etheroute-lon01: install pomerium

nix/pkgs/pomerium/module.nix

@@ -0,0 +1,65 @@
+{ depot, config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  options.services.pomerium = {
+    enable = mkEnableOption "the Pomerium authenticating reverse proxy";
+
+    bindLowPort = mkOption {
+      type = with types; bool;
+      default = true;
+      description = "If true, allows Pomerium to bind low-numbered ports (e.g. 80 and 443).";
+    };
+
+    configFile = mkOption {
+      type = with types; path;
+      description = "Path to Pomerium config file.";
+    };
+
+    secretsFile = mkOption {
+      type = with types; path;
+      description = "Path to file containing secrets for Pomerium, in systemd EnvironmentFile format.";
+    };
+  };
+
+  config = let cfg = config.services.pomerium; in mkIf cfg.enable {
+    systemd.services.pomerium = {
+      description = "Pomerium authenticating reverse proxy";
+      wants = [ "network.target" ];
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = {
+        DynamicUser = true;
+        ExecStart = "${depot.pkgs.pomerium}/bin/pomerium -config ${cfg.configFile}";
+        StateDirectory = "pomerium";
+
+        PrivateUsers = !cfg.bindLowPort;  # breaks CAP_NET_BIND_SERVICE
+
+        NoNewPrivileges = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        DevicePolicy = "closed";
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectKernelLogs = true;
+        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        MemoryDenyWriteExecute = true;
+        LockPersonality = true;
+
+        EnvironmentFile = cfg.secretsFile;
+        AmbientCapabilities = lib.mkIf cfg.bindLowPort [ "CAP_NET_BIND_SERVICE" ];
+        CapabilityBoundingSet = lib.mkIf cfg.bindLowPort [ "CAP_NET_BIND_SERVICE" ];
+        Restart = "on-failure";
+        RestartSec = "2s";
+      };
+    };
+  };
+}

ops/nixos/etheroute-lon01/default.nix

@@ -10,6 +10,8 @@ in {
   imports = [
     ../lib/bgp.nix
     ../lib/zfs.nix
+
+    ../../../nix/pkgs/pomerium/module.nix
   ];
 
   boot.initrd = {
@@ -164,5 +166,40 @@ in {
     (bindMountSvc "/var/lib/tailscale" "tailscaled.service")
   ];
 
+  services.pomerium = {
+    enable = true;
+    configFile = ./pomerium.yaml;
+    secretsFile = machineSecrets.pomeriumSecrets;
+  };
+  systemd.services.pomerium.serviceConfig = {
+    After = [ "acme-finished-int.lukegb.com.target" ];
+    Wants = [ "acme-finished-int.lukegb.com.target" ];
+    SetCredential = [
+      "certfullchain.pem:/var/lib/acme/int.lukegb.com/fullchain.pem"
+      "certkey.pem:/var/lib/acme/int.lukegb.com/key.pem"
+    ];
+    ExecStartPre = [
+      ''cp ''${CREDENTIALS_DIRECTORY}/certfullchain.pem /tmp/certfullchain.pem''
+      ''cp ''${CREDENTIALS_DIRECTORY}/certkey.pem /tmp/certkey.pem''
+    ];
+    Environment = [
+      "CERTIFICATE_FILE=/tmp/certfullchain.pem"
+      "CERTIFICATE_KEY_FILE=/tmp/certkey.pem"
+    ];
+  };
+  security.acme = {
+    acceptTerms = true;
+    email = "letsencrypt@lukegb.com";
+    certs."int.lukegb.com" = {
+      domain = "*.int.lukegb.com";
+      dnsProvider = "cloudflare";
+      credentialsFile = secrets.cloudflareCredentials;
+      extraDomainNames = ["int.lukegb.com"];
+      postRun = ''
+        systemctl restart pomerium
+      '';
+    };
+  };
+
   system.stateVersion = "20.09";
 }

ops/nixos/etheroute-lon01/pomerium.yaml

@@ -0,0 +1,10 @@
+idp_provider: google
+idp_client_id: 136257844546-qsa6hi1oqqoq2bnt93deo4e70ggbn1p8.apps.googleusercontent.com
+
+forward_auth_url: https://fwdauth.int.lukegb.com
+authenticate_service_url: https://auth.int.lukegb.com
+
+policy:
+  - from: https://httpbin.int.lukegb.com
+    to: https://verify.pomerium.com
+    pass_identity_headers: true