Diffstat (limited to 'system/linde.nix')
-rw-r--r--system/linde.nix23
1 files changed, 22 insertions, 1 deletions
diff --git a/system/linde.nix b/system/linde.nix
index 3aa11004..573eb78e 100644
--- a/system/linde.nix
+++ b/system/linde.nix
@@ -853,6 +853,10 @@ in
           permitCertUid = "caddy";
           port = tsPort;
         };
+        services.tailscaleAuth = {
+          enable = true;
+          group = "caddy";
+        };
         services.caddy = {
           enable = true;
           email = "caddy@alanpearce.eu";
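Review bot: The new `services.tailscaleAuth` block does not say why `group = "caddy"` is needed, and the reason is only visible much further down the file where the Caddy site block connects to the auth socket via `forward_auth unix//run/tailscale-nginx-auth/...`. A short comment keeps the coupling obvious to whoever later changes either side: `# caddy connects to the auth socket in the paperless site's forward_auth; the group grants it access`. The enclosing attribute set for this host starts and ends outside the hunk.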
@@ -874,6 +878,19 @@ in
                   root * ${config.services.paperless.package}/lib/paperless-ngx/static
                   file_server
                 }
+                forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
+                  uri /auth
+                  header_up Remote-Addr {remote_host}
+                  header_up Remote-Port {remote_port}
+                  header_up Original-URI {uri}
+                  copy_headers {
+                    Tailscale-User>X-Webauth-User
+                    Tailscale-Name>X-Webauth-Name
+                    Tailscale-Login>X-Webauth-Login
+                    Tailscale-Tailnet>X-Webauth-Tailnet
+                    Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+                  }
+                }
                 reverse_proxy [::1]:${toString config.services.paperless.port}
               '';
             };
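Review bot: The `copy_headers` block turns `Tailscale-User` into `X-Webauth-User`, which the Paperless settings in the next hunk consume as the authenticated username (`HTTP_X_WEBAUTH_USER`), so any `X-Webauth-*` header that arrives from the client and survives to the `reverse_proxy` line would be accepted as an identity. Caddy's `forward_auth` normally overwrites a copied header with the auth gateway's value on a 2xx response, and tailscale-nginx-auth should always send `Tailscale-User` on success, so this is presumably fine today, but it is worth not depending on that. Adding `request_header -X-Webauth-User` (and the sibling `X-Webauth-*` names if they are ever consumed downstream) before the `forward_auth` directive strips client-supplied values unconditionally and makes the trust boundary explicit. A one-line comment above `forward_auth` such as `# identity for paperless comes solely from the Tailscale auth response below` would also document the intent. The site block and the surrounding Caddyfile string start and end outside the hunk.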
@@ -893,6 +910,9 @@ in
             PAPERLESS_PROXY_SSL_HEADER = [ "HTTP_X_FORWARDED_PROTO" "https" ];
             PAPERLESS_ENABLE_COMPRESSION = false; # let caddy do it
 
+            PAPERLESS_ENABLE_HTTP_REMOTE_USER = true;
+            PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME = "HTTP_X_WEBAUTH_USER";
+
             PAPERLESS_OCR_SKIP_ARCHIVE_FILE = "with_text";
             PAPERLESS_OCR_LANGUAGE = "deu+eng";
             PAPERLESS_IGNORE_DATES = "09.08.90";
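Review bot: `PAPERLESS_ENABLE_HTTP_REMOTE_USER = true` makes Paperless trust the `X-Webauth-User` header on every request that reaches it, not only those that came through Caddy's `forward_auth`; the `reverse_proxy [::1]:...` target in the previous hunk suggests the backend is bound to loopback, but the bind address itself is not visible here, and any other process on the host that can reach that port could set the header. Please confirm the listen address is loopback-only and note the dependency in a comment next to these two settings, e.g. `# trusted only because caddy's forward_auth sets X-Webauth-User from the Tailscale identity; the backend must not be reachable except via caddy`. It is also worth recording what value format is expected in the header (Tailscale sends a login name) and how Paperless maps an unknown value, since that determines whether an unrecognised identity is rejected or gets an account; that behaviour is not visible from this diff. The `extraConfig`/settings attribute set continues outside the hunk.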
@@ -980,7 +1000,8 @@ in
           tls-port = 6379;
           tls-cert-file = "/var/lib/acme/redis.alanpearce.eu/cert.pem";
           tls-key-file = "/var/lib/acme/redis.alanpearce.eu/key.pem";
-          tla-ca-cert-file = "/etc/ssl/certs/ca-certificates.crt";
+          tls-ca-cert-file = "/etc/ssl/certs/ca-certificates.crt";
+          tls-auth-clients = false;
         };
       };
     };
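Review bot: `tls-auth-clients = false` is a security-relevant loosening that the commit does not explain: with it, clients connecting to the TLS port `6379` are no longer required to present a certificate, and since the server certificate comes from a public ACME path the only remaining gate is whatever password or ACL the server has configured, which is not visible in this hunk. A comment on that line should state the reason and the compensating control, e.g. `# clients (caddy/paperless) cannot present certs; access is restricted by requirepass/ACL and firewall`, or, if only some clients lack certs, consider Redis's `optional` value instead of disabling verification entirely. The rename from `tla-ca-cert-file` to `tls-ca-cert-file` looks like a pure typo fix and needs no comment. The enclosing Redis server settings block starts outside the hunk.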