nixos/security/acme: order after nss-lookup.target #99901
Conversation
This should hopefully solve races with DNS servers (such as unbound) during the activation of a new generation. Previously unbound could still be unavailable and thus the acme script would fail.
This would also be a good candidate for a backport to 20.09 (cc @NixOS/nixos-release-managers @Nixos/acme)
I approve of a backport of this
Still regularly seeing errors like the one below on 20.09, even with this change.
Yeah, I saw them as well. This might be related to the DNS servers being "ready" before they actually are? This is likely not a complete fix for it but still IMHO a change that is worth carrying as the order is explicitly stated.
Having a socket-activated DNS server like resolved should help here, as systemd will buffer the requests whilst the server is down or restarting.
Then we need to rebuild unbound with
Unfortunately I do not consider resolved production ready in any sense. Also (in my case) unbound does proper systemd readiness indication and thus the startup ordering should be fine. I have a WIP branch for rewriting the unbound expression in nixpkgs as currently it is just cr*p.
Previously mentioned unbound rework that might help with this situation: https://github.com/andir/nixpkgs/tree/unbound-systemd
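As an added example (not code from this PR or from nixpkgs) that ties the PR's `After=nss-lookup.target` ordering to the readiness discussion above: a NixOS configuration fragment that declares the ordering on both sides of the target. The domain, e-mail, webroot path and the unbound `before`/`wants` lines are assumptions; the resolver-side lines matter because nss-lookup.target is a passive target and only delays consumers if the resolver unit orders itself before it and pulls it in.

```nix
# Added example, not part of the PR or of nixpkgs.
# Names and paths below are constructed placeholders.
{ config, lib, pkgs, ... }:

{
  security.acme = {
    acceptTerms = true;
    email = "hostmaster@example.org";        # placeholder address
    certs."example.org" = {
      webroot = "/var/lib/acme/acme-challenge";  # assumed webroot path
    };
  };

  services.unbound.enable = true;

  # Resolver side: nss-lookup.target is passive. A consumer's After= on it
  # only waits for the resolver if the resolver declares Before= and Wants=
  # on the target itself, so make unbound pull it in and order before it.
  systemd.services.unbound = {
    wants  = [ "nss-lookup.target" ];
    before = [ "nss-lookup.target" ];
  };

  # Consumer side: the ordering this PR adds for every acme-<cert>.service.
  # Spelled out here for one certificate so the relationship is visible.
  systemd.services."acme-example.org".after = [ "nss-lookup.target" ];
}
```

With both sides declared, `systemctl list-dependencies --after acme-example.org.service` shows nss-lookup.target, and `systemctl list-dependencies --before unbound.service` shows the target on the resolver side; if the resolver still reports readiness before it can answer queries, the ordering alone will not close the race, which is the point raised in the thread.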