diff --git a/clanServices/zitadel/default.nix b/clanServices/zitadel/default.nix
index 24bb280..b77b7ad 100644
--- a/clanServices/zitadel/default.nix
+++ b/clanServices/zitadel/default.nix
@@ -71,7 +71,8 @@ in
       share = false;
       files.masterKey = { deploy = true; secret = true; owner = "zitadel"; group = "zitadel"; mode = "0400"; };
-      files.initialAdminPassword = { deploy = false; secret = false; };
+      files.initialAdminPassword = { deploy = false; secret = true; };
+      files.emailPassword = { deploy = false; secret = true; };
       runtimeInputs = with pkgs; [ pwgen ];
@@ -81,13 +82,18 @@ in
         # https://zitadel.com/docs/self-hosting/manage/configure#masterkey
         # The master key has to be 32 bytes
         head -c 32 /dev/urandom > "$out/masterKey"
+
+        touch $out/emailPassword
       '';
     };
     services.zitadel = {
       enable = true;
+      openFirewall = true;
+      masterKeyFile = config.clan.core.vars.generators.zitadel.files.masterKey.path;
+      tlsMode = "external";
       settings = {
         Port = 9092;
@@ -105,6 +111,32 @@ in
           SecretHasher.Hasher.Algorithm = "argon2id";
         };
+        DefaultInstance = {
+          PasswordComplexityPolicy = {
+            MinLength = 20;
+            HasLowercase = false;
+            HasUppercase = false;
+            HasNumber = false;
+            HasSymbol = false;
+          };
+          LoginPolicy = {
+            AllowRegister = false;
+            ForceMFA = true;
+          };
+          LockoutPolicy = {
+            MaxPasswordAttempts = 5;
+            MaxOTPAttempts = 10;
+          };
+          SMTPConfiguration = {
+            SMTP = {
+              Host = "black-mail.nl:587";
+              User = "chris@kruining.eu";
+              Password = config.clan.core.vars.generators.zitadel.files.masterKey.value;
+            };
+            FromName = "Amarth Zitadel";
+          };
+        };
+
         Database.postgres = {
           Host = "localhost";
           # Zitadel will report error if port is not set
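Review bot: `touch $out/emailPassword` only creates an empty file, so the `emailPassword` secret this commit declares in the generator is never populated and nothing in the commit feeds it into the Zitadel config. If the SMTP password is meant to be supplied by the operator, the generator needs a prompt for it (clan generators support `prompts`) and the script should copy the prompted value into `$out/emailPassword` rather than touching an empty file; if it is meant to be generated, `pwgen` is already in `runtimeInputs` and could produce it, the same way the other files are. Minor: the path is unquoted, unlike `"$out/masterKey"` on the line above; `touch "$out/emailPassword"` keeps the two consistent. The generator script starts before this hunk.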
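Review bot: `Password = config.clan.core.vars.generators.zitadel.files.masterKey.value;` in the new SMTP block wires the Zitadel master key into the SMTP password instead of the `emailPassword` file this commit introduces, and reading a `secret = true` file through `.value` at evaluation time will, as far as I can tell, either fail to evaluate or embed the 32-byte master key in the generated settings in the world-readable Nix store, undoing the `mode = "0400"` protection the key gets earlier in this file. The master key should only ever be referenced via `masterKeyFile` / `.path` as the hunk above already does, and the SMTP password should come from the `emailPassword` secret through a file loaded at runtime rather than through `.value`. Separately, `Host = "black-mail.nl:587"`, `User = "chris@kruining.eu"` and `FromName = "Amarth Zitadel"` are one deployment's values hard-coded into a shared service module; they belong in module options so other instances of this service do not ship this configuration. The enclosing `settings` attribute set starts before this hunk and continues past it.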