
# Pomerium identity-aware proxy in front of the *.int.lukegb.com services.
#
# No secret material is kept in this file: every secret is rendered by Vault
# into an environment file (`my.vault.secrets.pomerium`, below) which the
# service reads through `secretsFile`. Anything placed in `settings` instead
# would end up in the world-readable Nix store.
{ config, ... }:
let
  # Authorize and databroker are both served from one plaintext gRPC
  # endpoint; see the `grpc_insecure` comment below.
  internalGrpcEndpoint = "http://etheroute-lon01.int.as205479.net:5443";
  internalDomain = "int.lukegb.com";
  pomeriumSecrets = config.my.vault.secrets.pomerium;
in
{
  services.pomerium = {
    enable = true;

    # Vault-rendered env file: COOKIE_SECRET, SHARED_SECRET, IDP_CLIENT_SECRET,
    # SIGNING_KEY, IDP_SERVICE_ACCOUNT and the ACME EAB credentials.
    secretsFile = pomeriumSecrets.path;

    settings = {
      # Listeners: HTTPS proxy, gRPC for the internal services, and a
      # plain-HTTP redirector to HTTPS.
      address = ":443";
      grpc_address = ":5443";
      http_redirect_addr = ":80";
      dns_lookup_family = "AUTO";

      # Identity provider: Google. The OAuth client secret and the service
      # account used for directory lookups come from the env file.
      idp_provider = "google";
      idp_client_id = "136257844546-qsa6hi1oqqoq2bnt93deo4e70ggbn1p8.apps.googleusercontent.com";
      # NOTE(review): `hd` and `login_hint` are only hints to Google's
      # sign-in page; they do not by themselves restrict which accounts can
      # complete login. The restriction to the lukegb.com domain / specific
      # users has to be enforced by the Pomerium authorization policy, which
      # is not in this file — confirm it checks the email domain.
      idp_request_params = {
        hd = "lukegb.com";
        login_hint = "lukegb@lukegb.com";
      };

      # Identity claims exposed to upstreams as request headers. Upstreams
      # must only be reachable through Pomerium; a client that can hit an
      # upstream directly could set these headers itself.
      jwt_claims_headers = [
        "email"
        "user"
      ];

      # ACME certificates from Google Trust Services using External Account
      # Binding (AUTOCERT_EAB_KEY_ID / AUTOCERT_EAB_MAC_KEY in the env file).
      # `autocert = true` is intentionally not set in this file.
      autocert_ca = "https://dv.acme-v02.api.pki.goog/directory";
      autocert_email = "acme@lukegb.com";
      autocert_must_staple = true;
      autocert_dir = "/var/lib/pomerium/autocert";

      # Inter-service gRPC runs without TLS (the http:// URLs below), so the
      # proxy <-> authorize/databroker link is neither encrypted nor
      # authenticated beyond SHARED_SECRET; it is only as trustworthy as the
      # network path to etheroute-lon01. Revisit if that path ever leaves a
      # trusted network segment.
      grpc_insecure = true;

      # All timeouts disabled because some upstreams hold long-lived
      # connections. This also removes the slow-client / idle-connection
      # backstop on the :443 listener — a deliberate trade-off, worth
      # revisiting if connection exhaustion is ever observed.
      timeout_read = "0";
      timeout_write = "0";
      timeout_idle = "0";

      # Browser-facing service URLs.
      forward_auth_url = "https://fwdauth.${internalDomain}";
      authenticate_service_url = "https://auth.${internalDomain}";
      signout_redirect_url = "https://logged-out.${internalDomain}";

      # Internal service URLs (plaintext gRPC, see `grpc_insecure`).
      authorize_service_url = internalGrpcEndpoint;
      databroker_service_url = internalGrpcEndpoint;
    };
  };

  # Vault -> env file consumed by pomerium.service. Each line becomes an
  # environment variable Pomerium reads in place of the matching setting.
  my.vault.secrets.pomerium = {
    template = ''
      {{ with secret "kv/apps/pomerium" }}
      COOKIE_SECRET={{ .Data.data.cookieSecret }}
      SHARED_SECRET={{ .Data.data.sharedSecret }}
      IDP_CLIENT_SECRET={{ .Data.data.idpClientSecret }}
      SIGNING_KEY={{ .Data.data.signingKey }}
      IDP_SERVICE_ACCOUNT={{ .Data.data.googleServiceAccount }}
      AUTOCERT_EAB_KEY_ID={{ .Data.data.eabKeyID }}
      AUTOCERT_EAB_MAC_KEY={{ .Data.data.eabMacKey }}
      {{ end }}
    '';
    group = "root";
    # Re-rendered secrets are picked up by reloading/restarting the unit.
    reloadOrRestartUnits = [ "pomerium.service" ];
  };
}