chore: publish 3.1.0+2023.3.1 release

.drone.yml

@@ -0,0 +1,51 @@
+---
+kind: pipeline
+name: deploy to swarm-test.autonomic.zone
+steps:
+  - name: deployment
+    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    settings:
+      host: swarm-test.autonomic.zone
+      stack: authentik
+      generate_secrets: true
+      purge: true
+      deploy_key:
+        from_secret: drone_ssh_swarm_test
+      networks:
+        - proxy
+    environment:
+      DOMAIN: authentik.swarm-test.autonomic.zone
+      STACK_NAME: authentik
+      LETS_ENCRYPT_ENV: production
+      CUSTOM_CSS_VERSION: v1
+      FLOW_AUTHENTICATION_VERSION: v1
+      FLOW_INVITATION_VERSION: v1
+      FLOW_INVALIDATION_VERSION: v1
+      FLOW_RECOVERY_VERSION: v1
+      FLOW_TRANSLATION_VERSION: v1
+      SYSTEM_TENANT_VERSION: v1
+      NEXTCLOUD_CONFIG_VERSION: v1
+      SECRET_SECRET_KEY_VERSION: v1
+      SECRET_DB_PASSWORD_VERSION: v1
+      SECRET_ADMIN_TOKEN_VERSION: v1
+      SECRET_ADMIN_PASS_VERSION: v1
+      SECRET_EMAIL_PASS_VERSION: v1
+trigger:
+  branch:
+    - main
+---
+kind: pipeline
+name: generate recipe catalogue
+steps:
+  - name: release a new version
+    image: plugins/downstream
+    settings:
+      server: https://build.coopcloud.tech
+      token:
+        from_secret: drone_abra-bot_token
+      fork: true
+      repositories:
+        - coop-cloud/auto-recipes-catalogue-json
+
+trigger:
+  event: tag

.env.sample

@@ -1,33 +1,53 @@
 TYPE=authentik
 LETS_ENCRYPT_ENV=production
 
-DOMAIN=sso.example.com
-POSTGRES_PASSWORD=secret
-AUTHENTIK_POSTGRESQL__PASSWORD=secret
-POSTGRES_USER=authentik
-AUTHENTIK_POSTGRESQL__USER=authentik
-POSTGRES_DB=authentik
-AUTHENTIK_POSTGRESQL__NAME=authentik
-AUTHENTIK_POSTGRESQL__HOST=db
-AUTHENTIK_REDIS__HOST=redis
-AUTHENTIK_ERROR_REPORTING__ENABLED=true
+DOMAIN=authentik.example.com
+COMPOSE_FILE="compose.yml"
+AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME=false
+AUTHENTIK_LOG_LEVEL=info
+# AUTHENTIK_IMPERSONATION=true
+# AUTHENTIK_FOOTER_LINKS='[{"name": "My Organization","href":"https://example.com"}]'
 # WORKERS=1
-AUTHENTIK_SECRET_KEY=secret
-AK_ADMIN_TOKEN=secret
-AK_ADMIN_PASS=secret
 
-# EMAIL
+## EMAIL
 AUTHENTIK_EMAIL__HOST=smtp
-AUTHENTIK_EMAIL__PORT=25
-# AUTHENTIK_EMAIL__USERNAME=""
-# AUTHENTIK_EMAIL__PASSWORD=""
-AUTHENTIK_EMAIL__USE_TLS=false
+AUTHENTIK_EMAIL__PORT=587
+AUTHENTIK_EMAIL__USERNAME="noreply@example.com"
+AUTHENTIK_EMAIL__USE_TLS=true
 AUTHENTIK_EMAIL__USE_SSL=false
 AUTHENTIK_EMAIL__TIMEOUT=10
 AUTHENTIK_EMAIL__FROM=noreply@example.com
-AUTHENTIK_LOG_LEVEL=info
 
-# Secret Versions
-# SECRET_SECRET_KEY_VERSION=v1
-# SECRET_ADMIN_TOKEN_VERSION=v1
-# SECRET_ADMIN_PASS_VERSION=v1
+## Secret Versions
+SECRET_SECRET_KEY_VERSION=v1
+SECRET_DB_PASSWORD_VERSION=v1
+SECRET_ADMIN_TOKEN_VERSION=v1
+SECRET_ADMIN_PASS_VERSION=v1
+SECRET_EMAIL_PASS_VERSION=v1
+
+# X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
+AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
+
+## FLOW OPTIONS
+# WELCOME_MESSAGE="Welcome to Authentik"
+# DEFAULT_LANGUAGE=en
+# LOGOUT_REDIRECT="https://$DOMAIN"
+# EMAIL_SUBJECT="Account Recovery"
+# EMAIL_TOKEN_EXPIRY_MINUTES=30
+
+COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
+COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/"
+COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
+# NEXTCLOUD_DOMAIN=nextcloud.example.com
+# SECRET_NEXTCLOUD_ID_VERSION=v1
+# SECRET_NEXTCLOUD_SECRET_VERSION=v1
+# APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"
+
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.wordpress.yml"
+# WORDPRESS_DOMAIN=wordpress.example.com
+# SECRET_WORDPRESS_ID_VERSION=v1
+# SECRET_WORDPRESS_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS wordpress:~/.abra/recipes/authentik/icons/wordpress.png"

README.md

@@ -9,7 +9,7 @@
 
 * **Category**: Apps
 * **Status**: 0, work-in-progress
-* **Image**: [ghcr/goauthentik/server](https://ghcr.io/goauthentik/server)
+* **Image**: [ghcr/goauthentik/server](https://ghcr.io/goauthentik/server), 4, upstream
 * **Healthcheck**: Yes
 * **Backups**: Yes
 * **Email**: Yes
@@ -20,8 +20,103 @@
 
