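# clan service module for Zitadel.
#
# Two roles (controller / peer) delegate their NixOS configuration to
# ./roles/controller.nix and ./roles/peer.nix; the perMachine part below
# provisions the Zitadel master key through clan vars and enables the
# NixOS services.zitadel module with a fixed settings block.
{ lib, pkgs, ... }:
let
  inherit (builtins) readFile;
in
{
  _class = "clan.service";

  manifest = {
    name = "amarth-services/zitadel";
    description = "Zitadel service module";
    categories = [ "System" "Identity" "IAM" ];
    readme = readFile ./README.md;
  };

  #==============================================================================================================
  # Controller configuration
  #==============================================================================================================
  roles.controller = {
    # No role-specific options yet; the role exists for placement only.
    interface = {
      options = { };
    };
    # The per-instance NixOS module is loaded from the role file and receives
    # the instance arguments plus the outer `pkgs`.
    perInstance = instanceArgs: {
      nixosModule = lib.modules.importApply ./roles/controller.nix (instanceArgs // { inherit pkgs; });
    };
  };

  #==============================================================================================================
  # Peer configuration
  #==============================================================================================================
  roles.peer = {
    # No role-specific options yet; the role exists for placement only.
    interface = {
      options = { };
    };
    perInstance = instanceArgs: {
      nixosModule = lib.modules.importApply ./roles/peer.nix (instanceArgs // { inherit pkgs; });
    };
  };

  # Applied to every machine that carries any role of this service.
  perMachine = { instances, machine, ... }: {
    nixosModule = { config, ... }: {
      config = {
        # Master key used by Zitadel to encrypt secrets in its database.
        # https://zitadel.com/docs/self-hosting/manage/configure#masterkey
        clan.core.vars.generators.zitadel = {
          # NOTE(review): `shared = false` gives every machine its own key; a
          # Zitadel database encrypted by one machine's key cannot be opened
          # with another's. Confirm this matches the intended deployment shape.
          shared = false;
          files.masterKey = {
            deploy = true;
            secret = true;
          };
          # The master key has to be 32 bytes. Encode it as printable ASCII:
          # base64 of 24 random bytes is exactly 32 characters (no padding),
          # and -w0 suppresses the trailing newline that would make it 33.
          # Raw /dev/urandom output could contain NUL or newline bytes, which
          # breaks any consumer that treats the file as text (e.g. exporting it
          # into an environment variable). Entropy stays at 192 bits.
          # `head` finishes before `base64` reads EOF, so the pipeline cannot
          # trip a pipefail-style SIGPIPE.
          script = ''
            head -c 24 /dev/urandom | base64 -w0 > $out/masterKey
          '';
        };

        services.zitadel = {
          enable = true;
          # clan vars expose generated files under `files.<name>.path`; the
          # generator above declares `files.masterKey`, so that is the path
          # the NixOS module must read.
          masterKeyFile = config.clan.core.vars.generators.zitadel.files.masterKey.path;
          settings = {
            # Zitadel listens locally on 9092 while advertising https://auth.amarth.cloud:443.
            # NOTE(review): no TLS block is set here, so this presumably relies on a
            # TLS-terminating reverse proxy configured elsewhere — verify.
            Port = 9092;
            ExternalDomain = "auth.amarth.cloud";
            ExternalPort = 443;
            ExternalSecure = true;
            # Metrics and traces are exported via OpenTelemetry.
            Metrics.Type = "otel";
            Tracing.Type = "otel";
            # NOTE(review): this turns on Zitadel's own telemetry reporting; confirm
            # the reporting destination is acceptable for this deployment.
            Telemetry.Enabled = true;
            # argon2id for both password and secret hashing.
            SystemDefaults = {
              PasswordHasher.Hasher.Algorithm = "argon2id";
              SecretHasher.Hasher.Algorithm = "argon2id";
            };
          };
        };
      };
    };
  };
}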