Added zitadel database and default user. Removed zitadel encrypted config file

secrets/default.nix

@@ -29,10 +29,6 @@ in {
       # owner = serviceUser "stalwart-mail"; #FIXME: revert when stopped using docker for stalwart.
       file = ./mail-admin.age;
     };
-    zitadel = mkIf server {
-      file = ./zitadel.age;
-      owner = abstrServiceUser "zitadel";
-    };
     zitadel-key = mkIf server {
       file = ./zitadel-key.age;
       owner = abstrServiceUser "zitadel";

secrets/secrets.nix

@@ -19,6 +19,5 @@ in {
   "bread-dcbot.age".publicKeys = keys;
   "matrix-registration.age".publicKeys = keys;
   "mail-admin.age".publicKeys = keys;
-  "zitadel.age".publicKeys = keys;
   "zitadel-key.age".publicKeys = keys;
 }

secrets/zitadel.age

@@ -1,15 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 GQzYWA fz19CbZPbHDcTz3uKZwJPn5ZN4cvl7GcED5eG0D+ElM
-HHCdqkDUcqK4Oo+AGp04q3nVJs2KpeIM3ZwKwOsPWYo
--> ssh-ed25519 MfR7VA IXjIOdECEgdKvxs3K2lYVhqHa6IbGYhciFlPamEl9AQ
-HVDNbo0Y8rAHy2nUiiP11XKcJ5AdEGhQQt30GCdve1E
--> ssh-ed25519 +cvRTg ipfUrJdALMna/5EQfLzAo28r65e1W62P5FzSxqSkYCI
-qzhYJjzB6NsHa0obHsyD3nylsucBcIcWFcJ8g/P1HHo
--> ssh-ed25519 WCPLrA fAWkqW/ucxI8d+92obW2j1X3+FC/HfR32JGl/jEbUwQ
-CVxiMB5COMiikBiubXJlzNAmq2KIpiqBUPgks5bD/3Y
--> ssh-ed25519 7/ziYw vdFHVmAee1B7y7dG9JsV0Q5oJAHkARCwcjZAyAzCuRY
-8BMNoikJKNPdxxk61A/zgRykiFGgNu7JUCm+Hhdy9Vw
--> ssh-ed25519 VQy60Q SUSqfYDbeljqVLip253DQtxcag48UYVkUQDZ+6mA1n4
-j3zzmyOADOQprP8/db/Q8iswQucbjgylpt3s4GnHR2A
---- v9F0L3av1OwiVGZfhdGzM0NCsg9j611ihVaKlmHpdoY
-
ƺ–íÊB2Ò•_bw<>2¯Ž‚°ñ"ér<C3A9>›oö¾èc

system/server/zitadel.nix

@@ -13,14 +13,74 @@ in {
         reverse_proxy localhost:${builtins.toString Port}
       '';
 
-      services.zitadel = {
-        enable = true;
-        masterKeyFile = config.age.secrets.zitadel-key.path;
-        settings = {
-          inherit Port ExternalDomain;
-          ExternalPort = 443;
+      # services.zitadel = {
+      #   enable = true;
+      #   masterKeyFile = config.age.secrets.zitadel-key.path;
+      #   settings = {
+      #     inherit Port ExternalDomain;
+      #     ExternalPort = 443;
+      #   };
+      #   extraSettingsPaths = [config.age.secrets.zitadel.path];
+      # };
+      systemd.services.zitadel = {
+        requires = ["postgresql.service"];
+        after = ["postgresql.service"];
+      };
+
+      services = {
+        zitadel = {
+          enable = true;
+          masterKeyFile = config.age.secrets.zitadel-key.path;
+          settings = {
+            inherit Port ExternalDomain;
+            ExternalPort = 443;
+            Database.postgres = {
+              Host = "/var/run/postgresql/";
+              Port = 5432;
+              Database = "zitadel";
+              User = {
+                Username = "zitadel";
+                SSL.Mode = "disable";
+              };
+              Admin = {
+                Username = "zitadel";
+                SSL.Mode = "disable";
+                ExistingDatabase = "zitadel";
+              };
+            };
+            ExternalSecure = true;
+          };
+          steps.FirstInstance = {
+            InstanceName = "jsw";
+            Org = {
+              Name = "jsw";
+              Human = {
+                UserName = "jsw@jsw.tf";
+                FirstName = "Jurn";
+                LastName = "Wubben";
+                Email.Verified = true;
+                Password = "changeme";
+                PasswordChangeRequired = true;
+              };
+            };
+            LoginPolicy.AllowRegister = false;
+          };
+          openFirewall = true;
+        };
+
+        postgresql = {
+          enable = true;
+          enableJIT = true;
+          ensureDatabases = ["zitadel"];
+          ensureUsers = [
+            {
+              name = "zitadel";
+              ensureDBOwnership = true;
+              ensureClauses.login = true;
+              ensureClauses.superuser = true;
+            }
+          ];
         };
-        extraSettingsPaths = [config.age.secrets.zitadel.path];
       };
     };
 }