WIP delete user policy

.drone.yml

@@ -31,7 +31,6 @@ steps:
       SECRET_ADMIN_PASS_VERSION: v1
       SECRET_EMAIL_PASS_VERSION: v1
       DB_ENTRYPOINT_VERSION: v1
-      PG_BACKUP_VERSION: v2
 trigger:
   branch:
     - main

.env.sample

@@ -1,10 +1,8 @@
 TYPE=authentik
 TIMEOUT=900
 ENABLE_AUTO_UPDATE=true
-POST_DEPLOY_CMDS="worker set_admin_pass"
+# POST_DEPLOY_CMDS="worker set_admin_pass|worker apply_blueprints|worker add_applications"
-# Example values for post deploy cmds: "worker set_admin_pass|worker apply_blueprints|worker add_applications"
 LETS_ENCRYPT_ENV=production
-ENABLE_BACKUPS=true
 
 DOMAIN=authentik.example.com
 ## Domain aliases
@@ -18,11 +16,6 @@ AUTHENTIK_LOG_LEVEL=info
 
 ## Outpost Integration
 # COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml"
-# COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.ldap.yml"
-# SECRET_LDAP_TOKEN_VERSION=v1
-
-## ADMIN
-AUTHENTIK_BOOTSTRAP_EMAIL=admin@example.com
 
 ## EMAIL
 AUTHENTIK_EMAIL__HOST=smtp
@@ -53,11 +46,11 @@ COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
 COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/"
 COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 
-# Default CSS customisation
+# Default CSS customisation, just background colour
-# COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
+COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
-# BACKGROUND_FONT_COLOR=white
+AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
-# BACKGROUND_BOX_COLOR='#eaeaeacf'
+# Custommise the entire custom CSS file
-# THEME_BACKGROUND="url('https://authentik.example.com/static/dist/assets/images/flow_background.jpg'); background-position: center; background-repeat: no-repeat; background-size: cover;"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
 # NEXTCLOUD_DOMAIN=nextcloud.example.com
@@ -74,7 +67,6 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
 # ELEMENT_DOMAIN=element-web.example.com
-# MATRIX_DOMAIN=matrix-synapse.example.com
 # SECRET_MATRIX_ID_VERSION=v1
 # SECRET_MATRIX_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS matrix:~/.abra/recipes/authentik/icons/matrix.svg"
@@ -101,17 +93,13 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 # KIMAI_DOMAIN=kimai.example.com
 # SECRET_KIMAI_ID_VERSION=v1
 # SECRET_KIMAI_SECRET_VERSION=v1
-# APP_ICONS="$APP_ICONS kimai:~/.abra/recipes/authentik/icons/kimai_logo.png"
+# APP_ICONS="$APP_ICONS kimai:~/.abra/recipes/authentik/icons/kimai.png"
-
-# COMPOSE_FILE="$COMPOSE_FILE:compose.zammad.yml"
-# ZAMMAD_DOMAIN=zammad.example.com
-# APP_ICONS="$APP_ICONS zammad:~/.abra/recipes/authentik/icons/zammad.svg"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml"
 # MONITORING_DOMAIN=monitoring.example.com
 # SECRET_MONITORING_ID_VERSION=v1
 # SECRET_MONITORING_SECRET_VERSION=v1
-# APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.svg"
+# APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.png"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.rallly.yml"
 # RALLLY_DOMAIN=rallly.example.com
@@ -127,4 +115,4 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 
 # APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/"}'
 # APP_ICONS="$APP_ICONS Calendar:~/.abra/recipes/authentik/icons/calendar.svg"
-# APP_ICONS="$APP_ICONS BBB:~/.abra/recipes/authentik/icons/bbb.png"
+# APP_ICONS="$APP_ICONS BBB:~/.abra/recipes/authentik/icons/bbb.jpg"

README.md

@@ -54,14 +54,6 @@ Set the nextcloud Icon using `abra app cmd -l -d <app_name> set_icons`
 
 The configuration inside Nextcloud can be found in the [nextcloud recipe](https://git.coopcloud.tech/coop-cloud/nextcloud#authentik-integration)
 
-## Add LDAP outpost
-
-- Follow [this official guide](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap/generic_setup) and skip the LDAP Flow as we don't need it.
-- Copy token under `Applications` -> `Outposts` `-> `View Deployment Info` 
-- Comment in envs for compose.outposts.ldap.yaml and secret version
-- Insert token as secret `abra app secret insert <DOMAIN> ldap_token v1 <TOKEN>`
-- Update deployment -> Outpost should be up and running
-
 ## Import User from CSV
 
