coop-cloud/authentik
coop-cloud/authentik
1
2
Fork 4
Code Issues 1 Pull Requests 1 Projects Releases Wiki Activity

Compare commits

base: coop-cloud:main
Branches Tags
coop-cloud:main
coop-cloud:nextcloud
coop-cloud:list
coop-cloud:event_delete_model
coop-cloud:patch_kimai_integration
coop-cloud:password_bootstrap
coop-cloud:custom-css
coop-cloud:validate-username
coop-cloud:custom_theme
coop-cloud:copy_assets
coop-cloud:7.3.1+2025.6.1
coop-cloud:7.3.0+2025.6.0
coop-cloud:7.2.0+2025.4.1
coop-cloud:7.1.0+2025.2.4
coop-cloud:7.0.3+2025.2.3
coop-cloud:7.0.2+2025.2.2
coop-cloud:7.0.1+2025.2.0
coop-cloud:7.0.0+2025.2.0
coop-cloud:6.12.0+2024.12.3
coop-cloud:6.11.1+2024.10.5
coop-cloud:6.11.0+2024.10.5
coop-cloud:6.10.1+2024.10.4
coop-cloud:6.9.0+2024.10.0
coop-cloud:6.8.1+2024.10.0
coop-cloud:6.8.0+2024.10.0
coop-cloud:6.7.1+2024.8.3
coop-cloud:6.5.3+2024.6.5
coop-cloud:6.5.2+2024.6.5
coop-cloud:6.7.0+2024.8.3
coop-cloud:6.5.1+2024.6.5
coop-cloud:6.6.0+2024.8.2
coop-cloud:6.5.0+2024.6.3
coop-cloud:6.3.1+2024.6.1
coop-cloud:6.4.0+2024.6.3
coop-cloud:6.3.1+2024.6.2
coop-cloud:6.3.0+2024.6.1
coop-cloud:5.1.2+2024.2.3
coop-cloud:6.2.0+2024.4.2
coop-cloud:6.1.1+2024.4.2
coop-cloud:6.1.0+2024.4.2
coop-cloud:6.0.0+2024.4.0
coop-cloud:5.2.1+2024.4.0
coop-cloud:5.2.0+2024.4.0
coop-cloud:5.1.1+2024.2.3
coop-cloud:5.1.0+2024.2.3
coop-cloud:5.0.2+2024.2.2
coop-cloud:5.0.1+2024.2.2
coop-cloud:5.0.0+2024.2.2
coop-cloud:4.3.0+2023.10.7
coop-cloud:4.2.0+2023.10.7
coop-cloud:4.1.1+2023.10.7
coop-cloud:4.1.0+2023.10.5
coop-cloud:4.0.0+2023.10.5
coop-cloud:3.3.1+2023.8.5
coop-cloud:3.3.0+2023.8.5
coop-cloud:3.2.4+2023.6.1
coop-cloud:3.2.3+2023.6.1
coop-cloud:3.2.2+2023.6.1
coop-cloud:3.2.1+2023.6.1
coop-cloud:3.1.0+2023.3.1
coop-cloud:3.0.0+2023.2.3
coop-cloud:3.2.0+2023.6.1
coop-cloud:3.1.2+2023.3.1
coop-cloud:3.1.1+2023.3.1
coop-cloud:2.0.0+2023.2.3
coop-cloud:1.4.2+2023.2.3
coop-cloud:1.4.1+2023.2.3
coop-cloud:1.4.0+2023.1.0
coop-cloud:1.3.0+2022.12.2
coop-cloud:1.2.0+2022.11.3
coop-cloud:1.1.1+2022.11.1
coop-cloud:0.7.0+2022.11.1
coop-cloud:1.1.0+2022.11.1
coop-cloud:1.0.0+2022.10.1
coop-cloud:0.6.0+2022.10.1
coop-cloud:0.6.0+2022.10.0
coop-cloud:0.5.0+2022.9.0
coop-cloud:0.4.0+2022.8.2
coop-cloud:0.3.0+2022.7.3
coop-cloud:0.2.0+2022.6.3
coop-cloud:0.1.0+2022.6.2
..
compare: coop-cloud:custom_theme
Branches Tags
coop-cloud:main
coop-cloud:nextcloud
coop-cloud:list
coop-cloud:event_delete_model
coop-cloud:patch_kimai_integration
coop-cloud:password_bootstrap
coop-cloud:custom-css
coop-cloud:validate-username
coop-cloud:custom_theme
coop-cloud:copy_assets
coop-cloud:7.3.1+2025.6.1
coop-cloud:7.3.0+2025.6.0
coop-cloud:7.2.0+2025.4.1
coop-cloud:7.1.0+2025.2.4
coop-cloud:7.0.3+2025.2.3
coop-cloud:7.0.2+2025.2.2
coop-cloud:7.0.1+2025.2.0
coop-cloud:7.0.0+2025.2.0
coop-cloud:6.12.0+2024.12.3
coop-cloud:6.11.1+2024.10.5
coop-cloud:6.11.0+2024.10.5
coop-cloud:6.10.1+2024.10.4
coop-cloud:6.9.0+2024.10.0
coop-cloud:6.8.1+2024.10.0
coop-cloud:6.8.0+2024.10.0
coop-cloud:6.7.1+2024.8.3
coop-cloud:6.5.3+2024.6.5
coop-cloud:6.5.2+2024.6.5
coop-cloud:6.7.0+2024.8.3
coop-cloud:6.5.1+2024.6.5
coop-cloud:6.6.0+2024.8.2
coop-cloud:6.5.0+2024.6.3
coop-cloud:6.3.1+2024.6.1
coop-cloud:6.4.0+2024.6.3
coop-cloud:6.3.1+2024.6.2
coop-cloud:6.3.0+2024.6.1
coop-cloud:5.1.2+2024.2.3
coop-cloud:6.2.0+2024.4.2
coop-cloud:6.1.1+2024.4.2
coop-cloud:6.1.0+2024.4.2
coop-cloud:6.0.0+2024.4.0
coop-cloud:5.2.1+2024.4.0
coop-cloud:5.2.0+2024.4.0
coop-cloud:5.1.1+2024.2.3
coop-cloud:5.1.0+2024.2.3
coop-cloud:5.0.2+2024.2.2
coop-cloud:5.0.1+2024.2.2
coop-cloud:5.0.0+2024.2.2
coop-cloud:4.3.0+2023.10.7
coop-cloud:4.2.0+2023.10.7
coop-cloud:4.1.1+2023.10.7
coop-cloud:4.1.0+2023.10.5
coop-cloud:4.0.0+2023.10.5
coop-cloud:3.3.1+2023.8.5
coop-cloud:3.3.0+2023.8.5
coop-cloud:3.2.4+2023.6.1
coop-cloud:3.2.3+2023.6.1
coop-cloud:3.2.2+2023.6.1
coop-cloud:3.2.1+2023.6.1
coop-cloud:3.1.0+2023.3.1
coop-cloud:3.0.0+2023.2.3
coop-cloud:3.2.0+2023.6.1
coop-cloud:3.1.2+2023.3.1
coop-cloud:3.1.1+2023.3.1
coop-cloud:2.0.0+2023.2.3
coop-cloud:1.4.2+2023.2.3
coop-cloud:1.4.1+2023.2.3
coop-cloud:1.4.0+2023.1.0
coop-cloud:1.3.0+2022.12.2
coop-cloud:1.2.0+2022.11.3
coop-cloud:1.1.1+2022.11.1
coop-cloud:0.7.0+2022.11.1
coop-cloud:1.1.0+2022.11.1
coop-cloud:1.0.0+2022.10.1
coop-cloud:0.6.0+2022.10.1
coop-cloud:0.6.0+2022.10.0
coop-cloud:0.5.0+2022.9.0
coop-cloud:0.4.0+2022.8.2
coop-cloud:0.3.0+2022.7.3
coop-cloud:0.2.0+2022.6.3
coop-cloud:0.1.0+2022.6.2

1 Commits
main ... custom_the

Author SHA1 Message Date
Moritz
0db0d8eeaf set theme colors with envs 2023-11-14 17:49:54 +01:00
52 changed files with 515 additions and 983 deletions
Show Stats Expand all files Collapse all files

6
.drone.yml
View File

@ -23,15 +23,13 @@ steps:
FLOW_INVALIDATION_VERSION: v1
FLOW_RECOVERY_VERSION: v1
FLOW_TRANSLATION_VERSION: v1
SYSTEM_BRAND_VERSION: v1
SYSTEM_TENANT_VERSION: v1
NEXTCLOUD_CONFIG_VERSION: v1
SECRET_SECRET_KEY_VERSION: v1
SECRET_DB_PASSWORD_VERSION: v1
SECRET_ADMIN_TOKEN_VERSION: v1
SECRET_ADMIN_PASS_VERSION: v1
SECRET_EMAIL_PASS_VERSION: v1
DB_ENTRYPOINT_VERSION: v1
PG_BACKUP_VERSION: v2
trigger:
branch:
- main
@ -47,7 +45,7 @@ steps:
from_secret: drone_abra-bot_token
fork: true
repositories:
- toolshed/auto-recipes-catalogue-json
- coop-cloud/auto-recipes-catalogue-json
trigger:
event: tag

