diff --git a/hosts/kazuki/zitadel.nix b/hosts/kazuki/zitadel.nix
index 71d0fe3..ae51d32 100644
--- a/hosts/kazuki/zitadel.nix
+++ b/hosts/kazuki/zitadel.nix
@@ -1,44 +1,79 @@ -{ config, ... }: +{ config, inputs, ... }: { age.secrets.rabulinski-com-cf = { file = ../../secrets/rabulinski-com-cf.age; owner = config.services.nginx.user; }; - settei.containers.zitadel.config = { - services.zitadel = { - enable = true; - settings = { - Port = 80; - Database.postgres = { - Host = "localhost"; - Port = 5432; - Database = "zitadel"; - User = { - Username = "zitadel"; - SSL.Mode = "disable"; - }; - }; - ExternalDomain = "zitadel.rabulinski.com"; - ExternalPort = 443; - ExternalSecure = true; + settei.containers.zitadel.config = + { config, ... }: + { + imports = [ inputs.agenix.nixosModules.age ]; + age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + age.secrets.zitadel-master = { + file = ../../secrets/zitadel-master.age; + owner = config.services.zitadel.user; }; - openFirewall = true; - }; - services.postgresql = { - enable = true; - enableJIT = true; - ensureDatabases = [ "zitadel" ]; - ensureUsers = [ - { - name = "zitadel"; - ensureDBOwnership = true; - ensureClauses.login = true; - } - ]; + services.zitadel = { + enable = true; + masterKeyFile = config.age.secrets.zitadel-master.path; + settings = { + Port = 8080; + Database.postgres = { + Host = "/var/run/postgresql/"; + Port = 5432; + Database = "zitadel"; + User = { + Username = "zitadel"; + SSL.Mode = "disable"; + }; + Admin = { + Username = "zitadel"; + SSL.Mode = "disable"; + ExistingDatabase = "zitadel"; + }; + }; + ExternalDomain = "zi.rabulinski.com"; + ExternalPort = 443; + ExternalSecure = true; + }; + steps.FirstInstance = { + InstanceName = "zi"; + Org = { + Name = "ZI"; + Human = { + UserName = "nikodem@rabulinski.com"; + FirstName = "Nikodem"; + LastName = "Rabulinski"; + Email.Verified = true; + Password = "Password1!"; + PasswordChangeRequired = true; + }; + }; + LoginPolicy.AllowRegister = false; + }; + openFirewall = true; + }; + systemd.services.zitadel = { + requires = [ "postgresql.service" ]; + after = [ "postgresql.service" ]; + }; + + 
services.postgresql = { + enable = true; + enableJIT = true; + ensureDatabases = [ "zitadel" ]; + ensureUsers = [ + { + name = "zitadel"; + ensureDBOwnership = true; + ensureClauses.login = true; + ensureClauses.superuser = true; + } + ]; + }; }; - }; users.users.nginx.extraGroups = [ "acme" ]; networking.firewall.allowedTCPPorts = [ @@ -52,20 +87,20 @@ recommendedGzipSettings = true; recommendedOptimisation = true; recommendedTlsSettings = true; - virtualHosts."zitadel.rabulinski.com" = { + virtualHosts."zi.rabulinski.com" = { forceSSL = true; enableACME = true; acmeRoot = null; locations."/" = { extraConfig = '' - grpc_pass grpc://${config.settei.containers.zitadel.localAddress}:80; + grpc_pass grpc://${config.settei.containers.zitadel.localAddress}:8080; grpc_set_header Host $host:$server_port; ''; }; }; }; - security.acme.certs."zitadel.rabulinski.com" = { + security.acme.certs."zi.rabulinski.com" = { dnsProvider = "cloudflare"; credentialsFile = config.age.secrets.rabulinski-com-cf.path; }; diff --git a/secrets/alert-nrab-lol-pass.age b/secrets/alert-nrab-lol-pass.age index 353ae7d..0734ba7 100644 Binary files a/secrets/alert-nrab-lol-pass.age and b/secrets/alert-nrab-lol-pass.age differ diff --git a/secrets/alert-plain-pass.age b/secrets/alert-plain-pass.age index 0509d95..3d0d103 100644 Binary files a/secrets/alert-plain-pass.age and b/secrets/alert-plain-pass.age differ diff --git a/secrets/attic-creds.age b/secrets/attic-creds.age index 18f9e54..0c7e18a 100644 Binary files a/secrets/attic-creds.age and b/secrets/attic-creds.age differ diff --git a/secrets/github-token.age b/secrets/github-token.age index b9e993b..d0473f3 100644 Binary files a/secrets/github-token.age and b/secrets/github-token.age differ diff --git a/secrets/hercules-cache.age b/secrets/hercules-cache.age index b5456e6..c8f545e 100644 Binary files a/secrets/hercules-cache.age and b/secrets/hercules-cache.age differ 
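Review bot: `steps.FirstInstance.Org.Human.Password = "Password1!"` hard-codes the bootstrap admin password into the evaluated Nix configuration, so it lands world-readable in the Nix store and stays in git history; `PasswordChangeRequired = true` narrows the window but does not remove the exposure of a known first-login credential. Move it out of `steps` into an agenix secret the same way `masterKeyFile` is handled — the nixpkgs zitadel module's `extraStepsPaths` option (if present in the pinned nixpkgs) takes a YAML file holding only the secret keys, so the `Password` line can live in a decrypted file instead of the store. Separately, `ensureClauses.superuser = true` makes the runtime `zitadel` role a cluster-wide superuser because the same account is configured for both `Database.postgres.User` and `Database.postgres.Admin`; the Admin credentials appear to be needed only by the init/setup step, so a dedicated admin role, or revoking superuser once the instance is initialized, would keep the long-running service least-privileged. The container's `age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]` presumably expects a key matching one of `zitadel-master.age`'s recipients to be reachable inside the container, which this hunk does not show — worth confirming against how the settei container is built.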
diff --git a/secrets/hercules-secrets.age b/secrets/hercules-secrets.age index c743767..8c204e4 100644 Binary files a/secrets/hercules-secrets.age and b/secrets/hercules-secrets.age differ diff --git a/secrets/hercules-token.age b/secrets/hercules-token.age index 6159676..c11597d 100644 Binary files a/secrets/hercules-token.age and b/secrets/hercules-token.age differ diff --git a/secrets/leet-nrab-lol-pass.age b/secrets/leet-nrab-lol-pass.age index 5d4884d..1131874 100644 Binary files a/secrets/leet-nrab-lol-pass.age and b/secrets/leet-nrab-lol-pass.age differ diff --git a/secrets/legion-niko-pass.age b/secrets/legion-niko-pass.age index 883e11d..e2ec36f 100644 --- a/secrets/legion-niko-pass.age +++ b/secrets/legion-niko-pass.age @@ -1,7 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 ioPMHA Swzz0jWR8ergR4rY0Mht17fW281TfqCIMpCvZihB6Ek -9ZTI7oWuFheb42d2tHJEH+IITrbLmNeELzQ2st3MuIg --> ssh-ed25519 GKhvwg 37Rw1F7e8ZMopUAKhm/L+fwTzAC8wYpNm3Ingt5xXWQ -g7hTguWj+c/atzV8GvCS0TxAILqEAHijJqsG28FEgoM ---- wp7RhCcX8WQng29KppL/B/4Vn7PbX9YptE15FDOENRU -`lj6\UD0:{0á`xg.?EUĦyXa,sC[M NXࢉӭ \ No newline at end of file +-> ssh-ed25519 ioPMHA wC40k2E26e/5foBXXf43FFKYGSlnoQyFzjJtQRshJw0 +F7LlDuPFfyKjKTT9orFBBUqcmON7DSFrsqHC24x/7jc +-> ssh-ed25519 GKhvwg LvajdH8hQ9LQ09qgzIjxYyQfoyJJr649Ks41rmFNWEA +8kLSIbryosex94KkLqJILIUWplrf5vtf59QjJdprOTY +--- 0XLL9dP31jyO/WdtwUu+C38NqCVcOjkdHKhB82rPUiQ +}5y(i~B+0q:!-V1΋"ӧF>l UB¼7"e˝o%p+Cާ:,,WT3 \ No newline at end of file diff --git a/secrets/nrab-lol-cf.age b/secrets/nrab-lol-cf.age index 82b9007..42c2b5b 100644 --- a/secrets/nrab-lol-cf.age +++ b/secrets/nrab-lol-cf.age 
@@ -1,8 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 84j9mw ILWqHbxvEqIrjjXBJM57buPfjqUzShGomwOsLXP1aCw -JSyo00R8+WemsEX3hnOchb3tPwdATp8pKFyAJxMzqlE --> ssh-ed25519 GKhvwg k5C6W1n0hD+NPMUXcJF9CHgcUoRGGSmHOd2J3gDFeWU -wXHLNK21wC9nno9CFyRDozFJxikyRdaXyG1vnsn2Hf4 ---- 5CTApyYf69lPis/nqSnSez5JZKV/sdG9IxhsRPh97dI -Bw^#A+ nC/lܬ(Fq~jçxJo_ekE ơ~Vu1's[-a - \ No newline at end of file +-> ssh-ed25519 84j9mw ohlOIpKzRlZtkYBMgi1734hmjfOlOmElKSwkDz7Eh2k +74RT2Nozr3Zv16Ph4UGkVVgmBQmm2YxI15QTyIhINIM +-> ssh-ed25519 GKhvwg i4Ek89wcdeLvPY/U8xgwV6WXJzQOu6NYXqOrN6s3CW4 +G9gAx1FRpqYxA+JmnFSvRajOHcADu8mYAXcPdOuSymQ +--- A+gFn/mv5ThI3Tg+SdQfI49l8PfvcLBWQZBwr3s1S7U +Qb#Z ο R24PZ윲@(TTprl "篊WJ8h,1p \ No newline at end of file diff --git a/secrets/ntfy-alert-pass.age b/secrets/ntfy-alert-pass.age index 59aa10a..6d157ff 100644 Binary files a/secrets/ntfy-alert-pass.age and b/secrets/ntfy-alert-pass.age differ diff --git a/secrets/ntfy-niko-pass.age b/secrets/ntfy-niko-pass.age index 8b9a9b3..0dda63e 100644 --- a/secrets/ntfy-niko-pass.age +++ b/secrets/ntfy-niko-pass.age @@ -1,8 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 84j9mw hEtr3ET/9edzqFXoc39m5fmrEF4AA9msJJ6Q7NlPs3w -anGy/8/x2OZV6Hvy8qt6uFH5HeDh73hDA0yPn70dwEU --> ssh-ed25519 GKhvwg juWch3g5LsM6tz9YCuXx+apVRpmtH2M9hnweKwnoOAg -lDiS4TsYik7oM33adKJkaJciT7e5cxdqvf6aXRRuqDo ---- tU6RdGReOS8XhGpBjpBJRu6le7xh8u4vJ/wHFeK3ewY -($ÔIv -Za I81Tߩ"K#ᙦύQ \ No newline at end of file +-> ssh-ed25519 84j9mw NPno3Ox+binqR7DxgPLHoPxfp7aScR4bEyR4Sck6VEo +jnQrnf7CrWL5nhj/GFEV5mXP8SFQV2EkL9NCV5mhgxU +-> ssh-ed25519 GKhvwg v8SFsdzsloII81FQZ89krfNaWEKtfJAK0VuYXHSzfR0 +j3sOP5IzAINcai+kGjkCX93bkmM7FWSxj8TseWirOrI +--- WsXIVgFQVz5CmYA7d28aanO6iaHb1DP/bcwwmNrdGQw +#HD9 \ No newline at end of file diff --git a/secrets/rabulinski-com-cf.age b/secrets/rabulinski-com-cf.age index 25cef0a..a68d276 100644 Binary files a/secrets/rabulinski-com-cf.age and b/secrets/rabulinski-com-cf.age differ 
diff --git a/secrets/secrets.nix b/secrets/secrets.nix index b58981e..f568cce 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -80,4 +80,8 @@ in keys.system.kazuki keys.other.bootstrap ]; + "zitadel-master.age".publicKeys = [ + keys.system.kazuki + keys.other.bootstrap + ]; } diff --git a/secrets/storage-box-creds.age b/secrets/storage-box-creds.age index 5042f31..dd97048 100644 --- a/secrets/storage-box-creds.age +++ b/secrets/storage-box-creds.age @@ -1,7 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 84j9mw PC6bFOK3ckx+3BAhkeF4uQFKts+qv0iYBDfGZFvm9lI -qQVTypBokLOfA8Dy731amUqDOMhZW7IAvscVQPpLbrk --> ssh-ed25519 GKhvwg jRZeUjFXgdMC/wPTDTxkcCRBwWvZrrAbOyRXW9/TqWQ -Xyfz103+dug2SjKjxCZHLR2diFU4E+CKqOsvdGupbkY ---- 4sX0V7sT9x5VYJhIJFABFDWjdwJkZ1c+tiK8aQXCjGk -W"/|5Ͳ:) .tvNSooQ1@Y]ca5N\N="OVIx`6Ac \ No newline at end of file +-> ssh-ed25519 84j9mw Hnei3vVAC9dL9O1H9GIVL0WqR8/rinZ04AM8vwacgwg +vPzKjQDCPKdwEHvdDibg6i/LeDjFwXBnINkzwlh0hBk +-> ssh-ed25519 GKhvwg PAvDfn/sTrH8lhbHZ/l9hmyjNXIPSdN7MCOYkD1ZC1g +Bh+PCt3X89RJZMS6XCQRFCC9dW4BWlWPbZgdzVniW9E +--- Ad8wu6O3CZUDHmsxhaFiVcpTLHtMmSVENddCD2Ns4r0 +MgD_&t]V"RiK)·?ev) z֤9DN<*1Gl \ No newline at end of file diff --git a/secrets/storage-box-webdav.age b/secrets/storage-box-webdav.age index 15903c5..35de89f 100644 Binary files a/secrets/storage-box-webdav.age and b/secrets/storage-box-webdav.age differ diff --git a/secrets/zitadel-master.age b/secrets/zitadel-master.age new file mode 100644 index 0000000..c10ed7e --- /dev/null +++ b/secrets/zitadel-master.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 84j9mw EBpEqtz2Zh60+OUcGzl2dpVWkOhbf26cW7ftTN0j3l4 +chTq+MDv/RiD9hWSwVPY0X/lKp7AW+j0JqRuKOOHuns +-> ssh-ed25519 GKhvwg 2o2gRmU9IrUTGkg2J3YFT7PwwngjXiDQ5T0/C/TKPQM +Wnh+tniVr23bkWHGkeEQkrkuG6henkSC2VNfonMOAZQ +--- ddtNvxlAxHvmsi7nVE5mBc5IYTVT54Sko87EABHQ5fs +ږ""BU*9sߍBkt6fzgNZPUc3=Ӟk9MD \ No newline at end of file