From 5aeef62cbe3245494dab86162870782d1c21cfa9 Mon Sep 17 00:00:00 2001
From: Teal Bauer
Date: Mon, 19 Jan 2026 17:36:17 +0100
Subject: [PATCH] feat(relay): add relive-ui support with authentik SSO
---
 .../templates/nginx/relay-consul.ctmpl.j2 | 56 +++++++++++++++++++
 1 file changed, 56 insertions(+)
diff --git a/ansible/roles/relay/templates/nginx/relay-consul.ctmpl.j2 b/ansible/roles/relay/templates/nginx/relay-consul.ctmpl.j2
index 0ecbda25..a5eaa708 100644
--- a/ansible/roles/relay/templates/nginx/relay-consul.ctmpl.j2
+++ b/ansible/roles/relay/templates/nginx/relay-consul.ctmpl.j2
@@ -56,6 +56,13 @@ upstream icecast {
 keepalive 1000;
 }
 
+{% if relay_relive_ui is defined and relay_relive_ui|bool %}
+# relive-ui Rails app
+upstream relive-ui {
+ server unix:///var/run/relive-ui/puma.sock fail_timeout=0;
+}
+{% endif %}
+
 # relay vhost
 server {
 server_name _;
@@ -503,4 +510,53 @@ server {
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 }
+
+{% if relay_relive_ui is defined and relay_relive_ui|bool %}
+ # authentik outpost for SSO
+ location /outpost.goauthentik.io {
+ proxy_pass https://{{ relay_relive_ui_sso_host | default('sso.c3voc.de') }}/outpost.goauthentik.io;
+ proxy_set_header Host $host;
+ proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+ add_header Set-Cookie $auth_cookie;
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+ }
+
+ location @goauthentik_proxy_signin {
+ internal;
+ add_header Set-Cookie $auth_cookie;
+ return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
+ }
+
+ # relive-ui Rails app (fallback for unmatched paths)
+ location / {
+ auth_request /outpost.goauthentik.io/auth/nginx;
+ error_page 401 = @goauthentik_proxy_signin;
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ add_header Set-Cookie $auth_cookie;
+
+ # translate headers from the outpost back to the upstream
+ auth_request_set $authentik_username $upstream_http_x_authentik_username;
+ auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+ auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
+ auth_request_set $authentik_email $upstream_http_x_authentik_email;
+ auth_request_set $authentik_name $upstream_http_x_authentik_name;
+ auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
+
+ proxy_pass http://relive-ui;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Pass authentik headers to upstream
+ proxy_set_header X-authentik-username $authentik_username;
+ proxy_set_header X-authentik-name $authentik_name;
+ proxy_set_header X-authentik-email $authentik_email;
+ proxy_set_header X-authentik-uid $authentik_uid;
+ proxy_set_header X-authentik-groups $authentik_groups;
+ proxy_set_header X-authentik-entitlements $authentik_entitlements;
+ }
+{% endif %}
 }
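Review bot: The `proxy_pass https://{{ relay_relive_ui_sso_host | default('sso.c3voc.de') }}/outpost.goauthentik.io;` in the new `/outpost.goauthentik.io` location is what every `auth_request` from `location /` relies on, yet the hunk sets no `proxy_ssl_*` directives; nginx's `proxy_ssl_verify` defaults to off and no SNI is sent without `proxy_ssl_server_name on`, so unless these are inherited from the enclosing `server` or `http` context (the `server` block starts outside this hunk) the outpost's certificate is never validated and a host interposed between the relay and the SSO host could answer the auth sub-request with a 200. Add `proxy_ssl_server_name on;`, `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate <path-to-system-CA-bundle>;` to the outpost location, or a shared `proxy_ssl_*` block at server level if other HTTPS upstreams need the same. Separately, `add_header Set-Cookie $auth_cookie;` inside `location /` and the two new locations suppresses any `add_header` inherited from server level for those locations (nginx inherits `add_header` only when the current level has none), so if server-wide security headers are configured outside the hunk they would silently stop being sent on relive-ui responses; worth confirming against the rest of the template.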