NixOS ACME / LetsEncrypt - Public Room Timeline

	NixOS ACME / LetsEncrypt	108 Members
	Another day, another cert renewal	44 Servers

Load older messages

Sender	Message	Time
10 May 2025
Arian	wait why did it fail to assign a link local address	07:20:02
Arian	that is the weird part here :P	07:20:08
Arian	link local addressing should be… instant	07:20:17
m1cr0man	In reply to @netpleb:matrix.org I have good news!! The issue is finally resolved. It turned out to be a much different problem than originally expected: ipv6 link local addressing was the cuplrit. Even though I had `networking.enableIPv6 = false` on both the host and the container, `systemd-network-wait-online` was not reaching its target because `systemd-network` was trying to assign link local ipv6 addresses. Setting `systemd.network.networks."eth0".networkConfig.LinkLocalAddressing = "no";` in my container config seemed to do the trick. Glad you figured it out :D What a weird one, I wouldn't have thought of ipv6 link local being the issue.	12:15:20
m1cr0man	In reply to @arianvp:matrix.org link local addressing should be… instant It might not necessarily be an assignment issue, but rather a routing issue. With my time on RFC108 I've observed some strange stuff with nspawn networking	12:15:55
11 May 2025
netpleb	I am not sure of what the root cause is (I am not an expert in this stuff and had to learn a bunch about systemd-network to even get this far), but all I know is that once I finally whittled it down to the smallest possible config that still worked correctly and then removed the `LinkLocalAddressing = "no"` line (thereby reverting to the default "yes" behavior), the container all of a sudden would timeout trying to reach wait-online. Who knows. I am just happy it finally works! Now the container boots typically 11 seconds (including checking certs and such) instead of the multiple minutes it was taking before.	02:47:22
netpleb	regardless, thank you all here for your help!	02:47:58
netpleb	* I am not sure of what the root cause is (I am not an expert in this stuff and had to learn a bunch about systemd-network to even get this far), but all I know is that once I finally whittled it down to the smallest possible config that still worked correctly and then removed the `LinkLocalAddressing = "no"` line (thereby reverting to the default "yes" behavior), the container all of a sudden would timeout trying to reach wait-online (thereby triggering the original issue I was having). Who knows. I am just happy it finally works! Now the container boots typically 11 seconds (including checking certs and such) instead of the multiple minutes it was taking before.	02:48:56
netpleb	* I am not sure of what the root cause is (I am not an expert in this stuff and had to learn a bunch about systemd-network to even get this far), but all I know is that once I finally whittled it down to the smallest possible config that still worked correctly and then removed the `LinkLocalAddressing = "no"` line (thereby reverting to the default "yes" behavior), the container all of a sudden would timeout trying to reach wait-online, thereby triggering the original issue I was having. Who knows though. I am just happy it finally works! Now the container boots typically 11 seconds (including checking certs and such) instead of the multiple minutes it was taking before.	02:49:18
15 May 2025
m1cr0man	Any chance of seeing this one merged soonish? https://github.com/NixOS/nixpkgs/pull/376334	20:30:23
16 May 2025
hexa	m1cr0man: in principle yes, but shouldn't the assert look at more options to to check domain && keyType \|\| csr?	09:16:10
hexa	* m1cr0man: in principle yes, but shouldn't the assert look at more options to check `domain && keyType \|\| csr`?	09:16:27
hexa	because right now they're silently unused when a csr get configuredt	09:17:04
hexa	hm, domain is the key in the attrset, so maybe not	09:25:17
hexa	and keyType always has a default	09:25:21
hexa	so yeah, no	09:25:26
hexa	also can the acme team please just dissolve?	09:26:41
hexa	it is clearly m1cr0man who reviews everything	09:27:43
hexa	and then someone active in this room merging the thing	09:27:53
hexa	aanderse, Arian please reconsider your ACME team membership	09:28:17
hexa	also https://github.com/orgs/NixOS/teams/acme has no maintainer role set	09:33:38
hexa	m1cr0man: ask in #org_owners:nixos.org to for that role	09:33:59
hexa	m1cr0man: ok, I think we're good. I pushed the test to that PR, so the only thing missing is release notes entry.	10:45:27
hexa	I'm grabbing lunch and will run the tests in the meantime	10:45:54
m1cr0man	In reply to @hexa:lossy.network m1cr0man: ask in #org_owners:nixos.org to for that role Will do, thanks	10:46:44
Arian	I have no opinions about the existence or non-existence of the team. It was created in a time where most of this was complete wild-west and it was an easy way for people to ask for review when they touched the module	10:47:33
hexa	Yeah, and no we're years in with the team rarely chiming in on any of the changes that m1cr0man reviews	10:48:04
hexa	Feels like the third release where we push some final change over the finish line just before branch-off.	10:48:20
hexa	* Yeah, and now we're years in with the team rarely chiming in on any of the changes that m1cr0man reviews	10:48:33
m1cr0man	Oh I'm not pushed about it being in before branch off, but for this user it would be nice since it has been open for a long time. I'll try write a change log entry on my lunch	10:48:56

Show newer messages

Back to Room ListRoom Version: 6