c3d0c121bb
All checks were successful
ci/woodpecker/push/default Pipeline was successful
Authentik email was unconfigured (localhost), so the TripIt enrollment flow's email-verification stage couldn't send. Add AUTHENTIK_EMAIL__* to server.env + worker.env pointing at the in-cluster mailserver as noreply@viktorbarzin.me (587/STARTTLS), with the SASL password synced from Vault secret/authentik.smtp_password via a new authentik-email ExternalSecret (reloader-annotated). Image pin unchanged (2026.2.4 == live). Prereq for the tripit-enrollment flow. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
40 lines
1.2 KiB
HCL
40 lines
1.2 KiB
HCL
# SMTP password for Authentik's signup-verification + recovery email (tripit
|
|
# ADR-0020). Synced from Vault secret/authentik.smtp_password into the authentik
|
|
# namespace as the `authentik-email` Secret, referenced by
|
|
# AUTHENTIK_EMAIL__PASSWORD in values.yaml (server.env + worker.env). The sender
|
|
# account is noreply@viktorbarzin.me (a mailserver SASL account); host/port/from
|
|
# are non-secret and live in values.yaml. The reloader annotation rolls the
|
|
# authentik pods if the password ever changes.
|
|
resource "kubernetes_manifest" "authentik_email_secret" {
|
|
manifest = {
|
|
apiVersion = "external-secrets.io/v1beta1"
|
|
kind = "ExternalSecret"
|
|
metadata = {
|
|
name = "authentik-email"
|
|
namespace = "authentik"
|
|
}
|
|
spec = {
|
|
refreshInterval = "1h"
|
|
secretStoreRef = {
|
|
name = "vault-kv"
|
|
kind = "ClusterSecretStore"
|
|
}
|
|
target = {
|
|
name = "authentik-email"
|
|
template = {
|
|
metadata = {
|
|
annotations = {
|
|
"reloader.stakater.com/match" = "true"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
data = [
|
|
{
|
|
secretKey = "AUTHENTIK_EMAIL__PASSWORD"
|
|
remoteRef = { key = "authentik", property = "smtp_password" }
|
|
},
|
|
]
|
|
}
|
|
}
|
|
}
|