Add renovate.json

Intermediate step for upgrading to 2026.2.x.
Bump authentik to 2025.12.4, postgres to 15.17.

.env.sample

@@ -1,5 +1,5 @@
 TYPE=authentik
-TIMEOUT=900
+#TIMEOUT=900
 ENABLE_AUTO_UPDATE=true
 POST_DEPLOY_CMDS="worker set_admin_pass"
 # Example values for post deploy cmds: "worker set_admin_pass|worker apply_blueprints|worker add_applications"
@@ -156,5 +156,12 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 # APP_ICONS="$APP_ICONS hedgedoc:~/.abra/recipes/authentik/icons/hedgedoc.png"
 # HEDGEDOC_APPGROUP="$GROUP_DOCUMENTATION"
 
+# COMPOSE_FILE="$COMPOSE_FILE:compose.mila.yml"
+# MILA_DOMAIN=mila.example.com
+# SECRET_MILA_ID_VERSION=v1
+# SECRET_MILA_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS mila:~/.abra/recipes/authentik/icons/mila.svg"
+# MILA_APPGROUP=""
+
 # APPLICATIONS='{"Calendar": {"url":"https://nextcloud.example.com/apps/calendar/", "group": ""}, "BBB": {"url":"https://nextcloud.example.com/apps/bbb/", "group":""}, "Pretix": {"url":"https://pretix.example.com/control/", "group":""}}'
 # EXTRA_ICONS={"Calendar": "~/.abra/recipes/authentik/icons/calendar.svg", "BBB": "~/.abra/recipes/authentik/icons/bbb.png", "Pretix": "~/.abra/recipes/authentik/icons/pretix.svg"}

.gitignore

@@ -1 +1,2 @@
 .envrc
+.cursorignore

abra.sh

@@ -6,7 +6,7 @@ export FLOW_RECOVERY_VERSION=v2
 export FLOW_TRANSLATION_VERSION=v3
 export SYSTEM_BRAND_VERSION=v4
 export NEXTCLOUD_CONFIG_VERSION=v3
-export WORDPRESS_CONFIG_VERSION=v4
+export WORDPRESS_CONFIG_VERSION=v6
 export MATRIX_CONFIG_VERSION=v3
 export WEKAN_CONFIG_VERSION=v5
 export VIKUNJA_CONFIG_VERSION=v3
@@ -16,48 +16,47 @@ export ZAMMAD_CONFIG_VERSION=v4
 export RALLLY_CONFIG_VERSION=v4
 export HEDGEDOC_CONFIG_VERSION=v3
 export MONITORING_CONFIG_VERSION=v4
+export MILA_CONFIG_VERSION=v1
 export DB_ENTRYPOINT_VERSION=v1
 export PG_BACKUP_VERSION=v2
 export ENTRYPOINT_CSS_VERSION=v1
 
 customize() {
-    if [ -z "$1" ]
-    then
-            echo "Usage: ... customize <assets_path>"
-            exit 1
-    fi
-    asset_dir=$1
-    for asset in $COPY_ASSETS; do
-        source=$(echo $asset | cut -d "|" -f1)
-        target=$(echo $asset | cut -d "|" -f2)
-        echo copy $source to $target
-        abra app cp $APP_NAME $asset_dir/$source $target
-    done
+  if [ -z "$1" ]; then
+    echo "Usage: ... customize <assets_path>"
+    exit 1
+  fi
+  asset_dir=$1
+  for asset in $COPY_ASSETS; do
+    source=$(echo $asset | cut -d "|" -f1)
+    target=$(echo $asset | cut -d "|" -f2)
+    echo copy $source to $target
+    abra app cp $APP_NAME $asset_dir/$source $target
+  done
 }
 
-shell(){
-    if [ -z "$1" ]
-    then
-            echo "Usage: ... shell <python code>"
-            exit 1
-    fi
-    ak shell -c "$1" 2>&1 | quieten
+shell() {
+  if [ -z "$1" ]; then
+    echo "Usage: ... shell <python code>"
+    exit 1
+  fi
+  ak shell -c "$1" 2>&1 | quieten
 }
 
 import_user() {
-    if [ -z "$1" ]
-    then
-            echo "Usage: ... import_user <users.csv>"
-            exit 1
-    fi
-    source_file=$1
-    filename=$(basename $source_file)
-    abra app cp $APP_NAME $source_file worker:/tmp/
-    abra app cmd -T $APP_NAME worker _import_user $filename
+  if [ -z "$1" ]; then
+    echo "Usage: ... import_user <users.csv>"
+    exit 1
+  fi
+  source_file=$1
+  filename=$(basename $source_file)
+  abra app cp -C $APP_NAME $source_file worker:/tmp/
+  abra app cmd -C -T $APP_NAME worker _import_user $filename
 }
 
 _import_user() {
-/manage.py shell -c """
+  /manage.py shell -c """
+from authentik.core.models import Group
 import csv
 new_user = User()
 with open('/tmp/$1', newline='') as file:
@@ -84,10 +83,22 @@ with open('/tmp/$1', newline='') as file:
 """ 2>&1 | quieten
 }
 
