| 4 Dec 2021 |
m1cr0man | 7 ticket closures in one :D that always feels good | 19:07:16 |
| 11 Dec 2021 |
m1cr0man | Systemd 250 notes from Phoronix: "There is also a new tool called systemd-creds for dealing with the credentials. This can be used for SSL certificates, passwords, and other similar data." | 12:05:15 |
m1cr0man | It seems to kind of be like ansible-vault, where decryption happens when the service is started. Kind of neat because it can/will use a TPM module | 13:53:17 |
hexa | ohhhh | 14:02:23 |
hexa | I wish element had a sensible forwarding mode … for #tpm:nixos.org | 14:02:57 |
hexa | where the general consensus was, that tpm tooling on linux is abysmal | 14:03:20 |
m1cr0man | Oh yeah, I know that XD Tried to set up my server's ZFS to unlock via the TPM once. Did not find a workable solution :P | 14:04:29 |
m1cr0man | There's some other nice stuff in here that seems generally applicable too. The systemd-homed updates are super intriguing. I've always wondered if it would be possible to set up on-demand services for users via homed (namely jupyter notebooks) and safe SSH environments for student-esque use with it. Seems like a lot of these things would make that a bit easier | 14:06:52 |
andi- | The TPM tooling is "by spec" and that is probably the issue. The spec is horrible and allows everything but isn't tailored for 99% of the use cases. | 15:03:41 |
| 13 Dec 2021 |
m1cr0man | Trying to rebase my PR and write a test for listenHTTP. Found a bug in the log for handling ports < 1024, even when running as root. Not sure why yet. It must be one of the systemd protection flags on the service but I haven't narrowed down which one. It's not SystemCallFilters | 23:12:06 |
moritz.hedtke | The capabilities one? | 23:44:31 |
| 14 Dec 2021 |
m1cr0man | To be specific, lego is giving bind: permission denied even when running as root. I haven't looked into it any further, just reread that msg I sent and realised how unclear it was :P | 22:39:49 |
hexa | need to see the systemd unit to make a proper statement on the matter - but the first thing is … privateusers will prevent passing of capabilities | 23:56:33 |
| 18 Dec 2021 |
m1cr0man | I might ask in the systemd channel | 14:25:30 |
m1cr0man | There is no use of privateusers, fwiw. That's good to know though :) | 14:25:49 |
hexa | happy to take a look if you point me to the unit | 14:44:33 |
m1cr0man | Aha! Got it | 14:45:23 |
m1cr0man | CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; | 14:45:24 |
hexa | capabilities need to be requested by the program | 14:45:42 |
m1cr0man | A new day + a fresh mind is the best solution finder | 14:45:42 |
hexa | only AmbientCapabilities are active without being requested | 14:45:59 |
hexa | and the bounding set limits ambient capabilities IIRC | 14:46:12 |
m1cr0man | Well the old line was AmbientCapabilities = "CAP_NET_BIND_SERVICE" and it couldn't bind to ports < 1024 | 14:46:38 |
m1cr0man | so idk, the priority is capBoundingSet > AmbientCapabilities? | 14:47:05 |
hexa | the bounding set limits capabilities altogether, so yeah | 14:47:25 |
hexa | sorry, I missed that during review as well | 14:48:26 |
m1cr0man | right that makes sense | 14:48:29 |
m1cr0man | nb! Fixed now and I have written a test for it :) | 14:48:41 |
hexa | ❤️ | 14:48:50 |
m1cr0man | https://github.com/NixOS/nixpkgs/pull/147784 ok so this PR technically still needs a review from someone on the ACME team that isn't me ;) | 15:08:08 |