set theme colors with envs

.drone.yml

@@ -23,7 +23,7 @@ steps:
       FLOW_INVALIDATION_VERSION: v1
       FLOW_RECOVERY_VERSION: v1
       FLOW_TRANSLATION_VERSION: v1
-      SYSTEM_BRAND_VERSION: v1
+      SYSTEM_TENANT_VERSION: v1
       NEXTCLOUD_CONFIG_VERSION: v1
       SECRET_SECRET_KEY_VERSION: v1
       SECRET_DB_PASSWORD_VERSION: v1

.env.sample

@@ -1,5 +1,5 @@
 TYPE=authentik
-TIMEOUT=900
+TIMEOUT=300
 ENABLE_AUTO_UPDATE=true
 # POST_DEPLOY_CMDS="worker set_admin_pass|worker apply_blueprints|worker add_applications"
 LETS_ENCRYPT_ENV=production
@@ -34,7 +34,14 @@ SECRET_ADMIN_PASS_VERSION=v1
 SECRET_EMAIL_PASS_VERSION=v1
 
 # X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
-AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
+# AUTHENTIK_COLOR_FOREGROUND=fafafa
+# AUTHENTIK_COLOR_FOREGROUND_DARKER=bebebe
+# AUTHENTIK_COLOR_FOREGROUND_LINK=5a5cb9
+# AUTHENTIK_COLOR_BACKGROUND=18191a
+# AUTHENTIK_COLOR_BACKGROUND_DARKER=000000
+# AUTHENTIK_COLOR_BACKGROUND_LIGHT=1c1e21
+# AUTHENTIK_COLOR_BACKGROUND_LIGHTISH=212427
+# AUTHENTIK_COLOR_BACKGROUND_LIGHTER=2b2e33
 
 ## FLOW OPTIONS
 # WELCOME_MESSAGE="Welcome to Authentik"
@@ -78,36 +85,13 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 # SECRET_VIKUNJA_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS vikunja:~/.abra/recipes/authentik/icons/vikunja.svg"
 
-# COMPOSE_FILE="$COMPOSE_FILE:compose.outline.yml"
-# OUTLINE_DOMAIN=outline.example.com
-# SECRET_OUTLINE_ID_VERSION=v1
-# SECRET_OUTLINE_SECRET_VERSION=v1
-# APP_ICONS="$APP_ICONS outline:~/.abra/recipes/authentik/icons/outline.png"
-
-# COMPOSE_FILE="$COMPOSE_FILE:compose.kimai.yml"
-# KIMAI_DOMAIN=kimai.example.com
-# SECRET_KIMAI_ID_VERSION=v1
-# SECRET_KIMAI_SECRET_VERSION=v1
-# APP_ICONS="$APP_ICONS kimai:~/.abra/recipes/authentik/icons/kimai.png"
-
 # COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml"
 # MONITORING_DOMAIN=monitoring.example.com
 # SECRET_MONITORING_ID_VERSION=v1
 # SECRET_MONITORING_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.png"
 
-# COMPOSE_FILE="$COMPOSE_FILE:compose.rallly.yml"
-# RALLLY_DOMAIN=rallly.example.com
-# SECRET_RALLLY_ID_VERSION=v1
-# SECRET_RALLLY_SECRET_VERSION=v1
-# APP_ICONS="$APP_ICONS rallly:~/.abra/recipes/authentik/icons/rallly.png"
-
-# COMPOSE_FILE="$COMPOSE_FILE:compose.hedgedoc.yml"
-# HEDGEDOC_DOMAIN=hedgedoc.example.com
-# SECRET_HEDGEDOC_ID_VERSION=v1
-# SECRET_HEDGEDOC_SECRET_VERSION=v1
-# APP_ICONS="$APP_ICONS hedgedoc:~/.abra/recipes/authentik/icons/hedgedoc.png"
-
-# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/"}'
+# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/", "Rallly":"https://rallly.example.cloud/"}'
 # APP_ICONS="$APP_ICONS Calendar:~/.abra/recipes/authentik/icons/calendar.svg"
+# APP_ICONS="$APP_ICONS Rallly:~/.abra/recipes/authentik/icons/rallly.png"
 # APP_ICONS="$APP_ICONS BBB:~/.abra/recipes/authentik/icons/bbb.jpg"

README.md

@@ -167,9 +167,9 @@ The `abra.sh` function `apply_blueprints` needs to be executed to deactivate the
     - Default - Source enrollment flow
         - OVERWRITE:
             - `default-source-enrollment-field-username`
-- Custom System Brand
-    - Default - Brand
-        - APPEND: `authentik_brands.brand  domain: authentik-default`
+- Custom System Tenant
+    - Default - Tenant
+        - APPEND: `authentik_tenants.tenant  domain: authentik-default`
     - Recovery with email verification
         - USE:
             - `default-recovery-flow`
@@ -177,8 +177,8 @@ The `abra.sh` function `apply_blueprints` needs to be executed to deactivate the
 
 ### Blueprint Dependency Execution Order
 
-5. Custom System Brand
-    - Default - Brand
+5. Custom System Tenant
+    - Default - Tenant
     1. Recovery with email verification
         - Default - Authentication flow
             - Default - Password change flow

abra.sh

@@ -1,21 +1,16 @@
-export CUSTOM_CSS_VERSION=v2
-export FLOW_AUTHENTICATION_VERSION=v4
-export FLOW_INVITATION_VERSION=v2
+export CUSTOM_CSS_VERSION=v3
+export FLOW_AUTHENTICATION_VERSION=v3
+export FLOW_INVITATION_VERSION=v1
 export FLOW_INVALIDATION_VERSION=v2
 export FLOW_RECOVERY_VERSION=v1
-export FLOW_TRANSLATION_VERSION=v3
-export SYSTEM_BRAND_VERSION=v3
+export FLOW_TRANSLATION_VERSION=v2
+export SYSTEM_TENANT_VERSION=v2
 export NEXTCLOUD_CONFIG_VERSION=v1
 export WORDPRESS_CONFIG_VERSION=v2
 export MATRIX_CONFIG_VERSION=v1
 export WEKAN_CONFIG_VERSION=v3
 export VIKUNJA_CONFIG_VERSION=v1
-export OUTLINE_CONFIG_VERSION=v2
-export KIMAI_CONFIG_VERSION=v1
-export RALLLY_CONFIG_VERSION=v2
-export HEDGEDOC_CONFIG_VERSION=v1
 export MONITORING_CONFIG_VERSION=v1
-export DB_ENTRYPOINT_VERSION=v1
 
 customize() {
     if [ -z "$1" ]
@@ -219,7 +214,7 @@ delete_flows = ['default-recovery-flow' , 'custom-authentication-flow' , 'invita
 Flow.objects.filter(slug__in=delete_flows).delete()
 Stage.objects.filter(flow=None).delete()
 Prompt.objects.filter(promptstage=None).delete()
-Brand.objects.filter(default=True).delete()
+Tenant.objects.filter(default=True).delete()
 """ 2>&1 | quieten
 apply_blueprints
 }

compose.hedgedoc.yml

@@ -1,26 +0,0 @@
-version: "3.8"
-services:
-  worker:
-    secrets:
-      - hedgedoc_id
-      - hedgedoc_secret
-    environment:
-      - HEDGEDOC_DOMAIN
-    configs:
-      - source: hedgedoc
-        target: /blueprints/hedgedoc.yaml
-
-secrets:
-  hedgedoc_id:
-    external: true
-    name: ${STACK_NAME}_hedgedoc_id_${SECRET_HEDGEDOC_ID_VERSION}
-  hedgedoc_secret:
-    external: true
-    name: ${STACK_NAME}_hedgedoc_secret_${SECRET_HEDGEDOC_SECRET_VERSION}
-
-
-configs:
-  hedgedoc:
-    name: ${STACK_NAME}_hedgedoc_${HEDGEDOC_CONFIG_VERSION}
-    file: hedgedoc.yaml.tmpl
-    template_driver: golang

compose.kimai.yml

@@ -1,14 +0,0 @@
-version: "3.8"
-services:
-  worker:
-    environment:
-      - KIMAI_DOMAIN
-    configs:
-      - source: kimai
-        target: /blueprints/kimai.yaml
-
-configs:
-  kimai:
-    name: ${STACK_NAME}_kimai_${KIMAI_CONFIG_VERSION}
-    file: kimai.yaml.tmpl
-    template_driver: golang

