charts: headscale oidc
diff --git a/charts/headscale/templates/config.yaml b/charts/headscale/templates/config.yaml
index 88ca0de..f4de425 100644
--- a/charts/headscale/templates/config.yaml
+++ b/charts/headscale/templates/config.yaml
@@ -263,36 +263,21 @@
     # it is still being tested and might have some bugs, please
     # help us test it.
     # OpenID Connect
-    # oidc:
-    #   only_start_if_oidc_is_available: true
-    #   issuer: "https://your-oidc.issuer.com/path"
-    #   client_id: "your-oidc-client-id"
-    #   client_secret: "your-oidc-client-secret"
-    #
-    #   Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
-    #   parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
-    #
-    #   scope: ["openid", "profile", "email", "custom"]
-    #   extra_params:
-    #     domain_hint: example.com
-    #
-    #   List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
-    #   authentication request will be rejected.
-    #
-    #   allowed_domains:
-    #     - example.com
-    # Groups from keycloak have a leading '/'
-    #   allowed_groups:
-    #     - /headscale
-    #   allowed_users:
-    #     - alice@example.com
-    #
-    #   If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
-    #   This will transform `first-name.last-name@example.com` to the namespace `first-name.last-name`
-    #   If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
-    #   namespace: `first-name.last-name.example.com`
-    #
-    #   strip_email_domain: true
+    oidc:
+      only_start_if_oidc_is_available: false
+      issuer: {{ .Values.oauth2.hydraPublic }}
+      client_id: {{ .Values.oauth2.clientId }}
+      client_secret: {{ $secret }}
+      scope: ["openid", "profile", "email"]
+      extra_params:
+        domain_hint: lekva.me
+      allowed_domains:
+        - lekva.me
+      # allowed_groups:
+      #   - /headscale
+      # allowed_users:
+      #   - alice@example.com
+      strip_email_domain: true
 
     # Logtail configuration
     # Logtail is Tailscales logging and auditing infrastructure, it allows the control panel
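Review bot: The three templated scalars on the new side (`issuer`, `client_id`, `client_secret`) are rendered unquoted, so the YAML type of each depends on whatever the value expands to: an empty expansion becomes `null`, an all-digit client id becomes an int, and a secret containing `: `, ` #`, or a leading `*`/`&`/`{` either breaks the parse or is silently truncated. Pipe each through `quote` so the rendered config is always a string: `issuer: {{ .Values.oauth2.hydraPublic | quote }}`, `client_id: {{ .Values.oauth2.clientId | quote }}`, `client_secret: {{ $secret | quote }}`. `$secret` is defined outside this hunk, so I cannot see whether it is already quoted or where it is sourced from; if the rendered config lands in a ConfigMap rather than a Secret, the client secret would be readable by anyone who can read that ConfigMap, which is worth confirming. The switch from the example's `only_start_if_oidc_is_available: true` to `false` presumably lets headscale come up when the issuer is unreachable; if that is intentional, a one-line comment stating why would save the next reader from treating it as a misconfiguration.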