feat: add netbird (and coturn)

2025-10-10 23:00:39 +02:00 · 2024-05-15 22:17:21 +02:00 · 2024-05-15 22:17:21 +02:00 · 9daa744334
commit 9daa744334
parent 4f3a379b3f
32 changed files with 372 additions and 5 deletions
--- a/hosts/sentinel/coturn.nix
+++ b/hosts/sentinel/coturn.nix
@ -0,0 +1,81 @@
 {
  config,
  lib,
  pkgs,
  ...
 }: let
  inherit
    (lib)
    getExe
    mkAfter
    mkForce
    ;
  hostDomain = config.repo.secrets.global.domains.me;
  coturnDomain = "coturn.${hostDomain}";
 in {
  age.secrets.coturn-password-netbird = {
    generator.script = "alnum";
    group = "turnserver";
    mode = "440";
  };
  networking.firewall.allowedUDPPorts = [
    config.services.coturn.listening-port
    config.services.coturn.alt-listening-port
    config.services.coturn.tls-listening-port
    config.services.coturn.alt-tls-listening-port
  ];
  networking.firewall.allowedTCPPorts = [
    config.services.coturn.listening-port
    config.services.coturn.alt-listening-port
    config.services.coturn.tls-listening-port
    config.services.coturn.alt-tls-listening-port
  ];
  networking.firewall.allowedUDPPortRanges = [
    {
      from = config.services.coturn.min-port;
      to = config.services.coturn.max-port;
    }
  ];
  networking.providedDomains.coturn = coturnDomain;
  services.coturn = {
    enable = true;
    realm = coturnDomain;
    lt-cred-mech = true;
    no-cli = true;
    extraConfig = ''
      fingerprint
      user=netbird:@password@
      no-software-attribute
    '';
    cert = "@cert@";
    pkey = "@pkey@";
  };
  systemd.services.coturn = let
    certsDir = config.security.acme.certs.${hostDomain}.directory;
  in {
    preStart = mkAfter ''
      ${getExe pkgs.replace-secret} @password@ ${config.age.secrets.coturn-password-netbird.path} /run/coturn/turnserver.cfg
      ${getExe pkgs.replace-secret} @cert@ <(echo "$CREDENTIALS_DIRECTORY/cert.pem") /run/coturn/turnserver.cfg
      ${getExe pkgs.replace-secret} @pkey@ <(echo "$CREDENTIALS_DIRECTORY/pkey.pem") /run/coturn/turnserver.cfg
    '';
    serviceConfig = {
      LoadCredential = [
        "cert.pem:${certsDir}/fullchain.pem"
        "pkey.pem:${certsDir}/key.pem"
      ];
      Restart = mkForce "always";
      RestartSec = "60"; # Retry every minute
    };
  };
  security.acme.certs.${hostDomain}.postRun = ''
    systemctl restart coturn.service
  '';
 }
--- a/hosts/sentinel/default.nix
+++ b/hosts/sentinel/default.nix
@ -11,6 +11,7 @@
    ../../modules/optional/zfs.nix
    ./acme.nix
    ./coturn.nix
    ./fs.nix
    ./net.nix
    ./oauth2.nix
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -107,6 +107,7 @@
      // mkMicrovm "adguardhome"
      // mkMicrovm "forgejo"
      // mkMicrovm "kanidm"
      // mkMicrovm "netbird"
      // mkMicrovm "radicale"
      // mkMicrovm "vaultwarden"
    );
--- a/hosts/ward/guests/kanidm.nix
+++ b/hosts/ward/guests/kanidm.nix
@ -106,12 +106,24 @@ in {
        basicSecretFile = config.age.secrets.kanidm-oauth2-immich.path;
        preferShortUsername = true;
        # XXX: PKCE is currently not supported by immich
        # XXX: Also RS256 is used instead of ES256 so additionally needed:
        # kanidm system oauth2 warning-enable-legacy-crypto immich
        allowInsecureClientDisablePkce = true;
        # XXX: RS256 is used instead of ES256 so additionally we need legacy crypto
        enableLegacyCrypto = true;
        scopeMaps."immich.access" = ["openid" "email" "profile"];
      };
      # Netbird
      groups."netbird.access" = {};
      systems.oauth2.netbird = {
        public = true;
        displayName = "Netbird";
        originUrl = "https://${sentinelCfg.networking.providedDomains.netbird}/";
        preferShortUsername = true;
        enableLocalhostRedirects = true;
        enableLegacyCrypto = true;
        scopeMaps."netbird.access" = ["openid" "email" "profile"];
      };
      # Paperless
      groups."paperless.access" = {};
      systems.oauth2.paperless = {
--- a/hosts/ward/guests/netbird.nix
+++ b/hosts/ward/guests/netbird.nix
@ -0,0 +1,134 @@
 {
  config,
  lib,
  nodes,
  ...
