| 26 Nov 2021 |
 hexa | though I don't actually hash stuff, I just remember the previously used args | 22:50:48 |
 m1cr0man | heh nice :) | 22:52:11 |
| m1cr0man | wish I could use nixos or acme at my place 😠😛 | 22:52:34 |
| m1cr0man | stuck with ansible + paid wildcard certs | 22:52:54 |
| m1cr0man | [ -e "$CERT" ] && ! cmp -s "$CERT" out/fullchain.pem why did I check for existence before cmp? if it doesn't exist, cmp will exit non-0 anyway :P | 22:53:51 |
| m1cr0man | I did this in like 3 places | 22:53:55 |
| m1cr0man | * I did this in like 2 places | 22:54:24 |
| hexa | In reply to @m1cr0man:m1cr0man.com
wish I could use nixos or acme at my place 😠😛 same. | 22:56:27 |
| 27 Nov 2021 |
| m1cr0man | https://github.com/NixOS/nixpkgs/issues/140709#issuecomment-980482912 thoughts? I kinda hope someone counter argues against it but honestly I can't think of a good reason we can't support this other than the work involved (which isn't even that bad, from a glance, but ill need to write some tests for it) | 01:38:34 |
| m1cr0man | I'll have PR to fix like 5 issues tomorrow | 01:38:48 |
 aanderse | m1cr0man: don't get hit by a truck! 😄 | 01:42:18 |
| m1cr0man | For those that might miss it: Long discussion about how to handle https://github.com/NixOS/nixpkgs/issues/138478 and I was convinced on a security.acme.defaults + security.acme.certs.<cert>.useDefault toggleable in the main Nix channel. | 16:24:10 |
| m1cr0man | https://matrix.to/#/!KqkRjyTEzAGRiZFBYT:nixos.org/$-6c8VrmpZ_1aoWLNFyo-PXpAzkH4Z-ekCCaMgTY7n8M?via=nixos.org&via=matrix.org&via=tchncs.de | 16:24:23 |
| 28 Nov 2021 |
 Andreas Schrägle | nice. we have a bunch of bespoke default options (e.g. defaultKeyType, defaultDnsProvider) in our fork of the module, because we kin d of needed them, but I never got around to upstreaming them. the more generic approach you suggested seems much better though, so I'm all in favor of that. | 15:49:37 |
| Andreas Schrägle | * nice. we have a bunch of bespoke default options (e.g. defaultKeyType, defaultDnsProvider) in our fork of the module, because we kind of needed them, but I never got around to upstreaming them. the more generic approach you suggested seems much better though, so I'm all in favor of that. | 15:49:44 |
| m1cr0man | Glad to hear it! :D The more people the design helps the better. | 15:56:22 |
| m1cr0man | webserver # Nov 28 22:15:41 webserver systemd[1]: Condition check resulted in Generate self-signed certificate authority being skipped.
webserver # Nov 28 22:15:41 webserver systemd[1]: acme-selfsigned-ca.service: Start request repeated too quickly.
webserver # Nov 28 22:15:41 webserver systemd[1]: acme-selfsigned-ca.service: Failed with result 'start-limit-hit'.
Lol, look what I just reproduced ;)
| 22:18:35 |
| m1cr0man | in the test suite no less | 22:18:42 |
| m1cr0man | Added StartLimitIntervalSec=0 with all ConditionPathExists and sure enough it's fine now. It only happens on some runs, which is baffling, but oh well life's too short to debug systemd ;) | 22:47:26 |
| m1cr0man | https://github.com/NixOS/nixpkgs/pull/147784 started a draft PR for the work so far, just so ticket creators know what's up | 23:17:03 |
| m1cr0man | also yous can check out security.acme.defaults ;) | 23:17:12 |
| 3 Dec 2021 |
|  Patryk Gronkiewicz joined the room. | 13:01:15 |
| Patryk Gronkiewicz | Hi there,
I'm trying to set up Nginx reverse proxy with DNS-01 challenge, but I can't
Can you help me with that?
I've described it better on reddit -> https://www.reddit.com/r/NixOS/comments/r7y5vy/nginx_reverse_proxy_with_dns01_challenge/ | 13:54:30 |
| hexa | instead of enableACME = true; use useACMEHost | 14:32:44 |
| hexa | * instead of enableACME = true; use useACMEHost = "gitea.domain.org"; | 14:33:27 |
| hexa | * Patryk Gronkiewicz: instead of enableACME = true; use useACMEHost = "gitea.domain.org"; | 14:33:36 |
| Patryk Gronkiewicz | In reply to @hexa:lossy.network
Patryk Gronkiewicz: instead of enableACME = true; use useACMEHost = "gitea.domain.org"; I can't finish rebuild then - nginx crashes and something else just hangs (I don't know what, but I can wait indefinitely and nothing changes) | 15:01:56 |
| hexa | well, can't help you when you can't apply the config 😲 | 15:13:56 |
| 4 Dec 2021 |
| m1cr0man | In reply to @pgronkievitz:matrix.org
I can't finish rebuild then - nginx crashes and something else just hangs (I don't know what, but I can wait indefinitely and nothing changes) Check that you have assigned the security.acme.certs."gitea.domain.org".group to nginx or added nginx to the acme group | 16:36:30 |
| m1cr0man | https://github.com/NixOS/nixpkgs/pull/147784 ready for review for real now :) | 19:06:13 |
