30 Jul 2021 |
andi- | yeah | 16:01:21 |
andi- | you could try facls again ;-) | 16:01:40 |
aanderse | i mean... i thought thats what acme was | 16:01:44 |
aanderse | ha ha ha | 16:01:50 |
andi- | well but that gives all the services access not just those that should access those keys | 16:01:59 |
aanderse | oh boy... acls + systemd = not a fun time apparently | 16:02:04 |
aanderse | yeah, fair point | 16:02:13 |
andi- | sounds like your kink entirely | 16:02:18 |
aanderse | not mine! forced into it! | 16:02:31 |
aanderse | you wouldn't believe the things i'm forced into :P | 16:02:37 |
1 Aug 2021 |
| Jamie joined the room. | 08:10:56 |
8 Aug 2021 |
hexa | m1cr0man: merged the hardening pr, you seemed content with it, and I felt I couldn't improve it any further. now for some more real world testing. | 13:51:18 |
m1cr0man | Awesome ok. :) | 13:51:32 |
m1cr0man | I might try updating my server today so | 14:08:13 |
hexa | same | 14:21:59 |
hexa | didn't fail on activation, so that's good 😂 | 14:31:38 |
17 Aug 2021 |
@grahamc:nixos.org | sometimes when acme does the wrong thing I force a new certificate by rm -rf'ing /var/lib/acme and reboot. this manages to fix everything, but if I just restart the service, `acme-domainname.service`, it fails here: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/acme.nix#L344-L353 what service typically sets this up where a reboot works fine? | 20:32:26 |
@grahamc:nixos.org | I also wonder if there is a good way to communicate that extraLegoFlags isn't the same as adding the same value to both extraLegoRunFlags and extraLegoRenewFlags (position in the command is different) my naive reading of the options left me thinking it would be the same | 20:38:09 |
@grahamc:nixos.org | For some backstory I needed to add "--preferred-chain" "ISRG Root X1" to extraLegoRunFlags to get an ipxe-compatible certificate a few months ago. A couple days ago the certificate was renewed without that flag, so I moved it from extraLegoRunFlags to extraLegoFlags -- this didn't work, so then I copied the block and added it to both Run and Renew. To make it stick, I rm -rf'd the acme directory because in the past I've had a hard time making it do what I expected by deleting anything less. | 20:42:28 |
3 Sep 2021 |
| mbprtpmnr joined the room. | 04:07:41 |
5 Sep 2021 |
| ilkecan joined the room. | 13:04:05 |
6 Sep 2021 |
mbprtpmnr | Hi everyone. | 06:16:08 |
17 Sep 2021 |
| pinecamp joined the room. | 02:26:32 |
24 Sep 2021 |
hexa | https://github.com/NixOS/nixpkgs/pull/139311 | 13:21:37 |
hexa | fallout from the hardening changes | 13:21:50 |
25 Sep 2021 |
| sugi joined the room. | 15:03:27 |
30 Sep 2021 |
| Robby O'Connor joined the room. | 01:17:56 |
| Robby O'Connor left the room. | 05:50:09 |
4 Oct 2021 |
aanderse | any chance we need to update LEGO? ... or iunno... anything? i think the letsencrypt root cert expired recently and one of my certs is having issues when being used with prosody
i don't have many details, sorry, short on time | 12:11:11 |
hexa | I don't believe so | 12:14:30 |