How to Self-Host FizzyDo Behind OAuth2 Proxy

[abdukhashimov]

This setup runs FizzyDo as a private, authenticated application accessible only to users in your Google Workspace or specified email domain.

Architecture

User → Traefik (HTTPS/443) → OAuth2-Proxy (Authentication) → FizzyDo (App)

All requests are intercepted by oauth2-proxy for authentication before reaching FizzyDo. No public registration or unauthenticated access is possible.

Prerequisites

• Docker and Docker Compose installed
• A domain name pointed to your server
• Google OAuth credentials (see setup below)

Google OAuth Setup

1. Go to [Google Cloud Console](https://console.cloud.google.com/)
2. Create a new project or select existing one
3. Navigate to APIs & Services → Credentials
4. Click Create Credentials → OAuth 2.0 Client ID
5. Configure the OAuth consent screen if prompted
6. Application type: Web application
7. Add authorized redirect URI: https://your-domain.com/oauth2/callback
8. Save the Client ID and Client Secret

Environment Configuration

Create a .env file in the same directory as docker-compose.yaml:

# Domain Configuration
FIZZY_DOMAIN=fizzy.yourdomain.com
LE_EMAIL=[email protected]

# OAuth2 Configuration
OAUTH_CLIENT_ID=your-google-client-id
OAUTH_CLIENT_SECRET=your-google-client-secret
OAUTH_COOKIE_SECRET=generated-with-openssl-rand-base64-16
OAUTH_EMAIL_DOMAIN=yourdomain.com  # or * for any Google account

# FizzyDo Configuration
FIZZY_SECRET_KEY_BASE=generate-random-secret-key

# Email Configuration (SMTP)
MAILER_FROM_ADDRESS=[email protected]
SMTP_ADDRESS=smtp.gmail.com
SMTP_PORT=587
SMTP_USERNAME=your-smtp-username
SMTP_PASSWORD=your-smtp-password

# Web Push Notifications (optional)
VAPID_PRIVATE_KEY=generate-vapid-private-key
VAPID_PUBLIC_KEY=generate-vapid-public-key

# S3 Storage (optional)
ACTIVE_STORAGE_SERVICE=local  # or 's3' for S3 storage
S3_BUCKET=your-bucket-name
S3_REGION=us-east-1
S3_ACCESS_KEY_ID=your-access-key
S3_SECRET_ACCESS_KEY=your-secret-key
S3_ENDPOINT=https://s3.amazonaws.com  # or your S3-compatible endpoint
S3_FORCE_PATH_STYLE=false
CSP_CONNECT_SRC=https://your-cdn.com

Generate Required Secrets

# OAuth Cookie Secret (MUST be exactly 16 bytes base64 encoded)
openssl rand -base64 16

# FizzyDo Secret Key Base
openssl rand -hex 64

# VAPID Keys (for web push notifications)
npx web-push generate-vapid-keys

Deployment

1. Clone or create your setup directory:

   mkdir ~/fizzy && cd ~/fizzy

2. Create the docker-compose.yaml and .env files (see above)

3. Start the services:

   docker-compose up -d

4. Check logs:

   docker-compose logs -f

5. Access your application:

   • Navigate to https://your-domain.com
   • You'll be redirected to Google OAuth login
   • After authentication, you'll access FizzyDo

Authentication Behavior

• First visit: Redirected to Google OAuth login
• Session: Cookie-based, persists across browser sessions
• No public access: All routes require authentication
• No registration page: OAuth handles user authentication

Restricting Access

Allow only specific domain:

OAUTH_EMAIL_DOMAIN=mycompany.com

Allow multiple domains:

OAUTH_EMAIL_DOMAIN=domain1.com,domain2.com

Allow any Google account:

OAUTH_EMAIL_DOMAIN=*

Maintenance

# Update all services
docker-compose pull
docker-compose up -d

# Restart specific service
docker-compose restart fizzy

# View logs
docker-compose logs -f fizzy

# Stop all services
docker-compose down

# Stop and remove volumes (WARNING: deletes all data)
docker-compose down -v

Docker Compose File

services:
  # -------------------------
  # Traefik (optional if you already run it)
  # -------------------------
  traefik:
    image: traefik:v2.11
    container_name: traefik
    restart: unless-stopped
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.le.acme.tlschallenge=true"
      - "--certificatesresolvers.le.acme.email=${LE_EMAIL}"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
    ports:
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
    networks:
      - traefik

  # -------------------------
  # OAuth2 Proxy
  # -------------------------
  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
    container_name: oauth2-proxy
    restart: unless-stopped
    environment:
      OAUTH_CLIENT_ID: ${OAUTH_CLIENT_ID}
      OAUTH_CLIENT_SECRET: ${OAUTH_CLIENT_SECRET}
      OAUTH_COOKIE_SECRET: ${OAUTH_COOKIE_SECRET}
    command:
      - --provider=google
      - --email-domain=${OAUTH_EMAIL_DOMAIN}
      - --http-address=0.0.0.0:4180
      # KEY CHANGE: Point upstream to FizzyDo instead of static response
      - --upstream=http://fizzy:3000
      - --cookie-secure=true
      - --cookie-secret=${OAUTH_COOKIE_SECRET}
      - --client-id=${OAUTH_CLIENT_ID}
      - --client-secret=${OAUTH_CLIENT_SECRET}
      - --redirect-url=https://${FIZZY_DOMAIN}/oauth2/callback
      # Pass headers to upstream
      - --pass-access-token=true
      - --pass-user-headers=true
      - --set-xauthrequest=true
    labels:
      - "traefik.enable=true"
      # Route ALL traffic through oauth2-proxy
      - "traefik.http.routers.oauth.rule=Host(`${FIZZY_DOMAIN}`)"
      - "traefik.http.routers.oauth.entrypoints=websecure"
      - "traefik.http.routers.oauth.tls.certresolver=le"
      - "traefik.http.services.oauth.loadbalancer.server.port=4180"
    networks:
      - traefik

  # -------------------------
  # FizzyDo
  # -------------------------
  fizzy:
    build:
      context: 'https://github.com/basecamp/fizzy.git#main'
      dockerfile: Dockerfile
    container_name: fizzy
    restart: unless-stopped
    environment:
      - SECRET_KEY_BASE=${FIZZY_SECRET_KEY_BASE}
      - BASE_URL=https://${FIZZY_DOMAIN}

      # Email
      - MAILER_FROM_ADDRESS=${MAILER_FROM_ADDRESS}
      - SMTP_ADDRESS=${SMTP_ADDRESS}
      - SMTP_PORT=${SMTP_PORT}
      - SMTP_USERNAME=${SMTP_USERNAME}
      - SMTP_PASSWORD=${SMTP_PASSWORD}

      # Web Push
      - VAPID_PRIVATE_KEY=${VAPID_PRIVATE_KEY}
      - VAPID_PUBLIC_KEY=${VAPID_PUBLIC_KEY}

      # S3 Storage
      - ACTIVE_STORAGE_SERVICE=${ACTIVE_STORAGE_SERVICE}
      - S3_BUCKET=${S3_BUCKET}
      - S3_REGION=${S3_REGION}
      - S3_ACCESS_KEY_ID=${S3_ACCESS_KEY_ID}
      - S3_SECRET_ACCESS_KEY=${S3_SECRET_ACCESS_KEY}
      - S3_ENDPOINT=${S3_ENDPOINT}
      - S3_FORCE_PATH_STYLE=${S3_FORCE_PATH_STYLE}
      - CSP_CONNECT_SRC=${CSP_CONNECT_SRC}

    volumes:
      - fizzy-storage:/rails/storage
      - fizzy-db-backup:/backup

    # FizzyDo no longer needs Traefik labels - oauth2-proxy handles routing
    networks:
      - traefik

# -------------------------
# Networks & Volumes
# -------------------------
networks:
  traefik:

volumes:
  fizzy-storage:
  fizzy-db-backup:

So far above configuration is working for me

Thanks a lot for everyone who contributed to this codebase