 Users can be imported from a CSV file of the following format:

abra.sh

@@ -1,23 +1,21 @@
-export CUSTOM_CSS_VERSION=v3
+export CUSTOM_CSS_VERSION=v2
 export FLOW_AUTHENTICATION_VERSION=v4
 export FLOW_INVITATION_VERSION=v2
 export FLOW_INVALIDATION_VERSION=v2
 export FLOW_RECOVERY_VERSION=v1
 export FLOW_TRANSLATION_VERSION=v3
-export SYSTEM_BRAND_VERSION=v4
+export SYSTEM_BRAND_VERSION=v3
-export NEXTCLOUD_CONFIG_VERSION=v2
+export NEXTCLOUD_CONFIG_VERSION=v1
-export WORDPRESS_CONFIG_VERSION=v3
+export WORDPRESS_CONFIG_VERSION=v2
-export MATRIX_CONFIG_VERSION=v2
+export MATRIX_CONFIG_VERSION=v1
-export WEKAN_CONFIG_VERSION=v4
+export WEKAN_CONFIG_VERSION=v3
-export VIKUNJA_CONFIG_VERSION=v2
+export VIKUNJA_CONFIG_VERSION=v1
-export OUTLINE_CONFIG_VERSION=v3
+export OUTLINE_CONFIG_VERSION=v2
-export KIMAI_CONFIG_VERSION=v2
+export KIMAI_CONFIG_VERSION=v1
-export ZAMMAD_CONFIG_VERSION=v3
+export RALLLY_CONFIG_VERSION=v2
-export RALLLY_CONFIG_VERSION=v3
+export HEDGEDOC_CONFIG_VERSION=v1
-export HEDGEDOC_CONFIG_VERSION=v2
+export MONITORING_CONFIG_VERSION=v1
-export MONITORING_CONFIG_VERSION=v3
 export DB_ENTRYPOINT_VERSION=v1
-export PG_BACKUP_VERSION=v2
 
 customize() {
     if [ -z "$1" ]
@@ -244,9 +242,3 @@ cert = saml.signing_kp
 print(''.join(cert.certificate_data.splitlines()[1:-1]))
 """ 2>&1 | quieten
 }
-
-get_user_uid() {
-/manage.py shell -c """
-print(User.objects.filter(username='$1').first().uid)
-""" 2>&1 | quieten
-}

alaconnect.yml

@@ -17,7 +17,6 @@ matrix-synapse:
     uncomment:
         - compose.matrix.yml
         - ELEMENT_DOMAIN
-        - MATRIX_DOMAIN
         - SECRET_MATRIX_ID_VERSION
         - SECRET_MATRIX_SECRET_VERSION
         - matrix.svg
@@ -41,19 +40,7 @@ vikunja:
         - vikunja.svg
     secrets:
         vikunja_id: vikunja
-kimai:
+monitoring:
-    uncomment:
-        - compose.kimai.yml
-        - KIMAI_DOMAIN
-        - SECRET_KIMAI_ID_VERSION
-        - SECRET_KIMAI_SECRET_VERSION
-        - kimai_logo.png
-zammad:
-    uncomment:
-        - compose.zammad.yml
-        - ZAMMAD_DOMAIN
-        - zammad.svg
-monitoring-ng:
     uncomment:
         - compose.monitoring.yml
         - MONITORING_DOMAIN

compose.matrix.yml

@@ -1,11 +1,5 @@
 version: "3.8"
 services:
-  app:
-    deploy:
-      labels:
-        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect-matrix-well-known"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.regex=^https://(.*)/.well-known/matrix/(.*)"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.replacement=https://${MATRIX_DOMAIN}/.well-known/matrix/$$2"
   worker:
     secrets:
       - matrix_id

compose.outposts.ldap.yml

@@ -1,23 +0,0 @@
-version: "3.8"
-services:
-  authentik_ldap:
-      image: ghcr.io/goauthentik/ldap:2024.10.5
-      # Optionally specify which networks the container should be
-      # might be needed to reach the core authentik server
-      networks:
-        - internal
-        - proxy
-      ports:
-        - 389:3389
-        - 636:6636
-      secrets:
-        - ldap_token
-      environment:
-        - AUTHENTIK_HOST=https://${DOMAIN}
-        - AUTHENTIK_INSECURE=true
-        - AUTHENTIK_TOKEN=file:///run/secrets/ldap_token
-
-secrets:
-  ldap_token:
-    external: true
-    name: ${STACK_NAME}_ldap_token_${SECRET_LDAP_TOKEN_VERSION}

compose.yml

@@ -17,11 +17,10 @@ x-env: &env
     - AUTHENTIK_EMAIL__TIMEOUT
     - AUTHENTIK_EMAIL__FROM
     - AUTHENTIK_LOG_LEVEL
-    - BACKGROUND_FONT_COLOR=${BACKGROUND_FONT_COLOR:-white}
+    - AUTHENTIK_SETTINGS__THEME__BACKGROUND
-    - BACKGROUND_BOX_COLOR=${BACKGROUND_BOX_COLOR:-#eaeaeacf}
+    - AUTHENTIK_COLOR_BACKGROUND_LIGHT
     - AUTHENTIK_FOOTER_LINKS
     - AUTHENTIK_IMPERSONATION
-    - AUTHENTIK_BOOTSTRAP_EMAIL
     - WELCOME_MESSAGE
     - DEFAULT_LANGUAGE
     - EMAIL_SUBJECT
@@ -29,12 +28,11 @@ x-env: &env
     - DOMAIN
     - LOGOUT_REDIRECT
     - APPLICATIONS
-    - THEME_BACKGROUND
 
