Add Authentik blueprints for automated OAuth2/OIDC setup

Automate the manual Authentik configuration process using native YAML blueprints
that are applied on container startup.

Changes:
- Add kaboot-setup.yaml blueprint for local development
- Add kaboot-setup-production.yaml.example for production with configurable domains
- Update docker-compose.yml and docker-compose.prod.yml to mount blueprints
- Add AUTHENTIK_BOOTSTRAP_PASSWORD/TOKEN env vars for automated admin setup
- Update setup.sh to generate bootstrap credentials and display admin password
- Update Caddyfile.example with proper proxy headers for Authentik
- Add Caddyfile to .gitignore (user-specific config)
- Update docs with Quick Start sections for automated setup

The blueprints create:
- OAuth2/OIDC provider (public client, client_id: kaboot-spa)
- Kaboot application with redirect URIs
- kaboot-users group with application binding
- Enrollment flow with sign-up capability
- Password complexity policy
- Test user and service account (passwords set manually)

authentik/blueprints/kaboot-setup-production.yaml.example

@@ -0,0 +1,216 @@
+# Kaboot Authentik Blueprint - PRODUCTION
+# Copy this file to kaboot-setup-production.yaml and update the domain.
+#
+# IMPORTANT: Remove or rename kaboot-setup.yaml when using this file
+#            to avoid conflicting configurations.
+#
+# Prerequisites:
+#   - Set AUTHENTIK_BOOTSTRAP_PASSWORD and AUTHENTIK_BOOTSTRAP_TOKEN in .env
+#   - Mount this directory to /blueprints/custom in docker-compose.yml
+#   - Update KABOOT_DOMAIN and AUTH_DOMAIN below with your actual domains
+#
+# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
+---
+version: 1
+metadata:
+  name: Kaboot Application Setup (Production)
+  labels:
+    blueprints.goauthentik.io/description: "Complete Kaboot OAuth2/OIDC setup for production"
+
+context:
+  kaboot_domain: kaboot.example.com
+  auth_domain: auth.example.com
+
+entries:
+  # ═══════════════════════════════════════════════════════════════════════════════
+  # GROUPS
+  # ═══════════════════════════════════════════════════════════════════════════════
+
+  - id: kaboot-users-group
+    model: authentik_core.group
+    identifiers:
+      name: kaboot-users
+    attrs:
+      name: kaboot-users
+
+  # ═══════════════════════════════════════════════════════════════════════════════
+  # OAUTH2/OIDC PROVIDER
+  # ═══════════════════════════════════════════════════════════════════════════════
+
+  - id: kaboot-oauth2-provider
+    model: authentik_providers_oauth2.oauth2provider
+    identifiers:
+      name: Kaboot OAuth2
+    attrs:
+      name: Kaboot OAuth2
+      authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+      invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+      client_type: public
+      client_id: kaboot-spa
+      redirect_uris:
+        - url: !Format ["https://%s/callback", !Context kaboot_domain]
+          matching_mode: strict
+        - url: !Format ["https://%s/silent-renew.html", !Context kaboot_domain]
+          matching_mode: strict
+        - url: !Format ["https://%s", !Context kaboot_domain]
+          matching_mode: strict
+      access_code_validity: minutes=1
+      access_token_validity: minutes=30
+      refresh_token_validity: days=30
+      sub_mode: hashed_user_id
+      include_claims_in_id_token: true
+      issuer_mode: per_provider
+      property_mappings:
+        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, offline_access]]
+
+  # ═══════════════════════════════════════════════════════════════════════════════
+  # APPLICATION
+  # ═══════════════════════════════════════════════════════════════════════════════
+
+  - id: kaboot-application
+    model: authentik_core.application
+    identifiers:
+      slug: kaboot
+    attrs:
+      name: Kaboot
+      slug: kaboot
+      provider: !KeyOf kaboot-oauth2-provider
+      policy_engine_mode: any
+      meta_launch_url: !Format ["https://%s", !Context kaboot_domain]
+
+  - id: kaboot-group-policy-binding
+    model: authentik_policies.policybinding
+    identifiers:
+      target: !KeyOf kaboot-application
+      group: !KeyOf kaboot-users-group
+    attrs:
+      order: 0
+      enabled: true
+      negate: false
+      timeout: 30
+
+  # ═══════════════════════════════════════════════════════════════════════════════
+  # PASSWORD POLICY
+  # ═══════════════════════════════════════════════════════════════════════════════
+
+  - id: password-complexity-policy
+    model: authentik_policies_password.passwordpolicy
+    identifiers:
+      name: password-complexity
+    attrs:
+      name: password-complexity
+      password_field: password
+      length_min: 8
+      amount_uppercase: 1
+      amount_lowercase: 1
+      amount_digits: 1
+      error_message: "Password must be at least 8 characters with 1 uppercase, 1 lowercase, and 1 digit."
+
+  # ═══════════════════════════════════════════════════════════════════════════════
+  # ENROLLMENT STAGES
+  # ═══════════════════════════════════════════════════════════════════════════════
+
+  - id: enrollment-prompt-stage
+    model: authentik_stages_prompt.promptstage
+    identifiers:
+      name: enrollment-prompt
+    attrs:
+      name: enrollment-prompt
+      fields:
+        - !Find [authentik_stages_prompt.prompt, [name, default-source-enrollment-field-username]]
+        - !Find [authentik_stages_prompt.prompt, [name, default-user-settings-field-email]]
+        - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password]]
+        - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password-repeat]]
+      validation_policies:
+        - !KeyOf password-complexity-policy
+
+  - id: enrollment-user-write-stage
+    model: authentik_stages_user_write.userwritestage
+    identifiers:
+      name: enrollment-user-write
+    attrs:
+      name: enrollment-user-write
+      user_creation_mode: always_create
+      create_users_as_inactive: false
+      create_users_group: !KeyOf kaboot-users-group
+
+  - id: enrollment-user-login-stage
+    model: authentik_stages_user_login.userloginstage
+    identifiers:
+      name: enrollment-user-login
+    attrs:
+      name: enrollment-user-login
+      session_duration: hours=24
+      remember_me_offset: days=30
+      network_binding: no_binding
+      geoip_binding: no_binding
+      terminate_other_sessions: false
+
+  # ═══════════════════════════════════════════════════════════════════════════════
+  # ENROLLMENT FLOW
+  # ═══════════════════════════════════════════════════════════════════════════════
+
+  - id: enrollment-flow
+    model: authentik_flows.flow
+    identifiers:
+      slug: enrollment-flow
+    attrs:
+      name: Enrollment Flow
+      title: Sign Up
+      slug: enrollment-flow
+      designation: enrollment
+      authentication: none
+
+  - id: enrollment-flow-prompt-binding
+    model: authentik_flows.flowstagebinding
+    identifiers:
+      target: !KeyOf enrollment-flow
+      stage: !KeyOf enrollment-prompt-stage
+    attrs:
+      order: 10
+      evaluate_on_plan: true
+      re_evaluate_policies: false
+      invalid_response_action: retry
+
+  - id: enrollment-flow-user-write-binding
+    model: authentik_flows.flowstagebinding
+    identifiers:
+      target: !KeyOf enrollment-flow
+      stage: !KeyOf enrollment-user-write-stage
+    attrs:
+      order: 20
+      evaluate_on_plan: true
+      re_evaluate_policies: false
+      invalid_response_action: retry
+
+  - id: enrollment-flow-user-login-binding
+    model: authentik_flows.flowstagebinding
+    identifiers:
+      target: !KeyOf enrollment-flow
+      stage: !KeyOf enrollment-user-login-stage
+    attrs:
+      order: 30
+      evaluate_on_plan: true
+      re_evaluate_policies: false
+      invalid_response_action: retry
+
+  # ═══════════════════════════════════════════════════════════════════════════════
+  # LINK ENROLLMENT FLOW TO DEFAULT LOGIN
+  # ═══════════════════════════════════════════════════════════════════════════════
+
+  - id: update-identification-stage
+    model: authentik_stages_identification.identificationstage
+    identifiers:
+      name: default-authentication-identification
+    attrs:
+      enrollment_flow: !KeyOf enrollment-flow
+      user_fields:
+        - email
+        - username
+      case_insensitive_matching: true
+      show_matched_user: true
+      show_source_labels: false
+      pretend_user_exists: true

