chore: publish 12.0.0+2026.5.2 release

Intermediate step for upgrading to 2026.2.x.
Bump authentik to 2025.12.4, postgres to 15.17.

.env.sample

@@ -1,5 +1,5 @@
 TYPE=authentik
-TIMEOUT=900
+#TIMEOUT=900
 ENABLE_AUTO_UPDATE=true
 POST_DEPLOY_CMDS="worker set_admin_pass"
 # Example values for post deploy cmds: "worker set_admin_pass|worker apply_blueprints|worker add_applications"
@@ -156,5 +156,13 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 # APP_ICONS="$APP_ICONS hedgedoc:~/.abra/recipes/authentik/icons/hedgedoc.png"
 # HEDGEDOC_APPGROUP="$GROUP_DOCUMENTATION"
 
+# COMPOSE_FILE="$COMPOSE_FILE:compose.mila.yml"
+# MILA_DOMAIN=mila.example.com
+# SECRET_MILA_ID_VERSION=v1
+# SECRET_MILA_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS mila:~/.abra/recipes/authentik/icons/mila.svg"
+# MILA_APPGROUP=""
+# MILA_GROUP='mv_admin'
+
 # APPLICATIONS='{"Calendar": {"url":"https://nextcloud.example.com/apps/calendar/", "group": ""}, "BBB": {"url":"https://nextcloud.example.com/apps/bbb/", "group":""}, "Pretix": {"url":"https://pretix.example.com/control/", "group":""}}'
 # EXTRA_ICONS={"Calendar": "~/.abra/recipes/authentik/icons/calendar.svg", "BBB": "~/.abra/recipes/authentik/icons/bbb.png", "Pretix": "~/.abra/recipes/authentik/icons/pretix.svg"}

.gitignore

@@ -1 +1,2 @@
 .envrc
+.cursorignore

abra.sh

@@ -1,63 +1,88 @@
 export CUSTOM_CSS_VERSION=v3
 export FLOW_AUTHENTICATION_VERSION=v4
-export FLOW_INVITATION_VERSION=v2
+export FLOW_INVITATION_VERSION=v3
 export FLOW_INVALIDATION_VERSION=v2
 export FLOW_RECOVERY_VERSION=v2
 export FLOW_TRANSLATION_VERSION=v3
 export SYSTEM_BRAND_VERSION=v4
-export NEXTCLOUD_CONFIG_VERSION=v3
-export WORDPRESS_CONFIG_VERSION=v4
-export MATRIX_CONFIG_VERSION=v3
-export WEKAN_CONFIG_VERSION=v5
-export VIKUNJA_CONFIG_VERSION=v3
-export OUTLINE_CONFIG_VERSION=v4
+export NEXTCLOUD_CONFIG_VERSION=v4
+export WORDPRESS_CONFIG_VERSION=v8
+export MATRIX_CONFIG_VERSION=v4
+export WEKAN_CONFIG_VERSION=v6
+export VIKUNJA_CONFIG_VERSION=v4
+export OUTLINE_CONFIG_VERSION=v5
 export KIMAI_CONFIG_VERSION=v3
 export ZAMMAD_CONFIG_VERSION=v4
-export RALLLY_CONFIG_VERSION=v4
-export HEDGEDOC_CONFIG_VERSION=v3
-export MONITORING_CONFIG_VERSION=v4
+export RALLLY_CONFIG_VERSION=v5
+export HEDGEDOC_CONFIG_VERSION=v4
+export MONITORING_CONFIG_VERSION=v5
+export MILA_CONFIG_VERSION=v2
 export DB_ENTRYPOINT_VERSION=v1
 export PG_BACKUP_VERSION=v2
 export ENTRYPOINT_CSS_VERSION=v1
 
 customize() {
-    if [ -z "$1" ]
-    then
-            echo "Usage: ... customize <assets_path>"
-            exit 1
-    fi
-    asset_dir=$1
-    for asset in $COPY_ASSETS; do
-        source=$(echo $asset | cut -d "|" -f1)
-        target=$(echo $asset | cut -d "|" -f2)
-        echo copy $source to $target
-        abra app cp $APP_NAME $asset_dir/$source $target
-    done
+  if [ -z "$1" ]; then
+    echo "Usage: ... customize <assets_path>"
+    exit 1
+  fi
+  asset_dir=$1
+  for asset in $COPY_ASSETS; do
+    source=$(echo $asset | cut -d "|" -f1)
+    target=$(echo $asset | cut -d "|" -f2)
+    echo copy $source to $target
+    abra app cp $APP_NAME $asset_dir/$source $target
+  done
 }
 
-shell(){
-    if [ -z "$1" ]
-    then
-            echo "Usage: ... shell <python code>"
-            exit 1
-    fi
-    ak shell -c "$1" 2>&1 | quieten
+shell() {
+  if [ -z "$1" ]; then
+    echo "Usage: ... shell <python code>"
+    exit 1
+  fi
+  ak shell -c "$1" 2>&1 | quieten
 }
 
 import_user() {
-    if [ -z "$1" ]
-    then
-            echo "Usage: ... import_user <users.csv>"
-            exit 1
-    fi
-    source_file=$1
-    filename=$(basename $source_file)
-    abra app cp $APP_NAME $source_file worker:/tmp/
-    abra app cmd -T $APP_NAME worker _import_user $filename
+  if [ -z "$1" ]; then
+    echo "Usage: ... import_user <users.csv>"
+    exit 1
+  fi
+  source_file=$1
+  filename=$(basename $source_file)
+  abra app cp -C $APP_NAME $source_file worker:/tmp/
+  abra app cmd -C -T $APP_NAME worker _import_user $filename
+}
+
+init_admin_groups() {
+
+  /manage.py shell -c """
+from authentik.core.models import Group
+
+groups = [
+    os.environ.get('WORDPRESS_GROUP', ''),
+    os.environ.get('MILA_GROUP', '')
+]
+groups = [g.strip() for g in groups if g.strip()]
+if not groups:
+    print('Keine Gruppen definiert.')
+admin = User.objects.get(username='akadmin')
+for group_name in groups:
+    group_name = group_name.strip()
+    if Group.objects.filter(name=group_name):
+        group = Group.objects.get(name=group_name)
+    else:
+        group = Group.objects.create(name=group_name)
+        print(f'{group_name} created')
+    group.users.add(admin)
+    print(f'add akadmin to group {group_name}')
+""" 2>&1 | quieten
+
 }
 
