feat: start implementation of zitadel helm chart

This commit is contained in:
Chris Kruining 2025-11-05 13:13:54 +01:00
parent f2bb2757b8
commit 7dd0da6d5f
No known key found for this signature in database
GPG key ID: EB894A3560CCCAD2


@ -75,6 +75,8 @@ in
})
];
};
valuesYamlKey = "amarth/service/zitadel-${instanceName}-values.yml";
in
{
assertions =
@ -112,128 +114,147 @@ in
'';
};
services.zitadel = {
enable = true;
services.k3s.autoDeployCharts.zitadel = {
name = "zitadel";
repo = "https://charts.zitadel.com";
version = "";
hash = lib.fakeHash;
openFirewall = true;
targetNamespace = "zitadel-system";
createNamespace = true;
masterKeyFile = config.clan.core.vars.generators.zitadel.files.masterKey.path;
tlsMode = "external";
settings = {
Port = 9092;
ExternalDomain = settings.hostName;
ExternalPort = 443;
ExternalSecure = true;
Metrics.Type = "otel";
Tracing.Type = "otel";
Telemetry.Enabled = true;
SystemDefaults = {
PasswordHasher.Hasher.Algorithm = "argon2id";
SecretHasher.Hasher.Algorithm = "argon2id";
};
DefaultInstance = {
PasswordComplexityPolicy = {
MinLength = 20;
HasLowercase = false;
HasUppercase = false;
HasNumber = false;
HasSymbol = false;
};
LoginPolicy = {
AllowRegister = false;
ForceMFA = true;
};
LockoutPolicy = {
MaxPasswordAttempts = 5;
MaxOTPAttempts = 10;
};
SMTPConfiguration = {
SMTP = {
Host = "black-mail.nl:587";
User = "info@amarth.cloud";
Password = ""; #config.clan.core.vars.generators.zitadel.files.emailPassword.value;
};
FromName = "Amarth Zitadel";
};
};
Database.postgres = {
Host = "localhost";
# Zitadel will report error if port is not set
Port = 5432;
Database = "zitadel";
User = {
Username = "zitadel";
SSL.Mode = "disable";
};
Admin = {
Username = "postgres";
SSL.Mode = "disable";
};
};
Machine.Identification = {
PrivateIp.Enabled = true;
# In the docs this uses a google service. I want a self hosted one
# TODO :: Figure out how to self-host webhooks, if I want them at all
Webhook.Enabled = false;
};
SystemAPIUsers = {
emergencyAccess = {
# Path = settings.emergencyAccessPublicKey;
KeyData = settings.emergencyAccessPublicKey;
# This is the default value
# Memberships = [
# { MemberType = "System"; Roles = [ "SYSTEM_OWNER" ]; }
# ];
};
};
};
steps.FirstInstance = {
InstanceName = settings.hostName;
Org = {
Name = settings.displayName;
Human = {
UserName = "chris";
FirstName = "Chris";
LastName = "Kruining";
Email = {
Address = "chris@kruining.eu";
Verified = true;
};
Password = config.clan.core.vars.generators.zitadel.files.initialAdminPassword.value;
};
};
};
values = config.sops.templates.${valuesYamlKey}.path;
};
services.postgresql = {
enable = true;
authentication = ''
# Generated file, do not edit!
# TYPE DATABASE USER ADDRESS METHOD
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
sops = {
templates.${valuesYamlKey}.content = ''
zitadel:
masterKey: ${config.sops.placeholder."vars/zitadel/masterKey"}
'';
ensureDatabases = [ "zitadel" ];
ensureUsers = [
{
name = "zitadel";
ensureDBOwnership = true;
}
];
};
# services.zitadel = {
# enable = true;
# openFirewall = true;
# masterKeyFile = config.clan.core.vars.generators.zitadel.files.masterKey.path;
# tlsMode = "external";
# settings = {
# Port = 9092;
# ExternalDomain = settings.hostName;
# ExternalPort = 443;
# ExternalSecure = true;
# Metrics.Type = "otel";
# Tracing.Type = "otel";
# Telemetry.Enabled = true;
# SystemDefaults = {
# PasswordHasher.Hasher.Algorithm = "argon2id";
# SecretHasher.Hasher.Algorithm = "argon2id";
# };
# DefaultInstance = {
# PasswordComplexityPolicy = {
# MinLength = 20;
# HasLowercase = false;
# HasUppercase = false;
# HasNumber = false;
# HasSymbol = false;
# };
# LoginPolicy = {
# AllowRegister = false;
# ForceMFA = true;
# };
# LockoutPolicy = {
# MaxPasswordAttempts = 5;
# MaxOTPAttempts = 10;
# };
# SMTPConfiguration = {
# SMTP = {
# Host = "black-mail.nl:587";
# User = "info@amarth.cloud";
# Password = ""; #config.clan.core.vars.generators.zitadel.files.emailPassword.value;
# };
# FromName = "Amarth Zitadel";
# };
# };
# Database.postgres = {
# Host = "localhost";
# # Zitadel will report error if port is not set
# Port = 5432;
# Database = "zitadel";
# User = {
# Username = "zitadel";
# SSL.Mode = "disable";
# };
# Admin = {
# Username = "postgres";
# SSL.Mode = "disable";
# };
# };
# Machine.Identification = {
# PrivateIp.Enabled = true;
# # In the docs this uses a google service. I want a self hosted one
# # TODO :: Figure out how to self-host webhooks, if I want them at all
# Webhook.Enabled = false;
# };
# SystemAPIUsers = {
# emergencyAccess = {
# # Path = settings.emergencyAccessPublicKey;
# KeyData = settings.emergencyAccessPublicKey;
# # This is the default value
# # Memberships = [
# # { MemberType = "System"; Roles = [ "SYSTEM_OWNER" ]; }
# # ];
# };
# };
# };
# steps.FirstInstance = {
# InstanceName = settings.hostName;
# Org = {
# Name = settings.displayName;
# Human = {
# UserName = "chris";
# FirstName = "Chris";
# LastName = "Kruining";
# Email = {
# Address = "chris@kruining.eu";
# Verified = true;
# };
# Password = config.clan.core.vars.generators.zitadel.files.initialAdminPassword.value;
# };
# };
# };
# };
# services.postgresql = {
# enable = true;
# authentication = ''
# # Generated file, do not edit!
# # TYPE DATABASE USER ADDRESS METHOD
# local all all trust
# host all all 127.0.0.1/32 trust
# host all all ::1/128 trust
# '';
# ensureDatabases = [ "zitadel" ];
# ensureUsers = [
# {
# name = "zitadel";
# ensureDBOwnership = true;
# }
# ];
# };
};
};
};
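Review bot: The chart reference at `version = "";` and `hash = lib.fakeHash;` is unpinned, so the Helm chart fetched from https://charts.zitadel.com has neither a version nor an integrity check yet; before this module is deployed, set a concrete chart version and replace `lib.fakeHash` with the real hash (the fake hash should make the fetch fail with a mismatch, so it will not slip through silently, but the commit should state that this is the intended placeholder). When the commented-out `services.zitadel` settings are moved into the values template, secrets such as `initialAdminPassword` and the SMTP password should be rendered through `config.sops.placeholder` the way `masterKey` already is at `masterKey: ${config.sops.placeholder."vars/zitadel/masterKey"}`, not via `.value`, since reading a vars file's `.value` at evaluation time would presumably embed the secret in the world-readable Nix store — confirm against the clan vars semantics. The `trust` rows in the commented `services.postgresql.authentication` assume Zitadel connects from the host loopback; once it runs as a chart inside k3s the connection will likely originate from a pod address, so that block should be revisited rather than re-enabled as-is. The enclosing module body starts and ends outside the hunk.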
@ -243,7 +264,7 @@ in
#==============================================================================================================
roles.peer = {
description = "A peer";
interface = {
options = {};
};