chore: publish 6.5.2+2024.6.5 release

.drone.yml

@@ -31,7 +31,6 @@ steps:
       SECRET_ADMIN_PASS_VERSION: v1
       SECRET_EMAIL_PASS_VERSION: v1
       DB_ENTRYPOINT_VERSION: v1
-      PG_BACKUP_VERSION: v2
 trigger:
   branch:
     - main
@@ -47,7 +46,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - toolshed/auto-recipes-catalogue-json
+        - coop-cloud/auto-recipes-catalogue-json
 
 trigger:
   event: tag

.env.sample

@@ -1,30 +1,21 @@
 TYPE=authentik
-#TIMEOUT=900
+TIMEOUT=900
 ENABLE_AUTO_UPDATE=true
-POST_DEPLOY_CMDS="worker set_admin_pass"
-# Example values for post deploy cmds: "worker set_admin_pass|worker apply_blueprints|worker add_applications"
+# POST_DEPLOY_CMDS="worker set_admin_pass|worker apply_blueprints|worker add_applications"
 LETS_ENCRYPT_ENV=production
-ENABLE_BACKUPS=true
 
 DOMAIN=authentik.example.com
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.authentik.example.com`'
-# Redirects
-# All redirect domains have to be added to extra_domains as well)
-# multiple redirects can be added by seperating them with a | character
-#REDIRECTS=www.authentik.example.com
 COMPOSE_FILE="compose.yml"
 AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME=false
 AUTHENTIK_LOG_LEVEL=info
-# AUTHENTIK_DISABLE_UPDATE_CHECK=false
 # AUTHENTIK_IMPERSONATION=true
 # AUTHENTIK_FOOTER_LINKS='[{"name": "My Organization","href":"https://example.com"}]'
 # WORKERS=1
 
 ## Outpost Integration
 # COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml"
-# COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.ldap.yml"
-# SECRET_LDAP_TOKEN_VERSION=v1
 
 ## ADMIN
 AUTHENTIK_BOOTSTRAP_EMAIL=admin@example.com
@@ -54,37 +45,21 @@ SECRET_EMAIL_PASS_VERSION=v1
 # EMAIL_SUBJECT="Account Recovery"
 # EMAIL_TOKEN_EXPIRY_MINUTES=30
 
-## assets
 COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
 COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/"
 COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 
-# store custom CSS in a css-volume
-#COMPOSE_FILE="$COMPOSE_FILE:compose.css-volume.yml"
-# NOTE: this causes the authentik container to run as `root` initially; it uses `su` to drop privileges but technically could introduce a security risk. proceed with caution!
-
 # Default CSS customisation
 # COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
 # BACKGROUND_FONT_COLOR=white
 # BACKGROUND_BOX_COLOR='#eaeaeacf'
 # THEME_BACKGROUND="url('https://authentik.example.com/static/dist/assets/images/flow_background.jpg'); background-position: center; background-repeat: no-repeat; background-size: cover;"
 
-# Group Name Variables to cluster Applications
-# GROUP_SUPPORT=Support
-# GROUP_HELP=Help
-# GROUP_ORGANISATION=Organisation
-# GROUP_COMMUNICATION=Communication
-# GROUP_COLLABORATION=Collaboration
-# GROUP_DOCUMENTATION=Documentation
-# GROUP_DEVELOPMENT=Development
-# GROUP_INFRASTRUCTURE=Infrastructure
-
 # COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
 # NEXTCLOUD_DOMAIN=nextcloud.example.com
 # SECRET_NEXTCLOUD_ID_VERSION=v1
 # SECRET_NEXTCLOUD_SECRET_VERSION=v1
 # APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"
-# NEXTCLOUD_APPGROUP="$GROUP_ORGANISATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.wordpress.yml"
 # WORDPRESS_DOMAIN=wordpress.example.com
@@ -92,7 +67,6 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 # SECRET_WORDPRESS_ID_VERSION=v1
 # SECRET_WORDPRESS_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS wordpress:~/.abra/recipes/authentik/icons/wordpress.png"
-# WORDPRESS_APPGROUP="$GROUP_DEVELOPMENT"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
 # ELEMENT_DOMAIN=element-web.example.com
@@ -100,68 +74,53 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 # SECRET_MATRIX_ID_VERSION=v1
 # SECRET_MATRIX_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS matrix:~/.abra/recipes/authentik/icons/matrix.svg"
-# MATRIX_APPGROUP="$GROUP_COMMUNICATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.wekan.yml"
 # WEKAN_DOMAIN=wekan.example.com
 # SECRET_WEKAN_ID_VERSION=v1
 # SECRET_WEKAN_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS wekan:~/.abra/recipes/authentik/icons/wekan.png"
-# WEKAN_APPGROUP="$GROUP_ORGANISATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.vikunja.yml"
 # VIKUNJA_DOMAIN=vikunja.example.com
 # SECRET_VIKUNJA_ID_VERSION=v1
 # SECRET_VIKUNJA_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS vikunja:~/.abra/recipes/authentik/icons/vikunja.svg"
-# VIKUNJA_APPGROUP="$GROUP_ORGANISATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.outline.yml"
 # OUTLINE_DOMAIN=outline.example.com
 # SECRET_OUTLINE_ID_VERSION=v1
 # SECRET_OUTLINE_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS outline:~/.abra/recipes/authentik/icons/outline.png"
-# OUTLINE_APPGROUP="$GROUP_DOCUMENTATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.kimai.yml"
 # KIMAI_DOMAIN=kimai.example.com
 # SECRET_KIMAI_ID_VERSION=v1
 # SECRET_KIMAI_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS kimai:~/.abra/recipes/authentik/icons/kimai_logo.png"
-# KIMAI_APPGROUP="$GROUP_ORGANISATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.zammad.yml"
 # ZAMMAD_DOMAIN=zammad.example.com
 # APP_ICONS="$APP_ICONS zammad:~/.abra/recipes/authentik/icons/zammad.svg"
-# ZAMMAD_APPGROUP="$GROUP_SUPPORT"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml"
 # MONITORING_DOMAIN=monitoring.example.com
 # SECRET_MONITORING_ID_VERSION=v1
 # SECRET_MONITORING_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.svg"
-# MONITORING_APPGROUP="$GROUP_INFRASTRUCTURE"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.rallly.yml"
 # RALLLY_DOMAIN=rallly.example.com
 # SECRET_RALLLY_ID_VERSION=v1
 # SECRET_RALLLY_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS rallly:~/.abra/recipes/authentik/icons/rallly.png"
-# RALLLY_APPGROUP="$GROUP_ORGANISATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.hedgedoc.yml"
 # HEDGEDOC_DOMAIN=hedgedoc.example.com
 # SECRET_HEDGEDOC_ID_VERSION=v1
 # SECRET_HEDGEDOC_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS hedgedoc:~/.abra/recipes/authentik/icons/hedgedoc.png"
-# HEDGEDOC_APPGROUP="$GROUP_DOCUMENTATION"
 
-# COMPOSE_FILE="$COMPOSE_FILE:compose.mila.yml"
-# MILA_DOMAIN=mila.example.com
-# SECRET_MILA_ID_VERSION=v1
-# SECRET_MILA_SECRET_VERSION=v1
-# APP_ICONS="$APP_ICONS mila:~/.abra/recipes/authentik/icons/mila.svg"
-# MILA_APPGROUP=""
-
-# APPLICATIONS='{"Calendar": {"url":"https://nextcloud.example.com/apps/calendar/", "group": ""}, "BBB": {"url":"https://nextcloud.example.com/apps/bbb/", "group":""}, "Pretix": {"url":"https://pretix.example.com/control/", "group":""}}'
-# EXTRA_ICONS={"Calendar": "~/.abra/recipes/authentik/icons/calendar.svg", "BBB": "~/.abra/recipes/authentik/icons/bbb.png", "Pretix": "~/.abra/recipes/authentik/icons/pretix.svg"}
+# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/"}'
+# APP_ICONS="$APP_ICONS Calendar:~/.abra/recipes/authentik/icons/calendar.svg"
+# APP_ICONS="$APP_ICONS BBB:~/.abra/recipes/authentik/icons/bbb.png"

.gitignore

@@ -1,2 +1 @@
 .envrc
-.cursorignore

README.md

@@ -52,26 +52,8 @@ APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"
 
 Set the nextcloud Icon using `abra app cmd -l -d <app_name> set_icons`
 
-Generate OAuth client id and secret using `abra app secret generate <app_name> -a` (all secrets) or individually:
-- `abra app secret generate <app_name> nextcloud_id`
-- `abra app secret generate <app_name> nextcloud_secret`
-
-Add the id and secret to nextcloud as secrets with:
-- `abra app secret insert <nextcloud_app_name> authentik_id v1 <id>`
-- `abra app secret insert <nextcloud_app_name> authentik_secret v1 <secret>`
-
-Redeploy Authentik to enable the nextcloud client.
-
 The configuration inside Nextcloud can be found in the [nextcloud recipe](https://git.coopcloud.tech/coop-cloud/nextcloud#authentik-integration)
 
-## Add LDAP outpost
-
-- Follow [this official guide](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap/generic_setup) and skip the LDAP Flow as we don't need it.
-- Copy token under `Applications` -> `Outposts` `-> `View Deployment Info` 
-- Comment in envs for compose.outposts.ldap.yaml and secret version
-- Insert token as secret `abra app secret insert <DOMAIN> ldap_token v1 <TOKEN>`
-- Update deployment -> Outpost should be up and running
-
 ## Import User from CSV
 
 Users can be imported from a CSV file of the following format:
@@ -105,25 +87,6 @@ Run this command after every deploy/upgrade:
 
 `abra app command --local <app-name> customize <assets_path>`
 
-## Custom CSS
-
-Uncomment the following env:
-
-```
-COMPOSE_FILE="$COMPOSE_FILE:compose.css-volume.yml"
-```
-
-Redeploy the app:
-```
-abra app deploy -f <app_name>
-```
-
-Copy the CSS and restart the container:
-```
-abra app cp <app_name> my_custom.css app:/web/dist/assets/custom.css
-abra app restart <app_name> app
-```
-
 ## Email templates
 
 Add custom [email templates](https://goauthentik.io/docs/flow/stages/email/#custom-templates):
@@ -134,15 +97,15 @@ Add custom [email templates](https://goauthentik.io/docs/flow/stages/email/#cust
 
 These blueprints overwrite default blueprint values:
 
-- `flow_translation.yaml`
-- `flow_authentication.yaml`
+- flow_translation.yaml
+- flow_authentication.yaml
 
 The following default blueprints will be overwritten by customizations:
 
-- `flow-password-change.yaml`
-- `flow-default-authentication-flow.yaml`
-- `flow-default-user-settings-flow.yaml`
-- `flow-default-source-enrollment.yaml`
+- flow-password-change.yaml
+- flow-default-authentication-flow.yaml
+- flow-default-user-settings-flow.yaml
+- flow-default-source-enrollment.yaml
 
 The `abra.sh` function `apply_blueprints` needs to be executed to deactivate these blueprints to ensure that the customizations won't be overwritten. It will further execute flow_translation.yaml and flow_authentication.yaml again.
 

abra.sh

@@ -1,62 +1,52 @@
-export CUSTOM_CSS_VERSION=v3
+export CUSTOM_CSS_VERSION=v2
 export FLOW_AUTHENTICATION_VERSION=v4
 export FLOW_INVITATION_VERSION=v2
 export FLOW_INVALIDATION_VERSION=v2
-export FLOW_RECOVERY_VERSION=v2
+export FLOW_RECOVERY_VERSION=v1
 export FLOW_TRANSLATION_VERSION=v3
 export SYSTEM_BRAND_VERSION=v4
-export NEXTCLOUD_CONFIG_VERSION=v3
-export WORDPRESS_CONFIG_VERSION=v6
-export MATRIX_CONFIG_VERSION=v3
-export WEKAN_CONFIG_VERSION=v5
-export VIKUNJA_CONFIG_VERSION=v3
-export OUTLINE_CONFIG_VERSION=v4
-export KIMAI_CONFIG_VERSION=v3
-export ZAMMAD_CONFIG_VERSION=v4
-export RALLLY_CONFIG_VERSION=v4
-export HEDGEDOC_CONFIG_VERSION=v3
-export MONITORING_CONFIG_VERSION=v4
-export MILA_CONFIG_VERSION=v1
+export NEXTCLOUD_CONFIG_VERSION=v1
+export WORDPRESS_CONFIG_VERSION=v2
+export MATRIX_CONFIG_VERSION=v1
+export WEKAN_CONFIG_VERSION=v3
+export VIKUNJA_CONFIG_VERSION=v1
+export OUTLINE_CONFIG_VERSION=v2
+export KIMAI_CONFIG_VERSION=v1
+export ZAMMAD_CONFIG_VERSION=v1
+export RALLLY_CONFIG_VERSION=v2
+export HEDGEDOC_CONFIG_VERSION=v1
+export MONITORING_CONFIG_VERSION=v2
 export DB_ENTRYPOINT_VERSION=v1
-export PG_BACKUP_VERSION=v2
-export ENTRYPOINT_CSS_VERSION=v1
 
 customize() {
-  if [ -z "$1" ]; then
-    echo "Usage: ... customize <assets_path>"
-    exit 1
-  fi
-  asset_dir=$1
-  for asset in $COPY_ASSETS; do
-    source=$(echo $asset | cut -d "|" -f1)
-    target=$(echo $asset | cut -d "|" -f2)
-    echo copy $source to $target
-    abra app cp $APP_NAME $asset_dir/$source $target
-  done
-}
-
-shell() {
-  if [ -z "$1" ]; then
-    echo "Usage: ... shell <python code>"
-    exit 1
-  fi
-  ak shell -c "$1" 2>&1 | quieten
+    if [ -z "$1" ]
+    then
+            echo "Usage: ... customize <assets_path>"
+            exit 1
+    fi
+    asset_dir=$1
+    for asset in $COPY_ASSETS; do
+        source=$(echo $asset | cut -d "|" -f1)
+        target=$(echo $asset | cut -d "|" -f2)
+        echo copy $source to $target
+        abra app cp $APP_NAME $asset_dir/$source $target
+    done
 }
 
 import_user() {
-  if [ -z "$1" ]; then
-    echo "Usage: ... import_user <users.csv>"
-    exit 1
-  fi
-  source_file=$1
-  filename=$(basename $source_file)
-  abra app cp -C $APP_NAME $source_file worker:/tmp/
-  abra app cmd -C -T $APP_NAME worker _import_user $filename
+    if [ -z "$1" ]
+    then
+            echo "Usage: ... import_user <users.csv>"
+            exit 1
+    fi
+    source_file=$1
+    filename=$(basename $source_file)
+    abra app cp $APP_NAME $source_file worker:/tmp/
+    abra app cmd -T $APP_NAME worker _import_user $filename
 }
 
 _import_user() {
-  /manage.py shell -c """
-from authentik.core.models import Group
+/manage.py shell -c """
 import csv
 new_user = User()
 with open('/tmp/$1', newline='') as file:
@@ -83,32 +73,10 @@ with open('/tmp/$1', newline='') as file:
 """ 2>&1 | quieten
 }
 
-set_user_pass() {
-  username="$1"
-  password="$2"
-  /manage.py shell -c """
-user = User.objects.get(username='$username')
-user.set_password('$password')
-user.save()
-print('Changed $username password')
-""" 2>&1 | quieten
-
-}
-
 set_admin_pass() {
-  password=$(cat /run/secrets/admin_pass)
-  token=$(cat /run/secrets/admin_token)
-  /manage.py shell -c """
-import time
-i = 0
-while (not User.objects.filter(username='akadmin')):
-    print('Waiting for akadmin to be created...')
-    time.sleep(10)
-    i += 1
-    if i > 6:
-        print('Failed to find admin user!')
-        exit()
-
+password=$(cat /run/secrets/admin_pass)
+token=$(cat /run/secrets/admin_token)
+/manage.py shell -c """
 akadmin = User.objects.get(username='akadmin')
 akadmin.set_password('$password')
 akadmin.save()
@@ -133,45 +101,45 @@ else:
 }
 
 rotate_db_pass() {
-  db_password=$(cat /run/secrets/db_password)
-  psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
+    db_password=$(cat /run/secrets/db_password)
+    psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
 }
 
