From b6786323cf7bd0d58357efa1bbce974d8a3ac606 Mon Sep 17 00:00:00 2001
From: "DGNum [bot]" <admins+lon-bot@dgnum.eu>
Date: Tue, 17 Jun 2025 12:59:04 +0000
Subject: [PATCH 1/6] lon: update nixos-unstable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

  3e3afe5174c561dee0df6f2c2b2236990146329f
→ ee930f9755f58096ac6e8ca94a1887e0534e2d81

Last 50 commits:
  ba8c114 vengi-tools: 0.0.37 -> 0.0.38
  9a4b659 app2unit: 0-unstable-2025-05-09 -> 0.9.0 (#415367)
  40f1bb6 arrayUtilities: init (#385960)
  ab2a6c5 hyprlandPlugins.hyprsplit: 0.48.1-unstable-2025-05-03 -> 0.49.0 (#415722)
  fb85ed7 firefly-iii-data-importer: 1.6.1 -> 1.6.3 (#415606)
  bc0b002 ghidra-extensions.kaiju: 250417 -> 250610 (#415734)
  22e95fb nanovna-saver: 0.6.8 -> 0.7.3 (#415518)
  562fcb2 Merge: nextcloud: 30.0.11 -> 30.0.12, 31.0.5 -> 31.0.6 (#416098)
  6b74a79 nixos-rebuild-ng: run systemd-run with / as the working directory (#416132)
  3018ad2 helmfile: 1.1.1 -> 1.1.2
  6f656f2 yafc-ce: 2.11.1 -> 2.13.0 (#415000)
  320a9cb go-licence-detector: 0.7.0 -> 0.8.0
  85eb8fa fastly: 11.2.0 -> 11.3.0 (#415940)
  3f2c473 vscode-extensions.ms-kubernetes-tools.vscode-kubernetes-tools: 1.3.23 -> 1.3.24 (#416136)
  86b5a39 trufflehog: 3.89.0 -> 3.89.1 (#415910)
  0015082 git-machete: 3.34.1 -> 3.36.0 (#409291)
  f6b0d7c sums: 0.13 -> 0.15 (#416133)
  c88e955 fan2go: 0.9.0 -> 0.10.0
  8c443ed stalwart-mail: 0.12.2 -> 0.12.4
  80cf90d pritunl-client: 1.3.4220.57 -> 1.3.4275.94 (#415816)
  1cf88f3 beekeeper-studio: 5.2.9 -> 5.2.12 (#413510)
  2d6dbce megasync: 5.9.0.3 -> 5.12.0.1 (#413878)
  616387c vault-tasks: 0.11.2 -> 0.12.0 (#414695)
  95b70cc drone-cli: 1.8.0 -> 1.9.0
  25145ee python3Packages.craft-store: 3.2.1 -> 3.2.2
  959cf4c streamripper: fix build
  780f0c7 hoppscotch: improve update script (#404828)
  1ae214f check-meta: fix 'hasNoMaintainers'
  a4f2cc0 streamripper: fix build (#415992)
  b36cd27 t1lib: drop (#416001)
  41c7117 fan2go: 0.9.0 -> 0.10.0 (#405283)
  f6b3452 python3Packages.aioesphomeapi: 30.2.0 -> 32.2.1 (#405130)
  3dbb883 python312Packages.datapoint: 0.9.9 -> 0.12.1
  5f55217 python3Packages.apsystems-ez1: 2.6.0 -> 2.7.0
  1924668 python3Packages.bluetooth-auto-recovery: 1.5.1 -> 1.5.2
  f1e80d2 python313Packages.deebot-client: 13.2.1 -> 13.3.0
  2e3768e python3Packages.env-canada: 0.10.2 -> 0.11.2
  e9c4658 python3Packages.habiticalib: 0.3.7 -> 0.4.0 (#409714)
  9364443 python313Packages.habluetooth: 3.48.2 -> 3.49.0 (#413814)
  5ac88b8 python3Packages.go2rtc-client: 0.1.2 -> 0.2.1
  3897d29 python313Packages.hass-nabucasa: 0.96.0 -> 0.101.0
  bfb5f44 python3Packages.hdate: 1.1.0 -> 1.1.1
  385226f python3Packages.homematicip: 2.0.1.1 -> 2.0.4 (#407427)
  fb43cbd python3Packages.lektricowifi: 0.0.43 -> 0.1
  2d3a349 python3Packages.mcstatus: 11.1.1 -> 12.0.1 (#406269)
  5eed43d python3Packages.py-synologydsm-api: 2.7.2 -> 2.7.3
  38c6500 python313Packages.pyatmo: 9.0.0 -> 9.2.1 (#408883)
  96f47f3 python313Packages.pypck: 0.8.5 -> 0.8.6 (#401804)
  892445e python3Packages.pydrawise: 2025.3.0 -> 2025.6.0
  7a34be6 python313Packages.pymiele: 0.4.3 -> 0.5.2
---
 lon.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lon.lock b/lon.lock
index 089e164..3799e93 100644
--- a/lon.lock
+++ b/lon.lock
@@ -257,9 +257,9 @@
       "owner": "NixOS",
       "repo": "nixpkgs",
       "branch": "nixos-unstable",
-      "revision": "3e3afe5174c561dee0df6f2c2b2236990146329f",
-      "url": "https://github.com/NixOS/nixpkgs/archive/3e3afe5174c561dee0df6f2c2b2236990146329f.tar.gz",
-      "hash": "sha256-frdhQvPbmDYaScPFiCnfdh3B/Vh81Uuoo0w5TkWmmjU="
+      "revision": "ee930f9755f58096ac6e8ca94a1887e0534e2d81",
+      "url": "https://github.com/NixOS/nixpkgs/archive/ee930f9755f58096ac6e8ca94a1887e0534e2d81.tar.gz",
+      "hash": "sha256-Kh9K4taXbVuaLC0IL+9HcfvxsSUx8dPB5s5weJcc9pc="
     },
     "proxmox-nixos": {
       "type": "Git",

