zitadel: init at 2.37.2; nixos/zitadel: init (#254896)

    githubId = 53029739;

    name = "Joshua Ortiz";

  };

  Sorixelle = {

    email = "ruby+nixpkgs@srxl.me";

    matrix = "@ruby:isincredibly.gay";

    name = "Ruby Iris Juric";

    github = "Sorixelle";

    githubId = 38685302;

    keys = [{

      fingerprint = "2D76 76C7 A28E 16FC 75C7  268D 1B55 6ED8 4B0E 303A";

    }];

  };

  sorki = {

    email = "srk@48.io";

    github = "sorki";

- [audiobookshelf](https://github.com/advplyr/audiobookshelf/), a self-hosted audiobook and podcast server. Available as [services.audiobookshelf](#opt-services.audiobookshelf.enable).

- [ZITADEL](https://zitadel.com), a turnkey identity and access management platform. Available as [services.zitadel](#opt-services.zitadel.enable).

## Backward Incompatibilities {#sec-release-23.11-incompatibilities}

- The `boot.loader.raspberryPi` options have been marked deprecated, with intent for removal for NixOS 24.11. They had a limited use-case, and do not work like people expect. They required either very old installs ([before mid-2019](https://github.com/NixOS/nixpkgs/pull/62462)) or customized builds out of scope of the standard and generic AArch64 support. That option set never supported the Raspberry Pi 4 family of devices.

  ./services/web-apps/writefreely.nix

  ./services/web-apps/youtrack.nix

  ./services/web-apps/zabbix.nix

  ./services/web-apps/zitadel.nix

  ./services/web-servers/agate.nix

  ./services/web-servers/apache-httpd/default.nix

  ./services/web-servers/caddy/default.nix

{ config, pkgs, lib, ... }:

let

  cfg = config.services.zitadel;

  settingsFormat = pkgs.formats.yaml { };

in

{

  options.services.zitadel =

    let inherit (lib) mkEnableOption mkOption mkPackageOption types;

    in {

      enable = mkEnableOption "ZITADEL, a user and identity access management platform.";

      package = mkPackageOption pkgs "ZITADEL" { default = [ "zitadel" ]; };

      user = mkOption {

        type = types.str;

        default = "zitadel";

        description = "The user to run ZITADEL under.";

      };

      group = mkOption {

        type = types.str;

        default = "zitadel";

        description = "The group to run ZITADEL under.";

      };

      openFirewall = mkOption {

        type = types.bool;

        default = false;

        description = ''

          Whether to open the port specified in `listenPort` in the firewall.

        '';

      };

      masterKeyFile = mkOption {

        type = types.path;

        description = ''

          Path to a file containing a master encryption key for ZITADEL. The

          key must be 32 bytes.

        '';

      };

      tlsMode = mkOption {

        type = types.enum [ "external" "enabled" "disabled" ];

        default = "external";

        example = "enabled";

        description = ''

          The TLS mode to use. Options are:

          - enabled: ZITADEL accepts HTTPS connections directly. You must

            configure TLS if this option is selected.

          - external: ZITADEL forces HTTPS connections, with TLS terminated at a

            reverse proxy.

          - disabled: ZITADEL accepts HTTP connections only. Should only be used

            for testing.

        '';

      };

      settings = mkOption {

        type = lib.types.submodule {

          freeformType = settingsFormat.type;

          options = {

            Port = mkOption {

              type = types.port;

              default = 8080;

              description = "The port that ZITADEL listens on.";

            };

            TLS = {

              KeyPath = mkOption {

                type = types.nullOr types.path;

                default = null;

                description = "Path to the TLS certificate private key.";

              };

              Key = mkOption {

                type = types.nullOr types.str;

                default = null;

                description = ''

                  The TLS certificate private key, as a base64-encoded string.

                  Note that the contents of this option will be added to the Nix

                  store as world-readable plain text. Set

                  [KeyPath](#opt-services.zitadel.settings.TLS.KeyPath) instead

                  if this is undesired.

                '';

              };

              CertPath = mkOption {

                type = types.nullOr types.path;

                default = null;

                description = "Path to the TLS certificate.";

              };

              Cert = mkOption {

                type = types.nullOr types.str;

                default = null;

                description = ''

                  The TLS certificate, as a base64-encoded string.

                  Note that the contents of this option will be added to the Nix

                  store as world-readable plain text. Set

                  [CertPath](#opt-services.zitadel.settings.TLS.CertPath) instead

                  if this is undesired.

                '';

              };

            };

          };

        };

        default = { };

        example = lib.literalExpression ''

          {

            Port = 8123;

            ExternalDomain = "example.com";

            TLS = {

              CertPath = "/path/to/cert.pem";

              KeyPath = "/path/to/cert.key";

            };

            Database.cockroach.Host = "db.example.com";

          };

        '';

        description = ''

          Contents of the runtime configuration file. See

          https://zitadel.com/docs/self-hosting/manage/configure for more

          details.

        '';

      };

      extraSettingsPaths = mkOption {

        type = types.listOf types.path;

        default = [ ];

        description = ''

          A list of paths to extra settings files. These will override the

          values set in [settings](#opt-services.zitadel.settings). Useful if

          you want to keep sensitive secrets out of the Nix store.

        '';

      };

      steps = mkOption {

        type = settingsFormat.type;

        default = { };

        example = lib.literalExpression ''

          {

            FirstInstance = {

              InstanceName = "Example";

              Org.Human = {

                UserName = "foobar";

                FirstName = "Foo";

                LastName = "Bar";

              };

            };

          }

        '';

        description = ''

          Contents of the database initialization config file. See

          https://zitadel.com/docs/self-hosting/manage/configure for more

          details.

        '';

      };

      extraStepsPaths = mkOption {

        type = types.listOf types.path;

        default = [ ];

        description = ''

          A list of paths to extra steps files. These will override the values

          set in [steps](#opt-services.zitadel.steps). Useful if you want to

          keep sensitive secrets out of the Nix store.

        '';

      };

    };

  config = lib.mkIf cfg.enable {

    assertions = [{

      assertion = cfg.tlsMode == "enabled"

        -> ((cfg.settings.TLS.Key != null || cfg.settings.TLS.KeyPath != null)

        && (cfg.settings.TLS.Cert != null || cfg.settings.TLS.CertPath

        != null));

      message = ''

        A TLS certificate and key must be configured in

        services.zitadel.settings.TLS if services.zitadel.tlsMode is enabled.

      '';

    }];

    networking.firewall.allowedTCPPorts =

      lib.mkIf cfg.openFirewall [ cfg.settings.Port ];

    systemd.services.zitadel =

      let

        configFile = settingsFormat.generate "config.yaml" cfg.settings;

        stepsFile = settingsFormat.generate "steps.yaml" cfg.steps;

        args = lib.cli.toGNUCommandLineShell { } {

          config = cfg.extraSettingsPaths ++ [ configFile ];

          steps = cfg.extraStepsPaths ++ [ stepsFile ];

          masterkeyFile = cfg.masterKeyFile;

          inherit (cfg) tlsMode;

        };

      in

      {

        description = "ZITADEL identity access management";

        path = [ cfg.package ];

        wantedBy = [ "multi-user.target" ];

        script = ''

          zitadel start-from-init ${args}

        '';

        serviceConfig = {

          Type = "simple";

          User = cfg.user;

          Group = cfg.group;

          Restart = "on-failure";

        };

      };

    users.users.zitadel = lib.mkIf (cfg.user == "zitadel") {

      isSystemUser = true;

      group = cfg.group;

    };

    users.groups.zitadel = lib.mkIf (cfg.group == "zitadel") { };

  };

  meta.maintainers = with lib.maintainers; [ Sorixelle ];

}

{ generateProtobufCode

, version

, zitadelRepo

}:

{ mkYarnPackage

, fetchYarnDeps

, lib

}:

let

  protobufGenerated = generateProtobufCode {

    pname = "zitadel-console";

    workDir = "console";

    bufArgs = "../proto --include-imports --include-wkt";

    outputPath = "src/app/proto";

    hash = "sha256-s0dzmcjKd8ot7t+KlRlNVA9oiIDKVMnGOT/HjdaUjGI=";

  };

in

mkYarnPackage rec {

  name = "zitadel-console";

  inherit version;

  src = "${zitadelRepo}/console";

  packageJSON = ./package.json;

  offlineCache = fetchYarnDeps {

    yarnLock = "${src}/yarn.lock";

    hash = "sha256-48IC4LxqbkH+95k7rCmhRWT+qAlJ9CDXWwRjbric9no=";

  };

  postPatch = ''

    substituteInPlace src/styles.scss \

      --replace "/node_modules/flag-icons" "flag-icons"

    substituteInPlace angular.json \

      --replace "./node_modules/tinycolor2" "../../node_modules/tinycolor2"

  '';

  buildPhase = ''

    mkdir deps/console/src/app/proto

    cp -r ${protobufGenerated}/* deps/console/src/app/proto/

    yarn --offline build

  '';

  installPhase = ''

    cp -r deps/console/dist/console $out

  '';

  doDist = false;

}