Updated release notes

style: updated help and support icons
feat: adds envs and rename function to group and rename apps
2025-09-15 16:57:08 +02:00 · 2025-09-15 16:50:59 +02:00 · 2025-09-10 11:00:55 +02:00 · 2025-09-03 13:35:00 +02:00 · 2025-08-13 18:27:09 +02:00 · 2025-07-23 17:29:37 +01:00
58 changed files with 1175 additions and 528 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -23,13 +23,15 @@ steps:
      FLOW_INVALIDATION_VERSION: v1
      FLOW_RECOVERY_VERSION: v1
      FLOW_TRANSLATION_VERSION: v1
-      SYSTEM_TENANT_VERSION: v1
+      SYSTEM_BRAND_VERSION: v1
      NEXTCLOUD_CONFIG_VERSION: v1
      SECRET_SECRET_KEY_VERSION: v1
      SECRET_DB_PASSWORD_VERSION: v1
      SECRET_ADMIN_TOKEN_VERSION: v1
      SECRET_ADMIN_PASS_VERSION: v1
      SECRET_EMAIL_PASS_VERSION: v1
      DB_ENTRYPOINT_VERSION: v1
      PG_BACKUP_VERSION: v2
 trigger:
  branch:
    - main
@ -45,7 +47,7 @@ steps:
        from_secret: drone_abra-bot_token
      fork: true
      repositories:
-        - coop-cloud/auto-recipes-catalogue-json
+        - toolshed/auto-recipes-catalogue-json
 trigger:
  event: tag
--- a/.env.sample
+++ b/.env.sample
@ -1,17 +1,34 @@
 TYPE=authentik
-TIMEOUT=300
+TIMEOUT=900
 ENABLE_AUTO_UPDATE=true
-POST_DEPLOY_CMDS="worker set_admin_pass|worker apply_blueprints|worker add_applications"
+POST_DEPLOY_CMDS="worker set_admin_pass"
 # Example values for post deploy cmds: "worker set_admin_pass|worker apply_blueprints|worker add_applications"
 LETS_ENCRYPT_ENV=production
 ENABLE_BACKUPS=true
 DOMAIN=authentik.example.com
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.authentik.example.com`'
 # Redirects
 # All redirect domains have to be added to extra_domains as well)
 # multiple redirects can be added by seperating them with a | character
 #REDIRECTS=www.authentik.example.com
 COMPOSE_FILE="compose.yml"
 AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME=false
 AUTHENTIK_LOG_LEVEL=info
 # AUTHENTIK_DISABLE_UPDATE_CHECK=false
 # AUTHENTIK_IMPERSONATION=true
 # AUTHENTIK_FOOTER_LINKS='[{"name": "My Organization","href":"https://example.com"}]'
 # WORKERS=1
 ## Outpost Integration
 # COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.ldap.yml"
 # SECRET_LDAP_TOKEN_VERSION=v1
 ## ADMIN
 AUTHENTIK_BOOTSTRAP_EMAIL=admin@example.com
 ## EMAIL
 AUTHENTIK_EMAIL__HOST=smtp
 AUTHENTIK_EMAIL__PORT=587
@ -29,7 +46,6 @@ SECRET_ADMIN_PASS_VERSION=v1
 SECRET_EMAIL_PASS_VERSION=v1
 # X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
 AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
 ## FLOW OPTIONS
 # WELCOME_MESSAGE="Welcome to Authentik"
@ -38,15 +54,37 @@ AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
 # EMAIL_SUBJECT="Account Recovery"
 # EMAIL_TOKEN_EXPIRY_MINUTES=30
 ## assets
 COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
 COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/"
 COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 # store custom CSS in a css-volume
 #COMPOSE_FILE="$COMPOSE_FILE:compose.css-volume.yml"
 # NOTE: this causes the authentik container to run as `root` initially; it uses `su` to drop privileges but technically could introduce a security risk. proceed with caution!
 # Default CSS customisation
 # COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
 # BACKGROUND_FONT_COLOR=white
 # BACKGROUND_BOX_COLOR='#eaeaeacf'
 # THEME_BACKGROUND="url('https://authentik.example.com/static/dist/assets/images/flow_background.jpg'); background-position: center; background-repeat: no-repeat; background-size: cover;"
 # Group Name Variables to cluster Applications
 # GROUP_SUPPORT=Support
 # GROUP_HELP=Help
 # GROUP_ORGANISATION=Organisation
 # GROUP_COMMUNICATION=Communication
 # GROUP_COLLABORATION=Collaboration
 # GROUP_DOCUMENTATION=Documentation
 # GROUP_DEVELOPMENT=Development
 # GROUP_INFRASTRUCTURE=Infrastructure
 # COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
 # NEXTCLOUD_DOMAIN=nextcloud.example.com
 # SECRET_NEXTCLOUD_ID_VERSION=v1
 # SECRET_NEXTCLOUD_SECRET_VERSION=v1
 # APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"
 # NEXTCLOUD_APPGROUP="$GROUP_ORGANISATION"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.wordpress.yml"
 # WORDPRESS_DOMAIN=wordpress.example.com
@ -54,32 +92,69 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 # SECRET_WORDPRESS_ID_VERSION=v1
 # SECRET_WORDPRESS_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS wordpress:~/.abra/recipes/authentik/icons/wordpress.png"
 # WORDPRESS_APPGROUP="$GROUP_DEVELOPMENT"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
-# ELEMENT_DOMAIN=element.example.com
+# ELEMENT_DOMAIN=element-web.example.com
 # MATRIX_DOMAIN=matrix-synapse.example.com
 # SECRET_MATRIX_ID_VERSION=v1
 # SECRET_MATRIX_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS matrix:~/.abra/recipes/authentik/icons/matrix.svg"
 # MATRIX_APPGROUP="$GROUP_COMMUNICATION"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.wekan.yml"
 # WEKAN_DOMAIN=wekan.example.com
 # SECRET_WEKAN_ID_VERSION=v1
 # SECRET_WEKAN_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS wekan:~/.abra/recipes/authentik/icons/wekan.png"
 # WEKAN_APPGROUP="$GROUP_ORGANISATION"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.vikunja.yml"
 # VIKUNJA_DOMAIN=vikunja.example.com
 # SECRET_VIKUNJA_ID_VERSION=v1
 # SECRET_VIKUNJA_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS vikunja:~/.abra/recipes/authentik/icons/vikunja.svg"
 # VIKUNJA_APPGROUP="$GROUP_ORGANISATION"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.outline.yml"
 # OUTLINE_DOMAIN=outline.example.com
 # SECRET_OUTLINE_ID_VERSION=v1
 # SECRET_OUTLINE_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS outline:~/.abra/recipes/authentik/icons/outline.png"
 # OUTLINE_APPGROUP="$GROUP_DOCUMENTATION"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.kimai.yml"
 # KIMAI_DOMAIN=kimai.example.com
 # SECRET_KIMAI_ID_VERSION=v1
 # SECRET_KIMAI_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS kimai:~/.abra/recipes/authentik/icons/kimai_logo.png"
 # KIMAI_APPGROUP="$GROUP_ORGANISATION"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.zammad.yml"
 # ZAMMAD_DOMAIN=zammad.example.com
 # APP_ICONS="$APP_ICONS zammad:~/.abra/recipes/authentik/icons/zammad.svg"
 # ZAMMAD_APPGROUP="$GROUP_SUPPORT"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml"
 # MONITORING_DOMAIN=monitoring.example.com
 # SECRET_MONITORING_ID_VERSION=v1
 # SECRET_MONITORING_SECRET_VERSION=v1
-# APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.png"
+# APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.svg"
 # MONITORING_APPGROUP="$GROUP_INFRASTRUCTURE"
-# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "Rallly":"https://rallly.example.cloud/"}'
+# COMPOSE_FILE="$COMPOSE_FILE:compose.rallly.yml"
-# APP_ICONS="$APP_ICONS Calendar:~/.abra/recipes/authentik/icons/calendar.svg"
+# RALLLY_DOMAIN=rallly.example.com
-# APP_ICONS="$APP_ICONS Rallly:~/.abra/recipes/authentik/icons/rallly.png"
+# SECRET_RALLLY_ID_VERSION=v1
 # SECRET_RALLLY_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS rallly:~/.abra/recipes/authentik/icons/rallly.png"
 # RALLLY_APPGROUP="$GROUP_ORGANISATION"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.hedgedoc.yml"
 # HEDGEDOC_DOMAIN=hedgedoc.example.com
 # SECRET_HEDGEDOC_ID_VERSION=v1
 # SECRET_HEDGEDOC_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS hedgedoc:~/.abra/recipes/authentik/icons/hedgedoc.png"
 # HEDGEDOC_APPGROUP="$GROUP_DOCUMENTATION"
 # APPLICATIONS='{"Calendar": {"url":"https://nextcloud.example.com/apps/calendar/", "group": ""}, "BBB": {"url":"https://nextcloud.example.com/apps/bbb/", "group":""}, "Pretix": {"url":"https://pretix.example.com/control/", "group":""}}'
 # EXTRA_ICONS={"Calendar": "~/.abra/recipes/authentik/icons/calendar.svg", "BBB": "~/.abra/recipes/authentik/icons/bbb.png", "Pretix": "~/.abra/recipes/authentik/icons/pretix.svg"}
--- a/README.md
+++ b/README.md
@ -52,8 +52,26 @@ APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"
 Set the nextcloud Icon using `abra app cmd -l -d <app_name> set_icons`
 Generate OAuth client id and secret using `abra app secret generate <app_name> -a` (all secrets) or individually:
 - `abra app secret generate <app_name> nextcloud_id`
 - `abra app secret generate <app_name> nextcloud_secret`
 Add the id and secret to nextcloud as secrets with:
 - `abra app secret insert <nextcloud_app_name> authentik_id v1 <id>`
 - `abra app secret insert <nextcloud_app_name> authentik_secret v1 <secret>`
 Redeploy Authentik to enable the nextcloud client.
 The configuration inside Nextcloud can be found in the [nextcloud recipe](https://git.coopcloud.tech/coop-cloud/nextcloud#authentik-integration)
 ## Add LDAP outpost
 - Follow [this official guide](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap/generic_setup) and skip the LDAP Flow as we don't need it.
 - Copy token under `Applications` -> `Outposts` `-> `View Deployment Info` 
 - Comment in envs for compose.outposts.ldap.yaml and secret version
 - Insert token as secret `abra app secret insert <DOMAIN> ldap_token v1 <TOKEN>`
 - Update deployment -> Outpost should be up and running
 ## Import User from CSV
 Users can be imported from a CSV file of the following format:
@ -87,44 +105,131 @@ Run this command after every deploy/upgrade:
 `abra app command --local <app-name> customize <assets_path>`
 ## Custom CSS
 Uncomment the following env:
 ```
 COMPOSE_FILE="$COMPOSE_FILE:compose.css-volume.yml"
 ```
 Redeploy the app:
 ```
 abra app deploy -f <app_name>
 ```
 Copy the CSS and restart the container:
 ```
 abra app cp <app_name> my_custom.css app:/web/dist/assets/custom.css
 abra app restart <app_name> app
 ```
 ## Email templates
 Add custom [email templates](https://goauthentik.io/docs/flow/stages/email/#custom-templates):
 `abra app cmd -l <app_name> add_email_templates local/path/to/mail_template.html`
 ## Blueprints
-Blueprint Dependency Requirements:
+These blueprints overwrite default blueprint values:
 - `flow_translation.yaml`
 - `flow_authentication.yaml`
 The following default blueprints will be overwritten by customizations:
 - `flow-password-change.yaml`
 - `flow-default-authentication-flow.yaml`
 - `flow-default-user-settings-flow.yaml`
 - `flow-default-source-enrollment.yaml`
 The `abra.sh` function `apply_blueprints` needs to be executed to deactivate these blueprints to ensure that the customizations won't be overwritten. It will further execute flow_translation.yaml and flow_authentication.yaml again.