 _import_user() {
-/manage.py shell -c """
+  /manage.py shell -c """
+from authentik.core.models import Group
 import csv
 new_user = User()
 with open('/tmp/$1', newline='') as file:
@@ -84,10 +109,22 @@ with open('/tmp/$1', newline='') as file:
 """ 2>&1 | quieten
 }
 
+set_user_pass() {
+  username="$1"
+  password="$2"
+  /manage.py shell -c """
+user = User.objects.get(username='$username')
+user.set_password('$password')
+user.save()
+print('Changed $username password')
+""" 2>&1 | quieten
+
+}
+
 set_admin_pass() {
-password=$(cat /run/secrets/admin_pass)
-token=$(cat /run/secrets/admin_token)
-/manage.py shell -c """
+  password=$(cat /run/secrets/admin_pass)
+  token=$(cat /run/secrets/admin_token)
+  /manage.py shell -c """
 import time
 i = 0
 while (not User.objects.filter(username='akadmin')):
@@ -122,45 +159,45 @@ else:
 }
 
 rotate_db_pass() {
-    db_password=$(cat /run/secrets/db_password)
-    psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
+  db_password=$(cat /run/secrets/db_password)
+  psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
 }
 
 # This function is for blueprints that are overwriting custom blueprints
 # It deactivates the affected custom blueprints to avoid changes to be reverted
 apply_blueprints() {
-    update_and_disable_blueprint default/flow-password-change.yaml
-    update_and_disable_blueprint default/flow-default-authentication-flow.yaml
-    update_and_disable_blueprint default/flow-default-user-settings-flow.yaml
-    update_and_disable_blueprint default/flow-default-source-enrollment.yaml
-    
-    apply_blueprint 3_flow_translation.yaml
-    apply_blueprint 2_flow_authentication.yaml
+  update_and_disable_blueprint default/flow-password-change.yaml
+  update_and_disable_blueprint default/flow-default-authentication-flow.yaml
+  update_and_disable_blueprint default/flow-default-user-settings-flow.yaml
+  update_and_disable_blueprint default/flow-default-source-enrollment.yaml
+
+  apply_blueprint 3_flow_translation.yaml
+  apply_blueprint 2_flow_authentication.yaml
 }
 
 update_and_disable_blueprint() {
-    enable_blueprint $@ 2>&1 | quieten
-    sleep 1
-    apply_blueprint $@
-    sleep 1
-    disable_blueprint $@ 2>&1 | quieten
+  enable_blueprint $@ 2>&1 | quieten
+  sleep 1
+  apply_blueprint $@
+  sleep 1
+  disable_blueprint $@ 2>&1 | quieten
 }
 
 disable_blueprint() {
-    blueprint_state False $@
+  blueprint_state False $@
 }
 
 enable_blueprint() {
-    blueprint_state True $@
+  blueprint_state True $@
 }
 
 apply_blueprint() {
-    echo apply blueprint $@
-    ak apply_blueprint $@ 2>&1 | quieten
+  echo apply blueprint $@
+  ak apply_blueprint $@ 2>&1 | quieten
 }
 
 blueprint_state() {
-/manage.py shell -c """
+  /manage.py shell -c """
 import time
 blueprint_state=$1
 blueprint_path='$2'
@@ -178,9 +215,9 @@ print(f'{blueprint.name} enabled: {blueprint.enabled}')
 }
 
 # This function adds each application with its name, slug and group if passed
-add_applications(){
-export APPLICATIONS
-/manage.py shell -c """
+add_applications() {
+  export APPLICATIONS
+  /manage.py shell -c """
 import json
 import os
 if os.environ['APPLICATIONS'] == '':
@@ -199,107 +236,157 @@ for name, details in applications.items():
         app.group = group
         print(f'Add {name}: {url} in group: {group}')
     else:
+        app.group = ''
         print(f'Add {name}: {url}')
     app.open_in_new_tab = True
     app.save()
 """ 2>&1 | quieten
 }
 
+# This function adds one application with its name, slug and group if passed
+add_single_application() {
+  if [ -z "$2" ]; then
+    echo "Usage: ... add_single_application <name> <url> <group>"
+    exit 1
+  fi
+  /manage.py shell -c """
+import json
+import os
+name = '$1'
+url = '$2'
+app = Application.objects.filter(name=name).first()
+if not app:
+    app = Application()
+app.name = name
+app.slug = name.replace(' ', '-')
+app.meta_launch_url = url
+group = '$3'
+if group:
+    app.group = group
+    print(f'Add {name}: {url} in group: {group}')
+else:
+    app.group = ''
+    print(f'Add {name}: {url}')
+app.open_in_new_tab = True
+app.save()
+""" 2>&1 | quieten
+}
+
 ## This function is for renaming apps - usage: rename "old name" "new name"
 rename() {
-    /manage.py shell -c """
-    old_name = '$1'
-    new_name = '$2' if '$2' else old_name
+  /manage.py shell -c """
+old_name = '$1'
+new_name = '$2' if '$2' else old_name
 
-    app = Application.objects.filter(name=old_name).first()
-    if app:
-        app.name = new_name
-        app.save()
-        print(f'Renamed application from {old_name} to {new_name}')
-    else:
-        print(f'No application found with name: {old_name}')
-    """ > /dev/null 2>&1
+app = Application.objects.filter(name=old_name).first()
+if app:
+    app.name = new_name
+    app.save()
+    print(f'Renamed application from {old_name} to {new_name}')
+else:
+    print(f'No application found with name: {old_name}')
+""" 2>&1 | quieten
 }
 
-
-
-quieten(){
-    # 'SyntaxWarning|version_regex|"http\['
-    # is a workaround to get rid of some verbose syntax warnings, this might be fixed with another version
-    grep -Pv '"level": "(info|debug)"|SyntaxWarning|version_regex|"http\[|RuntimeWarning:'
+quieten() {
+  # 'SyntaxWarning|version_regex|"http\['
+  # is a workaround to get rid of some verbose syntax warnings, this might be fixed with another version
+  grep -Pv '"level": "(info|debug)"|SyntaxWarning|version_regex|"http\[|RuntimeWarning:|### authentik shell|### Node| objects imported automatically|^$'
 }
 
