feat: headscale: add OIDC authentication for single-sign on
parent
78ea01ebec
commit
a7d62018d8
|
@ -14,4 +14,9 @@
|
||||||
owner = "dex";
|
owner = "dex";
|
||||||
group = "dex";
|
group = "dex";
|
||||||
};
|
};
|
||||||
|
age.secrets.OIDC_APP_SECRET_HEADSCALE = {
|
||||||
|
file = ./secrets/samsehu_OIDC_APP_SECRET_HEADSCALE.age;
|
||||||
|
owner = "dex";
|
||||||
|
group = "dex";
|
||||||
|
};
|
||||||
}
|
}
|
||||||
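Review bot: The new `age.secrets.OIDC_APP_SECRET_HEADSCALE` is owned by `dex`, yet later in this commit the same file is handed to headscale as `client_secret_path`; if headscale runs under its own service user (the NixOS module default), it cannot open a dex-owned file at agenix's default 0400 mode and OIDC setup fails when the service starts. Decide which process actually needs the file: dex reads the value from its environment via `secretEnv`, so the file is most likely for headscale alone, in which case `owner = "headscale";` is the fix; if both must read it, keep one owner and widen it with `group = "<other service's group>"; mode = "0440";`. The enclosing `age.secrets` attrset starts above this hunk, so I cannot see whether a second declaration already covers this.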
|
|
|
@ -237,10 +237,16 @@
|
||||||
staticClients = [
|
staticClients = [
|
||||||
{
|
{
|
||||||
id = "forgejo";
|
id = "forgejo";
|
||||||
secret = "forgejo-secret";
|
secretEnv = "OIDC_APP_SECRET_FORGEJO";
|
||||||
name = "Forgejo";
|
name = "Forgejo";
|
||||||
redirectURIs = [ "https://git.samsehu.perli.casa/user/oauth2/dex/callback" ];
|
redirectURIs = [ "https://git.samsehu.perli.casa/user/oauth2/dex/callback" ];
|
||||||
}
|
}
|
||||||
|
{
|
||||||
|
id = "headscale";
|
||||||
|
secretEnv = "OIDC_APP_SECRET_HEADSCALE";
|
||||||
|
name = "Headscale";
|
||||||
|
redirectURIs = [ "https://headscale.samsehu.perli.casa/oidc/callback" ];
|
||||||
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
# authentication sources
|
# authentication sources
|
||||||
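Review bot: `secretEnv = "OIDC_APP_SECRET_HEADSCALE"` only resolves if that variable is present in dex's process environment, and the age secret added in this commit is a file path, not an environment entry; confirm the variable is also added to the dex environment file (`samsehu_DEX_ENVIRONMENT_FILE.age`), otherwise the headscale client is registered with an unset secret. The removed line also shows the Forgejo client secret was the literal `"forgejo-secret"`, which lived world-readable in the Nix store and remains in git history; the value placed in `OIDC_APP_SECRET_FORGEJO` should be freshly generated and the copy configured on the Forgejo side rotated to match, not the old string carried forward.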
|
@ -343,7 +349,7 @@
|
||||||
services.lldap = {
|
services.lldap = {
|
||||||
enable = true;
|
enable = true;
|
||||||
settings = {
|
settings = {
|
||||||
ldap_base_dn = "dc=twins,dc=pearson";
|
ldap_base_dn = "dc=samsehu,dc=perli,dc=casa";
|
||||||
# Sets the root administrator's user name
|
# Sets the root administrator's user name
|
||||||
ldap_user_dn = "admin";
|
ldap_user_dn = "admin";
|
||||||
http_host = "127.0.0.1";
|
http_host = "127.0.0.1";
|
||||||
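Review bot: Changing `ldap_base_dn` from `dc=twins,dc=pearson` to `dc=samsehu,dc=perli,dc=casa` renames every DN that lldap serves, so any consumer that spells out DNs — most likely dex's LDAP connector (`bindDN`, `userSearch.baseDN`, `groupSearch.baseDN`), which lies outside this hunk — must change in the same commit or binds and user lookups fail and every SSO login, including the new headscale one, breaks. The change is also unrelated to the headscale feature in the commit title, so a comment above the key, `# must match the DNs used by the LDAP connector in services.dex`, would record the coupling for the next edit. Verify the dex connector config before merging.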
|
@ -563,6 +569,13 @@
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
oidc = {
|
||||||
|
issuer = "https://dex.samsehu.perli.casa/";
|
||||||
|
client_id = "headscale";
|
||||||
|
client_secret_path = config.age.secrets.OIDC_APP_SECRET_HEADSCALE.path;
|
||||||
|
scope = [ "openid" "profile" "email" ];
|
||||||
|
};
|
||||||
|
|
||||||
acl_policy_path = pkgs.writeText "acl_policy.hujson" ''
|
acl_policy_path = pkgs.writeText "acl_policy.hujson" ''
|
||||||
{
|
{
|
||||||
"groups": {
|
"groups": {
|
||||||
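Review bot: The `oidc` block sets no `allowed_users`, `allowed_domains` or `allowed_groups`, so headscale will enrol a node for any identity dex issues a token for; today that is bounded by the lldap directory behind dex, but any connector added to dex later would immediately grant tailnet access. If this headscale version supports it, restrict enrolment explicitly, e.g. `allowed_domains = [ "samsehu.perli.casa" ];` or `allowed_groups = [ "tailnet" ];` — the latter also needs `"groups"` appended to `scope`, since dex only emits group claims when that scope is requested. Note as well that `issuer` carries a trailing slash; go-oidc compares it byte-for-byte with the issuer dex advertises in its discovery document, so it must match dex's own `issuer` setting exactly.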
|
|
|
@ -1,7 +1,7 @@
|
||||||
age-encryption.org/v1
|
age-encryption.org/v1
|
||||||
-> ssh-ed25519 yXNDbw WGHFPF/AcEzQkhP87YmUNvtzewbMLvkgcEQds8giMWY
|
-> ssh-ed25519 yXNDbw /VDH/MtMdPiirOsyEn9RSUTq9sZ0tas+Cdc7GujyCQQ
|
||||||
iz3KcER4Y8LA20MKMYQAaHoUlXvj/xl4pv8fqTQIXOA
|
tk5qyTuehb/jJ7g7Tms+lA0Mw0lSKO/eNpoXO/x0RYc
|
||||||
-> ssh-ed25519 BTX+xA u1WTouBBLOzc7+HpOc7A5D4X3vXX4LM4+YZE78JRjhg
|
-> ssh-ed25519 BTX+xA UjuVR8SWpsUBdP2gkgKndQytGn3MYjvHkWog5YOjAT0
|
||||||
u/9GN4oXlf5BAsjooVbxrKscFD2yeyqSzZlMF9HNsS8
|
gKFJaOKJ2SfWZnPG1gow68Ht3Lbpdw8tJcw0Svuv3Zw
|
||||||
--- VNX3icfWlZl+ho+RSFhizGvPuEApzTmjhOvJGnmMPrw
|
--- AYi1kv3/G35esUgQCa90a7sfPoh74C9xQQKoGFa2Vwc
|
||||||
>ú“æµ*8³À,ëbx×›©ÉGÜjÿ·ôˆ`‚7<E2809A>žâ!þ´üäèž^í¬º&6ž‰F¾µ!cŠB<C5A0>¡’_-!íÆZnA½ä=¾Q›7‰™†ëpõ}•ÒušY<C5A1>$“WF<57>«ƒÿ}
|
ÊÎfLxÖÒ5}KILº~½éŸ ºý&/t±ù܈-ˆŠ©ðÁÞ¾ÅObê÷ÆÌ#LàaPN1(²²~’u§FèÄiv°€ªì5€<35>ÉË ^#ë†ùSê³<C3AA>káÿGÄ=ªS0#Ñí¯MyÖ4”îb· ðäD3Bœ/úDèðv÷vÒ(èŸÿWf´N<C2B4>·ö×ÿ¨üïîZ6ÙÞÞï¿!lÊm)_¥3î®s5Wi5Æ.£‚\ÆSËÖK¹óç¡™Ôª Š3źƒUX‘~C¥,®l¦ÐìG²îgžwX±’ÚÑ
|
|
@ -0,0 +1,8 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 yXNDbw rq3zM6yBAOw27casxuak0MTrhHXXfQranR8pL0osS3A
|
||||||
|
6aDqYlDmYLLvxdorIxs4WB24mouWUHqbT5s3qgIx/lA
|
||||||
|
-> ssh-ed25519 BTX+xA 1zd7nxWxmVfu1yMI4K5McNSV0ULLcZ0fVCGNNXIBw3k
|
||||||
|
n1clgjKA4UjBRnokQm99x+q9OBi4muPdD70l1XMak4o
|
||||||
|
--- URplj0eiKdqp222NxhGDYUmz+bho1zxam1hsf7trJ/g
|
||||||
|
‡
|
||||||
|
g(ÒÚÅàÑÁÑÕÔ«Ì1{ëï¡.YÌIqQ³úÓ”<%½-£6¼CEKüv9#Aóö³%@Vì·çˆKWŸ”‹ï
|
Binary file not shown.
|
@ -8,4 +8,6 @@ in
|
||||||
"samsehu_DUCK_DNS_TOKEN.age".publicKeys = geemili ++ [ samsehu ];
|
"samsehu_DUCK_DNS_TOKEN.age".publicKeys = geemili ++ [ samsehu ];
|
||||||
"LLDAP_DEFAULT_ADMIN_PASSWORD.age".publicKeys = geemili ++ [ samsehu ];
|
"LLDAP_DEFAULT_ADMIN_PASSWORD.age".publicKeys = geemili ++ [ samsehu ];
|
||||||
"samsehu_DEX_ENVIRONMENT_FILE.age".publicKeys = geemili ++ [ samsehu ];
|
"samsehu_DEX_ENVIRONMENT_FILE.age".publicKeys = geemili ++ [ samsehu ];
|
||||||
|
"samsehu_OIDC_APP_SECRET_HEADSCALE.age".publicKeys = geemili ++ [ samsehu ];
|
||||||
|
"samsehu_OIDC_APP_SECRET_FORGEJO.age".publicKeys = geemili ++ [ samsehu ];
|
||||||
}
|
}
|
||||||
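Review bot: `samsehu_OIDC_APP_SECRET_FORGEJO.age` is registered here for decryption, but no `age.secrets.OIDC_APP_SECRET_FORGEJO` declaration appears in the host-config hunks of this commit (only the headscale one does), so unless it is declared elsewhere the file is never deployed and the Forgejo secret must be reaching dex through the environment file instead. Confirm where `OIDC_APP_SECRET_FORGEJO` is actually consumed; if the answer is the dex environment file, drop this entry rather than keeping the same secret in two encrypted files that can drift apart. The hunk starts mid-attrset, so an earlier entry could already cover it.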
|
|