[Bug] Issues with OIDC, Authelia and Nix Agenix together #726

Closed
opened 2025-12-29 02:22:58 +01:00 by adam · 5 comments

Originally created by @font44 on GitHub (Jun 6, 2024).

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

OIDC authentication should succeed.

Expected Behavior

OIDC authentication fails.

Steps To Reproduce

Setup:

  • I am running Headscale through NixOS on a publicly available VM.
  • Use Agenix (https://github.com/ryantm/agenix) to encrypt the OIDC client secret.
  • OIDC provider is Authelia.

This is the relevant Nix flake snippet:

  age.secrets.tailscaleOidcClientSecret = {
    file = ../secrets/tailscale-oidc-client-secret.age;
    owner = config.services.headscale.user;
  };

  services = {
    headscale = {
      # Check /etc/headscale/config.yaml file to inspect the Nix-generated configuration.
      enable = true;
      port = ...;

      settings = {
        server_url = "https://headscale.foo.com";

        oidc = {
          issuer = "https://authelia.foo.com";
          client_id = "headscale-1";
          strip_email_domain = false;
          
          client_secret = "foo"; # Works fine.
          # client_secret_path = config.age.secrets.tailscaleOidcClientSecret.path; # Doesn't work.
        };
      };
    };
  };

Here, if I specify the OIDC secret via client_secret, OIDC authentication succeeds. But it doesn't if I use client_secret_path. (On the Authelia side, it seems like Headscale is passing an empty client-secret.)

However, I see that Nix created the /etc/headscale/config.yaml file as expected:

oidc:
  client_id: headscale-1
  client_secret_path: /run/agenix/tailscaleOidcClientSecret

I also verified that /run/agenix/tailscaleOidcClientSecret has the same secret as the one that I supplied in client_secret.

Environment

- OS: NixOS.
- Headscale version: v0.22.3
- Tailscale version: Latest on Android.

Runtime environment

  • [x] Headscale is behind a (reverse) proxy
  • [ ] Headscale runs in a container

Anything else?

No response
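The symptom above (an empty client secret reaching Authelia when `client_secret_path` is used) is what a file-backed secret loader must rule out. As an added example that is not Headscale's own code, the following Go function resolves the secret from a hypothetical `OIDCConfig` type (mirroring the two config keys in the report), prefers the path when one is set, strips a trailing newline such as a secret tool or editor may leave, and refuses to continue with an empty secret rather than sending one to the provider:

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// OIDCConfig holds the two ways config.yaml can carry the client secret.
// Hypothetical type for this example, not Headscale's own config struct.
type OIDCConfig struct {
	ClientSecret     string // oidc.client_secret
	ClientSecretPath string // oidc.client_secret_path
}

var ErrEmptySecret = errors.New("oidc client secret resolved to an empty string")

// ResolveClientSecret returns the secret the OIDC client must present.
// A configured client_secret_path takes precedence and is read at startup;
// trailing CR/LF bytes (left by editors and secret-management tools) are
// stripped, and an empty result is rejected so that an empty secret is
// never sent to the identity provider.
func ResolveClientSecret(cfg OIDCConfig) (string, error) {
	secret := cfg.ClientSecret
	if cfg.ClientSecretPath != "" {
		raw, err := os.ReadFile(cfg.ClientSecretPath)
		if err != nil {
			return "", fmt.Errorf("reading client_secret_path %q: %w", cfg.ClientSecretPath, err)
		}
		secret = strings.TrimRight(string(raw), "\r\n")
	}
	if secret == "" {
		return "", ErrEmptySecret
	}
	return secret, nil
}

func main() {
	// Constructed sample: a secret file written with a trailing newline.
	f, err := os.CreateTemp("", "oidc-secret-*")
	if err != nil {
		panic(err)
	}
	defer os.Remove(f.Name())
	f.WriteString("foo\n")
	f.Close()

	got, err := ResolveClientSecret(OIDCConfig{ClientSecretPath: f.Name()})
	fmt.Printf("secret=%q err=%v\n", got, err) // secret="foo" err=<nil>
}
```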

adam added the bug label 2025-12-29 02:22:58 +01:00
adam closed this issue 2025-12-29 02:22:59 +01:00

@ohdearaugustin commented on GitHub (Jun 6, 2024):

This seems to be a really specific problem with Agenix and Authelia.

I think this is a bit out of the scope for headscale, as it is an external dependency.


@kradalby commented on GitHub (Jun 8, 2024):

Hi, I just set this up for one of my environments with the same setup as you, and I did not have any issues with this. In any case, it's quite external to Headscale as this is the server/oidc/config env and there is little we can do about it.


@adamcstephens commented on GitHub (Jun 10, 2024):

I was running into this same problem on NixOS with kanidm, and solved it by backporting https://github.com/juanfont/headscale/pull/1697 to 0.22.3. I triple checked my secret file was being created without a trailing newline, but it didn't seem to matter.


@font44 commented on GitHub (Jun 11, 2024):

@adamcstephens Could you share your code snippet on how you backported? (I am still new to Nix.)


@phanirithvij commented on GitHub (Jun 11, 2024):

I think you can wait for the above linked nixpkgs PR to land in unstable if you are using unstable, or you can set up an overlay with the same code from that.


Reference: starred/headscale#726