mirrors_public/oddlama_nix-config
1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-10 23:00:39 +02:00
Code Activity

feat: add ente

Browse source
This commit is contained in:
oddlama 2025-05-18 13:55:20 +02:00
parent ac34b94f87
commit 4c2f98f9e4
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
48 changed files with 904 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

1
config/users.nix
View file

@ -47,5 +47,6 @@
# firefly-pico = uidGid 964;
avahi = uidGid 963;
ente = uidGid 962;
minio = uidGid 961;
};
}

11
hosts/sentinel/default.nix
View file

@ -54,4 +54,15 @@
# This node shall monitor the infrastructure
availableMonitoringNetworks = [ "internet" ];
};
services.ente.web = {
enable = true;
domains = {
api = "api.photos.${globals.domains.me}";
accounts = "accounts.photos.${globals.domains.me}";
albums = "albums.photos.${globals.domains.me}";
cast = "cast.photos.${globals.domains.me}";
photos = "photos.${globals.domains.me}";
};
};
}

7
hosts/sentinel/firezone.nix
View file

@ -12,7 +12,12 @@ let
# FIXME: new entry here? make new firezone gateway on ward entry too.
homeDomains = [
globals.services.grafana.domain
globals.services.ente.domain
"accounts.photos.${globals.domains.me}"
"albums.photos.${globals.domains.me}"
"api.photos.${globals.domains.me}"
"cast.photos.${globals.domains.me}"
"photos.${globals.domains.me}"
"s3.photos.${globals.domains.me}"
globals.services.immich.domain
globals.services.influxdb.domain
globals.services.loki.domain

BIN
hosts/sentinel/secrets/local.nix.age
View file

Binary file not shown.

4
hosts/sire/default.nix
View file

@ -150,7 +150,9 @@
}
// mkMicrovm "ai" { }
// mkMicrovm "minecraft" { }
// mkMicrovm "ente" { }
// mkMicrovm "ente" {
enableStorageDataset = true;
}
#// mkMicrovm "fasten-health" {}
);
}

238
hosts/sire/guests/ente.nix Normal file
View file

@ -0,0 +1,238 @@
{
config,
globals,
lib,
pkgs,
...
}:
let
enteAccountsDomain = "accounts.photos.${globals.domains.me}";
enteAlbumsDomain = "albums.photos.${globals.domains.me}";
enteApiDomain = "api.photos.${globals.domains.me}";
enteCastDomain = "cast.photos.${globals.domains.me}";
entePhotosDomain = "photos.${globals.domains.me}";
s3Domain = "s3.photos.${globals.domains.me}";
proxyConfig = remoteAddr: nginxExtraConfig: {
upstreams.ente = {
servers."${remoteAddr}:80" = { };
extraConfig = ''
zone ente 64k;
keepalive 20;
'';
monitoring.enable = true;
};
upstreams.museum = {
servers."${remoteAddr}:8080" = { };
extraConfig = ''
zone museum 64k;
keepalive 20;
'';
};
upstreams.minio = {
servers."${remoteAddr}:9000" = { };
extraConfig = ''
zone minio 64k;
keepalive 20;
'';
};
virtualHosts =
{
${enteApiDomain} = {
forceSSL = true;
useACMEWildcardHost = true;
locations."/".proxyPass = "http://museum";
extraConfig = ''
client_max_body_size 4M;
${nginxExtraConfig}
'';
};
${s3Domain} = {
forceSSL = true;
useACMEWildcardHost = true;
locations."/".proxyPass = "http://minio";
extraConfig = ''
client_max_body_size 32M;
proxy_buffering off;
proxy_request_buffering off;
${nginxExtraConfig}
'';
};
}
// lib.genAttrs
[
enteAccountsDomain
enteAlbumsDomain
enteCastDomain
entePhotosDomain
]
(_domain: {
useACMEWildcardHost = true;
extraConfig = nginxExtraConfig;
});
};
in
{
wireguard.proxy-sentinel = {
client.via = "sentinel";
firewallRuleForNode.sentinel.allowedTCPPorts = [
80
9000
];
};
wireguard.proxy-home = {
client.via = "ward";
firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [
80
9000
];
};
globals.services.ente.domain = entePhotosDomain;
# FIXME: also monitor from internal network
globals.monitoring.http.ente = {
url = "https://${entePhotosDomain}";
expectedBodyRegex = "Ente Photos";
network = "internet";
};
fileSystems."/storage".neededForBoot = true;
environment.persistence."/storage".directories = [
{
directory = "/var/lib/minio";
user = "minio";
group = "minio";
mode = "0750";
}
];
environment.persistence."/persist".directories = [
{
directory = "/var/lib/ente";
user = "ente";
group = "ente";
mode = "0750";
}
];
# NOTE: don't use the root user for access. In this case it doesn't matter
# since the whole minio server is only for ente anyway, but it would be a
# good practice.
age.secrets.minio-access-key = {
generator.script = "alnum";
mode = "440";
group = "ente";
};
age.secrets.minio-secret-key = {
generator.script = "alnum";
mode = "440";
group = "ente";
};
age.secrets.minio-root-credentials = {
generator.dependencies = [
config.age.secrets.minio-access-key
config.age.secrets.minio-secret-key
];
generator.script =
{
lib,
decrypt,
deps,
...
}:
''
echo -n "MINIO_ROOT_USER="
${decrypt} ${lib.escapeShellArg (builtins.elemAt deps 0).file}
echo -n "MINIO_ROOT_PASSWORD="
${decrypt} ${lib.escapeShellArg (builtins.elemAt deps 1).file}
'';
mode = "440";
group = "minio";
};
# base64 (url)
age.secrets.ente-jwt = {
generator.script =
{ pkgs, ... }: "${pkgs.openssl}/bin/openssl rand -base64 32 | tr -d '\n' | tr '/+' '_-'";
mode = "440";
group = "ente";
};
# base64 (standard)
age.secrets.ente-encryption-key = {
generator.script = "base64";
mode = "440";
group = "ente";
};
# base64 (standard)
age.secrets.ente-hash-key = {
generator.script = { pkgs, ... }: "${pkgs.openssl}/bin/openssl rand -base64 64 | tr -d '\n'";
mode = "440";
group = "ente";
};
services.minio = {
enable = true;
rootCredentialsFile = config.age.secrets.minio-root-credentials.path;
};
systemd.services.minio = {
environment.MINIO_SERVER_URL = "https://${s3Domain}";
postStart = ''
# Wait until minio is up
${lib.getExe pkgs.curl} --retry 5 --retry-connrefused --fail --no-progress-meter -o /dev/null "http://localhost:9000/minio/health/live"
# Make sure bucket exists
mkdir -p ${lib.escapeShellArg config.services.minio.dataDir}/data/ente
'';
};
systemd.services.ente.after = [ "minio.service" ];
services.ente.api = {
enable = true;
enableLocalDB = true;
domain = enteApiDomain;
settings = {
apps = {
accounts = "https://${enteAccountsDomain}";
cast = "https://${enteCastDomain}";
public-albums = "https://${enteAlbumsDomain}";
};
webauthn = {
rpid = enteAccountsDomain;
rporigins = [ "https://${enteAccountsDomain}" ];
};
s3 = {
use_path_style_urls = true;
b2-eu-cen = {
endpoint = "https://${s3Domain}";
region = "us-east-1";
bucket = "ente";
key._secret = config.age.secrets.minio-access-key.path;
secret._secret = config.age.secrets.minio-secret-key.path;
};
};
jwt.secret._secret = config.age.secrets.ente-jwt.path;
key = {
encryption._secret = config.age.secrets.ente-encryption-key.path;
hash._secret = config.age.secrets.ente-hash-key.path;
};
};
};
# NOTE: services.ente.web is configured separately on both proxy servers!
nodes.sentinel.services.nginx = proxyConfig config.wireguard.proxy-sentinel.ipv4 "";
nodes.ward-web-prox.services.nginxy = proxyConfig config.wireguard.proxy-home.ipv4 ''
allow ${globals.net.home-lan.vlans.home.cidrv4};
allow ${globals.net.home-lan.vlans.home.cidrv6};
# Firezone traffic
allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4};
allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6};
deny all;
'';
}

