ringofstorms/dotfiles
ringofstorms/dotfiles
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

zitadel functioning on h001

Browse source
This commit is contained in:
RingOfStorms (Joshua Bell) 2025-08-18 21:06:17 -05:00
parent 8bf46bde79
commit 4978a98cc7
6 changed files with 60 additions and 119 deletions
Download patch file Download diff file Expand all files Collapse all files

5
common/secrets/default.nix
View file

@ -118,6 +118,11 @@ in
file = ./secrets/us_chi_wg.age; file = ./secrets/us_chi_wg.age;
owner = users_cfg.primary; owner = users_cfg.primary;
}; };
zitadel_master_key = {
file = ./secrets/zitadel_master_key.age;
owner = users_cfg.primary;
mode = "444"; # World readable!
};
}; };
}; };
}; };

35
flake.lock generated
View file

@ -153,22 +153,6 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-unstable": {
"locked": {
"lastModified": 1753694789,
"narHash": "sha256-cKgvtz6fKuK1Xr5LQW/zOUiAC0oSQoA9nOISB0pJZqM=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "dc9637876d0dcc8c9e5e22986b857632effeb727",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1753694789, "lastModified": 1753694789,
@ -201,23 +185,6 @@
"type": "github" "type": "github"
} }
}, },
"opencode": {
"flake": false,
"locked": {
"lastModified": 1754890102,
"narHash": "sha256-3o8bHU5vSG+MxbvjLzlqeagnW9hnekl0hlj3EiNFaaQ=",
"owner": "sst",
"repo": "opencode",
"rev": "4580c88c0b38519e8187d2df1035e9538b51ec2a",
"type": "github"
},
"original": {
"owner": "sst",
"ref": "v0.4.12",
"repo": "opencode",
"type": "github"
}
},
"ragenix": { "ragenix": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
@ -245,8 +212,6 @@
"home-manager": "home-manager", "home-manager": "home-manager",
"nix-flatpak": "nix-flatpak", "nix-flatpak": "nix-flatpak",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_2",
"nixpkgs-unstable": "nixpkgs-unstable",
"opencode": "opencode",
"ragenix": "ragenix" "ragenix": "ragenix"
} }
}, },

1
hosts/h001/containers/default.nix
View file

@ -11,6 +11,7 @@ in
common.nixosModules.containers.forgejo common.nixosModules.containers.forgejo
./opengist.nix ./opengist.nix
./homarr.nix ./homarr.nix
./zitadel.nix
]; ];
config = { config = {

40
hosts/h001/containers/zitadel.nix
View file

@ -31,10 +31,17 @@ let
uid = config.ids.uids.postgres; uid = config.ids.uids.postgres;
gid = config.ids.gids.postgres; gid = config.ids.gids.postgres;
} }
# secret
{
host = config.age.secrets.zitadel_master_key.path;
container = "/var/secrets/zitadel_master_key.age";
readOnly = true;
}
]; ];
bindsWithUsers = lib.filter (b: b ? user) binds;
uniqueUsers = lib.foldl' ( uniqueUsers = lib.foldl' (
acc: bind: if lib.lists.any (item: item.user == bind.user) acc then acc else acc ++ [ bind ] acc: bind: if lib.lists.any (item: item.user == bind.user) acc then acc else acc ++ [ bind ]
) [ ] binds; ) [ ] bindsWithUsers;
users = { users = {
users = lib.listToAttrs ( users = lib.listToAttrs (
lib.map (u: { lib.map (u: {
@ -64,11 +71,31 @@ in
locations = { locations = {
"/" = { "/" = {
proxyWebsockets = true; proxyWebsockets = true;
recommendedProxySettings = true;
proxyPass = "http://${containerAddress}:8080"; proxyPass = "http://${containerAddress}:8080";
extraConfig = ''
proxy_set_header X-Forwarded-Proto https;
'';
}; };
}; };
}; };
networking.firewall.allowedTCPPorts = [ 8080 ];
# Ensure users exist on host machine
inherit users;
# Ensure directories exist on host machine
system.activationScripts."createDirsFor${name}" = ''
${lib.concatStringsSep "\n" (
lib.map (bind: ''
mkdir -p ${bind.host}
chown -R ${toString bind.user}:${toString bind.gid} ${bind.host}
chmod -R 750 ${bind.host}
'') bindsWithUsers
)}
'';
containers.${name} = { containers.${name} = {
ephemeral = true; ephemeral = true;
autoStart = true; autoStart = true;
@ -82,7 +109,7 @@ in
{ {
"${bind.container}" = { "${bind.container}" = {
hostPath = bind.host; hostPath = bind.host;
isReadOnly = false; isReadOnly = bind.readOnly or false;
}; };
} }
// acc // acc
@ -96,8 +123,7 @@ in
firewall = { firewall = {
enable = true; enable = true;
allowedTCPPorts = [ allowedTCPPorts = [
3000 8080
3032
]; ];
}; };
# Use systemd-resolved inside the container # Use systemd-resolved inside the container
@ -137,7 +163,7 @@ in
services.zitadel = { services.zitadel = {
enable = true; enable = true;
# masterKeyFile = "TODO"; masterKeyFile = "/var/secrets/zitadel_master_key.age";
settings = { settings = {
Port = 8080; Port = 8080;
Database.postgres = { Database.postgres = {
@ -159,9 +185,9 @@ in
ExternalSecure = true; ExternalSecure = true;
}; };
steps.FirstInstance = { steps.FirstInstance = {
InstanceName = "ros_sso"; InstanceName = "sso";
Org = { Org = {
Name = "ZI"; Name = "SSO";
Human = { Human = {
UserName = "admin@joshuabell.xyz"; UserName = "admin@joshuabell.xyz";
FirstName = "admin"; FirstName = "admin";

