feat: add new host envoy for mail, switch disko to partlabel

hosts.toml

@@ -1,3 +1,5 @@
+# Desktops
+
 [kroma]
 type = "nixos"
 system = "x86_64-linux"
@@ -6,18 +8,26 @@ system = "x86_64-linux"
 type = "nixos"
 system = "x86_64-linux"
 
+# Cloud Server
+
+[envoy]
+type = "nixos"
+system = "x86_64-linux"
+
 [sentinel]
 type = "nixos"
 system = "x86_64-linux"
 
+# Home Server
+
+[sire]
+type = "nixos"
+system = "x86_64-linux"
+
 [ward]
 type = "nixos"
 system = "x86_64-linux"
 
-[sire]
-type = "nixos"
-system = "x86_64-linux"
-
 [zackbiene]
 type = "nixos"
 system = "aarch64-linux"

hosts/envoy/acme.nix

@@ -0,0 +1,30 @@
+{config, ...}: let
+  inherit (config.repo.secrets.local) acme;
+in {
+  age.secrets.acme-cloudflare-dns-token = {
+    rekeyFile = ./secrets/acme-cloudflare-dns-token.age;
+    mode = "440";
+    group = "acme";
+  };
+
+  age.secrets.acme-cloudflare-zone-token = {
+    rekeyFile = ./secrets/acme-cloudflare-zone-token.age;
+    mode = "440";
+    group = "acme";
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      inherit (acme) email;
+      credentialFiles = {
+        CF_DNS_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-dns-token.path;
+        CF_ZONE_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-zone-token.path;
+      };
+      dnsProvider = "cloudflare";
+      dnsPropagationCheck = true;
+      reloadServices = ["nginx"];
+    };
+    wildcardDomains = acme.domains;
+  };
+}

hosts/envoy/default.nix

@@ -0,0 +1,42 @@
+{
+  config,
+  nodes,
+  ...
+}: {
+  imports = [
+    ../../modules/optional/hardware/hetzner-cloud.nix
+
+    ../../modules
+    ../../modules/optional/initrd-ssh.nix
+    ../../modules/optional/zfs.nix
+
+    ./acme.nix
+    ./fs.nix
+    ./net.nix
+  ];
+
+  boot.mode = "bios";
+
+  users.groups.acme.members = ["nginx"];
+  wireguard.proxy-sentinel.firewallRuleForAll.allowedTCPPorts = [80 443];
+  services.nginx.enable = true;
+  services.nginx.recommendedSetup = true;
+
+  meta.promtail = {
+    enable = true;
+    proxy = "sentinel";
+  };
+
+  # Connect safely via wireguard to skip authentication
+  networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [nodes.sentinel.config.networking.providedDomains.influxdb];
+  meta.telegraf = {
+    enable = true;
+    scrapeSensors = false;
+    influxdb2 = {
+      domain = config.networking.providedDomains.influxdb;
+      organization = "machines";
+      bucket = "telegraf";
+      node = "sire-influxdb";
+    };
+  };
+}

hosts/envoy/fs.nix

@@ -0,0 +1,29 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (config.repo.secrets.local) disks;
+in {
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/disk/by-id/${disks.main}";
+        content = with lib.disko.gpt; {
+          type = "gpt";
+          partitions = {
+            grub = partGrub;
+            bios = partBoot "512M";
+            rpool = partLuksZfs disks.main "rpool" "100%";
+          };
+        };
+      };
+    };
+    zpool = with lib.disko.zfs; {
+      rpool = mkZpool {datasets = impermanenceZfsDatasets;};
+    };
+  };
+
+  boot.loader.grub.devices = ["/dev/disk/by-id/${disks.main}"];
+}

