5 Mar 2022 |
Winter (she/her) | it'll just give the acme owned ones | 19:54:55 |
Winter (she/her) | like, i get the issue in theory, and i agree with it
but not practically? | 19:55:08 |
Winter (she/her) | like i guess it's just about reducing attack surface no matter the setup | 19:55:18 |
m1cr0man | well if you aren't using wildcards its more apparent - certs for each service, with the group assigned appropriately | 19:55:39 |
Winter (she/her) | but giving the acme group won't give access to those? | 19:55:58 |
Winter (she/her) | that's the point i'm trying to make, unless i'm wrong | 19:56:07 |
m1cr0man | yeah but then you're granting acme group to N service accounts rather than just setting the cert group | 19:56:14 |
Winter (she/her) | right | 19:56:36 |
m1cr0man | it's definitely easier for end users to set the cert group, hence that group = mkDefault cfg.group in the nginx/httpd cert config | 19:56:45 |
m1cr0man | * it's definitely easier for end users to set the cert group, hence that group = mkDefault cfg.group in the nginx/httpd cert config rather than add a user to a group | 19:56:57 |
Winter (she/her) | right | 19:57:16 |
Winter (she/her) | mind if i tag you in on the issue, m1cr0man | 19:59:48 |
Winter (she/her) | * mind if i tag you in on the issue, m1cr0man? | 19:59:53 |
m1cr0man | nope go ahead! | 19:59:57 |
Winter (she/her) | wording could be refined, but i hope i got my point across. | 20:00:54 |
m1cr0man | It reads just fine to me! :) I'm gonna echo my earlier points in there for visibility | 20:04:53 |
m1cr0man | Winter have you ever seen this issue? https://github.com/NixOS/nixpkgs/issues/84633 this one is where a lot of the design decisions were made wrt the current module | 20:12:54 |
m1cr0man | What's funny is that Emily actually proposed in 2020 that we use just the acme group, and flokli suggested a really interesting solution for multi-group access using setfacl https://github.com/NixOS/nixpkgs/issues/84633#issuecomment-611413664 | 20:29:42 |
m1cr0man | Okay, I have finished my essay of a comment 😅 I made some new points there | 20:35:33 |
m1cr0man | I hope it doesn't come across as me shutting down the idea btw, I'm really happy that someone is taking the time to be critical about the implementation in its current state.
I just had an idea though. What do you think of using users.users.${serviceUser}.extraGroups instead of SupplementaryGroups? That way it's easier for users to understand/see how their services can access the certs, and it avoids adding another layer to the cake of ACME permissions management. This is also what most users are going to do/doing to fix permission issues today.
| 20:44:27 |
Winter (she/her) | I have no issues with that at all! | 20:50:11 |
Winter (she/her) | I mainly brought up systemd because that's what Caddy did | 20:50:25 |
Winter (she/her) | Maybe we could switch Caddy over to that, then. | 20:50:34 |
Winter (she/her) | (Did you already propose that in the issue?) | 20:50:42 |
m1cr0man | No I will now though :) | 20:50:49 |
m1cr0man | There we go | 20:51:28 |
8 Mar 2022 |
| finn joined the room. | 16:06:50 |
30 Mar 2022 |
| Zach joined the room. | 01:30:17 |
| Zach changed their display name from zach to Zach. | 01:54:07 |
| Zach set a profile picture. | 01:54:10 |