From ced72fb7bb8e8689f629f416b28d608563574b10 Mon Sep 17 00:00:00 2001 From: oddlama Date: Sat, 26 Apr 2025 10:28:33 +0200 Subject: [PATCH] feat: switch from actual -> firefly-iii --- README.md | 2 +- config/users.nix | 3 +- hosts/sentinel/firezone.nix | 2 +- hosts/sentinel/oauth2.nix | 5 + hosts/sire/default.nix | 1 - hosts/sire/guests/actual.nix | 96 ------------------ hosts/sire/secrets/actual/host.pub | 1 - hosts/ward/default.nix | 3 +- hosts/ward/guests/adguardhome.nix | 2 +- hosts/ward/guests/firefly.nix | 87 ++++++++++++++++ hosts/ward/guests/kanidm.nix | 18 ---- hosts/ward/secrets/firefly/host.pub | 1 + .../sentinel/loki-basic-auth-hashes.age | Bin 2999 -> 2643 bytes .../ward-firefly/firefly-app-key.age | 12 +++ .../promtail-loki-basic-auth-password.age | Bin 0 -> 461 bytes .../ward-firefly/telegraf-influxdb-token.age | 11 ++ .../ward-kanidm/kanidm-oauth2-actual.age | Bin 416 -> 0 bytes ...5b4b19316ff9c31-loki-basic-auth-hashes.age | Bin 0 -> 2575 bytes ...2a56e0490ecf616-loki-basic-auth-hashes.age | Bin 2876 -> 0 bytes ...4-telegraf-influxdb-token-ward-firefly.age | 7 ++ ...41-telegraf-influxdb-token-sire-actual.age | Bin 355 -> 0 bytes ...22a0-promtail-loki-basic-auth-password.age | 7 ++ ...uard-proxy-home-psks-ward+ward-firefly.age | 7 ++ ...0be2e4f069e5168e906326-firefly-app-key.age | 7 ++ ...3acdb69b0e0f6f-telegraf-influxdb-token.age | 7 ++ ...wireguard-proxy-home-priv-ward-firefly.age | 8 ++ ...bbf8cfc65e0d83c02-kanidm-oauth2-actual.age | 7 -- ...2c07814074b7899-loki-basic-auth-hashes.age | Bin 0 -> 2577 bytes ...725c0b860f1b3ec-loki-basic-auth-hashes.age | Bin 2902 -> 0 bytes ...uard-proxy-home-psks-ward+ward-firefly.age | 7 ++ ...guard-proxy-home-psks-sire-actual+ward.age | Bin 401 -> 0 bytes .../proxy-home/keys/ward-firefly.age | 10 ++ .../proxy-home/keys/ward-firefly.pub | 1 + .../proxy-home/psks/ward+ward-firefly.age | 9 ++ 34 files changed, 193 insertions(+), 128 deletions(-) delete mode 100644 hosts/sire/guests/actual.nix delete mode 100644 hosts/sire/secrets/actual/host.pub create mode 100644 hosts/ward/guests/firefly.nix create mode 100644 hosts/ward/secrets/firefly/host.pub create mode 100644 secrets/generated/ward-firefly/firefly-app-key.age create mode 100644 secrets/generated/ward-firefly/promtail-loki-basic-auth-password.age create mode 100644 secrets/generated/ward-firefly/telegraf-influxdb-token.age delete mode 100644 secrets/generated/ward-kanidm/kanidm-oauth2-actual.age create mode 100644 secrets/rekeyed/sentinel/5f448f5955218081b5b4b19316ff9c31-loki-basic-auth-hashes.age delete mode 100644 secrets/rekeyed/sentinel/dcaec2abd18128d1b2a56e0490ecf616-loki-basic-auth-hashes.age create mode 100644 secrets/rekeyed/sire-influxdb/25afc8a55a3c3646f3d5b63f1626e324-telegraf-influxdb-token-ward-firefly.age delete mode 100644 secrets/rekeyed/sire-influxdb/8196d12330a68e89f67fbcb713703941-telegraf-influxdb-token-sire-actual.age create mode 100644 secrets/rekeyed/ward-firefly/0eff09bca0aa5407477fdab03dab22a0-promtail-loki-basic-auth-password.age create mode 100644 secrets/rekeyed/ward-firefly/59ca141d3c7c82f99abe5213fc3adbc4-wireguard-proxy-home-psks-ward+ward-firefly.age create mode 100644 secrets/rekeyed/ward-firefly/86c634d8210be2e4f069e5168e906326-firefly-app-key.age create mode 100644 secrets/rekeyed/ward-firefly/c3a5933f8184ecafaa3acdb69b0e0f6f-telegraf-influxdb-token.age create mode 100644 secrets/rekeyed/ward-firefly/fa954ae2f809b3a55d9c93ca0ac2e078-wireguard-proxy-home-priv-ward-firefly.age delete mode 100644 secrets/rekeyed/ward-kanidm/60542dbad9f5a1dbbf8cfc65e0d83c02-kanidm-oauth2-actual.age create mode 100644 secrets/rekeyed/ward-web-proxy/90ab11485712f95db2c07814074b7899-loki-basic-auth-hashes.age delete mode 100644 secrets/rekeyed/ward-web-proxy/9ac62b3f616089c30725c0b860f1b3ec-loki-basic-auth-hashes.age create mode 100644 secrets/rekeyed/ward/ca883e2bce6ceff39bb8dc133d3a092e-wireguard-proxy-home-psks-ward+ward-firefly.age delete mode 100644 secrets/rekeyed/ward/f443ca4d40a215b56ee3673f09d46eba-wireguard-proxy-home-psks-sire-actual+ward.age create mode 100644 secrets/wireguard/proxy-home/keys/ward-firefly.age create mode 100644 secrets/wireguard/proxy-home/keys/ward-firefly.pub create mode 100644 secrets/wireguard/proxy-home/psks/ward+ward-firefly.age diff --git a/README.md b/README.md index 230774c..fc45502 100644 --- a/README.md +++ b/README.md @@ -46,7 +46,7 @@ I've included the major components in the lists below. | ~~~~~~~~~~~~ | Service | Source | Description ---|---|---|--- -💸 Budgeting | Actual Budget | [Link](./hosts/sire/guests/actual.nix) | Budgeting application to track income and expenses +💸 Budgeting | Firefly III \& Firefly Pico | [Link](./hosts/ward/guests/firefly.nix) | Budgeting application to track income and expenses 🛡️ Adblock | AdGuard Home | [Link](./hosts/ward/guests/adguardhome.nix) | DNS level adblocker 🔒 SSO | Kanidm | [Link](./hosts/ward/guests/kanidm.nix) | Identity provider for Single-Sign-On on my hosted services, with provisioning. 