1
hosts/sire/secrets/ente/host.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPHm23XtSiwueXpmqJqFWIxYVWU/eq+dQ0PcwMrsN+c

8
hosts/ward/default.nix
View file

@ -13,7 +13,13 @@ let
# FIXME: new entry here? make new firezone entry too.
homeDomains = [
globals.services.grafana.domain
globals.services.ente.domain
# TODO: allow multiple domains per global service.
"accounts.photos.${globals.domains.me}"
"albums.photos.${globals.domains.me}"
"api.photos.${globals.domains.me}"
"cast.photos.${globals.domains.me}"
"photos.${globals.domains.me}"
"s3.photos.${globals.domains.me}"
globals.services.immich.domain
globals.services.influxdb.domain
globals.services.loki.domain

7
hosts/ward/guests/adguardhome.nix
View file

@ -112,7 +112,12 @@ in
# FIXME: new entry here? make new firezone entry too.
# FIXME: new entry here? make new firezone gateway on ward entry too.
globals.services.grafana.domain
globals.services.ente.domain
"accounts.photos.${globals.domains.me}"
"albums.photos.${globals.domains.me}"
"api.photos.${globals.domains.me}"
"cast.photos.${globals.domains.me}"
"photos.${globals.domains.me}"
"s3.photos.${globals.domains.me}"
globals.services.immich.domain
globals.services.influxdb.domain
globals.services.loki.domain

11
hosts/ward/guests/web-proxy.nix
View file

@ -85,4 +85,15 @@ in
users.groups.acme.members = [ "nginx" ];
services.nginx.enable = true;
services.nginx.recommendedSetup = true;
services.ente.web = {
enable = true;
domains = {
api = "api.photos.${globals.domains.me}";
accounts = "accounts.photos.${globals.domains.me}";
albums = "albums.photos.${globals.domains.me}";
cast = "cast.photos.${globals.domains.me}";
photos = "photos.${globals.domains.me}";
};
};
}

1
modules/default.nix
View file

@ -4,6 +4,7 @@
./backups.nix
./deterministic-ids.nix
./distributed-config.nix
./ente.nix
./globals.nix
./meta.nix
./nginx-upstream-monitoring.nix

