| 28 Nov 2021 |
 Andreas Schrägle | nice. we have a bunch of bespoke default options (e.g. defaultKeyType, defaultDnsProvider) in our fork of the module, because we kin d of needed them, but I never got around to upstreaming them. the more generic approach you suggested seems much better though, so I'm all in favor of that. | 15:49:37 |
| Andreas Schrägle | * nice. we have a bunch of bespoke default options (e.g. defaultKeyType, defaultDnsProvider) in our fork of the module, because we kind of needed them, but I never got around to upstreaming them. the more generic approach you suggested seems much better though, so I'm all in favor of that. | 15:49:44 |
 m1cr0man | Glad to hear it! :D The more people the design helps the better. | 15:56:22 |
| m1cr0man | webserver # Nov 28 22:15:41 webserver systemd[1]: Condition check resulted in Generate self-signed certificate authority being skipped.
webserver # Nov 28 22:15:41 webserver systemd[1]: acme-selfsigned-ca.service: Start request repeated too quickly.
webserver # Nov 28 22:15:41 webserver systemd[1]: acme-selfsigned-ca.service: Failed with result 'start-limit-hit'.
Lol, look what I just reproduced ;)
| 22:18:35 |
| m1cr0man | in the test suite no less | 22:18:42 |
| m1cr0man | Added StartLimitIntervalSec=0 with all ConditionPathExists and sure enough it's fine now. It only happens on some runs, which is baffling, but oh well life's too short to debug systemd ;) | 22:47:26 |
| m1cr0man | https://github.com/NixOS/nixpkgs/pull/147784 started a draft PR for the work so far, just so ticket creators know what's up | 23:17:03 |
| m1cr0man | also yous can check out security.acme.defaults ;) | 23:17:12 |
| 3 Dec 2021 |
|  Patryk Gronkiewicz joined the room. | 13:01:15 |
| Patryk Gronkiewicz | Hi there,
I'm trying to set up Nginx reverse proxy with DNS-01 challenge, but I can't
Can you help me with that?
I've described it better on reddit -> https://www.reddit.com/r/NixOS/comments/r7y5vy/nginx_reverse_proxy_with_dns01_challenge/ | 13:54:30 |
 hexa | instead of enableACME = true; use useACMEHost | 14:32:44 |
| hexa | * instead of enableACME = true; use useACMEHost = "gitea.domain.org"; | 14:33:27 |
| hexa | * Patryk Gronkiewicz: instead of enableACME = true; use useACMEHost = "gitea.domain.org"; | 14:33:36 |
| Patryk Gronkiewicz | In reply to @hexa:lossy.network
Patryk Gronkiewicz: instead of enableACME = true; use useACMEHost = "gitea.domain.org"; I can't finish rebuild then - nginx crashes and something else just hangs (I don't know what, but I can wait indefinitely and nothing changes) | 15:01:56 |
| hexa | well, can't help you when you can't apply the config 😲 | 15:13:56 |
| 4 Dec 2021 |
| m1cr0man | In reply to @pgronkievitz:matrix.org
I can't finish rebuild then - nginx crashes and something else just hangs (I don't know what, but I can wait indefinitely and nothing changes) Check that you have assigned the security.acme.certs."gitea.domain.org".group to nginx or added nginx to the acme group | 16:36:30 |
| m1cr0man | https://github.com/NixOS/nixpkgs/pull/147784 ready for review for real now :) | 19:06:13 |
| m1cr0man | 7 ticket closures in one :D that always feels good | 19:07:16 |
| 11 Dec 2021 |
| m1cr0man | Systemd 250 notes from Phoronix:
There is also a new tool called systemd-creds for dealing with the credentials. This can be used for SSL certificates, passwords, and other similar data.
| 12:05:15 |
| m1cr0man | It seems to kind of be like ansible-vault, where decryption happens when the service is started. Kind of neat because it can/will use a TPM module | 13:53:17 |
| hexa | ohhhh | 14:02:23 |
| hexa | I wish element had a sensible forwarding mode … for #tpm:nixos.org | 14:02:57 |
| hexa | where the general consensus was, that tpm tooling on linux is abysmal | 14:03:20 |
| m1cr0man | Oh yeah, I know that XD Tried to set up my server's ZFS to unlock via the TPM once. Did not find a workable solution :P | 14:04:29 |
| m1cr0man | There's some other nice stuff in here that seems generally applicable too. The systemd-homed updates are super intriguing. I've always wondered if it would be possible to set up on-demand services for users via homed (namely jupyter notebooks) and safe SSH environments for student-esque use with it. Seems like a lot of these things would make that a bit easier | 14:06:52 |
 andi- | The TPM tooling is "by spec" and that is probably the issue. The spec is horible and allows everything but isn't tailored for 99% of the usecases. | 15:03:41 |
| 13 Dec 2021 |
| m1cr0man | Trying to rebase my PR and write a test for listenHTTP. Found a bug in the log for handling ports < 1024, even when running as root. Not sure why yet. It must be one of the systemd protection flags on the service but I haven't narrowed down which one. It's not SystemCallFilters | 23:12:06 |
 Moritz Hedtke | The capabilities one? | 23:44:31 |
| 14 Dec 2021 |
| m1cr0man | To be specific, lego is giving bind: permission denied even when running as root. I haven't looked into it any further, just reread that msg I sent and realised how unclear it was :P | 22:39:49 |
| hexa | need to see the systemd unit to make a proper statement on the matter - but the first thing is … privateusers will prevent passing of capabiltiies | 23:56:33 |
