diff --git a/lon.lock b/lon.lock index 416724a..77ca9d7 100644 --- a/lon.lock +++ b/lon.lock @@ -195,10 +195,10 @@ "type": "Git", "fetchType": "git", "branch": "dgnum", - "revision": "44ccf96bd73c1bbbbcc849cb0f2e0d1f5f75f934", + "revision": "fd4ba193ea3eda529ac27b43b206e9e3618b1975", "url": "https://git.hubrecht.ovh/hubrecht/nix-modules", - "hash": "sha256-mkrCWowrCje3/TuAG0eAJplrtlz1hYmusSFn93/Ccok=", - "lastModified": 1749629064, + "hash": "sha256-O/lMCM0qKkd+TBV43Fp9uG3aEbDSc2lI3a5TetNYs0w=", + "lastModified": 1749739595, "submodules": false }, "nix-pkgs": { diff --git a/machines/nixos/compute01/_configuration.nix b/machines/nixos/compute01/_configuration.nix index 7e45eea..6689130 100644 --- a/machines/nixos/compute01/_configuration.nix +++ b/machines/nixos/compute01/_configuration.nix @@ -28,6 +28,7 @@ lib.extra.mkConfig { "mastodon" # "netbox" "nextcloud" + "nimbolus" "ollama-proxy" "opengist" "outline" diff --git a/machines/nixos/compute01/nimbolus/default.nix b/machines/nixos/compute01/nimbolus/default.nix new file mode 100644 index 0000000..45188a0 --- /dev/null +++ b/machines/nixos/compute01/nimbolus/default.nix @@ -0,0 +1,43 @@ +# SPDX-FileCopyrightText: 2025 Lubin Bailly +# +# SPDX-License-Identifier: EUPL-1.2 + +{ + pkgs, + sources, + config, + ... +}: +let + host = "nimbolus.dgnum.eu"; + port = 9008; +in +{ + imports = [ ./module.nix ]; + services.nimbolus-tf = { + enable = true; + package = (import sources.kat-pkgs { inherit pkgs; }).nimbolus-tf-backend; + settings = { + LISTEN_ADDR = "127.0.0.1:${toString port}"; + + STORAGE_BACKEND = "s3"; + STORAGE_S3_ENDPOINT = "s3.dgnum.eu"; + STORAGE_S3_USE_SSL = "true"; + STORAGE_S3_BUCKET = "nimbolus-dgnum"; + STORAGE_S3_ACCESS_KEY = "GKefa111701f349de3988f0010"; + + # TODO: configure openBAO + # AUTH_BASIC_ENABLED = "false"; + # AUTH_JWT_OIDC_ISSUER_URL = "https://vault.dgnum.eu/v1/identity/oidc"; + }; + + credentials = { + KMS_KEY_FILE = config.age.secrets."nimbolus-kms_key".path; + STORAGE_S3_SECRET_KEY_FILE = config.age.secrets."nimbolus-s3_secret".path; + }; + }; + + dgn-web.simpleProxies.nimbolus = { + inherit host port; + }; +} diff --git a/machines/nixos/compute01/nimbolus/module.nix b/machines/nixos/compute01/nimbolus/module.nix new file mode 100644 index 0000000..626dc61 --- /dev/null +++ b/machines/nixos/compute01/nimbolus/module.nix @@ -0,0 +1,104 @@ +# SPDX-FileCopyrightText: 2025 Lubin Bailly +# +# SPDX-License-Identifier: EUPL-1.2 + +{ + lib, + config, + sources, + pkgs, + ... +}: +let + inherit (lib) + getExe + mapAttrsToList + mkEnableOption + mkIf + mkPackageOption + mkOption + ; + inherit (lib.types) + attrsOf + path + str + ; + + cfg = config.services.nimbolus-tf; +in +{ + options.services.nimbolus-tf = { + enable = mkEnableOption "the nimbolus terraform http backend"; + package = mkPackageOption (import sources.kat-pkgs { inherit pkgs; }) "nimbolus-tf-backend" { + pkgsText = "kat-pkgs"; + }; + user = mkOption { + type = str; + description = '' + User used by the nimbolus server. + ''; + default = "nimbolus"; + }; + group = mkOption { + type = str; + description = '' + Group used by the nimbolus server. + ''; + default = "nimbolus"; + }; + settings = mkOption { + type = attrsOf str; + default = { }; + description = '' + Environment variables for nimbolus configuration. + ''; + }; + credentials = mkOption { + type = attrsOf path; + default = { }; + description = '' + Files to pass by systemd LoadCredentials. + ''; + }; + }; + config = mkIf cfg.enable { + systemd.services.nimbolus-tf = { + description = "Nimbolus terraform http backend"; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = getExe cfg.package; + Environment = + mapAttrsToList (name: value: "${name}=${value}") cfg.settings + ++ mapAttrsToList (name: _: "${name}=%d/${name}") cfg.credentials; + LoadCredential = mapAttrsToList (name: file: "${name}:${file}") cfg.credentials; + + StateDirectory = "nimbolus-tf"; + StateDirectoryMode = "0700"; + WorkingDirectory = "/var/lib/nimbolus-tf"; + + # Hardening + DynamicUser = true; + CapabilityBoundingSet = ""; + PrivateDevices = true; + ProtectClock = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + ProtectKernelModules = true; + RestrictNamespaces = true; + ProtectHostname = true; + LockPersonality = true; + RestrictRealtime = true; + ProtectHome = true; + ProtectProc = "noaccess"; + ProcSubset = "pid"; + PrivateUsers = true; + UMask = "0077"; + ProtectKernelTunables = true; + RestrictAddressFamilies = "AF_INET AF_INET6"; + SystemCallFilter = "~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap"; + MemoryDenyWriteExecute = true; + SystemCallArchitectures = "native"; + }; + }; + }; +} diff --git a/machines/nixos/compute01/secrets/nimbolus-kms_key b/machines/nixos/compute01/secrets/nimbolus-kms_key new file mode 100644 index 0000000..3235990 Binary files /dev/null and b/machines/nixos/compute01/secrets/nimbolus-kms_key differ diff --git a/machines/nixos/compute01/secrets/nimbolus-s3_secret b/machines/nixos/compute01/secrets/nimbolus-s3_secret new file mode 100644 index 0000000..dc6c234 Binary files /dev/null and b/machines/nixos/compute01/secrets/nimbolus-s3_secret differ diff --git a/machines/nixos/compute01/secrets/secrets.nix b/machines/nixos/compute01/secrets/secrets.nix index 38fd800..442f9ad 100644 --- a/machines/nixos/compute01/secrets/secrets.nix +++ b/machines/nixos/compute01/secrets/secrets.nix @@ -25,6 +25,8 @@ "netbox-environment_file" "nextcloud-adminpass_file" "nextcloud-s3_secret_file" + "nimbolus-kms_key" + "nimbolus-s3_secret" "opengist-environment_file" "outline-oidc_client_secret_file" "outline-smtp_password_file" diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 0485145..ef1c7ee 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -37,8 +37,9 @@ "dgn-web" "django-apps" "extranix" - "openbao" "forgejo-multiuser-nix-runners" + "openbao" + "systemd-notify" ]) ++ [ "${sources.agenix}/modules/age.nix" @@ -52,7 +53,6 @@ "services/forgejo-nix-runners" "services/nginx-sni" "services/reaction" - "services/systemd-notify" "services/victorialogs" "services/victoriametrics" ] diff --git a/modules/nixos/dgn-notify/default.nix b/modules/nixos/dgn-notify/default.nix index d9818db..5c83242 100644 --- a/modules/nixos/dgn-notify/default.nix +++ b/modules/nixos/dgn-notify/default.nix @@ -54,19 +54,16 @@ in }; services.systemd-notify = { - enable = true; - command = builtins.toString ( - pkgs.writeShellScript "sendmail" '' - ${pkgs.msmtp}/bin/sendmail -i -t < +# +# SPDX-License-Identifier: EUPL-1.2 + +{ config, lib, ... }: + +let + inherit (lib) + getExe + mapAttrs' + mapAttrsToList + mkOption + mkForce + nameValuePair + ; + inherit (lib.types) attrsOf package submodule; + + cfg = config.services.systemd-notify; +in + +{ + options.services.systemd-notify = mkOption { + type = attrsOf package; + description = '' + Commands to execute when a systemd unit fails. + Attrs keys will be the unit name and attrs value is the command that + will be run with the name of the failed unit as an argument. + ''; + default = { }; + }; + + options.systemd.services = mkOption { + type = attrsOf (submodule { + config.onFailure = mapAttrsToList (name: _: "${name}@%n.service") cfg; + }); + }; + + config.systemd.services = mapAttrs' ( + name: script: + nameValuePair "${name}@" { + description = "Run ${name} script on service failures."; + onFailure = mkForce [ ]; # Avoid recursive failures + serviceConfig = { + ExecStart = "${getExe script} %i"; + Type = "oneshot"; + }; + } + ) cfg; +}