From ec51278987d1dca4a26e36616e25ae60f4e2b504 Mon Sep 17 00:00:00 2001
From: Jordan Holt
Date: Sun, 11 Aug 2024 22:27:14 +0100
Subject: [PATCH] Fix zitadel config
---
 hosts/vps1/default.nix | 44 +++++++++++++++++---------------
 modules/databases/postgresql.nix | 1 +
 2 files changed, 24 insertions(+), 21 deletions(-)
diff --git a/hosts/vps1/default.nix b/hosts/vps1/default.nix
index 64522ee..2500864 100644
--- a/hosts/vps1/default.nix
+++ b/hosts/vps1/default.nix
@@ -47,8 +47,7 @@
 name = "zitadel";
 ensureDBOwnership = true;
 ensureClauses = {
- createdb = true;
- createrole = true;
+ superuser = true;
 };
 }
 ];
@@ -61,7 +60,11 @@
 group = "zitadel";
 };
- systemd.services.zitadel.after = [ "postgresql.service" ];
+ systemd.services.zitadel = {
+ requires = [ "postgresql.service" ];
+ after = [ "postgresql.service" ];
+ };
+
 services.zitadel = {
 enable = true;
 masterKeyFile = config.age.secrets."files/services/zitadel/masterkey".path;
@@ -80,32 +83,34 @@
 SSL.Mode = "disable";
 };
 };
- DefaultInstance = {
- InstanceName = "Vimium";
- Org = {
- Name = "Vimium";
- Human = {
- UserName = "admin@vimium.com";
- FirstName = "Vimium";
- LastName = "Admin";
- };
- };
- DomainPolicy.UserLoginMustBeDomain = true;
- };
 ExternalDomain = "id.vimium.com";
 ExternalPort = 443;
 ExternalSecure = true;
+ Machine = {
+ Identification = {
+ Hostname.Enabled = true;
+ PrivateIp.Enabled = false;
+ Webhook.Enabled = false;
+ };
+ };
 Port = 8081;
 WebAuthNName = "Vimium";
 };
 steps.FirstInstance = {
 InstanceName = "Vimium";
+ Org.Name = "Vimium";
 Org.Human = {
 UserName = "jordan@vimium.com";
 FirstName = "Jordan";
 LastName = "Holt";
- Email.Address = "jordan@vimium.com";
+ Email = {
+ Address = "jordan@vimium.com";
+ Verified = true;
+ };
+ Password = "Password1!";
+ PasswordChangeRequired = true;
 };
+ LoginPolicy.AllowRegister = false;
 };
 };
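Review bot: `superuser = true` in the zitadel `ensureClauses` replaces the narrower `createdb`/`createrole` grants with full cluster control, so a leak of this role's credentials or a flaw in the application now reaches every database in the cluster and the host-level capabilities a PostgreSQL superuser carries, not just the zitadel database. If the wider grant is only needed for the initial setup step, consider dropping back to the minimal clauses once the instance is bootstrapped, or state the reason in place so the next maintainer does not treat it as the steady state: `# superuser required for the zitadel setup step; revisit after first boot`. The `ensureUsers` entry this belongs to starts outside the hunk.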
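Review bot: `Password = "Password1!"` in `steps.FirstInstance.Org.Human` commits a bootstrap credential to the repository, and since it is part of the Nix configuration it will presumably be rendered into a file under the world-readable Nix store on the host; `PasswordChangeRequired = true` shortens the window but removes neither exposure. The master key a few lines above is already read from an agenix secret through `masterKeyFile`, so the first-instance password should take the same route — the module's `extraStepsPaths` option, if present in the deployed nixpkgs, accepts a steps file that lives outside the store — and the inlined value should be treated as burned now that it is in history. The enclosing `services.zitadel` attribute set starts outside the hunk.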
@@ -113,12 +118,9 @@
 enableACME = true;
 forceSSL = true;
 locations."/" = {
- proxyPass = "http://localhost:${builtins.toString config.services.zitadel.settings.Port}";
 extraConfig = ''
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header Host $host;
+ grpc_pass grpc://localhost:${builtins.toString config.services.zitadel.settings.Port};
+ grpc_set_header Host $host:$server_port;
 '';
 };
 };
diff --git a/modules/databases/postgresql.nix b/modules/databases/postgresql.nix
index 4f8cde6..461d15d 100644
--- a/modules/databases/postgresql.nix
+++ b/modules/databases/postgresql.nix
@@ -17,6 +17,7 @@ in {
 config = lib.mkIf cfg.enable {
 services.postgresql = {
 enable = true;
+ enableJIT = true;
 initdbArgs = [
 "--allow-group-access"
 "--encoding=UTF8"
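Review bot: Switching `locations."/"` to `grpc_pass` drops all four `proxy_set_header` lines, so the upstream no longer receives `X-Forwarded-For`, `X-Forwarded-Proto` or `X-Real-IP` and will presumably attribute every request to the proxy's own address in its audit records and any IP-based limits. The directives have direct equivalents in the gRPC module, e.g. `grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `grpc_set_header X-Forwarded-Proto $scheme;`, which can sit beside the new `grpc_set_header Host` line. The `services.nginx.virtualHosts` entry this location belongs to starts outside the hunk.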