Use AUTHENTIK_BOOTSTRAP_PASSWORD env instead of set_admin_pass function

This reverts commit e07d57718a.

.drone.yml

@@ -23,13 +23,14 @@ steps:
       FLOW_INVALIDATION_VERSION: v1
       FLOW_RECOVERY_VERSION: v1
       FLOW_TRANSLATION_VERSION: v1
-      SYSTEM_TENANT_VERSION: v1
+      SYSTEM_BRAND_VERSION: v1
       NEXTCLOUD_CONFIG_VERSION: v1
       SECRET_SECRET_KEY_VERSION: v1
       SECRET_DB_PASSWORD_VERSION: v1
       SECRET_ADMIN_TOKEN_VERSION: v1
       SECRET_ADMIN_PASS_VERSION: v1
       SECRET_EMAIL_PASS_VERSION: v1
+      DB_ENTRYPOINT_VERSION: v1
 trigger:
   branch:
     - main

.env.sample

@@ -1,10 +1,12 @@
 TYPE=authentik
-TIMEOUT=300
+TIMEOUT=900
 ENABLE_AUTO_UPDATE=true
-POST_DEPLOY_CMDS="worker set_admin_pass|worker apply_blueprints|worker add_applications"
+# POST_DEPLOY_CMDS="worker worker apply_blueprints|worker add_applications"
 LETS_ENCRYPT_ENV=production
 
 DOMAIN=authentik.example.com
+## Domain aliases
+#EXTRA_DOMAINS=', `www.authentik.example.com`'
 COMPOSE_FILE="compose.yml"
 AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME=false
 AUTHENTIK_LOG_LEVEL=info
@@ -12,6 +14,9 @@ AUTHENTIK_LOG_LEVEL=info
 # AUTHENTIK_FOOTER_LINKS='[{"name": "My Organization","href":"https://example.com"}]'
 # WORKERS=1
 
+## Outpost Integration
+# COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml"
+
 ## EMAIL
 AUTHENTIK_EMAIL__HOST=smtp
 AUTHENTIK_EMAIL__PORT=587
@@ -29,7 +34,6 @@ SECRET_ADMIN_PASS_VERSION=v1
 SECRET_EMAIL_PASS_VERSION=v1
 
 # X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
-AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
 
 ## FLOW OPTIONS
 # WELCOME_MESSAGE="Welcome to Authentik"
@@ -42,6 +46,12 @@ COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
 COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/"
 COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 
+# Default CSS customisation, just background colour
+COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
+AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
+# Custommise the entire custom CSS file
+#COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
+
 # COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
 # NEXTCLOUD_DOMAIN=nextcloud.example.com
 # SECRET_NEXTCLOUD_ID_VERSION=v1
@@ -56,7 +66,7 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 # APP_ICONS="$APP_ICONS wordpress:~/.abra/recipes/authentik/icons/wordpress.png"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
-# ELEMENT_DOMAIN=element.example.com
+# ELEMENT_DOMAIN=element-web.example.com
 # SECRET_MATRIX_ID_VERSION=v1
 # SECRET_MATRIX_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS matrix:~/.abra/recipes/authentik/icons/matrix.svg"
@@ -73,13 +83,36 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 # SECRET_VIKUNJA_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS vikunja:~/.abra/recipes/authentik/icons/vikunja.svg"
 
+# COMPOSE_FILE="$COMPOSE_FILE:compose.outline.yml"
+# OUTLINE_DOMAIN=outline.example.com
+# SECRET_OUTLINE_ID_VERSION=v1
+# SECRET_OUTLINE_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS outline:~/.abra/recipes/authentik/icons/outline.png"
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.kimai.yml"
+# KIMAI_DOMAIN=kimai.example.com
+# SECRET_KIMAI_ID_VERSION=v1
+# SECRET_KIMAI_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS kimai:~/.abra/recipes/authentik/icons/kimai.png"
+
 # COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml"
 # MONITORING_DOMAIN=monitoring.example.com
 # SECRET_MONITORING_ID_VERSION=v1
 # SECRET_MONITORING_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.png"
 
-# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "Rallly":"https://rallly.example.cloud/"}'
-# APP_ICONS="$APP_ICONS Calendar:~/.abra/recipes/authentik/icons/calendar.svg"
-# APP_ICONS="$APP_ICONS Rallly:~/.abra/recipes/authentik/icons/rallly.png"
+# COMPOSE_FILE="$COMPOSE_FILE:compose.rallly.yml"
+# RALLLY_DOMAIN=rallly.example.com
+# SECRET_RALLLY_ID_VERSION=v1
+# SECRET_RALLLY_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS rallly:~/.abra/recipes/authentik/icons/rallly.png"
 
+# COMPOSE_FILE="$COMPOSE_FILE:compose.hedgedoc.yml"
+# HEDGEDOC_DOMAIN=hedgedoc.example.com
+# SECRET_HEDGEDOC_ID_VERSION=v1
+# SECRET_HEDGEDOC_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS hedgedoc:~/.abra/recipes/authentik/icons/hedgedoc.png"
+
+# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/"}'
+# APP_ICONS="$APP_ICONS Calendar:~/.abra/recipes/authentik/icons/calendar.svg"
+# APP_ICONS="$APP_ICONS BBB:~/.abra/recipes/authentik/icons/bbb.jpg"

README.md

@@ -35,7 +35,6 @@ abra app secret generate -a <app_name>
 abra app undeploy <app_name>
 abra app deploy <app_name>
 abra app cmd <app_name> db rotate_db_pass
-abra app cmd <app_name> app set_admin_pass
 ```
 
 ## Add SSO for Nextcloud
@@ -87,44 +86,112 @@ Run this command after every deploy/upgrade:
 
 `abra app command --local <app-name> customize <assets_path>`
 
+## Email templates
+
+Add custom [email templates](https://goauthentik.io/docs/flow/stages/email/#custom-templates):
+
+`abra app cmd -l <app_name> add_email_templates local/path/to/mail_template.html`
+
 ## Blueprints
 
-Blueprint Dependency Requirements:
+These blueprints overwrite default blueprint values:
+
+- flow_translation.yaml
+- flow_authentication.yaml
+
+The following default blueprints will be overwritten by customizations:
+
+- flow-password-change.yaml
+- flow-default-authentication-flow.yaml
+- flow-default-user-settings-flow.yaml
+- flow-default-source-enrollment.yaml
+
+The `abra.sh` function `apply_blueprints` needs to be executed to deactivate these blueprints to ensure that the customizations won't be overwritten. It will further execute flow_translation.yaml and flow_authentication.yaml again.
+
+
+### Blueprint Overwrite/Use Dependencies
 
 - Recovery with email verification
     - Default - Password change flow
+        - USE:
+            - `default-password-change-prompt`
+            - `default-password-change-write`
     - Default - Authentication flow
+        - USE:
+            - `default-authentication-login`
 - Custom Authentication Flow
     - Default - Authentication flow
+        - USE:
+            - `default-authentication-password`
+        - OVERWRITE:
+            - `default-authentication-flow`
+        - APPEND:
+            - `default-authentication-identification`
+            - `default-authentication-login`
+        - REMOVE: `authentik_flows.flowstagebinding order:20`
     - Recovery with email verification
+        - USE:
+            - `default-recovery-flow`
 - Invitation Enrollment Flow
     - Default - User settings flow
+        - USE:
+            - `default-user-settings-field-name`
+            - `default-user-settings-field-email`
+    - Default - Password change flow
+        - USE:
+            - `default-password-change-field-password`
+            - `default-password-change-field-password-repeat`
     - Default - Authentication flow
+        - USE:
+            - `default-authentication-login`
     - Default - Source enrollment flow
+        - USE:
+            - `default-source-enrollment-field-username`
+            - `default-source-enrollment-write`
 - Custom Invalidation Flow
     - Default - Invalidation flow
+        - APPEND_ATTR:
+            - `authentik_flows.flowstagebinding order: 0`
 - Flow Translations
     - Recovery with email verification
+        - APPEND: `default-recovery-flow`
     - Default - Password change flow
+        - OVERWRITE:
+           - `default-password-change-field-password`
+           - `default-password-change-field-password-repeat`
     - Default - User settings flow
+        - OVERWRITE:
+            - `default-user-settings-field-username`
+            - `default-user-settings-field-name`
     - Default - Source enrollment flow
-- Custom System Tenant
-    - Default - Tenant
+        - OVERWRITE:
+            - `default-source-enrollment-field-username`
+- Custom System Brand
+    - Default - Brand
+        - APPEND: `authentik_brands.brand  domain: authentik-default`
     - Recovery with email verification
+        - USE:
+            - `default-recovery-flow`
 
 
-Blueprint Dependency Graph:
+### Blueprint Dependency Execution Order
 
-5. Custom System Tenant
-    - Default - Tenant
-    4. Invitation Enrollment Flow
-        3. Flow Translations
-            - Default - User settings flow
-            - Default - Source enrollment flow
-            2. Custom Authentication Flow
-                1. Recovery with email verification
-                    - Default - Authentication flow
-                        - Default - Password change flow
+5. Custom System Brand
+    - Default - Brand
+    1. Recovery with email verification
+        - Default - Authentication flow
+            - Default - Password change flow
+4. Invitation Enrollment Flow
+    3. Flow Translations