hosts/envoy/net.nix

@@ -0,0 +1,38 @@
+{config, ...}: {
+  networking.hostId = config.repo.secrets.local.networking.hostId;
+  networking.domain = config.repo.secrets.global.domains.me;
+
+  boot.initrd.systemd.network = {
+    enable = true;
+    networks = {inherit (config.systemd.network.networks) "10-wan";};
+  };
+
+  systemd.network.networks = {
+    "10-wan" = let
+      icfg = config.repo.secrets.local.networking.interfaces.wan;
+    in {
+      address = [
+        icfg.hostCidrv4
+        icfg.hostCidrv6
+      ];
+      gateway = ["fe80::1"];
+      routes = [
+        {routeConfig = {Destination = "172.31.1.1";};}
+        {
+          routeConfig = {
+            Gateway = "172.31.1.1";
+            GatewayOnLink = true;
+          };
+        }
+      ];
+      matchConfig.MACAddress = icfg.mac;
+      networkConfig.IPv6PrivacyExtensions = "yes";
+      linkConfig.RequiredForOnline = "routable";
+    };
+  };
+
+  networking.nftables.firewall.zones.untrusted.interfaces = ["wan"];
+
+  # Allow accessing influx
+  wireguard.proxy-sentinel.client.via = "sentinel";
+}

hosts/envoy/secrets/acme-cloudflare-zone-token.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 Y7J0KmGssDwytzJSMTKnb2qVfCBEl4nMiKeg4PDhbhM
+R+FV22jr0XcybGJk8Z2o40O5ptRK3NPgQOxJ7HlORho
+-> piv-p256 xqSe8Q AyC1XlhbGhbfUBn4gV56t48AazKi5Lt9H5BCOZqbTtOp
+s3mrvVrMZ/kTdUSjKyBWa5hUFL2fwL2xRo7UFF0AwP0
+-> Ao-grease vp@ m_b
+oV7D7L5dZtF75bJ6Ms0yZr92rENJmE4xKpdlBp4h40onYWv1Z17R2/bmygv5MD9+
+S7J25g3rxfk00fUOK8cwDcWyRtp4jQqcooJyrQ
+--- J/aXuudcbUAfU06R065fsvPTX2qZr0w0eZ9gI6I+McY
+vÂâ-##·¬=|Ú•˝-IÝR†·żÝn<§z´fÄ.\śő‘cU/OÓ	6÷¶ëĽ±�Üož’Ţ$ő¶8\Ň6E•ËeËí†n

hosts/envoy/secrets/host.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHgdSxSAnqaIqpr7OhyaKXGfQLUWf2bkpyF2mSG01LVv

hosts/envoy/secrets/local.nix.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> X25519 Iz/ZYzOsB5ONZTT2azO8HcfvwEdS8zjYv2a+gdSa6Rw
+3RvSD6jq4IKXOWmgFiLK0OgZkvrbRQZLqlYgiVMixAY
+-> piv-p256 xqSe8Q A4BW1CqEWMOdGkIjIqvXJrzC54BBaEbnhywgd1UA9gQf
+lRdaSMaW/xFvzBYk56T6ld64vrFS4EbQdcJJarOd2hE
+-> Xw[-grease ^u-qoTf JV
+7ht6GO0MH9xXNpmbVpi/NYiy27V0XHtE+qNmMqZSj0/rVtnYWMhm4Ezu+3Y
+--- EYikW64z1mfwwVgFevfGeo4Sp4994H8WnvbJ+RfxMnc
+Pðlðb wqÚZêÿÉÞœä9‚ÁÃí—Ô«:V†ål~(Þƒ¦#xÒ£V[ã|!óæccVn»%®
kÊYðr­;hS)g�gELÀ€‘wZAôJHµÚj~a´Ëö{®*ªC8·
+ábÓi!
˜ãÏ#â	K4¶‡À/3Ð$I§c7’Uèÿ…Tš°j«×f€Ëj`LX0f•hO%~ª”¥*]Þc“Óñ­¯›œÞR¤Aß0Øy¿0¤v¯²¨#{·CÙ.BqW-ÓÄÊÁž1WÂ7/jÈ”ã}!òÓãüçò/„¡öEb%Ô ƒ—št«q¼²!éùe>g€ó)Λd~Üð„¨yA
+‰ZŽá¼NÐÏß쟞mo–|„˜ÆrX˜Íˆº6T$¿~5ÜýýÍ‚Rj>û– zh•³•K�IeÀdä}›Nó zZñãšá¢e`e¦Ý�Äb~KÆÐ]hï1—ÇÉè½yF

hosts/kroma/fs.nix

@@ -7,30 +7,15 @@
 in {
   disko.devices = {
     disk = {
-      ${disks.m2-ssd} = {
+      m2-ssd = {
         type = "disk";
         device = "/dev/disk/by-id/${disks.m2-ssd}";
         content = with lib.disko.gpt; {
           type = "gpt";
           partitions = {
-            efi =
-              partEfi "0%" "1GiB"
-              // {
-                # FIXME: Needed because partlabels are 💩: https://github.com/nix-community/disko/issues/551
-                device = "/dev/disk/by-id/${disks.m2-ssd}-part1";
-              };
-            swap =
-              partSwap "1GiB" "17GiB"
-              // {
-                # FIXME: Needed because partlabels are 💩: https://github.com/nix-community/disko/issues/551
-                device = "/dev/disk/by-id/${disks.m2-ssd}-part2";
-              };
-            "rpool_${disks.m2-ssd}" =
-              partLuksZfs disks.m2-ssd "rpool" "17GiB" "100%"
-              // {
-                # FIXME: Needed because partlabels are 💩: https://github.com/nix-community/disko/issues/551
-                device = "/dev/disk/by-id/${disks.m2-ssd}-part3";
-              };
+            efi = partEfi "1G";
+            swap = partSwap "16G";
+            rpool = partLuksZfs disks.m2-ssd "rpool" "100%";
           };
         };
       };

hosts/nom/fs.nix

@@ -7,39 +7,24 @@
 in {
   disko.devices = {
     disk = {
-      ${disks.m2-ssd} = {
+      m2-ssd = {
         type = "disk";
         device = "/dev/disk/by-id/${disks.m2-ssd}";
         content = with lib.disko.gpt; {
           type = "gpt";
           partitions = {
-            "rpool_${disks.m2-ssd}" =
-              partLuksZfs disks.m2-ssd "rpool" "0%" "100%"
-              // {
-                # FIXME: Needed because partlabels are 💩: https://github.com/nix-community/disko/issues/551
-                device = "/dev/disk/by-id/${disks.m2-ssd}-part1";
-              };
+            rpool = partLuksZfs disks.m2-ssd "rpool" "100%";
           };
         };
       };
-      ${disks.boot-ssd} = {
+      boot-ssd = {
         type = "disk";
         device = "/dev/disk/by-id/${disks.boot-ssd}";
         content = with lib.disko.gpt; {
           type = "gpt";
           partitions = {
-            efi =
-              partEfi "0%" "8GiB"
-              // {
-                # FIXME: Needed because partlabels are 💩: https://github.com/nix-community/disko/issues/551
-                device = "/dev/disk/by-id/${disks.boot-ssd}-part1";
-              };
-            swap =
-              partSwap "8GiB" "100%"
-              // {
-                # FIXME: Needed because partlabels are 💩: https://github.com/nix-community/disko/issues/551
-                device = "/dev/disk/by-id/${disks.boot-ssd}-part2";
-              };
+            efi = partEfi "8G";
+            swap = partSwap "100%";
           };
         };
       };

hosts/sentinel/fs.nix

@@ -7,30 +7,15 @@
 in {
   disko.devices = {
     disk = {
-      ${disks.main} = {
+      main = {
         type = "disk";
         device = "/dev/disk/by-id/${disks.main}";
         content = with lib.disko.gpt; {
           type = "gpt";
           partitions = {
-            grub =
-              partGrub "0%" "1MiB"
-              // {
-                # FIXME: Needed because partlabels are 💩: https://github.com/nix-community/disko/issues/551
-                device = "/dev/disk/by-id/${disks.main}-part1";
-              };
-            bios =
-              partEfi "1MiB" "512MiB"
-              // {
-                # FIXME: Needed because partlabels are 💩: https://github.com/nix-community/disko/issues/551
-                device = "/dev/disk/by-id/${disks.main}-part2";
-              };
-            "rpool_${disks.main}" =
-              partLuksZfs disks.main "rpool" "512MiB" "100%"
-              // {
-                # FIXME: Needed because partlabels are 💩: https://github.com/nix-community/disko/issues/551
-                device = "/dev/disk/by-id/${disks.main}-part3";
-              };
+            grub = partGrub;
+            bios = partBoot "512M";
+            rpool = partLuksZfs disks.main "rpool" "100%";
           };
         };
       };

