tinyauth: init

flake.nix

@@ -30,6 +30,7 @@
 
         ./modules/services/uptime-kuma.nix
         ./modules/services/auth/kanidm.nix
+        ./modules/services/auth/tinyauth.nix
         ./modules/services/caddy.nix
         ./modules/services/forgejo.nix
         ./modules/services/miniflux.nix

modules/services/auth/tinyauth.nix

@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+
+{
+  virtualisation.oci-containers.backend = "podman";
+  virtualisation.oci-containers.containers.tinyauth = {
+    image = "ghcr.io/steveiliop56/tinyauth:v4";
+    ports = [
+      "3009:3000"
+    ];
+    environment = {
+      "APP_URL" = "https://tinyauth.${config.homelab.domain}";
+
+      "PROVIDERS_KANIDM_CLIENT_ID" = "tinyauth";
+      "PROVIDERS_KANIDM_AUTH_URL" = "https://${config.homelab.authDomain}/ui/oauth2";
+      "PROVIDERS_KANIDM_TOKEN_URL" = "https://${config.homelab.authDomain}/oauth2/token";
+      "PROVIDERS_KANIDM_USER_INFO_URL" = "https://${config.homelab.authDomain}/oauth2/openid/tinyauth/userinfo";
+      "PROVIDERS_KANIDM_REDIRECT_URL" = "https://tinyauth.${config.homelab.domain}/api/oauth/callback/kanidm";
+      "PROVIDERS_KANIDM_SCOPES" = "openid email profile groups";
+      "PROVIDERS_KANIDM_NAME" = "${config.homelab.authDomain}";
+    };
+
+  environmentFiles = [
+      # set variable PROVIDERS_KANIDM_CLIENT_SECRET here
+      /var/lib/tinyauth
+    ];
+  };
+
+  services.caddy.extraConfig = ''
+    (tinyauth_forwarder) {
+      forward_auth 127.0.0.1:3009 {
+        uri /api/auth/caddy
+      }
+    }
+  '';
+
+
+  services.caddy.virtualHosts."tinyauth.${config.homelab.domain}" = {
+    useACMEHost = config.homelab.domain;
+    extraConfig = ''
+      reverse_proxy http://localhost:3009
+    '';
+  };
+}

modules/services/media/arr.nix

@@ -15,8 +15,12 @@
   services.caddy.virtualHosts."radarr.${config.homelab.domain}" = {
     useACMEHost = config.homelab.domain;
     extraConfig = ''
-      reverse_proxy http://localhost:7878
+      # For tinyauth
+      reverse_proxy http://localhost:7878 {
+        header_up -X-Forwarded-For
+      }
       import block_non_private_ips
+      import tinyauth_forwarder *
     '';
   };
 
@@ -32,8 +36,11 @@
   services.caddy.virtualHosts."sonarr.${config.homelab.domain}" = {
     useACMEHost = config.homelab.domain;
     extraConfig = ''
-      reverse_proxy http://localhost:8989
+      reverse_proxy http://localhost:8989 {
+        header_up -X-Forwarded-For
+      }
       import block_non_private_ips
+      import tinyauth_forwarder *
     '';
   };
 
@@ -47,7 +54,10 @@
   services.caddy.virtualHosts."prowlarr.${config.homelab.domain}" = {
     useACMEHost = config.homelab.domain;
     extraConfig = ''
-      reverse_proxy http://localhost:9696
+      reverse_proxy http://localhost:9696 {
+        header_up -X-Forwarded-For
+      }
+      import tinyauth_forwarder *
       import block_non_private_ips
     '';
   };
@@ -63,7 +73,10 @@
   services.caddy.virtualHosts."bazarr.${config.homelab.domain}" = {
     useACMEHost = config.homelab.domain;
     extraConfig = ''
-      reverse_proxy http://localhost:6767
+      reverse_proxy http://localhost:6767 {
+        header_up -X-Forwarded-For
+      }
+      import tinyauth_forwarder *
       import block_non_private_ips
     '';
   };
@@ -80,7 +93,10 @@
   services.caddy.virtualHosts."deluge.${config.homelab.domain}" = {
     useACMEHost = config.homelab.domain;
     extraConfig = ''
-      reverse_proxy http://localhost:8112
+      reverse_proxy http://localhost:8112 {
+        header_up -X-Forwarded-For
+      }
+      import tinyauth_forwarder *
       import block_non_private_ips
     '';
   };