Add Authentik SMTP configuration
Some checks failed
secret-guardrails / artifact-secret-scan (push) Has been cancelled
secret-guardrails / gitleaks (push) Has been cancelled

This commit is contained in:
Fizzlepoof
2026-05-24 19:16:48 +00:00
parent 2057c8aaa5
commit a27ed384e7
3 changed files with 35 additions and 8 deletions

View File

@@ -4,3 +4,11 @@ AUTHENTIK_POSTGRES_PASSWORD=CHANGE_ME
AUTHENTIK_SECRET_KEY=CHANGE_ME AUTHENTIK_SECRET_KEY=CHANGE_ME
AUTHENTIK_BOOTSTRAP_PASSWORD=CHANGE_ME AUTHENTIK_BOOTSTRAP_PASSWORD=CHANGE_ME
AUTHENTIK_BOOTSTRAP_TOKEN=CHANGE_ME AUTHENTIK_BOOTSTRAP_TOKEN=CHANGE_ME
AUTHENTIK_EMAIL__HOST=smtp.example.com
AUTHENTIK_EMAIL__PORT=587
AUTHENTIK_EMAIL__USERNAME=mailer@example.com
AUTHENTIK_EMAIL__PASSWORD=CHANGE_ME
AUTHENTIK_EMAIL__USE_TLS=true
AUTHENTIK_EMAIL__USE_SSL=false
AUTHENTIK_EMAIL__TIMEOUT=10
AUTHENTIK_EMAIL__FROM=auth@example.com

View File

@@ -28,30 +28,33 @@ Bootstrap:
1. Copy this directory to PD at /mnt/docker-ssd/docker/compose/identity-authentik 1. Copy this directory to PD at /mnt/docker-ssd/docker/compose/identity-authentik
2. Copy .env.example to .env and replace every CHANGE_ME 2. Copy .env.example to .env and replace every CHANGE_ME
3. Create the Authentik database/user in shared Postgres 3. If email-based password resets or invitations are needed, set the SMTP vars in `.env` using the official Authentik email settings (`AUTHENTIK_EMAIL__HOST`, `__PORT`, `__USERNAME`, `__PASSWORD`, `__USE_TLS` or `__USE_SSL`, `__TIMEOUT`, `__FROM`). Port 587 normally means `AUTHENTIK_EMAIL__USE_TLS=true` and `AUTHENTIK_EMAIL__USE_SSL=false`.
4. Validate and start: 4. Create the Authentik database/user in shared Postgres
5. Validate and start:
cd /mnt/docker-ssd/docker/compose/identity-authentik cd /mnt/docker-ssd/docker/compose/identity-authentik
docker compose --env-file .env config docker compose --env-file .env config
docker compose --env-file .env up -d docker compose --env-file .env up -d
5. Verify readiness: 6. Verify readiness:
docker compose ps docker compose ps
docker logs authentik-server --tail=50 docker logs authentik-server --tail=50
curl -fsS http://127.0.0.1:9000/-/health/ready/ curl -fsS http://127.0.0.1:9000/-/health/ready/
6. Complete initial login with the bootstrap admin on the internal URL first, then wire the public Pangolin hostname `https://authentik.paccoco.com`. Grafana and other OIDC clients should use that public hostname instead of the LAN-only `http://10.5.30.6:9000` base URL. 7. If SMTP is enabled, send a test mail from inside the Authentik server container before relying on password reset or invitation flows.
7. Build providers before cutover:
8. Complete initial login with the bootstrap admin on the internal URL first, then wire the public Pangolin hostname `https://authentik.paccoco.com`. Grafana and other OIDC clients should use that public hostname instead of the LAN-only `http://10.5.30.6:9000` base URL.
9. Build providers before cutover:
- Grafana: OAuth2/OIDC provider - Grafana: OAuth2/OIDC provider
- Gitea: proxy provider, forward auth, single application - Gitea: proxy provider, forward auth, single application
- Technitium: proxy provider, forward auth, single application - Technitium: proxy provider, forward auth, single application
- Traefik dashboard: proxy provider, forward auth, single application - Traefik dashboard: proxy provider, forward auth, single application
8. Bind those proxy providers to the embedded outpost. 10. Bind those proxy providers to the embedded outpost.
9. Cut apps over one at a time from Authelia forward-auth to Authentik forward-auth. 11. Cut apps over one at a time from Authelia forward-auth to Authentik forward-auth.
10. Only remove Authelia after every migrated app and logout flow is verified. 12. Only remove Authelia after every migrated app and logout flow is verified.
Notes: Notes:

