| 27 Feb 2025 |
| w changed their display name from w - out for 🚬 to w. | 19:25:29 |
| 28 Mar 2025 |
| Rayane Nakib (ريّان نقيب) changed their display name from Rayane Nakib (ريان نقيب) to Rayane Nakib (ريّان نقيب). | 22:52:02 |
| 1 Apr 2025 |
| Sandro 🐧 changed their display name from Sandro 🐧 to Sandro 🐧 [c3d2]. | 13:57:36 |
| Sandro 🐧 changed their display name from Sandro 🐧 [c3d2] to Sandro 🐧. | 13:59:16 |
| 4 Apr 2025 |
| qbit left the room. | 15:55:33 |
| 5 Apr 2025 |
| underpantsgnome removed their display name underpantsgnome. | 15:53:09 |
| underpantsgnome left the room. | 15:56:20 |
| 19 Apr 2025 |
hexa | ok, so bummer | 22:48:50 |
hexa | enabling ARI caused lego to keep waiting | 22:49:54 |
hexa | 2025/04/19 22:39:09 [INFO] [music.lossy.network] acme: renewalInfo endpoint indicates that renewal is needed
2025/04/19 22:39:09 [INFO] [music.lossy.network] Sleeping 21h43m27.656213001s until renewal time 2025-04-20 20:22:37.463135258 +0000 UTC
| 22:49:56 |
hexa | but that resulted in nginx not starting up | 22:50:03 |
hexa | because it depends on all the acme-${domain}.service units | 22:50:28 |
emily | hm, I thought we were going to set it to just not wait? | 22:52:10 |
hexa | and we did not set it to anything in nixpkgs | 22:54:08 |
hexa | but I set it to something on my private infra | 22:54:16 |
emily | right | 23:00:12 |
emily | I think the current format will only work well when set to not wait at all | 23:00:19 |
emily | (which should be fine as the cron job runs often anyway, though we might want to bump it) | 23:00:29 |
| 21 Apr 2025 |
m1cr0man | There was some talk about bumping it when they announced the lower lifetime certs. Wouldn't be the worst thing to do. | 19:18:58 |
| 22 Apr 2025 |
hexa | now 47 days was announced to be the next shorter lifespan | 23:08:50 |
hexa | and I don't think it warrants trying more than daily for 7-14 days | 23:09:13 |
hexa | * and I don't think it warrants trying more than daily | 23:09:33 |
hexa | for 6 days that changes of course | 23:09:45 |
| 28 Apr 2025 |
m1cr0man | https://github.com/NixOS/nixpkgs/pull/376334#pullrequestreview-2801003367 this is ready to go. I tested it too. | 21:26:09 |
| 29 Apr 2025 |
| @ygt:matrix.org left the room. | 23:42:45 |
| 5 May 2025 |
netpleb | hi everyone, does anybody have a workaround that fixes this pesky dns resolution issue when acme.certs... and BIND are running in a declarative nixos container?
Could not create client: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get "https://acme-v02.api.letsencrypt.org/directory": GET https://acme-v02.api.letsencrypt.org/directory giving up after 6 attempt(s): Get "https://acme-v02.api.letsencrypt.org/directory": dial tcp: lookup acme-v02.api.letsencrypt.org: Temporary failure in name resolution
| 17:59:16 |
netpleb | what seems to be happening is that acme is starting so early that the container is unable to route things yet. Maybe the host has not installed routes yet? But somehow acme blocks until it times out. | 18:00:34 |
netpleb | once it times out, then everything works fine. I have whittled it down to acme, because when I remove any acme things the container boots up just fine and is able to route/ping quite quickly | 18:01:46 |
netpleb | so, by that, I mean that the issue does not seem to be pertaining to (in my case) networking.wireguard nor networking.bind, which are both used and operate completely fine in the container. It is only after adding something like (per the manual):
security.acme.certs."<redacted>" = {
  domain = "*<redacted>";
  dnsProvider = "rfc2136"; # allows us to do dns acme validation with local dns server
  environmentFile = "/var/lib/secrets/<redacted>.certs.secret";
  # We don't need to wait for propagation since this is a local DNS server
  dnsPropagationCheck = false;
};
that the behavior occurs.
| 18:04:57 |
netpleb | what I am most confused about (and why I am posting here) is why the call to lego --accept-tos --path . -d '*.<redacted>' --email <redacted> --key-type ec256 --dns rfc2136 --dns.propagation-disable-ans --dns.resolvers 127.0.0.1:53 --server https://acme-v02.api.letsencrypt.org/directory renew --no-random-sleep --days 30 seems to block all network traffic, even for other services (like wireguard, bind, etc) | 18:07:29 |