7c1bdb2c54
- Added Keycloak service with PostgreSQL backend - Configured OIDC for both Headscale and Headplane - Added systemd service to auto-create /var/lib/headplane directory - Updated Keycloak realm JSON with required client scopes (openid, profile, email) - Generated and configured Headscale API key for Headplane OIDC - Added production hardening: auto-restart, garbage collection, boot cleanup The setup now supports: - User login via Keycloak OIDC at https://auth.kennys.mom - Headplane web UI with SSO at https://headplane.kennys.mom/admin - Fallback API key authentication - Automated secret generation and permissions management
24 lines
750 B
Nix
24 lines
750 B
Nix
{ config, pkgs, lib, ... }:
|
|
{
|
|
# Store Keycloak client secret
|
|
systemd.services.headscale-oidc-secret = {
|
|
description = "Create Headscale OIDC client secret";
|
|
wantedBy = [ "multi-user.target" ];
|
|
before = [ "headscale.service" ];
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
RemainAfterExit = true;
|
|
};
|
|
script = ''
|
|
mkdir -p /var/lib/headscale
|
|
if [ ! -f /var/lib/headscale/oidc_client_secret ]; then
|
|
echo -n "4MESLzCyNdSo91QH9hMtSMtpZgazAqtw" > /var/lib/headscale/oidc_client_secret
|
|
echo "OIDC client secret created"
|
|
fi
|
|
# Always fix permissions
|
|
chmod 640 /var/lib/headscale/oidc_client_secret
|
|
chown headscale:headscale /var/lib/headscale/oidc_client_secret
|
|
'';
|
|
};
|
|
}
|