From 59e9e26fcb76c4500da49778581b545560c7e2c4 Mon Sep 17 00:00:00 2001
From: Nico
Date: Mon, 12 Jan 2026 16:19:38 +1100
Subject: [PATCH] tinyauth: init
---
 flake.nix | 1 +
 modules/services/auth/tinyauth.nix | 43 ++++++++++++++++++++++++++++++
 modules/services/media/arr.nix | 26 ++++++++++++++----
 3 files changed, 65 insertions(+), 5 deletions(-)
 create mode 100644 modules/services/auth/tinyauth.nix
diff --git a/flake.nix b/flake.nix
index c4ff1e0..4ad7357 100644
--- a/flake.nix
+++ b/flake.nix
@@ -30,6 +30,7 @@
 ./modules/services/uptime-kuma.nix
 ./modules/services/auth/kanidm.nix
+ ./modules/services/auth/tinyauth.nix
 ./modules/services/caddy.nix
 ./modules/services/forgejo.nix
 ./modules/services/miniflux.nix
diff --git a/modules/services/auth/tinyauth.nix b/modules/services/auth/tinyauth.nix
new file mode 100644
index 0000000..c5d4f4d
--- /dev/null
+++ b/modules/services/auth/tinyauth.nix
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+
+{
+ virtualisation.oci-containers.backend = "podman";
+ virtualisation.oci-containers.containers.tinyauth = {
+ image = "ghcr.io/steveiliop56/tinyauth:v4";
+ ports = [
+ "3009:3000"
+ ];
+ environment = {
+ "APP_URL" = "https://tinyauth.${config.homelab.domain}";
+
+ "PROVIDERS_KANIDM_CLIENT_ID" = "tinyauth";
+ "PROVIDERS_KANIDM_AUTH_URL" = "https://${config.homelab.authDomain}/ui/oauth2";
+ "PROVIDERS_KANIDM_TOKEN_URL" = "https://${config.homelab.authDomain}/oauth2/token";
+ "PROVIDERS_KANIDM_USER_INFO_URL" = "https://${config.homelab.authDomain}/oauth2/openid/tinyauth/userinfo";
+ "PROVIDERS_KANIDM_REDIRECT_URL" = "https://tinyauth.${config.homelab.domain}/api/oauth/callback/kanidm";
+ "PROVIDERS_KANIDM_SCOPES" = "openid email profile groups";
+ "PROVIDERS_KANIDM_NAME" = "${config.homelab.authDomain}";
+ };
+
+ environmentFiles = [
+ # set variable PROVIDERS_KANIDM_CLIENT_SECRET here
+ /var/lib/tinyauth
+ ];
+ };
+
+ services.caddy.extraConfig = ''
+ (tinyauth_forwarder) {
+ forward_auth 127.0.0.1:3009 {
+ uri /api/auth/caddy
+ }
+ }
+ '';
+
+
+ services.caddy.virtualHosts."tinyauth.${config.homelab.domain}" = {
+ useACMEHost = config.homelab.domain;
+ extraConfig = ''
+ reverse_proxy http://localhost:3009
+ '';
+ };
+}
diff --git a/modules/services/media/arr.nix b/modules/services/media/arr.nix
index 803a1e3..77d3118 100644
--- a/modules/services/media/arr.nix
+++ b/modules/services/media/arr.nix
@@ -15,8 +15,12 @@
 services.caddy.virtualHosts."radarr.${config.homelab.domain}" = {
 useACMEHost = config.homelab.domain;
 extraConfig = ''
- reverse_proxy http://localhost:7878
+ # For tinyauth
+ reverse_proxy http://localhost:7878 {
+ header_up -X-Forwarded-For
+ }
 import block_non_private_ips
+ import tinyauth_forwarder *
 '';
 };
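Review bot: `ports = [ "3009:3000" ]` publishes tinyauth on every host interface, yet the only consumers in this patch are Caddy's `forward_auth 127.0.0.1:3009` and `reverse_proxy http://localhost:3009`, so the auth endpoint is also reachable directly, without TLS and without the proxy; binding it to loopback with `"127.0.0.1:3009:3000"` closes that. The client secret is read from `/var/lib/tinyauth` written as a Nix path literal, the only unquoted path in the file; if the module ever string-interpolates that value, Nix copies the file into the world-readable store, so a plain string `"/var/lib/tinyauth"` is the safer spelling, and since the name reads like a directory it is worth confirming it is a root-owned, mode-0600 env file. `image = "ghcr.io/steveiliop56/tinyauth:v4"` floats on a major tag, so the auth gateway silently changes on every pull; pinning `tinyauth:v4@sha256:<digest>` (placeholder) makes upgrades deliberate.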
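Review bot: `header_up -X-Forwarded-For` removes the client address from every request that reaches Radarr, so the backend sees Caddy's own address as the peer; if Radarr is set to skip its built-in authentication for local addresses, that login is effectively disabled for all proxied traffic and tinyauth becomes the only gate, which the `# For tinyauth` comment should say, e.g. `# For tinyauth: X-Forwarded-For is dropped, so Radarr sees every request as local; keep its own auth enabled`. The same strip appears in the sonarr, prowlarr, bazarr and deluge hunks of this file, where it carries no comment at all. Caddy sorts directives by its own ordering table rather than textual position, so `import tinyauth_forwarder *` placed after `import block_non_private_ips` here and before it in the prowlarr, bazarr and deluge hunks behaves the same, but one order across the five vhosts would read better. The `*` argument is not used by the `tinyauth_forwarder` snippet defined in this patch and can be dropped to `import tinyauth_forwarder`.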
@@ -32,8 +36,11 @@
 services.caddy.virtualHosts."sonarr.${config.homelab.domain}" = {
 useACMEHost = config.homelab.domain;
 extraConfig = ''
- reverse_proxy http://localhost:8989
+ reverse_proxy http://localhost:8989 {
+ header_up -X-Forwarded-For
+ }
 import block_non_private_ips
+ import tinyauth_forwarder *
 '';
 };
@@ -47,7 +54,10 @@
 services.caddy.virtualHosts."prowlarr.${config.homelab.domain}" = {
 useACMEHost = config.homelab.domain;
 extraConfig = ''
- reverse_proxy http://localhost:9696
+ reverse_proxy http://localhost:9696 {
+ header_up -X-Forwarded-For
+ }
+ import tinyauth_forwarder *
 import block_non_private_ips
 '';
 };
@@ -63,7 +73,10 @@
 services.caddy.virtualHosts."bazarr.${config.homelab.domain}" = {
 useACMEHost = config.homelab.domain;
 extraConfig = ''
- reverse_proxy http://localhost:6767
+ reverse_proxy http://localhost:6767 {
+ header_up -X-Forwarded-For
+ }
+ import tinyauth_forwarder *
 import block_non_private_ips
 '';
 };
@@ -80,7 +93,10 @@
 services.caddy.virtualHosts."deluge.${config.homelab.domain}" = {
 useACMEHost = config.homelab.domain;
 extraConfig = ''
- reverse_proxy http://localhost:8112
+ reverse_proxy http://localhost:8112 {
+ header_up -X-Forwarded-For
+ }
+ import tinyauth_forwarder *
 import block_non_private_ips
 '';
 };