+        - Default - User settings flow
+        - Default - Source enrollment flow
+        1. Recovery with email verification
+            - Default - Authentication flow
+                - Default - Password change flow
+2. Custom Authentication Flow
+    1. Recovery with email verification
+        - Default - Authentication flow
+            - Default - Password change flow
 6. Custom Invalidation Flow
     - Default - Invalidation flow
 

abra.sh

@@ -1,16 +1,21 @@
 export CUSTOM_CSS_VERSION=v2
-export FLOW_AUTHENTICATION_VERSION=v1
-export FLOW_INVITATION_VERSION=v1
-export FLOW_INVALIDATION_VERSION=v1
+export FLOW_AUTHENTICATION_VERSION=v4
+export FLOW_INVITATION_VERSION=v2
+export FLOW_INVALIDATION_VERSION=v2
 export FLOW_RECOVERY_VERSION=v1
-export FLOW_TRANSLATION_VERSION=v1
-export SYSTEM_TENANT_VERSION=v1
+export FLOW_TRANSLATION_VERSION=v3
+export SYSTEM_BRAND_VERSION=v3
 export NEXTCLOUD_CONFIG_VERSION=v1
 export WORDPRESS_CONFIG_VERSION=v2
 export MATRIX_CONFIG_VERSION=v1
 export WEKAN_CONFIG_VERSION=v3
 export VIKUNJA_CONFIG_VERSION=v1
+export OUTLINE_CONFIG_VERSION=v2
+export KIMAI_CONFIG_VERSION=v1
+export RALLLY_CONFIG_VERSION=v2
+export HEDGEDOC_CONFIG_VERSION=v1
 export MONITORING_CONFIG_VERSION=v1
+export DB_ENTRYPOINT_VERSION=v1
 
 customize() {
     if [ -z "$1" ]
@@ -51,43 +56,24 @@ with open('/tmp/$1', newline='') as file:
     email = row[2].strip()
     groups = row[3].split(';')
     if User.objects.filter(username=username):
+        print(f'{username} already exists')
         continue
     new_user = User.objects.create(name=name, username=username, email=email)
+    print(f'{username} created')
     for group_name in groups:
         group_name = group_name.strip()
         if Group.objects.filter(name=group_name):
             group = Group.objects.get(name=group_name)
         else:
             group = Group.objects.create(name=group_name)
+            print(f'{group_name} created')
         group.users.add(new_user)
+        print(f'add {username} to group {group_name}')
 """ 2>&1 | quieten
 }
 
 set_admin_pass() {
-password=$(cat /run/secrets/admin_pass)
-token=$(cat /run/secrets/admin_token)
-/manage.py shell -c """
-akadmin = User.objects.get(username='akadmin')
-akadmin.set_password('$password')
-akadmin.save()
-print('Changed akadmin password')
-
-from authentik.core.models import TokenIntents
-key='$token'
-if (token:= Token.objects.filter(identifier='authentik-bootstrap-token').first()):
-    token.key=key
-    token.save()
-    print('Changed authentik-bootstrap-token')
-else:
-    Token.objects.create(
-        identifier='authentik-bootstrap-token',
-        user=akadmin,
-        intent=TokenIntents.INTENT_API,
-        expiring=False,
-        key=key,
-    )
-    print('Created authentik-bootstrap-token')
-""" 2>&1 | quieten
+echo "The set_admin_pass function is depricated"
 }
 
 rotate_db_pass() {
@@ -95,15 +81,24 @@ rotate_db_pass() {
     psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
 }
 
+# This function is for blueprints that are overwriting custom blueprints
+# It deactivates the affected custom blueprints to avoid changes to be reverted
 apply_blueprints() {
-    enable_blueprint default/flow-default-authentication-flow.yaml
-    enable_blueprint default/flow-default-user-settings-flow.yaml
-    enable_blueprint default/flow-password-change.yaml
-    ak apply_blueprint 6_flow_invalidation.yaml 2>&1 | quieten
-    ak apply_blueprint 5_system_tenant.yaml 2>&1 | quieten
-    disable_blueprint default/flow-default-authentication-flow.yaml
-    disable_blueprint default/flow-default-user-settings-flow.yaml
-    disable_blueprint default/flow-password-change.yaml
+    update_and_disable_blueprint default/flow-password-change.yaml
+    update_and_disable_blueprint default/flow-default-authentication-flow.yaml
+    update_and_disable_blueprint default/flow-default-user-settings-flow.yaml
+    update_and_disable_blueprint default/flow-default-source-enrollment.yaml
+    
+    apply_blueprint 3_flow_translation.yaml
+    apply_blueprint 2_flow_authentication.yaml
+}
+
+update_and_disable_blueprint() {
+    enable_blueprint $@ 2>&1 | quieten
+    sleep 1
+    apply_blueprint $@
+    sleep 1
+    disable_blueprint $@ 2>&1 | quieten
 }
 
 disable_blueprint() {
@@ -114,12 +109,24 @@ enable_blueprint() {
     blueprint_state True $@
 }
 
+apply_blueprint() {
+    echo apply blueprint $@
+    ak apply_blueprint $@ 2>&1 | quieten
+}
+