 ### Blueprint Overwrite/Use Dependencies
 - Recovery with email verification
    - Default - Password change flow
        - USE:
            - `default-password-change-prompt`
            - `default-password-change-write`
    - Default - Authentication flow
        - USE:
            - `default-authentication-login`
 - Custom Authentication Flow
    - Default - Authentication flow
        - USE:
            - `default-authentication-password`
        - OVERWRITE:
            - `default-authentication-flow`
        - APPEND:
            - `default-authentication-identification`
            - `default-authentication-login`
        - REMOVE: `authentik_flows.flowstagebinding order:20`
    - Recovery with email verification
        - USE:
            - `default-recovery-flow`
 - Invitation Enrollment Flow
    - Default - User settings flow
        - USE:
            - `default-user-settings-field-name`
            - `default-user-settings-field-email`
    - Default - Password change flow
        - USE:
            - `default-password-change-field-password`
            - `default-password-change-field-password-repeat`
    - Default - Authentication flow
        - USE:
            - `default-authentication-login`
    - Default - Source enrollment flow
        - USE:
            - `default-source-enrollment-field-username`
            - `default-source-enrollment-write`
 - Custom Invalidation Flow
    - Default - Invalidation flow
        - APPEND_ATTR:
            - `authentik_flows.flowstagebinding order: 0`
 - Flow Translations
    - Recovery with email verification
        - APPEND: `default-recovery-flow`
    - Default - Password change flow
        - OVERWRITE:
           - `default-password-change-field-password`
           - `default-password-change-field-password-repeat`
    - Default - User settings flow
        - OVERWRITE:
            - `default-user-settings-field-username`
            - `default-user-settings-field-name`
    - Default - Source enrollment flow
- Custom System Tenant
+        - OVERWRITE:
-    - Default - Tenant
+            - `default-source-enrollment-field-username`
 - Custom System Brand
    - Default - Brand
        - APPEND: `authentik_brands.brand  domain: authentik-default`
    - Recovery with email verification
        - USE:
            - `default-recovery-flow`
-Blueprint Dependency Graph:
+### Blueprint Dependency Execution Order
-5. Custom System Tenant
+5. Custom System Brand
-    - Default - Tenant
+    - Default - Brand
-    4. Invitation Enrollment Flow
+    1. Recovery with email verification
-        3. Flow Translations
+        - Default - Authentication flow
-            - Default - User settings flow
+            - Default - Password change flow
-            - Default - Source enrollment flow
+4. Invitation Enrollment Flow
-            2. Custom Authentication Flow
+    3. Flow Translations
-                1. Recovery with email verification
+        - Default - User settings flow
-                    - Default - Authentication flow
+        - Default - Source enrollment flow
-                        - Default - Password change flow
+        1. Recovery with email verification
            - Default - Authentication flow
                - Default - Password change flow
 2. Custom Authentication Flow
    1. Recovery with email verification
        - Default - Authentication flow
            - Default - Password change flow
 6. Custom Invalidation Flow
    - Default - Invalidation flow
--- a/abra.sh
+++ b/abra.sh
@ -1,16 +1,24 @@
-export CUSTOM_CSS_VERSION=v2
+export CUSTOM_CSS_VERSION=v3
-export FLOW_AUTHENTICATION_VERSION=v1
+export FLOW_AUTHENTICATION_VERSION=v4
-export FLOW_INVITATION_VERSION=v1
+export FLOW_INVITATION_VERSION=v2
-export FLOW_INVALIDATION_VERSION=v1
+export FLOW_INVALIDATION_VERSION=v2
-export FLOW_RECOVERY_VERSION=v1
+export FLOW_RECOVERY_VERSION=v2
-export FLOW_TRANSLATION_VERSION=v1
+export FLOW_TRANSLATION_VERSION=v3
-export SYSTEM_TENANT_VERSION=v1
+export SYSTEM_BRAND_VERSION=v4
-export NEXTCLOUD_CONFIG_VERSION=v1
+export NEXTCLOUD_CONFIG_VERSION=v3
-export WORDPRESS_CONFIG_VERSION=v2
+export WORDPRESS_CONFIG_VERSION=v4
-export MATRIX_CONFIG_VERSION=v1
+export MATRIX_CONFIG_VERSION=v3
-export WEKAN_CONFIG_VERSION=v3
+export WEKAN_CONFIG_VERSION=v5
-export VIKUNJA_CONFIG_VERSION=v1
+export VIKUNJA_CONFIG_VERSION=v3
-export MONITORING_CONFIG_VERSION=v1
+export OUTLINE_CONFIG_VERSION=v4
 export KIMAI_CONFIG_VERSION=v3
 export ZAMMAD_CONFIG_VERSION=v4
 export RALLLY_CONFIG_VERSION=v4
 export HEDGEDOC_CONFIG_VERSION=v3
 export MONITORING_CONFIG_VERSION=v4
 export DB_ENTRYPOINT_VERSION=v1
 export PG_BACKUP_VERSION=v2
 export ENTRYPOINT_CSS_VERSION=v1
 customize() {
    if [ -z "$1" ]
@ -27,6 +35,15 @@ customize() {
    done
 }
 shell(){
    if [ -z "$1" ]
    then
            echo "Usage: ... shell <python code>"
            exit 1
    fi
    ak shell -c "$1" 2>&1 | quieten
 }
 import_user() {
    if [ -z "$1" ]
    then
@ -51,15 +68,19 @@ with open('/tmp/$1', newline='') as file:
    email = row[2].strip()
    groups = row[3].split(';')
    if User.objects.filter(username=username):
        print(f'{username} already exists')
        continue
    new_user = User.objects.create(name=name, username=username, email=email)
    print(f'{username} created')
    for group_name in groups:
        group_name = group_name.strip()
        if Group.objects.filter(name=group_name):
            group = Group.objects.get(name=group_name)
        else:
            group = Group.objects.create(name=group_name)
            print(f'{group_name} created')
        group.users.add(new_user)
        print(f'add {username} to group {group_name}')
 """ 2>&1 | quieten
 }
@ -67,6 +88,16 @@ set_admin_pass() {
 password=$(cat /run/secrets/admin_pass)
 token=$(cat /run/secrets/admin_token)
 /manage.py shell -c """
 import time
 i = 0
 while (not User.objects.filter(username='akadmin')):
    print('Waiting for akadmin to be created...')
    time.sleep(10)
    i += 1
    if i > 6:
        print('Failed to find admin user!')
        exit()
 akadmin = User.objects.get(username='akadmin')
 akadmin.set_password('$password')
 akadmin.save()
@ -95,15 +126,24 @@ rotate_db_pass() {
    psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
 }
 # This function is for blueprints that are overwriting custom blueprints
 # It deactivates the affected custom blueprints to avoid changes to be reverted
 apply_blueprints() {
-    enable_blueprint default/flow-default-authentication-flow.yaml
+    update_and_disable_blueprint default/flow-password-change.yaml
-    enable_blueprint default/flow-default-user-settings-flow.yaml
+    update_and_disable_blueprint default/flow-default-authentication-flow.yaml
-    enable_blueprint default/flow-password-change.yaml
+    update_and_disable_blueprint default/flow-default-user-settings-flow.yaml
-    ak apply_blueprint 6_flow_invalidation.yaml 2>&1 | quieten
+    update_and_disable_blueprint default/flow-default-source-enrollment.yaml
-    ak apply_blueprint 5_system_tenant.yaml 2>&1 | quieten
+    
-    disable_blueprint default/flow-default-authentication-flow.yaml
+    apply_blueprint 3_flow_translation.yaml
-    disable_blueprint default/flow-default-user-settings-flow.yaml
+    apply_blueprint 2_flow_authentication.yaml
-    disable_blueprint default/flow-password-change.yaml
+}
 update_and_disable_blueprint() {
    enable_blueprint $@ 2>&1 | quieten
    sleep 1
    apply_blueprint $@
    sleep 1
    disable_blueprint $@ 2>&1 | quieten
 }
 disable_blueprint() {
@ -114,42 +154,93 @@ enable_blueprint() {
    blueprint_state True $@
 }
 apply_blueprint() {
    echo apply blueprint $@
    ak apply_blueprint $@ 2>&1 | quieten
 }
 blueprint_state() {
 /manage.py shell -c """
 import time
 blueprint_state=$1
 blueprint_path='$2'
 blueprint = BlueprintInstance.objects.filter(path=blueprint_path).first()
 blueprint.enabled = blueprint_state
 # Hacky workaround to reduce chance of a race condition
 blueprint.save()
 time.sleep(1)
 blueprint.save()
 time.sleep(1)
 blueprint.save()
 print(f'{blueprint.name} enabled: {blueprint.enabled}')
 """ 2>&1 | quieten
 }
 # This function adds each application with its name, slug and group if passed
 add_applications(){
 export APPLICATIONS
 /manage.py shell -c """
 import json
-if '$APPLICATIONS' == '':
+import os
 if os.environ['APPLICATIONS'] == '':
    exit()
-applications = json.loads('$APPLICATIONS')
+applications = json.loads(os.environ['APPLICATIONS'])
-for name, url in applications.items():
+for name, details in applications.items():
-    print(f'Add {name}: {url}')
+    url = details['url']
    app = Application.objects.filter(name=name).first()
    if not app:
        app = Application()
    app.name = name
    app.slug = name.replace(' ', '-')
    app.meta_launch_url = url
    group = details['group']
    if group:
        app.group = group
        print(f'Add {name}: {url} in group: {group}')
    else:
        print(f'Add {name}: {url}')
    app.open_in_new_tab = True
    app.save()
 """ 2>&1 | quieten
 }
 ## This function is for renaming apps - usage: rename "old name" "new name"
 rename() {
    /manage.py shell -c """
    old_name = '$1'
    new_name = '$2' if '$2' else old_name
    app = Application.objects.filter(name=old_name).first()
    if app:
        app.name = new_name
        app.save()
        print(f'Renamed application from {old_name} to {new_name}')
    else:
        print(f'No application found with name: {old_name}')
    """ > /dev/null 2>&1
 }
 quieten(){
-    grep -v '{"event"'
+    # 'SyntaxWarning|version_regex|"http\['
    # is a workaround to get rid of some verbose syntax warnings, this might be fixed with another version
    grep -Pv '"level": "(info|debug)"|SyntaxWarning|version_regex|"http\[|RuntimeWarning:'
 }
 add_email_templates(){
 for file_path in "$@"; do
    echo copy template $file_path
    abra app cp $APP_NAME $file_path app:/templates/
 done
 }
 set_icons(){
 if [ -n "$1" ]
 then
 APP_ICONS="$1"
 fi
 for icon in $APP_ICONS; do
    app=$(echo $icon | cut -d ":" -f1)
    file_path=$(eval echo $(echo $icon | cut -d ":" -f2))
@ -160,6 +251,22 @@ for icon in $APP_ICONS; do
 done
 }
 set_extra_icons(){
    if [ -z "$EXTRA_ICONS" ]
    then
        echo "Variable EXTRA_ICONS is not set"
        exit 1
    fi
    export EXTRA_ICONS
    icon_key_values=$(python3 -c "
 import json
 import os
 for key, value in json.loads(os.environ['EXTRA_ICONS']).items():
    print(f'{key}:{value}')
 ")
    set_icons "$icon_key_values"
 }
 set_app_icon() {
 TOKEN=$(cat /run/secrets/admin_token)
 python -c """
@ -186,7 +293,26 @@ delete_flows = ['default-recovery-flow' , 'custom-authentication-flow' , 'invita
 Flow.objects.filter(slug__in=delete_flows).delete()
 Stage.objects.filter(flow=None).delete()
 Prompt.objects.filter(promptstage=None).delete()
-Tenant.objects.filter(default=True).delete()
+Brand.objects.filter(default=True).delete()
 """ 2>&1 | quieten
 apply_blueprints
 }
 get_certificate() {
 /manage.py shell -c """
 provider_name='$1'
 if not provider_name:
    print('no Provider Name given')
    exit(1)
 provider = Provider.objects.filter(name=provider_name).first()
 saml = provider.samlprovider
 cert = saml.signing_kp
 print(''.join(cert.certificate_data.splitlines()[1:-1]))
 """ 2>&1 | quieten
 }
 get_user_uid() {
 /manage.py shell -c """
 print(User.objects.filter(username='$1').first().uid)
 """ 2>&1 | quieten
 }
--- a/alaconnect.yml
+++ b/alaconnect.yml
@ -0,0 +1,89 @@
 nextcloud:
    uncomment:
        - compose.nextcloud.yml
        - NEXTCLOUD_DOMAIN
        - SECRET_NEXTCLOUD_ID_VERSION
        - SECRET_NEXTCLOUD_SECRET_VERSION
        - nextcloud.png
 wordpress:
    uncomment:
        - compose.wordpress.yml
        - WORDPRESS_DOMAIN
        - WORDPRESS_GROUP
