Add Authentik SMTP configuration
Some checks failed
secret-guardrails / artifact-secret-scan (push) Has been cancelled
secret-guardrails / gitleaks (push) Has been cancelled

This commit is contained in:
Fizzlepoof
2026-05-24 19:16:48 +00:00
parent 2057c8aaa5
commit a27ed384e7
3 changed files with 35 additions and 8 deletions

View File

@@ -4,3 +4,11 @@ AUTHENTIK_POSTGRES_PASSWORD=CHANGE_ME
AUTHENTIK_SECRET_KEY=CHANGE_ME
AUTHENTIK_BOOTSTRAP_PASSWORD=CHANGE_ME
AUTHENTIK_BOOTSTRAP_TOKEN=CHANGE_ME
AUTHENTIK_EMAIL__HOST=smtp.example.com
AUTHENTIK_EMAIL__PORT=587
AUTHENTIK_EMAIL__USERNAME=mailer@example.com
AUTHENTIK_EMAIL__PASSWORD=CHANGE_ME
AUTHENTIK_EMAIL__USE_TLS=true
AUTHENTIK_EMAIL__USE_SSL=false
AUTHENTIK_EMAIL__TIMEOUT=10
AUTHENTIK_EMAIL__FROM=auth@example.com

View File

@@ -28,30 +28,33 @@ Bootstrap:
1. Copy this directory to PD at /mnt/docker-ssd/docker/compose/identity-authentik
2. Copy .env.example to .env and replace every CHANGE_ME
3. Create the Authentik database/user in shared Postgres
4. Validate and start:
3. If email-based password resets or invitations are needed, set the SMTP vars in `.env` using the official Authentik email settings (`AUTHENTIK_EMAIL__HOST`, `__PORT`, `__USERNAME`, `__PASSWORD`, `__USE_TLS` or `__USE_SSL`, `__TIMEOUT`, `__FROM`). Port 587 normally means `AUTHENTIK_EMAIL__USE_TLS=true` and `AUTHENTIK_EMAIL__USE_SSL=false`.
4. Create the Authentik database/user in shared Postgres
5. Validate and start:
cd /mnt/docker-ssd/docker/compose/identity-authentik
docker compose --env-file .env config
docker compose --env-file .env up -d
5. Verify readiness:
6. Verify readiness:
docker compose ps
docker logs authentik-server --tail=50
curl -fsS http://127.0.0.1:9000/-/health/ready/
6. Complete initial login with the bootstrap admin on the internal URL first, then wire the public Pangolin hostname `https://authentik.paccoco.com`. Grafana and other OIDC clients should use that public hostname instead of the LAN-only `http://10.5.30.6:9000` base URL.
7. Build providers before cutover:
7. If SMTP is enabled, send a test mail from inside the Authentik server container before relying on password reset or invitation flows.
8. Complete initial login with the bootstrap admin on the internal URL first, then wire the public Pangolin hostname `https://authentik.paccoco.com`. Grafana and other OIDC clients should use that public hostname instead of the LAN-only `http://10.5.30.6:9000` base URL.
9. Build providers before cutover:
- Grafana: OAuth2/OIDC provider
- Gitea: proxy provider, forward auth, single application
- Technitium: proxy provider, forward auth, single application
- Traefik dashboard: proxy provider, forward auth, single application
8. Bind those proxy providers to the embedded outpost.
9. Cut apps over one at a time from Authelia forward-auth to Authentik forward-auth.
10. Only remove Authelia after every migrated app and logout flow is verified.
10. Bind those proxy providers to the embedded outpost.
11. Cut apps over one at a time from Authelia forward-auth to Authentik forward-auth.
12. Only remove Authelia after every migrated app and logout flow is verified.
Notes:

View File

@@ -19,6 +19,14 @@ services:
AUTHENTIK_POSTGRESQL__SSLMODE: disable
AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD}
AUTHENTIK_BOOTSTRAP_TOKEN: ${AUTHENTIK_BOOTSTRAP_TOKEN}
AUTHENTIK_EMAIL__HOST: ${AUTHENTIK_EMAIL__HOST}
AUTHENTIK_EMAIL__PORT: ${AUTHENTIK_EMAIL__PORT}
AUTHENTIK_EMAIL__USERNAME: ${AUTHENTIK_EMAIL__USERNAME}
AUTHENTIK_EMAIL__PASSWORD: ${AUTHENTIK_EMAIL__PASSWORD}
AUTHENTIK_EMAIL__USE_TLS: ${AUTHENTIK_EMAIL__USE_TLS}
AUTHENTIK_EMAIL__USE_SSL: ${AUTHENTIK_EMAIL__USE_SSL}
AUTHENTIK_EMAIL__TIMEOUT: ${AUTHENTIK_EMAIL__TIMEOUT}
AUTHENTIK_EMAIL__FROM: ${AUTHENTIK_EMAIL__FROM}
volumes:
- /mnt/tank/docker/appdata/authentik:/data
- /mnt/docker-ssd/docker/compose/identity-authentik/custom-templates:/templates
@@ -49,6 +57,14 @@ services:
AUTHENTIK_POSTGRESQL__SSLMODE: disable
AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD}
AUTHENTIK_BOOTSTRAP_TOKEN: ${AUTHENTIK_BOOTSTRAP_TOKEN}
AUTHENTIK_EMAIL__HOST: ${AUTHENTIK_EMAIL__HOST}
AUTHENTIK_EMAIL__PORT: ${AUTHENTIK_EMAIL__PORT}
AUTHENTIK_EMAIL__USERNAME: ${AUTHENTIK_EMAIL__USERNAME}
AUTHENTIK_EMAIL__PASSWORD: ${AUTHENTIK_EMAIL__PASSWORD}
AUTHENTIK_EMAIL__USE_TLS: ${AUTHENTIK_EMAIL__USE_TLS}
AUTHENTIK_EMAIL__USE_SSL: ${AUTHENTIK_EMAIL__USE_SSL}
AUTHENTIK_EMAIL__TIMEOUT: ${AUTHENTIK_EMAIL__TIMEOUT}
AUTHENTIK_EMAIL__FROM: ${AUTHENTIK_EMAIL__FROM}
volumes:
- /mnt/tank/docker/appdata/authentik:/data
- /mnt/docker-ssd/docker/compose/identity-authentik/custom-templates:/templates