headscale: use a different oidc key

This commit is contained in:
2023-08-14 12:58:19 +03:00
parent 83cc04f545
commit 1d95ecf211
3 changed files with 21 additions and 14 deletions


@@ -62,6 +62,7 @@
age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age; age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age;
age.secrets.zfs-passphrase-vno1-oh2.file = ./secrets/vno1-oh2/zfs-passphrase.age; age.secrets.zfs-passphrase-vno1-oh2.file = ./secrets/vno1-oh2/zfs-passphrase.age;
age.secrets.headscale-client-oidc.file = ./secrets/hel1-a/headscale/oidc_client_secret2.age;
age.secrets.borgbackup-password.file = ./secrets/hel1-a/borgbackup/password.age; age.secrets.borgbackup-password.file = ./secrets/hel1-a/borgbackup/password.age;
age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age; age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
age.secrets.synapse-jakstys-signing-key.file = ./secrets/hel1-a/synapse/jakstys_lt_signing_key.age; age.secrets.synapse-jakstys-signing-key.file = ./secrets/hel1-a/synapse/jakstys_lt_signing_key.age;


@@ -158,8 +158,10 @@
}; };
oidc = { oidc = {
issuer = "https://git.jakstys.lt/"; issuer = "https://git.jakstys.lt/";
client_id = "1c5fe796-452c-458d-b295-71a9967642fc"; client_id = "e25c15ea-41ca-4bf0-9ebf-2be9f2d1ccea";
client_secret_path = "/var/lib/headscale/oidc_client_secret"; # TODO move to secrets # TODO https://github.com/NixOS/nixpkgs/pull/249101/files
#client_secret_path = "\${CREDENTIALS_DIRECTORY}/oidc-client-secret";
client_secret_path = "/run/credentials/headscale.service/oidc-client-secret";
}; };
}; };
}; };
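Review bot: Changing the client_id and moving the secret into the systemd credentials directory leaves the previous plaintext secret at `/var/lib/headscale/oidc_client_secret` on the host and, presumably, the old client `1c5fe796-452c-458d-b295-71a9967642fc` still registered at the issuer `https://git.jakstys.lt/`; neither is addressed in this hunk. The rotation is only complete once the old OAuth application is deleted at the issuer and the stale file is removed, e.g. `systemd.tmpfiles.rules = [ "r /var/lib/headscale/oidc_client_secret" ];` beside the headscale service definition. The hard-coded `/run/credentials/headscale.service/oidc-client-secret` is tied to the unit name and must stay in sync with the `LoadCredential` entry added in the second hunk of this file; since the commented-out `${CREDENTIALS_DIRECTORY}` form suggests headscale does not expand that variable from its rendered config file, a comment such as `# hard-coded: headscale reads this path from its config file, not the environment; keep in sync with serviceConfig.LoadCredential` would explain why the literal path is used. The enclosing `settings` attribute set starts before this hunk.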
@@ -402,6 +404,9 @@
# is higher. # is higher.
unitConfig.StartLimitBurst = 50; unitConfig.StartLimitBurst = 50;
serviceConfig.RestartSec = 1; serviceConfig.RestartSec = 1;
serviceConfig.LoadCredential = [
"oidc-client-secret:${config.age.secrets.headscale-client-oidc.path}"
];
}; };
matrix-synapse = let matrix-synapse = let


@@ -1,13 +1,14 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 vDjOfg jz7H8dAXkaJmMtiU0pZqbbAyH8ls1rp/EXB4uK+sy3Y -> ssh-ed25519 vDjOfg sAjhspks5Q/qv3Fl4AbdbDyEL29obLgpCPtW2WuQo1U
kjuwJfVg487SwSoacVJ+gCW+A2xdrVSK68KMAlu7xnU JsB1x798R/e0pG95tZdQ1Z9kLsGLkfyx7XZNOGlvA3k
-> X25519 QWggCwIAPPXvQujRNbFVJByU2E6715tGfMHWQ8c3xhY -> X25519 ygp9KuSaJuBxrCIwj1GN3lJOpIer0i+r4h7CpzyyfjA
MEhNJuYeOfoGr0B1oTzBXplq5oTGz6CKuSt2McSZTpw gLtz+fz6IeGk8jVmtp7hfltKW0Udx6qQut7BVEhCM+s
-> piv-p256 +y2G/w A8QLUewPleBm7W05T1LODNvHxdUIjgVmOuyqiljmyH7M -> piv-p256 +y2G/w AinLJm4uMiDT5M5a6qPeRY2SN5p7t2IIHoYoWKW0G3ch
C1Ug1YcN0mcCcgMsXIq5mZkNNP8d7FCw8oAQOivHoWE omsNwBxcE6tl5HVVK08t9BijPizfa89wHZTwjgMiFpY
-> piv-p256 jNqd3A AxZ7nMY31GeVSnFjRklcxrWA2wFJgj3ndDM+0aof7XG0 -> piv-p256 jNqd3A AzMvos7g+Eir5nMP1jln4pOaqzRsu3r5n7RYcUBylY/R
BQl4VBR/5Elo+b4gtTtqiOtpmfbh0BhZnXI9nphcmiI UwCFQeu2zsx8T0f0ewpbqazWW4wVZCFNNACkabwpeIQ
-> >Y-grease X4W[ "h W@8'&0 -> *i-grease
db5asa9gnAIJyUFnRA FumYnZkzriGEw3nsGS99JWeU5bw/msa3SfAPBxm4BQva4Q
--- qw4PzG5ZRzpKRQlHYwKnGoqYNiRk3YNjEeKGz6rSh0I --- ciKXMioSP8Jm6BpLFcx3zjvRgK232dt+GZ6k0ZzBEtE
LYmWb~ɖ<>0<EFBFBD><30><EFBFBD><EFBFBD>><3E><><EFBFBD><EFBFBD><EFBFBD>4<EFBFBD><34><EFBFBD><EFBFBD>i<EFBFBD>,X<><14>'<27>2<EFBFBD><32><6C>$<24>خ"V<>0!<21><><EFBFBD><EFBFBD>[<5B>If<49><66><EFBFBD>ZZՎ<5A>D*E<45><7F>u<EFBFBD><75>M<EFBFBD><06>_Jꪊ <EFBFBD>S{ ǝ<>c-<2D><>ƶ<EFBFBD>9<EFBFBD><39><EFBFBD>x<19>@?f<>tF<03><>q#꟒8gtS+sr=<3D>9]<5D><>K<11><>-M<><4D><EFBFBD>ު!(<28><1E><>B<EFBFBD><42>7_o-OG
<EFBFBD><EFBFBD>2