diff --git a/config/users.nix b/config/users.nix
index 0ea6f90..cf30a62 100644
--- a/config/users.nix
+++ b/config/users.nix
@@ -47,5 +47,6 @@
       # firefly-pico = uidGid 964;
       avahi = uidGid 963;
       ente = uidGid 962;
+      minio = uidGid 961;
     };
 }
diff --git a/hosts/sentinel/default.nix b/hosts/sentinel/default.nix
index 774f011..6e9f76f 100644
--- a/hosts/sentinel/default.nix
+++ b/hosts/sentinel/default.nix
@@ -54,4 +54,15 @@
     # This node shall monitor the infrastructure
     availableMonitoringNetworks = [ "internet" ];
   };
+
+  services.ente.web = {
+    enable = true;
+    domains = {
+      api = "api.photos.${globals.domains.me}";
+      accounts = "accounts.photos.${globals.domains.me}";
+      albums = "albums.photos.${globals.domains.me}";
+      cast = "cast.photos.${globals.domains.me}";
+      photos = "photos.${globals.domains.me}";
+    };
+  };
 }
diff --git a/hosts/sentinel/firezone.nix b/hosts/sentinel/firezone.nix
index dceb1a8..94dbb4d 100644
--- a/hosts/sentinel/firezone.nix
+++ b/hosts/sentinel/firezone.nix
@@ -12,7 +12,12 @@ let
   # FIXME: new entry here? make new firezone gateway on ward entry too.
   homeDomains = [
     globals.services.grafana.domain
-    globals.services.ente.domain
+    "accounts.photos.${globals.domains.me}"
+    "albums.photos.${globals.domains.me}"
+    "api.photos.${globals.domains.me}"
+    "cast.photos.${globals.domains.me}"
+    "photos.${globals.domains.me}"
+    "s3.photos.${globals.domains.me}"
     globals.services.immich.domain
     globals.services.influxdb.domain
     globals.services.loki.domain
diff --git a/hosts/sentinel/secrets/local.nix.age b/hosts/sentinel/secrets/local.nix.age
index e4a317b..0039011 100644
Binary files a/hosts/sentinel/secrets/local.nix.age and b/hosts/sentinel/secrets/local.nix.age differ
diff --git a/hosts/sire/default.nix b/hosts/sire/default.nix
index 277d7e1..6287694 100644
--- a/hosts/sire/default.nix
+++ b/hosts/sire/default.nix
@@ -150,7 +150,9 @@
       }
       // mkMicrovm "ai" { }
       // mkMicrovm "minecraft" { }
-      // mkMicrovm "ente" { }
+      // mkMicrovm "ente" {
+        enableStorageDataset = true;
+      }
       #// mkMicrovm "fasten-health" {}
     );
 }
diff --git a/hosts/sire/guests/ente.nix b/hosts/sire/guests/ente.nix
new file mode 100644
index 0000000..b1b3fa0
--- /dev/null
+++ b/hosts/sire/guests/ente.nix
@@ -0,0 +1,238 @@
+{
+  config,
+  globals,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  enteAccountsDomain = "accounts.photos.${globals.domains.me}";
+  enteAlbumsDomain = "albums.photos.${globals.domains.me}";
+  enteApiDomain = "api.photos.${globals.domains.me}";
+  enteCastDomain = "cast.photos.${globals.domains.me}";
+  entePhotosDomain = "photos.${globals.domains.me}";
+  s3Domain = "s3.photos.${globals.domains.me}";
+
+  proxyConfig = remoteAddr: nginxExtraConfig: {
+    upstreams.ente = {
+      servers."${remoteAddr}:80" = { };
+      extraConfig = ''
+        zone ente 64k;
+        keepalive 20;
+      '';
+      monitoring.enable = true;
+    };
+
+    upstreams.museum = {
+      servers."${remoteAddr}:8080" = { };
+      extraConfig = ''
+        zone museum 64k;
+        keepalive 20;
+      '';
+    };
+
+    upstreams.minio = {
+      servers."${remoteAddr}:9000" = { };
+      extraConfig = ''
+        zone minio 64k;
+        keepalive 20;
+      '';
+    };
+
+    virtualHosts =
+      {
+        ${enteApiDomain} = {
+          forceSSL = true;
+          useACMEWildcardHost = true;
+          locations."/".proxyPass = "http://museum";
+          extraConfig = ''
+            client_max_body_size 4M;
+            ${nginxExtraConfig}
+          '';
+        };
+        ${s3Domain} = {
+          forceSSL = true;
+          useACMEWildcardHost = true;
+          locations."/".proxyPass = "http://minio";
+          extraConfig = ''
+            client_max_body_size 32M;
+            proxy_buffering off;
+            proxy_request_buffering off;
+            ${nginxExtraConfig}
+          '';
+        };
+      }
+      // lib.genAttrs
+        [
+          enteAccountsDomain
+          enteAlbumsDomain
+          enteCastDomain
+          entePhotosDomain
+        ]
+        (_domain: {
+          useACMEWildcardHost = true;
+          extraConfig = nginxExtraConfig;
+        });
+  };
+in
+{
+  wireguard.proxy-sentinel = {
+    client.via = "sentinel";
+    firewallRuleForNode.sentinel.allowedTCPPorts = [
+      80
+      9000
+    ];
+  };
+
+  wireguard.proxy-home = {
+    client.via = "ward";
+    firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [
+      80
+      9000
+    ];
+  };
+
+  globals.services.ente.domain = entePhotosDomain;
+  # FIXME: also monitor from internal network
+  globals.monitoring.http.ente = {
+    url = "https://${entePhotosDomain}";
+    expectedBodyRegex = "Ente Photos";
+    network = "internet";
+  };
+
+  fileSystems."/storage".neededForBoot = true;
+  environment.persistence."/storage".directories = [
+    {
+      directory = "/var/lib/minio";
+      user = "minio";
+      group = "minio";
+      mode = "0750";
+    }
+  ];
+
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/ente";
+      user = "ente";
+      group = "ente";
+      mode = "0750";
+    }
+  ];
+
+  # NOTE: don't use the root user for access. In this case it doesn't matter
+  # since the whole minio server is only for ente anyway, but it would be a
+  # good practice.
+  age.secrets.minio-access-key = {
+    generator.script = "alnum";
+    mode = "440";
+    group = "ente";
+  };
+  age.secrets.minio-secret-key = {
+    generator.script = "alnum";
+    mode = "440";
+    group = "ente";
+  };
+  age.secrets.minio-root-credentials = {
+    generator.dependencies = [
+      config.age.secrets.minio-access-key
+      config.age.secrets.minio-secret-key
+    ];
+    generator.script =
+      {
+        lib,
+        decrypt,
+        deps,
+        ...
+      }:
+      ''
+        echo -n "MINIO_ROOT_USER="
+        ${decrypt} ${lib.escapeShellArg (builtins.elemAt deps 0).file}
+        echo -n "MINIO_ROOT_PASSWORD="
+        ${decrypt} ${lib.escapeShellArg (builtins.elemAt deps 1).file}
+      '';
+    mode = "440";
+    group = "minio";
+  };
+
+  # base64 (url)
+  age.secrets.ente-jwt = {
+    generator.script =
+      { pkgs, ... }: "${pkgs.openssl}/bin/openssl rand -base64 32 | tr -d '\n' | tr '/+' '_-'";
+    mode = "440";
+    group = "ente";
+  };
+  # base64 (standard)
+  age.secrets.ente-encryption-key = {
+    generator.script = "base64";
+    mode = "440";
+    group = "ente";
+  };
+  # base64 (standard)
+  age.secrets.ente-hash-key = {
+    generator.script = { pkgs, ... }: "${pkgs.openssl}/bin/openssl rand -base64 64 | tr -d '\n'";
+    mode = "440";
+    group = "ente";
+  };
+
+  services.minio = {
+    enable = true;
+    rootCredentialsFile = config.age.secrets.minio-root-credentials.path;
+  };
+  systemd.services.minio = {
+    environment.MINIO_SERVER_URL = "https://${s3Domain}";
+    postStart = ''
+      # Wait until minio is up
+      ${lib.getExe pkgs.curl} --retry 5 --retry-connrefused --fail --no-progress-meter -o /dev/null "http://localhost:9000/minio/health/live"
+
+      # Make sure bucket exists
+      mkdir -p ${lib.escapeShellArg config.services.minio.dataDir}/data/ente
+    '';
+  };
+
+  systemd.services.ente.after = [ "minio.service" ];
+  services.ente.api = {
+    enable = true;
+    enableLocalDB = true;
+    domain = enteApiDomain;
+    settings = {
+      apps = {
+        accounts = "https://${enteAccountsDomain}";
+        cast = "https://${enteCastDomain}";
+        public-albums = "https://${enteAlbumsDomain}";
+      };
+
+      webauthn = {
+        rpid = enteAccountsDomain;
+        rporigins = [ "https://${enteAccountsDomain}" ];
+      };
+
+      s3 = {
+        use_path_style_urls = true;
+        b2-eu-cen = {
+          endpoint = "https://${s3Domain}";
+          region = "us-east-1";
+          bucket = "ente";
+          key._secret = config.age.secrets.minio-access-key.path;
+          secret._secret = config.age.secrets.minio-secret-key.path;
+        };
+      };
+
+      jwt.secret._secret = config.age.secrets.ente-jwt.path;
+      key = {
+        encryption._secret = config.age.secrets.ente-encryption-key.path;
+        hash._secret = config.age.secrets.ente-hash-key.path;
+      };
+    };
+  };
+
+  # NOTE: services.ente.web is configured separately on both proxy servers!
+  nodes.sentinel.services.nginx = proxyConfig config.wireguard.proxy-sentinel.ipv4 "";
+  nodes.ward-web-prox.services.nginxy = proxyConfig config.wireguard.proxy-home.ipv4 ''
+    allow ${globals.net.home-lan.vlans.home.cidrv4};
+    allow ${globals.net.home-lan.vlans.home.cidrv6};
+    # Firezone traffic
+    allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4};
+    allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6};
+    deny all;
+  '';
+}
diff --git a/hosts/sire/secrets/ente/host.pub b/hosts/sire/secrets/ente/host.pub
new file mode 100644
index 0000000..83f16da
--- /dev/null
+++ b/hosts/sire/secrets/ente/host.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPHm23XtSiwueXpmqJqFWIxYVWU/eq+dQ0PcwMrsN+c
diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index b5207b7..518ee23 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -13,7 +13,13 @@ let
   # FIXME: new entry here? make new firezone entry too.
   homeDomains = [
     globals.services.grafana.domain
-    globals.services.ente.domain
+    # TODO: allow multiple domains per global service.
+    "accounts.photos.${globals.domains.me}"
+    "albums.photos.${globals.domains.me}"
+    "api.photos.${globals.domains.me}"
+    "cast.photos.${globals.domains.me}"
+    "photos.${globals.domains.me}"
+    "s3.photos.${globals.domains.me}"
     globals.services.immich.domain
     globals.services.influxdb.domain
     globals.services.loki.domain
diff --git a/hosts/ward/guests/adguardhome.nix b/hosts/ward/guests/adguardhome.nix
index f7b6bbd..626859d 100644
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@@ -112,7 +112,12 @@ in
               # FIXME: new entry here? make new firezone entry too.
               # FIXME: new entry here? make new firezone gateway on ward entry too.
               globals.services.grafana.domain
-              globals.services.ente.domain
+              "accounts.photos.${globals.domains.me}"
+              "albums.photos.${globals.domains.me}"
+              "api.photos.${globals.domains.me}"
+              "cast.photos.${globals.domains.me}"
+              "photos.${globals.domains.me}"
+              "s3.photos.${globals.domains.me}"
               globals.services.immich.domain
               globals.services.influxdb.domain
               globals.services.loki.domain
diff --git a/hosts/ward/guests/web-proxy.nix b/hosts/ward/guests/web-proxy.nix
index efb50bd..45ffe09 100644
--- a/hosts/ward/guests/web-proxy.nix
+++ b/hosts/ward/guests/web-proxy.nix
@@ -85,4 +85,15 @@ in
   users.groups.acme.members = [ "nginx" ];
   services.nginx.enable = true;
   services.nginx.recommendedSetup = true;
+
+  services.ente.web = {
+    enable = true;
+    domains = {
+      api = "api.photos.${globals.domains.me}";
+      accounts = "accounts.photos.${globals.domains.me}";
+      albums = "albums.photos.${globals.domains.me}";
+      cast = "cast.photos.${globals.domains.me}";
+      photos = "photos.${globals.domains.me}";
+    };
+  };
 }
diff --git a/modules/default.nix b/modules/default.nix
index fe00f12..a1176f9 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -4,6 +4,7 @@
     ./backups.nix
     ./deterministic-ids.nix
     ./distributed-config.nix
+    ./ente.nix
     ./globals.nix
     ./meta.nix
     ./nginx-upstream-monitoring.nix
diff --git a/modules/ente.nix b/modules/ente.nix
new file mode 100644
index 0000000..2cceb5e
--- /dev/null
+++ b/modules/ente.nix
@@ -0,0 +1,346 @@
+{
+  config,
+  lib,
+  pkgs,
+  utils,
+  ...
+}:
+let
+  inherit (lib)
+    getExe
+    mkDefault
+    mkEnableOption
+    mkIf
+    mkMerge
+    mkOption
+    mkPackageOption
+    optional
+    types
+    ;
+
+  cfgApi = config.services.ente.api;
+  cfgWeb = config.services.ente.web;
+
+  webPackage =
+    enteApp:
+    cfgWeb.package.override {
+      inherit enteApp;
+      enteMainUrl = "https://${cfgWeb.domains.photos}";
+      extraBuildEnv = {
+        NEXT_PUBLIC_ENTE_ENDPOINT = "https://${cfgWeb.domains.api}";
+        NEXT_PUBLIC_ENTE_ALBUMS_ENDPOINT = "https://${cfgWeb.domains.albums}";
+        NEXT_TELEMETRY_DISABLED = "1";
+      };
+    };
+
+  defaultUser = "ente";
+  defaultGroup = "ente";
+  dataDir = "/var/lib/ente";
+
+  yamlFormat = pkgs.formats.yaml { };
+in
+{
+  options.services.ente = {
+    web = {
+      enable = mkEnableOption "Ente web frontend (Photos, Albums)";
+      package = mkPackageOption pkgs "ente-web" { };
+
+      domains = {
+        api = mkOption {
+          type = types.str;
+          description = ''
+            The domain under which the api is served. This will NOT serve the api itself,
+            but is a required setting to host the frontends! This will automatically be set
+            for you if you enable both the api server and web frontends.
+          '';
+        };
+
+        accounts = mkOption {
+          type = types.str;
+          description = "The domain under which the accounts frontend will be served.";
+        };
+
+        cast = mkOption {
+          type = types.str;
+          description = "The domain under which the cast frontend will be served.";
+        };
+
+        albums = mkOption {
+          type = types.str;
+          description = "The domain under which the albums frontend will be served.";
+        };
+
+        photos = mkOption {
+          type = types.str;
+          description = "The domain under which the photos frontend will be served.";
+        };
+      };
+    };
+
+    api = {
+      enable = mkEnableOption "Museum (API server for ente.io)";
+      package = mkPackageOption pkgs "museum" { };
+      nginx.enable = mkEnableOption "nginx proxy for the API server";
+
+      user = mkOption {
+        type = types.str;
+        default = defaultUser;
+        description = "User under which museum runs.";
+      };
+
+      group = mkOption {
+        type = types.str;
+        default = defaultGroup;
+        description = "Group under which museum runs.";
+      };
+
+      domain = mkOption {
+        type = types.str;
+        description = "The domain under which the api will be served.";
+      };
+
+      enableLocalDB = mkEnableOption "the automatic creation of a local postgres database for museum.";
+
+      settings = mkOption {
+        description = ''
+          Museum yaml configuration. Refer to upstream [local.yaml](https://github.com/ente-io/ente/blob/main/server/configurations/local.yaml) for more information.
+          You can specify secret values in this configuration by setting `somevalue._secret = "/path/to/file"` instead of setting `somevalue` directly.
+        '';
+        default = { };
+        type = types.submodule {
+          freeformType = yamlFormat.type;
+          options = {
+            apps = {
+              public-albums = mkOption {
+                type = types.str;
+                default = "https://albums.ente.io";
+                description = ''
+                  If you're running a self hosted instance and wish to serve public links,
+                  set this to the URL where your albums web app is running.
+                '';
+              };
+
+              cast = mkOption {
+                type = types.str;
+                default = "https://cast.ente.io";
+                description = ''
+                  Set this to the URL where your cast page is running.
+                  This is for browser and chromecast casting support.
+                '';
+              };
+
+              accounts = mkOption {
+                type = types.str;
+                default = "https://accounts.ente.io";
+                description = ''
+                  Set this to the URL where your accounts page is running.
+                  This is primarily for passkey support.
+                '';
+              };
+            };
+
+            db = {
+              host = mkOption {
+                type = types.str;
+                description = "The database host";
+              };
+
+              port = mkOption {
+                type = types.port;
+                default = 5432;
+                description = "The database port";
+              };
+
+              name = mkOption {
+                type = types.str;
+                description = "The database name";
+              };
+
+              user = mkOption {
+                type = types.str;
+                description = "The database user";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+
+  config = mkMerge [
+    (mkIf cfgApi.enable {
+      services.postgresql = mkIf cfgApi.enableLocalDB {
+        enable = true;
+        ensureUsers = [
+          {
+            name = "ente";
+            ensureDBOwnership = true;
+          }
+        ];
+        ensureDatabases = [ "ente" ];
+      };
+
+      services.ente.web.domains.api = mkIf cfgWeb.enable cfgApi.domain;
+      services.ente.api.settings = {
+        log-file = mkDefault "";
+        db = mkIf cfgApi.enableLocalDB {
+          host = "/run/postgresql";
+          port = 5432;
+          name = "ente";
+          user = "ente";
+        };
+      };
+
+      systemd.services.ente = {
+        description = "Ente.io Museum API Server";
+        after = [ "network.target" ] ++ optional cfgApi.enableLocalDB "postgresql.service";
+        requires = optional cfgApi.enableLocalDB "postgresql.service";
+        wantedBy = [ "multi-user.target" ];
+
+        preStart = ''
+          # Generate config including secret values. YAML is a superset of JSON, so we can use this here.
+          ${utils.genJqSecretsReplacementSnippet cfgApi.settings "/run/ente/local.yaml"}
+
+          # Setup paths
+          mkdir -p ${dataDir}/configurations
+          ln -sTf /run/ente/local.yaml ${dataDir}/configurations/local.yaml
+        '';
+
+        serviceConfig = {
+          ExecStart = getExe cfgApi.package;
+          Type = "simple";
+          Restart = "on-failure";
+
+          AmbientCapablities = [ ];
+          CapabilityBoundingSet = [ ];
+          LockPersonality = true;
+          MemoryDenyWriteExecute = true;
+          NoNewPrivileges = true;
+          PrivateMounts = true;
+          PrivateTmp = true;
+          PrivateUsers = false;
+          ProcSubset = "pid";
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectProc = "invisible";
+          ProtectSystem = "strict";
+          RestrictAddressFamilies = [
+            "AF_INET"
+            "AF_INET6"
+            "AF_NETLINK"
+            "AF_UNIX"
+          ];
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          SystemCallArchitectures = "native";
+          SystemCallFilter = "@system-service";
+          UMask = "077";
+
+          BindReadOnlyPaths = [
+            "${cfgApi.package}/share/museum/migrations:${dataDir}/migrations"
+            "${cfgApi.package}/share/museum/mail-templates:${dataDir}/mail-templates"
+          ];
+
+          User = cfgApi.user;
+          Group = cfgApi.group;
+
+          SyslogIdentifier = "ente";
+          StateDirectory = "ente";
+          WorkingDirectory = dataDir;
+          RuntimeDirectory = "ente";
+        };
+
+        # Environment MUST be called local, otherwise we cannot log to stdout
+        environment = {
+          ENVIRONMENT = "local";
+          GIN_MODE = "release";
+        };
+      };
+
+      users = {
+        users = mkIf (cfgApi.user == defaultUser) {
+          ${defaultUser} = {
+            description = "ente.io museum service user";
+            inherit (cfgApi) group;
+            isSystemUser = true;
+            home = dataDir;
+          };
+        };
+        groups = mkIf (cfgApi.group == defaultGroup) { ${defaultGroup} = { }; };
+      };
+
+      services.nginx = mkIf cfgApi.nginx.enable {
+        enable = true;
+        upstreams.museum = {
+          servers."localhost:8080" = { };
+          extraConfig = ''
+            zone museum 64k;
+            keepalive 20;
+          '';
+        };
+
+        virtualHosts.${cfgApi.domain} = {
+          forceSSL = mkDefault true;
+          locations."/".proxyPass = "http://museum";
+          extraConfig = ''
+            client_max_body_size 4M;
+          '';
+        };
+      };
+    })
+    (mkIf cfgWeb.enable {
+      services.ente.api.settings = mkIf cfgApi.enable {
+        apps = {
+          accounts = "https://${cfgWeb.domains.accounts}";
+          cast = "https://${cfgWeb.domains.cast}";
+          public-albums = "https://${cfgWeb.domains.albums}";
+        };
+
+        webauthn = {
+          rpid = cfgWeb.domains.accounts;
+          rporigins = [ "https://${cfgWeb.domains.accounts}" ];
+        };
+      };
+
+      services.nginx =
+        let
+          domainFor = app: cfgWeb.domains.${app};
+        in
+        {
+          enable = true;
+          virtualHosts.${domainFor "accounts"} = {
+            forceSSL = mkDefault true;
+            locations."/" = {
+              root = webPackage "accounts";
+              tryFiles = "$uri $uri.html /index.html";
+            };
+          };
+          virtualHosts.${domainFor "cast"} = {
+            forceSSL = mkDefault true;
+            locations."/" = {
+              root = webPackage "cast";
+              tryFiles = "$uri $uri.html /index.html";
+            };
+          };
+          virtualHosts.${domainFor "photos"} = {
+            serverAliases = [
+              (domainFor "albums") # the albums app is shared with the photos frontend
+            ];
+            forceSSL = mkDefault true;
+            locations."/" = {
+              root = webPackage "photos";
+              tryFiles = "$uri $uri.html /index.html";
+            };
+          };
+        };
+    })
+  ];
+
+  meta.maintainers = with lib.maintainers; [ oddlama ];
+}
diff --git a/pkgs/default.nix b/pkgs/default.nix
index df2d242..ef5abf1 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -18,6 +18,8 @@ _inputs: [
     #   })
     # ];
 
+    ente-web = prev.callPackage ./ente-web.nix { };
+
     formats = prev.formats // {
       ron = import ./ron.nix { inherit (prev) lib pkgs; };
     };
diff --git a/pkgs/ente-web.nix b/pkgs/ente-web.nix
new file mode 100644
index 0000000..71453b8
--- /dev/null
+++ b/pkgs/ente-web.nix
@@ -0,0 +1,91 @@
+{
+  lib,
+  stdenv,
+  fetchFromGitHub,
+  fetchYarnDeps,
+  nodejs,
+  yarnConfigHook,
+  yarnBuildHook,
+  nix-update-script,
+  extraBuildEnv ? { },
+  # This package contains serveral sub-applications. This specifies which of them you want to build.
+  enteApp ? "photos",
+  # Accessing some apps (such as account) directly will result in a hardcoded redirect to ente.io.
+  # To prevent users from accidentally logging in to ente.io instead of the selfhosted instance, you
+  # can set this parameter to override these occurrences with your own url. Must include the schema.
+  # Example: https://my-ente.example.com
+  enteMainUrl ? null,
+}:
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "ente-web-${enteApp}";
+  version = "1.0.4";
+
+  src = fetchFromGitHub {
+    owner = "ente-io";
+    repo = "ente";
+    sparseCheckout = [ "web" ];
+    tag = "photos-v${finalAttrs.version}";
+    fetchSubmodules = true;
+    hash = "sha256-M1kAZgqjbWNn6LqymtWRmAk/v0vWEGbyS50lVrsr85o=";
+  };
+  sourceRoot = "${finalAttrs.src.name}/web";
+
+  offlineCache = fetchYarnDeps {
+    yarnLock = "${finalAttrs.src}/web/yarn.lock";
+    hash = "sha256-EYhYwy6+7bgWckU/7SfL1PREWw9JUgKxWadSVtoZwXs=";
+  };
+
+  nativeBuildInputs = [
+    yarnConfigHook
+    yarnBuildHook
+    nodejs
+  ];
+
+  # See: https://github.com/ente-io/ente/blob/main/web/apps/photos/.env
+  env = extraBuildEnv;
+
+  # Replace hardcoded ente.io urls if desired
+  postPatch = lib.optionalString (enteMainUrl != null) ''
+    substituteInPlace \
+      apps/payments/src/services/billing.ts \
+      apps/photos/src/pages/shared-albums.tsx \
+      --replace-fail "https://ente.io" ${lib.escapeShellArg enteMainUrl}
+
+    substituteInPlace \
+      apps/accounts/src/pages/index.tsx \
+      --replace-fail "https://web.ente.io" ${lib.escapeShellArg enteMainUrl}
+  '';
+
+  yarnBuildScript = "build:${enteApp}";
+  installPhase =
+    let
+      distName = if enteApp == "payments" then "dist" else "out";
+    in
+    ''
+      runHook preInstall
+
+      cp -r apps/${enteApp}/${distName} $out
+
+      runHook postInstall
+    '';
+
+  passthru.updateScript = nix-update-script {
+    extraArgs = [
+      "--version-regex"
+      "photos-v(.*)"
+    ];
+  };
+
+  meta = {
+    description = "Ente application web frontends";
+    homepage = "https://ente.io/";
+    changelog = "https://github.com/ente-io/ente/releases";
+    license = lib.licenses.agpl3Only;
+    maintainers = with lib.maintainers; [
+      pinpox
+      oddlama
+    ];
+    platforms = lib.platforms.all;
+  };
+})
diff --git a/secrets/generated/sentinel/loki-basic-auth-hashes.age b/secrets/generated/sentinel/loki-basic-auth-hashes.age
index b5cef56..858f27a 100644
Binary files a/secrets/generated/sentinel/loki-basic-auth-hashes.age and b/secrets/generated/sentinel/loki-basic-auth-hashes.age differ
diff --git a/secrets/generated/sire-ente/ente-encryption-key.age b/secrets/generated/sire-ente/ente-encryption-key.age
new file mode 100644
index 0000000..6c1e565
--- /dev/null
+++ b/secrets/generated/sire-ente/ente-encryption-key.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 zRngxioYpKJbERi6At0Wiuy9D9vVfieDcpElvJWeIUI
+qYMaG1W7b42179kEL2NJsuCoREGrZBPs+U8+rNdFyOM
+-> piv-p256 xqSe8Q AmC86Dj5laQaiH2OIrcZG2AiGB4T5wgzIhLMPgBzJaKn
+VjFnsl5UgDDw3sap9mgd3jJR/jqlRL4KS3/jxxcuLQM
+-> ,?FIg-grease iYX?nyr *z|V}ruN
+i/j/P1jbT8hP6RHqUKAzg94nWWWk5E8EJXomFBc9tQ
+--- S7mlAB35SMtQSlUn5dPpNjj9ekUkOJTPvLuEAPGJNXQ
+�8ݾ �x�|?-�N�X-v��S���B$�eVZp�\�m� ����2�ӳ���B�BB��,���틖��%�P_�
\ No newline at end of file
diff --git a/secrets/generated/sire-ente/ente-hash-key.age b/secrets/generated/sire-ente/ente-hash-key.age
new file mode 100644
index 0000000..47c6e0f
Binary files /dev/null and b/secrets/generated/sire-ente/ente-hash-key.age differ
diff --git a/secrets/generated/sire-ente/ente-jwt.age b/secrets/generated/sire-ente/ente-jwt.age
new file mode 100644
index 0000000..7eb095a
--- /dev/null
+++ b/secrets/generated/sire-ente/ente-jwt.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 fSjolShGCdhJfr1tdcTeYmkpWG3iiA8QEKZjgHjIMUM
+Wc0uFJRebFT6xVzxpNStdGyNkC1l+SrtbKBe0vYEX/w
+-> piv-p256 xqSe8Q AhhzkRFNoGd0Sv9t08g/wxkCqiKjcMUAutwztgIs+x9U
+Q8Y8SEIcGrSQbp//vTWIFAfXcy6LADNEJ6Q0GxFQOpI
+-> 754F*-grease k$4zy* >% { og8qk-
+r8c9fTLupld7X0fmQ6OLuuBSITL4xU/m0G0eTBcau7o
+--- nQo78/W1zOcPeBsXIEEepU5WOCvlllLwB6+Fqrc9OY8
+����:��f�;���o�QY9;
���2��Y� e]vbU�����ﳕ���[�p�(We�t�^���v������d8:�
\ No newline at end of file
diff --git a/secrets/generated/sire-ente/minio-access-key.age b/secrets/generated/sire-ente/minio-access-key.age
new file mode 100644
index 0000000..cc1a5ca
--- /dev/null
+++ b/secrets/generated/sire-ente/minio-access-key.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 RUswhRVBILKxzva+FcHu69TNIDotls9+FTqL3IYiZio
+MwXFm8JK7Viy6cQZXjBT5U2ERhH6jAckfU0bph6BixU
+-> piv-p256 xqSe8Q A6dYQvH4lZ8FSM00u8YCyYHQQvu9xy+UfzBhXepKDWdu
+eBb9JP+MLrQ5sttl2MDOyrYI0V1fI7spw57DbAGriVI
+-> w.wd]R-grease >g2~Z~ \ ,6
+2S+12Sh/Bjvx0wFMVU4ApN4aVMTkHOqitD9OjcxwuG6Z22Cz04H4e7FD/9VQ57uD
+BcvbmzU/sN52h/7K8/wBjHj43V+3L9SVafm2+WF+VfVON6CfcznCfgCq2w
+--- wFSnGM1uYgDGmVkYKoARx7uKyV0KEbyYWzeYIA3bxNg
+��m�Qj�dfv��~��2X�0�Y�����B�x��[
�#�_S���`�C��/�#Kl�)�����Q��C���:"���
\ No newline at end of file
diff --git a/secrets/generated/sire-ente/minio-root-credentials.age b/secrets/generated/sire-ente/minio-root-credentials.age
new file mode 100644
index 0000000..520d61f
--- /dev/null
+++ b/secrets/generated/sire-ente/minio-root-credentials.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 1g/zXfi1yIQ8Gr7s8vXVcqY2SqSY54wIm2K5jZw2FGU
+20yDp5BbvL4/Dwj5wUsqICutjmcdEzQzHzhYn2wGxa4
+-> piv-p256 xqSe8Q A0hl01YjJvSgNoVVgqbXtbJebphdyC1KfXuq0KHsGLEY
+/tp18Vk3vM2UUxfB+rCi6a1hKvtNi1E+o/CkfEdejBM
+-> AR0.!FY-grease jw9K!j
+eujGLw
+--- 5iSrLf3Tc9d65fjQZvzv2XO5E2FnOKIAcG0aViBQ3T0
+G�N���N)��o�@�"���)�a<p���; wڙ}
�$!�qqÂs�t�
,E�3R#�xq�,=^=��S��B
6��_48�j�Y�;�Y�[`��q':���v8�$���Bۣ�?���yx� �p��1���v
���!���r50+lrڦ
�sg���
\ No newline at end of file
diff --git a/secrets/generated/sire-ente/minio-secret-key.age b/secrets/generated/sire-ente/minio-secret-key.age
new file mode 100644
index 0000000..70a6a7c
Binary files /dev/null and b/secrets/generated/sire-ente/minio-secret-key.age differ
diff --git a/secrets/generated/sire-ente/promtail-loki-basic-auth-password.age b/secrets/generated/sire-ente/promtail-loki-basic-auth-password.age
new file mode 100644
index 0000000..d2b658a
Binary files /dev/null and b/secrets/generated/sire-ente/promtail-loki-basic-auth-password.age differ
diff --git a/secrets/generated/sire-ente/telegraf-influxdb-token.age b/secrets/generated/sire-ente/telegraf-influxdb-token.age
new file mode 100644
index 0000000..739f604
Binary files /dev/null and b/secrets/generated/sire-ente/telegraf-influxdb-token.age differ
diff --git a/secrets/rekeyed/sentinel/0eaa4bb18cbfcecdc7f5b14bf1f05cdf-loki-basic-auth-hashes.age b/secrets/rekeyed/sentinel/0eaa4bb18cbfcecdc7f5b14bf1f05cdf-loki-basic-auth-hashes.age
new file mode 100644
index 0000000..c7cb0c0
Binary files /dev/null and b/secrets/rekeyed/sentinel/0eaa4bb18cbfcecdc7f5b14bf1f05cdf-loki-basic-auth-hashes.age differ
diff --git a/secrets/rekeyed/sentinel/5f448f5955218081b5b4b19316ff9c31-loki-basic-auth-hashes.age b/secrets/rekeyed/sentinel/5f448f5955218081b5b4b19316ff9c31-loki-basic-auth-hashes.age
deleted file mode 100644
index 51d8015..0000000
Binary files a/secrets/rekeyed/sentinel/5f448f5955218081b5b4b19316ff9c31-loki-basic-auth-hashes.age and /dev/null differ
diff --git a/secrets/rekeyed/sentinel/7dd21124a6116b64884cc34b22d128b0-wireguard-proxy-sentinel-psks-sentinel+sire-ente.age b/secrets/rekeyed/sentinel/7dd21124a6116b64884cc34b22d128b0-wireguard-proxy-sentinel-psks-sentinel+sire-ente.age
new file mode 100644
index 0000000..3d566bd
--- /dev/null
+++ b/secrets/rekeyed/sentinel/7dd21124a6116b64884cc34b22d128b0-wireguard-proxy-sentinel-psks-sentinel+sire-ente.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 yV7lcA tb9kSCCrR4ZsCY2rFru596/nvJ3Ls0CAIx1SbeBb3jE
+sFwhpTJtUKZLI05/Pka9UN+/AhqRr1T2qOsoXqnJm+I
+-> M{JlUebq-grease <v+'>UsK ZwN> .2j<
+q7Jcr9NMDZPmnfX7OE9ul+ABFA
+--- caLIQEMxZ2TikSZVAKd4ms6qcoOsd0pCgC3Q0UwXTIU
+/0da��*�/�-I<�"&�˗�Umc�RKtk,�1�RY��������I�e�Xx����5�������UqY�����
\ No newline at end of file
diff --git a/secrets/rekeyed/sire-ente/0a655191d8a00f031974a30ce0d150b5-ente-encryption-key.age b/secrets/rekeyed/sire-ente/0a655191d8a00f031974a30ce0d150b5-ente-encryption-key.age
new file mode 100644
index 0000000..41030bb
--- /dev/null
+++ b/secrets/rekeyed/sire-ente/0a655191d8a00f031974a30ce0d150b5-ente-encryption-key.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 JgWCuA E7lVaNWH6szAllQ8QNG1vHT5aNf9oJ4qC6NhQmJDwAc
+59GgmOFiryp/c0/R+u3xPZCQg5E2D7xLiABGn/iYfPc
+-> V?-grease Lb\VjM_
+DH5djc92LmIQFfn2wJSdLgz+OsGY+7y9AqtYiOfWZyClDaTOGvY2GxqzJS7k8Wh0
+zQ
+--- R/ulTpEmTlZhlnlmlp+MQxe2pLvONgXqEiDQOM0xZQA
+|�����8�3	�h���AX�C=��^����w�0G�1A�G�b������
�¿;��V�4o�/���3
\ No newline at end of file
diff --git a/secrets/rekeyed/sire-ente/39ed4aee39bb5284ed82d595b57af3a6-promtail-loki-basic-auth-password.age b/secrets/rekeyed/sire-ente/39ed4aee39bb5284ed82d595b57af3a6-promtail-loki-basic-auth-password.age
new file mode 100644
index 0000000..d1d7fed
--- /dev/null
+++ b/secrets/rekeyed/sire-ente/39ed4aee39bb5284ed82d595b57af3a6-promtail-loki-basic-auth-password.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 JgWCuA 7g34bQN2G4hf4lTxDLfPJog/r8rgjQnmwPZW277jpQk
+nhnGg8CcoVzuASxf2SAVBeVA5gcpNBB0LNHMSnHvvzA
+-> EXviAf-grease `>N4
+HByrqYnzlTIEjr6cRuJ1Eg
+--- 4/1YuJpu8rbYPKqcyYbtDCSaq9doFKbdNvhHTGoL0e8
+7K�AX�|� �!�p8'��.�w����f:�~�Z�[/�޺u��l2�'�WYG�F��Nd:�Pk�1BO=����+���
\ No newline at end of file
diff --git a/secrets/rekeyed/sire-ente/48afcb0cd2c5ea7e134a9ea29b7eaa7b-telegraf-influxdb-token.age b/secrets/rekeyed/sire-ente/48afcb0cd2c5ea7e134a9ea29b7eaa7b-telegraf-influxdb-token.age
new file mode 100644
index 0000000..92fb41e
--- /dev/null
+++ b/secrets/rekeyed/sire-ente/48afcb0cd2c5ea7e134a9ea29b7eaa7b-telegraf-influxdb-token.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 JgWCuA PHWocAK4Uq2RlRBQRJmlYytDt1UDys9oSSkqkqGoagE
+TAkHn01nLHkhdTRT1KFdrnxkxRM+1Kpr1JaUaVrf6Cc
+-> ~f-grease $"CHQ ;>^KKwf[ $Ets\o1
+4g0E9jf4hAzb0A
+--- gGNrPcfze2eOkJg/PPrgVHnffTmOX58dOukGGYVM3Qc
+������(y�C��!�;���d�kL�q�G�I�����NJE
B�F�c
�	�<Z*���2ò�d�ݒR�L�צ(~]o̮�c�
\ No newline at end of file
diff --git a/secrets/rekeyed/sire-ente/4fddd2864abd2ee1ab5829fc3ac741d6-ente-hash-key.age b/secrets/rekeyed/sire-ente/4fddd2864abd2ee1ab5829fc3ac741d6-ente-hash-key.age
new file mode 100644
index 0000000..cb04faf
--- /dev/null
+++ b/secrets/rekeyed/sire-ente/4fddd2864abd2ee1ab5829fc3ac741d6-ente-hash-key.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 JgWCuA ibIMzo1GidK7NjVdRwLtW/ZBmEYJljlEQBDpzcS7u3g
+gJO2mEFR7VpiZ66lo1C2DICFthKDrBbK3b9yvvv2OUk
+-> L`^@f-grease
+6KFxCBHS1sez24DemcAVbP/2DA1qMH6G4Slt36Be+7XN/pc21NTm15Y2WAOdfnfr
+hYtLONwqTGd9M9309Nyf431l/92Hpvg0ZT0on4iwqA
+--- rzYINbMisctAhV6j6uTIFtZeOgl4LylFpwql2QpJAhU
+4;�l����m(��φ�L�꩒�jk8N@��gP����1t�Bp�<'�A�u�V�\���Q]}]y�-e�����H[�d#b_F�J뷟ܺL�P|�)���w����Èm����
\ No newline at end of file
diff --git a/secrets/rekeyed/sire-ente/50b5f9785853d40bd74d52dde6d57c11-wireguard-proxy-sentinel-priv-sire-ente.age b/secrets/rekeyed/sire-ente/50b5f9785853d40bd74d52dde6d57c11-wireguard-proxy-sentinel-priv-sire-ente.age
new file mode 100644
index 0000000..9eb7e18
--- /dev/null
+++ b/secrets/rekeyed/sire-ente/50b5f9785853d40bd74d52dde6d57c11-wireguard-proxy-sentinel-priv-sire-ente.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 JgWCuA Nwy2LY1REyI7LRKDFNbaS2FF1R+Erl6KrdrumvS/XX4
+1S9sYJnsgMmDTXvBO1/RDxlcEIYfDH+cO0MkZuo40VU
+-> )-grease )!nP Q@Q@ur{3 dcBOk*]
+D1GIlaWvcD2KUvCe7m+aClC3OEsWGn0WRlsG25o8YWJq48TgZOezeZSaNco
+--- Rcndrv1V5ZhAiFHZe1WdTMEeZ5+jqu2ES16D1aN/1wg
+��tk���]8�8�ٜ��R�2�
���Ғ��gZ�ө(�r�������i�V\Py �f����܋L�_.�����
\ No newline at end of file
diff --git a/secrets/rekeyed/sire-ente/6bd5a9be337a42f7ceccabcb94e58c7d-ente-jwt.age b/secrets/rekeyed/sire-ente/6bd5a9be337a42f7ceccabcb94e58c7d-ente-jwt.age
new file mode 100644
index 0000000..050dc20
--- /dev/null
+++ b/secrets/rekeyed/sire-ente/6bd5a9be337a42f7ceccabcb94e58c7d-ente-jwt.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 JgWCuA FRpqXDi8hsKKuScuMTNJWP8hyeDsEiT0cKeRCtcSHDo
+9ws3OouI1gl6WCjTVeGL1FLlzjoc5r3KuIicz1Hxvvk
+-> B$<$\Y-grease /HHpi >/9 -!*14 GB#8+TJ
+YCQ/DeYqBopIh5w11DrHtJnJJ32yaFQ9qE6yOXGAbVfrSik5sVf/Txn2dBNb+nTG
+3jQTR5kKOkGFLIUul83ix6A
+--- wG6qOXsr8udyFHqA4WDFTGQASgtnG39UC8SXiyoCH24
+ګ�w�	"N�*�
+� �t�T�1e�cw��=�ܐm�_¥l��4hA{e<�<L��������	90k�zl�r��
\ No newline at end of file
diff --git a/secrets/rekeyed/sire-ente/8dabe142e6ad67a259f83111fceb6e17-minio-root-credentials.age b/secrets/rekeyed/sire-ente/8dabe142e6ad67a259f83111fceb6e17-minio-root-credentials.age
new file mode 100644
index 0000000..8edd2be
--- /dev/null
+++ b/secrets/rekeyed/sire-ente/8dabe142e6ad67a259f83111fceb6e17-minio-root-credentials.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 JgWCuA 8gWuOL3ItuZnJLSV4wJSKIavVdU1mZZOYSDP9X5pkjg
+H32gHbisIG+aVXOU/fkAHVmoVyH6BMhR1yVN+grYnbI
+-> KE-grease #rT+&3B& :$ @
+JQuPHa3Y1qlRkw
+--- akx1iJc1tHixZXIOYzC+59TIvfFrUoTvgHCPnujR6Zc
+�b��˓�x�C�P��X���e�#0�}���t9�=Kd�K��/��3a�s.�m�V{��f�@7G���ujG�1O�v)�N����j4�f*�b�Օ�QzY0��I������6E�w~��^.��A���Mhn�s��{�B�Hd?C��)
o��˥̡F"q\�#c
\ No newline at end of file
diff --git a/secrets/rekeyed/sire-ente/a3d4334dfab58cfbb82ce922dbb23c50-wireguard-proxy-sentinel-psks-sentinel+sire-ente.age b/secrets/rekeyed/sire-ente/a3d4334dfab58cfbb82ce922dbb23c50-wireguard-proxy-sentinel-psks-sentinel+sire-ente.age
new file mode 100644
index 0000000..e79099d
--- /dev/null
+++ b/secrets/rekeyed/sire-ente/a3d4334dfab58cfbb82ce922dbb23c50-wireguard-proxy-sentinel-psks-sentinel+sire-ente.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 JgWCuA R/2IkDfac3BnlHNqFlXEBDEKUAFkOJPzMuydNFZAzWo
+ub21BfD8Q5GaLr8IdLwHkdZqSVAjG2q3MuDrB4KozJA
+-> $a|&-grease k!M4 NZQL R,s4mUU ]y
+zoxZDA
+--- 41/Orge3q+gN8+MgvL745C/fatbvxkpeS7jrdiyphTk
+5P��/�֩Z+B|�V$�x~���e 0h��_M�`ruB�i�y��~�xg?٣>LΜ>&�w!�s�?p��61���j
\ No newline at end of file
diff --git a/secrets/rekeyed/sire-ente/b196a04930eeaf93e5314de87b7ddc1f-minio-access-key.age b/secrets/rekeyed/sire-ente/b196a04930eeaf93e5314de87b7ddc1f-minio-access-key.age
new file mode 100644
index 0000000..c08b84a
--- /dev/null
+++ b/secrets/rekeyed/sire-ente/b196a04930eeaf93e5314de87b7ddc1f-minio-access-key.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 JgWCuA BhciDbzGldKHFga2iDU/xYnMv7eGi1LZb+lGXJC5BHY
+sG8HF+9adDtroTygekl57kNWmdPxBOoUKDxFHKEBQ8U
+-> 4W-grease
+9sX0u6PKO6b5tCx5KEMzpHUyIX81ZtbCrXkCy/5H/6MrziNyG3hm9RlmYfjroA8w
+JInJF5/S
+--- nu0Fb0V8USP+6NdT6egQ13gUHjsBDh3e1vTIeU1koWk
+n�h����ⷀ��#��E��7m`zc�B�A��ԝ���5��<�B�1g�O5+؞3r9����!<����2:��k�\
g~
\ No newline at end of file
diff --git a/secrets/rekeyed/sire-ente/c286daba571651cf0fb3baa35f8717e5-minio-secret-key.age b/secrets/rekeyed/sire-ente/c286daba571651cf0fb3baa35f8717e5-minio-secret-key.age
new file mode 100644
index 0000000..ff4d46c
--- /dev/null
+++ b/secrets/rekeyed/sire-ente/c286daba571651cf0fb3baa35f8717e5-minio-secret-key.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 JgWCuA qCQiUbrSa9VHQmnGxUzAKnIXnz1iCaGltMtlekJtSik
+n1C2khtbkEjU06GoLlV/cGqKiHJPC45esUUXzSrqUdY
+-> G-grease ~;bV'qp 6[ 2=41r2
+6XoXhm9137td0dfyVG9y+aoXgnZ/DHyEz/Mm7bWTVOALBjNiND962acconiU+YAV
+rNjORyxn
+--- FbizueAYs+ySyCsYHz2nSOP9ZK1B3cwY0tfnbCUSZSo
+9��Q�P�
��:�p�2͂��}H��_P��rC���P�>k��+�@��b�\U_EῲɌioV���*NN�R'�=H��U�
\ No newline at end of file
diff --git a/secrets/rekeyed/sire-ente/cff35fe4c607c5c2d57af131e14080b5-wireguard-proxy-home-priv-sire-ente.age b/secrets/rekeyed/sire-ente/cff35fe4c607c5c2d57af131e14080b5-wireguard-proxy-home-priv-sire-ente.age
new file mode 100644
index 0000000..7fedece
--- /dev/null
+++ b/secrets/rekeyed/sire-ente/cff35fe4c607c5c2d57af131e14080b5-wireguard-proxy-home-priv-sire-ente.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 JgWCuA 4Yb3GrxVz12WnVG/xOLQ5v+AfvQnfu8rz+KF2z2hzzY
+sGXnAMSxc9L47Zzvnovmq0jIHnEIogVN5XG7FBurTn4
+-> cwlzzK-grease
+15ku+cw
+--- JMaYeYHOTTH0E93AnU0hKwp/bdHg6wkmdK5WxFdIKLg
+�.�܅$5Z�{u���s��L�9,��k 	�)�6�v#���+�
;�p���n
�Ӛn����x[0�f؈��v!T�#���
\ No newline at end of file
diff --git a/secrets/rekeyed/sire-ente/d0a3d1a9285c9e295e71bd59a2399ec6-wireguard-proxy-home-psks-sire-ente+ward.age b/secrets/rekeyed/sire-ente/d0a3d1a9285c9e295e71bd59a2399ec6-wireguard-proxy-home-psks-sire-ente+ward.age
new file mode 100644
index 0000000..db926b7
--- /dev/null
+++ b/secrets/rekeyed/sire-ente/d0a3d1a9285c9e295e71bd59a2399ec6-wireguard-proxy-home-psks-sire-ente+ward.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 JgWCuA fLErDkfDNMgSF0E/ZoBB6OVIrofuDzXnNSh0UwfwBAs
+87BAmP1neIBVz/sPnx32S+y+EgV3uKQyWNI1wkj/rok
+-> 6b=-grease aZPivQ
+9Wkt0eTctqiZ2uajuNkl5su0tKGudpCKnl43cS3nOX2/tjXEIKB0Pe4bc1ImIJvV
+z+2FuJju8Q5o+mx2/NKZINhT0VnXzQFpjgwWsZs2mntMCxI0GMwPUyt8pg
+--- urAXMUjYZJ/Q1ezsnn4uu20993E3EkK2Fqmhu5TgWcE
+�0�]�J�n����;??^E�e=��!{M��N��!�+��y����Nq/��s��l���ad�x*qtǪU��	v%0
\ No newline at end of file
diff --git a/secrets/rekeyed/sire-influxdb/d7176dcef3b2245267cb9d77723a1261-telegraf-influxdb-token-sire-ente.age b/secrets/rekeyed/sire-influxdb/d7176dcef3b2245267cb9d77723a1261-telegraf-influxdb-token-sire-ente.age
new file mode 100644
index 0000000..1c27ab9
--- /dev/null
+++ b/secrets/rekeyed/sire-influxdb/d7176dcef3b2245267cb9d77723a1261-telegraf-influxdb-token-sire-ente.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 1tdZKQ uVXynHs0BZZu7YlnLtqEOy7DBrylGwAsuw2V5Xe1tlc
+OhgF8N3bDlZC4XD7PAZFdBqtJPoaRX7ChQSEbnjsnKY
+-> Z8-grease j jA Kr?3M$?
+Qh8AQ2InqiJFZg
+--- VaYAzDhieUncCVKxqNSG4PA9RGiHG1lmjy/s/1dSwFs
+=ex�1*�[�Yj<� �������%&���)Py����q�8*F��7����f���N�ݹ,����x0J���դIu2)�2
\ No newline at end of file
diff --git a/secrets/rekeyed/ward-web-proxy/09683ecb6ba69322f3aa1c34b6ed6dfd-loki-basic-auth-hashes.age b/secrets/rekeyed/ward-web-proxy/09683ecb6ba69322f3aa1c34b6ed6dfd-loki-basic-auth-hashes.age
new file mode 100644
index 0000000..c1b183c
Binary files /dev/null and b/secrets/rekeyed/ward-web-proxy/09683ecb6ba69322f3aa1c34b6ed6dfd-loki-basic-auth-hashes.age differ
diff --git a/secrets/rekeyed/ward-web-proxy/90ab11485712f95db2c07814074b7899-loki-basic-auth-hashes.age b/secrets/rekeyed/ward-web-proxy/90ab11485712f95db2c07814074b7899-loki-basic-auth-hashes.age
deleted file mode 100644
index 7c51e7d..0000000
Binary files a/secrets/rekeyed/ward-web-proxy/90ab11485712f95db2c07814074b7899-loki-basic-auth-hashes.age and /dev/null differ
diff --git a/secrets/rekeyed/ward/82fb2774f6a5e08a0e4bd8b8cdc09238-wireguard-proxy-home-psks-sire-ente+ward.age b/secrets/rekeyed/ward/82fb2774f6a5e08a0e4bd8b8cdc09238-wireguard-proxy-home-psks-sire-ente+ward.age
new file mode 100644
index 0000000..0c7a0a6
--- /dev/null
+++ b/secrets/rekeyed/ward/82fb2774f6a5e08a0e4bd8b8cdc09238-wireguard-proxy-home-psks-sire-ente+ward.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 iNceIg BmCXt086D1EkeS07iplFsR6T33WyWAyiCT1mRLB32hw
+fy0OpMuK/8qPw3Ryb5EAwnPSzlUx2YoYawzzKP75RFo
+-> ah,luV-grease 7%Q {Zju_"(b
+MqKtQw
+--- DhDp8jYeynd1OUpCU61SpPZVPXnFokxX2Usixo7/ZG8
+����Ϩol������tAn-Wq��oU�H)��:2:�d�#�*�"a��2�1qJ6����5�1<�D��yB�F
\ No newline at end of file
diff --git a/secrets/wireguard/proxy-home/keys/sire-ente.age b/secrets/wireguard/proxy-home/keys/sire-ente.age
new file mode 100644
index 0000000..05d683e
--- /dev/null
+++ b/secrets/wireguard/proxy-home/keys/sire-ente.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 AKZ+AtI/m8zX6g0lWM7NrNhtRTzn99G3Hzd4xTLmP2o
+k06IWa/NYnJWHctoRtOuONWPRc3TeFKWGq62EEtPK2w
+-> piv-p256 xqSe8Q ArPIpreqaxqoRvOr68Iyh6LhfzH+GbUbmZ24PMy6v6CR
+/1AcoGVvZgOW2IIIiU6Kya37CT4N5igi5tGyuJCMfaw
+-> b'2Yw/88-grease
+hNHp2mtaChpVqJXW6+rZtdGdabmmtHxpSo64gPxsoTED9Jm+A36HtQTovZ2hfxWG
+jwQadJT4WS9CJIvdqFRWi25FLAbS3c8
+--- /qAMQiLi2hgue66lXzk08Hl5FEgO4daK/TqisxvKhC0
+�q(
���)���7��G�����*�%�%%�[�t`������j�w�O՛��E��:��;�
��xbi�
\ No newline at end of file
diff --git a/secrets/wireguard/proxy-home/keys/sire-ente.pub b/secrets/wireguard/proxy-home/keys/sire-ente.pub
new file mode 100644
index 0000000..4e6e920
--- /dev/null
+++ b/secrets/wireguard/proxy-home/keys/sire-ente.pub
@@ -0,0 +1 @@
+AOGA/huE+l8LA7VsqTVuu8Idf/CljsEz2w9r3HF0xF8=
diff --git a/secrets/wireguard/proxy-home/psks/sire-ente+ward.age b/secrets/wireguard/proxy-home/psks/sire-ente+ward.age
new file mode 100644
index 0000000..62bedb0
--- /dev/null
+++ b/secrets/wireguard/proxy-home/psks/sire-ente+ward.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 BFrpqy55NcKEF7q772I17T0wjQ02Ut2rWrMZ1rtjWwI
+yH1f7HWIRcqlm6uRwBUcOBbz0gceyio8iL9Ggnt3Fb0
+-> piv-p256 xqSe8Q Anx1LI2vbGG5xYzIF5rKnHaqP6Lh5wf4xyNd4lsQSay3
+OePEiNdGFCd+xrGv7ARUaNKHMNWQgng4Q21Q+sbF5BA
+-> /lY8-grease
+MuwhaBG4mNhGQrxArOVAeqpkXtqhORkH40vnttBf4A
+--- R2ZE5vy2h7+LiQF946AhQXTaGuZzhar5QthG8zQXeOQ
+/hN����Q
�����t�>�Z��T-���Q���je��N�d�
{� ˆ5g����-��>�������m.�
\ No newline at end of file
diff --git a/secrets/wireguard/proxy-sentinel/keys/sire-ente.age b/secrets/wireguard/proxy-sentinel/keys/sire-ente.age
new file mode 100644
index 0000000..20de322
--- /dev/null
+++ b/secrets/wireguard/proxy-sentinel/keys/sire-ente.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 vQk4YSBJ4lAhykKSn6EQVJt3N5knDwFojKKkGXIpkko
+VFMoGYvz3Ghr2yDvkKVBhBk0RXwKvAa/1tc0XvAksqo
+-> piv-p256 xqSe8Q Ao8pq7XVm2sW7pWJwY5xV+OENbydQYPDHFyW3D4Zcypy
+804ByjdNfiNjYE1pETvtq2+Qf9XOpPSfTBTnaMYpWx0
+-> Bm!-grease
+mTATrQka+LR7fjxFRq9eK2w4OC7Da+Rx2mgoT0jRRw2urXAN3m25hupRhmXjAmUT
+UXCI6XLGG0gc+Fb5SOBXSPIjwMoVI3h8BgIRQsKUECM39iwN8j95kR9uDiP10Q
+--- kOS9Fo+PrmUqGDLRkYYMEJcoSKeVoPudmLzD/M4rwzY
+ؿ9S�)�)`J@�_��<������N;�H��=Ng�T�\5;gt��y{���NH��b�eM6���m��3
\ No newline at end of file
diff --git a/secrets/wireguard/proxy-sentinel/keys/sire-ente.pub b/secrets/wireguard/proxy-sentinel/keys/sire-ente.pub
new file mode 100644
index 0000000..eee613f
--- /dev/null
+++ b/secrets/wireguard/proxy-sentinel/keys/sire-ente.pub
@@ -0,0 +1 @@
+TQLqvOZp/FoELpqnkuls/wio9ET7KurTE9XW6m+BegU=
diff --git a/secrets/wireguard/proxy-sentinel/psks/sentinel+sire-ente.age b/secrets/wireguard/proxy-sentinel/psks/sentinel+sire-ente.age
new file mode 100644
index 0000000..262bdfa
Binary files /dev/null and b/secrets/wireguard/proxy-sentinel/psks/sentinel+sire-ente.age differ