general way to copy assets using env variables

.drone.yml

@@ -1,51 +0,0 @@
----
-kind: pipeline
-name: deploy to swarm-test.autonomic.zone
-steps:
-  - name: deployment
-    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
-    settings:
-      host: swarm-test.autonomic.zone
-      stack: authentik
-      generate_secrets: true
-      purge: true
-      deploy_key:
-        from_secret: drone_ssh_swarm_test
-      networks:
-        - proxy
-    environment:
-      DOMAIN: authentik.swarm-test.autonomic.zone
-      STACK_NAME: authentik
-      LETS_ENCRYPT_ENV: production
-      CUSTOM_CSS_VERSION: v1
-      FLOW_AUTHENTICATION_VERSION: v1
-      FLOW_INVITATION_VERSION: v1
-      FLOW_INVALIDATION_VERSION: v1
-      FLOW_RECOVERY_VERSION: v1
-      FLOW_TRANSLATION_VERSION: v1
-      SYSTEM_TENANT_VERSION: v1
-      NEXTCLOUD_CONFIG_VERSION: v1
-      SECRET_SECRET_KEY_VERSION: v1
-      SECRET_DB_PASSWORD_VERSION: v1
-      SECRET_ADMIN_TOKEN_VERSION: v1
-      SECRET_ADMIN_PASS_VERSION: v1
-      SECRET_EMAIL_PASS_VERSION: v1
-trigger:
-  branch:
-    - main
----
-kind: pipeline
-name: generate recipe catalogue
-steps:
-  - name: release a new version
-    image: plugins/downstream
-    settings:
-      server: https://build.coopcloud.tech
-      token:
-        from_secret: drone_abra-bot_token
-      fork: true
-      repositories:
-        - coop-cloud/auto-recipes-catalogue-json
-
-trigger:
-  event: tag

.env.sample

@@ -1,53 +1,42 @@
 TYPE=authentik
 LETS_ENCRYPT_ENV=production
 
-DOMAIN=authentik.example.com
-COMPOSE_FILE="compose.yml"
-AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME=false
-AUTHENTIK_LOG_LEVEL=info
-# AUTHENTIK_IMPERSONATION=true
-# AUTHENTIK_FOOTER_LINKS='[{"name": "My Organization","href":"https://example.com"}]'
+DOMAIN={{ .Domain }}
+POSTGRES_PASSWORD=secret
+AUTHENTIK_POSTGRESQL__PASSWORD=secret
+POSTGRES_USER=authentik
+AUTHENTIK_POSTGRESQL__USER=authentik
+POSTGRES_DB=authentik
+AUTHENTIK_POSTGRESQL__NAME=authentik
+AUTHENTIK_POSTGRESQL__HOST=db
+AUTHENTIK_REDIS__HOST=redis
+AUTHENTIK_ERROR_REPORTING__ENABLED=true
 # WORKERS=1
+AUTHENTIK_SECRET_KEY=secret
+AK_ADMIN_TOKEN=secret
+AK_ADMIN_PASS=secret
 
-## EMAIL
+# EMAIL
 AUTHENTIK_EMAIL__HOST=smtp
-AUTHENTIK_EMAIL__PORT=587
-AUTHENTIK_EMAIL__USERNAME="noreply@example.com"
-AUTHENTIK_EMAIL__USE_TLS=true
+AUTHENTIK_EMAIL__PORT=25
+# AUTHENTIK_EMAIL__USERNAME=""
+# AUTHENTIK_EMAIL__PASSWORD=""
+AUTHENTIK_EMAIL__USE_TLS=false
 AUTHENTIK_EMAIL__USE_SSL=false
 AUTHENTIK_EMAIL__TIMEOUT=10
 AUTHENTIK_EMAIL__FROM=noreply@example.com
+AUTHENTIK_LOG_LEVEL=info
 
-## Secret Versions
-SECRET_SECRET_KEY_VERSION=v1
-SECRET_DB_PASSWORD_VERSION=v1
-SECRET_ADMIN_TOKEN_VERSION=v1
-SECRET_ADMIN_PASS_VERSION=v1
-SECRET_EMAIL_PASS_VERSION=v1
+# Secret Versions
+# SECRET_SECRET_KEY_VERSION=v1
+# SECRET_ADMIN_TOKEN_VERSION=v1
+# SECRET_ADMIN_PASS_VERSION=v1
 
 # X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
 AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
 
 ## FLOW OPTIONS
-# WELCOME_MESSAGE="Welcome to Authentik"
-# DEFAULT_LANGUAGE=en
-# LOGOUT_REDIRECT="https://$DOMAIN"
-# EMAIL_SUBJECT="Account Recovery"
-# EMAIL_TOKEN_EXPIRY_MINUTES=30
-
-COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
-COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/"
-COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
-
-# COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
-# NEXTCLOUD_DOMAIN=nextcloud.example.com
-# SECRET_NEXTCLOUD_ID_VERSION=v1
-# SECRET_NEXTCLOUD_SECRET_VERSION=v1
-# APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"
-
-
-# COMPOSE_FILE="$COMPOSE_FILE:compose.wordpress.yml"
-# WORDPRESS_DOMAIN=wordpress.example.com
-# SECRET_WORDPRESS_ID_VERSION=v1
-# SECRET_WORDPRESS_SECRET_VERSION=v1
-# APP_ICONS="$APP_ICONS wordpress:~/.abra/recipes/authentik/icons/wordpress.png"
+WELCOME_MESSAGE="Welcome to Authentik"
+DEFAULT_LANGUAGE=en
+AUTHENTIK_FOOTER_LINKS='[{"name": "My Organization","href":"https://example.com"}]'
+COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/ icon_left_brand.svg|app:/web/dist/assets/icons/ icon.png|app:/web/dist/assets/icons/"

README.md

@@ -9,7 +9,7 @@
 
 * **Category**: Apps
 * **Status**: 0, work-in-progress
-* **Image**: [ghcr/goauthentik/server](https://ghcr.io/goauthentik/server), 4, upstream
+* **Image**: [ghcr/goauthentik/server](https://ghcr.io/goauthentik/server)
 * **Healthcheck**: Yes
 * **Backups**: Yes
 * **Email**: Yes
@@ -20,103 +20,20 @@
 
 ## Quick start
 
-* `abra app new authentik`
+* `abra app new authentik --secrets`
 * `abra app config <app-name>`
-* `abra app secret insert <app_name> email_pass v1 <password>`
-* `abra app secret generate -a <app_name>`
 * `abra app deploy <app-name>`
-* `abra app cmd <app_name> app set_admin_pass`
-* `abra app cmd <app_name> worker apply_blueprints`
-
-## Rotate Secrets
-
-Increment the secret versions using `abra app config <app_name>`
-
-```
-abra app secret generate -a <app_name>
-abra app undeploy <app_name>
-abra app deploy <app_name>
-abra app cmd <app_name> db rotate_db_pass
-abra app cmd <app_name> app set_admin_pass
-```
-
-## Add SSO for Nextcloud
-
-Uncomment Nextcloud configuration and set `NEXTCLOUD_DOMAIN` the using `abra app config <app_name>`:
-
-```
-COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
-NEXTCLOUD_DOMAIN=nextcloud.example.com
-SECRET_NEXTCLOUD_ID_VERSION=v1
-SECRET_NEXTCLOUD_SECRET_VERSION=v1
-APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"
-```
-
-Set the nextcloud Icon using `abra app cmd -l -d <app_name> set_icons`
-
-The configuration inside Nextcloud can be found in the [nextcloud recipe](https://git.coopcloud.tech/coop-cloud/nextcloud#authentik-integration)
 
 ## Customization
 
-Place the files you want to overwrite in a directory `<assets_path>`.
-Run `abra app config <app_name>` and define the env variable `COPY_ASSETS` in the following format:
-
-```
-"<source_file1>|<service>:<target_directory1> <source_file2>|<service>:<target_directory2> ...
-```
-
-For example:
-
-```
-COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
-COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/
-COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
-```
-
 Run this command after every deploy/upgrade:
 
 `abra app command --local <app-name> customize <assets_path>`
 
-## Blueprints
-
-Blueprint Dependency Requirements:
-
-- Recovery with email verification
-    - Default - Password change flow
-    - Default - Authentication flow
-- Custom Authentication Flow
-    - Default - Authentication flow
-    - Recovery with email verification
-- Invitation Enrollment Flow
-    - Default - User settings flow
-    - Default - Authentication flow
-    - Default - Source enrollment flow
-- Custom Invalidation Flow
-    - Default - Invalidation flow
-- Flow Translations
-    - Recovery with email verification
-    - Default - Password change flow
-    - Default - User settings flow
-    - Default - Source enrollment flow
-- Custom System Tenant
-    - Default - Tenant
-    - Recovery with email verification
-
-
-Blueprint Dependency Graph:
-
-5. Custom System Tenant
-    - Default - Tenant
-    4. Invitation Enrollment Flow
-        3. Flow Translations
-            - Default - User settings flow
-            - Default - Source enrollment flow
-            2. Custom Authentication Flow
-                1. Recovery with email verification
-                    - Default - Authentication flow
-                        - Default - Password change flow
-6. Custom Invalidation Flow
-    - Default - Invalidation flow
+This command replaces the background image, the logo and the favicon with the following files placed in the `<assets_path>` directory:
+* `flow_background.jpg`
+* `icon_left_brand.svg`
+* `icon.png`
 
 
 For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).

abra.sh

@@ -1,12 +1,6 @@
 export CUSTOM_CSS_VERSION=v2
-export FLOW_AUTHENTICATION_VERSION=v1
-export FLOW_INVITATION_VERSION=v1
-export FLOW_INVALIDATION_VERSION=v1
-export FLOW_RECOVERY_VERSION=v1
-export FLOW_TRANSLATION_VERSION=v1
-export SYSTEM_TENANT_VERSION=v1
-export NEXTCLOUD_CONFIG_VERSION=v1
-export WORDPRESS_CONFIG_VERSION=v1
+export CUSTOM_FLOWS_VERSION=v2
+export RECOVERY_TEMPLATE_DE_VERSION=v1
 
 customize() {
     if [ -z "$1" ]
@@ -22,120 +16,3 @@ customize() {
         abra app cp $APP_NAME $asset_dir/$source $target
     done
 }
-
-set_admin_pass() {
-password=$(cat /run/secrets/admin_pass)
-token=$(cat /run/secrets/admin_token)
-/manage.py shell -c """
-akadmin = User.objects.get(username='akadmin')
-akadmin.set_password('$password')
-akadmin.save()
-print('Changed akadmin password')
-
-from authentik.core.models import TokenIntents
-key='$token'
-if (token:= Token.objects.filter(identifier='authentik-bootstrap-token').first()):
-    token.key=key
-    token.save()
-    print('Changed authentik-bootstrap-token')
-else:
-    Token.objects.create(
-        identifier='authentik-bootstrap-token',
-        user=akadmin,
-        intent=TokenIntents.INTENT_API,
-        expiring=False,
-        key=key,
-    )
-    print('Created authentik-bootstrap-token')
-"""
-}
-
-rotate_db_pass() {
-    db_password=$(cat /run/secrets/db_password)
-    psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
-}
-
-apply_blueprints() {
-    enable_blueprint default/flow-default-authentication-flow.yaml
-    enable_blueprint default/flow-default-user-settings-flow.yaml
-    enable_blueprint default/flow-password-change.yaml
-    ak apply_blueprint 6_flow_invalidation.yaml 
-    ak apply_blueprint 5_system_tenant.yaml
-    disable_blueprint default/flow-default-authentication-flow.yaml
-    disable_blueprint default/flow-default-user-settings-flow.yaml
-    disable_blueprint default/flow-password-change.yaml
-}
-
-disable_blueprint() {
-    blueprint_state False $@
-}
-
-enable_blueprint() {
-    blueprint_state True $@
-}
-
-blueprint_state() {
-TOKEN=$(cat /run/secrets/admin_token)
-python -c """
-import requests
-session = requests.Session()
-my_token='$TOKEN'
-blueprint_state=$1
-blueprint_path='$2'
-resp = session.get(f'https://$DOMAIN/api/v3/managed/blueprints/?path={blueprint_path}', headers={'Authorization':f'Bearer {my_token}'})
-if not resp.ok:
-    print(f'Error fetching blueprint: {resp.content}')
-    exit()
-auth_flow_uuid = resp.json()['results'][0]['pk']
-blueprint_name = resp.json()['results'][0]['name']
-params = {'name': blueprint_name,'path': blueprint_path,'context':{},'enabled': blueprint_state}
-resp = session.put(f'https://$DOMAIN/api/v3/managed/blueprints/{auth_flow_uuid}/', json=params, headers={'Authorization':f'Bearer {my_token}'})
-if resp.ok:
-    print(f'{blueprint_name} enabled: {blueprint_state}')
-else:
-    print(f'Error changing blueprint state: {resp.content}')
-"""
-
-}
-
-set_icons(){
-for icon in $APP_ICONS; do
-    app=$(echo $icon | cut -d ":" -f1)
-    file_path=$(eval echo $(echo $icon | cut -d ":" -f2))
-    file=$(basename $file_path)
-    echo copy icon $file_path for $app
-    abra app cp $APP_NAME $file_path app:/media/
-    abra app cmd -T $APP_NAME app set_app_icon $app /media/$file
-done
-}
-
-set_app_icon() {
-TOKEN=$(cat /run/secrets/admin_token)
-python -c """
-import requests
-import os
-my_token = '$TOKEN'
-application = '$1'
-icon_path = '$2'
-url = f'https://$DOMAIN/api/v3/core/applications/{application}/set_icon/'
-headers = {'Authorization':f'Bearer {my_token}'}
-with open(icon_path, 'rb') as img:
-  name_img = os.path.basename(icon_path)
-  files= {'file': (name_img,img,'image/png') }
-  with requests.Session() as s:
-    r = s.post(url,files=files,headers=headers)
-    print(r.status_code)
-"""
-
-}
-
-blueprint_cleanup() {
-/manage.py shell -c """
-delete_flows = ['default-recovery-flow' , 'custom-authentication-flow' , 'invitation-enrollment-flow' , 'initial-setup']
-Flow.objects.filter(slug__in=delete_flows).delete()
-Stage.objects.filter(flow=None).delete()
-Prompt.objects.filter(promptstage=None).delete()
-Tenant.objects.filter(default=True).delete()
-"""
-apply_blueprints
-}

