secrets/default.nix

@@ -36,5 +36,6 @@ in {
       #   else "root";
       file = ./mail-admin.age;
     };
+    zitadel.file = ./zitadel.age;
   };
 }

secrets/secrets.nix

@@ -20,4 +20,5 @@ in {
   "matrix-registration.age".publicKeys = keys;
   "cloudflare-acme.age".publicKeys = keys;
   "mail-admin.age".publicKeys = keys;
+  "zitadel.age".publicKeys = keys;
 }

secrets/zitadel.age

@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 GQzYWA fz19CbZPbHDcTz3uKZwJPn5ZN4cvl7GcED5eG0D+ElM
+HHCdqkDUcqK4Oo+AGp04q3nVJs2KpeIM3ZwKwOsPWYo
+-> ssh-ed25519 MfR7VA IXjIOdECEgdKvxs3K2lYVhqHa6IbGYhciFlPamEl9AQ
+HVDNbo0Y8rAHy2nUiiP11XKcJ5AdEGhQQt30GCdve1E
+-> ssh-ed25519 +cvRTg ipfUrJdALMna/5EQfLzAo28r65e1W62P5FzSxqSkYCI
+qzhYJjzB6NsHa0obHsyD3nylsucBcIcWFcJ8g/P1HHo
+-> ssh-ed25519 WCPLrA fAWkqW/ucxI8d+92obW2j1X3+FC/HfR32JGl/jEbUwQ
+CVxiMB5COMiikBiubXJlzNAmq2KIpiqBUPgks5bD/3Y
+-> ssh-ed25519 7/ziYw vdFHVmAee1B7y7dG9JsV0Q5oJAHkARCwcjZAyAzCuRY
+8BMNoikJKNPdxxk61A/zgRykiFGgNu7JUCm+Hhdy9Vw
+-> ssh-ed25519 VQy60Q SUSqfYDbeljqVLip253DQtxcag48UYVkUQDZ+6mA1n4
+j3zzmyOADOQprP8/db/Q8iswQucbjgylpt3s4GnHR2A
+--- v9F0L3av1OwiVGZfhdGzM0NCsg9j611ihVaKlmHpdoY
+
ƺ–íÊB2Ò•_bw<>2¯Ž‚°ñ"ér<C3A9>›oö¾èc

system/server/default.nix

@@ -10,6 +10,7 @@
     ./matrix.nix
     ./seafile.nix
     ./temp.nix
+    ./zitadel.nix
   ];
   options.niksos.server = lib.mkEnableOption "server servcies (such as caddy)."; #TODO: per service option.
 }

system/server/zitadel.nix

@@ -0,0 +1,26 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  ExternalDomain = "z.jsw.tf";
+  Port = 9000;
+in {
+  config =
+    lib.mkIf config.niksos.server
+    {
+      services.caddy.virtualHosts.${ExternalDomain}.extraConfig = ''
+        reverse_proxy localhost:${builtins.toString Port}
+      '';
+
+      services.zitadel = {
+        enable = true;
+        masterKeyFile = "/etc/default/zitadel";
+        settings = {
+          inherit Port ExternalDomain;
+          ExternalPort = 443;
+        };
+        extraSettingsPaths = [config.age.secrets.zitadel.path];
+      };
+    };
+}