compose.outline.yml

@@ -1,26 +0,0 @@
-version: "3.8"
-services:
-  worker:
-    secrets:
-      - outline_id
-      - outline_secret
-    environment:
-      - OUTLINE_DOMAIN
-    configs:
-      - source: outline
-        target: /blueprints/outline.yaml
-
-secrets:
-  outline_id:
-    external: true
-    name: ${STACK_NAME}_outline_id_${SECRET_OUTLINE_ID_VERSION}
-  outline_secret:
-    external: true
-    name: ${STACK_NAME}_outline_secret_${SECRET_OUTLINE_SECRET_VERSION}
-
-
-configs:
-  outline:
-    name: ${STACK_NAME}_outline_${OUTLINE_CONFIG_VERSION}
-    file: outline.yaml.tmpl
-    template_driver: golang

compose.rallly.yml

@@ -1,26 +0,0 @@
-version: "3.8"
-services:
-  worker:
-    secrets:
-      - rallly_id
-      - rallly_secret
-    environment:
-      - RALLLY_DOMAIN
-    configs:
-      - source: rallly
-        target: /blueprints/rallly.yaml
-
-secrets:
-  rallly_id:
-    external: true
-    name: ${STACK_NAME}_rallly_id_${SECRET_RALLLY_ID_VERSION}
-  rallly_secret:
-    external: true
-    name: ${STACK_NAME}_rallly_secret_${SECRET_RALLLY_SECRET_VERSION}
-
-
-configs:
-  rallly:
-    name: ${STACK_NAME}_rallly_${RALLLY_CONFIG_VERSION}
-    file: rallly.yaml.tmpl
-    template_driver: golang

compose.yml

@@ -18,7 +18,14 @@ x-env: &env
     - AUTHENTIK_EMAIL__FROM
     - AUTHENTIK_LOG_LEVEL
     - AUTHENTIK_SETTINGS__THEME__BACKGROUND
-    - AUTHENTIK_COLOR_BACKGROUND_LIGHT
+    - AUTHENTIK_COLOR_FOREGROUND=${AUTHENTIK_COLOR_FOREGROUND:-fafafa}
+    - AUTHENTIK_COLOR_FOREGROUND_DARKER=${AUTHENTIK_COLOR_FOREGROUND_DARKER:-bebebe}
+    - AUTHENTIK_COLOR_FOREGROUND_LINK=${AUTHENTIK_COLOR_FOREGROUND_LINK:-5a5cb9}
+    - AUTHENTIK_COLOR_BACKGROUND=${AUTHENTIK_COLOR_BACKGROUND:-18191a}
+    - AUTHENTIK_COLOR_BACKGROUND_DARKER=${AUTHENTIK_COLOR_BACKGROUND_DARKER:-000000}
+    - AUTHENTIK_COLOR_BACKGROUND_LIGHT=${AUTHENTIK_COLOR_BACKGROUND_LIGHT:-1c1e21}
+    - AUTHENTIK_COLOR_BACKGROUND_LIGHTISH=${AUTHENTIK_COLOR_BACKGROUND_LIGHTISH:-212427}
+    - AUTHENTIK_COLOR_BACKGROUND_LIGHTER=${AUTHENTIK_COLOR_BACKGROUND_LIGHTER:-2b2e33}
     - AUTHENTIK_FOOTER_LINKS
     - AUTHENTIK_IMPERSONATION
     - WELCOME_MESSAGE
@@ -32,11 +39,8 @@ x-env: &env
 version: '3.8'
 services:
   app:
-    image: ghcr.io/goauthentik/server:2024.2.3
+    image: ghcr.io/goauthentik/server:2023.6.1
     command: server
-    depends_on:
-      - db
-      - redis
     secrets:
       - db_password
       - admin_pass
@@ -76,15 +80,12 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=5.1.2+2024.2.3"
+        - "coop-cloud.${STACK_NAME}.version=3.2.4+2023.6.1"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
 
   worker:
-    image: ghcr.io/goauthentik/server:2024.2.3
+    image: ghcr.io/goauthentik/server:2023.6.1
     command: worker
-    depends_on:
-      - db
-      - redis
     secrets:
       - db_password
       - admin_pass
@@ -108,22 +109,16 @@ services:
         target: /blueprints/3_flow_translation.yaml
       - source: flow_invitation
         target: /blueprints/4_flow_invitation.yaml
-      - source: system_brand
-        target: /blueprints/5_system_brand.yaml
+      - source: system_tenant
+        target: /blueprints/5_system_tenant.yaml
       - source: flow_invalidation
         target: /blueprints/6_flow_invalidation.yaml
     environment: *env
 
