will-holdsworth/dots
1
1
Fork 0
Code Issues 22 Pull requests Projects 1 Releases Packages Wiki Activity Actions 1

feat(tailscale-nginx-auth): protect reverse proxied services behind tailscale authentication

Browse source
This commit is contained in:
wi11-holdsworth 2026-01-17 16:59:26 +11:00
parent dcbee4635b
commit 63c2583d21
24 changed files with 311 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

13
modules/nixos/features/bazarr.nix
View file

@ -19,6 +19,19 @@ in
]; ];
caddy.virtualHosts."bazarr.fi33.buzz".extraConfig = '' caddy.virtualHosts."bazarr.fi33.buzz".extraConfig = ''
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
uri /auth
header_up Remote-Addr {remote_host}
header_up Remote-Port {remote_port}
header_up Original-URI {uri}
copy_headers {
Tailscale-User>X-Webauth-User
Tailscale-Name>X-Webauth-Name
Tailscale-Login>X-Webauth-Login
Tailscale-Tailnet>X-Webauth-Tailnet
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
}
}
reverse_proxy localhost:${toString port} reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem { tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3 protocols tls1.3

13
modules/nixos/features/copyparty.nix
View file

@ -35,6 +35,19 @@ in
}; };
caddy.virtualHosts."copyparty.fi33.buzz".extraConfig = '' caddy.virtualHosts."copyparty.fi33.buzz".extraConfig = ''
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
uri /auth
header_up Remote-Addr {remote_host}
header_up Remote-Port {remote_port}
header_up Original-URI {uri}
copy_headers {
Tailscale-User>X-Webauth-User
Tailscale-Name>X-Webauth-Name
Tailscale-Login>X-Webauth-Login
Tailscale-Tailnet>X-Webauth-Tailnet
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
}
}
reverse_proxy localhost:${toString port} reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem { tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3 protocols tls1.3

13
modules/nixos/features/couchdb.nix
View file

@ -36,6 +36,19 @@ in
}; };
caddy.virtualHosts."couchdb.fi33.buzz".extraConfig = '' caddy.virtualHosts."couchdb.fi33.buzz".extraConfig = ''
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
uri /auth
header_up Remote-Addr {remote_host}
header_up Remote-Port {remote_port}
header_up Original-URI {uri}
copy_headers {
Tailscale-User>X-Webauth-User
Tailscale-Name>X-Webauth-Name
Tailscale-Login>X-Webauth-Login
Tailscale-Tailnet>X-Webauth-Tailnet
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
}
}
reverse_proxy localhost:${toString port} reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem { tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3 protocols tls1.3

13
modules/nixos/features/homepage-dashboard.nix
View file

@ -378,6 +378,19 @@ in
}; };
caddy.virtualHosts."homepage-dashboard.fi33.buzz".extraConfig = '' caddy.virtualHosts."homepage-dashboard.fi33.buzz".extraConfig = ''
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
uri /auth
header_up Remote-Addr {remote_host}
header_up Remote-Port {remote_port}
header_up Original-URI {uri}
copy_headers {
Tailscale-User>X-Webauth-User
Tailscale-Name>X-Webauth-Name
Tailscale-Login>X-Webauth-Login
Tailscale-Tailnet>X-Webauth-Tailnet
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
}
}
reverse_proxy localhost:${toString port} reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem { tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3 protocols tls1.3

13
modules/nixos/features/immich.nix
View file

@ -20,6 +20,19 @@ in
]; ];
caddy.virtualHosts."immich.fi33.buzz".extraConfig = '' caddy.virtualHosts."immich.fi33.buzz".extraConfig = ''
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
uri /auth
header_up Remote-Addr {remote_host}
header_up Remote-Port {remote_port}
header_up Original-URI {uri}
copy_headers {
Tailscale-User>X-Webauth-User
Tailscale-Name>X-Webauth-Name
Tailscale-Login>X-Webauth-Login
Tailscale-Tailnet>X-Webauth-Tailnet
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
}
}
reverse_proxy localhost:${toString port} reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem { tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3 protocols tls1.3

