Change frigate proxy user header to Authentik configured user header

Expose frigate UI port to host for troubleshooting and access
Add home.docker.internal definition to Authentik container
2025-01-16 14:29:55 -08:00 · 2025-01-16 14:29:13 -08:00 · 2025-01-16 14:28:39 -08:00 · 2025-01-16 14:27:23 -08:00
5 changed files with 56 additions and 12 deletions
--- a/authentik/docker-compose.yml
+++ b/authentik/docker-compose.yml
@@ -30,7 +30,7 @@ services:
    volumes:
      - redis:/data
  app:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.2}
+    image: ghcr.io/goauthentik/server:2024.12.2
    restart: unless-stopped
    command: server
    environment:
@@ -42,6 +42,8 @@ services:
    networks:
      - proxy-net
      - default
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
    volumes:
      - ./data/media:/media
      - ./config/custom-templates:/templates
--- a/caddy/config/Caddyfile
+++ b/caddy/config/Caddyfile
@@ -74,6 +74,46 @@
 		import ttt-proxy {args[1]} {args[2]}
 	}
 }
+(authentik) {
+	{args[0]}.tremendousturtle.tools {
+		import ttt-log {args[0]}
+		import tls
+		reverse_proxy authentik-app-1:9000 {
+			header_up X-Real-IP {http.request.header.CF-Connecting-IP}
+			header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
+		}
+	}
+}
+(redirect) {
+	{args[0]}.tremendousturtle.tools {
+		import tls
+		redir https://{args[1]}.tremendousturtle.tools{uri}
+	}
+}
+(authentik-forward) {
+	{args[0]}.tremendousturtle.tools {
+		import ttt-log {args[0]}
+		import tls
+		route {
+			# always forward outpost path to actual outpost
+			reverse_proxy /outpost.goauthentik.io/* http://authentik-app-1:9000
+
+			# forward authentication to outpost
+			forward_auth http://authentik-app-1:9000 {
+				uri /outpost.goauthentik.io/auth/caddy
+
+				# capitalization of the headers is important, otherwise they will be empty
+				copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+
+				# optional, in this config trust all private ranges, should probably be set to the outposts IP
+				trusted_proxies private_ranges
+			}
+
+			# actual site configuration below, for example
+			reverse_proxy {args[1]}:{args[2]}
+		}
+	}
+}

 # Web Config
 tremendousturtle.tools {
@@ -93,7 +133,7 @@ authentik.tremendousturtle.tools {

 # Define code.tremendousturtle.tools
 # Locally hosted non-docker apps (proxies to 192.168.1.234 instead of localhost)
-import ttt-app-local code 8020
+#import ttt-app-local code 8020
 import ttt-app-local pihole 1080
 import ttt-app-local sonarr 8989
 import ttt-app-local radarr 7878
@@ -101,11 +141,11 @@ import ttt-app-local prowlarr 9696
 import ttt-app-local cockpit 9090

 # Docker apps with same subdomain as docker compose project name
-import ttt-app frigate 8971
+#import ttt-app frigate 8971
 import ttt-app overseerr 5055
 import ttt-app openobserve 5080
 import ttt-app gitea 3000
-import ttt-app homepage 3000
+#import ttt-app homepage 3000
 import ttt-app requestrr 4545

 # Alternate configuration (different subdomain and docker compose project name)
@@ -114,3 +154,10 @@ import ttt-app-alt trilium triliumnext-notes-app-1 8080
 import ttt-app-alt notes triliumnext-notes-app-1 8080
 import ttt-app-alt stash stashapp-app-1 9999
 import ttt-app-alt pihole1 192.168.1.116 80
+
+# Authentik Configs
+import authentik homepage
+import redirect home homepage
+
+import authentik frigate
+import authentik code
--- a/caddy/docker-compose.yml
+++ b/caddy/docker-compose.yml
@@ -13,12 +13,10 @@ services:
      - "443:443"
      - "443:443/udp"
      - "2019:2019"
-    configs:
-      - source: caddyfile
-        target: /etc/caddy/Caddyfile
    volumes:
      - ./data/site:/srv
      - ./data/logs:/logs
+      - ./config:/etc/caddy
      - caddy_data:/data
      - caddy_config:/config

@@ -26,10 +24,6 @@ networks:
  proxy-net:
    external: true

-configs:
-  caddyfile:
-    file: ./Caddyfile
-
 volumes:
  caddy_data:
  caddy_config:
--- a/frigate/config/config.yaml
+++ b/frigate/config/config.yaml
@@ -4,7 +4,7 @@ auth:

 proxy:
  header_map:
-    user: Remote-User
+    user: X-Forwarded-Preferred-Username

 tls:
  enabled: false
--- a/frigate/docker-compose.yml
+++ b/frigate/docker-compose.yml
@@ -20,6 +20,7 @@ services:
    networks:
      - proxy-net
    ports:
+      - "8971:8971"
      - "8554:8554" # RTSP feeds
      - "8555:8555/tcp" # WebRTC over tcp
      - "8555:8555/udp" # WebRTC over udp
Author	SHA1	Message	Date
Chris King	f3bbf41add	Change frigate proxy user header to Authentik configured user header	2025-01-16 14:29:55 -08:00
Chris King	ceb05e3644	Expose frigate UI port to host for troubleshooting and access	2025-01-16 14:29:13 -08:00
Chris King	6040bcba8e	Add home.docker.internal definition to Authentik container Remove env variables from authentik container image	2025-01-16 14:28:39 -08:00
Chris King	9f394b4b97	Move Caddyfile into config/Caddyfile to allow caddy reload to work in Docker Remove caddyfile configs setup in docker-compose.yml Add authentik, redirect, and authentik-forward Caddyfile snippets Move homepage, frigate, and code into Authentik in Caddyfile Add redirect for home to homepage	2025-01-16 14:27:23 -08:00