From 75a5b409627f17123ad43f8e30213d9e9d8b9c54 Mon Sep 17 00:00:00 2001 From: Luke Granger-Brown Date: Fri, 11 Mar 2022 14:41:08 +0000 Subject: [PATCH] 3p/nixpkgs: remove handrolled pomerium fixes, migrate to upstream PR --- .../nixpkgs/patches/pomerium-fix.patch | 29 -- .../nixpkgs/patches/pomerium-fix2.patch | 12 - third_party/nixpkgs/patches/pr163673.patch | 251 ++++++++++++++++++ third_party/nixpkgs/patches/series | 3 +- 4 files changed, 252 insertions(+), 43 deletions(-) delete mode 100644 third_party/nixpkgs/patches/pomerium-fix.patch delete mode 100644 third_party/nixpkgs/patches/pomerium-fix2.patch create mode 100644 third_party/nixpkgs/patches/pr163673.patch diff --git a/third_party/nixpkgs/patches/pomerium-fix.patch b/third_party/nixpkgs/patches/pomerium-fix.patch deleted file mode 100644 index f425d75982..0000000000 --- a/third_party/nixpkgs/patches/pomerium-fix.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -diff --git a/nixos/modules/services/web-servers/pomerium.nix b/nixos/modules/services/web-servers/pomerium.nix ---- a/nixos/modules/services/web-servers/pomerium.nix -+++ b/nixos/modules/services/web-servers/pomerium.nix -@@ -69,11 +69,16 @@ in - CERTIFICATE_KEY_FILE = "key.pem"; - }; - startLimitIntervalSec = 60; -+ script = '' -+ if [[ -v CREDENTIALS_DIRECTORY ]]; then -+ cd "$CREDENTIALS_DIRECTORY" -+ fi -+ exec "${pkgs.pomerium}/bin/pomerium" -config "${cfgFile}" -+ ''; - - serviceConfig = { - DynamicUser = true; - StateDirectory = [ "pomerium" ]; -- ExecStart = "${pkgs.pomerium}/bin/pomerium -config ${cfgFile}"; - - PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE - MemoryDenyWriteExecute = false; # breaks LuaJIT -@@ -99,7 +104,6 @@ in - AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; - CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; - -- WorkingDirectory = mkIf (cfg.useACMEHost != null) "$CREDENTIALS_DIRECTORY"; - LoadCredential = optionals (cfg.useACMEHost != null) [ - "fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem" - "key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem" diff --git a/third_party/nixpkgs/patches/pomerium-fix2.patch b/third_party/nixpkgs/patches/pomerium-fix2.patch deleted file mode 100644 index 6939b2fc88..0000000000 --- a/third_party/nixpkgs/patches/pomerium-fix2.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/nixos/modules/services/web-servers/pomerium.nix b/third_party/nixpkgs/nixos/modules/services/web-servers/pomerium.nix ---- a/nixos/modules/services/web-servers/pomerium.nix -+++ b/nixos/modules/services/web-servers/pomerium.nix -@@ -128,7 +128,7 @@ in - Type = "oneshot"; - TimeoutSec = 60; - ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active pomerium.service"; -- ExecStart = "/run/current-system/systemd/bin/systemctl restart pomerium.service"; -+ ExecStart = "/run/current-system/systemd/bin/systemctl --no-block restart pomerium.service"; - }; - }; - }); 
diff --git a/third_party/nixpkgs/patches/pr163673.patch b/third_party/nixpkgs/patches/pr163673.patch
new file mode 100644
index 0000000000..1c26e465bf
--- /dev/null
+++ b/third_party/nixpkgs/patches/pr163673.patch
@@ -0,0 +1,251 @@ +From 860cc90fec86ea49d1f73ac5f5920f11afaba28d Mon Sep 17 00:00:00 2001 +From: Luke Granger-Brown +Date: Fri, 11 Mar 2022 13:54:14 +0000 +Subject: [PATCH 1/4] pomerium: 0.15.7 -> 0.17.0 + +--- + pkgs/servers/http/pomerium/default.nix | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/pkgs/servers/http/pomerium/default.nix b/pkgs/servers/http/pomerium/default.nix +index cbf2fe1943542..4a8381bccc996 100644 +--- a/pkgs/servers/http/pomerium/default.nix ++++ b/pkgs/servers/http/pomerium/default.nix +@@ -11,18 +11,17 @@ let + in + buildGoModule rec { + pname = "pomerium"; +- version = "0.15.7"; ++ version = "0.17.0"; + src = fetchFromGitHub { + owner = "pomerium"; + repo = "pomerium"; + rev = "v${version}"; +- hash = "sha256:0adlk4ylny1z43x1dw3ny0s1932vhb61hpf5wdz4r65y8k9qyfgr"; ++ hash = "sha256:1hv76i6k9f0kp527nxlxqhklsvkh2cmfnqlszmlk2hxij31qnf8q"; + }; + +- vendorSha256 = "sha256:1fszfbra84pcs8v1h2kf7iy603vf9v2ysg6il76aqmqrxmb1p7nv"; ++ vendorSha256 = "sha256:1cq4m5a7z64yg3v1c68d15ilw78il6p53vaqzxgn338zjggr3kig"; + subPackages = [ + "cmd/pomerium" +- "cmd/pomerium-cli" + ]; + + ldflags = let +@@ -74,7 +73,6 @@ buildGoModule rec { + + installPhase = '' + install -Dm0755 $GOPATH/bin/pomerium $out/bin/pomerium +- install -Dm0755 $GOPATH/bin/pomerium-cli $out/bin/pomerium-cli + ''; + + passthru.tests = { + +From 6659ba52480b2881c89c104370c2e7528fb34a0e Mon Sep 17 00:00:00 2001 +From: Luke Granger-Brown +Date: Fri, 11 Mar 2022 14:01:27 +0000 +Subject: [PATCH 2/4] pomerium-cli: init at 0.17.0 + +--- + pkgs/servers/http/pomerium/default.nix | 2 + + pkgs/tools/security/pomerium-cli/default.nix | 58 ++++++++++++++++++++ + pkgs/top-level/all-packages.nix | 1 + + 3 files changed, 61 insertions(+) + create mode 100644 pkgs/tools/security/pomerium-cli/default.nix + +diff --git a/pkgs/servers/http/pomerium/default.nix b/pkgs/servers/http/pomerium/default.nix +index 4a8381bccc996..8a5580d5d0dba 100644 +--- 
a/pkgs/servers/http/pomerium/default.nix ++++ b/pkgs/servers/http/pomerium/default.nix +@@ -4,6 +4,7 @@ + , envoy + , zip + , nixosTests ++, pomerium-cli + }: + + let +@@ -77,6 +78,7 @@ buildGoModule rec { + + passthru.tests = { + inherit (nixosTests) pomerium; ++ inherit pomerium-cli; + }; + + meta = with lib; { +diff --git a/pkgs/tools/security/pomerium-cli/default.nix b/pkgs/tools/security/pomerium-cli/default.nix +new file mode 100644 +index 0000000000000..7dc7e3a7a903c +--- /dev/null ++++ b/pkgs/tools/security/pomerium-cli/default.nix +@@ -0,0 +1,58 @@ ++{ buildGoModule ++, fetchFromGitHub ++, lib ++, pomerium ++}: ++ ++let ++ inherit (lib) concatStringsSep concatMap id mapAttrsToList; ++in ++buildGoModule rec { ++ pname = "pomerium-cli"; ++ version = pomerium.version; ++ src = fetchFromGitHub { ++ owner = "pomerium"; ++ repo = "cli"; ++ rev = "v${version}"; ++ hash = "sha256:0230b22xjnpykj8bcdahzzlsvlrd63z2cmg6yb246c5ngjs835q1"; ++ }; ++ ++ vendorSha256 = "sha256:0xx22lmh6wip1d1bjrp4lgab3q9yilw54v4lg24lf3xhbsr5si9b"; ++ subPackages = [ ++ "cmd/pomerium-cli" ++ ]; ++ ++ ldflags = let ++ # Set a variety of useful meta variables for stamping the build with. 
++ setVars = { ++ "github.com/pomerium/cli/version" = { ++ Version = "v${version}"; ++ BuildMeta = "nixpkgs"; ++ ProjectName = "pomerium-cli"; ++ ProjectURL = "github.com/pomerium/cli"; ++ }; ++ }; ++ concatStringsSpace = list: concatStringsSep " " list; ++ mapAttrsToFlatList = fn: list: concatMap id (mapAttrsToList fn list); ++ varFlags = concatStringsSpace ( ++ mapAttrsToFlatList (package: packageVars: ++ mapAttrsToList (variable: value: ++ "-X ${package}.${variable}=${value}" ++ ) packageVars ++ ) setVars); ++ in [ ++ "${varFlags}" ++ ]; ++ ++ installPhase = '' ++ install -Dm0755 $GOPATH/bin/pomerium-cli $out/bin/pomerium-cli ++ ''; ++ ++ meta = with lib; { ++ homepage = "https://pomerium.io"; ++ description = "Client-side helper for Pomerium authenticating reverse proxy"; ++ license = licenses.asl20; ++ maintainers = with maintainers; [ lukegb ]; ++ platforms = platforms.unix; ++ }; ++} +diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix +index a2880d70e6457..7b01dfe3fe72d 100644 +--- a/pkgs/top-level/all-packages.nix ++++ b/pkgs/top-level/all-packages.nix +@@ -21613,6 +21613,7 @@ with pkgs; + pflogsumm = callPackage ../servers/mail/postfix/pflogsumm.nix { }; + + pomerium = callPackage ../servers/http/pomerium { }; ++ pomerium-cli = callPackage ../tools/security/pomerium-cli { }; + + postgrey = callPackage ../servers/mail/postgrey { }; + + +From 3004e58f6a0817080f40db34dc96fdf4d5da6c18 Mon Sep 17 00:00:00 2001 +From: Luke Granger-Brown +Date: Fri, 11 Mar 2022 14:03:22 +0000 +Subject: [PATCH 3/4] nixos/pomerium: avoid blocking when renewing ACME + certificates + +--- + nixos/modules/services/web-servers/pomerium.nix | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/nixos/modules/services/web-servers/pomerium.nix b/nixos/modules/services/web-servers/pomerium.nix +index 2bc7d01c7c287..0b460755f50ef 100644 +--- a/nixos/modules/services/web-servers/pomerium.nix ++++ 
b/nixos/modules/services/web-servers/pomerium.nix +@@ -69,11 +69,16 @@ in + CERTIFICATE_KEY_FILE = "key.pem"; + }; + startLimitIntervalSec = 60; ++ script = '' ++ if [[ -v CREDENTIALS_DIRECTORY ]]; then ++ cd "$CREDENTIALS_DIRECTORY" ++ fi ++ exec "${pkgs.pomerium}/bin/pomerium" -config "${cfgFile}" ++ ''; + + serviceConfig = { + DynamicUser = true; + StateDirectory = [ "pomerium" ]; +- ExecStart = "${pkgs.pomerium}/bin/pomerium -config ${cfgFile}"; + + PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE + MemoryDenyWriteExecute = false; # breaks LuaJIT +@@ -99,7 +104,6 @@ in + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; + CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; + +- WorkingDirectory = mkIf (cfg.useACMEHost != null) "$CREDENTIALS_DIRECTORY"; + LoadCredential = optionals (cfg.useACMEHost != null) [ + "fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem" + "key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem" +@@ -124,7 +128,7 @@ in + Type = "oneshot"; + TimeoutSec = 60; + ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active pomerium.service"; +- ExecStart = "/run/current-system/systemd/bin/systemctl restart pomerium.service"; ++ ExecStart = "/run/current-system/systemd/bin/systemctl --no-block restart pomerium.service"; + }; + }; + }); + +From c19e76b29f7bd0d225ab89feb0a3726676f915c8 Mon Sep 17 00:00:00 2001 +From: Luke Granger-Brown +Date: Fri, 11 Mar 2022 14:07:12 +0000 +Subject: [PATCH 4/4] pomerium: note changes in packaging in 22.05 release + notes + +--- + .../manual/from_md/release-notes/rl-2205.section.xml | 10 ++++++++++ + nixos/doc/manual/release-notes/rl-2205.section.md | 5 +++++ + 2 files changed, 15 insertions(+) + +diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +index 9cf27e56827a1..333994c0957d6 100644 +--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml ++++ 
b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +@@ -1322,6 +1322,16 @@ + warning. + + ++ ++ ++ The pomerium-cli command has been moved out ++ of the pomerium package into the ++ pomerium-cli package, following upstream’s ++ repository split. If you are using the ++ pomerium-cli command, you should now ++ install the pomerium-cli package. ++ ++ + + + The option +diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md +index 58a1b23d17bf6..222c101a2842d 100644 +--- a/nixos/doc/manual/release-notes/rl-2205.section.md ++++ b/nixos/doc/manual/release-notes/rl-2205.section.md +@@ -479,6 +479,11 @@ In addition to numerous new and upgraded packages, this release has the followin + Reason is that the old name has been deprecated upstream. + Using the old option name will still work, but produce a warning. + ++- The `pomerium-cli` command has been moved out of the `pomerium` package into ++ the `pomerium-cli` package, following upstream's repository split. If you are ++ using the `pomerium-cli` command, you should now install the `pomerium-cli` ++ package. ++ + - The option + [services.networking.networkmanager.enableFccUnlock](#opt-networking.networkmanager.enableFccUnlock) + was added to support FCC unlock procedures. Since release 1.18.4, the ModemManager diff --git a/third_party/nixpkgs/patches/series b/third_party/nixpkgs/patches/series index f2cc68009d..f5c44a2f9f 100644 --- a/third_party/nixpkgs/patches/series +++ b/third_party/nixpkgs/patches/series @@ -1,3 +1,2 @@ -pomerium-fix.patch -pomerium-fix2.patch nvidia-sideband-socket.patch +pr163673.patch
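Review bot: In the nested nixos/pomerium hunk of patch 3/4, changing the oneshot's `ExecStart` to `systemctl --no-block restart pomerium.service` means the `Type = "oneshot"` unit now succeeds as soon as the restart job is queued, so a restart that fails after a certificate renewal is no longer reported to whatever invokes that unit; that trade-off deserves a comment on the line, e.g. `# --no-block: succeed once the restart is queued; a failed restart is visible only in pomerium.service's own status`. The new `script` also drops `WorkingDirectory` and does `cd "$CREDENTIALS_DIRECTORY"` only when the variable is set, which presumably is what lets the relative `CERTIFICATE_KEY_FILE = "key.pem"` value resolve against the loaded credentials — a one-line comment above the `if` stating that dependency would help the next reader. In `pkgs/tools/security/pomerium-cli/default.nix`, `version = pomerium.version;` pins the `cli` repo tag and source hash to the server's version; that fails loudly at the hash check if the two repos' releases ever diverge, but a comment noting the intentional lock-step would save a future updater a surprise. This note covers the whole pr163673.patch hunk; the `series` hunk sharing this line is a trivial list update.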