https://wiki.nixos.org/w/index.php?action=history&feed=atom&title=Zitadel
Zitadel - Revision history
2026-04-06T17:58:33Z
Revision history for this page on the wiki
MediaWiki 1.45.0
https://wiki.nixos.org/w/index.php?title=Zitadel&diff=30971&oldid=prev
Lyamc: Created this first-draft page in order to document the service.
2026-03-29T06:29:37Z
<p>Created this first-draft page in order to document the service.</p>
<p><b>New page</b></p><div>'''[https://zitadel.com/ Zitadel]''' is an open-source identity and access management platform built for the cloud-native era. It provides authentication, authorization, and user management with support for OIDC, SAML, MFA, and more.<br />
<br />
== Setup (Native / Containerless) ==<br />
The following configuration provides a complete, declarative setup for Zitadel with:<br />
<br />
* [[PostgreSQL]] (no Docker)<br />
* [[Nginx]] reverse proxy using existing ACME certificates<br />
* Declarative creation<br />
<br />
== Configuration ==<br />
Modify and save the configuration as <code>/etc/nixos/services/zitadel.n</code><code>ix</code><br />
<br />
nix<br />
{ config, pkgs, lib, ... }:<br />
<br />
let<br />
<nowiki> </nowiki> # Root domain, using Wildcard Certificate as per <nowiki>https://wiki.nixos.org/wiki/ACME</nowiki> CloudFlare section<br />
<nowiki> </nowiki> # If using per-domain certificates, change to the appropriate subdomain.<br />
<nowiki> </nowiki> rootDomain = "example.com";<br />
<br />
<nowiki> </nowiki> # Domain where Zitadel will be available.<br />
<nowiki> </nowiki> # Change to rootDomain if using per-domain ACME certificates<br />
<nowiki> </nowiki> zitadelDomain = "auth.${rootDomain}";<br />
<br />
<nowiki> </nowiki> # Strong password for the dedicated PostgreSQL user<br />
<nowiki> </nowiki> dbPassword = "make-sure-this-is-secure-and-long";<br />
<br />
<nowiki> </nowiki> # Initial admin password for the Zitadel console<br />
<nowiki> </nowiki> # Change this immediately after first login!<br />
<nowiki> </nowiki> adminPassword = "change-this-immediately-to-a-strong-password";<br />
<br />
<nowiki> </nowiki> # Email address for the initial admin user<br />
<nowiki> </nowiki> initialAdminEmail = "admin@${rootDomain}";<br />
<br />
<nowiki> </nowiki> # Internal port Zitadel listens on (chosen to avoid conflict with other services on port 80)<br />
<nowiki> </nowiki> internalPort = 2080;<br />
<br />
<nowiki> </nowiki> # External port when using TLS Enabled or for reverse proxy with external TLS mode<br />
<nowiki> </nowiki> # Currently only works with 443, see <nowiki>https://github.com/zitadel/zitadel/issues/11380</nowiki><br />
<nowiki> </nowiki> externalPort = 443;<br />
<br />
<nowiki> </nowiki> # false = HTTP, true = HTTPS<br />
<nowiki> </nowiki> externalSecure = true;<br />
<br />
<nowiki> </nowiki> # Zitadel TLS Mode (disabled, enabled, external)<br />
<nowiki> </nowiki> tlsMode = "disabled";<br />
<br />
in<br />
{<br />
<nowiki> </nowiki> # === PostgreSQL ===<br />
<nowiki> </nowiki> services.postgresql = {<br />
<nowiki> </nowiki> enable = true;<br />
<nowiki> </nowiki> package = pkgs.postgresql_17;<br />
<br />
<nowiki> </nowiki> ensureDatabases = [ "zitadel" ];<br />
<br />
<nowiki> </nowiki> # Enable TCP/IP for localhost connections<br />
<nowiki> </nowiki> enableTCPIP = true;<br />
<br />
<nowiki> </nowiki> # Authentication rules<br />
<nowiki> </nowiki> authentication = pkgs.lib.mkOverride 10 <nowiki>''</nowiki><br />
<nowiki> </nowiki> # Local Unix socket connections use peer authentication<br />
<nowiki> </nowiki> local all all peer<br />
<br />
<nowiki> </nowiki> # TCP localhost: allow zitadel user to connect to any database<br />
<nowiki> </nowiki> host all zitadel 127.0.0.1/32 trust<br />
<nowiki> </nowiki> host all zitadel ::1/128 trust<br />
<nowiki> </nowiki> <nowiki>''</nowiki>;<br />
<br />
<nowiki> </nowiki> # Initial database setup<br />
<nowiki> </nowiki> initialScript = pkgs.writeText "zitadel-init.sql" <nowiki>''</nowiki><br />
<nowiki> </nowiki> CREATE ROLE zitadel WITH LOGIN PASSWORD '${dbPassword}' CREATEDB CREATEROLE;<br />
<nowiki> </nowiki> GRANT ALL PRIVILEGES ON DATABASE zitadel TO zitadel;<br />
<nowiki> </nowiki> <nowiki>''</nowiki>;<br />
<br />
<nowiki> </nowiki> settings = {<br />
<nowiki> </nowiki> max_connections = 100;<br />
<nowiki> </nowiki> shared_buffers = "256MB";<br />
<nowiki> </nowiki> };<br />
<nowiki> </nowiki> };<br />
<br />
<nowiki> </nowiki> # Ensure the zitadel role always has CREATEROLE for migrations<br />
<nowiki> </nowiki> systemd.services.zitadel-postgres-setup = {<br />
<nowiki> </nowiki> description = "Ensure Zitadel PostgreSQL user has required privileges";<br />
<nowiki> </nowiki> wantedBy = [ "multi-user.target" ];<br />
<nowiki> </nowiki> after = [ "postgresql.service" ];<br />
<nowiki> </nowiki> requires = [ "postgresql.service" ];<br />
<br />
<nowiki> </nowiki> serviceConfig = {<br />
<nowiki> </nowiki> Type = "oneshot";<br />
<nowiki> </nowiki> RemainAfterExit = true;<br />
<nowiki> </nowiki> User = "postgres";<br />
<nowiki> </nowiki> };<br />
<br />
<nowiki> </nowiki> script = <nowiki>''</nowiki><br />
<nowiki> </nowiki> ${config.services.postgresql.package}/bin/psql -d postgres <<'EOF'<br />
<nowiki> </nowiki> DO $$<br />
<nowiki> </nowiki> BEGIN<br />
<nowiki> </nowiki> IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'zitadel') THEN<br />
<nowiki> </nowiki> CREATE ROLE zitadel WITH LOGIN PASSWORD '${dbPassword}' CREATEDB CREATEROLE;<br />
<nowiki> </nowiki> ELSE<br />
<nowiki> </nowiki> ALTER ROLE zitadel WITH PASSWORD '${dbPassword}' CREATEDB CREATEROLE;<br />
<nowiki> </nowiki> END IF;<br />
<nowiki> </nowiki> END<br />
<nowiki> </nowiki> $$;<br />
<br />
<nowiki> </nowiki> GRANT ALL PRIVILEGES ON DATABASE zitadel TO zitadel;<br />
<nowiki> </nowiki> EOF<br />
<nowiki> </nowiki> <nowiki>''</nowiki>;<br />
<nowiki> </nowiki> };<br />
<br />
<nowiki> </nowiki> # === Zitadel ===<br />
<nowiki> </nowiki> services.zitadel = {<br />
<nowiki> </nowiki> enable = true;<br />
<br />
<nowiki> </nowiki> masterKeyFile = "/var/lib/zitadel/master.key";<br />
<br />
<nowiki> </nowiki> tlsMode = tlsMode;<br />
<nowiki> </nowiki> settings = {<br />
<nowiki> </nowiki> Port = httpPort;<br />
<nowiki> </nowiki> ExternalPort = httpsPort;<br />
<nowiki> </nowiki> ExternalDomain = zitadelDomain;<br />
<nowiki> </nowiki> ExternalSecure = externalSecure;<br />
<br />
<nowiki> </nowiki> Database = {<br />
<nowiki> </nowiki> postgres = {<br />
<nowiki> </nowiki> Host = "127.0.0.1";<br />
<nowiki> </nowiki> Port = 5432;<br />
<nowiki> </nowiki> Database = "zitadel";<br />
<br />
<nowiki> </nowiki> User = {<br />
<nowiki> </nowiki> Username = "zitadel";<br />
<nowiki> </nowiki> Password = dbPassword;<br />
<nowiki> </nowiki> SSL = { Mode = "disable"; };<br />
<nowiki> </nowiki> };<br />
<br />
<nowiki> </nowiki> Admin = {<br />
<nowiki> </nowiki> Username = "zitadel";<br />
<nowiki> </nowiki> Password = dbPassword;<br />
<nowiki> </nowiki> SSL = { Mode = "disable"; };<br />
<nowiki> </nowiki> };<br />
<nowiki> </nowiki> };<br />
<nowiki> </nowiki> };<br />
<nowiki> </nowiki> };<br />
<br />
<nowiki> </nowiki> # Declarative first instance and admin user<br />
<nowiki> </nowiki> steps = {<br />
<nowiki> </nowiki> FirstInstance = {<br />
<nowiki> </nowiki> InstanceName = "Zitadel";<br />
<nowiki> </nowiki> Org = {<br />
<nowiki> </nowiki> Human = {<br />
<nowiki> </nowiki> UserName = "admin";<br />
<nowiki> </nowiki> FirstName = "Admin";<br />
<nowiki> </nowiki> LastName = "User";<br />
<nowiki> </nowiki> DisplayName = "Administrator";<br />
<nowiki> </nowiki> Password = adminPassword;<br />
<nowiki> </nowiki> PasswordChangeRequired = false;<br />
<nowiki> </nowiki> Email = {<br />
<nowiki> </nowiki> Address = initialAdminEmail;<br />
<nowiki> </nowiki> Verified = true;<br />
<nowiki> </nowiki> };<br />
<nowiki> </nowiki> };<br />
<nowiki> </nowiki> };<br />
<nowiki> </nowiki> };<br />
<nowiki> </nowiki> };<br />
<nowiki> </nowiki> };<br />
<br />
<nowiki> </nowiki> # Generate persistent master key (only once)<br />
<nowiki> </nowiki> system.activationScripts.zitadelMasterKey = lib.stringAfter [ "var" ] <nowiki>''</nowiki><br />
<nowiki> </nowiki> mkdir -p /var/lib/zitadel<br />
<nowiki> </nowiki> if [ ! -f /var/lib/zitadel/master.key ]; then<br />
<nowiki> </nowiki> ${pkgs.coreutils}/bin/tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32 > /var/lib/zitadel/master.key<br />
<nowiki> </nowiki> chmod 400 /var/lib/zitadel/master.key<br />
<nowiki> </nowiki> chown zitadel:zitadel /var/lib/zitadel/master.key || true<br />
<nowiki> </nowiki> chown zitadel:zitadel /var/lib/zitadel || true<br />
<nowiki> </nowiki> fi<br />
<nowiki> </nowiki> <nowiki>''</nowiki>;<br />
<br />
<nowiki> </nowiki> # === Nginx reverse proxy (HTTPS only) example ===<br />
<nowiki> </nowiki> services.nginx.enable = true;<br />
<br />
<nowiki> </nowiki> services.nginx.virtualHosts."${zitadelDomain}" = {<br />
<nowiki> </nowiki> forceSSL = true;<br />
<nowiki> </nowiki> sslCertificate = "/var/lib/acme/${rootDomain}/fullchain.pem";<br />
<nowiki> </nowiki> sslCertificateKey = "/var/lib/acme/${rootDomain}/key.pem";<br />
<br />
<nowiki> </nowiki> http2 = true; # Enables HTTP/2 support<br />
<br />
<nowiki> </nowiki> # Necessary for non-default HTTPS port<br />
<nowiki> </nowiki> listen = [<br />
<nowiki> </nowiki> { addr = "0.0.0.0"; port = externalPort; ssl = true; }<br />
<nowiki> </nowiki> { addr = "[::]"; port = externalPort; ssl = true; }<br />
<nowiki> </nowiki> ];<br />
<br />
<nowiki> </nowiki> locations = {<br />
<nowiki> </nowiki> # Zitadel Login V2 UI<br />
<nowiki> </nowiki> "/ui/v2/login" = {<br />
<nowiki> </nowiki> proxyPass = "<nowiki>http://127.0.0.1:${toString</nowiki> internalPort}";<br />
<nowiki> </nowiki> extraConfig = <nowiki>''</nowiki><br />
<nowiki> </nowiki> proxy_set_header Host $host;<br />
<nowiki> </nowiki> proxy_set_header X-Real-IP $remote_addr;<br />
<nowiki> </nowiki> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br />
<nowiki> </nowiki> proxy_set_header X-Forwarded-Proto $scheme;<br />
<nowiki> </nowiki> <nowiki>''</nowiki>;<br />
<nowiki> </nowiki> };<br />
<br />
<nowiki> </nowiki> # gRPC for Console, API, etc.<br />
<nowiki> </nowiki> "/" = {<br />
<nowiki> </nowiki> extraConfig = <nowiki>''</nowiki><br />
<nowiki> </nowiki> grpc_pass grpc://127.0.0.1:${toString internalPort};<br />
<nowiki> </nowiki> grpc_set_header Host $host;<br />
<nowiki> </nowiki> grpc_set_header X-Forwarded-Proto $scheme;<br />
<nowiki> </nowiki> <nowiki>''</nowiki>;<br />
<nowiki> </nowiki> };<br />
<nowiki> </nowiki> };<br />
<nowiki> </nowiki> };<br />
<nowiki> </nowiki> };<br />
<br />
<nowiki> </nowiki> systemd.services.zitadel = {<br />
<nowiki> </nowiki> after = [ "postgresql.service" "zitadel-postgres-setup.service" ];<br />
<nowiki> </nowiki> requires = [ "postgresql.service" "zitadel-postgres-setup.service" ];<br />
<nowiki> </nowiki> };<br />
}<br />
Add the module to your configuration.nix:<br />
<br />
nix<br />
imports = [ ./services/zitadel.nix ];<br />
After a successful rebuild, Zitadel will be available at <nowiki>https://auth.example.com</nowiki> (replace with your domain).<br />
<br />
== Usage ==<br />
Log in with username '''admin''' and the adminPassword you set. '''Change the password''' in the Zitadel console.<br />
<br />
For further usage, refer to the official Zitadel documentation.<br />
<br />
== Verification ==<br />
Check that services are running:<br />
<br />
Bash<syntaxhighlight lang="bash"><br />
systemctl status zitadel-postgres-setup<br />
systemctl status postgresql<br />
systemctl status zitadel<br />
systemctl status nginx<br />
sudo tail /var/logs/ngnix/error.log<br />
</syntaxhighlight><br />
<br />
== Notes ==<br />
<br />
* This setup uses trust authentication for the zitadel user on localhost for a single-machine deployment.<br />
* The zitadel-postgres-setup service ensures the database user has the CREATEROLE attribute required by Zitadel's initialization.<br />
* TLS termination happens at Nginx using existing ACME certificates<br />
<br />
== See Also ==<br />
[[ACME]]<br />
<br />
[[Keycloak]]<br />
<br />
[https://zitadel.com/ Zitadel Offical Homepage]<br />
<br />
[https://github.com/zitadel/zitadel/issues Zitadel GitHub Issue Tracker]</div>
Lyamc