chore: publish 9.0.0+2025.8.1 release

Reviewed-on: #15
Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>

.drone.yml

@@ -47,7 +47,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - coop-cloud/auto-recipes-catalogue-json
+        - toolshed/auto-recipes-catalogue-json
 
 trigger:
   event: tag

.env.sample

@@ -9,9 +9,14 @@ ENABLE_BACKUPS=true
 DOMAIN=authentik.example.com
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.authentik.example.com`'
+# Redirects
+# All redirect domains have to be added to extra_domains as well)
+# multiple redirects can be added by seperating them with a | character
+#REDIRECTS=www.authentik.example.com
 COMPOSE_FILE="compose.yml"
 AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME=false
 AUTHENTIK_LOG_LEVEL=info
+# AUTHENTIK_DISABLE_UPDATE_CHECK=false
 # AUTHENTIK_IMPERSONATION=true
 # AUTHENTIK_FOOTER_LINKS='[{"name": "My Organization","href":"https://example.com"}]'
 # WORKERS=1
@@ -49,21 +54,37 @@ SECRET_EMAIL_PASS_VERSION=v1
 # EMAIL_SUBJECT="Account Recovery"
 # EMAIL_TOKEN_EXPIRY_MINUTES=30
 
+## assets
 COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
 COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/"
 COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 
+# store custom CSS in a css-volume
+#COMPOSE_FILE="$COMPOSE_FILE:compose.css-volume.yml"
+# NOTE: this causes the authentik container to run as `root` initially; it uses `su` to drop privileges but technically could introduce a security risk. proceed with caution!
+
 # Default CSS customisation
 # COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
 # BACKGROUND_FONT_COLOR=white
 # BACKGROUND_BOX_COLOR='#eaeaeacf'
 # THEME_BACKGROUND="url('https://authentik.example.com/static/dist/assets/images/flow_background.jpg'); background-position: center; background-repeat: no-repeat; background-size: cover;"
 