 # This function is for blueprints that are overwriting custom blueprints
 # It deactivates the affected custom blueprints to avoid changes to be reverted
 apply_blueprints() {
-  update_and_disable_blueprint default/flow-password-change.yaml
-  update_and_disable_blueprint default/flow-default-authentication-flow.yaml
-  update_and_disable_blueprint default/flow-default-user-settings-flow.yaml
-  update_and_disable_blueprint default/flow-default-source-enrollment.yaml
-
-  apply_blueprint 3_flow_translation.yaml
-  apply_blueprint 2_flow_authentication.yaml
+    update_and_disable_blueprint default/flow-password-change.yaml
+    update_and_disable_blueprint default/flow-default-authentication-flow.yaml
+    update_and_disable_blueprint default/flow-default-user-settings-flow.yaml
+    update_and_disable_blueprint default/flow-default-source-enrollment.yaml
+    
+    apply_blueprint 3_flow_translation.yaml
+    apply_blueprint 2_flow_authentication.yaml
 }
 
 update_and_disable_blueprint() {
-  enable_blueprint $@ 2>&1 | quieten
-  sleep 1
-  apply_blueprint $@
-  sleep 1
-  disable_blueprint $@ 2>&1 | quieten
+    enable_blueprint $@ 2>&1 | quieten
+    sleep 1
+    apply_blueprint $@
+    sleep 1
+    disable_blueprint $@ 2>&1 | quieten
 }
 
 disable_blueprint() {
-  blueprint_state False $@
+    blueprint_state False $@
 }
 
 enable_blueprint() {
-  blueprint_state True $@
+    blueprint_state True $@
 }
 
 apply_blueprint() {
-  echo apply blueprint $@
-  ak apply_blueprint $@ 2>&1 | quieten
+    echo apply blueprint $@
+    ak apply_blueprint $@ 2>&1 | quieten
 }
 
 blueprint_state() {
-  /manage.py shell -c """
+/manage.py shell -c """
 import time
 blueprint_state=$1
 blueprint_path='$2'
@@ -188,179 +156,83 @@ print(f'{blueprint.name} enabled: {blueprint.enabled}')
 
 }
 
-# This function adds each application with its name, slug and group if passed
-add_applications() {
-  export APPLICATIONS
-  /manage.py shell -c """
+add_applications(){
+/manage.py shell -c """
 import json
-import os
-if os.environ['APPLICATIONS'] == '':
+if '$APPLICATIONS' == '':
     exit()
-applications = json.loads(os.environ['APPLICATIONS'])
-for name, details in applications.items():
-    url = details['url']
+applications = json.loads('$APPLICATIONS')
+for name, url in applications.items():
+    print(f'Add {name}: {url}')
     app = Application.objects.filter(name=name).first()
     if not app:
         app = Application()
     app.name = name
     app.slug = name.replace(' ', '-')
     app.meta_launch_url = url
-    group = details['group']
-    if group:
-        app.group = group
-        print(f'Add {name}: {url} in group: {group}')
-    else:
-        app.group = ''
-        print(f'Add {name}: {url}')
     app.open_in_new_tab = True
     app.save()
 """ 2>&1 | quieten
 }
 
-# This function adds one application with its name, slug and group if passed
-add_single_application() {
-  if [ -z "$2" ]; then
-    echo "Usage: ... add_single_application <name> <url> <group>"
-    exit 1
-  fi
-  /manage.py shell -c """
-import json
-import os
-name = '$1'
-url = '$2'
-app = Application.objects.filter(name=name).first()
-if not app:
-    app = Application()
-app.name = name
-app.slug = name.replace(' ', '-')
-app.meta_launch_url = url
-group = '$3'
-if group:
-    app.group = group
-    print(f'Add {name}: {url} in group: {group}')
-else:
-    app.group = ''
-    print(f'Add {name}: {url}')
-app.open_in_new_tab = True
-app.save()
-""" 2>&1 | quieten
+
+quieten(){
+    # 'SyntaxWarning|version_regex|"http\['
+    # is a workaround to get rid of some verbose syntax warnings, this might be fixed with another version
+    grep -Pv '"level": "(info|debug)"|SyntaxWarning|version_regex|"http\[|RuntimeWarning:'
 }
 
-## This function is for renaming apps - usage: rename "old name" "new name"
-rename() {
-  /manage.py shell -c """
-old_name = '$1'
-new_name = '$2' if '$2' else old_name
-
-app = Application.objects.filter(name=old_name).first()
-if app:
-    app.name = new_name
-    app.save()
-    print(f'Renamed application from {old_name} to {new_name}')
-else:
-    print(f'No application found with name: {old_name}')
-""" 2>&1 | quieten
-}
-
-quieten() {
-  # 'SyntaxWarning|version_regex|"http\['
-  # is a workaround to get rid of some verbose syntax warnings, this might be fixed with another version
-  grep -Pv '"level": "(info|debug)"|SyntaxWarning|version_regex|"http\[|RuntimeWarning:|### authentik shell|### Node| objects imported automatically|^$'
-}
-
-add_email_templates() {
-  for file_path in "$@"; do
+add_email_templates(){
+for file_path in "$@"; do
     echo copy template $file_path
     abra app cp $APP_NAME $file_path app:/templates/
-  done
+done
 }
 
-set_icons() {
-  if [ -n "$1" ]; then
-    APP_ICONS="$1"
-  fi
-  for icon in $APP_ICONS; do
+set_icons(){
+for icon in $APP_ICONS; do
     app=$(echo $icon | cut -d ":" -f1)
     file_path=$(eval echo $(echo $icon | cut -d ":" -f2))
     file=$(basename $file_path)
     echo copy icon $file_path for $app
-    abra app cp -C $APP_NAME $file_path app:/media/
-    abra app cmd -C -T $APP_NAME app set_app_icon $app /media/$file
-  done
-}
-
-set_extra_icons() {
-  if [ -z "$EXTRA_ICONS" ]; then
-    echo "Variable EXTRA_ICONS is not set"
-    exit 1
-  fi
-  export EXTRA_ICONS
-  icon_key_values=$(python3 -c "
-import json
-import os
-for key, value in json.loads(os.environ['EXTRA_ICONS']).items():
-  slug = key.replace(' ','-')
-  print(f'{slug}:{value}')
-")
-  set_icons "$icon_key_values"
+    abra app cp $APP_NAME $file_path app:/media/
+    abra app cmd -T $APP_NAME app set_app_icon $app /media/$file
+done
 }
 
 set_app_icon() {
-  TOKEN=$(cat /run/secrets/admin_token)
-  python -c """
+TOKEN=$(cat /run/secrets/admin_token)
+python -c """
 import requests
 import os
 my_token = '$TOKEN'
 application = '$1'
 icon_path = '$2'
-base_url = f'https://$DOMAIN/api/v3'
-headers = {'Authorization': f'Bearer {my_token}'}
-
-name_img = os.path.basename(icon_path)
-
-# Upload file via the file management API
+url = f'https://$DOMAIN/api/v3/core/applications/{application}/set_icon/'
+headers = {'Authorization':f'Bearer {my_token}'}
 with open(icon_path, 'rb') as img:
-  r = requests.post(
-    f'{base_url}/admin/file/',
-    files={'file': (name_img, img, 'image/png')},
-    data={'name': name_img},
-    headers=headers,
-  )
-  if r.status_code == 400 and 'already exists' in r.text:
-    print(f'{name_img} already uploaded')
-  elif r.status_code != 200:
-    print(f'Upload failed: {r.status_code} {r.text}')
-    exit(1)
-  else:
-    print(f'Uploaded {name_img}')
-
-# Set the icon on the application
-r = requests.patch(
-  f'{base_url}/core/applications/{application}/',
-  json={'meta_icon': name_img},
-  headers=headers,
-)
-if r.status_code == 200:
-  print(f'Set icon for {application}')
-else:
-  print(f'Failed to set icon: {r.status_code} {r.text}')
+  name_img = os.path.basename(icon_path)
+  files= {'file': (name_img,img,'image/png') }
+  with requests.Session() as s:
+    r = s.post(url,files=files,headers=headers)
+    print(r.status_code)
 """
 
 }
 
 blueprint_cleanup() {
-  /manage.py shell -c """
+/manage.py shell -c """
 delete_flows = ['default-recovery-flow' , 'custom-authentication-flow' , 'invitation-enrollment-flow' , 'initial-setup']
 Flow.objects.filter(slug__in=delete_flows).delete()
 Stage.objects.filter(flow=None).delete()
 Prompt.objects.filter(promptstage=None).delete()
 Brand.objects.filter(default=True).delete()
 """ 2>&1 | quieten
-  apply_blueprints
+apply_blueprints
 }
 
 get_certificate() {
-  /manage.py shell -c """
+/manage.py shell -c """
 provider_name='$1'
 if not provider_name:
     print('no Provider Name given')
@@ -373,18 +245,7 @@ print(''.join(cert.certificate_data.splitlines()[1:-1]))
 }
 
 get_user_uid() {
-  /manage.py shell -c """
+/manage.py shell -c """
 print(User.objects.filter(username='$1').first().uid)
 """ 2>&1 | quieten
 }
-
-get_secrets() {
-  grep "" -r /var/run/secrets
-}
-
-fix_collation_mismatch() {
-  psql -U ${POSTGRES_USER} -d authentik -c "ALTER DATABASE authentik REFRESH COLLATION VERSION;"
-  psql -U ${POSTGRES_USER} -d authentik -c "REINDEX DATABASE authentik;"
-  psql -U ${POSTGRES_USER} -d postgres -c "ALTER DATABASE postgres REFRESH COLLATION VERSION;"
-  psql -U ${POSTGRES_USER} -d postgres -c "REINDEX DATABASE postgres;"
-}

alaconnect.yml

@@ -87,12 +87,3 @@ hedgedoc:
         - hedgedoc.png
     secrets:
         hedgedoc_id: hedgedoc
-mila:
-    uncomment:
-        - compose.mila.yml
-        - MILA_DOMAIN
-        - SECRET_MILA_ID_VERSION
-        - SECRET_MILA_SECRET_VERSION
-        - mila.svg
-    secrets:
-        mila_id: mila

compose.css-volume.yml

@@ -1,16 +0,0 @@
----
-version: "3.8"
-
-services:
-  app:
-    user: root
-    entrypoint: /docker-entrypoint.sh
-    configs:
-      - source: entrypoint_css
-        target: /docker-entrypoint.sh
-        mode: 0555
-
-configs:
-  entrypoint_css:
-    name: ${STACK_NAME}_entrypoint_css_${ENTRYPOINT_CSS_VERSION}
-    file: entrypoint-css-volume.sh

compose.matrix.yml

@@ -3,16 +3,15 @@ services:
   app:
     deploy:
       labels:
-        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions,${STACK_NAME}-redirect,${STACK_NAME}-redirect-matrix-well-known"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.regex=^https://(.*)/.well-known/matrix/(.*)"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.replacement=https://${MATRIX_DOMAIN}/.well-known/matrix/$$2"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=redirect-matrix-well-known"
+        - "traefik.http.middlewares.redirect-matrix-well-known.redirectregex.regex=^https://(.*)/.well-known/matrix/(.*)"
+        - "traefik.http.middlewares.redirect-matrix-well-known.redirectregex.replacement=https://${MATRIX_DOMAIN}/.well-known/matrix/$$2"
   worker:
     secrets:
       - matrix_id
       - matrix_secret
     environment:
       - ELEMENT_DOMAIN
-      - MATRIX_DOMAIN
     configs:
       - source: matrix
         target: /blueprints/matrix.yaml

compose.mila.yml

@@ -1,27 +0,0 @@
-version: "3.8"
-services:
-  worker:
-    secrets:
-      - mila_id
-      - mila_secret
-    environment:
-      - MILA_DOMAIN
-    configs:
-      - source: mila
-        target: /blueprints/mila.yaml
-
-secrets:
-  mila_id:
-    external: true
-    name: ${STACK_NAME}_mila_id_${SECRET_MILA_ID_VERSION}
-  mila_secret:
-    external: true
-    name: ${STACK_NAME}_mila_secret_${SECRET_MILA_SECRET_VERSION}
-
-
-configs:
-  mila:
-    name: ${STACK_NAME}_mila_${MILA_CONFIG_VERSION}
-    file: mila.yaml.tmpl
-    template_driver: golang
-

compose.outposts.ldap.yml

@@ -1,23 +0,0 @@
-version: "3.8"
-services:
-  authentik_ldap:
-      image: ghcr.io/goauthentik/ldap:2026.2.1
-      # Optionally specify which networks the container should be
-      # might be needed to reach the core authentik server
-      networks:
-        - internal
-        - proxy
-      ports:
-        - 389:3389
-        - 636:6636
-      secrets:
-        - ldap_token
-      environment:
-        - AUTHENTIK_HOST=https://${DOMAIN}
-        - AUTHENTIK_INSECURE=true
-        - AUTHENTIK_TOKEN=file:///run/secrets/ldap_token
-
-secrets:
-  ldap_token:
-    external: true
-    name: ${STACK_NAME}_ldap_token_${SECRET_LDAP_TOKEN_VERSION}

compose.yml

@@ -5,6 +5,7 @@ x-env: &env
     - AUTHENTIK_POSTGRESQL__USER=authentik
     - AUTHENTIK_POSTGRESQL__NAME=authentik
     - AUTHENTIK_POSTGRESQL__HOST=db
+    - AUTHENTIK_REDIS__HOST=redis
     - AUTHENTIK_ERROR_REPORTING__ENABLED
     - AUTHENTIK_SECRET_KEY=file:///run/secrets/secret_key
     - AUTHENTIK_EMAIL__HOST
@@ -16,7 +17,6 @@ x-env: &env
     - AUTHENTIK_EMAIL__TIMEOUT
     - AUTHENTIK_EMAIL__FROM
     - AUTHENTIK_LOG_LEVEL
-    - AUTHENTIK_DISABLE_UPDATE_CHECK
     - BACKGROUND_FONT_COLOR=${BACKGROUND_FONT_COLOR:-white}
     - BACKGROUND_BOX_COLOR=${BACKGROUND_BOX_COLOR:-#eaeaeacf}
     - AUTHENTIK_FOOTER_LINKS
@@ -34,10 +34,11 @@ x-env: &env
 version: '3.8'
 services:
   app:
-    image: ghcr.io/goauthentik/server:2026.2.1
+    image: ghcr.io/goauthentik/server:2024.6.5
     command: server
     depends_on:
       - db
+      - redis
     secrets:
       - db_password
       - admin_pass
@@ -45,9 +46,8 @@ services:
       - secret_key
       - email_pass
     volumes:
-      - data:/data
       - media:/media
-      - custom_assets:/web/dist/assets
+      - assets:/web/dist/assets
       - templates:/templates
     networks:
       - internal
@@ -62,25 +62,25 @@ services:
     deploy:
       labels:
         - "traefik.enable=true"
-        - "traefik.swarm.network=proxy"
+        - "traefik.docker.network=proxy"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=9000"
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions,${STACK_NAME}-redirect"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=11.0.4+2026.2.1"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.regex=^https://(${REDIRECTS})/(.*)"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.replacement=https://${DOMAIN}/$${2}"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.permanent=true"
-        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
+        - "coop-cloud.${STACK_NAME}.version=6.5.2+2024.6.5"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
 
   worker:
-    image: ghcr.io/goauthentik/server:2026.2.1
+    image: ghcr.io/goauthentik/server:2024.6.5
     command: worker
     depends_on:
       - db
+      - redis
     secrets:
       - db_password
       - admin_pass
@@ -91,7 +91,6 @@ services:
       - internal
       - proxy
     volumes:
-      - data:/data
       - media:/media
       - /dev/null:/blueprints/default/flow-oobe.yaml
       - templates:/templates
@@ -118,16 +117,13 @@ services:
       start_period: 5m
 
   db:
-    image: postgres:15.17
+    image: postgres:15.7
     secrets:
       - db_password
     configs:
       - source: db_entrypoint
         target: /docker-entrypoint.sh
         mode: 0555
-      - source: pg_backup
-        target: /pg_backup.sh
-        mode: 0555
     entrypoint:
       /docker-entrypoint.sh
     volumes:
@@ -146,11 +142,26 @@ services:
       - POSTGRES_DB=authentik
     deploy:
       labels:
-          backupbot.backup: "${ENABLE_BACKUPS:-true}"
-          backupbot.backup.pre-hook: "/pg_backup.sh backup"
+          backupbot.backup: "true"
+          backupbot.backup.pre-hook: "PGPASSWORD=$$(cat /run/secrets/db_password) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
+          backupbot.backup.post-hook: "rm -rf /var/lib/postgresql/data/backup.sql"
           backupbot.backup.volumes.database.path: "backup.sql"
-          backupbot.restore.post-hook: '/pg_backup.sh restore'
+          backupbot.backup.volumes.redis: "false"
+          backupbot.restore.post-hook: 'psql -U authentik -d postgres -c "DROP DATABASE authentik WITH (FORCE);" && createdb -U authentik authentik && psql -U authentik -d authentik -f /var/lib/postgresql/data/backup.sql'
 
