initial attempt to install zitadel

This commit is contained in:
Chris Kruining 2025-07-17 11:57:22 +02:00
parent 9b8ed8dde0
commit 4509427389
No known key found for this signature in database
GPG key ID: EB894A3560CCCAD2
10 changed files with 151 additions and 37 deletions


@ -21,6 +21,11 @@
boot.supportedFilesystems = [ "nfs" ];
modules = {
boot = {
silentBoot = true;
animatedBoot = true;
};
system.audio.enable = true;
root = {


@ -13,7 +13,8 @@
};
services = {
auth.enable = true;
auth.authelia.enable = true;
auth.zitadel.enable = true;
media.enable = true;
nextcloud.enable = true;
};


@ -6,7 +6,6 @@ let
cfg = config.modules.${user}.themes;
in {
options.modules.${user}.themes = {
enable = mkEnableOption "Theming (Stylix)";


@ -1,25 +1,48 @@
{ ... }:
{ config, options, lib, pkgs, ... }:
let
inherit (lib) mkMerge mkIf mkEnableOption mkDefault mkForce;
cfg = config.modules.boot;
in
{
boot.loader = {
efi.canTouchEfiVariables = true;
# grub = {
# enable = true;
# efiSupport = cfg.mode == "uefi";
# devices = [ "nodev" ];
# configurationLimit = 1;
# };
systemd-boot.enable = true;
timeout = 0;
options.modules.boot =
{
silentBoot = mkEnableOption "Enable silent boot";
animatedBoot = mkEnableOption "Enable boot animation";
};
# nixos-boot = {
# enable = true;
config = mkMerge [
({
boot.loader = {
efi.canTouchEfiVariables = true;
# bgColor = { red = 17; green = 17; blue = 27; };
# };
systemd-boot.enable = true;
time.timeZone = "Europe/Amsterdam";
}
timeout = mkDefault 0;
};
time.timeZone = "Europe/Amsterdam";
})
(mkIf (cfg.silentBoot == true) {
boot = {
consoleLogLevel = 0;
initrd.verbose = false;
kernelParams = [ "quiet" "splash" "boot.shell_on_fail" "udev.log_priority=3" "rd.systemd.show_status=auto" ];
loader.timeout = mkDefault 0;
};
})
(mkIf (cfg.animatedBoot == true) {
boot.plymouth = {
enable = true;
theme = mkForce "pixels";
themePackages = with pkgs; [
(adi1090x-plymouth-themes.override {
selected_themes = [ "pixels" ];
})
];
};
})
];
}
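Review bot: The silentBoot branch puts `boot.shell_on_fail` into `kernelParams`, which gives an unauthenticated root shell in stage 1 whenever early boot fails; that is a deliberate trade-off on a physically exposed machine, so either drop it or record the intent next to it, e.g. `# boot.shell_on_fail: interactive recovery shell on stage-1 failure; acceptable for a desktop, reconsider for servers`. `mkIf (cfg.silentBoot == true)` and `mkIf (cfg.animatedBoot == true)` compare a bool against true; `mkIf cfg.silentBoot` and `mkIf cfg.animatedBoot` say the same thing. `loader.timeout = mkDefault 0` is set both in the base block and again in the silentBoot block, so the second assignment is redundant, and `time.timeZone` does not belong in a boot module. This page shows no +/- markers, so which lines are new is inferred from the old header being replaced by the options/config layout.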


@ -1,8 +1,8 @@
{ inputs, pkgs, ... }:
{
imports = [
inputs.sops-nix.nixosModules.sops
];
inputs.sops-nix.nixosModules.sops
];
config = {
environment.systemPackages = with pkgs; [
@ -11,8 +11,8 @@
];
sops = {
defaultSopsFile = ./secrets/secrets.yml;
defaultSopsFormat = "yml";
defaultSopsFile = ../../secrets/secrets.yaml;
defaultSopsFormat = "yaml";
age.keyFile = "/home/";
};
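Review bot: `age.keyFile = "/home/";` names a directory, not an age private key, so sops-nix cannot decrypt the newly pointed-to `../../secrets/secrets.yaml` (or the `zitadel/masterKey` secret this commit adds) at activation. The line reads as unchanged context in this hunk, but the commit now depends on it working; a root-owned location outside any user home is the usual choice, e.g. `age.keyFile = "/var/lib/sops-nix/key.txt";`. The rest of the sops block continues outside the hunk.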


@ -1,16 +1,16 @@
{ config, lib, pkgs, ... }:
let
inherit (lib.options) mkEnableOption;
inherit (lib.modules) mkIf;
inherit (lib) mkIf mkEnableOption;
user = "authelia-testing";
cfg = config.modules.services.auth.authelia;
in
{
options.modules.services.auth = {
enable = mkEnableOption "Auth";
options.modules.services.auth.authelia = {
enable = mkEnableOption "Authelia";
};
config = mkIf config.modules.services.auth.enable {
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [
authelia
];
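Review bot: Moving the option set from `modules.services.auth` to `modules.services.auth.authelia` removes the declaration of `modules.services.auth.enable`, yet the host configuration in this same commit still sets `auth.enable = true;` next to the new `auth.authelia.enable` line; unless another module declares it, evaluation fails with an undeclared-option error. Either keep `enable = mkEnableOption "Auth";` under `options.modules.services.auth` in a shared auth module or drop the host line. `user = "authelia-testing"` is bound but not used in the visible part of the file; the module body continues outside the hunk, so it may be used further down.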


@ -0,0 +1,86 @@
{ config, options, lib, pkgs, ... }:
let
inherit (lib) mkIf mkEnableOption;
cfg = config.modules.services.auth.zitadel;
db_name = "zitadel";
db_user = "zitadel";
in
{
options.modules.services.auth.zitadel = {
enable = mkEnableOption "Zitadel";
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [
zitadel
];
services = {
zitadel = {
enable = true;
openFirewall = true;
masterKeyFile = config.sops.secrets."zitadel/masterKey".path;
tlsMode = "external";
settings = {
Port = 9092;
Database = {
Host = "/run/postgresql";
# Zitadel will report error if port is not set
Port = 5432;
Database = db_name;
User.Username = db_user;
};
};
steps = {
TestInstance = {
InstanceName = "Zitadel test";
Org = {
Name = "Kruining.eu";
Human = {
UserName = "admin";
Password = "kaas";
};
};
};
};
};
postgresql = {
enable = true;
ensureDatabases = [ db_name ];
ensureUsers = [
{
name = db_user;
ensureDBOwnership = true;
}
];
};
caddy = {
enable = true;
virtualHosts = {
"auth-z.kruining.eu".extraConfig = ''
reverse_proxy h2c://127.0.0.1:9092
'';
};
# extraConfig = ''
# (auth) {
# forward_auth h2c://127.0.0.1:9092 {
# uri /api/authz/forward-auth
# copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
# }
# }
# '';
};
};
# Secrets
sops.secrets."zitadel/masterKey" = {
owner = "zitadel";
group = "zitadel";
restartUnits = [ "zitadel.service" ];
};
};
}
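Review bot: `Password = "kaas"` for the initial admin user is written into the generated steps configuration, which lands in the world-readable Nix store and in git history, while the master key on the same module is already handled through sops; the first-instance password deserves the same treatment, e.g. a sops secret referenced via the module's file-based steps option rather than an inline string (I believe the NixOS module exposes `extraStepsPaths` for that, worth confirming). `openFirewall = true;` exposes port 9092 on every interface although `tlsMode = "external"` and the Caddy vhost only ever reach it as `h2c://127.0.0.1:9092`, so the firewall opening can be removed and the plaintext h2c listener stays loopback-only. The steps key `TestInstance` looks off — Zitadel's steps file uses `FirstInstance` for this block as far as I recall — so the instance name, org and admin user would likely be ignored; please verify against the Zitadel steps documentation.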


@ -7,7 +7,7 @@ inherit (lib.options) mkEnableOption;
in
{
options.modules.services.security = {
enable = mkEnableOption "Auth";
enable = mkEnableOption "Security service(s): Vaultwarden";
};
config = mkIf cfg.enable {


@ -1,10 +1,7 @@
{ config, options, lib, pkgs, ... }:
let
inherit (lib.modules) mkIf;
inherit (lib) mkIf mkEnableOption;
in
{
options.modules.virtualisation = let
inherit (lib.options) mkEnableOption;
in
{};
options.modules.virtualisation = {};
}


@ -25,3 +25,6 @@ sops:
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4
zitadel:
masterKey: thisWillBeAnEncryptedValueInTheFuture
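Review bot: The appended `zitadel.masterKey` value is plaintext in a file whose `sops:` metadata block sits right above it, so it is neither encrypted nor covered by the file's MAC; sops-nix will refuse the file or hand Zitadel the literal placeholder, and Zitadel additionally requires the master key to be exactly 32 bytes. Add the key through the `sops` editor (`sops secrets.yaml`) so it is encrypted to the host's age recipient and the MAC is recomputed, rather than editing the YAML by hand. The placeholder string should never be committed as-is, even temporarily, since the commit history keeps it.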