feat: headscale: add OIDC authentication for single-sign on
parent
78ea01ebec
commit
a7d62018d8
|
@ -14,4 +14,9 @@
|
|||
owner = "dex";
|
||||
group = "dex";
|
||||
};
|
||||
age.secrets.OIDC_APP_SECRET_HEADSCALE = {
|
||||
file = ./secrets/samsehu_OIDC_APP_SECRET_HEADSCALE.age;
|
||||
owner = "dex";
|
||||
group = "dex";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -237,10 +237,16 @@
|
|||
staticClients = [
|
||||
{
|
||||
id = "forgejo";
|
||||
secret = "forgejo-secret";
|
||||
secretEnv = "OIDC_APP_SECRET_FORGEJO";
|
||||
name = "Forgejo";
|
||||
redirectURIs = [ "https://git.samsehu.perli.casa/user/oauth2/dex/callback" ];
|
||||
}
|
||||
{
|
||||
id = "headscale";
|
||||
secretEnv = "OIDC_APP_SECRET_HEADSCALE";
|
||||
name = "Headscale";
|
||||
redirectURIs = [ "https://headscale.samsehu.perli.casa/oidc/callback" ];
|
||||
}
|
||||
];
|
||||
|
||||
# authentication sources
|
||||
|
@ -343,7 +349,7 @@
|
|||
services.lldap = {
|
||||
enable = true;
|
||||
settings = {
|
||||
ldap_base_dn = "dc=twins,dc=pearson";
|
||||
ldap_base_dn = "dc=samsehu,dc=perli,dc=casa";
|
||||
# Sets the root administrator's user name
|
||||
ldap_user_dn = "admin";
|
||||
http_host = "127.0.0.1";
|
||||
|
@ -563,6 +569,13 @@
|
|||
];
|
||||
};
|
||||
|
||||
oidc = {
|
||||
issuer = "https://dex.samsehu.perli.casa/";
|
||||
client_id = "headscale";
|
||||
client_secret_path = config.age.secrets.OIDC_APP_SECRET_HEADSCALE.path;
|
||||
scope = [ "openid" "profile" "email" ];
|
||||
};
|
||||
|
||||
acl_policy_path = pkgs.writeText "acl_policy.hujson" ''
|
||||
{
|
||||
"groups": {
|
||||
|
|
|
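Review bot: The new `oidc` block (hunk `@ -563,6 +569,13 @@`) does not limit who may enrol: without `allowed_users`, `allowed_domains` or `allowed_groups`, every account the Dex issuer authenticates can register a node on the tailnet, so add at least `allowed_groups = [ ... ];` or `allowed_users = [ ... ];` naming the intended accounts. The `issuer` value ends in a trailing slash; OIDC discovery fails when the configured issuer differs from the one Dex advertises, so confirm Dex's own `issuer` setting (not visible here) is written identically. In the first hunk, `age.secrets.OIDC_APP_SECRET_HEADSCALE` is decrypted with `owner = "dex"` and the default mode, yet the same file is consumed by the headscale service through `client_secret_path`; unless headscale runs as `dex`, it will be unable to read it, so grant its service user access (e.g. `group = <headscale service group>; mode = "0440";`) or decrypt a copy owned by headscale. The enclosing settings attrset starts and ends outside the hunk.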
@ -1,7 +1,7 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 yXNDbw WGHFPF/AcEzQkhP87YmUNvtzewbMLvkgcEQds8giMWY
|
||||
iz3KcER4Y8LA20MKMYQAaHoUlXvj/xl4pv8fqTQIXOA
|
||||
-> ssh-ed25519 BTX+xA u1WTouBBLOzc7+HpOc7A5D4X3vXX4LM4+YZE78JRjhg
|
||||
u/9GN4oXlf5BAsjooVbxrKscFD2yeyqSzZlMF9HNsS8
|
||||
--- VNX3icfWlZl+ho+RSFhizGvPuEApzTmjhOvJGnmMPrw
|
||||
>ú“æµ*8³À,ëbx×›©ÉGÜjÿ·ôˆ`‚7<E2809A>žâ!þ´üäèž^í¬º&6ž‰F¾µ!cŠB<C5A0>¡’_-!íÆZnA½ä=¾Q›7‰™†ëpõ}•ÒušY<C5A1>$“WF<57>«ƒÿ}
|
||||
-> ssh-ed25519 yXNDbw /VDH/MtMdPiirOsyEn9RSUTq9sZ0tas+Cdc7GujyCQQ
|
||||
tk5qyTuehb/jJ7g7Tms+lA0Mw0lSKO/eNpoXO/x0RYc
|
||||
-> ssh-ed25519 BTX+xA UjuVR8SWpsUBdP2gkgKndQytGn3MYjvHkWog5YOjAT0
|
||||
gKFJaOKJ2SfWZnPG1gow68Ht3Lbpdw8tJcw0Svuv3Zw
|
||||
--- AYi1kv3/G35esUgQCa90a7sfPoh74C9xQQKoGFa2Vwc
|
||||
ÊÎfLxÖÒ5}KILº~½éŸ ºý&/t±ù܈-ˆŠ©ðÁÞ¾ÅObê÷ÆÌ#LàaPN1(²²~’u§FèÄiv°€ªì5€<35>ÉË ^#ë†ùSê³<C3AA>káÿGÄ=ªS0#Ñí¯MyÖ4”îb· ðäD3Bœ/úDèðv÷vÒ(èŸÿWf´N<C2B4>·ö×ÿ¨üïîZ6ÙÞÞï¿!lÊm)_¥3î®s5Wi5Æ.£‚\ÆSËÖK¹óç¡™Ôª Š3źƒUX‘~C¥,®l¦ÐìG²îgžwX±’ÚÑ
|
|
@ -0,0 +1,8 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 yXNDbw rq3zM6yBAOw27casxuak0MTrhHXXfQranR8pL0osS3A
|
||||
6aDqYlDmYLLvxdorIxs4WB24mouWUHqbT5s3qgIx/lA
|
||||
-> ssh-ed25519 BTX+xA 1zd7nxWxmVfu1yMI4K5McNSV0ULLcZ0fVCGNNXIBw3k
|
||||
n1clgjKA4UjBRnokQm99x+q9OBi4muPdD70l1XMak4o
|
||||
--- URplj0eiKdqp222NxhGDYUmz+bho1zxam1hsf7trJ/g
|
||||
‡
|
||||
g(ÒÚÅàÑÁÑÕÔ«Ì1{ëï¡.YÌIqQ³úÓ”<%½-£6¼CEKüv9#Aóö³%@Vì·çˆKWŸ”‹ï
|
Binary file not shown.
|
@ -8,4 +8,6 @@ in
|
|||
"samsehu_DUCK_DNS_TOKEN.age".publicKeys = geemili ++ [ samsehu ];
|
||||
"LLDAP_DEFAULT_ADMIN_PASSWORD.age".publicKeys = geemili ++ [ samsehu ];
|
||||
"samsehu_DEX_ENVIRONMENT_FILE.age".publicKeys = geemili ++ [ samsehu ];
|
||||
"samsehu_OIDC_APP_SECRET_HEADSCALE.age".publicKeys = geemili ++ [ samsehu ];
|
||||
"samsehu_OIDC_APP_SECRET_FORGEJO.age".publicKeys = geemili ++ [ samsehu ];
|
||||
}
|
||||
|
|