- Added Keycloak service with PostgreSQL backend
- Configured OIDC for both Headscale and Headplane
- Added systemd service to auto-create the /var/lib/headplane directory
- Updated Keycloak realm JSON with the required client scopes (openid, profile, email)
- Generated and configured a Headscale API key for Headplane OIDC
- Added production hardening: auto-restart, garbage collection, boot cleanup

The setup now supports:
- User login via Keycloak OIDC at https://auth.kennys.mom
- Headplane web UI with SSO at https://headplane.kennys.mom/admin
- Fallback API key authentication
- Automated secret generation and permissions management

Review note: the exported realm still leaves Direct Access Grants (ROPC, directAccessGrantsEnabled), Authorization Services and a wildcard redirect URI (https://headplane.kennys.mom/*) enabled on the confidential "headplane" client, and sets sslRequired to "external". None of these is needed for a web UI that only uses the standard authorization-code flow, so they should be tightened (exact callback URI, ROPC and authorization services off, sslRequired "all") before the realm is described as production-hardened.
{
"id": "headscale",
"realm": "headscale",
"displayName": "Headscale",
"enabled": true,
"sslRequired": "external",
"registrationAllowed": false,
"loginWithEmailAllowed": true,
"duplicateEmailsAllowed": false,
"resetPasswordAllowed": true,
"editUsernameAllowed": false,
"bruteForceProtected": true,
"permanentLockout": false,
"maxFailureWaitSeconds": 900,
"minimumQuickLoginWaitSeconds": 60,
"waitIncrementSeconds": 60,
"quickLoginCheckMilliSeconds": 1000,
"maxDeltaTimeSeconds": 43200,
"failureFactor": 5,
"defaultSignatureAlgorithm": "RS256",
"offlineSessionMaxLifespanEnabled": false,
"offlineSessionMaxLifespan": 5184000,
"clients": [
{
"clientId": "headplane",
"name": "Headplane Web UI",
"description": "Headscale web administration interface",
"enabled": true,
"clientAuthenticatorType": "client-secret",
"secret": "**************",
"redirectUris": [
"https://headplane.kennys.mom/*"
],
"webOrigins": [
"https://headplane.kennys.mom"
],
"protocol": "openid-connect",
"attributes": {},
"fullScopeAllowed": true,
"publicClient": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": false,
"authorizationServicesEnabled": true,
"alwaysDisplayInConsole": false,
"rootUrl": "https://headplane.kennys.mom",
"baseUrl": "/admin"
}
],
"clientScopes": [
{
"name": "openid",
"protocol": "openid-connect",
"attributes": {},
"protocolMappers": []
},
{
"name": "profile",
"protocol": "openid-connect",
"attributes": {},
"protocolMappers": [
{
"name": "username",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"consentRequired": false,
"config": {
"userinfo.token.claim": "true",
"user.attribute": "username",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "preferred_username",
"jsonType.label": "String"
}
}
]
},
{
"name": "email",
"protocol": "openid-connect",
"attributes": {},
"protocolMappers": [
{
"name": "email",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"consentRequired": false,
"config": {
"userinfo.token.claim": "true",
"user.attribute": "email",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "email",
"jsonType.label": "String"
}
}
]
}
],
"defaultDefaultClientScopes": [
"role_list",
"profile",
"email",
"roles",
"web-origins",
"acr"
],
"defaultOptionalClientScopes": [
"offline_access",
"address",
"phone",
"microprofile-jwt"
],
"users": [],
"roles": {
"realm": [
{
"name": "user",
"description": "Standard Headscale user"
},
{
"name": "admin",
"description": "Headscale administrator"
}
]
}
} |