hosts/kazuki/zitadel: add master key

hosts/kazuki/zitadel.nix

@@ -1,44 +1,79 @@
-{ config, ... }:
+{ config, inputs, ... }:
 {
   age.secrets.rabulinski-com-cf = {
     file = ../../secrets/rabulinski-com-cf.age;
     owner = config.services.nginx.user;
   };
 
-  settei.containers.zitadel.config = {
-    services.zitadel = {
-      enable = true;
-      settings = {
-        Port = 80;
-        Database.postgres = {
-          Host = "localhost";
-          Port = 5432;
-          Database = "zitadel";
-          User = {
-            Username = "zitadel";
-            SSL.Mode = "disable";
-          };
-        };
-        ExternalDomain = "zitadel.rabulinski.com";
-        ExternalPort = 443;
-        ExternalSecure = true;
+  settei.containers.zitadel.config =
+    { config, ... }:
+    {
+      imports = [ inputs.agenix.nixosModules.age ];
+      age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+      age.secrets.zitadel-master = {
+        file = ../../secrets/zitadel-master.age;
+        owner = config.services.zitadel.user;
       };
-      openFirewall = true;
-    };
 
-    services.postgresql = {
-      enable = true;
-      enableJIT = true;
-      ensureDatabases = [ "zitadel" ];
-      ensureUsers = [
-        {
-          name = "zitadel";
-          ensureDBOwnership = true;
-          ensureClauses.login = true;
-        }
-      ];
+      services.zitadel = {
+        enable = true;
+        masterKeyFile = config.age.secrets.zitadel-master.path;
+        settings = {
+          Port = 8080;
+          Database.postgres = {
+            Host = "/var/run/postgresql/";
+            Port = 5432;
+            Database = "zitadel";
+            User = {
+              Username = "zitadel";
+              SSL.Mode = "disable";
+            };
+            Admin = {
+              Username = "zitadel";
+              SSL.Mode = "disable";
+              ExistingDatabase = "zitadel";
+            };
+          };
+          ExternalDomain = "zi.rabulinski.com";
+          ExternalPort = 443;
+          ExternalSecure = true;
+        };
+        steps.FirstInstance = {
+          InstanceName = "zi";
+          Org = {
+            Name = "ZI";
+            Human = {
+              UserName = "nikodem@rabulinski.com";
+              FirstName = "Nikodem";
+              LastName = "Rabulinski";
+              Email.Verified = true;
+              Password = "Password1!";
+              PasswordChangeRequired = true;
+            };
+          };
+          LoginPolicy.AllowRegister = false;
+        };
+        openFirewall = true;
+      };
+      systemd.services.zitadel = {
+        requires = [ "postgresql.service" ];
+        after = [ "postgresql.service" ];
+      };
+
+      services.postgresql = {
+        enable = true;
+        enableJIT = true;
+        ensureDatabases = [ "zitadel" ];
+        ensureUsers = [
+          {
+            name = "zitadel";
+            ensureDBOwnership = true;
+            ensureClauses.login = true;
+            ensureClauses.superuser = true;
+          }
+        ];
+      };
     };
-  };
 
   users.users.nginx.extraGroups = [ "acme" ];
   networking.firewall.allowedTCPPorts = [
@@ -52,20 +87,20 @@
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
     recommendedTlsSettings = true;
-    virtualHosts."zitadel.rabulinski.com" = {
+    virtualHosts."zi.rabulinski.com" = {
       forceSSL = true;
       enableACME = true;
       acmeRoot = null;
       locations."/" = {
         extraConfig = ''
-          grpc_pass grpc://${config.settei.containers.zitadel.localAddress}:80;
+          grpc_pass grpc://${config.settei.containers.zitadel.localAddress}:8080;
           grpc_set_header Host $host:$server_port;
         '';
       };
     };
   };
 
-  security.acme.certs."zitadel.rabulinski.com" = {
+  security.acme.certs."zi.rabulinski.com" = {
     dnsProvider = "cloudflare";
     credentialsFile = config.age.secrets.rabulinski-com-cf.path;
   };