From a27ed384e7b344de77a39312254c4f83aa247737 Mon Sep 17 00:00:00 2001 From: Fizzlepoof Date: Sun, 24 May 2026 19:16:48 +0000 Subject: [PATCH] Add Authentik SMTP configuration --- identity-authentik/.env.example | 8 ++++++++ identity-authentik/README.md | 19 +++++++++++-------- identity-authentik/docker-compose.yaml | 16 ++++++++++++++++ 3 files changed, 35 insertions(+), 8 deletions(-) diff --git a/identity-authentik/.env.example b/identity-authentik/.env.example index 72c7c1c..7e93f17 100644 --- a/identity-authentik/.env.example +++ b/identity-authentik/.env.example @@ -4,3 +4,11 @@ AUTHENTIK_POSTGRES_PASSWORD=CHANGE_ME AUTHENTIK_SECRET_KEY=CHANGE_ME AUTHENTIK_BOOTSTRAP_PASSWORD=CHANGE_ME AUTHENTIK_BOOTSTRAP_TOKEN=CHANGE_ME +AUTHENTIK_EMAIL__HOST=smtp.example.com +AUTHENTIK_EMAIL__PORT=587 +AUTHENTIK_EMAIL__USERNAME=mailer@example.com +AUTHENTIK_EMAIL__PASSWORD=CHANGE_ME +AUTHENTIK_EMAIL__USE_TLS=true +AUTHENTIK_EMAIL__USE_SSL=false +AUTHENTIK_EMAIL__TIMEOUT=10 +AUTHENTIK_EMAIL__FROM=auth@example.com diff --git a/identity-authentik/README.md b/identity-authentik/README.md index c61e8ec..91bcb89 100644 --- a/identity-authentik/README.md +++ b/identity-authentik/README.md @@ -28,30 +28,33 @@ Bootstrap: 1. Copy this directory to PD at /mnt/docker-ssd/docker/compose/identity-authentik 2. Copy .env.example to .env and replace every CHANGE_ME -3. Create the Authentik database/user in shared Postgres -4. Validate and start: +3. If email-based password resets or invitations are needed, set the SMTP vars in `.env` using the official Authentik email settings (`AUTHENTIK_EMAIL__HOST`, `__PORT`, `__USERNAME`, `__PASSWORD`, `__USE_TLS` or `__USE_SSL`, `__TIMEOUT`, `__FROM`). Port 587 normally means `AUTHENTIK_EMAIL__USE_TLS=true` and `AUTHENTIK_EMAIL__USE_SSL=false`. +4. Create the Authentik database/user in shared Postgres +5. Validate and start: cd /mnt/docker-ssd/docker/compose/identity-authentik docker compose --env-file .env config docker compose --env-file .env up -d -5. Verify readiness: +6. Verify readiness: docker compose ps docker logs authentik-server --tail=50 curl -fsS http://127.0.0.1:9000/-/health/ready/ -6. Complete initial login with the bootstrap admin on the internal URL first, then wire the public Pangolin hostname `https://authentik.paccoco.com`. Grafana and other OIDC clients should use that public hostname instead of the LAN-only `http://10.5.30.6:9000` base URL. -7. Build providers before cutover: +7. If SMTP is enabled, send a test mail from inside the Authentik server container before relying on password reset or invitation flows. + +8. Complete initial login with the bootstrap admin on the internal URL first, then wire the public Pangolin hostname `https://authentik.paccoco.com`. Grafana and other OIDC clients should use that public hostname instead of the LAN-only `http://10.5.30.6:9000` base URL. +9. Build providers before cutover: - Grafana: OAuth2/OIDC provider - Gitea: proxy provider, forward auth, single application - Technitium: proxy provider, forward auth, single application - Traefik dashboard: proxy provider, forward auth, single application -8. Bind those proxy providers to the embedded outpost. -9. Cut apps over one at a time from Authelia forward-auth to Authentik forward-auth. -10. Only remove Authelia after every migrated app and logout flow is verified. +10. Bind those proxy providers to the embedded outpost. +11. Cut apps over one at a time from Authelia forward-auth to Authentik forward-auth. +12. Only remove Authelia after every migrated app and logout flow is verified. Notes: diff --git a/identity-authentik/docker-compose.yaml b/identity-authentik/docker-compose.yaml index 24223f9..c17f05b 100644 --- a/identity-authentik/docker-compose.yaml +++ b/identity-authentik/docker-compose.yaml @@ -19,6 +19,14 @@ services: AUTHENTIK_POSTGRESQL__SSLMODE: disable AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD} AUTHENTIK_BOOTSTRAP_TOKEN: ${AUTHENTIK_BOOTSTRAP_TOKEN} + AUTHENTIK_EMAIL__HOST: ${AUTHENTIK_EMAIL__HOST} + AUTHENTIK_EMAIL__PORT: ${AUTHENTIK_EMAIL__PORT} + AUTHENTIK_EMAIL__USERNAME: ${AUTHENTIK_EMAIL__USERNAME} + AUTHENTIK_EMAIL__PASSWORD: ${AUTHENTIK_EMAIL__PASSWORD} + AUTHENTIK_EMAIL__USE_TLS: ${AUTHENTIK_EMAIL__USE_TLS} + AUTHENTIK_EMAIL__USE_SSL: ${AUTHENTIK_EMAIL__USE_SSL} + AUTHENTIK_EMAIL__TIMEOUT: ${AUTHENTIK_EMAIL__TIMEOUT} + AUTHENTIK_EMAIL__FROM: ${AUTHENTIK_EMAIL__FROM} volumes: - /mnt/tank/docker/appdata/authentik:/data - /mnt/docker-ssd/docker/compose/identity-authentik/custom-templates:/templates @@ -49,6 +57,14 @@ services: AUTHENTIK_POSTGRESQL__SSLMODE: disable AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD} AUTHENTIK_BOOTSTRAP_TOKEN: ${AUTHENTIK_BOOTSTRAP_TOKEN} + AUTHENTIK_EMAIL__HOST: ${AUTHENTIK_EMAIL__HOST} + AUTHENTIK_EMAIL__PORT: ${AUTHENTIK_EMAIL__PORT} + AUTHENTIK_EMAIL__USERNAME: ${AUTHENTIK_EMAIL__USERNAME} + AUTHENTIK_EMAIL__PASSWORD: ${AUTHENTIK_EMAIL__PASSWORD} + AUTHENTIK_EMAIL__USE_TLS: ${AUTHENTIK_EMAIL__USE_TLS} + AUTHENTIK_EMAIL__USE_SSL: ${AUTHENTIK_EMAIL__USE_SSL} + AUTHENTIK_EMAIL__TIMEOUT: ${AUTHENTIK_EMAIL__TIMEOUT} + AUTHENTIK_EMAIL__FROM: ${AUTHENTIK_EMAIL__FROM} volumes: - /mnt/tank/docker/appdata/authentik:/data - /mnt/docker-ssd/docker/compose/identity-authentik/custom-templates:/templates