+set_user_pass() {
+  username="$1"
+  password="$2"
+  /manage.py shell -c """
+user = User.objects.get(username='$username')
+user.set_password('$password')
+user.save()
+print('Changed $username password')
+""" 2>&1 | quieten
+
+}
+
 set_admin_pass() {
-password=$(cat /run/secrets/admin_pass)
-token=$(cat /run/secrets/admin_token)
-/manage.py shell -c """
+  password=$(cat /run/secrets/admin_pass)
+  token=$(cat /run/secrets/admin_token)
+  /manage.py shell -c """
 import time
 i = 0
 while (not User.objects.filter(username='akadmin')):
@@ -122,45 +133,45 @@ else:
 }
 
 rotate_db_pass() {
-    db_password=$(cat /run/secrets/db_password)
-    psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
+  db_password=$(cat /run/secrets/db_password)
+  psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
 }
 
 # This function is for blueprints that are overwriting custom blueprints
 # It deactivates the affected custom blueprints to avoid changes to be reverted
 apply_blueprints() {
-    update_and_disable_blueprint default/flow-password-change.yaml
-    update_and_disable_blueprint default/flow-default-authentication-flow.yaml
-    update_and_disable_blueprint default/flow-default-user-settings-flow.yaml
-    update_and_disable_blueprint default/flow-default-source-enrollment.yaml
-    
-    apply_blueprint 3_flow_translation.yaml
-    apply_blueprint 2_flow_authentication.yaml
+  update_and_disable_blueprint default/flow-password-change.yaml
+  update_and_disable_blueprint default/flow-default-authentication-flow.yaml
+  update_and_disable_blueprint default/flow-default-user-settings-flow.yaml
+  update_and_disable_blueprint default/flow-default-source-enrollment.yaml
+
+  apply_blueprint 3_flow_translation.yaml
+  apply_blueprint 2_flow_authentication.yaml
 }
 
 update_and_disable_blueprint() {
-    enable_blueprint $@ 2>&1 | quieten
-    sleep 1
-    apply_blueprint $@
-    sleep 1
-    disable_blueprint $@ 2>&1 | quieten
+  enable_blueprint $@ 2>&1 | quieten
+  sleep 1
+  apply_blueprint $@
+  sleep 1
+  disable_blueprint $@ 2>&1 | quieten
 }
 
 disable_blueprint() {
-    blueprint_state False $@
+  blueprint_state False $@
 }
 
 enable_blueprint() {
-    blueprint_state True $@
+  blueprint_state True $@
 }
 
 apply_blueprint() {
-    echo apply blueprint $@
-    ak apply_blueprint $@ 2>&1 | quieten
+  echo apply blueprint $@
+  ak apply_blueprint $@ 2>&1 | quieten
 }
 
 blueprint_state() {
-/manage.py shell -c """
+  /manage.py shell -c """
 import time
 blueprint_state=$1
 blueprint_path='$2'
@@ -178,9 +189,9 @@ print(f'{blueprint.name} enabled: {blueprint.enabled}')
 }
 
 # This function adds each application with its name, slug and group if passed
-add_applications(){
-export APPLICATIONS
-/manage.py shell -c """
+add_applications() {
+  export APPLICATIONS
+  /manage.py shell -c """
 import json
 import os
 if os.environ['APPLICATIONS'] == '':
@@ -199,15 +210,45 @@ for name, details in applications.items():
         app.group = group
         print(f'Add {name}: {url} in group: {group}')
     else:
+        app.group = ''
         print(f'Add {name}: {url}')
     app.open_in_new_tab = True
     app.save()
 """ 2>&1 | quieten
 }
 
+# This function adds one application with its name, slug and group if passed
+add_single_application() {
+  if [ -z "$2" ]; then
+    echo "Usage: ... add_single_application <name> <url> <group>"
+    exit 1
+  fi
+  /manage.py shell -c """
+import json
+import os
+name = '$1'
+url = '$2'
+app = Application.objects.filter(name=name).first()
+if not app:
+    app = Application()
+app.name = name
+app.slug = name.replace(' ', '-')
+app.meta_launch_url = url
+group = '$3'
+if group:
+    app.group = group
+    print(f'Add {name}: {url} in group: {group}')
+else:
+    app.group = ''
+    print(f'Add {name}: {url}')
+app.open_in_new_tab = True
+app.save()
+""" 2>&1 | quieten
+}
+
 ## This function is for renaming apps - usage: rename "old name" "new name"
 rename() {
-/manage.py shell -c """
+  /manage.py shell -c """
 old_name = '$1'
 new_name = '$2' if '$2' else old_name
 
@@ -221,85 +262,105 @@ else:
 """ 2>&1 | quieten
 }
 
-
-
-quieten(){
-    # 'SyntaxWarning|version_regex|"http\['
-    # is a workaround to get rid of some verbose syntax warnings, this might be fixed with another version
-    grep -Pv '"level": "(info|debug)"|SyntaxWarning|version_regex|"http\[|RuntimeWarning:'
+quieten() {
+  # 'SyntaxWarning|version_regex|"http\['
+  # is a workaround to get rid of some verbose syntax warnings, this might be fixed with another version
+  grep -Pv '"level": "(info|debug)"|SyntaxWarning|version_regex|"http\[|RuntimeWarning:|### authentik shell|### Node| objects imported automatically|^$'
 }
 
-add_email_templates(){
-for file_path in "$@"; do
+add_email_templates() {
+  for file_path in "$@"; do
     echo copy template $file_path
     abra app cp $APP_NAME $file_path app:/templates/
-done
+  done
 }
 
-set_icons(){
-if [ -n "$1" ]
-then
-APP_ICONS="$1"
-fi
-for icon in $APP_ICONS; do
+set_icons() {
+  if [ -n "$1" ]; then
+    APP_ICONS="$1"
+  fi
+  for icon in $APP_ICONS; do
     app=$(echo $icon | cut -d ":" -f1)
     file_path=$(eval echo $(echo $icon | cut -d ":" -f2))
     file=$(basename $file_path)
     echo copy icon $file_path for $app
-    abra app cp $APP_NAME $file_path app:/media/
-    abra app cmd -T $APP_NAME app set_app_icon $app /media/$file
-done
+    abra app cp -C $APP_NAME $file_path app:/media/
+    abra app cmd -C -T $APP_NAME app set_app_icon $app /media/$file
+  done
 }
 
-set_extra_icons(){
-    if [ -z "$EXTRA_ICONS" ]
-    then
-        echo "Variable EXTRA_ICONS is not set"
-        exit 1
-    fi
-    export EXTRA_ICONS
-    icon_key_values=$(python3 -c "
+set_extra_icons() {
+  if [ -z "$EXTRA_ICONS" ]; then
+    echo "Variable EXTRA_ICONS is not set"
+    exit 1
+  fi
+  export EXTRA_ICONS
+  icon_key_values=$(python3 -c "
 import json
 import os
 for key, value in json.loads(os.environ['EXTRA_ICONS']).items():
-    print(f'{key}:{value}')
+  slug = key.replace(' ','-')
+  print(f'{slug}:{value}')
 ")
-    set_icons "$icon_key_values"
+  set_icons "$icon_key_values"
 }
 
 set_app_icon() {
-TOKEN=$(cat /run/secrets/admin_token)
-python -c """
+  TOKEN=$(cat /run/secrets/admin_token)
+  python -c """
 import requests
 import os
 my_token = '$TOKEN'
 application = '$1'
 icon_path = '$2'
-url = f'https://$DOMAIN/api/v3/core/applications/{application}/set_icon/'
-headers = {'Authorization':f'Bearer {my_token}'}
+base_url = f'https://$DOMAIN/api/v3'
+headers = {'Authorization': f'Bearer {my_token}'}
+
+name_img = os.path.basename(icon_path)
+
+# Upload file via the file management API
 with open(icon_path, 'rb') as img:
-  name_img = os.path.basename(icon_path)
-  files= {'file': (name_img,img,'image/png') }
-  with requests.Session() as s:
-    r = s.post(url,files=files,headers=headers)
-    print(r.status_code)
+  r = requests.post(
+    f'{base_url}/admin/file/',
+    files={'file': (name_img, img, 'image/png')},
+    data={'name': name_img},
+    headers=headers,
+  )
+  if r.status_code == 400 and 'already exists' in r.text:
+    print(f'{name_img} already uploaded')
+  elif r.status_code != 200:
+    print(f'Upload failed: {r.status_code} {r.text}')
+    exit(1)
+  else:
+    print(f'Uploaded {name_img}')
+
+# Set the icon on the application
+r = requests.patch(
+  f'{base_url}/core/applications/{application}/',
+  json={'meta_icon': name_img},
+  headers=headers,
+)
+if r.status_code == 200:
+  print(f'Set icon for {application}')
+else:
+  print(f'Failed to set icon: {r.status_code} {r.text}')
 """
 
 }
 
 blueprint_cleanup() {
-/manage.py shell -c """
+  /manage.py shell -c """
 delete_flows = ['default-recovery-flow' , 'custom-authentication-flow' , 'invitation-enrollment-flow' , 'initial-setup']
 Flow.objects.filter(slug__in=delete_flows).delete()
 Stage.objects.filter(flow=None).delete()
 Prompt.objects.filter(promptstage=None).delete()
 Brand.objects.filter(default=True).delete()
 """ 2>&1 | quieten
-apply_blueprints
+  apply_blueprints
 }
 
 get_certificate() {
-/manage.py shell -c """
+  /manage.py shell -c """
 provider_name='$1'
 if not provider_name:
     print('no Provider Name given')
@@ -312,7 +373,18 @@ print(''.join(cert.certificate_data.splitlines()[1:-1]))
 }
 
 get_user_uid() {
-/manage.py shell -c """
+  /manage.py shell -c """
 print(User.objects.filter(username='$1').first().uid)
 """ 2>&1 | quieten
 }
+
+get_secrets() {
+  grep "" -r /var/run/secrets
+}
+
+fix_collation_mismatch() {
+  psql -U ${POSTGRES_USER} -d authentik -c "ALTER DATABASE authentik REFRESH COLLATION VERSION;"
+  psql -U ${POSTGRES_USER} -d authentik -c "REINDEX DATABASE authentik;"
+  psql -U ${POSTGRES_USER} -d postgres -c "ALTER DATABASE postgres REFRESH COLLATION VERSION;"
+  psql -U ${POSTGRES_USER} -d postgres -c "REINDEX DATABASE postgres;"
+}

alaconnect.yml

@@ -87,3 +87,12 @@ hedgedoc:
         - hedgedoc.png
     secrets:
         hedgedoc_id: hedgedoc
+mila:
+    uncomment:
+        - compose.mila.yml
+        - MILA_DOMAIN
+        - SECRET_MILA_ID_VERSION
+        - SECRET_MILA_SECRET_VERSION
+        - mila.svg
+    secrets:
+        mila_id: mila

compose.mila.yml

@@ -0,0 +1,27 @@
+version: "3.8"
+services:
+  worker:
+    secrets:
+      - mila_id
+      - mila_secret
+    environment:
+      - MILA_DOMAIN
+    configs:
+      - source: mila
+        target: /blueprints/mila.yaml
+
+secrets:
+  mila_id:
+    external: true
+    name: ${STACK_NAME}_mila_id_${SECRET_MILA_ID_VERSION}
+  mila_secret:
+    external: true
+    name: ${STACK_NAME}_mila_secret_${SECRET_MILA_SECRET_VERSION}
+
+
+configs:
+  mila:
+    name: ${STACK_NAME}_mila_${MILA_CONFIG_VERSION}
+    file: mila.yaml.tmpl
+    template_driver: golang
+

compose.outposts.ldap.yml

@@ -1,7 +1,7 @@
 version: "3.8"
 services:
   authentik_ldap:
-      image: ghcr.io/goauthentik/ldap:2025.8.1
+      image: ghcr.io/goauthentik/ldap:2026.2.1
       # Optionally specify which networks the container should be
       # might be needed to reach the core authentik server
       networks:

compose.yml

@@ -5,7 +5,6 @@ x-env: &env
     - AUTHENTIK_POSTGRESQL__USER=authentik
     - AUTHENTIK_POSTGRESQL__NAME=authentik
     - AUTHENTIK_POSTGRESQL__HOST=db
-    - AUTHENTIK_REDIS__HOST=redis
     - AUTHENTIK_ERROR_REPORTING__ENABLED
     - AUTHENTIK_SECRET_KEY=file:///run/secrets/secret_key
     - AUTHENTIK_EMAIL__HOST
@@ -35,11 +34,10 @@ x-env: &env
 version: '3.8'
 services:
   app:
-    image: ghcr.io/goauthentik/server:2025.8.1
+    image: ghcr.io/goauthentik/server:2026.2.1
     command: server
     depends_on:
       - db
-      - redis
     secrets:
       - db_password
       - admin_pass
@@ -47,8 +45,9 @@ services:
       - secret_key
       - email_pass
     volumes:
+      - data:/data
       - media:/media
-      - assets:/web/dist/assets
+      - custom_assets:/web/dist/assets
       - templates:/templates
     networks:
       - internal
@@ -63,7 +62,7 @@ services:
     deploy:
       labels:
         - "traefik.enable=true"
-        - "traefik.docker.network=proxy"
+        - "traefik.swarm.network=proxy"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=9000"
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
@@ -71,18 +70,17 @@ services:
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions,${STACK_NAME}-redirect"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=9.0.0+2025.8.1"
+        - "coop-cloud.${STACK_NAME}.version=11.0.4+2026.2.1"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.regex=^https://(${REDIRECTS})/(.*)"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.replacement=https://${DOMAIN}/$${2}"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.permanent=true"
-        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
 
   worker:
-    image: ghcr.io/goauthentik/server:2025.8.1
+    image: ghcr.io/goauthentik/server:2026.2.1
     command: worker
     depends_on:
       - db
-      - redis
     secrets:
       - db_password
       - admin_pass
@@ -93,6 +91,7 @@ services:
       - internal
       - proxy
     volumes:
+      - data:/data
       - media:/media
       - /dev/null:/blueprints/default/flow-oobe.yaml
       - templates:/templates
@@ -119,7 +118,7 @@ services:
       start_period: 5m
 
   db:
-    image: postgres:15.13
+    image: postgres:15.17
     secrets:
       - db_password
     configs:
@@ -150,22 +149,8 @@ services:
           backupbot.backup: "${ENABLE_BACKUPS:-true}"
           backupbot.backup.pre-hook: "/pg_backup.sh backup"
           backupbot.backup.volumes.database.path: "backup.sql"
-          backupbot.backup.volumes.redis: "false"
           backupbot.restore.post-hook: '/pg_backup.sh restore'
 
-  redis:
-    image:  redis:8.2.1-alpine
-    command: --save 60 1 --loglevel warning
-    networks:
-      - internal
-    healthcheck:
-      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
-      interval: 30s
-      timeout: 10s
-      retries: 10
-      start_period: 1m
-    volumes:
-        - redis:/data
 
 secrets:
   db_password:
@@ -190,11 +175,11 @@ networks:
   internal:
 
 volumes:
+  data:
   media:
   certs:
-  redis:
   templates:
-  assets:
+  custom_assets:
   database:
 
 configs:

icons/calendar.svg

@@ -1,2 +1,40 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<svg xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://www.w3.org/2000/svg" version="1.1" xml:space="preserve" height="32" width="32" enable-background="new 0 0 595.275 311.111" y="0px" x="0px" xmlns:cc="http://creativecommons.org/ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" viewBox="0 0 32 32"><rect rx="5" ry="5" height="32" width="32" y="-.0000052588" x="0" fill="#0082c9"/><g transform="matrix(.89286 0 0 .89286 520.21 -.19331)"><path fill="#fff" d="m-572.71 3.5765c-1.108 0-2 0.892-2 2v4c0 1.108 0.892 2 2 2s2-0.892 2-2v-4c0-1.108-0.892-2-2-2zm16 0c-1.108 0-2 0.892-2 2v4c0 1.108 0.892 2 2 2s2-0.892 2-2v-4c0-1.108-0.892-2-2-2zm-13 4v2c0 1.662-1.338 3-3 3s-3-1.338-3-3v-1.875c-1.728 0.44254-3 2.0052-3 3.875v16c0 2.216 1.784 4 4 4h20c2.216 0 4-1.784 4-4v-16c0-1.8698-1.272-3.4325-3-3.875v1.875c0 1.662-1.338 3-3 3s-3-1.338-3-3v-2h-10zm-5.9062 9h21.812c0.0554 0 0.0937 0.03835 0.0937 0.09375v11.812c0 0.0554-0.0384 0.09375-0.0937 0.09375h-21.812c-0.0554 0-0.0937-0.03835-0.0937-0.09375v-11.812c0-0.0554 0.0384-0.09375 0.0937-0.09375z"/></g></svg>
+<svg
+   version="1.1"
+   xml:space="preserve"
+   height="200"
+   width="200"
+   enable-background="new 0 0 595.275 311.111"
+   y="0px"
+   x="0px"
+   viewBox="0 0 200 200"
+   id="svg8"
+   sodipodi:docname="calendar.svg"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg"><defs
+     id="defs12" /><sodipodi:namedview
+     id="namedview10"
+     pagecolor="#ffffff"
+     bordercolor="#000000"
+     borderopacity="0.25"
+     inkscape:showpageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     showgrid="false" /><rect
+     rx="31.25"
+     ry="31.25"
+     height="200"
+     width="200"
+     y="-5.2587998e-06"
+     x="0"
+     fill="#0082c9"
+     id="rect2"
+     style="stroke-width:6.25" /><g
+     transform="matrix(5.580375,0,0,5.580375,3251.3125,-1.2081599)"
+     id="g6"><path
+       fill="#ffffff"
+       d="m -572.71,3.5765 c -1.108,0 -2,0.892 -2,2 v 4 c 0,1.108 0.892,2 2,2 1.108,0 2,-0.892 2,-2 v -4 c 0,-1.108 -0.892,-2 -2,-2 z m 16,0 c -1.108,0 -2,0.892 -2,2 v 4 c 0,1.108 0.892,2 2,2 1.108,0 2,-0.892 2,-2 v -4 c 0,-1.108 -0.892,-2 -2,-2 z m -13,4 v 2 c 0,1.662 -1.338,3 -3,3 -1.662,0 -3,-1.338 -3,-3 v -1.875 c -1.728,0.44254 -3,2.0052 -3,3.875 v 16 c 0,2.216 1.784,4 4,4 h 20 c 2.216,0 4,-1.784 4,-4 v -16 c 0,-1.8698 -1.272,-3.4325 -3,-3.875 v 1.875 c 0,1.662 -1.338,3 -3,3 -1.662,0 -3,-1.338 -3,-3 v -2 z m -5.9062,9 h 21.812 c 0.0554,0 0.0937,0.03835 0.0937,0.09375 v 11.812 c 0,0.0554 -0.0384,0.09375 -0.0937,0.09375 h -21.812 c -0.0554,0 -0.0937,-0.03835 -0.0937,-0.09375 v -11.812 c 0,-0.0554 0.0384,-0.09375 0.0937,-0.09375 z"
+       id="path4" /></g></svg>

