feat: add internal proxy to high-volume applications at home

2025-10-10 23:00:39 +02:00 · 2024-05-20 02:30:17 +02:00 · 2024-05-20 02:30:17 +02:00 · 20a5e1e66a
commit 20a5e1e66a
parent b01c521830
32 changed files with 301 additions and 21 deletions
--- a/hosts/sire/guests/common.nix
+++ b/hosts/sire/guests/common.nix
@ -5,6 +5,7 @@
  ...
 }: let
  sentinelCfg = nodes.sentinel.config;
+  wardWebProxyCfg = nodes.ward-web-proxy.config;
 in {
  meta.promtail = {
    enable = true;
@ -12,7 +13,12 @@ in {
  };

  # Connect safely via wireguard to skip http authentication
-  networking.hosts.${sentinelCfg.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.networking.providedDomains.influxdb];
+  networking.hosts.${
+    if config.wireguard ? proxy-home
+    then wardWebProxyCfg.wireguard.proxy-home.ipv4
+    else sentinelCfg.wireguard.proxy-sentinel.ipv4
+  } = [sentinelCfg.networking.providedDomains.influxdb];
+
  meta.telegraf = lib.mkIf (!config.boot.isContainer) {
    enable = true;
    scrapeSensors = false;
--- a/hosts/sire/guests/grafana.nix
+++ b/hosts/sire/guests/grafana.nix
@ -4,6 +4,7 @@
  ...
 }: let
  sentinelCfg = nodes.sentinel.config;
+  wardWebProxyCfg = nodes.ward-web-proxy.config;
  grafanaDomain = "grafana.${config.repo.secrets.global.domains.me}";
 in {
  wireguard.proxy-sentinel = {
@ -116,6 +117,11 @@ in {
    }
  ];

+  networking.hosts.${wardWebProxyCfg.wireguard.proxy-home.ipv4} = [
+    sentinelCfg.networking.providedDomains.influxdb # technically a duplicate (see ./common.nix)...
+    sentinelCfg.networking.providedDomains.loki
+  ];
+
  services.grafana = {
    enable = true;
    settings = {
--- a/hosts/sire/guests/immich.nix
+++ b/hosts/sire/guests/immich.nix
@ -5,6 +5,7 @@
  ...
 }: let
  sentinelCfg = nodes.sentinel.config;
+  wardWebProxyCfg = nodes.ward-web-proxy.config;
  immichDomain = "immich.${config.repo.secrets.global.domains.me}";

  ipImmichMachineLearning = "10.89.0.10";
@ -169,10 +170,15 @@ in {
    client.via = "sentinel";
    firewallRuleForNode.sentinel.allowedTCPPorts = [2283];
  };
+  wireguard.proxy-home = {
+    client.via = "ward";
+    firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [2283];
+  };
  networking.nftables.chains.forward.into-immich-container = {
    after = ["conntrack"];
    rules = [
      "iifname proxy-sentinel ip saddr ${sentinelCfg.wireguard.proxy-sentinel.ipv4} tcp dport 3001 accept"
+      "iifname proxy-home ip saddr ${wardWebProxyCfg.wireguard.proxy-home.ipv4} tcp dport 3001 accept"
      "iifname podman1 oifname lan accept"
    ];
  };
@ -202,6 +208,31 @@ in {
    };
  };

+  nodes.ward-web-proxy = {
+    services.nginx = {
+      upstreams.immich = {
+        servers."${config.wireguard.proxy-home.ipv4}:2283" = {};
+        extraConfig = ''
+          zone immich 64k;
+          keepalive 2;
+        '';
+      };
+      virtualHosts.${immichDomain} = {
+        forceSSL = true;
+        useACMEWildcardHost = true;
+        locations."/" = {
+          proxyPass = "http://immich";
+          proxyWebsockets = true;
+        };
+        extraConfig = ''
+          client_max_body_size 10G;
+          allow 192.168.1.0/24;
+          deny all;
+        '';
+      };
+    };
+  };
+
  systemd.tmpfiles.settings = {
    "10-immich" = {
      ${upload_folder}.d = {
--- a/hosts/sire/guests/influxdb.nix
+++ b/hosts/sire/guests/influxdb.nix
@ -6,6 +6,7 @@
  ...
 }: let
  sentinelCfg = nodes.sentinel.config;
+  wardCfg = nodes.ward.config;
  influxdbDomain = "influxdb.${config.repo.secrets.global.domains.me}";
  influxdbPort = 8086;
 in {
@ -14,6 +15,11 @@ in {
    firewallRuleForNode.sentinel.allowedTCPPorts = [influxdbPort];
  };

+  wireguard.proxy-home = {
+    client.via = "ward";
+    firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [influxdbPort];
+  };
+
  nodes.sentinel = {
    networking.providedDomains.influxdb = influxdbDomain;

@ -50,6 +56,40 @@ in {
    };
  };

+  nodes.ward-web-proxy = {
+    services.nginx = {
+      upstreams.influxdb = {
+        servers."${config.wireguard.proxy-home.ipv4}:${toString influxdbPort}" = {};
+        extraConfig = ''
+          zone influxdb 64k;
+          keepalive 2;
+        '';
+      };
+      virtualHosts.${influxdbDomain} = let
+        accessRules = ''
+          ${lib.concatMapStrings (ip: "allow ${ip};\n") wardCfg.wireguard.proxy-home.server.reservedAddresses}
+          deny all;
+        '';
+      in {
+        forceSSL = true;
+        useACMEWildcardHost = true;
+        locations."/" = {
+          proxyPass = "http://influxdb";
+          proxyWebsockets = true;
+          extraConfig = accessRules;
+        };
+        locations."/api/v2/write" = {
+          proxyPass = "http://influxdb/api/v2/write";
+          proxyWebsockets = true;
+          extraConfig = ''
+            ${accessRules}
+            access_log off;
+          '';
+        };
+      };
+    };
+  };
+
  age.secrets.influxdb-admin-password = {
    generator.script = "alnum";
    mode = "440";
--- a/hosts/sire/guests/loki.nix
+++ b/hosts/sire/guests/loki.nix
@ -1,9 +1,12 @@
 {
  config,
+  lib,
  nodes,
  ...
 }: let
  sentinelCfg = nodes.sentinel.config;
+  wardWebProxyCfg = nodes.ward-web-proxy.config;
+  wardCfg = nodes.ward.config;
  lokiDomain = "loki.${config.repo.secrets.global.domains.me}";
 in {
  wireguard.proxy-sentinel = {
@ -11,6 +14,11 @@ in {
    firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.loki.configuration.server.http_listen_port];
  };

+  wireguard.proxy-home = {
+    client.via = "ward";
+    firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [config.services.loki.configuration.server.http_listen_port];
+  };
+
  nodes.sentinel = {
    networking.providedDomains.loki = lokiDomain;

@ -28,6 +36,51 @@ in {
          keepalive 2;
        '';
      };
+      virtualHosts.${lokiDomain} = {
+        forceSSL = true;
+        useACMEWildcardHost = true;
+        locations."/" = {
+          proxyPass = "http://loki";
+          proxyWebsockets = true;
+          extraConfig = ''
+            auth_basic "Authentication required";
+            auth_basic_user_file ${wardWebProxyCfg.age.secrets.loki-basic-auth-hashes.path};
+
+            proxy_read_timeout 1800s;
+            proxy_connect_timeout 1600s;
+
+            ${lib.concatMapStrings (ip: "allow ${ip};\n") wardCfg.wireguard.proxy-home.server.reservedAddresses}
+            deny all;
+
+            access_log off;
+          '';
+        };
+        locations."= /ready" = {
+          proxyPass = "http://loki";
+          extraConfig = ''
+            auth_basic off;
+            access_log off;
+          '';
+        };
+      };
+    };
+  };
+
+  nodes.ward-web-proxy = {
+    age.secrets.loki-basic-auth-hashes = {
+      inherit (nodes.sentinel.config.age.secrets.loki-basic-auth-hashes) rekeyFile;
+      mode = "440";
+      group = "nginx";
+    };
+
+    services.nginx = {
+      upstreams.loki = {
+        servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.loki.configuration.server.http_listen_port}" = {};
+        extraConfig = ''
+          zone loki 64k;
+          keepalive 2;
+        '';
+      };
      virtualHosts.${lokiDomain} = {
        forceSSL = true;
        useACMEWildcardHost = true;
--- a/hosts/sire/guests/paperless.nix
+++ b/hosts/sire/guests/paperless.nix
@ -6,12 +6,23 @@
  ...
 }: let
  sentinelCfg = nodes.sentinel.config;
+  wardWebProxyCfg = nodes.ward-web-proxy.config;
  paperlessDomain = "paperless.${config.repo.secrets.global.domains.me}";
  paperlessBackupDir = "/var/cache/paperless-backup";
 in {
  microvm.mem = 1024 * 9;
  microvm.vcpu = 8;

+  wireguard.proxy-sentinel = {
+    client.via = "sentinel";
+    firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.paperless.port];
+  };
+
+  wireguard.proxy-home = {
+    client.via = "ward";
+    firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [config.services.paperless.port];
+  };
+
  nodes.sentinel = {
    networking.providedDomains.paperless = paperlessDomain;

@ -38,9 +49,30 @@ in {
    };
  };

-  wireguard.proxy-sentinel = {
-    client.via = "sentinel";
-    firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.paperless.port];
+  nodes.ward-web-proxy = {
+    services.nginx = {
+      upstreams.paperless = {
+        servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.paperless.port}" = {};
+        extraConfig = ''
+          zone paperless 64k;
+          keepalive 2;
+        '';
+      };
+      virtualHosts.${paperlessDomain} = {
+        forceSSL = true;
+        useACMEWildcardHost = true;
+        extraConfig = ''
+          client_max_body_size 512M;
+          allow 192.168.1.0/24;
+          deny all;
+        '';
+        locations."/" = {
+          proxyPass = "http://paperless";
+          proxyWebsockets = true;
+          X-Frame-Options = "SAMEORIGIN";
+        };
+      };
+    };
  };

  age.secrets.paperless-admin-password = {
@ -75,7 +107,10 @@ in {
      PAPERLESS_URL = "https://${paperlessDomain}";
      PAPERLESS_ALLOWED_HOSTS = paperlessDomain;
      PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}";
-      PAPERLESS_TRUSTED_PROXIES = sentinelCfg.wireguard.proxy-sentinel.ipv4;
+      PAPERLESS_TRUSTED_PROXIES = lib.concatStringSep "," [
+        sentinelCfg.wireguard.proxy-sentinel.ipv4
+        wardWebProxyCfg.wireguard.proxy-home.ipv4
+      ];