From c1afcb77689fe96544a9d19c97e3846a2473ffdb Mon Sep 17 00:00:00 2001
From: catvayor <catvayor@katvayor.net>
Date: Sat, 14 Jun 2025 22:15:27 +0200
Subject: [PATCH 2/6] refactor(systemd-notify): take it from nix-modules

---
 modules/nixos/default.nix        |  2 +-
 modules/nixos/systemd-notify.nix | 49 ++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 modules/nixos/systemd-notify.nix

diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 0485145..c3900ed 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -39,6 +39,7 @@
       "extranix"
       "openbao"
       "forgejo-multiuser-nix-runners"
+      "systemd-notify"
     ])
     ++ [
       "${sources.agenix}/modules/age.nix"
@@ -52,7 +53,6 @@
         "services/forgejo-nix-runners"
         "services/nginx-sni"
         "services/reaction"
-        "services/systemd-notify"
         "services/victorialogs"
         "services/victoriametrics"
       ]
diff --git a/modules/nixos/systemd-notify.nix b/modules/nixos/systemd-notify.nix
new file mode 100644
index 0000000..4e55a59
--- /dev/null
+++ b/modules/nixos/systemd-notify.nix
@@ -0,0 +1,49 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ config, lib, ... }:
+
+let
+  inherit (lib)
+    mkEnableOption
+    mkIf
+    mkOption
+    mkForce
+    optional
+    ;
+  inherit (lib.types) attrsOf str submodule;
+
+  cfg = config.services.systemd-notify;
+in
+
+{
+  options.services.systemd-notify = {
+    enable = mkEnableOption "notifications when a systemd unit fails.";
+
+    command = mkOption {
+      type = str;
+      description = ''
+        Command to run on failure of a systemd unit.
+        Takes the name of the failed unit as an argument.
+      '';
+    };
+  };
+
+  options.systemd.services = mkOption {
+    type = attrsOf (submodule {
+      config.onFailure = optional cfg.enable "email@%n.service";
+    });
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services."email@" = {
+      description = "Sends a status mail via sendmail on service failures.";
+      onFailure = mkForce [ ]; # Avoid recursive failures
+      serviceConfig = {
+        ExecStart = "${cfg.command} %i";
+        Type = "oneshot";
+      };
+    };
+  };
+}

From d6300e6e1974bbcb168cd2d393400463d995a1d4 Mon Sep 17 00:00:00 2001
From: catvayor <catvayor@katvayor.net>
Date: Sat, 14 Jun 2025 22:30:19 +0200
Subject: [PATCH 3/6] feat(systemd-notify): allow multiple failure scripts