 ## Quick start
 
-* `abra app new authentik --secrets`
+* `abra app new authentik`
 * `abra app config <app-name>`
+* `abra app secret insert <app_name> email_pass v1 <password>`
+* `abra app secret generate -a <app_name>`
 * `abra app deploy <app-name>`
+* `abra app cmd <app_name> app set_admin_pass`
+* `abra app cmd <app_name> worker apply_blueprints`
+
+## Rotate Secrets
+
+Increment the secret versions using `abra app config <app_name>`
+
+```
+abra app secret generate -a <app_name>
+abra app undeploy <app_name>
+abra app deploy <app_name>
+abra app cmd <app_name> db rotate_db_pass
+abra app cmd <app_name> app set_admin_pass
+```
+
+## Add SSO for Nextcloud
+
+Uncomment Nextcloud configuration and set `NEXTCLOUD_DOMAIN` the using `abra app config <app_name>`:
+
+```
+COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
+NEXTCLOUD_DOMAIN=nextcloud.example.com
+SECRET_NEXTCLOUD_ID_VERSION=v1
+SECRET_NEXTCLOUD_SECRET_VERSION=v1
+APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"
+```
+
+Set the nextcloud Icon using `abra app cmd -l -d <app_name> set_icons`
+
+The configuration inside Nextcloud can be found in the [nextcloud recipe](https://git.coopcloud.tech/coop-cloud/nextcloud#authentik-integration)
+
+## Customization
+
+Place the files you want to overwrite in a directory `<assets_path>`.
+Run `abra app config <app_name>` and define the env variable `COPY_ASSETS` in the following format:
+
+```
+"<source_file1>|<service>:<target_directory1> <source_file2>|<service>:<target_directory2> ...
+```
+
+For example:
+
+```
+COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
+COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/
+COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
+```
+
+Run this command after every deploy/upgrade:
+
+`abra app command --local <app-name> customize <assets_path>`
+
+## Blueprints
+
+Blueprint Dependency Requirements:
+
+- Recovery with email verification
+    - Default - Password change flow
+    - Default - Authentication flow
+- Custom Authentication Flow
+    - Default - Authentication flow
+    - Recovery with email verification
+- Invitation Enrollment Flow
+    - Default - User settings flow
+    - Default - Authentication flow
+    - Default - Source enrollment flow
+- Custom Invalidation Flow
+    - Default - Invalidation flow
+- Flow Translations
+    - Recovery with email verification
+    - Default - Password change flow
+    - Default - User settings flow
+    - Default - Source enrollment flow
+- Custom System Tenant
+    - Default - Tenant
+    - Recovery with email verification
+
+
+Blueprint Dependency Graph:
+
+5. Custom System Tenant
+    - Default - Tenant
+    4. Invitation Enrollment Flow
+        3. Flow Translations
+            - Default - User settings flow
+            - Default - Source enrollment flow
+            2. Custom Authentication Flow
+                1. Recovery with email verification
+                    - Default - Authentication flow
+                        - Default - Password change flow
+6. Custom Invalidation Flow
+    - Default - Invalidation flow
+
 
 For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).

abra.sh

@@ -0,0 +1,141 @@
+export CUSTOM_CSS_VERSION=v2
+export FLOW_AUTHENTICATION_VERSION=v1
+export FLOW_INVITATION_VERSION=v1
+export FLOW_INVALIDATION_VERSION=v1
+export FLOW_RECOVERY_VERSION=v1
+export FLOW_TRANSLATION_VERSION=v1
+export SYSTEM_TENANT_VERSION=v1
+export NEXTCLOUD_CONFIG_VERSION=v1
+export WORDPRESS_CONFIG_VERSION=v1
+
+customize() {
+    if [ -z "$1" ]
+    then
+            echo "Usage: ... customize <assets_path>"
+            exit 1
+    fi
+    asset_dir=$1
+    for asset in $COPY_ASSETS; do
+        source=$(echo $asset | cut -d "|" -f1)
+        target=$(echo $asset | cut -d "|" -f2)
+        echo copy $source to $target
+        abra app cp $APP_NAME $asset_dir/$source $target
+    done
+}
+
+set_admin_pass() {
+password=$(cat /run/secrets/admin_pass)
+token=$(cat /run/secrets/admin_token)
+/manage.py shell -c """
+akadmin = User.objects.get(username='akadmin')
+akadmin.set_password('$password')
+akadmin.save()
+print('Changed akadmin password')
+
+from authentik.core.models import TokenIntents
+key='$token'
+if (token:= Token.objects.filter(identifier='authentik-bootstrap-token').first()):
+    token.key=key
+    token.save()
+    print('Changed authentik-bootstrap-token')
+else:
+    Token.objects.create(
+        identifier='authentik-bootstrap-token',
+        user=akadmin,
+        intent=TokenIntents.INTENT_API,
+        expiring=False,
+        key=key,
+    )
+    print('Created authentik-bootstrap-token')
+"""
+}
+
+rotate_db_pass() {
+    db_password=$(cat /run/secrets/db_password)
+    psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
+}
+
+apply_blueprints() {
+    enable_blueprint default/flow-default-authentication-flow.yaml
+    enable_blueprint default/flow-default-user-settings-flow.yaml
+    enable_blueprint default/flow-password-change.yaml
+    ak apply_blueprint 6_flow_invalidation.yaml 
+    ak apply_blueprint 5_system_tenant.yaml
+    disable_blueprint default/flow-default-authentication-flow.yaml
+    disable_blueprint default/flow-default-user-settings-flow.yaml
+    disable_blueprint default/flow-password-change.yaml
+}
+
+disable_blueprint() {
+    blueprint_state False $@
+}
+
+enable_blueprint() {
+    blueprint_state True $@
+}
+
+blueprint_state() {
+TOKEN=$(cat /run/secrets/admin_token)
+python -c """
+import requests
+session = requests.Session()
+my_token='$TOKEN'
+blueprint_state=$1
+blueprint_path='$2'
+resp = session.get(f'https://$DOMAIN/api/v3/managed/blueprints/?path={blueprint_path}', headers={'Authorization':f'Bearer {my_token}'})
+if not resp.ok:
+    print(f'Error fetching blueprint: {resp.content}')
+    exit()
+auth_flow_uuid = resp.json()['results'][0]['pk']
+blueprint_name = resp.json()['results'][0]['name']
+params = {'name': blueprint_name,'path': blueprint_path,'context':{},'enabled': blueprint_state}
+resp = session.put(f'https://$DOMAIN/api/v3/managed/blueprints/{auth_flow_uuid}/', json=params, headers={'Authorization':f'Bearer {my_token}'})
+if resp.ok:
+    print(f'{blueprint_name} enabled: {blueprint_state}')
+else:
+    print(f'Error changing blueprint state: {resp.content}')
+"""
+
+}
+
+set_icons(){
+for icon in $APP_ICONS; do
+    app=$(echo $icon | cut -d ":" -f1)
+    file_path=$(eval echo $(echo $icon | cut -d ":" -f2))
+    file=$(basename $file_path)
+    echo copy icon $file_path for $app
+    abra app cp $APP_NAME $file_path app:/media/
+    abra app cmd -T $APP_NAME app set_app_icon $app /media/$file
+done
+}
+
+set_app_icon() {
+TOKEN=$(cat /run/secrets/admin_token)
+python -c """
+import requests
+import os
+my_token = '$TOKEN'
+application = '$1'
+icon_path = '$2'
+url = f'https://$DOMAIN/api/v3/core/applications/{application}/set_icon/'
+headers = {'Authorization':f'Bearer {my_token}'}
+with open(icon_path, 'rb') as img:
+  name_img = os.path.basename(icon_path)
+  files= {'file': (name_img,img,'image/png') }
+  with requests.Session() as s:
+    r = s.post(url,files=files,headers=headers)
+    print(r.status_code)
+"""
+
+}
+
+blueprint_cleanup() {
+/manage.py shell -c """
+delete_flows = ['default-recovery-flow' , 'custom-authentication-flow' , 'invitation-enrollment-flow' , 'initial-setup']
+Flow.objects.filter(slug__in=delete_flows).delete()
+Stage.objects.filter(flow=None).delete()
+Prompt.objects.filter(promptstage=None).delete()
+Tenant.objects.filter(default=True).delete()
+"""
+apply_blueprints
+}

