Add renovate.json

Intermediate step for upgrading to 2026.2.x.
Bump authentik to 2025.12.4, postgres to 15.17.

.drone.yml

@@ -23,13 +23,15 @@ steps:
       FLOW_INVALIDATION_VERSION: v1
       FLOW_RECOVERY_VERSION: v1
       FLOW_TRANSLATION_VERSION: v1
-      SYSTEM_TENANT_VERSION: v1
+      SYSTEM_BRAND_VERSION: v1
       NEXTCLOUD_CONFIG_VERSION: v1
       SECRET_SECRET_KEY_VERSION: v1
       SECRET_DB_PASSWORD_VERSION: v1
       SECRET_ADMIN_TOKEN_VERSION: v1
       SECRET_ADMIN_PASS_VERSION: v1
       SECRET_EMAIL_PASS_VERSION: v1
+      DB_ENTRYPOINT_VERSION: v1
+      PG_BACKUP_VERSION: v2
 trigger:
   branch:
     - main
@@ -45,7 +47,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - coop-cloud/auto-recipes-catalogue-json
+        - toolshed/auto-recipes-catalogue-json
 
 trigger:
   event: tag

.env.sample

@@ -1,17 +1,34 @@
 TYPE=authentik
-TIMEOUT=300
+#TIMEOUT=900
 ENABLE_AUTO_UPDATE=true
-POST_DEPLOY_CMDS="app set_admin_pass|worker apply_blueprints"
+POST_DEPLOY_CMDS="worker set_admin_pass"
+# Example values for post deploy cmds: "worker set_admin_pass|worker apply_blueprints|worker add_applications"
 LETS_ENCRYPT_ENV=production
+ENABLE_BACKUPS=true
 
 DOMAIN=authentik.example.com
+## Domain aliases
+#EXTRA_DOMAINS=', `www.authentik.example.com`'
+# Redirects
+# All redirect domains have to be added to extra_domains as well)
+# multiple redirects can be added by seperating them with a | character
+#REDIRECTS=www.authentik.example.com
 COMPOSE_FILE="compose.yml"
 AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME=false
 AUTHENTIK_LOG_LEVEL=info
+# AUTHENTIK_DISABLE_UPDATE_CHECK=false
 # AUTHENTIK_IMPERSONATION=true
 # AUTHENTIK_FOOTER_LINKS='[{"name": "My Organization","href":"https://example.com"}]'
 # WORKERS=1
 
+## Outpost Integration
+# COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml"
+# COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.ldap.yml"
+# SECRET_LDAP_TOKEN_VERSION=v1
+
+## ADMIN
+AUTHENTIK_BOOTSTRAP_EMAIL=admin@example.com
+
 ## EMAIL
 AUTHENTIK_EMAIL__HOST=smtp
 AUTHENTIK_EMAIL__PORT=587
@@ -29,7 +46,6 @@ SECRET_ADMIN_PASS_VERSION=v1
 SECRET_EMAIL_PASS_VERSION=v1
 
 # X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
-AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
 
 ## FLOW OPTIONS
 # WELCOME_MESSAGE="Welcome to Authentik"
@@ -38,30 +54,114 @@ AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
 # EMAIL_SUBJECT="Account Recovery"
 # EMAIL_TOKEN_EXPIRY_MINUTES=30
 
+## assets
 COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
 COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/"
 COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 
+# store custom CSS in a css-volume
+#COMPOSE_FILE="$COMPOSE_FILE:compose.css-volume.yml"
+# NOTE: this causes the authentik container to run as `root` initially; it uses `su` to drop privileges but technically could introduce a security risk. proceed with caution!
+
+# Default CSS customisation
+# COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
+# BACKGROUND_FONT_COLOR=white
+# BACKGROUND_BOX_COLOR='#eaeaeacf'
+# THEME_BACKGROUND="url('https://authentik.example.com/static/dist/assets/images/flow_background.jpg'); background-position: center; background-repeat: no-repeat; background-size: cover;"
+
+# Group Name Variables to cluster Applications
+# GROUP_SUPPORT=Support
+# GROUP_HELP=Help
+# GROUP_ORGANISATION=Organisation
+# GROUP_COMMUNICATION=Communication
+# GROUP_COLLABORATION=Collaboration
+# GROUP_DOCUMENTATION=Documentation
+# GROUP_DEVELOPMENT=Development
+# GROUP_INFRASTRUCTURE=Infrastructure
+
 # COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
 # NEXTCLOUD_DOMAIN=nextcloud.example.com
 # SECRET_NEXTCLOUD_ID_VERSION=v1
 # SECRET_NEXTCLOUD_SECRET_VERSION=v1
 # APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"
+# NEXTCLOUD_APPGROUP="$GROUP_ORGANISATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.wordpress.yml"
 # WORDPRESS_DOMAIN=wordpress.example.com
+# WORDPRESS_GROUP='wordpress Admins'
 # SECRET_WORDPRESS_ID_VERSION=v1
 # SECRET_WORDPRESS_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS wordpress:~/.abra/recipes/authentik/icons/wordpress.png"
+# WORDPRESS_APPGROUP="$GROUP_DEVELOPMENT"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
-# ELEMENT_DOMAIN=element.example.com
+# ELEMENT_DOMAIN=element-web.example.com
+# MATRIX_DOMAIN=matrix-synapse.example.com
 # SECRET_MATRIX_ID_VERSION=v1
 # SECRET_MATRIX_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS matrix:~/.abra/recipes/authentik/icons/matrix.svg"
+# MATRIX_APPGROUP="$GROUP_COMMUNICATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.wekan.yml"
 # WEKAN_DOMAIN=wekan.example.com
 # SECRET_WEKAN_ID_VERSION=v1
 # SECRET_WEKAN_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS wekan:~/.abra/recipes/authentik/icons/wekan.png"
+# WEKAN_APPGROUP="$GROUP_ORGANISATION"
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.vikunja.yml"
+# VIKUNJA_DOMAIN=vikunja.example.com
+# SECRET_VIKUNJA_ID_VERSION=v1
+# SECRET_VIKUNJA_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS vikunja:~/.abra/recipes/authentik/icons/vikunja.svg"
+# VIKUNJA_APPGROUP="$GROUP_ORGANISATION"
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.outline.yml"
+# OUTLINE_DOMAIN=outline.example.com
+# SECRET_OUTLINE_ID_VERSION=v1
+# SECRET_OUTLINE_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS outline:~/.abra/recipes/authentik/icons/outline.png"
+# OUTLINE_APPGROUP="$GROUP_DOCUMENTATION"
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.kimai.yml"
+# KIMAI_DOMAIN=kimai.example.com
+# SECRET_KIMAI_ID_VERSION=v1
+# SECRET_KIMAI_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS kimai:~/.abra/recipes/authentik/icons/kimai_logo.png"
+# KIMAI_APPGROUP="$GROUP_ORGANISATION"
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.zammad.yml"
+# ZAMMAD_DOMAIN=zammad.example.com
+# APP_ICONS="$APP_ICONS zammad:~/.abra/recipes/authentik/icons/zammad.svg"
+# ZAMMAD_APPGROUP="$GROUP_SUPPORT"
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml"
+# MONITORING_DOMAIN=monitoring.example.com
+# SECRET_MONITORING_ID_VERSION=v1
+# SECRET_MONITORING_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.svg"
+# MONITORING_APPGROUP="$GROUP_INFRASTRUCTURE"
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.rallly.yml"
+# RALLLY_DOMAIN=rallly.example.com
+# SECRET_RALLLY_ID_VERSION=v1
+# SECRET_RALLLY_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS rallly:~/.abra/recipes/authentik/icons/rallly.png"
+# RALLLY_APPGROUP="$GROUP_ORGANISATION"
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.hedgedoc.yml"
+# HEDGEDOC_DOMAIN=hedgedoc.example.com
+# SECRET_HEDGEDOC_ID_VERSION=v1
+# SECRET_HEDGEDOC_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS hedgedoc:~/.abra/recipes/authentik/icons/hedgedoc.png"
+# HEDGEDOC_APPGROUP="$GROUP_DOCUMENTATION"
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.mila.yml"
+# MILA_DOMAIN=mila.example.com
+# SECRET_MILA_ID_VERSION=v1
+# SECRET_MILA_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS mila:~/.abra/recipes/authentik/icons/mila.svg"
+# MILA_APPGROUP=""
+
+# APPLICATIONS='{"Calendar": {"url":"https://nextcloud.example.com/apps/calendar/", "group": ""}, "BBB": {"url":"https://nextcloud.example.com/apps/bbb/", "group":""}, "Pretix": {"url":"https://pretix.example.com/control/", "group":""}}'
+# EXTRA_ICONS={"Calendar": "~/.abra/recipes/authentik/icons/calendar.svg", "BBB": "~/.abra/recipes/authentik/icons/bbb.png", "Pretix": "~/.abra/recipes/authentik/icons/pretix.svg"}

.gitignore

@@ -1 +1,2 @@
 .envrc
+.cursorignore

README.md

@@ -52,8 +52,38 @@ APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"
 
 Set the nextcloud Icon using `abra app cmd -l -d <app_name> set_icons`
 
+Generate OAuth client id and secret using `abra app secret generate <app_name> -a` (all secrets) or individually:
+- `abra app secret generate <app_name> nextcloud_id`
+- `abra app secret generate <app_name> nextcloud_secret`
+
+Add the id and secret to nextcloud as secrets with:
+- `abra app secret insert <nextcloud_app_name> authentik_id v1 <id>`
+- `abra app secret insert <nextcloud_app_name> authentik_secret v1 <secret>`
+
+Redeploy Authentik to enable the nextcloud client.
+
 The configuration inside Nextcloud can be found in the [nextcloud recipe](https://git.coopcloud.tech/coop-cloud/nextcloud#authentik-integration)
 
+## Add LDAP outpost
+
+- Follow [this official guide](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap/generic_setup) and skip the LDAP Flow as we don't need it.
+- Copy token under `Applications` -> `Outposts` `-> `View Deployment Info` 
+- Comment in envs for compose.outposts.ldap.yaml and secret version
+- Insert token as secret `abra app secret insert <DOMAIN> ldap_token v1 <TOKEN>`
+- Update deployment -> Outpost should be up and running
+
+## Import User from CSV
+
+Users can be imported from a CSV file of the following format:
+
+`First and last name, username, email@example.com, group1;group2;group3`
+
+Run the following command to import the file `users.csv`:
+
+`abra app cmd -l <app_name> import_user users.csv`
+
+Users will only be created if the username does not exits. I a group does not exists it will be created.
+
 ## Customization
 
 Place the files you want to overwrite in a directory `<assets_path>`.
@@ -75,44 +105,131 @@ Run this command after every deploy/upgrade:
 
 `abra app command --local <app-name> customize <assets_path>`
 
+## Custom CSS
+
+Uncomment the following env:
+
+```
+COMPOSE_FILE="$COMPOSE_FILE:compose.css-volume.yml"
+```
+
+Redeploy the app:
+```
+abra app deploy -f <app_name>
+```
+
+Copy the CSS and restart the container:
+```
+abra app cp <app_name> my_custom.css app:/web/dist/assets/custom.css
+abra app restart <app_name> app
+```
+
+## Email templates
+
+Add custom [email templates](https://goauthentik.io/docs/flow/stages/email/#custom-templates):
+
+`abra app cmd -l <app_name> add_email_templates local/path/to/mail_template.html`
+
 ## Blueprints
 
-Blueprint Dependency Requirements:
+These blueprints overwrite default blueprint values:
+
+- `flow_translation.yaml`
+- `flow_authentication.yaml`
+
+The following default blueprints will be overwritten by customizations:
+
+- `flow-password-change.yaml`
+- `flow-default-authentication-flow.yaml`
+- `flow-default-user-settings-flow.yaml`
+- `flow-default-source-enrollment.yaml`
+
+The `abra.sh` function `apply_blueprints` needs to be executed to deactivate these blueprints to ensure that the customizations won't be overwritten. It will further execute flow_translation.yaml and flow_authentication.yaml again.
+
+
+### Blueprint Overwrite/Use Dependencies
 
 - Recovery with email verification
     - Default - Password change flow
+        - USE:
+            - `default-password-change-prompt`
+            - `default-password-change-write`
     - Default - Authentication flow
+        - USE:
+            - `default-authentication-login`
 - Custom Authentication Flow
     - Default - Authentication flow
+        - USE:
+            - `default-authentication-password`
+        - OVERWRITE:
+            - `default-authentication-flow`
+        - APPEND:
+            - `default-authentication-identification`
+            - `default-authentication-login`
+        - REMOVE: `authentik_flows.flowstagebinding order:20`
     - Recovery with email verification
+        - USE:
+            - `default-recovery-flow`
 - Invitation Enrollment Flow
     - Default - User settings flow
+        - USE:
+            - `default-user-settings-field-name`
+            - `default-user-settings-field-email`
+    - Default - Password change flow
+        - USE:
+            - `default-password-change-field-password`
+            - `default-password-change-field-password-repeat`
     - Default - Authentication flow
+        - USE:
+            - `default-authentication-login`
     - Default - Source enrollment flow
+        - USE:
+            - `default-source-enrollment-field-username`
+            - `default-source-enrollment-write`
 - Custom Invalidation Flow
     - Default - Invalidation flow
+        - APPEND_ATTR:
+            - `authentik_flows.flowstagebinding order: 0`
 - Flow Translations
     - Recovery with email verification
+        - APPEND: `default-recovery-flow`
     - Default - Password change flow
+        - OVERWRITE:
+           - `default-password-change-field-password`
+           - `default-password-change-field-password-repeat`
     - Default - User settings flow
+        - OVERWRITE:
+            - `default-user-settings-field-username`
+            - `default-user-settings-field-name`
     - Default - Source enrollment flow
-- Custom System Tenant
-    - Default - Tenant
+        - OVERWRITE:
+            - `default-source-enrollment-field-username`
+- Custom System Brand
+    - Default - Brand
+        - APPEND: `authentik_brands.brand  domain: authentik-default`
     - Recovery with email verification
+        - USE:
+            - `default-recovery-flow`
 
