Set up my blog today, and made my first post detailing a Nix flake that I include in all my nixosSystem builds that sets some sensible defaults.

Check it out:
https://blog.xvrqt.com/nix-defaults.html

#nix #nixos #rust #flakes #programming #coder #hacking #crows

xvrqt
Got tricked into writing a blog post better explaining the Linux kernel's audit system and setting it up in Nix.

It's a moving work of art and you should read it; it will look great on your wedding day:
https://blog.xvrqt.com/nix-audit.html

#nix #nixos #linux #kernelsecurity

xvrqt
https://blog.xvrqt.com/nix-wireguard.html

Writing a new series on using Nix to configure WireGuard. It's probably overly ambitious, as I have had the completed flake done for personal use for weeks now, but writing the blog means redoing it step by step in excruciating detail.

I had to keep cutting scope for each post and now, after typing all day, I finally have... the basic option setup for it. How is writing so hard? Why would a loving god cause such agony?

Feedback welcome, as I think part of my problem is that I don't understand who my audience is, so I never know what I can leave out and what I should explain further.

#nix #nixos #linux #wireguard #kernel #flakes #foss

xvrqt

@crow There is the short mkEnableOption, which is usually used for whatever.enable; it doesn't save much, but I find it somewhat convenient.

One thing I don't understand about your code is wgqt.machines' default value: where is "defaults" coming from? I'd have expected something like "{}".

@IncredibleLaser I know about mkEnable, but it defaults to "false", so I have to instantiate it manually. Sometimes I make my own mkEnabled option, which is just mkEnable with the default being true, lol.

As for the defaults, let me look; it might be leftover cruft from my finished flake, where I set the defaults to values in a defaults.nix so I can just import the module and do no setup. I thought I changed it to '{}', but I might have accidentally copied it back while editing.
😛

xvrqt

@crow no problem.

I can't comment on how understandable your guide is, because I've already written modules before (yes, even with type attrsOf submodule...).

Also, something I just spotted: you're using "with lib;", which is an antipattern: https://nix.dev/guides/best-practices#with-scopes. Rather, inherit from lib.

What I do like is that your options live in a separate flake. I wrote a blog post about that as well.

Anyhow, nice to see a practical example, I think most people tend not to use options.

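To make the two points raised in this thread concrete (a "mkEnabled" option that defaults to true rather than false, and `inherit (lib) ...` in place of `with lib;`, plus an attrsOf-submodule option whose default is `{}` rather than a stray `defaults` binding), here is a small NixOS module sketch. It is an added example, not code from blog.xvrqt.com or from any flake discussed above; the option namespace `services.wgexample`, the attribute names, and the private-key path are assumptions.

```nix
# Added example (not the blog's or the thread's code). Shows:
#  (a) an enable option defaulting to true, built from lib.mkEnableOption,
#  (b) `inherit (lib) ...` instead of `with lib;`,
#  (c) an attrsOf submodule option whose default is `{}`.
# `services.wgexample`, the peer attribute names and the key path are assumed.
{ config, lib, ... }:
let
  inherit (lib) mkEnableOption mkOption mkIf mapAttrsToList types;
  cfg = config.services.wgexample;

  # mkEnableOption yields an option with `default = false`; overriding that
  # attribute gives the "mkEnabled" variant discussed in the thread.
  mkEnabledOption = desc: mkEnableOption desc // { default = true; };

  # One peer, as a submodule. `name` is the attribute key in `machines`.
  peerModule = { name, ... }: {
    options = {
      publicKey = mkOption {
        type = types.str;
        description = "WireGuard public key of peer ${name} (base64).";
      };
      allowedIPs = mkOption {
        type = types.listOf types.str;
        default = [ ];
        description = "CIDRs routed to peer ${name}.";
      };
    };
  };
in
{
  options.services.wgexample = {
    enable = mkEnabledOption "the example WireGuard mesh";

    listenPort = mkOption {
      type = types.port;
      default = 51820;
      description = "UDP port the local wg0 interface listens on.";
    };

    # Default is an empty attribute set, not a reference to some `defaults`
    # binding, so merely importing the module requires no further setup.
    machines = mkOption {
      type = types.attrsOf (types.submodule peerModule);
      default = { };
      description = "Peers of this host, keyed by machine name.";
    };
  };

  config = mkIf cfg.enable {
    networking.wireguard.interfaces.wg0 = {
      listenPort = cfg.listenPort;
      # Read the private key from a file at runtime; a `privateKey` string in
      # the config would be copied into the world-readable Nix store.
      privateKeyFile = "/run/secrets/wg0.key";   # assumed path
      peers = mapAttrsToList (_: p: {
        inherit (p) publicKey allowedIPs;
      }) cfg.machines;
    };
  };
}
```

With this module imported and nothing else set, `services.wgexample.enable` evaluates to true and `services.wgexample.machines` to `{}`, so wg0 is created with no peers; adding `services.wgexample.machines.laptop = { publicKey = "..."; allowedIPs = [ "10.0.0.2/32" ]; };` in a host's configuration adds one peer without any `with lib;` in scope to shadow names.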

@IncredibleLaser

Yeah, over time I have been using options more and more; I realized that having special flake outputs with data structures other flakes need to be in sync with was a serious anti-pattern, and those should just be part of the config and referenced from there.

Nix gives me the feeling of learning C++ half a lifetime ago: everyone uses a different subset of features in different ways, and it takes blowing your own feet off several times to realize what "good Nix/C++" should look like.

Thanks for the feedback!
@crow You might find wirenix interesting (autogen via agenix implemented there already) https://man.sr.ht/~msalerno/wirenix/
@juuso truly nothing new under the sun 🥲

In the next post we autogen keys and encrypt with agenix, but you have to do it in a separate step so you can save the keys to the flake, so they are the same for each peer using the flake.

I'll check this out to see if they do something more clever where you can have deterministic key gen without leaking the seed via the config.
@crow In wirenix the keys can also be saved to the flake. But it's not deterministic: it uses agenix-rekey to generate new keys whenever the mesh topology changes. It's also IPv6 only. But yeah, no secrets are leaked; instead it can use HMAC secrets of YubiKeys and such, which can be public. And agenix encrypts host secrets against hosts' persistent SSH private keys (ed25519). Would be interesting to hear about alternative methods though!
@juuso Oh yeah, in mine you just set your agenix public keys in your config and it generates all the keys and rekeys the WireGuard keys on mesh changes. I wasn't sure how to get Machine A and Machine B to generate the same WireGuard keys when running without saving them somewhere, though.

Mine is IPv4 only; I'm already at my limit writing Nix code to deal with that.