chore: publish 2.0.0+2023.2.3 release

chore: publish 1.4.2+2023.2.3 release
chore: publish 1.4.1+2023.2.3 release
2023-03-07 16:48:41 +01:00 · 2023-03-06 17:05:12 +01:00 · 2023-03-06 16:55:31 +01:00 · 2023-03-01 13:29:58 +01:00 · 2023-01-27 14:20:47 +01:00 · 2023-01-27 14:19:06 +01:00
9 changed files with 676 additions and 54 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -0,0 +1,45 @@
 ---
 kind: pipeline
 name: deploy to swarm-test.autonomic.zone
 steps:
  - name: deployment
    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
    settings:
      host: swarm-test.autonomic.zone
      stack: authentik
      generate_secrets: true
      purge: true
      deploy_key:
        from_secret: drone_ssh_swarm_test
      networks:
        - proxy
    environment:
      DOMAIN: authentik.swarm-test.autonomic.zone
      STACK_NAME: authentik
      LETS_ENCRYPT_ENV: production
      CUSTOM_CSS_VERSION: v1
      CUSTOM_FLOWS_VERSION: v1
      SECRET_SECRET_KEY_VERSION: v1
      SECRET_DB_PASSWORD_VERSION: v1
      SECRET_ADMIN_TOKEN_VERSION: v1
      SECRET_ADMIN_PASS_VERSION: v1
      SECRET_EMAIL_PASS_VERSION: v1
 trigger:
  branch:
    - main
 ---
 kind: pipeline
 name: generate recipe catalogue
 steps:
  - name: release a new version
    image: plugins/downstream
    settings:
      server: https://build.coopcloud.tech
      token:
        from_secret: drone_abra-bot_token
      fork: true
      repositories:
        - coop-cloud/auto-recipes-catalogue-json
 trigger:
  event: tag
--- a/.env.sample
+++ b/.env.sample
@ -1,26 +1,18 @@
 TYPE=authentik
 LETS_ENCRYPT_ENV=production
-DOMAIN=sso.example.com
+DOMAIN=authentik.example.com
 POSTGRES_PASSWORD=secret
 AUTHENTIK_POSTGRESQL__PASSWORD=secret
 POSTGRES_USER=authentik
 AUTHENTIK_POSTGRESQL__USER=authentik
 POSTGRES_DB=authentik
 AUTHENTIK_POSTGRESQL__NAME=authentik
 AUTHENTIK_POSTGRESQL__HOST=db
 AUTHENTIK_REDIS__HOST=redis
 AUTHENTIK_ERROR_REPORTING__ENABLED=true
 # WORKERS=1
 AUTHENTIK_SECRET_KEY=secret
 AK_ADMIN_TOKEN=secret
 AK_ADMIN_PASS=secret
 # EMAIL
 AUTHENTIK_EMAIL__HOST=smtp
 AUTHENTIK_EMAIL__PORT=25
 # AUTHENTIK_EMAIL__USERNAME=""
 # AUTHENTIK_EMAIL__PASSWORD=""
 AUTHENTIK_EMAIL__USE_TLS=false
 AUTHENTIK_EMAIL__USE_SSL=false
 AUTHENTIK_EMAIL__TIMEOUT=10
@ -28,6 +20,26 @@ AUTHENTIK_EMAIL__FROM=noreply@example.com
 AUTHENTIK_LOG_LEVEL=info
 # Secret Versions
-# SECRET_SECRET_KEY_VERSION=v1
+SECRET_SECRET_KEY_VERSION=v1
-# SECRET_ADMIN_TOKEN_VERSION=v1
+SECRET_DB_PASSWORD_VERSION=v1
-# SECRET_ADMIN_PASS_VERSION=v1
+SECRET_ADMIN_TOKEN_VERSION=v1
 SECRET_ADMIN_PASS_VERSION=v1
 SECRET_EMAIL_PASS_VERSION=v1
 # X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
 AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
 AUTHENTIK_IMPERSONATION=true
 ## FLOW OPTIONS
 WELCOME_MESSAGE="Welcome to Authentik"
 DEFAULT_LANGUAGE=en
 AUTHENTIK_FOOTER_LINKS='[{"name": "My Organization","href":"https://example.com"}]'
 LOGOUT_REDIRECT="https://$DOMAIN"
 #COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
 #COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/
 #COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 EMAIL_SUBJECT="Account Recovery"
 EMAIL_TOKEN_EXPIRY_MINUTES=30
 LOGOUT_REDIRECT=$DOMAIN
--- a/README.md
+++ b/README.md
@ -9,7 +9,7 @@
 * **Category**: Apps
 * **Status**: 0, work-in-progress
-* **Image**: [ghcr/goauthentik/server](https://ghcr.io/goauthentik/server)
+* **Image**: [ghcr/goauthentik/server](https://ghcr.io/goauthentik/server), 4, upstream
 * **Healthcheck**: Yes
 * **Backups**: Yes
 * **Email**: Yes
@ -20,8 +20,44 @@
 ## Quick start
-* `abra app new authentik --secrets`
+* `abra app new authentik`
