| 8 Nov 2024 |
 K900 | https://github.com/NixOS/nixpkgs/pull/354629/files#diff-352faa44c3da86e70bd6b5a55ff13f0a900b0f2fac44229f352ed1fd5b93a262R749-R751 | 23:11:25 |
| K900 | How did this ever work | 23:11:28 |
 m1cr0man | what's wrong with that? | 23:12:31 |
| K900 | OK this makes no sense | 23:12:38 |
| K900 | It's starting the cert renewal first | 23:12:49 |
| K900 | And then the server | 23:12:58 |
| m1cr0man | Ngl, it's pretty vindicating that someone else is witnessing the quantum hell that is the ACME test suite, and not just my imagination. | 23:13:19 |
| K900 | And I think the ordering on it is actually just all wrong | 23:13:22 |
| K900 | 
Download {A552CC2F-C32F-444C-8CDC-9B4F274FF447}.png | 23:14:17 |
| K900 | Yeah this is 100% wrong | 23:14:45 |
| K900 | The acme units need to wants httpd for this | 23:14:55 |
| K900 | If not requires | 23:15:09 |
| K900 | Actually probably requires, just so we fast-fail | 23:15:16 |
| m1cr0man | I'm not following. Part of this is from the change earlier today. That's a screenshot from a webserver module right? It's only set to before on the renewals that use HTTP-01. wanting the target means that renewal gets queued in the same job as the web server start. | 23:16:49 |
| m1cr0man | it's convoluted, but in the case of a web server it's generally as follows on startup:
- Web server start requested
want on acme-*.target queues a start job in the same transaction for any necessary renewal services.before on acme-selfsigned-*.service means webserver is up after selfsigned cert genbefore (selectively) on acme-*.service means webserver starts before renewal (HTTP-01)after (selectively) on acme-*.service means webserver can basically start any time after renewal happens
| 23:19:49 |
| m1cr0man | this all hinges on my understanding/observations of wants dependencies on a target, and how start job transactions are evaluated | 23:20:36 |
| K900 | That before isn't enough | 23:20:47 |
| K900 | You need the http-01 units to actually wants it | 23:21:07 |
| m1cr0man | I know before/after don't queue start jobs, but the target implicitly will | 23:21:10 |
| m1cr0man | iirc the target requires the renewal, so that will queue the start job, and those before/after should queue them appropriately in the same transaction | 23:21:32 |
| K900 | The target will if you start the server, yes | 23:21:33 |
| K900 | But not if you start the target | 23:21:38 |
| m1cr0man | oh fuck | 23:21:51 |
| K900 | So either the test needs to wait for the server before the target | 23:21:55 |
| K900 | Or the units need to also wants the server | 23:22:07 |
| K900 | Which I think is more correct because they actually do | 23:22:18 |
| m1cr0man | hm let me quickly check sth in the webserver units | 23:22:41 |
| m1cr0man | Yeah no, it's totally missing | 23:24:00 |
| m1cr0man |
Or the units need to also wants the server
Problem is now, from the acme module, we can't determine what web server will be serving .well-known/acme-challenge. We can solve this per-webserver, as you said flip the before to a requiredBy (actually... maybe keep before and add requiredBy).
I'm now remembering a very old conversation about having web server units register a common target, but I ended up implementing nginx-config-reload as it met the requirements at the time.
not if you start the target
I wonder how bad it would be to remove the install/wantedBy directives from the acme module, and let dependent services trigger its startup? Infact what if we had a mkDefault value for requiredBy on the ACME certs, and set an explicit value in the web servers?
| 23:30:00 |
| m1cr0man | *
Or the units need to also wants the server
Problem is now, from the acme module, we can't determine what web server will be serving .well-known/acme-challenge. We can solve this per-webserver, as you said flip the before to a requiredBy (actually... maybe keep before and add requiredBy).
I'm now remembering a very old conversation about having web server units register a common target, but I ended up implementing nginx-config-reload as it met the requirements at the time.
not if you start the target
I wonder how bad it would be to remove the install/wantedBy directives from the acme module, and let dependent services trigger its startup? Infact what if we had a mkDefault value for wantedBy on the ACME certs, and set an explicit value in the web servers?
| 23:30:16 |
