From fa37c3eb503d22403ddd6fde652da30def5a7e12 Mon Sep 17 00:00:00 2001
From: Chris Kruining
Date: Wed, 12 Nov 2025 17:23:40 +0100
Subject: [PATCH] feat(zitadel): add extra users via secrets

---
 .../authentication/zitadel/default.nix | 59 ++++++++++++++++---
 1 file changed, 50 insertions(+), 9 deletions(-)

diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix
index 402d59d..c4ceaac 100644
--- a/modules/nixos/services/authentication/zitadel/default.nix
+++ b/modules/nixos/services/authentication/zitadel/default.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, namespace, system, inputs, ... }:
 let
- inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs' concatMapAttrs filterAttrsRecursive listToAttrs imap0 head drop length;
+ inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs mapAttrs' concatMapAttrs filterAttrsRecursive listToAttrs imap0 head drop length literalExpression attrNames;
 inherit (lib.${namespace}.strings) toSnakeCase;
 
 cfg = config.${namespace}.services.authentication.zitadel;
@@ -336,6 +336,21 @@ in
 jwt_profile_file = "/var/lib/zitadel/machine-key.json";
 };
 
+ locals = {
+ extra_users = lib.tfRef "
+ flatten([ for org, users in jsondecode(file(\"${config'.sops.secrets."zitadel/users".path}\")): [
+ for name, details in users: {
+ org = org
+ name = name
+ email = details.email
+ firstName = details.firstName
+ lastName = details.lastName
+ }
+ ] ])
+ ";
+ orgs = cfg.organization |> mapAttrs (org: _: lib.tfRef "resource.zitadel_org.${org}.id");
+ };
+
 resource = {
 # Organizations
 zitadel_org = cfg.organization |> select [] (name: { isDefault, ... }:
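Review bot: `extra_users` dereferences `details.email`, `details.firstName` and `details.lastName` directly, so a record in the `zitadel/users` secret that lacks one of them aborts `terraform plan` with a generic attribute error instead of naming the offending user, and `local.orgs[each.value.org]` in the next hunk fails the same way when the JSON names an org that is missing from `cfg.organization`. A `lifecycle.precondition` on `zitadel_human_user.extra_users` with `condition = contains(keys(local.orgs), each.value.org)` and an error message that includes `each.key` would make both misconfigurations self-explanatory (use `lookup(details, "firstName", null)` only if those fields are genuinely optional). Everything `file()` reads here also lands in plan output and state, so the state backend now holds the full user list and should be protected accordingly — a one-line comment above `locals` saying so is worth adding. Style-wise the HCL sits in a Nix `"…"` string that needs `\"` escapes; the `''…''` form used for `for_each` in the next hunk would read the same without them. The attribute set that holds `locals` begins before this hunk.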
@@ -384,15 +399,35 @@ in
 );
 
 # Users
- zitadel_human_user = cfg.organization |> select [ "user" ] (org: name: { email, userName, firstName, lastName, ... }:
- {
- inherit email userName firstName lastName;
+ zitadel_human_user =
+ (cfg.organization
+ |> select [ "user" ] (org: name: { email, userName, firstName, lastName, ... }:
+ {
+ inherit email userName firstName lastName;
 
- isEmailVerified = true;
- }
- |> withRef "org" org
- |> toResource "${org}_${name}"
- );
+ isEmailVerified = true;
+ }
+ |> withRef "org" org
+ |> toResource "${org}_${name}"
+ ))
+
+ // {
+ "extra_users" = {
+ for_each = lib.tfRef ''{
+ for user in local.extra_users :
+ "''${user.org}_''${user.name}" => user
+ }'';
+
+ org_id = lib.tfRef "local.orgs[each.value.org]";
+ user_name = lib.tfRef "each.value.name";
+ email = lib.tfRef "each.value.email";
+ first_name = lib.tfRef "each.value.firstName";
+ last_name = lib.tfRef "each.value.lastName";
+
+ is_email_verified = true;
+ };
+ }
+ ;
 
 # Global user roles
 zitadel_instance_member =
@@ -648,6 +683,12 @@ in
 key = "email/chris_kruining_eu";
 restartUnits = [ "zitadel.service" ];
 };
+
+ "zitadel/users" = {
+ owner = "zitadel";
+ group = "zitadel";
+ restartUnits = [ "zitadelApplyTerraform.service" ];
+ };
 };
 };
 };
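Review bot: `zitadel_human_user.extra_users` sets `is_email_verified = true` for addresses taken straight from the secrets file, so every address listed there becomes a verified identity without a confirmation mail; this mirrors the static users above it, but the file-sourced path should say so, e.g. `# addresses from the zitadel/users secret are trusted as-is; no verification mail is sent`. The `for_each` key `"${user.org}_${user.name}"` is ambiguous when an org or login name itself contains `_` (org `a_b`/user `c` versus org `a`/user `b_c`); Terraform rejects the duplicate key at plan time, so the failure is loud, but a separator that cannot occur in either name would avoid it. The provider argument names (`org_id`, `user_name`, …) are spelled out by hand here whereas the static users go through `withRef`/`toResource`; if those helpers do more than rename keys the two paths will drift, so either route the extra block through them or leave a comment explaining why it bypasses them. The `resource` set that contains `zitadel_human_user` begins before this hunk.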
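Review bot: The `zitadel/users` secret is owned by `zitadel:zitadel` with the default mode, but its consumer is the Terraform `file()` call in the new `locals` block, which runs under `zitadelApplyTerraform.service`; that unit is defined outside this diff, so confirm it runs as `zitadel` or in that group, otherwise every apply stops at plan time with a permission error. Unlike the sibling entry, this one sets no `key`, so the lookup falls back to the attribute name (presumably the nested `zitadel.users` path in the sops file), and the value has to be a single string holding JSON of the shape the local expects. A comment next to the entry, e.g. `# JSON string: { "<org>": { "<login>": { "email", "firstName", "lastName" } } }, consumed by locals.extra_users via file()/jsondecode`, would document that contract where it is edited. The enclosing `sops.secrets` set begins before this hunk.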