From 3d37e2959fa5add87dce0bd591e01cc3a105c0dc Mon Sep 17 00:00:00 2001 
From: oddlama Date: Sun, 26 Jan 2025 01:43:01 +0100 Subject: [PATCH] feat: configure homeassistant and esphome on new machine --- flake.lock | 106 ++++++++-------- globals.nix | 4 + hosts/sausebiene/default.nix | 4 + hosts/sausebiene/esphome.nix | 59 +++++++++ .../home-assistant.nix | 120 +++++++++--------- hosts/sausebiene/mosquitto.nix | 42 ++++++ hosts/sausebiene/net.nix | 110 +++++++++++++--- .../secrets/home-assistant-secrets.yaml.age | 0 hosts/sausebiene/secrets/host.pub | 2 +- hosts/sentinel/postgresql.nix | 2 +- hosts/sentinel/secrets/local.nix.age | Bin 781 -> 820 bytes hosts/ward/guests/adguardhome.nix | 5 +- hosts/ward/guests/web-proxy.nix | 2 +- hosts/ward/secrets/web-proxy/local.nix.age | 19 ++- hosts/zackbiene/default.nix | 61 --------- hosts/zackbiene/esphome.nix | 57 --------- hosts/zackbiene/fs.nix | 29 ----- hosts/zackbiene/hostapd.nix | 43 ------- hosts/zackbiene/kea.nix | 54 -------- hosts/zackbiene/mosquitto.nix | 36 ------ hosts/zackbiene/net.nix | 94 -------------- hosts/zackbiene/secrets/host.pub | 1 - hosts/zackbiene/secrets/local.nix.age | 11 -- .../secrets/mosquitto-pw-home_assistant.age | Bin 356 -> 0 bytes .../secrets/mosquitto-pw-zigbee2mqtt.age | 11 -- .../secrets/mosquitto-pw-zigbee2mqtt.yaml.age | Bin 454 -> 0 bytes hosts/zackbiene/secrets/wifi-clients.age | Bin 970 -> 0 bytes hosts/zackbiene/zigbee2mqtt.nix | 62 --------- .../sausebiene/hass-influxdb-token.age | 10 ++ .../mosquitto-pw-home-assistant.age | 11 ++ ...roxy-sentinel-psks-sausebiene+sentinel.age | 7 - ...af69-promtail-loki-basic-auth-password.age | 8 -- ...578c00a159-home-assistant-secrets.yaml.age | Bin 0 -> 392 bytes ...45baa19fe718fb-telegraf-influxdb-token.age | 7 + ...8d5c49ca620d10f2f0-hass-influxdb-token.age | 8 ++ ...ff5346409c0398-telegraf-influxdb-token.age | 7 - ...12d7ee41c42af1-initrd_host_ed25519_key.age | 8 -- ...4a53ca34112e89-initrd_host_ed25519_key.age | Bin 0 -> 692 bytes ...eguard-proxy-home-psks-sausebiene+ward.age | 7 + 
...755f69f18f-mosquitto-pw-home-assistant.age | Bin 0 -> 280 bytes ...f633-promtail-loki-basic-auth-password.age | Bin 0 -> 393 bytes ...reguard-proxy-sentinel-priv-sausebiene.age | 7 - ...a-wireguard-proxy-home-priv-sausebiene.age | 10 ++ ...roxy-sentinel-psks-sausebiene+sentinel.age | 7 - ...0ef4b290-hass-influxdb-token-zackbiene.age | 7 - ...6044-telegraf-influxdb-token-zackbiene.age | 9 -- ...reguard-proxy-home-psks-ward+zackbiene.age | 7 - ...eguard-proxy-home-psks-sausebiene+ward.age | 9 ++ .../wireguard/proxy-home/keys/sausebiene.age | 11 ++ .../wireguard/proxy-home/keys/sausebiene.pub | 1 + .../proxy-home/psks/sausebiene+ward.age | Bin 0 -> 405 bytes users/myuser/secrets/user.nix.age | Bin 4861 -> 4806 bytes 52 files changed, 403 insertions(+), 672 deletions(-) create mode 100644 hosts/sausebiene/esphome.nix rename hosts/{zackbiene => sausebiene}/home-assistant.nix (61%) create mode 100644 hosts/sausebiene/mosquitto.nix rename hosts/{zackbiene => sausebiene}/secrets/home-assistant-secrets.yaml.age (100%) delete mode 100644 hosts/zackbiene/default.nix delete mode 100644 hosts/zackbiene/esphome.nix delete mode 100644 hosts/zackbiene/fs.nix delete mode 100644 hosts/zackbiene/hostapd.nix delete mode 100644 hosts/zackbiene/kea.nix delete mode 100644 hosts/zackbiene/mosquitto.nix delete mode 100644 hosts/zackbiene/net.nix delete mode 100644 hosts/zackbiene/secrets/host.pub delete mode 100644 hosts/zackbiene/secrets/local.nix.age delete mode 100644 hosts/zackbiene/secrets/mosquitto-pw-home_assistant.age delete mode 100644 hosts/zackbiene/secrets/mosquitto-pw-zigbee2mqtt.age delete mode 100644 hosts/zackbiene/secrets/mosquitto-pw-zigbee2mqtt.yaml.age delete mode 100644 hosts/zackbiene/secrets/wifi-clients.age delete mode 100644 hosts/zackbiene/zigbee2mqtt.nix create mode 100644 secrets/generated/sausebiene/hass-influxdb-token.age create mode 100644 secrets/generated/sausebiene/mosquitto-pw-home-assistant.age delete mode 100644 
secrets/rekeyed/sausebiene/34864ef8aacb6e6353bdfba82d09d1d8-wireguard-proxy-sentinel-psks-sausebiene+sentinel.age delete mode 100644 secrets/rekeyed/sausebiene/3cdab872b440e17c0eaecc593377af69-promtail-loki-basic-auth-password.age create mode 100644 secrets/rekeyed/sausebiene/53f39d7f712f1c3ebef413578c00a159-home-assistant-secrets.yaml.age create mode 100644 secrets/rekeyed/sausebiene/58c7c17dce96a7969845baa19fe718fb-telegraf-influxdb-token.age create mode 100644 secrets/rekeyed/sausebiene/79db0ca2a784348d5c49ca620d10f2f0-hass-influxdb-token.age delete mode 100644 secrets/rekeyed/sausebiene/a8d47755584aba5b43ff5346409c0398-telegraf-influxdb-token.age delete mode 100644 secrets/rekeyed/sausebiene/ad206793369835b18012d7ee41c42af1-initrd_host_ed25519_key.age create mode 100644 secrets/rekeyed/sausebiene/b66a188ea311a3346a4a53ca34112e89-initrd_host_ed25519_key.age create mode 100644 secrets/rekeyed/sausebiene/b7c5ba1a8c07d44ea4743e95b8ad4122-wireguard-proxy-home-psks-sausebiene+ward.age create mode 100644 secrets/rekeyed/sausebiene/c60e70bd6ab61b86e0e4dd755f69f18f-mosquitto-pw-home-assistant.age create mode 100644 secrets/rekeyed/sausebiene/cb80bbbc4a9dc18c5d38b8c2b5c6f633-promtail-loki-basic-auth-password.age delete mode 100644 secrets/rekeyed/sausebiene/ddbb8b51177f6ab5921645a30e3f50df-wireguard-proxy-sentinel-priv-sausebiene.age create mode 100644 secrets/rekeyed/sausebiene/e86ea6650fb14c3285819b1a905bd24a-wireguard-proxy-home-priv-sausebiene.age delete mode 100644 secrets/rekeyed/sentinel/f6bf0b7bd3d2c8815cba951e47ead8fc-wireguard-proxy-sentinel-psks-sausebiene+sentinel.age delete mode 100644 secrets/rekeyed/sire-influxdb/8af19159b484f7ee716bbd8d0ef4b290-hass-influxdb-token-zackbiene.age delete mode 100644 secrets/rekeyed/sire-influxdb/9bab2d8f641a0468b6e89c4c424e6044-telegraf-influxdb-token-zackbiene.age delete mode 100644 secrets/rekeyed/ward/020fd8ddc9ee58c7e32a968d26d3b765-wireguard-proxy-home-psks-ward+zackbiene.age create mode 100644 
secrets/rekeyed/ward/baa7d2d1fdf01b6ede3a39bd0971636b-wireguard-proxy-home-psks-sausebiene+ward.age create mode 100644 secrets/wireguard/proxy-home/keys/sausebiene.age create mode 100644 secrets/wireguard/proxy-home/keys/sausebiene.pub create mode 100644 secrets/wireguard/proxy-home/psks/sausebiene+ward.age diff --git a/flake.lock b/flake.lock index 85d314d..46f2aba 100644 --- a/flake.lock +++ b/flake.lock @@ -36,11 +36,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1737124467, - "narHash": "sha256-askwM5GDYo4xy/UARNXUvn7lKERyNp31BcES/t4Ki2Y=", + "lastModified": 1737808592, + "narHash": "sha256-zSr8rSnaDlsifQhKW6kLKr+zZj0h9jbx/DQ8V7PENhM=", "owner": "oddlama", "repo": "agenix-rekey", - "rev": "27c5fc5b763321054832d0c96a9259d849b2f58a", + "rev": "a1dcdd27ff12a24f0d3ac1fe016ed08e1a89291f", "type": "github" }, "original": { @@ -663,12 +663,12 @@ }, "flake-compat_9": { "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "revCount": 57, + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", + "revCount": 69, "type": "tarball", - "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz" + "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.1.0/01948eb7-9cba-704f-bbf3-3fa956735b52/source.tar.gz" }, "original": { "type": "tarball", @@ -968,11 +968,11 @@ ] }, "locked": { - "lastModified": 1737043064, - "narHash": "sha256-I/OuxGwXwRi5gnFPsyCvVR+IfFstA+QXEpHu1hvsgD8=", + "lastModified": 1737465171, + "narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "94ee657f6032d913fe0ef49adaa743804635b0bb", + "rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17", "type": "github" }, "original": { 
@@ -1250,11 +1250,11 @@ ] }, "locked": { - "lastModified": 1737299337, - "narHash": "sha256-0NBrY2A7buujKmeCbieopOMSbLxTu8TFcTLqAbTnQDw=", + "lastModified": 1737762889, + "narHash": "sha256-5HGG09bh/Yx0JA8wtBMAzt0HMCL1bYZ93x4IqzVExio=", "owner": "nix-community", "repo": "home-manager", - "rev": "f8ef4541bb8a54a8b52f19b52912119e689529b3", + "rev": "daf04c5950b676f47a794300657f1d3d14c1a120", "type": "github" }, "original": { @@ -1271,11 +1271,11 @@ ] }, "locked": { - "lastModified": 1737075266, - "narHash": "sha256-u1gk5I1an975FOAMMdS6oBKnSIsZza5ZKhaeBZAskVo=", + "lastModified": 1737762889, + "narHash": "sha256-5HGG09bh/Yx0JA8wtBMAzt0HMCL1bYZ93x4IqzVExio=", "owner": "nix-community", "repo": "home-manager", - "rev": "12851ae7467bad8ef422b20806ab4d6d81e12d29", + "rev": "daf04c5950b676f47a794300657f1d3d14c1a120", "type": "github" }, "original": { @@ -1311,11 +1311,11 @@ }, "impermanence": { "locked": { - "lastModified": 1736688610, - "narHash": "sha256-1Zl9xahw399UiZSJ9Vxs1W4WRFjO1SsNdVZQD4nghz0=", + "lastModified": 1737831083, + "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=", "owner": "nix-community", "repo": "impermanence", - "rev": "c64bed13b562fc3bb454b48773d4155023ac31b7", + "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170", "type": "github" }, "original": { @@ -1364,11 +1364,11 @@ "rust-overlay": "rust-overlay_3" }, "locked": { - "lastModified": 1737299073, - "narHash": "sha256-hOydnO9trHDo3qURqLSDdmE/pHNWDzlhkmyZ/gcBX2s=", + "lastModified": 1737639419, + "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=", "owner": "nix-community", "repo": "lanzaboote", - "rev": "64d20cb2afaad8b73f4e38de41d27fb30a782bb5", + "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e", "type": "github" }, "original": { 
@@ -1506,11 +1506,11 @@ ] }, "locked": { - "lastModified": 1736819234, - "narHash": "sha256-deQVtIH4UJueELJqluAICUtX7OosD9paTP+5FgbiSwI=", + "lastModified": 1737504076, + "narHash": "sha256-/B4XJnzYU/6K1ZZOBIgsa3K4pqDJrnC2579c44c+4rI=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "bd921223ba7cdac346477d7ea5204d6f4736fcc6", + "rev": "65cc1fa8e36ceff067daf6cfb142331f02f524d3", "type": "github" }, "original": { @@ -1588,11 +1588,11 @@ "pre-commit-hooks": "pre-commit-hooks_5" }, "locked": { - "lastModified": 1735860340, - "narHash": "sha256-8bgRXOHpLmgUHmg6CKFnm6LJzIdInDzE6wO+OotedCI=", + "lastModified": 1737813840, + "narHash": "sha256-XuaDHWeUGsCTvGb+61ztE/6kFPC70ZU2LtBnJvRf2ag=", "owner": "oddlama", "repo": "nixos-extra-modules", - "rev": "2502ff50abc8e29606824ac4e67d4a5279b1cb0d", + "rev": "0660c722cf4b703214022a7ca5fbda8a5fe428ee", "type": "github" }, "original": { @@ -1624,11 +1624,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1737359802, - "narHash": "sha256-utplyRM6pqnN940gfaLFBb9oUCSzkan86IvmkhsVlN8=", + "lastModified": 1737751639, + "narHash": "sha256-ZEbOJ9iT72iwqXsiEMbEa8wWjyFvRA9Ugx8utmYbpz4=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "61c79181e77ef774ab0468b28a24bc2647d498d6", + "rev": "dfad538f751a5aa5d4436d9781ab27a6128ec9d4", "type": "github" }, "original": { @@ -1660,11 +1660,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1737062831, - "narHash": "sha256-Tbk1MZbtV2s5aG+iM99U8FqwxU/YNArMcWAv6clcsBc=", + "lastModified": 1737746512, + "narHash": "sha256-nU6AezEX4EuahTO1YopzueAXfjFfmCHylYEFCagduHU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5df43628fdf08d642be8ba5b3625a6c70731c19c", + "rev": "825479c345a7f806485b7f00dbe3abb50641b083", "type": "github" }, "original": { 
@@ -1845,11 +1845,11 @@ "treefmt-nix": "treefmt-nix_4" }, "locked": { - "lastModified": 1737384599, - "narHash": "sha256-oTmfKi+q5Lxa/zbqxraV/pRbomDASC5SdcBPu+ehP58=", + "lastModified": 1737832569, + "narHash": "sha256-VkK73VRVgvSQOPw9qx9HzvbulvUM9Ae4nNd3xNP+pkI=", "owner": "nix-community", "repo": "nixvim", - "rev": "780d3eec7209c7a08a585f5b680ed359ed68e62c", + "rev": "d7df58321110d3b0e12a829bbd110db31ccd34b1", "type": "github" }, "original": { @@ -1868,11 +1868,11 @@ ] }, "locked": { - "lastModified": 1735854821, - "narHash": "sha256-Iv59gMDZajNfezTO0Fw6LHE7uKAShxbvMidmZREit7c=", + "lastModified": 1737372689, + "narHash": "sha256-nH3zK2ki0fd5o5qvbGHxukE4qnOLJa1uCzoDObG5vrE=", "owner": "NuschtOS", "repo": "search", - "rev": "836908e3bddd837ae0f13e215dd48767aee355f0", + "rev": "570cc17bbc25650eb7d69e4fcda8cfd2f1656922", "type": "github" }, "original": { @@ -2087,11 +2087,11 @@ ] }, "locked": { - "lastModified": 1737301351, - "narHash": "sha256-2UNmLCKORvdBRhPGI8Vx0b6l7M8/QBey/nHLIxOl4jE=", + "lastModified": 1737465171, + "narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "15a87cedeb67e3dbc8d2f7b9831990dffcf4e69f", + "rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17", "type": "github" }, "original": { @@ -2407,11 +2407,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1737207873, - "narHash": "sha256-XTCuMv753lpm8DvdVf9q2mH3rhlfsKrCUYbaADPC/bA=", + "lastModified": 1737833281, + "narHash": "sha256-+hCZqNMvcjGinYinsITX+kJvqkEqcWheaNX5WGGcRow=", "owner": "danth", "repo": "stylix", - "rev": "51ad2cec11e773a949bdbec88bed2524f098f49a", + "rev": "7c1c3259283f2da9c3d15c9096e7b8864f82bd4c", "type": "github" }, "original": { 
@@ -2699,11 +2699,11 @@ ] }, "locked": { - "lastModified": 1737054102, - "narHash": "sha256-saLiCRQ5RtdTnznT/fja7GxcYRAzeY3k8S+IF/2s/2A=", + "lastModified": 1737483750, + "narHash": "sha256-5An1wq5U8sNycOBBg3nsDDgpwBmR9liOpDGlhliA6Xo=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "97871d416166803134ba64597a1006f3f670fbde", + "rev": "f2cc121df15418d028a59c9737d38e3a90fbaf8f", "type": "github" }, "original": { @@ -2719,11 +2719,11 @@ ] }, "locked": { - "lastModified": 1737103437, - "narHash": "sha256-uPNWcYbhY2fjY3HOfRCR5jsfzdzemhfxLSxwjXYXqNc=", + "lastModified": 1737483750, + "narHash": "sha256-5An1wq5U8sNycOBBg3nsDDgpwBmR9liOpDGlhliA6Xo=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "d1ed3b385f8130e392870cfb1dbfaff8a63a1899", + "rev": "f2cc121df15418d028a59c9737d38e3a90fbaf8f", "type": "github" }, "original": { diff --git a/globals.nix b/globals.nix index 4dcd2d3..d26b518 100644 --- a/globals.nix +++ b/globals.nix @@ -44,6 +44,7 @@ in id = 4; inherit (nodes.ward-web-proxy.config.lib.microvm.interfaces.vlan-services) mac; }; + hosts.sausebiene.id = 5; hosts.sire-samba = { id = 10; inherit (nodes.sire-samba.config.lib.microvm.interfaces.vlan-services) mac; @@ -55,6 +56,7 @@ in cidrv6 = "fd10::/64"; hosts.ward.id = 1; hosts.sire.id = 2; + hosts.sausebiene.id = 5; }; devices = { id = 20; @@ -62,6 +64,7 @@ in cidrv6 = "fd20::/64"; hosts.ward.id = 1; hosts.sire.id = 2; + hosts.sausebiene.id = 5; hosts.scanner-ads-4300n = { id = 23; mac = globals.macs.scanner-ads-4300n; @@ -85,6 +88,7 @@ in cidrv4 = "192.168.30.0/24"; cidrv6 = "fd30::/64"; hosts.ward.id = 1; + hosts.sausebiene.id = 5; }; guests = { id = 50; diff --git a/hosts/sausebiene/default.nix b/hosts/sausebiene/default.nix index 9e03cd9..e675672 100644 --- a/hosts/sausebiene/default.nix +++ b/hosts/sausebiene/default.nix @@ -19,6 +19,10 @@ ./fs.nix ./net.nix + + ./esphome.nix + ./home-assistant.nix + ./mosquitto.nix ]; topology.self.hardware.info = "Intel N100, 16GB RAM"; 
diff --git a/hosts/sausebiene/esphome.nix b/hosts/sausebiene/esphome.nix new file mode 100644 index 0000000..89da3d6 --- /dev/null +++ b/hosts/sausebiene/esphome.nix @@ -0,0 +1,59 @@ +{ + config, + globals, + ... +}: +let + esphomeDomain = "esphome.${globals.domains.personal}"; +in +{ + wireguard.proxy-home.firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [ + config.services.esphome.port + ]; + + environment.persistence."/persist".directories = [ + { + directory = "/var/lib/private/esphome"; + mode = "0700"; + } + ]; + + globals.services.esphome.domain = esphomeDomain; + # globals.monitoring.http.esphome = { + # url = "https://${esphomeDomain}"; + # expectedBodyRegex = "esphome"; + # network = "internet"; + # }; + + topology.self.services.esphome.info = "https://${esphomeDomain}"; + services.esphome = { + enable = true; + address = "0.0.0.0"; + port = 3001; + }; + + nodes.ward-web-proxy = { + services.nginx = { + upstreams."esphome" = { + servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.esphome.port}" = { }; + extraConfig = '' + zone esphome 64k; + keepalive 2; + ''; + }; + virtualHosts.${esphomeDomain} = { + forceSSL = true; + useACMEWildcardHost = true; + locations."/" = { + proxyPass = "http://esphome"; + proxyWebsockets = true; + }; + extraConfig = '' + allow ${globals.net.home-lan.vlans.home.cidrv4}; + allow ${globals.net.home-lan.vlans.home.cidrv6}; + deny all; + ''; + }; + }; + }; +} diff --git a/hosts/zackbiene/home-assistant.nix b/hosts/sausebiene/home-assistant.nix similarity index 61% rename from hosts/zackbiene/home-assistant.nix rename to hosts/sausebiene/home-assistant.nix index 66e7c19..23aab33 100644 --- a/hosts/zackbiene/home-assistant.nix +++ b/hosts/sausebiene/home-assistant.nix @@ -7,7 +7,7 @@ ... }: let - homeDomain = "home.${globals.domains.me}"; + homeassistantDomain = "home.${globals.domains.personal}"; fritzboxDomain = "fritzbox.${globals.domains.me}"; in { 
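Review bot: `address = "0.0.0.0";` in `services.esphome` makes the dashboard listen on every interface, and this commit also attaches the host to the services, home, devices and iot VLANs, while the only client shown is the ward-web-proxy upstream at `config.wireguard.proxy-home.ipv4`. Reachability from the VLANs therefore depends on the nftables rules alone, and no dashboard login is configured in this hunk. Binding to the tunnel address, `address = config.wireguard.proxy-home.ipv4;`, would keep the port off the VLAN interfaces even if a later firewall rule widens access. Whether the unit is ordered after the WireGuard interface is not visible here and would need checking. The nginx `allow`/`deny all` block is the only access control for this service, which a short comment there should say.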
@@ -24,11 +24,17 @@ in } ]; - topology.self.services.home-assistant.info = "https://${homeDomain}"; + globals.services.home-assistant.domain = homeassistantDomain; + # globals.monitoring.http.homeassistant = { + # url = "https://${homeasisstantDomain}"; + # expectedBodyRegex = "homeassistant"; + # network = "internet"; + # }; + + topology.self.services.home-assistant.info = "https://${homeassistantDomain}"; services.home-assistant = { enable = true; extraComponents = [ - "default_config" "radio_browser" "met" "esphome" @@ -38,8 +44,27 @@ in "matter" #"zha" "mqtt" + "ollama" ]; + + customLovelaceModules = + let + mods = pkgs.home-assistant-custom-lovelace-modules; + in + [ + mods.bubble-card + mods.weather-card + mods.mini-graph-card + mods.card-mod + mods.mushroom + mods.multiple-entity-row + mods.button-card + mods.weather-chart-card + mods.hourly-weather + ]; + config = { + default_config = { }; http = { server_host = [ "0.0.0.0" ]; server_port = 8123; 
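Review bot: The commented-out `globals.monitoring.http.homeassistant` block refers to `homeasisstantDomain`, which does not match the `homeassistantDomain` binding this commit introduces, so uncommenting it as written would fail evaluation on an undefined variable. Fix the spelling now, `#   url = "https://${homeassistantDomain}";`, and add a one-line comment saying why the check is disabled so it is not forgotten.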
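Review bot: `default_config = { };` under `config` turns on Home Assistant's whole default integration set, whereas the previous file enabled a hand-picked subset and left `cloud`, `conversation`, `media_source` and `usb` commented out (that list is removed in the `@@ -56,56 +81,37 @@` hunk). If those exclusions were deliberate, this widens the attack surface of a service that listens on `server_host = [ "0.0.0.0" ]` on a host now attached to several VLANs. Keep the explicit list, or add a comment next to `default_config` such as `# full default set is intentional; cloud/usb/media_source are accepted`. The new `"ollama"` component would also benefit from a comment naming the endpoint it is expected to talk to, which is not visible in this hunk.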
@@ -56,56 +81,37 @@ in time_zone = "Europe/Berlin"; unit_system = "metric"; #external_url = "https://"; - packages = { - manual = "!include manual.yaml"; - }; + packages.manual = "!include manual.yaml"; }; - #### only selected components from default_config #### - - assist_pipeline = { }; - backup = { }; - bluetooth = { }; - config = { }; - #cloud = {}; - #conversation = {}; - dhcp = { }; - energy = { }; - history = { }; - homeassistant_alerts = { }; - logbook = { }; - #media_source = {}; - mobile_app = { }; - my = { }; - ssdp = { }; - stream = { }; - sun = { }; - #usb = {}; - webhook = { }; - zeroconf = { }; - - ### Components not from default_config + lovelace.mode = "yaml"; frontend = { - #themes = "!include_dir_merge_named themes"; + themes = "!include_dir_merge_named themes"; }; + "automation ui" = "!include automations.yaml"; + + # influxdb = { + # api_version = 2; + # host = globals.services.influxdb.domain; + # port = "443"; + # max_retries = 10; + # ssl = true; + # verify_ssl = true; + # token = "!secret influxdb_token"; + # organization = "home"; + # bucket = "home_assistant"; + # }; - influxdb = { - api_version = 2; - host = globals.services.influxdb.domain; - port = "443"; - max_retries = 10; - ssl = true; - verify_ssl = true; - token = "!secret influxdb_token"; - organization = "home"; - bucket = "home_assistant"; - }; }; extraPackages = python3Packages: with python3Packages; [ psycopg2 gtts + fritzconnection + adguardhome + zlib-ng + pymodbus ]; }; 
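Review bot: `lovelace.mode = "yaml";` and `"automation ui" = "!include automations.yaml";` make startup depend on files in the Home Assistant state directory that nothing in the visible hunks creates; a missing `automations.yaml` is a configuration error rather than an empty list. If the files are provisioned elsewhere (the enclosing `config` attribute set starts outside this hunk), a comment saying where would be enough; otherwise they need to be created before the service starts. The commented-out `influxdb` block should carry a reason, for example `# TODO: re-enable influxdb export; hass-influxdb-token is unused until then`.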
@@ -138,20 +144,20 @@ in group = "hass"; }; - nodes.sire-influxdb = { - # Mirror the original secret on the influx host - age.secrets."hass-influxdb-token-${config.node.name}" = { - inherit (config.age.secrets.hass-influxdb-token) rekeyFile; - mode = "440"; - group = "influxdb2"; - }; - - services.influxdb2.provision.organizations.home.auths."home-assistant (${config.node.name})" = { - readBuckets = [ "home_assistant" ]; - writeBuckets = [ "home_assistant" ]; - tokenFile = nodes.sire-influxdb.config.age.secrets."hass-influxdb-token-${config.node.name}".path; - }; - }; + # nodes.sire-influxdb = { + # # Mirror the original secret on the influx host + # age.secrets."hass-influxdb-token-${config.node.name}" = { + # inherit (config.age.secrets.hass-influxdb-token) rekeyFile; + # mode = "440"; + # group = "influxdb2"; + # }; + # + # services.influxdb2.provision.organizations.home.auths."home-assistant (${config.node.name})" = { + # readBuckets = [ "home_assistant" ]; + # writeBuckets = [ "home_assistant" ]; + # tokenFile = nodes.sire-influxdb.config.age.secrets."hass-influxdb-token-${config.node.name}".path; + # }; + # }; # Connect to fritzbox via https proxy (to ensure valid cert) networking.hosts.${globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv4} = [ @@ -168,7 +174,7 @@ in keepalive 2; ''; }; - virtualHosts.${homeDomain} = { + virtualHosts.${homeassistantDomain} = { forceSSL = true; useACMEWildcardHost = true; locations."/" = { diff --git a/hosts/sausebiene/mosquitto.nix b/hosts/sausebiene/mosquitto.nix new file mode 100644 index 0000000..aa02959 --- /dev/null +++ b/hosts/sausebiene/mosquitto.nix 
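Review bot: The `nodes.sire-influxdb` provisioning is commented out here, yet the commit's file list still adds `secrets/generated/sausebiene/hass-influxdb-token.age` and a rekeyed copy for this host. If the `age.secrets` entry closing in the context lines above is that token (its definition starts outside the hunk), a credential that nothing consumes is still decrypted on the machine with group `hass`. Either drop the secret until the export returns, or replace the commented block with a single line such as `# TODO: restore influxdb auth provisioning together with the influxdb export`, so the unused token is a documented, temporary state.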
@@ -0,0 +1,42 @@
+{ config, ... }:
+{
+ age.secrets.mosquitto-pw-home-assistant = {
+ mode = "440";
+ owner = "hass";
+ group = "mosquitto";
+ generator.script = "alnum";
+ };
+
+ services.mosquitto = {
+ enable = true;
+ persistence = true;
+ listeners = [
+ {
+ acl = [ "pattern readwrite #" ];
+ users = {
+ # zigbee2mqtt = {
+ # passwordFile = config.age.secrets.mosquitto-pw-zigbee2mqtt.path;
+ # acl = [ "readwrite #" ];
+ # };
+ home_assistant = {
+ passwordFile = config.age.secrets.mosquitto-pw-home-assistant.path;
+ acl = [ "readwrite #" ];
+ };
+ };
+ settings.allow_anonymous = false;
+ }
+ ];
+ };
+
+ networking.nftables.firewall.rules = {
+ # Allow devices and iot VLANs to access the MQTT server
+ access-mqtt = {
+ from = [
+ "vlan-devices"
+ "vlan-iot"
+ ];
+ to = [ "local" ];
+ allowedTCPPorts = [ 1883 ];
+ };
+ };
+}
diff --git a/hosts/sausebiene/net.nix b/hosts/sausebiene/net.nix
index 34cfd45..d14e0ff 100644
--- a/hosts/sausebiene/net.nix
+++ b/hosts/sausebiene/net.nix
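Review bot: The listener-level `acl = [ "pattern readwrite #" ];` gives every authenticated client read and write on all topics, which makes the per-user `acl` entries meaningless, and the new `access-mqtt` rule opens port 1883 to `vlan-devices` and `vlan-iot`. With `home_assistant` as the only defined user, any device on those VLANs that needs the broker would have to share Home Assistant's password, and 1883 carries it in cleartext unless TLS is configured somewhere not shown here. Drop the pattern line so that access comes only from each user's own `acl`, and give device classes their own users with topic-scoped entries. `home_assistant` can keep `acl = [ "readwrite #" ];` if it really needs the full tree. A comment on the commented-out `zigbee2mqtt` user saying whether it will return would also help.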
@@ -1,42 +1,110 @@ { config, + globals, + lib, ... }: +let + localVlans = lib.genAttrs [ "services" "home" "devices" "iot" ] ( + x: globals.net.home-lan.vlans.${x} + ); +in { networking.hostId = config.repo.secrets.local.networking.hostId; - # FIXME: aaaaaaaaa - # globals.monitoring.ping.sausebiene = { - # hostv4 = lib.net.cidr.ip globals.net.home-lan.vlans.services.hosts.sausebiene.cidrv4; - # hostv6 = lib.net.cidr.ip globals.net.home-lan.vlans.services.hosts.sausebiene.cidrv6; - # network = "home-lan.vlans.services"; - # }; + globals.monitoring.ping.sausebiene = { + hostv4 = lib.net.cidr.ip globals.net.home-lan.vlans.services.hosts.sausebiene.cidrv4; + hostv6 = lib.net.cidr.ip globals.net.home-lan.vlans.services.hosts.sausebiene.cidrv6; + network = "home-lan.vlans.services"; + }; boot.initrd.availableKernelModules = [ "8021q" ]; boot.initrd.systemd.network = { enable = true; + netdevs."30-vlan-services" = { + netdevConfig = { + Kind = "vlan"; + Name = "vlan-services"; + }; + vlanConfig.Id = globals.net.home-lan.vlans.services.id; + }; networks = { - inherit (config.systemd.network.networks) "10-lan"; + "10-lan" = { + matchConfig.Name = "lan"; + networkConfig.LinkLocalAddressing = "no"; + linkConfig.RequiredForOnline = "carrier"; + vlan = [ "vlan-services" ]; + }; + "30-vlan-services" = { + address = [ + globals.net.home-lan.vlans.services.hosts.sausebiene.cidrv4 + globals.net.home-lan.vlans.services.hosts.sausebiene.cidrv6 + ]; + gateway = [ globals.net.home-lan.vlans.services.hosts.ward.ipv4 ]; + matchConfig.Name = "vlan-services"; + networkConfig = { + IPv6PrivacyExtensions = "yes"; + MulticastDNS = true; + }; + linkConfig.RequiredForOnline = "routable"; + }; }; }; - systemd.network.networks = { - "10-lan" = { - address = [ "192.168.1.17/24" ]; - gateway = [ "192.168.1.1" ]; - matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac; - networkConfig = { - IPv6PrivacyExtensions = "yes"; - MulticastDNS = true; + systemd.network.netdevs = 
lib.flip lib.concatMapAttrs localVlans ( + vlanName: vlanCfg: { + # Add an interface for each VLAN + "30-vlan-${vlanName}" = { + netdevConfig = { + Kind = "vlan"; + Name = "vlan-${vlanName}"; + }; + vlanConfig.Id = vlanCfg.id; }; - linkConfig.RequiredForOnline = "routable"; - }; - }; + } + ); + + systemd.network.networks = + { + "10-lan" = { + matchConfig.Name = "lan"; + # This interface should only be used from attached vlans. + # So don't acquire a link local address and only wait for + # this interface to gain a carrier. + networkConfig.LinkLocalAddressing = "no"; + linkConfig.RequiredForOnline = "carrier"; + vlan = map (name: "vlan-${name}") (builtins.attrNames localVlans); + }; + } + // lib.flip lib.concatMapAttrs localVlans ( + vlanName: vlanCfg: { + "30-vlan-${vlanName}" = { + address = [ + vlanCfg.hosts.sausebiene.cidrv4 + vlanCfg.hosts.sausebiene.cidrv6 + ]; + gateway = [ vlanCfg.hosts.ward.ipv4 ]; + matchConfig.Name = "vlan-${vlanName}"; + networkConfig = { + IPv6PrivacyExtensions = "yes"; + MulticastDNS = true; + }; + linkConfig.RequiredForOnline = "routable"; + }; + } + ); networking.nftables.firewall = { - zones.untrusted.interfaces = [ "lan" ]; + zones = + { + untrusted.interfaces = [ "vlan-services" ]; + } + // lib.flip lib.concatMapAttrs localVlans ( + vlanName: _: { + "vlan-${vlanName}".interfaces = [ "vlan-${vlanName}" ]; + } + ); }; - # Allow accessing influx - wireguard.proxy-sentinel.client.via = "sentinel"; + wireguard.proxy-home.client.via = "ward"; } diff --git a/hosts/zackbiene/secrets/home-assistant-secrets.yaml.age b/hosts/sausebiene/secrets/home-assistant-secrets.yaml.age similarity index 100% rename from hosts/zackbiene/secrets/home-assistant-secrets.yaml.age rename to hosts/sausebiene/secrets/home-assistant-secrets.yaml.age diff --git a/hosts/sausebiene/secrets/host.pub b/hosts/sausebiene/secrets/host.pub index e0788b4..8929c95 100644 --- a/hosts/sausebiene/secrets/host.pub +++ b/hosts/sausebiene/secrets/host.pub 
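Review bot: Every generated `30-vlan-${vlanName}` network sets `gateway = [ vlanCfg.hosts.ward.ipv4 ];`, so the host gets a default route on each of the services, home, devices and iot VLANs and outbound traffic may leave through a less trusted segment than intended. Restrict the default route to one VLAN, for example `gateway = lib.optionals (vlanName == "services") [ vlanCfg.hosts.ward.ipv4 ];`. `MulticastDNS = true` is likewise applied to all four networks; if discovery is needed only on some of them, set it per VLAN or add a comment naming the ones that require it. In `networking.nftables.firewall.zones`, the `vlan-services` interface is placed both in `untrusted` and in its own generated zone, and a one-line comment stating that this overlap is intended would save the next reader from guessing which rules apply.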
@@ -1 +1 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIC+ziFZSELVG9MmbkMDE9xwKHlm4lnr2uHtVNXk+rTu +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBDwxSNMyY1EF+xQP+hQ/d/mfK6PapwUWiuDtvealr0 diff --git a/hosts/sentinel/postgresql.nix b/hosts/sentinel/postgresql.nix index 18fd15c..ad050d7 100644 --- a/hosts/sentinel/postgresql.nix +++ b/hosts/sentinel/postgresql.nix @@ -4,7 +4,7 @@ enable = true; package = pkgs.postgresql_16_jit; - # Doesn't work with plausible, since it wants to connect as the postgres + # Doesn't work with plausible, since it wants to connect as the postgres user # for some (probably unecessary) reason. # # authentication = lib.mkForce '' 
diff --git a/hosts/sentinel/secrets/local.nix.age b/hosts/sentinel/secrets/local.nix.age index 711dec8f4a3a23518c1680d5e0655778944af657..f447518406b438899c6ce2f97f60b94896fb9f60 100644 GIT binary patch delta 801 zcmV++1K#|N2DAo{Ab)m8H)(cuP)|y2VM=6lM090RZcJ)JLRCj`Nib76W_2|%XhLK( zbXGWSK?-klYF1c7a7j)=c0ol}W<^M3FELLsOJqZCMnXencu6Zrcvw(KN@YYsa|$g! zAaH4REpRe5HXwL$Q)M_&AVG6yZAdF-H%xV5NjOL`Su{pUP=88VT4*yddQxvyZ&yz< zMs99SL``IJQAG+tZbEZIYc^0vH*YshYO3N0-yAaO!NOKEFrS9C*ID_Jyf zOl4Mty$+D&>}#)ytn= z1Z5hcpMN8}@k*yB+S0Al$d}c>XU^bd1i>WcHF%-{3slt~qZpWJ)c+y14UDS3^-U?R zT{_Kf)0BpA-{`5}Z-*OAiwjDEbgWrggKYzN0{iGOY%G!G%Z3?Q`}QL2Us@KtTqC|EM# zd4{C!V4Ap4&_YjrmxNeAGr}e+%RbJLjE{fD)G)Ir6!h^TO}_xHSS-2BqZ{lpv+Jbt ze(br(F~9j*y0*Yk5O1Zg$dzRzdK^$Ls{`lK^;hy|e@%Ik9 f5E?rKUpm8oju#T{p(po@_^wOVmZrSgVc`^j|1eYZ delta 761 zcmVb7de=NiIe>Mj&w@G;KNxSvO2kS#WblNiVc@9b zO)+@wFMSYT+rXI{N5F^?r5(`gGU0i5-q<8a_UH$%dJgb|PA%;7V~n1WVpnQsTA@>` zK&TtC1rIlT9!1-`*PFxo^lmel7b>CMeUSELG6tJ#s)A`X=h^AX#p z@8VI7ntvqU30v{1dIXLY)nFaMI{lW`Dp7Awr!3cMN(HdyrBKtD;~N3kpD*S(E3bj< z{KC?|5q>}XTn}0e$=>Kvws*_`&h!q7WYoEH*q=lv)Bu~u35kR${a{@w4r6_)c4csbN@i7j_=>6WkVRGWAZ}IUQC3-^lS?Af^$mk6=+aP^e zyuM88WE$RJ^G?8Bjj$ZoP`p9O)eXn36xMHUa+z56rZcx~Ri9x~u`4=s{4h^=SXcpx rbkMU@l*7wTl%EVjoX X25519 NIQfcq9fdcwAm3/7bqVw9XKuHxH6r2r7Lbqjjr/u+2w -Cfz/aTYCh4gNWo+dOzDKXNBaAlt0W/aqTb30ho/i5nM --> piv-p256 xqSe8Q Al+FYiIKhA9B31HjuxCNE65MfYWKIxO+ZefbPsDWljxu -+K47WX1YQpRkvIzR4ALVucSj21YIv9WUluEQ62ccEWk --> a"CCg7E9-grease ~ &+9|O -fuXdG2v+8S2Bti9ifpvRPfRZfh9ioXzOuYXcPkyPynbQPy2isAksKx83FgQeRoID -VHH/CKTjy/qFCDec9MXX2i9GCWWrva1n2tfOXl9kh2IZ1Zl2te2rsA ---- Tg/N4zk19YF7LCLd9wb95nyQJs0B59SHO4nh76xif0c -N9ޝ}w2 Q/zbCAu{O&iR,E19=єӇM CpF:9="[ߖ6&}3E&%YA))Ĵ͇m -_oV@U*Q1_L \ No newline at end of file +-> X25519 NeZ/7R8+CU7toGb1FkB7QwVloo1McdlWTuCxjN/sK38 +WPiUyA6EZgPSu3quzi7X+7kCcye96TT1bTd0VmxrYLg +-> piv-p256 xqSe8Q AiXv0jbX7EQwvBec7xW0GG8dTN1c+bKc+pTyDI/g/srU +l1EaAd6JJYVR5HzJCZqDySb/LyD19sqc7gxR0mKoRjk +-> bO76-grease 
+HwGf1RlEpc/KEI3vmJwMRSTsZOlukX6hWN4K5VVuuDWh+wxyPD9Sm7cwlzV9p2tZ +XheXpkX3mFHB/ayZL+i48Qo1Fzeti3ZjNMolKBKKRWLqUAGEEVAvJg +--- aEo4S/06W/U+PLhGzF1Ff6f4O3GIqcrH2X+To428ShE +c {`VyMxK.UiO,)c0f4J;g}'ljN2ov ߗ^$07v լ8p\ө|Kv- }U>f7b߰d7L޻)s1GqƉd0GLɃP@y*o \ No newline at end of file diff --git a/hosts/zackbiene/default.nix b/hosts/zackbiene/default.nix deleted file mode 100644 index d0aa7e6..0000000 --- a/hosts/zackbiene/default.nix +++ /dev/null @@ -1,61 +0,0 @@ -{ - config, - globals, - lib, - nodes, - ... -}: -let - sentinelCfg = nodes.sentinel.config; - wardWebProxyCfg = nodes.ward-web-proxy.config; -in -{ - imports = [ - ../../config - ../../config/hardware/odroid-n2plus.nix - ../../config/hardware/physical.nix - ../../config/optional/zfs.nix - - #./esphome.nix - ./fs.nix - ./home-assistant.nix - ./hostapd.nix - #./mosquitto.nix - ./kea.nix - ./net.nix - #./zigbee2mqtt.nix - ]; - - topology.self.name = "🥔  zackbiene"; # yes this is 2x U+2009, don't ask (satori 🤬). - topology.self.hardware.image = ../../topology/images/odroid-n2plus.png; - topology.self.hardware.info = "O-Droid N2+"; - - nixpkgs.hostPlatform = "aarch64-linux"; - boot.mode = "efi"; - - meta.promtail = { - enable = true; - proxy = "sentinel"; - }; - - # Connect safely via wireguard to skip http authentication - networking.hosts.${ - if config.wireguard ? proxy-home then - wardWebProxyCfg.wireguard.proxy-home.ipv4 - else - sentinelCfg.wireguard.proxy-sentinel.ipv4 - } = [ globals.services.influxdb.domain ]; - - meta.telegraf = { - enable = true; - influxdb2 = { - inherit (globals.services.influxdb) domain; - organization = "machines"; - bucket = "telegraf"; - node = "sire-influxdb"; - }; - }; - - # Fails if there are no SMART devices - services.smartd.enable = lib.mkForce false; -} diff --git a/hosts/zackbiene/esphome.nix b/hosts/zackbiene/esphome.nix deleted file mode 100644 index 9a85925..0000000 --- a/hosts/zackbiene/esphome.nix +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - config, - nodes, - ... -}: -let - sentinelCfg = nodes.sentinel.config; - esphomeDomain = "esphome.${sentinelCfg.repo.secrets.global.domains.personal}"; -in -{ - environment.persistence."/persist".directories = [ - { - directory = "/var/lib/private/esphome"; - mode = "0700"; - } - ]; - - topology.self.services.esphome.info = "https://${esphomeDomain}"; - services.esphome = { - enable = true; - enableUnixSocket = true; - #allowedDevices = lib.mkForce ["/dev/serial/by-id/usb-Silicon_Labs_CP2102_USB_to_UART_Bridge_Controller_0001-if00-port0"]; - # TODO instead deny the zigbee device - }; - - #security.acme.certs."home.${personalDomain}".extraDomainNames = [ - # "esphome.home.${personalDomain}" - #]; - systemd.services.nginx = { - serviceConfig.SupplementaryGroups = [ "esphome" ]; - requires = [ "esphome.service" ]; - }; - - services.nginx = { - upstreams."esphome" = { - servers."unix:/run/esphome/esphome.sock" = { }; - extraConfig = '' - zone esphome 64k; - keepalive 2; - ''; - }; - virtualHosts."${esphomeDomain}" = { - forceSSL = true; - #enableACME = true; - sslCertificate = config.age.secrets."selfcert.crt".path; - sslCertificateKey = config.age.secrets."selfcert.key".path; - locations."/" = { - proxyPass = "http://esphome"; - proxyWebsockets = true; - }; - # TODO dynamic definitions for the "local" network, IPv6 - extraConfig = '' - deny all; - ''; - }; - }; -} diff --git a/hosts/zackbiene/fs.nix b/hosts/zackbiene/fs.nix deleted file mode 100644 index 25d546c..0000000 --- a/hosts/zackbiene/fs.nix +++ /dev/null 
@@ -1,29 +0,0 @@
-{
- config,
- lib,
- ...
-}:
-let
- inherit (config.repo.secrets.local) disks;
-in
-{
- disko.devices = {
- disk = {
- mmc = {
- type = "disk";
- device = "/dev/disk/by-id/${disks.mmc}";
- content = {
- type = "gpt";
- partitions = {
- efi = lib.disko.gpt.partEfi "1G";
- swap = lib.disko.gpt.partSwap "8G";
- rpool = lib.disko.gpt.partLuksZfs disks.mmc "rpool" "100%";
- };
- };
- };
- };
- zpool = {
- rpool = lib.disko.zfs.mkZpool { datasets = lib.disko.zfs.impermanenceZfsDatasets; };
- };
- };
-}
diff --git a/hosts/zackbiene/hostapd.nix b/hosts/zackbiene/hostapd.nix
deleted file mode 100644
index f242254..0000000
--- a/hosts/zackbiene/hostapd.nix
+++ /dev/null
@@ -1,43 +0,0 @@
-{ config, ... }:
-{
- # Associates a mandatory and unique password to each client
- # TODO: autogenerate? via secret generators and derived secrets?
- age.secrets.wifi-clients.rekeyFile = ./secrets/wifi-clients.age;
-
- hardware.wirelessRegulatoryDatabase = true;
-
- services.hostapd = {
- enable = true;
- radios.wlan1 = {
- band = "2g";
- countryCode = "DE";
- channel = 13; # Automatic Channel Selection (ACS) is unfortunately not implemented for mt7612u.
- wifi4.capabilities = [
- "LDPC"
- "HT40+"
- "HT40-"
- "GF"
- "SHORT-GI-20"
- "SHORT-GI-40"
- "TX-STBC"
- "RX-STBC1"
- ];
- networks.wlan1 = {
- inherit (config.repo.secrets.local.hostapd) ssid;
- macAcl = "allow";
- apIsolate = true;
- authentication = {
- saePasswordsFile = config.age.secrets.wifi-clients.path;
- saeAddToMacAllow = true;
- enableRecommendedPairwiseCiphers = true;
- };
- bssid = "00:c0:ca:b1:4f:9f";
- };
- #networks.wlan1-2 = {
- # inherit (config.repo.secrets.local.hostapd) ssid;
- # authentication.mode = "none";
- # bssid = "02:c0:ca:b1:4f:9f";
- #};
- };
- };
-}
diff --git a/hosts/zackbiene/kea.nix b/hosts/zackbiene/kea.nix
deleted file mode 100644
index 3b1fe6b..0000000
--- a/hosts/zackbiene/kea.nix
+++ /dev/null
@@ -1,54 +0,0 @@
-{
- lib,
- utils,
- ...
-}:
-let
- inherit (lib) net;
- iotCidrv4 = "10.0.90.0/24"; # FIXME: make all subnet allocations accessible via global.net or smth
-in
-{
- environment.persistence."/persist".directories = [
- {
- directory = "/var/lib/private/kea";
- mode = "0700";
- }
- ];
-
- services.kea.dhcp4 = {
- enable = true;
- settings = {
- lease-database = {
- name = "/var/lib/kea/dhcp4.leases";
- persist = true;
- type = "memfile";
- };
- valid-lifetime = 86400;
- renew-timer = 3600;
- interfaces-config = {
- interfaces = [ "wlan1" ];
- service-sockets-max-retries = -1;
- };
- subnet4 = [
- {
- id = 1;
- interface = "wlan1";
- subnet = iotCidrv4;
- pools = [
- { pool = "${net.cidr.host 20 iotCidrv4} - ${net.cidr.host (-6) iotCidrv4}"; }
- ];
- option-data = [
- {
- name = "routers";
- data = net.cidr.host 1 iotCidrv4;
- }
- ];
- }
- ];
- };
- };
-
- systemd.services.kea-dhcp4-server.after = [
- "sys-subsystem-net-devices-${utils.escapeSystemdPath "wlan1"}.device"
- ];
-}
diff --git a/hosts/zackbiene/mosquitto.nix b/hosts/zackbiene/mosquitto.nix
deleted file mode 100644
index fa82b3b..0000000
--- a/hosts/zackbiene/mosquitto.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-{ config, ... }:
-{
- age.secrets.mosquitto-pw-zigbee2mqtt = {
- rekeyFile = ./secrets/mosquitto-pw-zigbee2mqtt.age;
- mode = "440";
- owner = "zigbee2mqtt";
- group = "mosquitto";
- };
- age.secrets.mosquitto-pw-home_assistant = {
- rekeyFile = ./secrets/mosquitto-pw-home_assistant.age;
- mode = "440";
- owner = "hass";
- group = "mosquitto";
- };
-
- services.mosquitto = {
- enable = true;
- persistence = true;
- listeners = [
- {
- acl = [ "pattern readwrite #" ];
- users = {
- zigbee2mqtt = {
- passwordFile = config.age.secrets.mosquitto-pw-zigbee2mqtt.path;
- acl = [ "readwrite #" ];
- };
- home_assistant = {
- passwordFile = config.age.secrets.mosquitto-pw-home_assistant.path;
- acl = [ "readwrite #" ];
- };
- };
- settings.allow_anonymous = false;
- }
- ];
- };
-}
diff --git a/hosts/zackbiene/net.nix b/hosts/zackbiene/net.nix
deleted file mode 100644
index 0c44fdf..0000000
--- a/hosts/zackbiene/net.nix
+++ /dev/null
@@ -1,94 +0,0 @@ -{ - config, - globals, - lib, - ... -}: -let - iotCidrv4 = "10.90.0.0/24"; - iotCidrv6 = "fd00:90::/64"; -in -{ - networking.hostId = config.repo.secrets.local.networking.hostId; - - globals.monitoring.ping.zackbiene = { - hostv4 = "zackbiene.local"; - hostv6 = "zackbiene.local"; - network = "home-lan.vlans.services"; - }; - - wireguard.proxy-home.client.via = "ward"; - - boot.initrd.systemd.network = { - enable = true; - networks = { - inherit (config.systemd.network.networks) "10-lan1"; - }; - }; - - systemd.network.networks = { - "10-lan1" = { - DHCP = "yes"; - dhcpV4Config.UseDNS = false; - dhcpV6Config.UseDNS = false; - ipv6AcceptRAConfig.UseDNS = false; - matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan1.mac; - networkConfig = { - IPv6PrivacyExtensions = "yes"; - MulticastDNS = true; - }; - linkConfig.RequiredForOnline = "routable"; - }; - "10-wlan1" = { - address = [ - (lib.net.cidr.hostCidr 1 iotCidrv4) - (lib.net.cidr.hostCidr 1 iotCidrv6) - ]; - matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.wlan1.mac; - networkConfig = { - IPv4Forwarding = "yes"; - IPv6PrivacyExtensions = "yes"; - IPv6SendRA = true; - MulticastDNS = true; - }; - # Announce a static prefix - ipv6Prefixes = [ - { Prefix = iotCidrv6; } - ]; - linkConfig.RequiredForOnline = "no"; - }; - }; - - networking.nftables.firewall = { - snippets.nnf-icmp.ipv6Types = [ - "mld-listener-query" - "nd-router-solicit" - ]; - - zones = { - untrusted.interfaces = [ "lan1" ]; - lan-interface.interfaces = [ "lan1" ]; - lan = { - parent = "lan-interface"; - ipv4Addresses = [ globals.net.home-lan.vlans.services.cidrv4 ]; - ipv6Addresses = [ globals.net.home-lan.vlans.services.cidrv6 ]; - }; - iot.interfaces = [ "wlan1" ]; - }; - - rules = { - masquerade-iot = { - from = [ "lan" ]; - to = [ "iot" ]; - masquerade = true; - }; - - outbound = { - from = [ "lan" ]; - to = [ "iot" ]; - late = true; # Only accept after any rejects have been 
processed - verdict = "accept"; - }; - }; - }; -} diff --git a/hosts/zackbiene/secrets/host.pub b/hosts/zackbiene/secrets/host.pub deleted file mode 100644 index b694d85..0000000 --- a/hosts/zackbiene/secrets/host.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILaKQa+gcGMvtm9d1LM11lvsXRtE3Tvo+o40nG+eXYgo diff --git a/hosts/zackbiene/secrets/local.nix.age b/hosts/zackbiene/secrets/local.nix.age deleted file mode 100644 index 8fdcd2f..0000000 --- a/hosts/zackbiene/secrets/local.nix.age +++ /dev/null @@ -1,11 +0,0 @@ -age-encryption.org/v1 --> X25519 tE4e6O7Qv5OeZYC9hPYaN7SdCDq1Nl9rYBkGfKHo2XM -b7c3Hwfvm8GmRjpe/0I1FbADK6S5ZI9axR7cLO9kja8 --> piv-p256 xqSe8Q Ar49h1MV117LH71oyK7kkBpKJv4t1XyDrNxWOK6cAMTL -xkQzAhG8snR+B+Bzv1OIYScslCN7yKk2iMvWH/WyRm4 --> `G&J4E-grease 5AwMc]> Tgl>j1Z: -GShgbkXFvntIBUbz2aSg4QHWdLvyxSg ---- tAQKeRaBrOxd7wnnfMn2M36WlqzFFl7GZxak7wUkg+s -c?"ePr]>%()ӊIB -nܑIŽgAvʮg9wVFZr4}1QZ31 ٧[S$}j_VSe+ H/ -bLYUiaY|h8Tr-;'Y~/'ATQ7ƨ{{xX`&qHhwØxvr"hSXY9f#,# U[KIƜ:j7=WH/'C aDqm$`?j%: \ No newline at end of file diff --git a/hosts/zackbiene/secrets/mosquitto-pw-home_assistant.age b/hosts/zackbiene/secrets/mosquitto-pw-home_assistant.age deleted file mode 100644 index c4626c82ac8105e4026eca347764ef9642fce246..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 356 zcmWm8J4}O606gHs!NC|~JKy2lo&`zh8DWCPj_+;xp+!w;jLhR2lg-i`UaiS=tV>$A zol?dI1)Pb@IlkR;y@5;FiCIqRKx;P_mBnI4A%aFUw)|?RL`-%Yj{_O9051@#qH!}eL(y!`9>x-q)c`qD~ zUXN%KD{`}3t4=5-t+VHg!^E6`nd-?%N+AywhDFJ&H`9%RZba77@^?AX3Sn;qafje1 z5!P8OkR(2pVmlD}t+d1Ofe`!MuEM8!Ockk#4I|K3-G;pf`HEPJu=&dI>uBfdTD-Z# v!2Rvn!P@1a%RReZ*?s!r{@zZ0FCM<Q diff --git a/hosts/zackbiene/secrets/mosquitto-pw-zigbee2mqtt.age b/hosts/zackbiene/secrets/mosquitto-pw-zigbee2mqtt.age deleted file mode 100644 index 5d4df35..0000000 --- a/hosts/zackbiene/secrets/mosquitto-pw-zigbee2mqtt.age +++ /dev/null 
@@ -1,11 +0,0 @@ -age-encryption.org/v1 --> X25519 fnG14tqQJow7aCttB48iukNYbIENNYSCOdnGmzsUR08 -CUgbzHmMTVDjVvwXoJ1Li1HJuCQcexOwTA8vyI1qBy0 --> piv-p256 xqSe8Q A2lUZF0cZPhAduYPGQg/vrpLPVidJQuIXMh1KCIw2fJu -SVtOdeJXECGJtNsJkDGnrljvO1xWqmCueMS7dISppP0 --> 97L6-grease 9 Uv0 :8=|& -5sV9Y2boLn0oRELbKB1PHp/1YbofZfNprKwUjrcXHTl2qsc02mVOVGBcoghUg7qa -z99fVBeVj+nR/E6In8lDKR7mUf7ZF8oHxIDEGQcQ9hysO3jbWFA6CMH48h9ICcen -hEI ---- gP2qI8vwLWirtwKRpx3iyNc+MUi03qQ353vfzxjYA+8 -RNc<{r2_Zj|A.*=9Cqpʕ/P@O- \ No newline at end of file diff --git a/hosts/zackbiene/secrets/mosquitto-pw-zigbee2mqtt.yaml.age b/hosts/zackbiene/secrets/mosquitto-pw-zigbee2mqtt.yaml.age deleted file mode 100644 index 10aa99485a7d2ffde371d54f61033d2f2a4e3a6a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 454 zcmWm7KaZ18003~^3=YP`^>R3zOXc{}2bP$4p-@VX_S#3m(u>hROCSFpP+m)EbBl>F zadB|COE*_Pg}Uh{aB_0+L!41_zc29fP{0J)tlSo>D9?`b60sFeG0$jM5Jg_5r)#`r z18eAa1}itM$E19o5Bg^jaHd%A4gq!)2N+LsX_8Q|<2Xw@6f78}OI0v~0VlL@(yQWp z#P%Dz)5)0M)hw@tt(&2UDy9%biLRI9pap3~Ud}c)S#12+p4Xk&%5t(v1%R7(L$1_BH>Y->GCQnL7;&IH5IHCeyng~ zTY^+C>@`4lD1gySV+~7<bWt% zdAhSO0o41SKRolU^zQ!QpQHAo{CIQ+Jve!D_384uygdFp`u*YC{@&+DGJJL0d$>P1 a(6d{I(71m4^2_Mz#h(84_1|~+`1OB#pP8xv 
diff --git a/hosts/zackbiene/secrets/wifi-clients.age b/hosts/zackbiene/secrets/wifi-clients.age deleted file mode 100644 index 4e80b3c5a3455a51f291090123561a234c4d55c5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 970 zcmV;*12z0%XJsvAZewzJaCB*JZZ2LJ9Z!&Q>H%@7D zaY0y2cr;ISOhscaR9SRzXhKRMt65H zPj7B`T1szqSV}TNS}{v;WN|iGS1<}KJ|J*ub}eu+H8vo4aZ_bDQ6NEYa(6{`RZLkn zRyAryWl=#+MK3d9WGi_|STZj}Sx;qJL2z<)VmMY~OKJ*ZR(5k*OJi$KR76-pMKwrP zSx;y)V^cJ2Qfezvd2MWTI4dhQQg~N)Y(WYwJ|H(%P%US2Wnpt=ATvmLQd}TcC1W*w zMrJc0XH835H92V@c334q3NJ}ddRk^QST8qiIW|&tSXD)LHdiw+G&gNUbZ<^kQ&&ni zYhp=QHeq9QQ&vYvH8nw5PBk)la&A&gFg8g;FA8*WVKh*7c6BRJMr$@VFH%loSTRUp zGA}hWLs$weEiE8ZQa4ydRY_AvZ*o;?M=y0}D??RmHAX~KXL?suQB_n_D^_JoPIokE zP;&~0(EV@NA@Q#215j_B3DtHc09bcF5eEcc7;B+aZ$js3;K1P;dHWf6FS(LV z2i|TP)$^s%1d5KsFq&s!e|x{HUdER_n^Q``SOa!OL>bVgi_sYx%p;wrD=P+Iugaso zMC2o{CwSx_=6pq}ZdQ#r_O=5t_nrX*alLEe`AqSF-@T>(sfYWN>(sICM!lc>?4JiP zNnj_?mo?DcFqZ=rSm@CB(%E?W8NSTM4ljNu{(t0|)6Zg+YctTg3&0}OAKVJkBR22z za_V7&LY*JJ9PSCn6nnM!tLQ?c!N%FWBFa^SycZP^>#9fyv{*7={X|?i@vyM|rw&ya zZGW=ySr2mWg43A8V)beF>^7)_=Ij_PtmVj{*l^%2v&7{_YLk* zk0cbQX5&RbHT%2f94PH(%vy*1Za8jYs;m>}yyW?k4!$emTIW@t<8 diff --git a/hosts/zackbiene/zigbee2mqtt.nix b/hosts/zackbiene/zigbee2mqtt.nix deleted file mode 100644 index 8f9a7ef..0000000 --- a/hosts/zackbiene/zigbee2mqtt.nix +++ /dev/null 
@@ -1,62 +0,0 @@
-{
- config,
- nodes,
- ...
-}:
-let
- sentinelCfg = nodes.sentinel.config;
- zigbeeDomain = "zigbee.${sentinelCfg.repo.secrets.global.domains.personal}";
-in
-{
- age.secrets."mosquitto-pw-zigbee2mqtt.yaml" = {
- rekeyFile = ./secrets/mosquitto-pw-zigbee2mqtt.yaml.age;
- mode = "440";
- owner = "zigbee2mqtt";
- group = "mosquitto";
- };
-
- #security.acme.certs."home.${personalDomain}".extraDomainNames = [
- # "zigbee.home.${personalDomain}"
- #];
- topology.self.services.zigbee2mqtt.info = "https://${zigbeeDomain}";
- services.zigbee2mqtt = {
- enable = true;
- settings = {
- advanced.log_level = "warn";
- homeassistant = true;
- permit_join = true;
- serial = {
- port = "/dev/serial/by-id/usb-Silicon_Labs_Sonoff_Zigbee_3.0_USB_Dongle_Plus_0001-if00-port0";
- };
- mqtt = {
- server = "mqtt://localhost:1883";
- user = "zigbee2mqtt";
- password = "!${config.age.secrets."mosquitto-pw-zigbee2mqtt.yaml".path} password";
- };
- # TODO once 1.30.3 is out
- # frontend.host = "/run/zigbee2mqtt/zigbee2mqtt.sock";
- frontend.port = 8072;
- };
- };
-
- services.nginx = {
- upstreams."zigbee2mqtt" = {
- servers."localhost:8072" = { };
- extraConfig = ''
- zone zigbee2mqtt 64k;
- keepalive 2;
- '';
- };
- virtualHosts."${zigbeeDomain}" = {
- forceSSL = true;
- #enableACME = true;
- sslCertificate = config.age.secrets."selfcert.crt".path;
- sslCertificateKey = config.age.secrets."selfcert.key".path;
- locations."/".proxyPass = "http://zigbee2mqtt";
- # TODO dynamic definitions for the "local" network, IPv6
- extraConfig = ''
- deny all;
- '';
- };
- };
-}
diff --git a/secrets/generated/sausebiene/hass-influxdb-token.age b/secrets/generated/sausebiene/hass-influxdb-token.age
new file mode 100644
index 0000000..d992678
--- /dev/null
+++ b/secrets/generated/sausebiene/hass-influxdb-token.age
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 UG9H+S0xpI/Vyou1YbuXyKMX24d19qjVX9GCDXLVbxE +LWCN9OS+DtTk0mXXQw0EHlZ6lOiucQVMJgPfujMCfLA +-> piv-p256 xqSe8Q AssJIIYkvCxgdCsTawal3/2iurumqH12qE2Z2ttHoWfc +5sUZ1UWpHctujljDPdGWD/WYt/NhJ+GJAZkXBn+ae74 +-> en?Kc)P5-grease +e0CbpB/vNL73y5YW9Obg4UhwinAgWti1eqFZ +--- sg68VBPPfwBX/CH4V9S0+7C5J6k7dJASqtU/nV3Vgxw +ܐmeA$33|3s&i9?g/QzWm +`9) N,n`)R.8hAK \g \ No newline at end of file diff --git a/secrets/generated/sausebiene/mosquitto-pw-home-assistant.age b/secrets/generated/sausebiene/mosquitto-pw-home-assistant.age new file mode 100644 index 0000000..8e2cff0 --- /dev/null +++ b/secrets/generated/sausebiene/mosquitto-pw-home-assistant.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> X25519 yDlbl9rQn8eSWGxhRgbbZnNCbVqI5otCFcpXkT/rxBY +/NcVIWnuVRgFjDuA+k31O1BUTWTXqeznhryn4ZNS3yc +-> piv-p256 xqSe8Q A0pQxoQ9oNNIvh6u7RKniS0XdtKpfgBSVTqOXk7m0ZF0 +v91naiUeD3119teCxIiZiWg9OPnC52H2ljKVm41lPbs +-> 'QwT}-grease gz@~< +A4gPI7r8iA3pf8w+oQ3/v1k7QtyaAOQI+7h89bqi5USqNO5HIkykCt5qq2yRQCu0 +uxKhCljFEjzJ8XxADDLmSgZFSw +--- Xrl4JEBgbG6NbfbebA/NkTh9voRrinz6U07Tr3PJiz4 +D2qkw'B~Z{Y?=rl76az>R)࠾߼ } h܌MughxW[ + \ No newline at end of file diff --git a/secrets/rekeyed/sausebiene/34864ef8aacb6e6353bdfba82d09d1d8-wireguard-proxy-sentinel-psks-sausebiene+sentinel.age b/secrets/rekeyed/sausebiene/34864ef8aacb6e6353bdfba82d09d1d8-wireguard-proxy-sentinel-psks-sausebiene+sentinel.age deleted file mode 100644 index 690554b..0000000 --- a/secrets/rekeyed/sausebiene/34864ef8aacb6e6353bdfba82d09d1d8-wireguard-proxy-sentinel-psks-sausebiene+sentinel.age +++ /dev/null 
@@ -1,7 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 lOtryw w1iYfdtWut59MAfBBPuvFt4dO+ESWN3TJBpVZ8aEWWY -HMcpeizp/s38w6Gc1lww51B2SIRnqow2TrssPK7+0Rg --> ,J\-grease 9#8Z F/xcB#; bX$ z/ -0uWc4Xf0m+BXvFlUDirseOsYmdrX3A/cdh07qAs ---- 3TRrD3GWIzIOxbISgTHBT9+ko1SMA5HMPK1kmt3UzoU - Soԧzq]tGWB% 47/K3?lM>>` ssh-ed25519 lOtryw aT/nXWhbjH9MI8TPh7ssbJD2ROFgu88TAUAOS2WDxHY -4pt8KmP6os7i5bLQiQoWUXDDUM17LJQn0RMDG66yBv0 --> F,g{i-grease ?%#)@ zA"s2 nw-2mc*( -dA ---- JezLFhE4AcS1E8TcDlKZNSNncwC8AzEbWPxBM9a1BYs -_dD6C31/$cUK۩bsb8H9Te度P%lw_7R -э' 3 \ No newline at end of file diff --git a/secrets/rekeyed/sausebiene/53f39d7f712f1c3ebef413578c00a159-home-assistant-secrets.yaml.age b/secrets/rekeyed/sausebiene/53f39d7f712f1c3ebef413578c00a159-home-assistant-secrets.yaml.age new file mode 100644 index 0000000000000000000000000000000000000000..86a0be1689e418128a1657c6c78b9080f2266210 GIT binary patch literal 392 zcmV;30eAjkXJsvAZewzJaCB*JZZ27 zEg)MjN;f-nLNOp%FA8a9GgozVIWakCS~P8XWHL-`a4U31Y)f=TXlYPEc6n)MSyf_2 zO*A!4bY}`JEiE8(LUluTOEfQLRV!~cZA4*OIAm{ES7lUhMs9ITGio+OSZixXFJwh4 zGC>MQ92c!JsN*qm)x-5y2?(YFM?nCah2Ei-H_ zAf~>Y)g;_q=xR_IJLv#Dgx{#Q6Pgg5{xmtj3&I4wEO+Cw*=}Rw;O5OtSAc%h4;Wp> mx6e5Tt>8F3z3o8H@6YgX45aV~JYOW%Dc>Z%*YX@fo=v((6O%{) literal 0 HcmV?d00001 diff --git a/secrets/rekeyed/sausebiene/58c7c17dce96a7969845baa19fe718fb-telegraf-influxdb-token.age b/secrets/rekeyed/sausebiene/58c7c17dce96a7969845baa19fe718fb-telegraf-influxdb-token.age new file mode 100644 index 0000000..c11134a --- /dev/null +++ b/secrets/rekeyed/sausebiene/58c7c17dce96a7969845baa19fe718fb-telegraf-influxdb-token.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 1JqBOg q7moiRexLIlGgAxtyJcPaPS5Zfeqmxxk/4Es+PmL2k0 +gWceWwHMIXGz5OCP7K5aPsyshXwTZOjtZvSpuUcNS4s +-> A.&-grease C`D }#P*_&r +TR1jOgFyucmKj45EbC554F8 +--- H7qFUFQRnuaI7TrJPoGhBNGZz8QcUiYFBdFeidHRWqs +1fJ^7rpz.$jOy#AGNqNaE6([`- ժD}VW>TgPOO \ No newline at end of file 
diff --git a/secrets/rekeyed/sausebiene/79db0ca2a784348d5c49ca620d10f2f0-hass-influxdb-token.age b/secrets/rekeyed/sausebiene/79db0ca2a784348d5c49ca620d10f2f0-hass-influxdb-token.age new file mode 100644 index 0000000..4e4aca4 --- /dev/null +++ b/secrets/rekeyed/sausebiene/79db0ca2a784348d5c49ca620d10f2f0-hass-influxdb-token.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 1JqBOg M+KGvzO5sOst3XBm9Rh1sdmEszJdIcRgU6K1ntg1d3Q +ASREfivGV9iIbc2U0HO6g5RTJfz06wzHErZAtm1PkO8 +-> ["-grease ({U~x a$TW& +p9cO/xzvEnpWuUk1TqYOLcPZGKmBaW+EQIsTOvA9TsauzVkEl1yhwa4OhQkx/Eyr +kBDa5A4Vss60LW7l0OlLgqBYrP62JIjW4YFDCLnbGdiqKVzNURVNDGg +--- NjOZYDOvqJse5yKaF+IkYBckPRrUcc+alQoLG1jrVJQ +5.^}r%LGi6/tC(=\i{BߚOk/fPkݥyhGr; }Nu \ No newline at end of file diff --git a/secrets/rekeyed/sausebiene/a8d47755584aba5b43ff5346409c0398-telegraf-influxdb-token.age b/secrets/rekeyed/sausebiene/a8d47755584aba5b43ff5346409c0398-telegraf-influxdb-token.age deleted file mode 100644 index 869fb77..0000000 --- a/secrets/rekeyed/sausebiene/a8d47755584aba5b43ff5346409c0398-telegraf-influxdb-token.age +++ /dev/null @@ -1,7 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 lOtryw Ca03hL7k4AtTfrDQmUb/g3Sr1yi56jk8eYD+4XOz6g8 -GFYSiZ24vLsiK5qCVvKF28kWxWWhuno3+OIRTp3h7kY --> Mrcg#(J-grease cFl0 >I gLKrt -aLXwsplsL40EqXV66Pk0V8rehw ---- 5HFB3WTo33gngrI1hMj4f7ktprlLCEVXZKkjhW/ReSg -jA>jW,ʸOΕ I%Xi\.h/Aa?bnY =1zKšBJ.9sv \ No newline at end of file diff --git a/secrets/rekeyed/sausebiene/ad206793369835b18012d7ee41c42af1-initrd_host_ed25519_key.age b/secrets/rekeyed/sausebiene/ad206793369835b18012d7ee41c42af1-initrd_host_ed25519_key.age deleted file mode 100644 index 8726840..0000000 --- a/secrets/rekeyed/sausebiene/ad206793369835b18012d7ee41c42af1-initrd_host_ed25519_key.age +++ /dev/null 
@@ -1,8 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 lOtryw /A1dsOKjndYa/t1/LwhsFCToaScX5ZteViRmepMmeSs -7SCvSxmRzw1jbKp8P1aky3zsg+bWBIQI7eq/nI9ZrvM --> 424'-grease 72cu]< I / -rZaO0zYGx6Mkkm20o74jEnuRng ---- GwTzHpKa38XPKJ3Ciz2fDjN7BWXuEQrJG9KtPJsD7jQ -x+8ݹQ 7'%im9m=mtw݈D:5}^2ˋP@${.7Vov)ҒJR0 tkq*O=\#(^lM߳VHNXq9e:Ӟ`y6kC>lwQ.kb$idHat+ĉ:='+4HX}Yr? Od \S-dkOُ h \˘?A"Oǣ%&h2Π;,ݏk!l8'/A+F7鷦"F^H"Bۉd_vPhm(;6SӛUGC=unCq;c^3\, G>@~}4'!e~'(E/R -qIPxe \ No newline at end of file diff --git a/secrets/rekeyed/sausebiene/b66a188ea311a3346a4a53ca34112e89-initrd_host_ed25519_key.age b/secrets/rekeyed/sausebiene/b66a188ea311a3346a4a53ca34112e89-initrd_host_ed25519_key.age new file mode 100644 index 0000000000000000000000000000000000000000..b658ddf535c30c8e974927203eccf6168548f6e0 GIT binary patch literal 692 zcmV;l0!#g2XJsvAZewzJaCB*JZZ2dqYX-#KQOjC7qcv%W9J|J#zYcefoa%Ew2Wgufc zMQA=CR#6~BIbL51Q$bKyR%0d`ISxE{BfXK)6b}7sL9=09>Dg&#Dgc3u~K<4GQ z7=PEby21ybFD<%;0E6j22X`+UV4byFZ$E-IX&aG@2qP4hYW%6MFrJl#f?gPQPe){E zIrMg&TR8l`)IoAAR|2aC-_g&yxpFVHIeSpSE!O*rt!xJMV(V|x<%Dlc<@fbh(o^dr+?&KGev%2tfWN41S)rYz=Kvs1%#c8=ag=&ZXIpj;r-&91NQ+9nyIn8Kd-_)@`Zw7oq0oh&FfOx%PK;v-`s;otzc)y{hxt&hf8Er}^7e4(@nWZ)S z3pSa=&{l=)1*9s5iPj==x}>Q#g77bH&(%%uzRgWQKT$-6_foITN0&P5 z{RzIu@tU8e6Gw{V982@_YaL1JOEt2HwEP-LOe!#3cvKznX%jJC;QdBo=>w)nofEJz z$7%JbB`S^u6(BJR?N9PY%HUiF;`y&o!C ssh-ed25519 1JqBOg XGoPFeeWomE86ee08wi6w3QAy9IsNkaQCTvOKU3iWDE +d78DsCqzJ+0e3OO7ucLGh4eLWiheaMb1qAieUdWB3Co +-> "{%-grease ;\givGMk =U JCq/$.2z +tlA1q3ATXgUkALoiwhaB +--- aSVHyGQSTxu3aCYwzy073tEY9DuNolQ8zSjhhgAbP6c + `'Œ,%9|^s CV7.uCǨ&\`u/{x^j^7/].=1 \ No newline at end of file 
diff --git a/secrets/rekeyed/sausebiene/c60e70bd6ab61b86e0e4dd755f69f18f-mosquitto-pw-home-assistant.age b/secrets/rekeyed/sausebiene/c60e70bd6ab61b86e0e4dd755f69f18f-mosquitto-pw-home-assistant.age new file mode 100644 index 0000000000000000000000000000000000000000..b771431383ae9c0497a8730a50036cd0ff70ec99 GIT binary patch literal 280 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSP^eS}nPgn3a^$OBX zsdA|Ztn^DU3UVzpuF8!{b$3m3G4M35@<_>vEDi`N_jI*zFXzfmHZ7^ruguggHwbc! z@DB{hb5AiX(sm4YObK=KsLYKlw(tqEOfqvScLdqy<)%@btD9bwnpm95WegP3)l~=x zG6{=t%k>XViEuP84KHvt4s#E4ORmh$%S!Zf_Q=Y~bJWf)E-eZwNanJ=_&oCRkE)CH&uw-3J&}m{V^+GZL#5(iN+Rf-jxMu cdzDr%U=W`8BK*-O>t~w_(#19B2-MsF0Fhf~ZvX%Q literal 0 HcmV?d00001 diff --git a/secrets/rekeyed/sausebiene/cb80bbbc4a9dc18c5d38b8c2b5c6f633-promtail-loki-basic-auth-password.age b/secrets/rekeyed/sausebiene/cb80bbbc4a9dc18c5d38b8c2b5c6f633-promtail-loki-basic-auth-password.age new file mode 100644 index 0000000000000000000000000000000000000000..7bf0b4aee1cee94776f109d46325c96e3334d93d GIT binary patch literal 393 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSP^eS}nPgls#^C=Cf zEGSP2HqDGEF0aZkE_KPTsIUw!%C;=_&yFYzt*mg-PEHIrO6CeS&k6I;E=%@L%yIOJ z@+}P3&vkaGG*7Se&2|m4h%hTQPj_}pjVN?Wv;f)W5vHM&AL1CMn_iTfSe&Y0UT&kH z=^5js;F-@=YT{AsQc&cp?dU*;Yjteu2O)k!NC5s9lwl zFE_!mY(6LpPZDH>!+VpWt!n>QCVi-ZJAl6ofcS>TjC#>SQ+NX zWqX1p{m9xE2Uv=)g|cQns$@`@eEt6w=c|eVy-SwZm0NY&TH48Evh4~A3;S3IMpQiLw9y literal 0 HcmV?d00001 diff --git a/secrets/rekeyed/sausebiene/ddbb8b51177f6ab5921645a30e3f50df-wireguard-proxy-sentinel-priv-sausebiene.age b/secrets/rekeyed/sausebiene/ddbb8b51177f6ab5921645a30e3f50df-wireguard-proxy-sentinel-priv-sausebiene.age deleted file mode 100644 index 2955c36..0000000 --- a/secrets/rekeyed/sausebiene/ddbb8b51177f6ab5921645a30e3f50df-wireguard-proxy-sentinel-priv-sausebiene.age +++ /dev/null 
@@ -1,7 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 lOtryw 4pz2uwU94ttWbvcVLG8h6o76B5uIAVP3E9SDtzHUumA -spuEeTgU3vudaS+HTjyNfZPYIaOuv3z/CLKoYMy+GiI --> j-grease , \3 Yq!<2i -FzJ0b/2/1pCPyy/GjQ5E1eOKkS8PrdCUAQVV ---- 1HYTaKU8uzFyL2tqpGehK0cNJMpYiSEGLj7GDcZo9OQ -RqE y_8~E:]a Aή8fz֧ݥœ4愎wݑFPbEF&޼ \ No newline at end of file diff --git a/secrets/rekeyed/sausebiene/e86ea6650fb14c3285819b1a905bd24a-wireguard-proxy-home-priv-sausebiene.age b/secrets/rekeyed/sausebiene/e86ea6650fb14c3285819b1a905bd24a-wireguard-proxy-home-priv-sausebiene.age new file mode 100644 index 0000000..d1cb298 --- /dev/null +++ b/secrets/rekeyed/sausebiene/e86ea6650fb14c3285819b1a905bd24a-wireguard-proxy-home-priv-sausebiene.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 1JqBOg odhTtbudrOK59V0y/conILmZ8RXC/bgaIsgcKX6+4Xo +havbGQgB3Sw8GCl/JpXp4ahRT7jtGCtRrR1RBL3+g2g +-> .m;fR}?5-grease :*z3u +BBXlnqv5Tx118ObFowzxuy2JvhWx01yXAUQhh9R6amR/pCXF5z10F5YeUS/M+1vt +v9zzsFzN9fCtwxdt8r18Wmc4di/Jlw +--- jRhoXaZSZ/LOYww54bSkAIGn/m7OaLGWPK4FnTB80cQ +e u +tx#-8utlCpVL;`de]9~ +t pSKxge`]d \ No newline at end of file diff --git a/secrets/rekeyed/sentinel/f6bf0b7bd3d2c8815cba951e47ead8fc-wireguard-proxy-sentinel-psks-sausebiene+sentinel.age b/secrets/rekeyed/sentinel/f6bf0b7bd3d2c8815cba951e47ead8fc-wireguard-proxy-sentinel-psks-sausebiene+sentinel.age deleted file mode 100644 index 0cfa107..0000000 --- a/secrets/rekeyed/sentinel/f6bf0b7bd3d2c8815cba951e47ead8fc-wireguard-proxy-sentinel-psks-sausebiene+sentinel.age +++ /dev/null @@ -1,7 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 yV7lcA TbUU7Qe1joDj9Vz7R0dnhBiTE8/D+EcNF/y7p5lEjn0 -A7kwW/AOVy7wB7RYnSP11QIYxhiOrODgEl7AwAM1hqo --> Pa;1-grease wep< ?nNq sM7#ln+- 4U3*y,6> -9q3AkZ8bOWDiSg ---- vaag5FKw+gm/7ZZs2TtvCcWym2A5glZrHVmcd5OgPNM -k=oCnj99wzφ ?T5柭VMa>9ODE#pgS }-?o^ \ No newline at end of file 
diff --git a/secrets/rekeyed/sire-influxdb/8af19159b484f7ee716bbd8d0ef4b290-hass-influxdb-token-zackbiene.age b/secrets/rekeyed/sire-influxdb/8af19159b484f7ee716bbd8d0ef4b290-hass-influxdb-token-zackbiene.age deleted file mode 100644 index 026d444..0000000 --- a/secrets/rekeyed/sire-influxdb/8af19159b484f7ee716bbd8d0ef4b290-hass-influxdb-token-zackbiene.age +++ /dev/null @@ -1,7 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 1tdZKQ 7hRaB/jl5aAQ0OaLaE84invNGJc4iuzxk/jGA7cxMS0 -nKH9M7KqbC2yQbjRY7h9yeCUPjii/PKbaArv7vF0tgs --> =Bq38rC-grease |< t'@ f -WX5ZG96lJs4zzi4 ---- Msg4tXQbL4PdKR//oobUKg2lvMAp1IZgimw09W6BnK4 - h}@h4[=RJ`O3ulbΒ쌣⦫zUBⵢĸ/]i-볪N \ No newline at end of file diff --git a/secrets/rekeyed/sire-influxdb/9bab2d8f641a0468b6e89c4c424e6044-telegraf-influxdb-token-zackbiene.age b/secrets/rekeyed/sire-influxdb/9bab2d8f641a0468b6e89c4c424e6044-telegraf-influxdb-token-zackbiene.age deleted file mode 100644 index 0584b99..0000000 --- a/secrets/rekeyed/sire-influxdb/9bab2d8f641a0468b6e89c4c424e6044-telegraf-influxdb-token-zackbiene.age +++ /dev/null @@ -1,9 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 1tdZKQ tq3KnNzqtWpWxhvgRCtMWs4Rkw+N0wYBkubwi1aS4Cw -VcgxThQS7G76TPaMZeY56gBwxWYx16rrHjek3XzU8qw --> y"`K:H}%-grease DgYWO P'q< Z^L^JEA -oK4hdyQZ5mfpNOuuxxiS1EKdIm1ALSUrxOrMAXVdGiCbSKpaAMSnVc770TI1g9aU -T2Pn ---- nqnFYa5KoFz5V5DxB+wG6jGZer8c/lZcymvAnywXpf4 -]} IY$!unJ)mKi(7huד·[+eP0ysI(C٤C+H - my \ No newline at end of file diff --git a/secrets/rekeyed/ward/020fd8ddc9ee58c7e32a968d26d3b765-wireguard-proxy-home-psks-ward+zackbiene.age b/secrets/rekeyed/ward/020fd8ddc9ee58c7e32a968d26d3b765-wireguard-proxy-home-psks-ward+zackbiene.age deleted file mode 100644 index 2659a8c..0000000 --- a/secrets/rekeyed/ward/020fd8ddc9ee58c7e32a968d26d3b765-wireguard-proxy-home-psks-ward+zackbiene.age +++ /dev/null 
@@ -1,7 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 iNceIg iTd9PnSEFe5Zzwld5E/onR2xtvNRF1vs8uNAuiU21FE -8id5IERQSvIiVjEIuZ6uFrO2aLGtLD3TiGUqZJIZ4UA --> ZLaW2-grease -OGBoLHKqHfuUnly0OEo+sSj20yKrrQ5U+xH5gBZ9ZA ---- 71by0nesi0wWF0q1HgwTlvnZL6+rC24oxGZ1ogmer9E -3TD# m-볔7U:l Yu`ظr_KK+$xP&[/h) \ No newline at end of file diff --git a/secrets/rekeyed/ward/baa7d2d1fdf01b6ede3a39bd0971636b-wireguard-proxy-home-psks-sausebiene+ward.age b/secrets/rekeyed/ward/baa7d2d1fdf01b6ede3a39bd0971636b-wireguard-proxy-home-psks-sausebiene+ward.age new file mode 100644 index 0000000..9d7ff89 --- /dev/null +++ b/secrets/rekeyed/ward/baa7d2d1fdf01b6ede3a39bd0971636b-wireguard-proxy-home-psks-sausebiene+ward.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 iNceIg cKEtiheAFHWAs3EOoKo1chX3RWhz6aq5cRTwZ1/Z1WU +Tdbo+qNWIaycZ2omOLs1F3m81zCDJkRT6WomuYeDRrA +-> _i/oVPFQ-grease < dNS%z; `=D/: |u(y ++8oPOeTNfm3rVJdLKR5kMkN5uVwIsQt2epywa2B0DTMQmxc0MZ3rTa8H4ojiMUi/ +ZXYwcffbbYxeCYb0IFWlalJ28zk/sYQPhe1JgNI70w5DT6VuEOHg+A +--- bw0j98/E8Ldp7T/16SQGGjoTGClzYNqPzAd6k4jcjvE + =0}_];Tz&:5iER1iNʋp񡙝U!D*zZ]Q + \ No newline at end of file diff --git a/secrets/wireguard/proxy-home/keys/sausebiene.age b/secrets/wireguard/proxy-home/keys/sausebiene.age new file mode 100644 index 0000000..a091ef0 --- /dev/null +++ b/secrets/wireguard/proxy-home/keys/sausebiene.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> X25519 M9VlOylObbteCXZZtTtwitgmFOZNoZfIiTMRhP4ltzo +iiaeU2XZ/Fiwk+ZS8FbRKCcWABls1gkF/E/qoYPEkRk +-> piv-p256 xqSe8Q Ay2M8wNIe3AKcPy4iIxECA6LMoQKzbPe67jLfFuCpf4x +q8jQ3XP1nFYsfqA7QhGH65NPkmGfiii31VuJtlGC+0Q +-> bo?-grease +OS3X7bwub+E85sXZtogYp/hE9zpSt47/PaYaFtSQLCAZmsYd659GYdXWP9MYReUE +lW3593s9ke4hzJl+oAh7aHwUtr0GW3WT/+H7NSFVjuca5+yvgvx6psb/82hsjyM6 +JQvE +--- 3Yf1OvQITDE1BfriGCa+uK1Y9watIjybbthHKo+sTJk +уZXyt)fd߉y ^| b^ř &U¼W4&yvpy݇j+ L6_%pR \ No newline at end of file 
diff --git a/secrets/wireguard/proxy-home/keys/sausebiene.pub b/secrets/wireguard/proxy-home/keys/sausebiene.pub new file mode 100644 index 0000000..ea9b866 --- /dev/null +++ b/secrets/wireguard/proxy-home/keys/sausebiene.pub @@ -0,0 +1 @@ +rV7gk0n3DVZmRj/qQHv9dJ4gH7v1FZ1Gat+Srm9k0S4= diff --git a/secrets/wireguard/proxy-home/psks/sausebiene+ward.age b/secrets/wireguard/proxy-home/psks/sausebiene+ward.age new file mode 100644 index 0000000000000000000000000000000000000000..86ac83f7beecdfd96a705a2a5bb6524f2f097e41 GIT binary patch literal 405 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR2FFfuhYv{W#QD6BB{3QNhaG>;54vha>_ z^oz`miVRHh%gimw%XW89chL{b%5)D5&*sX@4@xpL&rL}!PL1+N@i2+VH_GuTHpp|c z@be7HPj(A(56Cak_cS(i%Lds{kXfc%U}S2hP*E71Y7wa5XdG!?>RjTI7jA5rRAiLw zZDCaC=bKldZx~wWY!n!kS7w=# zDBHjzz1-6^+0iesGO5%oEs{%DS63m^C^W4wGb^#uEX7#c*t9a$(9A!;DW%w}G}F?u zFg2h!FF@PTGQ!*0znCj?#-t3*wYOyR?Azr&Y%K}RPVoP_=h3gTyA*Bz*lG4CJo$6{ wYU~ldQ@j3mB`eSTcj?qm2A%3Z71D8Pg4L%@_wW7lz3j|p3yrAA^hH}L0EpF+KmY&$ literal 0 HcmV?d00001 
diff --git a/users/myuser/secrets/user.nix.age b/users/myuser/secrets/user.nix.age index 5438195ff2fbacc58ae958efb467cd9856830c64..6d09a436f6424813afa012710b380a3068759d15 100644 GIT binary patch literal 4806 zcmV;%5;^T*XJsvAZewzJaCB*JZZ2mIC5(% zQ+i=}Xl77wD>6%UN>o%eL}pP6EiEk|XKGqOD^_haZFf^uF;zBWVozZNVoNx6S}QOL9(@=orl+_x^fC~b>?wJbr02S+l3Xyii8j#=MiYt5h_6Om z2<%q_R%@^sr@AO_5EM$@cVlh$N&gz=#OgX}eLxPL`)dt$Nza3H8yP+g${YX*Jw-=Q zb^lQIKz2oKxyU;Ue`!@~Ae<_zNd0*4{aD|5J{(@0TCpsKD?-a6Cq+pB$d^fJ+)S?< z#eL3Ta;&{EA)?DeG0BG5uVMIg8Iwm8+yBsg(8DibJHz4rD=H(id!Z`L2AqAEJGsx+ z&UuM4g+n?vYIlf`Oud|LtJtL?@ooFh&*%-siSlgOO3fbKHMx6Ayd`G%;}AG_G6AOP z6y57url{L5x6muG2$2FcI-%ZxjQ6gB6GX53W_c;Q^}3L5iAQQJ+mlu79fxm#45(oq zj0sm{A;#YZZ&n3Qgt5Y-WvB@`iL0IA(iMz1Sjt!Sdvz(QF}=wqE=X2h1Ja&~L3e-hjL&xkpsO=+^<|qy#B;|6;+MJT}m> z*QfM1id8@N)IJBMk+h&Nv(Fo+`bHs7zaomu&~0~4yXvIli(MB>X%i$p^=HBW0T4ts zxXKymi*}<}YQBjouSW$z#c0iHHVn!9geo4t0QZEcq!*+BOS@x;vhw-f z^2;)SK){F-T;l51Rd6#5Cba*8nbD{guIDmu#@HfUbomOSh6g?Q7`Ndbs{gMxRRME{ zst5$)Uv4>{Vw~g{Z#r*#&hBm+5CRKm%0qsjHS*=2iAt6&%Gg zr{{wp@2bW)GMr8Ix#meQbE&{67*ca%4L+-3h?`+#p>dyI1Mn>nMiRWXrw%@E1*+mu zkenJV#R*v5JogOWlWC-gbxj~G@q}!{Wp8R7Lux-NNTAMtd&Hp>vCW@ zBRtifQ;*oqLfe{j0-8K6I@7MY-@&M;c+x7NVlP^sim!H(opu+V4O*!l8`SlSxn}JU6hy)8zNPK=badI!ALeED@yF!v67xfz4cq z#TetWKL_ng(*vN*L0l?U#ECXzabCbIeNc-{53*K;7ky(-SFt`hgkLbOEqhU{-4M3< z%nFrqOu13s>GD4Wqo$$^6eRHdUMa+&rY|L#&`DQsRX91J68 zj}%}bjB<`P$Nl>^-?S1P^9Y||?R#{TK_5L0iS)?y>BwZ$v-LGsoJa)_{}YD$CfZi~ zgOmeDhoB{*aZNivwCBZIYVYD$(0G?X_I?RC$OfCWe{q*jHzSSlKihDPpvBrR@w1U_k!E)J@smoPWqFt zb*#fKu4TtJ5$kKzCs zP;-t5YGvY!VcH)_;&0L?&akoeVV?2}39i)MonV2V!T_*0Go$ecV3x3#$`G2u0cHK_ znanE}a{3-{M@@{iW8t)y;f;*oP5?AS)5f!M5wBSaufks@NFsziVJ4lu5ATkYrpdJY zLhhL}pCJ*xBmgEt#RPF_e`IrHm5({Eo4v5tSG6T}G8L+9nHOXOm=nMD`0z%Q4<5^o zydpG8AUxgyy8xG=vENyBMAN=cEDYVCHN}_MQk)>4)g-6sov6{}aTEiFihp~%>#(#t z-_4GLT7$apSKr1TBm8#)fI~3{3gcAJ;4+H_FxeFL&Q#OD!KeBiR7dVk7sVpezO^Xe zMt5?$y~t_Vo8!4)7*waz4(rX}BFPU`9g3RI88+A!wKu76?-(w=R=1v9(PRW0#Igz} 
z>w1B|0C426TtNUg#l-UIlZ>G7*vgGvt|_BJ%Ffn1P>kv@=ePx_l;d69L0*;56U1if zjE<#T97_dSag+WED zqF0Qa@d|xfQrRq;cB6+l?;@J9ysH(;MoAN1Q%2)9)#2y7*nwC^nt`=$JDhdAgneaG zvNyj)@oby$(WyCyDp>4%FMDwo92^3dp$K&gGMSnw-S6VnFHEzr!F5#@Dx^*4ac=7^ zikJkq^$cpMcNppG3DA3IgDHa(OsO=7Mt`>nZ0AXVJ;26kab3K<<3koSa$ctFXuV$Z zuwZ&L>QwrFQUJxe^s;W$MjAY9XIhKcIaIg({Z>w?t4jZl&kZ5<&y8n(1CXob-pje! zr&|yW+|7xzxE~mftxIFOv_6TK@DD$dL{;X=V2W+V96k2hHgIxh{`|Sd2+T$F=lf9N z)xK@;ND44hr;FnSHy2LM08% zN0%|MXEA89dhxRJgNk_hy^C(S`aONpE+xBm@!s#krVeM=z@k&7k3L9c5d4T=TSmyq8itGNsMQZk=Es0sA8&4QAW(MsbdWyGb^PlJ@Ye8!*vV zF#^^Kf{`C}JWzb%WoRt%XGOx#_jrK##tYuf$OA25pj+K1WjZZ1Qglrku_SLW3*06} zg^vwV04L!g!3m{LUW-_YUBQnA?hGC) zhRpS5q2;EYmm9Nh@AO{|PzsFbp72U75Fv&T?yCbcI194&)w;&fQdO|u7B*^T_hE@9 zy3KGsqzjv-dx9(!X{MzXE?=SO{wiA51tjh+$oO-S8IkCbB`J(X>vJiDKCc;Qc{W8H zoN3fN9*7uG04>6YvAy38#5?~LRQB9Kd_-NfbW#J;(*G~Si1TTVI+BPAuVC{}6tp{B zJw!1E_%9cfO6DAlg{)UN&}35=jck{W9dc}xz&W^8bd<4Q>v2;#`BdD%UHE_GAsqxb z@MGU6`OiU65W`&woH~)TOEHq?v$_s=0uu+MC3fTlz!YZSH1E<}UDAZ9V2wf%?y);*fHV?sB=MB~p8uovV%v^Oeb8E=pd=8T2f?8H>?s@=pYatG_rSF3^h^Z_G z_SKTa-7WKD+_KdL)4It6vD)_=G}FSmZEcl8W~LFgNt|AFewx7hN(X?3=Ucedx>4jY zfO!yu60qu5<+>UMF&@US5Q?PlR0pfB-cT~nMCrNJj>;5Rj-S-{e&}+V<|c>Abe_Kp zIx1;%X7wC@*W?QmG$tw{qgM6-<*`%wK>DzzUq1@nLz+9`bN6J?d4EtWkS{t|2tQ-( zNB0pa7|k&9)1$3fWMLbR3Aca2T2Jhb)5-ds==e~pPYVqXI3F3}$(tk)JHO!VXh znSi4jVCoOxE#{+J?D)9&7u4DZNZt0Bokfap+*ZU~j)KbN?`UHaWcZil=JqH@2tF5l z@TAue0k5l|A8Xx#HIcB_tm(!=C7Ghkn>0k8^#K!dJKHe?Dm*%qNf8tLH6IB#EDpJR z5i0j%+8;pXOJWhFgE-2g;c9^NWbBM+PvH`-m9^BJY0tM-u!qel3j1+%9cU^Vgh<9Ymr^efeD zG>SkDBgc?xiCl^+k)w)lrKqj8=z)t>KkhSR^7QUcA&_tf@F@RXH#$F{7%%*<)ERm4 zhjzSLZPHQ-3$H1Q+p+>%Hj}wqzZ#=u^Mq^qsL2#IyjnzmIGR90?>isz3%Q+_J;omcr(L|byHH^JeS^=nQp0I zQTFJiIn|M3}dVU(}?XA;+bTn3Yv% zCRMSNq!ffZ75&|AzQr8q^vnBiEojBdhPGpQ!jO9OdFj-vcYPsMytrr+_m1+T4+gD< g9Dn9Pg!E|-nvu`E(tgEXB{5*CkjDj zQEpW)D{W&zadAsgV>C8)XHG*;T5x19X?AU9WO*@6D^PS(>P zcuQ$*O=)mUHBAa)b5Cklc5ezTEiE8Xa%VVHRdY;wOf*kLY;iU#G*D1uPeWu=S66mW zb1`mONh?QTa%@6nVMPigeJCW1q}6Wp7sG`GqyTTxgbg70fCJIT%F~Smfn)`b!K%#Z 
z)mR#~vw!Dv4;7u7+j53%PoDEZax^$lMS98NjN~4tX^m^|OeR2VOcO5-pFNDX3P&V< zhOSm3t;gIP(cWR98x=18?5!zWK`l+06=i(aa=5q{I@E*C5=SvTJX9%;jYgU*WVK$a z2>1Bi)eB$h=_kg^(&o3+U9~>q8=$n`LUWIpQ)um@#5sj5gn>~ryrT6)W7n__q0av*ruuElth6 zEe>MWG-vD7r{;rs+KtC`zW?iF7glYKxEB&nv&`&@2px6ZwE7Ji-voUjk4SazLGd8b zQJRB1fF!82lf1*T+orD{3xsO<<3@KDKP5VnP*tdi7rf40pTWO!Lc+_lY}`uw!lD3v z0|1V7kGJ&WFKU}ro67b6tVH>(Bst8_I{LNV2r=>DhTLANB?y=Zt>*eQ1LfpxuCIH^ z^oe?z2>%U#EkSb4-qv%C5_eA7Aytfz%&1r|u7X^)K21(26S7`xFcsPUb5C<6)yooL z;LpVY=Cj8Ly!QP~pZm+X^%N1N{t7cUqVnbcY=>Np3Q779lYvnD1@JeJaXi+VZ0q}|^%%iK~K?R0k?v1|jt+}!D zD}SdJ)x5%!hikj>Xz4ES0{1T%H14YwB<;X|VLkjF{gxZ0`_A2bmVro!TgaG=OaCp+ zN`xf~ZsCmHe3ihP!dk9=tIn^$I0iHb+Pk)0o1f)X_0W%Z9D61TVZt|~LFb-=Xu7VQ zQdxOaLS`pnSluQ>nJOpUZ+ExLD?2+a>Mx$eE;kr?E3bF{X>y#+Xgk#-x)}u&n%JC| zh!B!e&%@SZQaw5VUBs4GN+SuP%&5Cf$gsfHy+e>M>SRHqV6C}XvX}OK<;++paM~1_ z$`?=!P+IHlo)c1c&e~8{pbp;g^mGQ~`pxRj(0p`0Xj zoY#zd4nz;$r*Y<)a*>%yB&V5rthAq?-zt*DNhAe+IQcE-xEUtdq}4R=bi&>&8Dq{*nZM^*&O!DCqJ9kV*AehAdTMh9 zhQkOO7_hov@Xu1na#y&bBFyp3>ndBHNLi`dAm863r7lKd_>NRT(1kW*?bHf>#eLWw zxj4z9Y7-b_I;s3npnputmAwp#8~F)D;Oe9|mGNMfpHN_sZ!SA(GFnhWYycnwG|d(= z)0KZVS_o_hNh2yXK9)JOLP{fOb(ug@$}~h;*deZtvu-XNqBX9*kzvwX6Q`D3X2%$1 z0kK${^@89V%I?^szE_welw0~oU~X0ym2;NS!~Q=wfx(#R^*Ue5IAuux=slquX$n_2 z98T}XoROGDk_&@c>Qk^A3~Hy8TEW)zjJLYTGO*I)dUuw#^-w$%hid=>3^p*T#OlP3yQukWmT6)~>6Is^BBW&etSXA^$hA{Tjk`*#f>L^$Ys< zf+xwYux!swd2Vct(r!sJLD!|c3;T< zr2xg;w934z+?$8B2CQz=08^(RbJ%bMnY)Dtc<;MWeacDefuaZwRBs`tI)lrx9RZm_)IWzpqPQ+Ac+i=_cg`a^?|Gt(J-F8F? zWdVU5s~jL7&-D$0sLE)5%uO1gO5?|POBML4bvPM%(bSR|P=_Lu6i+hSTBkleSwxwJ=2?Bcjqki}?eK&p)T*kW&xh=0FQ-GAj6qiFNo*TiFU{w0;! zsv+N>1CHDvH>*;6_44MB~Cjks%DnU~IDk?q`^D86iP1KyYTgVrQOV?kQ zj*S_=yOEOvNRgvqBRRpYfkG+3#9p(k@tm~29fkGJkP+{a)4ShyZM*vZwcycLY^r^? 
zBEFJ~0<1Q@%c-UEotucumSG{XsND}088q}M6hYjFH`Pm2R5EZV2*^809?lcTC(~s^ zSy4`kjrc)jA=mXUh)}>2ghrKJBoZ7kJpg57mN0H@AIaK?p0JgQN99*?f>$%E*hdXC z^DZLaHZ2}MObZNo1NHz-w;>tsq5eK#w1|vyeM=5Kz47T>eyoVbf1Es@kG~a1bFPUL z0h5%?GxGDN%M^VoHc$dd1^09?#3!%w=J_6?L~*$bh3e6kk~6aGl$PGkKQ2#W?4&9+ z$xrCwyBB7d9z^Wm_e$uz8sLNp%kNV}T5$73M!h}@USg|D0z}(V&FSM}e^Ci;@GnwXvUAr@7#AbcIfAVi%pFC5M(cM_X z(OqdUCB+L|cbzILl*KRuob;$jGV6>K%hlwDn_`)ss)O==8wU^3TT+p)y|C1cLz6-8 z&a7mq2i8OQkTWgKelxpcO^1;wU=~$tQi(chRo!Nvd1Qoe)3-*KgrFgSyO@RyL38Yb z^@!&=ZASJqUOIALy3SC#Z-Y7waovphH9iHwM5t(CX&E}K?397+!Xu67B_N-9vmM{iay3;_BzuVngMvf?l5YH+9uT`GgLCJ z*8lA|l|bV=e!JHPrs?NQ+&XmZCAlmae(o~@&Hn5hu3}7$MwKhOn-QZJ|jPT)SfUnGj6v-`X*RX!i!8 z2%kN7dlTdIwH|RGXLj70bQ29NByJ7=oNS^O}iHe#7z1uLgbaKWyB+&|J#94{= zUg)K?y<@*l(}@6ir#BlAvRh&_GU&vkKC5&cnaylHCHvROC!6N;R5zjJN1UO|7bh1> zSudT_^H@qbpj0j*_D)@LgCZqF_C)4AJT>Kaz#l%uJdzlDk-)0 zCpiEruX@;Tp2MY%19&wM}LkZb^eEtM^h z1cd^s26LNO6pqTt1mV7Ymd4eM{Gh8HrTp@sLX#{JitMz@{d8nBXk9oi@JKC?&0RhBrwa#Q{H89X_p(efBe3Bz5Do`?=fu0l{l$$R5FzBd8sG%5`?#ubj4rd?^6DH|__nQzAl2$go zY8V0-65J;S{RPn%sRPWLYl7jzngu5k@Ed>I>2mIbWj*qk-Zp})5t@&PIC6b*f5EC4 zHDyr_8dVwRx6qEuv{?Ke!NXC9pCjrp4k5E(>9`JaCqy2}ivBBQ{YCTqOP9U`j|CuP zOSjvrcfP5`!N8f8_HvM6b+SN%Cfe7i;wB#9r6%V<@LW3SPXZ`L=FU4(`x*Twz6}au z7Trk%sLlvYGgWK2!3)3R&eX;x{?{B3Dw9l!cehMqQGI8Z8LLDAboDP7K$Hy9S|!;7 z2ntWx4Ei>7!e>a6B~FLwBTba;Z9w@3Yu?j~Pq46kOPgzG3Pw)tA}tAW_N+TcTSZjvtm0l^?;n8c=U51;sF1L-$1z*JNA(_N&^#AWtx5L zS_N02*vIwKvm$x!p`Y`mhHI~oLRtqxy=Z31ihm#`hv~KzYT(9+t?0vFhA#!NaptpN zic_AvoUmw4Fdi{@ibnYq^@CF^IxYU{*3Ix;Q?#aX;V2=Jr@P zxJglWNAJEN%7_Oi4;40`S#XAP?DHa*QI^1%(ayH93+={1Ws{TpJbj{1OzxUe81^rb&Jf= zG%j+}MIrsov=~ zYgH|*a(56=2iViEXtX+W2gX2>0XF!be6D;qib9lVPpT+PkbxKVT-*=7Kh(gn+NJiD zmm=_tnna8(t_%6pGBIzF3C7jk*fyB03n<5wkv&j25_NvhF_-tHYGrc}9Q&pq*U(=NpP1>FV1{ zdh4fk@j>%Dk;O)`Lv7lMemKCx4@hq?=WEisylbQC4_YpMWRZ<{IDvOW^pxPqcR2~Q ji{3_K#1HbuV#k1-JsP^K>5|2*gYdSqzfUexpN=AcBO*