wiro.world / dotfiles
yep, more dotfiles
fork atom

server: headscale: apply authelia fix claims

wiro.world bf341a6a 0bb9b274

verified
options
unified split
Changed files
+8 -6
nixos
profiles
server.nix
+8 -6
nixos/profiles/server.nix 
···

       
398

       
398

       
 

       
        };


     

       
399

       
399

       
 

       



     

       
400

       
400

       
 

       
        oidc = {


     

       

       
401

       
+

       
          only_start_if_oidc_is_available = true;


     

       
401

       
402

       
 

       
          issuer = "https://auth.wiro.world";


     

       
402

       
403

       
 

       
          client_id = "headscale";


     

       
403

       
404

       
 

       
          client_secret_path = config.age.secrets.headscale-oidc-secret.path;


     

       
404

       

       
-

       
          pkce.enable = true;


     

       

       
405

       
+

       
          scope = [ "openid" "profile" "email" "groups" ];


     

       

       
406

       
+

       
          pkce.enabled = true;


     

       
405

       
407

       
 

       
        };


     

       
406

       
408

       
 

       
      };


     

       
407

       
409

       
 

       
    };


     
···

       
509

       
511

       
 

       
            in


     

       
510

       
512

       
 

       
            {


     

       
511

       
513

       
 

       
              headscale = mkStrictPolicy "two_factor" [ "group:headscale" ];


     

       

       
514

       
+

       
              tailscale = mkStrictPolicy "two_factor" [ "group:headscale" ];


     

       
512

       
515

       
 

       
              grafana = mkStrictPolicy "one_factor" [ "group:grafana" ];


     

       
513

       
516

       
 

       
              miniflux = mkStrictPolicy "one_factor" [ "group:miniflux" ];


     

       
514

       
517

       
 

       
            };


     

       

       
518

       
+

       



     

       

       
519

       
+

       
          claims_policies.headscale = { id_token = [ "email" "name" "preferred_username" "picture" "groups" ]; };


     

       
515

       
520

       
 

       



     

       
516

       
521

       
 

       
          clients = [


     

       
517

       
522

       
 

       
            {


     
···

       
519

       
524

       
 

       
              client_id = "headscale";


     

       
520

       
525

       
 

       
              client_secret = "$pbkdf2-sha256$310000$XY680D9gkSoWhD0UtYHNFg$ptWB3exOYCga6uq1N.oimuV3ILjK3F8lBWBpsBpibos";


     

       
521

       
526

       
 

       
              redirect_uris = [ "https://${headscale-hostname}/oidc/callback" ];


     

       
522

       

       
-

       



     

       
523

       
527

       
 

       
              authorization_policy = "headscale";


     

       

       
528

       
+

       
              claims_policy = "headscale";


     

       
524

       
529

       
 

       
            }


     

       
525

       
530

       
 

       
            {


     

       
526

       
531

       
 

       
              client_name = "Tailscale";


     

       
527

       
532

       
 

       
              client_id = "tailscale";


     

       
528

       
533

       
 

       
              client_secret = "$pbkdf2-sha256$310000$PcUaup9aWKI9ZLeCF6.avw$FpsTxkDaxcoQlBi8aIacegXpjEDiCI6nXcaHyZ2Sxyc";


     

       
529

       
534

       
 

       
              redirect_uris = [ "https://login.tailscale.com/a/oauth_response" ];


     

       
530

       

       
-

       



     

       
531

       

       
-

       
              authorization_policy = "headscale";


     

       

       
535

       
+

       
              authorization_policy = "tailscale";


     

       
532

       
536

       
 

       
            }


     

       
533

       
537

       
 

       
            {


     

       
534

       
538

       
 

       
              client_name = "Grafana Console";


     

       
535

       
539

       
 

       
              client_id = "grafana";


     

       
536

       
540

       
 

       
              client_secret = "$pbkdf2-sha256$310000$UkwrqxTZodGMs9.Ca2cXAA$HCWFgQbFHGXZpuz.I3HHdkTZLUevRVGlhKEFaOlPmKs";


     

       
537

       
541

       
 

       
              redirect_uris = [ "https://${grafana-hostname}/login/generic_oauth" ];


     

       
538

       

       
-

       



     

       
539

       
542

       
 

       
              authorization_policy = "grafana";


     

       
540

       
543

       
 

       
            }


     

       
541

       
544

       
 

       
            {


     
···

       
543

       
546

       
 

       
              client_id = "miniflux";


     

       
544

       
547

       
 

       
              client_secret = "$pbkdf2-sha256$310000$uPqbWfCOBXDY6nV1vsx3uA$HOWG2hL.c/bs9Dwaee3b9DxjH7KFO.SaZMbasXV9Vdw";


     

       
545

       
548

       
 

       
              redirect_uris = [ "https://${miniflux-hostname}/oauth2/oidc/callback" ];


     

       
546

       

       
-

       



     

       
547

       
549

       
 

       
              authorization_policy = "miniflux";


     

       
548

       
550

       
 

       
            }


     

       
549

       
551

       
 

       
          ];