viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(authentik): wire SMTP (noreply@) for TripIt signup verification + recovery email (ADR-0020)
All checks were successful
ci/woodpecker/push/default Pipeline was successful
Details

Browse source 
Authentik email was unconfigured (localhost), so the TripIt enrollment flow's email-verification stage couldn't send. Add AUTHENTIK_EMAIL__* to server.env + worker.env pointing at the in-cluster mailserver as noreply@viktorbarzin.me (587/STARTTLS), with the SASL password synced from Vault secret/authentik.smtp_password via a new authentik-email ExternalSecret (reloader-annotated). Image pin unchanged (2026.2.4 == live). Prereq for the tripit-enrollment flow.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-06-17 07:04:52 +00:00
parent 8a2a3d9eca
commit c3d0c121bb
2 changed files with 78 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

40
stacks/authentik/email-secret.tf Normal file
View file

@ -0,0 +1,40 @@
# SMTP password for Authentik's signup-verification + recovery email (tripit
# ADR-0020). Synced from Vault secret/authentik.smtp_password into the authentik
# namespace as the `authentik-email` Secret, referenced by
# AUTHENTIK_EMAIL__PASSWORD in values.yaml (server.env + worker.env). The sender
# account is noreply@viktorbarzin.me (a mailserver SASL account); host/port/from
# are non-secret and live in values.yaml. The reloader annotation rolls the
# authentik pods if the password ever changes.
resource "kubernetes_manifest" "authentik_email_secret" {
manifest = {
apiVersion = "external-secrets.io/v1beta1"
kind = "ExternalSecret"
metadata = {
name = "authentik-email"
namespace = "authentik"
}
spec = {
refreshInterval = "1h"
secretStoreRef = {
name = "vault-kv"
kind = "ClusterSecretStore"
}
target = {
name = "authentik-email"
template = {
metadata = {
annotations = {
"reloader.stakater.com/match" = "true"
}
}
}
}
data = [
{
secretKey = "AUTHENTIK_EMAIL__PASSWORD"
remoteRef = { key = "authentik", property = "smtp_password" }
},
]
}
}
}

38
stacks/authentik/modules/authentik/values.yaml
View file

@ -47,6 +47,26 @@ server:
value: "1800"
- name: AUTHENTIK_CACHE__TIMEOUT_POLICIES
value: "900"
# SMTP for signup verification + recovery email (tripit ADR-0020): send via
# the in-cluster mailserver as noreply@viktorbarzin.me (SASL, 587/STARTTLS);
# password from the authentik-email ExternalSecret (Vault
# secret/authentik.smtp_password). Set on server AND worker — the worker
# runs the email tasks, the server validates the Email stage config.
- name: AUTHENTIK_EMAIL__HOST
value: "mailserver.mailserver.svc.cluster.local"
- name: AUTHENTIK_EMAIL__PORT
value: "587"
- name: AUTHENTIK_EMAIL__USE_TLS
value: "true"
- name: AUTHENTIK_EMAIL__USERNAME
value: "noreply@viktorbarzin.me"
- name: AUTHENTIK_EMAIL__FROM
value: "TripIt <noreply@viktorbarzin.me>"
- name: AUTHENTIK_EMAIL__PASSWORD
valueFrom:
secretKeyRef:
name: authentik-email
key: AUTHENTIK_EMAIL__PASSWORD
# Do NOT set AUTHENTIK_POSTGRESQL__CONN_MAX_AGE here. With PgBouncer in
# session mode every persistent Django connection pins a server connection
# 1:1, so the 3x(20+5) pool saturated during the 2026-06-10 rolling
@ -121,6 +141,24 @@ worker:
value: "1800"
- name: AUTHENTIK_CACHE__TIMEOUT_POLICIES
value: "900"
# SMTP (same as server.env) — the worker runs Authentik's email tasks, so it
# needs the transport too (tripit ADR-0020). noreply@viktorbarzin.me via the
# in-cluster mailserver; password from the authentik-email ExternalSecret.
- name: AUTHENTIK_EMAIL__HOST
value: "mailserver.mailserver.svc.cluster.local"
- name: AUTHENTIK_EMAIL__PORT
value: "587"
- name: AUTHENTIK_EMAIL__USE_TLS
value: "true"
- name: AUTHENTIK_EMAIL__USERNAME
value: "noreply@viktorbarzin.me"
- name: AUTHENTIK_EMAIL__FROM
value: "TripIt <noreply@viktorbarzin.me>"
- name: AUTHENTIK_EMAIL__PASSWORD
valueFrom:
secretKeyRef:
name: authentik-email
key: AUTHENTIK_EMAIL__PASSWORD
strategy:
type: RollingUpdate
rollingUpdate: