Set up my blog today, and made my first post detailing a Nix flake that I include on all my nixosSystem builds that sets some sensible defaults.

Check it out:
https://blog.xvrqt.com/nix-defaults.html

#nix #nixos #rust #flakes #programming #coder #hacking #crows
nix defaults

Sensible Nix Defaults If you're using Nix you are probably more accustomed to nonsense, and I am no...

xvrqt
Got tricked into writing a blog post better explaining the Linux kernel's audit system and setting it up in Nix.

It's a moving work of art and you should read it; it will look great on your wedding day:
https://blog.xvrqt.com/nix-audit.html

#nix #nixos #linux #kernelsecurity
nix audit

Nix Audit The Linux kernel has an audit module which can keep track of which files are accessed, an...

xvrqt
https://blog.xvrqt.com/nix-wireguard.html

Writing a new series on using Nix to configure WireGuard. It's probably overly ambitious, as I have had the completed flake done for personal use for weeks now, but writing the blog means redoing it step by step in excruciating detail.

I had to keep cutting scope for each post and now, after typing all day, I finally have... the basic option setup for it. How is writing so hard? Why would a loving god cause such agony?

Feedback welcome, as I think part of my problem is I don't understand who my audience is so I never know what I can leave out and what I should explain further.

#nix #nixos #linux #wireguard #kernel #flakes #foss
nix wireguard

WireGuard is a Linux kernel module which allows you to easily configure encrypted network interfac...

xvrqt
@crow You might find wirenix interesting (autogen via agenix implemented there already) https://man.sr.ht/~msalerno/wirenix/
@juuso truly nothing new under the sun 🥲

In the next post we autogenerate keys and encrypt them with agenix, but you have to do it in a separate step so you can save the keys to the flake, so they are the same for each peer using the flake.

I'll check this out to see if they do something more clever, where you can have deterministic key generation without leaking the seed via the config.
@crow In wirenix the keys can also be saved to the flake. But it's not deterministic -- it uses agenix-rekey to generate new keys whenever the mesh topology changes. It's also IPv6 only. But yeah, no secrets are leaked; instead it can use HMAC secrets of YubiKeys and such, which can be public. And agenix encrypts host secrets against hosts' persistent SSH private keys (ed25519). Would be interesting to hear about alternative methods though!
@juuso Oh yeah, in mine you just set your agenix public keys in your config and it generates all the keys and rekeys the WireGuard keys on mesh changes. I wasn't sure how to get Machine A and Machine B to generate the same WireGuard keys when running without saving them somewhere, though.

Mine is IPv4 only; I'm already at my limit writing Nix code to deal with that.