Merge branch 'main' into authentik-upgrade

Intermediate step for upgrading to 2026.2.x.
Bump authentik to 2025.12.4, postgres to 15.17.

.env.sample

@@ -1,5 +1,5 @@
 TYPE=authentik
-TIMEOUT=900
+#TIMEOUT=900
 ENABLE_AUTO_UPDATE=true
 POST_DEPLOY_CMDS="worker set_admin_pass"
 # Example values for post deploy cmds: "worker set_admin_pass|worker apply_blueprints|worker add_applications"

abra.sh

@@ -50,12 +50,13 @@ import_user() {
   fi
   source_file=$1
   filename=$(basename $source_file)
-  abra app cp $APP_NAME $source_file worker:/tmp/
-  abra app cmd -T $APP_NAME worker _import_user $filename
+  abra app cp -C $APP_NAME $source_file worker:/tmp/
+  abra app cmd -C -T $APP_NAME worker _import_user $filename
 }
 
 _import_user() {
   /manage.py shell -c """
+from authentik.core.models import Group
 import csv
 new_user = User()
 with open('/tmp/$1', newline='') as file:
@@ -216,6 +217,35 @@ for name, details in applications.items():
 """ 2>&1 | quieten
 }
 
+# This function adds one application with its name, slug and group if passed
+add_single_application() {
+  if [ -z "$2" ]; then
+    echo "Usage: ... add_single_application <name> <url> <group>"
+    exit 1
+  fi
+  /manage.py shell -c """
+import json
+import os
+name = '$1'
+url = '$2'
+app = Application.objects.filter(name=name).first()
+if not app:
+    app = Application()
+app.name = name
+app.slug = name.replace(' ', '-')
+app.meta_launch_url = url
+group = '$3'
+if group:
+    app.group = group
+    print(f'Add {name}: {url} in group: {group}')
+else:
+    app.group = ''
+    print(f'Add {name}: {url}')
+app.open_in_new_tab = True
+app.save()
+""" 2>&1 | quieten
+}
+
 ## This function is for renaming apps - usage: rename "old name" "new name"
 rename() {
   /manage.py shell -c """
@@ -235,7 +265,7 @@ else:
 quieten() {
   # 'SyntaxWarning|version_regex|"http\['
   # is a workaround to get rid of some verbose syntax warnings, this might be fixed with another version
-  grep -Pv '"level": "(info|debug)"|SyntaxWarning|version_regex|"http\[|RuntimeWarning:'
+  grep -Pv '"level": "(info|debug)"|SyntaxWarning|version_regex|"http\[|RuntimeWarning:|### authentik shell|### Node| objects imported automatically|^$'
 }
 
 add_email_templates() {
@@ -254,8 +284,8 @@ set_icons() {
     file_path=$(eval echo $(echo $icon | cut -d ":" -f2))
     file=$(basename $file_path)
     echo copy icon $file_path for $app
-    abra app cp $APP_NAME $file_path app:/media/
-    abra app cmd -T $APP_NAME app set_app_icon $app /media/$file
+    abra app cp -C $APP_NAME $file_path app:/media/
+    abra app cmd -C -T $APP_NAME app set_app_icon $app /media/$file
   done
 }
 
@@ -283,14 +313,37 @@ import os
 my_token = '$TOKEN'
 application = '$1'
 icon_path = '$2'
-url = f'https://$DOMAIN/api/v3/core/applications/{application}/set_icon/'
-headers = {'Authorization':f'Bearer {my_token}'}
+base_url = f'https://$DOMAIN/api/v3'
+headers = {'Authorization': f'Bearer {my_token}'}
+
+name_img = os.path.basename(icon_path)
+
+# Upload file via the file management API
 with open(icon_path, 'rb') as img:
-  name_img = os.path.basename(icon_path)
-  files= {'file': (name_img,img,'image/png') }
-  with requests.Session() as s:
-    r = s.post(url,files=files,headers=headers)
-    print(r.status_code)
+  r = requests.post(
+    f'{base_url}/admin/file/',
+    files={'file': (name_img, img, 'image/png')},
+    data={'name': name_img},
+    headers=headers,
+  )
+  if r.status_code == 400 and 'already exists' in r.text:
+    print(f'{name_img} already uploaded')
+  elif r.status_code != 200:
+    print(f'Upload failed: {r.status_code} {r.text}')
+    exit(1)
+  else:
+    print(f'Uploaded {name_img}')
+
+# Set the icon on the application
+r = requests.patch(
+  f'{base_url}/core/applications/{application}/',
+  json={'meta_icon': name_img},
+  headers=headers,
+)
+if r.status_code == 200:
+  print(f'Set icon for {application}')
+else:
+  print(f'Failed to set icon: {r.status_code} {r.text}')
 """
 