---
 modules/nixos/dgn-notify/default.nix | 21 ++++++--------
 modules/nixos/systemd-notify.nix     | 42 ++++++++++++++--------------
 2 files changed, 30 insertions(+), 33 deletions(-)

diff --git a/modules/nixos/dgn-notify/default.nix b/modules/nixos/dgn-notify/default.nix
index d9818db..5c83242 100644
--- a/modules/nixos/dgn-notify/default.nix
+++ b/modules/nixos/dgn-notify/default.nix
@@ -54,19 +54,16 @@ in
     };
 
     services.systemd-notify = {
-      enable = true;
-      command = builtins.toString (
-        pkgs.writeShellScript "sendmail" ''
-          ${pkgs.msmtp}/bin/sendmail -i -t <<ERRMAIL
-          To: admins+monitoring@dgnum.eu, ${emails}
-          Subject: [$HOSTNAME] Systemd failure: $1
-          Content-Transfer-Encoding: 8bit
-          Content-Type: text/plain; charset=UTF-8
+      mail = pkgs.writeShellScript "sendmail" ''
+        ${pkgs.msmtp}/bin/sendmail -i -t <<ERRMAIL
+        To: admins+monitoring@dgnum.eu, ${emails}
+        Subject: [$HOSTNAME] Systemd failure: $1
+        Content-Transfer-Encoding: 8bit
+        Content-Type: text/plain; charset=UTF-8
 
-          $(systemctl status --full "$1")
-          ERRMAIL
-        ''
-      );
+        $(systemctl status --full "$1")
+        ERRMAIL
+      '';
     };
     age-secrets.sources = [ ./. ];
   };
diff --git a/modules/nixos/systemd-notify.nix b/modules/nixos/systemd-notify.nix
index 4e55a59..4b1e6ea 100644
--- a/modules/nixos/systemd-notify.nix
+++ b/modules/nixos/systemd-notify.nix
@@ -6,44 +6,44 @@
 
 let
   inherit (lib)
-    mkEnableOption
-    mkIf
+    getExe
+    mapAttrs'
+    mapAttrsToList
     mkOption
     mkForce
-    optional
+    nameValuePair
     ;
-  inherit (lib.types) attrsOf str submodule;
+  inherit (lib.types) attrsOf package submodule;
 
   cfg = config.services.systemd-notify;
 in
 
 {
-  options.services.systemd-notify = {
-    enable = mkEnableOption "notifications when a systemd unit fails.";
-
-    command = mkOption {
-      type = str;
-      description = ''
-        Command to run on failure of a systemd unit.
-        Takes the name of the failed unit as an argument.
-      '';
-    };
+  options.services.systemd-notify = mkOption {
+    type = attrsOf package;
+    description = ''
+      Commands to execute when a systemd unit fails.
+      Attrs keys will be the unit name and attrs value is the command that
+      will be run with the name of the failed unit as an argument.
+    '';
+    default = { };
   };
 
   options.systemd.services = mkOption {
     type = attrsOf (submodule {
-      config.onFailure = optional cfg.enable "email@%n.service";
+      config.onFailure = mapAttrsToList (name: _: "${name}@%n.service") cfg;
     });
   };
 
-  config = mkIf cfg.enable {
-    systemd.services."email@" = {
-      description = "Sends a status mail via sendmail on service failures.";
+  config.systemd.services = mapAttrs' (
+    name: script:
+    nameValuePair "${name}@" {
+      description = "Run ${name} script on service failures.";
       onFailure = mkForce [ ]; # Avoid recursive failures
       serviceConfig = {
-        ExecStart = "${cfg.command} %i";
+        ExecStart = "${getExe script} %i";
         Type = "oneshot";
       };
-    };
-  };
+    }
+  ) cfg;
 }

From a7def32a75209cc8d4e5392e26c5a923359c67b1 Mon Sep 17 00:00:00 2001
From: catvayor <catvayor@katvayor.net>
Date: Wed, 11 Jun 2025 17:14:30 +0200
Subject: [PATCH 4/6] feat(nimbolus): init a http terraform backend

---
 machines/nixos/compute01/_configuration.nix   |   1 +
 machines/nixos/compute01/nimbolus/default.nix |  43 ++++++++
 machines/nixos/compute01/nimbolus/module.nix  | 104 ++++++++++++++++++
 .../nixos/compute01/secrets/nimbolus-kms_key  | Bin 0 -> 1804 bytes
 .../compute01/secrets/nimbolus-s3_secret      | Bin 0 -> 1743 bytes
 machines/nixos/compute01/secrets/secrets.nix  |   2 +
 modules/nixos/default.nix                     |   2 +-
 7 files changed, 151 insertions(+), 1 deletion(-)
 create mode 100644 machines/nixos/compute01/nimbolus/default.nix
 create mode 100644 machines/nixos/compute01/nimbolus/module.nix
 create mode 100644 machines/nixos/compute01/secrets/nimbolus-kms_key
 create mode 100644 machines/nixos/compute01/secrets/nimbolus-s3_secret