        - SECRET_WORDPRESS_ID_VERSION
        - SECRET_WORDPRESS_SECRET_VERSION
        - wordpress.png
 matrix-synapse:
    uncomment:
        - compose.matrix.yml
        - ELEMENT_DOMAIN
        - MATRIX_DOMAIN
        - SECRET_MATRIX_ID_VERSION
        - SECRET_MATRIX_SECRET_VERSION
        - matrix.svg
    secrets:
        matrix_id: matrix
 wekan:
    uncomment:
        - compose.wekan.yml
        - WEKAN_DOMAIN
        - SECRET_WEKAN_ID_VERSION
        - SECRET_WEKAN_SECRET_VERSION
        - wekan.png
    secrets:
        wekan_id: wekan
 vikunja:
    uncomment:
        - compose.vikunja.yml
        - VIKUNJA_DOMAIN
        - SECRET_VIKUNJA_ID_VERSION
        - SECRET_VIKUNJA_SECRET_VERSION
        - vikunja.svg
    secrets:
        vikunja_id: vikunja
 kimai:
    uncomment:
        - compose.kimai.yml
        - KIMAI_DOMAIN
        - SECRET_KIMAI_ID_VERSION
        - SECRET_KIMAI_SECRET_VERSION
        - kimai_logo.png
 zammad:
    uncomment:
        - compose.zammad.yml
        - ZAMMAD_DOMAIN
        - zammad.svg
 monitoring-ng:
    uncomment:
        - compose.monitoring.yml
        - MONITORING_DOMAIN
        - SECRET_MONITORING_ID_VERSION
        - SECRET_MONITORING_SECRET_VERSION
        - monitoring.png
 outline:
    uncomment:
        - compose.outline.yml
        - OUTLINE_DOMAIN
        - SECRET_OUTLINE_ID_VERSION
        - SECRET_OUTLINE_SECRET_VERSION
        - outline.png
    secrets:
        outline_id: outline
 rallly:
    uncomment:  
        - compose.rallly.yml
        - RALLLY_DOMAIN
        - SECRET_RALLLY_ID_VERSION
        - SECRET_RALLLY_SECRET_VERSION
        - rallly.png
    secrets:
        rallly_id: rallly
 hedgedoc:
    uncomment:  
        - compose.hedgedoc.yml
        - HEDGEDOC_DOMAIN
        - SECRET_HEDGEDOC_ID_VERSION
        - SECRET_HEDGEDOC_SECRET_VERSION
        - hedgedoc.png
    secrets:
        hedgedoc_id: hedgedoc
--- a/compose.css-volume.yml
+++ b/compose.css-volume.yml
@ -0,0 +1,16 @@
 ---
 version: "3.8"
 services:
  app:
    user: root
    entrypoint: /docker-entrypoint.sh
    configs:
      - source: entrypoint_css
        target: /docker-entrypoint.sh
        mode: 0555
 configs:
  entrypoint_css:
    name: ${STACK_NAME}_entrypoint_css_${ENTRYPOINT_CSS_VERSION}
    file: entrypoint-css-volume.sh
--- a/compose.css.yml
+++ b/compose.css.yml
@ -0,0 +1,14 @@
 ---
 version: '3.8'
 services:
  app:
    configs: 
      - source: custom_css
        target: /web/dist/custom.css
 configs:
  custom_css:
    name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
    file: custom.css.tmpl
    template_driver: golang
--- a/compose.hedgedoc.yml
+++ b/compose.hedgedoc.yml
@ -0,0 +1,26 @@
 version: "3.8"
 services:
  worker:
    secrets:
      - hedgedoc_id
      - hedgedoc_secret
    environment:
      - HEDGEDOC_DOMAIN
    configs:
      - source: hedgedoc
        target: /blueprints/hedgedoc.yaml
 secrets:
  hedgedoc_id:
    external: true
    name: ${STACK_NAME}_hedgedoc_id_${SECRET_HEDGEDOC_ID_VERSION}
  hedgedoc_secret:
    external: true
    name: ${STACK_NAME}_hedgedoc_secret_${SECRET_HEDGEDOC_SECRET_VERSION}
 configs:
  hedgedoc:
    name: ${STACK_NAME}_hedgedoc_${HEDGEDOC_CONFIG_VERSION}
    file: hedgedoc.yaml.tmpl
    template_driver: golang
--- a/compose.kimai.yml
+++ b/compose.kimai.yml
@ -0,0 +1,14 @@
 version: "3.8"
 services:
  worker:
    environment:
      - KIMAI_DOMAIN
    configs:
      - source: kimai
        target: /blueprints/kimai.yaml
 configs:
  kimai:
    name: ${STACK_NAME}_kimai_${KIMAI_CONFIG_VERSION}
    file: kimai.yaml.tmpl
    template_driver: golang
--- a/compose.matrix.yml
+++ b/compose.matrix.yml
@ -1,11 +1,18 @@
 version: "3.8"
 services:
  app:
    deploy:
      labels:
        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions,${STACK_NAME}-redirect,${STACK_NAME}-redirect-matrix-well-known"
        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.regex=^https://(.*)/.well-known/matrix/(.*)"
        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.replacement=https://${MATRIX_DOMAIN}/.well-known/matrix/$$2"
  worker:
    secrets:
      - matrix_id
      - matrix_secret
    environment:
      - ELEMENT_DOMAIN
      - MATRIX_DOMAIN
    configs:
      - source: matrix
        target: /blueprints/matrix.yaml
--- a/compose.outline.yml
+++ b/compose.outline.yml
@ -0,0 +1,26 @@
 version: "3.8"
 services:
  worker:
    secrets:
      - outline_id
      - outline_secret
    environment:
      - OUTLINE_DOMAIN
    configs:
      - source: outline
        target: /blueprints/outline.yaml
 secrets:
  outline_id:
    external: true
    name: ${STACK_NAME}_outline_id_${SECRET_OUTLINE_ID_VERSION}
  outline_secret:
    external: true
    name: ${STACK_NAME}_outline_secret_${SECRET_OUTLINE_SECRET_VERSION}
 configs:
  outline:
    name: ${STACK_NAME}_outline_${OUTLINE_CONFIG_VERSION}
    file: outline.yaml.tmpl
    template_driver: golang
--- a/compose.outposts.ldap.yml
+++ b/compose.outposts.ldap.yml
@ -0,0 +1,23 @@
 version: "3.8"
 services:
  authentik_ldap:
      image: ghcr.io/goauthentik/ldap:2025.8.1
      # Optionally specify which networks the container should be
      # might be needed to reach the core authentik server
      networks:
        - internal
        - proxy
      ports:
        - 389:3389
        - 636:6636
      secrets:
        - ldap_token
      environment:
        - AUTHENTIK_HOST=https://${DOMAIN}
        - AUTHENTIK_INSECURE=true
        - AUTHENTIK_TOKEN=file:///run/secrets/ldap_token
 secrets:
  ldap_token:
    external: true
    name: ${STACK_NAME}_ldap_token_${SECRET_LDAP_TOKEN_VERSION}
--- a/compose.outposts.yml
+++ b/compose.outposts.yml
@ -0,0 +1,6 @@
 version: "3.8"
 services:
  worker:
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
--- a/compose.rallly.yml
+++ b/compose.rallly.yml
@ -0,0 +1,26 @@
 version: "3.8"
 services:
  worker:
    secrets:
      - rallly_id
      - rallly_secret
    environment:
      - RALLLY_DOMAIN
    configs:
      - source: rallly
        target: /blueprints/rallly.yaml
 secrets:
  rallly_id:
    external: true
    name: ${STACK_NAME}_rallly_id_${SECRET_RALLLY_ID_VERSION}
  rallly_secret:
    external: true
    name: ${STACK_NAME}_rallly_secret_${SECRET_RALLLY_SECRET_VERSION}
 configs:
  rallly:
    name: ${STACK_NAME}_rallly_${RALLLY_CONFIG_VERSION}
    file: rallly.yaml.tmpl
    template_driver: golang
--- a/compose.yml
+++ b/compose.yml
@ -17,10 +17,12 @@ x-env: &env
    - AUTHENTIK_EMAIL__TIMEOUT
    - AUTHENTIK_EMAIL__FROM
    - AUTHENTIK_LOG_LEVEL
-    - AUTHENTIK_SETTINGS__THEME__BACKGROUND
+    - AUTHENTIK_DISABLE_UPDATE_CHECK
-    - AUTHENTIK_COLOR_BACKGROUND_LIGHT
+    - BACKGROUND_FONT_COLOR=${BACKGROUND_FONT_COLOR:-white}
    - BACKGROUND_BOX_COLOR=${BACKGROUND_BOX_COLOR:-#eaeaeacf}
    - AUTHENTIK_FOOTER_LINKS
    - AUTHENTIK_IMPERSONATION
    - AUTHENTIK_BOOTSTRAP_EMAIL
    - WELCOME_MESSAGE
    - DEFAULT_LANGUAGE
    - EMAIL_SUBJECT
@ -28,12 +30,16 @@ x-env: &env
    - DOMAIN
    - LOGOUT_REDIRECT
    - APPLICATIONS
    - THEME_BACKGROUND
 version: '3.8'
 services:
  app:
-    image: ghcr.io/goauthentik/server:2023.3.1
+    image: ghcr.io/goauthentik/server:2025.8.1
    command: server
    depends_on:
      - db
      - redis
    secrets:
      - db_password
      - admin_pass
@ -43,41 +49,40 @@ services:
    volumes:
      - media:/media
      - assets:/web/dist/assets
-    configs:
+      - templates:/templates
      - source: custom_css
        target: /web/dist/custom.css
    networks:
      - internal
      - proxy
    healthcheck:
-      test: ["CMD", "curl", "-f", "localhost:9000/-/health/live/"]
+      test: "ak healthcheck"
      interval: 30s
-      timeout: 10s
+      timeout: 30s
      retries: 10
      start_period: 5m
    environment: *env
    deploy:
      update_config:
        failure_action: rollback
        order: start-first
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=proxy"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=9000"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions,${STACK_NAME}-redirect"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
        - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
        - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=3.1.2+2023.3.1"
+        - "coop-cloud.${STACK_NAME}.version=8.0.0+2025.8.1"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.regex=^https://(${REDIRECTS})/(.*)"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.replacement=https://${DOMAIN}/$${2}"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.permanent=true"
        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
  worker:
-    image: ghcr.io/goauthentik/server:2023.3.1
+    image: ghcr.io/goauthentik/server:2025.8.1
    command: worker
    depends_on:
      - db
      - redis
    secrets:
      - db_password
      - admin_pass
@ -87,12 +92,11 @@ services:
    networks:
      - internal
      - proxy
    user: root
    volumes:
      - backups:/backups
      - media:/media
      - /var/run/docker.sock:/var/run/docker.sock
      - /dev/null:/blueprints/default/flow-oobe.yaml
      - templates:/templates
      - certs:/certs
    configs:
      - source: flow_recovery
        target: /blueprints/1_flow_recovery.yaml
@ -102,16 +106,31 @@ services:
        target: /blueprints/3_flow_translation.yaml
      - source: flow_invitation
        target: /blueprints/4_flow_invitation.yaml
-      - source: system_tenant
+      - source: system_brand
-        target: /blueprints/5_system_tenant.yaml
+        target: /blueprints/5_system_brand.yaml
      - source: flow_invalidation
        target: /blueprints/6_flow_invalidation.yaml
    environment: *env
    healthcheck:
      test: "ak healthcheck"
      interval: 30s
      timeout: 30s
      retries: 10
      start_period: 5m
  db:
-    image: postgres:12.14-alpine
+    image: postgres:15.13
    secrets:
      - db_password
    configs:
      - source: db_entrypoint
        target: /docker-entrypoint.sh
        mode: 0555
      - source: pg_backup
        target: /pg_backup.sh
        mode: 0555
    entrypoint:
      /docker-entrypoint.sh
    volumes:
      - database:/var/lib/postgresql/data
    networks:
@ -128,21 +147,25 @@ services:
      - POSTGRES_DB=authentik
    deploy:
      labels:
-          backupbot.backup: "true"
+          backupbot.backup: "${ENABLE_BACKUPS:-true}"
-          backupbot.backup.pre-hook: "PGPASSWORD=$$(cat /run/secrets/db_password) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
+          backupbot.backup.pre-hook: "/pg_backup.sh backup"
-          backupbot.backup.post-hook: "rm -rf /var/lib/postgresql/data/backup.sql"
+          backupbot.backup.volumes.database.path: "backup.sql"
-          backupbot.backup.path: "/var/lib/postgresql/data"
+          backupbot.backup.volumes.redis: "false"
          backupbot.restore.post-hook: '/pg_backup.sh restore'
  redis:
-    image:  redis:7.0.10-alpine
+    image:  redis:8.2.1-alpine
    command: --save 60 1 --loglevel warning
    networks:
      - internal
    healthcheck:
-      test: ["CMD", "redis-cli","ping"]
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 1m
    volumes:
        - redis:/data
 secrets:
  db_password:
@ -167,16 +190,14 @@ networks:
  internal:
 volumes:
  backups:
  media:
  certs:
  redis:
  templates:
  assets:
  database:
 configs:
  custom_css:
    name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
    file: custom.css.tmpl
    template_driver: golang
  flow_authentication:
    name: ${STACK_NAME}_flow_authentication_${FLOW_AUTHENTICATION_VERSION}
    file: flow_authentication.yaml.tmpl
@ -197,7 +218,14 @@ configs:
    name: ${STACK_NAME}_flow_translation_${FLOW_TRANSLATION_VERSION}
    file: flow_translation.yaml.tmpl
    template_driver: golang
-  system_tenant:
+  system_brand:
