 | NixOS ACME / LetsEncrypt | 107 Members |
| Another day, another cert renewal | 46 Servers |
| NixOS ACME / LetsEncrypt | 107 Members |
| Another day, another cert renewal | 46 Servers |
| Sender | Message | Time |
|---|---|---|
| 30 Dec 2021 | ||
 Winter (she/her) | Got it. I feel like that can definitely be documented better, I’ll PR if I can think of adequate wording. Question: why can’t we assume, though? In what scenario would someone be using one certificate across multiple HTTP servers? idk, just seems unlikely, it’s definitely best not to assume but i can’t think of an actual practical use case unless I’m just missing something obvious… | 20:05:16 |
| Winter (she/her) | maybe something something different ports something something? | 20:07:50 |
 m1cr0man | one wildcard for mail and web is a use case I used to maintain for a deployment | 21:14:33 |
| m1cr0man | I added nginx + dovecot + postfix users to acme group | 21:14:56 |
| Winter (she/her) | Redacted or Malformed Event | 23:18:59 |
| 31 Dec 2021 | ||
| m1cr0man | woohoo finally nixos-unstable is updated :) | 13:28:55 |
| Winter (she/her) changed their display name from Winter to Winter (she/her). | 22:07:41 | |
| 2 Jan 2022 | ||
| m1cr0man | https://nixos.org/manual/nixos/unstable/index.html#module-security-acme-config-dns lol XD | 18:50:16 |
| m1cr0man | so uh | 18:50:19 |
| m1cr0man | This is in the example on how to auto generate TSIG keys with a systemd service. https://nixos.org/manual/nixos/unstable/index.html#module-security-acme-config-dns | 18:51:11 |
| m1cr0man | Winter I was thinking that it might be possible to add an assertion in nginx/httpd/caddy to check acme cert access too, which would at least cover your concern about it unexpectedly failing. It would be complex though, idk if nix does anything in the config tree to merge users.users.<name>.extraGroups and users.groups.<name>.extraUsers that I could reference | 18:52:32 |
| Winter (she/her) | In reply to @m1cr0man:m1cr0man.comDo you mean users.groups..members? | 21:14:59 |
| m1cr0man | yeah sorry, trying to remember it off the top of my head | 21:15:28 |
| Winter (she/her) | m1cr0man: You’ll be pleased to know that it does do merging of them, users.groups.<name>.members is the source of truth. (https://github.com/NixOS/nixpkgs/blob/59bfda72480496f32787cec8c557182738b1bd3f/nixos/modules/config/users-groups.nix#L362) | 23:03:14 |
| Winter (she/her) | I’d be happy to take a stab at adding the assertions to the modules, if you’d be okay with that. | 23:03:36 |
| m1cr0man | Awesome find! :D Yeah absolutely, I'll review it as soon as I can (but I'll be going offline soon for tonight) | 23:08:49 |
| Winter (she/her) | I’ll do it sometime tomorrow most likely, so that’s perfectly fine. | 23:16:11 |
| Winter (she/her) | There has to be some way that we can centralize the assertion, but I’m not really sure where a function to generate it can be stored in a way that it can easily be imported by all the modules. Unless I can do something like putting it next to the acme module (probably by making a folder and moving acme into there), then importing it in the other modules? Like, is that “allowed?” (Obviously it would work, but would it be accepted?) | 23:18:23 |
| Winter (she/her) | * There has to be some way that we can centralize the assertion generation, but I’m not really sure where a function to generate it can be stored in a way that it can easily be imported by all the modules. Unless I can do something like putting it next to the acme module (probably by making a folder and moving acme into there), then importing it in the other modules? Like, is that “allowed?” (Obviously it would work, but would it be accepted?) | 23:18:30 |
| 3 Jan 2022 | ||
| m1cr0man | Maybe you can just add a file under the lib/tests (https://github.com/NixOS/nixpkgs/blob/master/lib/tests) folder? But fwiw, there is already quite a lot of duplication between nginx + http, and adding some assertions isn't going to break the bank, at least not yet. | 00:07:52 |
| Winter (she/her) | Why tests specifically? Seems like a strange place for stuff in modules tbh... | 00:49:39 |
| m1cr0man | On second look, maybe not there. I took a quick look last night and noticed some option/module specific assertions in that folder but they seem to be designed to be run manually to validate nixpkgs as a whole. I also thought lib itself felt wrong because it's such a specific thing. Maybe ask nixpkgs/NixOS Dev where the best place would be? I'm really not sure myself | 14:02:09 |
| Winter (she/her) | Sure, will do. | 14:02:25 |
| m1cr0man | V curious to know what the answer is. Acme isn't the only module that is a dependency in other modules (namely I'm thinking of all the services that can auto configure virtual hosts). There doesn't seem to be a set place for these sort of helpers right now | 14:04:23 |
| Winter (she/her) | In reply to @m1cr0man:m1cr0man.comThe answer is that the solution I described (moving acme.nix to acme/default.nix and making a new file with the function in it to import) is fine, and is apparently how problems like this are currently handled in tree. | 14:55:26 |
| Winter (she/her) | I’ll try to get a patch out tonight. | 14:55:43 |
| 4 Jan 2022 | ||
 hexa | acme inside nixos containers are a temporary lookup failure waiting to happen | 19:35:31 |
| hexa | * acme (dns01) inside nixos containers are a temporary lookup failure waiting to happen | 19:52:14 |
| 6 Jan 2022 | ||
| Winter (she/her) | m1cr0man: I promise I haven't forgotten about the assertions, it's just been a long week and want to do this the right way. If not sometime this week, I'll get a PR open this weekend. My apologies! | 03:24:19 |
| m1cr0man | In reply to @winterqt:nixos.devYeah don't worry about it! First week of a new year is always a busy one, I doubt I'd have time to review until the weekend anyway 😅 | 07:00:30 |