2021-04-05 15:23:46 +00:00
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
|
|
|
|
with lib;
|
|
|
|
|
|
|
|
let
|
|
|
|
format = pkgs.formats.yaml {};
|
|
|
|
in
|
|
|
|
{
|
|
|
|
options.services.pomerium = {
|
|
|
|
enable = mkEnableOption "the Pomerium authenticating reverse proxy";
|
|
|
|
|
|
|
|
configFile = mkOption {
|
|
|
|
type = with types; nullOr path;
|
|
|
|
default = null;
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc "Path to Pomerium config YAML. If set, overrides services.pomerium.settings.";
|
2021-04-05 15:23:46 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
useACMEHost = mkOption {
|
|
|
|
type = with types; nullOr str;
|
|
|
|
default = null;
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2021-04-05 15:23:46 +00:00
|
|
|
If set, use a NixOS-generated ACME certificate with the specified name.
|
|
|
|
|
|
|
|
Note that this will require you to use a non-HTTP-based challenge, or
|
|
|
|
disable Pomerium's in-built HTTP redirect server by setting
|
|
|
|
http_redirect_addr to null and use a different HTTP server for serving
|
|
|
|
the challenge response.
|
|
|
|
|
|
|
|
If you're using an HTTP-based challenge, you should use the
|
|
|
|
Pomerium-native autocert option instead.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
settings = mkOption {
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2021-04-05 15:23:46 +00:00
|
|
|
The contents of Pomerium's config.yaml, in Nix expressions.
|
|
|
|
|
|
|
|
Specifying configFile will override this in its entirety.
|
|
|
|
|
2022-08-12 12:06:08 +00:00
|
|
|
See [the Pomerium
|
|
|
|
configuration reference](https://pomerium.io/reference/) for more information about what to put
|
2021-04-05 15:23:46 +00:00
|
|
|
here.
|
|
|
|
'';
|
|
|
|
default = {};
|
|
|
|
type = format.type;
|
|
|
|
};
|
|
|
|
|
|
|
|
secretsFile = mkOption {
|
|
|
|
type = with types; nullOr path;
|
|
|
|
default = null;
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2021-04-05 15:23:46 +00:00
|
|
|
Path to file containing secrets for Pomerium, in systemd
|
|
|
|
EnvironmentFile format. See the systemd.exec(5) man page.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
config = let
|
|
|
|
cfg = config.services.pomerium;
|
|
|
|
cfgFile = if cfg.configFile != null then cfg.configFile else (format.generate "pomerium.yaml" cfg.settings);
|
|
|
|
in mkIf cfg.enable ({
|
|
|
|
systemd.services.pomerium = {
|
|
|
|
description = "Pomerium authenticating reverse proxy";
|
|
|
|
wants = [ "network.target" ] ++ (optional (cfg.useACMEHost != null) "acme-finished-${cfg.useACMEHost}.target");
|
|
|
|
after = [ "network.target" ] ++ (optional (cfg.useACMEHost != null) "acme-finished-${cfg.useACMEHost}.target");
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
environment = optionalAttrs (cfg.useACMEHost != null) {
|
|
|
|
CERTIFICATE_FILE = "fullchain.pem";
|
|
|
|
CERTIFICATE_KEY_FILE = "key.pem";
|
|
|
|
};
|
|
|
|
startLimitIntervalSec = 60;
|
2021-04-07 11:56:26 +00:00
|
|
|
script = ''
|
|
|
|
if [[ -v CREDENTIALS_DIRECTORY ]]; then
|
|
|
|
cd "$CREDENTIALS_DIRECTORY"
|
|
|
|
fi
|
|
|
|
exec "${pkgs.pomerium}/bin/pomerium" -config "${cfgFile}"
|
|
|
|
'';
|
2021-04-05 15:23:46 +00:00
|
|
|
|
|
|
|
serviceConfig = {
|
|
|
|
DynamicUser = true;
|
|
|
|
StateDirectory = [ "pomerium" ];
|
|
|
|
|
|
|
|
PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
|
|
|
|
MemoryDenyWriteExecute = false; # breaks LuaJIT
|
|
|
|
|
|
|
|
NoNewPrivileges = true;
|
|
|
|
PrivateTmp = true;
|
|
|
|
PrivateDevices = true;
|
|
|
|
DevicePolicy = "closed";
|
|
|
|
ProtectSystem = "strict";
|
|
|
|
ProtectHome = true;
|
|
|
|
ProtectControlGroups = true;
|
|
|
|
ProtectKernelModules = true;
|
|
|
|
ProtectKernelTunables = true;
|
|
|
|
ProtectKernelLogs = true;
|
|
|
|
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
|
|
|
|
RestrictNamespaces = true;
|
|
|
|
RestrictRealtime = true;
|
|
|
|
RestrictSUIDSGID = true;
|
|
|
|
LockPersonality = true;
|
|
|
|
SystemCallArchitectures = "native";
|
|
|
|
|
|
|
|
EnvironmentFile = cfg.secretsFile;
|
|
|
|
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
|
|
|
|
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
|
|
|
|
|
|
|
|
LoadCredential = optionals (cfg.useACMEHost != null) [
|
|
|
|
"fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem"
|
|
|
|
"key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem"
|
|
|
|
];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
# postRun hooks on cert renew can't be used to restart Nginx since renewal
|
|
|
|
# runs as the unprivileged acme user. sslTargets are added to wantedBy + before
|
|
|
|
# which allows the acme-finished-$cert.target to signify the successful updating
|
|
|
|
# of certs end-to-end.
|
|
|
|
systemd.services.pomerium-config-reload = mkIf (cfg.useACMEHost != null) {
|
|
|
|
# TODO(lukegb): figure out how to make config reloading work with credentials.
|
|
|
|
|
|
|
|
wantedBy = [ "acme-finished-${cfg.useACMEHost}.target" "multi-user.target" ];
|
|
|
|
# Before the finished targets, after the renew services.
|
|
|
|
before = [ "acme-finished-${cfg.useACMEHost}.target" ];
|
|
|
|
after = [ "acme-${cfg.useACMEHost}.service" ];
|
|
|
|
# Block reloading if not all certs exist yet.
|
2021-04-07 00:46:15 +00:00
|
|
|
unitConfig.ConditionPathExists = [ "${config.security.acme.certs.${cfg.useACMEHost}.directory}/fullchain.pem" ];
|
2021-04-05 15:23:46 +00:00
|
|
|
serviceConfig = {
|
|
|
|
Type = "oneshot";
|
|
|
|
TimeoutSec = 60;
|
|
|
|
ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active pomerium.service";
|
2021-12-07 18:06:16 +00:00
|
|
|
ExecStart = "/run/current-system/systemd/bin/systemctl --no-block restart pomerium.service";
|
2021-04-05 15:23:46 +00:00
|
|
|
};
|
|
|
|
};
|
|
|
|
});
|
|
|
|
}
|