icons/help.svg

@@ -1,10 +1,60 @@
-<svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
-<g clip-path="url(#clip0_1735_3439)">
-<path d="M12 18.0093V12.7593M12 12.7593C12.5179 12.7593 13.0206 12.6937 13.5 12.5703M12 12.7593C11.4821 12.7593 10.9794 12.6937 10.5 12.5703M14.25 20.0487C13.5212 20.187 12.769 20.2593 12 20.2593C11.231 20.2593 10.4788 20.187 9.75 20.0487M13.5 22.4313C13.007 22.4828 12.5066 22.5093 12 22.5093C11.4934 22.5093 10.993 22.4828 10.5 22.4313M14.25 18.0093V17.8176C14.25 16.8347 14.9083 15.9943 15.7585 15.501C17.9955 14.203 19.5 11.7818 19.5 9.00928C19.5 4.86714 16.1421 1.50928 12 1.50928C7.85786 1.50928 4.5 4.86714 4.5 9.00928C4.5 11.7818 6.00446 14.203 8.24155 15.501C9.09173 15.9943 9.75 16.8347 9.75 17.8176V18.0093" stroke="#0F172A" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
-</g>
-<defs>
-<clipPath id="clip0_1735_3439">
-<rect width="24" height="24" fill="white" transform="translate(0 0.00927734)"/>
-</clipPath>
-</defs>
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   width="200"
+   height="200"
+   viewBox="0 0 200 200"
+   fill="none"
+   version="1.1"
+   id="svg171"
+   sodipodi:docname="help.svg"
+   inkscape:version="1.2.2 (b0a8486541, 2022-12-01)"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg">
+  <sodipodi:namedview
+     id="namedview173"
+     pagecolor="#ffffff"
+     bordercolor="#000000"
+     borderopacity="0.25"
+     inkscape:showpageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     showgrid="false"
+     inkscape:zoom="2.3032421"
+     inkscape:cx="119.614"
+     inkscape:cy="76.631111"
+     inkscape:window-width="1871"
+     inkscape:window-height="1011"
+     inkscape:window-x="0"
+     inkscape:window-y="0"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="svg171" />
+  <g
+     clip-path="url(#clip0_1735_3439)"
+     id="g164"
+     transform="matrix(8.4444369,0,0,8.4444369,-1.3332428,-1.4116916)">
+    <path
+       d="m 12,18.0093 v -5.25 m 0,0 c 0.5179,0 1.0206,-0.0656 1.5,-0.189 m -1.5,0.189 c -0.5179,0 -1.0206,-0.0656 -1.5,-0.189 m 3.75,7.4784 c -0.7288,0.1383 -1.481,0.2106 -2.25,0.2106 -0.769,0 -1.5212,-0.0723 -2.25,-0.2106 m 3.75,2.3826 c -0.493,0.0515 -0.9934,0.078 -1.5,0.078 -0.5066,0 -1.007,-0.0265 -1.5,-0.078 m 3.75,-4.422 v -0.1917 c 0,-0.9829 0.6583,-1.8233 1.5085,-2.3166 2.237,-1.298 3.7415,-3.7192 3.7415,-6.49172 0,-4.14214 -3.3579,-7.5 -7.5,-7.5 -4.14214,0 -7.5,3.35786 -7.5,7.5 C 4.5,11.7818 6.00446,14.203 8.24155,15.501 9.09173,15.9943 9.75,16.8347 9.75,17.8176 v 0.1917"
+       stroke="#0f172a"
+       stroke-width="1.5"
+       stroke-linecap="round"
+       stroke-linejoin="round"
+       id="path162" />
+  </g>
+  <defs
+     id="defs169">
+    <clipPath
+       id="clip0_1735_3439">
+      <rect
+         width="24"
+         height="24"
+         fill="#ffffff"
+         transform="translate(0,0.00927734)"
+         id="rect166"
+         x="0"
+         y="0" />
+    </clipPath>
+  </defs>
 </svg>

icons/mila.svg

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg id="a" data-name="Ebene 1" xmlns="http://www.w3.org/2000/svg" viewBox="80 60 430 410">
+  <defs>
+    <style>
+      .b {
+        fill: #346180;
+      }
+
+      .c {
+        fill: #009aa5;
+      }
+    </style>
+  </defs>
+  <g>
+    <path class="c" d="M319.57,303.39c41.78,18.41,74.43,42.48,87.64,89.83,4.52,16.2,12.63,44.75-10.72,48.82H101.39c-2.63-.09-9.25-2.82-11.12-4.38-.3-.25-4.06-6.12-4.22-6.49-5.78-13.4,2.35-35.12,7.31-47.71,9.49-24.09,25.75-44.44,46.62-59.63,16.07-11.7,34.34-20.54,53.51-25.78,32.68-8.93,94.96-8.37,126.07,5.34Z"/>
+    <path class="c" d="M299.53,126.4c7.22,5.55,16.92,15.59,20.81,23.69,14.47,30.14,13.54,62.8-6.99,90.82-32.64,44.55-106.51,39.41-133.59-8.24-45.73-80.48,49.74-160.1,119.77-106.26Z"/>
+  </g>
+  <g>
+    <path class="b" d="M395.52,128.43c50.29,40.71,28.84,125.79-34.37,141.27-7.94,1.94-34,4.45-40.2-.24-.7-.53-1.73-1.28-1.25-2.3.2-.42.58-.72.95-1.01,6.58-5.05,11.45-13.02,15.71-20.08s7.99-14.88,10.77-22.84c5.4-15.47,7.48-32.13,5.27-48.4-2.36-17.34-9.63-33.63-20.49-47.31-2.75-3.46-6.2-6.45-9.27-9.63-1.09-1.14-3.73-3.05-4.21-4.6-.9-2.93,2.98-3.72,5.51-4.06,23.02-3.1,46.39,1.77,65.63,14.81,2.04,1.38,4.02,2.84,5.94,4.39Z"/>
+    <path class="b" d="M433.88,441.36c-2.64-2.97.77-10.22,1.03-13.89,3.54-49.03-30.24-100.05-69.07-126.89-1.99-1.38-11.43-6.12-11.91-6.6-1.42-1.44.09-1.81,1.48-1.99,7.36-.93,17.29,1.08,24.7,2.32,16.51,2.77,33.53,8.05,48.48,15.52,18.53,9.24,34.94,22.72,47.79,38.94,11.65,14.7,54.83,91.93,8.76,92.91-15.76.33-31.52.67-47.28,1-1.97.04-3.23-.46-3.99-1.31Z"/>
+  </g>
+</svg>

