gerd.authelia: adds smtp support w/ stalwart

machines/gerd/services/authelia/authelia.nix

@@ -3,13 +3,16 @@
 let
   svc_domain = "auth.${config.mine.shared.settings.domain}";
 
+  authelia_user = "authelia-main";
   autheliaStateDir = "/var/lib/authelia-main";
+  smtp_username = "authelia";
   port = 9091;
 in {
   services.authelia.instances.main = {
     enable = true;
 
     environmentVariables.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.age.secrets.lldap-bind-user-pass.path;
+    environmentVariables.AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets.authelia-smtp-password.path;
     secrets = {
       jwtSecretFile = config.age.secrets.authelia-jwt.path;
       storageEncryptionKeyFile = config.age.secrets.authelia-storage.path;
@@ -26,14 +29,18 @@ in {
       server.address = "tcp://127.0.0.1:${builtins.toString port}";
 
       # totp - disable for now, as it requires email server
-      access_control.default_policy = "one_factor";
+      access_control.default_policy = "two_factor";
-      # totp.disable = true;
+      totp.issuer = svc_domain;
-      # webauthn.disable = true;
-      # default_2fa_method = "totp";
-      # totp.issuer = "auth.fricloud.dk";
 
       storage.local.path = "${autheliaStateDir}/authelia.sqlite3";
-      notifier.filesystem.filename = "${autheliaStateDir}/authelia_notifier.txt";
+
+      notifier.smtp = rec {
+        address = "submissions://${config.mine.shared.settings.mail.domain_smtp}:${builtins.toString config.mine.shared.settings.mail.ports.submissions}";
+        username = smtp_username;
+        sender = "Authelia <${username}@${config.mine.shared.settings.domain}>";
+        identifier = config.networking.hostName;
+        tls.server_name = config.mine.shared.settings.mail.domain_smtp;
+      };
 
       authentication_backend = {
         password_reset.disable = false;
@@ -87,10 +94,11 @@ in {
 
   # setup secrets for authelia
   age.secrets = {
-    authelia-jwt.owner = "authelia-main";
+    authelia-jwt.owner = authelia_user;
-    authelia-storage.owner = "authelia-main";
+    authelia-storage.owner = authelia_user;
-    authelia-session.owner = "authelia-main";
+    authelia-session.owner = authelia_user;
-    authelia-oidc-issuer-privatekey-pem.owner = "authelia-main";
+    authelia-oidc-issuer-privatekey-pem.owner = authelia_user;
+    authelia-smtp-password.owner = authelia_user;
   };
 
   users.groups."${config.age.secrets.lldap-bind-user-pass.group}".members = [ config.users.users.authelia-main.name ];

secrets/authelia/smtp-password.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 QSDXqg ukkpdyQwjxQ5ZSDRNp3scWW/UaL9KkvYjgOohagME2E
+TBz/F6ki/WRQ36dwWGya/+jk6d/CVit0uk6ftUGwkM0
+-> ssh-ed25519 n8n9DQ 4tAfBISscjJkXdT2ze7qwjSgXsKVORQdJ6BU2FWziBI
+KsgjA34+cX5JP5zQDJu2S42T07L1bUH6rFNLnGpGsCk
+-> ssh-ed25519 BTp6UA MN57AovukP5h7xP0TtdZJnbGUVGem9Ag4yrXeQPLOmc
+XvlsXC6kI6gbzrujxfGQII2bwPoXd7pAQfP3oXGqe4U
+--- qWkj5My+16z9Qjge9GR0ezFkzi4zONiEny+I/5j9qpQ
+
*ｦ{|<7C>o訒<6F>i_k}oｾ暉<EFBDBE>ｰ乕z)ｧ讐ﾈQｳｵｸ､ﾆc弥戻€ｦH｢､<]約･g\{W<><57>7:

secrets/default.nix

@@ -8,6 +8,7 @@
     authelia-session.file = ./authelia/session.age;
     authelia-oidc-issuer-privatekey-pem.file = ./authelia/oidc-issuer-privatekey-pem.age;
     authelia-oidc-issuer-privatekey-crt.file = ./authelia/oidc-issuer-privatekey-crt.age;
+    authelia-smtp-password.file = ./authelia/smtp-password.age;
 
     # lldap
     lldap-admin-user-pass.file = ./lldap/admin-user-pass.age;

secrets/secrets.nix

@@ -16,6 +16,7 @@ in
   "authelia/session.age".publicKeys = defaultAccess;
   "authelia/oidc-issuer-privatekey-pem.age".publicKeys = defaultAccess;
   "authelia/oidc-issuer-privatekey-crt.age".publicKeys = defaultAccess;
+  "authelia/smtp-password.age".publicKeys = defaultAccess;
 
   # lldap
   "lldap/admin-user-pass.age".publicKeys = defaultAccess;