Fix zitadel config

Flake lock file updates:

• Updated input 'secrets':
    'git+ssh://git@git.vimium.com/jordan/nix-secrets.git?ref=refs/heads/master&rev=0cf25cbc71fcfe7c16250847e5f31abd730e04c4' (2024-08-11)
  → 'git+ssh://git@git.vimium.com/jordan/nix-secrets.git?ref=refs/heads/master&rev=b47efe67031e12a2d5560b94fdb4de7dca3df80c' (2024-08-11)

flake.lock

@@ -107,11 +107,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1723685519,
+        "lastModified": 1723080788,
-        "narHash": "sha256-GkXQIoZmW2zCPp1YFtAYGg/xHNyFH/Mgm79lcs81rq0=",
+        "narHash": "sha256-C5LbM5VMdcolt9zHeLQ0bYMRjUL+N+AL5pK7/tVTdes=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "276a0d055a720691912c6a34abb724e395c8e38a",
+        "rev": "ffc1f95f6c28e1c6d1e587b51a2147027a3e45ed",
         "type": "github"
       },
       "original": {
@@ -233,11 +233,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1723202784,
+        "lastModified": 1722857853,
-        "narHash": "sha256-qbhjc/NEGaDbyy0ucycubq4N3//gDFFH3DOmp1D3u1Q=",
+        "narHash": "sha256-3Zx53oz/MSIyevuWO/SumxABkrIvojnB7g9cimxkhiE=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "c7012d0c18567c889b948781bc74a501e92275d1",
+        "rev": "06939f6b7ec4d4f465bf3132a05367cccbbf64da",
         "type": "github"
       },
       "original": {
@@ -459,11 +459,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1723637854,
+        "lastModified": 1723175592,
-        "narHash": "sha256-med8+5DSWa2UnOqtdICndjDAEjxr5D7zaIiK4pn0Q7c=",
+        "narHash": "sha256-M0xJ3FbDUc4fRZ84dPGx5VvgFsOzds77KiBMW/mMTnI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c3aa7b8938b17aebd2deecf7be0636000d62a2b9",
+        "rev": "5e0ca22929f3342b19569b21b2f3462f053e497b",
         "type": "github"
       },
       "original": {
@@ -490,11 +490,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1723688146,
+        "lastModified": 1723282977,
-        "narHash": "sha256-sqLwJcHYeWLOeP/XoLwAtYjr01TISlkOfz+NG82pbdg=",
+        "narHash": "sha256-oTK91aOlA/4IsjNAZGMEBz7Sq1zBS0Ltu4/nIQdYDOg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c3d4ac725177c030b1e289015989da2ad9d56af0",
+        "rev": "a781ff33ae258bbcfd4ed6e673860c3e923bf2cc",
         "type": "github"
       },
       "original": {
@@ -517,11 +517,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1723536338,
+        "lastModified": 1722925293,
-        "narHash": "sha256-1bSEOtZBsAeCkg5vdDbDgOT3z91K8L/KE2s7J9hLYHw=",
+        "narHash": "sha256-saXm5dd/e3PMsYTEcp1Qbzifm3KsZtNFkrWjmLhXHGE=",
         "owner": "nix-community",
         "repo": "nixvim",
-        "rev": "0b6aa80acbcb8387f2a4affb3dd22960ac2899aa",
+        "rev": "170df9814c3e41d5a4d6e3339e611801b1f02ce2",
         "type": "github"
       },
       "original": {
@@ -541,11 +541,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1723804780,
+        "lastModified": 1723232379,
-        "narHash": "sha256-uuiu1UAfYr2Lo+5Ul6eA0UIYouoPvH9aIfYbq7wVF6c=",
+        "narHash": "sha256-F4Y3f9305aHGWKqAd3s2GyNRONdpDBuNuK4TCSdaHz8=",
         "owner": "nix-community",
         "repo": "plasma-manager",
-        "rev": "8726ecaa8b8c06910ef31abced57bf08a59730a1",
+        "rev": "22bea90404c5ff6457913a03c1a54a3caa5b1c57",
         "type": "github"
       },
       "original": {
@@ -576,11 +576,11 @@
     "secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1723415003,
+        "lastModified": 1723385164,
-        "narHash": "sha256-zSzDvI0sHayG5se7ALXhJhl41tConoWYbdqeow6OmBo=",
+        "narHash": "sha256-/z4nBwpHsGWl1gmGv7FQQgoOcPwUaVzL7rfjI5nTOLg=",
         "ref": "refs/heads/master",
-        "rev": "db951141cab2de0b4176f4f6fc42a50b30dd3950",
+        "rev": "b47efe67031e12a2d5560b94fdb4de7dca3df80c",
-        "revCount": 26,
+        "revCount": 24,
         "type": "git",
         "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git"
       },
@@ -658,11 +658,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1723454642,
+        "lastModified": 1722330636,
-        "narHash": "sha256-S0Gvsenh0II7EAaoc9158ZB4vYyuycvMGKGxIbERNAM=",
+        "narHash": "sha256-uru7JzOa33YlSRwf9sfXpJG+UAV+bnBEYMjrzKrQZFw=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "349de7bc435bdff37785c2466f054ed1766173be",
+        "rev": "768acdb06968e53aa1ee8de207fd955335c754b7",
         "type": "github"
       },
       "original": {