 version: '3.8'
 services:
   app:
-    image: ghcr.io/goauthentik/server:2024.10.5
+    image: ghcr.io/goauthentik/server:2024.4.2
     command: server
     depends_on:
       - db
@@ -53,13 +51,16 @@ services:
       - internal
       - proxy
     healthcheck:
-      test: "ak healthcheck"
+      test: "bash -c 'printf \"GET / HTTP/1.1\n\n\" > /dev/tcp/127.0.0.1/9000; exit $$?;'"
       interval: 30s
-      timeout: 30s
+      timeout: 10s
       retries: 10
       start_period: 5m
     environment: *env
     deploy:
+      update_config:
+        failure_action: rollback
+        order: start-first
       labels:
         - "traefik.enable=true"
         - "traefik.docker.network=proxy"
@@ -72,11 +73,11 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=6.11.0+2024.10.5"
+        - "coop-cloud.${STACK_NAME}.version=6.1.1+2024.4.2"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
 
   worker:
-    image: ghcr.io/goauthentik/server:2024.10.5
+    image: ghcr.io/goauthentik/server:2024.4.2
     command: worker
     depends_on:
       - db
@@ -91,10 +92,10 @@ services:
       - internal
       - proxy
     volumes:
+      - backups:/backups
       - media:/media
       - /dev/null:/blueprints/default/flow-oobe.yaml
       - templates:/templates
-      - certs:/certs
     configs:
       - source: flow_recovery
         target: /blueprints/1_flow_recovery.yaml
@@ -109,24 +110,15 @@ services:
       - source: flow_invalidation
         target: /blueprints/6_flow_invalidation.yaml
     environment: *env
-    healthcheck:
-      test: "ak healthcheck"
-      interval: 30s
-      timeout: 30s
-      retries: 10
-      start_period: 5m
 
   db:
-    image: postgres:15.8
+    image: postgres:15.7
     secrets:
       - db_password
     configs:
       - source: db_entrypoint
         target: /docker-entrypoint.sh
         mode: 0555
-      - source: pg_backup
-        target: /pg_backup.sh
-        mode: 0555
     entrypoint:
       /docker-entrypoint.sh
     volumes:
@@ -145,15 +137,13 @@ services:
       - POSTGRES_DB=authentik
     deploy:
       labels:
-          backupbot.backup: "${ENABLE_BACKUPS:-true}"
+          backupbot.backup: "true"
-          backupbot.backup.pre-hook: "/pg_backup.sh backup"
+          backupbot.backup.pre-hook: "PGPASSWORD=$$(cat /run/secrets/db_password) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
-          backupbot.backup.volumes.database.path: "backup.sql"
+          backupbot.backup.post-hook: "rm -rf /var/lib/postgresql/data/backup.sql"
-          backupbot.backup.volumes.redis: "false"
+          backupbot.backup.path: "/var/lib/postgresql/data"
-          backupbot.restore.post-hook: '/pg_backup.sh restore'
 
   redis:
-    image:  redis:7.4.1-alpine
+    image:  redis:7.2.4-alpine
-    command: --save 60 1 --loglevel warning
     networks:
       - internal
     healthcheck:
@@ -162,8 +152,6 @@ services:
       timeout: 10s
       retries: 10
       start_period: 1m
-    volumes:
-        - redis:/data
 
 secrets:
   db_password:
@@ -188,9 +176,8 @@ networks:
   internal:
 
 volumes:
+  backups:
   media:
-  certs:
-  redis:
   templates:
   assets:
   database:
@@ -224,6 +211,3 @@ configs:
     name: ${STACK_NAME}_db_entrypoint_${DB_ENTRYPOINT_VERSION}
     file: entrypoint.postgres.sh.tmpl
     template_driver: golang
-  pg_backup:
-    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
-    file: pg_backup.sh

compose.zammad.yml

@@ -1,14 +0,0 @@
-version: "3.8"
-services:
-  worker:
-    environment:
-      - ZAMMAD_DOMAIN
-    configs:
-      - source: zammad
-        target: /blueprints/zammad.yaml
-
-configs:
-  zammad:
-    name: ${STACK_NAME}_zammad_${ZAMMAD_CONFIG_VERSION}
-    file: zammad.yaml.tmpl
-    template_driver: golang

