
System and user configuration, managed by nix and home-manager

linde: use tailscale auth for paperless

Alan Pearce
commit

2b97748822d8f8c4698b96a91701d8636922ea26

parent

de1e5ecf311a20b28846563854b3cc544e5fcca3

1 file changed, 20 insertions(+), 0 deletions(-)

M system/linde.nixsystem/linde.nix
@@ -853,6 +853,10 @@ openFirewall = true;
 permitCertUid = "caddy";
 port = tsPort;
 };
+ services.tailscaleAuth = {
+ enable = true;
+ group = "caddy";
+ };
 services.caddy = {
 enable = true;
 email = "caddy@alanpearce.eu";
@@ -874,6 +878,19 @@ handle_path /static/* {
 root * ${config.services.paperless.package}/lib/paperless-ngx/static
 file_server
 }
+ forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
+ uri /auth
+ header_up Remote-Addr {remote_host}
+ header_up Remote-Port {remote_port}
+ header_up Original-URI {uri}
+ copy_headers {
+ Tailscale-User>X-Webauth-User
+ Tailscale-Name>X-Webauth-Name
+ Tailscale-Login>X-Webauth-Login
+ Tailscale-Tailnet>X-Webauth-Tailnet
+ Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+ }
+ }
 reverse_proxy [::1]:${toString config.services.paperless.port}
 '';
 };
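Review bot: The X-Webauth-User header written by the copy_headers block becomes the sole login credential for paperless once the later hunk sets PAPERLESS_ENABLE_HTTP_REMOTE_USER, so the trust boundary is "only requests that passed this forward_auth reach the backend"; nothing in the hunk records that. The reverse_proxy line shows paperless listening on [::1], which is reachable by any local process on the host without going through caddy, so a caller there can present its own X-Webauth-User and be accepted — that is presumably acceptable for a single-user host, but it should be stated. I would add a comment above the forward_auth line such as `# Authoritative identity for paperless: X-Webauth-User is set here from tailscale-nginx-auth and trusted by the backend (PAPERLESS_ENABLE_HTTP_REMOTE_USER), so paperless must not be exposed on any path that bypasses this block.` The Caddyfile string and the enclosing services.caddy attribute set start before this hunk.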
@@ -892,6 +909,9 @@ PAPERLESS_USE_X_FORWARD_HOST = true;
PAPERLESS_USE_X_FORWARD_PORT = true; PAPERLESS_PROXY_SSL_HEADER = [ "HTTP_X_FORWARDED_PROTO" "https" ]; PAPERLESS_ENABLE_COMPRESSION = false; # let caddy do it + + PAPERLESS_ENABLE_HTTP_REMOTE_USER = true; + PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME = "HTTP_X_WEBAUTH_USER"; PAPERLESS_OCR_SKIP_ARCHIVE_FILE = "with_text"; PAPERLESS_OCR_LANGUAGE = "deu+eng";