 
-Blueprint Dependency Graph:
+### Blueprint Dependency Execution Order
 
-5. Custom System Tenant
-    - Default - Tenant
-    4. Invitation Enrollment Flow
-        3. Flow Translations
-            - Default - User settings flow
-            - Default - Source enrollment flow
-            2. Custom Authentication Flow
-                1. Recovery with email verification
-                    - Default - Authentication flow
-                        - Default - Password change flow
+5. Custom System Brand
+    - Default - Brand
+    1. Recovery with email verification
+        - Default - Authentication flow
+            - Default - Password change flow
+4. Invitation Enrollment Flow
+    3. Flow Translations
+        - Default - User settings flow
+        - Default - Source enrollment flow
+        1. Recovery with email verification
+            - Default - Authentication flow
+                - Default - Password change flow
+2. Custom Authentication Flow
+    1. Recovery with email verification
+        - Default - Authentication flow
+            - Default - Password change flow
 6. Custom Invalidation Flow
     - Default - Invalidation flow
 

abra.sh

@@ -1,34 +1,114 @@
-export CUSTOM_CSS_VERSION=v2
-export FLOW_AUTHENTICATION_VERSION=v1
-export FLOW_INVITATION_VERSION=v1
-export FLOW_INVALIDATION_VERSION=v1
-export FLOW_RECOVERY_VERSION=v1
-export FLOW_TRANSLATION_VERSION=v1
-export SYSTEM_TENANT_VERSION=v1
-export NEXTCLOUD_CONFIG_VERSION=v1
-export WORDPRESS_CONFIG_VERSION=v1
-export MATRIX_CONFIG_VERSION=v1
-export WEKAN_CONFIG_VERSION=v1
+export CUSTOM_CSS_VERSION=v3
+export FLOW_AUTHENTICATION_VERSION=v4
+export FLOW_INVITATION_VERSION=v2
+export FLOW_INVALIDATION_VERSION=v2
+export FLOW_RECOVERY_VERSION=v2
+export FLOW_TRANSLATION_VERSION=v3
+export SYSTEM_BRAND_VERSION=v4
+export NEXTCLOUD_CONFIG_VERSION=v3
+export WORDPRESS_CONFIG_VERSION=v6
+export MATRIX_CONFIG_VERSION=v3
+export WEKAN_CONFIG_VERSION=v5
+export VIKUNJA_CONFIG_VERSION=v3
+export OUTLINE_CONFIG_VERSION=v4
+export KIMAI_CONFIG_VERSION=v3
+export ZAMMAD_CONFIG_VERSION=v4
+export RALLLY_CONFIG_VERSION=v4
+export HEDGEDOC_CONFIG_VERSION=v3
+export MONITORING_CONFIG_VERSION=v4
+export MILA_CONFIG_VERSION=v1
+export DB_ENTRYPOINT_VERSION=v1
+export PG_BACKUP_VERSION=v2
+export ENTRYPOINT_CSS_VERSION=v1
 
 customize() {
-    if [ -z "$1" ]
-    then
-            echo "Usage: ... customize <assets_path>"
-            exit 1
-    fi
-    asset_dir=$1
-    for asset in $COPY_ASSETS; do
-        source=$(echo $asset | cut -d "|" -f1)
-        target=$(echo $asset | cut -d "|" -f2)
-        echo copy $source to $target
-        abra app cp $APP_NAME $asset_dir/$source $target
-    done
+  if [ -z "$1" ]; then
+    echo "Usage: ... customize <assets_path>"
+    exit 1
+  fi
+  asset_dir=$1
+  for asset in $COPY_ASSETS; do
+    source=$(echo $asset | cut -d "|" -f1)
+    target=$(echo $asset | cut -d "|" -f2)
+    echo copy $source to $target
+    abra app cp $APP_NAME $asset_dir/$source $target
+  done
+}
+
+shell() {
+  if [ -z "$1" ]; then
+    echo "Usage: ... shell <python code>"
+    exit 1
+  fi
+  ak shell -c "$1" 2>&1 | quieten
+}
+
+import_user() {
+  if [ -z "$1" ]; then
+    echo "Usage: ... import_user <users.csv>"
+    exit 1
+  fi
+  source_file=$1
+  filename=$(basename $source_file)
+  abra app cp -C $APP_NAME $source_file worker:/tmp/
+  abra app cmd -C -T $APP_NAME worker _import_user $filename
+}
+
+_import_user() {
+  /manage.py shell -c """
+from authentik.core.models import Group
+import csv
+new_user = User()
+with open('/tmp/$1', newline='') as file:
+  reader = csv.reader(file)
+  for row in reader:
+    name = row[0].strip()
+    username = row[1].strip()
+    email = row[2].strip()
+    groups = row[3].split(';')
+    if User.objects.filter(username=username):
+        print(f'{username} already exists')
+        continue
+    new_user = User.objects.create(name=name, username=username, email=email)
+    print(f'{username} created')
+    for group_name in groups:
+        group_name = group_name.strip()
+        if Group.objects.filter(name=group_name):
+            group = Group.objects.get(name=group_name)
+        else:
+            group = Group.objects.create(name=group_name)
+            print(f'{group_name} created')
+        group.users.add(new_user)
+        print(f'add {username} to group {group_name}')
+""" 2>&1 | quieten
+}
+
+set_user_pass() {
+  username="$1"
+  password="$2"
+  /manage.py shell -c """
+user = User.objects.get(username='$username')
+user.set_password('$password')
+user.save()
+print('Changed $username password')
+""" 2>&1 | quieten
+
 }
 
 set_admin_pass() {
-password=$(cat /run/secrets/admin_pass)
-token=$(cat /run/secrets/admin_token)
-/manage.py shell -c """
+  password=$(cat /run/secrets/admin_pass)
+  token=$(cat /run/secrets/admin_token)
+  /manage.py shell -c """
+import time
+i = 0
+while (not User.objects.filter(username='akadmin')):
+    print('Waiting for akadmin to be created...')
+    time.sleep(10)
+    i += 1
+    if i > 6:
+        print('Failed to find admin user!')
+        exit()
+
 akadmin = User.objects.get(username='akadmin')
 akadmin.set_password('$password')
 akadmin.save()
@@ -49,82 +129,262 @@ else:
         key=key,
     )
     print('Created authentik-bootstrap-token')
-"""
+""" 2>&1 | quieten
 }
 
 rotate_db_pass() {
-    db_password=$(cat /run/secrets/db_password)
-    psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
+  db_password=$(cat /run/secrets/db_password)
+  psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
 }
 
+# This function is for blueprints that are overwriting custom blueprints
+# It deactivates the affected custom blueprints to avoid changes to be reverted
 apply_blueprints() {
-    enable_blueprint default/flow-default-authentication-flow.yaml
-    enable_blueprint default/flow-default-user-settings-flow.yaml
-    enable_blueprint default/flow-password-change.yaml
-    ak apply_blueprint 6_flow_invalidation.yaml 
-    ak apply_blueprint 5_system_tenant.yaml
-    disable_blueprint default/flow-default-authentication-flow.yaml
-    disable_blueprint default/flow-default-user-settings-flow.yaml
-    disable_blueprint default/flow-password-change.yaml
+  update_and_disable_blueprint default/flow-password-change.yaml
+  update_and_disable_blueprint default/flow-default-authentication-flow.yaml
+  update_and_disable_blueprint default/flow-default-user-settings-flow.yaml
+  update_and_disable_blueprint default/flow-default-source-enrollment.yaml
+
+  apply_blueprint 3_flow_translation.yaml
+  apply_blueprint 2_flow_authentication.yaml
+}
+
+update_and_disable_blueprint() {
+  enable_blueprint $@ 2>&1 | quieten
+  sleep 1
+  apply_blueprint $@
+  sleep 1
+  disable_blueprint $@ 2>&1 | quieten
 }
 
 disable_blueprint() {
-    blueprint_state False $@
+  blueprint_state False $@
 }
 
 enable_blueprint() {
-    blueprint_state True $@
+  blueprint_state True $@
+}
+
+apply_blueprint() {
+  echo apply blueprint $@
+  ak apply_blueprint $@ 2>&1 | quieten
 }
 
 blueprint_state() {
-/manage.py shell -c """
+  /manage.py shell -c """
+import time
 blueprint_state=$1
 blueprint_path='$2'
 blueprint = BlueprintInstance.objects.filter(path=blueprint_path).first()
 blueprint.enabled = blueprint_state
+# Hacky workaround to reduce chance of a race condition
+blueprint.save()
+time.sleep(1)
+blueprint.save()
+time.sleep(1)
+blueprint.save()
 print(f'{blueprint.name} enabled: {blueprint.enabled}')
-"""
+""" 2>&1 | quieten
 
 }
 
-set_icons(){
-for icon in $APP_ICONS; do
+# This function adds each application with its name, slug and group if passed
+add_applications() {
+  export APPLICATIONS
+  /manage.py shell -c """
+import json
+import os
+if os.environ['APPLICATIONS'] == '':
+    exit()
+applications = json.loads(os.environ['APPLICATIONS'])
+for name, details in applications.items():
+    url = details['url']
+    app = Application.objects.filter(name=name).first()
+    if not app:
+        app = Application()
+    app.name = name
+    app.slug = name.replace(' ', '-')
+    app.meta_launch_url = url
+    group = details['group']
+    if group:
+        app.group = group
+        print(f'Add {name}: {url} in group: {group}')
+    else:
+        app.group = ''
+        print(f'Add {name}: {url}')
+    app.open_in_new_tab = True
+    app.save()
+""" 2>&1 | quieten
+}
+
+# This function adds one application with its name, slug and group if passed
+add_single_application() {
+  if [ -z "$2" ]; then
+    echo "Usage: ... add_single_application <name> <url> <group>"
+    exit 1
+  fi
+  /manage.py shell -c """
+import json
+import os
+name = '$1'
+url = '$2'
+app = Application.objects.filter(name=name).first()
+if not app:
+    app = Application()
+app.name = name
+app.slug = name.replace(' ', '-')
+app.meta_launch_url = url
+group = '$3'
+if group:
+    app.group = group
+    print(f'Add {name}: {url} in group: {group}')
+else:
+    app.group = ''
+    print(f'Add {name}: {url}')
+app.open_in_new_tab = True
+app.save()
+""" 2>&1 | quieten
+}
+
+## This function is for renaming apps - usage: rename "old name" "new name"
+rename() {
+  /manage.py shell -c """
+old_name = '$1'
+new_name = '$2' if '$2' else old_name
+
+app = Application.objects.filter(name=old_name).first()
+if app:
+    app.name = new_name
+    app.save()
+    print(f'Renamed application from {old_name} to {new_name}')
+else:
+    print(f'No application found with name: {old_name}')
+""" 2>&1 | quieten
+}
+
+quieten() {
+  # 'SyntaxWarning|version_regex|"http\['
+  # is a workaround to get rid of some verbose syntax warnings, this might be fixed with another version
+  grep -Pv '"level": "(info|debug)"|SyntaxWarning|version_regex|"http\[|RuntimeWarning:|### authentik shell|### Node| objects imported automatically|^$'
+}
+
+add_email_templates() {
+  for file_path in "$@"; do
+    echo copy template $file_path
+    abra app cp $APP_NAME $file_path app:/templates/
+  done
+}
+
+set_icons() {
+  if [ -n "$1" ]; then
+    APP_ICONS="$1"
+  fi
+  for icon in $APP_ICONS; do
     app=$(echo $icon | cut -d ":" -f1)
     file_path=$(eval echo $(echo $icon | cut -d ":" -f2))
     file=$(basename $file_path)
     echo copy icon $file_path for $app
-    abra app cp $APP_NAME $file_path app:/media/
-    abra app cmd -T $APP_NAME app set_app_icon $app /media/$file
-done
+    abra app cp -C $APP_NAME $file_path app:/media/
+    abra app cmd -C -T $APP_NAME app set_app_icon $app /media/$file
+  done
+}
+
+set_extra_icons() {
+  if [ -z "$EXTRA_ICONS" ]; then
+    echo "Variable EXTRA_ICONS is not set"
+    exit 1
+  fi
+  export EXTRA_ICONS
+  icon_key_values=$(python3 -c "
+import json
+import os
+for key, value in json.loads(os.environ['EXTRA_ICONS']).items():
+  slug = key.replace(' ','-')
+  print(f'{slug}:{value}')
+")
+  set_icons "$icon_key_values"
 }
 
 set_app_icon() {
-TOKEN=$(cat /run/secrets/admin_token)
-python -c """
+  TOKEN=$(cat /run/secrets/admin_token)
+  python -c """
 import requests
 import os
 my_token = '$TOKEN'
 application = '$1'
 icon_path = '$2'
-url = f'https://$DOMAIN/api/v3/core/applications/{application}/set_icon/'
-headers = {'Authorization':f'Bearer {my_token}'}
+base_url = f'https://$DOMAIN/api/v3'
+headers = {'Authorization': f'Bearer {my_token}'}
+
+name_img = os.path.basename(icon_path)
+
+# Upload file via the file management API
 with open(icon_path, 'rb') as img:
-  name_img = os.path.basename(icon_path)
-  files= {'file': (name_img,img,'image/png') }
-  with requests.Session() as s:
-    r = s.post(url,files=files,headers=headers)
-    print(r.status_code)
+  r = requests.post(
+    f'{base_url}/admin/file/',
+    files={'file': (name_img, img, 'image/png')},
+    data={'name': name_img},
+    headers=headers,
+  )
+  if r.status_code == 400 and 'already exists' in r.text:
+    print(f'{name_img} already uploaded')
+  elif r.status_code != 200:
+    print(f'Upload failed: {r.status_code} {r.text}')
+    exit(1)
+  else:
+    print(f'Uploaded {name_img}')
+
+# Set the icon on the application
+r = requests.patch(
+  f'{base_url}/core/applications/{application}/',
+  json={'meta_icon': name_img},
+  headers=headers,
+)
+if r.status_code == 200:
+  print(f'Set icon for {application}')
+else:
+  print(f'Failed to set icon: {r.status_code} {r.text}')
 """
 
 }
 
 blueprint_cleanup() {
-/manage.py shell -c """
+  /manage.py shell -c """
 delete_flows = ['default-recovery-flow' , 'custom-authentication-flow' , 'invitation-enrollment-flow' , 'initial-setup']
 Flow.objects.filter(slug__in=delete_flows).delete()
 Stage.objects.filter(flow=None).delete()
 Prompt.objects.filter(promptstage=None).delete()
-Tenant.objects.filter(default=True).delete()
-"""
-apply_blueprints
+Brand.objects.filter(default=True).delete()
+""" 2>&1 | quieten
+  apply_blueprints
+}
+
+get_certificate() {
+  /manage.py shell -c """
+provider_name='$1'
+if not provider_name:
+    print('no Provider Name given')
+    exit(1)
+provider = Provider.objects.filter(name=provider_name).first()
+saml = provider.samlprovider
+cert = saml.signing_kp
+print(''.join(cert.certificate_data.splitlines()[1:-1]))
+""" 2>&1 | quieten
+}
+
+get_user_uid() {
+  /manage.py shell -c """
+print(User.objects.filter(username='$1').first().uid)
+""" 2>&1 | quieten
+}
+
+get_secrets() {
+  grep "" -r /var/run/secrets
+}
+
+fix_collation_mismatch() {
+  psql -U ${POSTGRES_USER} -d authentik -c "ALTER DATABASE authentik REFRESH COLLATION VERSION;"
+  psql -U ${POSTGRES_USER} -d authentik -c "REINDEX DATABASE authentik;"
+  psql -U ${POSTGRES_USER} -d postgres -c "ALTER DATABASE postgres REFRESH COLLATION VERSION;"
+  psql -U ${POSTGRES_USER} -d postgres -c "REINDEX DATABASE postgres;"
 }

alaconnect.yml

@@ -0,0 +1,98 @@
+nextcloud:
+    uncomment:
+        - compose.nextcloud.yml
+        - NEXTCLOUD_DOMAIN
+        - SECRET_NEXTCLOUD_ID_VERSION
+        - SECRET_NEXTCLOUD_SECRET_VERSION
+        - nextcloud.png
+wordpress:
+    uncomment:
+        - compose.wordpress.yml
+        - WORDPRESS_DOMAIN
+        - WORDPRESS_GROUP
+        - SECRET_WORDPRESS_ID_VERSION
+        - SECRET_WORDPRESS_SECRET_VERSION
+        - wordpress.png
+matrix-synapse:
+    uncomment:
+        - compose.matrix.yml
+        - ELEMENT_DOMAIN
+        - MATRIX_DOMAIN
+        - SECRET_MATRIX_ID_VERSION
+        - SECRET_MATRIX_SECRET_VERSION
+        - matrix.svg
+    secrets:
+        matrix_id: matrix
+wekan:
+    uncomment:
+        - compose.wekan.yml
+        - WEKAN_DOMAIN
+        - SECRET_WEKAN_ID_VERSION
+        - SECRET_WEKAN_SECRET_VERSION
+        - wekan.png
+    secrets:
+        wekan_id: wekan
+vikunja:
+    uncomment:
+        - compose.vikunja.yml
+        - VIKUNJA_DOMAIN
+        - SECRET_VIKUNJA_ID_VERSION
+        - SECRET_VIKUNJA_SECRET_VERSION
+        - vikunja.svg
+    secrets:
+        vikunja_id: vikunja
+kimai:
+    uncomment:
+        - compose.kimai.yml
+        - KIMAI_DOMAIN
+        - SECRET_KIMAI_ID_VERSION
+        - SECRET_KIMAI_SECRET_VERSION
+        - kimai_logo.png
+zammad:
+    uncomment:
+        - compose.zammad.yml
+        - ZAMMAD_DOMAIN
+        - zammad.svg
+monitoring-ng:
+    uncomment:
+        - compose.monitoring.yml
+        - MONITORING_DOMAIN
+        - SECRET_MONITORING_ID_VERSION
+        - SECRET_MONITORING_SECRET_VERSION
+        - monitoring.png
+outline:
+    uncomment:
+        - compose.outline.yml
+        - OUTLINE_DOMAIN
+        - SECRET_OUTLINE_ID_VERSION
+        - SECRET_OUTLINE_SECRET_VERSION
+        - outline.png
+    secrets:
+        outline_id: outline
+rallly:
+    uncomment:  
+        - compose.rallly.yml
+        - RALLLY_DOMAIN
+        - SECRET_RALLLY_ID_VERSION
+        - SECRET_RALLLY_SECRET_VERSION
+        - rallly.png
+    secrets:
+        rallly_id: rallly
+hedgedoc:
+    uncomment:  
+        - compose.hedgedoc.yml
+        - HEDGEDOC_DOMAIN
+        - SECRET_HEDGEDOC_ID_VERSION
+        - SECRET_HEDGEDOC_SECRET_VERSION
+        - hedgedoc.png
+    secrets:
+        hedgedoc_id: hedgedoc
+mila:
+    uncomment:
+        - compose.mila.yml
+        - MILA_DOMAIN
+        - SECRET_MILA_ID_VERSION
+        - SECRET_MILA_SECRET_VERSION
+        - mila.svg
+    secrets:
+        mila_id: mila