+# Group Name Variables to cluster Applications
+# GROUP_SUPPORT=Support
+# GROUP_HELP=Help
+# GROUP_ORGANISATION=Organisation
+# GROUP_COMMUNICATION=Communication
+# GROUP_COLLABORATION=Collaboration
+# GROUP_DOCUMENTATION=Documentation
+# GROUP_DEVELOPMENT=Development
+# GROUP_INFRASTRUCTURE=Infrastructure
+
 # COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
 # NEXTCLOUD_DOMAIN=nextcloud.example.com
 # SECRET_NEXTCLOUD_ID_VERSION=v1
 # SECRET_NEXTCLOUD_SECRET_VERSION=v1
 # APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"
+# NEXTCLOUD_APPGROUP="$GROUP_ORGANISATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.wordpress.yml"
 # WORDPRESS_DOMAIN=wordpress.example.com
@@ -71,6 +92,7 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 # SECRET_WORDPRESS_ID_VERSION=v1
 # SECRET_WORDPRESS_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS wordpress:~/.abra/recipes/authentik/icons/wordpress.png"
+# WORDPRESS_APPGROUP="$GROUP_DEVELOPMENT"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
 # ELEMENT_DOMAIN=element-web.example.com
@@ -78,53 +100,61 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 # SECRET_MATRIX_ID_VERSION=v1
 # SECRET_MATRIX_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS matrix:~/.abra/recipes/authentik/icons/matrix.svg"
+# MATRIX_APPGROUP="$GROUP_COMMUNICATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.wekan.yml"
 # WEKAN_DOMAIN=wekan.example.com
 # SECRET_WEKAN_ID_VERSION=v1
 # SECRET_WEKAN_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS wekan:~/.abra/recipes/authentik/icons/wekan.png"
+# WEKAN_APPGROUP="$GROUP_ORGANISATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.vikunja.yml"
 # VIKUNJA_DOMAIN=vikunja.example.com
 # SECRET_VIKUNJA_ID_VERSION=v1
 # SECRET_VIKUNJA_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS vikunja:~/.abra/recipes/authentik/icons/vikunja.svg"
+# VIKUNJA_APPGROUP="$GROUP_ORGANISATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.outline.yml"
 # OUTLINE_DOMAIN=outline.example.com
 # SECRET_OUTLINE_ID_VERSION=v1
 # SECRET_OUTLINE_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS outline:~/.abra/recipes/authentik/icons/outline.png"
+# OUTLINE_APPGROUP="$GROUP_DOCUMENTATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.kimai.yml"
 # KIMAI_DOMAIN=kimai.example.com
 # SECRET_KIMAI_ID_VERSION=v1
 # SECRET_KIMAI_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS kimai:~/.abra/recipes/authentik/icons/kimai_logo.png"
+# KIMAI_APPGROUP="$GROUP_ORGANISATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.zammad.yml"
 # ZAMMAD_DOMAIN=zammad.example.com
 # APP_ICONS="$APP_ICONS zammad:~/.abra/recipes/authentik/icons/zammad.svg"
+# ZAMMAD_APPGROUP="$GROUP_SUPPORT"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml"
 # MONITORING_DOMAIN=monitoring.example.com
 # SECRET_MONITORING_ID_VERSION=v1
 # SECRET_MONITORING_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.svg"
+# MONITORING_APPGROUP="$GROUP_INFRASTRUCTURE"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.rallly.yml"
 # RALLLY_DOMAIN=rallly.example.com
 # SECRET_RALLLY_ID_VERSION=v1
 # SECRET_RALLLY_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS rallly:~/.abra/recipes/authentik/icons/rallly.png"
+# RALLLY_APPGROUP="$GROUP_ORGANISATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.hedgedoc.yml"
 # HEDGEDOC_DOMAIN=hedgedoc.example.com
 # SECRET_HEDGEDOC_ID_VERSION=v1
 # SECRET_HEDGEDOC_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS hedgedoc:~/.abra/recipes/authentik/icons/hedgedoc.png"
+# HEDGEDOC_APPGROUP="$GROUP_DOCUMENTATION"
 
-# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/"}'
-# APP_ICONS="$APP_ICONS Calendar:~/.abra/recipes/authentik/icons/calendar.svg"
-# APP_ICONS="$APP_ICONS BBB:~/.abra/recipes/authentik/icons/bbb.png"
+# APPLICATIONS='{"Calendar": {"url":"https://nextcloud.example.com/apps/calendar/", "group": ""}, "BBB": {"url":"https://nextcloud.example.com/apps/bbb/", "group":""}, "Pretix": {"url":"https://pretix.example.com/control/", "group":""}}'
+# EXTRA_ICONS={"Calendar": "~/.abra/recipes/authentik/icons/calendar.svg", "BBB": "~/.abra/recipes/authentik/icons/bbb.png", "Pretix": "~/.abra/recipes/authentik/icons/pretix.svg"}

README.md

@@ -52,6 +52,16 @@ APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"
 
 Set the nextcloud Icon using `abra app cmd -l -d <app_name> set_icons`
 
+Generate OAuth client id and secret using `abra app secret generate <app_name> -a` (all secrets) or individually:
+- `abra app secret generate <app_name> nextcloud_id`
+- `abra app secret generate <app_name> nextcloud_secret`
+
+Add the id and secret to nextcloud as secrets with:
+- `abra app secret insert <nextcloud_app_name> authentik_id v1 <id>`
+- `abra app secret insert <nextcloud_app_name> authentik_secret v1 <secret>`
+
+Redeploy Authentik to enable the nextcloud client.
+
 The configuration inside Nextcloud can be found in the [nextcloud recipe](https://git.coopcloud.tech/coop-cloud/nextcloud#authentik-integration)
 
