chore: publish 9.0.1+2025.8.1 release

Reviewed-on: coop-cloud/authentik#15
Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>

.env.sample

@@ -9,9 +9,14 @@ ENABLE_BACKUPS=true
 DOMAIN=authentik.example.com
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.authentik.example.com`'
+# Redirects
+# All redirect domains have to be added to extra_domains as well)
+# multiple redirects can be added by seperating them with a | character
+#REDIRECTS=www.authentik.example.com
 COMPOSE_FILE="compose.yml"
 AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME=false
 AUTHENTIK_LOG_LEVEL=info
+# AUTHENTIK_DISABLE_UPDATE_CHECK=false
 # AUTHENTIK_IMPERSONATION=true
 # AUTHENTIK_FOOTER_LINKS='[{"name": "My Organization","href":"https://example.com"}]'
 # WORKERS=1
@@ -64,11 +69,22 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 # BACKGROUND_BOX_COLOR='#eaeaeacf'
 # THEME_BACKGROUND="url('https://authentik.example.com/static/dist/assets/images/flow_background.jpg'); background-position: center; background-repeat: no-repeat; background-size: cover;"
 
+# Group Name Variables to cluster Applications
+# GROUP_SUPPORT=Support
+# GROUP_HELP=Help
+# GROUP_ORGANISATION=Organisation
+# GROUP_COMMUNICATION=Communication
+# GROUP_COLLABORATION=Collaboration
+# GROUP_DOCUMENTATION=Documentation
+# GROUP_DEVELOPMENT=Development
+# GROUP_INFRASTRUCTURE=Infrastructure
+
 # COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
 # NEXTCLOUD_DOMAIN=nextcloud.example.com
 # SECRET_NEXTCLOUD_ID_VERSION=v1
 # SECRET_NEXTCLOUD_SECRET_VERSION=v1
 # APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"
+# NEXTCLOUD_APPGROUP="$GROUP_ORGANISATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.wordpress.yml"
 # WORDPRESS_DOMAIN=wordpress.example.com
@@ -76,6 +92,7 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 # SECRET_WORDPRESS_ID_VERSION=v1
 # SECRET_WORDPRESS_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS wordpress:~/.abra/recipes/authentik/icons/wordpress.png"
+# WORDPRESS_APPGROUP="$GROUP_DEVELOPMENT"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
 # ELEMENT_DOMAIN=element-web.example.com
@@ -83,52 +100,61 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 # SECRET_MATRIX_ID_VERSION=v1
 # SECRET_MATRIX_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS matrix:~/.abra/recipes/authentik/icons/matrix.svg"
+# MATRIX_APPGROUP="$GROUP_COMMUNICATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.wekan.yml"
 # WEKAN_DOMAIN=wekan.example.com
 # SECRET_WEKAN_ID_VERSION=v1
 # SECRET_WEKAN_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS wekan:~/.abra/recipes/authentik/icons/wekan.png"
+# WEKAN_APPGROUP="$GROUP_ORGANISATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.vikunja.yml"
 # VIKUNJA_DOMAIN=vikunja.example.com
 # SECRET_VIKUNJA_ID_VERSION=v1
 # SECRET_VIKUNJA_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS vikunja:~/.abra/recipes/authentik/icons/vikunja.svg"
+# VIKUNJA_APPGROUP="$GROUP_ORGANISATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.outline.yml"
 # OUTLINE_DOMAIN=outline.example.com
 # SECRET_OUTLINE_ID_VERSION=v1
 # SECRET_OUTLINE_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS outline:~/.abra/recipes/authentik/icons/outline.png"
+# OUTLINE_APPGROUP="$GROUP_DOCUMENTATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.kimai.yml"
 # KIMAI_DOMAIN=kimai.example.com
 # SECRET_KIMAI_ID_VERSION=v1
 # SECRET_KIMAI_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS kimai:~/.abra/recipes/authentik/icons/kimai_logo.png"
+# KIMAI_APPGROUP="$GROUP_ORGANISATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.zammad.yml"
 # ZAMMAD_DOMAIN=zammad.example.com
 # APP_ICONS="$APP_ICONS zammad:~/.abra/recipes/authentik/icons/zammad.svg"
+# ZAMMAD_APPGROUP="$GROUP_SUPPORT"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml"
 # MONITORING_DOMAIN=monitoring.example.com
 # SECRET_MONITORING_ID_VERSION=v1
 # SECRET_MONITORING_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.svg"
+# MONITORING_APPGROUP="$GROUP_INFRASTRUCTURE"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.rallly.yml"
 # RALLLY_DOMAIN=rallly.example.com
 # SECRET_RALLLY_ID_VERSION=v1
 # SECRET_RALLLY_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS rallly:~/.abra/recipes/authentik/icons/rallly.png"
+# RALLLY_APPGROUP="$GROUP_ORGANISATION"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.hedgedoc.yml"
 # HEDGEDOC_DOMAIN=hedgedoc.example.com
 # SECRET_HEDGEDOC_ID_VERSION=v1
 # SECRET_HEDGEDOC_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS hedgedoc:~/.abra/recipes/authentik/icons/hedgedoc.png"
+# HEDGEDOC_APPGROUP="$GROUP_DOCUMENTATION"
 
-# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/", "Pretix": "https://pretix.example.com/control/"}'
+# APPLICATIONS='{"Calendar": {"url":"https://nextcloud.example.com/apps/calendar/", "group": ""}, "BBB": {"url":"https://nextcloud.example.com/apps/bbb/", "group":""}, "Pretix": {"url":"https://pretix.example.com/control/", "group":""}}'
 # EXTRA_ICONS={"Calendar": "~/.abra/recipes/authentik/icons/calendar.svg", "BBB": "~/.abra/recipes/authentik/icons/bbb.png", "Pretix": "~/.abra/recipes/authentik/icons/pretix.svg"}

README.md

@@ -52,6 +52,16 @@ APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"
 
 Set the nextcloud Icon using `abra app cmd -l -d <app_name> set_icons`
 
+Generate OAuth client id and secret using `abra app secret generate <app_name> -a` (all secrets) or individually:
+- `abra app secret generate <app_name> nextcloud_id`
+- `abra app secret generate <app_name> nextcloud_secret`
+
+Add the id and secret to nextcloud as secrets with:
+- `abra app secret insert <nextcloud_app_name> authentik_id v1 <id>`
+- `abra app secret insert <nextcloud_app_name> authentik_secret v1 <secret>`
+
+Redeploy Authentik to enable the nextcloud client.
+
 The configuration inside Nextcloud can be found in the [nextcloud recipe](https://git.coopcloud.tech/coop-cloud/nextcloud#authentik-integration)
 
 ## Add LDAP outpost
@@ -95,6 +105,25 @@ Run this command after every deploy/upgrade:
 
 `abra app command --local <app-name> customize <assets_path>`
 
+## Custom CSS
+
+Uncomment the following env:
+
+```
+COMPOSE_FILE="$COMPOSE_FILE:compose.css-volume.yml"
+```
+
+Redeploy the app:
+```
+abra app deploy -f <app_name>
+```
+
+Copy the CSS and restart the container:
+```
+abra app cp <app_name> my_custom.css app:/web/dist/assets/custom.css
+abra app restart <app_name> app
+```
+
 ## Email templates
 
 Add custom [email templates](https://goauthentik.io/docs/flow/stages/email/#custom-templates):
@@ -105,15 +134,15 @@ Add custom [email templates](https://goauthentik.io/docs/flow/stages/email/#cust
 
 These blueprints overwrite default blueprint values:
 
-- flow_translation.yaml
-- flow_authentication.yaml
+- `flow_translation.yaml`
+- `flow_authentication.yaml`
 
 The following default blueprints will be overwritten by customizations:
 
-- flow-password-change.yaml
-- flow-default-authentication-flow.yaml
-- flow-default-user-settings-flow.yaml
-- flow-default-source-enrollment.yaml
+- `flow-password-change.yaml`
+- `flow-default-authentication-flow.yaml`
+- `flow-default-user-settings-flow.yaml`
+- `flow-default-source-enrollment.yaml`
 
 The `abra.sh` function `apply_blueprints` needs to be executed to deactivate these blueprints to ensure that the customizations won't be overwritten. It will further execute flow_translation.yaml and flow_authentication.yaml again.
 