compose.css-volume.yml

@@ -0,0 +1,16 @@
+---
+version: "3.8"
+
+services:
+  app:
+    user: root
+    entrypoint: /docker-entrypoint.sh
+    configs:
+      - source: entrypoint_css
+        target: /docker-entrypoint.sh
+        mode: 0555
+
+configs:
+  entrypoint_css:
+    name: ${STACK_NAME}_entrypoint_css_${ENTRYPOINT_CSS_VERSION}
+    file: entrypoint-css-volume.sh

compose.css.yml

@@ -0,0 +1,14 @@
+---
+version: '3.8'
+
+services:
+  app:
+    configs: 
+      - source: custom_css
+        target: /web/dist/custom.css
+
+configs:
+  custom_css:
+    name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
+    file: custom.css.tmpl
+    template_driver: golang

compose.hedgedoc.yml

@@ -0,0 +1,26 @@
+version: "3.8"
+services:
+  worker:
+    secrets:
+      - hedgedoc_id
+      - hedgedoc_secret
+    environment:
+      - HEDGEDOC_DOMAIN
+    configs:
+      - source: hedgedoc
+        target: /blueprints/hedgedoc.yaml
+
+secrets:
+  hedgedoc_id:
+    external: true
+    name: ${STACK_NAME}_hedgedoc_id_${SECRET_HEDGEDOC_ID_VERSION}
+  hedgedoc_secret:
+    external: true
+    name: ${STACK_NAME}_hedgedoc_secret_${SECRET_HEDGEDOC_SECRET_VERSION}
+
+
+configs:
+  hedgedoc:
+    name: ${STACK_NAME}_hedgedoc_${HEDGEDOC_CONFIG_VERSION}
+    file: hedgedoc.yaml.tmpl
+    template_driver: golang

compose.kimai.yml

@@ -0,0 +1,14 @@
+version: "3.8"
+services:
+  worker:
+    environment:
+      - KIMAI_DOMAIN
+    configs:
+      - source: kimai
+        target: /blueprints/kimai.yaml
+
+configs:
+  kimai:
+    name: ${STACK_NAME}_kimai_${KIMAI_CONFIG_VERSION}
+    file: kimai.yaml.tmpl
+    template_driver: golang

compose.matrix.yml

@@ -1,11 +1,18 @@
 version: "3.8"
 services:
+  app:
+    deploy:
+      labels:
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions,${STACK_NAME}-redirect,${STACK_NAME}-redirect-matrix-well-known"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.regex=^https://(.*)/.well-known/matrix/(.*)"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.replacement=https://${MATRIX_DOMAIN}/.well-known/matrix/$$2"
   worker:
     secrets:
       - matrix_id
       - matrix_secret
     environment:
       - ELEMENT_DOMAIN
+      - MATRIX_DOMAIN
     configs:
       - source: matrix
         target: /blueprints/matrix.yaml

compose.mila.yml

@@ -0,0 +1,27 @@
+version: "3.8"
+services:
+  worker:
+    secrets:
+      - mila_id
+      - mila_secret
+    environment:
+      - MILA_DOMAIN
+    configs:
+      - source: mila
+        target: /blueprints/mila.yaml
+
+secrets:
+  mila_id:
+    external: true
+    name: ${STACK_NAME}_mila_id_${SECRET_MILA_ID_VERSION}
+  mila_secret:
+    external: true
+    name: ${STACK_NAME}_mila_secret_${SECRET_MILA_SECRET_VERSION}
+
+
+configs:
+  mila:
+    name: ${STACK_NAME}_mila_${MILA_CONFIG_VERSION}
+    file: mila.yaml.tmpl
+    template_driver: golang
+

compose.monitoring.yml

@@ -0,0 +1,26 @@
+version: "3.8"
+services:
+  worker:
+    secrets:
+      - monitoring_id
+      - monitoring_secret
+    environment:
+      - MONITORING_DOMAIN 
+    configs:
+      - source: monitoring
+        target: /blueprints/monitoring.yaml
+
+secrets:
+  monitoring_id:
+    external: true
+    name: ${STACK_NAME}_monitoring_id_${SECRET_MONITORING_ID_VERSION}
+  monitoring_secret:
+    external: true
+    name: ${STACK_NAME}_monitoring_secret_${SECRET_MONITORING_SECRET_VERSION}
+
+
+configs:
+  monitoring:
+    name: ${STACK_NAME}_monitoring_${MONITORING_CONFIG_VERSION}
+    file: monitoring.yaml.tmpl
+    template_driver: golang

compose.outline.yml

@@ -0,0 +1,26 @@
+version: "3.8"
+services:
+  worker:
+    secrets:
+      - outline_id
+      - outline_secret
+    environment:
+      - OUTLINE_DOMAIN
+    configs:
+      - source: outline
+        target: /blueprints/outline.yaml
+
+secrets:
+  outline_id:
+    external: true
+    name: ${STACK_NAME}_outline_id_${SECRET_OUTLINE_ID_VERSION}
+  outline_secret:
+    external: true
+    name: ${STACK_NAME}_outline_secret_${SECRET_OUTLINE_SECRET_VERSION}
+
+
+configs:
+  outline:
+    name: ${STACK_NAME}_outline_${OUTLINE_CONFIG_VERSION}
+    file: outline.yaml.tmpl
+    template_driver: golang

compose.outposts.ldap.yml

@@ -0,0 +1,23 @@
+version: "3.8"
+services:
+  authentik_ldap:
+      image: ghcr.io/goauthentik/ldap:2026.2.1
+      # Optionally specify which networks the container should be
+      # might be needed to reach the core authentik server
+      networks:
+        - internal
+        - proxy
+      ports:
+        - 389:3389
+        - 636:6636
+      secrets:
+        - ldap_token
+      environment:
+        - AUTHENTIK_HOST=https://${DOMAIN}
+        - AUTHENTIK_INSECURE=true
+        - AUTHENTIK_TOKEN=file:///run/secrets/ldap_token
+
+secrets:
+  ldap_token:
+    external: true
+    name: ${STACK_NAME}_ldap_token_${SECRET_LDAP_TOKEN_VERSION}

compose.outposts.yml

@@ -0,0 +1,6 @@
+version: "3.8"
+services:
+  worker:
+    user: root
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock

compose.rallly.yml

@@ -0,0 +1,26 @@
+version: "3.8"
+services:
+  worker:
+    secrets:
+      - rallly_id
+      - rallly_secret
+    environment:
+      - RALLLY_DOMAIN
+    configs:
+      - source: rallly
+        target: /blueprints/rallly.yaml
+
+secrets:
+  rallly_id:
+    external: true
+    name: ${STACK_NAME}_rallly_id_${SECRET_RALLLY_ID_VERSION}
+  rallly_secret:
+    external: true
+    name: ${STACK_NAME}_rallly_secret_${SECRET_RALLLY_SECRET_VERSION}
+
+
+configs:
+  rallly:
+    name: ${STACK_NAME}_rallly_${RALLLY_CONFIG_VERSION}
+    file: rallly.yaml.tmpl
+    template_driver: golang

compose.vikunja.yml

@@ -0,0 +1,26 @@
+version: "3.8"
+services:
+  worker:
+    secrets:
+      - vikunja_id
+      - vikunja_secret
+    environment:
+      - VIKUNJA_DOMAIN
+    configs:
+      - source: vikunja
+        target: /blueprints/vikunja.yaml
+
+secrets:
+  vikunja_id:
+    external: true
+    name: ${STACK_NAME}_vikunja_id_${SECRET_VIKUNJA_ID_VERSION}
+  vikunja_secret:
+    external: true
+    name: ${STACK_NAME}_vikunja_secret_${SECRET_VIKUNJA_SECRET_VERSION}
+
+
+configs:
+  vikunja:
+    name: ${STACK_NAME}_vikunja_${VIKUNJA_CONFIG_VERSION}
+    file: vikunja.yaml.tmpl
+    template_driver: golang

compose.wordpress.yml

@@ -6,6 +6,7 @@ services:
       - wordpress_secret
     environment:
       - WORDPRESS_DOMAIN
+      - WORDPRESS_GROUP
     configs:
       - source: wordpress
         target: /blueprints/wordpress.yaml

compose.yml

@@ -5,7 +5,6 @@ x-env: &env
     - AUTHENTIK_POSTGRESQL__USER=authentik
     - AUTHENTIK_POSTGRESQL__NAME=authentik
     - AUTHENTIK_POSTGRESQL__HOST=db
-    - AUTHENTIK_REDIS__HOST=redis
     - AUTHENTIK_ERROR_REPORTING__ENABLED
     - AUTHENTIK_SECRET_KEY=file:///run/secrets/secret_key
     - AUTHENTIK_EMAIL__HOST
@@ -17,22 +16,28 @@ x-env: &env
     - AUTHENTIK_EMAIL__TIMEOUT
     - AUTHENTIK_EMAIL__FROM
     - AUTHENTIK_LOG_LEVEL
-    - AUTHENTIK_SETTINGS__THEME__BACKGROUND
-    - AUTHENTIK_COLOR_BACKGROUND_LIGHT
+    - AUTHENTIK_DISABLE_UPDATE_CHECK
+    - BACKGROUND_FONT_COLOR=${BACKGROUND_FONT_COLOR:-white}
+    - BACKGROUND_BOX_COLOR=${BACKGROUND_BOX_COLOR:-#eaeaeacf}
     - AUTHENTIK_FOOTER_LINKS
     - AUTHENTIK_IMPERSONATION
+    - AUTHENTIK_BOOTSTRAP_EMAIL
     - WELCOME_MESSAGE
     - DEFAULT_LANGUAGE
     - EMAIL_SUBJECT
     - EMAIL_TOKEN_EXPIRY_MINUTES
     - DOMAIN
     - LOGOUT_REDIRECT
+    - APPLICATIONS
+    - THEME_BACKGROUND
 
 version: '3.8'
 services:
   app:
-    image: ghcr.io/goauthentik/server:2023.3.1
+    image: ghcr.io/goauthentik/server:2026.2.1
     command: server
+    depends_on:
+      - db
     secrets:
       - db_password
       - admin_pass
@@ -40,43 +45,42 @@ services:
       - secret_key
       - email_pass
     volumes:
+      - data:/data
       - media:/media
-      - assets:/web/dist/assets
-    configs:
-      - source: custom_css
-        target: /web/dist/custom.css
+      - custom_assets:/web/dist/assets
+      - templates:/templates
     networks:
       - internal
       - proxy
     healthcheck:
-      test: ["CMD", "curl", "-f", "localhost:9000/-/health/live/"]
+      test: "ak healthcheck"
       interval: 30s
-      timeout: 10s
+      timeout: 30s
       retries: 10
-      start_period: 1m
+      start_period: 5m
     environment: *env
     deploy:
-      update_config:
-        failure_action: rollback
-        order: start-first
       labels:
         - "traefik.enable=true"
-        - "traefik.docker.network=proxy"
+        - "traefik.swarm.network=proxy"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=9000"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions,${STACK_NAME}-redirect"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=3.1.1+2023.3.1"
-        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
+        - "coop-cloud.${STACK_NAME}.version=11.0.4+2026.2.1"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.regex=^https://(${REDIRECTS})/(.*)"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.replacement=https://${DOMAIN}/$${2}"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.permanent=true"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
 
   worker:
-    image: ghcr.io/goauthentik/server:2023.3.1
+    image: ghcr.io/goauthentik/server:2026.2.1
     command: worker
+    depends_on:
+      - db
     secrets:
       - db_password
       - admin_pass
@@ -86,12 +90,12 @@ services:
     networks:
       - internal
       - proxy
-    user: root
     volumes:
-      - backups:/backups
+      - data:/data
       - media:/media
-      - /var/run/docker.sock:/var/run/docker.sock
       - /dev/null:/blueprints/default/flow-oobe.yaml
+      - templates:/templates
+      - certs:/certs
     configs:
       - source: flow_recovery
         target: /blueprints/1_flow_recovery.yaml
@@ -101,22 +105,37 @@ services:
         target: /blueprints/3_flow_translation.yaml
       - source: flow_invitation
         target: /blueprints/4_flow_invitation.yaml
-      - source: system_tenant
-        target: /blueprints/5_system_tenant.yaml
+      - source: system_brand
+        target: /blueprints/5_system_brand.yaml
       - source: flow_invalidation
         target: /blueprints/6_flow_invalidation.yaml
     environment: *env
+    healthcheck:
+      test: "ak healthcheck"
+      interval: 30s
+      timeout: 30s
+      retries: 10
+      start_period: 5m
 
   db:
-    image: postgres:12.14-alpine
+    image: postgres:15.17
     secrets:
       - db_password
+    configs:
+      - source: db_entrypoint
+        target: /docker-entrypoint.sh
+        mode: 0555
+      - source: pg_backup
+        target: /pg_backup.sh
+        mode: 0555
+    entrypoint:
+      /docker-entrypoint.sh
     volumes:
       - database:/var/lib/postgresql/data
     networks:
       - internal
     healthcheck:
-      test: ["CMD", "pg_isready"]
+      test: ["CMD", "pg_isready", "-U", "authentik"]
       interval: 30s
       timeout: 10s
       retries: 10
@@ -127,21 +146,11 @@ services:
       - POSTGRES_DB=authentik
     deploy:
       labels:
-          backupbot.backup: "true"
-          backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$$(cat /run/secrets/db_password) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /tmp/backup/backup.sql"
-          backupbot.backup.post-hook: "rm -rf /tmp/backup"
-          backupbot.backup.path: "/tmp/backup/"
+          backupbot.backup: "${ENABLE_BACKUPS:-true}"
+          backupbot.backup.pre-hook: "/pg_backup.sh backup"
+          backupbot.backup.volumes.database.path: "backup.sql"
+          backupbot.restore.post-hook: '/pg_backup.sh restore'
 