🐙 Git | Forgejo | [Link](./hosts/ward/guests/forgejo.nix) | Forgejo with SSO diff --git a/config/users.nix b/config/users.nix index 78d5ed0..cb06188 100644 --- a/config/users.nix +++ b/config/users.nix @@ -38,10 +38,11 @@ # 973 gamemode = uidGid 972; plausible = uidGid 971; - actual = uidGid 970; + # actual = uidGid 970; # flatpak = uidGid 969; unifi = uidGid 968; plugdev.gid = 967; tss = uidGid 966; + firefly-iii = uidGid 965; }; } diff --git a/hosts/sentinel/firezone.nix b/hosts/sentinel/firezone.nix index f55cdf7..b2f73b2 100644 --- a/hosts/sentinel/firezone.nix +++ b/hosts/sentinel/firezone.nix @@ -12,7 +12,7 @@ let # FIXME: new entry here? make new firezone gateway on ward entry too. homeDomains = [ globals.services.grafana.domain - globals.services.actual.domain + globals.services.firefly.domain globals.services.immich.domain globals.services.influxdb.domain globals.services.loki.domain diff --git a/hosts/sentinel/oauth2.nix b/hosts/sentinel/oauth2.nix index df7adfb..0acbe3c 100644 --- a/hosts/sentinel/oauth2.nix +++ b/hosts/sentinel/oauth2.nix @@ -18,6 +18,11 @@ group = "oauth2-proxy"; }; + # FIXME: switch to loadcredential + start wrapper. + # TODO: define nixos option to do this for us, it's recurring. like systemd.services.a.secretEnv = { + # ABC = ./path.to.secret.file; # or runtime path. + # }; + # Mirror the original oauth2 secret, but prepend OAUTH2_PROXY_CLIENT_SECRET= # so it can be used as an EnvironmentFile age.secrets.oauth2-client-secret = { diff --git a/hosts/sire/default.nix b/hosts/sire/default.nix index 5d9cf88..960c27e 100644 --- a/hosts/sire/default.nix +++ b/hosts/sire/default.nix @@ -134,7 +134,6 @@ in lib.mkIf (!minimal) ( { } - // mkMicrovm "actual" { } // mkMicrovm "samba" { enableStorageDataset = true; enableBunkerDataset = true; diff --git a/hosts/sire/guests/actual.nix b/hosts/sire/guests/actual.nix deleted file mode 100644 index a136f23..0000000 --- a/hosts/sire/guests/actual.nix +++ /dev/null @@ -1,96 +0,0 @@ -{ - config, - globals, - lib, - pkgs, - nodes, - ... -}: -let - actualDomain = "finance.${globals.domains.me}"; - # client_id = "actual"; -in -{ - wireguard.proxy-home = { - client.via = "ward"; - firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [ config.services.actual.settings.port ]; - }; - - # Mirror the original oauth2 secret - age.secrets.actual-oauth2-client-secret = { - inherit (nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-actual) rekeyFile; - }; - - environment.persistence."/persist".directories = [ - { - directory = "/var/lib/private/actual"; - mode = "0700"; - } - ]; - - services.actual = { - enable = true; - settings.trustedProxies = [ nodes.ward-web-proxy.config.wireguard.proxy-home.ipv4 ]; - }; - - # NOTE: state: to enable openid, we need to call their enable-openid script once - # which COPIES this data to the database :( so changing these values later will - # require manual intervention. - systemd.services.actual = { - serviceConfig.ExecStart = lib.mkForce [ - (pkgs.writeShellScript "start-actual" '' - export ACTUAL_OPENID_CLIENT_SECRET=$(< "$CREDENTIALS_DIRECTORY"/oauth2-client-secret) - exec ${lib.getExe config.services.actual.package} - '') - ]; - serviceConfig.LoadCredential = [ - "oauth2-client-secret:${config.age.secrets.actual-oauth2-client-secret.path}" - ]; - # NOTE: openid is disabled for now. too experimental, many rough edges. - # only admins can use sync, every admin can open anyones finances. not good enough yet. - # environment = { - # ACTUAL_OPENID_ENFORCE = "true"; - # ACTUAL_TOKEN_EXPIRATION = "openid-provider"; - # - # ACTUAL_OPENID_DISCOVERY_URL = "https://${globals.services.kanidm.domain}/oauth2/openid/${client_id}/.well-known/openid-configuration"; - # ACTUAL_OPENID_CLIENT_ID = client_id; - # ACTUAL_OPENID_SERVER_HOSTNAME = "https://${actualDomain}"; - # }; - }; - - globals.services.actual.domain = actualDomain; - # FIXME: monitor from internal network - # globals.monitoring.http.actual = { - # url = "https://${actualDomain}/"; - # expectedBodyRegex = "Actual"; - # network = "local-${config.node.name}"; - # }; - - nodes.ward-web-proxy = { - services.nginx = { - upstreams.actual = { - servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.actual.settings.port}" = - { }; - extraConfig = '' - zone actual 64k; - keepalive 2; - ''; - monitoring = { - enable = true; - expectedBodyRegex = "Actual"; - }; - }; - virtualHosts.${actualDomain} = { - forceSSL = true; - useACMEWildcardHost = true; - extraConfig = '' - client_max_body_size 256M; - ''; - locations."