5514618d21
feat(nimbolus): init a http terraform backend
Some checks failed
Check meta / check_dns (pull_request) Successful in 16s
Check workflows / check_workflows (pull_request) Successful in 19s
Build all the nodes / Jaccess01 (pull_request) Successful in 23s
Build all the nodes / Jaccess04 (pull_request) Successful in 26s
Run pre-commit on all files / pre-commit (push) Successful in 29s
Build all the nodes / compute01 (pull_request) Failing after 28s
Run pre-commit on all files / pre-commit (pull_request) Successful in 32s
Build all the nodes / ap01 (pull_request) Successful in 40s
Build all the nodes / netcore01 (pull_request) Successful in 23s
Build all the nodes / hypervisor01 (pull_request) Successful in 54s
Build all the nodes / cof02 (pull_request) Successful in 57s
Build all the nodes / bridge01 (pull_request) Successful in 59s
Build all the nodes / geo01 (pull_request) Successful in 57s
Build all the nodes / geo02 (pull_request) Successful in 58s
Build all the nodes / build01 (pull_request) Successful in 1m2s
Build all the nodes / hypervisor02 (pull_request) Successful in 49s
Build all the nodes / hypervisor03 (pull_request) Successful in 49s
Build all the nodes / netcore02 (pull_request) Successful in 27s
Build all the nodes / lab-router01 (pull_request) Successful in 46s
Build all the nodes / iso (pull_request) Successful in 57s
Build the shell / build-shell (pull_request) Successful in 22s
Build all the nodes / tower01 (pull_request) Successful in 45s
Build all the nodes / web02 (pull_request) Successful in 54s
Build all the nodes / web03 (pull_request) Successful in 1m5s
Build all the nodes / krz01 (pull_request) Successful in 1m45s
Build all the nodes / zulip01 (pull_request) Successful in 1m4s
Build all the nodes / vault01 (pull_request) Successful in 1m14s
Build all the nodes / rescue01 (pull_request) Successful in 1m21s
Build all the nodes / web01 (pull_request) Successful in 1m14s
Build all the nodes / storage01 (pull_request) Successful in 1m21s
2025-06-15 13:37:27 +02:00
5 changed files with 34 additions and 77 deletions


@ -13,26 +13,29 @@ let
port = 9008;
in
{
import = [ ./module.nix ];
services.nimbolus-tf = {
enable = true;
package = (import sources.kat-pkgs { inherit pkgs; }).nimbolus-tf-backend;
environment = {
settings = {
LISTEN_ADDR = "127.0.0.1:${toString port}";
KMS_KEY_PATH = config.age.secrets."nimbolus-kms_key".path;
STORAGE_BACKEND = "s3";
STORAGE_S3_ENDPOINT = "s3.dgnum.eu";
STORAGE_S3_USE_SSL = "true";
STORAGE_S3_BUCKET = "nimbolus-dgnum";
STORAGE_S3_ACCESS_KEY = "GKefa111701f349de3988f0010";
STORAGE_S3_SECRET_KEY_FILE = config.age.secrets."nimbolus-s3_secret".path;
# TODO: configure openBAO
# AUTH_BASIC_ENABLED = "false";
# AUTH_JWT_OIDC_ISSUER_URL = "https://vault.dgnum.eu/v1/identity/oidc";
};
secretEnvironment = {
KMS_KEY = config.age.secrets."nimbolus-kms_key".path;
STORAGE_S3_ACCESS_KEY = config.age.secrets."nimbolus-s3_access".path;
STORAGE_S3_SECRET_KEY = config.age.secrets."nimbolus-s3_secret".path;
};
};
age-secrets.autoMatch = [ "nimbolus" ];
dgn-web.simpleProxies.nimbolus = {
inherit host port;
};
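Review bot: `import = [ ./module.nix ];` is not a module option — NixOS expects `imports = [ ./module.nix ];`, and as written evaluation should fail with "The option `import' does not exist", which may well be the compute01 failure reported on this commit. The backend is also published through `dgn-web.simpleProxies.nimbolus` while `AUTH_BASIC_ENABLED` / `AUTH_JWT_OIDC_ISSUER_URL` stay commented out under a TODO; Terraform state routinely carries credentials, so confirm what the package does when no auth is configured before exposing it, or leave the proxy entry out until OpenBao is wired. Moving `STORAGE_S3_ACCESS_KEY` from an age secret to a string literal puts the key id into the world-readable Nix store and the repo history; if the intent is that the key id is not sensitive, say so next to it, e.g. `# key id only; the secret key stays in age`. The service reads `config.age.secrets."nimbolus-kms_key".path` and `..."nimbolus-s3_secret".path` as the service user, so those files need an owner/mode that user can read — worth checking that `age-secrets.autoMatch` arranges this.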


@ -5,83 +5,71 @@
{
lib,
config,
sources,
pkgs,
...
}:
let
inherit (lib)
escapeShellArg
getExe
mapAttrsToList
mkEnableOption
mkIf
mkPackageOption
mkOption
;
inherit (lib.types)
attrsOf
package
path
str
;
# from nixpkgs, commit b1371135b5db3fcf728114d92d5bd0218109598a
# FIXME: Should be replaced by nixpkgs lib when going to nixos-25.05
concatMapAttrsStringSep =
sep: f: attrs:
lib.concatStringsSep sep (lib.attrValues (lib.mapAttrs f attrs));
cfg = config.services.nimbolus-tf;
in
{
options.services.nimbolus-tf = {
enable = mkEnableOption "the nimbolus terraform http backend";
package = mkOption {
type = package;
enable = mkEnableOption "the nimbolus terraform http backend" { pkgsText = "kat-pkgs"; };
package = mkPackageOption (import sources.kat-pkgs { inherit pkgs; }) "nimbolus-tf-backend";
user = mkOption {
type = str;
description = ''
The hello package to use.
User used by the nimbolus server.
'';
example = "kat-pkgs.nimbolus-tf-backend";
default = "nimbolus";
};
environment = mkOption {
group = mkOption {
type = str;
description = ''
Group used by the nimbolus server.
'';
default = "nimbolus";
};
settings = mkOption {
type = attrsOf str;
default = { };
description = ''
Environment variables for nimbolus configuration.
'';
};
secretEnvironment = mkOption {
type = attrsOf path;
default = { };
description = ''
Files for secret environment variables for nimbolus configuration.
'';
};
};
config = mkIf cfg.enable {
users = {
users.${cfg.user}.isSystemUser = true;
groups.${cfg.group} = { };
};
systemd.services."nimbolus-tf" = {
description = "Nimbolus terraform http backend";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
EnvironmentFile = "-/run/nimbolus-tf/env-file";
ExecStart = "${getExe cfg.package}";
ExecStartPre = "+${pkgs.writeShellScript "nimbolus-prestart" ''
echo -n > /run/nimbolus-tf/env-file
${concatMapAttrsStringSep "\n" (
key: value: "echo ${escapeShellArg "${key}=${value}"} >> /run/nimbolus-tf/env-file"
) cfg.environment}
${concatMapAttrsStringSep "\n" (
key: value: ''echo "${key}=$(cat ${value})" >> /run/nimbolus-tf/env-file''
) cfg.secretEnvironment}
chmod a+r /run/nimbolus-tf/env-file
''}";
ExecStart = getExe cfg.package;
Environment = mapAttrsToList (name: value: "${name}=${value}") cfg.settings;
User = cfg.user;
Group = cfg.group;
RuntimeDirectory = "nimbolus-tf";
RuntimeDirectoryMode = "0700";
StateDirectory = "nimbolus-tf";
StateDirectoryMode = "0700";
WorkingDirectory = "/var/lib/nimbolus-tf";
# Hardening
DynamicUser = true;
CapabilityBoundingSet = "";
PrivateDevices = true;
ProtectClock = true;
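Review bot: `users.users.${cfg.user}.isSystemUser = true;` sets no `group`, and nixpkgs asserts that every system user has `users.users.<name>.group` set, so evaluation should fail here; write `users.users.${cfg.user} = { isSystemUser = true; group = cfg.group; };` instead. `DynamicUser = true` is kept next to the static `User`/`Group`; systemd will reuse the existing user and skip allocation, so the two mechanisms are redundant and one should go. `Environment = mapAttrsToList (name: value: "${name}=${value}") cfg.settings` passes values unquoted, so a setting containing whitespace would be split into several assignments by systemd — either document that restriction on `settings` or quote the values. If the ExecStartPre script is gone, `escapeShellArg` and the `concatMapAttrsStringSep` shim appear unused now. The `serviceConfig` block continues past the end of the hunk.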


@ -1,32 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 ZIo4kw POP274mkHkdXwYJ/yaU9li2G2t9p0tAQ0qOQslPFoCA
p5yYZyPRNMYRV9KPM7oMuu1LTTDMrmQ8il0r77Pi4rI
-> ssh-ed25519 9/PCvA o1gN3ulajleNwhPm40inSZluZ09SOuNKIfLr8mB8G08
OMoMGTxI/rwojuWiSgDj5WAU58eOATL5VSkzvsVZuRY
-> ssh-ed25519 prNEsA S3ekdfgp2pf9/jL32HAtuhQKuYPxaWz/lOjD+FkPplg
Qs+Cw/Gbjn2FfUgJTvgobpk9swv5b+Rq059DsyHbWCg
-> ssh-ed25519 jIXfPA LAtduj5GKqSHoYC+9fkRu3VYD1r9QzCxkGAx0if+OkU
KEa96ZNVFoRoLyO0jjjPbE2bwjhfdMveIYbz1FZqaY4
-> ssh-ed25519 QlRB9Q HJLzZP4ZRAQnppS8h23UY906doGq14Z4rpVu8tVVIhA
3tT2RANs5JKBl229MEhQQqHekvwMKIMtdDTrPUK9iDk
-> ssh-ed25519 r+nK/Q e4CBPPh8S1Cpb/tDW5zsJbBGw4yZBt5R1va06fsA6D4
UPLQ0Tp0TJigQZNK3vHMZ7Svg4YSAJtWNmXwQW+Kij0
-> ssh-rsa krWCLQ
P4oOUJ8k3OzSmUScG3zux7xmPcYYVU1U2AbUb2OLVcoGPoRwiWMybjH7EfG9Ueor
aqUqe1MMsIXD9NILZyM9Sczqlyevuynxhu278Q6zuU717PfG6bRGd3BoQAJ69z+F
X8qifC9xc2qdQyrM++sH0h36q9fDC7O5h7nMQz+zWNWNEXiC0dsz1P4yIeIBpqQM
myalb7rTu+/W20LcdbDOMZeuxakNcJ3W/szQMOPNSRy8wPOga1MSpeuHZc1cS1ba
0KsSkx0tI6FLXeKSQR9nqlmvAkxm17dxVDF0qkXySQoEfiwhZ1iAu5ZeJgJIQEmv
FmkJayZk3hk9+mihZObi+A
-> ssh-ed25519 /vwQcQ 4WrpX5IptFqXZ/GBMvyF1KJBIeaOXk7ISt0N85KYi1A
G647eAYBiLyNT7xhm4TQ2lWy55GGI8SS7mXc+2SQ1ZY
-> ssh-ed25519 0R97PA DicfWMBlCXplVkn7EO+G/vyJ0xgUqJIP4FjYj4ed/Hg
BShfq85PHCbQpYTG1pD/Zx8TJ7ppzZYYd5QpVFGnMj4
-> ssh-ed25519 JGx7Ng 37y90Dug3tzTulq9Fd/4ZynuG6OCDqckIqXHR2G5GFA
zZNB/MJDNcm8CDByA23CBGqEBTbbX73cSXy7V7927vk
-> ssh-ed25519 bUjjig jjnr0nN3S7CBkF77EkUYV/yZ0os2H3t3Vy6r2XuxF14
wz6x/Rvqq3oUCYJaGcWIK9xEEY6aZUqnk0Ve7trFfF0
-> ssh-ed25519 tDqJRg RDDHbdgqHh8flC0QO2hwQxX0caS+tbiM8OzIpVrNqBw
yVxHVzLPYd1F3upLpaQzu1d3V7il7aZBocBegL6DdJ4
--- eiwmc9p33AICiJ3GOnfj3n2+gfS39jf0NgD681w8HG4
Ðqo¦ÔÊþ‰/Taï`´­ù<C2AD>Žº—ö?AæBeÌ«ÒÛj |Šâ©¥õœÐWBÈýCˆ<43>©å¿


@ -26,7 +26,6 @@
"nextcloud-adminpass_file"
"nextcloud-s3_secret_file"
"nimbolus-kms_key"
"nimbolus-s3_access"
"nimbolus-s3_secret"
"opengist-environment_file"
"outline-oidc_client_secret_file"


@ -38,7 +38,6 @@
"django-apps"
"extranix"
"forgejo-multiuser-nix-runners"
"nimbolus-tf"
"openbao"
])
++ [