23 Jul 2021 |
| Room Avatar Renderer. | 23:23:50 |
30 Jul 2021 |
aanderse | I noticed that the NixOS manual has a section on Prosody which explains how to use it with SSL certs, but it results in a failure because it doesn't manage cert permissions at all :\ | 14:09:53 |
aanderse | I'm not sure exactly what I'm supposed to do to have Prosody use an SSL cert that I use for other services as well. Any hints? I think until LoadCredentials works well the cert would have group-readable permissions | 14:12:02 |
hexa | LoadCredentials copies the certificate and never updates it | 15:47:30 |
hexa | not sure why they thought this would be a good idea | 15:47:43 |
hexa | Prosody has a module you need to load so it reloads certificates as well, IIRC | 15:48:01 |
andi- | In reply to @aanderse:nixos.dev ("I'm not sure exactly what I'm supposed to do to have Prosody use an SSL cert that I use for other services as well. Any hints? I think until LoadCredentials works well the cert would have group-readable permissions"): set additional groups for the cert: https://github.com/andir/infra/blob/master/config/modules/prosody/default.nix#L330 | 15:56:25 |
aanderse | andi-: ah ok, yeah, just a dedicated cert group | 16:01:07 |
andi- | yeah | 16:01:21 |
andi- | you could try FACLs again ;-) | 16:01:40 |
aanderse | I mean... I thought that's what acme was | 16:01:44 |
aanderse | ha ha ha | 16:01:50 |
andi- | well, but that gives all the services access, not just those that should access those keys | 16:01:59 |
aanderse | oh boy... ACLs + systemd = not a fun time, apparently | 16:02:04 |
aanderse | yeah, fair point | 16:02:13 |
andi- | sounds like your kink entirely | 16:02:18 |
aanderse | not mine! forced into it! | 16:02:31 |
aanderse | you wouldn't believe the things I'm forced into :P | 16:02:37 |
1 Aug 2021 |
| Jamie joined the room. | 08:10:56 |
8 Aug 2021 |
hexa | m1cr0man: merged the hardening PR; you seemed content with it, and I felt I couldn't improve it any further. Now for some more real-world testing. | 13:51:18 |
m1cr0man | Awesome ok. :) | 13:51:32 |
m1cr0man | I might try updating my server today so | 14:08:13 |
hexa | same | 14:21:59 |
hexa | didn't fail on activation, so that's good 😂 | 14:31:38 |
17 Aug 2021 |
@grahamc:nixos.org | Sometimes when acme does the wrong thing I force a new certificate by rm -rf'ing /var/lib/acme and rebooting. This manages to fix everything, but if I just restart the service, `acme-domainname.service`, it fails here: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/acme.nix#L344-L353 What service typically sets this up, where a reboot works fine? | 20:32:26 |
@grahamc:nixos.org | I also wonder if there is a good way to communicate that extraLegoFlags isn't the same as adding the same value to both extraLegoRunFlags and extraLegoRenewFlags (position in the command is different). My naive reading of the options left me thinking it would be the same. | 20:38:09 |
@grahamc:nixos.org | For some backstory, I needed to add `"--preferred-chain" "ISRG Root X1"` to extraLegoRunFlags to get an iPXE-compatible certificate a few months ago. A couple of days ago the certificate was renewed without that flag, so I moved it from extraLegoRunFlags to extraLegoFlags -- this didn't work, so then I copied the block and added it to both Run and Renew. To make it stick, I rm -rf'd the acme directory, because in the past I've had a hard time making it do what I expected by deleting anything less. | 20:42:28 |
3 Sep 2021 |
| mbprtpmnr joined the room. | 04:07:41 |
5 Sep 2021 |
| ilkecan joined the room. | 13:04:05 |
6 Sep 2021 |
mbprtpmnr | Hi everyone. | 06:16:08 |