mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-06-27 03:26:50 +03:00
4f0dadbf38
After final improvements to the official formatter implementation,
this commit now performs the first treewide reformat of Nix files using it.
This is part of the implementation of RFC 166.
Only "inactive" files are reformatted, meaning only files that
aren't being touched by any PR with activity in the past 2 months.
This is to avoid conflicts for PRs that might soon be merged.
Later we can do a full treewide reformat to get the rest,
which should not cause as many conflicts.
A CI check has already been running for some time to ensure that new and
already-formatted files are formatted, so the files being reformatted here
should also stay formatted.
This commit was automatically created and can be verified using
nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \
--argstr baseRev b32a094368
result/bin/apply-formatting $NIXPKGS_PATH
242 lines
6.9 KiB
Nix
242 lines
6.9 KiB
Nix
{
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
...
|
|
}:
|
|
|
|
let
|
|
cfg = config.services.zitadel;
|
|
|
|
settingsFormat = pkgs.formats.yaml { };
|
|
in
|
|
{
|
|
options.services.zitadel =
|
|
let
|
|
inherit (lib)
|
|
mkEnableOption
|
|
mkOption
|
|
mkPackageOption
|
|
types
|
|
;
|
|
in
|
|
{
|
|
enable = mkEnableOption "ZITADEL, a user and identity access management platform";
|
|
|
|
package = mkPackageOption pkgs "ZITADEL" { default = [ "zitadel" ]; };
|
|
|
|
user = mkOption {
|
|
type = types.str;
|
|
default = "zitadel";
|
|
description = "The user to run ZITADEL under.";
|
|
};
|
|
|
|
group = mkOption {
|
|
type = types.str;
|
|
default = "zitadel";
|
|
description = "The group to run ZITADEL under.";
|
|
};
|
|
|
|
openFirewall = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = ''
|
|
Whether to open the port specified in `listenPort` in the firewall.
|
|
'';
|
|
};
|
|
|
|
masterKeyFile = mkOption {
|
|
type = types.path;
|
|
description = ''
|
|
Path to a file containing a master encryption key for ZITADEL. The
|
|
key must be 32 bytes.
|
|
'';
|
|
};
|
|
|
|
tlsMode = mkOption {
|
|
type = types.enum [
|
|
"external"
|
|
"enabled"
|
|
"disabled"
|
|
];
|
|
default = "external";
|
|
example = "enabled";
|
|
description = ''
|
|
The TLS mode to use. Options are:
|
|
|
|
- enabled: ZITADEL accepts HTTPS connections directly. You must
|
|
configure TLS if this option is selected.
|
|
- external: ZITADEL forces HTTPS connections, with TLS terminated at a
|
|
reverse proxy.
|
|
- disabled: ZITADEL accepts HTTP connections only. Should only be used
|
|
for testing.
|
|
'';
|
|
};
|
|
|
|
settings = mkOption {
|
|
type = lib.types.submodule {
|
|
freeformType = settingsFormat.type;
|
|
|
|
options = {
|
|
Port = mkOption {
|
|
type = types.port;
|
|
default = 8080;
|
|
description = "The port that ZITADEL listens on.";
|
|
};
|
|
|
|
TLS = {
|
|
KeyPath = mkOption {
|
|
type = types.nullOr types.path;
|
|
default = null;
|
|
description = "Path to the TLS certificate private key.";
|
|
};
|
|
Key = mkOption {
|
|
type = types.nullOr types.str;
|
|
default = null;
|
|
description = ''
|
|
The TLS certificate private key, as a base64-encoded string.
|
|
|
|
Note that the contents of this option will be added to the Nix
|
|
store as world-readable plain text. Set
|
|
[KeyPath](#opt-services.zitadel.settings.TLS.KeyPath) instead
|
|
if this is undesired.
|
|
'';
|
|
};
|
|
CertPath = mkOption {
|
|
type = types.nullOr types.path;
|
|
default = null;
|
|
description = "Path to the TLS certificate.";
|
|
};
|
|
Cert = mkOption {
|
|
type = types.nullOr types.str;
|
|
default = null;
|
|
description = ''
|
|
The TLS certificate, as a base64-encoded string.
|
|
|
|
Note that the contents of this option will be added to the Nix
|
|
store as world-readable plain text. Set
|
|
[CertPath](#opt-services.zitadel.settings.TLS.CertPath) instead
|
|
if this is undesired.