-    name: ${STACK_NAME}_system_tenant_${SYSTEM_TENANT_VERSION}
+    name: ${STACK_NAME}_system_brand_${SYSTEM_BRAND_VERSION}
-    file: system_tenant.yaml.tmpl
+    file: system_brand.yaml.tmpl
    template_driver: golang
  db_entrypoint:
    name: ${STACK_NAME}_db_entrypoint_${DB_ENTRYPOINT_VERSION}
    file: entrypoint.postgres.sh.tmpl
    template_driver: golang
  pg_backup:
    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
    file: pg_backup.sh
--- a/compose.zammad.yml
+++ b/compose.zammad.yml
@ -0,0 +1,14 @@
 version: "3.8"
 services:
  worker:
    environment:
      - ZAMMAD_DOMAIN
    configs:
      - source: zammad
        target: /blueprints/zammad.yaml
 configs:
  zammad:
    name: ${STACK_NAME}_zammad_${ZAMMAD_CONFIG_VERSION}
    file: zammad.yaml.tmpl
    template_driver: golang
--- a/custom.css.tmpl
+++ b/custom.css.tmpl
@ -1,24 +1,13 @@
 /* my custom css */
 :root {
-    --ak-accent: #fd4b2d;
+        --pf-global--BackgroundColor--100: {{ env "BACKGROUND_BOX_COLOR" }} !important;
    --ak-dark-foreground: #fafafa;
    --ak-dark-foreground-darker: #bebebe;
    --ak-dark-foreground-link: #5a5cb9;
    --ak-dark-background: #18191a;
    --ak-dark-background-darker: #000000;
    --ak-dark-background-light: {{ env "AUTHENTIK_COLOR_BACKGROUND_LIGHT" }};
    --ak-dark-background-light-ish: #212427;
    --ak-dark-background-lighter: #2b2e33;
    --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
    --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
    --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
    --pf-c-background-image--BackgroundImage--sm-2x: var(--ak-flow-background);
    --pf-c-background-image--BackgroundImage--lg: var(--ak-flow-background);
 }
 .pf-c-login__main {
        background-color: {{ env "BACKGROUND_BOX_COLOR" }};
 }
 .pf-c-content h1 {
        color: {{ env "BACKGROUND_FONT_COLOR" }};
 }
--- a/custom_flows.yaml.tmpl
+++ b/custom_flows.yaml.tmpl
@ -1,405 +0,0 @@
 version: 1
 metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
  name: Custom - Flows
 context:
  welcome_message: {{ if eq (env "WELCOME_MESSAGE") "" }} "Welcome to authentik!" {{ else }} {{ env "WELCOME_MESSAGE" }} {{ end }}
 ####### Translations ########
  transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort Zurücksetzen" {{ else }} "Reset your password" {{ end }}
  transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort" {{ else }} "Password" {{ end }}
  transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort (wiederholen)" {{ else }} "Password (repeat)" {{ end }}
  transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Benutzername" {{ else }} "Username" {{ end }}
  transl_name: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Vor- und Nachname" {{ else }} "Full name" {{ end }}
 entries:
 ######## Email Recovery Flow ########
 - identifiers:
    slug: default-recovery-flow
  id: recovery_flow
  model: authentik_flows.flow
  attrs:
    name: Default recovery flow
    title: !Context transl_recovery
    designation: recovery
 ### PROMPTS
 - identifiers:
    field_key: password
  id: prompt-field-password
  model: authentik_stages_prompt.prompt
  attrs:
    label: !Context transl_password
    type: password
    required: true
    placeholder: !Context transl_password
    order: 30
    placeholder_expression: false
 - identifiers:
    field_key: password_repeat
  id: prompt-field-password-repeat
  model: authentik_stages_prompt.prompt
  attrs:
    label: !Context transl_password_repeat
    type: password
    required: true
    placeholder: !Context transl_password_repeat
    order: 31
    placeholder_expression: false
 ### STAGES
 - identifiers:
    name: default-recovery-email
  id: default-recovery-email
  model: authentik_stages_email.emailstage
  attrs:
    use_global_settings: true
    token_expiry: {{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }} 30 {{ else }} {{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }} {{ end }}
    subject: {{ if eq (env "EMAIL_SUBJECT") "" }} "Account Recovery" {{ else }} "{{ env "EMAIL_SUBJECT" }}" {{ end }} 
    template: email/password_reset.html
    activate_user_on_success: true
 - identifiers:
    name: default-recovery-user-write
  id: default-recovery-user-write
  model: authentik_stages_user_write.userwritestage
 - identifiers:
    name: default-recovery-identification
  id: default-recovery-identification
  model: authentik_stages_identification.identificationstage
  attrs:
    user_fields:
      - email
      - username
 - identifiers:
    name: default-recovery-user-login
  id: default-recovery-user-login
  model: authentik_stages_user_login.userloginstage
  attrs:
    session_duration: seconds=0
 - identifiers:
    name: Change your password
  id: stage-prompt-password
  model: authentik_stages_prompt.promptstage
  attrs:
    fields:
      - !KeyOf prompt-field-password
      - !KeyOf prompt-field-password-repeat
    validation_policies: []
 ### STAGE BINDINGS
 - identifiers:
    target: !KeyOf recovery_flow
    stage: !KeyOf default-recovery-identification
    order: 10
  model: authentik_flows.flowstagebinding
  id: flow-binding-identification
  attrs:
    evaluate_on_plan: true
    re_evaluate_policies: true
    policy_engine_mode: any
    invalid_response_action: retry
 - identifiers:
    target: !KeyOf recovery_flow
    stage: !KeyOf default-recovery-email
    order: 20
  model: authentik_flows.flowstagebinding
  id: flow-binding-email
  attrs:
    evaluate_on_plan: true
    re_evaluate_policies: true
    policy_engine_mode: any
    invalid_response_action: retry
 - identifiers:
    target: !KeyOf recovery_flow
    stage: !KeyOf stage-prompt-password
    order: 30
  model: authentik_flows.flowstagebinding
  attrs:
    evaluate_on_plan: true
    re_evaluate_policies: false
    policy_engine_mode: any
    invalid_response_action: retry
 - identifiers:
    target: !KeyOf recovery_flow
    stage: !KeyOf default-recovery-user-write
    order: 40
  model: authentik_flows.flowstagebinding
  attrs:
    evaluate_on_plan: true
    re_evaluate_policies: false
    policy_engine_mode: any
    invalid_response_action: retry
 - identifiers:
    target: !KeyOf recovery_flow
    stage: !KeyOf default-recovery-user-login
    order: 100
  model: authentik_flows.flowstagebinding
  attrs:
    evaluate_on_plan: true
    re_evaluate_policies: false
    policy_engine_mode: any
    invalid_response_action: retry
 ### POLICIES
 ## ISSUES with this policy
 ## https://github.com/goauthentik/authentik/blob/493cdd5c0f8caaec7a7dd474f1aa131e32fd39c3/blueprints/example/flows-recovery-email-verification.yaml#L37
 ## https://github.com/goauthentik/authentik/commit/317e9ec6053742e17ba74fb6aa38dc15aaf6657f#diff-a5c56bb7c60e27dda1b131b3fc2a17e3af6624e7cfaaa2337ec6b077ca489f34
 # - identifiers:
 #     name: default-recovery-skip-if-restored
 #   id: default-recovery-skip-if-restored
 #   model: authentik_policies_expression.expressionpolicy
 #   attrs:
 #     expression: |
 #       return request.context.get('is_restored', False)
 ### POLICY BINDINGS
 # - identifiers:
 #     policy: !KeyOf default-recovery-skip-if-restored
 #     target: !KeyOf flow-binding-identification
 #     order: 0
 #   model: authentik_policies.policybinding
 #   attrs:
 #     negate: false
 #     enabled: true
 #     timeout: 30
 # - identifiers:
 #     policy: !KeyOf default-recovery-skip-if-restored
 #     target: !KeyOf flow-binding-email
 #     order: 0
 #   model: authentik_policies.policybinding
 #   attrs:
 #     negate: false
 #     enabled: true
 #     timeout: 30
 ######## Authentication Flow ########
 - attrs:
    designation: authentication
    name: custom-authentication-flow
    title: !Context welcome_message
  identifiers:
    slug: custom-authentication-flow
  id: authentication_flow
  model: authentik_flows.flow
 ### STAGES
 - attrs:
    backends:
    - authentik.core.auth.InbuiltBackend
    - authentik.sources.ldap.auth.LDAPBackend
    - authentik.core.auth.TokenBackend
    configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]
  identifiers:
    name: custom-authentication-password
  id: custom-authentication-password
  model: authentik_stages_password.passwordstage
 - identifiers:
    name: custom-authentication-mfa-validation
  id: custom-authentication-mfa-validation
  model: authentik_stages_authenticator_validate.authenticatorvalidatestage
 - attrs:
    password_stage: !KeyOf custom-authentication-password
    recovery_flow: !KeyOf recovery_flow  # !Find [authentik_flows.flow, [slug, default-recovery-flow]]
    user_fields:
    - email
    - username
  identifiers:
    name: custom-authentication-identification
  id: custom-authentication-identification
  model: authentik_stages_identification.identificationstage
 - attrs:
    session_duration: seconds=0
  identifiers:
    name: custom-authentication-login
  id: custom-authentication-login
  model: authentik_stages_user_login.userloginstage
 ### STAGE BINDINGS
 - identifiers:
    order: 10
    stage: !KeyOf custom-authentication-identification
    target: !KeyOf authentication_flow
  model: authentik_flows.flowstagebinding
 - identifiers:
    order: 30
    stage: !KeyOf custom-authentication-mfa-validation
    target: !KeyOf authentication_flow
  model: authentik_flows.flowstagebinding
 - identifiers:
    order: 100
    stage: !KeyOf custom-authentication-login
    target: !KeyOf authentication_flow
  model: authentik_flows.flowstagebinding
 ######## Invitation Enrollment Flow ########
 - attrs:
    designation: enrollment
    name: invitation-enrollment-flow
    title: !Context welcome_message
  identifiers:
    slug: invitation-enrollment-flow
  id: invitation-enrollment-flow
  model: authentik_flows.flow
 ### PROMPTS
 - identifiers:
    field_key: username
  id: prompt-field-username
  model: authentik_stages_prompt.prompt
  attrs:
    label: !Context transl_username
    type: username
    required: true
    placeholder: !Context transl_username
    order: 0
    placeholder_expression: false
 - identifiers:
    field_key: name
  id: prompt-field-name
  model: authentik_stages_prompt.prompt
  attrs:
    label: !Context transl_name
    type: text
    required: true
    placeholder: !Context transl_name
    order: 1
    placeholder_expression: false
 - identifiers:
    field_key: email
    label: Email
  id: prompt-field-email
  model: authentik_stages_prompt.prompt
  attrs:
    type: email
    required: true
    placeholder: muster@example.com
    order: 2
    placeholder_expression: false
 ### STAGES
 - id: invitation-stage
  identifiers:
    name: invitation-stage
  model: authentik_stages_invitation.invitationstage
 - attrs:
    fields:
      - !KeyOf prompt-field-username
      - !KeyOf prompt-field-name
      - !KeyOf prompt-field-email
      - !KeyOf prompt-field-password
      - !KeyOf prompt-field-password-repeat
  id: enrollment-prompt-userdata
  identifiers:
    name: enrollment-prompt-userdata
  model: authentik_stages_prompt.promptstage
 - id: enrollment-user-write
  identifiers:
    name: enrollment-user-write
  model: authentik_stages_user_write.userwritestage
 - attrs:
    session_duration: seconds=0
  id: enrollment-user-login
  identifiers:
    name: enrollment-user-login
  model: authentik_stages_user_login.userloginstage
 ### STAGE BINDINGS
 - identifiers:
    order: 1
    stage: !KeyOf invitation-stage
    target: !KeyOf invitation-enrollment-flow
  model: authentik_flows.flowstagebinding
 - identifiers:
    order: 10
    stage: !KeyOf enrollment-prompt-userdata
    target: !KeyOf invitation-enrollment-flow
  model: authentik_flows.flowstagebinding
 - identifiers:
    order: 20
    stage: !KeyOf enrollment-user-write
    target: !KeyOf invitation-enrollment-flow
  model: authentik_flows.flowstagebinding
 - identifiers:
    order: 100