 * `abra app config <app-name>`
 * `abra app secret insert <app_name> email_pass v1 <password>`
 * `abra app secret generate -a <app_name>`
 * `abra app deploy <app-name>`
 * `abra app cmd <app_name> app set_admin_pass`
 ## Rotate Secrets
 Increment the secret versions using `abra app config <app_name>`
 ```
 abra app secret generate -a <app_name>
 abra app undeploy <app_name>
 abra app deploy <app_name>
 abra app cmd <app_name> db rotate_db_pass
 abra app cmd <app_name> app set_admin_pass
 ```
 ## Customization
 Place the files you want to overwrite in a directory `<assets_path>`.
 Run `abra app config <app_name>` and define the env variable `COPY_ASSETS` in the following format:
 ```
 "<source_file1>|<service>:<target_directory1> <source_file2>|<service>:<target_directory2> ...
 ```
 For example:
 ```
 COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
 COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/
 COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 ```
 Run this command after every deploy/upgrade:
 `abra app command --local <app-name> customize <assets_path>`
 For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).
--- a/abra.sh
+++ b/abra.sh
@ -0,0 +1,49 @@
 export CUSTOM_CSS_VERSION=v2
 export CUSTOM_FLOWS_VERSION=v4
 customize() {
    if [ -z "$1" ]
    then
            echo "Usage: ... customize <assets_path>"
            exit 1
    fi
    asset_dir=$1
    for asset in $COPY_ASSETS; do
        source=$(echo $asset | cut -d "|" -f1)
        target=$(echo $asset | cut -d "|" -f2)
        echo copy $source to $target
        abra app cp $APP_NAME $asset_dir/$source $target
    done
 }
 set_admin_pass() {
 password=$(cat /run/secrets/admin_pass)
 token=$(cat /run/secrets/admin_token)
 /manage.py shell -c """
 akadmin = User.objects.get(username='akadmin')
 akadmin.set_password('$password')
 akadmin.save()
 print('Changed akadmin password')
 from authentik.core.models import TokenIntents
 key='$token'
 if (token:= Token.objects.filter(identifier='authentik-bootstrap-token').first()):
    token.key=key
    token.save()
    print('Changed authentik-bootstrap-token')
 else:
    Token.objects.create(
        identifier='authentik-bootstrap-token',
        user=akadmin,
        intent=TokenIntents.INTENT_API,
        expiring=False,
        key=key,
    )
    print('Created authentik-bootstrap-token')
 """
 }
 rotate_db_pass() {
    db_password=$(cat /run/secrets/db_password)
    psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
 }
--- a/compose.yml
+++ b/compose.yml
@ -1,39 +1,50 @@
 ---
 x-env: &env
-    - AUTHENTIK_POSTGRESQL__PASSWORD
+    - AUTHENTIK_POSTGRESQL__PASSWORD=file:///run/secrets/db_password
    - AUTHENTIK_POSTGRESQL__USER
    - AUTHENTIK_POSTGRESQL__NAME
    - AUTHENTIK_POSTGRESQL__HOST
    - AUTHENTIK_REDIS__HOST
    - AUTHENTIK_ERROR_REPORTING__ENABLED
-    - AUTHENTIK_SECRET_KEY= #file:///run/secrets/secret_key
+    - AUTHENTIK_SECRET_KEY=file:///run/secrets/secret_key
    - AK_ADMIN_TOKEN= #file:///run/secrets/admin_token
    - AK_ADMIN_PASS= #file:///run/secrets/admin_pass
    - AUTHENTIK_EMAIL__HOST
    - AUTHENTIK_EMAIL__PORT
    - AUTHENTIK_EMAIL__USERNAME
-    - AUTHENTIK_EMAIL__PASSWORD
+    - AUTHENTIK_EMAIL__PASSWORD=file:///run/secrets/email_pass
    - AUTHENTIK_EMAIL__USE_TLS
    - AUTHENTIK_EMAIL__USE_SSL
    - AUTHENTIK_EMAIL__TIMEOUT
    - AUTHENTIK_EMAIL__FROM
    - AUTHENTIK_LOG_LEVEL
-
+    - AUTHENTIK_SETTINGS__THEME__BACKGROUND
    - AUTHENTIK_COLOR_BACKGROUND_LIGHT
    - AUTHENTIK_FOOTER_LINKS
    - AUTHENTIK_IMPERSONATION
    - WELCOME_MESSAGE
    - DEFAULT_LANGUAGE
    - EMAIL_SUBJECT
    - EMAIL_TOKEN_EXPIRY_MINUTES