compose.nextcloud.yml

@@ -0,0 +1,26 @@
+version: "3.8"
+services:
+  worker:
+    secrets:
+      - nextcloud_id
+      - nextcloud_secret
+    environment:
+      - NEXTCLOUD_DOMAIN
+    configs:
+      - source: nextcloud
+        target: /blueprints/nextcloud.yaml
+
+secrets:
+  nextcloud_id:
+    external: true
+    name: ${STACK_NAME}_nextcloud_id_${SECRET_NEXTCLOUD_ID_VERSION}
+  nextcloud_secret:
+    external: true
+    name: ${STACK_NAME}_nextcloud_secret_${SECRET_NEXTCLOUD_SECRET_VERSION}
+
+
+configs:
+  nextcloud:
+    name: ${STACK_NAME}_nextcloud_${NEXTCLOUD_CONFIG_VERSION}
+    file: nextcloud.yaml.tmpl
+    template_driver: golang

compose.wordpress.yml

@@ -0,0 +1,26 @@
+version: "3.8"
+services:
+  worker:
+    secrets:
+      - wordpress_id
+      - wordpress_secret
+    environment:
+      - WORDPRESS_DOMAIN
+    configs:
+      - source: wordpress
+        target: /blueprints/wordpress.yaml
+
+secrets:
+  wordpress_id:
+    external: true
+    name: ${STACK_NAME}_wordpress_id_${SECRET_WORDPRESS_ID_VERSION}
+  wordpress_secret:
+    external: true
+    name: ${STACK_NAME}_wordpress_secret_${SECRET_WORDPRESS_SECRET_VERSION}
+
+
+configs:
+  wordpress:
+    name: ${STACK_NAME}_wordpress_${WORDPRESS_CONFIG_VERSION}
+    file: wordpress.yaml.tmpl
+    template_driver: golang

compose.yml

@@ -1,39 +1,50 @@
 ---
 
 x-env: &env
-    - AUTHENTIK_POSTGRESQL__PASSWORD
-    - AUTHENTIK_POSTGRESQL__USER
-    - AUTHENTIK_POSTGRESQL__NAME
-    - AUTHENTIK_POSTGRESQL__HOST
-    - AUTHENTIK_REDIS__HOST
+    - AUTHENTIK_POSTGRESQL__PASSWORD=file:///run/secrets/db_password
+    - AUTHENTIK_POSTGRESQL__USER=authentik
+    - AUTHENTIK_POSTGRESQL__NAME=authentik
+    - AUTHENTIK_POSTGRESQL__HOST=db
+    - AUTHENTIK_REDIS__HOST=redis
     - AUTHENTIK_ERROR_REPORTING__ENABLED
-    - AUTHENTIK_SECRET_KEY= #file:///run/secrets/secret_key
-    - AK_ADMIN_TOKEN= #file:///run/secrets/admin_token
-    - AK_ADMIN_PASS= #file:///run/secrets/admin_pass
+    - AUTHENTIK_SECRET_KEY=file:///run/secrets/secret_key
     - AUTHENTIK_EMAIL__HOST
     - AUTHENTIK_EMAIL__PORT
     - AUTHENTIK_EMAIL__USERNAME
-    - AUTHENTIK_EMAIL__PASSWORD
+    - AUTHENTIK_EMAIL__PASSWORD=file:///run/secrets/email_pass
     - AUTHENTIK_EMAIL__USE_TLS
     - AUTHENTIK_EMAIL__USE_SSL
     - AUTHENTIK_EMAIL__TIMEOUT
     - AUTHENTIK_EMAIL__FROM
     - AUTHENTIK_LOG_LEVEL
-
+    - AUTHENTIK_SETTINGS__THEME__BACKGROUND
+    - AUTHENTIK_COLOR_BACKGROUND_LIGHT
+    - AUTHENTIK_FOOTER_LINKS
+    - AUTHENTIK_IMPERSONATION
+    - WELCOME_MESSAGE
+    - DEFAULT_LANGUAGE
+    - EMAIL_SUBJECT
+    - EMAIL_TOKEN_EXPIRY_MINUTES
+    - DOMAIN
+    - LOGOUT_REDIRECT
 
 version: '3.8'
 services:
   app:
-    image: ghcr.io/goauthentik/server:2022.6.2
+    image: ghcr.io/goauthentik/server:2023.3.1
     command: server
-    # secrets:
-    #   - db_password
-    #   - admin_pass
-    #   - admin_token
-    #   - secret_key
+    secrets:
+      - db_password
+      - admin_pass
+      - admin_token
+      - secret_key
+      - email_pass
     volumes:
       - media:/media
-      - custom-templates:/templates
+      - assets:/web/dist/assets
+    configs:
+      - source: custom_css
+        target: /web/dist/custom.css
     networks:
       - internal
       - proxy
@@ -55,16 +66,22 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=0.1.0+2022.6.2"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
+        - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
+        - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
+        - "coop-cloud.${STACK_NAME}.version=3.1.0+2023.3.1"
 
   worker:
-    image: ghcr.io/goauthentik/server:2022.6.2
+    image: ghcr.io/goauthentik/server:2023.3.1
     command: worker
-    # secrets:
-      # - db_password
-      # - admin_pass
-      # - admin_token
-      # - secret_key
+    secrets:
+      - db_password
+      - admin_pass
+      - admin_token
+      - secret_key
+      - email_pass
     networks:
       - internal
       - proxy
@@ -73,13 +90,26 @@ services:
       - backups:/backups
       - media:/media
       - /var/run/docker.sock:/var/run/docker.sock
-      - custom-templates:/templates
+      - /dev/null:/blueprints/default/flow-oobe.yaml
+    configs:
+      - source: flow_recovery
+        target: /blueprints/1_flow_recovery.yaml
+      - source: flow_authentication
+        target: /blueprints/2_flow_authentication.yaml
+      - source: flow_translation
+        target: /blueprints/3_flow_translation.yaml
+      - source: flow_invitation
+        target: /blueprints/4_flow_invitation.yaml
+      - source: system_tenant
+        target: /blueprints/5_system_tenant.yaml
+      - source: flow_invalidation
+        target: /blueprints/6_flow_invalidation.yaml
     environment: *env
 
