Compare commits


1 Commits

36 changed files with 486 additions and 505 deletions


@ -31,7 +31,6 @@ steps:
SECRET_ADMIN_PASS_VERSION: v1 SECRET_ADMIN_PASS_VERSION: v1
SECRET_EMAIL_PASS_VERSION: v1 SECRET_EMAIL_PASS_VERSION: v1
DB_ENTRYPOINT_VERSION: v1 DB_ENTRYPOINT_VERSION: v1
PG_BACKUP_VERSION: v2
trigger: trigger:
branch: branch:
- main - main
@ -47,7 +46,7 @@ steps:
from_secret: drone_abra-bot_token from_secret: drone_abra-bot_token
fork: true fork: true
repositories: repositories:
- toolshed/auto-recipes-catalogue-json - coop-cloud/auto-recipes-catalogue-json
trigger: trigger:
event: tag event: tag


@ -1,10 +1,8 @@
TYPE=authentik TYPE=authentik
TIMEOUT=900 TIMEOUT=900
ENABLE_AUTO_UPDATE=true ENABLE_AUTO_UPDATE=true
POST_DEPLOY_CMDS="worker set_admin_pass" # POST_DEPLOY_CMDS="worker worker apply_blueprints|worker add_applications"
# Example values for post deploy cmds: "worker set_admin_pass|worker apply_blueprints|worker add_applications"
LETS_ENCRYPT_ENV=production LETS_ENCRYPT_ENV=production
ENABLE_BACKUPS=true
DOMAIN=authentik.example.com DOMAIN=authentik.example.com
## Domain aliases ## Domain aliases
@ -18,11 +16,6 @@ AUTHENTIK_LOG_LEVEL=info
## Outpost Integration ## Outpost Integration
# COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml" # COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml"
# COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.ldap.yml"
# SECRET_LDAP_TOKEN_VERSION=v1
## ADMIN
AUTHENTIK_BOOTSTRAP_EMAIL=admin@example.com
## EMAIL ## EMAIL
AUTHENTIK_EMAIL__HOST=smtp AUTHENTIK_EMAIL__HOST=smtp
@ -49,20 +42,15 @@ SECRET_EMAIL_PASS_VERSION=v1
# EMAIL_SUBJECT="Account Recovery" # EMAIL_SUBJECT="Account Recovery"
# EMAIL_TOKEN_EXPIRY_MINUTES=30 # EMAIL_TOKEN_EXPIRY_MINUTES=30
## assets
COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/" COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/" COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/"
COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/" COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
# store custom CSS in a css-volume # Default CSS customisation, just background colour
#COMPOSE_FILE="$COMPOSE_FILE:compose.css-volume.yml" COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
# NOTE: this causes the authentik container to run as `root` initially; it uses `su` to drop privileges but technically could introduce a security risk. proceed with caution! AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
# Custommise the entire custom CSS file
# Default CSS customisation
#COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml" #COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
# BACKGROUND_FONT_COLOR=white
# BACKGROUND_BOX_COLOR='#eaeaeacf'
# THEME_BACKGROUND="url('https://authentik.example.com/static/dist/assets/images/flow_background.jpg'); background-position: center; background-repeat: no-repeat; background-size: cover;"
# COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml" # COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
# NEXTCLOUD_DOMAIN=nextcloud.example.com # NEXTCLOUD_DOMAIN=nextcloud.example.com
@ -79,7 +67,6 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
# COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml" # COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
# ELEMENT_DOMAIN=element-web.example.com # ELEMENT_DOMAIN=element-web.example.com
# MATRIX_DOMAIN=matrix-synapse.example.com
# SECRET_MATRIX_ID_VERSION=v1 # SECRET_MATRIX_ID_VERSION=v1
# SECRET_MATRIX_SECRET_VERSION=v1 # SECRET_MATRIX_SECRET_VERSION=v1
# APP_ICONS="$APP_ICONS matrix:~/.abra/recipes/authentik/icons/matrix.svg" # APP_ICONS="$APP_ICONS matrix:~/.abra/recipes/authentik/icons/matrix.svg"
@ -106,17 +93,13 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
# KIMAI_DOMAIN=kimai.example.com # KIMAI_DOMAIN=kimai.example.com
# SECRET_KIMAI_ID_VERSION=v1 # SECRET_KIMAI_ID_VERSION=v1
# SECRET_KIMAI_SECRET_VERSION=v1 # SECRET_KIMAI_SECRET_VERSION=v1
# APP_ICONS="$APP_ICONS kimai:~/.abra/recipes/authentik/icons/kimai_logo.png" # APP_ICONS="$APP_ICONS kimai:~/.abra/recipes/authentik/icons/kimai.png"
# COMPOSE_FILE="$COMPOSE_FILE:compose.zammad.yml"
# ZAMMAD_DOMAIN=zammad.example.com
# APP_ICONS="$APP_ICONS zammad:~/.abra/recipes/authentik/icons/zammad.svg"
# COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml" # COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml"
# MONITORING_DOMAIN=monitoring.example.com # MONITORING_DOMAIN=monitoring.example.com
# SECRET_MONITORING_ID_VERSION=v1 # SECRET_MONITORING_ID_VERSION=v1
# SECRET_MONITORING_SECRET_VERSION=v1 # SECRET_MONITORING_SECRET_VERSION=v1
# APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.svg" # APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.png"
# COMPOSE_FILE="$COMPOSE_FILE:compose.rallly.yml" # COMPOSE_FILE="$COMPOSE_FILE:compose.rallly.yml"
# RALLLY_DOMAIN=rallly.example.com # RALLLY_DOMAIN=rallly.example.com
@ -130,5 +113,6 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
# SECRET_HEDGEDOC_SECRET_VERSION=v1 # SECRET_HEDGEDOC_SECRET_VERSION=v1
# APP_ICONS="$APP_ICONS hedgedoc:~/.abra/recipes/authentik/icons/hedgedoc.png" # APP_ICONS="$APP_ICONS hedgedoc:~/.abra/recipes/authentik/icons/hedgedoc.png"
# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/", "Pretix": "https://pretix.example.com/control/"}' # APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/"}'
# EXTRA_ICONS={"Calendar": "~/.abra/recipes/authentik/icons/calendar.svg", "BBB": "~/.abra/recipes/authentik/icons/bbb.png", "Pretix": "~/.abra/recipes/authentik/icons/pretix.svg"} # APP_ICONS="$APP_ICONS Calendar:~/.abra/recipes/authentik/icons/calendar.svg"
# APP_ICONS="$APP_ICONS BBB:~/.abra/recipes/authentik/icons/bbb.jpg"
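Review bot: The commented `POST_DEPLOY_CMDS` example on the new side reads `worker worker apply_blueprints|worker add_applications`; the first entry repeats the service name, which looks like a typo that would fail if someone uncomments the line as is. Presumably it should be `# POST_DEPLOY_CMDS="worker apply_blueprints|worker add_applications"`. `AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21` is also left unquoted, whereas the colour value on the other side was written as `'#eaeaeacf'`; quoting it as `AUTHENTIK_COLOR_BACKGROUND_LIGHT='#1c1e21'` avoids any env-file parser treating `#` as the start of a comment.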


@ -35,7 +35,6 @@ abra app secret generate -a <app_name>
abra app undeploy <app_name> abra app undeploy <app_name>
abra app deploy <app_name> abra app deploy <app_name>
abra app cmd <app_name> db rotate_db_pass abra app cmd <app_name> db rotate_db_pass
abra app cmd <app_name> app set_admin_pass
``` ```
## Add SSO for Nextcloud ## Add SSO for Nextcloud
@ -52,26 +51,8 @@ APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"
Set the nextcloud Icon using `abra app cmd -l -d <app_name> set_icons` Set the nextcloud Icon using `abra app cmd -l -d <app_name> set_icons`
Generate OAuth client id and secret using `abra app secret generate <app_name> -a` (all secrets) or individually:
- `abra app secret generate <app_name> nextcloud_id`
- `abra app secret generate <app_name> nextcloud_secret`
Add the id and secret to nextcloud as secrets with:
- `abra app secret insert <nextcloud_app_name> authentik_id v1 <id>`
- `abra app secret insert <nextcloud_app_name> authentik_secret v1 <secret>`
Redeploy Authentik to enable the nextcloud client.
The configuration inside Nextcloud can be found in the [nextcloud recipe](https://git.coopcloud.tech/coop-cloud/nextcloud#authentik-integration) The configuration inside Nextcloud can be found in the [nextcloud recipe](https://git.coopcloud.tech/coop-cloud/nextcloud#authentik-integration)
## Add LDAP outpost
- Follow [this official guide](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap/generic_setup) and skip the LDAP Flow as we don't need it.
- Copy token under `Applications` -> `Outposts` `-> `View Deployment Info`
- Comment in envs for compose.outposts.ldap.yaml and secret version
- Insert token as secret `abra app secret insert <DOMAIN> ldap_token v1 <TOKEN>`
- Update deployment -> Outpost should be up and running
## Import User from CSV ## Import User from CSV
Users can be imported from a CSV file of the following format: Users can be imported from a CSV file of the following format:
@ -105,25 +86,6 @@ Run this command after every deploy/upgrade:
`abra app command --local <app-name> customize <assets_path>` `abra app command --local <app-name> customize <assets_path>`
## Custom CSS
Uncomment the following env:
```
COMPOSE_FILE="$COMPOSE_FILE:compose.css-volume.yml"
```
Redeploy the app:
```
abra app deploy -f <app_name>
```
Copy the CSS and restart the container:
```
abra app cp <app_name> my_custom.css app:/web/dist/assets/custom.css
abra app restart <app_name> app
```
## Email templates ## Email templates
Add custom [email templates](https://goauthentik.io/docs/flow/stages/email/#custom-templates): Add custom [email templates](https://goauthentik.io/docs/flow/stages/email/#custom-templates):
@ -134,15 +96,15 @@ Add custom [email templates](https://goauthentik.io/docs/flow/stages/email/#cust
These blueprints overwrite default blueprint values: These blueprints overwrite default blueprint values:
- `flow_translation.yaml` - flow_translation.yaml
- `flow_authentication.yaml` - flow_authentication.yaml
The following default blueprints will be overwritten by customizations: The following default blueprints will be overwritten by customizations:
- `flow-password-change.yaml` - flow-password-change.yaml
- `flow-default-authentication-flow.yaml` - flow-default-authentication-flow.yaml
- `flow-default-user-settings-flow.yaml` - flow-default-user-settings-flow.yaml
- `flow-default-source-enrollment.yaml` - flow-default-source-enrollment.yaml
The `abra.sh` function `apply_blueprints` needs to be executed to deactivate these blueprints to ensure that the customizations won't be overwritten. It will further execute flow_translation.yaml and flow_authentication.yaml again. The `abra.sh` function `apply_blueprints` needs to be executed to deactivate these blueprints to ensure that the customizations won't be overwritten. It will further execute flow_translation.yaml and flow_authentication.yaml again.

103
abra.sh

@ -1,24 +1,21 @@
export CUSTOM_CSS_VERSION=v3 export CUSTOM_CSS_VERSION=v2
export FLOW_AUTHENTICATION_VERSION=v4 export FLOW_AUTHENTICATION_VERSION=v4
export FLOW_INVITATION_VERSION=v2 export FLOW_INVITATION_VERSION=v2
export FLOW_INVALIDATION_VERSION=v2 export FLOW_INVALIDATION_VERSION=v2
export FLOW_RECOVERY_VERSION=v1 export FLOW_RECOVERY_VERSION=v1
export FLOW_TRANSLATION_VERSION=v3 export FLOW_TRANSLATION_VERSION=v3
export SYSTEM_BRAND_VERSION=v4 export SYSTEM_BRAND_VERSION=v3
export NEXTCLOUD_CONFIG_VERSION=v3 export NEXTCLOUD_CONFIG_VERSION=v1
export WORDPRESS_CONFIG_VERSION=v4 export WORDPRESS_CONFIG_VERSION=v2
export MATRIX_CONFIG_VERSION=v3 export MATRIX_CONFIG_VERSION=v1
export WEKAN_CONFIG_VERSION=v5 export WEKAN_CONFIG_VERSION=v3
export VIKUNJA_CONFIG_VERSION=v3 export VIKUNJA_CONFIG_VERSION=v1
export OUTLINE_CONFIG_VERSION=v4 export OUTLINE_CONFIG_VERSION=v2
export KIMAI_CONFIG_VERSION=v3 export KIMAI_CONFIG_VERSION=v1
export ZAMMAD_CONFIG_VERSION=v4 export RALLLY_CONFIG_VERSION=v2
export RALLLY_CONFIG_VERSION=v4 export HEDGEDOC_CONFIG_VERSION=v1
export HEDGEDOC_CONFIG_VERSION=v3 export MONITORING_CONFIG_VERSION=v1
export MONITORING_CONFIG_VERSION=v4
export DB_ENTRYPOINT_VERSION=v1 export DB_ENTRYPOINT_VERSION=v1
export PG_BACKUP_VERSION=v2
export ENTRYPOINT_CSS_VERSION=v1
customize() { customize() {
if [ -z "$1" ] if [ -z "$1" ]
@ -35,15 +32,6 @@ customize() {
done done
} }
shell(){
if [ -z "$1" ]
then
echo "Usage: ... shell <python code>"
exit 1
fi
ak shell -c "$1" 2>&1 | quieten
}
import_user() { import_user() {
if [ -z "$1" ] if [ -z "$1" ]
then then
@ -85,40 +73,7 @@ with open('/tmp/$1', newline='') as file:
} }
set_admin_pass() { set_admin_pass() {
password=$(cat /run/secrets/admin_pass) echo "The set_admin_pass function is depricated"
token=$(cat /run/secrets/admin_token)
/manage.py shell -c """
import time
i = 0
while (not User.objects.filter(username='akadmin')):
print('Waiting for akadmin to be created...')
time.sleep(10)
i += 1
if i > 6:
print('Failed to find admin user!')
exit()
akadmin = User.objects.get(username='akadmin')
akadmin.set_password('$password')
akadmin.save()
print('Changed akadmin password')
from authentik.core.models import TokenIntents
key='$token'
if (token:= Token.objects.filter(identifier='authentik-bootstrap-token').first()):
token.key=key
token.save()
print('Changed authentik-bootstrap-token')
else:
Token.objects.create(
identifier='authentik-bootstrap-token',
user=akadmin,
intent=TokenIntents.INTENT_API,
expiring=False,
key=key,
)
print('Created authentik-bootstrap-token')
""" 2>&1 | quieten
} }
rotate_db_pass() { rotate_db_pass() {
@ -178,13 +133,11 @@ print(f'{blueprint.name} enabled: {blueprint.enabled}')
} }
add_applications(){ add_applications(){
export APPLICATIONS
/manage.py shell -c """ /manage.py shell -c """
import json import json
import os if '$APPLICATIONS' == '':
if os.environ['APPLICATIONS'] == '':
exit() exit()
applications = json.loads(os.environ['APPLICATIONS']) applications = json.loads('$APPLICATIONS')
for name, url in applications.items(): for name, url in applications.items():
print(f'Add {name}: {url}') print(f'Add {name}: {url}')
app = Application.objects.filter(name=name).first() app = Application.objects.filter(name=name).first()
@ -213,10 +166,6 @@ done
} }
set_icons(){ set_icons(){
if [ -n "$1" ]
then
APP_ICONS="$1"
fi
for icon in $APP_ICONS; do for icon in $APP_ICONS; do
app=$(echo $icon | cut -d ":" -f1) app=$(echo $icon | cut -d ":" -f1)
file_path=$(eval echo $(echo $icon | cut -d ":" -f2)) file_path=$(eval echo $(echo $icon | cut -d ":" -f2))
@ -227,22 +176,6 @@ for icon in $APP_ICONS; do
done done
} }
set_extra_icons(){
if [ -z "$EXTRA_ICONS" ]
then
echo "Variable EXTRA_ICONS is not set"
exit 1
fi
export EXTRA_ICONS
icon_key_values=$(python3 -c "
import json
import os
for key, value in json.loads(os.environ['EXTRA_ICONS']).items():
print(f'{key}:{value}')
")
set_icons "$icon_key_values"
}
set_app_icon() { set_app_icon() {
TOKEN=$(cat /run/secrets/admin_token) TOKEN=$(cat /run/secrets/admin_token)
python -c """ python -c """
@ -286,9 +219,3 @@ cert = saml.signing_kp
print(''.join(cert.certificate_data.splitlines()[1:-1])) print(''.join(cert.certificate_data.splitlines()[1:-1]))
""" 2>&1 | quieten """ 2>&1 | quieten
} }
get_user_uid() {
/manage.py shell -c """
print(User.objects.filter(username='$1').first().uid)
""" 2>&1 | quieten
}
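Review bot: `add_applications` on the new side pastes `$APPLICATIONS` straight into the Python source handed to `/manage.py shell -c`, so a single quote or backslash anywhere in the JSON (an application name containing an apostrophe is enough) ends the string literal and the rest of the value is interpreted as code inside the authentik shell. Reading the value from the process environment keeps it as data: `export APPLICATIONS` before the call, `import os` in the script, and `applications = json.loads(os.environ['APPLICATIONS'])`. The context line `with open('/tmp/$1', newline='') as file:` suggests `import_user` interpolates its argument the same way; its body is outside the visible hunks, so that is worth checking separately. Minor: the new `set_admin_pass` message spells "deprecated" as `depricated`.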


@ -17,7 +17,6 @@ matrix-synapse:
uncomment: uncomment:
- compose.matrix.yml - compose.matrix.yml
- ELEMENT_DOMAIN - ELEMENT_DOMAIN
- MATRIX_DOMAIN
- SECRET_MATRIX_ID_VERSION - SECRET_MATRIX_ID_VERSION
- SECRET_MATRIX_SECRET_VERSION - SECRET_MATRIX_SECRET_VERSION
- matrix.svg - matrix.svg
@ -41,19 +40,7 @@ vikunja:
- vikunja.svg - vikunja.svg
secrets: secrets:
vikunja_id: vikunja vikunja_id: vikunja
kimai: monitoring:
uncomment:
- compose.kimai.yml
- KIMAI_DOMAIN
- SECRET_KIMAI_ID_VERSION
- SECRET_KIMAI_SECRET_VERSION
- kimai_logo.png
zammad:
uncomment:
- compose.zammad.yml
- ZAMMAD_DOMAIN
- zammad.svg
monitoring-ng:
uncomment: uncomment:
- compose.monitoring.yml - compose.monitoring.yml
- MONITORING_DOMAIN - MONITORING_DOMAIN


@ -1,16 +0,0 @@
---
version: "3.8"
services:
app:
user: root
entrypoint: /docker-entrypoint.sh
configs:
- source: entrypoint_css
target: /docker-entrypoint.sh
mode: 0555
configs:
entrypoint_css:
name: ${STACK_NAME}_entrypoint_css_${ENTRYPOINT_CSS_VERSION}
file: entrypoint-css-volume.sh


@ -1,18 +1,11 @@
version: "3.8" version: "3.8"
services: services:
app:
deploy:
labels:
- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect-matrix-well-known"
- "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.regex=^https://(.*)/.well-known/matrix/(.*)"
- "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.replacement=https://${MATRIX_DOMAIN}/.well-known/matrix/$$2"
worker: worker:
secrets: secrets:
- matrix_id - matrix_id
- matrix_secret - matrix_secret
environment: environment:
- ELEMENT_DOMAIN - ELEMENT_DOMAIN
- MATRIX_DOMAIN
configs: configs:
- source: matrix - source: matrix
target: /blueprints/matrix.yaml target: /blueprints/matrix.yaml


@ -1,23 +0,0 @@
version: "3.8"
services:
authentik_ldap:
image: ghcr.io/goauthentik/ldap:2025.6.1
# Optionally specify which networks the container should be
# might be needed to reach the core authentik server
networks:
- internal
- proxy
ports:
- 389:3389
- 636:6636
secrets:
- ldap_token
environment:
- AUTHENTIK_HOST=https://${DOMAIN}
- AUTHENTIK_INSECURE=true
- AUTHENTIK_TOKEN=file:///run/secrets/ldap_token
secrets:
ldap_token:
external: true
name: ${STACK_NAME}_ldap_token_${SECRET_LDAP_TOKEN_VERSION}


@ -8,6 +8,8 @@ x-env: &env
- AUTHENTIK_REDIS__HOST=redis - AUTHENTIK_REDIS__HOST=redis
- AUTHENTIK_ERROR_REPORTING__ENABLED - AUTHENTIK_ERROR_REPORTING__ENABLED
- AUTHENTIK_SECRET_KEY=file:///run/secrets/secret_key - AUTHENTIK_SECRET_KEY=file:///run/secrets/secret_key
- AUTHENTIK_BOOTSTRAP_PASSWORD=file:///run/secrets/admin_pass
- AUTHENTIK_BOOTSTRAP_TOKEN=file:///run/secrets/admin_token
- AUTHENTIK_EMAIL__HOST - AUTHENTIK_EMAIL__HOST
- AUTHENTIK_EMAIL__PORT - AUTHENTIK_EMAIL__PORT
- AUTHENTIK_EMAIL__USERNAME - AUTHENTIK_EMAIL__USERNAME
@ -17,11 +19,10 @@ x-env: &env
- AUTHENTIK_EMAIL__TIMEOUT - AUTHENTIK_EMAIL__TIMEOUT
- AUTHENTIK_EMAIL__FROM - AUTHENTIK_EMAIL__FROM
- AUTHENTIK_LOG_LEVEL - AUTHENTIK_LOG_LEVEL
- BACKGROUND_FONT_COLOR=${BACKGROUND_FONT_COLOR:-white} - AUTHENTIK_SETTINGS__THEME__BACKGROUND
- BACKGROUND_BOX_COLOR=${BACKGROUND_BOX_COLOR:-#eaeaeacf} - AUTHENTIK_COLOR_BACKGROUND_LIGHT
- AUTHENTIK_FOOTER_LINKS - AUTHENTIK_FOOTER_LINKS
- AUTHENTIK_IMPERSONATION - AUTHENTIK_IMPERSONATION
- AUTHENTIK_BOOTSTRAP_EMAIL
- WELCOME_MESSAGE - WELCOME_MESSAGE
- DEFAULT_LANGUAGE - DEFAULT_LANGUAGE
- EMAIL_SUBJECT - EMAIL_SUBJECT
@ -29,12 +30,11 @@ x-env: &env
- DOMAIN - DOMAIN
- LOGOUT_REDIRECT - LOGOUT_REDIRECT
- APPLICATIONS - APPLICATIONS
- THEME_BACKGROUND
version: '3.8' version: '3.8'
services: services:
app: app:
image: ghcr.io/goauthentik/server:2025.6.1 image: ghcr.io/goauthentik/server:2024.4.2
command: server command: server
depends_on: depends_on:
- db - db
@ -53,13 +53,16 @@ services:
- internal - internal
- proxy - proxy
healthcheck: healthcheck:
test: "ak healthcheck" test: "bash -c 'printf \"GET / HTTP/1.1\n\n\" > /dev/tcp/127.0.0.1/9000; exit $$?;'"
interval: 30s interval: 30s
timeout: 30s timeout: 10s
retries: 10 retries: 10
start_period: 5m start_period: 5m
environment: *env environment: *env
deploy: deploy:
update_config:
failure_action: rollback
order: start-first
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.docker.network=proxy" - "traefik.docker.network=proxy"
@ -72,11 +75,11 @@ services:
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}" - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
- "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN" - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
- "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}" - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
- "coop-cloud.${STACK_NAME}.version=7.3.1+2025.6.1" - "coop-cloud.${STACK_NAME}.version=6.1.1+2024.4.2"
- "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}" - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
worker: worker:
image: ghcr.io/goauthentik/server:2025.6.1 image: ghcr.io/goauthentik/server:2024.4.2
command: worker command: worker
depends_on: depends_on:
- db - db
@ -91,10 +94,10 @@ services:
- internal - internal
- proxy - proxy
volumes: volumes:
- backups:/backups
- media:/media - media:/media
- /dev/null:/blueprints/default/flow-oobe.yaml - /dev/null:/blueprints/default/flow-oobe.yaml
- templates:/templates - templates:/templates
- certs:/certs
configs: configs:
- source: flow_recovery - source: flow_recovery
target: /blueprints/1_flow_recovery.yaml target: /blueprints/1_flow_recovery.yaml
@ -109,24 +112,15 @@ services:
- source: flow_invalidation - source: flow_invalidation
target: /blueprints/6_flow_invalidation.yaml target: /blueprints/6_flow_invalidation.yaml
environment: *env environment: *env
healthcheck:
test: "ak healthcheck"
interval: 30s
timeout: 30s
retries: 10
start_period: 5m
db: db:
image: postgres:15.13 image: postgres:15.7
secrets: secrets:
- db_password - db_password
configs: configs:
- source: db_entrypoint - source: db_entrypoint
target: /docker-entrypoint.sh target: /docker-entrypoint.sh
mode: 0555 mode: 0555
- source: pg_backup
target: /pg_backup.sh
mode: 0555
entrypoint: entrypoint:
/docker-entrypoint.sh /docker-entrypoint.sh
volumes: volumes:
@ -145,15 +139,13 @@ services:
- POSTGRES_DB=authentik - POSTGRES_DB=authentik
deploy: deploy:
labels: labels:
backupbot.backup: "${ENABLE_BACKUPS:-true}" backupbot.backup: "true"
backupbot.backup.pre-hook: "/pg_backup.sh backup" backupbot.backup.pre-hook: "PGPASSWORD=$$(cat /run/secrets/db_password) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
backupbot.backup.volumes.database.path: "backup.sql" backupbot.backup.post-hook: "rm -rf /var/lib/postgresql/data/backup.sql"
backupbot.backup.volumes.redis: "false" backupbot.backup.path: "/var/lib/postgresql/data"
backupbot.restore.post-hook: '/pg_backup.sh restore'
redis: redis:
image: redis:8.0.2-alpine image: redis:7.2.4-alpine
command: --save 60 1 --loglevel warning
networks: networks:
- internal - internal
healthcheck: healthcheck:
@ -162,8 +154,6 @@ services:
timeout: 10s timeout: 10s
retries: 10 retries: 10
start_period: 1m start_period: 1m
volumes:
- redis:/data
secrets: secrets:
db_password: db_password:
@ -188,9 +178,8 @@ networks:
internal: internal:
volumes: volumes:
backups:
media: media:
certs:
redis:
templates: templates:
assets: assets:
database: database:
@ -224,6 +213,3 @@ configs:
name: ${STACK_NAME}_db_entrypoint_${DB_ENTRYPOINT_VERSION} name: ${STACK_NAME}_db_entrypoint_${DB_ENTRYPOINT_VERSION}
file: entrypoint.postgres.sh.tmpl file: entrypoint.postgres.sh.tmpl
template_driver: golang template_driver: golang
pg_backup:
name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
file: pg_backup.sh
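Review bot: The `db` backup labels on the new side write a full `pg_dump` to `/var/lib/postgresql/data/backup.sql` and then set `backupbot.backup.path` to the whole data directory, so each backup carries both the live cluster files (copied while postgres is running, so not guaranteed consistent) and a plaintext dump that includes password hashes and API tokens. If a run is interrupted between the hooks, the dump stays on the volume, because only the post-hook removes it. Narrowing the path to the dump itself, `backupbot.backup.path: "/var/lib/postgresql/data/backup.sql"`, would keep the backup consistent and smaller; confirm that the deployed backup-bot version accepts a file path there. Separately, the image tags on this side (`server:2024.4.2`, `postgres:15.7`, `redis:7.2.4-alpine`) are older than the ones they replace, which for an identity provider is worth checking against the upstream security advisories before deploying.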


@ -1,14 +0,0 @@
version: "3.8"
services:
worker:
environment:
- ZAMMAD_DOMAIN
configs:
- source: zammad
target: /blueprints/zammad.yaml
configs:
zammad:
name: ${STACK_NAME}_zammad_${ZAMMAD_CONFIG_VERSION}
file: zammad.yaml.tmpl
template_driver: golang


@ -1,13 +1,24 @@
/* my custom css */ /* my custom css */
:root { :root {
--pf-global--BackgroundColor--100: {{ env "BACKGROUND_BOX_COLOR" }} !important; --ak-accent: #fd4b2d;
--ak-dark-foreground: #fafafa;
--ak-dark-foreground-darker: #bebebe;
--ak-dark-foreground-link: #5a5cb9;
--ak-dark-background: #18191a;
--ak-dark-background-darker: #000000;
--ak-dark-background-light: {{ env "AUTHENTIK_COLOR_BACKGROUND_LIGHT" }};
--ak-dark-background-light-ish: #212427;
--ak-dark-background-lighter: #2b2e33;
--pf-c-background-image--BackgroundImage: var(--ak-flow-background);
--pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
--pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
--pf-c-background-image--BackgroundImage--sm-2x: var(--ak-flow-background);
--pf-c-background-image--BackgroundImage--lg: var(--ak-flow-background);
} }
.pf-c-login__main {
background-color: {{ env "BACKGROUND_BOX_COLOR" }};
}
.pf-c-content h1 {
color: {{ env "BACKGROUND_FONT_COLOR" }};
}
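Review bot: `--ak-dark-background-light` is rendered from `{{ env "AUTHENTIK_COLOR_BACKGROUND_LIGHT" }}` with no fallback, and the compose change in this same comparison passes that variable through without the `${VAR:-default}` form the old colour variables had. If the variable is unset, the declaration renders as `--ak-dark-background-light: ;` and is dropped by the browser. A fallback in the template would avoid that, using the same construct the blueprint templates use: `--ak-dark-background-light: {{ if eq (env "AUTHENTIK_COLOR_BACKGROUND_LIGHT") "" }}#1c1e21{{ else }}{{ env "AUTHENTIK_COLOR_BACKGROUND_LIGHT" }}{{ end }};`.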

405
custom_flows.yaml.tmpl Normal file

@ -0,0 +1,405 @@
version: 1
metadata:
labels:
blueprints.goauthentik.io/instantiate: "true"
name: Custom - Flows
context:
welcome_message: {{ if eq (env "WELCOME_MESSAGE") "" }} "Welcome to authentik!" {{ else }} {{ env "WELCOME_MESSAGE" }} {{ end }}
####### Translations ########
transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort Zurücksetzen" {{ else }} "Reset your password" {{ end }}
transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort" {{ else }} "Password" {{ end }}
transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort (wiederholen)" {{ else }} "Password (repeat)" {{ end }}
transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Benutzername" {{ else }} "Username" {{ end }}
transl_name: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Vor- und Nachname" {{ else }} "Full name" {{ end }}
entries:
######## Email Recovery Flow ########
- identifiers:
slug: default-recovery-flow
id: recovery_flow
model: authentik_flows.flow
attrs:
name: Default recovery flow
title: !Context transl_recovery
designation: recovery
### PROMPTS
- identifiers:
field_key: password
id: prompt-field-password
model: authentik_stages_prompt.prompt
attrs:
label: !Context transl_password
type: password
required: true
placeholder: !Context transl_password
order: 30
placeholder_expression: false
- identifiers:
field_key: password_repeat
id: prompt-field-password-repeat
model: authentik_stages_prompt.prompt
attrs:
label: !Context transl_password_repeat
type: password
required: true
placeholder: !Context transl_password_repeat
order: 31
placeholder_expression: false
### STAGES
- identifiers:
name: default-recovery-email
id: default-recovery-email
model: authentik_stages_email.emailstage
attrs:
use_global_settings: true
token_expiry: {{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }} 30 {{ else }} {{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }} {{ end }}
subject: {{ if eq (env "EMAIL_SUBJECT") "" }} "Account Recovery" {{ else }} "{{ env "EMAIL_SUBJECT" }}" {{ end }}
template: email/password_reset.html
activate_user_on_success: true
- identifiers:
name: default-recovery-user-write
id: default-recovery-user-write
model: authentik_stages_user_write.userwritestage
- identifiers:
name: default-recovery-identification
id: default-recovery-identification
model: authentik_stages_identification.identificationstage
attrs:
user_fields:
- email
- username
- identifiers:
name: default-recovery-user-login
id: default-recovery-user-login
model: authentik_stages_user_login.userloginstage
attrs:
session_duration: seconds=0
- identifiers:
name: Change your password
id: stage-prompt-password
model: authentik_stages_prompt.promptstage
attrs:
fields:
- !KeyOf prompt-field-password
- !KeyOf prompt-field-password-repeat
validation_policies: []
### STAGE BINDINGS
- identifiers:
target: !KeyOf recovery_flow
stage: !KeyOf default-recovery-identification
order: 10
model: authentik_flows.flowstagebinding
id: flow-binding-identification
attrs:
evaluate_on_plan: true
re_evaluate_policies: true
policy_engine_mode: any
invalid_response_action: retry
- identifiers:
target: !KeyOf recovery_flow
stage: !KeyOf default-recovery-email
order: 20
model: authentik_flows.flowstagebinding
id: flow-binding-email
attrs:
evaluate_on_plan: true
re_evaluate_policies: true
policy_engine_mode: any
invalid_response_action: retry
- identifiers:
target: !KeyOf recovery_flow
stage: !KeyOf stage-prompt-password
order: 30
model: authentik_flows.flowstagebinding
attrs:
evaluate_on_plan: true
re_evaluate_policies: false
policy_engine_mode: any
invalid_response_action: retry
- identifiers:
target: !KeyOf recovery_flow
stage: !KeyOf default-recovery-user-write
order: 40
model: authentik_flows.flowstagebinding
attrs:
evaluate_on_plan: true
re_evaluate_policies: false
policy_engine_mode: any
invalid_response_action: retry
- identifiers:
target: !KeyOf recovery_flow
stage: !KeyOf default-recovery-user-login
order: 100
model: authentik_flows.flowstagebinding
attrs:
evaluate_on_plan: true
re_evaluate_policies: false
policy_engine_mode: any
invalid_response_action: retry
### POLICIES
## ISSUES with this policy
## https://github.com/goauthentik/authentik/blob/493cdd5c0f8caaec7a7dd474f1aa131e32fd39c3/blueprints/example/flows-recovery-email-verification.yaml#L37
## https://github.com/goauthentik/authentik/commit/317e9ec6053742e17ba74fb6aa38dc15aaf6657f#diff-a5c56bb7c60e27dda1b131b3fc2a17e3af6624e7cfaaa2337ec6b077ca489f34
# - identifiers:
# name: default-recovery-skip-if-restored
# id: default-recovery-skip-if-restored
# model: authentik_policies_expression.expressionpolicy
# attrs:
# expression: |
# return request.context.get('is_restored', False)
### POLICY BINDINGS
# - identifiers:
# policy: !KeyOf default-recovery-skip-if-restored
# target: !KeyOf flow-binding-identification
# order: 0
# model: authentik_policies.policybinding
# attrs:
# negate: false
# enabled: true
# timeout: 30
# - identifiers:
# policy: !KeyOf default-recovery-skip-if-restored
# target: !KeyOf flow-binding-email
# order: 0
# model: authentik_policies.policybinding
# attrs:
# negate: false
# enabled: true
# timeout: 30
######## Authentication Flow ########
- attrs:
designation: authentication
name: custom-authentication-flow
title: !Context welcome_message
identifiers:
slug: custom-authentication-flow
id: authentication_flow
model: authentik_flows.flow
### STAGES
- attrs:
backends:
- authentik.core.auth.InbuiltBackend
- authentik.sources.ldap.auth.LDAPBackend
- authentik.core.auth.TokenBackend
configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]
identifiers:
name: custom-authentication-password
id: custom-authentication-password
model: authentik_stages_password.passwordstage
- identifiers:
name: custom-authentication-mfa-validation
id: custom-authentication-mfa-validation
model: authentik_stages_authenticator_validate.authenticatorvalidatestage
- attrs:
password_stage: !KeyOf custom-authentication-password
recovery_flow: !KeyOf recovery_flow # !Find [authentik_flows.flow, [slug, default-recovery-flow]]
user_fields:
- email
- username
identifiers:
name: custom-authentication-identification
id: custom-authentication-identification
model: authentik_stages_identification.identificationstage
- attrs:
session_duration: seconds=0
identifiers:
name: custom-authentication-login
id: custom-authentication-login
model: authentik_stages_user_login.userloginstage
### STAGE BINDINGS
- identifiers:
order: 10
stage: !KeyOf custom-authentication-identification
target: !KeyOf authentication_flow
model: authentik_flows.flowstagebinding
- identifiers:
order: 30
stage: !KeyOf custom-authentication-mfa-validation
target: !KeyOf authentication_flow
model: authentik_flows.flowstagebinding
- identifiers:
order: 100
stage: !KeyOf custom-authentication-login
target: !KeyOf authentication_flow
model: authentik_flows.flowstagebinding
######## Invitation Enrollment Flow ########
- attrs:
designation: enrollment
name: invitation-enrollment-flow
title: !Context welcome_message
identifiers:
slug: invitation-enrollment-flow
id: invitation-enrollment-flow
model: authentik_flows.flow
### PROMPTS
- identifiers:
field_key: username
id: prompt-field-username
model: authentik_stages_prompt.prompt
attrs:
label: !Context transl_username
type: username
required: true
placeholder: !Context transl_username
order: 0
placeholder_expression: false
- identifiers:
field_key: name
id: prompt-field-name
model: authentik_stages_prompt.prompt
attrs:
label: !Context transl_name
type: text
required: true
placeholder: !Context transl_name
order: 1
placeholder_expression: false
- identifiers:
field_key: email
label: Email
id: prompt-field-email
model: authentik_stages_prompt.prompt
attrs:
type: email
required: true
placeholder: muster@example.com
order: 2
placeholder_expression: false
### STAGES
- id: invitation-stage
identifiers:
name: invitation-stage
model: authentik_stages_invitation.invitationstage
- attrs:
fields:
- !KeyOf prompt-field-username
- !KeyOf prompt-field-name
- !KeyOf prompt-field-email
- !KeyOf prompt-field-password
- !KeyOf prompt-field-password-repeat
id: enrollment-prompt-userdata
identifiers:
name: enrollment-prompt-userdata
model: authentik_stages_prompt.promptstage
- id: enrollment-user-write
identifiers:
name: enrollment-user-write
model: authentik_stages_user_write.userwritestage
- attrs:
session_duration: seconds=0
id: enrollment-user-login
identifiers:
name: enrollment-user-login
model: authentik_stages_user_login.userloginstage
### STAGE BINDINGS
- identifiers:
order: 1
stage: !KeyOf invitation-stage
target: !KeyOf invitation-enrollment-flow
model: authentik_flows.flowstagebinding
- identifiers:
order: 10
stage: !KeyOf enrollment-prompt-userdata
target: !KeyOf invitation-enrollment-flow
model: authentik_flows.flowstagebinding
- identifiers:
order: 20
stage: !KeyOf enrollment-user-write
target: !KeyOf invitation-enrollment-flow
model: authentik_flows.flowstagebinding
- identifiers:
order: 100
stage: !KeyOf enrollment-user-login
target: !KeyOf invitation-enrollment-flow
model: authentik_flows.flowstagebinding
######## Invalidation Flow ########
- identifiers:
slug: logout-flow
id: logout-flow
model: authentik_flows.flow
attrs:
name: Logout
title: Logout Flow
designation: invalidation
### STAGES
- id: logout-stage
identifiers:
name: logout-stage
model: authentik_stages_user_logout.userlogoutstage
### STAGE BINDINGS
- identifiers:
order: 0
stage: !KeyOf logout-stage
target: !KeyOf logout-flow
model: authentik_flows.flowstagebinding
attrs:
re_evaluate_policies: true
id: logout-stage-binding
### POLICIES
- attrs:
execution_logging: true
expression: 'context[''flow_plan''].context[''redirect''] = ''{{ env "LOGOUT_REDIRECT" }}''
return True'
identifiers:
name: redirect-policy
id: redirect-policy
model: authentik_policies_expression.expressionpolicy
### POLICY BINDINGS
- identifiers:
policy: !KeyOf redirect-policy
target: !KeyOf logout-stage-binding
order: 0
model: authentik_policies.policybinding
attrs:
enabled: {{ if eq (env "LOGOUT_REDIRECT") "" }} false {{ else }} true {{ end }}
timeout: 30
######## System Brand ##########
- attrs:
attributes:
settings:
locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }}
# branding_favicon: /static/dist/assets/icons/icon.png
# branding_logo: /static/dist/assets/icons/icon_left_brand.svg
# branding_title: Authentik
# default: true
domain: {{ env "DOMAIN" }}
# event_retention: days=365
flow_authentication: !KeyOf authentication_flow
flow_recovery: !KeyOf recovery_flow
flow_invalidation: !KeyOf logout-flow
flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
identifiers:
pk: 047cce25-aae2-4b02-9f96-078e155f803d
id: system_brand
model: authentik_brands.brand
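Review bot: The `redirect-policy` expression embeds `{{ env "LOGOUT_REDIRECT" }}` between quotes inside Python source, so the value becomes part of the policy code: a quote or newline in it changes what authentik evaluates on every logout, and nothing in the template restricts it to a URL. At minimum a comment above the expression should state the constraint, for example `# LOGOUT_REDIRECT is pasted into Python source: plain https URL only, no quotes or newlines`. The same bare insertion affects YAML parsing for `welcome_message`, `locale` and `domain`, where a value containing `: ` or ` #` would break or alter the document. `subject` already shows the safer form, so `welcome_message` could follow it with `"{{ env "WELCOME_MESSAGE" }}"` in the else branch.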


@ -1,5 +0,0 @@
#!/bin/sh
cp -f /web/dist/assets/custom.css /web/dist/custom.css
su $(id -un 1000) -s /bin/bash -c 'dumb-init -- ak server'


@ -8,17 +8,12 @@ entries:
- attrs: - attrs:
access_code_validity: minutes=1 access_code_validity: minutes=1
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_id: {{ secret "hedgedoc_id" }} client_id: {{ secret "hedgedoc_id" }}
client_secret: {{ secret "hedgedoc_secret" }} client_secret: {{ secret "hedgedoc_secret" }}
client_type: confidential client_type: confidential
include_claims_in_id_token: true include_claims_in_id_token: true
issuer_mode: per_provider issuer_mode: per_provider
redirect_uris:
- matching_mode: strict
url: https://{{ env "HEDGEDOC_DOMAIN" }}/auth/oauth2/callback
name: Hedgedoc name: Hedgedoc
property_mappings: property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
@ -35,7 +30,7 @@ entries:
state: present state: present
- attrs: - attrs:
meta_launch_url: https://{{ env "HEDGEDOC_DOMAIN" }}/auth/oauth2 meta_launch_url: https://{{ env "HEDGEDOC_DOMAIN" }}
open_in_new_tab: true open_in_new_tab: true
policy_engine_mode: any policy_engine_mode: any
provider: !KeyOf hedgedoc_provider provider: !KeyOf hedgedoc_provider
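Review bot: The new side of the first hunk leaves the Hedgedoc OAuth2 provider with no `redirect_uris` entry, so the callback that was pinned with `matching_mode: strict` is gone from the blueprint. With nothing configured, which redirect targets are accepted is left to the server's behaviour for an empty list (possibly trust-on-first-use), a weaker guarantee than an explicit allow-list for a `confidential` client. I would keep `redirect_uris:` with `- matching_mode: strict` and `url: https://{{ env "HEDGEDOC_DOMAIN" }}/auth/oauth2/callback`, or the equivalent field in the schema of the targeted authentik version. The same removal is in the Matrix, Monitoring, Nextcloud, Outline, Rallly, Vikunja, Wekan and Wordpress sections below; the provider entry itself extends beyond the hunk.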

BIN
icons/bbb.jpg Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 6.7 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 94 KiB


@ -1,8 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
<svg width="800px" height="800px" viewBox="0 0 48 48" fill="none" xmlns="http://www.w3.org/2000/svg">
<rect width="48" height="48" fill="white" fill-opacity="0.01"/>
<path d="M24 44C29.5228 44 34.5228 41.7614 38.1421 38.1421C41.7614 34.5228 44 29.5228 44 24C44 18.4772 41.7614 13.4772 38.1421 9.85786C34.5228 6.23858 29.5228 4 24 4C18.4772 4 13.4772 6.23858 9.85786 9.85786C6.23858 13.4772 4 18.4772 4 24C4 29.5228 6.23858 34.5228 9.85786 38.1421C13.4772 41.7614 18.4772 44 24 44Z" fill="#2F88FF" stroke="#000000" stroke-width="4" stroke-linejoin="round"/>
<path d="M24 28.6249V24.6249C27.3137 24.6249 30 21.9386 30 18.6249C30 15.3112 27.3137 12.6249 24 12.6249C20.6863 12.6249 18 15.3112 18 18.6249" stroke="white" stroke-width="4" stroke-linecap="round" stroke-linejoin="round"/>
<path fill-rule="evenodd" clip-rule="evenodd" d="M24 37.6249C25.3807 37.6249 26.5 36.5056 26.5 35.1249C26.5 33.7442 25.3807 32.6249 24 32.6249C22.6193 32.6249 21.5 33.7442 21.5 35.1249C21.5 36.5056 22.6193 37.6249 24 37.6249Z" fill="white"/>
</svg>

Before

Width:  |  Height:  |  Size: 1.1 KiB


@ -1 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?><svg id="Ebene_1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 128 128"><defs><style>.cls-1{fill:#3b1c4a;}</style></defs><path class="cls-1" d="m50.67,56.95c-.72.1-1.22.3-1.66.5l2.38,16.91c.41.08.95.13,1.6.04,3.52-.5,4.61-3.64,3.81-9.39-.83-5.87-2.53-8.56-6.12-8.06Z"/><path class="cls-1" d="m116.04,35.05c.71-.17,1.16-.76,1.06-1.48L112.54,1.13c-.1-.72-.77-1.22-1.49-1.12l-37.5,5.27.73,5.22c.16,1.12-.62,2.15-1.74,2.31s-2.15-.62-2.31-1.74l-.73-5.22L1.13,15.46c-.72.1-1.22.77-1.12,1.49l4.56,32.44c.1.72.7,1.17,1.42,1.13,11.25-.92,21.43,7.1,23.03,18.46,1.6,11.36-5.99,21.81-17.07,23.96-.71.17-1.16.76-1.06,1.48l4.56,32.44c.1.72.77,1.22,1.49,1.12l68.37-9.61-.73-5.22c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l.73,5.22,37.5-5.27c.72-.1,1.22-.77,1.12-1.49l-4.56-32.44c-.1-.72-.7-1.17-1.42-1.13-11.25.92-21.42-7.04-23.02-18.4-1.6-11.36,5.98-21.87,17.06-24.03Zm-59.84,44.75c-1.76.25-3.29.26-4.04.17l1.59,11.29-9.92,1.39-5.3-37.73c2.5-1.62,5.96-3.03,11.38-3.8,8.68-1.22,15.27,2.58,16.66,12.44,1.25,8.88-3.12,15.21-10.36,16.23Zm30.73,20.71c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31,1.12-.16,2.15.62,2.31,1.74l1.47,10.44Zm-3.16-22.45c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l1.47,10.44Z"/></svg>

Before

Width:  |  Height:  |  Size: 1.6 KiB


@ -1,12 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
<svg width="800px" height="800px" viewBox="0 0 512 512" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<title>support</title>
<g id="Page-1" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
<g id="support" fill="#000000" transform="translate(42.666667, 42.666667)">
<path d="M379.734355,174.506667 C373.121022,106.666667 333.014355,-2.13162821e-14 209.067688,-2.13162821e-14 C85.1210217,-2.13162821e-14 45.014355,106.666667 38.4010217,174.506667 C15.2012632,183.311569 -0.101643453,205.585799 0.000508304259,230.4 L0.000508304259,260.266667 C0.000508304259,293.256475 26.7445463,320 59.734355,320 C92.7241638,320 119.467688,293.256475 119.467688,260.266667 L119.467688,230.4 C119.360431,206.121456 104.619564,184.304973 82.134355,175.146667 C86.4010217,135.893333 107.307688,42.6666667 209.067688,42.6666667 C310.827688,42.6666667 331.521022,135.893333 335.787688,175.146667 C313.347976,184.324806 298.68156,206.155851 298.667688,230.4 L298.667688,260.266667 C298.760356,283.199651 311.928618,304.070103 332.587688,314.026667 C323.627688,330.88 300.801022,353.706667 244.694355,360.533333 C233.478863,343.50282 211.780225,336.789048 192.906491,344.509658 C174.032757,352.230268 163.260418,372.226826 167.196286,392.235189 C171.132153,412.243552 188.675885,426.666667 209.067688,426.666667 C225.181549,426.577424 239.870491,417.417465 247.041022,402.986667 C338.561022,392.533333 367.787688,345.386667 376.961022,317.653333 C401.778455,309.61433 418.468885,286.351502 418.134355,260.266667 L418.134355,230.4 C418.23702,205.585799 402.934114,183.311569 379.734355,174.506667 Z M76.8010217,260.266667 C76.8010217,269.692326 69.1600148,277.333333 59.734355,277.333333 C50.3086953,277.333333 42.6676884,269.692326 42.6676884,260.266667 L42.6676884,230.4 C42.6676884,224.302667 45.9205765,218.668499 51.2010216,215.619833 C56.4814667,212.571166 62.9872434,212.571166 68.2676885,215.619833 C73.5481336,218.668499 76.8010217,224.302667 76.8010217,230.4 L76.8010217,260.266667 Z M341.334355,230.4 C341.334355,220.97434 348.975362,213.333333 358.401022,213.333333 C367.826681,213.333333 375.467688,220.97434 375.467688,230.4 L375.467688,260.266667 C375.467688,269.692326 367.826681,277.333333 358.401022,277.333333 C348.975362,277.333333 341.334355,269.692326 
341.334355,260.266667 L341.334355,230.4 Z">
</path>
</g>
</g>
</svg>

Before

Width:  |  Height:  |  Size: 2.5 KiB

File diff suppressed because one or more lines are too long

Before

Width:  |  Height:  |  Size: 6.8 KiB


@ -1,30 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg width="126px" height="108px" viewBox="0 0 42 36" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:sketch="http://www.bohemiancoding.com/sketch/ns">
<!-- Generator: Sketch 3.3.2 (12043) - http://www.bohemiancoding.com/sketch -->
<title>logo</title>
<desc>Created with Sketch.</desc>
<defs/>
<g id="Page-1" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd" sketch:type="MSPage">
<g id="logo" sketch:type="MSArtboardGroup">
<g sketch:type="MSLayerGroup" transform="translate(1.000000, 0.000000)" id="Shape">
<path d="M27.3375,12.6 L36.72,9.72 L31.1625,13.2525 L27.3375,12.6 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
<path d="M33.0525,19.62 L31.1625,13.2525 L36.72,9.72 L35.055,15.435 L33.0525,19.62 Z" fill="#E84F83" sketch:type="MSShapeGroup"/>
<path d="M39.465,7.9875 L38.43,9.72 L35.055,15.435 L36.72,9.72 L39.465,7.9875 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
<path d="M39.8025,9.1125 L37.1925,11.79 L38.43,9.72 L39.8025,9.1125 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
<path d="M27.9,10.8225 L35.5725,10.0575 L30.24,11.7 L27.9,10.8225 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
<path d="M28.1925,15.165 L31.1625,13.2525 L33.0525,19.62 L32.0625,21.645 L28.1925,15.165 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
<path d="M23.76,22.725 L22.3425,5.4 L32.0625,21.645 L23.76,22.725 Z" fill="#B7DFF2" sketch:type="MSShapeGroup"/>
<path d="M19.7325,27.1575 L23.76,22.725 L32.0625,21.645 L19.7325,27.1575 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
<path d="M0.1575,35.865 L19.7325,27.1575 L23.76,22.725 L17.37,22.0725 L0.1575,35.865 Z" fill="#FFCE33" sketch:type="MSShapeGroup"/>
<path d="M0.9,28.755 L10.9575,27.225 L14.085,24.705 L12.555,24.03 L0.9,28.755 Z" fill="#D6B12D" sketch:type="MSShapeGroup"/>
<path d="M4.5225,20.5425 L14.085,24.705 L17.37,22.0725 L4.5225,20.5425 Z" fill="#FFDE85" sketch:type="MSShapeGroup"/>
<path d="M21.6225,11.6775 L20.4075,11.88 L17.37,22.0725 L20.655,20.0025 L21.6225,11.6775 Z" fill="#009EC6" sketch:type="MSShapeGroup"/>
<path d="M23.4,18.2475 L20.655,20.0025 L22.3425,5.4 L23.4,18.2475 Z" fill="#5EAFCE" sketch:type="MSShapeGroup"/>
<path d="M13.0275,13.05 L21.6225,11.6775 L22.005,8.28 L13.0275,13.05 Z" fill="#045972" sketch:type="MSShapeGroup"/>
<path d="M12.105,5.085 L19.575,9.585 L22.005,8.28 L22.0725,7.8075 L12.105,5.085 Z" fill="#5A8591" sketch:type="MSShapeGroup"/>
<path d="M13.5675,0.18 L20.3625,7.335 L22.0725,7.8075 L22.3425,5.4 L13.5675,0.18 Z" fill="#009EC6" sketch:type="MSShapeGroup"/>
<path d="M17.37,22.0725 L23.4,18.2475 L23.76,22.725 L17.37,22.0725 Z" fill="#F39804" sketch:type="MSShapeGroup"/>
</g>
</g>
</g>
</svg>

Before

Width:  |  Height:  |  Size: 3.0 KiB


@ -12,7 +12,6 @@ entries:
audience: https://{{ env "KIMAI_DOMAIN" }}/auth/saml audience: https://{{ env "KIMAI_DOMAIN" }}/auth/saml
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]] authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256 digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
issuer: https://{{ env "DOMAIN" }} issuer: https://{{ env "DOMAIN" }}
name: Kimai name: Kimai
@ -25,7 +24,6 @@ entries:
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Groups"]] - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Groups"]]
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: UPN"]] - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: UPN"]]
session_valid_not_on_or_after: minutes=86400 session_valid_not_on_or_after: minutes=86400
sign_assertion: true
signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]] signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
sp_binding: post sp_binding: post
@ -37,7 +35,7 @@ entries:
state: present state: present
- attrs: - attrs:
meta_launch_url: https://{{ env "KIMAI_DOMAIN" }}/auth/saml/login meta_launch_url: https://{{ env "KIMAI_DOMAIN" }}
open_in_new_tab: true open_in_new_tab: true
policy_engine_mode: any policy_engine_mode: any
provider: !KeyOf kimai_provider provider: !KeyOf kimai_provider
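Review bot: In the second hunk the Kimai SAML provider no longer sets `sign_assertion: true`, while `signing_kp` and `signature_algorithm` stay in place, so whether assertions are actually signed now depends on the field's default in the targeted authentik version. If that default is off, the service provider would receive unsigned assertions without any visible change in this file. I would keep `sign_assertion: true` explicit if the target version accepts the field, and otherwise add a comment above `signing_kp` such as `# assertion signing relies on the provider default; verify after deploy`. The provider entry begins before the hunk.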


@ -8,17 +8,12 @@ entries:
- attrs: - attrs:
access_code_validity: minutes=1 access_code_validity: minutes=1
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_id: {{ secret "matrix_id" }} client_id: {{ secret "matrix_id" }}
client_secret: {{ secret "matrix_secret" }} client_secret: {{ secret "matrix_secret" }}
client_type: confidential client_type: confidential
include_claims_in_id_token: true include_claims_in_id_token: true
issuer_mode: per_provider issuer_mode: per_provider
redirect_uris:
- matching_mode: strict
url: https://{{ env "MATRIX_DOMAIN" }}/_synapse/client/oidc/callback
name: Matrix name: Matrix
property_mappings: property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
@ -39,10 +34,10 @@ entries:
open_in_new_tab: true open_in_new_tab: true
policy_engine_mode: any policy_engine_mode: any
provider: !KeyOf matrix_provider provider: !KeyOf matrix_provider
name: Element slug: matrix
conditions: [] conditions: []
id: matrix_application id: matrix_application
identifiers: identifiers:
slug: matrix name: Matrix
model: authentik_core.application model: authentik_core.application
state: present state: present


@ -8,17 +8,12 @@ entries:
- attrs: - attrs:
access_code_validity: minutes=1 access_code_validity: minutes=1
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_id: {{ secret "monitoring_id" }} client_id: {{ secret "monitoring_id" }}
client_secret: {{ secret "monitoring_secret" }} client_secret: {{ secret "monitoring_secret" }}
client_type: confidential client_type: confidential
include_claims_in_id_token: true include_claims_in_id_token: true
issuer_mode: per_provider issuer_mode: per_provider
redirect_uris:
- matching_mode: strict
url: https://{{ env "MONITORING_DOMAIN" }}/login/generic_oauth
name: Monitoring name: Monitoring
property_mappings: property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
@ -30,7 +25,7 @@ entries:
conditions: [] conditions: []
id: monitoring_provider id: monitoring_provider
identifiers: identifiers:
pk: 9990 pk: 9994
model: authentik_providers_oauth2.oauth2provider model: authentik_providers_oauth2.oauth2provider
state: present state: present


@ -20,17 +20,12 @@ entries:
- attrs: - attrs:
access_code_validity: minutes=1 access_code_validity: minutes=1
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_id: {{ secret "nextcloud_id" }} client_id: {{ secret "nextcloud_id" }}
client_secret: {{ secret "nextcloud_secret" }} client_secret: {{ secret "nextcloud_secret" }}
client_type: confidential client_type: confidential
include_claims_in_id_token: true include_claims_in_id_token: true
issuer_mode: per_provider issuer_mode: per_provider
redirect_uris:
- matching_mode: strict
url: https://{{ env "NEXTCLOUD_DOMAIN" }}/apps/sociallogin/custom_oidc/authentik
name: Nextcloud name: Nextcloud
property_mappings: property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]


@ -8,17 +8,12 @@ entries:
- attrs: - attrs:
access_code_validity: minutes=1 access_code_validity: minutes=1
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_id: {{ secret "outline_id" }} client_id: {{ secret "outline_id" }}
client_secret: {{ secret "outline_secret" }} client_secret: {{ secret "outline_secret" }}
client_type: confidential client_type: confidential
include_claims_in_id_token: true include_claims_in_id_token: true
issuer_mode: per_provider issuer_mode: per_provider
redirect_uris:
- matching_mode: strict
url: https://{{ env "OUTLINE_DOMAIN" }}/auth/oidc.callback
name: Outline name: Outline
property_mappings: property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
@ -35,7 +30,7 @@ entries:
state: present state: present
- attrs: - attrs:
meta_launch_url: https://{{ env "OUTLINE_DOMAIN" }}/auth/oidc meta_launch_url: https://{{ env "OUTLINE_DOMAIN" }}
open_in_new_tab: true open_in_new_tab: true
policy_engine_mode: any policy_engine_mode: any
provider: !KeyOf outline_provider provider: !KeyOf outline_provider


@ -1,34 +0,0 @@
#!/bin/bash
set -e
BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
function backup {
export PGPASSWORD=$(cat /run/secrets/db_password)
pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
}
function restore {
cd /var/lib/postgresql/data/
restore_config(){
# Restore allowed connections
cat pg_hba.conf.bak > pg_hba.conf
su postgres -c 'pg_ctl reload'
}
# Don't allow any other connections than local
cp pg_hba.conf pg_hba.conf.bak
echo "local all all trust" > pg_hba.conf
su postgres -c 'pg_ctl reload'
trap restore_config EXIT INT TERM
# Recreate Database
psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);"
createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
trap - EXIT INT TERM
restore_config
}
$@


@ -8,17 +8,12 @@ entries:
- attrs: - attrs:
access_code_validity: minutes=1 access_code_validity: minutes=1
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_id: {{ secret "rallly_id" }} client_id: {{ secret "rallly_id" }}
client_secret: {{ secret "rallly_secret" }} client_secret: {{ secret "rallly_secret" }}
client_type: confidential client_type: confidential
include_claims_in_id_token: true include_claims_in_id_token: true
issuer_mode: per_provider issuer_mode: per_provider
redirect_uris:
- matching_mode: strict
url: https://{{ env "RALLLY_DOMAIN" }}/api/auth/callback/oidc
name: Rallly name: Rallly
property_mappings: property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]


@ -1 +0,0 @@
Fix Impersonate Bug


@ -1 +0,0 @@
Replaced icon bbb.jpg with icon.png - configs need to be updated when upgrading!


@ -1,3 +0,0 @@
Two critical vulnerabilities were closed:
https://github.com/goauthentik/authentik/security/advisories/GHSA-7jxf-mmg9-9hg7
https://github.com/goauthentik/authentik/security/advisories/GHSA-8gfm-pr6x-pfh9


@ -27,10 +27,7 @@ entries:
- attrs: - attrs:
attributes: attributes:
settings: settings:
locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }} {{ if ne (env "THEME_BACKGROUND") "" }} locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }}
theme:
background: >
background: {{ env "THEME_BACKGROUND" }} {{ end }}
flow_recovery: !Find [authentik_flows.flow, [slug, default-recovery-flow]] flow_recovery: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
identifiers: identifiers:
default: true default: true


@ -8,17 +8,12 @@ entries:
- attrs: - attrs:
access_code_validity: minutes=1 access_code_validity: minutes=1
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_id: {{ secret "vikunja_id" }} client_id: {{ secret "vikunja_id" }}
client_secret: {{ secret "vikunja_secret" }} client_secret: {{ secret "vikunja_secret" }}
client_type: confidential client_type: confidential
include_claims_in_id_token: true include_claims_in_id_token: true
issuer_mode: per_provider issuer_mode: per_provider
redirect_uris:
- matching_mode: strict
url: https://{{ env "VIKUNJA_DOMAIN" }}/auth/openid/authentik
name: Vikunja name: Vikunja
property_mappings: property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]


@ -25,17 +25,12 @@ entries:
- attrs: - attrs:
access_code_validity: minutes=1 access_code_validity: minutes=1
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_id: {{ secret "wekan_id" }} client_id: {{ secret "wekan_id" }}
client_secret: {{ secret "wekan_secret" }} client_secret: {{ secret "wekan_secret" }}
client_type: confidential client_type: confidential
include_claims_in_id_token: true include_claims_in_id_token: true
issuer_mode: per_provider issuer_mode: per_provider
redirect_uris:
- matching_mode: strict
url: https://{{ env "WEKAN_DOMAIN" }}/_oauth/oidc
name: Wekan name: Wekan
property_mappings: property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]


@ -8,17 +8,12 @@ entries:
- attrs: - attrs:
access_code_validity: minutes=1 access_code_validity: minutes=1
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_id: {{ secret "wordpress_id" }} client_id: {{ secret "wordpress_id" }}
client_secret: {{ secret "wordpress_secret" }} client_secret: {{ secret "wordpress_secret" }}
client_type: confidential client_type: confidential
include_claims_in_id_token: true include_claims_in_id_token: true
issuer_mode: per_provider issuer_mode: per_provider
redirect_uris:
- matching_mode: strict
url: https://{{ env "WORDPRESS_DOMAIN" }}/openid-connect-authorize
name: Wordpress name: Wordpress
property_mappings: property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]


@ -1,69 +0,0 @@
version: 1
metadata:
labels:
blueprints.goauthentik.io/instantiate: "true"
name: zammad
entries:
- attrs:
expression: return request.user.name
managed: null
name: 'Zammad SAML Mapping: name'
saml_name: name
conditions: []
identifiers:
name: zammad_name_mapping
id: zammad_name_mapping
model: authentik_providers_saml.samlpropertymapping
state: present
- attrs:
expression: return request.user.email
managed: null
name: 'Zammad SAML Mapping: email'
saml_name: email
conditions: []
identifiers:
name: zammad_email_mapping
id: zammad_email_mapping
model: authentik_providers_saml.samlpropertymapping
state: present
- attrs:
acs_url: https://{{ env "ZAMMAD_DOMAIN" }}/auth/saml/callback
assertion_valid_not_before: minutes=-5
assertion_valid_not_on_or_after: minutes=5
audience: https://{{ env "ZAMMAD_DOMAIN" }}/auth/saml/metadata
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
issuer: https://{{ env "ZAMMAD_DOMAIN" }}/auth/saml/metadata
name: zammad
property_mappings:
- !KeyOf zammad_name_mapping
- !KeyOf zammad_email_mapping
session_valid_not_on_or_after: minutes=86400
sign_assertion: true
signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
sp_binding: post
conditions: []
id: zammad_provider
identifiers:
pk: 9989
model: authentik_providers_saml.samlprovider
state: present
- attrs:
meta_launch_url: ""
open_in_new_tab: true
policy_engine_mode: any
provider: !KeyOf zammad_provider
slug: zammad
conditions: []
id: zammad_application
identifiers:
name: Zammad
model: authentik_core.application
state: present