 ## Add LDAP outpost
@@ -95,6 +105,25 @@ Run this command after every deploy/upgrade:
 
 `abra app command --local <app-name> customize <assets_path>`
 
+## Custom CSS
+
+Uncomment the following env:
+
+```
+COMPOSE_FILE="$COMPOSE_FILE:compose.css-volume.yml"
+```
+
+Redeploy the app:
+```
+abra app deploy -f <app_name>
+```
+
+Copy the CSS and restart the container:
+```
+abra app cp <app_name> my_custom.css app:/web/dist/assets/custom.css
+abra app restart <app_name> app
+```
+
 ## Email templates
 
 Add custom [email templates](https://goauthentik.io/docs/flow/stages/email/#custom-templates):
@@ -105,15 +134,15 @@ Add custom [email templates](https://goauthentik.io/docs/flow/stages/email/#cust
 
 These blueprints overwrite default blueprint values:
 
-- flow_translation.yaml
-- flow_authentication.yaml
+- `flow_translation.yaml`
+- `flow_authentication.yaml`
 
 The following default blueprints will be overwritten by customizations:
 
-- flow-password-change.yaml
-- flow-default-authentication-flow.yaml
-- flow-default-user-settings-flow.yaml
-- flow-default-source-enrollment.yaml
+- `flow-password-change.yaml`
+- `flow-default-authentication-flow.yaml`
+- `flow-default-user-settings-flow.yaml`
+- `flow-default-source-enrollment.yaml`
 
 The `abra.sh` function `apply_blueprints` needs to be executed to deactivate these blueprints to ensure that the customizations won't be overwritten. It will further execute flow_translation.yaml and flow_authentication.yaml again.
 

abra.sh

@@ -2,22 +2,23 @@ export CUSTOM_CSS_VERSION=v3
 export FLOW_AUTHENTICATION_VERSION=v4
 export FLOW_INVITATION_VERSION=v2
 export FLOW_INVALIDATION_VERSION=v2
-export FLOW_RECOVERY_VERSION=v1
+export FLOW_RECOVERY_VERSION=v2
 export FLOW_TRANSLATION_VERSION=v3
 export SYSTEM_BRAND_VERSION=v4
-export NEXTCLOUD_CONFIG_VERSION=v2
-export WORDPRESS_CONFIG_VERSION=v3
-export MATRIX_CONFIG_VERSION=v2
-export WEKAN_CONFIG_VERSION=v4
-export VIKUNJA_CONFIG_VERSION=v2
-export OUTLINE_CONFIG_VERSION=v3
-export KIMAI_CONFIG_VERSION=v2
-export ZAMMAD_CONFIG_VERSION=v3
-export RALLLY_CONFIG_VERSION=v3
-export HEDGEDOC_CONFIG_VERSION=v2
-export MONITORING_CONFIG_VERSION=v3
+export NEXTCLOUD_CONFIG_VERSION=v3
+export WORDPRESS_CONFIG_VERSION=v4
+export MATRIX_CONFIG_VERSION=v3
+export WEKAN_CONFIG_VERSION=v5
+export VIKUNJA_CONFIG_VERSION=v3
+export OUTLINE_CONFIG_VERSION=v4
+export KIMAI_CONFIG_VERSION=v3
+export ZAMMAD_CONFIG_VERSION=v4
+export RALLLY_CONFIG_VERSION=v4
+export HEDGEDOC_CONFIG_VERSION=v3
+export MONITORING_CONFIG_VERSION=v4
 export DB_ENTRYPOINT_VERSION=v1
 export PG_BACKUP_VERSION=v2
+export ENTRYPOINT_CSS_VERSION=v1
 
