Add optional SMTP configuration for Authentik, including email host, port, and credentials. Update README and .env.sample to clarify usage for outbound email settings. Introduce blueprint support for enhanced deployment flexibility, with assertions in Ansible tasks to ensure required variables are set when enabled.

komodo/s3/versitygw/.env.sample

@@ -26,11 +26,30 @@ VERSITYGW_WEBUI_PORT=8080
 # VGW_WEBUI_GATEWAYS=https://s3.example.com
 VGW_WEBUI_GATEWAYS=
 
-# Public origin of the **WebUI** page (Pangolin → :8080), e.g. https://s3-ui.example.com
-# Required when UI and API are on different hosts so the browser can call the API (CORS).
+# Public origin of the **browser app** that calls the S3 API (no path, no trailing slash).
+# Use this when the UI is on a different hostname than the API — e.g. third-party S3 consoles,
+# or the built-in WebUI behind Pangolin on another host than :10000.
+# Example: VGW_CORS_ALLOW_ORIGIN=https://s3-ui.pcenicni.dev
+#
+# VersityGW maps the browser’s preflight Access-Control-Request-Headers into
+# Access-Control-Allow-Headers (Authorization, X-Amz-Date, X-Amz-Content-Sha256, Content-Type, …)
+# when there is **no** per-bucket CORS configuration. You do not set those headers separately here.
+#
+# If you used PutBucketCors on a bucket, that config replaces this fallback for that bucket: add
+# the same Origin and AllowedHeader entries (or *) there, or delete bucket CORS to rely on this.
 # VGW_CORS_ALLOW_ORIGIN=https://s3-ui.example.com
 VGW_CORS_ALLOW_ORIGIN=
 
+# --- Pangolin (edge) vs Versity CORS ---
+# If VGW_CORS_ALLOW_ORIGIN is correct but the browser still says CORS failed, the edge often
+# never returns Versity’s Access-Control-* headers: Pangolin can answer OPTIONS / block preflight
+# before Newt reaches :10000. S3 clients send OPTIONS without SigV4 auth; Pangolin SSO or
+# “authorization” on the HTTP resource can reject that (see https://github.com/fosrl/pangolin/issues/2369 ).
+# Mitigations: make the **S3 API** hostname resource public (no Pangolin auth on that resource),
+# or add a rule that allows OPTIONS to pass through when Pangolin supports method-based rules;
+# confirm with: curl -sv -X OPTIONS -H "Origin: https://your-s3-ui" -H "Access-Control-Request-Method: PUT" \
+#   -H "Access-Control-Request-Headers: authorization,content-type" "https://your-s3-api-host/" 2>&1 | head -40
+
 # NFS: object metadata defaults to xattrs; most NFS mounts need sidecar mode
 # (compose.yaml uses --sidecar /data/sidecar). Create the host path, e.g.
 #   mkdir -p /mnt/nfs/versity/sidecar

komodo/s3/versitygw/compose.yaml

@@ -26,7 +26,8 @@ services:
       # Public base URL of the *S3 API* only (Pangolin → :10000). Not the WebUI hostname.
       # No trailing slash. If this points at the UI URL, bucket ops return 404/wrong host.
       VGW_WEBUI_GATEWAYS: ${VGW_WEBUI_GATEWAYS}
-      # Browser Origin when WebUI and API use different HTTPS hostnames (see wiki / WebGUI CORS).
+      # Browser Origin for cross-host S3 from the UI (maps to --cors-allow-origin). See .env.sample
+      # for third-party consoles vs bucket PutBucketCors overrides.
       VGW_CORS_ALLOW_ORIGIN: ${VGW_CORS_ALLOW_ORIGIN}
     ports:
       - "${VERSITYGW_PORT:-10000}:10000"