diff --git a/machines/nixos/compute01/_configuration.nix b/machines/nixos/compute01/_configuration.nix
index 7e45eea..6689130 100644
--- a/machines/nixos/compute01/_configuration.nix
+++ b/machines/nixos/compute01/_configuration.nix
@@ -28,6 +28,7 @@ lib.extra.mkConfig {
     "mastodon"
     # "netbox"
     "nextcloud"
+    "nimbolus"
     "ollama-proxy"
     "opengist"
     "outline"
diff --git a/machines/nixos/compute01/nimbolus/default.nix b/machines/nixos/compute01/nimbolus/default.nix
new file mode 100644
index 0000000..45188a0
--- /dev/null
+++ b/machines/nixos/compute01/nimbolus/default.nix
@@ -0,0 +1,43 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  pkgs,
+  sources,
+  config,
+  ...
+}:
+let
+  host = "nimbolus.dgnum.eu";
+  port = 9008;
+in
+{
+  imports = [ ./module.nix ];
+  services.nimbolus-tf = {
+    enable = true;
+    package = (import sources.kat-pkgs { inherit pkgs; }).nimbolus-tf-backend;
+    settings = {
+      LISTEN_ADDR = "127.0.0.1:${toString port}";
+
+      STORAGE_BACKEND = "s3";
+      STORAGE_S3_ENDPOINT = "s3.dgnum.eu";
+      STORAGE_S3_USE_SSL = "true";
+      STORAGE_S3_BUCKET = "nimbolus-dgnum";
+      STORAGE_S3_ACCESS_KEY = "GKefa111701f349de3988f0010";
+
+      # TODO: configure openBAO
+      # AUTH_BASIC_ENABLED = "false";
+      # AUTH_JWT_OIDC_ISSUER_URL = "https://vault.dgnum.eu/v1/identity/oidc";
+    };
+
+    credentials = {
+      KMS_KEY_FILE = config.age.secrets."nimbolus-kms_key".path;
+      STORAGE_S3_SECRET_KEY_FILE = config.age.secrets."nimbolus-s3_secret".path;
+    };
+  };
+
+  dgn-web.simpleProxies.nimbolus = {
+    inherit host port;
+  };
+}
diff --git a/machines/nixos/compute01/nimbolus/module.nix b/machines/nixos/compute01/nimbolus/module.nix
new file mode 100644
index 0000000..626dc61
--- /dev/null
+++ b/machines/nixos/compute01/nimbolus/module.nix
@@ -0,0 +1,104 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  lib,
+  config,
+  sources,
+  pkgs,
+  ...
+}:
+let
+  inherit (lib)
+    getExe
+    mapAttrsToList
+    mkEnableOption
+    mkIf
+    mkPackageOption
+    mkOption
+    ;
+  inherit (lib.types)
+    attrsOf
+    path
+    str
+    ;
+
+  cfg = config.services.nimbolus-tf;
+in
+{
+  options.services.nimbolus-tf = {
+    enable = mkEnableOption "the nimbolus terraform http backend";
+    package = mkPackageOption (import sources.kat-pkgs { inherit pkgs; }) "nimbolus-tf-backend" {
+      pkgsText = "kat-pkgs";
+    };
+    user = mkOption {
+      type = str;
+      description = ''
+        User used by the nimbolus server.
+      '';
+      default = "nimbolus";
+    };
+    group = mkOption {
+      type = str;
+      description = ''
+        Group used by the nimbolus server.
+      '';
+      default = "nimbolus";
+    };
+    settings = mkOption {
+      type = attrsOf str;
+      default = { };
+      description = ''
+        Environment variables for nimbolus configuration.
+      '';
+    };
+    credentials = mkOption {
+      type = attrsOf path;
+      default = { };
+      description = ''
+        Files to pass by systemd LoadCredentials.
+      '';
+    };
+  };
+  config = mkIf cfg.enable {
+    systemd.services.nimbolus-tf = {
+      description = "Nimbolus terraform http backend";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart = getExe cfg.package;
