pomerium: various fixups to make this work

This commit is contained in:
Luke Granger-Brown 2020-12-28 15:27:18 +00:00
parent 10c6ddc4c9
commit 41bdeda58a
3 changed files with 12 additions and 8 deletions


@ -32,7 +32,12 @@ with lib;
serviceConfig = { serviceConfig = {
DynamicUser = true; DynamicUser = true;
ExecStart = "${depot.pkgs.pomerium}/bin/pomerium -config ${cfg.configFile}"; ExecStart = pkgs.writeShellScript "run-pomerium" ''
if [[ -v CREDENTIALS_DIRECTORY ]]; then
cd "$CREDENTIALS_DIRECTORY"
fi
exec ${depot.pkgs.pomerium}/bin/pomerium -config ${cfg.configFile}
'';
StateDirectory = "pomerium"; StateDirectory = "pomerium";
PrivateUsers = !cfg.bindLowPort; # breaks CAP_NET_BIND_SERVICE PrivateUsers = !cfg.bindLowPort; # breaks CAP_NET_BIND_SERVICE
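Review bot: The wrapper in the new `ExecStart` depends on pomerium resolving relative file paths against its working directory, and nothing in the hunk records that contract; a comment above the `cd "$CREDENTIALS_DIRECTORY"` line, such as `# credentials are referenced by bare name (e.g. CERTIFICATE_FILE=certkey.pem), so run from the credentials dir`, would stop the next editor from "simplifying" the cd away. LoadCredential= only exists from systemd 247, and the same release appears to have added the `%d` specifier for the credentials directory, so `WorkingDirectory = "%d";` would likely express this declaratively without a shell script — worth confirming against the systemd version depot ships. When no credentials are configured the script silently leaves the cwd at systemd's default, which is probably intended but is only implicit. The serviceConfig attrset this hunk edits continues past both ends of the hunk.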


@ -97,6 +97,7 @@ in {
ipv4.addresses = [{ address = "83.97.19.68"; prefixLength = 27; }]; ipv4.addresses = [{ address = "83.97.19.68"; prefixLength = 27; }];
ipv6.addresses = [{ address = "2a07:242:800:64::68"; prefixLength = 64; }]; ipv6.addresses = [{ address = "2a07:242:800:64::68"; prefixLength = 64; }];
}; };
firewall.allowedTCPPorts = [ 80 443 ];
}; };
my.ip.tailscale = "100.111.191.21"; my.ip.tailscale = "100.111.191.21";
@ -174,17 +175,13 @@ in {
systemd.services.pomerium.serviceConfig = { systemd.services.pomerium.serviceConfig = {
After = [ "acme-finished-int.lukegb.com.target" ]; After = [ "acme-finished-int.lukegb.com.target" ];
Wants = [ "acme-finished-int.lukegb.com.target" ]; Wants = [ "acme-finished-int.lukegb.com.target" ];
SetCredential = [ LoadCredential = [
"certfullchain.pem:/var/lib/acme/int.lukegb.com/fullchain.pem" "certfullchain.pem:/var/lib/acme/int.lukegb.com/fullchain.pem"
"certkey.pem:/var/lib/acme/int.lukegb.com/key.pem" "certkey.pem:/var/lib/acme/int.lukegb.com/key.pem"
]; ];
ExecStartPre = [
''cp ''${CREDENTIALS_DIRECTORY}/certfullchain.pem /tmp/certfullchain.pem''
''cp ''${CREDENTIALS_DIRECTORY}/certkey.pem /tmp/certkey.pem''
];
Environment = [ Environment = [
"CERTIFICATE_FILE=/tmp/certfullchain.pem" "CERTIFICATE_FILE=certfullchain.pem"
"CERTIFICATE_KEY_FILE=/tmp/certkey.pem" "CERTIFICATE_KEY_FILE=certkey.pem"
]; ];
}; };
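Review bot: The `Environment` values `CERTIFICATE_FILE=certfullchain.pem` and `CERTIFICATE_KEY_FILE=certkey.pem` are bare relative names, so they only resolve if the unit starts inside `$CREDENTIALS_DIRECTORY`, which is arranged by a wrapper in a different file rather than here; systemd expands specifiers in `Environment=`, so on systemd ≥247 (which LoadCredential= already requires) `"CERTIFICATE_FILE=%d/certfullchain.pem"` and `"CERTIFICATE_KEY_FILE=%d/certkey.pem"` would make the paths absolute and drop the cwd dependency. LoadCredential= copies the ACME files once at service start, so after a renewal pomerium keeps serving the old chain until it is restarted; unless the `security.acme` block that begins at the end of the hunk restarts or reloads pomerium on renewal (`postRun` / `reloadServices`), the served certificate can expire in place. The `After`/`Wants` on the acme-finished target only orders the first start and does not help with renewals. The attrset this hunk edits continues outside the hunk.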
security.acme = { security.acme = {


@ -7,4 +7,6 @@ authenticate_service_url: https://auth.int.lukegb.com
policy: policy:
- from: https://httpbin.int.lukegb.com - from: https://httpbin.int.lukegb.com
to: https://verify.pomerium.com to: https://verify.pomerium.com
allowed_domains:
- lukegb.com
pass_identity_headers: true pass_identity_headers: true
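Review bot: `allowed_domains` authorizes on the domain of the email claim the identity provider asserts, so the new rule is only as strict as that provider's email verification; if the provider behind `auth.int.lukegb.com` lets users self-assert an address, anyone can present `@lukegb.com`. A comment on the added lines, e.g. `# any identity whose IdP-verified email is @lukegb.com; prefer allowed_users if the IdP does not verify email`, would record that assumption next to the rule. Note also that with `pass_identity_headers: true` those identity claims are forwarded to `verify.pomerium.com`, a third-party upstream — acceptable for a test route, but worth remembering before this policy is copied to a real backend.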