add env REDIRECTS

.env.sample

@@ -135,5 +135,5 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 # SECRET_HEDGEDOC_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS hedgedoc:~/.abra/recipes/authentik/icons/hedgedoc.png"
 
-# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/", "Pretix": "https://pretix.example.com/control/"}'
-# EXTRA_ICONS={"Calendar": "~/.abra/recipes/authentik/icons/calendar.svg", "BBB": "~/.abra/recipes/authentik/icons/bbb.png", "Pretix": "~/.abra/recipes/authentik/icons/pretix.svg"}
+# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/"}'
+# EXTRA_ICONS={"Calendar": "~/.abra/recipes/authentik/icons/calendar.svg", "BBB": "~/.abra/recipes/authentik/icons/bbb.png"}

README.md

@@ -52,16 +52,6 @@ APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"
 
 Set the nextcloud Icon using `abra app cmd -l -d <app_name> set_icons`
 
-Generate OAuth client id and secret using `abra app secret generate <app_name> -a` (all secrets) or individually:
-- `abra app secret generate <app_name> nextcloud_id`
-- `abra app secret generate <app_name> nextcloud_secret`
-
-Add the id and secret to nextcloud as secrets with:
-- `abra app secret insert <nextcloud_app_name> authentik_id v1 <id>`
-- `abra app secret insert <nextcloud_app_name> authentik_secret v1 <secret>`
-
-Redeploy Authentik to enable the nextcloud client.
-
 The configuration inside Nextcloud can be found in the [nextcloud recipe](https://git.coopcloud.tech/coop-cloud/nextcloud#authentik-integration)
 
 ## Add LDAP outpost
@@ -105,25 +95,6 @@ Run this command after every deploy/upgrade:
 
 `abra app command --local <app-name> customize <assets_path>`
 
-## Custom CSS
-
-Uncomment the following env:
-
-```
-COMPOSE_FILE="$COMPOSE_FILE:compose.css-volume.yml"
-```
-
-Redeploy the app:
-```
-abra app deploy -f <app_name>
-```
-
-Copy the CSS and restart the container:
-```
-abra app cp <app_name> my_custom.css app:/web/dist/assets/custom.css
-abra app restart <app_name> app
-```
-
 ## Email templates
 
 Add custom [email templates](https://goauthentik.io/docs/flow/stages/email/#custom-templates):
@@ -134,15 +105,15 @@ Add custom [email templates](https://goauthentik.io/docs/flow/stages/email/#cust
 
 These blueprints overwrite default blueprint values:
 
-- `flow_translation.yaml`
-- `flow_authentication.yaml`
+- flow_translation.yaml
+- flow_authentication.yaml
 
 The following default blueprints will be overwritten by customizations:
 
-- `flow-password-change.yaml`
-- `flow-default-authentication-flow.yaml`
-- `flow-default-user-settings-flow.yaml`
-- `flow-default-source-enrollment.yaml`
+- flow-password-change.yaml
+- flow-default-authentication-flow.yaml
+- flow-default-user-settings-flow.yaml
+- flow-default-source-enrollment.yaml
 
 The `abra.sh` function `apply_blueprints` needs to be executed to deactivate these blueprints to ensure that the customizations won't be overwritten. It will further execute flow_translation.yaml and flow_authentication.yaml again.
 

abra.sh

@@ -2,7 +2,7 @@ export CUSTOM_CSS_VERSION=v3
 export FLOW_AUTHENTICATION_VERSION=v4
 export FLOW_INVITATION_VERSION=v2
 export FLOW_INVALIDATION_VERSION=v2
-export FLOW_RECOVERY_VERSION=v2
+export FLOW_RECOVERY_VERSION=v1
 export FLOW_TRANSLATION_VERSION=v3
 export SYSTEM_BRAND_VERSION=v4
 export NEXTCLOUD_CONFIG_VERSION=v3
@@ -35,15 +35,6 @@ customize() {
     done
 }
 
-shell(){
-    if [ -z "$1" ]
-    then
-            echo "Usage: ... shell <python code>"
-            exit 1
-    fi
-    ak shell -c "$1" 2>&1 | quieten
-}
-
 import_user() {
     if [ -z "$1" ]
     then
@@ -88,16 +79,6 @@ set_admin_pass() {
 password=$(cat /run/secrets/admin_pass)
 token=$(cat /run/secrets/admin_token)
 /manage.py shell -c """
-import time
-i = 0
-while (not User.objects.filter(username='akadmin')):
-    print('Waiting for akadmin to be created...')
-    time.sleep(10)
-    i += 1
-    if i > 6:
-        print('Failed to find admin user!')
-        exit()
-
 akadmin = User.objects.get(username='akadmin')
 akadmin.set_password('$password')
 akadmin.save()