   db:
-    image: postgres:15.5
+    image: postgres:12.15-alpine
     secrets:
       - db_password
-    configs:
-      - source: db_entrypoint
-        target: /docker-entrypoint.sh
-        mode: 0555
-    entrypoint:
-      /docker-entrypoint.sh
     volumes:
       - database:/var/lib/postgresql/data
     networks:
@@ -146,11 +141,11 @@ services:
           backupbot.backup.path: "/var/lib/postgresql/data"
 
   redis:
-    image:  redis:7.2.4-alpine
+    image:  redis:7.0.12-alpine
     networks:
       - internal
     healthcheck:
-      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      test: ["CMD", "redis-cli","ping"]
       interval: 30s
       timeout: 10s
       retries: 10
@@ -210,11 +205,7 @@ configs:
     name: ${STACK_NAME}_flow_translation_${FLOW_TRANSLATION_VERSION}
     file: flow_translation.yaml.tmpl
     template_driver: golang
-  system_brand:
-    name: ${STACK_NAME}_system_brand_${SYSTEM_BRAND_VERSION}
-    file: system_brand.yaml.tmpl
-    template_driver: golang
-  db_entrypoint:
-    name: ${STACK_NAME}_db_entrypoint_${DB_ENTRYPOINT_VERSION}
-    file: entrypoint.postgres.sh.tmpl
+  system_tenant:
+    name: ${STACK_NAME}_system_tenant_${SYSTEM_TENANT_VERSION}
+    file: system_tenant.yaml.tmpl
     template_driver: golang

custom.css.tmpl

@@ -4,16 +4,16 @@
 :root {
     --ak-accent: #fd4b2d;
 
-    --ak-dark-foreground: #fafafa;
-    --ak-dark-foreground-darker: #bebebe;
-    --ak-dark-foreground-link: #5a5cb9;
-    --ak-dark-background: #18191a;
-    --ak-dark-background-darker: #000000;
+    --ak-dark-foreground: #{{ env "AUTHENTIK_COLOR_FOREGROUND" }};
+    --ak-dark-foreground-darker: #{{ env "AUTHENTIK_COLOR_FOREGROUND_DARKER" }};
+    --ak-dark-foreground-link: #{{ env "AUTHENTIK_COLOR_FOREGROUND_LINK" }};
+    --ak-dark-background: #{{ env "AUTHENTIK_COLOR_BACKGROUND" }};
+    --ak-dark-background-darker: #{{ env "AUTHENTIK_COLOR_BACKGROUND_DARKER" }};
 
 
-    --ak-dark-background-light: {{ env "AUTHENTIK_COLOR_BACKGROUND_LIGHT" }};
-    --ak-dark-background-light-ish: #212427;
-    --ak-dark-background-lighter: #2b2e33;
+    --ak-dark-background-light: #{{ env "AUTHENTIK_COLOR_BACKGROUND_LIGHT" }};
+    --ak-dark-background-light-ish: #{{ env "AUTHENTIK_COLOR_BACKGROUND_LIGHTISH" }};
+    --ak-dark-background-lighter: #{{ env "AUTHENTIK_COLOR_BACKGROUND_LIGHTER" }};
 
     --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
     --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);

custom_flows.yaml.tmpl

@@ -384,7 +384,7 @@ entries:
     enabled: {{ if eq (env "LOGOUT_REDIRECT") "" }} false {{ else }} true {{ end }}
     timeout: 30
 
-######## System Brand ##########
+######## System Tenant ##########
 - attrs:
     attributes:
       settings:
@@ -401,5 +401,5 @@ entries:
     flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
   identifiers:
     pk: 047cce25-aae2-4b02-9f96-078e155f803d
-  id: system_brand
-  model: authentik_brands.brand
+  id: system_tenant
+  model: authentik_tenants.tenant

