author | Daniel Olsen <daniel.olsen99@gmail.com> | 2023-02-27 15:13:29 +0100 |
committer | Daniel Olsen <daniel.olsen99@gmail.com> | 2023-02-27 15:17:16 +0100 |
commit | ea31ef91afc7997264ceeb8736fea6e5429d677a (patch) | |
tree | 31c3f31050d3c7ccd8a3e9c637e5a2719a1bcc02 /nixos | |
parent | 572d4f4ce780e4b4e0728c6c4121281f86fe28dd (diff) |
nixos/headscale: update oidc options
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/networking/headscale.nix | 49 |
1 files changed, 43 insertions, 6 deletions
diff --git a/nixos/modules/services/networking/headscale.nix b/nixos/modules/services/networking/headscale.nix
index cc46819eed5a6..390a448ab5842 100644
--- a/nixos/modules/services/networking/headscale.nix
+++ b/nixos/modules/services/networking/headscale.nix
@@ -299,17 +299,51 @@ in {
 '';
 };
- domain_map = mkOption {
+ scope = mkOption {
+ type = types.listOf types.str;
+ default = ["openid" "profile" "email"];
+ description = lib.mdDoc ''
+ Scopes used in the OIDC flow.
+ '';
+ };
+
+ extra_params = mkOption {
 type = types.attrsOf types.str;
- default = {};
+ default = { };
 description = lib.mdDoc ''
- Domain map is used to map incomming users (by their email) to
- a namespace. The key can be a string, or regex.
+ Custom query parameters to send with the Authorize Endpoint request.
 '';
 example = {
- ".*" = "default-namespace";
+ domain_hint = "example.com";
 };
 };
+
+ allowed_domains = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ description = lib.mdDoc ''
+ Allowed principal domains. if an authenticated user's domain
+ is not in this list authentication request will be rejected.
+ '';
+ example = [ "example.com" ];
+ };
+
+ allowed_users = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ description = lib.mdDoc ''
+ Users allowed to authenticate even if not in allowedDomains.
+ '';
+ example = [ "alice@example.com" ];
+ };
+
+ strip_email_domain = mkOption {
+ type = types.bool;
+ default = true;
+ description = lib.mdDoc ''
+ Whether the domain part of the email address should be removed when generating namespaces.
+ '';
+ };
 };
 tls_letsencrypt_hostname = mkOption {
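Review bot: The `allowed_users` description says `even if not in allowedDomains`, but the sibling option declared just above it is `allowed_domains`, so the text should read `Users allowed to authenticate even if not in allowed_domains.`. The `allowed_domains` description has a stray lowercase `if` and a missing article; `If an authenticated user's domain is not in this list, the authentication request will be rejected.` reads correctly, and it would help to state what the empty default list means, since that is not visible here. For `strip_email_domain`, the default of `true` presumably makes emails that differ only in their domain part land in the same namespace; a sentence such as `With this enabled, users from different domains with the same local part share a namespace, so consider restricting allowed_domains.` would let operators weigh the default. As a point of style, the `scope` default is written `["openid" "profile" "email"]` while the other new defaults use the spaced `[ ]`/`{ }` form.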
@@ -392,13 +426,16 @@ in {
 (mkRenamedOptionModule ["services" "headscale" "openIdConnect" "issuer"] ["services" "headscale" "settings" "oidc" "issuer"])
 (mkRenamedOptionModule ["services" "headscale" "openIdConnect" "clientId"] ["services" "headscale" "settings" "oidc" "client_id"])
 (mkRenamedOptionModule ["services" "headscale" "openIdConnect" "clientSecretFile"] ["services" "headscale" "settings" "oidc" "client_secret_file"])
- (mkRenamedOptionModule ["services" "headscale" "openIdConnect" "domainMap"] ["services" "headscale" "settings" "oidc" "domain_map"])
 (mkRenamedOptionModule ["services" "headscale" "tls" "letsencrypt" "hostname"] ["services" "headscale" "settings" "tls_letsencrypt_hostname"])
 (mkRenamedOptionModule ["services" "headscale" "tls" "letsencrypt" "challengeType"] ["services" "headscale" "settings" "tls_letsencrypt_challenge_type"])
 (mkRenamedOptionModule ["services" "headscale" "tls" "letsencrypt" "httpListen"] ["services" "headscale" "settings" "tls_letsencrypt_listen"])
 (mkRenamedOptionModule ["services" "headscale" "tls" "certFile"] ["services" "headscale" "settings" "tls_cert_path"])
 (mkRenamedOptionModule ["services" "headscale" "tls" "keyFile"] ["services" "headscale" "settings" "tls_key_path"])
 (mkRenamedOptionModule ["services" "headscale" "aclPolicyFile"] ["services" "headscale" "settings" "acl_policy_path"])
+
+ (mkRemovedOptionModule ["services" "headscale" "openIdConnect" "domainMap"] ''
+ Headscale no longer uses domain_map. If you're using an old version of headscale you can still set this option via services.headscale.settings.oidc.domain_map.
+ '')
 ];
 config = mkIf cfg.enable {
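Review bot: The removal message tells users they can still set `services.headscale.settings.oidc.domain_map` on older headscale versions, but the first hunk of this commit also drops the only declaration of that key, so the advice only holds if `settings` accepts undeclared attributes, which is not visible in this hunk and is worth confirming before pointing people at it. If it does, the message could say so and name the release that dropped the setting, e.g. `domain_map was removed from headscale in [VERSION-PLACEHOLDER]; on older versions it can still be set as a freeform key under services.headscale.settings.oidc.domain_map.`. The enclosing `imports` list starts before this hunk.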