    - DOMAIN
    - LOGOUT_REDIRECT
 version: '3.8'
 services:
  app:
-    image: ghcr.io/goauthentik/server:2022.6.2
+    image: ghcr.io/goauthentik/server:2023.2.3
    command: server
-    # secrets:
+    secrets:
-    #   - db_password
+      - db_password
-    #   - admin_pass
+      - admin_pass
-    #   - admin_token
+      - admin_token
-    #   - secret_key
+      - secret_key
      - email_pass
    volumes:
      - media:/media
      - custom-templates:/templates
    configs:
      - source: custom_css
        target: /web/dist/custom.css
    networks:
      - internal
      - proxy
@ -55,16 +66,22 @@ services:
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=0.1.0+2022.6.2"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
        - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
        - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
        - "coop-cloud.${STACK_NAME}.version=2.0.0+2023.2.3"
  worker:
-    image: ghcr.io/goauthentik/server:2022.6.2
+    image: ghcr.io/goauthentik/server:2023.2.3
    command: worker
-    # secrets:
+    secrets:
-      # - db_password
+      - db_password
-      # - admin_pass
+      - admin_pass
-      # - admin_token
+      - admin_token
-      # - secret_key
+      - secret_key
      - email_pass
    networks:
      - internal
      - proxy
@ -74,12 +91,17 @@ services:
      - media:/media
      - /var/run/docker.sock:/var/run/docker.sock
      - custom-templates:/templates
      - /dev/null:/blueprints/default/10-flow-default-authentication-flow.yaml
      - /dev/null:/blueprints/default/10-flow-default-invalidation-flow.yaml
    configs:
      - source: custom_flows
        target: /blueprints/custom_flows.yaml
    environment: *env
  db:
-    image: postgres:12.8-alpine
+    image: postgres:12.14-alpine
-    # secrets:
+    secrets:
-      # - db_password
+      - db_password
    volumes:
      - database:/var/lib/postgresql/data
    networks:
@ -91,18 +113,18 @@ services:
      retries: 10
      start_period: 1m
    environment:
-      - POSTGRES_PASSWORD
+      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
-      - POSTGRES_USER
+      - POSTGRES_USER=${AUTHENTIK_POSTGRESQL__USER}
-      - POSTGRES_DB
+      - POSTGRES_DB=${AUTHENTIK_POSTGRESQL__NAME}
    deploy:
      labels:
          backupbot.backup: "true"
-          backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=${POSTGRES_PASSWORD} pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > /tmp/backup/backup.sql"
+          backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$$(cat /run/secrets/db_password) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /tmp/backup/backup.sql"
          backupbot.backup.post-hook: "rm -rf /tmp/backup"
          backupbot.backup.path: "/tmp/backup/"
  redis:
-    image:  redis:7.0.0-alpine
+    image:  redis:7.0.9-alpine
    networks:
      - internal
    healthcheck:
@ -112,19 +134,22 @@ services:
      retries: 10
      start_period: 1m
-# secrets:
+secrets:
-  # db_password:
+  db_password:
-  #   external: true
+    external: true
-  #   name: ${STACK_NAME}_db_password
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
-  # secret_key:
+  secret_key:
-  #   external: true
+    external: true
-  #   name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
+    name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
-  # admin_token:
+  admin_token:
-  #   external: true
+    external: true
-  #   name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
+    name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
-  # admin_pass:
+  admin_pass:
-  #   external: true
