDATA/
-    mv $NEWDATA/* $PGDATA
-    rm -rf $OLDDATA
-    rmdir $NEWDATA
-    rm $MIGRATION_MARKER
-    echo "migration complete"
-  fi
-fi
-
-/usr/local/bin/docker-entrypoint.sh postgres
--- a/flow_authentication.yaml.tmpl
+++ b/flow_authentication.yaml.tmpl
@ -1,48 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: Custom Authentication Flow
-context:
-  welcome_message: {{ if eq (env "WELCOME_MESSAGE") "" }} "Welcome to authentik!" {{ else }} {{ env "WELCOME_MESSAGE" }} {{ end }}
-
-entries:
-### DEPENDENCIES
- model: authentik_blueprints.metaapplyblueprint
-  attrs:
-    identifiers:
-      name: Recovery with email verification
-    required: true
-
-### FLOW
- model: authentik_flows.flow
-  identifiers:
-    slug: default-authentication-flow
-  id: flow
-  attrs:
-    name: !Context welcome_message
-    title: !Context welcome_message
-### STAGES
- identifiers:
-    name: default-authentication-identification
-  model: authentik_stages_identification.identificationstage
-  attrs:
-    password_stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]]
-    recovery_flow: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
-    user_fields:
-    - email
-    - username
-
- identifiers:
-    name: default-authentication-login
-  model: authentik_stages_user_login.userloginstage
-  attrs:
-    session_duration: days=30
-
-# After the first run this will produce a RelatedObjectDoesNotExist error
- identifiers:
-    order: 20
-    stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]]
-    target: !KeyOf flow
-  model: authentik_flows.flowstagebinding
-  state: absent
--- a/flow_invalidation.yaml.tmpl
+++ b/flow_invalidation.yaml.tmpl
@ -1,45 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: Custom Invalidation Flow
-entries:
-### DEPENDENCIES
- model: authentik_blueprints.metaapplyblueprint
-  attrs:
-    identifiers:
-      name: Default - Invalidation flow
-    required: true
-
-### STAGE BINDINGS
-
-# This is specified only for setting an id (this stagebinding does not have an identifier)
- identifiers:
-    order: 0
-    stage: !Find [authentik_stages_user_logout.userlogoutstage, [name, default-invalidation-logout]]
-    target: !Find [authentik_flows.flow, [slug, default-invalidation-flow]]
-  model: authentik_flows.flowstagebinding
-  attrs:
-    re_evaluate_policies: true
-  id: logout-stage-binding
-
-### POLICIES
- attrs:
-    execution_logging: true
-    expression: 'context[''flow_plan''].context[''redirect''] = ''{{ env "LOGOUT_REDIRECT" }}''
-
-    return True'
-  identifiers:
-    name: redirect-policy
-  id: redirect-policy
-  model: authentik_policies_expression.expressionpolicy
-
-### POLICY BINDINGS
- identifiers:
-    policy: !KeyOf redirect-policy
-    target: !KeyOf logout-stage-binding
-    order: 0
-  model: authentik_policies.policybinding
-  attrs:
-    enabled: {{ if eq (env "LOGOUT_REDIRECT") "" }} false {{ else }} true {{ end }}
-    timeout: 30
--- a/flow_invitation.yaml.tmpl
+++ b/flow_invitation.yaml.tmpl
@ -1,79 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: Invitation Enrollment Flow
-context:
-  welcome_message: {{ if eq (env "WELCOME_MESSAGE") "" }} "Welcome to authentik!" {{ else }} {{ env "WELCOME_MESSAGE" }} {{ end }}
-
-entries:
-### DEPENDENCIES
- model: authentik_blueprints.metaapplyblueprint
-  attrs:
-    identifiers:
-      name: Flow Translations
-    required: true
-
-### FLOW
- attrs:
-    designation: enrollment
-    name: invitation-enrollment-flow
-    title: !Context welcome_message
-  identifiers:
-    slug: invitation-enrollment-flow
-  id: invitation-enrollment-flow
-  model: authentik_flows.flow
-
-### POLICIES
- attrs:
-    expression: |
-      if not regex_match(request.context.get('prompt_data').get('username'), '\s'):
-          return True
-      ak_message("Username must not contain any whitespace!")
-      return False
-  id: username-without-spaces-policy
-  identifiers:
-    name: username-without-spaces-policy
-  model: authentik_policies_expression.expressionpolicy
-
-### STAGES
- identifiers:
-    name: invitation-stage
-  id: invitation-stage
-  model: authentik_stages_invitation.invitationstage
-
- identifiers:
-    name: enrollment-prompt-userdata
-  id: enrollment-prompt-userdata
-  model: authentik_stages_prompt.promptstage
-  attrs:
-    fields:
-      - !Find [authentik_stages_prompt.prompt, [name, default-source-enrollment-field-username]]
-      - !Find [authentik_stages_prompt.prompt, [name, default-user-settings-field-name]]
-      - !Find [authentik_stages_prompt.prompt, [name, default-user-settings-field-email]]
-      - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password]]
-      - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password-repeat]]
-    validation_policies:
-      - !Find [ authentik_policies_expression.expressionpolicy, [name, username-without-spaces-policy]]
-
-### STAGE BINDINGS
- identifiers:
-    order: 1
-    stage: !KeyOf invitation-stage
-    target: !KeyOf invitation-enrollment-flow
-  model: authentik_flows.flowstagebinding
- identifiers:
-    order: 10
-    stage: !KeyOf enrollment-prompt-userdata
-    target: !KeyOf invitation-enrollment-flow
-  model: authentik_flows.flowstagebinding
- identifiers:
-    order: 20
-    stage: !Find [authentik_stages_user_write.userwritestage, [name,  default-source-enrollment-write]]
-    target: !KeyOf invitation-enrollment-flow
-  model: authentik_flows.flowstagebinding
- identifiers:
-    order: 100
-    stage: !Find [authentik_stages_user_login.userloginstage, [name,  default-authentication-login]]
-    target: !KeyOf invitation-enrollment-flow
-  model: authentik_flows.flowstagebinding
--- a/flow_recovery.yaml.tmpl
+++ b/flow_recovery.yaml.tmpl
@ -1,128 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: Recovery with email verification
-context:
-  token_expiry: {{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }} 30 {{ else }} {{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }} {{ end }}
-  subject: {{ if eq (env "EMAIL_SUBJECT") "" }} Account Recovery {{ else }} {{ env "EMAIL_SUBJECT" }} {{ end }} 
-entries:
-### DEPENDENCIES
- model: authentik_blueprints.metaapplyblueprint
-  attrs:
-    identifiers:
-      name: Default - Authentication flow
-    required: true
-
-### FLOW
- identifiers:
-    slug: default-recovery-flow
-  model: authentik_flows.flow
-  state: created
-  attrs:
-    name: Default recovery flow
-    title: Reset your password
-    designation: recovery
-    authentication: require_unauthenticated
-
-### STAGES
- identifiers:
-    name: default-recovery-email
-  id: default-recovery-email
-  model: authentik_stages_email.emailstage
-  attrs:
-    use_global_settings: true
-    token_expiry: !Context token_expiry
-    subject: !Context subject
-    template: email/password_reset.html
-    activate_user_on_success: true
- identifiers:
-    name: default-recovery-identification
-  id: default-recovery-identification
-  model: authentik_stages_identification.identificationstage
-  attrs:
-    user_fields:
-      - email
-      - username
-
-### STAGE BINDINGS
- identifiers:
-    target: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
-    stage: !KeyOf default-recovery-identification
-    order: 10
-  model: authentik_flows.flowstagebinding
-  id: flow-binding-identification
-  attrs:
-    evaluate_on_plan: true
-    re_evaluate_policies: true
-    policy_engine_mode: any
-    invalid_response_action: retry
- identifiers:
-    target: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
-    stage: !KeyOf default-recovery-email
-    order: 20
-  model: authentik_flows.flowstagebinding
-  id: flow-binding-email
-  attrs:
-    evaluate_on_plan: true
-    re_evaluate_policies: true
-    policy_engine_mode: any
-    invalid_response_action: retry
- identifiers:
-    target: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
-    stage: !Find [authentik_stages_prompt.promptstage, [name,  default-password-change-prompt]]
-    order: 30
-  model: authentik_flows.flowstagebinding
-  attrs:
-    evaluate_on_plan: true
-    re_evaluate_policies: false
-    policy_engine_mode: any
-    invalid_response_action: retry
- identifiers:
-    target: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
-    stage: !Find [authentik_stages_user_write.userwritestage, [name,  default-password-change-write]]
-    order: 40
-  model: authentik_flows.flowstagebinding
-  attrs:
-    evaluate_on_plan: true
-    re_evaluate_policies: false
-    policy_engine_mode: any
-    invalid_response_action: retry
- identifiers:
-    target: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
-    stage: !Find [authentik_stages_user_login.userloginstage, [name,  default-authentication-login]]
-    order: 100
-  model: authentik_flows.flowstagebinding
-  attrs:
-    evaluate_on_plan: true
-    re_evaluate_policies: false
-    policy_engine_mode: any
-    invalid_response_action: retry
-
-### POLICIES
- identifiers:
-    name: default-recovery-skip-if-restored
-  id: default-recovery-skip-if-restored
-  model: authentik_policies_expression.expressionpolicy
-  attrs:
-    expression: |
-      return request.context.get('is_restored', False)
- identifiers:
-    policy: !KeyOf default-recovery-skip-if-restored
-    target: !KeyOf flow-binding-identification
-    order: 0
-  model: authentik_policies.policybinding
-  attrs:
-    negate: false
-    enabled: false # TODO: why does this doesn't work?
