2 Feb 2023 |
hexa | In reply to @raitobezarius:matrix.org I personally do that alternatively LoadCredentials= , but generally SupplementaryGroups= | 22:43:20 |
hexa | hey and what about TemporaryFilesystem= and BindPath= | 22:46:40 |
hexa | * hey and what about TemporaryFilesystem= and BindPaths= | 22:46:55 |
hexa | choices! | 22:47:04 |
hexa | * hey and what about TemporaryFilesystem= and BindReadOnlyPaths= | 22:47:58 |
raitobezarius | can BindReadOnlyPaths work hexa | 23:40:14 |
raitobezarius | I thought it was supposed to honor the classical permissions | 23:40:22 |
raitobezarius | So even if you bind it, you cannot read it because it's not a+r or you're not in the group (or it's not g+r, whatever) | 23:40:42 |
raitobezarius | Or am I confusing it with ReadOnlyPaths | 23:40:50 |
hexa | I don't think you need extra permissions, when systemd provides the mount for the service | 23:49:16 |
3 Feb 2023 |
hexa | hm, nvm. I did indeed add SupplementaryGroup with BindPaths | 00:15:39 |
m1cr0man | LoadCredentials isn't the best option unfortunately because it means you must always restart the service, as a reload won't reload the creds from disk. | 21:42:13 |
m1cr0man | TemporaryFilesystem suffers the same caveat | 21:42:23 |
m1cr0man | For things where restart is viable/standard, then LoadCredential can work quite well | 21:42:39 |
hexa | yeah, LoadCredential= would need to inotify the original file and sighup the process or something to be useful | 22:47:36 |
m1cr0man | Or systemd needs to provide a mechanism for reloading credential files in cases where the application will auto-reload all files itself. Like, if I could do systemctl reload httpd --credentials that would do the trick so long as credentials are reloaded before the process itself | 22:51:31 |
hexa | how does BindPaths suffer from the same caveat, then its just a bind mount? | 22:55:13 |
hexa | * how does BindPaths suffer from the same caveat, when its just a bind mount? | 22:55:35 |
4 Feb 2023 |
m1cr0man | I was only referring to LoadCredentials. BindPaths is fine if you are also ok with extending the service user's groups in some fashion. | 11:47:57 |
7 Feb 2023 |
m1cr0man | I just saw #215124, will look into it tonight | 15:19:02 |
m1cr0man | Exit code 11 means that renew was attempted with lego but failed, and renewal is definitely required (the cert is expired). I should add an error message there instead of just exiting with a unique code. I've asked the reporter to scroll up + check the rest of their logs as it probably contains a lego failure that has been happening for > 30 days. This is however a prime example of why we set -x :) | 21:11:51 |
9 Feb 2023 |
m1cr0man | https://github.com/NixOS/nixpkgs/pull/199033 hm, this person is being a little awkward. I still just want to close that PR, the changes aren't worthwhile | 19:07:20 |
Winter (she/her) | so reiterate it and close it m1cr0man | 19:43:58 |
Winter (she/her) | your judgement is trusted for a reason, and it seems that theyre not even responding to (or understanding?) your claims | 19:44:24 |
m1cr0man | Okay yeah, I'll do that. Thanks :) | 19:44:48 |
10 Feb 2023 |
@andreas.schraegle:helsinki-systems.de | Huh, I guessed correctly who that was before opening it. He's... not always easy to deal with, which kind of sucks, because he does sometimes contribute quite useful stuff. | 13:54:55 |
hexa | you would think there is a language barrier | 16:11:40 |
hexa | but sometimes the communication works quite flawlessly | 16:11:48 |
12 Feb 2023 |
m1cr0man | :( They are not happy about me closing the PR | 18:18:54 |
m1cr0man | I'm trying to figure out if it would solve this but I don't think it does. At least then it has some technical merit beyond "keep the generated config cleaner" | 18:25:07 |