From a7d62018d88ac29a253d6b784195ea282d321e0c Mon Sep 17 00:00:00 2001
From: geemili <opensource@geemili.xyz>
Date: Tue, 9 Jan 2024 18:10:43 -0700
Subject: [PATCH] feat: headscale: add OIDC authentication for single-sign on

---
 agenix-config-module.nix                      |   5 +++++
 configuration.nix                             |  17 +++++++++++++++--
 secrets/samsehu_DEX_ENVIRONMENT_FILE.age      |  12 ++++++------
 secrets/samsehu_OIDC_APP_SECRET_FORGEJO.age   |   8 ++++++++
 secrets/samsehu_OIDC_APP_SECRET_HEADSCALE.age | Bin 0 -> 363 bytes
 secrets/secrets.nix                           |   2 ++
 6 files changed, 36 insertions(+), 8 deletions(-)
 create mode 100644 secrets/samsehu_OIDC_APP_SECRET_FORGEJO.age
 create mode 100644 secrets/samsehu_OIDC_APP_SECRET_HEADSCALE.age

diff --git a/agenix-config-module.nix b/agenix-config-module.nix
index c2e445f..65160f5 100644
--- a/agenix-config-module.nix
+++ b/agenix-config-module.nix
@@ -14,4 +14,9 @@
     owner = "dex";
     group = "dex";
   };
+  age.secrets.OIDC_APP_SECRET_HEADSCALE = {
+    file = ./secrets/samsehu_OIDC_APP_SECRET_HEADSCALE.age;
+    owner = "dex";
+    group = "dex";
+  };
 }
diff --git a/configuration.nix b/configuration.nix
index 3382d43..b8322e5 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -237,10 +237,16 @@
       staticClients = [
         {
           id = "forgejo";
-          secret = "forgejo-secret";
+          secretEnv = "OIDC_APP_SECRET_FORGEJO";
           name = "Forgejo";
           redirectURIs = [ "https://git.samsehu.perli.casa/user/oauth2/dex/callback" ];
         }
+        {
+          id = "headscale";
+          secretEnv = "OIDC_APP_SECRET_HEADSCALE";
+          name = "Headscale";
+          redirectURIs = [ "https://headscale.samsehu.perli.casa/oidc/callback" ];
+        }
       ];
 
       # authentication sources
@@ -343,7 +349,7 @@
   services.lldap = {
     enable = true;
     settings = {
-      ldap_base_dn = "dc=twins,dc=pearson";
+      ldap_base_dn = "dc=samsehu,dc=perli,dc=casa";
       # Sets the root administrator's user name
       ldap_user_dn = "admin";
       http_host = "127.0.0.1";
@@ -563,6 +569,13 @@
         ];
       };
 
