3p/nixpkgs: fix pomerium working directory

Luke Granger-Brown 2021-04-07 11:56:26 +00:00
parent 31811e480b
commit fcf39e6738
2 changed files with 26 additions and 3 deletions


@ -69,11 +69,16 @@ in
CERTIFICATE_KEY_FILE = "key.pem";
};
startLimitIntervalSec = 60;
script = ''
if [[ -v CREDENTIALS_DIRECTORY ]]; then
cd "$CREDENTIALS_DIRECTORY"
fi
exec "${pkgs.pomerium}/bin/pomerium" -config "${cfgFile}"
'';
serviceConfig = {
DynamicUser = true;
StateDirectory = [ "pomerium" ];
ExecStart = "${pkgs.pomerium}/bin/pomerium -config ${cfgFile}";
PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
MemoryDenyWriteExecute = false; # breaks LuaJIT


@ -1,7 +1,25 @@
diff --git a/nixos/modules/services/web-servers/pomerium.nix b/nixos/modules/services/web-servers/pomerium.nix
--- a/nixos/modules/services/web-servers/pomerium.nix
+++ b/nixos/modules/services/web-servers/pomerium.nix
@@ -99,7 +99,6 @@ in
@@ -69,11 +69,16 @@ in
CERTIFICATE_KEY_FILE = "key.pem";
};
startLimitIntervalSec = 60;
+ script = ''
+ if [[ -v CREDENTIALS_DIRECTORY ]]; then
+ cd "$CREDENTIALS_DIRECTORY"
+ fi
+ exec "${pkgs.pomerium}/bin/pomerium" -config "${cfgFile}"
+ '';
serviceConfig = {
DynamicUser = true;
StateDirectory = [ "pomerium" ];
- ExecStart = "${pkgs.pomerium}/bin/pomerium -config ${cfgFile}";
PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
MemoryDenyWriteExecute = false; # breaks LuaJIT
@@ -99,7 +104,6 @@ in
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
@ -9,7 +27,7 @@ diff --git a/nixos/modules/services/web-servers/pomerium.nix b/nixos/modules/ser
LoadCredential = optionals (cfg.useACMEHost != null) [
"fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem"
"key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem"
@@ -119,7 +118,7 @@ in
@@ -119,7 +123,7 @@ in
before = [ "acme-finished-${cfg.useACMEHost}.target" ];
after = [ "acme-${cfg.useACMEHost}.service" ];
# Block reloading if not all certs exist yet.
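Review bot: The new `script` (patch hunk at `@@ -69,11 +69,16 @@`, and the same lines in the pomerium.nix section above) changes directory only when `CREDENTIALS_DIRECTORY` is set, but nothing records why the working directory matters: the surrounding context sets `CERTIFICATE_KEY_FILE = "key.pem"` as a bare relative name, so pomerium presumably resolves it against its cwd, and if the variable is ever absent while those relative names are still configured the lookup silently falls through to whatever directory systemd started the unit in. A one-line comment above the `if` would pin this down for the next reader: `# Pomerium resolves the relative CERTIFICATE_*_FILE names against its cwd; LoadCredential places them in $CREDENTIALS_DIRECTORY, which is only set when credentials were actually loaded.` If the `environment` values are in fact only set when `cfg.useACMEHost != null` (as `LoadCredential` is on the `optionals` line), it would be worth saying so in that comment as well, since the guard's correctness depends on the two being conditional together — that cannot be confirmed from the lines in the hunk. The enclosing service attribute set begins and ends outside the hunk.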