general way to copy assets using env variables

.env.sample

@@ -1,7 +1,7 @@
 TYPE=authentik
 LETS_ENCRYPT_ENV=production
 
-DOMAIN=sso.example.com
+DOMAIN={{ .Domain }}
 POSTGRES_PASSWORD=secret
 AUTHENTIK_POSTGRESQL__PASSWORD=secret
 POSTGRES_USER=authentik
@@ -33,3 +33,10 @@ AUTHENTIK_LOG_LEVEL=info
 # SECRET_ADMIN_PASS_VERSION=v1
 
 # X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
+AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
+
+## FLOW OPTIONS
+WELCOME_MESSAGE="Welcome to Authentik"
+DEFAULT_LANGUAGE=en
+AUTHENTIK_FOOTER_LINKS='[{"name": "My Organization","href":"https://example.com"}]'
+COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/ icon_left_brand.svg|app:/web/dist/assets/icons/ icon.png|app:/web/dist/assets/icons/"

README.md

@@ -24,4 +24,16 @@
 * `abra app config <app-name>`
 * `abra app deploy <app-name>`
 
+## Customization
+
+Run this command after every deploy/upgrade:
+
+`abra app command --local <app-name> customize <assets_path>`
+
+This command replaces the background image, the logo and the favicon with the following files placed in the `<assets_path>` directory:
+* `flow_background.jpg`
+* `icon_left_brand.svg`
+* `icon.png`
+
+
 For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).

abra.sh

@@ -0,0 +1,18 @@
+export CUSTOM_CSS_VERSION=v2
+export CUSTOM_FLOWS_VERSION=v2
+export RECOVERY_TEMPLATE_DE_VERSION=v1
+
+customize() {
+    if [ -z "$1" ]
+    then
+            echo "Usage: ... customize <assets_path>"
+            exit 1
+    fi
+    asset_dir=$1
+    for asset in $COPY_ASSETS; do
+        source=$(echo $asset | cut -d "|" -f1)
+        target=$(echo $asset | cut -d "|" -f2)
+        echo copy $source to $target
+        abra app cp $APP_NAME $asset_dir/$source $target
+    done
+}

compose.yml

@@ -19,12 +19,17 @@ x-env: &env
     - AUTHENTIK_EMAIL__TIMEOUT
     - AUTHENTIK_EMAIL__FROM
     - AUTHENTIK_LOG_LEVEL
-
+    - AUTHENTIK_SETTINGS__THEME__BACKGROUND
+    - AUTHENTIK_COLOR_BACKGROUND_LIGHT
+    - AUTHENTIK_FOOTER_LINKS
+    - WELCOME_MESSAGE
+    - DEFAULT_LANGUAGE
+    - DOMAIN
 
 version: '3.8'
 services:
   app:
-    image: ghcr.io/goauthentik/server:2022.8.2
+    image: ghcr.io/goauthentik/server:2022.10.1
     command: server
     # secrets:
     #   - db_password
@@ -34,6 +39,11 @@ services:
     volumes:
       - media:/media
       - custom-templates:/templates
+    configs:
+      - source: custom_css
+        target: /web/dist/custom.css
+      - source: recovery_template_de
+        target: /templates/password_reset_de.html
     networks:
       - internal
       - proxy
@@ -60,10 +70,10 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=0.4.0+2022.8.2"
+        - "coop-cloud.${STACK_NAME}.version=0.6.0+2022.10.1"
 
   worker:
-    image: ghcr.io/goauthentik/server:2022.8.2
+    image: ghcr.io/goauthentik/server:2022.10.1
     command: worker
     # secrets:
       # - db_password
@@ -79,6 +89,10 @@ services:
       - media:/media
       - /var/run/docker.sock:/var/run/docker.sock
       - custom-templates:/templates
+      - /dev/null:/blueprints/default/10-flow-default-authentication-flow.yaml
+    configs:
+      - source: custom_flows
+        target: /blueprints/custom_flows.yaml
     environment: *env
 
   db:
@@ -107,7 +121,7 @@ services:
           backupbot.backup.path: "/tmp/backup/"
 
   redis:
-    image:  redis:7.0.4-alpine
+    image:  redis:7.0.5-alpine
     networks:
       - internal
     healthcheck:
@@ -141,3 +155,16 @@ volumes:
   media:
   custom-templates:
   database:
+
+configs:
+  custom_css:
+    name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
+    file: custom.css.tmpl
+    template_driver: golang
+  recovery_template_de:
+    name: ${STACK_NAME}_recovery_template_de_${RECOVERY_TEMPLATE_DE_VERSION}
+    file: password_reset_de.html
+  custom_flows:
+    name: ${STACK_NAME}_custom_flows_${CUSTOM_FLOWS_VERSION}
+    file: custom_flows.yaml.tmpl
+    template_driver: golang

