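identity_providers:
  oidc:
    # HMAC secret for the OIDC provider, read from a mounted secret file so the
    # value never lives in this (version-controlled) configuration.
    hmac_secret: {{ secret "/run/secrets/IDENTITY_PROVIDERS_OIDC_HMAC_SECRET" }}

    # Signing key material (JWKS). The secret is multi-line, so it is piped through
    # mindent 10 "|" and msquote — presumably to re-indent it as a literal block
    # scalar at this depth and quote it so the rendered file stays valid YAML.
    # Do not replace this with a bare {{ secret }} call.
    jwks:
      - key: {{ secret "/run/secrets/IDENTITY_PROVIDERS_OIDC_JWKS_KEY" | mindent 10 "|" | msquote }}

    authorization_policies:
      # Named policy used by the headscale client: deny by default, then allow
      # members of group:headscale with a single factor.
      headscale:
        default_policy: deny
        rules:
          - policy: one_factor
            subject: 'group:headscale'

    # To generate a client secret (prints a random plaintext and its PBKDF2 hash):
    #   docker exec -it authelia authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
    # The plaintext goes to the relying party; the hash is what the
    # /run/secrets/CLIENT_SECRET_* file referenced below should hold — verify
    # against the Authelia release in use before rotating.
    clients:

      - client_id: headscale
        client_name: Headscale
        client_secret: {{ secret "/run/secrets/CLIENT_SECRET_HEADSCALE" }}
        public: false
        # Restricted to group:headscale via the named policy above.
        authorization_policy: headscale
        # implicit: presumably no consent prompt is shown for this client.
        consent_mode: implicit
        scopes:
          - openid
          - email
          - profile
        # Allow-list of redirect targets; keep it to URIs this client actually uses.
        redirect_uris:
          - https://headscale.{{ env "TRAEFIK_DOMAIN" }}/oidc/callback
          - https://headscale.{{ env "TRAEFIK_DOMAIN" }}/admin/oidc/callback # headplane on same domain as headscale
          # NOTE(review): this URI is the one registered on the separate `headadmin`
          # client below. Keep it here only if headadmin really authenticates with
          # client_id "headscale"; otherwise drop it so codes for this client cannot
          # be delivered to another application's callback.
          - https://headadmin.{{ env "TRAEFIK_DOMAIN" }}/oidc_callback
          # - https://headplane.{{ env "TRAEFIK_DOMAIN" }}/admin/oidc/callback # headplane on its own domain
        # none: userinfo response is presumably returned unsigned; relies on TLS.
        userinfo_signed_response_alg: none

      - client_id: headadmin
        client_name: headadmin
        client_secret: {{ secret "/run/secrets/CLIENT_SECRET_HEADADMIN" }}
        public: false
        # NOTE(review): one_factor admits any authenticated Authelia user. If
        # headadmin is an administrative UI for headscale, consider reusing the
        # `headscale` named policy (group-restricted) or a two_factor policy here.
        authorization_policy: one_factor
        consent_mode: implicit
        scopes:
          - openid
          - email
          - profile
        redirect_uris:
          - https://headadmin.{{ env "TRAEFIK_DOMAIN" }}/oidc_callback
        userinfo_signed_response_alg: none

      - client_id: git
        client_name: git
        client_secret: {{ secret "/run/secrets/CLIENT_SECRET_GIT" }}
        public: false
        # Any authenticated user may sign in to git with one factor.
        authorization_policy: one_factor
        consent_mode: implicit
        scopes:
          - openid
          - email
          - profile
        redirect_uris:
          - https://git.{{ env "TRAEFIK_DOMAIN" }}/oidc_callback
        userinfo_signed_response_alg: none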