| 3 Feb 2023 |
 hexa | hm, nvm. I did indeed add SupplementaryGroup with BindPaths | 00:15:39 |
 m1cr0man | LoadCredentials isn't the best option unfortunately because it means you must always restart the service, as a reload won't reload the creds from disk. | 21:42:13 |
| m1cr0man | TemporaryFilesystem suffers the same caveat | 21:42:23 |
| m1cr0man | For things where restart is viable/standard, then LoadCredential can work quite well | 21:42:39 |
| hexa | yeah, LoadCredential= would need to inotify the original file and sighup the process or something to be useful | 22:47:36 |
| m1cr0man | Or systemd needs to provide a mechanism for reloading credential files in cases where the application will auto-reload all files itself. Like, if I could do systemctl reload httpd --credentials that would do the trick so long as credentials are reloaded before the process itself | 22:51:31 |
| hexa | how does BindPaths suffer from the same caveat, then its just a bind mount? | 22:55:13 |
| hexa | * how does BindPaths suffer from the same caveat, when its just a bind mount? | 22:55:35 |
| 4 Feb 2023 |
| m1cr0man | I was only referring to LoadCredentials. BindPaths is fine if you are also ok with extending the service user's groups in some fashion. | 11:47:57 |
| 7 Feb 2023 |
| m1cr0man | I just saw #215124, will look into it tonight | 15:19:02 |
| m1cr0man | Exit code 11 means that renew was attempted with lego but failed, and renewal is definitely required (the cert is expired). I should add an error message there instead of just exiting with a unique code. I've asked the reporter to scroll up + check the rest of their logs as it probably contains a lego failure that has been happening for > 30 days. This is however a prime example of why we set -x :) | 21:11:51 |
| 9 Feb 2023 |
| m1cr0man | https://github.com/NixOS/nixpkgs/pull/199033 hm, this person is being a little awkward. I still just want to close that PR, the changes aren't worthwhile | 19:07:20 |
 Winter (she/her) | so reiterate it and close it m1cr0man | 19:43:58 |
| Winter (she/her) | your judgement is trusted for a reason, and it seems that theyre not even responding to (or understanding?) your claims | 19:44:24 |
| m1cr0man | Okay yeah, I'll do that. Thanks :) | 19:44:48 |
| 10 Feb 2023 |
 Andreas Schrägle | Huh, I guessed correctly who that was before opening it. He's... not always easy to deal with, which kind of sucks, because he does sometimes contribute quite useful stuff. | 13:54:55 |
| hexa | you would think there is a language barrier | 16:11:40 |
| hexa | but sometimes the communication works quite flawlessly | 16:11:48 |
| 12 Feb 2023 |
| m1cr0man | :( They are not happy about me closing the PR | 18:18:54 |
| m1cr0man | I'm trying to figure out if it would solve this but I don't think it does. At least then it has some technical merit beyond "keep the generated config cleaner" | 18:25:07 |
| m1cr0man | Oh right I finally understand 180980 properly, better than I did in September :P | 18:31:20 |
| m1cr0man | There, I left a big reply in 199033, I did out a truth table for his proposal, which a) took way too long to figure out the implications and b) turned out to be needlessly complicated and I would think harmful to some existing configs. | 20:25:04 |
| 16 Feb 2023 |
| m1cr0man | Hm, interesting https://github.com/NixOS/nixpkgs/issues/216487 I'll do my best to explain why it exists. | 09:29:55 |
| m1cr0man | Tldr the conditionPathExists is needed to ensure successful reload when vhosts with new certs are added, and it performs batching too | 09:32:27 |
| m1cr0man | Actually, there might be a way to reduce the number of reloads with some file touching | 09:35:22 |
| m1cr0man | But that's extra complexity to solve a non issue afaik. What harm does extra reloading do? | 09:35:55 |
| 23 Feb 2023 |
 raitobezarius | Breaking TCP connections basically | 05:04:00 |
| raitobezarius | Hm no reload keeps the existing ones * | 05:04:40 |
| 4 Mar 2023 |
| raitobezarius | I have a NixOS test using curl to test TLS-related stuff:
webserver # * Server certificate:
webserver # * subject: CN=*.test.nix
webserver # * start date: Jan 30 03:41:18 2023 GMT
webserver # * expire date: Jan 30 03:41:18 2043 GMT
webserver # * subjectAltName does not match direct.noproxy.test.nix
webserver # * SSL: no alternative certificate subject name matches target host name 'direct.noproxy.test.nix'
I am using ACME snakeoil certs, but for some reason, my wildcard cert with CN=.test.nix and SAN=[.test.nix] is not considered as valid by curl, though openssl -showcerts -connect validates the chain properly… (I used security.pki.certificateFiles)
| 19:41:47 |
| raitobezarius | Does anyone understand how I can get curl to debug this or is it an instance of curl failing because the CN contain * and this is not really allowed? | 19:42:06 |