13
modules/nixos/features/jellyfin.nix
View file

@ -18,6 +18,19 @@ in
]; ];
caddy.virtualHosts."jellyfin.fi33.buzz".extraConfig = '' caddy.virtualHosts."jellyfin.fi33.buzz".extraConfig = ''
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
uri /auth
header_up Remote-Addr {remote_host}
header_up Remote-Port {remote_port}
header_up Original-URI {uri}
copy_headers {
Tailscale-User>X-Webauth-User
Tailscale-Name>X-Webauth-Name
Tailscale-Login>X-Webauth-Login
Tailscale-Tailnet>X-Webauth-Tailnet
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
}
}
reverse_proxy localhost:${toString port} reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem { tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3 protocols tls1.3

13
modules/nixos/features/karakeep.nix
View file

@ -20,6 +20,19 @@ in
]; ];
caddy.virtualHosts."karakeep.fi33.buzz".extraConfig = '' caddy.virtualHosts."karakeep.fi33.buzz".extraConfig = ''
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
uri /auth
header_up Remote-Addr {remote_host}
header_up Remote-Port {remote_port}
header_up Original-URI {uri}
copy_headers {
Tailscale-User>X-Webauth-User
Tailscale-Name>X-Webauth-Name
Tailscale-Login>X-Webauth-Login
Tailscale-Tailnet>X-Webauth-Tailnet
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
}
}
reverse_proxy localhost:${toString port} reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem { tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3 protocols tls1.3

13
modules/nixos/features/kavita.nix
View file

@ -23,6 +23,19 @@ in
]; ];
caddy.virtualHosts."kavita.fi33.buzz".extraConfig = '' caddy.virtualHosts."kavita.fi33.buzz".extraConfig = ''
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
uri /auth
header_up Remote-Addr {remote_host}
header_up Remote-Port {remote_port}
header_up Original-URI {uri}
copy_headers {
Tailscale-User>X-Webauth-User
Tailscale-Name>X-Webauth-Name
Tailscale-Login>X-Webauth-Login
Tailscale-Tailnet>X-Webauth-Tailnet
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
}
}
reverse_proxy localhost:${toString port} reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem { tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3 protocols tls1.3

13
modules/nixos/features/lidarr.nix
View file

@ -21,6 +21,19 @@ in
]; ];
caddy.virtualHosts."lidarr.fi33.buzz".extraConfig = '' caddy.virtualHosts."lidarr.fi33.buzz".extraConfig = ''
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
uri /auth
header_up Remote-Addr {remote_host}
header_up Remote-Port {remote_port}
header_up Original-URI {uri}
copy_headers {
Tailscale-User>X-Webauth-User
Tailscale-Name>X-Webauth-Name
Tailscale-Login>X-Webauth-Login
Tailscale-Tailnet>X-Webauth-Tailnet
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
}
}
reverse_proxy localhost:${toString port} reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem { tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3 protocols tls1.3

13
modules/nixos/features/miniflux.nix
View file

@ -27,6 +27,19 @@ in
]; ];
caddy.virtualHosts."miniflux.fi33.buzz".extraConfig = '' caddy.virtualHosts."miniflux.fi33.buzz".extraConfig = ''
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
uri /auth
header_up Remote-Addr {remote_host}
header_up Remote-Port {remote_port}
header_up Original-URI {uri}
copy_headers {
Tailscale-User>X-Webauth-User
Tailscale-Name>X-Webauth-Name
Tailscale-Login>X-Webauth-Login
Tailscale-Tailnet>X-Webauth-Tailnet
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
}
}
reverse_proxy localhost:${toString port} reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem { tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3 protocols tls1.3

13
modules/nixos/features/ntfy-sh.nix
View file

@ -14,6 +14,19 @@ in
}; };
caddy.virtualHosts."ntfy-sh.fi33.buzz".extraConfig = '' caddy.virtualHosts."ntfy-sh.fi33.buzz".extraConfig = ''
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
uri /auth
header_up Remote-Addr {remote_host}
header_up Remote-Port {remote_port}
header_up Original-URI {uri}
copy_headers {
Tailscale-User>X-Webauth-User
Tailscale-Name>X-Webauth-Name
Tailscale-Login>X-Webauth-Login
Tailscale-Tailnet>X-Webauth-Tailnet
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
}
}
reverse_proxy localhost:${toString port} reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem { tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3 protocols tls1.3

13
modules/nixos/features/nzbget.nix
View file

@ -18,6 +18,19 @@ in
}; };
caddy.virtualHosts."nzbget.fi33.buzz".extraConfig = '' caddy.virtualHosts."nzbget.fi33.buzz".extraConfig = ''
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
uri /auth
header_up Remote-Addr {remote_host}
header_up Remote-Port {remote_port}
header_up Original-URI {uri}
copy_headers {
Tailscale-User>X-Webauth-User
Tailscale-Name>X-Webauth-Name
Tailscale-Login>X-Webauth-Login
Tailscale-Tailnet>X-Webauth-Tailnet
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
}
}
reverse_proxy localhost:${toString port} reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem { tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3 protocols tls1.3

