Add README.md

README.md

@@ -0,0 +1,77 @@
+I've just set this up using Cloudflare Tunnels and a SaaS app for Immich. This assumes you've already set up an Auth Provider in Cloudflare Zero Trust Settings/Authentication. An example setup for Google can be found [here](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/set-up-warp/).
+
+## Cloudflare Zero Trust / Networks Configuration
+
+1. **Setup a Public Hostname**  
+   Create a public hostname in `Networks/Tunnels` for your tunnel (e.g., `immich.yourdomain.com`) with no access control.
+
+2. **Create a SaaS Application**  
+   In Cloudflare Access, set up a SaaS application called **Immich**.
+
+3. **OAuth Setup**  
+   Follow the OAuth setup for Immich as detailed [here](https://developers.cloudflare.com/cloudflare-one/setup/).
+
+4. **Redirect URIs Configuration**  
+   In Cloudflare, configure the redirect URIs for Mobile, Local IP, and Hostname (the "public hostname" set in step 1):
+   - `https://immich.yourdomain.com/api/oauth/mobile-redirect`
+   - `http://local_IP:2283/auth/login`
+   - `http://local_IP:2283/user-settings`
+   - `https://immich.yourdomain.com/auth/login`
+   - `https://immich.yourdomain.com/user-settings`
+
+   **Note:** Replace `local_IP` with the local LAN IP address for the Immich server, and `immich.yourdomain.com` with your public domain.
+
+5. **OpenID Connect (OIDC) Configuration**  
+   - Choose **OpenID Connect (OIDC)**.
+   - Set **Scopes** to `openid email profile`.
+   - Ensure you have at least the following Redirect URIs/Origins configured:
+     - `https://immich.yourdomain.com/api/oauth/mobile-redirect`
+     - `http://local_IP:2283/auth/login`
+     - `http://local_IP:2283/user-settings`
+     - `https://immich.yourdomain.com/auth/login`
+     - `https://immich.yourdomain.com/user-settings`
+
+6. **Disable PKCE**  
+   Disable **Proof Key for Code Exchange (PKCE)**.
+
+7. **App Launcher URL**  
+   Set your App Launcher URL to your public hostname: `https://immich.yourdomain.com/`.
+
+8. **Custom Icon Link**  
+   Add a custom icon link.
+
+## Policy Setup
+
+Under **Policies**, add a policy:
+- **Policy Name:** email
+- **Action:** Allow
+- **Create Additional Rules:** Include Login Methods: Your Auth Provider
+
+Under Authentication, set it to whichever Identity Providers you want to support.
+
+## Immich Configuration
+
+1. Navigate to **Administration/Settings/OAuth Authentication**.
+2. Input the values provided by Cloudflare Access for:
+   - Issuer (Issuer URL)
+   - Client ID
+   - Client Secret
+3. Click **Save**.
+
+### Final Steps in Immich
+
+Once tested and confirmed working, you can do the following:
+- Enable **Auto Launch** to streamline the process.
+- Under **Password Authentication**, disable it (this will force users to use OAuth).
+
+This setup is working perfectly for me and integrates seamlessly with the app!
+
+Citations:
+[1] https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/set-up-warp/
+[2] https://developers.cloudflare.com/cloudflare-one/setup/
+[3] https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/cloudflared/
+[4] https://developers.cloudflare.com/learning-paths/secure-internet-traffic/initial-setup/create-zero-trust-org/
+[5] https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/
+[6] https://www.youtube.com/watch?v=XYWJcS31PwI
+[7] https://developers.cloudflare.com/cloudflare-one/policies/gateway/initial-setup/
+[8] https://community.cloudflare.com/t/how-do-i-set-up-zero-trust-step-by-step/658465