gerd.authelia: adds smtp support w/ stalwart

2024-08-21 13:21:20 +02:00 · 2024-08-21 13:21:20 +02:00 · 6f261c6b78
commit 6f261c6b78
parent eab1162cfd
4 changed files with 29 additions and 10 deletions
--- a/machines/gerd/services/authelia/authelia.nix
+++ b/machines/gerd/services/authelia/authelia.nix
@ -3,13 +3,16 @@
 let
  svc_domain = "auth.${config.mine.shared.settings.domain}";

+  authelia_user = "authelia-main";
  autheliaStateDir = "/var/lib/authelia-main";
+  smtp_username = "authelia";
  port = 9091;
 in {
  services.authelia.instances.main = {
    enable = true;

    environmentVariables.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.age.secrets.lldap-bind-user-pass.path;
+    environmentVariables.AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets.authelia-smtp-password.path;
    secrets = {
      jwtSecretFile = config.age.secrets.authelia-jwt.path;
      storageEncryptionKeyFile = config.age.secrets.authelia-storage.path;
@ -26,14 +29,18 @@ in {
      server.address = "tcp://127.0.0.1:${builtins.toString port}";

      # totp - disable for now, as it requires email server
-      access_control.default_policy = "one_factor";
-      # totp.disable = true;
-      # webauthn.disable = true;
-      # default_2fa_method = "totp";
-      # totp.issuer = "auth.fricloud.dk";
+      access_control.default_policy = "two_factor";
+      totp.issuer = svc_domain;

      storage.local.path = "${autheliaStateDir}/authelia.sqlite3";
-      notifier.filesystem.filename = "${autheliaStateDir}/authelia_notifier.txt";
+
+      notifier.smtp = rec {
+        address = "submissions://${config.mine.shared.settings.mail.domain_smtp}:${builtins.toString config.mine.shared.settings.mail.ports.submissions}";
+        username = smtp_username;
+        sender = "Authelia <${username}@${config.mine.shared.settings.domain}>";
+        identifier = config.networking.hostName;
+        tls.server_name = config.mine.shared.settings.mail.domain_smtp;
+      };

      authentication_backend = {
        password_reset.disable = false;
@ -87,10 +94,11 @@ in {

  # setup secrets for authelia
  age.secrets = {
-    authelia-jwt.owner = "authelia-main";
-    authelia-storage.owner = "authelia-main";
-    authelia-session.owner = "authelia-main";
-    authelia-oidc-issuer-privatekey-pem.owner = "authelia-main";
+    authelia-jwt.owner = authelia_user;
+    authelia-storage.owner = authelia_user;
+    authelia-session.owner = authelia_user;
+    authelia-oidc-issuer-privatekey-pem.owner = authelia_user;
+    authelia-smtp-password.owner = authelia_user;
  };

  users.groups."${config.age.secrets.lldap-bind-user-pass.group}".members = [ config.users.users.authelia-main.name ];