hosts/kazuki/zitadel: add master key

hosts/kazuki/zitadel.nix

@@ -1,44 +1,79 @@
-{ config, ... }:
+{ config, inputs, ... }:
 {
   age.secrets.rabulinski-com-cf = {
     file = ../../secrets/rabulinski-com-cf.age;
     owner = config.services.nginx.user;
   };
 
-  settei.containers.zitadel.config = {
-    services.zitadel = {
-      enable = true;
-      settings = {
-        Port = 80;
-        Database.postgres = {
-          Host = "localhost";
-          Port = 5432;
-          Database = "zitadel";
-          User = {
-            Username = "zitadel";
-            SSL.Mode = "disable";
-          };
-        };
-        ExternalDomain = "zitadel.rabulinski.com";
-        ExternalPort = 443;
-        ExternalSecure = true;
+  settei.containers.zitadel.config =
+    { config, ... }:
+    {
+      imports = [ inputs.agenix.nixosModules.age ];
+      age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+      age.secrets.zitadel-master = {
+        file = ../../secrets/zitadel-master.age;
+        owner = config.services.zitadel.user;
       };
-      openFirewall = true;
-    };
 
-    services.postgresql = {
-      enable = true;
-      enableJIT = true;
-      ensureDatabases = [ "zitadel" ];
-      ensureUsers = [
-        {
-          name = "zitadel";
-          ensureDBOwnership = true;
-          ensureClauses.login = true;
-        }
-      ];
+      services.zitadel = {
+        enable = true;
+        masterKeyFile = config.age.secrets.zitadel-master.path;
+        settings = {
+          Port = 8080;
+          Database.postgres = {
+            Host = "/var/run/postgresql/";
+            Port = 5432;
+            Database = "zitadel";
+            User = {
+              Username = "zitadel";
+              SSL.Mode = "disable";
+            };
+            Admin = {
+              Username = "zitadel";
+              SSL.Mode = "disable";
+              ExistingDatabase = "zitadel";
+            };
+          };
+          ExternalDomain = "zi.rabulinski.com";
+          ExternalPort = 443;
+          ExternalSecure = true;
+        };
+        steps.FirstInstance = {
+          InstanceName = "zi";
+          Org = {
+            Name = "ZI";
+            Human = {
+              UserName = "nikodem@rabulinski.com";
+              FirstName = "Nikodem";
+              LastName = "Rabulinski";
+              Email.Verified = true;
+              Password = "Password1!";
+              PasswordChangeRequired = true;
+            };
+          };
+          LoginPolicy.AllowRegister = false;
+        };
+        openFirewall = true;
+      };
+      systemd.services.zitadel = {
+        requires = [ "postgresql.service" ];
+        after = [ "postgresql.service" ];
+      };
+
+      services.postgresql = {
+        enable = true;
+        enableJIT = true;
+        ensureDatabases = [ "zitadel" ];
+        ensureUsers = [
+          {
+            name = "zitadel";
+            ensureDBOwnership = true;
+            ensureClauses.login = true;
+            ensureClauses.superuser = true;
+          }
+        ];
+      };
     };
-  };
 
   users.users.nginx.extraGroups = [ "acme" ];
   networking.firewall.allowedTCPPorts = [
@@ -52,20 +87,20 @@
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
     recommendedTlsSettings = true;
-    virtualHosts."zitadel.rabulinski.com" = {
+    virtualHosts."zi.rabulinski.com" = {
       forceSSL = true;
       enableACME = true;
       acmeRoot = null;
       locations."/" = {
         extraConfig = ''
-          grpc_pass grpc://${config.settei.containers.zitadel.localAddress}:80;
+          grpc_pass grpc://${config.settei.containers.zitadel.localAddress}:8080;
           grpc_set_header Host $host:$server_port;
         '';
       };
     };
   };
 
