diff --git a/.env.example b/.env.example
index e386729..b03ff47 100644
--- a/.env.example
+++ b/.env.example
@@ -59,10 +59,21 @@ HOMEPAGE_VAR_WEATHER_CITY=
 HOMEPAGE_VAR_WEATHER_LAT=
 HOMEPAGE_VAR_WEATHER_LONG=
 HOMEPAGE_VAR_WEATHER_UNIT=metric
-# Homepage Basic Authentication (Optional) - Generate hash with htpasswd (e.g., `htpasswd -nb user password`)
-# See README for details. Leave blank to disable auth.
-HOMEPAGE_AUTH_USER=
-HOMEPAGE_AUTH_HASH=
+
+# --- Authelia Settings ---
+# Generate strong random secrets for these using tools like `openssl rand -hex 32`
+AUTHELIA_JWT_SECRET= # Example: your_strong_jwt_secret
+AUTHELIA_SESSION_SECRET= # Example: your_strong_session_secret
+AUTHELIA_STORAGE_ENCRYPTION_KEY= # Example: your_strong_storage_encryption_key
+AUTHELIA_REDIS_PASSWORD= # Example: your_strong_redis_password
+
+# Google OIDC Provider Settings (Get from Google Cloud Console - https://console.cloud.google.com/apis/credentials)
+AUTHELIA_GOOGLE_OIDC_CLIENT_ID= # Example: your-google-client-id.apps.googleusercontent.com
+AUTHELIA_GOOGLE_OIDC_CLIENT_SECRET= # Example: GOCSPX-your-google-client-secret
+
+# Authelia Session Configuration
+AUTHELIA_SESSION_DOMAIN=${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}
+AUTHELIA_DEFAULT_REDIRECT_URL=https://${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}/home
 
 # --- API Keys & Integration Tokens (Optional - Mainly for Homepage Widgets) ---
 # Find API keys within each application's settings (usually Settings > General or Security)
diff --git a/README.md b/README.md
index 043a36a..678c1d6 100644
--- a/README.md
+++ b/README.md
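Review bot: The `# Example: ...` comments sit on the same line as each new secret value, and not every dotenv consumer treats text after an unquoted value as a comment — a loader that takes the rest of the line literally would store ` # Example: your_strong_jwt_secret` as part of the secret, while one that does honour inline comments would truncate any real secret containing `#`. Moving each example onto its own comment line above the key removes the ambiguity, e.g. `# Example: your_strong_jwt_secret` followed by `AUTHELIA_JWT_SECRET=`. The new `AUTHELIA_SESSION_DOMAIN` and `AUTHELIA_DEFAULT_REDIRECT_URL` lines also depend on the file's consumer expanding `${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}`, which Compose does but other tools that read an env file may not; a one-line comment stating that assumption, such as `# Derived values below rely on Compose variable interpolation`, would save a debugging round.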
@@ -86,7 +86,7 @@ These are fundamental for basic operation and permissions.
 * **Note:** Using the correct IDs is crucial for file permissions, especially for accessing media files on the host.
 * `TIMEZONE`: Your local timezone (e.g., `America/New_York`, `Europe/London`, `Asia/Manila`). Find yours from [this list](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones).
 * *Default:* `America/New_York`
-* `HOSTNAME`: The primary hostname or IP address you intend to use to access your services. Traefik uses this for routing. Can be a local IP or a fully qualified domain name (e.g., `tailscale-nas.your-tailnet.ts.net`).
+* `HOSTNAME`: **(Deprecated - Now derived)** The primary hostname used by Traefik for routing. This is now automatically constructed from `TAILSCALE_HOSTNAME` and `TAILSCALE_TAILNET_DOMAIN`. You generally don't need to set this directly unless overriding the default behavior.
 * *Default:* `${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}`
 
 ---
@@ -203,18 +203,29 @@ These settings are for enabling automatic HTTPS certificate generation via Let's
 
 ## Service Access
 
-With the default Tailscale setup, services are securely accessible via HTTPS using your Tailscale node's name or IP, followed by the service path:
+With the default Tailscale setup, services are securely accessible via HTTPS using your Tailscale node's name or IP, followed by the service path. Replace `` with your Tailscale device name (e.g., `tailscale-nas.your-tailnet.ts.net`) or its Tailscale IP address.
 
-* **Homepage:** `https:///`
+* **Homepage:** `https:///home`
 * **Sonarr:** `https:///sonarr`
 * **Radarr:** `https:///radarr`
+* **Lidarr:** `https:///lidarr` (If profile enabled)
+* **Bazarr:** `https:///bazarr`
+* **Jellyseerr:** `https:///jellyseerr`
+* **Prowlarr:** `https:///prowlarr`
 * **qBittorrent:** `https:///qbittorrent`
+* **SABnzbd:** `https:///sabnzbd` (If profile enabled)
 * **Jellyfin:** `https:///jellyfin`
-* ...and so on.
+* **Calibre-Web:** `https:///calibre` (If profile enabled)
+* **AdGuard Home:** `http://:3000` (If profile enabled, access via IP/port initially)
+* **Tandoor Recipes:** `https:///recipes` (If profile enabled)
+* **Joplin Server:** `https:///joplin` (If profile enabled)
+* **Home Assistant:** `http://:8123` (If profile enabled, access via IP/port initially)
+* **Immich:** `http://:2283` (If profile enabled, access via IP/port initially)
 
-Replace `` with your Tailscale device name (e.g., `tailscale-nas.your-tailnet.ts.net`) or its Tailscale IP address.
-
-If you configure DNS for your `HOSTNAME` variable to point to the Tailscale IP, you can use `https:///`.
+**Note:**
+* `` refers to the full Tailscale name (e.g., `tailscale-nas.your-tailnet.ts.net`).
+* `` refers to the Tailscale IP address of the NAS.
+* Some services (AdGuard, HA, Immich) might require initial setup via their direct IP and port before Tailscale/Traefik routing is fully effective or configured within the application.
 Authentication for most services will be handled by Authelia (configured later).
 
 ## Optional Services
diff --git a/docker-compose.yml b/docker-compose.yml
index 632d132..2f3263f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -131,7 +131,7 @@ services:
 retries: 10
 labels:
 - traefik.enable=true
- - traefik.http.routers.bazarr.rule=PathPrefix(`/bazarr`)
+ - traefik.http.routers.bazarr.rule=Host(`${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}`) && PathPrefix(`/bazarr`)
 - traefik.http.routers.bazarr.entrypoints=web
 - traefik.http.services.bazarr.loadbalancer.server.port=6767
 - homepage.group=Download
@@ -289,7 +289,7 @@ services:
 retries: 10
 labels:
 - traefik.enable=true
- - traefik.http.routers.qbittorrent.rule=PathPrefix(`/qbittorrent`)
+ - traefik.http.routers.qbittorrent.rule=Host(`${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}`) && PathPrefix(`/qbittorrent`)
 - traefik.http.routers.qbittorrent.entrypoints=web
 - traefik.http.services.qbittorrent.loadbalancer.server.port=8080
 - traefik.http.routers.qbittorrent.middlewares=qbittorrent-strip-slash,qbittorrent-stripprefix
@@ -359,7 +359,7 @@ services:
 - PUID=${USER_ID}
 - PGID=${GROUP_ID}
 - TZ=${TIMEZONE}
- - JELLYFIN_PublishedServerUrl=${HOSTNAME}/jellyfin
+ - JELLYFIN_PublishedServerUrl=${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}/jellyfin
 volumes:
 - ${CONFIG_ROOT:-.}/jellyfin:/config:Z
 - ${DATA_ROOT}:/data:Z
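Review bot: Adding `Host(...)` to the bazarr router (and likewise to qbittorrent here, calibre in the -404 hunk and homepage in the -478 hunk) means requests addressed by Tailscale IP no longer match these routes, yet the README hunk in this same commit still tells users each service is reachable via the node's IP as well as its name; one of the two needs to change, either by documenting name-only access or by accepting the IP as a second `Host()` alternative. The README also says `HOSTNAME` can still be set to override the derived value, but these rules and the jellyfin `JELLYFIN_PublishedServerUrl` line hard-code `${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}` instead of `${HOSTNAME}`, so an override would have no effect on routing; deriving the name once in .env and keeping `${HOSTNAME}` in the labels would match the documented behaviour and remove five copies of the same expression. If either Tailscale variable is left empty the rule degrades to a host that nothing will ever send, and every route silently 404s; Compose's required-variable form, e.g. `Host(\`${TAILSCALE_HOSTNAME:?}.${TAILSCALE_TAILNET_DOMAIN:?}\`)`, would fail at `compose up` instead.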
@@ -404,7 +404,7 @@ services:
 - traefik.http.middlewares.calibre-headers.headers.customRequestHeaders.X-Script-Name=/calibre
 - traefik.http.middlewares.calibre-stripprefixregex.stripPrefixRegex.regex=/calibre
 - traefik.http.routers.calibre.middlewares=calibre-headers,calibre-stripprefixregex
- - traefik.http.routers.calibre.rule=PathPrefix(`/calibre`)
+ - traefik.http.routers.calibre.rule=Host(`${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}`) && PathPrefix(`/calibre`)
 - traefik.http.routers.calibre.entrypoints=web
 - traefik.http.services.calibre.loadbalancer.server.port=8083
 - homepage.group=Media
@@ -467,11 +467,8 @@ services:
 - HOMEPAGE_VAR_WEATHER_LONG=${HOMEPAGE_VAR_WEATHER_LONG}
 - HOMEPAGE_VAR_WEATHER_TIME=${TIMEZONE}
 - HOMEPAGE_VAR_WEATHER_UNIT=${HOMEPAGE_VAR_WEATHER_UNIT}
- # Allow access from localhost, the service name, and the primary HOSTNAME
- - HOMEPAGE_ALLOWED_HOSTS=localhost,homepage,${HOSTNAME}
- # Pass auth user/hash if set (optional, for potential future use by homepage itself, though Traefik handles it)
- - HOMEPAGE_AUTH_USER=${HOMEPAGE_AUTH_USER}
- - HOMEPAGE_AUTH_HASH=${HOMEPAGE_AUTH_HASH}
+ # Explicitly allow the hostname constructed from Tailscale variables
+ - HOMEPAGE_ALLOWED_HOSTS=${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}
 volumes:
 - ${CONFIG_ROOT:-.}/homepage:/app/config:Z
 - /var/run/docker.sock:/var/run/docker.sock:ro
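Review bot: The new `HOMEPAGE_ALLOWED_HOSTS` value drops `localhost` and the `homepage` service name that the removed line carried, leaving only the Tailscale FQDN, so any caller that reaches the container by those names — a `localhost`-based healthcheck or another service on the compose network — will now be rejected by the host allowlist; the removed comment documented exactly that purpose. Unless such callers are known not to exist, keep them: `- HOMEPAGE_ALLOWED_HOSTS=localhost,homepage,${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}`. The homepage service's healthcheck, if it has one, lies outside this hunk, so whether it is affected cannot be confirmed from here.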
@@ -481,12 +478,10 @@ services:
 [sh, -c, "cp -n /app/config/tpl/*.yaml /app/config && node server.js"]
 labels:
 - traefik.enable=true
- - traefik.http.routers.homepage.rule=PathPrefix(`/`)
+ # Change path to /home and use specific Tailscale host
+ - traefik.http.routers.homepage.rule=Host(`${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}`) && PathPrefix(`/home`)
 - traefik.http.routers.homepage.entrypoints=web
- # Define Basic Auth Middleware (only active if HOMEPAGE_AUTH_HASH is set in .env)
- - traefik.http.middlewares.homepage-auth.basicAuth.users=${HOMEPAGE_AUTH_HASH}
- # Apply Middleware to Router
- - traefik.http.routers.homepage.middlewares=homepage-auth@docker
+ # Authelia middleware will be added in a later commit
 - traefik.http.services.homepage.loadbalancer.server.port=3000
 watchtower:
 image: ghcr.io/containrrr/watchtower:latest
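Review bot: Removing the `homepage-auth` basicAuth middleware while deferring the Authelia middleware to "a later commit" leaves the homepage router with no authentication at all at this commit, on a container that mounts the Docker socket (see the -467 hunk) and is the consumer of the widget API keys described in .env.example; anyone who can reach the `web` entrypoint — presumably the whole tailnet — gets the dashboard. Keep the four removed basicAuth lines until the Authelia forward-auth middleware is actually attached, or land both changes in one commit, so the history contains no unauthenticated window. Separately, the router now matches `PathPrefix(\`/home\`)` with no strip-prefix middleware, so the app receives paths under `/home`, unlike the qbittorrent and calibre routers in this file which pair their prefix with stripprefix middlewares; whether Homepage serves correctly from a sub-path is not visible here and should be confirmed before the `/home` links in the README are relied on.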