chore: publish 1.0.0+2022.10.1 release

.drone.yml

@@ -1,45 +0,0 @@
----
-kind: pipeline
-name: deploy to swarm-test.autonomic.zone
-steps:
-  - name: deployment
-    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
-    settings:
-      host: swarm-test.autonomic.zone
-      stack: authentik
-      generate_secrets: true
-      purge: true
-      deploy_key:
-        from_secret: drone_ssh_swarm_test
-      networks:
-        - proxy
-    environment:
-      DOMAIN: authentik.swarm-test.autonomic.zone
-      STACK_NAME: authentik
-      LETS_ENCRYPT_ENV: production
-      CUSTOM_CSS_VERSION: v1
-      CUSTOM_FLOWS_VERSION: v1
-      SECRET_SECRET_KEY_VERSION: v1
-      SECRET_DB_PASSWORD_VERSION: v1
-      SECRET_ADMIN_TOKEN_VERSION: v1
-      SECRET_ADMIN_PASS_VERSION: v1
-      SECRET_EMAIL_PASS_VERSION: v1
-trigger:
-  branch:
-    - main
----
-kind: pipeline
-name: generate recipe catalogue
-steps:
-  - name: release a new version
-    image: plugins/downstream
-    settings:
-      server: https://build.coopcloud.tech
-      token:
-        from_secret: drone_abra-bot_token
-      fork: true
-      repositories:
-        - coop-cloud/auto-recipes-catalogue-json
-
-trigger:
-  event: tag

.env.sample

@@ -1,7 +1,7 @@
 TYPE=authentik
 LETS_ENCRYPT_ENV=production
 
-DOMAIN=authentik.example.com
+DOMAIN={{ .Domain }}
 AUTHENTIK_POSTGRESQL__USER=authentik
 AUTHENTIK_POSTGRESQL__NAME=authentik
 AUTHENTIK_POSTGRESQL__HOST=db
@@ -21,25 +21,15 @@ AUTHENTIK_LOG_LEVEL=info
 
 # Secret Versions
 SECRET_SECRET_KEY_VERSION=v1
-SECRET_DB_PASSWORD_VERSION=v1
+SECRET_DB_PASSWORD_VERSION=V1
 SECRET_ADMIN_TOKEN_VERSION=v1
 SECRET_ADMIN_PASS_VERSION=v1
 SECRET_EMAIL_PASS_VERSION=v1
 
 # X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
 AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
-AUTHENTIK_IMPERSONATION=true
 
 ## FLOW OPTIONS
 WELCOME_MESSAGE="Welcome to Authentik"
 DEFAULT_LANGUAGE=en
 AUTHENTIK_FOOTER_LINKS='[{"name": "My Organization","href":"https://example.com"}]'
-LOGOUT_REDIRECT="https://$DOMAIN"
-#COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
-#COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/
-#COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
-
-EMAIL_SUBJECT="Account Recovery"
-EMAIL_TOKEN_EXPIRY_MINUTES=30
-
-LOGOUT_REDIRECT=$DOMAIN

README.md

@@ -9,7 +9,7 @@
 
 * **Category**: Apps
 * **Status**: 0, work-in-progress
-* **Image**: [ghcr/goauthentik/server](https://ghcr.io/goauthentik/server), 4, upstream
+* **Image**: [ghcr/goauthentik/server](https://ghcr.io/goauthentik/server)
 * **Healthcheck**: Yes
 * **Backups**: Yes
 * **Email**: Yes
@@ -20,17 +20,15 @@
 
 ## Quick start
 
-* `abra app new authentik`
+* `abra app new authentik --secrets`
 * `abra app config <app-name>`
 * `abra app secret insert <app_name> email_pass v1 <password>`
-* `abra app secret generate -a <app_name>`
+* `abra app secret generate -a <app_name>
 * `abra app deploy <app-name>`
 * `abra app cmd <app_name> app set_admin_pass`
 