/" = { - proxyPass = "http://actual"; - proxyWebsockets = true; - }; - }; - }; - }; -} diff --git a/hosts/sire/secrets/actual/host.pub b/hosts/sire/secrets/actual/host.pub deleted file mode 100644 index 18801bd..0000000 --- a/hosts/sire/secrets/actual/host.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIARJ59yifkMFmcWWM4sAwhQN6u+H4Bv+VVboPBslHqZj diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix index a56b215..75b1a29 100644 --- a/hosts/ward/default.nix +++ b/hosts/ward/default.nix @@ -13,7 +13,7 @@ let # FIXME: new entry here? make new firezone entry too. homeDomains = [ globals.services.grafana.domain - globals.services.actual.domain + globals.services.firefly.domain globals.services.immich.domain globals.services.influxdb.domain globals.services.loki.domain @@ -135,6 +135,7 @@ in lib.mkIf (!minimal) ( { } // mkMicrovm "adguardhome" + // mkMicrovm "firefly" // mkMicrovm "forgejo" // mkMicrovm "kanidm" // mkMicrovm "radicale" diff --git a/hosts/ward/guests/adguardhome.nix b/hosts/ward/guests/adguardhome.nix index 8952bbf..d4a23ee 100644 --- a/hosts/ward/guests/adguardhome.nix +++ b/hosts/ward/guests/adguardhome.nix @@ -112,7 +112,7 @@ in # FIXME: new entry here? make new firezone entry too. # FIXME: new entry here? make new firezone gateway on ward entry too. globals.services.grafana.domain - globals.services.actual.domain + globals.services.firefly.domain globals.services.immich.domain globals.services.influxdb.domain globals.services.loki.domain diff --git a/hosts/ward/guests/firefly.nix b/hosts/ward/guests/firefly.nix new file mode 100644 index 0000000..c86dba0 --- /dev/null +++ b/hosts/ward/guests/firefly.nix @@ -0,0 +1,87 @@ +{ + config, + globals, + nodes, + ... +}: +let + fireflyDomain = "firefly.${globals.domains.me}"; + wardWebProxyCfg = nodes.ward-web-proxy.config; +in +{ + wireguard.proxy-home = { + client.via = "ward"; + firewallRuleForNode.sausebiene.allowedTCPPorts = [ config.services.firefly.port ]; + }; + + globals.services.firefly.domain = fireflyDomain; + globals.monitoring.http.firefly = { + url = "https://${fireflyDomain}"; + expectedBodyRegex = "Firefly-III"; + network = "home-lan.vlans.services"; + }; + + age.secrets.firefly-app-key = { + generator.script = _: '' + echo "base64:$(head -c 32 /dev/urandom | base64)" + ''; + owner = "firefly-iii"; + }; + + environment.persistence."/persist".directories = [ + { + directory = "/var/lib/firefly-iii"; + user = "firefly-iii"; + } + ]; + + i18n.supportedLocales = [ "all" ]; + services.firefly-iii = { + enable = true; + enableNginx = true; + virtualHost = globals.services.firefly.domain; + settings = { + APP_URL = "https://${globals.services.firefly.domain}"; + TZ = "Europe/Berlin"; + TRUSTED_PROXIES = wardWebProxyCfg.wireguard.proxy-home.ipv4; + SITE_OWNER = "admin@${globals.domains.me}"; + APP_KEY_FILE = config.age.secrets.firefly-app-key.path; + AUTHENTICATION_GUARD = "remote_user_guard"; + AUTHENTICATION_GUARD_HEADER = "X-User"; + AUTHENTICATION_GUARD_EMAIL = "X-Email"; + }; + }; + + nodes.ward-web-proxy = { + services.nginx = { + upstreams.firefly = { + servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.firefly.settings.server.http_port}" = + { }; + extraConfig = '' + zone firefly 64k; + keepalive 2; + ''; + monitoring = { + enable = true; + expectedBodyRegex = "Firefly"; + }; + }; + virtualHosts.${fireflyDomain} = { + forceSSL = true; + useACMEWildcardHost = true; + locations."/" = { + proxyPass = "http://firefly"; + proxyWebsockets = true; + }; + extraConfig = '' + allow ${globals.net.home-lan.vlans.home.cidrv4}; + allow ${globals.net.home-lan.vlans.home.cidrv6}; + # Firezone traffic + allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4}; + allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6}; + deny all; + ''; + }; + }; + }; +} diff --git a/hosts/ward/guests/kanidm.nix b/hosts/ward/guests/kanidm.nix index 7995222..010bfa2 100644 --- a/hosts/ward/guests/kanidm.nix +++ b/hosts/ward/guests/kanidm.nix @@ -35,7 +35,6 @@ in age.secrets.kanidm-admin-password = mkRandomSecret; age.secrets.kanidm-idm-admin-password = mkRandomSecret; - age.secrets.kanidm-oauth2-actual = mkRandomSecret; age.secrets.kanidm-oauth2-forgejo = mkRandomSecret; age.secrets.kanidm-oauth2-grafana = mkRandomSecret; age.secrets.kanidm-oauth2-immich = mkRandomSecret; @@ -137,23 +136,6 @@ in ]; }; - # Actual - groups."actual.access" = { }; - systems.oauth2.actual = { - displayName = "Actual Budget"; - originUrl = "https://${globals.services.actual.domain}/openid/callback"; - originLanding = "https://${globals.services.actual.domain}/"; - basicSecretFile = config.age.secrets.kanidm-oauth2-actual.path; - preferShortUsername = true; - # XXX: RS256 is used instead of ES256 so additionally we need legacy crypto - enableLegacyCrypto = true; - scopeMaps."actual.access" = [ - "openid" - "email" - "profile" - ]; - }; - # Firezone groups."firezone.access" = { }; systems.oauth2.firezone = { diff --git a/hosts/ward/secrets/firefly/host.pub b/hosts/ward/secrets/firefly/host.pub new file mode 100644 index 0000000..f9a633d --- /dev/null +++ b/hosts/ward/secrets/firefly/host.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDI93VlzePCcQnAF3MmgcvfJPhWrLmT+9uWCzgVl3YV+ diff --git a/secrets/generated/sentinel/loki-basic-auth-hashes.age b/secrets/generated/sentinel/loki-basic-auth-hashes.age index 724f4f2d4bad5d5427b62b3d68092132db5c1a37..b5cef56a927d0873485dcd4fe43a473107c7fd41 100644 GIT binary patch delta 2638 zcmV-U3bFOK7t<7wAb(RgIcs?{LSb<=V@N@1Z&_3^PEmDIXLMILMO14K|^N>b6O=Jw9c%NYMZq5+U&v=`=TY-TO6rVv>^Hvv^ZN+ z65K(KuA3i7+T9KH;d+3|7rRlSw18TU@arE2`WiyYynm7mf9Wg

