3 Jun 2024 |
K900 | https://github.com/SuperSandro2000/nixpkgs/blob/6e294f40db992635e4aa566789ac3560ed1f9b1a/nixos/modules/security/acme/default.nix#L16 | 08:12:00 |
Arian | so acmeServer used to be null | 08:12:19 |
Arian | and we change it to the letsencrypt uri | 08:12:35 |
K900 | But how is it leaking into CAA records then | 08:13:01 |
K900 | Is what I don't get | 08:13:03 |
Arian | You can bind your CAA record to your account ID these days | 08:13:35 |
K900 | Oh | 08:13:40 |
Arian | it's a new extension to the ACME protocol | 08:13:42 |
Arian | to detect MITM attacks | 08:13:45 |
K900 | Yeeeeeah | 08:13:58 |
K900 | But then we can just migrate | 08:14:03 |
K900 | Like | 08:14:11 |
Arian | (and it's important. E.g. the German government has been issuing LetsEncrypt certificates for a lot of XMPP servers through MITM'ing through middleboxes at Hetzner datacenters and got caught red-handed multiple times last year) | 08:14:15 |
K900 | Compute old hash and new hash | 08:14:32 |
K900 | In preStart | 08:14:34 |
Arian | my idea was to make something like `${stateVersion < 23.11 ? " " : acmeServer}` | 08:15:15 |
K900 | And then
```
# Migrate the old account directory to its new hashed name (quoted so paths with spaces work)
if [ -d "$oldHash" ]; then
    if [ ! -d "$newHash" ]; then
        mv "$oldHash" "$newHash"
    else
        # Both directories exist: refuse to guess, let the admin sort it out
        echo "You are dedge please fix"
        exit 1
    fi
fi
```
| 08:15:25 |
K900 | People who have two accounts need to manually adjust anyway | 08:15:56 |
K900 | It's too late for them | 08:16:00 |
K900 | Because we can't just roll them back either | 08:16:11 |
K900 | Or we might break them AGAIN | 08:16:17 |
Arian | yeh. Cat is out of the bag | 08:16:52 |
Arian | so I guess stateVersion also doesn't work.. as this release is already out | 08:17:02 |
Arian | I like the ExecStartPre idea | 08:17:34 |
Arian | K900: you wanna prepare a patch with that? | 08:18:02 |
K900 | No | 08:18:21 |
Arian | okay then I'll give it a shot later | 08:18:27 |
Arian | thanks for the idea though! :) | 08:18:30 |
K900 | I've got pretty bad brain fog from the cold still, I don't trust myself to not fuck this up | 08:18:44 |
Arian | Yeh load-bearing bash is fun :D | 08:19:11 |