custom.css.tmpl

@@ -1,13 +1,24 @@
 /* my custom css */
 
+
 :root {
-        --pf-global--BackgroundColor--100: {{ env "BACKGROUND_BOX_COLOR" }} !important;
+    --ak-accent: #fd4b2d;
+
+    --ak-dark-foreground: #fafafa;
+    --ak-dark-foreground-darker: #bebebe;
+    --ak-dark-foreground-link: #5a5cb9;
+    --ak-dark-background: #18191a;
+    --ak-dark-background-darker: #000000;
+
+
+    --ak-dark-background-light: {{ env "AUTHENTIK_COLOR_BACKGROUND_LIGHT" }};
+    --ak-dark-background-light-ish: #212427;
+    --ak-dark-background-lighter: #2b2e33;
+
+    --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
+    --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
+    --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
+    --pf-c-background-image--BackgroundImage--sm-2x: var(--ak-flow-background);
+    --pf-c-background-image--BackgroundImage--lg: var(--ak-flow-background);
 }
 
-.pf-c-login__main {
-        background-color: {{ env "BACKGROUND_BOX_COLOR" }};
-}
-
-.pf-c-content h1 {
-        color: {{ env "BACKGROUND_FONT_COLOR" }};
-}

custom_flows.yaml.tmpl

@@ -0,0 +1,405 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Custom - Flows
+context:
+  welcome_message: {{ if eq (env "WELCOME_MESSAGE") "" }} "Welcome to authentik!" {{ else }} {{ env "WELCOME_MESSAGE" }} {{ end }}
+####### Translations ########
+  transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort Zurücksetzen" {{ else }} "Reset your password" {{ end }}
+  transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort" {{ else }} "Password" {{ end }}
+  transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort (wiederholen)" {{ else }} "Password (repeat)" {{ end }}
+  transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Benutzername" {{ else }} "Username" {{ end }}
+  transl_name: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Vor- und Nachname" {{ else }} "Full name" {{ end }}
+
+entries:
+######## Email Recovery Flow ########
+- identifiers:
+    slug: default-recovery-flow
+  id: recovery_flow
+  model: authentik_flows.flow
+  attrs:
+    name: Default recovery flow
+    title: !Context transl_recovery
+    designation: recovery
+
+### PROMPTS
+- identifiers:
+    field_key: password
+  id: prompt-field-password
+  model: authentik_stages_prompt.prompt
+  attrs:
+    label: !Context transl_password
+    type: password
+    required: true
+    placeholder: !Context transl_password
+    order: 30
+    placeholder_expression: false
+- identifiers:
+    field_key: password_repeat
+  id: prompt-field-password-repeat
+  model: authentik_stages_prompt.prompt
+  attrs:
+    label: !Context transl_password_repeat
+    type: password
+    required: true
+    placeholder: !Context transl_password_repeat
+    order: 31
+    placeholder_expression: false
+
+
+### STAGES
+- identifiers:
+    name: default-recovery-email
+  id: default-recovery-email
+  model: authentik_stages_email.emailstage
+  attrs:
+    use_global_settings: true
+    token_expiry: {{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }} 30 {{ else }} {{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }} {{ end }}
+    subject: {{ if eq (env "EMAIL_SUBJECT") "" }} "Account Recovery" {{ else }} "{{ env "EMAIL_SUBJECT" }}" {{ end }} 
+    template: email/password_reset.html
+    activate_user_on_success: true
+- identifiers:
+    name: default-recovery-user-write
+  id: default-recovery-user-write
+  model: authentik_stages_user_write.userwritestage
+- identifiers:
+    name: default-recovery-identification
+  id: default-recovery-identification
+  model: authentik_stages_identification.identificationstage
+  attrs:
+    user_fields:
+      - email
+      - username
+- identifiers:
+    name: default-recovery-user-login
+  id: default-recovery-user-login
+  model: authentik_stages_user_login.userloginstage
+  attrs:
+    session_duration: seconds=0
+- identifiers:
+    name: Change your password
+  id: stage-prompt-password
+  model: authentik_stages_prompt.promptstage
+  attrs:
+    fields:
+      - !KeyOf prompt-field-password
+      - !KeyOf prompt-field-password-repeat
+    validation_policies: []
+
+### STAGE BINDINGS
+- identifiers:
+    target: !KeyOf recovery_flow
+    stage: !KeyOf default-recovery-identification
+    order: 10
+  model: authentik_flows.flowstagebinding
+  id: flow-binding-identification
+  attrs:
+    evaluate_on_plan: true