custom.css.tmpl

@@ -0,0 +1,24 @@
+/* my custom css */
+
+
+:root {
+    --ak-accent: #fd4b2d;
+
+    --ak-dark-foreground: #fafafa;
+    --ak-dark-foreground-darker: #bebebe;
+    --ak-dark-foreground-link: #5a5cb9;
+    --ak-dark-background: #18191a;
+    --ak-dark-background-darker: #000000;
+
+
+    --ak-dark-background-light: {{ env "AUTHENTIK_COLOR_BACKGROUND_LIGHT" }};
+    --ak-dark-background-light-ish: #212427;
+    --ak-dark-background-lighter: #2b2e33;
+
+    --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
+    --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
+    --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
+    --pf-c-background-image--BackgroundImage--sm-2x: var(--ak-flow-background);
+    --pf-c-background-image--BackgroundImage--lg: var(--ak-flow-background);
+}
+

custom_flows.yaml.tmpl

@@ -0,0 +1,356 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Custom - Flows
+context:
+####### Translations ########
+  transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Passwort Zurücksetzen {{ else }} Reset your password {{ end }}
+  transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Passwort {{ else }} Password {{ end }}
+  transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Passwort (wiederholen) {{ else }} Password (repeat) {{ end }}
+  transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Benutzername {{ else }} Username {{ end }}
+  transl_name: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Vor- und Nachname {{ else }} Full name {{ end }}
+  transl_template_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} password_reset_de.html {{ else }} email/password_reset.html {{ end }}
+
+entries:
+######## Email Recovery Flow ######## 
+- identifiers:
+    slug: default-recovery-flow
+  id: recovery_flow
+  model: authentik_flows.flow
+  attrs:
+    name: Default recovery flow
+    title: !Context transl_recovery
+    designation: recovery
+
+### PROMPTS
+- identifiers:
+    field_key: password
+    label: !Context transl_password
+  id: prompt-field-password
+  model: authentik_stages_prompt.prompt
+  attrs:
+    type: password
+    required: true
+    placeholder: !Context transl_password
+    order: 30
+    placeholder_expression: false
+- identifiers:
+    field_key: password_repeat
+    label: !Context transl_password_repeat
+  id: prompt-field-password-repeat
+  model: authentik_stages_prompt.prompt
+  attrs:
+    type: password
+    required: true
+    placeholder: !Context transl_password_repeat
+    order: 31
+    placeholder_expression: false
+
+
+### STAGES
+- identifiers:
+    name: default-recovery-email
+  id: default-recovery-email
+  model: authentik_stages_email.emailstage
+  attrs:
+    use_global_settings: true
+    token_expiry: 30
+    subject: authentik
+    template: !Context transl_template_recovery
+    activate_user_on_success: true
+- identifiers:
+    name: default-recovery-user-write
+  id: default-recovery-user-write
+  model: authentik_stages_user_write.userwritestage
+- identifiers:
+    name: default-recovery-identification
+  id: default-recovery-identification
+  model: authentik_stages_identification.identificationstage
+  attrs:
+    user_fields:
+      - email
+      - username
+- identifiers:
+    name: default-recovery-user-login
+  id: default-recovery-user-login
+  model: authentik_stages_user_login.userloginstage
+  attrs:
+    session_duration: seconds=0
+- identifiers:
+    name: Change your password
+  id: stage-prompt-password
+  model: authentik_stages_prompt.promptstage
+  attrs:
+    fields:
+      - !KeyOf prompt-field-password
+      - !KeyOf prompt-field-password-repeat
+    validation_policies: []
+
+### STAGE BINDINGS
+- identifiers:
+    target: !KeyOf recovery_flow
+    stage: !KeyOf default-recovery-identification
+    order: 10
+  model: authentik_flows.flowstagebinding
+  id: flow-binding-identification
+  attrs:
+    evaluate_on_plan: true
+    re_evaluate_policies: true
+    policy_engine_mode: any
+    invalid_response_action: retry
+- identifiers:
+    target: !KeyOf recovery_flow
+    stage: !KeyOf default-recovery-email
+    order: 20
+  model: authentik_flows.flowstagebinding
+  id: flow-binding-email
+  attrs:
+    evaluate_on_plan: true
+    re_evaluate_policies: true
+    policy_engine_mode: any
+    invalid_response_action: retry
+- identifiers:
+    target: !KeyOf recovery_flow
+    stage: !KeyOf stage-prompt-password
+    order: 30
+  model: authentik_flows.flowstagebinding
+  attrs:
+    evaluate_on_plan: true
+    re_evaluate_policies: false
+    policy_engine_mode: any
+    invalid_response_action: retry
+- identifiers:
+    target: !KeyOf recovery_flow
+    stage: !KeyOf default-recovery-user-write
+    order: 40
+  model: authentik_flows.flowstagebinding
+  attrs:
+    evaluate_on_plan: true
+    re_evaluate_policies: false
+    policy_engine_mode: any
+    invalid_response_action: retry
+- identifiers:
+    target: !KeyOf recovery_flow
+    stage: !KeyOf default-recovery-user-login
+    order: 100
+  model: authentik_flows.flowstagebinding
+  attrs:
+    evaluate_on_plan: true
+    re_evaluate_policies: false
+    policy_engine_mode: any
+    invalid_response_action: retry
+
+### POLICIES
+## ISSUES with this policy
+## https://github.com/goauthentik/authentik/blob/493cdd5c0f8caaec7a7dd474f1aa131e32fd39c3/blueprints/example/flows-recovery-email-verification.yaml#L37
+## https://github.com/goauthentik/authentik/commit/317e9ec6053742e17ba74fb6aa38dc15aaf6657f#diff-a5c56bb7c60e27dda1b131b3fc2a17e3af6624e7cfaaa2337ec6b077ca489f34
+# - identifiers:
+#     name: default-recovery-skip-if-restored
+#   id: default-recovery-skip-if-restored
+#   model: authentik_policies_expression.expressionpolicy
+#   attrs:
+#     expression: |
+#       return request.context.get('is_restored', False)
