feat(tripit): linked-email verification (SMTP + confirm carve-out) [ci skip]
Adds outbound mail for linked-email verification: EMAIL_PROVIDER=smtp + SMTP_* app env (submits via the cluster mailserver as spam@, relayed by Brevo), SMTP_PASSWORD mapped to the existing PLANS_IMAP_PASSWORD (no new secret), and a token-gated /api/emails/confirm ingress carve-out (auth=none, like the calendar feed). Applied locally via scripts/tg. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
parent
b8c55732e0
commit
9c4335025d
1 changed files with 33 additions and 0 deletions
|
|
@ -37,6 +37,16 @@ locals {
|
||||||
PUSH_PROVIDER = "webpush"
|
PUSH_PROVIDER = "webpush"
|
||||||
LLM_MODE = "fake"
|
LLM_MODE = "fake"
|
||||||
MAIL_INGEST_ENABLED = "false"
|
MAIL_INGEST_ENABLED = "false"
|
||||||
|
# Outbound mail for linked-email verification — submitted via the cluster
|
||||||
|
# mailserver as spam@ (which relays out via Brevo). SMTP_PASSWORD comes from
|
||||||
|
# tripit-secrets (mapped to the existing PLANS_IMAP_PASSWORD). PUBLIC_BASE_URL
|
||||||
|
# builds the confirmation link mailed to the address.
|
||||||
|
EMAIL_PROVIDER = "smtp"
|
||||||
|
SMTP_HOST = "mailserver.mailserver.svc"
|
||||||
|
SMTP_PORT = "587"
|
||||||
|
SMTP_USER = "spam@viktorbarzin.me"
|
||||||
|
SMTP_FROM = "spam@viktorbarzin.me"
|
||||||
|
PUBLIC_BASE_URL = "https://tripit.viktorbarzin.me"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -106,6 +116,9 @@ resource "kubernetes_manifest" "external_secret" {
|
||||||
# secret/owntracks respectively.
|
# secret/owntracks respectively.
|
||||||
{ secretKey = "SLACK_BOT_TOKEN", remoteRef = { key = "tripit", property = "SLACK_BOT_TOKEN" } },
|
{ secretKey = "SLACK_BOT_TOKEN", remoteRef = { key = "tripit", property = "SLACK_BOT_TOKEN" } },
|
||||||
{ secretKey = "DAWARICH_API_KEY", remoteRef = { key = "tripit", property = "DAWARICH_API_KEY" } },
|
{ secretKey = "DAWARICH_API_KEY", remoteRef = { key = "tripit", property = "DAWARICH_API_KEY" } },
|
||||||
|
# Linked-email verification submits SMTP as spam@; reuse its existing
|
||||||
|
# password (no new secret) as SMTP_PASSWORD.
|
||||||
|
{ secretKey = "SMTP_PASSWORD", remoteRef = { key = "tripit", property = "PLANS_IMAP_PASSWORD" } },
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -576,3 +589,23 @@ module "ingress_calendar" {
|
||||||
port = 8080
|
port = 8080
|
||||||
tls_secret_name = var.tls_secret_name
|
tls_secret_name = var.tls_secret_name
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Linked-email confirm carve-out: GET /api/emails/confirm?token=… is gated by the
|
||||||
|
# verification token mailed to the address (not Authentik), so the emailed link
|
||||||
|
# works without a session — same shape as the calendar feed carve-out.
|
||||||
|
module "ingress_emails_confirm" {
|
||||||
|
source = "../../modules/kubernetes/ingress_factory"
|
||||||
|
# auth = "none": GET /api/emails/confirm?token=… is gated by the verification
|
||||||
|
# token mailed to the address (not Authentik), so the emailed link works
|
||||||
|
# without a session — same rationale as the calendar feed carve-out.
|
||||||
|
auth = "none"
|
||||||
|
anti_ai_scraping = false
|
||||||
|
dns_type = "none" # main `module.ingress` owns the DNS record for this host
|
||||||
|
namespace = kubernetes_namespace.tripit.metadata[0].name
|
||||||
|
name = "tripit-emails-confirm"
|
||||||
|
service_name = "tripit"
|
||||||
|
full_host = "tripit.viktorbarzin.me"
|
||||||
|
ingress_path = ["/api/emails/confirm"]
|
||||||
|
port = 8080
|
||||||
|
tls_secret_name = var.tls_secret_name
|
||||||
|
}
|
||||||
|
|
|
||||||
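Review bot: `auth = "none"` on `module "ingress_emails_confirm"` leaves the application's token check as the only control on `/api/emails/confirm`, and nothing in this file records what that token must satisfy. Because the token travels in the query string of a GET, it will appear in ingress access logs and can be fetched by mail link scanners before the recipient clicks, so the handler should treat tokens as single-use and short-lived, and log redaction for this path is worth checking. Whether `ingress_path = ["/api/emails/confirm"]` is matched exactly or as a prefix is decided inside `ingress_factory`, which is not shown here; if it is a prefix match, any sub-path under it would skip Authentik as well. I would replace the duplicated rationale comment inside the module with the contract, e.g. `# auth = "none": app must enforce a single-use, expiring, high-entropy token; no other route may live under this path`. Separately, mapping `SMTP_PASSWORD` to `PLANS_IMAP_PASSWORD` means one credential now covers both mailbox access and submission as spam@, so rotation has to account for both consumers.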