From 5514618d21453f204511db1f4443b5e985ec5185 Mon Sep 17 00:00:00 2001
From: catvayor
Date: Wed, 11 Jun 2025 17:14:30 +0200
Subject: [PATCH] feat(nimbolus): init a http terraform backend

---
 machines/nixos/compute01/_configuration.nix | 1 +
 machines/nixos/compute01/nimbolus/default.nix | 42 ++++++++
 machines/nixos/compute01/nimbolus/module.nix | 96 ++++++++++++++++++
 .../nixos/compute01/secrets/nimbolus-kms_key | Bin 0 -> 1804 bytes
 .../compute01/secrets/nimbolus-s3_secret | Bin 0 -> 1743 bytes
 machines/nixos/compute01/secrets/secrets.nix | 2 +
 modules/nixos/default.nix | 2 +-
 7 files changed, 142 insertions(+), 1 deletion(-)
 create mode 100644 machines/nixos/compute01/nimbolus/default.nix
 create mode 100644 machines/nixos/compute01/nimbolus/module.nix
 create mode 100644 machines/nixos/compute01/secrets/nimbolus-kms_key
 create mode 100644 machines/nixos/compute01/secrets/nimbolus-s3_secret
diff --git a/machines/nixos/compute01/_configuration.nix b/machines/nixos/compute01/_configuration.nix
index 7e45eea..6689130 100644
--- a/machines/nixos/compute01/_configuration.nix
+++ b/machines/nixos/compute01/_configuration.nix
@@ -28,6 +28,7 @@ lib.extra.mkConfig {
 "mastodon"
 # "netbox"
 "nextcloud"
+ "nimbolus"
 "ollama-proxy"
 "opengist"
 "outline"
diff --git a/machines/nixos/compute01/nimbolus/default.nix b/machines/nixos/compute01/nimbolus/default.nix
new file mode 100644
index 0000000..5150323
--- /dev/null
+++ b/machines/nixos/compute01/nimbolus/default.nix
@@ -0,0 +1,42 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+ pkgs,
+ sources,
+ config,
+ ...
+}:
+let
+ host = "nimbolus.dgnum.eu";
+ port = 9008;
+in
+{
+ import = [ ./module.nix ];
+ services.nimbolus-tf = {
+ enable = true;
+ package = (import sources.kat-pkgs { inherit pkgs; }).nimbolus-tf-backend;
+ settings = {
+ LISTEN_ADDR = "127.0.0.1:${toString port}";
+ KMS_KEY_PATH = config.age.secrets."nimbolus-kms_key".path;
+
+ STORAGE_BACKEND = "s3";
+ STORAGE_S3_ENDPOINT = "s3.dgnum.eu";
+ STORAGE_S3_USE_SSL = "true";
+ STORAGE_S3_BUCKET = "nimbolus-dgnum";
+ STORAGE_S3_ACCESS_KEY = "GKefa111701f349de3988f0010";
+ STORAGE_S3_SECRET_KEY_FILE = config.age.secrets."nimbolus-s3_secret".path;
+
+ # TODO: configure openBAO
+ # AUTH_BASIC_ENABLED = "false";
+ # AUTH_JWT_OIDC_ISSUER_URL = "https://vault.dgnum.eu/v1/identity/oidc";
+ };
+ };
+
+ age-secrets.autoMatch = [ "nimbolus" ];
+
+ dgn-web.simpleProxies.nimbolus = {
+ inherit host port;
+ };
+}
diff --git a/machines/nixos/compute01/nimbolus/module.nix b/machines/nixos/compute01/nimbolus/module.nix
new file mode 100644
index 0000000..10d1bcc
--- /dev/null
+++ b/machines/nixos/compute01/nimbolus/module.nix
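Review bot: The module list is written as `import = [ ./module.nix ];`, but a NixOS module pulls in other modules through `imports`; as written this defines an option named `import` that does not exist, and if the hunk text is faithful the configuration fails to evaluate before the service is ever set up — the fix is `imports = [ ./module.nix ];`. The authentication variables are still a TODO while `dgn-web.simpleProxies.nimbolus` already publishes the backend on `nimbolus.dgnum.eu`; whether nimbolus-tf-backend rejects unauthenticated requests by default cannot be told from this page, so I would confirm that before the proxy goes live, since Terraform state routinely contains credentials. Both secrets are correctly passed as file paths rather than values, but `age-secrets.autoMatch` is a project module not shown here, so I would also check that it makes the two files readable by the `nimbolus` user the unit runs as.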
@@ -0,0 +1,96 @@ +# SPDX-FileCopyrightText: 2025 Lubin Bailly +# +# SPDX-License-Identifier: EUPL-1.2 + +{ + lib, + config, + sources, + pkgs, + ... +}: +let + inherit (lib) + getExe + mapAttrsToList + mkEnableOption + mkIf + mkPackageOption + mkOption + ; + inherit (lib.types) + attrsOf + str + ; + + cfg = config.services.nimbolus-tf; +in +{ + options.services.nimbolus-tf = { + enable = mkEnableOption "the nimbolus terraform http backend" { pkgsText = "kat-pkgs"; }; + package = mkPackageOption (import sources.kat-pkgs { inherit pkgs; }) "nimbolus-tf-backend"; + user = mkOption { + type = str; + description = '' + User used by the nimbolus server. + ''; + default = "nimbolus"; + }; + group = mkOption { + type = str; + description = '' + Group used by the nimbolus server. + ''; + default = "nimbolus"; + }; + settings = mkOption { + type = attrsOf str; + default = { }; + description = '' + Environment variables for nimbolus configuration. + ''; + }; + }; + config = mkIf cfg.enable { + users = { + users.${cfg.user}.isSystemUser = true; + groups.${cfg.group} = { }; + }; + systemd.services."nimbolus-tf" = { + description = "Nimbolus terraform http backend"; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = getExe cfg.package; + Environment = mapAttrsToList (name: value: "${name}=${value}") cfg.settings; + User = cfg.user; + Group = cfg.group; + + StateDirectory = "nimbolus-tf"; + StateDirectoryMode = "0700"; + WorkingDirectory = "/var/lib/nimbolus-tf"; + + # Hardening + CapabilityBoundingSet = ""; + PrivateDevices = true; + ProtectClock = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + ProtectKernelModules = true; + RestrictNamespaces = true; + ProtectHostname = true; + LockPersonality = true; + RestrictRealtime = true; + ProtectHome = true; + ProtectProc = "noaccess"; + ProcSubset = "pid"; + PrivateUsers = true; + UMask = "0077"; + ProtectKernelTunables = true; + RestrictAddressFamilies = "AF_INET AF_INET6"; + SystemCallFilter = 
"~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap"; + MemoryDenyWriteExecute = true; + SystemCallArchitectures = "native"; + }; + }; + }; +} 
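Review bot: The `{ pkgsText = "kat-pkgs"; }` attrset on the `enable` line is applied to the result of `mkEnableOption`, which takes a single argument, while `package = mkPackageOption (...) "nimbolus-tf-backend";` lacks that third argument and so yields a partially applied function instead of an option; if the hunk text is faithful, the module cannot evaluate. The fix moves the attrset: `enable = mkEnableOption "the nimbolus terraform http backend";` and `package = mkPackageOption (import sources.kat-pkgs { inherit pkgs; }) "nimbolus-tf-backend" { pkgsText = "kat-pkgs"; };`. `users.users.${cfg.user}.isSystemUser = true;` sets no `group`, and as far as I recall NixOS asserts that system users declare one, so `users.users.${cfg.user} = { isSystemUser = true; group = cfg.group; };` is needed. Every `settings` value is rendered into the unit's `Environment=`, which lands in the world-readable Nix store, so the `settings` description should say so, e.g. `Values are written verbatim into the unit file in the Nix store; pass secrets as file paths, never as values.`. The hardening block never restricts the root filesystem (no `ProtectSystem`); `ProtectSystem = "strict";` fits alongside the existing `StateDirectory`.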
diff --git a/machines/nixos/compute01/secrets/nimbolus-kms_key b/machines/nixos/compute01/secrets/nimbolus-kms_key new file mode 100644 index 0000000000000000000000000000000000000000..323599072b3853d415189c01168ab67f7ae8e010 GIT binary patch literal 1804 zcmZXUxvu;M8O7-$3_=7c{q)0)cYEBR*dBYljQ8E5@pwF5$NL^BLP#_q0jW~t1>gw~ zqKTB`1yUfWD50VS2?{R7pW@Pf&F?!$=bR`_UXnWQw|2~%`opGA!5Ic#esmay>?OG) zI1W>XP;9VrIRqf%?IMwb%#oG_jTwwg-*q<#?b(5|fl@Wi4pyXgl@@4vU#%Ec$S?=vgZ+QF@#qf+raBu(!0fSGj>c z2ur15!ou?VL=ozJB8p2^Q%BKe^P7j#Px36V5YAt4W&x_0PSaC1nTFoNO|}K*NS~im z>CcLSL+jmG3zRlVxxu)%v_kYBI(=vrEAq0bQ!B>_ueng{kx5-GNx3n@#E*^PSKF*i znzK0oS9t!A9$&>0d=+3rf_53aUlrzwXAl?>W}LfGjahu20N=Vt~PEnbNX3&z3SX4s%tXSWuny@ZQ#Na%or{ zVj&aZI5c=m>yNbz8ixkFDP;o9%OebUqQ~zWuG|t0c^t=s-0w7Lr0gac9uYjvlt%R5>>M2E8X*sB2)>c9kP8e=4+Vl!Of z)hQzg#RetVzGD|WJNk8K>(}y%_A^eT7MBPsR*)+Gm`|N80!*S`hGH{0x*w30F?gQ7 z741y+&+P0LDH2m&;+I!{L0T`?RgW)JO-CO*mnX0}$0Kk(iTtU%Ky?O(^VM+~{%(en zF^(roabl*N3f}IWT?|W$tB?MyC6x3eR)0NjIyST&P%kb_PKvY+5Ew8d6Yw2zPAi+_ zMvssmwy8CWit|VGH6l(rqkHUjv5O8YBvj?1B7mZ%JH7WrR~H_%%QsN=tc#a`cbP}2 zp+u~uVp2;?3k}q~S`NES@EPogqtESJyUy_X0sq*2t97OD*2%^Q3EDX}-nsp50l;}N zV&hQoj>1;uoG>?`YTevSZCjTe48+`rwq$-)B1%PeZ`5b?V&3-rA@t*XrQgyZlOkVRa?x5Q&uYXZpS8eI^*)}XTwbB!&6CK@>5NsPkW9Zdt$NeVDPe=>|6DYKlyR_2q;+CQ>hX86d=ogJ&@?%5>( z?xdw&k{Ipch-3)XPk1^P0=T9`u{f&mHCGw3vFT}-|8D`tb0?YULDz)So!~oPhPZs- zwj?QoqXL_OW=vTuvOza)MVaiJHD`> z)(_swj;wtk8a&+~o0VH&^0O*CxXl()^h?T|tX0=&F;7{}}- zexNvxkcU8Qv2s1I4CA>|R>s6FLIQ_&>FbtTJWgX4x|I~fo$kaeiS;dqfi-oEQ0zb$ zF32*NW-8nJ+Y>rx#4Of@sd5q&N?9ckKKEK9A)Q&MLqdSkO4b-urs^2Pv{MRfpz~*| z@M1yo&li}zX93rW#R!DMyjKsXF?Et(dox(L+j5Vv6L%G0-_)5K?9#Q{#}w1P*1F-! 
zjnqMonUq^@^?oeyEkR6^DWiE1L@mR?Y_4)fAs|pW?e zvFV|8^huMSnxadJN0p_xjIXsq^b?&rz~VECmr3F7ti7a}6p0m+KjG_<)I0&ZM>u#d zK;F#+Zfmm%}PmUEkQ@XS<4pIqtL$VF~Xg=r1jk<9WSynSJ@rz zB#9>#A*uI4eXR{(BSXeP5|~@4IH4W5+m$*VCF`tLwgn&S(;4*h6iGPKlGdw^ssNc; z6UAeA=xC#w?6`DC@!nBZa87AVN3swn&V#Xg1Ni?-4r6#I2aiz+~r42L&c<^TmKOo9f|coJ&9y6CHYuQ*FKVRW0P=S$(%H_ zD1;Y^#$$Oq`zey3Og4sO07u`M76?Aq5AskWx(Wm&AD^-QB- z@{lh&q^mAy1!Gh+NGXZ0HP|GHw=Jo;D0CKjwmsbE2w!m!#I{`@vLWACJJn;du?iVw zC94vce{qA<&hGiGfOrBu<(74F z7*ODa-WssiyWO3l$kW3>gic?SkfG(Q46~JKj4>2bM;liO&w$dV5s`;&z)1rGQl^Um zw9!GdU3+t2cdJB<7B`3%ca1{0cqlfhODJ>GS8|)!UNX~z{^VAUQW_zBifNG0ezYzX z6>ig`y2~g2tZAvr?$yl_R$zKK)uQ6`Io_p)u`K-ϓAOj>OS?_uGzL50@aka-4P zUS19oeS-~e2!{xAYbG3xphNb6&lU?~RP-7zwAk$K!wHuX`0U4j{>HC<^YQUJzx~_4 z-lYG`rw_ef2Y>j}8?*Y}Uw@?iE`0C5ZT`z&{Ns!5{ZF)ajGuq|>pwF-{jT#F@j3Z} uFR4HN{`tiZ{~mwz<+uJ5ecrO!Jog`&9|+c`U;F;{%{M>!_fPG=c>e?G2SDrq literal 0 HcmV?d00001 diff --git a/machines/nixos/compute01/secrets/secrets.nix b/machines/nixos/compute01/secrets/secrets.nix index 38fd800..442f9ad 100644 --- a/machines/nixos/compute01/secrets/secrets.nix +++ b/machines/nixos/compute01/secrets/secrets.nix @@ -25,6 +25,8 @@ "netbox-environment_file" "nextcloud-adminpass_file" "nextcloud-s3_secret_file" + "nimbolus-kms_key" + "nimbolus-s3_secret" "opengist-environment_file" "outline-oidc_client_secret_file" "outline-smtp_password_file" diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 0485145..1477855 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -37,8 +37,8 @@ "dgn-web" "django-apps" "extranix" - "openbao" "forgejo-multiuser-nix-runners" + "openbao" ]) ++ [ "${sources.agenix}/modules/age.nix"