+        Environment =
+          mapAttrsToList (name: value: "${name}=${value}") cfg.settings
+          ++ mapAttrsToList (name: _: "${name}=%d/${name}") cfg.credentials;
+        LoadCredential = mapAttrsToList (name: file: "${name}:${file}") cfg.credentials;
+
+        StateDirectory = "nimbolus-tf";
+        StateDirectoryMode = "0700";
+        WorkingDirectory = "/var/lib/nimbolus-tf";
+
+        # Hardening
+        DynamicUser = true;
+        CapabilityBoundingSet = "";
+        PrivateDevices = true;
+        ProtectClock = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        RestrictNamespaces = true;
+        ProtectHostname = true;
+        LockPersonality = true;
+        RestrictRealtime = true;
+        ProtectHome = true;
+        ProtectProc = "noaccess";
+        ProcSubset = "pid";
+        PrivateUsers = true;
+        UMask = "0077";
+        ProtectKernelTunables = true;
+        RestrictAddressFamilies = "AF_INET AF_INET6";
+        SystemCallFilter = "~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap";
+        MemoryDenyWriteExecute = true;
+        SystemCallArchitectures = "native";
+      };
+    };
+  };
+}
diff --git a/machines/nixos/compute01/secrets/nimbolus-kms_key b/machines/nixos/compute01/secrets/nimbolus-kms_key
new file mode 100644
index 0000000000000000000000000000000000000000..323599072b3853d415189c01168ab67f7ae8e010
GIT binary patch
literal 1804
zcmZXUxvu;M8O7-$3_=7c{q)0)cYEBR*dBYljQ8E5@pwF5$NL^BLP#_q0jW~t1>gw~
zqKTB`1yUfWD50VS2?{R7pW@Pf&F?!$=bR`_UXnWQw|2~%`opGA!5Ic#esmay>?OG)
zI1W>XP;9VrIRqf%?IMwb%#oG_jTwwg-*q<#?b(5|fl@Wi4pyX<U<Ejq4{$0$D$NAk
zo3(xwpA)9wIwN1YsM04FG-UAFU}C7erBR^H&h(*__4$luYJ_A-2}Y}1k4H?A?~j1k
znqC<VJhw-y5UD~0EI(@Sd+Y^5>gl@@4vU#%Ec$S?=vgZ+QF@#qf+raBu(!0fSGj>c
z2ur15!ou?VL=ozJB8p2^Q%BKe^P7j#Px36V5YAt4W&x_0PSaC1nTFoNO|}K*NS~im
z>CcLSL+jmG3zRlVxxu)%v_kYBI(=vrEAq0bQ!B>_ueng{kx5-GNx3n@#E*^PSKF*i
znzK0oS9t!A9$&>0d=+3rf_53aUlrzwXAl?><McSO$ERM<&Rd#MnG9tdI;8H^!MUh#
zJh%H3<Ia`<l^GVTF>W}LfGjahu20N=Vt~PEnbNX3&z3SX4s%tXSWuny@ZQ#Na%or{
zVj&aZI5c=m>yNbz8ixkFDP;o9%OebUqQ~zWuG|t0c^t<Rq+oZ)Bgnb6<$_OvRP|F#
z@-y-}Sd?;qvbuw!>=s-0w7Lr0gac9uYjvlt%R5>>M2E8X*sB2)>c9kP8e=4+Vl!Of
z)hQzg#RetVzGD|WJNk8K>(}y%_A^eT7MBPsR*)+Gm`|N80!*S`hGH{0x*w30F?gQ7
z741y+&+P0LDH2m&;+I!{L0T`?RgW)JO-CO*mnX0}$0Kk(iTtU%Ky?O(^VM+~{%(en
zF^(roabl*N3f}IWT?|W$tB?MyC6x3eR)0NjIyST&P%kb_PKvY+5Ew8d6Yw2zPAi+_
zMvssmwy8CWit|VGH6l(rqkHUjv5O8YBvj?1B7mZ%JH7WrR~H_%%QsN=tc#a`cbP}2
zp+u~uVp2;?3k}q~S`NES@EPogqtESJyUy_X0sq*2t97OD*2%^Q3EDX}-nsp50l;}N
zV&hQoj>1;uoG>?`YTevSZCjTe48+`rwq$-)B1%Pe<?5yYbbn^5yrTKwb*C6Bl7WG&
z+a5*>Z`5b?V&3-rA@t*XrQgyZlOkVRa?x5Q&uYXZpS8eI^*)}<BJZ(1O3cP=q}MvM
z4Su^vc?s|_trBpSNwuT;78Vh&_wXu-JX#Ve8Zt{M=1pg@(lorKNtcyW(}QL_vsyRp
zRk>XTwbB!&6CK@>5NsPkW9Zdt$NeVDPe=>|6DYKlyR_2<d7U&iCm85#Z`QUZ$V!!}
zak7gke{gy5zudla^5zspo*vE{ao#7DKho@VF5)sytR>q;+CQ>hX86d=ogJ&@?%5>(
z?xdw&k{Ipch-3)XPk1^P0=T9`u{f&mHCGw3vFT}-|8D`tb0?YULDz)So!~oPhPZs-
zwj?QoqXL_OW=vTu<kqd9^5BH?ya6!iy^Q=^Rg=6cmGtb5PmM!KUD}4)o<t><i&%42
z1U#4jb@Jm{pkC5GiH79x@qzhBIaEJ%7a&&icJH)A44oU3WNgDa>vOza)MVaiJHD`>
z)(_<x_GSc^LBwF{L#1A0_wsVccx{9ku_osz@h-NsNqRbBWBq7Pq;81Mc&!L#6LS8z
z0N?%kli&Wu{gZS0;2+=l-e<@3U-+-T`Pt(B^7bp^{qV(I|Mue_{Qg^C{4?`E|Nh^-
pZ-0^h;-lZVfBxeiKDmAR@8A6u`%3&0`pNt6wLi^F<GtqR{{cu$Pdxwt