-add_email_templates(){
-for file_path in "$@"; do
+add_email_templates() {
+  for file_path in "$@"; do
     echo copy template $file_path
     abra app cp $APP_NAME $file_path app:/templates/
-done
+  done
 }
 
-set_icons(){
-if [ -n "$1" ]
-then
-APP_ICONS="$1"
-fi
-for icon in $APP_ICONS; do
+set_icons() {
+  if [ -n "$1" ]; then
+    APP_ICONS="$1"
+  fi
+  for icon in $APP_ICONS; do
     app=$(echo $icon | cut -d ":" -f1)
     file_path=$(eval echo $(echo $icon | cut -d ":" -f2))
     file=$(basename $file_path)
     echo copy icon $file_path for $app
-    abra app cp $APP_NAME $file_path app:/media/
-    abra app cmd -T $APP_NAME app set_app_icon $app /media/$file
-done
+    abra app cp -C $APP_NAME $file_path app:/media/
+    abra app cmd -C -T $APP_NAME app set_app_icon $app /media/$file
+  done
 }
 
-set_extra_icons(){
-    if [ -z "$EXTRA_ICONS" ]
-    then
-        echo "Variable EXTRA_ICONS is not set"
-        exit 1
-    fi
-    export EXTRA_ICONS
-    icon_key_values=$(python3 -c "
+set_extra_icons() {
+  if [ -z "$EXTRA_ICONS" ]; then
+    echo "Variable EXTRA_ICONS is not set"
+    exit 1
+  fi
+  export EXTRA_ICONS
+  icon_key_values=$(python3 -c "
 import json
 import os
 for key, value in json.loads(os.environ['EXTRA_ICONS']).items():
-    print(f'{key}:{value}')
+  slug = key.replace(' ','-')
+  print(f'{slug}:{value}')
 ")
-    set_icons "$icon_key_values"
+  set_icons "$icon_key_values"
 }
 
 set_app_icon() {
-TOKEN=$(cat /run/secrets/admin_token)
-python -c """
+  TOKEN=$(cat /run/secrets/admin_token)
+  python -c """
 import requests
 import os
 my_token = '$TOKEN'
 application = '$1'
 icon_path = '$2'
-url = f'https://$DOMAIN/api/v3/core/applications/{application}/set_icon/'
-headers = {'Authorization':f'Bearer {my_token}'}
+base_url = f'https://$DOMAIN/api/v3'
+headers = {'Authorization': f'Bearer {my_token}'}
+
+name_img = os.path.basename(icon_path)
+
+# Upload file via the file management API
 with open(icon_path, 'rb') as img:
-  name_img = os.path.basename(icon_path)
-  files= {'file': (name_img,img,'image/png') }
-  with requests.Session() as s:
-    r = s.post(url,files=files,headers=headers)
-    print(r.status_code)
+  r = requests.post(
+    f'{base_url}/admin/file/',
+    files={'file': (name_img, img, 'image/png')},
+    data={'name': name_img},
+    headers=headers,
+  )
+  if r.status_code == 400 and 'already exists' in r.text:
+    print(f'{name_img} already uploaded')
+  elif r.status_code != 200:
+    print(f'Upload failed: {r.status_code} {r.text}')
+    exit(1)
+  else:
+    print(f'Uploaded {name_img}')
+
+# Set the icon on the application
+r = requests.patch(
+  f'{base_url}/core/applications/{application}/',
+  json={'meta_icon': name_img},
+  headers=headers,
+)
+if r.status_code == 200:
+  print(f'Set icon for {application}')
+else:
+  print(f'Failed to set icon: {r.status_code} {r.text}')
 """
 
 }
 
 blueprint_cleanup() {
-/manage.py shell -c """
+  /manage.py shell -c """
 delete_flows = ['default-recovery-flow' , 'custom-authentication-flow' , 'invitation-enrollment-flow' , 'initial-setup']
 Flow.objects.filter(slug__in=delete_flows).delete()
 Stage.objects.filter(flow=None).delete()
 Prompt.objects.filter(promptstage=None).delete()
 Brand.objects.filter(default=True).delete()
 """ 2>&1 | quieten
-apply_blueprints
+  apply_blueprints
 }
 
 get_certificate() {
-/manage.py shell -c """
+  /manage.py shell -c """
 provider_name='$1'
 if not provider_name:
     print('no Provider Name given')
@@ -312,7 +399,18 @@ print(''.join(cert.certificate_data.splitlines()[1:-1]))
 }
 
 get_user_uid() {
-/manage.py shell -c """
+  /manage.py shell -c """
 print(User.objects.filter(username='$1').first().uid)
 """ 2>&1 | quieten
 }
+
+get_secrets() {
+  grep "" -r /var/run/secrets
+}
+
+fix_collation_mismatch() {
+  psql -U ${POSTGRES_USER} -d authentik -c "ALTER DATABASE authentik REFRESH COLLATION VERSION;"
+  psql -U ${POSTGRES_USER} -d authentik -c "REINDEX DATABASE authentik;"
+  psql -U ${POSTGRES_USER} -d postgres -c "ALTER DATABASE postgres REFRESH COLLATION VERSION;"
+  psql -U ${POSTGRES_USER} -d postgres -c "REINDEX DATABASE postgres;"
+}

alaconnect.yml

@@ -87,3 +87,12 @@ hedgedoc:
         - hedgedoc.png
     secrets:
         hedgedoc_id: hedgedoc
+mila:
+    uncomment:
+        - compose.mila.yml
+        - MILA_DOMAIN
+        - SECRET_MILA_ID_VERSION
+        - SECRET_MILA_SECRET_VERSION
+        - mila.svg
+    secrets:
+        mila_id: mila

