Podman Quadlets

Collection of Podman Quadlets, with plenty of documentation!

I personally find that Podman Quadlets do not require that much documentation, but it can be confusing for anyone who isn't already familiar with Docker or Podman. While I am not an expert, I have been figuring out how Quadlets work, and believe I can set up my homeserver in an order that would be considered "good".

My own personal choices

There are a lot of ways to set up Quadlets, but here I will cover the cleanest setup possible that is also functional.

Environment files will be stored in a directory named .envs in the user's home directory, with the naming scheme SERVICE.env. In an ideal world you will be able to easily spot whichever file you should be editing. In each environment file I will include a variable (Q_DOCS) with a link to the documentation of the service, plus the most common variables you will probably need to set up the service.

```nginx
location /api/authz/auth-request {
    internal;
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-URI $request_uri;
    proxy_set_header X-Forwarded-For $remote_addr;

    # Extra settings: don't pass the entire body to auth_request
    proxy_set_header Content-Length "";
    proxy_set_header Connection "";
    proxy_pass_request_body off;

    # URL to send auth_request to. Should be ${APP_URL}/api/authz/auth-request
    proxy_pass http://localhost:3005/api/authz/auth-request;
}

location / {
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-URI $request_uri;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    auth_request /api/authz/auth-request;

    # --- FIX STARTS HERE ---
    # You must "capture" the headers into variables first
    auth_request_set $user $upstream_http_remote_user;
    auth_request_set $groups $upstream_http_remote_groups;
    auth_request_set $email $upstream_http_remote_email;
    auth_request_set $name $upstream_http_remote_name;

    # Then pass those variables as headers to Navidrome
    proxy_set_header Remote-User $user;
    proxy_set_header Remote-Groups $groups;
    proxy_set_header Remote-Email $email;
    proxy_set_header Remote-Name $name;
    # --- FIX ENDS HERE ---

    # If the response code is 401 or 407, redirect to the Location header as if it were a 302.
    # NGINX auth_request cannot handle codes other than 2xx and 4xx; this is a workaround.
    auth_request_set $redirection_url $upstream_http_location;
    error_page 401 =302 $redirection_url;
    error_page 407 =302 $redirection_url;

    proxy_pass $forward_scheme://$server:$port;
}
```
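
A small check for the capture-then-pass order in the FIX section above, added here as an example and not part of the original README: it flags identity headers that read `$upstream_http_*` directly, that use a variable never set by `auth_request_set`, or that are not overridden at all. The function name, the two sample blocks and the backend address are constructed for illustration, and the check assumes it is given the text of a single `location` block.

```python
import re

# Constructed sample: identity headers read straight from $upstream_http_*,
# the pattern the FIX section of the config above replaces.
BEFORE = """
location / {
    auth_request /api/authz/auth-request;
    proxy_set_header Remote-User $upstream_http_remote_user;
    proxy_set_header Remote-Groups $groups;
    proxy_pass http://127.0.0.1:8080;
}
"""

# Constructed sample following the capture-then-pass order of the FIX section.
AFTER = """
location / {
    auth_request /api/authz/auth-request;
    auth_request_set $user $upstream_http_remote_user;
    auth_request_set $groups $upstream_http_remote_groups;
    proxy_set_header Remote-User $user;
    proxy_set_header Remote-Groups $groups;
    proxy_pass http://127.0.0.1:8080;
}
"""

DIRECTIVE = re.compile(
    r"^\s*(auth_request_set|proxy_set_header)\s+(\S+)\s+(.+?);", re.M)

def lint_identity_headers(conf, required=("Remote-User", "Remote-Groups")):
    """Return (header, problem) pairs for one location block's text."""
    directives = DIRECTIVE.findall(conf)
    captured = {n for kind, n, _ in directives if kind == "auth_request_set"}
    sent = {n.lower(): v for kind, n, v in directives
            if kind == "proxy_set_header"}
    findings = []
    for header in required:
        value = sent.get(header.lower())
        if value is None:
            # nginx forwards client request headers unless they are overridden
            findings.append((header, "not overridden by proxy_set_header"))
        elif value.startswith("$upstream_http_"):
            findings.append((header, "uses $upstream_http_* without capture"))
        elif value not in captured:
            findings.append((header, f"{value} has no auth_request_set"))
    return findings

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_identity_headers(conf))
```

Pass the four header names from the config above as `required` to check a block that forwards all of them.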