lon: update snix-cache

62346b99c2e1085203bc2e5bb5f07e7773977b49
→ f3d0a3146c64f8fe6bdb208b75cc680c96f524e1

Last 3 commits:
  f3d0a31 chore(sources): Switch to lon from npins
  7975caa feat(module): Allow passing extra arguments to snix-cache
  2df8b6c fix(priority): Control with cli arg

lon.lock

@@ -195,10 +195,10 @@
       "type": "Git",
       "fetchType": "git",
       "branch": "dgnum",
-      "revision": "44ccf96bd73c1bbbbcc849cb0f2e0d1f5f75f934",
+      "revision": "fd4ba193ea3eda529ac27b43b206e9e3618b1975",
       "url": "https://git.hubrecht.ovh/hubrecht/nix-modules",
-      "hash": "sha256-mkrCWowrCje3/TuAG0eAJplrtlz1hYmusSFn93/Ccok=",
-      "lastModified": 1749629064,
+      "hash": "sha256-O/lMCM0qKkd+TBV43Fp9uG3aEbDSc2lI3a5TetNYs0w=",
+      "lastModified": 1749739595,
       "submodules": false
     },
     "nix-pkgs": {

machines/nixos/compute01/_configuration.nix

@@ -28,6 +28,7 @@ lib.extra.mkConfig {
     "mastodon"
     # "netbox"
     "nextcloud"
+    "nimbolus"
     "ollama-proxy"
     "opengist"
     "outline"

machines/nixos/compute01/nimbolus/default.nix

@@ -0,0 +1,43 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  pkgs,
+  sources,
+  config,
+  ...
+}:
+let
+  host = "nimbolus.dgnum.eu";
+  port = 9008;
+in
+{
+  imports = [ ./module.nix ];
+  services.nimbolus-tf = {
+    enable = true;
+    package = (import sources.kat-pkgs { inherit pkgs; }).nimbolus-tf-backend;
+    settings = {
+      LISTEN_ADDR = "127.0.0.1:${toString port}";
+
+      STORAGE_BACKEND = "s3";
+      STORAGE_S3_ENDPOINT = "s3.dgnum.eu";
+      STORAGE_S3_USE_SSL = "true";
+      STORAGE_S3_BUCKET = "nimbolus-dgnum";
+      STORAGE_S3_ACCESS_KEY = "GKefa111701f349de3988f0010";
+
+      # TODO: configure openBAO
+      # AUTH_BASIC_ENABLED = "false";
+      # AUTH_JWT_OIDC_ISSUER_URL = "https://vault.dgnum.eu/v1/identity/oidc";
+    };
+
+    credentials = {
+      KMS_KEY_FILE = config.age.secrets."nimbolus-kms_key".path;
+      STORAGE_S3_SECRET_KEY_FILE = config.age.secrets."nimbolus-s3_secret".path;
+    };
+  };
+
+  dgn-web.simpleProxies.nimbolus = {
+    inherit host port;
+  };
+}

machines/nixos/compute01/nimbolus/module.nix

@@ -0,0 +1,104 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  lib,
+  config,
+  sources,
+  pkgs,
+  ...
+}:
+let
+  inherit (lib)
+    getExe
+    mapAttrsToList
+    mkEnableOption
+    mkIf
+    mkPackageOption
+    mkOption
+    ;
+  inherit (lib.types)
+    attrsOf
+    path
+    str
+    ;
+
+  cfg = config.services.nimbolus-tf;
+in
+{
+  options.services.nimbolus-tf = {
+    enable = mkEnableOption "the nimbolus terraform http backend";
+    package = mkPackageOption (import sources.kat-pkgs { inherit pkgs; }) "nimbolus-tf-backend" {
+      pkgsText = "kat-pkgs";
+    };
+    user = mkOption {
+      type = str;
+      description = ''
+        User used by the nimbolus server.
+      '';
+      default = "nimbolus";
+    };
+    group = mkOption {
+      type = str;
+      description = ''
+        Group used by the nimbolus server.
+      '';
+      default = "nimbolus";
+    };
+    settings = mkOption {
+      type = attrsOf str;
+      default = { };
+      description = ''
+        Environment variables for nimbolus configuration.
+      '';
+    };
+    credentials = mkOption {
+      type = attrsOf path;
+      default = { };
+      description = ''
+        Files to pass by systemd LoadCredentials.
+      '';
+    };
+  };
+  config = mkIf cfg.enable {
+    systemd.services.nimbolus-tf = {
+      description = "Nimbolus terraform http backend";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart = getExe cfg.package;
+        Environment =
+          mapAttrsToList (name: value: "${name}=${value}") cfg.settings
+          ++ mapAttrsToList (name: _: "${name}=%d/${name}") cfg.credentials;
+        LoadCredential = mapAttrsToList (name: file: "${name}:${file}") cfg.credentials;
+
+        StateDirectory = "nimbolus-tf";
+        StateDirectoryMode = "0700";
+        WorkingDirectory = "/var/lib/nimbolus-tf";
+
+        # Hardening
+        DynamicUser = true;
+        CapabilityBoundingSet = "";
+        PrivateDevices = true;
+        ProtectClock = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        RestrictNamespaces = true;
+        ProtectHostname = true;
+        LockPersonality = true;
+        RestrictRealtime = true;
+        ProtectHome = true;
+        ProtectProc = "noaccess";
+        ProcSubset = "pid";
+        PrivateUsers = true;
+        UMask = "0077";
+        ProtectKernelTunables = true;
+        RestrictAddressFamilies = "AF_INET AF_INET6";
+        SystemCallFilter = "~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap";
+        MemoryDenyWriteExecute = true;
+        SystemCallArchitectures = "native";
+      };
+    };
+  };
+}

machines/nixos/compute01/secrets/secrets.nix

@@ -25,6 +25,8 @@
     "netbox-environment_file"
     "nextcloud-adminpass_file"
     "nextcloud-s3_secret_file"
+    "nimbolus-kms_key"
+    "nimbolus-s3_secret"
     "opengist-environment_file"
     "outline-oidc_client_secret_file"
     "outline-smtp_password_file"

modules/nixos/default.nix

@@ -37,8 +37,9 @@
       "dgn-web"
       "django-apps"
       "extranix"
-      "openbao"
       "forgejo-multiuser-nix-runners"
+      "openbao"
+      "systemd-notify"
     ])
     ++ [
       "${sources.agenix}/modules/age.nix"
@@ -52,7 +53,6 @@
         "services/forgejo-nix-runners"
         "services/nginx-sni"
         "services/reaction"
-        "services/systemd-notify"
         "services/victorialogs"
         "services/victoriametrics"
       ]

modules/nixos/dgn-notify/default.nix

@@ -54,19 +54,16 @@ in
     };
 
     services.systemd-notify = {
-      enable = true;
-      command = builtins.toString (
-        pkgs.writeShellScript "sendmail" ''
-          ${pkgs.msmtp}/bin/sendmail -i -t <<ERRMAIL
-          To: admins+monitoring@dgnum.eu, ${emails}
-          Subject: [$HOSTNAME] Systemd failure: $1
-          Content-Transfer-Encoding: 8bit
-          Content-Type: text/plain; charset=UTF-8
+      mail = pkgs.writeShellScript "sendmail" ''
+        ${pkgs.msmtp}/bin/sendmail -i -t <<ERRMAIL
+        To: admins+monitoring@dgnum.eu, ${emails}
+        Subject: [$HOSTNAME] Systemd failure: $1
+        Content-Transfer-Encoding: 8bit
+        Content-Type: text/plain; charset=UTF-8
 
-          $(systemctl status --full "$1")
-          ERRMAIL
-        ''
-      );
+        $(systemctl status --full "$1")
+        ERRMAIL
+      '';
     };
     age-secrets.sources = [ ./. ];
   };

modules/nixos/systemd-notify.nix

@@ -0,0 +1,49 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ config, lib, ... }:
+
+let
+  inherit (lib)
+    getExe
+    mapAttrs'
+    mapAttrsToList
+    mkOption
+    mkForce
+    nameValuePair
+    ;
+  inherit (lib.types) attrsOf package submodule;
+
+  cfg = config.services.systemd-notify;
+in
+
+{
+  options.services.systemd-notify = mkOption {
+    type = attrsOf package;
+    description = ''
+      Commands to execute when a systemd unit fails.
+      Attrs keys will be the unit name and attrs value is the command that
+      will be run with the name of the failed unit as an argument.
+    '';
+    default = { };
+  };
+
+  options.systemd.services = mkOption {
+    type = attrsOf (submodule {
+      config.onFailure = mapAttrsToList (name: _: "${name}@%n.service") cfg;
+    });
+  };
+
+  config.systemd.services = mapAttrs' (
+    name: script:
+    nameValuePair "${name}@" {
+      description = "Run ${name} script on service failures.";
+      onFailure = mkForce [ ]; # Avoid recursive failures
+      serviceConfig = {
+        ExecStart = "${getExe script} %i";
+        Type = "oneshot";
+      };
+    }
+  ) cfg;
+}