| 31 Jan 2023 |
 m1cr0man | Actually is there system performance dashboards we can correlate against test failure? | 01:09:59 |
 Winter (she/her) | https://monitoring.nixos.org/grafana/ might have something | 01:10:41 |
| m1cr0man | Cool I'll check that out tomorrow | 01:11:05 |
| 2 Feb 2023 |
| Winter (she/her) | m1cr0man: Would you say the best way to guide users wrt DynamicUser services and permissions would be to have them set SupplementalGroups to whatever owns the given cert? | 15:18:49 |
| m1cr0man | Yep | 15:19:25 |
 hexa | https://hydra.nixos.org/build/207980199 acme 😄 | 17:44:04 |
| hexa | https://hydra.nixos.org/log/lbyjk7n05hk7s9mhccrh4h1jzs470lkl-vm-test-run-acme.drv | 17:44:29 |
| hexa | restarting | 17:44:32 |
 K900 | Saved the log to https://termbin.com/nrjp | 17:45:03 |
| hexa | thanks | 17:45:23 |
| hexa | probably as helpful as ever | 17:45:32 |
 raitobezarius | In reply to @winterqt:nixos.dev
m1cr0man: Would you say the best way to guide users wrt DynamicUser services and permissions would be to have them set SupplementalGroups to whatever owns the given cert? I personally do that | 17:58:55 |
| Winter (she/her) | In reply to@hexa:lossy.network
probably as helpful as ever you'd be right :) ``` | 22:42:18 |
| Winter (she/her) | In reply to@hexa:lossy.network
probably as helpful as ever * you'd be right :) webserver: waiting for unit acme-finished-http.example.test.target
Test "Can request certificate with Lego's built in web server" failed with error: "unit "acme-finished-http.example.test.target" is inactive and there are no pending jobs"
| 22:42:21 |
| hexa | In reply to @raitobezarius:matrix.org
I personally do that alternatively LoadCredentials=, but generally SupplementaryGroups= | 22:43:20 |
| hexa | hey and what about TemporaryFilesystem= and BindPath= | 22:46:40 |
| hexa | * hey and what about TemporaryFilesystem= and BindPaths= | 22:46:55 |
| hexa | choices! | 22:47:04 |
| hexa | * hey and what about TemporaryFilesystem= and BindReadOnlyPaths= | 22:47:58 |
| raitobezarius | can BindReadOnlyPaths work hexa | 23:40:14 |
| raitobezarius | I thought it was supposed to honor the classical permissions | 23:40:22 |
| raitobezarius | So even if you bind it, you cannot read it because it's not a+r or you're not in the group (or it's not g+r, whatever) | 23:40:42 |
| raitobezarius | Or am I confusing it with ReadOnlyPaths | 23:40:50 |
| hexa | I don't think you need extra permissions, when systemd provides the mount for the service | 23:49:16 |
| 3 Feb 2023 |
| hexa | hm, nvm. I did indeed add SupplementaryGroup with BindPaths | 00:15:39 |
| m1cr0man | LoadCredentials isn't the best option unfortunately because it means you must always restart the service, as a reload won't reload the creds from disk. | 21:42:13 |
| m1cr0man | TemporaryFilesystem suffers the same caveat | 21:42:23 |
| m1cr0man | For things where restart is viable/standard, then LoadCredential can work quite well | 21:42:39 |
| hexa | yeah, LoadCredential= would need to inotify the original file and sighup the process or something to be useful | 22:47:36 |
| m1cr0man | Or systemd needs to provide a mechanism for reloading credential files in cases where the application will auto-reload all files itself. Like, if I could do systemctl reload httpd --credentials that would do the trick so long as credentials are reloaded before the process itself | 22:51:31 |