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
};
|
|
default = { };
|
|
example = lib.literalExpression ''
|
|
{
|
|
Port = 8123;
|
|
ExternalDomain = "example.com";
|
|
TLS = {
|
|
CertPath = "/path/to/cert.pem";
|
|
KeyPath = "/path/to/cert.key";
|
|
};
|
|
Database.cockroach.Host = "db.example.com";
|
|
};
|
|
'';
|
|
description = ''
|
|
Contents of the runtime configuration file. See
|
|
https://zitadel.com/docs/self-hosting/manage/configure for more
|
|
details.
|
|
'';
|
|
};
|
|
|
|
extraSettingsPaths = mkOption {
|
|
type = types.listOf types.path;
|
|
default = [ ];
|
|
description = ''
|
|
A list of paths to extra settings files. These will override the
|
|
values set in [settings](#opt-services.zitadel.settings). Useful if
|
|
you want to keep sensitive secrets out of the Nix store.
|
|
'';
|
|
};
|
|
|
|
steps = mkOption {
|
|
type = settingsFormat.type;
|
|
default = { };
|
|
example = lib.literalExpression ''
|
|
{
|
|
FirstInstance = {
|
|
InstanceName = "Example";
|
|
Org.Human = {
|
|
UserName = "foobar";
|
|
FirstName = "Foo";
|
|
LastName = "Bar";
|
|
};
|
|
};
|
|
}
|
|
'';
|
|
description = ''
|
|
Contents of the database initialization config file. See
|
|
https://zitadel.com/docs/self-hosting/manage/configure for more
|
|
details.
|
|
'';
|
|
};
|
|
|
|
extraStepsPaths = mkOption {
|
|
type = types.listOf types.path;
|
|
default = [ ];
|
|
description = ''
|
|
A list of paths to extra steps files. These will override the values
|
|
set in [steps](#opt-services.zitadel.steps). Useful if you want to
|
|
keep sensitive secrets out of the Nix store.
|
|
'';
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
assertions = [
|
|
{
|
|
assertion =
|
|
cfg.tlsMode == "enabled"
|
|
-> (
|
|
(cfg.settings.TLS.Key != null || cfg.settings.TLS.KeyPath != null)
|
|
&& (cfg.settings.TLS.Cert != null || cfg.settings.TLS.CertPath != null)
|
|
);
|
|
message = ''
|
|
A TLS certificate and key must be configured in
|
|
services.zitadel.settings.TLS if services.zitadel.tlsMode is enabled.
|
|
'';
|
|
}
|
|
];
|
|
|
|
networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ cfg.settings.Port ];
|
|
|
|
systemd.services.zitadel =
|
|
let
|
|
configFile = settingsFormat.generate "config.yaml" cfg.settings;
|
|
stepsFile = settingsFormat.generate "steps.yaml" cfg.steps;
|
|
|
|
args = lib.cli.toGNUCommandLineShell { } {
|
|
config = cfg.extraSettingsPaths ++ [ configFile ];
|
|
steps = cfg.extraStepsPaths ++ [ stepsFile ];
|
|
masterkeyFile = cfg.masterKeyFile;
|
|
inherit (cfg) tlsMode;
|
|
};
|
|
in
|
|
{
|
|
description = "ZITADEL identity access management";
|
|
path = [ cfg.package ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
script = ''
|
|
zitadel start-from-init ${args}
|
|
'';
|
|
|
|
serviceConfig = {
|
|
Type = "simple";
|
|
User = cfg.user;
|
|
Group = cfg.group;
|
|
Restart = "on-failure";
|
|
};
|
|
};
|
|
|
|
users.users.zitadel = lib.mkIf (cfg.user == "zitadel") {
|
|
isSystemUser = true;
|
|
group = cfg.group;
|
|
};
|
|
users.groups.zitadel = lib.mkIf (cfg.group == "zitadel") { };
|
|
};
|
|
|
|
meta.maintainers = [ ];
|
|
}
|