style: add nextcloud talk icon

Reviewed-on: coop-cloud/authentik#20

.env.sample

@@ -1,5 +1,5 @@
 TYPE=authentik
-TIMEOUT=900
+#TIMEOUT=900
 ENABLE_AUTO_UPDATE=true
 POST_DEPLOY_CMDS="worker set_admin_pass"
 # Example values for post deploy cmds: "worker set_admin_pass|worker apply_blueprints|worker add_applications"
@@ -156,5 +156,12 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 # APP_ICONS="$APP_ICONS hedgedoc:~/.abra/recipes/authentik/icons/hedgedoc.png"
 # HEDGEDOC_APPGROUP="$GROUP_DOCUMENTATION"
 
+# COMPOSE_FILE="$COMPOSE_FILE:compose.mila.yml"
+# MILA_DOMAIN=mila.example.com
+# SECRET_MILA_ID_VERSION=v1
+# SECRET_MILA_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS mila:~/.abra/recipes/authentik/icons/mila.svg"
+# MILA_APPGROUP=""
+
 # APPLICATIONS='{"Calendar": {"url":"https://nextcloud.example.com/apps/calendar/", "group": ""}, "BBB": {"url":"https://nextcloud.example.com/apps/bbb/", "group":""}, "Pretix": {"url":"https://pretix.example.com/control/", "group":""}}'
 # EXTRA_ICONS={"Calendar": "~/.abra/recipes/authentik/icons/calendar.svg", "BBB": "~/.abra/recipes/authentik/icons/bbb.png", "Pretix": "~/.abra/recipes/authentik/icons/pretix.svg"}

.gitignore

@@ -1 +1,2 @@
 .envrc
+.cursorignore

abra.sh

@@ -16,6 +16,7 @@ export ZAMMAD_CONFIG_VERSION=v4
 export RALLLY_CONFIG_VERSION=v4
 export HEDGEDOC_CONFIG_VERSION=v3
 export MONITORING_CONFIG_VERSION=v4
+export MILA_CONFIG_VERSION=v1
 export DB_ENTRYPOINT_VERSION=v1
 export PG_BACKUP_VERSION=v2
 export ENTRYPOINT_CSS_VERSION=v1
@@ -49,12 +50,13 @@ import_user() {
   fi
   source_file=$1
   filename=$(basename $source_file)
-  abra app cp $APP_NAME $source_file worker:/tmp/
-  abra app cmd -T $APP_NAME worker _import_user $filename
+  abra app cp -C $APP_NAME $source_file worker:/tmp/
+  abra app cmd -C -T $APP_NAME worker _import_user $filename
 }
 
 _import_user() {
   /manage.py shell -c """
+from authentik.core.models import Group
 import csv
 new_user = User()
 with open('/tmp/$1', newline='') as file:
@@ -81,6 +83,18 @@ with open('/tmp/$1', newline='') as file:
 """ 2>&1 | quieten
 }
 
+set_user_pass() {
+  username="$1"
+  password="$2"
+  /manage.py shell -c """
+user = User.objects.get(username='$username')
+user.set_password('$password')
+user.save()
+print('Changed $username password')
+""" 2>&1 | quieten
+
+}
+
 set_admin_pass() {
   password=$(cat /run/secrets/admin_pass)
   token=$(cat /run/secrets/admin_token)
@@ -196,12 +210,42 @@ for name, details in applications.items():
         app.group = group
         print(f'Add {name}: {url} in group: {group}')
     else:
+        app.group = ''
         print(f'Add {name}: {url}')
     app.open_in_new_tab = True
     app.save()
 """ 2>&1 | quieten
 }
 
