fix nextcloud integration

Reviewed-on: coop-cloud/authentik#8

.drone.yml

@@ -23,13 +23,15 @@ steps:
       FLOW_INVALIDATION_VERSION: v1
       FLOW_RECOVERY_VERSION: v1
       FLOW_TRANSLATION_VERSION: v1
-      SYSTEM_TENANT_VERSION: v1
+      SYSTEM_BRAND_VERSION: v1
       NEXTCLOUD_CONFIG_VERSION: v1
       SECRET_SECRET_KEY_VERSION: v1
       SECRET_DB_PASSWORD_VERSION: v1
       SECRET_ADMIN_TOKEN_VERSION: v1
       SECRET_ADMIN_PASS_VERSION: v1
       SECRET_EMAIL_PASS_VERSION: v1
+      DB_ENTRYPOINT_VERSION: v1
+      PG_BACKUP_VERSION: v2
 trigger:
   branch:
     - main

.env.sample

@@ -1,8 +1,10 @@
 TYPE=authentik
-TIMEOUT=300
+TIMEOUT=900
 ENABLE_AUTO_UPDATE=true
-# POST_DEPLOY_CMDS="worker set_admin_pass|worker apply_blueprints|worker add_applications"
+POST_DEPLOY_CMDS="worker set_admin_pass"
+# Example values for post deploy cmds: "worker set_admin_pass|worker apply_blueprints|worker add_applications"
 LETS_ENCRYPT_ENV=production
+ENABLE_BACKUPS=true
 
 DOMAIN=authentik.example.com
 ## Domain aliases
@@ -16,6 +18,11 @@ AUTHENTIK_LOG_LEVEL=info
 
 ## Outpost Integration
 # COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml"
+# COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.ldap.yml"
+# SECRET_LDAP_TOKEN_VERSION=v1
+
+## ADMIN
+AUTHENTIK_BOOTSTRAP_EMAIL=admin@example.com
 
 ## EMAIL
 AUTHENTIK_EMAIL__HOST=smtp
@@ -34,7 +41,6 @@ SECRET_ADMIN_PASS_VERSION=v1
 SECRET_EMAIL_PASS_VERSION=v1
 
 # X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
-AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
 
 ## FLOW OPTIONS
 # WELCOME_MESSAGE="Welcome to Authentik"
@@ -47,6 +53,12 @@ COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
 COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/"
 COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 
+# Default CSS customisation
+# COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
+# BACKGROUND_FONT_COLOR=white
+# BACKGROUND_BOX_COLOR='#eaeaeacf'
+# THEME_BACKGROUND="url('https://authentik.example.com/static/dist/assets/images/flow_background.jpg'); background-position: center; background-repeat: no-repeat; background-size: cover;"
+
 # COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
 # NEXTCLOUD_DOMAIN=nextcloud.example.com
 # SECRET_NEXTCLOUD_ID_VERSION=v1
@@ -62,6 +74,7 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
 # ELEMENT_DOMAIN=element-web.example.com
+# MATRIX_DOMAIN=matrix-synapse.example.com
 # SECRET_MATRIX_ID_VERSION=v1
 # SECRET_MATRIX_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS matrix:~/.abra/recipes/authentik/icons/matrix.svg"
@@ -78,13 +91,40 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 # SECRET_VIKUNJA_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS vikunja:~/.abra/recipes/authentik/icons/vikunja.svg"
 
+# COMPOSE_FILE="$COMPOSE_FILE:compose.outline.yml"
+# OUTLINE_DOMAIN=outline.example.com
+# SECRET_OUTLINE_ID_VERSION=v1
+# SECRET_OUTLINE_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS outline:~/.abra/recipes/authentik/icons/outline.png"
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.kimai.yml"
+# KIMAI_DOMAIN=kimai.example.com
+# SECRET_KIMAI_ID_VERSION=v1
+# SECRET_KIMAI_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS kimai:~/.abra/recipes/authentik/icons/kimai_logo.png"
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.zammad.yml"
+# ZAMMAD_DOMAIN=zammad.example.com
+# APP_ICONS="$APP_ICONS zammad:~/.abra/recipes/authentik/icons/zammad.svg"
+
 # COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml"
 # MONITORING_DOMAIN=monitoring.example.com
 # SECRET_MONITORING_ID_VERSION=v1
 # SECRET_MONITORING_SECRET_VERSION=v1
-# APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.png"
+# APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.svg"
 
-# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/", "Rallly":"https://rallly.example.cloud/"}'
+# COMPOSE_FILE="$COMPOSE_FILE:compose.rallly.yml"
+# RALLLY_DOMAIN=rallly.example.com
+# SECRET_RALLLY_ID_VERSION=v1
+# SECRET_RALLLY_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS rallly:~/.abra/recipes/authentik/icons/rallly.png"
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.hedgedoc.yml"
+# HEDGEDOC_DOMAIN=hedgedoc.example.com
+# SECRET_HEDGEDOC_ID_VERSION=v1
+# SECRET_HEDGEDOC_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS hedgedoc:~/.abra/recipes/authentik/icons/hedgedoc.png"
+
+# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/"}'
 # APP_ICONS="$APP_ICONS Calendar:~/.abra/recipes/authentik/icons/calendar.svg"
-# APP_ICONS="$APP_ICONS Rallly:~/.abra/recipes/authentik/icons/rallly.png"
-# APP_ICONS="$APP_ICONS BBB:~/.abra/recipes/authentik/icons/bbb.jpg"
+# APP_ICONS="$APP_ICONS BBB:~/.abra/recipes/authentik/icons/bbb.png"

README.md

@@ -54,6 +54,14 @@ Set the nextcloud Icon using `abra app cmd -l -d <app_name> set_icons`
 
 The configuration inside Nextcloud can be found in the [nextcloud recipe](https://git.coopcloud.tech/coop-cloud/nextcloud#authentik-integration)
 
+## Add LDAP outpost
+
+- Follow [this official guide](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap/generic_setup) and skip the LDAP Flow as we don't need it.
+- Copy token under `Applications` -> `Outposts` `-> `View Deployment Info` 
+- Comment in envs for compose.outposts.ldap.yaml and secret version
+- Insert token as secret `abra app secret insert <DOMAIN> ldap_token v1 <TOKEN>`
+- Update deployment -> Outpost should be up and running
+
 ## Import User from CSV
 
 Users can be imported from a CSV file of the following format:
@@ -167,9 +175,9 @@ The `abra.sh` function `apply_blueprints` needs to be executed to deactivate the
     - Default - Source enrollment flow
         - OVERWRITE:
             - `default-source-enrollment-field-username`
-- Custom System Tenant
-    - Default - Tenant
-        - APPEND: `authentik_tenants.tenant  domain: authentik-default`
+- Custom System Brand
+    - Default - Brand
+        - APPEND: `authentik_brands.brand  domain: authentik-default`
     - Recovery with email verification
         - USE:
             - `default-recovery-flow`
@@ -177,8 +185,8 @@ The `abra.sh` function `apply_blueprints` needs to be executed to deactivate the
 
