| 10 Jan 2022 |
 Winter (she/her) | Not a bad idea
~~RFC time?~~ | 20:39:20 |
 hexa | In reply to @winterqt:nixos.dev
it was not my intention at all to come off as pushy or demanding or anything like that, as I fear I may be coming off as don't worry about it, I think its just fair to let you know my boundaries in return. does that sound ok? | 20:39:45 |
| hexa | like nixpkgs commiters are few in numbers given the amount of changes we need to review, so it's a mess anyway | 20:40:24 |
| Winter (she/her) | In reply to @hexa:lossy.network
don't worry about it, I think its just fair to let you know my boundaries in return. does that sound ok? that’s completely fine yeah, i can’t even begin to fathom how much work it is | 20:44:56 |
 m1cr0man | In reply to @winterqt:nixos.dev
Not a bad idea
~~RFC time?~~ painful effort noises | 20:46:45 |
| hexa | I think we need to talk about maintainer expectations first | 20:47:17 |
| Winter (she/her) | What maintainers are you talking about specifically? | 20:57:54 |
| Winter (she/her) | Like, module maintainers, nixpkgs commiters? | 20:58:03 |
| hexa | package, module and test maintainers | 21:02:27 |
| hexa | basically committing to something and saying when you can no longer fulfill that committment | 21:02:58 |
| Winter (she/her) | ah | 21:28:11 |
| 20 Jan 2022 |
|  andi- left the room. | 08:30:51 |
| 24 Jan 2022 |
| m1cr0man | Wrt https://github.com/NixOS/nixpkgs/pull/156562 is this a concern? Warning: a test defined in passthru.tests did not pass The passthru test is the acme test. | 20:38:04 |
| hexa | they were built by ofborg | 20:39:18 |
| hexa | https://github.com/NixOS/nixpkgs/runs/4925831593 | 20:39:35 |
| hexa | https://github.com/NixOS/nixpkgs/runs/4925858190 | 20:39:45 |
| m1cr0man | ah awesome ok :) | 20:41:39 |
| Winter (she/her) | I wonder why r-ryantm failed but not OfBorg 🤔 | 20:59:30 |
| m1cr0man | If it's acme test pseudo-randomness, I was really under the impression I had fixed all that 😢 | 21:01:46 |
| 27 Jan 2022 |
| m1cr0man | So I hear LE is about to nuke some certs. https://www.theregister.com/2022/01/26/lets_encrypt_certificates/ this shouldn't affect most NixOS users since you'd have to really get into the weeds to configure TLS-ALPN-01 validation | 12:41:26 |
| 31 Jan 2022 |
| Winter (she/her) | in renewService, why is network-online.target in wants and after, but network.target isn't in wants (but is in after)? | 03:22:33 |
| Winter (she/her) | any reason? | 03:22:36 |
 Arian | There is no point in actively pulling in network.target. see https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/ | 10:05:42 |
| Arian | But we can probably remove the network.target altogether if network-online.target is used | 10:06:30 |
| 2 Mar 2022 |
 iclanzan | I’ve upgraded NixOS to a recent commit from unstable and ACME is not working anymore. All I see in the logs is:
Failed to start Renew ACME certificate for example.com.
acme-example.com.service: Failed to load environment files: No such file or directory
acme-example.com.service: Failed to run 'start' task: No such file or directory
acme-example.com.service: Failed with result 'resources'.
over and over again. (I replaced my actual domain with example.com)
I am using the cloudflare DNS challenge .
Does anyone have any pointers as to how I could debug this?
| 01:01:25 |
| hexa | start looking at the systemd unit | 09:33:15 |
| hexa | look for what paths are actually missing | 09:33:26 |
| 4 Mar 2022 |
| Winter (she/her) | m1cr0man: so do you remember #153942? i didn't notice it at the time but the issue that it solved may be able to be made redundant.
https://github.com/NixOS/nixpkgs/commit/81a67a3353b09c0abade5f2d17e91d23873fc7fb added SupplementalGroups=acme if ACME certs are used to the Caddy service, which gives the Caddy service access to the certs mo matter what group the Caddy service user is a part of. (In fact, I think my assertions made it so you'd have to add the acme group to the caddy user, even if it would work fine without it due to SupplementalGroups, whoops.)
I think we can make this change across the board, and (potentially) remove the assertions? Let me know what you think. | 19:34:56 |
| 5 Mar 2022 |
| m1cr0man | Heyo 👋 Sorry got distracted and forgot to reply earlier. Heading off but I'll read any replies tomorrow.
Yeah this is interesting. SupplementalGroups certainly would raise false alarms with the assertion the way it is. When you say make the change across the board, what are you thinking of doing?
I'm also thinking that depending on your plans here that assuming the cert's group is acme wouldn't be sufficient and you'd want to rely on config.security.acme.certs.<name>.group in dependant services.
| 00:43:44 |
| Winter (she/her) |
When you say make the change across the board, what are you thinking of doing?
Migrating all web servers that we support to use it instead of the assertions, ideally.
| 02:48:20 |
