pomerium: various fixups to make this work
This commit is contained in:
parent
10c6ddc4c9
commit
41bdeda58a
3 changed files with 12 additions and 8 deletions
@ -32,7 +32,12 @@ with lib;
serviceConfig = {
serviceConfig = {
DynamicUser = true;
DynamicUser = true;
ExecStart = "${depot.pkgs.pomerium}/bin/pomerium -config ${cfg.configFile}";
ExecStart = pkgs.writeShellScript "run-pomerium" ''
if [[ -v CREDENTIALS_DIRECTORY ]]; then
cd "$CREDENTIALS_DIRECTORY"
fi
exec ${depot.pkgs.pomerium}/bin/pomerium -config ${cfg.configFile}
'';
StateDirectory = "pomerium";
StateDirectory = "pomerium";
PrivateUsers = !cfg.bindLowPort; # breaks CAP_NET_BIND_SERVICE
PrivateUsers = !cfg.bindLowPort; # breaks CAP_NET_BIND_SERVICE
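Review bot: The wrapper in the new ExecStart does not fail closed when the `cd` into `$CREDENTIALS_DIRECTORY` fails: `pkgs.writeShellScript` adds no `set -e`, so a failed `cd` falls through to the `exec` with the original working directory, and any relative credential filename the unit hands pomerium would then be resolved somewhere else. Changing the line to `cd "$CREDENTIALS_DIRECTORY" || exit 1` keeps a misconfigured credentials directory from starting the proxy against the wrong files. The `[[ -v CREDENTIALS_DIRECTORY ]]` guard itself is correct for bash, which writeShellScript uses. The enclosing serviceConfig attribute set continues outside the hunk.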
@ -97,6 +97,7 @@ in {
ipv4.addresses = [{ address = "83.97.19.68"; prefixLength = 27; }];
ipv4.addresses = [{ address = "83.97.19.68"; prefixLength = 27; }];
ipv6.addresses = [{ address = "2a07:242:800:64::68"; prefixLength = 64; }];
ipv6.addresses = [{ address = "2a07:242:800:64::68"; prefixLength = 64; }];
};
};
firewall.allowedTCPPorts = [ 80 443 ];
};
};
my.ip.tailscale = "100.111.191.21";
my.ip.tailscale = "100.111.191.21";
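Review bot: `firewall.allowedTCPPorts = [ 80 443 ];` opens both ports on every interface, including the Tailscale address declared two lines below it, so the proxy becomes reachable from the overlay network as well as from 83.97.19.68. If only the public interface is meant to serve pomerium, `networking.firewall.interfaces.<name>.allowedTCPPorts` scopes the rule to that interface. Whether pomerium actually listens on port 80 (presumably for an HTTP-to-HTTPS redirect) is not visible in this commit, so the port 80 entry is worth confirming against the proxy's listen configuration.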
@ -174,17 +175,13 @@ in {
systemd.services.pomerium.serviceConfig = {
systemd.services.pomerium.serviceConfig = {
After = [ "acme-finished-int.lukegb.com.target" ];
After = [ "acme-finished-int.lukegb.com.target" ];
Wants = [ "acme-finished-int.lukegb.com.target" ];
Wants = [ "acme-finished-int.lukegb.com.target" ];
SetCredential = [
LoadCredential = [
"certfullchain.pem:/var/lib/acme/int.lukegb.com/fullchain.pem"
"certfullchain.pem:/var/lib/acme/int.lukegb.com/fullchain.pem"
"certkey.pem:/var/lib/acme/int.lukegb.com/key.pem"
"certkey.pem:/var/lib/acme/int.lukegb.com/key.pem"
];
];
ExecStartPre = [
''cp ''${CREDENTIALS_DIRECTORY}/certfullchain.pem /tmp/certfullchain.pem''
''cp ''${CREDENTIALS_DIRECTORY}/certkey.pem /tmp/certkey.pem''
];
Environment = [
Environment = [
"CERTIFICATE_FILE=/tmp/certfullchain.pem"
"CERTIFICATE_FILE=certfullchain.pem"
"CERTIFICATE_KEY_FILE=/tmp/certkey.pem"
"CERTIFICATE_KEY_FILE=certkey.pem"
];
];
};
};
security.acme = {
security.acme = {
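Review bot: The new `CERTIFICATE_FILE=certfullchain.pem` and `CERTIFICATE_KEY_FILE=certkey.pem` values are bare filenames, so they only resolve because the unit's ExecStart wrapper changes into `$CREDENTIALS_DIRECTORY` first; any other invocation that reuses this Environment= block would look for the key wherever the working directory happens to be. systemd applies specifier expansion to `Environment=`, so `"CERTIFICATE_FILE=%d/certfullchain.pem"` and `"CERTIFICATE_KEY_FILE=%d/certkey.pem"` give absolute paths inside the credentials directory without depending on the wrapper's cwd. Separately, `LoadCredential=` reads the ACME files only at service start, so after a renewal the old certificate keeps being served until pomerium restarts; if the `security.acme` block that begins at the end of this hunk does not already set `reloadServices = [ "pomerium.service" ]` for this cert, it should.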
@ -7,4 +7,6 @@ authenticate_service_url: https://auth.int.lukegb.com
policy:
policy:
- from: https://httpbin.int.lukegb.com
- from: https://httpbin.int.lukegb.com
to: https://verify.pomerium.com
to: https://verify.pomerium.com
allowed_domains:
- lukegb.com
pass_identity_headers: true
pass_identity_headers: true
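Review bot: With `allowed_domains` now opening this route to every lukegb.com account, the existing `pass_identity_headers: true` forwards each signed-in user's identity headers and JWT to the upstream, and that upstream is the third-party `https://verify.pomerium.com`, so user claims leave the deployment on every request; that is what the verify demo expects, but the setting should not be carried over to routes whose upstream does not need identity. `allowed_domains` authorizes by the domain of the identity's email claim, so the guarantee rests on the identity provider asserting only verified addresses for that domain, which is worth confirming in the IdP configuration. The policy list may continue past the end of the hunk.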