abra.sh

@@ -2,7 +2,7 @@ export CUSTOM_CSS_VERSION=v3
 export FLOW_AUTHENTICATION_VERSION=v4
 export FLOW_INVITATION_VERSION=v2
 export FLOW_INVALIDATION_VERSION=v2
-export FLOW_RECOVERY_VERSION=v1
+export FLOW_RECOVERY_VERSION=v2
 export FLOW_TRANSLATION_VERSION=v3
 export SYSTEM_BRAND_VERSION=v4
 export NEXTCLOUD_CONFIG_VERSION=v3
@@ -21,43 +21,40 @@ export PG_BACKUP_VERSION=v2
 export ENTRYPOINT_CSS_VERSION=v1
 
 customize() {
-    if [ -z "$1" ]
-    then
-            echo "Usage: ... customize <assets_path>"
-            exit 1
-    fi
-    asset_dir=$1
-    for asset in $COPY_ASSETS; do
-        source=$(echo $asset | cut -d "|" -f1)
-        target=$(echo $asset | cut -d "|" -f2)
-        echo copy $source to $target
-        abra app cp $APP_NAME $asset_dir/$source $target
-    done
+  if [ -z "$1" ]; then
+    echo "Usage: ... customize <assets_path>"
+    exit 1
+  fi
+  asset_dir=$1
+  for asset in $COPY_ASSETS; do
+    source=$(echo $asset | cut -d "|" -f1)
+    target=$(echo $asset | cut -d "|" -f2)
+    echo copy $source to $target
+    abra app cp $APP_NAME $asset_dir/$source $target
+  done
 }
 
-shell(){
-    if [ -z "$1" ]
-    then
-            echo "Usage: ... shell <python code>"
-            exit 1
-    fi
-    ak shell -c "$1" 2>&1 | quieten
+shell() {
+  if [ -z "$1" ]; then
+    echo "Usage: ... shell <python code>"
+    exit 1
+  fi
+  ak shell -c "$1" 2>&1 | quieten
 }
 
 import_user() {
-    if [ -z "$1" ]
-    then
-            echo "Usage: ... import_user <users.csv>"
-            exit 1
-    fi
-    source_file=$1
-    filename=$(basename $source_file)
-    abra app cp $APP_NAME $source_file worker:/tmp/
-    abra app cmd -T $APP_NAME worker _import_user $filename
+  if [ -z "$1" ]; then
+    echo "Usage: ... import_user <users.csv>"
+    exit 1
+  fi
+  source_file=$1
+  filename=$(basename $source_file)
+  abra app cp $APP_NAME $source_file worker:/tmp/
+  abra app cmd -T $APP_NAME worker _import_user $filename
 }
 
 _import_user() {
-/manage.py shell -c """
+  /manage.py shell -c """
 import csv
 new_user = User()
 with open('/tmp/$1', newline='') as file:
@@ -85,9 +82,9 @@ with open('/tmp/$1', newline='') as file:
 }
 
 set_admin_pass() {
-password=$(cat /run/secrets/admin_pass)
-token=$(cat /run/secrets/admin_token)
-/manage.py shell -c """
+  password=$(cat /run/secrets/admin_pass)
+  token=$(cat /run/secrets/admin_token)
+  /manage.py shell -c """
 import time
 i = 0
 while (not User.objects.filter(username='akadmin')):
@@ -122,45 +119,45 @@ else:
 }
 
 rotate_db_pass() {
-    db_password=$(cat /run/secrets/db_password)
-    psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
+  db_password=$(cat /run/secrets/db_password)
+  psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
 }
 
 # This function is for blueprints that are overwriting custom blueprints
 # It deactivates the affected custom blueprints to avoid changes to be reverted
 apply_blueprints() {
-    update_and_disable_blueprint default/flow-password-change.yaml
-    update_and_disable_blueprint default/flow-default-authentication-flow.yaml
-    update_and_disable_blueprint default/flow-default-user-settings-flow.yaml
-    update_and_disable_blueprint default/flow-default-source-enrollment.yaml
-    
-    apply_blueprint 3_flow_translation.yaml
-    apply_blueprint 2_flow_authentication.yaml
+  update_and_disable_blueprint default/flow-password-change.yaml
+  update_and_disable_blueprint default/flow-default-authentication-flow.yaml
+  update_and_disable_blueprint default/flow-default-user-settings-flow.yaml
+  update_and_disable_blueprint default/flow-default-source-enrollment.yaml
+
+  apply_blueprint 3_flow_translation.yaml
+  apply_blueprint 2_flow_authentication.yaml
 }
 
