3p/nixpkgs: remove handrolled pomerium fixes, migrate to upstream PR
This commit is contained in:
parent
c98f3312a7
commit
75a5b40962
4 changed files with 252 additions and 43 deletions
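--- a/third_party/nixpkgs/patches/pomerium-fix.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-diff --git a/nixos/modules/services/web-servers/pomerium.nix b/nixos/modules/services/web-servers/pomerium.nix
---- a/nixos/modules/services/web-servers/pomerium.nix
-+++ b/nixos/modules/services/web-servers/pomerium.nix
-@@ -69,11 +69,16 @@ in
-CERTIFICATE_KEY_FILE = "key.pem";
-};
-startLimitIntervalSec = 60;
-+ script = ''
-+ if [[ -v CREDENTIALS_DIRECTORY ]]; then
-+ cd "$CREDENTIALS_DIRECTORY"
-+ fi
-+ exec "${pkgs.pomerium}/bin/pomerium" -config "${cfgFile}"
-+ '';
-
-serviceConfig = {
-DynamicUser = true;
-StateDirectory = [ "pomerium" ];
-- ExecStart = "${pkgs.pomerium}/bin/pomerium -config ${cfgFile}";
-
-PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
-MemoryDenyWriteExecute = false; # breaks LuaJIT
-@@ -99,7 +104,6 @@ in
-AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
-CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
-
-- WorkingDirectory = mkIf (cfg.useACMEHost != null) "$CREDENTIALS_DIRECTORY";
-LoadCredential = optionals (cfg.useACMEHost != null) [
-"fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem"
-"key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem"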
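--- a/third_party/nixpkgs/patches/pomerium-fix2.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/nixos/modules/services/web-servers/pomerium.nix b/third_party/nixpkgs/nixos/modules/services/web-servers/pomerium.nix
---- a/nixos/modules/services/web-servers/pomerium.nix
-+++ b/nixos/modules/services/web-servers/pomerium.nix
-@@ -128,7 +128,7 @@ in
-Type = "oneshot";
-TimeoutSec = 60;
-ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active pomerium.service";
-- ExecStart = "/run/current-system/systemd/bin/systemctl restart pomerium.service";
-+ ExecStart = "/run/current-system/systemd/bin/systemctl --no-block restart pomerium.service";
-};
-};
-});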
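--- /dev/null
+++ b/third_party/nixpkgs/patches/pr163673.patch
@@ -0,0 +1,251 @@
+From 860cc90fec86ea49d1f73ac5f5920f11afaba28d Mon Sep 17 00:00:00 2001
+From: Luke Granger-Brown <git@lukegb.com>
+Date: Fri, 11 Mar 2022 13:54:14 +0000
+Subject: [PATCH 1/4] pomerium: 0.15.7 -> 0.17.0
+
+---
+pkgs/servers/http/pomerium/default.nix | 8 +++-----
+1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/pkgs/servers/http/pomerium/default.nix b/pkgs/servers/http/pomerium/default.nix
+index cbf2fe1943542..4a8381bccc996 100644
+--- a/pkgs/servers/http/pomerium/default.nix
++++ b/pkgs/servers/http/pomerium/default.nix
+@@ -11,18 +11,17 @@ let
+in
+buildGoModule rec {
+pname = "pomerium";
+- version = "0.15.7";
++ version = "0.17.0";
+src = fetchFromGitHub {
+owner = "pomerium";
+repo = "pomerium";
+rev = "v${version}";
+- hash = "sha256:0adlk4ylny1z43x1dw3ny0s1932vhb61hpf5wdz4r65y8k9qyfgr";
++ hash = "sha256:1hv76i6k9f0kp527nxlxqhklsvkh2cmfnqlszmlk2hxij31qnf8q";
+};
+
+- vendorSha256 = "sha256:1fszfbra84pcs8v1h2kf7iy603vf9v2ysg6il76aqmqrxmb1p7nv";
++ vendorSha256 = "sha256:1cq4m5a7z64yg3v1c68d15ilw78il6p53vaqzxgn338zjggr3kig";
+subPackages = [
+"cmd/pomerium"
+- "cmd/pomerium-cli"
+];
+
+ldflags = let
+@@ -74,7 +73,6 @@ buildGoModule rec {
+
+installPhase = ''
+install -Dm0755 $GOPATH/bin/pomerium $out/bin/pomerium
+- install -Dm0755 $GOPATH/bin/pomerium-cli $out/bin/pomerium-cli
+'';
+
+passthru.tests = {
+
+From 6659ba52480b2881c89c104370c2e7528fb34a0e Mon Sep 17 00:00:00 2001
+From: Luke Granger-Brown <git@lukegb.com>
+Date: Fri, 11 Mar 2022 14:01:27 +0000
+Subject: [PATCH 2/4] pomerium-cli: init at 0.17.0
+
+---
+pkgs/servers/http/pomerium/default.nix | 2 +
+pkgs/tools/security/pomerium-cli/default.nix | 58 ++++++++++++++++++++
+pkgs/top-level/all-packages.nix | 1 +
+3 files changed, 61 insertions(+)
+create mode 100644 pkgs/tools/security/pomerium-cli/default.nix
+
+diff --git a/pkgs/servers/http/pomerium/default.nix b/pkgs/servers/http/pomerium/default.nix
+index 4a8381bccc996..8a5580d5d0dba 100644
+--- a/pkgs/servers/http/pomerium/default.nix
++++ b/pkgs/servers/http/pomerium/default.nix
+@@ -4,6 +4,7 @@
+, envoy
+, zip
+, nixosTests
++, pomerium-cli
+}:
+
+let
+@@ -77,6 +78,7 @@ buildGoModule rec {
+
+passthru.tests = {
+inherit (nixosTests) pomerium;
++ inherit pomerium-cli;
+};
+
+meta = with lib; {
+diff --git a/pkgs/tools/security/pomerium-cli/default.nix b/pkgs/tools/security/pomerium-cli/default.nix
+new file mode 100644
+index 0000000000000..7dc7e3a7a903c
+--- /dev/null
++++ b/pkgs/tools/security/pomerium-cli/default.nix
+@@ -0,0 +1,58 @@
++{ buildGoModule
++, fetchFromGitHub
++, lib
++, pomerium
++}:
++
++let
++ inherit (lib) concatStringsSep concatMap id mapAttrsToList;
++in
++buildGoModule rec {
++ pname = "pomerium-cli";
++ version = pomerium.version;
++ src = fetchFromGitHub {
++ owner = "pomerium";
++ repo = "cli";
++ rev = "v${version}";
++ hash = "sha256:0230b22xjnpykj8bcdahzzlsvlrd63z2cmg6yb246c5ngjs835q1";
++ };
++
++ vendorSha256 = "sha256:0xx22lmh6wip1d1bjrp4lgab3q9yilw54v4lg24lf3xhbsr5si9b";
++ subPackages = [
++ "cmd/pomerium-cli"
++ ];
++
++ ldflags = let
++ # Set a variety of useful meta variables for stamping the build with.
++ setVars = {
++ "github.com/pomerium/cli/version" = {
++ Version = "v${version}";
++ BuildMeta = "nixpkgs";
++ ProjectName = "pomerium-cli";
++ ProjectURL = "github.com/pomerium/cli";
++ };
++ };
++ concatStringsSpace = list: concatStringsSep " " list;
++ mapAttrsToFlatList = fn: list: concatMap id (mapAttrsToList fn list);
++ varFlags = concatStringsSpace (
++ mapAttrsToFlatList (package: packageVars:
++ mapAttrsToList (variable: value:
++ "-X ${package}.${variable}=${value}"
++ ) packageVars
++ ) setVars);
++ in [
++ "${varFlags}"
++ ];
++
++ installPhase = ''
++ install -Dm0755 $GOPATH/bin/pomerium-cli $out/bin/pomerium-cli
++ '';
++
++ meta = with lib; {
++ homepage = "https://pomerium.io";
++ description = "Client-side helper for Pomerium authenticating reverse proxy";
++ license = licenses.asl20;
++ maintainers = with maintainers; [ lukegb ];
++ platforms = platforms.unix;
++ };
++}
+diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
+index a2880d70e6457..7b01dfe3fe72d 100644
+--- a/pkgs/top-level/all-packages.nix
++++ b/pkgs/top-level/all-packages.nix
+@@ -21613,6 +21613,7 @@ with pkgs;
+pflogsumm = callPackage ../servers/mail/postfix/pflogsumm.nix { };
+
+pomerium = callPackage ../servers/http/pomerium { };
++ pomerium-cli = callPackage ../tools/security/pomerium-cli { };
+
+postgrey = callPackage ../servers/mail/postgrey { };
+
+
+From 3004e58f6a0817080f40db34dc96fdf4d5da6c18 Mon Sep 17 00:00:00 2001
+From: Luke Granger-Brown <git@lukegb.com>
+Date: Fri, 11 Mar 2022 14:03:22 +0000
+Subject: [PATCH 3/4] nixos/pomerium: avoid blocking when renewing ACME
+certificates
+
+---
+nixos/modules/services/web-servers/pomerium.nix | 10 +++++++---
+1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/nixos/modules/services/web-servers/pomerium.nix b/nixos/modules/services/web-servers/pomerium.nix
+index 2bc7d01c7c287..0b460755f50ef 100644
+--- a/nixos/modules/services/web-servers/pomerium.nix
++++ b/nixos/modules/services/web-servers/pomerium.nix
+@@ -69,11 +69,16 @@ in
+CERTIFICATE_KEY_FILE = "key.pem";
+};
+startLimitIntervalSec = 60;
++ script = ''
++ if [[ -v CREDENTIALS_DIRECTORY ]]; then
++ cd "$CREDENTIALS_DIRECTORY"
++ fi
++ exec "${pkgs.pomerium}/bin/pomerium" -config "${cfgFile}"
++ '';
+
+serviceConfig = {
+DynamicUser = true;
+StateDirectory = [ "pomerium" ];
+- ExecStart = "${pkgs.pomerium}/bin/pomerium -config ${cfgFile}";
+
+PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
+MemoryDenyWriteExecute = false; # breaks LuaJIT
+@@ -99,7 +104,6 @@ in
+AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+
+- WorkingDirectory = mkIf (cfg.useACMEHost != null) "$CREDENTIALS_DIRECTORY";
+LoadCredential = optionals (cfg.useACMEHost != null) [
+"fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem"
+"key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem"
+@@ -124,7 +128,7 @@ in
+Type = "oneshot";
+TimeoutSec = 60;
+ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active pomerium.service";
+- ExecStart = "/run/current-system/systemd/bin/systemctl restart pomerium.service";
++ ExecStart = "/run/current-system/systemd/bin/systemctl --no-block restart pomerium.service";
+};
+};
+});
+
+From c19e76b29f7bd0d225ab89feb0a3726676f915c8 Mon Sep 17 00:00:00 2001
+From: Luke Granger-Brown <git@lukegb.com>
+Date: Fri, 11 Mar 2022 14:07:12 +0000
+Subject: [PATCH 4/4] pomerium: note changes in packaging in 22.05 release
+notes
+
+---
+.../manual/from_md/release-notes/rl-2205.section.xml | 10 ++++++++++
+nixos/doc/manual/release-notes/rl-2205.section.md | 5 +++++
+2 files changed, 15 insertions(+)
+
+diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+index 9cf27e56827a1..333994c0957d6 100644
+--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
++++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+@@ -1322,6 +1322,16 @@
+warning.
+</para>
+</listitem>
++ <listitem>
++ <para>
++ The <literal>pomerium-cli</literal> command has been moved out
++ of the <literal>pomerium</literal> package into the
++ <literal>pomerium-cli</literal> package, following upstream’s
++ repository split. If you are using the
++ <literal>pomerium-cli</literal> command, you should now
++ install the <literal>pomerium-cli</literal> package.
++ </para>
++ </listitem>
+<listitem>
+<para>
+The option
+diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
+index 58a1b23d17bf6..222c101a2842d 100644
+--- a/nixos/doc/manual/release-notes/rl-2205.section.md
++++ b/nixos/doc/manual/release-notes/rl-2205.section.md
+@@ -479,6 +479,11 @@ In addition to numerous new and upgraded packages, this release has the followin
+Reason is that the old name has been deprecated upstream.
+Using the old option name will still work, but produce a warning.
+
++- The `pomerium-cli` command has been moved out of the `pomerium` package into
++ the `pomerium-cli` package, following upstream's repository split. If you are
++ using the `pomerium-cli` command, you should now install the `pomerium-cli`
++ package.
++
+- The option
+[services.networking.networkmanager.enableFccUnlock](#opt-networking.networkmanager.enableFccUnlock)
+was added to support FCC unlock procedures. Since release 1.18.4, the ModemManager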
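--- a/third_party/nixpkgs/patches/series
+++ b/third_party/nixpkgs/patches/series
@@ -1,3 +1,2 @@
-pomerium-fix.patch
-pomerium-fix2.patch
 nvidia-sideband-socket.patch
+pr163673.patch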