+    re_evaluate_policies: true
+    policy_engine_mode: any
+    invalid_response_action: retry
+- identifiers:
+    target: !KeyOf recovery_flow
+    stage: !KeyOf default-recovery-email
+    order: 20
+  model: authentik_flows.flowstagebinding
+  id: flow-binding-email
+  attrs:
+    evaluate_on_plan: true
+    re_evaluate_policies: true
+    policy_engine_mode: any
+    invalid_response_action: retry
+- identifiers:
+    target: !KeyOf recovery_flow
+    stage: !KeyOf stage-prompt-password
+    order: 30
+  model: authentik_flows.flowstagebinding
+  attrs:
+    evaluate_on_plan: true
+    re_evaluate_policies: false
+    policy_engine_mode: any
+    invalid_response_action: retry
+- identifiers:
+    target: !KeyOf recovery_flow
+    stage: !KeyOf default-recovery-user-write
+    order: 40
+  model: authentik_flows.flowstagebinding
+  attrs:
+    evaluate_on_plan: true
+    re_evaluate_policies: false
+    policy_engine_mode: any
+    invalid_response_action: retry
+- identifiers:
+    target: !KeyOf recovery_flow
+    stage: !KeyOf default-recovery-user-login
+    order: 100
+  model: authentik_flows.flowstagebinding
+  attrs:
+    evaluate_on_plan: true
+    re_evaluate_policies: false
+    policy_engine_mode: any
+    invalid_response_action: retry
+
+### POLICIES
+## ISSUES with this policy
+## https://github.com/goauthentik/authentik/blob/493cdd5c0f8caaec7a7dd474f1aa131e32fd39c3/blueprints/example/flows-recovery-email-verification.yaml#L37
+## https://github.com/goauthentik/authentik/commit/317e9ec6053742e17ba74fb6aa38dc15aaf6657f#diff-a5c56bb7c60e27dda1b131b3fc2a17e3af6624e7cfaaa2337ec6b077ca489f34
+# - identifiers:
+#     name: default-recovery-skip-if-restored
+#   id: default-recovery-skip-if-restored
+#   model: authentik_policies_expression.expressionpolicy
+#   attrs:
+#     expression: |
+#       return request.context.get('is_restored', False)
+
+### POLICY BINDINGS
+# - identifiers:
+#     policy: !KeyOf default-recovery-skip-if-restored
+#     target: !KeyOf flow-binding-identification
+#     order: 0
+#   model: authentik_policies.policybinding
+#   attrs:
+#     negate: false
+#     enabled: true
+#     timeout: 30
+# - identifiers:
+#     policy: !KeyOf default-recovery-skip-if-restored
+#     target: !KeyOf flow-binding-email
+#     order: 0
+#   model: authentik_policies.policybinding
+#   attrs:
+#     negate: false
+#     enabled: true
+#     timeout: 30
+
+
+
+######## Authentication Flow ########
+- attrs:
+    designation: authentication
+    name: custom-authentication-flow
+    title: !Context welcome_message
+  identifiers:
+    slug: custom-authentication-flow
+  id: authentication_flow
+  model: authentik_flows.flow
+
+### STAGES
+- attrs:
+    backends:
+    - authentik.core.auth.InbuiltBackend
+    - authentik.sources.ldap.auth.LDAPBackend
+    - authentik.core.auth.TokenBackend
+    configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]
+  identifiers:
+    name: custom-authentication-password
+  id: custom-authentication-password
+  model: authentik_stages_password.passwordstage
+
+- identifiers:
+    name: custom-authentication-mfa-validation
+  id: custom-authentication-mfa-validation
+  model: authentik_stages_authenticator_validate.authenticatorvalidatestage
+
+- attrs:
+    password_stage: !KeyOf custom-authentication-password
+    recovery_flow: !KeyOf recovery_flow  # !Find [authentik_flows.flow, [slug, default-recovery-flow]]
+    user_fields:
+    - email
+    - username
+  identifiers:
+    name: custom-authentication-identification
+  id: custom-authentication-identification
+  model: authentik_stages_identification.identificationstage
+
+- attrs:
+    session_duration: seconds=0
+  identifiers:
+    name: custom-authentication-login
+  id: custom-authentication-login
+  model: authentik_stages_user_login.userloginstage
+
+### STAGE BINDINGS
+- identifiers:
+    order: 10
+    stage: !KeyOf custom-authentication-identification
+    target: !KeyOf authentication_flow
+  model: authentik_flows.flowstagebinding
+- identifiers:
+    order: 30
+    stage: !KeyOf custom-authentication-mfa-validation
+    target: !KeyOf authentication_flow
+  model: authentik_flows.flowstagebinding
+- identifiers:
+    order: 100
+    stage: !KeyOf custom-authentication-login
+    target: !KeyOf authentication_flow
+  model: authentik_flows.flowstagebinding
+
+######## Invitation Enrollment Flow ########
