tinyauth: init

2026-01-12 16:19:38 +11:00 · 2026-01-12 16:19:38 +11:00 · 59e9e26fcb
commit 59e9e26fcb
parent 0d346e5ae6
3 changed files with 65 additions and 5 deletions
--- a/flake.nix
+++ b/flake.nix
@ -30,6 +30,7 @@

        ./modules/services/uptime-kuma.nix
        ./modules/services/auth/kanidm.nix
+        ./modules/services/auth/tinyauth.nix
        ./modules/services/caddy.nix
        ./modules/services/forgejo.nix
        ./modules/services/miniflux.nix
--- a/modules/services/auth/tinyauth.nix
+++ b/modules/services/auth/tinyauth.nix
@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+
+{
+  virtualisation.oci-containers.backend = "podman";
+  virtualisation.oci-containers.containers.tinyauth = {
+    image = "ghcr.io/steveiliop56/tinyauth:v4";
+    ports = [
+      "3009:3000"
+    ];
+    environment = {
+      "APP_URL" = "https://tinyauth.${config.homelab.domain}";
+
+      "PROVIDERS_KANIDM_CLIENT_ID" = "tinyauth";
+      "PROVIDERS_KANIDM_AUTH_URL" = "https://${config.homelab.authDomain}/ui/oauth2";
+      "PROVIDERS_KANIDM_TOKEN_URL" = "https://${config.homelab.authDomain}/oauth2/token";
+      "PROVIDERS_KANIDM_USER_INFO_URL" = "https://${config.homelab.authDomain}/oauth2/openid/tinyauth/userinfo";
+      "PROVIDERS_KANIDM_REDIRECT_URL" = "https://tinyauth.${config.homelab.domain}/api/oauth/callback/kanidm";
+      "PROVIDERS_KANIDM_SCOPES" = "openid email profile groups";
+      "PROVIDERS_KANIDM_NAME" = "${config.homelab.authDomain}";
+    };
+
+  environmentFiles = [
+      # set variable PROVIDERS_KANIDM_CLIENT_SECRET here
+      /var/lib/tinyauth
+    ];
+  };
+
+  services.caddy.extraConfig = ''
+    (tinyauth_forwarder) {
+      forward_auth 127.0.0.1:3009 {
+        uri /api/auth/caddy
+      }
+    }
+  '';
+
+
+  services.caddy.virtualHosts."tinyauth.${config.homelab.domain}" = {
+    useACMEHost = config.homelab.domain;
+    extraConfig = ''
+      reverse_proxy http://localhost:3009
+    '';
+  };
+}
--- a/modules/services/media/arr.nix
+++ b/modules/services/media/arr.nix
@ -15,8 +15,12 @@
  services.caddy.virtualHosts."radarr.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
-      reverse_proxy http://localhost:7878
+      # For tinyauth
+      reverse_proxy http://localhost:7878 {
+        header_up -X-Forwarded-For
+      }
      import block_non_private_ips
+      import tinyauth_forwarder *
    '';
  };

@ -32,8 +36,11 @@
  services.caddy.virtualHosts."sonarr.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
-      reverse_proxy http://localhost:8989
+      reverse_proxy http://localhost:8989 {
+        header_up -X-Forwarded-For
+      }
      import block_non_private_ips
+      import tinyauth_forwarder *
    '';
  };

@ -47,7 +54,10 @@
  services.caddy.virtualHosts."prowlarr.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
-      reverse_proxy http://localhost:9696
+      reverse_proxy http://localhost:9696 {
+        header_up -X-Forwarded-For
+      }
+      import tinyauth_forwarder *
      import block_non_private_ips
    '';
  };
@ -63,7 +73,10 @@
  services.caddy.virtualHosts."bazarr.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
-      reverse_proxy http://localhost:6767
+      reverse_proxy http://localhost:6767 {
+        header_up -X-Forwarded-For
+      }
+      import tinyauth_forwarder *
      import block_non_private_ips
    '';
  };
@ -80,7 +93,10 @@
  services.caddy.virtualHosts."deluge.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
-      reverse_proxy http://localhost:8112
+      reverse_proxy http://localhost:8112 {
+        header_up -X-Forwarded-For
+      }
+      import tinyauth_forwarder *
      import block_non_private_ips
    '';
  };