 | NixOS ACME / LetsEncrypt | 104 Members |
| Another day, another cert renewal | 44 Servers |
| NixOS ACME / LetsEncrypt | 104 Members |
| Another day, another cert renewal | 44 Servers |
| Sender | Message | Time |
|---|---|---|
| 11 Nov 2024 | ||
 Arian | It's just a static website if someone owns it I'll just make a new server 😂 | 19:07:08 |
| Arian | I don't have the ssh key anymore. If you are bored and wanna try to break in you have my consent | 19:07:30 |
 emily | it sounds like you need me to break in to get you your SSH key back | 19:08:08 |
| emily | like smashing someone's windows to unlock the door from the inside for them | 19:08:19 |
| Arian | Normalize machines with 10 years of uptime and some php 5 | 19:08:53 |
| Arian | I need this to cope with npm version bumps during day job | 19:09:18 |
| emily | that makes me feel old because I remember PHP 4 being the hot new thing | 19:24:23 |
| 12 Nov 2024 | ||
 pfhuh joined the room. | 05:55:11 | |
 ThinkChaos | I toyed with GNU parallel to replace the locking, but it's not great to say the least. It tries to re-login as the user running it to start a daemon, and can helpfully do that over SSH for you... Doesn't work well with namespaces/locked down services. And it's Perl, so anyone using the "perlless" setup it'll cause forbidden deps issues | 22:51:32 |
| ThinkChaos | As they say, never meet your heroes, nor look at a popular program's code | 22:52:04 |
| emily | did you remember to cite it? | 22:52:33 |
| ThinkChaos | Where? | 22:52:52 |
| emily | it infamously nags you to cite it in academic publications if you use it. you have to promise it that you'll cite it. | 22:53:21 |
| emily | https://git.savannah.gnu.org/cgit/parallel.git/tree/doc/citation-notice-faq.txt | 22:53:25 |
| emily | some distros patch it out. | 22:53:30 |
| ThinkChaos | I'm not going to make a PR with that, it's just not worth pursuing | 22:53:52 |
| ThinkChaos | lol didn't know that | 22:53:57 |
| ThinkChaos | I'll cite it's name in vain is what I'll do | 22:54:22 |
| ThinkChaos | * I'll cite its name in vain is what I'll do | 22:54:28 |
| ThinkChaos | But yeah I think the best for the locking would be to write a small CLI tool that's less cursed and based on FIFOs so I'm playing with that | 22:55:03 |
| ThinkChaos | Would avoid the whole round robin bit of code at the cost of one more daemon to manage the FIFO (since the FIFO's data is lost when the writer closes, so daemon required| | 22:55:57 |
| ThinkChaos | * Would avoid the whole round robin bit of code at the cost of one more daemon to manage the FIFO (since the FIFO's data is lost when the writer closes, so daemon required) | 22:55:59 |
| ThinkChaos | emily: how tempted are you by going nuclear and writing an ACME daemon? Cause my view is it's easier to write the 2 small tools to move complexity out of the module and call it a day, and I'm willing to spend time on it. But I agree a fully NixOS blessed daemon would be the best solution, just sounds like a lot more work. | 23:08:15 |
| ThinkChaos | Basically asking if I should spend more time pursuing those 2 tools now | 23:08:30 |
| emily | quite tempted, but please don't block any work on it, it is very far down my list of priorities | 23:08:41 |
| emily | I have no plans to actively write an ACME implementation and even if I developed such plans I would not expect a deliverable before late 2025 | 23:09:00 |
| emily | especially since I consider Caddy-as-ACME-client to be basically good enough | 23:10:06 |
| ThinkChaos | Ok, then I'll have my fun with and experiment more | 23:11:41 |
| 13 Nov 2024 | ||
 m1cr0man | In reply to @thinkchaos:matrix.org I would want to get a set of concrete goals for whatever daemon you are thinking of here. There's features of the systemd implementation we absolutely want to keep, and things we are implementing to get around limitations. I'm currently of the view that going nuclear isn't required. We can simplify the locking with systemd targets as I demonstrated before, and this is in line with how the account leader is implemented today. Some of the scripting can also be upstreamed to lego - specifically returning a different return code when certs are not expired but cannot be checked online. This only leaves some minor setup things to a daemon, plus perhaps evaluating a locking system. I'm not going to say don't do it, this sort of passion to solve the problem can only result in positive improvement 😄 do bare in mind though that there's a lot of skeletons in the ACME module closet - so many edge cases we've engineered it to fit. There's good reason to keep the cert:service 1:1 mapping for many of the integrations that now exist, and if there is another way, it will need careful testing. | 01:30:53 |
| ThinkChaos | In reply to @thinkchaos:matrix.orgThe daemon thing is just for locking, basically replacing GNU Parallel in that^ | 01:35:01 |