chore: publish 7.3.1+2025.6.1 release

Reviewed-on: #15
Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>

.drone.yml

@@ -23,13 +23,15 @@ steps:
       FLOW_INVALIDATION_VERSION: v1
       FLOW_RECOVERY_VERSION: v1
       FLOW_TRANSLATION_VERSION: v1
-      SYSTEM_TENANT_VERSION: v1
+      SYSTEM_BRAND_VERSION: v1
       NEXTCLOUD_CONFIG_VERSION: v1
       SECRET_SECRET_KEY_VERSION: v1
       SECRET_DB_PASSWORD_VERSION: v1
       SECRET_ADMIN_TOKEN_VERSION: v1
       SECRET_ADMIN_PASS_VERSION: v1
       SECRET_EMAIL_PASS_VERSION: v1
+      DB_ENTRYPOINT_VERSION: v1
+      PG_BACKUP_VERSION: v2
 trigger:
   branch:
     - main
@@ -45,7 +47,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - coop-cloud/auto-recipes-catalogue-json
+        - toolshed/auto-recipes-catalogue-json
 
 trigger:
   event: tag

.env.sample

@@ -1,8 +1,10 @@
 TYPE=authentik
-TIMEOUT=300
+TIMEOUT=900
 ENABLE_AUTO_UPDATE=true
-# POST_DEPLOY_CMDS="worker set_admin_pass|worker apply_blueprints|worker add_applications"
+POST_DEPLOY_CMDS="worker set_admin_pass"
+# Example values for post deploy cmds: "worker set_admin_pass|worker apply_blueprints|worker add_applications"
 LETS_ENCRYPT_ENV=production
+ENABLE_BACKUPS=true
 
 DOMAIN=authentik.example.com
 ## Domain aliases
@@ -16,6 +18,11 @@ AUTHENTIK_LOG_LEVEL=info
 
 ## Outpost Integration
 # COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml"
+# COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.ldap.yml"
+# SECRET_LDAP_TOKEN_VERSION=v1
+
+## ADMIN
+AUTHENTIK_BOOTSTRAP_EMAIL=admin@example.com
 
 ## EMAIL
 AUTHENTIK_EMAIL__HOST=smtp
@@ -34,14 +41,6 @@ SECRET_ADMIN_PASS_VERSION=v1
 SECRET_EMAIL_PASS_VERSION=v1
 
 # X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
-# AUTHENTIK_COLOR_FOREGROUND=fafafa
-# AUTHENTIK_COLOR_FOREGROUND_DARKER=bebebe
-# AUTHENTIK_COLOR_FOREGROUND_LINK=5a5cb9
-# AUTHENTIK_COLOR_BACKGROUND=18191a
-# AUTHENTIK_COLOR_BACKGROUND_DARKER=000000
-# AUTHENTIK_COLOR_BACKGROUND_LIGHT=1c1e21
-# AUTHENTIK_COLOR_BACKGROUND_LIGHTISH=212427
-# AUTHENTIK_COLOR_BACKGROUND_LIGHTER=2b2e33
 
 ## FLOW OPTIONS
 # WELCOME_MESSAGE="Welcome to Authentik"
@@ -50,10 +49,21 @@ SECRET_EMAIL_PASS_VERSION=v1
 # EMAIL_SUBJECT="Account Recovery"
 # EMAIL_TOKEN_EXPIRY_MINUTES=30
 
+## assets
 COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
 COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/"
 COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 
+# store custom CSS in a css-volume
+#COMPOSE_FILE="$COMPOSE_FILE:compose.css-volume.yml"
+# NOTE: this causes the authentik container to run as `root` initially; it uses `su` to drop privileges but technically could introduce a security risk. proceed with caution!
+
+# Default CSS customisation
+# COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
+# BACKGROUND_FONT_COLOR=white
+# BACKGROUND_BOX_COLOR='#eaeaeacf'
+# THEME_BACKGROUND="url('https://authentik.example.com/static/dist/assets/images/flow_background.jpg'); background-position: center; background-repeat: no-repeat; background-size: cover;"
+
 # COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
 # NEXTCLOUD_DOMAIN=nextcloud.example.com
 # SECRET_NEXTCLOUD_ID_VERSION=v1
@@ -69,6 +79,7 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
 # ELEMENT_DOMAIN=element-web.example.com
+# MATRIX_DOMAIN=matrix-synapse.example.com
 # SECRET_MATRIX_ID_VERSION=v1
 # SECRET_MATRIX_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS matrix:~/.abra/recipes/authentik/icons/matrix.svg"
@@ -85,13 +96,39 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 # SECRET_VIKUNJA_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS vikunja:~/.abra/recipes/authentik/icons/vikunja.svg"
 
+# COMPOSE_FILE="$COMPOSE_FILE:compose.outline.yml"
+# OUTLINE_DOMAIN=outline.example.com
+# SECRET_OUTLINE_ID_VERSION=v1
+# SECRET_OUTLINE_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS outline:~/.abra/recipes/authentik/icons/outline.png"
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.kimai.yml"
+# KIMAI_DOMAIN=kimai.example.com
+# SECRET_KIMAI_ID_VERSION=v1
+# SECRET_KIMAI_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS kimai:~/.abra/recipes/authentik/icons/kimai_logo.png"
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.zammad.yml"
+# ZAMMAD_DOMAIN=zammad.example.com
+# APP_ICONS="$APP_ICONS zammad:~/.abra/recipes/authentik/icons/zammad.svg"
+
 # COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml"
 # MONITORING_DOMAIN=monitoring.example.com
 # SECRET_MONITORING_ID_VERSION=v1
 # SECRET_MONITORING_SECRET_VERSION=v1
-# APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.png"
+# APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.svg"
 
-# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/", "Rallly":"https://rallly.example.cloud/"}'
-# APP_ICONS="$APP_ICONS Calendar:~/.abra/recipes/authentik/icons/calendar.svg"
-# APP_ICONS="$APP_ICONS Rallly:~/.abra/recipes/authentik/icons/rallly.png"
-# APP_ICONS="$APP_ICONS BBB:~/.abra/recipes/authentik/icons/bbb.jpg"
+# COMPOSE_FILE="$COMPOSE_FILE:compose.rallly.yml"
+# RALLLY_DOMAIN=rallly.example.com
+# SECRET_RALLLY_ID_VERSION=v1
+# SECRET_RALLLY_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS rallly:~/.abra/recipes/authentik/icons/rallly.png"
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.hedgedoc.yml"
+# HEDGEDOC_DOMAIN=hedgedoc.example.com
+# SECRET_HEDGEDOC_ID_VERSION=v1
+# SECRET_HEDGEDOC_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS hedgedoc:~/.abra/recipes/authentik/icons/hedgedoc.png"
+
+# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/", "Pretix": "https://pretix.example.com/control/"}'
+# EXTRA_ICONS={"Calendar": "~/.abra/recipes/authentik/icons/calendar.svg", "BBB": "~/.abra/recipes/authentik/icons/bbb.png", "Pretix": "~/.abra/recipes/authentik/icons/pretix.svg"}

README.md

@@ -52,8 +52,26 @@ APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"
 
 Set the nextcloud Icon using `abra app cmd -l -d <app_name> set_icons`
 
+Generate OAuth client id and secret using `abra app secret generate <app_name> -a` (all secrets) or individually:
+- `abra app secret generate <app_name> nextcloud_id`
+- `abra app secret generate <app_name> nextcloud_secret`
+
+Add the id and secret to nextcloud as secrets with:
+- `abra app secret insert <nextcloud_app_name> authentik_id v1 <id>`
+- `abra app secret insert <nextcloud_app_name> authentik_secret v1 <secret>`
+
+Redeploy Authentik to enable the nextcloud client.
+
 The configuration inside Nextcloud can be found in the [nextcloud recipe](https://git.coopcloud.tech/coop-cloud/nextcloud#authentik-integration)
 
+## Add LDAP outpost
+
+- Follow [this official guide](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap/generic_setup) and skip the LDAP Flow as we don't need it.
+- Copy token under `Applications` -> `Outposts` `-> `View Deployment Info` 
+- Comment in envs for compose.outposts.ldap.yaml and secret version
+- Insert token as secret `abra app secret insert <DOMAIN> ldap_token v1 <TOKEN>`
+- Update deployment -> Outpost should be up and running
+
 ## Import User from CSV
 
 Users can be imported from a CSV file of the following format:
@@ -87,6 +105,25 @@ Run this command after every deploy/upgrade:
 
 `abra app command --local <app-name> customize <assets_path>`
 
+## Custom CSS
+
+Uncomment the following env:
+
+```
+COMPOSE_FILE="$COMPOSE_FILE:compose.css-volume.yml"
+```
+
+Redeploy the app:
+```
+abra app deploy -f <app_name>
+```
+
+Copy the CSS and restart the container:
+```
+abra app cp <app_name> my_custom.css app:/web/dist/assets/custom.css
+abra app restart <app_name> app
+```
+
 ## Email templates
 
 Add custom [email templates](https://goauthentik.io/docs/flow/stages/email/#custom-templates):
@@ -97,15 +134,15 @@ Add custom [email templates](https://goauthentik.io/docs/flow/stages/email/#cust
 
 These blueprints overwrite default blueprint values:
 
-- flow_translation.yaml
-- flow_authentication.yaml
+- `flow_translation.yaml`
+- `flow_authentication.yaml`
 
 The following default blueprints will be overwritten by customizations:
 
-- flow-password-change.yaml
-- flow-default-authentication-flow.yaml
-- flow-default-user-settings-flow.yaml
-- flow-default-source-enrollment.yaml
+- `flow-password-change.yaml`
+- `flow-default-authentication-flow.yaml`
+- `flow-default-user-settings-flow.yaml`
+- `flow-default-source-enrollment.yaml`
 
 The `abra.sh` function `apply_blueprints` needs to be executed to deactivate these blueprints to ensure that the customizations won't be overwritten. It will further execute flow_translation.yaml and flow_authentication.yaml again.
 
