| 6 Jul 2021 |
 m1cr0man | IMO it's good SEO ;P | 15:37:46 |
|  spacesbot - keeps a log of public NixOS channels changed their display name from spacesbot to spacesbot - keeps a log of public NixOS channels. | 22:11:40 |
| 8 Jul 2021 |
|  sumner left the room. | 00:16:15 |
| 9 Jul 2021 |
|  vika (she/her) 🏳️⚧️ joined the room. | 14:50:31 |
| vika (she/her) 🏳️⚧️ set a profile picture. | 16:39:11 |
|  Andreas Schrägle joined the room. | 20:15:14 |
| 10 Jul 2021 |
| m1cr0man | https://github.com/NixOS/nixpkgs/issues/129838 we're really getting to the point now where the service start script is getting as complex as it was pre-lego, and we maybe should consider writing the tool ourselves or starting to push changes upstream to lego (if they are likely to be merged).
In order to avoid reintroducing the bug that the local expiry check resolves, we would need to check internet connection and then the OCSP response and then trigger renewal if necessary :sick | 12:49:16 |
| m1cr0man | * https://github.com/NixOS/nixpkgs/issues/129838 we're really getting to the point now where the service start script is getting as complex as it was pre-lego, and we maybe should consider writing the tool ourselves or starting to push changes upstream to lego (if they are likely to be merged).
In order to avoid reintroducing the bug that the local expiry check resolves, we would need to check internet connection and then the OCSP response and then trigger renewal if necessary :sick: | 12:49:19 |
| m1cr0man | * https://github.com/NixOS/nixpkgs/issues/129838 we're really getting to the point now where the service start script is getting as complex as it was pre-lego, and we maybe should consider writing the tool ourselves or starting to push changes upstream to lego (if they are likely to be merged).
In order to avoid reintroducing the bug that the local expiry check resolves, we would need to check internet connection and then the OCSP response and then trigger renewal if necessary 🤒 | 12:49:31 |
| m1cr0man | We can probably leave checking OCSP to lego actually. So instead, we would need to check cert renewal + internet connection. If cert is expired OR there is an active internet connection, then run lego renew. | 12:51:06 |
 Arian | Start programming against the Lego API instead? | 13:24:51 |
| Arian | Like cert-manager | 13:24:55 |
| Arian | Instead of shelling out | 13:24:58 |
| Arian | It's probably more readable and maintainable. I agree | 13:25:09 |
| 13 Jul 2021 |
|  iclanzan joined the room. | 23:47:09 |
| 18 Jul 2021 |
|  aanderse joined the room. | 15:57:03 |
| aanderse changed their display name from Aaron Andersen to aanderse. | 15:58:44 |
| 19 Jul 2021 |
| aanderse | shouldn't this show me a list of all my certs on a server? sudo -u acme lego list | 15:35:27 |
| aanderse | getting No certificates found. | 15:35:40 |
| Andreas Schrägle | Hm. I'm seeing a renewal failing, because it's trying to validate domains which it shouldn't anymore.
They were removed from the cert and the lego call also doesn't list them, but it's still trying to validate them. | 21:29:35 |
| Andreas Schrägle | I just forced getting a new certificate by moving the folder for now, but this seems like a bug. Maybe in lego or the way we call it, not sure. | 21:39:34 |
| 23 Jul 2021 |
| Room Avatar Renderer. | 23:23:50 |
| 30 Jul 2021 |
| aanderse | i noticed that the nixos manual has a section on prosody which explains how to use it with ssl certs, but it results in a failure because it doesn't manage cert permissions at all :\ | 14:09:53 |
| aanderse | i'm not sure exactly what i'm supposed to do to have prosody use a ssl cert that i use for other services as well
any hints?
i think until LoadCredentials works well the cert would have group readable permissions | 14:12:02 |
 hexa | loadcredentials copies the certificate and never updates it | 15:47:30 |
| hexa | not sure why they thought this would be a good idea | 15:47:43 |
| hexa | prosody has a module you need to load so it reloads certificates as well IIRC | 15:48:01 |
 andi- | In reply to @aanderse:nixos.dev
i'm not sure exactly what i'm supposed to do to have prosody use a ssl cert that i use for other services as well
any hints?
i think until LoadCredentials works well the cert would have group readable permissions set additional groups for the cert: https://github.com/andir/infra/blob/master/config/modules/prosody/default.nix#L330 | 15:56:25 |
| aanderse | andi-: ah ok, yeah just a dedicated cert group | 16:01:07 |
| andi- | yeah | 16:01:21 |