   db:
-    image: postgres:12.8-alpine
-    # secrets:
-      # - db_password
+    image: postgres:12.14-alpine
+    secrets:
+      - db_password
     volumes:
       - database:/var/lib/postgresql/data
     networks:
@@ -91,18 +121,18 @@ services:
       retries: 10
       start_period: 1m
     environment:
-      - POSTGRES_PASSWORD
-      - POSTGRES_USER
-      - POSTGRES_DB
+      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
+      - POSTGRES_USER=authentik
+      - POSTGRES_DB=authentik
     deploy:
       labels:
           backupbot.backup: "true"
-          backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=${POSTGRES_PASSWORD} pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > /tmp/backup/backup.sql"
+          backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$$(cat /run/secrets/db_password) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /tmp/backup/backup.sql"
           backupbot.backup.post-hook: "rm -rf /tmp/backup"
           backupbot.backup.path: "/tmp/backup/"
 
   redis:
-    image:  redis:7.0.0-alpine
+    image:  redis:7.0.10-alpine
     networks:
       - internal
     healthcheck:
@@ -112,19 +142,22 @@ services:
       retries: 10
       start_period: 1m
 
-# secrets:
-  # db_password:
-  #   external: true
-  #   name: ${STACK_NAME}_db_password
-  # secret_key:
-  #   external: true
-  #   name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
-  # admin_token:
-  #   external: true
-  #   name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
-  # admin_pass:
-  #   external: true
-  #   name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION}
+secrets:
+  db_password:
+    external: true
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+  secret_key:
+    external: true
+    name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
+  admin_token:
+    external: true
+    name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
+  admin_pass:
+    external: true
+    name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION}
+  email_pass:
+    external: true
+    name: ${STACK_NAME}_email_pass_${SECRET_EMAIL_PASS_VERSION}
 
 networks:
   proxy:
@@ -134,5 +167,35 @@ networks:
 volumes:
   backups:
   media:
-  custom-templates:
+  assets:
   database:
+
+configs:
+  custom_css:
+    name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
+    file: custom.css.tmpl
+    template_driver: golang
+  flow_authentication:
+    name: ${STACK_NAME}_flow_authentication_${FLOW_AUTHENTICATION_VERSION}
+    file: flow_authentication.yaml.tmpl
+    template_driver: golang
+  flow_invitation:
+    name: ${STACK_NAME}_flow_invitation_${FLOW_INVITATION_VERSION}
+    file: flow_invitation.yaml.tmpl
+    template_driver: golang
+  flow_invalidation:
+    name: ${STACK_NAME}_flow_invalidation_${FLOW_INVALIDATION_VERSION}
+    file: flow_invalidation.yaml.tmpl
+    template_driver: golang
+  flow_recovery:
+    name: ${STACK_NAME}_flow_recovery_${FLOW_RECOVERY_VERSION}
+    file: flow_recovery.yaml.tmpl
+    template_driver: golang
+  flow_translation:
+    name: ${STACK_NAME}_flow_translation_${FLOW_TRANSLATION_VERSION}
+    file: flow_translation.yaml.tmpl
+    template_driver: golang
+  system_tenant:
+    name: ${STACK_NAME}_system_tenant_${SYSTEM_TENANT_VERSION}
+    file: system_tenant.yaml.tmpl
+    template_driver: golang

custom.css.tmpl

@@ -0,0 +1,24 @@
+/* my custom css */
+
+
+:root {
+    --ak-accent: #fd4b2d;
+
+    --ak-dark-foreground: #fafafa;
+    --ak-dark-foreground-darker: #bebebe;
+    --ak-dark-foreground-link: #5a5cb9;
+    --ak-dark-background: #18191a;
+    --ak-dark-background-darker: #000000;
+
+
+    --ak-dark-background-light: {{ env "AUTHENTIK_COLOR_BACKGROUND_LIGHT" }};
+    --ak-dark-background-light-ish: #212427;
+    --ak-dark-background-lighter: #2b2e33;
+
+    --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
+    --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
+    --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
+    --pf-c-background-image--BackgroundImage--sm-2x: var(--ak-flow-background);
+    --pf-c-background-image--BackgroundImage--lg: var(--ak-flow-background);
+}
+