+  redis:
+    image:  redis:7.4.0-alpine
+    command: --save 60 1 --loglevel warning
+    networks:
+      - internal
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      interval: 30s
+      timeout: 10s
+      retries: 10
+      start_period: 1m
+    volumes:
+        - redis:/data
 
 secrets:
   db_password:
@@ -175,11 +186,11 @@ networks:
   internal:
 
 volumes:
-  data:
   media:
   certs:
+  redis:
   templates:
-  custom_assets:
+  assets:
   database:
 
 configs:
@@ -211,6 +222,3 @@ configs:
     name: ${STACK_NAME}_db_entrypoint_${DB_ENTRYPOINT_VERSION}
     file: entrypoint.postgres.sh.tmpl
     template_driver: golang
-  pg_backup:
-    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
-    file: pg_backup.sh

entrypoint-css-volume.sh

@@ -1,5 +0,0 @@
-#!/bin/sh
-
-cp -f /web/dist/assets/custom.css /web/dist/custom.css
-
-su $(id -un 1000) -s /bin/bash -c 'dumb-init -- ak server'

flow_recovery.yaml.tmpl

@@ -4,7 +4,7 @@ metadata:
     blueprints.goauthentik.io/instantiate: "true"
   name: Recovery with email verification
 context:
-  token_expiry: minutes={{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }}30{{ else }}{{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }}{{ end }}
+  token_expiry: {{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }} 30 {{ else }} {{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }} {{ end }}
   subject: {{ if eq (env "EMAIL_SUBJECT") "" }} Account Recovery {{ else }} {{ env "EMAIL_SUBJECT" }} {{ end }} 
 entries:
 ### DEPENDENCIES

hedgedoc.yaml.tmpl

@@ -8,17 +8,12 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "hedgedoc_id" }}
     client_secret: {{ secret  "hedgedoc_secret" }}
     client_type: confidential
     include_claims_in_id_token: true
     issuer_mode: per_provider
-    redirect_uris:
-    - matching_mode: strict
-      url: https://{{ env  "HEDGEDOC_DOMAIN" }}/auth/oauth2/callback
     name: Hedgedoc
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
@@ -35,7 +30,7 @@ entries:
   state: present
 
 - attrs:
-    meta_launch_url: https://{{ env  "HEDGEDOC_DOMAIN" }}/auth/oauth2
+    meta_launch_url: https://{{ env  "HEDGEDOC_DOMAIN" }}
     open_in_new_tab: true
     policy_engine_mode: any
     provider: !KeyOf hedgedoc_provider

icons/calendar.svg

@@ -1,40 +1,2 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<svg
-   version="1.1"
-   xml:space="preserve"
-   height="200"
-   width="200"
-   enable-background="new 0 0 595.275 311.111"
-   y="0px"
-   x="0px"
-   viewBox="0 0 200 200"
-   id="svg8"
-   sodipodi:docname="calendar.svg"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns="http://www.w3.org/2000/svg"
-   xmlns:svg="http://www.w3.org/2000/svg"><defs
-     id="defs12" /><sodipodi:namedview
-     id="namedview10"
-     pagecolor="#ffffff"
-     bordercolor="#000000"
-     borderopacity="0.25"
-     inkscape:showpageshadow="2"
-     inkscape:pageopacity="0.0"
-     inkscape:pagecheckerboard="0"
-     inkscape:deskcolor="#d1d1d1"
-     showgrid="false" /><rect
-     rx="31.25"
-     ry="31.25"
-     height="200"
-     width="200"
-     y="-5.2587998e-06"
-     x="0"
-     fill="#0082c9"
-     id="rect2"
-     style="stroke-width:6.25" /><g
-     transform="matrix(5.580375,0,0,5.580375,3251.3125,-1.2081599)"
-     id="g6"><path
-       fill="#ffffff"
-       d="m -572.71,3.5765 c -1.108,0 -2,0.892 -2,2 v 4 c 0,1.108 0.892,2 2,2 1.108,0 2,-0.892 2,-2 v -4 c 0,-1.108 -0.892,-2 -2,-2 z m 16,0 c -1.108,0 -2,0.892 -2,2 v 4 c 0,1.108 0.892,2 2,2 1.108,0 2,-0.892 2,-2 v -4 c 0,-1.108 -0.892,-2 -2,-2 z m -13,4 v 2 c 0,1.662 -1.338,3 -3,3 -1.662,0 -3,-1.338 -3,-3 v -1.875 c -1.728,0.44254 -3,2.0052 -3,3.875 v 16 c 0,2.216 1.784,4 4,4 h 20 c 2.216,0 4,-1.784 4,-4 v -16 c 0,-1.8698 -1.272,-3.4325 -3,-3.875 v 1.875 c 0,1.662 -1.338,3 -3,3 -1.662,0 -3,-1.338 -3,-3 v -2 z m -5.9062,9 h 21.812 c 0.0554,0 0.0937,0.03835 0.0937,0.09375 v 11.812 c 0,0.0554 -0.0384,0.09375 -0.0937,0.09375 h -21.812 c -0.0554,0 -0.0937,-0.03835 -0.0937,-0.09375 v -11.812 c 0,-0.0554 0.0384,-0.09375 0.0937,-0.09375 z"
-       id="path4" /></g></svg>
+<svg xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://www.w3.org/2000/svg" version="1.1" xml:space="preserve" height="32" width="32" enable-background="new 0 0 595.275 311.111" y="0px" x="0px" xmlns:cc="http://creativecommons.org/ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" viewBox="0 0 32 32"><rect rx="5" ry="5" height="32" width="32" y="-.0000052588" x="0" fill="#0082c9"/><g transform="matrix(.89286 0 0 .89286 520.21 -.19331)"><path fill="#fff" d="m-572.71 3.5765c-1.108 0-2 0.892-2 2v4c0 1.108 0.892 2 2 2s2-0.892 2-2v-4c0-1.108-0.892-2-2-2zm16 0c-1.108 0-2 0.892-2 2v4c0 1.108 0.892 2 2 2s2-0.892 2-2v-4c0-1.108-0.892-2-2-2zm-13 4v2c0 1.662-1.338 3-3 3s-3-1.338-3-3v-1.875c-1.728 0.44254-3 2.0052-3 3.875v16c0 2.216 1.784 4 4 4h20c2.216 0 4-1.784 4-4v-16c0-1.8698-1.272-3.4325-3-3.875v1.875c0 1.662-1.338 3-3 3s-3-1.338-3-3v-2h-10zm-5.9062 9h21.812c0.0554 0 0.0937 0.03835 0.0937 0.09375v11.812c0 0.0554-0.0384 0.09375-0.0937 0.09375h-21.812c-0.0554 0-0.0937-0.03835-0.0937-0.09375v-11.812c0-0.0554 0.0384-0.09375 0.0937-0.09375z"/></g></svg>

icons/help.svg

@@ -1,60 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<svg
-   width="200"
-   height="200"
-   viewBox="0 0 200 200"
-   fill="none"
-   version="1.1"
-   id="svg171"
-   sodipodi:docname="help.svg"
-   inkscape:version="1.2.2 (b0a8486541, 2022-12-01)"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns="http://www.w3.org/2000/svg"
-   xmlns:svg="http://www.w3.org/2000/svg">
-  <sodipodi:namedview
-     id="namedview173"
-     pagecolor="#ffffff"
-     bordercolor="#000000"
-     borderopacity="0.25"
-     inkscape:showpageshadow="2"
-     inkscape:pageopacity="0.0"
-     inkscape:pagecheckerboard="0"
-     inkscape:deskcolor="#d1d1d1"
-     showgrid="false"
-     inkscape:zoom="2.3032421"
-     inkscape:cx="119.614"
-     inkscape:cy="76.631111"
-     inkscape:window-width="1871"
-     inkscape:window-height="1011"
-     inkscape:window-x="0"
-     inkscape:window-y="0"
-     inkscape:window-maximized="1"
-     inkscape:current-layer="svg171" />
-  <g
-     clip-path="url(#clip0_1735_3439)"
-     id="g164"
-     transform="matrix(8.4444369,0,0,8.4444369,-1.3332428,-1.4116916)">
-    <path
-       d="m 12,18.0093 v -5.25 m 0,0 c 0.5179,0 1.0206,-0.0656 1.5,-0.189 m -1.5,0.189 c -0.5179,0 -1.0206,-0.0656 -1.5,-0.189 m 3.75,7.4784 c -0.7288,0.1383 -1.481,0.2106 -2.25,0.2106 -0.769,0 -1.5212,-0.0723 -2.25,-0.2106 m 3.75,2.3826 c -0.493,0.0515 -0.9934,0.078 -1.5,0.078 -0.5066,0 -1.007,-0.0265 -1.5,-0.078 m 3.75,-4.422 v -0.1917 c 0,-0.9829 0.6583,-1.8233 1.5085,-2.3166 2.237,-1.298 3.7415,-3.7192 3.7415,-6.49172 0,-4.14214 -3.3579,-7.5 -7.5,-7.5 -4.14214,0 -7.5,3.35786 -7.5,7.5 C 4.5,11.7818 6.00446,14.203 8.24155,15.501 9.09173,15.9943 9.75,16.8347 9.75,17.8176 v 0.1917"
-       stroke="#0f172a"
-       stroke-width="1.5"
-       stroke-linecap="round"
-       stroke-linejoin="round"
-       id="path162" />
-  </g>
-  <defs
-     id="defs169">
-    <clipPath
-       id="clip0_1735_3439">
-      <rect
-         width="24"
-         height="24"
-         fill="#ffffff"
-         transform="translate(0,0.00927734)"
-         id="rect166"
-         x="0"
-         y="0" />
-    </clipPath>
-  </defs>
-</svg>

icons/mila.svg

@@ -1,22 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<svg id="a" data-name="Ebene 1" xmlns="http://www.w3.org/2000/svg" viewBox="80 60 430 410">
-  <defs>
-    <style>
-      .b {
-        fill: #346180;
-      }
-
-      .c {
-        fill: #009aa5;
-      }
-    </style>
-  </defs>
-  <g>
-    <path class="c" d="M319.57,303.39c41.78,18.41,74.43,42.48,87.64,89.83,4.52,16.2,12.63,44.75-10.72,48.82H101.39c-2.63-.09-9.25-2.82-11.12-4.38-.3-.25-4.06-6.12-4.22-6.49-5.78-13.4,2.35-35.12,7.31-47.71,9.49-24.09,25.75-44.44,46.62-59.63,16.07-11.7,34.34-20.54,53.51-25.78,32.68-8.93,94.96-8.37,126.07,5.34Z"/>
-    <path class="c" d="M299.53,126.4c7.22,5.55,16.92,15.59,20.81,23.69,14.47,30.14,13.54,62.8-6.99,90.82-32.64,44.55-106.51,39.41-133.59-8.24-45.73-80.48,49.74-160.1,119.77-106.26Z"/>
-  </g>
-  <g>
-    <path class="b" d="M395.52,128.43c50.29,40.71,28.84,125.79-34.37,141.27-7.94,1.94-34,4.45-40.2-.24-.7-.53-1.73-1.28-1.25-2.3.2-.42.58-.72.95-1.01,6.58-5.05,11.45-13.02,15.71-20.08s7.99-14.88,10.77-22.84c5.4-15.47,7.48-32.13,5.27-48.4-2.36-17.34-9.63-33.63-20.49-47.31-2.75-3.46-6.2-6.45-9.27-9.63-1.09-1.14-3.73-3.05-4.21-4.6-.9-2.93,2.98-3.72,5.51-4.06,23.02-3.1,46.39,1.77,65.63,14.81,2.04,1.38,4.02,2.84,5.94,4.39Z"/>
-    <path class="b" d="M433.88,441.36c-2.64-2.97.77-10.22,1.03-13.89,3.54-49.03-30.24-100.05-69.07-126.89-1.99-1.38-11.43-6.12-11.91-6.6-1.42-1.44.09-1.81,1.48-1.99,7.36-.93,17.29,1.08,24.7,2.32,16.51,2.77,33.53,8.05,48.48,15.52,18.53,9.24,34.94,22.72,47.79,38.94,11.65,14.7,54.83,91.93,8.76,92.91-15.76.33-31.52.67-47.28,1-1.97.04-3.23-.46-3.99-1.31Z"/>
-  </g>
-</svg>

icons/poll.svg

@@ -1,46 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<svg
-   width="200"
-   height="200"
-   viewBox="0 0 200 200"
-   fill="none"
-   version="1.1"
-   id="svg282"
-   sodipodi:docname="poll.svg"
-   inkscape:version="1.2.2 (b0a8486541, 2022-12-01)"
-   inkscape:export-filename="poll_tall.svg"
-   inkscape:export-xdpi="96"
-   inkscape:export-ydpi="96"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns="http://www.w3.org/2000/svg"
-   xmlns:svg="http://www.w3.org/2000/svg">
-  <defs
-     id="defs286" />
-  <sodipodi:namedview
-     id="namedview284"
-     pagecolor="#ffffff"
-     bordercolor="#000000"
-     borderopacity="0.25"
-     inkscape:showpageshadow="2"
-     inkscape:pageopacity="0.0"
-     inkscape:pagecheckerboard="0"
-     inkscape:deskcolor="#d1d1d1"
-     showgrid="false"
-     inkscape:zoom="4.3999736"
-     inkscape:cx="116.47797"
-     inkscape:cy="125.79621"
-     inkscape:window-width="1871"
-     inkscape:window-height="1011"
-     inkscape:window-x="0"
-     inkscape:window-y="0"
-     inkscape:window-maximized="1"
-     inkscape:current-layer="svg282" />
-  <path
-     d="M 51.538464,16.923263 V 37.692495 M 148.46154,16.923263 V 37.692495 M 16.923078,162.30751 V 58.461725 c 0,-11.470523 9.298709,-20.76923 20.769232,-20.76923 h 124.61538 c 11.47016,0 20.76923,9.298707 20.76923,20.76923 V 162.30751 m -166.153842,0 c 0,11.47108 9.298709,20.76923 20.769232,20.76923 h 124.61538 c 11.47016,0 20.76923,-9.29815 20.76923,-20.76923 m -166.153842,0 V 93.076741 c 0,-11.470154 9.298709,-20.768862 20.769232,-20.768862 h 124.61538 c 11.47016,0 20.76923,9.298708 20.76923,20.768862 V 162.30751 M 100,106.92289 h 0.0692 v 0.0692 H 100 Z m 0,20.76924 h 0.0692 v 0.0692 H 100 Z m 0,20.76923 h 0.0692 v 0.0692 H 100 Z M 79.230771,127.69213 h 0.06923 v 0.0692 h -0.06923 z m 0,20.76923 h 0.06923 v 0.0692 h -0.06923 z M 58.46154,127.69213 h 0.06923 v 0.0692 h -0.06923 z m 0,20.76923 h 0.06923 v 0.0692 h -0.06923 z m 62.30769,-41.53847 h 0.0692 v 0.0692 h -0.0692 z m 0,20.76924 h 0.0692 v 0.0692 h -0.0692 z m 0,20.76923 h 0.0692 v 0.0692 h -0.0692 z m 20.76923,-41.53847 h 0.0692 v 0.0692 h -0.0692 z m 0,20.76924 h 0.0692 v 0.0692 h -0.0692 z"
-     stroke="#0f172a"
-     stroke-width="13.8462"
-     stroke-linecap="round"
-     stroke-linejoin="round"
-     id="path280" />
-</svg>

