| 28 Nov 2021 |
m1cr0man | https://github.com/NixOS/nixpkgs/pull/147784 started a draft PR for the work so far, just so ticket creators know what's up | 23:17:03 |
m1cr0man | also yous can check out security.acme.defaults ;) | 23:17:12 |
| 3 Dec 2021 |
| Patryk Gronkiewicz joined the room. | 13:01:15 |
Patryk Gronkiewicz | Hi there,
I'm trying to set up Nginx reverse proxy with DNS-01 challenge, but I can't
Can you help me with that?
I've described it better on reddit -> https://www.reddit.com/r/NixOS/comments/r7y5vy/nginx_reverse_proxy_with_dns01_challenge/ | 13:54:30 |
hexa | instead of enableACME = true; use useACMEHost | 14:32:44 |
hexa | * instead of enableACME = true; use useACMEHost = "gitea.domain.org"; | 14:33:27 |
hexa | * Patryk Gronkiewicz: instead of enableACME = true; use useACMEHost = "gitea.domain.org"; | 14:33:36 |
Patryk Gronkiewicz | In reply to @hexa:lossy.network Patryk Gronkiewicz: instead of enableACME = true; use useACMEHost = "gitea.domain.org"; I can't finish rebuild then - nginx crashes and something else just hangs (I don't know what, but I can wait indefinitely and nothing changes) | 15:01:56 |
hexa | well, can't help you when you can't apply the config 😲 | 15:13:56 |
| 4 Dec 2021 |
m1cr0man | In reply to @pgronkievitz:matrix.org I can't finish rebuild then - nginx crashes and something else just hangs (I don't know what, but I can wait indefinitely and nothing changes) Check that you have assigned the security.acme.certs."gitea.domain.org".group to nginx or added nginx to the acme group | 16:36:30 |
m1cr0man | https://github.com/NixOS/nixpkgs/pull/147784 ready for review for real now :) | 19:06:13 |
m1cr0man | 7 ticket closures in one :D that always feels good | 19:07:16 |
| 11 Dec 2021 |
m1cr0man | Systemd 250 notes from Phoronix:
There is also a new tool called systemd-creds for dealing with the credentials. This can be used for SSL certificates, passwords, and other similar data.
| 12:05:15 |
m1cr0man | It seems to kind of be like ansible-vault, where decryption happens when the service is started. Kind of neat because it can/will use a TPM module | 13:53:17 |
hexa | ohhhh | 14:02:23 |
hexa | I wish element had a sensible forwarding mode … for #tpm:nixos.org | 14:02:57 |
hexa | where the general consensus was, that tpm tooling on linux is abysmal | 14:03:20 |
m1cr0man | Oh yeah, I know that XD Tried to set up my server's ZFS to unlock via the TPM once. Did not find a workable solution :P | 14:04:29 |
m1cr0man | There's some other nice stuff in here that seems generally applicable too. The systemd-homed updates are super intriguing. I've always wondered if it would be possible to set up on-demand services for users via homed (namely jupyter notebooks) and safe SSH environments for student-esque use with it. Seems like a lot of these things would make that a bit easier | 14:06:52 |
andi- | The TPM tooling is "by spec" and that is probably the issue. The spec is horrible and allows everything but isn't tailored for 99% of the use cases. | 15:03:41 |
| 13 Dec 2021 |
m1cr0man | Trying to rebase my PR and write a test for listenHTTP. Found a bug in the log for handling ports < 1024, even when running as root. Not sure why yet. It must be one of the systemd protection flags on the service but I haven't narrowed down which one. It's not SystemCallFilters | 23:12:06 |
moritz.hedtke | The capabilities one? | 23:44:31 |
| 14 Dec 2021 |
m1cr0man | To be specific, lego is giving bind: permission denied even when running as root. I haven't looked into it any further, just reread that msg I sent and realised how unclear it was :P | 22:39:49 |
hexa | need to see the systemd unit to make a proper statement on the matter - but the first thing is … privateusers will prevent passing of capabilities | 23:56:33 |
| 18 Dec 2021 |
m1cr0man | I might ask in the systemd channel | 14:25:30 |
m1cr0man | There is no use of privateusers, fwiw. That's good to know though :) | 14:25:49 |
hexa | happy to take a look if you point me to the unit | 14:44:33 |
m1cr0man | Aha! Got it | 14:45:23 |
m1cr0man | CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; | 14:45:24 |
hexa | capabilities need to be requested by the program | 14:45:42 |