fix: create assets directory in Dockerfile to resolve configuration error

- Add mkdir -p /config/assets to satisfy Authelia's expectation
- Prevents 'directory does not exist' error without unnecessary config

Your Name, 2025-06-05 08:53:36 -04:00
parent fc9be0d7c7
commit 1a04d35590
4 changed files with 631 additions and 62 deletions

260
README.md

@ -1,82 +1,218 @@
<!-- build 4 -->
# Authelia with Traefik (ATLAS) Authentication Traffic LDAP Application Security
<!-- build 5 -->
# Authelia with Traefik (ATLAS)
## Authentication Traffic LDAP Application Security
## Introduction
This setup serves as a boilerplate for deploying Authelia with Traefik, aimed at simplifying authentication traffic and application security. It's designed to be easily cloneable for quick integration into your existing deployment environments. Future iterations may incorporate LLDAP directly into this repository.
A comprehensive, production-ready authentication solution using Authelia with Traefik reverse proxy, featuring automated CI/CD, comprehensive testing, and robust secrets management.
## Installation
To get started with ATLAS, follow these steps:
1. Clone this repository to your local machine.
2. Integrate the cloned repository into your deployment by adjusting the environment variables as necessary.
3. Once configured, the system supports both OIDC and the use of Docker container labels for Traefik to manage routing and authentication requests.
## 🌟 Features
## Usage
This project is equipped to handle authentication through OIDC and to work seamlessly with Traefik for managing web traffic. After setting up, users will be able to leverage these functionalities to secure their applications.
- **🔐 Complete Authentication Stack**: Authelia + LLDAP + MariaDB + Redis
- **🚀 Production-Ready Deployment**: Docker Swarm with Traefik integration
- **🧪 Comprehensive Testing**: Automated pre-commit tests and CI/CD validation
- **🔑 Robust Secrets Management**: Automated generation and rotation capabilities
- **⚡ Development Environment**: Isolated dev setup with hot-reload capabilities
- **🔄 OIDC Integration**: Full OpenID Connect support for client applications
- **📊 Health Monitoring**: Built-in health checks and monitoring endpoints
## Deployment Cases
## 🚀 Quick Start
### Headplane (Headscale UI)
For deploying the Headscale UI, known as Headplane, apply the following labels in your Docker container configuration:
### Prerequisites
- Docker and Docker Compose
- OpenSSL (for secrets generation)
- Git with pre-commit hooks support
```yaml
labels:
us.nixc.autodeploy: "true"
traefik.enable: "true"
traefik.http.routers.production-headscale_webui.tls: "true"
traefik.http.services.production-headscale_webui.loadbalancer.server.port: "3000"
traefik.http.routers.production-headscale_webui.rule: "Host(`headscale.nixc.us`) && PathPrefix(`/admin`)"
traefik.http.routers.production-headscale_webui.entrypoints: "websecure"
traefik.http.routers.production-headscale_webui.tls.certresolver: "letsencryptresolver"
traefik.http.routers.production-headscale_webui.service: "production-headscale_webui"
traefik.docker.network: "traefik"
### Development Setup
1. **Clone the repository**:
```bash
git clone <repository-url>
cd authelia
```
2. **Start development environment**:
```bash
docker compose -f docker-compose.dev.yml up -d
```
3. **Access services**:
- **Authelia**: http://localhost:9091
- **LLDAP Admin**: http://localhost:17170
- Username: `admin`
- Password: `/ETAToLiZPWo6QK171abAUqsa3WDpd9IgneZnTA4zU0=`
4. **Run tests**:
```bash
./tests/precommit.sh
```
## 🔑 Secrets Management
### Initial Setup
Generate production secrets (⚠️ **Use with extreme caution**):
```bash
./generate-secrets.sh
```
### Headscale (Server)
For deploying the Headscale server, use the following labels:
**CRITICAL**: This script will:
- Invalidate all existing sessions and tokens
- Require updating all 10 secrets in Woodpecker CI vault
- Potentially require recreating database volumes
- Cause service downtime until deployment completes
```yaml
labels:
us.nixc.autodeploy: "true"
traefik.enable: "true"
traefik.http.routers.production-headscale_headscale.rule: "Host(`headscale.nixc.us`)"
traefik.http.routers.production-headscale_headscale.entrypoints: "websecure"
traefik.http.routers.production-headscale_headscale.tls: "true"
traefik.http.routers.production-headscale_headscale.tls.certresolver: "letsencryptresolver"
traefik.http.routers.production-headscale_headscale.service: "production-headscale_headscale"
traefik.http.services.production-headscale_headscale.loadbalancer.server.port: "8080"
traefik.docker.network: "traefik"
### Required Secrets (10 total)
#### Core Secrets (5)
- `AUTHENTICATION_BACKEND_LDAP_PASSWORD` - LDAP authentication backend password
- `IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET` - JWT secret for password reset tokens
- `STORAGE_ENCRYPTION_KEY` - Database encryption key
- `SESSION_SECRET` - Session encryption secret
- `NOTIFIER_SMTP_PASSWORD` - SMTP email notifications password
#### OIDC Secrets (3)
- `IDENTITY_PROVIDERS_OIDC_HMAC_SECRET` - OIDC HMAC signing secret
- `IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY` - OIDC token signing private key (RSA)
- `IDENTITY_PROVIDERS_OIDC_JWKS_KEY` - OIDC JWKS validation key (RSA)
#### Client Secrets (2)
- `CLIENT_SECRET_HEADSCALE` - Headscale VPN OIDC client secret
- `CLIENT_SECRET_HEADADMIN` - Headscale admin panel OIDC client secret
## 🧪 Testing
### Automated Testing
The project includes comprehensive testing:
- **Pre-commit hooks**: `./tests/precommit.sh`
- **Authentication tests**: `./tests/precommit-auth.sh`
- **CI/CD pipeline**: Automated testing on every push
### Test Coverage
- ✅ Authelia health endpoints
- ✅ Web interface accessibility
- ✅ API endpoint validation
- ✅ Container health status
- ✅ LLDAP integration
- ✅ Service interconnectivity
## 🚀 Deployment
### CI/CD Pipeline
Automated deployment through Woodpecker CI:
1. **Build & Test**: Comprehensive testing on every commit
2. **Build Images**: Multi-stage Docker builds for production
3. **Secret Management**: Automatic Docker secrets recreation
4. **Deploy**: Zero-downtime deployment to Docker Swarm
5. **Verification**: Post-deployment health checks
### Manual Deployment
```bash
# Push changes to trigger CI/CD
git add .
git commit -m "your changes"
git push
# Monitor deployment
ssh macmini7 'docker service logs authelia_authelia --follow'
```
### Generic Web Service
For a generic web service, such as TubeSync, configure with these labels:
## 🔧 Configuration
### Development vs Production
- **Development**: Uses local secrets in `docker-compose.dev.yml`
- **Production**: Uses Docker Swarm secrets from CI/CD vault
### Environment Variables
Key environment variables for customization:
- `X_AUTHELIA_SITE_NAME` - Site display name
- `X_AUTHELIA_EMAIL` - Notification email address
- `TRAEFIK_DOMAIN` - Base domain for services
## 📱 Client Integration Examples
### Headscale VPN Integration
```yaml
labels:
traefik.enable: "true"
traefik.http.routers.production_tubesync.tls: "true"
traefik.http.services.production_tubesync.loadbalancer.server.port: "4848"
traefik.http.routers.production_tubesync.rule: "Host(`tubesync.nixc.us`)"
traefik.http.routers.production_tubesync.entrypoints: "websecure"
traefik.http.routers.production_tubesync.tls.certresolver: "letsencryptresolver"
traefik.http.routers.production_tubesync.service: "production_tubesync"
traefik.docker.network: "traefik"
traefik.http.routers.production_tubesync.middlewares: "authelia_authelia@docker"
traefik.http.routers.headscale.rule: "Host(`headscale.nixc.us`)"
traefik.http.routers.headscale.entrypoints: "websecure"
traefik.http.routers.headscale.tls.certresolver: "letsencryptresolver"
traefik.http.services.headscale.loadbalancer.server.port: "8080"
```
## Requirements
- Docker
- Authelia
- Gitea
- Woodpecker-CI
- Traefik
- Headscale (utilizes OIDC)
### Protected Web Service
```yaml
labels:
traefik.enable: "true"
traefik.http.routers.myapp.rule: "Host(`myapp.nixc.us`)"
traefik.http.routers.myapp.middlewares: "authelia_authelia@docker"
traefik.http.services.myapp.loadbalancer.server.port: "8080"
```
## Reporting Issues & Feature Requests
If you encounter any issues or would like to suggest improvements, please feel free to reach out via email or Discord.
## 🔍 Monitoring & Troubleshooting
## Acknowledgments
For information on the technologies used within this project, such as Authelia, Traefik, Gitea, Woodpecker-CI, and Headscale, please consult their respective project pages through Google or Bing.
### Health Checks
- **Authelia**: `http://localhost:9091/api/health`
- **Service Status**: `docker service ls`
- **Logs**: `docker service logs authelia_authelia`
## Generate Headscale client secret.
`docker exec -it authelia authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986`
The digest goes in the CLIENT_SECRET_HEADSCALE file and the random password is used in the headscale container config.yml file
### Common Issues
1. **Service won't start**: Check secrets configuration
2. **Authentication fails**: Verify LLDAP connectivity
3. **OIDC issues**: Check RSA key format in JWKS configuration
## 🛠️ Development Workflow
1. **Make changes** to configuration or code
2. **Test locally**: `./tests/precommit.sh`
3. **Commit changes**: Git pre-commit hooks run automatically
4. **Push to repository**: Triggers CI/CD pipeline
5. **Monitor deployment**: Check service health in production
## 📋 Requirements
### Core Infrastructure
- **Docker & Docker Compose**: Container orchestration
- **Traefik**: Reverse proxy and load balancer
- **Authelia**: Authentication and authorization server
- **LLDAP**: Lightweight LDAP server for user management
- **MariaDB**: Database backend
- **Redis**: Session storage and caching
### Development Tools
- **Woodpecker CI**: Continuous integration and deployment
- **Git**: Version control with pre-commit hooks
- **OpenSSL**: Cryptographic operations and secrets generation
## 🔐 Security Considerations
- **Secrets Rotation**: Use `./generate-secrets.sh` for periodic rotation
- **Database Encryption**: All sensitive data encrypted at rest
- **TLS Everywhere**: HTTPS/TLS for all client communications
- **Session Security**: Secure session management with Redis
- **OIDC Standards**: Industry-standard OpenID Connect implementation
## 📞 Support & Contributing
### Reporting Issues
- Create detailed bug reports with logs and steps to reproduce
- Include environment details and configuration (without secrets!)
### Contributing
1. Fork the repository
2. Create a feature branch
3. Add tests for new functionality
4. Ensure all tests pass
5. Submit a pull request
## 🙏 Acknowledgments
This project leverages several excellent open-source projects:
- **[Authelia](https://www.authelia.com/)** - Authentication and authorization server
- **[Traefik](https://traefik.io/)** - Cloud-native reverse proxy
- **[LLDAP](https://github.com/nitnelave/lldap)** - Lightweight LDAP implementation
- **[Woodpecker CI](https://woodpecker-ci.org/)** - Continuous integration platform
---
**⚠️ Important**: Always keep `secrets.md` secure and never commit it to version control!
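Review bot: the development LLDAP admin password is written out in clear under the "LLDAP Admin" step of the Quick Start, and the closing line "never commit `secrets.md` to version control" lands in the same commit that adds `secrets.md.backup` with live values; replace the dev password in the README with a pointer to where it is defined (`docker-compose.dev.yml`) and add `secrets.md` and `secrets.md.backup` to `.gitignore` so the warning is enforced rather than advisory. Two consistency points in the same text: the "Generate Headscale client secret" section says the pbkdf2 digest goes in the `CLIENT_SECRET_HEADSCALE` file, while the Secrets Management section lists `CLIENT_SECRET_HEADSCALE` as a plain generated client secret, so one of the two should be corrected to match what the generator actually emits; and `git clone <repository-url>` and `ssh macmini7` leave a placeholder and a site-specific hostname in a document that presents itself as a cloneable boilerplate.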


@ -2,6 +2,10 @@ FROM authelia/authelia:4
COPY config/ /config/
# Create assets directory to satisfy Authelia's expectation
# even though we don't use custom assets
RUN mkdir -p /config/assets
CMD ["authelia", \
"--config=/config/configuration.server.yml", \
"--config=/config/configuration.ldap.yml", \
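Review bot: creating an empty `/config/assets` to silence the "directory does not exist" error treats the symptom; if the check is triggered by an asset path option in one of the configuration files passed on the `CMD` line, dropping that option is the cleaner fix, since an empty asset directory serves nothing and its presence will lead a later maintainer to assume custom assets are in use. If the directory is kept, the comment on `RUN mkdir -p /config/assets` should name the configuration key it satisfies so the dependency is traceable when the config files change.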

306
generate-secrets.sh Executable file

@ -0,0 +1,306 @@
#!/bin/bash
set -e
#################################################################################
# Authelia Secrets Generator
#################################################################################
#
# ⚠️ CRITICAL WARNING: DO NOT RUN THIS SCRIPT CASUALLY! ⚠️
#
# This script generates completely new secrets for Authelia. Running this will:
#
# 1. 🔑 INVALIDATE ALL EXISTING SECRETS - Users will be logged out, tokens invalid
# 2. 🗄️ REQUIRE UPDATING WOODPECKER CI VAULT - All 10 secrets must be manually
# updated in your CI/CD system before the new secrets take effect
# 3. 💾 POTENTIALLY REQUIRE RECREATING DOCKER VOLUMES - If you change encryption
# keys (STORAGE_ENCRYPTION_KEY), existing encrypted database data will be
# unreadable and you may need to recreate persistent volumes
# 4. 🔄 TRIGGER FULL REDEPLOYMENT - The CI/CD pipeline will need to run to apply
# the new secrets to production
#
# ONLY run this script when you intentionally want to rotate ALL secrets, such as:
# - Security incident requiring credential rotation
# - Periodic security maintenance (e.g., quarterly rotation)
# - Setting up a completely new environment
#
# REQUIRED STEPS AFTER RUNNING THIS SCRIPT:
# 1. Update all 10 secrets in Woodpecker CI vault with values from secrets.md
# 2. Trigger deployment (git push) to apply new secrets
# 3. Monitor deployment for successful startup
# 4. If database encryption key changed, may need to recreate volumes/data
# 5. Test authentication and OIDC functionality
#
#################################################################################
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color
echo -e "${BLUE}🔐 Authelia Secrets Generator${NC}"
echo "=================================="
# Function to check if a command exists
command_exists() {
command -v "$1" >/dev/null 2>&1
}
# Function to check for required tools
check_requirements() {
local missing_tools=()
echo -e "${BLUE}🔍 Checking required tools...${NC}"
# Check for openssl
if ! command_exists openssl; then
missing_tools+=("openssl")
else
echo -e "${GREEN}✓ openssl found${NC}"
fi
# If any tools are missing, show installation instructions
if [ ${#missing_tools[@]} -ne 0 ]; then
echo ""
echo -e "${RED}❌ Missing required tools: ${missing_tools[*]}${NC}"
echo ""
echo -e "${YELLOW}📦 Installation instructions:${NC}"
for tool in "${missing_tools[@]}"; do
case $tool in
"openssl")
echo "• OpenSSL:"
echo " - macOS: brew install openssl"
echo " - Ubuntu/Debian: sudo apt-get install openssl"
echo " - CentOS/RHEL: sudo yum install openssl"
echo " - Alpine: apk add openssl"
;;
esac
done
echo ""
echo -e "${RED}Please install the missing tools and run this script again.${NC}"
exit 1
fi
echo -e "${GREEN}✅ All required tools are available${NC}"
echo ""
}
# Function to show critical warnings
show_warnings() {
echo -e "${RED}🚨 CRITICAL WARNINGS BEFORE PROCEEDING 🚨${NC}"
echo -e "${RED}==========================================${NC}"
echo ""
echo -e "${YELLOW}This will generate completely NEW secrets that will:${NC}"
echo -e "${RED}• Invalidate ALL existing user sessions and tokens${NC}"
echo -e "${RED}• Require manual update of ALL 10 secrets in Woodpecker CI vault${NC}"
echo -e "${RED}• Potentially require recreating database volumes if encryption key changes${NC}"
echo -e "${RED}• Cause service downtime until deployment completes${NC}"
echo ""
echo -e "${YELLOW}REQUIRED FOLLOW-UP STEPS:${NC}"
echo "1. Update secrets in Woodpecker CI vault (all 10 values)"
echo "2. Commit and push to trigger deployment"
echo "3. Monitor deployment logs for successful startup"
echo "4. Test authentication functionality"
echo "5. If STORAGE_ENCRYPTION_KEY changed, may need to recreate volumes"
echo ""
echo -e "${BLUE}💡 Only proceed if you understand these implications!${NC}"
echo ""
}
# Check requirements before proceeding
check_requirements
# Show critical warnings
show_warnings
# Check if secrets.md already exists
if [[ -f "secrets.md" ]]; then
echo -e "${YELLOW}⚠️ WARNING: secrets.md already exists!${NC}"
read -p "Do you want to overwrite it? (y/N): " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
echo -e "${RED}❌ Cancelled by user${NC}"
exit 1
fi
echo -e "${YELLOW}📝 Backing up existing secrets.md to secrets.md.backup${NC}"
cp secrets.md secrets.md.backup
fi
# Final confirmation before generating secrets
echo -e "${RED}🔥 FINAL CONFIRMATION 🔥${NC}"
echo -e "${RED}Are you absolutely sure you want to generate NEW secrets?${NC}"
echo -e "${YELLOW}This will require updating CI vault and may cause data loss!${NC}"
read -p "Type 'YES' to confirm: " -r
echo
if [[ ! $REPLY == "YES" ]]; then
echo -e "${RED}❌ Cancelled - must type 'YES' to confirm${NC}"
exit 1
fi
echo -e "${GREEN}🔄 Generating fresh secrets...${NC}"
# Function to generate base64 secret
generate_base64_secret() {
openssl rand -base64 48
}
# Function to generate RSA private key
generate_rsa_key() {
openssl genrsa 2048 2>/dev/null
}
echo -e "${BLUE}📝 Creating secrets.md file...${NC}"
# Create the secrets.md file
cat > secrets.md << 'EOF'
# Authelia Production Secrets
**DO NOT COMMIT THIS FILE TO VERSION CONTROL**
## Core Secrets
### AUTHENTICATION_BACKEND_LDAP_PASSWORD
LDAP authentication backend password
```
EOF
# Generate and append each secret
echo "$(generate_base64_secret)" >> secrets.md
cat >> secrets.md << 'EOF'
```
### IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET
JWT secret for password reset tokens
```
EOF
echo "$(generate_base64_secret)" >> secrets.md
cat >> secrets.md << 'EOF'
```
### STORAGE_ENCRYPTION_KEY
Database encryption key
```
EOF
echo "$(generate_base64_secret)" >> secrets.md
cat >> secrets.md << 'EOF'
```
### SESSION_SECRET
Session encryption secret
```
EOF
echo "$(generate_base64_secret)" >> secrets.md
cat >> secrets.md << 'EOF'
```
### NOTIFIER_SMTP_PASSWORD
SMTP email notifications password
```
8P7ah6U5ZjbQ2Faaw1fJoehxJrMOslCu
```
## OIDC Secrets
### IDENTITY_PROVIDERS_OIDC_HMAC_SECRET
OIDC HMAC signing secret
```
EOF
echo "$(generate_base64_secret)" >> secrets.md
cat >> secrets.md << 'EOF'
```
### IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY
OIDC token signing private key
```
EOF
generate_rsa_key >> secrets.md
cat >> secrets.md << 'EOF'
```
### IDENTITY_PROVIDERS_OIDC_JWKS_KEY
OIDC JWKS validation key
```
EOF
generate_rsa_key >> secrets.md
cat >> secrets.md << 'EOF'
```
## Client Secrets
### CLIENT_SECRET_HEADSCALE
Headscale VPN OIDC client secret
```
EOF
echo "$(generate_base64_secret)" >> secrets.md
cat >> secrets.md << 'EOF'
```
### CLIENT_SECRET_HEADADMIN
Headscale admin panel OIDC client secret
```
EOF
echo "$(generate_base64_secret)" >> secrets.md
cat >> secrets.md << 'EOF'
```
EOF
echo -e "${GREEN}✅ Fresh secrets.md file generated successfully!${NC}"
echo ""
echo -e "${RED}🚨 CRITICAL NEXT STEPS - DO NOT SKIP! 🚨${NC}"
echo -e "${RED}=====================================${NC}"
echo -e "${YELLOW}1. 🗄️ UPDATE WOODPECKER CI VAULT:${NC}"
echo " - Go to your Woodpecker CI secrets management"
echo " - Update ALL 10 secret values with the new values from secrets.md"
echo " - Double-check each secret is correctly copied"
echo ""
echo -e "${YELLOW}2. 🚀 TRIGGER DEPLOYMENT:${NC}"
echo " - Commit any changes: git add . && git commit -m 'rotate secrets'"
echo " - Push to trigger CI/CD: git push"
echo " - Monitor the deployment logs for successful startup"
echo ""
echo -e "${YELLOW}3. 🔍 VERIFY DEPLOYMENT:${NC}"
echo " - Check service logs: ssh macmini7 'docker service logs authelia_authelia'"
echo " - Test authentication functionality"
echo " - Verify OIDC clients can authenticate"
echo ""
echo -e "${YELLOW}4. 💾 IF STORAGE_ENCRYPTION_KEY CHANGED:${NC}"
echo " - Existing encrypted data will be unreadable"
echo " - May need to recreate database volumes"
echo " - Users may need to re-register/re-authenticate"
echo ""
echo -e "${RED}⚠️ Remember: Keep secrets.md secure and never commit it to version control!${NC}"
# Show summary of what was generated
echo ""
echo -e "${BLUE}📊 Generated secrets summary:${NC}"
echo "• AUTHENTICATION_BACKEND_LDAP_PASSWORD (Base64)"
echo "• IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET (Base64)"
echo "• STORAGE_ENCRYPTION_KEY (Base64) ⚠️ May require volume recreation"
echo "• SESSION_SECRET (Base64) ⚠️ Will invalidate all user sessions"
echo "• NOTIFIER_SMTP_PASSWORD (Fixed production password)"
echo "• IDENTITY_PROVIDERS_OIDC_HMAC_SECRET (Base64)"
echo "• IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY (RSA 2048-bit)"
echo "• IDENTITY_PROVIDERS_OIDC_JWKS_KEY (RSA 2048-bit)"
echo "• CLIENT_SECRET_HEADSCALE (Base64) ⚠️ Will invalidate Headscale tokens"
echo "• CLIENT_SECRET_HEADADMIN (Base64) ⚠️ Will invalidate Headadmin tokens"
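Review bot: `NOTIFIER_SMTP_PASSWORD` is not generated but hardcoded as a literal in the heredoc under `### NOTIFIER_SMTP_PASSWORD`, and the summary labels it "(Fixed production password)", which commits a live SMTP credential to the repository; read it from the environment or prompt with `read -rs` instead, and rotate the committed value at the mail provider. Related points in the same file: `CLIENT_SECRET_HEADSCALE` and `CLIENT_SECRET_HEADADMIN` are emitted as raw `openssl rand -base64 48` output, whereas the README says the pbkdf2 digest goes into `CLIENT_SECRET_HEADSCALE`, so either hash here or change the README; `secrets.md` and `secrets.md.backup` are created with the default umask and no `.gitignore` guard, so add `umask 077` before `cat > secrets.md` and ignore both names (this commit itself ships the backup); and `echo "$(generate_base64_secret)" >> secrets.md` hides an `openssl` failure from `set -e` because the exit status checked is `echo`'s, so write `generate_base64_secret >> secrets.md` directly, which also matches how `generate_rsa_key` is already called. `set -euo pipefail` plus not discarding `genrsa` stderr at `2>/dev/null` would stop a partial `secrets.md` that looks complete.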

123
secrets.md.backup Normal file

@ -0,0 +1,123 @@
# Authelia Production Secrets
**DO NOT COMMIT THIS FILE TO VERSION CONTROL**
## Core Secrets
### AUTHENTICATION_BACKEND_LDAP_PASSWORD
LDAP authentication backend password
```
M3OPMiRaWrL2RKfbf89AkdGPXtvu0HO54JkjgHfS4aKX7uZFunoRRJe6QoizcZdl
```
### IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET
JWT secret for password reset tokens
```
zvVa7SFCU4QsBYyV/ofERdhqX3S072knmWHc+vIYVR0Jf/iWLfogpVnsCO0fe84d
```
### STORAGE_ENCRYPTION_KEY
Database encryption key
```
aghKiwANaIIiDu4hsn34gok273Jn/xLjfFEm2OLoqqnVs1EnriYI7igJXc6LdYZ+
```
### SESSION_SECRET
Session encryption secret
```
hYtbSIYvh/gH3jLlmk+qrokQehytAeLQrUIwVuyEXstA2FFXDizaZF2vbdlrHCc8
```
### NOTIFIER_SMTP_PASSWORD
SMTP email notifications password
```
8P7ah6U5ZjbQ2Faaw1fJoehxJrMOslCu
```
## OIDC Secrets
### IDENTITY_PROVIDERS_OIDC_HMAC_SECRET
OIDC HMAC signing secret
```
zrnMWj61QvLebBFWphAjOMwb8TIStT+FWZaP83Zn8oVP24s1t5UnJD0syL4kREQk
```
### IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY
OIDC token signing private key
```
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
```
### IDENTITY_PROVIDERS_OIDC_JWKS_KEY
OIDC JWKS validation key
```
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
```
## Client Secrets
### CLIENT_SECRET_HEADSCALE
Headscale VPN OIDC client secret
```
I7tiomn7akKaKF+xOj2W8JDudQQTd5CAj88nfngQbhgn4wRf9iwEinDSQnghCmCq
```
### CLIENT_SECRET_HEADADMIN
Headscale admin panel OIDC client secret
```
fEXUwuVB7JJL3sg7fasiNoPGA4XGWYUxbyuonX6CK7ABZw5H24HMfYmpAb3VR5J0
```
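Review bot: this file puts real production secret material into version control, directly under a header reading "DO NOT COMMIT THIS FILE TO VERSION CONTROL": the LDAP, password-reset JWT, storage encryption, session, SMTP, OIDC HMAC and both OIDC client secrets in plaintext, plus two RSA private keys. Every value here must be treated as compromised: rotate all of them (the SMTP password at the provider as well, since `generate-secrets.sh` does not rotate it), remove the file and rewrite history so the blob is gone from the remote (a later delete commit leaves it recoverable), and add `secrets.md` and `secrets.md.backup` to `.gitignore` so the generator's backup step cannot recreate this. The `.backup` name is what the generator writes when an existing `secrets.md` is overwritten, so this is the previously live set rather than sample data.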