From 9daa744334f459c640b7d0bea20f96e826064fca Mon Sep 17 00:00:00 2001 
From: oddlama Date: Wed, 15 May 2024 22:17:21 +0200 Subject: [PATCH] feat: add netbird (and coturn) --- hosts/sentinel/coturn.nix | 81 +++++++++++ hosts/sentinel/default.nix | 1 + hosts/ward/default.nix | 1 + hosts/ward/guests/kanidm.nix | 16 ++- hosts/ward/guests/netbird.nix | 134 ++++++++++++++++++ hosts/ward/net.nix | 20 +++ hosts/ward/secrets/netbird/host.pub | 1 + modules/config/nftables.nix | 2 + modules/kanidm.nix | 34 +++++ pkgs/kanidm-provision.nix | 6 +- .../sentinel/coturn-password-netbird.age | 11 ++ .../sentinel/loki-basic-auth-hashes.age | Bin 2467 -> 2491 bytes .../generated/ward-netbird/coturn-secret.age | 9 ++ .../netbird-data-store-encryption-key.age | Bin 0 -> 428 bytes .../promtail-loki-basic-auth-password.age | 11 ++ .../ward-netbird/telegraf-influxdb-token.age | Bin 0 -> 405 bytes secrets/global.nix.age | Bin 2466 -> 2513 bytes ...xy-sentinel-psks-sentinel+ward-netbird.age | 8 ++ ...6992aea9e6fe02b-loki-basic-auth-hashes.age | Bin 0 -> 2498 bytes ...628181d006ba3a6-loki-basic-auth-hashes.age | Bin 2367 -> 0 bytes ...be7cb973103277-coturn-password-netbird.age | 9 ++ ...9-telegraf-influxdb-token-ward-netbird.age | 7 + ...ff3eedbf089ac3fd3e9d8fca-coturn-secret.age | Bin 0 -> 293 bytes ...536070c92a6459-coturn-password-netbird.age | Bin 0 -> 279 bytes ...guard-proxy-sentinel-priv-ward-netbird.age | 8 ++ ...1ee8-netbird-data-store-encryption-key.age | 9 ++ ...89c7-promtail-loki-basic-auth-password.age | 8 ++ ...xy-sentinel-psks-sentinel+ward-netbird.age | Bin 0 -> 296 bytes ...d2c211a005fa72-telegraf-influxdb-token.age | Bin 0 -> 354 bytes .../proxy-sentinel/keys/ward-netbird.age | Bin 0 -> 483 bytes .../proxy-sentinel/keys/ward-netbird.pub | 1 + .../psks/sentinel+ward-netbird.age | Bin 0 -> 404 bytes 32 files changed, 372 insertions(+), 5 deletions(-) create mode 100644 hosts/sentinel/coturn.nix create mode 100644 hosts/ward/guests/netbird.nix create mode 100644 hosts/ward/secrets/netbird/host.pub create mode 100644 
secrets/generated/sentinel/coturn-password-netbird.age create mode 100644 secrets/generated/ward-netbird/coturn-secret.age create mode 100644 secrets/generated/ward-netbird/netbird-data-store-encryption-key.age create mode 100644 secrets/generated/ward-netbird/promtail-loki-basic-auth-password.age create mode 100644 secrets/generated/ward-netbird/telegraf-influxdb-token.age create mode 100644 secrets/rekeyed/sentinel/320fd087208acc8f688f0028edca8ba5-wireguard-proxy-sentinel-psks-sentinel+ward-netbird.age create mode 100644 secrets/rekeyed/sentinel/3b515237f2eec169c6992aea9e6fe02b-loki-basic-auth-hashes.age delete mode 100644 secrets/rekeyed/sentinel/5bc5d5daad95fcc8f628181d006ba3a6-loki-basic-auth-hashes.age create mode 100644 secrets/rekeyed/sentinel/88ab56073f4bca323fbe7cb973103277-coturn-password-netbird.age create mode 100644 secrets/rekeyed/sire-influxdb/9d519a4364a78ed35630ef296bd96439-telegraf-influxdb-token-ward-netbird.age create mode 100644 secrets/rekeyed/ward-netbird/02c5031aff3eedbf089ac3fd3e9d8fca-coturn-secret.age create mode 100644 secrets/rekeyed/ward-netbird/0c9d11833b203faea5536070c92a6459-coturn-password-netbird.age create mode 100644 secrets/rekeyed/ward-netbird/35e674a94d54d8987c32e52de38627ee-wireguard-proxy-sentinel-priv-ward-netbird.age create mode 100644 secrets/rekeyed/ward-netbird/aebb2152acff74fc1f4af3b8d5141ee8-netbird-data-store-encryption-key.age create mode 100644 secrets/rekeyed/ward-netbird/b538aae13a0d8e017e3834f262ae89c7-promtail-loki-basic-auth-password.age create mode 100644 secrets/rekeyed/ward-netbird/ba98d6bdeb0dffac652fa15dbde10da7-wireguard-proxy-sentinel-psks-sentinel+ward-netbird.age create mode 100644 secrets/rekeyed/ward-netbird/baa6e9c40b40f680bbd2c211a005fa72-telegraf-influxdb-token.age create mode 100644 secrets/wireguard/proxy-sentinel/keys/ward-netbird.age create mode 100644 secrets/wireguard/proxy-sentinel/keys/ward-netbird.pub create mode 100644 secrets/wireguard/proxy-sentinel/psks/sentinel+ward-netbird.age 
diff --git a/hosts/sentinel/coturn.nix b/hosts/sentinel/coturn.nix
new file mode 100644
index 0000000..232e171
--- /dev/null
+++ b/hosts/sentinel/coturn.nix
@@ -0,0 +1,81 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ inherit
+ (lib)
+ getExe
+ mkAfter
+ mkForce
+ ;
+
+ hostDomain = config.repo.secrets.global.domains.me;
+ coturnDomain = "coturn.${hostDomain}";
+in {
+ age.secrets.coturn-password-netbird = {
+ generator.script = "alnum";
+ group = "turnserver";
+ mode = "440";
+ };
+
+ networking.firewall.allowedUDPPorts = [
+ config.services.coturn.listening-port
+ config.services.coturn.alt-listening-port
+ config.services.coturn.tls-listening-port
+ config.services.coturn.alt-tls-listening-port
+ ];
+ networking.firewall.allowedTCPPorts = [
+ config.services.coturn.listening-port
+ config.services.coturn.alt-listening-port
+ config.services.coturn.tls-listening-port
+ config.services.coturn.alt-tls-listening-port
+ ];
+ networking.firewall.allowedUDPPortRanges = [
+ {
+ from = config.services.coturn.min-port;
+ to = config.services.coturn.max-port;
+ }
+ ];
+ networking.providedDomains.coturn = coturnDomain;
+
+ services.coturn = {
+ enable = true;
+
+ realm = coturnDomain;
+ lt-cred-mech = true;
+ no-cli = true;
+
+ extraConfig = ''
+ fingerprint
+ user=netbird:@password@
+ no-software-attribute
+ '';
+
+ cert = "@cert@";
+ pkey = "@pkey@";
+ };
+
+ systemd.services.coturn = let
+ certsDir = config.security.acme.certs.${hostDomain}.directory;
+ in {
+ preStart = mkAfter ''
+ ${getExe pkgs.replace-secret} @password@ ${config.age.secrets.coturn-password-netbird.path} /run/coturn/turnserver.cfg
+ ${getExe pkgs.replace-secret} @cert@ <(echo "$CREDENTIALS_DIRECTORY/cert.pem") /run/coturn/turnserver.cfg
+ ${getExe pkgs.replace-secret} @pkey@ <(echo "$CREDENTIALS_DIRECTORY/pkey.pem") /run/coturn/turnserver.cfg
+ '';
+ serviceConfig = {
+ LoadCredential = [
+ "cert.pem:${certsDir}/fullchain.pem"
+ "pkey.pem:${certsDir}/key.pem"
+ ];
+ Restart = mkForce "always";
+ RestartSec = "60"; # Retry every minute
+ };
+ };
+
+ security.acme.certs.${hostDomain}.postRun = ''
+ systemctl restart coturn.service
+ '';
+}
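Review bot: The `services.coturn` block places no limit on relay peer addresses, so any client holding the TURN credential can have sentinel relay traffic to whatever sentinel itself can reach, which presumably includes loopback and the internal proxy-sentinel WireGuard network. Adding peer restrictions to `extraConfig`, for example `no-multicast-peers` plus `denied-peer-ip=` ranges covering loopback, private, link-local and the WireGuard subnet, would close that off; confirm first that NetBird relaying still works with them in place. `user=netbird:@password@` is a single long-term credential shared by every peer, which deserves a comment next to `lt-cred-mech = true;`. The firewall also opens the plain `listening-port` and `alt-listening-port` on TCP and UDP; since netbird.nix only points clients at `tls-listening-port`, the plain and alt ports could probably stay closed.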
diff --git a/hosts/sentinel/default.nix b/hosts/sentinel/default.nix index 4db9c22..9158772 100644 --- a/hosts/sentinel/default.nix +++ b/hosts/sentinel/default.nix @@ -11,6 +11,7 @@ ../../modules/optional/zfs.nix ./acme.nix + ./coturn.nix ./fs.nix ./net.nix ./oauth2.nix diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix index 5e51d7d..5eb9363 100644 --- a/hosts/ward/default.nix +++ b/hosts/ward/default.nix @@ -107,6 +107,7 @@ // mkMicrovm "adguardhome" // mkMicrovm "forgejo" // mkMicrovm "kanidm" + // mkMicrovm "netbird" // mkMicrovm "radicale" // mkMicrovm "vaultwarden" ); diff --git a/hosts/ward/guests/kanidm.nix b/hosts/ward/guests/kanidm.nix index 33cffac..65aaa1f 100644 --- a/hosts/ward/guests/kanidm.nix +++ b/hosts/ward/guests/kanidm.nix @@ -106,12 +106,24 @@ in { basicSecretFile = config.age.secrets.kanidm-oauth2-immich.path; preferShortUsername = true; # XXX: PKCE is currently not supported by immich - # XXX: Also RS256 is used instead of ES256 so additionally needed: - # kanidm system oauth2 warning-enable-legacy-crypto immich allowInsecureClientDisablePkce = true; + # XXX: RS256 is used instead of ES256 so additionally we need legacy crypto + enableLegacyCrypto = true; scopeMaps."immich.access" = ["openid" "email" "profile"]; }; + # Netbird + groups."netbird.access" = {}; + systems.oauth2.netbird = { + public = true; + displayName = "Netbird"; + originUrl = "https://${sentinelCfg.networking.providedDomains.netbird}/"; + preferShortUsername = true; + enableLocalhostRedirects = true; + enableLegacyCrypto = true; + scopeMaps."netbird.access" = ["openid" "email" "profile"]; + }; + # Paperless groups."paperless.access" = {}; systems.oauth2.paperless = { diff --git a/hosts/ward/guests/netbird.nix b/hosts/ward/guests/netbird.nix new file mode 100644 index 0000000..f36fa68 --- /dev/null +++ b/hosts/ward/guests/netbird.nix 
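Review bot: In hosts/ward/guests/kanidm.nix the new `systems.oauth2.netbird` client sets `enableLocalhostRedirects = true;` and `enableLegacyCrypto = true;` without saying why, while the immich entry directly above documents each relaxation with an `# XXX` comment. Both settings loosen the client (loopback redirect targets are accepted, and tokens may be signed with RS256 instead of ES256), so the reason should be recorded where the next maintainer will see it and can remove the setting once it is no longer needed. Suggest comments along the lines of `# XXX: netbird CLI login uses a localhost redirect` and `# XXX: netbird expects RS256-signed tokens, so legacy crypto is required`, adjusted to the actual reasons.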
@@ -0,0 +1,134 @@
+{
+ config,
+ lib,
+ nodes,
+ ...
+}: let
+ sentinelCfg = nodes.sentinel.config;
+ netbirdDomain = "netbird.${config.repo.secrets.global.domains.me}";
+in {
+ wireguard.proxy-sentinel = {
+ client.via = "sentinel";
+ firewallRuleForNode.sentinel.allowedTCPPorts = [3000 3001];
+ };
+
+ # Mirror the original coturn password
+ age.secrets.coturn-password-netbird = {
+ inherit (sentinelCfg.age.secrets.coturn-password-netbird) rekeyFile;
+ };
+
+ age.secrets.coturn-secret = {
+ generator.script = "alnum";
+ };
+
+ age.secrets.netbird-data-store-encryption-key = {
+ generator.script = {pkgs, ...}: ''
+ ${lib.getExe pkgs.openssl} rand -base64 32
+ '';
+ };
+
+ environment.persistence."/persist".directories = [
+ {
+ directory = "/var/lib/netbird-mgmt";
+ mode = "640";
+ user = "netbird";
+ group = "netbird";
+ }
+ ];
+
+ services.netbird = {
+ server = {
+ enable = true;
+ domain = netbirdDomain;
+
+ dashboard.settings.AUTH_AUTHORITY = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/netbird";
+
+ management = {
+ port = 3000;
+ dnsDomain = "internal.${config.repo.secrets.global.domains.me}";
+ singleAccountModeDomain = "home.lan";
+ oidcConfigEndpoint = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/netbird/.well-known/openid-configuration";
+ turnDomain = sentinelCfg.networking.providedDomains.coturn;
+ turnPort = sentinelCfg.services.coturn.tls-listening-port;
+ settings = {
+ TURNConfig = {
+ Secret._secret = config.age.secrets.coturn-secret.path;
+ Turns = [
+ {
+ Proto = "udp";
+ URI = "turn:${config.services.netbird.server.management.turnDomain}:${builtins.toString config.services.netbird.server.management.turnPort}";
+ Username = "netbird";
+ Password._secret = config.age.secrets.coturn-password-netbird.path;
+ }
+ ];
+ };
+ DataStoreEncryptionKey._secret = config.age.secrets.netbird-data-store-encryption-key.path;
+ };
+ };
+ };
+ };
+
+ nodes.sentinel = {
+ networking.providedDomains.netbird = netbirdDomain;
+
+ services.nginx = {
+ upstreams.netbird = {
+ servers."${config.wireguard.proxy-sentinel.ipv4}:80" = {};
+ extraConfig = ''
+ zone netbird 64k;
+ keepalive 5;
+ '';
+ };
+ upstreams.netbird-mgmt = {
+ servers."${config.wireguard.proxy-sentinel.ipv4}:3000" = {};
+ extraConfig = ''
+ zone netbird 64k;
+ keepalive 5;
+ '';
+ };
+ upstreams.netbird-signal = {
+ servers."${config.wireguard.proxy-sentinel.ipv4}:3001" = {};
+ extraConfig = ''
+ zone netbird 64k;
+ keepalive 5;
+ '';
+ };
+ virtualHosts.${netbirdDomain} = {
+ forceSSL = true;
+ useACMEWildcardHost = true;
+ locations = {
+ "/" = {
+ root = config.services.netbird.server.dashboard.finalDrv;
+ tryFiles = "$uri $uri.html $uri/ =404";
+ X-Frame-Options = "SAMEORIGIN";
+ };
+
+ "/signalexchange.SignalExchange/".extraConfig = ''
+ grpc_pass grpc://netbird-signal;
+ grpc_read_timeout 1d;
+ grpc_send_timeout 1d;
+ grpc_socket_keepalive on;
+ '';
+
+ "/api".proxyPass = "http://netbird-mgmt";
+
+ "/management.ManagementService/".extraConfig = ''
+ grpc_pass grpc://netbird-mgmt;
+ grpc_read_timeout 1d;
+ grpc_send_timeout 1d;
+ grpc_socket_keepalive on;
+ '';
+ };
+
+ extraConfig = ''
+ client_max_body_size 500M ;
+ client_header_timeout 1d;
+ client_body_timeout 1d;
+ '';
+ };
+ };
+ };
+
+ systemd.services.netbird-signal.serviceConfig.RestartSec = "60"; # Retry every minute
+ systemd.services.netbird-management.serviceConfig.RestartSec = "60"; # Retry every minute
+}
diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix
index 27dc583..259a854 100644
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
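Review bot: In hosts/ward/guests/netbird.nix the persisted state directory is declared with `mode = "640"`, which on a directory leaves no search (x) bit, so even the `netbird` owner could not traverse `/var/lib/netbird-mgmt` unless something else corrects the mode later; `mode = "0750";` (or `"0700"`) is presumably what was meant. Separately, `TURNConfig.Secret` points at `coturn-secret`, which is generated only on this guest and never reaches coturn (coturn.nix uses `lt-cred-mech` with a static `user=` line), so all peers authenticate with the one long-term password; if time-limited TURN credentials are intended the same secret has to be configured on the coturn side, otherwise a comment marking the value as unused would prevent a false sense of rotation. The vhost-wide `client_header_timeout 1d;` and `client_body_timeout 1d;` also let any unauthenticated connection be held open for a day on every location, dashboard and `/api` included; moving the long timeouts into the two gRPC locations would limit that exposure.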
@@ -110,9 +110,29 @@ in { late = true; # Only accept after any rejects have been processed verdict = "accept"; }; + + #masquerade-vpn = { + # from = ["wg-home"]; + # to = ["lan"]; + # masquerade = true; + #}; + + #outbound-vpn = { + # from = ["wg-home"]; + # to = ["lan"]; + # late = true; # Only accept after any rejects have been processed + # verdict = "accept"; + #}; }; }; # Allow accessing influx wireguard.proxy-sentinel.client.via = "sentinel"; + + #wireguard.home.server = { + # host = todo # config.networking.fqdn; + # port = 51192; + # reservedAddresses = ["10.10.0.1/24" "fd00:10::/120"]; + # openFirewall = true; + #}; } diff --git a/hosts/ward/secrets/netbird/host.pub b/hosts/ward/secrets/netbird/host.pub new file mode 100644 index 0000000..3f2ed92 --- /dev/null +++ b/hosts/ward/secrets/netbird/host.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJt2DE0HJjmePYjuZVRcsb0/SfoHSmm06T4ayzIgxUOp diff --git a/modules/config/nftables.nix b/modules/config/nftables.nix index 0d0544e..450551f 100644 --- a/modules/config/nftables.nix +++ b/modules/config/nftables.nix @@ -48,7 +48,9 @@ inherit (config.networking.firewall) allowedTCPPorts + allowedTCPPortRanges allowedUDPPorts + allowedUDPPortRanges ; }; }; diff --git a/modules/kanidm.nix b/modules/kanidm.nix index 1d1e767..16d92f9 100644 --- a/modules/kanidm.nix +++ b/modules/kanidm.nix @@ -450,6 +450,12 @@ in { options = { present = mkPresentOption "oauth2 resource server"; + public = mkOption { + description = "Whether this is a public client (enforces PKCE, doesn't use a basic secret)"; + type = types.bool; + default = false; + }; + displayName = mkOption { description = "Display name"; type = types.str; 
@@ -479,10 +485,23 @@ in { default = null; }; + enableLocalhostRedirects = mkOption { + description = "Allow localhost redirects. Only for public clients."; + type = types.bool; + default = false; + }; + + enableLegacyCrypto = mkOption { + description = "Enable legacy crypto on this client. Allows JWT signing algorthms like RS256."; + type = types.bool; + default = false; + }; + allowInsecureClientDisablePkce = mkOption { description = '' Disable PKCE on this oauth2 resource server to work around insecure clients that may not support it. You should request the client to enable PKCE! + Only for non-public clients. ''; type = types.bool; default = false; @@ -681,6 +700,21 @@ in { assertion = (cfg.provision.enable && cfg.enableServer) -> any (xs: xs != []) (attrValues claimCfg.valuesByGroup); message = "services.kanidm.provision.systems.oauth2.${oauth2}.claimMaps.${claim} does not specify any values for any group"; } + # Public clients cannot define a basic secret + { + assertion = (cfg.provision.enable && cfg.enableServer && oauth2Cfg.public) -> oauth2Cfg.basicSecretFile == null; + message = "services.kanidm.provision.systems.oauth2.${oauth2} is a public client and thus cannot specify a basic secret"; + } + # Public clients cannot disable PKCE + { + assertion = (cfg.provision.enable && cfg.enableServer && oauth2Cfg.public) -> !oauth2Cfg.allowInsecureClientDisablePkce; + message = "services.kanidm.provision.systems.oauth2.${oauth2} is a public client and thus cannot disable PKCE"; + } + # Non-public clients cannot enable localhost redirects + { + assertion = (cfg.provision.enable && cfg.enableServer && !oauth2Cfg.public) -> !oauth2Cfg.enableLocalhostRedirects; + message = "services.kanidm.provision.systems.oauth2.${oauth2} is a non-public client and thus cannot enable localhost redirects"; + } ])) )); diff --git a/pkgs/kanidm-provision.nix b/pkgs/kanidm-provision.nix index 9b8bf01..b076dbb 100644 --- a/pkgs/kanidm-provision.nix +++ b/pkgs/kanidm-provision.nix 
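Review bot: The `enableLegacyCrypto` description in modules/kanidm.nix misspells "algorithms" as `algorthms`, and it does not tell the operator that the option weakens the client, which is what someone reading the generated option docs needs to know. Suggest `description = "Enable legacy crypto on this client. Allows weaker JWT signing algorithms like RS256; only set this for clients that cannot validate ES256.";`. The neighbouring `allowInsecureClientDisablePkce` option already carries that kind of warning in its text, so this keeps the two consistent.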
@@ -5,16 +5,16 @@ }: rustPlatform.buildRustPackage rec { pname = "kanidm-provision"; - version = "1.0.1"; + version = "1.1.0"; src = fetchFromGitHub { owner = "oddlama"; repo = "kanidm-provision"; rev = "v${version}"; - hash = "sha256-tSr2I7bGEwJoC5C7BOmru2oh9ta04WVTz449KePYSK4="; + hash = "sha256-pFOFFKh3la/sZGXj+pAM8x4SMeffvvbOvTjPeHS1XPU="; }; - cargoHash = "sha256-LRPpAIH+pXThS+HJ63kVbxMMoBgsky1nf99RWarX7/0="; + cargoHash = "sha256-oiKlKIL23xH67tCDbny9Gj97JQQm4mYt0IHXB5hzJ/A="; meta = with lib; { description = "A small utility to help with kanidm provisioning"; diff --git a/secrets/generated/sentinel/coturn-password-netbird.age b/secrets/generated/sentinel/coturn-password-netbird.age new file mode 100644 index 0000000..14e0070 --- /dev/null +++ b/secrets/generated/sentinel/coturn-password-netbird.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> X25519 BX1TzWJvYYuXIc5jazmoefCDOrWYCc6vtQHqiidFK0k +KguZPOuk4LKDPogJ40mXA8okdLgG9PAx5fqYW2gkqwQ +-> piv-p256 xqSe8Q A58MztEJBOwOK0pPa7WngTGynn0I+VUFrCtibSKSwOep +sVyAneNoMlRnIPR502xrnFeQyI36GpzxqTRhjOpfU7w +-> YS-grease +WMxsZrN//DXWbO+03CQwRqPKXdeV844codU +--- BrgOOiY9Crg771rp77VQ0i3tM770D6CjGknWYRgoIfk +zXN,1 ?v(oծ +|vF9ޙ޻m"dя?9? +Jn7Q-gQ^\fQ \ No newline at end of file 
diff --git a/secrets/generated/sentinel/loki-basic-auth-hashes.age b/secrets/generated/sentinel/loki-basic-auth-hashes.age index e72f442f59c478a21317305f234a68b698687033..08e1a85c8741d3696bddc06d79a035d9f1c133f0 100644 GIT binary patch delta 2485 zcmV;m2}<^(6T1_TAb&P1VnxEeS4MGZPj`A!aAYw> zD>PQ$lHZF-dwh;B0GFQn*cnyza8EwH7`#9M=ntvYM^hoWrlCD2h?!13=`S8&w zwe|^BAn=$;$Opy^R255R&7YW+O`-5Jl{GU#|AQj$?BXQ+aIXfRDCs*3s~S4SHAOG) zYEfMFpUbAVorHHr&otwv?PYqd-4?D6)+*D?_OonHK{~KU7@m;FVFyQHzi)o{k^o*LeWQk&;N}*TFs%TE!=`48*cu21S@S*- zt(oT!7g1%(Lf;6uLVGt6fs=e;%*`@nP`+z+kg7MX`NzOavhRf@l_Oq?umb8O^i&vV zpdP5_nFydn!L4{9<)U!EMckO;hB~d|=(v1?wSVLw!ZVxWH35(k{Y2T_Hv{FqD14F z)_*9ANmz|}-)*`SYMr3!gIM$O6NT#MST4Y;C;qsyUgs&-xGZs5l zE=Zm-m)$nQ-y5ktxNi^|+unQCAWT5KSbfjz&b^t~RE??15NtU(E;;JSuBu942~pSD zV;fRU`0{krpc}2Kz6<^a*qo;KQ*Nkyg{b&7|L$hr?U|_qt>dlDw;FZy$-`NU-VjpGG?0B*Ms3Qu<;+H7 z$?ngyxMe^LY{`j)EXvx0Nq^7%pMM1JKkrd7R?lCnuxo7?j*Yi^ykd)l? z=7ao}asaf6Qs+viD0WO{X++fayI5n5lNzgcs5JJkAja-6(Hyv2-NvhP;Q{gQ>oU5u zhK?d=IcGuO+ZvjrWD$+CNnTWq6CIN9Pscar1nEvZ&J!SBwGeH13V+9ZLx1W-$GABF z*()6nvvZ_I4@sZs7M?MLyux_QZI;UCOzbZYG$qPaePE+r4ZFV3$fzs?QHyuM1UpfE z>&^ZPwz6pQA1%mb0(mpBG~3UJPgjj!E+KpHT`Aw&yaP+bqv0W5p?4r69L|9?f&egG zDwOk@Gx5B@Q8_*l<5%?&^M9I3ySDF{DpooAAphjQNbg$;!FGd#EjER6zcc2hjqM{#eu!9(=gYIh*!f`)wA8OsRI0t$$k{U!T_0dgGI4 zVyC3iyeqZb61+jBe}6{3`11J8X|nJAtqG*q;Q4+0eXnV@-G_t+?@ikhR?7Nns%0bF zQBHcpqQqHir}vb{9tCMB5%+JQ1mvFu4E&0HyQWHJsFi1IP6PiDYFlf<@Z2HYL03h5 zWufuEa2557Bi^qQ%71a25bE%Qid5$D1#jEYbsDvEG8KSGmi7SNdPdRT5VT?=Y|XKh zQve>QQ5*0e+goRwbTMs7CN$ z*x|4>(G@Z^zz*z9w#b7P=uQqA$<73&EN;jOc&QE9$$Mb7Hh=7#e8_3-+?zdD6m_FX z3eHz4+yNs;eC^Ob40a67vRdut^t??$mSllw2uVO)3|iX|XyT?E!p|wHW~70F7HTXR zlXf3P-6)>+E?tB(t7X19CFlGtrvm(;@c8HFKr!gxkszmK#%BYnem^Ur8 z2h`~E&kZ|urGLgv`D)$#XJ^?8(Po3EifRQJB;F=&O%74`!5&_JxbA~-KNffsx%l@;p zkDe5|s!e!mB4_gB>K~sjmc=}GAU}I4E9Bz&-RUq25lh!PAL1DZQ0cTIM$OX`_%(%g zDH6Mq>Dc=TiJVQx9*u~S>ADa5uY)O$A73lt{nS1~(Nh#J8EVBe$a1}rxA;vSiioJ{ z(ZAZS(tr8GNI_uMVv#nt62@uW#E$YxrOo3iLwzZ{)hV$VFN9N-f3518*^x~maP1%$ 
z+Z|t5-5hJpU0diOaKjzE?qo4YpyWfsU<{J$?O+;(* z)9r9ZcNRLQn$;nvPs}~^8uI?FDfw)!5=}fjtA8`H`bq)|rPn$m=WqQ<$VE0IJP71s zTEpj)E7zvc+6FPF?1jxUveOcvgJlufAJw)O9_ki;pwiRPhbK>&Znqen(9OvBau*95 zG;*e)IRK)akkFtNHcV7TWRd(xQ5v9$mr~crK!@xAE-hlfU;IJkevA2u46wh&EZ!KQ z(=Gpc$YBG0~n76^NJAvez12MFG9JvL~U-`i=M7uaH%4>A!igzkhhO2-d|j delta 2461 zcmV;O31arU6QdK5Ab(X(aAr+xIcZI5cWq2$Xks->W<_Z*acD<+aZ5pUX-juOYeO$q zT30hwO$uXgF)MC3I74t#ZdfulMl?!8QDbj!MnP0*H919CSu}1+Wi>@tY%x_&FbXX` zAaH4REpRe5HXwL$Q)M_&AVG9dd232EdR9erZcs8*R$^IeFMo15P%AWSVRLsgc5rA( zFLg{*dU|waG(-wcV?$JUFIj1BVn}2+M@4CNW?Do|S~zk!WotuIYE5-`K{RqvHf=Iz zNks}RJ|I?ZF<>|?XL4m>b7deTCu$%pSy_DwP+C$iWHU@bOfXt`NNG_uL33p=O;l-c zY;`eaSw}=SHh*$cRd9DpS9mutP(&|!Mo2YPZ8dOCXH#WUcXUrNX9_`3Hg_{KZ&`Rb zYjI^%WkO_SO>H!AO;|HkO$se7Eg&~9SuZtZd1y~EGjwcbVR>dzY)^M}cW88UYB@qq zPI^aWXKhz*ba`}PMG6cIt4r{ttXD)iWsTQRmwDzs+<(?Lo&s;Fl(T}^aV|wGMBDE) zZ@vF2iv$`5jI47swtOgzfuMS2jN3aquhHrJdbTvD%nVn$m1a*$&wkC!P>C~>~^2biz(#2oRwpdC<6Q~sLg5$vkvdM{<6k4qA=HPx(RWXqIwPI$hGW| zxuX4|aI_3G6eRd10Fx!MR`Xo? zf{&>+5y^n~BOQLX=dhCv9Q8d8>X*JCZs~;hY2T@dMRW_o{KO$WJH~j!D_3mtuxYhq zkpY{tU}Q4m9tGl%!e{VDyK+MyMmpq6qlA%YyoHapkKgrT>h=(qFVv%n*{nn{v49dm zD}Pl>B&ex0u96TMfOc-}#KaY&YXY0=MR^)oc_;8V{JYnG{(tes#R89FAIN5h(u4xI z8ul^(rUXu%@cYEEQelJT$j#J%ms%pM0KD{^h;HrF_RVm*6b%+jww|B z&N%xoxz-+d+*iKZ_4$p?Rb!Ari0ZJd)_*_vKevKZ5bWlN1pR_Y6Y#I?cMFmL16^a3 zq}%LVXXWWCb&mJR2}-hPvJ$dsr`Ue)7klF7{-XdFvh^fWPS>%;(jd6|&-_t-#*nc57 z4&M^IPZT;x?R4ZZ1<_EO?neJM7wJ&je&&Ulo8sgmax8YQ<`*A_Tab~^c&8^Ypp3z$ z0SKACB|p5mR3PeUqMlIs9&~#h&aXu)ts#<kdtwHo{5Jg$Dqw7%^ z>RG2APxRik5`3lfW4AXTlP7X5M1MhipFJe_jpxiJZ-KH4z>rKOt+Ku%1~WnGQzue0 zj==o_O1?kb7D})ULq^7C(~X`9WP&cP$co1@=OEKIGTFk-gC%hD1HzF%hEq_2|6GMg ztFdtKjRD)tyPQcJvD4e0g7jEU*M^C;evKWQXL!a9z~`Cnj+{*y>I~oPu^5jP1omA=GKAx5>keDh z@IQPNaKu&Je|)q(-J7wXi7_j2RMKeTiA+zPFO}8{=~aR)dvjAeNhc^^1E9IOttOCJ zpBDsHPvt;u53R~LJ%1W|Vs>=)^O{2k3toje+Wa@v_qExdR*jEp{AHheKx+)b*1ByW zMwES7<9(~?;^TEHDeAbewh+J(#AJTi*vHjU^r$nR^V^apcY6g97u*sHcBxjKc%8Q7 zQPzsQo3W59u76n)t^))^?fXb{f`v(8&f+&q 
zD2%?J0HP+WMhtsWK@-L_S&f`}!pt-jkD{NGV(kKwb3F1*Q_&*oYimj4HUVTdy>=VV z&18{~R$btj2}&NrwvZ#dZS(zM0p+w#rPu&L{w32XuDc-HoP>1upSo55UZRfC3Uo4> z%|s=(@PFq8p$IDa4Nu<)OM_eSqZlYawUY;y&f%?yy6d-R>J`5iY)0&tG!^L_I9hM> zbQfq1` z6RH&cT*@ X25519 pc+s+uniKbP/sMiud4xtJ9x6UMBaIdBO0iHBeznb6VI +/baQ9J0Qcpr9sZD6LWguy7lcAcgFHq0fPSsCBkkDoKY +-> piv-p256 xqSe8Q Ay2WPFU0XrukDvFIe0+ZiGm+5m5oJTzktnZ+7L3l4/G5 +5/CGoggDIARr02H0sUX3/HJ6PEoQMLJuhACF2MEdRts +-> T/-grease =Cr4 B ,R1u(? +is0bg8583EfFjiM8b+737Wm6+J4 +--- +R5bojMEBENAYEEy++5iMdhEyKCr8rCPOIOiHRa4Wls +79 p.d"go:94~(ٸQ*jCD8> evSLE#+ \ No newline at end of file diff --git a/secrets/generated/ward-netbird/netbird-data-store-encryption-key.age b/secrets/generated/ward-netbird/netbird-data-store-encryption-key.age new file mode 100644 index 0000000000000000000000000000000000000000..fa97b65ed0338f04d0901463cf53af971f7e849f GIT binary patch literal 428 zcmWm7J#Um?007_)CMFD~?oG` ziHRmRxcCoD92yrp+eM9oiL<+lgSxnwK7ZixVSoqmakffNqa@x-G6)I+!4FWEq$r|; zavl`RA+NS_sgsRL1*W#!X9-1417VU<1mUaJz{+clFp(Cl(`hLJflEc&AwfLuo#uAG znk6h9Fp|W_ijUPgEuBnnhcqhil%#01S`31=iL%omGM32@Q|UpS+bcb&{JM7J#@HOU zbGn{*iXdwl=4co|)D}}d*4)UMkl{#OWX(g~2Wgiu6UHRwA{T}d1V($wSkmpa-)T}f z%mP0T(1%A6i|!qWNJyIiQbIAau*GpApD6wU2s&NM%#bp8Iqcb$Om-V8Cl|>`OGr>6 zIF6(9qSe*<9@}Is)^CKX-YlC X25519 qeT9jfLCM7cn3uu9z44fa54bAQgjdK+l/uvIG5al924 +Py1wATeO86kvUJzY6MFzl2vTXSvyM93ZrTBjxrMrxBg +-> piv-p256 xqSe8Q A8ojuCdRG5nViw0SS133NIk7/h0hWbjDYeJiO5LtxkS8 +jQUqyqhIbeUGqyrLOBJBYwCg9ucyumzjT4c/BsrVjLU +-> {Z-grease jeRAOL 7:2"CZ u={2< 2|0e$Sqx +Z9ZtNsDOP2sj5nmBgAfDGSEJVQ6jO/ikZuyZXOklhsWa3o1hvgXWL43S3ThRN3+t +dsQyP7yVZ1J54/mMURTJc9pPyTqSsvoQ9/MP9VkfIhp6ZBoeQGa34UCppzX1xfo +--- JFa18D2SE3VwuLEMvNpiiR9YY5NZBUVTxzNZcTSfFHI +x{!ΝD(UunM[P7;.K#Ⱦ`ڝx $<s*GH,- +ydATs \ No newline at end of file 
diff --git a/secrets/generated/ward-netbird/telegraf-influxdb-token.age b/secrets/generated/ward-netbird/telegraf-influxdb-token.age new file mode 100644 index 0000000000000000000000000000000000000000..7abc3c26ec1f9bc9c78314b3e18263d1815fa75e GIT binary patch literal 405 zcmWm7O>5I&003amIk@8vW15R7jx0%&G>HcxY17g+G0j)oHwQ=iHp$YhX};Qg{Db|0 z4FnH@;K~jj%1+Lc(0LJh^ic2@D2TfbWX~UXhMt2t0gQ_<^=HB1EcWmPiD0kML4{#R z9)(I#SbnODJYM#pMhLo+vLcnY`H7#NE!&E}jvH>vT| zBqzF@>*F`TrXnG zi=AQOpso}haVS7=G4E!uqc&Y!)Kp4x>YbT%(n(nj!7vQ1C~8mcHo1Y@YS}ObjZ*>! zR7CfI0HNI*CHg{>dX6WV3i9Nub+f5&`Sa)Wzs1gK+x`CI<^DzO6}Y*6x=hi{#}8-S w^?N#y_x^;-U&6|I_qq1_?s9v(H~YC>9|?oqzgM3I+_OiUFSp+w- literal 0 HcmV?d00001 
diff --git a/secrets/global.nix.age b/secrets/global.nix.age index ccb88262d55217b18f471bc85133906b2d2fe16f..693d35bf1627dcfb998368272564ee55eb91c4e7 100644 GIT binary patch delta 2507 zcmV;+2{iVi6VVfpAb)x}Oh#-kcS})pMoD&BR4_s?H%oL>XIW4|Z%9gILQghNaa1>Y zdU{kba|%TR_FQFl0Yc64uVK?*HC zAaH4REpRe5HXwL$Q)M_&AVD!oT3RqSR7gZtc|mkcP)s&iHh(g9HB@;tW>hhESZ!rk zZ&E^KO=>wrY+(vdZZJb)Nla8(ZB9pFb53VYL_u$JH+FMUG-yItMl)`1Ms6!FO-(RD zSxE{lJ|H=LRa7rNWi~Bma%Ew2WeP82O*mChOhHC+Mld-wXjd{yZBlnmRAVr6YD#)| zH+XnXGe>SrRex1*R5?gAPBu_wRCP#tV{N<%AXXisV}FhNZ)cyeuJ zb#^c_dNOZw3N0-yAY(N&LU>U$FH&|_d3R4jMNu+nZdO@ZD?~+Cbz*onN>NHfFEuen zRZ(tl3VG2V*H;OT6M*<3o0hucV1fRz22(4T781A$nSX8MrfB@{*Pmv(Vq(d33eSFE z?fP4~rz;d!>Nn(4OVr=eMdPPnshb7QmHV(dIZG7tMbF6HBtF(b)rdXJ17qNcaAyP8 z;lOxdI_)Dt?&jRFKa;MC0ql3}v=$`>x**cKlx=;*=xYhxLy4S&J@eP5wgpPOos1h=B`wOX4HO3%wH66ngJ$Y5;yJ5 zzqI!!f<$hCrqU%$;k%%T6d-AQu(3x#DzdDPIq9@JQxT88qHTmZZ9Eimf(rL0BJ~=3 zxCDxG*o+*6?lL?L4Sbm&uP%>A1#*eYsE_XX5=M{ z`agiIJQxT)FwvxAI1jo-CZ6~Kj|+g3)v1ZLC<6o8U~!bU%oFX39+aOODtfhszso~9 zm&>Zj90Q(0)PZM|Ir3+za$H72q;X_c)ga`%aB}yAS>UbVDZ+AASv5A2(lBq2^%QCO z5`Udctf++jKFMMRBXwPT;Z&~Cu?dqk{Wo-V)Fg|wMt|9a7_Z$06UMF4^5yEu_|YVi z5~&`^y;HQruLNt6+ta)3=Xkf z4fMr}fell;ixtDSP0qDSWGTQIR(!E z>=~x&L9P7Lr_!8+1?A|`V*UTB;jByKUBlVC^ag)o4J22t%pUQyDfM;#*&fX5Sbqim zQnDHLTH5ii`?KrtjG_&%H}b+moo6326#`$esAb@ArK_00(l^*;%ISj(H&MLNL@k45 z^>HpgdDAwkDkB{E5j)-Q zNt#7j6KJ=~x1>1tj2kQFChmC{bK)A--OBA&{|06Yop^EtAFH~i$KM$c@_!FHRVURQ z^hiXR`T=lfiYZ!lutrgHU6NMhC-z+in6qC2w6W-vv1p3wqiTg=_?aeokoi6 zZo{qWCZU~!kS1cWht}_Os2+%SHfiJKdfBQ|)%u{Nj+)?Djgf=(s=}g8b24^poJ(m` zX(HLiEr1Z&8L+g?mJ2huAb-*&zow;jaza1jY*lkFR1hAiC57on+WfgKbyvPQuiWl+ z>m$rvkDsYF38k!>@}3KPtZ60JEQv1#8QgMVy94QdTB1XV)q%ncAW=k;`@e{lw9~O= z#~HF%YV#q(TTTI8YQ9kMnk3s&9OaQXxPTtLc2X6Qcwv8(cxSg>piQTSXt~<0JVBIEc=M!dopKl(OijX-c^o8 zMGFwBcpaQpcl+z3@<^jveu8*oo|k=slbr>Ys&Dq+dH#kx;AKSY4`@JOI_-JttVWkk z8w-^vmfYYs5+b$(fPWrGxWgtMAm9Jltr#4@5JPE-xSB-0Y-%s%#3M;gjkW8*OJByeV+AkwMC>8?lpg_GWi_1TnPYLXbrUyc{n3SKX{FRS z$f*Yh$+}Rep?^V8?Js&8>>YGYIGx6hEs4pq{dgj0Ip 
zZZg&`$2(+l^WROj=f`9ZRz+H4GopuvU

u?{`=Tn4% zBJ;kW!(`Q-&C+H#$hd~w-0W`PVnz9*?}43s)KMm&HjDD9VE5xiA@aqR$pYkuy)6X# zBx}Ssxyp=mAkcn8rPdl}j7XX5ZH)l3W9B0b3tz6n)e%pZ;#e#RI93MUd#9A?XGv*{ zWJDrV%o1sy8DaA`B$m!3Pe+2V%RO|OFD%UOLABiI%J@%C1W<7E57&?EV1MgPXQfVM V{Tz>DpUsv8)wKG>97hcFCsOS>t$Y9g delta 2460 zcmV;N31jxr6QUE4Ab&$MSxjk1GjLEdF)?IST2XX0MR!P9FEvh6X+bMRN@H4gP(){C zYBexxSqe;3D|2EpzZfSQ#VPrL0Sw&iS zPj?C}J|HeJI&MK`NiAn`Wnpt=AW>IrSY=&SAShrUUNlrcBnnz~YD7dbQe;|ccQs>A zFmg0#PGc`kXMas~F;HYfQbu=oZ%siqF=tpsR8v)Gc4bR)H)jehEiE8qR8?q0Wny-5 zL}+nnPgX{5W-nw>R&Q)(G*VGWLMt{*N>q4fZge?eTYrZudxi|yX;q5obQUo0SwmdI zTW~Z+AusW+pWeiZgIYNox;E80DWz`Im5LA}toD_^%K*ac)sncKs=wla$g92?rCC9o z-YMBc(m0Wy43__BqIsVbaZ&zTr1+|ddab|1nq{@<(@?!C7`JCQhe85 z!q^||98|V--kbD4;~geBbw@!?#I~nBb0F)9aoQbbXSjLunjATBgIh5SyMwhEOHH^B zfJ7=$0z1cKG(~|3m1462ShLQ{)i;MSQQ~l}yMI$EX?UU>hQ1yAFU45k5sh&yI(%e* z=pqg65md^?#j!fjc=%V zfNK1KbW^5xgDy^pmYr-$7qXk!I%pDOA(2+YN(l7E&IkCQP2@#y$ndobbXfQ%{*nb% ze1CZ$NsSM^9vwoeRuq-3kgHd;B`~|=NPr+@WOm13rJ@k!uiOZ7uAo1skluS`TLn*o z<@0+f#BMv6_kz{pe_5xxFT9?LvPIOkT+4S12xG7cQVEipWF%3&kGhq8uHG}$BnqMs zg%)X%LAdeh)0e$RzTE!FFg&ZjUD&Du*tWPH$h`yQ z4UNHPao^xm@ZMuMWSd9%!6BUwgW#rRzft!H(66N(!(^?b&*sj8PYse4t3+DOYO)vC z=_tp+nD_;*L&Kr`e1+;fpr9_t1Kp@fS)bHTZk4m@7gk;MUb!ehwYsr72wV-2(SN&7 ztjX2F#?9#ddS!$Zt!;NSu$P^d%~AgxuP*P&hV;zQinajB3N*zIzB2MeuZ!w$JK{rI zSNdtU`NUSdXC2Yo`v9e#n3SM1Zoz1tbz*REq#{t&Dm-0~g<5)Y%Dt}$XH=XdwnD*A zSS8UL*P<5ihqs(Qu!_KB+qetKo_{zbfJJ>hoMkC$99YGGBYg+h(7>^stEu~8t7d<; zi(zF(?Zj9iF07@8s__(`g`>P-eNxNrHae|e3orkHx@6(WPt1!#6-^J2wTZW!TW)}Y z>Ja9h|M1Ze3p{S=4|L_mb@RwWq@{8}uD2$r38GbJUW=gn`F)gP0G&sp(Iz%*)lHXk zR}Do@?B-1>qGWf(h1p~+;~#F!%g(i^OHNT*__BW_mqwT8R(y7P>3?cf&l3_h6M7pVzlE(oK z>n_bwb~%Bh$A49)QQp0h{X|IiP*3L?p5@8ut%%bjvi*upD>SxUI9M0UC#}h9F=7gqGd|LDgTUbb6WI~(UZst2%-k^b^!E1%Bx3tZQM>nuOsKkMVPujfAzI+uS*T(WakuFiE}J*k4p5aQy6NOI%ikAJD3yH$mA3?~h4W$u8Rt{<>8#mc(AlEYtCop*~V41gXO)zR)2=h0^y}PWog+H8#G{aw7A9v zHX~(@a6S)q&YAfm)f2gzXY~=Xj^@-NWT{<|Ro+wrjUC#6&VT&?zL86&G9E~I59d0$ zc+u}jr|*va0h~5cvzWTU-uj0ie2I6E=SkR{`}N^|Mv7$qLZ|=bH$X5esC>ci$rLJBj4Fa#hIw9{m;euT2_S 
ssh-ed25519 yV7lcA YulN0/x6Gm6SCXABynVcm2EmCKtvS8Qd9mfvJdWBHhY +clZ+rznQkfQGnPpM2H2FaPCjg+Tou6wkvXo0SEO0QUk +-> lSt!-grease n/_ lnzq>4 WHRbZ78. C +C3jB9dLLqtVQOaL7tusyOvrAAxsfjHbYvUtz1XgSQYfLySmfyhVxNz2TYG2biWkE +xnhyT65BjhSlKRCGN5ABKmUtjYQ +--- i9Wkqqpnbnye7ndRxxXbZaVhC5x8qTldieLbzx9h5vE +"A<(!z )_"Ncn5iJ/YȾwK;y$IvR< \ No newline at end of file 
diff --git a/secrets/rekeyed/sentinel/3b515237f2eec169c6992aea9e6fe02b-loki-basic-auth-hashes.age b/secrets/rekeyed/sentinel/3b515237f2eec169c6992aea9e6fe02b-loki-basic-auth-hashes.age new file mode 100644 index 0000000000000000000000000000000000000000..db279043b21093d065cfe0b63c71ccea64fd4279 GIT binary patch literal 2498 zcmV;z2|e~J|H74XL4m>b7cy5H*8B! zS~*BDWmj}@Pik{9Gjl>YIAVHmac^riRY^%`M{#CZQZYnfD=}GdHfVWnWH(P?d1OX0 zbVzwPQ)g=mR7){)P*X`|cXUZsWnyGbW^7kQNqJ#$Wj1wZNp(j`WO`96b8Ki!}rHR^?=!2ycm3j^}*dj7rujVWq0jJ)vC zun82XJ&FwAzv#`F;wZ`(8*;Ao4k(j>CfoXswLlxI4cI`<3?`MYzMhRS5EO7;iH`u4 zbGbLrRB6>szXM#rrp7~a-^}&R*r!+e_MB0J<99717QT{MSiy6yX`?Hk2~Ft(T;0G_ z5!Xj@c)>MOnb6KAPaIF0>9sLnTeCM_<*ve?vzRvveUFfTc5tR)JD_T4hoYw;M^re@ z!7zAb;vxlcgUeR)LP)QPog6)nu>k%*8j}M#wiPna;F8y|&_RN$>lx5MtUKRC2h9E! zb*jpJGeb#uxD@nB2dVy^*iC)nzh<03$+KVjyyb8E*k9yV6_Sx5Z=)x$sl-5+dO8ht zy*U=Z0t!eZ4Z2gdIm(aF9lK?uNxu5eHzF}NX6~0ITI7i}35>-`mx(b7*IIV*0k#gb zD&di`QJB5&agDp7mh!jayKpRT`w7n@j|_?I?+K(<{D+>?JiH*s17vAy`4j#3lwmEA zvx%BAzxgt>lZX;Ueer@P!tqMpBQPnCBZSw>3_8>25JypQP%9g)$;2}B@-|yE3fbpy ztB_sVpT@~~u1&LZf);WjzWj3a&4yJv#W@B!qV7a(8(x3KW1;L;*u}JXI*t!Lc^V=n z+Mnm08Z6-q$n@L4TH--Vfb{jVu`#~fiO$Z8OxoMa6rIgr;F@}nov#)s zJ3QVWQIIQ@#}WE6JELu#8LT?rZy( zEfl~#gI%Kc9U)Se7Zb`h3%=$2PK3ouy5xj$%1l<_5bj0mXP0ZL7kU=ynymwt+*~+BbUgjLWe<1Vm69!98KwijM`vwg1BAY3=7*{7-vCQWu z#5B=Aj_H2B!S$`bsTOTa;@DV12mc{>5f|<^9oFU^dL87qJmif@QV&^{wH3mnh1*|O z6f_3~WQygNRbt2G#@DUmsgY%p2UWX@*EqsT^Yz!X8F5Y8vWPZj+L| zycK|FQV%Lwl(KwU5?>S%BOV^}&8L}b$0&ODGWRHTk`)VseOF>=W2(K#E7?vl3ZU*i zA)7lqX5QE@30h9CY_?qivuujJrg9`$0D4&MbRXE*uVjLTO@OuNtHQH1EIR`$q0{N{ zC!k$!o@oIRp8h{JT+aV}+t@L^H$?b{IVcG0L>s&&7lA{6QF%I)+v=6+*op7(&qoTc zI|bG$-v#-qqdYUd6md7x`r}BS;*`^UwIC5a)O~F{%(8!Xdg9RW)4N3V0f_TH52U;H zlei$VyjGTF{non%lSGbDkG^a~@;}=ltg`^=FNH_{3-EGQZa%dR_F~u?cIc86%?BUNCSc64>c<8g&pd;|gn?xt4E>rB^`SI|5YcX;2NaV&;MZl! 
z3~Rsl*{us7Dvjh?R&XWz5=P1$6I6|8nfwP@d=i9xN1 zjQ_!|vUlk7g4PUZr8n~6R%Zzh%APg*Wp*u69;0lj_wB2UTjku(j%14o_!4rG_b99U zGtT*oUqD_3ezFf-5MF)TsDR~|ZR{TSKtGCU`0={I3cewmlPni%qD+gof`BvyY!c*a zL$5E;$Jg5=n84jc!xwJkB0@9hbZL<5TrTbevKoI?UP7A=8p3~ggzDT9Am0~)VX8ej zX`~Ox4uY=XAgK^V4xS(U`}``eRoNgq=n}Lajsto?8Zt=SE!#%Sf*)>SEKKV1DU;Iu zDVR(zhcS=a5T5gTGj?&|4ye-E{rV7%_0FtHGxP?-tE({TbNO_Qyur5>AZAxkJU8Ty zh{HZTXsQ$wod`^zz;`tPaj;ykKh?)UFdW>ch%_Pctx_|2x^OtN{G=-){KAIUWcyzT zF~8jx1A?T|%VpgNeLi9I*7SyGNM#Fp59;=~!Oo_OKHc)MNeMj^fOoo?nsj+Q8sc5^3~o75Vb2KzQM#z3 z3*>*!7QI%?sh`n)@87~Q_v&i!08k+Xs$*ZOQ6`9h61qx;dhU><(s@b!K)x{H99EJ> zu2?c5@QKK_caed2H_?Q6Fx#0$IU7XRpcv~l-iOb|T?jGXTsc;4zy@&R)gRl#MbPKZ zq}=Y#S*80-aN~E#R#IiX-AdVF1jvsX1-k; zV8uydwYWu;+$J90gf4mdSlydjRi_eWunUg>O9Z;yQL9Vh^kCjn_tIu>hKt@VfQF%| MT()MpLV}A?LYTy)(*OVf literal 0 HcmV?d00001 
diff --git a/secrets/rekeyed/sentinel/5bc5d5daad95fcc8f628181d006ba3a6-loki-basic-auth-hashes.age b/secrets/rekeyed/sentinel/5bc5d5daad95fcc8f628181d006ba3a6-loki-basic-auth-hashes.age deleted file mode 100644 index 9c8ec0a03f886d179a1bc3e44543d0897f2c3790..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2367 zcmV-F3BdMYXJsvAZewzJaCB*JZZ2PRUjfRLM0@8Uo{|5QY%JPJ~0YxbazT&ST${OP;)mqS4U86NO^W{Id3ax zH8M*zW^7VxQ+au1Y-CtfLqTP0QEF&YZ9z_BR8mq{cSluBXf{>~V^L~t3N0-yAUSeM za!^)8HCZ@AVPQ&BOl~)MY;tp2aBNF-Idyh%YI>(Fx?n;5QPKxF`g79LfF-4DteyI=d0P3g$TQ@MX>5e zDYdamV8_xxQ5Cm||MdVM$Cu1N?tmXrK7q)tBQSECYsS${<d_#4srCWbLO8!0GVil&TzWM?3K{?HQ5F?J*A zXz9%#`qOScNUovo=GK(h%U7reEWvRL810@=z$q1C5?l*!B298!WW6IkKC0QRGZlng z9Z7?k*{1x6`YmIuw&z-E_sY&3p{Z!aqW>0;WOGY8w1#&j2=lL2X7>B9=IwjbrHTHz(ruF)w zP~WoyQ!>$Lsm+}R5x66873PxVZC0|QjAb#rD(8L5D1JeoJ>#YqX}U7!RpIOqwHtxU zf?u>?>tM7ML{IJ7^QDaCTr4Q>Gc3N9o`e0L=HcPn2rf^3q&1snpotP=OP!uS)$Ml~ zeZ;3Aw0VITbC+DW#X_^=#rf>|9xA-Y6T$szX-k2(X?SIgCkjInKFYV>)nAxeE^}zH zIRrx&q{g}8QloTv=|F@-ckLQcx@9!VaEv1geo2 z4 ssh-ed25519 yV7lcA rInHh7EJiht3x4bSdusTvPZeFc6GAUkUZQGaISa0HDI +p3HcoOg+PcPMdLVpHvn5R28GJ6n/d00EVF1KKMZOsqI +-> :`epM2-grease 0%~=37:k @~ +-.u1/~= +d8uTZyL9nN5Q+tS1YQzoyDxS14GT7+EtISr2LSS+/41aWiaUNsvn1/0PKR4lNBce +vGmoEWERf9yKd6a1h9dlbPaf9jOgEaDjgNyYboYyf0EKQSM +--- sERxxQVPG2gykXJPnD/BHzDZ2m6XqkywufcNLcinwVg +gUc= +ک[qqLXVJo=0А!C3gtYBj|>gܸ!/ \ No newline at end of file diff --git a/secrets/rekeyed/sire-influxdb/9d519a4364a78ed35630ef296bd96439-telegraf-influxdb-token-ward-netbird.age b/secrets/rekeyed/sire-influxdb/9d519a4364a78ed35630ef296bd96439-telegraf-influxdb-token-ward-netbird.age new file mode 100644 index 0000000..57474d7 --- /dev/null +++ b/secrets/rekeyed/sire-influxdb/9d519a4364a78ed35630ef296bd96439-telegraf-influxdb-token-ward-netbird.age 
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 1tdZKQ UEC1qtqm46KIsl/aWeFtVQxPzY3Rb/iVnNYFaNpyShc +le4O/7aTZ1wvwqaZ+TciQQcnFavIqele5FCyNjoPUg0 +-> @-grease +15HI1iKmv/+MRpeT +--- GbgkpPSiqzyooOKtrsj0HGl0gfMMT7d46CrKpwpkVTI +#/yMNj 5ɥBև]HϿ( !=s7qx/YiS4m+>V{BA4a#2rBO-(pRQdtT$MMYz0T4g~? zP)9;qX>2$$N_u5*SZzl*VQ6S*a%*->VM%RGaYtHuXlDv7J|IbJEoX9NVRK~)Z!u?Y zQ#MgqMN(CBF>F{uVnGTmEiE8%N=Qy|ZFw(uV|6roL`8E{bXR6^S6WJCc{fgJT1Z1_ zHcDz?ay2$FOjQaYoa@%bik?Mo5WeI#KsoQm`n+ovWR5M%M=jO<6p-V%d&xx}9(8?F rqE7$_iJ7FGKjIbgr%3Ps@NFqRCTnsbjo)LOiytahY+K7>hPl=O8w+c% literal 0 HcmV?d00001 diff --git a/secrets/rekeyed/ward-netbird/0c9d11833b203faea5536070c92a6459-coturn-password-netbird.age b/secrets/rekeyed/ward-netbird/0c9d11833b203faea5536070c92a6459-coturn-password-netbird.age new file mode 100644 index 0000000000000000000000000000000000000000..8743ef99c3799161bbf290de26802d050b32165a GIT binary patch literal 279 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSP3MlZ)O;-pisWb>R z_bn+m3NOvev&>C1bT6w2atSSRN%xBiEGTpiHE>OZ zFit5qC@c>#HZ@N*^C-#p&h;=3it=?f%5(Hh4h7kk;*zeLUX+?xoXVALZo;LjtE*sU z;T{p?oL}nfQBjl~p`B(Do~Cc)Z0Ho3864%RUFni->0}sXT2h>>ZNkN2t6QHvyDlkp zT6>Va>dS1_S@Uw3B!rnC&P(*^^2_FB2%G(qA%Uk^s4~E)<;$MLiN`b-xwmE%d{7hp b-~02%bAy|+pY`=$nh|0amshyEFXtNoOY~!t literal 0 HcmV?d00001 diff --git a/secrets/rekeyed/ward-netbird/35e674a94d54d8987c32e52de38627ee-wireguard-proxy-sentinel-priv-ward-netbird.age b/secrets/rekeyed/ward-netbird/35e674a94d54d8987c32e52de38627ee-wireguard-proxy-sentinel-priv-ward-netbird.age new file mode 100644 index 0000000..a6527aa --- /dev/null +++ b/secrets/rekeyed/ward-netbird/35e674a94d54d8987c32e52de38627ee-wireguard-proxy-sentinel-priv-ward-netbird.age 
@@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 2PpNmg HR+7l6qXcAXmDXTDI6J2sLwYdEo7/7eOvtbsJELHfQQ +VpCZPyJT4syKsoby/di70g63EUZsGg36mla1jKk5fyw +-> 1-grease T9.Y +2qDDSDI0Yoh83qTVXki1WYPsqdjuR9e2qrNdl6H3mWYAlF5ggjLu+3MbQ2P6ouIP +cFvso0vS56O/SOpPpj5P9El6auY +--- sWPsDspbccjrl+UmGBwI9e959ZoMSkb6kvGcbB+NE4Q +sH1bL/Co3jaȍ701j沃` ^t/s|~{WH%.0}VȲAhEz~ \ No newline at end of file diff --git a/secrets/rekeyed/ward-netbird/aebb2152acff74fc1f4af3b8d5141ee8-netbird-data-store-encryption-key.age b/secrets/rekeyed/ward-netbird/aebb2152acff74fc1f4af3b8d5141ee8-netbird-data-store-encryption-key.age new file mode 100644 index 0000000..eed605b --- /dev/null +++ b/secrets/rekeyed/ward-netbird/aebb2152acff74fc1f4af3b8d5141ee8-netbird-data-store-encryption-key.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 2PpNmg 7/LkMYjajibcu5sLO2inuFhGEVFWmNm7qUnr632xjWk +nlPVfytJZwJPb+yUK65F7FGlx7qr5KZf0amCyNrr59Y +-> yFt7;"Zk-grease o>Bq cB",D: a +FyaoFSVUSuohR/Jx7g +--- eOCUycFPEH0Du123hXxaNyKJYaxSN++TaUB+yTaMtVM +6 +yCstlĩ {0?,|i Gb +"g_1;y'ԗʳL*,A M" \ No newline at end of file diff --git a/secrets/rekeyed/ward-netbird/b538aae13a0d8e017e3834f262ae89c7-promtail-loki-basic-auth-password.age b/secrets/rekeyed/ward-netbird/b538aae13a0d8e017e3834f262ae89c7-promtail-loki-basic-auth-password.age new file mode 100644 index 0000000..037039d --- /dev/null +++ b/secrets/rekeyed/ward-netbird/b538aae13a0d8e017e3834f262ae89c7-promtail-loki-basic-auth-password.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 2PpNmg 2nliLnpdZpUd3hQj9PTbxZAbnVDhhr+BLrQ9YxCeh1k +/8/mZbj6pE0imMg3Rm7sCJ599u45jbRJc+NtGDAiykU +-> c7i-grease s +1aVkJHJXdVXk0R91F3HaCV4p9/yPqrMrAFYpUjvrvp7jVkyr6fwt3xJjTigrHvS4 +bTa42nF3bxkU2u5sfD9Kr55l +--- XzYsO6Vi2ch5tUqKn1JZQ8qXg/e9A6ujd5j189Rufc8 +p{?2Je<Z"}-.vɓߋπEyCw۲L&۶ͬ߷\WP{(+z] \ No newline at end of file 
diff --git a/secrets/rekeyed/ward-netbird/ba98d6bdeb0dffac652fa15dbde10da7-wireguard-proxy-sentinel-psks-sentinel+ward-netbird.age b/secrets/rekeyed/ward-netbird/ba98d6bdeb0dffac652fa15dbde10da7-wireguard-proxy-sentinel-psks-sentinel+ward-netbird.age new file mode 100644 index 0000000000000000000000000000000000000000..d6e5f8f3ac3435b3b0068e76cb9b82a6608059b6 GIT binary patch literal 296 zcmV+@0oVRvXJsvAZewzJaCB*JZZ2bmRb@3)YGrOxPg6{8G72p%Eg(x&Get2%YGX!sRC-H#YjbWdVmWSXIc!yK zK}9x1FIO`|Vlhi=VscDnRSJM^QAnStC;G>lYa!rcB8i%20RYlrZPV2E@7z#J5q}L+ ul7_YqU;!f+zgy$ZE6K`u$yMtJWgXp|P%sU6_!K_p<$L-t$<{oiy?{jYC~Kks literal 0 HcmV?d00001 diff --git a/secrets/rekeyed/ward-netbird/baa6e9c40b40f680bbd2c211a005fa72-telegraf-influxdb-token.age b/secrets/rekeyed/ward-netbird/baa6e9c40b40f680bbd2c211a005fa72-telegraf-influxdb-token.age new file mode 100644 index 0000000000000000000000000000000000000000..8c5cfc1c4622651c1be365a24335f1b78e18e9da GIT binary patch literal 354 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSP3MlZ)O;?DF%rnk$ zE3GIl^YJk#^e8V&@v?MrGW8F1%@6Z2FgEl`c6AKQEA(=zaO5fsu=MhdG$^ew4e}}R z&PXoJk0|s@%&N#RF$gR32o4T6E%VAtObyH`2n5;Yr){UCYHMw+n_iTfSe&Zh=&2r2 zVW_R(o~%%tm!Mf2%~g=?m!D!(T4s>znUZXfXi{F9m7MPqR+f>K<>Tj;pIDxnm17u^ z6%}rhmS*l_mR^!ynH6Xl%B8ETs}Ph?9-(a*k!9@VlU5p@=^s^*8)W90nHW|SUYg?` zT&bVrt!)|QnG|K3%(cr&+C}l+sZ$Qu4s|If8mzs0nC+@yU5L)%FFPuYcbT|{fT1qLDQjXRQ-oB+!pg;?Si-RsMCT_Yq z=x97w<1aWJT-=R=F)=14HZgHA=AJ+BxIV;T0`fZD1)HR~$^BMIBKSRYMllT8McI6^ z;6vD@r&>?v;<}QgjZ4f=Y~a;fn$3J> zk;LlUz_3wYs-r74GTnNUV^G&s!C}4}=IF4pQB5Nr&@N9Os zjW9kOY5j1dgS00Ub!SK=3_a+<{xVkv$m!1)kL>psUN`?e{q^AU+uz?$A3uz>%NO$x z=#R$HyTjj0f0XA}-rSsw9qd`7a|XWLJv6|bC)ciLx6i(LuRb0=eJ!s_+O2qXES{#+)S>;=n zYf$DEl^$4NP-v8)Z{la-n&lJXpJ5b~7HZ;On4X{Q zY@TCL8C2+4R_Y#+;t_0aZdB|GvMW_HQa8OQHL*BVp*k==E<~X=PQ_YDG22T)-$cEj z&e%;MJ(kNQG0{26J=4_@=saCrg%ls(poq}IFz?9BsEYDT6LYg%XD16YkMuJCOh02I zG@nEZu9TAk?(s@i{O3#0B;Gq+r8U#@HBa%Z54*(vxa42H#=z;^s`ZlP u_QzLe%uH4;$u25W+hERZbJy_cvDekr6ITUz&6eDdr2Efy{nHTLo2CH6JdHyD literal 0 HcmV?d00001