skZ9yOFU%QcnBk~kSQZHAzb$vxs4c3(v9C5*5j(laz3}~}n%K33jgsYIQa3Ui| znA7r<{eRNl4o`^*;D&qMaia51LbUb~ue3G2rb@Ewb=`G-E;Rz1FbOpe6;#QW450}H zUg_mpCtk9~grV#t9|d*kt#Ca?l~e5cx;2wC$9?-Bldp=14#8RJIP@!N^Mnl$hN_;V zySsJ_x$2B@j9p4?65@C$?-@nQX!9C3gV0mV-hU<}XcUzBZInQsmBmAj3o~aMz-SYW ztgN7{>I<+?X+!$D1mYGBAPyjf3-Yru30#nv#!BVK^JYVHDA925T>YquFSu5Y%k&A! zb_5DP5W%U%15n|q0Fb&KG&#M0d0TuLL!hB&#jx89te_C)9f-j!K&mM1dU&B{@CATY%9>UF#w}UEzGXJ(P*!8#=aCBJ1^?qr1}Y7 zODc5ivqarx%Cm7T*v84)sN=3ELD_7ns(-Rw>LULR-Fov)+2c4rXkeOsN)hqw619}M z?y8?*S~|)cevc{5dS;_sVQH$yL&wX7$?XcBr84iA^@S4I!a`@%7JX2d3JkAit_rOu zOH(WWp{d`V_OF?0gF$A-?y1J;-2SKfvgN$LA^~iZpA-yO@mVngHMt@09 zdqgvAzG4R1pkX2`!w#O9G#FMrlCcuQu+2}(+Ksf6F0a+GBjlZ%Z(fL+p_%|M)G zwh@w=xH~_q$v<{0!;%-Hr&L7}m!!}qpi91E3F$5*M?z;KldMe_+qk1(D26x2yrJUVX3L-m*4t$*k86-IYCbMGL>gDaLmy>bCOHrwf2TRs4-GcUIspA`Qf z(DeXs6;ar;=7aKB`YL8$8JFRGnaoy$(g^ zyJFYpb{wEks=;$JDxNja=S?8`nysLvDEAb$=lX*H}_$O47@ zYUE@*hoe+=~J zwSoF$3967vIl?%CkzMeu3(cNsng5xGV9>~ngmx8zZ?XrHfhZuq+Mok_@m!zDuNF%R zL?k)Zlx$CDjUW?TC`WMc^AcpK{#QKuM}h_%a;8LP+Eu_#TFGy66l5`ASyKUkC6M*& zKx_F&>Ik5v#D7xs7Z9Gyohk^oz;YQFwD5}d5Zq9iuXnuXKaW`pKi>y%ldSt;jc=}9 z#+m?=;DCzc8P-VJIKgS|e*=cvf*JLj^ijy9D0;Y#HdQb}bSb`R2^jelH^@3MfNjo! z0){w`sjV{lJ}WORPYcjPDOa~iuB6p&SNi;@q9%}tY=5d&kBKC=vDsYI52tbpbNc0u zT9J{QY59AOeLGbkyB-q%CdQL*4-EPuT>ro2gxJYWle|}aRwXV(H%W5XWsXMXpU0 zNwU=rp?`5*aJ63j-DEd(`}!wv`nY~5bhHaU8%JYJrAKD6?}lh|ZcDL?VQ1jUvZ_}O z00L$4XdM>jVOE!Enpc`Sa^NOswn`{b-;rI7ZMwJn;~w_-LJnY>heeyGzLjI@4;K4g za+F>21_p7JdDr=^Sm{4ObA59wZ8+u`5{O7C)PD&y)yBjSu^SMkIU4qhOqWOB|8!9Q9KY6k#djH}QCv@M}l-Uv2q) zHuJGwctb3zS@xdeKN2vQ78M7_Xp!J wHyml*kFSw66h{9)KEUaINkU+QG^8pO9NFtZuOAdz6VU*P|I9!KUT2*!B_q|-2mk;8 delta 2997 zcmV;m3rh6U6t@?UAb(g)V@6O|ZA>e(1d3s_-b9Hn$F>7r^WI;H2K?*HC zAaH4REpRe5HXwL$Q)M_&AVF_!cy3fzIdOGMa#>h#PEkxZdVfz-OHVOkXH!#7WI<9i zVnR7^Q%G<{Wl0KXIdOC~Y&lwVc58ZVK`%*Kcxg&dcX@Pkc4Kljc4=yJNm67ua5H36 zdUpyfJ|J*lZfRj|ay%_(a%Ew2Wgt>{B{MxcD&c1|$IL#RrtrW=ROpJsN2bVFbsufCY2A58rM=sW_85~y1_U)_U-efec8_f$%`oGL z-lp2YNPn)ei+?*Sxtq-4HQZC5bBo7NSWU5jXuXNA10|!sNqSAgP{w298dtmD^VGZM zjn=nf>o}=BBf8Zu$9c^g6AqBy+7HZFo&jz7c2ps8SM=E30f-8Lekw<*;XetFB`*iX zY~mrsKU>bJPnFrXdxF&l=nT zfcC|nU&1iaF+xa{)_6zn0F&+zz0E0xo_{DdhV9+6(hbNqQWQ-_d=q>6V-Os6@apHx zQ#hPNMqu;;?kMC**vz(=<;WK&T?>uf((kIi+!wPeE+O%cHI89^2RRXXjB*RHUP{fN zHh5ej6zkkP7TbbB^-8QaUlNHv{goPluU0Aex|Z&*+n{I|iBOQw3}(Ys^6C;;G=E`( z11u}R1PBgNd$*tWK~9-MxuCgpWXuqbC49(E4(r^8MyYKo8IAE%AiIK`RfD%0+oy;XuG8TL7fNpYgfAlZ?c&O2_nv;q}3q{bO@!}~AmaJIpXf7c18V~TpM_et9~ z10@ac<|2#CN`X31(ZtOE9;>CReTpB~C-&5!MB7{`aM$RcZ~Cz)Xh{agkblli>A)*X z@suvFK-FV#AVrw#6bP;AsH46$Sa0Zhi$3$^GNFqX5iDPKOK}a zUc;C}{r(!%Bb-?Rn;ZS0>zwr!ViPmY*@U-oM_!h6Al#)wUJh8}Wd}8-G+!MYt3Ak~Nk} zQlL9=XY^TGGBUX1`i$MDVz=PJAfoBS*w~J!n6kb8eO$a6wOC^aEG`s2>@^rw>FM_K zdbA#Kuy{?)j+CU?N`_Galy@o;~>PxzdJt>{}<&&+X-|E97(aSL)?l*H!dA{{}JhoKe$2)E_* z$%B!z5xgQBsXOa{it*A8;)%l!gCH#_rnpOOj6MNvc@SziPJdnJMl{h_TcEYpDtvLH zJ7Q4EGx$knz_U~cUasNwAM9c#X#{D)wr@dSL2&c6;0ZC}crILx{m?O6wOIcPBfJiv zT_2elA=!ugut4$uO*=Sv9&w@iHJE@W-2cAsXleeKW*~8u+piMr%iu|5%dt^Pgf8x zWVN~mbix8r{ck(%gh6}d=)y6r)x;y)I<7PeN_!!UA99Zz1^kwg%i{l7=Q9`mKJO*w{9E=-~&x}=oIFD zT8-&2{Lm00_3X})8D9;b&y+}bvxi98k0O}4MaC`5tMH=aoPp0plXnAswy@4%)ZHKY!s@ydxujIz!ba zENY|-Gtw@x#iMSJ8z88pO;sxQ*V8NZo;xd+FWVAW=z8Qj#*w20rst61A(37M57L83 z1ePV;bI~x|OgUM4*SzkNZKvcQC?pj@?8ZnBe1FZZ-%>$>va*h2J^kE!jADR8R+bY+%GD?DrYPVTV8?^gw@v36ABEl8I?_g{IC;kh-rJ^nIFA6 zx}WjBQHt_Vgr*LNt%Eh}hLoC6+*A0N#ASPw{GWes?_L6E zdxJbpL2)!$oFbx^ud!H{fGk!>un?$)Od;cvxe~R+3k>CHTkWy}+htFNI=V(>SAPwA z5zx~wk|MbKtya<6%^yl@GUd*hgV40?7l)$qd&ov$#dg5YZqDA%4o)b?@x9J1vh^%> zpgcupAZ&7Ly@q3LQN(GYB#B9DJ-h{tf(E(=m5zCY7F56&G=??ao_O>OS%WNzsIZ-8f^~{&@Q4M(cKLbWC*U`ymJkm*!YM_#V diff --git a/secrets/generated/ward-firefly/firefly-app-key.age b/secrets/generated/ward-firefly/firefly-app-key.age new file mode 100644 index 0000000..8d380b4 --- /dev/null +++ b/secrets/generated/ward-firefly/firefly-app-key.