compose.nextcloud.yml

@@ -1,26 +0,0 @@
-version: "3.8"
-services:
-  worker:
-    secrets:
-      - nextcloud_id
-      - nextcloud_secret
-    environment:
-      - NEXTCLOUD_DOMAIN
-    configs:
-      - source: nextcloud
-        target: /blueprints/nextcloud.yaml
-
-secrets:
-  nextcloud_id:
-    external: true
-    name: ${STACK_NAME}_nextcloud_id_${SECRET_NEXTCLOUD_ID_VERSION}
-  nextcloud_secret:
-    external: true
-    name: ${STACK_NAME}_nextcloud_secret_${SECRET_NEXTCLOUD_SECRET_VERSION}
-
-
-configs:
-  nextcloud:
-    name: ${STACK_NAME}_nextcloud_${NEXTCLOUD_CONFIG_VERSION}
-    file: nextcloud.yaml.tmpl
-    template_driver: golang

compose.wordpress.yml

@@ -1,26 +0,0 @@
-version: "3.8"
-services:
-  worker:
-    secrets:
-      - wordpress_id
-      - wordpress_secret
-    environment:
-      - WORDPRESS_DOMAIN
-    configs:
-      - source: wordpress
-        target: /blueprints/wordpress.yaml
-
-secrets:
-  wordpress_id:
-    external: true
-    name: ${STACK_NAME}_wordpress_id_${SECRET_WORDPRESS_ID_VERSION}
-  wordpress_secret:
-    external: true
-    name: ${STACK_NAME}_wordpress_secret_${SECRET_WORDPRESS_SECRET_VERSION}
-
-
-configs:
-  wordpress:
-    name: ${STACK_NAME}_wordpress_${WORDPRESS_CONFIG_VERSION}
-    file: wordpress.yaml.tmpl
-    template_driver: golang

compose.yml

@@ -1,17 +1,19 @@
 ---
 
 x-env: &env
-    - AUTHENTIK_POSTGRESQL__PASSWORD=file:///run/secrets/db_password
-    - AUTHENTIK_POSTGRESQL__USER=authentik
-    - AUTHENTIK_POSTGRESQL__NAME=authentik
-    - AUTHENTIK_POSTGRESQL__HOST=db
-    - AUTHENTIK_REDIS__HOST=redis
+    - AUTHENTIK_POSTGRESQL__PASSWORD
+    - AUTHENTIK_POSTGRESQL__USER
+    - AUTHENTIK_POSTGRESQL__NAME
+    - AUTHENTIK_POSTGRESQL__HOST
+    - AUTHENTIK_REDIS__HOST
     - AUTHENTIK_ERROR_REPORTING__ENABLED
-    - AUTHENTIK_SECRET_KEY=file:///run/secrets/secret_key
+    - AUTHENTIK_SECRET_KEY= #file:///run/secrets/secret_key
+    - AK_ADMIN_TOKEN= #file:///run/secrets/admin_token
+    - AK_ADMIN_PASS= #file:///run/secrets/admin_pass
     - AUTHENTIK_EMAIL__HOST
     - AUTHENTIK_EMAIL__PORT
     - AUTHENTIK_EMAIL__USERNAME
-    - AUTHENTIK_EMAIL__PASSWORD=file:///run/secrets/email_pass
+    - AUTHENTIK_EMAIL__PASSWORD
     - AUTHENTIK_EMAIL__USE_TLS
     - AUTHENTIK_EMAIL__USE_SSL
     - AUTHENTIK_EMAIL__TIMEOUT
@@ -20,31 +22,28 @@ x-env: &env
     - AUTHENTIK_SETTINGS__THEME__BACKGROUND
     - AUTHENTIK_COLOR_BACKGROUND_LIGHT
     - AUTHENTIK_FOOTER_LINKS
-    - AUTHENTIK_IMPERSONATION
     - WELCOME_MESSAGE
     - DEFAULT_LANGUAGE
-    - EMAIL_SUBJECT
-    - EMAIL_TOKEN_EXPIRY_MINUTES
     - DOMAIN
-    - LOGOUT_REDIRECT
 
 version: '3.8'
 services:
   app:
-    image: ghcr.io/goauthentik/server:2023.3.1
+    image: ghcr.io/goauthentik/server:2022.10.1
     command: server
-    secrets:
-      - db_password
-      - admin_pass
-      - admin_token
-      - secret_key
-      - email_pass
+    # secrets:
+    #   - db_password
+    #   - admin_pass
+    #   - admin_token
+    #   - secret_key
     volumes:
       - media:/media
-      - assets:/web/dist/assets
+      - custom-templates:/templates
     configs:
       - source: custom_css
         target: /web/dist/custom.css
+      - source: recovery_template_de
+        target: /templates/password_reset_de.html
     networks:
       - internal
       - proxy
@@ -71,17 +70,16 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=3.1.0+2023.3.1"
+        - "coop-cloud.${STACK_NAME}.version=0.6.0+2022.10.1"
 
   worker:
-    image: ghcr.io/goauthentik/server:2023.3.1
+    image: ghcr.io/goauthentik/server:2022.10.1
     command: worker
-    secrets:
-      - db_password
-      - admin_pass
-      - admin_token
-      - secret_key
-      - email_pass
+    # secrets:
+      # - db_password
+      # - admin_pass
+      # - admin_token
+      # - secret_key
     networks:
       - internal
       - proxy
@@ -90,26 +88,17 @@ services:
       - backups:/backups
       - media:/media
       - /var/run/docker.sock:/var/run/docker.sock
-      - /dev/null:/blueprints/default/flow-oobe.yaml
+      - custom-templates:/templates
+      - /dev/null:/blueprints/default/10-flow-default-authentication-flow.yaml
     configs:
-      - source: flow_recovery
-        target: /blueprints/1_flow_recovery.yaml
-      - source: flow_authentication
-        target: /blueprints/2_flow_authentication.yaml
-      - source: flow_translation
-        target: /blueprints/3_flow_translation.yaml
-      - source: flow_invitation
-        target: /blueprints/4_flow_invitation.yaml
-      - source: system_tenant
-        target: /blueprints/5_system_tenant.yaml
-      - source: flow_invalidation
-        target: /blueprints/6_flow_invalidation.yaml
+      - source: custom_flows
+        target: /blueprints/custom_flows.yaml
     environment: *env
 
   db:
-    image: postgres:12.14-alpine
-    secrets:
-      - db_password
+    image: postgres:12.12-alpine
+    # secrets:
+      # - db_password
     volumes:
       - database:/var/lib/postgresql/data
     networks:
@@ -121,18 +110,18 @@ services:
       retries: 10
       start_period: 1m
     environment:
-      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
-      - POSTGRES_USER=authentik
-      - POSTGRES_DB=authentik
+      - POSTGRES_PASSWORD
+      - POSTGRES_USER
+      - POSTGRES_DB
     deploy:
       labels:
           backupbot.backup: "true"
-          backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$$(cat /run/secrets/db_password) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /tmp/backup/backup.sql"
+          backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=${POSTGRES_PASSWORD} pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > /tmp/backup/backup.sql"
           backupbot.backup.post-hook: "rm -rf /tmp/backup"
           backupbot.backup.path: "/tmp/backup/"
 
   redis:
-    image:  redis:7.0.10-alpine
+    image:  redis:7.0.5-alpine
     networks:
       - internal
     healthcheck:
@@ -142,22 +131,19 @@ services:
       retries: 10
       start_period: 1m
 
-secrets:
-  db_password:
-    external: true
-    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
-  secret_key:
-    external: true
-    name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
-  admin_token:
-    external: true
-    name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
-  admin_pass:
-    external: true
-    name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION}
-  email_pass:
-    external: true
-    name: ${STACK_NAME}_email_pass_${SECRET_EMAIL_PASS_VERSION}
+# secrets:
+  # db_password:
+  #   external: true
+  #   name: ${STACK_NAME}_db_password
+  # secret_key:
+  #   external: true
+  #   name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
+  # admin_token:
+  #   external: true
+  #   name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
+  # admin_pass:
+  #   external: true
+  #   name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION}
 
 networks:
   proxy:
@@ -167,7 +153,7 @@ networks:
 volumes:
   backups:
   media:
-  assets:
+  custom-templates:
   database:
 
 configs:
@@ -175,27 +161,10 @@ configs:
     name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
     file: custom.css.tmpl
     template_driver: golang
-  flow_authentication:
-    name: ${STACK_NAME}_flow_authentication_${FLOW_AUTHENTICATION_VERSION}
-    file: flow_authentication.yaml.tmpl
-    template_driver: golang
-  flow_invitation:
-    name: ${STACK_NAME}_flow_invitation_${FLOW_INVITATION_VERSION}
-    file: flow_invitation.yaml.tmpl
-    template_driver: golang
-  flow_invalidation:
-    name: ${STACK_NAME}_flow_invalidation_${FLOW_INVALIDATION_VERSION}
-    file: flow_invalidation.yaml.tmpl
-    template_driver: golang
-  flow_recovery:
-    name: ${STACK_NAME}_flow_recovery_${FLOW_RECOVERY_VERSION}
-    file: flow_recovery.yaml.tmpl
-    template_driver: golang
-  flow_translation:
-    name: ${STACK_NAME}_flow_translation_${FLOW_TRANSLATION_VERSION}
-    file: flow_translation.yaml.tmpl
-    template_driver: golang
-  system_tenant:
-    name: ${STACK_NAME}_system_tenant_${SYSTEM_TENANT_VERSION}
-    file: system_tenant.yaml.tmpl
+  recovery_template_de:
+    name: ${STACK_NAME}_recovery_template_de_${RECOVERY_TEMPLATE_DE_VERSION}
+    file: password_reset_de.html
+  custom_flows:
+    name: ${STACK_NAME}_custom_flows_${CUSTOM_FLOWS_VERSION}
+    file: custom_flows.yaml.tmpl
     template_driver: golang