+    external: true
-  #   name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION}
+    name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION}
  email_pass:
    external: true
    name: ${STACK_NAME}_email_pass_${SECRET_EMAIL_PASS_VERSION}
 networks:
  proxy:
@ -136,3 +161,13 @@ volumes:
  media:
  custom-templates:
  database:
 configs:
  custom_css:
    name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
    file: custom.css.tmpl
    template_driver: golang
  custom_flows:
    name: ${STACK_NAME}_custom_flows_${CUSTOM_FLOWS_VERSION}
    file: custom_flows.yaml.tmpl
    template_driver: golang
--- a/custom.css.tmpl
+++ b/custom.css.tmpl
@ -0,0 +1,24 @@
 /* my custom css */
 :root {
    --ak-accent: #fd4b2d;
    --ak-dark-foreground: #fafafa;
    --ak-dark-foreground-darker: #bebebe;
    --ak-dark-foreground-link: #5a5cb9;
    --ak-dark-background: #18191a;
    --ak-dark-background-darker: #000000;
    --ak-dark-background-light: {{ env "AUTHENTIK_COLOR_BACKGROUND_LIGHT" }};
    --ak-dark-background-light-ish: #212427;
    --ak-dark-background-lighter: #2b2e33;
    --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
    --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
    --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
    --pf-c-background-image--BackgroundImage--sm-2x: var(--ak-flow-background);
    --pf-c-background-image--BackgroundImage--lg: var(--ak-flow-background);
 }
--- a/custom_flows.yaml.tmpl
+++ b/custom_flows.yaml.tmpl
@ -0,0 +1,404 @@
 version: 1
 metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
  name: Custom - Flows
 context:
 ####### Translations ########
  transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Passwort Zurücksetzen {{ else }} Reset your password {{ end }}
  transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Passwort {{ else }} Password {{ end }}
  transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Passwort (wiederholen) {{ else }} Password (repeat) {{ end }}
  transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Benutzername {{ else }} Username {{ end }}
  transl_name: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Vor- und Nachname {{ else }} Full name {{ end }}
 entries:
 ######## Email Recovery Flow ########
 - identifiers:
    slug: default-recovery-flow
  id: recovery_flow
  model: authentik_flows.flow
  attrs:
    name: Default recovery flow
    title: !Context transl_recovery
    designation: recovery
 ### PROMPTS
 - identifiers:
    field_key: password
    label: !Context transl_password
  id: prompt-field-password
  model: authentik_stages_prompt.prompt
  attrs:
    type: password
    required: true
    placeholder: !Context transl_password
    order: 30
    placeholder_expression: false
 - identifiers:
    field_key: password_repeat
    label: !Context transl_password_repeat
  id: prompt-field-password-repeat
  model: authentik_stages_prompt.prompt
  attrs:
    type: password
    required: true
    placeholder: !Context transl_password_repeat
    order: 31
    placeholder_expression: false
 ### STAGES
 - identifiers:
    name: default-recovery-email
  id: default-recovery-email
  model: authentik_stages_email.emailstage
  attrs:
    use_global_settings: true
    token_expiry: {{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }}
    subject: "{{ env "EMAIL_SUBJECT" }}"
    template: email/password_reset.html
    activate_user_on_success: true
 - identifiers:
    name: default-recovery-user-write
  id: default-recovery-user-write
  model: authentik_stages_user_write.userwritestage
 - identifiers:
    name: default-recovery-identification
  id: default-recovery-identification