 }: let
  sentinelCfg = nodes.sentinel.config;
  netbirdDomain = "netbird.${config.repo.secrets.global.domains.me}";
 in {
  wireguard.proxy-sentinel = {
    client.via = "sentinel";
    firewallRuleForNode.sentinel.allowedTCPPorts = [3000 3001];
  };
  # Mirror the original coturn password
  age.secrets.coturn-password-netbird = {
    inherit (sentinelCfg.age.secrets.coturn-password-netbird) rekeyFile;
  };
  age.secrets.coturn-secret = {
    generator.script = "alnum";
  };
  age.secrets.netbird-data-store-encryption-key = {
    generator.script = {pkgs, ...}: ''
      ${lib.getExe pkgs.openssl} rand -base64 32
    '';
  };
  environment.persistence."/persist".directories = [
    {
      directory = "/var/lib/netbird-mgmt";
      mode = "640";
      user = "netbird";
      group = "netbird";
    }
  ];
  services.netbird = {
    server = {
      enable = true;
      domain = netbirdDomain;
      dashboard.settings.AUTH_AUTHORITY = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/netbird";
      management = {
        port = 3000;
        dnsDomain = "internal.${config.repo.secrets.global.domains.me}";
        singleAccountModeDomain = "home.lan";
        oidcConfigEndpoint = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/netbird/.well-known/openid-configuration";
        turnDomain = sentinelCfg.networking.providedDomains.coturn;
        turnPort = sentinelCfg.services.coturn.tls-listening-port;
        settings = {
          TURNConfig = {
            Secret._secret = config.age.secrets.coturn-secret.path;
            Turns = [
              {
                Proto = "udp";
                URI = "turn:${config.services.netbird.server.management.turnDomain}:${builtins.toString config.services.netbird.server.management.turnPort}";
                Username = "netbird";
                Password._secret = config.age.secrets.coturn-password-netbird.path;
              }
            ];
          };
          DataStoreEncryptionKey._secret = config.age.secrets.netbird-data-store-encryption-key.path;
        };
      };
    };
  };
  nodes.sentinel = {
    networking.providedDomains.netbird = netbirdDomain;
    services.nginx = {
      upstreams.netbird = {
        servers."${config.wireguard.proxy-sentinel.ipv4}:80" = {};
        extraConfig = ''
          zone netbird 64k;
          keepalive 5;
        '';
      };
      upstreams.netbird-mgmt = {
        servers."${config.wireguard.proxy-sentinel.ipv4}:3000" = {};
        extraConfig = ''
          zone netbird 64k;
          keepalive 5;
        '';
      };
      upstreams.netbird-signal = {
        servers."${config.wireguard.proxy-sentinel.ipv4}:3001" = {};
        extraConfig = ''
          zone netbird 64k;
          keepalive 5;
        '';
      };
      virtualHosts.${netbirdDomain} = {
        forceSSL = true;
        useACMEWildcardHost = true;
        locations = {
          "/" = {
            root = config.services.netbird.server.dashboard.finalDrv;
            tryFiles = "$uri $uri.html $uri/ =404";
            X-Frame-Options = "SAMEORIGIN";
          };
          "/signalexchange.SignalExchange/".extraConfig = ''
            grpc_pass grpc://netbird-signal;
            grpc_read_timeout 1d;
            grpc_send_timeout 1d;
            grpc_socket_keepalive on;
          '';
          "/api".proxyPass = "http://netbird-mgmt";
          "/management.ManagementService/".extraConfig = ''
            grpc_pass grpc://netbird-mgmt;
            grpc_read_timeout 1d;
            grpc_send_timeout 1d;
            grpc_socket_keepalive on;
          '';
        };
        extraConfig = ''
          client_max_body_size 500M ;
          client_header_timeout 1d;
          client_body_timeout 1d;
        '';
      };
    };
  };
  systemd.services.netbird-signal.serviceConfig.RestartSec = "60"; # Retry every minute
  systemd.services.netbird-management.serviceConfig.RestartSec = "60"; # Retry every minute
 }
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@ -110,9 +110,29 @@ in {
        late = true; # Only accept after any rejects have been processed
        verdict = "accept";
      };
      #masquerade-vpn = {
      #  from = ["wg-home"];
      #  to = ["lan"];
      #  masquerade = true;
      #};
      #outbound-vpn = {
      #  from = ["wg-home"];
      #  to = ["lan"];
      #  late = true; # Only accept after any rejects have been processed
      #  verdict = "accept";
      #};
    };
  };
  # Allow accessing influx
  wireguard.proxy-sentinel.client.via = "sentinel";
  #wireguard.home.server = {
  #  host = todo # config.networking.fqdn;
  #  port = 51192;
  #  reservedAddresses = ["10.10.0.1/24" "fd00:10::/120"];
  #  openFirewall = true;
  #};
 }
--- a/hosts/ward/secrets/netbird/host.pub
+++ b/hosts/ward/secrets/netbird/host.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJt2DE0HJjmePYjuZVRcsb0/SfoHSmm06T4ayzIgxUOp
--- a/modules/config/nftables.nix
+++ b/modules/config/nftables.nix
@ -48,7 +48,9 @@
        inherit
          (config.networking.firewall)
          allowedTCPPorts
          allowedTCPPortRanges
          allowedUDPPorts
          allowedUDPPortRanges
          ;
      };
    };
--- a/modules/kanidm.nix
+++ b/modules/kanidm.nix
@ -450,6 +450,12 @@ in {
          options = {
            present = mkPresentOption "oauth2 resource server";
            public = mkOption {
              description = "Whether this is a public client (enforces PKCE, doesn't use a basic secret)";
              type = types.bool;
              default = false;
            };
            displayName = mkOption {
              description = "Display name";
              type = types.str;
@ -479,10 +485,23 @@ in {
              default = null;
            };
            enableLocalhostRedirects = mkOption {
              description = "Allow localhost redirects. Only for public clients.";
              type = types.bool;
              default = false;
            };
            enableLegacyCrypto = mkOption {
              description = "Enable legacy crypto on this client. Allows JWT signing algorthms like RS256.";
              type = types.bool;
              default = false;
            };
            allowInsecureClientDisablePkce = mkOption {
              description = ''
                Disable PKCE on this oauth2 resource server to work around insecure clients
                that may not support it. You should request the client to enable PKCE!
                Only for non-public clients.
              '';
              type = types.bool;
              default = false;
@ -681,6 +700,21 @@ in {
              assertion = (cfg.provision.enable && cfg.enableServer) -> any (xs: xs != []) (attrValues claimCfg.valuesByGroup);
              message = "services.kanidm.provision.systems.oauth2.${oauth2}.claimMaps.${claim} does not specify any values for any group";
            }
            # Public clients cannot define a basic secret
            {
              assertion = (cfg.provision.enable && cfg.enableServer && oauth2Cfg.public) -> oauth2Cfg.basicSecretFile == null;
              message = "services.kanidm.provision.systems.oauth2.${oauth2} is a public client and thus cannot specify a basic secret";
            }
            # Public clients cannot disable PKCE
            {
              assertion = (cfg.provision.enable && cfg.enableServer && oauth2Cfg.public) -> !oauth2Cfg.allowInsecureClientDisablePkce;
              message = "services.kanidm.provision.systems.oauth2.${oauth2} is a public client and thus cannot disable PKCE";
            }
            # Non-public clients cannot enable localhost redirects
            {
              assertion = (cfg.provision.enable && cfg.enableServer && !oauth2Cfg.public) -> !oauth2Cfg.enableLocalhostRedirects;
              message = "services.kanidm.provision.systems.oauth2.${oauth2} is a non-public client and thus cannot enable localhost redirects";
            }
          ]))
      ));
--- a/pkgs/kanidm-provision.nix
+++ b/pkgs/kanidm-provision.nix
@ -5,16 +5,16 @@
 }:
 rustPlatform.buildRustPackage rec {
  pname = "kanidm-provision";
-  version = "1.0.1";
+  version = "1.1.0";
  src = fetchFromGitHub {
    owner = "oddlama";
    repo = "kanidm-provision";
    rev = "v${version}";
-    hash = "sha256-tSr2I7bGEwJoC5C7BOmru2oh9ta04WVTz449KePYSK4=";
+    hash = "sha256-pFOFFKh3la/sZGXj+pAM8x4SMeffvvbOvTjPeHS1XPU=";
  };
-  cargoHash = "sha256-LRPpAIH+pXThS+HJ63kVbxMMoBgsky1nf99RWarX7/0=";
+  cargoHash = "sha256-oiKlKIL23xH67tCDbny9Gj97JQQm4mYt0IHXB5hzJ/A=";
  meta = with lib; {
    description = "A small utility to help with kanidm provisioning";
--- a/secrets/generated/sentinel/coturn-password-netbird.age
+++ b/secrets/generated/sentinel/coturn-password-netbird.age
@ -0,0 +1,11 @@
 age-encryption.org/v1
 -> X25519 BX1TzWJvYYuXIc5jazmoefCDOrWYCc6vtQHqiidFK0k
 KguZPOuk4LKDPogJ40mXA8okdLgG9PAx5fqYW2gkqwQ
 -> piv-p256 xqSe8Q A58MztEJBOwOK0pPa7WngTGynn0I+VUFrCtibSKSwOep
 sVyAneNoMlRnIPR502xrnFeQyI36GpzxqTRhjOpfU7w
 -> YS-grease
 WMxsZrN//DXWbO+03CQwRqPKXdeV844codU
 --- BrgOOiY9Crg771rp77VQ0i3tM770D6CjGknWYRgoIfk
 zîXNò,¹Ž1	ª?v(£oü¬›Õ®
 ØÏÛ|ÄvF9àÞ™Þ»åm"dÑ�úâù?ƒ9?
 ÒáòJn7Q-¦g‚�Q‘ïÄ^\f«Q 
--- a/secrets/generated/sentinel/loki-basic-auth-hashes.age
+++ b/secrets/generated/sentinel/loki-basic-auth-hashes.age
--- a/secrets/generated/ward-netbird/coturn-secret.age
+++ b/secrets/generated/ward-netbird/coturn-secret.age
@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> X25519 pc+s+uniKbP/sMiud4xtJ9x6UMBaIdBO0iHBeznb6VI
 /baQ9J0Qcpr9sZD6LWguy7lcAcgFHq0fPSsCBkkDoKY
 -> piv-p256 xqSe8Q Ay2WPFU0XrukDvFIe0+ZiGm+5m5oJTzktnZ+7L3l4/G5
 5/CGoggDIARr02H0sUX3/HJ6PEoQMLJuhACF2MEdRts
 -> T/-grease =Cr4 B ,R1u(?