custom_flows.yaml.tmpl

@@ -0,0 +1,405 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Custom - Flows
+context:
+  welcome_message: {{ if eq (env "WELCOME_MESSAGE") "" }} "Welcome to authentik!" {{ else }} {{ env "WELCOME_MESSAGE" }} {{ end }}
+####### Translations ########
+  transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort Zurücksetzen" {{ else }} "Reset your password" {{ end }}
+  transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort" {{ else }} "Password" {{ end }}
+  transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort (wiederholen)" {{ else }} "Password (repeat)" {{ end }}
+  transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Benutzername" {{ else }} "Username" {{ end }}
+  transl_name: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Vor- und Nachname" {{ else }} "Full name" {{ end }}
+
+entries:
+######## Email Recovery Flow ########
+- identifiers:
+    slug: default-recovery-flow
+  id: recovery_flow
+  model: authentik_flows.flow
+  attrs:
+    name: Default recovery flow
+    title: !Context transl_recovery
+    designation: recovery
+
+### PROMPTS
+- identifiers:
+    field_key: password
+  id: prompt-field-password
+  model: authentik_stages_prompt.prompt
+  attrs:
+    label: !Context transl_password
+    type: password
+    required: true
+    placeholder: !Context transl_password
+    order: 30
+    placeholder_expression: false
+- identifiers:
+    field_key: password_repeat
+  id: prompt-field-password-repeat
+  model: authentik_stages_prompt.prompt
+  attrs:
+    label: !Context transl_password_repeat
+    type: password
+    required: true
+    placeholder: !Context transl_password_repeat
+    order: 31
+    placeholder_expression: false
+
+
+### STAGES
+- identifiers:
+    name: default-recovery-email
+  id: default-recovery-email
+  model: authentik_stages_email.emailstage
+  attrs:
+    use_global_settings: true
+    token_expiry: {{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }} 30 {{ else }} {{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }} {{ end }}
+    subject: {{ if eq (env "EMAIL_SUBJECT") "" }} "Account Recovery" {{ else }} "{{ env "EMAIL_SUBJECT" }}" {{ end }} 
+    template: email/password_reset.html
+    activate_user_on_success: true
+- identifiers:
+    name: default-recovery-user-write
+  id: default-recovery-user-write
+  model: authentik_stages_user_write.userwritestage
+- identifiers:
+    name: default-recovery-identification
+  id: default-recovery-identification
+  model: authentik_stages_identification.identificationstage
+  attrs:
+    user_fields:
+      - email
+      - username
+- identifiers:
+    name: default-recovery-user-login
+  id: default-recovery-user-login
+  model: authentik_stages_user_login.userloginstage
+  attrs:
+    session_duration: seconds=0
+- identifiers:
+    name: Change your password
+  id: stage-prompt-password
+  model: authentik_stages_prompt.promptstage
+  attrs:
+    fields:
+      - !KeyOf prompt-field-password
+      - !KeyOf prompt-field-password-repeat
+    validation_policies: []
+
+### STAGE BINDINGS
+- identifiers:
+    target: !KeyOf recovery_flow
+    stage: !KeyOf default-recovery-identification
+    order: 10
+  model: authentik_flows.flowstagebinding
+  id: flow-binding-identification
+  attrs:
+    evaluate_on_plan: true
+    re_evaluate_policies: true
+    policy_engine_mode: any
+    invalid_response_action: retry
+- identifiers:
+    target: !KeyOf recovery_flow
+    stage: !KeyOf default-recovery-email
+    order: 20
+  model: authentik_flows.flowstagebinding
+  id: flow-binding-email
+  attrs:
+    evaluate_on_plan: true
+    re_evaluate_policies: true
+    policy_engine_mode: any
+    invalid_response_action: retry
+- identifiers:
+    target: !KeyOf recovery_flow
+    stage: !KeyOf stage-prompt-password
+    order: 30
+  model: authentik_flows.flowstagebinding
+  attrs:
+    evaluate_on_plan: true
+    re_evaluate_policies: false
+    policy_engine_mode: any
+    invalid_response_action: retry
+- identifiers:
+    target: !KeyOf recovery_flow
+    stage: !KeyOf default-recovery-user-write
+    order: 40
+  model: authentik_flows.flowstagebinding
+  attrs:
+    evaluate_on_plan: true
+    re_evaluate_policies: false
+    policy_engine_mode: any
+    invalid_response_action: retry
+- identifiers:
+    target: !KeyOf recovery_flow
+    stage: !KeyOf default-recovery-user-login
+    order: 100
+  model: authentik_flows.flowstagebinding
+  attrs:
+    evaluate_on_plan: true
+    re_evaluate_policies: false
+    policy_engine_mode: any
+    invalid_response_action: retry
+
+### POLICIES
+## ISSUES with this policy
+## https://github.com/goauthentik/authentik/blob/493cdd5c0f8caaec7a7dd474f1aa131e32fd39c3/blueprints/example/flows-recovery-email-verification.yaml#L37
+## https://github.com/goauthentik/authentik/commit/317e9ec6053742e17ba74fb6aa38dc15aaf6657f#diff-a5c56bb7c60e27dda1b131b3fc2a17e3af6624e7cfaaa2337ec6b077ca489f34
+# - identifiers:
+#     name: default-recovery-skip-if-restored
+#   id: default-recovery-skip-if-restored
+#   model: authentik_policies_expression.expressionpolicy
+#   attrs:
+#     expression: |
+#       return request.context.get('is_restored', False)
+
+### POLICY BINDINGS
+# - identifiers:
+#     policy: !KeyOf default-recovery-skip-if-restored
+#     target: !KeyOf flow-binding-identification
+#     order: 0
+#   model: authentik_policies.policybinding
+#   attrs:
+#     negate: false
+#     enabled: true
+#     timeout: 30
+# - identifiers:
+#     policy: !KeyOf default-recovery-skip-if-restored
+#     target: !KeyOf flow-binding-email
+#     order: 0
+#   model: authentik_policies.policybinding
+#   attrs:
+#     negate: false
+#     enabled: true
+#     timeout: 30
+
+
+
+######## Authentication Flow ########
+- attrs:
+    designation: authentication
+    name: custom-authentication-flow
+    title: !Context welcome_message
+  identifiers:
+    slug: custom-authentication-flow
+  id: authentication_flow
+  model: authentik_flows.flow
+
+### STAGES
+- attrs:
+    backends:
+    - authentik.core.auth.InbuiltBackend
+    - authentik.sources.ldap.auth.LDAPBackend
+    - authentik.core.auth.TokenBackend
+    configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]
+  identifiers:
+    name: custom-authentication-password
+  id: custom-authentication-password
+  model: authentik_stages_password.passwordstage
+
+- identifiers:
+    name: custom-authentication-mfa-validation
+  id: custom-authentication-mfa-validation
+  model: authentik_stages_authenticator_validate.authenticatorvalidatestage
+
+- attrs:
+    password_stage: !KeyOf custom-authentication-password
+    recovery_flow: !KeyOf recovery_flow  # !Find [authentik_flows.flow, [slug, default-recovery-flow]]
+    user_fields:
+    - email
+    - username
+  identifiers:
+    name: custom-authentication-identification
+  id: custom-authentication-identification
+  model: authentik_stages_identification.identificationstage
+
+- attrs:
+    session_duration: seconds=0
+  identifiers:
+    name: custom-authentication-login
+  id: custom-authentication-login
+  model: authentik_stages_user_login.userloginstage
+
+### STAGE BINDINGS
+- identifiers:
+    order: 10
+    stage: !KeyOf custom-authentication-identification
+    target: !KeyOf authentication_flow
+  model: authentik_flows.flowstagebinding
+- identifiers:
+    order: 30
+    stage: !KeyOf custom-authentication-mfa-validation
+    target: !KeyOf authentication_flow
+  model: authentik_flows.flowstagebinding
+- identifiers:
+    order: 100
+    stage: !KeyOf custom-authentication-login
+    target: !KeyOf authentication_flow
+  model: authentik_flows.flowstagebinding
+
+######## Invitation Enrollment Flow ########
+- attrs:
+    designation: enrollment
+    name: invitation-enrollment-flow
+    title: !Context welcome_message
+  identifiers:
+    slug: invitation-enrollment-flow
+  id: invitation-enrollment-flow
+  model: authentik_flows.flow
+
+### PROMPTS
+- identifiers:
+    field_key: username
+  id: prompt-field-username
+  model: authentik_stages_prompt.prompt
+  attrs:
+    label: !Context transl_username
+    type: username
+    required: true
+    placeholder: !Context transl_username
+    order: 0
+    placeholder_expression: false
+- identifiers:
+    field_key: name
+  id: prompt-field-name
+  model: authentik_stages_prompt.prompt
+  attrs:
+    label: !Context transl_name
+    type: text
+    required: true
+    placeholder: !Context transl_name
+    order: 1
+    placeholder_expression: false
+- identifiers:
+    field_key: email
+    label: Email
+  id: prompt-field-email
+  model: authentik_stages_prompt.prompt
+  attrs:
+    type: email
+    required: true
+    placeholder: muster@example.com
+    order: 2
+    placeholder_expression: false
+
+### STAGES
+
+- id: invitation-stage
+  identifiers:
+    name: invitation-stage
+  model: authentik_stages_invitation.invitationstage
+
+- attrs:
+    fields:
+      - !KeyOf prompt-field-username
+      - !KeyOf prompt-field-name
+      - !KeyOf prompt-field-email
+      - !KeyOf prompt-field-password
+      - !KeyOf prompt-field-password-repeat
+  id: enrollment-prompt-userdata
+  identifiers:
+    name: enrollment-prompt-userdata
+  model: authentik_stages_prompt.promptstage
+
+- id: enrollment-user-write
+  identifiers:
+    name: enrollment-user-write
+  model: authentik_stages_user_write.userwritestage
+
+- attrs:
+    session_duration: seconds=0
+  id: enrollment-user-login
+  identifiers:
+    name: enrollment-user-login
+  model: authentik_stages_user_login.userloginstage
+
+### STAGE BINDINGS
+- identifiers:
+    order: 1
+    stage: !KeyOf invitation-stage
+    target: !KeyOf invitation-enrollment-flow
+  model: authentik_flows.flowstagebinding
+- identifiers:
+    order: 10
+    stage: !KeyOf enrollment-prompt-userdata
+    target: !KeyOf invitation-enrollment-flow
+  model: authentik_flows.flowstagebinding
+- identifiers:
+    order: 20
+    stage: !KeyOf enrollment-user-write
+    target: !KeyOf invitation-enrollment-flow
+  model: authentik_flows.flowstagebinding
+- identifiers:
+    order: 100
+    stage: !KeyOf enrollment-user-login
+    target: !KeyOf invitation-enrollment-flow
+  model: authentik_flows.flowstagebinding
+
+######## Invalidation Flow ########
+- identifiers:
+    slug: logout-flow
+  id: logout-flow
+  model: authentik_flows.flow
+  attrs:
+    name: Logout
+    title: Logout Flow
+    designation: invalidation
+
+### STAGES
+
+- id: logout-stage
+  identifiers:
+    name: logout-stage
+  model: authentik_stages_user_logout.userlogoutstage
+
+### STAGE BINDINGS
+
+- identifiers:
+    order: 0
+    stage: !KeyOf logout-stage
+    target: !KeyOf logout-flow
+  model: authentik_flows.flowstagebinding
+  attrs:
+    re_evaluate_policies: true
+  id: logout-stage-binding
+
+### POLICIES
+- attrs:
+    execution_logging: true
+    expression: 'context[''flow_plan''].context[''redirect''] = ''{{ env "LOGOUT_REDIRECT" }}''
+
+    return True'
+  identifiers:
+    name: redirect-policy
+  id: redirect-policy
+  model: authentik_policies_expression.expressionpolicy
+
+### POLICY BINDINGS
+- identifiers:
+    policy: !KeyOf redirect-policy
+    target: !KeyOf logout-stage-binding
+    order: 0
+  model: authentik_policies.policybinding
+  attrs:
+    enabled: {{ if eq (env "LOGOUT_REDIRECT") "" }} false {{ else }} true {{ end }}
+    timeout: 30
+
+######## System Tenant ##########
+- attrs:
+    attributes:
+      settings:
+        locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }}
+    # branding_favicon: /static/dist/assets/icons/icon.png
+    # branding_logo: /static/dist/assets/icons/icon_left_brand.svg
+    # branding_title: Authentik
+    # default: true
+    domain: {{ env "DOMAIN" }}
+    # event_retention: days=365
+    flow_authentication: !KeyOf authentication_flow
+    flow_recovery: !KeyOf recovery_flow
+    flow_invalidation: !KeyOf logout-flow
+    flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
+  identifiers:
+    pk: 047cce25-aae2-4b02-9f96-078e155f803d
+  id: system_tenant
+  model: authentik_tenants.tenant