entrypoint.postgres.sh.tmpl

@@ -1,45 +0,0 @@
-#!/bin/bash
-
-set -e
-
-MIGRATION_MARKER=$PGDATA/migration_in_progress
-OLDDATA=$PGDATA/old_data
-NEWDATA=$PGDATA/new_data
-
-if [ -e $MIGRATION_MARKER ]; then
-  echo "FATAL: migration was started but did not complete in a previous run. manual recovery necessary"
-  exit 1
-fi
-
-if [ -f $PGDATA/PG_VERSION ]; then
-  DATA_VERSION=$(cat $PGDATA/PG_VERSION)
-
-  if [ -n "$DATA_VERSION" -a "$PG_MAJOR" != "$DATA_VERSION" ]; then
-    echo "postgres data version $DATA_VERSION found, but need $PG_MAJOR. Starting migration"
-    echo "Installing postgres $DATA_VERSION"
-    sed -i "s/$/ $DATA_VERSION/" /etc/apt/sources.list.d/pgdg.list
-    apt-get update && apt-get install -y --no-install-recommends \
-      postgresql-$DATA_VERSION \
-      && rm -rf /var/lib/apt/lists/*
-    echo "shuffling around"
-    chown -R postgres:postgres $PGDATA
-    gosu postgres mkdir $OLDDATA $NEWDATA
-    chmod 700 $OLDDATA $NEWDATA
-    mv $PGDATA/* $OLDDATA/ || true
-    touch $MIGRATION_MARKER
-    echo "running initdb"
-    # abuse entrypoint script for initdb by making server error out
-    gosu postgres bash -c "export PGDATA=$NEWDATA ; /usr/local/bin/docker-entrypoint.sh --invalid-arg || true"
-    echo "running pg_upgrade"
-    cd /tmp
-    gosu postgres pg_upgrade --link -b /usr/lib/postgresql/$DATA_VERSION/bin -d $OLDDATA -D $NEWDATA -U $POSTGRES_USER
-    cp $OLDDATA/pg_hba.conf $NEWDATA/
-    mv $NEWDATA/* $PGDATA
-    rm -rf $OLDDATA
-    rmdir $NEWDATA
-    rm $MIGRATION_MARKER
-    echo "migration complete"
-  fi
-fi
-
-/usr/local/bin/docker-entrypoint.sh postgres

flow_authentication.yaml.tmpl

@@ -37,7 +37,7 @@ entries:
     name: default-authentication-login
   model: authentik_stages_user_login.userloginstage
   attrs:
-    session_duration: days=30
+    session_duration: seconds=0
 
 # After the first run this will produce a RelatedObjectDoesNotExist error
 - identifiers:

flow_invitation.yaml.tmpl

@@ -24,18 +24,6 @@ entries:
   id: invitation-enrollment-flow
   model: authentik_flows.flow
 
-### POLICIES
-- attrs:
-    expression: |
-      if not regex_match(request.context.get('prompt_data').get('username'), '\s'):
-          return True
-      ak_message("Username must not contain any whitespace!")
-      return False
-  id: username-without-spaces-policy
-  identifiers:
-    name: username-without-spaces-policy
-  model: authentik_policies_expression.expressionpolicy
-
 ### STAGES
 - identifiers:
     name: invitation-stage
@@ -53,8 +41,6 @@ entries:
       - !Find [authentik_stages_prompt.prompt, [name, default-user-settings-field-email]]
       - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password]]
       - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password-repeat]]
-    validation_policies:
-      - !Find [ authentik_policies_expression.expressionpolicy, [name, username-without-spaces-policy]]
 
 ### STAGE BINDINGS
 - identifiers:

hedgedoc.yaml.tmpl

@@ -1,43 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: hedgedoc
-
-entries:
-
-- attrs:
-    access_code_validity: minutes=1
-    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    client_id: {{ secret  "hedgedoc_id" }}
-    client_secret: {{ secret  "hedgedoc_secret" }}
-    client_type: confidential
-    include_claims_in_id_token: true
-    issuer_mode: per_provider
-    name: Hedgedoc
-    property_mappings:
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
-    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
-    sub_mode: hashed_user_id
-    token_validity: days=30
-  conditions: []
-  id: hedgedoc_provider
-  identifiers:
-    pk: 9992
-  model: authentik_providers_oauth2.oauth2provider
-  state: present
-
-- attrs:
-    meta_launch_url: https://{{ env  "HEDGEDOC_DOMAIN" }}
-    open_in_new_tab: true
-    policy_engine_mode: any
-    provider: !KeyOf hedgedoc_provider
-    slug: hedgedoc
-  conditions: []
-  id: hedgedoc_application
-  identifiers:
-    name: Hedgedoc
-  model: authentik_core.application
-  state: present

