NixOS ACME / LetsEncrypt (107 Members, 45 Servers)
Another day, another cert renewal
| Message | Time |
|---|---|
| 8 Nov 2024 | |
| I know before/after don't queue start jobs, but the target implicitly will | 23:21:10 |
| iirc the target requires the renewal, so that will queue the start job, and those before/after should queue them appropriately in the same transaction | 23:21:32 |
| The target will if you start the server, yes | 23:21:33 |
| But not if you start the target | 23:21:38 |
| oh fuck | 23:21:51 |
| So either the test needs to wait for the server before the target | 23:21:55 |
| Or the units need to also wants the server | 23:22:07 |
| Which I think is more correct because they actually do | 23:22:18 |
| hm let me quickly check sth in the webserver units | 23:22:41 |
| Yeah no, it's totally missing | 23:24:00 |
| Problem is now, from the acme module, we can't determine what web server will be serving .well-known/acme-challenge. We can solve this per-webserver, as you said flip the before to a requiredBy (actually... maybe keep before and add requiredBy). I'm now remembering a very old conversation about having web server units register a common target, but I ended up implementing
I wonder how bad it would be to remove the install/wantedBy directives from the acme module, and let dependent services trigger its startup? In fact what if we had a | 23:30:00 |
| This has probably been the issue the whole damn time. How does switch-to-configuration sort/order the start requests for the units? It's probably not a stable sort 😅 | 23:32:21 |
| It doesn't | 23:37:24 |
| I could do something really smart and find the webserver that serves port 80 and only mark the HTTP-01 certs as requiring that webserver as necessary. In fact, that's not even a big stretch given the existing complexity 🙃 | 23:52:17 |
| 9 Nov 2024 | |
| can we just integrate this into the web server modules? | 04:40:42 |
| they support useACMEHost etc., could the logic be there? | 04:40:54 |
| I really don't want to see more magic | 04:40:59 |
| In reply to @emilazy:matrix.org: It should be there, yeah | 06:30:17 |
| I guess I can just make the test wait for the server to start for now | 06:30:31 |
| OK so | 06:50:27 |
| https://github.com/NixOS/nixpkgs/pull/354629 | 06:50:27 |
| I added a commit that makes it work for now | 06:50:34 |
| You fucking what | 08:03:13 |
| https://hydra.nixos.org/build/278094707/log | 08:05:12 |
| Also this thing | 08:05:13 |
| What is even happening anymore | 08:05:18 |
| OK looks like that machine is just hella overloaded | 08:06:32 |
| Looking into that ^ The acme-lockfiles.service is configured in a less than stellar manner. Working directory is /run/acme, but it is managed by tmpfiles instead of RuntimeDirectory, despite being RemainAfterExit (so the runtime dir should not get deleted). Gonna fix all of this now. | 21:06:42 |