tinyauth: init

2026-01-12 16:19:38 +11:00 · 2026-01-12 16:19:38 +11:00 · 59e9e26fcb
commit 59e9e26fcb
parent 0d346e5ae6
3 changed files with 65 additions and 5 deletions
--- a/modules/services/auth/tinyauth.nix
+++ b/modules/services/auth/tinyauth.nix
@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+
+{
+  virtualisation.oci-containers.backend = "podman";
+  virtualisation.oci-containers.containers.tinyauth = {
+    image = "ghcr.io/steveiliop56/tinyauth:v4";
+    ports = [
+      "3009:3000"
+    ];
+    environment = {
+      "APP_URL" = "https://tinyauth.${config.homelab.domain}";
+
+      "PROVIDERS_KANIDM_CLIENT_ID" = "tinyauth";
+      "PROVIDERS_KANIDM_AUTH_URL" = "https://${config.homelab.authDomain}/ui/oauth2";
+      "PROVIDERS_KANIDM_TOKEN_URL" = "https://${config.homelab.authDomain}/oauth2/token";
+      "PROVIDERS_KANIDM_USER_INFO_URL" = "https://${config.homelab.authDomain}/oauth2/openid/tinyauth/userinfo";
+      "PROVIDERS_KANIDM_REDIRECT_URL" = "https://tinyauth.${config.homelab.domain}/api/oauth/callback/kanidm";
+      "PROVIDERS_KANIDM_SCOPES" = "openid email profile groups";
+      "PROVIDERS_KANIDM_NAME" = "${config.homelab.authDomain}";
+    };
+
+  environmentFiles = [
+      # set variable PROVIDERS_KANIDM_CLIENT_SECRET here
+      /var/lib/tinyauth
+    ];
+  };
+
+  services.caddy.extraConfig = ''
+    (tinyauth_forwarder) {
+      forward_auth 127.0.0.1:3009 {
+        uri /api/auth/caddy
+      }
+    }
+  '';
+
+
+  services.caddy.virtualHosts."tinyauth.${config.homelab.domain}" = {
+    useACMEHost = config.homelab.domain;
+    extraConfig = ''
+      reverse_proxy http://localhost:3009
+    '';
+  };
+}