custom_flows.yaml.tmpl

@@ -4,16 +4,16 @@ metadata:
     blueprints.goauthentik.io/instantiate: "true"
   name: Custom - Flows
 context:
-  welcome_message: {{ if eq (env "WELCOME_MESSAGE") "" }} "Welcome to authentik!" {{ else }} {{ env "WELCOME_MESSAGE" }} {{ end }}
 ####### Translations ########
-  transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort Zurücksetzen" {{ else }} "Reset your password" {{ end }}
-  transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort" {{ else }} "Password" {{ end }}
-  transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort (wiederholen)" {{ else }} "Password (repeat)" {{ end }}
-  transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Benutzername" {{ else }} "Username" {{ end }}
-  transl_name: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Vor- und Nachname" {{ else }} "Full name" {{ end }}
+  transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Passwort Zurücksetzen {{ else }} Reset your password {{ end }}
+  transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Passwort {{ else }} Password {{ end }}
+  transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Passwort (wiederholen) {{ else }} Password (repeat) {{ end }}
+  transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Benutzername {{ else }} Username {{ end }}
+  transl_name: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Vor- und Nachname {{ else }} Full name {{ end }}
+  transl_template_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} password_reset_de.html {{ else }} email/password_reset.html {{ end }}
 
 entries:
-######## Email Recovery Flow ########
+######## Email Recovery Flow ######## 
 - identifiers:
     slug: default-recovery-flow
   id: recovery_flow
@@ -26,10 +26,10 @@ entries:
 ### PROMPTS
 - identifiers:
     field_key: password
+    label: !Context transl_password
   id: prompt-field-password
   model: authentik_stages_prompt.prompt
   attrs:
-    label: !Context transl_password
     type: password
     required: true
     placeholder: !Context transl_password
@@ -37,10 +37,10 @@ entries:
     placeholder_expression: false
 - identifiers:
     field_key: password_repeat
+    label: !Context transl_password_repeat
   id: prompt-field-password-repeat
   model: authentik_stages_prompt.prompt
   attrs:
-    label: !Context transl_password_repeat
     type: password
     required: true
     placeholder: !Context transl_password_repeat
@@ -55,9 +55,9 @@ entries:
   model: authentik_stages_email.emailstage
   attrs:
     use_global_settings: true
-    token_expiry: {{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }} 30 {{ else }} {{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }} {{ end }}
-    subject: {{ if eq (env "EMAIL_SUBJECT") "" }} "Account Recovery" {{ else }} "{{ env "EMAIL_SUBJECT" }}" {{ end }} 
-    template: email/password_reset.html
+    token_expiry: 30
+    subject: authentik
+    template: !Context transl_template_recovery
     activate_user_on_success: true
 - identifiers:
     name: default-recovery-user-write
@@ -175,11 +175,11 @@ entries:
 
 
 
-######## Authentication Flow ########
+######## Authentication Flow ######## 
 - attrs:
     designation: authentication
     name: custom-authentication-flow
-    title: !Context welcome_message
+    title: {{ env "WELCOME_MESSAGE" }}
   identifiers:
     slug: custom-authentication-flow
   id: authentication_flow
@@ -237,11 +237,11 @@ entries:
     target: !KeyOf authentication_flow
   model: authentik_flows.flowstagebinding
 
-######## Invitation Enrollment Flow ########
+######## Invitation Enrollment Flow ######## 
 - attrs:
     designation: enrollment
     name: invitation-enrollment-flow
-    title: !Context welcome_message
+    title: {{ env "WELCOME_MESSAGE" }}
   identifiers:
     slug: invitation-enrollment-flow
   id: invitation-enrollment-flow
@@ -250,10 +250,10 @@ entries:
 ### PROMPTS
 - identifiers:
     field_key: username
+    label: !Context transl_username
   id: prompt-field-username
   model: authentik_stages_prompt.prompt
   attrs:
-    label: !Context transl_username
     type: username
     required: true
     placeholder: !Context transl_username
@@ -261,10 +261,10 @@ entries:
     placeholder_expression: false
 - identifiers:
     field_key: name
+    label: !Context transl_name
   id: prompt-field-name
   model: authentik_stages_prompt.prompt
   attrs:
-    label: !Context transl_name
     type: text
     required: true
     placeholder: !Context transl_name
@@ -335,60 +335,11 @@ entries:
     target: !KeyOf invitation-enrollment-flow
   model: authentik_flows.flowstagebinding
 
-######## Invalidation Flow ########
-- identifiers:
-    slug: logout-flow
-  id: logout-flow
-  model: authentik_flows.flow
-  attrs:
-    name: Logout
-    title: Logout Flow
-    designation: invalidation
-
-### STAGES
-
-- id: logout-stage
-  identifiers:
-    name: logout-stage
-  model: authentik_stages_user_logout.userlogoutstage
-
-### STAGE BINDINGS
-
-- identifiers:
-    order: 0
-    stage: !KeyOf logout-stage
-    target: !KeyOf logout-flow
-  model: authentik_flows.flowstagebinding
-  attrs:
-    re_evaluate_policies: true
-  id: logout-stage-binding
-
-### POLICIES
-- attrs:
-    execution_logging: true
-    expression: 'context[''flow_plan''].context[''redirect''] = ''{{ env "LOGOUT_REDIRECT" }}''
-
-    return True'
-  identifiers:
-    name: redirect-policy
-  id: redirect-policy
-  model: authentik_policies_expression.expressionpolicy
-
-### POLICY BINDINGS
-- identifiers:
-    policy: !KeyOf redirect-policy
-    target: !KeyOf logout-stage-binding
-    order: 0
-  model: authentik_policies.policybinding
-  attrs:
-    enabled: {{ if eq (env "LOGOUT_REDIRECT") "" }} false {{ else }} true {{ end }}
-    timeout: 30
-
 ######## System Tenant ##########
 - attrs:
-    attributes:
+    attributes: 
       settings:
-        locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }}
+        locale: {{ env "DEFAULT_LANGUAGE" }}
     # branding_favicon: /static/dist/assets/icons/icon.png
     # branding_logo: /static/dist/assets/icons/icon_left_brand.svg
     # branding_title: Authentik
@@ -397,7 +348,7 @@ entries:
     # event_retention: days=365
     flow_authentication: !KeyOf authentication_flow
     flow_recovery: !KeyOf recovery_flow
-    flow_invalidation: !KeyOf logout-flow
+    flow_invalidation: !Find [authentik_flows.flow, [slug, default-invalidation-flow]]
     flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
   identifiers:
     pk: 047cce25-aae2-4b02-9f96-078e155f803d

