authorElizabeth Hunt <elizabeth.hunt@simponic.xyz>2024-01-04 01:40:27 -0500
committerElizabeth Hunt <elizabeth.hunt@simponic.xyz>2024-01-04 01:40:27 -0500
commitfdd85fb7355d43cf185d79d1f35de9d7d647e0c5 (patch)
treefe8c902bdc774267f69a0914736e1be2695ff309 /roles/vpn
parente67eff6accda5ca38b558ebf0f799993d0f3aaee (diff)
add sso login
Diffstat (limited to 'roles/vpn')
-rw-r--r--roles/vpn/tasks/main.yml14
-rw-r--r--roles/vpn/templates/config.yml.j2 (renamed from roles/vpn/files/config/config.yml)84
2 files changed, 46 insertions, 52 deletions
diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
index 6ad0c57..60963f1 100644
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@@ -23,6 +23,14 @@
group: root
mode: u=rw,g=r,o=r
+- name: build headscale config template
+ template:
+ src: ../templates/config.yml.j2
+ dest: /etc/docker/compose/headscale/config.yml
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+
- name: ensure headscale data volume exist
file:
path: /etc/docker/compose/headscale/data
@@ -31,12 +39,6 @@
group: root
mode: 0700
-- name: ensure headscale users
- shell: |
- docker exec headscale headscale user create "{{ item }}"
- with_items:
- - "{{ headscale_users }}"
-
- name: daemon-reload and enable headscale
ansible.builtin.systemd_service:
state: restarted
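Review bot: The file written by the new template task (L26–L32) now embeds `{{ headscale_oidc_secret }}` (see the templates/config.yml.j2 hunk), yet `mode: u=rw,g=r,o=r` at L32 leaves /etc/docker/compose/headscale/config.yml readable by every local account; tighten it to `mode: u=rw,g=,o=` (or `mode: "0600"`) so the OIDC client secret is readable only by root, and if the headscale container reads the file as a non-root user, chown it to that user rather than widening the mode. Minor style point: the template module resolves `src` relative to the role's templates/ directory, so `src: config.yml.j2` is the conventional form of `src: ../templates/config.yml.j2` at L28. The task directly above the first hunk carries the same owner/group/mode lines and its header is outside the hunk — if it still copies the old roles/vpn/files/config path that this commit renames, it needs updating or removing as well; worth checking.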
diff --git a/roles/vpn/files/config/config.yml b/roles/vpn/templates/config.yml.j2
index 3942feb..926a84f 100644
--- a/roles/vpn/files/config/config.yml
+++ b/roles/vpn/templates/config.yml.j2
@@ -234,52 +234,44 @@ unix_socket_permission: "0770"
# it is still being tested and might have some bugs, please
# help us test it.
# OpenID Connect
-# oidc:
-# only_start_if_oidc_is_available: true
-# issuer: "https://your-oidc.issuer.com/path"
-# client_id: "your-oidc-client-id"
-# client_secret: "your-oidc-client-secret"
-# # Alternatively, set `client_secret_path` to read the secret from the file.
-# # It resolves environment variables, making integration to systemd's
-# # `LoadCredential` straightforward:
-# client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
-# # client_secret and client_secret_path are mutually exclusive.
-#
-# # The amount of time from a node is authenticated with OpenID until it
-# # expires and needs to reauthenticate.
-# # Setting the value to "0" will mean no expiry.
-# expiry: 180d
-#
-# # Use the expiry from the token received from OpenID when the user logged
-# # in, this will typically lead to frequent need to reauthenticate and should
-# # only been enabled if you know what you are doing.
-# # Note: enabling this will cause `oidc.expiry` to be ignored.
-# use_expiry_from_token: false
-#
-# # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
-# # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
-#
-# scope: ["openid", "profile", "email", "custom"]
-# extra_params:
-# domain_hint: example.com
-#
-# # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
-# # authentication request will be rejected.
-#
-# allowed_domains:
-# - example.com
-# # Note: Groups from keycloak have a leading '/'
-# allowed_groups:
-# - /headscale
-# allowed_users:
-# - alice@example.com
-#
-# # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
-# # This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
-# # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
-# user: `first-name.last-name.example.com`
-#
-# strip_email_domain: true
+oidc:
+ # Block further startup until the OIDC provider is healthy and available
+ only_start_if_oidc_is_available: true
+ # Specified by your OIDC provider
+ issuer: "https://authelia.simponic.xyz"
+ # Specified/generated by your OIDC provider
+ client_id: "simponicheadscale"
+ client_secret: "{{ headscale_oidc_secret }}"
+ # alternatively, set `client_secret_path` to read the secret from the file.
+ # It resolves environment variables, making integration to systemd's
+ # `LoadCredential` straightforward:
+ #client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
+
+ # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
+ # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
+ scope: ["openid", "profile", "email"]
+ # Optional: Passed on to the browser login request – used to tweak behaviour for the OIDC provider
+ extra_params:
+ domain_hint: simponic.xyz
+
+ # Optional: List allowed principal domains and/or users. If an authenticated user's domain is not in this list,
+ # the authentication request will be rejected.
+ allowed_domains:
+ - simponic.xyz
+ # Optional. Note that groups from Keycloak have a leading '/'.
+ # allowed_groups:
+ # - /admins
+ # - admins
+ # - people
+ # Optional.
+ allowed_users:
+ - "{{ headscale_allowed_users }}"
+
+ # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
+ # This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
+ # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
+ # user: `first-name.last-name.example.com`
+ strip_email_domain: true
# Logtail configuration
# Logtail is Tailscales logging and auditing infrastructure, it allows the control panel
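Review bot: `allowed_users:` / `- "{{ headscale_allowed_users }}"` at L133–L134 renders the variable as a single quoted scalar, so if `headscale_allowed_users` is a list (as its plural name and the removed `with_items` loop over `headscale_users` suggest) the allow-list becomes one entry holding the list's Python repr and would match no real user — unlike Ansible's `with_items`, a Jinja template does not flatten a list into separate items. Emit one entry per user instead: `{% for user in headscale_allowed_users %}` / `    - "{{ user }}"` / `{% endfor %}`, keeping each rendered entry quoted, and consider parsing the rendered file in CI so a malformed allow-list is caught before it reaches the server. The quoted `client_secret: "{{ headscale_oidc_secret }}"` at L110 is a single scalar and is not affected by this.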