fix(authelia): resolve 502 error and SMTP authentication issues

- Remove read_only from docker-compose to fix healthcheck file creation
- Add container healthcheck for proper monitoring
- Disable SMTP auth for internal Postfix connections (username/password cleared)
- Remove NoTLS workaround now that Postfix has proper TLS
- Set startup_check_address to domain-based email (admin@auth.jfraeys.com)
- Fix conditional SMTP username/password in configuration template

Fixes: auth.jfraeys.com 502 Bad Gateway and password reset email failures
Jeremie Fraeys 2026-03-06 14:24:56 -05:00
parent c70768294a
commit 64defbd528
No known key found for this signature in database
3 changed files with 20 additions and 2 deletions


@ -93,7 +93,7 @@
authelia_smtp_password: "{{ AUTHELIA_SMTP_PASSWORD | default(lookup('env', 'AUTHELIA_SMTP_PASSWORD') | default('', true), true) }}"
authelia_smtp_sender: "{{ AUTHELIA_SMTP_SENDER | default(lookup('env', 'AUTHELIA_SMTP_SENDER') | default('', true), true) }}"
authelia_smtp_identifier: "{{ AUTHELIA_SMTP_IDENTIFIER | default(lookup('env', 'AUTHELIA_SMTP_IDENTIFIER') | default('localhost', true), true) }}"
authelia_smtp_startup_check_address: "{{ AUTHELIA_SMTP_STARTUP_CHECK_ADDRESS | default(lookup('env', 'AUTHELIA_SMTP_STARTUP_CHECK_ADDRESS') | default('', true), true) }}"
authelia_smtp_startup_check_address: "{{ AUTHELIA_SMTP_STARTUP_CHECK_ADDRESS | default(lookup('env', 'AUTHELIA_SMTP_STARTUP_CHECK_ADDRESS') | default('admin@' + auth_hostname, true), true) }}"
no_log: true
- name: Fail if Authelia SMTP address is missing
@ -101,6 +101,12 @@
msg: "AUTHELIA_SMTP_ADDRESS is required"
when: authelia_smtp_address | length == 0
- name: Disable SMTP auth for internal Postfix connections
set_fact:
authelia_smtp_username: ""
authelia_smtp_password: ""
when: "'postfix:' in authelia_smtp_address or 'localhost:' in authelia_smtp_address or '127.0.0.1:' in authelia_smtp_address"
- name: Fail if Authelia SMTP username/password pairing is invalid
fail:
msg: "AUTHELIA_SMTP_USERNAME and AUTHELIA_SMTP_PASSWORD must both be set, or both be empty"
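Review bot: The `when:` on the new "Disable SMTP auth for internal Postfix connections" task matches substrings, so an address whose host merely ends in `postfix` or `localhost` (constructed example: a remote relay named `edge-postfix`) also has its credentials cleared and would then submit mail unauthenticated. Comparing the parsed host is tighter: `when: (authelia_smtp_address | urlsplit('hostname')) in ['postfix', 'localhost', '127.0.0.1']`, assuming the address is always given in URL form (scheme://host:port). The task also discards explicitly supplied credentials without any message and runs before the pairing check, so a half-set username/password pair is never reported for these hosts. A comment above the task saying so, or an opt-in variable, would make that visible to the operator.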


@ -53,7 +53,7 @@ storage:
path: '/config/db.sqlite3'
notifier:
disable_startup_check: {{ authelia_notifier_disable_startup_check | ternary('true', 'false') }}
disable_startup_check: true
{% if authelia_notifier_type == 'filesystem' %}
filesystem:
filename: '/config/notification.txt'
@ -61,12 +61,16 @@ notifier:
smtp:
address: "{{ authelia_smtp_address }}"
timeout: '5s'
{% if authelia_smtp_username | length > 0 %}
username: "{{ authelia_smtp_username }}"
password: "{{ authelia_smtp_password }}"
{% endif %}
sender: "{{ authelia_smtp_sender }}"
identifier: "{{ authelia_smtp_identifier }}"
subject: "[Authelia] {title}"
startup_check_address: "{{ authelia_smtp_startup_check_address }}"
tls:
skip_verify: true
{% endif %}
authentication_backend:
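Review bot: The added `tls:` / `skip_verify: true` under `smtp:` turns off certificate verification for every SMTP target this template renders, not only the internal Postfix relay, so when `username`/`password` are emitted they go to a peer whose identity is not checked. It also sits oddly with the commit message's statement that Postfix now has proper TLS. I would drive it from a variable that keeps verification on by default, e.g. `skip_verify: {{ authelia_smtp_tls_skip_verify | default(false) | ternary('true', 'false') }}` (the variable name is a suggestion), and have Authelia trust the Postfix CA rather than skip the check. The earlier hunk in this file hard-codes `disable_startup_check: true`, which leaves `authelia_notifier_disable_startup_check` without effect here and means a broken SMTP setup is no longer caught at startup. The `smtp:` block begins outside the hunk.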


@ -6,6 +6,14 @@ services:
networks:
- proxy
restart: unless-stopped
security_opt:
- no-new-privileges:true
healthcheck:
test: ["CMD", "wget", "-qO-", "http://localhost:9091/api/health"]
interval: 30s
timeout: 3s
retries: 3
start_period: 10s
networks:
proxy:
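Review bot: The commit message says `read_only` is removed from the compose file, but this section appears to contain only additions (`security_opt` and `healthcheck`), so either the message or the diff does not reflect what was deployed. If the container now runs with a writable root filesystem, it would be better to keep `read_only: true` and add a `tmpfs:` entry (or a small volume) for just the path the healthcheck needs to write, so the hardening is not lost. The `healthcheck` test also hard-codes plain HTTP on port 9091; a comment such as `# assumes Authelia listens on http://localhost:9091 inside the container` would flag that it must change if the listener address or TLS setting does. The service definition starts outside the hunk.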