Compare commits
	
		
			64 Commits
		
	
	
		
			password_b
			...
			main
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| d6bd030880 | |||
| 7a2c45137f | |||
| 86ce0820bc | |||
| 6fcba9ff03 | |||
| 43700b2562 | |||
| 35d48cc4c4 | |||
| 64100ce3a4 | |||
| abc1ed307c | |||
| a5b5395bdf | |||
| 97ce2e451a | |||
| 98a5d4b726 | |||
| d0c924a864 | |||
| 5df1f34cd7 | |||
| bc62831e58 | |||
| fa854f6490 | |||
| 6abe8e67d4 | |||
| d494d3ea5f | |||
| 344db235b0 | |||
| 40e613f861 | |||
| 47793df102 | |||
| e2a8f2340f | |||
| fc846af1e3 | |||
| 52719f8d3a | |||
| 0175c0b0f4 | |||
| 9db9d077ca | |||
| 66e31d8632 | |||
| f1aec8ce90 | |||
| 03797a34db | |||
| 5e5da361e5 | |||
| 830214b1fd | |||
| 6d46686a24 | |||
| 912691844e | |||
| 84f8f5b165 | |||
| aa107d0ad4 | |||
| 5e49903b3f | |||
| 9124dab6ab | |||
| 197feb32f3 | |||
| df670cea2b | |||
| eeef43529e | |||
| 6b0195e5a1 | |||
| f342673d43 | |||
| f6f6f90bed | |||
| f1f5b96309 | |||
| 3cba20afd9 | |||
| bed917a28c | |||
| 5c9e4e5372 | |||
| f281c5f902 | |||
| ed41b0f113 | |||
| 4f8b505e1e | |||
| 18559defc1 | |||
| 453e3d442a | |||
| 9214157959 | |||
| 99bd647613 | |||
| 88333e2068 | |||
| a3f114834f | |||
| e6e13eb1c7 | |||
| 3bc925d3fa | |||
| f322f6a09e | |||
| 24ff7ee444 | |||
| 38911193db | |||
| 3b9bea3681 | |||
| e8016868fe | |||
| a00c7deb2c | |||
| c1f0358f29 | 
| @ -31,6 +31,7 @@ steps: | |||||||
|       SECRET_ADMIN_PASS_VERSION: v1 |       SECRET_ADMIN_PASS_VERSION: v1 | ||||||
|       SECRET_EMAIL_PASS_VERSION: v1 |       SECRET_EMAIL_PASS_VERSION: v1 | ||||||
|       DB_ENTRYPOINT_VERSION: v1 |       DB_ENTRYPOINT_VERSION: v1 | ||||||
|  |       PG_BACKUP_VERSION: v2 | ||||||
| trigger: | trigger: | ||||||
|   branch: |   branch: | ||||||
|     - main |     - main | ||||||
| @ -46,7 +47,7 @@ steps: | |||||||
|         from_secret: drone_abra-bot_token |         from_secret: drone_abra-bot_token | ||||||
|       fork: true |       fork: true | ||||||
|       repositories: |       repositories: | ||||||
|         - coop-cloud/auto-recipes-catalogue-json |         - toolshed/auto-recipes-catalogue-json | ||||||
|  |  | ||||||
| trigger: | trigger: | ||||||
|   event: tag |   event: tag | ||||||
|  | |||||||
							
								
								
									
										38
									
								
								.env.sample
									
									
									
									
									
								
							
							
						
						| @ -1,8 +1,10 @@ | |||||||
| TYPE=authentik | TYPE=authentik | ||||||
| TIMEOUT=900 | TIMEOUT=900 | ||||||
| ENABLE_AUTO_UPDATE=true | ENABLE_AUTO_UPDATE=true | ||||||
| # POST_DEPLOY_CMDS="worker set_admin_pass|worker apply_blueprints|worker add_applications" | POST_DEPLOY_CMDS="worker set_admin_pass" | ||||||
|  | # Example values for post deploy cmds: "worker set_admin_pass|worker apply_blueprints|worker add_applications" | ||||||
| LETS_ENCRYPT_ENV=production | LETS_ENCRYPT_ENV=production | ||||||
|  | ENABLE_BACKUPS=true | ||||||
|  |  | ||||||
| DOMAIN=authentik.example.com | DOMAIN=authentik.example.com | ||||||
| ## Domain aliases | ## Domain aliases | ||||||
| @ -16,6 +18,11 @@ AUTHENTIK_LOG_LEVEL=info | |||||||
|  |  | ||||||
| ## Outpost Integration | ## Outpost Integration | ||||||
| # COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml" | # COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml" | ||||||
|  | # COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.ldap.yml" | ||||||
|  | # SECRET_LDAP_TOKEN_VERSION=v1 | ||||||
|  |  | ||||||
|  | ## ADMIN | ||||||
|  | AUTHENTIK_BOOTSTRAP_EMAIL=admin@example.com | ||||||
|  |  | ||||||
| ## EMAIL | ## EMAIL | ||||||
| AUTHENTIK_EMAIL__HOST=smtp | AUTHENTIK_EMAIL__HOST=smtp | ||||||
| @ -42,15 +49,20 @@ SECRET_EMAIL_PASS_VERSION=v1 | |||||||
| # EMAIL_SUBJECT="Account Recovery" | # EMAIL_SUBJECT="Account Recovery" | ||||||
| # EMAIL_TOKEN_EXPIRY_MINUTES=30 | # EMAIL_TOKEN_EXPIRY_MINUTES=30 | ||||||
|  |  | ||||||
|  | ## assets | ||||||
| COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/" | COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/" | ||||||
| COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/" | COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/" | ||||||
| COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/" | COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/" | ||||||
|  |  | ||||||
| # Default CSS customisation, just background colour | # store custom CSS in a css-volume | ||||||
| COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml" | #COMPOSE_FILE="$COMPOSE_FILE:compose.css-volume.yml" | ||||||
| AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21 | # NOTE: this causes the authentik container to run as `root` initially; it uses `su` to drop privileges but technically could introduce a security risk. proceed with caution! | ||||||
| # Custommise the entire custom CSS file |  | ||||||
| #COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml" | # Default CSS customisation | ||||||
|  | # COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml" | ||||||
|  | # BACKGROUND_FONT_COLOR=white | ||||||
|  | # BACKGROUND_BOX_COLOR='#eaeaeacf' | ||||||
|  | # THEME_BACKGROUND="url('https://authentik.example.com/static/dist/assets/images/flow_background.jpg'); background-position: center; background-repeat: no-repeat; background-size: cover;" | ||||||
|  |  | ||||||
| # COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml" | # COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml" | ||||||
| # NEXTCLOUD_DOMAIN=nextcloud.example.com | # NEXTCLOUD_DOMAIN=nextcloud.example.com | ||||||
| @ -67,6 +79,7 @@ AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21 | |||||||
|  |  | ||||||
| # COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml" | # COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml" | ||||||
| # ELEMENT_DOMAIN=element-web.example.com | # ELEMENT_DOMAIN=element-web.example.com | ||||||
|  | # MATRIX_DOMAIN=matrix-synapse.example.com | ||||||
| # SECRET_MATRIX_ID_VERSION=v1 | # SECRET_MATRIX_ID_VERSION=v1 | ||||||
| # SECRET_MATRIX_SECRET_VERSION=v1 | # SECRET_MATRIX_SECRET_VERSION=v1 | ||||||
| # APP_ICONS="$APP_ICONS matrix:~/.abra/recipes/authentik/icons/matrix.svg" | # APP_ICONS="$APP_ICONS matrix:~/.abra/recipes/authentik/icons/matrix.svg" | ||||||
| @ -93,13 +106,17 @@ AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21 | |||||||
| # KIMAI_DOMAIN=kimai.example.com | # KIMAI_DOMAIN=kimai.example.com | ||||||
| # SECRET_KIMAI_ID_VERSION=v1 | # SECRET_KIMAI_ID_VERSION=v1 | ||||||
| # SECRET_KIMAI_SECRET_VERSION=v1 | # SECRET_KIMAI_SECRET_VERSION=v1 | ||||||
| # APP_ICONS="$APP_ICONS kimai:~/.abra/recipes/authentik/icons/kimai.png" | # APP_ICONS="$APP_ICONS kimai:~/.abra/recipes/authentik/icons/kimai_logo.png" | ||||||
|  |  | ||||||
|  | # COMPOSE_FILE="$COMPOSE_FILE:compose.zammad.yml" | ||||||
|  | # ZAMMAD_DOMAIN=zammad.example.com | ||||||
|  | # APP_ICONS="$APP_ICONS zammad:~/.abra/recipes/authentik/icons/zammad.svg" | ||||||
|  |  | ||||||
| # COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml" | # COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml" | ||||||
| # MONITORING_DOMAIN=monitoring.example.com | # MONITORING_DOMAIN=monitoring.example.com | ||||||
| # SECRET_MONITORING_ID_VERSION=v1 | # SECRET_MONITORING_ID_VERSION=v1 | ||||||
| # SECRET_MONITORING_SECRET_VERSION=v1 | # SECRET_MONITORING_SECRET_VERSION=v1 | ||||||
| # APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.png" | # APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.svg" | ||||||
|  |  | ||||||
| # COMPOSE_FILE="$COMPOSE_FILE:compose.rallly.yml" | # COMPOSE_FILE="$COMPOSE_FILE:compose.rallly.yml" | ||||||
| # RALLLY_DOMAIN=rallly.example.com | # RALLLY_DOMAIN=rallly.example.com | ||||||
| @ -113,6 +130,5 @@ AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21 | |||||||
| # SECRET_HEDGEDOC_SECRET_VERSION=v1 | # SECRET_HEDGEDOC_SECRET_VERSION=v1 | ||||||
| # APP_ICONS="$APP_ICONS hedgedoc:~/.abra/recipes/authentik/icons/hedgedoc.png" | # APP_ICONS="$APP_ICONS hedgedoc:~/.abra/recipes/authentik/icons/hedgedoc.png" | ||||||
|  |  | ||||||
| # APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/"}' | # APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/", "Pretix": "https://pretix.example.com/control/"}' | ||||||
| # APP_ICONS="$APP_ICONS Calendar:~/.abra/recipes/authentik/icons/calendar.svg" | # EXTRA_ICONS={"Calendar": "~/.abra/recipes/authentik/icons/calendar.svg", "BBB": "~/.abra/recipes/authentik/icons/bbb.png", "Pretix": "~/.abra/recipes/authentik/icons/pretix.svg"} | ||||||
| # APP_ICONS="$APP_ICONS BBB:~/.abra/recipes/authentik/icons/bbb.jpg" |  | ||||||
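Review bot: The new LDAP lines at L129-130 give no warning that enabling `compose.outposts.ldap.yml` publishes LDAP on the host (that overlay declares `ports: 389:3389` and `636:6636`, and 389 is cleartext), so an operator uncommenting them on a shared swarm exposes a directory bind endpoint on every node. I'd add a comment above the `COMPOSE_FILE` line such as `# NOTE: the LDAP outpost publishes ports 389/636 on all swarm nodes; firewall them, or drop the 389 mapping if only LDAPS is needed`. The `AUTHENTIK_INSECURE=true` default in that overlay deserves a mention here too, since this sample is the file operators actually read before deploying.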
|  | |||||||
| @ -54,6 +54,14 @@ Set the nextcloud Icon using `abra app cmd -l -d <app_name> set_icons` | |||||||
|  |  | ||||||
| The configuration inside Nextcloud can be found in the [nextcloud recipe](https://git.coopcloud.tech/coop-cloud/nextcloud#authentik-integration) | The configuration inside Nextcloud can be found in the [nextcloud recipe](https://git.coopcloud.tech/coop-cloud/nextcloud#authentik-integration) | ||||||
|  |  | ||||||
|  | ## Add LDAP outpost | ||||||
|  |  | ||||||
|  | - Follow [this official guide](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap/generic_setup) and skip the LDAP Flow as we don't need it. | ||||||
|  | - Copy token under `Applications` -> `Outposts` `-> `View Deployment Info`  | ||||||
|  | - Comment in envs for compose.outposts.ldap.yaml and secret version | ||||||
|  | - Insert token as secret `abra app secret insert <DOMAIN> ldap_token v1 <TOKEN>` | ||||||
|  | - Update deployment -> Outpost should be up and running | ||||||
|  |  | ||||||
| ## Import User from CSV | ## Import User from CSV | ||||||
|  |  | ||||||
| Users can be imported from a CSV file of the following format: | Users can be imported from a CSV file of the following format: | ||||||
|  | |||||||
							
								
								
									
										78
									
								
								abra.sh
									
									
									
									
									
								
							
							
						
						| @ -1,21 +1,24 @@ | |||||||
| export CUSTOM_CSS_VERSION=v2 | export CUSTOM_CSS_VERSION=v3 | ||||||
| export FLOW_AUTHENTICATION_VERSION=v4 | export FLOW_AUTHENTICATION_VERSION=v4 | ||||||
| export FLOW_INVITATION_VERSION=v2 | export FLOW_INVITATION_VERSION=v2 | ||||||
| export FLOW_INVALIDATION_VERSION=v2 | export FLOW_INVALIDATION_VERSION=v2 | ||||||
| export FLOW_RECOVERY_VERSION=v1 | export FLOW_RECOVERY_VERSION=v1 | ||||||
| export FLOW_TRANSLATION_VERSION=v3 | export FLOW_TRANSLATION_VERSION=v3 | ||||||
| export SYSTEM_BRAND_VERSION=v3 | export SYSTEM_BRAND_VERSION=v4 | ||||||
| export NEXTCLOUD_CONFIG_VERSION=v1 | export NEXTCLOUD_CONFIG_VERSION=v3 | ||||||
| export WORDPRESS_CONFIG_VERSION=v2 | export WORDPRESS_CONFIG_VERSION=v4 | ||||||
| export MATRIX_CONFIG_VERSION=v1 | export MATRIX_CONFIG_VERSION=v3 | ||||||
| export WEKAN_CONFIG_VERSION=v3 | export WEKAN_CONFIG_VERSION=v5 | ||||||
| export VIKUNJA_CONFIG_VERSION=v1 | export VIKUNJA_CONFIG_VERSION=v3 | ||||||
| export OUTLINE_CONFIG_VERSION=v2 | export OUTLINE_CONFIG_VERSION=v4 | ||||||
| export KIMAI_CONFIG_VERSION=v1 | export KIMAI_CONFIG_VERSION=v3 | ||||||
| export RALLLY_CONFIG_VERSION=v2 | export ZAMMAD_CONFIG_VERSION=v4 | ||||||
| export HEDGEDOC_CONFIG_VERSION=v1 | export RALLLY_CONFIG_VERSION=v4 | ||||||
| export MONITORING_CONFIG_VERSION=v1 | export HEDGEDOC_CONFIG_VERSION=v3 | ||||||
|  | export MONITORING_CONFIG_VERSION=v4 | ||||||
| export DB_ENTRYPOINT_VERSION=v1 | export DB_ENTRYPOINT_VERSION=v1 | ||||||
|  | export PG_BACKUP_VERSION=v2 | ||||||
|  | export ENTRYPOINT_CSS_VERSION=v1 | ||||||
|  |  | ||||||
| customize() { | customize() { | ||||||
|     if [ -z "$1" ] |     if [ -z "$1" ] | ||||||
| @ -32,6 +35,15 @@ customize() { | |||||||
|     done |     done | ||||||
| } | } | ||||||
|  |  | ||||||
|  | shell(){ | ||||||
|  |     if [ -z "$1" ] | ||||||
|  |     then | ||||||
|  |             echo "Usage: ... shell <python code>" | ||||||
|  |             exit 1 | ||||||
|  |     fi | ||||||
|  |     ak shell -c "$1" 2>&1 | quieten | ||||||
|  | } | ||||||
|  |  | ||||||
| import_user() { | import_user() { | ||||||
|     if [ -z "$1" ] |     if [ -z "$1" ] | ||||||
|     then |     then | ||||||
| @ -76,6 +88,16 @@ set_admin_pass() { | |||||||
| password=$(cat /run/secrets/admin_pass) | password=$(cat /run/secrets/admin_pass) | ||||||
| token=$(cat /run/secrets/admin_token) | token=$(cat /run/secrets/admin_token) | ||||||
| /manage.py shell -c """ | /manage.py shell -c """ | ||||||
|  | import time | ||||||
|  | i = 0 | ||||||
|  | while (not User.objects.filter(username='akadmin')): | ||||||
|  |     print('Waiting for akadmin to be created...') | ||||||
|  |     time.sleep(10) | ||||||
|  |     i += 1 | ||||||
|  |     if i > 6: | ||||||
|  |         print('Failed to find admin user!') | ||||||
|  |         exit() | ||||||
|  |  | ||||||
| akadmin = User.objects.get(username='akadmin') | akadmin = User.objects.get(username='akadmin') | ||||||
| akadmin.set_password('$password') | akadmin.set_password('$password') | ||||||
| akadmin.save() | akadmin.save() | ||||||
| @ -156,11 +178,13 @@ print(f'{blueprint.name} enabled: {blueprint.enabled}') | |||||||
| } | } | ||||||
|  |  | ||||||
| add_applications(){ | add_applications(){ | ||||||
|  | export APPLICATIONS | ||||||
| /manage.py shell -c """ | /manage.py shell -c """ | ||||||
| import json | import json | ||||||
| if '$APPLICATIONS' == '': | import os | ||||||
|  | if os.environ['APPLICATIONS'] == '': | ||||||
|     exit() |     exit() | ||||||
| applications = json.loads('$APPLICATIONS') | applications = json.loads(os.environ['APPLICATIONS']) | ||||||
| for name, url in applications.items(): | for name, url in applications.items(): | ||||||
|     print(f'Add {name}: {url}') |     print(f'Add {name}: {url}') | ||||||
|     app = Application.objects.filter(name=name).first() |     app = Application.objects.filter(name=name).first() | ||||||
| @ -189,6 +213,10 @@ done | |||||||
| } | } | ||||||
|  |  | ||||||
| set_icons(){ | set_icons(){ | ||||||
|  | if [ -n "$1" ] | ||||||
|  | then | ||||||
|  | APP_ICONS="$1" | ||||||
|  | fi | ||||||
| for icon in $APP_ICONS; do | for icon in $APP_ICONS; do | ||||||
|     app=$(echo $icon | cut -d ":" -f1) |     app=$(echo $icon | cut -d ":" -f1) | ||||||
|     file_path=$(eval echo $(echo $icon | cut -d ":" -f2)) |     file_path=$(eval echo $(echo $icon | cut -d ":" -f2)) | ||||||
| @ -199,6 +227,22 @@ for icon in $APP_ICONS; do | |||||||
| done | done | ||||||
| } | } | ||||||
|  |  | ||||||
|  | set_extra_icons(){ | ||||||
|  |     if [ -z "$EXTRA_ICONS" ] | ||||||
|  |     then | ||||||
|  |         echo "Variable EXTRA_ICONS is not set" | ||||||
|  |         exit 1 | ||||||
|  |     fi | ||||||
|  |     export EXTRA_ICONS | ||||||
|  |     icon_key_values=$(python3 -c " | ||||||
|  | import json | ||||||
|  | import os | ||||||
|  | for key, value in json.loads(os.environ['EXTRA_ICONS']).items(): | ||||||
|  |     print(f'{key}:{value}') | ||||||
|  | ") | ||||||
|  |     set_icons "$icon_key_values" | ||||||
|  | } | ||||||
|  |  | ||||||
| set_app_icon() { | set_app_icon() { | ||||||
| TOKEN=$(cat /run/secrets/admin_token) | TOKEN=$(cat /run/secrets/admin_token) | ||||||
| python -c """ | python -c """ | ||||||
| @ -242,3 +286,9 @@ cert = saml.signing_kp | |||||||
| print(''.join(cert.certificate_data.splitlines()[1:-1])) | print(''.join(cert.certificate_data.splitlines()[1:-1])) | ||||||
| """ 2>&1 | quieten | """ 2>&1 | quieten | ||||||
| } | } | ||||||
|  |  | ||||||
|  | get_user_uid() { | ||||||
|  | /manage.py shell -c """ | ||||||
|  | print(User.objects.filter(username='$1').first().uid) | ||||||
|  | """ 2>&1 | quieten | ||||||
|  | } | ||||||
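Review bot: `get_user_uid` at L336-340 splices its shell argument straight into Python source (`username='$1'`), so a username containing a quote breaks the query or executes as code, and `.first().uid` raises `AttributeError` when no user matches, which `quieten` may then hide. This commit already fixes the same pattern for `APPLICATIONS` at L287-293 by exporting the variable and reading `os.environ`; the new function should use the same approach and handle the no-match case explicitly. `set_admin_pass` still interpolates `$password` and `$token` into Python source at L281 (its body continues outside the hunk), and the same fix applies there since a secret containing `'` or `\` will currently break or alter the script.
```shell
get_user_uid() {
    export AK_LOOKUP_USERNAME="$1"
/manage.py shell -c """
import os
user = User.objects.filter(username=os.environ['AK_LOOKUP_USERNAME']).first()
print(user.uid if user else '')
""" 2>&1 | quieten
}
```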
|  | |||||||
| @ -17,6 +17,7 @@ matrix-synapse: | |||||||
|     uncomment: |     uncomment: | ||||||
|         - compose.matrix.yml |         - compose.matrix.yml | ||||||
|         - ELEMENT_DOMAIN |         - ELEMENT_DOMAIN | ||||||
|  |         - MATRIX_DOMAIN | ||||||
|         - SECRET_MATRIX_ID_VERSION |         - SECRET_MATRIX_ID_VERSION | ||||||
|         - SECRET_MATRIX_SECRET_VERSION |         - SECRET_MATRIX_SECRET_VERSION | ||||||
|         - matrix.svg |         - matrix.svg | ||||||
| @ -40,7 +41,19 @@ vikunja: | |||||||
|         - vikunja.svg |         - vikunja.svg | ||||||
|     secrets: |     secrets: | ||||||
|         vikunja_id: vikunja |         vikunja_id: vikunja | ||||||
| monitoring: | kimai: | ||||||
|  |     uncomment: | ||||||
|  |         - compose.kimai.yml | ||||||
|  |         - KIMAI_DOMAIN | ||||||
|  |         - SECRET_KIMAI_ID_VERSION | ||||||
|  |         - SECRET_KIMAI_SECRET_VERSION | ||||||
|  |         - kimai_logo.png | ||||||
|  | zammad: | ||||||
|  |     uncomment: | ||||||
|  |         - compose.zammad.yml | ||||||
|  |         - ZAMMAD_DOMAIN | ||||||
|  |         - zammad.svg | ||||||
|  | monitoring-ng: | ||||||
|     uncomment: |     uncomment: | ||||||
|         - compose.monitoring.yml |         - compose.monitoring.yml | ||||||
|         - MONITORING_DOMAIN |         - MONITORING_DOMAIN | ||||||
|  | |||||||
							
								
								
									
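--- /dev/null
+++ b/compose.css-volume.yml
@@ -0,0 +1,16 @@
+---
+version: "3.8"
+
+services:
+  app:
+    user: root
+    entrypoint: /docker-entrypoint.sh
+    configs:
+      - source: entrypoint_css
+        target: /docker-entrypoint.sh
+        mode: 0555
+
+configs:
+  entrypoint_css:
+    name: ${STACK_NAME}_entrypoint_css_${ENTRYPOINT_CSS_VERSION}
+    file: entrypoint-css-volume.sh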
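Review bot: `user: root` at L396 starts the internet-facing authentik `app` service as uid 0 solely so `/docker-entrypoint.sh` can populate a CSS volume, and `entrypoint-css-volume.sh` is not in this diff, so I cannot confirm from here that it drops privileges before `ak server` runs or what it writes. A narrower design keeps `app` unprivileged and does the one-time volume population (copy plus `chown`) in a separate short-lived service, so a compromise of the web process never begins as root; if the entrypoint approach stays, a comment in this file should state exactly what runs as root and where privileges are dropped, e.g. `# runs as root only to seed the CSS volume; entrypoint-css-volume.sh must exec as the authentik user`. The `.env.sample` caveat at L148 is a good start but lives far from the file that actually grants root.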
| @ -1,11 +1,18 @@ | |||||||
| version: "3.8" | version: "3.8" | ||||||
| services: | services: | ||||||
|  |   app: | ||||||
|  |     deploy: | ||||||
|  |       labels: | ||||||
|  |         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect-matrix-well-known" | ||||||
|  |         - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.regex=^https://(.*)/.well-known/matrix/(.*)" | ||||||
|  |         - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.replacement=https://${MATRIX_DOMAIN}/.well-known/matrix/$$2" | ||||||
|   worker: |   worker: | ||||||
|     secrets: |     secrets: | ||||||
|       - matrix_id |       - matrix_id | ||||||
|       - matrix_secret |       - matrix_secret | ||||||
|     environment: |     environment: | ||||||
|       - ELEMENT_DOMAIN |       - ELEMENT_DOMAIN | ||||||
|  |       - MATRIX_DOMAIN | ||||||
|     configs: |     configs: | ||||||
|       - source: matrix |       - source: matrix | ||||||
|         target: /blueprints/matrix.yaml |         target: /blueprints/matrix.yaml | ||||||
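Review bot: The label `traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect-matrix-well-known` at L413 sets the router's middleware list to that single entry; compose label maps merge by key across overlay files, so if compose.yml already assigns `middlewares` on this router (the `${STACK_NAME}-redirect` and `${STACK_NAME}-frameOptions` middlewares it defines at L530-532 suggest it does), enabling the Matrix overlay silently replaces that list and drops the HTTPS redirect, `SAMEORIGIN` and `frame-ancestors` CSP headers from the main authentik router. The value should repeat the base router's middlewares, e.g. `traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions,${STACK_NAME}-redirect-matrix-well-known`, kept in sync with whatever compose.yml declares. Minor: the regex `^https://(.*)/.well-known/matrix/(.*)` leaves the dots unescaped; `\.well-known` is what is intended.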
|  | |||||||
							
								
								
									
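--- /dev/null
+++ b/compose.outposts.ldap.yml
@@ -0,0 +1,23 @@
+version: "3.8"
+services:
+  authentik_ldap:
+      image: ghcr.io/goauthentik/ldap:2025.2.0
+      # Optionally specify which networks the container should be
+      # might be needed to reach the core authentik server
+      networks:
+        - internal
+        - proxy
+      ports:
+        - 389:3389
+        - 636:6636
+      secrets:
+        - ldap_token
+      environment:
+        - AUTHENTIK_HOST=https://${DOMAIN}
+        - AUTHENTIK_INSECURE=true
+        - AUTHENTIK_TOKEN=file:///run/secrets/ldap_token
+
+secrets:
+  ldap_token:
+    external: true
+    name: ${STACK_NAME}_ldap_token_${SECRET_LDAP_TOKEN_VERSION}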
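Review bot: `AUTHENTIK_INSECURE=true` at L463 disables TLS certificate verification for the outpost's connection to `https://${DOMAIN}`, yet that host is served by traefik with a production Let's Encrypt certificate in this recipe, so the flag buys nothing and makes the outpost token and every bind relayed through it interceptable by anyone who can spoof the domain; drop the line, or point the outpost at the app service over the `internal` network instead (the old healthcheck at L516 probed port 9000, so `AUTHENTIK_HOST=http://app:9000` presumably works — verify). Separately, `ports: 389:3389` and `636:6636` use swarm ingress mode, which publishes both listeners on every node's interfaces, and 389 is cleartext LDAP; publish only 636 unless plaintext is truly required, and use the long form with `mode: host` plus a host firewall if it must not be reachable cluster-wide. The indentation under `authentik_ldap:` (six spaces at L450 versus two for the key) is valid YAML but inconsistent with the other compose files.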
							
								
								
									
										52
									
								
								compose.yml
									
									
									
									
									
								
							
							
						
						| @ -17,10 +17,11 @@ x-env: &env | |||||||
|     - AUTHENTIK_EMAIL__TIMEOUT |     - AUTHENTIK_EMAIL__TIMEOUT | ||||||
|     - AUTHENTIK_EMAIL__FROM |     - AUTHENTIK_EMAIL__FROM | ||||||
|     - AUTHENTIK_LOG_LEVEL |     - AUTHENTIK_LOG_LEVEL | ||||||
|     - AUTHENTIK_SETTINGS__THEME__BACKGROUND |     - BACKGROUND_FONT_COLOR=${BACKGROUND_FONT_COLOR:-white} | ||||||
|     - AUTHENTIK_COLOR_BACKGROUND_LIGHT |     - BACKGROUND_BOX_COLOR=${BACKGROUND_BOX_COLOR:-#eaeaeacf} | ||||||
|     - AUTHENTIK_FOOTER_LINKS |     - AUTHENTIK_FOOTER_LINKS | ||||||
|     - AUTHENTIK_IMPERSONATION |     - AUTHENTIK_IMPERSONATION | ||||||
|  |     - AUTHENTIK_BOOTSTRAP_EMAIL | ||||||
|     - WELCOME_MESSAGE |     - WELCOME_MESSAGE | ||||||
|     - DEFAULT_LANGUAGE |     - DEFAULT_LANGUAGE | ||||||
|     - EMAIL_SUBJECT |     - EMAIL_SUBJECT | ||||||
| @ -28,11 +29,12 @@ x-env: &env | |||||||
|     - DOMAIN |     - DOMAIN | ||||||
|     - LOGOUT_REDIRECT |     - LOGOUT_REDIRECT | ||||||
|     - APPLICATIONS |     - APPLICATIONS | ||||||
|  |     - THEME_BACKGROUND | ||||||
|  |  | ||||||
| version: '3.8' | version: '3.8' | ||||||
| services: | services: | ||||||
|   app: |   app: | ||||||
|     image: ghcr.io/goauthentik/server:2024.4.2 |     image: ghcr.io/goauthentik/server:2025.2.0 | ||||||
|     command: server |     command: server | ||||||
|     depends_on: |     depends_on: | ||||||
|       - db |       - db | ||||||
| @ -51,16 +53,13 @@ services: | |||||||
|       - internal |       - internal | ||||||
|       - proxy |       - proxy | ||||||
|     healthcheck: |     healthcheck: | ||||||
|       test: "bash -c 'printf \"GET / HTTP/1.1\n\n\" > /dev/tcp/127.0.0.1/9000; exit $$?;'" |       test: "ak healthcheck" | ||||||
|       interval: 30s |       interval: 30s | ||||||
|       timeout: 10s |       timeout: 30s | ||||||
|       retries: 10 |       retries: 10 | ||||||
|       start_period: 5m |       start_period: 5m | ||||||
|     environment: *env |     environment: *env | ||||||
|     deploy: |     deploy: | ||||||
|       update_config: |  | ||||||
|         failure_action: rollback |  | ||||||
|         order: start-first |  | ||||||
|       labels: |       labels: | ||||||
|         - "traefik.enable=true" |         - "traefik.enable=true" | ||||||
|         - "traefik.docker.network=proxy" |         - "traefik.docker.network=proxy" | ||||||
| @ -73,11 +72,11 @@ services: | |||||||
|         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}" |         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}" | ||||||
|         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN" |         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN" | ||||||
|         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}" |         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}" | ||||||
|         - "coop-cloud.${STACK_NAME}.version=6.1.1+2024.4.2" |         - "coop-cloud.${STACK_NAME}.version=7.0.0+2025.2.0" | ||||||
|         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}" |         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}" | ||||||
|  |  | ||||||
|   worker: |   worker: | ||||||
|     image: ghcr.io/goauthentik/server:2024.4.2 |     image: ghcr.io/goauthentik/server:2025.2.0 | ||||||
|     command: worker |     command: worker | ||||||
|     depends_on: |     depends_on: | ||||||
|       - db |       - db | ||||||
| @ -92,10 +91,10 @@ services: | |||||||
|       - internal |       - internal | ||||||
|       - proxy |       - proxy | ||||||
|     volumes: |     volumes: | ||||||
|       - backups:/backups |  | ||||||
|       - media:/media |       - media:/media | ||||||
|       - /dev/null:/blueprints/default/flow-oobe.yaml |       - /dev/null:/blueprints/default/flow-oobe.yaml | ||||||
|       - templates:/templates |       - templates:/templates | ||||||
|  |       - certs:/certs | ||||||
|     configs: |     configs: | ||||||
|       - source: flow_recovery |       - source: flow_recovery | ||||||
|         target: /blueprints/1_flow_recovery.yaml |         target: /blueprints/1_flow_recovery.yaml | ||||||
| @ -110,15 +109,24 @@ services: | |||||||
|       - source: flow_invalidation |       - source: flow_invalidation | ||||||
|         target: /blueprints/6_flow_invalidation.yaml |         target: /blueprints/6_flow_invalidation.yaml | ||||||
|     environment: *env |     environment: *env | ||||||
|  |     healthcheck: | ||||||
|  |       test: "ak healthcheck" | ||||||
|  |       interval: 30s | ||||||
|  |       timeout: 30s | ||||||
|  |       retries: 10 | ||||||
|  |       start_period: 5m | ||||||
|  |  | ||||||
|   db: |   db: | ||||||
|     image: postgres:15.7 |     image: postgres:15.12 | ||||||
|     secrets: |     secrets: | ||||||
|       - db_password |       - db_password | ||||||
|     configs: |     configs: | ||||||
|       - source: db_entrypoint |       - source: db_entrypoint | ||||||
|         target: /docker-entrypoint.sh |         target: /docker-entrypoint.sh | ||||||
|         mode: 0555 |         mode: 0555 | ||||||
|  |       - source: pg_backup | ||||||
|  |         target: /pg_backup.sh | ||||||
|  |         mode: 0555 | ||||||
|     entrypoint: |     entrypoint: | ||||||
|       /docker-entrypoint.sh |       /docker-entrypoint.sh | ||||||
|     volumes: |     volumes: | ||||||
| @ -137,13 +145,15 @@ services: | |||||||
|       - POSTGRES_DB=authentik |       - POSTGRES_DB=authentik | ||||||
|     deploy: |     deploy: | ||||||
|       labels: |       labels: | ||||||
|           backupbot.backup: "true" |           backupbot.backup: "${ENABLE_BACKUPS:-true}" | ||||||
|           backupbot.backup.pre-hook: "PGPASSWORD=$$(cat /run/secrets/db_password) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql" |           backupbot.backup.pre-hook: "/pg_backup.sh backup" | ||||||
|           backupbot.backup.post-hook: "rm -rf /var/lib/postgresql/data/backup.sql" |           backupbot.backup.volumes.database.path: "backup.sql" | ||||||
|           backupbot.backup.path: "/var/lib/postgresql/data" |           backupbot.backup.volumes.redis: "false" | ||||||
|  |           backupbot.restore.post-hook: '/pg_backup.sh restore' | ||||||
|  |  | ||||||
|   redis: |   redis: | ||||||
|     image:  redis:7.2.4-alpine |     image:  redis:7.4.2-alpine | ||||||
|  |     command: --save 60 1 --loglevel warning | ||||||
|     networks: |     networks: | ||||||
|       - internal |       - internal | ||||||
|     healthcheck: |     healthcheck: | ||||||
| @ -152,6 +162,8 @@ services: | |||||||
|       timeout: 10s |       timeout: 10s | ||||||
|       retries: 10 |       retries: 10 | ||||||
|       start_period: 1m |       start_period: 1m | ||||||
|  |     volumes: | ||||||
|  |         - redis:/data | ||||||
|  |  | ||||||
| secrets: | secrets: | ||||||
|   db_password: |   db_password: | ||||||
| @ -176,8 +188,9 @@ networks: | |||||||
|   internal: |   internal: | ||||||
|  |  | ||||||
| volumes: | volumes: | ||||||
|   backups: |  | ||||||
|   media: |   media: | ||||||
|  |   certs: | ||||||
|  |   redis: | ||||||
|   templates: |   templates: | ||||||
|   assets: |   assets: | ||||||
|   database: |   database: | ||||||
| @ -211,3 +224,6 @@ configs: | |||||||
|     name: ${STACK_NAME}_db_entrypoint_${DB_ENTRYPOINT_VERSION} |     name: ${STACK_NAME}_db_entrypoint_${DB_ENTRYPOINT_VERSION} | ||||||
|     file: entrypoint.postgres.sh.tmpl |     file: entrypoint.postgres.sh.tmpl | ||||||
|     template_driver: golang |     template_driver: golang | ||||||
|  |   pg_backup: | ||||||
|  |     name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION} | ||||||
|  |     file: pg_backup.sh | ||||||
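Review bot: The backup labels at L582-586 drop the old `backupbot.backup.post-hook` that deleted `backup.sql` after each run (old side L584), and `pg_backup.sh` is not part of this diff, so I cannot confirm the plaintext dump — which holds every user's password hash, API tokens and the client secrets of all configured providers — is removed from the `database` volume once backupbot has read it (`backupbot.backup.volumes.database.path: "backup.sql"` suggests it lands in the volume root). If `pg_backup.sh backup` does not clean up, keep an explicit post-hook, e.g. `backupbot.backup.post-hook: "rm -f /var/lib/postgresql/data/backup.sql"`. Removing the `update_config` block (old L523-525) also drops `failure_action: rollback`, so under swarm defaults a failed `2025.2.0` rollout pauses on the broken task instead of rolling back; if `start-first` was removed because two authentik versions must not migrate concurrently, say so and keep `update_config: {failure_action: rollback, order: stop-first}`. The new `certs:/certs` mount on `worker` at L549 has no comment explaining what populates it or which service consumes it.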
|  | |||||||
							
								
								
									
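--- /dev/null
+++ b/compose.zammad.yml
@@ -0,0 +1,14 @@
+version: "3.8"
+services:
+  worker:
+    environment:
+      - ZAMMAD_DOMAIN
+    configs:
+      - source: zammad
+        target: /blueprints/zammad.yaml
+
+configs:
+  zammad:
+    name: ${STACK_NAME}_zammad_${ZAMMAD_CONFIG_VERSION}
+    file: zammad.yaml.tmpl
+    template_driver: golang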
| @ -1,24 +1,13 @@ | |||||||
| /* my custom css */ | /* my custom css */ | ||||||
|  |  | ||||||
|  |  | ||||||
| :root { | :root { | ||||||
|     --ak-accent: #fd4b2d; |         --pf-global--BackgroundColor--100: {{ env "BACKGROUND_BOX_COLOR" }} !important; | ||||||
|  |  | ||||||
|     --ak-dark-foreground: #fafafa; |  | ||||||
|     --ak-dark-foreground-darker: #bebebe; |  | ||||||
|     --ak-dark-foreground-link: #5a5cb9; |  | ||||||
|     --ak-dark-background: #18191a; |  | ||||||
|     --ak-dark-background-darker: #000000; |  | ||||||
|  |  | ||||||
|  |  | ||||||
|     --ak-dark-background-light: {{ env "AUTHENTIK_COLOR_BACKGROUND_LIGHT" }}; |  | ||||||
|     --ak-dark-background-light-ish: #212427; |  | ||||||
|     --ak-dark-background-lighter: #2b2e33; |  | ||||||
|  |  | ||||||
|     --pf-c-background-image--BackgroundImage: var(--ak-flow-background); |  | ||||||
|     --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background); |  | ||||||
|     --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background); |  | ||||||
|     --pf-c-background-image--BackgroundImage--sm-2x: var(--ak-flow-background); |  | ||||||
|     --pf-c-background-image--BackgroundImage--lg: var(--ak-flow-background); |  | ||||||
| } | } | ||||||
|  |  | ||||||
|  | .pf-c-login__main { | ||||||
|  |         background-color: {{ env "BACKGROUND_BOX_COLOR" }}; | ||||||
|  | } | ||||||
|  |  | ||||||
|  | .pf-c-content h1 { | ||||||
|  |         color: {{ env "BACKGROUND_FONT_COLOR" }}; | ||||||
|  | } | ||||||
|  | |||||||
| @ -1,405 +0,0 @@ | |||||||
| version: 1 |  | ||||||
| metadata: |  | ||||||
|   labels: |  | ||||||
|     blueprints.goauthentik.io/instantiate: "true" |  | ||||||
|   name: Custom - Flows |  | ||||||
| context: |  | ||||||
|   welcome_message: {{ if eq (env "WELCOME_MESSAGE") "" }} "Welcome to authentik!" {{ else }} {{ env "WELCOME_MESSAGE" }} {{ end }} |  | ||||||
| ####### Translations ######## |  | ||||||
|   transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort Zurücksetzen" {{ else }} "Reset your password" {{ end }} |  | ||||||
|   transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort" {{ else }} "Password" {{ end }} |  | ||||||
|   transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort (wiederholen)" {{ else }} "Password (repeat)" {{ end }} |  | ||||||
|   transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Benutzername" {{ else }} "Username" {{ end }} |  | ||||||
|   transl_name: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Vor- und Nachname" {{ else }} "Full name" {{ end }} |  | ||||||
|  |  | ||||||
| entries: |  | ||||||
| ######## Email Recovery Flow ######## |  | ||||||
| - identifiers: |  | ||||||
|     slug: default-recovery-flow |  | ||||||
|   id: recovery_flow |  | ||||||
|   model: authentik_flows.flow |  | ||||||
|   attrs: |  | ||||||
|     name: Default recovery flow |  | ||||||
|     title: !Context transl_recovery |  | ||||||
|     designation: recovery |  | ||||||
|  |  | ||||||
| ### PROMPTS |  | ||||||
| - identifiers: |  | ||||||
|     field_key: password |  | ||||||
|   id: prompt-field-password |  | ||||||
|   model: authentik_stages_prompt.prompt |  | ||||||
|   attrs: |  | ||||||
|     label: !Context transl_password |  | ||||||
|     type: password |  | ||||||
|     required: true |  | ||||||
|     placeholder: !Context transl_password |  | ||||||
|     order: 30 |  | ||||||
|     placeholder_expression: false |  | ||||||
| - identifiers: |  | ||||||
|     field_key: password_repeat |  | ||||||
|   id: prompt-field-password-repeat |  | ||||||
|   model: authentik_stages_prompt.prompt |  | ||||||
|   attrs: |  | ||||||
|     label: !Context transl_password_repeat |  | ||||||
|     type: password |  | ||||||
|     required: true |  | ||||||
|     placeholder: !Context transl_password_repeat |  | ||||||
|     order: 31 |  | ||||||
|     placeholder_expression: false |  | ||||||
|  |  | ||||||
|  |  | ||||||
| ### STAGES |  | ||||||
| - identifiers: |  | ||||||
|     name: default-recovery-email |  | ||||||
|   id: default-recovery-email |  | ||||||
|   model: authentik_stages_email.emailstage |  | ||||||
|   attrs: |  | ||||||
|     use_global_settings: true |  | ||||||
|     token_expiry: {{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }} 30 {{ else }} {{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }} {{ end }} |  | ||||||
|     subject: {{ if eq (env "EMAIL_SUBJECT") "" }} "Account Recovery" {{ else }} "{{ env "EMAIL_SUBJECT" }}" {{ end }}  |  | ||||||
|     template: email/password_reset.html |  | ||||||
|     activate_user_on_success: true |  | ||||||
| - identifiers: |  | ||||||
|     name: default-recovery-user-write |  | ||||||
|   id: default-recovery-user-write |  | ||||||
|   model: authentik_stages_user_write.userwritestage |  | ||||||
| - identifiers: |  | ||||||
|     name: default-recovery-identification |  | ||||||
|   id: default-recovery-identification |  | ||||||
|   model: authentik_stages_identification.identificationstage |  | ||||||
|   attrs: |  | ||||||
|     user_fields: |  | ||||||
|       - email |  | ||||||
|       - username |  | ||||||
| - identifiers: |  | ||||||
|     name: default-recovery-user-login |  | ||||||
|   id: default-recovery-user-login |  | ||||||
|   model: authentik_stages_user_login.userloginstage |  | ||||||
|   attrs: |  | ||||||
|     session_duration: seconds=0 |  | ||||||
| - identifiers: |  | ||||||
|     name: Change your password |  | ||||||
|   id: stage-prompt-password |  | ||||||
|   model: authentik_stages_prompt.promptstage |  | ||||||
|   attrs: |  | ||||||
|     fields: |  | ||||||
|       - !KeyOf prompt-field-password |  | ||||||
|       - !KeyOf prompt-field-password-repeat |  | ||||||
|     validation_policies: [] |  | ||||||
|  |  | ||||||
| ### STAGE BINDINGS |  | ||||||
| - identifiers: |  | ||||||
|     target: !KeyOf recovery_flow |  | ||||||
|     stage: !KeyOf default-recovery-identification |  | ||||||
|     order: 10 |  | ||||||
|   model: authentik_flows.flowstagebinding |  | ||||||
|   id: flow-binding-identification |  | ||||||
|   attrs: |  | ||||||
|     evaluate_on_plan: true |  | ||||||
|     re_evaluate_policies: true |  | ||||||
|     policy_engine_mode: any |  | ||||||
|     invalid_response_action: retry |  | ||||||
| - identifiers: |  | ||||||
|     target: !KeyOf recovery_flow |  | ||||||
|     stage: !KeyOf default-recovery-email |  | ||||||
|     order: 20 |  | ||||||
|   model: authentik_flows.flowstagebinding |  | ||||||
|   id: flow-binding-email |  | ||||||
|   attrs: |  | ||||||
|     evaluate_on_plan: true |  | ||||||
|     re_evaluate_policies: true |  | ||||||
|     policy_engine_mode: any |  | ||||||
|     invalid_response_action: retry |  | ||||||
| - identifiers: |  | ||||||
|     target: !KeyOf recovery_flow |  | ||||||
|     stage: !KeyOf stage-prompt-password |  | ||||||
|     order: 30 |  | ||||||
|   model: authentik_flows.flowstagebinding |  | ||||||
|   attrs: |  | ||||||
|     evaluate_on_plan: true |  | ||||||
|     re_evaluate_policies: false |  | ||||||
|     policy_engine_mode: any |  | ||||||
|     invalid_response_action: retry |  | ||||||
| - identifiers: |  | ||||||
|     target: !KeyOf recovery_flow |  | ||||||
|     stage: !KeyOf default-recovery-user-write |  | ||||||
|     order: 40 |  | ||||||
|   model: authentik_flows.flowstagebinding |  | ||||||
|   attrs: |  | ||||||
|     evaluate_on_plan: true |  | ||||||
|     re_evaluate_policies: false |  | ||||||
|     policy_engine_mode: any |  | ||||||
|     invalid_response_action: retry |  | ||||||
| - identifiers: |  | ||||||
|     target: !KeyOf recovery_flow |  | ||||||
|     stage: !KeyOf default-recovery-user-login |  | ||||||
|     order: 100 |  | ||||||
|   model: authentik_flows.flowstagebinding |  | ||||||
|   attrs: |  | ||||||
|     evaluate_on_plan: true |  | ||||||
|     re_evaluate_policies: false |  | ||||||
|     policy_engine_mode: any |  | ||||||
|     invalid_response_action: retry |  | ||||||
|  |  | ||||||
| ### POLICIES |  | ||||||
| ## ISSUES with this policy |  | ||||||
| ## https://github.com/goauthentik/authentik/blob/493cdd5c0f8caaec7a7dd474f1aa131e32fd39c3/blueprints/example/flows-recovery-email-verification.yaml#L37 |  | ||||||
| ## https://github.com/goauthentik/authentik/commit/317e9ec6053742e17ba74fb6aa38dc15aaf6657f#diff-a5c56bb7c60e27dda1b131b3fc2a17e3af6624e7cfaaa2337ec6b077ca489f34 |  | ||||||
| # - identifiers: |  | ||||||
| #     name: default-recovery-skip-if-restored |  | ||||||
| #   id: default-recovery-skip-if-restored |  | ||||||
| #   model: authentik_policies_expression.expressionpolicy |  | ||||||
| #   attrs: |  | ||||||
| #     expression: | |  | ||||||
| #       return request.context.get('is_restored', False) |  | ||||||
|  |  | ||||||
| ### POLICY BINDINGS |  | ||||||
| # - identifiers: |  | ||||||
| #     policy: !KeyOf default-recovery-skip-if-restored |  | ||||||
| #     target: !KeyOf flow-binding-identification |  | ||||||
| #     order: 0 |  | ||||||
| #   model: authentik_policies.policybinding |  | ||||||
| #   attrs: |  | ||||||
| #     negate: false |  | ||||||
| #     enabled: true |  | ||||||
| #     timeout: 30 |  | ||||||
| # - identifiers: |  | ||||||
| #     policy: !KeyOf default-recovery-skip-if-restored |  | ||||||
| #     target: !KeyOf flow-binding-email |  | ||||||
| #     order: 0 |  | ||||||
| #   model: authentik_policies.policybinding |  | ||||||
| #   attrs: |  | ||||||
| #     negate: false |  | ||||||
| #     enabled: true |  | ||||||
| #     timeout: 30 |  | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
| ######## Authentication Flow ######## |  | ||||||
| - attrs: |  | ||||||
|     designation: authentication |  | ||||||
|     name: custom-authentication-flow |  | ||||||
|     title: !Context welcome_message |  | ||||||
|   identifiers: |  | ||||||
|     slug: custom-authentication-flow |  | ||||||
|   id: authentication_flow |  | ||||||
|   model: authentik_flows.flow |  | ||||||
|  |  | ||||||
| ### STAGES |  | ||||||
| - attrs: |  | ||||||
|     backends: |  | ||||||
|     - authentik.core.auth.InbuiltBackend |  | ||||||
|     - authentik.sources.ldap.auth.LDAPBackend |  | ||||||
|     - authentik.core.auth.TokenBackend |  | ||||||
|     configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]] |  | ||||||
|   identifiers: |  | ||||||
|     name: custom-authentication-password |  | ||||||
|   id: custom-authentication-password |  | ||||||
|   model: authentik_stages_password.passwordstage |  | ||||||
|  |  | ||||||
| - identifiers: |  | ||||||
|     name: custom-authentication-mfa-validation |  | ||||||
|   id: custom-authentication-mfa-validation |  | ||||||
|   model: authentik_stages_authenticator_validate.authenticatorvalidatestage |  | ||||||
|  |  | ||||||
| - attrs: |  | ||||||
|     password_stage: !KeyOf custom-authentication-password |  | ||||||
|     recovery_flow: !KeyOf recovery_flow  # !Find [authentik_flows.flow, [slug, default-recovery-flow]] |  | ||||||
|     user_fields: |  | ||||||
|     - email |  | ||||||
|     - username |  | ||||||
|   identifiers: |  | ||||||
|     name: custom-authentication-identification |  | ||||||
|   id: custom-authentication-identification |  | ||||||
|   model: authentik_stages_identification.identificationstage |  | ||||||
|  |  | ||||||
| - attrs: |  | ||||||
|     session_duration: seconds=0 |  | ||||||
|   identifiers: |  | ||||||
|     name: custom-authentication-login |  | ||||||
|   id: custom-authentication-login |  | ||||||
|   model: authentik_stages_user_login.userloginstage |  | ||||||
|  |  | ||||||
| ### STAGE BINDINGS |  | ||||||
| - identifiers: |  | ||||||
|     order: 10 |  | ||||||
|     stage: !KeyOf custom-authentication-identification |  | ||||||
|     target: !KeyOf authentication_flow |  | ||||||
|   model: authentik_flows.flowstagebinding |  | ||||||
| - identifiers: |  | ||||||
|     order: 30 |  | ||||||
|     stage: !KeyOf custom-authentication-mfa-validation |  | ||||||
|     target: !KeyOf authentication_flow |  | ||||||
|   model: authentik_flows.flowstagebinding |  | ||||||
| - identifiers: |  | ||||||
|     order: 100 |  | ||||||
|     stage: !KeyOf custom-authentication-login |  | ||||||
|     target: !KeyOf authentication_flow |  | ||||||
|   model: authentik_flows.flowstagebinding |  | ||||||
|  |  | ||||||
| ######## Invitation Enrollment Flow ######## |  | ||||||
| - attrs: |  | ||||||
|     designation: enrollment |  | ||||||
|     name: invitation-enrollment-flow |  | ||||||
|     title: !Context welcome_message |  | ||||||
|   identifiers: |  | ||||||
|     slug: invitation-enrollment-flow |  | ||||||
|   id: invitation-enrollment-flow |  | ||||||
|   model: authentik_flows.flow |  | ||||||
|  |  | ||||||
| ### PROMPTS |  | ||||||
| - identifiers: |  | ||||||
|     field_key: username |  | ||||||
|   id: prompt-field-username |  | ||||||
|   model: authentik_stages_prompt.prompt |  | ||||||
|   attrs: |  | ||||||
|     label: !Context transl_username |  | ||||||
|     type: username |  | ||||||
|     required: true |  | ||||||
|     placeholder: !Context transl_username |  | ||||||
|     order: 0 |  | ||||||
|     placeholder_expression: false |  | ||||||
| - identifiers: |  | ||||||
|     field_key: name |  | ||||||
|   id: prompt-field-name |  | ||||||
|   model: authentik_stages_prompt.prompt |  | ||||||
|   attrs: |  | ||||||
|     label: !Context transl_name |  | ||||||
|     type: text |  | ||||||
|     required: true |  | ||||||
|     placeholder: !Context transl_name |  | ||||||
|     order: 1 |  | ||||||
|     placeholder_expression: false |  | ||||||
| - identifiers: |  | ||||||
|     field_key: email |  | ||||||
|     label: Email |  | ||||||
|   id: prompt-field-email |  | ||||||
|   model: authentik_stages_prompt.prompt |  | ||||||
|   attrs: |  | ||||||
|     type: email |  | ||||||
|     required: true |  | ||||||
|     placeholder: muster@example.com |  | ||||||
|     order: 2 |  | ||||||
|     placeholder_expression: false |  | ||||||
|  |  | ||||||
| ### STAGES |  | ||||||
|  |  | ||||||
| - id: invitation-stage |  | ||||||
|   identifiers: |  | ||||||
|     name: invitation-stage |  | ||||||
|   model: authentik_stages_invitation.invitationstage |  | ||||||
|  |  | ||||||
| - attrs: |  | ||||||
|     fields: |  | ||||||
|       - !KeyOf prompt-field-username |  | ||||||
|       - !KeyOf prompt-field-name |  | ||||||
|       - !KeyOf prompt-field-email |  | ||||||
|       - !KeyOf prompt-field-password |  | ||||||
|       - !KeyOf prompt-field-password-repeat |  | ||||||
|   id: enrollment-prompt-userdata |  | ||||||
|   identifiers: |  | ||||||
|     name: enrollment-prompt-userdata |  | ||||||
|   model: authentik_stages_prompt.promptstage |  | ||||||
|  |  | ||||||
| - id: enrollment-user-write |  | ||||||
|   identifiers: |  | ||||||
|     name: enrollment-user-write |  | ||||||
|   model: authentik_stages_user_write.userwritestage |  | ||||||
|  |  | ||||||
| - attrs: |  | ||||||
|     session_duration: seconds=0 |  | ||||||
|   id: enrollment-user-login |  | ||||||
|   identifiers: |  | ||||||
|     name: enrollment-user-login |  | ||||||
|   model: authentik_stages_user_login.userloginstage |  | ||||||
|  |  | ||||||
| ### STAGE BINDINGS |  | ||||||
| - identifiers: |  | ||||||
|     order: 1 |  | ||||||
|     stage: !KeyOf invitation-stage |  | ||||||
|     target: !KeyOf invitation-enrollment-flow |  | ||||||
|   model: authentik_flows.flowstagebinding |  | ||||||
| - identifiers: |  | ||||||
|     order: 10 |  | ||||||
|     stage: !KeyOf enrollment-prompt-userdata |  | ||||||
|     target: !KeyOf invitation-enrollment-flow |  | ||||||
|   model: authentik_flows.flowstagebinding |  | ||||||
| - identifiers: |  | ||||||
|     order: 20 |  | ||||||
|     stage: !KeyOf enrollment-user-write |  | ||||||
|     target: !KeyOf invitation-enrollment-flow |  | ||||||
|   model: authentik_flows.flowstagebinding |  | ||||||
| - identifiers: |  | ||||||
|     order: 100 |  | ||||||
|     stage: !KeyOf enrollment-user-login |  | ||||||
|     target: !KeyOf invitation-enrollment-flow |  | ||||||
|   model: authentik_flows.flowstagebinding |  | ||||||
|  |  | ||||||
| ######## Invalidation Flow ######## |  | ||||||
| - identifiers: |  | ||||||
|     slug: logout-flow |  | ||||||
|   id: logout-flow |  | ||||||
|   model: authentik_flows.flow |  | ||||||
|   attrs: |  | ||||||
|     name: Logout |  | ||||||
|     title: Logout Flow |  | ||||||
|     designation: invalidation |  | ||||||
|  |  | ||||||
| ### STAGES |  | ||||||
|  |  | ||||||
| - id: logout-stage |  | ||||||
|   identifiers: |  | ||||||
|     name: logout-stage |  | ||||||
|   model: authentik_stages_user_logout.userlogoutstage |  | ||||||
|  |  | ||||||
| ### STAGE BINDINGS |  | ||||||
|  |  | ||||||
| - identifiers: |  | ||||||
|     order: 0 |  | ||||||
|     stage: !KeyOf logout-stage |  | ||||||
|     target: !KeyOf logout-flow |  | ||||||
|   model: authentik_flows.flowstagebinding |  | ||||||
|   attrs: |  | ||||||
|     re_evaluate_policies: true |  | ||||||
|   id: logout-stage-binding |  | ||||||
|  |  | ||||||
| ### POLICIES |  | ||||||
| - attrs: |  | ||||||
|     execution_logging: true |  | ||||||
|     expression: 'context[''flow_plan''].context[''redirect''] = ''{{ env "LOGOUT_REDIRECT" }}'' |  | ||||||
|  |  | ||||||
|     return True' |  | ||||||
|   identifiers: |  | ||||||
|     name: redirect-policy |  | ||||||
|   id: redirect-policy |  | ||||||
|   model: authentik_policies_expression.expressionpolicy |  | ||||||
|  |  | ||||||
| ### POLICY BINDINGS |  | ||||||
| - identifiers: |  | ||||||
|     policy: !KeyOf redirect-policy |  | ||||||
|     target: !KeyOf logout-stage-binding |  | ||||||
|     order: 0 |  | ||||||
|   model: authentik_policies.policybinding |  | ||||||
|   attrs: |  | ||||||
|     enabled: {{ if eq (env "LOGOUT_REDIRECT") "" }} false {{ else }} true {{ end }} |  | ||||||
|     timeout: 30 |  | ||||||
|  |  | ||||||
| ######## System Brand ########## |  | ||||||
| - attrs: |  | ||||||
|     attributes: |  | ||||||
|       settings: |  | ||||||
|         locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }} |  | ||||||
|     # branding_favicon: /static/dist/assets/icons/icon.png |  | ||||||
|     # branding_logo: /static/dist/assets/icons/icon_left_brand.svg |  | ||||||
|     # branding_title: Authentik |  | ||||||
|     # default: true |  | ||||||
|     domain: {{ env "DOMAIN" }} |  | ||||||
|     # event_retention: days=365 |  | ||||||
|     flow_authentication: !KeyOf authentication_flow |  | ||||||
|     flow_recovery: !KeyOf recovery_flow |  | ||||||
|     flow_invalidation: !KeyOf logout-flow |  | ||||||
|     flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]] |  | ||||||
|   identifiers: |  | ||||||
|     pk: 047cce25-aae2-4b02-9f96-078e155f803d |  | ||||||
|   id: system_brand |  | ||||||
|   model: authentik_brands.brand |  | ||||||
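--- a/entrypoint-css-volume.sh
+++ b/entrypoint-css-volume.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+cp -f /web/dist/assets/custom.css /web/dist/custom.css
+
+su $(id -un 1000) -s /bin/bash -c 'dumb-init -- ak server'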
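Review bot: The final `su $(id -un 1000) …` line fails open: if uid 1000 has no passwd entry, `id -un 1000` prints nothing, the unquoted substitution vanishes, and `su` with no user argument runs `dumb-init -- ak server` as root instead of as the unprivileged user. The script also has no `set -e`, so a failed `cp` of the custom stylesheet is silently ignored. Suggest `set -eu` after the shebang, `user="$(id -un 1000)"` before the last line, and `exec su "$user" -s /bin/bash -c 'dumb-init -- ak server'` so the privilege drop aborts when the user cannot be resolved and the server replaces the shell rather than running under it.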
| @ -8,12 +8,17 @@ entries: | |||||||
|  |  | ||||||
| - attrs: | - attrs: | ||||||
|     access_code_validity: minutes=1 |     access_code_validity: minutes=1 | ||||||
|  |     authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]] | ||||||
|     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] |     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] | ||||||
|  |     invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]] | ||||||
|     client_id: {{ secret  "hedgedoc_id" }} |     client_id: {{ secret  "hedgedoc_id" }} | ||||||
|     client_secret: {{ secret  "hedgedoc_secret" }} |     client_secret: {{ secret  "hedgedoc_secret" }} | ||||||
|     client_type: confidential |     client_type: confidential | ||||||
|     include_claims_in_id_token: true |     include_claims_in_id_token: true | ||||||
|     issuer_mode: per_provider |     issuer_mode: per_provider | ||||||
|  |     redirect_uris: | ||||||
|  |     - matching_mode: strict | ||||||
|  |       url: https://{{ env  "HEDGEDOC_DOMAIN" }}/auth/oauth2/callback | ||||||
|     name: Hedgedoc |     name: Hedgedoc | ||||||
|     property_mappings: |     property_mappings: | ||||||
|     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] |     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] | ||||||
| @ -30,7 +35,7 @@ entries: | |||||||
|   state: present |   state: present | ||||||
|  |  | ||||||
| - attrs: | - attrs: | ||||||
|     meta_launch_url: https://{{ env  "HEDGEDOC_DOMAIN" }} |     meta_launch_url: https://{{ env  "HEDGEDOC_DOMAIN" }}/auth/oauth2 | ||||||
|     open_in_new_tab: true |     open_in_new_tab: true | ||||||
|     policy_engine_mode: any |     policy_engine_mode: any | ||||||
|     provider: !KeyOf hedgedoc_provider |     provider: !KeyOf hedgedoc_provider | ||||||
|  | |||||||
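Review bot: The new `redirect_uris` entry is built solely from `HEDGEDOC_DOMAIN`; if that variable is empty the provider is registered with `https:///auth/oauth2/callback`, and the new `matching_mode: strict` (correctly) rejects every real callback, but nothing in the blueprint signals why. A one-line comment above `redirect_uris:` such as `# HEDGEDOC_DOMAIN is required: strict matching rejects any callback host other than this one` would save the next operator a debugging session. The Matrix provider hunk further down adds the same `authentication_flow`/`invalidation_flow`/`redirect_uris` trio from `MATRIX_DOMAIN` and would benefit from the same note.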
								icons/bbb.jpg
						| Before Width: | Height: | Size: 6.7 KiB | 
								icons/bbb.png
						| After Width: | Height: | Size: 94 KiB | 
								icons/help.svg
						| @ -0,0 +1,8 @@ | |||||||
|  | <?xml version="1.0" encoding="UTF-8"?> | ||||||
|  | <!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools --> | ||||||
|  | <svg width="800px" height="800px" viewBox="0 0 48 48" fill="none" xmlns="http://www.w3.org/2000/svg"> | ||||||
|  | <rect width="48" height="48" fill="white" fill-opacity="0.01"/> | ||||||
|  | <path d="M24 44C29.5228 44 34.5228 41.7614 38.1421 38.1421C41.7614 34.5228 44 29.5228 44 24C44 18.4772 41.7614 13.4772 38.1421 9.85786C34.5228 6.23858 29.5228 4 24 4C18.4772 4 13.4772 6.23858 9.85786 9.85786C6.23858 13.4772 4 18.4772 4 24C4 29.5228 6.23858 34.5228 9.85786 38.1421C13.4772 41.7614 18.4772 44 24 44Z" fill="#2F88FF" stroke="#000000" stroke-width="4" stroke-linejoin="round"/> | ||||||
|  | <path d="M24 28.6249V24.6249C27.3137 24.6249 30 21.9386 30 18.6249C30 15.3112 27.3137 12.6249 24 12.6249C20.6863 12.6249 18 15.3112 18 18.6249" stroke="white" stroke-width="4" stroke-linecap="round" stroke-linejoin="round"/> | ||||||
|  | <path fill-rule="evenodd" clip-rule="evenodd" d="M24 37.6249C25.3807 37.6249 26.5 36.5056 26.5 35.1249C26.5 33.7442 25.3807 32.6249 24 32.6249C22.6193 32.6249 21.5 33.7442 21.5 35.1249C21.5 36.5056 22.6193 37.6249 24 37.6249Z" fill="white"/> | ||||||
|  | </svg> | ||||||
| After Width: | Height: | Size: 1.1 KiB | 
								icons/pretix.svg
						| @ -0,0 +1 @@ | |||||||
|  | <?xml version="1.0" encoding="UTF-8"?><svg id="Ebene_1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 128 128"><defs><style>.cls-1{fill:#3b1c4a;}</style></defs><path class="cls-1" d="m50.67,56.95c-.72.1-1.22.3-1.66.5l2.38,16.91c.41.08.95.13,1.6.04,3.52-.5,4.61-3.64,3.81-9.39-.83-5.87-2.53-8.56-6.12-8.06Z"/><path class="cls-1" d="m116.04,35.05c.71-.17,1.16-.76,1.06-1.48L112.54,1.13c-.1-.72-.77-1.22-1.49-1.12l-37.5,5.27.73,5.22c.16,1.12-.62,2.15-1.74,2.31s-2.15-.62-2.31-1.74l-.73-5.22L1.13,15.46c-.72.1-1.22.77-1.12,1.49l4.56,32.44c.1.72.7,1.17,1.42,1.13,11.25-.92,21.43,7.1,23.03,18.46,1.6,11.36-5.99,21.81-17.07,23.96-.71.17-1.16.76-1.06,1.48l4.56,32.44c.1.72.77,1.22,1.49,1.12l68.37-9.61-.73-5.22c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l.73,5.22,37.5-5.27c.72-.1,1.22-.77,1.12-1.49l-4.56-32.44c-.1-.72-.7-1.17-1.42-1.13-11.25.92-21.42-7.04-23.02-18.4-1.6-11.36,5.98-21.87,17.06-24.03Zm-59.84,44.75c-1.76.25-3.29.26-4.04.17l1.59,11.29-9.92,1.39-5.3-37.73c2.5-1.62,5.96-3.03,11.38-3.8,8.68-1.22,15.27,2.58,16.66,12.44,1.25,8.88-3.12,15.21-10.36,16.23Zm30.73,20.71c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31,1.12-.16,2.15.62,2.31,1.74l1.47,10.44Zm-3.16-22.45c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l1.47,10.44Z"/></svg> | ||||||
| After Width: | Height: | Size: 1.6 KiB | 
								icons/support.svg
						| @ -0,0 +1,12 @@ | |||||||
|  | <?xml version="1.0" encoding="UTF-8"?> | ||||||
|  | <!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools --> | ||||||
|  | <svg width="800px" height="800px" viewBox="0 0 512 512" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> | ||||||
|  |     <title>support</title> | ||||||
|  |     <g id="Page-1" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd"> | ||||||
|  |         <g id="support" fill="#000000" transform="translate(42.666667, 42.666667)"> | ||||||
|  |             <path d="M379.734355,174.506667 C373.121022,106.666667 333.014355,-2.13162821e-14 209.067688,-2.13162821e-14 C85.1210217,-2.13162821e-14 45.014355,106.666667 38.4010217,174.506667 C15.2012632,183.311569 -0.101643453,205.585799 0.000508304259,230.4 L0.000508304259,260.266667 C0.000508304259,293.256475 26.7445463,320 59.734355,320 C92.7241638,320 119.467688,293.256475 119.467688,260.266667 L119.467688,230.4 C119.360431,206.121456 104.619564,184.304973 82.134355,175.146667 C86.4010217,135.893333 107.307688,42.6666667 209.067688,42.6666667 C310.827688,42.6666667 331.521022,135.893333 335.787688,175.146667 C313.347976,184.324806 298.68156,206.155851 298.667688,230.4 L298.667688,260.266667 C298.760356,283.199651 311.928618,304.070103 332.587688,314.026667 C323.627688,330.88 300.801022,353.706667 244.694355,360.533333 C233.478863,343.50282 211.780225,336.789048 192.906491,344.509658 C174.032757,352.230268 163.260418,372.226826 167.196286,392.235189 C171.132153,412.243552 188.675885,426.666667 209.067688,426.666667 C225.181549,426.577424 239.870491,417.417465 247.041022,402.986667 C338.561022,392.533333 367.787688,345.386667 376.961022,317.653333 C401.778455,309.61433 418.468885,286.351502 418.134355,260.266667 L418.134355,230.4 C418.23702,205.585799 402.934114,183.311569 379.734355,174.506667 Z M76.8010217,260.266667 C76.8010217,269.692326 69.1600148,277.333333 59.734355,277.333333 C50.3086953,277.333333 42.6676884,269.692326 42.6676884,260.266667 L42.6676884,230.4 C42.6676884,224.302667 45.9205765,218.668499 51.2010216,215.619833 C56.4814667,212.571166 62.9872434,212.571166 68.2676885,215.619833 C73.5481336,218.668499 76.8010217,224.302667 76.8010217,230.4 L76.8010217,260.266667 Z M341.334355,230.4 C341.334355,220.97434 348.975362,213.333333 358.401022,213.333333 C367.826681,213.333333 375.467688,220.97434 375.467688,230.4 L375.467688,260.266667 C375.467688,269.692326 367.826681,277.333333 358.401022,277.333333 C348.975362,277.333333 
341.334355,269.692326 341.334355,260.266667 L341.334355,230.4 Z"> | ||||||
|  |  | ||||||
|  | </path> | ||||||
|  |         </g> | ||||||
|  |     </g> | ||||||
|  | </svg> | ||||||
| After Width: | Height: | Size: 2.5 KiB | 
								icons/vaultwarden.svg
						| After Width: | Height: | Size: 6.8 KiB | 
								icons/zammad.svg
						| @ -0,0 +1,30 @@ | |||||||
|  | <?xml version="1.0" encoding="UTF-8" standalone="no"?> | ||||||
|  | <svg width="126px" height="108px" viewBox="0 0 42 36" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:sketch="http://www.bohemiancoding.com/sketch/ns"> | ||||||
|  |     <!-- Generator: Sketch 3.3.2 (12043) - http://www.bohemiancoding.com/sketch --> | ||||||
|  |     <title>logo</title> | ||||||
|  |     <desc>Created with Sketch.</desc> | ||||||
|  |     <defs/> | ||||||
|  |     <g id="Page-1" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd" sketch:type="MSPage"> | ||||||
|  |         <g id="logo" sketch:type="MSArtboardGroup"> | ||||||
|  |             <g sketch:type="MSLayerGroup" transform="translate(1.000000, 0.000000)" id="Shape"> | ||||||
|  |                 <path d="M27.3375,12.6 L36.72,9.72 L31.1625,13.2525 L27.3375,12.6 Z" fill="#CA2317" sketch:type="MSShapeGroup"/> | ||||||
|  |                 <path d="M33.0525,19.62 L31.1625,13.2525 L36.72,9.72 L35.055,15.435 L33.0525,19.62 Z" fill="#E84F83" sketch:type="MSShapeGroup"/> | ||||||
|  |                 <path d="M39.465,7.9875 L38.43,9.72 L35.055,15.435 L36.72,9.72 L39.465,7.9875 Z" fill="#CA2317" sketch:type="MSShapeGroup"/> | ||||||
|  |                 <path d="M39.8025,9.1125 L37.1925,11.79 L38.43,9.72 L39.8025,9.1125 Z" fill="#E54011" sketch:type="MSShapeGroup"/> | ||||||
|  |                 <path d="M27.9,10.8225 L35.5725,10.0575 L30.24,11.7 L27.9,10.8225 Z" fill="#E54011" sketch:type="MSShapeGroup"/> | ||||||
|  |                 <path d="M28.1925,15.165 L31.1625,13.2525 L33.0525,19.62 L32.0625,21.645 L28.1925,15.165 Z" fill="#CA2317" sketch:type="MSShapeGroup"/> | ||||||
|  |                 <path d="M23.76,22.725 L22.3425,5.4 L32.0625,21.645 L23.76,22.725 Z" fill="#B7DFF2" sketch:type="MSShapeGroup"/> | ||||||
|  |                 <path d="M19.7325,27.1575 L23.76,22.725 L32.0625,21.645 L19.7325,27.1575 Z" fill="#E54011" sketch:type="MSShapeGroup"/> | ||||||
|  |                 <path d="M0.1575,35.865 L19.7325,27.1575 L23.76,22.725 L17.37,22.0725 L0.1575,35.865 Z" fill="#FFCE33" sketch:type="MSShapeGroup"/> | ||||||
|  |                 <path d="M0.9,28.755 L10.9575,27.225 L14.085,24.705 L12.555,24.03 L0.9,28.755 Z" fill="#D6B12D" sketch:type="MSShapeGroup"/> | ||||||
|  |                 <path d="M4.5225,20.5425 L14.085,24.705 L17.37,22.0725 L4.5225,20.5425 Z" fill="#FFDE85" sketch:type="MSShapeGroup"/> | ||||||
|  |                 <path d="M21.6225,11.6775 L20.4075,11.88 L17.37,22.0725 L20.655,20.0025 L21.6225,11.6775 Z" fill="#009EC6" sketch:type="MSShapeGroup"/> | ||||||
|  |                 <path d="M23.4,18.2475 L20.655,20.0025 L22.3425,5.4 L23.4,18.2475 Z" fill="#5EAFCE" sketch:type="MSShapeGroup"/> | ||||||
|  |                 <path d="M13.0275,13.05 L21.6225,11.6775 L22.005,8.28 L13.0275,13.05 Z" fill="#045972" sketch:type="MSShapeGroup"/> | ||||||
|  |                 <path d="M12.105,5.085 L19.575,9.585 L22.005,8.28 L22.0725,7.8075 L12.105,5.085 Z" fill="#5A8591" sketch:type="MSShapeGroup"/> | ||||||
|  |                 <path d="M13.5675,0.18 L20.3625,7.335 L22.0725,7.8075 L22.3425,5.4 L13.5675,0.18 Z" fill="#009EC6" sketch:type="MSShapeGroup"/> | ||||||
|  |                 <path d="M17.37,22.0725 L23.4,18.2475 L23.76,22.725 L17.37,22.0725 Z" fill="#F39804" sketch:type="MSShapeGroup"/> | ||||||
|  |             </g> | ||||||
|  |         </g> | ||||||
|  |     </g> | ||||||
|  | </svg> | ||||||
| After Width: | Height: | Size: 3.0 KiB | 
| @ -12,6 +12,7 @@ entries: | |||||||
|     audience: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml |     audience: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml | ||||||
|     authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]] |     authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]] | ||||||
|     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] |     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] | ||||||
|  |     invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]] | ||||||
|     digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256 |     digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256 | ||||||
|     issuer: https://{{ env  "DOMAIN" }} |     issuer: https://{{ env  "DOMAIN" }} | ||||||
|     name: Kimai |     name: Kimai | ||||||
| @ -24,6 +25,7 @@ entries: | |||||||
|     - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Groups"]] |     - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Groups"]] | ||||||
|     - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: UPN"]] |     - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: UPN"]] | ||||||
|     session_valid_not_on_or_after: minutes=86400 |     session_valid_not_on_or_after: minutes=86400 | ||||||
|  |     sign_assertion: true | ||||||
|     signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 |     signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 | ||||||
|     signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]] |     signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]] | ||||||
|     sp_binding: post |     sp_binding: post | ||||||
| @ -35,7 +37,7 @@ entries: | |||||||
|   state: present |   state: present | ||||||
|  |  | ||||||
| - attrs: | - attrs: | ||||||
|     meta_launch_url: https://{{ env  "KIMAI_DOMAIN" }} |     meta_launch_url: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml/login | ||||||
|     open_in_new_tab: true |     open_in_new_tab: true | ||||||
|     policy_engine_mode: any |     policy_engine_mode: any | ||||||
|     provider: !KeyOf kimai_provider |     provider: !KeyOf kimai_provider | ||||||
|  | |||||||
| @ -8,12 +8,17 @@ entries: | |||||||
|  |  | ||||||
| - attrs: | - attrs: | ||||||
|     access_code_validity: minutes=1 |     access_code_validity: minutes=1 | ||||||
|  |     authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]] | ||||||
|     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] |     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] | ||||||
|  |     invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]] | ||||||
|     client_id: {{ secret  "matrix_id" }} |     client_id: {{ secret  "matrix_id" }} | ||||||
|     client_secret: {{ secret  "matrix_secret" }} |     client_secret: {{ secret  "matrix_secret" }} | ||||||
|     client_type: confidential |     client_type: confidential | ||||||
|     include_claims_in_id_token: true |     include_claims_in_id_token: true | ||||||
|     issuer_mode: per_provider |     issuer_mode: per_provider | ||||||
|  |     redirect_uris: | ||||||
|  |     - matching_mode: strict | ||||||
|  |       url: https://{{ env  "MATRIX_DOMAIN" }}/_synapse/client/oidc/callback | ||||||
|     name: Matrix |     name: Matrix | ||||||
|     property_mappings: |     property_mappings: | ||||||
|     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] |     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] | ||||||
| @ -34,10 +39,10 @@ entries: | |||||||
|     open_in_new_tab: true |     open_in_new_tab: true | ||||||
|     policy_engine_mode: any |     policy_engine_mode: any | ||||||
|     provider: !KeyOf matrix_provider |     provider: !KeyOf matrix_provider | ||||||
|     slug: matrix |     name: Element | ||||||
|   conditions: [] |   conditions: [] | ||||||
|   id: matrix_application |   id: matrix_application | ||||||
|   identifiers: |   identifiers: | ||||||
|     name: Matrix |     slug: matrix | ||||||
|   model: authentik_core.application |   model: authentik_core.application | ||||||
|   state: present |   state: present | ||||||
|  | |||||||
| @ -8,12 +8,17 @@ entries: | |||||||
|  |  | ||||||
| - attrs: | - attrs: | ||||||
|     access_code_validity: minutes=1 |     access_code_validity: minutes=1 | ||||||
|  |     authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]] | ||||||
|     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] |     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] | ||||||
|  |     invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]] | ||||||
|     client_id: {{ secret  "monitoring_id" }} |     client_id: {{ secret  "monitoring_id" }} | ||||||
|     client_secret: {{ secret  "monitoring_secret" }} |     client_secret: {{ secret  "monitoring_secret" }} | ||||||
|     client_type: confidential |     client_type: confidential | ||||||
|     include_claims_in_id_token: true |     include_claims_in_id_token: true | ||||||
|     issuer_mode: per_provider |     issuer_mode: per_provider | ||||||
|  |     redirect_uris: | ||||||
|  |     - matching_mode: strict | ||||||
|  |       url: https://{{ env  "MONITORING_DOMAIN" }}/login/generic_oauth | ||||||
|     name: Monitoring |     name: Monitoring | ||||||
|     property_mappings: |     property_mappings: | ||||||
|     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] |     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] | ||||||
| @ -25,7 +30,7 @@ entries: | |||||||
|   conditions: [] |   conditions: [] | ||||||
|   id: monitoring_provider |   id: monitoring_provider | ||||||
|   identifiers: |   identifiers: | ||||||
|     pk: 9994 |     pk: 9990 | ||||||
|   model: authentik_providers_oauth2.oauth2provider |   model: authentik_providers_oauth2.oauth2provider | ||||||
|   state: present |   state: present | ||||||
|  |  | ||||||
|  | |||||||
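Review bot: Moving the provider identifier from `pk: 9994` to `pk: 9990` changes which object this blueprint targets, so on an instance where it was already applied the existing provider (pk 9994) is no longer matched and stays in the database with the same `client_id`/`client_secret`, while a new provider is created under 9990 — `state: present` never deletes the old one. If pk 9990 is already held by a provider from a sibling blueprint, the apply would instead silently overwrite that provider's attrs; the zammad blueprint in this same commit takes 9989, so these slots appear to be hand-allocated and worth a comment. Either keep the original pk, or add a cleanup entry with `state: absent` and `identifiers: {pk: 9994}` and record why the slot moved, e.g. `# pk moved from 9994 to 9990; old provider removed by the absent entry above`. The application entry that presumably references this provider via `!KeyOf monitoring_provider` is outside this hunk.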
| @ -20,12 +20,17 @@ entries: | |||||||
|  |  | ||||||
| - attrs: | - attrs: | ||||||
|     access_code_validity: minutes=1 |     access_code_validity: minutes=1 | ||||||
|  |     authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]] | ||||||
|     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] |     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] | ||||||
|  |     invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]] | ||||||
|     client_id: {{ secret  "nextcloud_id" }} |     client_id: {{ secret  "nextcloud_id" }} | ||||||
|     client_secret: {{ secret  "nextcloud_secret" }} |     client_secret: {{ secret  "nextcloud_secret" }} | ||||||
|     client_type: confidential |     client_type: confidential | ||||||
|     include_claims_in_id_token: true |     include_claims_in_id_token: true | ||||||
|     issuer_mode: per_provider |     issuer_mode: per_provider | ||||||
|  |     redirect_uris: | ||||||
|  |     - matching_mode: strict | ||||||
|  |       url: https://{{ env  "NEXTCLOUD_DOMAIN" }}/apps/sociallogin/custom_oidc/authentik | ||||||
|     name: Nextcloud |     name: Nextcloud | ||||||
|     property_mappings: |     property_mappings: | ||||||
|     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] |     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] | ||||||
|  | |||||||
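Review bot: With `matching_mode: strict` the only accepted callback is exactly `https://<NEXTCLOUD_DOMAIN>/apps/sociallogin/custom_oidc/authentik`, which couples this blueprint to the internal name `authentik` that the Social Login app assigns to the custom OIDC provider and to Nextcloud being served at the domain root; a differently named provider, a subpath install or a trailing slash would be rejected by authentik as an invalid redirect_uri. That coupling is not stated anywhere, so add a comment on the `url:` line such as `# last path segment must equal the provider's "Internal name" in Nextcloud's Social Login app`. The strict mode itself is the right choice here; the note is documentation only.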
| @ -8,12 +8,17 @@ entries: | |||||||
|  |  | ||||||
| - attrs: | - attrs: | ||||||
|     access_code_validity: minutes=1 |     access_code_validity: minutes=1 | ||||||
|  |     authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]] | ||||||
|     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] |     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] | ||||||
|  |     invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]] | ||||||
|     client_id: {{ secret  "outline_id" }} |     client_id: {{ secret  "outline_id" }} | ||||||
|     client_secret: {{ secret  "outline_secret" }} |     client_secret: {{ secret  "outline_secret" }} | ||||||
|     client_type: confidential |     client_type: confidential | ||||||
|     include_claims_in_id_token: true |     include_claims_in_id_token: true | ||||||
|     issuer_mode: per_provider |     issuer_mode: per_provider | ||||||
|  |     redirect_uris: | ||||||
|  |     - matching_mode: strict | ||||||
|  |       url: https://{{ env  "OUTLINE_DOMAIN" }}/auth/oidc.callback | ||||||
|     name: Outline |     name: Outline | ||||||
|     property_mappings: |     property_mappings: | ||||||
|     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] |     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] | ||||||
| @ -30,7 +35,7 @@ entries: | |||||||
|   state: present |   state: present | ||||||
|  |  | ||||||
| - attrs: | - attrs: | ||||||
|     meta_launch_url: https://{{ env  "OUTLINE_DOMAIN" }} |     meta_launch_url: https://{{ env  "OUTLINE_DOMAIN" }}/auth/oidc | ||||||
|     open_in_new_tab: true |     open_in_new_tab: true | ||||||
|     policy_engine_mode: any |     policy_engine_mode: any | ||||||
|     provider: !KeyOf outline_provider |     provider: !KeyOf outline_provider | ||||||
|  | |||||||
							
								
								
									
										34
									
								
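--- a/pg_backup.sh
+++ b/pg_backup.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+
+BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
+
+function backup {
+  export PGPASSWORD=$(cat /run/secrets/db_password)
+  pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
+}
+
+function restore {
+    cd /var/lib/postgresql/data/
+    restore_config(){
+        # Restore allowed connections
+        cat pg_hba.conf.bak > pg_hba.conf
+        su postgres -c 'pg_ctl reload'
+    }
+    # Don't allow any other connections than local
+    cp pg_hba.conf pg_hba.conf.bak
+    echo "local all all trust" > pg_hba.conf
+    su postgres -c 'pg_ctl reload'
+    trap restore_config EXIT INT TERM
+
+    # Recreate Database
+    psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);" 
+    createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
+    psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
+
+    trap - EXIT INT TERM
+    restore_config
+}
+
+$@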
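Review bot: `cp pg_hba.conf pg_hba.conf.bak` in `restore` unconditionally overwrites any `pg_hba.conf.bak` left by an earlier run that died before its EXIT trap fired (SIGKILL, container stop), so the trust-only file becomes the "backup" and `restore_config` then writes `local all all trust` back permanently. Refuse to proceed when a stale backup exists, and consider keeping password auth on the temporary local rule: `backup` already reads `/run/secrets/db_password` into `PGPASSWORD`, and the same export in `restore` would allow `local all all scram-sha-256` (or `md5`, whichever the image's existing pg_hba uses — verify) while still shutting out TCP clients for the DROP/restore window, instead of letting any OS user in the container connect as the superuser. The unquoted `$@` on the last line executes whatever argument is passed as a command; a `case` limited to `backup|restore` turns an unexpected argument into a usage error. `trap restore_config INT TERM` also only runs the handler and then falls through to the next statement with the original pg_hba back in place; trapping INT/TERM to `exit 1` and leaving the restore to the EXIT trap terminates cleanly.
```shell
function restore {
    cd /var/lib/postgresql/data/
    # … unchanged: restore_config definition …
    # A leftover .bak means an earlier restore died with the trust-only
    # pg_hba.conf in place; never overwrite the real backup with it.
    if [ -e pg_hba.conf.bak ]; then
        echo "pg_hba.conf.bak already exists; refusing to overwrite it" >&2
        exit 1
    fi
    cp pg_hba.conf pg_hba.conf.bak
    echo "local all all trust" > pg_hba.conf
    su postgres -c 'pg_ctl reload'
    trap restore_config EXIT
    trap 'exit 1' INT TERM
    # … unchanged: DROP/createdb/psql and final restore_config …
}

case "$1" in
    backup|restore) "$1" ;;
    *) echo "usage: $0 {backup|restore}" >&2; exit 1 ;;
esac
```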
| @ -8,12 +8,17 @@ entries: | |||||||
|  |  | ||||||
| - attrs: | - attrs: | ||||||
|     access_code_validity: minutes=1 |     access_code_validity: minutes=1 | ||||||
|  |     authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]] | ||||||
|     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] |     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] | ||||||
|  |     invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]] | ||||||
|     client_id: {{ secret  "rallly_id" }} |     client_id: {{ secret  "rallly_id" }} | ||||||
|     client_secret: {{ secret  "rallly_secret" }} |     client_secret: {{ secret  "rallly_secret" }} | ||||||
|     client_type: confidential |     client_type: confidential | ||||||
|     include_claims_in_id_token: true |     include_claims_in_id_token: true | ||||||
|     issuer_mode: per_provider |     issuer_mode: per_provider | ||||||
|  |     redirect_uris: | ||||||
|  |     - matching_mode: strict | ||||||
|  |       url: https://{{ env  "RALLLY_DOMAIN" }}/api/auth/callback/oidc | ||||||
|     name: Rallly |     name: Rallly | ||||||
|     property_mappings: |     property_mappings: | ||||||
|     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] |     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] | ||||||
|  | |||||||
							
								
								
									
										1
									
								
								release/6.11.0+2024.10.5
									
									
									
									
									
										Normal file
									
								
							
							
						
						| @ -0,0 +1 @@ | |||||||
|  | Fix Impersonate Bug | ||||||
							
								
								
									
										1
									
								
								release/6.6.0+2024.8.2
									
									
									
									
									
										Normal file
									
								
							
							
						
						| @ -0,0 +1 @@ | |||||||
|  | Replaced icon bbb.jpg with icon.png - configs need to be updated when upgrading! | ||||||
							
								
								
									
										3
									
								
								release/6.7.0+2024.8.3
									
									
									
									
									
										Normal file
									
								
							
							
						
						| @ -0,0 +1,3 @@ | |||||||
|  | Two critical vulnerabilities were closed: | ||||||
|  | https://github.com/goauthentik/authentik/security/advisories/GHSA-7jxf-mmg9-9hg7 | ||||||
|  | https://github.com/goauthentik/authentik/security/advisories/GHSA-8gfm-pr6x-pfh9 | ||||||
| @ -27,7 +27,10 @@ entries: | |||||||
| - attrs: | - attrs: | ||||||
|     attributes: |     attributes: | ||||||
|       settings: |       settings: | ||||||
|         locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }} |         locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }} {{ if ne (env "THEME_BACKGROUND") "" }} | ||||||
|  |         theme: | ||||||
|  |           background: > | ||||||
|  |             background: {{ env "THEME_BACKGROUND" }} {{ end }} | ||||||
|     flow_recovery: !Find [authentik_flows.flow, [slug,  default-recovery-flow]] |     flow_recovery: !Find [authentik_flows.flow, [slug,  default-recovery-flow]] | ||||||
|   identifiers: |   identifiers: | ||||||
|     default: true |     default: true | ||||||
|  | |||||||
| @ -8,12 +8,17 @@ entries: | |||||||
|  |  | ||||||
| - attrs: | - attrs: | ||||||
|     access_code_validity: minutes=1 |     access_code_validity: minutes=1 | ||||||
|  |     authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]] | ||||||
|     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] |     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] | ||||||
|  |     invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]] | ||||||
|     client_id: {{ secret  "vikunja_id" }} |     client_id: {{ secret  "vikunja_id" }} | ||||||
|     client_secret: {{ secret  "vikunja_secret" }} |     client_secret: {{ secret  "vikunja_secret" }} | ||||||
|     client_type: confidential |     client_type: confidential | ||||||
|     include_claims_in_id_token: true |     include_claims_in_id_token: true | ||||||
|     issuer_mode: per_provider |     issuer_mode: per_provider | ||||||
|  |     redirect_uris: | ||||||
|  |     - matching_mode: strict | ||||||
|  |       url: https://{{ env  "VIKUNJA_DOMAIN" }}/auth/openid/authentik | ||||||
|     name: Vikunja |     name: Vikunja | ||||||
|     property_mappings: |     property_mappings: | ||||||
|     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] |     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] | ||||||
|  | |||||||
| @ -25,12 +25,17 @@ entries: | |||||||
|  |  | ||||||
| - attrs: | - attrs: | ||||||
|     access_code_validity: minutes=1 |     access_code_validity: minutes=1 | ||||||
|  |     authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]] | ||||||
|     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] |     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] | ||||||
|  |     invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]] | ||||||
|     client_id: {{ secret  "wekan_id" }} |     client_id: {{ secret  "wekan_id" }} | ||||||
|     client_secret: {{ secret  "wekan_secret" }} |     client_secret: {{ secret  "wekan_secret" }} | ||||||
|     client_type: confidential |     client_type: confidential | ||||||
|     include_claims_in_id_token: true |     include_claims_in_id_token: true | ||||||
|     issuer_mode: per_provider |     issuer_mode: per_provider | ||||||
|  |     redirect_uris: | ||||||
|  |     - matching_mode: strict | ||||||
|  |       url: https://{{ env  "WEKAN_DOMAIN" }}/_oauth/oidc | ||||||
|     name: Wekan |     name: Wekan | ||||||
|     property_mappings: |     property_mappings: | ||||||
|     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] |     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] | ||||||
|  | |||||||
| @ -8,12 +8,17 @@ entries: | |||||||
|  |  | ||||||
| - attrs: | - attrs: | ||||||
|     access_code_validity: minutes=1 |     access_code_validity: minutes=1 | ||||||
|  |     authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]] | ||||||
|     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] |     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] | ||||||
|  |     invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]] | ||||||
|     client_id: {{ secret  "wordpress_id" }} |     client_id: {{ secret  "wordpress_id" }} | ||||||
|     client_secret: {{ secret  "wordpress_secret" }} |     client_secret: {{ secret  "wordpress_secret" }} | ||||||
|     client_type: confidential |     client_type: confidential | ||||||
|     include_claims_in_id_token: true |     include_claims_in_id_token: true | ||||||
|     issuer_mode: per_provider |     issuer_mode: per_provider | ||||||
|  |     redirect_uris: | ||||||
|  |     - matching_mode: strict | ||||||
|  |       url: https://{{ env  "WORDPRESS_DOMAIN" }}/openid-connect-authorize | ||||||
|     name: Wordpress |     name: Wordpress | ||||||
|     property_mappings: |     property_mappings: | ||||||
|     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] |     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] | ||||||
|  | |||||||
							
								
								
									
										69
									
								
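--- a/zammad.yaml.tmpl
+++ b/zammad.yaml.tmpl
@@ -0,0 +1,69 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: zammad
+
+entries:
+- attrs:
+    expression: return request.user.name
+    managed: null
+    name: 'Zammad SAML Mapping: name'
+    saml_name: name
+  conditions: []
+  identifiers:
+    name: zammad_name_mapping
+  id: zammad_name_mapping
+  model: authentik_providers_saml.samlpropertymapping
+  state: present
+
+- attrs:
+    expression: return request.user.email
+    managed: null
+    name: 'Zammad SAML Mapping: email'
+    saml_name: email
+  conditions: []
+  identifiers:
+    name: zammad_email_mapping
+  id: zammad_email_mapping
+  model: authentik_providers_saml.samlpropertymapping
+  state: present
+
+- attrs:
+    acs_url: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/callback
+    assertion_valid_not_before: minutes=-5
+    assertion_valid_not_on_or_after: minutes=5
+    audience: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/metadata
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+    digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
+    issuer: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/metadata
+    name: zammad
+    property_mappings:
+    - !KeyOf zammad_name_mapping
+    - !KeyOf zammad_email_mapping
+    session_valid_not_on_or_after: minutes=86400
+    sign_assertion: true
+    signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
+    signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sp_binding: post
+  conditions: []
+  id: zammad_provider
+  identifiers:
+    pk: 9989
+  model: authentik_providers_saml.samlprovider
+  state: present
+
+- attrs:
+    meta_launch_url: ""
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf zammad_provider
+    slug: zammad
+  conditions: []
+  id: zammad_application
+  identifiers:
+    name: Zammad
+  model: authentik_core.application
+  state: present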
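Review bot: `session_valid_not_on_or_after: minutes=86400` sets the SAML SessionNotOnOrAfter to 60 days, which looks like a seconds-versus-minutes mix-up — 86400 seconds is one day, which would be `minutes=1440`. The assertion window itself (`minutes=-5` / `minutes=5`) is tight, so this value only governs how long Zammad may treat the IdP session as valid, but a two-month lifetime is far longer than the other timeouts in this blueprint suggest was intended; the Kimai provider earlier in this commit carries the same number, so if one day was meant both should change together. Whatever lifetime is chosen, state its unit next to the value, e.g. `# SAML session lifetime in minutes; 1440 = 1 day`, so the field is not misread again.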
