| 26 Nov 2021 |
hexa | saves rebase headaches between pr's possibly | 22:01:45 |
m1cr0man | yeah, cool. | 22:06:27 |
m1cr0man | I also just found that it would be silly (and require a rebase) to fix one of these issues and not the other in one commit :P | 22:06:45 |
m1cr0man | Btw turns out separating domain hash from the certsDir hash was a great idea - because now I can safely remove domainhash entirely and fix your issue. Btw, can you open a ticket for that, just so that we can track the change reasoning against it? | 22:07:27 |
hexa | https://github.com/NixOS/nixpkgs/issues/147540 | 22:12:30 |
hexa | here we go | 22:12:31 |
m1cr0man | ty# | 22:12:39 |
m1cr0man | * ty | 22:12:40 |
m1cr0man | ugh no you know what, I'm at a crossroads here with domainhash:
- If I remove it, since extraDomains + domain aren't in the certDir hash, I would have to add them otherwise a change in domains wouldn't change the certs on disk
- If I add the domains to certDir I'll regenerate everyone's certificates, so I would have to use domainhash.txt to check if I should do a "lego run" instead.
In the past changing hashData has been met with some backlash, so I think I am stuck with option 2
| 22:18:20 |
m1cr0man | Is this our problem actually? Maybe we should open a bug report upstream to lego | 22:24:23 |
m1cr0man | https://github.com/go-acme/lego/issues/1532 lol | 22:26:56 |
m1cr0man | 3 days ago | 22:26:58 |
m1cr0man | that's some oddly close timing | 22:27:04 |
m1cr0man | Ok fantastic, if upstream fixes that issue as I described in the comment, we can safely remove domainHash entirely :) | 22:32:07 |
hexa | fun fact: I ported some portions of our acme logic to an ansible role we use at work with ubuntu | 22:49:50 |
hexa | the hash part is crucial there as well | 22:49:56 |
hexa | though I don't actually hash stuff, I just remember the previously used args | 22:50:48 |
m1cr0man | heh nice :) | 22:52:11 |
m1cr0man | wish I could use nixos or acme at my place | 22:52:34 |
m1cr0man | stuck with ansible + paid wildcard certs | 22:52:54 |
m1cr0man | [ -e "$CERT" ] && ! cmp -s "$CERT" out/fullchain.pem why did I check for existence before cmp? if it doesn't exist, cmp will exit non-0 anyway :P | 22:53:51 |
m1cr0man | I did this in like 3 places | 22:53:55 |
m1cr0man | * I did this in like 2 places | 22:54:24 |
hexa | In reply to @m1cr0man:m1cr0man.com "wish I could use nixos or acme at my place": same. | 22:56:27 |
| 27 Nov 2021 |
m1cr0man | https://github.com/NixOS/nixpkgs/issues/140709#issuecomment-980482912 thoughts? I kinda hope someone counter argues against it but honestly I can't think of a good reason we can't support this other than the work involved (which isn't even that bad, from a glance, but I'll need to write some tests for it) | 01:38:34 |
m1cr0man | I'll have PR to fix like 5 issues tomorrow | 01:38:48 |
aanderse | m1cr0man: don't get hit by a truck! | 01:42:18 |
m1cr0man | For those that might miss it: Long discussion about how to handle https://github.com/NixOS/nixpkgs/issues/138478 and I was convinced on a security.acme.defaults + security.acme.certs.<cert>.useDefault toggleable in the main Nix channel. | 16:24:10 |
m1cr0man | https://matrix.to/#/!KqkRjyTEzAGRiZFBYT:nixos.org/$-6c8VrmpZ_1aoWLNFyo-PXpAzkH4Z-ekCCaMgTY7n8M?via=nixos.org&via=matrix.org&via=tchncs.de | 16:24:23 |
| 28 Nov 2021 |
Andreas Schrägle | nice. we have a bunch of bespoke default options (e.g. defaultKeyType, defaultDnsProvider) in our fork of the module, because we kind of needed them, but I never got around to upstreaming them. the more generic approach you suggested seems much better though, so I'm all in favor of that. | 15:49:37 |