| 13 Dec 2021 |
m1cr0man | Trying to rebase my PR and write a test for listenHTTP. Found a bug in the log for handling ports < 1024, even when running as root. Not sure why yet. It must be one of the systemd protection flags on the service but I haven't narrowed down which one. It's not SystemCallFilters | 23:12:06 |
moritz.hedtke | The capabilities one? | 23:44:31 |
| 14 Dec 2021 |
m1cr0man | To be specific, lego is giving bind: permission denied even when running as root. I haven't looked into it any further, just reread that msg I sent and realised how unclear it was :P | 22:39:49 |
hexa | need to see the systemd unit to make a proper statement on the matter - but the first thing is … privateusers will prevent passing of capabilities | 23:56:33 |
| 18 Dec 2021 |
m1cr0man | I might ask in the systemd channel | 14:25:30 |
m1cr0man | There is no use of privateusers, fwiw. That's good to know though :) | 14:25:49 |
hexa | happy to take a look if you point me to the unit | 14:44:33 |
m1cr0man | Aha! Got it | 14:45:23 |
m1cr0man | CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; | 14:45:24 |
hexa | capabilities need to be requested by the program | 14:45:42 |
m1cr0man | A new day + a fresh mind is the best solution finder | 14:45:42 |
hexa | only AmbientCapabilities are active without being requested | 14:45:59 |
hexa | and the bounding set limits ambient capabilities IIRC | 14:46:12 |
m1cr0man | Well the old line was AmbientCapabilities = "CAP_NET_BIND_SERVICE" and it couldn't bind to ports < 1024 | 14:46:38 |
m1cr0man | so idk, the priority is capBoundingSet > AmbientCapabilities? | 14:47:05 |
hexa | the bounding set limits capabilities altogether, so yeah | 14:47:25 |
hexa | sorry, I missed that during review as well | 14:48:26 |
m1cr0man | right that makes sense | 14:48:29 |
m1cr0man | nb! Fixed now and I have written a test for it :) | 14:48:41 |
hexa | ❤️ | 14:48:50 |
m1cr0man | https://github.com/NixOS/nixpkgs/pull/147784 ok so this PR technically still needs a review from someone on the ACME team that isn't me ;) | 15:08:08 |
m1cr0man | ugh ffs I hate rebases | 15:09:53 |
m1cr0man | ok, third time's a charm | 15:17:59 |
| 26 Dec 2021 |
| Winter (she/her) joined the room. | 05:15:35 |
Winter (she/her) | hi all, wonderful work on the acme module :)
i have two questions:
- where is /var/lib/acme created? i cannot for the life of me find how that directory is initially created
- curious: why are these permission fixing services and such required?
thanks! | 05:17:39 |
Arian | It's created by the StateDirectory stanza in the systemd unit | 07:06:53 |
Arian | The permission fixing is to work around a bug we introduced at some point in a previous release | 07:07:19 |
hexa | m1cr0man: happy to merge, needs a rebase though | 10:47:46 |
Winter (she/her) | In reply to @arianvp:matrix.org: "The permission fixing is to work around a bug we introduced at some point in a previous release" Ah, makes sense. Why does this require the /var/lib/acme path to be hardcoded, though? Just to make things simpler on the module side? | 15:22:19 |
| raitobezarius joined the room. | 15:45:30 |