From 3d12add14d81a97ab9250f92b2ef4487cb1c3e1c Mon Sep 17 00:00:00 2001 
From: oddlama
Date: Sun, 19 May 2024 15:33:06 +0200
Subject: [PATCH] feat: prepare local mirror web-proxy to speed up internal service access
---
 hosts/kroma/default.nix | 8 +++-
 hosts/sentinel/default.nix | 2 +-
 hosts/sire/guests/grafana.nix | 25 ++++++++++++
 hosts/ward/default.nix | 1 +
 hosts/ward/guests/netbird.nix | 3 +-
 hosts/ward/guests/web-proxy.nix | 37 ++++++++++++++++++
 .../web-proxy/acme-cloudflare-dns-token.age | 10 +++++
 .../web-proxy/acme-cloudflare-zone-token.age | 10 +++++
 hosts/ward/secrets/web-proxy/host.pub | 1 +
 hosts/ward/secrets/web-proxy/local.nix.age | 11 ++++++
 .../sentinel/loki-basic-auth-hashes.age | Bin 2615 -> 2770 bytes
 .../generated/ward-web-proxy/dhparams.pem.age | Bin 0 -> 1152 bytes
 .../promtail-loki-basic-auth-password.age | 10 +++++
 .../telegraf-influxdb-token.age | 9 +++++
 ...4e52aece39a18f5-loki-basic-auth-hashes.age | Bin 2521 -> 0 bytes
 ...4782d3d45463711-loki-basic-auth-hashes.age | Bin 0 -> 2628 bytes
 ...telegraf-influxdb-token-ward-web-proxy.age | 8 ++++
 ...169c62b1666-acme-cloudflare-zone-token.age | Bin 0 -> 419 bytes
 ...4fb44bd0cf027d-telegraf-influxdb-token.age | Bin 0 -> 326 bytes
 ...7dc2d4ba24de6f1f1ed0b9e1c-dhparams.pem.age | Bin 0 -> 1094 bytes
 ...3cac-promtail-loki-basic-auth-password.age | Bin 0 -> 385 bytes
 ...95305acd07c7-acme-cloudflare-dns-token.age | 7 ++++
 22 files changed, 139 insertions(+), 3 deletions(-)
 create mode 100644 hosts/ward/guests/web-proxy.nix
 create mode 100644 hosts/ward/secrets/web-proxy/acme-cloudflare-dns-token.age
 create mode 100644 hosts/ward/secrets/web-proxy/acme-cloudflare-zone-token.age
 create mode 100644 hosts/ward/secrets/web-proxy/host.pub
 create mode 100644 hosts/ward/secrets/web-proxy/local.nix.age
 create mode 100644 secrets/generated/ward-web-proxy/dhparams.pem.age
 create mode 100644 secrets/generated/ward-web-proxy/promtail-loki-basic-auth-password.age
 create mode 100644 secrets/generated/ward-web-proxy/telegraf-influxdb-token.age
 delete mode 100644
secrets/rekeyed/sentinel/089eda6d3476434194e52aece39a18f5-loki-basic-auth-hashes.age
 create mode 100644 secrets/rekeyed/sentinel/45fcec727e61235564782d3d45463711-loki-basic-auth-hashes.age
 create mode 100644 secrets/rekeyed/sire-influxdb/77e41d6d4f1ee94ad7d26e00c3363352-telegraf-influxdb-token-ward-web-proxy.age
 create mode 100644 secrets/rekeyed/ward-web-proxy/16cd8ee5ae22b74c03ca5169c62b1666-acme-cloudflare-zone-token.age
 create mode 100644 secrets/rekeyed/ward-web-proxy/3b347f2a2024cd71914fb44bd0cf027d-telegraf-influxdb-token.age
 create mode 100644 secrets/rekeyed/ward-web-proxy/3ecb8cd7dc2d4ba24de6f1f1ed0b9e1c-dhparams.pem.age
 create mode 100644 secrets/rekeyed/ward-web-proxy/7a373fa309ea4806998a5716906f3cac-promtail-loki-basic-auth-password.age
 create mode 100644 secrets/rekeyed/ward-web-proxy/fe0973a0966ad375770995305acd07c7-acme-cloudflare-dns-token.age
diff --git a/hosts/kroma/default.nix b/hosts/kroma/default.nix
index 4fdb82a..0db6658 100644
--- a/hosts/kroma/default.nix
+++ b/hosts/kroma/default.nix
@@ -82,14 +82,20 @@
 port = 51820;
 name = "netbird-home";
 interface = "wt-home";
+ autoStart = false;
 openFirewall = true;
 config.ServerSSHAllowed = false;
 environment = rec {
 NB_MANAGEMENT_URL = "https://${nodes.sentinel.config.networking.providedDomains.netbird}";
 NB_ADMIN_URL = NB_MANAGEMENT_URL;
- NB_HOSTNAME = "home-gateway";
 };
 };
+ environment.persistence."/persist".directories = [
+ {
+ directory = "/var/lib/netbird-home";
+ mode = "0700";
+ }
+ ];
 topology.self.icon = "devices.desktop";
 }
diff --git a/hosts/sentinel/default.nix b/hosts/sentinel/default.nix
index 9158772..ab86487 100644
--- a/hosts/sentinel/default.nix
+++ b/hosts/sentinel/default.nix
@@ -19,9 +19,9 @@
 boot.mode = "bios";
- users.groups.acme.members = ["nginx"];
 wireguard.proxy-sentinel.firewallRuleForAll.allowedTCPPorts = [80 443];
+ users.groups.acme.members = ["nginx"];
 services.nginx.enable = true;
 services.nginx.recommendedSetup = true;
diff --git a/hosts/sire/guests/grafana.nix b/hosts/sire/guests/grafana.nix
index bef0d3a..ca5bcb6 100644
--- a/hosts/sire/guests/grafana.nix
+++ b/hosts/sire/guests/grafana.nix
@@ -9,6 +9,7 @@ in {
 wireguard.proxy-sentinel = {
 client.via = "sentinel";
 firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.grafana.settings.server.http_port];
+ firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [config.services.grafana.settings.server.http_port];
 };
 age.secrets.grafana-secret-key = {
@@ -78,6 +79,30 @@ in {
 };
 };
+ nodes.ward-web-proxy = {
+ services.nginx = {
+ upstreams.grafana = {
+ servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.grafana.settings.server.http_port}" = {};
+ extraConfig = ''
+ zone grafana 64k;
+ keepalive 2;
+ '';
+ };
+ virtualHosts.${grafanaDomain} = {
+ forceSSL = true;
+ useACMEWildcardHost = true;
+ locations."/" = {
+ proxyPass = "http://grafana";
+ proxyWebsockets = true;
+ };
+ extraConfig = ''
+ allow 192.168.1.0/24;
+ deny all;
+ '';
+ };
+ };
+ };
+
 environment.persistence."/persist".directories = [
 {
 directory = config.services.grafana.dataDir;
diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index 9501433..4dbc650 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -111,5 +111,6 @@
 // mkMicrovm "netbird"
 // mkMicrovm "radicale"
 // mkMicrovm "vaultwarden"
+ // mkMicrovm "web-proxy"
 );
 }
diff --git a/hosts/ward/guests/netbird.nix b/hosts/ward/guests/netbird.nix
index 391da9e..1a0eee3 100644
--- a/hosts/ward/guests/netbird.nix
+++ b/hosts/ward/guests/netbird.nix
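Review bot: In hosts/sire/guests/grafana.nix, the `allow 192.168.1.0/24; deny all;` in the new vhost's `extraConfig` is the only access control visible on this route, and it only works if nginx sees the real client address. The commented-out note in web-proxy.nix about forwarding 80/443 from ward suggests NAT may sit in front of this guest; if that forward masquerades, every request would carry ward's address and the rule would match all clients or none. I would state the assumption next to the rule, e.g. `# relies on un-NATed client addresses; a masquerading forward from ward defeats this allow-list`, and take the CIDR from the LAN definition instead of a literal if the config exposes one. The first hunk of the same file opens Grafana's port to ward-web-proxy, so this vhost is a second path to Grafana beside sentinel's; sentinel's vhost is not visible here, so confirm nothing it enforces is expected to gate access.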
@@ -47,8 +47,9 @@ in {
 dashboard.settings.AUTH_AUTHORITY = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/netbird";
 management = {
+ singleAccountModeDomain = "internal.${config.repo.secrets.global.domains.me}";
 dnsDomain = "internal.${config.repo.secrets.global.domains.me}";
- singleAccountModeDomain = "home.lan";
+ disableAnonymousMetrics = true;
 oidcConfigEndpoint = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/netbird/.well-known/openid-configuration";
 turnDomain = sentinelCfg.networking.providedDomains.coturn;
 turnPort = sentinelCfg.services.coturn.tls-listening-port;
diff --git a/hosts/ward/guests/web-proxy.nix b/hosts/ward/guests/web-proxy.nix
new file mode 100644
index 0000000..1918410
--- /dev/null
+++ b/hosts/ward/guests/web-proxy.nix
@@ -0,0 +1,37 @@
+{config, ...}: let
+ inherit (config.repo.secrets.local) acme;
+in {
+ age.secrets.acme-cloudflare-dns-token = {
+ rekeyFile = config.node.secretsDir + "/acme-cloudflare-dns-token.age";
+ mode = "440";
+ group = "acme";
+ };
+
+ age.secrets.acme-cloudflare-zone-token = {
+ rekeyFile = config.node.secretsDir + "/acme-cloudflare-zone-token.age";
+ mode = "440";
+ group = "acme";
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ credentialFiles = {
+ CF_DNS_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-dns-token.path;
+ CF_ZONE_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-zone-token.path;
+ };
+ dnsProvider = "cloudflare";
+ dnsPropagationCheck = true;
+ reloadServices = ["nginx"];
+ };
+ inherit (acme) certs wildcardDomains;
+ };
+
+ #nodes.sentinel = {
+ # # port forward 80,443 (ward) to 80,443 (web-proxy)
+ #};
+
+ users.groups.acme.members = ["nginx"];
+ services.nginx.enable = true;
+ services.nginx.recommendedSetup = true;
+}
diff --git a/hosts/ward/secrets/web-proxy/acme-cloudflare-dns-token.age b/hosts/ward/secrets/web-proxy/acme-cloudflare-dns-token.age
new file mode 100644
index 0000000..49e3559
--- /dev/null
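Review bot: In hosts/ward/guests/web-proxy.nix both Cloudflare token secrets are declared with `mode = "440"; group = "acme";`, and the end of the file puts `nginx` in the `acme` group, so the web server can read DNS API tokens it has no use for. nginx needs group access to the issued certificates only; the two secrets could instead be `owner = "acme"; mode = "400";`, assuming the renewal units run as the `acme` user, which this hunk does not show. A token that can edit the zone's records is enough to satisfy DNS-01 for any name in that zone, so it is worth keeping out of reach of the process that parses client requests. The commented-out `#nodes.sentinel` block reads better as a one-line TODO stating that the 80/443 forward from ward is still pending.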
+++ b/hosts/ward/secrets/web-proxy/acme-cloudflare-dns-token.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 GLh/xkRHD1zOOGYiWxlORV+qzYaTNvnXZoGe9qdxXUI +2TMHIo8emk76HOEgOpSOR3t1ib87kAGcH9FmZSLyhlU +-> piv-p256 xqSe8Q A6KvjXG2UNrpvNfY924v9/DVz7Ooncem24keDbtWXp7i +fNiibPhEaeRaXV8AxKFL2T7Er8byHmGCGT8ciwye1Kw +-> l1G-grease w;*@H4 +r4rvf0/eUQYWuhKWMIR94Uww+bgbr2GBP4oEWM8TftQFcioNNEK1Zm8bwocMvhM9 +i/KA6H6qw5yR68gKU3CPDzlMaIM99Oit3p7+3NdM2QPFKqvdYr9MdBcI +--- RGaCUY59RAiy0MUYasVeUf2cCfJqil3YTJmL0cXrmjA +M~B{`\BvWϞ4b`aR^l8K; Z5\W .[P,~Aq \ No newline at end of file diff --git a/hosts/ward/secrets/web-proxy/acme-cloudflare-zone-token.age b/hosts/ward/secrets/web-proxy/acme-cloudflare-zone-token.age new file mode 100644 index 0000000..c26ae7a --- /dev/null +++ b/hosts/ward/secrets/web-proxy/acme-cloudflare-zone-token.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 Y7J0KmGssDwytzJSMTKnb2qVfCBEl4nMiKeg4PDhbhM +R+FV22jr0XcybGJk8Z2o40O5ptRK3NPgQOxJ7HlORho +-> piv-p256 xqSe8Q AyC1XlhbGhbfUBn4gV56t48AazKi5Lt9H5BCOZqbTtOp +s3mrvVrMZ/kTdUSjKyBWa5hUFL2fwL2xRo7UFF0AwP0 +-> Ao-grease vp@ m_b +oV7D7L5dZtF75bJ6Ms0yZr92rENJmE4xKpdlBp4h40onYWv1Z17R2/bmygv5MD9+ +S7J25g3rxfk00fUOK8cwDcWyRtp4jQqcooJyrQ +--- J/aXuudcbUAfU06R065fsvPTX2qZr0w0eZ9gI6I+McY +v-##=|ڕ-IRn X25519 NIQfcq9fdcwAm3/7bqVw9XKuHxH6r2r7Lbqjjr/u+2w +Cfz/aTYCh4gNWo+dOzDKXNBaAlt0W/aqTb30ho/i5nM +-> piv-p256 xqSe8Q Al+FYiIKhA9B31HjuxCNE65MfYWKIxO+ZefbPsDWljxu ++K47WX1YQpRkvIzR4ALVucSj21YIv9WUluEQ62ccEWk +-> a"CCg7E9-grease ~ &+9|O +fuXdG2v+8S2Bti9ifpvRPfRZfh9ioXzOuYXcPkyPynbQPy2isAksKx83FgQeRoID +VHH/CKTjy/qFCDec9MXX2i9GCWWrva1n2tfOXl9kh2IZ1Zl2te2rsA +--- Tg/N4zk19YF7LCLd9wb95nyQJs0B59SHO4nh76xif0c +N9ޝ}w2 Q/zbCAu{O&iR,E19=єӇM CpF:9="[ߖ6&}3E&%YA))Ĵ͇m +_oV@U*Q1_L \ No newline at end of file 
diff --git a/secrets/generated/sentinel/loki-basic-auth-hashes.age b/secrets/generated/sentinel/loki-basic-auth-hashes.age index e425eb1fe832579e1e12c6b90cfcd6425409f1ae..c13a4bb3c8420c6c15968b090ed86c9ffd4def91 100644 GIT binary patch delta 2766 zcmV;<3NiJ!6w(!tAb(IrZ&X88M=*3)X>Ubjc1l)bSVCH9HFsG_Hbr4rW?DfxM@(8y zPg*cXI0{2#Nm_L@SVwYtFEBJXS~*WfWh-S>Wn(u?IeJt}bz((Q)z5!H9}cpRCPgPL25BM zLo^C4J|HtXEoX9NVRL05B_L2cKSo6^P9RSwG73{ubvJfcbvbfLa&~l8X;@iTHB2jW zVNrTwSxs(7D}PUEb$K~XSW|drPI@&{Z&OWAVM;GWcy>f|IAaPeEiE7~R#-J|a!zDq zNoI0bOj$}!Mp$=HGIcXoR&8}eYC%o%Ajnti0uUi%?utxR zI>~h%+M*J!XpEJJ-NCaFDm3AYOqig_&cD|EYfzrRF|Ym0BFt3c*4?u`YCX4rlB_|B z50|_VcPhsheY|;_u2X8_u1&}S-yOpd__5qin=h&9mYrGSkvi>aBIrS=)%va8V#_(L zcci0m0DljYMtm1m#W5OtHw-A$h7*#3u~5AD_4{%x0$yEm z5Rv{OkEw~Wk{McQ8&AOR7=-(d9Jed%1Im55NhIYA%uR{Fqz^8-t35A#N@S-4`e1|8 zxepSjKlgO)j!!$O^buD2CWX-B$qnaoSbk-HhJO?$F!tUvG8B3jsD}|R1%2}7%=@kw z+-RKgm|;pMaT&x7fF!L}%{jI9%IRnfGSxX3W$P{(C8gi@0evWOkpjo&x9=D`S!+!3 zQVhMUV+ZEcAEzG)sat^n>p9&D&PDE}%PUGL5LM%x>wUq5U;Fp;)V8xot&aj_8r)a_ z6o0Ca&x{^Tqa<(0Jp)3UA6`w-2x4?BLc{AhQlGFEq61WGivX6TE@{+Unq0(5)nBL9 zWX5S70<9&R-0x$P;lB#lhB;numU|N|NvqNO2u_K{n!1|{=}DBQ*@8S+AR|@m98Pl% zF=!@tVKn>iIUs6u5(H?pX(U>Q0UGp6^?&(9#qM|_=86_H_VFoP!K z2#Ut2OB;B$8w2E5G+3v07q;H51o{mIC=2V8J%kDro7*!ct*}P0?n>dx6Q4+rdDELh zqN_o3mftS6s*eL5>HjIzh)dsY%>31x8(?~A(9|!alusUEz{8ZHB#HamRzS{QK7W9N z%;U~T?4{UMuBNPOeg7gB&8p*wZlZP+ugkDD#An=t1iY>Y;=SD1qO3v!)dE}IgHAxh znEF~#6~8cZv2yAt6P6k9c6G+ICj^A$FU)&G42BZlDfq&uTJ4>3j4V1scI5U@6SD43 zFgGJY0DuOyB6c~g^8fGM$C`Y%6~s6-)%0~>QrjM?m=G@Cw0}|^^tW4>mB*mTN_|fq9Syc6yxQ8vd8=N|tg;ERZFATc zcC~~(+(7*-n(YQ@A<+U;(Cqn-H&dhdi9kibi+D+}REJs%^H+kuNyVP7HrO$k8&;jF z?PfL7qN2OC!Ff5bt?kizl@ACtXN|F-J#}LLFU@2G*lmGf=jSR;9e+&d$)@L}PPxDe zuQE8y!F#RXkx(P$a{fhYfH9i=&+gu>banzg)FvjBrh) z!zogp29}&`?eg;bMw8SUljKYcaArr2ICC&hC_`Odkj1uF4uNa6kB^wxg!p$XEHN>+ zYdidlPktbqKB;9FC7bzu`rTLA7bomgs)KF(<(qYD zd{NX}YXrYu-EjxAp%^Y#{%FACjgpVG$*ewu1B8~8>bg7BQGZWrijUGb6eI2qKu#gX zwQjiRodF;45Ot2g4oQ64yBqvsG;LqA>F9&V!1lzA7w84Z1z|!aExs|KUKY``OV0H{ 
zI5A;xDutXb(Umrr?o$=(i`BVRYe}$T-DtDM>ecHed@Z|z?$|W_PoB`EXiAB4(itTc zQLv?X+ERAXNq_V$UEbHOHcs{DxbWahx}To`w$Y<1Lb9F6kc@h~_yLz@Yu6CK2)OT2 zNQ=Q@utNJB>uDz$sAR--4H?6v@7m>KsLmZQHj)myiRz>0;T?f55{>cB1ur0pcx@ zx*mmkP%*bOJK?el${q6+(Y8fn>U|W4DA<=Y|_f2~CXj{|$v zMJje12hWNi*l__`MzUYdwJ^MfO zbICwZaFrMg^Ng^Mj=3D>y`;2;U$_gX$Rb}F;=75zYG*8|LSy!u$l0vbJ=KPV7FMtK zxEEztLaN$6(N9rvHC^Oe+`J5U>PI?*Yd7~r4kuDB>8|eDsL{Pvtj0g3yVombR8(%k z%YWAs5RFqKF^=yo6#NLm|DBVgXq~kiZ{-(N_+kKjM z6>v8*4bgk+C8cZ;nWj?oj}p42uLFGpof*Q-K4~{SW9N(`o81TgbOuo-Ug(AdWk;!k zq*e(b(W$|c`}j!KJB;3%JdZYp|G3{)-Bc#Y*cgSbQ=S&HxG0Bb3`>VUHEO2|O99o9 U?Fu8AOEC2b$iU4A;c_gMT|LSmi2wiq delta 2610 zcmV-23eEM>6}J?SAb&V)R8m2DR5(gfW-Db^a#~4YL{D)^a93|DGbPGzu*~ zAaH4REpRe5HXwL$Q)M_&AVD%^LP<6_NOD<7H&jwLN_kjPX@6ERPBTV86D{o9R zQDX`%J|IO`cVco{C@(E%a%Ew2WgsMNUn~k`QF=2;x#IX=K8DmwzrJOUQzoK=fj@GN1Tre=ioSE3zEenc!{N9y{4_1Gq z^}Wt2humSiep=ka=f7y1&z5n)VYuQkJre=q5V@z~Nq?bn5Q_Cp6n#xvFA8;LeGN2u z-c?ig%bO=W{`tzcoPnftO|JMt0WA}hSO4q=aUtgfU4NwrOF9>h8+R0U2C;#%enjq? zCk)L7Q*9tP2C0hE+Q_8O0CK?{u;R!dA($U(b}dVWAUQaXFnSF-4x`!q@zyUkX^^Y2 znfo2ae}5X+=W-ZhmvDBF{ULa>?;TX=)6Bu1eAGJ~?UkT_^M0G-9g*m`xfKlxiIgq8 z-YFDL5w;yO_U0VoR7rZTTxU%fyDTM_Qdr=+>7`VdK!&l*9Uy<@}x8gnX7E4)n+dAlHO3@^M4RsL7IknI!q9%2)>-MqYj?M2gVuH z-Ts3?|Ir6DAiw4pvQ!Zkj4{9nD;KsaTle-dR)5=0glWX5wF1p=5d6+N`5d$lJvm;; zBp&-m`Z&u)aC!6bxa>_AKX~-+vSpPAmAC))ra1){q&_nR3pWSOZ0Pqahepm=Y0MDq zI)CVkrBwtU4Wac>-d-b&V#9$<7#-$%#9KF4ws}cUD6Pa2A~uJtfvLmarJ!7!GHbY$zHL4yvy-y?k&p3qB*O+p@qKn$fQSiM_2LjV!keNRTIZ{77miz<<8oj|Lz z5}!FPetM{tf^95kvF~@Vp1~Y=4=U9(pf(ad1atuOgc=ui{j>JA3P8E6DYO8B3L= z^)O>`;9FVpf{5-9fTv6|mMGS)v6@<-yB7H-7_W7fx;6--4*BRB``TFVdLoxYUca%0 z=Ma{eeSGOL#BGAjs7>A(nNm~HyGPls-E_x5U7KPZQr;7SLZ9Wi7L2?bWPe?eE3nnO zXv~+YYSfZ7kI{1bVLBwklIIqU0uSndo0yaUX&fV8z=fP;Uvy`GkTxn<0=OD$JH(G( zr5)gG%`_mHg5&@zK&CG(gzX&X8IMT5RqAWbaWuRT>`sz)EI;&Ir7G1T-)bgT{AwTv zvkiCph}(RV<>JW%EkuV_E`Od$Md@D8>LX{K9Yq&^cw}NfQqheNqHOWtS@87P;0)bq z6{A^~(N&8zD}f~~rHHm#V$bAF?0<9d0<^D4jnut+-5m<_(j?2N~6bAKR5omJ!-M@pj3 
znAq4%MQU<)#FA(iX8F5-QDG*U!vjLbUk$^#L|r$OLewr2*sUB}hCKSymY%6gSUQVF zA+N?mz>8@YMhYpYcGB{0uNjYe&%W0AtfW<+NUHG_u{w>hLQkb#s)!!BT{*@~=#ND7 zt}OAT-C9#-r6tT`4}Zu$FF{dLOOh^u!TEy{NCxIc`uz!yPT-v*mlSwf=La*>y zCqF^YKpl3OtxGBd`X(2>wc{hv+N4IDfp7PcUqii)euZF^zen!aK`UeU_o*J>D_JO2 z%_zqXK2dsux{Y)V7%+CPmE2qZArrGU2us~T{#Yh@;X92{X$=!#L1G`73?@&Q<06*xI zalEiG7=OqCbfT4%g50~tQ9B{WshH|i3YrB6ljz}D$=Nn}+l&ErLEzH%K@6D1ql{~N z*%=i_4fGs9XZNHKJ9HphmPzZR*(LtZIMCdsVfL}6^MBQBL*^Me8RtwoK8D+&dD3qP zqG57gs>Ja2k?o>jM!D5m5C`*D3?UzuRH#gnKNq1VR23GV^0QXQ>r8;I5Ap zi7l}!@)5RevuBz$=tg_+6S{7*m-0!Q#=a3*n}^S4F5yS)gU)wKi-E|pXGibCf-Ph*+4AM z|9{j}O#Xzc6gqJ}yr9vdgsk=Q+O&EQ>>gebq~m}qYY!e;Y>I(*Ml3$ZYL5atxztM% ziGR3421A+Dxn#i-VVr!BA@n2|WUEyFeX{uw@5qVnxn1mc{z_c`qQtR6cW5PZ#mV z*OI(%+0OS&@K{XazizOi^a7%1gH&8h_ zPjh)#N_S&wWp+$@XLoX8X-qFRHc?ABZ8QokJ|JsFEoX9NVRL05TU34^V_R%vSw<)z zG)Ev~UwU*e3TbdPRdz^rW>rvmIdeutcyx1TWic{NM>TL^Fi}o2V^?=IGB`_FMhY!0 zEg&&^LTGg|S3+`HN^x~UP%%@6mzs9Kpl+8O-a7wpM(uKjayhKh(8H5A+l&}B%7;(09QJPkfe68eIjG5_C=!RcyS9Cg{Kd?-#D!IH zVBKurRP6`g1N1WKrI3E8KMEp@mKk89i(fJQDWrj4J}>JDk!7m*%efewT4xmS>GUvg znCvwiW}8i3%i7RPP+kj}`Q<|l1FDxnJe#Q7P)nS>fh5{R%cvDRXqg;I>Ilj%ZqH?- z&+%B>sK0bxN@_*6XzQ-Qrxl=3!94mu#5zwNSu>tZ*v>M z$Y%~qj2}V}=TkmXI-3f0Eh>Nlo6Glw0@g;4HyyJZ8|WPR7Y=uitt@7~TY%gp)k2wS zFGqmIY`guofpcg&f^@?rcZF&KZbR&k0>oXVya(3Q_o&#rO7pR7;D&w(-z6_zWI!OI z?`2xLJ3Te>+wfLnW;pQ8xCZMeP;3g$>;;TOt>vGY3vVh#R7*S#fr?WM}EL zf9S7cb8r5OQV@>3)L>)t4Gfssf0%J|>~FeqVGv`&7XhWccV|5~SKbi)Rx=o6T6WT5 z(AYkfo`XW3@SJk$RIjAVJUQF}64Ktl=rm_rgw{s(Yl(6z?5$#E44^OR94OWtVA!7> zj*AXRXlm|V$243(dt2{DsK^?V`M(SitS^S92f@F2M^ zXpusa(hbA_?1OoS=cet)-fA?RV;*M1Bj>n4|3fLR!EdvA>R<$@>5vu+b`{H@TtgLb z9oyM>ra|rp9c8Q`xMQ%}(oIwc+D6H)A3`k21xOv3146zNS83s&McK%NQb1zr0@U#w zVZ}=~YoH^`I}ei*mHOXkaKnpF8tK}qv* X25519 L5QeScr47cZuTXA2+suY1Z859dDPG7NAiiYUgIA/6Bs ++9/qfyYCn3E4Pt3AiIe1y0ikuCDKn2TxPr2n8P9pbRI +-> piv-p256 xqSe8Q AgqCoxqf5/kIfGz/w1ISInjhla9GM2/E7vbQ4xM2m6BI +wqJBvegatDBotrMVu4Mtu/Ti+ZxmnqM+9S79WrnwGwY +-> cJ+g)As-grease 17 halok $29WPO mJYp 
+BhQNUu5asGzmfKDEQ9uJc5EBKzR5h62BAXMlE2hRs2YdyTDHGYnPt8W3fqPthnw2 +zujauJioA5apYZqEXT6rji9D9LY12tO3Kg +--- dmVnPmT3cgoN8+PLw6VOeN34MCwv9xiq8Dz/moyR3aw +3Fevܫw8ϯJE0YϿkޖ)!#6"# Vqi I mb.J{~ \ No newline at end of file diff --git a/secrets/generated/ward-web-proxy/telegraf-influxdb-token.age b/secrets/generated/ward-web-proxy/telegraf-influxdb-token.age new file mode 100644 index 0000000..a988c47 --- /dev/null +++ b/secrets/generated/ward-web-proxy/telegraf-influxdb-token.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 mDqiVQOWk7oHh8Fe+XfsJuBVYQKX64OBbJJHAlp9+go +Y//Pun+q8oxIoygP4KNdqPQuF4ofsAsrcKBkJAxP+Q4 +-> piv-p256 xqSe8Q AlfJ9Pf9lseof2TLRM13YZn73LypMipUKDWjI9tWe/PS +FwEwUcxtggjuZDQmAHagbBh6PsqnCR2qrAbhei3KYEI +-> k-grease ^kKsR3EO g< S3? +W[LIq2, +5HUcLZxeuBAD+LNu60mipaKZxS1iC50/pM1j5s8SULOjaYsHGkhgcgsuRK/R +--- KzXceMOxfzRsGRXP99cvYn1Al3OHcebz80sGPWF2rww +WGVT"}&m:+3R9D!0"'r%?8_lYnnuaHLׅv \ No newline at end of file 
diff --git a/secrets/rekeyed/sentinel/089eda6d3476434194e52aece39a18f5-loki-basic-auth-hashes.age b/secrets/rekeyed/sentinel/089eda6d3476434194e52aece39a18f5-loki-basic-auth-hashes.age deleted file mode 100644 index d0f42eba2dd41db5933b9f0cfc0423c8e71f350e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2521 zcmV;~2`2VoXJsvAZewzJaCB*JZZ2b7dem zc3>bh3Qt3JMszn~V|O`tVOmX7SZ-u6M=L=JEiEk|PLnyg`W#gK7|mHvYS?*k`y%1B+U5=d5`q?kIm(5>@T!C#`sTnKM4B9x z4xIOlVLR77~n_D{n zSFtv-_b_d@FRZ@FVCfhH$oyyJ2C8h#Ov1)i?>bV%LZzSqja6#%2lp8Ezt9sP+^avZ zh44L8tADxz&gO|o9RHGKaLg3%n(g9r1ALDAH}AE_NeO!DUj`dH`r05Q#J*zCx(Xy_ zwP^?#aEffhowMo@GUrk4bn@*QISGBaLNESUBiNzVC|lV>vF3H#X#H3DWrxebi|s7% z-Z@pmJY>1tjFt9_?|h9qQ6-Neu`pi_M~LClA8dr=z#&vdzPD}dT`pg0kOb-fFg@dx z8IMGZSO$0B#cS=}!9^l%Q#UAsxYX)_0)CPGDE?`F84O=Lq#jgxz!q_)e(N&X$qVY- z1YE;T6=F_WaZ~(@6dp-Jo+_?-o2rM&JOWh~p<9IT{FyM{?=Ot3>5*Mfo5`-#tu=C= z{0!V{&wS01Plym+e}=Y!KYj%$4i7OI9;bPxaD`^z?j5iN6fX1}|9~-dUELAqu>cFv z7xBO4s$JeEwc48~OsmCWh;>FD8LB8AdNopm=SQl)axYKlI%j|ANGyf~Sd>l3U3>%n zT~$U8dj2)eQpoifsXNu&;UzY8OhBavd;EnIk7M_aJSrLuGC zs`3}<3FO&}Ehc#ACf>ti3_G5x9VhP&9N@pGn(kvN z5>vFu%|>hKpPZGx79H?HjjtkUU$nd0ms2~@v6-(>NQL++BCP!0@RS8V$FQ3-?*gmx zglSSsV~cMuVZLRsX?|-GE|=>y={@wEkdTBJ{Z_Z=Qv;_+ihPEC5C7iS=G+j?E5d1; zE8?nx1Q*ylAmTpvZA6OY#}6WS>Jk{GISDZ6-pTZ6x4{R~Vv1J>f6aUsn|0B4D@V6& z#4UEf7B4RBs>fUI;jY-{r((5UbZfUQLN&{%>o`gHa;<{x)u=>M-XLpYgq!IvjH2#_ zQLCX=SYZ2M=yrs&zJz5+rS51PsX2s!;~N{+{A%OidQi1(v(<#ITX+R8p12e72y<_YaEXDBHVK&iVl-7Kr@<7{h zB%fx4v6}2jWJ%=bOhY=PSS>ie(!^!GOMo5m2R7 z14jW(;?aq#*{&W(NT}SNG$P91aJ zj2Ro7v-+z|y5arxcgYOlPM1SG#-3dr!m<334UcAv-%FySLG0&<$P4t~qz6oyUkn$B zT<43eA43USUA@(Ek;KQSpnB?_6xVxufff@9zj9ZsKpQj$e_}y|CrU<9djgWCrwvz? zv=a-{%wgetfKO@Yb}u6@=h(bQAK0#ex}S~Tr1 zWyJj}7)p?!WwkF3e)y=04z8{Eq^AU^vsDEJ1tEyQnpx%=gkebcd2&{Yo~f zQOw%dDm?arpR<@ksasw-oq{33>kENx1JY=p7_6@2zMl>&-M}Aupy>}+u3S-4*BqO> ze`tGyG{+3+?V=7?pf-vueb@0tql^_xf!mCQ9~iH}hp#5hq)TxpT~`mNmWLpn9@4NW jch%I!w3*3T7+uIC*;fLp@G{D*LGeyQ5Ji{t5u~~XHY~nH 
diff --git a/secrets/rekeyed/sentinel/45fcec727e61235564782d3d45463711-loki-basic-auth-hashes.age b/secrets/rekeyed/sentinel/45fcec727e61235564782d3d45463711-loki-basic-auth-hashes.age new file mode 100644 index 0000000000000000000000000000000000000000..c53d63f68ad480322c80e2800a4b4100123e68ec GIT binary patch literal 2628 zcmV-K3cK}TXJsvAZewzJaCB*JZZ2 zLsU{oIYw|tXg6;-QevIiJ|HiBQY~k4Wnpt=AU$^q za8*fBG-y_0HfL3EQ8GzcD`8rAMKo0kEiEk|MQ%1iK~-mGMo%+qc~nqAb3|fUMQUX; zGd65QWo1WlLw7f0b609IPH0UEgn7uE@BNf7^`SjJ38AQb{h<4n z(g|j`hy_z&tX*sJDUsYv9|uyINn;1Y9}c8`zNyOyBbyBqyM70bHVpMN!bQf6f886&t?Fyt*rZbkuWQC<$pyRaO&u zk*uiglT(#m)V7=F37R*;4TqGPqKu>`qPV{`X!zM!V_BW^5(BCRBJ)W}8^L?Mvmw#5 zK~`6{fT!JeuNc+J1KsjJs@P>pTlf06XeA;R%jGjbBG{ zE31NUFqEAV6JND1O<*cJ7L%Q_KvjGWoMO<#gwj*&J6rB$$9~Bh_eFm!Y3iyjjW@q~ z2OhbNVRsIjL~NUAFBRd>!HfOX0t_{_mXrjQ^2IBT!l>9MRRiJBG)w1XovH|jk$8BW z!^E(_u$saUR}wJ<$yI{ShfIIL{aiqqkq2}YkyKk>RM>r)bgi&lYkK+Gby&?*%9QM3 z<}1?$0JlYHK*rxgqYAcq zWu!c9&J$(FdMKcVjJ2AHTXGv7YpM>CI zf5~X-OY#{V%o#Y=#=9>p)pp^p8-vudzNjI7XY#4Tvq1i7fu>~wwi0}{aQbn3OUN#D z7_)wJ8LL({H1b;bh31W@3f&p{V)CT>zXTBJQ$?xAcui)GfNecjwQW7=VD@SI;hKFw zJT2NFvD^v_6N(~po^HG zEgv9Sj1@!o)Nx`IcK*Ba`t$RYOrEaE%z`*ufnRWw)Tek!{dV{Hkz%8hh z&E7E(0K6$pVS(R8t3O(_Z10|U?{NP!WDS@qEuzEDLtM-)&J8j@(-9SmbtM?w zbGoL=Mmjq}{{pffit;Z{+%XH;6t3fcVV9v&S9BS9-!<$>5Pmc}a@G7APozx*Z+ZdU zVAg<3>@tyNB^w7vv)ZzHVR6RPeYv27)|((c^aC8{nl0*2s{WeVD6X+xENYK(TM@ z1r8r3!UYA4l`^q5RIMlH%;<1-a)}vdWt1+?miGq~2}mdfdx|mCU~|L*$JPEyV-0;y zKvI9|(eb4?H}QQVh8n?ImCNgm@8x}W#7FTwnd&VgNWSRIW}xJw9}-9((sxJkO$jsA z>F_=$T|Y|QrK8LcNi%XNspXjy!WD_!&uPh<%9Km$%gfv!OF^4+~R=Y+eaIkS97ALs<@8_dPr__BlJ=P^y7$##Z`vBED>yA zp21_@aGwXjpzr_1h*2&Hk2Q8diTVvGRv8^APMOz9)WEc$aklHt?q`Ff0-h$0cAc6M z{5W!|Z`0yZ! 
zl74(%J9Yf>hSXNP$c$%?r2nAfB(~P`Gd5|xcOE^8{VAYl%S9JuUdLHjHDkB_TlryP zme^P3(t0}aRmvKLBNI%IOT}v&x6-)(UprHNgb((Qu;5;4CQzq=P>#cyPeVVwb29Of zvs~(?3}(=l%wEiqOC`f5Ey)Ceu(pFVsm)1*2-u6DTR{k8XPX5Fg(Z!Ae9$b`U%I#6a+ky)!s0Fe{jFe>G%ch4K9%GH-N40A zPcA(13_Pc-6$lEOk!&{a7&P0^DeXYTv~1Uor=`O22%;du^5lYCnvmnhgi_!1Sg7 literal 0 HcmV?d00001 diff --git a/secrets/rekeyed/sire-influxdb/77e41d6d4f1ee94ad7d26e00c3363352-telegraf-influxdb-token-ward-web-proxy.age b/secrets/rekeyed/sire-influxdb/77e41d6d4f1ee94ad7d26e00c3363352-telegraf-influxdb-token-ward-web-proxy.age new file mode 100644 index 0000000..0deab71 --- /dev/null +++ b/secrets/rekeyed/sire-influxdb/77e41d6d4f1ee94ad7d26e00c3363352-telegraf-influxdb-token-ward-web-proxy.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 1tdZKQ UFx8Re0mcIt2HcL5x/GaXoi2CezPo6K7dKFD+nzfURg +sPM57TihJrVuRIhAUHVfehcGOhw4w3DRHTwW12cmEoU +-> }0-grease C\z~D+j +wMZmyvzkl/4iDjjH2kq0bbiPImhlesbTgLTV09l4tiep7EEzeKm2BoG+gmTVDQ +--- PzpDgRPy2dE/rvmZoKmJUDdY6yDaP3FCgL9t63YVWUM +E 0RKI=sTF$wp IdEWP[^'w,9݄AMx 0ۃ +S]OC \ No newline at end of file diff --git a/secrets/rekeyed/ward-web-proxy/16cd8ee5ae22b74c03ca5169c62b1666-acme-cloudflare-zone-token.age b/secrets/rekeyed/ward-web-proxy/16cd8ee5ae22b74c03ca5169c62b1666-acme-cloudflare-zone-token.age new file mode 100644 index 0000000000000000000000000000000000000000..f029dc276b7c586db46c22465af386f27ed6c7e5 GIT binary patch literal 419 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCUlEB7x5aa8b55AaAV zNlSN(bj>d=4DvC^3oc0xFfB?6jVjN{EiJ4FjW7$U2r?^m3gimP@Ubk>ckwAqEpjo) zPRxohF3xk$G;ztXNG*#<^U6%~3eEM)&eks~HvrjYkQ1k@U7MhrUX+?xoT`v)=-{GL zYNwE{TpXd0BfPSeEWnlJ1w`U6N(uY#ClrROKCEl9O9zX_*!o zU}ou`5^n0_Qt6`|oRx22kX~%&oEBQ_l$7QjS`gut#}%36WZ~^u?B?U)>zHfgR~nd@ z98{tmQefiZ?C9s}8c)k8j~3OKke(W4P#F-C=H~5aSrO_|Q0|=J>6Tg^?927M;_I47hUzf0qU~l)7c^(* z3iyilIwhzaG1>Rxk=9f1w=Ly6IRE?dhg(Iw)L!2?ODtWMYms`p_xGLWADM?=m}e}- L@#%vQ+xvF_jZTsp literal 0 HcmV?d00001 
diff --git a/secrets/rekeyed/ward-web-proxy/3b347f2a2024cd71914fb44bd0cf027d-telegraf-influxdb-token.age b/secrets/rekeyed/ward-web-proxy/3b347f2a2024cd71914fb44bd0cf027d-telegraf-influxdb-token.age new file mode 100644 index 0000000000000000000000000000000000000000..df19aeda9c47029586e8fcb9d166974d1dd6b484 GIT binary patch literal 326 zcmV-M0lEHRXJsvAZewzJaCB*JZZ2-LUS=w zZcR68cTH()QgLWTD{xR!QDbLONLn&iT2)d-Q%!hsZgUDPJ|ISXRxd3rXL4m>b7dfB zQ*?boTS6dFF-HnVWKnr)P-$0iLu-0DQh9S)W>{8QD{3`iH%E41Lsw2KXk$qVEiEk| zM{#d(VQ@%uRAxamHdruOPf1#9F>X~bGfQMrS4&whZdg}(F-c)JXKQl`?&no7x2fDg7X0HfunA?xC}?Y*OE{`e;Qom?0AN&LHKtW-fDyO+(ey-B1&8v6 Ya8lBx=k@-T;kNg3ExFxKdw0yQ8UG}Cl>h($ literal 0 HcmV?d00001 diff --git a/secrets/rekeyed/ward-web-proxy/3ecb8cd7dc2d4ba24de6f1f1ed0b9e1c-dhparams.pem.age b/secrets/rekeyed/ward-web-proxy/3ecb8cd7dc2d4ba24de6f1f1ed0b9e1c-dhparams.pem.age new file mode 100644 index 0000000000000000000000000000000000000000..c496e69c45391e6ebfc2232560e96068bf5408d3 GIT binary patch literal 1094 zcmV-M1iAZRXJsvAZewzJaCB*JZZ2b?kd22NRzfj0PdGSmR&Q)~c~dq?N=8;_b~Y<7Z#YO)SXfzZXhbt)R$4PFD=~0VO?qic zcY0<;YcW$vHEBpxaa4J43QT!rF+yTeaxyP4HBK^PIc_jnXJ~JBNN74V?=% zn7kt)pc{hOaygoAaO`dMc?oO<{7sL449#edrJf^>@TRW|3Q0elL3G1RItWBGFZA&2 zCR~3+<@~-=KyPrk1E~S)ojv-w8iDcC?7l+-HmX*}=oXI-b3x-$-0;mSBSU8*XGDqqlwe?HfouQXqCRoW`mIf#c4c&9Wal1 zU8YPYx=>#dxl7(lmMQ@^$+US;)9x}3^NMN?1Qx{Id>sN?6WV zqj{I9kr$`-P_bk*Z={@m__WL8woVbKf|atD3Nn_*5|{fjA<0JK+Lqd}GeaUEqyz+YVS9ie zTMH<}tS6>lUq_vDLGZ6|hj!BQLr#WBTI^g32wEzA?I8Zl69LdkKQvN;XRjew%9EDCqcj`dboR=Qb Mgr-}4F*B&K=4sL7jQ{`u literal 0 HcmV?d00001 
diff --git a/secrets/rekeyed/ward-web-proxy/7a373fa309ea4806998a5716906f3cac-promtail-loki-basic-auth-password.age b/secrets/rekeyed/ward-web-proxy/7a373fa309ea4806998a5716906f3cac-promtail-loki-basic-auth-password.age new file mode 100644 index 0000000000000000000000000000000000000000..1df975066d3770f44402e280005bb80c4a05394e GIT binary patch literal 385 zcmWm7O;6fj007{f$kLtE`@%w^2YlgufeOS#!>0vX+CphVqcNpzURv7HPbiDVzu+HG zZ(fWS<7qo^BA(0^60_Yl|ANQuVtoFxV_0bOLaBwI~ z$co9Bsk$Y0R6Ue>T!3OstBM)1bu5qHxAC!&IsyAz0QUN&kbhA?jC%32Hu zis)w*b#5Xi@EAMWvr1+fIbNa4)@FlTMMRpRwW;>J$j7iqw7Q2 ssh-ed25519 NwOpTA phHAnMhRnbsn7xSs7aWA65U/ZQusblSQ5dx0W7BgUmQ +uYeX2njTvlGDpI7UQ3SwQJru0rc7SVcvVqy1UB9i+i4 +-> 3a@Ad*-grease 2$Q$, ghooe0R +BrufnH/DkowTfeg/KW4a3ka10mONjewEiV70ag +--- 0yFOek1QRJRzSuGzx91aB31S4jA5ieoqFw+jAFLL/Rs +ёοux܏ 6clX0v}9yuQU"\Y? ϔZHPlz \ No newline at end of file