94
hosts/h001/flake.lock generated
View file

@ -29,24 +29,17 @@
"inputs": { "inputs": {
"home-manager": "home-manager", "home-manager": "home-manager",
"nix-flatpak": "nix-flatpak", "nix-flatpak": "nix-flatpak",
"nixpkgs": "nixpkgs_2",
"nixpkgs-unstable": "nixpkgs-unstable",
"opencode": "opencode",
"ragenix": "ragenix" "ragenix": "ragenix"
}, },
"locked": { "locked": {
"lastModified": 1753294571, "path": "../../common",
"narHash": "sha256-o5pjY2Mh/gbbD2GT2zStATKN3AOvYfMmGOkN4L3qrgo=", "type": "path"
"ref": "refs/heads/master",
"rev": "bb90226e5e1731652b7ed64d0ab038e68a999dee",
"revCount": 551,
"type": "git",
"url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
}, },
"original": { "original": {
"type": "git", "path": "../../common",
"url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" "type": "path"
} },
"parent": []
}, },
"crane": { "crane": {
"locked": { "locked": {
@ -110,11 +103,11 @@
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
}, },
"locked": { "locked": {
"lastModified": 1753055804, "lastModified": 1753592768,
"narHash": "sha256-KerePGJYX47ex6OY3CWsid4AltO2gDtQROunYJ0eCEE=", "narHash": "sha256-oV695RvbAE4+R9pcsT9shmp6zE/+IZe6evHWX63f2Qg=",
"owner": "rycee", "owner": "rycee",
"repo": "home-manager", "repo": "home-manager",
"rev": "adf195f021a8cbb0c317f75b52e96c82616526f9", "rev": "fc3add429f21450359369af74c2375cb34a2d204",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -165,7 +158,7 @@
}, },
"nixarr": { "nixarr": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs_4", "nixpkgs": "nixpkgs_3",
"vpnconfinement": "vpnconfinement", "vpnconfinement": "vpnconfinement",
"website-builder": "website-builder" "website-builder": "website-builder"
}, },
@ -185,11 +178,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1752620740, "lastModified": 1753345091,
"narHash": "sha256-f3pO+9lg66mV7IMmmIqG4PL3223TYMlnlw+pnpelbss=", "narHash": "sha256-CdX2Rtvp5I8HGu9swBmYuq+ILwRxpXdJwlpg8jvN4tU=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "32a4e87942101f1c9f9865e04dc3ddb175f5f32e", "rev": "3ff0e34b1383648053bba8ed03f201d3466f90c9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -199,39 +192,7 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-unstable": {
"locked": {
"lastModified": 1752950548,
"narHash": "sha256-NS6BLD0lxOrnCiEOcvQCDVPXafX1/ek1dfJHX1nUIzc=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "c87b95e25065c028d31a94f06a62927d18763fdf",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": { "nixpkgs_2": {
"locked": {
"lastModified": 1752950548,
"narHash": "sha256-NS6BLD0lxOrnCiEOcvQCDVPXafX1/ek1dfJHX1nUIzc=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "c87b95e25065c028d31a94f06a62927d18763fdf",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1741379970, "lastModified": 1741379970,
"narHash": "sha256-Wh7esNh7G24qYleLvgOSY/7HlDUzWaL/n4qzlBePpiw=", "narHash": "sha256-Wh7esNh7G24qYleLvgOSY/7HlDUzWaL/n4qzlBePpiw=",
