From 0c526c0588fb9a51955754267a3e1118aa3eec07 Mon Sep 17 00:00:00 2001
From: TheWanderingCrow
Date: Thu, 19 Feb 2026 09:42:46 -0500
Subject: [PATCH] add octoprint
---
 hosts/nixos/HandlerOne/backup.nix | 1 +
 hosts/nixos/HandlerOne/default.nix | 9 +++++++++
 modules/services/octoprint/default.nix | 26 ++++++++++++++++++++++++++
 3 files changed, 36 insertions(+)
 create mode 100644 modules/services/octoprint/default.nix
diff --git a/hosts/nixos/HandlerOne/backup.nix b/hosts/nixos/HandlerOne/backup.nix
index 537a16b..279d299 100644
--- a/hosts/nixos/HandlerOne/backup.nix
+++ b/hosts/nixos/HandlerOne/backup.nix
@@ -23,6 +23,7 @@ let "/var/lib/tuwunel" "/var/lib/paperless/export" + "/var/lib/octoprint" ]; };
diff --git a/hosts/nixos/HandlerOne/default.nix b/hosts/nixos/HandlerOne/default.nix
index ca02a2b..a9c82a6 100644
--- a/hosts/nixos/HandlerOne/default.nix
+++ b/hosts/nixos/HandlerOne/default.nix
@@ -54,6 +54,7 @@
 "modules/services/fail2ban"
 "modules/services/mesh/client.nix"
 "modules/services/auth-provider"
+ "modules/services/octoprint"
 "modules/services/paperless"
 "modules/services/matrix"
 "modules/services/forgejo"
@@ -137,6 +138,14 @@
 inject header Remote-User from name
 inject header Remote-Role from groups
 }
+
+ authorization policy octoprint {
+ set auth url /caddy-security/oauth2/generic
+ allow roles octoprint
+ inject headers with claims
+ inject header Remote-User from name
+ inject header Remote-Role from groups
+ }
 }
 '';
 };
diff --git a/modules/services/octoprint/default.nix b/modules/services/octoprint/default.nix
new file mode 100644
index 0000000..104ba96
--- /dev/null
+++ b/modules/services/octoprint/default.nix
@@ -0,0 +1,26 @@
+{ config, lib, ... }:
+let
+ port = lib.custom.autoport "octoprint";
+in
+{
+ services.caddy.virtualHosts."octoprint.wanderingcrow.net".extraConfig = ''
+ @auth {
+ path /caddy-security/*
+ }
+
+ route @auth {
+ authenticate with myportal
+ }
+ route /* {
+ authorize with octoprint
+ reverse_proxy http://localhost:${builtins.toString config.services.octoprint.port}
+ }
+ '';
+
+ services.octoprint = {
+ inherit port;
+ enable = true;
+ openFirewall = true;
+ };
+
+}
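Review bot: `openFirewall = true;` in the `services.octoprint` block opens the OctoPrint port on the host firewall, so the service stays reachable directly and the `authorize with octoprint` gate in the Caddy vhost above it no longer covers every path to the backend. Since Caddy proxies to `localhost`, the firewall opening looks unnecessary; I would set `openFirewall = false;` and add `host = "127.0.0.1";` so the listener is loopback-only (the NixOS module appears to bind to all interfaces by default, worth confirming for the nixpkgs revision in use). This also matters for the `Remote-User` and `Remote-Role` headers that the new `authorization policy octoprint` in `hosts/nixos/HandlerOne/default.nix` injects, which are only trustworthy if the backend accepts traffic solely from the proxy. Minor style point: `reverse_proxy` could use the `port` binding already in scope instead of reading back `config.services.octoprint.port`.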