lon: update proxmox-nixos

91c96a414e14835b84adbf775f793739a5851fab
→ 8df841766fab6c15341577b6982ddd368be72113

Last 50 commits:
  8df8417 Merge pull request #168 from 5aaee9/main
  850a1d1 fix: vm not auto start when cloud init enabled
  48f39fb Merge pull request #65 from xddxdd/declarative-bridge
  4f2c493 Add option to declaratively configure visible bridges
  b3483bb Update cache key
  0d4d626 Merge pull request #162 from SaumonNet/newcache
  b900a4b Merge pull request #161 from codgician/evergreen
  67c5fc9 pve-manager: 8.2.10 -> 8.3.5
  a9a9a07 proxmox-i18n: init at 3.2.4
  5ce11fd pve-common: 8.2.9 -> 8.3.1
  2b7758e pve-guest-common: 5.1.6 -> 5.1.7
  2567deb pve-access-control: 8.2.0 -> 8.2.2
  8fb3952 pve-common: 8.2.1 -> 8.2.9
  483faa6 pve-manager: 8.2.4 -> 8.2.10
  89a8387 Merge pull request #118 from proxmox-update/auto-update/linstor-proxmox
  b94cd64 fix: cache key
  c7740e7 Merge pull request #160 from SaumonNet/firstvmid
  32e4599 Merge pull request #114 from proxmox-update/auto-update/markedjs
  31468f3 Merge pull request #145 from proxmox-update/auto-update/pve-container
  22ef831 Merge pull request #156 from proxmox-update/auto-update/pve-ha-manager
  204532e Merge pull request #159 from SaumonNet/backup-qemu-hash-stability
  99187f3 fix: nixmoxer: find first vmid
  87ad0ba proxmox-backup-qemu: remove leaveDotGit
  1cf98ce Merge pull request #158 from SaumonNet/autoinstall
  b3c4a99 Merge pull request #147 from proxmox-update/auto-update/uuid
  8e3c6a4 Merge pull request #143 from proxmox-update/auto-update/testharness
  5a84f32 fix: force iso name
  7be8021 pve-ha-manager: 4.0.6 -> 4.0.7
  de68467 uuid: 0.36 -> 0.37
  e078b6c markedjs: 15.0.4 -> 15.0.12
  f7ca9bc pve-container: 5.2.2 -> 5.2.6
  55113bb testharness: 3.50 -> 3.52
  292e513 linstor-proxmox: 8.0.4 -> 8.1.1
  bb52ad5 Merge pull request #121 from codgician/qemu-update-script
  9937276 re-enable linstor test
  a30672b pve-qemu-server: ensure bootsplash.jpg is copied
  051f0df pve-qemu-server: fix qemu version check
  1ff2292 pve-common: migrate substituteAll to replaceVars as the former will be removed in 25.11
  1d339bd linstor-server: fix hash of source
  26bb504 proxmox-backup-qemu: fix hash of source
  6c52096 update to 25.05
  dda2c5b pve-qemu-server: 8.2.1 -> 8.3.8
  92d03a3 pve-http-server: 5.1.2 -> 5.2.2
  7df1e81 linstor-server: use protobuf_24
  b209161 pve-qemu: 9.1.2 -> 9.2.0-5
  60e72a8 Merge pull request #139 from codgician/init-sencha-touch
  c1d7666 Merge pull request #141 from SaumonNet/rework-rust
  d65932f remove useless Cargo.toml
  70a187f termproxy: 1.0.1->1.1.0
  ff142d2 perlmod: update

lon.lock

@@ -195,10 +195,10 @@
       "type": "Git",
       "fetchType": "git",
       "branch": "dgnum",
-      "revision": "44ccf96bd73c1bbbbcc849cb0f2e0d1f5f75f934",
+      "revision": "fd4ba193ea3eda529ac27b43b206e9e3618b1975",
       "url": "https://git.hubrecht.ovh/hubrecht/nix-modules",
-      "hash": "sha256-mkrCWowrCje3/TuAG0eAJplrtlz1hYmusSFn93/Ccok=",
+      "hash": "sha256-O/lMCM0qKkd+TBV43Fp9uG3aEbDSc2lI3a5TetNYs0w=",
-      "lastModified": 1749629064,
+      "lastModified": 1749739595,
       "submodules": false
     },
     "nix-pkgs": {

