ops/nixos: fixups for upstream pomerium module

This commit is contained in:
Luke Granger-Brown 2021-04-07 00:46:15 +00:00
parent 0943931a6a
commit bb03f5ea0d
4 changed files with 19 additions and 15 deletions


@ -10,8 +10,6 @@ in {
imports = [
../lib/bgp.nix
../lib/zfs.nix
../../../nix/pkgs/pomerium/module.nix
];
boot.initrd = {
@ -174,8 +172,9 @@ in {
services.pomerium = {
enable = true;
secretsFile = machineSecrets.pomeriumSecrets;
useACMEHost = "int.lukegb.com";
config = {
settings = {
address = ":443";
http_redirect_addr = ":80";
@ -251,17 +250,9 @@ in {
];
};
};
systemd.services.pomerium.serviceConfig = {
After = [ "acme-finished-int.lukegb.com.target" "redis.service" ];
Wants = [ "acme-finished-int.lukegb.com.target" "redis.service" ];
LoadCredential = [
"certfullchain.pem:/var/lib/acme/int.lukegb.com/fullchain.pem"
"certkey.pem:/var/lib/acme/int.lukegb.com/key.pem"
];
Environment = [
"CERTIFICATE_FILE=certfullchain.pem"
"CERTIFICATE_KEY_FILE=certkey.pem"
];
systemd.services.pomerium = {
wants = lib.mkAfter [ "redis.service" ];
after = lib.mkAfter [ "redis.service" ];
};
security.acme = {
acceptTerms = true;
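Review bot: `lib.mkAfter` on `wants` and `after` in the new `systemd.services.pomerium` block (third hunk) buys nothing: systemd treats Wants=/After= as unordered sets, and mkAfter only influences the order in which NixOS merges list definitions, so `wants = [ "redis.service" ]; after = [ "redis.service" ];` expresses the same dependency more plainly. The dropped `LoadCredential`/`Environment` lines previously handed the ACME fullchain and key to the service through systemd credentials; the rewrite leaves certificate delivery to the upstream module's `useACMEHost` handling, which is not visible here, so it is worth confirming that the service user can still read the key without the ACME directory being opened up more widely than before. The enclosing configuration set starts before the first hunk and continues after the last.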


@ -119,7 +119,7 @@ in
before = [ "acme-finished-${cfg.useACMEHost}.target" ];
after = [ "acme-${cfg.useACMEHost}.service" ];
# Block reloading if not all certs exist yet.
unitConfig.ConditionPathExists = [ "${certs.${cfg.useACMEHost}.directory}/fullchain.pem" ];
unitConfig.ConditionPathExists = [ "${config.security.acme.certs.${cfg.useACMEHost}.directory}/fullchain.pem" ];
serviceConfig = {
Type = "oneshot";
TimeoutSec = 60;
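Review bot: The corrected `ConditionPathExists` on the new line still guards only `fullchain.pem`, although the comment above it promises to block reloading until all certificates exist; if the module reads the private key from the same ACME directory (the machine config in this commit previously loaded both `fullchain.pem` and `key.pem` from there), the condition should list both, e.g. `unitConfig.ConditionPathExists = [ "${config.security.acme.certs.${cfg.useACMEHost}.directory}/fullchain.pem" "${config.security.acme.certs.${cfg.useACMEHost}.directory}/key.pem" ];`. The same hunk is carried verbatim in the patch file added in the next file section, so the two need to be kept in step. The enclosing service definition starts and ends outside the hunk.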


@ -0,0 +1,12 @@
diff --git a/nixos/modules/services/web-servers/pomerium.nix b/nixos/modules/services/web-servers/pomerium.nix
--- a/nixos/modules/services/web-servers/pomerium.nix
+++ b/nixos/modules/services/web-servers/pomerium.nix
@@ -119,7 +119,7 @@ in
before = [ "acme-finished-${cfg.useACMEHost}.target" ];
after = [ "acme-${cfg.useACMEHost}.service" ];
# Block reloading if not all certs exist yet.
- unitConfig.ConditionPathExists = [ "${certs.${cfg.useACMEHost}.directory}/fullchain.pem" ];
+ unitConfig.ConditionPathExists = [ "${config.security.acme.certs.${cfg.useACMEHost}.directory}/fullchain.pem" ];
serviceConfig = {
Type = "oneshot";
TimeoutSec = 60;


@ -1,2 +1,3 @@
various.patch
patch-cherrypy.patch
pomerium-fix.patch