feat: setup SSO for navidrome

modules/nixos/server/freshrss.nix

@@ -42,7 +42,7 @@
       enable = true;
       virtualHost = "signpost.swarsel.win";
       baseUrl = "https://signpost.swarsel.win";
-      authType = "none";
+      authType = "form";
       dataDir = "/Vault/data/tt-rss";
       defaultUser = "Swarsel";
       passwordFile = config.sops.secrets.fresh.path;
@@ -66,11 +66,15 @@
 
                 # pass information via X-User and X-Email headers to backend,
                 # requires running with --set-xauthrequest flag (done by NixOS)
-                auth_request_set $user   $upstream_http_x_auth_request_preferred_username;
-                # Set the email to our own domain in case user change their mail
-                auth_request_set $email  "''${upstream_http_x_auth_request_preferred_username}@swarsel.win";
+                auth_request_set $user   $upstream_http_x_auth_request_user;
+                auth_request_set $email  $upstream_http_x_auth_request_email;
                 proxy_set_header X-User  $user;
                 proxy_set_header X-Email $email;
+                proxy_set_header Remote-User  $user;
+
+                # if you enabled --pass-access-token, this will pass the token to the backend
+                auth_request_set $token  $upstream_http_x_auth_request_access_token;
+                proxy_set_header X-Access-Token $token;
 
                 # if you enabled --cookie-refresh, this is needed for it to work with auth_request
                 auth_request_set $auth_cookie $upstream_http_set_cookie;

modules/nixos/server/kanidm.nix

@@ -84,24 +84,9 @@ in
             "freshrss.access" = { };
             "firefly.access" = { };
           };
-          persons = {
-            swarsel = {
-              present = true;
-              mailAddresses = [ "leon@swarsel.win" ];
-              legalName = "Leon Schwarzäugl";
-              groups = [
-                "immich.access"
-                "paperless.access"
-                "grafana.access"
-                "forgejo.access"
-                "nextcloud.access"
-                "freshrss.access"
-                "navidrome.access"
-                "firefly.access"
-              ];
-              displayName = "Swarsel";
-            };
-          };
+
+          inherit (config.repo.secrets.local) persons;
+
           systems = {
             oauth2 = {
               immich = {

modules/nixos/server/navidrome.nix

@@ -47,6 +47,8 @@
         ScanSchedule = "@every 24h";
         MPVPath = "${pkgs.mpv}/bin/mpv";
         MPVCommandTemplate = "mpv --audio-device=%d --no-audio-display --pause %f";
+        ReverseProxyWhitelist = "0.0.0.0/0";
+        ReverseProxyUserHeader = "X-User";
         Jukebox = {
           Enabled = true;
           Default = "default";
@@ -79,6 +81,23 @@
               proxyPass = "http://localhost:4040";
               proxyWebsockets = true;
               extraConfig = ''
+                auth_request /oauth2/auth;
+                error_page 401 = /oauth2/sign_in;
+
+                # pass information via X-User and X-Email headers to backend,
+                # requires running with --set-xauthrequest flag (done by NixOS)
+                auth_request_set $user   $upstream_http_x_auth_request_user;
+                auth_request_set $email  $upstream_http_x_auth_request_email;
+                proxy_set_header X-User  $user;
+                proxy_set_header X-Email $email;
+
+                # if you enabled --pass-access-token, this will pass the token to the backend
+                auth_request_set $token  $upstream_http_x_auth_request_access_token;
+                proxy_set_header X-Access-Token $token;
+
+                # if you enabled --cookie-refresh, this is needed for it to work with auth_request
+                auth_request_set $auth_cookie $upstream_http_set_cookie;
+                add_header Set-Cookie $auth_cookie;
                 proxy_redirect          http:// https://;
                 proxy_read_timeout      600s;
                 proxy_send_timeout      600s;
@@ -87,6 +106,52 @@
                 client_max_body_size    0;
               '';
             };
+            "/oauth2/" = {
+              proxyPass = "http://oauth2-proxy";
+              extraConfig = ''
+                proxy_set_header X-Scheme                $scheme;
+                proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+              '';
+            };
+            "= /oauth2/auth" = {
+              proxyPass = "http://oauth2-proxy/oauth2/auth";
+              extraConfig = ''
+                internal;
+
+                proxy_set_header X-Scheme         $scheme;
+                # nginx auth_request includes headers but not body
+                proxy_set_header Content-Length   "";
+                proxy_pass_request_body           off;
+              '';
+            };
+            "/share" = {
+              proxyPass = "http://localhost:4040";
+              proxyWebsockets = true;
+              extraConfig = ''
+                proxy_redirect          http:// https://;
+                proxy_read_timeout      600s;
+                proxy_send_timeout      600s;
+                proxy_buffering         off;
+                proxy_request_buffering off;
+                client_max_body_size    0;
+                proxy_set_header X-User  "";
+                proxy_set_header X-Email "";
+              '';
+            };
+            "/rest" = {
+              proxyPass = "http://localhost:4040";
+              proxyWebsockets = true;
+              extraConfig = ''
+                proxy_redirect          http:// https://;
+                proxy_read_timeout      600s;
+                proxy_send_timeout      600s;
+                proxy_buffering         off;
+                proxy_request_buffering off;
+                client_max_body_size    0;
+                proxy_set_header X-User  "";
+                proxy_set_header X-Email "";
+              '';
+            };
           };
         };
       };