nixos/hosts/homelab/sso.nix

{
  config,
  pkgsUnstable,
  ...
}: let
  port = 9190;
  rootDomain = "nickolaj.com";
  zitadelDomain = "sso.${rootDomain}";
  oathproxyDomain = "oauth2-proxy.${rootDomain}";
in {
  age.secrets.zitadel-master = {
    rekeyFile = ../../secrets/hosts/homelab/zitadel-master.age;
    owner = config.services.zitadel.user;
  };
  age.secrets.oauth2-proxy = {
    rekeyFile = ../../secrets/hosts/homelab/oauth2-proxy-keyfile.age;
    owner = "oauth2-proxy";
  };

  services.nginx.virtualHosts."${zitadelDomain}" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString port}";
      extraConfig = ''
        grpc_pass grpc://127.0.0.1:${toString port};
        grpc_set_header Host $host:$server_port;
      '';
    };
  };
  services.nginx.virtualHosts."${oathproxyDomain}" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyWebsockets = true;
      proxyPass = "http://127.0.0.1:4180";
    };
  };

  services.postgresql = {
    ensureDatabases = ["zitadel"];
    ensureUsers = [
      {
        name = "zitadel";
        ensureDBOwnership = true;
        ensureClauses.login = true;
        ensureClauses.superuser = true;
      }
    ];
  };

  services.zitadel = {
    enable = true;
    package = pkgsUnstable.zitadel;
    masterKeyFile = config.age.secrets.zitadel-master.path;
    settings = {
      Port = port;
      Database.postgres = {
        Host = "/var/run/postgresql/";
        Port = 5432;
        Database = "zitadel";
        User = {
          Username = "zitadel";
          SSL.Mode = "disable";
        };
        Admin = {
          Username = "zitadel";
          SSL.Mode = "disable";
          ExistingDatabase = "zitadel";
        };
      };
      ExternalDomain = zitadelDomain;
      ExternalPort = 443;
      ExternalSecure = true;
    };
    steps.FirstInstance = {
      InstanceName = "Fireproof Auth";
      Org = {
        Name = "Fireproof Auth";
        Human = {
          UserName = "nickolaj1177@gmail.com";
          FirstName = "Nickolaj";
          LastName = "Jepsen";
          Email.Verified = true;
          Password = "Password1!";
          PasswordChangeRequired = true;
        };
      };
      LoginPolicy.AllowRegister = false;
    };
  };

  services.oauth2-proxy = {
    enable = true;
    provider = "oidc";
    reverseProxy = true;
    redirectURL = "https://${oathproxyDomain}/oauth2/callback";
    validateURL = "https://${zitadelDomain}/oauth2/";
    oidcIssuerUrl = "https://${zitadelDomain}:443";
    keyFile = config.age.secrets.oauth2-proxy.path;
    nginx.domain = oathproxyDomain;
    email.domains = ["*"];
    extraConfig = {
      whitelist-domain = ".${rootDomain}";
      cookie-domain = ".${rootDomain}";
    };
  };
}
wip: niri 2025-04-27 23:58:02 +02:00			`{`
			`config,`
			`pkgsUnstable,`
			`...`
			`}: let`
feat(homelab): implement SSO 2025-04-26 20:02:56 +02:00			`port = 9190;`
			`rootDomain = "nickolaj.com";`
			`zitadelDomain = "sso.${rootDomain}";`
			`oathproxyDomain = "oauth2-proxy.${rootDomain}";`
			`in {`
			`age.secrets.zitadel-master = {`
			`rekeyFile = ../../secrets/hosts/homelab/zitadel-master.age;`
			`owner = config.services.zitadel.user;`
			`};`
			`age.secrets.oauth2-proxy = {`
			`rekeyFile = ../../secrets/hosts/homelab/oauth2-proxy-keyfile.age;`
			`owner = "oauth2-proxy";`
			`};`

			`services.nginx.virtualHosts."${zitadelDomain}" = {`
			`enableACME = true;`
			`forceSSL = true;`
			`locations."/" = {`
			`proxyPass = "http://127.0.0.1:${toString port}";`
			`extraConfig = ''`
			`grpc_pass grpc://127.0.0.1:${toString port};`
			`grpc_set_header Host $host:$server_port;`
			`'';`
			`};`
			`};`
			`services.nginx.virtualHosts."${oathproxyDomain}" = {`
			`enableACME = true;`
			`forceSSL = true;`
			`locations."/" = {`
			`proxyWebsockets = true;`
			`proxyPass = "http://127.0.0.1:4180";`
			`};`
			`};`

			`services.postgresql = {`
			`ensureDatabases = ["zitadel"];`
			`ensureUsers = [`
			`{`
			`name = "zitadel";`
			`ensureDBOwnership = true;`
			`ensureClauses.login = true;`
			`ensureClauses.superuser = true;`
			`}`
			`];`
			`};`

			`services.zitadel = {`
			`enable = true;`
			`package = pkgsUnstable.zitadel;`
			`masterKeyFile = config.age.secrets.zitadel-master.path;`
			`settings = {`
			`Port = port;`
			`Database.postgres = {`
			`Host = "/var/run/postgresql/";`
			`Port = 5432;`
			`Database = "zitadel";`
			`User = {`
			`Username = "zitadel";`
			`SSL.Mode = "disable";`
			`};`
			`Admin = {`
			`Username = "zitadel";`
			`SSL.Mode = "disable";`
			`ExistingDatabase = "zitadel";`
			`};`
			`};`
			`ExternalDomain = zitadelDomain;`
			`ExternalPort = 443;`
			`ExternalSecure = true;`
			`};`
			`steps.FirstInstance = {`
			`InstanceName = "Fireproof Auth";`
			`Org = {`
			`Name = "Fireproof Auth";`
			`Human = {`
			`UserName = "nickolaj1177@gmail.com";`
			`FirstName = "Nickolaj";`
			`LastName = "Jepsen";`
			`Email.Verified = true;`
			`Password = "Password1!";`
			`PasswordChangeRequired = true;`
			`};`
			`};`
			`LoginPolicy.AllowRegister = false;`
			`};`
			`};`

			`services.oauth2-proxy = {`
			`enable = true;`
			`provider = "oidc";`
			`reverseProxy = true;`
			`redirectURL = "https://${oathproxyDomain}/oauth2/callback";`
			`validateURL = "https://${zitadelDomain}/oauth2/";`
			`oidcIssuerUrl = "https://${zitadelDomain}:443";`
			`keyFile = config.age.secrets.oauth2-proxy.path;`
			`nginx.domain = oathproxyDomain;`
			`email.domains = ["*"];`
			`extraConfig = {`
			`whitelist-domain = ".${rootDomain}";`
			`cookie-domain = ".${rootDomain}";`
			`};`
			`};`
			`}`