New approach to custom CSS relying on COPY_ASSETS

.drone.yml

@@ -23,7 +23,7 @@ steps:
       FLOW_INVALIDATION_VERSION: v1
       FLOW_RECOVERY_VERSION: v1
       FLOW_TRANSLATION_VERSION: v1
-      SYSTEM_TENANT_VERSION: v1
+      SYSTEM_BRAND_VERSION: v1
       NEXTCLOUD_CONFIG_VERSION: v1
       SECRET_SECRET_KEY_VERSION: v1
       SECRET_DB_PASSWORD_VERSION: v1

.env.sample

@@ -1,10 +1,12 @@
 TYPE=authentik
-TIMEOUT=300
+TIMEOUT=900
 ENABLE_AUTO_UPDATE=true
-POST_DEPLOY_CMDS="app set_admin_pass|worker apply_blueprints"
+# POST_DEPLOY_CMDS="worker set_admin_pass|worker apply_blueprints|worker add_applications"
 LETS_ENCRYPT_ENV=production
 
 DOMAIN=authentik.example.com
+## Domain aliases
+#EXTRA_DOMAINS=', `www.authentik.example.com`'
 COMPOSE_FILE="compose.yml"
 AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME=false
 AUTHENTIK_LOG_LEVEL=info
@@ -12,6 +14,9 @@ AUTHENTIK_LOG_LEVEL=info
 # AUTHENTIK_FOOTER_LINKS='[{"name": "My Organization","href":"https://example.com"}]'
 # WORKERS=1
 
+## Outpost Integration
+# COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml"
+
 ## EMAIL
 AUTHENTIK_EMAIL__HOST=smtp
 AUTHENTIK_EMAIL__PORT=587
@@ -29,7 +34,6 @@ SECRET_ADMIN_PASS_VERSION=v1
 SECRET_EMAIL_PASS_VERSION=v1
 
 # X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
-AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
 
 ## FLOW OPTIONS
 # WELCOME_MESSAGE="Welcome to Authentik"
@@ -42,6 +46,12 @@ COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
 COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/"
 COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 
+# Default CSS customisation, just background colour
+COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
+AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
+# Custommise the entire custom CSS file
+#COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
+
 # COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
 # NEXTCLOUD_DOMAIN=nextcloud.example.com
 # SECRET_NEXTCLOUD_ID_VERSION=v1
@@ -50,12 +60,13 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.wordpress.yml"
 # WORDPRESS_DOMAIN=wordpress.example.com
+# WORDPRESS_GROUP='wordpress Admins'
 # SECRET_WORDPRESS_ID_VERSION=v1
 # SECRET_WORDPRESS_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS wordpress:~/.abra/recipes/authentik/icons/wordpress.png"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
-# ELEMENT_DOMAIN=element.example.com
+# ELEMENT_DOMAIN=element-web.example.com
 # SECRET_MATRIX_ID_VERSION=v1
 # SECRET_MATRIX_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS matrix:~/.abra/recipes/authentik/icons/matrix.svg"
@@ -65,3 +76,37 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 # SECRET_WEKAN_ID_VERSION=v1
 # SECRET_WEKAN_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS wekan:~/.abra/recipes/authentik/icons/wekan.png"
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.vikunja.yml"
+# VIKUNJA_DOMAIN=vikunja.example.com
+# SECRET_VIKUNJA_ID_VERSION=v1
+# SECRET_VIKUNJA_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS vikunja:~/.abra/recipes/authentik/icons/vikunja.svg"
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.outline.yml"
+# OUTLINE_DOMAIN=outline.example.com
+# SECRET_OUTLINE_ID_VERSION=v1
+# SECRET_OUTLINE_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS outline:~/.abra/recipes/authentik/icons/outline.png"
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml"
+# MONITORING_DOMAIN=monitoring.example.com
+# SECRET_MONITORING_ID_VERSION=v1
+# SECRET_MONITORING_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.png"
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.rallly.yml"
+# RALLLY_DOMAIN=rallly.example.com
+# SECRET_RALLLY_ID_VERSION=v1
+# SECRET_RALLLY_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS rallly:~/.abra/recipes/authentik/icons/rallly.png"
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.hedgedoc.yml"
+# HEDGEDOC_DOMAIN=hedgedoc.example.com
+# SECRET_HEDGEDOC_ID_VERSION=v1
+# SECRET_HEDGEDOC_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS hedgedoc:~/.abra/recipes/authentik/icons/hedgedoc.png"
+
+# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/"}'
+# APP_ICONS="$APP_ICONS Calendar:~/.abra/recipes/authentik/icons/calendar.svg"
+# APP_ICONS="$APP_ICONS BBB:~/.abra/recipes/authentik/icons/bbb.jpg"

README.md

@@ -54,6 +54,18 @@ Set the nextcloud Icon using `abra app cmd -l -d <app_name> set_icons`
 
 The configuration inside Nextcloud can be found in the [nextcloud recipe](https://git.coopcloud.tech/coop-cloud/nextcloud#authentik-integration)
 
+## Import User from CSV
+
+Users can be imported from a CSV file of the following format:
+
+`First and last name, username, email@example.com, group1;group2;group3`
+
+Run the following command to import the file `users.csv`:
+
+`abra app cmd -l <app_name> import_user users.csv`
+
+Users will only be created if the username does not exits. I a group does not exists it will be created.
+
 ## Customization
 
 Place the files you want to overwrite in a directory `<assets_path>`.
@@ -75,40 +87,108 @@ Run this command after every deploy/upgrade:
 
 `abra app command --local <app-name> customize <assets_path>`
 
+## Email templates
+
+Add custom [email templates](https://goauthentik.io/docs/flow/stages/email/#custom-templates):
+
+`abra app cmd -l <app_name> add_email_templates local/path/to/mail_template.html`
+
 ## Blueprints
 
-Blueprint Dependency Requirements:
+These blueprints overwrite default blueprint values:
+
+- flow_translation.yaml
+- flow_authentication.yaml
+
+The following default blueprints will be overwritten by customizations:
+
+- flow-password-change.yaml
+- flow-default-authentication-flow.yaml
+- flow-default-user-settings-flow.yaml
+- flow-default-source-enrollment.yaml
+
+The `abra.sh` function `apply_blueprints` needs to be executed to deactivate these blueprints to ensure that the customizations won't be overwritten. It will further execute flow_translation.yaml and flow_authentication.yaml again.
+
+
+### Blueprint Overwrite/Use Dependencies
 
 - Recovery with email verification
     - Default - Password change flow
+        - USE:
+            - `default-password-change-prompt`
+            - `default-password-change-write`
     - Default - Authentication flow
+        - USE:
+            - `default-authentication-login`
 - Custom Authentication Flow
     - Default - Authentication flow
+        - USE:
+            - `default-authentication-password`
+        - OVERWRITE:
+            - `default-authentication-flow`
+        - APPEND:
+            - `default-authentication-identification`
+            - `default-authentication-login`
+        - REMOVE: `authentik_flows.flowstagebinding order:20`
     - Recovery with email verification
+        - USE:
+            - `default-recovery-flow`
 - Invitation Enrollment Flow
     - Default - User settings flow
+        - USE:
+            - `default-user-settings-field-name`
+            - `default-user-settings-field-email`
+    - Default - Password change flow
+        - USE:
+            - `default-password-change-field-password`
+            - `default-password-change-field-password-repeat`
     - Default - Authentication flow
+        - USE:
+            - `default-authentication-login`
     - Default - Source enrollment flow
+        - USE:
+            - `default-source-enrollment-field-username`
+            - `default-source-enrollment-write`
 - Custom Invalidation Flow
     - Default - Invalidation flow
+        - APPEND_ATTR:
+            - `authentik_flows.flowstagebinding order: 0`
 - Flow Translations
     - Recovery with email verification
+        - APPEND: `default-recovery-flow`
     - Default - Password change flow
+        - OVERWRITE:
+           - `default-password-change-field-password`
+           - `default-password-change-field-password-repeat`
     - Default - User settings flow
+        - OVERWRITE:
+            - `default-user-settings-field-username`
+            - `default-user-settings-field-name`
     - Default - Source enrollment flow
-- Custom System Tenant
-    - Default - Tenant
+        - OVERWRITE:
+            - `default-source-enrollment-field-username`
+- Custom System Brand
+    - Default - Brand
+        - APPEND: `authentik_brands.brand  domain: authentik-default`
     - Recovery with email verification
+        - USE:
+            - `default-recovery-flow`
 
