feat: adds TinyAuth

2026-04-07 22:05:59 +01:00 · 2026-04-07 22:05:59 +01:00 · c8120daf41
commit c8120daf41
parent b006551173
3 changed files with 72 additions and 0 deletions
--- a/hosts/lab/default.nix
+++ b/hosts/lab/default.nix
@ -10,6 +10,7 @@
    ./sites.nix
    ./fail2ban.nix
    ./uptime-kuma.nix
+    ./tinyauth.nix
  ];

  networking.hostName = "lab";
--- a/hosts/lab/tinyauth.nix
+++ b/hosts/lab/tinyauth.nix
@ -0,0 +1,46 @@
+{ config, ... }:
+{
+  sops.secrets.tinyauth-users = {
+    sopsFile = ../../secrets/tinyauth.yaml;
+    owner = "podman";
+  };
+
+  services.caddy.extraConfig = ''
+    (tinyauth) {
+      forward_auth localhost:3002 {
+        uri /api/auth/caddy
+        copy_headers Remote-User Remote-Name Remote-Email Remote-Groups
+      }
+    }
+  '';
+
+  services.caddy.virtualHosts."auth.ily.rs" = {
+    extraConfig = ''
+      reverse_proxy localhost:3002
+      encode zstd gzip
+    '';
+  };
+
+  virtualisation.oci-containers.containers.tinyauth = {
+    image = "ghcr.io/steveiliop56/tinyauth:v5.0.6";
+    podman.user = "podman";
+    volumes = [
+      "/srv/tinyauth/data:/data"
+      "${config.sops.secrets.tinyauth-users.path}:/data/users:ro"
+    ];
+    ports = [ "127.0.0.1:3002:3000" ];
+    environment = {
+      TINYAUTH_APPURL = "https://auth.ily.rs";
+      TINYAUTH_AUTH_USERSFILE = "/data/users";
+      TINYAUTH_AUTH_SECURECOOKIE = "true";
+      TINYAUTH_AUTH_TRUSTEDPROXIES = "127.0.0.1";
+      TINYAUTH_ANALYTICS_ENABLED = "false";
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d /srv/tinyauth/data 0750 podman podman -"
+  ];
+
+  systemd.services.podman-tinyauth.serviceConfig.Delegate = true;
+}
--- a/secrets/tinyauth.yaml
+++ b/secrets/tinyauth.yaml
@ -0,0 +1,25 @@
+tinyauth-users: ENC[AES256_GCM,data:AsaAMGZjj2gqeWq/zrK+fIg8wJbVb3r1S2bnPdtn5PujYBOZLWTB49z06u3ResxKEJFUa5AxXhgq5BOmAaNBcg==,iv:aKft/YtN8RNwOsiLcmD6g8RtUfDPaKje+lw0Wka99R4=,tag:NxVhDvdgTyp0n7Ftaa2JbQ==,type:str]
+sops:
+    age:
+        - recipient: age1r8h6gy2f4mu8xvx609qeadl82v2hua74xaevsp982zyfh4tm9qlsu80s0f
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQRlNRQzA1OW5zRkJYU04y
+            bFNheWFCellWZ3RPcnJmODFSTFBPWmtBaVhrCndKdE1INm5IRVo3WEVGcFJ3Zjds
+            RThyUHVpNmd4RnlUZkFnV0gvRU00enMKLS0tIFU1Vk96WWJwbUUzT0tGMHF1cmpn
+            enhnQzk5UUxsRy8zZ0tCei9IbnlkV1UKMXd0PvSyhA7tShqpkIpD0xXIFxOTX0dr
+            fr4C77LiUMuzHKGwUeJAuetrQGukRc7UR0yut7bmJcNAaZX3pFM0Gg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1nq4z2ms4vruhces2f8e7tvgsr0pfg5ha92w0hrmde3n2ulxe4qhqxv05xl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyNURGK3JlQWFiSWpKenNO
+            dXR4eGd5ckFWeWQwNWNtdE9kb2E1RGhUcjJjCnFhS0FKODNzQWpEcnJZSDVtMGdB
+            TE5aZkJsbGpkYnhpbG5USXRHalNrU0UKLS0tIGg0MmNPOW1PN2NsaWF0UnhKRTda
+            Mll0WFJDNWNscHNNM1hNR1c1SGpzN1EKgPW5BTGOy1B1q88phGfrh/ig5T4NoOqm
+            0oRWhc1gibMQ7yeOgaIDyIcQ8uPBcF478DFyDp7JwaTOqIAK+FxUqg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-04-07T21:05:12Z"
+    mac: ENC[AES256_GCM,data:gF3C6c2P9nf0CXhhowVdFDBD38YiasmT+aP7J/nkAQj8T0gDhuwfs6zae5qlGj8JTHAwmpTQszxPHvfNCYpjZVFhxCh2fmZPNfzYPDwLa/6SU6NRkMcHQV9mpIUlD/gznZ+xn2EkCm4c6zpUv2nkuApap25fOk+prMVRS4Ng7rc=,iv:udLiICujJBezn4xtel4bmEdtQiEqv8FyMK/MG5EPBSU=,tag:2sY31wqMT9YZ0FxRtpTwOA==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.2