@@ -167,9 +204,9 @@ The `abra.sh` function `apply_blueprints` needs to be executed to deactivate the
     - Default - Source enrollment flow
         - OVERWRITE:
             - `default-source-enrollment-field-username`
-- Custom System Tenant
-    - Default - Tenant
-        - APPEND: `authentik_tenants.tenant  domain: authentik-default`
+- Custom System Brand
+    - Default - Brand
+        - APPEND: `authentik_brands.brand  domain: authentik-default`
     - Recovery with email verification
         - USE:
             - `default-recovery-flow`
@@ -177,8 +214,8 @@ The `abra.sh` function `apply_blueprints` needs to be executed to deactivate the
 
 ### Blueprint Dependency Execution Order
 
-5. Custom System Tenant
-    - Default - Tenant
+5. Custom System Brand
+    - Default - Brand
     1. Recovery with email verification
         - Default - Authentication flow
             - Default - Password change flow

abra.sh

@@ -1,16 +1,24 @@
 export CUSTOM_CSS_VERSION=v3
-export FLOW_AUTHENTICATION_VERSION=v3
-export FLOW_INVITATION_VERSION=v1
+export FLOW_AUTHENTICATION_VERSION=v4
+export FLOW_INVITATION_VERSION=v2
 export FLOW_INVALIDATION_VERSION=v2
 export FLOW_RECOVERY_VERSION=v1
-export FLOW_TRANSLATION_VERSION=v2
-export SYSTEM_TENANT_VERSION=v2
-export NEXTCLOUD_CONFIG_VERSION=v1
-export WORDPRESS_CONFIG_VERSION=v2
-export MATRIX_CONFIG_VERSION=v1
-export WEKAN_CONFIG_VERSION=v3
-export VIKUNJA_CONFIG_VERSION=v1
-export MONITORING_CONFIG_VERSION=v1
+export FLOW_TRANSLATION_VERSION=v3
+export SYSTEM_BRAND_VERSION=v4
+export NEXTCLOUD_CONFIG_VERSION=v3
+export WORDPRESS_CONFIG_VERSION=v4
+export MATRIX_CONFIG_VERSION=v3
+export WEKAN_CONFIG_VERSION=v5
+export VIKUNJA_CONFIG_VERSION=v3
+export OUTLINE_CONFIG_VERSION=v4
+export KIMAI_CONFIG_VERSION=v3
+export ZAMMAD_CONFIG_VERSION=v4
+export RALLLY_CONFIG_VERSION=v4
+export HEDGEDOC_CONFIG_VERSION=v3
+export MONITORING_CONFIG_VERSION=v4
+export DB_ENTRYPOINT_VERSION=v1
+export PG_BACKUP_VERSION=v2
+export ENTRYPOINT_CSS_VERSION=v1
 
 customize() {
     if [ -z "$1" ]
@@ -27,6 +35,15 @@ customize() {
     done
 }
 
+shell(){
+    if [ -z "$1" ]
+    then
+            echo "Usage: ... shell <python code>"
+            exit 1
+    fi
+    ak shell -c "$1" 2>&1 | quieten
+}
+
 import_user() {
     if [ -z "$1" ]
     then
@@ -51,15 +68,19 @@ with open('/tmp/$1', newline='') as file:
     email = row[2].strip()
     groups = row[3].split(';')
     if User.objects.filter(username=username):
+        print(f'{username} already exists')
         continue
     new_user = User.objects.create(name=name, username=username, email=email)
+    print(f'{username} created')
     for group_name in groups:
         group_name = group_name.strip()
         if Group.objects.filter(name=group_name):
             group = Group.objects.get(name=group_name)
         else:
             group = Group.objects.create(name=group_name)
+            print(f'{group_name} created')
         group.users.add(new_user)
+        print(f'add {username} to group {group_name}')
 """ 2>&1 | quieten
 }
 
@@ -67,6 +88,16 @@ set_admin_pass() {
 password=$(cat /run/secrets/admin_pass)
 token=$(cat /run/secrets/admin_token)
 /manage.py shell -c """
+import time
+i = 0
+while (not User.objects.filter(username='akadmin')):
+    print('Waiting for akadmin to be created...')
+    time.sleep(10)
+    i += 1
+    if i > 6:
+        print('Failed to find admin user!')
+        exit()
+
 akadmin = User.objects.get(username='akadmin')
 akadmin.set_password('$password')
 akadmin.save()
@@ -147,11 +178,13 @@ print(f'{blueprint.name} enabled: {blueprint.enabled}')
 }
 
 add_applications(){
+export APPLICATIONS
 /manage.py shell -c """
 import json
-if '$APPLICATIONS' == '':
+import os
+if os.environ['APPLICATIONS'] == '':
     exit()
-applications = json.loads('$APPLICATIONS')
+applications = json.loads(os.environ['APPLICATIONS'])
 for name, url in applications.items():
     print(f'Add {name}: {url}')
     app = Application.objects.filter(name=name).first()
@@ -167,7 +200,9 @@ for name, url in applications.items():
 
 
 quieten(){
-    grep -v -e '{"event"' -e '{"action"'
+    # 'SyntaxWarning|version_regex|"http\['
+    # is a workaround to get rid of some verbose syntax warnings, this might be fixed with another version
+    grep -Pv '"level": "(info|debug)"|SyntaxWarning|version_regex|"http\[|RuntimeWarning:'
 }
 
 add_email_templates(){
@@ -178,6 +213,10 @@ done
 }
 
 set_icons(){
+if [ -n "$1" ]
+then
+APP_ICONS="$1"
+fi
 for icon in $APP_ICONS; do
     app=$(echo $icon | cut -d ":" -f1)
     file_path=$(eval echo $(echo $icon | cut -d ":" -f2))
@@ -188,6 +227,22 @@ for icon in $APP_ICONS; do
 done
 }
 
+set_extra_icons(){
+    if [ -z "$EXTRA_ICONS" ]
+    then
+        echo "Variable EXTRA_ICONS is not set"
+        exit 1
+    fi
+    export EXTRA_ICONS
+    icon_key_values=$(python3 -c "
+import json
+import os
+for key, value in json.loads(os.environ['EXTRA_ICONS']).items():
+    print(f'{key}:{value}')
+")
+    set_icons "$icon_key_values"
+}
+
 set_app_icon() {
 TOKEN=$(cat /run/secrets/admin_token)
 python -c """
@@ -214,7 +269,26 @@ delete_flows = ['default-recovery-flow' , 'custom-authentication-flow' , 'invita
 Flow.objects.filter(slug__in=delete_flows).delete()
 Stage.objects.filter(flow=None).delete()
 Prompt.objects.filter(promptstage=None).delete()
-Tenant.objects.filter(default=True).delete()
+Brand.objects.filter(default=True).delete()
 """ 2>&1 | quieten
 apply_blueprints
 }
+
+get_certificate() {
+/manage.py shell -c """
+provider_name='$1'
+if not provider_name:
+    print('no Provider Name given')
+    exit(1)
+provider = Provider.objects.filter(name=provider_name).first()
+saml = provider.samlprovider
+cert = saml.signing_kp
+print(''.join(cert.certificate_data.splitlines()[1:-1]))
+""" 2>&1 | quieten
+}
+
+get_user_uid() {
+/manage.py shell -c """
+print(User.objects.filter(username='$1').first().uid)
+""" 2>&1 | quieten
+}