 ## Rotate Secrets
 
-Increment the secret versions using `abra app config <app_name>`
-
 ```
 abra app secret generate -a <app_name>
 abra app undeploy <app_name>
@@ -41,23 +39,14 @@ abra app cmd <app_name> app set_admin_pass
 
 ## Customization
 
-Place the files you want to overwrite in a directory `<assets_path>`.
-Run `abra app config <app_name>` and define the env variable `COPY_ASSETS` in the following format:
-
-```
-"<source_file1>|<service>:<target_directory1> <source_file2>|<service>:<target_directory2> ...
-```
-
-For example:
-
-```
-COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
-COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/
-COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
-```
-
 Run this command after every deploy/upgrade:
 
 `abra app command --local <app-name> customize <assets_path>`
 
+This command replaces the background image, the logo and the favicon with the following files placed in the `<assets_path>` directory:
+* `flow_background.jpg`
+* `icon_left_brand.svg`
+* `icon.png`
+
+
 For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).

abra.sh

@@ -1,5 +1,6 @@
 export CUSTOM_CSS_VERSION=v2
-export CUSTOM_FLOWS_VERSION=v4
+export CUSTOM_FLOWS_VERSION=v2
+export RECOVERY_TEMPLATE_DE_VERSION=v1
 
 customize() {
     if [ -z "$1" ]
@@ -7,13 +8,22 @@ customize() {
             echo "Usage: ... customize <assets_path>"
             exit 1
     fi
-    asset_dir=$1
-    for asset in $COPY_ASSETS; do
-        source=$(echo $asset | cut -d "|" -f1)
-        target=$(echo $asset | cut -d "|" -f2)
-        echo copy $source to $target
-        abra app cp $APP_NAME $asset_dir/$source $target
-    done
+    # TODO: use env to specify source and target files
+    if [ -e $1/flow_background.jpg ]
+    then
+        echo copy flow_background.jpg
+        abra app cp $APP_NAME $1/flow_background.jpg app:/web/dist/assets/images/
+    fi
+    if [ -e $1/icon_left_brand.svg ]
+    then
+        echo copy icon_left_brand.svg
+        abra app cp $APP_NAME $1/icon_left_brand.svg app:/web/dist/assets/icons/
+    fi
+    if [ -e $1/icon.png ]
+    then
+        echo copy icon.png
+        abra app cp $APP_NAME $1/icon.png app:/web/dist/assets/icons/
+    fi
 }
 
 set_admin_pass() {
@@ -31,7 +41,7 @@ if (token:= Token.objects.filter(identifier='authentik-bootstrap-token').first()
     token.key=key
     token.save()
     print('Changed authentik-bootstrap-token')
-else:
+else: 
     Token.objects.create(
         identifier='authentik-bootstrap-token',
         user=akadmin,

blueprints/email-recovery.yaml

@@ -0,0 +1,158 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Example - Recovery with email verification
+entries:
+  - identifiers:
+      slug: default-recovery-flow
+    id: flow
+    model: authentik_flows.flow
+    attrs:
+      name: Default recovery flow
+      title: Reset your password
+      designation: recovery
+  - identifiers:
+      field_key: password
+      label: Password
+    id: prompt-field-password
+    model: authentik_stages_prompt.prompt
+    attrs:
+      type: password
+      required: true
+      placeholder: Password
+      order: 0
+      placeholder_expression: false
+  - identifiers:
+      field_key: password_repeat
+      label: Password (repeat)
+    id: prompt-field-password-repeat
+    model: authentik_stages_prompt.prompt
+    attrs:
+      type: password
+      required: true
+      placeholder: Password (repeat)
+      order: 1
+      placeholder_expression: false
+  - identifiers:
+      name: default-recovery-skip-if-restored
+    id: default-recovery-skip-if-restored
+    model: authentik_policies_expression.expressionpolicy
+    attrs:
+      expression: |
+        return request.context.get('is_restored', False)
+  - identifiers:
+      name: default-recovery-email
+    id: default-recovery-email
+    model: authentik_stages_email.emailstage
+    attrs:
+      use_global_settings: true
+      host: localhost
