pomerium: various fixups to make this work
This commit is contained in:
parent
10c6ddc4c9
commit
41bdeda58a
3 changed files with 12 additions and 8 deletions
|
@ -32,7 +32,12 @@ with lib;
|
|||
|
||||
serviceConfig = {
|
||||
DynamicUser = true;
|
||||
ExecStart = "${depot.pkgs.pomerium}/bin/pomerium -config ${cfg.configFile}";
|
||||
ExecStart = pkgs.writeShellScript "run-pomerium" ''
|
||||
if [[ -v CREDENTIALS_DIRECTORY ]]; then
|
||||
cd "$CREDENTIALS_DIRECTORY"
|
||||
fi
|
||||
exec ${depot.pkgs.pomerium}/bin/pomerium -config ${cfg.configFile}
|
||||
'';
|
||||
StateDirectory = "pomerium";
|
||||
|
||||
PrivateUsers = !cfg.bindLowPort; # breaks CAP_NET_BIND_SERVICE
|
||||
|
|
|
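Review bot: The `cd "$CREDENTIALS_DIRECTORY"` in the new run-pomerium wrapper is the only reason the host-side `Environment` entries in this commit can use bare file names, yet nothing in the module says so; add a comment above the `if`, e.g. `# Run from the credentials directory so relative CERTIFICATE_FILE / CERTIFICATE_KEY_FILE values loaded via LoadCredential= resolve.` When no credentials are configured the `if` falls through and pomerium starts from the unit's default working directory, so a config that still uses relative names fails inside pomerium rather than at this guard; an `else` branch with `echo "CREDENTIALS_DIRECTORY unset; relative credential paths will not resolve" >&2` would make that visible in the journal. If the systemd in use supports the `%d` credentials-directory specifier, `WorkingDirectory = "%d";` in serviceConfig would replace the wrapper entirely. The serviceConfig attrset continues past the end of the hunk.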
@ -97,6 +97,7 @@ in {
|
|||
ipv4.addresses = [{ address = "83.97.19.68"; prefixLength = 27; }];
|
||||
ipv6.addresses = [{ address = "2a07:242:800:64::68"; prefixLength = 64; }];
|
||||
};
|
||||
firewall.allowedTCPPorts = [ 80 443 ];
|
||||
};
|
||||
my.ip.tailscale = "100.111.191.21";
|
||||
|
||||
|
@ -174,17 +175,13 @@ in {
|
|||
systemd.services.pomerium.serviceConfig = {
|
||||
After = [ "acme-finished-int.lukegb.com.target" ];
|
||||
Wants = [ "acme-finished-int.lukegb.com.target" ];
|
||||
SetCredential = [
|
||||
LoadCredential = [
|
||||
"certfullchain.pem:/var/lib/acme/int.lukegb.com/fullchain.pem"
|
||||
"certkey.pem:/var/lib/acme/int.lukegb.com/key.pem"
|
||||
];
|
||||
ExecStartPre = [
|
||||
''cp ''${CREDENTIALS_DIRECTORY}/certfullchain.pem /tmp/certfullchain.pem''
|
||||
''cp ''${CREDENTIALS_DIRECTORY}/certkey.pem /tmp/certkey.pem''
|
||||
];
|
||||
Environment = [
|
||||
"CERTIFICATE_FILE=/tmp/certfullchain.pem"
|
||||
"CERTIFICATE_KEY_FILE=/tmp/certkey.pem"
|
||||
"CERTIFICATE_FILE=certfullchain.pem"
|
||||
"CERTIFICATE_KEY_FILE=certkey.pem"
|
||||
];
|
||||
};
|
||||
security.acme = {
|
||||
|
|
|
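Review bot: The new `LoadCredential` entries read the ACME files from /var/lib/acme at unit start, but the `After`/`Wants` lines they sit next to are [Unit] directives placed in `serviceConfig`, so NixOS emits them into the [Service] section where systemd ignores unknown keys; the ordering on `acme-finished-int.lukegb.com.target` is therefore not in effect and pomerium can fail to start before the certificate exists. Move them to the unit options: `systemd.services.pomerium.after = [ "acme-finished-int.lukegb.com.target" ];` and `systemd.services.pomerium.wants = [ "acme-finished-int.lukegb.com.target" ];`. Dropping the `ExecStartPre` copies of the key into /tmp is the right call; the relative `CERTIFICATE_FILE=certfullchain.pem` values now depend on the module's wrapper changing into `$CREDENTIALS_DIRECTORY`, which deserves a one-line comment above `Environment`, e.g. `# relative to $CREDENTIALS_DIRECTORY; the pomerium module cd's there before exec`. The first hunk of this file only opens TCP 80/443 and raises nothing.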
@ -7,4 +7,6 @@ authenticate_service_url: https://auth.int.lukegb.com
|
|||
policy:
|
||||
- from: https://httpbin.int.lukegb.com
|
||||
to: https://verify.pomerium.com
|
||||
allowed_domains:
|
||||
- lukegb.com
|
||||
pass_identity_headers: true
|
||||
|
|
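Review bot: `pass_identity_headers: true` on this route forwards the authenticated user's identity headers (the JWT assertion and claim headers) to the upstream, and the upstream here is the external https://verify.pomerium.com, so user identity data leaves the deployment on every request; that is what the verify service exists for, but the config should say so, e.g. a comment above the option: `# verify.pomerium.com is a public verification service: identity headers are sent off-site`. `allowed_domains` matches on the e-mail domain only, so any account at the identity provider under lukegb.com is admitted; fine for an httpbin test route, but worth a note if this policy block is copied for real services.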