  model: authentik_stages_identification.identificationstage
  attrs:
    user_fields:
      - email
      - username
 - identifiers:
    name: default-recovery-user-login
  id: default-recovery-user-login
  model: authentik_stages_user_login.userloginstage
  attrs:
    session_duration: seconds=0
 - identifiers:
    name: Change your password
  id: stage-prompt-password
  model: authentik_stages_prompt.promptstage
  attrs:
    fields:
      - !KeyOf prompt-field-password
      - !KeyOf prompt-field-password-repeat
    validation_policies: []
 ### STAGE BINDINGS
 - identifiers:
    target: !KeyOf recovery_flow
    stage: !KeyOf default-recovery-identification
    order: 10
  model: authentik_flows.flowstagebinding
  id: flow-binding-identification
  attrs:
    evaluate_on_plan: true
    re_evaluate_policies: true
    policy_engine_mode: any
    invalid_response_action: retry
 - identifiers:
    target: !KeyOf recovery_flow
    stage: !KeyOf default-recovery-email
    order: 20
  model: authentik_flows.flowstagebinding
  id: flow-binding-email
  attrs:
    evaluate_on_plan: true
    re_evaluate_policies: true
    policy_engine_mode: any
    invalid_response_action: retry
 - identifiers:
    target: !KeyOf recovery_flow
    stage: !KeyOf stage-prompt-password
    order: 30
  model: authentik_flows.flowstagebinding
  attrs:
    evaluate_on_plan: true
    re_evaluate_policies: false
    policy_engine_mode: any
    invalid_response_action: retry
 - identifiers:
    target: !KeyOf recovery_flow
    stage: !KeyOf default-recovery-user-write
    order: 40
  model: authentik_flows.flowstagebinding
  attrs:
    evaluate_on_plan: true
    re_evaluate_policies: false
    policy_engine_mode: any
    invalid_response_action: retry
 - identifiers:
    target: !KeyOf recovery_flow
    stage: !KeyOf default-recovery-user-login
    order: 100
  model: authentik_flows.flowstagebinding
  attrs:
    evaluate_on_plan: true
    re_evaluate_policies: false
    policy_engine_mode: any
    invalid_response_action: retry
 ### POLICIES
 ## ISSUES with this policy
 ## https://github.com/goauthentik/authentik/blob/493cdd5c0f8caaec7a7dd474f1aa131e32fd39c3/blueprints/example/flows-recovery-email-verification.yaml#L37
 ## https://github.com/goauthentik/authentik/commit/317e9ec6053742e17ba74fb6aa38dc15aaf6657f#diff-a5c56bb7c60e27dda1b131b3fc2a17e3af6624e7cfaaa2337ec6b077ca489f34
 # - identifiers:
 #     name: default-recovery-skip-if-restored
 #   id: default-recovery-skip-if-restored
 #   model: authentik_policies_expression.expressionpolicy
 #   attrs:
 #     expression: |
 #       return request.context.get('is_restored', False)
 ### POLICY BINDINGS
 # - identifiers:
 #     policy: !KeyOf default-recovery-skip-if-restored
 #     target: !KeyOf flow-binding-identification
 #     order: 0
 #   model: authentik_policies.policybinding
 #   attrs:
 #     negate: false
 #     enabled: true
 #     timeout: 30
 # - identifiers:
 #     policy: !KeyOf default-recovery-skip-if-restored
 #     target: !KeyOf flow-binding-email
 #     order: 0
 #   model: authentik_policies.policybinding
 #   attrs:
 #     negate: false
 #     enabled: true
 #     timeout: 30
 ######## Authentication Flow ########
 - attrs:
    designation: authentication
    name: custom-authentication-flow
    title: {{ env "WELCOME_MESSAGE" }}
  identifiers:
    slug: custom-authentication-flow
  id: authentication_flow
  model: authentik_flows.flow
 ### STAGES
 - attrs:
    backends:
    - authentik.core.auth.InbuiltBackend
    - authentik.sources.ldap.auth.LDAPBackend
    - authentik.core.auth.TokenBackend
    configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]
  identifiers:
    name: custom-authentication-password
  id: custom-authentication-password
  model: authentik_stages_password.passwordstage
 - identifiers:
    name: custom-authentication-mfa-validation
  id: custom-authentication-mfa-validation
  model: authentik_stages_authenticator_validate.authenticatorvalidatestage
 - attrs:
    password_stage: !KeyOf custom-authentication-password
    recovery_flow: !KeyOf recovery_flow  # !Find [authentik_flows.flow, [slug, default-recovery-flow]]
    user_fields:
    - email
    - username
  identifiers:
    name: custom-authentication-identification
  id: custom-authentication-identification
  model: authentik_stages_identification.identificationstage
 - attrs:
    session_duration: seconds=0
  identifiers:
    name: custom-authentication-login
  id: custom-authentication-login
  model: authentik_stages_user_login.userloginstage
 ### STAGE BINDINGS
 - identifiers:
    order: 10
    stage: !KeyOf custom-authentication-identification
    target: !KeyOf authentication_flow
  model: authentik_flows.flowstagebinding
 - identifiers:
    order: 30
    stage: !KeyOf custom-authentication-mfa-validation
    target: !KeyOf authentication_flow
  model: authentik_flows.flowstagebinding
 - identifiers:
    order: 100
    stage: !KeyOf custom-authentication-login
    target: !KeyOf authentication_flow
  model: authentik_flows.flowstagebinding
 ######## Invitation Enrollment Flow ########
 - attrs:
    designation: enrollment
    name: invitation-enrollment-flow
    title: {{ env "WELCOME_MESSAGE" }}
  identifiers:
    slug: invitation-enrollment-flow
  id: invitation-enrollment-flow
  model: authentik_flows.flow
 ### PROMPTS
 - identifiers:
    field_key: username
    label: !Context transl_username
  id: prompt-field-username
  model: authentik_stages_prompt.prompt
  attrs:
    type: username
    required: true
    placeholder: !Context transl_username
    order: 0
    placeholder_expression: false
 - identifiers:
    field_key: name
    label: !Context transl_name
  id: prompt-field-name
  model: authentik_stages_prompt.prompt
  attrs:
    type: text
    required: true
    placeholder: !Context transl_name
    order: 1
    placeholder_expression: false
 - identifiers:
    field_key: email
    label: Email
  id: prompt-field-email
  model: authentik_stages_prompt.prompt
  attrs:
    type: email
    required: true
    placeholder: muster@example.com
    order: 2
    placeholder_expression: false
 ### STAGES
 - id: invitation-stage
  identifiers:
    name: invitation-stage
  model: authentik_stages_invitation.invitationstage
 - attrs:
    fields:
      - !KeyOf prompt-field-username
      - !KeyOf prompt-field-name
      - !KeyOf prompt-field-email
      - !KeyOf prompt-field-password
      - !KeyOf prompt-field-password-repeat
  id: enrollment-prompt-userdata
  identifiers:
    name: enrollment-prompt-userdata
  model: authentik_stages_prompt.promptstage
 - id: enrollment-user-write
  identifiers:
    name: enrollment-user-write
  model: authentik_stages_user_write.userwritestage
 - attrs:
    session_duration: seconds=0
  id: enrollment-user-login
  identifiers:
    name: enrollment-user-login
  model: authentik_stages_user_login.userloginstage
 ### STAGE BINDINGS
 - identifiers:
    order: 1
    stage: !KeyOf invitation-stage
    target: !KeyOf invitation-enrollment-flow
  model: authentik_flows.flowstagebinding
 - identifiers:
    order: 10
    stage: !KeyOf enrollment-prompt-userdata
    target: !KeyOf invitation-enrollment-flow
  model: authentik_flows.flowstagebinding
 - identifiers:
    order: 20
