Merge pull request #163673 from lukegb/pomerium
pomerium: 0.15.7 -> 0.17.0
commit
8035c513e3
6 changed files with 86 additions and 8 deletions
|
@ -1374,6 +1374,16 @@
|
|||
warning.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The <literal>pomerium-cli</literal> command has been moved out
|
||||
of the <literal>pomerium</literal> package into the
|
||||
<literal>pomerium-cli</literal> package, following upstream’s
|
||||
repository split. If you are using the
|
||||
<literal>pomerium-cli</literal> command, you should now
|
||||
install the <literal>pomerium-cli</literal> package.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The option
|
||||
|
|
|
@ -503,6 +503,11 @@ In addition to numerous new and upgraded packages, this release has the followin
|
|||
Reason is that the old name has been deprecated upstream.
|
||||
Using the old option name will still work, but produce a warning.
|
||||
|
||||
- The `pomerium-cli` command has been moved out of the `pomerium` package into
|
||||
the `pomerium-cli` package, following upstream's repository split. If you are
|
||||
using the `pomerium-cli` command, you should now install the `pomerium-cli`
|
||||
package.
|
||||
|
||||
- The option
|
||||
[services.networking.networkmanager.enableFccUnlock](#opt-networking.networkmanager.enableFccUnlock)
|
||||
was added to support FCC unlock procedures. Since release 1.18.4, the ModemManager
|
||||
|
|
|
@ -69,11 +69,16 @@ in
|
|||
CERTIFICATE_KEY_FILE = "key.pem";
|
||||
};
|
||||
startLimitIntervalSec = 60;
|
||||
script = ''
|
||||
if [[ -v CREDENTIALS_DIRECTORY ]]; then
|
||||
cd "$CREDENTIALS_DIRECTORY"
|
||||
fi
|
||||
exec "${pkgs.pomerium}/bin/pomerium" -config "${cfgFile}"
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
DynamicUser = true;
|
||||
StateDirectory = [ "pomerium" ];
|
||||
ExecStart = "${pkgs.pomerium}/bin/pomerium -config ${cfgFile}";
|
||||
|
||||
PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
|
||||
MemoryDenyWriteExecute = false; # breaks LuaJIT
|
||||
|
@ -99,7 +104,6 @@ in
|
|||
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
|
||||
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
|
||||
|
||||
WorkingDirectory = mkIf (cfg.useACMEHost != null) "$CREDENTIALS_DIRECTORY";
|
||||
LoadCredential = optionals (cfg.useACMEHost != null) [
|
||||
"fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem"
|
||||
"key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem"
|
||||
|
@ -124,7 +128,7 @@ in
|
|||
Type = "oneshot";
|
||||
TimeoutSec = 60;
|
||||
ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active pomerium.service";
|
||||
ExecStart = "/run/current-system/systemd/bin/systemctl restart pomerium.service";
|
||||
ExecStart = "/run/current-system/systemd/bin/systemctl --no-block restart pomerium.service";
|
||||
};
|
||||
};
|
||||
});
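Review bot: The new `script` wrapper enters `$CREDENTIALS_DIRECTORY` without saying why, and the reason is not obvious from the unit. The certificate setting visible just above it (`CERTIFICATE_KEY_FILE = "key.pem"`) is a relative name, so it presumably resolves only once the working directory is the directory that `LoadCredential` populates. I would put a comment above the `if`, for example `# key.pem/fullchain.pem are relative names; cd into the LoadCredential directory so they resolve before exec`. The comment should also say that TLS key loading depends on this working directory, so that a later return to a plain `ExecStart` or a changed cwd is recognised as breaking it. The attribute set this hunk sits in starts and ends outside the hunk.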
|
||||
|
|
|
@ -4,6 +4,7 @@
|
|||
, envoy
|
||||
, zip
|
||||
, nixosTests
|
||||
, pomerium-cli
|
||||
}:
|
||||
|
||||
let
|
||||
|
@ -11,18 +12,17 @@ let
|
|||
in
|
||||
buildGoModule rec {
|
||||
pname = "pomerium";
|
||||
version = "0.15.7";
|
||||
version = "0.17.0";
|
||||
src = fetchFromGitHub {
|
||||
owner = "pomerium";
|
||||
repo = "pomerium";
|
||||
rev = "v${version}";
|
||||
hash = "sha256:0adlk4ylny1z43x1dw3ny0s1932vhb61hpf5wdz4r65y8k9qyfgr";
|
||||
hash = "sha256:1hv76i6k9f0kp527nxlxqhklsvkh2cmfnqlszmlk2hxij31qnf8q";
|
||||
};
|
||||
|
||||
vendorSha256 = "sha256:1fszfbra84pcs8v1h2kf7iy603vf9v2ysg6il76aqmqrxmb1p7nv";
|
||||
vendorSha256 = "sha256:1cq4m5a7z64yg3v1c68d15ilw78il6p53vaqzxgn338zjggr3kig";
|
||||
subPackages = [
|
||||
"cmd/pomerium"
|
||||
"cmd/pomerium-cli"
|
||||
];
|
||||
|
||||
ldflags = let
|
||||
|
@ -74,11 +74,11 @@ buildGoModule rec {
|
|||
|
||||
installPhase = ''
|
||||
install -Dm0755 $GOPATH/bin/pomerium $out/bin/pomerium
|
||||
install -Dm0755 $GOPATH/bin/pomerium-cli $out/bin/pomerium-cli
|
||||
'';
|
||||
|
||||
passthru.tests = {
|
||||
inherit (nixosTests) pomerium;
|
||||
inherit pomerium-cli;
|
||||
};
|
||||
|
||||
meta = with lib; {
|
||||
|
|
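--- a/pkgs/tools/security/pomerium-cli/default.nix
+++ b/pkgs/tools/security/pomerium-cli/default.nix
@@ -0,0 +1,58 @@
+{ buildGoModule
+, fetchFromGitHub
+, lib
+, pomerium
+}:
+
+let
+inherit (lib) concatStringsSep concatMap id mapAttrsToList;
+in
+buildGoModule rec {
+pname = "pomerium-cli";
+version = pomerium.version;
+src = fetchFromGitHub {
+owner = "pomerium";
+repo = "cli";
+rev = "v${version}";
+hash = "sha256:0230b22xjnpykj8bcdahzzlsvlrd63z2cmg6yb246c5ngjs835q1";
+};
+
+vendorSha256 = "sha256:0xx22lmh6wip1d1bjrp4lgab3q9yilw54v4lg24lf3xhbsr5si9b";
+subPackages = [
+"cmd/pomerium-cli"
+];
+
+ldflags = let
+# Set a variety of useful meta variables for stamping the build with.
+setVars = {
+"github.com/pomerium/cli/version" = {
+Version = "v${version}";
+BuildMeta = "nixpkgs";
+ProjectName = "pomerium-cli";
+ProjectURL = "github.com/pomerium/cli";
+};
+};
+concatStringsSpace = list: concatStringsSep " " list;
+mapAttrsToFlatList = fn: list: concatMap id (mapAttrsToList fn list);
+varFlags = concatStringsSpace (
+mapAttrsToFlatList (package: packageVars:
+mapAttrsToList (variable: value:
+"-X ${package}.${variable}=${value}"
+) packageVars
+) setVars);
+in [
+"${varFlags}"
+];
+
+installPhase = ''
+install -Dm0755 $GOPATH/bin/pomerium-cli $out/bin/pomerium-cli
+'';
+
+meta = with lib; {
+homepage = "https://pomerium.io";
+description = "Client-side helper for Pomerium authenticating reverse proxy";
+license = licenses.asl20;
+maintainers = with maintainers; [ lukegb ];
+platforms = platforms.unix;
+};
+}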
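Review bot: `version = pomerium.version;` couples the tag fetched for the CLI to the server package, while `hash` and `vendorSha256` stay pinned in this file. When `pomerium` is bumped without touching this file, `rev = "v${version}"` changes but the fixed-output hashes do not. As far as I know, Nix will then either fail the fetch or reuse an already-cached source for the old tag, in which case the `-X …Version=v${version}` stamp would report a version the binary was not built from. Since upstream split the repositories, I would pin the version here, `version = "0.17.0";`, so the tag, the hashes and the stamped version move together.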
|
|
@ -21618,6 +21618,7 @@ with pkgs;
|
|||
pflogsumm = callPackage ../servers/mail/postfix/pflogsumm.nix { };
|
||||
|
||||
pomerium = callPackage ../servers/http/pomerium { };
|
||||
pomerium-cli = callPackage ../tools/security/pomerium-cli { };
|
||||
|
||||
postgrey = callPackage ../servers/mail/postgrey { };
|
||||
|
||||
|
|