chore: publish 2.0.0+2023.2.3 release

.drone.yml

@@ -0,0 +1,45 @@
+---
+kind: pipeline
+name: deploy to swarm-test.autonomic.zone
+steps:
+  - name: deployment
+    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    settings:
+      host: swarm-test.autonomic.zone
+      stack: authentik
+      generate_secrets: true
+      purge: true
+      deploy_key:
+        from_secret: drone_ssh_swarm_test
+      networks:
+        - proxy
+    environment:
+      DOMAIN: authentik.swarm-test.autonomic.zone
+      STACK_NAME: authentik
+      LETS_ENCRYPT_ENV: production
+      CUSTOM_CSS_VERSION: v1
+      CUSTOM_FLOWS_VERSION: v1
+      SECRET_SECRET_KEY_VERSION: v1
+      SECRET_DB_PASSWORD_VERSION: v1
+      SECRET_ADMIN_TOKEN_VERSION: v1
+      SECRET_ADMIN_PASS_VERSION: v1
+      SECRET_EMAIL_PASS_VERSION: v1
+trigger:
+  branch:
+    - main
+---
+kind: pipeline
+name: generate recipe catalogue
+steps:
+  - name: release a new version
+    image: plugins/downstream
+    settings:
+      server: https://build.coopcloud.tech
+      token:
+        from_secret: drone_abra-bot_token
+      fork: true
+      repositories:
+        - coop-cloud/auto-recipes-catalogue-json
+
+trigger:
+  event: tag

.env.sample

@@ -28,8 +28,18 @@ SECRET_EMAIL_PASS_VERSION=v1
 
 # X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
 AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
+AUTHENTIK_IMPERSONATION=true
 
 ## FLOW OPTIONS
 WELCOME_MESSAGE="Welcome to Authentik"
 DEFAULT_LANGUAGE=en
 AUTHENTIK_FOOTER_LINKS='[{"name": "My Organization","href":"https://example.com"}]'
+LOGOUT_REDIRECT="https://$DOMAIN"
+#COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
+#COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/
+#COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
+
+EMAIL_SUBJECT="Account Recovery"
+EMAIL_TOKEN_EXPIRY_MINUTES=30
+
+LOGOUT_REDIRECT=$DOMAIN

README.md

@@ -9,7 +9,7 @@
 
 * **Category**: Apps
 * **Status**: 0, work-in-progress
-* **Image**: [ghcr/goauthentik/server](https://ghcr.io/goauthentik/server)
+* **Image**: [ghcr/goauthentik/server](https://ghcr.io/goauthentik/server), 4, upstream
 * **Healthcheck**: Yes
 * **Backups**: Yes
 * **Email**: Yes
@@ -20,15 +20,17 @@
 
 ## Quick start
 
-* `abra app new authentik --secrets`
+* `abra app new authentik`
 * `abra app config <app-name>`
 * `abra app secret insert <app_name> email_pass v1 <password>`
-* `abra app secret generate -a <app_name>
+* `abra app secret generate -a <app_name>`
 * `abra app deploy <app-name>`
 * `abra app cmd <app_name> app set_admin_pass`
 