+      port: 25
+      username: ""
+      use_tls: false
+      use_ssl: false
+      timeout: 10
+      from_address: system@authentik.local
+      token_expiry: 30
+      subject: authentik
+      template: email/password_reset.html
+      activate_user_on_success: true
+  - identifiers:
+      name: default-recovery-user-write
+    id: default-recovery-user-write
+    model: authentik_stages_user_write.userwritestage
+  - identifiers:
+      name: default-recovery-identification
+    id: default-recovery-identification
+    model: authentik_stages_identification.identificationstage
+    attrs:
+      user_fields:
+        - email
+        - username
+  - identifiers:
+      name: default-recovery-user-login
+    id: default-recovery-user-login
+    model: authentik_stages_user_login.userloginstage
+    attrs:
+      session_duration: seconds=0
+  - identifiers:
+      name: Change your password
+    id: stages-prompt-password
+    model: authentik_stages_prompt.promptstage
+    attrs:
+      fields:
+        - !KeyOf prompt-field-password
+        - !KeyOf prompt-field-password-repeat
+      validation_policies: []
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf default-recovery-identification
+      order: 10
+    model: authentik_flows.flowstagebinding
+    id: flow-binding-identification
+    attrs:
+      evaluate_on_plan: true
+      re_evaluate_policies: true
+      policy_engine_mode: any
+      invalid_response_action: retry
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf default-recovery-email
+      order: 20
+    model: authentik_flows.flowstagebinding
+    id: flow-binding-email
+    attrs:
+      evaluate_on_plan: true
+      re_evaluate_policies: true
+      policy_engine_mode: any
+      invalid_response_action: retry
+  - identifiers:
+      pk: 1219d06e-2c06-4c5b-a162-78e3959c6cf0
+      target: !KeyOf flow
+      stage: !KeyOf stages-prompt-password
+      order: 30
+    model: authentik_flows.flowstagebinding
+    attrs:
+      evaluate_on_plan: true
+      re_evaluate_policies: false
+      policy_engine_mode: any
+      invalid_response_action: retry
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf default-recovery-user-write
+      order: 40
+    model: authentik_flows.flowstagebinding
+    attrs:
+      evaluate_on_plan: true
+      re_evaluate_policies: false
+      policy_engine_mode: any
+      invalid_response_action: retry
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf default-recovery-user-login
+      order: 100
+    model: authentik_flows.flowstagebinding
+    attrs:
+      evaluate_on_plan: true
+      re_evaluate_policies: false
+      policy_engine_mode: any
+      invalid_response_action: retry
+  - identifiers:
+      policy: !KeyOf default-recovery-skip-if-restored
+      target: !KeyOf flow-binding-identification
+      order: 0
+    model: authentik_policies.policybinding
+    attrs:
+      negate: false
+      enabled: true
+      timeout: 30
+  - identifiers:
+      policy: !KeyOf default-recovery-skip-if-restored
+      target: !KeyOf flow-binding-email
+      order: 0
+    model: authentik_policies.policybinding
+    attrs:
+      negate: false
+      enabled: true
+      timeout: 30

blueprints/invitation-enrollment.yaml

@@ -0,0 +1,151 @@
+context: {}
+entries:
+- attrs:
+    compatibility_mode: true
+    denied_action: message_continue
+    designation: enrollment
+    layout: stacked
+    name: Willkommen zur Heimatbund Cloud!
+    policy_engine_mode: any
+    title: Willkommen zur Heimatbund Cloud!
+  id: null
+  identifiers:
+    pk: 235f1d35-302e-426f-8875-bb75c40e8a96
+    slug: invitation-enrollment
+  model: authentik_flows.flow
+- attrs:
+    field_key: password
+    label: Passwort
+    order: 300
+    placeholder: Passwort
+    required: true
+    type: password
+  id: null
+  identifiers:
+    pk: 872c7220-0c42-4cef-b21c-9896820d86a3
+  model: authentik_stages_prompt.prompt
+- attrs:
+    field_key: username
+    label: Benutzername
+    order: 0
+    placeholder: Benutzername
+    required: true
+    type: username
+  id: null
+  identifiers:
+    pk: 8c7cca12-afd7-42f9-92b2-df06d29bc0b5
+  model: authentik_stages_prompt.prompt
+- attrs:
+    field_key: name
+    label: Vor- und Nachname
+    order: 0
+    placeholder: Name
+    required: true
+    type: text
+  id: null
+  identifiers:
+    pk: 52777e44-cbe7-4187-abc3-7f44327e4577
+  model: authentik_stages_prompt.prompt
+- attrs:
+    field_key: password_repeat
+    label: Passwort (wiederholung)
+    order: 301
+    placeholder: Passwort (wiederholung)
+    required: true
+    type: password
+  id: null
+  identifiers:
+    pk: 4c6820c2-711d-4450-b977-70d225c6cbd1
+  model: authentik_stages_prompt.prompt
+- attrs:
+    field_key: email
+    label: Email
+    order: 1
+    placeholder: Email
+    required: true
+    type: email
+  id: null
+  identifiers:
+    pk: 0fd026ab-228a-4aff-adde-e566f1dcee6a
+  model: authentik_stages_prompt.prompt
+
+- attrs:
+    fields:
+    - 872c7220-0c42-4cef-b21c-9896820d86a3
+    - 8c7cca12-afd7-42f9-92b2-df06d29bc0b5
+    - 52777e44-cbe7-4187-abc3-7f44327e4577
+    - 4c6820c2-711d-4450-b977-70d225c6cbd1
+    - 0fd026ab-228a-4aff-adde-e566f1dcee6a
+  id: null
+  identifiers:
+    name: default-enrollment-prompt-first
+    pk: b96f518c-6313-4091-8b52-20dd7557e868
+  model: authentik_stages_prompt.promptstage
+- attrs: {}
+  id: null
+  identifiers:
+    name: invitation
+    pk: 9780069a-0f1d-4f0f-b7c4-4592a9cdb333
+  model: authentik_stages_invitation.invitationstage
+- attrs: {}
+  id: null
+  identifiers:
+    name: default-enrollment-user-write
+    pk: 21667fc4-05b2-4b2f-8861-c8b40a6331b1
+  model: authentik_stages_user_write.userwritestage
+- attrs:
+    session_duration: seconds=0
+  id: null
+  identifiers:
+    name: default-enrollment-user-login
+    pk: 6cdec92f-cd1f-40b1-b808-d6a5d50877ed
+  model: authentik_stages_user_login.userloginstage
+- attrs:
+    evaluate_on_plan: true
+    invalid_response_action: retry
+    policy_engine_mode: any
+  id: null
+  identifiers:
+    order: 1
+    pk: eac283e8-2342-405e-a592-72b950f307c0
+    stage: 9780069a-0f1d-4f0f-b7c4-4592a9cdb333
+    target: 235f1d35-302e-426f-8875-bb75c40e8a96
+  model: authentik_flows.flowstagebinding
+- attrs:
+    evaluate_on_plan: true
+    invalid_response_action: retry
+    policy_engine_mode: any
+  id: null
+  identifiers:
+    order: 10
+    pk: 56276785-e6f5-42c7-9201-e63ec44281aa
+    stage: b96f518c-6313-4091-8b52-20dd7557e868
+    target: 235f1d35-302e-426f-8875-bb75c40e8a96
+  model: authentik_flows.flowstagebinding
+- attrs:
+    evaluate_on_plan: true
+    invalid_response_action: retry
+    policy_engine_mode: any
+  id: null
+  identifiers:
+    order: 20
+    pk: 471de0f4-3e03-4bc8-873d-689860dc9efb
+    stage: 21667fc4-05b2-4b2f-8861-c8b40a6331b1
+    target: 235f1d35-302e-426f-8875-bb75c40e8a96
+  model: authentik_flows.flowstagebinding
+- attrs:
+    evaluate_on_plan: true
+    invalid_response_action: retry
+    policy_engine_mode: any
+  id: null
+  identifiers:
+    order: 100
+    pk: 58903955-e33a-4d9a-b882-edd93f4261f9
+    stage: 6cdec92f-cd1f-40b1-b808-d6a5d50877ed
+    target: 235f1d35-302e-426f-8875-bb75c40e8a96
+  model: authentik_flows.flowstagebinding
+metadata:
+  labels:
+    blueprints.goauthentik.io/generated: 'true'
+  name: authentik Export - 2022-10-19 12:52:52.154491+00:00
+version: 1

compose.yml

@@ -20,18 +20,14 @@ x-env: &env
     - AUTHENTIK_SETTINGS__THEME__BACKGROUND
     - AUTHENTIK_COLOR_BACKGROUND_LIGHT
     - AUTHENTIK_FOOTER_LINKS
-    - AUTHENTIK_IMPERSONATION
     - WELCOME_MESSAGE
     - DEFAULT_LANGUAGE
-    - EMAIL_SUBJECT
-    - EMAIL_TOKEN_EXPIRY_MINUTES
     - DOMAIN
-    - LOGOUT_REDIRECT
 
 version: '3.8'
 services:
   app:
-    image: ghcr.io/goauthentik/server:2023.2.3
+    image: ghcr.io/goauthentik/server:2022.10.1
     command: server
