chris/sneeuwvlok
chris/sneeuwvlok
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

initial attempt to install zitadel

Browse source
This commit is contained in:
Chris Kruining 2025-07-17 11:57:22 +02:00
parent 9b8ed8dde0
commit 4509427389
No known key found for this signature in database
GPG key ID: EB894A3560CCCAD2
10 changed files with 151 additions and 37 deletions
Download patch file Download diff file Expand all files Collapse all files

5
hosts/manwe/default.nix
View file

@ -21,6 +21,11 @@
boot.supportedFilesystems = [ "nfs" ]; boot.supportedFilesystems = [ "nfs" ];
modules = { modules = {
boot = {
silentBoot = true;
animatedBoot = true;
};
system.audio.enable = true; system.audio.enable = true;
root = { root = {

3
hosts/ulmo/default.nix
View file

@ -13,7 +13,8 @@
}; };
services = { services = {
auth.enable = true; auth.authelia.enable = true;
auth.zitadel.enable = true;
media.enable = true; media.enable = true;
nextcloud.enable = true; nextcloud.enable = true;
}; };

1
modules/home/themes/default.nix
View file

@ -6,7 +6,6 @@ let
cfg = config.modules.${user}.themes; cfg = config.modules.${user}.themes;
in { in {
options.modules.${user}.themes = { options.modules.${user}.themes = {
enable = mkEnableOption "Theming (Stylix)"; enable = mkEnableOption "Theming (Stylix)";

53
modules/system/boot.nix
View file

@ -1,25 +1,48 @@
{ ... }: { config, options, lib, pkgs, ... }:
let
inherit (lib) mkMerge mkIf mkEnableOption mkDefault mkForce;
cfg = config.modules.boot;
in
{ {
options.modules.boot =
{
silentBoot = mkEnableOption "Enable silent boot";
animatedBoot = mkEnableOption "Enable boot animation";
};
config = mkMerge [
({
boot.loader = { boot.loader = {
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
# grub = {
# enable = true;
# efiSupport = cfg.mode == "uefi";
# devices = [ "nodev" ];
# configurationLimit = 1;
# };
systemd-boot.enable = true; systemd-boot.enable = true;
timeout = 0; timeout = mkDefault 0;
}; };
# nixos-boot = {
# enable = true;
# bgColor = { red = 17; green = 17; blue = 27; };
# };
time.timeZone = "Europe/Amsterdam"; time.timeZone = "Europe/Amsterdam";
})
(mkIf (cfg.silentBoot == true) {
boot = {
consoleLogLevel = 0;
initrd.verbose = false;
kernelParams = [ "quiet" "splash" "boot.shell_on_fail" "udev.log_priority=3" "rd.systemd.show_status=auto" ];
loader.timeout = mkDefault 0;
};
})
(mkIf (cfg.animatedBoot == true) {
boot.plymouth = {
enable = true;
theme = mkForce "pixels";
themePackages = with pkgs; [
(adi1090x-plymouth-themes.override {
selected_themes = [ "pixels" ];
})
];
};
})
];
} }

4
modules/system/security.nix
View file

@ -11,8 +11,8 @@
]; ];
sops = { sops = {
defaultSopsFile = ./secrets/secrets.yml; defaultSopsFile = ../../secrets/secrets.yaml;
defaultSopsFormat = "yml"; defaultSopsFormat = "yaml";
age.keyFile = "/home/"; age.keyFile = "/home/";
}; };

10
modules/system/services/auth.nix → modules/system/services/auth/authelia.nix
View file

@ -1,16 +1,16 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
inherit (lib.options) mkEnableOption; inherit (lib) mkIf mkEnableOption;
inherit (lib.modules) mkIf;
user = "authelia-testing"; user = "authelia-testing";
cfg = config.modules.services.auth.authelia;
in in
{ {
options.modules.services.auth = { options.modules.services.auth.authelia = {
enable = mkEnableOption "Auth"; enable = mkEnableOption "Authelia";
}; };
config = mkIf config.modules.services.auth.enable { config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
authelia authelia
]; ];

86
modules/system/services/auth/zitadel.nix Normal file
View file

@ -0,0 +1,86 @@
{ config, options, lib, pkgs, ... }:
let
inherit (lib) mkIf mkEnableOption;
cfg = config.modules.services.auth.zitadel;
db_name = "zitadel";
db_user = "zitadel";
in
{
options.modules.services.auth.zitadel = {
enable = mkEnableOption "Zitadel";
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [
zitadel
];
services = {
zitadel = {
enable = true;
openFirewall = true;
masterKeyFile = config.sops.secrets."zitadel/masterKey".path;
tlsMode = "external";
settings = {
Port = 9092;
Database = {
Host = "/run/postgresql";
# Zitadel will report error if port is not set
Port = 5432;
Database = db_name;
User.Username = db_user;
};
};
steps = {
TestInstance = {
InstanceName = "Zitadel test";
Org = {
Name = "Kruining.eu";
Human = {
UserName = "admin";
Password = "kaas";
};
};
};
};
};
postgresql = {
enable = true;
ensureDatabases = [ db_name ];
ensureUsers = [
{
name = db_user;
ensureDBOwnership = true;
}
];
};
caddy = {
enable = true;
virtualHosts = {
"auth-z.kruining.eu".extraConfig = ''
reverse_proxy h2c://127.0.0.1:9092
'';
};
# extraConfig = ''
# (auth) {
# forward_auth h2c://127.0.0.1:9092 {
# uri /api/authz/forward-auth
# copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
# }
# }
# '';
};
};
# Secrets
sops.secrets."zitadel/masterKey" = {
owner = "zitadel";
group = "zitadel";
restartUnits = [ "zitadel.service" ];
};
};
}

2
modules/system/services/security.nix
View file

@ -7,7 +7,7 @@ inherit (lib.options) mkEnableOption;
in in
{ {
options.modules.services.security = { options.modules.services.security = {
enable = mkEnableOption "Auth"; enable = mkEnableOption "Security service(s): Vaultwarden";
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {

7
modules/system/virtualisation/default.nix
View file

@ -1,10 +1,7 @@
{ config, options, lib, pkgs, ... }: { config, options, lib, pkgs, ... }:
let let
inherit (lib.modules) mkIf; inherit (lib) mkIf mkEnableOption;
in in
{ {
options.modules.virtualisation = let options.modules.virtualisation = {};
inherit (lib.options) mkEnableOption;
in
{};
} }

3
secrets/secrets.yml → secrets/secrets.yaml
View file

@ -25,3 +25,6 @@ sops:
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.4 version: 3.9.4
zitadel:
masterKey: thisWillBeAnEncryptedValueInTheFuture