 ### Blueprint Dependency Execution Order
 
-5. Custom System Tenant
-    - Default - Tenant
+5. Custom System Brand
+    - Default - Brand
     1. Recovery with email verification
         - Default - Authentication flow
             - Default - Password change flow

abra.sh

@@ -1,16 +1,23 @@
-export CUSTOM_CSS_VERSION=v2
-export FLOW_AUTHENTICATION_VERSION=v3
-export FLOW_INVITATION_VERSION=v1
+export CUSTOM_CSS_VERSION=v3
+export FLOW_AUTHENTICATION_VERSION=v4
+export FLOW_INVITATION_VERSION=v2
 export FLOW_INVALIDATION_VERSION=v2
 export FLOW_RECOVERY_VERSION=v1
-export FLOW_TRANSLATION_VERSION=v2
-export SYSTEM_TENANT_VERSION=v2
-export NEXTCLOUD_CONFIG_VERSION=v1
-export WORDPRESS_CONFIG_VERSION=v2
-export MATRIX_CONFIG_VERSION=v1
-export WEKAN_CONFIG_VERSION=v3
-export VIKUNJA_CONFIG_VERSION=v1
-export MONITORING_CONFIG_VERSION=v1
+export FLOW_TRANSLATION_VERSION=v3
+export SYSTEM_BRAND_VERSION=v4
+export NEXTCLOUD_CONFIG_VERSION=v2
+export WORDPRESS_CONFIG_VERSION=v3
+export MATRIX_CONFIG_VERSION=v2
+export WEKAN_CONFIG_VERSION=v4
+export VIKUNJA_CONFIG_VERSION=v2
+export OUTLINE_CONFIG_VERSION=v3
+export KIMAI_CONFIG_VERSION=v2
+export ZAMMAD_CONFIG_VERSION=v3
+export RALLLY_CONFIG_VERSION=v3
+export HEDGEDOC_CONFIG_VERSION=v2
+export MONITORING_CONFIG_VERSION=v3
+export DB_ENTRYPOINT_VERSION=v1
+export PG_BACKUP_VERSION=v2
 
 customize() {
     if [ -z "$1" ]
@@ -51,15 +58,19 @@ with open('/tmp/$1', newline='') as file:
     email = row[2].strip()
     groups = row[3].split(';')
     if User.objects.filter(username=username):
+        print(f'{username} already exists')
         continue
     new_user = User.objects.create(name=name, username=username, email=email)
+    print(f'{username} created')
     for group_name in groups:
         group_name = group_name.strip()
         if Group.objects.filter(name=group_name):
             group = Group.objects.get(name=group_name)
         else:
             group = Group.objects.create(name=group_name)
+            print(f'{group_name} created')
         group.users.add(new_user)
+        print(f'add {username} to group {group_name}')
 """ 2>&1 | quieten
 }
 
@@ -167,7 +178,9 @@ for name, url in applications.items():
 
 
 quieten(){
-    grep -v -e '{"event"' -e '{"action"'
+    # 'SyntaxWarning|version_regex|"http\['
+    # is a workaround to get rid of some verbose syntax warnings, this might be fixed with another version
+    grep -Pv '"level": "(info|debug)"|SyntaxWarning|version_regex|"http\[|RuntimeWarning:'
 }
 
 add_email_templates(){
@@ -214,7 +227,26 @@ delete_flows = ['default-recovery-flow' , 'custom-authentication-flow' , 'invita
 Flow.objects.filter(slug__in=delete_flows).delete()
 Stage.objects.filter(flow=None).delete()
 Prompt.objects.filter(promptstage=None).delete()
-Tenant.objects.filter(default=True).delete()
+Brand.objects.filter(default=True).delete()
 """ 2>&1 | quieten
 apply_blueprints
 }
+
+get_certificate() {
+/manage.py shell -c """
+provider_name='$1'
+if not provider_name:
+    print('no Provider Name given')
+    exit(1)
+provider = Provider.objects.filter(name=provider_name).first()
+saml = provider.samlprovider
+cert = saml.signing_kp
+print(''.join(cert.certificate_data.splitlines()[1:-1]))
+""" 2>&1 | quieten
+}
+
+get_user_uid() {
+/manage.py shell -c """
+print(User.objects.filter(username='$1').first().uid)
+""" 2>&1 | quieten
+}

alaconnect.yml

@@ -0,0 +1,89 @@
+nextcloud:
+    uncomment:
+        - compose.nextcloud.yml
+        - NEXTCLOUD_DOMAIN
+        - SECRET_NEXTCLOUD_ID_VERSION
+        - SECRET_NEXTCLOUD_SECRET_VERSION
+        - nextcloud.png
+wordpress:
+    uncomment:
+        - compose.wordpress.yml
+        - WORDPRESS_DOMAIN
+        - WORDPRESS_GROUP
+        - SECRET_WORDPRESS_ID_VERSION
+        - SECRET_WORDPRESS_SECRET_VERSION
+        - wordpress.png
+matrix-synapse:
+    uncomment:
+        - compose.matrix.yml
+        - ELEMENT_DOMAIN
+        - MATRIX_DOMAIN
+        - SECRET_MATRIX_ID_VERSION
+        - SECRET_MATRIX_SECRET_VERSION
+        - matrix.svg
+    secrets:
+        matrix_id: matrix
+wekan:
+    uncomment:
+        - compose.wekan.yml
+        - WEKAN_DOMAIN
+        - SECRET_WEKAN_ID_VERSION
+        - SECRET_WEKAN_SECRET_VERSION
+        - wekan.png
+    secrets:
+        wekan_id: wekan
+vikunja:
+    uncomment:
+        - compose.vikunja.yml
+        - VIKUNJA_DOMAIN
+        - SECRET_VIKUNJA_ID_VERSION
+        - SECRET_VIKUNJA_SECRET_VERSION
+        - vikunja.svg
+    secrets:
+        vikunja_id: vikunja
+kimai:
+    uncomment:
+        - compose.kimai.yml
+        - KIMAI_DOMAIN
+        - SECRET_KIMAI_ID_VERSION
+        - SECRET_KIMAI_SECRET_VERSION
+        - kimai_logo.png
+zammad:
+    uncomment:
+        - compose.zammad.yml
+        - ZAMMAD_DOMAIN
+        - zammad.svg
+monitoring-ng:
+    uncomment:
+        - compose.monitoring.yml
+        - MONITORING_DOMAIN
+        - SECRET_MONITORING_ID_VERSION
+        - SECRET_MONITORING_SECRET_VERSION
+        - monitoring.png
+outline:
+    uncomment:
+        - compose.outline.yml
+        - OUTLINE_DOMAIN
+        - SECRET_OUTLINE_ID_VERSION
+        - SECRET_OUTLINE_SECRET_VERSION
+        - outline.png
+    secrets:
+        outline_id: outline
+rallly:
+    uncomment:  
+        - compose.rallly.yml
+        - RALLLY_DOMAIN
+        - SECRET_RALLLY_ID_VERSION
+        - SECRET_RALLLY_SECRET_VERSION
+        - rallly.png
+    secrets:
+        rallly_id: rallly
+hedgedoc:
+    uncomment:  
+        - compose.hedgedoc.yml
+        - HEDGEDOC_DOMAIN
+        - SECRET_HEDGEDOC_ID_VERSION
+        - SECRET_HEDGEDOC_SECRET_VERSION
+        - hedgedoc.png
+    secrets:
+        hedgedoc_id: hedgedoc