13
modules/nixos/features/paperless.nix
View file

@ -31,6 +31,19 @@ in
}; };
caddy.virtualHosts."paperless.fi33.buzz".extraConfig = '' caddy.virtualHosts."paperless.fi33.buzz".extraConfig = ''
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
uri /auth
header_up Remote-Addr {remote_host}
header_up Remote-Port {remote_port}
header_up Original-URI {uri}
copy_headers {
Tailscale-User>X-Webauth-User
Tailscale-Name>X-Webauth-Name
Tailscale-Login>X-Webauth-Login
Tailscale-Tailnet>X-Webauth-Tailnet
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
}
}
reverse_proxy localhost:${toString port} reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem { tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3 protocols tls1.3

13
modules/nixos/features/prowlarr.nix
View file

@ -20,6 +20,19 @@ in
]; ];
caddy.virtualHosts."prowlarr.fi33.buzz".extraConfig = '' caddy.virtualHosts."prowlarr.fi33.buzz".extraConfig = ''
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
uri /auth
header_up Remote-Addr {remote_host}
header_up Remote-Port {remote_port}
header_up Original-URI {uri}
copy_headers {
Tailscale-User>X-Webauth-User
Tailscale-Name>X-Webauth-Name
Tailscale-Login>X-Webauth-Login
Tailscale-Tailnet>X-Webauth-Tailnet
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
}
}
reverse_proxy localhost:${toString port} reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem { tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3 protocols tls1.3

13
modules/nixos/features/qbittorrent.nix
View file

@ -15,6 +15,19 @@ in
}; };
caddy.virtualHosts."qbittorrent.fi33.buzz".extraConfig = '' caddy.virtualHosts."qbittorrent.fi33.buzz".extraConfig = ''
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
uri /auth
header_up Remote-Addr {remote_host}
header_up Remote-Port {remote_port}
header_up Original-URI {uri}
copy_headers {
Tailscale-User>X-Webauth-User
Tailscale-Name>X-Webauth-Name
Tailscale-Login>X-Webauth-Login
Tailscale-Tailnet>X-Webauth-Tailnet
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
}
}
reverse_proxy localhost:${toString port} reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem { tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3 protocols tls1.3

13
modules/nixos/features/qui.nix
View file

@ -31,6 +31,19 @@ in
]; ];
services.caddy.virtualHosts."qui.fi33.buzz".extraConfig = '' services.caddy.virtualHosts."qui.fi33.buzz".extraConfig = ''
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
uri /auth
header_up Remote-Addr {remote_host}
header_up Remote-Port {remote_port}
header_up Original-URI {uri}
copy_headers {
Tailscale-User>X-Webauth-User
Tailscale-Name>X-Webauth-Name
Tailscale-Login>X-Webauth-Login
Tailscale-Tailnet>X-Webauth-Tailnet
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
}
}
reverse_proxy localhost:${toString port} reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem { tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3 protocols tls1.3

13
modules/nixos/features/radarr.nix
View file

@ -21,6 +21,19 @@ in
]; ];
caddy.virtualHosts."radarr.fi33.buzz".extraConfig = '' caddy.virtualHosts."radarr.fi33.buzz".extraConfig = ''
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
uri /auth
header_up Remote-Addr {remote_host}
header_up Remote-Port {remote_port}
header_up Original-URI {uri}
copy_headers {
Tailscale-User>X-Webauth-User
Tailscale-Name>X-Webauth-Name
Tailscale-Login>X-Webauth-Login
Tailscale-Tailnet>X-Webauth-Tailnet
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
}
}
reverse_proxy localhost:${toString port} reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem { tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3 protocols tls1.3

13
modules/nixos/features/radicale.nix
View file

@ -29,6 +29,19 @@ in
}; };
caddy.virtualHosts."radicale.fi33.buzz".extraConfig = '' caddy.virtualHosts."radicale.fi33.buzz".extraConfig = ''
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
uri /auth
header_up Remote-Addr {remote_host}
header_up Remote-Port {remote_port}
header_up Original-URI {uri}
copy_headers {
Tailscale-User>X-Webauth-User
Tailscale-Name>X-Webauth-Name
Tailscale-Login>X-Webauth-Login
Tailscale-Tailnet>X-Webauth-Tailnet
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
}
}
reverse_proxy localhost:${toString port} reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem { tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3 protocols tls1.3

13
modules/nixos/features/readarr.nix
View file

@ -21,6 +21,19 @@ in
]; ];
caddy.virtualHosts."readarr.fi33.buzz".extraConfig = '' caddy.virtualHosts."readarr.fi33.buzz".extraConfig = ''
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
uri /auth
header_up Remote-Addr {remote_host}
header_up Remote-Port {remote_port}
header_up Original-URI {uri}
copy_headers {
Tailscale-User>X-Webauth-User
Tailscale-Name>X-Webauth-Name
Tailscale-Login>X-Webauth-Login
Tailscale-Tailnet>X-Webauth-Tailnet
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
}
}
reverse_proxy localhost:${toString port} reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem { tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3 protocols tls1.3

13
modules/nixos/features/sonarr.nix
View file

@ -21,6 +21,19 @@ in
]; ];
caddy.virtualHosts."sonarr.fi33.buzz".extraConfig = '' caddy.virtualHosts."sonarr.fi33.buzz".extraConfig = ''
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
uri /auth
header_up Remote-Addr {remote_host}
header_up Remote-Port {remote_port}
header_up Original-URI {uri}
copy_headers {
Tailscale-User>X-Webauth-User
Tailscale-Name>X-Webauth-Name
Tailscale-Login>X-Webauth-Login
Tailscale-Tailnet>X-Webauth-Tailnet
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
}
}
reverse_proxy localhost:${toString port} reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem { tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3 protocols tls1.3

13
modules/nixos/features/syncthing.nix
View file

@ -68,6 +68,19 @@ in
null; null;
caddy.virtualHosts."syncthing.fi33.buzz".extraConfig = '' caddy.virtualHosts."syncthing.fi33.buzz".extraConfig = ''
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
uri /auth
header_up Remote-Addr {remote_host}
header_up Remote-Port {remote_port}
header_up Original-URI {uri}
copy_headers {
Tailscale-User>X-Webauth-User
Tailscale-Name>X-Webauth-Name
Tailscale-Login>X-Webauth-Login
Tailscale-Tailnet>X-Webauth-Tailnet
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
}
}
reverse_proxy http://localhost:${toString port} reverse_proxy http://localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem { tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3 protocols tls1.3

9
modules/nixos/features/tailscale.nix
View file

@ -1,8 +1,15 @@
{ {
services.tailscale = { services = {
tailscale = {
enable = true; enable = true;
extraSetFlags = [ extraSetFlags = [
"--accept-dns=true" "--accept-dns=true"
]; ];
}; };
tailscaleAuth = {
enable = true;
user = "caddy";
group = "caddy";
};
};
} }

13
modules/nixos/features/upbank2firefly.nix
View file

@ -50,6 +50,19 @@ in
}; };
services.caddy.virtualHosts."upbank2firefly.fi33.buzz".extraConfig = '' services.caddy.virtualHosts."upbank2firefly.fi33.buzz".extraConfig = ''
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
uri /auth
header_up Remote-Addr {remote_host}
header_up Remote-Port {remote_port}
header_up Original-URI {uri}
copy_headers {
Tailscale-User>X-Webauth-User
Tailscale-Name>X-Webauth-Name
Tailscale-Login>X-Webauth-Login
Tailscale-Tailnet>X-Webauth-Tailnet
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
}
}
reverse_proxy localhost:${toString port} reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem { tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3 protocols tls1.3

13
modules/nixos/features/vaultwarden.nix
View file

@ -31,6 +31,19 @@ in
]; ];
caddy.virtualHosts."vaultwarden.fi33.buzz".extraConfig = '' caddy.virtualHosts."vaultwarden.fi33.buzz".extraConfig = ''
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
uri /auth
header_up Remote-Addr {remote_host}
header_up Remote-Port {remote_port}
header_up Original-URI {uri}
copy_headers {
Tailscale-User>X-Webauth-User
Tailscale-Name>X-Webauth-Name
Tailscale-Login>X-Webauth-Login
Tailscale-Tailnet>X-Webauth-Tailnet
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
}
}
reverse_proxy localhost:${toString port} reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem { tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3 protocols tls1.3