346
modules/ente.nix Normal file
View file

@ -0,0 +1,346 @@
{
config,
lib,
pkgs,
utils,
...
}:
let
inherit (lib)
getExe
mkDefault
mkEnableOption
mkIf
mkMerge
mkOption
mkPackageOption
optional
types
;
cfgApi = config.services.ente.api;
cfgWeb = config.services.ente.web;
webPackage =
enteApp:
cfgWeb.package.override {
inherit enteApp;
enteMainUrl = "https://${cfgWeb.domains.photos}";
extraBuildEnv = {
NEXT_PUBLIC_ENTE_ENDPOINT = "https://${cfgWeb.domains.api}";
NEXT_PUBLIC_ENTE_ALBUMS_ENDPOINT = "https://${cfgWeb.domains.albums}";
NEXT_TELEMETRY_DISABLED = "1";
};
};
defaultUser = "ente";
defaultGroup = "ente";
dataDir = "/var/lib/ente";
yamlFormat = pkgs.formats.yaml { };
in
{
options.services.ente = {
web = {
enable = mkEnableOption "Ente web frontend (Photos, Albums)";
package = mkPackageOption pkgs "ente-web" { };
domains = {
api = mkOption {
type = types.str;
description = ''
The domain under which the api is served. This will NOT serve the api itself,
but is a required setting to host the frontends! This will automatically be set
for you if you enable both the api server and web frontends.
'';
};
accounts = mkOption {
type = types.str;
description = "The domain under which the accounts frontend will be served.";
};
cast = mkOption {
type = types.str;
description = "The domain under which the cast frontend will be served.";
};
albums = mkOption {
type = types.str;
description = "The domain under which the albums frontend will be served.";
};
photos = mkOption {
type = types.str;
description = "The domain under which the photos frontend will be served.";
};
};
};
api = {
enable = mkEnableOption "Museum (API server for ente.io)";
package = mkPackageOption pkgs "museum" { };
nginx.enable = mkEnableOption "nginx proxy for the API server";
user = mkOption {
type = types.str;
default = defaultUser;
description = "User under which museum runs.";
};
group = mkOption {
type = types.str;
default = defaultGroup;
description = "Group under which museum runs.";
};
domain = mkOption {
type = types.str;
description = "The domain under which the api will be served.";
};
enableLocalDB = mkEnableOption "the automatic creation of a local postgres database for museum.";
settings = mkOption {
description = ''
Museum yaml configuration. Refer to upstream [local.yaml](https://github.com/ente-io/ente/blob/main/server/configurations/local.yaml) for more information.
You can specify secret values in this configuration by setting `somevalue._secret = "/path/to/file"` instead of setting `somevalue` directly.
'';
default = { };
type = types.submodule {
freeformType = yamlFormat.type;
options = {
apps = {
public-albums = mkOption {
type = types.str;
default = "https://albums.ente.io";
description = ''
If you're running a self hosted instance and wish to serve public links,
set this to the URL where your albums web app is running.
'';
};
cast = mkOption {
type = types.str;
default = "https://cast.ente.io";
description = ''
Set this to the URL where your cast page is running.
This is for browser and chromecast casting support.
'';
};
accounts = mkOption {
type = types.str;
default = "https://accounts.ente.io";
description = ''
Set this to the URL where your accounts page is running.
This is primarily for passkey support.
'';
};
};
db = {
host = mkOption {
type = types.str;
description = "The database host";
};
port = mkOption {
type = types.port;
default = 5432;
description = "The database port";
};
name = mkOption {
type = types.str;
description = "The database name";
};
user = mkOption {
type = types.str;
description = "The database user";
};
};
};
};
};
};
};
config = mkMerge [
(mkIf cfgApi.enable {
services.postgresql = mkIf cfgApi.enableLocalDB {
enable = true;
ensureUsers = [
{
name = "ente";
ensureDBOwnership = true;
}
];
ensureDatabases = [ "ente" ];
};
services.ente.web.domains.api = mkIf cfgWeb.enable cfgApi.domain;
services.ente.api.settings = {
log-file = mkDefault "";
db = mkIf cfgApi.enableLocalDB {
host = "/run/postgresql";
port = 5432;
name = "ente";
user = "ente";
};
};
systemd.services.ente = {
description = "Ente.io Museum API Server";
after = [ "network.target" ] ++ optional cfgApi.enableLocalDB "postgresql.service";
requires = optional cfgApi.enableLocalDB "postgresql.service";
wantedBy = [ "multi-user.target" ];
preStart = ''
# Generate config including secret values. YAML is a superset of JSON, so we can use this here.
${utils.genJqSecretsReplacementSnippet cfgApi.settings "/run/ente/local.yaml"}
# Setup paths
mkdir -p ${dataDir}/configurations
ln -sTf /run/ente/local.yaml ${dataDir}/configurations/local.yaml
'';
serviceConfig = {
ExecStart = getExe cfgApi.package;
Type = "simple";
Restart = "on-failure";
AmbientCapablities = [ ];
CapabilityBoundingSet = [ ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = false;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
UMask = "077";
BindReadOnlyPaths = [
"${cfgApi.package}/share/museum/migrations:${dataDir}/migrations"
"${cfgApi.package}/share/museum/mail-templates:${dataDir}/mail-templates"
];
User = cfgApi.user;
Group = cfgApi.group;
SyslogIdentifier = "ente";
StateDirectory = "ente";
WorkingDirectory = dataDir;
RuntimeDirectory = "ente";
};
# Environment MUST be called local, otherwise we cannot log to stdout
environment = {
ENVIRONMENT = "local";
GIN_MODE = "release";
};
};
users = {
users = mkIf (cfgApi.user == defaultUser) {
${defaultUser} = {
description = "ente.io museum service user";
inherit (cfgApi) group;
isSystemUser = true;
home = dataDir;
};
};
groups = mkIf (cfgApi.group == defaultGroup) { ${defaultGroup} = { }; };
};
services.nginx = mkIf cfgApi.nginx.enable {
enable = true;
upstreams.museum = {
servers."localhost:8080" = { };
extraConfig = ''
zone museum 64k;
keepalive 20;
'';
};
virtualHosts.${cfgApi.domain} = {
forceSSL = mkDefault true;
locations."/".proxyPass = "http://museum";
extraConfig = ''
client_max_body_size 4M;
'';
};
};
})
(mkIf cfgWeb.enable {
services.ente.api.settings = mkIf cfgApi.enable {
apps = {
accounts = "https://${cfgWeb.domains.accounts}";
cast = "https://${cfgWeb.domains.cast}";
public-albums = "https://${cfgWeb.domains.albums}";
};
webauthn = {
rpid = cfgWeb.domains.accounts;
rporigins = [ "https://${cfgWeb.domains.accounts}" ];
};
};
services.nginx =
let
domainFor = app: cfgWeb.domains.${app};
in
{
enable = true;
virtualHosts.${domainFor "accounts"} = {
forceSSL = mkDefault true;
locations."/" = {
root = webPackage "accounts";
tryFiles = "$uri $uri.html /index.html";
};
};
virtualHosts.${domainFor "cast"} = {
forceSSL = mkDefault true;
locations."/" = {
root = webPackage "cast";
tryFiles = "$uri $uri.html /index.html";
};
};
virtualHosts.${domainFor "photos"} = {
serverAliases = [
(domainFor "albums") # the albums app is shared with the photos frontend
];
forceSSL = mkDefault true;
locations."/" = {
root = webPackage "photos";
tryFiles = "$uri $uri.html /index.html";
};
};
};
})
];
meta.maintainers = with lib.maintainers; [ oddlama ];
}

