feat(authentik): wire SMTP (noreply@) for TripIt signup verification + recovery email (ADR-0020)
All checks were successful
ci/woodpecker/push/default Pipeline was successful
All checks were successful
ci/woodpecker/push/default Pipeline was successful
Authentik email was unconfigured (localhost), so the TripIt enrollment flow's email-verification stage couldn't send. Add AUTHENTIK_EMAIL__* to server.env + worker.env pointing at the in-cluster mailserver as noreply@viktorbarzin.me (587/STARTTLS), with the SASL password synced from Vault secret/authentik.smtp_password via a new authentik-email ExternalSecret (reloader-annotated). Image pin unchanged (2026.2.4 == live). Prereq for the tripit-enrollment flow. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin
parent
8a2a3d9eca
commit
c3d0c121bb
2 changed files with 78 additions and 0 deletions
|
|
@ -47,6 +47,26 @@ server:
|
|||
value: "1800"
|
||||
- name: AUTHENTIK_CACHE__TIMEOUT_POLICIES
|
||||
value: "900"
|
||||
# SMTP for signup verification + recovery email (tripit ADR-0020): send via
|
||||
# the in-cluster mailserver as noreply@viktorbarzin.me (SASL, 587/STARTTLS);
|
||||
# password from the authentik-email ExternalSecret (Vault
|
||||
# secret/authentik.smtp_password). Set on server AND worker — the worker
|
||||
# runs the email tasks, the server validates the Email stage config.
|
||||
- name: AUTHENTIK_EMAIL__HOST
|
||||
value: "mailserver.mailserver.svc.cluster.local"
|
||||
- name: AUTHENTIK_EMAIL__PORT
|
||||
value: "587"
|
||||
- name: AUTHENTIK_EMAIL__USE_TLS
|
||||
value: "true"
|
||||
- name: AUTHENTIK_EMAIL__USERNAME
|
||||
value: "noreply@viktorbarzin.me"
|
||||
- name: AUTHENTIK_EMAIL__FROM
|
||||
value: "TripIt <noreply@viktorbarzin.me>"
|
||||
- name: AUTHENTIK_EMAIL__PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-email
|
||||
key: AUTHENTIK_EMAIL__PASSWORD
|
||||
# Do NOT set AUTHENTIK_POSTGRESQL__CONN_MAX_AGE here. With PgBouncer in
|
||||
# session mode every persistent Django connection pins a server connection
|
||||
# 1:1, so the 3x(20+5) pool saturated during the 2026-06-10 rolling
|
||||
|
|
@ -121,6 +141,24 @@ worker:
|
|||
value: "1800"
|
||||
- name: AUTHENTIK_CACHE__TIMEOUT_POLICIES
|
||||
value: "900"
|
||||
# SMTP (same as server.env) — the worker runs Authentik's email tasks, so it
|
||||
# needs the transport too (tripit ADR-0020). noreply@viktorbarzin.me via the
|
||||
# in-cluster mailserver; password from the authentik-email ExternalSecret.
|
||||
- name: AUTHENTIK_EMAIL__HOST
|
||||
value: "mailserver.mailserver.svc.cluster.local"
|
||||
- name: AUTHENTIK_EMAIL__PORT
|
||||
value: "587"
|
||||
- name: AUTHENTIK_EMAIL__USE_TLS
|
||||
value: "true"
|
||||
- name: AUTHENTIK_EMAIL__USERNAME
|
||||
value: "noreply@viktorbarzin.me"
|
||||
- name: AUTHENTIK_EMAIL__FROM
|
||||
value: "TripIt <noreply@viktorbarzin.me>"
|
||||
- name: AUTHENTIK_EMAIL__PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-email
|
||||
key: AUTHENTIK_EMAIL__PASSWORD
|
||||
strategy:
|
||||
type: RollingUpdate
|
||||
rollingUpdate:
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue