!MthpOIxqJhTgrMNxDS:nixos.org

NixOS ACME / LetsEncrypt

106 Members
Another day, another cert renewal46 Servers

Load older messages


SenderMessageTime
5 Mar 2022
@winterqt:nixos.devWinter (she/her) it'll just give the acme owned ones 19:54:55
@winterqt:nixos.devWinter (she/her)like, i get the issue in theory, and i agree with it but not practically?19:55:08
@winterqt:nixos.devWinter (she/her)like i guess it's just about reducing attack surface no matter the setup19:55:18
@m1cr0man:m1cr0man.comm1cr0manwell if you aren't using wildcards its more apparent - certs for each service, with the group assigned appropriately19:55:39
@winterqt:nixos.devWinter (she/her) but giving the acme group won't give access to those? 19:55:58
@winterqt:nixos.devWinter (she/her)that's the point i'm trying to make, unless i'm wrong19:56:07
@m1cr0man:m1cr0man.comm1cr0manyeah but then you're granting acme group to N service accounts rather than just setting the cert group19:56:14
@winterqt:nixos.devWinter (she/her)right19:56:36
@m1cr0man:m1cr0man.comm1cr0man it's definitely easier for end users to set the cert group, hence that group = mkDefault cfg.group in the nginx/httpd cert config 19:56:45
@m1cr0man:m1cr0man.comm1cr0man * it's definitely easier for end users to set the cert group, hence that group = mkDefault cfg.group in the nginx/httpd cert config rather than add a user to a group 19:56:57
@winterqt:nixos.devWinter (she/her)right19:57:16
@winterqt:nixos.devWinter (she/her) mind if i tag you in on the issue, m1cr0man 19:59:48
@winterqt:nixos.devWinter (she/her) * mind if i tag you in on the issue, m1cr0man? 19:59:53
@m1cr0man:m1cr0man.comm1cr0mannope go ahead!19:59:57
@winterqt:nixos.devWinter (she/her)wording could be refined, but i hope i got my point across.20:00:54
@m1cr0man:m1cr0man.comm1cr0manIt reads just fine to me! :) I'm gonna echo my earlier points in there for visibility20:04:53
@m1cr0man:m1cr0man.comm1cr0manWinter have you ever seen this issue? https://github.com/NixOS/nixpkgs/issues/84633 this one is where a lot of the design decisions were made wrt the current module20:12:54
@m1cr0man:m1cr0man.comm1cr0manWhat's funny is that Emily actually proposed in 2020 that we use just the acme group, and flokli suggested a really interesting solution for multi-group access using setfacl https://github.com/NixOS/nixpkgs/issues/84633#issuecomment-61141366420:29:42
@m1cr0man:m1cr0man.comm1cr0manOkay, I have finished my essay of a comment 😅 I made some new points there20:35:33
@m1cr0man:m1cr0man.comm1cr0man

I hope it doesn't come across as me shutting down the idea btw, I'm really happy that someone is taking the time to be critical about the implementation in its current state.

I just had an idea though. What do you think of using users.users.${serviceUser}.extraGroups instead of SupplementaryGroups? That way it's easier for users to understand/see how their services can access the certs, and it avoids adding another layer to the cake of ACME permissions management. This is also what most users are going to do/doing to fix permission issues today.

20:44:27
@winterqt:nixos.devWinter (she/her)I have no issues with that at all!20:50:11
@winterqt:nixos.devWinter (she/her)I mainly brought up systemd because that's what Caddy did20:50:25
@winterqt:nixos.devWinter (she/her)Maybe we could switch Caddy over to that, then.20:50:34
@winterqt:nixos.devWinter (she/her)(Did you already propose that in the issue?)20:50:42
@m1cr0man:m1cr0man.comm1cr0manNo I will now though :)20:50:49
@m1cr0man:m1cr0man.comm1cr0manThere we go20:51:28
8 Mar 2022
@finn:tomesh.netfinn joined the room.16:06:50
30 Mar 2022
@zach:ghostcorp.netZach joined the room.01:30:17
@zach:ghostcorp.netZach changed their display name from zach to Zach.01:54:07
@zach:ghostcorp.netZach set a profile picture.01:54:10

Show newer messages


Back to Room ListRoom Version: 6