+
+### POLICY BINDINGS
+# - identifiers:
+#     policy: !KeyOf default-recovery-skip-if-restored
+#     target: !KeyOf flow-binding-identification
+#     order: 0
+#   model: authentik_policies.policybinding
+#   attrs:
+#     negate: false
+#     enabled: true
+#     timeout: 30
+# - identifiers:
+#     policy: !KeyOf default-recovery-skip-if-restored
+#     target: !KeyOf flow-binding-email
+#     order: 0
+#   model: authentik_policies.policybinding
+#   attrs:
+#     negate: false
+#     enabled: true
+#     timeout: 30
+
+
+
+######## Authentication Flow ######## 
+- attrs:
+    designation: authentication
+    name: custom-authentication-flow
+    title: {{ env "WELCOME_MESSAGE" }}
+  identifiers:
+    slug: custom-authentication-flow
+  id: authentication_flow
+  model: authentik_flows.flow
+
+### STAGES
+- attrs:
+    backends:
+    - authentik.core.auth.InbuiltBackend
+    - authentik.sources.ldap.auth.LDAPBackend
+    - authentik.core.auth.TokenBackend
+    configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]
+  identifiers:
+    name: custom-authentication-password
+  id: custom-authentication-password
+  model: authentik_stages_password.passwordstage
+
+- identifiers:
+    name: custom-authentication-mfa-validation
+  id: custom-authentication-mfa-validation
+  model: authentik_stages_authenticator_validate.authenticatorvalidatestage
+
+- attrs:
+    password_stage: !KeyOf custom-authentication-password
+    recovery_flow: !KeyOf recovery_flow  # !Find [authentik_flows.flow, [slug, default-recovery-flow]]
+    user_fields:
+    - email
+    - username
+  identifiers:
+    name: custom-authentication-identification
+  id: custom-authentication-identification
+  model: authentik_stages_identification.identificationstage
+
+- attrs:
+    session_duration: seconds=0
+  identifiers:
+    name: custom-authentication-login
+  id: custom-authentication-login
+  model: authentik_stages_user_login.userloginstage
+
+### STAGE BINDINGS
+- identifiers:
+    order: 10
+    stage: !KeyOf custom-authentication-identification
+    target: !KeyOf authentication_flow
+  model: authentik_flows.flowstagebinding
+- identifiers:
+    order: 30
+    stage: !KeyOf custom-authentication-mfa-validation
+    target: !KeyOf authentication_flow
+  model: authentik_flows.flowstagebinding
+- identifiers:
+    order: 100
+    stage: !KeyOf custom-authentication-login
+    target: !KeyOf authentication_flow
+  model: authentik_flows.flowstagebinding
+
+######## Invitation Enrollment Flow ######## 
+- attrs:
+    designation: enrollment
+    name: invitation-enrollment-flow
+    title: {{ env "WELCOME_MESSAGE" }}
+  identifiers:
+    slug: invitation-enrollment-flow
+  id: invitation-enrollment-flow
+  model: authentik_flows.flow
+
+### PROMPTS
+- identifiers:
+    field_key: username
+    label: !Context transl_username
+  id: prompt-field-username
+  model: authentik_stages_prompt.prompt
+  attrs:
+    type: username
+    required: true
+    placeholder: !Context transl_username
+    order: 0
+    placeholder_expression: false
+- identifiers:
+    field_key: name
+    label: !Context transl_name
+  id: prompt-field-name
+  model: authentik_stages_prompt.prompt
+  attrs:
+    type: text
+    required: true
+    placeholder: !Context transl_name
+    order: 1
+    placeholder_expression: false
+- identifiers:
+    field_key: email
+    label: Email
+  id: prompt-field-email
+  model: authentik_stages_prompt.prompt
+  attrs:
+    type: email
+    required: true
+    placeholder: muster@example.com
+    order: 2
+    placeholder_expression: false
+
+### STAGES
+
+- id: invitation-stage
+  identifiers:
+    name: invitation-stage
+  model: authentik_stages_invitation.invitationstage
+
+- attrs:
+    fields:
+      - !KeyOf prompt-field-username
+      - !KeyOf prompt-field-name
+      - !KeyOf prompt-field-email
+      - !KeyOf prompt-field-password
+      - !KeyOf prompt-field-password-repeat
+  id: enrollment-prompt-userdata
+  identifiers:
+    name: enrollment-prompt-userdata
+  model: authentik_stages_prompt.promptstage
+
+- id: enrollment-user-write
+  identifiers:
+    name: enrollment-user-write
+  model: authentik_stages_user_write.userwritestage
+
+- attrs:
+    session_duration: seconds=0
+  id: enrollment-user-login
+  identifiers:
+    name: enrollment-user-login
+  model: authentik_stages_user_login.userloginstage
+
+### STAGE BINDINGS
+- identifiers:
+    order: 1
+    stage: !KeyOf invitation-stage
+    target: !KeyOf invitation-enrollment-flow
+  model: authentik_flows.flowstagebinding
+- identifiers:
+    order: 10
+    stage: !KeyOf enrollment-prompt-userdata
+    target: !KeyOf invitation-enrollment-flow
+  model: authentik_flows.flowstagebinding
+- identifiers:
+    order: 20
+    stage: !KeyOf enrollment-user-write
+    target: !KeyOf invitation-enrollment-flow
+  model: authentik_flows.flowstagebinding
+- identifiers:
+    order: 100
+    stage: !KeyOf enrollment-user-login
+    target: !KeyOf invitation-enrollment-flow
+  model: authentik_flows.flowstagebinding
+
+######## System Tenant ##########
+- attrs:
+    attributes: 
+      settings:
+        locale: {{ env "DEFAULT_LANGUAGE" }}
+    # branding_favicon: /static/dist/assets/icons/icon.png
+    # branding_logo: /static/dist/assets/icons/icon_left_brand.svg
+    # branding_title: Authentik
+    # default: true
+    domain: {{ env "DOMAIN" }}
+    # event_retention: days=365
+    flow_authentication: !KeyOf authentication_flow
+    flow_recovery: !KeyOf recovery_flow
+    flow_invalidation: !Find [authentik_flows.flow, [slug, default-invalidation-flow]]
+    flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
+  identifiers:
+    pk: 047cce25-aae2-4b02-9f96-078e155f803d
+  id: system_tenant
+  model: authentik_tenants.tenant