 blueprint_state() {
 /manage.py shell -c """
+import time
 blueprint_state=$1
 blueprint_path='$2'
 blueprint = BlueprintInstance.objects.filter(path=blueprint_path).first()
 blueprint.enabled = blueprint_state
+# Hacky workaround to reduce chance of a race condition
+blueprint.save()
+time.sleep(1)
+blueprint.save()
+time.sleep(1)
+blueprint.save()
 print(f'{blueprint.name} enabled: {blueprint.enabled}')
 """ 2>&1 | quieten
 
@@ -146,7 +153,16 @@ for name, url in applications.items():
 
 
 quieten(){
-    grep -v '{"event"'
+    # 'SyntaxWarning|version_regex|"http\['
+    # is a workaround to get rid of some verbose syntax warnings, this might be fixed with another version
+    grep -Pv '"level": "(info|debug)"|SyntaxWarning|version_regex|"http\[|RuntimeWarning:'
+}
+
+add_email_templates(){
+for file_path in "$@"; do
+    echo copy template $file_path
+    abra app cp $APP_NAME $file_path app:/templates/
+done
 }
 
 set_icons(){
@@ -186,7 +202,20 @@ delete_flows = ['default-recovery-flow' , 'custom-authentication-flow' , 'invita
 Flow.objects.filter(slug__in=delete_flows).delete()
 Stage.objects.filter(flow=None).delete()
 Prompt.objects.filter(promptstage=None).delete()
-Tenant.objects.filter(default=True).delete()
+Brand.objects.filter(default=True).delete()
 """ 2>&1 | quieten
 apply_blueprints
 }
+
+get_certificate() {
+/manage.py shell -c """
+provider_name='$1'
+if not provider_name:
+    print('no Provider Name given')
+    exit(1)
+provider = Provider.objects.filter(name=provider_name).first()
+saml = provider.samlprovider
+cert = saml.signing_kp
+print(''.join(cert.certificate_data.splitlines()[1:-1]))
+""" 2>&1 | quieten
+}

alaconnect.yml

@@ -0,0 +1,76 @@
+nextcloud:
+    uncomment:
+        - compose.nextcloud.yml
+        - NEXTCLOUD_DOMAIN
+        - SECRET_NEXTCLOUD_ID_VERSION
+        - SECRET_NEXTCLOUD_SECRET_VERSION
+        - nextcloud.png
+wordpress:
+    uncomment:
+        - compose.wordpress.yml
+        - WORDPRESS_DOMAIN
+        - WORDPRESS_GROUP
+        - SECRET_WORDPRESS_ID_VERSION
+        - SECRET_WORDPRESS_SECRET_VERSION
+        - wordpress.png
+matrix-synapse:
+    uncomment:
+        - compose.matrix.yml
+        - ELEMENT_DOMAIN
+        - SECRET_MATRIX_ID_VERSION
+        - SECRET_MATRIX_SECRET_VERSION
+        - matrix.svg
+    secrets:
+        matrix_id: matrix
+wekan:
+    uncomment:
+        - compose.wekan.yml
+        - WEKAN_DOMAIN
+        - SECRET_WEKAN_ID_VERSION
+        - SECRET_WEKAN_SECRET_VERSION
+        - wekan.png
+    secrets:
+        wekan_id: wekan
+vikunja:
+    uncomment:
+        - compose.vikunja.yml
+        - VIKUNJA_DOMAIN
+        - SECRET_VIKUNJA_ID_VERSION
+        - SECRET_VIKUNJA_SECRET_VERSION
+        - vikunja.svg
+    secrets:
+        vikunja_id: vikunja
+monitoring:
+    uncomment:
+        - compose.monitoring.yml
+        - MONITORING_DOMAIN
+        - SECRET_MONITORING_ID_VERSION
+        - SECRET_MONITORING_SECRET_VERSION
+        - monitoring.png
+outline:
+    uncomment:
+        - compose.outline.yml
+        - OUTLINE_DOMAIN
+        - SECRET_OUTLINE_ID_VERSION
+        - SECRET_OUTLINE_SECRET_VERSION
+        - outline.png
+    secrets:
+        outline_id: outline
+rallly:
+    uncomment:  
+        - compose.rallly.yml
+        - RALLLY_DOMAIN
+        - SECRET_RALLLY_ID_VERSION
+        - SECRET_RALLLY_SECRET_VERSION
+        - rallly.png
+    secrets:
+        rallly_id: rallly
+hedgedoc:
+    uncomment:  
+        - compose.hedgedoc.yml
+        - HEDGEDOC_DOMAIN
+        - SECRET_HEDGEDOC_ID_VERSION
+        - SECRET_HEDGEDOC_SECRET_VERSION
+        - hedgedoc.png
+    secrets:
+        hedgedoc_id: hedgedoc

compose.css.yml

@@ -0,0 +1,14 @@
+---
+version: '3.8'
+
+services:
+  app:
+    configs: 
+      - source: custom_css
+        target: /web/dist/custom.css
+
+configs:
+  custom_css:
+    name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
+    file: custom.css.tmpl
+    template_driver: golang

compose.hedgedoc.yml

@@ -0,0 +1,26 @@
+version: "3.8"
+services:
+  worker:
+    secrets:
+      - hedgedoc_id
+      - hedgedoc_secret
+    environment:
+      - HEDGEDOC_DOMAIN
+    configs:
+      - source: hedgedoc
+        target: /blueprints/hedgedoc.yaml
+
+secrets:
+  hedgedoc_id:
+    external: true
+    name: ${STACK_NAME}_hedgedoc_id_${SECRET_HEDGEDOC_ID_VERSION}
+  hedgedoc_secret:
+    external: true
+    name: ${STACK_NAME}_hedgedoc_secret_${SECRET_HEDGEDOC_SECRET_VERSION}
