From 41bdeda58acda4c44674cc8feac0c6601daa38a5 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Mon, 28 Dec 2020 15:27:18 +0000
Subject: [PATCH] pomerium: various fixups to make this work
---
 nix/pkgs/pomerium/module.nix | 7 ++++++-
 ops/nixos/etheroute-lon01/default.nix | 11 ++++-------
 ops/nixos/etheroute-lon01/pomerium.yaml | 2 ++
 3 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/nix/pkgs/pomerium/module.nix b/nix/pkgs/pomerium/module.nix
index 99c1a5acae..eeb13c9150 100644
--- a/nix/pkgs/pomerium/module.nix
+++ b/nix/pkgs/pomerium/module.nix
@@ -32,7 +32,12 @@ with lib;
 serviceConfig = {
 DynamicUser = true;
- ExecStart = "${depot.pkgs.pomerium}/bin/pomerium -config ${cfg.configFile}";
+ ExecStart = pkgs.writeShellScript "run-pomerium" ''
+ if [[ -v CREDENTIALS_DIRECTORY ]]; then
+ cd "$CREDENTIALS_DIRECTORY"
+ fi
+ exec ${depot.pkgs.pomerium}/bin/pomerium -config ${cfg.configFile}
+ '';
 StateDirectory = "pomerium";
 PrivateUsers = !cfg.bindLowPort; # breaks CAP_NET_BIND_SERVICE
diff --git a/ops/nixos/etheroute-lon01/default.nix b/ops/nixos/etheroute-lon01/default.nix
index a33ca9121e..973ad7661b 100644
--- a/ops/nixos/etheroute-lon01/default.nix
+++ b/ops/nixos/etheroute-lon01/default.nix
@@ -97,6 +97,7 @@ in {
 ipv4.addresses = [{ address = "83.97.19.68"; prefixLength = 27; }];
 ipv6.addresses = [{ address = "2a07:242:800:64::68"; prefixLength = 64; }];
 };
+ firewall.allowedTCPPorts = [ 80 443 ];
 };
 my.ip.tailscale = "100.111.191.21";
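Review bot: The `if [[ -v CREDENTIALS_DIRECTORY ]]` branch in the new ExecStart wrapper silently falls through to the service's default working directory when no credentials are attached, so a bare-name `CERTIFICATE_FILE` set by a host would then be looked up somewhere unrelated and only fail inside pomerium rather than at the wrapper. A one-line comment above the `cd` would make the contract explicit, e.g. `# LoadCredential= files are referenced by bare name; run from the credentials dir`. The same effect could come declaratively from `WorkingDirectory = "%d";` in serviceConfig, systemd's credentials-directory specifier, which avoids wrapping the binary, though it is worth confirming the deployed systemd version supports it alongside LoadCredential= and how it expands when no credentials are loaded. Whether `pkgs` is an argument of this module is not visible in the hunk.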
@@ -174,17 +175,13 @@ in {
 systemd.services.pomerium.serviceConfig = {
 After = [ "acme-finished-int.lukegb.com.target" ];
 Wants = [ "acme-finished-int.lukegb.com.target" ];
- SetCredential = [
+ LoadCredential = [
 "certfullchain.pem:/var/lib/acme/int.lukegb.com/fullchain.pem"
 "certkey.pem:/var/lib/acme/int.lukegb.com/key.pem"
 ];
- ExecStartPre = [
- ''cp ''${CREDENTIALS_DIRECTORY}/certfullchain.pem /tmp/certfullchain.pem''
- ''cp ''${CREDENTIALS_DIRECTORY}/certkey.pem /tmp/certkey.pem''
- ];
 Environment = [
- "CERTIFICATE_FILE=/tmp/certfullchain.pem"
- "CERTIFICATE_KEY_FILE=/tmp/certkey.pem"
+ "CERTIFICATE_FILE=certfullchain.pem"
+ "CERTIFICATE_KEY_FILE=certkey.pem"
 ];
 };
 security.acme = {
diff --git a/ops/nixos/etheroute-lon01/pomerium.yaml b/ops/nixos/etheroute-lon01/pomerium.yaml
index ebee149c41..cb016508fb 100644
--- a/ops/nixos/etheroute-lon01/pomerium.yaml
+++ b/ops/nixos/etheroute-lon01/pomerium.yaml
@@ -7,4 +7,6 @@ authenticate_service_url: https://auth.int.lukegb.com
 policy:
 - from: https://httpbin.int.lukegb.com
 to: https://verify.pomerium.com
+ allowed_domains:
+ - lukegb.com
 pass_identity_headers: true
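Review bot: `LoadCredential` copies `/var/lib/acme/int.lukegb.com/fullchain.pem` and `key.pem` into the credentials directory at service start, so after an ACME renewal pomerium keeps serving the previous chain and key until the unit is restarted; the `After`/`Wants` ordering on the acme target only covers the initial start. If the host's `security.acme` block (it begins at the hunk's last context line and continues outside it) does not already restart pomerium on renewal, a post-renewal restart hook there would close that gap. The bare `CERTIFICATE_FILE=certfullchain.pem` values also only resolve because the pomerium module's ExecStart wrapper changes into the credentials directory, which is worth a short comment on the `Environment` list, e.g. `# Relative to $CREDENTIALS_DIRECTORY; the pomerium module cd's there before exec.`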
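Review bot: `allowed_domains: - lukegb.com` narrows who may use this route, but the same route keeps `pass_identity_headers: true`, so the authenticated user's identity claims are forwarded to the upstream `https://verify.pomerium.com`, which is an external service rather than something on this host. If that is intentional for the verification demo, an inline comment would stop a later reader from treating it as a leak, e.g. `# identity headers are deliberately sent to the external verify service`. Which identity attribute `allowed_domains` is matched against depends on the pomerium version deployed and is not visible here.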