      # Authentication via kanidm
      PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@ -74,23 +74,26 @@ in {
        ];
        dhcp.enabled = false;
      };
-      filtering.rewrites = [
-        # Undo the /etc/hosts entry so we don't answer with the internal
-        # wireguard address for influxdb
-        {
-          domain = nodes.sentinel.config.networking.providedDomains.influxdb;
-          answer = config.repo.secrets.global.domains.me;
-        }
+      filtering.rewrites =
+        [
+          # Undo the /etc/hosts entry so we don't answer with the internal
+          # wireguard address for influxdb
+          {
+            domain = nodes.sentinel.config.networking.providedDomains.influxdb;
+            answer = config.repo.secrets.global.domains.me;
+          }
+        ]
        # Use the local mirror-proxy for some services (not necessary, just for speed)
-        {
-          domain = nodes.sentinel.config.networking.providedDomains.grafana;
-          answer = "192.168.1.4"; # web-proxy
-        }
-        {
-          domain = nodes.sentinel.config.networking.providedDomains.immich;
-          answer = "192.168.1.4"; # web-proxy
-        }
-      ];
+        ++ map (domain: {
+          inherit domain;
+          answer = "192.168.1.4";
+        }) [
+          nodes.sentinel.config.networking.providedDomains.grafana
+          nodes.sentinel.config.networking.providedDomains.immich
+          nodes.sentinel.config.networking.providedDomains.influxdb
+          nodes.sentinel.config.networking.providedDomains.loki
+          nodes.sentinel.config.networking.providedDomains.paperless
+        ];
      filters = [
        {
          name = "AdGuard DNS filter";
--- a/secrets/rekeyed/sire-immich/48210b29550be1724e0e6a5603af581a-wireguard-proxy-home-priv-sire-immich.age
+++ b/secrets/rekeyed/sire-immich/48210b29550be1724e0e6a5603af581a-wireguard-proxy-home-priv-sire-immich.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 U8ytLQ ZDczMuStTpVUMGlObtJB5uA07U/OsrOXaocAGJQ5SUQ
+D4Lg2MwHZVFHhTBlCDB3ZAnigTCVnNOFII5Hs9FxoL0
+-> oV-grease Y>Wk^oz
+lG4J8UNTiqKwws8XmfgOZBtLBf83/OciQN+bWAFbbVd5JSl1SSUDuyu94bp34Udq
+MyziULMJLT/tgjRM8H/TmBbuuIhWImHegnSA0WAZ
+--- lSARhYuFG3dOCOJmNhgEhToUWyUxwBDQaYTrJ4KJQM0
+*¿�ù}Œ˜ãêR@íŸï§]F… ÕÞ\ª‰ŒH€Gl}Õûœ¸�4¥™¿'J‘‚g³<å%	‚ä1>€µï=Rë03Iˆª\Jñ�
--- a/secrets/rekeyed/sire-immich/489ba5990cd27a548ef61bf66d994759-wireguard-proxy-home-psks-sire-immich+ward.age
+++ b/secrets/rekeyed/sire-immich/489ba5990cd27a548ef61bf66d994759-wireguard-proxy-home-psks-sire-immich+ward.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 U8ytLQ Q49jP/1k8wgMHasJRs3j4qw4kDjmYMxzx190cqJpD34
+97gvdGUGDqP2LMdxuIM6u0FdNgKbUuKZl6p5irO+BeM
+-> 4FcwR4h*-grease Yn]g)b %taX> 066d`Ecg
+6cpXlQaMcTQU7dHNzQgZMeExv0KnJxzAov0BPBpFeiVfQPJqoDc+qgU
