From 20a5e1e66a26a1b2c2be738d4b8a4d5fbec7f88c Mon Sep 17 00:00:00 2001 
From: oddlama Date: Mon, 20 May 2024 02:30:17 +0200 Subject: [PATCH] feat: add internal proxy to high-volume applications at home --- hosts/sire/guests/common.nix | 8 ++- hosts/sire/guests/grafana.nix | 6 ++ hosts/sire/guests/immich.nix | 31 ++++++++++ hosts/sire/guests/influxdb.nix | 40 +++++++++++++ hosts/sire/guests/loki.nix | 53 ++++++++++++++++++ hosts/sire/guests/paperless.nix | 43 ++++++++++++-- hosts/ward/guests/adguardhome.nix | 35 ++++++------ ...-wireguard-proxy-home-priv-sire-immich.age | 8 +++ ...guard-proxy-home-psks-sire-immich+ward.age | 7 +++ ...ard-proxy-home-psks-sire-influxdb+ward.age | Bin 0 -> 328 bytes ...ireguard-proxy-home-priv-sire-influxdb.age | Bin 0 -> 327 bytes ...0c-wireguard-proxy-home-priv-sire-loki.age | Bin 0 -> 402 bytes ...reguard-proxy-home-psks-sire-loki+ward.age | 9 +++ ...rd-proxy-home-psks-sire-paperless+ward.age | Bin 0 -> 428 bytes ...reguard-proxy-home-priv-sire-paperless.age | 9 +++ ...5e5cfe39a4f132d-loki-basic-auth-hashes.age | Bin 0 -> 2666 bytes ...ard-proxy-home-psks-sire-influxdb+ward.age | Bin 0 -> 310 bytes ...rd-proxy-home-psks-sire-paperless+ward.age | 7 +++ ...reguard-proxy-home-psks-sire-loki+ward.age | 9 +++ ...guard-proxy-home-psks-sire-immich+ward.age | 7 +++ .../wireguard/proxy-home/keys/sire-immich.age | 9 +++ .../wireguard/proxy-home/keys/sire-immich.pub | 1 + .../proxy-home/keys/sire-influxdb.age | Bin 0 -> 380 bytes .../proxy-home/keys/sire-influxdb.pub | 1 + .../wireguard/proxy-home/keys/sire-loki.age | 9 +++ .../wireguard/proxy-home/keys/sire-loki.pub | 1 + .../proxy-home/keys/sire-paperless.age | Bin 0 -> 391 bytes .../proxy-home/keys/sire-paperless.pub | 1 + .../proxy-home/psks/sire-immich+ward.age | 9 +++ .../proxy-home/psks/sire-influxdb+ward.age | 9 +++ .../proxy-home/psks/sire-loki+ward.age | 10 ++++ .../proxy-home/psks/sire-paperless+ward.age | Bin 0 -> 459 bytes 32 files changed, 301 insertions(+), 21 deletions(-) create mode 100644 
secrets/rekeyed/sire-immich/48210b29550be1724e0e6a5603af581a-wireguard-proxy-home-priv-sire-immich.age create mode 100644 secrets/rekeyed/sire-immich/489ba5990cd27a548ef61bf66d994759-wireguard-proxy-home-psks-sire-immich+ward.age create mode 100644 secrets/rekeyed/sire-influxdb/861b8ef09e38949cccff27c22ee55340-wireguard-proxy-home-psks-sire-influxdb+ward.age create mode 100644 secrets/rekeyed/sire-influxdb/dc32381081efcf32fe844db1932a1ef4-wireguard-proxy-home-priv-sire-influxdb.age create mode 100644 secrets/rekeyed/sire-loki/158c4b0ca6a0f395e7398e0f9ddea00c-wireguard-proxy-home-priv-sire-loki.age create mode 100644 secrets/rekeyed/sire-loki/d381aba6054f5103c1ba555f0e7911cf-wireguard-proxy-home-psks-sire-loki+ward.age create mode 100644 secrets/rekeyed/sire-paperless/716cd0e8de5551b6bb6a87f8421141f3-wireguard-proxy-home-psks-sire-paperless+ward.age create mode 100644 secrets/rekeyed/sire-paperless/78eac1248b5d98935bfdc3703e175cb3-wireguard-proxy-home-priv-sire-paperless.age create mode 100644 secrets/rekeyed/ward-web-proxy/b74c1fb0e8aba210e5e5cfe39a4f132d-loki-basic-auth-hashes.age create mode 100644 secrets/rekeyed/ward/7a86bc5ecb46f75a01bf1b27ae49cf76-wireguard-proxy-home-psks-sire-influxdb+ward.age create mode 100644 secrets/rekeyed/ward/d8a468ed875aef4509e9c0af53e44831-wireguard-proxy-home-psks-sire-paperless+ward.age create mode 100644 secrets/rekeyed/ward/f6b12ebdf2efc6a7892f2e5458d95cf6-wireguard-proxy-home-psks-sire-loki+ward.age create mode 100644 secrets/rekeyed/ward/fb12194e159c81499ee0ad944efd427d-wireguard-proxy-home-psks-sire-immich+ward.age create mode 100644 secrets/wireguard/proxy-home/keys/sire-immich.age create mode 100644 secrets/wireguard/proxy-home/keys/sire-immich.pub create mode 100644 secrets/wireguard/proxy-home/keys/sire-influxdb.age create mode 100644 secrets/wireguard/proxy-home/keys/sire-influxdb.pub create mode 100644 secrets/wireguard/proxy-home/keys/sire-loki.age create mode 100644 secrets/wireguard/proxy-home/keys/sire-loki.pub 
create mode 100644 secrets/wireguard/proxy-home/keys/sire-paperless.age create mode 100644 secrets/wireguard/proxy-home/keys/sire-paperless.pub create mode 100644 secrets/wireguard/proxy-home/psks/sire-immich+ward.age create mode 100644 secrets/wireguard/proxy-home/psks/sire-influxdb+ward.age create mode 100644 secrets/wireguard/proxy-home/psks/sire-loki+ward.age create mode 100644 secrets/wireguard/proxy-home/psks/sire-paperless+ward.age diff --git a/hosts/sire/guests/common.nix b/hosts/sire/guests/common.nix index c301f6b..81bc212 100644 --- a/hosts/sire/guests/common.nix +++ b/hosts/sire/guests/common.nix @@ -5,6 +5,7 @@ ... }: let sentinelCfg = nodes.sentinel.config; + wardWebProxyCfg = nodes.ward-web-proxy.config; in { meta.promtail = { enable = true; @@ -12,7 +13,12 @@ in { }; # Connect safely via wireguard to skip http authentication - networking.hosts.${sentinelCfg.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.networking.providedDomains.influxdb]; + networking.hosts.${ + if config.wireguard ? proxy-home + then wardWebProxyCfg.wireguard.proxy-home.ipv4 + else sentinelCfg.wireguard.proxy-sentinel.ipv4 + } = [sentinelCfg.networking.providedDomains.influxdb]; + meta.telegraf = lib.mkIf (!config.boot.isContainer) { enable = true; scrapeSensors = false; diff --git a/hosts/sire/guests/grafana.nix b/hosts/sire/guests/grafana.nix index a6c2f48..ffbf9d2 100644 --- a/hosts/sire/guests/grafana.nix +++ b/hosts/sire/guests/grafana.nix @@ -4,6 +4,7 @@ ... }: let sentinelCfg = nodes.sentinel.config; + wardWebProxyCfg = nodes.ward-web-proxy.config; grafanaDomain = "grafana.${config.repo.secrets.global.domains.me}"; in { wireguard.proxy-sentinel = { @@ -116,6 +117,11 @@ in { } ]; + networking.hosts.${wardWebProxyCfg.wireguard.proxy-home.ipv4} = [ + sentinelCfg.networking.providedDomains.influxdb # technically a duplicate (see ./common.nix)... + sentinelCfg.networking.providedDomains.loki + ]; + services.grafana = { enable = true; settings = { 
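Review bot: The comment `# Connect safely via wireguard to skip http authentication` above the new `networking.hosts.${ if config.wireguard ? proxy-home … }` key in `common.nix` now covers two different proxies and should say so, since it is the only place recording why no HTTP credentials are sent. I would reword it to `# Reach influxdb over wireguard (proxy-home when this guest has it, otherwise proxy-sentinel) to skip http authentication`. The enclosing `in { … }` body and the module's argument list lie outside the hunk, so whether every guest importing this file can evaluate `nodes.ward-web-proxy.config` cannot be confirmed from here.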
diff --git a/hosts/sire/guests/immich.nix b/hosts/sire/guests/immich.nix index 05fec63..4dbce30 100644 --- a/hosts/sire/guests/immich.nix +++ b/hosts/sire/guests/immich.nix @@ -5,6 +5,7 @@ ... }: let sentinelCfg = nodes.sentinel.config; + wardWebProxyCfg = nodes.ward-web-proxy.config; immichDomain = "immich.${config.repo.secrets.global.domains.me}"; ipImmichMachineLearning = "10.89.0.10"; @@ -169,10 +170,15 @@ in { client.via = "sentinel"; firewallRuleForNode.sentinel.allowedTCPPorts = [2283]; }; + wireguard.proxy-home = { + client.via = "ward"; + firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [2283]; + }; networking.nftables.chains.forward.into-immich-container = { after = ["conntrack"]; rules = [ "iifname proxy-sentinel ip saddr ${sentinelCfg.wireguard.proxy-sentinel.ipv4} tcp dport 3001 accept" + "iifname proxy-home ip saddr ${wardWebProxyCfg.wireguard.proxy-home.ipv4} tcp dport 3001 accept" "iifname podman1 oifname lan accept" ]; }; @@ -202,6 +208,31 @@ in { }; }; + nodes.ward-web-proxy = { + services.nginx = { + upstreams.immich = { + servers."${config.wireguard.proxy-home.ipv4}:2283" = {}; + extraConfig = '' + zone immich 64k; + keepalive 2; + ''; + }; + virtualHosts.${immichDomain} = { + forceSSL = true; + useACMEWildcardHost = true; + locations."/" = { + proxyPass = "http://immich"; + proxyWebsockets = true; + }; + extraConfig = '' + client_max_body_size 10G; + allow 192.168.1.0/24; + deny all; + ''; + }; + }; + }; + systemd.tmpfiles.settings = { "10-immich" = { ${upload_folder}.d = { diff --git a/hosts/sire/guests/influxdb.nix b/hosts/sire/guests/influxdb.nix index cc68e6e..e5465ef 100644 --- a/hosts/sire/guests/influxdb.nix +++ b/hosts/sire/guests/influxdb.nix @@ -6,6 +6,7 @@ ... }: let sentinelCfg = nodes.sentinel.config; + wardCfg = nodes.ward.config; influxdbDomain = "influxdb.${config.repo.secrets.global.domains.me}"; influxdbPort = 8086; in { 
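Review bot: The new `virtualHosts.${immichDomain}` under `nodes.ward-web-proxy` restricts access with a literal `allow 192.168.1.0/24; deny all;`, and the same literal is repeated in the paperless vhost added in `paperless.nix`, whereas the influxdb and loki vhosts in this commit build their allowlist from `wardCfg.wireguard.proxy-home.server.reservedAddresses`. This source-address rule is the only restriction the proxy itself adds in front of the application, so the range is better taken from one shared definition (a `let` binding, or an existing option describing the home LAN if the repo has one) so that the two files cannot drift apart when the LAN is renumbered. If the literal stays, a comment next to it such as `# home LAN only; the proxy adds no authentication of its own` would make the trust assumption explicit.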
@@ -14,6 +15,11 @@ in { firewallRuleForNode.sentinel.allowedTCPPorts = [influxdbPort]; }; + wireguard.proxy-home = { + client.via = "ward"; + firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [influxdbPort]; + }; + nodes.sentinel = { networking.providedDomains.influxdb = influxdbDomain; @@ -50,6 +56,40 @@ in { }; }; + nodes.ward-web-proxy = { + services.nginx = { + upstreams.influxdb = { + servers."${config.wireguard.proxy-home.ipv4}:${toString influxdbPort}" = {}; + extraConfig = '' + zone influxdb 64k; + keepalive 2; + ''; + }; + virtualHosts.${influxdbDomain} = let + accessRules = '' + ${lib.concatMapStrings (ip: "allow ${ip};\n") wardCfg.wireguard.proxy-home.server.reservedAddresses} + deny all; + ''; + in { + forceSSL = true; + useACMEWildcardHost = true; + locations."/" = { + proxyPass = "http://influxdb"; + proxyWebsockets = true; + extraConfig = accessRules; + }; + locations."/api/v2/write" = { + proxyPass = "http://influxdb/api/v2/write"; + proxyWebsockets = true; + extraConfig = '' + ${accessRules} + access_log off; + ''; + }; + }; + }; + }; + age.secrets.influxdb-admin-password = { generator.script = "alnum"; mode = "440"; diff --git a/hosts/sire/guests/loki.nix b/hosts/sire/guests/loki.nix index 2b9cabe..6f8b517 100644 --- a/hosts/sire/guests/loki.nix +++ b/hosts/sire/guests/loki.nix @@ -1,9 +1,12 @@ { config, + lib, nodes, ... }: let sentinelCfg = nodes.sentinel.config; + wardWebProxyCfg = nodes.ward-web-proxy.config; + wardCfg = nodes.ward.config; lokiDomain = "loki.${config.repo.secrets.global.domains.me}"; in { wireguard.proxy-sentinel = { @@ -11,6 +14,11 @@ in { firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.loki.configuration.server.http_listen_port]; }; + wireguard.proxy-home = { + client.via = "ward"; + firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [config.services.loki.configuration.server.http_listen_port]; + }; + nodes.sentinel = { networking.providedDomains.loki = lokiDomain; 
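Review bot: `accessRules` in the new `virtualHosts.${influxdbDomain}` is the only access control this vhost applies (there is no `auth_basic`, only `allow …; deny all;` built from `wardCfg.wireguard.proxy-home.server.reservedAddresses`), and nothing in the hunk documents that. A comment above the `let`, e.g. `# No http auth on this vhost: only addresses reserved on the proxy-home wireguard network may connect`, would record the trust boundary. It is also worth confirming what `reservedAddresses` contains, because `adguardhome.nix` in this same commit starts answering the influxdb name with `192.168.1.4` for LAN clients, which this allowlist would presumably reject. The same `lib.concatMapStrings (ip: "allow ${ip};\n") …` expression is repeated in `loki.nix` and could be shared.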
@@ -28,6 +36,51 @@ in { keepalive 2; ''; }; + virtualHosts.${lokiDomain} = { + forceSSL = true; + useACMEWildcardHost = true; + locations."/" = { + proxyPass = "http://loki"; + proxyWebsockets = true; + extraConfig = '' + auth_basic "Authentication required"; + auth_basic_user_file ${wardWebProxyCfg.age.secrets.loki-basic-auth-hashes.path}; + + proxy_read_timeout 1800s; + proxy_connect_timeout 1600s; + + ${lib.concatMapStrings (ip: "allow ${ip};\n") wardCfg.wireguard.proxy-home.server.reservedAddresses} + deny all; + + access_log off; + ''; + }; + locations."= /ready" = { + proxyPass = "http://loki"; + extraConfig = '' + auth_basic off; + access_log off; + ''; + }; + }; + }; + }; + + nodes.ward-web-proxy = { + age.secrets.loki-basic-auth-hashes = { + inherit (nodes.sentinel.config.age.secrets.loki-basic-auth-hashes) rekeyFile; + mode = "440"; + group = "nginx"; + }; + + services.nginx = { + upstreams.loki = { + servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.loki.configuration.server.http_listen_port}" = {}; + extraConfig = '' + zone loki 64k; + keepalive 2; + ''; + }; virtualHosts.${lokiDomain} = { forceSSL = true; useACMEWildcardHost = true; diff --git a/hosts/sire/guests/paperless.nix b/hosts/sire/guests/paperless.nix index 1aec3d1..3265062 100644 --- a/hosts/sire/guests/paperless.nix +++ b/hosts/sire/guests/paperless.nix 
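Review bot: Read against the context lines, the added `virtualHosts.${lokiDomain}` block (the one with `auth_basic_user_file ${wardWebProxyCfg.age.secrets.loki-basic-auth-hashes.path}` and the `allow …reservedAddresses…; deny all;` rules) sits directly after the existing upstream's `keepalive 2;`, so it appears to remain inside `nodes.sentinel`, while the unchanged vhost that follows the hunk ends up under the new `nodes.ward-web-proxy`. If that reading is right, the sentinel vhost now rejects everything except proxy-home addresses and points at the other node's secret path, and the home vhost keeps whatever the old sentinel vhost contained (outside the hunk), possibly without the IP allowlist. Please check the resulting file and, if needed, swap the two bodies so each node's vhost references its own secret and the allowlist lands on ward-web-proxy. Note also that `locations."= /ready"` sets `auth_basic off;` and carries no `allow`/`deny`, so it is open to anyone who can reach the vhost.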
@@ -6,12 +6,23 @@ ... }: let sentinelCfg = nodes.sentinel.config; + wardWebProxyCfg = nodes.ward-web-proxy.config; paperlessDomain = "paperless.${config.repo.secrets.global.domains.me}"; paperlessBackupDir = "/var/cache/paperless-backup"; in { microvm.mem = 1024 * 9; microvm.vcpu = 8; + wireguard.proxy-sentinel = { + client.via = "sentinel"; + firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.paperless.port]; + }; + + wireguard.proxy-home = { + client.via = "ward"; + firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [config.services.paperless.port]; + }; + nodes.sentinel = { networking.providedDomains.paperless = paperlessDomain; @@ -38,9 +49,30 @@ in { }; }; - wireguard.proxy-sentinel = { - client.via = "sentinel"; - firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.paperless.port]; + nodes.ward-web-proxy = { + services.nginx = { + upstreams.paperless = { + servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.paperless.port}" = {}; + extraConfig = '' + zone paperless 64k; + keepalive 2; + ''; + }; + virtualHosts.${paperlessDomain} = { + forceSSL = true; + useACMEWildcardHost = true; + extraConfig = '' + client_max_body_size 512M; + allow 192.168.1.0/24; + deny all; + ''; + locations."/" = { + proxyPass = "http://paperless"; + proxyWebsockets = true; + X-Frame-Options = "SAMEORIGIN"; + }; + }; + }; }; age.secrets.paperless-admin-password = { @@ -75,7 +107,10 @@ in { PAPERLESS_URL = "https://${paperlessDomain}"; PAPERLESS_ALLOWED_HOSTS = paperlessDomain; PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}"; - PAPERLESS_TRUSTED_PROXIES = sentinelCfg.wireguard.proxy-sentinel.ipv4; + PAPERLESS_TRUSTED_PROXIES = lib.concatStringSep "," [ + sentinelCfg.wireguard.proxy-sentinel.ipv4 + wardWebProxyCfg.wireguard.proxy-home.ipv4 + ]; # Authentication via kanidm PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect"; 
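Review bot: `PAPERLESS_TRUSTED_PROXIES = lib.concatStringSep "," [ … ]` in the last hunk of `paperless.nix` calls a function that nixpkgs' `lib` does not provide; the helper is `lib.concatStringsSep`, so the line should read `PAPERLESS_TRUSTED_PROXIES = lib.concatStringsSep "," [`. As written the attribute lookup fails when the value is evaluated, so the trusted-proxy list never reaches paperless. The module's argument list is outside the hunk, so also confirm that `lib` is among the arguments.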
diff --git a/hosts/ward/guests/adguardhome.nix b/hosts/ward/guests/adguardhome.nix index a3ce9fe..711c552 100644 --- a/hosts/ward/guests/adguardhome.nix +++ b/hosts/ward/guests/adguardhome.nix @@ -74,23 +74,26 @@ in { ]; dhcp.enabled = false; }; - filtering.rewrites = [ - # Undo the /etc/hosts entry so we don't answer with the internal - # wireguard address for influxdb - { - domain = nodes.sentinel.config.networking.providedDomains.influxdb; - answer = config.repo.secrets.global.domains.me; - } + filtering.rewrites = + [ + # Undo the /etc/hosts entry so we don't answer with the internal + # wireguard address for influxdb + { + domain = nodes.sentinel.config.networking.providedDomains.influxdb; + answer = config.repo.secrets.global.domains.me; + } + ] # Use the local mirror-proxy for some services (not necessary, just for speed) - { - domain = nodes.sentinel.config.networking.providedDomains.grafana; - answer = "192.168.1.4"; # web-proxy - } - { - domain = nodes.sentinel.config.networking.providedDomains.immich; - answer = "192.168.1.4"; # web-proxy - } - ]; + ++ map (domain: { + inherit domain; + answer = "192.168.1.4"; + }) [ + nodes.sentinel.config.networking.providedDomains.grafana + nodes.sentinel.config.networking.providedDomains.immich + nodes.sentinel.config.networking.providedDomains.influxdb + nodes.sentinel.config.networking.providedDomains.loki + nodes.sentinel.config.networking.providedDomains.paperless + ]; filters = [ { name = "AdGuard DNS filter"; diff --git a/secrets/rekeyed/sire-immich/48210b29550be1724e0e6a5603af581a-wireguard-proxy-home-priv-sire-immich.age b/secrets/rekeyed/sire-immich/48210b29550be1724e0e6a5603af581a-wireguard-proxy-home-priv-sire-immich.age new file mode 100644 index 0000000..6a97cdd --- /dev/null +++ b/secrets/rekeyed/sire-immich/48210b29550be1724e0e6a5603af581a-wireguard-proxy-home-priv-sire-immich.age 
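Review bot: After this change `filtering.rewrites` holds two entries for `nodes.sentinel.config.networking.providedDomains.influxdb`: the first still answers with `config.repo.secrets.global.domains.me`, and the new `map` adds one answering `192.168.1.4`. Which answer clients receive then depends on AdGuard Home's rewrite precedence, and the comment `# Undo the /etc/hosts entry …` no longer describes the outcome; drop one of the two entries or document which is meant to win. The `# web-proxy` comment on the literal address was also lost in the refactor; I would keep it as `answer = "192.168.1.4"; # web-proxy`, or derive the address from the node's configuration if it is exposed there.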
@@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 U8ytLQ ZDczMuStTpVUMGlObtJB5uA07U/OsrOXaocAGJQ5SUQ +D4Lg2MwHZVFHhTBlCDB3ZAnigTCVnNOFII5Hs9FxoL0 +-> oV-grease Y>Wk^oz +lG4J8UNTiqKwws8XmfgOZBtLBf83/OciQN+bWAFbbVd5JSl1SSUDuyu94bp34Udq +MyziULMJLT/tgjRM8H/TmBbuuIhWImHegnSA0WAZ +--- lSARhYuFG3dOCOJmNhgEhToUWyUxwBDQaYTrJ4KJQM0 + * }R@]F \HGl}4'Jg<% 1>=R03I\J \ No newline at end of file diff --git a/secrets/rekeyed/sire-immich/489ba5990cd27a548ef61bf66d994759-wireguard-proxy-home-psks-sire-immich+ward.age b/secrets/rekeyed/sire-immich/489ba5990cd27a548ef61bf66d994759-wireguard-proxy-home-psks-sire-immich+ward.age new file mode 100644 index 0000000..90cbe43 --- /dev/null +++ b/secrets/rekeyed/sire-immich/489ba5990cd27a548ef61bf66d994759-wireguard-proxy-home-psks-sire-immich+ward.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 U8ytLQ Q49jP/1k8wgMHasJRs3j4qw4kDjmYMxzx190cqJpD34 +97gvdGUGDqP2LMdxuIM6u0FdNgKbUuKZl6p5irO+BeM +-> 4FcwR4h*-grease Yn]g)b %taX> 066d`Ecg +6cpXlQaMcTQU7dHNzQgZMeExv0KnJxzAov0BPBpFeiVfQPJqoDc+qgU +--- 94bvmt9LqBAL3sqQRhc1k9vYo91+Fa7/r8nDpqnyXZ4 +Lp#VP%7 dH~}c|/UvF{[sDCy>Z V@0Õ^}1ޤ$( \ No newline at end of file diff --git a/secrets/rekeyed/sire-influxdb/861b8ef09e38949cccff27c22ee55340-wireguard-proxy-home-psks-sire-influxdb+ward.age b/secrets/rekeyed/sire-influxdb/861b8ef09e38949cccff27c22ee55340-wireguard-proxy-home-psks-sire-influxdb+ward.age new file mode 100644 index 0000000000000000000000000000000000000000..3822fc0cd0f332aec4ed14b73e8c9ccfd6f1d777 GIT binary patch literal 328 zcmV-O0k{5PXJsvAZewzJaCB*JZZ29TQHEKv}P()I5XLw>~LS{BWMo3p^c`yoTcT-w6L_#li zW^`3jc0_GTXHj@HVoqgcP(x{RK~ps^FgIsbYD{5nWi$#cJ|JL6N-{T1IUy})a%Ew2 zWgtXWGcax-H9k5oAR<95Svg#03U^|0Y-LbGV^&p9FlBL4N<(5aLs2nhSxPu(F*9ye zRSGRFEg)?|R%a`ANOW3iXH{BRWNt5FH)%6P~cK?>x? zs6xMfy0A#4O;@RxBxy}Org)KOHKJ85?@8!GO a8yn5{4AA`3l;%wh<*rB4IQ|;yAbmcOMt3m) literal 0 HcmV?d00001 
diff --git a/secrets/rekeyed/sire-influxdb/dc32381081efcf32fe844db1932a1ef4-wireguard-proxy-home-priv-sire-influxdb.age b/secrets/rekeyed/sire-influxdb/dc32381081efcf32fe844db1932a1ef4-wireguard-proxy-home-priv-sire-influxdb.age new file mode 100644 index 0000000000000000000000000000000000000000..251ea4744b5c8bf4d01f310c703c0783f8bd8020 GIT binary patch literal 327 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSPEJ=y-4pb;f(+}~r zNY5?G)6U5CFwe^j@pTI~$jHdZtqgL`^3F_lwr~zI3`#E!PUbQR&Gd5fPAjhTH3%>% zO|0~GDs;)vF7XYC3NebTaCHxGE;ceuHT5pnb_Cg0nr)+Fq?=xpnpm8wpqP}W5Mf!A z;hgEJkmP2Q5gf;5<`wDW<(utQ;_g(G8XTtYukYfPmz5N05EAaD?VT4`0W?KdS0U0T zKRGDEC(0<;BfmT)peU)_FTgCx-KEMiG0Z>Q)Uzlesj{S~vc${7ge!w%f7;Rumzr$N zHz&()$@1FFytdd&BJ*Waz}mQ=yKX!7ZJ4$&nfZWA;9tX(w>%7a%p9wpcyI}McWxm@GwJ&uf literal 0 HcmV?d00001 diff --git a/secrets/rekeyed/sire-loki/158c4b0ca6a0f395e7398e0f9ddea00c-wireguard-proxy-home-priv-sire-loki.age b/secrets/rekeyed/sire-loki/158c4b0ca6a0f395e7398e0f9ddea00c-wireguard-proxy-home-priv-sire-loki.age new file mode 100644 index 0000000000000000000000000000000000000000..9274337209e2324f6e3548dee0817b1631c195f0 GIT binary patch literal 402 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCT4Nh&c*c2o!t3&}Il zugv!F@-`1m3yHMwcg{)m3(WUSH#N2J3P~#sc8e;l()KA1G~sgci8S^!NvS9>FLyDF zGIsL`FiJJ_N;UGg4E6~zH}!EW49U#%a|^DtEC$);uB4k@l$uzas$fyh6&e*%5*p#0 ztMBR?W>n%AQkmuBnObh1Yn&XGu5DCOW*TZ-UJ~V=TB==H?BVE9>hDz&8E#r;WagV^ zVwB^U!sT9;QdJya<{j#ln4V;mpYNaNn-!XsXIkjxq@Ppnp6F;E?5CgMQSR?y=30 ssh-ed25519 Dbt6cA 3F3ffVdjqoNE4nNpgk03uASXUQqblxHp7fRRd6fyQWY +e2zBfUZrG+9ABnB0FJ5nk30akz1It0w2tCz/KJVSpjg +-> HR^-grease +4p8h4NkKY88xZf5Xk63KxigmHQP8WUDMQPD0Vyfe8qCZ5YbhSgVcDHaTuUj858yw +5xUPwfAjlWsonle5KdBtc0ym7AstzWTTrA10oM6chm/mUvRYDJDQslp5Cw +--- fp/its46uEjme2IwXthKFS8GhsIwXqmDDKnLgAFxRAQ + +.KݬX$^w bT[9_U\lC JQ)ߦr7?yʰ \ No newline at end of file 
diff --git a/secrets/rekeyed/sire-paperless/716cd0e8de5551b6bb6a87f8421141f3-wireguard-proxy-home-psks-sire-paperless+ward.age b/secrets/rekeyed/sire-paperless/716cd0e8de5551b6bb6a87f8421141f3-wireguard-proxy-home-psks-sire-paperless+ward.age new file mode 100644 index 0000000000000000000000000000000000000000..1050ee4d7cf2cd4ea9c71074ba646b04c9232367 GIT binary patch literal 428 zcmWm7yKd7^002zErmfyJ>MJB}Zz9lt8Nl&K6b zu)@OBfhj{77&{>bBm@I<5es5q2MKY0;Ml%Lc!`rWtMwvH?x&d#N(v($;CUVpo=bBa zCF12V9P1S>Fe+Hi7jwV|&Oz!7B`yU`CHEgHV!@@FYti;Wl`F81+L%XEv6d_37?D*I z)-k2wX~H7N&cI4Q7^2opr#(}4%W}>qoD7kT zN$d&P*Gv@Ey{^!!CbKnH8EPAfd!n#*b-)^kl74bQkJ>M`wzpp2JZt^f{Mkfro_%6avi ssh-ed25519 vqFVQw cCoX+F+7E65ZyrMstKoMuXiml6Cto+mbEXlZj42EgFM +wuV8ZDpI3ARBI7/JLGQd9lbtXEIYBPeIwnmAl7m9uBQ +-> :d>Hp-grease tCr`4 p4^OM^c r _s0m +fiVaHu4f3uYpHnJIoUZQXvF7eNMbsRvLPGdJ2/7jDno9oieC9RpISOLmiFpfagwR +QcW/E5mYFqqxTSBj5qsdln8pr6Ngq7UCNyP9LTIinQo +--- xmil/cv39XF68x2ukoH0bIHwxgcFVE3L/pczAcJ4dHI +WtOoK9, +F~@?JJ`w| +x7Ֆ[^%Au5]쾹Pl? \ No newline at end of file 
diff --git a/secrets/rekeyed/ward-web-proxy/b74c1fb0e8aba210e5e5cfe39a4f132d-loki-basic-auth-hashes.age b/secrets/rekeyed/ward-web-proxy/b74c1fb0e8aba210e5e5cfe39a4f132d-loki-basic-auth-hashes.age new file mode 100644 index 0000000000000000000000000000000000000000..ecf5aa99809c5f56f821f89ab654b1fcc9913b37 GIT binary patch literal 2666 zcmV-w3YGO?XJsvAZewzJaCB*JZZ2W{GDk;FP;PoSQB4XhJ|Jj!c`avhWnpt=ASf?# zNklDtAU9YbVqqvcdhGC5LZRSGRFEg*R@crSBTad|>|F)&JXQ%hD+bZ12{PGV#@VN)__ zMQ?U^NeaWtfw_4IO`@~OQe5QA)CLb!_x5;`Z5noWc=VuOsTn*O-8P@(b`v$6 zk2tLr$K^4=xfP^gD%~aN@S`PMvC9Nm;Lu>Kn_4PUb?;n*Z4FpLOGzL>tnecIqURRGh1Y&UMmfLf_)9U9m0lrax>V=^E zZdeoWF9&`@silIRtV+q`KIP=6XJ@j%(E=LrKm$(SY#Vb3GbE8GG0)(`O)adcnR?_M z&d={Vsl6ZCWt)N#S`#!V@Z>vD1czwjzwdGG1zu1N(8`o&2&#Q2$zm(r@vuS%SH@a$ z*fWC`WfQF0I7h=#2*YI|gT$E|0-p=kL5VO_Db`NOkeXBU!f>t!D7;!nx4)L94{4&_ z>1x>zKaW{72Ix^98^@kkp+@(ti$=M|4RA$<7k3f__Mgjb5ecQg@u0R>Vjzc?6?HUL zOEjQQChwEEOBgjt14j>7+ERs)TT6a{(jiX&}4DQlF5 zN!oAmbjb2-Ft|KaXXiZ=2gD=-_cs&!9xOpX za!UAa^0b*t%D+J-{omAY*y(n##>d(Z#d`Iok-n~py4Sn+TO4Qm)h}d22P0z{%q7=u zBlj^AswbHkP`HZBA@-qPFA5$I z)Q$eo<~`LSD}&;<4RJjHecP(-Qewo`J^}SFDb$NGb3ifj(dk=w*E2yNUcw>b#F~ZA z@h7Ts%>}RXGO>Gi^R=Il_IWq6?Wk;bHP*u%>2dV=#a?T_Vhv%I-Jv|Z;ng|G7xxOD zoMRWd?fcV`n676JdZh#>`DK&mJ_XD-;~P;!!aWuT?XQa@cFL*gd2BM5- z8U^ZttIK~a`2UY;@&}pI7r3x7n5^SujVUgLt3& zSQ3w8D`T*%>I^0pk)Ar{Y9szvKYbP|h8o&|LqigYW{CY3*(XUGhx|Z9nhOB5ieP?R z0`}M)J<~&Csl^la$SYHCi(Gj-9MIyw>H7@t`M(823!_crX(E8Ne$!+=@LZlH%dbZ* zTtlL0gcCl^AgkQYJRUE0;vIx;?k7jAj=nkdqkqn=5XNMffy@!=E#^m3;C||&@YKsv z?2@yEsB)y0^dL4^guHpS1)GsOMjZD(*7@;gjUHqCYYyM|H$VzS<@CoNr)brX+12zI zudiS_#>4CdL^&y7z^ypZTbW9RTVPkvl)C_@4xJk z#kk+?NgUGZP#Nmj+O|s8IDM0X@9n|~5Kp-74PB4Yl}I+t^QCGoUAoI} zZSS9w&F!W;SSlb?cUfZriyEu};1=*cAVYa6u$m0?B+kC*wtdLjh+ZQ^|v+Ds26YBd%;BtKPAOe#B6yfyTWv|BK|Y zQb1pfNs++)`Gg*L3QL2o9d5mDqcFwbY9k7AtQirqO(+<5laSwY1~$0bu;? 
z4$O}WW^ZZ8<`SF&Al6{r0U3QsgBJZ%PHwEgQo4s-fddPCMbY~t{rwe0`e`dy2kPlg z93}igINl0g!y)4pODrlKY~)#X8d*N-g&LtgZHOl4*1vo&kL&Tx1^>dv4dz{c3|XcA z`R-3=C>@>k8ENgfa>pleWGzPRv zLgIXa2~y;EuNN5yTHa4~W;m1AM?{j2YuiXnm1-g*d^Wn~|k2D}8+rT)%)5zk$g*5spvw zvh)YsO(bgQGxB%bi@F7SO-6Fg$p>NXqq4bk^NM}baWVg_(p$U5VeM6U+j9MDl-W*) z`%Sma1v!|Lcxlb}H1`eAhfS}hy})sJg%U^I4=K<%d9yg-b>3WWNxBjIjt)iFvnLJL z9(#FJWjKS>`LD>*SZn$xlzpF~2_R;zp-nS*l$b5@FTjJWD|ApGw--i}Qz~Dy1bmqV Y9ydWOew=E#02X<*%tph0w|^8M^XUcu;Q#;t literal 0 HcmV?d00001 diff --git a/secrets/rekeyed/ward/7a86bc5ecb46f75a01bf1b27ae49cf76-wireguard-proxy-home-psks-sire-influxdb+ward.age b/secrets/rekeyed/ward/7a86bc5ecb46f75a01bf1b27ae49cf76-wireguard-proxy-home-psks-sire-influxdb+ward.age new file mode 100644 index 0000000000000000000000000000000000000000..5cbb2880b887dfa83bfc0b1daecadd01c8181df9 GIT binary patch literal 310 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7^h-|lOjmI6E=YAW zD=y6O4i5{f$al;S_s=T}aw+ui^vlamkJ9$dc8&^-EH$lkHQ=&z49N;gH>z-T2@A{e zG)~H|G7d}2%y2aFjdHKdstBqwDaiIRNR7xZ3>XU>QB>}2oRk~jQ|V=95*%L6^<~1$-+GzF-A1pyPO^N6D;HADR{O~C_*BCD z`M=mX`5Ld46n ssh-ed25519 iNceIg A1acm4APgJopInZlGV0zzs5kRZpTJuftDRsU6CIuBVs +XkY/QRvKvaKJjLQ9wlGp+emQ+uamn+K62Beqsru61r8 +-> iuB-grease /U =s~ ssh-ed25519 iNceIg sXXiTAH7s2O/UyUZHmuMHnQMRAvOVIXxEc65AXqewXI +Smfsb4y9aHWTX9KJKCRkiDCfOkSTNsci4kzFKHQ73WM +-> CKelskGG-grease i[ 7 +}sM +NlSd4X9OnX5luuy7kGXpJeOoeQg6Nbb4TK+/CyrmkMyRU+3swH+KOfKlcqr90pNV +S+2cOg +--- 727nBW/4ALXLr7W79wMIPyqhJbPzxCI3+W14kbRHx84 +IÉO0V^ N L8j#gv  +@ZՀ"*;mG&KHj68g#e#_M- \ No newline at end of file diff --git a/secrets/rekeyed/ward/fb12194e159c81499ee0ad944efd427d-wireguard-proxy-home-psks-sire-immich+ward.age b/secrets/rekeyed/ward/fb12194e159c81499ee0ad944efd427d-wireguard-proxy-home-psks-sire-immich+ward.age new file mode 100644 index 0000000..5f1e5af --- /dev/null +++ b/secrets/rekeyed/ward/fb12194e159c81499ee0ad944efd427d-wireguard-proxy-home-psks-sire-immich+ward.age 
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 iNceIg JvzQt+2ZkDJMDm1KlZQdDml8H4ycJ6AokJPSoZP5cU4 +wpodFTm/MHvNUgNMfKsRkBcqixtW01beo6sAiEdClcM +-> ]s%j-grease F80K ++qNWHTRpraF9RkyWQgtAKTyx6zHnRE186qaTSMkEA6aRCsT6Gg +--- eVGyjUp6M/kxFZahyFU1yzoLJSYuGduGZHf6tqkblCI +(=qՓ<$SBYa9j~|Az./~JMw_%9bqg(Y>*3V^&+Ja \ No newline at end of file diff --git a/secrets/wireguard/proxy-home/keys/sire-immich.age b/secrets/wireguard/proxy-home/keys/sire-immich.age new file mode 100644 index 0000000..7823230 --- /dev/null +++ b/secrets/wireguard/proxy-home/keys/sire-immich.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 uJ3uiXX1C9PpMhT3kcYvUf8mIGxD8KTB6gGKdPGJnCs +ei8KR51jD/rWUp494k6M20oTrwDTiGpdkbOOmW4lOXo +-> piv-p256 xqSe8Q A92Qea9NZuHlV2xGjSo53jlPVnKjwBTbMPF23PeXXDrq +IfzttqGs1jW3RlOKGm08vKtJIIkzwRT1fUoMwkbMbuU +-> (-grease ;&ILFt\Z \H g&6+q2Xa Z +ZribRa/ctUpGLy4veZe+BF+3YnF6tku94bsH72Exo2WulHZS +--- Std/62CowuRVpxSYuzhJLHy5jNWMpnl6ILk4U7oW54s +:Ĉrs[ oޏl;l]m3̎nm5:Rk4xNE#$d/ nY2r \ No newline at end of file diff --git a/secrets/wireguard/proxy-home/keys/sire-immich.pub b/secrets/wireguard/proxy-home/keys/sire-immich.pub new file mode 100644 index 0000000..2aa18d4 --- /dev/null +++ b/secrets/wireguard/proxy-home/keys/sire-immich.pub @@ -0,0 +1 @@ +7Vu1OqBCLq6WNvah8QFBjnwNZUfZqzToFyQH2g/RJR4= diff --git a/secrets/wireguard/proxy-home/keys/sire-influxdb.age b/secrets/wireguard/proxy-home/keys/sire-influxdb.age new file mode 100644 index 0000000000000000000000000000000000000000..a1ed48fd4fbf0e312a3791e84b68f786a5d4b1a9 GIT binary patch literal 380 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR2FFfuhYv{VQPjVkafi*PRtG_y1fG%a^7 zHuv*LO>v5{j0#Rlwv4E#^f3=DG)OlKOXn)jaJ2MGEljH@^)xqf^smYY(l075)-Fm( z4AD*siE=A-O!X-+vM>(uCYZGiXHje#5L%S$7~o`3<>(&DW#JU%XW>@lVq)%{<7k+egMZ`Q(@*|nc`Pi;^`mc9hwie%Ob$B+*~)kC^fM-l`E$}zrwP@*)cMmOIKG{Aw0>c z%ro80(yb!BJij2^)iT&OG%?W2+`=oRAm1d>&D_P@ETy14!z3`BYqE}6e~Q+nj~iFq zYgpIjeZ;h;e$J(DpU=NHkY2R42KK= literal 0 HcmV?d00001 
diff --git a/secrets/wireguard/proxy-home/keys/sire-influxdb.pub b/secrets/wireguard/proxy-home/keys/sire-influxdb.pub new file mode 100644 index 0000000..2e80a03 --- /dev/null +++ b/secrets/wireguard/proxy-home/keys/sire-influxdb.pub @@ -0,0 +1 @@ +X2gXwt3IDGXOsg8Vy/yEhEQKCUS6ziLu5Kl8POMa1Sc= diff --git a/secrets/wireguard/proxy-home/keys/sire-loki.age b/secrets/wireguard/proxy-home/keys/sire-loki.age new file mode 100644 index 0000000..60453a7 --- /dev/null +++ b/secrets/wireguard/proxy-home/keys/sire-loki.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 srRVmbOIPGk6sUIAARd6RLzzpKBVwIn+9RyuAPJ7aFI +fxqhR+q4BDsscusJKTZTjKxeMPfLMnp/yZpIbvv6+SE +-> piv-p256 xqSe8Q A/GX9EkFhcY/IjNQju+YdWMPyKVUj4YWuOoWxmszc1ws +rGgn/7HdLObcwxYw8GthJxgiR6XTE3C0kY6UFMlMhfo +-> ?-#-grease s4;&gb&a@W>A^cTM#TwG4HRDku&0$@NOr4|dEk z&nxyxsZ1&lEh-5uDEIaV4h7jzkXfc%U}S2hP*E71Y7wa5m|p7Ul2YzmVUb%Ipl_O; zn^zKM>>KQ6802T*SyWW&73t${YMB_|5}KaDmFr X25519 ocNApTQlwFHphPMWeXS60TWO8RY4kXv1/G7mpvCRfno +q4tgumwcZKxNrObdkxLpU9tPttrDe5oZzOZYu+boNCE +-> piv-p256 xqSe8Q A8FzxSYN5kOVb8VG57H105SMUC8P+IRBz5oCN4QX7F6D +7YesnMqNXTyR5Ojtli9R8atxm5dqi9cjEvnnuyT6I1g +-> %5P"-grease ,Wf aH@;2_dA ~4s:8[ +opJOhAN4Evvp4x7ndCEfALKDUMvvpqlbwUTSplehbPI +--- oMT/RknMnLIf0ujr+Q/xOCxN8qDOVkNYCVEjoJ3AscA +vYv](լ*nۇ E1 x͘]:;i'-Kl=Pnv}i|5Qs \ No newline at end of file diff --git a/secrets/wireguard/proxy-home/psks/sire-influxdb+ward.age b/secrets/wireguard/proxy-home/psks/sire-influxdb+ward.age new file mode 100644 index 0000000..4a1a7c0 --- /dev/null +++ b/secrets/wireguard/proxy-home/psks/sire-influxdb+ward.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 n0ZRfnfbYjTn81ODTPvPNmKsBXDGwV6Jwgn4ZMgF/Us +SrmR4Z6rteUSVrji5cbRlj5tSQAcBoWHKvsombOI9O4 +-> piv-p256 xqSe8Q A1lLYmIImnShNJs/w0ZVFj6s3RDNvo/nGq9KeqK9Ig7b +6GRcS3PVrcL6zhW/1XpMup1fcCPgelPuXmdt3t+J08s +-> EG"Ke-grease N +37HKhYODIAQxbHJI +--- ub+9rWPOnVMWpczIB/ForaQp96zRfOVV7bMuTij/1oQ +.h6{JΩŚ!, X2PLF{GXBm&cuZoܣB0G͎a \ No newline at end of file 
diff --git a/secrets/wireguard/proxy-home/psks/sire-loki+ward.age b/secrets/wireguard/proxy-home/psks/sire-loki+ward.age new file mode 100644 index 0000000..d1008ba --- /dev/null +++ b/secrets/wireguard/proxy-home/psks/sire-loki+ward.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 8SGiO7KFBiQdJk1Jo4E+56tO0pLmMYm+bPKR6g1DIhI +Cw0mWE+UCF3FWQ2FIdgK4kzRSZFfwgWdByHv4z0Abis +-> piv-p256 xqSe8Q AxtYXQlcKaqNDVzSMhqnznLAbkoeK2H0AP077+zm2prm +dWzLjMjdV5ymJ2BNcHB7PbIBFHJffmRr3/gX+U8XCpM +-> `-grease " &J +U2DWpgjq1+nj62O9GDB0BNRgrqHy5fb53tYKHmmK9Q +--- Y1GEP2kbfAqpVO4qWxnvkP3hloEyAAwIzy4PllrnTQc +faUyGYPh"pnx͒V*GK=߇Yt5?Qua޵KBQy> +7n)a?u+U5cd`D!lLr1@y_F3qH? z)9uPR)Eni%;T&CD9HgL&yOV;5Ac})1_xlHamhaKt!pT-i9>j~?IP)1?C+K^m0eHUN zB(YPCX2+}X1hpn8=x`d;keY|0BJBe)lLbmT^r_muZh$divXWsVI2wq0WeNso3y`v- z8CERCVy7yy7p#xsZlq++<&XrJP5|E^%T)8=kVLT6OgWco3;n5^FXw1gWNK|JF-@lg z9j62PjZ~1URQCZ#Xx(6;TQXl0QfC;&Xo;ryhzYQrPV>Nx&7f^bhVcNiz5eC3(}pYB z&pd1Ck=(MV-_i-!lE$Dy?m>4jn8!mCYdDNzsRXEyTc|gR4G`@qg<~^&wXSPV7}hRS zb;StMs9v)ZOh8|#2VUs*dxyic0wD1Tnx;v8ah%Th1CI4e$Tf3HECz`j$YA2NW_D?~ zy#^n3aONFZkodN}d7@tpFWx@mh(~{KpS|Af{5rXjU-|U7+WvRv^y2yN^YG*Osr=@? neD+7rPM&^#ch~&>>iS&V+I+qF^21tL^IzUyd-3qc&-K=ScBY~L literal 0 HcmV?d00001