-  redis:
-    image:  redis:7.0.10-alpine
-    networks:
-      - internal
-    healthcheck:
-      test: ["CMD", "redis-cli","ping"]
-      interval: 30s
-      timeout: 10s
-      retries: 10
-      start_period: 1m
 
 secrets:
   db_password:
@@ -166,16 +175,14 @@ networks:
   internal:
 
 volumes:
-  backups:
+  data:
   media:
-  assets:
+  certs:
+  templates:
+  custom_assets:
   database:
 
 configs:
-  custom_css:
-    name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
-    file: custom.css.tmpl
-    template_driver: golang
   flow_authentication:
     name: ${STACK_NAME}_flow_authentication_${FLOW_AUTHENTICATION_VERSION}
     file: flow_authentication.yaml.tmpl
@@ -196,7 +203,14 @@ configs:
     name: ${STACK_NAME}_flow_translation_${FLOW_TRANSLATION_VERSION}
     file: flow_translation.yaml.tmpl
     template_driver: golang
-  system_tenant:
-    name: ${STACK_NAME}_system_tenant_${SYSTEM_TENANT_VERSION}
-    file: system_tenant.yaml.tmpl
+  system_brand:
+    name: ${STACK_NAME}_system_brand_${SYSTEM_BRAND_VERSION}
+    file: system_brand.yaml.tmpl
     template_driver: golang
+  db_entrypoint:
+    name: ${STACK_NAME}_db_entrypoint_${DB_ENTRYPOINT_VERSION}
+    file: entrypoint.postgres.sh.tmpl
+    template_driver: golang
+  pg_backup:
+    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
+    file: pg_backup.sh

compose.zammad.yml

@@ -0,0 +1,14 @@
+version: "3.8"
+services:
+  worker:
+    environment:
+      - ZAMMAD_DOMAIN
+    configs:
+      - source: zammad
+        target: /blueprints/zammad.yaml
+
+configs:
+  zammad:
+    name: ${STACK_NAME}_zammad_${ZAMMAD_CONFIG_VERSION}
+    file: zammad.yaml.tmpl
+    template_driver: golang

custom.css.tmpl

@@ -1,24 +1,13 @@
 /* my custom css */
 
-
 :root {
-    --ak-accent: #fd4b2d;
-
-    --ak-dark-foreground: #fafafa;
-    --ak-dark-foreground-darker: #bebebe;
-    --ak-dark-foreground-link: #5a5cb9;
-    --ak-dark-background: #18191a;
-    --ak-dark-background-darker: #000000;
-
-
-    --ak-dark-background-light: {{ env "AUTHENTIK_COLOR_BACKGROUND_LIGHT" }};
-    --ak-dark-background-light-ish: #212427;
-    --ak-dark-background-lighter: #2b2e33;
-
-    --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
-    --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
-    --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
-    --pf-c-background-image--BackgroundImage--sm-2x: var(--ak-flow-background);
-    --pf-c-background-image--BackgroundImage--lg: var(--ak-flow-background);
+        --pf-global--BackgroundColor--100: {{ env "BACKGROUND_BOX_COLOR" }} !important;
 }
 
+.pf-c-login__main {
+        background-color: {{ env "BACKGROUND_BOX_COLOR" }};
+}
+
+.pf-c-content h1 {
+        color: {{ env "BACKGROUND_FONT_COLOR" }};
+}

custom_flows.yaml.tmpl

@@ -1,405 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: Custom - Flows
-context:
-  welcome_message: {{ if eq (env "WELCOME_MESSAGE") "" }} "Welcome to authentik!" {{ else }} {{ env "WELCOME_MESSAGE" }} {{ end }}
-####### Translations ########
-  transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort Zurücksetzen" {{ else }} "Reset your password" {{ end }}
-  transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort" {{ else }} "Password" {{ end }}
-  transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort (wiederholen)" {{ else }} "Password (repeat)" {{ end }}
-  transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Benutzername" {{ else }} "Username" {{ end }}
-  transl_name: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Vor- und Nachname" {{ else }} "Full name" {{ end }}
-
-entries:
-######## Email Recovery Flow ########
-- identifiers:
-    slug: default-recovery-flow
-  id: recovery_flow
-  model: authentik_flows.flow
-  attrs:
-    name: Default recovery flow
-    title: !Context transl_recovery
-    designation: recovery
-
-### PROMPTS
-- identifiers:
-    field_key: password
-  id: prompt-field-password
-  model: authentik_stages_prompt.prompt
-  attrs:
-    label: !Context transl_password
-    type: password
-    required: true
-    placeholder: !Context transl_password
-    order: 30
-    placeholder_expression: false
-- identifiers:
-    field_key: password_repeat
-  id: prompt-field-password-repeat
-  model: authentik_stages_prompt.prompt
-  attrs:
-    label: !Context transl_password_repeat
-    type: password
-    required: true
-    placeholder: !Context transl_password_repeat
-    order: 31
-    placeholder_expression: false
-
-
-### STAGES
-- identifiers:
-    name: default-recovery-email
-  id: default-recovery-email
-  model: authentik_stages_email.emailstage
-  attrs:
-    use_global_settings: true
-    token_expiry: {{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }} 30 {{ else }} {{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }} {{ end }}
-    subject: {{ if eq (env "EMAIL_SUBJECT") "" }} "Account Recovery" {{ else }} "{{ env "EMAIL_SUBJECT" }}" {{ end }} 
-    template: email/password_reset.html
-    activate_user_on_success: true
-- identifiers:
-    name: default-recovery-user-write
-  id: default-recovery-user-write
-  model: authentik_stages_user_write.userwritestage
-- identifiers:
-    name: default-recovery-identification
-  id: default-recovery-identification
-  model: authentik_stages_identification.identificationstage
-  attrs:
-    user_fields:
-      - email
-      - username
-- identifiers:
-    name: default-recovery-user-login
-  id: default-recovery-user-login
-  model: authentik_stages_user_login.userloginstage
-  attrs:
-    session_duration: seconds=0
-- identifiers:
-    name: Change your password
-  id: stage-prompt-password
-  model: authentik_stages_prompt.promptstage
-  attrs:
-    fields:
-      - !KeyOf prompt-field-password
-      - !KeyOf prompt-field-password-repeat
-    validation_policies: []
-
-### STAGE BINDINGS
-- identifiers:
-    target: !KeyOf recovery_flow
-    stage: !KeyOf default-recovery-identification
-    order: 10
-  model: authentik_flows.flowstagebinding
-  id: flow-binding-identification
-  attrs:
-    evaluate_on_plan: true
-    re_evaluate_policies: true
-    policy_engine_mode: any
-    invalid_response_action: retry
-- identifiers:
-    target: !KeyOf recovery_flow
-    stage: !KeyOf default-recovery-email
-    order: 20
-  model: authentik_flows.flowstagebinding
-  id: flow-binding-email
-  attrs:
-    evaluate_on_plan: true
-    re_evaluate_policies: true
-    policy_engine_mode: any
-    invalid_response_action: retry
-- identifiers:
-    target: !KeyOf recovery_flow
-    stage: !KeyOf stage-prompt-password
-    order: 30
-  model: authentik_flows.flowstagebinding
-  attrs:
-    evaluate_on_plan: true
-    re_evaluate_policies: false
-    policy_engine_mode: any
-    invalid_response_action: retry
-- identifiers:
-    target: !KeyOf recovery_flow
-    stage: !KeyOf default-recovery-user-write
-    order: 40
-  model: authentik_flows.flowstagebinding
-  attrs:
-    evaluate_on_plan: true
-    re_evaluate_policies: false
-    policy_engine_mode: any
-    invalid_response_action: retry
-- identifiers:
-    target: !KeyOf recovery_flow
-    stage: !KeyOf default-recovery-user-login
-    order: 100
-  model: authentik_flows.flowstagebinding
-  attrs:
-    evaluate_on_plan: true
-    re_evaluate_policies: false
-    policy_engine_mode: any
-    invalid_response_action: retry
-
-### POLICIES
-## ISSUES with this policy
-## https://github.com/goauthentik/authentik/blob/493cdd5c0f8caaec7a7dd474f1aa131e32fd39c3/blueprints/example/flows-recovery-email-verification.yaml#L37
-## https://github.com/goauthentik/authentik/commit/317e9ec6053742e17ba74fb6aa38dc15aaf6657f#diff-a5c56bb7c60e27dda1b131b3fc2a17e3af6624e7cfaaa2337ec6b077ca489f34
-# - identifiers:
-#     name: default-recovery-skip-if-restored
-#   id: default-recovery-skip-if-restored
-#   model: authentik_policies_expression.expressionpolicy
-#   attrs:
-#     expression: |
-#       return request.context.get('is_restored', False)
-
-### POLICY BINDINGS
-# - identifiers:
-#     policy: !KeyOf default-recovery-skip-if-restored
-#     target: !KeyOf flow-binding-identification
-#     order: 0
-#   model: authentik_policies.policybinding
-#   attrs:
-#     negate: false
-#     enabled: true
-#     timeout: 30
-# - identifiers:
-#     policy: !KeyOf default-recovery-skip-if-restored
-#     target: !KeyOf flow-binding-email
-#     order: 0
-#   model: authentik_policies.policybinding
-#   attrs:
-#     negate: false
-#     enabled: true
-#     timeout: 30
-
-
-
-######## Authentication Flow ########
-- attrs:
-    designation: authentication
-    name: custom-authentication-flow
-    title: !Context welcome_message
-  identifiers:
-    slug: custom-authentication-flow
-  id: authentication_flow
-  model: authentik_flows.flow
-
-### STAGES
-- attrs:
-    backends:
-    - authentik.core.auth.InbuiltBackend
-    - authentik.sources.ldap.auth.LDAPBackend
-    - authentik.core.auth.TokenBackend
-    configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]
-  identifiers:
-    name: custom-authentication-password
-  id: custom-authentication-password
-  model: authentik_stages_password.passwordstage
-
-- identifiers:
-    name: custom-authentication-mfa-validation
-  id: custom-authentication-mfa-validation
-  model: authentik_stages_authenticator_validate.authenticatorvalidatestage
-
-- attrs:
-    password_stage: !KeyOf custom-authentication-password
-    recovery_flow: !KeyOf recovery_flow  # !Find [authentik_flows.flow, [slug, default-recovery-flow]]
-    user_fields:
-    - email
-    - username
-  identifiers:
-    name: custom-authentication-identification
-  id: custom-authentication-identification
-  model: authentik_stages_identification.identificationstage
-
-- attrs:
-    session_duration: seconds=0
-  identifiers:
-    name: custom-authentication-login
-  id: custom-authentication-login
-  model: authentik_stages_user_login.userloginstage
-
-### STAGE BINDINGS
-- identifiers:
-    order: 10
-    stage: !KeyOf custom-authentication-identification
-    target: !KeyOf authentication_flow
-  model: authentik_flows.flowstagebinding
-- identifiers:
-    order: 30
-    stage: !KeyOf custom-authentication-mfa-validation
-    target: !KeyOf authentication_flow
-  model: authentik_flows.flowstagebinding
-- identifiers:
-    order: 100
-    stage: !KeyOf custom-authentication-login
-    target: !KeyOf authentication_flow
-  model: authentik_flows.flowstagebinding
-
-######## Invitation Enrollment Flow ########
-- attrs:
-    designation: enrollment
-    name: invitation-enrollment-flow
-    title: !Context welcome_message
-  identifiers:
-    slug: invitation-enrollment-flow
-  id: invitation-enrollment-flow
-  model: authentik_flows.flow
-
-### PROMPTS
-- identifiers:
-    field_key: username
-  id: prompt-field-username
-  model: authentik_stages_prompt.prompt
-  attrs:
-    label: !Context transl_username
-    type: username
-    required: true
-    placeholder: !Context transl_username
-    order: 0
-    placeholder_expression: false
-- identifiers:
-    field_key: name
-  id: prompt-field-name
-  model: authentik_stages_prompt.prompt
-  attrs:
-    label: !Context transl_name
-    type: text
-    required: true
-    placeholder: !Context transl_name
-    order: 1
-    placeholder_expression: false
-- identifiers:
-    field_key: email
-    label: Email
-  id: prompt-field-email
-  model: authentik_stages_prompt.prompt
-  attrs:
-    type: email
-    required: true
-    placeholder: muster@example.com
-    order: 2
-    placeholder_expression: false
-
-### STAGES
-
-- id: invitation-stage
-  identifiers:
-    name: invitation-stage
-  model: authentik_stages_invitation.invitationstage
-
-- attrs:
-    fields:
-      - !KeyOf prompt-field-username
-      - !KeyOf prompt-field-name
-      - !KeyOf prompt-field-email
-      - !KeyOf prompt-field-password
-      - !KeyOf prompt-field-password-repeat
-  id: enrollment-prompt-userdata
-  identifiers:
-    name: enrollment-prompt-userdata
-  model: authentik_stages_prompt.promptstage
-
-- id: enrollment-user-write
-  identifiers:
-    name: enrollment-user-write
-  model: authentik_stages_user_write.userwritestage
-
-- attrs:
-    session_duration: seconds=0
-  id: enrollment-user-login
-  identifiers:
-    name: enrollment-user-login
-  model: authentik_stages_user_login.userloginstage
-
-### STAGE BINDINGS
-- identifiers:
-    order: 1
-    stage: !KeyOf invitation-stage
-    target: !KeyOf invitation-enrollment-flow
-  model: authentik_flows.flowstagebinding
-- identifiers:
-    order: 10
-    stage: !KeyOf enrollment-prompt-userdata
-    target: !KeyOf invitation-enrollment-flow
-  model: authentik_flows.flowstagebinding
-- identifiers:
-    order: 20
-    stage: !KeyOf enrollment-user-write
-    target: !KeyOf invitation-enrollment-flow
-  model: authentik_flows.flowstagebinding
-- identifiers:
-    order: 100
-    stage: !KeyOf enrollment-user-login
-    target: !KeyOf invitation-enrollment-flow
-  model: authentik_flows.flowstagebinding
-
-######## Invalidation Flow ########
-- identifiers:
-    slug: logout-flow
-  id: logout-flow
-  model: authentik_flows.flow
-  attrs:
-    name: Logout
-    title: Logout Flow
-    designation: invalidation
-
-### STAGES
-
-- id: logout-stage
-  identifiers:
-    name: logout-stage
-  model: authentik_stages_user_logout.userlogoutstage
-
-### STAGE BINDINGS
-
-- identifiers:
-    order: 0
-    stage: !KeyOf logout-stage
-    target: !KeyOf logout-flow
-  model: authentik_flows.flowstagebinding
-  attrs:
-    re_evaluate_policies: true
-  id: logout-stage-binding
-
-### POLICIES
-- attrs:
-    execution_logging: true
-    expression: 'context[''flow_plan''].context[''redirect''] = ''{{ env "LOGOUT_REDIRECT" }}''
-
-    return True'
-  identifiers:
-    name: redirect-policy
-  id: redirect-policy
-  model: authentik_policies_expression.expressionpolicy
-
-### POLICY BINDINGS
-- identifiers:
-    policy: !KeyOf redirect-policy
-    target: !KeyOf logout-stage-binding
-    order: 0
-  model: authentik_policies.policybinding
-  attrs:
-    enabled: {{ if eq (env "LOGOUT_REDIRECT") "" }} false {{ else }} true {{ end }}
-    timeout: 30
-
-######## System Tenant ##########
-- attrs:
-    attributes:
-      settings:
-        locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }}
-    # branding_favicon: /static/dist/assets/icons/icon.png
-    # branding_logo: /static/dist/assets/icons/icon_left_brand.svg
-    # branding_title: Authentik
-    # default: true
-    domain: {{ env "DOMAIN" }}
-    # event_retention: days=365
-    flow_authentication: !KeyOf authentication_flow
-    flow_recovery: !KeyOf recovery_flow
-    flow_invalidation: !KeyOf logout-flow
-    flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
-  identifiers:
-    pk: 047cce25-aae2-4b02-9f96-078e155f803d
-  id: system_tenant
-  model: authentik_tenants.tenant

entrypoint-css-volume.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+cp -f /web/dist/assets/custom.css /web/dist/custom.css
+
+su $(id -un 1000) -s /bin/bash -c 'dumb-init -- ak server'

entrypoint.postgres.sh.tmpl

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+set -e
+
+MIGRATION_MARKER=$PGDATA/migration_in_progress
+OLDDATA=$PGDATA/old_data
+NEWDATA=$PGDATA/new_data
+
+if [ -e $MIGRATION_MARKER ]; then
+  echo "FATAL: migration was started but did not complete in a previous run. manual recovery necessary"
+  exit 1
+fi
+
+if [ -f $PGDATA/PG_VERSION ]; then
+  DATA_VERSION=$(cat $PGDATA/PG_VERSION)
+
+  if [ -n "$DATA_VERSION" -a "$PG_MAJOR" != "$DATA_VERSION" ]; then
+    echo "postgres data version $DATA_VERSION found, but need $PG_MAJOR. Starting migration"
+    echo "Installing postgres $DATA_VERSION"
+    sed -i "s/$/ $DATA_VERSION/" /etc/apt/sources.list.d/pgdg.list
+    apt-get update && apt-get install -y --no-install-recommends \
+      postgresql-$DATA_VERSION \
+      && rm -rf /var/lib/apt/lists/*
+    echo "shuffling around"
+    chown -R postgres:postgres $PGDATA
+    gosu postgres mkdir $OLDDATA $NEWDATA
+    chmod 700 $OLDDATA $NEWDATA
+    mv $PGDATA/* $OLDDATA/ || true
+    touch $MIGRATION_MARKER
+    echo "running initdb"
+    # abuse entrypoint script for initdb by making server error out
+    gosu postgres bash -c "export PGDATA=$NEWDATA ; /usr/local/bin/docker-entrypoint.sh --invalid-arg || true"
+    echo "running pg_upgrade"
+    cd /tmp
+    gosu postgres pg_upgrade --link -b /usr/lib/postgresql/$DATA_VERSION/bin -d $OLDDATA -D $NEWDATA -U $POSTGRES_USER
+    cp $OLDDATA/pg_hba.conf $NEWDATA/
+    mv $NEWDATA/* $PGDATA
+    rm -rf $OLDDATA
+    rmdir $NEWDATA
+    rm $MIGRATION_MARKER
+    echo "migration complete"
+  fi
+fi
+
+/usr/local/bin/docker-entrypoint.sh postgres

flow_authentication.yaml.tmpl

@@ -22,7 +22,6 @@ entries:
   attrs:
     name: !Context welcome_message
     title: !Context welcome_message
-
 ### STAGES
 - identifiers:
     name: default-authentication-identification
@@ -30,13 +29,17 @@ entries:
   attrs:
     password_stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]]
     recovery_flow: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
+    user_fields:
+    - email
+    - username
 