 
-Blueprint Dependency Graph:
+### Blueprint Dependency Execution Order
 
-5. Custom System Tenant
-    - Default - Tenant
+5. Custom System Brand
+    - Default - Brand
+    1. Recovery with email verification
+        - Default - Authentication flow
+            - Default - Password change flow
 4. Invitation Enrollment Flow
     3. Flow Translations
         - Default - User settings flow
         - Default - Source enrollment flow
+        1. Recovery with email verification
+            - Default - Authentication flow
+                - Default - Password change flow
 2. Custom Authentication Flow
     1. Recovery with email verification
         - Default - Authentication flow

abra.sh

@@ -1,14 +1,20 @@
 export CUSTOM_CSS_VERSION=v2
-export FLOW_AUTHENTICATION_VERSION=v1
-export FLOW_INVITATION_VERSION=v1
-export FLOW_INVALIDATION_VERSION=v1
+export FLOW_AUTHENTICATION_VERSION=v4
+export FLOW_INVITATION_VERSION=v2
+export FLOW_INVALIDATION_VERSION=v2
 export FLOW_RECOVERY_VERSION=v1
-export FLOW_TRANSLATION_VERSION=v1
-export SYSTEM_TENANT_VERSION=v1
+export FLOW_TRANSLATION_VERSION=v3
+export SYSTEM_BRAND_VERSION=v3
 export NEXTCLOUD_CONFIG_VERSION=v1
-export WORDPRESS_CONFIG_VERSION=v1
+export WORDPRESS_CONFIG_VERSION=v2
 export MATRIX_CONFIG_VERSION=v1
-export WEKAN_CONFIG_VERSION=v1
+export WEKAN_CONFIG_VERSION=v3
+export VIKUNJA_CONFIG_VERSION=v1
+export OUTLINE_CONFIG_VERSION=v2
+export RALLLY_CONFIG_VERSION=v2
+export HEDGEDOC_CONFIG_VERSION=v1
+export MONITORING_CONFIG_VERSION=v1
+export DB_ENTRYPOINT_VERSION=v1
 
 customize() {
     if [ -z "$1" ]
@@ -25,6 +31,42 @@ customize() {
     done
 }
 
+import_user() {
+    if [ -z "$1" ]
+    then
+            echo "Usage: ... import_user <users.csv>"
+            exit 1
+    fi
+    source_file=$1
+    filename=$(basename $source_file)
+    abra app cp $APP_NAME $source_file worker:/tmp/
+    abra app cmd -T $APP_NAME worker _import_user $filename
+}
+
+_import_user() {
+/manage.py shell -c """
+import csv
+new_user = User()
+with open('/tmp/$1', newline='') as file:
+  reader = csv.reader(file)
+  for row in reader:
+    name = row[0].strip()
+    username = row[1].strip()
+    email = row[2].strip()
+    groups = row[3].split(';')
+    if User.objects.filter(username=username):
+        continue
+    new_user = User.objects.create(name=name, username=username, email=email)
+    for group_name in groups:
+        group_name = group_name.strip()
+        if Group.objects.filter(name=group_name):
+            group = Group.objects.get(name=group_name)
+        else:
+            group = Group.objects.create(name=group_name)
+        group.users.add(new_user)
+""" 2>&1 | quieten
+}
+
 set_admin_pass() {
 password=$(cat /run/secrets/admin_pass)
 token=$(cat /run/secrets/admin_token)
@@ -49,7 +91,7 @@ else:
         key=key,
     )
     print('Created authentik-bootstrap-token')
-"""
+""" 2>&1 | quieten
 }
 
 rotate_db_pass() {
@@ -57,15 +99,24 @@ rotate_db_pass() {
     psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
 }
 
+# This function is for blueprints that are overwriting custom blueprints
+# It deactivates the affected custom blueprints to avoid changes to be reverted
 apply_blueprints() {
-    enable_blueprint default/flow-default-authentication-flow.yaml
-    enable_blueprint default/flow-default-user-settings-flow.yaml
-    enable_blueprint default/flow-password-change.yaml
-    ak apply_blueprint 6_flow_invalidation.yaml 
-    ak apply_blueprint 5_system_tenant.yaml
-    disable_blueprint default/flow-default-authentication-flow.yaml
-    disable_blueprint default/flow-default-user-settings-flow.yaml
-    disable_blueprint default/flow-password-change.yaml
+    update_and_disable_blueprint default/flow-password-change.yaml
+    update_and_disable_blueprint default/flow-default-authentication-flow.yaml
+    update_and_disable_blueprint default/flow-default-user-settings-flow.yaml
+    update_and_disable_blueprint default/flow-default-source-enrollment.yaml
+    
+    apply_blueprint 3_flow_translation.yaml
+    apply_blueprint 2_flow_authentication.yaml
+}
+
+update_and_disable_blueprint() {
+    enable_blueprint $@ 2>&1 | quieten
+    sleep 1
+    apply_blueprint $@
+    sleep 1
+    disable_blueprint $@ 2>&1 | quieten
 }
 
 disable_blueprint() {
@@ -76,17 +127,60 @@ enable_blueprint() {
     blueprint_state True $@
 }
 
+apply_blueprint() {
+    echo apply blueprint $@
+    ak apply_blueprint $@ 2>&1 | quieten
+}
+
 blueprint_state() {
 /manage.py shell -c """
+import time
 blueprint_state=$1
 blueprint_path='$2'
 blueprint = BlueprintInstance.objects.filter(path=blueprint_path).first()
 blueprint.enabled = blueprint_state
+# Hacky workaround to reduce chance of a race condition
+blueprint.save()
+time.sleep(1)
+blueprint.save()
+time.sleep(1)
+blueprint.save()
 print(f'{blueprint.name} enabled: {blueprint.enabled}')
-"""
+""" 2>&1 | quieten
 
 }
 
+add_applications(){
+/manage.py shell -c """
+import json
+if '$APPLICATIONS' == '':
+    exit()
+applications = json.loads('$APPLICATIONS')
+for name, url in applications.items():
+    print(f'Add {name}: {url}')
+    app = Application.objects.filter(name=name).first()
+    if not app:
+        app = Application()
+    app.name = name
+    app.slug = name.replace(' ', '-')
+    app.meta_launch_url = url
+    app.open_in_new_tab = True
+    app.save()
+""" 2>&1 | quieten
+}
+
+
+quieten(){
+    grep -v -e '{"event"' -e '{"action"'
+}
+
+add_email_templates(){
+for file_path in "$@"; do
+    echo copy template $file_path
+    abra app cp $APP_NAME $file_path app:/templates/
+done
+}
+
 set_icons(){
 for icon in $APP_ICONS; do
     app=$(echo $icon | cut -d ":" -f1)
@@ -124,7 +218,7 @@ delete_flows = ['default-recovery-flow' , 'custom-authentication-flow' , 'invita
 Flow.objects.filter(slug__in=delete_flows).delete()
 Stage.objects.filter(flow=None).delete()
 Prompt.objects.filter(promptstage=None).delete()
-Tenant.objects.filter(default=True).delete()
-"""
+Brand.objects.filter(default=True).delete()
+""" 2>&1 | quieten
 apply_blueprints
 }

compose.css.yml

@@ -0,0 +1,14 @@
+---
+version: '3.8'
+
+services:
+  app:
+    configs: 
+      - source: custom_css
+        target: /web/dist/custom.css
+
+configs:
+  custom_css:
+    name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
+    file: custom.css.tmpl
+    template_driver: golang

