~/.unplanned
April 13th, 2025

Gollum with Cloudflare Zero Trust for simple SSO

Tools

Gollum is cool, but it comes with no authentication at all. I was content for a day to just keep access to my instance limited to my Tailscale network, but that didn't sit well, so I decided to give Cloudflare Zero Trust a shot, since it's free for small teams and I've got a few other things that currently live behind basic HTTP auth here and there that I wouldn't mind securing a little better.

I set it up by running a cloudflared container on my Synology, which creates a tunnel to Cloudflare. Then I configured Gollum in Cloudflare's Zero Trust dashboard, pointing the config at the local-to-my-network address/port of my Gollum instance. That set up a DNS entry under my infra domain, which allows a basic connection to the app without any auth at all.

With the tunnel in place, you can create policies to apply to a given app. Policies determine what kinds of login methods are available, along with a bunch of other zeroey-trusty endpoint checks, including things like FIDO2 hardware tokens. Included in the methods are all sorts of SSO providers (Google, Azure, OpenID, GitHub, Okta, etc.). I set up GitHub by creating an OAuth app in my account and adding it to the Zero Trust console, then added my GitHub email address to the list of policy requirements.
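Access gates the public hostname, but Gollum itself still has no auth, so a request that reaches the origin's local address directly never meets the policy. The origin (or a small proxy in front of it) can close that gap by serving only requests that carry a valid Cf-Access-Jwt-Assertion token from cloudflared, signed with the keys Cloudflare publishes at the team's /cdn-cgi/access/certs endpoint. The following is an added example, not code from the post or from the Gollum or cloudflared projects; it assumes those public keys have already been loaded into a hash keyed by kid, and the key id, AUD tag, email and timestamp are constructed placeholders.

```ruby
require 'openssl'
require 'json'

# Base64url (RFC 7515, unpadded) via pack/unpack: no gems beyond bundled openssl and json.
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  (s + '=' * ((4 - s.size % 4) % 4)).unpack1('m0')
end

# Validate the token cloudflared forwards in the Cf-Access-Jwt-Assertion header.
# keys: { kid => RSA public key } from the team's certs endpoint; aud: this app's
# AUD tag from the Zero Trust dashboard; now: Unix seconds. Returns the claims
# hash, or raises: a raise means the request did not come through Access.
def verify_access_jwt(token, keys, aud, now = Time.now.to_i)
  parts = token.to_s.split('.')
  raise 'malformed token' unless parts.size == 3
  header = JSON.parse(b64url_decode(parts[0]))
  # Pin the algorithm: a token claiming "none" or HS256 is never acceptable here.
  raise 'unsupported alg' unless header.is_a?(Hash) && header['alg'] == 'RS256'
  key = keys[header['kid']]
  raise 'unknown kid' unless key
  signed = "#{parts[0]}.#{parts[1]}"
  sig = b64url_decode(parts[2])
  raise 'signature verification failed' unless key.verify(OpenSSL::Digest.new('SHA256'), sig, signed)
  claims = JSON.parse(b64url_decode(parts[1]))
  raise 'token expired' unless claims.is_a?(Hash) && claims['exp'].is_a?(Integer) && claims['exp'] > now
  # Access tokens carry aud as a list; our own tag must be present.
  raise 'audience mismatch' unless Array(claims['aud']).include?(aud)
  claims
rescue ArgumentError, JSON::ParserError, OpenSSL::PKey::PKeyError
  raise 'undecodable token'
end

# Stand-in for Cloudflare's issuer, used only to build constructed sample tokens offline.
def sign_for_test(private_key, kid, claims)
  header = { alg: 'RS256', typ: 'JWT', kid: kid }
  signed = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(claims))}"
  "#{signed}.#{b64url_encode(private_key.sign(OpenSSL::Digest.new('SHA256'), signed))}"
end

# Constructed demo values: one RSA key pair stands in for the team's certs endpoint.
DEMO_KEY = OpenSSL::PKey::RSA.new(2048)
DEMO_KEYS = { 'demo-kid' => DEMO_KEY.public_key }
DEMO_AUD = 'constructed-aud-tag' # a real origin uses the app's AUD tag from Zero Trust
DEMO_NOW = 1_744_500_000
token = sign_for_test(DEMO_KEY, 'demo-kid', { 'aud' => [DEMO_AUD], 'email' => 'me@example.com', 'exp' => DEMO_NOW + 600 })
puts verify_access_jwt(token, DEMO_KEYS, DEMO_AUD, DEMO_NOW)['email'] # me@example.com
```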

It was a pretty simple operation I can extend to other stuff running on the Syno. Next up, I think I'll move imgup off of Heroku.

(Update: I guess I'd done a lot to Dockerize imgup before moving it into Heroku, so I didn't have much to do to make it work with Portainer on the Syno. It's up and running and behind GitHub OAuth now. Nice!)