Update build-certs to use verbose logging

Add mail and update gitea to use authelia sso
Change policy to only apply to servarr
2025-11-23 18:39:57 -06:00 · 2025-11-23 18:38:26 -06:00 · 2025-11-23 18:37:27 -06:00 · 2025-11-23 13:25:07 -06:00
3 changed files with 89 additions and 14 deletions
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -6,7 +6,7 @@ authentication_backend:
  password_change:
    disable: false
  file:
-    path: '/config/users.yml'
+    path: '/data/users.yml'
    watch: false
    search:
      email: false
@@ -37,18 +37,72 @@ session:
      remember_me: '1d'
 notifier:
  disable_startup_check: false
-  filesystem:
-    filename: '/config/notification.txt'
+  # filesystem:
+  #   filename: '/data/notification.txt'
+  smtp:
+    address: 'smtp://mail:25'
+    sender: 'Authelia <auth@loadingm.xyz>'
+    disable_require_tls: true # Determine if this is needed
+    disable_starttls: true
 storage:
  local:
-    path: '/config/db.sqlite3'
+    path: '/data/db.sqlite3'
 access_control:
  default_policy: deny
  rules:
-    - domain: '*.loadingm.xyz'
+    - domain: 'servarr.loadingm.xyz'
+      subject:
+        - 'group:admins'
      policy: one_factor
+    # - domain: '*.loadingm.xyz'
+    #   policy: one_factor
 server:
  endpoints:
    authz:
      auth-request:
        implementation: 'AuthRequest'
+identity_providers:
+  oidc:
+    # enable_client_debug_messages: false
+    # minimum_parameter_entropy: 8
+    # enforce_pkce: 'public_clients_only'
+    # enable_pkce_plain_challenge: false
+    # enable_jwt_access_token_stateless_introspection: false
+    # discovery_signed_response_alg: 'none'
+    # discovery_signed_response_key_id: ''
+    # require_pushed_authorization_requests: false
+    # authorization_policies:
+    #   policy_name:
+    #     default_policy: 'two_factor'
+    #     rules:
+    #       - policy: 'deny'
+    #         subject: 'group:services'
+    #         networks:
+    #           - '192.168.1.0/24'
+    #           - '192.168.2.51'
+    lifespans:
+      access_token: '1h'
+      authorize_code: '1m'
+      id_token: '1h'
+      refresh_token: '90m'
+    # claims_policies:
+    #   policy_name:
+    #     id_token: []
+    #     access_token: []
+    #     id_token_audience_mode: 'specification'
+    #     custom_claims:
+    #       claim_name:
+    #         name: 'claim_name'
+    #         attribute: 'attribute_name'
+    # scopes:
+    #   scope_name:
+    #     claims: []
+    # cors:
+    #   endpoints:
+    #     - 'authorization'
+    #     - 'token'
+    #     - 'revocation'
+    #     - 'introspection'
+    #   allowed_origins:
+    #     - 'https://example.com'
+    #   allowed_origins_from_client_redirect_uris: false
--- a/build-certs.sh
+++ b/build-certs.sh
@@ -1,5 +1,5 @@

-docker compose run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ \
+docker compose run --rm certbot certonly -v --webroot --webroot-path /var/www/certbot/ \
  -d loadingm.xyz \
  -d gitea.loadingm.xyz \
  -d auth.loadingm.xyz \
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -3,13 +3,13 @@ include:
  - ./jellyfin-compose.yaml
 secrets:
  JWT_SECRET:
-    file: './authelia/secrets/JWT_SECRET'
+    file: '/data/authelia/secrets/JWT_SECRET'
  SESSION_SECRET:
-    file: './authelia/secrets/SESSION_SECRET'
+    file: '/data/authelia/secrets/SESSION_SECRET'
  STORAGE_PASSWORD:
-    file: './authelia/secrets/STORAGE_PASSWORD'
+    file: '/data/authelia/secrets/STORAGE_PASSWORD'
  STORAGE_ENCRYPTION_KEY:
-    file: './authelia/secrets/STORAGE_ENCRYPTION_KEY'
+    file: '/data/authelia/secrets/STORAGE_ENCRYPTION_KEY'
 volumes:
  meilisearch:
  karakeep:
@@ -34,6 +34,8 @@ networks:
    external: false
  memos:
    external: false
+  mail:
+    external: false
 services:
  web:
    image: "nginx"
@@ -88,12 +90,13 @@ services:
    secrets: ['JWT_SECRET', 'SESSION_SECRET', 'STORAGE_PASSWORD', 'STORAGE_ENCRYPTION_KEY']
    networks:
      - auth
+      - mail
    environment:
      AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE: '/run/secrets/JWT_SECRET'
      AUTHELIA_SESSION_SECRET_FILE: '/run/secrets/SESSION_SECRET'
      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: '/run/secrets/STORAGE_ENCRYPTION_KEY'
    volumes:
-      - './authelia/:/config'
+      - './authelia/:/config:ro'
      - '/data/authelia/:/data'
    logging: *logging
  minecraft:
@@ -128,18 +131,24 @@ services:
  gitea:
    image: docker.gitea.com/gitea:1.24
    environment:
-      - USER_UID=1000
-      - USER_GID=1000
+      - USER_UID=106
+      - USER_GID=110
+      - ENABLE_NOTIFY_MAIL=true
+      # - 
    restart: unless-stopped
    networks:
      - gitea
+      - mail
    volumes:
      - /data/gitea/data:/data
+      - /home/git/.ssh/:/data/git/.ssh
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "222:22"
    logging: *logging
+    depends_on:
+      - authelia
  gitea-runner:
    image: docker.gitea.com/act_runner:latest
    restart: unless-stopped
@@ -187,7 +196,19 @@ services:
      - MEMOS_PORT=5230
    restart: unless-stopped
    logging: *logging
-
+  mail:
+    image: boky/postfix
+    restart: unless-stopped
+    logging: *logging
+    environment:
+      - ALLOWED_SENDER_DOMAINS=loadingm.xyz
+      - POSTFIX_myhostname=mail
+    volumes:
+      - /data/mail:/etc/opendkim/keys
+    networks:
+      - mail
+    ports:
+      - 127.0.0.1:25:25
  # calibre:
  #   image: "linuxserver/calibre-web"
  # 5d-diplomacy-frontend:
Author	SHA1	Message	Date
Matthew Pomes	e3d3ade4f7	Update build-certs to use verbose logging	2025-11-23 18:39:57 -06:00
Matthew Pomes	b41ad62aa1	Add mail and update gitea to use authelia sso	2025-11-23 18:38:26 -06:00
Matthew Pomes	0566bf8a2d	Change policy to only apply to servarr	2025-11-23 18:37:27 -06:00
Matthew Pomes	46344bf719	Split authelia config so secrets aren't in repo	2025-11-23 13:25:07 -06:00