tsuki/headscale: start working on oidc login

hosts/tsuki/services/headscale.nix

@@ -1,33 +1,50 @@
 { pkgs, secrets, config, ... }:
 {
+  sops.secrets."headscale/oauth2_secret" = rec {
+    restartUnits = [ "headscale.service" ];
+    owner = config.services.headscale.user;
+    group = config.users.users.${owner}.group;
+  };
+  sops.secrets."postgres/headscale" = rec {
+    restartUnits = [ "headscale.service" ];
+    owner = config.services.headscale.user;
+    group = config.users.users.${owner}.group;
+  };
+
   services.headscale = {
     enable = true;
 
     # TODO: make PR
     # dataDir = "${config.machineVars.dataDrives.default}/var/headscale";
 
-    serverUrl = "https://vpn.nani.wtf";
     port = secrets.ports.headscale;
 
-    database = {
+    settings = {
-      type = "postgres";
+      server_url = "https://vpn.nani.wtf";
-      user = "headscale";
+      log.level = "warn";
-      name = "headscale";
+      ip_prefixes = [ "10.8.0.0/24" ];
-      host = "localhost";
-      port = secrets.ports.postgres;
-      passwordFile = "${config.machineVars.dataDrives.default}/keys/postgres/headscale";
-    };
 
-    dns = {
+      dns_config = {
-      magicDns = true;
+        magic_dns = true;
         nameservers = [
           "1.1.1.1"
         ];
       };
 
-    settings = {
+      db_type = "postgres";
-      log.level = "warn";
+      db_user = "headscale";
-      ip_prefixes = [ "10.8.0.0/24" ];
+      db_name = "headscale";
+      db_host = "localhost";
+      db_port = secrets.ports.postgres;
+      db_password_file = config.sops.secrets."postgres/headscale".path;
+
+      oidc = {
+        issuer = "https://auth.nani.wtf/oauth2/openid/headscale";
+        client_id = "headscale";
+        client_secret_file = config.sops.secrets."headscale/oauth2_secret".path;
+        # allowed_domains = [ "nani.wtf" ];
+        allowed_groups = [ "headscale_users" ];
+      };
     };
   };
 

secrets/default.yaml

@@ -13,6 +13,7 @@ postgres:
     gitea: ENC[AES256_GCM,data:HyYgEgOzeOnaEvPDEXoL+fRhrnqCeGbb/wOYf2kHulxrU9PKIAcRzmNljsc=,iv:1N/N2RUQ++rAWw4VNQzhee2aV9LzOJym6cyM6CAnZUU=,tag:o7dblJrIAPd4/S8X2LKdcQ==,type:str]
     invidious: ENC[AES256_GCM,data:r/Jzs7U1fkCi2j5L/tOcBfakR3virj8HGrDrVZdP7VwubG4BJLvoeb14eJo=,iv:3plNFOds+HeF0HAliedczpNgPL4ZgqhCOwqbnb2e8Ag=,tag:DHm/KM9UuPiqaRxqNDb7QA==,type:str]
     nextcloud: ENC[AES256_GCM,data:E1tD6Z2SDbi5TUDAACjXSJJIn+/ySu0+8xhvRVFxumxjex4ZsEw+mofKIxM=,iv:E4iPVF3M8GOoQghVQtn/kCEpXl0b8MueCbtyvzFM8AA=,tag:IF4kWOuTsylqrXMoXzQaVQ==,type:str]
+    headscale: ENC[AES256_GCM,data:UVPCZjcpm9j2dMwyAvrPfwOj84JJHrwoU5rs672FEeA=,iv:zq3J4mL/PB3EAl8LHxxC77Y4FMrZWT4QF+DOih+FIGk=,tag:UwfjKnjfJ3a6RwAWg/8BzQ==,type:str]
 pgadmin:
     oauth2_secret: ENC[AES256_GCM,data:A1Upe1Ja76++ZdOx5YhuKjpaont4m5ChRzn/YVpJbnFzWy1tFlBkOr6UgBj7Wopg,iv:hY+b7AVSrSgHu/10reIjUjJ8+yR4FrZe2JgGiAowfGs=,tag:thy6O1Y3FGTWaQXqlU9aYg==,type:str]
     initialPassword: ENC[AES256_GCM,data:674lqcGTDCOYBNocf0LQuQB1cbMus0iZOcvwbadpAXrF4DPQSetqrg==,iv:y8hfzLh6i7LxR11fmM9T0z2t7202JMAiZzi/1iCWPvM=,tag:lHwCBWaWsArrAJ0rZ8Xk/w==,type:str]
@@ -31,8 +32,8 @@ sops:
             UE1YWkplaFBhV01CU0FDYTQ3NlkwVkUKMJyCfyh/vcj/VU7shtFF4YRRVaWdcMNh
             rp9lZmRZpc9mARXYAj9RlkI/uuSzxshtqb5AGXKmSV0hncazxu75kg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-05-08T00:26:32Z"
+    lastmodified: "2023-05-08T00:32:18Z"
-    mac: ENC[AES256_GCM,data:ESAcNcZu6MyT2h1gyXd7UHK5UK5slm+btmWAAaOjP4LVxn2ybNU9/K25gbiuDngH+xEclPXN8t/QtjKpHT1PtJW/nRcT7VDJ7+x50YTixvzrC7PSz2ebdm/HOG7Pb/y+Jo/I/LqKzdYmrbBfug61z84DJJqLHjzuDaWT/9s6U90=,iv:Yco3AQerNcDmO2H36Osm0XsbE7G/Yp4sTcYfutQZ7gM=,tag:/7VZifOICO+7Ebjt6RDe0g==,type:str]
+    mac: ENC[AES256_GCM,data:t+2E4Qp2LNCHnsj1zJMzryHu9rLkOsGetG52ZJIae1zOP1vkpyxi3XztgnW2hWmDJzldZLroF0AkCQgHH6e0vo1fxZFZ+3rtFjke91IKq4ahi86LFT0RZnWfjppclwEhsUNGlKUul3AXwJqPnW3jOPOUf4nrWBS0yrTYB/2sk24=,iv:By+DMhUhUQ7s9jND3F1hdKT8hTTsZKkxl2PYYEdZQtA=,tag:Qk3yBB2/ML+iT3O0cNcgiQ==,type:str]
     pgp:
         - created_at: "2023-03-07T12:32:53Z"
           enc: |