compose.css.yml

@@ -0,0 +1,14 @@
+---
+version: '3.8'
+
+services:
+  app:
+    configs: 
+      - source: custom_css
+        target: /web/dist/custom.css
+
+configs:
+  custom_css:
+    name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
+    file: custom.css.tmpl
+    template_driver: golang

compose.hedgedoc.yml

@@ -0,0 +1,26 @@
+version: "3.8"
+services:
+  worker:
+    secrets:
+      - hedgedoc_id
+      - hedgedoc_secret
+    environment:
+      - HEDGEDOC_DOMAIN
+    configs:
+      - source: hedgedoc
+        target: /blueprints/hedgedoc.yaml
+
+secrets:
+  hedgedoc_id:
+    external: true
+    name: ${STACK_NAME}_hedgedoc_id_${SECRET_HEDGEDOC_ID_VERSION}
+  hedgedoc_secret:
+    external: true
+    name: ${STACK_NAME}_hedgedoc_secret_${SECRET_HEDGEDOC_SECRET_VERSION}
+
+
+configs:
+  hedgedoc:
+    name: ${STACK_NAME}_hedgedoc_${HEDGEDOC_CONFIG_VERSION}
+    file: hedgedoc.yaml.tmpl
+    template_driver: golang

compose.kimai.yml

@@ -0,0 +1,14 @@
+version: "3.8"
+services:
+  worker:
+    environment:
+      - KIMAI_DOMAIN
+    configs:
+      - source: kimai
+        target: /blueprints/kimai.yaml
+
+configs:
+  kimai:
+    name: ${STACK_NAME}_kimai_${KIMAI_CONFIG_VERSION}
+    file: kimai.yaml.tmpl
+    template_driver: golang

compose.matrix.yml

@@ -1,5 +1,11 @@
 version: "3.8"
 services:
+  app:
+    deploy:
+      labels:
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect-matrix-well-known"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.regex=^https://(.*)/.well-known/matrix/(.*)"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.replacement=https://${MATRIX_DOMAIN}/.well-known/matrix/$$2"
   worker:
     secrets:
       - matrix_id

compose.outline.yml

@@ -0,0 +1,26 @@
+version: "3.8"
+services:
+  worker:
+    secrets:
+      - outline_id
+      - outline_secret
+    environment:
+      - OUTLINE_DOMAIN
+    configs:
+      - source: outline
+        target: /blueprints/outline.yaml
+
+secrets:
+  outline_id:
+    external: true
+    name: ${STACK_NAME}_outline_id_${SECRET_OUTLINE_ID_VERSION}
+  outline_secret:
+    external: true
+    name: ${STACK_NAME}_outline_secret_${SECRET_OUTLINE_SECRET_VERSION}
+
+
+configs:
+  outline:
+    name: ${STACK_NAME}_outline_${OUTLINE_CONFIG_VERSION}
+    file: outline.yaml.tmpl
+    template_driver: golang

compose.outposts.ldap.yml

@@ -0,0 +1,23 @@
+version: "3.8"
+services:
+  authentik_ldap:
+      image: ghcr.io/goauthentik/ldap:2024.10.5
+      # Optionally specify which networks the container should be
+      # might be needed to reach the core authentik server
+      networks:
+        - internal
+        - proxy
+      ports:
+        - 389:3389
+        - 636:6636
+      secrets:
+        - ldap_token
+      environment:
+        - AUTHENTIK_HOST=https://${DOMAIN}
+        - AUTHENTIK_INSECURE=true
+        - AUTHENTIK_TOKEN=file:///run/secrets/ldap_token
+
+secrets:
+  ldap_token:
+    external: true
+    name: ${STACK_NAME}_ldap_token_${SECRET_LDAP_TOKEN_VERSION}

compose.rallly.yml

@@ -0,0 +1,26 @@
+version: "3.8"
+services:
+  worker:
+    secrets:
+      - rallly_id
+      - rallly_secret
+    environment:
+      - RALLLY_DOMAIN
+    configs:
+      - source: rallly
+        target: /blueprints/rallly.yaml
+
+secrets:
+  rallly_id:
+    external: true
+    name: ${STACK_NAME}_rallly_id_${SECRET_RALLLY_ID_VERSION}
+  rallly_secret:
+    external: true
+    name: ${STACK_NAME}_rallly_secret_${SECRET_RALLLY_SECRET_VERSION}
+
+
+configs:
+  rallly:
+    name: ${STACK_NAME}_rallly_${RALLLY_CONFIG_VERSION}
+    file: rallly.yaml.tmpl
+    template_driver: golang

compose.yml

@@ -17,10 +17,11 @@ x-env: &env
     - AUTHENTIK_EMAIL__TIMEOUT
     - AUTHENTIK_EMAIL__FROM
     - AUTHENTIK_LOG_LEVEL
-    - AUTHENTIK_SETTINGS__THEME__BACKGROUND
-    - AUTHENTIK_COLOR_BACKGROUND_LIGHT
+    - BACKGROUND_FONT_COLOR=${BACKGROUND_FONT_COLOR:-white}
+    - BACKGROUND_BOX_COLOR=${BACKGROUND_BOX_COLOR:-#eaeaeacf}
     - AUTHENTIK_FOOTER_LINKS
     - AUTHENTIK_IMPERSONATION
+    - AUTHENTIK_BOOTSTRAP_EMAIL
     - WELCOME_MESSAGE
     - DEFAULT_LANGUAGE
     - EMAIL_SUBJECT
@@ -28,12 +29,16 @@ x-env: &env
     - DOMAIN
     - LOGOUT_REDIRECT
     - APPLICATIONS
+    - THEME_BACKGROUND
 
 version: '3.8'
 services:
   app:
-    image: ghcr.io/goauthentik/server:2023.6.1
+    image: ghcr.io/goauthentik/server:2024.10.5
     command: server
+    depends_on:
+      - db
+      - redis
     secrets:
       - db_password
       - admin_pass
@@ -44,23 +49,17 @@ services:
       - media:/media
       - assets:/web/dist/assets
       - templates:/templates
-    configs:
-      - source: custom_css
-        target: /web/dist/custom.css
     networks:
       - internal
       - proxy
     healthcheck:
-      test: "bash -c 'printf \"GET / HTTP/1.1\n\n\" > /dev/tcp/127.0.0.1/9000; exit $$?;'"
+      test: "ak healthcheck"
       interval: 30s
-      timeout: 10s
+      timeout: 30s
       retries: 10
       start_period: 5m
     environment: *env
     deploy:
-      update_config:
-        failure_action: rollback
-        order: start-first
       labels:
         - "traefik.enable=true"
         - "traefik.docker.network=proxy"
@@ -73,12 +72,15 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=3.2.4+2023.6.1"
+        - "coop-cloud.${STACK_NAME}.version=6.11.0+2024.10.5"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
 
