From 125068399604765114d4bdca213c8ab1ea962508 Mon Sep 17 00:00:00 2001
From: Jordan Holt
Date: Sun, 11 Aug 2024 17:06:17 +0100
Subject: [PATCH] Add zitadel config
---
 hosts/vps1/default.nix | 84 +++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 83 insertions(+), 1 deletion(-)
diff --git a/hosts/vps1/default.nix b/hosts/vps1/default.nix
index a195559..64522ee 100644
--- a/hosts/vps1/default.nix
+++ b/hosts/vps1/default.nix
@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ config, lib, self, ... }:
 {
 imports = [
@@ -41,6 +41,88 @@
 services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
+ services.postgresql = {
+ ensureUsers = [
+ {
+ name = "zitadel";
+ ensureDBOwnership = true;
+ ensureClauses = {
+ createdb = true;
+ createrole = true;
+ };
+ }
+ ];
+ ensureDatabases = [ "zitadel" ];
+ };
+
+ age.secrets."files/services/zitadel/masterkey" = {
+ file = "${self.inputs.secrets}/files/services/zitadel/masterkey.age";
+ owner = "zitadel";
+ group = "zitadel";
+ };
+
+ systemd.services.zitadel.after = [ "postgresql.service" ];
+ services.zitadel = {
+ enable = true;
+ masterKeyFile = config.age.secrets."files/services/zitadel/masterkey".path;
+ settings = {
+ Database.postgres = {
+ Host = "/run/postgresql";
+ Port = 5432;
+ Database = "zitadel";
+ User = {
+ Username = "zitadel";
+ SSL.Mode = "disable";
+ };
+ Admin = {
+ ExistingDatabase = "zitadel";
+ Username = "zitadel";
+ SSL.Mode = "disable";
+ };
+ };
+ DefaultInstance = {
+ InstanceName = "Vimium";
+ Org = {
+ Name = "Vimium";
+ Human = {
+ UserName = "admin@vimium.com";
+ FirstName = "Vimium";
+ LastName = "Admin";
+ };
+ };
+ DomainPolicy.UserLoginMustBeDomain = true;
+ };
+ ExternalDomain = "id.vimium.com";
+ ExternalPort = 443;
+ ExternalSecure = true;
+ Port = 8081;
+ WebAuthNName = "Vimium";
+ };
+ steps.FirstInstance = {
+ InstanceName = "Vimium";
+ Org.Human = {
+ UserName = "jordan@vimium.com";
+ FirstName = "Jordan";
+ LastName = "Holt";
+ Email.Address = "jordan@vimium.com";
+ };
+ };
+ };
+
+ services.nginx.virtualHosts."id.vimium.com" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${builtins.toString config.services.zitadel.settings.Port}";
+ extraConfig = ''
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ '';
+ };
+ };
+
 modules = rec {
 databases.postgresql.enable = true;
 services = {
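Review bot: `systemd.services.zitadel.after = [ "postgresql.service" ];` only orders the two units; with no dependency edge zitadel is still started (and then fails to reach the socket at `/run/postgresql`) if postgresql is not pulled in by something else, so pair it with `systemd.services.zitadel.requires = [ "postgresql.service" ];` (or `wants`). Neither `steps.FirstInstance.Org.Human` nor `settings.DefaultInstance.Org.Human` sets a password, so the first admin account presumably comes up with Zitadel's documented built-in initial password until it is changed at first login; because the `steps` attrset is presumably rendered into the world-readable Nix store, the password belongs in an age-managed file (as already done for `masterKeyFile`) rather than inline, and the two Human definitions (admin@vimium.com vs jordan@vimium.com) look inconsistent — confirm which one Zitadel actually applies. `ensureClauses` leaves the runtime `zitadel` role with CREATEDB and CREATEROLE, which is more than a running service needs; worth confirming the init step requires them or using a separate role for `Database.postgres.Admin`. The enclosing module attrset continues past the end of the hunk.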