feat: headscale: add OIDC authentication for single-sign on

2024-01-09 18:10:43 -07:00 · 2024-01-09 18:10:43 -07:00 · a7d62018d8
parent 78ea01ebec
commit a7d62018d8
6 changed files with 36 additions and 8 deletions
--- a/agenix-config-module.nix
+++ b/agenix-config-module.nix
@ -14,4 +14,9 @@
    owner = "dex";
    group = "dex";
  };
+  age.secrets.OIDC_APP_SECRET_HEADSCALE = {
+    file = ./secrets/samsehu_OIDC_APP_SECRET_HEADSCALE.age;
+    owner = "dex";
+    group = "dex";
+  };
 }
--- a/configuration.nix
+++ b/configuration.nix
@ -237,10 +237,16 @@
      staticClients = [
        {
          id = "forgejo";
-          secret = "forgejo-secret";
+          secretEnv = "OIDC_APP_SECRET_FORGEJO";
          name = "Forgejo";
          redirectURIs = [ "https://git.samsehu.perli.casa/user/oauth2/dex/callback" ];
        }
+        {
+          id = "headscale";
+          secretEnv = "OIDC_APP_SECRET_HEADSCALE";
+          name = "Headscale";
+          redirectURIs = [ "https://headscale.samsehu.perli.casa/oidc/callback" ];
+        }
      ];

      # authentication sources
@ -343,7 +349,7 @@
  services.lldap = {
    enable = true;
    settings = {
-      ldap_base_dn = "dc=twins,dc=pearson";
+      ldap_base_dn = "dc=samsehu,dc=perli,dc=casa";
      # Sets the root administrator's user name
      ldap_user_dn = "admin";
      http_host = "127.0.0.1";
@ -563,6 +569,13 @@
        ];
      };

+      oidc = {
+        issuer = "https://dex.samsehu.perli.casa/";
+        client_id = "headscale";
+        client_secret_path = config.age.secrets.OIDC_APP_SECRET_HEADSCALE.path;
+        scope = [ "openid" "profile" "email" ];
+      };
+
      acl_policy_path = pkgs.writeText "acl_policy.hujson" ''
        {
          "groups": {
--- a/secrets/samsehu_DEX_ENVIRONMENT_FILE.age
+++ b/secrets/samsehu_DEX_ENVIRONMENT_FILE.age
@ -1,7 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 yXNDbw WGHFPF/AcEzQkhP87YmUNvtzewbMLvkgcEQds8giMWY
-iz3KcER4Y8LA20MKMYQAaHoUlXvj/xl4pv8fqTQIXOA
-> ssh-ed25519 BTX+xA u1WTouBBLOzc7+HpOc7A5D4X3vXX4LM4+YZE78JRjhg
-u/9GN4oXlf5BAsjooVbxrKscFD2yeyqSzZlMF9HNsS8
--- VNX3icfWlZl+ho+RSFhizGvPuEApzTmjhOvJGnmMPrw
->ú“æµ*8³À,ëbx×›©ÉGÜjÿ·ôˆ`‚7<E2809A>žâ!þ´üäèž^í¬º&6ž‰F¾µ!cŠB<C5A0>¡’_-!íÆZnA½ä=¾Q›7‰™†ëpõ}•ÒušY<C5A1>$“WF<57>«ƒÿ}
+-> ssh-ed25519 yXNDbw /VDH/MtMdPiirOsyEn9RSUTq9sZ0tas+Cdc7GujyCQQ
+tk5qyTuehb/jJ7g7Tms+lA0Mw0lSKO/eNpoXO/x0RYc
+-> ssh-ed25519 BTX+xA UjuVR8SWpsUBdP2gkgKndQytGn3MYjvHkWog5YOjAT0
+gKFJaOKJ2SfWZnPG1gow68Ht3Lbpdw8tJcw0Svuv3Zw
+--- AYi1kv3/G35esUgQCa90a7sfPoh74C9xQQKoGFa2Vwc
+ÊÎfLxÖÒ5}KILº~½éŸ	ºý&/t±ùÜˆ-ˆŠ©ðÁÞ¾ÅObê÷ÆÌ#LàaPN1(²²~’u§FèÄiv°€ªì5€<35>ÉË ^#ë†ùSê³<C3AA>káÿGÄ=ªS0#Ñí¯MyÖ4”îb· ðäD3Bœ/úDèðv÷vÒ(èŸÿWf´N<C2B4>·ö×ÿ¨üïîZ6ÙÞÞï¿!lÊm)_¥3î®s5Wi5Æ.£‚\ÆSËÖK¹óç¡™Ôª Š3ÅºƒUX‘~C¥,®l¦ÐìG²îgžwX±’ÚÑ
--- a/secrets/samsehu_OIDC_APP_SECRET_FORGEJO.age
+++ b/secrets/samsehu_OIDC_APP_SECRET_FORGEJO.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 yXNDbw rq3zM6yBAOw27casxuak0MTrhHXXfQranR8pL0osS3A
+6aDqYlDmYLLvxdorIxs4WB24mouWUHqbT5s3qgIx/lA
+-> ssh-ed25519 BTX+xA 1zd7nxWxmVfu1yMI4K5McNSV0ULLcZ0fVCGNNXIBw3k
+n1clgjKA4UjBRnokQm99x+q9OBi4muPdD70l1XMak4o
+--- URplj0eiKdqp222NxhGDYUmz+bho1zxam1hsf7trJ/g
+‡
+g(ÒÚÅàÑÁÑÕÔ«Ì1{ëï¡.YÌIqQ³úÓ”<%½-£6¼CEKüv9#Aóö³%@Vì·çˆKWŸ”‹ï
--- a/secrets/samsehu_OIDC_APP_SECRET_HEADSCALE.age
+++ b/secrets/samsehu_OIDC_APP_SECRET_HEADSCALE.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -8,4 +8,6 @@ in
  "samsehu_DUCK_DNS_TOKEN.age".publicKeys = geemili ++ [ samsehu ];
  "LLDAP_DEFAULT_ADMIN_PASSWORD.age".publicKeys = geemili ++ [ samsehu ];
  "samsehu_DEX_ENVIRONMENT_FILE.age".publicKeys = geemili ++ [ samsehu ];
+  "samsehu_OIDC_APP_SECRET_HEADSCALE.age".publicKeys = geemili ++ [ samsehu ];
+  "samsehu_OIDC_APP_SECRET_FORGEJO.age".publicKeys = geemili ++ [ samsehu ];
 }