!tCyGickeVqkHsYjWnh:nixos.org

NixOS Networking

Declaratively manage your switching, routing, wireless, tunneling and more.

15 Jun 2025
@k900:0upti.me (K900): Or even begin to state [19:29:56]
@k900:0upti.me (K900): Genuinely I don't see a problem with doing the same thing with subdomains [19:30:10]
@k900:0upti.me (K900): And that comes with a significantly smaller number of footguns [19:30:20]
@luke:vuksta.com (Luke):
In reply to @k900:0upti.me
That's a lot of assumptions

I didn’t think I’d need to tell anyone not to expose their manufacturing machinery to the public internet 😆

But yeah, the same setup could be performed with DNS, but clearly there are users that serve it at a subpath instead - Moonraker or Fluidd would not support this otherwise? I imagine the subpath could be simpler to manage from an infrastructure configuration perspective, which might be the reason it exists at all

[19:46:15]
@luke:vuksta.com (Luke): *

It is a fairly uncommon setup (because most people with printers tend not to go about using a domain at all from my time in the 3D printing community), but some people like myself end up exposing these machines under a subpath that only gets served if the request comes from behind a VPN subnet. If you have many machines, like a print farm, you would also benefit from this sort of setup - easier to serve at a subpath than manage a ton of DNS entries for subdomains etc.

But if you mean, “why do Moonraker and the web interface share a domain?” That seems to be the default configuration already for the most part, given that Moonraker gets served at “/websocket” as this combination of apps usually runs from the same SBC and is tightly coupled to control a 3D printer running Klipper.

The pattern for these printers is as follows:

  1. Klipper opens a unix socket that acts as its API endpoint
  2. Moonraker interacts with that API socket to control Klipper, and exposes a websocket.
  3. Web frontends like Fluidd or Mainsail interact with the Moonraker websocket for user control via a GUI (nobody is running their printer directly from API calls to Moonraker)
[20:09:34]
@luke:vuksta.com (Luke): I have asked the Moonraker and Fluidd devs if they see a security issue with this pattern - I'll see what they have to say regarding how much of a bad idea this is 😆 If they think it is a bad pattern to support then I will close the PR (and possibly make a flake for my own purposes), otherwise I will respond with more info on the PR [20:22:27]
16 Jun 2025
@luke:vuksta.com (Luke): The other thing that is a bit odd is the fact that the Moonraker websocket is currently configured with nginx in the Fluidd service (as well as Mainsail)… that doesn’t quite seem like the right pattern? [00:40:31]
@luke:vuksta.com (Luke): The websocket and regex parts of this nginx configuration probably belong in the moonraker service? [00:42:06]
@hexa:lossy.network (hexa): I was today years old when I found out that systemd.network.enable also enables resolved [03:48:25]
@hexa:lossy.network (hexa): I kinda get that this is required for the DNS-related settings in networkd to work [03:48:52]
@hexa:lossy.network (hexa): but when you have a proper resolver enabled and they keep fighting over resolv.conf … [03:49:13]
@hexa:lossy.network (hexa): I wish we could do better, but I fear there is no clear way out [03:49:29]
@zhaofeng:zhaofeng.li (Zhaofeng Li):

proper resolver

oof

[03:50:57]
@zhaofeng:zhaofeng.li (Zhaofeng Li): I want to love systemd, but a lot of the non-init pieces are too half-baked. Went all in with the declarative networkd configs but kept running into paper cuts [03:52:30]
@hexa:lossy.network (hexa): by proper resolver I mean a recursor [03:53:05]
@hexa:lossy.network (hexa): * by proper resolver I mean a recursor as opposed to a stub [03:53:11]
@hexa:lossy.network (hexa): one that can actually validate dnssec for dane [03:53:22]
@hexa:lossy.network (hexa): * one that can actually validate dnssec, e.g. for dane [03:53:26]
@emilazy:matrix.org (emily): resolved can talk to your resolver [04:20:31]
@emilazy:matrix.org (emily): (and provides services like mDNS on top) [04:20:37]
@hexa:lossy.network (hexa): not interesting for my server [04:20:58]
@hexa:lossy.network (hexa): * not interesting for my servers [04:21:03]
@emilazy:matrix.org (emily): it's pretty much the supported configuration for better or worse. like, it also provides the D-Bus resolved API etc. and works with the NSS stuff [04:21:24]
@hexa:lossy.network (hexa): https://github.com/NixOS/infra/commit/67eb34a7534e9caeda495fbbfea50767a23fb8a0 [04:21:40]
@emilazy:matrix.org (emily): you set services.resolved.fallbackDns and ensure UseDNS=no for networks [04:21:49]
@hexa:lossy.network (hexa): you could also just set services.resolved.enable = false and services.{unbound,kresd,pdns-recursor}.enable instead [04:22:32]
@emilazy:matrix.org (emily): sure [04:22:39]
@hexa:lossy.network (hexa): they already set networking.dns.useLocalResolver [04:22:54]
@hexa:lossy.network (hexa): it's just not helpful that resolved will fight useLocalResolver [04:23:15]
@emilazy:matrix.org (emily): but I suspect the dependencies on nss-resolve(8) and org.freedesktop.resolve1(5) will likely increase over time, that's all [04:23:20]