 ## Rotate Secrets
 
+Increment the secret versions using `abra app config <app_name>`
+
 ```
 abra app secret generate -a <app_name>
 abra app undeploy <app_name>
@@ -39,14 +41,23 @@ abra app cmd <app_name> app set_admin_pass
 
 ## Customization
 
+Place the files you want to overwrite in a directory `<assets_path>`.
+Run `abra app config <app_name>` and define the env variable `COPY_ASSETS` in the following format:
+
+```
+"<source_file1>|<service>:<target_directory1> <source_file2>|<service>:<target_directory2> ...
+```
+
+For example:
+
+```
+COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
+COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/
+COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
+```
+
 Run this command after every deploy/upgrade:
 
 `abra app command --local <app-name> customize <assets_path>`
 
-This command replaces the background image, the logo and the favicon with the following files placed in the `<assets_path>` directory:
-* `flow_background.jpg`
-* `icon_left_brand.svg`
-* `icon.png`
-
-
 For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).

abra.sh

@@ -1,5 +1,5 @@
 export CUSTOM_CSS_VERSION=v2
-export CUSTOM_FLOWS_VERSION=v2
+export CUSTOM_FLOWS_VERSION=v4
 
 customize() {
     if [ -z "$1" ]
@@ -7,22 +7,13 @@ customize() {
             echo "Usage: ... customize <assets_path>"
             exit 1
     fi
-    # TODO: use env to specify source and target files
-    if [ -e $1/flow_background.jpg ]
-    then
-        echo copy flow_background.jpg
-        abra app cp $APP_NAME $1/flow_background.jpg app:/web/dist/assets/images/
-    fi
-    if [ -e $1/icon_left_brand.svg ]
-    then
-        echo copy icon_left_brand.svg
-        abra app cp $APP_NAME $1/icon_left_brand.svg app:/web/dist/assets/icons/
-    fi
-    if [ -e $1/icon.png ]
-    then
-        echo copy icon.png
-        abra app cp $APP_NAME $1/icon.png app:/web/dist/assets/icons/
-    fi
+    asset_dir=$1
+    for asset in $COPY_ASSETS; do
+        source=$(echo $asset | cut -d "|" -f1)
+        target=$(echo $asset | cut -d "|" -f2)
+        echo copy $source to $target
+        abra app cp $APP_NAME $asset_dir/$source $target
+    done
 }
 
 set_admin_pass() {

compose.yml

@@ -20,14 +20,18 @@ x-env: &env
     - AUTHENTIK_SETTINGS__THEME__BACKGROUND
     - AUTHENTIK_COLOR_BACKGROUND_LIGHT
     - AUTHENTIK_FOOTER_LINKS
+    - AUTHENTIK_IMPERSONATION
     - WELCOME_MESSAGE
     - DEFAULT_LANGUAGE
+    - EMAIL_SUBJECT
+    - EMAIL_TOKEN_EXPIRY_MINUTES
     - DOMAIN
+    - LOGOUT_REDIRECT
 
 version: '3.8'
 services:
   app:
-    image: ghcr.io/goauthentik/server:2022.11.1
+    image: ghcr.io/goauthentik/server:2023.2.3
     command: server
     secrets:
       - db_password
@@ -67,10 +71,10 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=1.1.1+2022.11.1"
+        - "coop-cloud.${STACK_NAME}.version=2.0.0+2023.2.3"
 
   worker:
-    image: ghcr.io/goauthentik/server:2022.11.1
+    image: ghcr.io/goauthentik/server:2023.2.3
     command: worker
     secrets:
       - db_password
@@ -88,13 +92,14 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock
       - custom-templates:/templates
       - /dev/null:/blueprints/default/10-flow-default-authentication-flow.yaml
+      - /dev/null:/blueprints/default/10-flow-default-invalidation-flow.yaml
     configs:
       - source: custom_flows
         target: /blueprints/custom_flows.yaml
     environment: *env
 
   db:
-    image: postgres:12.13-alpine
+    image: postgres:12.14-alpine
     secrets:
       - db_password
     volumes:
@@ -114,12 +119,12 @@ services:
     deploy:
       labels:
           backupbot.backup: "true"
-          backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$(cat /run/secrets/db_password) pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > /tmp/backup/backup.sql"
+          backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$$(cat /run/secrets/db_password) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /tmp/backup/backup.sql"
           backupbot.backup.post-hook: "rm -rf /tmp/backup"
           backupbot.backup.path: "/tmp/backup/"
 
   redis:
-    image:  redis:7.0.5-alpine
+    image:  redis:7.0.9-alpine
     networks:
       - internal
     healthcheck:

custom_flows.yaml.tmpl

@@ -54,8 +54,8 @@ entries:
   model: authentik_stages_email.emailstage
   attrs:
     use_global_settings: true
-    token_expiry: 30
-    subject: authentik
+    token_expiry: {{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }}
+    subject: "{{ env "EMAIL_SUBJECT" }}"
     template: email/password_reset.html
     activate_user_on_success: true
 - identifiers:
@@ -334,6 +334,55 @@ entries:
     target: !KeyOf invitation-enrollment-flow
   model: authentik_flows.flowstagebinding
 
+######## Invalidation Flow ########
+- identifiers:
+    slug: logout-flow
+  id: logout-flow
+  model: authentik_flows.flow
+  attrs:
+    name: Logout
+    title: Logout Flow
+    designation: invalidation
+
+### STAGES
+
+- id: logout-stage
+  identifiers:
+    name: logout-stage
+  model: authentik_stages_user_logout.userlogoutstage
+
+### STAGE BINDINGS
+
+- identifiers:
+    order: 0
+    stage: !KeyOf logout-stage
+    target: !KeyOf logout-flow
+  model: authentik_flows.flowstagebinding
+  attrs:
+    re_evaluate_policies: true
+  id: logout-stage-binding
+
+### POLICIES
+- attrs:
+    execution_logging: true
+    expression: 'context[''flow_plan''].context[''redirect''] = ''{{ env "LOGOUT_REDIRECT" }}''
+
+    return True'
+  identifiers:
+    name: redirect-policy
+  id: redirect-policy
+  model: authentik_policies_expression.expressionpolicy
+
+### POLICY BINDINGS
+- identifiers:
+    policy: !KeyOf redirect-policy
+    target: !KeyOf logout-stage-binding
+    order: 0
+  model: authentik_policies.policybinding
+  attrs:
+    enabled: {{ if eq (env "LOGOUT_REDIRECT") "" }} false {{ else }} true {{ end }}
+    timeout: 30
+
 ######## System Tenant ##########
 - attrs:
     attributes:
@@ -347,7 +396,7 @@ entries:
     # event_retention: days=365
     flow_authentication: !KeyOf authentication_flow
     flow_recovery: !KeyOf recovery_flow
-    flow_invalidation: !Find [authentik_flows.flow, [slug, default-invalidation-flow]]
+    flow_invalidation: !KeyOf logout-flow
     flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
   identifiers:
     pk: 047cce25-aae2-4b02-9f96-078e155f803d

password_reset_de.html

@@ -1,53 +0,0 @@
-{% extends "email/base.html" %}
-
-{% load i18n %}
-{% load humanize %}
-
-{% block content %}
-<tr>
-    <td class="alert alert-success">
-        {% blocktrans with username=user.username %}
-        Herzlich Willkommen {{ username }},
-        {% endblocktrans %}
-    </td>
-</tr>
-<tr>
-    <td class="content-wrap">
-        <table width="100%" cellpadding="0" cellspacing="0">
-            <tr>
-                <td class="content-block">
-                    {% blocktrans %}
-                    Klicke auf folgenden Link um ein Passwort für deinen Account zu erstellen:
-                    {% endblocktrans %}
-                </td>
-            </tr>
-            <tr>
-                <td class="content-block">
-                    <table role="presentation" border="0" cellpadding="0" cellspacing="0" class="btn btn-primary">
-                        <tbody>
-                        <tr>
-                            <td align="center">
-                            <table role="presentation" border="0" cellpadding="0" cellspacing="0">
-                                <tbody>
-                                <tr>
-                                    <td> <a id="confirm" href="{{ url }}" rel="noopener noreferrer" target="_blank">Passwort Erstellen</a> </td>
-                                </tr>
-                                </tbody>
-                            </table>
-                            </td>
-                        </tr>
-                        </tbody>
-                    </table>
-                </td>
-            </tr>
-            <tr>
-                <td class="content-block">
-                    {% blocktrans with expires=expires|naturaltime %}
-                    Falls du diese E-Mail fälschlicherweise erhalten hast, ignoriere sie bitte. Der obige Link ist gültig für: {{ expires }}.
-                    {% endblocktrans %}
-                </td>
-            </tr>
-        </table>
-    </td>
-</tr>
-{% endblock %}

releases/2.0.0+2023.2.3

@@ -0,0 +1,2 @@
+Logout URL changes from `https://login.example.org/if/flow/default-invalidation-flow/` to `https://login.example.org/if/flow/logout-flow/`
+Replace it in any app that uses this logout url.