fricloud/server-configs
2
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

gerd.authelia: adds smtp support w/ stalwart

Browse source
This commit is contained in:
eyjhb 2024-08-21 13:21:20 +02:00
parent eab1162cfd
commit 6f261c6b78
No known key found for this signature in database
GPG key ID: 609F508E3239F920
4 changed files with 29 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
machines/gerd/services/authelia/authelia.nix
View file

@ -3,13 +3,16 @@
let
svc_domain = "auth.${config.mine.shared.settings.domain}";
authelia_user = "authelia-main";
autheliaStateDir = "/var/lib/authelia-main";
smtp_username = "authelia";
port = 9091;
in {
services.authelia.instances.main = {
enable = true;
environmentVariables.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.age.secrets.lldap-bind-user-pass.path;
environmentVariables.AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets.authelia-smtp-password.path;
secrets = {
jwtSecretFile = config.age.secrets.authelia-jwt.path;
storageEncryptionKeyFile = config.age.secrets.authelia-storage.path;
@ -26,14 +29,18 @@ in {
server.address = "tcp://127.0.0.1:${builtins.toString port}";
# totp - disable for now, as it requires email server
access_control.default_policy = "one_factor";
# totp.disable = true;
# webauthn.disable = true;
# default_2fa_method = "totp";
# totp.issuer = "auth.fricloud.dk";
access_control.default_policy = "two_factor";
totp.issuer = svc_domain;
storage.local.path = "${autheliaStateDir}/authelia.sqlite3";
notifier.filesystem.filename = "${autheliaStateDir}/authelia_notifier.txt";
notifier.smtp = rec {
address = "submissions://${config.mine.shared.settings.mail.domain_smtp}:${builtins.toString config.mine.shared.settings.mail.ports.submissions}";
username = smtp_username;
sender = "Authelia <${username}@${config.mine.shared.settings.domain}>";
identifier = config.networking.hostName;
tls.server_name = config.mine.shared.settings.mail.domain_smtp;
};
authentication_backend = {
password_reset.disable = false;
@ -87,10 +94,11 @@ in {
# setup secrets for authelia
age.secrets = {
authelia-jwt.owner = "authelia-main";
authelia-storage.owner = "authelia-main";
authelia-session.owner = "authelia-main";
authelia-oidc-issuer-privatekey-pem.owner = "authelia-main";
authelia-jwt.owner = authelia_user;
authelia-storage.owner = authelia_user;
authelia-session.owner = authelia_user;
authelia-oidc-issuer-privatekey-pem.owner = authelia_user;
authelia-smtp-password.owner = authelia_user;
};
users.groups."${config.age.secrets.lldap-bind-user-pass.group}".members = [ config.users.users.authelia-main.name ];

9
secrets/authelia/smtp-password.age Normal file
View file

@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 QSDXqg ukkpdyQwjxQ5ZSDRNp3scWW/UaL9KkvYjgOohagME2E
TBz/F6ki/WRQ36dwWGya/+jk6d/CVit0uk6ftUGwkM0
-> ssh-ed25519 n8n9DQ 4tAfBISscjJkXdT2ze7qwjSgXsKVORQdJ6BU2FWziBI
KsgjA34+cX5JP5zQDJu2S42T07L1bUH6rFNLnGpGsCk
-> ssh-ed25519 BTp6UA MN57AovukP5h7xP0TtdZJnbGUVGem9Ag4yrXeQPLOmc
XvlsXC6kI6gbzrujxfGQII2bwPoXd7pAQfP3oXGqe4U
--- qWkj5My+16z9Qjge9GR0ezFkzi4zONiEny+I/5j9qpQ
*ヲ{|<7C>o訒<6F>i_k}oセ暉<EFBDBE>ー乕z)ァ讐ネQウオク、ニc弥戻€ヲH「、<]約・g\{W<><57>7:

1
secrets/default.nix
View file

@ -8,6 +8,7 @@
authelia-session.file = ./authelia/session.age;
authelia-oidc-issuer-privatekey-pem.file = ./authelia/oidc-issuer-privatekey-pem.age;
authelia-oidc-issuer-privatekey-crt.file = ./authelia/oidc-issuer-privatekey-crt.age;
authelia-smtp-password.file = ./authelia/smtp-password.age;
# lldap
lldap-admin-user-pass.file = ./lldap/admin-user-pass.age;

1
secrets/secrets.nix
View file

@ -16,6 +16,7 @@ in
"authelia/session.age".publicKeys = defaultAccess;
"authelia/oidc-issuer-privatekey-pem.age".publicKeys = defaultAccess;
"authelia/oidc-issuer-privatekey-crt.age".publicKeys = defaultAccess;
"authelia/smtp-password.age".publicKeys = defaultAccess;
# lldap
"lldap/admin-user-pass.age".publicKeys = defaultAccess;