{ lib, pkgs, ... }: let inherit (builtins) readFile; inherit (lib) mkOption types; in { _class = "clan.service"; manifest = { name = "amarth-services/zitadel"; description = "Zitadel service module"; categories = [ "System" "Identity" "IAM" ]; readme = readFile ./README.md; }; #============================================================================================================== # Controller configuration #============================================================================================================== roles.controller = { interface = { options = { hostName = mkOption { type = types.str; example = "auth.example.com"; description = '' The domain at which zitadel will be hosted ''; }; displayName = mkOption { type = types.str; example = "My awesome org"; description = '' The Name of the zitadel organisation ''; }; }; }; perInstance = { instanceName, settings, machine, roles, ... }: { nixosModule = { config, pkgs, ... }: { clan.core.vars.generators.zitadel = { share = false; files.masterKey = { deploy = true; secret = true; owner = "zitadel"; group = "zitadel"; mode = "0400"; }; files.initialAdminPassword = { deploy = false; secret = false; }; runtimeInputs = with pkgs; [ pwgen ]; script = '' pwgen 50 1 > "$out/initialAdminPassword" # https://zitadel.com/docs/self-hosting/manage/configure#masterkey # The master key has to be 32 bytes head -c 32 /dev/urandom > "$out/masterKey" ''; }; services.zitadel = { enable = true; masterKeyFile = config.clan.core.vars.generators.zitadel.files.masterKey.path; settings = { Port = 9092; ExternalDomain = settings.hostName; ExternalPort = 443; ExternalSecure = true; Metrics.Type = "otel"; Tracing.Type = "otel"; Telemetry.Enabled = true; SystemDefaults = { PasswordHasher.Hasher.Algorithm = "argon2id"; SecretHasher.Hasher.Algorithm = "argon2id"; }; Database.postgres = { Host = "localhost"; # Zitadel will report error if port is not set Port = 5432; Database = "zitadel"; User = { Username = "zitadel"; SSL.Mode = "disable"; }; Admin = { Username = "postgres"; SSL.Mode = "disable"; }; }; }; steps.FirstInstance = { InstanceName = settings.hostName; Org = { Name = settings.displayName; Human = { UserName = "chris"; FirstName = "Chris"; LastName = "Kruining"; Email = { Address = "chris@kruining.eu"; Verified = true; }; Password = config.clan.core.vars.generators.zitadel.files.initialAdminPassword.value; }; }; }; }; services.postgresql = { enable = true; authentication = '' # Generated file, do not edit! # TYPE DATABASE USER ADDRESS METHOD local all all trust host all all 127.0.0.1/32 trust host all all ::1/128 trust ''; ensureDatabases = [ "zitadel" ]; ensureUsers = [ { name = "zitadel"; ensureDBOwnership = true; } ]; }; services.nginx = { enable = true; virtualHosts = { ${settings.hostName} = { enableACME = true; forceSSL = true; locations."/" = { proxyPass = "http://h2c:/127.0.0.1:9092"; }; }; }; }; }; }; }; #============================================================================================================== # Peer configuration #============================================================================================================== roles.peer = { interface = { options = {}; }; perInstance = { instanceName, settings, machine, roles, ... }: { nixosModule = {}; }; }; }