67
.env.sample
View File

@ -1,10 +1,8 @@
TYPE=authentik
TIMEOUT=900
TIMEOUT=300
ENABLE_AUTO_UPDATE=true
POST_DEPLOY_CMDS="worker set_admin_pass"
# Example values for post deploy cmds: "worker set_admin_pass|worker apply_blueprints|worker add_applications"
# POST_DEPLOY_CMDS="worker set_admin_pass|worker apply_blueprints|worker add_applications"
LETS_ENCRYPT_ENV=production
ENABLE_BACKUPS=true
DOMAIN=authentik.example.com
## Domain aliases
@ -18,11 +16,6 @@ AUTHENTIK_LOG_LEVEL=info
## Outpost Integration
# COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml"
# COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.ldap.yml"
# SECRET_LDAP_TOKEN_VERSION=v1
## ADMIN
AUTHENTIK_BOOTSTRAP_EMAIL=admin@example.com
## EMAIL
AUTHENTIK_EMAIL__HOST=smtp
@ -41,6 +34,14 @@ SECRET_ADMIN_PASS_VERSION=v1
SECRET_EMAIL_PASS_VERSION=v1
# X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
# AUTHENTIK_COLOR_FOREGROUND=fafafa
# AUTHENTIK_COLOR_FOREGROUND_DARKER=bebebe
# AUTHENTIK_COLOR_FOREGROUND_LINK=5a5cb9
# AUTHENTIK_COLOR_BACKGROUND=18191a
# AUTHENTIK_COLOR_BACKGROUND_DARKER=000000
# AUTHENTIK_COLOR_BACKGROUND_LIGHT=1c1e21
# AUTHENTIK_COLOR_BACKGROUND_LIGHTISH=212427
# AUTHENTIK_COLOR_BACKGROUND_LIGHTER=2b2e33
## FLOW OPTIONS
# WELCOME_MESSAGE="Welcome to Authentik"
@ -49,21 +50,10 @@ SECRET_EMAIL_PASS_VERSION=v1
# EMAIL_SUBJECT="Account Recovery"
# EMAIL_TOKEN_EXPIRY_MINUTES=30
## assets
COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/"
COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
# store custom CSS in a css-volume
#COMPOSE_FILE="$COMPOSE_FILE:compose.css-volume.yml"
# NOTE: this causes the authentik container to run as `root` initially; it uses `su` to drop privileges but technically could introduce a security risk. proceed with caution!
# Default CSS customisation
# COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
# BACKGROUND_FONT_COLOR=white
# BACKGROUND_BOX_COLOR='#eaeaeacf'
# THEME_BACKGROUND="url('https://authentik.example.com/static/dist/assets/images/flow_background.jpg'); background-position: center; background-repeat: no-repeat; background-size: cover;"
# COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
# NEXTCLOUD_DOMAIN=nextcloud.example.com
# SECRET_NEXTCLOUD_ID_VERSION=v1
@ -79,7 +69,6 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
# COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
# ELEMENT_DOMAIN=element-web.example.com
# MATRIX_DOMAIN=matrix-synapse.example.com
# SECRET_MATRIX_ID_VERSION=v1
# SECRET_MATRIX_SECRET_VERSION=v1
# APP_ICONS="$APP_ICONS matrix:~/.abra/recipes/authentik/icons/matrix.svg"
@ -96,39 +85,13 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
# SECRET_VIKUNJA_SECRET_VERSION=v1
# APP_ICONS="$APP_ICONS vikunja:~/.abra/recipes/authentik/icons/vikunja.svg"
# COMPOSE_FILE="$COMPOSE_FILE:compose.outline.yml"
# OUTLINE_DOMAIN=outline.example.com
# SECRET_OUTLINE_ID_VERSION=v1
# SECRET_OUTLINE_SECRET_VERSION=v1
# APP_ICONS="$APP_ICONS outline:~/.abra/recipes/authentik/icons/outline.png"
# COMPOSE_FILE="$COMPOSE_FILE:compose.kimai.yml"
# KIMAI_DOMAIN=kimai.example.com
# SECRET_KIMAI_ID_VERSION=v1
# SECRET_KIMAI_SECRET_VERSION=v1
# APP_ICONS="$APP_ICONS kimai:~/.abra/recipes/authentik/icons/kimai_logo.png"
# COMPOSE_FILE="$COMPOSE_FILE:compose.zammad.yml"
# ZAMMAD_DOMAIN=zammad.example.com
# APP_ICONS="$APP_ICONS zammad:~/.abra/recipes/authentik/icons/zammad.svg"
# COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml"
# MONITORING_DOMAIN=monitoring.example.com
# SECRET_MONITORING_ID_VERSION=v1
# SECRET_MONITORING_SECRET_VERSION=v1
# APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.svg"
# APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.png"
# COMPOSE_FILE="$COMPOSE_FILE:compose.rallly.yml"
# RALLLY_DOMAIN=rallly.example.com
# SECRET_RALLLY_ID_VERSION=v1
# SECRET_RALLLY_SECRET_VERSION=v1
# APP_ICONS="$APP_ICONS rallly:~/.abra/recipes/authentik/icons/rallly.png"
# COMPOSE_FILE="$COMPOSE_FILE:compose.hedgedoc.yml"
# HEDGEDOC_DOMAIN=hedgedoc.example.com
# SECRET_HEDGEDOC_ID_VERSION=v1
# SECRET_HEDGEDOC_SECRET_VERSION=v1
# APP_ICONS="$APP_ICONS hedgedoc:~/.abra/recipes/authentik/icons/hedgedoc.png"
# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/", "Pretix": "https://pretix.example.com/control/"}'
# EXTRA_ICONS={"Calendar": "~/.abra/recipes/authentik/icons/calendar.svg", "BBB": "~/.abra/recipes/authentik/icons/bbb.png", "Pretix": "~/.abra/recipes/authentik/icons/pretix.svg"}
# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/", "Rallly":"https://rallly.example.cloud/"}'
# APP_ICONS="$APP_ICONS Calendar:~/.abra/recipes/authentik/icons/calendar.svg"
# APP_ICONS="$APP_ICONS Rallly:~/.abra/recipes/authentik/icons/rallly.png"
# APP_ICONS="$APP_ICONS BBB:~/.abra/recipes/authentik/icons/bbb.jpg"

59
README.md
View File

@ -52,26 +52,8 @@ APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"
Set the nextcloud Icon using `abra app cmd -l -d <app_name> set_icons`
Generate OAuth client id and secret using `abra app secret generate <app_name> -a` (all secrets) or individually:
- `abra app secret generate <app_name> nextcloud_id`
- `abra app secret generate <app_name> nextcloud_secret`
Add the id and secret to nextcloud as secrets with:
- `abra app secret insert <nextcloud_app_name> authentik_id v1 <id>`
- `abra app secret insert <nextcloud_app_name> authentik_secret v1 <secret>`
Redeploy Authentik to enable the nextcloud client.
The configuration inside Nextcloud can be found in the [nextcloud recipe](https://git.coopcloud.tech/coop-cloud/nextcloud#authentik-integration)
## Add LDAP outpost
- Follow [this official guide](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap/generic_setup) and skip the LDAP Flow as we don't need it.
- Copy token under `Applications` -> `Outposts` `-> `View Deployment Info`
- Comment in envs for compose.outposts.ldap.yaml and secret version
- Insert token as secret `abra app secret insert <DOMAIN> ldap_token v1 <TOKEN>`
- Update deployment -> Outpost should be up and running
## Import User from CSV
Users can be imported from a CSV file of the following format:
@ -105,25 +87,6 @@ Run this command after every deploy/upgrade:
`abra app command --local <app-name> customize <assets_path>`
## Custom CSS
Uncomment the following env:
```
COMPOSE_FILE="$COMPOSE_FILE:compose.css-volume.yml"
```
Redeploy the app:
```
abra app deploy -f <app_name>
```
Copy the CSS and restart the container:
```
abra app cp <app_name> my_custom.css app:/web/dist/assets/custom.css
abra app restart <app_name> app
```
## Email templates
Add custom [email templates](https://goauthentik.io/docs/flow/stages/email/#custom-templates):
@ -134,15 +97,15 @@ Add custom [email templates](https://goauthentik.io/docs/flow/stages/email/#cust
These blueprints overwrite default blueprint values:
- `flow_translation.yaml`
- `flow_authentication.yaml`
- flow_translation.yaml
- flow_authentication.yaml
The following default blueprints will be overwritten by customizations:
- `flow-password-change.yaml`
- `flow-default-authentication-flow.yaml`
- `flow-default-user-settings-flow.yaml`
- `flow-default-source-enrollment.yaml`
- flow-password-change.yaml
- flow-default-authentication-flow.yaml
- flow-default-user-settings-flow.yaml
- flow-default-source-enrollment.yaml
The `abra.sh` function `apply_blueprints` needs to be executed to deactivate these blueprints to ensure that the customizations won't be overwritten. It will further execute flow_translation.yaml and flow_authentication.yaml again.
@ -204,9 +167,9 @@ The `abra.sh` function `apply_blueprints` needs to be executed to deactivate the
- Default - Source enrollment flow
- OVERWRITE:
- `default-source-enrollment-field-username`
- Custom System Brand
- Default - Brand
- APPEND: `authentik_brands.brand domain: authentik-default`
- Custom System Tenant
- Default - Tenant
- APPEND: `authentik_tenants.tenant domain: authentik-default`
- Recovery with email verification
- USE:
- `default-recovery-flow`
@ -214,8 +177,8 @@ The `abra.sh` function `apply_blueprints` needs to be executed to deactivate the
### Blueprint Dependency Execution Order
5. Custom System Brand
- Default - Brand
5. Custom System Tenant
- Default - Tenant
1. Recovery with email verification
- Default - Authentication flow
- Default - Password change flow