 update_and_disable_blueprint() {
-    enable_blueprint $@ 2>&1 | quieten
-    sleep 1
-    apply_blueprint $@
-    sleep 1
-    disable_blueprint $@ 2>&1 | quieten
+  enable_blueprint $@ 2>&1 | quieten
+  sleep 1
+  apply_blueprint $@
+  sleep 1
+  disable_blueprint $@ 2>&1 | quieten
 }
 
 disable_blueprint() {
-    blueprint_state False $@
+  blueprint_state False $@
 }
 
 enable_blueprint() {
-    blueprint_state True $@
+  blueprint_state True $@
 }
 
 apply_blueprint() {
-    echo apply blueprint $@
-    ak apply_blueprint $@ 2>&1 | quieten
+  echo apply blueprint $@
+  ak apply_blueprint $@ 2>&1 | quieten
 }
 
 blueprint_state() {
-/manage.py shell -c """
+  /manage.py shell -c """
 import time
 blueprint_state=$1
 blueprint_path='$2'
@@ -177,75 +174,95 @@ print(f'{blueprint.name} enabled: {blueprint.enabled}')
 
 }
 
-add_applications(){
-export APPLICATIONS
-/manage.py shell -c """
+# This function adds each application with its name, slug and group if passed
+add_applications() {
+  export APPLICATIONS
+  /manage.py shell -c """
 import json
 import os
 if os.environ['APPLICATIONS'] == '':
     exit()
 applications = json.loads(os.environ['APPLICATIONS'])
-for name, url in applications.items():
-    print(f'Add {name}: {url}')
+for name, details in applications.items():
+    url = details['url']
     app = Application.objects.filter(name=name).first()
     if not app:
         app = Application()
     app.name = name
     app.slug = name.replace(' ', '-')
     app.meta_launch_url = url
+    group = details['group']
+    if group:
+        app.group = group
+        print(f'Add {name}: {url} in group: {group}')
+    else:
+        print(f'Add {name}: {url}')
     app.open_in_new_tab = True
     app.save()
 """ 2>&1 | quieten
 }
 
+## This function is for renaming apps - usage: rename "old name" "new name"
+rename() {
+  /manage.py shell -c """
+old_name = '$1'
+new_name = '$2' if '$2' else old_name
 
-quieten(){
-    # 'SyntaxWarning|version_regex|"http\['
-    # is a workaround to get rid of some verbose syntax warnings, this might be fixed with another version
-    grep -Pv '"level": "(info|debug)"|SyntaxWarning|version_regex|"http\[|RuntimeWarning:'
+app = Application.objects.filter(name=old_name).first()
+if app:
+    app.name = new_name
+    app.save()
+    print(f'Renamed application from {old_name} to {new_name}')
+else:
+    print(f'No application found with name: {old_name}')
+""" 2>&1 | quieten
 }
 
-add_email_templates(){
-for file_path in "$@"; do
+quieten() {
+  # 'SyntaxWarning|version_regex|"http\['
+  # is a workaround to get rid of some verbose syntax warnings, this might be fixed with another version
+  grep -Pv '"level": "(info|debug)"|SyntaxWarning|version_regex|"http\[|RuntimeWarning:'
+}
+
+add_email_templates() {
+  for file_path in "$@"; do
     echo copy template $file_path
     abra app cp $APP_NAME $file_path app:/templates/
-done
+  done
 }
 
-set_icons(){
-if [ -n "$1" ]
-then
-APP_ICONS="$1"
-fi
-for icon in $APP_ICONS; do
+set_icons() {
+  if [ -n "$1" ]; then
+    APP_ICONS="$1"
+  fi
+  for icon in $APP_ICONS; do
     app=$(echo $icon | cut -d ":" -f1)
     file_path=$(eval echo $(echo $icon | cut -d ":" -f2))
     file=$(basename $file_path)
     echo copy icon $file_path for $app
     abra app cp $APP_NAME $file_path app:/media/
     abra app cmd -T $APP_NAME app set_app_icon $app /media/$file
-done
+  done
 }
 
