From 31811e480b4b0ad103094922098ba6312743d34b Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Wed, 7 Apr 2021 11:41:32 +0000
Subject: [PATCH] 3p/nixpkgs: remove WorkingDirectory from pomerium too
---
 .../nixos/modules/services/web-servers/pomerium.nix | 1 -
 third_party/nixpkgs/patches/pomerium-fix.patch | 10 +++++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/third_party/nixpkgs/nixos/modules/services/web-servers/pomerium.nix b/third_party/nixpkgs/nixos/modules/services/web-servers/pomerium.nix
index 2bc7d01c7c..1af9caa39f 100644
--- a/third_party/nixpkgs/nixos/modules/services/web-servers/pomerium.nix
+++ b/third_party/nixpkgs/nixos/modules/services/web-servers/pomerium.nix
@@ -99,7 +99,6 @@ in
 AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
 CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
 
- WorkingDirectory = mkIf (cfg.useACMEHost != null) "$CREDENTIALS_DIRECTORY";
 LoadCredential = optionals (cfg.useACMEHost != null) [
 "fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem"
 "key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem"
diff --git a/third_party/nixpkgs/patches/pomerium-fix.patch b/third_party/nixpkgs/patches/pomerium-fix.patch
index 9bd8b96020..e022ae618c 100644
--- a/third_party/nixpkgs/patches/pomerium-fix.patch
+++ b/third_party/nixpkgs/patches/pomerium-fix.patch
@@ -1,7 +1,15 @@
 diff --git a/nixos/modules/services/web-servers/pomerium.nix b/nixos/modules/services/web-servers/pomerium.nix
 --- a/nixos/modules/services/web-servers/pomerium.nix 
+++ b/nixos/modules/services/web-servers/pomerium.nix
-@@ -119,7 +119,7 @@ in
+@@ -99,7 +99,6 @@ in
+ AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+ CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+ 
+- WorkingDirectory = mkIf (cfg.useACMEHost != null) "$CREDENTIALS_DIRECTORY";
+ LoadCredential = optionals (cfg.useACMEHost != null) [
+ "fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem"
+ "key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem"
+@@ -119,7 +118,7 @@ in
 before = [ "acme-finished-${cfg.useACMEHost}.target" ];
 after = [ "acme-${cfg.useACMEHost}.service" ];
 # Block reloading if not all certs exist yet.
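Review bot: With `WorkingDirectory` dropped above the `LoadCredential` list, nothing on the new side says how pomerium is meant to find `fullchain.pem` and `key.pem`, which are only names inside the credentials directory. If the certificate settings elsewhere in the module (outside this hunk) still use bare relative names, they would now resolve against the unit's default working directory and TLS setup would fail at start, so it is worth confirming they point under `$CREDENTIALS_DIRECTORY`. I would add a comment above `LoadCredential` in the carried patch, e.g. `# No WorkingDirectory here: reference credentials via $CREDENTIALS_DIRECTORY, not relative paths.` The same removal is applied directly to the vendored pomerium.nix in the first hunk, and the enclosing attribute set starts and ends outside both hunks.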