chore: updates docs

Author: jsiebens

mkdocs/docs/configuration/auth-oidc.md

@@ -0,0 +1,191 @@
+# Configuring authentication with OIDC
+
+While ionscale can operate without an OIDC (OpenID Connect) provider using only static keys, configuring an OIDC provider is highly recommended for enhanced security, user management, and a smoother administrative experience.
+
+## Why configure an OIDC provider?
+
+Without an OIDC provider, ionscale operates in a key-only mode:
+
+- System administrators can only use the system admin key for administrative tasks
+- Tailscale devices can only connect using [tags](https://tailscale.com/kb/1068/tags) and [pre-authentication keys](https://tailscale.com/kb/1085/auth-keys)
+- No user accounts or user-specific permissions are available
+
+With an OIDC provider configured:
+
+- Users can authenticate using their existing identity provider credentials
+- Administrators can assign specific permissions to users
+- System administration can be delegated to specific users
+- Fine-grained access control based on user identity becomes possible
+- More seamless user experience with browser-based authentication
+
+## Supported OIDC providers
+
+ionscale supports any standard OIDC provider, including:
+
+- Google Workspace
+- Auth0
+- Okta
+- Azure AD / Microsoft Entra ID
+- Keycloak
+- GitLab
+- GitHub (OAuth 2.0 with OIDC extensions)
+- And many others
+
+## Basic OIDC configuration
+
+To configure an OIDC provider, update your ionscale configuration file (`config.yaml`) with the following settings:
+
+```yaml
+auth:
+  provider:
+    # OIDC issuer URL where ionscale can find the OpenID Provider Configuration Document
+    issuer: "https://your-oidc-provider.com"
+    # OIDC client ID and secret
+    client_id: "your-client-id"
+    client_secret: "your-client-secret"
+    # Optional: additional OIDC scopes used in the OIDC flow
+    additional_scopes: "groups"
+```
+
+### Required configuration fields
+
+- `issuer`: The URL to your OIDC provider's issuer. This URL is used to discover your provider's endpoints.
+- `client_id`: The client ID from your OIDC provider application registration.
+- `client_secret`: The client secret from your OIDC provider application registration.
+
+### Optional configuration
+
+- `additional_scopes`: A space-separated list of additional OAuth scopes to request during authentication.
+  By default, ionscale requests the `openid`, `email`, and `profile` scopes.
+
+## Configuring your OIDC provider
+
+When registering ionscale with your OIDC provider, you'll need to configure the following:
+
+**Redirect URI**: Set to `https://your-ionscale-domain.com/auth/callback`
+
+## System administrator access
+
+With OIDC configured, you'll want to specify which users have system administrator privileges.
+This is done in the `auth.system_admins` section of your configuration:
+
+```yaml
+auth:
+  # Configuration from previous section...
+
+  system_admins:
+    # By email address
+    emails:
+      - "admin@example.com"
+      - "secadmin@example.com"
+    
+    # By subject identifier (sub claim from OIDC)
+    subs:
+      - "user|123456"
+    
+    # By attribute expression (using BEXPR syntax)
+    filters:
+      - "token.groups contains \"admin\""
+      - "domain == \"admin.example.com\""
+```
+
