# NixOS module: Zitadel behind a Caddy reverse proxy with a local PostgreSQL
# database.  Everything under `config` is gated on
# `config.${namespace}.services.authentication.zitadel.enable`.
{ config, lib, pkgs, namespace, ... }:

let
  cfg = config.${namespace}.services.authentication.zitadel;

  # Database name and role shared by the Zitadel and PostgreSQL sections
  # below so they cannot drift apart.
  dbName = "zitadel";
  dbUser = "zitadel";
in
{
  options.${namespace}.services.authentication.zitadel = {
    enable = lib.mkEnableOption "Zitadel";
  };

  config = lib.mkIf cfg.enable {
    environment.systemPackages = [ pkgs.zitadel ];

    services.zitadel = {
      enable = true;

      # NOTE(review): with `tlsMode = "external"` the listener on port 9092
      # speaks plaintext h2c and is only reached via the Caddy vhost on
      # loopback below; opening the firewall additionally exposes that
      # plaintext port directly -- presumably unintended, confirm.
      openFirewall = true;

      # NOTE(review): the sops secret `zitadel/masterKey` declared at the end
      # of this module is not consumed here; the master key is read from a
      # plain file that has to be provisioned out of band.
      # masterKeyFile = config.sops.secrets."zitadel/masterKey".path;
      masterKeyFile = "/var/lib/zitadel/master_key";

      # TLS is terminated by Caddy, not by Zitadel itself.
      tlsMode = "external";

      settings = {
        Port = 9092;

        # Public endpoint as clients see it (matches the Caddy vhost below).
        ExternalDomain = "auth.amarth.cloud";
        ExternalPort = 443;
        ExternalSecure = true;

        Metrics = { Type = "otel"; };
        Tracing = { Type = "otel"; };
        Telemetry = { Enabled = true; };

        SystemDefaults = {
          PasswordHasher = { Hasher = { Algorithm = "argon2id"; }; };
          SecretHasher = { Hasher = { Algorithm = "argon2id"; }; };
        };

        DefaultInstance = {
          # Length-only policy: at least 20 characters, no class requirements.
          PasswordComplexityPolicy = {
            MinLength = 20;
            HasLowercase = false;
            HasUppercase = false;
            HasNumber = false;
            HasSymbol = false;
          };

          # Closed instance: no self-registration, MFA enforced for everyone.
          LoginPolicy = {
            AllowRegister = false;
            ForceMFA = true;
          };

          LockoutPolicy = {
            MaxPasswordAttempts = 5;
            MaxOTPAttempts = 10;
          };

          SMTPConfiguration = {
            SMTP = {
              Host = "black-mail.nl:587";
              User = "info@amarth.cloud";
              # NOTE(review): this placeholder is handed to Zitadel literally
              # as the SMTP password, and like every value in `settings` it
              # ends up in the world-readable Nix store.  The real value
              # belongs in a file outside the store (e.g. one passed through
              # the module's `extraSettingsPaths`).
              Password = "__TODO_USE_SOPS__";
            };
            FromName = "Amarth Zitadel";
          };
        };

        Database = {
          postgres = {
            Host = "localhost";
            # Zitadel will report error if port is not set
            Port = 5432;
            Database = dbName;
            # Loopback connections without TLS; access control is whatever the
            # pg_hba configured in the PostgreSQL section below allows.
            User = {
              Username = dbUser;
              SSL = { Mode = "disable"; };
            };
            Admin = {
              Username = "postgres";
              SSL = { Mode = "disable"; };
            };
          };
        };
      };

      # First-boot bootstrap of the instance, organisation and initial admin.
      steps = {
        FirstInstance = {
          InstanceName = "auth.amarth.cloud";
          Org = {
            Name = "Amarth";
            Human = {
              UserName = "chris";
              FirstName = "Chris";
              LastName = "Kruining";
              Email = {
                Address = "chris@kruining.eu";
                Verified = true;
              };
              # NOTE(review): initial admin password in clear text; it is
              # written to the Nix store (and to version control if this
              # file is tracked).  Move the bootstrap step to a file outside
              # the store (e.g. via `extraStepsPaths`) and rotate the value.
              Password = "KaasIsAwesome1!";
            };
          };
        };
      };
    };

    services.postgresql = {
      enable = true;
      ensureDatabases = [ dbName ];
      ensureUsers = [
        {
          name = dbUser;
          ensureDBOwnership = true;
        }
      ];

      # NOTE(review): `trust` on the local socket and on loopback lets any
      # local process connect as any role -- including `postgres` -- without
      # authenticating; mkForce discards the NixOS default pg_hba entirely.
      authentication = lib.mkForce ''
        # Generated file, do not edit!
        # TYPE DATABASE USER ADDRESS METHOD
        local all all trust
        host all all 127.0.0.1/32 trust
        host all all ::1/128 trust
      '';
    };

    services.caddy = {
      enable = true;

      # Public vhost; proxies over cleartext HTTP/2 to the local listener.
      virtualHosts."auth.amarth.cloud".extraConfig = ''
        reverse_proxy h2c://127.0.0.1:9092
      '';

      # Reusable `(auth-z)` snippet for other vhosts: Zitadel's forward-auth
      # endpoint decides, and the listed Remote-* headers from its response
      # are copied onto the upstream request.  Upstreams should only honour
      # those headers on requests that came through this snippet.
      extraConfig = ''
        (auth-z) {
          forward_auth h2c://127.0.0.1:9092 {
            uri /api/authz/forward-auth
            copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
          }
        }
      '';
    };

    # Secrets
    # Declared for the zitadel user, but see the `masterKeyFile` note above:
    # nothing in this module reads `.path` of this secret yet.
    sops.secrets."zitadel/masterKey" = {
      owner = "zitadel";
      group = "zitadel";
      restartUnits = [ "zitadel.service" ];
    };
  };
}