| 16 May 2025 |
 m1cr0man | In reply to @emilazy:matrix.org
I think it is long past due for m1cr0man to get commit bit tbh (and I am sorry for not putting more time into ACME the past few years, though I do still look at/sometimes comment on PRs) Aren't you on the steering committee plus half a dozen other projects? 😂 Yeah don't worry about it. I appreciate the time you put in here helping steer the design back when you started contributing | 13:06:29 |
 emily | I think it's more responsibility than commitment :) | 13:06:36 |
| emily | as long as you/the project get value out of you being able to hit the merge button, and you hit it responsibly, it's all good for any level of activity > 0 | 13:07:00 |
| emily | (not on the SC, thank god) | 13:07:46 |
| emily | (but I do try to juggle too many hats) | 13:07:53 |
| m1cr0man | Ah sorry, mixing people up 😅 but I still see you everywhere | 13:08:05 |
| emily | I can't believe the rewrite was half a decade ago now… | 13:08:16 |
| m1cr0man | .pfffff. I did it for my uni's network society and I'm pretty sure it's still doing the heavy lifting to this day. Isn't it over half a decade like 2019? Jeez | 13:09:35 |
| emily | it was 2020 | 13:15:19 |
| emily | feels like yesterday, though | 13:15:35 |
| m1cr0man | https://github.com/m1cr0man/nixpkgs/commit/8fb8d665ddc993f859a96e73a1c51982eac72b94 wrote a wee changelog hexa , not sure if you want to commit this up to codemaster's branch or if I create a separate PR | 13:34:28 |
 hexa | picking | 14:02:43 |
| 21 May 2025 |
|  Philipp joined the room. | 10:57:09 |
| 23 May 2025 |
 woobilicious | Is there an easy way to disable acme for test servers/vms? I know nixos-rebuild has a profile system, would that be how you do it? | 00:15:39 |
| hexa | not an acme specific question | 00:36:18 |
| hexa | you would need to nuke security.acme.certs to an empty attreset | 00:37:25 |
| hexa | and also things like enableACME on nginx | 00:37:37 |
| hexa | #users:nixos.org | 00:37:44 |
| hexa | * #users:nixos.org is the room tbh | 00:37:49 |
| m1cr0man | woobilicious: Ditto what hexa said - however you can DIY your own "disable all ACME" option. Just add a config option of your own (config.woobilicious.enableACME for example), then predicate your security.acme.certs and enableACME on that wherever you have it declared | 18:55:38 |
| m1cr0man | I assume you're dealing with a test vm, is the root of this issue that ACME is looking for internet access to renew certs whilst testing your real system config? I personally don't know how to deal with that just for the test system, but IIRC there is some flag/marker that you are in a test vm? | 18:57:06 |
| 24 May 2025 |
| woobilicious | m1cr0man:
Yeah I'm wanting to use nixos-rebuild test-vm, I used to use it before I hooked up ACME but I knew instantly it would cause issues, so I just started testing in production lol.
My real issue is that I still need certs for some of my config to work correctly. I guess I'll have to look in to profile system and how ACME works to have it generate certs but not try sign them. | 03:49:08 |
| woobilicious | I want to add anubis to my server, so it's going to be a whole ordeal getting the proxy setup and the certs working correctly. | 03:54:13 |
 Benedikt | In reply to @woobilicious:matrix.org
m1cr0man:
Yeah I'm wanting to use nixos-rebuild test-vm, I used to use it before I hooked up ACME but I knew instantly it would cause issues, so I just started testing in production lol.
My real issue is that I still need certs for some of my config to work correctly. I guess I'll have to look in to profile system and how ACME works to have it generate certs but not try sign them. This might be overkill for your use case, but we set up an additional acme and name_server nodes that we can use to replace the real acme servers in tests | 08:13:07 |
| Benedikt | The souce is here: https://git.foss-syndicate.org/vhack.eu/nixos-server/tree/tests/common/acme | 08:13:29 |
| woobilicious | oh interesting, yeah might be a bit overkill, but maybe it'll be some good insperation. | 08:15:33 |
| woobilicious | I could probably just disable the acme renewal service. | 08:17:33 |
| 25 May 2025 |
| m1cr0man | In reply to @soispha:vhack.eu
This might be overkill for your use case, but we set up an additional acme and name_server nodes that we can use to replace the real acme servers in tests That's nice. Seems to be based on the acme tests in nixpkgs? | 11:36:45 |
| Benedikt | In reply to @m1cr0man:m1cr0man.com
That's nice. Seems to be based on the acme tests in nixpkgs? Yes, initially I used the acme files directly, but had to vendor and significantly alter them to work as a drop in server (i.e. I did not understand how nixpkgs test acme stuff sets the CA root from pebble and they seemed to lack the dns server support) | 14:58:10 |
| m1cr0man | I never considered this use case. I might look into making the test suite stuff reusable and having some form of support for nixos-ebuild build-vm | 19:19:31 |
