@@ -853,6 +853,10 @@ openFirewall = true;
           permitCertUid = "caddy";
           port = tsPort;
         };
+        services.tailscaleAuth = {
+          enable = true;
+          group = "caddy";
+        };
         services.caddy = {
           enable = true;
           email = "caddy@alanpearce.eu";
@@ -874,6 +878,19 @@ handle_path /static/* {
                   root * ${config.services.paperless.package}/lib/paperless-ngx/static
                   file_server
                 }
+                forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
+                  uri /auth
+                  header_up Remote-Addr {remote_host}
+                  header_up Remote-Port {remote_port}
+                  header_up Original-URI {uri}
+                  copy_headers {
+                    Tailscale-User>X-Webauth-User
+                    Tailscale-Name>X-Webauth-Name
+                    Tailscale-Login>X-Webauth-Login
+                    Tailscale-Tailnet>X-Webauth-Tailnet
+                    Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+                  }
+                }
                 reverse_proxy [::1]:${toString config.services.paperless.port}
               '';
             };
@@ -892,6 +909,9 @@ PAPERLESS_USE_X_FORWARD_HOST = true;
             PAPERLESS_USE_X_FORWARD_PORT = true;
             PAPERLESS_PROXY_SSL_HEADER = [ "HTTP_X_FORWARDED_PROTO" "https" ];
             PAPERLESS_ENABLE_COMPRESSION = false; # let caddy do it
+
+            PAPERLESS_ENABLE_HTTP_REMOTE_USER = true;
+            PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME = "HTTP_X_WEBAUTH_USER";
 
             PAPERLESS_OCR_SKIP_ARCHIVE_FILE = "with_text";
             PAPERLESS_OCR_LANGUAGE = "deu+eng";