+
+
+configs:
+  hedgedoc:
+    name: ${STACK_NAME}_hedgedoc_${HEDGEDOC_CONFIG_VERSION}
+    file: hedgedoc.yaml.tmpl
+    template_driver: golang

compose.kimai.yml

@@ -0,0 +1,14 @@
+version: "3.8"
+services:
+  worker:
+    environment:
+      - KIMAI_DOMAIN
+    configs:
+      - source: kimai
+        target: /blueprints/kimai.yaml
+
+configs:
+  kimai:
+    name: ${STACK_NAME}_kimai_${KIMAI_CONFIG_VERSION}
+    file: kimai.yaml.tmpl
+    template_driver: golang

compose.outline.yml

@@ -0,0 +1,26 @@
+version: "3.8"
+services:
+  worker:
+    secrets:
+      - outline_id
+      - outline_secret
+    environment:
+      - OUTLINE_DOMAIN
+    configs:
+      - source: outline
+        target: /blueprints/outline.yaml
+
+secrets:
+  outline_id:
+    external: true
+    name: ${STACK_NAME}_outline_id_${SECRET_OUTLINE_ID_VERSION}
+  outline_secret:
+    external: true
+    name: ${STACK_NAME}_outline_secret_${SECRET_OUTLINE_SECRET_VERSION}
+
+
+configs:
+  outline:
+    name: ${STACK_NAME}_outline_${OUTLINE_CONFIG_VERSION}
+    file: outline.yaml.tmpl
+    template_driver: golang

compose.outposts.yml

@@ -0,0 +1,6 @@
+version: "3.8"
+services:
+  worker:
+    user: root
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock

compose.rallly.yml

@@ -0,0 +1,26 @@
+version: "3.8"
+services:
+  worker:
+    secrets:
+      - rallly_id
+      - rallly_secret
+    environment:
+      - RALLLY_DOMAIN
+    configs:
+      - source: rallly
+        target: /blueprints/rallly.yaml
+
+secrets:
+  rallly_id:
+    external: true
+    name: ${STACK_NAME}_rallly_id_${SECRET_RALLLY_ID_VERSION}
+  rallly_secret:
+    external: true
+    name: ${STACK_NAME}_rallly_secret_${SECRET_RALLLY_SECRET_VERSION}
+
+
+configs:
+  rallly:
+    name: ${STACK_NAME}_rallly_${RALLLY_CONFIG_VERSION}
+    file: rallly.yaml.tmpl
+    template_driver: golang

compose.yml

@@ -8,6 +8,8 @@ x-env: &env
     - AUTHENTIK_REDIS__HOST=redis
     - AUTHENTIK_ERROR_REPORTING__ENABLED
     - AUTHENTIK_SECRET_KEY=file:///run/secrets/secret_key
+    - AUTHENTIK_BOOTSTRAP_PASSWORD=file:///run/secrets/admin_pass
+    - AUTHENTIK_BOOTSTRAP_TOKEN=file:///run/secrets/admin_token
     - AUTHENTIK_EMAIL__HOST
     - AUTHENTIK_EMAIL__PORT
     - AUTHENTIK_EMAIL__USERNAME
@@ -32,8 +34,11 @@ x-env: &env
 version: '3.8'
 services:
   app:
-    image: ghcr.io/goauthentik/server:2023.3.1
+    image: ghcr.io/goauthentik/server:2024.4.2
     command: server
+    depends_on:
+      - db
+      - redis
     secrets:
       - db_password
       - admin_pass
@@ -43,14 +48,12 @@ services:
     volumes:
       - media:/media
       - assets:/web/dist/assets
-    configs:
-      - source: custom_css
-        target: /web/dist/custom.css
+      - templates:/templates
     networks:
       - internal
       - proxy
     healthcheck:
-      test: ["CMD", "curl", "-f", "localhost:9000/-/health/live/"]
+      test: "bash -c 'printf \"GET / HTTP/1.1\n\n\" > /dev/tcp/127.0.0.1/9000; exit $$?;'"
       interval: 30s
       timeout: 10s
       retries: 10
@@ -64,7 +67,7 @@ services:
         - "traefik.enable=true"
         - "traefik.docker.network=proxy"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=9000"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions"
@@ -72,12 +75,15 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=3.1.2+2023.3.1"
+        - "coop-cloud.${STACK_NAME}.version=6.1.1+2024.4.2"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
 
   worker:
-    image: ghcr.io/goauthentik/server:2023.3.1
+    image: ghcr.io/goauthentik/server:2024.4.2
     command: worker
+    depends_on:
+      - db
+      - redis
     secrets:
       - db_password
       - admin_pass
@@ -87,12 +93,11 @@ services:
     networks:
       - internal
       - proxy
-    user: root
     volumes:
       - backups:/backups
       - media:/media
-      - /var/run/docker.sock:/var/run/docker.sock
       - /dev/null:/blueprints/default/flow-oobe.yaml
+      - templates:/templates
     configs:
       - source: flow_recovery
         target: /blueprints/1_flow_recovery.yaml
@@ -102,16 +107,22 @@ services:
         target: /blueprints/3_flow_translation.yaml
       - source: flow_invitation
         target: /blueprints/4_flow_invitation.yaml
-      - source: system_tenant
-        target: /blueprints/5_system_tenant.yaml
+      - source: system_brand
+        target: /blueprints/5_system_brand.yaml
       - source: flow_invalidation
         target: /blueprints/6_flow_invalidation.yaml
     environment: *env
 
   db:
-    image: postgres:12.14-alpine
+    image: postgres:15.7
     secrets:
       - db_password
+    configs:
+      - source: db_entrypoint
+        target: /docker-entrypoint.sh
+        mode: 0555
+    entrypoint:
+      /docker-entrypoint.sh
     volumes:
       - database:/var/lib/postgresql/data
     networks:
@@ -134,11 +145,11 @@ services:
           backupbot.backup.path: "/var/lib/postgresql/data"
 
   redis:
-    image:  redis:7.0.10-alpine
+    image:  redis:7.2.4-alpine
     networks:
       - internal
     healthcheck:
-      test: ["CMD", "redis-cli","ping"]
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
       interval: 30s
       timeout: 10s
       retries: 10
@@ -169,14 +180,11 @@ networks:
 volumes:
   backups:
   media:
+  templates:
   assets:
   database:
 
 configs:
-  custom_css:
-    name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
-    file: custom.css.tmpl
-    template_driver: golang
   flow_authentication:
     name: ${STACK_NAME}_flow_authentication_${FLOW_AUTHENTICATION_VERSION}
     file: flow_authentication.yaml.tmpl
@@ -197,7 +205,11 @@ configs:
     name: ${STACK_NAME}_flow_translation_${FLOW_TRANSLATION_VERSION}
     file: flow_translation.yaml.tmpl
     template_driver: golang
-  system_tenant:
-    name: ${STACK_NAME}_system_tenant_${SYSTEM_TENANT_VERSION}
-    file: system_tenant.yaml.tmpl
+  system_brand:
+    name: ${STACK_NAME}_system_brand_${SYSTEM_BRAND_VERSION}
+    file: system_brand.yaml.tmpl
+    template_driver: golang
+  db_entrypoint:
+    name: ${STACK_NAME}_db_entrypoint_${DB_ENTRYPOINT_VERSION}
+    file: entrypoint.postgres.sh.tmpl
     template_driver: golang

custom_flows.yaml.tmpl

@@ -384,7 +384,7 @@ entries:
     enabled: {{ if eq (env "LOGOUT_REDIRECT") "" }} false {{ else }} true {{ end }}
     timeout: 30
 
-######## System Tenant ##########
+######## System Brand ##########
 - attrs:
     attributes:
       settings:
@@ -401,5 +401,5 @@ entries:
     flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
   identifiers:
     pk: 047cce25-aae2-4b02-9f96-078e155f803d
-  id: system_tenant
-  model: authentik_tenants.tenant
+  id: system_brand
+  model: authentik_brands.brand

entrypoint.postgres.sh.tmpl

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+set -e
+
+MIGRATION_MARKER=$PGDATA/migration_in_progress
+OLDDATA=$PGDATA/old_data
+NEWDATA=$PGDATA/new_data
+
+if [ -e $MIGRATION_MARKER ]; then
+  echo "FATAL: migration was started but did not complete in a previous run. manual recovery necessary"
+  exit 1
+fi
+
+if [ -f $PGDATA/PG_VERSION ]; then
+  DATA_VERSION=$(cat $PGDATA/PG_VERSION)
+
+  if [ -n "$DATA_VERSION" -a "$PG_MAJOR" != "$DATA_VERSION" ]; then
+    echo "postgres data version $DATA_VERSION found, but need $PG_MAJOR. Starting migration"
+    echo "Installing postgres $DATA_VERSION"
+    sed -i "s/$/ $DATA_VERSION/" /etc/apt/sources.list.d/pgdg.list
+    apt-get update && apt-get install -y --no-install-recommends \
+      postgresql-$DATA_VERSION \
+      && rm -rf /var/lib/apt/lists/*
+    echo "shuffling around"
+    chown -R postgres:postgres $PGDATA
+    gosu postgres mkdir $OLDDATA $NEWDATA
+    chmod 700 $OLDDATA $NEWDATA
+    mv $PGDATA/* $OLDDATA/ || true
+    touch $MIGRATION_MARKER
+    echo "running initdb"
+    # abuse entrypoint script for initdb by making server error out
+    gosu postgres bash -c "export PGDATA=$NEWDATA ; /usr/local/bin/docker-entrypoint.sh --invalid-arg || true"
+    echo "running pg_upgrade"
+    cd /tmp
+    gosu postgres pg_upgrade --link -b /usr/lib/postgresql/$DATA_VERSION/bin -d $OLDDATA -D $NEWDATA -U $POSTGRES_USER
+    cp $OLDDATA/pg_hba.conf $NEWDATA/
+    mv $NEWDATA/* $PGDATA
+    rm -rf $OLDDATA
+    rmdir $NEWDATA
+    rm $MIGRATION_MARKER
+    echo "migration complete"
+  fi
+fi
+
+/usr/local/bin/docker-entrypoint.sh postgres

flow_authentication.yaml.tmpl

@@ -22,7 +22,6 @@ entries:
   attrs:
     name: !Context welcome_message
     title: !Context welcome_message
-
 ### STAGES
 - identifiers:
     name: default-authentication-identification
@@ -30,13 +29,17 @@ entries:
   attrs:
     password_stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]]
     recovery_flow: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
+    user_fields:
+    - email
+    - username
 
 - identifiers:
     name: default-authentication-login
   model: authentik_stages_user_login.userloginstage