   worker:
-    image: ghcr.io/goauthentik/server:2023.6.1
+    image: ghcr.io/goauthentik/server:2024.10.5
     command: worker
+    depends_on:
+      - db
+      - redis
     secrets:
       - db_password
       - admin_pass
@@ -89,10 +91,10 @@ services:
       - internal
       - proxy
     volumes:
-      - backups:/backups
       - media:/media
       - /dev/null:/blueprints/default/flow-oobe.yaml
       - templates:/templates
+      - certs:/certs
     configs:
       - source: flow_recovery
         target: /blueprints/1_flow_recovery.yaml
@@ -102,16 +104,31 @@ services:
         target: /blueprints/3_flow_translation.yaml
       - source: flow_invitation
         target: /blueprints/4_flow_invitation.yaml
-      - source: system_tenant
-        target: /blueprints/5_system_tenant.yaml
+      - source: system_brand
+        target: /blueprints/5_system_brand.yaml
       - source: flow_invalidation
         target: /blueprints/6_flow_invalidation.yaml
     environment: *env
+    healthcheck:
+      test: "ak healthcheck"
+      interval: 30s
+      timeout: 30s
+      retries: 10
+      start_period: 5m
 
   db:
-    image: postgres:12.15-alpine
+    image: postgres:15.8
     secrets:
       - db_password
+    configs:
+      - source: db_entrypoint
+        target: /docker-entrypoint.sh
+        mode: 0555
+      - source: pg_backup
+        target: /pg_backup.sh
+        mode: 0555
+    entrypoint:
+      /docker-entrypoint.sh
     volumes:
       - database:/var/lib/postgresql/data
     networks:
@@ -128,21 +145,25 @@ services:
       - POSTGRES_DB=authentik
     deploy:
       labels:
-          backupbot.backup: "true"
-          backupbot.backup.pre-hook: "PGPASSWORD=$$(cat /run/secrets/db_password) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
-          backupbot.backup.post-hook: "rm -rf /var/lib/postgresql/data/backup.sql"
-          backupbot.backup.path: "/var/lib/postgresql/data"
+          backupbot.backup: "${ENABLE_BACKUPS:-true}"
+          backupbot.backup.pre-hook: "/pg_backup.sh backup"
+          backupbot.backup.volumes.database.path: "backup.sql"
+          backupbot.backup.volumes.redis: "false"
+          backupbot.restore.post-hook: '/pg_backup.sh restore'
 
   redis:
-    image:  redis:7.0.12-alpine
+    image:  redis:7.4.1-alpine
+    command: --save 60 1 --loglevel warning
     networks:
       - internal
     healthcheck:
-      test: ["CMD", "redis-cli","ping"]
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
       interval: 30s
       timeout: 10s
       retries: 10
       start_period: 1m
+    volumes:
+        - redis:/data
 
 secrets:
   db_password:
@@ -167,17 +188,14 @@ networks:
   internal:
 
 volumes:
-  backups:
   media:
+  certs:
+  redis:
   templates:
   assets:
   database:
 
 configs:
-  custom_css:
-    name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
-    file: custom.css.tmpl
-    template_driver: golang
   flow_authentication:
     name: ${STACK_NAME}_flow_authentication_${FLOW_AUTHENTICATION_VERSION}
     file: flow_authentication.yaml.tmpl
@@ -198,7 +216,14 @@ configs:
     name: ${STACK_NAME}_flow_translation_${FLOW_TRANSLATION_VERSION}
     file: flow_translation.yaml.tmpl
     template_driver: golang
-  system_tenant:
-    name: ${STACK_NAME}_system_tenant_${SYSTEM_TENANT_VERSION}
-    file: system_tenant.yaml.tmpl
+  system_brand:
+    name: ${STACK_NAME}_system_brand_${SYSTEM_BRAND_VERSION}
+    file: system_brand.yaml.tmpl
     template_driver: golang
+  db_entrypoint:
+    name: ${STACK_NAME}_db_entrypoint_${DB_ENTRYPOINT_VERSION}
+    file: entrypoint.postgres.sh.tmpl
+    template_driver: golang
+  pg_backup:
+    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
+    file: pg_backup.sh

compose.zammad.yml

@@ -0,0 +1,14 @@
+version: "3.8"
+services:
+  worker:
+    environment:
+      - ZAMMAD_DOMAIN
+    configs:
+      - source: zammad
+        target: /blueprints/zammad.yaml
+
+configs:
+  zammad:
+    name: ${STACK_NAME}_zammad_${ZAMMAD_CONFIG_VERSION}
+    file: zammad.yaml.tmpl
+    template_driver: golang

custom.css.tmpl

@@ -1,24 +1,13 @@
 /* my custom css */
 
-
 :root {
-    --ak-accent: #fd4b2d;
-
-    --ak-dark-foreground: #fafafa;
-    --ak-dark-foreground-darker: #bebebe;
-    --ak-dark-foreground-link: #5a5cb9;
-    --ak-dark-background: #18191a;
-    --ak-dark-background-darker: #000000;
-
-
-    --ak-dark-background-light: {{ env "AUTHENTIK_COLOR_BACKGROUND_LIGHT" }};
-    --ak-dark-background-light-ish: #212427;
-    --ak-dark-background-lighter: #2b2e33;
-
-    --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
-    --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
-    --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
-    --pf-c-background-image--BackgroundImage--sm-2x: var(--ak-flow-background);
-    --pf-c-background-image--BackgroundImage--lg: var(--ak-flow-background);
+        --pf-global--BackgroundColor--100: {{ env "BACKGROUND_BOX_COLOR" }} !important;
 }
 
+.pf-c-login__main {
+        background-color: {{ env "BACKGROUND_BOX_COLOR" }};
+}
+
+.pf-c-content h1 {
+        color: {{ env "BACKGROUND_FONT_COLOR" }};
+}