-  security.acme.certs."zitadel.rabulinski.com" = {
+  security.acme.certs."zi.rabulinski.com" = {
     dnsProvider = "cloudflare";
     credentialsFile = config.age.secrets.rabulinski-com-cf.path;
   };

secrets/legion-niko-pass.age

@@ -1,7 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 ioPMHA Swzz0jWR8ergR4rY0Mht17fW281TfqCIMpCvZihB6Ek
-9ZTI7oWuFheb42d2tHJEH+IITrbLmNeELzQ2st3MuIg
--> ssh-ed25519 GKhvwg 37Rw1F7e8ZMopUAKhm/L+fwTzAC8wYpNm3Ingt5xXWQ
-g7hTguWj+c/atzV8GvCS0TxAILqEAHijJqsG28FEgoM
---- wp7RhCcX8WQng29KppL/B/4Vn7PbX9YptE15FDOENRU
-â`lj6ý \ºUD0ù·ë<C2B7>Ì:{Ú0¥ƒ°á`–x´ÙŒï¼ïö€gˆÂ.‰ÑÂ?ñEU¶”¹Ħõé©yX§a,ásÂC[üÌáMùÞÿœ‡ÎNŽëXÔ÷…ûùࢉӭ
+-> ssh-ed25519 ioPMHA wC40k2E26e/5foBXXf43FFKYGSlnoQyFzjJtQRshJw0
+F7LlDuPFfyKjKTT9orFBBUqcmON7DSFrsqHC24x/7jc
+-> ssh-ed25519 GKhvwg LvajdH8hQ9LQ09qgzIjxYyQfoyJJr649Ks41rmFNWEA
+8kLSIbryosex94KkLqJILIUWplrf5vtf59QjJdprOTY
+--- 0XLL9dP31jyO/WdtwUu+C38NqCVcOjkdHKhB82rPUiQ
+}î§æ5Úày(i~íB+…‰0<11>q¼:!Í-V1Ð΋‰ˆóçŒ"ÎÓ§F>ÀlÍ	“ UäæB¼œÈ7"†eË<>âìo§ˆ»%p<>•+‘CÞ§˜Ú:,,åüWü¶þT¦Ó3

secrets/nrab-lol-cf.age

@@ -1,8 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 84j9mw ILWqHbxvEqIrjjXBJM57buPfjqUzShGomwOsLXP1aCw
-JSyo00R8+WemsEX3hnOchb3tPwdATp8pKFyAJxMzqlE
--> ssh-ed25519 GKhvwg k5C6W1n0hD+NPMUXcJF9CHgcUoRGGSmHOd2J3gDFeWU
-wXHLNK21wC9nno9CFyRDozFJxikyRdaXyG1vnsn2Hf4
---- 5CTApyYf69lPis/nqSnSez5JZKV/sdG9IxhsRPh97dI
-±Bw<42>„^# ÁA+Ôå²Ç<1F>ô·nýC/Èláܬ­œ(Fq~‰jçxÄúJo_ò†eÍøkEÚìÐÆ¡~V„·–Šu1óÂ'sù[-¸a
-”„
+-> ssh-ed25519 84j9mw ohlOIpKzRlZtkYBMgi1734hmjfOlOmElKSwkDz7Eh2k
+74RT2Nozr3Zv16Ph4UGkVVgmBQmm2YxI15QTyIhINIM
+-> ssh-ed25519 GKhvwg i4Ek89wcdeLvPY/U8xgwV6WXJzQOu6NYXqOrN6s3CW4
+G9gAx1FRpqYxA+JmnFSvRajOHcADu8mYAXcPdOuSymQ
+--- A+gFn/mv5ThI3Tg+SdQfI49l8PfvcLBWQZBwr3s1S7U
+ôQb#›’ë¶Zö ο
R‡ë24ûçP‚ZÍî윲@¦ñ(ŽTTpôrÇÃ˱Õóälåéûµ©–¯	Å"篊WÑáJð”¥õ8Þèh,ŠÚëÀ1p

