Think about this a bit. Contemplate what happens if you use sftp, vscode remoting, or anything else nontrivial. Hint: “cloudflared access ssh-gen” is not actually any sort of proxy, and the ssh -tt command is a kludge that, if openssh were more on the ball about inherited file descriptors, should not work at all.
The right way to do this is to use Match … exec. Or to ask openssh to add an option for a command to execute before reading IdentityFile. Or to ask for an IdentityFileCommand option. Or to use a custom ssh agent.
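The Match … exec approach the comment recommends, as an added example (not code from the commenter or from Cloudflare's own documentation): because ssh evaluates Match blocks before it resolves IdentityFile and CertificateFile, the short-lived certificate is minted on every connection without any -tt trick, so sftp, scp and VS Code remoting use the same config unchanged. The hostname ssh.example.com and the ~/.cloudflared/%h-cf_key paths are assumptions; check where your cloudflared version writes the key and certificate.

```sshconfig
# Added example, not from the comment above or from Cloudflare's docs.
# Assumed hostname and output paths; adjust both to your install.
# The exec command runs first: if "cloudflared access ssh-gen" exits 0,
# the block matches and ssh then loads the freshly written key and cert.
Match host ssh.example.com exec "cloudflared access ssh-gen --hostname %h"
  ProxyCommand cloudflared access ssh --hostname %h
  IdentityFile ~/.cloudflared/%h-cf_key
  CertificateFile ~/.cloudflared/%h-cf_key-cert.pub
```

One caveat worth checking: the exec command runs through the shell for every ssh invocation that matches, so if ssh-gen fails (expired Access session, no browser available), the block silently does not match and ssh falls through to whatever defaults follow; run `ssh -G ssh.example.com` to see which options actually took effect.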
It tries to scrub passwords and secret keys based on some text filters by default, but it can be configured to scrub arbitrary data (via a hook in the sdk).
So I'm curious: is there any good documentation available for using wireguard-go as a lib? Or is it just read the source and also read through the flyctl source?
Curious about fiddling with something similar with firecracker at home.
Think it'd be neat to spin up bespoke micro-VMs with wireguard enabled.
Seriously, check out the code in pkg/wg. The code you need is like 4 lines (get a working WireGuard connection first, outside of your code, and then bring the configuration --- keys, addresses --- into your code); everything else will be normal Go code.
I would take credit for this, but it's Ben's c--- hey, wait, I paid Ben Burkert for this, I'm going to take full credit.
So I have been actually looking at the code under pkg/wg and tracing stuff back into the wireguard-go pkg and so on for a bit. (Which is some very nice and clean code haha, so you definitely got what you paid for. :P)
I guess the conceptual hurdle I'm stuck on now is, great, I've got this wg tunnel open in my Go code. How do I actually force packets over it? Say I've got a sshd listening on the other end of the tunnel with netfilter rules that say only allow access over this tunnel.
Can I just do normal ssh calls and use the wg tunnel remote addr to do stuff?
Is it that simple and I'm vastly overthinking things, or is it more complicated than I thought?
Incidentally, fly.io is awesome!
Might have to see about getting our workloads running on it for any customers who might want to run them.
It's definitely given me some fun ideas: custom wg and sshd impls running over micro-VMs for at home haha.
Yeah UUID would be the way to go. That it doesn't do that anyway when you address them as /dev/sdX, like most of the examples online do, seems odd. I was pretty surprised to find it was tied to the system-ordering if you add them the user-friendly way—you've gotta do the translation to UUID for it, when adding the disk.
Since restoring a disk that had changed its system-ordered address meant re-silvering the whole damn thing (even though the data was already the same?) I was reluctant to do that a third time to fix it by changing to UUID. For now I just don't touch the disks. Eventually I'll replace the externals with internals and then I'll take care of it.
EDIT: that's exactly what I mean—examples strongly favor /dev/sdX (or similar) but in fact you want to use UUID and the zfs command line tools don't warn you, let alone default to transparently using UUID instead unless told otherwise, either of which would be a clear improvement.
It's true that this system blocks spammers and marketers. At the same time it also prevents a large amount of genuine users who want to take part in the discussions because it's hard to get an invite. So overall the system does more harm than good.
> Invitations are used as a mechanism for spam-control, to slow registrations to a pace we can acculturate and to encourage users to be nice, not to make the Lobsters userbase an elite club.
I'm personally not happy with the randomness of the chat invite system. I have some ideas on how to streamline it but I haven't had time to present them, and I lack the Ruby chops to actually contribute to the site's code.
It's not that hard to get an invite. Ask in an HN thread and there's a good chance somebody will hook you up, assuming they either know you, OR can tell from your HN comment/submission history that you're not some weirdo who is going to spam lobste.rs with crap.
> Ask in an HN thread and there's a good chance somebody will hook you up
That works for users who have seen this thread. How does a person who has not seen this thread know that they have to ask in some random HN thread to get an invite? What about users who don't have an HN account?