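# NixOS module for the Pomerium authenticating reverse proxy.
#
# The service runs as a DynamicUser inside a broadly hardened systemd
# sandbox. The only privilege it can ever hold is CAP_NET_BIND_SERVICE,
# and only when `bindLowPort` is enabled; otherwise the capability
# bounding set is emptied outright.
{ depot, config, lib, pkgs, ... }:

with lib;

{
  options.services.pomerium = {
    enable = mkEnableOption "the Pomerium authenticating reverse proxy";

    # Binding ports < 1024 requires CAP_NET_BIND_SERVICE, which in turn
    # rules out PrivateUsers (see serviceConfig below).
    bindLowPort = mkOption {
      type = with types; bool;
      default = true;
      description = "If true, allows Pomerium to bind low-numbered ports (e.g. 80 and 443).";
    };

    configFile = mkOption {
      type = with types; path;
      description = "Path to Pomerium config file.";
    };

    # Loaded via EnvironmentFile=, i.e. read by systemd rather than by the
    # dynamic service user, so the file itself need not be world-readable.
    secretsFile = mkOption {
      type = with types; path;
      description = "Path to file containing secrets for Pomerium, in systemd EnvironmentFile format.";
    };
  };

  config =
    let
      cfg = config.services.pomerium;
    in
    mkIf cfg.enable {
      systemd.services.pomerium = {
        description = "Pomerium authenticating reverse proxy";
        wants = [ "network.target" ];
        after = [ "network.target" ];
        wantedBy = [ "multi-user.target" ];

        serviceConfig = {
          DynamicUser = true;

          # Change into the credentials directory when systemd provides one
          # (presumably so relative paths in the config resolve against
          # LoadCredential= files — confirm against the deployed config),
          # then replace the shell with the pomerium binary.
          ExecStart = pkgs.writeShellScript "run-pomerium" ''
            if [[ -v CREDENTIALS_DIRECTORY ]]; then
              cd "$CREDENTIALS_DIRECTORY"
            fi
            exec ${depot.pkgs.pomerium}/bin/pomerium -config ${cfg.configFile}
          '';
          StateDirectory = "pomerium";

          # PrivateUsers= puts the service in its own user namespace, which
          # discards ambient capabilities; it must stay off whenever the
          # service needs CAP_NET_BIND_SERVICE.
          PrivateUsers = !cfg.bindLowPort;

          # Generic sandboxing: no privilege escalation, private /tmp and
          # /dev, read-only system, restricted kernel interfaces and
          # namespaces, no W+X memory.
          NoNewPrivileges = true;
          PrivateTmp = true;
          PrivateDevices = true;
          DevicePolicy = "closed";
          ProtectSystem = "strict";
          ProtectHome = true;
          ProtectControlGroups = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          ProtectKernelLogs = true;
          # AF_NETLINK is kept alongside the IP families; the proxy only
          # needs TCP/UDP plus local sockets, so confirm NETLINK is actually
          # required before tightening further.
          RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
          RestrictNamespaces = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          MemoryDenyWriteExecute = true;
          LockPersonality = true;

          EnvironmentFile = cfg.secretsFile;

          # Capabilities: grant CAP_NET_BIND_SERVICE only when low ports are
          # requested. The bounding set is always restricted — either to that
          # single capability, or to nothing at all. (Leaving it unset when
          # bindLowPort = false would fall back to systemd's default, i.e. an
          # unrestricted bounding set — the opposite of the intent.)
          AmbientCapabilities = lib.mkIf cfg.bindLowPort [ "CAP_NET_BIND_SERVICE" ];
          CapabilityBoundingSet =
            if cfg.bindLowPort then [ "CAP_NET_BIND_SERVICE" ] else "";

          Restart = "on-failure";
          RestartSec = "2s";
        };
      };
    };
}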