alaconnect.yml

@@ -0,0 +1,89 @@
+nextcloud:
+    uncomment:
+        - compose.nextcloud.yml
+        - NEXTCLOUD_DOMAIN
+        - SECRET_NEXTCLOUD_ID_VERSION
+        - SECRET_NEXTCLOUD_SECRET_VERSION
+        - nextcloud.png
+wordpress:
+    uncomment:
+        - compose.wordpress.yml
+        - WORDPRESS_DOMAIN
+        - WORDPRESS_GROUP
+        - SECRET_WORDPRESS_ID_VERSION
+        - SECRET_WORDPRESS_SECRET_VERSION
+        - wordpress.png
+matrix-synapse:
+    uncomment:
+        - compose.matrix.yml
+        - ELEMENT_DOMAIN
+        - MATRIX_DOMAIN
+        - SECRET_MATRIX_ID_VERSION
+        - SECRET_MATRIX_SECRET_VERSION
+        - matrix.svg
+    secrets:
+        matrix_id: matrix
+wekan:
+    uncomment:
+        - compose.wekan.yml
+        - WEKAN_DOMAIN
+        - SECRET_WEKAN_ID_VERSION
+        - SECRET_WEKAN_SECRET_VERSION
+        - wekan.png
+    secrets:
+        wekan_id: wekan
+vikunja:
+    uncomment:
+        - compose.vikunja.yml
+        - VIKUNJA_DOMAIN
+        - SECRET_VIKUNJA_ID_VERSION
+        - SECRET_VIKUNJA_SECRET_VERSION
+        - vikunja.svg
+    secrets:
+        vikunja_id: vikunja
+kimai:
+    uncomment:
+        - compose.kimai.yml
+        - KIMAI_DOMAIN
+        - SECRET_KIMAI_ID_VERSION
+        - SECRET_KIMAI_SECRET_VERSION
+        - kimai_logo.png
+zammad:
+    uncomment:
+        - compose.zammad.yml
+        - ZAMMAD_DOMAIN
+        - zammad.svg
+monitoring-ng:
+    uncomment:
+        - compose.monitoring.yml
+        - MONITORING_DOMAIN
+        - SECRET_MONITORING_ID_VERSION
+        - SECRET_MONITORING_SECRET_VERSION
+        - monitoring.png
+outline:
+    uncomment:
+        - compose.outline.yml
+        - OUTLINE_DOMAIN
+        - SECRET_OUTLINE_ID_VERSION
+        - SECRET_OUTLINE_SECRET_VERSION
+        - outline.png
+    secrets:
+        outline_id: outline
+rallly:
+    uncomment:  
+        - compose.rallly.yml
+        - RALLLY_DOMAIN
+        - SECRET_RALLLY_ID_VERSION
+        - SECRET_RALLLY_SECRET_VERSION
+        - rallly.png
+    secrets:
+        rallly_id: rallly
+hedgedoc:
+    uncomment:  
+        - compose.hedgedoc.yml
+        - HEDGEDOC_DOMAIN
+        - SECRET_HEDGEDOC_ID_VERSION
+        - SECRET_HEDGEDOC_SECRET_VERSION
+        - hedgedoc.png
+    secrets:
+        hedgedoc_id: hedgedoc

compose.css-volume.yml

@@ -0,0 +1,16 @@
+---
+version: "3.8"
+
+services:
+  app:
+    user: root
+    entrypoint: /docker-entrypoint.sh
+    configs:
+      - source: entrypoint_css
+        target: /docker-entrypoint.sh
+        mode: 0555
+
+configs:
+  entrypoint_css:
+    name: ${STACK_NAME}_entrypoint_css_${ENTRYPOINT_CSS_VERSION}
+    file: entrypoint-css-volume.sh

compose.css.yml

@@ -0,0 +1,14 @@
+---
+version: '3.8'
+
+services:
+  app:
+    configs: 
+      - source: custom_css
+        target: /web/dist/custom.css
+
+configs:
+  custom_css:
+    name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
+    file: custom.css.tmpl
+    template_driver: golang

compose.hedgedoc.yml

@@ -0,0 +1,26 @@
+version: "3.8"
+services:
+  worker:
+    secrets:
+      - hedgedoc_id
+      - hedgedoc_secret
+    environment:
+      - HEDGEDOC_DOMAIN
+    configs:
+      - source: hedgedoc
+        target: /blueprints/hedgedoc.yaml
+
+secrets:
+  hedgedoc_id:
+    external: true
+    name: ${STACK_NAME}_hedgedoc_id_${SECRET_HEDGEDOC_ID_VERSION}
+  hedgedoc_secret:
+    external: true
+    name: ${STACK_NAME}_hedgedoc_secret_${SECRET_HEDGEDOC_SECRET_VERSION}
+
+
+configs:
+  hedgedoc:
+    name: ${STACK_NAME}_hedgedoc_${HEDGEDOC_CONFIG_VERSION}
+    file: hedgedoc.yaml.tmpl
+    template_driver: golang

compose.kimai.yml

@@ -0,0 +1,14 @@
+version: "3.8"
+services:
+  worker:
+    environment:
+      - KIMAI_DOMAIN
+    configs:
+      - source: kimai
+        target: /blueprints/kimai.yaml
+
+configs:
+  kimai:
+    name: ${STACK_NAME}_kimai_${KIMAI_CONFIG_VERSION}
+    file: kimai.yaml.tmpl
+    template_driver: golang

compose.matrix.yml

@@ -1,11 +1,18 @@
 version: "3.8"
 services:
+  app:
+    deploy:
+      labels:
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect-matrix-well-known"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.regex=^https://(.*)/.well-known/matrix/(.*)"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.replacement=https://${MATRIX_DOMAIN}/.well-known/matrix/$$2"
   worker:
     secrets:
       - matrix_id
       - matrix_secret
     environment:
       - ELEMENT_DOMAIN
+      - MATRIX_DOMAIN
     configs:
       - source: matrix
         target: /blueprints/matrix.yaml

compose.outline.yml

@@ -0,0 +1,26 @@
+version: "3.8"
+services:
+  worker:
+    secrets:
+      - outline_id
+      - outline_secret
+    environment:
+      - OUTLINE_DOMAIN
+    configs:
+      - source: outline
+        target: /blueprints/outline.yaml
+
+secrets:
+  outline_id:
+    external: true
+    name: ${STACK_NAME}_outline_id_${SECRET_OUTLINE_ID_VERSION}
+  outline_secret:
+    external: true
+    name: ${STACK_NAME}_outline_secret_${SECRET_OUTLINE_SECRET_VERSION}
+
+
+configs:
+  outline:
+    name: ${STACK_NAME}_outline_${OUTLINE_CONFIG_VERSION}
+    file: outline.yaml.tmpl
+    template_driver: golang

compose.outposts.ldap.yml

@@ -0,0 +1,23 @@
+version: "3.8"
+services:
+  authentik_ldap:
+      image: ghcr.io/goauthentik/ldap:2025.6.1
+      # Optionally specify which networks the container should be
+      # might be needed to reach the core authentik server
+      networks:
+        - internal
+        - proxy
+      ports:
+        - 389:3389
+        - 636:6636
+      secrets:
+        - ldap_token
+      environment:
+        - AUTHENTIK_HOST=https://${DOMAIN}
+        - AUTHENTIK_INSECURE=true
+        - AUTHENTIK_TOKEN=file:///run/secrets/ldap_token
+
+secrets:
+  ldap_token:
+    external: true
+    name: ${STACK_NAME}_ldap_token_${SECRET_LDAP_TOKEN_VERSION}

compose.rallly.yml

@@ -0,0 +1,26 @@
+version: "3.8"
+services:
+  worker:
+    secrets:
+      - rallly_id
+      - rallly_secret
+    environment:
+      - RALLLY_DOMAIN
+    configs:
+      - source: rallly
+        target: /blueprints/rallly.yaml
+
+secrets:
+  rallly_id:
+    external: true
+    name: ${STACK_NAME}_rallly_id_${SECRET_RALLLY_ID_VERSION}
+  rallly_secret:
+    external: true
+    name: ${STACK_NAME}_rallly_secret_${SECRET_RALLLY_SECRET_VERSION}
+
+
+configs:
+  rallly:
+    name: ${STACK_NAME}_rallly_${RALLLY_CONFIG_VERSION}
+    file: rallly.yaml.tmpl
+    template_driver: golang

compose.yml

@@ -17,17 +17,11 @@ x-env: &env
     - AUTHENTIK_EMAIL__TIMEOUT
     - AUTHENTIK_EMAIL__FROM
     - AUTHENTIK_LOG_LEVEL
-    - AUTHENTIK_SETTINGS__THEME__BACKGROUND
-    - AUTHENTIK_COLOR_FOREGROUND=${AUTHENTIK_COLOR_FOREGROUND:-fafafa}
-    - AUTHENTIK_COLOR_FOREGROUND_DARKER=${AUTHENTIK_COLOR_FOREGROUND_DARKER:-bebebe}
-    - AUTHENTIK_COLOR_FOREGROUND_LINK=${AUTHENTIK_COLOR_FOREGROUND_LINK:-5a5cb9}
-    - AUTHENTIK_COLOR_BACKGROUND=${AUTHENTIK_COLOR_BACKGROUND:-18191a}
-    - AUTHENTIK_COLOR_BACKGROUND_DARKER=${AUTHENTIK_COLOR_BACKGROUND_DARKER:-000000}
-    - AUTHENTIK_COLOR_BACKGROUND_LIGHT=${AUTHENTIK_COLOR_BACKGROUND_LIGHT:-1c1e21}
-    - AUTHENTIK_COLOR_BACKGROUND_LIGHTISH=${AUTHENTIK_COLOR_BACKGROUND_LIGHTISH:-212427}
-    - AUTHENTIK_COLOR_BACKGROUND_LIGHTER=${AUTHENTIK_COLOR_BACKGROUND_LIGHTER:-2b2e33}
+    - BACKGROUND_FONT_COLOR=${BACKGROUND_FONT_COLOR:-white}
+    - BACKGROUND_BOX_COLOR=${BACKGROUND_BOX_COLOR:-#eaeaeacf}
     - AUTHENTIK_FOOTER_LINKS
     - AUTHENTIK_IMPERSONATION
+    - AUTHENTIK_BOOTSTRAP_EMAIL
     - WELCOME_MESSAGE
     - DEFAULT_LANGUAGE
     - EMAIL_SUBJECT
@@ -35,12 +29,16 @@ x-env: &env
     - DOMAIN
     - LOGOUT_REDIRECT
     - APPLICATIONS
+    - THEME_BACKGROUND
 