-set_extra_icons(){
-    if [ -z "$EXTRA_ICONS" ]
-    then
-        echo "Variable EXTRA_ICONS is not set"
-        exit 1
-    fi
-    export EXTRA_ICONS
-    icon_key_values=$(python3 -c "
+set_extra_icons() {
+  if [ -z "$EXTRA_ICONS" ]; then
+    echo "Variable EXTRA_ICONS is not set"
+    exit 1
+  fi
+  export EXTRA_ICONS
+  icon_key_values=$(python3 -c "
 import json
 import os
 for key, value in json.loads(os.environ['EXTRA_ICONS']).items():
     print(f'{key}:{value}')
 ")
-    set_icons "$icon_key_values"
+  set_icons "$icon_key_values"
 }
 
 set_app_icon() {
-TOKEN=$(cat /run/secrets/admin_token)
-python -c """
+  TOKEN=$(cat /run/secrets/admin_token)
+  python -c """
 import requests
 import os
 my_token = '$TOKEN'
@@ -264,18 +281,18 @@ with open(icon_path, 'rb') as img:
 }
 
 blueprint_cleanup() {
-/manage.py shell -c """
+  /manage.py shell -c """
 delete_flows = ['default-recovery-flow' , 'custom-authentication-flow' , 'invitation-enrollment-flow' , 'initial-setup']
 Flow.objects.filter(slug__in=delete_flows).delete()
 Stage.objects.filter(flow=None).delete()
 Prompt.objects.filter(promptstage=None).delete()
 Brand.objects.filter(default=True).delete()
 """ 2>&1 | quieten
-apply_blueprints
+  apply_blueprints
 }
 
 get_certificate() {
-/manage.py shell -c """
+  /manage.py shell -c """
 provider_name='$1'
 if not provider_name:
     print('no Provider Name given')
@@ -288,7 +305,14 @@ print(''.join(cert.certificate_data.splitlines()[1:-1]))
 }
 
 get_user_uid() {
-/manage.py shell -c """
+  /manage.py shell -c """
 print(User.objects.filter(username='$1').first().uid)
 """ 2>&1 | quieten
 }
+
+fix_collation_mismatch() {
+  psql -U ${POSTGRES_USER} -d authentik -c "ALTER DATABASE authentik REFRESH COLLATION VERSION;"
+  psql -U ${POSTGRES_USER} -d authentik -c "REINDEX DATABASE authentik;"
+  psql -U ${POSTGRES_USER} -d postgres -c "ALTER DATABASE postgres REFRESH COLLATION VERSION;"
+  psql -U ${POSTGRES_USER} -d postgres -c "REINDEX DATABASE postgres;"
+}

compose.matrix.yml

@@ -3,7 +3,7 @@ services:
   app:
     deploy:
       labels:
-        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect-matrix-well-known"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions,${STACK_NAME}-redirect,${STACK_NAME}-redirect-matrix-well-known"
         - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.regex=^https://(.*)/.well-known/matrix/(.*)"
         - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.replacement=https://${MATRIX_DOMAIN}/.well-known/matrix/$$2"
   worker:

compose.outposts.ldap.yml

@@ -1,7 +1,7 @@
 version: "3.8"
 services:
   authentik_ldap:
-      image: ghcr.io/goauthentik/ldap:2025.2.0
+      image: ghcr.io/goauthentik/ldap:2025.8.1
       # Optionally specify which networks the container should be
       # might be needed to reach the core authentik server
       networks:

compose.yml

@@ -17,6 +17,7 @@ x-env: &env
     - AUTHENTIK_EMAIL__TIMEOUT
     - AUTHENTIK_EMAIL__FROM
     - AUTHENTIK_LOG_LEVEL
+    - AUTHENTIK_DISABLE_UPDATE_CHECK
     - BACKGROUND_FONT_COLOR=${BACKGROUND_FONT_COLOR:-white}
     - BACKGROUND_BOX_COLOR=${BACKGROUND_BOX_COLOR:-#eaeaeacf}
     - AUTHENTIK_FOOTER_LINKS
@@ -34,7 +35,7 @@ x-env: &env
 version: '3.8'
 services:
   app:
-    image: ghcr.io/goauthentik/server:2025.2.0
+    image: ghcr.io/goauthentik/server:2025.8.1
     command: server
     depends_on:
       - db
@@ -67,16 +68,17 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions,${STACK_NAME}-redirect"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=7.0.0+2025.2.0"
+        - "coop-cloud.${STACK_NAME}.version=9.0.1+2025.8.1"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.regex=^https://(${REDIRECTS})/(.*)"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.replacement=https://${DOMAIN}/$${2}"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.permanent=true"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
 