    stage: !KeyOf enrollment-user-write
    target: !KeyOf invitation-enrollment-flow
  model: authentik_flows.flowstagebinding
 - identifiers:
    order: 100
    stage: !KeyOf enrollment-user-login
    target: !KeyOf invitation-enrollment-flow
  model: authentik_flows.flowstagebinding
 ######## Invalidation Flow ########
 - identifiers:
    slug: logout-flow
  id: logout-flow
  model: authentik_flows.flow
  attrs:
    name: Logout
    title: Logout Flow
    designation: invalidation
 ### STAGES
 - id: logout-stage
  identifiers:
    name: logout-stage
  model: authentik_stages_user_logout.userlogoutstage
 ### STAGE BINDINGS
 - identifiers:
    order: 0
    stage: !KeyOf logout-stage
    target: !KeyOf logout-flow
  model: authentik_flows.flowstagebinding
  attrs:
    re_evaluate_policies: true
  id: logout-stage-binding
 ### POLICIES
 - attrs:
    execution_logging: true
    expression: 'context[''flow_plan''].context[''redirect''] = ''{{ env "LOGOUT_REDIRECT" }}''
    return True'
  identifiers:
    name: redirect-policy
  id: redirect-policy
  model: authentik_policies_expression.expressionpolicy
 ### POLICY BINDINGS
 - identifiers:
    policy: !KeyOf redirect-policy
    target: !KeyOf logout-stage-binding
    order: 0
  model: authentik_policies.policybinding
  attrs:
    enabled: {{ if eq (env "LOGOUT_REDIRECT") "" }} false {{ else }} true {{ end }}
    timeout: 30
 ######## System Tenant ##########
 - attrs:
    attributes:
      settings:
        locale: {{ env "DEFAULT_LANGUAGE" }}
    # branding_favicon: /static/dist/assets/icons/icon.png
    # branding_logo: /static/dist/assets/icons/icon_left_brand.svg
    # branding_title: Authentik
    # default: true
    domain: {{ env "DOMAIN" }}
    # event_retention: days=365
    flow_authentication: !KeyOf authentication_flow
    flow_recovery: !KeyOf recovery_flow
    flow_invalidation: !KeyOf logout-flow
    flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
  identifiers:
    pk: 047cce25-aae2-4b02-9f96-078e155f803d
  id: system_tenant
  model: authentik_tenants.tenant
--- a/releases/1.0.0+2022.10.1
+++ b/releases/1.0.0+2022.10.1
@ -0,0 +1,15 @@
 This upgrade replaces the passwords stored in env variables by docker secrets.
 You need to insert the following passwords as secret:
 `POSTGRES_PASSWORD` / `AUTHENTIK_POSTGRESQL__PASSWORD`:
    `abra app secret insert <app_name> db_password v1 <password>`
 `AUTHENTIK_SECRET_KEY`:
    `abra app secret insert <app_name> secret_key v1 <password>`
 `AK_ADMIN_TOKEN`:
    `abra app secret insert <app_name> admin_token v1 <password>`
 `AK_ADMIN_PASS`:
    `abra app secret insert <app_name> admin_pass v1 <password>`
 `AUTHENTIK_EMAIL__PASSWORD`:
    `abra app secret insert <app_name> email_pass v1 <password>`
 These variables should be removed from the .env file.
--- a/releases/2.0.0+2023.2.3
+++ b/releases/2.0.0+2023.2.3
@ -0,0 +1,2 @@
 Logout URL changes from `https://login.example.org/if/flow/default-invalidation-flow/` to `https://login.example.org/if/flow/logout-flow/`
 Replace it in any app that uses this logout url.
Author	SHA1	Message	Date
Moritz	41396da668	chore: publish 2.0.0+2023.2.3 release	2023-03-07 16:48:41 +01:00
Philipp Rothmann	2d732e243b	chore: publish 1.4.2+2023.2.3 release	2023-03-06 17:05:12 +01:00
Philipp Rothmann	2f231fb22e	chore: publish 1.4.1+2023.2.3 release	2023-03-06 16:55:31 +01:00
Philipp Rothmann	c9f0db95dd	fix: backupbot label	2023-03-01 13:29:58 +01:00
Moritz	be0d41d9cd	chore: publish 1.4.0+2023.1.0 release	2023-01-27 14:20:47 +01:00
Moritz	0548a00902	add LOGOUT_REDIRECT to .env.sample	2023-01-27 14:19:06 +01:00
