stackryze · VishnuByrraju · Jan 17, 2026 · Jan 5, 2026 · Jan 6, 2026 · Jan 6, 2026
diff --git a/docker-compose.proxy-example.yml b/docker-compose.proxy-example.yml
@@ -0,0 +1,159 @@
+version: "3.8"
+
+# Example: Protecting applications with oauth2-proxy + Atom OIDC
+# Each app gets its own oauth2-proxy sidecar container
+
+services:
+  # ============================================================================
+  # Atom Dashboard (SSO Provider)
+  # ============================================================================
+  atom:
+    build: .
+    container_name: atom-dashboard
+    ports:
+      - "3000:3000"
+    environment:
+      - OAUTH_ISSUER_URL=http://atom:3000 # Change to your domain in production
+      - DATA_DIR=/app/data
+    volumes:
+      - ./data:/app/data
+    networks:
+      media_stack:
+        ipv4_address: 172.30.0.2
+    restart: unless-stopped
+
+  # ============================================================================
+  # Example 1: Grafana with oauth2-proxy
+  # ============================================================================
+  grafana:
+    image: grafana/grafana:latest
+    container_name: grafana
+    environment:
+      # Configure Grafana to trust proxy headers
+      - GF_AUTH_PROXY_ENABLED=true
+      - GF_AUTH_PROXY_HEADER_NAME=X-Forwarded-User
+      - GF_AUTH_PROXY_AUTO_SIGN_UP=true
+      - GF_USERS_ALLOW_SIGN_UP=false
+    volumes:
+      - grafana_data:/var/lib/grafana
+    networks:
+      media_stack:
+        ipv4_address: 172.30.0.10
+
+  grafana-auth:
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+    container_name: grafana-auth
+    command:
+      - --provider=oidc
+      - --oidc-issuer-url=http://172.30.0.2:3000 # Atom's IP
+      - --client-id=CHANGE_ME # Create in Atom UI
+      - --client-secret=CHANGE_ME # Create in Atom UI
+      - --cookie-secret=CHANGE_ME_32_CHARS_RANDOM # Generate with: openssl rand -base64 32
+      - --redirect-url=http://localhost:8080/oauth2/callback # Change to your domain
+      - --upstream=http://172.30.0.10:3000 # Grafana's IP
+      - --email-domain=*
+      - --pass-user-headers=true
+      - --pass-access-token=true
+      - --cookie-secure=false # Set to true in production with HTTPS
+      - --http-address=0.0.0.0:4180
+    ports:
+      - "8080:4180"
+    networks:
+      media_stack:
+        ipv4_address: 172.30.0.11
+    depends_on:
+      - atom
+      - grafana
+    restart: unless-stopped
+
+  # ============================================================================
+  # Example 2: Sonarr with oauth2-proxy
+  # ============================================================================
+  sonarr:
+    image: linuxserver/sonarr:latest
+    container_name: sonarr
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Asia/Kolkata
+    volumes:
+      - ./sonarr:/config
+    networks:
+      media_stack:
+        ipv4_address: 172.30.0.12
+
+  sonarr-auth:
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+    container_name: sonarr-auth
+    command:
+      - --provider=oidc
+      - --oidc-issuer-url=http://172.30.0.2:3000
+      - --client-id=CHANGE_ME_SONARR
+      - --client-secret=CHANGE_ME_SONARR
+      - --cookie-secret=CHANGE_ME_32_CHARS_RANDOM_DIFFERENT
+      - --redirect-url=http://localhost:8989/oauth2/callback
+      - --upstream=http://172.30.0.12:8989
+      - --email-domain=*
+      - --pass-user-headers=true
+      - --cookie-secure=false
+      - --http-address=0.0.0.0:4180
+    ports:
+      - "8989:4180"
+    networks:
+      media_stack:
+        ipv4_address: 172.30.0.13
+    depends_on:
+      - atom
+      - sonarr
+    restart: unless-stopped
+
+  # ============================================================================
+  # Example 3: Radarr with oauth2-proxy
+  # ============================================================================
+  radarr:
+    image: linuxserver/radarr:latest
+    container_name: radarr
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Asia/Kolkata
+    volumes:
+      - ./radarr:/config
+    networks:
+      media_stack:
+        ipv4_address: 172.30.0.14
+
+  radarr-auth:
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+    container_name: radarr-auth
+    command:
+      - --provider=oidc
+      - --oidc-issuer-url=http://172.30.0.2:3000
+      - --client-id=CHANGE_ME_RADARR
+      - --client-secret=CHANGE_ME_RADARR
+      - --cookie-secret=CHANGE_ME_32_CHARS_RANDOM_YET_ANOTHER
+      - --redirect-url=http://localhost:7878/oauth2/callback
+      - --upstream=http://172.30.0.14:7878
+      - --email-domain=*
+      - --pass-user-headers=true
+      - --cookie-secure=false
+      - --http-address=0.0.0.0:4180
+    ports:
+      - "7878:4180"
+    networks:
+      media_stack:
+        ipv4_address: 172.30.0.15
+    depends_on:
+      - atom
+      - radarr
+    restart: unless-stopped
+
+volumes:
+  grafana_data:
+
+networks:
+  media_stack:
+    driver: bridge
+    ipam:
+      config:
+        - subnet: 172.30.0.0/24
diff --git a/docs/QUICK_SETUP.md b/docs/QUICK_SETUP.md
@@ -0,0 +1,177 @@
+# Quick Setup Guide - oauth2-proxy with Atom
+
+## Prerequisites
+
+1. **Atom dashboard running** on `http://atom:3000` (or your domain)
+2. **Docker & Docker Compose** installed
+
+## Setup Steps
+
+### Step 1: Generate Cookie Secret
+
+For each oauth2-proxy container, generate a unique cookie secret:
+
+```bash
+openssl rand -base64 32 | tr -- '+/' '-_'
+```
+
+Example output: `abc123DEF456ghi789JKL012mno345PQR=`
+
+### Step 2: Create OAuth Clients in Atom
+
+For each application, create an OAuth client:
+
+**Via Atom UI:**
+1. Go to `http://localhost:3000/settings`
+2. Scroll to "SSO Provider" section
+3. Click "Add Application"
+4. Fill in:
+   - **Name**: `Grafana` (or app name)
+   - **Redirect URIs**: `http://localhost:8080/oauth2/callback` (match your setup)
+   - **Allowed Scopes**: Select `openid`, `profile`, `email`
+5. Click "Create"
+6. **Copy the Client ID and Client Secret** (you'll need these!)