    stage: !KeyOf enrollment-user-login
    target: !KeyOf invitation-enrollment-flow
  model: authentik_flows.flowstagebinding
 ######## Invalidation Flow ########
 - identifiers:
    slug: logout-flow
  id: logout-flow
  model: authentik_flows.flow
  attrs:
    name: Logout
    title: Logout Flow
    designation: invalidation
 ### STAGES
 - id: logout-stage
  identifiers:
    name: logout-stage
  model: authentik_stages_user_logout.userlogoutstage
 ### STAGE BINDINGS
 - identifiers:
    order: 0
    stage: !KeyOf logout-stage
    target: !KeyOf logout-flow
  model: authentik_flows.flowstagebinding
  attrs:
    re_evaluate_policies: true
  id: logout-stage-binding
 ### POLICIES
 - attrs:
    execution_logging: true
    expression: 'context[''flow_plan''].context[''redirect''] = ''{{ env "LOGOUT_REDIRECT" }}''
    return True'
  identifiers:
    name: redirect-policy
  id: redirect-policy
  model: authentik_policies_expression.expressionpolicy
 ### POLICY BINDINGS
 - identifiers:
    policy: !KeyOf redirect-policy
    target: !KeyOf logout-stage-binding
    order: 0
  model: authentik_policies.policybinding
  attrs:
    enabled: {{ if eq (env "LOGOUT_REDIRECT") "" }} false {{ else }} true {{ end }}
    timeout: 30
 ######## System Tenant ##########
 - attrs:
    attributes:
      settings:
        locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }}
    # branding_favicon: /static/dist/assets/icons/icon.png
    # branding_logo: /static/dist/assets/icons/icon_left_brand.svg
    # branding_title: Authentik
    # default: true
    domain: {{ env "DOMAIN" }}
    # event_retention: days=365
    flow_authentication: !KeyOf authentication_flow
    flow_recovery: !KeyOf recovery_flow
    flow_invalidation: !KeyOf logout-flow
    flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
  identifiers:
    pk: 047cce25-aae2-4b02-9f96-078e155f803d
  id: system_tenant
  model: authentik_tenants.tenant
--- a/entrypoint-css-volume.sh
+++ b/entrypoint-css-volume.sh
@ -0,0 +1,5 @@
 #!/bin/sh
 cp -f /web/dist/assets/custom.css /web/dist/custom.css
 su $(id -un 1000) -s /bin/bash -c 'dumb-init -- ak server'
--- a/entrypoint.postgres.sh.tmpl
+++ b/entrypoint.postgres.sh.tmpl
@ -0,0 +1,45 @@
 #!/bin/bash
 set -e
 MIGRATION_MARKER=$PGDATA/migration_in_progress
 OLDDATA=$PGDATA/old_data
 NEWDATA=$PGDATA/new_data
 if [ -e $MIGRATION_MARKER ]; then
  echo "FATAL: migration was started but did not complete in a previous run. manual recovery necessary"
  exit 1
 fi
 if [ -f $PGDATA/PG_VERSION ]; then
  DATA_VERSION=$(cat $PGDATA/PG_VERSION)
  if [ -n "$DATA_VERSION" -a "$PG_MAJOR" != "$DATA_VERSION" ]; then
    echo "postgres data version $DATA_VERSION found, but need $PG_MAJOR. Starting migration"
    echo "Installing postgres $DATA_VERSION"
    sed -i "s/$/ $DATA_VERSION/" /etc/apt/sources.list.d/pgdg.list
    apt-get update && apt-get install -y --no-install-recommends \
      postgresql-$DATA_VERSION \
      && rm -rf /var/lib/apt/lists/*
    echo "shuffling around"
    chown -R postgres:postgres $PGDATA
    gosu postgres mkdir $OLDDATA $NEWDATA
    chmod 700 $OLDDATA $NEWDATA
    mv $PGDATA/* $OLDDATA/ || true
    touch $MIGRATION_MARKER
    echo "running initdb"
    # abuse entrypoint script for initdb by making server error out
    gosu postgres bash -c "export PGDATA=$NEWDATA ; /usr/local/bin/docker-entrypoint.sh --invalid-arg || true"
    echo "running pg_upgrade"
    cd /tmp
    gosu postgres pg_upgrade --link -b /usr/lib/postgresql/$DATA_VERSION/bin -d $OLDDATA -D $NEWDATA -U $POSTGRES_USER
    cp $OLDDATA/pg_hba.conf $NEWDATA/
    mv $NEWDATA/* $PGDATA
    rm -rf $OLDDATA
    rmdir $NEWDATA
    rm $MIGRATION_MARKER
    echo "migration complete"
  fi
 fi
 /usr/local/bin/docker-entrypoint.sh postgres
--- a/flow_authentication.yaml.tmpl
+++ b/flow_authentication.yaml.tmpl
@ -22,7 +22,6 @@ entries:
  attrs:
    name: !Context welcome_message
    title: !Context welcome_message
 ### STAGES
 - identifiers:
    name: default-authentication-identification
@ -30,13 +29,17 @@ entries:
  attrs:
    password_stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]]
    recovery_flow: !Find [authentik_flows.flow, [slug, default-recovery-flow]]
    user_fields:
    - email
    - username
 - identifiers:
    name: default-authentication-login
  model: authentik_stages_user_login.userloginstage
  attrs:
-    session_duration: seconds=0
+    session_duration: days=30
 # After the first run this will produce a RelatedObjectDoesNotExist error
 - identifiers:
    order: 20
    stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]]
--- a/flow_invalidation.yaml.tmpl
+++ b/flow_invalidation.yaml.tmpl
@ -13,6 +13,7 @@ entries:
 ### STAGE BINDINGS
 # This is specified only for setting an id (this stagebinding does not have an identifier)
 - identifiers:
    order: 0
    stage: !Find [authentik_stages_user_logout.userlogoutstage, [name, default-invalidation-logout]]
--- a/flow_invitation.yaml.tmpl
+++ b/flow_invitation.yaml.tmpl
@ -24,6 +24,18 @@ entries:
  id: invitation-enrollment-flow
  model: authentik_flows.flow
 ### POLICIES
 - attrs:
    expression: |
      if not regex_match(request.context.get('prompt_data').get('username'), '\s'):
          return True
      ak_message("Username must not contain any whitespace!")
      return False
  id: username-without-spaces-policy
  identifiers:
    name: username-without-spaces-policy
  model: authentik_policies_expression.expressionpolicy
 ### STAGES
 - identifiers:
    name: invitation-stage
@ -41,6 +53,8 @@ entries:
      - !Find [authentik_stages_prompt.prompt, [name, default-user-settings-field-email]]
      - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password]]
      - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password-repeat]]
    validation_policies:
      - !Find [ authentik_policies_expression.expressionpolicy, [name, username-without-spaces-policy]]
 ### STAGE BINDINGS
 - identifiers:
--- a/flow_recovery.yaml.tmpl
+++ b/flow_recovery.yaml.tmpl
@ -4,7 +4,7 @@ metadata:
    blueprints.goauthentik.io/instantiate: "true"
  name: Recovery with email verification
 context:
-  token_expiry: {{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }} 30 {{ else }} {{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }} {{ end }}
+  token_expiry: minutes={{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }}30{{ else }}{{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }}{{ end }}
  subject: {{ if eq (env "EMAIL_SUBJECT") "" }} Account Recovery {{ else }} {{ env "EMAIL_SUBJECT" }} {{ end }} 
 entries:
 ### DEPENDENCIES
--- a/flow_translation.yaml.tmpl
+++ b/flow_translation.yaml.tmpl
@ -4,7 +4,7 @@ metadata:
    blueprints.goauthentik.io/instantiate: "true"
  name: Flow Translations
 context:
-  transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort Zurücksetzen" {{ else }} "Reset your password" {{ end }}
+  transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort zurücksetzen" {{ else }} "Reset your password" {{ end }}
  transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort" {{ else }} "Password" {{ end }}
  transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort (wiederholen)" {{ else }} "Password (repeat)" {{ end }}
  transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Benutzername" {{ else }} "Username" {{ end }}
@ -15,7 +15,7 @@ entries:
 - model: authentik_blueprints.metaapplyblueprint
  attrs:
    identifiers:
-      name: Custom Authentication Flow
+      name: Recovery with email verification
    required: true
 - model: authentik_blueprints.metaapplyblueprint
  attrs:
--- a/hedgedoc.yaml.tmpl
+++ b/hedgedoc.yaml.tmpl
@ -0,0 +1,48 @@
 version: 1
 metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
  name: hedgedoc
 entries:
 - attrs:
    access_code_validity: minutes=1
    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
    client_id: {{ secret  "hedgedoc_id" }}
    client_secret: {{ secret  "hedgedoc_secret" }}
    client_type: confidential
    include_claims_in_id_token: true
    issuer_mode: per_provider
    redirect_uris:
    - matching_mode: strict
      url: https://{{ env  "HEDGEDOC_DOMAIN" }}/auth/oauth2/callback
    name: Hedgedoc
    property_mappings:
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
    sub_mode: hashed_user_id
    token_validity: days=30
  conditions: []
  id: hedgedoc_provider
  identifiers:
    pk: 9992
  model: authentik_providers_oauth2.oauth2provider
  state: present
 - attrs:
    meta_launch_url: https://{{ env  "HEDGEDOC_DOMAIN" }}/auth/oauth2
    open_in_new_tab: true
    policy_engine_mode: any
    provider: !KeyOf hedgedoc_provider
    slug: hedgedoc
  conditions: []
  id: hedgedoc_application
  identifiers:
    name: Hedgedoc
  model: authentik_core.application
  state: present
--- a/icons/bbb.png
+++ b/icons/bbb.png
--- a/icons/hedgedoc.png
+++ b/icons/hedgedoc.png
--- a/icons/help.svg
+++ b/icons/help.svg
@ -0,0 +1,10 @@
 <svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
 <g clip-path="url(#clip0_1735_3439)">
 <path d="M12 18.0093V12.7593M12 12.7593C12.5179 12.7593 13.0206 12.6937 13.5 12.5703M12 12.7593C11.4821 12.7593 10.9794 12.6937 10.5 12.5703M14.25 20.0487C13.5212 20.187 12.769 20.2593 12 20.2593C11.231 20.2593 10.4788 20.187 9.75 20.0487M13.5 22.4313C13.007 22.4828 12.5066 22.5093 12 22.5093C11.4934 22.5093 10.993 22.4828 10.5 22.4313M14.25 18.0093V17.8176C14.25 16.8347 14.9083 15.9943 15.7585 15.501C17.9955 14.203 19.5 11.7818 19.5 9.00928C19.5 4.86714 16.1421 1.50928 12 1.50928C7.85786 1.50928 4.5 4.86714 4.5 9.00928C4.5 11.7818 6.00446 14.203 8.24155 15.501C9.09173 15.9943 9.75 16.8347 9.75 17.8176V18.0093" stroke="#0F172A" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
 </g>
 <defs>
 <clipPath id="clip0_1735_3439">
 <rect width="24" height="24" fill="white" transform="translate(0 0.00927734)"/>
 </clipPath>
 </defs>
 </svg>
--- a/icons/kimai_logo.png
+++ b/icons/kimai_logo.png
--- a/icons/outline.png
+++ b/icons/outline.png
--- a/icons/pretix.svg
+++ b/icons/pretix.svg
@ -0,0 +1 @@
 <?xml version="1.0" encoding="UTF-8"?><svg id="Ebene_1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 128 128"><defs><style>.cls-1{fill:#3b1c4a;}</style></defs><path class="cls-1" d="m50.67,56.95c-.72.1-1.22.3-1.66.5l2.38,16.91c.41.08.95.13,1.6.04,3.52-.5,4.61-3.64,3.81-9.39-.83-5.87-2.53-8.56-6.12-8.06Z"/><path class="cls-1" d="m116.04,35.05c.71-.17,1.16-.76,1.06-1.48L112.54,1.13c-.1-.72-.77-1.22-1.49-1.12l-37.5,5.27.73,5.22c.16,1.12-.62,2.15-1.74,2.31s-2.15-.62-2.31-1.74l-.73-5.22L1.13,15.46c-.72.1-1.22.77-1.12,1.49l4.56,32.44c.1.72.7,1.17,1.42,1.13,11.25-.92,21.43,7.1,23.03,18.46,1.6,11.36-5.99,21.81-17.07,23.96-.71.17-1.16.76-1.06,1.48l4.56,32.44c.1.72.77,1.22,1.49,1.12l68.37-9.61-.73-5.22c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l.73,5.22,37.5-5.27c.72-.1,1.22-.77,1.12-1.49l-4.56-32.44c-.1-.72-.7-1.17-1.42-1.13-11.25.92-21.42-7.04-23.02-18.4-1.6-11.36,5.98-21.87,17.06-24.03Zm-59.84,44.75c-1.76.25-3.29.26-4.04.17l1.59,11.29-9.92,1.39-5.3-37.73c2.5-1.62,5.96-3.03,11.38-3.8,8.68-1.22,15.27,2.58,16.66,12.44,1.25,8.88-3.12,15.21-10.36,16.23Zm30.73,20.71c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31,1.12-.16,2.15.62,2.31,1.74l1.47,10.44Zm-3.16-22.45c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l1.47,10.44Z"/></svg>
--- a/icons/support.svg
+++ b/icons/support.svg
@ -0,0 +1,3 @@
 <svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
 <path d="M9.87891 7.51884C11.0505 6.49372 12.95 6.49372 14.1215 7.51884C15.2931 8.54397 15.2931 10.206 14.1215 11.2312C13.9176 11.4096 13.6917 11.5569 13.4513 11.6733C12.7056 12.0341 12.0002 12.6716 12.0002 13.5V14.25M21 12C21 16.9706 16.9706 21 12 21C7.02944 21 3 16.9706 3 12C3 7.02944 7.02944 3 12 3C16.9706 3 21 7.02944 21 12ZM12 17.25H12.0075V17.2575H12V17.25Z" stroke="#0F172A" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
