diff --git a/hosts/franz/arion/infrastructure/arion-compose.nix b/hosts/franz/arion/infrastructure/arion-compose.nix
index b63aa3d..e09c939 100644
--- a/hosts/franz/arion/infrastructure/arion-compose.nix
+++ b/hosts/franz/arion/infrastructure/arion-compose.nix
@@ -38,7 +38,7 @@
 };
 volumes = [
 "/home/ghoscht/.docker/infrastructure/traefik_config/traefik.yml:/traefik.yml:ro"
- "/home/ghoscht/.docker/infrastructure/traefik_data/config.yml:/config.yml:ro"
+ "/home/ghoscht/.docker/infrastructure/traefik_config/conf:/conf:ro"
 "/storage/dataset/docker/infrastructure/traefik_data/acme.json:/acme.json"
 "/var/run/docker.sock:/var/run/docker.sock:ro"
 "traefik-logs:/var/log/traefik"
diff --git a/hosts/franz/arion/infrastructure/default.nix b/hosts/franz/arion/infrastructure/default.nix
index 27d4c33..1b6afc5 100644
--- a/hosts/franz/arion/infrastructure/default.nix
+++ b/hosts/franz/arion/infrastructure/default.nix
@@ -96,7 +96,8 @@ in {
 exposedByDefault: false
 network: dmz
 file:
- filename: /config.yml
+ watch: true
+ directory: /conf/
 certificatesResolvers:
 letsencrypt:
 acme:
diff --git a/hosts/franz/arion/media/arion-compose.nix b/hosts/franz/arion/media/arion-compose.nix
index 6591919..b5bf75e 100644
--- a/hosts/franz/arion/media/arion-compose.nix
+++ b/hosts/franz/arion/media/arion-compose.nix
@@ -112,6 +112,7 @@
 "traefik.docker.network" = "dmz";
 "traefik.http.routers.transmission.tls" = "true";
 "traefik.http.routers.transmission.tls.certresolver" = "letsencrypt";
+ "traefik.http.routers.transmission.middlewares" = "authentik@file";
 };
 volumes = [
 "/storage/dataset/docker/media/transmission_data:/config"
@@ -155,6 +156,7 @@
 "traefik.docker.network" = "dmz";
 "traefik.http.routers.prowlarr.tls" = "true";
 "traefik.http.routers.prowlarr.tls.certresolver" = "letsencrypt";
+ "traefik.http.routers.prowlarr.middlewares" = "authentik@file";
 "diun.enable" = "true";
 "diun.watch_repo" = "true";
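Review bot: The new bind mount in the `@@ -38,7 +38,7 @@` hunk turns a whole host directory under `/home/ghoscht` into live router and middleware configuration, and nothing in the change records who may write to it. Combined with `watch: true` and `directory: /conf/` in the default.nix hunk, any file that appears there is loaded without a restart, so write access to that directory amounts to control over routing and over whether `authentik@file` is applied. The `:ro` flag only stops the container from writing; it does not restrict the host side. I would add a comment above the mount, `# every file in conf/ becomes live Traefik config (watch: true); keep the directory writable by the deploying user only`, and confirm the directory's ownership and mode on the host. The volumes list and the embedded Traefik config both continue outside their hunks.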
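Review bot: The `middlewares` label is added one router at a time (transmission and prowlarr here, then sonarr, radarr, lidarr and bazarr in the following hunks), so a service added to this file later is published without authentication unless someone remembers the label. A shared helper would make the middleware part of the default rather than an opt-in, for example `authLabels = name: { "traefik.http.routers.${name}.middlewares" = "authentik@file"; };` merged with `labels = { ... } // authLabels "sonarr";`, assuming the file has a `let` scope to hold it. The forward-auth check also only covers requests that pass through Traefik; the hunks do not show whether these containers publish ports or are reachable from other containers on `dmz`, so that is worth confirming because either path would skip the middleware. Each labels attribute set starts outside its hunk.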
@@ -185,6 +187,7 @@
 "traefik.docker.network" = "dmz";
 "traefik.http.routers.sonarr.tls" = "true";
 "traefik.http.routers.sonarr.tls.certresolver" = "letsencrypt";
+ "traefik.http.routers.sonarr.middlewares" = "authentik@file";
 "diun.enable" = "true";
 "diun.watch_repo" = "true";
@@ -217,6 +220,7 @@
 "traefik.docker.network" = "dmz";
 "traefik.http.routers.radarr.tls" = "true";
 "traefik.http.routers.radarr.tls.certresolver" = "letsencrypt";
+ "traefik.http.routers.radarr.middlewares" = "authentik@file";
 "diun.enable" = "true";
 "diun.watch_repo" = "true";
@@ -250,6 +254,7 @@
 "traefik.docker.network" = "dmz";
 "traefik.http.routers.lidarr.tls" = "true";
 "traefik.http.routers.lidarr.tls.certresolver" = "letsencrypt";
+ "traefik.http.routers.lidarr.middlewares" = "authentik@file";
 };
 volumes = [
 "/storage/dataset/docker/media/lidarr_data:/config"
@@ -280,6 +285,7 @@
 "traefik.docker.network" = "dmz";
 "traefik.http.routers.bazarr.tls" = "true";
 "traefik.http.routers.bazarr.tls.certresolver" = "letsencrypt";
+ "traefik.http.routers.bazarr.middlewares" = "authentik@file";
 };
 volumes = [
 "/storage/dataset/docker/media/bazarr_data:/config"
diff --git a/rsc/docker/franz/infrastructure/traefik_data/config.yml b/rsc/docker/franz/infrastructure/traefik_config/conf/crowdsec.yml
similarity index 100%
rename from rsc/docker/franz/infrastructure/traefik_data/config.yml
rename to rsc/docker/franz/infrastructure/traefik_config/conf/crowdsec.yml
diff --git a/rsc/docker/franz/infrastructure/traefik_config/conf/headers.yml b/rsc/docker/franz/infrastructure/traefik_config/conf/headers.yml
new file mode 100644
index 0000000..78c186f
--- /dev/null
+++ b/rsc/docker/franz/infrastructure/traefik_config/conf/headers.yml
@@ -0,0 +1,18 @@
+http:
+ middlewares:
+ authentik:
+ forwardAuth:
+ address: http://authentik:9000/outpost.goauthentik.io/auth/traefik
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
+ - X-authentik-jwt
+ - X-authentik-meta-jwks
+ - X-authentik-meta-outpost
+ - X-authentik-meta-provider
+ - X-authentik-meta-app
+ - X-authentik-meta-version
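Review bot: `trustForwardHeader: true` makes the forward-auth request carry whatever `X-Forwarded-*` headers the incoming request already had, so the decision Authentik returns is only as trustworthy as the entrypoint's handling of those headers. If Traefik is the first hop and its entrypoints do not accept forwarded headers from arbitrary clients this is fine, but the entrypoint section of the static config is not in this diff, so I would confirm it and record the assumption above the option, for example `# safe only while entryPoints.*.forwardedHeaders is not insecure and trusts no client IPs`. Separately, `authResponseHeaders` passes `X-authentik-jwt` and the full identity set to every backend behind this middleware; if the media services do not consume them, trimming the list to what is actually used keeps the token out of upstream logs. The file is named headers.yml but defines the forward-auth middleware, which a name such as authentik.yml would state more plainly.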