+- attrs:
+    designation: enrollment
+    name: invitation-enrollment-flow
+    title: !Context welcome_message
+  identifiers:
+    slug: invitation-enrollment-flow
+  id: invitation-enrollment-flow
+  model: authentik_flows.flow
+
+### PROMPTS
+- identifiers:
+    field_key: username
+  id: prompt-field-username
+  model: authentik_stages_prompt.prompt
+  attrs:
+    label: !Context transl_username
+    type: username
+    required: true
+    placeholder: !Context transl_username
+    order: 0
+    placeholder_expression: false
+- identifiers:
+    field_key: name
+  id: prompt-field-name
+  model: authentik_stages_prompt.prompt
+  attrs:
+    label: !Context transl_name
+    type: text
+    required: true
+    placeholder: !Context transl_name
+    order: 1
+    placeholder_expression: false
+- identifiers:
+    field_key: email
+    label: Email
+  id: prompt-field-email
+  model: authentik_stages_prompt.prompt
+  attrs:
+    type: email
+    required: true
+    placeholder: muster@example.com
+    order: 2
+    placeholder_expression: false
+
+### STAGES
+
+- id: invitation-stage
+  identifiers:
+    name: invitation-stage
+  model: authentik_stages_invitation.invitationstage
+
+- attrs:
+    fields:
+      - !KeyOf prompt-field-username
+      - !KeyOf prompt-field-name
+      - !KeyOf prompt-field-email
+      - !KeyOf prompt-field-password
+      - !KeyOf prompt-field-password-repeat
+  id: enrollment-prompt-userdata
+  identifiers:
+    name: enrollment-prompt-userdata
+  model: authentik_stages_prompt.promptstage
+
+- id: enrollment-user-write
+  identifiers:
+    name: enrollment-user-write
+  model: authentik_stages_user_write.userwritestage
+
+- attrs:
+    session_duration: seconds=0
+  id: enrollment-user-login
+  identifiers:
+    name: enrollment-user-login
+  model: authentik_stages_user_login.userloginstage
+
+### STAGE BINDINGS
+- identifiers:
+    order: 1
+    stage: !KeyOf invitation-stage
+    target: !KeyOf invitation-enrollment-flow
+  model: authentik_flows.flowstagebinding
+- identifiers:
+    order: 10
+    stage: !KeyOf enrollment-prompt-userdata
+    target: !KeyOf invitation-enrollment-flow
+  model: authentik_flows.flowstagebinding
+- identifiers:
+    order: 20
+    stage: !KeyOf enrollment-user-write
+    target: !KeyOf invitation-enrollment-flow
+  model: authentik_flows.flowstagebinding
+- identifiers:
+    order: 100
+    stage: !KeyOf enrollment-user-login
+    target: !KeyOf invitation-enrollment-flow
+  model: authentik_flows.flowstagebinding
+
+######## Invalidation Flow ########
+- identifiers:
+    slug: logout-flow
+  id: logout-flow
+  model: authentik_flows.flow
+  attrs:
+    name: Logout
+    title: Logout Flow
+    designation: invalidation
+
+### STAGES
+
+- id: logout-stage
+  identifiers:
+    name: logout-stage
+  model: authentik_stages_user_logout.userlogoutstage
+
+### STAGE BINDINGS
+
+- identifiers:
+    order: 0
+    stage: !KeyOf logout-stage
+    target: !KeyOf logout-flow
+  model: authentik_flows.flowstagebinding
+  attrs:
+    re_evaluate_policies: true
+  id: logout-stage-binding
+
+### POLICIES
+- attrs:
+    execution_logging: true
+    expression: 'context[''flow_plan''].context[''redirect''] = ''{{ env "LOGOUT_REDIRECT" }}''
+
+    return True'
+  identifiers:
+    name: redirect-policy
+  id: redirect-policy
+  model: authentik_policies_expression.expressionpolicy
+
+### POLICY BINDINGS
+- identifiers:
+    policy: !KeyOf redirect-policy
+    target: !KeyOf logout-stage-binding
+    order: 0
+  model: authentik_policies.policybinding
+  attrs:
+    enabled: {{ if eq (env "LOGOUT_REDIRECT") "" }} false {{ else }} true {{ end }}
+    timeout: 30
+
+######## System Brand ##########
+- attrs:
+    attributes:
+      settings:
+        locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }}
+    # branding_favicon: /static/dist/assets/icons/icon.png
+    # branding_logo: /static/dist/assets/icons/icon_left_brand.svg
+    # branding_title: Authentik
+    # default: true
+    domain: {{ env "DOMAIN" }}
+    # event_retention: days=365
+    flow_authentication: !KeyOf authentication_flow
+    flow_recovery: !KeyOf recovery_flow
+    flow_invalidation: !KeyOf logout-flow
+    flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
+  identifiers:
+    pk: 047cce25-aae2-4b02-9f96-078e155f803d
+  id: system_brand
+  model: authentik_brands.brand