+# This function adds one application with its name, slug and group if passed
+add_single_application() {
+  if [ -z "$2" ]; then
+    echo "Usage: ... add_single_application <name> <url> <group>"
+    exit 1
+  fi
+  /manage.py shell -c """
+import json
+import os
+name = '$1'
+url = '$2'
+app = Application.objects.filter(name=name).first()
+if not app:
+    app = Application()
+app.name = name
+app.slug = name.replace(' ', '-')
+app.meta_launch_url = url
+group = '$3'
+if group:
+    app.group = group
+    print(f'Add {name}: {url} in group: {group}')
+else:
+    app.group = ''
+    print(f'Add {name}: {url}')
+app.open_in_new_tab = True
+app.save()
+""" 2>&1 | quieten
+}
+
 ## This function is for renaming apps - usage: rename "old name" "new name"
 rename() {
   /manage.py shell -c """
@@ -221,7 +265,7 @@ else:
 quieten() {
   # 'SyntaxWarning|version_regex|"http\['
   # is a workaround to get rid of some verbose syntax warnings, this might be fixed with another version
-  grep -Pv '"level": "(info|debug)"|SyntaxWarning|version_regex|"http\[|RuntimeWarning:'
+  grep -Pv '"level": "(info|debug)"|SyntaxWarning|version_regex|"http\[|RuntimeWarning:|### authentik shell|### Node| objects imported automatically|^$'
 }
 
 add_email_templates() {
@@ -240,8 +284,8 @@ set_icons() {
     file_path=$(eval echo $(echo $icon | cut -d ":" -f2))
     file=$(basename $file_path)
     echo copy icon $file_path for $app
-    abra app cp $APP_NAME $file_path app:/media/
-    abra app cmd -T $APP_NAME app set_app_icon $app /media/$file
+    abra app cp -C $APP_NAME $file_path app:/media/
+    abra app cmd -C -T $APP_NAME app set_app_icon $app /media/$file
   done
 }
 
@@ -255,7 +299,8 @@ set_extra_icons() {
 import json
 import os
 for key, value in json.loads(os.environ['EXTRA_ICONS']).items():
-    print(f'{key}:{value}')
+  slug = key.replace(' ','-')
+  print(f'{slug}:{value}')
 ")
   set_icons "$icon_key_values"
 }
@@ -310,6 +355,10 @@ print(User.objects.filter(username='$1').first().uid)
 """ 2>&1 | quieten
 }
 
+get_secrets() {
+  grep "" -r /var/run/secrets
+}
+
 fix_collation_mismatch() {
   psql -U ${POSTGRES_USER} -d authentik -c "ALTER DATABASE authentik REFRESH COLLATION VERSION;"
   psql -U ${POSTGRES_USER} -d authentik -c "REINDEX DATABASE authentik;"

alaconnect.yml

@@ -87,3 +87,12 @@ hedgedoc:
         - hedgedoc.png
     secrets:
         hedgedoc_id: hedgedoc
+mila:
+    uncomment:
+        - compose.mila.yml
+        - MILA_DOMAIN
+        - SECRET_MILA_ID_VERSION
+        - SECRET_MILA_SECRET_VERSION
+        - mila.svg
+    secrets:
+        mila_id: mila

compose.mila.yml

@@ -0,0 +1,27 @@
+version: "3.8"
+services:
+  worker:
+    secrets:
+      - mila_id
+      - mila_secret
+    environment:
+      - MILA_DOMAIN
+    configs:
+      - source: mila
+        target: /blueprints/mila.yaml
+
+secrets:
+  mila_id:
+    external: true
+    name: ${STACK_NAME}_mila_id_${SECRET_MILA_ID_VERSION}
+  mila_secret:
+    external: true
+    name: ${STACK_NAME}_mila_secret_${SECRET_MILA_SECRET_VERSION}
+
+
+configs:
+  mila:
+    name: ${STACK_NAME}_mila_${MILA_CONFIG_VERSION}
+    file: mila.yaml.tmpl
+    template_driver: golang
+

compose.outposts.ldap.yml

@@ -1,7 +1,7 @@
 version: "3.8"
 services:
   authentik_ldap:
-      image: ghcr.io/goauthentik/ldap:2025.8.1
+      image: ghcr.io/goauthentik/ldap:2025.10.2
       # Optionally specify which networks the container should be
       # might be needed to reach the core authentik server
       networks:

