From 860cc90fec86ea49d1f73ac5f5920f11afaba28d Mon Sep 17 00:00:00 2001
|
||
From: Luke Granger-Brown <git@lukegb.com>
|
||
Date: Fri, 11 Mar 2022 13:54:14 +0000
|
||
Subject: [PATCH 1/4] pomerium: 0.15.7 -> 0.17.0
|
||
|
||
---
|
||
pkgs/servers/http/pomerium/default.nix | 8 +++-----
|
||
1 file changed, 3 insertions(+), 5 deletions(-)
|
||
|
||
diff --git a/pkgs/servers/http/pomerium/default.nix b/pkgs/servers/http/pomerium/default.nix
|
||
index cbf2fe1943542..4a8381bccc996 100644
|
||
--- a/pkgs/servers/http/pomerium/default.nix
|
||
+++ b/pkgs/servers/http/pomerium/default.nix
|
||
@@ -11,18 +11,17 @@ let
|
||
in
|
||
buildGoModule rec {
|
||
pname = "pomerium";
|
||
- version = "0.15.7";
|
||
+ version = "0.17.0";
|
||
src = fetchFromGitHub {
|
||
owner = "pomerium";
|
||
repo = "pomerium";
|
||
rev = "v${version}";
|
||
- hash = "sha256:0adlk4ylny1z43x1dw3ny0s1932vhb61hpf5wdz4r65y8k9qyfgr";
|
||
+ hash = "sha256:1hv76i6k9f0kp527nxlxqhklsvkh2cmfnqlszmlk2hxij31qnf8q";
|
||
};
|
||
|
||
- vendorSha256 = "sha256:1fszfbra84pcs8v1h2kf7iy603vf9v2ysg6il76aqmqrxmb1p7nv";
|
||
+ vendorSha256 = "sha256:1cq4m5a7z64yg3v1c68d15ilw78il6p53vaqzxgn338zjggr3kig";
|
||
subPackages = [
|
||
"cmd/pomerium"
|
||
- "cmd/pomerium-cli"
|
||
];
|
||
|
||
ldflags = let
|
||
@@ -74,7 +73,6 @@ buildGoModule rec {
|
||
|
||
installPhase = ''
|
||
install -Dm0755 $GOPATH/bin/pomerium $out/bin/pomerium
|
||
- install -Dm0755 $GOPATH/bin/pomerium-cli $out/bin/pomerium-cli
|
||
'';
|
||
|
||
passthru.tests = {
|
||
|
||
From 6659ba52480b2881c89c104370c2e7528fb34a0e Mon Sep 17 00:00:00 2001
|
||
From: Luke Granger-Brown <git@lukegb.com>
|
||
Date: Fri, 11 Mar 2022 14:01:27 +0000
|
||
Subject: [PATCH 2/4] pomerium-cli: init at 0.17.0
|
||
|
||
---
|
||
pkgs/servers/http/pomerium/default.nix | 2 +
|
||
pkgs/tools/security/pomerium-cli/default.nix | 58 ++++++++++++++++++++
|
||
pkgs/top-level/all-packages.nix | 1 +
|
||
3 files changed, 61 insertions(+)
|
||
create mode 100644 pkgs/tools/security/pomerium-cli/default.nix
|
||
|
||
diff --git a/pkgs/servers/http/pomerium/default.nix b/pkgs/servers/http/pomerium/default.nix
|
||
index 4a8381bccc996..8a5580d5d0dba 100644
|
||
--- a/pkgs/servers/http/pomerium/default.nix
|
||
+++ b/pkgs/servers/http/pomerium/default.nix
|
||
@@ -4,6 +4,7 @@
|
||
, envoy
|
||
, zip
|
||
, nixosTests
|
||
+, pomerium-cli
|
||
}:
|
||
|
||
let
|
||
@@ -77,6 +78,7 @@ buildGoModule rec {
|
||
|
||
passthru.tests = {
|
||
inherit (nixosTests) pomerium;
|
||
+ inherit pomerium-cli;
|
||
};
|
||
|
||
meta = with lib; {
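Review bot: `inherit pomerium-cli;` under `passthru.tests` adds the CLI derivation itself, not a test, so the only thing it asserts is that `pomerium-cli` evaluates and builds whenever `pomerium` is checked. That is presumably deliberate, because the new package in the next hunk takes its version from `pomerium.version`, so a server bump with stale CLI hashes would surface here; nothing on the line says so. A short comment would make the intent survive the next maintainer: `# pomerium-cli tracks this package's version; build it so a bump with stale hashes fails here`. The enclosing `buildGoModule rec { ... }` starts outside the hunk.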
|
||
diff --git a/pkgs/tools/security/pomerium-cli/default.nix b/pkgs/tools/security/pomerium-cli/default.nix
|
||
new file mode 100644
|
||
index 0000000000000..7dc7e3a7a903c
|
||
--- /dev/null
|
||
+++ b/pkgs/tools/security/pomerium-cli/default.nix
|
||
@@ -0,0 +1,58 @@
|
||
+{ buildGoModule
|
||
+, fetchFromGitHub
|
||
+, lib
|
||
+, pomerium
|
||
+}:
|
||
+
|
||
+let
|
||
+ inherit (lib) concatStringsSep concatMap id mapAttrsToList;
|
||
+in
|
||
+buildGoModule rec {
|
||
+ pname = "pomerium-cli";
|
||
+ version = pomerium.version;
|
||
+ src = fetchFromGitHub {
|
||
+ owner = "pomerium";
|
||
+ repo = "cli";
|
||
+ rev = "v${version}";
|
||
+ hash = "sha256:0230b22xjnpykj8bcdahzzlsvlrd63z2cmg6yb246c5ngjs835q1";
|
||
+ };
|
||
+
|
||
+ vendorSha256 = "sha256:0xx22lmh6wip1d1bjrp4lgab3q9yilw54v4lg24lf3xhbsr5si9b";
|
||
+ subPackages = [
|
||
+ "cmd/pomerium-cli"
|
||
+ ];
|
||
+
|
||
+ ldflags = let
|
||
+ # Set a variety of useful meta variables for stamping the build with.
|
||
+ setVars = {
|
||
+ "github.com/pomerium/cli/version" = {
|
||
+ Version = "v${version}";
|
||
+ BuildMeta = "nixpkgs";
|
||
+ ProjectName = "pomerium-cli";
|
||
+ ProjectURL = "github.com/pomerium/cli";
|
||
+ };
|
||
+ };
|
||
+ concatStringsSpace = list: concatStringsSep " " list;
|
||
+ mapAttrsToFlatList = fn: list: concatMap id (mapAttrsToList fn list);
|
||
+ varFlags = concatStringsSpace (
|
||
+ mapAttrsToFlatList (package: packageVars:
|
||
+ mapAttrsToList (variable: value:
|
||
+ "-X ${package}.${variable}=${value}"
|
||
+ ) packageVars
|
||
+ ) setVars);
|
||
+ in [
|
||
+ "${varFlags}"
|
||
+ ];
|
||
+
|
||
+ installPhase = ''
|
||
+ install -Dm0755 $GOPATH/bin/pomerium-cli $out/bin/pomerium-cli
|
||
+ '';
|
||
+
|
||
+ meta = with lib; {
|
||
+ homepage = "https://pomerium.io";
|
||
+ description = "Client-side helper for Pomerium authenticating reverse proxy";
|
||
+ license = licenses.asl20;
|
||
+ maintainers = with maintainers; [ lukegb ];
|
||
+ platforms = platforms.unix;
|
||
+ };
|
||
+}
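Review bot: `version = pomerium.version;` combined with the fixed `hash` and `vendorSha256` means any bump of the server package silently changes this package's `rev` while its pins stay put, so the fetch fails closed until both hashes are updated; the commit message and the 22.05 note say upstream split the repositories, so the two release lines may also diverge. If the coupling is intended (the `passthru.tests` entry in the earlier hunk suggests it), document it on the line: `version = pomerium.version; # kept in lock-step with the server; update hash/vendorSha256 when bumping pomerium`, otherwise pin it independently with `version = "0.17.0";`. As a point of style, `mapAttrsToFlatList` already yields a list of `-X` flags, so `ldflags` can be that list directly instead of joining it into the single element `"${varFlags}"` via `concatStringsSpace`, which drops two helpers.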
|
||
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
|
||
index a2880d70e6457..7b01dfe3fe72d 100644
|
||
--- a/pkgs/top-level/all-packages.nix
|
||
+++ b/pkgs/top-level/all-packages.nix
|
||
@@ -21613,6 +21613,7 @@ with pkgs;
|
||
pflogsumm = callPackage ../servers/mail/postfix/pflogsumm.nix { };
|
||
|
||
pomerium = callPackage ../servers/http/pomerium { };
|
||
+ pomerium-cli = callPackage ../tools/security/pomerium-cli { };
|
||
|
||
postgrey = callPackage ../servers/mail/postgrey { };
|
||
|
||
|
||
From 3004e58f6a0817080f40db34dc96fdf4d5da6c18 Mon Sep 17 00:00:00 2001
|
||
From: Luke Granger-Brown <git@lukegb.com>
|
||
Date: Fri, 11 Mar 2022 14:03:22 +0000
|
||
Subject: [PATCH 3/4] nixos/pomerium: avoid blocking when renewing ACME
|
||
certificates
|
||
|
||
---
|
||
nixos/modules/services/web-servers/pomerium.nix | 10 +++++++---
|
||
1 file changed, 7 insertions(+), 3 deletions(-)
|
||
|
||
diff --git a/nixos/modules/services/web-servers/pomerium.nix b/nixos/modules/services/web-servers/pomerium.nix
|
||
index 2bc7d01c7c287..0b460755f50ef 100644
|
||
--- a/nixos/modules/services/web-servers/pomerium.nix
|
||
+++ b/nixos/modules/services/web-servers/pomerium.nix
|
||
@@ -69,11 +69,16 @@ in
|
||
CERTIFICATE_KEY_FILE = "key.pem";
|
||
};
|
||
startLimitIntervalSec = 60;
|
||
+ script = ''
|
||
+ if [[ -v CREDENTIALS_DIRECTORY ]]; then
|
||
+ cd "$CREDENTIALS_DIRECTORY"
|
||
+ fi
|
||
+ exec "${pkgs.pomerium}/bin/pomerium" -config "${cfgFile}"
|
||
+ '';
|
||
|
||
serviceConfig = {
|
||
DynamicUser = true;
|
||
StateDirectory = [ "pomerium" ];
|
||
- ExecStart = "${pkgs.pomerium}/bin/pomerium -config ${cfgFile}";
|
||
|
||
PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
|
||
MemoryDenyWriteExecute = false; # breaks LuaJIT
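Review bot: The `cd "$CREDENTIALS_DIRECTORY"` in the new `script` is the only thing that makes the relative `CERTIFICATE_FILE`/`CERTIFICATE_KEY_FILE` values (`key.pem` at the top of this hunk) resolve, and neither the script nor the environment block says so; the `WorkingDirectory = "$CREDENTIALS_DIRECTORY"` removed in the second hunk presumably never worked because systemd does not expand environment variables in that setting. Add a comment above the conditional, e.g. `# Cert paths in the environment are relative to the credentials directory, which systemd only exposes via $CREDENTIALS_DIRECTORY at runtime.`. If the target systemd is new enough to offer the `%d` specifier, `WorkingDirectory = "%d"` would achieve the same without a shell wrapper, but that should be confirmed against the systemd shipped with this release. The enclosing `systemd.services.pomerium` attribute set and the environment block start outside the hunk.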
|
||
@@ -99,7 +104,6 @@ in
|
||
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
|
||
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
|
||
|
||
- WorkingDirectory = mkIf (cfg.useACMEHost != null) "$CREDENTIALS_DIRECTORY";
|
||
LoadCredential = optionals (cfg.useACMEHost != null) [
|
||
"fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem"
|
||
"key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem"
|
||
@@ -124,7 +128,7 @@ in
|
||
Type = "oneshot";
|
||
TimeoutSec = 60;
|
||
ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active pomerium.service";
|
||
- ExecStart = "/run/current-system/systemd/bin/systemctl restart pomerium.service";
|
||
+ ExecStart = "/run/current-system/systemd/bin/systemctl --no-block restart pomerium.service";
|
||
};
|
||
};
|
||
});
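Review bot: With `--no-block`, the renewal hook's oneshot exits successfully as soon as the restart job is queued, so a restart that then fails (for example because pomerium rejects the renewed certificate) is no longer reflected in this unit's result and shows up only on `pomerium.service`. That is a reasonable trade for not stalling ACME renewal, but anyone watching the hook unit for failures should know where the signal moved; a one-line comment would do: `# --no-block: queue the restart and return; check pomerium.service itself for the outcome`. The enclosing `mkIf` block and the unit definition start outside the hunk.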
|
||
|
||
From c19e76b29f7bd0d225ab89feb0a3726676f915c8 Mon Sep 17 00:00:00 2001
|
||
From: Luke Granger-Brown <git@lukegb.com>
|
||
Date: Fri, 11 Mar 2022 14:07:12 +0000
|
||
Subject: [PATCH 4/4] pomerium: note changes in packaging in 22.05 release
|
||
notes
|
||
|
||
---
|
||
.../manual/from_md/release-notes/rl-2205.section.xml | 10 ++++++++++
|
||
nixos/doc/manual/release-notes/rl-2205.section.md | 5 +++++
|
||
2 files changed, 15 insertions(+)
|
||
|
||
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
|
||
index 9cf27e56827a1..333994c0957d6 100644
|
||
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
|
||
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
|
||
@@ -1322,6 +1322,16 @@
|
||
warning.
|
||
</para>
|
||
</listitem>
|
||
+ <listitem>
|
||
+ <para>
|
||
+ The <literal>pomerium-cli</literal> command has been moved out
|
||
+ of the <literal>pomerium</literal> package into the
|
||
+ <literal>pomerium-cli</literal> package, following upstream’s
|
||
+ repository split. If you are using the
|
||
+ <literal>pomerium-cli</literal> command, you should now
|
||
+ install the <literal>pomerium-cli</literal> package.
|
||
+ </para>
|
||
+ </listitem>
|
||
<listitem>
|
||
<para>
|
||
The option
|
||
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
|
||
index 58a1b23d17bf6..222c101a2842d 100644
|
||
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
|
||
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
|
||
@@ -479,6 +479,11 @@ In addition to numerous new and upgraded packages, this release has the followin
|
||
Reason is that the old name has been deprecated upstream.
|
||
Using the old option name will still work, but produce a warning.
|
||
|
||
+- The `pomerium-cli` command has been moved out of the `pomerium` package into
|
||
+ the `pomerium-cli` package, following upstream's repository split. If you are
|
||
+ using the `pomerium-cli` command, you should now install the `pomerium-cli`
|
||
+ package.
|
||
+
|
||
- The option
|
||
[services.networking.networkmanager.enableFccUnlock](#opt-networking.networkmanager.enableFccUnlock)
|
||
was added to support FCC unlock procedures. Since release 1.18.4, the ModemManager
|