literal 0
HcmV?d00001

diff --git a/machines/nixos/compute01/secrets/nimbolus-s3_secret b/machines/nixos/compute01/secrets/nimbolus-s3_secret
new file mode 100644
index 0000000000000000000000000000000000000000..dc6c23451014caddad136b2612a65b73d0e3e60d
GIT binary patch
literal 1743
zcmZY8x$E=@83%An30v4IC{tLd;kP*^nM|66oRf2MACoSV$$j6Gtae*%rQ2+`|G`_?
z3yalaB`a77!g?So9v~tJ>swj;wtk8a&+~o0VH&^0O*CxXl()^h?T|tX0=&F;7{}}-
zexNvxkcU8Qv2s1I4CA>|R>s6FLIQ_&>FbtTJWgX4x|I~fo$kaeiS;dqfi-oEQ0zb$
zF32*NW-8nJ+Y>rx#4Of@sd5q&N?9ckKKEK9A)Q&MLqdSkO4b-urs^2Pv{MRfpz~*|
z@M1yo&li}zX93rW#R!DMyjKsXF?Et(dox(L+j5Vv6L%G0-_)5K?9#Q{#}w1P*1F-!
zjnqMonUq^@^?oeyEkR6^DWiE1L@mR?Y_4)fAs|p<xodp}M*Niayc#J62{Ey#->W?e
zvFV|8^huMSnxadJN0p_xjIXsq^b?&rz~VECmr3F7ti7a}6p0m+KjG_<)I0&ZM>u#d
zK;F#+<OakYlsCr_g)GHPF9Q~<TVuhGQ;JD%$Cxoox|HKNMp@2l&8SS8G!B(j<+$Ah
zdl_u17i7FWVB_PN_!c4G>Zfmm%}PmUEkQ@XS<4pIqtL$VF~Xg=r1jk<9WSynSJ@rz
zB#9>#A*uI4eXR{(BSXeP5|~@4IH4W5+m$*VCF`tLwgn&S(;4*h6iGPKlGdw^ssNc;
z6UAeA=xC#w?6`DC@!nBZa87AVN3swn&V#Xg1Ni?-4r6#I2aiz<z{=t{KP|_bAP<;b
z$(-g*Cly*Xtis?@!qIDFZ?MTE+}sKss$0kT9#%?#i_J{C=mU7JVG)C%H{ryQ*jJj}
zJInWmNgYs*BJd&(Tphv9HfPk!o!;5Ya&a$SwjI5<ErGZOXzdsyjwHoY_&ver7~Byt
z#gJrvax%B<kH&xYFl&SoWtwbKdU%|vQI|Z;E7G;)cmd2E?DcinDCkC_Y!$J~gHLba
z*gkNE#tfQmJITYk%efB>+~r42L&c<^TmKOo9f|coJ&9y6CHYuQ*FKVRW0P=S$(%H_
z<dv4MRByJ6&h^0{7;=kxBwdec7fr?#Kw+%J08h_;o(%zuLIrp+Ez-WwwDCGyXjzTO
zIH0k^xQO7)PMx1MqL>D1;Y^#$$Oq`zey3Og4sO07u`M76?Aq5AskWx(Wm&AD^-QB-
z@{lh&q^mAy1!Gh+NGXZ0HP|GHw=Jo;D0CKjwmsbE2w!m!#I{`@vLWACJJn;du?iVw
zC94vc<oZ0CgQJ;?c1L0Vbh-q`8=e`I$%*<o$thH=Pt;`WU-?_<@+7Y5L8XRTZo|26
z-RPQZDa30blQN@53YOuh{WxL%UWdoMG5~zq$Py*aL=7V>e{qA<&hGiGfOrBu<(74F
z7*ODa-WssiyWO3l$kW3>gic?SkfG(Q46~JKj4>2bM;liO&w$dV5s`;&z)1rGQl^Um
zw9!GdU3+t2cdJB<7B`3%ca1{0cqlfhODJ>GS8|)!UNX~z{^VAUQW_zBifNG0ezYzX
z6>ig`y2~g2tZAvr?$yl_R$zKK)uQ6`Io_p)u`K-&#979AOj>OS?_uGzL50@aka-4P
zUS19oeS-~e2!{xAYbG3xphNb6&lU?~RP-7zwAk$K!wHuX`0U4j{>HC<^YQUJzx~_4
z-lYG`rw_ef2Y>j}8?*Y}Uw@?iE`0C5ZT`z&{Ns!5{ZF)ajGuq|>pwF-{jT#F@j3Z}
uFR4HN{`tiZ{~mwz<+uJ5ecrO!Jog`&9|+c`U;F;{%{M>!_fPG=c>e?G2SDrq

literal 0
HcmV?d00001

diff --git a/machines/nixos/compute01/secrets/secrets.nix b/machines/nixos/compute01/secrets/secrets.nix
index 38fd800..442f9ad 100644
--- a/machines/nixos/compute01/secrets/secrets.nix
+++ b/machines/nixos/compute01/secrets/secrets.nix
@@ -25,6 +25,8 @@
     "netbox-environment_file"
     "nextcloud-adminpass_file"
     "nextcloud-s3_secret_file"
+    "nimbolus-kms_key"
+    "nimbolus-s3_secret"
     "opengist-environment_file"
     "outline-oidc_client_secret_file"
     "outline-smtp_password_file"
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index c3900ed..ef1c7ee 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -37,8 +37,8 @@
       "dgn-web"
       "django-apps"
       "extranix"
-      "openbao"
       "forgejo-multiuser-nix-runners"
+      "openbao"
       "systemd-notify"
     ])
     ++ [

From 7b58d8af0121857ef5cd98fd1a13703040530304 Mon Sep 17 00:00:00 2001
From: "DGNum [bot]" <admins+lon-bot@dgnum.eu>
Date: Tue, 17 Jun 2025 12:56:12 +0000
Subject: [PATCH 5/6] lon: update nix-modules
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

  44ccf96bd73c1bbbbcc849cb0f2e0d1f5f75f934
→ fd4ba193ea3eda529ac27b43b206e9e3618b1975

Last 1 commits:
  fd4ba19 fix(ntfy-sh/acl): use replaceVarsWith
---
 lon.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lon.lock b/lon.lock
index 089e164..1158e28 100644
--- a/lon.lock
+++ b/lon.lock
@@ -195,10 +195,10 @@
       "type": "Git",
       "fetchType": "git",
       "branch": "dgnum",
-      "revision": "44ccf96bd73c1bbbbcc849cb0f2e0d1f5f75f934",
+      "revision": "fd4ba193ea3eda529ac27b43b206e9e3618b1975",
       "url": "https://git.hubrecht.ovh/hubrecht/nix-modules",
-      "hash": "sha256-mkrCWowrCje3/TuAG0eAJplrtlz1hYmusSFn93/Ccok=",
-      "lastModified": 1749629064,
+      "hash": "sha256-O/lMCM0qKkd+TBV43Fp9uG3aEbDSc2lI3a5TetNYs0w=",
+      "lastModified": 1749739595,
       "submodules": false
     },
     "nix-pkgs": {

From 7e77b2a6266adba952ee929c3562a159abe2522f Mon Sep 17 00:00:00 2001
From: "DGNum [bot]" <admins+lon-bot@dgnum.eu>
Date: Wed, 18 Jun 2025 12:58:14 +0000
Subject: [PATCH 6/6] lon: update nixos-unstable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

  3e3afe5174c561dee0df6f2c2b2236990146329f
→ 9e83b64f727c88a7711a2c463a7b16eedb69a84c