 </svg>
--- a/icons/vaultwarden.svg
+++ b/icons/vaultwarden.svg
--- a/icons/zammad.svg
+++ b/icons/zammad.svg
@ -0,0 +1,30 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <svg width="126px" height="108px" viewBox="0 0 42 36" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:sketch="http://www.bohemiancoding.com/sketch/ns">
    <!-- Generator: Sketch 3.3.2 (12043) - http://www.bohemiancoding.com/sketch -->
    <title>logo</title>
    <desc>Created with Sketch.</desc>
    <defs/>
    <g id="Page-1" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd" sketch:type="MSPage">
        <g id="logo" sketch:type="MSArtboardGroup">
            <g sketch:type="MSLayerGroup" transform="translate(1.000000, 0.000000)" id="Shape">
                <path d="M27.3375,12.6 L36.72,9.72 L31.1625,13.2525 L27.3375,12.6 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
                <path d="M33.0525,19.62 L31.1625,13.2525 L36.72,9.72 L35.055,15.435 L33.0525,19.62 Z" fill="#E84F83" sketch:type="MSShapeGroup"/>
                <path d="M39.465,7.9875 L38.43,9.72 L35.055,15.435 L36.72,9.72 L39.465,7.9875 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
                <path d="M39.8025,9.1125 L37.1925,11.79 L38.43,9.72 L39.8025,9.1125 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
                <path d="M27.9,10.8225 L35.5725,10.0575 L30.24,11.7 L27.9,10.8225 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
                <path d="M28.1925,15.165 L31.1625,13.2525 L33.0525,19.62 L32.0625,21.645 L28.1925,15.165 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
                <path d="M23.76,22.725 L22.3425,5.4 L32.0625,21.645 L23.76,22.725 Z" fill="#B7DFF2" sketch:type="MSShapeGroup"/>
                <path d="M19.7325,27.1575 L23.76,22.725 L32.0625,21.645 L19.7325,27.1575 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
                <path d="M0.1575,35.865 L19.7325,27.1575 L23.76,22.725 L17.37,22.0725 L0.1575,35.865 Z" fill="#FFCE33" sketch:type="MSShapeGroup"/>
                <path d="M0.9,28.755 L10.9575,27.225 L14.085,24.705 L12.555,24.03 L0.9,28.755 Z" fill="#D6B12D" sketch:type="MSShapeGroup"/>
                <path d="M4.5225,20.5425 L14.085,24.705 L17.37,22.0725 L4.5225,20.5425 Z" fill="#FFDE85" sketch:type="MSShapeGroup"/>
                <path d="M21.6225,11.6775 L20.4075,11.88 L17.37,22.0725 L20.655,20.0025 L21.6225,11.6775 Z" fill="#009EC6" sketch:type="MSShapeGroup"/>
                <path d="M23.4,18.2475 L20.655,20.0025 L22.3425,5.4 L23.4,18.2475 Z" fill="#5EAFCE" sketch:type="MSShapeGroup"/>
                <path d="M13.0275,13.05 L21.6225,11.6775 L22.005,8.28 L13.0275,13.05 Z" fill="#045972" sketch:type="MSShapeGroup"/>
                <path d="M12.105,5.085 L19.575,9.585 L22.005,8.28 L22.0725,7.8075 L12.105,5.085 Z" fill="#5A8591" sketch:type="MSShapeGroup"/>
                <path d="M13.5675,0.18 L20.3625,7.335 L22.0725,7.8075 L22.3425,5.4 L13.5675,0.18 Z" fill="#009EC6" sketch:type="MSShapeGroup"/>
                <path d="M17.37,22.0725 L23.4,18.2475 L23.76,22.725 L17.37,22.0725 Z" fill="#F39804" sketch:type="MSShapeGroup"/>
            </g>
        </g>
    </g>
 </svg>
--- a/kimai.yaml.tmpl
+++ b/kimai.yaml.tmpl
@ -0,0 +1,50 @@
 version: 1
 metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
  name: kimai
 entries:
 - attrs:
    acs_url: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml/acs
    assertion_valid_not_before: minutes=-5
    assertion_valid_not_on_or_after: minutes=5
    audience: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml
    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
    digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
    issuer: https://{{ env  "DOMAIN" }}
    name: Kimai
    name_id_mapping: !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
    property_mappings:
    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Name"]]
    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Email"]]
    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: User ID"]]
    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Groups"]]
    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: UPN"]]
    session_valid_not_on_or_after: minutes=86400
    sign_assertion: true
    signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
    signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
    sp_binding: post
  conditions: []
  id: kimai_provider
  identifiers:
    pk: 9991
  model: authentik_providers_saml.samlprovider
  state: present
 - attrs:
    meta_launch_url: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml/login
    open_in_new_tab: true
    policy_engine_mode: any
    provider: !KeyOf kimai_provider
    slug: kimai
  conditions: []
  id: kimai_application
  identifiers:
    name: Kimai
  model: authentik_core.application
  state: present
--- a/matrix.yaml.tmpl
+++ b/matrix.yaml.tmpl
@ -8,12 +8,17 @@ entries:
 - attrs:
    access_code_validity: minutes=1
    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
    client_id: {{ secret  "matrix_id" }}
    client_secret: {{ secret  "matrix_secret" }}
    client_type: confidential
    include_claims_in_id_token: true
    issuer_mode: per_provider
    redirect_uris:
    - matching_mode: strict
      url: https://{{ env  "MATRIX_DOMAIN" }}/_synapse/client/oidc/callback
    name: Matrix
    property_mappings:
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
@ -34,10 +39,10 @@ entries:
    open_in_new_tab: true
    policy_engine_mode: any
    provider: !KeyOf matrix_provider
-    slug: matrix
+    name: Element
  conditions: []
  id: matrix_application
  identifiers:
-    name: Matrix
+    slug: matrix
  model: authentik_core.application
  state: present
--- a/monitoring.yaml.tmpl
+++ b/monitoring.yaml.tmpl
@ -8,12 +8,17 @@ entries:
 - attrs:
    access_code_validity: minutes=1
    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
    client_id: {{ secret  "monitoring_id" }}
    client_secret: {{ secret  "monitoring_secret" }}
    client_type: confidential
    include_claims_in_id_token: true
    issuer_mode: per_provider
    redirect_uris:
    - matching_mode: strict
      url: https://{{ env  "MONITORING_DOMAIN" }}/login/generic_oauth
    name: Monitoring
    property_mappings:
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
@ -25,7 +30,7 @@ entries:
  conditions: []
  id: monitoring_provider
  identifiers:
-    pk: 9994
+    pk: 9990
  model: authentik_providers_oauth2.oauth2provider
  state: present
--- a/nextcloud.yaml.tmpl
+++ b/nextcloud.yaml.tmpl
@ -20,12 +20,17 @@ entries:
 - attrs:
    access_code_validity: minutes=1
    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
    client_id: {{ secret  "nextcloud_id" }}
    client_secret: {{ secret  "nextcloud_secret" }}
    client_type: confidential
    include_claims_in_id_token: true
    issuer_mode: per_provider
    redirect_uris:
    - matching_mode: strict
      url: https://{{ env  "NEXTCLOUD_DOMAIN" }}/apps/sociallogin/custom_oidc/authentik
    name: Nextcloud
    property_mappings:
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
--- a/outline.yaml.tmpl
+++ b/outline.yaml.tmpl
@ -0,0 +1,48 @@
 version: 1
 metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
  name: outline
 entries:
 - attrs:
    access_code_validity: minutes=1
    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
    client_id: {{ secret  "outline_id" }}
    client_secret: {{ secret  "outline_secret" }}
    client_type: confidential
    include_claims_in_id_token: true
    issuer_mode: per_provider
    redirect_uris:
    - matching_mode: strict
      url: https://{{ env  "OUTLINE_DOMAIN" }}/auth/oidc.callback
    name: Outline
    property_mappings:
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
    sub_mode: hashed_user_id
    token_validity: days=30
  conditions: []
  id: outline_provider
  identifiers:
    pk: 9994
  model: authentik_providers_oauth2.oauth2provider
  state: present
 - attrs:
    meta_launch_url: https://{{ env  "OUTLINE_DOMAIN" }}/auth/oidc
    open_in_new_tab: true
    policy_engine_mode: any
    provider: !KeyOf outline_provider
    slug: outline
  conditions: []
  id: outline_application
  identifiers:
    name: Outline
  model: authentik_core.application
  state: present
--- a/pg_backup.sh
+++ b/pg_backup.sh
@ -0,0 +1,34 @@
 #!/bin/bash
 set -e
 BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
 function backup {
  export PGPASSWORD=$(cat /run/secrets/db_password)
  pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
 }
 function restore {
    cd /var/lib/postgresql/data/
    restore_config(){
        # Restore allowed connections
        cat pg_hba.conf.bak > pg_hba.conf
        su postgres -c 'pg_ctl reload'
    }
    # Don't allow any other connections than local
    cp pg_hba.conf pg_hba.conf.bak
    echo "local all all trust" > pg_hba.conf
    su postgres -c 'pg_ctl reload'
    trap restore_config EXIT INT TERM
    # Recreate Database
    psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);" 
    createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
    psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
    trap - EXIT INT TERM
    restore_config
 }
 $@
--- a/rallly.yaml.tmpl
+++ b/rallly.yaml.tmpl
@ -0,0 +1,48 @@
 version: 1
 metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
  name: rallly
 entries:
 - attrs:
    access_code_validity: minutes=1
    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
    client_id: {{ secret  "rallly_id" }}
    client_secret: {{ secret  "rallly_secret" }}
    client_type: confidential
    include_claims_in_id_token: true
    issuer_mode: per_provider
    redirect_uris:
    - matching_mode: strict
      url: https://{{ env  "RALLLY_DOMAIN" }}/api/auth/callback/oidc
    name: Rallly
    property_mappings:
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
    sub_mode: hashed_user_id
    token_validity: days=30
  conditions: []
  id: rallly_provider
  identifiers:
    pk: 9993
  model: authentik_providers_oauth2.oauth2provider
  state: present
 - attrs:
    meta_launch_url: https://{{ env  "RALLLY_DOMAIN" }}
    open_in_new_tab: true
    policy_engine_mode: any
    provider: !KeyOf rallly_provider
    slug: rallly
  conditions: []
  id: rallly_application
  identifiers:
    name: Rallly
  model: authentik_core.application
  state: present
--- a/release/3.2.0+2023.6.1
+++ b/release/3.2.0+2023.6.1
@ -0,0 +1 @@
 If you use your own outpost you need to uncomment COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml" to expose the docker socket again.
--- a/release/4.0.0+2023.10.5
+++ b/release/4.0.0+2023.10.5
@ -0,0 +1 @@
 It is only possible to upgrade to 2023.10 from 2023.8, you need to update to 2023.8.x before applying this update
--- a/release/5.0.0+2024.2.2
+++ b/release/5.0.0+2024.2.2
@ -0,0 +1 @@
 Blueprint changes are applied and automatic migrations should work, however, manual action may be required: https://docs.goauthentik.io/docs/releases/2024.2
--- a/release/5.1.0+2024.2.3
+++ b/release/5.1.0+2024.2.3
@ -0,0 +1 @@
 Due to blueprint changes, you need to run the following command after upgrading: abra app cmd -C <Domain> worker apply_blueprints
--- a/release/6.0.0+2024.4.0
+++ b/release/6.0.0+2024.4.0
@ -0,0 +1 @@
 Alerta! ⚠️ If you are using AUTHENTIK_COLOR_BACKGROUND_LIGHT, you will need to set COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
--- a/release/6.1.0+2024.4.2
+++ b/release/6.1.0+2024.4.2
@ -0,0 +1 @@
 Blueprint for Kimai SSO integration added
--- a/release/6.11.0+2024.10.5
+++ b/release/6.11.0+2024.10.5
@ -0,0 +1 @@
 Fix Impersonate Bug
--- a/release/6.6.0+2024.8.2
+++ b/release/6.6.0+2024.8.2
@ -0,0 +1 @@
 Replaced icon bbb.jpg with icon.png - configs need to be updated when upgrading!
