pomerium: various fixups to make this work

This commit is contained in:
Luke Granger-Brown 2020-12-28 15:27:18 +00:00
parent 10c6ddc4c9
commit 41bdeda58a
3 changed files with 12 additions and 8 deletions


@ -32,7 +32,12 @@ with lib;
serviceConfig = {
DynamicUser = true;
ExecStart = "${depot.pkgs.pomerium}/bin/pomerium -config ${cfg.configFile}";
ExecStart = pkgs.writeShellScript "run-pomerium" ''
if [[ -v CREDENTIALS_DIRECTORY ]]; then
cd "$CREDENTIALS_DIRECTORY"
fi
exec ${depot.pkgs.pomerium}/bin/pomerium -config ${cfg.configFile}
'';
StateDirectory = "pomerium";
PrivateUsers = !cfg.bindLowPort; # breaks CAP_NET_BIND_SERVICE
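Review bot: The `cd "$CREDENTIALS_DIRECTORY"` inside the new `run-pomerium` wrapper is unchecked, and `pkgs.writeShellScript` does not add `set -e` on its own, so if the directory exists in the environment but cannot be entered the script still reaches the `exec` and pomerium starts in whatever directory systemd gave it, where relative certificate paths no longer resolve. Write the line as `cd "$CREDENTIALS_DIRECTORY" || exit 1` so the unit fails visibly instead of starting with the wrong working directory. The `serviceConfig` attribute set continues past the end of the hunk, and the rendered hunk appears to be missing two context lines against its header counts.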


@ -97,6 +97,7 @@ in {
ipv4.addresses = [{ address = "83.97.19.68"; prefixLength = 27; }];
ipv6.addresses = [{ address = "2a07:242:800:64::68"; prefixLength = 64; }];
};
firewall.allowedTCPPorts = [ 80 443 ];
};
my.ip.tailscale = "100.111.191.21";
@ -174,17 +175,13 @@ in {
systemd.services.pomerium.serviceConfig = {
After = [ "acme-finished-int.lukegb.com.target" ];
Wants = [ "acme-finished-int.lukegb.com.target" ];
SetCredential = [
LoadCredential = [
"certfullchain.pem:/var/lib/acme/int.lukegb.com/fullchain.pem"
"certkey.pem:/var/lib/acme/int.lukegb.com/key.pem"
];
ExecStartPre = [
''cp ''${CREDENTIALS_DIRECTORY}/certfullchain.pem /tmp/certfullchain.pem''
''cp ''${CREDENTIALS_DIRECTORY}/certkey.pem /tmp/certkey.pem''
];
Environment = [
"CERTIFICATE_FILE=/tmp/certfullchain.pem"
"CERTIFICATE_KEY_FILE=/tmp/certkey.pem"
"CERTIFICATE_FILE=certfullchain.pem"
"CERTIFICATE_KEY_FILE=certkey.pem"
];
};
security.acme = {
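Review bot: The relative values `CERTIFICATE_FILE=certfullchain.pem` and `CERTIFICATE_KEY_FILE=certkey.pem` in the second hunk only resolve if the service's working directory is the credentials directory, which nothing in this file arranges; a reader of this unit alone cannot tell why the paths are bare file names. Since `Environment=` performs specifier expansion and `%d` names the credentials directory (introduced alongside `LoadCredential=`), `"CERTIFICATE_FILE=%d/certfullchain.pem"` and `"CERTIFICATE_KEY_FILE=%d/certkey.pem"` would make the paths absolute and independent of the cwd. If the relative form is kept deliberately, a one-line comment above `Environment` stating that the paths are relative to `$CREDENTIALS_DIRECTORY` set up by the pomerium wrapper would document the coupling.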


@ -7,4 +7,6 @@ authenticate_service_url: https://auth.int.lukegb.com
policy:
- from: https://httpbin.int.lukegb.com
to: https://verify.pomerium.com
allowed_domains:
- lukegb.com
pass_identity_headers: true
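Review bot: `pass_identity_headers: true` forwards the authenticated user's identity headers to the upstream `https://verify.pomerium.com`, which is an external service rather than one on int.lukegb.com, and the file carries no comment saying this is intentional for a demo route. Which two of the six visible lines are the additions cannot be told from the rendered page. A comment above the policy entry such as `# demo route: identity headers are sent to the external verify.pomerium.com upstream` would make the intent explicit for anyone later copying this entry for an internal service.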