tsuki/headscale: start working on oidc login

hosts/tsuki/services/headscale.nix

@@ -1,33 +1,50 @@
 { pkgs, secrets, config, ... }:
 {
+  sops.secrets."headscale/oauth2_secret" = rec {
+    restartUnits = [ "headscale.service" ];
+    owner = config.services.headscale.user;
+    group = config.users.users.${owner}.group;
+  };
+  sops.secrets."postgres/headscale" = rec {
+    restartUnits = [ "headscale.service" ];
+    owner = config.services.headscale.user;
+    group = config.users.users.${owner}.group;
+  };
+
   services.headscale = {
     enable = true;
 
     # TODO: make PR
     # dataDir = "${config.machineVars.dataDrives.default}/var/headscale";
 
-    serverUrl = "https://vpn.nani.wtf";
     port = secrets.ports.headscale;
 
-    database = {
-      type = "postgres";
-      user = "headscale";
-      name = "headscale";
-      host = "localhost";
-      port = secrets.ports.postgres;
-      passwordFile = "${config.machineVars.dataDrives.default}/keys/postgres/headscale";
-    };
-
-    dns = {
-      magicDns = true;
-      nameservers = [
-        "1.1.1.1"
-      ];
-    };
-
     settings = {
+      server_url = "https://vpn.nani.wtf";
       log.level = "warn";
       ip_prefixes = [ "10.8.0.0/24" ];
+
+      dns_config = {
+        magic_dns = true;
+        nameservers = [
+          "1.1.1.1"
+        ];
+      };
+
+      db_type = "postgres";
+      db_user = "headscale";
+      db_name = "headscale";
+      db_host = "localhost";
+      db_port = secrets.ports.postgres;
+      db_password_file = config.sops.secrets."postgres/headscale".path;
+
+      oidc = {
+        issuer = "https://auth.nani.wtf/oauth2/openid/headscale";
+        client_id = "headscale";
+        client_secret_file = config.sops.secrets."headscale/oauth2_secret".path;
+        # allowed_domains = [ "nani.wtf" ];
+        allowed_groups = [ "headscale_users" ];
+      };
     };
   };