feat: TinyAuth + traefik dash + sonarr forward auth

ansible/inventories/group_vars/all/main.yml

@@ -19,3 +19,15 @@ cloudflare_api_token: "{{ vault_cloudflare_api_token }}"
 
 # Pocket ID configuration
 pocketid_encryption_key: "{{ vault_pocketid_encryption_key }}"
+
+sonarr_host: 10.0.2.25
+sonarr_port: 8989
+
+pocketid_host: 10.0.4.10
+pocketid_port: 8001
+
+tinyauth_host: 10.0.4.10
+tinyauth_port: 3000
+tinyauth_oidc_provider: "https://auth.{{ domain }}"
+tinyauth_client_id: "{{ vault_tinyauth_client_id }}"
+tinyauth_client_secret: "{{ vault_tinyauth_client_secret }}"

ansible/inventories/group_vars/all/vault.yml

@@ -1,18 +1,24 @@
 $ANSIBLE_VAULT;1.1;AES256
-30623838356139653230313437646430626633636134313435643139663435393536616662633161
+30313630303965636564373566613935316136353337323334613363356630356437616461303566
-3439346361646265653936616664653839373935333238350a643737393965313736316434356536
+6436623763356437366662356536313762366635373964640a323036636138346435386135313164
-34323934386661303032306431306533356335633339633165366530323464336330343862313236
+30303835353434666535656532636662613762643236353263636163313930313335386466663235
-3366373465393263300a353033623763396561646133363666326232306239656662326137386135
+6337613933633234390a643963326530353732363837373936623363336638316238623930323732
-62623530656162303137326433353431653334343731333934316263316563343164383263386331
+31633238376462323435626635373161346230666131656161633961633531343938303164303231
-31643766343934386162336335316431343766666361306333396163383863363866346536366436
+30333139396462663963626263353161333964643334666562646161366534613764333366663161
-35303839333038653635353336343436663130666638656664643639633238613030656533386264
+65306661323134383434626266663934333365383133373632373739316532396663333835303761
-64643063663934303062376261313535636230376264386265616531323131636130363962646665
+36366131343664653161666364636430316535363734386139323833646239613264393365306365
-30303430366530356438626231613630393739656162383435643539366530313162393963613530
+66376166663361323337646663633836613664393934323664613664616362313931643965646138
-39663533666337393238386437633036336332333738666234353261333932366537303936663432
+37663064623563633561346166326163616261663533333462383933313437346537336538613737
-33383062303362313463333935336430303032363237373836666430343664316638363336656662
+32336336383836343337653538346661303834623433626239313132303437613366363032356633
-32383962353638616433326466393239396364643533373761326461383365663163323861353533
+34303039306534613730613663323736303034333136343735363962643537613961323334376563
-33646564373363656632333935333330356561393733663133393161363763313330626263663639
+34383966306537613237346434376132306364333137633065373234393865393735396235326639
-66653065323432303931313461623764366135613233666131353335373431623032386264623962
+38616239386362653730613865643361386339313337336161386530636235383433636333623437
-39653963353234623265376432656137656633613636363535616166323438313030383539343330
+37396239306330346237323133623166636532323132353833356432386336353165663134366363
-64633963666634636666313335356130613762643863653761366661663063613465386530363738
+63336166363161386238356438633538313638353939393932653638616462626631666230623432
-6537
+37626131383362636561373563366362613230366266346664643735373138383837303736333336
+66343139666533313965656137303364376230366664646633323561626436643134313834396436
+65373537353233343062333339653633313134343636316535633561633832353232313435653563
+36386232333631633062396363636634663536346266396266343634313466303561633935376466
+62303431313461356665323163376638336564353665363464326163396364353736613935666663
+62306530306566383335633039323764643163303663346661653262393232343537663166363162
+373636316466363066323461306161383737

ansible/playbooks/provision_vms.yml

@@ -1,8 +1,8 @@
 ---
-- hosts: localhost
+# - hosts: localhost
-  gather_facts: no
+#   gather_facts: no
-  roles:
+#   roles:
-    - proxmox_vm
+#     - proxmox_vm
 
 - hosts: edge
   become: yes
@@ -17,6 +17,7 @@
   roles:
     - base
     - docker
+    - tinyauth
     - pocketid
 
 # - hosts: all

ansible/roles/pocketid/tasks/main.yml

@@ -64,6 +64,6 @@
     dest: /opt/pocketid/docker-compose.yml
     mode: '0644'
 - name: Start Pocket ID
-  shell: cd /opt/pocketid && docker compose up -d
+  shell: cd /opt/pocketid && docker compose down && docker compose up -d
   args:
     chdir: /opt/pocketid

ansible/roles/tinyauth/tasks/main.yml

@@ -0,0 +1,17 @@
+---
+- name: Create tinyauth directory
+  file:
+    path: /opt/tinyauth
+    state: directory
+    mode: '0755'
+
+- name: Create docker-compose file for tinyauth
+  template:
+    src: docker-compose.yml.j2
+    dest: /opt/tinyauth/docker-compose.yml
+    mode: '0644'
+
+- name: Start tinyauth
+  shell: cd /opt/tinyauth && docker compose down && docker compose up -d
+  args:
+    chdir: /opt/tinyauth

ansible/roles/tinyauth/templates/docker-compose.yml.j2

@@ -0,0 +1,17 @@
+services:
+  tinyauth:
+    image: ghcr.io/steveiliop56/tinyauth:v5
+    container_name: tinyauth
+    restart: unless-stopped
+    ports:
+      - "3000:3000"
+    environment:
+      - TINYAUTH_APPURL=https://auth-proxy.{{ domain }}
+      - TINYAUTH_OAUTH_PROVIDERS_POCKETID_CLIENTID={{ tinyauth_client_id }}
+      - TINYAUTH_OAUTH_PROVIDERS_POCKETID_CLIENTSECRET={{ tinyauth_client_secret }}
+      - TINYAUTH_OAUTH_PROVIDERS_POCKETID_AUTHURL={{ tinyauth_oidc_provider }}/authorize
+      - TINYAUTH_OAUTH_PROVIDERS_POCKETID_TOKENURL={{ tinyauth_oidc_provider }}/api/oidc/token
+      - TINYAUTH_OAUTH_PROVIDERS_POCKETID_USERINFOURL={{ tinyauth_oidc_provider }}/api/oidc/userinfo
+      - TINYAUTH_OAUTH_PROVIDERS_POCKETID_REDIRECTURL=https://auth-proxy.{{ domain }}/api/oauth/callback/pocketid
+      - TINYAUTH_OAUTH_PROVIDERS_POCKETID_SCOPES=openid email profile groups
+      - TINYAUTH_OAUTH_PROVIDERS_POCKETID_NAME=Pocket ID

ansible/roles/traefik/tasks/main.yml

@@ -46,6 +46,6 @@
     mode: '0644'
 
 - name: Start Traefik
-  shell: cd /opt/traefik && docker compose up -d
+  shell: cd /opt/traefik && docker compose down && docker compose up -d
   args:
     chdir: /opt/traefik

ansible/roles/traefik/templates/docker-compose.yml.j2

@@ -10,7 +10,7 @@ services:
     ports:
       - "80:80"
       - "443:443"
-      - "8080:8080"  # Dashboard
+      - "8080:8080"
     environment:
       - CF_DNS_API_TOKEN={{ cloudflare_api_token | default('') }}
     volumes:
@@ -21,22 +21,6 @@ services:
       - ./data/acme.json:/acme.json
     labels:
       - "traefik.enable=true"
-      # HTTP to HTTPS redirect
-      - "traefik.http.routers.traefik.entrypoints=http"
-      - "traefik.http.routers.traefik.rule=Host(`traefik.{{ domain | default('local') }}`)"
-      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
-      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
-      # HTTPS with auth
-      - "traefik.http.routers.traefik-secure.entrypoints=https"
-      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.{{ domain | default('local') }}`)"
-      - "traefik.http.routers.traefik-secure.tls=true"
-      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
-      - "traefik.http.routers.traefik-secure.service=api@internal"
-      # ForwardAuth middleware pointing to Pocket ID
-      - "traefik.http.middlewares.pocketid-auth.forwardauth.address=http://auth.{{ domain }}/api/oidc/authorize?client_id=traefik&redirect_uri=https://traefik.{{ domain }}/callback"
-      - "traefik.http.middlewares.pocketid-auth.forwardauth.trustForwardHeader=true"
-      - "traefik.http.middlewares.pocketid-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
-      - "traefik.http.routers.traefik-secure.middlewares=pocketid-auth"
 
 networks:
   proxy:

ansible/roles/traefik/templates/remote-services.yml.j2

@@ -1,5 +1,45 @@
 http:
+  middlewares:
+    pocketid-auth:
+      forwardAuth:
+        address: "https://auth-proxy.{{ domain }}/api/auth/traefik"
+        trustForwardHeader: true
+        authResponseHeaders:
+          - "X-Auth-User"
+          - "X-Auth-Email"
+          - "X-Auth-Name"
+          - Authorization
+          - Remote-Email 
+          - Remote-Name
+          - Remote-User
+          - Remote-Groups
+    
+    traefik-https-redirect:
+      redirectScheme:
+        scheme: https
+        permanent: true
+
   routers:
+    traefik-secure:
+      rule: "Host(`traefik.{{ domain }}`)"
+      entryPoints:
+        - https
+      middlewares:
+        - pocketid-auth
+      service: api@internal
+      tls:
+        certResolver: cloudflare
+
+    sonarr:
+      rule: "Host(`sonarr.{{ domain }}`)"
+      entryPoints:
+        - https
+      middlewares:
+        - pocketid-auth
+      service: sonarr
+      tls:
+        certResolver: cloudflare
+
     pocketid:
       rule: "Host(`auth.{{ domain }}`)"
       entryPoints:
@@ -8,9 +48,29 @@ http:
       tls:
         certResolver: cloudflare
     
+    tinyauth:
+      rule: "Host(`auth-proxy.{{ domain }}`)"
+      entryPoints:
+        - https
+      service: tinyauth
+      tls:
+        certResolver: cloudflare
+  
   services:
+    sonarr:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://{{ sonarr_host }}:{{ sonarr_port }}"
+
     pocketid:
       loadBalancer:
         passHostHeader: true
         servers:
-          - url: "http://10.0.4.10:8001"
+          - url: "http://{{ pocketid_host }}:{{ pocketid_port  }}"
+    
+    tinyauth:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://{{ tinyauth_host }}:{{ tinyauth_port }}"