mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-06-10 19:55:41 +03:00
374e6bcc40
Format all Nix files using the officially approved formatter,
making the CI check introduced in the previous commit succeed:
nix-build ci -A fmt.check
This is the next step of the of the [implementation](https://github.com/NixOS/nixfmt/issues/153)
of the accepted [RFC 166](https://github.com/NixOS/rfcs/pull/166).
This commit will lead to merge conflicts for a number of PRs,
up to an estimated ~1100 (~33%) among the PRs with activity in the past 2
months, but that should be lower than what it would be without the previous
[partial treewide format](https://github.com/NixOS/nixpkgs/pull/322537).
Merge conflicts caused by this commit can now automatically be resolved while rebasing using the
[auto-rebase script](8616af08d9/maintainers/scripts/auto-rebase).
If you run into any problems regarding any of this, please reach out to the
[formatting team](https://nixos.org/community/teams/formatting/) by
pinging @NixOS/nix-formatting.
152 lines
5.1 KiB
Nix
152 lines
5.1 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}:
|
|
|
|
with lib;
|
|
|
|
let
|
|
format = pkgs.formats.yaml { };
|
|
in
|
|
{
|
|
options.services.pomerium = {
|
|
enable = mkEnableOption "the Pomerium authenticating reverse proxy";
|
|
|
|
configFile = mkOption {
|
|
type = with types; nullOr path;
|
|
default = null;
|
|
description = "Path to Pomerium config YAML. If set, overrides services.pomerium.settings.";
|
|
};
|
|
|
|
useACMEHost = mkOption {
|
|
type = with types; nullOr str;
|
|
default = null;
|
|
description = ''
|
|
If set, use a NixOS-generated ACME certificate with the specified name.
|
|
|
|
Note that this will require you to use a non-HTTP-based challenge, or
|
|
disable Pomerium's in-built HTTP redirect server by setting
|
|
http_redirect_addr to null and use a different HTTP server for serving
|
|
the challenge response.
|
|
|
|
If you're using an HTTP-based challenge, you should use the
|
|
Pomerium-native autocert option instead.
|
|
'';
|
|
};
|
|
|
|
settings = mkOption {
|
|
description = ''
|
|
The contents of Pomerium's config.yaml, in Nix expressions.
|
|
|
|
Specifying configFile will override this in its entirety.
|
|
|
|
See [the Pomerium
|
|
configuration reference](https://pomerium.io/reference/) for more information about what to put
|
|
here.
|
|
'';
|
|
default = { };
|
|
type = format.type;
|
|
};
|
|
|
|
secretsFile = mkOption {
|
|
type = with types; nullOr path;
|
|
default = null;
|
|
description = ''
|
|
Path to file containing secrets for Pomerium, in systemd
|
|
EnvironmentFile format. See the {manpage}`systemd.exec(5)` man page.
|
|
'';
|
|
};
|
|
};
|
|
|
|
config =
|
|
let
|
|
cfg = config.services.pomerium;
|
|
cfgFile =
|
|
if cfg.configFile != null then cfg.configFile else (format.generate "pomerium.yaml" cfg.settings);
|
|
in
|
|
mkIf cfg.enable ({
|
|
systemd.services.pomerium = {
|
|
description = "Pomerium authenticating reverse proxy";
|
|
wants = [
|
|
"network.target"
|
|
] ++ (optional (cfg.useACMEHost != null) "acme-finished-${cfg.useACMEHost}.target");
|
|
after = [
|
|
"network.target"
|
|
] ++ (optional (cfg.useACMEHost != null) "acme-finished-${cfg.useACMEHost}.target");
|
|
wantedBy = [ "multi-user.target" ];
|
|
environment = optionalAttrs (cfg.useACMEHost != null) {
|
|
CERTIFICATE_FILE = "fullchain.pem";
|
|
CERTIFICATE_KEY_FILE = "key.pem";
|
|
};
|
|
startLimitIntervalSec = 60;
|
|
script = ''
|
|
if [[ -v CREDENTIALS_DIRECTORY ]]; then
|
|
cd "$CREDENTIALS_DIRECTORY"
|
|
fi
|
|
exec "${pkgs.pomerium}/bin/pomerium" -config "${cfgFile}"
|
|
'';
|
|
|
|
serviceConfig = {
|
|
DynamicUser = true;
|
|
StateDirectory = [ "pomerium" ];
|
|
|
|
PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
|
|
MemoryDenyWriteExecute = false; # breaks LuaJIT
|
|
|
|
NoNewPrivileges = true;
|
|
PrivateTmp = true;
|
|
PrivateDevices = true;
|
|
DevicePolicy = "closed";
|
|
ProtectSystem = "strict";
|
|
ProtectHome = true;
|
|
ProtectControlGroups = true;
|
|
ProtectKernelModules = true;
|
|
ProtectKernelTunables = true;
|
|
ProtectKernelLogs = true;
|
|
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
|
|
RestrictNamespaces = true;
|
|
RestrictRealtime = true;
|
|
RestrictSUIDSGID = true;
|
|
LockPersonality = true;
|
|
SystemCallArchitectures = "native";
|
|
|
|
EnvironmentFile = cfg.secretsFile;
|
|
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
|
|
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
|
|
|
|
LoadCredential = optionals (cfg.useACMEHost != null) [
|
|
"fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem"
|
|
"key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem"
|
|
];
|
|
};
|
|
};
|
|
|
|
# postRun hooks on cert renew can't be used to restart Nginx since renewal
|
|
# runs as the unprivileged acme user. sslTargets are added to wantedBy + before
|
|
# which allows the acme-finished-$cert.target to signify the successful updating
|
|
# of certs end-to-end.
|
|
systemd.services.pomerium-config-reload = mkIf (cfg.useACMEHost != null) {
|
|
# TODO(lukegb): figure out how to make config reloading work with credentials.
|
|
|
|
wantedBy = [
|
|
"acme-finished-${cfg.useACMEHost}.target"
|
|
"multi-user.target"
|
|
];
|
|
# Before the finished targets, after the renew services.
|
|
before = [ "acme-finished-${cfg.useACMEHost}.target" ];
|
|
after = [ "acme-${cfg.useACMEHost}.service" ];
|
|
# Block reloading if not all certs exist yet.
|
|
unitConfig.ConditionPathExists = [
|
|
"${config.security.acme.certs.${cfg.useACMEHost}.directory}/fullchain.pem"
|
|
];
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
TimeoutSec = 60;
|
|
ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active pomerium.service";
|
|
ExecStart = "/run/current-system/systemd/bin/systemctl --no-block restart pomerium.service";
|
|
};
|
|
};
|
|
});
|
|
}
|