 version: '3.8'
 services:
   app:
-    image: ghcr.io/goauthentik/server:2023.6.1
+    image: ghcr.io/goauthentik/server:2025.6.1
     command: server
+    depends_on:
+      - db
+      - redis
     secrets:
       - db_password
       - admin_pass
@@ -51,23 +49,17 @@ services:
       - media:/media
       - assets:/web/dist/assets
       - templates:/templates
-    configs:
-      - source: custom_css
-        target: /web/dist/custom.css
     networks:
       - internal
       - proxy
     healthcheck:
-      test: "bash -c 'printf \"GET / HTTP/1.1\n\n\" > /dev/tcp/127.0.0.1/9000; exit $$?;'"
+      test: "ak healthcheck"
       interval: 30s
-      timeout: 10s
+      timeout: 30s
       retries: 10
       start_period: 5m
     environment: *env
     deploy:
-      update_config:
-        failure_action: rollback
-        order: start-first
       labels:
         - "traefik.enable=true"
         - "traefik.docker.network=proxy"
@@ -80,12 +72,15 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=3.2.4+2023.6.1"
+        - "coop-cloud.${STACK_NAME}.version=7.3.1+2025.6.1"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
 
   worker:
-    image: ghcr.io/goauthentik/server:2023.6.1
+    image: ghcr.io/goauthentik/server:2025.6.1
     command: worker
+    depends_on:
+      - db
+      - redis
     secrets:
       - db_password
       - admin_pass
@@ -96,10 +91,10 @@ services:
       - internal
       - proxy
     volumes:
-      - backups:/backups
       - media:/media
       - /dev/null:/blueprints/default/flow-oobe.yaml
       - templates:/templates
+      - certs:/certs
     configs:
       - source: flow_recovery
         target: /blueprints/1_flow_recovery.yaml
@@ -109,16 +104,31 @@ services:
         target: /blueprints/3_flow_translation.yaml
       - source: flow_invitation
         target: /blueprints/4_flow_invitation.yaml
-      - source: system_tenant
-        target: /blueprints/5_system_tenant.yaml
+      - source: system_brand
+        target: /blueprints/5_system_brand.yaml
       - source: flow_invalidation
         target: /blueprints/6_flow_invalidation.yaml
     environment: *env
+    healthcheck:
+      test: "ak healthcheck"
+      interval: 30s
+      timeout: 30s
+      retries: 10
+      start_period: 5m
 
   db:
-    image: postgres:12.15-alpine
+    image: postgres:15.13
     secrets:
       - db_password
+    configs:
+      - source: db_entrypoint
+        target: /docker-entrypoint.sh
+        mode: 0555
+      - source: pg_backup
+        target: /pg_backup.sh
+        mode: 0555
+    entrypoint:
+      /docker-entrypoint.sh
     volumes:
       - database:/var/lib/postgresql/data
     networks:
@@ -135,21 +145,25 @@ services:
       - POSTGRES_DB=authentik
     deploy:
       labels:
-          backupbot.backup: "true"
-          backupbot.backup.pre-hook: "PGPASSWORD=$$(cat /run/secrets/db_password) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
-          backupbot.backup.post-hook: "rm -rf /var/lib/postgresql/data/backup.sql"
-          backupbot.backup.path: "/var/lib/postgresql/data"
+          backupbot.backup: "${ENABLE_BACKUPS:-true}"
+          backupbot.backup.pre-hook: "/pg_backup.sh backup"
+          backupbot.backup.volumes.database.path: "backup.sql"
+          backupbot.backup.volumes.redis: "false"
+          backupbot.restore.post-hook: '/pg_backup.sh restore'
 
   redis:
-    image:  redis:7.0.12-alpine
+    image:  redis:8.0.2-alpine
+    command: --save 60 1 --loglevel warning
     networks:
       - internal
     healthcheck:
-      test: ["CMD", "redis-cli","ping"]
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
       interval: 30s
       timeout: 10s
       retries: 10
       start_period: 1m
+    volumes:
+        - redis:/data
 
 secrets:
   db_password:
@@ -174,17 +188,14 @@ networks:
   internal:
 
 volumes:
-  backups:
   media:
+  certs:
+  redis:
   templates:
   assets:
   database:
 
 configs:
-  custom_css:
-    name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
-    file: custom.css.tmpl
-    template_driver: golang
   flow_authentication:
     name: ${STACK_NAME}_flow_authentication_${FLOW_AUTHENTICATION_VERSION}
     file: flow_authentication.yaml.tmpl
@@ -205,7 +216,14 @@ configs:
     name: ${STACK_NAME}_flow_translation_${FLOW_TRANSLATION_VERSION}
     file: flow_translation.yaml.tmpl
     template_driver: golang
-  system_tenant:
-    name: ${STACK_NAME}_system_tenant_${SYSTEM_TENANT_VERSION}
-    file: system_tenant.yaml.tmpl
+  system_brand:
+    name: ${STACK_NAME}_system_brand_${SYSTEM_BRAND_VERSION}
+    file: system_brand.yaml.tmpl
     template_driver: golang
+  db_entrypoint:
+    name: ${STACK_NAME}_db_entrypoint_${DB_ENTRYPOINT_VERSION}
+    file: entrypoint.postgres.sh.tmpl
+    template_driver: golang
+  pg_backup:
+    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
+    file: pg_backup.sh

compose.zammad.yml

@@ -0,0 +1,14 @@
+version: "3.8"
+services:
+  worker:
+    environment:
+      - ZAMMAD_DOMAIN
+    configs:
+      - source: zammad
+        target: /blueprints/zammad.yaml
+
+configs:
+  zammad:
+    name: ${STACK_NAME}_zammad_${ZAMMAD_CONFIG_VERSION}
+    file: zammad.yaml.tmpl
+    template_driver: golang

custom.css.tmpl

@@ -1,24 +1,13 @@
 /* my custom css */
 
-
 :root {
-    --ak-accent: #fd4b2d;
-
-    --ak-dark-foreground: #{{ env "AUTHENTIK_COLOR_FOREGROUND" }};
-    --ak-dark-foreground-darker: #{{ env "AUTHENTIK_COLOR_FOREGROUND_DARKER" }};
-    --ak-dark-foreground-link: #{{ env "AUTHENTIK_COLOR_FOREGROUND_LINK" }};
-    --ak-dark-background: #{{ env "AUTHENTIK_COLOR_BACKGROUND" }};
-    --ak-dark-background-darker: #{{ env "AUTHENTIK_COLOR_BACKGROUND_DARKER" }};
-
-
-    --ak-dark-background-light: #{{ env "AUTHENTIK_COLOR_BACKGROUND_LIGHT" }};
-    --ak-dark-background-light-ish: #{{ env "AUTHENTIK_COLOR_BACKGROUND_LIGHTISH" }};
-    --ak-dark-background-lighter: #{{ env "AUTHENTIK_COLOR_BACKGROUND_LIGHTER" }};
-
-    --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
-    --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
-    --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
-    --pf-c-background-image--BackgroundImage--sm-2x: var(--ak-flow-background);
-    --pf-c-background-image--BackgroundImage--lg: var(--ak-flow-background);
+        --pf-global--BackgroundColor--100: {{ env "BACKGROUND_BOX_COLOR" }} !important;
 }
 
+.pf-c-login__main {
+        background-color: {{ env "BACKGROUND_BOX_COLOR" }};
+}
+
+.pf-c-content h1 {
+        color: {{ env "BACKGROUND_FONT_COLOR" }};
+}