+
+**Repeat for each app** (Sonarr, Radarr, etc.)
+
+### Step 3: Update docker-compose.yml
+
+Replace all `CHANGE_ME` values in `docker-compose.proxy-example.yml`:
+
+```yaml
+grafana-auth:
+  command:
+    - --client-id=abc123-from-atom-ui
+    - --client-secret=secret456-from-atom-ui
+    - --cookie-secret=xyz789-generated-above
+    - --redirect-url=http://localhost:8080/oauth2/callback  # Your actual URL
+```
+
+### Step 4: Start Services
+
+```bash
+docker-compose -f docker-compose.proxy-example.yml up -d
+```
+
+### Step 5: Test
+
+1. Visit `http://localhost:8080` (Grafana via proxy)
+2. You'll be redirected to Atom login
+3. Login with your Atom credentials
+4. Redirected back to Grafana (auto-logged in!)
+
+## Access URLs
+
+After setup:
+
+- **Atom Dashboard**: `http://localhost:3000`
+- **Grafana** (protected): `http://localhost:8080`
+- **Sonarr** (protected): `http://localhost:8989`
+- **Radarr** (protected): `http://localhost:7878`
+
+## Adding More Apps
+
+To protect a new application:
+
+1. **Add the app service** to docker-compose.yml
+2. **Add oauth2-proxy sidecar**:
+   ```yaml
+   myapp-auth:
+     image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+     command:
+       - --provider=oidc
+       - --oidc-issuer-url=http://172.30.0.2:3000
+       - --client-id=myapp-client
+       - --client-secret=myapp-secret
+       - --cookie-secret=unique-32-chars
+       - --redirect-url=http://localhost:PORT/oauth2/callback
+       - --upstream=http://myapp:INTERNAL_PORT
+       - --email-domain=*
+       - --pass-user-headers=true
+     ports:
+       - "PORT:4180"
+   ```
+3. **Create OAuth client** in Atom UI
+4. **Update values** and restart
+
+## Production Tips
+
+### Use HTTPS
+
+```yaml
+command:
+  - --cookie-secure=true
+  - --redirect-url=https://grafana.yourdomain.com/oauth2/callback
+```
+
+Update Atom:
+```yaml
+atom:
+  environment:
+    - OAUTH_ISSUER_URL=https://atom.yourdomain.com
+```
+
+### Restrict Users by Email
+
+```yaml
+command:
+  - --email-domain=yourdomain.com  # Only @yourdomain.com emails
+```
+
+### Session Duration
+
+```yaml
+command:
+  - --cookie-expire=12h
+  - --cookie-refresh=1h
+```
+
+## Troubleshooting
+
+### "Invalid client" error
+
+- Check client ID and secret match what's in Atom
+- Verify OAuth client is created in Atom UI
+
+### Redirect loop
+
+- Check `redirect-url` matches the public URL
+- Ensure `cookie-secure=false` for HTTP (dev) or `true` for HTTPS (prod)
+
+### "OIDC discovery failed"
+
+- Verify Atom is running: `http://atom:3000`
+- Test discovery: `curl http://atom:3000/.well-known/openid-configuration`
+
+### Can't access app directly
+
+- This is expected! App is only accessible via oauth2-proxy
+- Access via proxy: `http://localhost:PORT` (not the app's internal port)
+
+## Environment Variables Alternative
+
+Instead of command flags, use environment variables:
+
+```yaml
+grafana-auth:
+  image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+  environment:
+    - OAUTH2_PROXY_PROVIDER=oidc
+    - OAUTH2_PROXY_OIDC_ISSUER_URL=http://172.30.0.2:3000
+    - OAUTH2_PROXY_CLIENT_ID=abc123
+    - OAUTH2_PROXY_CLIENT_SECRET=secret456
+    - OAUTH2_PROXY_COOKIE_SECRET=xyz789
+    - OAUTH2_PROXY_REDIRECT_URL=http://localhost:8080/oauth2/callback
+    - OAUTH2_PROXY_UPSTREAMS=http://172.30.0.10:3000
+    - OAUTH2_PROXY_EMAIL_DOMAINS=*
+    - OAUTH2_PROXY_PASS_USER_HEADERS=true
+```
+
+## Complete Example
+
+See `docker-compose.proxy-example.yml` for working examples with:
+- ✅ Grafana (with proxy header auth)
+- ✅ Sonarr (any web app)
+- ✅ Radarr (any web app)
+
+All protected by Atom SSO!