From d756a39e0960960ec9e076cb99eaef953469d4a2 Mon Sep 17 00:00:00 2001
From: catvayor
Date: Wed, 11 Jun 2025 17:14:30 +0200
Subject: [PATCH 1/2] feat(nimbolus): init a http terraform backend
---
machines/nixos/compute01/_configuration.nix | 1 +
machines/nixos/compute01/nimbolus.nix | 35 +++++++
meta/dns.nix | 1 +
modules/nixos/default.nix | 3 +-
modules/nixos/nimbolus-tf.nix | 103 ++++++++++++++++++++
5 files changed, 142 insertions(+), 1 deletion(-)
create mode 100644 machines/nixos/compute01/nimbolus.nix
create mode 100644 modules/nixos/nimbolus-tf.nix
diff --git a/machines/nixos/compute01/_configuration.nix b/machines/nixos/compute01/_configuration.nix
index 7e45eea..6689130 100644
--- a/machines/nixos/compute01/_configuration.nix
+++ b/machines/nixos/compute01/_configuration.nix
@@ -28,6 +28,7 @@ lib.extra.mkConfig {
"mastodon"
# "netbox"
"nextcloud"
+ "nimbolus"
"ollama-proxy"
"opengist"
"outline"
diff --git a/machines/nixos/compute01/nimbolus.nix b/machines/nixos/compute01/nimbolus.nix
new file mode 100644
index 0000000..51c8f9e
--- /dev/null
+++ b/machines/nixos/compute01/nimbolus.nix
@@ -0,0 +1,35 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ pkgs, sources, ... }:
+let
+ host = "nimbolus.dgnum.eu";
+ port = 9008;
+in
+{
+ services.nimbolus-tf = {
+ enable = true;
+ package = (import sources.kat-pkgs { inherit pkgs; }).nimbolus-tf-backend;
+ environment = {
+ LISTEN_ADDR = "127.0.0.1:${toString port}";
+ STORAGE_BACKEND = "s3";
+ STORAGE_S3_ENDPOINT = "s3.dgnum.eu";
+ STORAGE_S3_USE_SSL = "true";
+ STORAGE_S3_BUCKET = "monorepo-terraform-state";
+
+ # TODO: configure openBAO
+ # AUTH_BASIC_ENABLED = "false";
+ # AUTH_JWT_OIDC_ISSUER_URL = "https://vault.dgnum.eu/v1/identity/oidc";
+ };
+ secretEnvironment = {
+ # FIXME: use agenix and real secrets
+ KMS_KEY = pkgs.writeText "nimbolus-kms-unsecure" "nVbFN9o4rIP2qi0SWtcgNZlWolrF61/Drx3YxeQTSZk=";
+ STORAGE_S3_ACCESS_KEY = pkgs.writeText "unsecure" "KEYID";
+ STORAGE_S3_SECRET_KEY = pkgs.writeText "unsecure" "KEYSECRET";
+ };
+ };
+ dgn-web.simpleProxies.nimbolus = {
+ inherit host port;
+ };
+}
diff --git a/meta/dns.nix b/meta/dns.nix
index fa3fd56..f9aa64e 100644
--- a/meta/dns.nix
+++ b/meta/dns.nix
@@ -82,6 +82,7 @@ let
"gist" # Opengist
"grafana" # Grafana
"netbox-v2" # Netbox
+ "nimbolus" # Nimbolus Terraform Backend
"nms" # LibreNMS
"pads" # Hedgedoc
"pass" # Vaultwarden
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 0485145..1fa0209 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -37,8 +37,9 @@ "dgn-web" "django-apps" "extranix" - "openbao" "forgejo-multiuser-nix-runners" + "nimbolus-tf" + "openbao" + ]) ++ [ + "${sources.agenix}/modules/age.nix"
diff --git a/modules/nixos/nimbolus-tf.nix b/modules/nixos/nimbolus-tf.nix
new file mode 100644
index 0000000..dd72517
--- /dev/null
+++ b/modules/nixos/nimbolus-tf.nix
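Review bot: The three `pkgs.writeText` values in `secretEnvironment` end up in /nix/store, which every local user can read and which any binary cache this host pushes to would receive, so the FIXME cannot be closed by swapping real values into these lines; the option takes paths, so real secrets need an out-of-store file (with agenix, `config.age.secrets.<name>.path`), and the base64 KMS_KEY literal now in git history should be treated as burned and rotated rather than reused. Separately, both `AUTH_*` settings are commented out while `dgn-web.simpleProxies.nimbolus` publishes the service on `nimbolus.dgnum.eu` and meta/dns.nix adds the record; nothing in this patch shows what nimbolus does when no auth is configured, so it is worth confirming that the state endpoint is not reachable unauthenticated before deployment, since Terraform state routinely carries credentials. The same hunk appears unchanged in PATCH 2/2.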
@@ -0,0 +1,103 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+let
+ inherit (lib)
+ concatMapAttrsStringSep
+ escapeShellArg
+ getExe
+ mkEnableOption
+ mkIf
+ mkOption
+ ;
+ inherit (lib.types)
+ attrsOf
+ package
+ path
+ str
+ ;
+
+ cfg = config.services.nimbolus-tf;
+in
+{
+ options.services.nimbolus-tf = {
+ enable = mkEnableOption "the nimbolus terraform http backend";
+ package = mkOption {
+ type = package;
+ description = ''
+ The hello package to use.
+ '';
+ example = "kat-pkgs.nimbolus-tf-backend";
+ };
+ environment = mkOption {
+ type = attrsOf str;
+ default = { };
+ description = ''
+ Environment variables for nimbolus configuration.
+ '';
+ };
+ secretEnvironment = mkOption {
+ type = attrsOf path;
+ default = { };
+ description = ''
+ Files for secret environment variables for nimbolus configuration.
+ '';
+ };
+ };
+ config = mkIf cfg.enable {
+ systemd.services."nimbolus-tf" = {
+ description = "Nimbolus terraform http backend";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ EnvironmentFile = "-/run/nimbolus-tf/env-file";
+ ExecStart = "${getExe cfg.package}";
+ ExecStartPre = "+${pkgs.writeShellScript "nimbolus-prestart" ''
+ echo -n > /run/nimbolus-tf/env-file
+ ${concatMapAttrsStringSep "\n" (
+ key: value: "echo ${escapeShellArg "${key}=${value}"} >> /run/nimbolus-tf/env-file"
+ ) cfg.environment}
+ ${concatMapAttrsStringSep "\n" (
+ key: value: ''echo "${key}=$(cat ${value})" >> /run/nimbolus-tf/env-file''
+ ) cfg.secretEnvironment}
+ chmod a+r /run/nimbolus-tf/env-file
+ ''}";
+
+ RuntimeDirectory = "nimbolus-tf";
+ RuntimeDirectoryMode = "0700";
+ StateDirectory = "nimbolus-tf";
+ StateDirectoryMode = "0700";
+ WorkingDirectory = "/var/lib/nimbolus-tf";
+
+ # Hardening
+ DynamicUser = true;
+ CapabilityBoundingSet = "";
+ PrivateDevices = true;
+ ProtectClock = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ RestrictNamespaces = true;
+ ProtectHostname = true;
+ LockPersonality = true;
+ RestrictRealtime = true;
+ ProtectHome = true;
+ ProtectProc = "noaccess";
+ ProcSubset = "pid";
+ PrivateUsers = true;
+ UMask = "0077";
+ ProtectKernelTunables = true;
+ RestrictAddressFamilies = "AF_INET AF_INET6";
+ SystemCallFilter = "~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap";
+ MemoryDenyWriteExecute = true;
+ SystemCallArchitectures = "native";
+ };
+ };
+ };
+}
From 41fb436140f193a70d9b16b30125ab1686eb97b9 Mon Sep 17 00:00:00 2001
From: catvayor
Date: Wed, 11 Jun 2025 17:14:30 +0200
Subject: [PATCH 2/2] feat(nimbolus): init a http terraform backend
---
machines/nixos/compute01/_configuration.nix | 1 +
machines/nixos/compute01/nimbolus.nix | 35 +++++++
meta/dns.nix | 1 +
modules/nixos/default.nix | 3 +-
modules/nixos/nimbolus-tf.nix | 108 ++++++++++++++++++++
5 files changed, 147 insertions(+), 1 deletion(-)
create mode 100644 machines/nixos/compute01/nimbolus.nix
create mode 100644 modules/nixos/nimbolus-tf.nix
diff --git a/machines/nixos/compute01/_configuration.nix b/machines/nixos/compute01/_configuration.nix
index 7e45eea..6689130 100644
--- a/machines/nixos/compute01/_configuration.nix
+++ b/machines/nixos/compute01/_configuration.nix
@@ -28,6 +28,7 @@ lib.extra.mkConfig {
"mastodon"
# "netbox"
"nextcloud"
+ "nimbolus"
"ollama-proxy"
"opengist"
"outline"
diff --git a/machines/nixos/compute01/nimbolus.nix b/machines/nixos/compute01/nimbolus.nix
new file mode 100644
index 0000000..51c8f9e
--- /dev/null
+++ b/machines/nixos/compute01/nimbolus.nix
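Review bot: `chmod a+r /run/nimbolus-tf/env-file` leaves the generated file, which holds KMS_KEY and the S3 secret key in clear, world-readable, so only the 0700 `RuntimeDirectoryMode` on the parent directory stands between it and every other local user. Since the prestart already runs privileged (the `+` prefix), it can hand the file to the service user instead, e.g. `chown nimbolus-tf: /run/nimbolus-tf/env-file` followed by `chmod 0400 /run/nimbolus-tf/env-file`, as a DynamicUser unit without `User=` is, as far as I recall, allocated a user named after the unit; systemd's `LoadCredential=` with `$CREDENTIALS_DIRECTORY` would avoid writing secrets under /run altogether and is worth considering. The `package` option description still reads `The hello package to use.` and should name the package, e.g. `The nimbolus-tf-backend package to use.`. The same prestart script and description appear in the modules/nixos/nimbolus-tf.nix hunk of PATCH 2/2.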
@@ -0,0 +1,35 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ pkgs, sources, ... }:
+let
+ host = "nimbolus.dgnum.eu";
+ port = 9008;
+in
+{
+ services.nimbolus-tf = {
+ enable = true;
+ package = (import sources.kat-pkgs { inherit pkgs; }).nimbolus-tf-backend;
+ environment = {
+ LISTEN_ADDR = "127.0.0.1:${toString port}";
+ STORAGE_BACKEND = "s3";
+ STORAGE_S3_ENDPOINT = "s3.dgnum.eu";
+ STORAGE_S3_USE_SSL = "true";
+ STORAGE_S3_BUCKET = "monorepo-terraform-state";
+
+ # TODO: configure openBAO
+ # AUTH_BASIC_ENABLED = "false";
+ # AUTH_JWT_OIDC_ISSUER_URL = "https://vault.dgnum.eu/v1/identity/oidc";
+ };
+ secretEnvironment = {
+ # FIXME: use agenix and real secrets
+ KMS_KEY = pkgs.writeText "nimbolus-kms-unsecure" "nVbFN9o4rIP2qi0SWtcgNZlWolrF61/Drx3YxeQTSZk=";
+ STORAGE_S3_ACCESS_KEY = pkgs.writeText "unsecure" "KEYID";
+ STORAGE_S3_SECRET_KEY = pkgs.writeText "unsecure" "KEYSECRET";
+ };
+ };
+ dgn-web.simpleProxies.nimbolus = {
+ inherit host port;
+ };
+}
diff --git a/meta/dns.nix b/meta/dns.nix
index fa3fd56..f9aa64e 100644
--- a/meta/dns.nix
+++ b/meta/dns.nix
@@ -82,6 +82,7 @@ let
"gist" # Opengist
"grafana" # Grafana
"netbox-v2" # Netbox
+ "nimbolus" # Nimbolus Terraform Backend
"nms" # LibreNMS
"pads" # Hedgedoc
"pass" # Vaultwarden
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 0485145..1fa0209 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -37,8 +37,9 @@ "dgn-web" "django-apps" "extranix" - "openbao" "forgejo-multiuser-nix-runners" + "nimbolus-tf" + "openbao" + ]) ++ [ + "${sources.agenix}/modules/age.nix"
diff --git a/modules/nixos/nimbolus-tf.nix b/modules/nixos/nimbolus-tf.nix
new file mode 100644
index 0000000..01a8c3e
--- /dev/null
+++ b/modules/nixos/nimbolus-tf.nix
@@ -0,0 +1,108 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+let
+ inherit (lib)
+ escapeShellArg
+ getExe
+ mkEnableOption
+ mkIf
+ mkOption
+ ;
+ inherit (lib.types)
+ attrsOf
+ package
+ path
+ str
+ ;
+
+ # from nixpkgs, commit b1371135b5db3fcf728114d92d5bd0218109598a
+ # FIXME: Should be replaced by nixpkgs lib when going to nixos-25.05
+ concatMapAttrsStringSep =
+ sep: f: attrs:
+ lib.concatStringsSep sep (lib.attrValues (lib.mapAttrs f attrs));
+
+ cfg = config.services.nimbolus-tf;
+in
+{
+ options.services.nimbolus-tf = {
+ enable = mkEnableOption "the nimbolus terraform http backend";
+ package = mkOption {
+ type = package;
+ description = ''
+ The hello package to use.
+ '';
+ example = "kat-pkgs.nimbolus-tf-backend";
+ };
+ environment = mkOption {
+ type = attrsOf str;
+ default = { };
+ description = ''
+ Environment variables for nimbolus configuration.
+ '';
+ };
+ secretEnvironment = mkOption {
+ type = attrsOf path;
+ default = { };
+ description = ''
+ Files for secret environment variables for nimbolus configuration.
+ '';
+ };
+ };
+ config = mkIf cfg.enable {
+ systemd.services."nimbolus-tf" = {
+ description = "Nimbolus terraform http backend";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ EnvironmentFile = "-/run/nimbolus-tf/env-file";
+ ExecStart = "${getExe cfg.package}";
+ ExecStartPre = "+${pkgs.writeShellScript "nimbolus-prestart" ''
+ echo -n > /run/nimbolus-tf/env-file
+ ${concatMapAttrsStringSep "\n" (
+ key: value: "echo ${escapeShellArg "${key}=${value}"} >> /run/nimbolus-tf/env-file"
+ ) cfg.environment}
+ ${concatMapAttrsStringSep "\n" (
+ key: value: ''echo "${key}=$(cat ${value})" >> /run/nimbolus-tf/env-file''
+ ) cfg.secretEnvironment}
+ chmod a+r /run/nimbolus-tf/env-file
+ ''}";
+
+ RuntimeDirectory = "nimbolus-tf";
+ RuntimeDirectoryMode = "0700";
+ StateDirectory = "nimbolus-tf";
+ StateDirectoryMode = "0700";
+ WorkingDirectory = "/var/lib/nimbolus-tf";
+
+ # Hardening
+ DynamicUser = true;
+ CapabilityBoundingSet = "";
+ PrivateDevices = true;
+ ProtectClock = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ RestrictNamespaces = true;
+ ProtectHostname = true;
+ LockPersonality = true;
+ RestrictRealtime = true;
+ ProtectHome = true;
+ ProtectProc = "noaccess";
+ ProcSubset = "pid";
+ PrivateUsers = true;
+ UMask = "0077";
+ ProtectKernelTunables = true;
+ RestrictAddressFamilies = "AF_INET AF_INET6";
+ SystemCallFilter = "~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap";
+ MemoryDenyWriteExecute = true;
+ SystemCallArchitectures = "native";
+ };
+ };
+ };
+}