compose.mila.yml

@@ -0,0 +1,27 @@
+version: "3.8"
+services:
+  worker:
+    secrets:
+      - mila_id
+      - mila_secret
+    environment:
+      - MILA_DOMAIN
+    configs:
+      - source: mila
+        target: /blueprints/mila.yaml
+
+secrets:
+  mila_id:
+    external: true
+    name: ${STACK_NAME}_mila_id_${SECRET_MILA_ID_VERSION}
+  mila_secret:
+    external: true
+    name: ${STACK_NAME}_mila_secret_${SECRET_MILA_SECRET_VERSION}
+
+
+configs:
+  mila:
+    name: ${STACK_NAME}_mila_${MILA_CONFIG_VERSION}
+    file: mila.yaml.tmpl
+    template_driver: golang
+

compose.outposts.ldap.yml

@@ -1,7 +1,7 @@
 version: "3.8"
 services:
   authentik_ldap:
-      image: ghcr.io/goauthentik/ldap:2025.8.1
+      image: ghcr.io/goauthentik/ldap:2026.5.2
       # Optionally specify which networks the container should be
       # might be needed to reach the core authentik server
       networks:

compose.yml

@@ -5,7 +5,6 @@ x-env: &env
     - AUTHENTIK_POSTGRESQL__USER=authentik
     - AUTHENTIK_POSTGRESQL__NAME=authentik
     - AUTHENTIK_POSTGRESQL__HOST=db
-    - AUTHENTIK_REDIS__HOST=redis
     - AUTHENTIK_ERROR_REPORTING__ENABLED
     - AUTHENTIK_SECRET_KEY=file:///run/secrets/secret_key
     - AUTHENTIK_EMAIL__HOST
@@ -35,11 +34,10 @@ x-env: &env
 version: '3.8'
 services:
   app:
-    image: ghcr.io/goauthentik/server:2025.8.1
+    image: ghcr.io/goauthentik/server:2026.5.2
     command: server
     depends_on:
       - db
-      - redis
     secrets:
       - db_password
       - admin_pass
@@ -47,8 +45,9 @@ services:
       - secret_key
       - email_pass
     volumes:
+      - data:/data
       - media:/media
-      - assets:/web/dist/assets
+      - custom_assets:/web/dist/assets
       - templates:/templates
     networks:
       - internal
@@ -63,7 +62,7 @@ services:
     deploy:
       labels:
         - "traefik.enable=true"
-        - "traefik.docker.network=proxy"
+        - "traefik.swarm.network=proxy"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=9000"
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
@@ -71,18 +70,17 @@ services:
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions,${STACK_NAME}-redirect"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=8.0.0+2025.8.1"
+        - "coop-cloud.${STACK_NAME}.version=12.0.0+2026.5.2"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.regex=^https://(${REDIRECTS})/(.*)"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.replacement=https://${DOMAIN}/$${2}"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.permanent=true"
-        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
 
   worker:
-    image: ghcr.io/goauthentik/server:2025.8.1
+    image: ghcr.io/goauthentik/server:2026.5.2
     command: worker
     depends_on:
       - db
-      - redis
     secrets:
       - db_password
       - admin_pass
@@ -93,6 +91,7 @@ services:
       - internal
       - proxy
     volumes:
+      - data:/data
       - media:/media
       - /dev/null:/blueprints/default/flow-oobe.yaml
       - templates:/templates
@@ -119,18 +118,13 @@ services:
       start_period: 5m
 
   db:
-    image: postgres:15.13
+    image: pgautoupgrade/pgautoupgrade:16-trixie
     secrets:
       - db_password
     configs:
-      - source: db_entrypoint
-        target: /docker-entrypoint.sh
-        mode: 0555
       - source: pg_backup
         target: /pg_backup.sh
         mode: 0555
-    entrypoint:
-      /docker-entrypoint.sh
     volumes:
       - database:/var/lib/postgresql/data
     networks:
@@ -150,22 +144,8 @@ services:
           backupbot.backup: "${ENABLE_BACKUPS:-true}"
           backupbot.backup.pre-hook: "/pg_backup.sh backup"
           backupbot.backup.volumes.database.path: "backup.sql"
-          backupbot.backup.volumes.redis: "false"
           backupbot.restore.post-hook: '/pg_backup.sh restore'
 
-  redis:
-    image:  redis:8.2.1-alpine
-    command: --save 60 1 --loglevel warning
-    networks:
-      - internal
-    healthcheck:
-      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
-      interval: 30s
-      timeout: 10s
-      retries: 10
-      start_period: 1m
-    volumes:
-        - redis:/data
 
 secrets:
   db_password:
@@ -190,11 +170,11 @@ networks:
   internal:
 
 volumes:
+  data:
   media:
   certs:
-  redis:
   templates:
-  assets:
+  custom_assets:
   database:
 
 configs:
@@ -222,10 +202,6 @@ configs:
     name: ${STACK_NAME}_system_brand_${SYSTEM_BRAND_VERSION}
     file: system_brand.yaml.tmpl
     template_driver: golang
-  db_entrypoint:
-    name: ${STACK_NAME}_db_entrypoint_${DB_ENTRYPOINT_VERSION}
-    file: entrypoint.postgres.sh.tmpl
-    template_driver: golang
   pg_backup:
     name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
     file: pg_backup.sh

entrypoint.postgres.sh.tmpl

@@ -1,45 +0,0 @@
-#!/bin/bash
-
-set -e
-
-MIGRATION_MARKER=$PGDATA/migration_in_progress
-OLDDATA=$PGDATA/old_data
-NEWDATA=$PGDATA/new_data
-
-if [ -e $MIGRATION_MARKER ]; then
-  echo "FATAL: migration was started but did not complete in a previous run. manual recovery necessary"
-  exit 1
-fi
-
-if [ -f $PGDATA/PG_VERSION ]; then
-  DATA_VERSION=$(cat $PGDATA/PG_VERSION)
-
-  if [ -n "$DATA_VERSION" -a "$PG_MAJOR" != "$DATA_VERSION" ]; then
-    echo "postgres data version $DATA_VERSION found, but need $PG_MAJOR. Starting migration"
-    echo "Installing postgres $DATA_VERSION"
-    sed -i "s/$/ $DATA_VERSION/" /etc/apt/sources.list.d/pgdg.list
-    apt-get update && apt-get install -y --no-install-recommends \
-      postgresql-$DATA_VERSION \
-      && rm -rf /var/lib/apt/lists/*
-    echo "shuffling around"
-    chown -R postgres:postgres $PGDATA
-    gosu postgres mkdir $OLDDATA $NEWDATA
-    chmod 700 $OLDDATA $NEWDATA
-    mv $PGDATA/* $OLDDATA/ || true
-    touch $MIGRATION_MARKER
-    echo "running initdb"
-    # abuse entrypoint script for initdb by making server error out
-    gosu postgres bash -c "export PGDATA=$NEWDATA ; /usr/local/bin/docker-entrypoint.sh --invalid-arg || true"
-    echo "running pg_upgrade"
-    cd /tmp
-    gosu postgres pg_upgrade --link -b /usr/lib/postgresql/$DATA_VERSION/bin -d $OLDDATA -D $NEWDATA -U $POSTGRES_USER
-    cp $OLDDATA/pg_hba.conf $NEWDATA/
-    mv $NEWDATA/* $PGDATA
-    rm -rf $OLDDATA
-    rmdir $NEWDATA
-    rm $MIGRATION_MARKER
-    echo "migration complete"
-  fi
-fi
-
-/usr/local/bin/docker-entrypoint.sh postgres

