feat(nimbolus): init a http terraform backend

2025-06-11 17:14:30 +02:00 · 2025-06-11 17:14:30 +02:00 · d756a39e09
commit d756a39e09
parent 4adf9b2286
5 changed files with 142 additions and 1 deletions
--- a/machines/nixos/compute01/_configuration.nix
+++ b/machines/nixos/compute01/_configuration.nix
@ -28,6 +28,7 @@ lib.extra.mkConfig {
    "mastodon"
    # "netbox"
    "nextcloud"
+    "nimbolus"
    "ollama-proxy"
    "opengist"
    "outline"
--- a/machines/nixos/compute01/nimbolus.nix
+++ b/machines/nixos/compute01/nimbolus.nix
@ -0,0 +1,35 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ pkgs, sources, ... }:
+let
+  host = "nimbolus.dgnum.eu";
+  port = 9008;
+in
+{
+  services.nimbolus-tf = {
+    enable = true;
+    package = (import sources.kat-pkgs { inherit pkgs; }).nimbolus-tf-backend;
+    environment = {
+      LISTEN_ADDR = "127.0.0.1:${toString port}";
+      STORAGE_BACKEND = "s3";
+      STORAGE_S3_ENDPOINT = "s3.dgnum.eu";
+      STORAGE_S3_USE_SSL = "true";
+      STORAGE_S3_BUCKET = "monorepo-terraform-state";
+
+      # TODO: configure openBAO
+      # AUTH_BASIC_ENABLED = "false";
+      # AUTH_JWT_OIDC_ISSUER_URL = "https://vault.dgnum.eu/v1/identity/oidc";
+    };
+    secretEnvironment = {
+      # FIXME: use agenix and real secrets
+      KMS_KEY = pkgs.writeText "nimbolus-kms-unsecure" "nVbFN9o4rIP2qi0SWtcgNZlWolrF61/Drx3YxeQTSZk=";
+      STORAGE_S3_ACCESS_KEY = pkgs.writeText "unsecure" "KEYID";
+      STORAGE_S3_SECRET_KEY = pkgs.writeText "unsecure" "KEYSECRET";
+    };
+  };
+  dgn-web.simpleProxies.nimbolus = {
+    inherit host port;
+  };
+}
--- a/meta/dns.nix
+++ b/meta/dns.nix
@ -82,6 +82,7 @@ let
          "gist" # Opengist
          "grafana" # Grafana
          "netbox-v2" # Netbox
+          "nimbolus" # Nimbolus Terraform Backend
          "nms" # LibreNMS
          "pads" # Hedgedoc
          "pass" # Vaultwarden
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@ -37,8 +37,9 @@
      "dgn-web"
      "django-apps"
      "extranix"
-      "openbao"
      "forgejo-multiuser-nix-runners"
+      "nimbolus-tf"
+      "openbao"
    ])
    ++ [
      "${sources.agenix}/modules/age.nix"
--- a/modules/nixos/nimbolus-tf.nix
+++ b/modules/nixos/nimbolus-tf.nix
@ -0,0 +1,103 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  inherit (lib)
+    concatMapAttrsStringSep
+    escapeShellArg
+    getExe
+    mkEnableOption
+    mkIf
+    mkOption
+    ;
+  inherit (lib.types)
+    attrsOf
+    package
+    path
+    str
+    ;
+
+  cfg = config.services.nimbolus-tf;
+in
+{
+  options.services.nimbolus-tf = {
+    enable = mkEnableOption "the nimbolus terraform http backend";
+    package = mkOption {
+      type = package;
+      description = ''
+        The hello package to use.
+      '';
+      example = "kat-pkgs.nimbolus-tf-backend";
+    };
+    environment = mkOption {
+      type = attrsOf str;
+      default = { };
+      description = ''
+        Environment variables for nimbolus configuration.
+      '';
+    };
+    secretEnvironment = mkOption {
+      type = attrsOf path;
+      default = { };
+      description = ''
+        Files for secret environment variables for nimbolus configuration.
+      '';
+    };
+  };
+  config = mkIf cfg.enable {
+    systemd.services."nimbolus-tf" = {
+      description = "Nimbolus terraform http backend";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        EnvironmentFile = "-/run/nimbolus-tf/env-file";
+        ExecStart = "${getExe cfg.package}";
+        ExecStartPre = "+${pkgs.writeShellScript "nimbolus-prestart" ''
+          echo -n > /run/nimbolus-tf/env-file
+          ${concatMapAttrsStringSep "\n" (
+            key: value: "echo ${escapeShellArg "${key}=${value}"} >> /run/nimbolus-tf/env-file"
+          ) cfg.environment}
+          ${concatMapAttrsStringSep "\n" (
+            key: value: ''echo "${key}=$(cat ${value})" >> /run/nimbolus-tf/env-file''
+          ) cfg.secretEnvironment}
+          chmod a+r /run/nimbolus-tf/env-file
+        ''}";
+
+        RuntimeDirectory = "nimbolus-tf";
+        RuntimeDirectoryMode = "0700";
+        StateDirectory = "nimbolus-tf";
+        StateDirectoryMode = "0700";
+        WorkingDirectory = "/var/lib/nimbolus-tf";
+
+        # Hardening
+        DynamicUser = true;
+        CapabilityBoundingSet = "";
+        PrivateDevices = true;
+        ProtectClock = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        RestrictNamespaces = true;
+        ProtectHostname = true;
+        LockPersonality = true;
+        RestrictRealtime = true;
+        ProtectHome = true;
+        ProtectProc = "noaccess";
+        ProcSubset = "pid";
+        PrivateUsers = true;
+        UMask = "0077";
+        ProtectKernelTunables = true;
+        RestrictAddressFamilies = "AF_INET AF_INET6";
+        SystemCallFilter = "~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap";
+        MemoryDenyWriteExecute = true;
+        SystemCallArchitectures = "native";
+      };
+    };
+  };
+}