--- a/release/6.7.0+2024.8.3
+++ b/release/6.7.0+2024.8.3
@ -0,0 +1,3 @@
 Two critical vulnerabilities were closed:
 https://github.com/goauthentik/authentik/security/advisories/GHSA-7jxf-mmg9-9hg7
 https://github.com/goauthentik/authentik/security/advisories/GHSA-8gfm-pr6x-pfh9
--- a/release/7.4.0+2025.6.3
+++ b/release/7.4.0+2025.6.3
@ -0,0 +1,3 @@
 Adds following new envs: 
  REDIRECTS
  AUTHENTIK_DISABLE_UPDATE_CHECK
--- a/release/next
+++ b/release/next
@ -0,0 +1,4 @@
 Update of config neccessary!
 Changed structure of APPLICATION env to:
    appname: {"url":"http...", "group":"groupname"}
 Adds various new group envs to support application grouping
--- a/system_tenant.yaml.tmpl
+++ b/system_tenant.yaml.tmpl
@ -2,34 +2,37 @@ version: 1
 metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
-  name: Custom System Tenant
+  name: Custom System brand
 entries:
 ### DEPENDENCIES
 - model: authentik_blueprints.metaapplyblueprint
  attrs:
    identifiers:
-      name: Default - Tenant
+      name: Default - Brand
    required: true
 - model: authentik_blueprints.metaapplyblueprint
  attrs:
    identifiers:
-      name: Invitation Enrollment Flow
+      name: Recovery with email verification
    required: true
-### SYSTEM TENANT
+### SYSTEM BRAND
-# remove custom tenant from old recipe
+# remove custom brand from old recipe
 - identifiers:
    domain: {{ env "DOMAIN" }}
-  model: authentik_tenants.tenant
+  model: authentik_brands.brand
  state: absent
 - attrs:
    attributes:
      settings:
-        locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }}
+        locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }} {{ if ne (env "THEME_BACKGROUND") "" }}
        theme:
          background: >
            background: {{ env "THEME_BACKGROUND" }} {{ end }}
    flow_recovery: !Find [authentik_flows.flow, [slug,  default-recovery-flow]]
  identifiers:
    default: true
    domain: authentik-default
-  model: authentik_tenants.tenant
+  model: authentik_brands.brand
--- a/vikunja.yaml.tmpl
+++ b/vikunja.yaml.tmpl
@ -8,12 +8,17 @@ entries:
 - attrs:
    access_code_validity: minutes=1
    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
    client_id: {{ secret  "vikunja_id" }}
    client_secret: {{ secret  "vikunja_secret" }}
    client_type: confidential
    include_claims_in_id_token: true
    issuer_mode: per_provider
    redirect_uris:
    - matching_mode: strict
      url: https://{{ env  "VIKUNJA_DOMAIN" }}/auth/openid/authentik
    name: Vikunja
    property_mappings:
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
--- a/wekan.yaml.tmpl
+++ b/wekan.yaml.tmpl
@ -25,12 +25,17 @@ entries:
 - attrs:
    access_code_validity: minutes=1
    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
    client_id: {{ secret  "wekan_id" }}
    client_secret: {{ secret  "wekan_secret" }}
    client_type: confidential
    include_claims_in_id_token: true
    issuer_mode: per_provider
    redirect_uris:
    - matching_mode: strict
      url: https://{{ env  "WEKAN_DOMAIN" }}/_oauth/oidc
    name: Wekan
    property_mappings:
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
--- a/wordpress.yaml.tmpl
+++ b/wordpress.yaml.tmpl
@ -8,12 +8,17 @@ entries:
 - attrs:
    access_code_validity: minutes=1
    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
    client_id: {{ secret  "wordpress_id" }}
    client_secret: {{ secret  "wordpress_secret" }}
    client_type: confidential
    include_claims_in_id_token: true
    issuer_mode: per_provider
    redirect_uris:
    - matching_mode: strict
      url: https://{{ env  "WORDPRESS_DOMAIN" }}/openid-connect-authorize
    name: Wordpress
    property_mappings:
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
--- a/zammad.yaml.tmpl
+++ b/zammad.yaml.tmpl
@ -0,0 +1,69 @@
 version: 1
 metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
  name: zammad
 entries:
 - attrs:
    expression: return request.user.name
    managed: null
    name: 'Zammad SAML Mapping: name'
    saml_name: name
  conditions: []
  identifiers:
    name: zammad_name_mapping
  id: zammad_name_mapping
  model: authentik_providers_saml.samlpropertymapping
  state: present
 - attrs:
    expression: return request.user.email
    managed: null
    name: 'Zammad SAML Mapping: email'
    saml_name: email
  conditions: []
  identifiers:
    name: zammad_email_mapping
  id: zammad_email_mapping
  model: authentik_providers_saml.samlpropertymapping
  state: present
 - attrs:
    acs_url: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/callback
    assertion_valid_not_before: minutes=-5
    assertion_valid_not_on_or_after: minutes=5
    audience: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/metadata
    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
    digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
    issuer: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/metadata
    name: zammad
    property_mappings:
    - !KeyOf zammad_name_mapping
    - !KeyOf zammad_email_mapping
    session_valid_not_on_or_after: minutes=86400
    sign_assertion: true
    signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
    signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
    sp_binding: post
  conditions: []
  id: zammad_provider
  identifiers:
    pk: 9989
  model: authentik_providers_saml.samlprovider
  state: present
 - attrs:
    meta_launch_url: ""
    open_in_new_tab: true
    policy_engine_mode: any
    provider: !KeyOf zammad_provider
    slug: zammad
  conditions: []
  id: zammad_application
  identifiers:
    name: Zammad
  model: authentik_core.application
  state: present
Author	SHA1	Message	Date
carla	5c4362493f	Updated release notes	2025-09-15 16:57:08 +02:00
carla	2b4bd31889	style: updated help and support icons	2025-09-15 16:50:59 +02:00
carla	051d904c9d	feat: adds envs and rename function to group and rename apps	2025-09-10 11:00:55 +02:00
Simon	538232baed	chore: publish 8.0.0+2025.8.1 release	2025-09-03 13:35:00 +02:00
iexos	c86640b0ab	fix recovery flow blueprint	2025-08-13 18:27:09 +02:00
3wc	711b67391a	chore: publish 7.4.1+2025.6.4 release	2025-07-23 17:29:37 +01:00
Moritz	96aedac582	chore: publish 7.4.0+2025.6.3 release	2025-07-01 18:09:32 +02:00
Moritz	3eb185d96a	add env REDIRECTS	2025-07-01 17:36:41 +02:00
Moritz	9855ad16a1	add env AUTHENTIK_DISABLE_UPDATE_CHECK	2025-07-01 14:35:23 +02:00
3wc	c15f2adcba	chore: publish 7.3.2+2025.6.2 release	2025-06-18 18:32:48 +01:00
trav	08118088a8	chore: publish 7.3.1+2025.6.1 release	2025-06-11 13:24:23 -04:00
trav	14e1d61343	chore: publish 7.3.0+2025.6.0 release	2025-06-04 13:22:03 -04:00
3wc	04a370699d	chore: publish 7.2.0+2025.4.1 release	2025-05-16 20:13:46 +02:00
decentral1se	efd67032cf	Merge pull request 'add commands to generate client id and secret' (#15 ) from benjaminlyng/authentik:docs/generating_nextcloud_SSO_secrets into main Reviewed-on: coop-cloud/authentik#15 Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>	2025-04-19 07:15:05 +00:00
Benjamin Lyng Jørgensen	6b627c6db7	add commands to generate client id and secret	2025-04-19 06:26:18 +02:00
3wc	c90b3c6881	chore: publish 7.1.0+2025.2.4 release	2025-04-09 13:53:38 +01:00
3wc	e7af2b541e	README tweaks	2025-04-09 13:52:41 +01:00
Moritz	ea9b0ebd55	Update custom css readme	2025-04-01 16:44:34 +02:00
Moritz	06aafce852	README: custom css	2025-04-01 16:40:03 +02:00
3wc	3c2b248304	chore: publish 7.0.3+2025.2.3 release	2025-03-28 16:42:41 +00:00
iexos	bda409290e	chore: publish 7.0.2+2025.2.2 release	2025-03-23 12:01:40 +01:00
many	77d79b3a07	chore: publish 7.0.1+2025.2.0 release	2025-02-28 16:34:52 -05:00
marlon	ac7192e6ab	Merge pull request 'Fix race condition when setting admin password with POST_DEPLOY_CMDS' (#13 ) from virtualboys/authentik:main into main Reviewed-on: coop-cloud/authentik#13 Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech> Reviewed-by: ammaratef45 <ammaratef45@proton.me>	2025-02-27 16:41:42 +00:00
many	d6bd030880	Fix race condition when setting admin password with POST_DEPLOY_CMDS	2025-02-26 17:21:09 -05:00
3wc	7a2c45137f	chore: publish 7.0.0+2025.2.0 release	2025-02-26 12:16:17 -05:00
Moritz	86ce0820bc	add vaultwarden icon	2025-02-24 15:22:15 +01:00
Simon	6fcba9ff03	add pretix icon	2025-02-13 14:45:32 +01:00
Moritz	43700b2562	add shell command	2025-02-11 15:07:52 +01:00
3wc	35d48cc4c4	chore: publish 6.12.0+2024.12.3 release	2025-02-05 12:16:36 -05:00
3wc	64100ce3a4	Merge branch 'main' of ssh://git.coopcloud.tech:2222/coop-cloud/authentik	2025-02-05 12:15:13 -05:00
3wc	abc1ed307c	Updates in response to PR feedback	2025-02-05 12:15:07 -05:00
knoflook	a5b5395bdf	update .env.sample and drop unused volume	2025-02-05 12:15:07 -05:00
knoflook	97ce2e451a	don't create a new volume	2025-02-05 12:15:07 -05:00
3wc	98a5d4b726	Work towards custom CSS in volume	2025-02-05 12:15:07 -05:00
Moritz	d0c924a864	chore: publish 6.11.1+2024.10.5 release	2025-01-20 22:28:24 +01:00
Moritz	5df1f34cd7	UX: rename matrix to element	2025-01-20 22:28:24 +01:00
Moritz	bc62831e58	fix blueprints: add redirect_uris	2025-01-20 22:28:20 +01:00
Moritz	fa854f6490	fix add_applications	2025-01-20 17:54:46 +01:00
Moritz	6abe8e67d4	add set_extra_icons function	2025-01-20 17:54:40 +01:00
Cassowary	d494d3ea5f	Update .drone.yml	2025-01-08 10:09:12 -08:00
3wordchant	344db235b0	Merge pull request 'Custom CSS in volume' (#9 ) from custom-css-volume into main Reviewed-on: coop-cloud/authentik#9	2025-01-07 15:16:21 +00:00
3wc	40e613f861	Updates in response to PR feedback	2025-01-07 10:15:53 -05:00
Moritz	47793df102	chore: publish 6.11.0+2024.10.5 release	2024-12-23 11:04:48 +01:00
knoflook	e2a8f2340f	update .env.sample and drop unused volume	2024-12-03 17:06:22 +01:00
knoflook	fc846af1e3	don't create a new volume	2024-12-03 16:39:32 +01:00
Simon	52719f8d3a	update readme on ldap outpost	2024-11-22 16:40:40 +01:00
Simon	0175c0b0f4	chore: publish 6.10.1+2024.10.4 release	2024-11-22 16:10:07 +01:00