custom_flows.yaml.tmpl

@@ -1,405 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: Custom - Flows
-context:
-  welcome_message: {{ if eq (env "WELCOME_MESSAGE") "" }} "Welcome to authentik!" {{ else }} {{ env "WELCOME_MESSAGE" }} {{ end }}
-####### Translations ########
-  transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort Zurücksetzen" {{ else }} "Reset your password" {{ end }}
-  transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort" {{ else }} "Password" {{ end }}
-  transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort (wiederholen)" {{ else }} "Password (repeat)" {{ end }}
-  transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Benutzername" {{ else }} "Username" {{ end }}
-  transl_name: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Vor- und Nachname" {{ else }} "Full name" {{ end }}
-
-entries:
-######## Email Recovery Flow ########
-- identifiers:
-    slug: default-recovery-flow
-  id: recovery_flow
-  model: authentik_flows.flow
-  attrs:
-    name: Default recovery flow
-    title: !Context transl_recovery
-    designation: recovery
-
-### PROMPTS
-- identifiers:
-    field_key: password
-  id: prompt-field-password
-  model: authentik_stages_prompt.prompt
-  attrs:
-    label: !Context transl_password
-    type: password
-    required: true
-    placeholder: !Context transl_password
-    order: 30
-    placeholder_expression: false
-- identifiers:
-    field_key: password_repeat
-  id: prompt-field-password-repeat
-  model: authentik_stages_prompt.prompt
-  attrs:
-    label: !Context transl_password_repeat
-    type: password
-    required: true
-    placeholder: !Context transl_password_repeat
-    order: 31
-    placeholder_expression: false
-
-
-### STAGES
-- identifiers:
-    name: default-recovery-email
-  id: default-recovery-email
-  model: authentik_stages_email.emailstage
-  attrs:
-    use_global_settings: true
-    token_expiry: {{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }} 30 {{ else }} {{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }} {{ end }}
-    subject: {{ if eq (env "EMAIL_SUBJECT") "" }} "Account Recovery" {{ else }} "{{ env "EMAIL_SUBJECT" }}" {{ end }} 
-    template: email/password_reset.html
-    activate_user_on_success: true
-- identifiers:
-    name: default-recovery-user-write
-  id: default-recovery-user-write
-  model: authentik_stages_user_write.userwritestage
-- identifiers:
-    name: default-recovery-identification
-  id: default-recovery-identification
-  model: authentik_stages_identification.identificationstage
-  attrs:
-    user_fields:
-      - email
-      - username
-- identifiers:
-    name: default-recovery-user-login
-  id: default-recovery-user-login
-  model: authentik_stages_user_login.userloginstage
-  attrs:
-    session_duration: seconds=0
-- identifiers:
-    name: Change your password
-  id: stage-prompt-password
-  model: authentik_stages_prompt.promptstage
-  attrs:
-    fields:
-      - !KeyOf prompt-field-password
-      - !KeyOf prompt-field-password-repeat
-    validation_policies: []
-
-### STAGE BINDINGS
-- identifiers:
-    target: !KeyOf recovery_flow
-    stage: !KeyOf default-recovery-identification
-    order: 10
-  model: authentik_flows.flowstagebinding
-  id: flow-binding-identification
-  attrs:
-    evaluate_on_plan: true
-    re_evaluate_policies: true
-    policy_engine_mode: any
-    invalid_response_action: retry
-- identifiers:
-    target: !KeyOf recovery_flow
-    stage: !KeyOf default-recovery-email
-    order: 20
-  model: authentik_flows.flowstagebinding
-  id: flow-binding-email
-  attrs:
-    evaluate_on_plan: true
-    re_evaluate_policies: true
-    policy_engine_mode: any
-    invalid_response_action: retry
-- identifiers:
-    target: !KeyOf recovery_flow
-    stage: !KeyOf stage-prompt-password
-    order: 30
-  model: authentik_flows.flowstagebinding
-  attrs:
-    evaluate_on_plan: true
-    re_evaluate_policies: false
-    policy_engine_mode: any
-    invalid_response_action: retry
-- identifiers:
-    target: !KeyOf recovery_flow
-    stage: !KeyOf default-recovery-user-write
-    order: 40
-  model: authentik_flows.flowstagebinding
-  attrs:
-    evaluate_on_plan: true
-    re_evaluate_policies: false
-    policy_engine_mode: any
-    invalid_response_action: retry
-- identifiers:
-    target: !KeyOf recovery_flow
-    stage: !KeyOf default-recovery-user-login
-    order: 100
-  model: authentik_flows.flowstagebinding
-  attrs:
-    evaluate_on_plan: true
-    re_evaluate_policies: false
-    policy_engine_mode: any
-    invalid_response_action: retry
-
-### POLICIES
-## ISSUES with this policy
-## https://github.com/goauthentik/authentik/blob/493cdd5c0f8caaec7a7dd474f1aa131e32fd39c3/blueprints/example/flows-recovery-email-verification.yaml#L37
-## https://github.com/goauthentik/authentik/commit/317e9ec6053742e17ba74fb6aa38dc15aaf6657f#diff-a5c56bb7c60e27dda1b131b3fc2a17e3af6624e7cfaaa2337ec6b077ca489f34
-# - identifiers:
-#     name: default-recovery-skip-if-restored
-#   id: default-recovery-skip-if-restored
-#   model: authentik_policies_expression.expressionpolicy
-#   attrs:
-#     expression: |
-#       return request.context.get('is_restored', False)
-
-### POLICY BINDINGS
-# - identifiers:
-#     policy: !KeyOf default-recovery-skip-if-restored
-#     target: !KeyOf flow-binding-identification
-#     order: 0
-#   model: authentik_policies.policybinding
-#   attrs:
-#     negate: false
-#     enabled: true
-#     timeout: 30
-# - identifiers:
-#     policy: !KeyOf default-recovery-skip-if-restored
-#     target: !KeyOf flow-binding-email
-#     order: 0
-#   model: authentik_policies.policybinding
-#   attrs:
-#     negate: false
-#     enabled: true
-#     timeout: 30
-
-
-
-######## Authentication Flow ########
-- attrs:
-    designation: authentication
-    name: custom-authentication-flow
-    title: !Context welcome_message
-  identifiers:
-    slug: custom-authentication-flow
-  id: authentication_flow
-  model: authentik_flows.flow
-
-### STAGES
-- attrs:
-    backends:
-    - authentik.core.auth.InbuiltBackend
-    - authentik.sources.ldap.auth.LDAPBackend
-    - authentik.core.auth.TokenBackend
-    configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]
-  identifiers:
-    name: custom-authentication-password
-  id: custom-authentication-password
-  model: authentik_stages_password.passwordstage
-
-- identifiers:
-    name: custom-authentication-mfa-validation
-  id: custom-authentication-mfa-validation
-  model: authentik_stages_authenticator_validate.authenticatorvalidatestage
-
-- attrs:
-    password_stage: !KeyOf custom-authentication-password
-    recovery_flow: !KeyOf recovery_flow  # !Find [authentik_flows.flow, [slug, default-recovery-flow]]
-    user_fields:
-    - email
-    - username
-  identifiers:
-    name: custom-authentication-identification
-  id: custom-authentication-identification
-  model: authentik_stages_identification.identificationstage
-
-- attrs:
-    session_duration: seconds=0
-  identifiers:
-    name: custom-authentication-login
-  id: custom-authentication-login
-  model: authentik_stages_user_login.userloginstage
-
-### STAGE BINDINGS
-- identifiers:
-    order: 10
-    stage: !KeyOf custom-authentication-identification
-    target: !KeyOf authentication_flow
-  model: authentik_flows.flowstagebinding
-- identifiers:
-    order: 30
-    stage: !KeyOf custom-authentication-mfa-validation
-    target: !KeyOf authentication_flow
-  model: authentik_flows.flowstagebinding
-- identifiers:
-    order: 100
-    stage: !KeyOf custom-authentication-login
-    target: !KeyOf authentication_flow
-  model: authentik_flows.flowstagebinding
-
-######## Invitation Enrollment Flow ########
-- attrs:
-    designation: enrollment
-    name: invitation-enrollment-flow
-    title: !Context welcome_message
-  identifiers:
-    slug: invitation-enrollment-flow
-  id: invitation-enrollment-flow
-  model: authentik_flows.flow
-
-### PROMPTS
-- identifiers:
-    field_key: username
-  id: prompt-field-username
-  model: authentik_stages_prompt.prompt
-  attrs:
-    label: !Context transl_username
-    type: username
-    required: true
-    placeholder: !Context transl_username
-    order: 0
-    placeholder_expression: false
-- identifiers:
-    field_key: name
-  id: prompt-field-name
-  model: authentik_stages_prompt.prompt
-  attrs:
-    label: !Context transl_name
-    type: text
-    required: true
-    placeholder: !Context transl_name
-    order: 1
-    placeholder_expression: false
-- identifiers:
-    field_key: email
-    label: Email
-  id: prompt-field-email
-  model: authentik_stages_prompt.prompt
-  attrs:
-    type: email
-    required: true
-    placeholder: muster@example.com
-    order: 2
-    placeholder_expression: false
-
-### STAGES
-
-- id: invitation-stage
-  identifiers:
-    name: invitation-stage
-  model: authentik_stages_invitation.invitationstage
-
-- attrs:
-    fields:
-      - !KeyOf prompt-field-username
-      - !KeyOf prompt-field-name
-      - !KeyOf prompt-field-email
-      - !KeyOf prompt-field-password
-      - !KeyOf prompt-field-password-repeat
-  id: enrollment-prompt-userdata
-  identifiers:
-    name: enrollment-prompt-userdata
-  model: authentik_stages_prompt.promptstage
-
-- id: enrollment-user-write
-  identifiers:
-    name: enrollment-user-write
-  model: authentik_stages_user_write.userwritestage
-
-- attrs:
-    session_duration: seconds=0
-  id: enrollment-user-login
-  identifiers:
-    name: enrollment-user-login
-  model: authentik_stages_user_login.userloginstage
-
-### STAGE BINDINGS
-- identifiers:
-    order: 1
-    stage: !KeyOf invitation-stage
-    target: !KeyOf invitation-enrollment-flow
-  model: authentik_flows.flowstagebinding
-- identifiers:
-    order: 10
-    stage: !KeyOf enrollment-prompt-userdata
-    target: !KeyOf invitation-enrollment-flow
-  model: authentik_flows.flowstagebinding
-- identifiers:
-    order: 20
-    stage: !KeyOf enrollment-user-write
-    target: !KeyOf invitation-enrollment-flow
-  model: authentik_flows.flowstagebinding
-- identifiers:
-    order: 100
-    stage: !KeyOf enrollment-user-login
-    target: !KeyOf invitation-enrollment-flow
-  model: authentik_flows.flowstagebinding
-
-######## Invalidation Flow ########
-- identifiers:
-    slug: logout-flow
-  id: logout-flow
-  model: authentik_flows.flow
-  attrs:
-    name: Logout
-    title: Logout Flow
-    designation: invalidation
-
-### STAGES
-
-- id: logout-stage
-  identifiers:
-    name: logout-stage
-  model: authentik_stages_user_logout.userlogoutstage
-
-### STAGE BINDINGS
-
-- identifiers:
-    order: 0
-    stage: !KeyOf logout-stage
-    target: !KeyOf logout-flow
-  model: authentik_flows.flowstagebinding
-  attrs:
-    re_evaluate_policies: true
-  id: logout-stage-binding
-
-### POLICIES
-- attrs:
-    execution_logging: true
-    expression: 'context[''flow_plan''].context[''redirect''] = ''{{ env "LOGOUT_REDIRECT" }}''
-
-    return True'
-  identifiers:
-    name: redirect-policy
-  id: redirect-policy
-  model: authentik_policies_expression.expressionpolicy
-
-### POLICY BINDINGS
-- identifiers:
-    policy: !KeyOf redirect-policy
-    target: !KeyOf logout-stage-binding
-    order: 0
-  model: authentik_policies.policybinding
-  attrs:
-    enabled: {{ if eq (env "LOGOUT_REDIRECT") "" }} false {{ else }} true {{ end }}
-    timeout: 30
-
-######## System Tenant ##########
-- attrs:
-    attributes:
-      settings:
-        locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }}
-    # branding_favicon: /static/dist/assets/icons/icon.png
-    # branding_logo: /static/dist/assets/icons/icon_left_brand.svg
-    # branding_title: Authentik
-    # default: true
-    domain: {{ env "DOMAIN" }}
-    # event_retention: days=365
-    flow_authentication: !KeyOf authentication_flow
-    flow_recovery: !KeyOf recovery_flow
-    flow_invalidation: !KeyOf logout-flow
-    flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
-  identifiers:
-    pk: 047cce25-aae2-4b02-9f96-078e155f803d
-  id: system_tenant
-  model: authentik_tenants.tenant

