NixOS ACME / LetsEncrypt: Another day, another cert renewal (104 members, 44 servers)

| Message | Time |
|---|---|
| 29 Dec 2021 | |
| * But then wouldn't the permissions of 0750 still disallow access to the cert-specified groups? | 03:10:27 |
| ...ah. | 03:16:37 |
| Yeah, we really went all-in on StateDirectory/systemd activation logic for the folder creation. It ended up solving all previous permissions issues we were encountering, whilst also providing `systemctl clean --what=state acme-mydomain.service` for easy full renewals | 13:22:39 |
| There's a bunch of really difficult-to-figure-out logic wrt when directories need to be created, recreated or permissions changed, which all depends on systemd service activation. Hence, it was best to leave it to systemd where possible | 13:30:20 |
| 30 Dec 2021 | |
| Also: the useACMEHost option in Nginx vhosts doesn't set the group for the certificate, so it (unexpectedly) fails to start. I can't find any documentation that requires anything other than setting useACMEHost, though, so I don't think I'm doing anything wrong. | 04:54:21 |
| You do need to set the group explicitly when using useACMEHost. We can't assume that the cert is being used for other purposes in that scenario, thus it would be unsafe to set the group automatically | 15:01:20 |
| * You do need to set the group explicitly when using useACMEHost. We can't assume that the cert is being used for only nginx/apache in that scenario, thus it would be unsafe to set the group automatically | 15:01:37 |
| Got it. I feel like that can definitely be documented better; I’ll PR if I can think of adequate wording. Question: why can’t we assume, though? In what scenario would someone be using one certificate across multiple HTTP servers? idk, just seems unlikely; it’s definitely best not to assume, but I can’t think of an actual practical use case unless I’m just missing something obvious… | 20:05:16 |
| maybe something something different ports something something? | 20:07:50 |
| one wildcard for mail and web is a use case I used to maintain for a deployment | 21:14:33 |
| I added nginx + dovecot + postfix users to the acme group | 21:14:56 |
| 31 Dec 2021 | |
| woohoo, finally nixos-unstable is updated :) | 13:28:55 |
| 2 Jan 2022 | |
| https://nixos.org/manual/nixos/unstable/index.html#module-security-acme-config-dns lol XD | 18:50:16 |
| so uh | 18:50:19 |
| This is in the example on how to auto-generate TSIG keys with a systemd service. https://nixos.org/manual/nixos/unstable/index.html#module-security-acme-config-dns | 18:51:11 |
| Winter, I was thinking that it might be possible to add an assertion in nginx/httpd/caddy to check acme cert access too, which would at least cover your concern about it unexpectedly failing. It would be complex though; idk if nix does anything in the config tree to merge users.users.<name>.extraGroups and users.groups.<name>.extraUsers that I could reference | 18:52:32 |
| In reply to @m1cr0man:m1cr0man.com: Do you mean users.groups.<name>.members? | 21:14:59 |
| yeah sorry, trying to remember it off the top of my head | 21:15:28 |
| m1cr0man: You’ll be pleased to know that it does do merging of them; users.groups.<name>.members is the source of truth. (https://github.com/NixOS/nixpkgs/blob/59bfda72480496f32787cec8c557182738b1bd3f/nixos/modules/config/users-groups.nix#L362) | 23:03:14 |
| I’d be happy to take a stab at adding the assertions to the modules, if you’d be okay with that. | 23:03:36 |
| Awesome find! :D Yeah absolutely, I'll review it as soon as I can (but I'll be going offline soon for tonight) | 23:08:49 |
| I’ll do it sometime tomorrow most likely, so that’s perfectly fine. | 23:16:11 |
| There has to be some way that we can centralize the assertion, but I’m not really sure where a function to generate it can be stored in a way that it can easily be imported by all the modules. Unless I can do something like putting it next to the acme module (probably by making a folder and moving acme into there), then importing it in the other modules? Like, is that “allowed”? (Obviously it would work, but would it be accepted?) | 23:18:23 |
| * There has to be some way that we can centralize the assertion generation, but I’m not really sure where a function to generate it can be stored in a way that it can easily be imported by all the modules. Unless I can do something like putting it next to the acme module (probably by making a folder and moving acme into there), then importing it in the other modules? Like, is that “allowed”? (Obviously it would work, but would it be accepted?) | 23:18:30 |
| 3 Jan 2022 | |
| Maybe you can just add a file under the lib/tests (https://github.com/NixOS/nixpkgs/blob/master/lib/tests) folder? But fwiw, there is already quite a lot of duplication between nginx + http, and adding some assertions isn't going to break the bank, at least not yet. | 00:07:52 |
| Why tests specifically? Seems like a strange place for stuff in modules tbh... | 00:49:39 |
| On second look, maybe not there. I took a quick look last night and noticed some option/module-specific assertions in that folder, but they seem to be designed to be run manually to validate nixpkgs as a whole. I also thought lib itself felt wrong because it's such a specific thing. Maybe ask nixpkgs/NixOS Dev where the best place would be? I'm really not sure myself | 14:02:09 |