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> X25519 K0iCGjPk+lIfakWRt19tUebknIoPk7CRKQgJxt6543c +1TTIJMkKIBC4mkV22/+DL6MonwX5bSFnHrI/1UMBxOA +-> piv-p256 xqSe8Q A8TmdnrAPXoyy1s69kIJ4+UDB0ecn5BGj7AOgyT46x+A +3IOxV7OkgkCq4OBN521ONImxkbZ7CA3rXcYixF1T0v0 +-> IMt/c-grease +3x3A2IBsky5I8QkGvxAv0Sf5+uuTdrLtRGVIQ7Kx7/PgZJdHrEVp7brTImvGHa7U +7R3tyMLSVAUq0fje5TuY+qt5iovMFvN9Ju9tXq0TTrR8oMQ7AuRTPVQSZCa8Sj4i +46w +--- xqksX/NXpJyr2omtpSxWZT17lzp0JsGVOAwVF3qmS88 ++TyW5*gP$G@R*<ne"p +#Nΰ|GOpA8x)-&_ \ No newline at end of file diff --git a/secrets/generated/ward-firefly/promtail-loki-basic-auth-password.age b/secrets/generated/ward-firefly/promtail-loki-basic-auth-password.age new file mode 100644 index 0000000000000000000000000000000000000000..386e73567c9db2e27bb1734a01d15987aa0e4626 GIT binary patch literal 461 zcmWm8J&V&|0Kjo^%qF6%*@{RmeUheW7x76h?d5WLPury6P;*Hx$&zYeTh2g@+@L#2o_{vW=w$ONNo=M zo<5cX79xQereK7PF*!UI<)rmU3-DfHy3YjUf=%OA95c~paZwFQw9IH kIezp0$yw*qzs;X5UcU9^!RHs>!fSV4Kh{s&m*1!V0Xhz%7XSbN literal 0 HcmV?d00001 diff --git a/secrets/generated/ward-firefly/telegraf-influxdb-token.age b/secrets/generated/ward-firefly/telegraf-influxdb-token.age new file mode 100644 index 0000000..7b0eb97 --- /dev/null +++ b/secrets/generated/ward-firefly/telegraf-influxdb-token.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> X25519 HgSF2a9Q3nwcydHrTdp+3OCofuM0icQ17MA20aZd3Qs +psZ9T9mQRBWDK/AEZSZaYaLX9hLaarWo3ih5TdF0KtY +-> piv-p256 xqSe8Q AlVUJIsg77JKUuLZkd3QFdVaJxZl5y7pQAvFu3hS7DBO +3GySsYAQAuR5nYJOKQ49qLBhZy8H5ozQ78dyAZuqdDw +-> -?_-R-grease +TBgbQcVKKpCzoOQ1IJhKN17FQj6sC6g/0ZWWilWPfJbhGRZBocynl1o4H492FE3k +NUjMFQFOY28JlHX1N8yT8T9AMFYdpUS3hQ +--- dFzRUdI8Gc5FA+zFzaGpWNV4s2kQFy1neRt2cyTGiTs +yzf_T(ݨ{ j֭!;Du- $ֿ 8 +g\XdIQ>" \ No newline at end of file diff --git a/secrets/generated/ward-kanidm/kanidm-oauth2-actual.age b/secrets/generated/ward-kanidm/kanidm-oauth2-actual.age deleted file mode 100644 index 654c68ecf3715d35382485c103141c307375b527..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 416 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR2FFfuhYv{Xnh^$*JptT6R0E!2)kHum#3 zwajpGa&${f&Gtxks_=8J%B%>tD0VXqD(5Q5G0yUEH}S5@&-64e4=O42GYyP#G6@TH z4lFGz&`*y40;F9fJl4@S) zk!@^|<(cMDW?tk|WNPf@uOAi=k({5E8EG2KmFVkh6sBFOt?%a(XzuD`=@^iknd6jS zksYp|?ww*aVtT-*#E8VN8I5g3MD`i&x;-n|xJLS&DU&@;+t1Kq6;~ewVxCK+Z-^rZs zXJwe&c4PS}p$lJr?@`jLoiXuqafb#+@17|or}M8$|9pP);L(e*e7w3-WX>JlQ^!^E HPQ3>J{XdjB diff --git a/secrets/rekeyed/sentinel/5f448f5955218081b5b4b19316ff9c31-loki-basic-auth-hashes.age b/secrets/rekeyed/sentinel/5f448f5955218081b5b4b19316ff9c31-loki-basic-auth-hashes.age new file mode 100644 index 0000000000000000000000000000000000000000..51d8015df9766f3d156d66e57c1ab4fe0a586d77 GIT binary patch literal 2575 zcmV+q3h?z|XJsvAZewzJaCB*JZZ2TO;dTTT>IaFqGX*F4KN?L4JF*FKFXh|_bZg_Yx zF?nlxOEr0UXmo6ILN{qLM0!bOI7};0Z%a{RYD`mcI8h2MJ|J~wXeQY%*GBc2q?$cS$%)QF&rAMr}uOQ&|cvEiE8$Q*(H8Xjg4lOl){iP&HO> zMQSfoVrEuZc6w(*b9z>9Gih!wW?D)}NmUA!KG(FL3t_j7&tt%_cvSo_wn1giW{qL> z=Y%5{dJJ8p>K&=V0o@C4~dL-At|5p#UG7sfH@}0JC{_w+7Mz4u{m6Le8HoX!`h9ataA-aU?7@+&c^CkA{zYW z>`(dphId3RDVH?%b)WxE>$`}SI`m!9^dO?t=k=lIYrj;iWAy7cp_xZj9sSk8nU4F?KlViKQK4^;c#^u6n_7om6sh(L)WXK} zs3|nhF$&dpc7z9OvuQah<<^Db#DU&$Mn9Uqo?}B#bS3eu@9zI)#uy!FC;1jUhJ-Ux#yGad}>jQOZK;|M)9m5#C8TmL>?^v;$ zpLDbl%eN*n;xpBQXL#AWsDeTowM(lYxKv*C91(-txIw0YHq3I8D#-E5&d?qK)|%(( zbPnM}aJ~_4ioel9X;#cCyW`$#87cE5K!XNbHkJ^@Z?bmyec%0A7I>R$z=Yk`=9w8r zM$#w+ZEJX#Qhw=izg~2VVX1K5|H4y2k0?Z9eeIT0Q~75>Q$Md)g}#^@EM8s?m~tjz zh{D05m(jb}-tV+5apE?MESLfWz2WU$DL?@J1ZFEnL^ZxLgLs`{Y`@&tTm~+YiIuW? zf#m;F>c!;O1@VAXRO+GDn$k%%jx;-8y@pCl&VrQnZ#+0s)e;{WEUQ>;BhTRu*1(d{ zq=?gBGA&9e2Tu2?IVYYJ?^+QFogf`-4QkLa^j!u>-@#cvEYq4el4jiXYEV-MGxh1Z z3KCxsp}@C@AeX%l#A7`$R8Y5@ECPuR(Q`Ajuh{=*4N5*JsIb7JBlaG2X))rE?<^tn zC9wwqxlI9rDt0p;Peh^Qb(~t)|A8VIY_AlBz3!kE0758*=@RsNOEt7>Ahin~o{AS) zcI<+`%3&Lb>Gb!v{3>C84NiVw#BuC`!CBa|$@8oM>2E{1*)e8F-m|?DGLv@dO?95!i)gFJ1Ss6-xZ# zrQFGV6&&raJf>BzHWbM1V)7}-{_8c}77de~@_)W?9(|GfS&O7|w=?TT2Jdk2XVca1 zO{3l6s&PAw*{@j4tuC=3Bp;ah@vd*vcPmFs;3K?NoE0Y$+bAOk1cC)ij1UR7E&OL& zp&&&`e&Re}^h(tT*(T7QxrE5V**KJL9#kwOp!AA1I|LX2wAngNr8kf8=e+xFL6>u( z2sk!=;j1`EB}qVgW==^*O^0o9ihA9}3DwDzZU6+Hp$m=Jwy-aoMtXP*D*F~c!1Tns zJVJsZ(m->)(X;lyT4LdtQwW3D~8MnvkdN&Xqs&7k!OpESGil1HJ z+y+}y1;b!U@*;>Vk{xonBTNS8?L3o-y&Vl^zT@HSRUjk9jfBBuIPsNFCX);4-%%re?_2GweKfn27zVK{5eOx@xn-{gPIPydsi8~tcq>| zdJw4dBk=rz?D^f`3mXsy)R)HWw3aFYXPQt7kZH^jp@k%1GzQI+g3TYs(tQOmYjC(- zsCI~lt5aWH#J`l2UhZfY_7)Hq{68yvg`HojnBL8-DPRG@c^s{aG)~!}06d0bSel2# z5b;^4L%H^4$$t_uce}0ojxLo0V};!f-Sv!F7OEA#fd-%Gd6ok1OUbH;wl8_L9P7Je zC@Y68OfM49o^rq{uSc5`QFxoEqBd%CnsV(XQAp-PJNS0%oCPdDCw#cl0#&2Cj-PKT zd2bMThp%&jlj){Sob`6>=)YQ!dC4?nXZudSXxI4hYv4xIg`ZUp+@xZ&ExfPOXO4RS zT2aDz`j^J!d|xlQ#?(6Ija`U?+Dy_`*Sy?I!;iw{ZMc}47O`C2zLC=@UF)3Ckm^b_ z6}}6ydnXpissuZoHooX6OyL+4ZE8Dq=aPNkjE*YHhN!^7K)`a$ha13wN+aWvK_%IC zckT~)E^aosB{xKKqNFMKci-1=&Mh{4?Zo zASZuIRN=lxD9;jAOJ4YS&C&Qm=+ULxOJ)>mx$%GTa?o3ll?~MWM^*5S@j)tnuwg0p zGMKmRe~%+UvC9z<{qWFi3PJ$JH<}UDLY<@s(I7n8T9A8t$#rd=ujfI;Pz6MYG^A4b zLSSwrdYYM*wl7MK9|zH7-g~`1lkfJ&qEw=CVfQSu0mS;=CHkm%vMKPc%=Jy!@5LnM z)3H^;*eTIhtYMo(M#CHO#+rEzD{x0HNK_+AfORWHRDfJKw8sZ$s7Rc!48ejKawYmW z{Qz<*b&9d<`VzfAZ8ioF@8*=GIK$6uOX$k^>@i7*;4aUsbjKgXl7dfj_kkXOZGquH z?B8_EH~ri;F?DnmDcdV;k5QE@Lj@K&*jf8j|_3%^9pfr l+z6;*8kG-P&kFj)$1b!a(CYiw>t zPDeIWV>L}^NO@FKc~)mOLv(jZYeQ&6Z%|n@NkVonRapuxJ|IzfJU?tILPafSa%Ew2 zWgtW#VhT5GYDq_SL1Jh)N>6WVb!