diff --git a/hosts/lab/default.nix b/hosts/lab/default.nix
index af6e9a1..458ef3d 100644
--- a/hosts/lab/default.nix
+++ b/hosts/lab/default.nix
@@ -10,6 +10,7 @@
 ./sites.nix
 ./fail2ban.nix
 ./uptime-kuma.nix
+ ./tinyauth.nix
 ];
 
 networking.hostName = "lab";
diff --git a/hosts/lab/tinyauth.nix b/hosts/lab/tinyauth.nix
new file mode 100644
index 0000000..cd782e3
--- /dev/null
+++ b/hosts/lab/tinyauth.nix
@@ -0,0 +1,46 @@
+{ config, ... }:
+{
+ sops.secrets.tinyauth-users = {
+ sopsFile = ../../secrets/tinyauth.yaml;
+ owner = "podman";
+ };
+
+ services.caddy.extraConfig = ''
+ (tinyauth) {
+ forward_auth localhost:3002 {
+ uri /api/auth/caddy
+ copy_headers Remote-User Remote-Name Remote-Email Remote-Groups
+ }
+ }
+ '';
+
+ services.caddy.virtualHosts."auth.ily.rs" = {
+ extraConfig = ''
+ reverse_proxy localhost:3002
+ encode zstd gzip
+ '';
+ };
+
+ virtualisation.oci-containers.containers.tinyauth = {
+ image = "ghcr.io/steveiliop56/tinyauth:v5.0.6";
+ podman.user = "podman";
+ volumes = [
+ "/srv/tinyauth/data:/data"
+ "${config.sops.secrets.tinyauth-users.path}:/data/users:ro"
+ ];
+ ports = [ "127.0.0.1:3002:3000" ];
+ environment = {
+ TINYAUTH_APPURL = "https://auth.ily.rs";
+ TINYAUTH_AUTH_USERSFILE = "/data/users";
+ TINYAUTH_AUTH_SECURECOOKIE = "true";
+ TINYAUTH_AUTH_TRUSTEDPROXIES = "127.0.0.1";
+ TINYAUTH_ANALYTICS_ENABLED = "false";
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /srv/tinyauth/data 0750 podman podman -"
+ ];
+
+ systemd.services.podman-tinyauth.serviceConfig.Delegate = true;
+}
diff --git a/secrets/tinyauth.yaml b/secrets/tinyauth.yaml
new file mode 100644
index 0000000..2b2d3c7
--- /dev/null
+++ b/secrets/tinyauth.yaml
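Review bot: `TINYAUTH_AUTH_TRUSTEDPROXIES = "127.0.0.1"` in the `environment` block of hosts/lab/tinyauth.nix may not match the source address tinyauth actually sees, because the container runs rootless (`podman.user = "podman"`) behind a published port, and rootless port forwarding usually presents host-side connections under a gateway address rather than 127.0.0.1 inside the container. If Caddy is then not treated as a trusted proxy, its forwarded client-address headers are ignored and every login attempt is attributed to the proxy, which blunts rate limiting and audit logging; worth confirming from tinyauth's request log after deployment and setting the value to the address it reports. The `(tinyauth)` snippet copies `Remote-User`/`Remote-Groups` into upstream requests, so a comment such as `# upstreams that trust Remote-* headers must only be reachable through a site that does "import tinyauth"` above `services.caddy.extraConfig` would help whoever adds the next site (the tinyauth port itself is correctly bound to 127.0.0.1). The snippet is defined but not imported anywhere in this commit, presumably sites.nix is meant to use it.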
@@ -0,0 +1,25 @@ +tinyauth-users: ENC[AES256_GCM,data:AsaAMGZjj2gqeWq/zrK+fIg8wJbVb3r1S2bnPdtn5PujYBOZLWTB49z06u3ResxKEJFUa5AxXhgq5BOmAaNBcg==,iv:aKft/YtN8RNwOsiLcmD6g8RtUfDPaKje+lw0Wka99R4=,tag:NxVhDvdgTyp0n7Ftaa2JbQ==,type:str] +sops: + age: + - recipient: age1r8h6gy2f4mu8xvx609qeadl82v2hua74xaevsp982zyfh4tm9qlsu80s0f + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQRlNRQzA1OW5zRkJYU04y + bFNheWFCellWZ3RPcnJmODFSTFBPWmtBaVhrCndKdE1INm5IRVo3WEVGcFJ3Zjds + RThyUHVpNmd4RnlUZkFnV0gvRU00enMKLS0tIFU1Vk96WWJwbUUzT0tGMHF1cmpn + enhnQzk5UUxsRy8zZ0tCei9IbnlkV1UKMXd0PvSyhA7tShqpkIpD0xXIFxOTX0dr + fr4C77LiUMuzHKGwUeJAuetrQGukRc7UR0yut7bmJcNAaZX3pFM0Gg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nq4z2ms4vruhces2f8e7tvgsr0pfg5ha92w0hrmde3n2ulxe4qhqxv05xl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyNURGK3JlQWFiSWpKenNO + dXR4eGd5ckFWeWQwNWNtdE9kb2E1RGhUcjJjCnFhS0FKODNzQWpEcnJZSDVtMGdB + TE5aZkJsbGpkYnhpbG5USXRHalNrU0UKLS0tIGg0MmNPOW1PN2NsaWF0UnhKRTda + Mll0WFJDNWNscHNNM1hNR1c1SGpzN1EKgPW5BTGOy1B1q88phGfrh/ig5T4NoOqm + 0oRWhc1gibMQ7yeOgaIDyIcQ8uPBcF478DFyDp7JwaTOqIAK+FxUqg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-04-07T21:05:12Z" + mac: ENC[AES256_GCM,data:gF3C6c2P9nf0CXhhowVdFDBD38YiasmT+aP7J/nkAQj8T0gDhuwfs6zae5qlGj8JTHAwmpTQszxPHvfNCYpjZVFhxCh2fmZPNfzYPDwLa/6SU6NRkMcHQV9mpIUlD/gznZ+xn2EkCm4c6zpUv2nkuApap25fOk+prMVRS4Ng7rc=,iv:udLiICujJBezn4xtel4bmEdtQiEqv8FyMK/MG5EPBSU=,tag:2sY31wqMT9YZ0FxRtpTwOA==,type:str] + unencrypted_suffix: _unencrypted + version: 3.12.2