compose.yml

@@ -5,7 +5,6 @@ x-env: &env
     - AUTHENTIK_POSTGRESQL__USER=authentik
     - AUTHENTIK_POSTGRESQL__NAME=authentik
     - AUTHENTIK_POSTGRESQL__HOST=db
-    - AUTHENTIK_REDIS__HOST=redis
     - AUTHENTIK_ERROR_REPORTING__ENABLED
     - AUTHENTIK_SECRET_KEY=file:///run/secrets/secret_key
     - AUTHENTIK_EMAIL__HOST
@@ -35,11 +34,10 @@ x-env: &env
 version: '3.8'
 services:
   app:
-    image: ghcr.io/goauthentik/server:2025.8.1
+    image: ghcr.io/goauthentik/server:2025.10.2
     command: server
     depends_on:
       - db
-      - redis
     secrets:
       - db_password
       - admin_pass
@@ -71,18 +69,17 @@ services:
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions,${STACK_NAME}-redirect"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=9.0.1+2025.8.1"
+        - "coop-cloud.${STACK_NAME}.version=10.1.4+2025.10.2"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.regex=^https://(${REDIRECTS})/(.*)"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.replacement=https://${DOMAIN}/$${2}"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.permanent=true"
-        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
 
   worker:
-    image: ghcr.io/goauthentik/server:2025.8.1
+    image: ghcr.io/goauthentik/server:2025.10.2
     command: worker
     depends_on:
       - db
-      - redis
     secrets:
       - db_password
       - admin_pass
@@ -119,7 +116,7 @@ services:
       start_period: 5m
 
   db:
-    image: postgres:15.13
+    image: postgres:15.15
     secrets:
       - db_password
     configs:
@@ -150,22 +147,8 @@ services:
           backupbot.backup: "${ENABLE_BACKUPS:-true}"
           backupbot.backup.pre-hook: "/pg_backup.sh backup"
           backupbot.backup.volumes.database.path: "backup.sql"
-          backupbot.backup.volumes.redis: "false"
           backupbot.restore.post-hook: '/pg_backup.sh restore'
 
-  redis:
-    image:  redis:8.2.1-alpine
-    command: --save 60 1 --loglevel warning
-    networks:
-      - internal
-    healthcheck:
-      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
-      interval: 30s
-      timeout: 10s
-      retries: 10
-      start_period: 1m
-    volumes:
-        - redis:/data
 
 secrets:
   db_password:
@@ -192,7 +175,6 @@ networks:
 volumes:
   media:
   certs:
-  redis:
   templates:
   assets:
   database:

icons/collectives.svg

@@ -0,0 +1,12 @@
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" height="16" width="16" viewBox="0 0 16 16">
+<g>
+	<path d="M2.9,8.8c0-1.2,0.4-2.4,1.2-3.3L0.3,6c-0.2,0-0.3,0.3-0.1,0.4l2.7,2.6C2.9,9,2.9,8.9,2.9,8.8z" />
+	<path d="M8,3.7c0.7,0,1.3,0.1,1.9,0.4L8.2,0.6c-0.1-0.2-0.3-0.2-0.4,0L6.1,4C6.7,3.8,7.3,3.7,8,3.7z" />
+	<path d="M3.7,11.5L3,15.2c0,0.2,0.2,0.4,0.4,0.3l3.3-1.7C5.4,13.4,4.4,12.6,3.7,11.5z" />
+	<path d="M15.7,6l-3.7-0.5c0.7,0.9,1.2,2,1.2,3.3c0,0.1,0,0.2,0,0.3l2.7-2.6C15.9,6.3,15.9,6.1,15.7,6z" />
+	<path d="M12.3,11.5c-0.7,1.1-1.8,1.9-3,2.2l3.3,1.7c0.2,0.1,0.4-0.1,0.4-0.3L12.3,11.5z" />
+	<path d="M9.6,10.1c-0.4,0.5-1,0.8-1.6,0.8c-1.1,0-2-0.9-2.1-2C5.9,7.7,6.8,6.7,8,6.7c0.6,0,1.1,0.3,1.5,0.7
+		c0.1,0.1,0.1,0.1,0.2,0.1h1.4c0.2,0,0.4-0.2,0.3-0.5c-0.7-1.3-2.1-2.2-3.8-2.1C5.8,5,4.3,6.6,4.1,8.5C4,10.8,5.8,12.7,8,12.7
+		c1.6,0,2.9-0.9,3.5-2.3c0.1-0.2-0.1-0.4-0.3-0.4H9.9C9.8,10,9.7,10,9.6,10.1z" />
+</g>
+</svg>