hosts/sire/fs.nix

@@ -8,28 +8,18 @@ in {
   disko.devices = {
     disk =
       {
-        ${disks.m2-ssd-1} = {
+        m2-ssd-1 = {
           type = "disk";
           device = "/dev/disk/by-id/${disks.m2-ssd-1}";
           content = with lib.disko.gpt; {
             type = "gpt";
             partitions = {
-              efi =
-                partEfi "0%" "1GiB"
-                // {
-                  # FIXME: Needed because partlabels are 💩: https://github.com/nix-community/disko/issues/551
-                  device = "/dev/disk/by-id/${disks.m2-ssd-1}-part1";
-                };
-              "rpool_${disks.m2-ssd-1}" =
-                partLuksZfs disks.m2-ssd-1 "rpool" "1GiB" "100%"
-                // {
-                  # FIXME: Needed because partlabels are 💩: https://github.com/nix-community/disko/issues/551
-                  device = "/dev/disk/by-id/${disks.m2-ssd-1}-part2";
-                };
+              efi = partEfi "1G";
+              rpool = partLuksZfs disks.m2-ssd-1 "rpool" "100%";
             };
           };
         };
-        ${disks.m2-ssd-2} = {
+        m2-ssd-2 = {
           type = "disk";
           device = "/dev/disk/by-id/${disks.m2-ssd-2}";
           content = lib.disko.content.luksZfs disks.m2-ssd-2 "rpool";

hosts/ward/fs.nix

@@ -7,30 +7,15 @@
 in {
   disko.devices = {
     disk = {
-      ${disks.m2-ssd} = {
+      m2-ssd = {
         type = "disk";
         device = "/dev/disk/by-id/${disks.m2-ssd}";
         content = with lib.disko.gpt; {
           type = "gpt";
           partitions = {
-            efi =
-              partEfi "0%" "1GiB"
-              // {
-                # FIXME: Needed because partlabels are 💩: https://github.com/nix-community/disko/issues/551
-                device = "/dev/disk/by-id/${disks.m2-ssd}-part1";
-              };
-            swap =
-              partSwap "1GiB" "17GiB"
-              // {
-                # FIXME: Needed because partlabels are 💩: https://github.com/nix-community/disko/issues/551
-                device = "/dev/disk/by-id/${disks.m2-ssd}-part2";
-              };
-            "rpool_${disks.m2-ssd}" =
-              partLuksZfs disks.m2-ssd "rpool" "17GiB" "100%"
-              // {
-                # FIXME: Needed because partlabels are 💩: https://github.com/nix-community/disko/issues/551
-                device = "/dev/disk/by-id/${disks.m2-ssd}-part3";
-              };
+            efi = partEfi "1G";
+            swap = partSwap "16G";
+            rpool = partLuksZfs disks.m2-ssd "rpool" "100%";
           };
         };
       };

hosts/zackbiene/fs.nix

@@ -7,30 +7,15 @@
 in {
   disko.devices = {
     disk = {
-      ${disks.mmc} = {
+      mmc = {
         type = "disk";
         device = "/dev/disk/by-id/${disks.mmc}";
         content = with lib.disko.gpt; {
           type = "gpt";
           partitions = {
-            efi =
-              partEfi "0%" "1GiB"
-              // {
-                # FIXME: Needed because partlabels are 💩: https://github.com/nix-community/disko/issues/551
-                device = "/dev/disk/by-id/${disks.mmc}-part1";
-              };
-            swap =
-              partSwap "1GiB" "9GiB"
-              // {
-                # FIXME: Needed because partlabels are 💩: https://github.com/nix-community/disko/issues/551
-                device = "/dev/disk/by-id/${disks.mmc}-part2";
-              };
-            "rpool_${disks.mmc}" =
-              partLuksZfs disks.mmc "rpool" "9GiB" "100%"
-              // {
-                # FIXME: Needed because partlabels are 💩: https://github.com/nix-community/disko/issues/551
-                device = "/dev/disk/by-id/${disks.mmc}-part3";
-              };
+            efi = partEfi "1G";
+            swap = partSwap "8G";
+            rpool = partLuksZfs disks.mmc "rpool" "100%";
           };
         };
       };