icons/pretix.svg

@@ -1 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?><svg id="Ebene_1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 128 128"><defs><style>.cls-1{fill:#3b1c4a;}</style></defs><path class="cls-1" d="m50.67,56.95c-.72.1-1.22.3-1.66.5l2.38,16.91c.41.08.95.13,1.6.04,3.52-.5,4.61-3.64,3.81-9.39-.83-5.87-2.53-8.56-6.12-8.06Z"/><path class="cls-1" d="m116.04,35.05c.71-.17,1.16-.76,1.06-1.48L112.54,1.13c-.1-.72-.77-1.22-1.49-1.12l-37.5,5.27.73,5.22c.16,1.12-.62,2.15-1.74,2.31s-2.15-.62-2.31-1.74l-.73-5.22L1.13,15.46c-.72.1-1.22.77-1.12,1.49l4.56,32.44c.1.72.7,1.17,1.42,1.13,11.25-.92,21.43,7.1,23.03,18.46,1.6,11.36-5.99,21.81-17.07,23.96-.71.17-1.16.76-1.06,1.48l4.56,32.44c.1.72.77,1.22,1.49,1.12l68.37-9.61-.73-5.22c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l.73,5.22,37.5-5.27c.72-.1,1.22-.77,1.12-1.49l-4.56-32.44c-.1-.72-.7-1.17-1.42-1.13-11.25.92-21.42-7.04-23.02-18.4-1.6-11.36,5.98-21.87,17.06-24.03Zm-59.84,44.75c-1.76.25-3.29.26-4.04.17l1.59,11.29-9.92,1.39-5.3-37.73c2.5-1.62,5.96-3.03,11.38-3.8,8.68-1.22,15.27,2.58,16.66,12.44,1.25,8.88-3.12,15.21-10.36,16.23Zm30.73,20.71c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31,1.12-.16,2.15.62,2.31,1.74l1.47,10.44Zm-3.16-22.45c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l1.47,10.44Z"/></svg>

icons/support.svg

@@ -1,33 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<svg
-   width="200"
-   height="200"
-   viewBox="0 0 200 200"
-   fill="none"
-   version="1.1"
-   id="svg346"
-   sodipodi:docname="support.svg"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns="http://www.w3.org/2000/svg"
-   xmlns:svg="http://www.w3.org/2000/svg">
-  <defs
-     id="defs350" />
-  <sodipodi:namedview
-     id="namedview348"
-     pagecolor="#ffffff"
-     bordercolor="#000000"
-     borderopacity="0.25"
-     inkscape:showpageshadow="2"
-     inkscape:pageopacity="0.0"
-     inkscape:pagecheckerboard="0"
-     inkscape:deskcolor="#d1d1d1"
-     showgrid="false" />
-  <path
-     d="m 79.332968,56.337414 c 11.415493,-9.988348 29.923442,-9.988348 41.338062,0 11.41559,9.988447 11.41559,26.182585 0,36.171713 -1.98672,1.738257 -4.1878,3.173487 -6.53016,4.307641 -7.26579,3.515482 -14.13892,9.727022 -14.13892,17.798612 v 7.3077 m 87.69036,-21.923081 c 0,48.431491 -39.26082,87.692311 -87.692311,87.692311 -48.431097,0 -87.692308,-39.26082 -87.692308,-87.692311 0,-48.431097 39.261211,-87.692308 87.692308,-87.692308 48.431491,0 87.692311,39.261211 87.692311,87.692308 z M 99.999999,151.15385 h 0.07308 v 0.0731 h -0.07308 z"
-     stroke="#0f172a"
-     stroke-width="14.6154"
-     stroke-linecap="round"
-     stroke-linejoin="round"
-     id="path344" />
-</svg>

icons/talk.svg

@@ -1,68 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<svg
-   xmlns:dc="http://purl.org/dc/elements/1.1/"
-   xmlns:cc="http://creativecommons.org/ns#"
-   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
-   xmlns:svg="http://www.w3.org/2000/svg"
-   xmlns="http://www.w3.org/2000/svg"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   inkscape:version="1.1-dev (f9311a1, 2019-12-25)"
-   sodipodi:docname="talk8.svg"
-   id="svg19"
-   xml:space="preserve"
-   viewBox="0 0 1024 1024"
-   version="1.1"
-   stroke-miterlimit="1.4142"
-   stroke-linejoin="round"
-   fill-rule="evenodd"
-   clip-rule="evenodd"><metadata
-   id="metadata23"><rdf:RDF><cc:Work
-       rdf:about=""><dc:format>image/svg+xml</dc:format><dc:type
-         rdf:resource="http://purl.org/dc/dcmitype/StillImage" /><dc:title></dc:title></cc:Work></rdf:RDF></metadata><sodipodi:namedview
-   inkscape:current-layer="svg19"
-   inkscape:window-maximized="1"
-   inkscape:window-y="23"
-   inkscape:window-x="1440"
-   inkscape:cy="522.40348"
-   inkscape:cx="510.51379"
-   inkscape:zoom="0.67285156"
-   showgrid="false"
-   id="namedview21"
-   inkscape:window-height="1035"
-   inkscape:window-width="1920"
-   inkscape:pageshadow="2"
-   inkscape:pageopacity="0"
-   guidetolerance="10"
-   gridtolerance="10"
-   objecttolerance="10"
-   borderopacity="1"
-   inkscape:document-rotation="0"
-   bordercolor="#666666"
-   pagecolor="#ffffff" /><defs
-   id="defs15"><linearGradient
-     gradientUnits="userSpaceOnUse"
-     gradientTransform="matrix(8.96 0 0 8.96 -7.8457e-5 .00019795)"
-     y2="-7.6294e-6"
-     y1="150"
-     x2="150"
-     x1="18.23"
-     id="a"><stop
-       id="stop10"
-       offset="0"
-       stop-color="#0082c9" /><stop
-       id="stop12"
-       offset="1"
-       stop-color="#1cafff" /></linearGradient></defs>
-<rect
-   id="rect17"
-   fill-rule="evenodd"
-   fill="url(#a)"
-   height="1024"
-   width="1024" /><path
-   style="fill:#ffffff"
-   inkscape:connector-curvature="0"
-   d="M 511.95919,186 A 325.96385,325.95103 0 0 0 186,511.96034 325.96385,325.95103 0 0 0 511.95919,837.91133 325.96385,325.95103 0 0 0 681.04889,790.22529 c 40.06218,15.91895 129.79781,63.14682 151.15526,42.74701 22.3177,-21.31206 -26.20129,-121.61808 -37.83331,-158.89148 A 325.96385,325.95103 0 0 0 837.91466,511.95755 325.96385,325.95103 0 0 0 511.96013,186.01118 Z m 0.0373,123.92323 A 202.1178,202.11161 0 0 1 714.11425,512.03485 202.1178,202.11161 0 0 1 511.99645,714.13247 202.1178,202.11161 0 0 1 309.87866,512.03485 202.1178,202.11161 0 0 1 511.99645,309.92323 Z"
-   stroke-width="0.14"
-   fill="#000"
-   id="path25" /></svg>

kimai.yaml.tmpl

@@ -12,7 +12,6 @@ entries:
     audience: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml
     authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
     issuer: https://{{ env  "DOMAIN" }}
     name: Kimai
@@ -25,7 +24,6 @@ entries:
     - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Groups"]]
     - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: UPN"]]
     session_valid_not_on_or_after: minutes=86400
-    sign_assertion: true
     signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
     signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
     sp_binding: post
@@ -37,7 +35,7 @@ entries:
   state: present
 
