feat: oidc

roles/podman_headscale/templates/home/podman/headscale-config/config.yaml

@@ -188,82 +188,21 @@ dns:
   # Headscale processes this file on each change.
   # extra_records_path: /var/lib/headscale/extra-records.json
 
-# Unix socket used for the CLI to connect without authentication
-# Note: for production you will want to set this to something like:
 unix_socket: /var/run/headscale/headscale.sock
 unix_socket_permission: "0770"
 
-# OpenID Connect
-# oidc:
-#   # Block startup until the identity provider is available and healthy.
-#   only_start_if_oidc_is_available: true
-#
-#   # OpenID Connect Issuer URL from the identity provider
-#   issuer: "https://your-oidc.issuer.com/path"
-#
-#   # Client ID from the identity provider
-#   client_id: "your-oidc-client-id"
-#
-#   # Client secret generated by the identity provider
-#   # Note: client_secret and client_secret_path are mutually exclusive.
-#   client_secret: "your-oidc-client-secret"
-#   # Alternatively, set `client_secret_path` to read the secret from the file.
-#   # It resolves environment variables, making integration to systemd's
-#   # `LoadCredential` straightforward:
-#   client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
-#
-#   # The amount of time a node is authenticated with OpenID until it expires
-#   # and needs to reauthenticate.
-#   # Setting the value to "0" will mean no expiry.
-#   expiry: 180d
-#
-#   # Use the expiry from the token received from OpenID when the user logged
-#   # in. This will typically lead to frequent need to reauthenticate and should
-#   # only be enabled if you know what you are doing.
-#   # Note: enabling this will cause `oidc.expiry` to be ignored.
-#   use_expiry_from_token: false
-#
-#   # The OIDC scopes to use, defaults to "openid", "profile" and "email".
-#   # Custom scopes can be configured as needed, be sure to always include the
-#   # required "openid" scope.
-#   scope: ["openid", "profile", "email"]
-#
-#   # Only verified email addresses are synchronized to the user profile by
-#   # default. Unverified emails may be allowed in case an identity provider
-#   # does not send the "email_verified: true" claim or email verification is
-#   # not required.
-#   email_verified_required: true
-#
-#   # Provide custom key/value pairs which get sent to the identity provider's
-#   # authorization endpoint.
-#   extra_params:
-#     domain_hint: example.com
-#
-#   # Only accept users whose email domain is part of the allowed_domains list.
-#   allowed_domains:
-#     - example.com
-#
-#   # Only accept users whose email address is part of the allowed_users list.
-#   allowed_users:
-#     - alice@example.com
-#
-#   # Only accept users which are members of at least one group in the
-#   # allowed_groups list.
-#   allowed_groups:
-#     - /headscale
-#
-#   # Optional: PKCE (Proof Key for Code Exchange) configuration
-#   # PKCE adds an additional layer of security to the OAuth 2.0 authorization code flow
-#   # by preventing authorization code interception attacks
-#   # See https://datatracker.ietf.org/doc/html/rfc7636
-#   pkce:
-#     # Enable or disable PKCE support (default: false)
-#     enabled: false
-#
-#     # PKCE method to use:
-#     # - plain: Use plain code verifier
-#     # - S256: Use SHA256 hashed code verifier (default, recommended)
-#     method: S256
+oidc:
+  only_start_if_oidc_is_available: false
+  issuer: "{{ podman_headscale_oidc_issuer }}"
+  client_id: "{{ podman_headscale_oidc_client_id }}"
+  client_secret: "{{ podman_headscale_oidc_client_secret }}"
+  expiry: 180d
+  use_expiry_from_token: false
+  scope: ["openid", "profile", "email"]
+  email_verified_required: true
+  pkce:
+    enabled: true
+    method: S256
 
 logtail:
   enabled: false