Hacker News

ninjin, yesterday at 1:58 AM (0 replies)

Beautiful, thoughtful writing. In an era where taking time to understand something thoroughly seems to fall by the wayside in favour of skimming, this warmed my heart: "Originally I planned to make this post a simple recipe. Just follow these steps, and you have your website running in no time. But now I know it won't work like that. At least not for everyone. Instead, I'll just give you the list of resources I used and the first version of the configuration files that worked. The ingredient you need to add is some time and effort".

As a somewhat more senior OpenBSD user (daily driver on my work laptop, work desktop, maintaining two servers, and reading misc@ and tech@), I think you can drop your reliance on relayd(8) and make your configuration much simpler. Yes, you lose caching granularity, but I doubt you see the amount of traffic needed to justify monthly and annual cache limits. Here is a sketch which I have typed out without any testing.

/etc/acme-client.conf:

    # The authority block is the stock one from /etc/examples/acme-client.conf;
    # "sign with letsencrypt" below refers to it, so it has to be present.
    authority letsencrypt {
        api url "https://acme-v02.api.letsencrypt.org/directory"
        account key "/etc/acme/letsencrypt-privkey.pem"
    }

    domain ewintr.nl {
        domain key "/etc/ssl/private/ewintr.nl.key"
        domain full chain certificate "/etc/ssl/ewintr.nl.fullchain.pem"
        sign with letsencrypt
    }

    domain vrijkorteverhalen.nl {
        domain key "/etc/ssl/private/vrijkorteverhalen.nl.key"
        domain full chain certificate "/etc/ssl/vrijkorteverhalen.nl.fullchain.pem"
        sign with letsencrypt
    }

/etc/httpd.conf:

    types {
        include "/usr/share/misc/mime.types"
    }

    # Catch-all for plain HTTP. The name is only a label; as the only server on
    # port 80 it answers every Host on that port: ACME challenges are served from
    # /acme (relative to the /var/www chroot, which is where acme-client writes
    # them) and everything else is redirected to TLS on the same host and path.
    server "http" {
        listen on * port 80
        location "/.well-known/acme-challenge/*" {
            root "/acme"
            request strip 2
        }
        location * {
            block return 301 "https://$HTTP_HOST$REQUEST_URI"
        }
    }

    # TLS only. Do not also "listen on * port 80" here: httpd matches the Host
    # header first, so a named server on port 80 would take the ACME challenge
    # requests for its own domain away from the catch-all (404 instead of the
    # token) and would serve the site over plain HTTP instead of redirecting.
    server "ewintr.nl" {
        listen on * tls port 443
        root "/htdocs/ewintr.nl"
        tls {
            certificate "/etc/ssl/ewintr.nl.fullchain.pem"
            key "/etc/ssl/private/ewintr.nl.key"
        }

        # "location match" takes a Lua-style pattern; %1 is the first capture.
        location match "/linklog/%d*/links%-([%d%-]*)" {
            block return 302 "$REQUEST_SCHEME://$HTTP_HOST/linklog/#links-%1"
        }
        location "/feed/" {
            block return 302 "$REQUEST_SCHEME://$HTTP_HOST/atom.xml"
        }
        # Old misspelled URL kept working via a redirect.
        location "/quick-go-test-clycle-with-reflex" {
            block return 301 "$REQUEST_SCHEME://$HTTP_HOST/posts/2020/quick-go-test-cycle-with-reflex/"
        }
        # ---&<---
    }

    server "vrijkorteverhalen.nl" {
        listen on * tls port 443
        root "/htdocs/vrijkorteverhalen.nl"
        tls {
            certificate "/etc/ssl/vrijkorteverhalen.nl.fullchain.pem"
            key "/etc/ssl/private/vrijkorteverhalen.nl.key"
        }
    }

Do not forget to add your acme-client calls to crontab(1) (as is, of course, noted in the manpage).

My philosophy so far is that the shorter my configuration files are, the easier they are to read and comprehend, the more defaults I rely on, and the happier I am as a user. Learning to live with defaults and resisting nearly all urges to deviate from them is a virtue that OpenBSD teaches very well.

Now, if only I could figure out why streaming 1440p60 x11grab to 1080p60 always leads to massive frame drops if anything else is running on the system (is it the kernel not being preemptive? Xenocara?), I would have all my own use cases covered.
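The sketch above was typed out untested, so here is a smoke test for the three things that httpd.conf promises: plain HTTP is answered with a 301 to https on the same host and path, the ACME challenge path on port 80 is served rather than redirected (the thing that breaks if a named server also listens on port 80 and shadows the catch-all for its Host), and /feed/ redirects to /atom.xml. This is an added example, not code from the comment or from the original post. It assumes curl is installed, that the host to probe is passed as the first argument, that /posts/ exists on the site, and that a probe file has been created at /var/www/acme/smoke (httpd is chrooted to /var/www, so that is what root "/acme" points at). The sample responses at the bottom are constructed, not captured, so the checks can be exercised without a server.

```shell
#!/bin/sh
# Smoke test for the httpd.conf sketch (added example, not from the comment).
#   1. http://HOST/posts/                           -> 301 https://HOST/posts/
#   2. http://HOST/.well-known/acme-challenge/smoke -> 200, no Location header
#   3. https://HOST/feed/                           -> 302 https://HOST/atom.xml
# HOST, the path /posts/ and the probe file name "smoke" are assumptions.

# status_of RESPONSE: print the status code from a raw header block (curl -sI output).
status_of() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $2 }'
}

# location_of RESPONSE: print the Location header value, or nothing if absent.
# curl emits CRLF line endings; the CR is stripped before the fields are split.
location_of() {
    printf '%s\n' "$1" | awk '{ sub(/\r$/, "") } tolower($1) == "location:" { print $2 }'
}

# expect_redirect RESPONSE CODE URL: succeed if RESPONSE is a CODE redirect to URL.
expect_redirect() {
    [ "$(status_of "$1")" = "$2" ] && [ "$(location_of "$1")" = "$3" ]
}

# expect_served RESPONSE: succeed if RESPONSE is a plain 200 with no Location header.
expect_served() {
    [ "$(status_of "$1")" = "200" ] && [ -z "$(location_of "$1")" ]
}

# check NAME CMD...: run one check, print PASS/FAIL, propagate the result.
check() {
    name=$1; shift
    if "$@"; then echo "PASS: $name"; else echo "FAIL: $name"; return 1; fi
}

# run_live HOST: probe a real server. Create the probe file first:
#   doas touch /var/www/acme/smoke
run_live() {
    host=$1; rc=0
    check "http -> https redirect keeps host and path" \
        expect_redirect "$(curl -sI "http://$host/posts/")" 301 "https://$host/posts/" || rc=1
    check "acme challenge served over plain http, not redirected" \
        expect_served "$(curl -sI "http://$host/.well-known/acme-challenge/smoke")" || rc=1
    check "/feed/ -> /atom.xml" \
        expect_redirect "$(curl -sI "https://$host/feed/")" 302 "https://$host/atom.xml" || rc=1
    return $rc
}

# Constructed sample responses (not captured from a real server) so the checks
# can be exercised offline. The second one uses CRLF line endings as curl does;
# the third is what a named server that shadows the catch-all on port 80 would
# return for the challenge path.
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Location: https://ewintr.nl/posts/
Connection: close'
SAMPLE_SERVED=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 0\r\n')
SAMPLE_SHADOWED='HTTP/1.1 404 Not Found
Connection: close'

# self_test: the checks applied to the constructed samples; exit status 0 on success.
self_test() {
    expect_redirect "$SAMPLE_REDIRECT" 301 "https://ewintr.nl/posts/" &&
    expect_served "$SAMPLE_SERVED" &&
    ! expect_served "$SAMPLE_SHADOWED" &&
    ! expect_redirect "$SAMPLE_REDIRECT" 302 "https://ewintr.nl/posts/"
}

# Usage: sh smoke.sh ewintr.nl
if [ -n "${1:-}" ]; then
    run_live "$1"
fi
```

Run it once before and once after changing a server block; a FAIL on the second check is the quickest way to notice that a named server has started listening on port 80 and is swallowing the challenge requests for its own Host.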