initial attempt to install zitadel

hosts/manwe/default.nix

@@ -21,6 +21,11 @@
   boot.supportedFilesystems = [ "nfs" ];
 
   modules = {
+    boot = {
+      silentBoot = true;
+      animatedBoot = true;
+    };
+
     system.audio.enable = true;
 
     root = {

hosts/ulmo/default.nix

@@ -13,7 +13,8 @@
       };
 
       services = {
-        auth.enable = true;
+        auth.authelia.enable = true;
+        auth.zitadel.enable = true;
         media.enable = true;
         nextcloud.enable = true;
       };

modules/home/themes/default.nix

@@ -6,7 +6,6 @@ let
 
   cfg = config.modules.${user}.themes;
 in {
-
   options.modules.${user}.themes = {
     enable = mkEnableOption "Theming (Stylix)";
 

modules/system/boot.nix

@@ -1,25 +1,48 @@
-{ ... }:
+{ config, options, lib, pkgs, ... }:
+let
+  inherit (lib) mkMerge mkIf mkEnableOption mkDefault mkForce;
+
+  cfg = config.modules.boot;
+in
 {
-  boot.loader = {
+  options.modules.boot = 
-    efi.canTouchEfiVariables = true;
+  {
-
+    silentBoot = mkEnableOption "Enable silent boot";
-    # grub = {
+    animatedBoot = mkEnableOption "Enable boot animation";
-    #   enable = true;
-    #   efiSupport = cfg.mode == "uefi";
-    #   devices = [ "nodev" ];
-    #   configurationLimit = 1;
-    # };
-
-    systemd-boot.enable = true;
-
-    timeout = 0;
   };
 
-  # nixos-boot = {
+  config = mkMerge [
-  #   enable = true;
+    ({
+      boot.loader = {
+        efi.canTouchEfiVariables = true;
 
-  #   bgColor = { red = 17; green = 17; blue = 27; };
+        systemd-boot.enable = true;
-  # };
 
-  time.timeZone = "Europe/Amsterdam";
+        timeout = mkDefault 0;
-}
+      };
+
+      time.timeZone = "Europe/Amsterdam";
+    })
+
+    (mkIf (cfg.silentBoot == true) {
+      boot = {
+        consoleLogLevel = 0;
+        initrd.verbose = false;
+        kernelParams = [ "quiet" "splash" "boot.shell_on_fail" "udev.log_priority=3" "rd.systemd.show_status=auto" ];
+        loader.timeout = mkDefault 0;
+      };
+    })
+
+    (mkIf (cfg.animatedBoot == true) {
+      boot.plymouth = {
+        enable = true;
+        theme = mkForce "pixels";
+        themePackages = with pkgs; [
+          (adi1090x-plymouth-themes.override {
+            selected_themes = [ "pixels" ];
+          })
+        ];
+      };
+    })
+  ];
+}

modules/system/security.nix

@@ -1,8 +1,8 @@
 { inputs, pkgs, ... }:
 {
   imports = [
-      inputs.sops-nix.nixosModules.sops
+    inputs.sops-nix.nixosModules.sops
-    ];
+  ];
 
   config = {
     environment.systemPackages = with pkgs; [
@@ -11,8 +11,8 @@
     ];
 
     sops = {
-      defaultSopsFile = ./secrets/secrets.yml;
+      defaultSopsFile = ../../secrets/secrets.yaml;
-      defaultSopsFormat = "yml";
+      defaultSopsFormat = "yaml";
 
       age.keyFile = "/home/";
     };

modules/system/services/auth/authelia.nix

@@ -1,16 +1,16 @@
 { config, lib, pkgs, ... }:
 let
-inherit (lib.options) mkEnableOption;
+  inherit (lib) mkIf mkEnableOption;
-  inherit (lib.modules) mkIf;
 
   user = "authelia-testing";
+  cfg = config.modules.services.auth.authelia;
 in
 {
-  options.modules.services.auth = {
+  options.modules.services.auth.authelia = {
-    enable = mkEnableOption "Auth";
+    enable = mkEnableOption "Authelia";
   };
 
-  config = mkIf config.modules.services.auth.enable {
+  config = mkIf cfg.enable {
     environment.systemPackages = with pkgs; [
       authelia
     ];

modules/system/services/auth/zitadel.nix

@@ -0,0 +1,86 @@
+{ config, options, lib, pkgs, ... }:
+let
+  inherit (lib) mkIf mkEnableOption;
+
+  cfg = config.modules.services.auth.zitadel;
+
+  db_name = "zitadel";
+  db_user = "zitadel";
+in
+{
+  options.modules.services.auth.zitadel = {
+    enable = mkEnableOption "Zitadel";
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      zitadel
+    ];
+
+    services = {
+      zitadel = {
+        enable = true;
+        openFirewall = true;
+        masterKeyFile = config.sops.secrets."zitadel/masterKey".path;
+        tlsMode = "external";
+        settings = {
+          Port = 9092;
+          Database = {
+            Host = "/run/postgresql";
+            # Zitadel will report error if port is not set
+            Port = 5432;
+            Database = db_name;
+            User.Username = db_user;
+          };
+        };
+        steps = {
+          TestInstance = {
+            InstanceName = "Zitadel test";
+            Org = {
+              Name = "Kruining.eu";
+              Human = {
+                UserName = "admin";
+                Password = "kaas";
+              };
+            };
+          };
+        };
+      };
+
+      postgresql = {
+        enable = true;
+        ensureDatabases = [ db_name ];
+        ensureUsers = [
+          {
+            name = db_user;
+            ensureDBOwnership = true;
+          }
+        ];
+      };
+
+      caddy = {
+        enable = true;
+        virtualHosts = {
+          "auth-z.kruining.eu".extraConfig = ''
+            reverse_proxy h2c://127.0.0.1:9092
+          '';
+        };
+        # extraConfig = ''
+        #   (auth) {
+        #     forward_auth h2c://127.0.0.1:9092 {
+        #       uri /api/authz/forward-auth
+        #       copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+        #     }
+        #   }
+        # '';
+      };
+    };
+
+    # Secrets
+    sops.secrets."zitadel/masterKey" = {
+      owner = "zitadel";
+      group = "zitadel";
+      restartUnits = [ "zitadel.service" ];
+    };
+  };
+}

modules/system/services/security.nix

@@ -7,7 +7,7 @@ inherit (lib.options) mkEnableOption;
 in
 {
   options.modules.services.security = {
-    enable = mkEnableOption "Auth";
+    enable = mkEnableOption "Security service(s): Vaultwarden";
   };
 
   config = mkIf cfg.enable {

modules/system/virtualisation/default.nix

@@ -1,10 +1,7 @@
 { config, options, lib, pkgs, ... }:
 let
-  inherit (lib.modules) mkIf;
+  inherit (lib) mkIf mkEnableOption;
 in
 {
-  options.modules.virtualisation = let
+  options.modules.virtualisation = {};
-    inherit (lib.options) mkEnableOption;
-  in
-  {};
 }

secrets/secrets.yaml

@@ -25,3 +25,6 @@ sops:
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.4
+
+zitadel:
+  masterKey: thisWillBeAnEncryptedValueInTheFuture