-    timeout: 30
- identifiers:
-    policy: !KeyOf default-recovery-skip-if-restored
-    target: !KeyOf flow-binding-email
-    order: 0
-  state: absent
-  model: authentik_policies.policybinding
-  attrs:
-    negate: false
-    enabled: true
-    timeout: 30
--- a/flow_translation.yaml.tmpl
+++ b/flow_translation.yaml.tmpl
@ -1,71 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: Flow Translations
-context:
-  transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort zurücksetzen" {{ else }} "Reset your password" {{ end }}
-  transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort" {{ else }} "Password" {{ end }}
-  transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort (wiederholen)" {{ else }} "Password (repeat)" {{ end }}
-  transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Benutzername" {{ else }} "Username" {{ end }}
-  transl_name: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Vor- und Nachname" {{ else }} "Full name" {{ end }}
-
-entries:
-### DEPENDENCIES
- model: authentik_blueprints.metaapplyblueprint
-  attrs:
-    identifiers:
-      name: Recovery with email verification
-    required: true
- model: authentik_blueprints.metaapplyblueprint
-  attrs:
-    identifiers:
-      name: Default - User settings flow
-    required: true
- model: authentik_blueprints.metaapplyblueprint
-  attrs:
-    identifiers:
-      name: Default - Source enrollment flow
-    required: true
-
-### FLOWS
- model: authentik_flows.flow 
-  identifiers:
-    slug: default-recovery-flow
-  id: recovery_flow
-  model: authentik_flows.flow
-  attrs:
-    name: Default recovery flow
-    title: !Context transl_recovery
-    designation: recovery
-
-
-### PROMPTS
- model: authentik_stages_prompt.prompt
-  identifiers:
-    name: default-password-change-field-password
-  attrs:
-    label: !Context transl_password
-    placeholder: !Context transl_password
- model: authentik_stages_prompt.prompt
-  identifiers:
-    name: default-password-change-field-password-repeat
-  attrs:
-    label: !Context transl_password_repeat
-    placeholder: !Context transl_password_repeat
- model: authentik_stages_prompt.prompt
-  identifiers:
-    name: default-user-settings-field-username
-  attrs:
-    label: !Context transl_username
- model: authentik_stages_prompt.prompt
-  identifiers:
-    name: default-user-settings-field-name
-  attrs:
-    label: !Context transl_name
- model: authentik_stages_prompt.prompt
-  identifiers:
-    name: default-source-enrollment-field-username
-  attrs:
-    label: !Context transl_username
-    placeholder: !Context transl_username
--- a/hedgedoc.yaml.tmpl
+++ b/hedgedoc.yaml.tmpl
@ -1,48 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: hedgedoc
-
-entries:
-
- attrs:
-    access_code_validity: minutes=1
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
-    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
-    client_id: {{ secret  "hedgedoc_id" }}
-    client_secret: {{ secret  "hedgedoc_secret" }}
-    client_type: confidential
-    include_claims_in_id_token: true
-    issuer_mode: per_provider
-    redirect_uris:
-    - matching_mode: strict
-      url: https://{{ env  "HEDGEDOC_DOMAIN" }}/auth/oauth2/callback
-    name: Hedgedoc
-    property_mappings:
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
-    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
-    sub_mode: hashed_user_id
-    token_validity: days=30
-  conditions: []
-  id: hedgedoc_provider
-  identifiers:
-    pk: 9992
-  model: authentik_providers_oauth2.oauth2provider
-  state: present
-
- attrs:
-    meta_launch_url: https://{{ env  "HEDGEDOC_DOMAIN" }}/auth/oauth2
-    open_in_new_tab: true
-    policy_engine_mode: any
-    provider: !KeyOf hedgedoc_provider
-    slug: hedgedoc
-  conditions: []
-  id: hedgedoc_application
-  identifiers:
-    name: Hedgedoc
-  model: authentik_core.application
-  state: present
--- a/icons/bbb.png
+++ b/icons/bbb.png
--- a/icons/calendar.svg
+++ b/icons/calendar.svg
@ -1,2 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<svg xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://www.w3.org/2000/svg" version="1.1" xml:space="preserve" height="32" width="32" enable-background="new 0 0 595.275 311.111" y="0px" x="0px" xmlns:cc="http://creativecommons.org/ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" viewBox="0 0 32 32"><rect rx="5" ry="5" height="32" width="32" y="-.0000052588" x="0" fill="#0082c9"/><g transform="matrix(.89286 0 0 .89286 520.21 -.19331)"><path fill="#fff" d="m-572.71 3.5765c-1.108 0-2 0.892-2 2v4c0 1.108 0.892 2 2 2s2-0.892 2-2v-4c0-1.108-0.892-2-2-2zm16 0c-1.108 0-2 0.892-2 2v4c0 1.108 0.892 2 2 2s2-0.892 2-2v-4c0-1.108-0.892-2-2-2zm-13 4v2c0 1.662-1.338 3-3 3s-3-1.338-3-3v-1.875c-1.728 0.44254-3 2.0052-3 3.875v16c0 2.216 1.784 4 4 4h20c2.216 0 4-1.784 4-4v-16c0-1.8698-1.272-3.4325-3-3.875v1.875c0 1.662-1.338 3-3 3s-3-1.338-3-3v-2h-10zm-5.9062 9h21.812c0.0554 0 0.0937 0.03835 0.0937 0.09375v11.812c0 0.0554-0.0384 0.09375-0.0937 0.09375h-21.812c-0.0554 0-0.0937-0.03835-0.0937-0.09375v-11.812c0-0.0554 0.0384-0.09375 0.0937-0.09375z"/></g></svg>
--- a/icons/hedgedoc.png
+++ b/icons/hedgedoc.png
--- a/icons/help.svg
+++ b/icons/help.svg
@ -1,8 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
-<svg width="800px" height="800px" viewBox="0 0 48 48" fill="none" xmlns="http://www.w3.org/2000/svg">
-<rect width="48" height="48" fill="white" fill-opacity="0.01"/>
-<path d="M24 44C29.5228 44 34.5228 41.7614 38.1421 38.1421C41.7614 34.5228 44 29.5228 44 24C44 18.4772 41.7614 13.4772 38.1421 9.85786C34.5228 6.23858 29.5228 4 24 4C18.4772 4 13.4772 6.23858 9.85786 9.85786C6.23858 13.4772 4 18.4772 4 24C4 29.5228 6.23858 34.5228 9.85786 38.1421C13.4772 41.7614 18.4772 44 24 44Z" fill="#2F88FF" stroke="#000000" stroke-width="4" stroke-linejoin="round"/>
-<path d="M24 28.6249V24.6249C27.3137 24.6249 30 21.9386 30 18.6249C30 15.3112 27.3137 12.6249 24 12.6249C20.6863 12.6249 18 15.3112 18 18.6249" stroke="white" stroke-width="4" stroke-linecap="round" stroke-linejoin="round"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M24 37.6249C25.3807 37.6249 26.5 36.5056 26.5 35.1249C26.5 33.7442 25.3807 32.6249 24 32.6249C22.6193 32.6249 21.5 33.7442 21.5 35.1249C21.5 36.5056 22.6193 37.6249 24 37.6249Z" fill="white"/>
-</svg>
--- a/icons/kimai_logo.png
+++ b/icons/kimai_logo.png
--- a/icons/matrix.svg
+++ b/icons/matrix.svg
@ -1,7 +0,0 @@