compose.hedgedoc.yml

@@ -0,0 +1,26 @@
+version: "3.8"
+services:
+  worker:
+    secrets:
+      - hedgedoc_id
+      - hedgedoc_secret
+    environment:
+      - HEDGEDOC_DOMAIN
+    configs:
+      - source: hedgedoc
+        target: /blueprints/hedgedoc.yaml
+
+secrets:
+  hedgedoc_id:
+    external: true
+    name: ${STACK_NAME}_hedgedoc_id_${SECRET_HEDGEDOC_ID_VERSION}
+  hedgedoc_secret:
+    external: true
+    name: ${STACK_NAME}_hedgedoc_secret_${SECRET_HEDGEDOC_SECRET_VERSION}
+
+
+configs:
+  hedgedoc:
+    name: ${STACK_NAME}_hedgedoc_${HEDGEDOC_CONFIG_VERSION}
+    file: hedgedoc.yaml.tmpl
+    template_driver: golang

compose.monitoring.yml

@@ -0,0 +1,26 @@
+version: "3.8"
+services:
+  worker:
+    secrets:
+      - monitoring_id
+      - monitoring_secret
+    environment:
+      - MONITORING_DOMAIN 
+    configs:
+      - source: monitoring
+        target: /blueprints/monitoring.yaml
+
+secrets:
+  monitoring_id:
+    external: true
+    name: ${STACK_NAME}_monitoring_id_${SECRET_MONITORING_ID_VERSION}
+  monitoring_secret:
+    external: true
+    name: ${STACK_NAME}_monitoring_secret_${SECRET_MONITORING_SECRET_VERSION}
+
+
+configs:
+  monitoring:
+    name: ${STACK_NAME}_monitoring_${MONITORING_CONFIG_VERSION}
+    file: monitoring.yaml.tmpl
+    template_driver: golang

compose.outline.yml

@@ -0,0 +1,26 @@
+version: "3.8"
+services:
+  worker:
+    secrets:
+      - outline_id
+      - outline_secret
+    environment:
+      - OUTLINE_DOMAIN
+    configs:
+      - source: outline
+        target: /blueprints/outline.yaml
+
+secrets:
+  outline_id:
+    external: true
+    name: ${STACK_NAME}_outline_id_${SECRET_OUTLINE_ID_VERSION}
+  outline_secret:
+    external: true
+    name: ${STACK_NAME}_outline_secret_${SECRET_OUTLINE_SECRET_VERSION}
+
+
+configs:
+  outline:
+    name: ${STACK_NAME}_outline_${OUTLINE_CONFIG_VERSION}
+    file: outline.yaml.tmpl
+    template_driver: golang

compose.outposts.yml

@@ -0,0 +1,6 @@
+version: "3.8"
+services:
+  worker:
+    user: root
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock

compose.rallly.yml

@@ -0,0 +1,26 @@
+version: "3.8"
+services:
+  worker:
+    secrets:
+      - rallly_id
+      - rallly_secret
+    environment:
+      - RALLLY_DOMAIN
+    configs:
+      - source: rallly
+        target: /blueprints/rallly.yaml
+
+secrets:
+  rallly_id:
+    external: true
+    name: ${STACK_NAME}_rallly_id_${SECRET_RALLLY_ID_VERSION}
+  rallly_secret:
+    external: true
+    name: ${STACK_NAME}_rallly_secret_${SECRET_RALLLY_SECRET_VERSION}
+
+
+configs:
+  rallly:
+    name: ${STACK_NAME}_rallly_${RALLLY_CONFIG_VERSION}
+    file: rallly.yaml.tmpl
+    template_driver: golang

compose.vikunja.yml

@@ -0,0 +1,26 @@
+version: "3.8"
+services:
+  worker:
+    secrets:
+      - vikunja_id
+      - vikunja_secret
+    environment:
+      - VIKUNJA_DOMAIN
+    configs:
+      - source: vikunja
+        target: /blueprints/vikunja.yaml
+
+secrets:
+  vikunja_id:
+    external: true
+    name: ${STACK_NAME}_vikunja_id_${SECRET_VIKUNJA_ID_VERSION}
+  vikunja_secret:
+    external: true
+    name: ${STACK_NAME}_vikunja_secret_${SECRET_VIKUNJA_SECRET_VERSION}
+
+
+configs:
+  vikunja:
+    name: ${STACK_NAME}_vikunja_${VIKUNJA_CONFIG_VERSION}
+    file: vikunja.yaml.tmpl
+    template_driver: golang

compose.wordpress.yml

@@ -6,6 +6,7 @@ services:
       - wordpress_secret
     environment:
       - WORDPRESS_DOMAIN
+      - WORDPRESS_GROUP
     configs:
       - source: wordpress
         target: /blueprints/wordpress.yaml

compose.yml

@@ -27,12 +27,16 @@ x-env: &env
     - EMAIL_TOKEN_EXPIRY_MINUTES
     - DOMAIN
     - LOGOUT_REDIRECT
+    - APPLICATIONS
 
 version: '3.8'
 services:
   app:
-    image: ghcr.io/goauthentik/server:2023.3.1
+    image: ghcr.io/goauthentik/server:2024.4.0
     command: server
+    depends_on:
+      - db
+      - redis
     secrets:
       - db_password
       - admin_pass
@@ -42,18 +46,16 @@ services:
     volumes:
       - media:/media
       - assets:/web/dist/assets
-    configs:
-      - source: custom_css
-        target: /web/dist/custom.css
+      - templates:/templates
     networks:
       - internal
       - proxy
     healthcheck:
-      test: ["CMD", "curl", "-f", "localhost:9000/-/health/live/"]
+      test: "bash -c 'printf \"GET / HTTP/1.1\n\n\" > /dev/tcp/127.0.0.1/9000; exit $$?;'"
       interval: 30s
       timeout: 10s
       retries: 10
-      start_period: 1m
+      start_period: 5m
     environment: *env
     deploy:
       update_config:
@@ -63,7 +65,7 @@ services:
         - "traefik.enable=true"
         - "traefik.docker.network=proxy"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=9000"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions"
@@ -71,12 +73,15 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=3.1.1+2023.3.1"
+        - "coop-cloud.${STACK_NAME}.version=5.2.1+2024.4.0"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
 
   worker:
-    image: ghcr.io/goauthentik/server:2023.3.1
+    image: ghcr.io/goauthentik/server:2024.4.0
     command: worker
+    depends_on:
+      - db
+      - redis
     secrets:
       - db_password
       - admin_pass
@@ -86,12 +91,11 @@ services:
     networks:
       - internal
       - proxy
-    user: root
     volumes:
       - backups:/backups
       - media:/media
-      - /var/run/docker.sock:/var/run/docker.sock
       - /dev/null:/blueprints/default/flow-oobe.yaml
+      - templates:/templates
     configs:
       - source: flow_recovery
         target: /blueprints/1_flow_recovery.yaml
@@ -101,22 +105,28 @@ services:
         target: /blueprints/3_flow_translation.yaml
       - source: flow_invitation
         target: /blueprints/4_flow_invitation.yaml
-      - source: system_tenant
-        target: /blueprints/5_system_tenant.yaml
+      - source: system_brand
+        target: /blueprints/5_system_brand.yaml
       - source: flow_invalidation
         target: /blueprints/6_flow_invalidation.yaml
     environment: *env
 
   db:
-    image: postgres:12.14-alpine
+    image: postgres:15.5
     secrets:
       - db_password
+    configs:
+      - source: db_entrypoint
+        target: /docker-entrypoint.sh
+        mode: 0555
+    entrypoint:
+      /docker-entrypoint.sh
     volumes:
       - database:/var/lib/postgresql/data
     networks:
       - internal
     healthcheck:
-      test: ["CMD", "pg_isready"]
+      test: ["CMD", "pg_isready", "-U", "authentik"]
       interval: 30s
       timeout: 10s
       retries: 10
@@ -128,16 +138,16 @@ services:
     deploy:
       labels:
           backupbot.backup: "true"
-          backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$$(cat /run/secrets/db_password) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /tmp/backup/backup.sql"
-          backupbot.backup.post-hook: "rm -rf /tmp/backup"
-          backupbot.backup.path: "/tmp/backup/"
+          backupbot.backup.pre-hook: "PGPASSWORD=$$(cat /run/secrets/db_password) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
+          backupbot.backup.post-hook: "rm -rf /var/lib/postgresql/data/backup.sql"
+          backupbot.backup.path: "/var/lib/postgresql/data"
 
   redis:
-    image:  redis:7.0.10-alpine
+    image:  redis:7.2.4-alpine
     networks:
       - internal
     healthcheck:
-      test: ["CMD", "redis-cli","ping"]
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
       interval: 30s
       timeout: 10s
       retries: 10
@@ -168,14 +178,11 @@ networks:
 volumes:
   backups:
   media:
+  templates:
   assets:
   database:
 
 configs:
-  custom_css:
-    name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
-    file: custom.css.tmpl
-    template_driver: golang
   flow_authentication:
     name: ${STACK_NAME}_flow_authentication_${FLOW_AUTHENTICATION_VERSION}
     file: flow_authentication.yaml.tmpl
@@ -196,7 +203,11 @@ configs:
     name: ${STACK_NAME}_flow_translation_${FLOW_TRANSLATION_VERSION}
     file: flow_translation.yaml.tmpl
     template_driver: golang
-  system_tenant:
-    name: ${STACK_NAME}_system_tenant_${SYSTEM_TENANT_VERSION}
-    file: system_tenant.yaml.tmpl
+  system_brand:
+    name: ${STACK_NAME}_system_brand_${SYSTEM_BRAND_VERSION}
+    file: system_brand.yaml.tmpl
+    template_driver: golang
+  db_entrypoint:
+    name: ${STACK_NAME}_db_entrypoint_${DB_ENTRYPOINT_VERSION}
+    file: entrypoint.postgres.sh.tmpl
     template_driver: golang

custom_flows.yaml.tmpl

@@ -384,7 +384,7 @@ entries:
     enabled: {{ if eq (env "LOGOUT_REDIRECT") "" }} false {{ else }} true {{ end }}
     timeout: 30
 
-######## System Tenant ##########
+######## System Brand ##########
 - attrs:
     attributes:
       settings:
@@ -401,5 +401,5 @@ entries:
     flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
   identifiers:
     pk: 047cce25-aae2-4b02-9f96-078e155f803d
-  id: system_tenant
-  model: authentik_tenants.tenant
+  id: system_brand
+  model: authentik_brands.brand

entrypoint.postgres.sh.tmpl

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+set -e
+
+MIGRATION_MARKER=$PGDATA/migration_in_progress
+OLDDATA=$PGDATA/old_data
+NEWDATA=$PGDATA/new_data
+
+if [ -e $MIGRATION_MARKER ]; then
+  echo "FATAL: migration was started but did not complete in a previous run. manual recovery necessary"
+  exit 1
+fi
+
+if [ -f $PGDATA/PG_VERSION ]; then
+  DATA_VERSION=$(cat $PGDATA/PG_VERSION)
+
+  if [ -n "$DATA_VERSION" -a "$PG_MAJOR" != "$DATA_VERSION" ]; then
+    echo "postgres data version $DATA_VERSION found, but need $PG_MAJOR. Starting migration"
+    echo "Installing postgres $DATA_VERSION"
+    sed -i "s/$/ $DATA_VERSION/" /etc/apt/sources.list.d/pgdg.list
+    apt-get update && apt-get install -y --no-install-recommends \
+      postgresql-$DATA_VERSION \
+      && rm -rf /var/lib/apt/lists/*
+    echo "shuffling around"
+    chown -R postgres:postgres $PGDATA
+    gosu postgres mkdir $OLDDATA $NEWDATA
+    chmod 700 $OLDDATA $NEWDATA
+    mv $PGDATA/* $OLDDATA/ || true
+    touch $MIGRATION_MARKER
+    echo "running initdb"
+    # abuse entrypoint script for initdb by making server error out
+    gosu postgres bash -c "export PGDATA=$NEWDATA ; /usr/local/bin/docker-entrypoint.sh --invalid-arg || true"
+    echo "running pg_upgrade"
+    cd /tmp
+    gosu postgres pg_upgrade --link -b /usr/lib/postgresql/$DATA_VERSION/bin -d $OLDDATA -D $NEWDATA -U $POSTGRES_USER
+    cp $OLDDATA/pg_hba.conf $NEWDATA/
+    mv $NEWDATA/* $PGDATA
+    rm -rf $OLDDATA
+    rmdir $NEWDATA
+    rm $MIGRATION_MARKER
+    echo "migration complete"
+  fi
+fi
+
+/usr/local/bin/docker-entrypoint.sh postgres

flow_authentication.yaml.tmpl

@@ -22,7 +22,6 @@ entries:
   attrs:
     name: !Context welcome_message
     title: !Context welcome_message
-
 ### STAGES
 - identifiers:
     name: default-authentication-identification
@@ -30,13 +29,17 @@ entries:
   attrs:
     password_stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]]
     recovery_flow: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
+    user_fields:
+    - email
+    - username
 
 - identifiers:
     name: default-authentication-login
   model: authentik_stages_user_login.userloginstage
   attrs:
-    session_duration: seconds=0
+    session_duration: days=30
 
+# After the first run this will produce a RelatedObjectDoesNotExist error
 - identifiers:
     order: 20
     stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]]

flow_invalidation.yaml.tmpl

@@ -13,6 +13,7 @@ entries:
 
 ### STAGE BINDINGS
 
+# This is specified only for setting an id (this stagebinding does not have an identifier)
 - identifiers:
     order: 0
     stage: !Find [authentik_stages_user_logout.userlogoutstage, [name, default-invalidation-logout]]

flow_invitation.yaml.tmpl

@@ -24,6 +24,18 @@ entries:
   id: invitation-enrollment-flow
   model: authentik_flows.flow
 
+### POLICIES
+- attrs:
+    expression: |
+      if not regex_match(request.context.get('prompt_data').get('username'), '\s'):
+          return True
+      ak_message("Username must not contain any whitespace!")
+      return False
+  id: username-without-spaces-policy
+  identifiers:
+    name: username-without-spaces-policy
+  model: authentik_policies_expression.expressionpolicy
+
 ### STAGES
 - identifiers:
     name: invitation-stage
@@ -41,6 +53,8 @@ entries:
       - !Find [authentik_stages_prompt.prompt, [name, default-user-settings-field-email]]
       - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password]]
       - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password-repeat]]
+    validation_policies:
+      - !Find [ authentik_policies_expression.expressionpolicy, [name, username-without-spaces-policy]]
 
 ### STAGE BINDINGS
 - identifiers:

flow_translation.yaml.tmpl

@@ -4,7 +4,7 @@ metadata:
     blueprints.goauthentik.io/instantiate: "true"
   name: Flow Translations
 context:
-  transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort Zurücksetzen" {{ else }} "Reset your password" {{ end }}
+  transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort zurücksetzen" {{ else }} "Reset your password" {{ end }}
   transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort" {{ else }} "Password" {{ end }}
   transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort (wiederholen)" {{ else }} "Password (repeat)" {{ end }}
   transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Benutzername" {{ else }} "Username" {{ end }}
@@ -15,7 +15,7 @@ entries:
 - model: authentik_blueprints.metaapplyblueprint
   attrs:
     identifiers:
-      name: Custom Authentication Flow
+      name: Recovery with email verification
     required: true
 - model: authentik_blueprints.metaapplyblueprint
   attrs:

hedgedoc.yaml.tmpl

@@ -0,0 +1,43 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: hedgedoc
+
+entries:
+
+- attrs:
+    access_code_validity: minutes=1
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    client_id: {{ secret  "hedgedoc_id" }}
+    client_secret: {{ secret  "hedgedoc_secret" }}
+    client_type: confidential
+    include_claims_in_id_token: true
+    issuer_mode: per_provider
+    name: Hedgedoc
+    property_mappings:
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sub_mode: hashed_user_id
+    token_validity: days=30
+  conditions: []
+  id: hedgedoc_provider
+  identifiers:
+    pk: 9992
+  model: authentik_providers_oauth2.oauth2provider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "HEDGEDOC_DOMAIN" }}
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf hedgedoc_provider
+    slug: hedgedoc
+  conditions: []
+  id: hedgedoc_application
+  identifiers:
+    name: Hedgedoc
+  model: authentik_core.application
+  state: present