Last 50 commits:
  de01c86 mihomo-party: use finalAttrs
  1107c1a anubis: refactor, add updateScript, adopt (#415932)
  7f06b11 oxigraph: 0.4.9 -> 0.4.11 (#407506)
  c515a1b melonDS: 1.0rc-unstable-2025-05-15 -> 1.0rc-unstable-2025-05-27 (#411919)
  0385a34 mihomo-party: 1.7.4 -> 1.7.5 (#414906)
  d8f9a63 kubectl-view-allocations: 0.21.2 -> 0.22.0
  06c6ed6 vscode-extensions.shopify.ruby-lsp: 0.9.26 -> 0.9.28
  cf25a00 fedigroups: 0.4.5 -> 0.4.6
  26b303b svix-server: 1.66.0 -> 1.67.0
  3764e73 Feat/build deno package (#407434)
  45fa473 hawkeye: 6.0.4 -> 6.1.1
  9864f07 omekasy: 1.3.1 -> 1.3.3
  2803234 mdbook-admonish: 1.19.0 -> 1.20.0
  6369abb flutter326: drop (#414843)
  526945c Fix Flutter Android builds with Gradle 8.9+ (#412907)
  18a1685 openomf: 0.8.2 -> 0.8.3
  48ad36a eigenlayer: 0.11.2 -> 0.13.1
  77e7c3d gql: 0.38.0 -> 0.39.0
  9568033 python3Packages.pymorphy3: 2.0.3 -> 2.0.4
  6b20615 fwup: 1.12.0 -> 1.13.0
  bcebb4f azahar: 2121.2 -> 2122
  5346da3 python3Packages.google-cloud-tasks: 2.19.2 -> 2.19.3
  cad5eaf smplayer: fix hash after upstream replaced their git tag (#416891)
  b428645 python3Packages.bagit: 1.9b2 -> 1.9.0
  68358a8 terraform-providers.huaweicloud: 1.74.1 -> 1.75.3
  bd1fe9d svix-server: 1.66.0 -> 1.67.0 (#417280)
  b9ca64d autenticacao-gov-pt-bin: init at 13.3.3 (#414318)
  47e4aa2 chromium: Enable v4l2 video decoder for hardware acceleratation on aarch64 (#380546)
  ffcb49c python3Packages.duckduckgo-search: 8.0.2 -> 8.0.4
  06a4195 vscode-extensions.shopify.ruby-lsp: 0.9.26 -> 0.9.28 (#417275)
  757a3d8 mongosh: 2.5.1 -> 2.5.2 (#417236)
  df6d44e edk2: run pre/postInstall hook (#417163)
  5609759 erlang_26: 26.2.5.12 -> 26.2.5.13, erlang_27: 27.3.4 -> 27.3.4.1, erlang_28: 28.0 -> 28.0.1 (#417248)
  f2ebc96 exploitdb: 2025-06-06 -> 2025-06-10
  3876842 python3Packages.ical: 10.0.1 -> 10.0.3
  543b004 exploitdb: 2025-06-10 -> 2025-06-14
  02f4cb4 python313Packages.tencentcloud-sdk-python: 3.0.1400 -> 3.0.1401
  2e3ff8c python3Packages.google-cloud-tasks: 2.19.2 -> 2.19.3 (#417295)
  5f11c71 jellyfin-ffmpeg: 7.1.1-4 -> 7.1.1-6 (#417172)
  93e7341 python3Packages.graphviz: 0.20.3 -> 0.21 (#417019)
  7a80d20 checkov: 3.2.441 -> 3.2.442
  348d33d cdncheck: 1.1.22 -> 1.1.23
  0b2ed99 python313Packages.mcpadapt: 0.1.9 -> 0.1.10
  38a4f59 python313Packages.pybotvac: 0.0.27 -> 0.0.28
  c476747 dart: 3.7.3 -> 3.8.0 (#410532)
  22c4be7 hawkeye: 6.0.4 -> 6.1.1 (#417281)
  dfdafec newcomputermodern: add updateScript; 6.0.0 -> 7.0.2; add `meta.changelog` (#417208)
  a9cfab1 python3Packages.python-ipmi: clean up dependencies (#417116)
  fa08ae8 python3Packages.twitchapi: 4.4.0 -> 4.5.0 (#417112)
  64b695e python3Packages.ua-parser-rs: 0.1.2 -> 0.1.3 (#417084)
---
 lon.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lon.lock b/lon.lock
index 1158e28..976840d 100644
--- a/lon.lock
+++ b/lon.lock
@@ -257,9 +257,9 @@
       "owner": "NixOS",
       "repo": "nixpkgs",
       "branch": "nixos-unstable",
-      "revision": "3e3afe5174c561dee0df6f2c2b2236990146329f",
-      "url": "https://github.com/NixOS/nixpkgs/archive/3e3afe5174c561dee0df6f2c2b2236990146329f.tar.gz",
-      "hash": "sha256-frdhQvPbmDYaScPFiCnfdh3B/Vh81Uuoo0w5TkWmmjU="
+      "revision": "9e83b64f727c88a7711a2c463a7b16eedb69a84c",
+      "url": "https://github.com/NixOS/nixpkgs/archive/9e83b64f727c88a7711a2c463a7b16eedb69a84c.tar.gz",
+      "hash": "sha256-v263g4GbxXv87hMXMCpjkIxd/viIF7p3JpJrwgKdNiI="
     },
     "proxmox-nixos": {
       "type": "Git",