are any of you interested in a better Codeberg Pages server?

@whitequark why is the webhook HTTP instead of HTTPS? Haven't used webhooks in a while, but that feels strange.

@esoterra it's because i provision TLS on-demand; the first time you fire the webhook i will not have a certificate (and provisioning a cert to anything in a Host: header is not recommended by ACME)


@whitequark @esoterra

Have you considered getting a wildcard cert? On the face of it I'd expect it to simplify provisioning significantly, but maybe your separation between repositories relies on this (cert transparency logs do show different public keys for different subdomains after all).

@robryk @esoterra i have to issue per-domain certs with HTTP challenge for custom domains, so i didn't feel like adding a different code path just to save some ACME calls when the exact same one works just fine already

@robryk @esoterra also given the post you're replying to: custom domains mean that i can't completely get rid of http:// in the webhook without making enrollment significantly more onerous

@whitequark apparently I can't see robryk's messages so this is all showing up really confusingly in my notifications.

@esoterra fedi is great bc i have absolutely no visibility into this failure mode (their post is set to public)

@whitequark @esoterra

I suspect this is some kind of fallout from instances silencing other instances years ago.

Mechanistically, you get notified when sender's instance sends something to receiver's instance. The sending instance might refuse to do so, or the receiving one might refuse to accept (generally based on either the identity of the sending instance or the sending user).

Whether you can call up a post (by URL) in your Mastodon client[^1] is a question of whether the post's hosting instance is willing to serve it to yours (which in practice might be more restricted than viewing it using the sending instance's web UI; how do they know who's fetching? -> Authorized Fetch) and whether yours is willing to contemplate storing the post at all (see the case above).

What appears when you look for replies to a particular post is more mysterious for me.

[^1] I'm less sure about other fedi instance software

@robryk @esoterra (also, truth be told i never learned how the DNS challenge works; it's entirely possible i'll have to at some point not too far off)

@whitequark @robryk @esoterra the DNS challenge basically involves putting a special value derived from a random token of your choosing and your client key into TXT _acme-challenge.yourdomain.example.com

The hardest part is probably setting up the automated DNS updates. Also you may need to account for the time between submitting an RR update and it actually propagating across the authoritative DNS infra depending on your provider (i.e. desec.io needs a few minutes nowadays)
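The values involved in the DNS challenge, as an added example (not code from the thread or from any of the pages servers discussed): an RFC 7638 JWK thumbprint of the account key, the RFC 8555 key authorization built from the token the CA places in the challenge object, the base64url SHA-256 digest that goes into the `_acme-challenge` TXT record, the check a CA performs against the TXT set it sees, and a poll loop for the publish-to-visible lag mentioned above. The JWK coordinates are illustrative placeholders, the `lookup` callable is whatever resolver the client uses, and the tokens are made up.

```python
"""ACME DNS-01 challenge values (RFC 8555 section 8.4, RFC 7638).

Added example; not the thread's or any pages server's own code.
The JWK below uses illustrative coordinates, not a key in use anywhere.
"""
import base64
import hashlib
import json
import time
from typing import Callable, Iterable, List

# Constructed account key (public part only, which is all a thumbprint needs).
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "kid": "acct-42",   # ignored by the thumbprint, see below
}

# Members RFC 7638 feeds into the thumbprint, per key type.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    """base64url without padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over only the required public members, serialised
    in lexicographic order with no whitespace. Member order in the input
    and optional members such as kid/alg/use must not change the result."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account key).
    The token comes from the CA's challenge object, not from the client.
    HTTP-01 serves exactly this string at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT record carries the base64url SHA-256
    digest of the key authorization, not the key authorization itself."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record_name(domain: str) -> str:
    """_acme-challenge label in front of the validated identifier; for a
    wildcard *.example.com the identifier is example.com."""
    if domain.startswith("*."):
        domain = domain[2:]
    return f"_acme-challenge.{domain.rstrip('.')}."


def dns01_is_satisfied(txt_values: Iterable[str], token: str, account_jwk: dict) -> bool:
    """What the CA does: the expected value must appear among all TXT
    records at the name (several may coexist, e.g. when example.com and
    *.example.com are validated in the same order)."""
    expected = dns01_txt_value(token, account_jwk)
    return any(v == expected for v in txt_values)


def wait_for_txt(lookup: Callable[[str], List[str]], name: str, expected: str,
                 timeout_s: float, interval_s: float = 5.0,
                 sleep: Callable[[float], None] = time.sleep) -> bool:
    """Poll until the authoritative answer contains the value or the timeout
    expires; only then is it safe to tell the CA to validate."""
    deadline = time.monotonic() + timeout_s
    while True:
        if expected in lookup(name):
            return True
        if time.monotonic() >= deadline:
            return False
        sleep(interval_s)
```

A client built on this publishes `dns01_txt_value(token, ACCOUNT_JWK)` at `dns01_record_name(domain)` through whatever provider API it has, calls `wait_for_txt` against the provider's own authoritative servers, and only afterwards POSTs to the challenge URL.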

@whitequark @robryk @esoterra truth be told I just read the RFC and it's easier than expected, next time I need to do this I will probably write a shell script to handle it from scratch because it's gonna be easier than dealing with obscure issues I've had with pre-made acme clients

@lunareclipse @robryk @esoterra oh so it's implemented exactly the same as the DNS challenge i added to the pages server myself, heh

i don't really want to either be interfacing with my registrar's API or be responsible for running my own DNS just for this, so i think having caddy ask for certificates is probably fine?
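Letting Caddy obtain certificates on demand still needs the gate the thread's earlier post alludes to, namely that not every name in a Host: header should trigger an ACME order. This added example (not whitequark's pages server, not Caddy's code) is the allow-list endpoint Caddy's on-demand TLS `ask` option can be pointed at: Caddy requests the URL with a `domain` query parameter before ordering a certificate and proceeds only on a 2xx response. The enrolment table, the `/check` path and port 9123 are assumptions.

```python
"""Allow-list endpoint for on-demand TLS issuance.

Added example; not whitequark's pages server and not part of Caddy.
Assumes Caddy is configured with an `ask` URL such as
http://127.0.0.1:9123/check, which Caddy calls as /check?domain=<name>
and treats a 2xx reply as permission to obtain a certificate.
"""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

# Constructed enrolment table: custom domain -> repository that claimed it.
# In practice this is whatever store the enrolment step writes to.
ENROLLED: Dict[str, str] = {
    "example.org": "alice/site",
    "docs.example.net": "bob/docs",
}


def normalize_domain(raw: str) -> Optional[str]:
    """Lower-case, strip a trailing dot, and reject anything that is not a
    plain DNS hostname: wildcards, IP literals, empty or oversized labels,
    non-ASCII or non-hostname characters."""
    name = raw.strip().lower().rstrip(".")
    if not name or len(name) > 253 or "*" in name:
        return None
    try:
        ipaddress.ip_address(name)
        return None  # an IP literal is not a DNS identifier we issue for
    except ValueError:
        pass
    labels = name.split(".")
    for label in labels:
        if not label or len(label) > 63:
            return None
        if not all(c.isascii() and (c.isalnum() or c == "-") for c in label):
            return None
        if label[0] == "-" or label[-1] == "-":
            return None
    return name if len(labels) >= 2 else None


def is_enrolled(raw: str, enrolled: Dict[str, str] = ENROLLED) -> bool:
    """Exact match only: sub.example.org is not covered by example.org."""
    name = normalize_domain(raw)
    return name is not None and name in enrolled


class AskHandler(BaseHTTPRequestHandler):
    """Answers 200 for an enrolled domain, 403 otherwise."""

    def do_GET(self) -> None:
        url = urlparse(self.path)
        domains = parse_qs(url.query).get("domain", [])
        allowed = url.path == "/check" and len(domains) == 1 and is_enrolled(domains[0])
        self.send_response(200 if allowed else 403)
        self.end_headers()

    def log_message(self, fmt: str, *args) -> None:
        pass  # keep the server quiet; hook logging here if desired


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 9123), AskHandler).serve_forever()
```

Issuance is then bounded by the enrolment table rather than by whatever names happen to resolve to the server, which is the concern about provisioning for arbitrary Host: headers raised earlier in the thread.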

Qoto Mastodon