 is0bg8583EfFjiM8b+737Wm6+J4
 --- +R5bojMEBENAYEEy++5iMdhEyKCr8rCPOIOiHRa4Wls
 ´•¹„7ß9Žp¬Á¶.’Ãd¹"g½²oÉ:9”ì4äÂá÷~²©ôú“(Ù¸Q*¤ˆj“ž«ãúCD8 >eœÁÁÁìvS×ùLE#+
--- a/secrets/generated/ward-netbird/netbird-data-store-encryption-key.age
+++ b/secrets/generated/ward-netbird/netbird-data-store-encryption-key.age
--- a/secrets/generated/ward-netbird/promtail-loki-basic-auth-password.age
+++ b/secrets/generated/ward-netbird/promtail-loki-basic-auth-password.age
@ -0,0 +1,11 @@
 age-encryption.org/v1
 -> X25519 qeT9jfLCM7cn3uu9z44fa54bAQgjdK+l/uvIG5al924
 Py1wATeO86kvUJzY6MFzl2vTXSvyM93ZrTBjxrMrxBg
 -> piv-p256 xqSe8Q A8ojuCdRG5nViw0SS133NIk7/h0hWbjDYeJiO5LtxkS8
 jQUqyqhIbeUGqyrLOBJBYwCg9ucyumzjT4c/BsrVjLU
 -> {Z-grease jeRAOL 7:2"CZ u={2< 2|0e$Sqx
 Z9ZtNsDOP2sj5nmBgAfDGSEJVQ6jO/ikZuyZXOklhsWa3o1hvgXWL43S3ThRN3+t
 dsQyP7yVZ1J54/mMURTJc9pPyTqSsvoQ9/MP9VkfIhp6ZBoeQGa34UCppzX1xfo
 --- JFa18D2SE3VwuLEMvNpiiR9YY5NZBUVTxzNZcTSfFHI
 xó{·Â!Î�•ü�D™(U¡Á¹u‹næM‡¥[P7;Óçò.Kç#—àûúãÈ¾`Ú�¹x
$<˜”sü™*GH,ì-¹¿
 ÎyždåýAîTs
--- a/secrets/generated/ward-netbird/telegraf-influxdb-token.age
+++ b/secrets/generated/ward-netbird/telegraf-influxdb-token.age
--- a/secrets/global.nix.age
+++ b/secrets/global.nix.age
--- a/secrets/rekeyed/sentinel/320fd087208acc8f688f0028edca8ba5-wireguard-proxy-sentinel-psks-sentinel+ward-netbird.age
+++ b/secrets/rekeyed/sentinel/320fd087208acc8f688f0028edca8ba5-wireguard-proxy-sentinel-psks-sentinel+ward-netbird.age
@ -0,0 +1,8 @@
 age-encryption.org/v1
 -> ssh-ed25519 yV7lcA YulN0/x6Gm6SCXABynVcm2EmCKtvS8Qd9mfvJdWBHhY
 clZ+rznQkfQGnPpM2H2FaPCjg+Tou6wkvXo0SEO0QUk
 -> lSt!-grease n/_ lnzq>4 WHRbZ78. C
 C3jB9dLLqtVQOaL7tusyOvrAAxsfjHbYvUtz1XgSQYfLySmfyhVxNz2TYG2biWkE
 xnhyT65BjhSlKRCGN5ABKmUtjYQ
 --- i9Wkqqpnbnye7ndRxxXbZaVhC5x8qTldieLbzx9h5vE
 âÂ"©ñA<—œºˆ(Œ„�È!zï)_"Ncn5«èi§J/“öŒôÄãÀ’ˆ�¤Y�Ï†Š‘È¾¼ìwøèK;y$I€võä€ôR<
--- a/secrets/rekeyed/sentinel/3b515237f2eec169c6992aea9e6fe02b-loki-basic-auth-hashes.age
+++ b/secrets/rekeyed/sentinel/3b515237f2eec169c6992aea9e6fe02b-loki-basic-auth-hashes.age
--- a/secrets/rekeyed/sentinel/5bc5d5daad95fcc8f628181d006ba3a6-loki-basic-auth-hashes.age
+++ b/secrets/rekeyed/sentinel/5bc5d5daad95fcc8f628181d006ba3a6-loki-basic-auth-hashes.age
