From ac07ef2849ce88a034f01c8d5ab49e2ba39c136c Mon Sep 17 00:00:00 2001
From: "RingOfStorms (Joshua Bell)"
Date: Mon, 18 Aug 2025 17:39:46 -0500
Subject: [PATCH] wip zitadel

---
 hosts/h001/containers/zitadel.nix | 187 ++++++++++++++++++++++++++++++
 hosts/lio/flake.lock | 43 +++++--
 2 files changed, 219 insertions(+), 11 deletions(-)
 create mode 100644 hosts/h001/containers/zitadel.nix

diff --git a/hosts/h001/containers/zitadel.nix b/hosts/h001/containers/zitadel.nix
new file mode 100644
index 0000000..59ccfe4
--- /dev/null
+++ b/hosts/h001/containers/zitadel.nix
@@ -0,0 +1,187 @@
+{
+ config,
+ lib,
+ ...
+}:
+let
+ name = "zitadel";
+
+ hostDataDir = "/var/lib/${name}";
+
+ hostAddress = "10.0.0.1";
+ containerAddress = "10.0.0.3";
+ hostAddress6 = "fc00::1";
+ containerAddress6 = "fc00::3";
+
+ binds = [
+ # Postgres data, must use postgres user in container and host
+ {
+ host = "${hostDataDir}/postgres";
+ # Adjust based on container postgres data dir
+ container = "/var/lib/postgresql/17";
+ user = "postgres";
+ uid = config.ids.uids.postgres;
+ gid = config.ids.gids.postgres;
+ }
+ # Postgres backups
+ {
+ host = "${hostDataDir}/backups/postgres";
+ container = "/var/backup/postgresql";
+ user = "postgres";
+ uid = config.ids.uids.postgres;
+ gid = config.ids.gids.postgres;
+ }
+ ];
+ uniqueUsers = lib.foldl' (
+ acc: bind: if lib.lists.any (item: item.user == bind.user) acc then acc else acc ++ [ bind ]
+ ) [ ] binds;
+ users = {
+ users = lib.listToAttrs (
+ lib.map (u: {
+ name = u.user;
+ value = {
+ isSystemUser = true;
+ name = u.user;
+ uid = u.uid;
+ group = u.user;
+ };
+ }) uniqueUsers
+ );
+
+ groups = lib.listToAttrs (
+ lib.map (g: {
+ name = g.user;
+ value.gid = g.gid;
+ }) uniqueUsers
+ );
+ };
+
+in
+{
+ options = { };
+ config = {
+ services.nginx.virtualHosts."sso.joshuabell.xyz" = {
+ locations = {
+ "/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://${containerAddress}:8080";
+ };
+ };
+ };
+
+ containers.${name} = {
+ ephemeral = true;
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = hostAddress;
+ localAddress = containerAddress;
+ hostAddress6 = hostAddress6;
+ localAddress6 = containerAddress6;
+ bindMounts = lib.foldl (
+ acc: bind:
+ {
+ "${bind.container}" = {
+ hostPath = bind.host;
+ isReadOnly = false;
+ };
+ }
+ // acc
+ ) { } binds;
+ config =
+ { config, pkgs, ... }:
+ {
+ system.stateVersion = "25.05";
+
+ networking = {
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 3000
+ 3032
+ ];
+ };
+ # Use systemd-resolved inside the container
+ # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+ useHostResolvConf = lib.mkForce false;
+ };
+ services.resolved.enable = true;
+
+ # Ensure users exist on container
+ inherit users;
+
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_17.withJIT;
+ enableJIT = true;
+ authentication = ''
+ local all all trust
+ host all all 127.0.0.1/8 trust
+ host all all ::1/128 trust
+ host all all fc00::1/128 trust
+ '';
+ ensureDatabases = [ "zitadel" ];
+ ensureUsers = [
+ {
+ name = "zitadel";
+ ensureDBOwnership = true;
+ ensureClauses.login = true;
+ ensureClauses.superuser = true;
+ }
+ ];
+ };
+
+ # Backup database
+ services.postgresqlBackup = {
+ enable = true;
+ };
+
+ services.zitadel = {
+ enable = true;
+ # masterKeyFile = "TODO";
+ settings = {
+ Port = 8080;
+ Database.postgres = {
+ Host = "/var/run/postgresql/";
+ Port = 5432;
+ Database = "zitadel";
+ User = {
+ Username = "zitadel";
+ SSL.Mode = "disable";
+ };
+ Admin = {
+ Username = "zitadel";
+ SSL.Mode = "disable";
+ ExistingDatabase = "zitadel";
+ };
+ };
+ ExternalDomain = "sso.joshuabell.xyz";
+ ExternalPort = 443;
+ ExternalSecure = true;
+ };
+ steps.FirstInstance = {
+ InstanceName = "ros_sso";
+ Org = {
+ Name = "ZI";
+ Human = {
+ UserName = "admin@joshuabell.xyz";
+ FirstName = "admin";
+ LastName = "admin";
+ Email.Address = "admin@joshuabell.xuz";
+ Email.Verified = true;
+ Password = "Password1!";
+ PasswordChangeRequired = true;
+ };
+ };
+ LoginPolicy.AllowRegister = false;
+ };
+ openFirewall = true;
+ };
+
+ systemd.services.zitadel = {
+ requires = [ "postgresql.service" ];
+ after = [ "postgresql.service" ];
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/lio/flake.lock b/hosts/lio/flake.lock
index eb8b21e..de9731f 100644
--- a/hosts/lio/flake.lock
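Review bot: `Password = "Password1!"` under `steps.FirstInstance.Org.Human` is a plaintext bootstrap credential that lands in git history and in the world-readable Nix store, and `PasswordChangeRequired = true` only takes effect once someone actually logs in; keep the value out of `steps` (a secret file supplied through the module's extra steps path, if this module version offers one, or at minimum a throwaway value rotated right after first login). In the same block `Email.Address = "admin@joshuabell.xuz"` does not match `UserName = "admin@joshuabell.xyz"` and looks like a typo for `.xyz`. The `# masterKeyFile = "TODO";` line leaves the master key unconfigured, so the hunk is not deployable as written. The postgres `authentication` block grants `trust` over TCP to `::1/128` and `fc00::1/128` (the host side of the veth) while the zitadel role is created with `ensureClauses.superuser = true`, yet `Database.postgres.Host = "/var/run/postgresql/"` only uses the unix socket, so the `host ... trust` lines appear unnecessary and widen passwordless superuser access. `allowedTCPPorts = [ 3000 3032 ]` does not correspond to the `Port = 8080` zitadel listens on and looks like a leftover from another container.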
+++ b/hosts/lio/flake.lock
@@ -29,17 +29,22 @@
 "inputs": {
 "home-manager": "home-manager",
 "nix-flatpak": "nix-flatpak",
+ "nixpkgs": "nixpkgs_2",
 "ragenix": "ragenix"
 },
 "locked": {
- "path": "../../common",
- "type": "path"
+ "lastModified": 1755556726,
+ "narHash": "sha256-Bah1pYn3hoD/x604BftJChpSp8+ySBUvlnybCjL1zjE=",
+ "ref": "refs/heads/master",
+ "rev": "066e915e43bbe1927864548c49b380b62c2e431f",
+ "revCount": 597,
+ "type": "git",
+ "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
 },
 "original": {
- "path": "../../common",
- "type": "path"
- },
- "parent": []
+ "type": "git",
+ "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
+ }
 },
 "crane": {
 "locked": {
@@ -173,6 +178,22 @@
 }
 },
 "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1753694789,
+ "narHash": "sha256-cKgvtz6fKuK1Xr5LQW/zOUiAC0oSQoA9nOISB0pJZqM=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "dc9637876d0dcc8c9e5e22986b857632effeb727",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_3": {
 "locked": {
 "lastModified": 1741379970,
 "narHash": "sha256-Wh7esNh7G24qYleLvgOSY/7HlDUzWaL/n4qzlBePpiw=",
@@ -188,7 +209,7 @@
 "type": "github"
 }
 },
- "nixpkgs_3": {
+ "nixpkgs_4": {
 "locked": {
 "lastModified": 1754937576,
 "narHash": "sha256-3sWA5WJybUE16kIMZ3+uxcxKZY/JRR4DFBqLdSLBo7w=",
@@ -204,7 +225,7 @@
 "type": "github"
 }
 },
- "nixpkgs_4": {
+ "nixpkgs_5": {
 "locked": {
 "lastModified": 1753848940,
 "narHash": "sha256-jH7fqN4HzsIlj2c/SAuVWmgUIjBwDdEKVnL97xlECHY=",
@@ -1104,7 +1125,7 @@
 "agenix": "agenix",
 "crane": "crane",
 "flake-utils": "flake-utils",
- "nixpkgs": "nixpkgs_2",
+ "nixpkgs": "nixpkgs_3",
 "rust-overlay": "rust-overlay"
 },
 "locked": {
@@ -1124,13 +1145,13 @@
 "root": {
 "inputs": {
 "common": "common",
- "nixpkgs": "nixpkgs_3",
+ "nixpkgs": "nixpkgs_4",
 "ros_neovim": "ros_neovim"
 }
 },
 "ros_neovim": {
 "inputs": {
- "nixpkgs": "nixpkgs_4",
+ "nixpkgs": "nixpkgs_5",
 "nvim_plugin-Almo7aya/openingh.nvim": "nvim_plugin-Almo7aya/openingh.nvim",
 "nvim_plugin-CopilotC-Nvim/CopilotChat.nvim": "nvim_plugin-CopilotC-Nvim/CopilotChat.nvim",
 "nvim_plugin-JoosepAlviste/nvim-ts-context-commentstring": "nvim_plugin-JoosepAlviste/nvim-ts-context-commentstring",