!MthpOIxqJhTgrMNxDS:nixos.org

NixOS ACME / LetsEncrypt

Another day, another cert renewal



27 Dec 2021
[16:59:24] m1cr0man: haha so many emails from the 8 closed tickets
29 Dec 2021
[03:03:55] Winter (she/her): In https://github.com/NixOS/nixpkgs/blob/ac169ec6371f0d835542db654a65e0f2feb07838/nixos/modules/security/acme.nix#L417, it says that this makes it readable to the group specified by the cert service, but the perms for /var/lib/acme are 0750. Wouldn't the cert be inaccessible even by the group specified by the cert service, then?
[03:07:40] Winter (she/her): ah, I see https://github.com/NixOS/nixpkgs/blob/ac169ec6371f0d835542db654a65e0f2feb07838/nixos/modules/security/acme.nix#L294 now
[03:09:35] Winter (she/her): So because of the fix permission service having its working directory set to /var/lib/acme, I guess acme:acme would be the owner of /var/lib/acme.
[03:10:27] Winter (she/her) (edited): But then wouldn't the permissions of 0750 still disallow access to the cert specified groups?
[03:16:37] Winter (she/her):
      # These StateDirectory entries negate the need for tmpfiles
      StateDirectory = [ "acme" "acme/.lego" "acme/.lego/accounts" ];
      StateDirectoryMode = 755;
      WorkingDirectory = "/var/lib/acme";

...ah.
[13:22:39] m1cr0man: yeah, we really went all-in on StateDirectory/systemd activation logic for the folder creation. It ended up solving all previous permissions issues we were encountering, whilst also providing systemctl clean --what=state acme-mydomain.service for easy full renewals
[13:30:20] m1cr0man: There's a bunch of really difficult to figure out logic wrt when directories need to be created, recreated or permissions changed, which all depend on systemd service activation. Hence, it was best to leave it to systemd where possible
30 Dec 2021
[04:54:21] Winter (she/her): Also: the useACMEHost option in Nginx vhosts doesn't set the group for the certificate, so it (unexpectedly) fails to start. I can't find any documentation that requires anything other than setting useACMEHost, though, so I don't think I'm doing anything wrong.
[15:01:37] m1cr0man (edited): You do need to set the group explicitly when using useACMEHost. We can't assume that the cert is being used for only nginx/apache in that scenario, thus it would be unsafe to set the group automatically
[20:05:16] Winter (she/her):
Got it. I feel like that can definitely be documented better, I’ll PR if I can think of adequate wording.

Question: why can’t we assume, though? In what scenario would someone be using one certificate across multiple HTTP servers? idk, just seems unlikely, it’s definitely best not to assume but I can’t think of an actual practical use case unless I’m just missing something obvious…
[20:07:50] Winter (she/her): maybe something something different ports something something?
[21:14:33] m1cr0man: one wildcard for mail and web is a use case I used to maintain for a deployment
[21:14:56] m1cr0man: I added nginx + dovecot + postfix users to acme group
31 Dec 2021
[13:28:55] m1cr0man: woohoo finally nixos-unstable is updated :)
2 Jan 2022
[18:50:16] m1cr0man: https://nixos.org/manual/nixos/unstable/index.html#module-security-acme-config-dns lol XD
[18:50:19] m1cr0man: so uh
[18:51:11] m1cr0man:
This is in the example on how to auto generate TSIG keys with a systemd service. https://nixos.org/manual/nixos/unstable/index.html#module-security-acme-config-dns
Spot the issue? :P
I'll do a PR at some point.. maybe tomorrow

    cat > /var/lib/secrets/certs.secret << EOF
    RFC2136_NAMESERVER='127.0.0.1:53'
    RFC2136_TSIG_ALGORITHM='hmac-sha256.'
    RFC2136_TSIG_KEY='rfc2136key.example.com'
    RFC2136_TSIG_SECRET='your secret key'
    EOF
[18:52:32] m1cr0man: Winter I was thinking that it might be possible to add an assertion in nginx/httpd/caddy to check acme cert access too, which would at least cover your concern about it unexpectedly failing. It would be complex though, idk if nix does anything in the config tree to merge users.users.<name>.extraGroups and users.groups.<name>.extraUsers that I could reference
[21:14:59] Winter (she/her):
> In reply to m1cr0man: Winter I was thinking that it might be possible to add an assertion in nginx/httpd/caddy to check acme cert access too, which would at least cover your concern about it unexpectedly failing. It would be complex though, idk if nix does anything in the config tree to merge users.users.<name>.extraGroups and users.groups.<name>.extraUsers that I could reference
Do you mean users.groups.<name>.members?
[21:15:28] m1cr0man: yeah sorry, trying to remember it off the top of my head
[23:03:14] Winter (she/her): m1cr0man: You’ll be pleased to know that it does do merging of them, users.groups.<name>.members is the source of truth. (https://github.com/NixOS/nixpkgs/blob/59bfda72480496f32787cec8c557182738b1bd3f/nixos/modules/config/users-groups.nix#L362)
[23:03:36] Winter (she/her): I’d be happy to take a stab at adding the assertions to the modules, if you’d be okay with that.
[23:08:49] m1cr0man: Awesome find! :D Yeah absolutely, I'll review it as soon as I can (but I'll be going offline soon for tonight)
[23:16:11] Winter (she/her): I’ll do it sometime tomorrow most likely, so that’s perfectly fine.
