From 05f020ecb3646a4380545a094333d4e222da5e2d Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Thu, 6 Feb 2025 10:55:05 +0100
Subject: [PATCH] authelia: enable 2fa authelia: configure SMTP for notifications
---
 modules/authelia.nix | 34 ++++++++++++++++++++++++++++++----
 secrets.yml | 7 ++++---
 2 files changed, 34 insertions(+), 7 deletions(-)
diff --git a/modules/authelia.nix b/modules/authelia.nix
index d8152fb..0eb45cc 100644
--- a/modules/authelia.nix
+++ b/modules/authelia.nix
@@ -47,10 +47,23 @@
 key = "users";
 path = "users";
 }
+ {
+ key = "smtpPassword";
+ path = "smtpPassword";
+ }
 ];
 configMap = {
- access_control.default_policy = "one_factor";
+ access_control = {
+ default_policy = "one_factor";
+
+ rules = [
+ {
+ domain = "cyberchef.kun.is";
+ policy = "two_factor";
+ }
+ ];
+ };
 authentication_backend = {
 password_reset.disable = true;
@@ -90,9 +103,21 @@
 ];
 };
- notifier.filesystem = {
- enabled = true;
- filename = "/tmp/notifications.txt";
+ notifier = {
+ filesystem.enabled = false;
+
+ smtp = {
+ enabled = true;
+ address = "submission://mail.smtp2go.com:2525";
+ identifier = "auth.kun.is";
+ sender = "Authelia ";
+ username = "uxY88HYzbBTAoWYm4PUxpT76u";
+
+ password = {
+ secret_name = "authelia";
+ path = "smtpPassword";
+ };
+ };
+ };
 };
 };
 };
@@ -113,6 +138,7 @@
 secrets.authelia.stringData = {
 storage = "ref+sops://secrets.yml#/authelia/encryption_keys/storage";
 session = "ref+sops://secrets.yml#/authelia/encryption_keys/session";
+ smtpPassword = "ref+sops://secrets.yml#/authelia/smtpPassword";
 users = "ref+sops://secrets.yml#/authelia/users";
 };
 };
diff --git a/secrets.yml b/secrets.yml
index 843cc1e..4c1dc37 100644
--- a/secrets.yml
+++ b/secrets.yml
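Review bot: In the first hunk of modules/authelia.nix, `default_policy` stays `"one_factor"`, so the new `two_factor` rule covers only `cyberchef.kun.is`; every other host behind this Authelia instance, including any added later, falls back to password-only without anyone having decided that. Inverting the default makes a forgotten rule fail closed: `default_policy = "two_factor";` (or `"deny"`) with explicit `one_factor` rules for the hosts meant to be exempt. If the current default is deliberate, a comment above `rules` such as `# only cyberchef requires 2FA for now; all other domains stay one_factor` would record that. The enclosing `configMap` block starts before and continues past this hunk, so other policy settings may exist outside the visible lines.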
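Review bot: In the `notifier.smtp` block of the second modules/authelia.nix hunk, `username` is committed in clear text while the matching password goes through sops, leaving half of the relay credential readable to anyone with access to the repository. If this module's secret mechanism can supply the username the same way as `password` (not visible from this hunk), putting it in the `authelia` secret would keep the pair together and make rotation a single sops edit. The transport security also rests entirely on Authelia's defaults for the `submission://` scheme; a comment on `address` such as `# STARTTLS is required by default; do not set disable_require_tls or disable_starttls` would document that, since these mails likely carry 2FA enrollment verification. The enclosing `configMap` block begins and ends outside the hunk.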
@@ -33,7 +33,8 @@ authelia: encryption_keys: storage: ENC[AES256_GCM,data:RbD5StdFItHooBt/ESeAqnBRWV8USKedplz9cnZTA5K9k2EIE99yDdwkL+UNpRjN5oTImqQtWo3ESuBiq439ftSMeMyWT++qkV3ImbPOEYInLPdwHTxb28CC5zbY3FGH+GdB5q9V3zK+Pofslw6BMCsoL++tV8EWjX2isCfkWSk=,iv:e83TCcMW2qEc+R2E8209dhRUJvLZw2MPu4IWMSQVMy8=,tag:opewKZtNr4VT5Gj9l9B71Q==,type:str] session: ENC[AES256_GCM,data:N50TuHkiOvjxbhTzwy7cjYSyMM9txYCas8x+zEhC2vshWi4pD0dHNDVz90jS0waDYAKLxTMYUT9v9zpkXoQ+X2VWa+tzDU3IWixclHktew/ufWN7nXCRBCW/ZEw8Tm4bB61GTalXfpra3q8Z88bMhGcEfaCiHwfnMbhVn5jjQtM=,iv:QPTVCPzuLAZI06rRPCLYiyW/hd3P/r/nxocI4u3qRtk=,tag:1oqJoQedqGsln48jQphENw==,type:str] - users: ENC[AES256_GCM,data:Bstr2ZYDwUdcw0AXG/UxRcabEOk2k/cix+L73IHQugmSNG2wGSNbDhZdvPxLbyZcxlpa7MU9o63YIjk+f+5zl7NZsARSw1NSUtrXzk62mz/lvQzGW+gZXIG78Q5vLOp652xFRwt0L/5x3wEoP64T6E3AMn23sfntf/OA04CMCbeleTkR+MzeLD+k1A2qHb7zZV7k44IMHToBOkZ15ICfZ27wN7NWOoQ+cqlJeKQWSG34I0DWW+iKjnT4H5YIcSWlLSEhA7c2pzxzkPmxwgnLCIyCXF1WesIUqxor3klpYGkW9A==,iv:3bJOTCAW2QWmNQgX3duXLQGki1FoaJ1aZvDXvX0T2Z0=,tag:kbiDE0M7KQRuyV9PiIg0Vw==,type:str] + smtpPassword: ENC[AES256_GCM,data:Zd2F237gWaL555lf022zjr7VHVcAFUyFxg==,iv:ka8YuGFclNrWV1U0g2ERypiKy6rN5ppPIVlsjBqkFrI=,tag:e+5fO6VR1z1cqYTXJ6Yo+Q==,type:str] + users: ENC[AES256_GCM,data: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,iv:9hm49dFfD6O0YV5YdyXqyiU1vjSHNuH4/+JcXiN+PWI=,tag:jM6atf1M0cgDcAiFOd626Q==,type:str] sops: kms: [] gcp_kms: [] 
@@ -58,8 +59,8 @@ sops: azR0UkJyL0RwUVk4ZzdkSWptcDlWVjAK5FU9B5TBSnV3azO4eCv13T6i3dGGuI68 UgBrVEb1/Fv+4XTjeSEhpiOaH8sNWYoNa3Aa7uTZYlHDRWga2GC7zw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-02-05T16:59:14Z" - mac: ENC[AES256_GCM,data:hfH7il2xkxaz+Uzv4V4BaLv3RnS4nmAic2G4RVJmB7jc9mEBthcPdf0OPo6pXZ14YqVgfzsR3zNdqnaPwPIks07BZ27zo7pKvpdiJACGi6RXIpJwzgd3bwrVm5P11gBmPZbMv+vkoTVNl3EENOOKsfqoDNI3/Pwj6fXSWIJ5m1o=,iv:d3K/3gOLpo8bd6JfpiYhC/KHU/SsgQ9vSgc5lYvkdhk=,tag:PAB+jDOnP1z9IiR5gHdImA==,type:str] + lastmodified: "2025-02-06T09:44:26Z" + mac: ENC[AES256_GCM,data:1KuTjnTtXftuVzE18ULskydigmLavdy740+/K0PN7p8FSJ7IKU1XP9L93mmxoQOFN1MrVl7ENrY0Wu9/UOG6xSK0S3HcfQKyO8i0Jtgj1tUodcWR/kb7BTwJ3oylQ5xXnHd2rdlaE1y3ZfarFvZqokBsNyux0t9tZYGcRA5W6ZQ=,iv:hnHbV2oNeFu+EJXZS39oa7QMOSL9tuHCVpvjIg6TSFk=,tag:4EijW78hQ4IHb6atatJktQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.2