+You can use one or more of these methods to designate system administrators:
+
+1. **By Email**: List specific email addresses that should have admin privileges.
+2. **By Subject ID**: List specific user IDs (the `sub` claim from your OIDC provider).
+3. **By Expression**: Use BEXPR filters to determine admin status based on token claims.
+
+## OIDC authentication flow
+
+When a user attempts to authenticate with ionscale:
+
+1. The user is redirected to the OIDC provider's login page.
+2. After successful authentication, the user is redirected back to ionscale.
+3. ionscale verifies the authentication and checks if:
+   - The user is a system administrator (based on the `system_admins` configuration).
+   - The user has access to any tailnets (based on IAM policies configured for individual tailnets).
+
+## Provider-specific setup instructions
+
+### Google
+
+1. Go to the [Google Cloud Console](https://console.cloud.google.com/).
+2. Create a new project or select an existing one.
+3. Navigate to "APIs & Services" > "Credentials".
+4. Click "Create Credentials" > "OAuth client ID".
+5. Select "Web application" as the application type.
+6. Add `https://your-ionscale-domain.com/auth/callback` as an authorized redirect URI.
+7. Copy the client ID and client secret.
+
+Configure ionscale:
+```yaml
+auth:
+  provider:
+    issuer: "https://accounts.google.com"
+    client_id: "your-client-id.apps.googleusercontent.com"
+    client_secret: "your-client-secret"
+```
+
+### Auth0
+
+1. Go to the [Auth0 Dashboard](https://manage.auth0.com/).
+2. Create a new application or select an existing one of type "Regular Web Application".
+3. Under "Settings", configure:
+   - Allowed Callback URLs: `https://your-ionscale-domain.com/auth/callback`
+4. Copy the Domain, Client ID, and Client Secret.
+
+Configure ionscale:
+```yaml
+auth:
+  provider:
+    issuer: "https://your-tenant.auth0.com/"
+    client_id: "your-client-id"
+    client_secret: "your-client-secret"
+```
+
+### Microsoft Azure AD / Entra ID
+
+1. Go to the [Azure Portal](https://portal.azure.com/).
+2. Navigate to "Azure Active Directory" > "App registrations".
+3. Create a new registration.
+4. Add `https://your-ionscale-domain.com/auth/callback` as a redirect URI of type "Web".
+5. Under "Certificates & secrets", create a new client secret.
+6. Copy the Application (client) ID and the new secret.
+
+Configure ionscale:
+```yaml
+auth:
+  provider:
+    issuer: "https://login.microsoftonline.com/your-tenant-id/v2.0"
+    client_id: "your-client-id"
+    client_secret: "your-client-secret"
+    additional_scopes: "offline_access"
+```
+
+## Complete configuration example
+
+```yaml
+auth:
+  provider:
+    issuer: "https://accounts.google.com"
+    client_id: "your-client-id.apps.googleusercontent.com"
+    client_secret: "your-client-secret"
+    additional_scopes: "groups"
+  
+  system_admins:
+    emails:
+      - "admin@example.com"
+    filters:
+      - "domain == \"example.com\" && token.groups contains \"admin\""
+```
+
+## OIDC without system admin
+
+If you've configured OIDC but no system administrators, you can still use the system admin key from your initial setup for administrative tasks:
+
+```bash
+export IONSCALE_URL="https://your-ionscale-domain.com"
+export IONSCALE_KEY="your-system-admin-key"
+ionscale tailnet list
+```
+

