ops/nixos: fixups for upstream pomerium module
This commit is contained in:
parent
0943931a6a
commit
bb03f5ea0d
4 changed files with 19 additions and 15 deletions
|
@ -10,8 +10,6 @@ in {
|
||||||
imports = [
|
imports = [
|
||||||
../lib/bgp.nix
|
../lib/bgp.nix
|
||||||
../lib/zfs.nix
|
../lib/zfs.nix
|
||||||
|
|
||||||
../../../nix/pkgs/pomerium/module.nix
|
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.initrd = {
|
boot.initrd = {
|
||||||
|
@ -174,8 +172,9 @@ in {
|
||||||
services.pomerium = {
|
services.pomerium = {
|
||||||
enable = true;
|
enable = true;
|
||||||
secretsFile = machineSecrets.pomeriumSecrets;
|
secretsFile = machineSecrets.pomeriumSecrets;
|
||||||
|
useACMEHost = "int.lukegb.com";
|
||||||
|
|
||||||
config = {
|
settings = {
|
||||||
address = ":443";
|
address = ":443";
|
||||||
http_redirect_addr = ":80";
|
http_redirect_addr = ":80";
|
||||||
|
|
||||||
|
@ -251,17 +250,9 @@ in {
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
systemd.services.pomerium.serviceConfig = {
|
systemd.services.pomerium = {
|
||||||
After = [ "acme-finished-int.lukegb.com.target" "redis.service" ];
|
wants = lib.mkAfter [ "redis.service" ];
|
||||||
Wants = [ "acme-finished-int.lukegb.com.target" "redis.service" ];
|
after = lib.mkAfter [ "redis.service" ];
|
||||||
LoadCredential = [
|
|
||||||
"certfullchain.pem:/var/lib/acme/int.lukegb.com/fullchain.pem"
|
|
||||||
"certkey.pem:/var/lib/acme/int.lukegb.com/key.pem"
|
|
||||||
];
|
|
||||||
Environment = [
|
|
||||||
"CERTIFICATE_FILE=certfullchain.pem"
|
|
||||||
"CERTIFICATE_KEY_FILE=certkey.pem"
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
security.acme = {
|
security.acme = {
|
||||||
acceptTerms = true;
|
acceptTerms = true;
|
||||||
|
|
|
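Review bot: Dropping the `LoadCredential`/`Environment` lines in the third hunk changes how pomerium receives the ACME private key: the old unit had systemd copy `key.pem` into the service's credential directory, while the new code only sets `useACMEHost = "int.lukegb.com"` and leaves key delivery to the upstream module, which this commit does not show; confirm that the service user can read `/var/lib/acme/int.lukegb.com/key.pem` through the module's own mechanism rather than by relaxing permissions on the ACME directory. The explicit `After`/`Wants` on `acme-finished-int.lukegb.com.target` is gone as well, and the replacement `lib.mkAfter [ "redis.service" ]` only covers redis; the vendored patch further down suggests the upstream module orders the service against the acme units when `useACMEHost` is set, but that is inferred from the patch hunk, not visible in this file. A short comment on the new block would make the dependency explicit: `# Certificate paths and ordering against acme-* units come from useACMEHost (upstream module); only the redis dependency is added here.`. The enclosing `in { ... }` attribute set starts and ends outside these hunks.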
@ -119,7 +119,7 @@ in
|
||||||
before = [ "acme-finished-${cfg.useACMEHost}.target" ];
|
before = [ "acme-finished-${cfg.useACMEHost}.target" ];
|
||||||
after = [ "acme-${cfg.useACMEHost}.service" ];
|
after = [ "acme-${cfg.useACMEHost}.service" ];
|
||||||
# Block reloading if not all certs exist yet.
|
# Block reloading if not all certs exist yet.
|
||||||
unitConfig.ConditionPathExists = [ "${certs.${cfg.useACMEHost}.directory}/fullchain.pem" ];
|
unitConfig.ConditionPathExists = [ "${config.security.acme.certs.${cfg.useACMEHost}.directory}/fullchain.pem" ];
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
TimeoutSec = 60;
|
TimeoutSec = 60;
|
||||||
|
|
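--- a/third_party/nixpkgs/patches/pomerium-fix.patch
+++ b/third_party/nixpkgs/patches/pomerium-fix.patch
@@ -0,0 +1,12 @@
+diff --git a/nixos/modules/services/web-servers/pomerium.nix b/nixos/modules/services/web-servers/pomerium.nix
+--- a/nixos/modules/services/web-servers/pomerium.nix
++++ b/nixos/modules/services/web-servers/pomerium.nix
+@@ -119,7 +119,7 @@ in
+before = [ "acme-finished-${cfg.useACMEHost}.target" ];
+after = [ "acme-${cfg.useACMEHost}.service" ];
+# Block reloading if not all certs exist yet.
+- unitConfig.ConditionPathExists = [ "${certs.${cfg.useACMEHost}.directory}/fullchain.pem" ];
++ unitConfig.ConditionPathExists = [ "${config.security.acme.certs.${cfg.useACMEHost}.directory}/fullchain.pem" ];
+serviceConfig = {
+Type = "oneshot";
+TimeoutSec = 60;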
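--- a/third_party/nixpkgs/patches/series
+++ b/third_party/nixpkgs/patches/series
@@ -1,2 +1,3 @@
 various.patch
 patch-cherrypy.patch
+pomerium-fix.patch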