diff --git a/config/finances-fireflyiii.nix b/config/finances-fireflyiii.nix
index 4e265d9..1eab243 100644
--- a/config/finances-fireflyiii.nix
+++ b/config/finances-fireflyiii.nix
@@ -25,9 +25,9 @@ in
 DB_DATABASE = name;
 DB_USERNAME = name;
 DB_PASSWORD = config.my-lxc.finances.db.password;
- # AUTHENTICATION_GUARD = "remote_user_guard";
- # AUTHENTICATION_GUARD_HEADER = "HTTP_X_AUTHENTIK_EMAIL";
- # AUTHENTICATION_GUARD_EMAIL = "HTTP_X_AUTHENTIK_EMAIL";
+ AUTHENTICATION_GUARD = "remote_user_guard";
+ AUTHENTICATION_GUARD_HEADER = "HTTP_X_AUTHENTIK_EMAIL";
+ AUTHENTICATION_GUARD_EMAIL = "HTTP_X_AUTHENTIK_EMAIL";
 APP_URL = "https://${tools.build_hostname "finances"}";
 APP_KEY_FILE = "/etc/firefly-iii/app.key";
 TRUSTED_PROXIES = tools.build_ip "proxy";
diff --git a/config/proxy-traefik.nix b/config/proxy-traefik.nix
index 1a394c7..01174d0 100644
--- a/config/proxy-traefik.nix
+++ b/config/proxy-traefik.nix
@@ -175,6 +175,10 @@ in
 "Remote-Name"
 ];
 };
+ fix-headers.headers.customRequestHeaders = {
+ X-Forwarded-Proto = "https";
+ X-Forwarded-Ssl = "on";
+ };
 matrix-wellknown-mw = {
 plugin = {
 staticResponse = {
@@ -204,7 +208,13 @@ in
 );
 service = "${d.subdomain}-service";
 entryPoints = [ "websecure" ];
- middlewares = if (d.auth) then [ "authentik" ] else [ ];
+ middlewares =
+ if (d.auth) then
+ [
+ "authentik"
+ ]
+ else
+ [ ];
 tls.certResolver = "letsencrypt";
 };
 }
@@ -215,7 +225,14 @@ in
 rule = "Host(`${ct}${dmn}`) " + (if (def.private == true) then internal else "");
 service = "${ct}-service";
 entryPoints = [ "websecure" ];
- middlewares = if (def.auth) then [ "authentik" ] else [ ];
+ middlewares =
+ if (def.auth) then
+ [
+ "authentik"
+ "fix-headers"
+ ]
+ else
+ [ ];
 tls.certResolver = "letsencrypt";
 };
 })
diff --git a/containers/finances.nix b/containers/finances.nix
index 4a91955..4a97cfa 100644
--- a/containers/finances.nix
+++ b/containers/finances.nix
@@ -36,6 +36,6 @@ in
 password = db_pass.finances;
 };
 private = true;
- auth = false;
+ auth = true;
 };
 }
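Review bot: With `AUTHENTICATION_GUARD = "remote_user_guard"` the application accepts whatever identity the `HTTP_X_AUTHENTIK_EMAIL` header carries, so that header becomes the only credential and nothing in this hunk binds it to the proxy. The setting is safe only while every route to the service passes through the `authentik` middleware, which depends on `auth = true` in containers/finances.nix (the last hunk of this commit), and while that middleware overwrites any client-supplied copy of the header; whether the e-mail header is in the forward-auth response header list is not visible here. `TRUSTED_PROXIES` presumably governs only the X-Forwarded-* handling, so the container should also refuse connections that do not come from `tools.build_ip "proxy"`. I would record the coupling above these lines: `# remote_user_guard trusts the authentik e-mail header: keep auth = true in containers/finances.nix and accept traffic only from the proxy`. The attribute set continues outside the hunk.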
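Review bot: The new `fix-headers` middleware hard-codes `X-Forwarded-Proto = "https"` and `X-Forwarded-Ssl = "on"` without a comment saying why the proxy's own forwarded headers are not sufficient. The values are truthful only on routers bound to a TLS entry point (the routers visible in this commit use `websecure`); attached to a plain-HTTP router they would tell the backend the request was encrypted, which feeds secure-cookie and redirect decisions. A one-line comment would prevent that reuse: `# only for routers on websecure: forces the scheme the backend sees to https`.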
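Review bot: `"fix-headers"` is added inside the `def.auth` branch, so the scheme override is applied only to containers that also use authentik, and the parallel `d.auth` router in the previous hunk does not get it at all. If the override is needed regardless of authentication, build the list independently of the flag, `middlewares = (if def.auth then [ "authentik" ] else [ ]) ++ [ "fix-headers" ];`; if it is meant for one service only, a comment should say so, because the next container that sets `auth = true` silently inherits it. The enclosing router definition starts and ends outside the hunk.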