flow_authentication.yaml.tmpl

@@ -0,0 +1,45 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Custom Authentication Flow
+context:
+  welcome_message: {{ if eq (env "WELCOME_MESSAGE") "" }} "Welcome to authentik!" {{ else }} {{ env "WELCOME_MESSAGE" }} {{ end }}
+
+entries:
+### DEPENDENCIES
+- model: authentik_blueprints.metaapplyblueprint
+  attrs:
+    identifiers:
+      name: Recovery with email verification
+    required: true
+
+### FLOW
+- model: authentik_flows.flow
+  identifiers:
+    slug: default-authentication-flow
+  id: flow
+  attrs:
+    name: !Context welcome_message
+    title: !Context welcome_message
+
+### STAGES
+- identifiers:
+    name: default-authentication-identification
+  model: authentik_stages_identification.identificationstage
+  attrs:
+    password_stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]]
+    recovery_flow: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
+
+- identifiers:
+    name: default-authentication-login
+  model: authentik_stages_user_login.userloginstage
+  attrs:
+    session_duration: seconds=0
+
+- identifiers:
+    order: 20
+    stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]]
+    target: !KeyOf flow
+  model: authentik_flows.flowstagebinding
+  state: absent

flow_invalidation.yaml.tmpl

@@ -0,0 +1,44 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Custom Invalidation Flow
+entries:
+### DEPENDENCIES
+- model: authentik_blueprints.metaapplyblueprint
+  attrs:
+    identifiers:
+      name: Default - Invalidation flow
+    required: true
+
+### STAGE BINDINGS
+
+- identifiers:
+    order: 0
+    stage: !Find [authentik_stages_user_logout.userlogoutstage, [name, default-invalidation-logout]]
+    target: !Find [authentik_flows.flow, [slug, default-invalidation-flow]]
+  model: authentik_flows.flowstagebinding
+  attrs:
+    re_evaluate_policies: true
+  id: logout-stage-binding
+
+### POLICIES
+- attrs:
+    execution_logging: true
+    expression: 'context[''flow_plan''].context[''redirect''] = ''{{ env "LOGOUT_REDIRECT" }}''
+
+    return True'
+  identifiers:
+    name: redirect-policy
+  id: redirect-policy
+  model: authentik_policies_expression.expressionpolicy
+
+### POLICY BINDINGS
+- identifiers:
+    policy: !KeyOf redirect-policy
+    target: !KeyOf logout-stage-binding
+    order: 0
+  model: authentik_policies.policybinding
+  attrs:
+    enabled: {{ if eq (env "LOGOUT_REDIRECT") "" }} false {{ else }} true {{ end }}
+    timeout: 30

