don't put stock blueprints in /data, symlink

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

Dockerfile

@@ -132,6 +132,8 @@ RUN apt-get update && \
     rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
     adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
     mkdir -p /data/certs /data/media /data/blueprints && \
+    mkdir -p /ak-root/blueprints && \
+    ln -s /data/blueprints /ak-root/blueprints/local && \
     mkdir -p /authentik/.ssh && \
     mkdir -p /ak-root && \
     chown authentik:authentik /data/certs /data/media /authentik/.ssh /ak-root
@@ -143,7 +145,7 @@ COPY ./schemas /ak-root/schemas
 COPY ./locale /ak-root/locale
 COPY ./tests /ak-root/tests
 COPY ./manage.py /ak-root/
-COPY ./blueprints /data/blueprints
+COPY ./blueprints /ak-root/blueprints
 COPY ./lifecycle/ /ak-root/lifecycle
 COPY --from=go-builder /go/authentik /bin/authentik
 COPY --from=python-deps /ak-root/venv /ak-root/venv

authentik/lib/default.yml

@@ -57,7 +57,7 @@ paths:
   media: /data/media
   cert_discovery: /data/certs
   email_templates: /data/email-templates
-  blueprints: /data/blueprints
+  blueprints: /ak-root/blueprints
 
 debug: false
 remote_debug: false

docker-compose.yml

@@ -42,8 +42,8 @@ services:
       AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
       AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
     volumes:
-      - ./media:/media
+      - ./media:/data/media
-      - ./custom-templates:/templates
+      - ./custom-templates:/data/email-templates
     env_file:
       - .env
     ports:
@@ -71,9 +71,9 @@ services:
     user: root
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
-      - ./media:/media
+      - ./media:/data/media
-      - ./certs:/certs
+      - ./certs:/data/certs
-      - ./custom-templates:/templates
+      - ./custom-templates:/data/email-templates
     env_file:
       - .env
     depends_on:

website/docs/core/applications.md

@@ -31,9 +31,9 @@ The following aspects can be configured:
 
 -   _Icon (URL)_: Optionally configure an Icon for the application
 
-    If the authentik server does not have a volume mounted under `/media`, you'll get a text input. This accepts absolute URLs. If you've mounted single files into the container, you can reference them using `https://authentik.company/media/my-file.png`.
+    If the authentik server does not have a volume mounted under `/data/media`, you'll get a text input. This accepts absolute URLs. If you've mounted single files into the container, you can reference them using `https://authentik.company/media/my-file.png`.
 
-    If there is a mount under `/media`, you'll instead see a field to upload a file.
+    If there is a mount under `/data/media`, you'll instead see a field to upload a file.
 
 -   _Publisher_: Text shown below the application
 -   _Description_: Subtext shown on the application card below the publisher

website/docs/core/architecture.md

@@ -29,7 +29,7 @@ Similar to [other outposts](../outposts/index.mdx), this outpost allows using [P
 
 #### Persistence
 
--   `/media` is used to store icons and such, but not required, and if not mounted, authentik will allow you to set a URL to icons in place of a file upload
+-   `/data/media` is used to store icons and such, but not required, and if not mounted, authentik will allow you to set a URL to icons in place of a file upload
 
 ### Background Worker
 
@@ -37,8 +37,8 @@ This container executes background tasks, such as sending emails, the event noti
 
 #### Persistence
 
--   `/certs` is used for authentik to import external certs, which in most cases shouldn't be used for SAML, but rather if you use authentik without a reverse proxy, this can be used for example for the [Let's Encrypt integration](../core/certificates.md#lets-encrypt)
+-   `/data/certs` is used for authentik to import external certs, which in most cases shouldn't be used for SAML, but rather if you use authentik without a reverse proxy, this can be used for example for the [Let's Encrypt integration](../core/certificates.md#lets-encrypt)
--   `/templates` is used for [custom email templates](../flow/stages/email/index.mdx#custom-templates), and as with the other ones fully optional
+-   `/data/email-templates` is used for [custom email templates](../flow/stages/email/index.mdx#custom-templates), and as with the other ones fully optional
 
 ### PostgreSQL
 

website/docs/core/certificates.md

@@ -24,9 +24,9 @@ For SAML use-cases, you can generate a Certificate that's valid for longer than
 
 To use externally managed certificates, for example generated with certbot or HashiCorp Vault, you can use the discovery feature.
 
-The docker-compose installation maps a `certs` directory to `/certs`, you can simply use this as an output directory for certbot.
+The docker-compose installation maps a `certs` directory to `/data/certs`, you can simply use this as an output directory for certbot.
 
-For Kubernetes, you can map custom secrets/volumes under `/certs`.
+For Kubernetes, you can map custom secrets/volumes under `/data/certs`.
 
 You can also bind mount single files into the folder, as long as they fall under this naming schema.
 
@@ -62,9 +62,9 @@ Files are checked every 5 minutes, and will trigger an Outpost refresh if the fi
 Starting with authentik 2022.9, you can also import certificates with any folder structure directly. To do this, run the following command within the worker container:
 
 ```shell
-ak import_certificate --certificate /certs/mycert.pem --private-key /certs/something.pem --name test
+ak import_certificate --certificate /data/certs/mycert.pem --private-key /data/certs/something.pem --name test
 # --private-key can be omitted to only import a certificate, i.e. to trust other connections
-# ak import_certificate --certificate /certs/othercert.pem --name test2
+# ak import_certificate --certificate /data/certs/othercert.pem --name test2
 ```
 
 This will import the certificate into authentik under the given name. This command is idempotent, meaning you can run it via a cron-job and authentik will only update the certificate when it changes.
@@ -84,7 +84,7 @@ services:
     certbot:
         image: certbot/dns-route53:v1.22.0
         volumes:
-            - ./certs/:/etc/letsencrypt
+            - ./data/certs/:/etc/letsencrypt
         # Variables depending on DNS Plugin
         environment:
             AWS_ACCESS_KEY_ID: ...

website/docs/flow/stages/email/index.mdx

@@ -65,7 +65,7 @@ volumes:
           name: authentik-templates
 volumeMounts:
     - name: email-templates
-      mountPath: /templates
+      mountPath: /data/email-templates
 ```
 
   </TabItem>