author | Luke Granger-Brown <git@lukegb.com> | 2022-03-11 14:03:22 +0000 |
committer | Luke Granger-Brown <git@lukegb.com> | 2022-03-11 14:09:19 +0000 |
commit | 3004e58f6a0817080f40db34dc96fdf4d5da6c18 (patch) | |
tree | 5f0adda58f744e0b93fd456df06a19dc4f2ef400 /nixos/modules/services/web-servers/pomerium.nix | |
parent | 6659ba52480b2881c89c104370c2e7528fb34a0e (diff) | |
nixos/pomerium: avoid blocking when renewing ACME certificates
Diffstat (limited to 'nixos/modules/services/web-servers/pomerium.nix')
-rw-r--r-- | nixos/modules/services/web-servers/pomerium.nix | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/nixos/modules/services/web-servers/pomerium.nix b/nixos/modules/services/web-servers/pomerium.nix
index 2bc7d01c7c2..0b460755f50 100644
--- a/nixos/modules/services/web-servers/pomerium.nix
+++ b/nixos/modules/services/web-servers/pomerium.nix
@@ -69,11 +69,16 @@ in
 CERTIFICATE_KEY_FILE = "key.pem";
 };
 startLimitIntervalSec = 60;
+ script = ''
+ if [[ -v CREDENTIALS_DIRECTORY ]]; then
+ cd "$CREDENTIALS_DIRECTORY"
+ fi
+ exec "${pkgs.pomerium}/bin/pomerium" -config "${cfgFile}"
+ '';
 serviceConfig = {
 DynamicUser = true;
 StateDirectory = [ "pomerium" ];
- ExecStart = "${pkgs.pomerium}/bin/pomerium -config ${cfgFile}";
 PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
 MemoryDenyWriteExecute = false; # breaks LuaJIT
@@ -99,7 +104,6 @@ in
 AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
 CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
- WorkingDirectory = mkIf (cfg.useACMEHost != null) "$CREDENTIALS_DIRECTORY";
 LoadCredential = optionals (cfg.useACMEHost != null) [
 "fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem"
 "key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem"
@@ -124,7 +128,7 @@ in
 Type = "oneshot";
 TimeoutSec = 60;
 ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active pomerium.service";
- ExecStart = "/run/current-system/systemd/bin/systemctl restart pomerium.service";
+ ExecStart = "/run/current-system/systemd/bin/systemctl --no-block restart pomerium.service";
 };
 };
 }); |
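Review bot: The new `script` in the first hunk silently runs pomerium from the unit's default working directory when CREDENTIALS_DIRECTORY is unset, while the `environment` block just above still names the certificate files by the relative paths `fullchain.pem` / `key.pem`, which pomerium will resolve against whatever the cwd happens to be rather than the credential store. Whether those environment entries are gated on `cfg.useACMEHost` is outside the hunk; if they are not, the non-ACME case now points at files that do not exist in the cwd, and that coupling between LoadCredential, the relative CERTIFICATE_*_FILE values and the `cd` is not stated anywhere in the module. A comment on the `cd` line would make the intent survive the next refactor, e.g. `# LoadCredential exposes the ACME chain/key under $CREDENTIALS_DIRECTORY; CERTIFICATE_FILE/CERTIFICATE_KEY_FILE are relative names, so pomerium must run from there.` The bash-only `[[ -v ]]` is fine since NixOS script blocks run under bash, and presumably with `-e`, so a failing `cd` aborts the unit instead of starting pomerium without the certificate, which is the safer outcome. The enclosing service definition starts outside the hunk.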
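Review bot: With `--no-block` in the last hunk the oneshot now exits successfully as soon as the restart job is queued, so a pomerium that fails to come back up with the renewed certificate no longer fails this unit, and `TimeoutSec = 60` together with the `ExecCondition` check stop bounding or guarding the actual restart. That is presumably the intended trade-off against the blocking the commit title describes, but the reason is not recorded in the module, so a future reader is likely to "fix" it back; a comment next to ExecStart would prevent that, e.g. `# --no-block: a synchronous restart from here blocks the ACME renewal path; restart failures surface on pomerium.service (see startLimitIntervalSec), not on this unit.` Anything that relies on this unit's result to know the renewed certificate is being served should instead observe pomerium.service's active state after the restart job completes. The enclosing attribute set starts outside the hunk.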