--- a/secrets/rekeyed/sentinel/88ab56073f4bca323fbe7cb973103277-coturn-password-netbird.age
+++ b/secrets/rekeyed/sentinel/88ab56073f4bca323fbe7cb973103277-coturn-password-netbird.age
@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> ssh-ed25519 yV7lcA rInHh7EJiht3x4bSdusTvPZeFc6GAUkUZQGaISa0HDI
 p3HcoOg+PcPMdLVpHvn5R28GJ6n/d00EVF1KKMZOsqI
 -> :`epM2-grease 0%~=37:k @~ +-.u1/~=
 d8uTZyL9nN5Q+tS1YQzoyDxS14GT7+EtISr2LSS+/41aWiaUNsvn1/0PKR4lNBce
 vGmoEWERf9yKd6a1h9dlbPaf9jOgEaDjgNyYboYyf0EKQSM
 --- sERxxQVPG2gykXJPnD/BHzDZ2m6XqkywufcNLcinwVg
 ”gUçcœ=
 ¥ÏÇÚ©Ø[×íÂÞqqç»LäXV‹J¤oÍû…ß=»›0øšÏÐ�!C3ƒ¥gôtY„BjùŠ|ô¾>g×Ü¸!ï/¿
--- a/secrets/rekeyed/sire-influxdb/9d519a4364a78ed35630ef296bd96439-telegraf-influxdb-token-ward-netbird.age
+++ b/secrets/rekeyed/sire-influxdb/9d519a4364a78ed35630ef296bd96439-telegraf-influxdb-token-ward-netbird.age
@ -0,0 +1,7 @@
 age-encryption.org/v1
 -> ssh-ed25519 1tdZKQ UEC1qtqm46KIsl/aWeFtVQxPzY3Rb/iVnNYFaNpyShc
 le4O/7aTZ1wvwqaZ+TciQQcnFavIqele5FCyNjoPUg0
 -> @-grease
 15HI1iKmv/+MRpeT
 --- GbgkpPSiqzyooOKtrsj0HGl0gfMMT7d46CrKpwpkVTI
 #Îô/‹®¤yü„ú°MNj°
5×É¥B‡èÁÅÖ‡„]HóÏ¿ú£(ýÎë!=s·7¦Úq¦ñxž/¸�ï<³O²Ì".ƒ¸¦h^ÎŽ\
º¬É
--- a/secrets/rekeyed/ward-netbird/02c5031aff3eedbf089ac3fd3e9d8fca-coturn-secret.age
+++ b/secrets/rekeyed/ward-netbird/02c5031aff3eedbf089ac3fd3e9d8fca-coturn-secret.age
--- a/secrets/rekeyed/ward-netbird/0c9d11833b203faea5536070c92a6459-coturn-password-netbird.age
+++ b/secrets/rekeyed/ward-netbird/0c9d11833b203faea5536070c92a6459-coturn-password-netbird.age
--- a/secrets/rekeyed/ward-netbird/35e674a94d54d8987c32e52de38627ee-wireguard-proxy-sentinel-priv-ward-netbird.age
+++ b/secrets/rekeyed/ward-netbird/35e674a94d54d8987c32e52de38627ee-wireguard-proxy-sentinel-priv-ward-netbird.age
@ -0,0 +1,8 @@
 age-encryption.org/v1
 -> ssh-ed25519 2PpNmg HR+7l6qXcAXmDXTDI6J2sLwYdEo7/7eOvtbsJELHfQQ
 VpCZPyJT4syKsoby/di70g63EUZsGg36mla1jKk5fyw
 -> 1-grease T9.Y
 2qDDSDI0Yoh83qTVXki1WYPsqdjuR9e2qrNdl6H3mWYAlF5ggjLu+3MbQ2P6ouIP
 cFvso0vS56O/SOpPpj5P9El6auY
 --- sWPsDspbccjrl+UmGBwI9e959ZoMSkb6kvGcbB+NE4Q
 sH1Á�ÈbL‹ì£/Ïî¶ÌØCœ¶o3j™aÈ�²Â701Úñjæ²ƒ`	^çt›/s|¸ÌÛ~{WHŽ%.0}VÈ²AhEz~¢�è