flow_invitation.yaml.tmpl

@@ -0,0 +1,65 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Invitation Enrollment Flow
+context:
+  welcome_message: {{ if eq (env "WELCOME_MESSAGE") "" }} "Welcome to authentik!" {{ else }} {{ env "WELCOME_MESSAGE" }} {{ end }}
+
+entries:
+### DEPENDENCIES
+- model: authentik_blueprints.metaapplyblueprint
+  attrs:
+    identifiers:
+      name: Flow Translations
+    required: true
+
+### FLOW
+- attrs:
+    designation: enrollment
+    name: invitation-enrollment-flow
+    title: !Context welcome_message
+  identifiers:
+    slug: invitation-enrollment-flow
+  id: invitation-enrollment-flow
+  model: authentik_flows.flow
+
+### STAGES
+- identifiers:
+    name: invitation-stage
+  id: invitation-stage
+  model: authentik_stages_invitation.invitationstage
+
+- identifiers:
+    name: enrollment-prompt-userdata
+  id: enrollment-prompt-userdata
+  model: authentik_stages_prompt.promptstage
+  attrs:
+    fields:
+      - !Find [authentik_stages_prompt.prompt, [name, default-source-enrollment-field-username]]
+      - !Find [authentik_stages_prompt.prompt, [name, default-user-settings-field-name]]
+      - !Find [authentik_stages_prompt.prompt, [name, default-user-settings-field-email]]
+      - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password]]
+      - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password-repeat]]
+
+### STAGE BINDINGS
+- identifiers:
+    order: 1
+    stage: !KeyOf invitation-stage
+    target: !KeyOf invitation-enrollment-flow
+  model: authentik_flows.flowstagebinding
+- identifiers:
+    order: 10
+    stage: !KeyOf enrollment-prompt-userdata
+    target: !KeyOf invitation-enrollment-flow
+  model: authentik_flows.flowstagebinding
+- identifiers:
+    order: 20
+    stage: !Find [authentik_stages_user_write.userwritestage, [name,  default-source-enrollment-write]]
+    target: !KeyOf invitation-enrollment-flow
+  model: authentik_flows.flowstagebinding
+- identifiers:
+    order: 100
+    stage: !Find [authentik_stages_user_login.userloginstage, [name,  default-authentication-login]]
+    target: !KeyOf invitation-enrollment-flow
+  model: authentik_flows.flowstagebinding

flow_recovery.yaml.tmpl

@@ -0,0 +1,128 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Recovery with email verification
+context:
+  token_expiry: {{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }} 30 {{ else }} {{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }} {{ end }}
+  subject: {{ if eq (env "EMAIL_SUBJECT") "" }} Account Recovery {{ else }} {{ env "EMAIL_SUBJECT" }} {{ end }} 
+entries:
+### DEPENDENCIES
+- model: authentik_blueprints.metaapplyblueprint
+  attrs:
+    identifiers:
+      name: Default - Authentication flow
+    required: true
+
+### FLOW
+- identifiers:
+    slug: default-recovery-flow
+  model: authentik_flows.flow
+  state: created
+  attrs:
+    name: Default recovery flow
+    title: Reset your password
+    designation: recovery
+    authentication: require_unauthenticated
+
+### STAGES
+- identifiers:
+    name: default-recovery-email
+  id: default-recovery-email
+  model: authentik_stages_email.emailstage
+  attrs:
+    use_global_settings: true
+    token_expiry: !Context token_expiry
+    subject: !Context subject
+    template: email/password_reset.html
+    activate_user_on_success: true
+- identifiers:
+    name: default-recovery-identification
+  id: default-recovery-identification
+  model: authentik_stages_identification.identificationstage
+  attrs:
+    user_fields:
+      - email
+      - username
+
+### STAGE BINDINGS
+- identifiers:
+    target: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
+    stage: !KeyOf default-recovery-identification
+    order: 10
+  model: authentik_flows.flowstagebinding
+  id: flow-binding-identification
+  attrs:
+    evaluate_on_plan: true
+    re_evaluate_policies: true
+    policy_engine_mode: any
+    invalid_response_action: retry
+- identifiers:
+    target: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
+    stage: !KeyOf default-recovery-email
+    order: 20
+  model: authentik_flows.flowstagebinding
+  id: flow-binding-email
+  attrs:
+    evaluate_on_plan: true
+    re_evaluate_policies: true
+    policy_engine_mode: any
+    invalid_response_action: retry
+- identifiers:
+    target: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
+    stage: !Find [authentik_stages_prompt.promptstage, [name,  default-password-change-prompt]]
+    order: 30
+  model: authentik_flows.flowstagebinding
+  attrs:
+    evaluate_on_plan: true
+    re_evaluate_policies: false
+    policy_engine_mode: any
+    invalid_response_action: retry
+- identifiers:
+    target: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
+    stage: !Find [authentik_stages_user_write.userwritestage, [name,  default-password-change-write]]
+    order: 40
+  model: authentik_flows.flowstagebinding
+  attrs:
+    evaluate_on_plan: true
+    re_evaluate_policies: false
+    policy_engine_mode: any
+    invalid_response_action: retry
+- identifiers:
+    target: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
+    stage: !Find [authentik_stages_user_login.userloginstage, [name,  default-authentication-login]]
+    order: 100
+  model: authentik_flows.flowstagebinding
+  attrs:
+    evaluate_on_plan: true
+    re_evaluate_policies: false
+    policy_engine_mode: any
+    invalid_response_action: retry
+
+### POLICIES
+- identifiers:
+    name: default-recovery-skip-if-restored
+  id: default-recovery-skip-if-restored
+  model: authentik_policies_expression.expressionpolicy
+  attrs:
+    expression: |
+      return request.context.get('is_restored', False)
+- identifiers:
+    policy: !KeyOf default-recovery-skip-if-restored
+    target: !KeyOf flow-binding-identification
+    order: 0
+  model: authentik_policies.policybinding
+  attrs:
+    negate: false
+    enabled: false # TODO: why does this doesn't work?
+    timeout: 30
+- identifiers:
+    policy: !KeyOf default-recovery-skip-if-restored
+    target: !KeyOf flow-binding-email
+    order: 0
+  state: absent
+  model: authentik_policies.policybinding
+  attrs:
+    negate: false
+    enabled: true
+    timeout: 30

