| 26 Dec 2021 |
m1cr0man | yeah absolutely | 16:30:05 |
m1cr0man | it's in scope, we maintain it :) | 16:30:15 |
Winter (she/her) | https://github.com/NixOS/nixpkgs/blob/b0f154fd440bdf43a483b8ca46020d7d6cec5fbf/nixos/modules/services/web-servers/nginx/default.nix#L952
Why is mkDefault used here? In what scenario would this value need to be changed from the Nginx group? | 17:03:56 |
m1cr0man | good question! It's very simple. we want security.acme.defaults.group or security.acme.certs.<cert>.group to take precedence | 17:08:11 |
m1cr0man | actually, defaults.group won't override it I don't think, but the <cert>.group definitely will | 17:09:16 |
m1cr0man | It gets even wilder in the next PR ;) https://github.com/NixOS/nixpkgs/pull/147784/files#diff-9b5561c4bb76ed61cd945467b6ccacb8343bb8ed8d2ad8a1e43505db34352722R943-R949 | 17:10:21 |
Winter (she/her) | oh no. | 17:10:47 |
Winter (she/her) | lol | 17:10:49 |
Winter (she/her) | where is security.acme.defaults even defined? can’t find that anywhere >.< | 17:11:10 |
m1cr0man | it's in that PR | 17:11:14 |
m1cr0man | it's not in master yet | 17:11:19 |
Winter (she/her) | ahh | 17:11:30 |
m1cr0man | it's also fully doc'd in that PR, in case you were looking for docs too lol | 17:11:38 |
m1cr0man | I specifically document how to make use of the nginx vhost stuff for DNS-01 validation, which includes making use of that webroot logic | 17:12:27 |
m1cr0man | Wrote a test for caddy to cover https://github.com/NixOS/nixpkgs/pull/147973 . Once it passes I'll push + we'll be good for merge | 17:24:13 |
Winter (she/her) | Is there any reason the acme user doesn’t have a preset UID/GID like other modules’ users do? | 20:01:48 |
hexa | because it doesn't really matter? It is always referenced by name. | 20:11:20 |
Winter (she/her) | that’s fair | 20:20:50 |
m1cr0man | It did up until recently, but then some other maintainer removed its fixed UID. I was not against it - for the reason hexa says but also you're not transporting certs between systems anyway and the UID will never change once randomly picked. | 20:34:50 |
m1cr0man | so it turns out my tests found a bug in caddy ;D | 20:35:11 |
Winter (she/her) | In reply to @m1cr0man:m1cr0man.com It did up until recently, but then some other maintainer removed its fixed UID. I was not against it - for the reason hexa says but also you're not transporting certs between systems anyway and the UID will never change once randomly picked.
the UID will never change once randomly picked.
unless you’re wiping your rootdir on every boot (hi), which regenerates /etc/passwd, so then you’re at the mercy of JSON ordering | 21:07:23 |
m1cr0man | you can always set your own UID :) | 21:07:36 |
m1cr0man | just set users.users.acme.uid = 123; | 21:07:48 |
hexa | yeah, I'm reluctant to spend fixed uids on something if we don't have to 🙂 | 21:08:06 |
m1cr0man | We also can't solve for every case, which is a lesson I've learned the hard way with this module | 21:08:29 |
hexa | bingo | 21:08:47 |
Winter (she/her) | In reply to @m1cr0man:m1cr0man.com you can always set your own UID :) yeah of course | 21:10:14 |