lino/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: TinyAuth + traefik dash + sonarr forward auth

Browse Source
This commit is contained in:
Lino Silva
2026-04-01 00:11:23 +01:00
parent d71caea7d0
commit f17526afc3
9 changed files with 138 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ansible/roles/traefik/templates/docker-compose.yml.j2
+1 -17
View File
@@ -10,7 +10,7 @@ services:
ports:
- "80:80"
- "443:443"
- "8080:8080" # Dashboard
- "8080:8080"
environment:
- CF_DNS_API_TOKEN={{ cloudflare_api_token | default('') }}
volumes:
@@ -21,22 +21,6 @@ services:
- ./data/acme.json:/acme.json
labels:
- "traefik.enable=true"
# HTTP to HTTPS redirect
- "traefik.http.routers.traefik.entrypoints=http"
- "traefik.http.routers.traefik.rule=Host(`traefik.{{ domain | default('local') }}`)"
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
# HTTPS with auth
- "traefik.http.routers.traefik-secure.entrypoints=https"
- "traefik.http.routers.traefik-secure.rule=Host(`traefik.{{ domain | default('local') }}`)"
- "traefik.http.routers.traefik-secure.tls=true"
- "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
- "traefik.http.routers.traefik-secure.service=api@internal"
# ForwardAuth middleware pointing to Pocket ID
- "traefik.http.middlewares.pocketid-auth.forwardauth.address=http://auth.{{ domain }}/api/oidc/authorize?client_id=traefik&redirect_uri=https://traefik.{{ domain }}/callback"
- "traefik.http.middlewares.pocketid-auth.forwardauth.trustForwardHeader=true"
- "traefik.http.middlewares.pocketid-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
- "traefik.http.routers.traefik-secure.middlewares=pocketid-auth"
networks:
proxy:
ansible/roles/traefik/templates/remote-services.yml.j2
+61 -1
View File
@@ -1,5 +1,45 @@
http:
middlewares:
pocketid-auth:
forwardAuth:
address: "https://auth-proxy.{{ domain }}/api/auth/traefik"
trustForwardHeader: true
authResponseHeaders:
- "X-Auth-User"
- "X-Auth-Email"
- "X-Auth-Name"
- Authorization
- Remote-Email
- Remote-Name
- Remote-User
- Remote-Groups
traefik-https-redirect:
redirectScheme:
scheme: https
permanent: true
routers:
traefik-secure:
rule: "Host(`traefik.{{ domain }}`)"
entryPoints:
- https
middlewares:
- pocketid-auth
service: api@internal
tls:
certResolver: cloudflare
sonarr:
rule: "Host(`sonarr.{{ domain }}`)"
entryPoints:
- https
middlewares:
- pocketid-auth
service: sonarr
tls:
certResolver: cloudflare
pocketid:
rule: "Host(`auth.{{ domain }}`)"
entryPoints:
@@ -7,10 +47,30 @@ http:
service: pocketid
tls:
certResolver: cloudflare
tinyauth:
rule: "Host(`auth-proxy.{{ domain }}`)"
entryPoints:
- https
service: tinyauth
tls:
certResolver: cloudflare
services:
sonarr:
loadBalancer:
passHostHeader: true
servers:
- url: "http://{{ sonarr_host }}:{{ sonarr_port }}"
pocketid:
loadBalancer:
passHostHeader: true
servers:
- url: "http://10.0.4.10:8001"
- url: "http://{{ pocketid_host }}:{{ pocketid_port }}"
tinyauth:
loadBalancer:
passHostHeader: true
servers:
- url: "http://{{ tinyauth_host }}:{{ tinyauth_port }}"