102
abra.sh
View File

@ -1,24 +1,16 @@
export CUSTOM_CSS_VERSION=v3
export FLOW_AUTHENTICATION_VERSION=v4
export FLOW_INVITATION_VERSION=v2
export FLOW_AUTHENTICATION_VERSION=v3
export FLOW_INVITATION_VERSION=v1
export FLOW_INVALIDATION_VERSION=v2
export FLOW_RECOVERY_VERSION=v1
export FLOW_TRANSLATION_VERSION=v3
export SYSTEM_BRAND_VERSION=v4
export NEXTCLOUD_CONFIG_VERSION=v3
export WORDPRESS_CONFIG_VERSION=v4
export MATRIX_CONFIG_VERSION=v3
export WEKAN_CONFIG_VERSION=v5
export VIKUNJA_CONFIG_VERSION=v3
export OUTLINE_CONFIG_VERSION=v4
export KIMAI_CONFIG_VERSION=v3
export ZAMMAD_CONFIG_VERSION=v4
export RALLLY_CONFIG_VERSION=v4
export HEDGEDOC_CONFIG_VERSION=v3
export MONITORING_CONFIG_VERSION=v4
export DB_ENTRYPOINT_VERSION=v1
export PG_BACKUP_VERSION=v2
export ENTRYPOINT_CSS_VERSION=v1
export FLOW_TRANSLATION_VERSION=v2
export SYSTEM_TENANT_VERSION=v2
export NEXTCLOUD_CONFIG_VERSION=v1
export WORDPRESS_CONFIG_VERSION=v2
export MATRIX_CONFIG_VERSION=v1
export WEKAN_CONFIG_VERSION=v3
export VIKUNJA_CONFIG_VERSION=v1
export MONITORING_CONFIG_VERSION=v1
customize() {
if [ -z "$1" ]
@ -35,15 +27,6 @@ customize() {
done
}
shell(){
if [ -z "$1" ]
then
echo "Usage: ... shell <python code>"
exit 1
fi
ak shell -c "$1" 2>&1 | quieten
}
import_user() {
if [ -z "$1" ]
then
@ -68,19 +51,15 @@ with open('/tmp/$1', newline='') as file:
email = row[2].strip()
groups = row[3].split(';')
if User.objects.filter(username=username):
print(f'{username} already exists')
continue
new_user = User.objects.create(name=name, username=username, email=email)
print(f'{username} created')
for group_name in groups:
group_name = group_name.strip()
if Group.objects.filter(name=group_name):
group = Group.objects.get(name=group_name)
else:
group = Group.objects.create(name=group_name)
print(f'{group_name} created')
group.users.add(new_user)
print(f'add {username} to group {group_name}')
""" 2>&1 | quieten
}
@ -88,16 +67,6 @@ set_admin_pass() {
password=$(cat /run/secrets/admin_pass)
token=$(cat /run/secrets/admin_token)
/manage.py shell -c """
import time
i = 0
while (not User.objects.filter(username='akadmin')):
print('Waiting for akadmin to be created...')
time.sleep(10)
i += 1
if i > 6:
print('Failed to find admin user!')
exit()
akadmin = User.objects.get(username='akadmin')
akadmin.set_password('$password')
akadmin.save()
@ -178,13 +147,11 @@ print(f'{blueprint.name} enabled: {blueprint.enabled}')
}
add_applications(){
export APPLICATIONS
/manage.py shell -c """
import json
import os
if os.environ['APPLICATIONS'] == '':
if '$APPLICATIONS' == '':
exit()
applications = json.loads(os.environ['APPLICATIONS'])
applications = json.loads('$APPLICATIONS')
for name, url in applications.items():
print(f'Add {name}: {url}')
app = Application.objects.filter(name=name).first()
@ -200,9 +167,7 @@ for name, url in applications.items():
quieten(){
# 'SyntaxWarning|version_regex|"http\['
# is a workaround to get rid of some verbose syntax warnings, this might be fixed with another version
grep -Pv '"level": "(info|debug)"|SyntaxWarning|version_regex|"http\[|RuntimeWarning:'
grep -v -e '{"event"' -e '{"action"'
}
add_email_templates(){
@ -213,10 +178,6 @@ done
}
set_icons(){
if [ -n "$1" ]
then
APP_ICONS="$1"
fi
for icon in $APP_ICONS; do
app=$(echo $icon | cut -d ":" -f1)
file_path=$(eval echo $(echo $icon | cut -d ":" -f2))
@ -227,22 +188,6 @@ for icon in $APP_ICONS; do
done
}
set_extra_icons(){
if [ -z "$EXTRA_ICONS" ]
then
echo "Variable EXTRA_ICONS is not set"
exit 1
fi
export EXTRA_ICONS
icon_key_values=$(python3 -c "
import json
import os
for key, value in json.loads(os.environ['EXTRA_ICONS']).items():
print(f'{key}:{value}')
")
set_icons "$icon_key_values"
}
set_app_icon() {
TOKEN=$(cat /run/secrets/admin_token)
python -c """
@ -269,26 +214,7 @@ delete_flows = ['default-recovery-flow' , 'custom-authentication-flow' , 'invita
Flow.objects.filter(slug__in=delete_flows).delete()
Stage.objects.filter(flow=None).delete()
Prompt.objects.filter(promptstage=None).delete()
Brand.objects.filter(default=True).delete()
Tenant.objects.filter(default=True).delete()
""" 2>&1 | quieten
apply_blueprints
}
get_certificate() {
/manage.py shell -c """
provider_name='$1'
if not provider_name:
print('no Provider Name given')
exit(1)
provider = Provider.objects.filter(name=provider_name).first()
saml = provider.samlprovider
cert = saml.signing_kp
print(''.join(cert.certificate_data.splitlines()[1:-1]))
""" 2>&1 | quieten
}
get_user_uid() {
/manage.py shell -c """
print(User.objects.filter(username='$1').first().uid)
""" 2>&1 | quieten
}

89
alaconnect.yml
View File

@ -1,89 +0,0 @@
nextcloud:
uncomment:
- compose.nextcloud.yml
- NEXTCLOUD_DOMAIN
- SECRET_NEXTCLOUD_ID_VERSION
- SECRET_NEXTCLOUD_SECRET_VERSION
- nextcloud.png
wordpress:
uncomment:
- compose.wordpress.yml
- WORDPRESS_DOMAIN
- WORDPRESS_GROUP
- SECRET_WORDPRESS_ID_VERSION
- SECRET_WORDPRESS_SECRET_VERSION
- wordpress.png
matrix-synapse:
uncomment:
- compose.matrix.yml
- ELEMENT_DOMAIN
- MATRIX_DOMAIN
- SECRET_MATRIX_ID_VERSION
- SECRET_MATRIX_SECRET_VERSION
- matrix.svg
secrets:
matrix_id: matrix
wekan:
uncomment:
- compose.wekan.yml
- WEKAN_DOMAIN
- SECRET_WEKAN_ID_VERSION
- SECRET_WEKAN_SECRET_VERSION
- wekan.png
secrets:
wekan_id: wekan
vikunja:
uncomment:
- compose.vikunja.yml
- VIKUNJA_DOMAIN
- SECRET_VIKUNJA_ID_VERSION
- SECRET_VIKUNJA_SECRET_VERSION
- vikunja.svg
secrets:
vikunja_id: vikunja
kimai:
uncomment:
- compose.kimai.yml
- KIMAI_DOMAIN
- SECRET_KIMAI_ID_VERSION
- SECRET_KIMAI_SECRET_VERSION
- kimai_logo.png
zammad:
uncomment:
- compose.zammad.yml
- ZAMMAD_DOMAIN
- zammad.svg
monitoring-ng:
uncomment:
- compose.monitoring.yml
- MONITORING_DOMAIN
- SECRET_MONITORING_ID_VERSION
- SECRET_MONITORING_SECRET_VERSION
- monitoring.png
outline:
uncomment:
- compose.outline.yml
- OUTLINE_DOMAIN
- SECRET_OUTLINE_ID_VERSION
- SECRET_OUTLINE_SECRET_VERSION
- outline.png
secrets:
outline_id: outline
rallly:
uncomment:
- compose.rallly.yml
- RALLLY_DOMAIN
- SECRET_RALLLY_ID_VERSION
- SECRET_RALLLY_SECRET_VERSION
- rallly.png
secrets:
rallly_id: rallly
hedgedoc:
uncomment:
- compose.hedgedoc.yml
- HEDGEDOC_DOMAIN
- SECRET_HEDGEDOC_ID_VERSION
- SECRET_HEDGEDOC_SECRET_VERSION
- hedgedoc.png
secrets:
hedgedoc_id: hedgedoc

16
compose.css-volume.yml
View File

@ -1,16 +0,0 @@
---
version: "3.8"
services:
app:
user: root
entrypoint: /docker-entrypoint.sh
configs:
- source: entrypoint_css
target: /docker-entrypoint.sh
mode: 0555
configs:
entrypoint_css:
name: ${STACK_NAME}_entrypoint_css_${ENTRYPOINT_CSS_VERSION}
file: entrypoint-css-volume.sh

14
compose.css.yml
View File

@ -1,14 +0,0 @@
---
version: '3.8'
services:
app:
configs:
- source: custom_css
target: /web/dist/custom.css
configs:
custom_css:
name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
file: custom.css.tmpl
template_driver: golang

26
compose.hedgedoc.yml
View File

@ -1,26 +0,0 @@
version: "3.8"
services:
worker:
secrets:
- hedgedoc_id
- hedgedoc_secret
environment:
- HEDGEDOC_DOMAIN
configs:
- source: hedgedoc
target: /blueprints/hedgedoc.yaml
secrets:
hedgedoc_id:
external: true
name: ${STACK_NAME}_hedgedoc_id_${SECRET_HEDGEDOC_ID_VERSION}
hedgedoc_secret:
external: true
name: ${STACK_NAME}_hedgedoc_secret_${SECRET_HEDGEDOC_SECRET_VERSION}
configs:
hedgedoc:
name: ${STACK_NAME}_hedgedoc_${HEDGEDOC_CONFIG_VERSION}
file: hedgedoc.yaml.tmpl
template_driver: golang

14
compose.kimai.yml
View File

@ -1,14 +0,0 @@
version: "3.8"
services:
worker:
environment:
- KIMAI_DOMAIN
configs:
- source: kimai
target: /blueprints/kimai.yaml
configs:
kimai:
name: ${STACK_NAME}_kimai_${KIMAI_CONFIG_VERSION}
file: kimai.yaml.tmpl
template_driver: golang

7
compose.matrix.yml
View File

@ -1,18 +1,11 @@
version: "3.8"
services:
app:
deploy:
labels:
- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect-matrix-well-known"
- "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.regex=^https://(.*)/.well-known/matrix/(.*)"
- "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.replacement=https://${MATRIX_DOMAIN}/.well-known/matrix/$$2"
worker:
secrets:
- matrix_id
- matrix_secret
environment:
- ELEMENT_DOMAIN
- MATRIX_DOMAIN
configs:
- source: matrix
target: /blueprints/matrix.yaml

