feat: setup SSO for navidrome

2025-12-06 09:07:21 +01:00 · 2025-06-13 03:30:31 +02:00 · 2025-06-13 03:30:31 +02:00 · 86e1e1984b
commit 86e1e1984b
parent 3efa748383
6 changed files with 350 additions and 186 deletions
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@ -7221,6 +7221,8 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
          ScanSchedule = "@every 24h";
          MPVPath = "${pkgs.mpv}/bin/mpv";
          MPVCommandTemplate = "mpv --audio-device=%d --no-audio-display --pause %f";
+          ReverseProxyWhitelist = "0.0.0.0/0";
+          ReverseProxyUserHeader = "X-User";
          Jukebox = {
            Enabled = true;
            Default = "default";
@ -7253,6 +7255,23 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
                proxyPass = "http://localhost:4040";
                proxyWebsockets = true;
                extraConfig = ''
+                  auth_request /oauth2/auth;
+                  error_page 401 = /oauth2/sign_in;
+
+                  # pass information via X-User and X-Email headers to backend,
+                  # requires running with --set-xauthrequest flag (done by NixOS)
+                  auth_request_set $user   $upstream_http_x_auth_request_user;
+                  auth_request_set $email  $upstream_http_x_auth_request_email;
+                  proxy_set_header X-User  $user;
+                  proxy_set_header X-Email $email;
+
+                  # if you enabled --pass-access-token, this will pass the token to the backend
+                  auth_request_set $token  $upstream_http_x_auth_request_access_token;
+                  proxy_set_header X-Access-Token $token;
+
+                  # if you enabled --cookie-refresh, this is needed for it to work with auth_request
+                  auth_request_set $auth_cookie $upstream_http_set_cookie;
+                  add_header Set-Cookie $auth_cookie;
                  proxy_redirect          http:// https://;
                  proxy_read_timeout      600s;
                  proxy_send_timeout      600s;
@ -7261,6 +7280,52 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
                  client_max_body_size    0;
                '';
              };
+              "/oauth2/" = {
+                proxyPass = "http://oauth2-proxy";
+                extraConfig = ''
+                  proxy_set_header X-Scheme                $scheme;
+                  proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+                '';
+              };
+              "= /oauth2/auth" = {
+                proxyPass = "http://oauth2-proxy/oauth2/auth";
+                extraConfig = ''
+                  internal;
+
+                  proxy_set_header X-Scheme         $scheme;
+                  # nginx auth_request includes headers but not body
+                  proxy_set_header Content-Length   "";
+                  proxy_pass_request_body           off;
+                '';
+              };
+              "/share" = {
+                proxyPass = "http://localhost:4040";
+                proxyWebsockets = true;
+                extraConfig = ''
+                  proxy_redirect          http:// https://;
+                  proxy_read_timeout      600s;
+                  proxy_send_timeout      600s;
+                  proxy_buffering         off;
+                  proxy_request_buffering off;
+                  client_max_body_size    0;
+                  proxy_set_header X-User  "";
+                  proxy_set_header X-Email "";
+                '';
+              };
+              "/rest" = {
+                proxyPass = "http://localhost:4040";
+                proxyWebsockets = true;
+                extraConfig = ''
+                  proxy_redirect          http:// https://;
+                  proxy_read_timeout      600s;
+                  proxy_send_timeout      600s;
+                  proxy_buffering         off;
+                  proxy_request_buffering off;
+                  client_max_body_size    0;
+                  proxy_set_header X-User  "";
+                  proxy_set_header X-Email "";
+                '';
+              };
            };
          };
        };
@ -8601,6 +8666,8 @@ It serves both a Greader API at https://signpost.swarsel.win/api/greader.php, as

 I am using this with CapyReader on my phone, set it up as a FreshRSS account with Server URL =https://signpost.swarsel.win/api/greader.php

+FreshRSS claims to support HTTP header auth, but at least it does not work with my oauth2-proxy setup. Until this is fixed, I resorted to the "form" login, since I mostly do not use the web version anyways.
+
 #+begin_src nix :tangle modules/nixos/server/freshrss.nix
  { lib, config, ... }:
  {
@ -9009,24 +9076,9 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
              "freshrss.access" = { };
              "firefly.access" = { };
            };
-            persons = {
-              swarsel = {
-                present = true;
-                mailAddresses = [ "leon@swarsel.win" ];
-                legalName = "Leon Schwarzäugl";
-                groups = [
-                  "immich.access"
-                  "paperless.access"
-                  "grafana.access"
-                  "forgejo.access"
-                  "nextcloud.access"
-                  "freshrss.access"
-                  "navidrome.access"
-                  "firefly.access"
-                ];
-                displayName = "Swarsel";
-              };
-            };
+
+            inherit (config.repo.secrets.local) persons;
+
            systems = {
              oauth2 = {
                immich = {