machines/nixos/compute01/_configuration.nix

@@ -28,6 +28,7 @@ lib.extra.mkConfig {
     "mastodon"
     # "netbox"
     "nextcloud"
+    "nimbolus"
     "ollama-proxy"
     "opengist"
     "outline"

machines/nixos/compute01/nimbolus/default.nix

@@ -0,0 +1,43 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  pkgs,
+  sources,
+  config,
+  ...
+}:
+let
+  host = "nimbolus.dgnum.eu";
+  port = 9008;
+in
+{
+  imports = [ ./module.nix ];
+  services.nimbolus-tf = {
+    enable = true;
+    package = (import sources.kat-pkgs { inherit pkgs; }).nimbolus-tf-backend;
+    settings = {
+      LISTEN_ADDR = "127.0.0.1:${toString port}";
+
+      STORAGE_BACKEND = "s3";
+      STORAGE_S3_ENDPOINT = "s3.dgnum.eu";
+      STORAGE_S3_USE_SSL = "true";
+      STORAGE_S3_BUCKET = "nimbolus-dgnum";
+      STORAGE_S3_ACCESS_KEY = "GKefa111701f349de3988f0010";
+
+      # TODO: configure openBAO
+      # AUTH_BASIC_ENABLED = "false";
+      # AUTH_JWT_OIDC_ISSUER_URL = "https://vault.dgnum.eu/v1/identity/oidc";
+    };
+
+    credentials = {
+      KMS_KEY_FILE = config.age.secrets."nimbolus-kms_key".path;
+      STORAGE_S3_SECRET_KEY_FILE = config.age.secrets."nimbolus-s3_secret".path;
+    };
+  };
+
+  dgn-web.simpleProxies.nimbolus = {
+    inherit host port;
+  };
+}

machines/nixos/compute01/nimbolus/module.nix

@@ -0,0 +1,104 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  lib,
+  config,
+  sources,
+  pkgs,
+  ...
+}:
+let
+  inherit (lib)
+    getExe
+    mapAttrsToList
+    mkEnableOption
+    mkIf
+    mkPackageOption
+    mkOption
+    ;
+  inherit (lib.types)
+    attrsOf
+    path
+    str
+    ;
+
+  cfg = config.services.nimbolus-tf;
+in
+{
+  options.services.nimbolus-tf = {
+    enable = mkEnableOption "the nimbolus terraform http backend";
+    package = mkPackageOption (import sources.kat-pkgs { inherit pkgs; }) "nimbolus-tf-backend" {
+      pkgsText = "kat-pkgs";
+    };
+    user = mkOption {
+      type = str;
+      description = ''
+        User used by the nimbolus server.
+      '';
+      default = "nimbolus";
+    };
+    group = mkOption {
+      type = str;
+      description = ''
+        Group used by the nimbolus server.
+      '';
+      default = "nimbolus";
+    };
+    settings = mkOption {
+      type = attrsOf str;
+      default = { };
+      description = ''
+        Environment variables for nimbolus configuration.
+      '';
+    };
+    credentials = mkOption {
+      type = attrsOf path;
+      default = { };
+      description = ''
+        Files to pass by systemd LoadCredentials.
+      '';
+    };
+  };
+  config = mkIf cfg.enable {
+    systemd.services.nimbolus-tf = {
+      description = "Nimbolus terraform http backend";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart = getExe cfg.package;
+        Environment =
+          mapAttrsToList (name: value: "${name}=${value}") cfg.settings
+          ++ mapAttrsToList (name: _: "${name}=%d/${name}") cfg.credentials;
+        LoadCredential = mapAttrsToList (name: file: "${name}:${file}") cfg.credentials;
+
+        StateDirectory = "nimbolus-tf";
+        StateDirectoryMode = "0700";
+        WorkingDirectory = "/var/lib/nimbolus-tf";
+
+        # Hardening
+        DynamicUser = true;
+        CapabilityBoundingSet = "";
+        PrivateDevices = true;
+        ProtectClock = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        RestrictNamespaces = true;
+        ProtectHostname = true;
+        LockPersonality = true;
+        RestrictRealtime = true;
+        ProtectHome = true;
+        ProtectProc = "noaccess";
+        ProcSubset = "pid";
+        PrivateUsers = true;
+        UMask = "0077";
+        ProtectKernelTunables = true;
+        RestrictAddressFamilies = "AF_INET AF_INET6";
+        SystemCallFilter = "~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap";
+        MemoryDenyWriteExecute = true;
+        SystemCallArchitectures = "native";
+      };
+    };
+  };
+}