2
pkgs/default.nix
View file

@ -18,6 +18,8 @@ _inputs: [
# })
# ];
ente-web = prev.callPackage ./ente-web.nix { };
formats = prev.formats // {
ron = import ./ron.nix { inherit (prev) lib pkgs; };
};

91
pkgs/ente-web.nix Normal file
View file

@ -0,0 +1,91 @@
{
lib,
stdenv,
fetchFromGitHub,
fetchYarnDeps,
nodejs,
yarnConfigHook,
yarnBuildHook,
nix-update-script,
extraBuildEnv ? { },
# This package contains serveral sub-applications. This specifies which of them you want to build.
enteApp ? "photos",
# Accessing some apps (such as account) directly will result in a hardcoded redirect to ente.io.
# To prevent users from accidentally logging in to ente.io instead of the selfhosted instance, you
# can set this parameter to override these occurrences with your own url. Must include the schema.
# Example: https://my-ente.example.com
enteMainUrl ? null,
}:
stdenv.mkDerivation (finalAttrs: {
pname = "ente-web-${enteApp}";
version = "1.0.4";
src = fetchFromGitHub {
owner = "ente-io";
repo = "ente";
sparseCheckout = [ "web" ];
tag = "photos-v${finalAttrs.version}";
fetchSubmodules = true;
hash = "sha256-M1kAZgqjbWNn6LqymtWRmAk/v0vWEGbyS50lVrsr85o=";
};
sourceRoot = "${finalAttrs.src.name}/web";
offlineCache = fetchYarnDeps {
yarnLock = "${finalAttrs.src}/web/yarn.lock";
hash = "sha256-EYhYwy6+7bgWckU/7SfL1PREWw9JUgKxWadSVtoZwXs=";
};
nativeBuildInputs = [
yarnConfigHook
yarnBuildHook
nodejs
];
# See: https://github.com/ente-io/ente/blob/main/web/apps/photos/.env
env = extraBuildEnv;
# Replace hardcoded ente.io urls if desired
postPatch = lib.optionalString (enteMainUrl != null) ''
substituteInPlace \
apps/payments/src/services/billing.ts \
apps/photos/src/pages/shared-albums.tsx \
--replace-fail "https://ente.io" ${lib.escapeShellArg enteMainUrl}
substituteInPlace \
apps/accounts/src/pages/index.tsx \
--replace-fail "https://web.ente.io" ${lib.escapeShellArg enteMainUrl}
'';
yarnBuildScript = "build:${enteApp}";
installPhase =
let
distName = if enteApp == "payments" then "dist" else "out";
in
''
runHook preInstall
cp -r apps/${enteApp}/${distName} $out
runHook postInstall
'';
passthru.updateScript = nix-update-script {
extraArgs = [
"--version-regex"
"photos-v(.*)"
];
};
meta = {
description = "Ente application web frontends";
homepage = "https://ente.io/";
changelog = "https://github.com/ente-io/ente/releases";
license = lib.licenses.agpl3Only;
maintainers = with lib.maintainers; [
pinpox
oddlama
];
platforms = lib.platforms.all;
};
})

BIN
secrets/generated/sentinel/loki-basic-auth-hashes.age
View file

Binary file not shown.

9
secrets/generated/sire-ente/ente-encryption-key.age Normal file
View file

@ -0,0 +1,9 @@
age-encryption.org/v1
-> X25519 zRngxioYpKJbERi6At0Wiuy9D9vVfieDcpElvJWeIUI
qYMaG1W7b42179kEL2NJsuCoREGrZBPs+U8+rNdFyOM
-> piv-p256 xqSe8Q AmC86Dj5laQaiH2OIrcZG2AiGB4T5wgzIhLMPgBzJaKn
VjFnsl5UgDDw3sap9mgd3jJR/jqlRL4KS3/jxxcuLQM
-> ,?FIg-grease iYX?nyr *z|V}ruN
i/j/P1jbT8hP6RHqUKAzg94nWWWk5E8EJXomFBc9tQ
--- S7mlAB35SMtQSlUn5dPpNjj9ekUkOJTPvLuEAPGJNXQ
¹8ݾ ‚x•|?-‚N¬X-v¼žS™ìôB$ŸeVZpÊ\·m— º‰Àò2¢Ó³ãÎôBÍBB§æ,þ‡êí‹–Üò%®P_”

BIN
secrets/generated/sire-ente/ente-hash-key.age Normal file
View file

Binary file not shown.