flow_translation.yaml.tmpl

@@ -0,0 +1,71 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Flow Translations
+context:
+  transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort Zurücksetzen" {{ else }} "Reset your password" {{ end }}
+  transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort" {{ else }} "Password" {{ end }}
+  transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort (wiederholen)" {{ else }} "Password (repeat)" {{ end }}
+  transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Benutzername" {{ else }} "Username" {{ end }}
+  transl_name: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Vor- und Nachname" {{ else }} "Full name" {{ end }}
+
+entries:
+### DEPENDENCIES
+- model: authentik_blueprints.metaapplyblueprint
+  attrs:
+    identifiers:
+      name: Custom Authentication Flow
+    required: true
+- model: authentik_blueprints.metaapplyblueprint
+  attrs:
+    identifiers:
+      name: Default - User settings flow
+    required: true
+- model: authentik_blueprints.metaapplyblueprint
+  attrs:
+    identifiers:
+      name: Default - Source enrollment flow
+    required: true
+
+### FLOWS
+- model: authentik_flows.flow 
+  identifiers:
+    slug: default-recovery-flow
+  id: recovery_flow
+  model: authentik_flows.flow
+  attrs:
+    name: Default recovery flow
+    title: !Context transl_recovery
+    designation: recovery
+
+
+### PROMPTS
+- model: authentik_stages_prompt.prompt
+  identifiers:
+    name: default-password-change-field-password
+  attrs:
+    label: !Context transl_password
+    placeholder: !Context transl_password
+- model: authentik_stages_prompt.prompt
+  identifiers:
+    name: default-password-change-field-password-repeat
+  attrs:
+    label: !Context transl_password_repeat
+    placeholder: !Context transl_password_repeat
+- model: authentik_stages_prompt.prompt
+  identifiers:
+    name: default-user-settings-field-username
+  attrs:
+    label: !Context transl_username
+- model: authentik_stages_prompt.prompt
+  identifiers:
+    name: default-user-settings-field-name
+  attrs:
+    label: !Context transl_name
+- model: authentik_stages_prompt.prompt
+  identifiers:
+    name: default-source-enrollment-field-username
+  attrs:
+    label: !Context transl_username
+    placeholder: !Context transl_username

nextcloud.yaml.tmpl

@@ -0,0 +1,56 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Nextcloud
+
+entries:
+- attrs:
+    description: nextcloud
+    expression: 'return { "nextcloud_groups": [{"gid": group.name, "displayName":
+      group.name} for group in request.user.ak_groups.all()], }'
+    managed: null
+    scope_name: nextcloud
+  conditions: []
+  id: nextcloud_group_mapping
+  identifiers:
+    name: nextcloud
+  model: authentik_providers_oauth2.scopemapping
+  state: present
+
+- attrs:
+    access_code_validity: minutes=1
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    client_id: {{ secret  "nextcloud_id" }}
+    client_secret: {{ secret  "nextcloud_secret" }}
+    client_type: confidential
+    include_claims_in_id_token: true
+    issuer_mode: per_provider
+    name: Nextcloud
+    property_mappings:
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    - !KeyOf nextcloud_group_mapping
+    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sub_mode: user_username
+    token_validity: days=30
+  conditions: []
+  id: nextcloud_provider
+  identifiers:
+    pk: 9999
+  model: authentik_providers_oauth2.oauth2provider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "NEXTCLOUD_DOMAIN" }}
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf nextcloud_provider
+    slug: nextcloud
+  conditions: []
+  id: nextcloud_application
+  identifiers:
+    name: Nextcloud
+  model: authentik_core.application
+  state: present

release/1.0.0+2022.10.1

@@ -0,0 +1,15 @@
+This upgrade replaces the passwords stored in env variables by docker secrets.
+You need to insert the following passwords as secret:
+
+`POSTGRES_PASSWORD` / `AUTHENTIK_POSTGRESQL__PASSWORD`:
+    `abra app secret insert <app_name> db_password v1 <password>`
+`AUTHENTIK_SECRET_KEY`:
+    `abra app secret insert <app_name> secret_key v1 <password>`
+`AK_ADMIN_TOKEN`:
+    `abra app secret insert <app_name> admin_token v1 <password>`
+`AK_ADMIN_PASS`:
+    `abra app secret insert <app_name> admin_pass v1 <password>`
+`AUTHENTIK_EMAIL__PASSWORD`:
+    `abra app secret insert <app_name> email_pass v1 <password>`
+
+These variables should be removed from the .env file.

release/2.0.0+2023.2.3

@@ -0,0 +1,2 @@
+Logout URL changes from `https://login.example.org/if/flow/default-invalidation-flow/` to `https://login.example.org/if/flow/logout-flow/`
+Replace it in any app that uses this logout url.

release/3.0.0+2023.2.3

@@ -0,0 +1,16 @@
+Run `abra app cmd <app_name> worker blueprint_cleanup` to apply the new blueprint configuration and delete the old configuration.
+
+If the nextcloud provider should be managed by abra add the following to the env:
+
+    COMPOSE_FILE="compose.yml:compose.nextcloud.yml"
+    NEXTCLOUD_DOMAIN=nextcloud.example.com
+    SECRET_NEXTCLOUD_ID_VERSION=v1
+    SECRET_NEXTCLOUD_SECRET_VERSION=v1
+
+and generate the secrets:
+
+    abra app secret generate -a <app_name>
+
+Eventuelly you need to manually remove the old nextcloud provider and application
+
+Don't forget to update the nextcloud config for authentik as well.

release/3.1.0+2023.3.1

@@ -0,0 +1,3 @@
+Env recommendation: AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME=false
+This prevents users from changing their username.
+Changing the username can be a security risk and it can break things.

system_tenant.yaml.tmpl

@@ -0,0 +1,35 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Custom System Tenant
+entries:
+### DEPENDENCIES
+- model: authentik_blueprints.metaapplyblueprint
+  attrs:
+    identifiers:
+      name: Default - Tenant
+    required: true
+- model: authentik_blueprints.metaapplyblueprint
+  attrs:
+    identifiers:
+      name: Invitation Enrollment Flow
+    required: true
+
+
+### SYSTEM TENANT
+# remove custom tenant from old recipe
+- identifiers:
+    domain: {{ env "DOMAIN" }}
+  model: authentik_tenants.tenant
+  state: absent
+
+- attrs:
+    attributes:
+      settings:
+        locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }}
+    flow_recovery: !Find [authentik_flows.flow, [slug,  default-recovery-flow]]
+  identifiers:
+    default: true
+    domain: authentik-default
+  model: authentik_tenants.tenant

wordpress.yaml.tmpl

@@ -0,0 +1,43 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Wordpress
+
+entries:
+
+- attrs:
+    access_code_validity: minutes=1
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    client_id: {{ secret  "wordpress_id" }}
+    client_secret: {{ secret  "wordpress_secret" }}
+    client_type: confidential
+    include_claims_in_id_token: true
+    issuer_mode: per_provider
+    name: Wordpress
+    property_mappings:
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sub_mode: user_username
+    token_validity: days=30
+  conditions: []
+  id: wordpress_provider
+  identifiers:
+    pk: 9998
+  model: authentik_providers_oauth2.oauth2provider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "WORDPRESS_DOMAIN" }}/wp-login.php
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf wordpress_provider
+    slug: wordpress
+  conditions: []
+  id: wordpress_application
+  identifiers:
+    name: Wordpress
+  model: authentik_core.application
+  state: present