flow_authentication.yaml.tmpl

@@ -1,45 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: Custom Authentication Flow
-context:
-  welcome_message: {{ if eq (env "WELCOME_MESSAGE") "" }} "Welcome to authentik!" {{ else }} {{ env "WELCOME_MESSAGE" }} {{ end }}
-
-entries:
-### DEPENDENCIES
-- model: authentik_blueprints.metaapplyblueprint
-  attrs:
-    identifiers:
-      name: Recovery with email verification
-    required: true
-
-### FLOW
-- model: authentik_flows.flow
-  identifiers:
-    slug: default-authentication-flow
-  id: flow
-  attrs:
-    name: !Context welcome_message
-    title: !Context welcome_message
-
-### STAGES
-- identifiers:
-    name: default-authentication-identification
-  model: authentik_stages_identification.identificationstage
-  attrs:
-    password_stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]]
-    recovery_flow: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
-
-- identifiers:
-    name: default-authentication-login
-  model: authentik_stages_user_login.userloginstage
-  attrs:
-    session_duration: seconds=0
-
-- identifiers:
-    order: 20
-    stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]]
-    target: !KeyOf flow
-  model: authentik_flows.flowstagebinding
-  state: absent

flow_invalidation.yaml.tmpl

@@ -1,44 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: Custom Invalidation Flow
-entries:
-### DEPENDENCIES
-- model: authentik_blueprints.metaapplyblueprint
-  attrs:
-    identifiers:
-      name: Default - Invalidation flow
-    required: true
-
-### STAGE BINDINGS
-
-- identifiers:
-    order: 0
-    stage: !Find [authentik_stages_user_logout.userlogoutstage, [name, default-invalidation-logout]]
-    target: !Find [authentik_flows.flow, [slug, default-invalidation-flow]]
-  model: authentik_flows.flowstagebinding
-  attrs:
-    re_evaluate_policies: true
-  id: logout-stage-binding
-
-### POLICIES
-- attrs:
-    execution_logging: true
-    expression: 'context[''flow_plan''].context[''redirect''] = ''{{ env "LOGOUT_REDIRECT" }}''
-
-    return True'
-  identifiers:
-    name: redirect-policy
-  id: redirect-policy
-  model: authentik_policies_expression.expressionpolicy
-
-### POLICY BINDINGS
-- identifiers:
-    policy: !KeyOf redirect-policy
-    target: !KeyOf logout-stage-binding
-    order: 0
-  model: authentik_policies.policybinding
-  attrs:
-    enabled: {{ if eq (env "LOGOUT_REDIRECT") "" }} false {{ else }} true {{ end }}
-    timeout: 30

flow_invitation.yaml.tmpl

@@ -1,65 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: Invitation Enrollment Flow
-context:
-  welcome_message: {{ if eq (env "WELCOME_MESSAGE") "" }} "Welcome to authentik!" {{ else }} {{ env "WELCOME_MESSAGE" }} {{ end }}
-
-entries:
-### DEPENDENCIES
-- model: authentik_blueprints.metaapplyblueprint
-  attrs:
-    identifiers:
-      name: Flow Translations
-    required: true
-
-### FLOW
-- attrs:
-    designation: enrollment
-    name: invitation-enrollment-flow
-    title: !Context welcome_message
-  identifiers:
-    slug: invitation-enrollment-flow
-  id: invitation-enrollment-flow
-  model: authentik_flows.flow
-
-### STAGES
-- identifiers:
-    name: invitation-stage
-  id: invitation-stage
-  model: authentik_stages_invitation.invitationstage
-
-- identifiers:
-    name: enrollment-prompt-userdata
-  id: enrollment-prompt-userdata
-  model: authentik_stages_prompt.promptstage
-  attrs:
-    fields:
-      - !Find [authentik_stages_prompt.prompt, [name, default-source-enrollment-field-username]]
-      - !Find [authentik_stages_prompt.prompt, [name, default-user-settings-field-name]]
-      - !Find [authentik_stages_prompt.prompt, [name, default-user-settings-field-email]]
-      - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password]]
-      - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password-repeat]]
-
-### STAGE BINDINGS
-- identifiers:
-    order: 1
-    stage: !KeyOf invitation-stage
-    target: !KeyOf invitation-enrollment-flow
-  model: authentik_flows.flowstagebinding
-- identifiers:
-    order: 10
-    stage: !KeyOf enrollment-prompt-userdata
-    target: !KeyOf invitation-enrollment-flow
-  model: authentik_flows.flowstagebinding
-- identifiers:
-    order: 20
-    stage: !Find [authentik_stages_user_write.userwritestage, [name,  default-source-enrollment-write]]
-    target: !KeyOf invitation-enrollment-flow
-  model: authentik_flows.flowstagebinding
-- identifiers:
-    order: 100
-    stage: !Find [authentik_stages_user_login.userloginstage, [name,  default-authentication-login]]
-    target: !KeyOf invitation-enrollment-flow
-  model: authentik_flows.flowstagebinding

