| 12 Jan 2026 |
 hexa | and then determine the total duration from the certificate | 01:01:04 |
| hexa | * and then determine the total duration from the certificate instead | 01:01:08 |
| hexa | yeah, implemented … I think | 01:18:32 |
 emily | I was just thinking we could run it much more often with no randomization if it's getting an ARI time from the CA | 01:28:59 |
| emily | because then the CA does its own load balancing across renewal times | 01:29:15 |
| emily | I implemented the skew back before ARI was a thing | 01:29:47 |
| hexa | https://github.com/NixOS/nixpkgs/pull/479209 | 01:50:33 |
| hexa | I wish we could do something similar for the timer intervall | 01:51:24 |
 Tom | is there that much harm in just runniung it more often as the new default? | 01:53:10 |
| Tom | * is there that much harm in just running it more often as the new default? | 01:53:40 |
| hexa | we're a multiplier, so yes it matters | 01:56:59 |
| Tom | from my understanding the check on whether to proceed with the renewal is done locally. So it would "only" affect local resources from my understanding? | 02:04:35 |
| hexa | Redacted or Malformed Event | 02:05:05 |
| hexa | * only while above validMinDays | 02:05:10 |
| hexa | * we only fail if above valid min days | 02:05:24 |
| hexa | Redacted or Malformed Event | 02:05:28 |
| hexa | we run renew always, but only fail if below validMinDays | 02:06:02 |
| hexa | if is_expiration_skippable out/full.pem; then
echo 1>&2 "nixos-acme: Ignoring failed renewal because expiration isn't within the coming ${toString data.validMinDays} days"
else
# High number to avoid Systemd reserved codes.
exit 11
| 02:06:31 |
| hexa | that's this logic | 02:06:33 |
| hexa | * if ! lego ${renewOpts} --days ${toString data.validMinDays}; then
if is_expiration_skippable out/full.pem; then
echo 1>&2 "nixos-acme: Ignoring failed renewal because expiration isn't within the coming ${toString data.validMinDays} days"
else
# High number to avoid Systemd reserved codes.
exit 11
| 02:06:46 |
| Tom | ah, okay | 02:07:36 |
| hexa | Tom: feel free to test https://github.com/NixOS/nixpkgs/pull/479212 | 02:12:04 |
 Sandro 🐧 | Since I don't want to renew all acme certs for all nixos users again, I leave that to someone experienced | 15:53:31 |
| hexa | 
Download image.png | 19:21:06 |
| hexa | 🤔 | 19:21:10 |
| hexa | well, we use the email as kind of an account name | 19:26:23 |
| hexa | tough | 19:26:27 |
| hexa | I suppose these are created by lego | 19:28:44 |
| hexa | so the question would be how it names them with no email given | 19:28:53 |
| hexa |
I decorrelated the email (used by the LE account) and the user ID (used to create files and directories).
| 19:40:47 |