custom_flows.yaml.tmpl

@@ -1,405 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: Custom - Flows
-context:
-  welcome_message: {{ if eq (env "WELCOME_MESSAGE") "" }} "Welcome to authentik!" {{ else }} {{ env "WELCOME_MESSAGE" }} {{ end }}
-####### Translations ########
-  transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort Zurücksetzen" {{ else }} "Reset your password" {{ end }}
-  transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort" {{ else }} "Password" {{ end }}
-  transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort (wiederholen)" {{ else }} "Password (repeat)" {{ end }}
-  transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Benutzername" {{ else }} "Username" {{ end }}
-  transl_name: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Vor- und Nachname" {{ else }} "Full name" {{ end }}
-
-entries:
-######## Email Recovery Flow ########
-- identifiers:
-    slug: default-recovery-flow
-  id: recovery_flow
-  model: authentik_flows.flow
-  attrs:
-    name: Default recovery flow
-    title: !Context transl_recovery
-    designation: recovery
-
-### PROMPTS
-- identifiers:
-    field_key: password
-  id: prompt-field-password
-  model: authentik_stages_prompt.prompt
-  attrs:
-    label: !Context transl_password
-    type: password
-    required: true
-    placeholder: !Context transl_password
-    order: 30
-    placeholder_expression: false
-- identifiers:
-    field_key: password_repeat
-  id: prompt-field-password-repeat
-  model: authentik_stages_prompt.prompt
-  attrs:
-    label: !Context transl_password_repeat
-    type: password
-    required: true
-    placeholder: !Context transl_password_repeat
-    order: 31
-    placeholder_expression: false
-
-
-### STAGES
-- identifiers:
-    name: default-recovery-email
-  id: default-recovery-email
-  model: authentik_stages_email.emailstage
-  attrs:
-    use_global_settings: true
-    token_expiry: {{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }} 30 {{ else }} {{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }} {{ end }}
-    subject: {{ if eq (env "EMAIL_SUBJECT") "" }} "Account Recovery" {{ else }} "{{ env "EMAIL_SUBJECT" }}" {{ end }} 
-    template: email/password_reset.html
-    activate_user_on_success: true
-- identifiers:
-    name: default-recovery-user-write
-  id: default-recovery-user-write
-  model: authentik_stages_user_write.userwritestage
-- identifiers:
-    name: default-recovery-identification
-  id: default-recovery-identification
-  model: authentik_stages_identification.identificationstage
-  attrs:
-    user_fields:
-      - email
-      - username
-- identifiers:
-    name: default-recovery-user-login
-  id: default-recovery-user-login
-  model: authentik_stages_user_login.userloginstage
-  attrs:
-    session_duration: seconds=0
-- identifiers:
-    name: Change your password
-  id: stage-prompt-password
-  model: authentik_stages_prompt.promptstage
-  attrs:
-    fields:
-      - !KeyOf prompt-field-password
-      - !KeyOf prompt-field-password-repeat
-    validation_policies: []
-
-### STAGE BINDINGS
-- identifiers:
-    target: !KeyOf recovery_flow
-    stage: !KeyOf default-recovery-identification
-    order: 10
-  model: authentik_flows.flowstagebinding
-  id: flow-binding-identification
-  attrs:
-    evaluate_on_plan: true
-    re_evaluate_policies: true
-    policy_engine_mode: any
-    invalid_response_action: retry
-- identifiers:
-    target: !KeyOf recovery_flow
-    stage: !KeyOf default-recovery-email
-    order: 20
-  model: authentik_flows.flowstagebinding
-  id: flow-binding-email
-  attrs:
-    evaluate_on_plan: true
-    re_evaluate_policies: true
-    policy_engine_mode: any
-    invalid_response_action: retry
-- identifiers:
-    target: !KeyOf recovery_flow
-    stage: !KeyOf stage-prompt-password
-    order: 30
-  model: authentik_flows.flowstagebinding
-  attrs:
-    evaluate_on_plan: true
-    re_evaluate_policies: false
-    policy_engine_mode: any
-    invalid_response_action: retry
-- identifiers:
-    target: !KeyOf recovery_flow
-    stage: !KeyOf default-recovery-user-write
-    order: 40
-  model: authentik_flows.flowstagebinding
-  attrs:
-    evaluate_on_plan: true
-    re_evaluate_policies: false
-    policy_engine_mode: any
-    invalid_response_action: retry
-- identifiers:
-    target: !KeyOf recovery_flow
-    stage: !KeyOf default-recovery-user-login
-    order: 100
-  model: authentik_flows.flowstagebinding
-  attrs:
-    evaluate_on_plan: true
-    re_evaluate_policies: false
-    policy_engine_mode: any
-    invalid_response_action: retry
-
-### POLICIES
-## ISSUES with this policy
-## https://github.com/goauthentik/authentik/blob/493cdd5c0f8caaec7a7dd474f1aa131e32fd39c3/blueprints/example/flows-recovery-email-verification.yaml#L37
-## https://github.com/goauthentik/authentik/commit/317e9ec6053742e17ba74fb6aa38dc15aaf6657f#diff-a5c56bb7c60e27dda1b131b3fc2a17e3af6624e7cfaaa2337ec6b077ca489f34
-# - identifiers:
-#     name: default-recovery-skip-if-restored
-#   id: default-recovery-skip-if-restored
-#   model: authentik_policies_expression.expressionpolicy
-#   attrs:
-#     expression: |
-#       return request.context.get('is_restored', False)
-
-### POLICY BINDINGS
-# - identifiers:
-#     policy: !KeyOf default-recovery-skip-if-restored
-#     target: !KeyOf flow-binding-identification
-#     order: 0
-#   model: authentik_policies.policybinding
-#   attrs:
-#     negate: false
-#     enabled: true
-#     timeout: 30
-# - identifiers:
-#     policy: !KeyOf default-recovery-skip-if-restored
-#     target: !KeyOf flow-binding-email
-#     order: 0
-#   model: authentik_policies.policybinding
-#   attrs:
-#     negate: false
-#     enabled: true
-#     timeout: 30
-
-
-
-######## Authentication Flow ########
-- attrs:
-    designation: authentication
-    name: custom-authentication-flow
-    title: !Context welcome_message
-  identifiers:
-    slug: custom-authentication-flow
-  id: authentication_flow
-  model: authentik_flows.flow
-
-### STAGES
-- attrs:
-    backends:
-    - authentik.core.auth.InbuiltBackend
-    - authentik.sources.ldap.auth.LDAPBackend
-    - authentik.core.auth.TokenBackend
-    configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]
-  identifiers:
-    name: custom-authentication-password
-  id: custom-authentication-password
-  model: authentik_stages_password.passwordstage
-
-- identifiers:
-    name: custom-authentication-mfa-validation
-  id: custom-authentication-mfa-validation
-  model: authentik_stages_authenticator_validate.authenticatorvalidatestage
-
-- attrs:
-    password_stage: !KeyOf custom-authentication-password
-    recovery_flow: !KeyOf recovery_flow  # !Find [authentik_flows.flow, [slug, default-recovery-flow]]
-    user_fields:
-    - email
-    - username
-  identifiers:
-    name: custom-authentication-identification
-  id: custom-authentication-identification
-  model: authentik_stages_identification.identificationstage
-
-- attrs:
-    session_duration: seconds=0
-  identifiers:
-    name: custom-authentication-login
-  id: custom-authentication-login
-  model: authentik_stages_user_login.userloginstage
-
-### STAGE BINDINGS
-- identifiers:
-    order: 10
-    stage: !KeyOf custom-authentication-identification
-    target: !KeyOf authentication_flow
-  model: authentik_flows.flowstagebinding
-- identifiers:
-    order: 30
-    stage: !KeyOf custom-authentication-mfa-validation
-    target: !KeyOf authentication_flow
-  model: authentik_flows.flowstagebinding
-- identifiers:
-    order: 100
-    stage: !KeyOf custom-authentication-login
-    target: !KeyOf authentication_flow
-  model: authentik_flows.flowstagebinding
-
-######## Invitation Enrollment Flow ########
-- attrs:
-    designation: enrollment
-    name: invitation-enrollment-flow
-    title: !Context welcome_message
-  identifiers:
-    slug: invitation-enrollment-flow
-  id: invitation-enrollment-flow
-  model: authentik_flows.flow
-
-### PROMPTS
-- identifiers:
-    field_key: username
-  id: prompt-field-username
-  model: authentik_stages_prompt.prompt
-  attrs:
-    label: !Context transl_username
-    type: username
-    required: true
-    placeholder: !Context transl_username
-    order: 0
-    placeholder_expression: false
-- identifiers:
-    field_key: name
-  id: prompt-field-name
-  model: authentik_stages_prompt.prompt
-  attrs:
-    label: !Context transl_name
-    type: text
-    required: true
-    placeholder: !Context transl_name
-    order: 1
-    placeholder_expression: false
-- identifiers:
-    field_key: email
-    label: Email
-  id: prompt-field-email
-  model: authentik_stages_prompt.prompt
-  attrs:
-    type: email
-    required: true
-    placeholder: muster@example.com
-    order: 2
-    placeholder_expression: false
-
-### STAGES
-
-- id: invitation-stage
-  identifiers:
-    name: invitation-stage
-  model: authentik_stages_invitation.invitationstage
-
-- attrs:
-    fields:
-      - !KeyOf prompt-field-username
-      - !KeyOf prompt-field-name
-      - !KeyOf prompt-field-email
-      - !KeyOf prompt-field-password
-      - !KeyOf prompt-field-password-repeat
-  id: enrollment-prompt-userdata
-  identifiers:
-    name: enrollment-prompt-userdata
-  model: authentik_stages_prompt.promptstage
-
-- id: enrollment-user-write
-  identifiers:
-    name: enrollment-user-write
-  model: authentik_stages_user_write.userwritestage
-
-- attrs:
-    session_duration: seconds=0
-  id: enrollment-user-login
-  identifiers:
-    name: enrollment-user-login
-  model: authentik_stages_user_login.userloginstage
-
-### STAGE BINDINGS
-- identifiers:
-    order: 1
-    stage: !KeyOf invitation-stage
-    target: !KeyOf invitation-enrollment-flow
-  model: authentik_flows.flowstagebinding
-- identifiers:
-    order: 10
-    stage: !KeyOf enrollment-prompt-userdata
-    target: !KeyOf invitation-enrollment-flow
-  model: authentik_flows.flowstagebinding
-- identifiers:
-    order: 20
-    stage: !KeyOf enrollment-user-write
-    target: !KeyOf invitation-enrollment-flow
-  model: authentik_flows.flowstagebinding
-- identifiers:
-    order: 100
-    stage: !KeyOf enrollment-user-login
-    target: !KeyOf invitation-enrollment-flow
-  model: authentik_flows.flowstagebinding
-
-######## Invalidation Flow ########
-- identifiers:
-    slug: logout-flow
-  id: logout-flow
-  model: authentik_flows.flow
-  attrs:
-    name: Logout
-    title: Logout Flow
-    designation: invalidation
-
-### STAGES
-
-- id: logout-stage
-  identifiers:
-    name: logout-stage
-  model: authentik_stages_user_logout.userlogoutstage
-
-### STAGE BINDINGS
-
-- identifiers:
-    order: 0
-    stage: !KeyOf logout-stage
-    target: !KeyOf logout-flow
-  model: authentik_flows.flowstagebinding
-  attrs:
-    re_evaluate_policies: true
-  id: logout-stage-binding
-
-### POLICIES
-- attrs:
-    execution_logging: true
-    expression: 'context[''flow_plan''].context[''redirect''] = ''{{ env "LOGOUT_REDIRECT" }}''
-
-    return True'
-  identifiers:
-    name: redirect-policy
-  id: redirect-policy
-  model: authentik_policies_expression.expressionpolicy
-
-### POLICY BINDINGS
-- identifiers:
-    policy: !KeyOf redirect-policy
-    target: !KeyOf logout-stage-binding
-    order: 0
-  model: authentik_policies.policybinding
-  attrs:
-    enabled: {{ if eq (env "LOGOUT_REDIRECT") "" }} false {{ else }} true {{ end }}
-    timeout: 30
-
-######## System Tenant ##########
-- attrs:
-    attributes:
-      settings:
-        locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }}
-    # branding_favicon: /static/dist/assets/icons/icon.png
-    # branding_logo: /static/dist/assets/icons/icon_left_brand.svg
-    # branding_title: Authentik
-    # default: true
-    domain: {{ env "DOMAIN" }}
-    # event_retention: days=365
-    flow_authentication: !KeyOf authentication_flow
-    flow_recovery: !KeyOf recovery_flow
-    flow_invalidation: !KeyOf logout-flow
-    flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
-  identifiers:
-    pk: 047cce25-aae2-4b02-9f96-078e155f803d
-  id: system_tenant
-  model: authentik_tenants.tenant