 - identifiers:
     name: default-authentication-login
   model: authentik_stages_user_login.userloginstage
   attrs:
-    session_duration: seconds=0
+    session_duration: days=30
 
+# After the first run this will produce a RelatedObjectDoesNotExist error
 - identifiers:
     order: 20
     stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]]

flow_invalidation.yaml.tmpl

@@ -13,6 +13,7 @@ entries:
 
 ### STAGE BINDINGS
 
+# This is specified only for setting an id (this stagebinding does not have an identifier)
 - identifiers:
     order: 0
     stage: !Find [authentik_stages_user_logout.userlogoutstage, [name, default-invalidation-logout]]

flow_invitation.yaml.tmpl

@@ -24,6 +24,18 @@ entries:
   id: invitation-enrollment-flow
   model: authentik_flows.flow
 
+### POLICIES
+- attrs:
+    expression: |
+      if not regex_match(request.context.get('prompt_data').get('username'), '\s'):
+          return True
+      ak_message("Username must not contain any whitespace!")
+      return False
+  id: username-without-spaces-policy
+  identifiers:
+    name: username-without-spaces-policy
+  model: authentik_policies_expression.expressionpolicy
+
 ### STAGES
 - identifiers:
     name: invitation-stage
@@ -41,6 +53,8 @@ entries:
       - !Find [authentik_stages_prompt.prompt, [name, default-user-settings-field-email]]
       - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password]]
       - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password-repeat]]
+    validation_policies:
+      - !Find [ authentik_policies_expression.expressionpolicy, [name, username-without-spaces-policy]]
 
 ### STAGE BINDINGS
 - identifiers:

flow_recovery.yaml.tmpl

@@ -4,7 +4,7 @@ metadata:
     blueprints.goauthentik.io/instantiate: "true"
   name: Recovery with email verification
 context:
-  token_expiry: {{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }} 30 {{ else }} {{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }} {{ end }}
+  token_expiry: minutes={{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }}30{{ else }}{{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }}{{ end }}
   subject: {{ if eq (env "EMAIL_SUBJECT") "" }} Account Recovery {{ else }} {{ env "EMAIL_SUBJECT" }} {{ end }} 
 entries:
 ### DEPENDENCIES

flow_translation.yaml.tmpl

@@ -4,7 +4,7 @@ metadata:
     blueprints.goauthentik.io/instantiate: "true"
   name: Flow Translations
 context:
-  transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort Zurücksetzen" {{ else }} "Reset your password" {{ end }}
+  transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort zurücksetzen" {{ else }} "Reset your password" {{ end }}
   transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort" {{ else }} "Password" {{ end }}
   transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort (wiederholen)" {{ else }} "Password (repeat)" {{ end }}
   transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Benutzername" {{ else }} "Username" {{ end }}
@@ -15,7 +15,7 @@ entries:
 - model: authentik_blueprints.metaapplyblueprint
   attrs:
     identifiers:
-      name: Custom Authentication Flow
+      name: Recovery with email verification
     required: true
 - model: authentik_blueprints.metaapplyblueprint
   attrs:

hedgedoc.yaml.tmpl

@@ -0,0 +1,48 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: hedgedoc
+
+entries:
+
+- attrs:
+    access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+    client_id: {{ secret  "hedgedoc_id" }}
+    client_secret: {{ secret  "hedgedoc_secret" }}
+    client_type: confidential
+    include_claims_in_id_token: true
+    issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "HEDGEDOC_DOMAIN" }}/auth/oauth2/callback
+    name: Hedgedoc
+    property_mappings:
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sub_mode: hashed_user_id
+    token_validity: days=30
+  conditions: []
+  id: hedgedoc_provider
+  identifiers:
+    pk: 9992
+  model: authentik_providers_oauth2.oauth2provider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "HEDGEDOC_DOMAIN" }}/auth/oauth2
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf hedgedoc_provider
+    slug: hedgedoc
+  conditions: []
+  id: hedgedoc_application
+  identifiers:
+    name: Hedgedoc
+  model: authentik_core.application
+  state: present

icons/calendar.svg

@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   version="1.1"
+   xml:space="preserve"
+   height="200"
+   width="200"
+   enable-background="new 0 0 595.275 311.111"
+   y="0px"
+   x="0px"
+   viewBox="0 0 200 200"
+   id="svg8"
+   sodipodi:docname="calendar.svg"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg"><defs
+     id="defs12" /><sodipodi:namedview
+     id="namedview10"
+     pagecolor="#ffffff"
+     bordercolor="#000000"
+     borderopacity="0.25"
+     inkscape:showpageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     showgrid="false" /><rect
+     rx="31.25"
+     ry="31.25"
+     height="200"
+     width="200"
+     y="-5.2587998e-06"
+     x="0"
+     fill="#0082c9"
+     id="rect2"
+     style="stroke-width:6.25" /><g
+     transform="matrix(5.580375,0,0,5.580375,3251.3125,-1.2081599)"
+     id="g6"><path
+       fill="#ffffff"
+       d="m -572.71,3.5765 c -1.108,0 -2,0.892 -2,2 v 4 c 0,1.108 0.892,2 2,2 1.108,0 2,-0.892 2,-2 v -4 c 0,-1.108 -0.892,-2 -2,-2 z m 16,0 c -1.108,0 -2,0.892 -2,2 v 4 c 0,1.108 0.892,2 2,2 1.108,0 2,-0.892 2,-2 v -4 c 0,-1.108 -0.892,-2 -2,-2 z m -13,4 v 2 c 0,1.662 -1.338,3 -3,3 -1.662,0 -3,-1.338 -3,-3 v -1.875 c -1.728,0.44254 -3,2.0052 -3,3.875 v 16 c 0,2.216 1.784,4 4,4 h 20 c 2.216,0 4,-1.784 4,-4 v -16 c 0,-1.8698 -1.272,-3.4325 -3,-3.875 v 1.875 c 0,1.662 -1.338,3 -3,3 -1.662,0 -3,-1.338 -3,-3 v -2 z m -5.9062,9 h 21.812 c 0.0554,0 0.0937,0.03835 0.0937,0.09375 v 11.812 c 0,0.0554 -0.0384,0.09375 -0.0937,0.09375 h -21.812 c -0.0554,0 -0.0937,-0.03835 -0.0937,-0.09375 v -11.812 c 0,-0.0554 0.0384,-0.09375 0.0937,-0.09375 z"
+       id="path4" /></g></svg>

icons/help.svg

@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   width="200"
+   height="200"
+   viewBox="0 0 200 200"
+   fill="none"
+   version="1.1"
+   id="svg171"
+   sodipodi:docname="help.svg"
+   inkscape:version="1.2.2 (b0a8486541, 2022-12-01)"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg">
+  <sodipodi:namedview
+     id="namedview173"
+     pagecolor="#ffffff"
+     bordercolor="#000000"
+     borderopacity="0.25"
+     inkscape:showpageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     showgrid="false"
+     inkscape:zoom="2.3032421"
+     inkscape:cx="119.614"
+     inkscape:cy="76.631111"
+     inkscape:window-width="1871"
+     inkscape:window-height="1011"
+     inkscape:window-x="0"
+     inkscape:window-y="0"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="svg171" />
+  <g
+     clip-path="url(#clip0_1735_3439)"
+     id="g164"
+     transform="matrix(8.4444369,0,0,8.4444369,-1.3332428,-1.4116916)">
+    <path
+       d="m 12,18.0093 v -5.25 m 0,0 c 0.5179,0 1.0206,-0.0656 1.5,-0.189 m -1.5,0.189 c -0.5179,0 -1.0206,-0.0656 -1.5,-0.189 m 3.75,7.4784 c -0.7288,0.1383 -1.481,0.2106 -2.25,0.2106 -0.769,0 -1.5212,-0.0723 -2.25,-0.2106 m 3.75,2.3826 c -0.493,0.0515 -0.9934,0.078 -1.5,0.078 -0.5066,0 -1.007,-0.0265 -1.5,-0.078 m 3.75,-4.422 v -0.1917 c 0,-0.9829 0.6583,-1.8233 1.5085,-2.3166 2.237,-1.298 3.7415,-3.7192 3.7415,-6.49172 0,-4.14214 -3.3579,-7.5 -7.5,-7.5 -4.14214,0 -7.5,3.35786 -7.5,7.5 C 4.5,11.7818 6.00446,14.203 8.24155,15.501 9.09173,15.9943 9.75,16.8347 9.75,17.8176 v 0.1917"
+       stroke="#0f172a"
+       stroke-width="1.5"
+       stroke-linecap="round"
+       stroke-linejoin="round"
+       id="path162" />
+  </g>
+  <defs
+     id="defs169">
+    <clipPath
+       id="clip0_1735_3439">
+      <rect
+         width="24"
+         height="24"
+         fill="#ffffff"
+         transform="translate(0,0.00927734)"
+         id="rect166"
+         x="0"
+         y="0" />
+    </clipPath>
+  </defs>
+</svg>

icons/mila.svg

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg id="a" data-name="Ebene 1" xmlns="http://www.w3.org/2000/svg" viewBox="80 60 430 410">
+  <defs>
+    <style>
+      .b {
+        fill: #346180;
+      }
+
+      .c {
+        fill: #009aa5;
+      }
+    </style>
+  </defs>
+  <g>
+    <path class="c" d="M319.57,303.39c41.78,18.41,74.43,42.48,87.64,89.83,4.52,16.2,12.63,44.75-10.72,48.82H101.39c-2.63-.09-9.25-2.82-11.12-4.38-.3-.25-4.06-6.12-4.22-6.49-5.78-13.4,2.35-35.12,7.31-47.71,9.49-24.09,25.75-44.44,46.62-59.63,16.07-11.7,34.34-20.54,53.51-25.78,32.68-8.93,94.96-8.37,126.07,5.34Z"/>
+    <path class="c" d="M299.53,126.4c7.22,5.55,16.92,15.59,20.81,23.69,14.47,30.14,13.54,62.8-6.99,90.82-32.64,44.55-106.51,39.41-133.59-8.24-45.73-80.48,49.74-160.1,119.77-106.26Z"/>
+  </g>
+  <g>
+    <path class="b" d="M395.52,128.43c50.29,40.71,28.84,125.79-34.37,141.27-7.94,1.94-34,4.45-40.2-.24-.7-.53-1.73-1.28-1.25-2.3.2-.42.58-.72.95-1.01,6.58-5.05,11.45-13.02,15.71-20.08s7.99-14.88,10.77-22.84c5.4-15.47,7.48-32.13,5.27-48.4-2.36-17.34-9.63-33.63-20.49-47.31-2.75-3.46-6.2-6.45-9.27-9.63-1.09-1.14-3.73-3.05-4.21-4.6-.9-2.93,2.98-3.72,5.51-4.06,23.02-3.1,46.39,1.77,65.63,14.81,2.04,1.38,4.02,2.84,5.94,4.39Z"/>
+    <path class="b" d="M433.88,441.36c-2.64-2.97.77-10.22,1.03-13.89,3.54-49.03-30.24-100.05-69.07-126.89-1.99-1.38-11.43-6.12-11.91-6.6-1.42-1.44.09-1.81,1.48-1.99,7.36-.93,17.29,1.08,24.7,2.32,16.51,2.77,33.53,8.05,48.48,15.52,18.53,9.24,34.94,22.72,47.79,38.94,11.65,14.7,54.83,91.93,8.76,92.91-15.76.33-31.52.67-47.28,1-1.97.04-3.23-.46-3.99-1.31Z"/>
+  </g>
+</svg>