9
secrets/generated/sire-ente/ente-jwt.age Normal file
View file

@ -0,0 +1,9 @@
age-encryption.org/v1
-> X25519 fSjolShGCdhJfr1tdcTeYmkpWG3iiA8QEKZjgHjIMUM
Wc0uFJRebFT6xVzxpNStdGyNkC1l+SrtbKBe0vYEX/w
-> piv-p256 xqSe8Q AhhzkRFNoGd0Sv9t08g/wxkCqiKjcMUAutwztgIs+x9U
Q8Y8SEIcGrSQbp//vTWIFAfXcy6LADNEJ6Q0GxFQOpI
-> 754F*-grease k$4zy* >% { og8qk-
r8c9fTLupld7X0fmQ6OLuuBSITL4xU/m0G0eTBcau7o
--- nQo78/W1zOcPeBsXIEEepU5WOCvlllLwB6+Fqrc9OY8
öþ¼¶:¼Ìf�;»ÈÈoûQY9; Š–Ã2¥®Y­ e]vbU¹û´°áﳕšëÀ[ØpŒ(Weøt¿^™þÒví«½Úèæd8:ì

10
secrets/generated/sire-ente/minio-access-key.age Normal file
View file

@ -0,0 +1,10 @@
age-encryption.org/v1
-> X25519 RUswhRVBILKxzva+FcHu69TNIDotls9+FTqL3IYiZio
MwXFm8JK7Viy6cQZXjBT5U2ERhH6jAckfU0bph6BixU
-> piv-p256 xqSe8Q A6dYQvH4lZ8FSM00u8YCyYHQQvu9xy+UfzBhXepKDWdu
eBb9JP+MLrQ5sttl2MDOyrYI0V1fI7spw57DbAGriVI
-> w.wd]R-grease >g2~Z~ \ ,6
2S+12Sh/Bjvx0wFMVU4ApN4aVMTkHOqitD9OjcxwuG6Z22Cz04H4e7FD/9VQ57uD
BcvbmzU/sN52h/7K8/wBjHj43V+3L9SVafm2+WF+VfVON6CfcznCfgCq2w
--- wFSnGM1uYgDGmVkYKoARx7uKyV0KEbyYWzeYIA3bxNg
ºæmºQjždfvÎå ~–º2X™0ÑẎêÁÓBªxÊÐ[ å#Õ_S–¬½`áC…¯/Ò#Klçƒ)œþ øàQöÊC¤Åê:"À¯ô

9
secrets/generated/sire-ente/minio-root-credentials.age Normal file
View file

@ -0,0 +1,9 @@
age-encryption.org/v1
-> X25519 1g/zXfi1yIQ8Gr7s8vXVcqY2SqSY54wIm2K5jZw2FGU
20yDp5BbvL4/Dwj5wUsqICutjmcdEzQzHzhYn2wGxa4
-> piv-p256 xqSe8Q A0hl01YjJvSgNoVVgqbXtbJebphdyC1KfXuq0KHsGLEY
/tp18Vk3vM2UUxfB+rCi6a1hKvtNi1E+o/CkfEdejBM
-> AR0.!FY-grease jw9K!j
eujGLw
--- 5iSrLf3Tc9d65fjQZvzv2XO5E2FnOKIAcG0aViBQ3T0
G­N¿ý­N)—™o…@Ü"Êðî)Ÿa<p¾Öô; wÚ™} Õ$!îqqÂsüt ˆ ,Eã3R#�xqû,=^=ížéS�ÅB6’’_48‘jêY¡;€YÃ[`“‹ q':¬ �v8î$€šºBÛ£¸?ñ½ÂÉyxË ‚pžŸ1��¿vѲ¢!ÆÐÕr50+lrÚ¦¬sg�êî

BIN
secrets/generated/sire-ente/minio-secret-key.age Normal file
View file

Binary file not shown.

BIN
secrets/generated/sire-ente/promtail-loki-basic-auth-password.age Normal file
View file

Binary file not shown.

BIN
secrets/generated/sire-ente/telegraf-influxdb-token.age Normal file
View file

Binary file not shown.

BIN
secrets/rekeyed/sentinel/0eaa4bb18cbfcecdc7f5b14bf1f05cdf-loki-basic-auth-hashes.age Normal file
View file

Binary file not shown.

BIN
secrets/rekeyed/sentinel/5f448f5955218081b5b4b19316ff9c31-loki-basic-auth-hashes.age
View file

Binary file not shown.

7
secrets/rekeyed/sentinel/7dd21124a6116b64884cc34b22d128b0-wireguard-proxy-sentinel-psks-sentinel+sire-ente.age Normal file
View file

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 yV7lcA tb9kSCCrR4ZsCY2rFru596/nvJ3Ls0CAIx1SbeBb3jE
sFwhpTJtUKZLI05/Pka9UN+/AhqRr1T2qOsoXqnJm+I
-> M{JlUebq-grease <v+'>UsK ZwN> .2j<
q7Jcr9NMDZPmnfX7OE9ul+ABFA
--- caLIQEMxZ2TikSZVAKd4ms6qcoOsd0pCgC3Q0UwXTIU
/0daïà*�/�-I<â"&é Ë—ðUmc™RKtk,†1§RY ÏËãàÆÚÌIç´eËXx¤üÕî5ÿÚÀªëøÕUqYŽ“¿ÇÊ

8
secrets/rekeyed/sire-ente/0a655191d8a00f031974a30ce0d150b5-ente-encryption-key.age Normal file
View file

@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 JgWCuA E7lVaNWH6szAllQ8QNG1vHT5aNf9oJ4qC6NhQmJDwAc
59GgmOFiryp/c0/R+u3xPZCQg5E2D7xLiABGn/iYfPc
-> V?-grease Lb\VjM_
DH5djc92LmIQFfn2wJSdLgz+OsGY+7y9AqtYiOfWZyClDaTOGvY2GxqzJS7k8Wh0
zQ
--- R/ulTpEmTlZhlnlmlp+MQxe2pLvONgXqEiDQOM0xZQA
|‚…†®Æ8½3 ÇhœËÄAXæC=�Ü^ùÔü¸wœ0Gä1A›GËbÍàèÄ §‡ ê¿;ôŠ¸VÙ4o—/™ƒÓ3

