2021-04-07 00:46:15 +00:00
diff --git a/nixos/modules/services/web-servers/pomerium.nix b/nixos/modules/services/web-servers/pomerium.nix
--- a/nixos/modules/services/web-servers/pomerium.nix
+++ b/nixos/modules/services/web-servers/pomerium.nix
2021-04-07 11:56:26 +00:00
@@ -69,11 +69,16 @@ in
CERTIFICATE_KEY_FILE = "key.pem";
};
startLimitIntervalSec = 60;
+ script = ''
+ if [[ -v CREDENTIALS_DIRECTORY ]]; then
+ cd "$CREDENTIALS_DIRECTORY"
+ fi
+ exec "${pkgs.pomerium}/bin/pomerium" -config "${cfgFile}"
+ '';
|
|
|
|
|
|
|
|
serviceConfig = {
DynamicUser = true;
StateDirectory = [ "pomerium" ];
- ExecStart = "${pkgs.pomerium}/bin/pomerium -config ${cfgFile}";
|
|
|
|
|
|
|
|
PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
MemoryDenyWriteExecute = false; # breaks LuaJIT
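Review bot: The `cd "$CREDENTIALS_DIRECTORY"` in the new `script` is unguarded, so if the variable is set but the directory cannot be entered the script falls through to `exec` and the relative `CERTIFICATE_KEY_FILE = "key.pem"` path resolves against whatever the working directory happens to be. NixOS's `script` wrapper normally prefixes `set -e`, which would make the failed `cd` abort the unit before `exec`, but that preamble is not visible in this hunk, so `cd "$CREDENTIALS_DIRECTORY" || exit 1` makes the fail-closed intent explicit. A one-line comment above the `[[ -v CREDENTIALS_DIRECTORY ]]` test would also help the next reader, since the reason for the shell wrapper is only apparent from the removed `WorkingDirectory` line in the second hunk: `# systemd does not expand $CREDENTIALS_DIRECTORY in WorkingDirectory=, so chdir here so the relative certificate paths in the config resolve`. The enclosing service definition starts and ends outside this hunk.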
@@ -99,7 +104,6 @@ in
2021-04-07 11:41:32 +00:00
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
|
|
|
|
|
|
|
|
- WorkingDirectory = mkIf (cfg.useACMEHost != null) "$CREDENTIALS_DIRECTORY";
LoadCredential = optionals (cfg.useACMEHost != null) [
"fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem"
"key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem"