| 4 Jul 2025 |
 Christian Theune | yeah, our stack is already interesting, so i'd rather not use caddy (and we have non-http requirements anyway) and the overall integration is quite nice - it's a lot more advanced than what others have, so ... yeah. I was considering replacing the scripted stuff but it's not obvious to be better as a replacement when trying to start from the ground up ... 🙂 | 10:00:53 |
| Christian Theune | i started this week with the assumption of "lets make it a proper service" but then the dependency management around it for consumers is quite complex anyway and this means doing stuff in "systemd land" isn't going away either ... | 10:01:33 |
| Christian Theune | so, at the moment: this makes me understand the code base much better and maybe we can turn it into a proper service at another point in time. lego as the client is quite valuable, so traefik would be an option, but then it gets in the way with other http stuff or needs more layering) | 10:02:35 |
 emily | to be clear, you can use Caddy as an "issue TLS certs to files" daemon, for HTTP-01, TLS-ALPN-01, and DNS-01 | 10:21:59 |
| emily | without any HTTP server component (beyond serving .well-known/acme-challenge if you use HTTP-01) | 10:22:10 |
| emily | it is one of the few ACME implementations that gets most of the things in https://github.com/https-dev/docs/blob/master/acme-ops.md right (I mean, the author co-wrote that document so not too surprising, and some of them are irrelevant these days, but :) ) | 10:23:16 |
| emily | anyway, not the optimal solution for every setup for sure, especially if you already integrate tightly with the NixOS ACME support | 10:23:31 |
| emily | just want to throw out that it is a very competent ACME client and if you have complex scaling needs that the module isn't covering it is worth considering for that purpose | 10:23:54 |
| emily | (it used to use lego internally but moved to its own acmez implementation because of lego design limitations) | 10:25:15 |
| Christian Theune | thanks for that input! 🙂 | 10:27:56 |
| Christian Theune | interestingly the doc is a bit outdated already, though ... | 10:30:34 |
| emily | well that is just reference material for ACME client developers from >half a decade ago | 11:09:15 |
| emily | most of it is still good, it's just OCSP stapling went away and ARI changed the renewal timing landscape a bit and so on | 11:09:40 |
| Christian Theune | yup | 12:12:06 |
| Christian Theune | as an outsider that just makes it hard to estimate which parts. i did understand it that way: ocsp and ari having changed. | 12:12:30 |
| emily | well, it's only really relevant for client developers, or comparing existing implementations but then you basically have to read code to see what they get right in some cases | 12:28:14 |
| emily | the fundamental issue with lego is that things like ARI don't fit great into a cron job type format if you want the best implementation of them | 12:29:00 |
| emily | and all the hashing etc. we have to do around it is just working around the model not being quite right | 12:29:20 |
| emily | (the end result does work well though at least at medium scale, it just takes a whole bunch of complexity to make the square peg fit the round hole) | 12:29:44 |
| Christian Theune | yup | 12:34:38 |
| Christian Theune | do you know what the list of supported DNS-01 provider APIs looks like in acmez compared to lego? | 12:35:05 |
| Christian Theune | so far that's been the reason why I decided to stick with lego for now. | 12:35:14 |
| Christian Theune | I got a green bar on the refactoring I demoed above. Trying to get the other tests clean again now. On disk formats are all compatible ... \o/ | 12:35:38 |
| Christian Theune | I need to explicitly praise the test coverage in the acme module. This helps a lot to find little glitches that I didn't properly catch. | 13:21:03 |
| Christian Theune | 🎉 | 13:21:06 |
| Christian Theune | so ... anyway ... i'll have to clean this up a bit more. i'll also need to rework the locking (with systemd 258 we could leverage the slice parallel unit limits, but i'll do a small change to get rid of the static hashing from build time to put it into a runtime solution as an intermediate step) | 13:45:05 |
| Christian Theune | off from the sprint for now ... | 13:45:09 |
| emily | everything libdns supports | 14:31:00 |
| emily | it's pretty extensive | 14:31:05 |
| emily | https://github.com/orgs/libdns/repositories?type=all | 14:31:20 |