26
compose.outline.yml
View File

@ -1,26 +0,0 @@
version: "3.8"
services:
worker:
secrets:
- outline_id
- outline_secret
environment:
- OUTLINE_DOMAIN
configs:
- source: outline
target: /blueprints/outline.yaml
secrets:
outline_id:
external: true
name: ${STACK_NAME}_outline_id_${SECRET_OUTLINE_ID_VERSION}
outline_secret:
external: true
name: ${STACK_NAME}_outline_secret_${SECRET_OUTLINE_SECRET_VERSION}
configs:
outline:
name: ${STACK_NAME}_outline_${OUTLINE_CONFIG_VERSION}
file: outline.yaml.tmpl
template_driver: golang

23
compose.outposts.ldap.yml
View File

@ -1,23 +0,0 @@
version: "3.8"
services:
authentik_ldap:
image: ghcr.io/goauthentik/ldap:2025.6.1
# Optionally specify which networks the container should be
# might be needed to reach the core authentik server
networks:
- internal
- proxy
ports:
- 389:3389
- 636:6636
secrets:
- ldap_token
environment:
- AUTHENTIK_HOST=https://${DOMAIN}
- AUTHENTIK_INSECURE=true
- AUTHENTIK_TOKEN=file:///run/secrets/ldap_token
secrets:
ldap_token:
external: true
name: ${STACK_NAME}_ldap_token_${SECRET_LDAP_TOKEN_VERSION}

26
compose.rallly.yml
View File

@ -1,26 +0,0 @@
version: "3.8"
services:
worker:
secrets:
- rallly_id
- rallly_secret
environment:
- RALLLY_DOMAIN
configs:
- source: rallly
target: /blueprints/rallly.yaml
secrets:
rallly_id:
external: true
name: ${STACK_NAME}_rallly_id_${SECRET_RALLLY_ID_VERSION}
rallly_secret:
external: true
name: ${STACK_NAME}_rallly_secret_${SECRET_RALLLY_SECRET_VERSION}
configs:
rallly:
name: ${STACK_NAME}_rallly_${RALLLY_CONFIG_VERSION}
file: rallly.yaml.tmpl
template_driver: golang

94
compose.yml
View File

@ -17,11 +17,17 @@ x-env: &env
- AUTHENTIK_EMAIL__TIMEOUT
- AUTHENTIK_EMAIL__FROM
- AUTHENTIK_LOG_LEVEL
- BACKGROUND_FONT_COLOR=${BACKGROUND_FONT_COLOR:-white}
- BACKGROUND_BOX_COLOR=${BACKGROUND_BOX_COLOR:-#eaeaeacf}
- AUTHENTIK_SETTINGS__THEME__BACKGROUND
- AUTHENTIK_COLOR_FOREGROUND=${AUTHENTIK_COLOR_FOREGROUND:-fafafa}
- AUTHENTIK_COLOR_FOREGROUND_DARKER=${AUTHENTIK_COLOR_FOREGROUND_DARKER:-bebebe}
- AUTHENTIK_COLOR_FOREGROUND_LINK=${AUTHENTIK_COLOR_FOREGROUND_LINK:-5a5cb9}
- AUTHENTIK_COLOR_BACKGROUND=${AUTHENTIK_COLOR_BACKGROUND:-18191a}
- AUTHENTIK_COLOR_BACKGROUND_DARKER=${AUTHENTIK_COLOR_BACKGROUND_DARKER:-000000}
- AUTHENTIK_COLOR_BACKGROUND_LIGHT=${AUTHENTIK_COLOR_BACKGROUND_LIGHT:-1c1e21}
- AUTHENTIK_COLOR_BACKGROUND_LIGHTISH=${AUTHENTIK_COLOR_BACKGROUND_LIGHTISH:-212427}
- AUTHENTIK_COLOR_BACKGROUND_LIGHTER=${AUTHENTIK_COLOR_BACKGROUND_LIGHTER:-2b2e33}
- AUTHENTIK_FOOTER_LINKS
- AUTHENTIK_IMPERSONATION
- AUTHENTIK_BOOTSTRAP_EMAIL
- WELCOME_MESSAGE
- DEFAULT_LANGUAGE
- EMAIL_SUBJECT
@ -29,16 +35,12 @@ x-env: &env
- DOMAIN
- LOGOUT_REDIRECT
- APPLICATIONS
- THEME_BACKGROUND
version: '3.8'
services:
app:
image: ghcr.io/goauthentik/server:2025.6.1
image: ghcr.io/goauthentik/server:2023.6.1
command: server
depends_on:
- db
- redis
secrets:
- db_password
- admin_pass
@ -49,17 +51,23 @@ services:
- media:/media
- assets:/web/dist/assets
- templates:/templates
configs:
- source: custom_css
target: /web/dist/custom.css
networks:
- internal
- proxy
healthcheck:
test: "ak healthcheck"
test: "bash -c 'printf \"GET / HTTP/1.1\n\n\" > /dev/tcp/127.0.0.1/9000; exit $$?;'"
interval: 30s
timeout: 30s
timeout: 10s
retries: 10
start_period: 5m
environment: *env
deploy:
update_config:
failure_action: rollback
order: start-first
labels:
- "traefik.enable=true"
- "traefik.docker.network=proxy"
@ -72,15 +80,12 @@ services:
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
- "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
- "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
- "coop-cloud.${STACK_NAME}.version=7.3.1+2025.6.1"
- "coop-cloud.${STACK_NAME}.version=3.2.4+2023.6.1"
- "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
worker:
image: ghcr.io/goauthentik/server:2025.6.1
image: ghcr.io/goauthentik/server:2023.6.1
command: worker
depends_on:
- db
- redis
secrets:
- db_password
- admin_pass
@ -91,10 +96,10 @@ services:
- internal
- proxy
volumes:
- backups:/backups
- media:/media
- /dev/null:/blueprints/default/flow-oobe.yaml
- templates:/templates
- certs:/certs
configs:
- source: flow_recovery
target: /blueprints/1_flow_recovery.yaml
@ -104,31 +109,16 @@ services:
target: /blueprints/3_flow_translation.yaml
- source: flow_invitation
target: /blueprints/4_flow_invitation.yaml
- source: system_brand
target: /blueprints/5_system_brand.yaml
- source: system_tenant
target: /blueprints/5_system_tenant.yaml
- source: flow_invalidation
target: /blueprints/6_flow_invalidation.yaml
environment: *env
healthcheck:
test: "ak healthcheck"
interval: 30s
timeout: 30s
retries: 10
start_period: 5m
db:
image: postgres:15.13
image: postgres:12.15-alpine
secrets:
- db_password
configs:
- source: db_entrypoint
target: /docker-entrypoint.sh
mode: 0555
- source: pg_backup
target: /pg_backup.sh
mode: 0555
entrypoint:
/docker-entrypoint.sh
volumes:
- database:/var/lib/postgresql/data
networks:
@ -145,25 +135,21 @@ services:
- POSTGRES_DB=authentik
deploy:
labels:
backupbot.backup: "${ENABLE_BACKUPS:-true}"
backupbot.backup.pre-hook: "/pg_backup.sh backup"
backupbot.backup.volumes.database.path: "backup.sql"
backupbot.backup.volumes.redis: "false"
backupbot.restore.post-hook: '/pg_backup.sh restore'
backupbot.backup: "true"
backupbot.backup.pre-hook: "PGPASSWORD=$$(cat /run/secrets/db_password) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
backupbot.backup.post-hook: "rm -rf /var/lib/postgresql/data/backup.sql"
backupbot.backup.path: "/var/lib/postgresql/data"
redis:
image: redis:8.0.2-alpine
command: --save 60 1 --loglevel warning
image: redis:7.0.12-alpine
networks:
- internal
healthcheck:
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
test: ["CMD", "redis-cli","ping"]
interval: 30s
timeout: 10s
retries: 10
start_period: 1m
volumes:
- redis:/data
secrets:
db_password:
@ -188,14 +174,17 @@ networks:
internal:
volumes:
backups:
media:
certs:
redis:
templates:
assets:
database:
configs:
custom_css:
name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
file: custom.css.tmpl
template_driver: golang
flow_authentication:
name: ${STACK_NAME}_flow_authentication_${FLOW_AUTHENTICATION_VERSION}
file: flow_authentication.yaml.tmpl
@ -216,14 +205,7 @@ configs:
name: ${STACK_NAME}_flow_translation_${FLOW_TRANSLATION_VERSION}
file: flow_translation.yaml.tmpl
template_driver: golang
system_brand:
name: ${STACK_NAME}_system_brand_${SYSTEM_BRAND_VERSION}
file: system_brand.yaml.tmpl
system_tenant:
name: ${STACK_NAME}_system_tenant_${SYSTEM_TENANT_VERSION}
file: system_tenant.yaml.tmpl
template_driver: golang
db_entrypoint:
name: ${STACK_NAME}_db_entrypoint_${DB_ENTRYPOINT_VERSION}
file: entrypoint.postgres.sh.tmpl
template_driver: golang
pg_backup:
name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
file: pg_backup.sh

14
compose.zammad.yml
View File

@ -1,14 +0,0 @@
version: "3.8"
services:
worker:
environment:
- ZAMMAD_DOMAIN
configs:
- source: zammad
target: /blueprints/zammad.yaml
configs:
zammad:
name: ${STACK_NAME}_zammad_${ZAMMAD_CONFIG_VERSION}
file: zammad.yaml.tmpl
template_driver: golang

