diff --git a/third_party/nixpkgs/nixos/modules/services/web-servers/pomerium.nix b/third_party/nixpkgs/nixos/modules/services/web-servers/pomerium.nix
index 1af9caa39f..15d83ab5c0 100644
--- a/third_party/nixpkgs/nixos/modules/services/web-servers/pomerium.nix
+++ b/third_party/nixpkgs/nixos/modules/services/web-servers/pomerium.nix
@@ -69,11 +69,16 @@ in
         CERTIFICATE_KEY_FILE = "key.pem";
       };
       startLimitIntervalSec = 60;
+      script = ''
+        if [[ -v CREDENTIALS_DIRECTORY ]]; then
+          cd "$CREDENTIALS_DIRECTORY"
+        fi
+        exec "${pkgs.pomerium}/bin/pomerium" -config "${cfgFile}"
+      '';
 
       serviceConfig = {
         DynamicUser = true;
         StateDirectory = [ "pomerium" ];
-        ExecStart = "${pkgs.pomerium}/bin/pomerium -config ${cfgFile}";
 
         PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
         MemoryDenyWriteExecute = false; # breaks LuaJIT
diff --git a/third_party/nixpkgs/patches/pomerium-fix.patch b/third_party/nixpkgs/patches/pomerium-fix.patch
index e022ae618c..06f2878b5b 100644
--- a/third_party/nixpkgs/patches/pomerium-fix.patch
+++ b/third_party/nixpkgs/patches/pomerium-fix.patch
@@ -1,7 +1,25 @@
 diff --git a/nixos/modules/services/web-servers/pomerium.nix b/nixos/modules/services/web-servers/pomerium.nix
 --- a/nixos/modules/services/web-servers/pomerium.nix
 +++ b/nixos/modules/services/web-servers/pomerium.nix
-@@ -99,7 +99,6 @@ in
+@@ -69,11 +69,16 @@ in
+         CERTIFICATE_KEY_FILE = "key.pem";
+       };
+       startLimitIntervalSec = 60;
++      script = ''
++        if [[ -v CREDENTIALS_DIRECTORY ]]; then
++          cd "$CREDENTIALS_DIRECTORY"
++        fi
++        exec "${pkgs.pomerium}/bin/pomerium" -config "${cfgFile}"
++      '';
+ 
+       serviceConfig = {
+         DynamicUser = true;
+         StateDirectory = [ "pomerium" ];
+-        ExecStart = "${pkgs.pomerium}/bin/pomerium -config ${cfgFile}";
+ 
+         PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
+         MemoryDenyWriteExecute = false; # breaks LuaJIT
+@@ -99,7 +104,6 @@ in
          AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
          CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
  
@@ -9,7 +27,7 @@ diff --git a/nixos/modules/services/web-servers/pomerium.nix b/nixos/modules/ser
          LoadCredential = optionals (cfg.useACMEHost != null) [
            "fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem"
            "key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem"
-@@ -119,7 +118,7 @@ in
+@@ -119,7 +123,7 @@ in
          before = [ "acme-finished-${cfg.useACMEHost}.target" ];
          after = [ "acme-${cfg.useACMEHost}.service" ];
          # Block reloading if not all certs exist yet.
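Review bot: The new `script` in the pomerium.nix hunk changes the daemon's working directory without saying why, and the reason is not obvious from the hunk alone: the `environment` block just above sets `CERTIFICATE_KEY_FILE = "key.pem"` (and presumably a matching `CERTIFICATE_FILE`, outside the hunk) as a bare relative name, so the `cd` is what makes it resolve to the file systemd placed there via `LoadCredential`. A one-line comment above the `if` would save the next reader that deduction, e.g. `# LoadCredential exposes the certs under bare names; cd so the relative CERTIFICATE_*_FILE paths in environment resolve inside it`. The fallback is silent: `LoadCredential` is conditional on `cfg.useACMEHost` (visible as context in the patch-file hunk), so when `CREDENTIALS_DIRECTORY` is unset the relative names resolve against the unit's default working directory and the failure surfaces at pomerium startup rather than at the `cd`; if the environment entries are not equally conditional, consider setting them only alongside `LoadCredential`, and note that any other relative path in the config now resolves inside the credentials directory too. The same hunk is duplicated by hand in `patches/pomerium-fix.patch`, so the two copies must be kept in sync whenever the module changes again.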