feat(zitadel): add extra users via secrets

2025-11-12 17:23:40 +01:00 · 2025-11-12 17:23:40 +01:00 · fa37c3eb50
commit fa37c3eb50
parent df5dfa61a9
1 changed files with 50 additions and 9 deletions
--- a/modules/nixos/services/authentication/zitadel/default.nix
+++ b/modules/nixos/services/authentication/zitadel/default.nix
@ -1,6 +1,6 @@
 { config, lib, pkgs, namespace, system, inputs, ... }:
 let
-  inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs' concatMapAttrs filterAttrsRecursive listToAttrs imap0 head drop length;
+  inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs mapAttrs' concatMapAttrs filterAttrsRecursive listToAttrs imap0 head drop length literalExpression attrNames;
  inherit (lib.${namespace}.strings) toSnakeCase;

  cfg = config.${namespace}.services.authentication.zitadel;
@ -336,6 +336,21 @@ in
              jwt_profile_file = "/var/lib/zitadel/machine-key.json";
            };

+            locals = {
+              extra_users = lib.tfRef "
+                flatten([ for org, users in jsondecode(file(\"${config'.sops.secrets."zitadel/users".path}\")): [
+                  for name, details in users: {
+                    org = org
+                    name = name
+                    email = details.email
+                    firstName = details.firstName
+                    lastName = details.lastName
+                  }
+                ] ])
+              ";
+              orgs = cfg.organization |> mapAttrs (org: _: lib.tfRef "resource.zitadel_org.${org}.id"); 
+            };
+
            resource = {
              # Organizations
              zitadel_org = cfg.organization |> select [] (name: { isDefault, ... }: 
@ -384,7 +399,9 @@ in
              );

              # Users
-              zitadel_human_user = cfg.organization |> select [ "user" ] (org: name: { email, userName, firstName, lastName, ... }: 
+              zitadel_human_user = 
+                (cfg.organization 
+                |> select [ "user" ] (org: name: { email, userName, firstName, lastName, ... }: 
                  {
                    inherit email userName firstName lastName;

@ -392,7 +409,25 @@ in
                  } 
                  |> withRef "org" org
                  |> toResource "${org}_${name}"
-              );
+                ))
+                
+                // {
+                  "extra_users" = {
+                    for_each = lib.tfRef ''{
+                      for user in local.extra_users :
+                      "''${user.org}_''${user.name}" => user
+                    }'';
+
+                    org_id = lib.tfRef "local.orgs[each.value.org]";
+                    user_name = lib.tfRef "each.value.name";
+                    email = lib.tfRef "each.value.email";
+                    first_name = lib.tfRef "each.value.firstName";
+                    last_name = lib.tfRef "each.value.lastName";
+                    
+                    is_email_verified = true;
+                  };
+                }
+              ;

              # Global user roles
              zitadel_instance_member = 
@ -648,6 +683,12 @@ in
          key = "email/chris_kruining_eu";
          restartUnits = [ "zitadel.service" ];
        };
+
+        "zitadel/users" = {
+          owner = "zitadel";
+          group = "zitadel";
+          restartUnits = [ "zitadelApplyTerraform.service" ];
+        };
      };
    };
  };