secrets/generated/envoy/telegraf-influxdb-token.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 V7BwuAWcBb8XH3Eb6tWfyfoCL1shUP1kgWFDDubzPCw
+4FlGy8DMzFpgN+wOEj4yrMgctNibQP6afuv79LlpZig
+-> piv-p256 xqSe8Q A3VKu8wLRa7PX8kdNYS5chPWZgdUOWcR6tbfq0G9QVr7
+b8Z8cCA8BRHjLxAe0o/57ifVOI/xrUChoMCikui0bgY
+-> T-grease }@.z [ ./ %/A8'7
+69b+3UIwlyGj0TrDvVVkCO/+Jvnk
+--- yPe/jQ7/2m7jqcVE1Z/+vrAbPRK9A65DbDbkOrcSnNM
+áטþojèTÝ:E—8ÜGÓÊ�%±#‰q=<óaèÈåéhI-aô�'PÚöa¦”ðqIþBRe¨‡DW<ù+¥QúéöOQ~ÿ

secrets/rekeyed/envoy/18339a3d1929a51d4e47d2541c123e2c-wireguard-proxy-sentinel-priv-envoy.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 yV7lcA ro8yCQGqIdBBovM2iK7imSP88HGNQwpan0yauSw5qU8
+VbL9PnSeLvQojxZ0qrb7wJ3a6NSCQHqPQyKh70CjVqM
+-> )NZc,-grease EFSDzU\| \uz{0/ NN<#vF{
+1Cu8YWV71eWkHxA7I3dw1+sWIWtUC5sWxRKZiH64h5g
+--- JDjw2+EYI9KJSnfhUinszT2Q5531mDwcrK3kflQDbzA
+¥ÌIÉ�9HŠþþŠéê"¦!•ÜTûÊKâ³$[�óÖb|
ö¨–0›$Ÿ¿î]\Êd;9%–·‹Š¢–¤ãkË>f	@I�cÈxñ•ºÒ

secrets/rekeyed/envoy/192d6b442164766c6509bcaedc330592-promtail-loki-basic-auth-password.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 yV7lcA I5wScaDWTGX1gasgX1yIrxC/ydftpHQJSCe+D45H+x4
+rL7dK7KvxBi7WjR33Uk8ApLCahQwYaH4lXJSjXfWeio
+-> `l10-grease _, &7 fe-*# /,uA
+enpbx3yatzXTsg
+--- yrSIElR05M59DbLbtVM++07G1jygBtfsD26buadiqBY
+	£;ö|…í‹J? »Šñg·”¸
*Q•tA1Ô>™€\҇󤌰mÌéŽäÿŠ•Æ‘ØÊýcžBK¡™M—&��O7Ü<�C)ÿ3Üï�Í.�`>

secrets/rekeyed/envoy/2689b787b982e885b1ba3361b7affbe2-wireguard-proxy-sentinel-psks-envoy+sentinel.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 yV7lcA YJsWJO8spPFzaDtGlvw8qccQ1L9RpirgE8TPsc9aNhk
+0PuAaJS7EXN8G4vck0Pm+XOf/nLUylZDH8j53SoAuA4
+-> mh!+A:^-grease <,
++siLvQ+lKp1BU8l7t54
+--- DVzyObFZjySus/P22atP2xYm0+ZDdhgDoon8u5ijZEI
+áçô°^‚ÏÅŽ­]s–ÀX¬^Ì›¬êî¶|J®�Ce”’—:Ì_I4†ÿÓ˜dÆóF�ŠRÏ5AŽÀò)ó¶•>÷�	ªînî§è÷u

secrets/rekeyed/envoy/2ef9539ec793ecd1fce9cb9b732ca42a-initrd_host_ed25519_key.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 yV7lcA 24sIrRomFFXsZ57wFq/Alchpea891THmcqcCp8WIaQI
+60isrJZAzhUyQ0WDYzIqwEarHFsJdMKaIoYsubP2sgQ
+-> i{WB:-grease 0mO
+lWfmjDoi
+--- VN5AXCQjnCaaudIcFrKrH/J6iQLeVDDs6lT24YONEws
+>i%hÀ¬4bÉ6Zîì7•âóYȦ¼¨%B:oÅ܆,?®rÀ1dÓgs€qþ](QÙÚ÷É-=^pÁöz˜}
…�Ÿ5üÈvªýÄŒîd‹^n´
ÖÉáxÇÊ¿!ª2%hy8ÀKÈ}å	?	]
ãyο»…iî0Áš¦ÏÍ9Z�
Ó†M-!ìàÑÖ™�0ŠNV�ˆ‡°™U™[©D07¢KfÌ@tIžU©Ö±ÉeÑ|‰þ­p%j(±#<¨+½-í6FÔêø=c�φamqš,ƒ]☕ˆ§m¤+�Úί5’ž„
×…0µ�&*rѯlÐ	€¡ºÞhNäuL�\ˆîM]BEíÎßFö Ýt%ðó�?ä.‚Új x†*±ý
+ãSÙo" ¹�ïánÅ+âáVðÇþ³ënʤl#ó³ÿ©ûç‚þÊÅ>,ü¦»âÝ^¦^§Š¿¨%µPi
+ä?1n¿ºŒ$ÌpÌû0o§lùŽÄâÄl÷¡î8k¡UÞŠY ºõt<龶W‡1*h—³EÃÍÑÊ{€rx�3’°Ÿ–t+¶‰­Së}ý¾ÀÙŠ