icons/monitoring.svg

@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 21.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 142.5 145.6" style="enable-background:new 0 0 142.5 145.6;" xml:space="preserve">
+<style type="text/css">
+	.st0{fill:#565656;}
+	.st1{fill:url(#SVGID_1_);}
+</style>
+<g>
+	<path class="st0" d="M28.7,131.5c-0.3,7.9-6.6,14.1-14.4,14.1C6.1,145.6,0,139,0,130.9s6.6-14.7,14.7-14.7c3.6,0,7.2,1.6,10.2,4.4
+		l-2.3,2.9c-2.3-2-5.1-3.4-7.9-3.4c-5.9,0-10.8,4.8-10.8,10.8c0,6.1,4.6,10.8,10.4,10.8c5.2,0,9.3-3.8,10.2-8.8H12.6v-3.5h16.1
+		V131.5z"/>
+	<path class="st0" d="M42.3,129.5h-2.2c-2.4,0-4.4,2-4.4,4.4v11.4h-3.9v-19.6H35v1.6c1.1-1.1,2.7-1.6,4.6-1.6h4.2L42.3,129.5z"/>
+	<path class="st0" d="M63.7,145.3h-3.4v-2.5c-2.6,2.5-6.6,3.7-10.7,1.9c-3-1.3-5.3-4.1-5.9-7.4c-1.2-6.3,3.7-11.9,9.9-11.9
+		c2.6,0,5,1.1,6.7,2.8v-2.5h3.4V145.3z M59.7,137c0.9-4-2.1-7.6-6-7.6c-3.4,0-6.1,2.8-6.1,6.1c0,3.8,3.3,6.7,7.2,6.1
+		C57.1,141.2,59.1,139.3,59.7,137z"/>
+	<path class="st0" d="M71.5,124.7v1.1h6.2v3.4h-6.2v16.1h-3.8v-20.5c0-4.3,3.1-6.8,7-6.8h4.7l-1.6,3.7h-3.1
+		C72.9,121.6,71.5,123,71.5,124.7z"/>
+	<path class="st0" d="M98.5,145.3h-3.3v-2.5c-2.6,2.5-6.6,3.7-10.7,1.9c-3-1.3-5.3-4.1-5.9-7.4c-1.2-6.3,3.7-11.9,9.9-11.9
+		c2.6,0,5,1.1,6.7,2.8v-2.5h3.4v19.6H98.5z M94.5,137c0.9-4-2.1-7.6-6-7.6c-3.4,0-6.1,2.8-6.1,6.1c0,3.8,3.3,6.7,7.2,6.1
+		C92,141.2,93.9,139.3,94.5,137z"/>
+	<path class="st0" d="M119.4,133.8v11.5h-3.9v-11.6c0-2.4-2-4.4-4.4-4.4c-2.5,0-4.4,2-4.4,4.4v11.6h-3.9v-19.6h3.2v1.7
+		c1.4-1.3,3.3-2,5.2-2C115.8,125.5,119.4,129.2,119.4,133.8z"/>
+	<path class="st0" d="M142.4,145.3h-3.3v-2.5c-2.6,2.5-6.6,3.7-10.7,1.9c-3-1.3-5.3-4.1-5.9-7.4c-1.2-6.3,3.7-11.9,9.9-11.9
+		c2.6,0,5,1.1,6.7,2.8v-2.5h3.4v19.6H142.4z M138.4,137c0.9-4-2.1-7.6-6-7.6c-3.4,0-6.1,2.8-6.1,6.1c0,3.8,3.3,6.7,7.2,6.1
+		C135.9,141.2,137.8,139.3,138.4,137z"/>
+</g>
+<linearGradient id="SVGID_1_" gradientUnits="userSpaceOnUse" x1="71.25" y1="10.4893" x2="71.25" y2="113.3415" gradientTransform="matrix(1 0 0 -1 0 148.6)">
+	<stop  offset="0" style="stop-color:#FCEE1F"/>
+	<stop  offset="1" style="stop-color:#F15B2A"/>
+</linearGradient>
+<path class="st1" d="M122.9,49.9c-0.2-1.9-0.5-4.1-1.1-6.5c-0.6-2.4-1.6-5-2.9-7.8c-1.4-2.7-3.1-5.6-5.4-8.3
+	c-0.9-1.1-1.9-2.1-2.9-3.2c1.6-6.3-1.9-11.8-1.9-11.8c-6.1-0.4-9.9,1.9-11.3,2.9c-0.2-0.1-0.5-0.2-0.7-0.3c-1-0.4-2.1-0.8-3.2-1.2
+	c-1.1-0.3-2.2-0.7-3.3-0.9c-1.1-0.3-2.3-0.5-3.5-0.7c-0.2,0-0.4-0.1-0.6-0.1C83.5,3.6,75.9,0,75.9,0c-8.7,5.6-10.4,13.1-10.4,13.1
+	s0,0.2-0.1,0.4c-0.5,0.1-0.9,0.3-1.4,0.4c-0.6,0.2-1.3,0.4-1.9,0.7c-0.6,0.3-1.3,0.5-1.9,0.8c-1.3,0.6-2.5,1.2-3.8,1.9
+	c-1.2,0.7-2.4,1.4-3.5,2.2c-0.2-0.1-0.3-0.2-0.3-0.2c-11.7-4.5-22.1,0.9-22.1,0.9c-0.9,12.5,4.7,20.3,5.8,21.7
+	c-0.3,0.8-0.5,1.5-0.8,2.3c-0.9,2.8-1.5,5.7-1.9,8.7c-0.1,0.4-0.1,0.9-0.2,1.3c-10.8,5.3-14,16.3-14,16.3c9,10.4,19.6,11,19.6,11
+	l0,0c1.3,2.4,2.9,4.7,4.6,6.8c0.7,0.9,1.5,1.7,2.3,2.6c-3.3,9.4,0.5,17.3,0.5,17.3c10.1,0.4,16.7-4.4,18.1-5.5c1,0.3,2,0.6,3,0.9
+	c3.1,0.8,6.3,1.3,9.4,1.4c0.8,0,1.6,0,2.4,0h0.4H80h0.5H81l0,0c4.7,6.8,13.1,7.7,13.1,7.7c5.9-6.3,6.3-12.4,6.3-13.8l0,0
+	c0,0,0,0,0-0.1s0-0.2,0-0.2l0,0c0-0.1,0-0.2,0-0.3c1.2-0.9,2.4-1.8,3.6-2.8c2.4-2.1,4.4-4.6,6.2-7.2c0.2-0.2,0.3-0.5,0.5-0.7
+	c6.7,0.4,11.4-4.2,11.4-4.2c-1.1-7-5.1-10.4-5.9-11l0,0c0,0,0,0-0.1-0.1l-0.1-0.1l0,0l-0.1-0.1c0-0.4,0.1-0.8,0.1-1.3
+	c0.1-0.8,0.1-1.5,0.1-2.3v-0.6v-0.3v-0.1c0-0.2,0-0.1,0-0.2v-0.5v-0.6c0-0.2,0-0.4,0-0.6s0-0.4-0.1-0.6l-0.1-0.6l-0.1-0.6
+	c-0.1-0.8-0.3-1.5-0.4-2.3c-0.7-3-1.9-5.9-3.4-8.4c-1.6-2.6-3.5-4.8-5.7-6.8c-2.2-1.9-4.6-3.5-7.2-4.6c-2.6-1.2-5.2-1.9-7.9-2.2
+	c-1.3-0.2-2.7-0.2-4-0.2h-0.5h-0.1h-0.2h-0.2h-0.5c-0.2,0-0.4,0-0.5,0c-0.7,0.1-1.4,0.2-2,0.3c-2.7,0.5-5.2,1.5-7.4,2.8
+	c-2.2,1.3-4.1,3-5.7,4.9s-2.8,3.9-3.6,6.1c-0.8,2.1-1.3,4.4-1.4,6.5c0,0.5,0,1.1,0,1.6c0,0.1,0,0.3,0,0.4v0.4c0,0.3,0,0.5,0.1,0.8
+	c0.1,1.1,0.3,2.1,0.6,3.1c0.6,2,1.5,3.8,2.7,5.4s2.5,2.8,4,3.8s3,1.7,4.6,2.2c1.6,0.5,3.1,0.7,4.5,0.6c0.2,0,0.4,0,0.5,0
+	c0.1,0,0.2,0,0.3,0s0.2,0,0.3,0c0.2,0,0.3,0,0.5,0h0.1h0.1c0.1,0,0.2,0,0.3,0c0.2,0,0.4-0.1,0.5-0.1c0.2,0,0.3-0.1,0.5-0.1
+	c0.3-0.1,0.7-0.2,1-0.3c0.6-0.2,1.2-0.5,1.8-0.7c0.6-0.3,1.1-0.6,1.5-0.9c0.1-0.1,0.3-0.2,0.4-0.3c0.5-0.4,0.6-1.1,0.2-1.6
+	c-0.4-0.4-1-0.5-1.5-0.3C88,74,87.9,74,87.7,74.1c-0.4,0.2-0.9,0.4-1.3,0.5c-0.5,0.1-1,0.3-1.5,0.4c-0.3,0-0.5,0.1-0.8,0.1
+	c-0.1,0-0.3,0-0.4,0c-0.1,0-0.3,0-0.4,0s-0.3,0-0.4,0c-0.2,0-0.3,0-0.5,0c0,0-0.1,0,0,0h-0.1h-0.1c-0.1,0-0.1,0-0.2,0
+	s-0.3,0-0.4-0.1c-1.1-0.2-2.3-0.5-3.4-1c-1.1-0.5-2.2-1.2-3.1-2.1c-1-0.9-1.8-1.9-2.5-3.1c-0.7-1.2-1.1-2.5-1.3-3.8
+	c-0.1-0.7-0.2-1.4-0.1-2.1c0-0.2,0-0.4,0-0.6c0,0.1,0,0,0,0v-0.1v-0.1c0-0.1,0-0.2,0-0.3c0-0.4,0.1-0.7,0.2-1.1c0.5-3,2-5.9,4.3-8.1
+	c0.6-0.6,1.2-1.1,1.9-1.5c0.7-0.5,1.4-0.9,2.1-1.2c0.7-0.3,1.5-0.6,2.3-0.8s1.6-0.4,2.4-0.4c0.4,0,0.8-0.1,1.2-0.1
+	c0.1,0,0.2,0,0.3,0h0.3h0.2c0.1,0,0,0,0,0h0.1h0.3c0.9,0.1,1.8,0.2,2.6,0.4c1.7,0.4,3.4,1,5,1.9c3.2,1.8,5.9,4.5,7.5,7.8
+	c0.8,1.6,1.4,3.4,1.7,5.3c0.1,0.5,0.1,0.9,0.2,1.4v0.3V66c0,0.1,0,0.2,0,0.3c0,0.1,0,0.2,0,0.3v0.3v0.3c0,0.2,0,0.6,0,0.8
+	c0,0.5-0.1,1-0.1,1.5c-0.1,0.5-0.1,1-0.2,1.5s-0.2,1-0.3,1.5c-0.2,1-0.6,1.9-0.9,2.9c-0.7,1.9-1.7,3.7-2.9,5.3
+	c-2.4,3.3-5.7,6-9.4,7.7c-1.9,0.8-3.8,1.5-5.8,1.8c-1,0.2-2,0.3-3,0.3H81h-0.2h-0.3H80h-0.3c0.1,0,0,0,0,0h-0.1
+	c-0.5,0-1.1,0-1.6-0.1c-2.2-0.2-4.3-0.6-6.4-1.2c-2.1-0.6-4.1-1.4-6-2.4c-3.8-2-7.2-4.9-9.9-8.2c-1.3-1.7-2.5-3.5-3.5-5.4
+	s-1.7-3.9-2.3-5.9c-0.6-2-0.9-4.1-1-6.2v-0.4v-0.1v-0.1v-0.2V60v-0.1v-0.1v-0.2v-0.5V59l0,0v-0.2c0-0.3,0-0.5,0-0.8
+	c0-1,0.1-2.1,0.3-3.2c0.1-1.1,0.3-2.1,0.5-3.2c0.2-1.1,0.5-2.1,0.8-3.2c0.6-2.1,1.3-4.1,2.2-6c1.8-3.8,4.1-7.2,6.8-9.9
+	c0.7-0.7,1.4-1.3,2.2-1.9c0.3-0.3,1-0.9,1.8-1.4c0.8-0.5,1.6-1,2.5-1.4c0.4-0.2,0.8-0.4,1.3-0.6c0.2-0.1,0.4-0.2,0.7-0.3
+	c0.2-0.1,0.4-0.2,0.7-0.3c0.9-0.4,1.8-0.7,2.7-1c0.2-0.1,0.5-0.1,0.7-0.2c0.2-0.1,0.5-0.1,0.7-0.2c0.5-0.1,0.9-0.2,1.4-0.4
+	c0.2-0.1,0.5-0.1,0.7-0.2c0.2,0,0.5-0.1,0.7-0.1c0.2,0,0.5-0.1,0.7-0.1l0.4-0.1l0.4-0.1c0.2,0,0.5-0.1,0.7-0.1
+	c0.3,0,0.5-0.1,0.8-0.1c0.2,0,0.6-0.1,0.8-0.1c0.2,0,0.3,0,0.5-0.1h0.3h0.2h0.2c0.3,0,0.5,0,0.8-0.1h0.4c0,0,0.1,0,0,0h0.1h0.2
+	c0.2,0,0.5,0,0.7,0c0.9,0,1.8,0,2.7,0c1.8,0.1,3.6,0.3,5.3,0.6c3.4,0.6,6.7,1.7,9.6,3.2c2.9,1.4,5.6,3.2,7.8,5.1
+	c0.1,0.1,0.3,0.2,0.4,0.4c0.1,0.1,0.3,0.2,0.4,0.4c0.3,0.2,0.5,0.5,0.8,0.7c0.3,0.2,0.5,0.5,0.8,0.7c0.2,0.3,0.5,0.5,0.7,0.8
+	c1,1,1.9,2.1,2.7,3.1c1.6,2.1,2.9,4.2,3.9,6.2c0.1,0.1,0.1,0.2,0.2,0.4c0.1,0.1,0.1,0.2,0.2,0.4s0.2,0.5,0.4,0.7
+	c0.1,0.2,0.2,0.5,0.3,0.7c0.1,0.2,0.2,0.5,0.3,0.7c0.4,0.9,0.7,1.8,1,2.7c0.5,1.4,0.8,2.6,1.1,3.6c0.1,0.4,0.5,0.7,0.9,0.7
+	c0.5,0,0.8-0.4,0.8-0.9C123,52.7,123,51.4,122.9,49.9z"/>
+</svg>

icons/poll.svg

@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   width="200"
+   height="200"
+   viewBox="0 0 200 200"
+   fill="none"
+   version="1.1"
+   id="svg282"
+   sodipodi:docname="poll.svg"
+   inkscape:version="1.2.2 (b0a8486541, 2022-12-01)"
+   inkscape:export-filename="poll_tall.svg"
+   inkscape:export-xdpi="96"
+   inkscape:export-ydpi="96"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg">
+  <defs
+     id="defs286" />
+  <sodipodi:namedview
+     id="namedview284"
+     pagecolor="#ffffff"
+     bordercolor="#000000"
+     borderopacity="0.25"
+     inkscape:showpageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     showgrid="false"
+     inkscape:zoom="4.3999736"
+     inkscape:cx="116.47797"
+     inkscape:cy="125.79621"
+     inkscape:window-width="1871"
+     inkscape:window-height="1011"
+     inkscape:window-x="0"
+     inkscape:window-y="0"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="svg282" />
+  <path
+     d="M 51.538464,16.923263 V 37.692495 M 148.46154,16.923263 V 37.692495 M 16.923078,162.30751 V 58.461725 c 0,-11.470523 9.298709,-20.76923 20.769232,-20.76923 h 124.61538 c 11.47016,0 20.76923,9.298707 20.76923,20.76923 V 162.30751 m -166.153842,0 c 0,11.47108 9.298709,20.76923 20.769232,20.76923 h 124.61538 c 11.47016,0 20.76923,-9.29815 20.76923,-20.76923 m -166.153842,0 V 93.076741 c 0,-11.470154 9.298709,-20.768862 20.769232,-20.768862 h 124.61538 c 11.47016,0 20.76923,9.298708 20.76923,20.768862 V 162.30751 M 100,106.92289 h 0.0692 v 0.0692 H 100 Z m 0,20.76924 h 0.0692 v 0.0692 H 100 Z m 0,20.76923 h 0.0692 v 0.0692 H 100 Z M 79.230771,127.69213 h 0.06923 v 0.0692 h -0.06923 z m 0,20.76923 h 0.06923 v 0.0692 h -0.06923 z M 58.46154,127.69213 h 0.06923 v 0.0692 h -0.06923 z m 0,20.76923 h 0.06923 v 0.0692 h -0.06923 z m 62.30769,-41.53847 h 0.0692 v 0.0692 h -0.0692 z m 0,20.76924 h 0.0692 v 0.0692 h -0.0692 z m 0,20.76923 h 0.0692 v 0.0692 h -0.0692 z m 20.76923,-41.53847 h 0.0692 v 0.0692 h -0.0692 z m 0,20.76924 h 0.0692 v 0.0692 h -0.0692 z"
+     stroke="#0f172a"
+     stroke-width="13.8462"
+     stroke-linecap="round"
+     stroke-linejoin="round"
+     id="path280" />
+</svg>

icons/pretix.svg

@@ -0,0 +1 @@
+<?xml version="1.0" encoding="UTF-8"?><svg id="Ebene_1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 128 128"><defs><style>.cls-1{fill:#3b1c4a;}</style></defs><path class="cls-1" d="m50.67,56.95c-.72.1-1.22.3-1.66.5l2.38,16.91c.41.08.95.13,1.6.04,3.52-.5,4.61-3.64,3.81-9.39-.83-5.87-2.53-8.56-6.12-8.06Z"/><path class="cls-1" d="m116.04,35.05c.71-.17,1.16-.76,1.06-1.48L112.54,1.13c-.1-.72-.77-1.22-1.49-1.12l-37.5,5.27.73,5.22c.16,1.12-.62,2.15-1.74,2.31s-2.15-.62-2.31-1.74l-.73-5.22L1.13,15.46c-.72.1-1.22.77-1.12,1.49l4.56,32.44c.1.72.7,1.17,1.42,1.13,11.25-.92,21.43,7.1,23.03,18.46,1.6,11.36-5.99,21.81-17.07,23.96-.71.17-1.16.76-1.06,1.48l4.56,32.44c.1.72.77,1.22,1.49,1.12l68.37-9.61-.73-5.22c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l.73,5.22,37.5-5.27c.72-.1,1.22-.77,1.12-1.49l-4.56-32.44c-.1-.72-.7-1.17-1.42-1.13-11.25.92-21.42-7.04-23.02-18.4-1.6-11.36,5.98-21.87,17.06-24.03Zm-59.84,44.75c-1.76.25-3.29.26-4.04.17l1.59,11.29-9.92,1.39-5.3-37.73c2.5-1.62,5.96-3.03,11.38-3.8,8.68-1.22,15.27,2.58,16.66,12.44,1.25,8.88-3.12,15.21-10.36,16.23Zm30.73,20.71c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31,1.12-.16,2.15.62,2.31,1.74l1.47,10.44Zm-3.16-22.45c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l1.47,10.44Z"/></svg>

