Fix zitadel config

2024-08-11 22:27:14 +01:00 · 2024-08-11 22:27:14 +01:00 · ec51278987
commit ec51278987
parent 1250683996
2 changed files with 24 additions and 21 deletions
--- a/hosts/vps1/default.nix
+++ b/hosts/vps1/default.nix
@ -47,8 +47,7 @@
        name = "zitadel";
        ensureDBOwnership = true;
        ensureClauses = {
-          createdb = true;
-          createrole = true;
+          superuser = true;
        };
      }
    ];
@ -61,7 +60,11 @@
    group = "zitadel";
  };

-  systemd.services.zitadel.after = [ "postgresql.service" ];
+  systemd.services.zitadel = {
+    requires = [ "postgresql.service" ];
+    after = [ "postgresql.service" ];
+  };
+
  services.zitadel = {
    enable = true;
    masterKeyFile = config.age.secrets."files/services/zitadel/masterkey".path;
@ -80,32 +83,34 @@
          SSL.Mode = "disable";
        };
      };
-      DefaultInstance = {
-        InstanceName = "Vimium";
-        Org = {
-          Name = "Vimium";
-          Human = {
-            UserName = "admin@vimium.com";
-            FirstName = "Vimium";
-            LastName = "Admin";
-          };
-        };
-        DomainPolicy.UserLoginMustBeDomain = true;
-      };
      ExternalDomain = "id.vimium.com";
      ExternalPort = 443;
      ExternalSecure = true;
+      Machine = {
+        Identification = {
+          Hostname.Enabled = true;
+          PrivateIp.Enabled = false;
+          Webhook.Enabled = false;
+        };
+      };
      Port = 8081;
      WebAuthNName = "Vimium";
    };
    steps.FirstInstance = {
      InstanceName = "Vimium";
+      Org.Name = "Vimium";
      Org.Human = {
        UserName = "jordan@vimium.com";
        FirstName = "Jordan";
        LastName = "Holt";
-        Email.Address = "jordan@vimium.com";
+        Email = {
+          Address = "jordan@vimium.com";
+          Verified = true;
+        };
+        Password = "Password1!";
+        PasswordChangeRequired = true;
      };
+      LoginPolicy.AllowRegister = false;
    };
  };

@ -113,12 +118,9 @@
    enableACME = true;
    forceSSL = true;
    locations."/" = {
-      proxyPass = "http://localhost:${builtins.toString config.services.zitadel.settings.Port}";
      extraConfig = ''
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header Host $host;
+        grpc_pass grpc://localhost:${builtins.toString config.services.zitadel.settings.Port};
+        grpc_set_header Host $host:$server_port;
      '';
    };
  };
--- a/modules/databases/postgresql.nix
+++ b/modules/databases/postgresql.nix
@ -17,6 +17,7 @@ in {
  config = lib.mkIf cfg.enable {
    services.postgresql = {
      enable = true;
+      enableJIT = true;
      initdbArgs = [
        "--allow-group-access"
        "--encoding=UTF8"