| 17 Dec 2024 |
 ThinkChaos | Could someone please review the fix for cert ownership error message causing an unrelated exception PR, #362271? It's a tiny diff :)
Users are getting misleading errors due to this throwing ATM | 23:57:19 |
| 19 Dec 2024 |
| ThinkChaos | K900 I looked at the log for the this failure, httpd only started after the ACME validation happened: Starting Apache HTTPD vs Attempting to validate w/ HTTP
I think this is a switch-to-configuration-ng regression 😕
The perl script starts all services in a single systemctl call, so a single Systemd transaction. That means httpd's Before relationship with the certs is enforced.
Whereas -ng uses the Systemd D-BUS API to start services one by one, meaning multiple transactions. So Before is not enforced.
I guess we can try and disable -ng for the ACME tests, see how it goes for a week or so and then potentially raise an issue with -ng. | 01:31:18 |
| ThinkChaos | BTW thanks for the review + merge on the PR from above! | 01:39:02 |
 K900 | In reply to@thinkchaos:matrix.org
K900 I looked at the log for the this failure, httpd only started after the ACME validation happened: Starting Apache HTTPD vs Attempting to validate w/ HTTP
I think this is a switch-to-configuration-ng regression 😕
The perl script starts all services in a single systemctl call, so a single Systemd transaction. That means httpd's Before relationship with the certs is enforced.
Whereas -ng uses the Systemd D-BUS API to start services one by one, meaning multiple transactions. So Before is not enforced.
I guess we can try and disable -ng for the ACME tests, see how it goes for a week or so and then potentially raise an issue with -ng. Uhh | 06:55:59 |
| K900 | Can you please report this in #NixOS systemd | 06:56:24 |
 Arian | There is no api for starting multiple services in a single transaction. This has always been a lie | 10:46:30 |
| Arian | I think systemctl start also is a for loop around starting single units through dbus afaicr | 10:46:51 |
| ThinkChaos | Yeah I need to dig a bit more before I make too much noise, I'll look at systemctl's code, thanks for the hint | 13:38:17 |
| ThinkChaos | Either way I think we'll need to make the link between the certs and web server stronger to fix this: I'm thinking certs using HTTP validation can Require the relevant web server | 13:45:07 |
| 21 Dec 2024 |
|  @stablejoy:matrix.org joined the room. | 06:43:11 |
 m1cr0man | In reply to @arianvp:matrix.org
I think systemctl start also is a for loop around starting single units through dbus afaicr Really? This completely blows my understanding of service relation chains | 22:43:00 |
| Arian | Yeh pretty sure | 22:43:42 |
| Arian | There is a mutable list of jobs and "dependencies" are some rules that cause some jobs to cancel others out | 22:44:36 |
| Arian | The whole dependency model is kind of a lie | 22:44:45 |
| Arian | https://blog.darknedgy.net/technology/2020/05/02/0/ is a nice read | 22:44:57 |
| 22 Dec 2024 |
| m1cr0man | How are we feeling about the acme-setup.service refactor now? https://github.com/NixOS/nixpkgs/pull/355087 I still want to get this merged, it really simplifies the systemd side of things a bit. | 12:31:30 |
| m1cr0man | In reply to @thinkchaos:matrix.org
Either way I think we'll need to make the link between the certs and web server stronger to fix this: I'm thinking certs using HTTP validation can Require the relevant web server I totally forgot that we had a discussion about this a while ago 😅 tl;dr we could add a target for http01 renewal specifically. The web servers can be configured to want + before on it, and the renewals can require + after. This gives us a generic mechanism of linking whatever web server is running on port 80 to the certs using HTTP01. | 12:36:53 |
| m1cr0man | We do have to be careful about circular dependencies, but that's expected. HTTP01 server startup is complicated regardless. | 12:37:36 |
| m1cr0man | In reply to @thinkchaos:matrix.org
Either way I think we'll need to make the link between the certs and web server stronger to fix this: I'm thinking certs using HTTP validation can Require the relevant web server * I totally forgot that we had a discussion about this a while ago 😅 tl;dr we could add a target for http01 renewal specifically. The web servers can be configured to requiredBy + before on it, and the renewals can require + after. This gives us a generic mechanism of linking whatever web server is running on port 80 to the certs using HTTP01. | 12:41:42 |
| @stablejoy:matrix.org left the room. | 13:25:10 |
|  allrealmsoflife joined the room. | 15:55:13 |
| 27 Dec 2024 |
|  raitobezarius changed their display name from raitobezarius to raitobezarius (DECT: 3538 / EPVPN 2681). | 07:32:42 |
| 30 Dec 2024 |
| raitobezarius changed their display name from raitobezarius (DECT: 3538 / EPVPN 2681) to raitobezarius. | 16:28:56 |
| 31 Dec 2024 |
| K900 | I don't know what's up with that | 07:24:05 |
| K900 | If there was a change or it's just unlucky | 07:24:12 |
| K900 | But it feels like the tests are flakier now again | 07:24:20 |
| 1 Jan 2025 |
|  NixOS Moderation Botchanged room power levels. | 14:26:30 |
| 12 Jan 2025 |
|  Rayane Nakib (ريّان نقيب) joined the room. | 12:39:36 |
| 19 Jan 2025 |
| K900 | OK we need to do something | 08:50:49 |
| K900 | The tests are flaking horribly again | 08:50:53 |