entrypoint-css-volume.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+cp -f /web/dist/assets/custom.css /web/dist/custom.css
+
+su $(id -un 1000) -s /bin/bash -c 'dumb-init -- ak server'

entrypoint.postgres.sh.tmpl

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+set -e
+
+MIGRATION_MARKER=$PGDATA/migration_in_progress
+OLDDATA=$PGDATA/old_data
+NEWDATA=$PGDATA/new_data
+
+if [ -e $MIGRATION_MARKER ]; then
+  echo "FATAL: migration was started but did not complete in a previous run. manual recovery necessary"
+  exit 1
+fi
+
+if [ -f $PGDATA/PG_VERSION ]; then
+  DATA_VERSION=$(cat $PGDATA/PG_VERSION)
+
+  if [ -n "$DATA_VERSION" -a "$PG_MAJOR" != "$DATA_VERSION" ]; then
+    echo "postgres data version $DATA_VERSION found, but need $PG_MAJOR. Starting migration"
+    echo "Installing postgres $DATA_VERSION"
+    sed -i "s/$/ $DATA_VERSION/" /etc/apt/sources.list.d/pgdg.list
+    apt-get update && apt-get install -y --no-install-recommends \
+      postgresql-$DATA_VERSION \
+      && rm -rf /var/lib/apt/lists/*
+    echo "shuffling around"
+    chown -R postgres:postgres $PGDATA
+    gosu postgres mkdir $OLDDATA $NEWDATA
+    chmod 700 $OLDDATA $NEWDATA
+    mv $PGDATA/* $OLDDATA/ || true
+    touch $MIGRATION_MARKER
+    echo "running initdb"
+    # abuse entrypoint script for initdb by making server error out
+    gosu postgres bash -c "export PGDATA=$NEWDATA ; /usr/local/bin/docker-entrypoint.sh --invalid-arg || true"
+    echo "running pg_upgrade"
+    cd /tmp
+    gosu postgres pg_upgrade --link -b /usr/lib/postgresql/$DATA_VERSION/bin -d $OLDDATA -D $NEWDATA -U $POSTGRES_USER
+    cp $OLDDATA/pg_hba.conf $NEWDATA/
+    mv $NEWDATA/* $PGDATA
+    rm -rf $OLDDATA
+    rmdir $NEWDATA
+    rm $MIGRATION_MARKER
+    echo "migration complete"
+  fi
+fi
+
+/usr/local/bin/docker-entrypoint.sh postgres

flow_authentication.yaml.tmpl

@@ -37,7 +37,7 @@ entries:
     name: default-authentication-login
   model: authentik_stages_user_login.userloginstage
   attrs:
-    session_duration: seconds=0
+    session_duration: days=30
 
 # After the first run this will produce a RelatedObjectDoesNotExist error
 - identifiers:

flow_invitation.yaml.tmpl

@@ -24,6 +24,18 @@ entries:
   id: invitation-enrollment-flow
   model: authentik_flows.flow
 
+### POLICIES
+- attrs:
+    expression: |
+      if not regex_match(request.context.get('prompt_data').get('username'), '\s'):
+          return True
+      ak_message("Username must not contain any whitespace!")
+      return False
+  id: username-without-spaces-policy
+  identifiers:
+    name: username-without-spaces-policy
+  model: authentik_policies_expression.expressionpolicy
+
 ### STAGES
 - identifiers:
     name: invitation-stage
@@ -41,6 +53,8 @@ entries:
       - !Find [authentik_stages_prompt.prompt, [name, default-user-settings-field-email]]
       - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password]]
       - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password-repeat]]
+    validation_policies:
+      - !Find [ authentik_policies_expression.expressionpolicy, [name, username-without-spaces-policy]]
 
 ### STAGE BINDINGS
 - identifiers:

hedgedoc.yaml.tmpl

@@ -0,0 +1,48 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: hedgedoc
+
+entries:
+
+- attrs:
+    access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+    client_id: {{ secret  "hedgedoc_id" }}
+    client_secret: {{ secret  "hedgedoc_secret" }}
+    client_type: confidential
+    include_claims_in_id_token: true
+    issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "HEDGEDOC_DOMAIN" }}/auth/oauth2/callback
+    name: Hedgedoc
+    property_mappings:
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sub_mode: hashed_user_id
+    token_validity: days=30
+  conditions: []
+  id: hedgedoc_provider
+  identifiers:
+    pk: 9992
+  model: authentik_providers_oauth2.oauth2provider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "HEDGEDOC_DOMAIN" }}/auth/oauth2
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf hedgedoc_provider
+    slug: hedgedoc
+  conditions: []
+  id: hedgedoc_application
+  identifiers:
+    name: Hedgedoc
+  model: authentik_core.application
+  state: present

icons/help.svg

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg width="800px" height="800px" viewBox="0 0 48 48" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect width="48" height="48" fill="white" fill-opacity="0.01"/>
+<path d="M24 44C29.5228 44 34.5228 41.7614 38.1421 38.1421C41.7614 34.5228 44 29.5228 44 24C44 18.4772 41.7614 13.4772 38.1421 9.85786C34.5228 6.23858 29.5228 4 24 4C18.4772 4 13.4772 6.23858 9.85786 9.85786C6.23858 13.4772 4 18.4772 4 24C4 29.5228 6.23858 34.5228 9.85786 38.1421C13.4772 41.7614 18.4772 44 24 44Z" fill="#2F88FF" stroke="#000000" stroke-width="4" stroke-linejoin="round"/>
+<path d="M24 28.6249V24.6249C27.3137 24.6249 30 21.9386 30 18.6249C30 15.3112 27.3137 12.6249 24 12.6249C20.6863 12.6249 18 15.3112 18 18.6249" stroke="white" stroke-width="4" stroke-linecap="round" stroke-linejoin="round"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M24 37.6249C25.3807 37.6249 26.5 36.5056 26.5 35.1249C26.5 33.7442 25.3807 32.6249 24 32.6249C22.6193 32.6249 21.5 33.7442 21.5 35.1249C21.5 36.5056 22.6193 37.6249 24 37.6249Z" fill="white"/>
+</svg>

icons/pretix.svg

@@ -0,0 +1 @@
+<?xml version="1.0" encoding="UTF-8"?><svg id="Ebene_1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 128 128"><defs><style>.cls-1{fill:#3b1c4a;}</style></defs><path class="cls-1" d="m50.67,56.95c-.72.1-1.22.3-1.66.5l2.38,16.91c.41.08.95.13,1.6.04,3.52-.5,4.61-3.64,3.81-9.39-.83-5.87-2.53-8.56-6.12-8.06Z"/><path class="cls-1" d="m116.04,35.05c.71-.17,1.16-.76,1.06-1.48L112.54,1.13c-.1-.72-.77-1.22-1.49-1.12l-37.5,5.27.73,5.22c.16,1.12-.62,2.15-1.74,2.31s-2.15-.62-2.31-1.74l-.73-5.22L1.13,15.46c-.72.1-1.22.77-1.12,1.49l4.56,32.44c.1.72.7,1.17,1.42,1.13,11.25-.92,21.43,7.1,23.03,18.46,1.6,11.36-5.99,21.81-17.07,23.96-.71.17-1.16.76-1.06,1.48l4.56,32.44c.1.72.77,1.22,1.49,1.12l68.37-9.61-.73-5.22c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l.73,5.22,37.5-5.27c.72-.1,1.22-.77,1.12-1.49l-4.56-32.44c-.1-.72-.7-1.17-1.42-1.13-11.25.92-21.42-7.04-23.02-18.4-1.6-11.36,5.98-21.87,17.06-24.03Zm-59.84,44.75c-1.76.25-3.29.26-4.04.17l1.59,11.29-9.92,1.39-5.3-37.73c2.5-1.62,5.96-3.03,11.38-3.8,8.68-1.22,15.27,2.58,16.66,12.44,1.25,8.88-3.12,15.21-10.36,16.23Zm30.73,20.71c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31,1.12-.16,2.15.62,2.31,1.74l1.47,10.44Zm-3.16-22.45c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l1.47,10.44Z"/></svg>

icons/support.svg

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg width="800px" height="800px" viewBox="0 0 512 512" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+    <title>support</title>
+    <g id="Page-1" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
+        <g id="support" fill="#000000" transform="translate(42.666667, 42.666667)">
+            <path d="M379.734355,174.506667 C373.121022,106.666667 333.014355,-2.13162821e-14 209.067688,-2.13162821e-14 C85.1210217,-2.13162821e-14 45.014355,106.666667 38.4010217,174.506667 C15.2012632,183.311569 -0.101643453,205.585799 0.000508304259,230.4 L0.000508304259,260.266667 C0.000508304259,293.256475 26.7445463,320 59.734355,320 C92.7241638,320 119.467688,293.256475 119.467688,260.266667 L119.467688,230.4 C119.360431,206.121456 104.619564,184.304973 82.134355,175.146667 C86.4010217,135.893333 107.307688,42.6666667 209.067688,42.6666667 C310.827688,42.6666667 331.521022,135.893333 335.787688,175.146667 C313.347976,184.324806 298.68156,206.155851 298.667688,230.4 L298.667688,260.266667 C298.760356,283.199651 311.928618,304.070103 332.587688,314.026667 C323.627688,330.88 300.801022,353.706667 244.694355,360.533333 C233.478863,343.50282 211.780225,336.789048 192.906491,344.509658 C174.032757,352.230268 163.260418,372.226826 167.196286,392.235189 C171.132153,412.243552 188.675885,426.666667 209.067688,426.666667 C225.181549,426.577424 239.870491,417.417465 247.041022,402.986667 C338.561022,392.533333 367.787688,345.386667 376.961022,317.653333 C401.778455,309.61433 418.468885,286.351502 418.134355,260.266667 L418.134355,230.4 C418.23702,205.585799 402.934114,183.311569 379.734355,174.506667 Z M76.8010217,260.266667 C76.8010217,269.692326 69.1600148,277.333333 59.734355,277.333333 C50.3086953,277.333333 42.6676884,269.692326 42.6676884,260.266667 L42.6676884,230.4 C42.6676884,224.302667 45.9205765,218.668499 51.2010216,215.619833 C56.4814667,212.571166 62.9872434,212.571166 68.2676885,215.619833 C73.5481336,218.668499 76.8010217,224.302667 76.8010217,230.4 L76.8010217,260.266667 Z M341.334355,230.4 C341.334355,220.97434 348.975362,213.333333 358.401022,213.333333 C367.826681,213.333333 375.467688,220.97434 375.467688,230.4 L375.467688,260.266667 C375.467688,269.692326 367.826681,277.333333 358.401022,277.333333 C348.975362,277.333333 341.334355,269.692326 341.334355,260.266667 L341.334355,230.4 Z">
+
+</path>
+        </g>
+    </g>
+</svg>

icons/zammad.svg

@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg width="126px" height="108px" viewBox="0 0 42 36" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:sketch="http://www.bohemiancoding.com/sketch/ns">
+    <!-- Generator: Sketch 3.3.2 (12043) - http://www.bohemiancoding.com/sketch -->
+    <title>logo</title>
+    <desc>Created with Sketch.</desc>
+    <defs/>
+    <g id="Page-1" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd" sketch:type="MSPage">
+        <g id="logo" sketch:type="MSArtboardGroup">
+            <g sketch:type="MSLayerGroup" transform="translate(1.000000, 0.000000)" id="Shape">
+                <path d="M27.3375,12.6 L36.72,9.72 L31.1625,13.2525 L27.3375,12.6 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
+                <path d="M33.0525,19.62 L31.1625,13.2525 L36.72,9.72 L35.055,15.435 L33.0525,19.62 Z" fill="#E84F83" sketch:type="MSShapeGroup"/>
+                <path d="M39.465,7.9875 L38.43,9.72 L35.055,15.435 L36.72,9.72 L39.465,7.9875 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
+                <path d="M39.8025,9.1125 L37.1925,11.79 L38.43,9.72 L39.8025,9.1125 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
+                <path d="M27.9,10.8225 L35.5725,10.0575 L30.24,11.7 L27.9,10.8225 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
+                <path d="M28.1925,15.165 L31.1625,13.2525 L33.0525,19.62 L32.0625,21.645 L28.1925,15.165 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
+                <path d="M23.76,22.725 L22.3425,5.4 L32.0625,21.645 L23.76,22.725 Z" fill="#B7DFF2" sketch:type="MSShapeGroup"/>
+                <path d="M19.7325,27.1575 L23.76,22.725 L32.0625,21.645 L19.7325,27.1575 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
+                <path d="M0.1575,35.865 L19.7325,27.1575 L23.76,22.725 L17.37,22.0725 L0.1575,35.865 Z" fill="#FFCE33" sketch:type="MSShapeGroup"/>
+                <path d="M0.9,28.755 L10.9575,27.225 L14.085,24.705 L12.555,24.03 L0.9,28.755 Z" fill="#D6B12D" sketch:type="MSShapeGroup"/>
+                <path d="M4.5225,20.5425 L14.085,24.705 L17.37,22.0725 L4.5225,20.5425 Z" fill="#FFDE85" sketch:type="MSShapeGroup"/>
+                <path d="M21.6225,11.6775 L20.4075,11.88 L17.37,22.0725 L20.655,20.0025 L21.6225,11.6775 Z" fill="#009EC6" sketch:type="MSShapeGroup"/>
+                <path d="M23.4,18.2475 L20.655,20.0025 L22.3425,5.4 L23.4,18.2475 Z" fill="#5EAFCE" sketch:type="MSShapeGroup"/>
+                <path d="M13.0275,13.05 L21.6225,11.6775 L22.005,8.28 L13.0275,13.05 Z" fill="#045972" sketch:type="MSShapeGroup"/>
+                <path d="M12.105,5.085 L19.575,9.585 L22.005,8.28 L22.0725,7.8075 L12.105,5.085 Z" fill="#5A8591" sketch:type="MSShapeGroup"/>
+                <path d="M13.5675,0.18 L20.3625,7.335 L22.0725,7.8075 L22.3425,5.4 L13.5675,0.18 Z" fill="#009EC6" sketch:type="MSShapeGroup"/>
+                <path d="M17.37,22.0725 L23.4,18.2475 L23.76,22.725 L17.37,22.0725 Z" fill="#F39804" sketch:type="MSShapeGroup"/>
+            </g>
+        </g>
+    </g>
+</svg>

kimai.yaml.tmpl

@@ -0,0 +1,50 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: kimai
+
+entries:
+- attrs:
+    acs_url: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml/acs
+    assertion_valid_not_before: minutes=-5
+    assertion_valid_not_on_or_after: minutes=5
+    audience: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+    digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
+    issuer: https://{{ env  "DOMAIN" }}
+    name: Kimai
+    name_id_mapping: !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
+    property_mappings:
+    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Name"]]
+    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Email"]]
+    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: User ID"]]
+    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
+    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Groups"]]
+    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: UPN"]]
+    session_valid_not_on_or_after: minutes=86400
+    sign_assertion: true
+    signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
+    signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sp_binding: post
+  conditions: []
+  id: kimai_provider
+  identifiers:
+    pk: 9991
+  model: authentik_providers_saml.samlprovider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml/login
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf kimai_provider
+    slug: kimai
+  conditions: []
+  id: kimai_application
+  identifiers:
+    name: Kimai
+  model: authentik_core.application
+  state: present