 }

compose.outposts.ldap.yml

@@ -1,7 +1,7 @@
 version: "3.8"
 services:
   authentik_ldap:
-      image: ghcr.io/goauthentik/ldap:2025.10.2
+      image: ghcr.io/goauthentik/ldap:2026.2.1
       # Optionally specify which networks the container should be
       # might be needed to reach the core authentik server
       networks:

compose.yml

@@ -34,7 +34,7 @@ x-env: &env
 version: '3.8'
 services:
   app:
-    image: ghcr.io/goauthentik/server:2025.10.2
+    image: ghcr.io/goauthentik/server:2026.2.1
     command: server
     depends_on:
       - db
@@ -45,6 +45,7 @@ services:
       - secret_key
       - email_pass
     volumes:
+      - data:/data
       - media:/media
       - assets:/web/dist/assets
       - templates:/templates
@@ -69,14 +70,14 @@ services:
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions,${STACK_NAME}-redirect"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=10.1.0+2025.10.2"
+        - "coop-cloud.${STACK_NAME}.version=10.2.0+2026.2.1"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.regex=^https://(${REDIRECTS})/(.*)"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.replacement=https://${DOMAIN}/$${2}"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.permanent=true"
-        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
 
   worker:
-    image: ghcr.io/goauthentik/server:2025.10.2
+    image: ghcr.io/goauthentik/server:2026.2.1
     command: worker
     depends_on:
       - db
@@ -90,6 +91,7 @@ services:
       - internal
       - proxy
     volumes:
+      - data:/data
       - media:/media
       - /dev/null:/blueprints/default/flow-oobe.yaml
       - templates:/templates
@@ -116,7 +118,7 @@ services:
       start_period: 5m
 
   db:
-    image: postgres:15.15
+    image: postgres:15.17
     secrets:
       - db_password
     configs:
@@ -173,6 +175,7 @@ networks:
   internal:
 
 volumes:
+  data:
   media:
   certs:
   templates:

icons/mila.svg

@@ -1,5 +1,22 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100" width="100" height="100">
-  <rect width="100" height="100" rx="12" fill="#4f46e5"/>
-  <text x="50" y="65" font-family="Arial, sans-serif" font-size="48" font-weight="bold" fill="white" text-anchor="middle">M</text>
-</svg>
+<?xml version="1.0" encoding="UTF-8"?>
+<svg id="a" data-name="Ebene 1" xmlns="http://www.w3.org/2000/svg" viewBox="80 60 430 410">
+  <defs>
+    <style>
+      .b {
+        fill: #346180;
+      }
 
+      .c {
+        fill: #009aa5;
+      }
+    </style>
+  </defs>
+  <g>
+    <path class="c" d="M319.57,303.39c41.78,18.41,74.43,42.48,87.64,89.83,4.52,16.2,12.63,44.75-10.72,48.82H101.39c-2.63-.09-9.25-2.82-11.12-4.38-.3-.25-4.06-6.12-4.22-6.49-5.78-13.4,2.35-35.12,7.31-47.71,9.49-24.09,25.75-44.44,46.62-59.63,16.07-11.7,34.34-20.54,53.51-25.78,32.68-8.93,94.96-8.37,126.07,5.34Z"/>
+    <path class="c" d="M299.53,126.4c7.22,5.55,16.92,15.59,20.81,23.69,14.47,30.14,13.54,62.8-6.99,90.82-32.64,44.55-106.51,39.41-133.59-8.24-45.73-80.48,49.74-160.1,119.77-106.26Z"/>
+  </g>
+  <g>
+    <path class="b" d="M395.52,128.43c50.29,40.71,28.84,125.79-34.37,141.27-7.94,1.94-34,4.45-40.2-.24-.7-.53-1.73-1.28-1.25-2.3.2-.42.58-.72.95-1.01,6.58-5.05,11.45-13.02,15.71-20.08s7.99-14.88,10.77-22.84c5.4-15.47,7.48-32.13,5.27-48.4-2.36-17.34-9.63-33.63-20.49-47.31-2.75-3.46-6.2-6.45-9.27-9.63-1.09-1.14-3.73-3.05-4.21-4.6-.9-2.93,2.98-3.72,5.51-4.06,23.02-3.1,46.39,1.77,65.63,14.81,2.04,1.38,4.02,2.84,5.94,4.39Z"/>
+    <path class="b" d="M433.88,441.36c-2.64-2.97.77-10.22,1.03-13.89,3.54-49.03-30.24-100.05-69.07-126.89-1.99-1.38-11.43-6.12-11.91-6.6-1.42-1.44.09-1.81,1.48-1.99,7.36-.93,17.29,1.08,24.7,2.32,16.51,2.77,33.53,8.05,48.48,15.52,18.53,9.24,34.94,22.72,47.79,38.94,11.65,14.7,54.83,91.93,8.76,92.91-15.76.33-31.52.67-47.28,1-1.97.04-3.23-.46-3.99-1.31Z"/>
+  </g>
+</svg>

