From 06ad805206e5af2deb0dca62a954902fa76efd63 Mon Sep 17 00:00:00 2001
From: Chris Kruining
Date: Thu, 14 Aug 2025 15:33:27 +0200
Subject: [PATCH] got zitadel and forgejo mostly up and running
---
 .../authentication/zitadel/default.nix | 16 +++++-----
 .../services/development/forgejo/default.nix | 31 +++++++++++++++++--
 2 files changed, 37 insertions(+), 10 deletions(-)
diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix
index 94915e1..aa1a0dd 100644
--- a/modules/nixos/services/authentication/zitadel/default.nix
+++ b/modules/nixos/services/authentication/zitadel/default.nix
@@ -90,14 +90,14 @@ in
 reverse_proxy h2c://127.0.0.1:9092
 '';
 };
- # extraConfig = ''
- # (auth) {
- # forward_auth h2c://127.0.0.1:9092 {
- # uri /api/authz/forward-auth
- # copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
- # }
- # }
- # '';
+ extraConfig = ''
+ (auth-z) {
+ forward_auth h2c://127.0.0.1:9092 {
+ uri /api/authz/forward-auth
+ copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+ }
+ }
+ '';
 };
 };
diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix
index baa70cb..5342b56 100644
--- a/modules/nixos/services/development/forgejo/default.nix
+++ b/modules/nixos/services/development/forgejo/default.nix
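Review bot: The `(auth-z)` snippet is un-commented here but nothing in this commit imports it — the Forgejo vhost in the other file keeps `# import auth-z` commented out — so the forward_auth block is inert config right now, and a comment should say where it is meant to be used, e.g. `# Caddy snippet: delegate authz to Zitadel's forward-auth endpoint; apply per vhost with "import auth-z" (no vhost uses it yet)`. That comment should also carry the usual caveat for copy_headers: the copied Remote-* headers are only trustworthy to an upstream that receives them exclusively from this proxy with the snippet applied, since a vhost without the import passes client-supplied headers through unchanged (as far as the Caddy config visible here shows). The `h2c://127.0.0.1:9092` upstream is repeated from the `reverse_proxy` context line just above; a shared Nix binding for the address would keep the two from drifting. The enclosing attrset starts and ends outside the hunk.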
@@ -11,24 +11,47 @@ in
 };
 config = mkIf cfg.enable {
+ environment.systemPackages = with pkgs; [ forgejo ];
+
 services = {
 forgejo = {
 enable = true;
+ useWizard = false;
 database.type = "postgres";
 settings = {
+ DEFAULT = {
+ APP_NAME = "Chris' Forge";
+ };
+
 server = {
 DOMAIN = domain;
 ROOT_URL = "https://${domain}/";
 HTTP_PORT = 5002;
 };
+ security = {
+ PASSWORD_HASH_ALGO = "argon2";
+ };
+
 service = {
+ REQUIRE_SIGNIN_VIEW = true; # must be signed in to see anything
 DISABLE_REGISTRATION = true;
- ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
+ ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
 SHOW_REGISTRATION_BUTTON = false;
 };
+ openid = {
+ ENABLE_OPENID_SIGNIN = true;
+ ENABLE_OPENID_SIGNUP = true;
+ WHITELISTED_URIS = "https://auth-z.kruining.eu";
+ };
+
+ oauth2_client = {
+ ENABLE_AUTO_REGISTRATION = true;
+ UPDATE_AVATAR = true;
+ };
+
 # actions = {
 # ENABLED = true;
 # DEFAULT_ACTIONS_URL = "forgejo";
@@ -63,7 +86,11 @@ in
 enable = true;
 virtualHosts = {
 ${domain}.extraConfig = ''
- import auth
+ # import auth-z
+
+ # stupid dumb way to prevent the login page and go to zitadel instead
+ # be aware that this does not disable local login at all!
+ rewrite /user/login /user/oauth2/Zitadel
 reverse_proxy http://127.0.0.1:5002
 '';
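Review bot: The new `openid` block (`ENABLE_OPENID_SIGNIN`, `ENABLE_OPENID_SIGNUP`, `WHITELISTED_URIS`) configures Forgejo's legacy OpenID 2.0 login, not the OIDC/OAuth2 source that the `oauth2_client` block and the `/user/oauth2/Zitadel` path in the Caddy hunk rely on, so it most likely does nothing for the Zitadel integration while `ENABLE_OPENID_SIGNUP = true` enables an additional sign-up path (probably still blocked by `DISABLE_REGISTRATION = true`, but worth verifying). Restricting which provider may be used is a property of the OAuth2 authentication source, which is configured outside this file, not of this section. Suggest dropping the `openid` block, or keeping it with a comment stating why legacy OpenID 2.0 login is wanted, e.g. `# legacy OpenID 2.0 login; unrelated to the Zitadel OAuth2 source`. The `config = mkIf cfg.enable {` attrset continues outside the hunk.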
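Review bot: The `rewrite /user/login /user/oauth2/Zitadel` line is a convenience, not an access control, as the comment already admits; the comment should state precisely what remains open rather than "stupid dumb way", e.g. `# UX only: serve the Zitadel OAuth2 entry point in place of the login page` and `# NOTE: local login is still accepted by Forgejo (password/basic auth paths bypass this); the real gate is REQUIRE_SIGNIN_VIEW + DISABLE_REGISTRATION`. Note that a Caddy path matcher is method-agnostic, so the rewrite also catches a POST to `/user/login`, which breaks rather than disables the browser form login through this proxy. With `import auth-z` left commented out, the `(auth-z)` forward_auth snippet defined in the Zitadel file is not applied here; if that gate is the intended end state, say so in the comment instead of leaving the import silently disabled. The `virtualHosts` attrset continues outside the hunk.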