machines/nixos/compute01/_configuration.nix

@@ -28,6 +28,7 @@ lib.extra.mkConfig {
     "mastodon"
     # "netbox"
     "nextcloud"
+    "nimbolus"
     "ollama-proxy"
     "opengist"
     "outline"

machines/nixos/compute01/nimbolus/default.nix

@@ -0,0 +1,43 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  pkgs,
+  sources,
+  config,
+  ...
+}:
+let
+  host = "nimbolus.dgnum.eu";
+  port = 9008;
+in
+{
+  imports = [ ./module.nix ];
+  services.nimbolus-tf = {
+    enable = true;
+    package = (import sources.kat-pkgs { inherit pkgs; }).nimbolus-tf-backend;
+    settings = {
+      LISTEN_ADDR = "127.0.0.1:${toString port}";
+
+      STORAGE_BACKEND = "s3";
+      STORAGE_S3_ENDPOINT = "s3.dgnum.eu";
+      STORAGE_S3_USE_SSL = "true";
+      STORAGE_S3_BUCKET = "nimbolus-dgnum";
+      STORAGE_S3_ACCESS_KEY = "GKefa111701f349de3988f0010";
+
+      # TODO: configure openBAO
+      # AUTH_BASIC_ENABLED = "false";
+      # AUTH_JWT_OIDC_ISSUER_URL = "https://vault.dgnum.eu/v1/identity/oidc";
+    };
+
+    credentials = {
+      KMS_KEY_FILE = config.age.secrets."nimbolus-kms_key".path;
+      STORAGE_S3_SECRET_KEY_FILE = config.age.secrets."nimbolus-s3_secret".path;
+    };
+  };
+
+  dgn-web.simpleProxies.nimbolus = {
+    inherit host port;
+  };
+}

machines/nixos/compute01/nimbolus/module.nix

@@ -0,0 +1,104 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  lib,
+  config,
+  sources,
+  pkgs,
+  ...
+}:
+let
+  inherit (lib)
+    getExe
+    mapAttrsToList
+    mkEnableOption
+    mkIf
+    mkPackageOption
+    mkOption
+    ;
+  inherit (lib.types)
+    attrsOf
+    path
+    str
+    ;
+
+  cfg = config.services.nimbolus-tf;
+in
+{
+  options.services.nimbolus-tf = {
+    enable = mkEnableOption "the nimbolus terraform http backend";
+    package = mkPackageOption (import sources.kat-pkgs { inherit pkgs; }) "nimbolus-tf-backend" {
+      pkgsText = "kat-pkgs";
+    };
+    user = mkOption {
+      type = str;
+      description = ''
+        User used by the nimbolus server.
+      '';
+      default = "nimbolus";
+    };
+    group = mkOption {
+      type = str;
+      description = ''
+        Group used by the nimbolus server.
+      '';
+      default = "nimbolus";
+    };
+    settings = mkOption {
+      type = attrsOf str;
+      default = { };
+      description = ''
+        Environment variables for nimbolus configuration.
+      '';
+    };
+    credentials = mkOption {
+      type = attrsOf path;
+      default = { };
+      description = ''
+        Files to pass by systemd LoadCredentials.
+      '';
+    };
+  };
+  config = mkIf cfg.enable {
+    systemd.services.nimbolus-tf = {
+      description = "Nimbolus terraform http backend";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart = getExe cfg.package;
+        Environment =
+          mapAttrsToList (name: value: "${name}=${value}") cfg.settings
+          ++ mapAttrsToList (name: _: "${name}=%d/${name}") cfg.credentials;
+        LoadCredential = mapAttrsToList (name: file: "${name}:${file}") cfg.credentials;
+
+        StateDirectory = "nimbolus-tf";
+        StateDirectoryMode = "0700";
+        WorkingDirectory = "/var/lib/nimbolus-tf";
+
+        # Hardening
+        DynamicUser = true;
+        CapabilityBoundingSet = "";
+        PrivateDevices = true;
+        ProtectClock = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        RestrictNamespaces = true;
+        ProtectHostname = true;
+        LockPersonality = true;
+        RestrictRealtime = true;
+        ProtectHome = true;
+        ProtectProc = "noaccess";
+        ProcSubset = "pid";
+        PrivateUsers = true;
+        UMask = "0077";
+        ProtectKernelTunables = true;
+        RestrictAddressFamilies = "AF_INET AF_INET6";
+        SystemCallFilter = "~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap";
+        MemoryDenyWriteExecute = true;
+        SystemCallArchitectures = "native";
+      };
+    };
+  };
+}

machines/nixos/compute01/secrets/secrets.nix

@@ -25,6 +25,8 @@
     "netbox-environment_file"
     "nextcloud-adminpass_file"
     "nextcloud-s3_secret_file"
+    "nimbolus-kms_key"
+    "nimbolus-s3_secret"
     "opengist-environment_file"
     "outline-oidc_client_secret_file"
     "outline-smtp_password_file"

modules/nixos/default.nix

@@ -37,8 +37,8 @@
       "dgn-web"
       "django-apps"
       "extranix"
-      "openbao"
       "forgejo-multiuser-nix-runners"
+      "openbao"
       "systemd-notify"
     ])
     ++ [