diff --git a/nix/pkgs/pomerium/module.nix b/nix/pkgs/pomerium/module.nix new file mode 100644 index 0000000000..99c1a5acae --- /dev/null +++ b/nix/pkgs/pomerium/module.nix @@ -0,0 +1,65 @@ +{ depot, config, lib, pkgs, ... }: + +with lib; + +{ + options.services.pomerium = { + enable = mkEnableOption "the Pomerium authenticating reverse proxy"; + + bindLowPort = mkOption { + type = with types; bool; + default = true; + description = "If true, allows Pomerium to bind low-numbered ports (e.g. 80 and 443)."; + }; + + configFile = mkOption { + type = with types; path; + description = "Path to Pomerium config file."; + }; + + secretsFile = mkOption { + type = with types; path; + description = "Path to file containing secrets for Pomerium, in systemd EnvironmentFile format."; + }; + }; + + config = let cfg = config.services.pomerium; in mkIf cfg.enable { + systemd.services.pomerium = { + description = "Pomerium authenticating reverse proxy"; + wants = [ "network.target" ]; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + DynamicUser = true; + ExecStart = "${depot.pkgs.pomerium}/bin/pomerium -config ${cfg.configFile}"; + StateDirectory = "pomerium"; + + PrivateUsers = !cfg.bindLowPort; # breaks CAP_NET_BIND_SERVICE + + NoNewPrivileges = true; + PrivateTmp = true; + PrivateDevices = true; + DevicePolicy = "closed"; + ProtectSystem = "strict"; + ProtectHome = true; + ProtectControlGroups = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectKernelLogs = true; + RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK"; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + MemoryDenyWriteExecute = true; + LockPersonality = true; + + EnvironmentFile = cfg.secretsFile; + AmbientCapabilities = lib.mkIf cfg.bindLowPort [ "CAP_NET_BIND_SERVICE" ]; + CapabilityBoundingSet = lib.mkIf cfg.bindLowPort [ "CAP_NET_BIND_SERVICE" ]; + Restart = "on-failure"; + RestartSec = "2s"; + }; + }; + }; +} diff --git a/ops/nixos/etheroute-lon01/default.nix b/ops/nixos/etheroute-lon01/default.nix index 3836185420..a33ca9121e 100644 --- a/ops/nixos/etheroute-lon01/default.nix +++ b/ops/nixos/etheroute-lon01/default.nix @@ -10,6 +10,8 @@ in { imports = [ ../lib/bgp.nix ../lib/zfs.nix + + ../../../nix/pkgs/pomerium/module.nix ]; boot.initrd = { @@ -164,5 +166,40 @@ in { (bindMountSvc "/var/lib/tailscale" "tailscaled.service") ]; + services.pomerium = { + enable = true; + configFile = ./pomerium.yaml; + secretsFile = machineSecrets.pomeriumSecrets; + }; + systemd.services.pomerium.serviceConfig = { + After = [ "acme-finished-int.lukegb.com.target" ]; + Wants = [ "acme-finished-int.lukegb.com.target" ]; + SetCredential = [ + "certfullchain.pem:/var/lib/acme/int.lukegb.com/fullchain.pem" + "certkey.pem:/var/lib/acme/int.lukegb.com/key.pem" + ]; + ExecStartPre = [ + ''cp ''${CREDENTIALS_DIRECTORY}/certfullchain.pem /tmp/certfullchain.pem'' + ''cp ''${CREDENTIALS_DIRECTORY}/certkey.pem /tmp/certkey.pem'' + ]; + Environment = [ + "CERTIFICATE_FILE=/tmp/certfullchain.pem" + "CERTIFICATE_KEY_FILE=/tmp/certkey.pem" + ]; + }; + security.acme = { + acceptTerms = true; + email = "letsencrypt@lukegb.com"; + certs."int.lukegb.com" = { + domain = "*.int.lukegb.com"; + dnsProvider = "cloudflare"; + credentialsFile = secrets.cloudflareCredentials; + extraDomainNames = ["int.lukegb.com"]; + postRun = '' + systemctl restart pomerium + ''; + }; + }; + system.stateVersion = "20.09"; } diff --git a/ops/nixos/etheroute-lon01/pomerium.yaml b/ops/nixos/etheroute-lon01/pomerium.yaml new file mode 100644 index 0000000000..ebee149c41 --- /dev/null +++ b/ops/nixos/etheroute-lon01/pomerium.yaml @@ -0,0 +1,10 @@ +idp_provider: google +idp_client_id: 136257844546-qsa6hi1oqqoq2bnt93deo4e70ggbn1p8.apps.googleusercontent.com + +forward_auth_url: https://fwdauth.int.lukegb.com +authenticate_service_url: https://auth.int.lukegb.com + +policy: + - from: https://httpbin.int.lukegb.com + to: https://verify.pomerium.com + pass_identity_headers: true