flake.nix

@@ -112,12 +112,7 @@
         magicRollback = true;
         autoRollback = true;
         sshUser = "root";
-        nodes = lib.genAttrs [
+        nodes = lib.genAttrs [ "mail" "pi" "skycam" "vps1" ] mkDeployNode;
-          "mail"
-          # "pi"
-          # "skycam"
-          "vps1"
-        ] mkDeployNode;
       };
 
       checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;

hosts/desktop.nix

@@ -6,7 +6,7 @@
   ];
 
   nixpkgs.overlays = [
-    (import ../overlays/gnome.nix)
+    (import ../overlays/gnome)
   ];
 
   services.printing.enable = true;

hosts/skycam/default.nix

@@ -55,7 +55,7 @@
   '';
 
   nixpkgs.overlays = [
-    (import ./../../overlays/libcamera.nix)
+    (import ./../../overlays/libcamera)
   ];
 
   networking = {

hosts/vps1/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, self, ... }:
 
 {
   imports = [
@@ -37,43 +37,91 @@
     groups = {
       jellyfin = { };
     };
-    extraGroups.acme.members = [ "kanidm" "nginx" ];
   };
 
   services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
 
-  security.acme.certs."auth.vimium.com" = {
+  services.postgresql = {
-    postRun = "systemctl restart kanidm.service";
+    ensureUsers = [
-    group = "acme";
+      {
+        name = "zitadel";
+        ensureDBOwnership = true;
+        ensureClauses = {
+          superuser = true;
+        };
+      }
+    ];
+    ensureDatabases = [ "zitadel" ];
   };
 
-  services.kanidm = let
+  age.secrets."files/services/zitadel/masterkey" = {
-    baseDomain = "vimium.com";
+    file = "${self.inputs.secrets}/files/services/zitadel/masterkey.age";
-    domain = "auth.${baseDomain}";
+    owner = "zitadel";
-    uri = "https://${domain}";
+    group = "zitadel";
-  in {
-    enableClient = true;
-    enableServer = true;
-    clientSettings = {
-      inherit uri;
-    };
-    serverSettings = {
-      bindaddress = "[::1]:3013";
-      ldapbindaddress = "[::1]:636";
-      domain = baseDomain;
-      origin = uri;
-      tls_chain = "${config.security.acme.certs.${domain}.directory}/full.pem";
-      tls_key = "${config.security.acme.certs.${domain}.directory}/key.pem";
-    };
   };
 
-  services.nginx.virtualHosts = {
+  systemd.services.zitadel = {
-    "auth.vimium.com" = {
+    requires = [ "postgresql.service" ];
-      useACMEHost = "auth.vimium.com";
+    after = [ "postgresql.service" ];
-      forceSSL = true;
+  };
-      locations."/" = {
+
-        proxyPass = "https://[::1]:3013";
+  services.zitadel = {
+    enable = true;
+    masterKeyFile = config.age.secrets."files/services/zitadel/masterkey".path;
+    settings = {
+      Database.postgres = {
+        Host = "/run/postgresql";
+        Port = 5432;
+        Database = "zitadel";
+        User = {
+          Username = "zitadel";
+          SSL.Mode = "disable";
+        };
+        Admin = {
+          ExistingDatabase = "zitadel";
+          Username = "zitadel";
+          SSL.Mode = "disable";
+        };
       };
+      ExternalDomain = "id.vimium.com";
+      ExternalPort = 443;
+      ExternalSecure = true;
+      Machine = {
+        Identification = {
+          Hostname.Enabled = true;
+          PrivateIp.Enabled = false;
+          Webhook.Enabled = false;
+        };
+      };
+      Port = 8081;
+      WebAuthNName = "Vimium";
+    };
+    steps.FirstInstance = {
+      InstanceName = "Vimium";
+      Org.Name = "Vimium";
+      Org.Human = {
+        UserName = "jordan@vimium.com";
+        FirstName = "Jordan";
+        LastName = "Holt";
+        Email = {
+          Address = "jordan@vimium.com";
+          Verified = true;
+        };
+        Password = "Password1!";
+        PasswordChangeRequired = true;
+      };
+      LoginPolicy.AllowRegister = false;
+    };
+  };
+
+  services.nginx.virtualHosts."id.vimium.com" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      extraConfig = ''
+        grpc_pass grpc://localhost:${builtins.toString config.services.zitadel.settings.Port};
+        grpc_set_header Host $host:$server_port;
+      '';
     };
   };
 

modules/databases/postgresql.nix

@@ -17,6 +17,7 @@ in {
   config = lib.mkIf cfg.enable {
     services.postgresql = {
       enable = true;
+      enableJIT = true;
       initdbArgs = [
         "--allow-group-access"
         "--encoding=UTF8"

modules/services/nginx/default.nix

@@ -118,12 +118,8 @@ in {
           serverAliases = [ "www.jdholt.com" ];
           extraConfig = nginxErrorPages + nginxEdgeHeaders + nginxStrictHeaders;
           locations."/skycam/snapshot.jpg" = {
+            proxyPass = "http://skycam.mesh.vimium.net:8080/snapshot";
             extraConfig = ''
-              set $backend "skycam.mesh.vimium.net:8080";
-
-              resolver 100.100.100.100;
-
-              proxy_pass http://$backend/snapshot;
               proxy_cache skycam_cache;
               proxy_cache_valid any 10s;
               proxy_ignore_headers Cache-Control Expires Set-Cookie;