secrets/rekeyed/envoy/adc68343fd1e82562f7f6fb8666deb22-acme-cloudflare-dns-token.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 yV7lcA a+d05L2QodqMakVeeKaHaTqUUQjqkZyE0yDW8L4/VkQ
+uzwmBpz1Cyaiuqp/OxQOUY5Kq7LpffGAhS8uvwvTMgw
+-> 2YW09-grease e Cpd|.76
+1gf8alzcxM/al3TN119HGyJdq3ZsGgGL2K60UUSelg
+--- sU+WGjV9XFeGHxh7CmsUWSUNCrJaFFMEQRE56HhZxms
+šÕêY*ä“f•t
a=Ö±3Íìf=Yžh^|¸Øºo©z.¹ÃG}Œ¦“Ã:Zûo+Ûd¯¡¯‘/°s��;¡F„",¹]û�÷2á

secrets/rekeyed/envoy/fbe90fea6015be22bc47a2164a0f22f0-acme-cloudflare-zone-token.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 yV7lcA Q8NjkvIVBHAbDj0dDmFkiumtDjTBCAEZVrhiklFzzFk
+SDDTiC1fxy5XOVVqyFLuunx1O5qvMWSBdKEsIceKgBQ
+-> _ef4v-grease
+FsmTbPsm7eoAjXgaegyCthI4YvOl7T0ucIwr4lCF9IViwhLaa2Pv47HEZfOgkos+
+2yYSmVj8MFI4nO2epCrLVdtdUe2PhMw+0Brv6IoX4N4S
+--- z9G4Xvmg/WK4y8qyV6aP68AVGONt5nC98Ewj2MVMOCs
+S{+
taŸ>Ÿ³¿gш0�²+nÝq\ã5¶"uá7Šs¤{Óó¯×	ÝÆŽÔa?ùY„{]¸O?žYß>›�†Ôç‰âÓõ¦–•

secrets/rekeyed/sentinel/2689b787b982e885b1ba3361b7affbe2-wireguard-proxy-sentinel-psks-envoy+sentinel.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 yV7lcA FPyVM8Oy0xNsKf2cJEZ3hBpSbr1hf/hmnM7GFOuE3Q0
+Z50LLBpDRNItinG6u+xaItYW9YezvdSBjE08dtHSjXc
+-> R-grease yC`(= <jE
+f5Lwr1aWSUnQhDaIeN4
+--- Igi4vXPKAP9OqLRCdK0RVoGAGb3NqgSl/BtiDDWSxis
+Ø‚6à‚ í¦q€taO‰+Î4úƒÇºgÖó ±Ñ��åºÂPg¢'´aÁZ¤6Ö×9 ¾C®zèˆ�·•@ä_«ø¹ÔÌ€ï

secrets/rekeyed/sentinel/4cff83edc1d2b2ca516f8cb63fb06782-wireguard-proxy-sentinel-psks-sentinel+sire-ai.age

@@ -1,8 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 yV7lcA /KC8F/lM5E8cNGSk5aDjhxYEQJDZhv4fdZmY8tOd0ic
-dLzqTpJRzwb1jmaQB7MqOcMYoh/1jpm/u8AK+lG3uMI
--> NX-grease mWzYBZ k<&L`D_
-dn3tatoIJ8BZuGlJ
---- Zxr1wrJSf6CGK+EpHNZyobURdv+ISrafHBRrBLhaUZU
-‰(µ&ÄÄíî7ªËQi0§#a:6Y¦£ZÕÊvéIèÒkál=Ï¢dÜð¹îKÌ
-7vw]qãÅ`â×
±Ò!_“sÓâòóq~[a9à

secrets/rekeyed/sentinel/8df8bc7331f1c1b2112f03dbbbfe126c-wireguard-proxy-sentinel-psks-sentinel+sire-samba.age

