| 8 Nov 2024 |
K900 | That before isn't enough | 23:20:47 |
K900 | You need the http-01 units to actually wants it | 23:21:07 |
m1cr0man | I know before/after don't queue start jobs, but the target implicitly will | 23:21:10 |
m1cr0man | iirc the target requires the renewal, so that will queue the start job, and those before/after should queue them appropriately in the same transaction | 23:21:32 |
K900 | The target will if you start the server, yes | 23:21:33 |
K900 | But not if you start the target | 23:21:38 |
m1cr0man | oh fuck | 23:21:51 |
K900 | So either the test needs to wait for the server before the target | 23:21:55 |
K900 | Or the units need to also wants the server | 23:22:07 |
K900 | Which I think is more correct because they actually do | 23:22:18 |
m1cr0man | hm let me quickly check sth in the webserver units | 23:22:41 |
m1cr0man | Yeah no, it's totally missing | 23:24:00 |
m1cr0man |
Or the units need to also wants the server
Problem is now, from the acme module, we can't determine what web server will be serving .well-known/acme-challenge. We can solve this per-webserver, as you said flip the before to a requiredBy (actually... maybe keep before and add requiredBy).
I'm now remembering a very old conversation about having web server units register a common target, but I ended up implementing nginx-config-reload as it met the requirements at the time.
not if you start the target
I wonder how bad it would be to remove the install/wantedBy directives from the acme module, and let dependent services trigger its startup? In fact, what if we had a mkDefault value for requiredBy on the ACME certs, and set an explicit value in the web servers?
| 23:30:00 |
m1cr0man | *
Or the units need to also wants the server
Problem is now, from the acme module, we can't determine what web server will be serving .well-known/acme-challenge. We can solve this per-webserver, as you said flip the before to a requiredBy (actually... maybe keep before and add requiredBy).
I'm now remembering a very old conversation about having web server units register a common target, but I ended up implementing nginx-config-reload as it met the requirements at the time.
not if you start the target
I wonder how bad it would be to remove the install/wantedBy directives from the acme module, and let dependent services trigger its startup? In fact, what if we had a mkDefault value for wantedBy on the ACME certs, and set an explicit value in the web servers?
| 23:30:16 |
m1cr0man | This has probably been the issue the whole damn time. How does switch-to-configuration sort/order the start requests for the units? It's probably not a stable sort 😅 | 23:32:21 |
K900 | It doesn't | 23:37:24 |
m1cr0man | I could do something really smart and find the webserver that serves port 80 and only mark the HTTP-01 certs as requiring that webserver as necessary. In fact, that's not even a big stretch given the existing complexity 🙃 | 23:52:17 |
| 9 Nov 2024 |
emily | can we just integrate this into the web server modules? | 04:40:42 |
emily | they support useACMEHost etc., could the logic be there? | 04:40:54 |
emily | I really don't want to see more magic | 04:40:59 |
K900 | In reply to @emilazy:matrix.org "they support useACMEHost etc., could the logic be there?" It should be there, yeah | 06:30:17 |
K900 | I guess I can just make the test wait for the server to start for now | 06:30:31 |
K900 | OK so | 06:50:27 |
K900 | https://github.com/NixOS/nixpkgs/pull/354629 | 06:50:27 |
K900 | I added a commit that makes it work for now | 06:50:34 |
K900 | webserver # [ 426.884702] (es-start)[2816]: acme-lockfiles.service: Changing to the requested working directory failed: Permission denied
webserver # [ 426.934208] (es-start)[2816]: acme-lockfiles.service: Failed at step CHDIR spawning /nix/store/n24xs3nmndyyivq3q5w52f7aqlb06hqh-unit-script-acme-lockfiles-start/bin/acme-lockfiles-start: Permission denied
| 08:03:11 |
K900 | You fucking what | 08:03:13 |
K900 | https://hydra.nixos.org/build/278094707/log | 08:05:12 |
K900 | Also this thing | 08:05:13 |
K900 | What is even happening anymore | 08:05:18 |