@ -247,7 +208,7 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_4": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1748662220, "lastModified": 1748662220,
"narHash": "sha256-7gGa49iB9nCnFk4h/g9zwjlQAyjtpgcFkODjcOQS0Es=", "narHash": "sha256-7gGa49iB9nCnFk4h/g9zwjlQAyjtpgcFkODjcOQS0Es=",
@ -263,7 +224,7 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_5": { "nixpkgs_4": {
"locked": { "locked": {
"lastModified": 1750400657, "lastModified": 1750400657,
"narHash": "sha256-3vkjFnxCOP6vm5Pm13wC/Zy6/VYgei/I/2DWgW4RFeA=", "narHash": "sha256-3vkjFnxCOP6vm5Pm13wC/Zy6/VYgei/I/2DWgW4RFeA=",
@ -279,7 +240,7 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_6": { "nixpkgs_5": {
"locked": { "locked": {
"lastModified": 1750188666, "lastModified": 1750188666,
"narHash": "sha256-yAfLvtbCzSigTfbsJeOrvljS7VYLAwi2RZ6F+qd+A5E=", "narHash": "sha256-yAfLvtbCzSigTfbsJeOrvljS7VYLAwi2RZ6F+qd+A5E=",
@ -1190,29 +1151,12 @@
"type": "github" "type": "github"
} }
}, },
"opencode": {
"flake": false,
"locked": {
"lastModified": 1753194493,
"narHash": "sha256-eOsazBjkdTvGNsobb5WUBDB2udEJh9zkOeMfVH/tkQo=",
"owner": "sst",
"repo": "opencode",
"rev": "99d6a28249f10ba1fcb7d61599c008154663a51f",
"type": "github"
},
"original": {
"owner": "sst",
"ref": "v0.3.55",
"repo": "opencode",
"type": "github"
}
},
"ragenix": { "ragenix": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
"crane": "crane", "crane": "crane",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs_2",
"rust-overlay": "rust-overlay" "rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
@ -1233,13 +1177,13 @@
"inputs": { "inputs": {
"common": "common", "common": "common",
"nixarr": "nixarr", "nixarr": "nixarr",
"nixpkgs": "nixpkgs_5", "nixpkgs": "nixpkgs_4",
"ros_neovim": "ros_neovim" "ros_neovim": "ros_neovim"
} }
}, },
"ros_neovim": { "ros_neovim": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs_6", "nixpkgs": "nixpkgs_5",
"nvim_plugin-Almo7aya/openingh.nvim": "nvim_plugin-Almo7aya/openingh.nvim", "nvim_plugin-Almo7aya/openingh.nvim": "nvim_plugin-Almo7aya/openingh.nvim",
"nvim_plugin-CopilotC-Nvim/CopilotChat.nvim": "nvim_plugin-CopilotC-Nvim/CopilotChat.nvim", "nvim_plugin-CopilotC-Nvim/CopilotChat.nvim": "nvim_plugin-CopilotC-Nvim/CopilotChat.nvim",
"nvim_plugin-JoosepAlviste/nvim-ts-context-commentstring": "nvim_plugin-JoosepAlviste/nvim-ts-context-commentstring", "nvim_plugin-JoosepAlviste/nvim-ts-context-commentstring": "nvim_plugin-JoosepAlviste/nvim-ts-context-commentstring",

4
hosts/h001/flake.nix
View file

@ -4,8 +4,8 @@
# nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
# Use relative to get current version for testing # Use relative to get current version for testing
# common.url = "path:../../common"; common.url = "path:../../common";
common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles"; # common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles";
ros_neovim.url = "git+https://git.joshuabell.xyz/ringofstorms/nvim"; ros_neovim.url = "git+https://git.joshuabell.xyz/ringofstorms/nvim";