lukegb/depot
1
0
Fork 0
Code Issues 1 Pull requests Projects Packages Activity Actions

3p/nixpkgs: fix pomerium working directory

Browse source
This commit is contained in:
Luke Granger-Brown 2021-04-07 11:56:26 +00:00
parent 31811e480b
commit fcf39e6738
2 changed files with 26 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
third_party/nixpkgs/nixos/modules/services/web-servers/pomerium.nix vendored
View file

@ -69,11 +69,16 @@ in
CERTIFICATE_KEY_FILE = "key.pem"; CERTIFICATE_KEY_FILE = "key.pem";
}; };
startLimitIntervalSec = 60; startLimitIntervalSec = 60;
script = ''
if [[ -v CREDENTIALS_DIRECTORY ]]; then
cd "$CREDENTIALS_DIRECTORY"
fi
exec "${pkgs.pomerium}/bin/pomerium" -config "${cfgFile}"
'';
serviceConfig = { serviceConfig = {
DynamicUser = true; DynamicUser = true;
StateDirectory = [ "pomerium" ]; StateDirectory = [ "pomerium" ];
ExecStart = "${pkgs.pomerium}/bin/pomerium -config ${cfgFile}";
PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
MemoryDenyWriteExecute = false; # breaks LuaJIT MemoryDenyWriteExecute = false; # breaks LuaJIT

22
third_party/nixpkgs/patches/pomerium-fix.patch vendored
View file

@ -1,7 +1,25 @@
diff --git a/nixos/modules/services/web-servers/pomerium.nix b/nixos/modules/services/web-servers/pomerium.nix diff --git a/nixos/modules/services/web-servers/pomerium.nix b/nixos/modules/services/web-servers/pomerium.nix
--- a/nixos/modules/services/web-servers/pomerium.nix --- a/nixos/modules/services/web-servers/pomerium.nix
+++ b/nixos/modules/services/web-servers/pomerium.nix +++ b/nixos/modules/services/web-servers/pomerium.nix
@@ -99,7 +99,6 @@ in @@ -69,11 +69,16 @@ in
CERTIFICATE_KEY_FILE = "key.pem";
};
startLimitIntervalSec = 60;
+ script = ''
+ if [[ -v CREDENTIALS_DIRECTORY ]]; then
+ cd "$CREDENTIALS_DIRECTORY"
+ fi
+ exec "${pkgs.pomerium}/bin/pomerium" -config "${cfgFile}"
+ '';
serviceConfig = {
DynamicUser = true;
StateDirectory = [ "pomerium" ];
- ExecStart = "${pkgs.pomerium}/bin/pomerium -config ${cfgFile}";
PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
MemoryDenyWriteExecute = false; # breaks LuaJIT
@@ -99,7 +104,6 @@ in
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
@ -9,7 +27,7 @@ diff --git a/nixos/modules/services/web-servers/pomerium.nix b/nixos/modules/ser
LoadCredential = optionals (cfg.useACMEHost != null) [ LoadCredential = optionals (cfg.useACMEHost != null) [
"fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem" "fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem"
"key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem" "key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem"
@@ -119,7 +118,7 @@ in @@ -119,7 +123,7 @@ in
before = [ "acme-finished-${cfg.useACMEHost}.target" ]; before = [ "acme-finished-${cfg.useACMEHost}.target" ];
after = [ "acme-${cfg.useACMEHost}.service" ]; after = [ "acme-${cfg.useACMEHost}.service" ];
# Block reloading if not all certs exist yet. # Block reloading if not all certs exist yet.