# Podman Quadlets
Collection of Podman Quadlets, with plenty of documentation!
I personally find that Podman Quadlets do not require much documentation, but they can be confusing for anyone who isn't already familiar with Docker or Podman. While I am not an expert, I have been figuring out how Quadlets work, and I believe I can set up my homeserver in an orderly way that would be considered "good".
## My own personal choices
There are a lot of ways to set up Quadlets, but here I will cover the cleanest setup possible that is also functional.
Environment files will be stored in a directory named `.envs` in the user's home directory, using the naming scheme `SERVICE.env`. Ideally, this makes it easy to spot the file you need to edit. In each environment file I will include a variable (`Q_DOCS`) with a link to the service's documentation, plus the most common variables you will probably need to set up the service. Because these files will often end up holding passwords and tokens, keep the directory and its files readable only by the owning user (for example `chmod 700 ~/.envs` and `chmod 600 ~/.envs/*.env`).
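# Endpoint used by the auth_request directive: nginx sends a subrequest here
# and the authentication service answers whether the original request is
# allowed. (Stray "|" lines from the page extraction are removed; they are
# not valid nginx syntax.)
location /api/authz/auth-request {
    # Only nginx-internal requests (such as auth_request subrequests) may use
    # this location; a client asking for this path directly receives 404.
    internal;

    # Describe the original request to the authentication service.
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-URI $request_uri;
    # $remote_addr is the address of the peer connected to nginx, and
    # proxy_set_header replaces whatever X-Forwarded-For the client sent, so
    # the auth service never sees a client-chosen value. If nginx itself sits
    # behind another proxy, this will be that proxy's address.
    proxy_set_header X-Forwarded-For $remote_addr;

    # The authorization decision needs only the request metadata, so the body
    # is not forwarded and Content-Length is cleared to match.
    proxy_set_header Content-Length "";
    proxy_set_header Connection "";
    proxy_pass_request_body off;

    # URL the auth subrequest is sent to. Should be ${APP_URL}/api/authz/auth-request.
    # This is plain HTTP to localhost; NOTE(review): if the auth service ever
    # moves to another host, switch this hop to HTTPS.
    proxy_pass http://localhost:3005/api/authz/auth-request;
}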
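# Protected application: every request must pass the auth_request subrequest
# to /api/authz/auth-request before it is proxied to the backend.
# (Stray "|" lines from the page extraction are removed; they are not valid
# nginx syntax.)
location / {
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-URI $request_uri;
    # Replaces any client-supplied X-Forwarded-For with the address of the
    # peer connected to nginx.
    proxy_set_header X-Forwarded-For $remote_addr;

    # WebSocket support. NOTE(review): Connection is set to "upgrade" for
    # every request; the usual pattern derives it from $http_upgrade with a
    # map in the http context so ordinary requests are not marked as upgrades.
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    # Authorize the request with a subrequest; a 2xx answer lets it through.
    auth_request /api/authz/auth-request;

    # --- FIX STARTS HERE ---
    # You must "capture" the headers into variables first: auth_request_set
    # reads them from the auth subrequest's response once it has completed.
    auth_request_set $user $upstream_http_remote_user;
    auth_request_set $groups $upstream_http_remote_groups;
    auth_request_set $email $upstream_http_remote_email;
    auth_request_set $name $upstream_http_remote_name;

    # Then pass those variables as headers to Navidrome.
    # proxy_set_header replaces any Remote-* header sent by the client, and a
    # header whose value is empty is not forwarded at all, so only identities
    # issued by the auth service reach the backend through this proxy.
    # The backend must accept these headers only from this proxy: keep its
    # port unreachable from other hosts and limit trusted-header login to the
    # proxy's address in the backend's own configuration.
    proxy_set_header Remote-User $user;
    proxy_set_header Remote-Groups $groups;
    proxy_set_header Remote-Email $email;
    proxy_set_header Remote-Name $name;
    # --- FIX ENDS HERE ---

    # If the auth response is 401 or 407, redirect to its Location header as
    # if it were a 302. NGINX auth_request cannot handle codes other than 2xx
    # and 4xx, so this is a workaround. The redirect target is whatever the
    # auth service returned in Location.
    auth_request_set $redirection_url $upstream_http_location;
    error_page 401 =302 $redirection_url;
    error_page 407 =302 $redirection_url;

    # $forward_scheme, $server and $port are not defined in this snippet;
    # presumably they are set by the surrounding proxy configuration - confirm.
    proxy_pass $forward_scheme://$server:$port;
}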