+--- 94bvmt9LqBAL3sqQRhc1k9vYo91+Fa7/r8nDpqnyXZ4
+ËLp#VÎP%7º†
…çdÖH~Æ}c¬�“|ž/UvF{[�¶Èö›sD¼ªÂC©y>š®Z°®õ³V@0Ã•–éáÙ^}1Þ¤ý$(�
--- a/secrets/rekeyed/sire-influxdb/861b8ef09e38949cccff27c22ee55340-wireguard-proxy-home-psks-sire-influxdb+ward.age
+++ b/secrets/rekeyed/sire-influxdb/861b8ef09e38949cccff27c22ee55340-wireguard-proxy-home-psks-sire-influxdb+ward.age
--- a/secrets/rekeyed/sire-influxdb/dc32381081efcf32fe844db1932a1ef4-wireguard-proxy-home-priv-sire-influxdb.age
+++ b/secrets/rekeyed/sire-influxdb/dc32381081efcf32fe844db1932a1ef4-wireguard-proxy-home-priv-sire-influxdb.age
--- a/secrets/rekeyed/sire-loki/158c4b0ca6a0f395e7398e0f9ddea00c-wireguard-proxy-home-priv-sire-loki.age
+++ b/secrets/rekeyed/sire-loki/158c4b0ca6a0f395e7398e0f9ddea00c-wireguard-proxy-home-priv-sire-loki.age
--- a/secrets/rekeyed/sire-loki/d381aba6054f5103c1ba555f0e7911cf-wireguard-proxy-home-psks-sire-loki+ward.age
+++ b/secrets/rekeyed/sire-loki/d381aba6054f5103c1ba555f0e7911cf-wireguard-proxy-home-psks-sire-loki+ward.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 Dbt6cA 3F3ffVdjqoNE4nNpgk03uASXUQqblxHp7fRRd6fyQWY
+e2zBfUZrG+9ABnB0FJ5nk30akz1It0w2tCz/KJVSpjg
+-> HR^-grease
+4p8h4NkKY88xZf5Xk63KxigmHQP8WUDMQPD0Vyfe8qCZ5YbhSgVcDHaTuUj858yw
+5xUPwfAjlWsonle5KdBtc0ym7AstzWTTrA10oM6chm/mUvRYDJDQslp5Cw
+--- fp/its46uEjme2IwXthKFS8GhsIwXqmDDKnLgAFxRAQ
+ó
+.å•öKÝ¬âX‚$^®•w˜	ÕbËTŸª[Ë9_¾U\lòØ¹šC¹ïJQÅ¯)âß¦ÑÄÀrÍÚ7æ…?y¯Ê°
--- a/secrets/rekeyed/sire-paperless/716cd0e8de5551b6bb6a87f8421141f3-wireguard-proxy-home-psks-sire-paperless+ward.age
+++ b/secrets/rekeyed/sire-paperless/716cd0e8de5551b6bb6a87f8421141f3-wireguard-proxy-home-psks-sire-paperless+ward.age
--- a/secrets/rekeyed/sire-paperless/78eac1248b5d98935bfdc3703e175cb3-wireguard-proxy-home-priv-sire-paperless.age
+++ b/secrets/rekeyed/sire-paperless/78eac1248b5d98935bfdc3703e175cb3-wireguard-proxy-home-priv-sire-paperless.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 vqFVQw cCoX+F+7E65ZyrMstKoMuXiml6Cto+mbEXlZj42EgFM
+wuV8ZDpI3ARBI7/JLGQd9lbtXEIYBPeIwnmAl7m9uBQ
+-> :d>Hp-grease tCr`4 p4^OM^c r _s0m
+fiVaHu4f3uYpHnJIoUZQXvF7eNMbsRvLPGdJ2/7jDno9oieC9RpISOLmiFpfagwR
+QcW/E5mYFqqxTSBj5qsdln8pr6Ngq7UCNyP9LTIinQo
+--- xmil/cv39XF68x2ukoH0bIHwxgcFVE3L/pczAcJ4dHI
+éˆ·WtOoK�9�ì,+F—~Í@Á?JçJòŒÄ`‚wÃ|íû
+x7Õ–[õÕ^%ïŸíAuÞ•5Î]ì¾¹ŒPl®ƒ¡ðŠÑ?
--- a/secrets/rekeyed/ward-web-proxy/b74c1fb0e8aba210e5e5cfe39a4f132d-loki-basic-auth-hashes.age
+++ b/secrets/rekeyed/ward-web-proxy/b74c1fb0e8aba210e5e5cfe39a4f132d-loki-basic-auth-hashes.age
--- a/secrets/rekeyed/ward/7a86bc5ecb46f75a01bf1b27ae49cf76-wireguard-proxy-home-psks-sire-influxdb+ward.age
+++ b/secrets/rekeyed/ward/7a86bc5ecb46f75a01bf1b27ae49cf76-wireguard-proxy-home-psks-sire-influxdb+ward.age
--- a/secrets/rekeyed/ward/d8a468ed875aef4509e9c0af53e44831-wireguard-proxy-home-psks-sire-paperless+ward.age