 - attrs:
-    meta_launch_url: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml/login
+    meta_launch_url: https://{{ env  "KIMAI_DOMAIN" }}
     open_in_new_tab: true
     policy_engine_mode: any
     provider: !KeyOf kimai_provider
@@ -47,4 +45,4 @@ entries:
   identifiers:
     name: Kimai
   model: authentik_core.application
-  state: present
+  state: present

matrix.yaml.tmpl

@@ -8,17 +8,12 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "matrix_id" }}
     client_secret: {{ secret  "matrix_secret" }}
     client_type: confidential
     include_claims_in_id_token: true
     issuer_mode: per_provider
-    redirect_uris:
-    - matching_mode: strict
-      url: https://{{ env  "MATRIX_DOMAIN" }}/_synapse/client/oidc/callback
     name: Matrix
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
@@ -39,10 +34,10 @@ entries:
     open_in_new_tab: true
     policy_engine_mode: any
     provider: !KeyOf matrix_provider
-    name: Element
+    slug: matrix
   conditions: []
   id: matrix_application
   identifiers:
-    slug: matrix
+    name: Matrix
   model: authentik_core.application
   state: present

mila.yaml.tmpl

@@ -1,49 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: mila
-
-entries:
-
-- attrs:
-    access_code_validity: minutes=1
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
-    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
-    client_id: {{ secret  "mila_id" }}
-    client_secret: {{ secret  "mila_secret" }}
-    client_type: confidential
-    include_claims_in_id_token: true
-    issuer_mode: per_provider
-    redirect_uris:
-    - matching_mode: strict
-      url: https://{{ env  "MILA_DOMAIN" }}/auth/user/oidc/callback
-    name: Mila
-    property_mappings:
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
-    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
-    sub_mode: hashed_user_id
-    token_validity: days=30
-  conditions: []
-  id: mila_provider
-  identifiers:
-    pk: 9990
-  model: authentik_providers_oauth2.oauth2provider
-  state: present
-
-- attrs:
-    meta_launch_url: https://{{ env  "MILA_DOMAIN" }}
-    open_in_new_tab: true
-    policy_engine_mode: any
-    provider: !KeyOf mila_provider
-    slug: mila
-  conditions: []
-  id: mila_application
-  identifiers:
-    name: Mila
-  model: authentik_core.application
-  state: present
-

monitoring.yaml.tmpl

@@ -8,17 +8,12 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "monitoring_id" }}
     client_secret: {{ secret  "monitoring_secret" }}
     client_type: confidential
     include_claims_in_id_token: true
     issuer_mode: per_provider
-    redirect_uris:
-    - matching_mode: strict
-      url: https://{{ env  "MONITORING_DOMAIN" }}/login/generic_oauth
     name: Monitoring
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]

nextcloud.yaml.tmpl

@@ -20,17 +20,12 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "nextcloud_id" }}
     client_secret: {{ secret  "nextcloud_secret" }}
     client_type: confidential
     include_claims_in_id_token: true
     issuer_mode: per_provider
-    redirect_uris:
-    - matching_mode: strict
-      url: https://{{ env  "NEXTCLOUD_DOMAIN" }}/apps/sociallogin/custom_oidc/authentik
     name: Nextcloud
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]

outline.yaml.tmpl

@@ -8,17 +8,12 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "outline_id" }}
     client_secret: {{ secret  "outline_secret" }}
     client_type: confidential
     include_claims_in_id_token: true
     issuer_mode: per_provider
-    redirect_uris:
-    - matching_mode: strict
-      url: https://{{ env  "OUTLINE_DOMAIN" }}/auth/oidc.callback
     name: Outline
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
@@ -35,7 +30,7 @@ entries:
   state: present
 
 - attrs:
-    meta_launch_url: https://{{ env  "OUTLINE_DOMAIN" }}/auth/oidc
+    meta_launch_url: https://{{ env  "OUTLINE_DOMAIN" }}
     open_in_new_tab: true
     policy_engine_mode: any
     provider: !KeyOf outline_provider

pg_backup.sh

@@ -1,34 +0,0 @@
-#!/bin/bash
-
-set -e
-
-BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
-
-function backup {
-  export PGPASSWORD=$(cat /run/secrets/db_password)
-  pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
-}
-
-function restore {
-    cd /var/lib/postgresql/data/
-    restore_config(){
-        # Restore allowed connections
-        cat pg_hba.conf.bak > pg_hba.conf
-        su postgres -c 'pg_ctl reload'
-    }
-    # Don't allow any other connections than local
-    cp pg_hba.conf pg_hba.conf.bak
-    echo "local all all trust" > pg_hba.conf
-    su postgres -c 'pg_ctl reload'
-    trap restore_config EXIT INT TERM
-
-    # Recreate Database
-    psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);" 
-    createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
-    psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
-
-    trap - EXIT INT TERM
-    restore_config
-}
-
-$@

rallly.yaml.tmpl

@@ -8,17 +8,12 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "rallly_id" }}
     client_secret: {{ secret  "rallly_secret" }}
     client_type: confidential
     include_claims_in_id_token: true
     issuer_mode: per_provider
-    redirect_uris:
-    - matching_mode: strict
-      url: https://{{ env  "RALLLY_DOMAIN" }}/api/auth/callback/oidc
     name: Rallly
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]

release/10.0.0+2025.10.2

@@ -1 +0,0 @@
-2025.10 removes redis. Since 2025.8 all redis tasks have been migrated to postgres.

release/10.2.0+2025.12.4

@@ -1 +0,0 @@
-This is an intermediate release (required for migrations) before upgrading to 2026.x.

release/11.0.0+2026.2.1

@@ -1,3 +0,0 @@
-You must deploy 10.2.0+2025.12.4 first, before deploying this version, if upgrading from 2025.10 or earlier.
-Skipping the intermediate version will cause a migration error (although rolled back safely, no data loss).
-

release/11.0.2+2026.2.1

@@ -1 +0,0 @@
-WARNING: This update will clear all custom assets in /web/dist/asssts. You might need to run customize() again.

release/6.11.0+2024.10.5

@@ -1 +0,0 @@
-Fix Impersonate Bug

release/6.5.1+2024.6.5

@@ -1,3 +1,5 @@
+Replaced icon bbb.jpg with icon.png - configs need to be updated when upgrading!
+
 Two critical vulnerabilities were closed:
 https://github.com/goauthentik/authentik/security/advisories/GHSA-7jxf-mmg9-9hg7
 https://github.com/goauthentik/authentik/security/advisories/GHSA-8gfm-pr6x-pfh9

release/6.6.0+2024.8.2

@@ -1 +0,0 @@
-Replaced icon bbb.jpg with icon.png - configs need to be updated when upgrading!

release/7.4.0+2025.6.3

@@ -1,3 +0,0 @@
-Adds following new envs: 
-  REDIRECTS
-  AUTHENTIK_DISABLE_UPDATE_CHECK

release/9.0.0+2025.8.1

@@ -1,4 +0,0 @@
-Update of config neccessary!
-Changed structure of APPLICATION env to:
-    appname: {"url":"http...", "group":"groupname"}
-Adds various new group envs to support application grouping

renovate.json

@@ -1,6 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "config:recommended"
-  ]
-}

vikunja.yaml.tmpl

@@ -8,17 +8,12 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "vikunja_id" }}
     client_secret: {{ secret  "vikunja_secret" }}
     client_type: confidential
     include_claims_in_id_token: true
     issuer_mode: per_provider
-    redirect_uris:
-    - matching_mode: strict
-      url: https://{{ env  "VIKUNJA_DOMAIN" }}/auth/openid/authentik
     name: Vikunja
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]

wekan.yaml.tmpl

@@ -25,17 +25,12 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "wekan_id" }}
     client_secret: {{ secret  "wekan_secret" }}
     client_type: confidential
     include_claims_in_id_token: true
     issuer_mode: per_provider
-    redirect_uris:
-    - matching_mode: strict
-      url: https://{{ env  "WEKAN_DOMAIN" }}/_oauth/oidc
     name: Wekan
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]

wordpress.yaml.tmpl

@@ -8,17 +8,12 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "wordpress_id" }}
     client_secret: {{ secret  "wordpress_secret" }}
     client_type: confidential
     include_claims_in_id_token: true
     issuer_mode: per_provider
-    redirect_uris:
-    - matching_mode: strict
-      url: https://{{ env  "WORDPRESS_DOMAIN" }}/openid-connect-authorize
     name: Wordpress
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
@@ -52,7 +47,7 @@ entries:
     name: {{ env "WORDPRESS_GROUP" }}
   attrs:
     users:
-    - !Find [authentik_core.user, [username, "akadmin"]]
+    - 1
   id: wordpress_group
   model: authentik_core.group
 

zammad.yaml.tmpl

@@ -36,7 +36,6 @@ entries:
     audience: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/metadata
     authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
     issuer: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/metadata
     name: zammad
@@ -44,7 +43,6 @@ entries:
     - !KeyOf zammad_name_mapping
     - !KeyOf zammad_email_mapping
     session_valid_not_on_or_after: minutes=86400
-    sign_assertion: true
     signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
     signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
     sp_binding: post
@@ -56,7 +54,7 @@ entries:
   state: present
 
 - attrs:
-    meta_launch_url: ""
+    meta_launch_url: https://{{ env  "ZAMMAD_DOMAIN" }}
     open_in_new_tab: true
     policy_engine_mode: any
     provider: !KeyOf zammad_provider