matrix.yaml.tmpl

@@ -8,12 +8,17 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "matrix_id" }}
     client_secret: {{ secret  "matrix_secret" }}
     client_type: confidential
     include_claims_in_id_token: true
     issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "MATRIX_DOMAIN" }}/_synapse/client/oidc/callback
     name: Matrix
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
@@ -34,10 +39,10 @@ entries:
     open_in_new_tab: true
     policy_engine_mode: any
     provider: !KeyOf matrix_provider
-    slug: matrix
+    name: Element
   conditions: []
   id: matrix_application
   identifiers:
-    name: Matrix
+    slug: matrix
   model: authentik_core.application
   state: present

monitoring.yaml.tmpl

@@ -8,12 +8,17 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "monitoring_id" }}
     client_secret: {{ secret  "monitoring_secret" }}
     client_type: confidential
     include_claims_in_id_token: true
     issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "MONITORING_DOMAIN" }}/login/generic_oauth
     name: Monitoring
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
@@ -25,7 +30,7 @@ entries:
   conditions: []
   id: monitoring_provider
   identifiers:
-    pk: 9994
+    pk: 9990
   model: authentik_providers_oauth2.oauth2provider
   state: present
 

nextcloud.yaml.tmpl

@@ -20,12 +20,17 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "nextcloud_id" }}
     client_secret: {{ secret  "nextcloud_secret" }}
     client_type: confidential
     include_claims_in_id_token: true
     issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "NEXTCLOUD_DOMAIN" }}/apps/sociallogin/custom_oidc/authentik
     name: Nextcloud
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]

outline.yaml.tmpl

@@ -0,0 +1,48 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: outline
+
+entries:
+
+- attrs:
+    access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+    client_id: {{ secret  "outline_id" }}
+    client_secret: {{ secret  "outline_secret" }}
+    client_type: confidential
+    include_claims_in_id_token: true
+    issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "OUTLINE_DOMAIN" }}/auth/oidc.callback
+    name: Outline
+    property_mappings:
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sub_mode: hashed_user_id
+    token_validity: days=30
+  conditions: []
+  id: outline_provider
+  identifiers:
+    pk: 9994
+  model: authentik_providers_oauth2.oauth2provider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "OUTLINE_DOMAIN" }}/auth/oidc
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf outline_provider
+    slug: outline
+  conditions: []
+  id: outline_application
+  identifiers:
+    name: Outline
+  model: authentik_core.application
+  state: present

pg_backup.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+
+BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
+
+function backup {
+  export PGPASSWORD=$(cat /run/secrets/db_password)
+  pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
+}
+
+function restore {
+    cd /var/lib/postgresql/data/
+    restore_config(){
+        # Restore allowed connections
+        cat pg_hba.conf.bak > pg_hba.conf
+        su postgres -c 'pg_ctl reload'
+    }
+    # Don't allow any other connections than local
+    cp pg_hba.conf pg_hba.conf.bak
+    echo "local all all trust" > pg_hba.conf
+    su postgres -c 'pg_ctl reload'
+    trap restore_config EXIT INT TERM
+
+    # Recreate Database
+    psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);" 
+    createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
+    psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
+
+    trap - EXIT INT TERM
+    restore_config
+}
+
+$@

rallly.yaml.tmpl

@@ -0,0 +1,48 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: rallly
+
+entries:
+
+- attrs:
+    access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+    client_id: {{ secret  "rallly_id" }}
+    client_secret: {{ secret  "rallly_secret" }}
+    client_type: confidential
+    include_claims_in_id_token: true
+    issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "RALLLY_DOMAIN" }}/api/auth/callback/oidc
+    name: Rallly
+    property_mappings:
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sub_mode: hashed_user_id
+    token_validity: days=30
+  conditions: []
+  id: rallly_provider
+  identifiers:
+    pk: 9993
+  model: authentik_providers_oauth2.oauth2provider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "RALLLY_DOMAIN" }}
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf rallly_provider
+    slug: rallly
+  conditions: []
+  id: rallly_application
+  identifiers:
+    name: Rallly
+  model: authentik_core.application
+  state: present

release/4.0.0+2023.10.5

@@ -0,0 +1 @@
+It is only possible to upgrade to 2023.10 from 2023.8, you need to update to 2023.8.x before applying this update

release/5.0.0+2024.2.2

@@ -0,0 +1 @@
+Blueprint changes are applied and automatic migrations should work, however, manual action may be required: https://docs.goauthentik.io/docs/releases/2024.2

release/5.1.0+2024.2.3

@@ -0,0 +1 @@
+Due to blueprint changes, you need to run the following command after upgrading: abra app cmd -C <Domain> worker apply_blueprints

release/6.0.0+2024.4.0

@@ -0,0 +1 @@
+Alerta! ⚠️ If you are using AUTHENTIK_COLOR_BACKGROUND_LIGHT, you will need to set COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"

release/6.1.0+2024.4.2

@@ -0,0 +1 @@
+Blueprint for Kimai SSO integration added

release/6.11.0+2024.10.5

@@ -0,0 +1 @@
+Fix Impersonate Bug

release/6.6.0+2024.8.2

@@ -0,0 +1 @@
+Replaced icon bbb.jpg with icon.png - configs need to be updated when upgrading!

release/6.7.0+2024.8.3

@@ -0,0 +1,3 @@
+Two critical vulnerabilities were closed:
+https://github.com/goauthentik/authentik/security/advisories/GHSA-7jxf-mmg9-9hg7
+https://github.com/goauthentik/authentik/security/advisories/GHSA-8gfm-pr6x-pfh9

system_brand.yaml.tmpl

@@ -2,13 +2,13 @@ version: 1
 metadata:
   labels:
     blueprints.goauthentik.io/instantiate: "true"
-  name: Custom System Tenant
+  name: Custom System brand
 entries:
 ### DEPENDENCIES
 - model: authentik_blueprints.metaapplyblueprint
   attrs:
     identifiers:
-      name: Default - Tenant
+      name: Default - Brand
     required: true
 - model: authentik_blueprints.metaapplyblueprint
   attrs:
@@ -17,19 +17,22 @@ entries:
     required: true
 
 
-### SYSTEM TENANT
-# remove custom tenant from old recipe
+### SYSTEM BRAND
+# remove custom brand from old recipe
 - identifiers:
     domain: {{ env "DOMAIN" }}
-  model: authentik_tenants.tenant
+  model: authentik_brands.brand
   state: absent
 
 - attrs:
     attributes:
       settings:
-        locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }}
+        locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }} {{ if ne (env "THEME_BACKGROUND") "" }}
+        theme:
+          background: >
+            background: {{ env "THEME_BACKGROUND" }} {{ end }}
     flow_recovery: !Find [authentik_flows.flow, [slug,  default-recovery-flow]]
   identifiers:
     default: true
     domain: authentik-default
-  model: authentik_tenants.tenant
+  model: authentik_brands.brand

vikunja.yaml.tmpl

@@ -8,12 +8,17 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "vikunja_id" }}
     client_secret: {{ secret  "vikunja_secret" }}
     client_type: confidential
     include_claims_in_id_token: true
     issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "VIKUNJA_DOMAIN" }}/auth/openid/authentik
     name: Vikunja
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]

wekan.yaml.tmpl

@@ -25,12 +25,17 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "wekan_id" }}
     client_secret: {{ secret  "wekan_secret" }}
     client_type: confidential
     include_claims_in_id_token: true
     issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "WEKAN_DOMAIN" }}/_oauth/oidc
     name: Wekan
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]

wordpress.yaml.tmpl

@@ -8,12 +8,17 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "wordpress_id" }}
     client_secret: {{ secret  "wordpress_secret" }}
     client_type: confidential
     include_claims_in_id_token: true
     issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "WORDPRESS_DOMAIN" }}/openid-connect-authorize
     name: Wordpress
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]

zammad.yaml.tmpl

@@ -0,0 +1,69 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: zammad
+
+entries:
+- attrs:
+    expression: return request.user.name
+    managed: null
+    name: 'Zammad SAML Mapping: name'
+    saml_name: name
+  conditions: []
+  identifiers:
+    name: zammad_name_mapping
+  id: zammad_name_mapping
+  model: authentik_providers_saml.samlpropertymapping
+  state: present
+
+- attrs:
+    expression: return request.user.email
+    managed: null
+    name: 'Zammad SAML Mapping: email'
+    saml_name: email
+  conditions: []
+  identifiers:
+    name: zammad_email_mapping
+  id: zammad_email_mapping
+  model: authentik_providers_saml.samlpropertymapping
+  state: present
+
+- attrs:
+    acs_url: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/callback
+    assertion_valid_not_before: minutes=-5
+    assertion_valid_not_on_or_after: minutes=5
+    audience: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/metadata
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+    digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
+    issuer: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/metadata
+    name: zammad
+    property_mappings:
+    - !KeyOf zammad_name_mapping
+    - !KeyOf zammad_email_mapping
+    session_valid_not_on_or_after: minutes=86400
+    sign_assertion: true
+    signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
+    signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sp_binding: post
+  conditions: []
+  id: zammad_provider
+  identifiers:
+    pk: 9989
+  model: authentik_providers_saml.samlprovider
+  state: present
+
+- attrs:
+    meta_launch_url: ""
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf zammad_provider
+    slug: zammad
+  conditions: []
+  id: zammad_application
+  identifiers:
+    name: Zammad
+  model: authentik_core.application
+  state: present