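# Authelia OIDC provider configuration.
# This file is a Go template rendered by Authelia before YAML parsing:
# `secret` reads a file under /run/secrets, `env` reads an environment variable.
# No secret material is written inline; every secret is referenced by file.
identity_providers:
  oidc:
    # HMAC secret for the OIDC provider, sourced from a secret file rather than inline.
    hmac_secret: {{ secret "/run/secrets/IDENTITY_PROVIDERS_OIDC_HMAC_SECRET" }}
    jwks:
      # Private signing key (multi-line PEM). `mindent 10 "|"` re-indents it as a block
      # scalar at this key's content column (10) and `msquote` quotes the lines so the
      # rendered text parses as valid YAML. Keep the indent argument in sync with nesting.
      - key: {{ secret "/run/secrets/IDENTITY_PROVIDERS_OIDC_JWKS_KEY" | mindent 10 "|" | msquote }}
    authorization_policies:
      # Named policy for the headscale client: deny by default, allow only members of
      # group:headscale once they have completed at least one factor.
      headscale:
        default_policy: deny
        rules:
          - policy: one_factor
            subject: group:headscale
    # To generate secrets:
    # docker exec -it authelia authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
    # The command prints a random plaintext and its pbkdf2 digest: the digest goes into the
    # secret file referenced by `client_secret` below, the plaintext is configured on the
    # client application. Never store the plaintext on the Authelia side.
    clients:
      - client_id: headscale
        client_name: Headscale
        client_secret: {{ secret "/run/secrets/CLIENT_SECRET_HEADSCALE" }}
        # confidential client: must present its client_secret at the token endpoint
        public: false
        # restricted to group:headscale via the named policy above
        authorization_policy: headscale
        # implicit: consent is granted without prompting the user; acceptable only for
        # first-party clients that are fully trusted
        consent_mode: implicit
        scopes:
          - openid
          - email
          - profile
        # redirect URIs are matched exactly; every callback path must be listed
        redirect_uris:
          - https://headscale.{{ env "TRAEFIK_DOMAIN" }}/oidc/callback
          - https://headscale.{{ env "TRAEFIK_DOMAIN" }}/admin/oidc/callback # headplane on same domain as headscale
          # - https://headplane.{{ env "TRAEFIK_DOMAIN" }}/admin/oidc/callback # headplane on its own domain
        # none: userinfo response is returned as plain (unsigned) JSON
        userinfo_signed_response_alg: none
      - client_id: headadmin
        client_name: headadmin
        client_secret: {{ secret "/run/secrets/CLIENT_SECRET_HEADADMIN" }}
        public: false
        # one_factor admits any user authenticated with at least one factor; unlike the
        # headscale client there is no group restriction here
        authorization_policy: one_factor
        consent_mode: implicit
        scopes:
          - openid
          - email
          - profile
        redirect_uris:
          - https://headadmin.{{ env "TRAEFIK_DOMAIN" }}/oidc_callback
        userinfo_signed_response_alg: none
      - client_id: portainer
        client_name: Portainer
        client_secret: {{ secret "/run/secrets/CLIENT_SECRET_PORTAINER" }}
        public: false
        # any authenticated user may reach Portainer's login; authorization is left to
        # Portainer's own group/team mapping (hence the `groups` scope)
        authorization_policy: one_factor
        consent_mode: implicit
        scopes:
          - openid
          - email
          - profile
          - groups
        redirect_uris:
          # exact match: the trailing slash is part of the registered URI
          - https://portainer.{{ env "TRAEFIK_DOMAIN" }}/
        userinfo_signed_response_alg: none
      - client_id: gitea
        client_name: Gitea
        client_secret: {{ secret "/run/secrets/CLIENT_SECRET_GITEA" }}
        public: false
        # any authenticated user may sign in; group-based authorization relies on Gitea
        # consuming the `groups` claim
        authorization_policy: one_factor
        consent_mode: implicit
        scopes:
          - openid
          - email
          - profile
          - groups
        redirect_uris:
          - https://git.{{ env "TRAEFIK_DOMAIN" }}/user/oauth2/authelia/callback
        userinfo_signed_response_alg: none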