diff --git a/machines/gerd/services/authelia/authelia.nix b/machines/gerd/services/authelia/authelia.nix
index a79834e..ea9d51a 100644
--- a/machines/gerd/services/authelia/authelia.nix
+++ b/machines/gerd/services/authelia/authelia.nix
@@ -3,13 +3,16 @@ let
 svc_domain = "auth.${config.mine.shared.settings.domain}";
+ authelia_user = "authelia-main";
 autheliaStateDir = "/var/lib/authelia-main";
+ smtp_username = "authelia";
 port = 9091;
 in {
 services.authelia.instances.main = {
 enable = true;
 environmentVariables.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.age.secrets.lldap-bind-user-pass.path;
+ environmentVariables.AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets.authelia-smtp-password.path;
 secrets = {
 jwtSecretFile = config.age.secrets.authelia-jwt.path;
 storageEncryptionKeyFile = config.age.secrets.authelia-storage.path;
@@ -26,14 +29,18 @@ in {
 server.address = "tcp://127.0.0.1:${builtins.toString port}";
 # totp - disable for now, as it requires email server
- access_control.default_policy = "one_factor";
- # totp.disable = true;
- # webauthn.disable = true;
- # default_2fa_method = "totp";
- # totp.issuer = "auth.fricloud.dk";
+ access_control.default_policy = "two_factor";
+ totp.issuer = svc_domain;
 storage.local.path = "${autheliaStateDir}/authelia.sqlite3";
- notifier.filesystem.filename = "${autheliaStateDir}/authelia_notifier.txt";
+
+ notifier.smtp = rec {
+ address = "submissions://${config.mine.shared.settings.mail.domain_smtp}:${builtins.toString config.mine.shared.settings.mail.ports.submissions}";
+ username = smtp_username;
+ sender = "Authelia <${username}@${config.mine.shared.settings.domain}>";
+ identifier = config.networking.hostName;
+ tls.server_name = config.mine.shared.settings.mail.domain_smtp;
+ };
 authentication_backend = {
 password_reset.disable = false;
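Review bot: The context comment `# totp - disable for now, as it requires email server` directly above the new `access_control.default_policy = "two_factor";` line is now stale: this hunk is exactly the change that configures the SMTP notifier and turns the second factor on, so the comment describes the state the commit removes. Replace it with something like `# SMTP notifier below delivers the TOTP enrolment mail, so a second factor can be required by default`. Since every resource without an explicit access-control rule now requires a second factor, it is worth confirming that any explicit rules defined elsewhere in this settings set still give the intended result (service accounts or health-check endpoints that relied on the old `one_factor` default will now be prompted for enrolment). The `submissions://` address together with `tls.server_name` keeps the SMTP credential on an implicitly encrypted, hostname-verified connection, which is the right default to keep. The surrounding `settings` attribute set starts and ends outside the hunk.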
@@ -87,10 +94,11 @@ in {
 # setup secrets for authelia
 age.secrets = {
- authelia-jwt.owner = "authelia-main";
- authelia-storage.owner = "authelia-main";
- authelia-session.owner = "authelia-main";
- authelia-oidc-issuer-privatekey-pem.owner = "authelia-main";
+ authelia-jwt.owner = authelia_user;
+ authelia-storage.owner = authelia_user;
+ authelia-session.owner = authelia_user;
+ authelia-oidc-issuer-privatekey-pem.owner = authelia_user;
+ authelia-smtp-password.owner = authelia_user;
 };
 users.groups."${config.age.secrets.lldap-bind-user-pass.group}".members = [ config.users.users.authelia-main.name ];
diff --git a/secrets/authelia/smtp-password.age b/secrets/authelia/smtp-password.age
new file mode 100644
index 0000000..b092662
--- /dev/null
+++ b/secrets/authelia/smtp-password.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 QSDXqg ukkpdyQwjxQ5ZSDRNp3scWW/UaL9KkvYjgOohagME2E
+TBz/F6ki/WRQ36dwWGya/+jk6d/CVit0uk6ftUGwkM0
+-> ssh-ed25519 n8n9DQ 4tAfBISscjJkXdT2ze7qwjSgXsKVORQdJ6BU2FWziBI
+KsgjA34+cX5JP5zQDJu2S42T07L1bUH6rFNLnGpGsCk
+-> ssh-ed25519 BTp6UA MN57AovukP5h7xP0TtdZJnbGUVGem9Ag4yrXeQPLOmc
+XvlsXC6kI6gbzrujxfGQII2bwPoXd7pAQfP3oXGqe4U
+--- qWkj5My+16z9Qjge9GR0ezFkzi4zONiEny+I/5j9qpQ
+ *{|Rogi_k}ohz)QQc߀H<]g\{W7:
\ No newline at end of file
diff --git a/secrets/default.nix b/secrets/default.nix
index d8a633c..bb514ff 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -8,6 +8,7 @@
 authelia-session.file = ./authelia/session.age;
 authelia-oidc-issuer-privatekey-pem.file = ./authelia/oidc-issuer-privatekey-pem.age;
 authelia-oidc-issuer-privatekey-crt.file = ./authelia/oidc-issuer-privatekey-crt.age;
+ authelia-smtp-password.file = ./authelia/smtp-password.age;
 # lldap
 lldap-admin-user-pass.file = ./lldap/admin-user-pass.age;
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 3fe90fd..4f6006e 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
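Review bot: The `users.groups."${config.age.secrets.lldap-bind-user-pass.group}".members` context line at the end of the authelia.nix hunk still spells the service user as the literal `authelia-main`, while the owner lines just above it were switched to the new `authelia_user` binding; a later rename would update the secret owners but leave this group membership (and the `autheliaStateDir` literal in the first hunk) pointing at the old name, which is exactly the drift the binding was introduced to prevent. Use the binding here too: `users.groups."${config.age.secrets.lldap-bind-user-pass.group}".members = [ config.users.users.${authelia_user}.name ];`. The new `authelia-smtp-password.owner = authelia_user;` entry follows the same pattern as the other Authelia secrets, so with the module's default file mode the SMTP password is readable only by the service user and the `AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE` path set in the first hunk resolves to it; that pairing looks correct as added.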
@@ -16,6 +16,7 @@ in
 "authelia/session.age".publicKeys = defaultAccess;
 "authelia/oidc-issuer-privatekey-pem.age".publicKeys = defaultAccess;
 "authelia/oidc-issuer-privatekey-crt.age".publicKeys = defaultAccess;
+ "authelia/smtp-password.age".publicKeys = defaultAccess;
 # lldap
 "lldap/admin-user-pass.age".publicKeys = defaultAccess;