From ef0c19e2dd1bafbccffaf12f3178b25246ad0509 Mon Sep 17 00:00:00 2001
From: irl
Date: Mon, 25 May 2026 09:45:29 +0100
Subject: [PATCH] feat: oidc
---
 .../home/podman/headscale-config/config.yaml | 85 +++----------------
 1 file changed, 12 insertions(+), 73 deletions(-)
diff --git a/roles/podman_headscale/templates/home/podman/headscale-config/config.yaml b/roles/podman_headscale/templates/home/podman/headscale-config/config.yaml
index 2406c74..47d094f 100644
--- a/roles/podman_headscale/templates/home/podman/headscale-config/config.yaml
+++ b/roles/podman_headscale/templates/home/podman/headscale-config/config.yaml
@@ -188,82 +188,21 @@ dns:
 # Headscale processes this file on each change.
 # extra_records_path: /var/lib/headscale/extra-records.json
-# Unix socket used for the CLI to connect without authentication
-# Note: for production you will want to set this to something like:
 unix_socket: /var/run/headscale/headscale.sock
 unix_socket_permission: "0770"
-# OpenID Connect
-# oidc:
-# # Block startup until the identity provider is available and healthy.
-#
-# # OpenID Connect Issuer URL from the identity provider
-# issuer: "https://your-oidc.issuer.com/path"
-#
-# # Client ID from the identity provider
-# client_id: "your-oidc-client-id"
-#
-# # Client secret generated by the identity provider
-# # Note: client_secret and client_secret_path are mutually exclusive.
-# client_secret: "your-oidc-client-secret"
-# # Alternatively, set `client_secret_path` to read the secret from the file.
-# # It resolves environment variables, making integration to systemd's
-# # `LoadCredential` straightforward:
-# client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
-#
-# # The amount of time a node is authenticated with OpenID until it expires
-# # and needs to reauthenticate.
-# # Setting the value to "0" will mean no expiry.
-# expiry: 180d
-#
-# # Use the expiry from the token received from OpenID when the user logged
-# # in. This will typically lead to frequent need to reauthenticate and should
-# # only be enabled if you know what you are doing.
-# # Note: enabling this will cause `oidc.expiry` to be ignored.
-# use_expiry_from_token: false
-#
-# # The OIDC scopes to use, defaults to "openid", "profile" and "email".
-# # Custom scopes can be configured as needed, be sure to always include the
-# # required "openid" scope.
-# scope: ["openid", "profile", "email"]
-#
-# # Only verified email addresses are synchronized to the user profile by
-# # default. Unverified emails may be allowed in case an identity provider
-# # does not send the "email_verified: true" claim or email verification is
-# # not required.
-# email_verified_required: true
-#
-# # Provide custom key/value pairs which get sent to the identity provider's
-# # authorization endpoint.
-# extra_params:
-# domain_hint: example.com
-#
-# # Only accept users whose email domain is part of the allowed_domains list.
-# allowed_domains:
-# - example.com
-#
-# # Only accept users whose email address is part of the allowed_users list.
-# allowed_users:
-# - alice@example.com
-#
-# # Only accept users which are members of at least one group in the
-# # allowed_groups list.
-# allowed_groups:
-# - /headscale
-#
-# # Optional: PKCE (Proof Key for Code Exchange) configuration
-# # PKCE adds an additional layer of security to the OAuth 2.0 authorization code flow
-# # by preventing authorization code interception attacks
-# # See https://datatracker.ietf.org/doc/html/rfc7636
-# pkce:
-# # Enable or disable PKCE support (default: false)
-# enabled: false
-#
-# # PKCE method to use:
-# # - plain: Use plain code verifier
-# # - S256: Use SHA256 hashed code verifier (default, recommended)
-# method: S256
+oidc:
+ only_start_if_oidc_is_available: false
+ issuer: "{{ podman_headscale_oidc_issuer }}"
+ client_id: "{{ podman_headscale_oidc_client_id }}"
+ client_secret: "{{ podman_headscale_oidc_client_secret }}"
+ expiry: 180d
+ use_expiry_from_token: false
+ scope: ["openid", "profile", "email"]
+ email_verified_required: true
+ pkce:
+ enabled: true
+ method: S256
 logtail:
 enabled: false
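Review bot: The rendered config now carries the OIDC client secret in plaintext through `client_secret: "{{ podman_headscale_oidc_client_secret }}"`, whereas the comments this hunk deletes describe `client_secret_path` (mutually exclusive with `client_secret`) for reading it from a file that resolves `${CREDENTIALS_DIRECTORY}`; unless the template task that writes config.yaml sets a restrictive mode and `no_log`, which is not visible in this diff, the secret should move to `client_secret_path: "<PLACEHOLDER: path to a separately managed secret file>"` so it is not part of the config file at all. The new block also adopts none of the `allowed_domains`, `allowed_users` or `allowed_groups` restrictions the deleted comments documented, so every account the issuer authenticates can register a node; if the issuer is not single-tenant, an explicit `allowed_domains:` list (or one of the other two) is the missing check. `only_start_if_oidc_is_available: false` and `use_expiry_from_token: false` are deliberate choices that deserve a one-line reason each, since all of the upstream explanation was removed with the comments. A short header such as `# OIDC settings come from the podman_headscale_oidc_* role variables; see the role defaults for their meaning.` would keep the block readable for the next maintainer.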