3p/nixpkgs: remove handrolled pomerium fixes, migrate to upstream PR

This commit is contained in:
Luke Granger-Brown 2022-03-11 14:41:08 +00:00
parent c98f3312a7
commit 75a5b40962
4 changed files with 252 additions and 43 deletions

View file

@ -1,29 +0,0 @@
diff --git a/nixos/modules/services/web-servers/pomerium.nix b/nixos/modules/services/web-servers/pomerium.nix
--- a/nixos/modules/services/web-servers/pomerium.nix
+++ b/nixos/modules/services/web-servers/pomerium.nix
@@ -69,11 +69,16 @@ in
CERTIFICATE_KEY_FILE = "key.pem";
};
startLimitIntervalSec = 60;
+ script = ''
+ if [[ -v CREDENTIALS_DIRECTORY ]]; then
+ cd "$CREDENTIALS_DIRECTORY"
+ fi
+ exec "${pkgs.pomerium}/bin/pomerium" -config "${cfgFile}"
+ '';
serviceConfig = {
DynamicUser = true;
StateDirectory = [ "pomerium" ];
- ExecStart = "${pkgs.pomerium}/bin/pomerium -config ${cfgFile}";
PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
MemoryDenyWriteExecute = false; # breaks LuaJIT
@@ -99,7 +104,6 @@ in
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
- WorkingDirectory = mkIf (cfg.useACMEHost != null) "$CREDENTIALS_DIRECTORY";
LoadCredential = optionals (cfg.useACMEHost != null) [
"fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem"
"key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem"

View file

@ -1,12 +0,0 @@
diff --git a/nixos/modules/services/web-servers/pomerium.nix b/third_party/nixpkgs/nixos/modules/services/web-servers/pomerium.nix
--- a/nixos/modules/services/web-servers/pomerium.nix
+++ b/nixos/modules/services/web-servers/pomerium.nix
@@ -128,7 +128,7 @@ in
Type = "oneshot";
TimeoutSec = 60;
ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active pomerium.service";
- ExecStart = "/run/current-system/systemd/bin/systemctl restart pomerium.service";
+ ExecStart = "/run/current-system/systemd/bin/systemctl --no-block restart pomerium.service";
};
};
});

