diff --git a/machines/nixos/compute01/_configuration.nix b/machines/nixos/compute01/_configuration.nix index 7e45eea..6689130 100644 --- a/machines/nixos/compute01/_configuration.nix +++ b/machines/nixos/compute01/_configuration.nix @@ -28,6 +28,7 @@ lib.extra.mkConfig { "mastodon" # "netbox" "nextcloud" + "nimbolus" "ollama-proxy" "opengist" "outline" diff --git a/machines/nixos/compute01/nimbolus/default.nix b/machines/nixos/compute01/nimbolus/default.nix new file mode 100644 index 0000000..45188a0 --- /dev/null +++ b/machines/nixos/compute01/nimbolus/default.nix @@ -0,0 +1,43 @@ +# SPDX-FileCopyrightText: 2025 Lubin Bailly +# +# SPDX-License-Identifier: EUPL-1.2 + +{ + pkgs, + sources, + config, + ... +}: +let + host = "nimbolus.dgnum.eu"; + port = 9008; +in +{ + imports = [ ./module.nix ]; + services.nimbolus-tf = { + enable = true; + package = (import sources.kat-pkgs { inherit pkgs; }).nimbolus-tf-backend; + settings = { + LISTEN_ADDR = "127.0.0.1:${toString port}"; + + STORAGE_BACKEND = "s3"; + STORAGE_S3_ENDPOINT = "s3.dgnum.eu"; + STORAGE_S3_USE_SSL = "true"; + STORAGE_S3_BUCKET = "nimbolus-dgnum"; + STORAGE_S3_ACCESS_KEY = "GKefa111701f349de3988f0010"; + + # TODO: configure openBAO + # AUTH_BASIC_ENABLED = "false"; + # AUTH_JWT_OIDC_ISSUER_URL = "https://vault.dgnum.eu/v1/identity/oidc"; + }; + + credentials = { + KMS_KEY_FILE = config.age.secrets."nimbolus-kms_key".path; + STORAGE_S3_SECRET_KEY_FILE = config.age.secrets."nimbolus-s3_secret".path; + }; + }; + + dgn-web.simpleProxies.nimbolus = { + inherit host port; + }; +} diff --git a/machines/nixos/compute01/nimbolus/module.nix b/machines/nixos/compute01/nimbolus/module.nix new file mode 100644 index 0000000..626dc61 --- /dev/null +++ b/machines/nixos/compute01/nimbolus/module.nix @@ -0,0 +1,104 @@ +# SPDX-FileCopyrightText: 2025 Lubin Bailly +# +# SPDX-License-Identifier: EUPL-1.2 + +{ + lib, + config, + sources, + pkgs, + ... +}: +let + inherit (lib) + getExe + mapAttrsToList + mkEnableOption + mkIf + mkPackageOption + mkOption + ; + inherit (lib.types) + attrsOf + path + str + ; + + cfg = config.services.nimbolus-tf; +in +{ + options.services.nimbolus-tf = { + enable = mkEnableOption "the nimbolus terraform http backend"; + package = mkPackageOption (import sources.kat-pkgs { inherit pkgs; }) "nimbolus-tf-backend" { + pkgsText = "kat-pkgs"; + }; + user = mkOption { + type = str; + description = '' + User used by the nimbolus server. + ''; + default = "nimbolus"; + }; + group = mkOption { + type = str; + description = '' + Group used by the nimbolus server. + ''; + default = "nimbolus"; + }; + settings = mkOption { + type = attrsOf str; + default = { }; + description = '' + Environment variables for nimbolus configuration. + ''; + }; + credentials = mkOption { + type = attrsOf path; + default = { }; + description = '' + Files to pass by systemd LoadCredentials. + ''; + }; + }; + config = mkIf cfg.enable { + systemd.services.nimbolus-tf = { + description = "Nimbolus terraform http backend"; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = getExe cfg.package; + Environment = + mapAttrsToList (name: value: "${name}=${value}") cfg.settings + ++ mapAttrsToList (name: _: "${name}=%d/${name}") cfg.credentials; + LoadCredential = mapAttrsToList (name: file: "${name}:${file}") cfg.credentials; + + StateDirectory = "nimbolus-tf"; + StateDirectoryMode = "0700"; + WorkingDirectory = "/var/lib/nimbolus-tf"; + + # Hardening + DynamicUser = true; + CapabilityBoundingSet = ""; + PrivateDevices = true; + ProtectClock = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + ProtectKernelModules = true; + RestrictNamespaces = true; + ProtectHostname = true; + LockPersonality = true; + RestrictRealtime = true; + ProtectHome = true; + ProtectProc = "noaccess"; + ProcSubset = "pid"; + PrivateUsers = true; + UMask = "0077"; + ProtectKernelTunables = true; + RestrictAddressFamilies = "AF_INET AF_INET6"; + SystemCallFilter = "~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap"; + MemoryDenyWriteExecute = true; + SystemCallArchitectures = "native"; + }; + }; + }; +} diff --git a/machines/nixos/compute01/secrets/nimbolus-kms_key b/machines/nixos/compute01/secrets/nimbolus-kms_key new file mode 100644 index 0000000..3235990 Binary files /dev/null and b/machines/nixos/compute01/secrets/nimbolus-kms_key differ diff --git a/machines/nixos/compute01/secrets/nimbolus-s3_secret b/machines/nixos/compute01/secrets/nimbolus-s3_secret new file mode 100644 index 0000000..dc6c234 Binary files /dev/null and b/machines/nixos/compute01/secrets/nimbolus-s3_secret differ diff --git a/machines/nixos/compute01/secrets/secrets.nix b/machines/nixos/compute01/secrets/secrets.nix index 38fd800..442f9ad 100644 --- a/machines/nixos/compute01/secrets/secrets.nix +++ b/machines/nixos/compute01/secrets/secrets.nix @@ -25,6 +25,8 @@ "netbox-environment_file" "nextcloud-adminpass_file" "nextcloud-s3_secret_file" + "nimbolus-kms_key" + "nimbolus-s3_secret" "opengist-environment_file" "outline-oidc_client_secret_file" "outline-smtp_password_file" diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 0485145..1477855 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -37,8 +37,8 @@ "dgn-web" "django-apps" "extranix" - "openbao" "forgejo-multiuser-nix-runners" + "openbao" ]) ++ [ "${sources.agenix}/modules/age.nix"