--- a/secrets/rekeyed/ward-netbird/aebb2152acff74fc1f4af3b8d5141ee8-netbird-data-store-encryption-key.age
+++ b/secrets/rekeyed/ward-netbird/aebb2152acff74fc1f4af3b8d5141ee8-netbird-data-store-encryption-key.age
@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> ssh-ed25519 2PpNmg 7/LkMYjajibcu5sLO2inuFhGEVFWmNm7qUnr632xjWk
 nlPVfytJZwJPb+yUK65F7FGlx7qr5KZf0amCyNrr59Y
 -> yFt7;"Zk-grease o>Bq cB",D: a
 FyaoFSVUSuohR/Jx7g
 --- eOCUycFPEH0Du123hXxaNyKJYaxSN++TaUB+yTaMtVM
 ×²ê…€6†
 yCs©›×télÄ©é	{í0“?Õß,|i	Gb
 "‘gšì�²ù_1;ùøy'þ’úûÔ—Ê³Lê*û,�çAðM"Ò
--- a/secrets/rekeyed/ward-netbird/b538aae13a0d8e017e3834f262ae89c7-promtail-loki-basic-auth-password.age
+++ b/secrets/rekeyed/ward-netbird/b538aae13a0d8e017e3834f262ae89c7-promtail-loki-basic-auth-password.age
@ -0,0 +1,8 @@
 age-encryption.org/v1
 -> ssh-ed25519 2PpNmg 2nliLnpdZpUd3hQj9PTbxZAbnVDhhr+BLrQ9YxCeh1k
 /8/mZbj6pE0imMg3Rm7sCJ599u45jbRJc+NtGDAiykU
 -> c7i-grease s
 1aVkJHJXdVXk0R91F3HaCV4p9/yPqrMrAFYpUjvrvp7jVkyr6fwt3xJjTigrHvS4
 bTa42nF3bxkU2u5sfD9Kr55l
 --- XzYsO6Vi2ch5tUqKn1JZQ8qXg/e9A6ujd5j189Rufc8
 «¨p{?2Jeƒ‘<Zµ"ýÏÉ}ë«-Æ.v¨É“¨ß‹Ï€EÎy¶†ªCwÛ²ŸL&ç�Û¶Í¬ß·Ûö\žWP{(ˆÜ+ÊÝz]
--- a/secrets/rekeyed/ward-netbird/ba98d6bdeb0dffac652fa15dbde10da7-wireguard-proxy-sentinel-psks-sentinel+ward-netbird.age
+++ b/secrets/rekeyed/ward-netbird/ba98d6bdeb0dffac652fa15dbde10da7-wireguard-proxy-sentinel-psks-sentinel+ward-netbird.age
--- a/secrets/rekeyed/ward-netbird/baa6e9c40b40f680bbd2c211a005fa72-telegraf-influxdb-token.age
+++ b/secrets/rekeyed/ward-netbird/baa6e9c40b40f680bbd2c211a005fa72-telegraf-influxdb-token.age
--- a/secrets/wireguard/proxy-sentinel/keys/ward-netbird.age
+++ b/secrets/wireguard/proxy-sentinel/keys/ward-netbird.age
--- a/secrets/wireguard/proxy-sentinel/keys/ward-netbird.pub
+++ b/secrets/wireguard/proxy-sentinel/keys/ward-netbird.pub
@ -0,0 +1 @@
 +rcp1Aobh/8XtB9anwQMymySe7JQ5bQMnIXg3AbPN08=
--- a/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-netbird.age
+++ b/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-netbird.age
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJt2DE0HJjmePYjuZVRcsb0/SfoHSmm06T4ayzIgxUOp`
		`@ -0,0 +1 @@`
							`+rcp1Aobh/8XtB9anwQMymySe7JQ5bQMnIXg3AbPN08=`