   worker:
-    image: ghcr.io/goauthentik/server:2025.2.0
+    image: ghcr.io/goauthentik/server:2025.8.1
     command: worker
     depends_on:
       - db
@@ -117,7 +119,7 @@ services:
       start_period: 5m
 
   db:
-    image: postgres:15.12
+    image: postgres:15.13
     secrets:
       - db_password
     configs:
@@ -152,7 +154,7 @@ services:
           backupbot.restore.post-hook: '/pg_backup.sh restore'
 
   redis:
-    image:  redis:7.4.2-alpine
+    image:  redis:8.2.1-alpine
     command: --save 60 1 --loglevel warning
     networks:
       - internal

flow_recovery.yaml.tmpl

@@ -4,7 +4,7 @@ metadata:
     blueprints.goauthentik.io/instantiate: "true"
   name: Recovery with email verification
 context:
-  token_expiry: {{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }} 30 {{ else }} {{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }} {{ end }}
+  token_expiry: minutes={{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }}30{{ else }}{{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }}{{ end }}
   subject: {{ if eq (env "EMAIL_SUBJECT") "" }} Account Recovery {{ else }} {{ env "EMAIL_SUBJECT" }} {{ end }} 
 entries:
 ### DEPENDENCIES

icons/help.svg

@@ -1,8 +1,10 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
-<svg width="800px" height="800px" viewBox="0 0 48 48" fill="none" xmlns="http://www.w3.org/2000/svg">
-<rect width="48" height="48" fill="white" fill-opacity="0.01"/>
-<path d="M24 44C29.5228 44 34.5228 41.7614 38.1421 38.1421C41.7614 34.5228 44 29.5228 44 24C44 18.4772 41.7614 13.4772 38.1421 9.85786C34.5228 6.23858 29.5228 4 24 4C18.4772 4 13.4772 6.23858 9.85786 9.85786C6.23858 13.4772 4 18.4772 4 24C4 29.5228 6.23858 34.5228 9.85786 38.1421C13.4772 41.7614 18.4772 44 24 44Z" fill="#2F88FF" stroke="#000000" stroke-width="4" stroke-linejoin="round"/>
-<path d="M24 28.6249V24.6249C27.3137 24.6249 30 21.9386 30 18.6249C30 15.3112 27.3137 12.6249 24 12.6249C20.6863 12.6249 18 15.3112 18 18.6249" stroke="white" stroke-width="4" stroke-linecap="round" stroke-linejoin="round"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M24 37.6249C25.3807 37.6249 26.5 36.5056 26.5 35.1249C26.5 33.7442 25.3807 32.6249 24 32.6249C22.6193 32.6249 21.5 33.7442 21.5 35.1249C21.5 36.5056 22.6193 37.6249 24 37.6249Z" fill="white"/>
-</svg>
+<svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_1735_3439)">
+<path d="M12 18.0093V12.7593M12 12.7593C12.5179 12.7593 13.0206 12.6937 13.5 12.5703M12 12.7593C11.4821 12.7593 10.9794 12.6937 10.5 12.5703M14.25 20.0487C13.5212 20.187 12.769 20.2593 12 20.2593C11.231 20.2593 10.4788 20.187 9.75 20.0487M13.5 22.4313C13.007 22.4828 12.5066 22.5093 12 22.5093C11.4934 22.5093 10.993 22.4828 10.5 22.4313M14.25 18.0093V17.8176C14.25 16.8347 14.9083 15.9943 15.7585 15.501C17.9955 14.203 19.5 11.7818 19.5 9.00928C19.5 4.86714 16.1421 1.50928 12 1.50928C7.85786 1.50928 4.5 4.86714 4.5 9.00928C4.5 11.7818 6.00446 14.203 8.24155 15.501C9.09173 15.9943 9.75 16.8347 9.75 17.8176V18.0093" stroke="#0F172A" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
+</g>
+<defs>
+<clipPath id="clip0_1735_3439">
+<rect width="24" height="24" fill="white" transform="translate(0 0.00927734)"/>
+</clipPath>
+</defs>
+</svg>

icons/support.svg

@@ -1,12 +1,3 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
-<svg width="800px" height="800px" viewBox="0 0 512 512" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
-    <title>support</title>
-    <g id="Page-1" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
-        <g id="support" fill="#000000" transform="translate(42.666667, 42.666667)">
-            <path d="M379.734355,174.506667 C373.121022,106.666667 333.014355,-2.13162821e-14 209.067688,-2.13162821e-14 C85.1210217,-2.13162821e-14 45.014355,106.666667 38.4010217,174.506667 C15.2012632,183.311569 -0.101643453,205.585799 0.000508304259,230.4 L0.000508304259,260.266667 C0.000508304259,293.256475 26.7445463,320 59.734355,320 C92.7241638,320 119.467688,293.256475 119.467688,260.266667 L119.467688,230.4 C119.360431,206.121456 104.619564,184.304973 82.134355,175.146667 C86.4010217,135.893333 107.307688,42.6666667 209.067688,42.6666667 C310.827688,42.6666667 331.521022,135.893333 335.787688,175.146667 C313.347976,184.324806 298.68156,206.155851 298.667688,230.4 L298.667688,260.266667 C298.760356,283.199651 311.928618,304.070103 332.587688,314.026667 C323.627688,330.88 300.801022,353.706667 244.694355,360.533333 C233.478863,343.50282 211.780225,336.789048 192.906491,344.509658 C174.032757,352.230268 163.260418,372.226826 167.196286,392.235189 C171.132153,412.243552 188.675885,426.666667 209.067688,426.666667 C225.181549,426.577424 239.870491,417.417465 247.041022,402.986667 C338.561022,392.533333 367.787688,345.386667 376.961022,317.653333 C401.778455,309.61433 418.468885,286.351502 418.134355,260.266667 L418.134355,230.4 C418.23702,205.585799 402.934114,183.311569 379.734355,174.506667 Z M76.8010217,260.266667 C76.8010217,269.692326 69.1600148,277.333333 59.734355,277.333333 C50.3086953,277.333333 42.6676884,269.692326 42.6676884,260.266667 L42.6676884,230.4 C42.6676884,224.302667 45.9205765,218.668499 51.2010216,215.619833 C56.4814667,212.571166 62.9872434,212.571166 68.2676885,215.619833 C73.5481336,218.668499 76.8010217,224.302667 76.8010217,230.4 L76.8010217,260.266667 Z M341.334355,230.4 C341.334355,220.97434 348.975362,213.333333 358.401022,213.333333 C367.826681,213.333333 375.467688,220.97434 375.467688,230.4 L375.467688,260.266667 C375.467688,269.692326 367.826681,277.333333 358.401022,277.333333 C348.975362,277.333333 341.334355,269.692326 341.334355,260.266667 L341.334355,230.4 Z">
-
-</path>
-        </g>
-    </g>
-</svg>
+<svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M9.87891 7.51884C11.0505 6.49372 12.95 6.49372 14.1215 7.51884C15.2931 8.54397 15.2931 10.206 14.1215 11.2312C13.9176 11.4096 13.6917 11.5569 13.4513 11.6733C12.7056 12.0341 12.0002 12.6716 12.0002 13.5V14.25M21 12C21 16.9706 16.9706 21 12 21C7.02944 21 3 16.9706 3 12C3 7.02944 7.02944 3 12 3C16.9706 3 21 7.02944 21 12ZM12 17.25H12.0075V17.2575H12V17.25Z" stroke="#0F172A" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
+</svg>

release/7.4.0+2025.6.3

@@ -0,0 +1,3 @@
+Adds following new envs: 
+  REDIRECTS
+  AUTHENTIK_DISABLE_UPDATE_CHECK

release/9.0.0+2025.8.1

@@ -0,0 +1,4 @@
+Update of config neccessary!
+Changed structure of APPLICATION env to:
+    appname: {"url":"http...", "group":"groupname"}
+Adds various new group envs to support application grouping