| 17 Oct 2022 |
Winter (she/her) | though that's definitely an issue i considered, and maybe there's some race condition or something | 11:11:53 |
Winter (she/her) | In reply to @hexa:lossy.network do you have a setup with non-persistent mountpoints? what do you mean by that? (probably not, but want to clarify what you mean) | 11:12:09 |
hexa | yeah, the wording is weird | 11:12:17 |
hexa | uhm, erase your darlings blogpost | 11:12:22 |
hexa | like data below / is not persistent, but instead tmpfs or zfs with rollbacks to a clean state | 11:12:47 |
hexa | I'm wondering whether some state that tracks whether a timer has executed is not being persisted | 11:13:26 |
hexa | and with Persist=yes it thinks it has to rerun every time | 11:13:35 |
Winter (she/her) | it's being persisted | 11:20:29 |
Winter (she/her) | that's the stamp file i'm talking about | 11:20:42 |
Winter (she/her) | In reply to @winterqt:nixos.dev It gets recreated as expected, gonna reboot again. I assume it won't be updated. here i show that my path is being persisted correctly, but systemd isn't stamping the file at boot after that initial creation | 11:21:49 |
Winter (she/her) | maybe it's nginx depending on the renewal target 🤔 | 11:35:40 |
Winter (she/her) | that would make sense lmfao | 11:40:35 |
| 19 Oct 2022 |
m1cr0man | Depending on the renewal target in nginx shouldn't be triggering the timer? Unless, the timer is aware of when the unit last ran? Maybe I'm wrong though. | 22:57:28 |
| 20 Oct 2022 |
| hjulle joined the room. | 12:04:33 |
| 24 Oct 2022 |
Andreas Schrägle | the acme nixos test broke recently https://hydra.nixos.org/job/nixos/trunk-combined/nixos.tests.acme.x86_64-linux / https://hydra.nixos.org/log/hv4qwbrhmnxf6h0fq70m8lxy5an0xf89-vm-test-run-acme.drv logs indicate minica being denied a system call, if I'm not reading them wrong. any ideas why this might be happening? | 08:30:55 |
Arian | odd | 08:32:13 |
Arian | seems both minica and lego dumped core | 08:33:26 |
Arian | this is really odd. maybe the go package broke? | 08:34:10 |
Arian | aaah wait | 08:34:45 |
Arian | We have a whitelist of syscalls here: | 08:35:15 |
Arian | https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/acme/default.nix#L63-L70 | 08:35:16 |
Arian | so maybe lego and minica are doing new syscalls that aren't in this list | 08:35:27 |
Arian | lego seems to be calling setrlimit (which tbh is a weird thing for a process to do itself) and idk if that one is allowed by default | 08:36:04 |
Arian | minica stacktrace is very... uninformative | 08:36:14 |
Arian | anyhow this means that the acme module is properly broken. this is a release blocker | 08:36:44 |
Arian | Andreas Schrägle: could you please open an issue so we can add it to the release blocker list? | 08:37:07 |
Andreas Schrägle | In reply to @arianvp:matrix.org Andreas Schrägle: could you please open an issue so we can add it to the release blocker list? does this not block the (non-small) channel anyways? | 08:38:39 |
Arian | idk if this VM test is in the list. | 08:38:57 |
Arian | if it is then we're good :) | 08:39:00 |
Andreas Schrägle | looks like it isn't. I'll open an issue. | 08:41:04 |