7
secrets/rekeyed/sire-ente/39ed4aee39bb5284ed82d595b57af3a6-promtail-loki-basic-auth-password.age Normal file
View file

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 JgWCuA 7g34bQN2G4hf4lTxDLfPJog/r8rgjQnmwPZW277jpQk
nhnGg8CcoVzuASxf2SAVBeVA5gcpNBB0LNHMSnHvvzA
-> EXviAf-grease `>N4
HByrqYnzlTIEjr6cRuJ1Eg
--- 4/1YuJpu8rbYPKqcyYbtDCSaq9doFKbdNvhHTGoL0e8
7KøAXü|» ñ!Üp8'ÓôŒ.×w�Ü Žêf:Ú~÷Z [/¤Þºušïl2Ì'ÔWYG€F��Nd:ÐPkÒ1BO=å¶ñøæ+àÔê

7
secrets/rekeyed/sire-ente/48afcb0cd2c5ea7e134a9ea29b7eaa7b-telegraf-influxdb-token.age Normal file
View file

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 JgWCuA PHWocAK4Uq2RlRBQRJmlYytDt1UDys9oSSkqkqGoagE
TAkHn01nLHkhdTRT1KFdrnxkxRM+1Kpr1JaUaVrf6Cc
-> ~f-grease $"CHQ ;>^KKwf[ $Ets\o1
4g0E9jf4hAzb0A
--- gGNrPcfze2eOkJg/PPrgVHnffTmOX58dOukGGYVM3Qc
ƒè’ÐÅ��(yêCÀ�!ÿ;ƒ“¿dÛkL€q·GÛIÏÉý¿œNJE B¾Fòc À Ã<Z*‚„Š2òÿd�Ý’RˆLÒצ(~]oÌ®Ùc¥

8
secrets/rekeyed/sire-ente/4fddd2864abd2ee1ab5829fc3ac741d6-ente-hash-key.age Normal file
View file

@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 JgWCuA ibIMzo1GidK7NjVdRwLtW/ZBmEYJljlEQBDpzcS7u3g
gJO2mEFR7VpiZ66lo1C2DICFthKDrBbK3b9yvvv2OUk
-> L`^@f-grease
6KFxCBHS1sez24DemcAVbP/2DA1qMH6G4Slt36Be+7XN/pc21NTm15Y2WAOdfnfr
hYtLONwqTGd9M9309Nyf431l/92Hpvg0ZT0on4iwqA
--- rzYINbMisctAhV6j6uTIFtZeOgl4LylFpwql2QpJAhU
4;±l¸øÇúm(ô‘φÓL½ê©’ýjk8N@ø¶gPØýº¡1tÕBpÅ<'²A§u Vž\ýç‘Q]}]y¢-eÖð¢¢ÀH[âd#b_F´J뷟ܺLèP|Ì)Á€šw¿ü¨„Èm³Œ©�

7
secrets/rekeyed/sire-ente/50b5f9785853d40bd74d52dde6d57c11-wireguard-proxy-sentinel-priv-sire-ente.age Normal file
View file

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 JgWCuA Nwy2LY1REyI7LRKDFNbaS2FF1R+Erl6KrdrumvS/XX4
1S9sYJnsgMmDTXvBO1/RDxlcEIYfDH+cO0MkZuo40VU
-> )-grease )!nP Q@Q@ur{3 dcBOk*]
D1GIlaWvcD2KUvCe7m+aClC3OEsWGn0WRlsG25o8YWJq48TgZOezeZSaNco
--- Rcndrv1V5ZhAiFHZe1WdTMEeZ5+jqu2ES16D1aN/1wg
½Étk�Ãü]8É8 ÙœöèR·2– ±—íÒ’üŠgZáÓ©(™r—½ÅëižV\Py ªf½¦¤ÕÜ‹Lü_.ýµ£ûƒ

9
secrets/rekeyed/sire-ente/6bd5a9be337a42f7ceccabcb94e58c7d-ente-jwt.age Normal file
View file

@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 JgWCuA FRpqXDi8hsKKuScuMTNJWP8hyeDsEiT0cKeRCtcSHDo
9ws3OouI1gl6WCjTVeGL1FLlzjoc5r3KuIicz1Hxvvk
-> B$<$\Y-grease /HHpi >/9 -!*14 GB#8+TJ
YCQ/DeYqBopIh5w11DrHtJnJJ32yaFQ9qE6yOXGAbVfrSik5sVf/Txn2dBNb+nTG
3jQTR5kKOkGFLIUul83ix6A
--- wG6qOXsr8udyFHqA4WDFTGQASgtnG39UC8SXiyoCH24
Ú«ì¤wÇ "NÞ*³
� ç¹tñ¯T¼1e™cwÂè=‚Ü�m»_Â¥l‰ç4hA{e<“<Lʪ”£á�èµÖú 90kÓzl—rûÇ

7
secrets/rekeyed/sire-ente/8dabe142e6ad67a259f83111fceb6e17-minio-root-credentials.age Normal file
View file

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 JgWCuA 8gWuOL3ItuZnJLSV4wJSKIavVdU1mZZOYSDP9X5pkjg
H32gHbisIG+aVXOU/fkAHVmoVyH6BMhR1yVN+grYnbI
-> KE-grease #rT+&3B& :$ @
JQuPHa3Y1qlRkw
--- akx1iJc1tHixZXIOYzC+59TIvfFrUoTvgHCPnujR6Zc
Ðb§êˆË“éxâC�P×õX° ãÒeÙ#0�}ø­št9Þ=KdêK��/¢â3aùs.‘mÄV{ùªfå@7G¹çûujG¼1Oâ…v)æNøöÿÊj4ãf*¾b¿Õ•ÅQzY0ÿ‹I½¶õŸçåš6EÖw~ÉÇ^.„îA�øæMhnÔ sàŠ{ÒB¸Hd?Có»É) oêÞ˥̡F"q\ê—#c

7
secrets/rekeyed/sire-ente/a3d4334dfab58cfbb82ce922dbb23c50-wireguard-proxy-sentinel-psks-sentinel+sire-ente.age Normal file
View file

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 JgWCuA R/2IkDfac3BnlHNqFlXEBDEKUAFkOJPzMuydNFZAzWo
ub21BfD8Q5GaLr8IdLwHkdZqSVAjG2q3MuDrB4KozJA
-> $a|&-grease k!M4 NZQL R,s4mUU ]y
zoxZDA
--- 41/Orge3q+gN8+MgvL745C/fatbvxkpeS7jrdiyphTk
5P°‡/ƒÖ©Z+B|ÖV$ƒx~Ž†‘e 0hµ  _Mˆ`ruBôi“y–¥~îxg?Ù£>LÎœ>&äw!Ös—?p�…61ü�÷j

8
secrets/rekeyed/sire-ente/b196a04930eeaf93e5314de87b7ddc1f-minio-access-key.age Normal file
View file

@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 JgWCuA BhciDbzGldKHFga2iDU/xYnMv7eGi1LZb+lGXJC5BHY
sG8HF+9adDtroTygekl57kNWmdPxBOoUKDxFHKEBQ8U
-> 4W-grease
9sX0u6PKO6b5tCx5KEMzpHUyIX81ZtbCrXkCy/5H/6MrziNyG3hm9RlmYfjroA8w
JInJF5/S
--- nu0Fb0V8USP+6NdT6egQ13gUHjsBDh3e1vTIeU1koWk
n”hþµûÄâ·€¡º#×ÒE“»7m`zcä”BŸAîóÔ�°ÑÇ5­œ<ÂB¹1gñO5+Øž3r9‰º¾×!<²�ñˆø2:¨Ýk“\ g~

8
secrets/rekeyed/sire-ente/c286daba571651cf0fb3baa35f8717e5-minio-secret-key.age Normal file
View file

@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 JgWCuA qCQiUbrSa9VHQmnGxUzAKnIXnz1iCaGltMtlekJtSik
n1C2khtbkEjU06GoLlV/cGqKiHJPC45esUUXzSrqUdY
-> G-grease ~;bV'qp 6[ 2=41r2
6XoXhm9137td0dfyVG9y+aoXgnZ/DHyEz/Mm7bWTVOALBjNiND962acconiU+YAV
rNjORyxn
--- FbizueAYs+ySyCsYHz2nSOP9ZK1B3cwY0tfnbCUSZSo
9æñQ¨P« ÜÉ:û pò2Í‚Œž}HÙÜ_P¦ÛrC¨óÛPö>kæã+ø@¹ëbá\U_EῲɌioV²ˆš*NNºR'î=H´¿UÆ

7
secrets/rekeyed/sire-ente/cff35fe4c607c5c2d57af131e14080b5-wireguard-proxy-home-priv-sire-ente.age Normal file
View file

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 JgWCuA 4Yb3GrxVz12WnVG/xOLQ5v+AfvQnfu8rz+KF2z2hzzY
sGXnAMSxc9L47Zzvnovmq0jIHnEIogVN5XG7FBurTn4
-> cwlzzK-grease
15ku+cw
--- JMaYeYHOTTH0E93AnU0hKwp/bdHg6wkmdK5WxFdIKLg
¦.µÜ…$5Z¸{uÎËÇs�»L‡9,¿�k ¢)Ý6Ïv#¤Éò§+ï;Þp¡§˜nÓÓšnŽõ­íx[0›f؈¼›v!Tè#ëÜä

8
secrets/rekeyed/sire-ente/d0a3d1a9285c9e295e71bd59a2399ec6-wireguard-proxy-home-psks-sire-ente+ward.age Normal file
View file

@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 JgWCuA fLErDkfDNMgSF0E/ZoBB6OVIrofuDzXnNSh0UwfwBAs
87BAmP1neIBVz/sPnx32S+y+EgV3uKQyWNI1wkj/rok
-> 6b=-grease aZPivQ
9Wkt0eTctqiZ2uajuNkl5su0tKGudpCKnl43cS3nOX2/tjXEIKB0Pe4bc1ImIJvV
z+2FuJju8Q5o+mx2/NKZINhT0VnXzQFpjgwWsZs2mntMCxI0GMwPUyt8pg
--- urAXMUjYZJ/Q1ezsnn4uu20993E3EkK2Fqmhu5TgWcE
›0‡]îJæn¶ü“ý;??^E©e=ÍÒ!{MòÙNÔÙ!™+÷§yõ™ËèNq/¤×sºˆlªÒÔadòx*qtǪU¥± v%0

7
secrets/rekeyed/sire-influxdb/d7176dcef3b2245267cb9d77723a1261-telegraf-influxdb-token-sire-ente.age Normal file
View file

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 1tdZKQ uVXynHs0BZZu7YlnLtqEOy7DBrylGwAsuw2V5Xe1tlc
OhgF8N3bDlZC4XD7PAZFdBqtJPoaRX7ChQSEbnjsnKY
-> Z8-grease j jA Kr?3M$?
Qh8AQ2InqiJFZg
--- VaYAzDhieUncCVKxqNSG4PA9RGiHG1lmjy/s/1dSwFs
=exµ1*Ù[áYj<Ð ö¸ŠåÝîò%&¯Æ»)PyŸ¾¢íqÁ8*Fµ“7¼Ôùìf½ÊÀNÏݹ ,ÿÇáÓx0J‹¢ò‚Õ¤Iu2)á2

BIN
secrets/rekeyed/ward-web-proxy/09683ecb6ba69322f3aa1c34b6ed6dfd-loki-basic-auth-hashes.age Normal file
View file

Binary file not shown.

BIN
secrets/rekeyed/ward-web-proxy/90ab11485712f95db2c07814074b7899-loki-basic-auth-hashes.age
View file

Binary file not shown.

7
secrets/rekeyed/ward/82fb2774f6a5e08a0e4bd8b8cdc09238-wireguard-proxy-home-psks-sire-ente+ward.age Normal file
View file

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 iNceIg BmCXt086D1EkeS07iplFsR6T33WyWAyiCT1mRLB32hw
fy0OpMuK/8qPw3Ryb5EAwnPSzlUx2YoYawzzKP75RFo
-> ah,luV-grease 7%Q {Zju_"(b
MqKtQw
--- DhDp8jYeynd1OUpCU61SpPZVPXnFokxX2Usixo7/ZG8
…¤¸øϨol¹í¦‹öïtAn-Wq¥ëoUÚH)ïæ:2:¤d²#Ô*ô"aØã2œ1qJ6ð÷†¸5ô1<‰DåÑyBãF

10
secrets/wireguard/proxy-home/keys/sire-ente.age Normal file
View file

@ -0,0 +1,10 @@
age-encryption.org/v1
-> X25519 AKZ+AtI/m8zX6g0lWM7NrNhtRTzn99G3Hzd4xTLmP2o
k06IWa/NYnJWHctoRtOuONWPRc3TeFKWGq62EEtPK2w
-> piv-p256 xqSe8Q ArPIpreqaxqoRvOr68Iyh6LhfzH+GbUbmZ24PMy6v6CR
/1AcoGVvZgOW2IIIiU6Kya37CT4N5igi5tGyuJCMfaw
-> b'2Yw/88-grease
hNHp2mtaChpVqJXW6+rZtdGdabmmtHxpSo64gPxsoTED9Jm+A36HtQTovZ2hfxWG
jwQadJT4WS9CJIvdqFRWi25FLAbS3c8
--- /qAMQiLi2hgue66lXzk08Hl5FEgO4daK/TqisxvKhC0
Õq( ÂÔÎ)¡ûå7ê®ÆG»¿£Åõ*µ%¢%%ž[ t`¦¬ÌèÀ÷jØw€OÕ›ÎÈE¼ç :Ûö;ÍÇêxbi�

1
secrets/wireguard/proxy-home/keys/sire-ente.pub Normal file
View file

@ -0,0 +1 @@
AOGA/huE+l8LA7VsqTVuu8Idf/CljsEz2w9r3HF0xF8=

9
secrets/wireguard/proxy-home/psks/sire-ente+ward.age Normal file
View file

@ -0,0 +1,9 @@
age-encryption.org/v1
-> X25519 BFrpqy55NcKEF7q772I17T0wjQ02Ut2rWrMZ1rtjWwI
yH1f7HWIRcqlm6uRwBUcOBbz0gceyio8iL9Ggnt3Fb0
-> piv-p256 xqSe8Q Anx1LI2vbGG5xYzIF5rKnHaqP6Lh5wf4xyNd4lsQSay3
OePEiNdGFCd+xrGv7ARUaNKHMNWQgng4Q21Q+sbF5BA
-> /lY8-grease
MuwhaBG4mNhGQrxArOVAeqpkXtqhORkH40vnttBf4A
--- R2ZE5vy2h7+LiQF946AhQXTaGuZzhar5QthG8zQXeOQ
/hNűžš®Q ŔÄüäÝtľ>”ZŚüT-Şßç¶Qă”™jeŐőN«dă {Ľ ˆ5gáüöů-Ż�>˘őÁ›‹–×m.¦

10
secrets/wireguard/proxy-sentinel/keys/sire-ente.age Normal file
View file

@ -0,0 +1,10 @@
age-encryption.org/v1
-> X25519 vQk4YSBJ4lAhykKSn6EQVJt3N5knDwFojKKkGXIpkko
VFMoGYvz3Ghr2yDvkKVBhBk0RXwKvAa/1tc0XvAksqo
-> piv-p256 xqSe8Q Ao8pq7XVm2sW7pWJwY5xV+OENbydQYPDHFyW3D4Zcypy
804ByjdNfiNjYE1pETvtq2+Qf9XOpPSfTBTnaMYpWx0
-> Bm!-grease
mTATrQka+LR7fjxFRq9eK2w4OC7Da+Rx2mgoT0jRRw2urXAN3m25hupRhmXjAmUT
UXCI6XLGG0gc+Fb5SOBXSPIjwMoVI3h8BgIRQsKUECM39iwN8j95kR9uDiP10Q
--- kOS9Fo+PrmUqGDLRkYYMEJcoSKeVoPudmLzD/M4rwzY
Ø¿9Sê)à)`J@´_�‹<îØèÐÁì‰N;ëHå›ä=NgÙTÞ\5;gtæÏy{ùºÏN H€…bÔeM6ñ¦îùmáÅ3

1
secrets/wireguard/proxy-sentinel/keys/sire-ente.pub Normal file
View file

@ -0,0 +1 @@
TQLqvOZp/FoELpqnkuls/wio9ET7KurTE9XW6m+BegU=

BIN
secrets/wireguard/proxy-sentinel/psks/sentinel+sire-ente.age Normal file
View file

Binary file not shown.