delete_user.py

@@ -0,0 +1,19 @@
+model_actions = ["model_deleted"]
+model_app = "authentik_core"
+model_name = "user"
+
+event = request.context.get("event", None)
+if not event:
+    ak_logger.info("delete_user: No event")
+    return False
+if event.action not in model_actions:
+    ak_logger.info("delete_user: Non-matching action")
+    return False
+if (
+    event.context["model"]["app"] != model_app
+    or event.context["model"]["model_name"] != model_name
+):
+    ak_logger.info("delete_user: Invalid model")
+    return False
+
+ak_logger.info(f'model: {event.context["model"]}')

hedgedoc.yaml.tmpl

@@ -8,9 +8,7 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "hedgedoc_id" }}
     client_secret: {{ secret  "hedgedoc_secret" }}
     client_type: confidential

icons/zammad.svg

@@ -1,30 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<svg width="126px" height="108px" viewBox="0 0 42 36" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:sketch="http://www.bohemiancoding.com/sketch/ns">
-    <!-- Generator: Sketch 3.3.2 (12043) - http://www.bohemiancoding.com/sketch -->
-    <title>logo</title>
-    <desc>Created with Sketch.</desc>
-    <defs/>
-    <g id="Page-1" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd" sketch:type="MSPage">
-        <g id="logo" sketch:type="MSArtboardGroup">
-            <g sketch:type="MSLayerGroup" transform="translate(1.000000, 0.000000)" id="Shape">
-                <path d="M27.3375,12.6 L36.72,9.72 L31.1625,13.2525 L27.3375,12.6 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
-                <path d="M33.0525,19.62 L31.1625,13.2525 L36.72,9.72 L35.055,15.435 L33.0525,19.62 Z" fill="#E84F83" sketch:type="MSShapeGroup"/>
-                <path d="M39.465,7.9875 L38.43,9.72 L35.055,15.435 L36.72,9.72 L39.465,7.9875 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
-                <path d="M39.8025,9.1125 L37.1925,11.79 L38.43,9.72 L39.8025,9.1125 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
-                <path d="M27.9,10.8225 L35.5725,10.0575 L30.24,11.7 L27.9,10.8225 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
-                <path d="M28.1925,15.165 L31.1625,13.2525 L33.0525,19.62 L32.0625,21.645 L28.1925,15.165 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
-                <path d="M23.76,22.725 L22.3425,5.4 L32.0625,21.645 L23.76,22.725 Z" fill="#B7DFF2" sketch:type="MSShapeGroup"/>
-                <path d="M19.7325,27.1575 L23.76,22.725 L32.0625,21.645 L19.7325,27.1575 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
-                <path d="M0.1575,35.865 L19.7325,27.1575 L23.76,22.725 L17.37,22.0725 L0.1575,35.865 Z" fill="#FFCE33" sketch:type="MSShapeGroup"/>
-                <path d="M0.9,28.755 L10.9575,27.225 L14.085,24.705 L12.555,24.03 L0.9,28.755 Z" fill="#D6B12D" sketch:type="MSShapeGroup"/>
-                <path d="M4.5225,20.5425 L14.085,24.705 L17.37,22.0725 L4.5225,20.5425 Z" fill="#FFDE85" sketch:type="MSShapeGroup"/>
-                <path d="M21.6225,11.6775 L20.4075,11.88 L17.37,22.0725 L20.655,20.0025 L21.6225,11.6775 Z" fill="#009EC6" sketch:type="MSShapeGroup"/>
-                <path d="M23.4,18.2475 L20.655,20.0025 L22.3425,5.4 L23.4,18.2475 Z" fill="#5EAFCE" sketch:type="MSShapeGroup"/>
-                <path d="M13.0275,13.05 L21.6225,11.6775 L22.005,8.28 L13.0275,13.05 Z" fill="#045972" sketch:type="MSShapeGroup"/>
-                <path d="M12.105,5.085 L19.575,9.585 L22.005,8.28 L22.0725,7.8075 L12.105,5.085 Z" fill="#5A8591" sketch:type="MSShapeGroup"/>
-                <path d="M13.5675,0.18 L20.3625,7.335 L22.0725,7.8075 L22.3425,5.4 L13.5675,0.18 Z" fill="#009EC6" sketch:type="MSShapeGroup"/>
-                <path d="M17.37,22.0725 L23.4,18.2475 L23.76,22.725 L17.37,22.0725 Z" fill="#F39804" sketch:type="MSShapeGroup"/>
-            </g>
-        </g>
-    </g>
-</svg>

kimai.yaml.tmpl

@@ -12,7 +12,6 @@ entries:
     audience: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml
     authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
     issuer: https://{{ env  "DOMAIN" }}
     name: Kimai
@@ -25,7 +24,6 @@ entries:
     - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Groups"]]
     - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: UPN"]]
     session_valid_not_on_or_after: minutes=86400
-    sign_assertion: true
     signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
     signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
     sp_binding: post

matrix.yaml.tmpl

@@ -8,9 +8,7 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "matrix_id" }}
     client_secret: {{ secret  "matrix_secret" }}
     client_type: confidential

monitoring.yaml.tmpl

@@ -8,9 +8,7 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "monitoring_id" }}
     client_secret: {{ secret  "monitoring_secret" }}
     client_type: confidential
@@ -27,7 +25,7 @@ entries:
   conditions: []
   id: monitoring_provider
   identifiers:
-    pk: 9990
+    pk: 9994
   model: authentik_providers_oauth2.oauth2provider
   state: present
 

