| 18 Dec 2021 |
m1cr0man | nb! Fixed now and I have written a test for it :) | 14:48:41 |
hexa | ❤️ | 14:48:50 |
m1cr0man | https://github.com/NixOS/nixpkgs/pull/147784 ok so this PR technically still needs a review from someone on the ACME team that isn't me ;) | 15:08:08 |
m1cr0man | ugh ffs I hate rebases | 15:09:53 |
m1cr0man | ok, third time's a charm | 15:17:59 |
| 26 Dec 2021 |
| Winter (she/her) joined the room. | 05:15:35 |
Winter (she/her) | hi all, wonderful work on the acme module :)
i have two questions:
- where is /var/lib/acme created? i cannot for the life of me find how that directory is initially created
- curious: why are these permission fixing services and such required?
thanks! | 05:17:39 |
Arian | It's created by the StateDirectory stanza in the systemd unit | 07:06:53 |
Arian | The permission fixing is to work around a bug we introduced at some point in a previous release | 07:07:19 |
hexa | m1cr0man: happy to merge, needs a rebase though | 10:47:46 |
Winter (she/her) | In reply to @arianvp:matrix.org The permission fixing is to work around a bug we introduced at some point in a previous release Ah, makes sense. Why does this require the /var/lib/acme path to be hardcoded, though? Just to make things simpler on the module side? | 15:22:19 |
| raitobezarius (DECT: 7248) joined the room. | 15:45:30 |
m1cr0man | @Winter On top of what Arian said, there are two other reasons for the acme-fixperms service and the various other chgrp/chmods. The first is to fix permission changes that happened back in 19.09 (I think) where we went from root-owned to acme-owned certs. The second is for supporting changes of the group of an active cert. Additionally, in the new PR, it'll also support toggling useRoot. | 16:20:48 |
m1cr0man | hexa: thanks I'll do that rebase now | 16:20:59 |
Winter (she/her) | Got it. | 16:21:48 |
m1cr0man | If you have any other questions feel free to ask. I'm trying to ensure that the test suite has 100% coverage of all use cases and features at all times. If you are ever wondering something technical it might help to give those a read and see what we're testing for. | 16:23:25 |
Winter (she/her) | Can I ask questions that relate to the Nginx module's ACME integration? I assume that's in scope of this channel, but let me know if it's not. | 16:27:30 |
m1cr0man | yeah absolutely | 16:30:05 |
m1cr0man | it's in scope, we maintain it :) | 16:30:15 |
Winter (she/her) | https://github.com/NixOS/nixpkgs/blob/b0f154fd440bdf43a483b8ca46020d7d6cec5fbf/nixos/modules/services/web-servers/nginx/default.nix#L952
Why is mkDefault used here, in what scenario would this value need to be changed from the Nginx group? | 17:03:56 |
m1cr0man | good question! It's very simple. we want security.acme.defaults.group or security.acme.certs.<cert>.group to take precedence | 17:08:11 |
m1cr0man | actually, defaults.group won't override it I don't think, but the <cert>.group definitely will | 17:09:16 |
m1cr0man | It gets even wilder in the next PR ;) https://github.com/NixOS/nixpkgs/pull/147784/files#diff-9b5561c4bb76ed61cd945467b6ccacb8343bb8ed8d2ad8a1e43505db34352722R943-R949 | 17:10:21 |
Winter (she/her) | oh no. | 17:10:47 |
Winter (she/her) | lol | 17:10:49 |
Winter (she/her) | where is security.acme.defaults even defined? can’t find that anywhere >.< | 17:11:10 |
m1cr0man | it's in that PR | 17:11:14 |
m1cr0man | it's not in master yet | 17:11:19 |
Winter (she/her) | ahh | 17:11:30 |
m1cr0man | it's also fully doc'd in that PR, in case you were looking for docs too lol | 17:11:38 |