Igor Solutions — Access Control
OAuth architecture for the igorai.* domains. Deployed 2026-06-28.
Architecture
                      VPS (nginx)
                           │
       ┌───────────────────┼───────────────────┐
       │                   │                   │
  igorai.info        igorai.online        igorai.org
                     igorai.store
       │                   │                   │
   🌐 PUBLIC        🔐 oauth2-proxy        🌐 PUBLIC
  static site            :4181              CouchDB
                           │
                      ┌────┴────┐
                      │ Google  │
                      │ Sign-In │
                      └────┬────┘
                           │
                 ┌─────────┴─────────┐
                 │  allowed_emails   │
                 │   _igorai.txt     │
                 └───────────────────┘
OAuth Instances (on VPS)
| Instance | Port | Domains | Allowlist file | Restart command |
|---|---|---|---|---|
| oauth2-proxy | 4180 | *.igorio.space | allowed_emails_igorio.txt | systemctl restart oauth2-proxy |
| oauth2-proxy-igorai | 4181 | igorai.online, igorai.store | allowed_emails_igorai.txt | systemctl restart oauth2-proxy-igorai |
⚠️ Never modify allowed_emails_igorio.txt. It is locked to hhlkoon@gmail.com only and controls access to personal infrastructure (JDownloader, file shares, Spiff).
Managing Igor Solutions Access
Add someone
ssh root@vps
echo "person@gmail.com" >> /etc/oauth2-proxy/allowed_emails_igorai.txt
systemctl restart oauth2-proxy-igorai
One address per line, written the way Google reports it. If the file does not end with a newline, `>>` glues the new address onto the previous line and neither entry matches any more; `tail -c1 /etc/oauth2-proxy/allowed_emails_igorai.txt | wc -l` prints 1 when the trailing newline is present and 0 when it is missing.
Remove someone
ssh root@vps
vim /etc/oauth2-proxy/allowed_emails_igorai.txt
# Delete the line containing their email, save
systemctl restart oauth2-proxy-igorai
The removal takes effect on that user's next request after the restart. An existing sign-in cookie does not keep them in: oauth2-proxy re-checks the session's email against the allowlist on every request and clears the session when it no longer matches, so there is no need to rotate the cookie secret.
See current allowlist
ssh root@vps
cat /etc/oauth2-proxy/allowed_emails_igorai.txt
Verify the service is running
ssh root@vps
systemctl status oauth2-proxy-igorai
ss -tlnp | grep oauth2
Expect `active (running)` from systemctl and a listener on port 4181 from ss (port 4180 belongs to the personal instance, which must also still be listed).
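The add/remove steps above are easy to get wrong by hand (a missing trailing newline, a pasted address with stray whitespace or capitals, or editing the wrong allowlist). The script below is an added example, not tooling from this page; it assumes the documented paths and unit name, runs as root on the VPS, and refuses to touch allowed_emails_igorio.txt under any path.

```bash
#!/bin/sh
# allowlist.sh: idempotent add/remove/list for the Igor Solutions allowlist.
# Added example (not the page's tooling). Assumes the paths and unit name
# documented above; override with ALLOWLIST= / SERVICE= for testing.
set -eu

ALLOWLIST="${ALLOWLIST:-/etc/oauth2-proxy/allowed_emails_igorai.txt}"
SERVICE="${SERVICE:-oauth2-proxy-igorai}"

# Hard stop: the personal allowlist must never be edited by this script.
guard_file() {
  case "$(basename "$1")" in
    allowed_emails_igorio.txt)
      echo "refusing to touch personal allowlist: $1" >&2; return 1 ;;
  esac
}

# Keep entries lower-case and free of whitespace so a paste with a trailing
# space or a capitalised address cannot produce a line that never matches.
normalize_email() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d '[:space:]'
}

# Cheap shape check: exactly one '@' with something on both sides.
valid_email() {
  case "$1" in
    ''|*@*@*|@*|*@) return 1 ;;
    *@*)            return 0 ;;
    *)              return 1 ;;
  esac
}

allowlist_has() { # allowlist_has FILE EMAIL
  grep -Fxqi -- "$(normalize_email "$2")" "$1" 2>/dev/null
}

# Append once. If the file's last line lacks a newline, a bare `echo >>` would
# glue the new address onto it and silently lock both people out; fix that first.
allowlist_add() { # allowlist_add FILE EMAIL
  file="$1"; email="$(normalize_email "$2")"
  guard_file "$file" || return 1
  valid_email "$email" || { echo "not an email address: $2" >&2; return 1; }
  touch "$file"
  if [ -s "$file" ] && [ -n "$(tail -c1 "$file")" ]; then
    printf '\n' >> "$file"
  fi
  if allowlist_has "$file" "$email"; then
    echo "already present: $email"
  else
    printf '%s\n' "$email" >> "$file"
    echo "added: $email"
  fi
}

# Rewrite the file without the address. Writing through `cat >` keeps the
# original inode, owner and mode, which the service user depends on.
allowlist_remove() { # allowlist_remove FILE EMAIL
  file="$1"; email="$(normalize_email "$2")"
  guard_file "$file" || return 1
  tmp="$(mktemp)"
  grep -Fxvi -- "$email" "$file" > "$tmp" || true  # grep -v exits 1 on empty result
  cat "$tmp" > "$file"
  rm -f "$tmp"
  echo "removed: $email"
}

allowlist_list() { sed '/^[[:space:]]*$/d' "$1" | sort; }

# Restart and confirm the unit actually came back before reporting success.
apply_changes() {
  systemctl restart "$SERVICE"
  systemctl is-active --quiet "$SERVICE"
}

main() {
  case "${1:-}" in
    add)    allowlist_add    "$ALLOWLIST" "${2:?email required}" && apply_changes ;;
    remove) allowlist_remove "$ALLOWLIST" "${2:?email required}" && apply_changes ;;
    list)   allowlist_list   "$ALLOWLIST" ;;
    *)      echo "usage: $0 add EMAIL | remove EMAIL | list" >&2; return 2 ;;
  esac
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Usage on the VPS: `./allowlist.sh add person@gmail.com`, `./allowlist.sh remove person@gmail.com`, `./allowlist.sh list`. The restart only happens after the file edit succeeded, and the guard on the file name is checked before anything is written.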
Config Files (on VPS)
| File | Purpose |
|---|---|
| /etc/oauth2-proxy/oauth2-proxy.toml | Primary proxy config (igorio.space, port 4180) |
| /etc/oauth2-proxy/oauth2-proxy-igorai.toml | Igor Solutions proxy config (port 4181) |
| /etc/oauth2-proxy/allowed_emails_igorio.txt | 🔒 Personal allowlist |
| /etc/oauth2-proxy/allowed_emails_igorai.txt | 🔐 Igor Solutions allowlist |
| /etc/systemd/system/oauth2-proxy.service | Primary systemd unit |
| /etc/systemd/system/oauth2-proxy-igorai.service | Igor Solutions systemd unit |
Google OAuth Client
| Field | Value |
|---|---|
| Client ID | 589785179942-7d05kq53j693p3k1vib7lh6i4sp2lvi0.apps.googleusercontent.com |
| Client Secret | Stored in the oauth2-proxy config on the VPS (not reproduced here) |
| Authorized Redirect URIs | https://igorai.online/oauth2/callback, https://igorai.store/oauth2/callback |
| Scopes | profile, email |
To add a redirect URI for a new domain: Google Cloud Console → APIs & Services → Credentials → the OAuth 2.0 Client ID above → Authorized redirect URIs → add `https://<host>/oauth2/callback`. Google matches the registered URI exactly (scheme, host and path), so every gated host needs its own entry.
Adding a New Gated Domain
# 1. Add DNS (A record for the new host, pointing at the VPS)
ionos-manage add igorai.online newsub 66.179.137.105
# 2. Create nginx config on VPS (copy the igorai.online pattern so the oauth2-proxy gate comes with it)
ssh root@vps
cp /etc/nginx/sites-available/igorai.online /etc/nginx/sites-available/newsub.igorai.online
vim /etc/nginx/sites-available/newsub.igorai.online
# Change server_name, update proxy_pass if needed; leave the oauth2-proxy gating directives untouched
# 3. Enable and get SSL (DNS must already resolve to the VPS, or certbot's HTTP challenge fails)
ln -s /etc/nginx/sites-available/newsub.igorai.online /etc/nginx/sites-enabled/
certbot --nginx -d newsub.igorai.online
# 4. Add the redirect URI to Google Cloud Console, exactly as written
# https://newsub.igorai.online/oauth2/callback
# 5. Update cookie_domains and whitelist_domains in oauth2-proxy-igorai.toml so both cover the new host
#    (a leading-dot entry such as ".igorai.online" already covers its subdomains)
vim /etc/oauth2-proxy/oauth2-proxy-igorai.toml
systemctl restart oauth2-proxy-igorai
nginx -t && systemctl reload nginx
# 6. Verify the gate from outside before handing out the URL: an anonymous request must be
#    redirected to sign-in, never answered with 200 from the upstream
curl -s -o /dev/null -w '%{http_code}\n' https://newsub.igorai.online/
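The procedure above has three places where a typo leaves the host reachable but either ungated or unable to log in: the DNS record, the two domain lists in the TOML, and the redirect URI registered with Google. The script below is an added example, not tooling from this page, that checks all of them for one host. It assumes the VPS IP from step 1, the documented config path, that nginx forwards /oauth2/ on the gated host to oauth2-proxy-igorai (the usual oauth2-proxy layout), and that cookie_domains and whitelist_domains are written as single-line TOML arrays such as `cookie_domains = [".igorai.online", ".igorai.store"]`.

```bash
#!/bin/sh
# gate-check.sh: verify a newly gated host end to end.
# Added example (not the page's tooling). Assumptions: VPS_IP from the DNS
# step, CONF at the documented path, nginx routing /oauth2/ to the proxy,
# and the two domain lists as single-line TOML string arrays.
set -eu

VPS_IP="${VPS_IP:-66.179.137.105}"
CONF="${CONF:-/etc/oauth2-proxy/oauth2-proxy-igorai.toml}"

# Print the entries of a single-line TOML string array, one per line.
toml_list() { # toml_list FILE KEY
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\[\(.*\)\].*/\1/p" "$1" \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*"//; s/"[[:space:]]*$//; /^$/d'
}

# A leading-dot entry (".igorai.online") covers the domain itself and every
# subdomain; any other entry must match the host exactly. Note that a suffix
# match on ".igorai.online" does not cover "evil-igorai.online".
domain_covered() { # domain_covered HOST ENTRY...
  host="$1"; shift
  for d in "$@"; do
    case "$d" in
      "$host") return 0 ;;
      .*) case "$host" in "${d#.}"|*"$d") return 0 ;; esac ;;
    esac
  done
  return 1
}

# Both lists must cover the host; otherwise nginx proxies the request but the
# login callback is refused or the session cookie is never set for it.
config_covers() { # config_covers FILE HOST
  conf="$1"; host="$2"; rc=0
  for key in cookie_domains whitelist_domains; do
    # word-splitting of $(toml_list ...) is intended: entries have no spaces
    if domain_covered "$host" $(toml_list "$conf" "$key"); then
      echo "ok   $key covers $host"
    else
      echo "FAIL $key does not cover $host"; rc=1
    fi
  done
  return $rc
}

# The exact string to register on the Google OAuth client, and its
# query-encoded form as it appears in the redirect oauth2-proxy emits.
expected_redirect_uri() { printf 'https://%s/oauth2/callback\n' "$1"; }
redirect_uri_param() { expected_redirect_uri "$1" | sed 's,:,%3A,g; s,/,%2F,g'; }

# Live checks (network; only run from main).
check_dns() { # the A record must point at the VPS
  [ "$(getent hosts "$1" | awk '{print $1; exit}')" = "$VPS_IP" ]
}
check_gate() {
  # Anonymous /oauth2/start must bounce to Google with redirect_uri for this
  # host. Anything else means the gate is miswired or the host is ungated.
  out="$(curl -sS -o /dev/null -w '%{http_code} %{redirect_url}' "https://$1/oauth2/start")"
  case "$out" in
    "302 https://accounts.google.com/"*"redirect_uri=$(redirect_uri_param "$1")"*)
      echo "ok   gate redirects to Google with the right redirect_uri" ;;
    *)  echo "FAIL unexpected response from /oauth2/start: $out"; return 1 ;;
  esac
}

main() {
  host="$1"
  echo "register in Google Cloud Console: $(expected_redirect_uri "$host")"
  config_covers "$CONF" "$host"
  if check_dns "$host"; then echo "ok   $host -> $VPS_IP"
  else echo "FAIL $host does not resolve to $VPS_IP"; fi
  check_gate "$host"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it on the VPS after step 5 as `./gate-check.sh newsub.igorai.online`. The config and DNS checks are pure lookups; the gate check is the one that proves the host is actually protected, because it asks the public endpoint rather than trusting the config.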
Troubleshooting
| Symptom | Check |
|---|---|
| "Sign in with Google" button loops back | Redirect URI not added in Google Cloud Console |
| 401 / 403 after Google sign-in | Email not in allowed_emails_igorai.txt; add it, then restart oauth2-proxy-igorai |
| 502 Bad Gateway | Igor Private Server down or unreachable via Tailscale |
| SSL cert expired | Run `certbot renew --dry-run` to check renewal |
| Service not listening | `journalctl -u oauth2-proxy-igorai -n 50` |