Authenticating Navidrome over Tailscale
Why reach for OIDC when “trust me bro” do trick?
I’m trying to self-host more things, including, starting recently, my music library. After some research, it seems like Navidrome is what everyone uses for this. I set up a copy on my NAS[1], and exposed it onto my Tailscale network with Tailscale Serve, because it prevents me from having to worry about SSL certificate renewal stuff.
Annoyingly, it seems like the only authentication scheme that Navidrome supports is username/password. If it supported OIDC, I might be able to use something like tsidp to delegate authentication to presence on the tailnet itself, but it seems like that doesn’t exist yet.
What does exist, however, is Reverse Proxy Authentication. Basically, if your reverse proxy can authenticate the user and put the username in an HTTP header, Navidrome will believe it. Because that is horrifyingly dangerous, the only way to enable this is to provide an IP allowlist of trusted reverse proxy addresses. Fair enough, I suppose.
It also lets you specify a custom HTTP header that the claimed username will be in, which is good because that means I can use the identity headers that Serve provides to its upstreams[2]. Specifically, Tailscale-User-Login will be populated by the client’s Tailscale login (either their email address or something like tendstofortytwo@passkey).
So if your Navidrome is exposed over Tailscale Serve and you add this to your navidrome.toml:
ReverseProxyUserHeader = "Tailscale-User-Login"
ReverseProxyWhitelist = "127.0.0.0/8,::1/128"
You get authentication for free! Also, anything on that machine’s localhost might be able to impersonate any user by setting that header manually, but I asked my threat model and she said it’s okay[3].
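To make the trust boundary concrete, here is an added example (my own model of the scheme, not Navidrome’s code) of how a reverse-proxy-auth check decides which identity to believe: the header only counts when the TCP peer is inside the allowlist. With the allowlist from the config above, a request Serve forwards from loopback is trusted, a tailnet peer talking to the listener directly with a forged header is ignored, and a local process on the NAS setting the header is also trusted, which is exactly the footnote-3 caveat. The request addresses and usernames are constructed for illustration.

```python
# Added example modelling reverse-proxy header trust; this is NOT Navidrome's
# implementation, just the decision rule the post describes.
import ipaddress


def parse_allowlist(spec: str):
    """Parse a comma-separated CIDR list such as the ReverseProxyWhitelist value."""
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in spec.split(",") if c.strip()]


def effective_user(remote_addr: str, headers: dict, allowlist,
                   header_name: str = "Tailscale-User-Login"):
    """Return the identity a reverse-proxy-auth scheme would accept, or None.

    The header is believed only when the TCP peer (remote_addr) falls inside
    the allowlist; otherwise it is ignored and the request would fall back to
    the normal username/password login (None here).
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in allowlist):
        return None
    # HTTP header names are case-insensitive, so normalise before matching.
    wanted = header_name.lower()
    for name, value in headers.items():
        if name.lower() == wanted and value.strip():
            return value.strip()
    return None


ALLOWLIST = parse_allowlist("127.0.0.0/8,::1/128")  # the value from the post

# Constructed requests (addresses and logins are made up):
# 1. Tailscale Serve forwarding a tailnet user; Serve connects from loopback.
SERVE_REQ = ("127.0.0.1", {"Tailscale-User-Login": "tendstofortytwo@passkey"})
# 2. A tailnet peer hitting the Navidrome listener directly with a forged header.
DIRECT_REQ = ("100.64.0.7", {"Tailscale-User-Login": "someone-else@example.com"})
# 3. Another process on the NAS itself setting the header (the localhost caveat).
LOCAL_REQ = ("127.0.0.1", {"tailscale-user-login": "someone-else@example.com"})

if __name__ == "__main__":
    for label, (addr, hdrs) in [("serve", SERVE_REQ), ("direct", DIRECT_REQ),
                                ("local", LOCAL_REQ)]:
        print(f"{label}: peer={addr} -> {effective_user(addr, hdrs, ALLOWLIST)}")
```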
- [1] I run everything on my NAS. Navidrome, Jellyfin, Nextcloud, whatever. I don’t understand how people have homelabs bigger than one computer when one computer these days has so much compute that it can essentially do everything.
- [2] Is “upstream” a good word for the thing behind a reverse proxy? Let me know in the comments section down below.
- [3] Ask your threat model if ReverseProxyWhitelist is right for you today!