+      oidc = {
+        issuer = "https://dex.samsehu.perli.casa/";
+        client_id = "headscale";
+        client_secret_path = config.age.secrets.OIDC_APP_SECRET_HEADSCALE.path;
+        scope = [ "openid" "profile" "email" ];
+      };
+
       acl_policy_path = pkgs.writeText "acl_policy.hujson" ''
         {
           "groups": {
diff --git a/secrets/samsehu_DEX_ENVIRONMENT_FILE.age b/secrets/samsehu_DEX_ENVIRONMENT_FILE.age
index 52e32c7..8b1affe 100644
--- a/secrets/samsehu_DEX_ENVIRONMENT_FILE.age
+++ b/secrets/samsehu_DEX_ENVIRONMENT_FILE.age
@@ -1,7 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 yXNDbw WGHFPF/AcEzQkhP87YmUNvtzewbMLvkgcEQds8giMWY
-iz3KcER4Y8LA20MKMYQAaHoUlXvj/xl4pv8fqTQIXOA
--> ssh-ed25519 BTX+xA u1WTouBBLOzc7+HpOc7A5D4X3vXX4LM4+YZE78JRjhg
-u/9GN4oXlf5BAsjooVbxrKscFD2yeyqSzZlMF9HNsS8
---- VNX3icfWlZl+ho+RSFhizGvPuEApzTmjhOvJGnmMPrw
->ú“æµ*8³À,ëbx×›©ÉGÜjÿ·ôˆ`‚7žâ!þ´üäèž^í¬º&6ž‰F¾µ!cŠB¡’_-!íÆZnA½ä=¾Q›7‰™†ëpõ}•ÒušY$“WF«ƒÿ}
\ No newline at end of file
+-> ssh-ed25519 yXNDbw /VDH/MtMdPiirOsyEn9RSUTq9sZ0tas+Cdc7GujyCQQ
+tk5qyTuehb/jJ7g7Tms+lA0Mw0lSKO/eNpoXO/x0RYc
+-> ssh-ed25519 BTX+xA UjuVR8SWpsUBdP2gkgKndQytGn3MYjvHkWog5YOjAT0
+gKFJaOKJ2SfWZnPG1gow68Ht3Lbpdw8tJcw0Svuv3Zw
+--- AYi1kv3/G35esUgQCa90a7sfPoh74C9xQQKoGFa2Vwc
+ÊÎfLxÖÒ5}KILº~½éŸ	ºý&/t±ùÜˆ-ˆŠ©ðÁÞ¾ÅObê÷ÆÌ#LàaPN1(²²~’u§FèÄiv°€ªì5€ÉË ^#ë†ùSê³káÿGÄ=ªS0#Ñí¯MyÖ4”îb· ðäD3Bœ/úDèðv÷vÒ(èŸÿWf´N·ö×ÿ¨ü­ïîZ6ÙÞÞï¿!lÊm)_¥3î®s5Wi5Æ.£‚\ÆSËÖK¹óç¡™Ôª Š3ÅºƒUX‘~C¥,®l¦ÐìG²îgžwX±’ÚÑ
\ No newline at end of file
diff --git a/secrets/samsehu_OIDC_APP_SECRET_FORGEJO.age b/secrets/samsehu_OIDC_APP_SECRET_FORGEJO.age
new file mode 100644
index 0000000..8bf1757
--- /dev/null
+++ b/secrets/samsehu_OIDC_APP_SECRET_FORGEJO.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 yXNDbw rq3zM6yBAOw27casxuak0MTrhHXXfQranR8pL0osS3A
+6aDqYlDmYLLvxdorIxs4WB24mouWUHqbT5s3qgIx/lA
+-> ssh-ed25519 BTX+xA 1zd7nxWxmVfu1yMI4K5McNSV0ULLcZ0fVCGNNXIBw3k
+n1clgjKA4UjBRnokQm99x+q9OBi4muPdD70l1XMak4o
+--- URplj0eiKdqp222NxhGDYUmz+bho1zxam1hsf7trJ/g
+‡
+g(ÒÚÅàÑÁÑÕÔ«Ì1{ëï¡.YÌIqQ³úÓ”<%½-£6¼CEKüv9#Aóö³%@Vì·çˆKWŸ”‹ï
\ No newline at end of file
diff --git a/secrets/samsehu_OIDC_APP_SECRET_HEADSCALE.age b/secrets/samsehu_OIDC_APP_SECRET_HEADSCALE.age
new file mode 100644
index 0000000000000000000000000000000000000000..37430db8d4558c099336c60df26c4338599c1dba
GIT binary patch
literal 363
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCTyjPP?wDpxS_@bD?g
z2n;YPcJwxNt4MY9G)OTHj|g%u%hb;CP00vzD@*nYa?y7V4CSiwD#`J8_cE?@45|#x
zFAcQFbuM-fPArdd%F<5qGj~t(%X0A#PYtWI$VRu#DI`L>!coC3I3Ok5IoZS|)56iv
z!>Ot?IKtP&ASKJQ(A2{;)GfEjx3sj<CAHKn#DvQ^G$_x-FD=xkEITVD%-btHH7z11
zP}?ju(5x^gz}&*g*vKn1IjG9tvzSX)S69KyJHjhG$|Jbay)?V5+}|U~(cjspsv<eh
z)ZE<B#W2ax%OEdGKP%FtyqJsgh(j-{^`)YMkS#S$hc0R|7}`60kG*oB<dDs&>92}Y
ww@t8nHut(>V8QqB>oXT02=}l#x8w<T)ydv9a-tqFtLtQMKWd$^_b!J901#q;r~m)}

literal 0
HcmV?d00001

diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 5b2fcbf..72f8903 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -8,4 +8,6 @@ in
   "samsehu_DUCK_DNS_TOKEN.age".publicKeys = geemili ++ [ samsehu ];
   "LLDAP_DEFAULT_ADMIN_PASSWORD.age".publicKeys = geemili ++ [ samsehu ];
   "samsehu_DEX_ENVIRONMENT_FILE.age".publicKeys = geemili ++ [ samsehu ];
+  "samsehu_OIDC_APP_SECRET_HEADSCALE.age".publicKeys = geemili ++ [ samsehu ];
+  "samsehu_OIDC_APP_SECRET_FORGEJO.age".publicKeys = geemili ++ [ samsehu ];
 }