     secrets:
       - db_password
@@ -45,6 +41,8 @@ services:
     configs:
       - source: custom_css
         target: /web/dist/custom.css
+      - source: recovery_template_de
+        target: /templates/password_reset_de.html
     networks:
       - internal
       - proxy
@@ -71,10 +69,10 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=1.4.2+2023.2.3"
+        - "coop-cloud.${STACK_NAME}.version=1.0.0+2022.10.1"
 
   worker:
-    image: ghcr.io/goauthentik/server:2023.2.3
+    image: ghcr.io/goauthentik/server:2022.10.1
     command: worker
     secrets:
       - db_password
@@ -92,14 +90,13 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock
       - custom-templates:/templates
       - /dev/null:/blueprints/default/10-flow-default-authentication-flow.yaml
-      - /dev/null:/blueprints/default/10-flow-default-invalidation-flow.yaml
     configs:
       - source: custom_flows
         target: /blueprints/custom_flows.yaml
     environment: *env
 
   db:
-    image: postgres:12.14-alpine
+    image: postgres:12.12-alpine
     secrets:
       - db_password
     volumes:
@@ -119,12 +116,12 @@ services:
     deploy:
       labels:
           backupbot.backup: "true"
-          backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$$(cat /run/secrets/db_password) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /tmp/backup/backup.sql"
+          backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$(cat /run/secrets/db_password) pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > /tmp/backup/backup.sql"
           backupbot.backup.post-hook: "rm -rf /tmp/backup"
           backupbot.backup.path: "/tmp/backup/"
 
   redis:
-    image:  redis:7.0.9-alpine
+    image:  redis:7.0.5-alpine
     networks:
       - internal
     healthcheck:
@@ -167,6 +164,9 @@ configs:
     name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
     file: custom.css.tmpl
     template_driver: golang
+  recovery_template_de:
+    name: ${STACK_NAME}_recovery_template_de_${RECOVERY_TEMPLATE_DE_VERSION}
+    file: password_reset_de.html
   custom_flows:
     name: ${STACK_NAME}_custom_flows_${CUSTOM_FLOWS_VERSION}
     file: custom_flows.yaml.tmpl

custom_flows.yaml.tmpl

@@ -10,9 +10,10 @@ context:
   transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Passwort (wiederholen) {{ else }} Password (repeat) {{ end }}
   transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Benutzername {{ else }} Username {{ end }}
   transl_name: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Vor- und Nachname {{ else }} Full name {{ end }}
+  transl_template_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} password_reset_de.html {{ else }} email/password_reset.html {{ end }}
 
 entries:
-######## Email Recovery Flow ########
+######## Email Recovery Flow ######## 
 - identifiers:
     slug: default-recovery-flow
   id: recovery_flow
@@ -54,9 +55,9 @@ entries:
   model: authentik_stages_email.emailstage
   attrs:
     use_global_settings: true
-    token_expiry: {{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }}
-    subject: "{{ env "EMAIL_SUBJECT" }}"
-    template: email/password_reset.html
+    token_expiry: 30
+    subject: authentik
+    template: !Context transl_template_recovery
     activate_user_on_success: true
 - identifiers:
     name: default-recovery-user-write
@@ -174,7 +175,7 @@ entries:
 
 
 
-######## Authentication Flow ########
+######## Authentication Flow ######## 
 - attrs:
     designation: authentication
     name: custom-authentication-flow
@@ -236,7 +237,7 @@ entries:
     target: !KeyOf authentication_flow
   model: authentik_flows.flowstagebinding
 
-######## Invitation Enrollment Flow ########
+######## Invitation Enrollment Flow ######## 
 - attrs:
     designation: enrollment
     name: invitation-enrollment-flow
@@ -334,58 +335,9 @@ entries:
     target: !KeyOf invitation-enrollment-flow
   model: authentik_flows.flowstagebinding
 
