
server: headscale: apply authelia fix claims

wiro.world bf341a6a 0bb9b274

+8 -6
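--- a/nixos/profiles/server.nix
+++ b/nixos/profiles/server.nix
@@ -398,10 +398,12 @@
 };
 
 oidc = {
+only_start_if_oidc_is_available = true;
 issuer = "https://auth.wiro.world";
 client_id = "headscale";
 client_secret_path = config.age.secrets.headscale-oidc-secret.path;
-pkce.enable = true;
+scope = [ "openid" "profile" "email" "groups" ];
+pkce.enabled = true;
 };
 };
 };
@@ -509,9 +511,12 @@
 in
 {
 headscale = mkStrictPolicy "two_factor" [ "group:headscale" ];
+tailscale = mkStrictPolicy "two_factor" [ "group:headscale" ];
 grafana = mkStrictPolicy "one_factor" [ "group:grafana" ];
 miniflux = mkStrictPolicy "one_factor" [ "group:miniflux" ];
 };
+
+claims_policies.headscale = { id_token = [ "email" "name" "preferred_username" "picture" "groups" ]; };
 
 clients = [
 {
@@ -519,23 +524,21 @@
 client_id = "headscale";
 client_secret = "$pbkdf2-sha256$310000$XY680D9gkSoWhD0UtYHNFg$ptWB3exOYCga6uq1N.oimuV3ILjK3F8lBWBpsBpibos";
 redirect_uris = [ "https://${headscale-hostname}/oidc/callback" ];
-
 authorization_policy = "headscale";
+claims_policy = "headscale";
 }
 {
 client_name = "Tailscale";
 client_id = "tailscale";
 client_secret = "$pbkdf2-sha256$310000$PcUaup9aWKI9ZLeCF6.avw$FpsTxkDaxcoQlBi8aIacegXpjEDiCI6nXcaHyZ2Sxyc";
 redirect_uris = [ "https://login.tailscale.com/a/oauth_response" ];
-
-authorization_policy = "headscale";
+authorization_policy = "tailscale";
 }
 {
 client_name = "Grafana Console";
 client_id = "grafana";
 client_secret = "$pbkdf2-sha256$310000$UkwrqxTZodGMs9.Ca2cXAA$HCWFgQbFHGXZpuz.I3HHdkTZLUevRVGlhKEFaOlPmKs";
 redirect_uris = [ "https://${grafana-hostname}/login/generic_oauth" ];
-
 authorization_policy = "grafana";
 }
 {
@@ -543,7 +546,6 @@
 client_id = "miniflux";
 client_secret = "$pbkdf2-sha256$310000$uPqbWfCOBXDY6nV1vsx3uA$HOWG2hL.c/bs9Dwaee3b9DxjH7KFO.SaZMbasXV9Vdw";
 redirect_uris = [ "https://${miniflux-hostname}/oauth2/oidc/callback" ];
-
 authorization_policy = "miniflux";
 }
 ];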
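Review bot: The headscale `oidc` block in the first hunk now requests the `groups` scope and the new `claims_policies.headscale` tells Authelia to put `groups` in the id_token, but nothing on the headscale side consumes that claim — the block (new lines 400–409, fully visible) sets no `allowed_groups`, `allowed_users` or `allowed_domains`, so headscale admits any account Authelia's `headscale` policy lets through and group membership is enforced in Authelia alone. If headscale is meant to enforce membership as a second layer, add `allowed_groups = [ "headscale" ];` next to `scope` (assuming the Authelia group is literally named `headscale`, as the `group:headscale` subject suggests; confirm the exact value headscale receives in the `groups` claim). The new `tailscale` policy in the second hunk is identical to `headscale`, which is reasonable as a separate policy for the login.tailscale.com client, but a comment such as `# same membership as headscale; separate policy so the Tailscale SSO client can diverge later` would record the intent. `mkStrictPolicy` is defined outside the hunk, so any extra conditions it adds could not be checked here.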