From 364073c19778d7a965111152f803ebb0f5157df0 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Sat, 20 Jan 2024 23:16:43 +0100
Subject: [PATCH] feat: add immich via oci containers
---
 hosts/sire/default.nix | 4 +-
 hosts/sire/guests/immich.nix | 192 +++++++++++++++++-
 hosts/sire/guests/paperless.nix | 2 +
 hosts/sire/secrets/immich/host.pub | 1 +
 hosts/ward/guests/kanidm.nix | 2 +
 hosts/ward/guests/vaultwarden.nix | 2 +
 modules/config/users.nix | 1 +
 .../sentinel/loki-basic-auth-hashes.age | Bin 2045 -> 2119 bytes
 .../sire-immich/postgres_password.age | 9 +
 .../promtail-loki-basic-auth-password.age | 10 +
 .../sire-immich/telegraf-influxdb-token.age | 11 +
 secrets/global.nix.age | Bin 1870 -> 2042 bytes
 .../proxy-sentinel/keys/sire-immich.age | Bin 0 -> 465 bytes
 .../proxy-sentinel/keys/sire-immich.pub | 1 +
 .../psks/sentinel+sire-immich.age | 10 +
 15 files changed, 239 insertions(+), 6 deletions(-)
 create mode 100644 hosts/sire/secrets/immich/host.pub
 create mode 100644 secrets/generated/sire-immich/postgres_password.age
 create mode 100644 secrets/generated/sire-immich/promtail-loki-basic-auth-password.age
 create mode 100644 secrets/generated/sire-immich/telegraf-influxdb-token.age
 create mode 100644 secrets/wireguard/proxy-sentinel/keys/sire-immich.age
 create mode 100644 secrets/wireguard/proxy-sentinel/keys/sire-immich.pub
 create mode 100644 secrets/wireguard/proxy-sentinel/psks/sentinel+sire-immich.age
diff --git a/hosts/sire/default.nix b/hosts/sire/default.nix
index 1dd172c..51af57a 100644
--- a/hosts/sire/default.nix
+++ b/hosts/sire/default.nix
@@ -129,8 +129,10 @@
 // mkMicrovm "paperless" {
 enablePaperlessDataset = true;
 }
+ // mkMicrovm "immich" {
+ enableStorageDataset = true;
+ }
 #// mkMicrovm "minecraft"
- #// mkMicrovm "immich"
 #// mkMicrovm "firefly"
 #// mkMicrovm "fasten-health"
 );
diff --git a/hosts/sire/guests/immich.nix b/hosts/sire/guests/immich.nix
index c645955..0045868 100644
--- a/hosts/sire/guests/immich.nix
+++ b/hosts/sire/guests/immich.nix
@@ -1,19 +1,54 @@ { + pkgs, config, nodes, ... }: let sentinelCfg = nodes.sentinel.config; immichDomain = "immich.${sentinelCfg.repo.secrets.local.personalDomain}"; + + ipImmichMachineLearning = "10.89.0.10"; + ipImmichMicroservices = "10.89.0.11"; + ipImmichPostgres = "10.89.0.12"; + ipImmichRedis = "10.89.0.13"; + ipImmichServer = "10.89.0.14"; + + version = "v1.93.3"; + environment = { + DB_DATABASE_NAME = "immich"; + DB_HOSTNAME = ipImmichPostgres; + DB_PASSWORD_FILE = config.age.secrets.postgres_password.path; + DB_USERNAME = "postgres"; + IMMICH_VERSION = "${version}"; + UPLOAD_LOCATION = upload_folder; + IMMICH_SERVER_URL = "http://${ipImmichServer}:3001/"; + IMMICH_MACHINE_LEARNING_URL = "http://${ipImmichMachineLearning}:3003"; + REDIS_HOSTNAME = ipImmichRedis; + }; + + upload_folder = "/storage/immich"; + pgdata_folder = "/persist/immich/pgdata"; + model_folder = "/state/immich/modeldata"; + + serviceConfig = { + serviceConfig.Restart = "always"; + after = ["podman-network-immich-default.service"]; + requires = ["podman-network-immich-default.service"]; + partOf = ["podman-compose-immich-root.target"]; + wantedBy = ["podman-compose-immich-root.target"]; + }; in { - meta.wireguard-proxy.sentinel.allowedTCPPorts = [config.services.immich.web_port]; + microvm.mem = 1024 * 8; + microvm.vcpu = 20; + + meta.wireguard-proxy.sentinel.allowedTCPPorts = [2283]; nodes.sentinel = { networking.providedDomains.immich = immichDomain; services.nginx = { upstreams.immich = { - servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.immich.settings.bind_port}" = {}; + servers."${config.meta.wireguard.proxy-sentinel.ipv4}:2283" = {}; extraConfig = '' zone immich 64k; keepalive 2; 
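Review bot: The listen port 2283 is now a bare literal in both `meta.wireguard-proxy.sentinel.allowedTCPPorts = [2283];` and the nginx upstream key `servers."${config.meta.wireguard.proxy-sentinel.ipv4}:2283"`, where the removed lines derived both from `config.services.immich`; the same number appears a third time in the `immich_server` port mapping in the next hunk. Because one of these is a firewall opening, a single let binding such as `immichPort = 2283;` used in all three places (with `toString` where a string is built) would keep the firewall rule, the proxy upstream and the published container port from drifting apart. The module body opened by `in {` continues past the end of this hunk.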
@@ -32,9 +67,156 @@ in { }; }; - services.immich = { - enable = true; + systemd.tmpfiles.settings = { + "10-immich" = { + ${upload_folder}.d = { + mode = "0770"; + }; + ${pgdata_folder}.d = { + mode = "0770"; + }; + ${model_folder}.d = { + mode = "0770"; + }; + }; }; - systemd.services.grafana.serviceConfig.RestartSec = "600"; # Retry every 10 minutes + age.secrets.postgres_password.generator.script = "alnum"; + + # Runtime + virtualisation.podman = { + enable = true; + autoPrune.enable = true; + dockerCompat = true; + }; + virtualisation.oci-containers.backend = "podman"; + + # Containers + virtualisation.oci-containers.containers."immich_machine_learning" = { + image = "ghcr.io/immich-app/immich-machine-learning:${version}"; + inherit environment; + volumes = [ + "${model_folder}:/cache:rw" + ]; + log-driver = "journald"; + extraOptions = [ + "--network-alias=immich-machine-learning" + "--network=immich-default" + "--ip=${ipImmichMachineLearning}" + ]; + }; + systemd.services."podman-immich_machine_learning" = serviceConfig; + virtualisation.oci-containers.containers."immich_microservices" = { + image = "ghcr.io/immich-app/immich-server:${version}"; + inherit environment; + volumes = [ + "${config.age.secrets.postgres_password.path}:${config.age.secrets.postgres_password.path}:ro" + "/etc/localtime:/etc/localtime:ro" + "${upload_folder}:/usr/src/app/upload:rw" + ]; + cmd = ["start.sh" "microservices"]; + dependsOn = [ + "immich_postgres" + "immich_redis" + ]; + log-driver = "journald"; + extraOptions = [ + "--network-alias=immich-microservices" + "--network=immich-default" + "--ip=${ipImmichMicroservices}" + ]; + }; + systemd.services."podman-immich_microservices" = + serviceConfig + // { + unitConfig.UpheldBy = [ + "podman-immich_postgres.service" + "podman-immich_redis.service" + ]; + }; + virtualisation.oci-containers.containers."immich_postgres" = { + image = 
"tensorchord/pgvecto-rs:pg14-v0.1.11@sha256:0335a1a22f8c5dd1b697f14f079934f5152eaaa216c09b61e293be285491f8ee"; + environment = { + POSTGRES_DB = environment.DB_DATABASE_NAME; + POSTGRES_PASSWORD_FILE = environment.DB_PASSWORD_FILE; + POSTGRES_USER = environment.DB_USERNAME; + }; + volumes = [ + "${config.age.secrets.postgres_password.path}:${config.age.secrets.postgres_password.path}:ro" + "${pgdata_folder}:/var/lib/postgresql/data:rw" + ]; + log-driver = "journald"; + extraOptions = [ + "--network-alias=immich_postgres" + "--network=immich-default" + "--ip=${ipImmichPostgres}" + ]; + }; + systemd.services."podman-immich_postgres" = serviceConfig; + virtualisation.oci-containers.containers."immich_redis" = { + image = "redis:6.2-alpine@sha256:c5a607fb6e1bb15d32bbcf14db22787d19e428d59e31a5da67511b49bb0f1ccc"; + log-driver = "journald"; + extraOptions = [ + "--network-alias=immich_redis" + "--network=immich-default" + "--ip=${ipImmichRedis}" + ]; + }; + systemd.services."podman-immich_redis" = serviceConfig; + virtualisation.oci-containers.containers."immich_server" = { + image = "ghcr.io/immich-app/immich-server:${version}"; + inherit environment; + volumes = [ + "${config.age.secrets.postgres_password.path}:${config.age.secrets.postgres_password.path}:ro" + "/etc/localtime:/etc/localtime:ro" + "${upload_folder}:/usr/src/app/upload:rw" + ]; + ports = [ + "2283:3001/tcp" + ]; + cmd = ["start.sh" "immich"]; + dependsOn = [ + "immich_postgres" + "immich_redis" + ]; + log-driver = "journald"; + extraOptions = [ + "--network-alias=immich-server" + "--network=immich-default" + "--ip=${ipImmichServer}" + ]; + }; + systemd.services."podman-immich_server" = + serviceConfig + // { + unitConfig.UpheldBy = [ + "podman-immich_postgres.service" + "podman-immich_redis.service" + ]; + }; + + # Networks + systemd.services."podman-network-immich-default" = { + path = [pkgs.podman]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStop = 
"${pkgs.podman}/bin/podman network rm -f immich-default"; + }; + script = '' + podman network inspect immich-default || podman network create immich-default --opt isolate=true --subnet=10.89.0.0/24 + ''; + partOf = ["podman-compose-immich-root.target"]; + wantedBy = ["podman-compose-immich-root.target"]; + }; + + # Root service + # When started, this will automatically create all resources and start + # the containers. When stopped, this will teardown all resources. + systemd.targets."podman-compose-immich-root" = { + unitConfig = { + Description = "Root target generated by compose2nix."; + }; + wantedBy = ["multi-user.target"]; + }; } diff --git a/hosts/sire/guests/paperless.nix b/hosts/sire/guests/paperless.nix index 72e4d7f..ecdc90f 100644 --- a/hosts/sire/guests/paperless.nix +++ b/hosts/sire/guests/paperless.nix @@ -115,6 +115,8 @@ in { before = ["restic-backups-storage-box-dusk.service"]; }; + # Needed so we don't run out of tmpfs space for large backups. + # Technically this could be cleared each boot but whatever. environment.persistence."/state".directories = [ { directory = paperlessBackupDir; diff --git a/hosts/sire/secrets/immich/host.pub b/hosts/sire/secrets/immich/host.pub new file mode 100644 index 0000000..9c7563b --- /dev/null +++ b/hosts/sire/secrets/immich/host.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKE+geXK2RVVNwZVoYOuX7pW+6mbgCa9SIghJCdHmbSB diff --git a/hosts/ward/guests/kanidm.nix b/hosts/ward/guests/kanidm.nix index cf52f31..0ea07ce 100644 --- a/hosts/ward/guests/kanidm.nix +++ b/hosts/ward/guests/kanidm.nix @@ -148,6 +148,7 @@ in { groups.web-sentinel = {}; groups."web-sentinel.adguardhome" = {}; groups."web-sentinel.influxdb" = {}; + groups."web-sentinel.immich" = {}; systems.oauth2.web-sentinel = { displayName = "Web Sentinel"; originUrl = "https://oauth2.${personalDomain}"; 
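Review bot: In hosts/sire/guests/immich.nix the `immich_server` container publishes `"2283:3001/tcp"` without a host address, so podman binds the port on every interface of the guest rather than only on the wireguard tunnel. With rootful podman the forwarding is done through NAT rules, so the `allowedTCPPorts` entry scoped to the sentinel proxy interface probably does not limit who can reach it (inferred; the firewall module is not on this page). Binding to the tunnel address already used for the nginx upstream, `"${config.meta.wireguard.proxy-sentinel.ipv4}:2283:3001/tcp"`, would keep the plain-HTTP port reachable only through sentinel, provided the tunnel address exists before the container starts. Separately, the three `ghcr.io/immich-app/...:${version}` images are pinned by tag only while the postgres and redis images carry an `@sha256:` digest; adding digests there too would protect the deployment against a re-pushed tag.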
@@ -156,6 +157,7 @@ in { supplementaryScopeMaps = { "web-sentinel.adguardhome" = ["access_adguardhome"]; "web-sentinel.influxdb" = ["access_influxdb"]; + "web-sentinel.immich" = ["access_immich"]; }; }; }; diff --git a/hosts/ward/guests/vaultwarden.nix b/hosts/ward/guests/vaultwarden.nix index adb4560..15706c8 100644 --- a/hosts/ward/guests/vaultwarden.nix +++ b/hosts/ward/guests/vaultwarden.nix @@ -84,6 +84,8 @@ in { RestartSec = "600"; # Retry every 10 minutes }; + # Needed so we don't run out of tmpfs space for large backups. + # Technically this could be cleared each boot but whatever. environment.persistence."/state".directories = [ { directory = config.services.vaultwarden.backupDir; diff --git a/modules/config/users.nix b/modules/config/users.nix index af179af..df68bed 100644 --- a/modules/config/users.nix +++ b/modules/config/users.nix @@ -29,5 +29,6 @@ msr = uidGid 980; fwupd-refresh = uidGid 979; radicale = uidGid 978; + podman = uidGid 977; }; } 
diff --git a/secrets/generated/sentinel/loki-basic-auth-hashes.age b/secrets/generated/sentinel/loki-basic-auth-hashes.age index 7f63ee831d5cb467ff2f7afe0ffad0d403fc73aa..d641be9f9105d275fa59e88224f56d2f386693f9 100644 GIT binary patch delta 2110 zcmV-E2*LOL562LYAb)miXizmxIZ$$WNp?b7X-R5iXi#NyVR2P1RyRypS$}#=D`IXdQB5~la(7m6 zL`zCCGcssbWkm{bL`qX^VMQx-N<~aTD^yl^S9WwVcR^`GGgozaHB~fKa%pZxIYDY^ zY*h*^J|K2JTsLrIEoX9NVRL05P(w{EBp_f#J}@acAax31QB_hgNH}hKV`@oRHd0Sn zD^gixcV=2xG=F7sHdRkcD=TbfWL9i7WMz6sPIF0lF;z=(YIh1PEiE8rMr3eINpCnx zPdGVHXi8ZtGi6FpadBr$Fi>J2T%ieDTG2sF?RW!VRKzBZ2{~KI}tACsBS*(qEJEROkGR9Ii@oRlTJSF%IVLCzNq&yflvC>3elGZoZCJX8>D=+m z`)SwiuV7+R68L0{N%`_V!V^8pRjF3T} z#!!(zq4iLc4y#~^>^ZE^Irw~u9EpIPT`&Z{@FT49j2)DSV`BYKyf%mMjewcCMMhdd z)R-<1t|wW1hhjGuof#JJMpNHzxYXo+YBL0JAj(#6zhwrM1mDCFlCn~0{hb?q(83tax#^Nw#rUDq5bNR{MiI)C+*Af|&g zY`zoN&fB+cH=_VV)|06{_&0)jU6pE_8>$gVdx^6-X;kI&yyO}mlIGT$8h-=e5C0SE z;q}lW{Q&{XyerP>lq0rq_h!~}Hk;_?qHr$1EYF!{3UB7>lf?ZSo$>KC5I#lxmAYoe zSDZR`uW%zT1ov-t%ml0D*nf)C;6Y}gfN}yOL|NIY51;1qE9^7K}=GW1A<-q@WBVNp1|aCBB|JF^nM%WXzPwxt@_L39N@R zwljFF_qdGAMXsaUbJN6Pl1gVf%}!+@Hi`2)qZ(K$0B#jG987DoB7gYlGsBGoe*#OG zmrjcxdnB~_?em8O!TW!5eR`ravLbBpo*PahL1xI0k!pa#e zHFCEPq4$9QGnFv*gVb%@n|KGYS4owQ{t{{lpc)5XsdvmT3*M{DQGf-wuXWnj z1a)WVem$1B`2b>eKnH*Os%a!gq@Kk2C-WNbZR~L&`1Pu+5|=+7`at6T%EURNL8P^z zZw(2%s(^J62>m#7k!wFFFP7qrf)&J`iBbOpCKI*VA2)t*^C(1bu&qJhi&{vQ4r(?n*AwZ;j_CYL&c1(4Tz!Xpiu$np8x;= delta 2035 zcmVcX@bCRA)kGFK~KST1_-Jc13wvF*Qt5bzw_0P^ zG;2?JO$tp!cw{tYG*mWuH&an+ZbN!$L1J2UWpFt&P+@XyZdgr6ZDDk3GiGu$Sqd#a zAaH4REpRe5HXwL$Q)M_&AVF|)Qb#y#Z+S&RW;SLrLS;>DPJcCULN;zMoCIyIB`N%YhpxmX+?2IV+uDkNJcYvFIQ@4K}AkCOj9*zHbG}< zS4mb*ZALFJbuxBgYeq*aX?IIO3N0-yATMJtG&MnUac*HZbT~0gSSxQxHfVWDFnBd> zc{x#8cxg;XS4(O{N@`Yf3UYGlXIolL_#?BmC2|N5Lw~sB&F*wD~sejegD8jVB{Jr~M=~K(1rV=4NAY4=k z=UsmSM@E2V9qvdavSSITHObfy>k&9&KfBAwcB9>#;A1l91F*6t?d6r8V$l6RUyU51Cw7=s~boE7kvZr{y@FjtbG zd4CK)$=>ct8`%ki@5x2Nw6Jp8!4`|3144=a{O1~Ytet9qRX*F2NR{|GH zl?w*tUBT=>k;Wz8tscRs1((m&1$~-Tv7!GiR$t2)W`5Cd<^mg=IR-O;$WyoWrm{_w 
zZFF;z%oFnZ3Z{(sK9|Y3g|<52HrDsUkbhvR?2u2J;F^Mgk?*!LZk}m-Zjwtebc~t1 zKa_!)V|5v-yLj2gzTS;N1atXDx-bfM=<@(-4m>X6IouROH z#I*2aI9Iu7X)`1Jih_*usK#LvcO|!cmRsqvd2#CQGDL$a(KO*7hVx=yYbZ*}I+v&< zZ(AVv#JFlnZ#;<5z?isgbdq{dY=3oJ5X3h1UwIM6cK~$uZ(MQeCN8H+$F;T?M+G)h zu%3Mnp>ZGmpAEiUL$HM2FYpNE$COG*J@eFd3ZfDZHDsr_L)>YRU)K>Xe~pA#Kq(D@ z!6_DaSi%8EFR|ESWtKbRc%ERG$XKSqdM6qSfn?+r$I+7I^pvXAfBv-shkp?DPW|H1 z3*r>ljPSA~4WwCU7-M034TH2#bdo$w^XYo)J;%v=UW4SxM6Xh<~TNl{fXFh}YbQ1b5vHadXtVKsePv{!>#w92R+IM0v<^ z#KGd$JbyoYWxkvhajA?YtZ=s*iv%Uj5IU;t_YwdQcYv z0%Q}cx)LaRXn*AAs-#!WDEE=um}2`zOmr{xLR#zlF@bOFE7EZasDGhvbjI?lkA1)L z6!jy%EH7kCNHwfFtdwls4+;pMkAZ;_3r+OfM%C?E99Z=mu!Yg9wEi)bVt9{ok`I&H zck1Pk*AL*0fdt3581x5`WM16RljyPVm#HVwmB6`y_)&(2ioRv$Fd z$%{KjjGDWpIC0|=by z!J=I6ES!+7N*;|FseYgbC1yPp@DGFa+vS4{OwLw zoS+9Ik#-S?d2GGBrAm}ahE8UnLg^G_p}#_K68Nq&4O RRMiTO_^Giaw#0iZM|d%7y1xJb diff --git a/secrets/generated/sire-immich/postgres_password.age b/secrets/generated/sire-immich/postgres_password.age new file mode 100644 index 0000000..414a5f7 --- /dev/null +++ b/secrets/generated/sire-immich/postgres_password.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 lxcs64hgn5qiaMjFfFKIdS7a4DYzsSIp2rYWu9Sxg1o +DWoXP55lOfYh26BQyMTWtJpZXD6RAYYT4ArCNy2RmPQ +-> piv-p256 xqSe8Q ApSmxT6ujEnuH3c0Avr7g/DGdbSf906OFhOiMvi9ONmt +UmLDT5AJkIc8GgLgaVgS6KWk7d0rf/P29V4l2JU1lgI +-> )-grease p4kI HFcVp +dPSUp6CWnLW6gpi6a2g+mWKIZ+OEYiRvTc6YcSLY +--- 7pImagsw0LryRQOHCqzwJxCQNyoESpJsrztMaUqrwPg +NbǬ Е7MNPr>+8zJĒo\LWsڳz0;ipRiK.wvK \ No newline at end of file diff --git a/secrets/generated/sire-immich/promtail-loki-basic-auth-password.age b/secrets/generated/sire-immich/promtail-loki-basic-auth-password.age new file mode 100644 index 0000000..fe40ad7 --- /dev/null +++ b/secrets/generated/sire-immich/promtail-loki-basic-auth-password.age 
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 ks4qXV3qPJeADOguclgvlOS/81Wd7fgcVKdlhg3FgzI +PLKauYQ+46t8RSPD73M18RUOL/z4SjikoNsDbL3X/cc +-> piv-p256 xqSe8Q A2xu0dbsgARRnDBak5Cd6YG3JF5zOuZlqzPdbg9lgP2x ++tbb9URbCrPqIWOp0O26ptbXRUh/6koKhdONNz5p494 +-> Yy),Z@(\-grease %R <|> I]- G +1t94Jtghka4vBg2VMzDqPO2qwzpovhNT0W+fe0K82obdDaajCa3pfiFz4Nrfbm+7 +hsJyVaViVGio7BVDPso +--- 8JU+s4Yn2DCmSHfRx4EPn8pa8RRWTn8BfEkCLhVn+DI +~loLNu앵 zt5žcW0g8,{5tK>mH? \ No newline at end of file diff --git a/secrets/generated/sire-immich/telegraf-influxdb-token.age b/secrets/generated/sire-immich/telegraf-influxdb-token.age new file mode 100644 index 0000000..3f3dfa9 --- /dev/null +++ b/secrets/generated/sire-immich/telegraf-influxdb-token.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> X25519 SQp3X/pCRAK0LDysYw/iO5XbD5DknZDqrfYVsF4Wryc +MToFiMkEqhq0uJlDE3peo/1r2eG8SGfYj6XZDcHJHsE +-> piv-p256 xqSe8Q AjwjDiFrzD8Zvc7Xx9fA7WcxG+nsF2mUgmMlFswinh/l +ONrzVVrUpWWfy4on9Vouz3D3VxSYu4Rb2+DnRSyBtWU +-> J)C?2Kps-grease ", ++w4vydh7txIfUxLLwNztvo6nDva4zEfkJJZn2Kbh1agtjfiaqVh9hznQyHjY+bKX +TTro7bJoHrdBOj7RX6CV1BO0w2ToeQ1XnkhZv/8GE2xm3aehsSEFt5AqU8f2ucrt + +--- ISE4KQBHYV8vazUMaRG9y8BTag3zVtMN32n3lwiTp48 + dѲTAvuW 9lPFg. T FS!5ۤTo LvΦ,2TH7a!lj*GG \ No newline at end of file 
diff --git a/secrets/global.nix.age b/secrets/global.nix.age index 4cc52dd0622be259fbeba8173b83d17dfd9e6741..ade9174b0aae482a042a862fcdfbfedfe827f425 100644 GIT binary patch delta 2032 zcmVwNNRI1abrP4XJu|hT5LyCRCYp3XJkrYN=I#RMPW2!Lv$}O zYFa`wNeWX`QfNzLazR*dWolYuaab@yWkXsqY;IUZN=Il#Lsd&NL{T|ZGf8Vc2!qtYh`g$NqR#{L~>O(R#;|hcT#OHc1}c2S7&us zLvso(J|IOSHEu0ua%Ew2WeQeTS6FLsGc<8mSVc@_byZq7GfPTrM@3CXacg&RH)BCE zQByBSMp-sTZhufSWlu{~GHFdpQ)5O%S9wNlVPSL%Lozv3Rc=8uIc;QmV|77FR6|B$ zOmJ3VcS})MWLI@VV=!1SOHo=(K{P^5ICey8Mlo1+GdOPwEiEk|LvvVaPDyQJPj*I6 zXhCl)YD{c;csEXMSV1#tbVqA-X>nLERby#pVmD_Blz;Vn!NDykfQzc$#662FY&Gg& z&lP@=xsJQ*JMD6U2>8jr$mc};9n_q_(Ob<88dkB(ZpyTciaytX=4!A0wk(q(_4ni| z65V@rSXJwCTyF{;&BD{7;ttKjRa-<6XZOTaeoxD)h~yKKMkB>d6)??k_cb1k9uHbbdIkgCQ?32YW%Wj5AR`ZqCQRw6ThQe}R zqjMf%V7SA-1&A6aTpR^>NayTuw%B+fzFq{I*?&S;#Gv8okL?GGx{K)2N-Lc0c2|^h z7vwPiAn2CeNiZ^*8+7bcUm?vLilV%(EyoF_2enc^K?)+M)>DJvK1K+H`@D}4II+`d z!^%Pp;dL0;%{Eq`ilv56OT4OhfT6v{M0Y2o_Z@`7d~YTu20~id>yLR^0$d;c2b0nD zlYf1x0z|>nbVmat=^tLG&yUv!vpd`u>i&s7a6gP#X*OQ5-k7mf(OPI3+{B9V4fU`67w09w7@l)@fvo1s4xyjwngD>1Z#i+ z@E!^_e#YF5XB}LQMVe6MeMXEWqDQ*>dA4zOME<34Ao{qNmogRwWbOxec++yt+B3^ZvcqWX0(jD| zmCZ;Y*V#pDkDH?$Z0rubnt#|&{a~N1XW%GfmoOOcpj3E&;tMy-y;~=mabT3$)knLO z+ss0^?Bh3j>=c=#f}q|H=Hw|sWY|w>8clfJk0#F!zn&=*CBQ#pHbr}(=HuG0XIh9w z5*kh1fNAN*MGljkhu;)%&Cue)$)XzDT9dMXpReTVZRKPXMz71Lmw#_V2m}p(A?ZN+ zs5L`PvWaN|RiH?D6rKv~ok#SW3dj?w?c#m;)RI`%D7lE($++FA+ zx1-5&5iOBJHximFj~E~TA64eQeZmm1_bd9q00xPDs37ysjG{@XU)uBTt0PH8K#q;( z-;azWYiY19L@uZ#$A4J($M&ClnDWszst=6Y9=>F}7UgUN8qlT3i4K*9y#UzSxiX7z zI!$Hwm?&D90l56vaen?db1^kG-;jJrS@qI?JP@q+M~)9i&bY+A!=X1AI9vsO2S|=W z=udq7vu;Yz50=*k&XVyclkd3xpKdi#8Y{RR3EN-eGsX{#E`RLAqYP_>!e0C^ELV** z9$B-|8g0k_$`l8D?DAfF<1YxNdj#8l1*%q((ix(i| z_zp7D;CIwMrN9w5#WM=)M|RSe8g3p6d$mx=L8vabZI?$+(WIU1ASNg=7*3a26zAxt zTFwj{uc`e1$7z@PDM;UV0a++=p&?PB1AGWw6BO0cozO)QdJ5R_hsn|8F1CD8OhHpZ zNl6MVJ|J6iEoX9NVRL05EITrDBYtjLAV)$hAU=ILX-#Kccp!BONJ(fzaduI4M{#jD zMP_kn3N0-yAb)aWRX2G_V?|3-ZZc3cD|R$7S4&zsF?D2WQZGR_b}?yeXhLvGc4bpS 
za|#l;JDc{A_qS~oSWB*tWqcpJ<(PLCjq(=U+O#3ST(bJP(#1MV+<^j=Hdy>)_Tn@) z(tuF{OOLFcSxoXCjv~KPopxdD9K6bBo1|FPrDQc@mVdca=b&B*^TxHuo$+kQqJ{+N zw3Tk;=_IJNT~Gw24i=D#6iTZ*ES+#OtA-)v;xH;n((>m&d#=NNon4Zvw>x=)3ZAx8 z)}4aA&&y(I4ssLwJ{deV!B6mEkf>fMHN7e(6v$~x>HR;jJG_Wx?z;|G5R};XG_x;y z0Tf7pSATSBZAz-284pTTt&s3vbS#btCTNbycAFyAI;}vv#?E=!v}d^4qDnsQgRfTv z1|Cc@kWb0w^qOcCrYka{KYZ+9Y~b|op>Qwq>z-mKUq*szU1xr!GVlMAUsLhzmp|)$n>kn>@J( zyMI8x9X?Q}w{l^3n6mn|Wk;sk?CX_)nV&nu_c~tiRrR51X{xJL$nff#*WiG53%blF zHMw`EQ5O|G*ZswnfhEu7L4?d_{3FyFH;F##G|_L*hpfOI+b~lDnqt(HpNYF+9&x=k z^t*W4!whFFy8blBfhmpWDfxhVoSLZOK7TLX?`DvKMpCC~w1bo^c+Goc7&}54c%B$B z)RtTln;8W$ossNIU*{Vx5tJ#B8|sX}{`1!}BBq8!Hk-}AHdNU)UBcgXEcPefnDAaE zE!j)8G=@}mk<0~PyQh6tu#<7Ohvk5-i0M&|Sgr~c12>AP0p}ap@Hp@S6Gz|PTYoWw zM?R@U!`ptRsJd-ySg}*&p!S4G%kV`EbBbJm=-8Ca-jjT6k6mPqroHRQ@}4 zfGs^9cw#(z%QjhJ23<3MVYALZ!hd(0Wz@QW-~uN4R#|7C6WmuVGxSQ@PILBe5NXct z)1V7lM(n*DAoviJ0M{5-TTp9hT~BVPxPeB5{qEI}H1jKpgNDKlbb6AV8CLoXL_SEy zX&i)!h5g;Uvn9b6#iclA>qY?criT2^sTV(Pqf4;k<~n3*#Vm%G%q9PNY=6^DiCaaL z24*D8{e<8Hj}=|f`YIw>{bGVOvtBP9Y3T*@dN7-dL>ociPR%**Ug$ng`JQad@!f%u zOt+J}%vj`R^)49rI*|8W!o<-HzMyCWs#khO zP|(~hl2xmtNaq4~ph23~wF8(XuZcY@dKH1}gJ-s|s-1T7;lm6IW=^Lpu0 z`4xj_;TtKNINV6}=70H0zmx7m#p162MCiNL_xEh_2fo?2?~8-CHjOK;qQ^SQg^&)Y zJ4dxPJ~jy!)puc}-@Mdw>9jN)3@IZ|i09OR)>Vt;(g>2~HO|?K}sKwS1eFyp)h!} zF6X&u)Wt;;7iawkbTlT$+3lvA%nioD-1iTB9!4~Z{j5qCB#G}N8D@$WMej6R!1FD! zQ9At4Q~=AG?pP8vuGu*(an?&#UfW)fIzF%=81yx)+d9SYD%R!F&t$eXkhLw$)3Qk> z(B?zZW)E5!HRCKbo{xqD>6;5r(ay$O$Ni+ zK&Ekqyc|)gKU88E?bc3YCPBg{X^%5=crW5WUoxoz6cDmchAVqC+ z!1Hjh1eT&3eJ6^jOTWnFwR`9P_D|n#?)=zvZ#;SQ;M(cacYj_9pEl0Ft>s7SAK$~X r&*9PY4fE{y`tOHdwocyMlE3~0`1Z5EFRtvp{7~K1-K!_BzaRexpZ%c- literal 0 HcmV?d00001 diff --git a/secrets/wireguard/proxy-sentinel/keys/sire-immich.pub b/secrets/wireguard/proxy-sentinel/keys/sire-immich.pub new file mode 100644 index 0000000..1c369d4 --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/keys/sire-immich.pub @@ -0,0 +1 @@ +slaNaddkDDEeC9Y69VTKqAhYJcjc2u0UbbwxNzaZNR4= 
diff --git a/secrets/wireguard/proxy-sentinel/psks/sentinel+sire-immich.age b/secrets/wireguard/proxy-sentinel/psks/sentinel+sire-immich.age new file mode 100644 index 0000000..31a4330 --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/psks/sentinel+sire-immich.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 YIhkI6nWo8Ud/fjZVBXO5g0NOmaXVbmLiFvSLJ/cdFg +4RZpFKtM40Q81tSAIq1xUjMy4GmGeIZ+335KiFf28M8 +-> piv-p256 xqSe8Q AuTq/W1xNTEYrBAbLgffA95slATEeMRMUIwuMyicmwcA +QlR1jm1BC/MDfSF82oJibcS5huJx0lRtdbO/dHfIkKE +-> XNC"-grease ~K@0bKg{+/0:\Ðs-5jg J =p6C?迯 \ No newline at end of file