diff --git a/secrets/default.nix b/secrets/default.nix
index 642ae61..2e96df6 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -29,10 +29,6 @@ in {
 # owner = serviceUser "stalwart-mail"; #FIXME: revert when stopped using docker for stalwart.
 file = ./mail-admin.age;
 };
- zitadel = mkIf server {
- file = ./zitadel.age;
- owner = abstrServiceUser "zitadel";
- };
 zitadel-key = mkIf server {
 file = ./zitadel-key.age;
 owner = abstrServiceUser "zitadel";
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 032f1bb..5f4df5c 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -19,6 +19,5 @@ in {
 "bread-dcbot.age".publicKeys = keys;
 "matrix-registration.age".publicKeys = keys;
 "mail-admin.age".publicKeys = keys;
- "zitadel.age".publicKeys = keys;
 "zitadel-key.age".publicKeys = keys;
 }
diff --git a/secrets/zitadel.age b/secrets/zitadel.age
deleted file mode 100644
index 9a647df..0000000
--- a/secrets/zitadel.age
+++ /dev/null
@@ -1,15 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 GQzYWA fz19CbZPbHDcTz3uKZwJPn5ZN4cvl7GcED5eG0D+ElM
-HHCdqkDUcqK4Oo+AGp04q3nVJs2KpeIM3ZwKwOsPWYo
--> ssh-ed25519 MfR7VA IXjIOdECEgdKvxs3K2lYVhqHa6IbGYhciFlPamEl9AQ
-HVDNbo0Y8rAHy2nUiiP11XKcJ5AdEGhQQt30GCdve1E
--> ssh-ed25519 +cvRTg ipfUrJdALMna/5EQfLzAo28r65e1W62P5FzSxqSkYCI
-qzhYJjzB6NsHa0obHsyD3nylsucBcIcWFcJ8g/P1HHo
--> ssh-ed25519 WCPLrA fAWkqW/ucxI8d+92obW2j1X3+FC/HfR32JGl/jEbUwQ
-CVxiMB5COMiikBiubXJlzNAmq2KIpiqBUPgks5bD/3Y
--> ssh-ed25519 7/ziYw vdFHVmAee1B7y7dG9JsV0Q5oJAHkARCwcjZAyAzCuRY
-8BMNoikJKNPdxxk61A/zgRykiFGgNu7JUCm+Hhdy9Vw
--> ssh-ed25519 VQy60Q SUSqfYDbeljqVLip253DQtxcag48UYVkUQDZ+6mA1n4
-j3zzmyOADOQprP8/db/Q8iswQucbjgylpt3s4GnHR2A
---- v9F0L3av1OwiVGZfhdGzM0NCsg9j611ihVaKlmHpdoY
-ƺB2ҕ_bw2"roc
\ No newline at end of file
diff --git a/system/server/zitadel.nix b/system/server/zitadel.nix
index 646b8d2..1484a25 100644
--- a/system/server/zitadel.nix
+++ b/system/server/zitadel.nix
@@ -13,14 +13,74 @@ in {
 reverse_proxy localhost:${builtins.toString Port}
 '';
- services.zitadel = {
- enable = true;
- masterKeyFile = config.age.secrets.zitadel-key.path;
- settings = {
- inherit Port ExternalDomain;
- ExternalPort = 443;
+ # services.zitadel = {
+ # enable = true;
+ # masterKeyFile = config.age.secrets.zitadel-key.path;
+ # settings = {
+ # inherit Port ExternalDomain;
+ # ExternalPort = 443;
+ # };
+ # extraSettingsPaths = [config.age.secrets.zitadel.path];
+ # };
+ systemd.services.zitadel = {
+ requires = ["postgresql.service"];
+ after = ["postgresql.service"];
+ };
+
+ services = {
+ zitadel = {
+ enable = true;
+ masterKeyFile = config.age.secrets.zitadel-key.path;
+ settings = {
+ inherit Port ExternalDomain;
+ ExternalPort = 443;
+ Database.postgres = {
+ Host = "/var/run/postgresql/";
+ Port = 5432;
+ Database = "zitadel";
+ User = {
+ Username = "zitadel";
+ SSL.Mode = "disable";
+ };
+ Admin = {
+ Username = "zitadel";
+ SSL.Mode = "disable";
+ ExistingDatabase = "zitadel";
+ };
+ };
+ ExternalSecure = true;
+ };
+ steps.FirstInstance = {
+ InstanceName = "jsw";
+ Org = {
+ Name = "jsw";
+ Human = {
+ UserName = "jsw@jsw.tf";
+ FirstName = "Jurn";
+ LastName = "Wubben";
+ Email.Verified = true;
+ Password = "changeme";
+ PasswordChangeRequired = true;
+ };
+ };
+ LoginPolicy.AllowRegister = false;
+ };
+ openFirewall = true;
+ };
+
+ postgresql = {
+ enable = true;
+ enableJIT = true;
+ ensureDatabases = ["zitadel"];
+ ensureUsers = [
+ {
+ name = "zitadel";
+ ensureDBOwnership = true;
+ ensureClauses.login = true;
+ ensureClauses.superuser = true;
+ }
+ ];
 };
- extraSettingsPaths = [config.age.secrets.zitadel.path];
 };
 };
 }
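Review bot: The `Password = "changeme";` line under `steps.FirstInstance.Org.Human` writes the initial admin credential into the Nix store, which is world-readable on the host, and into the repository, while the `extraSettingsPaths = [config.age.secrets.zitadel.path];` line this hunk removes (and repeats in the commented-out block at the top) presumably carried such values from an age-encrypted file that the same commit deletes. `PasswordChangeRequired = true;` only narrows the window until the first login, and with `openFirewall = true;`, `ExternalSecure = true;` and the Caddy `reverse_proxy` in the context lines the instance looks externally reachable. I would keep the `zitadel.age` secret and the `extraSettingsPaths` line and supply the FirstInstance password from that file rather than as a literal in this module. Separately, `ensureClauses.superuser = true;` grants the zitadel role superuser on the whole PostgreSQL cluster; `ensureDBOwnership = true;` already makes it owner of its database, so the superuser clause appears broader than needed, though whether zitadel's setup requires more than ownership is not visible here. The commented-out `services.zitadel` block duplicates the live one below it and should be dropped rather than kept; the enclosing module starts outside the hunk.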