icons/poll.svg

@@ -0,0 +1,3 @@
+<svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M6.75 3.00464V5.25464M17.25 3.00464V5.25464M3 18.7546V7.50464C3 6.262 4.00736 5.25464 5.25 5.25464H18.75C19.9926 5.25464 21 6.262 21 7.50464V18.7546M3 18.7546C3 19.9973 4.00736 21.0046 5.25 21.0046H18.75C19.9926 21.0046 21 19.9973 21 18.7546M3 18.7546V11.2546C3 10.012 4.00736 9.00464 5.25 9.00464H18.75C19.9926 9.00464 21 10.012 21 11.2546V18.7546M12 12.7546H12.0075V12.7621H12V12.7546ZM12 15.0046H12.0075V15.0121H12V15.0046ZM12 17.2546H12.0075V17.2621H12V17.2546ZM9.75 15.0046H9.7575V15.0121H9.75V15.0046ZM9.75 17.2546H9.7575V17.2621H9.75V17.2546ZM7.5 15.0046H7.5075V15.0121H7.5V15.0046ZM7.5 17.2546H7.5075V17.2621H7.5V17.2546ZM14.25 12.7546H14.2575V12.7621H14.25V12.7546ZM14.25 15.0046H14.2575V15.0121H14.25V15.0046ZM14.25 17.2546H14.2575V17.2621H14.25V17.2546ZM16.5 12.7546H16.5075V12.7621H16.5V12.7546ZM16.5 15.0046H16.5075V15.0121H16.5V15.0046Z" stroke="#0F172A" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
+</svg>

icons/talk.svg

@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   inkscape:version="1.1-dev (f9311a1, 2019-12-25)"
+   sodipodi:docname="talk8.svg"
+   id="svg19"
+   xml:space="preserve"
+   viewBox="0 0 1024 1024"
+   version="1.1"
+   stroke-miterlimit="1.4142"
+   stroke-linejoin="round"
+   fill-rule="evenodd"
+   clip-rule="evenodd"><metadata
+   id="metadata23"><rdf:RDF><cc:Work
+       rdf:about=""><dc:format>image/svg+xml</dc:format><dc:type
+         rdf:resource="http://purl.org/dc/dcmitype/StillImage" /><dc:title></dc:title></cc:Work></rdf:RDF></metadata><sodipodi:namedview
+   inkscape:current-layer="svg19"
+   inkscape:window-maximized="1"
+   inkscape:window-y="23"
+   inkscape:window-x="1440"
+   inkscape:cy="522.40348"
+   inkscape:cx="510.51379"
+   inkscape:zoom="0.67285156"
+   showgrid="false"
+   id="namedview21"
+   inkscape:window-height="1035"
+   inkscape:window-width="1920"
+   inkscape:pageshadow="2"
+   inkscape:pageopacity="0"
+   guidetolerance="10"
+   gridtolerance="10"
+   objecttolerance="10"
+   borderopacity="1"
+   inkscape:document-rotation="0"
+   bordercolor="#666666"
+   pagecolor="#ffffff" /><defs
+   id="defs15"><linearGradient
+     gradientUnits="userSpaceOnUse"
+     gradientTransform="matrix(8.96 0 0 8.96 -7.8457e-5 .00019795)"
+     y2="-7.6294e-6"
+     y1="150"
+     x2="150"
+     x1="18.23"
+     id="a"><stop
+       id="stop10"
+       offset="0"
+       stop-color="#0082c9" /><stop
+       id="stop12"
+       offset="1"
+       stop-color="#1cafff" /></linearGradient></defs>
+<rect
+   id="rect17"
+   fill-rule="evenodd"
+   fill="url(#a)"
+   height="1024"
+   width="1024" /><path
+   style="fill:#ffffff"
+   inkscape:connector-curvature="0"
+   d="M 511.95919,186 A 325.96385,325.95103 0 0 0 186,511.96034 325.96385,325.95103 0 0 0 511.95919,837.91133 325.96385,325.95103 0 0 0 681.04889,790.22529 c 40.06218,15.91895 129.79781,63.14682 151.15526,42.74701 22.3177,-21.31206 -26.20129,-121.61808 -37.83331,-158.89148 A 325.96385,325.95103 0 0 0 837.91466,511.95755 325.96385,325.95103 0 0 0 511.96013,186.01118 Z m 0.0373,123.92323 A 202.1178,202.11161 0 0 1 714.11425,512.03485 202.1178,202.11161 0 0 1 511.99645,714.13247 202.1178,202.11161 0 0 1 309.87866,512.03485 202.1178,202.11161 0 0 1 511.99645,309.92323 Z"
+   stroke-width="0.14"
+   fill="#000"
+   id="path25" /></svg>

mila.yaml.tmpl

@@ -18,7 +18,7 @@ entries:
     issuer_mode: per_provider
     redirect_uris:
     - matching_mode: strict
-      url: https://{{ env  "MILA_DOMAIN" }}/auth/user/rauthy/callback
+      url: https://{{ env  "MILA_DOMAIN" }}/auth/user/oidc/callback
     name: Mila
     property_mappings:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]

release/10.1.5+2025.12.4

@@ -0,0 +1 @@
+This is an intermediate release (required for migrations) before upgrading to 2026.x.

release/10.2.0+2026.2.1

@@ -0,0 +1,3 @@
+You must deploy 10.1.5+2025.12.4 first, before deploying this version, if upgrading from 2025.10 or earlier.
+Skipping the intermediate version will cause a migration error (although rolled back safely, no data loss).
+