compose.outposts.ldap.yml

@@ -1,7 +1,7 @@
 version: "3.8"
 services:
   authentik_ldap:
-      image: ghcr.io/goauthentik/ldap:2025.8.1
+      image: ghcr.io/goauthentik/ldap:2024.10.5
       # Optionally specify which networks the container should be
       # might be needed to reach the core authentik server
       networks:

compose.yml

@@ -35,7 +35,7 @@ x-env: &env
 version: '3.8'
 services:
   app:
-    image: ghcr.io/goauthentik/server:2025.8.1
+    image: ghcr.io/goauthentik/server:2024.10.5
     command: server
     depends_on:
       - db
@@ -68,17 +68,17 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions,${STACK_NAME}-redirect"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=8.0.0+2025.8.1"
+        - "coop-cloud.${STACK_NAME}.version=6.11.1+2024.10.5"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions,${STACK_NAME}-redirect"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.regex=^https://(${REDIRECTS})/(.*)"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.replacement=https://${DOMAIN}/$${2}"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.permanent=true"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
 
   worker:
-    image: ghcr.io/goauthentik/server:2025.8.1
+    image: ghcr.io/goauthentik/server:2024.10.5
     command: worker
     depends_on:
       - db
@@ -119,7 +119,7 @@ services:
       start_period: 5m
 
   db:
-    image: postgres:15.13
+    image: postgres:15.8
     secrets:
       - db_password
     configs:
@@ -154,7 +154,7 @@ services:
           backupbot.restore.post-hook: '/pg_backup.sh restore'
 
   redis:
-    image:  redis:8.2.1-alpine
+    image:  redis:7.4.1-alpine
     command: --save 60 1 --loglevel warning
     networks:
       - internal

flow_recovery.yaml.tmpl

@@ -4,7 +4,7 @@ metadata:
     blueprints.goauthentik.io/instantiate: "true"
   name: Recovery with email verification
 context:
-  token_expiry: minutes={{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }}30{{ else }}{{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }}{{ end }}
+  token_expiry: {{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }} 30 {{ else }} {{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }} {{ end }}
   subject: {{ if eq (env "EMAIL_SUBJECT") "" }} Account Recovery {{ else }} {{ env "EMAIL_SUBJECT" }} {{ end }} 
 entries:
 ### DEPENDENCIES

icons/pretix.svg

@@ -1 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?><svg id="Ebene_1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 128 128"><defs><style>.cls-1{fill:#3b1c4a;}</style></defs><path class="cls-1" d="m50.67,56.95c-.72.1-1.22.3-1.66.5l2.38,16.91c.41.08.95.13,1.6.04,3.52-.5,4.61-3.64,3.81-9.39-.83-5.87-2.53-8.56-6.12-8.06Z"/><path class="cls-1" d="m116.04,35.05c.71-.17,1.16-.76,1.06-1.48L112.54,1.13c-.1-.72-.77-1.22-1.49-1.12l-37.5,5.27.73,5.22c.16,1.12-.62,2.15-1.74,2.31s-2.15-.62-2.31-1.74l-.73-5.22L1.13,15.46c-.72.1-1.22.77-1.12,1.49l4.56,32.44c.1.72.7,1.17,1.42,1.13,11.25-.92,21.43,7.1,23.03,18.46,1.6,11.36-5.99,21.81-17.07,23.96-.71.17-1.16.76-1.06,1.48l4.56,32.44c.1.72.77,1.22,1.49,1.12l68.37-9.61-.73-5.22c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l.73,5.22,37.5-5.27c.72-.1,1.22-.77,1.12-1.49l-4.56-32.44c-.1-.72-.7-1.17-1.42-1.13-11.25.92-21.42-7.04-23.02-18.4-1.6-11.36,5.98-21.87,17.06-24.03Zm-59.84,44.75c-1.76.25-3.29.26-4.04.17l1.59,11.29-9.92,1.39-5.3-37.73c2.5-1.62,5.96-3.03,11.38-3.8,8.68-1.22,15.27,2.58,16.66,12.44,1.25,8.88-3.12,15.21-10.36,16.23Zm30.73,20.71c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31,1.12-.16,2.15.62,2.31,1.74l1.47,10.44Zm-3.16-22.45c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l1.47,10.44Z"/></svg>

nextcloud.yaml.tmpl

@@ -30,7 +30,7 @@ entries:
     issuer_mode: per_provider
     redirect_uris:
     - matching_mode: strict
-      url: https://{{ env  "NEXTCLOUD_DOMAIN" }}/apps/sociallogin/custom_oidc/{{ env "AUTHENTIK_USER_PREFIX" }}
+      url: https://{{ env  "NEXTCLOUD_DOMAIN" }}/apps/sociallogin/custom_oidc/authentik
     name: Nextcloud
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]

release/7.4.0+2025.6.3

@@ -1,3 +0,0 @@
-Adds following new envs: 
-  REDIRECTS
-  AUTHENTIK_DISABLE_UPDATE_CHECK