3wc	312d8f786d	Switch to self-hosted stack-ssh-deploy image [mass update]	2023-01-21 11:49:55 -08:00
3wc	b10fe24031	Add drone configs / secrets [mass update]	2023-01-20 21:32:06 -08:00
3wc	390043cf71	Add CI and catalogue generation [mass update]	2023-01-20 10:45:02 -08:00
Moritz	0c54677f57	remove german translated password reset email template file	2023-01-17 15:33:21 +01:00
Moritz	34cf7e3f65	add release note for next release: changing logout url	2023-01-17 15:19:39 +01:00
Moritz	bf6d25d9f7	prettify COPY_ASSETS default value	2023-01-05 23:42:28 +01:00
Moritz	99a90147ac	feat: add logout redirection	2023-01-05 23:36:22 +01:00
Moritz	26d02d51dd	chore: publish 1.3.0+2022.12.2 release	2023-01-05 18:23:46 +01:00
Philipp Rothmann	4bab09a1cf	feat: add token expiry and email subject template	2022-12-20 20:39:04 +01:00
Moritz	b7df357395	fix image metadata	2022-12-20 16:02:12 +01:00
Moritz	9273fbcb1a	fix README	2022-12-20 15:56:35 +01:00
Moritz	a01559d61a	add AUTHENTIK_IMPERSONATION env for disabling impersonation	2022-12-20 12:54:39 +01:00
Moritz	40afba88ae	chore: publish 1.2.0+2022.11.3 release	2022-12-20 11:28:17 +01:00
Moritz	3512cbe394	update README	2022-12-20 11:11:27 +01:00
Moritz	1dc2ba18d4	general way to copy assets using env variables	2022-12-20 10:41:32 +01:00
Philipp Rothmann	dd47cb56f6	chore: publish 1.1.1+2022.11.1 release	2022-12-02 12:14:33 +01:00
Philipp Rothmann	45f649e499	fix typo	2022-12-02 12:04:15 +01:00
3wc	c8100f0f4b	Switch to <recipe>.example.com	2022-11-24 21:13:19 -08:00
Moritz	335a65cc86	remove german translated password reset email template	2022-11-23 15:29:09 +01:00
Moritz	25fe883df3	chore: publish 1.1.0+2022.11.1 release	2022-11-23 15:20:30 +01:00
Moritz	fcb54027d0	chore: publish 1.0.0+2022.10.1 release	2022-11-22 11:12:35 +01:00
Moritz	e09cc214ab	Fix README	2022-11-17 20:15:57 +01:00
Moritz	ed8b1371e4	feat(secrets): use docker secrets and make them rotateable	2022-11-17 19:34:20 +01:00
Moritz	3be4b1356a	remove default-authentication-flow	2022-11-16 15:54:15 +01:00
Philipp Rothmann	6476fcebfb	chore: publish 0.6.0+2022.10.1 release	2022-11-12 10:26:54 +01:00
Moritz	b0f6e6c857	add AUTHENTIK_FOOTER_LINKS variable to .env	2022-10-25 18:30:44 +02:00
Moritz	93b5a89aea	chore: publish 0.6.0+2022.10.0 release	2022-10-25 18:26:13 +02:00
Moritz	eee62d6be8	add german translated password reset email template	2022-10-25 17:55:42 +02:00
Moritz	d5caa67384	add customize command to change background and logo	2022-10-25 17:47:21 +02:00
Moritz	5416fe7a7b	Merge branch 'main' of https://git.coopcloud.tech/coop-cloud/authentik	2022-10-20 13:27:58 +02:00
Moritz	af029ff773	add flow blueprint templates for authentication, email recovery and invitation enrollment with german language support	2022-10-20 13:22:01 +02:00
Philipp Rothmann	c08834ee12	make menubar color customizable	2022-10-19 13:32:27 +02:00
Philipp Rothmann	b21f73b275	chore: publish 0.5.0+2022.9.0 release	2022-10-12 10:39:20 +02:00
Philipp Rothmann	94344d29c3	add custom css	2022-10-11 13:05:29 +02:00
Philipp Rothmann	4d8e5ded27	.env.sample template domain	2022-09-13 15:33:50 +02:00
Philipp Rothmann	a67caca935	chore: publish 0.4.0+2022.8.2 release	2022-09-12 11:21:48 +02:00
Philipp Rothmann	a23fb0f209	add headers to embed authentik in iframes	2022-09-12 10:56:11 +02:00
Philipp Rothmann	d59f464378	chore: publish 0.3.0+2022.7.3 release	2022-07-21 14:24:20 +02:00
Philipp Rothmann	31d4594989	chore: publish 0.2.0+2022.6.3 release	2022-06-24 11:12:19 +02:00
		`@ -0,0 +1,2 @@`
							Logout URL changes from `https://login.example.org/if/flow/default-invalidation-flow/` to `https://login.example.org/if/flow/logout-flow/`
							`Replace it in any app that uses this logout url.`