feat: TinyAuth + traefik dash + sonarr forward auth

2026-04-01 00:11:23 +01:00
parent d71caea7d0
commit f17526afc3
9 changed files with 138 additions and 41 deletions
@@ -46,6 +46,6 @@
    mode: '0644'

 - name: Start Traefik
-  shell: cd /opt/traefik && docker compose up -d
+  shell: cd /opt/traefik && docker compose down && docker compose up -d
  args:
    chdir: /opt/traefik
@@ -10,7 +10,7 @@ services:
    ports:
      - "80:80"
      - "443:443"
-      - "8080:8080"  # Dashboard
+      - "8080:8080"
    environment:
      - CF_DNS_API_TOKEN={{ cloudflare_api_token | default('') }}
    volumes:
@@ -21,22 +21,6 @@ services:
      - ./data/acme.json:/acme.json
    labels:
      - "traefik.enable=true"
-      # HTTP to HTTPS redirect
-      - "traefik.http.routers.traefik.entrypoints=http"
-      - "traefik.http.routers.traefik.rule=Host(`traefik.{{ domain | default('local') }}`)"
-      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
-      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
-      # HTTPS with auth
-      - "traefik.http.routers.traefik-secure.entrypoints=https"
-      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.{{ domain | default('local') }}`)"
-      - "traefik.http.routers.traefik-secure.tls=true"
-      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
-      - "traefik.http.routers.traefik-secure.service=api@internal"
-      # ForwardAuth middleware pointing to Pocket ID
-      - "traefik.http.middlewares.pocketid-auth.forwardauth.address=http://auth.{{ domain }}/api/oidc/authorize?client_id=traefik&redirect_uri=https://traefik.{{ domain }}/callback"
-      - "traefik.http.middlewares.pocketid-auth.forwardauth.trustForwardHeader=true"
-      - "traefik.http.middlewares.pocketid-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
-      - "traefik.http.routers.traefik-secure.middlewares=pocketid-auth"

 networks:
  proxy:
@@ -1,5 +1,45 @@
 http:
+  middlewares:
+    pocketid-auth:
+      forwardAuth:
+        address: "https://auth-proxy.{{ domain }}/api/auth/traefik"
+        trustForwardHeader: true
+        authResponseHeaders:
+          - "X-Auth-User"
+          - "X-Auth-Email"
+          - "X-Auth-Name"
+          - Authorization
+          - Remote-Email 
+          - Remote-Name
+          - Remote-User
+          - Remote-Groups
+    
+    traefik-https-redirect:
+      redirectScheme:
+        scheme: https
+        permanent: true
+
  routers:
+    traefik-secure:
+      rule: "Host(`traefik.{{ domain }}`)"
+      entryPoints:
+        - https
+      middlewares:
+        - pocketid-auth
+      service: api@internal
+      tls:
+        certResolver: cloudflare
+
+    sonarr:
+      rule: "Host(`sonarr.{{ domain }}`)"
+      entryPoints:
+        - https
+      middlewares:
+        - pocketid-auth
+      service: sonarr
+      tls:
+        certResolver: cloudflare
+
    pocketid:
      rule: "Host(`auth.{{ domain }}`)"
      entryPoints:
@@ -7,10 +47,30 @@ http:
      service: pocketid
      tls:
        certResolver: cloudflare
+    
+    tinyauth:
+      rule: "Host(`auth-proxy.{{ domain }}`)"
+      entryPoints:
+        - https
+      service: tinyauth
+      tls:
+        certResolver: cloudflare
  
  services:
+    sonarr:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://{{ sonarr_host }}:{{ sonarr_port }}"
+
    pocketid:
      loadBalancer:
        passHostHeader: true
        servers:
-          - url: "http://10.0.4.10:8001"
+          - url: "http://{{ pocketid_host }}:{{ pocketid_port  }}"
+    
+    tinyauth:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://{{ tinyauth_host }}:{{ tinyauth_port }}"