-<svg width="200" height="200" viewBox="0 0 200 200" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path fill-rule="evenodd" clip-rule="evenodd" d="M100 200C155.228 200 200 155.228 200 100C200 44.7715 155.228 0 100 0C44.7715 0 0 44.7715 0 100C0 155.228 44.7715 200 100 200Z" fill="#0DBD8B"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M81.7169 46.5946C81.7169 42.5581 84.9959 39.2859 89.0408 39.2859C116.456 39.2859 138.681 61.4642 138.681 88.8225C138.681 92.859 135.401 96.1312 131.357 96.1312C127.312 96.1312 124.033 92.859 124.033 88.8225C124.033 69.5372 108.366 53.9033 89.0408 53.9033C84.9959 53.9033 81.7169 50.6311 81.7169 46.5946Z" fill="white"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M153.39 81.5137C157.435 81.5137 160.714 84.7859 160.714 88.8224C160.714 116.181 138.49 138.359 111.075 138.359C107.03 138.359 103.751 135.087 103.751 131.05C103.751 127.014 107.03 123.742 111.075 123.742C130.4 123.742 146.066 108.108 146.066 88.8224C146.066 84.7859 149.345 81.5137 153.39 81.5137Z" fill="white"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M118.398 153.405C118.398 157.442 115.119 160.714 111.074 160.714C83.6592 160.714 61.4347 138.536 61.4347 111.177C61.4347 107.141 64.7138 103.869 68.7587 103.869C72.8035 103.869 76.0826 107.141 76.0826 111.177C76.0826 130.463 91.7489 146.097 111.074 146.097C115.119 146.097 118.398 149.369 118.398 153.405Z" fill="white"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M46.6097 118.486C42.5648 118.486 39.2858 115.214 39.2858 111.178C39.2858 83.8193 61.5102 61.6409 88.9255 61.6409C92.9704 61.6409 96.2494 64.9132 96.2494 68.9497C96.2494 72.9862 92.9704 76.2584 88.9255 76.2584C69.6 76.2584 53.9337 91.8922 53.9337 111.178C53.9337 115.214 50.6546 118.486 46.6097 118.486Z" fill="white"/>
-</svg>
--- a/icons/monitoring.svg
+++ b/icons/monitoring.svg
@ -1,70 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!-- Generator: Adobe Illustrator 21.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
-<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
-	 viewBox="0 0 142.5 145.6" style="enable-background:new 0 0 142.5 145.6;" xml:space="preserve">
-<style type="text/css">
-	.st0{fill:#565656;}
-	.st1{fill:url(#SVGID_1_);}
-</style>
-<g>
-	<path class="st0" d="M28.7,131.5c-0.3,7.9-6.6,14.1-14.4,14.1C6.1,145.6,0,139,0,130.9s6.6-14.7,14.7-14.7c3.6,0,7.2,1.6,10.2,4.4
-		l-2.3,2.9c-2.3-2-5.1-3.4-7.9-3.4c-5.9,0-10.8,4.8-10.8,10.8c0,6.1,4.6,10.8,10.4,10.8c5.2,0,9.3-3.8,10.2-8.8H12.6v-3.5h16.1
-		V131.5z"/>
-	<path class="st0" d="M42.3,129.5h-2.2c-2.4,0-4.4,2-4.4,4.4v11.4h-3.9v-19.6H35v1.6c1.1-1.1,2.7-1.6,4.6-1.6h4.2L42.3,129.5z"/>
-	<path class="st0" d="M63.7,145.3h-3.4v-2.5c-2.6,2.5-6.6,3.7-10.7,1.9c-3-1.3-5.3-4.1-5.9-7.4c-1.2-6.3,3.7-11.9,9.9-11.9
-		c2.6,0,5,1.1,6.7,2.8v-2.5h3.4V145.3z M59.7,137c0.9-4-2.1-7.6-6-7.6c-3.4,0-6.1,2.8-6.1,6.1c0,3.8,3.3,6.7,7.2,6.1
-		C57.1,141.2,59.1,139.3,59.7,137z"/>
-	<path class="st0" d="M71.5,124.7v1.1h6.2v3.4h-6.2v16.1h-3.8v-20.5c0-4.3,3.1-6.8,7-6.8h4.7l-1.6,3.7h-3.1
-		C72.9,121.6,71.5,123,71.5,124.7z"/>
-	<path class="st0" d="M98.5,145.3h-3.3v-2.5c-2.6,2.5-6.6,3.7-10.7,1.9c-3-1.3-5.3-4.1-5.9-7.4c-1.2-6.3,3.7-11.9,9.9-11.9
-		c2.6,0,5,1.1,6.7,2.8v-2.5h3.4v19.6H98.5z M94.5,137c0.9-4-2.1-7.6-6-7.6c-3.4,0-6.1,2.8-6.1,6.1c0,3.8,3.3,6.7,7.2,6.1
-		C92,141.2,93.9,139.3,94.5,137z"/>
-	<path class="st0" d="M119.4,133.8v11.5h-3.9v-11.6c0-2.4-2-4.4-4.4-4.4c-2.5,0-4.4,2-4.4,4.4v11.6h-3.9v-19.6h3.2v1.7
-		c1.4-1.3,3.3-2,5.2-2C115.8,125.5,119.4,129.2,119.4,133.8z"/>
-	<path class="st0" d="M142.4,145.3h-3.3v-2.5c-2.6,2.5-6.6,3.7-10.7,1.9c-3-1.3-5.3-4.1-5.9-7.4c-1.2-6.3,3.7-11.9,9.9-11.9
-		c2.6,0,5,1.1,6.7,2.8v-2.5h3.4v19.6H142.4z M138.4,137c0.9-4-2.1-7.6-6-7.6c-3.4,0-6.1,2.8-6.1,6.1c0,3.8,3.3,6.7,7.2,6.1
-		C135.9,141.2,137.8,139.3,138.4,137z"/>
-</g>
-<linearGradient id="SVGID_1_" gradientUnits="userSpaceOnUse" x1="71.25" y1="10.4893" x2="71.25" y2="113.3415" gradientTransform="matrix(1 0 0 -1 0 148.6)">
-	<stop  offset="0" style="stop-color:#FCEE1F"/>
-	<stop  offset="1" style="stop-color:#F15B2A"/>
-</linearGradient>
-<path class="st1" d="M122.9,49.9c-0.2-1.9-0.5-4.1-1.1-6.5c-0.6-2.4-1.6-5-2.9-7.8c-1.4-2.7-3.1-5.6-5.4-8.3
-	c-0.9-1.1-1.9-2.1-2.9-3.2c1.6-6.3-1.9-11.8-1.9-11.8c-6.1-0.4-9.9,1.9-11.3,2.9c-0.2-0.1-0.5-0.2-0.7-0.3c-1-0.4-2.1-0.8-3.2-1.2
-	c-1.1-0.3-2.2-0.7-3.3-0.9c-1.1-0.3-2.3-0.5-3.5-0.7c-0.2,0-0.4-0.1-0.6-0.1C83.5,3.6,75.9,0,75.9,0c-8.7,5.6-10.4,13.1-10.4,13.1
-	s0,0.2-0.1,0.4c-0.5,0.1-0.9,0.3-1.4,0.4c-0.6,0.2-1.3,0.4-1.9,0.7c-0.6,0.3-1.3,0.5-1.9,0.8c-1.3,0.6-2.5,1.2-3.8,1.9
-	c-1.2,0.7-2.4,1.4-3.5,2.2c-0.2-0.1-0.3-0.2-0.3-0.2c-11.7-4.5-22.1,0.9-22.1,0.9c-0.9,12.5,4.7,20.3,5.8,21.7
-	c-0.3,0.8-0.5,1.5-0.8,2.3c-0.9,2.8-1.5,5.7-1.9,8.7c-0.1,0.4-0.1,0.9-0.2,1.3c-10.8,5.3-14,16.3-14,16.3c9,10.4,19.6,11,19.6,11
-	l0,0c1.3,2.4,2.9,4.7,4.6,6.8c0.7,0.9,1.5,1.7,2.3,2.6c-3.3,9.4,0.5,17.3,0.5,17.3c10.1,0.4,16.7-4.4,18.1-5.5c1,0.3,2,0.6,3,0.9
-	c3.1,0.8,6.3,1.3,9.4,1.4c0.8,0,1.6,0,2.4,0h0.4H80h0.5H81l0,0c4.7,6.8,13.1,7.7,13.1,7.7c5.9-6.3,6.3-12.4,6.3-13.8l0,0
-	c0,0,0,0,0-0.1s0-0.2,0-0.2l0,0c0-0.1,0-0.2,0-0.3c1.2-0.9,2.4-1.8,3.6-2.8c2.4-2.1,4.4-4.6,6.2-7.2c0.2-0.2,0.3-0.5,0.5-0.7
-	c6.7,0.4,11.4-4.2,11.4-4.2c-1.1-7-5.1-10.4-5.9-11l0,0c0,0,0,0-0.1-0.1l-0.1-0.1l0,0l-0.1-0.1c0-0.4,0.1-0.8,0.1-1.3
-	c0.1-0.8,0.1-1.5,0.1-2.3v-0.6v-0.3v-0.1c0-0.2,0-0.1,0-0.2v-0.5v-0.6c0-0.2,0-0.4,0-0.6s0-0.4-0.1-0.6l-0.1-0.6l-0.1-0.6
-	c-0.1-0.8-0.3-1.5-0.4-2.3c-0.7-3-1.9-5.9-3.4-8.4c-1.6-2.6-3.5-4.8-5.7-6.8c-2.2-1.9-4.6-3.5-7.2-4.6c-2.6-1.2-5.2-1.9-7.9-2.2
-	c-1.3-0.2-2.7-0.2-4-0.2h-0.5h-0.1h-0.2h-0.2h-0.5c-0.2,0-0.4,0-0.5,0c-0.7,0.1-1.4,0.2-2,0.3c-2.7,0.5-5.2,1.5-7.4,2.8
-	c-2.2,1.3-4.1,3-5.7,4.9s-2.8,3.9-3.6,6.1c-0.8,2.1-1.3,4.4-1.4,6.5c0,0.5,0,1.1,0,1.6c0,0.1,0,0.3,0,0.4v0.4c0,0.3,0,0.5,0.1,0.8
-	c0.1,1.1,0.3,2.1,0.6,3.1c0.6,2,1.5,3.8,2.7,5.4s2.5,2.8,4,3.8s3,1.7,4.6,2.2c1.6,0.5,3.1,0.7,4.5,0.6c0.2,0,0.4,0,0.5,0
-	c0.1,0,0.2,0,0.3,0s0.2,0,0.3,0c0.2,0,0.3,0,0.5,0h0.1h0.1c0.1,0,0.2,0,0.3,0c0.2,0,0.4-0.1,0.5-0.1c0.2,0,0.3-0.1,0.5-0.1
-	c0.3-0.1,0.7-0.2,1-0.3c0.6-0.2,1.2-0.5,1.8-0.7c0.6-0.3,1.1-0.6,1.5-0.9c0.1-0.1,0.3-0.2,0.4-0.3c0.5-0.4,0.6-1.1,0.2-1.6
-	c-0.4-0.4-1-0.5-1.5-0.3C88,74,87.9,74,87.7,74.1c-0.4,0.2-0.9,0.4-1.3,0.5c-0.5,0.1-1,0.3-1.5,0.4c-0.3,0-0.5,0.1-0.8,0.1
-	c-0.1,0-0.3,0-0.4,0c-0.1,0-0.3,0-0.4,0s-0.3,0-0.4,0c-0.2,0-0.3,0-0.5,0c0,0-0.1,0,0,0h-0.1h-0.1c-0.1,0-0.1,0-0.2,0
-	s-0.3,0-0.4-0.1c-1.1-0.2-2.3-0.5-3.4-1c-1.1-0.5-2.2-1.2-3.1-2.1c-1-0.9-1.8-1.9-2.5-3.1c-0.7-1.2-1.1-2.5-1.3-3.8
-	c-0.1-0.7-0.2-1.4-0.1-2.1c0-0.2,0-0.4,0-0.6c0,0.1,0,0,0,0v-0.1v-0.1c0-0.1,0-0.2,0-0.3c0-0.4,0.1-0.7,0.2-1.1c0.5-3,2-5.9,4.3-8.1
-	c0.6-0.6,1.2-1.1,1.9-1.5c0.7-0.5,1.4-0.9,2.1-1.2c0.7-0.3,1.5-0.6,2.3-0.8s1.6-0.4,2.4-0.4c0.4,0,0.8-0.1,1.2-0.1
-	c0.1,0,0.2,0,0.3,0h0.3h0.2c0.1,0,0,0,0,0h0.1h0.3c0.9,0.1,1.8,0.2,2.6,0.4c1.7,0.4,3.4,1,5,1.9c3.2,1.8,5.9,4.5,7.5,7.8
-	c0.8,1.6,1.4,3.4,1.7,5.3c0.1,0.5,0.1,0.9,0.2,1.4v0.3V66c0,0.1,0,0.2,0,0.3c0,0.1,0,0.2,0,0.3v0.3v0.3c0,0.2,0,0.6,0,0.8
-	c0,0.5-0.1,1-0.1,1.5c-0.1,0.5-0.1,1-0.2,1.5s-0.2,1-0.3,1.5c-0.2,1-0.6,1.9-0.9,2.9c-0.7,1.9-1.7,3.7-2.9,5.3
-	c-2.4,3.3-5.7,6-9.4,7.7c-1.9,0.8-3.8,1.5-5.8,1.8c-1,0.2-2,0.3-3,0.3H81h-0.2h-0.3H80h-0.3c0.1,0,0,0,0,0h-0.1
-	c-0.5,0-1.1,0-1.6-0.1c-2.2-0.2-4.3-0.6-6.4-1.2c-2.1-0.6-4.1-1.4-6-2.4c-3.8-2-7.2-4.9-9.9-8.2c-1.3-1.7-2.5-3.5-3.5-5.4
-	s-1.7-3.9-2.3-5.9c-0.6-2-0.9-4.1-1-6.2v-0.4v-0.1v-0.1v-0.2V60v-0.1v-0.1v-0.2v-0.5V59l0,0v-0.2c0-0.3,0-0.5,0-0.8
-	c0-1,0.1-2.1,0.3-3.2c0.1-1.1,0.3-2.1,0.5-3.2c0.2-1.1,0.5-2.1,0.8-3.2c0.6-2.1,1.3-4.1,2.2-6c1.8-3.8,4.1-7.2,6.8-9.9
-	c0.7-0.7,1.4-1.3,2.2-1.9c0.3-0.3,1-0.9,1.8-1.4c0.8-0.5,1.6-1,2.5-1.4c0.4-0.2,0.8-0.4,1.3-0.6c0.2-0.1,0.4-0.2,0.7-0.3
-	c0.2-0.1,0.4-0.2,0.7-0.3c0.9-0.4,1.8-0.7,2.7-1c0.2-0.1,0.5-0.1,0.7-0.2c0.2-0.1,0.5-0.1,0.7-0.2c0.5-0.1,0.9-0.2,1.4-0.4
-	c0.2-0.1,0.5-0.1,0.7-0.2c0.2,0,0.5-0.1,0.7-0.1c0.2,0,0.5-0.1,0.7-0.1l0.4-0.1l0.4-0.1c0.2,0,0.5-0.1,0.7-0.1
-	c0.3,0,0.5-0.1,0.8-0.1c0.2,0,0.6-0.1,0.8-0.1c0.2,0,0.3,0,0.5-0.1h0.3h0.2h0.2c0.3,0,0.5,0,0.8-0.1h0.4c0,0,0.1,0,0,0h0.1h0.2
-	c0.2,0,0.5,0,0.7,0c0.9,0,1.8,0,2.7,0c1.8,0.1,3.6,0.3,5.3,0.6c3.4,0.6,6.7,1.7,9.6,3.2c2.9,1.4,5.6,3.2,7.8,5.1
-	c0.1,0.1,0.3,0.2,0.4,0.4c0.1,0.1,0.3,0.2,0.4,0.4c0.3,0.2,0.5,0.5,0.8,0.7c0.3,0.2,0.5,0.5,0.8,0.7c0.2,0.3,0.5,0.5,0.7,0.8
-	c1,1,1.9,2.1,2.7,3.1c1.6,2.1,2.9,4.2,3.9,6.2c0.1,0.1,0.1,0.2,0.2,0.4c0.1,0.1,0.1,0.2,0.2,0.4s0.2,0.5,0.4,0.7
-	c0.1,0.2,0.2,0.5,0.3,0.7c0.1,0.2,0.2,0.5,0.3,0.7c0.4,0.9,0.7,1.8,1,2.7c0.5,1.4,0.8,2.6,1.1,3.6c0.1,0.4,0.5,0.7,0.9,0.7
-	c0.5,0,0.8-0.4,0.8-0.9C123,52.7,123,51.4,122.9,49.9z"/>
-</svg>
--- a/icons/nextcloud.png
+++ b/icons/nextcloud.png
--- a/icons/outline.png
+++ b/icons/outline.png
--- a/icons/pretix.svg
+++ b/icons/pretix.svg
@ -1 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?><svg id="Ebene_1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 128 128"><defs><style>.cls-1{fill:#3b1c4a;}</style></defs><path class="cls-1" d="m50.67,56.95c-.72.1-1.22.3-1.66.5l2.38,16.91c.41.08.95.13,1.6.04,3.52-.5,4.61-3.64,3.81-9.39-.83-5.87-2.53-8.56-6.12-8.06Z"/><path class="cls-1" d="m116.04,35.05c.71-.17,1.16-.76,1.06-1.48L112.54,1.13c-.1-.72-.77-1.22-1.49-1.12l-37.5,5.27.73,5.22c.16,1.12-.62,2.15-1.74,2.31s-2.15-.62-2.31-1.74l-.73-5.22L1.13,15.46c-.72.1-1.22.77-1.12,1.49l4.56,32.44c.1.72.7,1.17,1.42,1.13,11.25-.92,21.43,7.1,23.03,18.46,1.6,11.36-5.99,21.81-17.07,23.96-.71.17-1.16.76-1.06,1.48l4.56,32.44c.1.72.77,1.22,1.49,1.12l68.37-9.61-.73-5.22c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l.73,5.22,37.5-5.27c.72-.1,1.22-.77,1.12-1.49l-4.56-32.44c-.1-.72-.7-1.17-1.42-1.13-11.25.92-21.42-7.04-23.02-18.4-1.6-11.36,5.98-21.87,17.06-24.03Zm-59.84,44.75c-1.76.25-3.29.26-4.04.17l1.59,11.29-9.92,1.39-5.3-37.73c2.5-1.62,5.96-3.03,11.38-3.8,8.68-1.22,15.27,2.58,16.66,12.44,1.25,8.88-3.12,15.21-10.36,16.23Zm30.73,20.71c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31,1.12-.16,2.15.62,2.31,1.74l1.47,10.44Zm-3.16-22.45c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l1.47,10.44Z"/></svg>
--- a/icons/rallly.png
+++ b/icons/rallly.png
--- a/icons/support.svg
+++ b/icons/support.svg
@ -1,12 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
-<svg width="800px" height="800px" viewBox="0 0 512 512" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
-    <title>support</title>
-    <g id="Page-1" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
-        <g id="support" fill="#000000" transform="translate(42.666667, 42.666667)">
-            <path d="M379.734355,174.506667 C373.121022,106.666667 333.014355,-2.13162821e-14 209.067688,-2.13162821e-14 C85.1210217,-2.13162821e-14 45.014355,106.666667 38.4010217,174.506667 C15.2012632,183.311569 -0.101643453,205.585799 0.000508304259,230.4 L0.000508304259,260.266667 C0.000508304259,293.256475 26.7445463,320 59.734355,320 C92.7241638,320 119.467688,293.256475 119.467688,260.266667 L119.467688,230.4 C119.360431,206.121456 104.619564,184.304973 82.134355,175.146667 C86.4010217,135.893333 107.307688,42.6666667 209.067688,42.6666667 C310.827688,42.6666667 331.521022,135.893333 335.787688,175.146667 C313.347976,184.324806 298.68156,206.155851 298.667688,230.4 L298.667688,260.266667 C298.760356,283.199651 311.928618,304.070103 332.587688,314.026667 C323.627688,330.88 300.801022,353.706667 244.694355,360.533333 C233.478863,343.50282 211.780225,336.789048 192.906491,344.509658 C174.032757,352.230268 163.260418,372.226826 167.196286,392.235189 C171.132153,412.243552 188.675885,426.666667 209.067688,426.666667 C225.181549,426.577424 239.870491,417.417465 247.041022,402.986667 C338.561022,392.533333 367.787688,345.386667 376.961022,317.653333 C401.778455,309.61433 418.468885,286.351502 418.134355,260.266667 L418.134355,230.4 C418.23702,205.585799 402.934114,183.311569 379.734355,174.506667 Z M76.8010217,260.266667 C76.8010217,269.692326 69.1600148,277.333333 59.734355,277.333333 C50.3086953,277.333333 42.6676884,269.692326 42.6676884,260.266667 L42.6676884,230.4 C42.6676884,224.302667 45.9205765,218.668499 51.2010216,215.619833 C56.4814667,212.571166 62.9872434,212.571166 68.2676885,215.619833 C73.5481336,218.668499 76.8010217,224.302667 76.8010217,230.4 L76.8010217,260.266667 Z M341.334355,230.4 C341.334355,220.97434 348.975362,213.333333 358.401022,213.333333 C367.826681,213.333333 375.467688,220.97434 375.467688,230.4 L375.467688,260.266667 C375.467688,269.692326 367.826681,277.333333 358.401022,277.333333 C348.975362,277.333333 341.334355,269.692326 341.334355,260.266667 L341.334355,230.4 Z">
-
-</path>
-        </g>
-    </g>
-</svg>
--- a/icons/vaultwarden.svg
+++ b/icons/vaultwarden.svg
--- a/icons/vikunja.svg
+++ b/icons/vikunja.svg
@ -1,12 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" xml:space="preserve" viewBox="0 0 256 256" width="256" height="256">
-  <path d="M2268.2 2512.3a953.7 953.7 0 0 1-50 57c-180.5 189.5-426.2 294-691.6 294A953.7 953.7 0 0 1 847.8 2582a952.7 952.7 0 0 1-281.2-678.8 953.8 953.8 0 0 1 281.2-678.9 953.7 953.7 0 0 1 678.8-281.1 953.7 953.7 0 0 1 678.8 281.1 953.7 953.7 0 0 1 281.2 678.9c0 219.2-78.9 437.2-218.4 609" style="fill:#196aff;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
-  <path d="M1823.7 1650.9c35.7 104.2 94.7 136.1 102 297 2.6 56.5-14.7 236-14.7 236s28 72-25.8 152.3c-83.5 124.3-255.4 132.8-345.7 132.8-90.3 0-260.2-8.5-343.7-132.8C1142 2256 1170 2184 1170 2184s-9.5-92.4-16.7-173.8c-1.7-19.1.1-94.7 2.4-113a453 453 0 0 1 25.8-96.2c14.4-39.6 36.8-79.9 54-120.5 51.8-122.8 8.4-274.9 11.1-407.3 2.2-94-20-189.3-28.7-281.2a960.4 960.4 0 0 1 308.7-50.6 958.6 958.6 0 0 1 344.9 63.6c-20.4 115-44.1 224.2-47.8 265.9-10.6 125.9-41.3 259.4 0 380" style="fill:#fff;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36655635" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
-  <path d="M1162.9 2383.9c1.1-18.8 3-38 8.3-56.2 1.6-5.7 4-19.7 11.4-21.8 9-2.6 25.9 8.3 32.3 13 12.3 9 23.9 18.5 36.2 27.6 8 6 16.5 10.5 24.3 16.5 8.4 6.6 14.7 14.5 21.7 22.2 8.4 9.4 14.8 19 21.3 29.5 5.1 8.2 37.1 13.5 42.2 21 5.6 8.3 1 18.6 1 28.7 0 74.2 4.4 147.6 6.1 220.3 1.8 50 21.4 109.2-53.4 85.8-160.3-50-158.5-271.3-151.4-386.6M1869.1 2279.7c-1.6 1.8-4.2 3.2-6.3 4.8a208 208 0 0 0-25.1 21.5c-9.4 9.6-19.2 19-28.2 28.9-7.9 8.7-17.3 16.6-25 25.6-5.1 6-10 12.3-14.6 18.5-2.3 3.2-3.5 7-5.3 10.4-2.7 5-40 10.1-36.2 15 6.3 8.3 20.3 15.4 23.7 25 17.2 48.6 24.8 244.5 26.8 294.5 5.4 127.8 117.6-6.3 137.2-57.7 57-149.7 23.2-258.8-46.3-386.6" style="fill:#fff;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
-  <path d="M1716.5 1787.9c-.1 73.8-9.3 103.6-50.4 139.7-25.8 22.6-55.9 31.2-103.8 30-47.9 1.2-82.4-13.4-107.3-39.2-37.5-39-47.4-62-47.5-135.9 0-39.9 43-128.1 55.7-148.5 21.3-36 60.6-48.9 99.1-46.2 38.6-2.7 77.9 10.3 99.1 46.2 12.8 20.4 55.1 107 55 153.9" style="fill:#f1e6d3;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
-  <path d="M1226.6 2316c-9.6 86.2-38.6 240 61.5 331.3 11 10.1 14-24.2 15.8-38 2.6-19 0-73.5.4-92.6.7-36.1 8.3-55 4.7-71.5-9.6-45-17.3-42.2-26.5-69.6-18.3-54.4-53.3-83-55.9-59.5M1851.7 2333c10.3-18.2 37 80.3 45.4 123.2 8 40.3 18 93.8 4 133.9-7.4 21.5-53 84.5-58.4 62.9-2-8.5-3.2-71.1-8.3-101.1-6.4-37.1-18-73.8-18-111.6-.2-84.5 25.3-88 35.3-107.2" style="fill:#f1d7d4;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
-  <path d="M1522 1319.7c-2.2-6.5-18.6-11.4-24.8-13.3-14.9-4.9-28.1 6.9-36.4 16.8-11.6 13.7-11.3 35.6-16.2 51.6-2.9 9.7-19.5 11-24.5 2-16.6-29.8-81.1 26.4-66.1 45.2 9.9 12.3-13.8 23.2-23.6 11-29-36.1 49-103.4 93.6-85.2 2-9 4-18 8-26.6 7.4-16.9 23.9-27.8 41-37 23.1-12.4 68.2 9.5 75 30.3 4.9 14.5-21.2 19.7-26 5.2M1727.6 1538.2c2.4-10 2.8-44-16-25.4-7.5 7.5-22.6 3-23.2-7-1.4-23.4-24.9-24-45.1-16.9-16 5.6-24.6-16.6-8.6-22.1 29.7-10.4 62-4.6 74.7 17.8 10.1-4.7 21.5-6 30.7 2.6 16 15 18.4 36.2 13.7 55.7-3.5 14.8-29.7 10.1-26.2-4.7M1775 1049.2c-7-14.3-19.8-13.4-33.6-7.4-10.1 4.4-22.6-2.8-19.6-13 6.2-20.6-19.7-26.6-37.3-19.3-15.4 6.5-28.8-13.8-13.2-20.3 31.6-13.2 71.7-1.6 77.5 26.2 20.4-3.3 39.8 2.4 49.4 22.3 6.7 13.6-16.4 25.4-23.2 11.5M1569.8 2153.3c-3.3-20.2-41.1 3.3-50.5 9.7-8.3 5.5-19 2.1-20-7.3-1.4-12.7-18.5-9-26.3-7.4-14.8 3-27.4 12.2-27.7 26-.4 13.6 8.2 27.7 12.6 40.4 2.9 8-8.7 17-17.2 11.5-15.2-9.7-88.7-18.5-59.4 13.6 9.3 10.2-7.1 24.8-16.6 14.5-13.5-14.8-22.6-48.7 6.6-56 15.5-3.7 37.8-3.5 56.8.8-8-25.5-9.6-48.8 23.2-65.1 22.1-11.1 52.5-11 65.4 6 27.2-14.5 69.7-28.7 75.6 7.8 2.1 13-20.4 18.5-22.5 5.5" style="fill:#faeee0;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
-  <path d="M1443 1685.6c39.4-3.4 78.8-12.3 118.5-10.9 25.4 1 51.7 4.5 76.8 8.2 18.2 2.7 40.5 6 52.7 19.4 1-45-92.6-59.1-128.9-60-42.1-1-89.5 17.2-119 43.3" style="fill:#494949;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
-  <path d="M1549.4 1779.5a353.5 353.5 0 0 1-2.7-87.3c.7-7.6-1.3-25.7 8.8-29.5 8.2-3 18.3 2.7 19.7 10.1 2.2 12.5-3 28.2-3.5 41-.5 14.9 0 29.8 1.6 44.7 1 8.8 5.9 20.7-4.2 27-7.4 4.5-18.3 2.8-19.7-6" style="fill:#494949;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
-  <path d="M1626 1849.7c-23.7-1-45.7-14.2-63.4-27-16.1 10.7-40.5 20.5-60.7 14.8-12-3.4-1.1-7.1 4-10.3 9.2-6.2 16.8-14.2 23.7-22.4 10.3-12.6 19.6-25.8 30.7-38 7.6 5.6 15 11.1 21.6 17.6 3.1 3 28.5 37 32.4 42.7 2.4 3.6 5 7.4 7.8 10.8 2.9 3.5 11 9 3.9 11.8" style="fill:#494949;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
-  <path d="M1326.5 2010c11.7 30.3 24.3 68.4 56.3 62.4 24.2-5.2 56.7-86.2 36-78.2-11.3 4.4-20.3 41.1-41.4 46-13.4 3-32-43.6-50-48.4-8.7-2.3-4.3 10.4-.9 18.2M1670.6 2010c11.7 30.3 24.2 68.4 56.3 62.4 24.2-5.2 56.7-86.2 35.9-78.2-11.3 4.4-20.2 41.1-41.3 46-13.5 3-32-43.6-50-48.4-8.7-2.3-4.4 10.4-1 18.2" style="fill:#2c3844;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
-</svg>
--- a/icons/wekan.png
+++ b/icons/wekan.png
--- a/icons/wordpress.png
+++ b/icons/wordpress.png
--- a/icons/zammad.svg
+++ b/icons/zammad.svg
@ -1,30 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<svg width="126px" height="108px" viewBox="0 0 42 36" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:sketch="http://www.bohemiancoding.com/sketch/ns">
-    <!-- Generator: Sketch 3.3.2 (12043) - http://www.bohemiancoding.com/sketch -->
-    <title>logo</title>
-    <desc>Created with Sketch.</desc>
-    <defs/>
-    <g id="Page-1" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd" sketch:type="MSPage">
-        <g id="logo" sketch:type="MSArtboardGroup">
-            <g sketch:type="MSLayerGroup" transform="translate(1.000000, 0.000000)" id="Shape">
-                <path d="M27.3375,12.6 L36.72,9.72 L31.1625,13.2525 L27.3375,12.6 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
-                <path d="M33.0525,19.62 L31.1625,13.2525 L36.72,9.72 L35.055,15.435 L33.0525,19.62 Z" fill="#E84F83" sketch:type="MSShapeGroup"/>
-                <path d="M39.465,7.9875 L38.43,9.72 L35.055,15.435 L36.72,9.72 L39.465,7.9875 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
-                <path d="M39.8025,9.1125 L37.1925,11.79 L38.43,9.72 L39.8025,9.1125 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
-                <path d="M27.9,10.8225 L35.5725,10.0575 L30.24,11.7 L27.9,10.8225 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
-                <path d="M28.1925,15.165 L31.1625,13.2525 L33.0525,19.62 L32.0625,21.645 L28.1925,15.165 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
-                <path d="M23.76,22.725 L22.3425,5.4 L32.0625,21.645 L23.76,22.725 Z" fill="#B7DFF2" sketch:type="MSShapeGroup"/>
-                <path d="M19.7325,27.1575 L23.76,22.725 L32.0625,21.645 L19.7325,27.1575 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
-                <path d="M0.1575,35.865 L19.7325,27.1575 L23.76,22.725 L17.37,22.0725 L0.1575,35.865 Z" fill="#FFCE33" sketch:type="MSShapeGroup"/>
-                <path d="M0.9,28.755 L10.9575,27.225 L14.085,24.705 L12.555,24.03 L0.9,28.755 Z" fill="#D6B12D" sketch:type="MSShapeGroup"/>
-                <path d="M4.5225,20.5425 L14.085,24.705 L17.37,22.0725 L4.5225,20.5425 Z" fill="#FFDE85" sketch:type="MSShapeGroup"/>
-                <path d="M21.6225,11.6775 L20.4075,11.88 L17.37,22.0725 L20.655,20.0025 L21.6225,11.6775 Z" fill="#009EC6" sketch:type="MSShapeGroup"/>
-                <path d="M23.4,18.2475 L20.655,20.0025 L22.3425,5.4 L23.4,18.2475 Z" fill="#5EAFCE" sketch:type="MSShapeGroup"/>
-                <path d="M13.0275,13.05 L21.6225,11.6775 L22.005,8.28 L13.0275,13.05 Z" fill="#045972" sketch:type="MSShapeGroup"/>
-                <path d="M12.105,5.085 L19.575,9.585 L22.005,8.28 L22.0725,7.8075 L12.105,5.085 Z" fill="#5A8591" sketch:type="MSShapeGroup"/>
-                <path d="M13.5675,0.18 L20.3625,7.335 L22.0725,7.8075 L22.3425,5.4 L13.5675,0.18 Z" fill="#009EC6" sketch:type="MSShapeGroup"/>
-                <path d="M17.37,22.0725 L23.4,18.2475 L23.76,22.725 L17.37,22.0725 Z" fill="#F39804" sketch:type="MSShapeGroup"/>
-            </g>
-        </g>
-    </g>
-</svg>
--- a/kimai.yaml.tmpl
+++ b/kimai.yaml.tmpl
@ -1,50 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: kimai
-
-entries:
- attrs:
-    acs_url: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml/acs
-    assertion_valid_not_before: minutes=-5
-    assertion_valid_not_on_or_after: minutes=5
-    audience: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
-    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
-    digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
-    issuer: https://{{ env  "DOMAIN" }}
-    name: Kimai
-    name_id_mapping: !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
-    property_mappings:
-    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Name"]]
-    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Email"]]
-    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: User ID"]]
-    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
-    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Groups"]]
-    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: UPN"]]
-    session_valid_not_on_or_after: minutes=86400
-    sign_assertion: true
-    signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
-    signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
-    sp_binding: post
-  conditions: []
-  id: kimai_provider
-  identifiers:
-    pk: 9991
-  model: authentik_providers_saml.samlprovider
-  state: present
-
- attrs:
-    meta_launch_url: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml/login
-    open_in_new_tab: true
-    policy_engine_mode: any
-    provider: !KeyOf kimai_provider
-    slug: kimai
-  conditions: []
-  id: kimai_application
-  identifiers:
-    name: Kimai
-  model: authentik_core.application
-  state: present
--- a/matrix.yaml.tmpl
+++ b/matrix.yaml.tmpl
@ -1,48 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: matrix
-
-entries:
-
- attrs:
-    access_code_validity: minutes=1
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
