added mfa

2026-05-24 08:37:27 +00:00
parent a1d9ed86e1
commit 3ab54f812a
10 changed files with 398 additions and 33 deletions
@@ -31,6 +31,8 @@ Change with `-setlogin` before first use.
 | `-certreset` | — | Remove stored cert, revert to self-signed |
 | `-log <path>` | `gotermix.log` next to binary | Auth log file path |
 | `-log off` | — | Disable file logging (console output always on) |
+| `-mfa <user> on` | — | Enable TOTP MFA for user — prints secret + QR code |
+| `-mfa <user> off` | — | Disable TOTP MFA for user |

 ---

@@ -97,6 +99,29 @@ Structured JSON-lines, one entry per login attempt:
 - Compatible with CrowdSec and fail2ban custom parsers
 - Console output always on; file output controlled by `-log`

+## Run as service
+- `gotermix.service` is pretty limitted, you can change settings there to suit your needs
+```bash
+# 1. Create unprivileged system user (no shell, no home)
+useradd --system --no-create-home --shell /sbin/nologin gotermix
+
+# 2. Deploy binary and set ownership
+mkdir -p /opt/gotermix
+cp gotermix /opt/gotermix/
+chown -R gotermix:gotermix /opt/gotermix
+chmod 750 /opt/gotermix
+chmod 750 /opt/gotermix/gotermix
+
+# 3. Install and enable service
+cp gotermix.service /etc/systemd/system/
+systemctl daemon-reload
+systemctl enable --now gotermix
+
+# 4. Check it's up
+systemctl status gotermix
+journalctl -u gotermix -f
+```
+
 ---

 ## Keyboard shortcuts