View file

@ -0,0 +1,251 @@
From 860cc90fec86ea49d1f73ac5f5920f11afaba28d Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Fri, 11 Mar 2022 13:54:14 +0000
Subject: [PATCH 1/4] pomerium: 0.15.7 -> 0.17.0
---
pkgs/servers/http/pomerium/default.nix | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/pkgs/servers/http/pomerium/default.nix b/pkgs/servers/http/pomerium/default.nix
index cbf2fe1943542..4a8381bccc996 100644
--- a/pkgs/servers/http/pomerium/default.nix
+++ b/pkgs/servers/http/pomerium/default.nix
@@ -11,18 +11,17 @@ let
in
buildGoModule rec {
pname = "pomerium";
- version = "0.15.7";
+ version = "0.17.0";
src = fetchFromGitHub {
owner = "pomerium";
repo = "pomerium";
rev = "v${version}";
- hash = "sha256:0adlk4ylny1z43x1dw3ny0s1932vhb61hpf5wdz4r65y8k9qyfgr";
+ hash = "sha256:1hv76i6k9f0kp527nxlxqhklsvkh2cmfnqlszmlk2hxij31qnf8q";
};
- vendorSha256 = "sha256:1fszfbra84pcs8v1h2kf7iy603vf9v2ysg6il76aqmqrxmb1p7nv";
+ vendorSha256 = "sha256:1cq4m5a7z64yg3v1c68d15ilw78il6p53vaqzxgn338zjggr3kig";
subPackages = [
"cmd/pomerium"
- "cmd/pomerium-cli"
];
ldflags = let
@@ -74,7 +73,6 @@ buildGoModule rec {
installPhase = ''
install -Dm0755 $GOPATH/bin/pomerium $out/bin/pomerium
- install -Dm0755 $GOPATH/bin/pomerium-cli $out/bin/pomerium-cli
'';
passthru.tests = {
From 6659ba52480b2881c89c104370c2e7528fb34a0e Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Fri, 11 Mar 2022 14:01:27 +0000
Subject: [PATCH 2/4] pomerium-cli: init at 0.17.0
---
pkgs/servers/http/pomerium/default.nix | 2 +
pkgs/tools/security/pomerium-cli/default.nix | 58 ++++++++++++++++++++
pkgs/top-level/all-packages.nix | 1 +
3 files changed, 61 insertions(+)
create mode 100644 pkgs/tools/security/pomerium-cli/default.nix
diff --git a/pkgs/servers/http/pomerium/default.nix b/pkgs/servers/http/pomerium/default.nix
index 4a8381bccc996..8a5580d5d0dba 100644
--- a/pkgs/servers/http/pomerium/default.nix
+++ b/pkgs/servers/http/pomerium/default.nix
@@ -4,6 +4,7 @@
, envoy
, zip
, nixosTests
+, pomerium-cli
}:
let
@@ -77,6 +78,7 @@ buildGoModule rec {
passthru.tests = {
inherit (nixosTests) pomerium;
+ inherit pomerium-cli;
};
meta = with lib; {
diff --git a/pkgs/tools/security/pomerium-cli/default.nix b/pkgs/tools/security/pomerium-cli/default.nix
new file mode 100644
index 0000000000000..7dc7e3a7a903c
--- /dev/null
+++ b/pkgs/tools/security/pomerium-cli/default.nix
@@ -0,0 +1,58 @@
+{ buildGoModule
+, fetchFromGitHub
+, lib
+, pomerium
+}:
+
+let
+ inherit (lib) concatStringsSep concatMap id mapAttrsToList;
+in
+buildGoModule rec {
+ pname = "pomerium-cli";
+ version = pomerium.version;
+ src = fetchFromGitHub {
+ owner = "pomerium";
+ repo = "cli";
+ rev = "v${version}";
+ hash = "sha256:0230b22xjnpykj8bcdahzzlsvlrd63z2cmg6yb246c5ngjs835q1";
+ };
+
+ vendorSha256 = "sha256:0xx22lmh6wip1d1bjrp4lgab3q9yilw54v4lg24lf3xhbsr5si9b";
+ subPackages = [
+ "cmd/pomerium-cli"
+ ];
+
+ ldflags = let
+ # Set a variety of useful meta variables for stamping the build with.
+ setVars = {
+ "github.com/pomerium/cli/version" = {
+ Version = "v${version}";
+ BuildMeta = "nixpkgs";
+ ProjectName = "pomerium-cli";
+ ProjectURL = "github.com/pomerium/cli";
+ };
+ };
+ concatStringsSpace = list: concatStringsSep " " list;
+ mapAttrsToFlatList = fn: list: concatMap id (mapAttrsToList fn list);
+ varFlags = concatStringsSpace (
+ mapAttrsToFlatList (package: packageVars:
+ mapAttrsToList (variable: value:
+ "-X ${package}.${variable}=${value}"
+ ) packageVars
+ ) setVars);
+ in [
+ "${varFlags}"
+ ];
+
+ installPhase = ''
+ install -Dm0755 $GOPATH/bin/pomerium-cli $out/bin/pomerium-cli
+ '';
+
+ meta = with lib; {
+ homepage = "https://pomerium.io";
+ description = "Client-side helper for Pomerium authenticating reverse proxy";
+ license = licenses.asl20;
+ maintainers = with maintainers; [ lukegb ];
+ platforms = platforms.unix;
+ };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index a2880d70e6457..7b01dfe3fe72d 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -21613,6 +21613,7 @@ with pkgs;
pflogsumm = callPackage ../servers/mail/postfix/pflogsumm.nix { };
pomerium = callPackage ../servers/http/pomerium { };
+ pomerium-cli = callPackage ../tools/security/pomerium-cli { };
postgrey = callPackage ../servers/mail/postgrey { };
From 3004e58f6a0817080f40db34dc96fdf4d5da6c18 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Fri, 11 Mar 2022 14:03:22 +0000
Subject: [PATCH 3/4] nixos/pomerium: avoid blocking when renewing ACME
certificates
---
nixos/modules/services/web-servers/pomerium.nix | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/nixos/modules/services/web-servers/pomerium.nix b/nixos/modules/services/web-servers/pomerium.nix
index 2bc7d01c7c287..0b460755f50ef 100644
--- a/nixos/modules/services/web-servers/pomerium.nix
+++ b/nixos/modules/services/web-servers/pomerium.nix
@@ -69,11 +69,16 @@ in
CERTIFICATE_KEY_FILE = "key.pem";
};
startLimitIntervalSec = 60;
+ script = ''
+ if [[ -v CREDENTIALS_DIRECTORY ]]; then
+ cd "$CREDENTIALS_DIRECTORY"
+ fi
+ exec "${pkgs.pomerium}/bin/pomerium" -config "${cfgFile}"
+ '';
serviceConfig = {
DynamicUser = true;
StateDirectory = [ "pomerium" ];
- ExecStart = "${pkgs.pomerium}/bin/pomerium -config ${cfgFile}";
PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
MemoryDenyWriteExecute = false; # breaks LuaJIT
@@ -99,7 +104,6 @@ in
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
- WorkingDirectory = mkIf (cfg.useACMEHost != null) "$CREDENTIALS_DIRECTORY";
LoadCredential = optionals (cfg.useACMEHost != null) [
"fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem"
"key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem"
@@ -124,7 +128,7 @@ in
Type = "oneshot";
TimeoutSec = 60;
ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active pomerium.service";
- ExecStart = "/run/current-system/systemd/bin/systemctl restart pomerium.service";
+ ExecStart = "/run/current-system/systemd/bin/systemctl --no-block restart pomerium.service";
};
};
});
From c19e76b29f7bd0d225ab89feb0a3726676f915c8 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Fri, 11 Mar 2022 14:07:12 +0000
Subject: [PATCH 4/4] pomerium: note changes in packaging in 22.05 release
notes
---
.../manual/from_md/release-notes/rl-2205.section.xml | 10 ++++++++++
nixos/doc/manual/release-notes/rl-2205.section.md | 5 +++++
2 files changed, 15 insertions(+)
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
index 9cf27e56827a1..333994c0957d6 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -1322,6 +1322,16 @@
warning.
</para>
</listitem>
+ <listitem>
+ <para>
+ The <literal>pomerium-cli</literal> command has been moved out
+ of the <literal>pomerium</literal> package into the
+ <literal>pomerium-cli</literal> package, following upstreams
+ repository split. If you are using the
+ <literal>pomerium-cli</literal> command, you should now
+ install the <literal>pomerium-cli</literal> package.
+ </para>
+ </listitem>
<listitem>
<para>
The option
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
index 58a1b23d17bf6..222c101a2842d 100644
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@@ -479,6 +479,11 @@ In addition to numerous new and upgraded packages, this release has the followin
Reason is that the old name has been deprecated upstream.
Using the old option name will still work, but produce a warning.
+- The `pomerium-cli` command has been moved out of the `pomerium` package into
+ the `pomerium-cli` package, following upstream's repository split. If you are
+ using the `pomerium-cli` command, you should now install the `pomerium-cli`
+ package.
+
- The option
[services.networking.networkmanager.enableFccUnlock](#opt-networking.networkmanager.enableFccUnlock)
was added to support FCC unlock procedures. Since release 1.18.4, the ModemManager

View file

@ -1,3 +1,2 @@
pomerium-fix.patch
pomerium-fix2.patch
nvidia-sideband-socket.patch
pr163673.patch