icons/mila.svg

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg id="a" data-name="Ebene 1" xmlns="http://www.w3.org/2000/svg" viewBox="80 60 430 410">
+  <defs>
+    <style>
+      .b {
+        fill: #346180;
+      }
+
+      .c {
+        fill: #009aa5;
+      }
+    </style>
+  </defs>
+  <g>
+    <path class="c" d="M319.57,303.39c41.78,18.41,74.43,42.48,87.64,89.83,4.52,16.2,12.63,44.75-10.72,48.82H101.39c-2.63-.09-9.25-2.82-11.12-4.38-.3-.25-4.06-6.12-4.22-6.49-5.78-13.4,2.35-35.12,7.31-47.71,9.49-24.09,25.75-44.44,46.62-59.63,16.07-11.7,34.34-20.54,53.51-25.78,32.68-8.93,94.96-8.37,126.07,5.34Z"/>
+    <path class="c" d="M299.53,126.4c7.22,5.55,16.92,15.59,20.81,23.69,14.47,30.14,13.54,62.8-6.99,90.82-32.64,44.55-106.51,39.41-133.59-8.24-45.73-80.48,49.74-160.1,119.77-106.26Z"/>
+  </g>
+  <g>
+    <path class="b" d="M395.52,128.43c50.29,40.71,28.84,125.79-34.37,141.27-7.94,1.94-34,4.45-40.2-.24-.7-.53-1.73-1.28-1.25-2.3.2-.42.58-.72.95-1.01,6.58-5.05,11.45-13.02,15.71-20.08s7.99-14.88,10.77-22.84c5.4-15.47,7.48-32.13,5.27-48.4-2.36-17.34-9.63-33.63-20.49-47.31-2.75-3.46-6.2-6.45-9.27-9.63-1.09-1.14-3.73-3.05-4.21-4.6-.9-2.93,2.98-3.72,5.51-4.06,23.02-3.1,46.39,1.77,65.63,14.81,2.04,1.38,4.02,2.84,5.94,4.39Z"/>
+    <path class="b" d="M433.88,441.36c-2.64-2.97.77-10.22,1.03-13.89,3.54-49.03-30.24-100.05-69.07-126.89-1.99-1.38-11.43-6.12-11.91-6.6-1.42-1.44.09-1.81,1.48-1.99,7.36-.93,17.29,1.08,24.7,2.32,16.51,2.77,33.53,8.05,48.48,15.52,18.53,9.24,34.94,22.72,47.79,38.94,11.65,14.7,54.83,91.93,8.76,92.91-15.76.33-31.52.67-47.28,1-1.97.04-3.23-.46-3.99-1.31Z"/>
+  </g>
+</svg>

icons/poll.svg

@@ -0,0 +1,3 @@
+<svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M6.75 3.00464V5.25464M17.25 3.00464V5.25464M3 18.7546V7.50464C3 6.262 4.00736 5.25464 5.25 5.25464H18.75C19.9926 5.25464 21 6.262 21 7.50464V18.7546M3 18.7546C3 19.9973 4.00736 21.0046 5.25 21.0046H18.75C19.9926 21.0046 21 19.9973 21 18.7546M3 18.7546V11.2546C3 10.012 4.00736 9.00464 5.25 9.00464H18.75C19.9926 9.00464 21 10.012 21 11.2546V18.7546M12 12.7546H12.0075V12.7621H12V12.7546ZM12 15.0046H12.0075V15.0121H12V15.0046ZM12 17.2546H12.0075V17.2621H12V17.2546ZM9.75 15.0046H9.7575V15.0121H9.75V15.0046ZM9.75 17.2546H9.7575V17.2621H9.75V17.2546ZM7.5 15.0046H7.5075V15.0121H7.5V15.0046ZM7.5 17.2546H7.5075V17.2621H7.5V17.2546ZM14.25 12.7546H14.2575V12.7621H14.25V12.7546ZM14.25 15.0046H14.2575V15.0121H14.25V15.0046ZM14.25 17.2546H14.2575V17.2621H14.25V17.2546ZM16.5 12.7546H16.5075V12.7621H16.5V12.7546ZM16.5 15.0046H16.5075V15.0121H16.5V15.0046Z" stroke="#0F172A" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
+</svg>