entrypoint.postgres.sh.tmpl

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+set -e
+
+MIGRATION_MARKER=$PGDATA/migration_in_progress
+OLDDATA=$PGDATA/old_data
+NEWDATA=$PGDATA/new_data
+
+if [ -e $MIGRATION_MARKER ]; then
+  echo "FATAL: migration was started but did not complete in a previous run. manual recovery necessary"
+  exit 1
+fi
+
+if [ -f $PGDATA/PG_VERSION ]; then
+  DATA_VERSION=$(cat $PGDATA/PG_VERSION)
+
+  if [ -n "$DATA_VERSION" -a "$PG_MAJOR" != "$DATA_VERSION" ]; then
+    echo "postgres data version $DATA_VERSION found, but need $PG_MAJOR. Starting migration"
+    echo "Installing postgres $DATA_VERSION"
+    sed -i "s/$/ $DATA_VERSION/" /etc/apt/sources.list.d/pgdg.list
+    apt-get update && apt-get install -y --no-install-recommends \
+      postgresql-$DATA_VERSION \
+      && rm -rf /var/lib/apt/lists/*
+    echo "shuffling around"
+    chown -R postgres:postgres $PGDATA
+    gosu postgres mkdir $OLDDATA $NEWDATA
+    chmod 700 $OLDDATA $NEWDATA
+    mv $PGDATA/* $OLDDATA/ || true
+    touch $MIGRATION_MARKER
+    echo "running initdb"
+    # abuse entrypoint script for initdb by making server error out
+    gosu postgres bash -c "export PGDATA=$NEWDATA ; /usr/local/bin/docker-entrypoint.sh --invalid-arg || true"
+    echo "running pg_upgrade"
+    cd /tmp
+    gosu postgres pg_upgrade --link -b /usr/lib/postgresql/$DATA_VERSION/bin -d $OLDDATA -D $NEWDATA -U $POSTGRES_USER
+    cp $OLDDATA/pg_hba.conf $NEWDATA/
+    mv $NEWDATA/* $PGDATA
+    rm -rf $OLDDATA
+    rmdir $NEWDATA
+    rm $MIGRATION_MARKER
+    echo "migration complete"
+  fi
+fi
+
+/usr/local/bin/docker-entrypoint.sh postgres

flow_authentication.yaml.tmpl

@@ -37,7 +37,7 @@ entries:
     name: default-authentication-login
   model: authentik_stages_user_login.userloginstage
   attrs:
-    session_duration: seconds=0
+    session_duration: days=30
 
 # After the first run this will produce a RelatedObjectDoesNotExist error
 - identifiers:

flow_invitation.yaml.tmpl

@@ -24,6 +24,18 @@ entries:
   id: invitation-enrollment-flow
   model: authentik_flows.flow
 