   attrs:
-    session_duration: seconds=0
+    session_duration: days=30
 
+# After the first run this will produce a RelatedObjectDoesNotExist error
 - identifiers:
     order: 20
     stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]]

flow_invalidation.yaml.tmpl

@@ -13,6 +13,7 @@ entries:
 
 ### STAGE BINDINGS
 
+# This is specified only for setting an id (this stagebinding does not have an identifier)
 - identifiers:
     order: 0
     stage: !Find [authentik_stages_user_logout.userlogoutstage, [name, default-invalidation-logout]]

flow_invitation.yaml.tmpl

@@ -24,6 +24,18 @@ entries:
   id: invitation-enrollment-flow
   model: authentik_flows.flow
 
+### POLICIES
+- attrs:
+    expression: |
+      if not regex_match(request.context.get('prompt_data').get('username'), '\s'):
+          return True
+      ak_message("Username must not contain any whitespace!")
+      return False
+  id: username-without-spaces-policy
+  identifiers:
+    name: username-without-spaces-policy
+  model: authentik_policies_expression.expressionpolicy
+
 ### STAGES
 - identifiers:
     name: invitation-stage
@@ -41,6 +53,8 @@ entries:
       - !Find [authentik_stages_prompt.prompt, [name, default-user-settings-field-email]]
       - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password]]
       - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password-repeat]]
+    validation_policies:
+      - !Find [ authentik_policies_expression.expressionpolicy, [name, username-without-spaces-policy]]
 
 ### STAGE BINDINGS
 - identifiers:

flow_translation.yaml.tmpl

@@ -4,7 +4,7 @@ metadata:
     blueprints.goauthentik.io/instantiate: "true"
   name: Flow Translations
 context:
-  transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort Zurücksetzen" {{ else }} "Reset your password" {{ end }}
+  transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort zurücksetzen" {{ else }} "Reset your password" {{ end }}
   transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort" {{ else }} "Password" {{ end }}
   transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort (wiederholen)" {{ else }} "Password (repeat)" {{ end }}
   transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Benutzername" {{ else }} "Username" {{ end }}
@@ -15,7 +15,7 @@ entries:
 - model: authentik_blueprints.metaapplyblueprint
   attrs:
     identifiers:
-      name: Custom Authentication Flow
+      name: Recovery with email verification
     required: true
 - model: authentik_blueprints.metaapplyblueprint
   attrs:

hedgedoc.yaml.tmpl

@@ -0,0 +1,43 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: hedgedoc
+
+entries:
+
+- attrs:
+    access_code_validity: minutes=1
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    client_id: {{ secret  "hedgedoc_id" }}
+    client_secret: {{ secret  "hedgedoc_secret" }}
+    client_type: confidential
+    include_claims_in_id_token: true
+    issuer_mode: per_provider
+    name: Hedgedoc
+    property_mappings:
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sub_mode: hashed_user_id
+    token_validity: days=30
+  conditions: []
+  id: hedgedoc_provider
+  identifiers:
+    pk: 9992
+  model: authentik_providers_oauth2.oauth2provider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "HEDGEDOC_DOMAIN" }}
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf hedgedoc_provider
+    slug: hedgedoc
+  conditions: []
+  id: hedgedoc_application
+  identifiers:
+    name: Hedgedoc
+  model: authentik_core.application
+  state: present

kimai.yaml.tmpl

@@ -0,0 +1,48 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: kimai
+
+entries:
+- attrs:
+    acs_url: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml/acs
+    assertion_valid_not_before: minutes=-5
+    assertion_valid_not_on_or_after: minutes=5
+    audience: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
+    issuer: https://{{ env  "DOMAIN" }}
+    name: Kimai
+    name_id_mapping: !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
+    property_mappings:
+    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Name"]]
+    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Email"]]
+    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: User ID"]]
+    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
+    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Groups"]]
+    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: UPN"]]
+    session_valid_not_on_or_after: minutes=86400
