107 lines
2.8 KiB
Nix
107 lines
2.8 KiB
Nix
{ config, inputs, ... }:
|
|
{
|
|
age.secrets.rabulinski-com-cf = {
|
|
file = ../../secrets/rabulinski-com-cf.age;
|
|
owner = config.services.nginx.user;
|
|
};
|
|
|
|
settei.containers.zitadel.config =
|
|
{ config, ... }:
|
|
{
|
|
imports = [ inputs.agenix.nixosModules.age ];
|
|
age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
|
age.secrets.zitadel-master = {
|
|
file = ../../secrets/zitadel-master.age;
|
|
owner = config.services.zitadel.user;
|
|
};
|
|
|
|
services.zitadel = {
|
|
enable = true;
|
|
masterKeyFile = config.age.secrets.zitadel-master.path;
|
|
settings = {
|
|
Port = 8080;
|
|
Database.postgres = {
|
|
Host = "/var/run/postgresql/";
|
|
Port = 5432;
|
|
Database = "zitadel";
|
|
User = {
|
|
Username = "zitadel";
|
|
SSL.Mode = "disable";
|
|
};
|
|
Admin = {
|
|
Username = "zitadel";
|
|
SSL.Mode = "disable";
|
|
ExistingDatabase = "zitadel";
|
|
};
|
|
};
|
|
ExternalDomain = "zi.rabulinski.com";
|
|
ExternalPort = 443;
|
|
ExternalSecure = true;
|
|
};
|
|
steps.FirstInstance = {
|
|
InstanceName = "zi";
|
|
Org = {
|
|
Name = "ZI";
|
|
Human = {
|
|
UserName = "nikodem@rabulinski.com";
|
|
FirstName = "Nikodem";
|
|
LastName = "Rabulinski";
|
|
Email.Verified = true;
|
|
Password = "Password1!";
|
|
PasswordChangeRequired = true;
|
|
};
|
|
};
|
|
LoginPolicy.AllowRegister = false;
|
|
};
|
|
openFirewall = true;
|
|
};
|
|
systemd.services.zitadel = {
|
|
requires = [ "postgresql.service" ];
|
|
after = [ "postgresql.service" ];
|
|
};
|
|
|
|
services.postgresql = {
|
|
enable = true;
|
|
enableJIT = true;
|
|
ensureDatabases = [ "zitadel" ];
|
|
ensureUsers = [
|
|
{
|
|
name = "zitadel";
|
|
ensureDBOwnership = true;
|
|
ensureClauses.login = true;
|
|
ensureClauses.superuser = true;
|
|
}
|
|
];
|
|
};
|
|
};
|
|
|
|
users.users.nginx.extraGroups = [ "acme" ];
|
|
networking.firewall.allowedTCPPorts = [
|
|
80
|
|
443
|
|
];
|
|
|
|
services.nginx = {
|
|
enable = true;
|
|
recommendedProxySettings = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedTlsSettings = true;
|
|
virtualHosts."zi.rabulinski.com" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
acmeRoot = null;
|
|
locations."/" = {
|
|
extraConfig = ''
|
|
grpc_pass grpc://${config.settei.containers.zitadel.localAddress}:8080;
|
|
grpc_set_header Host $host:$server_port;
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
security.acme.certs."zi.rabulinski.com" = {
|
|
dnsProvider = "cloudflare";
|
|
credentialsFile = config.age.secrets.rabulinski-com-cf.path;
|
|
};
|
|
}
|