flow_invitation.yaml.tmpl

@@ -27,7 +27,7 @@ entries:
 ### POLICIES
 - attrs:
     expression: |
-      if not regex_match(request.context.get('prompt_data').get('username'), '\s'):
+      if not regex_match(request.context.get('prompt_data').get('username'), '\\s'):
           return True
       ak_message("Username must not contain any whitespace!")
       return False

hedgedoc.yaml.tmpl

@@ -27,6 +27,9 @@ entries:
     signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
     sub_mode: hashed_user_id
     token_validity: days=30
+    grant_types:
+      - authorization_code
+      - refresh_token
   conditions: []
   id: hedgedoc_provider
   identifiers:

icons/calendar.svg

@@ -1,2 +1,40 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<svg xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://www.w3.org/2000/svg" version="1.1" xml:space="preserve" height="32" width="32" enable-background="new 0 0 595.275 311.111" y="0px" x="0px" xmlns:cc="http://creativecommons.org/ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" viewBox="0 0 32 32"><rect rx="5" ry="5" height="32" width="32" y="-.0000052588" x="0" fill="#0082c9"/><g transform="matrix(.89286 0 0 .89286 520.21 -.19331)"><path fill="#fff" d="m-572.71 3.5765c-1.108 0-2 0.892-2 2v4c0 1.108 0.892 2 2 2s2-0.892 2-2v-4c0-1.108-0.892-2-2-2zm16 0c-1.108 0-2 0.892-2 2v4c0 1.108 0.892 2 2 2s2-0.892 2-2v-4c0-1.108-0.892-2-2-2zm-13 4v2c0 1.662-1.338 3-3 3s-3-1.338-3-3v-1.875c-1.728 0.44254-3 2.0052-3 3.875v16c0 2.216 1.784 4 4 4h20c2.216 0 4-1.784 4-4v-16c0-1.8698-1.272-3.4325-3-3.875v1.875c0 1.662-1.338 3-3 3s-3-1.338-3-3v-2h-10zm-5.9062 9h21.812c0.0554 0 0.0937 0.03835 0.0937 0.09375v11.812c0 0.0554-0.0384 0.09375-0.0937 0.09375h-21.812c-0.0554 0-0.0937-0.03835-0.0937-0.09375v-11.812c0-0.0554 0.0384-0.09375 0.0937-0.09375z"/></g></svg>
+<svg
+   version="1.1"
+   xml:space="preserve"
+   height="200"
+   width="200"
+   enable-background="new 0 0 595.275 311.111"
+   y="0px"
+   x="0px"
+   viewBox="0 0 200 200"
+   id="svg8"
+   sodipodi:docname="calendar.svg"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg"><defs
+     id="defs12" /><sodipodi:namedview
+     id="namedview10"
+     pagecolor="#ffffff"
+     bordercolor="#000000"
+     borderopacity="0.25"
+     inkscape:showpageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     showgrid="false" /><rect
+     rx="31.25"
+     ry="31.25"
+     height="200"
+     width="200"
+     y="-5.2587998e-06"
+     x="0"
+     fill="#0082c9"
+     id="rect2"
+     style="stroke-width:6.25" /><g
+     transform="matrix(5.580375,0,0,5.580375,3251.3125,-1.2081599)"
+     id="g6"><path
+       fill="#ffffff"
+       d="m -572.71,3.5765 c -1.108,0 -2,0.892 -2,2 v 4 c 0,1.108 0.892,2 2,2 1.108,0 2,-0.892 2,-2 v -4 c 0,-1.108 -0.892,-2 -2,-2 z m 16,0 c -1.108,0 -2,0.892 -2,2 v 4 c 0,1.108 0.892,2 2,2 1.108,0 2,-0.892 2,-2 v -4 c 0,-1.108 -0.892,-2 -2,-2 z m -13,4 v 2 c 0,1.662 -1.338,3 -3,3 -1.662,0 -3,-1.338 -3,-3 v -1.875 c -1.728,0.44254 -3,2.0052 -3,3.875 v 16 c 0,2.216 1.784,4 4,4 h 20 c 2.216,0 4,-1.784 4,-4 v -16 c 0,-1.8698 -1.272,-3.4325 -3,-3.875 v 1.875 c 0,1.662 -1.338,3 -3,3 -1.662,0 -3,-1.338 -3,-3 v -2 z m -5.9062,9 h 21.812 c 0.0554,0 0.0937,0.03835 0.0937,0.09375 v 11.812 c 0,0.0554 -0.0384,0.09375 -0.0937,0.09375 h -21.812 c -0.0554,0 -0.0937,-0.03835 -0.0937,-0.09375 v -11.812 c 0,-0.0554 0.0384,-0.09375 0.0937,-0.09375 z"
+       id="path4" /></g></svg>