icons/talk.svg

@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   inkscape:version="1.1-dev (f9311a1, 2019-12-25)"
+   sodipodi:docname="talk8.svg"
+   id="svg19"
+   xml:space="preserve"
+   viewBox="0 0 1024 1024"
+   version="1.1"
+   stroke-miterlimit="1.4142"
+   stroke-linejoin="round"
+   fill-rule="evenodd"
+   clip-rule="evenodd"><metadata
+   id="metadata23"><rdf:RDF><cc:Work
+       rdf:about=""><dc:format>image/svg+xml</dc:format><dc:type
+         rdf:resource="http://purl.org/dc/dcmitype/StillImage" /><dc:title></dc:title></cc:Work></rdf:RDF></metadata><sodipodi:namedview
+   inkscape:current-layer="svg19"
+   inkscape:window-maximized="1"
+   inkscape:window-y="23"
+   inkscape:window-x="1440"
+   inkscape:cy="522.40348"
+   inkscape:cx="510.51379"
+   inkscape:zoom="0.67285156"
+   showgrid="false"
+   id="namedview21"
+   inkscape:window-height="1035"
+   inkscape:window-width="1920"
+   inkscape:pageshadow="2"
+   inkscape:pageopacity="0"
+   guidetolerance="10"
+   gridtolerance="10"
+   objecttolerance="10"
+   borderopacity="1"
+   inkscape:document-rotation="0"
+   bordercolor="#666666"
+   pagecolor="#ffffff" /><defs
+   id="defs15"><linearGradient
+     gradientUnits="userSpaceOnUse"
+     gradientTransform="matrix(8.96 0 0 8.96 -7.8457e-5 .00019795)"
+     y2="-7.6294e-6"
+     y1="150"
+     x2="150"
+     x1="18.23"
+     id="a"><stop
+       id="stop10"
+       offset="0"
+       stop-color="#0082c9" /><stop
+       id="stop12"
+       offset="1"
+       stop-color="#1cafff" /></linearGradient></defs>
+<rect
+   id="rect17"
+   fill-rule="evenodd"
+   fill="url(#a)"
+   height="1024"
+   width="1024" /><path
+   style="fill:#ffffff"
+   inkscape:connector-curvature="0"
+   d="M 511.95919,186 A 325.96385,325.95103 0 0 0 186,511.96034 325.96385,325.95103 0 0 0 511.95919,837.91133 325.96385,325.95103 0 0 0 681.04889,790.22529 c 40.06218,15.91895 129.79781,63.14682 151.15526,42.74701 22.3177,-21.31206 -26.20129,-121.61808 -37.83331,-158.89148 A 325.96385,325.95103 0 0 0 837.91466,511.95755 325.96385,325.95103 0 0 0 511.96013,186.01118 Z m 0.0373,123.92323 A 202.1178,202.11161 0 0 1 714.11425,512.03485 202.1178,202.11161 0 0 1 511.99645,714.13247 202.1178,202.11161 0 0 1 309.87866,512.03485 202.1178,202.11161 0 0 1 511.99645,309.92323 Z"
+   stroke-width="0.14"
+   fill="#000"
+   id="path25" /></svg>

mila.yaml.tmpl

@@ -0,0 +1,49 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: mila
+
+entries:
+
+- attrs:
+    access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+    client_id: {{ secret  "mila_id" }}
+    client_secret: {{ secret  "mila_secret" }}
+    client_type: confidential
+    include_claims_in_id_token: true
+    issuer_mode: per_provider
+    redirect_uris:
+    - matching_mode: strict
+      url: https://{{ env  "MILA_DOMAIN" }}/auth/user/oidc/callback
+    name: Mila
+    property_mappings:
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sub_mode: hashed_user_id
+    token_validity: days=30
+  conditions: []
+  id: mila_provider
+  identifiers:
+    pk: 9990
+  model: authentik_providers_oauth2.oauth2provider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "MILA_DOMAIN" }}
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf mila_provider
+    slug: mila
+  conditions: []
+  id: mila_application
+  identifiers:
+    name: Mila
+  model: authentik_core.application
+  state: present
+

release/10.0.0+2025.10.2

@@ -0,0 +1 @@
+2025.10 removes redis. Since 2025.8 all redis tasks have been migrated to postgres.