13:36 <Mic92> andi-: this fixed resolved for me: https://github.com/Mic92/dotfiles/blob/master/nixos/modules/0001-networkd-don-t-downgrade-dnsovertls.patch

13:36 <Mic92> Not sure yet what the best way is to get it upstream.

14:13 <andi-> Well I want it to work even on captiveportal networks. I am not very keen on downgrade protection by default. DNS encryption is another problem that should be tackled elsewhere. I am mostly keen on having a non-techy happy with resolved on their notebook while roaming between many different wifis and address families.

16:55 <Mic92> andi-: The issue is that it falls-back to udp after connection errors and never upgrades to tls-over-dns at all. My server does not support port 53.

16:56 <Mic92> andi-: I very much appreciate the android approach to portals. i.e. opening a webview that uses the DHCP's DNS. We have that in NixOS too. It's called captive-browser.

17:00 <andi-> Yeah but it requires the user to know what DNS is and why a different browser has to be started now. I would like to polish the average user case first. Starting a different browser in some situations is likely the job of Gnome/KDE/…

18:41 <aanderse> so i'm doing some hacky but useful stuff with tmpfiles that depends on ldap users existing... what is the best way i can have tmpfiles --create run again after nss-user-lookup.target is reached?

18:47 <aanderse> i suppose i'm working off the assumption that tmpfiles is needed before nss-user-lookup.target... but i think thats a pretty sound assumption

21:02 <Mic92> aanderse: I would create a different tmpfiles file that you run after this target.

21:20 <aanderse> <aanderse "i suppose i'm working off the as"> Mic92: cool thanks I'll give that a go