Merge pull request #163673 from lukegb/pomerium
pomerium: 0.15.7 -> 0.17.0
commit
8035c513e3
|
@ -1374,6 +1374,16 @@
|
||||||
warning.
|
warning.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
The <literal>pomerium-cli</literal> command has been moved out
|
||||||
|
of the <literal>pomerium</literal> package into the
|
||||||
|
<literal>pomerium-cli</literal> package, following upstream’s
|
||||||
|
repository split. If you are using the
|
||||||
|
<literal>pomerium-cli</literal> command, you should now
|
||||||
|
install the <literal>pomerium-cli</literal> package.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
The option
|
The option
|
||||||
|
|
|
@ -503,6 +503,11 @@ In addition to numerous new and upgraded packages, this release has the followin
|
||||||
Reason is that the old name has been deprecated upstream.
|
Reason is that the old name has been deprecated upstream.
|
||||||
Using the old option name will still work, but produce a warning.
|
Using the old option name will still work, but produce a warning.
|
||||||
|
|
||||||
|
- The `pomerium-cli` command has been moved out of the `pomerium` package into
|
||||||
|
the `pomerium-cli` package, following upstream's repository split. If you are
|
||||||
|
using the `pomerium-cli` command, you should now install the `pomerium-cli`
|
||||||
|
package.
|
||||||
|
|
||||||
- The option
|
- The option
|
||||||
[services.networking.networkmanager.enableFccUnlock](#opt-networking.networkmanager.enableFccUnlock)
|
[services.networking.networkmanager.enableFccUnlock](#opt-networking.networkmanager.enableFccUnlock)
|
||||||
was added to support FCC unlock procedures. Since release 1.18.4, the ModemManager
|
was added to support FCC unlock procedures. Since release 1.18.4, the ModemManager
|
||||||
|
|
|
@ -69,11 +69,16 @@ in
|
||||||
CERTIFICATE_KEY_FILE = "key.pem";
|
CERTIFICATE_KEY_FILE = "key.pem";
|
||||||
};
|
};
|
||||||
startLimitIntervalSec = 60;
|
startLimitIntervalSec = 60;
|
||||||
|
script = ''
|
||||||
|
if [[ -v CREDENTIALS_DIRECTORY ]]; then
|
||||||
|
cd "$CREDENTIALS_DIRECTORY"
|
||||||
|
fi
|
||||||
|
exec "${pkgs.pomerium}/bin/pomerium" -config "${cfgFile}"
|
||||||
|
'';
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
DynamicUser = true;
|
DynamicUser = true;
|
||||||
StateDirectory = [ "pomerium" ];
|
StateDirectory = [ "pomerium" ];
|
||||||
ExecStart = "${pkgs.pomerium}/bin/pomerium -config ${cfgFile}";
|
|
||||||
|
|
||||||
PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
|
PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
|
||||||
MemoryDenyWriteExecute = false; # breaks LuaJIT
|
MemoryDenyWriteExecute = false; # breaks LuaJIT
|
||||||
|
@ -99,7 +104,6 @@ in
|
||||||
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
|
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
|
||||||
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
|
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
|
||||||
|
|
||||||
WorkingDirectory = mkIf (cfg.useACMEHost != null) "$CREDENTIALS_DIRECTORY";
|
|
||||||
LoadCredential = optionals (cfg.useACMEHost != null) [
|
LoadCredential = optionals (cfg.useACMEHost != null) [
|
||||||
"fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem"
|
"fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem"
|
||||||
"key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem"
|
"key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem"
|
||||||
|
@ -124,7 +128,7 @@ in
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
TimeoutSec = 60;
|
TimeoutSec = 60;
|
||||||
ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active pomerium.service";
|
ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active pomerium.service";
|
||||||
ExecStart = "/run/current-system/systemd/bin/systemctl restart pomerium.service";
|
ExecStart = "/run/current-system/systemd/bin/systemctl --no-block restart pomerium.service";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
|
|
|
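Review bot: The first hunk (`@ -69,11 +69,16 @@`) replaces `ExecStart` with a `script` that does `cd "$CREDENTIALS_DIRECTORY"` and drops the old `WorkingDirectory = mkIf (cfg.useACMEHost != null) "$CREDENTIALS_DIRECTORY"`, but nothing in the new code records why, so a later cleanup could move the command back to `ExecStart` and reintroduce the non-working `WorkingDirectory=` form. A comment above the `if [[ -v CREDENTIALS_DIRECTORY ]]` line would make the intent durable, e.g. `# systemd does not expand $CREDENTIALS_DIRECTORY in WorkingDirectory=, so change into it here so the relative CERTIFICATE_KEY_FILE path resolves to the LoadCredential= copy of the ACME key`. The `environment` block whose `CERTIFICATE_KEY_FILE = "key.pem"` line appears as context starts outside the hunk, so I cannot see whether those relative paths are also conditional on `cfg.useACMEHost`; if they are not, the `-v` guard lets pomerium resolve `key.pem` against the service's default working directory instead of failing clearly, which is worth confirming. In the third hunk (`@ -124,7 +128,7 @@`) the added `--no-block` means the oneshot exits before the restart completes, so a pomerium that fails to come back up with the renewed certificate no longer fails the renewal hook; if that is deliberate (avoiding a wait on the unit being restarted), a one-line comment saying so would help the next reader.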
@ -4,6 +4,7 @@
|
||||||
, envoy
|
, envoy
|
||||||
, zip
|
, zip
|
||||||
, nixosTests
|
, nixosTests
|
||||||
|
, pomerium-cli
|
||||||
}:
|
}:
|
||||||
|
|
||||||
let
|
let
|
||||||
|
@ -11,18 +12,17 @@ let
|
||||||
in
|
in
|
||||||
buildGoModule rec {
|
buildGoModule rec {
|
||||||
pname = "pomerium";
|
pname = "pomerium";
|
||||||
version = "0.15.7";
|
version = "0.17.0";
|
||||||
src = fetchFromGitHub {
|
src = fetchFromGitHub {
|
||||||
owner = "pomerium";
|
owner = "pomerium";
|
||||||
repo = "pomerium";
|
repo = "pomerium";
|
||||||
rev = "v${version}";
|
rev = "v${version}";
|
||||||
hash = "sha256:0adlk4ylny1z43x1dw3ny0s1932vhb61hpf5wdz4r65y8k9qyfgr";
|
hash = "sha256:1hv76i6k9f0kp527nxlxqhklsvkh2cmfnqlszmlk2hxij31qnf8q";
|
||||||
};
|
};
|
||||||
|
|
||||||
vendorSha256 = "sha256:1fszfbra84pcs8v1h2kf7iy603vf9v2ysg6il76aqmqrxmb1p7nv";
|
vendorSha256 = "sha256:1cq4m5a7z64yg3v1c68d15ilw78il6p53vaqzxgn338zjggr3kig";
|
||||||
subPackages = [
|
subPackages = [
|
||||||
"cmd/pomerium"
|
"cmd/pomerium"
|
||||||
"cmd/pomerium-cli"
|
|
||||||
];
|
];
|
||||||
|
|
||||||
ldflags = let
|
ldflags = let
|
||||||
|
@ -74,11 +74,11 @@ buildGoModule rec {
|
||||||
|
|
||||||
installPhase = ''
|
installPhase = ''
|
||||||
install -Dm0755 $GOPATH/bin/pomerium $out/bin/pomerium
|
install -Dm0755 $GOPATH/bin/pomerium $out/bin/pomerium
|
||||||
install -Dm0755 $GOPATH/bin/pomerium-cli $out/bin/pomerium-cli
|
|
||||||
'';
|
'';
|
||||||
|
|
||||||
passthru.tests = {
|
passthru.tests = {
|
||||||
inherit (nixosTests) pomerium;
|
inherit (nixosTests) pomerium;
|
||||||
|
inherit pomerium-cli;
|
||||||
};
|
};
|
||||||
|
|
||||||
meta = with lib; {
|
meta = with lib; {
|
||||||
|
|
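--- /dev/null
+++ b/pkgs/tools/security/pomerium-cli/default.nix
@@ -0,0 +1,58 @@
+{ buildGoModule
+, fetchFromGitHub
+, lib
+, pomerium
+}:
+
+let
+inherit (lib) concatStringsSep concatMap id mapAttrsToList;
+in
+buildGoModule rec {
+pname = "pomerium-cli";
+version = pomerium.version;
+src = fetchFromGitHub {
+owner = "pomerium";
+repo = "cli";
+rev = "v${version}";
+hash = "sha256:0230b22xjnpykj8bcdahzzlsvlrd63z2cmg6yb246c5ngjs835q1";
+};
+
+vendorSha256 = "sha256:0xx22lmh6wip1d1bjrp4lgab3q9yilw54v4lg24lf3xhbsr5si9b";
+subPackages = [
+"cmd/pomerium-cli"
+];
+
+ldflags = let
+# Set a variety of useful meta variables for stamping the build with.
+setVars = {
+"github.com/pomerium/cli/version" = {
+Version = "v${version}";
+BuildMeta = "nixpkgs";
+ProjectName = "pomerium-cli";
+ProjectURL = "github.com/pomerium/cli";
+};
+};
+concatStringsSpace = list: concatStringsSep " " list;
+mapAttrsToFlatList = fn: list: concatMap id (mapAttrsToList fn list);
+varFlags = concatStringsSpace (
+mapAttrsToFlatList (package: packageVars:
+mapAttrsToList (variable: value:
+"-X ${package}.${variable}=${value}"
+) packageVars
+) setVars);
+in [
+"${varFlags}"
+];
+
+installPhase = ''
+install -Dm0755 $GOPATH/bin/pomerium-cli $out/bin/pomerium-cli
+'';
+
+meta = with lib; {
+homepage = "https://pomerium.io";
+description = "Client-side helper for Pomerium authenticating reverse proxy";
+license = licenses.asl20;
+maintainers = with maintainers; [ lukegb ];
+platforms = platforms.unix;
+};
+}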
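Review bot: `version = pomerium.version;` near the top of this new `buildGoModule rec` ties `rev = "v${version}"` to the server package's release tag, yet `src` fetches a different repository (`pomerium/cli`) with its own tags, so the next `pomerium` bump silently changes the rev fetched here without anyone touching `hash` or `vendorSha256`, and the build then fails on a hash mismatch (or on a missing tag) rather than being reviewed as a cli update in its own right. The pair of tags evidently lines up for this commit, since the recorded hash was produced for `v0.17.0`, but whether upstream keeps the two repositories' releases in lockstep I cannot tell from here. Giving this file its own literal `version = "0.17.0";` would decouple the two packages and make each bump explicit; if the coupling is intentional, a comment on that line such as `# upstream tags cli releases together with the server; bump alongside pkgs/servers/http/pomerium` would record the assumption for the next maintainer.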
@ -21618,6 +21618,7 @@ with pkgs;
|
||||||
pflogsumm = callPackage ../servers/mail/postfix/pflogsumm.nix { };
|
pflogsumm = callPackage ../servers/mail/postfix/pflogsumm.nix { };
|
||||||
|
|
||||||
pomerium = callPackage ../servers/http/pomerium { };
|
pomerium = callPackage ../servers/http/pomerium { };
|
||||||
|
pomerium-cli = callPackage ../tools/security/pomerium-cli { };
|
||||||
|
|
||||||
postgrey = callPackage ../servers/mail/postgrey { };
|
postgrey = callPackage ../servers/mail/postgrey { };
|
||||||
|
|
||||||
|
|