+### POLICIES
+- attrs:
+    expression: |
+      if not regex_match(request.context.get('prompt_data').get('username'), '\s'):
+          return True
+      ak_message("Username must not contain any whitespace!")
+      return False
+  id: username-without-spaces-policy
+  identifiers:
+    name: username-without-spaces-policy
+  model: authentik_policies_expression.expressionpolicy
+
 ### STAGES
 - identifiers:
     name: invitation-stage
@@ -41,6 +53,8 @@ entries:
       - !Find [authentik_stages_prompt.prompt, [name, default-user-settings-field-email]]
       - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password]]
       - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password-repeat]]
+    validation_policies:
+      - !Find [ authentik_policies_expression.expressionpolicy, [name, username-without-spaces-policy]]
 
 ### STAGE BINDINGS
 - identifiers:

hedgedoc.yaml.tmpl

@@ -0,0 +1,45 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: hedgedoc
+
+entries:
+
+- attrs:
+    access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+    client_id: {{ secret  "hedgedoc_id" }}
+    client_secret: {{ secret  "hedgedoc_secret" }}
+    client_type: confidential
+    include_claims_in_id_token: true
+    issuer_mode: per_provider
+    name: Hedgedoc
+    property_mappings:
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sub_mode: hashed_user_id
+    token_validity: days=30
+  conditions: []
+  id: hedgedoc_provider
+  identifiers:
+    pk: 9992
+  model: authentik_providers_oauth2.oauth2provider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "HEDGEDOC_DOMAIN" }}
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf hedgedoc_provider
+    slug: hedgedoc
+  conditions: []
+  id: hedgedoc_application
+  identifiers:
+    name: Hedgedoc
+  model: authentik_core.application
+  state: present

icons/zammad.svg

@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg width="126px" height="108px" viewBox="0 0 42 36" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:sketch="http://www.bohemiancoding.com/sketch/ns">
+    <!-- Generator: Sketch 3.3.2 (12043) - http://www.bohemiancoding.com/sketch -->
+    <title>logo</title>
+    <desc>Created with Sketch.</desc>
+    <defs/>
+    <g id="Page-1" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd" sketch:type="MSPage">
+        <g id="logo" sketch:type="MSArtboardGroup">
+            <g sketch:type="MSLayerGroup" transform="translate(1.000000, 0.000000)" id="Shape">
+                <path d="M27.3375,12.6 L36.72,9.72 L31.1625,13.2525 L27.3375,12.6 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
+                <path d="M33.0525,19.62 L31.1625,13.2525 L36.72,9.72 L35.055,15.435 L33.0525,19.62 Z" fill="#E84F83" sketch:type="MSShapeGroup"/>
+                <path d="M39.465,7.9875 L38.43,9.72 L35.055,15.435 L36.72,9.72 L39.465,7.9875 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
+                <path d="M39.8025,9.1125 L37.1925,11.79 L38.43,9.72 L39.8025,9.1125 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
+                <path d="M27.9,10.8225 L35.5725,10.0575 L30.24,11.7 L27.9,10.8225 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
+                <path d="M28.1925,15.165 L31.1625,13.2525 L33.0525,19.62 L32.0625,21.645 L28.1925,15.165 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
+                <path d="M23.76,22.725 L22.3425,5.4 L32.0625,21.645 L23.76,22.725 Z" fill="#B7DFF2" sketch:type="MSShapeGroup"/>
+                <path d="M19.7325,27.1575 L23.76,22.725 L32.0625,21.645 L19.7325,27.1575 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
+                <path d="M0.1575,35.865 L19.7325,27.1575 L23.76,22.725 L17.37,22.0725 L0.1575,35.865 Z" fill="#FFCE33" sketch:type="MSShapeGroup"/>
+                <path d="M0.9,28.755 L10.9575,27.225 L14.085,24.705 L12.555,24.03 L0.9,28.755 Z" fill="#D6B12D" sketch:type="MSShapeGroup"/>
+                <path d="M4.5225,20.5425 L14.085,24.705 L17.37,22.0725 L4.5225,20.5425 Z" fill="#FFDE85" sketch:type="MSShapeGroup"/>
+                <path d="M21.6225,11.6775 L20.4075,11.88 L17.37,22.0725 L20.655,20.0025 L21.6225,11.6775 Z" fill="#009EC6" sketch:type="MSShapeGroup"/>
+                <path d="M23.4,18.2475 L20.655,20.0025 L22.3425,5.4 L23.4,18.2475 Z" fill="#5EAFCE" sketch:type="MSShapeGroup"/>
+                <path d="M13.0275,13.05 L21.6225,11.6775 L22.005,8.28 L13.0275,13.05 Z" fill="#045972" sketch:type="MSShapeGroup"/>
+                <path d="M12.105,5.085 L19.575,9.585 L22.005,8.28 L22.0725,7.8075 L12.105,5.085 Z" fill="#5A8591" sketch:type="MSShapeGroup"/>
+                <path d="M13.5675,0.18 L20.3625,7.335 L22.0725,7.8075 L22.3425,5.4 L13.5675,0.18 Z" fill="#009EC6" sketch:type="MSShapeGroup"/>
+                <path d="M17.37,22.0725 L23.4,18.2475 L23.76,22.725 L17.37,22.0725 Z" fill="#F39804" sketch:type="MSShapeGroup"/>
+            </g>
+        </g>
+    </g>
+</svg>

kimai.yaml.tmpl

@@ -0,0 +1,50 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: kimai
+
+entries:
+- attrs:
+    acs_url: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml/acs
+    assertion_valid_not_before: minutes=-5
+    assertion_valid_not_on_or_after: minutes=5
+    audience: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+    digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
+    issuer: https://{{ env  "DOMAIN" }}
+    name: Kimai
+    name_id_mapping: !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
+    property_mappings:
+    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Name"]]
+    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Email"]]
+    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: User ID"]]
+    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
+    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Groups"]]
+    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: UPN"]]
+    session_valid_not_on_or_after: minutes=86400
+    sign_assertion: true
+    signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
+    signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sp_binding: post
+  conditions: []
+  id: kimai_provider
+  identifiers:
+    pk: 9991
+  model: authentik_providers_saml.samlprovider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "KIMAI_DOMAIN" }}
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf kimai_provider
+    slug: kimai
+  conditions: []
+  id: kimai_application
+  identifiers:
+    name: Kimai
+  model: authentik_core.application
+  state: present

matrix.yaml.tmpl

@@ -8,7 +8,9 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "matrix_id" }}
     client_secret: {{ secret  "matrix_secret" }}
     client_type: confidential

monitoring.yaml.tmpl

@@ -8,7 +8,9 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "monitoring_id" }}
     client_secret: {{ secret  "monitoring_secret" }}
     client_type: confidential
@@ -25,7 +27,7 @@ entries:
   conditions: []
   id: monitoring_provider
   identifiers:
-    pk: 9994
+    pk: 9990
   model: authentik_providers_oauth2.oauth2provider
   state: present
 

nextcloud.yaml.tmpl

@@ -20,10 +20,15 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "nextcloud_id" }}
     client_secret: {{ secret  "nextcloud_secret" }}
     client_type: confidential
+    redirect_uris:
+    - url: https://{{ env  "NEXTCLOUD_DOMAIN" }}
+      matching_mode: strict
     include_claims_in_id_token: true
     issuer_mode: per_provider
     name: Nextcloud