+++ b/secrets/rekeyed/ward/d8a468ed875aef4509e9c0af53e44831-wireguard-proxy-home-psks-sire-paperless+ward.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 iNceIg A1acm4APgJopInZlGV0zzs5kRZpTJuftDRsU6CIuBVs
+XkY/QRvKvaKJjLQ9wlGp+emQ+uamn+K62Beqsru61r8
+-> iuB-grease /U =s~<Mo
+Qt03xgKv
+--- DaTakn+mx7c6rJk97gDfUvKwSRRjwOxvRHbyogd3Zx8
+ê6{ûšÊÑ0—|�O%Qœl´%dÃ³yƒ±š¶BhÕÌtQd›úuòxåìd¦xÄøÞtßc€6�!»—Ÿ“•Ò8’UÆ…ï‘†=í.Ù1.
--- a/secrets/rekeyed/ward/f6b12ebdf2efc6a7892f2e5458d95cf6-wireguard-proxy-home-psks-sire-loki+ward.age
+++ b/secrets/rekeyed/ward/f6b12ebdf2efc6a7892f2e5458d95cf6-wireguard-proxy-home-psks-sire-loki+ward.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 iNceIg sXXiTAH7s2O/UyUZHmuMHnQMRAvOVIXxEc65AXqewXI
+Smfsb4y9aHWTX9KJKCRkiDCfOkSTNsci4kzFKHQ73WM
+-> CKelskGG-grease i[ 7 +}sM
+NlSd4X9OnX5luuy7kGXpJeOoeQg6Nbb4TK+/CyrmkMyRU+3swH+KOfKlcqr90pNV
+S+2cOg
+--- 727nBW/4ALXLr7W79wMIPyqhJbPzxCI3+W14kbRHx84
+ÙI£šåÃ‰O�0V^ …N ÓL8jÇ#gÞvÄÊû Š£ìü
+ð@Záè¦ùÕ€"œ*;ØmGÊ&KÙHj68×g#e#_Mì�-È
--- a/secrets/rekeyed/ward/fb12194e159c81499ee0ad944efd427d-wireguard-proxy-home-psks-sire-immich+ward.age
+++ b/secrets/rekeyed/ward/fb12194e159c81499ee0ad944efd427d-wireguard-proxy-home-psks-sire-immich+ward.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 iNceIg JvzQt+2ZkDJMDm1KlZQdDml8H4ycJ6AokJPSoZP5cU4
+wpodFTm/MHvNUgNMfKsRkBcqixtW01beo6sAiEdClcM
+-> ]s%j-grease F80K
+qNWHTRpraF9RkyWQgtAKTyx6zHnRE186qaTSMkEA6aRCsT6Gg
+--- eVGyjUp6M/kxFZahyFU1yzoLJSYuGduGZHf6tqkblCI
+(=qÕ“±›É<š$S±BãY©³a9jû~´Ý|Az®±·./€Å~JMÀw˜_¨%ò•9ÿbqg(Y>*3V^ÝèÇ&•ù»+Ja
--- a/secrets/wireguard/proxy-home/keys/sire-immich.age
+++ b/secrets/wireguard/proxy-home/keys/sire-immich.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 uJ3uiXX1C9PpMhT3kcYvUf8mIGxD8KTB6gGKdPGJnCs
+ei8KR51jD/rWUp494k6M20oTrwDTiGpdkbOOmW4lOXo
+-> piv-p256 xqSe8Q A92Qea9NZuHlV2xGjSo53jlPVnKjwBTbMPF23PeXXDrq
+IfzttqGs1jW3RlOKGm08vKtJIIkzwRT1fUoMwkbMbuU
+-> (-grease ;&ILFt\Z \H g&6+q2Xa Z
+ZribRa/ctUpGLy4veZe+BF+3YnF6tku94bsH72Exo2WulHZS
+--- Std/62CowuRVpxSYuzhJLHy5jNWMpnl6ILk4U7oW54s
+÷÷È:Äˆrês[á	½¹oÞ�ýïlâø£;Þl]m3�ÌŽnmËÐ5:Rk§§”Ù4Ç�xN°E#Å$®éd£/ÒünY�2r
--- a/secrets/wireguard/proxy-home/keys/sire-immich.pub
+++ b/secrets/wireguard/proxy-home/keys/sire-immich.pub
@ -0,0 +1 @@
+7Vu1OqBCLq6WNvah8QFBjnwNZUfZqzToFyQH2g/RJR4=
--- a/secrets/wireguard/proxy-home/keys/sire-influxdb.age
+++ b/secrets/wireguard/proxy-home/keys/sire-influxdb.age
--- a/secrets/wireguard/proxy-home/keys/sire-influxdb.pub
+++ b/secrets/wireguard/proxy-home/keys/sire-influxdb.pub
@ -0,0 +1 @@
+X2gXwt3IDGXOsg8Vy/yEhEQKCUS6ziLu5Kl8POMa1Sc=
--- a/secrets/wireguard/proxy-home/keys/sire-loki.age
+++ b/secrets/wireguard/proxy-home/keys/sire-loki.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 srRVmbOIPGk6sUIAARd6RLzzpKBVwIn+9RyuAPJ7aFI
+fxqhR+q4BDsscusJKTZTjKxeMPfLMnp/yZpIbvv6+SE
