feat(zitadel): add remapping of exported keys

2025-11-12 17:26:17 +01:00 · 2025-11-12 17:26:17 +01:00 · 4e09252e75
commit 4e09252e75
parent fa37c3eb50
2 changed files with 31 additions and 3 deletions
--- a/modules/nixos/services/authentication/zitadel/default.nix
+++ b/modules/nixos/services/authentication/zitadel/default.nix
@ -140,6 +140,24 @@ in
                          .
                        '';
                      };
+
+                      exportMap = 
+                        let 
+                          strOpt = mkOption { type = types.nullOr types.str; default = null; };
+                        in
+                        mkOption {
+                          type = types.submodule { options = { client_id = strOpt; client_secret = strOpt; }; };
+                          default = {};
+                          example = literalExpression ''
+                            {
+                              client_id = "SSO_CLIENT_ID";
+                              client_secret = "SSO_CLIENT_SECRET";
+                            }
+                          '';
+                          description = ''
+                            Remap the outputted variables to another key.
+                          '';
+                        };
                    };
                  });
                };
@ -492,11 +510,11 @@ in
              };

              # Client credentials per app
-              local_sensitive_file = cfg.organization |> select [ "project" "application" ] (org: project: name: value: 
+              local_sensitive_file = cfg.organization |> select [ "project" "application" ] (org: project: name: { exportMap, ... }: 
                nameValuePair "${org}_${project}_${name}" {
                  content = ''
-                    CLIENT_ID=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_id"}
-                    CLIENT_SECRET=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_secret"}
+                    ${if exportMap.client_id != null then exportMap.client_id else "CLIENT_ID"}=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_id"}
+                    ${if exportMap.client_secret != null then exportMap.client_secret else "CLIENT_SECRET"}=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_secret"}
                  '';
                  filename = "/var/lib/zitadel/clients/${org}_${project}_${name}";
                }
--- a/systems/x86_64-linux/ulmo/default.nix
+++ b/systems/x86_64-linux/ulmo/default.nix
@ -95,6 +95,16 @@
                    responseTypes = [ "code" ];
                  };

+                  vaultwarden = {
+                    redirectUris = [ "https://vault.kruining.eu/identity/connect/oidc-signin" ];
+                    grantTypes = [ "authorizationCode" ];
+                    responseTypes = [ "code" ];
+                    exportMap = {
+                      client_id = "SSO_CLIENT_ID";
+                      client_secret = "SSO_CLIENT_SECRET";
+                    };
+                  };
+
                  matrix = {
                    redirectUris = [ "https://matrix.kruining.eu/_synapse/client/oidc/callback" ];
                    grantTypes = [ "authorizationCode" ];