{|vQbI~aQf6#9LN-uWF?Db-NJBDgayCayHES|2 za6@fT3N0-yAU91-MNd;zIb(QXcW!QHc2a3iYc_a7ZCPwmP+~}EcVuxjR98eZLv}Yo z3IL4Da=5-GTpFj@j{B%IN1`XTHIP_D+}~|v(0_B3MbYKd6}Z>SbDyn;qjSUmWJ7G; z6qria8vaBavEg8iUI&=Ulg*u3urNN_(i!kY(k5G0P=80wkqr6Gw@`GNL6Vl@6bNc9 z-H7O3&uVzyLuv4&P4ku%uJVE)wxU5z5|(zDix+j}Y4GJ}D}i z)V59YsyS0xoa2!OLzI8w(2(?q%{hC_vH-Fz!qnT{rYZ>^WALLi_Yf5Djei|dtB3ns z?%%+iY4fhHRSVE?81lZ7SLYMk#n$QJi6g4vNv>Tdp)Hx7ui*n<61W?A5NQCqW<|<@ z`A9`S%@VDJ1~Jkc79tTXEhT;GS`FzHFy%hPHkBz5k#{{%y^~YGAtj9&u1KUY3nh_X z-Jfe+0DlZ2+zwR2VJMb%c;_lEabD(52U9NGNtnKBu~yf&6w}w$#B?HdWJ=xGW>R`D zhbN3lbq?ut)h+duxmv9gc!22$x`+U1oez3}b)Y)@j2!!?aG0F=pRorne{+J8E7dMV zI9JSgB+lA{|2aFo-s@*lr7?~@{6P)b{FhzQdZ34r%@Xr(r-+on8vN5(=UW$r>eR`Q zhE6-;Ok$3FTs@hW8B+o`qxSt(*93HD*d&ymXs=FQ+$Z4PZJ-FbI2O|-aoL6b#W7?v z5Z3mPj+b5Ew#rLYym?*{s=Qo7HvRDi@_6hgK^mkxuZVUKjGKy+tMqdN$j|eoZdO!+ z4*LVNa+R=ZX#L(TMLyy!QZ4reJk^fyS)FF7<`OFfhC+N|(A$vNqObcAHU?By)Pe({1li z+na*Pj{vl6nL3&*{{_U5TVBn&)O=4OHw~F9}d zJ#+8sYg%9YxU6rFl;4{v<3yW*PB(wdp^oU}<}!bSmiW_zHW=hACIckBDX6Y8tmqAN z5;C3Z5aq2gf6QLmHx0o`1N1oRH)eZ0XLdhVq|D}$me+ni4a&pF?!@IljNB;wKgpnL z54%(&B?=q3Z)*EU&Vfjh6X{xD)d6_Lly1MHua^6jox9WZM@E8rPl{r<&D7;h?+E}BMl1m+{(K0Cn9tO5W9Ig0$F!&mcFrPW zbqT2eWXEOccKG0on7-Ohc0R_|JN^toP~BWV3P9CYmn=#!nYJC^$X3D;(MwJmkWzL) zc|b^mkBW5!xqPp2U*&K_@Yp_K5Fv;3#b%S%^^yoAp9Mjk5Wjt5N23oMrKDFoRw^rY zmpO*f`7kJfwL=SnU=v=X%L2^{3?BK_bTziU4Kq?D><8Ywb&eKiy*h)ujEdO+1zA9^ z!hL4is0F~YUkaGfWHYHDpu||EdfZEz61U?oLZeWu6y*Rpq0)5F3_mOogxHu_#8D?s zo9p6ErogxgHydO5A-I^CI43_aRJUHWfW4GZvJlx(+u~1ky-)@dDY|fS_i8-tGHpIO z*W5sAXVZR6k#J_8;+#{{`wOR9wYZOc9}E_U_{f_kWCgK=B5~+hh?lj$5M%g0u7t1x ziU(=yPhepTGH1_Ug|s}<9Y@(L*1+qraLV{#bs*1SuA9`wcIVpN(&*HG%8JT`g-#pT5cAOP#g}TD*a#1V`lcM z!)W++$-zz&kA7?d)L%57UUgcSL(b$tfZHvra8qrKC-o=EqOQT>aF5C`lQU0YhR=#c z95Dcmoe@i#^x&EBItg)IZS0$#PrOYuvt0up;la@&n*5n~Y`8;IxHDZYSX zjj9K#0HJ&k?fk2B0hZ3vb}mFtW>ffk#_j37bGGM`4V5#$CjJzk7p`2OU&YM29`>`E zdE2dd%vl?!k?@+b?`X2Kg3be=iR4cmj$e-meXC_&)!pN?rH}s7?{Y+loBsvK{VfWvvQND0CwxdpQ*fYA=hU~{M&Ne1+zpvrwlB42^f|k8P{Kgqe(m0_^+69gtxw zR(1fvwya^I(rTAUwUJ#0v$Gj^s8zf!F%IeED|UNF7ZNdfn5PJ$ESkpV&6 z?jt`Zm;T}effKd9i(dt6<~*KiFJ=z~hH2Zx=$ibF5CErSJ2NuzM+3Km{c^hNnL94| z=*~S4QgxPCfMC0$J%ndN>%~i1OGL!&Y^{;#liRSvw-wbi*nY1eM|4d5UJ&tRC$92h zdWBeX(^j=}CX!j0Ee@Ki88@+buJ2xlDEeZ>Suzvd@FO?7zpZ~#$ ssh-ed25519 1tdZKQ PhTEEKU3VbR4jKOq9yqGfCXI3LgBS9tuTniqQVs+qU0 +ZDzt7bQ03RT5W2hoxsZTrQI8PuBBrH8UiYHpVox4YU4 +-> GCS:-grease +H0Poh145lWvrCYnOXCFt1VJMpwGK/Ek +--- z76MlfKZZvOBXOhvmWY7Am5nnICI2rhS8fnNpXfj4dA +1$~[>ػ1> u^\|K^cu*gWH7{.!:)s\x \ No newline at end of file diff --git a/secrets/rekeyed/sire-influxdb/8196d12330a68e89f67fbcb713703941-telegraf-influxdb-token-sire-actual.age b/secrets/rekeyed/sire-influxdb/8196d12330a68e89f67fbcb713703941-telegraf-influxdb-token-sire-actual.age deleted file mode 100644 index 632634896992a164aa73265e51977fa28c81f098..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 355 zcmV-p0i6C}XJsvAZewzJaCB*JZZ2k_gRbvWvazRRER5?Ur zFgasFM`>0_K{;h-VRcP2MoD^fQDRbQNO@>OMNvU-He(7cJ|KQpL2D;pJ}qZ*Wnpt= zATB>3O?xn0Zh0a?3S>5UZgDnrIaO^;Z&!F?Z#GDJO*utPQek&=XKQ6pNN7W7S7Uff zb!BsTFL*dvMKNtMO?P%@a%ydDO?6RY3N0-yAa^riQDJggZ(&Y#F)K88cVt>;Q8#l& zb5==uZ#Xt+GFo~uF)KEBGjT*g3ew$V8K$SL&!{)zoZ63!vZq&mo9pN+XM<@Tbb7f> z{GkpkILiPlRERC3gt6iQ#fBTL5eG4H=egwrf?8+6H>}UIn ssh-ed25519 iMlJww E5FqXO/vzW9DHo9fCSAMUKWmjR8MFXpU3XDnRa0EJ28 +QMY3FFVIMMA7hkzgt4KFCZqnceAt3HX5nBgDMHaOoHI +-> 9eg'-grease VW\g2`l 31z" +NPUdagDQa5101Jc+IJ9q6SC+91YOK+k +--- iBSbWHLrGSanifDuwn2dobAwAlTRGEt3wNWshz96nNA +q38ng:}o{nmRr+edNz'`s[b(Ϻʭ5 \ No newline at end of file diff --git a/secrets/rekeyed/ward-firefly/59ca141d3c7c82f99abe5213fc3adbc4-wireguard-proxy-home-psks-ward+ward-firefly.age b/secrets/rekeyed/ward-firefly/59ca141d3c7c82f99abe5213fc3adbc4-wireguard-proxy-home-psks-ward+ward-firefly.age new file mode 100644 index 0000000..601123c --- /dev/null +++ b/secrets/rekeyed/ward-firefly/59ca141d3c7c82f99abe5213fc3adbc4-wireguard-proxy-home-psks-ward+ward-firefly.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 iMlJww Z4Ks4fk4VNuB+NVnmWgFGe7pUdwaOEIRjHhxldrS1Rg +ryrr2czYVoljwgokZ4SueF4K86Rn5ZQ9hryeuxgzD64 +-> Sq1*-grease |:Mx~ 5qJ||" " 6!+(,I +7DhAuAnGOTWQ/3IeVR6GFBQ +--- MYFaGCLMR7pf3AOctnWoff2GI+hJ68QKO9Mh6/qPFEY +,A8> tcߎz IF*slìb Ȳ"?$87{4fwc#,!YYƾ \ No newline at end of file diff --git a/secrets/rekeyed/ward-firefly/86c634d8210be2e4f069e5168e906326-firefly-app-key.age b/secrets/rekeyed/ward-firefly/86c634d8210be2e4f069e5168e906326-firefly-app-key.age new file mode 100644 index 0000000..2c31310 --- /dev/null +++ b/secrets/rekeyed/ward-firefly/86c634d8210be2e4f069e5168e906326-firefly-app-key.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 iMlJww 2JAtq+eRbq02hjI35LQX8swDM9CHIlk04dSbWJP3zSQ +QEb6tHk4JQPXqqnYY/mY9CUB3IgzfjCW9ovp2sV1TFM +-> @-grease KM$g *!O` +izfolg +--- WILRDX5ScwJzlzULjw9xiiLn4p8wrd3wUw4h2QJCYeg +:g[XO]Jn}5F2-Y<Ǣp؋nXCoHU]V/~Q. |a \ No newline at end of file diff --git a/secrets/rekeyed/ward-firefly/c3a5933f8184ecafaa3acdb69b0e0f6f-telegraf-influxdb-token.age b/secrets/rekeyed/ward-firefly/c3a5933f8184ecafaa3acdb69b0e0f6f-telegraf-influxdb-token.age new file mode 100644 index 0000000..2486ad6 --- /dev/null +++ b/secrets/rekeyed/ward-firefly/c3a5933f8184ecafaa3acdb69b0e0f6f-telegraf-influxdb-token.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 iMlJww CTRuCRd64uojf1Q0yisBkwEt42tLLqCA0X2Umw45Y3A +UcSTnVKmw7nl9Apg/ZZcGPSBm/i6AIrD82QnPY+UnVQ +-> .$Mz#d-grease f-1BU |@F!=+8 0s`)Z 9&5 ssh-ed25519 iMlJww DFczqyym2mmSZTWehkkvSPaNf7q8biiiEqoRrilbEno +hvzfFRr0rpm0pJU5AFa1LOJ8QFEBgc1sU8LUbu1iPQk +-> h;[-grease @z] EChs4o3 U`,fK; +VX4FqvfERRpfAPCw8F4D2vdVDuhS3FQ0Viw9G/Lp4Kda8/u1/LXxcCRSQ+Mvuj/o +QCOdco48EagX3CVp+a6xuPNgaxgopMgkyQr2nmvXh0W6r1s +--- e0ODGAsNYbD8EWnZgZ776iHi2Y41+zbAL7jDo2InYQM +Io;;Z$ȅ-\<ͼRPmr7JB};DlHdꚀ2b|s^D \ No newline at end of file diff --git a/secrets/rekeyed/ward-kanidm/60542dbad9f5a1dbbf8cfc65e0d83c02-kanidm-oauth2-actual.age b/secrets/rekeyed/ward-kanidm/60542dbad9f5a1dbbf8cfc65e0d83c02-kanidm-oauth2-actual.age deleted file mode 100644 index 82f4c59..0000000 --- a/secrets/rekeyed/ward-kanidm/60542dbad9f5a1dbbf8cfc65e0d83c02-kanidm-oauth2-actual.age +++ /dev/null @@ -1,7 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 QciEZQ VcWKLWPg9nAruDvA/KXaDefLu8SF7PbMH/FJRfHteFc -1AvjkdFCx+2nqE9qvQr6/2AqxUuLgm2q9krLZ1FVqA4 --> V]-grease gujG %5pig -jiipvJVY7Td0OMyhH7nTdSf4EBwcKQ ---- eaCRPI5enSnNczltwLy4EPgf1FRgUiBxL8BoA8vekh8 -̖mI["O!05giSCZJ* ZP*S^@`j /? \ No newline at end of file diff --git a/secrets/rekeyed/ward-web-proxy/90ab11485712f95db2c07814074b7899-loki-basic-auth-hashes.age b/secrets/rekeyed/ward-web-proxy/90ab11485712f95db2c07814074b7899-loki-basic-auth-hashes.age new file mode 100644 index 0000000000000000000000000000000000000000..7c51e7da58b45948bd5acbc38557241ae2706282 GIT binary patch literal 2577 zcmV+s3hwn`XJsvAZewzJaCB*JZZ239Z8UgJLvIRWW>soLb2dXO zGf`7VMrt-yK{PN;NjNZNWmZvUaWXSTOhjaAYc^tGb5#m0J|J0KOFb=Ta%Ew2Wgu-M zPHHbB3S~`tNH#}lF?wxcOmJ2-N=#QtRZLiUMPWEda%n+YI4d_nYj5Rti#L9u#d2B5 z+19}yjudw|7|g^PwLSE}GIjn2CQV`}N*j+Z1xwT+XZU8wpweu3lZ19)ehD(0CxcY1 zWJq>p0l4AYfb%MZ^o{Sk{{50E_mGFU*p>A}HD^-SDR5wmb!lo|of73l8?wJl`xvnjrT;K{)sOd~T*02_64Sj*!NMdT3soqKbW z(XhdWCod;VIkg3wXhsuW6s0Zr?X`hv5Pt525dEz(z|0GYaT8HkN2RdO3j^C;bnsh- zR=VhD3?`|(0*vq!R02=*H^?apFDA^(UtRtia=fq91}anh(HWox+RZnm@i284AKi&f z4F#7;0D-+i@lR8rtz+qKri4H9#QALa?XiWEWx8HiBxtidbkj#Qe)nS?BZRflsJ z(4H)aQJybgdCTm`g%fadc}unES0#FyBL-<%I@qG*i?>uN$$LWF$JmdETCwVuM`YNX zZZCLW{q!2QaUh>Zu)Q}S&U*_?nU=QHPxCP2>VmMv?XQ~atY%d{PNQMn#f2SBt<2-% zftuo5$8t04;x%yM3I`saO@B;7nr?A4Y^Hg}Y{O4W0)}0x*mWmxEp#$cy*OoM$0?Nr zqG?l^u2#|mnbU4zwC%Y9@$lu=E3*zz_1?!*`pneQ%2Na=7lSF>32!LeChZ< z(7(-V?|3aNF~2-vha7Ha;e-5k)v#e|UjOT}oK%a?&z5O1K-k#WyE&2e?;UtOfYI@? zp*rf1qu;&ES^{izVb%BtET5iVj$U>0N$EFm7}&wt6LFfrTSfN@VOmAx*Ekq+jV+gp~w-Y!~9xk4mdq-;tiF_I(fK2 z#>scn6@wvJh?QJMVs&mF+Hk1TTNc)rcgUh*PEIFj>2JQ8`#IV=NoyxLmvh+sPWW0lCw_JL{`Nv<@+>E<@`A<(Q*wdPSJI$8U z$I4ZkUV#C?&*%nhFLxidT(ge~nh&la%2>jW*~nng8B%XO2(8l>@y)#h0htzoh2&qv z`|lXrCW4ro+OP1lozJ0AVMi;tXl6gEZHW04_+O&xsf~^uza>A5^BQD?pbF~`rN)29 z>$HtwnkDAn01@ezvjm@un)T#-uVAQ(L|pp=ysCOF({;@1o8sh2^N4!LM(J;9zxnV$Bxnz&EepQ{x|nfB|tEH_w|r)S05PBvqlG^g({awZQHrqw3&d( z&2fq9+AGm=gWyaD=9w~|12(+OINPDB6Zw^)#o!W7F_5L11bXa{KBJ5rr#~+2o{x5v zNH<--PAWRZEjC0Z_qp{J1ng0cS7%1tUF*rJObUo2zrMU1%CG3YGd5(JwAvR*^Y3rJ zwB%-DyGW3w0&spKWoA~!wV{w1&ZEfLq=3^FY|@w+HiW9B;lt()4vd8U#D+Cmq{=EB zvt|oRg5A&8;g2}9hf9Z~5-DYGzoUTTO$QgPTc@Dc37m4mRF#$1;C%Lnw-YVYOoB>0SPjB)GYtoQ^$t2%;>k#9 zOd?C5Kt1!zHeS|`Jf%p9dFd^m6Qz$rn?8hgrrh#P=Qy#u1d$5J*~M80C}6WTfZ@H6 zTlV;Ttv!5KQ%e*OcY4Slm0k>-n(4-C%SZ3oK_{g|3_2R46sEq#K^;>c60d#`AIou< zne=#&NO%rcO+T96AJ9*rXKk!YV)?PREpnTNffV1lunv7Z)B{q9W<3Lw{ol5ngb5xK zgleHMS1D`xfL*bsRaEMaIY%N4DYXQ(HwZ>ZnY}c#EdYm^p^pV_UIWspcSp^o^En(2 zJjh?MrEp7}aq%E(!J5(bkm2m&52i%C5-@+*%Z`AfZnq%s;Vb#3MDIB71bRSqOKn65vZG(5_OiDw{ED#ufIA>|tX$Yg(}DY;XT zsh`AS%QX-!uwDUn?O&A==`v-{bu~MrrtFUo<@elzwh6ndt>x|2nc~{PrQsa^52b#1 zDD;nXnryI>UD~5obygE)g?5F23g{xYj zTWei;vk;>m1V!?l5kpZmT`eAkaI$b?dYu_3{{hK1q?jUDyOm*o!JkI9e!8e`$q1Q> zhQJXnA*`xuLM1&WcgkZ7h!Vj7PUe4@zqwT_J7HL*3xQ1%)ZeYV3W85e&yvrSn+@Nu zlk1dpP3j@Zzunotxp~Zg2<B;+fymf;(__|t^ohLCj3j`w!Zt)Clu^|yv`48BYWoMCN@aKe<_*qxS^v`}WAMt^ zVb;;Sj_kb0i$Dr|DhWqA2jt%9$uC<2Qjr3~G$I)19`pwIxX!&R9xxWO_5ybhFI1)x z%jPZCuL~WS>q@x@t`zc0q}6DE0EWz literal 0 HcmV?d00001 diff --git a/secrets/rekeyed/ward-web-proxy/9ac62b3f616089c30725c0b860f1b3ec-loki-basic-auth-hashes.age b/secrets/rekeyed/ward-web-proxy/9ac62b3f616089c30725c0b860f1b3ec-loki-basic-auth-hashes.age deleted file mode 100644 index 8459e4c29705d4070f12afa034bc879ae96f1030..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2902 zcmV-c3#s&BXJsvAZewzJaCB*JZZ2G|TdS?o0K~-*dPit#6 zOlDSBWH>`(c11HYS8GIiI5>JtQZ+b3Ol&kcYE(jHY-b8BJ|H7QI!rJvXL4m>b7dfT zAW9%DEPHHpV?YWsc{4UcbZJ#VR(ecFc5Zh?Phw6?WOZaVW_C+>NjE}uK}B>(cPlGJ zY;;j?PjzcVOF?N+GE{kDQ)5Y4c|~~&bXr$7M^OqbEiE8RNK$fUH)u3>Hg`))Xe&@s zNM>0>R#stmH%Ue?K~rOQF=aJkMnh0_c3BD;h8Uv?$zzXGYZl2?nv(H>i+=7KB^tS) zJTJarHDYJYtDz8qW(8bsMaiYNFf(MjsgQU~SbsBc&%P(52Rt29K+pu!Mlh4wL5KGN zJy2dJNqU;i7%a!_cJHYkEmK6VPJU?205h8AX!WKcrv%a^t4(kwZp4S9DpB7BYieb= z@S#ZhId!p8j@Y)6>w6lqPn2!D+Apn5)+Yqb4J{OKjpB2oc4wMeLHZ!N3i~BEx?F{f z&MoWB5FW`!A(0S{H|iXPKR=EC7o3%oHB%Bf`Nq)F9PRUye{U0jyH&sCQfXo3u)wA2 zm5G-}q|{OqYGr%pZPQ)lk_C}d!^-EJ)NRIct*QKpW^~)QySf|n)y-5rSH945xCl$# z%`{oQ`fj^fc>%uNdNr2{U-!=qO_CwVu}PrQXO38`iI(zym`N0mGJv@G6kEeX63Or& zY`+?z-b4u8F*w6qD?tC zd%|E|ZMY3DT^{UY3d6BHAU3@kUaN4ulc-d8#_aK}!$JK7j*7-?$<;?-r2~HRBS>6h zjabTlU7}RHvw@ErjlRKkt(*#Ou#Y}>VNE4waNRE2-0oic0HR&qniUd5JY{|zK>Yog z-75oqE`--hVTx2VMQ@oY_kL5)tFetP7q+|NIby&Ez2vx&4lm_h*zJ|{X*LkYmb;Si{<@Ahy z*&Q~kU<2KSp`siT{WoJoHfz^KNn$~`v2b>9MrmNM`Q_*&+hs9FgULvcjmf<5LslHk5_ZZqoM_L;xxMtok8^n)vD}Cm zX@+8-Sx`)+g|}T-LAu{Cqqq1VsChq|9iGePYjS0ZUTeD?d0W1ajYX$d z74n1crz}eAaEl`V(R}pzH|5_joh9e%;AG#l-iUvovZHJ`q73e6By_L?2(}1ZX;cm! z#)u-|X;dpWh|wc^u~*R%hVxT|7=`FfU{Ln1Xoq5GR+_aoM)q;e|EW$E=luNQ81(A~ z!VGU6Z!>Xn|0Su?N1l;t?K8mQqE1aQSfa*R)3tCzs$1)MYEDVht^_WEI!P1HpGYi0 zd6ZoGP40$5wd|tSOb^yTh}z0=3QrJN0#`%~dJlGl70f${3A0As9(5$z#>u5*84k}i zT;r@hqq0+0Gi!#iHS_SOKC_Q$E!$=6EPb;up^t^zBA^H`Nhm;%n~H2@Nc{?6T2I=5 z7buqvfWKA@chqr3G;b5sHfO2ZIuR~{cfB178c?g6DwSsi9&Whsoc!7fkTt@$ChmE!+yKJc`dB+{PndIih4Y z5!GG^wp2LF6l?nsKdPO(wl-4b#C%q3f_|XBiE{lvzr*i|+jfHaVey40yZ}8Mj)J5| zazz)Q1)iYtk;%uszs;p&^#gnC#wZe+R4efZVuW*q)1N7?jE`3br0*qZ{7Xm2$AjfI z3QkDR9zyujs3m9_eG`kuKfSz&|1h9_4p*g=EcolA7!2|abZP{*22Y6v?Ik!|BU>;l z-^kab2GK|-Di!kCF!H0ehqZel9~CVRBrIHUZFN_F$F8_n`NaBfWn;LKOZ}+=lP{$q zTq8C+VFwwy7NtML9)Vfy9q}?@6v7hnNQQ9WrziPzDW0vvnx;W}g)XBG=O{;X#+!yT zdcA`O7t#fgrFmJWEXXR!K z$+41_oq}zG=@WeiDe*}5$RR=(_lC)FsZAj!HH56M-T{9WhL#hno9Ib_iK?FOIzVBI z2zFltxpV8Ff)y0qs`T%RyTdl7+OE%gD_+3;?!hbb@KT9xAy3dEn?2men+RFdEnx1l zJ1SCu|HspMr%zFi5AhXtF*l!^(+gjcsWVhQ++0qW{H(WZC&E{O>w32zzgO|K0sS1M zIy{rz#+pfR-b;^Z^0~VanzIK2s6r$ek4K+^LuazW?$`wlWpV>AEEFpReY-@k{w3&W zr`i|ikPARflfjU8x#gJNjDhh$%pRkr>1}|E3jq(;GNV@TV=xtE06G=cq3s6 zh1)Z@5H0BhP5~`-=ydKD2a+%*yhjpl@UaqC+bXY*Z9-S^Vf-OnOE|r>^uC&L^#A&? zgJA=A*CNS2yluO^oDCEl%I2r_<_-21M{yC_F70MRSNaUS&FSeb#&L?nQDe={9|Qmg z0>$^DJADo07DNgVAk|dfA5-3n4ZF?U8XK6>bcO6kH@yw4b3jS!y40{@iH*t8YF~|B ABLDyZ diff --git a/secrets/rekeyed/ward/ca883e2bce6ceff39bb8dc133d3a092e-wireguard-proxy-home-psks-ward+ward-firefly.age b/secrets/rekeyed/ward/ca883e2bce6ceff39bb8dc133d3a092e-wireguard-proxy-home-psks-ward+ward-firefly.age new file mode 100644 index 0000000..b0d5adc --- /dev/null +++ b/secrets/rekeyed/ward/ca883e2bce6ceff39bb8dc133d3a092e-wireguard-proxy-home-psks-ward+ward-firefly.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 iNceIg wdAnVbYVU+fgSIb4ZiNqfbV5e+Gyt7l2Pr+gqoTzt30 +iV0QOUfzJLu061EjjY+hD8SnT4Mx5udoO7tUogRPeA4 +-> rv!OK-grease 3@%B3|g +JUDryA +--- mADEX6kUWctEoYX8d/eTbYFdB+kcILfyhbUjiDMNGx0 +ƕ^$aHn GLYUbRAfuժd5>rc풪&0ׇF:j \ No newline at end of file diff --git a/secrets/rekeyed/ward/f443ca4d40a215b56ee3673f09d46eba-wireguard-proxy-home-psks-sire-actual+ward.age b/secrets/rekeyed/ward/f443ca4d40a215b56ee3673f09d46eba-wireguard-proxy-home-psks-sire-actual+ward.age deleted file mode 100644 index d9f5b0718cb90a7e26bcccf76288824f83f7ec83..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 401 zcmWm7Pixaq003~W<~s;a6g-ryuSuIfAcJO2+NL%A`%D)+nD)K=t4Z1b?h_{6a+tj`1=As+a)ZC7D=(n{5aZ*6Stbz7&Q zOKB5{g@@oU+KXcyksdC)BaIXG!YI>J_@xYc%+Q#qB&9fv1aqtA?bQpVkxzj?ee@`y)jVzuUTWoNQ%3wDv_yeNfry)Tsm z28zNe_pl?IQ>U_2s+;K=N96#OlSiD?#G~G@=?G?Z#;`04X1UXvXamcpa~UROMyIlF zw6W|3Mc7VZU*#&{d~9Z;w9Du(kB2V~Z`ZDWAAfRRy*Ul7lkevrPw)4}fB8F?H=Ub( t^hbG5cg}t)w|>3b>VK2I97txief8tR+oP`!+TwW=JpFuvF3u{_>wo^&k?Q~e diff --git a/secrets/wireguard/proxy-home/keys/ward-firefly.age b/secrets/wireguard/proxy-home/keys/ward-firefly.age new file mode 100644 index 0000000..ec57bf5 --- /dev/null +++ b/secrets/wireguard/proxy-home/keys/ward-firefly.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 uvlRP7EwYe9edPcApANRaV0Eqwx/CY6ElDJ8zPS6NTc +SGcubLfhsAQxjjxUfoczcKT7acC+o9YLDjAbaZxIXj8 +-> piv-p256 xqSe8Q A7hFGedcJqbSCtfnBTi52Vm3lwCojBBJg2KZoHBHzFeb +9UPcvDAwU1Kl6nRE3eakB4dPyyjeKlSVK0/MeUzMVvs +-> id2?G-grease J=PF j +3PdNbIHnMNBtH6OPbMXyMtpt2HVSW+D0BCg3qg3V3p3DDd7FEQzr7lEfsjooZwG8 +fC2jno79z1r7t7lg5VgP5s1yA2WO6sfaMvZ25iQLlg +--- V6na3Vl3HiCI97qZbIwhvJnrN9St1VaU4wLxvVaJY8k +a-X= U[mHkt~FJ1W)l(΂s/O X25519 u+GOb4it1FIuM2xQLit+Qj8FnHxog7mrgqzYB2cAF1Q +MiVwE4nNwJo7aIg+H8/1vCPsHbKIRw58xPprat9E7xk +-> piv-p256 xqSe8Q AqY1gjvBbu3vDCrksaKE9BExREcAp00pMIVyAZxvr/aw +CubJmGfOCZyLXxWgoZ+fnQu7BCs1arzt5iKZjdSIVM0 +-> ??~tD-grease i2nkSM_{ iogOoT}> +wWFu3rir4mB4RUy9 +--- K1zBn3duHmWgsphLbNn1ujFQ/X08tpW4dkmKB7S8eM4 +ۂJ/"m=fs$@f~a7 34ފ}k"!W1U6q \ No newline at end of file