+-> piv-p256 xqSe8Q A/GX9EkFhcY/IjNQju+YdWMPyKVUj4YWuOoWxmszc1ws
+rGgn/7HdLObcwxYw8GthJxgiR6XTE3C0kY6UFMlMhfo
+-> ?-#-grease s<AE@O? nco.4{
+dWT6UI5KRbFdDQCI8WTikEjBNQ
+--- ot7MrclD1E66EW1DGzR9g1wHDWZ3wr1/dzCR8SmwBXI
+D´z¨±uQ…bD¼©ÿ�[›û¥PŠ¢:SäŸQ&œv4Ž˜¡¾ÔÎ®„håUæ’•2¢=RYãZµå©Â²Žz&ï²{‚
--- a/secrets/wireguard/proxy-home/keys/sire-loki.pub
+++ b/secrets/wireguard/proxy-home/keys/sire-loki.pub
@ -0,0 +1 @@
+ZCoXjgt4eb4uEkxXDluY8t7aM5EKeHeUpqvVFhFcHFA=
--- a/secrets/wireguard/proxy-home/keys/sire-paperless.age
+++ b/secrets/wireguard/proxy-home/keys/sire-paperless.age
--- a/secrets/wireguard/proxy-home/keys/sire-paperless.pub
+++ b/secrets/wireguard/proxy-home/keys/sire-paperless.pub
@ -0,0 +1 @@
+BuccuL6/E5B1xnuhaLQf/pOll+TPeeFEGU1ZPd8PpjA=
--- a/secrets/wireguard/proxy-home/psks/sire-immich+ward.age
+++ b/secrets/wireguard/proxy-home/psks/sire-immich+ward.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 ocNApTQlwFHphPMWeXS60TWO8RY4kXv1/G7mpvCRfno
+q4tgumwcZKxNrObdkxLpU9tPttrDe5oZzOZYu+boNCE
+-> piv-p256 xqSe8Q A8FzxSYN5kOVb8VG57H105SMUC8P+IRBz5oCN4QX7F6D
+7YesnMqNXTyR5Ojtli9R8atxm5dqi9cjEvnnuyT6I1g
+-> %5P"-grease ,Wf aH@;2_dA ~4s:8[
+opJOhAN4Evvp4x7ndCEfALKDUMvvpqlbwUTSplehbPI
+--- oMT/RknMnLIf0ujr+Q/xOCxN8qDOVkNYCVEjoJ3AscA
+¥vŒúYv](Õ¬–¥*þ™nÛ‡
Eö1›x”Í˜]¯Œ:;ÿi' -µÑ«Klú=úñúPÎô·nv}i|5QÝ £’s
--- a/secrets/wireguard/proxy-home/psks/sire-influxdb+ward.age
+++ b/secrets/wireguard/proxy-home/psks/sire-influxdb+ward.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 n0ZRfnfbYjTn81ODTPvPNmKsBXDGwV6Jwgn4ZMgF/Us
+SrmR4Z6rteUSVrji5cbRlj5tSQAcBoWHKvsombOI9O4
+-> piv-p256 xqSe8Q A1lLYmIImnShNJs/w0ZVFj6s3RDNvo/nGq9KeqK9Ig7b
+6GRcS3PVrcL6zhW/1XpMup1fcCPgelPuXmdt3t+J08s
+-> EG"Ke-grease N
+37HKhYODIAQxbHJI
+--- ub+9rWPOnVMWpczIB/ForaQp96zRfOVV7bMuTij/1oQ
+.hý®ÿ6õÄ{JÎ©†¨—Åš×Î!˜,õ¤½X2™ºÿŽPLçF{GXœ¹B†ÈÉõm&ŠÃcÿuZoÜ£B0Gì’ÍŽa×ßöç
--- a/secrets/wireguard/proxy-home/psks/sire-loki+ward.age
+++ b/secrets/wireguard/proxy-home/psks/sire-loki+ward.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 8SGiO7KFBiQdJk1Jo4E+56tO0pLmMYm+bPKR6g1DIhI
+Cw0mWE+UCF3FWQ2FIdgK4kzRSZFfwgWdByHv4z0Abis
+-> piv-p256 xqSe8Q AxtYXQlcKaqNDVzSMhqnznLAbkoeK2H0AP077+zm2prm
+dWzLjMjdV5ymJ2BNcHB7PbIBFHJffmRr3/gX+U8XCpM
+-> `-grease " &J
+U2DWpgjq1+nj62O9GDB0BNRgrqHy5fb53tYKHmmK9Q
+--- Y1GEP2kbfAqpVO4qWxnvkP3hloEyAAwIzy4PllrnTQc
+faˆ�©U¦’yGòYP©hï"pnxÍ’ìV*ÚÅóíGÁÖK=‡÷ß‡ÛYît5?QuaÞµKBQ…y>²
+ûÏ<h&ÕtnÌý2ëyœç
--- a/secrets/wireguard/proxy-home/psks/sire-paperless+ward.age
+++ b/secrets/wireguard/proxy-home/psks/sire-paperless+ward.age
				`@ -0,0 +1 @@`
				`7Vu1OqBCLq6WNvah8QFBjnwNZUfZqzToFyQH2g/RJR4=`
				`@ -0,0 +1 @@`
				`X2gXwt3IDGXOsg8Vy/yEhEQKCUS6ziLu5Kl8POMa1Sc=`
				`@ -0,0 +1 @@`
				`ZCoXjgt4eb4uEkxXDluY8t7aM5EKeHeUpqvVFhFcHFA=`
				`@ -0,0 +1 @@`
				`BuccuL6/E5B1xnuhaLQf/pOll+TPeeFEGU1ZPd8PpjA=`