icons/poll.svg

@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   width="200"
+   height="200"
+   viewBox="0 0 200 200"
+   fill="none"
+   version="1.1"
+   id="svg282"
+   sodipodi:docname="poll.svg"
+   inkscape:version="1.2.2 (b0a8486541, 2022-12-01)"
+   inkscape:export-filename="poll_tall.svg"
+   inkscape:export-xdpi="96"
+   inkscape:export-ydpi="96"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg">
+  <defs
+     id="defs286" />
+  <sodipodi:namedview
+     id="namedview284"
+     pagecolor="#ffffff"
+     bordercolor="#000000"
+     borderopacity="0.25"
+     inkscape:showpageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     showgrid="false"
+     inkscape:zoom="4.3999736"
+     inkscape:cx="116.47797"
+     inkscape:cy="125.79621"
+     inkscape:window-width="1871"
+     inkscape:window-height="1011"
+     inkscape:window-x="0"
+     inkscape:window-y="0"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="svg282" />
+  <path
+     d="M 51.538464,16.923263 V 37.692495 M 148.46154,16.923263 V 37.692495 M 16.923078,162.30751 V 58.461725 c 0,-11.470523 9.298709,-20.76923 20.769232,-20.76923 h 124.61538 c 11.47016,0 20.76923,9.298707 20.76923,20.76923 V 162.30751 m -166.153842,0 c 0,11.47108 9.298709,20.76923 20.769232,20.76923 h 124.61538 c 11.47016,0 20.76923,-9.29815 20.76923,-20.76923 m -166.153842,0 V 93.076741 c 0,-11.470154 9.298709,-20.768862 20.769232,-20.768862 h 124.61538 c 11.47016,0 20.76923,9.298708 20.76923,20.768862 V 162.30751 M 100,106.92289 h 0.0692 v 0.0692 H 100 Z m 0,20.76924 h 0.0692 v 0.0692 H 100 Z m 0,20.76923 h 0.0692 v 0.0692 H 100 Z M 79.230771,127.69213 h 0.06923 v 0.0692 h -0.06923 z m 0,20.76923 h 0.06923 v 0.0692 h -0.06923 z M 58.46154,127.69213 h 0.06923 v 0.0692 h -0.06923 z m 0,20.76923 h 0.06923 v 0.0692 h -0.06923 z m 62.30769,-41.53847 h 0.0692 v 0.0692 h -0.0692 z m 0,20.76924 h 0.0692 v 0.0692 h -0.0692 z m 0,20.76923 h 0.0692 v 0.0692 h -0.0692 z m 20.76923,-41.53847 h 0.0692 v 0.0692 h -0.0692 z m 0,20.76924 h 0.0692 v 0.0692 h -0.0692 z"
+     stroke="#0f172a"
+     stroke-width="13.8462"
+     stroke-linecap="round"
+     stroke-linejoin="round"
+     id="path280" />
+</svg>

icons/support.svg

@@ -1,3 +1,33 @@
-<svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path d="M9.87891 7.51884C11.0505 6.49372 12.95 6.49372 14.1215 7.51884C15.2931 8.54397 15.2931 10.206 14.1215 11.2312C13.9176 11.4096 13.6917 11.5569 13.4513 11.6733C12.7056 12.0341 12.0002 12.6716 12.0002 13.5V14.25M21 12C21 16.9706 16.9706 21 12 21C7.02944 21 3 16.9706 3 12C3 7.02944 7.02944 3 12 3C16.9706 3 21 7.02944 21 12ZM12 17.25H12.0075V17.2575H12V17.25Z" stroke="#0F172A" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   width="200"
+   height="200"
+   viewBox="0 0 200 200"
+   fill="none"
+   version="1.1"
+   id="svg346"
+   sodipodi:docname="support.svg"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg">
+  <defs
+     id="defs350" />
+  <sodipodi:namedview
+     id="namedview348"
+     pagecolor="#ffffff"
+     bordercolor="#000000"
+     borderopacity="0.25"
+     inkscape:showpageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     showgrid="false" />
+  <path
+     d="m 79.332968,56.337414 c 11.415493,-9.988348 29.923442,-9.988348 41.338062,0 11.41559,9.988447 11.41559,26.182585 0,36.171713 -1.98672,1.738257 -4.1878,3.173487 -6.53016,4.307641 -7.26579,3.515482 -14.13892,9.727022 -14.13892,17.798612 v 7.3077 m 87.69036,-21.923081 c 0,48.431491 -39.26082,87.692311 -87.692311,87.692311 -48.431097,0 -87.692308,-39.26082 -87.692308,-87.692311 0,-48.431097 39.261211,-87.692308 87.692308,-87.692308 48.431491,0 87.692311,39.261211 87.692311,87.692308 z M 99.999999,151.15385 h 0.07308 v 0.0731 h -0.07308 z"
+     stroke="#0f172a"
+     stroke-width="14.6154"
+     stroke-linecap="round"
+     stroke-linejoin="round"
+     id="path344" />
 </svg>

