| 11 Nov 2024 |
Arian | It's peak because we opened it ourselves and then ignored it for 5 years | 07:51:12 |
Arian | 😂😭 | 07:51:19 |
m1cr0man | Yep! 😁 | 09:40:41 |
| ThinkChaos joined the room. | 17:17:34 |
ThinkChaos | For simplifying the max concurrency, sem from GNU parallel seems like the right tool: https://man.archlinux.org/man/sem.1 The cert ExecStart would look like sem --id nixos-acme --fg --max-procs ${cfg.maxConcurrentRenewals} 'lego ...' | 18:47:12 |
ThinkChaos | Account creation is still messy and I think the best thing would be to write a small CLI that creates the account and writes the info where lego will look for it. So one acme-account-${escaped-email}.service per account, and each cert using that account requires that service. And we use a negative ConditionPathExists to ensure it only actually runs when needed (but not RemainAfterExit, otherwise clearing the state and starting a cert service won't rerun the service). | 18:58:06 |
ThinkChaos | Or look at completely replacing lego but that seems much harder | 18:59:47 |
ThinkChaos | * Or look at completely replacing lego but that seems much harder to do backwards-compatibly with existing state | 19:00:33 |
Arian | Maybe we should run a Kubernetes apiserver and use certmanager | 19:01:26 |
Arian | Only half joking | 19:01:30 |
ThinkChaos | For the potential custom account creation tool https://github.com/mholt/acmez/blob/v2.0.3/examples/plumbing/main.go#L56-L88 | 19:02:18 |
emily | I'm old enough to remember when we replaced simp_le with Lego and destroyed everyone's data | 19:02:18 |
emily | ah, so this is how I get ACMEZ in through the back door 😂 | 19:02:33 |
Arian | And I'll do it again!! 😈 | 19:02:38 |
emily | one day I'll write the thing that needs to exist and then you can inflict it on everyone | 19:03:14 |
ThinkChaos | I took a quick look at other ACME clients listed in https://letsencrypt.org/docs/client-options/ and I'm pretty sure I saw one that could migrate Lego data but can't find it again | 19:04:29 |
emily | we were so innocent then | 19:04:41 |
ThinkChaos | Anyways, the cert dir structure was different I think, so it would still break users | 19:04:52 |
emily | (In reply to @thinkchaos:matrix.org: "I took a quick look at other ACME clients listed in https://letsencrypt.org/docs/client-options/ and I'm pretty sure I saw one that could migrate Lego data but can't find it again") nothing really exists that meets requirements and is superior to lego IMO | 19:04:55 |
emily | Caddy builds on CertMagic/ACMEZ and is a better implementation with a much better model (a proper daemon), but it doesn't quite have the shape of the thing we need | 19:05:18 |
ThinkChaos | Yeah that was my conclusion from a quick look, hence the custom tool proposal :) | 19:05:20 |
emily | https://github.com/https-dev/docs/blob/master/acme-ops.md essential reading | 19:05:47 |
emily | (primarily from the Caddy/CertMagic/ACMEZ author) | 19:06:00 |
Arian | My website still runs 21.05 lol | 19:06:06 |
emily | 😱 | 19:06:31 |
Arian | If it ain't broken.... | 19:06:31 |
emily | anything with that many CVEs is broken by definition | 19:06:43 |
emily | or at least I can break it for you if you'd like | 19:06:48 |
Arian | Disagree | 19:06:49 |