From bb03f5ea0d2f29288fcd606f5ee6253ace530b3c Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Wed, 7 Apr 2021 00:46:15 +0000
Subject: [PATCH] ops/nixos: fixups for upstream pomerium module
---
 ops/nixos/etheroute-lon01/default.nix | 19 +++++--------------
 .../modules/services/web-servers/pomerium.nix | 2 +-
 .../nixpkgs/patches/pomerium-fix.patch | 12 ++++++++++++
 third_party/nixpkgs/patches/series | 1 +
 4 files changed, 19 insertions(+), 15 deletions(-)
 create mode 100644 third_party/nixpkgs/patches/pomerium-fix.patch
diff --git a/ops/nixos/etheroute-lon01/default.nix b/ops/nixos/etheroute-lon01/default.nix
index ed2ce31491..397d145d2b 100644
--- a/ops/nixos/etheroute-lon01/default.nix
+++ b/ops/nixos/etheroute-lon01/default.nix
@@ -10,8 +10,6 @@ in { imports = [ ../lib/bgp.nix ../lib/zfs.nix - - ../../../nix/pkgs/pomerium/module.nix ]; boot.initrd = {
@@ -174,8 +172,9 @@ in { services.pomerium = { enable = true; secretsFile = machineSecrets.pomeriumSecrets; + useACMEHost = "int.lukegb.com"; - config = { + settings = { address = ":443"; http_redirect_addr = ":80";
@@ -251,17 +250,9 @@ in { ]; }; }; - systemd.services.pomerium.serviceConfig = { - After = [ "acme-finished-int.lukegb.com.target" "redis.service" ]; - Wants = [ "acme-finished-int.lukegb.com.target" "redis.service" ]; - LoadCredential = [ - "certfullchain.pem:/var/lib/acme/int.lukegb.com/fullchain.pem" - "certkey.pem:/var/lib/acme/int.lukegb.com/key.pem" - ]; - Environment = [ - "CERTIFICATE_FILE=certfullchain.pem" - "CERTIFICATE_KEY_FILE=certkey.pem" + systemd.services.pomerium = { + wants = lib.mkAfter [ "redis.service" ]; + after = lib.mkAfter [ "redis.service" ]; }; security.acme = { acceptTerms = true;
diff --git a/third_party/nixpkgs/nixos/modules/services/web-servers/pomerium.nix b/third_party/nixpkgs/nixos/modules/services/web-servers/pomerium.nix
index a96df1dbf6..2bc7d01c7c 100644
--- a/third_party/nixpkgs/nixos/modules/services/web-servers/pomerium.nix
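Review bot: The rewritten `systemd.services.pomerium` block in the third default.nix hunk drops the `LoadCredential` delivery of `fullchain.pem`/`key.pem` and the `acme-finished-int.lukegb.com.target` ordering without recording where those now come from, so a later reader cannot tell from this file whether the service still receives the key as a systemd credential or reads `/var/lib/acme/int.lukegb.com/key.pem` directly. Presumably the upstream module's `useACMEHost` option (set in the second hunk) provides both, but only a ConditionPathExists on `fullchain.pem` and an ordering after `acme-${cfg.useACMEHost}.service` are visible in the pomerium.nix hunk, so the key-delivery path should be confirmed against the module. A one-line comment above the block would make the reliance explicit: `# ACME ordering and certificate/key delivery come from the upstream module via useACMEHost; only the redis dependency is added here.`. The use of `lib.mkAfter` also assumes `lib` is among the module's arguments, which is outside this hunk; the enclosing attribute set continues past `acceptTerms = true;` beyond the hunk.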
+++ b/third_party/nixpkgs/nixos/modules/services/web-servers/pomerium.nix
@@ -119,7 +119,7 @@ in
 before = [ "acme-finished-${cfg.useACMEHost}.target" ];
 after = [ "acme-${cfg.useACMEHost}.service" ];
 # Block reloading if not all certs exist yet.
- unitConfig.ConditionPathExists = [ "${certs.${cfg.useACMEHost}.directory}/fullchain.pem" ];
+ unitConfig.ConditionPathExists = [ "${config.security.acme.certs.${cfg.useACMEHost}.directory}/fullchain.pem" ];
 serviceConfig = {
 Type = "oneshot";
 TimeoutSec = 60;
diff --git a/third_party/nixpkgs/patches/pomerium-fix.patch b/third_party/nixpkgs/patches/pomerium-fix.patch
new file mode 100644
index 0000000000..9bd8b96020
--- /dev/null
+++ b/third_party/nixpkgs/patches/pomerium-fix.patch
@@ -0,0 +1,12 @@
+diff --git a/nixos/modules/services/web-servers/pomerium.nix b/nixos/modules/services/web-servers/pomerium.nix
+--- a/nixos/modules/services/web-servers/pomerium.nix
++++ b/nixos/modules/services/web-servers/pomerium.nix
+@@ -119,7 +119,7 @@ in
+ before = [ "acme-finished-${cfg.useACMEHost}.target" ];
+ after = [ "acme-${cfg.useACMEHost}.service" ];
+ # Block reloading if not all certs exist yet.
+- unitConfig.ConditionPathExists = [ "${certs.${cfg.useACMEHost}.directory}/fullchain.pem" ];
++ unitConfig.ConditionPathExists = [ "${config.security.acme.certs.${cfg.useACMEHost}.directory}/fullchain.pem" ];
+ serviceConfig = {
+ Type = "oneshot";
+ TimeoutSec = 60;
diff --git a/third_party/nixpkgs/patches/series b/third_party/nixpkgs/patches/series
index bd8d0ba6ce..9e98ebae86 100644
--- a/third_party/nixpkgs/patches/series
+++ b/third_party/nixpkgs/patches/series
@@ -1,2 +1,3 @@
 various.patch
 patch-cherrypy.patch
+pomerium-fix.patch
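Review bot: The corrected `ConditionPathExists` on the added line still lists only `fullchain.pem`, although the comment directly above says the reload must be blocked until all certs exist and the removed default.nix lines show the service also needs `key.pem` from the same directory; a reload that finds the chain but not the key would pass this condition. Listing both files closes the gap: `unitConfig.ConditionPathExists = [ "${config.security.acme.certs.${cfg.useACMEHost}.directory}/fullchain.pem" "${config.security.acme.certs.${cfg.useACMEHost}.directory}/key.pem" ];`. The same hunk is carried verbatim in third_party/nixpkgs/patches/pomerium-fix.patch, which series now applies over this file, so the two copies must be changed together or the quilt patch will fail to apply. The unit this attribute belongs to begins before the hunk.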