icons/help.svg

@@ -1,10 +1,60 @@
-<svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
-<g clip-path="url(#clip0_1735_3439)">
-<path d="M12 18.0093V12.7593M12 12.7593C12.5179 12.7593 13.0206 12.6937 13.5 12.5703M12 12.7593C11.4821 12.7593 10.9794 12.6937 10.5 12.5703M14.25 20.0487C13.5212 20.187 12.769 20.2593 12 20.2593C11.231 20.2593 10.4788 20.187 9.75 20.0487M13.5 22.4313C13.007 22.4828 12.5066 22.5093 12 22.5093C11.4934 22.5093 10.993 22.4828 10.5 22.4313M14.25 18.0093V17.8176C14.25 16.8347 14.9083 15.9943 15.7585 15.501C17.9955 14.203 19.5 11.7818 19.5 9.00928C19.5 4.86714 16.1421 1.50928 12 1.50928C7.85786 1.50928 4.5 4.86714 4.5 9.00928C4.5 11.7818 6.00446 14.203 8.24155 15.501C9.09173 15.9943 9.75 16.8347 9.75 17.8176V18.0093" stroke="#0F172A" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
-</g>
-<defs>
-<clipPath id="clip0_1735_3439">
-<rect width="24" height="24" fill="white" transform="translate(0 0.00927734)"/>
-</clipPath>
-</defs>
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   width="200"
+   height="200"
+   viewBox="0 0 200 200"
+   fill="none"
+   version="1.1"
+   id="svg171"
+   sodipodi:docname="help.svg"
+   inkscape:version="1.2.2 (b0a8486541, 2022-12-01)"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg">
+  <sodipodi:namedview
+     id="namedview173"
+     pagecolor="#ffffff"
+     bordercolor="#000000"
+     borderopacity="0.25"
+     inkscape:showpageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     showgrid="false"
+     inkscape:zoom="2.3032421"
+     inkscape:cx="119.614"
+     inkscape:cy="76.631111"
+     inkscape:window-width="1871"
+     inkscape:window-height="1011"
+     inkscape:window-x="0"
+     inkscape:window-y="0"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="svg171" />
+  <g
+     clip-path="url(#clip0_1735_3439)"
+     id="g164"
+     transform="matrix(8.4444369,0,0,8.4444369,-1.3332428,-1.4116916)">
+    <path
+       d="m 12,18.0093 v -5.25 m 0,0 c 0.5179,0 1.0206,-0.0656 1.5,-0.189 m -1.5,0.189 c -0.5179,0 -1.0206,-0.0656 -1.5,-0.189 m 3.75,7.4784 c -0.7288,0.1383 -1.481,0.2106 -2.25,0.2106 -0.769,0 -1.5212,-0.0723 -2.25,-0.2106 m 3.75,2.3826 c -0.493,0.0515 -0.9934,0.078 -1.5,0.078 -0.5066,0 -1.007,-0.0265 -1.5,-0.078 m 3.75,-4.422 v -0.1917 c 0,-0.9829 0.6583,-1.8233 1.5085,-2.3166 2.237,-1.298 3.7415,-3.7192 3.7415,-6.49172 0,-4.14214 -3.3579,-7.5 -7.5,-7.5 -4.14214,0 -7.5,3.35786 -7.5,7.5 C 4.5,11.7818 6.00446,14.203 8.24155,15.501 9.09173,15.9943 9.75,16.8347 9.75,17.8176 v 0.1917"
+       stroke="#0f172a"
+       stroke-width="1.5"
+       stroke-linecap="round"
+       stroke-linejoin="round"
+       id="path162" />
+  </g>
+  <defs
+     id="defs169">
+    <clipPath
+       id="clip0_1735_3439">
+      <rect
+         width="24"
+         height="24"
+         fill="#ffffff"
+         transform="translate(0,0.00927734)"
+         id="rect166"
+         x="0"
+         y="0" />
+    </clipPath>
+  </defs>
 </svg>

icons/mila.svg

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg id="a" data-name="Ebene 1" xmlns="http://www.w3.org/2000/svg" viewBox="80 60 430 410">
+  <defs>
+    <style>
+      .b {
+        fill: #346180;
+      }
+
+      .c {
+        fill: #009aa5;
+      }
+    </style>
+  </defs>
+  <g>
+    <path class="c" d="M319.57,303.39c41.78,18.41,74.43,42.48,87.64,89.83,4.52,16.2,12.63,44.75-10.72,48.82H101.39c-2.63-.09-9.25-2.82-11.12-4.38-.3-.25-4.06-6.12-4.22-6.49-5.78-13.4,2.35-35.12,7.31-47.71,9.49-24.09,25.75-44.44,46.62-59.63,16.07-11.7,34.34-20.54,53.51-25.78,32.68-8.93,94.96-8.37,126.07,5.34Z"/>
+    <path class="c" d="M299.53,126.4c7.22,5.55,16.92,15.59,20.81,23.69,14.47,30.14,13.54,62.8-6.99,90.82-32.64,44.55-106.51,39.41-133.59-8.24-45.73-80.48,49.74-160.1,119.77-106.26Z"/>
+  </g>
+  <g>
+    <path class="b" d="M395.52,128.43c50.29,40.71,28.84,125.79-34.37,141.27-7.94,1.94-34,4.45-40.2-.24-.7-.53-1.73-1.28-1.25-2.3.2-.42.58-.72.95-1.01,6.58-5.05,11.45-13.02,15.71-20.08s7.99-14.88,10.77-22.84c5.4-15.47,7.48-32.13,5.27-48.4-2.36-17.34-9.63-33.63-20.49-47.31-2.75-3.46-6.2-6.45-9.27-9.63-1.09-1.14-3.73-3.05-4.21-4.6-.9-2.93,2.98-3.72,5.51-4.06,23.02-3.1,46.39,1.77,65.63,14.81,2.04,1.38,4.02,2.84,5.94,4.39Z"/>
+    <path class="b" d="M433.88,441.36c-2.64-2.97.77-10.22,1.03-13.89,3.54-49.03-30.24-100.05-69.07-126.89-1.99-1.38-11.43-6.12-11.91-6.6-1.42-1.44.09-1.81,1.48-1.99,7.36-.93,17.29,1.08,24.7,2.32,16.51,2.77,33.53,8.05,48.48,15.52,18.53,9.24,34.94,22.72,47.79,38.94,11.65,14.7,54.83,91.93,8.76,92.91-15.76.33-31.52.67-47.28,1-1.97.04-3.23-.46-3.99-1.31Z"/>
+  </g>
+</svg>

