pyrox.dev / nixpkgs
lol
fork atom

headscale: support PKCE verifier

The headscale 0.24.0 introduced support for PKCE verifier. Add options
to set these parameters in the config.

Andrey Albershteyn 13a041b1 4b44b240

options
unified split
Changed files
+25
nixos
modules
services
networking
headscale.nix
+25
nixos/modules/services/networking/headscale.nix 
···

       
406

       
 

       
                '';


     

       
407

       
 

       
                example = [ "alice@example.com" ];


     

       
408

       
 

       
              };


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
409

       
 

       
            };


     

       
410

       
 

       



     

       
411

       
 

       
            tls_letsencrypt_hostname = lib.mkOption {


     
···

       
406

       
 

       
                '';


     

       
407

       
 

       
                example = [ "alice@example.com" ];


     

       
408

       
 

       
              };


     

       
409

       
+

       



     

       
410

       
+

       
              pkce = {


     

       
411

       
+

       
                enabled = lib.mkOption {


     

       
412

       
+

       
                  type = lib.types.bool;


     

       
413

       
+

       
                  default = false;


     

       
414

       
+

       
                  description = ''


     

       
415

       
+

       
                    Enable or disable PKCE (Proof Key for Code Exchange) support.


     

       
416

       
+

       
                    PKCE adds an additional layer of security to the OAuth 2.0


     

       
417

       
+

       
                    authorization code flow by preventing authorization code


     

       
418

       
+

       
                    interception attacks


     

       
419

       
+

       
                    See https://datatracker.ietf.org/doc/html/rfc7636


     

       
420

       
+

       
                  '';


     

       
421

       
+

       
                  example = true;


     

       
422

       
+

       
                };


     

       
423

       
+

       



     

       
424

       
+

       
                method = lib.mkOption {


     

       
425

       
+

       
                  type = lib.types.str;


     

       
426

       
+

       
                  default = "S256";


     

       
427

       
+

       
                  description = ''


     

       
428

       
+

       
                    PKCE method to use:


     

       
429

       
+

       
                      - plain: Use plain code verifier


     

       
430

       
+

       
                      - S256: Use SHA256 hashed code verifier (default, recommended)


     

       
431

       
+

       
                  '';


     

       
432

       
+

       
                };


     

       
433

       
+

       
              };


     

       
434

       
 

       
            };


     

       
435

       
 

       



     

       
436

       
 

       
            tls_letsencrypt_hostname = lib.mkOption {