3p/nixpkgs: remove handrolled pomerium fixes, migrate to upstream PR
This commit is contained in:
parent
c98f3312a7
commit
75a5b40962
4 changed files with 252 additions and 43 deletions
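--- a/third_party/nixpkgs/patches/pomerium-fix.patch
+++ b/third_party/nixpkgs/patches/pomerium-fix.patch
@@ -1,29 +0,0 @@
-diff --git a/nixos/modules/services/web-servers/pomerium.nix b/nixos/modules/services/web-servers/pomerium.nix
---- a/nixos/modules/services/web-servers/pomerium.nix
-+++ b/nixos/modules/services/web-servers/pomerium.nix
-@@ -69,11 +69,16 @@ in
-CERTIFICATE_KEY_FILE = "key.pem";
-};
-startLimitIntervalSec = 60;
-+ script = ''
-+ if [[ -v CREDENTIALS_DIRECTORY ]]; then
-+ cd "$CREDENTIALS_DIRECTORY"
-+ fi
-+ exec "${pkgs.pomerium}/bin/pomerium" -config "${cfgFile}"
-+ '';
-
-serviceConfig = {
-DynamicUser = true;
-StateDirectory = [ "pomerium" ];
-- ExecStart = "${pkgs.pomerium}/bin/pomerium -config ${cfgFile}";
-
-PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
-MemoryDenyWriteExecute = false; # breaks LuaJIT
-@@ -99,7 +104,6 @@ in
-AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
-CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
-
-- WorkingDirectory = mkIf (cfg.useACMEHost != null) "$CREDENTIALS_DIRECTORY";
-LoadCredential = optionals (cfg.useACMEHost != null) [
-"fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem"
-"key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem"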
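--- a/third_party/nixpkgs/patches/pomerium-fix2.patch
+++ b/third_party/nixpkgs/patches/pomerium-fix2.patch
@@ -1,12 +0,0 @@
-diff --git a/nixos/modules/services/web-servers/pomerium.nix b/third_party/nixpkgs/nixos/modules/services/web-servers/pomerium.nix
---- a/nixos/modules/services/web-servers/pomerium.nix
-+++ b/nixos/modules/services/web-servers/pomerium.nix
-@@ -128,7 +128,7 @@ in
-Type = "oneshot";
-TimeoutSec = 60;
-ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active pomerium.service";
-- ExecStart = "/run/current-system/systemd/bin/systemctl restart pomerium.service";
-+ ExecStart = "/run/current-system/systemd/bin/systemctl --no-block restart pomerium.service";
-};
-};
-});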
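--- a/third_party/nixpkgs/patches/pr163673.patch
+++ b/third_party/nixpkgs/patches/pr163673.patch
@@ -0,0 +1,251 @@
+From 860cc90fec86ea49d1f73ac5f5920f11afaba28d Mon Sep 17 00:00:00 2001
+From: Luke Granger-Brown <git@lukegb.com>
+Date: Fri, 11 Mar 2022 13:54:14 +0000
+Subject: [PATCH 1/4] pomerium: 0.15.7 -> 0.17.0
+
+---
+pkgs/servers/http/pomerium/default.nix | 8 +++-----
+1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/pkgs/servers/http/pomerium/default.nix b/pkgs/servers/http/pomerium/default.nix
+index cbf2fe1943542..4a8381bccc996 100644
+--- a/pkgs/servers/http/pomerium/default.nix
++++ b/pkgs/servers/http/pomerium/default.nix
+@@ -11,18 +11,17 @@ let
+in
+buildGoModule rec {
+pname = "pomerium";
+- version = "0.15.7";
++ version = "0.17.0";
+src = fetchFromGitHub {
+owner = "pomerium";
+repo = "pomerium";
+rev = "v${version}";
+- hash = "sha256:0adlk4ylny1z43x1dw3ny0s1932vhb61hpf5wdz4r65y8k9qyfgr";
++ hash = "sha256:1hv76i6k9f0kp527nxlxqhklsvkh2cmfnqlszmlk2hxij31qnf8q";
+};
+
+- vendorSha256 = "sha256:1fszfbra84pcs8v1h2kf7iy603vf9v2ysg6il76aqmqrxmb1p7nv";
++ vendorSha256 = "sha256:1cq4m5a7z64yg3v1c68d15ilw78il6p53vaqzxgn338zjggr3kig";
+subPackages = [
+"cmd/pomerium"
+- "cmd/pomerium-cli"
+];
+
+ldflags = let
+@@ -74,7 +73,6 @@ buildGoModule rec {
+
+installPhase = ''
+install -Dm0755 $GOPATH/bin/pomerium $out/bin/pomerium
+- install -Dm0755 $GOPATH/bin/pomerium-cli $out/bin/pomerium-cli
+'';
+
+passthru.tests = {
+
+From 6659ba52480b2881c89c104370c2e7528fb34a0e Mon Sep 17 00:00:00 2001
+From: Luke Granger-Brown <git@lukegb.com>
+Date: Fri, 11 Mar 2022 14:01:27 +0000
+Subject: [PATCH 2/4] pomerium-cli: init at 0.17.0
+
+---
+pkgs/servers/http/pomerium/default.nix | 2 +
+pkgs/tools/security/pomerium-cli/default.nix | 58 ++++++++++++++++++++
+pkgs/top-level/all-packages.nix | 1 +
+3 files changed, 61 insertions(+)
+create mode 100644 pkgs/tools/security/pomerium-cli/default.nix
+
+diff --git a/pkgs/servers/http/pomerium/default.nix b/pkgs/servers/http/pomerium/default.nix
+index 4a8381bccc996..8a5580d5d0dba 100644
+--- a/pkgs/servers/http/pomerium/default.nix
++++ b/pkgs/servers/http/pomerium/default.nix
+@@ -4,6 +4,7 @@
+, envoy
+, zip
+, nixosTests
++, pomerium-cli
+}:
+
+let
+@@ -77,6 +78,7 @@ buildGoModule rec {
+
+passthru.tests = {
+inherit (nixosTests) pomerium;
++ inherit pomerium-cli;
+};
+
+meta = with lib; {
+diff --git a/pkgs/tools/security/pomerium-cli/default.nix b/pkgs/tools/security/pomerium-cli/default.nix
+new file mode 100644
+index 0000000000000..7dc7e3a7a903c
+--- /dev/null
++++ b/pkgs/tools/security/pomerium-cli/default.nix
+@@ -0,0 +1,58 @@
++{ buildGoModule
++, fetchFromGitHub
++, lib
++, pomerium
++}:
++
++let
++ inherit (lib) concatStringsSep concatMap id mapAttrsToList;
++in
++buildGoModule rec {
++ pname = "pomerium-cli";
++ version = pomerium.version;
++ src = fetchFromGitHub {
++ owner = "pomerium";
++ repo = "cli";
++ rev = "v${version}";
++ hash = "sha256:0230b22xjnpykj8bcdahzzlsvlrd63z2cmg6yb246c5ngjs835q1";
++ };
++
++ vendorSha256 = "sha256:0xx22lmh6wip1d1bjrp4lgab3q9yilw54v4lg24lf3xhbsr5si9b";
++ subPackages = [
++ "cmd/pomerium-cli"
++ ];
++
++ ldflags = let
++ # Set a variety of useful meta variables for stamping the build with.
++ setVars = {
++ "github.com/pomerium/cli/version" = {
++ Version = "v${version}";
++ BuildMeta = "nixpkgs";
++ ProjectName = "pomerium-cli";
++ ProjectURL = "github.com/pomerium/cli";
++ };
++ };
++ concatStringsSpace = list: concatStringsSep " " list;
++ mapAttrsToFlatList = fn: list: concatMap id (mapAttrsToList fn list);
++ varFlags = concatStringsSpace (
++ mapAttrsToFlatList (package: packageVars:
++ mapAttrsToList (variable: value:
++ "-X ${package}.${variable}=${value}"
++ ) packageVars
++ ) setVars);
++ in [
++ "${varFlags}"
++ ];
++
++ installPhase = ''
++ install -Dm0755 $GOPATH/bin/pomerium-cli $out/bin/pomerium-cli
++ '';
++
++ meta = with lib; {
++ homepage = "https://pomerium.io";
++ description = "Client-side helper for Pomerium authenticating reverse proxy";
++ license = licenses.asl20;
++ maintainers = with maintainers; [ lukegb ];
++ platforms = platforms.unix;
++ };
++}
+diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
+index a2880d70e6457..7b01dfe3fe72d 100644
+--- a/pkgs/top-level/all-packages.nix
++++ b/pkgs/top-level/all-packages.nix
+@@ -21613,6 +21613,7 @@ with pkgs;
+pflogsumm = callPackage ../servers/mail/postfix/pflogsumm.nix { };
+
+pomerium = callPackage ../servers/http/pomerium { };
++ pomerium-cli = callPackage ../tools/security/pomerium-cli { };
+
+postgrey = callPackage ../servers/mail/postgrey { };
+
+
+From 3004e58f6a0817080f40db34dc96fdf4d5da6c18 Mon Sep 17 00:00:00 2001
+From: Luke Granger-Brown <git@lukegb.com>
+Date: Fri, 11 Mar 2022 14:03:22 +0000
+Subject: [PATCH 3/4] nixos/pomerium: avoid blocking when renewing ACME
+certificates
+
+---
+nixos/modules/services/web-servers/pomerium.nix | 10 +++++++---
+1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/nixos/modules/services/web-servers/pomerium.nix b/nixos/modules/services/web-servers/pomerium.nix
+index 2bc7d01c7c287..0b460755f50ef 100644
+--- a/nixos/modules/services/web-servers/pomerium.nix
++++ b/nixos/modules/services/web-servers/pomerium.nix
+@@ -69,11 +69,16 @@ in
+CERTIFICATE_KEY_FILE = "key.pem";
+};
+startLimitIntervalSec = 60;
++ script = ''
++ if [[ -v CREDENTIALS_DIRECTORY ]]; then
++ cd "$CREDENTIALS_DIRECTORY"
++ fi
++ exec "${pkgs.pomerium}/bin/pomerium" -config "${cfgFile}"
++ '';
+
+serviceConfig = {
+DynamicUser = true;
+StateDirectory = [ "pomerium" ];
+- ExecStart = "${pkgs.pomerium}/bin/pomerium -config ${cfgFile}";
+
+PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
+MemoryDenyWriteExecute = false; # breaks LuaJIT
+@@ -99,7 +104,6 @@ in
+AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+
+- WorkingDirectory = mkIf (cfg.useACMEHost != null) "$CREDENTIALS_DIRECTORY";
+LoadCredential = optionals (cfg.useACMEHost != null) [
+"fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem"
+"key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem"
+@@ -124,7 +128,7 @@ in
+Type = "oneshot";
+TimeoutSec = 60;
+ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active pomerium.service";
+- ExecStart = "/run/current-system/systemd/bin/systemctl restart pomerium.service";
++ ExecStart = "/run/current-system/systemd/bin/systemctl --no-block restart pomerium.service";
+};
+};
+});
+
+From c19e76b29f7bd0d225ab89feb0a3726676f915c8 Mon Sep 17 00:00:00 2001
+From: Luke Granger-Brown <git@lukegb.com>
+Date: Fri, 11 Mar 2022 14:07:12 +0000
+Subject: [PATCH 4/4] pomerium: note changes in packaging in 22.05 release
+notes
+
+---
+.../manual/from_md/release-notes/rl-2205.section.xml | 10 ++++++++++
+nixos/doc/manual/release-notes/rl-2205.section.md | 5 +++++
+2 files changed, 15 insertions(+)
+
+diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+index 9cf27e56827a1..333994c0957d6 100644
+--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
++++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+@@ -1322,6 +1322,16 @@
+warning.
+</para>
+</listitem>
++ <listitem>
++ <para>
++ The <literal>pomerium-cli</literal> command has been moved out
++ of the <literal>pomerium</literal> package into the
++ <literal>pomerium-cli</literal> package, following upstream’s
++ repository split. If you are using the
++ <literal>pomerium-cli</literal> command, you should now
++ install the <literal>pomerium-cli</literal> package.
++ </para>
++ </listitem>
+<listitem>
+<para>
+The option
+diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
+index 58a1b23d17bf6..222c101a2842d 100644
+--- a/nixos/doc/manual/release-notes/rl-2205.section.md
++++ b/nixos/doc/manual/release-notes/rl-2205.section.md
+@@ -479,6 +479,11 @@ In addition to numerous new and upgraded packages, this release has the followin
+Reason is that the old name has been deprecated upstream.
+Using the old option name will still work, but produce a warning.
+
++- The `pomerium-cli` command has been moved out of the `pomerium` package into
++ the `pomerium-cli` package, following upstream's repository split. If you are
++ using the `pomerium-cli` command, you should now install the `pomerium-cli`
++ package.
++
+- The option
+[services.networking.networkmanager.enableFccUnlock](#opt-networking.networkmanager.enableFccUnlock)
+was added to support FCC unlock procedures. Since release 1.18.4, the ModemManager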
3
third_party/nixpkgs/patches/series
vendored
3
third_party/nixpkgs/patches/series
vendored
|
@ -1,3 +1,2 @@
|
|||
pomerium-fix.patch
|
||||
pomerium-fix2.patch
|
||||
nvidia-sideband-socket.patch
|
||||
pr163673.patch
|
||||
|
|