From b2b2e60725f3ccef988fcfd38aa77ad8a3097f31 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Tue, 25 Jul 2023 18:48:42 +0200
Subject: [PATCH] feat(zackbiene): start clean; add kea instead of dhcpcd chore: switch to hosts.toml
---
 README.md | 2 +-
 flake.lock | 24 ++--
 flake.nix | 17 +--
 hosts.toml | 15 +++
 hosts/ward/kea.nix | 107 ++++++++----------
 hosts/ward/microvms/common.nix | 2 +-
 .../secrets/loki/loki-basic-auth-hashes.age | Bin 1391 -> 1463 bytes
 hosts/zackbiene/default.nix | 27 ++++-
 hosts/zackbiene/dnsmasq.nix | 21 ----
 hosts/zackbiene/hostapd.nix | 12 +-
 hosts/zackbiene/kea.nix | 43 +++++++
 hosts/zackbiene/net.nix | 10 ++
 hosts/zackbiene/nginx.nix | 20 ----
 hosts/zackbiene/secrets/host.pub | 2 +-
 .../promtail-loki-basic-auth-password.age | 11 ++
 .../secrets/telegraf-influxdb-token.age | 13 +++
 .../proxy-sentinel/keys/zackbiene.age | 10 ++
 .../proxy-sentinel/keys/zackbiene.pub | 1 +
 .../psks/sentinel+zackbiene.age | Bin 0 -> 387 bytes
 19 files changed, 195 insertions(+), 142 deletions(-)
 create mode 100644 hosts.toml
 delete mode 100644 hosts/zackbiene/dnsmasq.nix
 create mode 100644 hosts/zackbiene/kea.nix
 delete mode 100644 hosts/zackbiene/nginx.nix
 create mode 100644 hosts/zackbiene/secrets/promtail-loki-basic-auth-password.age
 create mode 100644 hosts/zackbiene/secrets/telegraf-influxdb-token.age
 create mode 100644 secrets/wireguard/proxy-sentinel/keys/zackbiene.age
 create mode 100644 secrets/wireguard/proxy-sentinel/keys/zackbiene.pub
 create mode 100644 secrets/wireguard/proxy-sentinel/psks/sentinel+zackbiene.age
diff --git a/README.md b/README.md
index 53046e1..26d8da0 100644
--- a/README.md
+++ b/README.md
@@ -79,7 +79,7 @@ but here's a quick breakdown of the what you will find where. Afterwards: - Run `install-system` in the live environment and reboot -- Retrieve the new host identity by using `ssh-keyscan | grep -o 'ed25519.*' > host//secrets/host.pub` +- Retrieve the new host identity by using `ssh-keyscan | grep -o 'ssh-ed25519.*' > hosts//secrets/host.pub` - (If the host has microvms, also retrieve their identities!) - Rekey the secrets for the new identity `nix run .#rekey` - Deploy again remotely via colmena diff --git a/flake.lock b/flake.lock index a2c43d2..7210b7a 100644 --- a/flake.lock +++ b/flake.lock @@ -27,11 +27,11 @@ ] }, "locked": { - "lastModified": 1689334118, - "narHash": "sha256-djk5AZv1yU84xlKFaVHqFWvH73U7kIRstXwUAnDJPsk=", + "lastModified": 1690228878, + "narHash": "sha256-9Xe7JV0krp4RJC9W9W9WutZVlw6BlHTFMiUP/k48LQY=", "owner": "ryantm", "repo": "agenix", - "rev": "0d8c5325fc81daf00532e3e26c6752f7bcde1143", + "rev": "d8c973fd228949736dedf61b7f8cc1ece3236792", "type": "github" }, "original": { @@ -159,11 +159,11 @@ ] }, "locked": { - "lastModified": 1690148072, - "narHash": "sha256-R7bk2ij1b06Wc8S3L/guz6Mape5HtKp/YZUyJaxSFa8=", + "lastModified": 1690278259, + "narHash": "sha256-0Ujy0ZD1Yg5+QDaEnk4TeYhIZ6AckRORrXLGsAEhFKE=", "owner": "nix-community", "repo": "disko", - "rev": "713eb78002e69bd77f5a69595756fd2e564233f3", + "rev": "5b19fb2e74df312751cecbf0f668217eb59d9170", "type": "github" }, "original": { @@ -364,11 +364,11 @@ ] }, "locked": { - "lastModified": 1690208251, - "narHash": "sha256-eb/KANeuQADVl5j4wVid4jyPCOMTorSI2+gqoXp3LME=", + "lastModified": 1690269402, + "narHash": "sha256-SybA24IOGigiHfcTB5eBge4UZQI6a0z8Ah+EzD17tdk=", "owner": "nix-community", "repo": "home-manager", - "rev": "d309a62ee81faec56dd31a263a0184b0e3227e36", + "rev": "0306d5ed7e9d1662b55ec0d08afc73d4cb5eadca", "type": "github" }, "original": { 
@@ -499,11 +499,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1690031011, - "narHash": "sha256-kzK0P4Smt7CL53YCdZCBbt9uBFFhE0iNvCki20etAf4=", + "lastModified": 1690179384, + "narHash": "sha256-+arbgqFTAtoeKtepW9wCnA0njCOyoiDFyl0Q0SBSOtE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "12303c652b881435065a98729eb7278313041e49", + "rev": "b12803b6d90e2e583429bb79b859ca53c348b39a", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 812b09a..da8a50d 100644 --- a/flake.nix +++ b/flake.nix @@ -92,19 +92,10 @@ extraEncryptionPubkeys = [./secrets/backup.pub]; }; - # This is the list of hosts that this flake defines, plus the minimum - # amount of metadata that is necessary to instanciate it correctly. - hosts = let - nixos = system: { - type = "nixos"; - inherit system; - }; - in { - nom = nixos "x86_64-linux"; - sentinel = nixos "x86_64-linux"; - ward = nixos "x86_64-linux"; - zackbiene = nixos "aarch64-linux"; - }; + # Load the list of hosts that this flake defines, which + # associates the minimum amount of metadata that is necessary + # to instanciate hosts correctly. + hosts = builtins.fromTOML (builtins.readFile ./hosts.toml); # This will process all defined hosts of type "nixos" and # generate the required colmena definition for each host. diff --git a/hosts.toml b/hosts.toml new file mode 100644 index 0000000..c7480ec --- /dev/null +++ b/hosts.toml @@ -0,0 +1,15 @@ +[nom] +type = "nixos" +system = "x86_64-linux" + +[sentinel] +type = "nixos" +system = "x86_64-linux" + +[ward] +type = "nixos" +system = "x86_64-linux" + +[zackbiene] +type = "nixos" +system = "aarch64-linux" diff --git a/hosts/ward/kea.nix b/hosts/ward/kea.nix index 71f4691..f59156a 100644 --- a/hosts/ward/kea.nix +++ b/hosts/ward/kea.nix 
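Review bot: In flake.nix the new `hosts = builtins.fromTOML (builtins.readFile ./hosts.toml);` accepts whatever keys the file happens to contain, whereas the removed `nixos` helper guaranteed that every entry carried exactly `type` and `system`. The comment that follows says only hosts of type "nixos" are processed, so a misspelled `type` in hosts.toml would presumably drop a host from the deployment without an evaluation error; the code that consumes `hosts` is outside the hunk. I would add an evaluation-time assertion that each entry has a known `type` and a `system`. The new comment also carries a spelling slip that could be fixed while here: `# to instantiate hosts correctly.`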
@@ -1,77 +1,60 @@ { - config, lib, utils, nodes, ... }: let - inherit - (lib) - flip - mapAttrsToList - mkOption - net - types - ; - + inherit (lib) net; lanCidrv4 = "192.168.100.0/24"; dnsIp = net.cidr.host 2 lanCidrv4; in { # TODO make meta.kea module? # TODO reserve by default using assignIps algo? - options.networking.dhcp4Reservations = mkOption { - default = {}; - type = types.attrsOf (types.net.ipv4-in lanCidrv4); - description = "Maps MAC addresses to their reserved ipv4 address."; - }; - - config = { - services.kea.dhcp4 = { - enable = true; - settings = { - lease-database = { - name = "/var/lib/kea/dhcp4.leases"; - persist = true; - type = "memfile"; - }; - valid-lifetime = 4000; - renew-timer = 1000; - rebind-timer = 2000; - interfaces-config = { - # XXX: why does this bind other macvtaps? - interfaces = ["lan-self"]; - service-sockets-max-retries = -1; - }; - option-data = [ - { - name = "domain-name-servers"; - data = dnsIp; - } - ]; - subnet4 = [ - { - interface = "lan-self"; - subnet = lanCidrv4; - pools = [ - {pool = "${net.cidr.host 20 lanCidrv4} - ${net.cidr.host (-6) lanCidrv4}";} - ]; - option-data = [ - { - name = "routers"; - data = net.cidr.host 1 lanCidrv4; - } - ]; - reservations = [ - { - hw-address = nodes.ward-adguardhome.config.lib.microvm.mac; - ip-address = dnsIp; - } - ]; - } - ]; + services.kea.dhcp4 = { + enable = true; + settings = { + lease-database = { + name = "/var/lib/kea/dhcp4.leases"; + persist = true; + type = "memfile"; }; + valid-lifetime = 4000; + renew-timer = 1000; + rebind-timer = 2000; + interfaces-config = { + # XXX: why does this bind other macvtaps? 
+ interfaces = ["lan-self"]; + service-sockets-max-retries = -1; + }; + option-data = [ + { + name = "domain-name-servers"; + data = dnsIp; + } + ]; + subnet4 = [ + { + interface = "lan-self"; + subnet = lanCidrv4; + pools = [ + {pool = "${net.cidr.host 20 lanCidrv4} - ${net.cidr.host (-6) lanCidrv4}";} + ]; + option-data = [ + { + name = "routers"; + data = net.cidr.host 1 lanCidrv4; + } + ]; + reservations = [ + { + hw-address = nodes.ward-adguardhome.config.lib.microvm.mac; + ip-address = dnsIp; + } + ]; + } + ]; }; - - systemd.services.kea-dhcp4-server.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-self"}.device"]; }; + + systemd.services.kea-dhcp4-server.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-self"}.device"]; } diff --git a/hosts/ward/microvms/common.nix b/hosts/ward/microvms/common.nix index c26df64..6e61ffd 100644 --- a/hosts/ward/microvms/common.nix +++ b/hosts/ward/microvms/common.nix @@ -7,7 +7,7 @@ in { proxy = "sentinel"; }; - # Connect safely via wireguard to skip authentication + # Connect safely via wireguard to skip http authentication networking.hosts.${sentinelCfg.meta.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.networking.providedDomains.influxdb]; meta.telegraf = { enable = true; 
diff --git a/hosts/ward/secrets/loki/loki-basic-auth-hashes.age b/hosts/ward/secrets/loki/loki-basic-auth-hashes.age index 25345663faf19fa00d9171d0adb2da63d637134e..957822ed64dfe79deecc83a032a58cba4e77125a 100644 GIT binary patch delta 1449 zcmV;a1y=g+3bzZ8Ab&_qR$@&_a8_zBP&rOda&uN`PjEwFPgE;-Nojd7ac*NPazu7` zcy>`$Q3^OvRz+2KV`WTiN?28HSvhQRST|8CdP`+BVslb(Pj^9hNH0(@NKQHKt5>R9FK5Faj*+?U~jXW)Vmg#|FU}$ z%dX@cC)dab%FMP(M9yk#k}a_O8LK>g1mNeq?^ns|et*L(Ke#$oI7)4JunI#}wk90i zVjG&;7J%zaQku}eegznT=XjtNoP=qyHCnpqmllW1&1tUxJj!S}KKqJNd>P;Qr5WrG z{V5nL9#kB7ddyD*FvC&!8_RAa8H+QBqvIBB3M$J}JQ7@!(j^y+6HH{6jh?LG;lV1| z)SMXU0e^6$p2-<}=k$9tgig?6pp&q(BB|}t@i;pZ94umitxecv%L~n z%4~Z+oVe|T;`Lv^`IKKv*&M|JNZmg2Y=*^G3V(?AZmPC{|C|axxRB7Owf9?pEYIfH$SnUvcA>{K4HQ&^au7o0=J2WKa4RxG+gIRy8jsJWFLCrV@&Q5MEn zFn7DBD-kU+G7zkZ>4zR?HuY9G4eXlFv45s#Ul-hCleVmcPlqVX=kWg$8NFv(6J5J7 zzm7xwMIE@5>NPPL;9?`n7_>qfe<`EG4oJFC-Qi);R=in9gYWRfQBbrj<57)~0)%;c z4}a_vl=brTUwg-wz2OLn^Y$9fRLEC`dKznf32C&_%F4!i+kemc zEXX`+z6t<(W4i9&GYT2y8p-j!>Ar4xikO9c@HaKOjJaxeC8gm7^OdC)>(E}%3Nis0 zemWx72i#o~t5db(R#*XolzWn2d8Wl$B&_vi$KS0AZMTDR-?(+-k5F9>WoWF-6>MfJ zmIZ^Ah917i6%8fEQaeI*3y|FqTYnF?D9gsS+4BSGm&~OG87Icv5?z5SeDGxnOv@b6 z4yP$>#u61N3=TV~gH)kU6)M+z<1^>03>VDqropBvV!;AEj^o3ZxYS4a^;h?d8)#&z z+g=?RwT-KCH)}u>DY^r#1P|>_K6Yih8{PiNMqU2_|BHo5BjJlG3b*(@LVt01`nBbw z(firbu7Yx1@(e=bvqJ&!Y=QG24E_?d`hXZWs?!zBkz`x=`Mf5CYVYHk&IL#K3@t}P?Kp4+QrDEW&4X%@}8Ds#uPl)#MLR> z|E}lJMWL-!g`8zGHD?9JxFY=F{sqBsVfAx)pycXiY4|Y96NYlnwcOx5^0QH~%{_;n D_gtH3 delta 1376 zcmV-m1)uu23-1b$Ab&DNQgm%*P-HhkS2l1faZoFEPj^XWF;RDUNn%(|G&4sqXL3kZ zPH$gW_L{(yGY&Ju2ICw}eH!yc?Wl?8UYcx?$NeV4K zAaH4REpRe5HXwL$Q)M_&AVE1+QZ;8cOgCChZ8tYZT5m%)Z+}8sT5xtuD_J&6YGYzK zb2&(BWJD`XH8u)%MKM(|Y%+0LQFv`IYFcJxYgR~PSx7KZO-FZka#JuxG&x5|MlWeK zFIfsLJ|KEEHEmu%LoH`=Wnpt=AareODlj%SOdum^DRFCEM<7-=Phc@jrF@JA$WH)APH*qm}ba_uobvHL|LNjGBX>?{rRcU!Id2cptR%%dFY)?Ts zK~^w0HF9Y%Sy2itEiE8rWpZgkWi(7nNqJ*QbWn0yS#NYSS9McVVR?3TNLOhuLREQT zL3waVS8objo5qPyAV46veJzOVO7#`c3Fzj=oU# 
zLusOi$SLXxUJ^-Jh?;Vm%vxlxjAfz8m-C8FzsV6}lwg$+5ak>n3p}Rn0Cumu!aH>a ztp$Zx!B%*dJ*RAnzxJy?_nCeJ)yn7K=!BTi(9-ByY6A+Bb#P+)FTo`(YjUktr*>eI z-ain(e&*kYjy>a)lOsKeIEbjs+3xeW7f5M?Qhy(UOcI~a$jG}^Mcd-E_$yAii!%ku zqFM9CrxuRfKL;r9?;@d!%3}4sMF_oC>(6Phho%=8Ik3&#LGWMvDV}NkdYu;~^aNEM z%6%(b?C})Lt6n^vYWmL!>c2;kIbd1y-~LdlV5v-9r~kY9r=4G_qtt3D;acpZA2if! zynk>637|Q@=`KdvJyAn4X8#dUPX#`);sRqjrY}I#Hv>cL?4F<7V<*opt=R8S&*|$8 zd$d^bP)%*iAxg8%-xnPA*YA#Pg(B_}6W!NrLnF)R(PlscQb^FxBhJL?(2SO_@D&uo z+_jv9P0p8HNPl~$Vyec~MkI76UMka|M}HonmYCJ4*FW_NP$T;_#-@^ILr))+YgP<# z8I_eFGRI6dx*E_wi)Pj!HzzbUA;qaD@6#H^w9mnpu!i!Y&JLk0tE7zkg;yqXv6Wnwy)NnIF`P70xMEpj%7rl8Z)nB;j3^s4B0=HS;tsy~OY-FYvOo>+{y#bA(ciCGlyPZjD*#^^Y z@)xGt;E}vq>kMS6rzVT+udl}^DP3K>()z0QH%_>2y)w%`kgcD*>J*h%kKk-mBj(D@ zz#zvZh3fX_sXr%d5H!uW;IN((&duU&}=NvCTZDTzChq+y_r44H$p`XKGclwt|@P3-{N0Kp5n(}UP+3Q iu5n{%6LD+Xn4a-k0bK%a4K6H7(?r|25-e_x1pl!9#c+WD diff --git a/hosts/zackbiene/default.nix b/hosts/zackbiene/default.nix index 8e34795..1529bab 100644 --- a/hosts/zackbiene/default.nix +++ b/hosts/zackbiene/default.nix @@ -1,4 +1,10 @@ -{lib, ...}: { +{ + lib, + nodes, + ... +}: let + sentinelCfg = nodes.sentinel.config; +in { imports = [ ../../modules/optional/hardware/odroid-n2plus.nix 
@@ -7,17 +13,32 @@ ../../modules/optional/initrd-ssh.nix ../../modules/optional/zfs.nix - #./dnsmasq.nix #./esphome.nix ./fs.nix #./home-assistant.nix - #./hostapd.nix + ./hostapd.nix #./mosquitto.nix + ./kea.nix ./net.nix #./nginx.nix #./zigbee2mqtt.nix ]; + meta.wireguard-proxy.sentinel = {}; + meta.promtail = { + enable = true; + proxy = "sentinel"; + }; + + # Connect safely via wireguard to skip http authentication + networking.hosts.${sentinelCfg.meta.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.networking.providedDomains.influxdb]; + meta.telegraf = { + enable = true; + influxdb2.domain = sentinelCfg.networking.providedDomains.influxdb; + influxdb2.organization = "servers"; + influxdb2.bucket = "telegraf"; + }; + # Fails if there are no SMART devices services.smartd.enable = lib.mkForce false; } diff --git a/hosts/zackbiene/dnsmasq.nix b/hosts/zackbiene/dnsmasq.nix deleted file mode 100644 index 4208369..0000000 --- a/hosts/zackbiene/dnsmasq.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ - services.dnsmasq = { - enable = true; - resolveLocalQueries = false; - settings = { - interface = "wlan1"; - dhcp-authoritative = true; - dhcp-range = [ - "10.0.90.10,10.0.90.240,24h" - "fd90::10,fd90::ff0,24h" - ]; - - # Enable ipv6 router advertisements - enable-ra = true; - # Don't use anything from /etc/resolv.conf - no-resolv = true; - # Never forward addresses in the non-routed address spaces. - bogus-priv = true; - }; - }; -} diff --git a/hosts/zackbiene/hostapd.nix b/hosts/zackbiene/hostapd.nix index c475552..d409bd9 100644 --- a/hosts/zackbiene/hostapd.nix +++ b/hosts/zackbiene/hostapd.nix @@ -1,9 +1,4 @@ -{ - lib, - config, - pkgs, - ... -}: { +{config, ...}: { # Associates each known client to a unique password age.secrets.wifi-clients.rekeyFile = ./secrets/wifi-clients.age; 
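Review bot: The added `networking.hosts.${sentinelCfg.meta.wireguard.proxy-sentinel.ipv4}` entry and `meta.telegraf` block in hosts/zackbiene/default.nix duplicate what hosts/ward/microvms/common.nix already carries, down to the comment about skipping http authentication. That hosts entry is what keeps telegraf traffic for the influxdb domain on the wireguard tunnel, so a copy that drifts would presumably send it over the public path instead. I would move the block into a shared module that both hosts import. The comment should also say what enforces the bypass, for example `# sentinel skips http auth only for peers on the proxy-sentinel wireguard network; the influxdb token is still required`, once that has been confirmed against the sentinel proxy configuration, which is not part of this patch.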
@@ -12,7 +7,7 @@ services.hostapd = { enable = true; radios.wlan1 = { - hwMode = "g"; + band = "2g"; countryCode = "DE"; channel = 13; # Automatic Channel Selection (ACS) is unfortunately not implemented for mt7612u. wifi4.capabilities = ["LDPC" "HT40+" "HT40-" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1"]; @@ -22,7 +17,8 @@ apIsolate = true; authentication = { saePasswordsFile = config.age.secrets.wifi-clients.path; - saeAddToMacAllow = true; + # TODO reenable when nixpkgs#245413 is merged + # saeAddToMacAllow = true; enableRecommendedPairwiseCiphers = true; }; bssid = "00:c0:ca:b1:4f:9f"; diff --git a/hosts/zackbiene/kea.nix b/hosts/zackbiene/kea.nix new file mode 100644 index 0000000..dc605f4 --- /dev/null +++ b/hosts/zackbiene/kea.nix @@ -0,0 +1,43 @@ +{ + lib, + utils, + ... +}: let + inherit (lib) net; + iotCidrv4 = "10.0.90.0/24"; +in { + services.kea.dhcp4 = { + enable = true; + settings = { + lease-database = { + name = "/var/lib/kea/dhcp4.leases"; + persist = true; + type = "memfile"; + }; + valid-lifetime = 4000; + renew-timer = 1000; + rebind-timer = 2000; + interfaces-config = { + interfaces = ["wlan1"]; + service-sockets-max-retries = -1; + }; + subnet4 = [ + { + interface = "wlan1"; + subnet = iotCidrv4; + pools = [ + {pool = "${net.cidr.host 20 iotCidrv4} - ${net.cidr.host (-6) iotCidrv4}";} + ]; + option-data = [ + { + name = "routers"; + data = net.cidr.host 1 iotCidrv4; + } + ]; + } + ]; + }; + }; + + systemd.services.kea-dhcp4-server.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "wlan1"}.device"]; +} diff --git a/hosts/zackbiene/net.nix b/hosts/zackbiene/net.nix index fb540fa..aa3a50d 100644 --- a/hosts/zackbiene/net.nix +++ b/hosts/zackbiene/net.nix 
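Review bot: Commenting out `saeAddToMacAllow = true;` in the `authentication` block of hosts/zackbiene/hostapd.nix stops the MAC allow list from being filled from the wifi-clients file, and the TODO does not say what that changes for this network. The BSS definition continues outside the hunk, so the MAC ACL mode is not visible. If the BSS is in allow-list mode, known clients would be rejected; otherwise no MAC filter is in effect until the nixpkgs change lands. The per-client SAE passwords remain the real access control, and the comment should record that: `# TODO reenable when nixpkgs#245413 is merged; until then no MAC allow list is derived from wifi-clients, access relies on the per-client SAE passwords`.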
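Review bot: The `subnet4` entry for `wlan1` in the new hosts/zackbiene/kea.nix hands out only the `routers` option and no `domain-name-servers`, while hosts/ward/kea.nix sets one and the dnsmasq service this file replaces was answering on the same interface. If leaving IoT clients without a resolver is deliberate, a one-line comment above `option-data` should say so. Otherwise add a `domain-name-servers` entry pointing at whichever resolver this segment is allowed to reach. The file is otherwise a copy of the ward configuration with the interface and CIDR swapped, which the existing `# TODO make meta.kea module?` there already anticipates.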
@@ -32,6 +32,16 @@ in { (lib.net.cidr.hostCidr 1 iotCidrv6) ]; matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.wlan1.mac; + networkConfig = { + IPForward = "yes"; + IPv6PrivacyExtensions = "yes"; + IPv6SendRA = true; + MulticastDNS = true; + }; + # Announce a static prefix + ipv6Prefixes = [ + {ipv6PrefixConfig.Prefix = iotCidrv6;} + ]; linkConfig.RequiredForOnline = "no"; }; }; diff --git a/hosts/zackbiene/nginx.nix b/hosts/zackbiene/nginx.nix deleted file mode 100644 index 991c2c4..0000000 --- a/hosts/zackbiene/nginx.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ - lib, - config, - ... -}: { - age.secrets."selfcert.crt" = { - rekeyFile = ./secrets/selfcert.crt.age; - mode = "440"; - group = "nginx"; - }; - age.secrets."selfcert.key" = { - rekeyFile = ./secrets/selfcert.key.age; - mode = "440"; - group = "nginx"; - }; - - #security.acme.acceptTerms = true; - #security.acme.defaults.email = "admin+acme@example.com"; - services.nginx.enable = true; -} diff --git a/hosts/zackbiene/secrets/host.pub b/hosts/zackbiene/secrets/host.pub index e320b99..b694d85 100644 --- a/hosts/zackbiene/secrets/host.pub +++ b/hosts/zackbiene/secrets/host.pub @@ -1 +1 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJVBhqJKfIBWOwXHGNjlskKMIpCuL3qjOjKiXyF8hkGT +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILaKQa+gcGMvtm9d1LM11lvsXRtE3Tvo+o40nG+eXYgo diff --git a/hosts/zackbiene/secrets/promtail-loki-basic-auth-password.age b/hosts/zackbiene/secrets/promtail-loki-basic-auth-password.age new file mode 100644 index 0000000..411d2cb --- /dev/null +++ b/hosts/zackbiene/secrets/promtail-loki-basic-auth-password.age 
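Review bot: `IPForward = "yes"` and `MulticastDNS = true` are added to the `wlan1` network in hosts/zackbiene/net.nix with no comment on what limits forwarded traffic, although the rest of the patch treats this as the isolated IoT segment (`iotCidrv4`/`iotCidrv6`, `apIsolate = true` in hostapd.nix). In systemd-networkd `IPForward` turns forwarding on for the whole host rather than for this link alone, so whether IoT clients can reach other networks depends entirely on forward-chain firewall rules that are not visible here. I would state that dependency next to the option, e.g. `# forwarding from this segment is restricted by the firewall rules in <module>`, and confirm that answering mDNS towards IoT devices is intended. The enclosing network definition starts and ends outside the hunk.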
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> X25519 GORopMcTgwBFuvljV/6TrebfoW4aL13meWOk0tjX2Fg +A9OOzSPEqT8dPNYeKHcvVVdZOfYMnEzaSdudKzyals4 +-> piv-p256 xqSe8Q As7KMtJM+NWObNYdVxTjfePy8MThyA6PkOv32lvMNbth +LkC4vtpHWjizzs3qEyJF+L5yBniMH9XdMH6Y/H5RfTc +-> WQ0T*-grease ;xyW-]= 5tB %=C(B9M jM X25519 DCVhASEENA4z7QkZIAz+7shz69B3UGfuR4QwV28e3w4 +KcvcVb5PxsRMlA5n35c/4nRLdv7WoIL2bqJn6Ry0tBU +-> piv-p256 xqSe8Q ArDV5TYzLEFhnRxXIY1OMPe4nPE7rtNhsUhU+7J2La3o +SoqSbbPvxlF4uaGSRNKSumajM9aEr2EoHE8PyPr3sMk +-> e\9`z-grease +PtN7lO2jjyBoMojXSiPLmWGgv23uUbzd9TxrAwwDiCcBbW5RL5vvR2HFzc+k+ZVa +RA3xLg5UeIzjsZdkWBezPHX1p7OALN49ZxtJ21fzfDhdUCTfVIKK4mi++At2hEJF +6g +--- FdR7X/jFWv+BhzuO8kpGr8xC3SKgmrwHg4YaHRxnwHE + p 6SDW(YR3s_۪/2g}ܶW?ub +)/ ,{&F-5/u.p \%ɟ4qӉyKQk4W3ˌ +ӈ[t__4y q^/F* \ No newline at end of file diff --git a/secrets/wireguard/proxy-sentinel/keys/zackbiene.age b/secrets/wireguard/proxy-sentinel/keys/zackbiene.age new file mode 100644 index 0000000..e247137 --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/keys/zackbiene.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 yiNmRDhm4J2Kbdl23JqK806GwpAyxxhyPD7UzwQOd14 +YdtV6fwtI8Hi/Fl3viJa6Kdlg6jipWX8qY9yZ7AvCYk +-> piv-p256 xqSe8Q AxvoyuMwR6SeHcqsLOLFxaXHJnjGePz+ROnwlWDiUSgP +B4lYcmboqDpr747GYCFAGWXfOvpHK04uyM5UbEeNORI +-> x4pfd28-grease f+4S \ +BuQCPPOZhXqwnKl74fCB4eF5LYtULBuGiYX4BCOrS+sNP5svpj2pnGFvA5/VAJqv +9NE3mc0a9B41xJMSISdomiU +--- 3bUnrQO3LUeKPFet5T2s9XAe455gONeBR6TiIN0nf0Q +{jD˖I]'7KEmU"\^'}`K4A%P%M+G' \ No newline at end of file diff --git a/secrets/wireguard/proxy-sentinel/keys/zackbiene.pub b/secrets/wireguard/proxy-sentinel/keys/zackbiene.pub new file mode 100644 index 0000000..c11fca2 --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/keys/zackbiene.pub @@ -0,0 +1 @@ +m92MMTe8d8vtfKcRxel+8ptDcFFILyvzOThTt2rdiWU= 
diff --git a/secrets/wireguard/proxy-sentinel/psks/sentinel+zackbiene.age b/secrets/wireguard/proxy-sentinel/psks/sentinel+zackbiene.age new file mode 100644 index 0000000000000000000000000000000000000000..19c3d6c8a69b83790bc19b752ff72686c7e71e89 GIT binary patch literal 387 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR2FFfuhYv{VQT3Mn_UG!HHaudp!Jx5&>5 z$aFOJvT!rCNcJ*vO3Ny%G);1k@F@+c@Z|Dybq)*5Eh>l%D~K}ob}aJsaQ1Xh3eYdj zcQ>)f403TcbSsU@2nY_(%m&#|kXfc%U}S2hP*E71Y7wa5SYA=?5nK`8F zQxfW1;9-^@lv|lr;bM`KXqHxNY+z|o6c}#FRpB35l4n_vot@|D=;U1LUtZ}Mlv$bT z=jxM_>TXzN7U-JhpXBHnoLl7xvMaMpQ#ZXRHL*BVA+<`u#mSPZGATGUH&Q>PFfAaH zOIKG{Av4m#sKT(=KQbaSw8SSp)yYWPIn6P!(#zjF+^@L8$kM>bUEkB#RNKdsYiZ+_ z4GKSW|0QcKa7pJnyY6lZ!;R*+#2%%Rbk4G+J2p?&eav*KZ(o9D;uVc6_w;=ZNxu40 e%wx`e;dsD7y$e4d&%G=?e_G9ya@JD2*^2=V4u~iK literal 0 HcmV?d00001