icons/poll.svg

@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   width="200"
+   height="200"
+   viewBox="0 0 200 200"
+   fill="none"
+   version="1.1"
+   id="svg282"
+   sodipodi:docname="poll.svg"
+   inkscape:version="1.2.2 (b0a8486541, 2022-12-01)"
+   inkscape:export-filename="poll_tall.svg"
+   inkscape:export-xdpi="96"
+   inkscape:export-ydpi="96"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg">
+  <defs
+     id="defs286" />
+  <sodipodi:namedview
+     id="namedview284"
+     pagecolor="#ffffff"
+     bordercolor="#000000"
+     borderopacity="0.25"
+     inkscape:showpageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     showgrid="false"
+     inkscape:zoom="4.3999736"
+     inkscape:cx="116.47797"
+     inkscape:cy="125.79621"
+     inkscape:window-width="1871"
+     inkscape:window-height="1011"
+     inkscape:window-x="0"
+     inkscape:window-y="0"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="svg282" />
+  <path
+     d="M 51.538464,16.923263 V 37.692495 M 148.46154,16.923263 V 37.692495 M 16.923078,162.30751 V 58.461725 c 0,-11.470523 9.298709,-20.76923 20.769232,-20.76923 h 124.61538 c 11.47016,0 20.76923,9.298707 20.76923,20.76923 V 162.30751 m -166.153842,0 c 0,11.47108 9.298709,20.76923 20.769232,20.76923 h 124.61538 c 11.47016,0 20.76923,-9.29815 20.76923,-20.76923 m -166.153842,0 V 93.076741 c 0,-11.470154 9.298709,-20.768862 20.769232,-20.768862 h 124.61538 c 11.47016,0 20.76923,9.298708 20.76923,20.768862 V 162.30751 M 100,106.92289 h 0.0692 v 0.0692 H 100 Z m 0,20.76924 h 0.0692 v 0.0692 H 100 Z m 0,20.76923 h 0.0692 v 0.0692 H 100 Z M 79.230771,127.69213 h 0.06923 v 0.0692 h -0.06923 z m 0,20.76923 h 0.06923 v 0.0692 h -0.06923 z M 58.46154,127.69213 h 0.06923 v 0.0692 h -0.06923 z m 0,20.76923 h 0.06923 v 0.0692 h -0.06923 z m 62.30769,-41.53847 h 0.0692 v 0.0692 h -0.0692 z m 0,20.76924 h 0.0692 v 0.0692 h -0.0692 z m 0,20.76923 h 0.0692 v 0.0692 h -0.0692 z m 20.76923,-41.53847 h 0.0692 v 0.0692 h -0.0692 z m 0,20.76924 h 0.0692 v 0.0692 h -0.0692 z"
+     stroke="#0f172a"
+     stroke-width="13.8462"
+     stroke-linecap="round"
+     stroke-linejoin="round"
+     id="path280" />
+</svg>

icons/support.svg

@@ -1,3 +1,33 @@
-<svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path d="M9.87891 7.51884C11.0505 6.49372 12.95 6.49372 14.1215 7.51884C15.2931 8.54397 15.2931 10.206 14.1215 11.2312C13.9176 11.4096 13.6917 11.5569 13.4513 11.6733C12.7056 12.0341 12.0002 12.6716 12.0002 13.5V14.25M21 12C21 16.9706 16.9706 21 12 21C7.02944 21 3 16.9706 3 12C3 7.02944 7.02944 3 12 3C16.9706 3 21 7.02944 21 12ZM12 17.25H12.0075V17.2575H12V17.25Z" stroke="#0F172A" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   width="200"
+   height="200"
+   viewBox="0 0 200 200"
+   fill="none"
+   version="1.1"
+   id="svg346"
+   sodipodi:docname="support.svg"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg">
+  <defs
+     id="defs350" />
+  <sodipodi:namedview
+     id="namedview348"
+     pagecolor="#ffffff"
+     bordercolor="#000000"
+     borderopacity="0.25"
+     inkscape:showpageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     showgrid="false" />
+  <path
+     d="m 79.332968,56.337414 c 11.415493,-9.988348 29.923442,-9.988348 41.338062,0 11.41559,9.988447 11.41559,26.182585 0,36.171713 -1.98672,1.738257 -4.1878,3.173487 -6.53016,4.307641 -7.26579,3.515482 -14.13892,9.727022 -14.13892,17.798612 v 7.3077 m 87.69036,-21.923081 c 0,48.431491 -39.26082,87.692311 -87.692311,87.692311 -48.431097,0 -87.692308,-39.26082 -87.692308,-87.692311 0,-48.431097 39.261211,-87.692308 87.692308,-87.692308 48.431491,0 87.692311,39.261211 87.692311,87.692308 z M 99.999999,151.15385 h 0.07308 v 0.0731 h -0.07308 z"
+     stroke="#0f172a"
+     stroke-width="14.6154"
+     stroke-linecap="round"
+     stroke-linejoin="round"
+     id="path344" />
 </svg>

icons/talk.svg

@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   inkscape:version="1.1-dev (f9311a1, 2019-12-25)"
+   sodipodi:docname="talk8.svg"
+   id="svg19"
+   xml:space="preserve"
+   viewBox="0 0 1024 1024"
+   version="1.1"
+   stroke-miterlimit="1.4142"
+   stroke-linejoin="round"
+   fill-rule="evenodd"
+   clip-rule="evenodd"><metadata
+   id="metadata23"><rdf:RDF><cc:Work
+       rdf:about=""><dc:format>image/svg+xml</dc:format><dc:type
+         rdf:resource="http://purl.org/dc/dcmitype/StillImage" /><dc:title></dc:title></cc:Work></rdf:RDF></metadata><sodipodi:namedview
+   inkscape:current-layer="svg19"
+   inkscape:window-maximized="1"
+   inkscape:window-y="23"
+   inkscape:window-x="1440"
+   inkscape:cy="522.40348"
+   inkscape:cx="510.51379"
+   inkscape:zoom="0.67285156"
+   showgrid="false"
+   id="namedview21"
+   inkscape:window-height="1035"
+   inkscape:window-width="1920"
+   inkscape:pageshadow="2"
+   inkscape:pageopacity="0"
+   guidetolerance="10"
+   gridtolerance="10"
+   objecttolerance="10"
+   borderopacity="1"
+   inkscape:document-rotation="0"
+   bordercolor="#666666"
+   pagecolor="#ffffff" /><defs
+   id="defs15"><linearGradient
+     gradientUnits="userSpaceOnUse"
+     gradientTransform="matrix(8.96 0 0 8.96 -7.8457e-5 .00019795)"
+     y2="-7.6294e-6"
+     y1="150"
+     x2="150"
+     x1="18.23"
+     id="a"><stop
+       id="stop10"
+       offset="0"
+       stop-color="#0082c9" /><stop
+       id="stop12"
+       offset="1"
+       stop-color="#1cafff" /></linearGradient></defs>
+<rect
+   id="rect17"
+   fill-rule="evenodd"
+   fill="url(#a)"
+   height="1024"
+   width="1024" /><path
+   style="fill:#ffffff"
+   inkscape:connector-curvature="0"
+   d="M 511.95919,186 A 325.96385,325.95103 0 0 0 186,511.96034 325.96385,325.95103 0 0 0 511.95919,837.91133 325.96385,325.95103 0 0 0 681.04889,790.22529 c 40.06218,15.91895 129.79781,63.14682 151.15526,42.74701 22.3177,-21.31206 -26.20129,-121.61808 -37.83331,-158.89148 A 325.96385,325.95103 0 0 0 837.91466,511.95755 325.96385,325.95103 0 0 0 511.96013,186.01118 Z m 0.0373,123.92323 A 202.1178,202.11161 0 0 1 714.11425,512.03485 202.1178,202.11161 0 0 1 511.99645,714.13247 202.1178,202.11161 0 0 1 309.87866,512.03485 202.1178,202.11161 0 0 1 511.99645,309.92323 Z"
+   stroke-width="0.14"
+   fill="#000"
+   id="path25" /></svg>

matrix.yaml.tmpl

@@ -27,6 +27,9 @@ entries:
     signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
     sub_mode: user_username
     token_validity: days=30
+    grant_types:
+      - authorization_code
+      - refresh_token
   conditions: []
   id: matrix_provider
   identifiers:

mila.yaml.tmpl

@@ -0,0 +1,52 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: mila
+
+entries:
+
+- attrs:
+    access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+    client_id: {{ secret  "mila_id" }}
+    client_secret: {{ secret  "mila_secret" }}
+    client_type: confidential
+    include_claims_in_id_token: true
+    issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "MILA_DOMAIN" }}/auth/user/oidc/callback
+    name: Mila
+    property_mappings:
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sub_mode: hashed_user_id
+    token_validity: days=30
+    grant_types:
+      - authorization_code
+      - refresh_token
+  conditions: []
+  id: mila_provider
+  identifiers:
+    pk: 9990
+  model: authentik_providers_oauth2.oauth2provider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "MILA_DOMAIN" }}
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf mila_provider
+    slug: mila
+  conditions: []
+  id: mila_application
+  identifiers:
+    name: Mila
+  model: authentik_core.application
+  state: present
+

monitoring.yaml.tmpl

@@ -27,6 +27,9 @@ entries:
     signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
     sub_mode: user_username
     token_validity: days=30
+    grant_types:
+      - authorization_code
+      - refresh_token
   conditions: []
   id: monitoring_provider
   identifiers:

nextcloud.yaml.tmpl

@@ -40,6 +40,9 @@ entries:
     signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
     sub_mode: user_username
     token_validity: days=30
+    grant_types:
+      - authorization_code
+      - refresh_token
   conditions: []
   id: nextcloud_provider
   identifiers:

outline.yaml.tmpl

@@ -27,6 +27,9 @@ entries:
     signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
     sub_mode: hashed_user_id
     token_validity: days=30
+    grant_types:
+      - authorization_code
+      - refresh_token
   conditions: []
   id: outline_provider
   identifiers:

rallly.yaml.tmpl

@@ -27,6 +27,9 @@ entries:
     signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
     sub_mode: hashed_user_id
     token_validity: days=30
+    grant_types:
+      - authorization_code
+      - refresh_token
   conditions: []
   id: rallly_provider
   identifiers:

release/10.0.0+2025.10.2

@@ -0,0 +1 @@
+2025.10 removes redis. Since 2025.8 all redis tasks have been migrated to postgres.

release/10.2.0+2025.12.4

@@ -0,0 +1 @@
+This is an intermediate release (required for migrations) before upgrading to 2026.x.

release/11.0.0+2026.2.1

@@ -0,0 +1,3 @@
+You must deploy 10.2.0+2025.12.4 first, before deploying this version, if upgrading from 2025.10 or earlier.
+Skipping the intermediate version will cause a migration error (although rolled back safely, no data loss).
+

release/11.0.2+2026.2.1

@@ -0,0 +1 @@
+WARNING: This update will clear all custom assets in /web/dist/asssts. You might need to run customize() again.

release/12.0.0+2026.5.2

@@ -0,0 +1 @@
+postgres image was replaced py pgautoupdate. Make an database backup to prevent any dataloss before updating.

renovate.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ]
+}

vikunja.yaml.tmpl

@@ -27,6 +27,9 @@ entries:
     signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
     sub_mode: hashed_user_id
     token_validity: days=30
+    grant_types:
+      - authorization_code
+      - refresh_token
   conditions: []
   id: vikunja_provider
   identifiers:

wekan.yaml.tmpl

@@ -45,6 +45,9 @@ entries:
     signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
     sub_mode: hashed_user_id
     token_validity: days=30
+    grant_types:
+      - authorization_code
+      - refresh_token
   conditions: []
   id: wekan_provider
   identifiers:

wordpress.yaml.tmpl

@@ -27,6 +27,9 @@ entries:
     signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
     sub_mode: user_username
     token_validity: days=30
+    grant_types:
+      - authorization_code
+      - refresh_token
   conditions: []
   id: wordpress_provider
   identifiers:
@@ -50,9 +53,6 @@ entries:
 {{ if ne (env "WORDPRESS_GROUP") "" }} 
 - identifiers:
     name: {{ env "WORDPRESS_GROUP" }}
-  attrs:
-    users:
-    - 1
   id: wordpress_group
   model: authentik_core.group