diff --git a/common/secrets/default.nix b/common/secrets/default.nix index 54d8b61..b31e6eb 100644 --- a/common/secrets/default.nix +++ b/common/secrets/default.nix @@ -118,6 +118,11 @@ in file = ./secrets/us_chi_wg.age; owner = users_cfg.primary; }; + zitadel_master_key = { + file = ./secrets/zitadel_master_key.age; + owner = users_cfg.primary; + mode = "444"; # World readable! + }; }; }; }; diff --git a/flake.lock b/flake.lock index 603a536..28bbb05 100644 --- a/flake.lock +++ b/flake.lock @@ -153,22 +153,6 @@ "type": "github" } }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1753694789, - "narHash": "sha256-cKgvtz6fKuK1Xr5LQW/zOUiAC0oSQoA9nOISB0pJZqM=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "dc9637876d0dcc8c9e5e22986b857632effeb727", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs_2": { "locked": { "lastModified": 1753694789, @@ -201,23 +185,6 @@ "type": "github" } }, - "opencode": { - "flake": false, - "locked": { - "lastModified": 1754890102, - "narHash": "sha256-3o8bHU5vSG+MxbvjLzlqeagnW9hnekl0hlj3EiNFaaQ=", - "owner": "sst", - "repo": "opencode", - "rev": "4580c88c0b38519e8187d2df1035e9538b51ec2a", - "type": "github" - }, - "original": { - "owner": "sst", - "ref": "v0.4.12", - "repo": "opencode", - "type": "github" - } - }, "ragenix": { "inputs": { "agenix": "agenix", @@ -245,8 +212,6 @@ "home-manager": "home-manager", "nix-flatpak": "nix-flatpak", "nixpkgs": "nixpkgs_2", - "nixpkgs-unstable": "nixpkgs-unstable", - "opencode": "opencode", "ragenix": "ragenix" } }, diff --git a/hosts/h001/containers/default.nix b/hosts/h001/containers/default.nix index fcef362..eeb0518 100644 --- a/hosts/h001/containers/default.nix +++ b/hosts/h001/containers/default.nix @@ -11,6 +11,7 @@ in common.nixosModules.containers.forgejo ./opengist.nix ./homarr.nix + ./zitadel.nix ]; config = { 
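Review bot: The decrypted Zitadel master key is installed with `mode = "444"` in the new `zitadel_master_key` entry, so every local user and process on the host, and every uid inside the container once it is bind-mounted, can read the key that protects Zitadel's encryption keys; the `readOnly = true` on the container bind elsewhere in this commit only prevents writes. If the service reads the file under its own uid, a dedicated group with `mode = "440"` (the agenix/ragenix secret options accept a `group` attribute; confirm for this module version) limits exposure to that group, and if the NixOS zitadel module hands the file to the service via systemd credentials or reads it as root, a root-only `mode = "400"` is enough. The `# World readable!` comment should be replaced by a statement of who has to read the file and why, e.g. `# read by the zitadel service inside the h001 container; keep group-limited`, so the next person does not widen it further.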
diff --git a/hosts/h001/containers/zitadel.nix b/hosts/h001/containers/zitadel.nix index 59ccfe4..5fe6add 100644 --- a/hosts/h001/containers/zitadel.nix +++ b/hosts/h001/containers/zitadel.nix @@ -31,10 +31,17 @@ let uid = config.ids.uids.postgres; gid = config.ids.gids.postgres; } + # secret + { + host = config.age.secrets.zitadel_master_key.path; + container = "/var/secrets/zitadel_master_key.age"; + readOnly = true; + } ]; + bindsWithUsers = lib.filter (b: b ? user) binds; uniqueUsers = lib.foldl' ( acc: bind: if lib.lists.any (item: item.user == bind.user) acc then acc else acc ++ [ bind ] - ) [ ] binds; + ) [ ] bindsWithUsers; users = { users = lib.listToAttrs ( lib.map (u: { @@ -64,11 +71,31 @@ in locations = { "/" = { proxyWebsockets = true; + recommendedProxySettings = true; proxyPass = "http://${containerAddress}:8080"; + extraConfig = '' + proxy_set_header X-Forwarded-Proto https; + ''; }; }; }; + networking.firewall.allowedTCPPorts = [ 8080 ]; + + # Ensure users exist on host machine + inherit users; + + # Ensure directories exist on host machine + system.activationScripts."createDirsFor${name}" = '' + ${lib.concatStringsSep "\n" ( + lib.map (bind: '' + mkdir -p ${bind.host} + chown -R ${toString bind.user}:${toString bind.gid} ${bind.host} + chmod -R 750 ${bind.host} + '') bindsWithUsers + )} + ''; + containers.${name} = { ephemeral = true; autoStart = true; @@ -82,7 +109,7 @@ in { "${bind.container}" = { hostPath = bind.host; - isReadOnly = false; + isReadOnly = bind.readOnly or false; }; } // acc @@ -96,8 +123,7 @@ in firewall = { enable = true; allowedTCPPorts = [ - 3000 - 3032 + 8080 ]; }; # Use systemd-resolved inside the container @@ -137,7 +163,7 @@ in services.zitadel = { enable = true; - # masterKeyFile = "TODO"; + masterKeyFile = "/var/secrets/zitadel_master_key.age"; settings = { Port = 8080; Database.postgres = { 
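Review bot: `networking.firewall.allowedTCPPorts = [ 8080 ];` in the second hunk is set on the host, which opens Zitadel's plain-HTTP port on every host interface although the only intended client is the nginx location that proxies `http://${containerAddress}:8080` and sets `X-Forwarded-Proto https`. Traffic from nginx to the container's own address does not traverse the host INPUT chain, so the host-side rule is probably unnecessary (the container-side `allowedTCPPorts = [ 8080 ]` in the later hunk is what matters; confirm on the running host) and either should be dropped or narrowed to the container link with `networking.firewall.interfaces.<container-veth-or-bridge>.allowedTCPPorts = [ 8080 ];` so unauthenticated HTTP cannot bypass TLS termination. The decrypted key is mounted at `/var/secrets/zitadel_master_key.age` even though `config.age.secrets.zitadel_master_key.path` is the plaintext, so renaming the container path and the matching `masterKeyFile` to `/var/secrets/zitadel_master_key` avoids suggesting the file is still encrypted. The new activation script also runs `chown -R`/`chmod -R 750` over every bind host directory, including the postgres data directory, on each activation; limiting the recursive pass to first creation avoids rewriting ownership under a running database.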
@@ -159,9 +185,9 @@ in
 ExternalSecure = true;
 };
 steps.FirstInstance = {
- InstanceName = "ros_sso";
+ InstanceName = "sso";
 Org = {
- Name = "ZI";
+ Name = "SSO";
 Human = {
 UserName = "admin@joshuabell.xyz";
 FirstName = "admin";
diff --git a/hosts/h001/flake.lock b/hosts/h001/flake.lock
index 7203609..18baa04 100644
--- a/hosts/h001/flake.lock
+++ b/hosts/h001/flake.lock
@@ -29,24 +29,17 @@
 "inputs": {
 "home-manager": "home-manager",
 "nix-flatpak": "nix-flatpak",
- "nixpkgs": "nixpkgs_2",
- "nixpkgs-unstable": "nixpkgs-unstable",
- "opencode": "opencode",
 "ragenix": "ragenix"
 },
 "locked": {
- "lastModified": 1753294571,
- "narHash": "sha256-o5pjY2Mh/gbbD2GT2zStATKN3AOvYfMmGOkN4L3qrgo=",
- "ref": "refs/heads/master",
- "rev": "bb90226e5e1731652b7ed64d0ab038e68a999dee",
- "revCount": 551,
- "type": "git",
- "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
+ "path": "../../common",
+ "type": "path"
 },
 "original": {
- "type": "git",
- "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
- }
+ "path": "../../common",
+ "type": "path"
+ },
+ "parent": []
 },
 "crane": {
 "locked": {
@@ -110,11 +103,11 @@
 "nixpkgs": "nixpkgs"
 },
 "locked": {
- "lastModified": 1753055804,
- "narHash": "sha256-KerePGJYX47ex6OY3CWsid4AltO2gDtQROunYJ0eCEE=",
+ "lastModified": 1753592768,
+ "narHash": "sha256-oV695RvbAE4+R9pcsT9shmp6zE/+IZe6evHWX63f2Qg=",
 "owner": "rycee",
 "repo": "home-manager",
- "rev": "adf195f021a8cbb0c317f75b52e96c82616526f9",
+ "rev": "fc3add429f21450359369af74c2375cb34a2d204",
 "type": "github"
 },
 "original": {
@@ -165,7 +158,7 @@
 },
 "nixarr": {
 "inputs": {
- "nixpkgs": "nixpkgs_4",
+ "nixpkgs": "nixpkgs_3",
 "vpnconfinement": "vpnconfinement",
 "website-builder": "website-builder"
 },
@@ -185,11 +178,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1752620740,
- "narHash": "sha256-f3pO+9lg66mV7IMmmIqG4PL3223TYMlnlw+pnpelbss=",
+ "lastModified": 1753345091,
+ "narHash": "sha256-CdX2Rtvp5I8HGu9swBmYuq+ILwRxpXdJwlpg8jvN4tU=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "32a4e87942101f1c9f9865e04dc3ddb175f5f32e",
+ "rev": "3ff0e34b1383648053bba8ed03f201d3466f90c9",
 "type": "github"
 },
 "original": {
@@ -199,39 +192,7 @@
 "type": "github"
 }
 },
- "nixpkgs-unstable": {
- "locked": {
- "lastModified": 1752950548,
- "narHash": "sha256-NS6BLD0lxOrnCiEOcvQCDVPXafX1/ek1dfJHX1nUIzc=",
- "owner": "nixos",
- "repo": "nixpkgs",
- "rev": "c87b95e25065c028d31a94f06a62927d18763fdf",
- "type": "github"
- },
- "original": {
- "owner": "nixos",
- "ref": "nixos-unstable",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
 "nixpkgs_2": {
- "locked": {
- "lastModified": 1752950548,
- "narHash": "sha256-NS6BLD0lxOrnCiEOcvQCDVPXafX1/ek1dfJHX1nUIzc=",
- "owner": "nixos",
- "repo": "nixpkgs",
- "rev": "c87b95e25065c028d31a94f06a62927d18763fdf",
- "type": "github"
- },
- "original": {
- "owner": "nixos",
- "ref": "nixos-unstable",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
- "nixpkgs_3": {
 "locked": {
 "lastModified": 1741379970,
 "narHash": "sha256-Wh7esNh7G24qYleLvgOSY/7HlDUzWaL/n4qzlBePpiw=",
@@ -247,7 +208,7 @@
 "type": "github"
 }
 },
- "nixpkgs_4": {
+ "nixpkgs_3": {
 "locked": {
 "lastModified": 1748662220,
 "narHash": "sha256-7gGa49iB9nCnFk4h/g9zwjlQAyjtpgcFkODjcOQS0Es=",
@@ -263,7 +224,7 @@
 "type": "github"
 }
 },
- "nixpkgs_5": {
+ "nixpkgs_4": {
 "locked": {
 "lastModified": 1750400657,
 "narHash": "sha256-3vkjFnxCOP6vm5Pm13wC/Zy6/VYgei/I/2DWgW4RFeA=",
@@ -279,7 +240,7 @@
 "type": "github"
 }
 },
- "nixpkgs_6": {
+ "nixpkgs_5": {
 "locked": {
 "lastModified": 1750188666,
 "narHash": "sha256-yAfLvtbCzSigTfbsJeOrvljS7VYLAwi2RZ6F+qd+A5E=",
@@ -1190,29 +1151,12 @@ "type": "github" } }, - "opencode": { - "flake": false, - "locked": { - "lastModified": 1753194493, - "narHash": "sha256-eOsazBjkdTvGNsobb5WUBDB2udEJh9zkOeMfVH/tkQo=", - "owner": "sst", - "repo": "opencode", - "rev": "99d6a28249f10ba1fcb7d61599c008154663a51f", - "type": "github" - }, - "original": { - "owner": "sst", - "ref": "v0.3.55", - "repo": "opencode", - "type": "github" - } - }, "ragenix": { "inputs": { "agenix": "agenix", "crane": "crane", "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_2", "rust-overlay": "rust-overlay" }, "locked": { @@ -1233,13 +1177,13 @@ "inputs": { "common": "common", "nixarr": "nixarr", - "nixpkgs": "nixpkgs_5", + "nixpkgs": "nixpkgs_4", "ros_neovim": "ros_neovim" } }, "ros_neovim": { "inputs": { - "nixpkgs": "nixpkgs_6", + "nixpkgs": "nixpkgs_5", "nvim_plugin-Almo7aya/openingh.nvim": "nvim_plugin-Almo7aya/openingh.nvim", "nvim_plugin-CopilotC-Nvim/CopilotChat.nvim": "nvim_plugin-CopilotC-Nvim/CopilotChat.nvim", "nvim_plugin-JoosepAlviste/nvim-ts-context-commentstring": "nvim_plugin-JoosepAlviste/nvim-ts-context-commentstring", diff --git a/hosts/h001/flake.nix b/hosts/h001/flake.nix index 71f3c20..148f2a7 100644 --- a/hosts/h001/flake.nix +++ b/hosts/h001/flake.nix @@ -4,8 +4,8 @@ # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; # Use relative to get current version for testing - # common.url = "path:../../common"; - common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles"; + common.url = "path:../../common"; + # common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles"; ros_neovim.url = "git+https://git.joshuabell.xyz/ringofstorms/nvim";