depot/nix/pkgs/pomerium/module.nix


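# NixOS module for the Pomerium authenticating reverse proxy.
#
# Pomerium runs as a systemd service under a dynamic (unprivileged) user with
# a broad sandboxing profile. Secrets are handed in through a systemd
# EnvironmentFile; the config file itself is referenced from the ExecStart
# script, so it must not carry secrets of its own.
{ depot, config, lib, pkgs, ... }:
with lib;
{
  options.services.pomerium = {
    enable = mkEnableOption "the Pomerium authenticating reverse proxy";

    bindLowPort = mkOption {
      type = with types; bool;
      default = true;
      description = "If true, allows Pomerium to bind low-numbered ports (e.g. 80 and 443).";
    };

    configFile = mkOption {
      type = with types; path;
      # This path is interpolated into the ExecStart script, so a Nix path
      # literal is copied into the world-readable /nix/store. Keep secrets
      # out of the config file and supply them via secretsFile instead.
      description = "Path to Pomerium config file.";
    };

    secretsFile = mkOption {
      type = with types; path;
      # Should name a file outside the store (e.g. an absolute string path
      # with restrictive permissions); a path literal may be copied into the
      # world-readable store.
      description = "Path to file containing secrets for Pomerium, in systemd EnvironmentFile format.";
    };
  };

  config = let cfg = config.services.pomerium; in mkIf cfg.enable {
    systemd.services.pomerium = {
      description = "Pomerium authenticating reverse proxy";
      wants = [ "network.target" ];
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        # Run as a transient user allocated by systemd; no static account.
        DynamicUser = true;

        ExecStart = pkgs.writeShellScript "run-pomerium" ''
          # If systemd passed credentials (LoadCredential=), start from that
          # directory -- presumably so relative credential paths in the
          # config resolve there. The path is quoted so a directory or
          # config path containing spaces still works.
          if [[ -v CREDENTIALS_DIRECTORY ]]; then
            cd "$CREDENTIALS_DIRECTORY"
          fi
          exec ${depot.pkgs.pomerium}/bin/pomerium -config "${cfg.configFile}"
        '';
        StateDirectory = "pomerium";

        # --- Sandboxing ---------------------------------------------------
        # PrivateUsers puts the service in its own user namespace, which
        # breaks CAP_NET_BIND_SERVICE, so it is only enabled when low ports
        # are not required.
        PrivateUsers = !cfg.bindLowPort;
        NoNewPrivileges = true;
        PrivateTmp = true;
        PrivateDevices = true;
        DevicePolicy = "closed";
        ProtectSystem = "strict";
        ProtectHome = true;
        ProtectHostname = true;
        ProtectControlGroups = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectKernelLogs = true;
        # Only the families a reverse proxy needs: local sockets, IPv4/IPv6,
        # and netlink (used by Go's net package for interface enumeration).
        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        MemoryDenyWriteExecute = true;
        LockPersonality = true;
        # Reject syscalls made through a non-native ABI (e.g. 32-bit compat).
        SystemCallArchitectures = "native";

        # Secrets are injected as environment variables from a file kept
        # outside the store.
        EnvironmentFile = cfg.secretsFile;

        # --- Capabilities -------------------------------------------------
        # Grant exactly CAP_NET_BIND_SERVICE when low ports are wanted.
        # Otherwise clear the bounding set explicitly rather than leaving it
        # at the systemd default, so the unit never holds any capability.
        AmbientCapabilities = mkIf cfg.bindLowPort [ "CAP_NET_BIND_SERVICE" ];
        CapabilityBoundingSet =
          if cfg.bindLowPort then [ "CAP_NET_BIND_SERVICE" ] else "";

        Restart = "on-failure";
        RestartSec = "2s";
      };
    };
  };
}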