Add zitadel config

2024-08-11 17:06:17 +01:00
parent bbb7548659
commit 1250683996
1 changed files with 83 additions and 1 deletions
--- a/hosts/vps1/default.nix
+++ b/hosts/vps1/default.nix
@ -1,4 +1,4 @@
-{ lib, ... }:
+{ config, lib, self, ... }:

 {
  imports = [
@ -41,6 +41,88 @@

  services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";

+  services.postgresql = {
+    ensureUsers = [
+      {
+        name = "zitadel";
+        ensureDBOwnership = true;
+        ensureClauses = {
+          createdb = true;
+          createrole = true;
+        };
+      }
+    ];
+    ensureDatabases = [ "zitadel" ];
+  };
+
+  age.secrets."files/services/zitadel/masterkey" = {
+    file = "${self.inputs.secrets}/files/services/zitadel/masterkey.age";
+    owner = "zitadel";
+    group = "zitadel";
+  };
+
+  systemd.services.zitadel.after = [ "postgresql.service" ];
+  services.zitadel = {
+    enable = true;
+    masterKeyFile = config.age.secrets."files/services/zitadel/masterkey".path;
+    settings = {
+      Database.postgres = {
+        Host = "/run/postgresql";
+        Port = 5432;
+        Database = "zitadel";
+        User = {
+          Username = "zitadel";
+          SSL.Mode = "disable";
+        };
+        Admin = {
+          ExistingDatabase = "zitadel";
+          Username = "zitadel";
+          SSL.Mode = "disable";
+        };
+      };
+      DefaultInstance = {
+        InstanceName = "Vimium";
+        Org = {
+          Name = "Vimium";
+          Human = {
+            UserName = "admin@vimium.com";
+            FirstName = "Vimium";
+            LastName = "Admin";
+          };
+        };
+        DomainPolicy.UserLoginMustBeDomain = true;
+      };
+      ExternalDomain = "id.vimium.com";
+      ExternalPort = 443;
+      ExternalSecure = true;
+      Port = 8081;
+      WebAuthNName = "Vimium";
+    };
+    steps.FirstInstance = {
+      InstanceName = "Vimium";
+      Org.Human = {
+        UserName = "jordan@vimium.com";
+        FirstName = "Jordan";
+        LastName = "Holt";
+        Email.Address = "jordan@vimium.com";
+      };
+    };
+  };
+
+  services.nginx.virtualHosts."id.vimium.com" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://localhost:${builtins.toString config.services.zitadel.settings.Port}";
+      extraConfig = ''
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $host;
+      '';
+    };
+  };
+
  modules = rec {
    databases.postgresql.enable = true;
    services = {