27
custom.css.tmpl
View File

@ -1,13 +1,24 @@
/* my custom css */
:root {
--pf-global--BackgroundColor--100: {{ env "BACKGROUND_BOX_COLOR" }} !important;
--ak-accent: #fd4b2d;
--ak-dark-foreground: #{{ env "AUTHENTIK_COLOR_FOREGROUND" }};
--ak-dark-foreground-darker: #{{ env "AUTHENTIK_COLOR_FOREGROUND_DARKER" }};
--ak-dark-foreground-link: #{{ env "AUTHENTIK_COLOR_FOREGROUND_LINK" }};
--ak-dark-background: #{{ env "AUTHENTIK_COLOR_BACKGROUND" }};
--ak-dark-background-darker: #{{ env "AUTHENTIK_COLOR_BACKGROUND_DARKER" }};
--ak-dark-background-light: #{{ env "AUTHENTIK_COLOR_BACKGROUND_LIGHT" }};
--ak-dark-background-light-ish: #{{ env "AUTHENTIK_COLOR_BACKGROUND_LIGHTISH" }};
--ak-dark-background-lighter: #{{ env "AUTHENTIK_COLOR_BACKGROUND_LIGHTER" }};
--pf-c-background-image--BackgroundImage: var(--ak-flow-background);
--pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
--pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
--pf-c-background-image--BackgroundImage--sm-2x: var(--ak-flow-background);
--pf-c-background-image--BackgroundImage--lg: var(--ak-flow-background);
}
.pf-c-login__main {
background-color: {{ env "BACKGROUND_BOX_COLOR" }};
}
.pf-c-content h1 {
color: {{ env "BACKGROUND_FONT_COLOR" }};
}

405
custom_flows.yaml.tmpl Normal file
View File

@ -0,0 +1,405 @@
version: 1
metadata:
labels:
blueprints.goauthentik.io/instantiate: "true"
name: Custom - Flows
context:
welcome_message: {{ if eq (env "WELCOME_MESSAGE") "" }} "Welcome to authentik!" {{ else }} {{ env "WELCOME_MESSAGE" }} {{ end }}
####### Translations ########
transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort Zurücksetzen" {{ else }} "Reset your password" {{ end }}
transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort" {{ else }} "Password" {{ end }}
transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort (wiederholen)" {{ else }} "Password (repeat)" {{ end }}
transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Benutzername" {{ else }} "Username" {{ end }}
transl_name: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Vor- und Nachname" {{ else }} "Full name" {{ end }}
entries:
######## Email Recovery Flow ########
- identifiers:
slug: default-recovery-flow
id: recovery_flow
model: authentik_flows.flow
attrs:
name: Default recovery flow
title: !Context transl_recovery
designation: recovery
### PROMPTS
- identifiers:
field_key: password
id: prompt-field-password
model: authentik_stages_prompt.prompt
attrs:
label: !Context transl_password
type: password
required: true
placeholder: !Context transl_password
order: 30
placeholder_expression: false
- identifiers:
field_key: password_repeat
id: prompt-field-password-repeat
model: authentik_stages_prompt.prompt
attrs:
label: !Context transl_password_repeat
type: password
required: true
placeholder: !Context transl_password_repeat
order: 31
placeholder_expression: false
### STAGES
- identifiers:
name: default-recovery-email
id: default-recovery-email
model: authentik_stages_email.emailstage
attrs:
use_global_settings: true
token_expiry: {{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }} 30 {{ else }} {{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }} {{ end }}
subject: {{ if eq (env "EMAIL_SUBJECT") "" }} "Account Recovery" {{ else }} "{{ env "EMAIL_SUBJECT" }}" {{ end }}
template: email/password_reset.html
activate_user_on_success: true
- identifiers:
name: default-recovery-user-write
id: default-recovery-user-write
model: authentik_stages_user_write.userwritestage
- identifiers:
name: default-recovery-identification
id: default-recovery-identification
model: authentik_stages_identification.identificationstage
attrs:
user_fields:
- email
- username
- identifiers:
name: default-recovery-user-login
id: default-recovery-user-login
model: authentik_stages_user_login.userloginstage
attrs:
session_duration: seconds=0
- identifiers:
name: Change your password
id: stage-prompt-password
model: authentik_stages_prompt.promptstage
attrs:
fields:
- !KeyOf prompt-field-password
- !KeyOf prompt-field-password-repeat
validation_policies: []
### STAGE BINDINGS
- identifiers:
target: !KeyOf recovery_flow
stage: !KeyOf default-recovery-identification
order: 10
model: authentik_flows.flowstagebinding
id: flow-binding-identification
attrs:
evaluate_on_plan: true
re_evaluate_policies: true
policy_engine_mode: any
invalid_response_action: retry
- identifiers:
target: !KeyOf recovery_flow
stage: !KeyOf default-recovery-email
order: 20
model: authentik_flows.flowstagebinding
id: flow-binding-email
attrs:
evaluate_on_plan: true
re_evaluate_policies: true
policy_engine_mode: any
invalid_response_action: retry
- identifiers:
target: !KeyOf recovery_flow
stage: !KeyOf stage-prompt-password
order: 30
model: authentik_flows.flowstagebinding
attrs:
evaluate_on_plan: true
re_evaluate_policies: false
policy_engine_mode: any
invalid_response_action: retry
- identifiers:
target: !KeyOf recovery_flow
stage: !KeyOf default-recovery-user-write
order: 40
model: authentik_flows.flowstagebinding
attrs:
evaluate_on_plan: true
re_evaluate_policies: false
policy_engine_mode: any
invalid_response_action: retry
- identifiers:
target: !KeyOf recovery_flow
stage: !KeyOf default-recovery-user-login
order: 100
model: authentik_flows.flowstagebinding
attrs:
evaluate_on_plan: true
re_evaluate_policies: false
policy_engine_mode: any
invalid_response_action: retry
### POLICIES
## ISSUES with this policy
## https://github.com/goauthentik/authentik/blob/493cdd5c0f8caaec7a7dd474f1aa131e32fd39c3/blueprints/example/flows-recovery-email-verification.yaml#L37
## https://github.com/goauthentik/authentik/commit/317e9ec6053742e17ba74fb6aa38dc15aaf6657f#diff-a5c56bb7c60e27dda1b131b3fc2a17e3af6624e7cfaaa2337ec6b077ca489f34
# - identifiers:
# name: default-recovery-skip-if-restored
# id: default-recovery-skip-if-restored
# model: authentik_policies_expression.expressionpolicy
# attrs:
# expression: |
# return request.context.get('is_restored', False)
### POLICY BINDINGS
# - identifiers:
# policy: !KeyOf default-recovery-skip-if-restored
# target: !KeyOf flow-binding-identification
# order: 0
# model: authentik_policies.policybinding
# attrs:
# negate: false
# enabled: true
# timeout: 30
# - identifiers:
# policy: !KeyOf default-recovery-skip-if-restored
# target: !KeyOf flow-binding-email
# order: 0
# model: authentik_policies.policybinding
# attrs:
# negate: false
# enabled: true
# timeout: 30
######## Authentication Flow ########
- attrs:
designation: authentication
name: custom-authentication-flow
title: !Context welcome_message
identifiers:
slug: custom-authentication-flow
id: authentication_flow
model: authentik_flows.flow
### STAGES
- attrs:
backends:
- authentik.core.auth.InbuiltBackend
- authentik.sources.ldap.auth.LDAPBackend
- authentik.core.auth.TokenBackend
configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]
identifiers:
name: custom-authentication-password
id: custom-authentication-password
model: authentik_stages_password.passwordstage
- identifiers:
name: custom-authentication-mfa-validation
id: custom-authentication-mfa-validation
model: authentik_stages_authenticator_validate.authenticatorvalidatestage
- attrs:
password_stage: !KeyOf custom-authentication-password
recovery_flow: !KeyOf recovery_flow # !Find [authentik_flows.flow, [slug, default-recovery-flow]]
user_fields:
- email
- username
identifiers:
name: custom-authentication-identification
id: custom-authentication-identification
model: authentik_stages_identification.identificationstage
- attrs:
session_duration: seconds=0
identifiers:
name: custom-authentication-login
id: custom-authentication-login
model: authentik_stages_user_login.userloginstage
### STAGE BINDINGS
- identifiers:
order: 10
stage: !KeyOf custom-authentication-identification
target: !KeyOf authentication_flow
model: authentik_flows.flowstagebinding
- identifiers:
order: 30
stage: !KeyOf custom-authentication-mfa-validation
target: !KeyOf authentication_flow
model: authentik_flows.flowstagebinding
- identifiers:
order: 100
stage: !KeyOf custom-authentication-login
target: !KeyOf authentication_flow
model: authentik_flows.flowstagebinding
######## Invitation Enrollment Flow ########
- attrs:
designation: enrollment
name: invitation-enrollment-flow
title: !Context welcome_message
identifiers:
slug: invitation-enrollment-flow
id: invitation-enrollment-flow
model: authentik_flows.flow
### PROMPTS
- identifiers:
field_key: username
id: prompt-field-username
model: authentik_stages_prompt.prompt
attrs:
label: !Context transl_username
type: username
required: true
placeholder: !Context transl_username
order: 0
placeholder_expression: false
- identifiers:
field_key: name
id: prompt-field-name
model: authentik_stages_prompt.prompt
attrs:
label: !Context transl_name
type: text
required: true
placeholder: !Context transl_name
order: 1
placeholder_expression: false
- identifiers:
field_key: email
label: Email
id: prompt-field-email
model: authentik_stages_prompt.prompt
attrs:
type: email
required: true
placeholder: muster@example.com
order: 2
placeholder_expression: false
### STAGES
- id: invitation-stage
identifiers:
name: invitation-stage
model: authentik_stages_invitation.invitationstage
- attrs:
fields:
- !KeyOf prompt-field-username
- !KeyOf prompt-field-name
- !KeyOf prompt-field-email
- !KeyOf prompt-field-password
- !KeyOf prompt-field-password-repeat
id: enrollment-prompt-userdata
identifiers:
name: enrollment-prompt-userdata
model: authentik_stages_prompt.promptstage
- id: enrollment-user-write
identifiers:
name: enrollment-user-write
model: authentik_stages_user_write.userwritestage
- attrs:
session_duration: seconds=0
id: enrollment-user-login
identifiers:
name: enrollment-user-login
model: authentik_stages_user_login.userloginstage
### STAGE BINDINGS
- identifiers:
order: 1
stage: !KeyOf invitation-stage
target: !KeyOf invitation-enrollment-flow
model: authentik_flows.flowstagebinding
- identifiers:
order: 10
stage: !KeyOf enrollment-prompt-userdata
target: !KeyOf invitation-enrollment-flow
model: authentik_flows.flowstagebinding
- identifiers:
order: 20
stage: !KeyOf enrollment-user-write
target: !KeyOf invitation-enrollment-flow
model: authentik_flows.flowstagebinding
- identifiers:
order: 100
stage: !KeyOf enrollment-user-login
target: !KeyOf invitation-enrollment-flow
model: authentik_flows.flowstagebinding
######## Invalidation Flow ########
- identifiers:
slug: logout-flow
id: logout-flow
model: authentik_flows.flow
attrs:
name: Logout
title: Logout Flow
designation: invalidation
### STAGES
- id: logout-stage
identifiers:
name: logout-stage
model: authentik_stages_user_logout.userlogoutstage
### STAGE BINDINGS
- identifiers:
order: 0
stage: !KeyOf logout-stage
target: !KeyOf logout-flow
model: authentik_flows.flowstagebinding
attrs:
re_evaluate_policies: true
id: logout-stage-binding
### POLICIES
- attrs:
execution_logging: true
expression: 'context[''flow_plan''].context[''redirect''] = ''{{ env "LOGOUT_REDIRECT" }}''
return True'
identifiers:
name: redirect-policy
id: redirect-policy
model: authentik_policies_expression.expressionpolicy
### POLICY BINDINGS
- identifiers:
policy: !KeyOf redirect-policy
target: !KeyOf logout-stage-binding
order: 0
model: authentik_policies.policybinding
attrs:
enabled: {{ if eq (env "LOGOUT_REDIRECT") "" }} false {{ else }} true {{ end }}
timeout: 30
######## System Tenant ##########
- attrs:
attributes:
settings:
locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }}
# branding_favicon: /static/dist/assets/icons/icon.png
# branding_logo: /static/dist/assets/icons/icon_left_brand.svg
# branding_title: Authentik
# default: true
domain: {{ env "DOMAIN" }}
# event_retention: days=365
flow_authentication: !KeyOf authentication_flow
flow_recovery: !KeyOf recovery_flow
flow_invalidation: !KeyOf logout-flow
flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
identifiers:
pk: 047cce25-aae2-4b02-9f96-078e155f803d
id: system_tenant
model: authentik_tenants.tenant