icons/calendar.svg

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://www.w3.org/2000/svg" version="1.1" xml:space="preserve" height="32" width="32" enable-background="new 0 0 595.275 311.111" y="0px" x="0px" xmlns:cc="http://creativecommons.org/ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" viewBox="0 0 32 32"><rect rx="5" ry="5" height="32" width="32" y="-.0000052588" x="0" fill="#0082c9"/><g transform="matrix(.89286 0 0 .89286 520.21 -.19331)"><path fill="#fff" d="m-572.71 3.5765c-1.108 0-2 0.892-2 2v4c0 1.108 0.892 2 2 2s2-0.892 2-2v-4c0-1.108-0.892-2-2-2zm16 0c-1.108 0-2 0.892-2 2v4c0 1.108 0.892 2 2 2s2-0.892 2-2v-4c0-1.108-0.892-2-2-2zm-13 4v2c0 1.662-1.338 3-3 3s-3-1.338-3-3v-1.875c-1.728 0.44254-3 2.0052-3 3.875v16c0 2.216 1.784 4 4 4h20c2.216 0 4-1.784 4-4v-16c0-1.8698-1.272-3.4325-3-3.875v1.875c0 1.662-1.338 3-3 3s-3-1.338-3-3v-2h-10zm-5.9062 9h21.812c0.0554 0 0.0937 0.03835 0.0937 0.09375v11.812c0 0.0554-0.0384 0.09375-0.0937 0.09375h-21.812c-0.0554 0-0.0937-0.03835-0.0937-0.09375v-11.812c0-0.0554 0.0384-0.09375 0.0937-0.09375z"/></g></svg>

