linde: use tailscale auth for paperless
Alan Pearce alan@alanpearce.eu
Sat, 30 Nov 2024 22:53:38 +0100
1 files changed, 20 insertions(+), 0 deletions(-)
jump to
M system/linde.nix → system/linde.nix
@@ -853,6 +853,10 @@ openFirewall = true; permitCertUid = "caddy"; port = tsPort; }; + services.tailscaleAuth = { + enable = true; + group = "caddy"; + }; services.caddy = { enable = true; email = "caddy@alanpearce.eu"; @@ -874,6 +878,19 @@ handle_path /static/* { root * ${config.services.paperless.package}/lib/paperless-ngx/static file_server } + forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock { + uri /auth + header_up Remote-Addr {remote_host} + header_up Remote-Port {remote_port} + header_up Original-URI {uri} + copy_headers { + Tailscale-User>X-Webauth-User + Tailscale-Name>X-Webauth-Name + Tailscale-Login>X-Webauth-Login + Tailscale-Tailnet>X-Webauth-Tailnet + Tailscale-Profile-Picture>X-Webauth-Profile-Picture + } + } reverse_proxy [::1]:${toString config.services.paperless.port} ''; }; @@ -892,6 +909,9 @@ PAPERLESS_USE_X_FORWARD_HOST = true; PAPERLESS_USE_X_FORWARD_PORT = true; PAPERLESS_PROXY_SSL_HEADER = [ "HTTP_X_FORWARDED_PROTO" "https" ]; PAPERLESS_ENABLE_COMPRESSION = false; # let caddy do it + + PAPERLESS_ENABLE_HTTP_REMOTE_USER = true; + PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME = "HTTP_X_WEBAUTH_USER"; PAPERLESS_OCR_SKIP_ARCHIVE_FILE = "with_text"; PAPERLESS_OCR_LANGUAGE = "deu+eng";