5
entrypoint-css-volume.sh
View File

@ -1,5 +0,0 @@
#!/bin/sh
cp -f /web/dist/assets/custom.css /web/dist/custom.css
su $(id -un 1000) -s /bin/bash -c 'dumb-init -- ak server'

45
entrypoint.postgres.sh.tmpl
View File

@ -1,45 +0,0 @@
#!/bin/bash
set -e
MIGRATION_MARKER=$PGDATA/migration_in_progress
OLDDATA=$PGDATA/old_data
NEWDATA=$PGDATA/new_data
if [ -e $MIGRATION_MARKER ]; then
echo "FATAL: migration was started but did not complete in a previous run. manual recovery necessary"
exit 1
fi
if [ -f $PGDATA/PG_VERSION ]; then
DATA_VERSION=$(cat $PGDATA/PG_VERSION)
if [ -n "$DATA_VERSION" -a "$PG_MAJOR" != "$DATA_VERSION" ]; then
echo "postgres data version $DATA_VERSION found, but need $PG_MAJOR. Starting migration"
echo "Installing postgres $DATA_VERSION"
sed -i "s/$/ $DATA_VERSION/" /etc/apt/sources.list.d/pgdg.list
apt-get update && apt-get install -y --no-install-recommends \
postgresql-$DATA_VERSION \
&& rm -rf /var/lib/apt/lists/*
echo "shuffling around"
chown -R postgres:postgres $PGDATA
gosu postgres mkdir $OLDDATA $NEWDATA
chmod 700 $OLDDATA $NEWDATA
mv $PGDATA/* $OLDDATA/ || true
touch $MIGRATION_MARKER
echo "running initdb"
# abuse entrypoint script for initdb by making server error out
gosu postgres bash -c "export PGDATA=$NEWDATA ; /usr/local/bin/docker-entrypoint.sh --invalid-arg || true"
echo "running pg_upgrade"
cd /tmp
gosu postgres pg_upgrade --link -b /usr/lib/postgresql/$DATA_VERSION/bin -d $OLDDATA -D $NEWDATA -U $POSTGRES_USER
cp $OLDDATA/pg_hba.conf $NEWDATA/
mv $NEWDATA/* $PGDATA
rm -rf $OLDDATA
rmdir $NEWDATA
rm $MIGRATION_MARKER
echo "migration complete"
fi
fi
/usr/local/bin/docker-entrypoint.sh postgres

2
flow_authentication.yaml.tmpl
View File

@ -37,7 +37,7 @@ entries:
name: default-authentication-login
model: authentik_stages_user_login.userloginstage
attrs:
session_duration: days=30
session_duration: seconds=0
# After the first run this will produce a RelatedObjectDoesNotExist error
- identifiers:

14
flow_invitation.yaml.tmpl
View File

@ -24,18 +24,6 @@ entries:
id: invitation-enrollment-flow
model: authentik_flows.flow
### POLICIES
- attrs:
expression: |
if not regex_match(request.context.get('prompt_data').get('username'), '\s'):
return True
ak_message("Username must not contain any whitespace!")
return False
id: username-without-spaces-policy
identifiers:
name: username-without-spaces-policy
model: authentik_policies_expression.expressionpolicy
### STAGES
- identifiers:
name: invitation-stage
@ -53,8 +41,6 @@ entries:
- !Find [authentik_stages_prompt.prompt, [name, default-user-settings-field-email]]
- !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password]]
- !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password-repeat]]
validation_policies:
- !Find [ authentik_policies_expression.expressionpolicy, [name, username-without-spaces-policy]]
### STAGE BINDINGS
- identifiers:

48
hedgedoc.yaml.tmpl
View File

@ -1,48 +0,0 @@
version: 1
metadata:
labels:
blueprints.goauthentik.io/instantiate: "true"
name: hedgedoc
entries:
- attrs:
access_code_validity: minutes=1
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_id: {{ secret "hedgedoc_id" }}
client_secret: {{ secret "hedgedoc_secret" }}
client_type: confidential
include_claims_in_id_token: true
issuer_mode: per_provider
redirect_uris:
- matching_mode: strict
url: https://{{ env "HEDGEDOC_DOMAIN" }}/auth/oauth2/callback
name: Hedgedoc
property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
sub_mode: hashed_user_id
token_validity: days=30
conditions: []
id: hedgedoc_provider
identifiers:
pk: 9992
model: authentik_providers_oauth2.oauth2provider
state: present
- attrs:
meta_launch_url: https://{{ env "HEDGEDOC_DOMAIN" }}/auth/oauth2
open_in_new_tab: true
policy_engine_mode: any
provider: !KeyOf hedgedoc_provider
slug: hedgedoc
conditions: []
id: hedgedoc_application
identifiers:
name: Hedgedoc
model: authentik_core.application
state: present

BIN
icons/bbb.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 6.7 KiB

BIN
icons/bbb.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 94 KiB

BIN
icons/hedgedoc.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 9.2 KiB

8
icons/help.svg
View File

@ -1,8 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
<svg width="800px" height="800px" viewBox="0 0 48 48" fill="none" xmlns="http://www.w3.org/2000/svg">
<rect width="48" height="48" fill="white" fill-opacity="0.01"/>
<path d="M24 44C29.5228 44 34.5228 41.7614 38.1421 38.1421C41.7614 34.5228 44 29.5228 44 24C44 18.4772 41.7614 13.4772 38.1421 9.85786C34.5228 6.23858 29.5228 4 24 4C18.4772 4 13.4772 6.23858 9.85786 9.85786C6.23858 13.4772 4 18.4772 4 24C4 29.5228 6.23858 34.5228 9.85786 38.1421C13.4772 41.7614 18.4772 44 24 44Z" fill="#2F88FF" stroke="#000000" stroke-width="4" stroke-linejoin="round"/>
<path d="M24 28.6249V24.6249C27.3137 24.6249 30 21.9386 30 18.6249C30 15.3112 27.3137 12.6249 24 12.6249C20.6863 12.6249 18 15.3112 18 18.6249" stroke="white" stroke-width="4" stroke-linecap="round" stroke-linejoin="round"/>
<path fill-rule="evenodd" clip-rule="evenodd" d="M24 37.6249C25.3807 37.6249 26.5 36.5056 26.5 35.1249C26.5 33.7442 25.3807 32.6249 24 32.6249C22.6193 32.6249 21.5 33.7442 21.5 35.1249C21.5 36.5056 22.6193 37.6249 24 37.6249Z" fill="white"/>
</svg>
Side by Side

Before

Width:  |  Height:  |  Size: 1.1 KiB

BIN
icons/kimai_logo.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 30 KiB