@@ -1,9 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 yV7lcA PPKZ78iD3jThcf5YkIOC5hKTeDHcT77g11UZ0vc8IjE
-lgkPYZAMzhVZpUSk13rzBJTDW1pNeOyuVAkNpqJb4lg
--> %%JlO}-grease C[7]eK3F KX &_=S \FSSf[^<
-
---- Tww9Yj1LeH6zq/6A7TJo5i9rMUNGV0VN6Yyf44aRnpM
-ÑjD£A6%ß®Z4áäî
ˆ]ÁPq ¾Òa!b
-¹”iük®Kø† £¹
�at螨N7®-sëæ5¢³šÞþ8@b“
-‚¥.

secrets/rekeyed/sire-ai/89b98207bb1577a81049b4ce319739bf-wireguard-proxy-sentinel-psks-sentinel+sire-ai.age

@@ -1,7 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 vhmDsA nYG2Z2yA03ESRpjgbIDkEoTEH6AJc1v1RUeS+z3cyVY
-vzPGWSTfQwY4kqUjAO/SVJatgcbGd904c/SluNLgpZc
--> Ym-grease
-twk
---- WSBuW7VDmG3ToQrlbccevVe0u0NI/RZYtvcqGSm4Tco
-M�獟惉鐨V1gR'袤単1鈽"鄖
[渳擻菣�V酪uс堇爑挞x腊$囉磜渜樳YP愅箽肚B

secrets/rekeyed/sire-influxdb/556953d98099cdb7f1274d6e0bd62443-telegraf-influxdb-token-envoy.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 1tdZKQ ZNcyXbeW/bii8cBafPVHi45e07DPoXfFFyPWOm6XanY
+9Jeo7X34qcyiKm1LMQdbsDVaOsgZI/lyl0hARfbcakU
+-> }zO<<U-grease ls\.$Cf
+PyKy2zpmpEwLrAikw4XFNAyujvy3dQUsRTsyEq6YRqVXd8QihnxLFVzHiA
+--- ZidPkRsL+u7okLSFiIpAuLUwbRcKj5zo1NGxDnac8oU
+Íl]K5k"2‡Ã-i™
�r­½‘mýÚ)jÈ0t·�hœ4ñ®¸� 3µš¹©õ®Wn<
…¼0q
�	«r;K¹
$œCøµìm$ÈÀ,ð

secrets/rekeyed/sire-samba/52e0b64f69eb5e84fcccee0f8141cce7-wireguard-proxy-sentinel-priv-sire-samba.age

@@ -1,9 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 rQrJ/w rBq18FEF23qZMQ1L0ZmPwes7YA6c5tcYghl+wMpH4UE
-KsWpipPanBEkM0sJO91aGEUJVLNbKfCGlB8n1AJMe58
--> -iJ@"-grease
-e0JwXaE3AG+cwHCgRoYZamBMyxEd60t3woMN4WAChA2FL1sBJ8F+3BFjZdACZDYy
-02KPJC2pCplo+rsTpMZd/XRw7+icfGcatjM5yEOuJKz3zNdsKtMnwXGR8BKV4w
---- eWHO47OEkFmhlJ+AxIutCfholFzG3SU/M5H4u1wM0Ew
-p¤¢”ü6ýS"\£€3
-O ¼¤¬,()a.ÌDe>¿»>c­„I3ÆçR
Ôoý,)èª[Ù8ml°ó“¬!9˜¤…¦)+"G·”ZøP·

secrets/rekeyed/sire-samba/9cb014e8ff14329d085de1287ff23802-wireguard-proxy-sentinel-psks-sentinel+sire-samba.age