icons/monitoring.svg

@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 21.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 142.5 145.6" style="enable-background:new 0 0 142.5 145.6;" xml:space="preserve">
+<style type="text/css">
+	.st0{fill:#565656;}
+	.st1{fill:url(#SVGID_1_);}
+</style>
+<g>
+	<path class="st0" d="M28.7,131.5c-0.3,7.9-6.6,14.1-14.4,14.1C6.1,145.6,0,139,0,130.9s6.6-14.7,14.7-14.7c3.6,0,7.2,1.6,10.2,4.4
+		l-2.3,2.9c-2.3-2-5.1-3.4-7.9-3.4c-5.9,0-10.8,4.8-10.8,10.8c0,6.1,4.6,10.8,10.4,10.8c5.2,0,9.3-3.8,10.2-8.8H12.6v-3.5h16.1
+		V131.5z"/>
+	<path class="st0" d="M42.3,129.5h-2.2c-2.4,0-4.4,2-4.4,4.4v11.4h-3.9v-19.6H35v1.6c1.1-1.1,2.7-1.6,4.6-1.6h4.2L42.3,129.5z"/>
+	<path class="st0" d="M63.7,145.3h-3.4v-2.5c-2.6,2.5-6.6,3.7-10.7,1.9c-3-1.3-5.3-4.1-5.9-7.4c-1.2-6.3,3.7-11.9,9.9-11.9
+		c2.6,0,5,1.1,6.7,2.8v-2.5h3.4V145.3z M59.7,137c0.9-4-2.1-7.6-6-7.6c-3.4,0-6.1,2.8-6.1,6.1c0,3.8,3.3,6.7,7.2,6.1
+		C57.1,141.2,59.1,139.3,59.7,137z"/>
+	<path class="st0" d="M71.5,124.7v1.1h6.2v3.4h-6.2v16.1h-3.8v-20.5c0-4.3,3.1-6.8,7-6.8h4.7l-1.6,3.7h-3.1
+		C72.9,121.6,71.5,123,71.5,124.7z"/>
+	<path class="st0" d="M98.5,145.3h-3.3v-2.5c-2.6,2.5-6.6,3.7-10.7,1.9c-3-1.3-5.3-4.1-5.9-7.4c-1.2-6.3,3.7-11.9,9.9-11.9
+		c2.6,0,5,1.1,6.7,2.8v-2.5h3.4v19.6H98.5z M94.5,137c0.9-4-2.1-7.6-6-7.6c-3.4,0-6.1,2.8-6.1,6.1c0,3.8,3.3,6.7,7.2,6.1
+		C92,141.2,93.9,139.3,94.5,137z"/>
+	<path class="st0" d="M119.4,133.8v11.5h-3.9v-11.6c0-2.4-2-4.4-4.4-4.4c-2.5,0-4.4,2-4.4,4.4v11.6h-3.9v-19.6h3.2v1.7
+		c1.4-1.3,3.3-2,5.2-2C115.8,125.5,119.4,129.2,119.4,133.8z"/>
+	<path class="st0" d="M142.4,145.3h-3.3v-2.5c-2.6,2.5-6.6,3.7-10.7,1.9c-3-1.3-5.3-4.1-5.9-7.4c-1.2-6.3,3.7-11.9,9.9-11.9
+		c2.6,0,5,1.1,6.7,2.8v-2.5h3.4v19.6H142.4z M138.4,137c0.9-4-2.1-7.6-6-7.6c-3.4,0-6.1,2.8-6.1,6.1c0,3.8,3.3,6.7,7.2,6.1
+		C135.9,141.2,137.8,139.3,138.4,137z"/>
+</g>
+<linearGradient id="SVGID_1_" gradientUnits="userSpaceOnUse" x1="71.25" y1="10.4893" x2="71.25" y2="113.3415" gradientTransform="matrix(1 0 0 -1 0 148.6)">
+	<stop  offset="0" style="stop-color:#FCEE1F"/>
+	<stop  offset="1" style="stop-color:#F15B2A"/>
+</linearGradient>
+<path class="st1" d="M122.9,49.9c-0.2-1.9-0.5-4.1-1.1-6.5c-0.6-2.4-1.6-5-2.9-7.8c-1.4-2.7-3.1-5.6-5.4-8.3
+	c-0.9-1.1-1.9-2.1-2.9-3.2c1.6-6.3-1.9-11.8-1.9-11.8c-6.1-0.4-9.9,1.9-11.3,2.9c-0.2-0.1-0.5-0.2-0.7-0.3c-1-0.4-2.1-0.8-3.2-1.2
+	c-1.1-0.3-2.2-0.7-3.3-0.9c-1.1-0.3-2.3-0.5-3.5-0.7c-0.2,0-0.4-0.1-0.6-0.1C83.5,3.6,75.9,0,75.9,0c-8.7,5.6-10.4,13.1-10.4,13.1
+	s0,0.2-0.1,0.4c-0.5,0.1-0.9,0.3-1.4,0.4c-0.6,0.2-1.3,0.4-1.9,0.7c-0.6,0.3-1.3,0.5-1.9,0.8c-1.3,0.6-2.5,1.2-3.8,1.9
+	c-1.2,0.7-2.4,1.4-3.5,2.2c-0.2-0.1-0.3-0.2-0.3-0.2c-11.7-4.5-22.1,0.9-22.1,0.9c-0.9,12.5,4.7,20.3,5.8,21.7
+	c-0.3,0.8-0.5,1.5-0.8,2.3c-0.9,2.8-1.5,5.7-1.9,8.7c-0.1,0.4-0.1,0.9-0.2,1.3c-10.8,5.3-14,16.3-14,16.3c9,10.4,19.6,11,19.6,11
+	l0,0c1.3,2.4,2.9,4.7,4.6,6.8c0.7,0.9,1.5,1.7,2.3,2.6c-3.3,9.4,0.5,17.3,0.5,17.3c10.1,0.4,16.7-4.4,18.1-5.5c1,0.3,2,0.6,3,0.9
+	c3.1,0.8,6.3,1.3,9.4,1.4c0.8,0,1.6,0,2.4,0h0.4H80h0.5H81l0,0c4.7,6.8,13.1,7.7,13.1,7.7c5.9-6.3,6.3-12.4,6.3-13.8l0,0
+	c0,0,0,0,0-0.1s0-0.2,0-0.2l0,0c0-0.1,0-0.2,0-0.3c1.2-0.9,2.4-1.8,3.6-2.8c2.4-2.1,4.4-4.6,6.2-7.2c0.2-0.2,0.3-0.5,0.5-0.7
+	c6.7,0.4,11.4-4.2,11.4-4.2c-1.1-7-5.1-10.4-5.9-11l0,0c0,0,0,0-0.1-0.1l-0.1-0.1l0,0l-0.1-0.1c0-0.4,0.1-0.8,0.1-1.3
+	c0.1-0.8,0.1-1.5,0.1-2.3v-0.6v-0.3v-0.1c0-0.2,0-0.1,0-0.2v-0.5v-0.6c0-0.2,0-0.4,0-0.6s0-0.4-0.1-0.6l-0.1-0.6l-0.1-0.6
+	c-0.1-0.8-0.3-1.5-0.4-2.3c-0.7-3-1.9-5.9-3.4-8.4c-1.6-2.6-3.5-4.8-5.7-6.8c-2.2-1.9-4.6-3.5-7.2-4.6c-2.6-1.2-5.2-1.9-7.9-2.2
+	c-1.3-0.2-2.7-0.2-4-0.2h-0.5h-0.1h-0.2h-0.2h-0.5c-0.2,0-0.4,0-0.5,0c-0.7,0.1-1.4,0.2-2,0.3c-2.7,0.5-5.2,1.5-7.4,2.8
+	c-2.2,1.3-4.1,3-5.7,4.9s-2.8,3.9-3.6,6.1c-0.8,2.1-1.3,4.4-1.4,6.5c0,0.5,0,1.1,0,1.6c0,0.1,0,0.3,0,0.4v0.4c0,0.3,0,0.5,0.1,0.8
+	c0.1,1.1,0.3,2.1,0.6,3.1c0.6,2,1.5,3.8,2.7,5.4s2.5,2.8,4,3.8s3,1.7,4.6,2.2c1.6,0.5,3.1,0.7,4.5,0.6c0.2,0,0.4,0,0.5,0
+	c0.1,0,0.2,0,0.3,0s0.2,0,0.3,0c0.2,0,0.3,0,0.5,0h0.1h0.1c0.1,0,0.2,0,0.3,0c0.2,0,0.4-0.1,0.5-0.1c0.2,0,0.3-0.1,0.5-0.1
+	c0.3-0.1,0.7-0.2,1-0.3c0.6-0.2,1.2-0.5,1.8-0.7c0.6-0.3,1.1-0.6,1.5-0.9c0.1-0.1,0.3-0.2,0.4-0.3c0.5-0.4,0.6-1.1,0.2-1.6
+	c-0.4-0.4-1-0.5-1.5-0.3C88,74,87.9,74,87.7,74.1c-0.4,0.2-0.9,0.4-1.3,0.5c-0.5,0.1-1,0.3-1.5,0.4c-0.3,0-0.5,0.1-0.8,0.1
+	c-0.1,0-0.3,0-0.4,0c-0.1,0-0.3,0-0.4,0s-0.3,0-0.4,0c-0.2,0-0.3,0-0.5,0c0,0-0.1,0,0,0h-0.1h-0.1c-0.1,0-0.1,0-0.2,0
+	s-0.3,0-0.4-0.1c-1.1-0.2-2.3-0.5-3.4-1c-1.1-0.5-2.2-1.2-3.1-2.1c-1-0.9-1.8-1.9-2.5-3.1c-0.7-1.2-1.1-2.5-1.3-3.8
+	c-0.1-0.7-0.2-1.4-0.1-2.1c0-0.2,0-0.4,0-0.6c0,0.1,0,0,0,0v-0.1v-0.1c0-0.1,0-0.2,0-0.3c0-0.4,0.1-0.7,0.2-1.1c0.5-3,2-5.9,4.3-8.1
+	c0.6-0.6,1.2-1.1,1.9-1.5c0.7-0.5,1.4-0.9,2.1-1.2c0.7-0.3,1.5-0.6,2.3-0.8s1.6-0.4,2.4-0.4c0.4,0,0.8-0.1,1.2-0.1
+	c0.1,0,0.2,0,0.3,0h0.3h0.2c0.1,0,0,0,0,0h0.1h0.3c0.9,0.1,1.8,0.2,2.6,0.4c1.7,0.4,3.4,1,5,1.9c3.2,1.8,5.9,4.5,7.5,7.8
+	c0.8,1.6,1.4,3.4,1.7,5.3c0.1,0.5,0.1,0.9,0.2,1.4v0.3V66c0,0.1,0,0.2,0,0.3c0,0.1,0,0.2,0,0.3v0.3v0.3c0,0.2,0,0.6,0,0.8
+	c0,0.5-0.1,1-0.1,1.5c-0.1,0.5-0.1,1-0.2,1.5s-0.2,1-0.3,1.5c-0.2,1-0.6,1.9-0.9,2.9c-0.7,1.9-1.7,3.7-2.9,5.3
+	c-2.4,3.3-5.7,6-9.4,7.7c-1.9,0.8-3.8,1.5-5.8,1.8c-1,0.2-2,0.3-3,0.3H81h-0.2h-0.3H80h-0.3c0.1,0,0,0,0,0h-0.1
+	c-0.5,0-1.1,0-1.6-0.1c-2.2-0.2-4.3-0.6-6.4-1.2c-2.1-0.6-4.1-1.4-6-2.4c-3.8-2-7.2-4.9-9.9-8.2c-1.3-1.7-2.5-3.5-3.5-5.4
+	s-1.7-3.9-2.3-5.9c-0.6-2-0.9-4.1-1-6.2v-0.4v-0.1v-0.1v-0.2V60v-0.1v-0.1v-0.2v-0.5V59l0,0v-0.2c0-0.3,0-0.5,0-0.8
+	c0-1,0.1-2.1,0.3-3.2c0.1-1.1,0.3-2.1,0.5-3.2c0.2-1.1,0.5-2.1,0.8-3.2c0.6-2.1,1.3-4.1,2.2-6c1.8-3.8,4.1-7.2,6.8-9.9
+	c0.7-0.7,1.4-1.3,2.2-1.9c0.3-0.3,1-0.9,1.8-1.4c0.8-0.5,1.6-1,2.5-1.4c0.4-0.2,0.8-0.4,1.3-0.6c0.2-0.1,0.4-0.2,0.7-0.3
+	c0.2-0.1,0.4-0.2,0.7-0.3c0.9-0.4,1.8-0.7,2.7-1c0.2-0.1,0.5-0.1,0.7-0.2c0.2-0.1,0.5-0.1,0.7-0.2c0.5-0.1,0.9-0.2,1.4-0.4
+	c0.2-0.1,0.5-0.1,0.7-0.2c0.2,0,0.5-0.1,0.7-0.1c0.2,0,0.5-0.1,0.7-0.1l0.4-0.1l0.4-0.1c0.2,0,0.5-0.1,0.7-0.1
+	c0.3,0,0.5-0.1,0.8-0.1c0.2,0,0.6-0.1,0.8-0.1c0.2,0,0.3,0,0.5-0.1h0.3h0.2h0.2c0.3,0,0.5,0,0.8-0.1h0.4c0,0,0.1,0,0,0h0.1h0.2
+	c0.2,0,0.5,0,0.7,0c0.9,0,1.8,0,2.7,0c1.8,0.1,3.6,0.3,5.3,0.6c3.4,0.6,6.7,1.7,9.6,3.2c2.9,1.4,5.6,3.2,7.8,5.1
+	c0.1,0.1,0.3,0.2,0.4,0.4c0.1,0.1,0.3,0.2,0.4,0.4c0.3,0.2,0.5,0.5,0.8,0.7c0.3,0.2,0.5,0.5,0.8,0.7c0.2,0.3,0.5,0.5,0.7,0.8
+	c1,1,1.9,2.1,2.7,3.1c1.6,2.1,2.9,4.2,3.9,6.2c0.1,0.1,0.1,0.2,0.2,0.4c0.1,0.1,0.1,0.2,0.2,0.4s0.2,0.5,0.4,0.7
+	c0.1,0.2,0.2,0.5,0.3,0.7c0.1,0.2,0.2,0.5,0.3,0.7c0.4,0.9,0.7,1.8,1,2.7c0.5,1.4,0.8,2.6,1.1,3.6c0.1,0.4,0.5,0.7,0.9,0.7
+	c0.5,0,0.8-0.4,0.8-0.9C123,52.7,123,51.4,122.9,49.9z"/>
+</svg>