mkdocs/docs/configuration/dns-providers.md

@@ -0,0 +1,176 @@
+# Configuring DNS providers
+
+ionscale supports integration with various DNS providers to enable Tailscale's HTTPS certificate functionality. When a DNS provider is properly configured, ionscale can automatically manage TXT records required for the DNS-01 challenge when requesting certificates.
+
+## Why configure a DNS provider
+
+While not strictly required for basic ionscale operation, configuring a DNS provider enables important Tailscale features:
+
+1. **Tailscale HTTPS Certificates**: Allows nodes to receive valid HTTPS certificates for their Tailscale hostnames, enabling secure web services within your tailnet.
+2. **Tailscale Serve**: Supports the `tailscale serve` feature, which allows users to easily share web services with proper HTTPS.
+
+Without a configured DNS provider, these features will not be available to your users.
+
+## Supported DNS providers
+
+ionscale uses the [libdns](https://github.com/libdns) libraries to support the following DNS providers:
+
+- [Azure DNS](https://github.com/libdns/azure)
+- [Cloudflare](https://github.com/libdns/cloudflare)
+- [DigitalOcean](https://github.com/libdns/digitalocean)
+- [Google Cloud DNS](https://github.com/libdns/googleclouddns)
+- [Amazon Route 53](https://github.com/libdns/route53)
+
+!!! info "Provider availability"
+    These are the DNS providers supported at the time of this writing. Since ionscale uses the libdns ecosystem, additional providers may be added in future releases as the ecosystem expands.
+    
+    If you need support for a different DNS provider, check the [libdns GitHub organization](https://github.com/libdns) for newly available providers or consider contributing an implementation for your provider.
+
+!!! note "Future plugin system"
+    A plugin system for DNS providers is currently in the ideation phase. This would make it significantly easier to add and configure additional DNS providers without modifying the core ionscale code. Stay tuned for updates on this feature in future releases.
+
+## DNS provider configuration
+
+To configure a DNS provider, add the appropriate settings to your ionscale configuration file (`config.yaml`):
+
+```yaml
+dns:
+  # The base domain for MagicDNS FQDN hostnames
+  magic_dns_suffix: "ionscale.net"
+  
+  # DNS provider configuration for HTTPS certificates
+  provider:
+    # Name of your DNS provider
+    name: "cloudflare"
+    # The DNS zone to use (typically your domain name)
+    zone: "example.com"
+    # Provider-specific configuration (varies by provider)
+    config:
+      # Provider-specific credentials and settings go here
+      # See provider-specific examples below
+```
+
+### Important requirements
+
+1. The `magic_dns_suffix` must be a subdomain of the provider's zone (or the zone itself).
+2. MagicDNS must be enabled for the tailnet to use HTTPS certificates.
+3. You must have administrative access to the DNS zone to configure the provider.
+
+## Provider-specific examples
+
+### Cloudflare
+
+```yaml
+dns:
+  magic_dns_suffix: "ts.example.com"
+  provider:
+    name: "cloudflare"
+    zone: "example.com"
+    config:
+      auth_token: "your-cloudflare-api-token"
+      # OR use email/api_key authentication 
+      # email: "your-email@example.com"
+      # api_key: "your-global-api-key"
+```
+
+For Cloudflare, create an API token with the "Edit" permission for "Zone:DNS".
+
+### Azure DNS
+
+```yaml
+dns:
+  magic_dns_suffix: "ts.example.com"
+  provider:
+    name: "azure"
+    zone: "example.com"
+    config:
+      tenant_id: "your-tenant-id"
+      client_id: "your-client-id"
+      client_secret: "your-client-secret"
+      subscription_id: "your-subscription-id"
+      resource_group_name: "your-resource-group"
+```
+
+For Azure, create a service principal with "DNS Zone Contributor" role for your DNS zone's resource group.
+
+### Amazon Route 53
+
+```yaml
+dns:
+  magic_dns_suffix: "ts.example.com"
+  provider:
+    name: "route53"
+    zone: "example.com"
+    config:
+      access_key_id: "your-access-key-id"
+      secret_access_key: "your-secret-access-key"
+      # Optional region, defaults to us-east-1
+      region: "us-east-1"
+```
+
+For AWS Route 53, create an IAM user with permissions to modify records in your hosted zone.
+
+### Google Cloud DNS
+
+```yaml
+dns:
+  magic_dns_suffix: "ts.example.com"
+  provider:
+    name: "googleclouddns"
+    zone: "example-com" # Note: GCP uses zone names without dots
+    config:
+      project: "your-project-id"
+      # Either provide service account JSON directly
+      service_account_json: '{"type":"service_account","project_id":"your-project",...}'
+      # OR specify a path to a service account key file
+      # service_account_key_file: "/path/to/service-account-key.json"
+```
+
+For Google Cloud DNS, create a service account with the "DNS Administrator" role.
+
+### DigitalOcean
+
+```yaml
+dns:
+  magic_dns_suffix: "ts.example.com"
+  provider:
+    name: "digitalocean"
+    zone: "example.com"
+    config:
+      token: "your-digitalocean-api-token"
+```
+
+For DigitalOcean, create an API token with read and write access.
+
+## Enabling HTTPS certificates for a tailnet
+
+After configuring a DNS provider in your ionscale server, you can enable HTTPS certificates for a tailnet:
+
+```bash
+# Enable MagicDNS and HTTPS certificates for a tailnet
+ionscale dns update --tailnet "my-tailnet" --magic-dns --https-certs
+```
+
+## Verifying DNS provider configuration
+
+To verify that your DNS provider is correctly configured:
+
+1. Configure a tailnet with MagicDNS and HTTPS certificates enabled.
+2. Connect a device to the tailnet.
+3. On the device, run:
+   ```bash
+   tailscale cert <hostname>
+   ```
+4. If successful, the command will obtain a certificate for the hostname.
+5. You should see TXT records created in your DNS zone for the ACME challenge.
+
+## Troubleshooting
+
+If you encounter issues with DNS provider integration:
+
+1. **Check DNS Provider Credentials**: Ensure the credentials in your configuration have sufficient permissions.
+2. **Verify Zone Configuration**: Make sure the zone in your configuration matches your actual DNS zone.
+3. **Check MagicDNS Settings**: Confirm that `magic_dns_suffix` is properly configured as a subdomain of your zone.
+4. **Review Server Logs**: The ionscale server logs may contain error messages related to DNS provider integration.
+5. **Test DNS Record Creation**: Some providers offer tools to test API access for creating and updating DNS records.
+