BIN
icons/outline.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 6.9 KiB

1
icons/pretix.svg
View File

@ -1 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?><svg id="Ebene_1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 128 128"><defs><style>.cls-1{fill:#3b1c4a;}</style></defs><path class="cls-1" d="m50.67,56.95c-.72.1-1.22.3-1.66.5l2.38,16.91c.41.08.95.13,1.6.04,3.52-.5,4.61-3.64,3.81-9.39-.83-5.87-2.53-8.56-6.12-8.06Z"/><path class="cls-1" d="m116.04,35.05c.71-.17,1.16-.76,1.06-1.48L112.54,1.13c-.1-.72-.77-1.22-1.49-1.12l-37.5,5.27.73,5.22c.16,1.12-.62,2.15-1.74,2.31s-2.15-.62-2.31-1.74l-.73-5.22L1.13,15.46c-.72.1-1.22.77-1.12,1.49l4.56,32.44c.1.72.7,1.17,1.42,1.13,11.25-.92,21.43,7.1,23.03,18.46,1.6,11.36-5.99,21.81-17.07,23.96-.71.17-1.16.76-1.06,1.48l4.56,32.44c.1.72.77,1.22,1.49,1.12l68.37-9.61-.73-5.22c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l.73,5.22,37.5-5.27c.72-.1,1.22-.77,1.12-1.49l-4.56-32.44c-.1-.72-.7-1.17-1.42-1.13-11.25.92-21.42-7.04-23.02-18.4-1.6-11.36,5.98-21.87,17.06-24.03Zm-59.84,44.75c-1.76.25-3.29.26-4.04.17l1.59,11.29-9.92,1.39-5.3-37.73c2.5-1.62,5.96-3.03,11.38-3.8,8.68-1.22,15.27,2.58,16.66,12.44,1.25,8.88-3.12,15.21-10.36,16.23Zm30.73,20.71c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31,1.12-.16,2.15.62,2.31,1.74l1.47,10.44Zm-3.16-22.45c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l1.47,10.44Z"/></svg>
Side by Side

Before

Width:  |  Height:  |  Size: 1.6 KiB

12
icons/support.svg
View File

@ -1,12 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
<svg width="800px" height="800px" viewBox="0 0 512 512" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<title>support</title>
<g id="Page-1" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
<g id="support" fill="#000000" transform="translate(42.666667, 42.666667)">
<path d="M379.734355,174.506667 C373.121022,106.666667 333.014355,-2.13162821e-14 209.067688,-2.13162821e-14 C85.1210217,-2.13162821e-14 45.014355,106.666667 38.4010217,174.506667 C15.2012632,183.311569 -0.101643453,205.585799 0.000508304259,230.4 L0.000508304259,260.266667 C0.000508304259,293.256475 26.7445463,320 59.734355,320 C92.7241638,320 119.467688,293.256475 119.467688,260.266667 L119.467688,230.4 C119.360431,206.121456 104.619564,184.304973 82.134355,175.146667 C86.4010217,135.893333 107.307688,42.6666667 209.067688,42.6666667 C310.827688,42.6666667 331.521022,135.893333 335.787688,175.146667 C313.347976,184.324806 298.68156,206.155851 298.667688,230.4 L298.667688,260.266667 C298.760356,283.199651 311.928618,304.070103 332.587688,314.026667 C323.627688,330.88 300.801022,353.706667 244.694355,360.533333 C233.478863,343.50282 211.780225,336.789048 192.906491,344.509658 C174.032757,352.230268 163.260418,372.226826 167.196286,392.235189 C171.132153,412.243552 188.675885,426.666667 209.067688,426.666667 C225.181549,426.577424 239.870491,417.417465 247.041022,402.986667 C338.561022,392.533333 367.787688,345.386667 376.961022,317.653333 C401.778455,309.61433 418.468885,286.351502 418.134355,260.266667 L418.134355,230.4 C418.23702,205.585799 402.934114,183.311569 379.734355,174.506667 Z M76.8010217,260.266667 C76.8010217,269.692326 69.1600148,277.333333 59.734355,277.333333 C50.3086953,277.333333 42.6676884,269.692326 42.6676884,260.266667 L42.6676884,230.4 C42.6676884,224.302667 45.9205765,218.668499 51.2010216,215.619833 C56.4814667,212.571166 62.9872434,212.571166 68.2676885,215.619833 C73.5481336,218.668499 76.8010217,224.302667 76.8010217,230.4 L76.8010217,260.266667 Z M341.334355,230.4 C341.334355,220.97434 348.975362,213.333333 358.401022,213.333333 C367.826681,213.333333 375.467688,220.97434 375.467688,230.4 L375.467688,260.266667 C375.467688,269.692326 367.826681,277.333333 358.401022,277.333333 C348.975362,277.333333 341.334355,269.692326 341.334355,260.266667 L341.334355,230.4 Z">
</path>
</g>
</g>
</svg>
Side by Side

Before

Width:  |  Height:  |  Size: 2.5 KiB

6
icons/vaultwarden.svg
View File

File diff suppressed because one or more lines are too long
Side by Side

Before

Width:  |  Height:  |  Size: 6.8 KiB

30
icons/zammad.svg
View File

@ -1,30 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg width="126px" height="108px" viewBox="0 0 42 36" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:sketch="http://www.bohemiancoding.com/sketch/ns">
<!-- Generator: Sketch 3.3.2 (12043) - http://www.bohemiancoding.com/sketch -->
<title>logo</title>
<desc>Created with Sketch.</desc>
<defs/>
<g id="Page-1" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd" sketch:type="MSPage">
<g id="logo" sketch:type="MSArtboardGroup">
<g sketch:type="MSLayerGroup" transform="translate(1.000000, 0.000000)" id="Shape">
<path d="M27.3375,12.6 L36.72,9.72 L31.1625,13.2525 L27.3375,12.6 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
<path d="M33.0525,19.62 L31.1625,13.2525 L36.72,9.72 L35.055,15.435 L33.0525,19.62 Z" fill="#E84F83" sketch:type="MSShapeGroup"/>
<path d="M39.465,7.9875 L38.43,9.72 L35.055,15.435 L36.72,9.72 L39.465,7.9875 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
<path d="M39.8025,9.1125 L37.1925,11.79 L38.43,9.72 L39.8025,9.1125 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
<path d="M27.9,10.8225 L35.5725,10.0575 L30.24,11.7 L27.9,10.8225 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
<path d="M28.1925,15.165 L31.1625,13.2525 L33.0525,19.62 L32.0625,21.645 L28.1925,15.165 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
<path d="M23.76,22.725 L22.3425,5.4 L32.0625,21.645 L23.76,22.725 Z" fill="#B7DFF2" sketch:type="MSShapeGroup"/>
<path d="M19.7325,27.1575 L23.76,22.725 L32.0625,21.645 L19.7325,27.1575 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
<path d="M0.1575,35.865 L19.7325,27.1575 L23.76,22.725 L17.37,22.0725 L0.1575,35.865 Z" fill="#FFCE33" sketch:type="MSShapeGroup"/>
<path d="M0.9,28.755 L10.9575,27.225 L14.085,24.705 L12.555,24.03 L0.9,28.755 Z" fill="#D6B12D" sketch:type="MSShapeGroup"/>
<path d="M4.5225,20.5425 L14.085,24.705 L17.37,22.0725 L4.5225,20.5425 Z" fill="#FFDE85" sketch:type="MSShapeGroup"/>
<path d="M21.6225,11.6775 L20.4075,11.88 L17.37,22.0725 L20.655,20.0025 L21.6225,11.6775 Z" fill="#009EC6" sketch:type="MSShapeGroup"/>
<path d="M23.4,18.2475 L20.655,20.0025 L22.3425,5.4 L23.4,18.2475 Z" fill="#5EAFCE" sketch:type="MSShapeGroup"/>
<path d="M13.0275,13.05 L21.6225,11.6775 L22.005,8.28 L13.0275,13.05 Z" fill="#045972" sketch:type="MSShapeGroup"/>
<path d="M12.105,5.085 L19.575,9.585 L22.005,8.28 L22.0725,7.8075 L12.105,5.085 Z" fill="#5A8591" sketch:type="MSShapeGroup"/>
<path d="M13.5675,0.18 L20.3625,7.335 L22.0725,7.8075 L22.3425,5.4 L13.5675,0.18 Z" fill="#009EC6" sketch:type="MSShapeGroup"/>
<path d="M17.37,22.0725 L23.4,18.2475 L23.76,22.725 L17.37,22.0725 Z" fill="#F39804" sketch:type="MSShapeGroup"/>
</g>
</g>
</g>
</svg>
Side by Side

Before

Width:  |  Height:  |  Size: 3.0 KiB

50
kimai.yaml.tmpl
View File

@ -1,50 +0,0 @@
version: 1
metadata:
labels:
blueprints.goauthentik.io/instantiate: "true"
name: kimai
entries:
- attrs:
acs_url: https://{{ env "KIMAI_DOMAIN" }}/auth/saml/acs
assertion_valid_not_before: minutes=-5
assertion_valid_not_on_or_after: minutes=5
audience: https://{{ env "KIMAI_DOMAIN" }}/auth/saml
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
issuer: https://{{ env "DOMAIN" }}
name: Kimai
name_id_mapping: !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
property_mappings:
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Name"]]
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Email"]]
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: User ID"]]
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Groups"]]
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: UPN"]]
session_valid_not_on_or_after: minutes=86400
sign_assertion: true
signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
sp_binding: post
conditions: []
id: kimai_provider
identifiers:
pk: 9991
model: authentik_providers_saml.samlprovider
state: present
- attrs:
meta_launch_url: https://{{ env "KIMAI_DOMAIN" }}/auth/saml/login
open_in_new_tab: true
policy_engine_mode: any
provider: !KeyOf kimai_provider
slug: kimai
conditions: []
id: kimai_application
identifiers:
name: Kimai
model: authentik_core.application
state: present

9
matrix.yaml.tmpl
View File

@ -8,17 +8,12 @@ entries:
- attrs:
access_code_validity: minutes=1
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_id: {{ secret "matrix_id" }}
client_secret: {{ secret "matrix_secret" }}
client_type: confidential
include_claims_in_id_token: true
issuer_mode: per_provider
redirect_uris:
- matching_mode: strict
url: https://{{ env "MATRIX_DOMAIN" }}/_synapse/client/oidc/callback
name: Matrix
property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
@ -39,10 +34,10 @@ entries:
open_in_new_tab: true
policy_engine_mode: any
provider: !KeyOf matrix_provider
name: Element
slug: matrix
conditions: []
id: matrix_application
identifiers:
slug: matrix
name: Matrix
model: authentik_core.application
state: present