 customize() {
     if [ -z "$1" ]
@@ -34,6 +35,15 @@ customize() {
     done
 }
 
+shell(){
+    if [ -z "$1" ]
+    then
+            echo "Usage: ... shell <python code>"
+            exit 1
+    fi
+    ak shell -c "$1" 2>&1 | quieten
+}
+
 import_user() {
     if [ -z "$1" ]
     then
@@ -78,6 +88,16 @@ set_admin_pass() {
 password=$(cat /run/secrets/admin_pass)
 token=$(cat /run/secrets/admin_token)
 /manage.py shell -c """
+import time
+i = 0
+while (not User.objects.filter(username='akadmin')):
+    print('Waiting for akadmin to be created...')
+    time.sleep(10)
+    i += 1
+    if i > 6:
+        print('Failed to find admin user!')
+        exit()
+
 akadmin = User.objects.get(username='akadmin')
 akadmin.set_password('$password')
 akadmin.save()
@@ -157,25 +177,51 @@ print(f'{blueprint.name} enabled: {blueprint.enabled}')
 
 }
 
+# This function adds each application with its name, slug and group if passed
 add_applications(){
+export APPLICATIONS
 /manage.py shell -c """
 import json
-if '$APPLICATIONS' == '':
+import os
+if os.environ['APPLICATIONS'] == '':
     exit()
-applications = json.loads('$APPLICATIONS')
-for name, url in applications.items():
-    print(f'Add {name}: {url}')
+applications = json.loads(os.environ['APPLICATIONS'])
+for name, details in applications.items():
+    url = details['url']
     app = Application.objects.filter(name=name).first()
     if not app:
         app = Application()
     app.name = name
     app.slug = name.replace(' ', '-')
     app.meta_launch_url = url
+    group = details['group']
+    if group:
+        app.group = group
+        print(f'Add {name}: {url} in group: {group}')
+    else:
+        print(f'Add {name}: {url}')
     app.open_in_new_tab = True
     app.save()
 """ 2>&1 | quieten
 }
 
+## This function is for renaming apps - usage: rename "old name" "new name"
+rename() {
+/manage.py shell -c """
+old_name = '$1'
+new_name = '$2' if '$2' else old_name
+
+app = Application.objects.filter(name=old_name).first()
+if app:
+    app.name = new_name
+    app.save()
+    print(f'Renamed application from {old_name} to {new_name}')
+else:
+    print(f'No application found with name: {old_name}')
+""" 2>&1 | quieten
+}
+
+
 
 quieten(){
     # 'SyntaxWarning|version_regex|"http\['
@@ -191,6 +237,10 @@ done
 }
 
 set_icons(){
+if [ -n "$1" ]
+then
+APP_ICONS="$1"
+fi
 for icon in $APP_ICONS; do
     app=$(echo $icon | cut -d ":" -f1)
     file_path=$(eval echo $(echo $icon | cut -d ":" -f2))
@@ -201,6 +251,22 @@ for icon in $APP_ICONS; do
 done
 }
 
+set_extra_icons(){
+    if [ -z "$EXTRA_ICONS" ]
+    then
+        echo "Variable EXTRA_ICONS is not set"
+        exit 1
+    fi
+    export EXTRA_ICONS
+    icon_key_values=$(python3 -c "
+import json
+import os
+for key, value in json.loads(os.environ['EXTRA_ICONS']).items():
+    print(f'{key}:{value}')
+")
+    set_icons "$icon_key_values"
+}
+
 set_app_icon() {
 TOKEN=$(cat /run/secrets/admin_token)
 python -c """

compose.css-volume.yml

@@ -0,0 +1,16 @@
+---
+version: "3.8"
+
+services:
+  app:
+    user: root
+    entrypoint: /docker-entrypoint.sh
+    configs:
+      - source: entrypoint_css
+        target: /docker-entrypoint.sh
+        mode: 0555
+
+configs:
+  entrypoint_css:
+    name: ${STACK_NAME}_entrypoint_css_${ENTRYPOINT_CSS_VERSION}
+    file: entrypoint-css-volume.sh

