moves all secrets into one centralised location in /media/secrets and uses systemd-tmpfiles to set the appropriate permissions for them
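# Tinyauth forward-auth service for Caddy, run as a Podman container and
# authenticating users against the homelab Kanidm instance over OIDC.
#
# The only secret (the Kanidm OAuth2 client secret) is deliberately kept out
# of `environment`: that attrset is rendered into the container's systemd
# unit in the world-readable Nix store. It is read from an env file under
# /media/secrets instead, which the tmpfiles rule below keeps root-only.
{ config, lib, pkgs, ... }:

{
  virtualisation.oci-containers.backend = "podman";

  virtualisation.oci-containers.containers.tinyauth = {
    image = "ghcr.io/steveiliop56/tinyauth:v4";

    # Publish the port on loopback only: the sole consumer is the local Caddy
    # (forward_auth and reverse_proxy below). A bare "3009:3000" mapping is
    # published on all interfaces, which exposes the plain-HTTP auth endpoint
    # to the whole network alongside the TLS virtual host.
    ports = [
      "127.0.0.1:3009:3000"
    ];

    # Non-secret settings only; everything in this attrset ends up in the store.
    environment = {
      "APP_URL" = "https://tinyauth.${config.homelab.domain}";

      "PROVIDERS_KANIDM_CLIENT_ID" = "tinyauth";
      "PROVIDERS_KANIDM_AUTH_URL" = "https://${config.homelab.authDomain}/ui/oauth2";
      "PROVIDERS_KANIDM_TOKEN_URL" = "https://${config.homelab.authDomain}/oauth2/token";
      "PROVIDERS_KANIDM_USER_INFO_URL" = "https://${config.homelab.authDomain}/oauth2/openid/tinyauth/userinfo";
      "PROVIDERS_KANIDM_REDIRECT_URL" = "https://tinyauth.${config.homelab.domain}/api/oauth/callback/kanidm";
      "PROVIDERS_KANIDM_SCOPES" = "openid email profile groups";
      "PROVIDERS_KANIDM_NAME" = "${config.homelab.authDomain}";
    };

    # PROVIDERS_KANIDM_CLIENT_SECRET=... is set in this file.
    # Keep this a string, not a path literal (`/media/secrets/tinyauth`): a Nix
    # path literal that gets interpolated into the container command line is
    # copied into the world-readable /nix/store, which would leak the secret
    # and additionally require the file to exist at evaluation time.
    environmentFiles = [
      "/media/secrets/tinyauth"
    ];
  };

  # Make sure the secret file exists and is readable by root only. `f` creates
  # it empty when missing (the container then starts without a client secret
  # and OIDC login fails until the file is populated) and, like `d`, applies
  # the mode/owner to an already existing file on later runs.
  # NOTE(review): /media/secrets itself is not created here; confirm another
  # module restricts the directory (e.g. a `d /media/secrets 0700 root root` rule).
  systemd.tmpfiles.rules = [
    "f /media/secrets/tinyauth 0400 root root"
  ];

  # Reusable Caddy snippet: `import tinyauth_forwarder` inside a site block
  # hands each request to tinyauth for authentication before the site's own
  # handlers run. The address must match the host port published above.
  services.caddy.extraConfig = ''
    (tinyauth_forwarder) {
      forward_auth 127.0.0.1:3009 {
        uri /api/auth/caddy
      }
    }
  '';

  # Public TLS entry point for the tinyauth login UI and the OAuth callback
  # (PROVIDERS_KANIDM_REDIRECT_URL above points here). Uses the same loopback
  # address as the forward_auth snippet so both agree with the port binding.
  services.caddy.virtualHosts."tinyauth.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://127.0.0.1:3009
    '';
  };
}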