7
monitoring.yaml.tmpl
View File

@ -8,17 +8,12 @@ entries:
- attrs:
access_code_validity: minutes=1
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_id: {{ secret "monitoring_id" }}
client_secret: {{ secret "monitoring_secret" }}
client_type: confidential
include_claims_in_id_token: true
issuer_mode: per_provider
redirect_uris:
- matching_mode: strict
url: https://{{ env "MONITORING_DOMAIN" }}/login/generic_oauth
name: Monitoring
property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
@ -30,7 +25,7 @@ entries:
conditions: []
id: monitoring_provider
identifiers:
pk: 9990
pk: 9994
model: authentik_providers_oauth2.oauth2provider
state: present

5
nextcloud.yaml.tmpl
View File

@ -20,17 +20,12 @@ entries:
- attrs:
access_code_validity: minutes=1
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_id: {{ secret "nextcloud_id" }}
client_secret: {{ secret "nextcloud_secret" }}
client_type: confidential
include_claims_in_id_token: true
issuer_mode: per_provider
redirect_uris:
- matching_mode: strict
url: https://{{ env "NEXTCLOUD_DOMAIN" }}/apps/sociallogin/custom_oidc/authentik
name: Nextcloud
property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]

48
outline.yaml.tmpl
View File

@ -1,48 +0,0 @@
version: 1
metadata:
labels:
blueprints.goauthentik.io/instantiate: "true"
name: outline
entries:
- attrs:
access_code_validity: minutes=1
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_id: {{ secret "outline_id" }}
client_secret: {{ secret "outline_secret" }}
client_type: confidential
include_claims_in_id_token: true
issuer_mode: per_provider
redirect_uris:
- matching_mode: strict
url: https://{{ env "OUTLINE_DOMAIN" }}/auth/oidc.callback
name: Outline
property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
sub_mode: hashed_user_id
token_validity: days=30
conditions: []
id: outline_provider
identifiers:
pk: 9994
model: authentik_providers_oauth2.oauth2provider
state: present
- attrs:
meta_launch_url: https://{{ env "OUTLINE_DOMAIN" }}/auth/oidc
open_in_new_tab: true
policy_engine_mode: any
provider: !KeyOf outline_provider
slug: outline
conditions: []
id: outline_application
identifiers:
name: Outline
model: authentik_core.application
state: present

34
pg_backup.sh
View File

@ -1,34 +0,0 @@
#!/bin/bash
set -e
BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
function backup {
export PGPASSWORD=$(cat /run/secrets/db_password)
pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
}
function restore {
cd /var/lib/postgresql/data/
restore_config(){
# Restore allowed connections
cat pg_hba.conf.bak > pg_hba.conf
su postgres -c 'pg_ctl reload'
}
# Don't allow any other connections than local
cp pg_hba.conf pg_hba.conf.bak
echo "local all all trust" > pg_hba.conf
su postgres -c 'pg_ctl reload'
trap restore_config EXIT INT TERM
# Recreate Database
psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);"
createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
trap - EXIT INT TERM
restore_config
}
$@

48
rallly.yaml.tmpl
View File

@ -1,48 +0,0 @@
version: 1
metadata:
labels:
blueprints.goauthentik.io/instantiate: "true"
name: rallly
entries:
- attrs:
access_code_validity: minutes=1
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_id: {{ secret "rallly_id" }}
client_secret: {{ secret "rallly_secret" }}
client_type: confidential
include_claims_in_id_token: true
issuer_mode: per_provider
redirect_uris:
- matching_mode: strict
url: https://{{ env "RALLLY_DOMAIN" }}/api/auth/callback/oidc
name: Rallly
property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
sub_mode: hashed_user_id
token_validity: days=30
conditions: []
id: rallly_provider
identifiers:
pk: 9993
model: authentik_providers_oauth2.oauth2provider
state: present
- attrs:
meta_launch_url: https://{{ env "RALLLY_DOMAIN" }}
open_in_new_tab: true
policy_engine_mode: any
provider: !KeyOf rallly_provider
slug: rallly
conditions: []
id: rallly_application
identifiers:
name: Rallly
model: authentik_core.application
state: present

1
release/4.0.0+2023.10.5
View File

@ -1 +0,0 @@
It is only possible to upgrade to 2023.10 from 2023.8, you need to update to 2023.8.x before applying this update

1
release/5.0.0+2024.2.2
View File

@ -1 +0,0 @@
Blueprint changes are applied and automatic migrations should work, however, manual action may be required: https://docs.goauthentik.io/docs/releases/2024.2

1
release/5.1.0+2024.2.3
View File

@ -1 +0,0 @@
Due to blueprint changes, you need to run the following command after upgrading: abra app cmd -C <Domain> worker apply_blueprints

1
release/6.0.0+2024.4.0
View File

@ -1 +0,0 @@
Alerta! ⚠️ If you are using AUTHENTIK_COLOR_BACKGROUND_LIGHT, you will need to set COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"

1
release/6.1.0+2024.4.2
View File

@ -1 +0,0 @@
Blueprint for Kimai SSO integration added

1
release/6.11.0+2024.10.5
View File

@ -1 +0,0 @@
Fix Impersonate Bug

1
release/6.6.0+2024.8.2
View File

@ -1 +0,0 @@
Replaced icon bbb.jpg with icon.png - configs need to be updated when upgrading!

3
release/6.7.0+2024.8.3
View File

@ -1,3 +0,0 @@
Two critical vulnerabilities were closed:
https://github.com/goauthentik/authentik/security/advisories/GHSA-7jxf-mmg9-9hg7
https://github.com/goauthentik/authentik/security/advisories/GHSA-8gfm-pr6x-pfh9

17
system_brand.yaml.tmpl → system_tenant.yaml.tmpl
View File

@ -2,13 +2,13 @@ version: 1
metadata:
labels:
blueprints.goauthentik.io/instantiate: "true"
name: Custom System brand
name: Custom System Tenant
entries:
### DEPENDENCIES
- model: authentik_blueprints.metaapplyblueprint
attrs:
identifiers:
name: Default - Brand
name: Default - Tenant
required: true
- model: authentik_blueprints.metaapplyblueprint
attrs:
@ -17,22 +17,19 @@ entries:
required: true
### SYSTEM BRAND
# remove custom brand from old recipe
### SYSTEM TENANT
# remove custom tenant from old recipe
- identifiers:
domain: {{ env "DOMAIN" }}
model: authentik_brands.brand
model: authentik_tenants.tenant
state: absent
- attrs:
attributes:
settings:
locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }} {{ if ne (env "THEME_BACKGROUND") "" }}
theme:
background: >
background: {{ env "THEME_BACKGROUND" }} {{ end }}
locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }}
flow_recovery: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
identifiers:
default: true
domain: authentik-default
model: authentik_brands.brand
model: authentik_tenants.tenant

5
vikunja.yaml.tmpl
View File

@ -8,17 +8,12 @@ entries:
- attrs:
access_code_validity: minutes=1
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_id: {{ secret "vikunja_id" }}
client_secret: {{ secret "vikunja_secret" }}
client_type: confidential
include_claims_in_id_token: true
issuer_mode: per_provider
redirect_uris:
- matching_mode: strict
url: https://{{ env "VIKUNJA_DOMAIN" }}/auth/openid/authentik
name: Vikunja
property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]

5
wekan.yaml.tmpl
View File

@ -25,17 +25,12 @@ entries:
- attrs:
access_code_validity: minutes=1
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_id: {{ secret "wekan_id" }}
client_secret: {{ secret "wekan_secret" }}
client_type: confidential
include_claims_in_id_token: true
issuer_mode: per_provider
redirect_uris:
- matching_mode: strict
url: https://{{ env "WEKAN_DOMAIN" }}/_oauth/oidc
name: Wekan
property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]

5
wordpress.yaml.tmpl
View File

@ -8,17 +8,12 @@ entries:
- attrs:
access_code_validity: minutes=1
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_id: {{ secret "wordpress_id" }}
client_secret: {{ secret "wordpress_secret" }}
client_type: confidential
include_claims_in_id_token: true
issuer_mode: per_provider
redirect_uris:
- matching_mode: strict
url: https://{{ env "WORDPRESS_DOMAIN" }}/openid-connect-authorize
name: Wordpress
property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]

69
zammad.yaml.tmpl
View File

@ -1,69 +0,0 @@
version: 1
metadata:
labels:
blueprints.goauthentik.io/instantiate: "true"
name: zammad
entries:
- attrs:
expression: return request.user.name
managed: null
name: 'Zammad SAML Mapping: name'
saml_name: name
conditions: []
identifiers:
name: zammad_name_mapping
id: zammad_name_mapping
model: authentik_providers_saml.samlpropertymapping
state: present
- attrs:
expression: return request.user.email
managed: null
name: 'Zammad SAML Mapping: email'
saml_name: email
conditions: []
identifiers:
name: zammad_email_mapping
id: zammad_email_mapping
model: authentik_providers_saml.samlpropertymapping
state: present
- attrs:
acs_url: https://{{ env "ZAMMAD_DOMAIN" }}/auth/saml/callback
assertion_valid_not_before: minutes=-5
assertion_valid_not_on_or_after: minutes=5
audience: https://{{ env "ZAMMAD_DOMAIN" }}/auth/saml/metadata
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
issuer: https://{{ env "ZAMMAD_DOMAIN" }}/auth/saml/metadata
name: zammad
property_mappings:
- !KeyOf zammad_name_mapping
- !KeyOf zammad_email_mapping
session_valid_not_on_or_after: minutes=86400
sign_assertion: true
signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
sp_binding: post
conditions: []
id: zammad_provider
identifiers:
pk: 9989
model: authentik_providers_saml.samlprovider
state: present
- attrs:
meta_launch_url: ""
open_in_new_tab: true
policy_engine_mode: any
provider: !KeyOf zammad_provider
slug: zammad
conditions: []
id: zammad_application
identifiers:
name: Zammad
model: authentik_core.application
state: present