zitadel functioning on h001

This commit is contained in:
RingOfStorms (Joshua Bell) 2025-08-18 21:06:17 -05:00
parent 8bf46bde79
commit 4978a98cc7
6 changed files with 60 additions and 119 deletions


@ -11,6 +11,7 @@ in
common.nixosModules.containers.forgejo
./opengist.nix
./homarr.nix
./zitadel.nix
];
config = {


@ -31,10 +31,17 @@ let
uid = config.ids.uids.postgres;
gid = config.ids.gids.postgres;
}
# secret
{
host = config.age.secrets.zitadel_master_key.path;
container = "/var/secrets/zitadel_master_key.age";
readOnly = true;
}
];
bindsWithUsers = lib.filter (b: b ? user) binds;
uniqueUsers = lib.foldl' (
acc: bind: if lib.lists.any (item: item.user == bind.user) acc then acc else acc ++ [ bind ]
) [ ] binds;
) [ ] bindsWithUsers;
users = {
users = lib.listToAttrs (
lib.map (u: {
@ -64,11 +71,31 @@ in
locations = {
"/" = {
proxyWebsockets = true;
recommendedProxySettings = true;
proxyPass = "http://${containerAddress}:8080";
extraConfig = ''
proxy_set_header X-Forwarded-Proto https;
'';
};
};
};
networking.firewall.allowedTCPPorts = [ 8080 ];
# Ensure users exist on host machine
inherit users;
# Ensure directories exist on host machine
system.activationScripts."createDirsFor${name}" = ''
${lib.concatStringsSep "\n" (
lib.map (bind: ''
mkdir -p ${bind.host}
chown -R ${toString bind.user}:${toString bind.gid} ${bind.host}
chmod -R 750 ${bind.host}
'') bindsWithUsers
)}
'';
containers.${name} = {
ephemeral = true;
autoStart = true;
@ -82,7 +109,7 @@ in
{
"${bind.container}" = {
hostPath = bind.host;
isReadOnly = false;
isReadOnly = bind.readOnly or false;
};
}
// acc
@ -96,8 +123,7 @@ in
firewall = {
enable = true;
allowedTCPPorts = [
3000
3032
8080
];
};
# Use systemd-resolved inside the container
@ -137,7 +163,7 @@ in
services.zitadel = {
enable = true;
# masterKeyFile = "TODO";
masterKeyFile = "/var/secrets/zitadel_master_key.age";
settings = {
Port = 8080;
Database.postgres = {
@ -159,9 +185,9 @@ in
ExternalSecure = true;
};
steps.FirstInstance = {
InstanceName = "ros_sso";
InstanceName = "sso";
Org = {
Name = "ZI";
Name = "SSO";
Human = {
UserName = "admin@joshuabell.xyz";
FirstName = "admin";
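Review bot: The master-key bind added at the top of the section has no `user` entry, so the `createDirsFor${name}` activation script added further down never touches it, and whether the zitadel service inside the container can read `/var/secrets/zitadel_master_key.age` depends entirely on the host-side owner and mode of `config.age.secrets.zitadel_master_key`; that is presumably handled where the secret is declared, but nothing in this commit shows it, so a comment on the bind such as `# readability inside the container is governed by the agenix secret's owner/mode on the host` would save the next reader a hunt. The container path keeps the `.age` suffix even though `config.age.secrets.*.path` is the decrypted file and `masterKeyFile` expects the plaintext key, which invites a reader to assume ciphertext is being mounted; `container = "/var/secrets/zitadel_master_key";` with the matching `masterKeyFile = "/var/secrets/zitadel_master_key";` would be clearer. Separately, `networking.firewall.allowedTCPPorts = [ 8080 ];` opens 8080 on the host even though clients are meant to arrive through the nginx location that sets `X-Forwarded-Proto https` and the service is configured with `ExternalSecure = true`; if nothing on the host itself listens on 8080 the rule is dead weight, and if the container port is reachable that way it bypasses the TLS-terminating proxy, so either drop it or add a comment naming what it serves.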

94
hosts/h001/flake.lock generated

@ -29,24 +29,17 @@
"inputs": {
"home-manager": "home-manager",
"nix-flatpak": "nix-flatpak",
"nixpkgs": "nixpkgs_2",
"nixpkgs-unstable": "nixpkgs-unstable",
"opencode": "opencode",
"ragenix": "ragenix"
},
"locked": {
"lastModified": 1753294571,
"narHash": "sha256-o5pjY2Mh/gbbD2GT2zStATKN3AOvYfMmGOkN4L3qrgo=",
"ref": "refs/heads/master",
"rev": "bb90226e5e1731652b7ed64d0ab038e68a999dee",
"revCount": 551,
"type": "git",
"url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
"path": "../../common",
"type": "path"
},
"original": {
"type": "git",
"url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
}
"path": "../../common",
"type": "path"
},
"parent": []
},
"crane": {
"locked": {
@ -110,11 +103,11 @@
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1753055804,
"narHash": "sha256-KerePGJYX47ex6OY3CWsid4AltO2gDtQROunYJ0eCEE=",
"lastModified": 1753592768,
"narHash": "sha256-oV695RvbAE4+R9pcsT9shmp6zE/+IZe6evHWX63f2Qg=",
"owner": "rycee",
"repo": "home-manager",
"rev": "adf195f021a8cbb0c317f75b52e96c82616526f9",
"rev": "fc3add429f21450359369af74c2375cb34a2d204",
"type": "github"
},
"original": {
@ -165,7 +158,7 @@
},
"nixarr": {
"inputs": {
"nixpkgs": "nixpkgs_4",
"nixpkgs": "nixpkgs_3",
"vpnconfinement": "vpnconfinement",
"website-builder": "website-builder"
},
@ -185,11 +178,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1752620740,
"narHash": "sha256-f3pO+9lg66mV7IMmmIqG4PL3223TYMlnlw+pnpelbss=",
"lastModified": 1753345091,
"narHash": "sha256-CdX2Rtvp5I8HGu9swBmYuq+ILwRxpXdJwlpg8jvN4tU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "32a4e87942101f1c9f9865e04dc3ddb175f5f32e",
"rev": "3ff0e34b1383648053bba8ed03f201d3466f90c9",
"type": "github"
},
"original": {
@ -199,39 +192,7 @@
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1752950548,
"narHash": "sha256-NS6BLD0lxOrnCiEOcvQCDVPXafX1/ek1dfJHX1nUIzc=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "c87b95e25065c028d31a94f06a62927d18763fdf",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1752950548,
"narHash": "sha256-NS6BLD0lxOrnCiEOcvQCDVPXafX1/ek1dfJHX1nUIzc=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "c87b95e25065c028d31a94f06a62927d18763fdf",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1741379970,
"narHash": "sha256-Wh7esNh7G24qYleLvgOSY/7HlDUzWaL/n4qzlBePpiw=",
@ -247,7 +208,7 @@
"type": "github"
}
},
"nixpkgs_4": {
"nixpkgs_3": {
"locked": {
"lastModified": 1748662220,
"narHash": "sha256-7gGa49iB9nCnFk4h/g9zwjlQAyjtpgcFkODjcOQS0Es=",
@ -263,7 +224,7 @@
"type": "github"
}
},
"nixpkgs_5": {
"nixpkgs_4": {
"locked": {
"lastModified": 1750400657,
"narHash": "sha256-3vkjFnxCOP6vm5Pm13wC/Zy6/VYgei/I/2DWgW4RFeA=",
@ -279,7 +240,7 @@
"type": "github"
}
},
"nixpkgs_6": {
"nixpkgs_5": {
"locked": {
"lastModified": 1750188666,
"narHash": "sha256-yAfLvtbCzSigTfbsJeOrvljS7VYLAwi2RZ6F+qd+A5E=",
@ -1190,29 +1151,12 @@
"type": "github"
}
},
"opencode": {
"flake": false,
"locked": {
"lastModified": 1753194493,
"narHash": "sha256-eOsazBjkdTvGNsobb5WUBDB2udEJh9zkOeMfVH/tkQo=",
"owner": "sst",
"repo": "opencode",
"rev": "99d6a28249f10ba1fcb7d61599c008154663a51f",
"type": "github"
},
"original": {
"owner": "sst",
"ref": "v0.3.55",
"repo": "opencode",
"type": "github"
}
},
"ragenix": {
"inputs": {
"agenix": "agenix",
"crane": "crane",
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_3",
"nixpkgs": "nixpkgs_2",
"rust-overlay": "rust-overlay"
},
"locked": {
@ -1233,13 +1177,13 @@
"inputs": {
"common": "common",
"nixarr": "nixarr",
"nixpkgs": "nixpkgs_5",
"nixpkgs": "nixpkgs_4",
"ros_neovim": "ros_neovim"
}
},
"ros_neovim": {
"inputs": {
"nixpkgs": "nixpkgs_6",
"nixpkgs": "nixpkgs_5",
"nvim_plugin-Almo7aya/openingh.nvim": "nvim_plugin-Almo7aya/openingh.nvim",
"nvim_plugin-CopilotC-Nvim/CopilotChat.nvim": "nvim_plugin-CopilotC-Nvim/CopilotChat.nvim",
"nvim_plugin-JoosepAlviste/nvim-ts-context-commentstring": "nvim_plugin-JoosepAlviste/nvim-ts-context-commentstring",


@ -4,8 +4,8 @@
# nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
# Use relative to get current version for testing
# common.url = "path:../../common";
common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles";
common.url = "path:../../common";
# common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles";
ros_neovim.url = "git+https://git.joshuabell.xyz/ringofstorms/nvim";