!MthpOIxqJhTgrMNxDS:nixos.org

NixOS ACME / LetsEncrypt

Topic: Another day, another cert renewal

18 Dec 2021
14:48:41 m1cr0man (@m1cr0man:m1cr0man.com): nb! Fixed now and I have written a test for it :)
14:48:50 hexa (@hexa:lossy.network): ❤️
15:08:08 m1cr0man (@m1cr0man:m1cr0man.com): https://github.com/NixOS/nixpkgs/pull/147784 ok so this PR technically still needs a review from someone on the ACME team that isn't me ;)
15:09:53 m1cr0man (@m1cr0man:m1cr0man.com): ugh ffs I hate rebases
15:17:59 m1cr0man (@m1cr0man:m1cr0man.com): ok, third time's a charm
26 Dec 2021
05:15:35 Winter (she/her) (@winterqt:nixos.dev) joined the room.
05:17:39 Winter (she/her) (@winterqt:nixos.dev):

hi all, wonderful work on the acme module :)

i have two questions:

  1. where is /var/lib/acme created? i cannot for the life of me find how that directory is initially created
  2. curious: why are these permission fixing services and such required?

thanks!

07:06:53 Arian (@arianvp:matrix.org): It's created by the StateDirectory stanza in the systemd unit
07:07:19 Arian (@arianvp:matrix.org): The permission fixing is to work around a bug we introduced at some point in a previous release
10:47:46 hexa (@hexa:lossy.network): m1cr0man: happy to merge, needs a rebase though
15:22:19 Winter (she/her) (@winterqt:nixos.dev):
In reply to @arianvp:matrix.org: "The permission fixing is to work around a bug we introduced at some point in a previous release"
Ah, makes sense. Why does this require the /var/lib/acme path to be hardcoded, though? Just to make things simpler on the module side?
15:45:30 raitobezarius (DECT: 7248) (@raitobezarius:matrix.org) joined the room.
16:20:48 m1cr0man (@m1cr0man:m1cr0man.com): @Winter On top of what Arian said, there are two other reasons for the acme-fixperms service and the other various chgrp/chmods. The first is to fix permission changes that happened back in 19.09 (I think) where we went from root-owned to acme-owned certs. The second is for supporting changes of the group of an active cert. Additionally, in the new PR, it'll also support toggling useRoot.
16:20:59 m1cr0man (@m1cr0man:m1cr0man.com): hexa: thanks, I'll do that rebase now
16:21:48 Winter (she/her) (@winterqt:nixos.dev): Got it.
16:23:25 m1cr0man (@m1cr0man:m1cr0man.com): If you have any other questions feel free to ask. I'm trying to ensure that the test suite has 100% coverage of all use cases and features at all times. If you are ever wondering something technical it might help to give those a read and see what we're testing for.
16:27:30 Winter (she/her) (@winterqt:nixos.dev): Can I ask questions that relate to the Nginx module's ACME integration? I assume that's in scope of this channel, but let me know if it's not.
16:30:05 m1cr0man (@m1cr0man:m1cr0man.com): yeah absolutely
16:30:15 m1cr0man (@m1cr0man:m1cr0man.com): it's in scope, we maintain it :)
17:03:56 Winter (she/her) (@winterqt:nixos.dev):

https://github.com/NixOS/nixpkgs/blob/b0f154fd440bdf43a483b8ca46020d7d6cec5fbf/nixos/modules/services/web-servers/nginx/default.nix#L952

Why is mkDefault used here? In what scenario would this value need to be changed from the Nginx group?

17:08:11 m1cr0man (@m1cr0man:m1cr0man.com): good question! It's very simple. We want security.acme.defaults.group or security.acme.certs.<cert>.group to take precedence
17:09:16 m1cr0man (@m1cr0man:m1cr0man.com): actually, defaults.group won't override it I don't think, but the <cert>.group definitely will
17:10:21 m1cr0man (@m1cr0man:m1cr0man.com): It gets even wilder in the next PR ;) https://github.com/NixOS/nixpkgs/pull/147784/files#diff-9b5561c4bb76ed61cd945467b6ccacb8343bb8ed8d2ad8a1e43505db34352722R943-R949
17:10:47 Winter (she/her) (@winterqt:nixos.dev): oh no.
17:10:49 Winter (she/her) (@winterqt:nixos.dev): lol
17:11:10 Winter (she/her) (@winterqt:nixos.dev): where is security.acme.defaults even defined? can't find that anywhere >.<
17:11:14 m1cr0man (@m1cr0man:m1cr0man.com): it's in that PR
17:11:19 m1cr0man (@m1cr0man:m1cr0man.com): it's not in master yet
17:11:30 Winter (she/her) (@winterqt:nixos.dev): ahh
17:11:38 m1cr0man (@m1cr0man:m1cr0man.com): it's also fully doc'd in that PR, in case you were looking for docs too lol