kimai.yaml.tmpl

@@ -1,48 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: kimai
-
-entries:
-- attrs:
-    acs_url: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml/acs
-    assertion_valid_not_before: minutes=-5
-    assertion_valid_not_on_or_after: minutes=5
-    audience: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
-    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
-    issuer: https://{{ env  "DOMAIN" }}
-    name: Kimai
-    name_id_mapping: !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
-    property_mappings:
-    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Name"]]
-    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Email"]]
-    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: User ID"]]
-    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
-    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Groups"]]
-    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: UPN"]]
-    session_valid_not_on_or_after: minutes=86400
-    signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
-    signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
-    sp_binding: post
-  conditions: []
-  id: kimai_provider
-  identifiers:
-    pk: 9991
-  model: authentik_providers_saml.samlprovider
-  state: present
-
-- attrs:
-    meta_launch_url: https://{{ env  "KIMAI_DOMAIN" }}
-    open_in_new_tab: true
-    policy_engine_mode: any
-    provider: !KeyOf kimai_provider
-    slug: kimai
-  conditions: []
-  id: kimai_application
-  identifiers:
-    name: Kimai
-  model: authentik_core.application
-  state: present

outline.yaml.tmpl

@@ -1,43 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: outline
-
-entries:
-
-- attrs:
-    access_code_validity: minutes=1
-    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    client_id: {{ secret  "outline_id" }}
-    client_secret: {{ secret  "outline_secret" }}
-    client_type: confidential
-    include_claims_in_id_token: true
-    issuer_mode: per_provider
-    name: Outline
-    property_mappings:
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
-    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
-    sub_mode: hashed_user_id
-    token_validity: days=30
-  conditions: []
-  id: outline_provider
-  identifiers:
-    pk: 9994
-  model: authentik_providers_oauth2.oauth2provider
-  state: present
-
-- attrs:
-    meta_launch_url: https://{{ env  "OUTLINE_DOMAIN" }}
-    open_in_new_tab: true
-    policy_engine_mode: any
-    provider: !KeyOf outline_provider
-    slug: outline
-  conditions: []
-  id: outline_application
-  identifiers:
-    name: Outline
-  model: authentik_core.application
-  state: present

rallly.yaml.tmpl

@@ -1,43 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: rallly
-
-entries:
-
-- attrs:
-    access_code_validity: minutes=1
-    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    client_id: {{ secret  "rallly_id" }}
-    client_secret: {{ secret  "rallly_secret" }}
-    client_type: confidential
-    include_claims_in_id_token: true
-    issuer_mode: per_provider
-    name: Rallly
-    property_mappings:
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
-    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
-    sub_mode: hashed_user_id
-    token_validity: days=30
-  conditions: []
-  id: rallly_provider
-  identifiers:
-    pk: 9993
-  model: authentik_providers_oauth2.oauth2provider
-  state: present
-
-- attrs:
-    meta_launch_url: https://{{ env  "RALLLY_DOMAIN" }}
-    open_in_new_tab: true
-    policy_engine_mode: any
-    provider: !KeyOf rallly_provider
-    slug: rallly
-  conditions: []
-  id: rallly_application
-  identifiers:
-    name: Rallly
-  model: authentik_core.application
-  state: present

release/4.0.0+2023.10.5

@@ -1 +0,0 @@
-It is only possible to upgrade to 2023.10 from 2023.8, you need to update to 2023.8.x before applying this update

release/5.0.0+2024.2.2

@@ -1 +0,0 @@
-Blueprint changes are applied and automatic migrations should work, however, manual action may be required: https://docs.goauthentik.io/docs/releases/2024.2

release/5.1.0+2024.2.3

@@ -1 +0,0 @@
-Due to blueprint changes, you need to run the following command after upgrading: abra app cmd -C <Domain> worker apply_blueprints

system_tenant.yaml.tmpl

@@ -2,13 +2,13 @@ version: 1
 metadata:
   labels:
     blueprints.goauthentik.io/instantiate: "true"
-  name: Custom System brand
+  name: Custom System Tenant
 entries:
 ### DEPENDENCIES
 - model: authentik_blueprints.metaapplyblueprint
   attrs:
     identifiers:
-      name: Default - Brand
+      name: Default - Tenant
     required: true
 - model: authentik_blueprints.metaapplyblueprint
   attrs:
@@ -17,11 +17,11 @@ entries:
     required: true
 
 
-### SYSTEM BRAND
-# remove custom brand from old recipe
+### SYSTEM TENANT
+# remove custom tenant from old recipe
 - identifiers:
     domain: {{ env "DOMAIN" }}
-  model: authentik_brands.brand
+  model: authentik_tenants.tenant
   state: absent
 
 - attrs:
@@ -32,4 +32,4 @@ entries:
   identifiers:
     default: true
     domain: authentik-default
-  model: authentik_brands.brand
+  model: authentik_tenants.tenant