 | NixOS ACME / LetsEncrypt | 125 Members |
| Another day, another cert renewal | 54 Servers |
| NixOS ACME / LetsEncrypt | 125 Members |
| Another day, another cert renewal | 54 Servers |
| Sender | Message | Time |
|---|---|---|
| 16 Nov 2024 | ||
 ThinkChaos | And small side effect is we don't use the lockdir var in the service so it makes dependency more hidden | 20:40:15 |
| ThinkChaos | * And small side effect is we don't use the lockdir var in the service so it makes the dependency more hidden | 20:40:23 |
 m1cr0man | The acme-setup.service is a requirement of all the renewal services (and is oneshot+RemainAfterExit), but systemd-tmpfiles is not. We actually had a test failure on hydra a couple of days ago because tmpfiles had not ran when lockdir was accessed. Let me see if I can find you the logs. | 20:41:10 |
| m1cr0man |
I agree with this, however /run/acme is directly related to service activation + logic implemented in systemd services. Having its lifecycle managed as a RuntimeDirectory definitely makes things easier. I will definitely add a comment to say where it's created, that's a good call that the relation is not obvious | 20:42:16 |
| m1cr0man | In reply to @k900:0upti.meThis was the lockfiles error we saw last week. | 20:47:35 |
| ThinkChaos | Ok then RuntimeDir is ok with meI thought tmpfiles was something the activation scripts ensured ran earlier based on how it's generally used, but never confirmed that assumption. That also means lots of modules are broken 😕 | 20:47:47 |
| ThinkChaos | I'll reply and approve 🙂 | 20:47:58 |
| m1cr0man | So did I TBH, but then we had that race/permissions error, and the directory hadn't been created when acme-lockfiles ran. Maybe we could add more systemd service dependencies, but RuntimeDirectory was more appropriate IMO | 20:49:19 |
| m1cr0man | In reply to @thinkchaos:matrix.orgThank you :D | 20:51:15 |
| ThinkChaos | I still am not a fan of the RuntimeDir + RemainAfterExit to persist the dir, and the dir being used outside the service itself, but it's better than something that's broken 😄How would you feel if I just do a mkdir -p in the lock script in my PR? | 20:55:04 |
| ThinkChaos | * I still am not a fan of the RuntimeDir + RemainAfterExit to persist the dir, and the dir being used outside the service itself, but it's better than something that's broken 😄How would you feel if I just do a mkdir -p in the lock script in my (future) PR? | 20:55:17 |
| ThinkChaos | * I still am not a fan of the RuntimeDir + RemainAfterExit to persist the dir, and the dir being used outside the service itself, but it's better than something that's broken 😄~~How would you feel if I just do a mkdir -p in the lock script in my (future) PR?~~ needs root | 20:59:33 |
| ThinkChaos | * I still am not a fan of the RuntimeDir + RemainAfterExit to persist the dir, and the dir being used outside the service itself, but it's better than something that's broken 😄~How would you feel if I just do a mkdir -p in the lock script in my (future) PR?~ needs root | 20:59:39 |
| ThinkChaos | * I still am not a fan of the RuntimeDir + RemainAfterExit to persist the dir, and the dir being used outside the service itself, but it's better than something that's broken 😄mkdir -p in the lock script in my (future) PR? | 20:59:48 |
| 17 Nov 2024 | ||
| m1cr0man | Given how systemd dependent we are already, I generally prefer the systemd solution if one is available. It is very well tested and has outstandingly stable behaviour. Less bash scripting means less custom code for us to maintain | 13:15:23 |
| m1cr0man | Just got done testing an --overwrite-domains option for lego that lets us remove domainHash entirely. The delta on the module is kinda underwhelming but less code is less code | 22:50:19 |
| m1cr0man | In reply to @thinkchaos:matrix.orgSince you're blocked on merge would you mind if I reviewed on that commit itself? I don't want to keep you delayed on waiting for a review on the setup script | 22:56:06 |
| ThinkChaos | 1s let me give you a better link | 22:57:22 |
| m1cr0man | sure ok | 22:59:38 |