NixOS systemd | 611 Members | |
| NixOS ❤️ systemd | 165 Servers |
| Sender | Message | Time |
|---|---|---|
| 26 Jul 2021 | ||
| This shouldn't block a version bump. Even though I'd like to have it | 17:10:45 | |
| Most of the FIDO2 dependencies are already in closure through openSSH atm though. (Which is kind of a bug on its own IMO) | 17:11:22 | |
| Most of these dependencies are only interesting in initrd anyway. And we already build initrd 'on demand' today | 17:12:29 | |
| So having it optional isn't all that crazy | 17:12:37 | |
| I've also played around with DNSoTLS support in resolved for a few weeks now on a spare device. It has been working fine so far in "opportunistic" mode. | 17:51:58 | |
| Unfortunately I haven't managed to be stuck in a DB train for several hours yet to verify if that hobby-dns-resolved improved :) | 17:52:35 | |
| My WIP stuff: https://github.com/NixOS/nixpkgs/pull/131618 The systemd test works as it starts a graphical interface.. anything else doesn't seem to work.. Not entirely sure what the issue with resolution of units is. I've created a log if anyone feels like digging through that while I sleep: https://gist.github.com/andir/04bc585ace6722c86bb8e3b731101c9c | 21:14:04 | |
| 27 Jul 2021 | ||
ok i'm pretty sure i've confirmed it (through testing, not reading source code): systemd-tmpfiles is bad news and should be used very sparingly. why? when you use d to create a directory it wipes out ACLs when it actually operates on that directory | 20:30:45 | |
example: add d '/var/lib/foo' 0700 root somesystemuser to your systemd.tmpfiles.rules, then imperatively run sudo setfacl -m u:yourownuser:rx /var/lib/foo after your system has activated. activate your system again (or run sudo systemd-tmpfiles --create) and note your ACLs are mucked up | 20:34:18 | |
| hmm... "wipes out ACLs" was the wrong thing to say, it mucks the mask and makes them ineffective | 20:34:47 | |
and if you use D? Isn't that supposed to be (almost) a no-op if it already exists? | 20:47:42 | |
D removes the directory after a period | 20:54:39 | |
we use d extensively in NixOS to provision directories | 20:54:47 | |
| for many users that probably isn't a problem but it has bitten me in the ass hard for web server logs :\ | 20:55:10 | |
Can you use systemd-tmpfiles as a user ? | 20:56:17 | |
* .keep files... | 20:56:34 | |
Roos: yes, though not really in NixOS - we would have to patch our systemd for that, or get them to make a change upstream. i think there is an issue open upstream IIRC... | 20:58:04 | |
You mean, it's particularly easy in NixOS :D | 20:58:52 | |
| Although that probably recompiles half the world... | 20:59:32 | |
| Roos: hmm... yeah my memory is foggy, maybe i'm wrong on that would have to look again | 21:00:26 | |
In reply to @aanderse:nixos.dev: oh, you really have a thing for webservers? :D First apache noch fancy ACLs on the logs. | 21:17:18 | |
In reply to @aanderse:nixos.dev: * oh, you really have a thing for webservers? :D First apache now fancy ACLs on the logs. | 21:17:24 | |
| aanderse: could we create a tool that is more useful or shall we try to fix systemd-tmpfiles? I really don't want to go back to people adding prestart = "mkdir $foo"; all over the place | 21:18:22 | |
| lol yeah i have to play apache sysadmin for something like 200 websites | 21:19:18 | |
We could try to introduce d+ /path/to-create-and-keep ... :d | 21:20:15 | |
* We could try to introduce d+ /path/to-create-and-keep ... :D | 21:20:18 | |
yeah we don't want mkdir. I'm not sure if I'm doing something "wrong", i guess I'll file an issue/question upstream | 21:20:20 | |