@@ -0,0 +25,4 @@
+
+  # from nixpkgs, commit b1371135b5db3fcf728114d92d5bd0218109598a
+  # FIXME: Should be replaced by nixpkgs lib when going to nixos-25.05
+  concatMapAttrsStringSep =

@@ -0,0 +34,4 @@
+{
+  options.services.nimbolus-tf = {
+    enable = mkEnableOption "the nimbolus terraform http backend";
+    package = mkOption {

@@ -0,0 +48,4 @@
+        Environment variables for nimbolus configuration.
+      '';
+    };
+    secretEnvironment = mkOption {

@@ -0,0 +57,4 @@
+    };
+  };
+  config = mkIf cfg.enable {
+    systemd.services."nimbolus-tf" = {

@@ -0,0 +62,4 @@
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        EnvironmentFile = "-/run/nimbolus-tf/env-file";
+        ExecStart = "${getExe cfg.package}";

@@ -0,0 +71,4 @@
+          ${concatMapAttrsStringSep "\n" (
+            key: value: ''echo "${key}=$(cat ${value})" >> /run/nimbolus-tf/env-file''
+          ) cfg.secretEnvironment}
+          chmod a+r /run/nimbolus-tf/env-file

@@ -0,0 +26,4 @@
+      STORAGE_S3_USE_SSL = "true";
+      STORAGE_S3_BUCKET = "nimbolus-dgnum";
+      STORAGE_S3_ACCESS_KEY = "GKefa111701f349de3988f0010";
+      STORAGE_S3_SECRET_KEY_FILE = config.age.secrets."nimbolus-s3_secret".path;

@@ -0,0 +19,4 @@
+    package = (import sources.kat-pkgs { inherit pkgs; }).nimbolus-tf-backend;
+    settings = {
+      LISTEN_ADDR = "127.0.0.1:${toString port}";
+      KMS_KEY_PATH = config.age.secrets."nimbolus-kms_key".path;