Simon	9db9d077ca	chore: publish 6.10.0+2024.10.4 release	2024-11-22 16:00:34 +01:00
Simon	66e31d8632	chore: publish 6.9.0+2024.10.0 release	2024-11-22 15:56:55 +01:00
Simon	f1aec8ce90	add ldap outpost configuration	2024-11-22 15:54:52 +01:00
3wc	03797a34db	Work towards custom CSS in volume	2024-11-18 15:59:07 -05:00
Moritz	5e5da361e5	chore: publish 6.8.1+2024.10.0 release	2024-11-04 17:38:10 +01:00
Moritz	830214b1fd	fix custom css version	2024-11-04 17:26:02 +01:00
Moritz	6d46686a24	chore: publish 6.8.0+2024.10.0 release	2024-11-04 17:09:21 +01:00
Moritz	912691844e	fix provider blueprints	2024-11-04 17:09:21 +01:00
Moritz	84f8f5b165	fix traefik redirection for matrix well-known files	2024-11-04 13:13:30 +01:00
Moritz	aa107d0ad4	fix drone runner	2024-10-30 15:49:57 +01:00
Moritz	5e49903b3f	chore: publish 6.7.1+2024.8.3 release	2024-10-30 15:12:37 +01:00
Moritz	9124dab6ab	update pg_backup.sh	2024-10-22 21:32:26 +02:00
Moritz	197feb32f3	add ENABLE_BACKUPS label	2024-10-22 17:26:10 +02:00
Moritz	df670cea2b	add backup script	2024-10-15 19:39:57 +02:00
Moritz	eeef43529e	remove zammad meta_launch_url to enable autologin	2024-10-15 10:57:46 +02:00
Moritz	6b0195e5a1	update .env comment	2024-10-15 10:04:29 +02:00
moritz	f342673d43	Merge pull request 'default config sets POST_DEPLOY_CMDS, so that admin pass will get initialized' (#8 ) from marlon/authentik:main into main Reviewed-on: coop-cloud/authentik#8	2024-10-15 08:01:56 +00:00
Moritz	f6f6f90bed	update custom css	2024-10-01 22:57:54 +02:00
Moritz	f1f5b96309	chore: publish 6.7.0+2024.8.3 release	2024-09-30 15:10:48 +02:00
3wc	3cba20afd9	chore: publish 6.6.0+2024.8.2 release	2024-09-25 13:40:14 -04:00
Simon	bed917a28c	added release note for bbb icon change	2024-09-25 14:55:25 +02:00
marlon	5c9e4e5372	default config sets POST_DEPLOY_CMDS, so that admin pass will get initialized	2024-09-24 21:53:12 +00:00
Simon	f281c5f902	switch bbb icon	2024-09-24 12:40:32 +02:00
Moritz	ed41b0f113	add backup restore hook	2024-09-19 22:12:41 +02:00
Moritz	4f8b505e1e	update volumes and backupbot labels	2024-09-16 17:36:20 +02:00
Simon	18559defc1	chore: publish 6.5.0+2024.6.3 release	2024-09-11 14:23:47 +02:00
Simon	453e3d442a	add traefik redirection for matrix well-known files	2024-09-11 13:47:39 +02:00
Moritz	9214157959	update alaconnect.yml	2024-08-22 00:46:40 +02:00
Moritz	99bd647613	add zammad integration	2024-08-22 00:46:37 +02:00
Moritz	88333e2068	abra.sh: add get_user_uid() command	2024-08-21 23:05:51 +02:00
knoflook	a3f114834f	chore: publish 6.4.0+2024.6.3 release	2024-08-06 16:23:31 +02:00
3wc	e6e13eb1c7	chore: publish 6.3.1+2024.6.2 release	2024-08-01 13:21:39 -04:00
Moritz	3bc925d3fa	fix app icon paths	2024-07-17 14:42:25 +02:00
Moritz	f322f6a09e	fix monitoring blueprint pk	2024-07-17 14:27:34 +02:00
Moritz	24ff7ee444	fix alaconnect.yml for monitoring-ng	2024-07-17 13:43:12 +02:00
Moritz	38911193db	better healthchecks	2024-07-17 12:53:15 +02:00
Moritz	3b9bea3681	chore: publish 6.3.0+2024.6.1 release	2024-07-16 19:15:33 +02:00
iexos	e8016868fe	possible fix for coop-cloud/authentik#6	2024-07-11 00:14:30 +02:00
Simon	a00c7deb2c	chore: publish 6.2.0+2024.4.2 release	2024-06-10 14:31:56 +02:00
Simon	c1f0358f29	add admin mail env	2024-06-10 14:23:11 +02:00
Moritz	0be7e95f48	make abra.sh less verbose by ignoring RuntimeWarnings	2024-05-27 12:10:32 +02:00
3wc	4fe52c1e5f	Fix Drone CI	2024-05-16 15:18:09 -03:00
3wc	248a09c594	chore: publish 6.1.1+2024.4.2 release	2024-05-16 15:09:40 -03:00
Simon	b957425981	chore: publish 6.1.0+2024.4.2 release	2024-05-15 16:42:35 +02:00
Moritz	20f99b13ad	add alakazam integration file alaconnect.yml	2024-05-13 17:28:58 +02:00
Moritz	c42017839f	update quieten() function to make output less verbose	2024-05-08 21:50:39 +02:00
Moritz	cdabec1b18	make get_certificate more general	2024-05-08 21:50:09 +02:00
Moritz	a606a84a98	make import_user command more verbose	2024-05-08 21:00:19 +02:00
Simon	a0505e0dec	add function to output certificate	2024-05-08 12:52:26 +02:00
Simon	17d40711e0	add kimai saml integration	2024-05-08 12:34:07 +02:00
Moritz	fc33f285f4	make import_user command more verbose	2024-05-06 12:26:25 +02:00
3wc	d1f091da62	chore: publish 6.0.0+2024.4.0 release	2024-04-27 14:39:01 -03:00
3wc	3e339228f5	Merge branch 'custom-css'	2024-04-27 14:37:27 -03:00
3wc	c39b6ad25a	New approach to custom CSS relying on COPY_ASSETS	2024-04-27 13:55:42 -03:00
3wc	1ffb62d74a	chore: publish 5.2.1+2024.4.0 release	2024-04-26 12:47:18 -03:00
3wc	03f8810462	chore: publish 5.2.1+2024.4.0 release	2024-04-25 17:27:05 -03:00
3wc	d19bf17781	Revert "feat: make themeing easier" This reverts commit `e07d57718a`.	2024-04-25 17:26:01 -03:00
3wc	5086df24fb	chore: publish 5.2.0+2024.4.0 release	2024-04-25 14:27:52 -03:00
knoflook	e07d57718a	feat: make themeing easier	2024-04-23 16:51:50 +02:00
Simon	553b97ba21	chore: publish 5.1.1+2024.2.3 release	2024-04-18 11:35:02 +02:00
Simon	75f42db773	chore: publish 5.1.0+2024.2.3 release	2024-04-18 11:32:33 +02:00
Simon	d115d5ce38	Merge branch 'main' of ssh://git.coopcloud.tech:2222/coop-cloud/authentik	2024-04-18 10:56:04 +02:00
Simon	68eda3e2d7	WIP upgrade	2024-04-17 14:59:23 +02:00
Moritz	91756202c2	fix hedgedoc	2024-04-01 18:40:26 +02:00
Moritz	bf2397b0e9	add hedgedoc	2024-04-01 16:43:43 +02:00
Moritz	c3b01c1d27	fix primary keys for outline and rallly	2024-04-01 16:36:34 +02:00
Simon	8d32814219	chore: publish 5.0.2+2024.2.2 release	2024-03-14 10:40:25 +01:00
Simon	78cfd95198	chore: publish 5.0.1+2024.2.2 release	2024-03-12 15:00:08 +01:00
Simon	4593eb6340	bump blueprint version	2024-03-12 14:59:15 +01:00
Simon	0419ed279d	chore: publish 5.0.0+2024.2.2 release	2024-03-12 14:27:32 +01:00
Simon	abb49e7019	chore: publish 4.3.0+2023.10.7 release	2024-03-12 11:13:25 +01:00
Simon	74f654c192	WIP upgrade	2024-03-06 14:28:51 +01:00
Simon	7a4daaf475	chore: publish 4.2.0+2023.10.7 release	2024-02-13 16:57:46 +01:00
Simon	b7605f6a87	add rallly oidc	2024-02-13 15:58:58 +01:00
3wc	01ca1b4d5c	chore: publish 4.1.1+2023.10.7 release	2024-02-08 14:23:07 -03:00
Simon	287426b06a	chore: publish 4.1.0+2023.10.5 release	2024-02-08 00:22:17 +01:00
iexos	b311cadc4c	chore: publish 4.0.0+2023.10.5 release	2023-12-21 19:49:05 +01:00
Moritz	d01c539c4f	add container depedencies	2023-12-18 08:50:37 +01:00
Moritz	427644df38	increase default timeout	2023-12-07 16:32:39 +01:00
iexos	f4172f2a64	chore: publish 3.3.1+2023.8.5 release	2023-11-22 21:36:27 +01:00
iexos	126b50d4bd	chore: publish 3.3.0+2023.8.5 release	2023-11-22 19:41:48 +01:00
Moritz	3e7ceaaf25	chore: publish 3.2.4+2023.6.1 release	2023-10-31 21:10:03 +01:00
Moritz	a0ee0a357d	bump some more versions after 566bff	2023-10-31 21:08:28 +01:00
Moritz	1b74a88809	chore: publish 3.2.3+2023.6.1 release	2023-10-31 21:00:58 +01:00
Moritz	905fbdb69a	bump SYSTEM_TENANT_VERSION after 566bff	2023-10-31 21:00:06 +01:00
Moritz	fcf76aeba0	add release note for 3.2.0+2023.6.1	2023-10-31 20:53:13 +01:00
Moritz	03743063df	chore: publish 3.2.2+2023.6.1 release	2023-10-25 16:09:49 +02:00
Moritz	080ccae2ab	add EXTRA_DOMAINS env	2023-10-25 15:26:38 +02:00
Moritz	7d17f104f1	add bbb icon	2023-10-19 22:12:16 +02:00
Moritz	dcf74287c5	chore: publish 3.2.1+2023.6.1 release	2023-10-19 16:23:37 +02:00
iexos	4972e3b141	add custom email templates	2023-08-14 09:43:12 +00:00
Moritz	566bffb7af	Fix nondeterministic blueprint behaviour	2023-08-01 02:32:24 +02:00
Philipp Rothmann	3df66b1be7	chore: publish 3.2.0+2023.6.1 release	2023-07-25 11:41:33 +02:00
Moritz	159f9d767d	fix element domain env	2023-07-10 18:03:52 +02:00
Moritz	f20e087752	comment post deploy commands	2023-07-10 02:40:45 +02:00
Moritz	3de29f0135	security: don't expose docker socket by default	2023-07-06 15:15:02 +02:00
		`@ -0,0 +1 @@`
							<?xml version="1.0" encoding="UTF-8"?><svg id="Ebene_1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 128 128"><defs><style>.cls-1{fill:#3b1c4a;}</style></defs><path class="cls-1" d="m50.67,56.95c-.72.1-1.22.3-1.66.5l2.38,16.91c.41.08.95.13,1.6.04,3.52-.5,4.61-3.64,3.81-9.39-.83-5.87-2.53-8.56-6.12-8.06Z"/><path class="cls-1" d="m116.04,35.05c.71-.17,1.16-.76,1.06-1.48L112.54,1.13c-.1-.72-.77-1.22-1.49-1.12l-37.5,5.27.73,5.22c.16,1.12-.62,2.15-1.74,2.31s-2.15-.62-2.31-1.74l-.73-5.22L1.13,15.46c-.72.1-1.22.77-1.12,1.49l4.56,32.44c.1.72.7,1.17,1.42,1.13,11.25-.92,21.43,7.1,23.03,18.46,1.6,11.36-5.99,21.81-17.07,23.96-.71.17-1.16.76-1.06,1.48l4.56,32.44c.1.72.77,1.22,1.49,1.12l68.37-9.61-.73-5.22c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l.73,5.22,37.5-5.27c.72-.1,1.22-.77,1.12-1.49l-4.56-32.44c-.1-.72-.7-1.17-1.42-1.13-11.25.92-21.42-7.04-23.02-18.4-1.6-11.36,5.98-21.87,17.06-24.03Zm-59.84,44.75c-1.76.25-3.29.26-4.04.17l1.59,11.29-9.92,1.39-5.3-37.73c2.5-1.62,5.96-3.03,11.38-3.8,8.68-1.22,15.27,2.58,16.66,12.44,1.25,8.88-3.12,15.21-10.36,16.23Zm30.73,20.71c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31,1.12-.16,2.15.62,2.31,1.74l1.47,10.44Zm-3.16-22.45c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l1.47,10.44Z"/></svg>
		`@ -0,0 +1 @@`
							`If you use your own outpost you need to uncomment COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml" to expose the docker socket again.`
		`@ -0,0 +1 @@`
							`It is only possible to upgrade to 2023.10 from 2023.8, you need to update to 2023.8.x before applying this update`
		`@ -0,0 +1 @@`
							`Blueprint changes are applied and automatic migrations should work, however, manual action may be required: https://docs.goauthentik.io/docs/releases/2024.2`
		`@ -0,0 +1 @@`
							`Due to blueprint changes, you need to run the following command after upgrading: abra app cmd -C <Domain> worker apply_blueprints`
		`@ -0,0 +1 @@`
							`Alerta! ⚠️ If you are using AUTHENTIK_COLOR_BACKGROUND_LIGHT, you will need to set COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"`
		`@ -0,0 +1 @@`
							`Replaced icon bbb.jpg with icon.png - configs need to be updated when upgrading!`