icons/support.svg

@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   width="200"
+   height="200"
+   viewBox="0 0 200 200"
+   fill="none"
+   version="1.1"
+   id="svg346"
+   sodipodi:docname="support.svg"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg">
+  <defs
+     id="defs350" />
+  <sodipodi:namedview
+     id="namedview348"
+     pagecolor="#ffffff"
+     bordercolor="#000000"
+     borderopacity="0.25"
+     inkscape:showpageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     showgrid="false" />
+  <path
+     d="m 79.332968,56.337414 c 11.415493,-9.988348 29.923442,-9.988348 41.338062,0 11.41559,9.988447 11.41559,26.182585 0,36.171713 -1.98672,1.738257 -4.1878,3.173487 -6.53016,4.307641 -7.26579,3.515482 -14.13892,9.727022 -14.13892,17.798612 v 7.3077 m 87.69036,-21.923081 c 0,48.431491 -39.26082,87.692311 -87.692311,87.692311 -48.431097,0 -87.692308,-39.26082 -87.692308,-87.692311 0,-48.431097 39.261211,-87.692308 87.692308,-87.692308 48.431491,0 87.692311,39.261211 87.692311,87.692308 z M 99.999999,151.15385 h 0.07308 v 0.0731 h -0.07308 z"
+     stroke="#0f172a"
+     stroke-width="14.6154"
+     stroke-linecap="round"
+     stroke-linejoin="round"
+     id="path344" />
+</svg>

icons/talk.svg

@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   inkscape:version="1.1-dev (f9311a1, 2019-12-25)"
+   sodipodi:docname="talk8.svg"
+   id="svg19"
+   xml:space="preserve"
+   viewBox="0 0 1024 1024"
+   version="1.1"
+   stroke-miterlimit="1.4142"
+   stroke-linejoin="round"
+   fill-rule="evenodd"
+   clip-rule="evenodd"><metadata
+   id="metadata23"><rdf:RDF><cc:Work
+       rdf:about=""><dc:format>image/svg+xml</dc:format><dc:type
+         rdf:resource="http://purl.org/dc/dcmitype/StillImage" /><dc:title></dc:title></cc:Work></rdf:RDF></metadata><sodipodi:namedview
+   inkscape:current-layer="svg19"
+   inkscape:window-maximized="1"
+   inkscape:window-y="23"
+   inkscape:window-x="1440"
+   inkscape:cy="522.40348"
+   inkscape:cx="510.51379"
+   inkscape:zoom="0.67285156"
+   showgrid="false"
+   id="namedview21"
+   inkscape:window-height="1035"
+   inkscape:window-width="1920"
+   inkscape:pageshadow="2"
+   inkscape:pageopacity="0"
+   guidetolerance="10"
+   gridtolerance="10"
+   objecttolerance="10"
+   borderopacity="1"
+   inkscape:document-rotation="0"
+   bordercolor="#666666"
+   pagecolor="#ffffff" /><defs
+   id="defs15"><linearGradient
+     gradientUnits="userSpaceOnUse"
+     gradientTransform="matrix(8.96 0 0 8.96 -7.8457e-5 .00019795)"
+     y2="-7.6294e-6"
+     y1="150"
+     x2="150"
+     x1="18.23"
+     id="a"><stop
+       id="stop10"
+       offset="0"
+       stop-color="#0082c9" /><stop
+       id="stop12"
+       offset="1"
+       stop-color="#1cafff" /></linearGradient></defs>
+<rect
+   id="rect17"
+   fill-rule="evenodd"
+   fill="url(#a)"
+   height="1024"
+   width="1024" /><path
+   style="fill:#ffffff"
+   inkscape:connector-curvature="0"
+   d="M 511.95919,186 A 325.96385,325.95103 0 0 0 186,511.96034 325.96385,325.95103 0 0 0 511.95919,837.91133 325.96385,325.95103 0 0 0 681.04889,790.22529 c 40.06218,15.91895 129.79781,63.14682 151.15526,42.74701 22.3177,-21.31206 -26.20129,-121.61808 -37.83331,-158.89148 A 325.96385,325.95103 0 0 0 837.91466,511.95755 325.96385,325.95103 0 0 0 511.96013,186.01118 Z m 0.0373,123.92323 A 202.1178,202.11161 0 0 1 714.11425,512.03485 202.1178,202.11161 0 0 1 511.99645,714.13247 202.1178,202.11161 0 0 1 309.87866,512.03485 202.1178,202.11161 0 0 1 511.99645,309.92323 Z"
+   stroke-width="0.14"
+   fill="#000"
+   id="path25" /></svg>

icons/vikunja.svg

@@ -0,0 +1,12 @@
+<svg xmlns="http://www.w3.org/2000/svg" xml:space="preserve" viewBox="0 0 256 256" width="256" height="256">
+  <path d="M2268.2 2512.3a953.7 953.7 0 0 1-50 57c-180.5 189.5-426.2 294-691.6 294A953.7 953.7 0 0 1 847.8 2582a952.7 952.7 0 0 1-281.2-678.8 953.8 953.8 0 0 1 281.2-678.9 953.7 953.7 0 0 1 678.8-281.1 953.7 953.7 0 0 1 678.8 281.1 953.7 953.7 0 0 1 281.2 678.9c0 219.2-78.9 437.2-218.4 609" style="fill:#196aff;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
+  <path d="M1823.7 1650.9c35.7 104.2 94.7 136.1 102 297 2.6 56.5-14.7 236-14.7 236s28 72-25.8 152.3c-83.5 124.3-255.4 132.8-345.7 132.8-90.3 0-260.2-8.5-343.7-132.8C1142 2256 1170 2184 1170 2184s-9.5-92.4-16.7-173.8c-1.7-19.1.1-94.7 2.4-113a453 453 0 0 1 25.8-96.2c14.4-39.6 36.8-79.9 54-120.5 51.8-122.8 8.4-274.9 11.1-407.3 2.2-94-20-189.3-28.7-281.2a960.4 960.4 0 0 1 308.7-50.6 958.6 958.6 0 0 1 344.9 63.6c-20.4 115-44.1 224.2-47.8 265.9-10.6 125.9-41.3 259.4 0 380" style="fill:#fff;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36655635" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
+  <path d="M1162.9 2383.9c1.1-18.8 3-38 8.3-56.2 1.6-5.7 4-19.7 11.4-21.8 9-2.6 25.9 8.3 32.3 13 12.3 9 23.9 18.5 36.2 27.6 8 6 16.5 10.5 24.3 16.5 8.4 6.6 14.7 14.5 21.7 22.2 8.4 9.4 14.8 19 21.3 29.5 5.1 8.2 37.1 13.5 42.2 21 5.6 8.3 1 18.6 1 28.7 0 74.2 4.4 147.6 6.1 220.3 1.8 50 21.4 109.2-53.4 85.8-160.3-50-158.5-271.3-151.4-386.6M1869.1 2279.7c-1.6 1.8-4.2 3.2-6.3 4.8a208 208 0 0 0-25.1 21.5c-9.4 9.6-19.2 19-28.2 28.9-7.9 8.7-17.3 16.6-25 25.6-5.1 6-10 12.3-14.6 18.5-2.3 3.2-3.5 7-5.3 10.4-2.7 5-40 10.1-36.2 15 6.3 8.3 20.3 15.4 23.7 25 17.2 48.6 24.8 244.5 26.8 294.5 5.4 127.8 117.6-6.3 137.2-57.7 57-149.7 23.2-258.8-46.3-386.6" style="fill:#fff;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
+  <path d="M1716.5 1787.9c-.1 73.8-9.3 103.6-50.4 139.7-25.8 22.6-55.9 31.2-103.8 30-47.9 1.2-82.4-13.4-107.3-39.2-37.5-39-47.4-62-47.5-135.9 0-39.9 43-128.1 55.7-148.5 21.3-36 60.6-48.9 99.1-46.2 38.6-2.7 77.9 10.3 99.1 46.2 12.8 20.4 55.1 107 55 153.9" style="fill:#f1e6d3;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
+  <path d="M1226.6 2316c-9.6 86.2-38.6 240 61.5 331.3 11 10.1 14-24.2 15.8-38 2.6-19 0-73.5.4-92.6.7-36.1 8.3-55 4.7-71.5-9.6-45-17.3-42.2-26.5-69.6-18.3-54.4-53.3-83-55.9-59.5M1851.7 2333c10.3-18.2 37 80.3 45.4 123.2 8 40.3 18 93.8 4 133.9-7.4 21.5-53 84.5-58.4 62.9-2-8.5-3.2-71.1-8.3-101.1-6.4-37.1-18-73.8-18-111.6-.2-84.5 25.3-88 35.3-107.2" style="fill:#f1d7d4;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
+  <path d="M1522 1319.7c-2.2-6.5-18.6-11.4-24.8-13.3-14.9-4.9-28.1 6.9-36.4 16.8-11.6 13.7-11.3 35.6-16.2 51.6-2.9 9.7-19.5 11-24.5 2-16.6-29.8-81.1 26.4-66.1 45.2 9.9 12.3-13.8 23.2-23.6 11-29-36.1 49-103.4 93.6-85.2 2-9 4-18 8-26.6 7.4-16.9 23.9-27.8 41-37 23.1-12.4 68.2 9.5 75 30.3 4.9 14.5-21.2 19.7-26 5.2M1727.6 1538.2c2.4-10 2.8-44-16-25.4-7.5 7.5-22.6 3-23.2-7-1.4-23.4-24.9-24-45.1-16.9-16 5.6-24.6-16.6-8.6-22.1 29.7-10.4 62-4.6 74.7 17.8 10.1-4.7 21.5-6 30.7 2.6 16 15 18.4 36.2 13.7 55.7-3.5 14.8-29.7 10.1-26.2-4.7M1775 1049.2c-7-14.3-19.8-13.4-33.6-7.4-10.1 4.4-22.6-2.8-19.6-13 6.2-20.6-19.7-26.6-37.3-19.3-15.4 6.5-28.8-13.8-13.2-20.3 31.6-13.2 71.7-1.6 77.5 26.2 20.4-3.3 39.8 2.4 49.4 22.3 6.7 13.6-16.4 25.4-23.2 11.5M1569.8 2153.3c-3.3-20.2-41.1 3.3-50.5 9.7-8.3 5.5-19 2.1-20-7.3-1.4-12.7-18.5-9-26.3-7.4-14.8 3-27.4 12.2-27.7 26-.4 13.6 8.2 27.7 12.6 40.4 2.9 8-8.7 17-17.2 11.5-15.2-9.7-88.7-18.5-59.4 13.6 9.3 10.2-7.1 24.8-16.6 14.5-13.5-14.8-22.6-48.7 6.6-56 15.5-3.7 37.8-3.5 56.8.8-8-25.5-9.6-48.8 23.2-65.1 22.1-11.1 52.5-11 65.4 6 27.2-14.5 69.7-28.7 75.6 7.8 2.1 13-20.4 18.5-22.5 5.5" style="fill:#faeee0;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
+  <path d="M1443 1685.6c39.4-3.4 78.8-12.3 118.5-10.9 25.4 1 51.7 4.5 76.8 8.2 18.2 2.7 40.5 6 52.7 19.4 1-45-92.6-59.1-128.9-60-42.1-1-89.5 17.2-119 43.3" style="fill:#494949;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
+  <path d="M1549.4 1779.5a353.5 353.5 0 0 1-2.7-87.3c.7-7.6-1.3-25.7 8.8-29.5 8.2-3 18.3 2.7 19.7 10.1 2.2 12.5-3 28.2-3.5 41-.5 14.9 0 29.8 1.6 44.7 1 8.8 5.9 20.7-4.2 27-7.4 4.5-18.3 2.8-19.7-6" style="fill:#494949;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
+  <path d="M1626 1849.7c-23.7-1-45.7-14.2-63.4-27-16.1 10.7-40.5 20.5-60.7 14.8-12-3.4-1.1-7.1 4-10.3 9.2-6.2 16.8-14.2 23.7-22.4 10.3-12.6 19.6-25.8 30.7-38 7.6 5.6 15 11.1 21.6 17.6 3.1 3 28.5 37 32.4 42.7 2.4 3.6 5 7.4 7.8 10.8 2.9 3.5 11 9 3.9 11.8" style="fill:#494949;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
+  <path d="M1326.5 2010c11.7 30.3 24.3 68.4 56.3 62.4 24.2-5.2 56.7-86.2 36-78.2-11.3 4.4-20.3 41.1-41.4 46-13.4 3-32-43.6-50-48.4-8.7-2.3-4.3 10.4-.9 18.2M1670.6 2010c11.7 30.3 24.2 68.4 56.3 62.4 24.2-5.2 56.7-86.2 35.9-78.2-11.3 4.4-20.2 41.1-41.3 46-13.5 3-32-43.6-50-48.4-8.7-2.3-4.4 10.4-1 18.2" style="fill:#2c3844;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
+</svg>

icons/zammad.svg

@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg width="126px" height="108px" viewBox="0 0 42 36" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:sketch="http://www.bohemiancoding.com/sketch/ns">
+    <!-- Generator: Sketch 3.3.2 (12043) - http://www.bohemiancoding.com/sketch -->
+    <title>logo</title>
+    <desc>Created with Sketch.</desc>
+    <defs/>
+    <g id="Page-1" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd" sketch:type="MSPage">
+        <g id="logo" sketch:type="MSArtboardGroup">
+            <g sketch:type="MSLayerGroup" transform="translate(1.000000, 0.000000)" id="Shape">
+                <path d="M27.3375,12.6 L36.72,9.72 L31.1625,13.2525 L27.3375,12.6 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
+                <path d="M33.0525,19.62 L31.1625,13.2525 L36.72,9.72 L35.055,15.435 L33.0525,19.62 Z" fill="#E84F83" sketch:type="MSShapeGroup"/>
+                <path d="M39.465,7.9875 L38.43,9.72 L35.055,15.435 L36.72,9.72 L39.465,7.9875 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
+                <path d="M39.8025,9.1125 L37.1925,11.79 L38.43,9.72 L39.8025,9.1125 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
+                <path d="M27.9,10.8225 L35.5725,10.0575 L30.24,11.7 L27.9,10.8225 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
+                <path d="M28.1925,15.165 L31.1625,13.2525 L33.0525,19.62 L32.0625,21.645 L28.1925,15.165 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
+                <path d="M23.76,22.725 L22.3425,5.4 L32.0625,21.645 L23.76,22.725 Z" fill="#B7DFF2" sketch:type="MSShapeGroup"/>
+                <path d="M19.7325,27.1575 L23.76,22.725 L32.0625,21.645 L19.7325,27.1575 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
+                <path d="M0.1575,35.865 L19.7325,27.1575 L23.76,22.725 L17.37,22.0725 L0.1575,35.865 Z" fill="#FFCE33" sketch:type="MSShapeGroup"/>
+                <path d="M0.9,28.755 L10.9575,27.225 L14.085,24.705 L12.555,24.03 L0.9,28.755 Z" fill="#D6B12D" sketch:type="MSShapeGroup"/>
+                <path d="M4.5225,20.5425 L14.085,24.705 L17.37,22.0725 L4.5225,20.5425 Z" fill="#FFDE85" sketch:type="MSShapeGroup"/>
+                <path d="M21.6225,11.6775 L20.4075,11.88 L17.37,22.0725 L20.655,20.0025 L21.6225,11.6775 Z" fill="#009EC6" sketch:type="MSShapeGroup"/>
+                <path d="M23.4,18.2475 L20.655,20.0025 L22.3425,5.4 L23.4,18.2475 Z" fill="#5EAFCE" sketch:type="MSShapeGroup"/>
+                <path d="M13.0275,13.05 L21.6225,11.6775 L22.005,8.28 L13.0275,13.05 Z" fill="#045972" sketch:type="MSShapeGroup"/>
+                <path d="M12.105,5.085 L19.575,9.585 L22.005,8.28 L22.0725,7.8075 L12.105,5.085 Z" fill="#5A8591" sketch:type="MSShapeGroup"/>
+                <path d="M13.5675,0.18 L20.3625,7.335 L22.0725,7.8075 L22.3425,5.4 L13.5675,0.18 Z" fill="#009EC6" sketch:type="MSShapeGroup"/>
+                <path d="M17.37,22.0725 L23.4,18.2475 L23.76,22.725 L17.37,22.0725 Z" fill="#F39804" sketch:type="MSShapeGroup"/>
+            </g>
+        </g>
+    </g>
+</svg>