icons/talk.svg

@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   inkscape:version="1.1-dev (f9311a1, 2019-12-25)"
+   sodipodi:docname="talk8.svg"
+   id="svg19"
+   xml:space="preserve"
+   viewBox="0 0 1024 1024"
+   version="1.1"
+   stroke-miterlimit="1.4142"
+   stroke-linejoin="round"
+   fill-rule="evenodd"
+   clip-rule="evenodd"><metadata
+   id="metadata23"><rdf:RDF><cc:Work
+       rdf:about=""><dc:format>image/svg+xml</dc:format><dc:type
+         rdf:resource="http://purl.org/dc/dcmitype/StillImage" /><dc:title></dc:title></cc:Work></rdf:RDF></metadata><sodipodi:namedview
+   inkscape:current-layer="svg19"
+   inkscape:window-maximized="1"
+   inkscape:window-y="23"
+   inkscape:window-x="1440"
+   inkscape:cy="522.40348"
+   inkscape:cx="510.51379"
+   inkscape:zoom="0.67285156"
+   showgrid="false"
+   id="namedview21"
+   inkscape:window-height="1035"
+   inkscape:window-width="1920"
+   inkscape:pageshadow="2"
+   inkscape:pageopacity="0"
+   guidetolerance="10"
+   gridtolerance="10"
+   objecttolerance="10"
+   borderopacity="1"
+   inkscape:document-rotation="0"
+   bordercolor="#666666"
+   pagecolor="#ffffff" /><defs
+   id="defs15"><linearGradient
+     gradientUnits="userSpaceOnUse"
+     gradientTransform="matrix(8.96 0 0 8.96 -7.8457e-5 .00019795)"
+     y2="-7.6294e-6"
+     y1="150"
+     x2="150"
+     x1="18.23"
+     id="a"><stop
+       id="stop10"
+       offset="0"
+       stop-color="#0082c9" /><stop
+       id="stop12"
+       offset="1"
+       stop-color="#1cafff" /></linearGradient></defs>
+<rect
+   id="rect17"
+   fill-rule="evenodd"
+   fill="url(#a)"
+   height="1024"
+   width="1024" /><path
+   style="fill:#ffffff"
+   inkscape:connector-curvature="0"
+   d="M 511.95919,186 A 325.96385,325.95103 0 0 0 186,511.96034 325.96385,325.95103 0 0 0 511.95919,837.91133 325.96385,325.95103 0 0 0 681.04889,790.22529 c 40.06218,15.91895 129.79781,63.14682 151.15526,42.74701 22.3177,-21.31206 -26.20129,-121.61808 -37.83331,-158.89148 A 325.96385,325.95103 0 0 0 837.91466,511.95755 325.96385,325.95103 0 0 0 511.96013,186.01118 Z m 0.0373,123.92323 A 202.1178,202.11161 0 0 1 714.11425,512.03485 202.1178,202.11161 0 0 1 511.99645,714.13247 202.1178,202.11161 0 0 1 309.87866,512.03485 202.1178,202.11161 0 0 1 511.99645,309.92323 Z"
+   stroke-width="0.14"
+   fill="#000"
+   id="path25" /></svg>

mila.yaml.tmpl

@@ -0,0 +1,49 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: mila
+
+entries:
+
+- attrs:
+    access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+    client_id: {{ secret  "mila_id" }}
+    client_secret: {{ secret  "mila_secret" }}
+    client_type: confidential
+    include_claims_in_id_token: true
+    issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "MILA_DOMAIN" }}/auth/user/oidc/callback
+    name: Mila
+    property_mappings:
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sub_mode: hashed_user_id
+    token_validity: days=30
+  conditions: []
+  id: mila_provider
+  identifiers:
+    pk: 9990
+  model: authentik_providers_oauth2.oauth2provider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "MILA_DOMAIN" }}
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf mila_provider
+    slug: mila
+  conditions: []
+  id: mila_application
+  identifiers:
+    name: Mila
+  model: authentik_core.application
+  state: present
+

release/10.0.0+2025.10.2

@@ -0,0 +1 @@
+2025.10 removes redis. Since 2025.8 all redis tasks have been migrated to postgres.

release/10.2.0+2025.12.4

@@ -0,0 +1 @@
+This is an intermediate release (required for migrations) before upgrading to 2026.x.

release/11.0.0+2026.2.1

@@ -0,0 +1,3 @@
+You must deploy 10.2.0+2025.12.4 first, before deploying this version, if upgrading from 2025.10 or earlier.
+Skipping the intermediate version will cause a migration error (although rolled back safely, no data loss).
+

release/11.0.2+2026.2.1

@@ -0,0 +1 @@
+WARNING: This update will clear all custom assets in /web/dist/asssts. You might need to run customize() again.

renovate.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ]
+}

wordpress.yaml.tmpl

@@ -52,7 +52,7 @@ entries:
     name: {{ env "WORDPRESS_GROUP" }}
   attrs:
     users:
-    - 1
+    - !Find [authentik_core.user, [username, "akadmin"]]
   id: wordpress_group
   model: authentik_core.group