icons/vikunja.svg

@@ -0,0 +1,12 @@
+<svg xmlns="http://www.w3.org/2000/svg" xml:space="preserve" viewBox="0 0 256 256" width="256" height="256">
+  <path d="M2268.2 2512.3a953.7 953.7 0 0 1-50 57c-180.5 189.5-426.2 294-691.6 294A953.7 953.7 0 0 1 847.8 2582a952.7 952.7 0 0 1-281.2-678.8 953.8 953.8 0 0 1 281.2-678.9 953.7 953.7 0 0 1 678.8-281.1 953.7 953.7 0 0 1 678.8 281.1 953.7 953.7 0 0 1 281.2 678.9c0 219.2-78.9 437.2-218.4 609" style="fill:#196aff;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
+  <path d="M1823.7 1650.9c35.7 104.2 94.7 136.1 102 297 2.6 56.5-14.7 236-14.7 236s28 72-25.8 152.3c-83.5 124.3-255.4 132.8-345.7 132.8-90.3 0-260.2-8.5-343.7-132.8C1142 2256 1170 2184 1170 2184s-9.5-92.4-16.7-173.8c-1.7-19.1.1-94.7 2.4-113a453 453 0 0 1 25.8-96.2c14.4-39.6 36.8-79.9 54-120.5 51.8-122.8 8.4-274.9 11.1-407.3 2.2-94-20-189.3-28.7-281.2a960.4 960.4 0 0 1 308.7-50.6 958.6 958.6 0 0 1 344.9 63.6c-20.4 115-44.1 224.2-47.8 265.9-10.6 125.9-41.3 259.4 0 380" style="fill:#fff;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36655635" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
+  <path d="M1162.9 2383.9c1.1-18.8 3-38 8.3-56.2 1.6-5.7 4-19.7 11.4-21.8 9-2.6 25.9 8.3 32.3 13 12.3 9 23.9 18.5 36.2 27.6 8 6 16.5 10.5 24.3 16.5 8.4 6.6 14.7 14.5 21.7 22.2 8.4 9.4 14.8 19 21.3 29.5 5.1 8.2 37.1 13.5 42.2 21 5.6 8.3 1 18.6 1 28.7 0 74.2 4.4 147.6 6.1 220.3 1.8 50 21.4 109.2-53.4 85.8-160.3-50-158.5-271.3-151.4-386.6M1869.1 2279.7c-1.6 1.8-4.2 3.2-6.3 4.8a208 208 0 0 0-25.1 21.5c-9.4 9.6-19.2 19-28.2 28.9-7.9 8.7-17.3 16.6-25 25.6-5.1 6-10 12.3-14.6 18.5-2.3 3.2-3.5 7-5.3 10.4-2.7 5-40 10.1-36.2 15 6.3 8.3 20.3 15.4 23.7 25 17.2 48.6 24.8 244.5 26.8 294.5 5.4 127.8 117.6-6.3 137.2-57.7 57-149.7 23.2-258.8-46.3-386.6" style="fill:#fff;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
+  <path d="M1716.5 1787.9c-.1 73.8-9.3 103.6-50.4 139.7-25.8 22.6-55.9 31.2-103.8 30-47.9 1.2-82.4-13.4-107.3-39.2-37.5-39-47.4-62-47.5-135.9 0-39.9 43-128.1 55.7-148.5 21.3-36 60.6-48.9 99.1-46.2 38.6-2.7 77.9 10.3 99.1 46.2 12.8 20.4 55.1 107 55 153.9" style="fill:#f1e6d3;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
+  <path d="M1226.6 2316c-9.6 86.2-38.6 240 61.5 331.3 11 10.1 14-24.2 15.8-38 2.6-19 0-73.5.4-92.6.7-36.1 8.3-55 4.7-71.5-9.6-45-17.3-42.2-26.5-69.6-18.3-54.4-53.3-83-55.9-59.5M1851.7 2333c10.3-18.2 37 80.3 45.4 123.2 8 40.3 18 93.8 4 133.9-7.4 21.5-53 84.5-58.4 62.9-2-8.5-3.2-71.1-8.3-101.1-6.4-37.1-18-73.8-18-111.6-.2-84.5 25.3-88 35.3-107.2" style="fill:#f1d7d4;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
+  <path d="M1522 1319.7c-2.2-6.5-18.6-11.4-24.8-13.3-14.9-4.9-28.1 6.9-36.4 16.8-11.6 13.7-11.3 35.6-16.2 51.6-2.9 9.7-19.5 11-24.5 2-16.6-29.8-81.1 26.4-66.1 45.2 9.9 12.3-13.8 23.2-23.6 11-29-36.1 49-103.4 93.6-85.2 2-9 4-18 8-26.6 7.4-16.9 23.9-27.8 41-37 23.1-12.4 68.2 9.5 75 30.3 4.9 14.5-21.2 19.7-26 5.2M1727.6 1538.2c2.4-10 2.8-44-16-25.4-7.5 7.5-22.6 3-23.2-7-1.4-23.4-24.9-24-45.1-16.9-16 5.6-24.6-16.6-8.6-22.1 29.7-10.4 62-4.6 74.7 17.8 10.1-4.7 21.5-6 30.7 2.6 16 15 18.4 36.2 13.7 55.7-3.5 14.8-29.7 10.1-26.2-4.7M1775 1049.2c-7-14.3-19.8-13.4-33.6-7.4-10.1 4.4-22.6-2.8-19.6-13 6.2-20.6-19.7-26.6-37.3-19.3-15.4 6.5-28.8-13.8-13.2-20.3 31.6-13.2 71.7-1.6 77.5 26.2 20.4-3.3 39.8 2.4 49.4 22.3 6.7 13.6-16.4 25.4-23.2 11.5M1569.8 2153.3c-3.3-20.2-41.1 3.3-50.5 9.7-8.3 5.5-19 2.1-20-7.3-1.4-12.7-18.5-9-26.3-7.4-14.8 3-27.4 12.2-27.7 26-.4 13.6 8.2 27.7 12.6 40.4 2.9 8-8.7 17-17.2 11.5-15.2-9.7-88.7-18.5-59.4 13.6 9.3 10.2-7.1 24.8-16.6 14.5-13.5-14.8-22.6-48.7 6.6-56 15.5-3.7 37.8-3.5 56.8.8-8-25.5-9.6-48.8 23.2-65.1 22.1-11.1 52.5-11 65.4 6 27.2-14.5 69.7-28.7 75.6 7.8 2.1 13-20.4 18.5-22.5 5.5" style="fill:#faeee0;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
+  <path d="M1443 1685.6c39.4-3.4 78.8-12.3 118.5-10.9 25.4 1 51.7 4.5 76.8 8.2 18.2 2.7 40.5 6 52.7 19.4 1-45-92.6-59.1-128.9-60-42.1-1-89.5 17.2-119 43.3" style="fill:#494949;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
+  <path d="M1549.4 1779.5a353.5 353.5 0 0 1-2.7-87.3c.7-7.6-1.3-25.7 8.8-29.5 8.2-3 18.3 2.7 19.7 10.1 2.2 12.5-3 28.2-3.5 41-.5 14.9 0 29.8 1.6 44.7 1 8.8 5.9 20.7-4.2 27-7.4 4.5-18.3 2.8-19.7-6" style="fill:#494949;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
+  <path d="M1626 1849.7c-23.7-1-45.7-14.2-63.4-27-16.1 10.7-40.5 20.5-60.7 14.8-12-3.4-1.1-7.1 4-10.3 9.2-6.2 16.8-14.2 23.7-22.4 10.3-12.6 19.6-25.8 30.7-38 7.6 5.6 15 11.1 21.6 17.6 3.1 3 28.5 37 32.4 42.7 2.4 3.6 5 7.4 7.8 10.8 2.9 3.5 11 9 3.9 11.8" style="fill:#494949;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
+  <path d="M1326.5 2010c11.7 30.3 24.3 68.4 56.3 62.4 24.2-5.2 56.7-86.2 36-78.2-11.3 4.4-20.3 41.1-41.4 46-13.4 3-32-43.6-50-48.4-8.7-2.3-4.3 10.4-.9 18.2M1670.6 2010c11.7 30.3 24.2 68.4 56.3 62.4 24.2-5.2 56.7-86.2 35.9-78.2-11.3 4.4-20.2 41.1-41.3 46-13.5 3-32-43.6-50-48.4-8.7-2.3-4.4 10.4-1 18.2" style="fill:#2c3844;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:.36633128" transform="matrix(.13333 0 0 -.13333 -75.5 381.8)"/>
+</svg>