flow_recovery.yaml.tmpl

@@ -1,128 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: Recovery with email verification
-context:
-  token_expiry: {{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }} 30 {{ else }} {{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }} {{ end }}
-  subject: {{ if eq (env "EMAIL_SUBJECT") "" }} Account Recovery {{ else }} {{ env "EMAIL_SUBJECT" }} {{ end }} 
-entries:
-### DEPENDENCIES
-- model: authentik_blueprints.metaapplyblueprint
-  attrs:
-    identifiers:
-      name: Default - Authentication flow
-    required: true
-
-### FLOW
-- identifiers:
-    slug: default-recovery-flow
-  model: authentik_flows.flow
-  state: created
-  attrs:
-    name: Default recovery flow
-    title: Reset your password
-    designation: recovery
-    authentication: require_unauthenticated
-
-### STAGES
-- identifiers:
-    name: default-recovery-email
-  id: default-recovery-email
-  model: authentik_stages_email.emailstage
-  attrs:
-    use_global_settings: true
-    token_expiry: !Context token_expiry
-    subject: !Context subject
-    template: email/password_reset.html
-    activate_user_on_success: true
-- identifiers:
-    name: default-recovery-identification
-  id: default-recovery-identification
-  model: authentik_stages_identification.identificationstage
-  attrs:
-    user_fields:
-      - email
-      - username
-
-### STAGE BINDINGS
-- identifiers:
-    target: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
-    stage: !KeyOf default-recovery-identification
-    order: 10
-  model: authentik_flows.flowstagebinding
-  id: flow-binding-identification
-  attrs:
-    evaluate_on_plan: true
-    re_evaluate_policies: true
-    policy_engine_mode: any
-    invalid_response_action: retry
-- identifiers:
-    target: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
-    stage: !KeyOf default-recovery-email
-    order: 20
-  model: authentik_flows.flowstagebinding
-  id: flow-binding-email
-  attrs:
-    evaluate_on_plan: true
-    re_evaluate_policies: true
-    policy_engine_mode: any
-    invalid_response_action: retry
-- identifiers:
-    target: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
-    stage: !Find [authentik_stages_prompt.promptstage, [name,  default-password-change-prompt]]
-    order: 30
-  model: authentik_flows.flowstagebinding
-  attrs:
-    evaluate_on_plan: true
-    re_evaluate_policies: false
-    policy_engine_mode: any
-    invalid_response_action: retry
-- identifiers:
-    target: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
-    stage: !Find [authentik_stages_user_write.userwritestage, [name,  default-password-change-write]]
-    order: 40
-  model: authentik_flows.flowstagebinding
-  attrs:
-    evaluate_on_plan: true
-    re_evaluate_policies: false
-    policy_engine_mode: any
-    invalid_response_action: retry
-- identifiers:
-    target: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
-    stage: !Find [authentik_stages_user_login.userloginstage, [name,  default-authentication-login]]
-    order: 100
-  model: authentik_flows.flowstagebinding
-  attrs:
-    evaluate_on_plan: true
-    re_evaluate_policies: false
-    policy_engine_mode: any
-    invalid_response_action: retry
-
-### POLICIES
-- identifiers:
-    name: default-recovery-skip-if-restored
-  id: default-recovery-skip-if-restored
-  model: authentik_policies_expression.expressionpolicy
-  attrs:
-    expression: |
-      return request.context.get('is_restored', False)
-- identifiers:
-    policy: !KeyOf default-recovery-skip-if-restored
-    target: !KeyOf flow-binding-identification
-    order: 0
-  model: authentik_policies.policybinding
-  attrs:
-    negate: false
-    enabled: false # TODO: why does this doesn't work?
-    timeout: 30
-- identifiers:
-    policy: !KeyOf default-recovery-skip-if-restored
-    target: !KeyOf flow-binding-email
-    order: 0
-  state: absent
-  model: authentik_policies.policybinding
-  attrs:
-    negate: false
-    enabled: true
-    timeout: 30

flow_translation.yaml.tmpl

@@ -1,71 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: Flow Translations
-context:
-  transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort Zurücksetzen" {{ else }} "Reset your password" {{ end }}
-  transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort" {{ else }} "Password" {{ end }}
-  transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort (wiederholen)" {{ else }} "Password (repeat)" {{ end }}
-  transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Benutzername" {{ else }} "Username" {{ end }}
-  transl_name: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Vor- und Nachname" {{ else }} "Full name" {{ end }}
-
-entries:
-### DEPENDENCIES
-- model: authentik_blueprints.metaapplyblueprint
-  attrs:
-    identifiers:
-      name: Custom Authentication Flow
-    required: true
-- model: authentik_blueprints.metaapplyblueprint
-  attrs:
-    identifiers:
-      name: Default - User settings flow
-    required: true
-- model: authentik_blueprints.metaapplyblueprint
-  attrs:
-    identifiers:
-      name: Default - Source enrollment flow
-    required: true
-
-### FLOWS
-- model: authentik_flows.flow 
-  identifiers:
-    slug: default-recovery-flow
-  id: recovery_flow
-  model: authentik_flows.flow
-  attrs:
-    name: Default recovery flow
-    title: !Context transl_recovery
-    designation: recovery
-
-
-### PROMPTS
-- model: authentik_stages_prompt.prompt
-  identifiers:
-    name: default-password-change-field-password
-  attrs:
-    label: !Context transl_password
-    placeholder: !Context transl_password
-- model: authentik_stages_prompt.prompt
-  identifiers:
-    name: default-password-change-field-password-repeat
-  attrs:
-    label: !Context transl_password_repeat
-    placeholder: !Context transl_password_repeat
-- model: authentik_stages_prompt.prompt
-  identifiers:
-    name: default-user-settings-field-username
-  attrs:
-    label: !Context transl_username
-- model: authentik_stages_prompt.prompt
-  identifiers:
-    name: default-user-settings-field-name
-  attrs:
-    label: !Context transl_name
-- model: authentik_stages_prompt.prompt
-  identifiers:
-    name: default-source-enrollment-field-username
-  attrs:
-    label: !Context transl_username
-    placeholder: !Context transl_username

nextcloud.yaml.tmpl

@@ -1,56 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: Nextcloud
-
-entries:
-- attrs:
-    description: nextcloud
-    expression: 'return { "nextcloud_groups": [{"gid": group.name, "displayName":
-      group.name} for group in request.user.ak_groups.all()], }'
-    managed: null
-    scope_name: nextcloud
-  conditions: []
-  id: nextcloud_group_mapping
-  identifiers:
-    name: nextcloud
-  model: authentik_providers_oauth2.scopemapping
-  state: present
-
-- attrs:
-    access_code_validity: minutes=1
-    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    client_id: {{ secret  "nextcloud_id" }}
-    client_secret: {{ secret  "nextcloud_secret" }}
-    client_type: confidential
-    include_claims_in_id_token: true
-    issuer_mode: per_provider
-    name: Nextcloud
-    property_mappings:
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
-    - !KeyOf nextcloud_group_mapping
-    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
-    sub_mode: user_username
-    token_validity: days=30
-  conditions: []
-  id: nextcloud_provider
-  identifiers:
-    pk: 9999
-  model: authentik_providers_oauth2.oauth2provider
-  state: present
-
-- attrs:
-    meta_launch_url: https://{{ env  "NEXTCLOUD_DOMAIN" }}
-    open_in_new_tab: true
-    policy_engine_mode: any
-    provider: !KeyOf nextcloud_provider
-    slug: nextcloud
-  conditions: []
-  id: nextcloud_application
-  identifiers:
-    name: Nextcloud
-  model: authentik_core.application
-  state: present