-    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
-    client_id: {{ secret  "matrix_id" }}
-    client_secret: {{ secret  "matrix_secret" }}
-    client_type: confidential
-    include_claims_in_id_token: true
-    issuer_mode: per_provider
-    redirect_uris:
-    - matching_mode: strict
-      url: https://{{ env  "MATRIX_DOMAIN" }}/_synapse/client/oidc/callback
-    name: Matrix
-    property_mappings:
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
-    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
-    sub_mode: user_username
-    token_validity: days=30
-  conditions: []
-  id: matrix_provider
-  identifiers:
-    pk: 9997
-  model: authentik_providers_oauth2.oauth2provider
-  state: present
-
- attrs:
-    meta_launch_url: https://{{ env  "ELEMENT_DOMAIN" }}
-    open_in_new_tab: true
-    policy_engine_mode: any
-    provider: !KeyOf matrix_provider
-    name: Element
-  conditions: []
-  id: matrix_application
-  identifiers:
-    slug: matrix
-  model: authentik_core.application
-  state: present
--- a/monitoring.yaml.tmpl
+++ b/monitoring.yaml.tmpl
@ -1,48 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: monitoring 
-
-entries:
-
- attrs:
-    access_code_validity: minutes=1
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
-    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
-    client_id: {{ secret  "monitoring_id" }}
-    client_secret: {{ secret  "monitoring_secret" }}
-    client_type: confidential
-    include_claims_in_id_token: true
-    issuer_mode: per_provider
-    redirect_uris:
-    - matching_mode: strict
-      url: https://{{ env  "MONITORING_DOMAIN" }}/login/generic_oauth
-    name: Monitoring
-    property_mappings:
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
-    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
-    sub_mode: user_username
-    token_validity: days=30
-  conditions: []
-  id: monitoring_provider
-  identifiers:
-    pk: 9990
-  model: authentik_providers_oauth2.oauth2provider
-  state: present
-
- attrs:
-    meta_launch_url: https://{{ env  "MONITORING_DOMAIN" }}
-    open_in_new_tab: true
-    policy_engine_mode: any
-    provider: !KeyOf monitoring_provider
-    slug: monitoring 
-  conditions: []
-  id: monitoring_application
-  identifiers:
-    name: Monitoring 
-  model: authentik_core.application
-  state: present
--- a/nextcloud.yaml.tmpl
+++ b/nextcloud.yaml.tmpl
@ -1,61 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: Nextcloud
-
-entries:
- attrs:
-    description: nextcloud
-    expression: 'return { "nextcloud_groups": [{"gid": group.name, "displayName":
-      group.name} for group in request.user.ak_groups.all()], }'
-    managed: null
-    scope_name: nextcloud
-  conditions: []
-  id: nextcloud_group_mapping
-  identifiers:
-    name: nextcloud
-  model: authentik_providers_oauth2.scopemapping
-  state: present
-
- attrs:
-    access_code_validity: minutes=1
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
-    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
-    client_id: {{ secret  "nextcloud_id" }}
-    client_secret: {{ secret  "nextcloud_secret" }}
-    client_type: confidential
-    include_claims_in_id_token: true
-    issuer_mode: per_provider
-    redirect_uris:
-    - matching_mode: strict
-      url: https://{{ env  "NEXTCLOUD_DOMAIN" }}/apps/sociallogin/custom_oidc/authentik
-    name: Nextcloud
-    property_mappings:
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
-    - !KeyOf nextcloud_group_mapping
-    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
-    sub_mode: user_username
-    token_validity: days=30
-  conditions: []
-  id: nextcloud_provider
-  identifiers:
-    pk: 9999
-  model: authentik_providers_oauth2.oauth2provider
-  state: present
-
- attrs:
-    meta_launch_url: https://{{ env  "NEXTCLOUD_DOMAIN" }}
-    open_in_new_tab: true
-    policy_engine_mode: any
-    provider: !KeyOf nextcloud_provider
-    slug: nextcloud
-  conditions: []
-  id: nextcloud_application
-  identifiers:
-    name: Nextcloud
-  model: authentik_core.application
-  state: present
--- a/outline.yaml.tmpl
+++ b/outline.yaml.tmpl
@ -1,48 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: outline
-
-entries:
-
- attrs:
-    access_code_validity: minutes=1
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
-    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
-    client_id: {{ secret  "outline_id" }}
-    client_secret: {{ secret  "outline_secret" }}
-    client_type: confidential
-    include_claims_in_id_token: true
-    issuer_mode: per_provider
-    redirect_uris:
-    - matching_mode: strict
-      url: https://{{ env  "OUTLINE_DOMAIN" }}/auth/oidc.callback
-    name: Outline
-    property_mappings:
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
-    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
-    sub_mode: hashed_user_id
-    token_validity: days=30
-  conditions: []
-  id: outline_provider
-  identifiers:
-    pk: 9994
-  model: authentik_providers_oauth2.oauth2provider
-  state: present
-
- attrs:
-    meta_launch_url: https://{{ env  "OUTLINE_DOMAIN" }}/auth/oidc
-    open_in_new_tab: true
-    policy_engine_mode: any
-    provider: !KeyOf outline_provider
-    slug: outline
-  conditions: []
-  id: outline_application
-  identifiers:
-    name: Outline
-  model: authentik_core.application
-  state: present
--- a/password_reset_de.html
+++ b/password_reset_de.html
@ -0,0 +1,53 @@
+{% extends "email/base.html" %}
+
+{% load i18n %}
+{% load humanize %}
+
+{% block content %}
+<tr>
+    <td class="alert alert-success">
+        {% blocktrans with username=user.username %}
+        Herzlich Willkommen {{ username }},
+        {% endblocktrans %}
+    </td>
+</tr>
+<tr>
+    <td class="content-wrap">
+        <table width="100%" cellpadding="0" cellspacing="0">
+            <tr>
+                <td class="content-block">
+                    {% blocktrans %}
+                    Klicke auf folgenden Link um ein Passwort für deinen Account zu erstellen:
+                    {% endblocktrans %}
+                </td>
+            </tr>
+            <tr>
+                <td class="content-block">
+                    <table role="presentation" border="0" cellpadding="0" cellspacing="0" class="btn btn-primary">
+                        <tbody>
+                        <tr>
+                            <td align="center">
+                            <table role="presentation" border="0" cellpadding="0" cellspacing="0">
+                                <tbody>
+                                <tr>
+                                    <td> <a id="confirm" href="{{ url }}" rel="noopener noreferrer" target="_blank">Passwort Erstellen</a> </td>
+                                </tr>
+                                </tbody>
+                            </table>
+                            </td>
+                        </tr>
+                        </tbody>
+                    </table>
+                </td>
+            </tr>
+            <tr>
+                <td class="content-block">
+                    {% blocktrans with expires=expires|naturaltime %}
+                    Falls du diese E-Mail fälschlicherweise erhalten hast, ignoriere sie bitte. Der obige Link ist gültig für: {{ expires }}.