monitoring.yaml.tmpl

@@ -0,0 +1,43 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: monitoring 
+
+entries:
+
+- attrs:
+    access_code_validity: minutes=1
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    client_id: {{ secret  "monitoring_id" }}
+    client_secret: {{ secret  "monitoring_secret" }}
+    client_type: confidential
+    include_claims_in_id_token: true
+    issuer_mode: per_provider
+    name: Monitoring
+    property_mappings:
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sub_mode: user_username
+    token_validity: days=30
+  conditions: []
+  id: monitoring_provider
+  identifiers:
+    pk: 9994
+  model: authentik_providers_oauth2.oauth2provider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "MONITORING_DOMAIN" }}
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf monitoring_provider
+    slug: monitoring 
+  conditions: []
+  id: monitoring_application
+  identifiers:
+    name: Monitoring 
+  model: authentik_core.application
+  state: present

outline.yaml.tmpl

@@ -0,0 +1,43 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: outline
+
+entries:
+
+- attrs:
+    access_code_validity: minutes=1
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    client_id: {{ secret  "outline_id" }}
+    client_secret: {{ secret  "outline_secret" }}
+    client_type: confidential
+    include_claims_in_id_token: true
+    issuer_mode: per_provider
+    name: Outline
+    property_mappings:
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sub_mode: hashed_user_id
+    token_validity: days=30
+  conditions: []
+  id: outline_provider
+  identifiers:
+    pk: 9994
+  model: authentik_providers_oauth2.oauth2provider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "OUTLINE_DOMAIN" }}
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf outline_provider
+    slug: outline
+  conditions: []
+  id: outline_application
+  identifiers:
+    name: Outline
+  model: authentik_core.application
+  state: present

rallly.yaml.tmpl

@@ -0,0 +1,43 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: rallly
+
+entries:
+
+- attrs:
+    access_code_validity: minutes=1
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    client_id: {{ secret  "rallly_id" }}
+    client_secret: {{ secret  "rallly_secret" }}
+    client_type: confidential
+    include_claims_in_id_token: true
+    issuer_mode: per_provider
+    name: Rallly
+    property_mappings:
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sub_mode: hashed_user_id
+    token_validity: days=30
+  conditions: []
+  id: rallly_provider
+  identifiers:
+    pk: 9993
+  model: authentik_providers_oauth2.oauth2provider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "RALLLY_DOMAIN" }}
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf rallly_provider
+    slug: rallly
+  conditions: []
+  id: rallly_application
+  identifiers:
+    name: Rallly
+  model: authentik_core.application
+  state: present

release/3.2.0+2023.6.1

@@ -0,0 +1 @@
+If you use your own outpost you need to uncomment COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml" to expose the docker socket again.

release/4.0.0+2023.10.5

@@ -0,0 +1 @@
+It is only possible to upgrade to 2023.10 from 2023.8, you need to update to 2023.8.x before applying this update

release/5.0.0+2024.2.2

@@ -0,0 +1 @@
+Blueprint changes are applied and automatic migrations should work, however, manual action may be required: https://docs.goauthentik.io/docs/releases/2024.2

release/5.1.0+2024.2.3

@@ -0,0 +1 @@
+Due to blueprint changes, you need to run the following command after upgrading: abra app cmd -C <Domain> worker apply_blueprints

system_brand.yaml.tmpl

@@ -2,26 +2,26 @@ version: 1
 metadata:
   labels:
     blueprints.goauthentik.io/instantiate: "true"
-  name: Custom System Tenant
+  name: Custom System brand
 entries:
 ### DEPENDENCIES
 - model: authentik_blueprints.metaapplyblueprint
   attrs:
     identifiers:
-      name: Default - Tenant
+      name: Default - Brand
     required: true
 - model: authentik_blueprints.metaapplyblueprint
   attrs:
     identifiers:
-      name: Invitation Enrollment Flow
+      name: Recovery with email verification
     required: true
 
 
-### SYSTEM TENANT
-# remove custom tenant from old recipe
+### SYSTEM BRAND
+# remove custom brand from old recipe
 - identifiers:
     domain: {{ env "DOMAIN" }}
-  model: authentik_tenants.tenant
+  model: authentik_brands.brand
   state: absent
 
 - attrs:
@@ -32,4 +32,4 @@ entries:
   identifiers:
     default: true
     domain: authentik-default
-  model: authentik_tenants.tenant
+  model: authentik_brands.brand

vikunja.yaml.tmpl

@@ -0,0 +1,43 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: vikunja
+
+entries:
+
+- attrs:
+    access_code_validity: minutes=1
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    client_id: {{ secret  "vikunja_id" }}
+    client_secret: {{ secret  "vikunja_secret" }}
+    client_type: confidential
+    include_claims_in_id_token: true
+    issuer_mode: per_provider
+    name: Vikunja
+    property_mappings:
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sub_mode: hashed_user_id
+    token_validity: days=30
+  conditions: []
+  id: vikunja_provider
+  identifiers:
+    pk: 9995
+  model: authentik_providers_oauth2.oauth2provider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "VIKUNJA_DOMAIN" }}
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf vikunja_provider
+    slug: vikunja
+  conditions: []
+  id: vikunja_application
+  identifiers:
+    name: Vikunja
+  model: authentik_core.application
+  state: present

wekan.yaml.tmpl

@@ -5,6 +5,23 @@ metadata:
   name: wekan
 
 entries:
+- attrs:
+    description: wekan
+    expression: "groupsDict = {\"wekanGroups\": []}\nfor group in request.user.ak_groups.all():\n\
+      \  my_attributes = group.attributes\n  my_attributes[\"displayName\"] = group.name\n\
+      \  my_attributes[\"isAdmin\"] = group.attributes[\"isAdmin\"] if 'isAdmin' in group.attributes else group.is_superuser\n\
+      \  my_attributes[\"isActive\"] = group.attributes[\"\
+      isActive\"] if 'isActive' in group.attributes else True\n  my_attributes[\"\
+      forceCreate\"] = group.attributes[\"forceCreate\"] if 'forceCreate' in group.attributes\
+      \ else True\n  groupsDict[\"wekanGroups\"].append(my_attributes)\nreturn groupsDict"
+    managed: null
+    scope_name: wekan
+  conditions: []
+  id: wekan_group_mapping
+  identifiers:
+    name: wekan
+  model: authentik_providers_oauth2.scopemapping
+  state: present
 
 - attrs:
     access_code_validity: minutes=1
@@ -19,8 +36,9 @@ entries:
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
     - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    - !KeyOf wekan_group_mapping
     signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
-    sub_mode: user_username
+    sub_mode: hashed_user_id
     token_validity: days=30
   conditions: []
   id: wekan_provider

wordpress.yaml.tmpl

@@ -41,3 +41,19 @@ entries:
     name: Wordpress
   model: authentik_core.application
   state: present
+
+{{ if ne (env "WORDPRESS_GROUP") "" }} 
+- identifiers:
+    name: {{ env "WORDPRESS_GROUP" }}
+  attrs:
+    users:
+    - 1
+  id: wordpress_group
+  model: authentik_core.group
+
+- identifiers:
+    group: !KeyOf wordpress_group
+    target: !KeyOf wordpress_application
+    order: 0
+  model: authentik_policies.policybinding
+{{ end }}