password_reset_de.html

@@ -0,0 +1,53 @@
+{% extends "email/base.html" %}
+
+{% load i18n %}
+{% load humanize %}
+
+{% block content %}
+<tr>
+    <td class="alert alert-success">
+        {% blocktrans with username=user.username %}
+        Herzlich Willkommen {{ username }},
+        {% endblocktrans %}
+    </td>
+</tr>
+<tr>
+    <td class="content-wrap">
+        <table width="100%" cellpadding="0" cellspacing="0">
+            <tr>
+                <td class="content-block">
+                    {% blocktrans %}
+                    Klicke auf folgenden Link um ein Passwort für deinen Account zu erstellen:
+                    {% endblocktrans %}
+                </td>
+            </tr>
+            <tr>
+                <td class="content-block">
+                    <table role="presentation" border="0" cellpadding="0" cellspacing="0" class="btn btn-primary">
+                        <tbody>
+                        <tr>
+                            <td align="center">
+                            <table role="presentation" border="0" cellpadding="0" cellspacing="0">
+                                <tbody>
+                                <tr>
+                                    <td> <a id="confirm" href="{{ url }}" rel="noopener noreferrer" target="_blank">Passwort Erstellen</a> </td>
+                                </tr>
+                                </tbody>
+                            </table>
+                            </td>
+                        </tr>
+                        </tbody>
+                    </table>
+                </td>
+            </tr>
+            <tr>
+                <td class="content-block">
+                    {% blocktrans with expires=expires|naturaltime %}
+                    Falls du diese E-Mail fälschlicherweise erhalten hast, ignoriere sie bitte. Der obige Link ist gültig für: {{ expires }}.
+                    {% endblocktrans %}
+                </td>
+            </tr>
+        </table>
+    </td>
+</tr>
+{% endblock %}

release/1.0.0+2022.10.1

@@ -1,15 +0,0 @@
-This upgrade replaces the passwords stored in env variables by docker secrets.
-You need to insert the following passwords as secret:
-
-`POSTGRES_PASSWORD` / `AUTHENTIK_POSTGRESQL__PASSWORD`:
-    `abra app secret insert <app_name> db_password v1 <password>`
-`AUTHENTIK_SECRET_KEY`:
-    `abra app secret insert <app_name> secret_key v1 <password>`
-`AK_ADMIN_TOKEN`:
-    `abra app secret insert <app_name> admin_token v1 <password>`
-`AK_ADMIN_PASS`:
-    `abra app secret insert <app_name> admin_pass v1 <password>`
-`AUTHENTIK_EMAIL__PASSWORD`:
-    `abra app secret insert <app_name> email_pass v1 <password>`
-
-These variables should be removed from the .env file.

release/2.0.0+2023.2.3

@@ -1,2 +0,0 @@
-Logout URL changes from `https://login.example.org/if/flow/default-invalidation-flow/` to `https://login.example.org/if/flow/logout-flow/`
-Replace it in any app that uses this logout url.

release/3.0.0+2023.2.3

@@ -1,16 +0,0 @@
-Run `abra app cmd <app_name> worker blueprint_cleanup` to apply the new blueprint configuration and delete the old configuration.
-
-If the nextcloud provider should be managed by abra add the following to the env:
-
-    COMPOSE_FILE="compose.yml:compose.nextcloud.yml"
-    NEXTCLOUD_DOMAIN=nextcloud.example.com
-    SECRET_NEXTCLOUD_ID_VERSION=v1
-    SECRET_NEXTCLOUD_SECRET_VERSION=v1
-
-and generate the secrets:
-
-    abra app secret generate -a <app_name>
-
-Eventuelly you need to manually remove the old nextcloud provider and application
-
-Don't forget to update the nextcloud config for authentik as well.

release/3.1.0+2023.3.1

@@ -1,3 +0,0 @@
-Env recommendation: AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME=false
-This prevents users from changing their username.
-Changing the username can be a security risk and it can break things.

system_tenant.yaml.tmpl

@@ -1,35 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: Custom System Tenant
-entries:
-### DEPENDENCIES
-- model: authentik_blueprints.metaapplyblueprint
-  attrs:
-    identifiers:
-      name: Default - Tenant
-    required: true
-- model: authentik_blueprints.metaapplyblueprint
-  attrs:
-    identifiers:
-      name: Invitation Enrollment Flow
-    required: true
-
-
-### SYSTEM TENANT
-# remove custom tenant from old recipe
-- identifiers:
-    domain: {{ env "DOMAIN" }}
-  model: authentik_tenants.tenant
-  state: absent
-
-- attrs:
-    attributes:
-      settings:
-        locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }}
-    flow_recovery: !Find [authentik_flows.flow, [slug,  default-recovery-flow]]
-  identifiers:
-    default: true
-    domain: authentik-default
-  model: authentik_tenants.tenant

wordpress.yaml.tmpl

@@ -1,43 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: Wordpress
-
-entries:
-
-- attrs:
-    access_code_validity: minutes=1
-    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    client_id: {{ secret  "wordpress_id" }}
-    client_secret: {{ secret  "wordpress_secret" }}
-    client_type: confidential
-    include_claims_in_id_token: true
-    issuer_mode: per_provider
-    name: Wordpress
-    property_mappings:
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
-    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
-    sub_mode: user_username
-    token_validity: days=30
-  conditions: []
-  id: wordpress_provider
-  identifiers:
-    pk: 9998
-  model: authentik_providers_oauth2.oauth2provider
-  state: present
-
-- attrs:
-    meta_launch_url: https://{{ env  "WORDPRESS_DOMAIN" }}/wp-login.php
-    open_in_new_tab: true
-    policy_engine_mode: any
-    provider: !KeyOf wordpress_provider
-    slug: wordpress
-  conditions: []
-  id: wordpress_application
-  identifiers:
-    name: Wordpress
-  model: authentik_core.application
-  state: present