Sender | Message | Time |
---|---|---|
3 Jun 2024 | ||
Arian | Okay, then I'll give it a shot later | 08:18:27 |
Arian | thanks for the idea though! :) | 08:18:30 |
K900 | I've got pretty bad brain fog from the cold still, I don't trust myself to not fuck this up | 08:18:44 |
Arian | Yeh, load-bearing bash is fun :D | 08:19:11 |
Stéphan joined the room. | | 08:44:56 |
Stéphan | By no means a good attempt, but I hacked away on this: https://github.com/NixOS/nixpkgs/compare/master...stephank:nixpkgs:fix-acme?w=1 | 08:48:56 |
Stéphan | I just have no idea how to test it | 08:49:04 |
Stéphan | I reused the fixperms service, because I was worried about bind mounts. I'm not sure if bind mounts are preserved from ExecStartPre to ExecStart, or if they are recreated correctly when the underlying directory changed. | 08:50:13 |
Stéphan | Now that I think about it, maybe a simple -e or -d check won't work, because the $newHash directory will always be created via BindPaths? | 08:51:01 |
Stéphan | Looks like it's always created: https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#BindPaths= | 08:51:59 |
Stéphan | Oh wait, the fixperms / migration service doesn't use BindPaths. So what I cooked up there may work. | 08:55:41 |
Arian | We have quite an extensive NixOS test which we could change. But doing NixOS tests for "transitions" is always a bit tricky | 09:22:26 |
Arian | Stéphan: doing this based on stateVersion won't work | 09:24:03 |
Arian | * Stéphan: doing this based on stateVersion won't work, I think | 09:24:23 |
Arian | Ah no, nvm, forget what I said | 09:26:04 |
Arian | Hmm, how do we handle people who roll back and boot into a 23.11 configuration? :/ | 09:29:01 |
Arian | Maybe we should symlink or copy the directory instead of moving? idk. Maybe it's not worth supporting rollbacks. Just thinking out loud about another failure mode here | 09:29:39 |
Stéphan | I like that idea, but no idea if a symlink works | 09:31:44 |
Arian | Urgh, I feel bad that this shipped. The whole reason we created the ACME Team was to catch these kinds of things :( I'm kind of confused why automation didn't tag us for review. Given we're set up as | 09:34:37 |
Stéphan | I think BindPaths should follow a symlink, because I found this, which says not following a symlink is something you otherwise need to specify explicitly: https://github.com/systemd/systemd/issues/32366 | 09:35:27 |
Stéphan | In reply to @arianvp:matrix.org: See: https://github.com/NixOS/nixpkgs/pull/270221#issuecomment-2144652323 | 09:36:12 |
Arian | Ah, awesome | 09:36:19 |
Arian | Oh well, no hard feelings. We're all human. Just makes my blood pressure go up to know I'm breaking people's TLS setup :') | 09:37:15 |
Arian | Added a WIP PR to add the team to code-owners: https://github.com/NixOS/nixpkgs/pull/316854 | 09:45:09 |
Arian | If there are any volunteers to join the team just yell ;) | 09:45:39 |
Sandro 🐧 | You could symlink the old hash to the new one if the new directory doesn't exist and the contents are similar enough to be compatible | 09:52:47 |
Sandro 🐧 | In reply to @arianvp:matrix.org: Copy means you have old, potentially run-out certs | 09:52:47 |
Sandro 🐧 | In reply to @arianvp:matrix.org: I know of the one case that went on Hacker News. DNS challenge works against that, does it? | 09:52:47 |
Sandro 🐧 | I have a PR for a test improvement open for 4 months to prevent such issues in the future and no one really cared, so I just gave up: https://github.com/NixOS/nixpkgs/pull/286999 | 09:52:47 |
Arian | Yeh, no blame on you at all. | 09:53:22 |