chore: publish 11.0.2+2026.2.1 release

Intermediate step for upgrading to 2026.2.x.
Bump authentik to 2025.12.4, postgres to 15.17.

abra.sh

@@ -21,6 +21,11 @@ export DB_ENTRYPOINT_VERSION=v1
 export PG_BACKUP_VERSION=v2
 export ENTRYPOINT_CSS_VERSION=v1
 
+clear_assets() {
+  rm -rf /web/dist/assets/*
+  echo "Assets cleared. Redeploy to repopulate from image, then run 'customize' if needed."
+}
+
 customize() {
   if [ -z "$1" ]; then
     echo "Usage: ... customize <assets_path>"
@@ -313,14 +318,37 @@ import os
 my_token = '$TOKEN'
 application = '$1'
 icon_path = '$2'
-url = f'https://$DOMAIN/api/v3/core/applications/{application}/set_icon/'
-headers = {'Authorization':f'Bearer {my_token}'}
+base_url = f'https://$DOMAIN/api/v3'
+headers = {'Authorization': f'Bearer {my_token}'}
+
+name_img = os.path.basename(icon_path)
+
+# Upload file via the file management API
 with open(icon_path, 'rb') as img:
-  name_img = os.path.basename(icon_path)
-  files= {'file': (name_img,img,'image/png') }
-  with requests.Session() as s:
-    r = s.post(url,files=files,headers=headers)
-    print(r.status_code)
+  r = requests.post(
+    f'{base_url}/admin/file/',
+    files={'file': (name_img, img, 'image/png')},
+    data={'name': name_img},
+    headers=headers,
+  )
+  if r.status_code == 400 and 'already exists' in r.text:
+    print(f'{name_img} already uploaded')
+  elif r.status_code != 200:
+    print(f'Upload failed: {r.status_code} {r.text}')
+    exit(1)
+  else:
+    print(f'Uploaded {name_img}')
+
+# Set the icon on the application
+r = requests.patch(
+  f'{base_url}/core/applications/{application}/',
+  json={'meta_icon': name_img},
+  headers=headers,
+)
+if r.status_code == 200:
+  print(f'Set icon for {application}')
+else:
+  print(f'Failed to set icon: {r.status_code} {r.text}')
 """
 
 }

compose.outposts.ldap.yml

@@ -1,7 +1,7 @@
 version: "3.8"
 services:
   authentik_ldap:
-      image: ghcr.io/goauthentik/ldap:2025.10.2
+      image: ghcr.io/goauthentik/ldap:2026.2.1
       # Optionally specify which networks the container should be
       # might be needed to reach the core authentik server
       networks:

compose.yml

@@ -34,7 +34,7 @@ x-env: &env
 version: '3.8'
 services:
   app:
-    image: ghcr.io/goauthentik/server:2025.10.2
+    image: ghcr.io/goauthentik/server:2026.2.1
     command: server
     depends_on:
       - db
@@ -45,6 +45,7 @@ services:
       - secret_key
       - email_pass
     volumes:
+      - data:/data
       - media:/media
       - assets:/web/dist/assets
       - templates:/templates
@@ -61,7 +62,7 @@ services:
     deploy:
       labels:
         - "traefik.enable=true"
-        - "traefik.docker.network=proxy"
+        - "traefik.swarm.network=proxy"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=9000"
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
@@ -69,14 +70,14 @@ services:
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions,${STACK_NAME}-redirect"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=10.1.4+2025.10.2"
+        - "coop-cloud.${STACK_NAME}.version=11.0.2+2026.2.1"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.regex=^https://(${REDIRECTS})/(.*)"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.replacement=https://${DOMAIN}/$${2}"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.permanent=true"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
 
   worker:
-    image: ghcr.io/goauthentik/server:2025.10.2
+    image: ghcr.io/goauthentik/server:2026.2.1
     command: worker
     depends_on:
       - db
@@ -90,6 +91,7 @@ services:
       - internal
       - proxy
     volumes:
+      - data:/data
       - media:/media
       - /dev/null:/blueprints/default/flow-oobe.yaml
       - templates:/templates
@@ -116,7 +118,7 @@ services:
       start_period: 5m
 
   db:
-    image: postgres:15.15
+    image: postgres:15.17
     secrets:
       - db_password
     configs:
@@ -173,6 +175,7 @@ networks:
   internal:
 
 volumes:
+  data:
   media:
   certs:
   templates:

release/10.2.0+2025.12.4

@@ -0,0 +1 @@
+This is an intermediate release (required for migrations) before upgrading to 2026.x.

release/11.0.0+2026.2.1

@@ -0,0 +1,3 @@
+You must deploy 10.2.0+2025.12.4 first, before deploying this version, if upgrading from 2025.10 or earlier.
+Skipping the intermediate version will cause a migration error (although rolled back safely, no data loss).
+

release/11.0.2+2026.2.1

@@ -0,0 +1,9 @@
+This patch release adds a `clear_assets` command to fix stale font files after upgrading authentik.
+
+If fonts are missing after an upgrade (404 errors in browser console, or missing icons), the `assets` Docker volume contains stale files from the previous image. To fix:
+
+    abra app cmd <app-name> app clear_assets --user root
+    abra app undeploy <app-name> 
+    abra app deploy <app-name> 
+
+After redeploying, Docker repopulates the empty volume from the new image. If customize assets was used before, re-run `customize` afterwards.

wordpress.yaml.tmpl

@@ -52,7 +52,7 @@ entries:
     name: {{ env "WORDPRESS_GROUP" }}
   attrs:
     users:
-    - 1
+    - 6
   id: wordpress_group
   model: authentik_core.group