ops/nixos: fixups for upstream pomerium module
This commit is contained in:
parent
0943931a6a
commit
bb03f5ea0d
4 changed files with 19 additions and 15 deletions
|
@ -10,8 +10,6 @@ in {
|
|||
imports = [
|
||||
../lib/bgp.nix
|
||||
../lib/zfs.nix
|
||||
|
||||
../../../nix/pkgs/pomerium/module.nix
|
||||
];
|
||||
|
||||
boot.initrd = {
|
||||
|
@ -174,8 +172,9 @@ in {
|
|||
services.pomerium = {
|
||||
enable = true;
|
||||
secretsFile = machineSecrets.pomeriumSecrets;
|
||||
useACMEHost = "int.lukegb.com";
|
||||
|
||||
config = {
|
||||
settings = {
|
||||
address = ":443";
|
||||
http_redirect_addr = ":80";
|
||||
|
||||
|
@ -251,17 +250,9 @@ in {
|
|||
];
|
||||
};
|
||||
};
|
||||
systemd.services.pomerium.serviceConfig = {
|
||||
After = [ "acme-finished-int.lukegb.com.target" "redis.service" ];
|
||||
Wants = [ "acme-finished-int.lukegb.com.target" "redis.service" ];
|
||||
LoadCredential = [
|
||||
"certfullchain.pem:/var/lib/acme/int.lukegb.com/fullchain.pem"
|
||||
"certkey.pem:/var/lib/acme/int.lukegb.com/key.pem"
|
||||
];
|
||||
Environment = [
|
||||
"CERTIFICATE_FILE=certfullchain.pem"
|
||||
"CERTIFICATE_KEY_FILE=certkey.pem"
|
||||
];
|
||||
systemd.services.pomerium = {
|
||||
wants = lib.mkAfter [ "redis.service" ];
|
||||
after = lib.mkAfter [ "redis.service" ];
|
||||
};
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
|
|
|
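Review bot: The new `systemd.services.pomerium` block only orders the unit after `redis.service`, so the ordering on `acme-finished-int.lukegb.com.target` and the `LoadCredential` wiring for `fullchain.pem`/`key.pem` that the removed `serviceConfig` block provided now have to come from the upstream module via `useACMEHost`, which this hunk does not show. The acme module normally restricts `key.pem` to the certificate's group, so unless the upstream unit either runs in that group or loads the files as credentials, the service would start but fail to open its TLS key; this is worth confirming against the patched module rather than assuming. I would record the assumption next to the block: `# cert/key access and acme ordering are expected from the upstream module via useACMEHost; verify the pomerium user can read key.pem`. The enclosing attribute set starts and ends outside the hunk.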
@ -119,7 +119,7 @@ in
|
|||
before = [ "acme-finished-${cfg.useACMEHost}.target" ];
|
||||
after = [ "acme-${cfg.useACMEHost}.service" ];
|
||||
# Block reloading if not all certs exist yet.
|
||||
unitConfig.ConditionPathExists = [ "${certs.${cfg.useACMEHost}.directory}/fullchain.pem" ];
|
||||
unitConfig.ConditionPathExists = [ "${config.security.acme.certs.${cfg.useACMEHost}.directory}/fullchain.pem" ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
TimeoutSec = 60;
|
||||
|
|
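Review bot: The condition on the new line still checks only `fullchain.pem`, although the comment above it says reloading is blocked until all certs exist; the key is needed as well, and now that `${config.security.acme.certs.${cfg.useACMEHost}.directory}` resolves correctly it is cheap to include: `unitConfig.ConditionPathExists = [ "${config.security.acme.certs.${cfg.useACMEHost}.directory}/fullchain.pem" "${config.security.acme.certs.${cfg.useACMEHost}.directory}/key.pem" ];`. The identical line is carried in the vendored `pomerium-fix.patch`, so either both copies should change together or the comment should be narrowed to `# Block reloading until the certificate chain exists.`. The enclosing unit definition starts and ends outside the hunk.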
12
third_party/nixpkgs/patches/pomerium-fix.patch
vendored
Normal file
|
@ -0,0 +1,12 @@
|
|||
diff --git a/nixos/modules/services/web-servers/pomerium.nix b/nixos/modules/services/web-servers/pomerium.nix
|
||||
--- a/nixos/modules/services/web-servers/pomerium.nix
|
||||
+++ b/nixos/modules/services/web-servers/pomerium.nix
|
||||
@@ -119,7 +119,7 @@ in
|
||||
before = [ "acme-finished-${cfg.useACMEHost}.target" ];
|
||||
after = [ "acme-${cfg.useACMEHost}.service" ];
|
||||
# Block reloading if not all certs exist yet.
|
||||
- unitConfig.ConditionPathExists = [ "${certs.${cfg.useACMEHost}.directory}/fullchain.pem" ];
|
||||
+ unitConfig.ConditionPathExists = [ "${config.security.acme.certs.${cfg.useACMEHost}.directory}/fullchain.pem" ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
TimeoutSec = 60;
|
1
third_party/nixpkgs/patches/series
vendored
|
@ -1,2 +1,3 @@
|
|||
various.patch
|
||||
patch-cherrypy.patch
|
||||
pomerium-fix.patch
|
||||
|
|