depot/ops/nixos/lib/pomerium.nix

{ config, ... }:

{
  services.pomerium = {
    enable = true;
    secretsFile = config.my.vault.secrets.pomerium.path;

    settings = {
      address = ":443";
      grpc_address = ":5443";
      http_redirect_addr = ":80";
      dns_lookup_family = "AUTO";

      idp_provider = "google";
      idp_client_id = "136257844546-qsa6hi1oqqoq2bnt93deo4e70ggbn1p8.apps.googleusercontent.com";
      idp_request_params = {
        hd = "lukegb.com";
        login_hint = "lukegb@lukegb.com";
      };

      jwt_claims_headers = [
        "email"
        "user"
      ];

      # Note autocert = true; not set here.
      autocert_ca = "https://dv.acme-v02.api.pki.goog/directory";
      autocert_email = "acme@lukegb.com";
      autocert_must_staple = true;
      autocert_dir = "/var/lib/pomerium/autocert";

      grpc_insecure = true;

      timeout_read = "0";  # We have some long-lived connections...
      timeout_write = "0";
      timeout_idle = "0";

      forward_auth_url = "https://fwdauth.int.lukegb.com";
      authenticate_service_url = "https://auth.int.lukegb.com";
      signout_redirect_url = "https://logged-out.int.lukegb.com";
      authorize_service_url = "http://etheroute-lon01.int.as205479.net:5443";
      databroker_service_url = "http://etheroute-lon01.int.as205479.net:5443";
    };
  };

  my.vault.secrets.pomerium = {
    template = ''
      {{ with secret "kv/apps/pomerium" }}
      COOKIE_SECRET={{ .Data.data.cookieSecret }}
      SHARED_SECRET={{ .Data.data.sharedSecret }}
      IDP_CLIENT_SECRET={{ .Data.data.idpClientSecret }}
      SIGNING_KEY={{ .Data.data.signingKey }}
      IDP_SERVICE_ACCOUNT={{ .Data.data.googleServiceAccount }}
      AUTOCERT_EAB_KEY_ID={{ .Data.data.eabKeyID }}
      AUTOCERT_EAB_MAC_KEY={{ .Data.data.eabMacKey }}
      {{ end }}
    '';
    group = "root";
    reloadOrRestartUnits = [ "pomerium.service" ];
  };
}
ops/nixos: bvm-forgejo + pomerium 2024-11-10 21:55:37 +00:00			`{ config, ... }:`

			`{`
			`services.pomerium = {`
			`enable = true;`
			`secretsFile = config.my.vault.secrets.pomerium.path;`

			`settings = {`
			`address = ":443";`
			`grpc_address = ":5443";`
			`http_redirect_addr = ":80";`
			`dns_lookup_family = "AUTO";`

			`idp_provider = "google";`
			`idp_client_id = "136257844546-qsa6hi1oqqoq2bnt93deo4e70ggbn1p8.apps.googleusercontent.com";`
			`idp_request_params = {`
			`hd = "lukegb.com";`
			`login_hint = "lukegb@lukegb.com";`
			`};`

			`jwt_claims_headers = [`
			`"email"`
			`"user"`
			`];`

			`# Note autocert = true; not set here.`
			`autocert_ca = "https://dv.acme-v02.api.pki.goog/directory";`
			`autocert_email = "acme@lukegb.com";`
			`autocert_must_staple = true;`
			`autocert_dir = "/var/lib/pomerium/autocert";`

			`grpc_insecure = true;`

			`timeout_read = "0"; # We have some long-lived connections...`
			`timeout_write = "0";`
			`timeout_idle = "0";`

			`forward_auth_url = "https://fwdauth.int.lukegb.com";`
			`authenticate_service_url = "https://auth.int.lukegb.com";`
			`signout_redirect_url = "https://logged-out.int.lukegb.com";`
			`authorize_service_url = "http://etheroute-lon01.int.as205479.net:5443";`
			`databroker_service_url = "http://etheroute-lon01.int.as205479.net:5443";`
			`};`
			`};`

			`my.vault.secrets.pomerium = {`
			`template = ''`
			`{{ with secret "kv/apps/pomerium" }}`
			`COOKIE_SECRET={{ .Data.data.cookieSecret }}`
			`SHARED_SECRET={{ .Data.data.sharedSecret }}`
			`IDP_CLIENT_SECRET={{ .Data.data.idpClientSecret }}`
			`SIGNING_KEY={{ .Data.data.signingKey }}`
			`IDP_SERVICE_ACCOUNT={{ .Data.data.googleServiceAccount }}`
			`AUTOCERT_EAB_KEY_ID={{ .Data.data.eabKeyID }}`
			`AUTOCERT_EAB_MAC_KEY={{ .Data.data.eabMacKey }}`
			`{{ end }}`
			`'';`
			`group = "root";`
			`reloadOrRestartUnits = [ "pomerium.service" ];`
			`};`
			`}`