password_reset_de.html

@@ -0,0 +1,53 @@
+{% extends "email/base.html" %}
+
+{% load i18n %}
+{% load humanize %}
+
+{% block content %}
+<tr>
+    <td class="alert alert-success">
+        {% blocktrans with username=user.username %}
+        Herzlich Willkommen {{ username }},
+        {% endblocktrans %}
+    </td>
+</tr>
+<tr>
+    <td class="content-wrap">
+        <table width="100%" cellpadding="0" cellspacing="0">
+            <tr>
+                <td class="content-block">
+                    {% blocktrans %}
+                    Klicke auf folgenden Link um ein Passwort für deinen Account zu erstellen:
+                    {% endblocktrans %}
+                </td>
+            </tr>
+            <tr>
+                <td class="content-block">
+                    <table role="presentation" border="0" cellpadding="0" cellspacing="0" class="btn btn-primary">
+                        <tbody>
+                        <tr>
+                            <td align="center">
+                            <table role="presentation" border="0" cellpadding="0" cellspacing="0">
+                                <tbody>
+                                <tr>
+                                    <td> <a id="confirm" href="{{ url }}" rel="noopener noreferrer" target="_blank">Passwort Erstellen</a> </td>
+                                </tr>
+                                </tbody>
+                            </table>
+                            </td>
+                        </tr>
+                        </tbody>
+                    </table>
+                </td>
+            </tr>
+            <tr>
+                <td class="content-block">
+                    {% blocktrans with expires=expires|naturaltime %}
+                    Falls du diese E-Mail fälschlicherweise erhalten hast, ignoriere sie bitte. Der obige Link ist gültig für: {{ expires }}.
+                    {% endblocktrans %}
+                </td>
+            </tr>
+        </table>
+    </td>
+</tr>
+{% endblock %}