@@ -1,7 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 rQrJ/w EuoChlYXjzab/J3l8oB5V5NJNtpcr5yAOd6y9m4rjSg
-MAJwhKjR+hBx5AEZx95wZvP6IeYAIiksy+zc5ukkQdg
--> S5c!<-grease qdoe 9a_t1FH
-YuKwOpJ1hoqJl+xYxNW6J88aGGiiceHyHy9RgajmXBsivTDbeaEeXRGdJySGWA
---- F2Mty9Hr43tH1SomwZ2vzgj1zQCdVw5pHcVOFIVjZfQ
-9»eg‚‚o«Èf�G}gNçôäi8`(ë–ª33ÇÛd^=Ê×­÷Ž×¾©-˜¾¦ÒWX*й�«ê=Liñù{Ý%3s�ÔéÇÎo"yl

secrets/rekeyed/zackbiene/2114c48ad63cd022bc589099aa7ae978-mosquitto-pw-home_assistant.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 DynNMA 0jbyffbAwO0+WtJmLPgBdQ6o4BQfhtyoR3eC/CisgyY
+nx2vpN/ZWdoG6z0GVA5a4563wiySTlr+BUggqeAxfVU
+-> fHq^-grease $1R? 4g mF
+6Y3otzVbFmwsR3Jqy6G82g9wnKz5JB5tSblkn6O9UoO5
+--- wiu0ndqSrU3ofFPn8WlpLJz3JaMRSGDYcxR8A+QHSbI
+g[û^0ÄJìI‘¢¸—ÿ«3}§ß½c·m`íç-“x�‡tS'Éö˜¢»9¨$ˆ²Qb�ÝÛΆ

secrets/rekeyed/zackbiene/21fec08806b3194e39c928380133562f-mosquitto-pw-zigbee2mqtt.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 DynNMA IKMt3H+qN5Tp+klLYaeKCa0b5brlB8//VAjpAl68GCI
+MTV8wXhkCYulvS6o7Wnq/rMHeYqPxDdSMggMT6+FLyo
+-> |-:8x-grease s O3ZB {Q"
+GscWlHRccebYhiGFelYXa+GLLzprQc+k9iS//LY
+--- FgB9+ChfVo/svSZ9pgcCv+ZG/edwwIs11tNjCpkHLjg
+��
+Ô»W€%˜D´Ñ¯¯“`›¦{E[&rÕ-îÿ‘×–bMM�€õ[Óˆ=t�.&š„„›_À�Ú

secrets/wireguard/proxy-sentinel/keys/envoy.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 guqR3l3I7Aa0DQ/l2D4MNpLanB4C3PgvwXm/96hPaRc
+c/k+f+fFHVObsCCTi49snWjfidRNuIny2+AefKQ9j70
+-> piv-p256 xqSe8Q AiMovFyBe+XW+kiY84vewtPf6RXoD4yCh8qgZ1jAxke8
+2eg4gF9casDTL/CZ7crqvLulzCBshR0wOaRx7F/BzP0
+-> Zg[dg@o-grease 6qG)H\ 0E
+/OA
+--- nnNkb9JT4yPw0mw6r9NQa/4JfWGjt6ZOi15cQSDmeXE
+›¢Ö-DåN Î+•ÅnHë÷‡Ó\­r#…9 �üåÓoŒõÔ4¹!
‘DÕ‡�ÚC)“ °0K9ÛÛ›Ú,ô¡§˜mûL›•‚R<>zú

secrets/wireguard/proxy-sentinel/keys/envoy.pub

@@ -0,0 +1 @@
+ikABIdsLZyLPhzujmXTxAXfCHs3FTlblv2Xza1W7jz8=

secrets/wireguard/proxy-sentinel/psks/envoy+sentinel.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 Rum6P5225U0CtcafI68tq+QulUYKH7um3wEkahe33Dk
+f6YAiC/0xU3SFywiOnARpR4d4gAgJeGCAEt/TPV3Gyg
+-> piv-p256 xqSe8Q As29vYnLfn5HuZn/ybyzWvMNsDIYbYchIP8qP6f6/ngX
+vDLqOW0V7JlHOcncgkCnXpNWvIaJl8w/rhZpuQyw+v0
+-> b-grease d /|( EP:
+RfUV02LatAx4gm/RsPXq7aWe0nsGIQadTubk/XUZliOqOSMTXuXfCZrZ
+--- 4trrv3Kv3OOujp3K4WZ1buDoJ0BEnLxkr7UWeZHVxrg
+‰áÍôúŠã‡£åÒt0TWýjx;Ùņ4yOì%³5ŽC™�ÿÉ�œ‡>О£žP¾š¥R±È]Íç­УšK‘KI¦òî