feat: TinyAuth + traefik dash + sonarr forward auth

ansible/roles/pocketid/tasks/main.yml

@@ -64,6 +64,6 @@
     dest: /opt/pocketid/docker-compose.yml
     mode: '0644'
 - name: Start Pocket ID
-  shell: cd /opt/pocketid && docker compose up -d
+  shell: cd /opt/pocketid && docker compose down && docker compose up -d
   args:
     chdir: /opt/pocketid

ansible/roles/tinyauth/tasks/main.yml

@@ -0,0 +1,17 @@
+---
+- name: Create tinyauth directory
+  file:
+    path: /opt/tinyauth
+    state: directory
+    mode: '0755'
+
+- name: Create docker-compose file for tinyauth
+  template:
+    src: docker-compose.yml.j2
+    dest: /opt/tinyauth/docker-compose.yml
+    mode: '0644'
+
+- name: Start tinyauth
+  shell: cd /opt/tinyauth && docker compose down && docker compose up -d
+  args:
+    chdir: /opt/tinyauth

ansible/roles/tinyauth/templates/docker-compose.yml.j2

@@ -0,0 +1,17 @@
+services:
+  tinyauth:
+    image: ghcr.io/steveiliop56/tinyauth:v5
+    container_name: tinyauth
+    restart: unless-stopped
+    ports:
+      - "3000:3000"
+    environment:
+      - TINYAUTH_APPURL=https://auth-proxy.{{ domain }}
+      - TINYAUTH_OAUTH_PROVIDERS_POCKETID_CLIENTID={{ tinyauth_client_id }}
+      - TINYAUTH_OAUTH_PROVIDERS_POCKETID_CLIENTSECRET={{ tinyauth_client_secret }}
+      - TINYAUTH_OAUTH_PROVIDERS_POCKETID_AUTHURL={{ tinyauth_oidc_provider }}/authorize
+      - TINYAUTH_OAUTH_PROVIDERS_POCKETID_TOKENURL={{ tinyauth_oidc_provider }}/api/oidc/token
+      - TINYAUTH_OAUTH_PROVIDERS_POCKETID_USERINFOURL={{ tinyauth_oidc_provider }}/api/oidc/userinfo
+      - TINYAUTH_OAUTH_PROVIDERS_POCKETID_REDIRECTURL=https://auth-proxy.{{ domain }}/api/oauth/callback/pocketid
+      - TINYAUTH_OAUTH_PROVIDERS_POCKETID_SCOPES=openid email profile groups
+      - TINYAUTH_OAUTH_PROVIDERS_POCKETID_NAME=Pocket ID

ansible/roles/traefik/tasks/main.yml

@@ -46,6 +46,6 @@
     mode: '0644'
 
 - name: Start Traefik
-  shell: cd /opt/traefik && docker compose up -d
+  shell: cd /opt/traefik && docker compose down && docker compose up -d
   args:
     chdir: /opt/traefik

ansible/roles/traefik/templates/docker-compose.yml.j2

@@ -10,7 +10,7 @@ services:
     ports:
       - "80:80"
       - "443:443"
-      - "8080:8080"  # Dashboard
+      - "8080:8080"
     environment:
       - CF_DNS_API_TOKEN={{ cloudflare_api_token | default('') }}
     volumes:
@@ -21,22 +21,6 @@ services:
       - ./data/acme.json:/acme.json
     labels:
       - "traefik.enable=true"
-      # HTTP to HTTPS redirect
-      - "traefik.http.routers.traefik.entrypoints=http"
-      - "traefik.http.routers.traefik.rule=Host(`traefik.{{ domain | default('local') }}`)"
-      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
-      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
-      # HTTPS with auth
-      - "traefik.http.routers.traefik-secure.entrypoints=https"
-      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.{{ domain | default('local') }}`)"
-      - "traefik.http.routers.traefik-secure.tls=true"
-      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
-      - "traefik.http.routers.traefik-secure.service=api@internal"
-      # ForwardAuth middleware pointing to Pocket ID
-      - "traefik.http.middlewares.pocketid-auth.forwardauth.address=http://auth.{{ domain }}/api/oidc/authorize?client_id=traefik&redirect_uri=https://traefik.{{ domain }}/callback"
-      - "traefik.http.middlewares.pocketid-auth.forwardauth.trustForwardHeader=true"
-      - "traefik.http.middlewares.pocketid-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
-      - "traefik.http.routers.traefik-secure.middlewares=pocketid-auth"
 
 networks:
   proxy:

ansible/roles/traefik/templates/remote-services.yml.j2

@@ -1,5 +1,45 @@
 http:
+  middlewares:
+    pocketid-auth:
+      forwardAuth:
+        address: "https://auth-proxy.{{ domain }}/api/auth/traefik"
+        trustForwardHeader: true
+        authResponseHeaders:
+          - "X-Auth-User"
+          - "X-Auth-Email"
+          - "X-Auth-Name"
+          - Authorization
+          - Remote-Email 
+          - Remote-Name
+          - Remote-User
+          - Remote-Groups
+    
+    traefik-https-redirect:
+      redirectScheme:
+        scheme: https
+        permanent: true
+
   routers:
+    traefik-secure:
+      rule: "Host(`traefik.{{ domain }}`)"
+      entryPoints:
+        - https
+      middlewares:
+        - pocketid-auth
+      service: api@internal
+      tls:
+        certResolver: cloudflare
+
+    sonarr:
+      rule: "Host(`sonarr.{{ domain }}`)"
+      entryPoints:
+        - https
+      middlewares:
+        - pocketid-auth
+      service: sonarr
+      tls:
+        certResolver: cloudflare
+
     pocketid:
       rule: "Host(`auth.{{ domain }}`)"
       entryPoints:
@@ -7,10 +47,30 @@ http:
       service: pocketid
       tls:
         certResolver: cloudflare
+    
+    tinyauth:
+      rule: "Host(`auth-proxy.{{ domain }}`)"
+      entryPoints:
+        - https
+      service: tinyauth
+      tls:
+        certResolver: cloudflare
   
   services:
+    sonarr:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://{{ sonarr_host }}:{{ sonarr_port }}"
+
     pocketid:
       loadBalancer:
         passHostHeader: true
         servers:
-          - url: "http://10.0.4.10:8001"
+          - url: "http://{{ pocketid_host }}:{{ pocketid_port  }}"
+    
+    tinyauth:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://{{ tinyauth_host }}:{{ tinyauth_port }}"