compose.matrix.yml

@@ -3,7 +3,7 @@ services:
   app:
     deploy:
       labels:
-        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect-matrix-well-known"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions,${STACK_NAME}-redirect,${STACK_NAME}-redirect-matrix-well-known"
         - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.regex=^https://(.*)/.well-known/matrix/(.*)"
         - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.replacement=https://${MATRIX_DOMAIN}/.well-known/matrix/$$2"
   worker:
@@ -12,6 +12,7 @@ services:
       - matrix_secret
     environment:
       - ELEMENT_DOMAIN
+      - MATRIX_DOMAIN
     configs:
       - source: matrix
         target: /blueprints/matrix.yaml

compose.outposts.ldap.yml

@@ -1,7 +1,7 @@
 version: "3.8"
 services:
   authentik_ldap:
-      image: ghcr.io/goauthentik/ldap:2024.10.5
+      image: ghcr.io/goauthentik/ldap:2025.8.1
       # Optionally specify which networks the container should be
       # might be needed to reach the core authentik server
       networks:

compose.yml

@@ -17,6 +17,7 @@ x-env: &env
     - AUTHENTIK_EMAIL__TIMEOUT
     - AUTHENTIK_EMAIL__FROM
     - AUTHENTIK_LOG_LEVEL
+    - AUTHENTIK_DISABLE_UPDATE_CHECK
     - BACKGROUND_FONT_COLOR=${BACKGROUND_FONT_COLOR:-white}
     - BACKGROUND_BOX_COLOR=${BACKGROUND_BOX_COLOR:-#eaeaeacf}
     - AUTHENTIK_FOOTER_LINKS
@@ -34,7 +35,7 @@ x-env: &env
 version: '3.8'
 services:
   app:
-    image: ghcr.io/goauthentik/server:2024.10.5
+    image: ghcr.io/goauthentik/server:2025.8.1
     command: server
     depends_on:
       - db
@@ -67,16 +68,17 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions,${STACK_NAME}-redirect"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=6.11.0+2024.10.5"
+        - "coop-cloud.${STACK_NAME}.version=9.0.0+2025.8.1"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.regex=^https://(${REDIRECTS})/(.*)"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.replacement=https://${DOMAIN}/$${2}"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.permanent=true"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
 
   worker:
-    image: ghcr.io/goauthentik/server:2024.10.5
+    image: ghcr.io/goauthentik/server:2025.8.1
     command: worker
     depends_on:
       - db
@@ -117,7 +119,7 @@ services:
       start_period: 5m
 
   db:
-    image: postgres:15.8
+    image: postgres:15.13
     secrets:
       - db_password
     configs:
@@ -152,7 +154,7 @@ services:
           backupbot.restore.post-hook: '/pg_backup.sh restore'
 
   redis:
-    image:  redis:7.4.1-alpine
+    image:  redis:8.2.1-alpine
     command: --save 60 1 --loglevel warning
     networks:
       - internal

entrypoint-css-volume.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+cp -f /web/dist/assets/custom.css /web/dist/custom.css
+
+su $(id -un 1000) -s /bin/bash -c 'dumb-init -- ak server'

flow_recovery.yaml.tmpl

@@ -4,7 +4,7 @@ metadata:
     blueprints.goauthentik.io/instantiate: "true"
   name: Recovery with email verification
 context:
-  token_expiry: {{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }} 30 {{ else }} {{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }} {{ end }}
+  token_expiry: minutes={{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }}30{{ else }}{{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }}{{ end }}
   subject: {{ if eq (env "EMAIL_SUBJECT") "" }} Account Recovery {{ else }} {{ env "EMAIL_SUBJECT" }} {{ end }} 
 entries:
 ### DEPENDENCIES

hedgedoc.yaml.tmpl

@@ -16,6 +16,9 @@ entries:
     client_type: confidential
     include_claims_in_id_token: true
     issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "HEDGEDOC_DOMAIN" }}/auth/oauth2/callback
     name: Hedgedoc
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
@@ -32,7 +35,7 @@ entries:
   state: present
 