kimai.yaml.tmpl

@@ -0,0 +1,50 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: kimai
+
+entries:
+- attrs:
+    acs_url: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml/acs
+    assertion_valid_not_before: minutes=-5
+    assertion_valid_not_on_or_after: minutes=5
+    audience: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+    digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
+    issuer: https://{{ env  "DOMAIN" }}
+    name: Kimai
+    name_id_mapping: !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
+    property_mappings:
+    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Name"]]
+    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Email"]]
+    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: User ID"]]
+    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
+    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Groups"]]
+    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: UPN"]]
+    session_valid_not_on_or_after: minutes=86400
+    sign_assertion: true
+    signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
+    signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sp_binding: post
+  conditions: []
+  id: kimai_provider
+  identifiers:
+    pk: 9991
+  model: authentik_providers_saml.samlprovider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml/login
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf kimai_provider
+    slug: kimai
+  conditions: []
+  id: kimai_application
+  identifiers:
+    name: Kimai
+  model: authentik_core.application
+  state: present

matrix.yaml.tmpl

@@ -8,12 +8,17 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "matrix_id" }}
     client_secret: {{ secret  "matrix_secret" }}
     client_type: confidential
     include_claims_in_id_token: true
     issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "MATRIX_DOMAIN" }}/_synapse/client/oidc/callback
     name: Matrix
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
@@ -34,10 +39,10 @@ entries:
     open_in_new_tab: true
     policy_engine_mode: any
     provider: !KeyOf matrix_provider
-    slug: matrix
+    name: Element
   conditions: []
   id: matrix_application
   identifiers:
-    name: Matrix
+    slug: matrix
   model: authentik_core.application
   state: present

mila.yaml.tmpl

@@ -0,0 +1,49 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: mila
+
+entries:
+
+- attrs:
+    access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+    client_id: {{ secret  "mila_id" }}
+    client_secret: {{ secret  "mila_secret" }}
+    client_type: confidential
+    include_claims_in_id_token: true
+    issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "MILA_DOMAIN" }}/auth/user/oidc/callback
+    name: Mila
+    property_mappings:
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sub_mode: hashed_user_id
+    token_validity: days=30
+  conditions: []
+  id: mila_provider
+  identifiers:
+    pk: 9990
+  model: authentik_providers_oauth2.oauth2provider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "MILA_DOMAIN" }}
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf mila_provider
+    slug: mila
+  conditions: []
+  id: mila_application
+  identifiers:
+    name: Mila
+  model: authentik_core.application
+  state: present
+

monitoring.yaml.tmpl

@@ -0,0 +1,48 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: monitoring 
+
+entries:
+
+- attrs:
+    access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+    client_id: {{ secret  "monitoring_id" }}
+    client_secret: {{ secret  "monitoring_secret" }}
+    client_type: confidential
+    include_claims_in_id_token: true
+    issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "MONITORING_DOMAIN" }}/login/generic_oauth
+    name: Monitoring
+    property_mappings:
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sub_mode: user_username
+    token_validity: days=30
+  conditions: []
+  id: monitoring_provider
+  identifiers:
+    pk: 9990
+  model: authentik_providers_oauth2.oauth2provider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "MONITORING_DOMAIN" }}
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf monitoring_provider
+    slug: monitoring 
+  conditions: []
+  id: monitoring_application
+  identifiers:
+    name: Monitoring 
+  model: authentik_core.application
+  state: present

nextcloud.yaml.tmpl

@@ -20,12 +20,17 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "nextcloud_id" }}
     client_secret: {{ secret  "nextcloud_secret" }}
     client_type: confidential
     include_claims_in_id_token: true
     issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "NEXTCLOUD_DOMAIN" }}/apps/sociallogin/custom_oidc/authentik
     name: Nextcloud
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]

outline.yaml.tmpl

@@ -0,0 +1,48 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: outline
+
+entries:
+
+- attrs:
+    access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+    client_id: {{ secret  "outline_id" }}
+    client_secret: {{ secret  "outline_secret" }}
+    client_type: confidential
+    include_claims_in_id_token: true
+    issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "OUTLINE_DOMAIN" }}/auth/oidc.callback
+    name: Outline
+    property_mappings:
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sub_mode: hashed_user_id
+    token_validity: days=30
+  conditions: []
+  id: outline_provider
+  identifiers:
+    pk: 9994
+  model: authentik_providers_oauth2.oauth2provider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "OUTLINE_DOMAIN" }}/auth/oidc
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf outline_provider
+    slug: outline
+  conditions: []
+  id: outline_application
+  identifiers:
+    name: Outline
+  model: authentik_core.application
+  state: present

pg_backup.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+
+BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
+
+function backup {
+  export PGPASSWORD=$(cat /run/secrets/db_password)
+  pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
+}
+
+function restore {
+    cd /var/lib/postgresql/data/
+    restore_config(){
+        # Restore allowed connections
+        cat pg_hba.conf.bak > pg_hba.conf
+        su postgres -c 'pg_ctl reload'
+    }
+    # Don't allow any other connections than local
+    cp pg_hba.conf pg_hba.conf.bak
+    echo "local all all trust" > pg_hba.conf
+    su postgres -c 'pg_ctl reload'
+    trap restore_config EXIT INT TERM
+
+    # Recreate Database
+    psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);" 
+    createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
+    psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
+
+    trap - EXIT INT TERM
+    restore_config
+}
+
+$@

rallly.yaml.tmpl

@@ -0,0 +1,48 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: rallly
+
+entries:
+
+- attrs:
+    access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+    client_id: {{ secret  "rallly_id" }}
+    client_secret: {{ secret  "rallly_secret" }}
+    client_type: confidential
+    include_claims_in_id_token: true
+    issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "RALLLY_DOMAIN" }}/api/auth/callback/oidc
+    name: Rallly
+    property_mappings:
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sub_mode: hashed_user_id
+    token_validity: days=30
+  conditions: []
+  id: rallly_provider
+  identifiers:
+    pk: 9993
+  model: authentik_providers_oauth2.oauth2provider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "RALLLY_DOMAIN" }}
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf rallly_provider
+    slug: rallly
+  conditions: []
+  id: rallly_application
+  identifiers:
+    name: Rallly
+  model: authentik_core.application
+  state: present

release/10.0.0+2025.10.2

@@ -0,0 +1 @@
+2025.10 removes redis. Since 2025.8 all redis tasks have been migrated to postgres.

release/10.2.0+2025.12.4

@@ -0,0 +1 @@
+This is an intermediate release (required for migrations) before upgrading to 2026.x.

release/11.0.0+2026.2.1

@@ -0,0 +1,3 @@
+You must deploy 10.2.0+2025.12.4 first, before deploying this version, if upgrading from 2025.10 or earlier.
+Skipping the intermediate version will cause a migration error (although rolled back safely, no data loss).
+

release/11.0.2+2026.2.1

@@ -0,0 +1 @@
+WARNING: This update will clear all custom assets in /web/dist/asssts. You might need to run customize() again.

release/3.2.0+2023.6.1

@@ -0,0 +1 @@
+If you use your own outpost you need to uncomment COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml" to expose the docker socket again.

release/4.0.0+2023.10.5

@@ -0,0 +1 @@
+It is only possible to upgrade to 2023.10 from 2023.8, you need to update to 2023.8.x before applying this update

release/5.0.0+2024.2.2

@@ -0,0 +1 @@
+Blueprint changes are applied and automatic migrations should work, however, manual action may be required: https://docs.goauthentik.io/docs/releases/2024.2

release/5.1.0+2024.2.3

@@ -0,0 +1 @@
+Due to blueprint changes, you need to run the following command after upgrading: abra app cmd -C <Domain> worker apply_blueprints

release/6.0.0+2024.4.0

@@ -0,0 +1 @@
+Alerta! ⚠️ If you are using AUTHENTIK_COLOR_BACKGROUND_LIGHT, you will need to set COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"

release/6.1.0+2024.4.2

@@ -0,0 +1 @@
+Blueprint for Kimai SSO integration added

release/6.11.0+2024.10.5

@@ -0,0 +1 @@
+Fix Impersonate Bug

release/6.6.0+2024.8.2

@@ -0,0 +1 @@
+Replaced icon bbb.jpg with icon.png - configs need to be updated when upgrading!

release/6.7.0+2024.8.3

@@ -0,0 +1,3 @@
+Two critical vulnerabilities were closed:
+https://github.com/goauthentik/authentik/security/advisories/GHSA-7jxf-mmg9-9hg7
+https://github.com/goauthentik/authentik/security/advisories/GHSA-8gfm-pr6x-pfh9

release/7.4.0+2025.6.3

@@ -0,0 +1,3 @@
+Adds following new envs: 
+  REDIRECTS
+  AUTHENTIK_DISABLE_UPDATE_CHECK

release/9.0.0+2025.8.1

@@ -0,0 +1,4 @@
+Update of config neccessary!
+Changed structure of APPLICATION env to:
+    appname: {"url":"http...", "group":"groupname"}
+Adds various new group envs to support application grouping

renovate.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ]
+}

system_brand.yaml.tmpl

@@ -2,34 +2,37 @@ version: 1
 metadata:
   labels:
     blueprints.goauthentik.io/instantiate: "true"
-  name: Custom System Tenant
+  name: Custom System brand
 entries:
 ### DEPENDENCIES
 - model: authentik_blueprints.metaapplyblueprint
   attrs:
     identifiers:
-      name: Default - Tenant
+      name: Default - Brand
     required: true
 - model: authentik_blueprints.metaapplyblueprint
   attrs:
     identifiers:
-      name: Invitation Enrollment Flow
+      name: Recovery with email verification
     required: true
 
 
-### SYSTEM TENANT
-# remove custom tenant from old recipe
+### SYSTEM BRAND
+# remove custom brand from old recipe
 - identifiers:
     domain: {{ env "DOMAIN" }}
-  model: authentik_tenants.tenant
+  model: authentik_brands.brand
   state: absent
 
 - attrs:
     attributes:
       settings:
-        locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }}
+        locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }} {{ if ne (env "THEME_BACKGROUND") "" }}
+        theme:
+          background: >
+            background: {{ env "THEME_BACKGROUND" }} {{ end }}
     flow_recovery: !Find [authentik_flows.flow, [slug,  default-recovery-flow]]
   identifiers:
     default: true
     domain: authentik-default
-  model: authentik_tenants.tenant
+  model: authentik_brands.brand

vikunja.yaml.tmpl

@@ -0,0 +1,48 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: vikunja
+
+entries:
+
+- attrs:
+    access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+    client_id: {{ secret  "vikunja_id" }}
+    client_secret: {{ secret  "vikunja_secret" }}
+    client_type: confidential
+    include_claims_in_id_token: true
+    issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "VIKUNJA_DOMAIN" }}/auth/openid/authentik
+    name: Vikunja
+    property_mappings:
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sub_mode: hashed_user_id
+    token_validity: days=30
+  conditions: []
+  id: vikunja_provider
+  identifiers:
+    pk: 9995
+  model: authentik_providers_oauth2.oauth2provider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "VIKUNJA_DOMAIN" }}
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf vikunja_provider
+    slug: vikunja
+  conditions: []
+  id: vikunja_application
+  identifiers:
+    name: Vikunja
+  model: authentik_core.application
+  state: present

wekan.yaml.tmpl

@@ -5,22 +5,45 @@ metadata:
   name: wekan
 
 entries:
+- attrs:
+    description: wekan
+    expression: "groupsDict = {\"wekanGroups\": []}\nfor group in request.user.ak_groups.all():\n\
+      \  my_attributes = group.attributes\n  my_attributes[\"displayName\"] = group.name\n\
+      \  my_attributes[\"isAdmin\"] = group.attributes[\"isAdmin\"] if 'isAdmin' in group.attributes else group.is_superuser\n\
+      \  my_attributes[\"isActive\"] = group.attributes[\"\
+      isActive\"] if 'isActive' in group.attributes else True\n  my_attributes[\"\
+      forceCreate\"] = group.attributes[\"forceCreate\"] if 'forceCreate' in group.attributes\
+      \ else True\n  groupsDict[\"wekanGroups\"].append(my_attributes)\nreturn groupsDict"
+    managed: null
+    scope_name: wekan
+  conditions: []
+  id: wekan_group_mapping
+  identifiers:
+    name: wekan
+  model: authentik_providers_oauth2.scopemapping
+  state: present
 
 - attrs:
     access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "wekan_id" }}
     client_secret: {{ secret  "wekan_secret" }}
     client_type: confidential
     include_claims_in_id_token: true
     issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "WEKAN_DOMAIN" }}/_oauth/oidc
     name: Wekan
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    - !KeyOf wekan_group_mapping
     signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
-    sub_mode: user_username
+    sub_mode: hashed_user_id
     token_validity: days=30
   conditions: []
   id: wekan_provider

wordpress.yaml.tmpl

@@ -8,12 +8,17 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "wordpress_id" }}
     client_secret: {{ secret  "wordpress_secret" }}
     client_type: confidential
     include_claims_in_id_token: true
     issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "WORDPRESS_DOMAIN" }}/openid-connect-authorize
     name: Wordpress
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
@@ -41,3 +46,19 @@ entries:
     name: Wordpress
   model: authentik_core.application
   state: present
+
+{{ if ne (env "WORDPRESS_GROUP") "" }} 
+- identifiers:
+    name: {{ env "WORDPRESS_GROUP" }}
+  attrs:
+    users:
+    - !Find [authentik_core.user, [username, "akadmin"]]
+  id: wordpress_group
+  model: authentik_core.group
+
+- identifiers:
+    group: !KeyOf wordpress_group
+    target: !KeyOf wordpress_application
+    order: 0
+  model: authentik_policies.policybinding
+{{ end }}

zammad.yaml.tmpl

@@ -0,0 +1,69 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: zammad
+
+entries:
+- attrs:
+    expression: return request.user.name
+    managed: null
+    name: 'Zammad SAML Mapping: name'
+    saml_name: name
+  conditions: []
+  identifiers:
+    name: zammad_name_mapping
+  id: zammad_name_mapping
+  model: authentik_providers_saml.samlpropertymapping
+  state: present
+
+- attrs:
+    expression: return request.user.email
+    managed: null
+    name: 'Zammad SAML Mapping: email'
+    saml_name: email
+  conditions: []
+  identifiers:
+    name: zammad_email_mapping
+  id: zammad_email_mapping
+  model: authentik_providers_saml.samlpropertymapping
+  state: present
+
+- attrs:
+    acs_url: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/callback
+    assertion_valid_not_before: minutes=-5
+    assertion_valid_not_on_or_after: minutes=5
+    audience: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/metadata
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+    digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
+    issuer: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/metadata
+    name: zammad
+    property_mappings:
+    - !KeyOf zammad_name_mapping
+    - !KeyOf zammad_email_mapping
+    session_valid_not_on_or_after: minutes=86400
+    sign_assertion: true
+    signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
+    signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sp_binding: post
+  conditions: []
+  id: zammad_provider
+  identifiers:
+    pk: 9989
+  model: authentik_providers_saml.samlprovider
+  state: present
+
+- attrs:
+    meta_launch_url: ""
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf zammad_provider
+    slug: zammad
+  conditions: []
+  id: zammad_application
+  identifiers:
+    name: Zammad
+  model: authentik_core.application
+  state: present