+    signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
+    signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sp_binding: post
+  conditions: []
+  id: kimai_provider
+  identifiers:
+    pk: 9991
+  model: authentik_providers_saml.samlprovider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "KIMAI_DOMAIN" }}
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf kimai_provider
+    slug: kimai
+  conditions: []
+  id: kimai_application
+  identifiers:
+    name: Kimai
+  model: authentik_core.application
+  state: present

outline.yaml.tmpl

@@ -0,0 +1,43 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: outline
+
+entries:
+
+- attrs:
+    access_code_validity: minutes=1
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    client_id: {{ secret  "outline_id" }}
+    client_secret: {{ secret  "outline_secret" }}
+    client_type: confidential
+    include_claims_in_id_token: true
+    issuer_mode: per_provider
+    name: Outline
+    property_mappings:
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sub_mode: hashed_user_id
+    token_validity: days=30
+  conditions: []
+  id: outline_provider
+  identifiers:
+    pk: 9994
+  model: authentik_providers_oauth2.oauth2provider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "OUTLINE_DOMAIN" }}
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf outline_provider
+    slug: outline
+  conditions: []
+  id: outline_application
+  identifiers:
+    name: Outline
+  model: authentik_core.application
+  state: present

rallly.yaml.tmpl

@@ -0,0 +1,43 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: rallly
+
+entries:
+
+- attrs:
+    access_code_validity: minutes=1
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    client_id: {{ secret  "rallly_id" }}
+    client_secret: {{ secret  "rallly_secret" }}
+    client_type: confidential
+    include_claims_in_id_token: true
+    issuer_mode: per_provider
+    name: Rallly
+    property_mappings:
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sub_mode: hashed_user_id
+    token_validity: days=30
+  conditions: []
+  id: rallly_provider
+  identifiers:
+    pk: 9993
+  model: authentik_providers_oauth2.oauth2provider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "RALLLY_DOMAIN" }}
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf rallly_provider
+    slug: rallly
+  conditions: []
+  id: rallly_application
+  identifiers:
+    name: Rallly
+  model: authentik_core.application
+  state: present

release/3.2.0+2023.6.1

@@ -0,0 +1 @@
+If you use your own outpost you need to uncomment COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml" to expose the docker socket again.

release/4.0.0+2023.10.5

@@ -0,0 +1 @@
+It is only possible to upgrade to 2023.10 from 2023.8, you need to update to 2023.8.x before applying this update

release/5.0.0+2024.2.2

@@ -0,0 +1 @@
+Blueprint changes are applied and automatic migrations should work, however, manual action may be required: https://docs.goauthentik.io/docs/releases/2024.2

release/5.1.0+2024.2.3

@@ -0,0 +1 @@
+Due to blueprint changes, you need to run the following command after upgrading: abra app cmd -C <Domain> worker apply_blueprints

release/6.0.0+2024.4.0

@@ -0,0 +1 @@
+Alerta! ⚠️ If you are using AUTHENTIK_COLOR_BACKGROUND_LIGHT, you will need to set COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"

release/6.1.0+2024.4.2

@@ -0,0 +1 @@
+Blueprint for Kimai SSO integration added

system_brand.yaml.tmpl

@@ -2,26 +2,26 @@ version: 1
 metadata:
   labels:
     blueprints.goauthentik.io/instantiate: "true"
-  name: Custom System Tenant
+  name: Custom System brand
 entries:
 ### DEPENDENCIES
 - model: authentik_blueprints.metaapplyblueprint
   attrs:
     identifiers:
-      name: Default - Tenant
+      name: Default - Brand
     required: true
 - model: authentik_blueprints.metaapplyblueprint
   attrs:
     identifiers:
-      name: Invitation Enrollment Flow
+      name: Recovery with email verification
     required: true
 
 
-### SYSTEM TENANT
-# remove custom tenant from old recipe
+### SYSTEM BRAND
+# remove custom brand from old recipe
 - identifiers:
     domain: {{ env "DOMAIN" }}
-  model: authentik_tenants.tenant
+  model: authentik_brands.brand
   state: absent
 
 - attrs:
@@ -32,4 +32,4 @@ entries:
   identifiers:
     default: true
     domain: authentik-default
-  model: authentik_tenants.tenant
+  model: authentik_brands.brand