authentik/blueprints/kaboot-setup.yaml

@@ -0,0 +1,257 @@
+# Kaboot Authentik Blueprint
+# This blueprint automatically configures all Authentik resources needed for Kaboot.
+# Place in authentik/blueprints/ and it will be auto-imported on container startup.
+#
+# Prerequisites:
+#   - Set AUTHENTIK_BOOTSTRAP_PASSWORD and AUTHENTIK_BOOTSTRAP_TOKEN in .env
+#   - Mount this directory to /blueprints/custom in docker-compose.yml
+#
+#
+# What this creates:
+#   - Kaboot OAuth2/OIDC Provider (public client)
+#   - Kaboot Application
+#   - kaboot-users Group
+#   - Enrollment flow with prompt, user write, and login stages
+#   - Password complexity policy
+#   - Test user (kaboottest) - for manual browser testing
+#   - Service account (kaboot-test-service) - for API testing
+#
+# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
+---
+version: 1
+metadata:
+  name: Kaboot Application Setup
+  labels:
+    blueprints.goauthentik.io/description: "Complete Kaboot OAuth2/OIDC setup with enrollment flow"
+
+entries:
+  # ═══════════════════════════════════════════════════════════════════════════════
+  # GROUPS
+  # ═══════════════════════════════════════════════════════════════════════════════
+
+  - id: kaboot-users-group
+    model: authentik_core.group
+    identifiers:
+      name: kaboot-users
+    attrs:
+      name: kaboot-users
+
+  # ═══════════════════════════════════════════════════════════════════════════════
+  # OAUTH2/OIDC PROVIDER
+  # ═══════════════════════════════════════════════════════════════════════════════
+
+  - id: kaboot-oauth2-provider
+    model: authentik_providers_oauth2.oauth2provider
+    identifiers:
+      name: Kaboot OAuth2
+    attrs:
+      name: Kaboot OAuth2
+      authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+      invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+      client_type: public
+      client_id: kaboot-spa
+      redirect_uris:
+        - url: http://localhost:5173/callback
+          matching_mode: strict
+        - url: http://localhost:5173/silent-renew.html
+          matching_mode: strict
+        - url: http://localhost:5173
+          matching_mode: strict
+      access_code_validity: minutes=1
+      access_token_validity: minutes=30
+      refresh_token_validity: days=30
+      sub_mode: hashed_user_id
+      include_claims_in_id_token: true
+      issuer_mode: per_provider
+      property_mappings:
+        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, offline_access]]
+
+  # ═══════════════════════════════════════════════════════════════════════════════
+  # APPLICATION
+  # ═══════════════════════════════════════════════════════════════════════════════
+
+  - id: kaboot-application
+    model: authentik_core.application
+    identifiers:
+      slug: kaboot
+    attrs:
+      name: Kaboot
+      slug: kaboot
+      provider: !KeyOf kaboot-oauth2-provider
+      policy_engine_mode: any
+      meta_launch_url: http://localhost:5173
+
+  - id: kaboot-group-policy-binding
+    model: authentik_policies.policybinding
+    identifiers:
+      target: !KeyOf kaboot-application
+      group: !KeyOf kaboot-users-group
+    attrs:
+      order: 0
+      enabled: true
+      negate: false
+      timeout: 30
+
+  # ═══════════════════════════════════════════════════════════════════════════════
+  # PASSWORD POLICY
+  # ═══════════════════════════════════════════════════════════════════════════════
+
+  - id: password-complexity-policy
+    model: authentik_policies_password.passwordpolicy
+    identifiers:
+      name: password-complexity
+    attrs:
+      name: password-complexity
+      password_field: password
+      length_min: 8
+      amount_uppercase: 1
+      amount_lowercase: 1
+      amount_digits: 1
+      error_message: "Password must be at least 8 characters with 1 uppercase, 1 lowercase, and 1 digit."
+
+  # ═══════════════════════════════════════════════════════════════════════════════
+  # ENROLLMENT STAGES
+  # ═══════════════════════════════════════════════════════════════════════════════
+
+  - id: enrollment-prompt-stage
+    model: authentik_stages_prompt.promptstage
+    identifiers:
+      name: enrollment-prompt
+    attrs:
+      name: enrollment-prompt
+      fields:
+        - !Find [authentik_stages_prompt.prompt, [name, default-source-enrollment-field-username]]
+        - !Find [authentik_stages_prompt.prompt, [name, default-user-settings-field-email]]
+        - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password]]
+        - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password-repeat]]
+      validation_policies:
+        - !KeyOf password-complexity-policy
+
+  - id: enrollment-user-write-stage
+    model: authentik_stages_user_write.userwritestage
+    identifiers:
+      name: enrollment-user-write
+    attrs:
+      name: enrollment-user-write
+      user_creation_mode: always_create
+      create_users_as_inactive: false
+      create_users_group: !KeyOf kaboot-users-group
+
+  - id: enrollment-user-login-stage
+    model: authentik_stages_user_login.userloginstage
+    identifiers:
+      name: enrollment-user-login
+    attrs:
+      name: enrollment-user-login
+      session_duration: hours=24
+      remember_me_offset: days=30
+      network_binding: no_binding
+      geoip_binding: no_binding
+      terminate_other_sessions: false
+
+  # ═══════════════════════════════════════════════════════════════════════════════
+  # ENROLLMENT FLOW
+  # ═══════════════════════════════════════════════════════════════════════════════
+
+  - id: enrollment-flow
+    model: authentik_flows.flow
+    identifiers:
+      slug: enrollment-flow
+    attrs:
+      name: Enrollment Flow
+      title: Sign Up
+      slug: enrollment-flow
+      designation: enrollment
+      authentication: none
+
+  - id: enrollment-flow-prompt-binding
+    model: authentik_flows.flowstagebinding
+    identifiers:
+      target: !KeyOf enrollment-flow
+      stage: !KeyOf enrollment-prompt-stage
+    attrs:
+      order: 10
+      evaluate_on_plan: true
+      re_evaluate_policies: false
+      invalid_response_action: retry
+
+  - id: enrollment-flow-user-write-binding
+    model: authentik_flows.flowstagebinding
+    identifiers:
+      target: !KeyOf enrollment-flow
+      stage: !KeyOf enrollment-user-write-stage
+    attrs:
+      order: 20
+      evaluate_on_plan: true
+      re_evaluate_policies: false
+      invalid_response_action: retry
+
+  - id: enrollment-flow-user-login-binding
+    model: authentik_flows.flowstagebinding
+    identifiers:
+      target: !KeyOf enrollment-flow
+      stage: !KeyOf enrollment-user-login-stage
+    attrs:
+      order: 30
+      evaluate_on_plan: true
+      re_evaluate_policies: false
+      invalid_response_action: retry
+
+  # ═══════════════════════════════════════════════════════════════════════════════
+  # LINK ENROLLMENT FLOW TO DEFAULT LOGIN
+  # ═══════════════════════════════════════════════════════════════════════════════
+
+  - id: update-identification-stage
+    model: authentik_stages_identification.identificationstage
+    identifiers:
+      name: default-authentication-identification
+    attrs:
+      enrollment_flow: !KeyOf enrollment-flow
+      user_fields:
+        - email
+        - username
+      case_insensitive_matching: true
+      show_matched_user: true
+      show_source_labels: false
+      pretend_user_exists: true
+
+  # ═══════════════════════════════════════════════════════════════════════════════
+  # TEST USER (for manual browser testing)
+  # ═══════════════════════════════════════════════════════════════════════════════
+
+  - id: kaboot-test-user
+    model: authentik_core.user
+    identifiers:
+      username: kaboottest
+    attrs:
+      username: kaboottest
+      name: Kaboot Test
+      email: kaboottest@test.com
+      path: users
+      is_active: true
+      groups:
+        - !KeyOf kaboot-users-group
+    # Note: Password must be set manually via UI or API after blueprint import
+    # Run: docker compose exec authentik-server ak setpassword kaboottest
+
+  # ═══════════════════════════════════════════════════════════════════════════════
+  # SERVICE ACCOUNT (for API/automated testing)
+  # ═══════════════════════════════════════════════════════════════════════════════
+
+  - id: kaboot-test-service-account
+    model: authentik_core.user
+    identifiers:
+      username: kaboot-test-service
+    attrs:
+      username: kaboot-test-service
+      name: Kaboot Test Service
+      path: users
+      type: service_account
+      is_active: true
+      groups:
+        - !KeyOf kaboot-users-group
+    # Note: App password must be created via UI or API after blueprint import
+    # See docs/AUTHENTIK_SETUP.md for instructions