3 Jun 2024 |
Arian | yeh. Cat is out of the bag | 08:16:52 |
Arian | so I guess stateVersion also doesn't work, as this release is already out | 08:17:02 |
Arian | I like the ExecStartPre idea | 08:17:34 |
Arian | K900: you wanna prepare a patch with that? | 08:18:02 |
K900 | No | 08:18:21 |
Arian | okay then I'll give it a shot later | 08:18:27 |
Arian | thanks for the idea though! :) | 08:18:30 |
K900 | I've got pretty bad brain fog from the cold still, I don't trust myself to not fuck this up | 08:18:44 |
Arian | Yeh load-bearing bash is fun :D | 08:19:11 |
| Stéphan joined the room. | 08:44:56 |
Stéphan | By no means a good attempt, but I hacked away on this: https://github.com/NixOS/nixpkgs/compare/master...stephank:nixpkgs:fix-acme?w=1 | 08:48:56 |
Stéphan | I just have no idea how to test it | 08:49:04 |
Stéphan | I reused the fixperms service, because I was worried about bind mounts. I'm not sure if bind mounts are preserved from ExecStartPre to ExecStart, or if they are recreated correctly when the underlying directory changed. | 08:50:13 |
Stéphan | Now that I think about it, maybe a simple -e or -d check won't work because the $newHash directory will always be created via BindPaths? | 08:51:01 |
Stéphan | Looks like it's always created: https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#BindPaths= | 08:51:59 |
Stéphan | Oh wait, the fixperms / migration service doesn't use BindPaths. So what I cooked up there may work. | 08:55:41 |
Arian | We have quite an extensive NixOS test which we could change. But doing NixOS tests for "transitions" is always a bit tricky | 09:22:26 |
Arian | Stéphan: dont this based on stateVersion wont work | 09:24:03 |
Arian | * Stéphan: doing this based on stateVersion won't work I think | 09:24:23 |
Arian | ah no nvm forget what I said | 09:26:04 |
Arian | Hmm how do we handle people who rollback boot into a 23.11 configuration ? :/ | 09:29:01 |
Arian | maybe we should symlink or copy the directory instead of moving? idk. Maybe it's not worth it supporting rollbacks. Just thinking out loud of another failure mode here | 09:29:39 |
Stéphan | I like that idea, but no idea if a symlink works | 09:31:44 |
Arian | urgh I feel bad that this shipped. The whole reason we created the ACME Team was to catch these kinds of things :(
I’m kind of confused why automation didn't tag us for review, given we’re set up as meta.maintainers for that module. Maybe that automation doesn’t exist for NixOS? Only for nixpkgs?
| 09:34:37 |
Stéphan | I think BindPaths should follow a symlink, because I found this, which says not following a symlink is something you otherwise need to specify explicitly: https://github.com/systemd/systemd/issues/32366 | 09:35:27 |
Stéphan | In reply to @arianvp:matrix.org
urgh I feel bad that this shipped. The whole reason we created the ACME Team was to catch these kinds of things :(
I’m kind of confused why automation didn't tag us for review, given we’re set up as meta.maintainers for that module. Maybe that automation doesn’t exist for NixOS? Only for nixpkgs?
See: https://github.com/NixOS/nixpkgs/pull/270221#issuecomment-2144652323 | 09:36:12 |
Arian | ah awesome | 09:36:19 |
Arian | Oh well, no hard feelings. We’re all human. It just makes my blood pressure go up to know I’m breaking people’s TLS setup :’) | 09:37:15 |
Arian | Added a WIP PR to add the team to code-owners: https://github.com/NixOS/nixpkgs/pull/316854 | 09:45:09 |
Arian | If there are any volunteers to join the team just yell ;) | 09:45:39 |