From 860cc90fec86ea49d1f73ac5f5920f11afaba28d Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Fri, 11 Mar 2022 13:54:14 +0000
Subject: [PATCH 1/4] pomerium: 0.15.7 -> 0.17.0
---
 pkgs/servers/http/pomerium/default.nix | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/pkgs/servers/http/pomerium/default.nix b/pkgs/servers/http/pomerium/default.nix
index cbf2fe1943542..4a8381bccc996 100644
--- a/pkgs/servers/http/pomerium/default.nix
+++ b/pkgs/servers/http/pomerium/default.nix
@@ -11,18 +11,17 @@ let
 in
 buildGoModule rec {
 pname = "pomerium";
- version = "0.15.7";
+ version = "0.17.0";
 src = fetchFromGitHub {
 owner = "pomerium";
 repo = "pomerium";
 rev = "v${version}";
- hash = "sha256:0adlk4ylny1z43x1dw3ny0s1932vhb61hpf5wdz4r65y8k9qyfgr";
+ hash = "sha256:1hv76i6k9f0kp527nxlxqhklsvkh2cmfnqlszmlk2hxij31qnf8q";
 };
- vendorSha256 = "sha256:1fszfbra84pcs8v1h2kf7iy603vf9v2ysg6il76aqmqrxmb1p7nv";
+ vendorSha256 = "sha256:1cq4m5a7z64yg3v1c68d15ilw78il6p53vaqzxgn338zjggr3kig";
 subPackages = [
 "cmd/pomerium"
- "cmd/pomerium-cli"
 ];
 ldflags = let
@@ -74,7 +73,6 @@ buildGoModule rec {
 installPhase = ''
 install -Dm0755 $GOPATH/bin/pomerium $out/bin/pomerium
- install -Dm0755 $GOPATH/bin/pomerium-cli $out/bin/pomerium-cli
 '';
 passthru.tests = {
From 6659ba52480b2881c89c104370c2e7528fb34a0e Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Fri, 11 Mar 2022 14:01:27 +0000
Subject: [PATCH 2/4] pomerium-cli: init at 0.17.0
---
 pkgs/servers/http/pomerium/default.nix | 2 +
 pkgs/tools/security/pomerium-cli/default.nix | 58 ++++++++++++++++++++
 pkgs/top-level/all-packages.nix | 1 +
 3 files changed, 61 insertions(+)
 create mode 100644 pkgs/tools/security/pomerium-cli/default.nix
diff --git a/pkgs/servers/http/pomerium/default.nix b/pkgs/servers/http/pomerium/default.nix
index 4a8381bccc996..8a5580d5d0dba 100644
--- a/pkgs/servers/http/pomerium/default.nix
+++ b/pkgs/servers/http/pomerium/default.nix
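Review bot: The replaced `hash` and `vendorSha256` lines keep the legacy `sha256:<base32>` spelling; the form most of nixpkgs now uses for new hashes is SRI, `hash = "sha256-<base64>";`, which makes the algorithm self-describing and is what `nix hash to-sri --type sha256 <base32>` prints. The same applies to the `hash` and `vendorSha256` lines of the new `pkgs/tools/security/pomerium-cli/default.nix` in patch 2. This is spelling only; the pinned values themselves are untouched by the suggestion. The `buildGoModule rec { … }` attribute set this hunk edits closes outside the hunk.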
@@ -4,6 +4,7 @@
 , envoy
 , zip
 , nixosTests
+, pomerium-cli
 }:
 let
@@ -77,6 +78,7 @@ buildGoModule rec {
 passthru.tests = {
 inherit (nixosTests) pomerium;
+ inherit pomerium-cli;
 };
 meta = with lib; {
diff --git a/pkgs/tools/security/pomerium-cli/default.nix b/pkgs/tools/security/pomerium-cli/default.nix
new file mode 100644
index 0000000000000..7dc7e3a7a903c
--- /dev/null
+++ b/pkgs/tools/security/pomerium-cli/default.nix
@@ -0,0 +1,58 @@
+{ buildGoModule
+, fetchFromGitHub
+, lib
+, pomerium
+}:
+
+let
+ inherit (lib) concatStringsSep concatMap id mapAttrsToList;
+in
+buildGoModule rec {
+ pname = "pomerium-cli";
+ version = pomerium.version;
+ src = fetchFromGitHub {
+ owner = "pomerium";
+ repo = "cli";
+ rev = "v${version}";
+ hash = "sha256:0230b22xjnpykj8bcdahzzlsvlrd63z2cmg6yb246c5ngjs835q1";
+ };
+
+ vendorSha256 = "sha256:0xx22lmh6wip1d1bjrp4lgab3q9yilw54v4lg24lf3xhbsr5si9b";
+ subPackages = [
+ "cmd/pomerium-cli"
+ ];
+
+ ldflags = let
+ # Set a variety of useful meta variables for stamping the build with.
+ setVars = {
+ "github.com/pomerium/cli/version" = {
+ Version = "v${version}";
+ BuildMeta = "nixpkgs";
+ ProjectName = "pomerium-cli";
+ ProjectURL = "github.com/pomerium/cli";
+ };
+ };
+ concatStringsSpace = list: concatStringsSep " " list;
+ mapAttrsToFlatList = fn: list: concatMap id (mapAttrsToList fn list);
+ varFlags = concatStringsSpace (
+ mapAttrsToFlatList (package: packageVars:
+ mapAttrsToList (variable: value:
+ "-X ${package}.${variable}=${value}"
+ ) packageVars
+ ) setVars);
+ in [
+ "${varFlags}"
+ ];
+
+ installPhase = ''
+ install -Dm0755 $GOPATH/bin/pomerium-cli $out/bin/pomerium-cli
+ '';
+
+ meta = with lib; {
+ homepage = "https://pomerium.io";
+ description = "Client-side helper for Pomerium authenticating reverse proxy";
+ license = licenses.asl20;
+ maintainers = with maintainers; [ lukegb ];
+ platforms = platforms.unix;
+ };
+}
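Review bot: `inherit pomerium-cli;` under `passthru.tests` puts a plain package build next to a NixOS test (`inherit (nixosTests) pomerium;` on the line above) with no comment saying why; presumably it is there because pomerium-cli takes its version from this package, so a server bump with no matching cli tag fails at `pomerium.tests` instead of going unnoticed. I would say so on the line: `inherit pomerium-cli; # version-locked to this package; catches a bump with no matching cli release`. Note that the two expressions now reference each other (pomerium-cli takes `pomerium` as an input), which only works because `passthru` and `version` are evaluated lazily.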
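Review bot: `version = pomerium.version;` together with `rev = "v${version}";` assumes the `pomerium/cli` repository tags a release for every server version, and nothing in the file records that assumption; when it does not hold, a server bump either fails to fetch the tag or, if `hash` is updated but `vendorSha256` is not, fails on the vendor hash. An explicit `version = "0.17.0";` with its own bump cadence is the simpler contract; if the coupling is deliberate, keep it but document it: `# Tracks the server package's version: upstream is expected to tag pomerium/cli in lockstep — verify the tag exists on each bump.` The `meta` block could also name the binary, `mainProgram = "pomerium-cli";`, since the package installs exactly one program.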
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index a2880d70e6457..7b01dfe3fe72d 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -21613,6 +21613,7 @@ with pkgs;
 pflogsumm = callPackage ../servers/mail/postfix/pflogsumm.nix { };
 pomerium = callPackage ../servers/http/pomerium { };
+ pomerium-cli = callPackage ../tools/security/pomerium-cli { };
 postgrey = callPackage ../servers/mail/postgrey { };
From 3004e58f6a0817080f40db34dc96fdf4d5da6c18 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Fri, 11 Mar 2022 14:03:22 +0000
Subject: [PATCH 3/4] nixos/pomerium: avoid blocking when renewing ACME certificates
---
 nixos/modules/services/web-servers/pomerium.nix | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/nixos/modules/services/web-servers/pomerium.nix b/nixos/modules/services/web-servers/pomerium.nix
index 2bc7d01c7c287..0b460755f50ef 100644
--- a/nixos/modules/services/web-servers/pomerium.nix
+++ b/nixos/modules/services/web-servers/pomerium.nix
@@ -69,11 +69,16 @@ in
 CERTIFICATE_KEY_FILE = "key.pem";
 };
 startLimitIntervalSec = 60;
+ script = ''
+ if [[ -v CREDENTIALS_DIRECTORY ]]; then
+ cd "$CREDENTIALS_DIRECTORY"
+ fi
+ exec "${pkgs.pomerium}/bin/pomerium" -config "${cfgFile}"
+ '';
 serviceConfig = {
 DynamicUser = true;
 StateDirectory = [ "pomerium" ];
- ExecStart = "${pkgs.pomerium}/bin/pomerium -config ${cfgFile}";
 PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
 MemoryDenyWriteExecute = false; # breaks LuaJIT
@@ -99,7 +104,6 @@ in
 AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
 CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
- WorkingDirectory = mkIf (cfg.useACMEHost != null) "$CREDENTIALS_DIRECTORY";
 LoadCredential = optionals (cfg.useACMEHost != null) [
 "fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem"
 "key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem"
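Review bot: The new `script` exists only to `cd "$CREDENTIALS_DIRECTORY"` before exec'ing the daemon, replacing the `WorkingDirectory = mkIf (cfg.useACMEHost != null) "$CREDENTIALS_DIRECTORY";` removed in the second hunk of this file (as far as I know systemd does not expand environment variables in `WorkingDirectory=`, so that line could not have worked as written); the same effect is available declaratively through the credentials-directory specifier, `WorkingDirectory = mkIf (cfg.useACMEHost != null) "%d";`, which keeps the original `ExecStart` and avoids wrapping the daemon in a shell. If the wrapper stays, say why on the line: `# CERTIFICATE_FILE/CERTIFICATE_KEY_FILE are relative; LoadCredential places them in $CREDENTIALS_DIRECTORY`. With `useACMEHost = null` the `-v` guard lets the daemon start in an unspecified directory while `CERTIFICATE_KEY_FILE = "key.pem"` is still relative — whether that `environment` block is itself conditional I cannot tell, since it starts above the hunk. The `systemd.services.pomerium` definition these hunks edit begins and ends outside the hunks.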
@@ -124,7 +128,7 @@ in
 Type = "oneshot";
 TimeoutSec = 60;
 ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active pomerium.service";
- ExecStart = "/run/current-system/systemd/bin/systemctl restart pomerium.service";
+ ExecStart = "/run/current-system/systemd/bin/systemctl --no-block restart pomerium.service";
 };
 };
 });
From c19e76b29f7bd0d225ab89feb0a3726676f915c8 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Fri, 11 Mar 2022 14:07:12 +0000
Subject: [PATCH 4/4] pomerium: note changes in packaging in 22.05 release notes
---
 .../manual/from_md/release-notes/rl-2205.section.xml | 10 ++++++++++
 nixos/doc/manual/release-notes/rl-2205.section.md | 5 +++++
 2 files changed, 15 insertions(+)
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
index 9cf27e56827a1..333994c0957d6 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -1322,6 +1322,16 @@
 warning.
 </para>
 </listitem>
+ <listitem>
+ <para>
+ The <literal>pomerium-cli</literal> command has been moved out
+ of the <literal>pomerium</literal> package into the
+ <literal>pomerium-cli</literal> package, following upstream’s
+ repository split. If you are using the
+ <literal>pomerium-cli</literal> command, you should now
+ install the <literal>pomerium-cli</literal> package.
+ </para>
+ </listitem>
 <listitem>
 <para>
 The option
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
index 58a1b23d17bf6..222c101a2842d 100644
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
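Review bot: With `--no-block` this oneshot returns as soon as the restart is queued, so a pomerium.service that fails to come back up no longer fails the renewal hook and `TimeoutSec = 60` no longer bounds the restart itself; the failure is visible only on pomerium.service. That is presumably intended (the subject says the synchronous restart blocked renewal), but the line should say so or the next reader will revert it: `# --no-block: waiting for the restart from the ACME renewal hook blocks; failures now surface on pomerium.service, not here`. Anyone alerting on failed renewals should therefore watch pomerium.service's state as well. The unit definition this hunk edits starts outside the hunk.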
@@ -479,6 +479,11 @@ In addition to numerous new and upgraded packages, this release has the followin
 Reason is that the old name has been deprecated upstream. Using the old option name will still work, but produce a warning.
+- The `pomerium-cli` command has been moved out of the `pomerium` package into
+ the `pomerium-cli` package, following upstream's repository split. If you are
+ using the `pomerium-cli` command, you should now install the `pomerium-cli`
+ package.
+
 - The option [services.networking.networkmanager.enableFccUnlock](#opt-networking.networkmanager.enableFccUnlock) was added to support FCC unlock procedures. Since release 1.18.4, the ModemManager