init: adds basic setup

.env.sample

@@ -6,3 +6,12 @@ DOMAIN=tinyauth.example.com
 #EXTRA_DOMAINS=', `www.tinyauth.example.com`'
 
 LETS_ENCRYPT_ENV=production
+
+SECRET_USERS_VERSION=v1
+SECRET_CLIENT_SECRET_VERSION=v1
+
+AUTH_URL=https://example.com/auth/v1/oidc/authorize
+CLIENT_ID=tinyauth_id
+SCOPES=openid,profile,email
+TOKEN_URL=https://example.com/auth/v1/oidc/token
+USER_INFO_URL=https://example.com/auth/v1/oidc/userinfo

compose.yml

@@ -1,7 +1,7 @@
 ---
 services:
   app:
-    image: nginx:1.27.5
+    image: ghcr.io/steveiliop56/tinyauth:v4
     networks:
       - proxy
     deploy:
@@ -9,10 +9,11 @@ services:
         condition: on-failure
       labels:
         - "traefik.enable=true"
-        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
+        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=3000"
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "traefik.http.middlewares.${STACK_NAME}.forwardauth.address=http://${STACK_NAME}_app:3000/api/auth/traefik"
         ## Edit the following line if you are using one, but not both, "Redirect" sections below
         #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirectscheme,${STACK_NAME}-redirecthostname"
         ## Redirect from EXTRA_DOMAINS to DOMAIN
@@ -27,12 +28,33 @@ services:
         ## Enable backups: https://docs.coopcloud.tech/maintainers/handbook/#how-do-i-configure-backuprestore
         # - "backupbot.backup=true"
         # - "backupbot.backup.path=/some/path"
-    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost"]
-      interval: 30s
-      timeout: 10s
-      retries: 10
-      start_period: 1m
+    environment:
+      APP_URL: "https://${DOMAIN}"
+      DISABLE_ANALYTICS: "true"
+      #USERS_FILE: /run/secrets/users
+      PROVIDERS_SSO_AUTH_URL: ${AUTH_URL}	
+      PROVIDERS_SSO_CLIENT_ID: ${CLIENT_ID}
+      PROVIDERS_SSO_CLIENT_SECRET_FILE: /run/secrets/client_secret	
+      PROVIDERS_SSO_REDIRECT_URL:	https://${DOMAIN}/api/oauth/callback/sso
+      PROVIDERS_SSO_SCOPES:	${SCOPES}
+      PROVIDERS_SSO_TOKEN_URL: ${TOKEN_URL}
+      PROVIDERS_SSO_USER_INFO_URL: ${USER_INFO_URL}
+    secrets:
+      - users
+      - client_secret 
+    # healthcheck:
+    #   test: ["CMD", "curl", "-f", "http://localhost:3000/api/healthz"]
+    #   interval: 5s
+    #   timeout: 3s
+    #   retries: 10
+    #   start_period: 1m
+secrets:
+  users:
+    name: ${STACK_NAME}_users_${SECRET_USERS_VERSION}
+    external: true
+  client_secret:
+    name: ${STACK_NAME}_client_secret_${SECRET_CLIENT_SECRET_VERSION}
+    external: true
 
 networks:
   proxy: