
email (component)

A Kustomize component that gives an app the credentials it needs to send transactional email through the homelab's outbound SMTP relay. Apps that send password-reset emails, notification digests, alerts, etc. pull this in and get a uniform set of env vars they can read.

The relay itself isn't documented as a component — it's an upstream provider with rate-limited send credentials. The component packages the credentials in a way the apps know how to consume.

What it composes

  • Secret <app>-smtp — SOPS-encrypted, holding:
    • SMTP_HOST
    • SMTP_PORT
    • SMTP_USERNAME
    • SMTP_PASSWORD
    • SMTP_FROM
  • A baseline set of env-var mounts that the app's Deployment can reference with envFrom: to pull all four in one go.

The naming is deliberate — every app in the homelab that sends email uses the same env vars, so the upstream image's docs ("set SMTP_HOST to ...") apply without translation.

How an app uses it

# k8s/apps/talos/<app>/kustomization.yaml
components:
- ../../../components/talos/email

In the Deployment, mount the secret:

envFrom:
- secretRef:
    name: <app>-smtp

The app reads SMTP_HOST, SMTP_PORT, etc. from its environment as if they were always there.

Why one component, not per-app credentials

  • One place to rotate. When the SMTP password changes, edit the SOPS source once and every consuming app picks it up on next reconciliation.
  • Naming uniformity. Every app speaks SMTP_HOST regardless of what its upstream image's documentation calls the variable. The component is the translation layer.
  • Rate-limit visibility. A single relay account makes "how much email is the homelab sending" trivially answerable from the provider's dashboard.

Operational notes

  • The Secret is SOPS-encrypted at rest; the cluster decrypts via Flux + the age key. See Operations → SOPS for the encrypt/decrypt loop, and Topics → SOPS / age key rotation for password rotation.
  • A throwaway SMTP target (Mailpit, MailHog) is useful in the k3d local-dev cluster. Don't point real apps at it; opt-in only.
  • If the SMTP provider rate-limits, individual apps will see send failures in their logs. The monitoring stack scrapes these via app-specific dashboards; ntfy alerts surface the throttle.
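
A pre-commit style check for the Secret described above, added here as an example and not taken from the homelab repo: it confirms that a flat <app>-smtp manifest carries all five keys and that every value is SOPS ciphertext before the file reaches Git. The app name "mailer", the function name and both sample manifests are assumptions constructed for illustration.

```python
import re

# The five keys the page lists for the <app>-smtp Secret.
EXPECTED_KEYS = {"SMTP_HOST", "SMTP_PORT", "SMTP_USERNAME", "SMTP_PASSWORD", "SMTP_FROM"}
# Shape of a SOPS-encrypted scalar in a YAML file.
SOPS_VALUE = re.compile(r"^ENC\[AES256_GCM,data:[^,]+,iv:[^,]+,tag:[^,]+,type:\w+\]$")


def check_smtp_secret(manifest: str) -> list[str]:
    """Return problems found in a flat Secret manifest; an empty list means OK to commit."""
    values, in_block, has_sops = {}, False, False
    for line in manifest.splitlines():
        if re.match(r"^sops:\s*$", line):
            has_sops, in_block = True, False
        elif re.match(r"^(stringData|data):\s*$", line):
            in_block = True
        elif in_block and (m := re.match(r"^\s+([A-Za-z0-9_.-]+):\s*(.*)$", line)):
            values[m.group(1)] = m.group(2).strip().strip("'\"")
        elif line and not line[0].isspace():
            in_block = False  # any other top-level key ends the data block

    problems = [f"missing key {k}" for k in sorted(EXPECTED_KEYS - values.keys())]
    problems += [f"plaintext value for {k}" for k, v in sorted(values.items())
                 if not SOPS_VALUE.match(v)]
    if not has_sops:
        problems.append("no sops: metadata block")
    return problems


# Constructed samples for a hypothetical app "mailer"; ciphertexts are placeholders
# and the sops: block is abbreviated.
_ENC = "ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]"
ENCRYPTED = "\n".join(
    ["apiVersion: v1", "kind: Secret", "metadata:", "    name: mailer-smtp", "stringData:"]
    + [f"    {k}: {_ENC}" for k in sorted(EXPECTED_KEYS)]
    + ["sops:", "    encrypted_regex: ^(data|stringData)$"]
)
# Same file after a careless edit: password pasted in clear, SMTP_FROM dropped.
LEAKY = "\n".join(
    line for line in ENCRYPTED.splitlines() if "SMTP_FROM" not in line
).replace(f"SMTP_PASSWORD: {_ENC}", "SMTP_PASSWORD: hunter2")

if __name__ == "__main__":
    print(check_smtp_secret(ENCRYPTED))
    print(check_smtp_secret(LEAKY))
```

The parser only handles the flat data/stringData layout shown here; a manifest with nested or multi-line values needs a real YAML loader.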

Composition source

No partial — there's no README.md in k8s/components/talos/email/ yet. See k8s/components/talos/email for the actual manifests.