feat: adds TinyAuth

2026-04-07 22:05:59 +01:00 · 2026-04-07 22:05:59 +01:00 · c8120daf41
commit c8120daf41
parent b006551173
3 changed files with 72 additions and 0 deletions
--- a/hosts/lab/default.nix
+++ b/hosts/lab/default.nix
@ -10,6 +10,7 @@
    ./sites.nix
    ./fail2ban.nix
    ./uptime-kuma.nix
+    ./tinyauth.nix
  ];

  networking.hostName = "lab";
--- a/hosts/lab/tinyauth.nix
+++ b/hosts/lab/tinyauth.nix
@ -0,0 +1,46 @@
+{ config, ... }:
+{
+  sops.secrets.tinyauth-users = {
+    sopsFile = ../../secrets/tinyauth.yaml;
+    owner = "podman";
+  };
+
+  services.caddy.extraConfig = ''
+    (tinyauth) {
+      forward_auth localhost:3002 {
+        uri /api/auth/caddy
+        copy_headers Remote-User Remote-Name Remote-Email Remote-Groups
+      }
+    }
+  '';
+
+  services.caddy.virtualHosts."auth.ily.rs" = {
+    extraConfig = ''
+      reverse_proxy localhost:3002
+      encode zstd gzip
+    '';
+  };
+
+  virtualisation.oci-containers.containers.tinyauth = {
+    image = "ghcr.io/steveiliop56/tinyauth:v5.0.6";
+    podman.user = "podman";
+    volumes = [
+      "/srv/tinyauth/data:/data"
+      "${config.sops.secrets.tinyauth-users.path}:/data/users:ro"
+    ];
+    ports = [ "127.0.0.1:3002:3000" ];
+    environment = {
+      TINYAUTH_APPURL = "https://auth.ily.rs";
+      TINYAUTH_AUTH_USERSFILE = "/data/users";
+      TINYAUTH_AUTH_SECURECOOKIE = "true";
+      TINYAUTH_AUTH_TRUSTEDPROXIES = "127.0.0.1";
+      TINYAUTH_ANALYTICS_ENABLED = "false";
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d /srv/tinyauth/data 0750 podman podman -"
+  ];
+
+  systemd.services.podman-tinyauth.serviceConfig.Delegate = true;
+}