outline.yaml.tmpl

@@ -0,0 +1,45 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: outline
+
+entries:
+
+- attrs:
+    access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+    client_id: {{ secret  "outline_id" }}
+    client_secret: {{ secret  "outline_secret" }}
+    client_type: confidential
+    include_claims_in_id_token: true
+    issuer_mode: per_provider
+    name: Outline
+    property_mappings:
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sub_mode: hashed_user_id
+    token_validity: days=30
+  conditions: []
+  id: outline_provider
+  identifiers:
+    pk: 9994
+  model: authentik_providers_oauth2.oauth2provider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "OUTLINE_DOMAIN" }}
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf outline_provider
+    slug: outline
+  conditions: []
+  id: outline_application
+  identifiers:
+    name: Outline
+  model: authentik_core.application
+  state: present

pg_backup.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+
+BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
+
+function backup {
+  export PGPASSWORD=$(cat /run/secrets/db_password)
+  pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
+}
+
+function restore {
+    cd /var/lib/postgresql/data/
+    restore_config(){
+        # Restore allowed connections
+        cat pg_hba.conf.bak > pg_hba.conf
+        su postgres -c 'pg_ctl reload'
+    }
+    # Don't allow any other connections than local
+    cp pg_hba.conf pg_hba.conf.bak
+    echo "local all all trust" > pg_hba.conf
+    su postgres -c 'pg_ctl reload'
+    trap restore_config EXIT INT TERM
+
+    # Recreate Database
+    psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);" 
+    createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
+    psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
+
+    trap - EXIT INT TERM
+    restore_config
+}
+
+$@

rallly.yaml.tmpl

@@ -0,0 +1,45 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: rallly
+
+entries:
+
+- attrs:
+    access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+    client_id: {{ secret  "rallly_id" }}
+    client_secret: {{ secret  "rallly_secret" }}
+    client_type: confidential
+    include_claims_in_id_token: true
+    issuer_mode: per_provider
+    name: Rallly
+    property_mappings:
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sub_mode: hashed_user_id
+    token_validity: days=30
+  conditions: []
+  id: rallly_provider
+  identifiers:
+    pk: 9993
+  model: authentik_providers_oauth2.oauth2provider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "RALLLY_DOMAIN" }}
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf rallly_provider
+    slug: rallly
+  conditions: []
+  id: rallly_application
+  identifiers:
+    name: Rallly
+  model: authentik_core.application
+  state: present

release/4.0.0+2023.10.5

@@ -0,0 +1 @@
+It is only possible to upgrade to 2023.10 from 2023.8, you need to update to 2023.8.x before applying this update

release/5.0.0+2024.2.2

@@ -0,0 +1 @@
+Blueprint changes are applied and automatic migrations should work, however, manual action may be required: https://docs.goauthentik.io/docs/releases/2024.2

release/5.1.0+2024.2.3

@@ -0,0 +1 @@
+Due to blueprint changes, you need to run the following command after upgrading: abra app cmd -C <Domain> worker apply_blueprints

release/6.0.0+2024.4.0

@@ -0,0 +1 @@
+Alerta! ⚠️ If you are using AUTHENTIK_COLOR_BACKGROUND_LIGHT, you will need to set COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"

release/6.1.0+2024.4.2

@@ -0,0 +1 @@
+Blueprint for Kimai SSO integration added

release/6.11.0+2024.10.5

@@ -0,0 +1 @@
+Fix Impersonate Bug

release/6.6.0+2024.8.2

@@ -0,0 +1 @@
+Replaced icon bbb.jpg with icon.png - configs need to be updated when upgrading!

release/6.7.0+2024.8.3

@@ -0,0 +1,3 @@
+Two critical vulnerabilities were closed:
+https://github.com/goauthentik/authentik/security/advisories/GHSA-7jxf-mmg9-9hg7
+https://github.com/goauthentik/authentik/security/advisories/GHSA-8gfm-pr6x-pfh9

system_brand.yaml.tmpl

@@ -2,13 +2,13 @@ version: 1
 metadata:
   labels:
     blueprints.goauthentik.io/instantiate: "true"
-  name: Custom System Tenant
+  name: Custom System brand
 entries:
 ### DEPENDENCIES
 - model: authentik_blueprints.metaapplyblueprint
   attrs:
     identifiers:
-      name: Default - Tenant
+      name: Default - Brand
     required: true
 - model: authentik_blueprints.metaapplyblueprint
   attrs:
@@ -17,19 +17,22 @@ entries:
     required: true
 
 
-### SYSTEM TENANT
-# remove custom tenant from old recipe
+### SYSTEM BRAND
+# remove custom brand from old recipe
 - identifiers:
     domain: {{ env "DOMAIN" }}
-  model: authentik_tenants.tenant
+  model: authentik_brands.brand
   state: absent
 
 - attrs:
     attributes:
       settings:
-        locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }}
+        locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }} {{ if ne (env "THEME_BACKGROUND") "" }}
+        theme:
+          background: >
+            background: {{ env "THEME_BACKGROUND" }} {{ end }}
     flow_recovery: !Find [authentik_flows.flow, [slug,  default-recovery-flow]]
   identifiers:
     default: true
     domain: authentik-default
-  model: authentik_tenants.tenant
+  model: authentik_brands.brand

vikunja.yaml.tmpl

@@ -8,7 +8,9 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "vikunja_id" }}
     client_secret: {{ secret  "vikunja_secret" }}
     client_type: confidential

wekan.yaml.tmpl

@@ -25,7 +25,9 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "wekan_id" }}
     client_secret: {{ secret  "wekan_secret" }}
     client_type: confidential

wordpress.yaml.tmpl

@@ -8,7 +8,9 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "wordpress_id" }}
     client_secret: {{ secret  "wordpress_secret" }}
     client_type: confidential

zammad.yaml.tmpl

@@ -0,0 +1,69 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: zammad
+
+entries:
+- attrs:
+    expression: return request.user.name
+    managed: null
+    name: 'Zammad SAML Mapping: name'
+    saml_name: name
+  conditions: []
+  identifiers:
+    name: zammad_name_mapping
+  id: zammad_name_mapping
+  model: authentik_providers_saml.samlpropertymapping
+  state: present
+
+- attrs:
+    expression: return request.user.email
+    managed: null
+    name: 'Zammad SAML Mapping: email'
+    saml_name: email
+  conditions: []
+  identifiers:
+    name: zammad_email_mapping
+  id: zammad_email_mapping
+  model: authentik_providers_saml.samlpropertymapping
+  state: present
+
+- attrs:
+    acs_url: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/callback
+    assertion_valid_not_before: minutes=-5
+    assertion_valid_not_on_or_after: minutes=5
+    audience: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/metadata
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+    digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
+    issuer: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/metadata
+    name: zammad
+    property_mappings:
+    - !KeyOf zammad_name_mapping
+    - !KeyOf zammad_email_mapping
+    session_valid_not_on_or_after: minutes=86400
+    sign_assertion: true
+    signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
+    signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sp_binding: post
+  conditions: []
+  id: zammad_provider
+  identifiers:
+    pk: 9989
+  model: authentik_providers_saml.samlprovider
+  state: present
+
+- attrs:
+    meta_launch_url: ""
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf zammad_provider
+    slug: zammad
+  conditions: []
+  id: zammad_application
+  identifiers:
+    name: Zammad
+  model: authentik_core.application
+  state: present