From f17526afc3c5b0c81947b83551e97d4518f01518 Mon Sep 17 00:00:00 2001
From: Lino Silva
Date: Wed, 1 Apr 2026 00:11:23 +0100
Subject: [PATCH] feat: TinyAuth + traefik dash + sonarr forward auth

---
 ansible/inventories/group_vars/all/main.yml | 12 ++++
 ansible/inventories/group_vars/all/vault.yml | 40 +++++++-----
 ansible/playbooks/provision_vms.yml | 9 +--
 ansible/roles/pocketid/tasks/main.yml | 2 +-
 ansible/roles/tinyauth/tasks/main.yml | 17 +++++
 .../tinyauth/templates/docker-compose.yml.j2 | 17 +++++
 ansible/roles/traefik/tasks/main.yml | 2 +-
 .../traefik/templates/docker-compose.yml.j2 | 18 +-----
 .../traefik/templates/remote-services.yml.j2 | 62 ++++++++++++++++++-
 9 files changed, 138 insertions(+), 41 deletions(-)
 create mode 100644 ansible/roles/tinyauth/tasks/main.yml
 create mode 100644 ansible/roles/tinyauth/templates/docker-compose.yml.j2

diff --git a/ansible/inventories/group_vars/all/main.yml b/ansible/inventories/group_vars/all/main.yml
index 6a9d0fc..eb7c495 100644
--- a/ansible/inventories/group_vars/all/main.yml
+++ b/ansible/inventories/group_vars/all/main.yml
@@ -19,3 +19,15 @@ cloudflare_api_token: "{{ vault_cloudflare_api_token }}"
 
 # Pocket ID configuration
 pocketid_encryption_key: "{{ vault_pocketid_encryption_key }}"
+
+sonarr_host: 10.0.2.25
+sonarr_port: 8989
+
+pocketid_host: 10.0.4.10
+pocketid_port: 8001
+
+tinyauth_host: 10.0.4.10
+tinyauth_port: 3000
+tinyauth_oidc_provider: "https://auth.{{ domain }}"
+tinyauth_client_id: "{{ vault_tinyauth_client_id }}"
+tinyauth_client_secret: "{{ vault_tinyauth_client_secret }}"
diff --git a/ansible/inventories/group_vars/all/vault.yml b/ansible/inventories/group_vars/all/vault.yml
index f9e34fb..56bb3ac 100644
--- a/ansible/inventories/group_vars/all/vault.yml
+++ b/ansible/inventories/group_vars/all/vault.yml
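Review bot: The tinyauth public origin `https://auth-proxy.{{ domain }}` is spelled out independently in the tinyauth compose template (`TINYAUTH_APPURL`, `TINYAUTH_OAUTH_PROVIDERS_POCKETID_REDIRECTURL`) and in remote-services.yml.j2 (the forwardAuth `address` and the `tinyauth` router rule), while only the Pocket ID side gets a variable here. Adding `tinyauth_public_url: "https://auth-proxy.{{ domain }}"` next to `tinyauth_oidc_provider` and templating those four places from it keeps the registered OIDC redirect URL, the app URL and the router rule from drifting apart, which is the usual cause of a silently broken login loop. `pocketid_host` and `tinyauth_host` both carry `10.0.4.10`; if that is one edge host, a single variable would say so.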
@@ -1,18 +1,24 @@ $ANSIBLE_VAULT;1.1;AES256 -30623838356139653230313437646430626633636134313435643139663435393536616662633161 -3439346361646265653936616664653839373935333238350a643737393965313736316434356536 -34323934386661303032306431306533356335633339633165366530323464336330343862313236 -3366373465393263300a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a323036636138346435386135313164 +30303835353434666535656532636662613762643236353263636163313930313335386466663235 +6337613933633234390a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diff --git a/ansible/playbooks/provision_vms.yml b/ansible/playbooks/provision_vms.yml index 0036b96..54cfa6d 100644 --- a/ansible/playbooks/provision_vms.yml +++ b/ansible/playbooks/provision_vms.yml @@ -1,8 +1,8 @@ --- -- hosts: localhost - gather_facts: no - roles: - - proxmox_vm +# - hosts: localhost +# gather_facts: no +# roles: +# - proxmox_vm - hosts: edge become: yes @@ -17,6 +17,7 @@ roles: - base - docker + - tinyauth - pocketid # - hosts: all diff --git a/ansible/roles/pocketid/tasks/main.yml b/ansible/roles/pocketid/tasks/main.yml index 99619eb..b960f85 100644 --- a/ansible/roles/pocketid/tasks/main.yml +++ b/ansible/roles/pocketid/tasks/main.yml @@ -64,6 +64,6 @@ dest: /opt/pocketid/docker-compose.yml mode: '0644' - name: Start Pocket ID - shell: cd /opt/pocketid && docker compose up -d + shell: cd /opt/pocketid && docker compose down && docker compose up -d args: chdir: /opt/pocketid diff --git a/ansible/roles/tinyauth/tasks/main.yml b/ansible/roles/tinyauth/tasks/main.yml new file mode 100644 index 0000000..3418312 --- /dev/null +++ b/ansible/roles/tinyauth/tasks/main.yml 
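Review bot: `docker compose down && docker compose up -d` takes Pocket ID, the identity provider every protected route now depends on, offline on every playbook run even when the compose file did not change, and a `shell` task always reports changed, so the play is no longer idempotent. The same pattern is introduced in the new tinyauth role and in the Traefik start task. `docker compose up -d` alone already recreates containers whose configuration changed (add `--force-recreate` if a restart is really wanted), and the `community.docker.docker_compose_v2` module with `project_src: /opt/pocketid` would make the step idempotent and correctly reported. The leading `cd /opt/pocketid &&` duplicates `args: chdir`.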
@@ -0,0 +1,17 @@
+---
+- name: Create tinyauth directory
+ file:
+ path: /opt/tinyauth
+ state: directory
+ mode: '0755'
+
+- name: Create docker-compose file for tinyauth
+ template:
+ src: docker-compose.yml.j2
+ dest: /opt/tinyauth/docker-compose.yml
+ mode: '0644'
+
+- name: Start tinyauth
+ shell: cd /opt/tinyauth && docker compose down && docker compose up -d
+ args:
+ chdir: /opt/tinyauth
diff --git a/ansible/roles/tinyauth/templates/docker-compose.yml.j2 b/ansible/roles/tinyauth/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..b30042b
--- /dev/null
+++ b/ansible/roles/tinyauth/templates/docker-compose.yml.j2
@@ -0,0 +1,17 @@
+services:
+ tinyauth:
+ image: ghcr.io/steveiliop56/tinyauth:v5
+ container_name: tinyauth
+ restart: unless-stopped
+ ports:
+ - "3000:3000"
+ environment:
+ - TINYAUTH_APPURL=https://auth-proxy.{{ domain }}
+ - TINYAUTH_OAUTH_PROVIDERS_POCKETID_CLIENTID={{ tinyauth_client_id }}
+ - TINYAUTH_OAUTH_PROVIDERS_POCKETID_CLIENTSECRET={{ tinyauth_client_secret }}
+ - TINYAUTH_OAUTH_PROVIDERS_POCKETID_AUTHURL={{ tinyauth_oidc_provider }}/authorize
+ - TINYAUTH_OAUTH_PROVIDERS_POCKETID_TOKENURL={{ tinyauth_oidc_provider }}/api/oidc/token
+ - TINYAUTH_OAUTH_PROVIDERS_POCKETID_USERINFOURL={{ tinyauth_oidc_provider }}/api/oidc/userinfo
+ - TINYAUTH_OAUTH_PROVIDERS_POCKETID_REDIRECTURL=https://auth-proxy.{{ domain }}/api/oauth/callback/pocketid
+ - TINYAUTH_OAUTH_PROVIDERS_POCKETID_SCOPES=openid email profile groups
+ - TINYAUTH_OAUTH_PROVIDERS_POCKETID_NAME=Pocket ID
diff --git a/ansible/roles/traefik/tasks/main.yml b/ansible/roles/traefik/tasks/main.yml
index addcc38..fbd91b2 100644
--- a/ansible/roles/traefik/tasks/main.yml
+++ b/ansible/roles/traefik/tasks/main.yml
@@ -46,6 +46,6 @@
 mode: '0644'
 
 - name: Start Traefik
- shell: cd /opt/traefik && docker compose up -d
+ shell: cd /opt/traefik && docker compose down && docker compose up -d
 args:
 chdir: /opt/traefik
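Review bot: The rendered `/opt/tinyauth/docker-compose.yml` embeds `tinyauth_client_secret` as a plain environment value (see the compose template in this commit), yet the template task writes it with `mode: '0644'`, so any local account on the edge host can read the OIDC client secret. Use `mode: '0600'` with an explicit `owner`/`group` for the account that runs `docker compose`; the pocketid role's compose file, visible in its hunk with the same `'0644'`, likely deserves the same treatment. The start task shares the `compose down && up` idempotency problem raised on the pocketid role.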
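Review bot: The `environment` entries are unquoted plain scalars assembled from Jinja values, so a `tinyauth_client_secret` containing ` #` or `: `, or starting with a YAML indicator such as `*` or `[`, renders a file that compose either truncates or rejects; quote each entry, e.g. `- "TINYAUTH_OAUTH_PROVIDERS_POCKETID_CLIENTSECRET={{ tinyauth_client_secret }}"`. `ghcr.io/steveiliop56/tinyauth:v5` is a floating major tag on the component that now gates every protected route, so an upstream push changes the auth layer without a reviewed diff; pin an exact release or an `@sha256:` digest and bump it deliberately. `"3000:3000"` publishes the auth service on every host interface; if Traefik is its only consumer and `tinyauth_host` is an address of this host, bind to it instead, e.g. `"{{ tinyauth_host }}:3000:3000"`.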
diff --git a/ansible/roles/traefik/templates/docker-compose.yml.j2 b/ansible/roles/traefik/templates/docker-compose.yml.j2
index e2facd2..b2096d4 100644
--- a/ansible/roles/traefik/templates/docker-compose.yml.j2
+++ b/ansible/roles/traefik/templates/docker-compose.yml.j2
@@ -10,7 +10,7 @@ services:
 ports:
 - "80:80"
 - "443:443"
- - "8080:8080" # Dashboard
+ - "8080:8080"
 environment:
 - CF_DNS_API_TOKEN={{ cloudflare_api_token | default('') }}
 volumes:
@@ -21,22 +21,6 @@ services:
 - ./data/acme.json:/acme.json
 labels:
 - "traefik.enable=true"
- # HTTP to HTTPS redirect
- - "traefik.http.routers.traefik.entrypoints=http"
- - "traefik.http.routers.traefik.rule=Host(`traefik.{{ domain | default('local') }}`)"
- - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
- - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
- # HTTPS with auth
- - "traefik.http.routers.traefik-secure.entrypoints=https"
- - "traefik.http.routers.traefik-secure.rule=Host(`traefik.{{ domain | default('local') }}`)"
- - "traefik.http.routers.traefik-secure.tls=true"
- - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
- - "traefik.http.routers.traefik-secure.service=api@internal"
- # ForwardAuth middleware pointing to Pocket ID
- - "traefik.http.middlewares.pocketid-auth.forwardauth.address=http://auth.{{ domain }}/api/oidc/authorize?client_id=traefik&redirect_uri=https://traefik.{{ domain }}/callback"
- - "traefik.http.middlewares.pocketid-auth.forwardauth.trustForwardHeader=true"
- - "traefik.http.middlewares.pocketid-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
- - "traefik.http.routers.traefik-secure.middlewares=pocketid-auth"
 
 networks:
 proxy:
diff --git a/ansible/roles/traefik/templates/remote-services.yml.j2 b/ansible/roles/traefik/templates/remote-services.yml.j2
index b7b26ed..6393038 100644
--- a/ansible/roles/traefik/templates/remote-services.yml.j2
+++ b/ansible/roles/traefik/templates/remote-services.yml.j2
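Review bot: The `"8080:8080"` mapping stays published while only its `# Dashboard` comment is removed, even though the commit moves the dashboard behind the `pocketid-auth` forward-auth via the `traefik-secure` router on `api@internal` in remote-services.yml.j2. If the static configuration (not in this diff) still sets `api.insecure=true`, port 8080 keeps serving the same dashboard and API with no middleware at all, so the new forward-auth can be bypassed from anywhere that reaches the host; if `api.insecure` is off, the mapping serves nothing and is dead. Either way the line should go, or gain a comment stating why the port must remain exposed.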
@@ -1,5 +1,45 @@
 http:
+ middlewares:
+ pocketid-auth:
+ forwardAuth:
+ address: "https://auth-proxy.{{ domain }}/api/auth/traefik"
+ trustForwardHeader: true
+ authResponseHeaders:
+ - "X-Auth-User"
+ - "X-Auth-Email"
+ - "X-Auth-Name"
+ - Authorization
+ - Remote-Email
+ - Remote-Name
+ - Remote-User
+ - Remote-Groups
+
+ traefik-https-redirect:
+ redirectScheme:
+ scheme: https
+ permanent: true
+
 routers:
+ traefik-secure:
+ rule: "Host(`traefik.{{ domain }}`)"
+ entryPoints:
+ - https
+ middlewares:
+ - pocketid-auth
+ service: api@internal
+ tls:
+ certResolver: cloudflare
+
+ sonarr:
+ rule: "Host(`sonarr.{{ domain }}`)"
+ entryPoints:
+ - https
+ middlewares:
+ - pocketid-auth
+ service: sonarr
+ tls:
+ certResolver: cloudflare
+
 pocketid:
 rule: "Host(`auth.{{ domain }}`)"
 entryPoints:
@@ -7,10 +7,30 @@ http:
 service: pocketid
 tls:
 certResolver: cloudflare
+
+ tinyauth:
+ rule: "Host(`auth-proxy.{{ domain }}`)"
+ entryPoints:
+ - https
+ service: tinyauth
+ tls:
+ certResolver: cloudflare
 
 services:
+ sonarr:
+ loadBalancer:
+ passHostHeader: true
+ servers:
+ - url: "http://{{ sonarr_host }}:{{ sonarr_port }}"
+
 pocketid:
 loadBalancer:
 passHostHeader: true
 servers:
- - url: "http://10.0.4.10:8001"
+ - url: "http://{{ pocketid_host }}:{{ pocketid_port }}"
+
+ tinyauth:
+ loadBalancer:
+ passHostHeader: true
+ servers:
+ - url: "http://{{ tinyauth_host }}:{{ tinyauth_port }}"
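Review bot: `trustForwardHeader: true` makes Traefik pass the client-supplied `X-Forwarded-*` headers to tinyauth instead of its own values, and tinyauth presumably derives the protected host and the post-login redirect from them; unless the `https` entrypoint pins `forwardedHeaders.trustedIPs` to the upstream proxy (not visible in this diff), drop the option so Traefik sets those headers itself. `traefik-https-redirect` is defined but no router in this file references it, and the old `traefik` router on the `http` entrypoint that used it is deleted from the compose template, so unless the entrypoint performs a global redirect, plain-HTTP requests for `traefik.{{ domain }}` now get none. The forwardAuth `address` also goes through the public name `https://auth-proxy.{{ domain }}`, so every authenticated request hairpins through DNS, TLS and the `tinyauth` router; `http://{{ tinyauth_host }}:{{ tinyauth_port }}/api/auth/traefik` is the direct path, and a one-line comment should state which of the two is intended. `authResponseHeaders` mixes quoted and bare names; pick one form.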