| 2 Feb 2023 |
 hexa | restarting | 17:44:32 |
 K900 | Saved the log to https://termbin.com/nrjp | 17:45:03 |
| hexa | thanks | 17:45:23 |
| hexa | probably as helpful as ever | 17:45:32 |
 raitobezarius | In reply to @winterqt:nixos.dev
m1cr0man: Would you say the best way to guide users wrt DynamicUser services and permissions would be to have them set SupplementalGroups to whatever owns the given cert? I personally do that | 17:58:55 |
 Winter (she/her) | In reply to@hexa:lossy.network
probably as helpful as ever you'd be right :) ``` | 22:42:18 |
| Winter (she/her) | In reply to@hexa:lossy.network
probably as helpful as ever * you'd be right :) webserver: waiting for unit acme-finished-http.example.test.target
Test "Can request certificate with Lego's built in web server" failed with error: "unit "acme-finished-http.example.test.target" is inactive and there are no pending jobs"
| 22:42:21 |
| hexa | In reply to @raitobezarius:matrix.org
I personally do that alternatively LoadCredentials=, but generally SupplementaryGroups= | 22:43:20 |
| hexa | hey and what about TemporaryFilesystem= and BindPath= | 22:46:40 |
| hexa | * hey and what about TemporaryFilesystem= and BindPaths= | 22:46:55 |
| hexa | choices! | 22:47:04 |
| hexa | * hey and what about TemporaryFilesystem= and BindReadOnlyPaths= | 22:47:58 |
| raitobezarius | can BindReadOnlyPaths work hexa | 23:40:14 |
| raitobezarius | I thought it was supposed to honor the classical permissions | 23:40:22 |
| raitobezarius | So even if you bind it, you cannot read it because it's not a+r or you're not in the group (or it's not g+r, whatever) | 23:40:42 |
| raitobezarius | Or am I confusing it with ReadOnlyPaths | 23:40:50 |
| hexa | I don't think you need extra permissions, when systemd provides the mount for the service | 23:49:16 |
| 3 Feb 2023 |
| hexa | hm, nvm. I did indeed add SupplementaryGroup with BindPaths | 00:15:39 |
 m1cr0man | LoadCredentials isn't the best option unfortunately because it means you must always restart the service, as a reload won't reload the creds from disk. | 21:42:13 |
| m1cr0man | TemporaryFilesystem suffers the same caveat | 21:42:23 |
| m1cr0man | For things where restart is viable/standard, then LoadCredential can work quite well | 21:42:39 |
| hexa | yeah, LoadCredential= would need to inotify the original file and sighup the process or something to be useful | 22:47:36 |
| m1cr0man | Or systemd needs to provide a mechanism for reloading credential files in cases where the application will auto-reload all files itself. Like, if I could do systemctl reload httpd --credentials that would do the trick so long as credentials are reloaded before the process itself | 22:51:31 |
| hexa | how does BindPaths suffer from the same caveat, then its just a bind mount? | 22:55:13 |
| hexa | * how does BindPaths suffer from the same caveat, when its just a bind mount? | 22:55:35 |
| 4 Feb 2023 |
| m1cr0man | I was only referring to LoadCredentials. BindPaths is fine if you are also ok with extending the service user's groups in some fashion. | 11:47:57 |
| 7 Feb 2023 |
| m1cr0man | I just saw #215124, will look into it tonight | 15:19:02 |
| m1cr0man | Exit code 11 means that renew was attempted with lego but failed, and renewal is definitely required (the cert is expired). I should add an error message there instead of just exiting with a unique code. I've asked the reporter to scroll up + check the rest of their logs as it probably contains a lego failure that has been happening for > 30 days. This is however a prime example of why we set -x :) | 21:11:51 |
| 9 Feb 2023 |
| m1cr0man | https://github.com/NixOS/nixpkgs/pull/199033 hm, this person is being a little awkward. I still just want to close that PR, the changes aren't worthwhile | 19:07:20 |
| Winter (she/her) | so reiterate it and close it m1cr0man | 19:43:58 |
