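{ depot, config, lib, pkgs, ... }:

with lib;

# NixOS module for the Pomerium authenticating reverse proxy.
#
# The service runs as a DynamicUser inside a hardened systemd sandbox.
# Non-secret configuration comes from `configFile`; secrets are injected via
# `secretsFile` (systemd EnvironmentFile format) so they never land in the
# world-readable Nix store.
{
  options.services.pomerium = {
    enable = mkEnableOption "the Pomerium authenticating reverse proxy";

    bindLowPort = mkOption {
      type = types.bool;
      default = true;
      description = ''
        If true, allows Pomerium to bind low-numbered ports (e.g. 80 and 443)
        by granting CAP_NET_BIND_SERVICE. This also disables PrivateUsers,
        which is incompatible with that capability.
      '';
    };

    configFile = mkOption {
      type = types.path;
      description = ''
        Path to Pomerium config file. A path literal given here is copied
        into the world-readable Nix store when it is interpolated into the
        start script, so this file must not contain secrets; put those in
        `secretsFile` instead.
      '';
    };

    secretsFile = mkOption {
      type = types.path;
      description = ''
        Path to file containing secrets for Pomerium, in systemd
        EnvironmentFile format. It is read by systemd rather than by the
        service user, so it can be root-owned and unreadable to others.
      '';
    };
  };

  config = let cfg = config.services.pomerium; in mkIf cfg.enable {
    systemd.services.pomerium = {
      description = "Pomerium authenticating reverse proxy";
      wants = [ "network.target" ];
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        DynamicUser = true;

        # If a caller adds LoadCredential= (this module does not set it),
        # CREDENTIALS_DIRECTORY is exported and relative paths in the config
        # then resolve against the credentials directory. The config path is
        # quoted so a path containing spaces or glob characters is passed
        # to pomerium intact.
        ExecStart = pkgs.writeShellScript "run-pomerium" ''
          if [[ -v CREDENTIALS_DIRECTORY ]]; then
            cd "$CREDENTIALS_DIRECTORY"
          fi
          exec ${depot.pkgs.pomerium}/bin/pomerium -config "${cfg.configFile}"
        '';
        StateDirectory = "pomerium";

        PrivateUsers = !cfg.bindLowPort; # breaks CAP_NET_BIND_SERVICE

        NoNewPrivileges = true;
        PrivateTmp = true;
        PrivateDevices = true;
        DevicePolicy = "closed";
        ProtectSystem = "strict";
        ProtectHome = true;
        ProtectControlGroups = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectKernelLogs = true;
        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        MemoryDenyWriteExecute = true;
        LockPersonality = true;

        EnvironmentFile = cfg.secretsFile;

        # Grant only the capability needed for low ports. When low ports are
        # not needed, reset the bounding set to empty instead of leaving it at
        # the systemd default (a plain mkIf would omit the line entirely).
        AmbientCapabilities = mkIf cfg.bindLowPort [ "CAP_NET_BIND_SERVICE" ];
        CapabilityBoundingSet =
          if cfg.bindLowPort then [ "CAP_NET_BIND_SERVICE" ] else [ "" ];

        Restart = "on-failure";
        RestartSec = "2s";
      };
    };
  };
}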