machines/nixos/compute01/secrets/secrets.nix

@@ -25,6 +25,8 @@
     "netbox-environment_file"
     "nextcloud-adminpass_file"
     "nextcloud-s3_secret_file"
+    "nimbolus-kms_key"
+    "nimbolus-s3_secret"
     "opengist-environment_file"
     "outline-oidc_client_secret_file"
     "outline-smtp_password_file"

modules/nixos/default.nix

@@ -37,8 +37,9 @@
       "dgn-web"
       "django-apps"
       "extranix"
-      "openbao"
       "forgejo-multiuser-nix-runners"
+      "openbao"
+      "systemd-notify"
     ])
     ++ [
       "${sources.agenix}/modules/age.nix"
@@ -52,7 +53,6 @@
         "services/forgejo-nix-runners"
         "services/nginx-sni"
         "services/reaction"
-        "services/systemd-notify"
         "services/victorialogs"
         "services/victoriametrics"
       ]

modules/nixos/dgn-notify/default.nix

@@ -54,19 +54,16 @@ in
     };
 
     services.systemd-notify = {
-      enable = true;
+      mail = pkgs.writeShellScript "sendmail" ''
-      command = builtins.toString (
+        ${pkgs.msmtp}/bin/sendmail -i -t <<ERRMAIL
-        pkgs.writeShellScript "sendmail" ''
+        To: admins+monitoring@dgnum.eu, ${emails}
-          ${pkgs.msmtp}/bin/sendmail -i -t <<ERRMAIL
+        Subject: [$HOSTNAME] Systemd failure: $1
-          To: admins+monitoring@dgnum.eu, ${emails}
+        Content-Transfer-Encoding: 8bit
-          Subject: [$HOSTNAME] Systemd failure: $1
+        Content-Type: text/plain; charset=UTF-8
-          Content-Transfer-Encoding: 8bit
-          Content-Type: text/plain; charset=UTF-8
 
-          $(systemctl status --full "$1")
+        $(systemctl status --full "$1")
-          ERRMAIL
+        ERRMAIL
-        ''
+      '';
-      );
     };
     age-secrets.sources = [ ./. ];
   };

modules/nixos/systemd-notify.nix

@@ -0,0 +1,49 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ config, lib, ... }:
+
+let
+  inherit (lib)
+    getExe
+    mapAttrs'
+    mapAttrsToList
+    mkOption
+    mkForce
+    nameValuePair
+    ;
+  inherit (lib.types) attrsOf package submodule;
+
+  cfg = config.services.systemd-notify;
+in
+
+{
+  options.services.systemd-notify = mkOption {
+    type = attrsOf package;
+    description = ''
+      Commands to execute when a systemd unit fails.
+      Attrs keys will be the unit name and attrs value is the command that
+      will be run with the name of the failed unit as an argument.
+    '';
+    default = { };
+  };
+
+  options.systemd.services = mkOption {
+    type = attrsOf (submodule {
+      config.onFailure = mapAttrsToList (name: _: "${name}@%n.service") cfg;
+    });
+  };
+
+  config.systemd.services = mapAttrs' (
+    name: script:
+    nameValuePair "${name}@" {
+      description = "Run ${name} script on service failures.";
+      onFailure = mkForce [ ]; # Avoid recursive failures
+      serviceConfig = {
+        ExecStart = "${getExe script} %i";
+        Type = "oneshot";
+      };
+    }
+  ) cfg;
+}