feat: setup SSO for navidrome

2025-12-06 00:57:22 +01:00 · 2025-06-13 03:30:31 +02:00 · 2025-06-13 03:30:31 +02:00 · 86e1e1984b
commit 86e1e1984b
parent 3efa748383
6 changed files with 350 additions and 186 deletions
--- a/modules/nixos/server/freshrss.nix
+++ b/modules/nixos/server/freshrss.nix
@ -42,7 +42,7 @@
      enable = true;
      virtualHost = "signpost.swarsel.win";
      baseUrl = "https://signpost.swarsel.win";
-      authType = "none";
+      authType = "form";
      dataDir = "/Vault/data/tt-rss";
      defaultUser = "Swarsel";
      passwordFile = config.sops.secrets.fresh.path;
@ -66,11 +66,15 @@

                # pass information via X-User and X-Email headers to backend,
                # requires running with --set-xauthrequest flag (done by NixOS)
-                auth_request_set $user   $upstream_http_x_auth_request_preferred_username;
-                # Set the email to our own domain in case user change their mail
-                auth_request_set $email  "''${upstream_http_x_auth_request_preferred_username}@swarsel.win";
+                auth_request_set $user   $upstream_http_x_auth_request_user;
+                auth_request_set $email  $upstream_http_x_auth_request_email;
                proxy_set_header X-User  $user;
                proxy_set_header X-Email $email;
+                proxy_set_header Remote-User  $user;
+
+                # if you enabled --pass-access-token, this will pass the token to the backend
+                auth_request_set $token  $upstream_http_x_auth_request_access_token;
+                proxy_set_header X-Access-Token $token;

                # if you enabled --cookie-refresh, this is needed for it to work with auth_request
                auth_request_set $auth_cookie $upstream_http_set_cookie;