-######## Invalidation Flow ########
-- identifiers:
-    slug: logout-flow
-  id: logout-flow
-  model: authentik_flows.flow
-  attrs:
-    name: Logout
-    title: Logout Flow
-    designation: invalidation
-
-### STAGES
-
-- id: logout-stage
-  identifiers:
-    name: logout-stage
-  model: authentik_stages_user_logout.userlogoutstage
-
-### STAGE BINDINGS
-
-- identifiers:
-    order: 0
-    stage: !KeyOf logout-stage
-    target: !KeyOf logout-flow
-  model: authentik_flows.flowstagebinding
-  attrs:
-    re_evaluate_policies: true
-  id: logout-stage-binding
-
-### POLICIES
-- attrs:
-    execution_logging: true
-    expression: 'context[''flow_plan''].context[''redirect''] = ''{{ env "LOGOUT_REDIRECT" }}''
-
-    return True'
-  identifiers:
-    name: redirect-policy
-  id: redirect-policy
-  model: authentik_policies_expression.expressionpolicy
-
-### POLICY BINDINGS
-- identifiers:
-    policy: !KeyOf redirect-policy
-    target: !KeyOf logout-stage-binding
-    order: 0
-  model: authentik_policies.policybinding
-  attrs:
-    enabled: {{ if eq (env "LOGOUT_REDIRECT") "" }} false {{ else }} true {{ end }}
-    timeout: 30
-
 ######## System Tenant ##########
 - attrs:
-    attributes:
+    attributes: 
       settings:
         locale: {{ env "DEFAULT_LANGUAGE" }}
     # branding_favicon: /static/dist/assets/icons/icon.png
@@ -396,7 +348,7 @@ entries:
     # event_retention: days=365
     flow_authentication: !KeyOf authentication_flow
     flow_recovery: !KeyOf recovery_flow
-    flow_invalidation: !KeyOf logout-flow
+    flow_invalidation: !Find [authentik_flows.flow, [slug, default-invalidation-flow]]
     flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
   identifiers:
     pk: 047cce25-aae2-4b02-9f96-078e155f803d

password_reset_de.html

@@ -0,0 +1,53 @@
+{% extends "email/base.html" %}
+
+{% load i18n %}
+{% load humanize %}
+
+{% block content %}
+<tr>
+    <td class="alert alert-success">
+        {% blocktrans with username=user.username %}
+        Herzlich Willkommen {{ username }},
+        {% endblocktrans %}
+    </td>
+</tr>
+<tr>
+    <td class="content-wrap">
+        <table width="100%" cellpadding="0" cellspacing="0">
+            <tr>
+                <td class="content-block">
+                    {% blocktrans %}
+                    Klicke auf folgenden Link um ein Passwort für deinen Account zu erstellen:
+                    {% endblocktrans %}
+                </td>
+            </tr>
+            <tr>
+                <td class="content-block">
+                    <table role="presentation" border="0" cellpadding="0" cellspacing="0" class="btn btn-primary">
+                        <tbody>
+                        <tr>
+                            <td align="center">
+                            <table role="presentation" border="0" cellpadding="0" cellspacing="0">
+                                <tbody>
+                                <tr>
+                                    <td> <a id="confirm" href="{{ url }}" rel="noopener noreferrer" target="_blank">Passwort Erstellen</a> </td>
+                                </tr>
+                                </tbody>
+                            </table>
+                            </td>
+                        </tr>
+                        </tbody>
+                    </table>
+                </td>
+            </tr>
+            <tr>
+                <td class="content-block">
+                    {% blocktrans with expires=expires|naturaltime %}
+                    Falls du diese E-Mail fälschlicherweise erhalten hast, ignoriere sie bitte. Der obige Link ist gültig für: {{ expires }}.
+                    {% endblocktrans %}
+                </td>
+            </tr>
+        </table>
+    </td>
+</tr>
+{% endblock %}

releases/next

@@ -1 +0,0 @@
-Logout URL changes from `https://login.example.org/if/flow/default-invalidation-flow/` to `https://login.example.org/if/flow/logout-flow/`