diff --git a/.env.sample b/.env.sample index 60013f7..c05830c 100644 --- a/.env.sample +++ b/.env.sample @@ -49,11 +49,11 @@ COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/" COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/" COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/" -# Default CSS customisation, just background colour -COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml" -AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21 -# Custommise the entire custom CSS file -#COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml" +# Default CSS customisation +# COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml" +# BACKGROUND_FONT_COLOR=white +# BACKGROUND_BOX_COLOR='#eaeaeacf' +# THEME_BACKGROUND="url('https://authentik.example.com/static/dist/assets/images/flow_background.jpg'); background-position: center; background-repeat: no-repeat; background-size: cover;" # COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml" # NEXTCLOUD_DOMAIN=nextcloud.example.com diff --git a/abra.sh b/abra.sh index e69a363..d687f66 100644 --- a/abra.sh +++ b/abra.sh @@ -4,7 +4,7 @@ export FLOW_INVITATION_VERSION=v2 export FLOW_INVALIDATION_VERSION=v2 export FLOW_RECOVERY_VERSION=v1 export FLOW_TRANSLATION_VERSION=v3 -export SYSTEM_BRAND_VERSION=v3 +export SYSTEM_BRAND_VERSION=v4 export NEXTCLOUD_CONFIG_VERSION=v1 export WORDPRESS_CONFIG_VERSION=v2 export MATRIX_CONFIG_VERSION=v1 diff --git a/compose.yml b/compose.yml index f9682c9..81aeac4 100644 --- a/compose.yml +++ b/compose.yml @@ -17,8 +17,8 @@ x-env: &env - AUTHENTIK_EMAIL__TIMEOUT - AUTHENTIK_EMAIL__FROM - AUTHENTIK_LOG_LEVEL - - AUTHENTIK_SETTINGS__THEME__BACKGROUND - - AUTHENTIK_COLOR_BACKGROUND_LIGHT + - BACKGROUND_FONT_COLOR=${BACKGROUND_FONT_COLOR:-white} + - BACKGROUND_BOX_COLOR=${BACKGROUND_BOX_COLOR:-#eaeaeacf} - AUTHENTIK_FOOTER_LINKS - AUTHENTIK_IMPERSONATION - AUTHENTIK_BOOTSTRAP_EMAIL @@ -29,6 +29,7 @@ x-env: &env - DOMAIN - LOGOUT_REDIRECT - APPLICATIONS + - THEME_BACKGROUND version: '3.8' services: 
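Review bot: Removing `AUTHENTIK_SETTINGS__THEME__BACKGROUND` and `AUTHENTIK_COLOR_BACKGROUND_LIGHT` from the `x-env` list in the compose.yml hunk means a deployment that still sets either name in its `.env` keeps a value that is silently no longer passed to the container, and nothing in the diff maps them onto the new `THEME_BACKGROUND` / `BACKGROUND_BOX_COLOR` names; the same variables disappear from the .env.sample hunk. The `SYSTEM_BRAND_VERSION` bump in abra.sh presumably re-applies the brand blueprint, but it does not rewrite operator `.env` files, so a migration hint in the sample would help, e.g. `# Renamed: AUTHENTIK_COLOR_BACKGROUND_LIGHT -> BACKGROUND_BOX_COLOR, AUTHENTIK_SETTINGS__THEME__BACKGROUND -> THEME_BACKGROUND`. The sample also changes `COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"` from an active line to a commented one, so the CSS override is now opt-in; if that is intended, say so on the `# Default CSS customisation` line.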
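Review bot: The defaults `white` and `#eaeaeacf` are now spelled once inside compose.yml (`${BACKGROUND_FONT_COLOR:-white}`, `${BACKGROUND_BOX_COLOR:-#eaeaeacf}`) and again as commented values in .env.sample, so a later change must be made in two places; the other entries in `x-env` are bare pass-throughs, which makes these two the odd ones out. Keeping the defaults in one place, or adding a comment next to the compose lines such as `# defaults must match the commented values in .env.sample`, would avoid drift. `THEME_BACKGROUND` is passed with no default, so the template side has to cope with it being unset, which the system_brand.yaml.tmpl hunk does via `ne … ""`.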
diff --git a/custom.css.tmpl b/custom.css.tmpl index 780eb76..41b4400 100644 --- a/custom.css.tmpl +++ b/custom.css.tmpl @@ -1,24 +1,13 @@ /* my custom css */ - :root { - --ak-accent: #fd4b2d; - - --ak-dark-foreground: #fafafa; - --ak-dark-foreground-darker: #bebebe; - --ak-dark-foreground-link: #5a5cb9; - --ak-dark-background: #18191a; - --ak-dark-background-darker: #000000; - - - --ak-dark-background-light: {{ env "AUTHENTIK_COLOR_BACKGROUND_LIGHT" }}; - --ak-dark-background-light-ish: #212427; - --ak-dark-background-lighter: #2b2e33; - - --pf-c-background-image--BackgroundImage: var(--ak-flow-background); - --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background); - --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background); - --pf-c-background-image--BackgroundImage--sm-2x: var(--ak-flow-background); - --pf-c-background-image--BackgroundImage--lg: var(--ak-flow-background); + --pf-global--BackgroundColor--100: {{ env "BACKGROUND_BOX_COLOR" }} !important; } +.pf-c-login__main { + background-color: {{ env "BACKGROUND_BOX_COLOR" }}; +} + +.pf-c-content h1 { + color: {{ env "BACKGROUND_FONT_COLOR" }}; +} diff --git a/custom_flows.yaml.tmpl b/custom_flows.yaml.tmpl deleted file mode 100644 index bd32114..0000000 --- a/custom_flows.yaml.tmpl +++ /dev/null 
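Review bot: `{{ env "BACKGROUND_BOX_COLOR" }}` and `{{ env "BACKGROUND_FONT_COLOR" }}` are substituted verbatim with no guard, so if either variable is empty in the container the rule renders as `--pf-global--BackgroundColor--100:  !important;` or `color: ;`, which browsers silently discard. compose.yml provides defaults for both names, but the template should not rely on that; wrapping each rule in `{{ if ne (env "BACKGROUND_BOX_COLOR") "" }} … {{ end }}` keeps the file valid CSS on its own. A header comment would also help the next maintainer: `/* BACKGROUND_BOX_COLOR / BACKGROUND_FONT_COLOR come from the operator's .env and are inserted unescaped; keep them to a single CSS colour value */`. Whether this template is rendered at all when compose.css.yml is not included is not visible in the diff.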
@@ -1,405 +0,0 @@ -version: 1 -metadata: - labels: - blueprints.goauthentik.io/instantiate: "true" - name: Custom - Flows -context: - welcome_message: {{ if eq (env "WELCOME_MESSAGE") "" }} "Welcome to authentik!" {{ else }} {{ env "WELCOME_MESSAGE" }} {{ end }} -####### Translations ######## - transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort Zurücksetzen" {{ else }} "Reset your password" {{ end }} - transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort" {{ else }} "Password" {{ end }} - transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort (wiederholen)" {{ else }} "Password (repeat)" {{ end }} - transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Benutzername" {{ else }} "Username" {{ end }} - transl_name: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Vor- und Nachname" {{ else }} "Full name" {{ end }} - -entries: -######## Email Recovery Flow ######## -- identifiers: - slug: default-recovery-flow - id: recovery_flow - model: authentik_flows.flow - attrs: - name: Default recovery flow - title: !Context transl_recovery - designation: recovery - -### PROMPTS -- identifiers: - field_key: password - id: prompt-field-password - model: authentik_stages_prompt.prompt - attrs: - label: !Context transl_password - type: password - required: true - placeholder: !Context transl_password - order: 30 - placeholder_expression: false -- identifiers: - field_key: password_repeat - id: prompt-field-password-repeat - model: authentik_stages_prompt.prompt - attrs: - label: !Context transl_password_repeat - type: password - required: true - placeholder: !Context transl_password_repeat - order: 31 - placeholder_expression: false - - -### STAGES -- identifiers: - name: default-recovery-email - id: default-recovery-email - model: authentik_stages_email.emailstage - attrs: - use_global_settings: true - token_expiry: {{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }} 30 {{ else }} {{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }} {{ end }} 
- subject: {{ if eq (env "EMAIL_SUBJECT") "" }} "Account Recovery" {{ else }} "{{ env "EMAIL_SUBJECT" }}" {{ end }} - template: email/password_reset.html - activate_user_on_success: true -- identifiers: - name: default-recovery-user-write - id: default-recovery-user-write - model: authentik_stages_user_write.userwritestage -- identifiers: - name: default-recovery-identification - id: default-recovery-identification - model: authentik_stages_identification.identificationstage - attrs: - user_fields: - - email - - username -- identifiers: - name: default-recovery-user-login - id: default-recovery-user-login - model: authentik_stages_user_login.userloginstage - attrs: - session_duration: seconds=0 -- identifiers: - name: Change your password - id: stage-prompt-password - model: authentik_stages_prompt.promptstage - attrs: - fields: - - !KeyOf prompt-field-password - - !KeyOf prompt-field-password-repeat - validation_policies: [] - -### STAGE BINDINGS -- identifiers: - target: !KeyOf recovery_flow - stage: !KeyOf default-recovery-identification - order: 10 - model: authentik_flows.flowstagebinding - id: flow-binding-identification - attrs: - evaluate_on_plan: true - re_evaluate_policies: true - policy_engine_mode: any - invalid_response_action: retry -- identifiers: - target: !KeyOf recovery_flow - stage: !KeyOf default-recovery-email - order: 20 - model: authentik_flows.flowstagebinding - id: flow-binding-email - attrs: - evaluate_on_plan: true - re_evaluate_policies: true - policy_engine_mode: any - invalid_response_action: retry -- identifiers: - target: !KeyOf recovery_flow - stage: !KeyOf stage-prompt-password - order: 30 - model: authentik_flows.flowstagebinding - attrs: - evaluate_on_plan: true - re_evaluate_policies: false - policy_engine_mode: any - invalid_response_action: retry -- identifiers: - target: !KeyOf recovery_flow - stage: !KeyOf default-recovery-user-write - order: 40 - model: authentik_flows.flowstagebinding - attrs: - evaluate_on_plan: true - 
re_evaluate_policies: false - policy_engine_mode: any - invalid_response_action: retry -- identifiers: - target: !KeyOf recovery_flow - stage: !KeyOf default-recovery-user-login - order: 100 - model: authentik_flows.flowstagebinding - attrs: - evaluate_on_plan: true - re_evaluate_policies: false - policy_engine_mode: any - invalid_response_action: retry - -### POLICIES -## ISSUES with this policy -## https://github.com/goauthentik/authentik/blob/493cdd5c0f8caaec7a7dd474f1aa131e32fd39c3/blueprints/example/flows-recovery-email-verification.yaml#L37 -## https://github.com/goauthentik/authentik/commit/317e9ec6053742e17ba74fb6aa38dc15aaf6657f#diff-a5c56bb7c60e27dda1b131b3fc2a17e3af6624e7cfaaa2337ec6b077ca489f34 -# - identifiers: -# name: default-recovery-skip-if-restored -# id: default-recovery-skip-if-restored -# model: authentik_policies_expression.expressionpolicy -# attrs: -# expression: | -# return request.context.get('is_restored', False) - -### POLICY BINDINGS -# - identifiers: -# policy: !KeyOf default-recovery-skip-if-restored -# target: !KeyOf flow-binding-identification -# order: 0 -# model: authentik_policies.policybinding -# attrs: -# negate: false -# enabled: true -# timeout: 30 -# - identifiers: -# policy: !KeyOf default-recovery-skip-if-restored -# target: !KeyOf flow-binding-email -# order: 0 -# model: authentik_policies.policybinding -# attrs: -# negate: false -# enabled: true -# timeout: 30 - - - -######## Authentication Flow ######## -- attrs: - designation: authentication - name: custom-authentication-flow - title: !Context welcome_message - identifiers: - slug: custom-authentication-flow - id: authentication_flow - model: authentik_flows.flow - -### STAGES -- attrs: - backends: - - authentik.core.auth.InbuiltBackend - - authentik.sources.ldap.auth.LDAPBackend - - authentik.core.auth.TokenBackend - configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]] - identifiers: - name: custom-authentication-password - id: 
custom-authentication-password - model: authentik_stages_password.passwordstage - -- identifiers: - name: custom-authentication-mfa-validation - id: custom-authentication-mfa-validation - model: authentik_stages_authenticator_validate.authenticatorvalidatestage - -- attrs: - password_stage: !KeyOf custom-authentication-password - recovery_flow: !KeyOf recovery_flow # !Find [authentik_flows.flow, [slug, default-recovery-flow]] - user_fields: - - email - - username - identifiers: - name: custom-authentication-identification - id: custom-authentication-identification - model: authentik_stages_identification.identificationstage - -- attrs: - session_duration: seconds=0 - identifiers: - name: custom-authentication-login - id: custom-authentication-login - model: authentik_stages_user_login.userloginstage - -### STAGE BINDINGS -- identifiers: - order: 10 - stage: !KeyOf custom-authentication-identification - target: !KeyOf authentication_flow - model: authentik_flows.flowstagebinding -- identifiers: - order: 30 - stage: !KeyOf custom-authentication-mfa-validation - target: !KeyOf authentication_flow - model: authentik_flows.flowstagebinding -- identifiers: - order: 100 - stage: !KeyOf custom-authentication-login - target: !KeyOf authentication_flow - model: authentik_flows.flowstagebinding - -######## Invitation Enrollment Flow ######## -- attrs: - designation: enrollment - name: invitation-enrollment-flow - title: !Context welcome_message - identifiers: - slug: invitation-enrollment-flow - id: invitation-enrollment-flow - model: authentik_flows.flow - -### PROMPTS -- identifiers: - field_key: username - id: prompt-field-username - model: authentik_stages_prompt.prompt - attrs: - label: !Context transl_username - type: username - required: true - placeholder: !Context transl_username - order: 0 - placeholder_expression: false -- identifiers: - field_key: name - id: prompt-field-name - model: authentik_stages_prompt.prompt - attrs: - label: !Context transl_name - type: 
text - required: true - placeholder: !Context transl_name - order: 1 - placeholder_expression: false -- identifiers: - field_key: email - label: Email - id: prompt-field-email - model: authentik_stages_prompt.prompt - attrs: - type: email - required: true - placeholder: muster@example.com - order: 2 - placeholder_expression: false - -### STAGES - -- id: invitation-stage - identifiers: - name: invitation-stage - model: authentik_stages_invitation.invitationstage - -- attrs: - fields: - - !KeyOf prompt-field-username - - !KeyOf prompt-field-name - - !KeyOf prompt-field-email - - !KeyOf prompt-field-password - - !KeyOf prompt-field-password-repeat - id: enrollment-prompt-userdata - identifiers: - name: enrollment-prompt-userdata - model: authentik_stages_prompt.promptstage - -- id: enrollment-user-write - identifiers: - name: enrollment-user-write - model: authentik_stages_user_write.userwritestage - -- attrs: - session_duration: seconds=0 - id: enrollment-user-login - identifiers: - name: enrollment-user-login - model: authentik_stages_user_login.userloginstage - -### STAGE BINDINGS -- identifiers: - order: 1 - stage: !KeyOf invitation-stage - target: !KeyOf invitation-enrollment-flow - model: authentik_flows.flowstagebinding -- identifiers: - order: 10 - stage: !KeyOf enrollment-prompt-userdata - target: !KeyOf invitation-enrollment-flow - model: authentik_flows.flowstagebinding -- identifiers: - order: 20 - stage: !KeyOf enrollment-user-write - target: !KeyOf invitation-enrollment-flow - model: authentik_flows.flowstagebinding -- identifiers: - order: 100 - stage: !KeyOf enrollment-user-login - target: !KeyOf invitation-enrollment-flow - model: authentik_flows.flowstagebinding - -######## Invalidation Flow ######## -- identifiers: - slug: logout-flow - id: logout-flow - model: authentik_flows.flow - attrs: - name: Logout - title: Logout Flow - designation: invalidation - -### STAGES - -- id: logout-stage - identifiers: - name: logout-stage - model: 
authentik_stages_user_logout.userlogoutstage - -### STAGE BINDINGS - -- identifiers: - order: 0 - stage: !KeyOf logout-stage - target: !KeyOf logout-flow - model: authentik_flows.flowstagebinding - attrs: - re_evaluate_policies: true - id: logout-stage-binding - -### POLICIES -- attrs: - execution_logging: true - expression: 'context[''flow_plan''].context[''redirect''] = ''{{ env "LOGOUT_REDIRECT" }}'' - - return True' - identifiers: - name: redirect-policy - id: redirect-policy - model: authentik_policies_expression.expressionpolicy - -### POLICY BINDINGS -- identifiers: - policy: !KeyOf redirect-policy - target: !KeyOf logout-stage-binding - order: 0 - model: authentik_policies.policybinding - attrs: - enabled: {{ if eq (env "LOGOUT_REDIRECT") "" }} false {{ else }} true {{ end }} - timeout: 30 - -######## System Brand ########## -- attrs: - attributes: - settings: - locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }} - # branding_favicon: /static/dist/assets/icons/icon.png - # branding_logo: /static/dist/assets/icons/icon_left_brand.svg - # branding_title: Authentik - # default: true - domain: {{ env "DOMAIN" }} - # event_retention: days=365 - flow_authentication: !KeyOf authentication_flow - flow_recovery: !KeyOf recovery_flow - flow_invalidation: !KeyOf logout-flow - flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]] - identifiers: - pk: 047cce25-aae2-4b02-9f96-078e155f803d - id: system_brand - model: authentik_brands.brand diff --git a/system_brand.yaml.tmpl b/system_brand.yaml.tmpl index 9ce850f..9063141 100644 --- a/system_brand.yaml.tmpl +++ b/system_brand.yaml.tmpl 
@@ -27,7 +27,10 @@ entries:
 - attrs:
 attributes:
 settings:
- locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }}
+ locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }} {{ if ne (env "THEME_BACKGROUND") "" }}
+ theme:
+ background: >
+ background: {{ env "THEME_BACKGROUND" }} {{ end }}
 flow_recovery: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
 identifiers:
 default: true
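Review bot: `{{ env "THEME_BACKGROUND" }}` is written straight into the folded scalar under `background: >`, so a value containing a newline breaks the block's indentation and the blueprint no longer parses; the template does nothing to normalise the value. The value is also raw CSS (the sample in .env.sample ends in `; background-position: center; …`) that authentik presumably emits into the brand stylesheet, so this line is an intentional injection point that only operator-controlled `.env` data may reach; document that above `theme:`, e.g. `# THEME_BACKGROUND is inserted unescaped as CSS for the brand background; it must come from the operator's .env only`. Opening `{{ if ne … }}` at the end of the `locale:` line and closing it after the scalar hides the conditional and leaves a trailing space on the rendered `locale` line; placing the two directives on lines of their own would render as blank lines, which YAML tolerates, and make the conditional block obvious. The `- attrs:` brand entry continues past the end of the hunk.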