| 3 Jun 2024 |
 Arian | okay then i'll give it a shot later | 08:18:27 |
| Arian | thanks for the idea though! :) | 08:18:30 |
 K900 ⚡️ | I've got pretty bad brain fog from the cold still, I don't trust myself to not fuck this up | 08:18:44 |
| Arian | Yeh load-bearing bash is fun :D | 08:19:11 |
|  Stéphan joined the room. | 08:44:56 |
| Stéphan | By no means a good attempt, but I hacked away on this: https://github.com/NixOS/nixpkgs/compare/master...stephank:nixpkgs:fix-acme?w=1 | 08:48:56 |
| Stéphan | I just have no idea how to test it | 08:49:04 |
| Stéphan | I reused the fixperms service, because I was worried about bind mounts. I'm not sure if bind mounts are preserved from ExecStartPre to ExecStart, or if they are recreated correctly when the underlying directory changed. | 08:50:13 |
| Stéphan | Now that I think about it, maybe a simple -e or -d check won't work because the $newHash directory will always be created via BindPaths? | 08:51:01 |
| Stéphan | Looks like it's always created: https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#BindPaths= | 08:51:59 |
| Stéphan | Oh wait, the fixperms / migration service doesn't use BindPaths. So what I cooked up there may work. | 08:55:41 |
| Arian | We have quite an extensive NixOS test which we could change. But doing NixOS tests for "transitions" is always a bit tricky | 09:22:26 |
| Arian | Stéphan: dont this based on stateVersion wont work | 09:24:03 |
| Arian | * Stéphan: doing this based on stateVersion wont work I think | 09:24:23 |
| Arian | ah no nvm forget what I said | 09:26:04 |
| Arian | Hmm how do we handle people who rollback boot into a 23.11 configuration ? :/ | 09:29:01 |
| Arian | maybe we should symlink or copy the directory instead of moving? idk. Maybe it's not worth it supporting rollbacks. Just thinking out loud of another failure mode here | 09:29:39 |
| Stéphan | I like that idea, but no idea if a symlink works | 09:31:44 |
| Arian | urgh I feel bad that this shipped. The whole reason we created the ACME Team was to catch these kind of things :(
I’m kind of confused why automation didnt tag us for review. Given we’re set up as meta.maintainers for that module. maybe that automation doesn’t exist for NixOS? only for nixpkgs?
| 09:34:37 |
| Stéphan | I think BindPaths should follow a symlink, because I found this, which says not following a symlink is something you otherwise need to specify explicitely: https://github.com/systemd/systemd/issues/32366 | 09:35:27 |
| Stéphan | In reply to @arianvp:matrix.org
urgh I feel bad that this shipped. The whole reason we created the ACME Team was to catch these kind of things :(
I’m kind of confused why automation didnt tag us for review. Given we’re set up as meta.maintainers for that module. maybe that automation doesn’t exist for NixOS? only for nixpkgs?
See: https://github.com/NixOS/nixpkgs/pull/270221#issuecomment-2144652323 | 09:36:12 |
| Arian | ah awesome | 09:36:19 |
| Arian | Oh well no hard feelings. we’re all human. just makes my blood pressure go up to know I’m breaking people’s TLS setup :’) | 09:37:15 |
| Arian | Added a WIP PR to add the team to code-owners: https://github.com/NixOS/nixpkgs/pull/316854 | 09:45:09 |
| Arian | If there are any volunteers to join the team just yell ;) | 09:45:39 |
 Sandro 🐧 | You could symlink the old hash to the new one if the new directory doesn't exist and the contents are similar enough to be compatible | 09:52:47 |
| Sandro 🐧 | In reply to @arianvp:matrix.org
maybe we should symlink or copy the directory instead of moving? idk. Maybe it's not worth it supporting rollbacks. Just thinking out loud of another failure mode here Copy means you have old, potentially ran out certs | 09:52:47 |
| Sandro 🐧 | In reply to @arianvp:matrix.org
(and it's important. E.g. German government has been issueing LEtsEncrypt certificates for a lot of XMPP servers through MITM'ing through middleboxes at Hetzner datacenters and got caught redhanded multiple times last year) I know of the one case that went on Hackernews.
DNS challenge works against that, does it? | 09:52:47 |
| Sandro 🐧 | I have a PR for a test improvement open for 4 months to prevent sich issues in the future and no one really cared, so I just gave up https://github.com/NixOS/nixpkgs/pull/286999 | 09:52:47 |
| Arian | Yeh no blame on you at all. | 09:53:22 |
