diff --git a/flake.nix b/flake.nix
index 9a9b537..4234e3b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -62,6 +62,7 @@
 age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age;
 age.secrets.zfs-passphrase-vno1-oh2.file = ./secrets/vno1-oh2/zfs-passphrase.age;
+ age.secrets.headscale-client-oidc.file = ./secrets/hel1-a/headscale/oidc_client_secret2.age;
 age.secrets.borgbackup-password.file = ./secrets/hel1-a/borgbackup/password.age;
 age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
 age.secrets.synapse-jakstys-signing-key.file = ./secrets/hel1-a/synapse/jakstys_lt_signing_key.age;
diff --git a/hosts/hel1-a/configuration.nix b/hosts/hel1-a/configuration.nix
index 1148662..e0bb94e 100644
--- a/hosts/hel1-a/configuration.nix
+++ b/hosts/hel1-a/configuration.nix
@@ -158,8 +158,10 @@
 };
 oidc = {
 issuer = "https://git.jakstys.lt/";
- client_id = "1c5fe796-452c-458d-b295-71a9967642fc";
- client_secret_path = "/var/lib/headscale/oidc_client_secret"; # TODO move to secrets
+ client_id = "e25c15ea-41ca-4bf0-9ebf-2be9f2d1ccea";
+ # TODO https://github.com/NixOS/nixpkgs/pull/249101/files
+ #client_secret_path = "\${CREDENTIALS_DIRECTORY}/oidc-client-secret";
+ client_secret_path = "/run/credentials/headscale.service/oidc-client-secret";
 };
 };
 };
@@ -402,6 +404,9 @@
 # is higher.
 unitConfig.StartLimitBurst = 50;
 serviceConfig.RestartSec = 1;
+ serviceConfig.LoadCredential = [
+ "oidc-client-secret:${config.age.secrets.headscale-client-oidc.path}"
+ ];
 };
 matrix-synapse = let
diff --git a/secrets/hel1-a/headscale/oidc_client_secret2.age b/secrets/hel1-a/headscale/oidc_client_secret2.age
index 57f0ed7..5fb2ba1 100644
--- a/secrets/hel1-a/headscale/oidc_client_secret2.age
+++ b/secrets/hel1-a/headscale/oidc_client_secret2.age
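Review bot: Rotating the client id and dropping `/var/lib/headscale/oidc_client_secret` from the config leaves the old secret file and the old OIDC client (`1c5fe796-…`) in place, since NixOS does not remove state under /var/lib and the issuer is not touched by this commit; delete that file on the host and revoke the old client at the issuer so the retired credential cannot be reused. The hardcoded `/run/credentials/headscale.service/oidc-client-secret` is correct only while the unit keeps the name `headscale.service`; the commented `${CREDENTIALS_DIRECTORY}` form is the portable one, and the TODO would be more useful if it said what blocks it, e.g. `# TODO: switch to "\${CREDENTIALS_DIRECTORY}/oidc-client-secret" once headscale / the NixOS module expands it (nixpkgs#249101)`. Whether the deployed headscale expands environment variables in client_secret_path is not visible here and has to be checked before that switch. The enclosing `oidc` block is complete in the hunk, but the settings attribute set it belongs to starts before it.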
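Review bot: `LoadCredential` copies the secret into the unit's credentials directory only at service start, so a later re-encryption of `secrets/hel1-a/headscale/oidc_client_secret2.age` will refresh the agenix output at activation while the running headscale keeps the old secret until the unit is restarted; nothing in this hunk ties the unit to the secret. Adding `restartTriggers = [ config.age.secrets.headscale-client-oidc.file ];` next to the `LoadCredential` entry makes a rotation restart the service automatically. Because systemd reads the source file as root when loading the credential, the agenix secret can keep its default root-only mode and needs no `owner` override, which the flake.nix hunk indeed does not set. The `systemd.services.headscale` block this hunk modifies starts before the hunk.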
@@ -1,13 +1,14 @@ age-encryption.org/v1 --> ssh-ed25519 vDjOfg jz7H8dAXkaJmMtiU0pZqbbAyH8ls1rp/EXB4uK+sy3Y -kjuwJfVg487SwSoacVJ+gCW+A2xdrVSK68KMAlu7xnU --> X25519 QWggCwIAPPXvQujRNbFVJByU2E6715tGfMHWQ8c3xhY -MEhNJuYeOfoGr0B1oTzBXplq5oTGz6CKuSt2McSZTpw --> piv-p256 +y2G/w A8QLUewPleBm7W05T1LODNvHxdUIjgVmOuyqiljmyH7M -C1Ug1YcN0mcCcgMsXIq5mZkNNP8d7FCw8oAQOivHoWE --> piv-p256 jNqd3A AxZ7nMY31GeVSnFjRklcxrWA2wFJgj3ndDM+0aof7XG0 -BQl4VBR/5Elo+b4gtTtqiOtpmfbh0BhZnXI9nphcmiI --> >Y-grease X4W[ "h W@8'&0 -db5asa9gnAIJyUFnRA ---- qw4PzG5ZRzpKRQlHYwKnGoqYNiRk3YNjEeKGz6rSh0I -LYmWb~ɖ0>4i,X'2lΩ$خ"V0![IfZZՎD*EuM_Jꪊ \ No newline at end of file +-> ssh-ed25519 vDjOfg sAjhspks5Q/qv3Fl4AbdbDyEL29obLgpCPtW2WuQo1U +JsB1x798R/e0pG95tZdQ1Z9kLsGLkfyx7XZNOGlvA3k +-> X25519 ygp9KuSaJuBxrCIwj1GN3lJOpIer0i+r4h7CpzyyfjA +gLtz+fz6IeGk8jVmtp7hfltKW0Udx6qQut7BVEhCM+s +-> piv-p256 +y2G/w AinLJm4uMiDT5M5a6qPeRY2SN5p7t2IIHoYoWKW0G3ch +omsNwBxcE6tl5HVVK08t9BijPizfa89wHZTwjgMiFpY +-> piv-p256 jNqd3A AzMvos7g+Eir5nMP1jln4pOaqzRsu3r5n7RYcUBylY/R +UwCFQeu2zsx8T0f0ewpbqazWW4wVZCFNNACkabwpeIQ +-> *i-grease +FumYnZkzriGEw3nsGS99JWeU5bw/msa3SfAPBxm4BQva4Q +--- ciKXMioSP8Jm6BpLFcx3zjvRgK232dt+GZ6k0ZzBEtE +S{ ǝc-ƶ9x@?ftFq#꟒8gtS+sr=9]sָK-Mު!(B7_o-OG +2 \ No newline at end of file