nextcloud.yaml.tmpl

@@ -20,15 +20,10 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "nextcloud_id" }}
     client_secret: {{ secret  "nextcloud_secret" }}
     client_type: confidential
-    redirect_uris:
-    - url: https://{{ env  "NEXTCLOUD_DOMAIN" }}
-      matching_mode: strict
     include_claims_in_id_token: true
     issuer_mode: per_provider
     name: Nextcloud

outline.yaml.tmpl

@@ -8,9 +8,7 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "outline_id" }}
     client_secret: {{ secret  "outline_secret" }}
     client_type: confidential

pg_backup.sh

@@ -1,34 +0,0 @@
-#!/bin/bash
-
-set -e
-
-BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
-
-function backup {
-  export PGPASSWORD=$(cat /run/secrets/db_password)
-  pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
-}
-
-function restore {
-    cd /var/lib/postgresql/data/
-    restore_config(){
-        # Restore allowed connections
-        cat pg_hba.conf.bak > pg_hba.conf
-        su postgres -c 'pg_ctl reload'
-    }
-    # Don't allow any other connections than local
-    cp pg_hba.conf pg_hba.conf.bak
-    echo "local all all trust" > pg_hba.conf
-    su postgres -c 'pg_ctl reload'
-    trap restore_config EXIT INT TERM
-
-    # Recreate Database
-    psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);" 
-    createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
-    psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
-
-    trap - EXIT INT TERM
-    restore_config
-}
-
-$@

rallly.yaml.tmpl

@@ -8,9 +8,7 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "rallly_id" }}
     client_secret: {{ secret  "rallly_secret" }}
     client_type: confidential

release/6.11.0+2024.10.5

@@ -1 +0,0 @@
-Fix Impersonate Bug

release/6.6.0+2024.8.2

@@ -1 +0,0 @@
-Replaced icon bbb.jpg with icon.png - configs need to be updated when upgrading!

release/6.7.0+2024.8.3

@@ -1,3 +0,0 @@
-Two critical vulnerabilities were closed:
-https://github.com/goauthentik/authentik/security/advisories/GHSA-7jxf-mmg9-9hg7
-https://github.com/goauthentik/authentik/security/advisories/GHSA-8gfm-pr6x-pfh9

system_brand.yaml.tmpl

@@ -27,10 +27,7 @@ entries:
 - attrs:
     attributes:
       settings:
-        locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }} {{ if ne (env "THEME_BACKGROUND") "" }}
+        locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }}
-        theme:
-          background: >
-            background: {{ env "THEME_BACKGROUND" }} {{ end }}
     flow_recovery: !Find [authentik_flows.flow, [slug,  default-recovery-flow]]
   identifiers:
     default: true

vikunja.yaml.tmpl

@@ -8,9 +8,7 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "vikunja_id" }}
     client_secret: {{ secret  "vikunja_secret" }}
     client_type: confidential

wekan.yaml.tmpl

@@ -25,9 +25,7 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "wekan_id" }}
     client_secret: {{ secret  "wekan_secret" }}
     client_type: confidential

wordpress.yaml.tmpl

@@ -8,9 +8,7 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "wordpress_id" }}
     client_secret: {{ secret  "wordpress_secret" }}
     client_type: confidential

zammad.yaml.tmpl

@@ -1,69 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: zammad
-
-entries:
-- attrs:
-    expression: return request.user.name
-    managed: null
-    name: 'Zammad SAML Mapping: name'
-    saml_name: name
-  conditions: []
-  identifiers:
-    name: zammad_name_mapping
-  id: zammad_name_mapping
-  model: authentik_providers_saml.samlpropertymapping
-  state: present
-
-- attrs:
-    expression: return request.user.email
-    managed: null
-    name: 'Zammad SAML Mapping: email'
-    saml_name: email
-  conditions: []
-  identifiers:
-    name: zammad_email_mapping
-  id: zammad_email_mapping
-  model: authentik_providers_saml.samlpropertymapping
-  state: present
-
-- attrs:
-    acs_url: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/callback
-    assertion_valid_not_before: minutes=-5
-    assertion_valid_not_on_or_after: minutes=5
-    audience: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/metadata
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
-    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
-    digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
-    issuer: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/metadata
-    name: zammad
-    property_mappings:
-    - !KeyOf zammad_name_mapping
-    - !KeyOf zammad_email_mapping
-    session_valid_not_on_or_after: minutes=86400
-    sign_assertion: true
-    signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
-    signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
-    sp_binding: post
-  conditions: []
-  id: zammad_provider
-  identifiers:
-    pk: 9989
-  model: authentik_providers_saml.samlprovider
-  state: present
-
-- attrs:
-    meta_launch_url: ""
-    open_in_new_tab: true
-    policy_engine_mode: any
-    provider: !KeyOf zammad_provider
-    slug: zammad
-  conditions: []
-  id: zammad_application
-  identifiers:
-    name: Zammad
-  model: authentik_core.application
-  state: present