feat: adds envs and rename function to group and rename apps

Reviewed-on: #15
Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>

.env.sample

@@ -9,9 +9,14 @@ ENABLE_BACKUPS=true
 DOMAIN=authentik.example.com
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.authentik.example.com`'
+# Redirects
+# All redirect domains have to be added to extra_domains as well)
+# multiple redirects can be added by seperating them with a | character
+#REDIRECTS=www.authentik.example.com
 COMPOSE_FILE="compose.yml"
 AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME=false
 AUTHENTIK_LOG_LEVEL=info
+# AUTHENTIK_DISABLE_UPDATE_CHECK=false
 # AUTHENTIK_IMPERSONATION=true
 # AUTHENTIK_FOOTER_LINKS='[{"name": "My Organization","href":"https://example.com"}]'
 # WORKERS=1
@@ -64,11 +69,22 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 # BACKGROUND_BOX_COLOR='#eaeaeacf'
 # THEME_BACKGROUND="url('https://authentik.example.com/static/dist/assets/images/flow_background.jpg'); background-position: center; background-repeat: no-repeat; background-size: cover;"
 
+# Group Name Variables to cluster Applications
+# GROUP_SUPPORT=Support
+# GROUP_HELP=Help
+# GROUP_ORGANISATION=Organisation
+# GROUP_COMMUNICATION=Communication
+# GROUP_COLLABORATION=Collaboration
+# GROUP_DOCUMENTATION=Documentation
+# GROUP_DEVELOPMENT=Development
+# GROUP_INFRASTRUCTURE=Infrastructure
+
 # COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
 # NEXTCLOUD_DOMAIN=nextcloud.example.com
 # SECRET_NEXTCLOUD_ID_VERSION=v1
 # SECRET_NEXTCLOUD_SECRET_VERSION=v1
 # APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"
+# NEXTCLOUD_APPGROUP="$GROUP_ORGANISATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.wordpress.yml"
 # WORDPRESS_DOMAIN=wordpress.example.com
@@ -76,6 +92,7 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 # SECRET_WORDPRESS_ID_VERSION=v1
 # SECRET_WORDPRESS_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS wordpress:~/.abra/recipes/authentik/icons/wordpress.png"
+# WORDPRESS_APPGROUP="$GROUP_DEVELOPMENT"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
 # ELEMENT_DOMAIN=element-web.example.com
@@ -83,52 +100,61 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 # SECRET_MATRIX_ID_VERSION=v1
 # SECRET_MATRIX_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS matrix:~/.abra/recipes/authentik/icons/matrix.svg"
+# MATRIX_APPGROUP="$GROUP_COMMUNICATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.wekan.yml"
 # WEKAN_DOMAIN=wekan.example.com
 # SECRET_WEKAN_ID_VERSION=v1
 # SECRET_WEKAN_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS wekan:~/.abra/recipes/authentik/icons/wekan.png"
+# WEKAN_APPGROUP="$GROUP_ORGANISATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.vikunja.yml"
 # VIKUNJA_DOMAIN=vikunja.example.com
 # SECRET_VIKUNJA_ID_VERSION=v1
 # SECRET_VIKUNJA_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS vikunja:~/.abra/recipes/authentik/icons/vikunja.svg"
+# VIKUNJA_APPGROUP="$GROUP_ORGANISATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.outline.yml"
 # OUTLINE_DOMAIN=outline.example.com
 # SECRET_OUTLINE_ID_VERSION=v1
 # SECRET_OUTLINE_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS outline:~/.abra/recipes/authentik/icons/outline.png"
+# OUTLINE_APPGROUP="$GROUP_DOCUMENTATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.kimai.yml"
 # KIMAI_DOMAIN=kimai.example.com
 # SECRET_KIMAI_ID_VERSION=v1
 # SECRET_KIMAI_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS kimai:~/.abra/recipes/authentik/icons/kimai_logo.png"
+# KIMAI_APPGROUP="$GROUP_ORGANISATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.zammad.yml"
 # ZAMMAD_DOMAIN=zammad.example.com
 # APP_ICONS="$APP_ICONS zammad:~/.abra/recipes/authentik/icons/zammad.svg"
+# ZAMMAD_APPGROUP="$GROUP_SUPPORT"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml"
 # MONITORING_DOMAIN=monitoring.example.com
 # SECRET_MONITORING_ID_VERSION=v1
 # SECRET_MONITORING_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.svg"
+# MONITORING_APPGROUP="$GROUP_INFRASTRUCTURE"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.rallly.yml"
 # RALLLY_DOMAIN=rallly.example.com
 # SECRET_RALLLY_ID_VERSION=v1
 # SECRET_RALLLY_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS rallly:~/.abra/recipes/authentik/icons/rallly.png"
+# RALLLY_APPGROUP="$GROUP_ORGANISATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.hedgedoc.yml"
 # HEDGEDOC_DOMAIN=hedgedoc.example.com
 # SECRET_HEDGEDOC_ID_VERSION=v1
 # SECRET_HEDGEDOC_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS hedgedoc:~/.abra/recipes/authentik/icons/hedgedoc.png"
+# HEDGEDOC_APPGROUP="$GROUP_DOCUMENTATION"
 
-# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/", "Pretix": "https://pretix.example.com/control/"}'
+# APPLICATIONS='{"Calendar": {"url":"https://nextcloud.example.com/apps/calendar/", "group": ""}, "BBB": {"url":"https://nextcloud.example.com/apps/bbb/", "group":""}, "Pretix": {"url":"https://pretix.example.com/control/", "group":""}}'
 # EXTRA_ICONS={"Calendar": "~/.abra/recipes/authentik/icons/calendar.svg", "BBB": "~/.abra/recipes/authentik/icons/bbb.png", "Pretix": "~/.abra/recipes/authentik/icons/pretix.svg"}

README.md

@@ -52,6 +52,16 @@ APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"
 
 Set the nextcloud Icon using `abra app cmd -l -d <app_name> set_icons`
 
+Generate OAuth client id and secret using `abra app secret generate <app_name> -a` (all secrets) or individually:
+- `abra app secret generate <app_name> nextcloud_id`
+- `abra app secret generate <app_name> nextcloud_secret`
+
+Add the id and secret to nextcloud as secrets with:
+- `abra app secret insert <nextcloud_app_name> authentik_id v1 <id>`
+- `abra app secret insert <nextcloud_app_name> authentik_secret v1 <secret>`
+
+Redeploy Authentik to enable the nextcloud client.
+
 The configuration inside Nextcloud can be found in the [nextcloud recipe](https://git.coopcloud.tech/coop-cloud/nextcloud#authentik-integration)
 
 ## Add LDAP outpost
@@ -95,6 +105,25 @@ Run this command after every deploy/upgrade:
 
 `abra app command --local <app-name> customize <assets_path>`
 
+## Custom CSS
+
+Uncomment the following env:
+
+```
+COMPOSE_FILE="$COMPOSE_FILE:compose.css-volume.yml"
+```
+
+Redeploy the app:
+```
+abra app deploy -f <app_name>
+```
+
+Copy the CSS and restart the container:
+```
+abra app cp <app_name> my_custom.css app:/web/dist/assets/custom.css
+abra app restart <app_name> app
+```
+
 ## Email templates
 
 Add custom [email templates](https://goauthentik.io/docs/flow/stages/email/#custom-templates):
@@ -105,15 +134,15 @@ Add custom [email templates](https://goauthentik.io/docs/flow/stages/email/#cust
 
 These blueprints overwrite default blueprint values:
 
-- flow_translation.yaml
-- flow_authentication.yaml
+- `flow_translation.yaml`
+- `flow_authentication.yaml`
 
 The following default blueprints will be overwritten by customizations:
 
-- flow-password-change.yaml
-- flow-default-authentication-flow.yaml
-- flow-default-user-settings-flow.yaml
-- flow-default-source-enrollment.yaml
+- `flow-password-change.yaml`
+- `flow-default-authentication-flow.yaml`
+- `flow-default-user-settings-flow.yaml`
+- `flow-default-source-enrollment.yaml`
 
 The `abra.sh` function `apply_blueprints` needs to be executed to deactivate these blueprints to ensure that the customizations won't be overwritten. It will further execute flow_translation.yaml and flow_authentication.yaml again.
 

abra.sh

@@ -2,7 +2,7 @@ export CUSTOM_CSS_VERSION=v3
 export FLOW_AUTHENTICATION_VERSION=v4
 export FLOW_INVITATION_VERSION=v2
 export FLOW_INVALIDATION_VERSION=v2
-export FLOW_RECOVERY_VERSION=v1
+export FLOW_RECOVERY_VERSION=v2
 export FLOW_TRANSLATION_VERSION=v3
 export SYSTEM_BRAND_VERSION=v4
 export NEXTCLOUD_CONFIG_VERSION=v3
@@ -88,6 +88,16 @@ set_admin_pass() {
 password=$(cat /run/secrets/admin_pass)
 token=$(cat /run/secrets/admin_token)
 /manage.py shell -c """
+import time
+i = 0
+while (not User.objects.filter(username='akadmin')):
+    print('Waiting for akadmin to be created...')
+    time.sleep(10)
+    i += 1
+    if i > 6:
+        print('Failed to find admin user!')
+        exit()
+
 akadmin = User.objects.get(username='akadmin')
 akadmin.set_password('$password')
 akadmin.save()
@@ -167,6 +177,7 @@ print(f'{blueprint.name} enabled: {blueprint.enabled}')
 
 }
 
+# This function adds each application with its name, slug and group if passed
 add_applications(){
 export APPLICATIONS
 /manage.py shell -c """
@@ -175,19 +186,42 @@ import os
 if os.environ['APPLICATIONS'] == '':
     exit()
 applications = json.loads(os.environ['APPLICATIONS'])
-for name, url in applications.items():
-    print(f'Add {name}: {url}')
+for name, details in applications.items():
+    url = details['url']
     app = Application.objects.filter(name=name).first()
     if not app:
         app = Application()
     app.name = name
     app.slug = name.replace(' ', '-')
     app.meta_launch_url = url
+    group = details['group']
+    if group:
+        app.group = group
+        print(f'Add {name}: {url} in group: {group}')
+    else:
+        print(f'Add {name}: {url}')
     app.open_in_new_tab = True
     app.save()
 """ 2>&1 | quieten
 }
 
+## This function is for renaming apps - usage: rename "old name" "new name"
+rename() {
+    /manage.py shell -c """
+    old_name = '$1'
+    new_name = '$2' if '$2' else old_name
+
+    app = Application.objects.filter(name=old_name).first()
+    if app:
+        app.name = new_name
+        app.save()
+        print(f'Renamed application from {old_name} to {new_name}')
+    else:
+        print(f'No application found with name: {old_name}')
+    """ > /dev/null 2>&1
+}
+
+
 
 quieten(){
     # 'SyntaxWarning|version_regex|"http\['

compose.matrix.yml

@@ -3,7 +3,7 @@ services:
   app:
     deploy:
       labels:
-        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect-matrix-well-known"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions,${STACK_NAME}-redirect,${STACK_NAME}-redirect-matrix-well-known"
         - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.regex=^https://(.*)/.well-known/matrix/(.*)"
         - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.replacement=https://${MATRIX_DOMAIN}/.well-known/matrix/$$2"
   worker:

compose.outposts.ldap.yml

@@ -1,7 +1,7 @@
 version: "3.8"
 services:
   authentik_ldap:
-      image: ghcr.io/goauthentik/ldap:2025.2.0
+      image: ghcr.io/goauthentik/ldap:2025.8.1
       # Optionally specify which networks the container should be
       # might be needed to reach the core authentik server
       networks:

compose.yml

@@ -17,6 +17,7 @@ x-env: &env
     - AUTHENTIK_EMAIL__TIMEOUT
     - AUTHENTIK_EMAIL__FROM
     - AUTHENTIK_LOG_LEVEL
+    - AUTHENTIK_DISABLE_UPDATE_CHECK
     - BACKGROUND_FONT_COLOR=${BACKGROUND_FONT_COLOR:-white}
     - BACKGROUND_BOX_COLOR=${BACKGROUND_BOX_COLOR:-#eaeaeacf}
     - AUTHENTIK_FOOTER_LINKS
@@ -34,7 +35,7 @@ x-env: &env
 version: '3.8'
 services:
   app:
-    image: ghcr.io/goauthentik/server:2025.2.0
+    image: ghcr.io/goauthentik/server:2025.8.1
     command: server
     depends_on:
       - db
@@ -67,16 +68,17 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions,${STACK_NAME}-redirect"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=7.0.0+2025.2.0"
+        - "coop-cloud.${STACK_NAME}.version=8.0.0+2025.8.1"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.regex=^https://(${REDIRECTS})/(.*)"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.replacement=https://${DOMAIN}/$${2}"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.permanent=true"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
 
   worker:
-    image: ghcr.io/goauthentik/server:2025.2.0
+    image: ghcr.io/goauthentik/server:2025.8.1
     command: worker
     depends_on:
       - db
@@ -117,7 +119,7 @@ services:
       start_period: 5m
 
   db:
-    image: postgres:15.12
+    image: postgres:15.13
     secrets:
       - db_password
     configs:
@@ -152,7 +154,7 @@ services:
           backupbot.restore.post-hook: '/pg_backup.sh restore'
 
   redis:
-    image:  redis:7.4.2-alpine
+    image:  redis:8.2.1-alpine
     command: --save 60 1 --loglevel warning
     networks:
       - internal

flow_recovery.yaml.tmpl

@@ -4,7 +4,7 @@ metadata:
     blueprints.goauthentik.io/instantiate: "true"
   name: Recovery with email verification
 context:
-  token_expiry: {{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }} 30 {{ else }} {{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }} {{ end }}
+  token_expiry: minutes={{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }}30{{ else }}{{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }}{{ end }}
   subject: {{ if eq (env "EMAIL_SUBJECT") "" }} Account Recovery {{ else }} {{ env "EMAIL_SUBJECT" }} {{ end }} 
 entries:
 ### DEPENDENCIES

release/7.4.0+2025.6.3

@@ -0,0 +1,3 @@
+Adds following new envs: 
+  REDIRECTS
+  AUTHENTIK_DISABLE_UPDATE_CHECK