From daef0cf448af17357b552245f39067a9d340ce3d Mon Sep 17 00:00:00 2001
From: Elizabeth Hunt
Date: Sun, 27 Apr 2025 21:15:30 -0700
Subject: Waow
---
 playbooks/roles/outbound/templates/headscale/config/config.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
(limited to 'playbooks/roles/outbound/templates/headscale/config')
diff --git a/playbooks/roles/outbound/templates/headscale/config/config.yaml b/playbooks/roles/outbound/templates/headscale/config/config.yaml
index 6bfbfb9..2586848 100644
--- a/playbooks/roles/outbound/templates/headscale/config/config.yaml
+++ b/playbooks/roles/outbound/templates/headscale/config/config.yaml
@@ -135,11 +135,11 @@ unix_socket_permission: "0770"
 oidc:
 only_start_if_oidc_is_available: false
- issuer: "https://{{ idm_domain }}"
+ issuer: "https://{{ idm_domain }}/oauth2/openid/headscale"
 client_id: "headscale"
 client_secret: "{{ headscale_oidc_secret }}"
- scope: ["openid", "profile", "email"]
+ scope: ["openid", "profile", "email", "groups"]
 pkce:
 # Enable or disable PKCE support (default: false)
 enabled: true
@@ -150,7 +150,8 @@ oidc:
 allowed_domains:
 - {{ domain }}
- allowed_users: {{ headscale_allowed_users }}
+ allowed_groups:
+ - vpn@{{ idm_domain }}
 strip_email_domain: true
 # Logtail configuration
-- cgit v1.2.3-70-g09d2
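Review bot: In the first hunk (`@@ -135,11 +135,11 @@`) the new `issuer` value ends in `/oauth2/openid/headscale`, so the client name now appears twice, once in the URL and once in `client_id: "headscale"`, with nothing saying the two must stay in step. OIDC discovery requires the configured issuer to equal the `iss` the provider reports, so a rename on one side or a stray trailing slash would most likely surface as a failed login flow rather than a template error. A comment above the line would help, for example `# Per-client issuer: last path segment must equal client_id; no trailing slash.` The `groups` scope added a few lines further down appears to exist only to feed `allowed_groups` in the second hunk, and a short `# needed by allowed_groups below` would make that dependency visible. The `oidc` mapping starts before and continues past this hunk.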
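Review bot: In the second hunk (`@@ -150,7 +150,8 @@`) replacing `allowed_users` with `allowed_groups` moves the per-user gate out of this repository: who may join the tailnet is now decided by membership of `vpn@{{ idm_domain }}` in the identity provider, and this file no longer names anyone. That depends on the provider emitting a `groups` claim whose entries are spelled exactly `vpn@<idm_domain>`, which cannot be confirmed from this diff. I would record the contract next to the entry, e.g. `# Must equal an entry of the token's "groups" claim verbatim; membership is managed in the IdP.` If `headscale_allowed_users` is still defined in the role's variables it is presumably dead now and could be removed, so that nobody assumes it still restricts access. The `oidc` mapping begins outside this hunk.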