View File

@@ -19,6 +19,14 @@ services:
AUTHENTIK_POSTGRESQL__SSLMODE: disable AUTHENTIK_POSTGRESQL__SSLMODE: disable
AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD} AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD}
AUTHENTIK_BOOTSTRAP_TOKEN: ${AUTHENTIK_BOOTSTRAP_TOKEN} AUTHENTIK_BOOTSTRAP_TOKEN: ${AUTHENTIK_BOOTSTRAP_TOKEN}
AUTHENTIK_EMAIL__HOST: ${AUTHENTIK_EMAIL__HOST}
AUTHENTIK_EMAIL__PORT: ${AUTHENTIK_EMAIL__PORT}
AUTHENTIK_EMAIL__USERNAME: ${AUTHENTIK_EMAIL__USERNAME}
AUTHENTIK_EMAIL__PASSWORD: ${AUTHENTIK_EMAIL__PASSWORD}
AUTHENTIK_EMAIL__USE_TLS: ${AUTHENTIK_EMAIL__USE_TLS}
AUTHENTIK_EMAIL__USE_SSL: ${AUTHENTIK_EMAIL__USE_SSL}
AUTHENTIK_EMAIL__TIMEOUT: ${AUTHENTIK_EMAIL__TIMEOUT}
AUTHENTIK_EMAIL__FROM: ${AUTHENTIK_EMAIL__FROM}
volumes: volumes:
- /mnt/tank/docker/appdata/authentik:/data - /mnt/tank/docker/appdata/authentik:/data
- /mnt/docker-ssd/docker/compose/identity-authentik/custom-templates:/templates - /mnt/docker-ssd/docker/compose/identity-authentik/custom-templates:/templates
@@ -49,6 +57,14 @@ services:
AUTHENTIK_POSTGRESQL__SSLMODE: disable AUTHENTIK_POSTGRESQL__SSLMODE: disable
AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD} AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD}
AUTHENTIK_BOOTSTRAP_TOKEN: ${AUTHENTIK_BOOTSTRAP_TOKEN} AUTHENTIK_BOOTSTRAP_TOKEN: ${AUTHENTIK_BOOTSTRAP_TOKEN}
AUTHENTIK_EMAIL__HOST: ${AUTHENTIK_EMAIL__HOST}
AUTHENTIK_EMAIL__PORT: ${AUTHENTIK_EMAIL__PORT}
AUTHENTIK_EMAIL__USERNAME: ${AUTHENTIK_EMAIL__USERNAME}
AUTHENTIK_EMAIL__PASSWORD: ${AUTHENTIK_EMAIL__PASSWORD}
AUTHENTIK_EMAIL__USE_TLS: ${AUTHENTIK_EMAIL__USE_TLS}
AUTHENTIK_EMAIL__USE_SSL: ${AUTHENTIK_EMAIL__USE_SSL}
AUTHENTIK_EMAIL__TIMEOUT: ${AUTHENTIK_EMAIL__TIMEOUT}
AUTHENTIK_EMAIL__FROM: ${AUTHENTIK_EMAIL__FROM}
volumes: volumes:
- /mnt/tank/docker/appdata/authentik:/data - /mnt/tank/docker/appdata/authentik:/data
- /mnt/docker-ssd/docker/compose/identity-authentik/custom-templates:/templates - /mnt/docker-ssd/docker/compose/identity-authentik/custom-templates:/templates