diff --git a/machines/nixos/compute01/nimbolus.nix b/machines/nixos/compute01/nimbolus/default.nix similarity index 71% rename from machines/nixos/compute01/nimbolus.nix rename to machines/nixos/compute01/nimbolus/default.nix index c981d12..5150323 100644 --- a/machines/nixos/compute01/nimbolus.nix +++ b/machines/nixos/compute01/nimbolus/default.nix @@ -13,26 +13,29 @@ let port = 9008; in { + import = [ ./module.nix ]; services.nimbolus-tf = { enable = true; package = (import sources.kat-pkgs { inherit pkgs; }).nimbolus-tf-backend; - environment = { + settings = { LISTEN_ADDR = "127.0.0.1:${toString port}"; + KMS_KEY_PATH = config.age.secrets."nimbolus-kms_key".path; + STORAGE_BACKEND = "s3"; STORAGE_S3_ENDPOINT = "s3.dgnum.eu"; STORAGE_S3_USE_SSL = "true"; STORAGE_S3_BUCKET = "nimbolus-dgnum"; + STORAGE_S3_ACCESS_KEY = "GKefa111701f349de3988f0010"; + STORAGE_S3_SECRET_KEY_FILE = config.age.secrets."nimbolus-s3_secret".path; # TODO: configure openBAO # AUTH_BASIC_ENABLED = "false"; # AUTH_JWT_OIDC_ISSUER_URL = "https://vault.dgnum.eu/v1/identity/oidc"; }; - secretEnvironment = { - KMS_KEY = config.age.secrets."nimbolus-kms_key".path; - STORAGE_S3_ACCESS_KEY = config.age.secrets."nimbolus-s3_access".path; - STORAGE_S3_SECRET_KEY = config.age.secrets."nimbolus-s3_secret".path; - }; }; + + age-secrets.autoMatch = [ "nimbolus" ]; + dgn-web.simpleProxies.nimbolus = { inherit host port; }; diff --git a/modules/nixos/nimbolus-tf.nix b/machines/nixos/compute01/nimbolus/module.nix similarity index 57% rename from modules/nixos/nimbolus-tf.nix rename to machines/nixos/compute01/nimbolus/module.nix index 01a8c3e..10d1bcc 100644 --- a/modules/nixos/nimbolus-tf.nix +++ b/machines/nixos/compute01/nimbolus/module.nix 
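Review bot: The added `import = [ ./module.nix ];` line uses the wrong attribute name — the NixOS module system expects `imports`, so as written this is read as a definition of a non-existent `import` option and evaluation should fail before the new `settings` wiring is ever exercised; change it to `imports = [ ./module.nix ];`. Separately, `STORAGE_S3_ACCESS_KEY` moves from an age-encrypted secret (`nimbolus-s3_access`, deleted in this commit) to a literal in the Nix expression, which lands world-readable in the Nix store and in the generated unit file; if the key ID is considered non-sensitive that is acceptable, but it should be stated with a short comment such as `# access key ID only, not secret; the secret key stays in agenix`. The `KMS_KEY_PATH` and `STORAGE_S3_SECRET_KEY_FILE` names assume the nimbolus backend reads file-path variants of those variables — worth confirming against its documented environment, since a silently ignored variable would leave the service without a KMS key or S3 credential rather than failing loudly. Because the service now runs as a static `nimbolus` user instead of a DynamicUser, the referenced age secret files must be readable by that user; presumably `age-secrets.autoMatch` sets the ownership, but that is not visible in this hunk.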
@@ -5,83 +5,71 @@ { lib, config, + sources, pkgs, ... }: let inherit (lib) - escapeShellArg getExe + mapAttrsToList mkEnableOption mkIf + mkPackageOption mkOption ; inherit (lib.types) attrsOf - package - path str ; - # from nixpkgs, commit b1371135b5db3fcf728114d92d5bd0218109598a - # FIXME: Should be replaced by nixpkgs lib when going to nixos-25.05 - concatMapAttrsStringSep = - sep: f: attrs: - lib.concatStringsSep sep (lib.attrValues (lib.mapAttrs f attrs)); - cfg = config.services.nimbolus-tf; in { options.services.nimbolus-tf = { - enable = mkEnableOption "the nimbolus terraform http backend"; - package = mkOption { - type = package; + enable = mkEnableOption "the nimbolus terraform http backend" { pkgsText = "kat-pkgs"; }; + package = mkPackageOption (import sources.kat-pkgs { inherit pkgs; }) "nimbolus-tf-backend"; + user = mkOption { + type = str; description = '' - The hello package to use. + User used by the nimbolus server. ''; - example = "kat-pkgs.nimbolus-tf-backend"; + default = "nimbolus"; }; - environment = mkOption { + group = mkOption { + type = str; + description = '' + Group used by the nimbolus server. + ''; + default = "nimbolus"; + }; + settings = mkOption { type = attrsOf str; default = { }; description = '' Environment variables for nimbolus configuration. ''; }; - secretEnvironment = mkOption { - type = attrsOf path; - default = { }; - description = '' - Files for secret environment variables for nimbolus configuration. 
- ''; - }; }; config = mkIf cfg.enable { + users = { + users.${cfg.user}.isSystemUser = true; + groups.${cfg.group} = { }; + }; systemd.services."nimbolus-tf" = { description = "Nimbolus terraform http backend"; wantedBy = [ "multi-user.target" ]; serviceConfig = { - EnvironmentFile = "-/run/nimbolus-tf/env-file"; - ExecStart = "${getExe cfg.package}"; - ExecStartPre = "+${pkgs.writeShellScript "nimbolus-prestart" '' - echo -n > /run/nimbolus-tf/env-file - ${concatMapAttrsStringSep "\n" ( - key: value: "echo ${escapeShellArg "${key}=${value}"} >> /run/nimbolus-tf/env-file" - ) cfg.environment} - ${concatMapAttrsStringSep "\n" ( - key: value: ''echo "${key}=$(cat ${value})" >> /run/nimbolus-tf/env-file'' - ) cfg.secretEnvironment} - chmod a+r /run/nimbolus-tf/env-file - ''}"; + ExecStart = getExe cfg.package; + Environment = mapAttrsToList (name: value: "${name}=${value}") cfg.settings; + User = cfg.user; + Group = cfg.group; - RuntimeDirectory = "nimbolus-tf"; - RuntimeDirectoryMode = "0700"; StateDirectory = "nimbolus-tf"; StateDirectoryMode = "0700"; WorkingDirectory = "/var/lib/nimbolus-tf"; # Hardening - DynamicUser = true; CapabilityBoundingSet = ""; PrivateDevices = true; ProtectClock = true; diff --git a/machines/nixos/compute01/secrets/nimbolus-s3_access b/machines/nixos/compute01/secrets/nimbolus-s3_access deleted file mode 100644 index ef8f005..0000000 --- a/machines/nixos/compute01/secrets/nimbolus-s3_access +++ /dev/null 
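Review bot: The new option declarations are mis-applied: `mkEnableOption` takes only the name, so `mkEnableOption "the nimbolus terraform http backend" { pkgsText = "kat-pkgs"; }` applies the returned option attrset to an argument, while `mkPackageOption (import sources.kat-pkgs { inherit pkgs; }) "nimbolus-tf-backend"` is missing its third (attrset) argument and yields a partially applied function instead of an option — the `{ pkgsText = ... }` belongs on the package line: `enable = mkEnableOption "the nimbolus terraform http backend";` and `package = mkPackageOption (import sources.kat-pkgs { inherit pkgs; }) "nimbolus-tf-backend" { pkgsText = "kat-pkgs"; };`. Dropping the root-run `ExecStartPre` that wrote secrets into a `chmod a+r` env file is a genuine improvement, but `settings` now lands verbatim in `Environment=` in the unit file, which is world-readable under `/etc/systemd/system` and via `systemctl show`, so the option description should warn about it, e.g. `Environment variables for nimbolus configuration. Do not put secrets here (the unit file is world-readable); use the *_FILE / *_PATH variables to point at secret files instead.` The hand-rolled `mapAttrsToList (name: value: "${name}=${value}")` also does no quoting, so a value containing whitespace would be split by systemd; assigning `cfg.settings` to `systemd.services.nimbolus-tf.environment` instead lets NixOS emit the quoted `Environment=` entries. The `serviceConfig` hardening block continues past the end of this hunk.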
@@ -1,32 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 ZIo4kw POP274mkHkdXwYJ/yaU9li2G2t9p0tAQ0qOQslPFoCA -p5yYZyPRNMYRV9KPM7oMuu1LTTDMrmQ8il0r77Pi4rI --> ssh-ed25519 9/PCvA o1gN3ulajleNwhPm40inSZluZ09SOuNKIfLr8mB8G08 -OMoMGTxI/rwojuWiSgDj5WAU58eOATL5VSkzvsVZuRY --> ssh-ed25519 prNEsA S3ekdfgp2pf9/jL32HAtuhQKuYPxaWz/lOjD+FkPplg -Qs+Cw/Gbjn2FfUgJTvgobpk9swv5b+Rq059DsyHbWCg --> ssh-ed25519 jIXfPA LAtduj5GKqSHoYC+9fkRu3VYD1r9QzCxkGAx0if+OkU -KEa96ZNVFoRoLyO0jjjPbE2bwjhfdMveIYbz1FZqaY4 --> ssh-ed25519 QlRB9Q HJLzZP4ZRAQnppS8h23UY906doGq14Z4rpVu8tVVIhA -3tT2RANs5JKBl229MEhQQqHekvwMKIMtdDTrPUK9iDk --> ssh-ed25519 r+nK/Q e4CBPPh8S1Cpb/tDW5zsJbBGw4yZBt5R1va06fsA6D4 -UPLQ0Tp0TJigQZNK3vHMZ7Svg4YSAJtWNmXwQW+Kij0 --> ssh-rsa krWCLQ -P4oOUJ8k3OzSmUScG3zux7xmPcYYVU1U2AbUb2OLVcoGPoRwiWMybjH7EfG9Ueor -aqUqe1MMsIXD9NILZyM9Sczqlyevuynxhu278Q6zuU717PfG6bRGd3BoQAJ69z+F -X8qifC9xc2qdQyrM++sH0h36q9fDC7O5h7nMQz+zWNWNEXiC0dsz1P4yIeIBpqQM -myalb7rTu+/W20LcdbDOMZeuxakNcJ3W/szQMOPNSRy8wPOga1MSpeuHZc1cS1ba -0KsSkx0tI6FLXeKSQR9nqlmvAkxm17dxVDF0qkXySQoEfiwhZ1iAu5ZeJgJIQEmv -FmkJayZk3hk9+mihZObi+A --> ssh-ed25519 /vwQcQ 4WrpX5IptFqXZ/GBMvyF1KJBIeaOXk7ISt0N85KYi1A -G647eAYBiLyNT7xhm4TQ2lWy55GGI8SS7mXc+2SQ1ZY --> ssh-ed25519 0R97PA DicfWMBlCXplVkn7EO+G/vyJ0xgUqJIP4FjYj4ed/Hg -BShfq85PHCbQpYTG1pD/Zx8TJ7ppzZYYd5QpVFGnMj4 --> ssh-ed25519 JGx7Ng 37y90Dug3tzTulq9Fd/4ZynuG6OCDqckIqXHR2G5GFA -zZNB/MJDNcm8CDByA23CBGqEBTbbX73cSXy7V7927vk --> ssh-ed25519 bUjjig jjnr0nN3S7CBkF77EkUYV/yZ0os2H3t3Vy6r2XuxF14 -wz6x/Rvqq3oUCYJaGcWIK9xEEY6aZUqnk0Ve7trFfF0 --> ssh-ed25519 tDqJRg RDDHbdgqHh8flC0QO2hwQxX0caS+tbiM8OzIpVrNqBw -yVxHVzLPYd1F3upLpaQzu1d3V7il7aZBocBegL6DdJ4 ---- eiwmc9p33AICiJ3GOnfj3n2+gfS39jf0NgD681w8HG4 -qo/Ta`?ABe̫j|⩥WBC \ No newline at end of file diff --git a/machines/nixos/compute01/secrets/secrets.nix b/machines/nixos/compute01/secrets/secrets.nix index e2c0571..442f9ad 100644 --- a/machines/nixos/compute01/secrets/secrets.nix +++ b/machines/nixos/compute01/secrets/secrets.nix 
@@ -26,7 +26,6 @@ "nextcloud-adminpass_file" "nextcloud-s3_secret_file" "nimbolus-kms_key" - "nimbolus-s3_access" "nimbolus-s3_secret" "opengist-environment_file" "outline-oidc_client_secret_file" diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 1fa0209..1477855 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -38,7 +38,6 @@ "django-apps" "extranix" "forgejo-multiuser-nix-runners" - "nimbolus-tf" "openbao" ]) ++ [