secrets/ntfy-niko-pass.age

@@ -1,8 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 84j9mw hEtr3ET/9edzqFXoc39m5fmrEF4AA9msJJ6Q7NlPs3w
-anGy/8/x2OZV6Hvy8qt6uFH5HeDh73hDA0yPn70dwEU
--> ssh-ed25519 GKhvwg juWch3g5LsM6tz9YCuXx+apVRpmtH2M9hnweKwnoOAg
-lDiS4TsYik7oM33adKJkaJciT7e5cxdqvf6aXRRuqDo
---- tU6RdGReOS8XhGpBjpBJRu6le7xh8u4vJ/wHFeK3ewY
-($ÔI„Ž­võ
-ÿZëÿaÅùåI81€Tß©"ÎK¥‡™Ç#ڴᙦÏ<C2A6>Q
+-> ssh-ed25519 84j9mw NPno3Ox+binqR7DxgPLHoPxfp7aScR4bEyR4Sck6VEo
+jnQrnf7CrWL5nhj/GFEV5mXP8SFQV2EkL9NCV5mhgxU
+-> ssh-ed25519 GKhvwg v8SFsdzsloII81FQZ89krfNaWEKtfJAK0VuYXHSzfR0
+j3sOP5IzAINcai+kGjkCX93bkmM7FWSxj8TseWirOrI
+--- WsXIVgFQVz5CmYA7d28aanO6iaHb1DP/bcwwmNrdGQw
+#<!«0†<hŠ¿G]IâS—Ï„ʪê“æ´3®†}:zì—®>ÉÖÅðŒÀHÜD×9

secrets/secrets.nix

@@ -80,4 +80,8 @@ in
     keys.system.kazuki
     keys.other.bootstrap
   ];
+  "zitadel-master.age".publicKeys = [
+    keys.system.kazuki
+    keys.other.bootstrap
+  ];
 }

secrets/storage-box-creds.age

@@ -1,7 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 84j9mw PC6bFOK3ckx+3BAhkeF4uQFKts+qv0iYBDfGZFvm9lI
-qQVTypBokLOfA8Dy731amUqDOMhZW7IAvscVQPpLbrk
--> ssh-ed25519 GKhvwg jRZeUjFXgdMC/wPTDTxkcCRBwWvZrrAbOyRXW9/TqWQ
-Xyfz103+dug2SjKjxCZHLR2diFU4E+CKqOsvdGupbkY
---- 4sX0V7sT9x5VYJhIJFABFDWjdwJkZ1c+tiK8aQXCjGk
-W"Ö/|5Ͳ:)°.tñvNSºo¬ÇáoQ†1þ@YÕ]±øÿ‘<C3BF>‚ca†5¤N\N="‚ÉçOùááäïòV¯Iåxõ`ý6Ac
+-> ssh-ed25519 84j9mw Hnei3vVAC9dL9O1H9GIVL0WqR8/rinZ04AM8vwacgwg
+vPzKjQDCPKdwEHvdDibg6i/LeDjFwXBnINkzwlh0hBk
+-> ssh-ed25519 GKhvwg PAvDfn/sTrH8lhbHZ/l9hmyjNXIPSdN7MCOYkD1ZC1g
+Bh+PCt3X89RJZMS6XCQRFCC9dW4BWlWPbZgdzVniW9E
+--- Ad8wu6O3CZUDHmsxhaFiVcpTLHtMmSVENddCD2Ns4r0
+»•åMgÒÎðÊÜóD_&òý‹¹ët¯ª]Vœ„"Riá<>K)·?e<>©v
™)¦ëƒ	zãÒÖ¤“9DNº<ì*1‰Gl

secrets/zitadel-master.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 84j9mw EBpEqtz2Zh60+OUcGzl2dpVWkOhbf26cW7ftTN0j3l4
+chTq+MDv/RiD9hWSwVPY0X/lKp7AW+j0JqRuKOOHuns
+-> ssh-ed25519 GKhvwg 2o2gRmU9IrUTGkg2J3YFT7PwwngjXiDQ5T0/C/TKPQM
+Wnh+tniVr23bkWHGkeEQkrkuG6henkSC2VNfonMOAZQ
+--- ddtNvxlAxHvmsi7nVE5mBc5IYTVT54Sko87EABHQ5fs
+Ú–°""ˆƒBU*9­sß<73>ÁBäÿàåµktË6–fzg¦NZPUc3=„¯ÓžÿkÙ9½MŸ‰ËÕÍÄýD²