diff --git a/modules/nixos/features/bazarr.nix b/modules/nixos/features/bazarr.nix
index b1cd4a9..9d96f52 100644
--- a/modules/nixos/features/bazarr.nix
+++ b/modules/nixos/features/bazarr.nix
@@ -19,6 +19,19 @@ in
 ];
 caddy.virtualHosts."bazarr.fi33.buzz".extraConfig = ''
+ forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
+ uri /auth
+ header_up Remote-Addr {remote_host}
+ header_up Remote-Port {remote_port}
+ header_up Original-URI {uri}
+ copy_headers {
+ Tailscale-User>X-Webauth-User
+ Tailscale-Name>X-Webauth-Name
+ Tailscale-Login>X-Webauth-Login
+ Tailscale-Tailnet>X-Webauth-Tailnet
+ Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+ }
+ }
 reverse_proxy localhost:${toString port}
 tls ${certloc}/cert.pem ${certloc}/key.pem {
 protocols tls1.3
diff --git a/modules/nixos/features/copyparty.nix b/modules/nixos/features/copyparty.nix
index bd31797..334b149 100644
--- a/modules/nixos/features/copyparty.nix
+++ b/modules/nixos/features/copyparty.nix
@@ -35,6 +35,19 @@ in
 };
 caddy.virtualHosts."copyparty.fi33.buzz".extraConfig = ''
+ forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
+ uri /auth
+ header_up Remote-Addr {remote_host}
+ header_up Remote-Port {remote_port}
+ header_up Original-URI {uri}
+ copy_headers {
+ Tailscale-User>X-Webauth-User
+ Tailscale-Name>X-Webauth-Name
+ Tailscale-Login>X-Webauth-Login
+ Tailscale-Tailnet>X-Webauth-Tailnet
+ Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+ }
+ }
 reverse_proxy localhost:${toString port}
 tls ${certloc}/cert.pem ${certloc}/key.pem {
 protocols tls1.3
diff --git a/modules/nixos/features/couchdb.nix b/modules/nixos/features/couchdb.nix
index 0f0d44d..9ca9fbe 100644
--- a/modules/nixos/features/couchdb.nix
+++ b/modules/nixos/features/couchdb.nix
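Review bot: The same 13-line `forward_auth` block, including the hard-coded socket path `unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock` and the five `Tailscale-*>X-Webauth-*` mappings, is pasted verbatim into the vhost of bazarr, copyparty, couchdb, homepage-dashboard, immich, jellyfin, karakeep, kavita, lidarr, miniflux, ntfy-sh, nzbget, paperless, prowlarr, qbittorrent, qui, radarr, radicale, readarr, sonarr, syncthing, upbank2firefly and vaultwarden. Hoisting it into one Nix string defined next to the `tailscaleAuth` service (for example a `tailscaleForwardAuth` value that each `extraConfig` interpolates with `${tailscaleForwardAuth}`) would keep the socket path and header mapping in a single place, so a change to either cannot leave one vhost unprotected or out of sync. Separately, the `X-Webauth-*` headers are only trustworthy if each backend is reachable solely through this Caddy vhost: the proxies target `localhost:${toString port}`, but whether every service binds to loopback only is not visible in these hunks, so for any backend that honours `X-Webauth-User` for login, confirm it cannot be reached on another interface where a client could set that header itself. The enclosing `extraConfig` string continues outside each hunk.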
@@ -36,6 +36,19 @@ in
 };
 caddy.virtualHosts."couchdb.fi33.buzz".extraConfig = ''
+ forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
+ uri /auth
+ header_up Remote-Addr {remote_host}
+ header_up Remote-Port {remote_port}
+ header_up Original-URI {uri}
+ copy_headers {
+ Tailscale-User>X-Webauth-User
+ Tailscale-Name>X-Webauth-Name
+ Tailscale-Login>X-Webauth-Login
+ Tailscale-Tailnet>X-Webauth-Tailnet
+ Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+ }
+ }
 reverse_proxy localhost:${toString port}
 tls ${certloc}/cert.pem ${certloc}/key.pem {
 protocols tls1.3
diff --git a/modules/nixos/features/homepage-dashboard.nix b/modules/nixos/features/homepage-dashboard.nix
index 3ab99c5..b084e98 100644
--- a/modules/nixos/features/homepage-dashboard.nix
+++ b/modules/nixos/features/homepage-dashboard.nix
@@ -378,6 +378,19 @@ in
 };
 caddy.virtualHosts."homepage-dashboard.fi33.buzz".extraConfig = ''
+ forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
+ uri /auth
+ header_up Remote-Addr {remote_host}
+ header_up Remote-Port {remote_port}
+ header_up Original-URI {uri}
+ copy_headers {
+ Tailscale-User>X-Webauth-User
+ Tailscale-Name>X-Webauth-Name
+ Tailscale-Login>X-Webauth-Login
+ Tailscale-Tailnet>X-Webauth-Tailnet
+ Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+ }
+ }
 reverse_proxy localhost:${toString port}
 tls ${certloc}/cert.pem ${certloc}/key.pem {
 protocols tls1.3
diff --git a/modules/nixos/features/immich.nix b/modules/nixos/features/immich.nix
index de5443f..84308e8 100644
--- a/modules/nixos/features/immich.nix
+++ b/modules/nixos/features/immich.nix
@@ -20,6 +20,19 @@ in
 ];
 caddy.virtualHosts."immich.fi33.buzz".extraConfig = ''
+ forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
+ uri /auth
+ header_up Remote-Addr {remote_host}
+ header_up Remote-Port {remote_port}
+ header_up Original-URI {uri}
+ copy_headers {
+ Tailscale-User>X-Webauth-User
+ Tailscale-Name>X-Webauth-Name
+ Tailscale-Login>X-Webauth-Login
+ Tailscale-Tailnet>X-Webauth-Tailnet
+ Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+ }
+ }
 reverse_proxy localhost:${toString port}
 tls ${certloc}/cert.pem ${certloc}/key.pem {
 protocols tls1.3
diff --git a/modules/nixos/features/jellyfin.nix b/modules/nixos/features/jellyfin.nix
index b6cbcc4..028e1af 100644
--- a/modules/nixos/features/jellyfin.nix
+++ b/modules/nixos/features/jellyfin.nix
@@ -18,6 +18,19 @@ in
 ];
 caddy.virtualHosts."jellyfin.fi33.buzz".extraConfig = ''
+ forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
+ uri /auth
+ header_up Remote-Addr {remote_host}
+ header_up Remote-Port {remote_port}
+ header_up Original-URI {uri}
+ copy_headers {
+ Tailscale-User>X-Webauth-User
+ Tailscale-Name>X-Webauth-Name
+ Tailscale-Login>X-Webauth-Login
+ Tailscale-Tailnet>X-Webauth-Tailnet
+ Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+ }
+ }
 reverse_proxy localhost:${toString port}
 tls ${certloc}/cert.pem ${certloc}/key.pem {
 protocols tls1.3
diff --git a/modules/nixos/features/karakeep.nix b/modules/nixos/features/karakeep.nix
index 0eb9bba..22acea6 100644
--- a/modules/nixos/features/karakeep.nix
+++ b/modules/nixos/features/karakeep.nix
@@ -20,6 +20,19 @@ in
 ];
 caddy.virtualHosts."karakeep.fi33.buzz".extraConfig = ''
+ forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
+ uri /auth
+ header_up Remote-Addr {remote_host}
+ header_up Remote-Port {remote_port}
+ header_up Original-URI {uri}
+ copy_headers {
+ Tailscale-User>X-Webauth-User
+ Tailscale-Name>X-Webauth-Name
+ Tailscale-Login>X-Webauth-Login
+ Tailscale-Tailnet>X-Webauth-Tailnet
+ Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+ }
+ }
 reverse_proxy localhost:${toString port}
 tls ${certloc}/cert.pem ${certloc}/key.pem {
 protocols tls1.3
diff --git a/modules/nixos/features/kavita.nix b/modules/nixos/features/kavita.nix
index d1fe035..e25cc73 100644
--- a/modules/nixos/features/kavita.nix
+++ b/modules/nixos/features/kavita.nix
@@ -23,6 +23,19 @@ in
 ];
 caddy.virtualHosts."kavita.fi33.buzz".extraConfig = ''
+ forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
+ uri /auth
+ header_up Remote-Addr {remote_host}
+ header_up Remote-Port {remote_port}
+ header_up Original-URI {uri}
+ copy_headers {
+ Tailscale-User>X-Webauth-User
+ Tailscale-Name>X-Webauth-Name
+ Tailscale-Login>X-Webauth-Login
+ Tailscale-Tailnet>X-Webauth-Tailnet
+ Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+ }
+ }
 reverse_proxy localhost:${toString port}
 tls ${certloc}/cert.pem ${certloc}/key.pem {
 protocols tls1.3
diff --git a/modules/nixos/features/lidarr.nix b/modules/nixos/features/lidarr.nix
index 5c297d7..a995e50 100644
--- a/modules/nixos/features/lidarr.nix
+++ b/modules/nixos/features/lidarr.nix
@@ -21,6 +21,19 @@ in
 ];
 caddy.virtualHosts."lidarr.fi33.buzz".extraConfig = ''
+ forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
+ uri /auth
+ header_up Remote-Addr {remote_host}
+ header_up Remote-Port {remote_port}
+ header_up Original-URI {uri}
+ copy_headers {
+ Tailscale-User>X-Webauth-User
+ Tailscale-Name>X-Webauth-Name
+ Tailscale-Login>X-Webauth-Login
+ Tailscale-Tailnet>X-Webauth-Tailnet
+ Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+ }
+ }
 reverse_proxy localhost:${toString port}
 tls ${certloc}/cert.pem ${certloc}/key.pem {
 protocols tls1.3
diff --git a/modules/nixos/features/miniflux.nix b/modules/nixos/features/miniflux.nix
index 82aeeb5..813bd37 100644
--- a/modules/nixos/features/miniflux.nix
+++ b/modules/nixos/features/miniflux.nix
@@ -27,6 +27,19 @@ in
 ];
 caddy.virtualHosts."miniflux.fi33.buzz".extraConfig = ''
+ forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
+ uri /auth
+ header_up Remote-Addr {remote_host}
+ header_up Remote-Port {remote_port}
+ header_up Original-URI {uri}
+ copy_headers {
+ Tailscale-User>X-Webauth-User
+ Tailscale-Name>X-Webauth-Name
+ Tailscale-Login>X-Webauth-Login
+ Tailscale-Tailnet>X-Webauth-Tailnet
+ Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+ }
+ }
 reverse_proxy localhost:${toString port}
 tls ${certloc}/cert.pem ${certloc}/key.pem {
 protocols tls1.3
diff --git a/modules/nixos/features/ntfy-sh.nix b/modules/nixos/features/ntfy-sh.nix
index e53a792..f17c3d4 100644
--- a/modules/nixos/features/ntfy-sh.nix
+++ b/modules/nixos/features/ntfy-sh.nix
@@ -14,6 +14,19 @@ in
 };
 caddy.virtualHosts."ntfy-sh.fi33.buzz".extraConfig = ''
+ forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
+ uri /auth
+ header_up Remote-Addr {remote_host}
+ header_up Remote-Port {remote_port}
+ header_up Original-URI {uri}
+ copy_headers {
+ Tailscale-User>X-Webauth-User
+ Tailscale-Name>X-Webauth-Name
+ Tailscale-Login>X-Webauth-Login
+ Tailscale-Tailnet>X-Webauth-Tailnet
+ Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+ }
+ }
 reverse_proxy localhost:${toString port}
 tls ${certloc}/cert.pem ${certloc}/key.pem {
 protocols tls1.3
diff --git a/modules/nixos/features/nzbget.nix b/modules/nixos/features/nzbget.nix
index ba469f2..6215f2d 100644
--- a/modules/nixos/features/nzbget.nix
+++ b/modules/nixos/features/nzbget.nix
@@ -18,6 +18,19 @@ in
 };
 caddy.virtualHosts."nzbget.fi33.buzz".extraConfig = ''
+ forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
+ uri /auth
+ header_up Remote-Addr {remote_host}
+ header_up Remote-Port {remote_port}
+ header_up Original-URI {uri}
+ copy_headers {
+ Tailscale-User>X-Webauth-User
+ Tailscale-Name>X-Webauth-Name
+ Tailscale-Login>X-Webauth-Login
+ Tailscale-Tailnet>X-Webauth-Tailnet
+ Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+ }
+ }
 reverse_proxy localhost:${toString port}
 tls ${certloc}/cert.pem ${certloc}/key.pem {
 protocols tls1.3
diff --git a/modules/nixos/features/paperless.nix b/modules/nixos/features/paperless.nix
index 174eb40..7d36999 100644
--- a/modules/nixos/features/paperless.nix
+++ b/modules/nixos/features/paperless.nix
@@ -31,6 +31,19 @@ in
 };
 caddy.virtualHosts."paperless.fi33.buzz".extraConfig = ''
+ forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
+ uri /auth
+ header_up Remote-Addr {remote_host}
+ header_up Remote-Port {remote_port}
+ header_up Original-URI {uri}
+ copy_headers {
+ Tailscale-User>X-Webauth-User
+ Tailscale-Name>X-Webauth-Name
+ Tailscale-Login>X-Webauth-Login
+ Tailscale-Tailnet>X-Webauth-Tailnet
+ Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+ }
+ }
 reverse_proxy localhost:${toString port}
 tls ${certloc}/cert.pem ${certloc}/key.pem {
 protocols tls1.3
diff --git a/modules/nixos/features/prowlarr.nix b/modules/nixos/features/prowlarr.nix
index d5f24e7..5c85f38 100644
--- a/modules/nixos/features/prowlarr.nix
+++ b/modules/nixos/features/prowlarr.nix
@@ -20,6 +20,19 @@ in
 ];
 caddy.virtualHosts."prowlarr.fi33.buzz".extraConfig = ''
+ forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
+ uri /auth
+ header_up Remote-Addr {remote_host}
+ header_up Remote-Port {remote_port}
+ header_up Original-URI {uri}
+ copy_headers {
+ Tailscale-User>X-Webauth-User
+ Tailscale-Name>X-Webauth-Name
+ Tailscale-Login>X-Webauth-Login
+ Tailscale-Tailnet>X-Webauth-Tailnet
+ Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+ }
+ }
 reverse_proxy localhost:${toString port}
 tls ${certloc}/cert.pem ${certloc}/key.pem {
 protocols tls1.3
diff --git a/modules/nixos/features/qbittorrent.nix b/modules/nixos/features/qbittorrent.nix
index 577f0c9..d2dda1b 100644
--- a/modules/nixos/features/qbittorrent.nix
+++ b/modules/nixos/features/qbittorrent.nix
@@ -15,6 +15,19 @@ in
 };
 caddy.virtualHosts."qbittorrent.fi33.buzz".extraConfig = ''
+ forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
+ uri /auth
+ header_up Remote-Addr {remote_host}
+ header_up Remote-Port {remote_port}
+ header_up Original-URI {uri}
+ copy_headers {
+ Tailscale-User>X-Webauth-User
+ Tailscale-Name>X-Webauth-Name
+ Tailscale-Login>X-Webauth-Login
+ Tailscale-Tailnet>X-Webauth-Tailnet
+ Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+ }
+ }
 reverse_proxy localhost:${toString port}
 tls ${certloc}/cert.pem ${certloc}/key.pem {
 protocols tls1.3
diff --git a/modules/nixos/features/qui.nix b/modules/nixos/features/qui.nix
index bcb5c96..0bfaa0b 100644
--- a/modules/nixos/features/qui.nix
+++ b/modules/nixos/features/qui.nix
@@ -31,6 +31,19 @@ in
 ];
 services.caddy.virtualHosts."qui.fi33.buzz".extraConfig = ''
+ forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
+ uri /auth
+ header_up Remote-Addr {remote_host}
+ header_up Remote-Port {remote_port}
+ header_up Original-URI {uri}
+ copy_headers {
+ Tailscale-User>X-Webauth-User
+ Tailscale-Name>X-Webauth-Name
+ Tailscale-Login>X-Webauth-Login
+ Tailscale-Tailnet>X-Webauth-Tailnet
+ Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+ }
+ }
 reverse_proxy localhost:${toString port}
 tls ${certloc}/cert.pem ${certloc}/key.pem {
 protocols tls1.3
diff --git a/modules/nixos/features/radarr.nix b/modules/nixos/features/radarr.nix
index 2c5c019..5c7c773 100644
--- a/modules/nixos/features/radarr.nix
+++ b/modules/nixos/features/radarr.nix
@@ -21,6 +21,19 @@ in
 ];
 caddy.virtualHosts."radarr.fi33.buzz".extraConfig = ''
+ forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
+ uri /auth
+ header_up Remote-Addr {remote_host}
+ header_up Remote-Port {remote_port}
+ header_up Original-URI {uri}
+ copy_headers {
+ Tailscale-User>X-Webauth-User
+ Tailscale-Name>X-Webauth-Name
+ Tailscale-Login>X-Webauth-Login
+ Tailscale-Tailnet>X-Webauth-Tailnet
+ Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+ }
+ }
 reverse_proxy localhost:${toString port}
 tls ${certloc}/cert.pem ${certloc}/key.pem {
 protocols tls1.3
diff --git a/modules/nixos/features/radicale.nix b/modules/nixos/features/radicale.nix
index 73155e6..b936ef9 100644
--- a/modules/nixos/features/radicale.nix
+++ b/modules/nixos/features/radicale.nix
@@ -29,6 +29,19 @@ in
 };
 caddy.virtualHosts."radicale.fi33.buzz".extraConfig = ''
+ forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
+ uri /auth
+ header_up Remote-Addr {remote_host}
+ header_up Remote-Port {remote_port}
+ header_up Original-URI {uri}
+ copy_headers {
+ Tailscale-User>X-Webauth-User
+ Tailscale-Name>X-Webauth-Name
+ Tailscale-Login>X-Webauth-Login
+ Tailscale-Tailnet>X-Webauth-Tailnet
+ Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+ }
+ }
 reverse_proxy localhost:${toString port}
 tls ${certloc}/cert.pem ${certloc}/key.pem {
 protocols tls1.3
diff --git a/modules/nixos/features/readarr.nix b/modules/nixos/features/readarr.nix
index f616480..f518067 100644
--- a/modules/nixos/features/readarr.nix
+++ b/modules/nixos/features/readarr.nix
@@ -21,6 +21,19 @@ in
 ];
 caddy.virtualHosts."readarr.fi33.buzz".extraConfig = ''
+ forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
+ uri /auth
+ header_up Remote-Addr {remote_host}
+ header_up Remote-Port {remote_port}
+ header_up Original-URI {uri}
+ copy_headers {
+ Tailscale-User>X-Webauth-User
+ Tailscale-Name>X-Webauth-Name
+ Tailscale-Login>X-Webauth-Login
+ Tailscale-Tailnet>X-Webauth-Tailnet
+ Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+ }
+ }
 reverse_proxy localhost:${toString port}
 tls ${certloc}/cert.pem ${certloc}/key.pem {
 protocols tls1.3
diff --git a/modules/nixos/features/sonarr.nix b/modules/nixos/features/sonarr.nix
index 4be089e..f2c1ddf 100644
--- a/modules/nixos/features/sonarr.nix
+++ b/modules/nixos/features/sonarr.nix
@@ -21,6 +21,19 @@ in
 ];
 caddy.virtualHosts."sonarr.fi33.buzz".extraConfig = ''
+ forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
+ uri /auth
+ header_up Remote-Addr {remote_host}
+ header_up Remote-Port {remote_port}
+ header_up Original-URI {uri}
+ copy_headers {
+ Tailscale-User>X-Webauth-User
+ Tailscale-Name>X-Webauth-Name
+ Tailscale-Login>X-Webauth-Login
+ Tailscale-Tailnet>X-Webauth-Tailnet
+ Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+ }
+ }
 reverse_proxy localhost:${toString port}
 tls ${certloc}/cert.pem ${certloc}/key.pem {
 protocols tls1.3
diff --git a/modules/nixos/features/syncthing.nix b/modules/nixos/features/syncthing.nix
index d9624c3..96cc32b 100644
--- a/modules/nixos/features/syncthing.nix
+++ b/modules/nixos/features/syncthing.nix
@@ -68,6 +68,19 @@ in
 null;
 caddy.virtualHosts."syncthing.fi33.buzz".extraConfig = ''
+ forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
+ uri /auth
+ header_up Remote-Addr {remote_host}
+ header_up Remote-Port {remote_port}
+ header_up Original-URI {uri}
+ copy_headers {
+ Tailscale-User>X-Webauth-User
+ Tailscale-Name>X-Webauth-Name
+ Tailscale-Login>X-Webauth-Login
+ Tailscale-Tailnet>X-Webauth-Tailnet
+ Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+ }
+ }
 reverse_proxy http://localhost:${toString port}
 tls ${certloc}/cert.pem ${certloc}/key.pem {
 protocols tls1.3
diff --git a/modules/nixos/features/tailscale.nix b/modules/nixos/features/tailscale.nix
index 6c4f1fa..bef8d9a 100644
--- a/modules/nixos/features/tailscale.nix
+++ b/modules/nixos/features/tailscale.nix
@@ -1,8 +1,15 @@
 {
- services.tailscale = {
- enable = true;
- extraSetFlags = [
- "--accept-dns=true"
- ];
+ services = {
+ tailscale = {
+ enable = true;
+ extraSetFlags = [
+ "--accept-dns=true"
+ ];
+ };
+ tailscaleAuth = {
+ enable = true;
+ user = "caddy";
+ group = "caddy";
+ };
 };
 }
diff --git a/modules/nixos/features/upbank2firefly.nix b/modules/nixos/features/upbank2firefly.nix
index e711bb8..778603e 100644
--- a/modules/nixos/features/upbank2firefly.nix
+++ b/modules/nixos/features/upbank2firefly.nix
@@ -50,6 +50,19 @@ in
 };
 services.caddy.virtualHosts."upbank2firefly.fi33.buzz".extraConfig = ''
+ forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
+ uri /auth
+ header_up Remote-Addr {remote_host}
+ header_up Remote-Port {remote_port}
+ header_up Original-URI {uri}
+ copy_headers {
+ Tailscale-User>X-Webauth-User
+ Tailscale-Name>X-Webauth-Name
+ Tailscale-Login>X-Webauth-Login
+ Tailscale-Tailnet>X-Webauth-Tailnet
+ Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+ }
+ }
 reverse_proxy localhost:${toString port}
 tls ${certloc}/cert.pem ${certloc}/key.pem {
 protocols tls1.3
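Review bot: The new `tailscaleAuth` block in tailscale.nix has no comment linking it to its consumers, so a reader of this file cannot tell why the socket must be owned by `caddy` or what depends on it. Every `*.fi33.buzz` vhost in this commit connects to `/run/tailscale-nginx-auth/tailscale-nginx-auth.sock` via `forward_auth`, and `user = "caddy"; group = "caddy";` is what allows the Caddy process to open that socket, which presumes Caddy runs as the `caddy` user — not visible in this hunk, so worth confirming. Suggest adding above `tailscaleAuth = {`: `# Tailscale identity service behind the forward_auth blocks of the *.fi33.buzz Caddy vhosts; socket owned by caddy so Caddy can connect to it.`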
diff --git a/modules/nixos/features/vaultwarden.nix b/modules/nixos/features/vaultwarden.nix
index 76d8acc..abb3fa9 100644
--- a/modules/nixos/features/vaultwarden.nix
+++ b/modules/nixos/features/vaultwarden.nix
@@ -31,6 +31,19 @@ in
 ];
 caddy.virtualHosts."vaultwarden.fi33.buzz".extraConfig = ''
+ forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
+ uri /auth
+ header_up Remote-Addr {remote_host}
+ header_up Remote-Port {remote_port}
+ header_up Original-URI {uri}
+ copy_headers {
+ Tailscale-User>X-Webauth-User
+ Tailscale-Name>X-Webauth-Name
+ Tailscale-Login>X-Webauth-Login
+ Tailscale-Tailnet>X-Webauth-Tailnet
+ Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+ }
+ }
 reverse_proxy localhost:${toString port}
 tls ${certloc}/cert.pem ${certloc}/key.pem {
 protocols tls1.3