+                    {% endblocktrans %}
+                </td>
+            </tr>
+        </table>
+    </td>
+</tr>
+{% endblock %}
--- a/pg_backup.sh
+++ b/pg_backup.sh
@ -1,34 +0,0 @@
-#!/bin/bash
-
-set -e
-
-BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
-
-function backup {
-  export PGPASSWORD=$(cat /run/secrets/db_password)
-  pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
-}
-
-function restore {
-    cd /var/lib/postgresql/data/
-    restore_config(){
-        # Restore allowed connections
-        cat pg_hba.conf.bak > pg_hba.conf
-        su postgres -c 'pg_ctl reload'
-    }
-    # Don't allow any other connections than local
-    cp pg_hba.conf pg_hba.conf.bak
-    echo "local all all trust" > pg_hba.conf
-    su postgres -c 'pg_ctl reload'
-    trap restore_config EXIT INT TERM
-
-    # Recreate Database
-    psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);" 
-    createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
-    psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
-
-    trap - EXIT INT TERM
-    restore_config
-}
-
-$@
--- a/rallly.yaml.tmpl
+++ b/rallly.yaml.tmpl
@ -1,48 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: rallly
-
-entries:
-
- attrs:
-    access_code_validity: minutes=1
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
-    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
-    client_id: {{ secret  "rallly_id" }}
-    client_secret: {{ secret  "rallly_secret" }}
-    client_type: confidential
-    include_claims_in_id_token: true
-    issuer_mode: per_provider
-    redirect_uris:
-    - matching_mode: strict
-      url: https://{{ env  "RALLLY_DOMAIN" }}/api/auth/callback/oidc
-    name: Rallly
-    property_mappings:
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
-    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
-    sub_mode: hashed_user_id
-    token_validity: days=30
-  conditions: []
-  id: rallly_provider
-  identifiers:
-    pk: 9993
-  model: authentik_providers_oauth2.oauth2provider
-  state: present
-
- attrs:
-    meta_launch_url: https://{{ env  "RALLLY_DOMAIN" }}
-    open_in_new_tab: true
-    policy_engine_mode: any
-    provider: !KeyOf rallly_provider
-    slug: rallly
-  conditions: []
-  id: rallly_application
-  identifiers:
-    name: Rallly
-  model: authentik_core.application
-  state: present
--- a/release/1.0.0+2022.10.1
+++ b/release/1.0.0+2022.10.1
@ -1,15 +0,0 @@
-This upgrade replaces the passwords stored in env variables by docker secrets.
-You need to insert the following passwords as secret:
-
-`POSTGRES_PASSWORD` / `AUTHENTIK_POSTGRESQL__PASSWORD`:
-    `abra app secret insert <app_name> db_password v1 <password>`
-`AUTHENTIK_SECRET_KEY`:
-    `abra app secret insert <app_name> secret_key v1 <password>`
-`AK_ADMIN_TOKEN`:
-    `abra app secret insert <app_name> admin_token v1 <password>`
-`AK_ADMIN_PASS`:
-    `abra app secret insert <app_name> admin_pass v1 <password>`
-`AUTHENTIK_EMAIL__PASSWORD`:
-    `abra app secret insert <app_name> email_pass v1 <password>`
-
-These variables should be removed from the .env file.
--- a/release/2.0.0+2023.2.3
+++ b/release/2.0.0+2023.2.3
@ -1,2 +0,0 @@
-Logout URL changes from `https://login.example.org/if/flow/default-invalidation-flow/` to `https://login.example.org/if/flow/logout-flow/`
-Replace it in any app that uses this logout url.
--- a/release/3.0.0+2023.2.3
+++ b/release/3.0.0+2023.2.3
@ -1,16 +0,0 @@
-Run `abra app cmd <app_name> worker blueprint_cleanup` to apply the new blueprint configuration and delete the old configuration.
-
-If the nextcloud provider should be managed by abra add the following to the env:
-
-    COMPOSE_FILE="compose.yml:compose.nextcloud.yml"
-    NEXTCLOUD_DOMAIN=nextcloud.example.com
-    SECRET_NEXTCLOUD_ID_VERSION=v1
-    SECRET_NEXTCLOUD_SECRET_VERSION=v1
-
-and generate the secrets:
-
-    abra app secret generate -a <app_name>
-
-Eventuelly you need to manually remove the old nextcloud provider and application
-
-Don't forget to update the nextcloud config for authentik as well.
--- a/release/3.1.0+2023.3.1
+++ b/release/3.1.0+2023.3.1
@ -1,3 +0,0 @@
-Env recommendation: AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME=false
-This prevents users from changing their username.
-Changing the username can be a security risk and it can break things.
--- a/release/3.2.0+2023.6.1
+++ b/release/3.2.0+2023.6.1
@ -1 +0,0 @@
-If you use your own outpost you need to uncomment COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml" to expose the docker socket again.
--- a/release/4.0.0+2023.10.5
+++ b/release/4.0.0+2023.10.5
@ -1 +0,0 @@
-It is only possible to upgrade to 2023.10 from 2023.8, you need to update to 2023.8.x before applying this update
--- a/release/5.0.0+2024.2.2
+++ b/release/5.0.0+2024.2.2
@ -1 +0,0 @@
-Blueprint changes are applied and automatic migrations should work, however, manual action may be required: https://docs.goauthentik.io/docs/releases/2024.2
--- a/release/5.1.0+2024.2.3
+++ b/release/5.1.0+2024.2.3
@ -1 +0,0 @@
-Due to blueprint changes, you need to run the following command after upgrading: abra app cmd -C <Domain> worker apply_blueprints
--- a/release/6.0.0+2024.4.0
+++ b/release/6.0.0+2024.4.0
@ -1 +0,0 @@
-Alerta! ⚠️ If you are using AUTHENTIK_COLOR_BACKGROUND_LIGHT, you will need to set COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
--- a/release/6.1.0+2024.4.2
+++ b/release/6.1.0+2024.4.2
@ -1 +0,0 @@
-Blueprint for Kimai SSO integration added
--- a/release/6.11.0+2024.10.5
+++ b/release/6.11.0+2024.10.5
@ -1 +0,0 @@
-Fix Impersonate Bug
--- a/release/6.6.0+2024.8.2
+++ b/release/6.6.0+2024.8.2
@ -1 +0,0 @@
-Replaced icon bbb.jpg with icon.png - configs need to be updated when upgrading!
--- a/release/6.7.0+2024.8.3
+++ b/release/6.7.0+2024.8.3
@ -1,3 +0,0 @@
-Two critical vulnerabilities were closed:
-https://github.com/goauthentik/authentik/security/advisories/GHSA-7jxf-mmg9-9hg7
-https://github.com/goauthentik/authentik/security/advisories/GHSA-8gfm-pr6x-pfh9
--- a/system_brand.yaml.tmpl
+++ b/system_brand.yaml.tmpl
@ -1,38 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: Custom System brand
-entries:
-### DEPENDENCIES
- model: authentik_blueprints.metaapplyblueprint
-  attrs:
-    identifiers:
-      name: Default - Brand
-    required: true
- model: authentik_blueprints.metaapplyblueprint
-  attrs:
-    identifiers:
-      name: Recovery with email verification
-    required: true
-
-
-### SYSTEM BRAND
-# remove custom brand from old recipe
- identifiers:
-    domain: {{ env "DOMAIN" }}
-  model: authentik_brands.brand
-  state: absent
-
- attrs:
-    attributes:
-      settings:
-        locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }} {{ if ne (env "THEME_BACKGROUND") "" }}
-        theme:
-          background: >
-            background: {{ env "THEME_BACKGROUND" }} {{ end }}
-    flow_recovery: !Find [authentik_flows.flow, [slug,  default-recovery-flow]]
-  identifiers:
-    default: true
-    domain: authentik-default
-  model: authentik_brands.brand
--- a/vikunja.yaml.tmpl
+++ b/vikunja.yaml.tmpl
@ -1,48 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: vikunja
-
-entries:
-
- attrs:
-    access_code_validity: minutes=1
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
-    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
-    client_id: {{ secret  "vikunja_id" }}
-    client_secret: {{ secret  "vikunja_secret" }}
-    client_type: confidential
-    include_claims_in_id_token: true
-    issuer_mode: per_provider
-    redirect_uris:
-    - matching_mode: strict
-      url: https://{{ env  "VIKUNJA_DOMAIN" }}/auth/openid/authentik
-    name: Vikunja
-    property_mappings:
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
-    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
-    sub_mode: hashed_user_id
-    token_validity: days=30
-  conditions: []
-  id: vikunja_provider
-  identifiers:
-    pk: 9995
-  model: authentik_providers_oauth2.oauth2provider
-  state: present
-
- attrs:
-    meta_launch_url: https://{{ env  "VIKUNJA_DOMAIN" }}
-    open_in_new_tab: true
-    policy_engine_mode: any
-    provider: !KeyOf vikunja_provider
-    slug: vikunja
-  conditions: []
-  id: vikunja_application
-  identifiers:
-    name: Vikunja
-  model: authentik_core.application
-  state: present
--- a/wekan.yaml.tmpl
+++ b/wekan.yaml.tmpl
@ -1,66 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: wekan
-
-entries:
- attrs:
-    description: wekan
-    expression: "groupsDict = {\"wekanGroups\": []}\nfor group in request.user.ak_groups.all():\n\
-      \  my_attributes = group.attributes\n  my_attributes[\"displayName\"] = group.name\n\
-      \  my_attributes[\"isAdmin\"] = group.attributes[\"isAdmin\"] if 'isAdmin' in group.attributes else group.is_superuser\n\
-      \  my_attributes[\"isActive\"] = group.attributes[\"\
-      isActive\"] if 'isActive' in group.attributes else True\n  my_attributes[\"\
-      forceCreate\"] = group.attributes[\"forceCreate\"] if 'forceCreate' in group.attributes\
-      \ else True\n  groupsDict[\"wekanGroups\"].append(my_attributes)\nreturn groupsDict"
-    managed: null
-    scope_name: wekan
-  conditions: []
-  id: wekan_group_mapping
-  identifiers:
-    name: wekan
-  model: authentik_providers_oauth2.scopemapping
-  state: present
-
- attrs:
-    access_code_validity: minutes=1
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
-    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
-    client_id: {{ secret  "wekan_id" }}
-    client_secret: {{ secret  "wekan_secret" }}
-    client_type: confidential
-    include_claims_in_id_token: true
-    issuer_mode: per_provider
-    redirect_uris:
-    - matching_mode: strict
-      url: https://{{ env  "WEKAN_DOMAIN" }}/_oauth/oidc
-    name: Wekan
-    property_mappings:
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
-    - !KeyOf wekan_group_mapping
-    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
-    sub_mode: hashed_user_id
-    token_validity: days=30
-  conditions: []
-  id: wekan_provider
-  identifiers:
-    pk: 9996
-  model: authentik_providers_oauth2.oauth2provider
-  state: present
-
- attrs:
-    meta_launch_url: https://{{ env  "WEKAN_DOMAIN" }}
-    open_in_new_tab: true
-    policy_engine_mode: any
-    provider: !KeyOf wekan_provider
-    slug: wekan
-  conditions: []
-  id: wekan_application
-  identifiers:
-    name: Wekan
-  model: authentik_core.application
-  state: present
--- a/wordpress.yaml.tmpl
+++ b/wordpress.yaml.tmpl
@ -1,64 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: Wordpress
-
-entries:
-
- attrs:
-    access_code_validity: minutes=1
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
-    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
-    client_id: {{ secret  "wordpress_id" }}
-    client_secret: {{ secret  "wordpress_secret" }}
-    client_type: confidential
-    include_claims_in_id_token: true
-    issuer_mode: per_provider
-    redirect_uris:
-    - matching_mode: strict
-      url: https://{{ env  "WORDPRESS_DOMAIN" }}/openid-connect-authorize
-    name: Wordpress
-    property_mappings:
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
-    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
-    sub_mode: user_username
-    token_validity: days=30
-  conditions: []
-  id: wordpress_provider
-  identifiers:
-    pk: 9998
-  model: authentik_providers_oauth2.oauth2provider
-  state: present
-
- attrs:
-    meta_launch_url: https://{{ env  "WORDPRESS_DOMAIN" }}/wp-login.php
-    open_in_new_tab: true
-    policy_engine_mode: any
-    provider: !KeyOf wordpress_provider
-    slug: wordpress
-  conditions: []
-  id: wordpress_application
-  identifiers:
-    name: Wordpress
-  model: authentik_core.application
-  state: present
-
-{{ if ne (env "WORDPRESS_GROUP") "" }} 
- identifiers:
-    name: {{ env "WORDPRESS_GROUP" }}
-  attrs:
-    users:
-    - 1
-  id: wordpress_group
-  model: authentik_core.group
-
- identifiers:
-    group: !KeyOf wordpress_group
-    target: !KeyOf wordpress_application
-    order: 0
-  model: authentik_policies.policybinding
-{{ end }}
--- a/zammad.yaml.tmpl
+++ b/zammad.yaml.tmpl
@ -1,69 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: zammad
-
-entries:
- attrs:
-    expression: return request.user.name
-    managed: null
-    name: 'Zammad SAML Mapping: name'
-    saml_name: name
-  conditions: []
-  identifiers:
-    name: zammad_name_mapping
-  id: zammad_name_mapping
-  model: authentik_providers_saml.samlpropertymapping
-  state: present
-
- attrs:
-    expression: return request.user.email
-    managed: null
-    name: 'Zammad SAML Mapping: email'
-    saml_name: email
-  conditions: []
-  identifiers:
-    name: zammad_email_mapping
-  id: zammad_email_mapping
-  model: authentik_providers_saml.samlpropertymapping
-  state: present
-
- attrs:
-    acs_url: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/callback
-    assertion_valid_not_before: minutes=-5
-    assertion_valid_not_on_or_after: minutes=5
-    audience: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/metadata
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
-    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
-    digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
-    issuer: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/metadata
-    name: zammad
-    property_mappings:
-    - !KeyOf zammad_name_mapping
-    - !KeyOf zammad_email_mapping
-    session_valid_not_on_or_after: minutes=86400
-    sign_assertion: true
-    signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
-    signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
-    sp_binding: post
-  conditions: []
-  id: zammad_provider
-  identifiers:
-    pk: 9989
-  model: authentik_providers_saml.samlprovider
-  state: present
-
- attrs:
-    meta_launch_url: ""
-    open_in_new_tab: true
-    policy_engine_mode: any
-    provider: !KeyOf zammad_provider
-    slug: zammad
-  conditions: []
-  id: zammad_application
-  identifiers:
-    name: Zammad
-  model: authentik_core.application
-  state: present
				`@ -1 +0,0 @@`
				<?xml version="1.0" encoding="UTF-8"?><svg id="Ebene_1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 128 128"><defs><style>.cls-1{fill:#3b1c4a;}</style></defs><path class="cls-1" d="m50.67,56.95c-.72.1-1.22.3-1.66.5l2.38,16.91c.41.08.95.13,1.6.04,3.52-.5,4.61-3.64,3.81-9.39-.83-5.87-2.53-8.56-6.12-8.06Z"/><path class="cls-1" d="m116.04,35.05c.71-.17,1.16-.76,1.06-1.48L112.54,1.13c-.1-.72-.77-1.22-1.49-1.12l-37.5,5.27.73,5.22c.16,1.12-.62,2.15-1.74,2.31s-2.15-.62-2.31-1.74l-.73-5.22L1.13,15.46c-.72.1-1.22.77-1.12,1.49l4.56,32.44c.1.72.7,1.17,1.42,1.13,11.25-.92,21.43,7.1,23.03,18.46,1.6,11.36-5.99,21.81-17.07,23.96-.71.17-1.16.76-1.06,1.48l4.56,32.44c.1.72.77,1.22,1.49,1.12l68.37-9.61-.73-5.22c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l.73,5.22,37.5-5.27c.72-.1,1.22-.77,1.12-1.49l-4.56-32.44c-.1-.72-.7-1.17-1.42-1.13-11.25.92-21.42-7.04-23.02-18.4-1.6-11.36,5.98-21.87,17.06-24.03Zm-59.84,44.75c-1.76.25-3.29.26-4.04.17l1.59,11.29-9.92,1.39-5.3-37.73c2.5-1.62,5.96-3.03,11.38-3.8,8.68-1.22,15.27,2.58,16.66,12.44,1.25,8.88-3.12,15.21-10.36,16.23Zm30.73,20.71c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31,1.12-.16,2.15.62,2.31,1.74l1.47,10.44Zm-3.16-22.45c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l1.47,10.44Z"/></svg>
				`@ -1 +0,0 @@`
				`If you use your own outpost you need to uncomment COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml" to expose the docker socket again.`
				`@ -1 +0,0 @@`
				`It is only possible to upgrade to 2023.10 from 2023.8, you need to update to 2023.8.x before applying this update`
				`@ -1 +0,0 @@`
				`Blueprint changes are applied and automatic migrations should work, however, manual action may be required: https://docs.goauthentik.io/docs/releases/2024.2`
				`@ -1 +0,0 @@`
				`Due to blueprint changes, you need to run the following command after upgrading: abra app cmd -C <Domain> worker apply_blueprints`
				`@ -1 +0,0 @@`
				`Alerta! ⚠️ If you are using AUTHENTIK_COLOR_BACKGROUND_LIGHT, you will need to set COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"`
				`@ -1 +0,0 @@`
				`Replaced icon bbb.jpg with icon.png - configs need to be updated when upgrading!`