feat(nimbolus): init a http terraform backend

machines/nixos/compute01/_configuration.nix

@@ -28,6 +28,7 @@ lib.extra.mkConfig {
     "mastodon"
     # "netbox"
     "nextcloud"
+    "nimbolus"
     "ollama-proxy"
     "opengist"
     "outline"

machines/nixos/compute01/nimbolus.nix

@@ -0,0 +1,39 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  pkgs,
+  sources,
+  config,
+  ...
+}:
+let
+  host = "nimbolus.dgnum.eu";
+  port = 9008;
+in
+{
+  services.nimbolus-tf = {
+    enable = true;
+    package = (import sources.kat-pkgs { inherit pkgs; }).nimbolus-tf-backend;
+    environment = {
+      LISTEN_ADDR = "127.0.0.1:${toString port}";
+      STORAGE_BACKEND = "s3";
+      STORAGE_S3_ENDPOINT = "s3.dgnum.eu";
+      STORAGE_S3_USE_SSL = "true";
+      STORAGE_S3_BUCKET = "monorepo-terraform-state";
+
+      # TODO: configure openBAO
+      # AUTH_BASIC_ENABLED = "false";
+      # AUTH_JWT_OIDC_ISSUER_URL = "https://vault.dgnum.eu/v1/identity/oidc";
+    };
+    secretEnvironment = {
+      KMS_KEY = config.age.secrets."nimbolus-kms_key".path;
+      STORAGE_S3_ACCESS_KEY = config.age.secrets."nimbolus-s3_access".path;
+      STORAGE_S3_SECRET_KEY = config.age.secrets."nimbolus-s3_secret".path;
+    };
+  };
+  dgn-web.simpleProxies.nimbolus = {
+    inherit host port;
+  };
+}

machines/nixos/compute01/secrets/secrets.nix

@@ -25,6 +25,9 @@
     "netbox-environment_file"
     "nextcloud-adminpass_file"
     "nextcloud-s3_secret_file"
+    "nimbolus-kms_key"
+    "nimbolus-s3_access"
+    "nimbolus-s3_secret"
     "opengist-environment_file"
     "outline-oidc_client_secret_file"
     "outline-smtp_password_file"

meta/dns.nix

@@ -82,6 +82,7 @@ let
           "gist" # Opengist
           "grafana" # Grafana
           "netbox-v2" # Netbox
+          "nimbolus" # Nimbolus Terraform Backend
           "nms" # LibreNMS
           "pads" # Hedgedoc
           "pass" # Vaultwarden

modules/nixos/default.nix

@@ -37,8 +37,9 @@
       "dgn-web"
       "django-apps"
       "extranix"
-      "openbao"
       "forgejo-multiuser-nix-runners"
+      "nimbolus-tf"
+      "openbao"
     ])
     ++ [
       "${sources.agenix}/modules/age.nix"

modules/nixos/nimbolus-tf.nix

@@ -0,0 +1,108 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  inherit (lib)
+    escapeShellArg
+    getExe
+    mkEnableOption
+    mkIf
+    mkOption
+    ;
+  inherit (lib.types)
+    attrsOf
+    package
+    path
+    str
+    ;
+
+  # from nixpkgs, commit b1371135b5db3fcf728114d92d5bd0218109598a
+  # FIXME: Should be replaced by nixpkgs lib when going to nixos-25.05
+  concatMapAttrsStringSep =
+    sep: f: attrs:
+    lib.concatStringsSep sep (lib.attrValues (lib.mapAttrs f attrs));
+
+  cfg = config.services.nimbolus-tf;
+in
+{
+  options.services.nimbolus-tf = {
+    enable = mkEnableOption "the nimbolus terraform http backend";
+    package = mkOption {
+      type = package;
+      description = ''
+        The hello package to use.
+      '';
+      example = "kat-pkgs.nimbolus-tf-backend";
+    };
+    environment = mkOption {
+      type = attrsOf str;
+      default = { };
+      description = ''
+        Environment variables for nimbolus configuration.
+      '';
+    };
+    secretEnvironment = mkOption {
+      type = attrsOf path;
+      default = { };
+      description = ''
+        Files for secret environment variables for nimbolus configuration.
+      '';
+    };
+  };
+  config = mkIf cfg.enable {
+    systemd.services."nimbolus-tf" = {
+      description = "Nimbolus terraform http backend";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        EnvironmentFile = "-/run/nimbolus-tf/env-file";
+        ExecStart = "${getExe cfg.package}";
+        ExecStartPre = "+${pkgs.writeShellScript "nimbolus-prestart" ''
+          echo -n > /run/nimbolus-tf/env-file
+          ${concatMapAttrsStringSep "\n" (
+            key: value: "echo ${escapeShellArg "${key}=${value}"} >> /run/nimbolus-tf/env-file"
+          ) cfg.environment}
+          ${concatMapAttrsStringSep "\n" (
+            key: value: ''echo "${key}=$(cat ${value})" >> /run/nimbolus-tf/env-file''
+          ) cfg.secretEnvironment}
+          chmod a+r /run/nimbolus-tf/env-file
+        ''}";
+
+        RuntimeDirectory = "nimbolus-tf";
+        RuntimeDirectoryMode = "0700";
+        StateDirectory = "nimbolus-tf";
+        StateDirectoryMode = "0700";
+        WorkingDirectory = "/var/lib/nimbolus-tf";
+
+        # Hardening
+        DynamicUser = true;
+        CapabilityBoundingSet = "";
+        PrivateDevices = true;
+        ProtectClock = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        RestrictNamespaces = true;
+        ProtectHostname = true;
+        LockPersonality = true;
+        RestrictRealtime = true;
+        ProtectHome = true;
+        ProtectProc = "noaccess";
+        ProcSubset = "pid";
+        PrivateUsers = true;
+        UMask = "0077";
+        ProtectKernelTunables = true;
+        RestrictAddressFamilies = "AF_INET AF_INET6";
+        SystemCallFilter = "~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap";
+        MemoryDenyWriteExecute = true;
+        SystemCallArchitectures = "native";
+      };
+    };
+  };
+}