 - attrs:
-    meta_launch_url: https://{{ env  "HEDGEDOC_DOMAIN" }}
+    meta_launch_url: https://{{ env  "HEDGEDOC_DOMAIN" }}/auth/oauth2
     open_in_new_tab: true
     policy_engine_mode: any
     provider: !KeyOf hedgedoc_provider

icons/help.svg

@@ -0,0 +1,10 @@
+<svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_1735_3439)">
+<path d="M12 18.0093V12.7593M12 12.7593C12.5179 12.7593 13.0206 12.6937 13.5 12.5703M12 12.7593C11.4821 12.7593 10.9794 12.6937 10.5 12.5703M14.25 20.0487C13.5212 20.187 12.769 20.2593 12 20.2593C11.231 20.2593 10.4788 20.187 9.75 20.0487M13.5 22.4313C13.007 22.4828 12.5066 22.5093 12 22.5093C11.4934 22.5093 10.993 22.4828 10.5 22.4313M14.25 18.0093V17.8176C14.25 16.8347 14.9083 15.9943 15.7585 15.501C17.9955 14.203 19.5 11.7818 19.5 9.00928C19.5 4.86714 16.1421 1.50928 12 1.50928C7.85786 1.50928 4.5 4.86714 4.5 9.00928C4.5 11.7818 6.00446 14.203 8.24155 15.501C9.09173 15.9943 9.75 16.8347 9.75 17.8176V18.0093" stroke="#0F172A" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
+</g>
+<defs>
+<clipPath id="clip0_1735_3439">
+<rect width="24" height="24" fill="white" transform="translate(0 0.00927734)"/>
+</clipPath>
+</defs>
+</svg>

icons/pretix.svg

@@ -0,0 +1 @@
+<?xml version="1.0" encoding="UTF-8"?><svg id="Ebene_1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 128 128"><defs><style>.cls-1{fill:#3b1c4a;}</style></defs><path class="cls-1" d="m50.67,56.95c-.72.1-1.22.3-1.66.5l2.38,16.91c.41.08.95.13,1.6.04,3.52-.5,4.61-3.64,3.81-9.39-.83-5.87-2.53-8.56-6.12-8.06Z"/><path class="cls-1" d="m116.04,35.05c.71-.17,1.16-.76,1.06-1.48L112.54,1.13c-.1-.72-.77-1.22-1.49-1.12l-37.5,5.27.73,5.22c.16,1.12-.62,2.15-1.74,2.31s-2.15-.62-2.31-1.74l-.73-5.22L1.13,15.46c-.72.1-1.22.77-1.12,1.49l4.56,32.44c.1.72.7,1.17,1.42,1.13,11.25-.92,21.43,7.1,23.03,18.46,1.6,11.36-5.99,21.81-17.07,23.96-.71.17-1.16.76-1.06,1.48l4.56,32.44c.1.72.77,1.22,1.49,1.12l68.37-9.61-.73-5.22c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l.73,5.22,37.5-5.27c.72-.1,1.22-.77,1.12-1.49l-4.56-32.44c-.1-.72-.7-1.17-1.42-1.13-11.25.92-21.42-7.04-23.02-18.4-1.6-11.36,5.98-21.87,17.06-24.03Zm-59.84,44.75c-1.76.25-3.29.26-4.04.17l1.59,11.29-9.92,1.39-5.3-37.73c2.5-1.62,5.96-3.03,11.38-3.8,8.68-1.22,15.27,2.58,16.66,12.44,1.25,8.88-3.12,15.21-10.36,16.23Zm30.73,20.71c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31,1.12-.16,2.15.62,2.31,1.74l1.47,10.44Zm-3.16-22.45c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l1.47,10.44Z"/></svg>

