From 720d11b3d2fea637c737bf212a209349e39fb33d Mon Sep 17 00:00:00 2001
From: catvayor
Date: Wed, 11 Jun 2025 17:14:30 +0200
Subject: [PATCH] feat(nimbolus): init a http terraform backend
---
 machines/nixos/compute01/_configuration.nix | 1 +
 machines/nixos/compute01/nimbolus.nix | 39 +++++++
 .../nixos/compute01/secrets/nimbolus-kms_key | Bin 0 -> 1804 bytes
 .../compute01/secrets/nimbolus-s3_access | Bin 0 -> 1787 bytes
 .../compute01/secrets/nimbolus-s3_secret | Bin 0 -> 1797 bytes
 machines/nixos/compute01/secrets/secrets.nix | 3 +
 meta/dns.nix | 1 +
 modules/nixos/default.nix | 3 +-
 modules/nixos/nimbolus-tf.nix | 108 ++++++++++++++++++
 9 files changed, 154 insertions(+), 1 deletion(-)
 create mode 100644 machines/nixos/compute01/nimbolus.nix
 create mode 100644 machines/nixos/compute01/secrets/nimbolus-kms_key
 create mode 100644 machines/nixos/compute01/secrets/nimbolus-s3_access
 create mode 100644 machines/nixos/compute01/secrets/nimbolus-s3_secret
 create mode 100644 modules/nixos/nimbolus-tf.nix
diff --git a/machines/nixos/compute01/_configuration.nix b/machines/nixos/compute01/_configuration.nix
index 7e45eea..6689130 100644
--- a/machines/nixos/compute01/_configuration.nix
+++ b/machines/nixos/compute01/_configuration.nix
@@ -28,6 +28,7 @@ lib.extra.mkConfig {
 "mastodon"
 # "netbox"
 "nextcloud"
+ "nimbolus"
 "ollama-proxy"
 "opengist"
 "outline"
diff --git a/machines/nixos/compute01/nimbolus.nix b/machines/nixos/compute01/nimbolus.nix
new file mode 100644
index 0000000..6b2b78b
--- /dev/null
+++ b/machines/nixos/compute01/nimbolus.nix
@@ -0,0 +1,39 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+ pkgs,
+ sources,
+ config,
+ ...
+}:
+let
+ host = "nimbolus.dgnum.eu";
+ port = 9008;
+in
+{
+ services.nimbolus-tf = {
+ enable = true;
+ package = (import sources.kat-pkgs { inherit pkgs; }).nimbolus-tf-backend;
+ environment = {
+ LISTEN_ADDR = "127.0.0.1:${toString port}";
+ STORAGE_BACKEND = "s3";
+ STORAGE_S3_ENDPOINT = "s3.dgnum.eu";
+ STORAGE_S3_USE_SSL = "true";
+ STORAGE_S3_BUCKET = "monorepo-terraform-state";
+
+ # TODO: configure openBAO
+ # AUTH_BASIC_ENABLED = "false";
+ # AUTH_JWT_OIDC_ISSUER_URL = "https://vault.dgnum.eu/v1/identity/oidc";
+ };
+ secretEnvironment = {
+ KMS_KEY = config.age.secrets."nimbolus-kms_key".path;
+ STORAGE_S3_ACCESS_KEY = config.age.secrets."nimbolus-s3_access".path;
+ STORAGE_S3_SECRET_KEY = config.age.secrets."nimbolus-s3_secret".path;
+ };
+ };
+ dgn-web.simpleProxies.nimbolus = {
+ inherit host port;
+ };
+}
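Review bot: The backend is published through `dgn-web.simpleProxies.nimbolus` on `nimbolus.dgnum.eu` while its authentication settings are left as the commented-out TODO block (`AUTH_BASIC_ENABLED`, `AUTH_JWT_OIDC_ISSUER_URL`), so whether any client can read or write the Terraform state depends entirely on nimbolus's built-in defaults, which this hunk does not pin. Terraform state routinely carries credentials, so I would either set the auth variables explicitly now or record the effective default next to the TODO, e.g. `# NOTE: backend auth defaults apply until openBAO OIDC is wired up; confirm the proxied endpoint is not reachable unauthenticated`. The same exposure is completed by the `meta/dns.nix` hunk that adds the public `nimbolus` record. The package comes from the external `sources.kat-pkgs` channel; presumably it is pinned like the other sources, but a short comment naming where that pin lives would help reviewers of the supply chain.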
diff --git a/machines/nixos/compute01/secrets/nimbolus-kms_key b/machines/nixos/compute01/secrets/nimbolus-kms_key new file mode 100644 index 0000000000000000000000000000000000000000..323599072b3853d415189c01168ab67f7ae8e010 GIT binary patch literal 1804 zcmZXUxvu;M8O7-$3_=7c{q)0)cYEBR*dBYljQ8E5@pwF5$NL^BLP#_q0jW~t1>gw~ zqKTB`1yUfWD50VS2?{R7pW@Pf&F?!$=bR`_UXnWQw|2~%`opGA!5Ic#esmay>?OG) zI1W>XP;9VrIRqf%?IMwb%#oG_jTwwg-*q<#?b(5|fl@Wi4pyXgl@@4vU#%Ec$S?=vgZ+QF@#qf+raBu(!0fSGj>c z2ur15!ou?VL=ozJB8p2^Q%BKe^P7j#Px36V5YAt4W&x_0PSaC1nTFoNO|}K*NS~im z>CcLSL+jmG3zRlVxxu)%v_kYBI(=vrEAq0bQ!B>_ueng{kx5-GNx3n@#E*^PSKF*i znzK0oS9t!A9$&>0d=+3rf_53aUlrzwXAl?>W}LfGjahu20N=Vt~PEnbNX3&z3SX4s%tXSWuny@ZQ#Na%or{ zVj&aZI5c=m>yNbz8ixkFDP;o9%OebUqQ~zWuG|t0c^t=s-0w7Lr0gac9uYjvlt%R5>>M2E8X*sB2)>c9kP8e=4+Vl!Of z)hQzg#RetVzGD|WJNk8K>(}y%_A^eT7MBPsR*)+Gm`|N80!*S`hGH{0x*w30F?gQ7 z741y+&+P0LDH2m&;+I!{L0T`?RgW)JO-CO*mnX0}$0Kk(iTtU%Ky?O(^VM+~{%(en zF^(roabl*N3f}IWT?|W$tB?MyC6x3eR)0NjIyST&P%kb_PKvY+5Ew8d6Yw2zPAi+_ zMvssmwy8CWit|VGH6l(rqkHUjv5O8YBvj?1B7mZ%JH7WrR~H_%%QsN=tc#a`cbP}2 zp+u~uVp2;?3k}q~S`NES@EPogqtESJyUy_X0sq*2t97OD*2%^Q3EDX}-nsp50l;}N zV&hQoj>1;uoG>?`YTevSZCjTe48+`rwq$-)B1%PeZ`5b?V&3-rA@t*XrQgyZlOkVRa?x5Q&uYXZpS8eI^*)}XTwbB!&6CK@>5NsPkW9Zdt$NeVDPe=>|6DYKlyR_2q;+CQ>hX86d=ogJ&@?%5>( z?xdw&k{Ipch-3)XPk1^P0=T9`u{f&mHCGw3vFT}-|8D`tb0?YULDz)So!~oPhPZs- zwj?QoqXL_OW=vTuvOza)MVaiJHD`> z)(_2u+>H@ zZC=6F@-Kdh7qnA+EPRXS{Q~DY=iJ;^kVJ1${pz=N%$oW~O`n|RGxYZ3!!V?8QHbF9 znLhYpgB8m`_o<@iw`scKMOsvKv#963wgJC#h8{I3A5BJ&VWlP%kl1<6BQH+$9mY0o z-TjH{c$7>1)T!-6d`(6haEcQzllPHEpLBKxhZ!6t1eU!ey|mK)LWH{4x{g<{%c@FO z6q{bYQ`InIF$09h%BZXGHNqTwlOOjH7!Lokz(iOBdzUk`~VK^ zZRugzNnZL(2IukW!FQZ`PMDA_Q$a6*N^_?gSSgVi5Zp*`yv>?>cUy@TG3H1xB~!s# zI@Q8m1gW_<*Rn>4#P~?d#Ye1zL#ioRLl0B;6gP&;yz+#MMf<>stSY(@kz>Vm_>6gJ za05-~E=a=rdMQPbSmZThGa{`u5KSuQQiyZ&SdI<4j`){oMrks%abTnzDS2f#W^$$d ze&>}Ohuc|*%#zFD^K`-HlS-sl*jH+~FG3*qol(A*)eNgmhLa+Z81L8@rvDZuKt5lX 
z5M{KdlG&vlWmQ!mlOQrwsUQFsAkG5o87XdT;ez}wmk-*@1lRUTr;pi-enV85hdJ0t&2VUin;ry(Twn=mPo=%-jah5@*WKE6pamXCf%6V zQj+XzFZG9jb9^y!#|S==x8l8%Ts9Wlj5~F4i)!{BSSNyFc6xF2%k>R&V<6FHSHs2#YZ0oF{xs*=(t7<> znqg-yR?cJt{u=YGy@uS*j8F3}xgGW;myTQ~naLsCY_kLtIawa7*f-(QcO$$ix*qa7 zO~uygtIRdAlDwjzX}K$u15ezPc9KJ)8%IwQvVh$?GcvVV&9h}ry6@b^*Z*!?eEBWu zqhN>*=O3ou+iU004N!27)=8oRczfNi`brsPN>!l%q;t9TE*`bBJ%;AHyt-iWR7LQo zHQ!#{yHnoY4mFV=j2Z6m85M%Tl&g+e|i+IkthhaD=CDO!c<_+j;f4TkRC;$2U z-(UaA-_}2U_S;|l^LM}b2LI{rmh$T$`oU*^{OhMi`RcF!{JHY;Z&&~N<+r}`({FzI OeJ#b`{XX-vKl~R@l}pma<~AwP5E#IL)_z!H@TSc%Cpzo{}aWwr(og=11+2?H3q$ zdUrRD`BQR5FbpPlfzYDWxKn&@ylh-gjTe973KX&7mU5Uq)0lCD!&3l zd<$#Vgb&3^@-uHszMpzF(Tce?} z;Tq4iZcv$#+Fd=cMvchTEzF`kU53aSIrAKkDQyXQZH3y`m|h1KUr|7j26OVhGN_Ur)j19{G9C?^WnyP}%Fi9r5uAJ2jjm0$cVjA5@tsJAChbYjz%oAzs zocqMAhDPPoRBd^Bjc9}G&%?S^{s<|t@5Hmysia`#1khZD&D3>T)+2uZn1jVUD7Don zv}>-@TJpJGOfi&FfkZvm2C$L##tu~HqIGJkyU_ED7^X%OSU3pQ_4FxcWN$FkPtju5v)IGSl z^qyvzangxkbW8l3lGyHkxT|#?cp4{4Q10hzJw|HRp?#eJp=>L76(p1~mu9)=jw{r5 z!oA(7HZZZROCXIQ7Ab!eg)((Y9vkGko-zD*&||7KalpHQ%*`^^DqxWu8RtG-C;l7R z?w8ewja{7%EK?=snR==!i}u<%?HxjU|A zyNFf#!^6>QfhiXVJ;M%7fvF@$8cXTht-!=ZVN0`F4iK<4?Pa0;yhW)g(I^@b+$?!C z=sdZ(Ve60Ub(0^J)*Hw-J{dV>S!BD0RcALQW62bzquhsCI6I~84-f0O&u@2k4~lQL zRiX|y0rYGvZl?|9QEXFastZ__iNw6x4 zq~8Z(59eV>)%GbHl5k9RKlt%^2Z;c)p{?i#biS+#jgy9WZi2@iCytkUoX;)r z^z^j557^nf(J67wSm%74sGeJgh9tnGSI7S0X9A;{WQkhp2>A1N{`6De)gOhgUVZ)R zFGTbG-LL-e-xvRwmGAxX+aLVqlW%?c+I%ng^S^$W{pYv#tG|dl?(=v4{yKZ{vk&E8 w{PX=U-(`RI;g{`qfAag|M?ZfdfAx;+epbGI`SHL1da%E^eEqkVA61|J4@!hpDgXcg literal 0 HcmV?d00001 diff --git a/machines/nixos/compute01/secrets/secrets.nix b/machines/nixos/compute01/secrets/secrets.nix index 38fd800..e2c0571 100644 --- a/machines/nixos/compute01/secrets/secrets.nix +++ b/machines/nixos/compute01/secrets/secrets.nix 
@@ -25,6 +25,9 @@
 "netbox-environment_file"
 "nextcloud-adminpass_file"
 "nextcloud-s3_secret_file"
+ "nimbolus-kms_key"
+ "nimbolus-s3_access"
+ "nimbolus-s3_secret"
 "opengist-environment_file"
 "outline-oidc_client_secret_file"
 "outline-smtp_password_file"
diff --git a/meta/dns.nix b/meta/dns.nix
index fa3fd56..f9aa64e 100644
--- a/meta/dns.nix
+++ b/meta/dns.nix
@@ -82,6 +82,7 @@ let
 "gist" # Opengist
 "grafana" # Grafana
 "netbox-v2" # Netbox
+ "nimbolus" # Nimbolus Terraform Backend
 "nms" # LibreNMS
 "pads" # Hedgedoc
 "pass" # Vaultwarden
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 0485145..1fa0209 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -37,8 +37,9 @@
 "dgn-web"
 "django-apps"
 "extranix"
- "openbao"
 "forgejo-multiuser-nix-runners"
+ "nimbolus-tf"
+ "openbao"
 ])
 ++ [
 "${sources.agenix}/modules/age.nix"
diff --git a/modules/nixos/nimbolus-tf.nix b/modules/nixos/nimbolus-tf.nix
new file mode 100644
index 0000000..01a8c3e
--- /dev/null
+++ b/modules/nixos/nimbolus-tf.nix
@@ -0,0 +1,108 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+let
+ inherit (lib)
+ escapeShellArg
+ getExe
+ mkEnableOption
+ mkIf
+ mkOption
+ ;
+ inherit (lib.types)
+ attrsOf
+ package
+ path
+ str
+ ;
+
+ # from nixpkgs, commit b1371135b5db3fcf728114d92d5bd0218109598a
+ # FIXME: Should be replaced by nixpkgs lib when going to nixos-25.05
+ concatMapAttrsStringSep =
+ sep: f: attrs:
+ lib.concatStringsSep sep (lib.attrValues (lib.mapAttrs f attrs));
+
+ cfg = config.services.nimbolus-tf;
+in
+{
+ options.services.nimbolus-tf = {
+ enable = mkEnableOption "the nimbolus terraform http backend";
+ package = mkOption {
+ type = package;
+ description = ''
+ The hello package to use.
+ '';
+ example = "kat-pkgs.nimbolus-tf-backend";
+ };
+ environment = mkOption {
+ type = attrsOf str;
+ default = { };
+ description = ''
+ Environment variables for nimbolus configuration.
+ '';
+ };
+ secretEnvironment = mkOption {
+ type = attrsOf path;
+ default = { };
+ description = ''
+ Files for secret environment variables for nimbolus configuration.
+ '';
+ };
+ };
+ config = mkIf cfg.enable {
+ systemd.services."nimbolus-tf" = {
+ description = "Nimbolus terraform http backend";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ EnvironmentFile = "-/run/nimbolus-tf/env-file";
+ ExecStart = "${getExe cfg.package}";
+ ExecStartPre = "+${pkgs.writeShellScript "nimbolus-prestart" ''
+ echo -n > /run/nimbolus-tf/env-file
+ ${concatMapAttrsStringSep "\n" (
+ key: value: "echo ${escapeShellArg "${key}=${value}"} >> /run/nimbolus-tf/env-file"
+ ) cfg.environment}
+ ${concatMapAttrsStringSep "\n" (
+ key: value: ''echo "${key}=$(cat ${value})" >> /run/nimbolus-tf/env-file''
+ ) cfg.secretEnvironment}
+ chmod a+r /run/nimbolus-tf/env-file
+ ''}";
+
+ RuntimeDirectory = "nimbolus-tf";
+ RuntimeDirectoryMode = "0700";
+ StateDirectory = "nimbolus-tf";
+ StateDirectoryMode = "0700";
+ WorkingDirectory = "/var/lib/nimbolus-tf";
+
+ # Hardening
+ DynamicUser = true;
+ CapabilityBoundingSet = "";
+ PrivateDevices = true;
+ ProtectClock = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ RestrictNamespaces = true;
+ ProtectHostname = true;
+ LockPersonality = true;
+ RestrictRealtime = true;
+ ProtectHome = true;
+ ProtectProc = "noaccess";
+ ProcSubset = "pid";
+ PrivateUsers = true;
+ UMask = "0077";
+ ProtectKernelTunables = true;
+ RestrictAddressFamilies = "AF_INET AF_INET6";
+ SystemCallFilter = "~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap";
+ MemoryDenyWriteExecute = true;
+ SystemCallArchitectures = "native";
+ };
+ };
+ };
+}
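Review bot: The pre-start script in `ExecStartPre` ends with `chmod a+r /run/nimbolus-tf/env-file`, which makes a file holding the KMS key and the S3 credentials world-readable; only `RuntimeDirectoryMode = "0700"` on the parent directory keeps other local users out, so the protection rests on the directory rather than on the file itself. Since the script already runs with full privileges (`+` prefix), give the file to the service user instead, e.g. `chown nimbolus-tf /run/nimbolus-tf/env-file` followed by `chmod 0400 /run/nimbolus-tf/env-file` (with `DynamicUser` the user name defaults to the unit name, but confirm it resolves inside ExecStartPre), or drop the root pre-start in favour of systemd `LoadCredential=` if the backend can read its secrets from files. The secret line `echo "${key}=$(cat ${value})"` strips trailing newlines and yields a malformed env-file when a secret contains a newline or characters that systemd's EnvironmentFile parser treats specially; stating that constraint in the `secretEnvironment` description would save a debugging session. The `package` option description `The hello package to use.` is a leftover from the nixpkgs template and should read `The nimbolus terraform backend package to use.`.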