icons/support.svg

@@ -0,0 +1,3 @@
+<svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M9.87891 7.51884C11.0505 6.49372 12.95 6.49372 14.1215 7.51884C15.2931 8.54397 15.2931 10.206 14.1215 11.2312C13.9176 11.4096 13.6917 11.5569 13.4513 11.6733C12.7056 12.0341 12.0002 12.6716 12.0002 13.5V14.25M21 12C21 16.9706 16.9706 21 12 21C7.02944 21 3 16.9706 3 12C3 7.02944 7.02944 3 12 3C16.9706 3 21 7.02944 21 12ZM12 17.25H12.0075V17.2575H12V17.25Z" stroke="#0F172A" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
+</svg>

kimai.yaml.tmpl

@@ -37,7 +37,7 @@ entries:
   state: present
 
 - attrs:
-    meta_launch_url: https://{{ env  "KIMAI_DOMAIN" }}
+    meta_launch_url: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml/login
     open_in_new_tab: true
     policy_engine_mode: any
     provider: !KeyOf kimai_provider

matrix.yaml.tmpl

@@ -16,6 +16,9 @@ entries:
     client_type: confidential
     include_claims_in_id_token: true
     issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "MATRIX_DOMAIN" }}/_synapse/client/oidc/callback
     name: Matrix
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
@@ -36,10 +39,10 @@ entries:
     open_in_new_tab: true
     policy_engine_mode: any
     provider: !KeyOf matrix_provider
-    slug: matrix
+    name: Element
   conditions: []
   id: matrix_application
   identifiers:
-    name: Matrix
+    slug: matrix
   model: authentik_core.application
   state: present

monitoring.yaml.tmpl

@@ -16,6 +16,9 @@ entries:
     client_type: confidential
     include_claims_in_id_token: true
     issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "MONITORING_DOMAIN" }}/login/generic_oauth
     name: Monitoring
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]

nextcloud.yaml.tmpl

@@ -28,6 +28,9 @@ entries:
     client_type: confidential
     include_claims_in_id_token: true
     issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "NEXTCLOUD_DOMAIN" }}/apps/sociallogin/custom_oidc/authentik
     name: Nextcloud
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]

outline.yaml.tmpl

@@ -16,6 +16,9 @@ entries:
     client_type: confidential
     include_claims_in_id_token: true
     issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "OUTLINE_DOMAIN" }}/auth/oidc.callback
     name: Outline
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
@@ -32,7 +35,7 @@ entries:
   state: present
 
 - attrs:
-    meta_launch_url: https://{{ env  "OUTLINE_DOMAIN" }}
+    meta_launch_url: https://{{ env  "OUTLINE_DOMAIN" }}/auth/oidc
     open_in_new_tab: true
     policy_engine_mode: any
     provider: !KeyOf outline_provider

rallly.yaml.tmpl

@@ -16,6 +16,9 @@ entries:
     client_type: confidential
     include_claims_in_id_token: true
     issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "RALLLY_DOMAIN" }}/api/auth/callback/oidc
     name: Rallly
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]

release/7.4.0+2025.6.3

@@ -0,0 +1,3 @@
+Adds following new envs: 
+  REDIRECTS
+  AUTHENTIK_DISABLE_UPDATE_CHECK

release/9.0.0+2025.8.1

@@ -0,0 +1,4 @@
+Update of config neccessary!
+Changed structure of APPLICATION env to:
+    appname: {"url":"http...", "group":"groupname"}
+Adds various new group envs to support application grouping

vikunja.yaml.tmpl

@@ -16,6 +16,9 @@ entries:
     client_type: confidential
     include_claims_in_id_token: true
     issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "VIKUNJA_DOMAIN" }}/auth/openid/authentik
     name: Vikunja
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]

wekan.yaml.tmpl

@@ -33,6 +33,9 @@ entries:
     client_type: confidential
     include_claims_in_id_token: true
     issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "WEKAN_DOMAIN" }}/_oauth/oidc
     name: Wekan
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]

wordpress.yaml.tmpl

@@ -16,6 +16,9 @@ entries:
     client_type: confidential
     include_claims_in_id_token: true
     issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "WORDPRESS_DOMAIN" }}/openid-connect-authorize
     name: Wordpress
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]