From 3dc6133a1a59917d20d2c7226275c22f92243d7f Mon Sep 17 00:00:00 2001 
From: oddlama Date: Sun, 14 Sep 2025 17:31:40 +0200 Subject: [PATCH] chore: rekey immich secrets, allow influx access from local service net --- flake/agenix-rekey.nix | 2 +- hosts/sire/guests/immich.nix | 9 ++++++--- hosts/sire/guests/influxdb.nix | 2 ++ hosts/sire/secrets/immich/host.pub | 2 +- modules/ente.nix | 12 ++++++++++-- secrets/global.nix.age | Bin 3782 -> 4029 bytes ...eguard-proxy-sentinel-priv-sire-immich.age | 8 ++++++++ ...oxy-sentinel-psks-sentinel+sire-immich.age | 8 ++++++++ ...eguard-proxy-sentinel-priv-sire-immich.age | Bin 341 -> 0 bytes ...guard-proxy-home-psks-sire-immich+ward.age | Bin 0 -> 355 bytes ...3ca454174a-immich-oauth2-client-secret.age | 7 ------- ...oxy-sentinel-psks-sentinel+sire-immich.age | 7 ------- ...6b28-promtail-loki-basic-auth-password.age | 7 ------- ...5367-promtail-loki-basic-auth-password.age | 8 ++++++++ ...6c86b417719fdb-telegraf-influxdb-token.age | 7 +++++++ ...f9c5bf33b8-immich-oauth2-client-secret.age | Bin 0 -> 397 bytes ...78c994777bcc62-telegraf-influxdb-token.age | Bin 287 -> 0 bytes ...-wireguard-proxy-home-priv-sire-immich.age | 7 ------- ...guard-proxy-home-psks-sire-immich+ward.age | 8 -------- ...-wireguard-proxy-home-priv-sire-immich.age | Bin 0 -> 412 bytes 20 files changed, 51 insertions(+), 43 deletions(-) create mode 100644 secrets/rekeyed/sire-immich/272a347ebd724a722fe452ccf88c5717-wireguard-proxy-sentinel-priv-sire-immich.age create mode 100644 secrets/rekeyed/sire-immich/473bd83be339750b7105eecefcaef7f1-wireguard-proxy-sentinel-psks-sentinel+sire-immich.age delete mode 100644 secrets/rekeyed/sire-immich/5070709ada98675000d61ce0cae80b46-wireguard-proxy-sentinel-priv-sire-immich.age create mode 100644 secrets/rekeyed/sire-immich/5a140530eeaf232ef669c3bf14336924-wireguard-proxy-home-psks-sire-immich+ward.age delete mode 100644 secrets/rekeyed/sire-immich/6055cb73daacbb7a0841103ca454174a-immich-oauth2-client-secret.age delete mode 100644 
secrets/rekeyed/sire-immich/6d6412638f56d57f4ca694913136adfb-wireguard-proxy-sentinel-psks-sentinel+sire-immich.age delete mode 100644 secrets/rekeyed/sire-immich/6d800e1415841a524ca00a4bc0886b28-promtail-loki-basic-auth-password.age create mode 100644 secrets/rekeyed/sire-immich/7390493ba0250d48db36b91e78cd5367-promtail-loki-basic-auth-password.age create mode 100644 secrets/rekeyed/sire-immich/7c45bd9af65e9bf02c6c86b417719fdb-telegraf-influxdb-token.age create mode 100644 secrets/rekeyed/sire-immich/9654640f4ad0b7a78ce21df9c5bf33b8-immich-oauth2-client-secret.age delete mode 100644 secrets/rekeyed/sire-immich/ab981c567dd4581cbe78c994777bcc62-telegraf-influxdb-token.age delete mode 100644 secrets/rekeyed/sire-immich/b50e7c654824daae359bcf87642131de-wireguard-proxy-home-priv-sire-immich.age delete mode 100644 secrets/rekeyed/sire-immich/bbbf9beb0367145565e8795b2f8e8b23-wireguard-proxy-home-psks-sire-immich+ward.age create mode 100644 secrets/rekeyed/sire-immich/ea03e492361c8f9b4c8df68598f02edf-wireguard-proxy-home-priv-sire-immich.age diff --git a/flake/agenix-rekey.nix b/flake/agenix-rekey.nix index c304257..ee6e08b 100644 --- a/flake/agenix-rekey.nix +++ b/flake/agenix-rekey.nix @@ -12,7 +12,7 @@ # The identities that are used to rekey agenix secrets and to # decrypt all repository-wide secrets. secretsConfig = { - masterIdentities = [ "\"$PRJ_ROOT\"/secrets/yk1-nix-rage.pub" ]; + masterIdentities = [ ../secrets/yk1-nix-rage.pub ]; extraEncryptionPubkeys = [ ../secrets/backup.pub ]; }; }; diff --git a/hosts/sire/guests/immich.nix b/hosts/sire/guests/immich.nix index 8fd8aa2..626bf7f 100644 --- a/hosts/sire/guests/immich.nix +++ b/hosts/sire/guests/immich.nix 
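Review bot: The new `masterIdentities = [ ../secrets/yk1-nix-rage.pub ];` entry is a Nix path literal, and the comment above `secretsConfig` does not say that path literals are copied into the world-readable Nix store once they are interpolated. That is harmless only while the file holds no private key material; the `.pub` name suggests a public key or a hardware-token identity stub, but the file's content is not shown here. I would extend the comment with `# Path literals end up in the Nix store: list only public keys or hardware-token stubs this way, never a private identity.` so a later edit does not add a secret key in the same form. The enclosing attribute set starts and ends outside the hunk.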
@@ -52,11 +52,14 @@ in services.immich = { enable = true; + host = "0.0.0.0"; # We use VectorChord from the beginning database.enableVectors = false; environment = { IMMICH_LOG_LEVEL = "verbose"; IMMICH_TRUSTED_PROXIES = lib.concatStringsSep "," [ + globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4 + globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4 ]; }; settings = { @@ -269,9 +272,9 @@ in client_max_body_size 50G; proxy_buffering off; proxy_request_buffering off; - proxy_read_timeout 600s; - proxy_send_timeout 600s; - send_timeout 600s; + proxy_read_timeout 1200s; + proxy_send_timeout 1200s; + send_timeout 1200s; allow ${globals.net.home-lan.vlans.home.cidrv4}; allow ${globals.net.home-lan.vlans.home.cidrv6}; # Firezone traffic diff --git a/hosts/sire/guests/influxdb.nix b/hosts/sire/guests/influxdb.nix index 8fe7962..867988e 100644 --- a/hosts/sire/guests/influxdb.nix +++ b/hosts/sire/guests/influxdb.nix @@ -105,6 +105,8 @@ in virtualHosts.${influxdbDomain} = let accessRules = '' + allow ${globals.net.home-lan.vlans.services.cidrv4}; + allow ${globals.net.home-lan.vlans.services.cidrv6}; allow ${globals.wireguard.proxy-home.cidrv4}; allow ${globals.wireguard.proxy-home.cidrv6}; deny all; diff --git a/hosts/sire/secrets/immich/host.pub b/hosts/sire/secrets/immich/host.pub index 9c7563b..18e86ac 100644 --- a/hosts/sire/secrets/immich/host.pub +++ b/hosts/sire/secrets/immich/host.pub @@ -1 +1 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKE+geXK2RVVNwZVoYOuX7pW+6mbgCa9SIghJCdHmbSB +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKUJTsBJfQTTVZMS2qTYYIBe2sM56XYRCrvlUm/UtF diff --git a/modules/ente.nix b/modules/ente.nix index 845932d..d36c1f9 100644 --- a/modules/ente.nix +++ b/modules/ente.nix @@ -48,6 +48,7 @@ in domains = { api = mkOption { type = types.str; + example = "api.ente.example.com"; description = '' The domain under which the api is served. This will NOT serve the api itself, but is a required setting to host the frontends! This will automatically be set 
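Review bot: `host = "0.0.0.0";` in the `@@ -52,11 +52,14 @@` hunk makes Immich listen on every IPv4 interface of the guest, while the new `IMMICH_TRUSTED_PROXIES` entries only decide whose forwarded-client headers are believed, not who may connect. Nothing visible in this hunk limits the Immich port to the two WireGuard proxy links, so a client reaching the guest over another interface would presumably talk to Immich directly and bypass the `allow`/`deny` rules in the nginx block further down the file. If a firewall rule elsewhere already restricts the port, record it next to the option, e.g. `# Listens on all addresses; the firewall opens this port only on the proxy-home and proxy-sentinel interfaces`; otherwise bind to the guest's WireGuard addresses instead. The `services.immich` block continues outside the hunk.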
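Review bot: The two added `allow ${globals.net.home-lan.vlans.services.cidrv4};` / `cidrv6` lines in `accessRules` (hunk `@@ -105,6 +105,8 @@`) open the InfluxDB virtual host to the whole services VLAN, so every host on that network can reach the HTTP API and access control rests on InfluxDB tokens alone. If only specific hosts need direct access, allowing their addresses would keep the rule set closer to least privilege. Failing that, a comment naming the consumer, such as `# <service> on the services VLAN reaches InfluxDB directly, not via proxy-home`, would explain why the range is this wide. The `accessRules` string and its `let` binding continue outside the hunk.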
@@ -57,21 +58,25 @@ in accounts = mkOption { type = types.str; + example = "accounts.ente.example.com"; description = "The domain under which the accounts frontend will be served."; }; cast = mkOption { type = types.str; + example = "cast.ente.example.com"; description = "The domain under which the cast frontend will be served."; }; albums = mkOption { type = types.str; + example = "albums.ente.example.com"; description = "The domain under which the albums frontend will be served."; }; photos = mkOption { type = types.str; + example = "photos.ente.example.com"; description = "The domain under which the photos frontend will be served."; }; }; @@ -85,17 +90,18 @@ in user = mkOption { type = types.str; default = defaultUser; - description = "User under which museum runs."; + description = "User under which museum runs. If you set this option you must make sure the user exists."; }; group = mkOption { type = types.str; default = defaultGroup; - description = "Group under which museum runs."; + description = "Group under which museum runs. If you set this option you must make sure the group exists."; }; domain = mkOption { type = types.str; + example = "api.ente.example.com"; description = "The domain under which the api will be served."; }; @@ -182,6 +188,7 @@ in services.ente.web.domains.api = mkIf cfgWeb.enable cfgApi.domain; services.ente.api.settings = { + # This will cause logs to be written to stdout/err, which then end up in the journal log-file = mkDefault ""; db = mkIf cfgApi.enableLocalDB { host = "/run/postgresql"; @@ -245,6 +252,7 @@ in BindReadOnlyPaths = [ "${cfgApi.package}/share/museum/migrations:${dataDir}/migrations" "${cfgApi.package}/share/museum/mail-templates:${dataDir}/mail-templates" + "${cfgApi.package}/share/museum/web-templates:${dataDir}/web-templates" ]; User = cfgApi.user; 
diff --git a/secrets/global.nix.age b/secrets/global.nix.age index 8dca345b3f23abdfef22d08a47b06cfd9f0c8afe..e594cadb1f119f1eb929f73b685a6a70d2226ead 100644 GIT binary patch literal 4029 zcmV;u4?^%^XJsvAZewzJaCB*JZZ2D*r zSW!n;G)_x;Q$$&CY*lbDMsia%S7c~MI96jgMQaLaHZUtyOHfEKT1rHBG-zQ~OIS`} zSxHGbSvf^+P(f2NN=rpqd3ID{P*n;oJ|J*ub}eu+H8vo4aZ_bDQ6NEiL_tJWbwzns zayM*8XL?V1H#1o;Pcvm&QgTfzRZTQjaY1t{acpukS!W7tV|Gt@QZiv?P-ZkVO;crZ zWl&doH!yTsV@Ekha!@ikF?KXmcSuZHXk!X3J|K8aGkz*eEoX9NVRL05BVQmxcRwmz zAR=95DMbo-PiII-a7B4_LT6HKPG)m;H$^KmdQoa=MQ2ueHCS&{G%_)IFKOv^3!TH)*_FXrh@lF}GF(>^R8p}%Un_b(P@G*l+F&=3$kt3>L7zxv37Xt&Bq++*g|t9<+YUj%J))HofA&Sr<7 zRa&q&8@RW0g_r=xYJ|Z{u&)R;PfK!`(i! z+2{)i@A77knOXZ|-8vH{VFAlBl>Uv+eXid12wc7&7YEK>fT{C_XHRYHa&%2s&=Vl1^m>7UU*>G=xpr)z!o;7q3s>;1Rvy@a-89@>NV_y

s<;Tr-6!RA2hEfW!a~^@%BSv*W_YS$s@G)_q)gMkaF#lnEZR{tVrK1 z4kr441c(kpvbXHf&(zYt?Cdu44kv6;?Br^%(gRX}OAAX)=T|WfA5mm$1eF-kE4NKg$4A$b)-A~onpmi4=_I3f)H!4}A1A=dZtrpAxWx~#~^zK<_?IM@Ui&+;Z0PM9XqJuawz z?Ti8EJmjjJF=vK>nWF036z%mQ9ZIyozSUi1#g1Gm?%)cTY2l&r?rZ-?=cpPOM4O#7 zGXpDmhV3*!l(nJ&-P(HILyy!MvhpY0ziJNT!;yl@7?u}PHFUJ77#ocF`X9Vu{HER0 zr;K?m#VMxxnV*Aa_eP;W(jGo+R9HF4mCViR%b8-ujIX0wNDtj7mq4sbaml~h>2`~K z-z^+>FB40mA${gv@vFXz)9GR9I8sTCmb2_VBJ1hIb})(AkX!QFz$A(2BJ9^mJ)ujj z)Bh{#Vvcc^g0t6fP&O`dvPjKpZ|GerEtU{U*kWESmdNiRNlPM-+0-#ofv15*1k}f+ zPab|nUeF>{6_1%ygfI$f+SM}2Lpy|UPr05W>*QNfnT2HCB(*Ym=EB+y{{^3i79}CI z^|Q-0DMYh}7Ae6Avr6!Pc~<%(G|qdr3I_m8H?^XR!NYqWUK zaSo`}y6D{IbQQZs$@~LzCV$tmff^roJE^hXx@tgh(-bR*84)KvCn zgaAIQeYp2f%_)fyEpTL1ud?KcHxX-_!VgU7CAiwmhI#QoRe??A`J{F`Pt5e;qiaf2 z=5dWWhqTKQRPUtRBGT==jQa5s#cp@M&?p{n93Dvs69ZUI`5Dv3`Vjg;@1Q^Imc3LjDuF5~+Mq=D-F?W-SM58_;Uf2akT}`L!`k8*q>E7jF`}Z9b{JC5o(;&Mhx6MmR2}pCQ z0Um?i4ew>H`z)a|n=$2gee`<%CappJtPP+q8-N*J6XOTY3evltK)Dk5A)3P=cZd~J zNak#*>zddBL62-X@Fwngu?tog@O6;aY&8;Vez&-D0QPzn8)l21 zx`E#A{Vh-6YfS!rOdO)7M7&?7hEr{ecs=+qj=(LFuiIc@YjouYFRp2b^k)NWbeJgd zxwez3$D1OGJoJ#ROoDW&7f9haztscpuBWH9NyQ!f`2Hm=W@V!uEEdRC#o{vIZA`mF zfG6`+-|`daL#y_rZYxsnMy{UpRO=m2U*k3icl}x^^Zq&FVqn558sAvx%6rKmzB}HBy9uf@O zY)lf@b;2g<4Q{Fwz4nrilctHV4=5YpmFwobhjbqgUnQ&2cPV%uvdRnq>`zoYZ#TfZ zjVVUGUBFVgN~S6^?Sq&B&W4~+Q?OL0s-Ntal~Or`S}L7J(!>eY07IN#bIta!jBE7O z3*NEk)~&qhpf}J4GK7PgTBfz?WPI7BQJAAQgRaccPAma#1U-mtkmEP+;%cDkW%`2w zS4fbk#4;B5o7t_3ZuVVy>KfHOfFF~2I=BG!I%yOKdLk?)+JF3G{W{|j9=|RM4qdV_ z{UP*=OY~g%DTtM-6mn&|vyTpAg7PaWOP%5O&KA5Sh5?&F%T6-o4pBi!_``|s*S(`lZ_iGJ9W3}lNFnV_-{kmPeoY~AdQqM|&Le{H zvPlIKOjN`P&EzL+mDaM8F>J=JW%iizO5TbX|C7qa#Zt~vaj0ZkA`-M&m^k}1TQ<`j zDeAWgFdtaFmaEG@pFy>Ec)|)-F&8)3bxL4$v!IGV0ZCj-j<$OP63t)udL; z8`^$!=>c)sPaE)+z>^U2rY39hd}E0#gQK{VVPqGE6g6Ls&lxRp<1}>~j^kJX|tDz5b!6r7T=^la|Mi478xT`3IqIiE0EO$eEDws`T=F zKV=U+vk+Bg78AG9e%S)t9fh3q_XGJt=KpX4qLS%Eps^iD_Okpd!qLN@yz~wHX2+5O zP~JjJ+MCGQa86{tUc3Xgrz6<-zWfQtmD@XdKL%0ZdyY|XZ}P1|Nnb!jBR6tWv8PR 
z$1pqLkS#Ztxywe@KuhJ2C3kxO;yq)(q$T0B)mGtQ%W5h7`=~A5lo=3^#YCU-T_w4$ zB95B5{GZ+3P4b~DK`Vc0ts^D_G!0*j9A&c`llixMe+!S=^Q>x|IQ2D9$TfM?upBGE z-+_S5oN;`Tkk9H-J9*yXP|nMor*3u^ne&O92Cy__g6kBMUrxMwvx726)GwU>A=3N; z&nRabZ=jHHtMc__^{Kd*80@)`S~LEjxN0bIZDc(1g4J03Za>IdmVp}D+U|0CJ*SlU zmp|21#HJ9@AhNuE(~(aFX2TsZwOaT9+-(x6s~X5)@HPA94}jvY1;s5dlU^gK?V8ZL z@1A4*kwC=|mg_|3MrIB;=N zFlA_KHgHB+cuq@rLozivZgx0IS!6hGYe@<%J|HP#W-VuOWnpt=3S~5B3N0-yAVN!2 zVRKVQIeAY^Z$nFZK{hgBR90<6Sz|;naCL5GadlH;MPzj=LQHKm3g7KwphC3e|B`?W zz-|XlTASd8>BS|CzNMI5LC^UMAnl}ikSDOj{{^vpUbvoHqAS@1 z|2u!pK;c&c1PqJ0%v-vF#3A0vG&&7tODF0{uwM`taTGvkD6S9Q>dRAN$lTeI>gGh^ z+8Q@Y?PRpOtyVm*oeeMFK+CFPSKbJr zR1Wb3^KkzUx_ZIn{X$`ziO1{R<6#<782%(LmX%d3xn$m!c3r=!Ljd=3| zW>(wa8s4DL+)`WhM8v}UV4euDp2Es#PU39F8kP@w(a)}og{yoHzCeLm*XPS}6&e9Y z{XN0OluQLr5eE|$G~JwCw~N_{-rUvfmKRBMJ1!nE$4uaC{<(9#ZzPt~lmDeQ;9kJ1 zk2^H<+JxYlC_z`qd2xo*{bjHem1}`Tw@HusTTz>c+ikC#;`8m(CE4Vn34g51@tvVD zIf3qhiJND^S( zmc#+@CF7Xgm;)!#LzTQ|lNLvyHYilqXs=cvvWb^$SB*+_=FN4gf;FVO3@IaOxvZm4 zH>Q2Ys&mTPv;>Wp)T{#vZInPb24Sm0_d2bxlOS3k&tJILGV%avz&N4A7vwEIj0n9gnK5`NidPIx2Kz

ZeKd2uU<(obMEg<72ic`EoL zE1D=wMVLkE?5=y&w9|nmV53Du=@!k%e`(uw;FB|-c+VnB0bFKoBX3TIzl%hb+Zzl1 zRSMa;4U_XZ7}W_2#0aQ>mrJoK)v?aaotsu91J#o14De1*WPeWsih;6l-c@u{Y-`&* zDD&wV7{ZX(>M-SfprnoR4Z#VZ7pGeE6Ewydu)_#V)&}h6#cHoFr<(@nf2w1g;jytY zyj?n-l5Czb&~S~Vk15cS2!cyHaD-ec_IND-TPBRZBg5J61|DcJ$jH6vhDQc2Y!ml} z61<3thZhIHz_l~+F zgPoUg)Qye_c@!7^V3;O=E@69Za^E;VdBW}_UW)C7^?{OjjAFgP)HhJHc7e1F9!i3% z2(cm^`(ySL@_L8{KQQVGRpD`N1Z8xR+6skA%s%SL*WFztLfgyL zAS7S^Bv(rq44bLaWO*}Htj3iv{(hRn8h)Q=5X z0Pb$q&fWE7rbJ5m9okXdA6gAjHkvf!TJYLA+;YjBlHePxPL$vz0e#+@f9ttQUG53^ zu9h^x1Lm?GB;y72EIOvvm3B%5r>vy+WaO`>dE(ATH=t5V!aWsOc!fN|G2dv(tTpc+ z>W3eER#VPfu{9XK8)&*lXl^*xHsodb^*MX+JUEtRAg5~p0izt3F1WfBX=ASE6jp5< zmz%^0b;R8#_X=67t4!R){&)4cK&niYQs1>fnHkBabURNsb?MHvD~>xB{_IC6_$`@9 z9hl>MN^MEz9Z!d>zrqM^<*c3(TaX7cX31>;MWYc9@=UHZ&ASuO#Sji4f3zqG*h(O$<@NhSP2xA#Y z@^bD^3W6E7xbavgg&m}zgX%6Y&YveLEtpuI1Ar8G`xg9hqR%MGCLRuG_04Uxn|ZhN z3Cp2`r*LXNk>b>{m_=D&l)q3hK^Qc=df>OU)azj~d$*hhM4D-EF3`AVu(DDGN&jzh zi*L;cE$E_8V^d;N*6?tl?&~`QAZ-I6(w|-rmyI)^H5s_grEU`xy}cf9P}{{M7<;-i z1*?0W7u`!jlB_W9o4>lPz%*JC z0S|7JRd@ef9mmxSgI0%vwyGwSQAs+e{Zb0)FPV}!L?IE1?1{d;azVujRs%P=fRr}+Wt1^RSi zeP$A2ghKWZY>`wp8DTQhrPz#^=Hq>11$iORh{=X;)`=K0GB5FnC)Jhi1&+8y&MxJ5 zJ7IOs&m7y4rcr@ATr_xBF{2ivZ$KOPS(~%DUnbr$DmJO;{4&iV?RI`6;0YO2R1KV8a zD)n81kl}nVOi=9DkRolU7}b@9iDoNcob9mM8hMA%r#(bt;!$?N`pBQ2+|dkB8KGU+ z^N*@v8wp3{h|kQ_&lgSE7cG6|_pjIdo4v{aHD?DRl04DZ{Qa;h__Kbs96Wnd6W4YE zhoI&{t-unR92OnF_RyeJs_e{DEZbX%iz91r-cn)ePY_4>=05b^s3N63zU9&g3l+R6 zkEM^UG%zxGJu=+^-fdUcOVVj;(cw7H3KqWd7#ep;cg7HY^k{!wz(U6riubzB#I{)zgZYe(ZlrQk;LlXZQ=6P|9Ju%WSRo)7*2|6L>fO6dil zN5#vpg`m2x9&%Hc&=#QVpl;wN&&OJxGNK*dH~K9#i;E#?2BltzASuD4ebmvs)Daw7 zaZlAO_e{iQ1H%+eJ%YfmnDB9-$4Zc`{;~CI!Z%21SH`q#+TvbO&HnH*!4)>546y=^ zt8dgco26k1zYL=&apYJ%XddkWl2%O_{@gH&MytL>SKY3Vd=S>S${+Qk38Y-g^D_pt z3&*?yUvlVZGh%#ukpvnMRnpjY$)7;9l>2hth|E!J-r`&SAtuT&hKwY)*ze?2we{zv18>rG$C>_X<^sQ9jh_{bcVo3F6*YW}Z)o_)z)V>8b7M^9&Ps5ExE4KO2T~p2G8kSxsY9 z$&RaM06+Cv;187JJ*kY#sewm#WbTKUiw_3rAYnctt|o<>9wYioQX_re>mA20&6-oX 
z=zy_U6aHg^3rN)Sx&p->RU;6WMj8t#!^dkEx}4~zb8J86jN@Ql3U7jJV&yOBv459` z6Fwm}P*l_QJEw*7_1w~jT%COM8ZS5+U1Sa1P*pPca+3h0j-?UcwvCkmwdZib9bH?R zLclYOjAAq3=F#gdn|n=Gl>}J3Kd<1^Y`w&WVJ4e|6K3Hnr!OVC5>Jlm_zV2TPa97+ zr5a8NzGXGlIPz9GXvZX*?zf})H93&{2^$CC9cd5TD5J z4(@q;#sb~^+OdBQAj@EAr@`$AnNV4h0rY5yq>yCm9tImZh#dFE$BjT4u*6neE_><8 w4yK;2f24KOG+8FQa9MYD7$FR0=2KTe)vck-s~@frVrRq`8ub|gm_ik$5=w ssh-ed25519 08+xhQ AZXVC7nTbtFBasccwllDvt3ic4NMeJu73tkzTooLORs +2yGRtqkypbochm/I1CowFSJZZ8qNPulmApP4ABlKvsU +-> 4`V#:p2-grease +yhfMojghx2Ne+5JDobIA +--- fH0ZmRzP4/lsJ9ykQVGDEPlyUohPuKJPgqXOlIilyL4 +v7T^SN#N&u_bx&U9 DJ +L{Q F[G&B \ No newline at end of file diff --git a/secrets/rekeyed/sire-immich/473bd83be339750b7105eecefcaef7f1-wireguard-proxy-sentinel-psks-sentinel+sire-immich.age b/secrets/rekeyed/sire-immich/473bd83be339750b7105eecefcaef7f1-wireguard-proxy-sentinel-psks-sentinel+sire-immich.age new file mode 100644 index 0000000..9b4df20 --- /dev/null +++ b/secrets/rekeyed/sire-immich/473bd83be339750b7105eecefcaef7f1-wireguard-proxy-sentinel-psks-sentinel+sire-immich.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 08+xhQ zg3qtzqOOj46luUhOUenMw3dfVz/PafKgVhj+7vljmY +hKRXQOn+qJ2qe82pIqbFqU7dkNt5p0zq6lC9q8vI0ys +-> E-grease 8#' Em.z$3-F +qNx4gWPSptpfLup7uDupqbkB0MoCBsFn7ZJhAILgRnzgkLYlG8rTSbxT +--- rEocn7eWbz8gSpaJOnC7YswKcci0Jmy87dxABXILzqg +cV>Ҟ~N0R6n/Z[m.3G'\$Cͣyc kG.QlȐ]E/ +9 \ No newline at end of file 
diff --git a/secrets/rekeyed/sire-immich/5070709ada98675000d61ce0cae80b46-wireguard-proxy-sentinel-priv-sire-immich.age b/secrets/rekeyed/sire-immich/5070709ada98675000d61ce0cae80b46-wireguard-proxy-sentinel-priv-sire-immich.age deleted file mode 100644 index 9166b12f2df28faca438f33e9b165a4390b04d8e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 341 zcmV-b0jmCCXJsvAZewzJaCB*JZZ2^= zNpM0mHAs3?cTs0JH&{7oR98<*PH;|7Ib?Y&LRCt4K{9PLb}w^vR7naoQAtd3dQe3x zd1+&EHZxW=M07z{aY;5pD{O5=IdE-SRdrcHL@`ikRZR*lJ|Ip(VJ>JbXL4m>b7de@ zD_@zF?3`x zXEIrGLTN>IFjRAISwRXdEiE8PHFHsVZ!2>(VR2?SI7>-sa&2^RM{_S{M|d?uV@^3^ zLq%v$W>Qf|GEE8$v1aYto?8hC=Afak?+^oloQ6qZdH7gJNVC nr~y4wVj%7tjIn{(g`CxFIRHe3$|}FeSk3WRGrlge;Ct%|gvxmC diff --git a/secrets/rekeyed/sire-immich/5a140530eeaf232ef669c3bf14336924-wireguard-proxy-home-psks-sire-immich+ward.age b/secrets/rekeyed/sire-immich/5a140530eeaf232ef669c3bf14336924-wireguard-proxy-home-psks-sire-immich+ward.age new file mode 100644 index 0000000000000000000000000000000000000000..9dc03a73e63bd94b8234f400e50af17c31b02015 GIT binary patch literal 355 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSPu+Xl^2vqPebT7{} z$xYKYE>5iUuFUqy3w0^TEX=FOcJtK^FL5#{F9-@r@sG+*cjO9j3O5cduka5^&&VzE z*LKRtcFp(CtMH4`PBSpd*AFPnOYsXxE(~)GHvrk@XB3iT;Nzg1UX+?xoT^~r8xk2B zWT@a!VISk8;H!|9o8f1mU#-IB9_1REY*}I+l@ySbmXhpisGaTWU!WZtTCtE=E2TIBBQ6YgT>k(OALZCF-roStc#pP%oS zT;i%9QCv}#99$VxQ07+T6UpVF!6tb&>SLwrhh>~DQ%U!BuWm0`5(TBdS<+)V2O88WP^V#!V{X&NYOM1Eeeojqze7_F>5;A=R literal 0 HcmV?d00001 diff --git a/secrets/rekeyed/sire-immich/6055cb73daacbb7a0841103ca454174a-immich-oauth2-client-secret.age b/secrets/rekeyed/sire-immich/6055cb73daacbb7a0841103ca454174a-immich-oauth2-client-secret.age deleted file mode 100644 index 4370cc8..0000000 --- a/secrets/rekeyed/sire-immich/6055cb73daacbb7a0841103ca454174a-immich-oauth2-client-secret.age +++ /dev/null 
@@ -1,7 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 U8ytLQ veKTrJX4Srbh92lE3hPO4NTpeNzP/NuUmfZHWIAcTEU -jW3uyW7qos8LSsAyQ56gZa5NBCJVUqZVu8KZHe0v0iE --> sVVZ{H-grease ~J3,Ud i+P -wb4kp+Ii ---- PJ20pWfjTwBwh2Dr+q6Gob16aGbH61ilptbCzQn0jEQ -;VvK_sqP0=QbXs..i]vA->mFSxT|;{vUjfs \ No newline at end of file diff --git a/secrets/rekeyed/sire-immich/6d6412638f56d57f4ca694913136adfb-wireguard-proxy-sentinel-psks-sentinel+sire-immich.age b/secrets/rekeyed/sire-immich/6d6412638f56d57f4ca694913136adfb-wireguard-proxy-sentinel-psks-sentinel+sire-immich.age deleted file mode 100644 index de7fef8..0000000 --- a/secrets/rekeyed/sire-immich/6d6412638f56d57f4ca694913136adfb-wireguard-proxy-sentinel-psks-sentinel+sire-immich.age +++ /dev/null @@ -1,7 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 U8ytLQ kjGqE0PbVbxIqRS4RdHdmhNFr8Sv3jDfFPdjnnlVj0Q -lz5h6PSyLBXMTUTdS4uzBiPi3yNXdhsxvYw5TT3i8Uc --> ?~Rt$#-grease uWLiw,w> ZfFM;) -guaxvIRwfg ---- UFQfXS855+dhnxARJ4M5W0qHdsgTjkfgRu0yjd/tBYU -x(ZTVJ ssh-ed25519 U8ytLQ 1x2w+U7iZ59hW1cymklltoWgBoo9Iao1YnsP0dYsJyE -8Yax1Uq2UZCEPysMfcu/mvkO0cLdnTFJ+lLTglZEhD0 --> Mo>ig-grease -gyxTtneFjCxPTo53gPgqBMm/dUTNqw7SSGXZ9wFTK3I ---- 2kvAlqhkxaAZcY0qewhgWahfiafgZSKZm7T3x8O5wxI -,Cc-z#5#,UVev;N"բɬi\()[R\7@vܲƾNϹΎ{4 \ No newline at end of file diff --git a/secrets/rekeyed/sire-immich/7390493ba0250d48db36b91e78cd5367-promtail-loki-basic-auth-password.age b/secrets/rekeyed/sire-immich/7390493ba0250d48db36b91e78cd5367-promtail-loki-basic-auth-password.age new file mode 100644 index 0000000..8572a1f --- /dev/null +++ b/secrets/rekeyed/sire-immich/7390493ba0250d48db36b91e78cd5367-promtail-loki-basic-auth-password.age 
@@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 08+xhQ GOn8a+tEBtiwUxioNd2fk5PrWNkT+awF+XzbClQJ6Qg +xltPAmFpS3qUO8sNKRuvsdSaf72RvDnZO+RijXg6Qg0 +-> 39!T/O'-grease ~v?U;y +egK+Kho4rgecwrv9gmcK/C2dJnbd+SGF73FGl3XIzlJwfkRzRvamV978lA4uyrcF +vw +--- Nkp782AMG8OclXPvKR7fy334Umjsa/x1jXe6MA1q6CM +[>@QRMmG`*OT;x!T?_,DŽ ֶ {'լY&GkfMH|UΠ _b \ No newline at end of file diff --git a/secrets/rekeyed/sire-immich/7c45bd9af65e9bf02c6c86b417719fdb-telegraf-influxdb-token.age b/secrets/rekeyed/sire-immich/7c45bd9af65e9bf02c6c86b417719fdb-telegraf-influxdb-token.age new file mode 100644 index 0000000..d267d71 --- /dev/null +++ b/secrets/rekeyed/sire-immich/7c45bd9af65e9bf02c6c86b417719fdb-telegraf-influxdb-token.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 08+xhQ CFoQPo0bwvS1VyUbOOq4fk/DHs6EZNoxf9patvaAyis +2U2S/yiSKY7+eE28APeakHdTrVTp4BAb9T2T0G26wfU +-> g8r-grease :K-IEEo5 +PQV599Ol7XmAsiS5r6E86w +--- 6iGZ2tBk1eTu+zztYN2oLUXZr5vb8iYCQR92gqf50zo +g0[B?n'xo:枾 w'AӨa \ No newline at end of file diff --git a/secrets/rekeyed/sire-immich/9654640f4ad0b7a78ce21df9c5bf33b8-immich-oauth2-client-secret.age b/secrets/rekeyed/sire-immich/9654640f4ad0b7a78ce21df9c5bf33b8-immich-oauth2-client-secret.age new file mode 100644 index 0000000000000000000000000000000000000000..55ffa5beb1497d19acb832949d5b25ffdc00a18d GIT binary patch literal 397 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSPu+Xl^2vkT52+S)f z^3Mt>3C#`84k$JDh)j2K_wh-xtT2uW4@&azat;Vc4st7XHQ+K253VYTFbzm5N-0S# z3e8G&&&>6Ya`mZn3Uu)<&CCxgG}g~^bjd1lv;f%_8xReIy6Hu!iN&c3!3rw5*$PTZ z>8gslid-crKJFE6MnPf822o)}UTL|3i3ZN58J3=*7S3e`S)m>|Wk%j9Ma4x~Mn#2T zInKeJIaNtj8D5@=6^`CP73Ey1Nv6qFiB%Rs>0Ty@5vDn1d0rW=j+v&ORq4i+!9l@M z5gzGg+OAx>y1EJ`#TCw}=D~i(VUF$wVcLHA$xgu*McyuXq5c8cL4J+}=_Q`7DHdMI z7U^8uY@O^! zOKMGXS4LMeHgk3{6?934rfc03_fpk le0hedJ&CYs1F7Wzxd{-Polr7Sab&J!eFGqZZZqDi?KzqYX*&P_ 
diff --git a/secrets/rekeyed/sire-immich/b50e7c654824daae359bcf87642131de-wireguard-proxy-home-priv-sire-immich.age b/secrets/rekeyed/sire-immich/b50e7c654824daae359bcf87642131de-wireguard-proxy-home-priv-sire-immich.age deleted file mode 100644 index f4cd5a8..0000000 --- a/secrets/rekeyed/sire-immich/b50e7c654824daae359bcf87642131de-wireguard-proxy-home-priv-sire-immich.age +++ /dev/null @@ -1,7 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 U8ytLQ QRKqBGrzPBO8uDJtAjIpOVcir6L5beNr0wS3iVXQFiY -YjTxSInhMSU0yogxBupf2311z5OXeNrSSkQpU4d34OM --> o3E-grease ~ E Y+:|pOC -/8vpx1EmpwyfX3vwNpjAMMFCoRuoP3w1RLWAgqj5J1tIb48O0Wc ---- EIeRKimHpArrdLioRUJ2rEa6uBOiAolXK1J1Sej37WE -9CKڕOu1G1F/0b=L0dsAjS؀|^1Eͪ C(9Sc: \ No newline at end of file diff --git a/secrets/rekeyed/sire-immich/bbbf9beb0367145565e8795b2f8e8b23-wireguard-proxy-home-psks-sire-immich+ward.age b/secrets/rekeyed/sire-immich/bbbf9beb0367145565e8795b2f8e8b23-wireguard-proxy-home-psks-sire-immich+ward.age deleted file mode 100644 index cec4abb..0000000 --- a/secrets/rekeyed/sire-immich/bbbf9beb0367145565e8795b2f8e8b23-wireguard-proxy-home-psks-sire-immich+ward.age +++ /dev/null @@ -1,8 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 U8ytLQ odwIDreVyKb1UHckjz1/1PKET4rluHdxFVJ2naBOKhM -PJyoiRA65kd2272oq3Irup5gBq9sWDMgkIbkPbIa+IU --> HDe/yru:-grease ee~+ -g5uaAbBGEy/dJPeFuKdCqdvlIbcxeoVQMQ/y7hwgJQI68DOwpdAggi12cMYt+mlM -yNE2Lb6p4xO8BRF0 ---- Xl6hjCyuuxnKdBNe3/x6jqvDsoaHDBYIzO8nV0DRuVs -f01VzVsit%}H ۍ=F: _wy)v0Pl"%-ybQ줜K \ No newline at end of file 
diff --git a/secrets/rekeyed/sire-immich/ea03e492361c8f9b4c8df68598f02edf-wireguard-proxy-home-priv-sire-immich.age b/secrets/rekeyed/sire-immich/ea03e492361c8f9b4c8df68598f02edf-wireguard-proxy-home-priv-sire-immich.age new file mode 100644 index 0000000000000000000000000000000000000000..22ede35d849d799e735e1a8098a256544de25f44 GIT binary patch literal 412 zcmWm7J8#oK003Yn29HdPUg%<(JKOQAL!}Zs=QM5-r*>jnVsMg^<0O96S3i=71u9il z2L=QS5)~VNp+iR&22_cGjR7IS)&)Tsc!=*0d_jm=oJ{gnb`+(_{WK3j$x-YMO~{PJ zQ(hD~m4*sa&n$XaPgKEotVw}9*pyAdI4D$gl)wjGF1Djes{U_qqszl+n+p`62Y{~^ z9nh8M@zffmnw^+RE8^jpW9+_ytahtrmM&a2_@%LGf@&Nfq^L-7xxI9fQfoPhRlgRc z!)TC@_G}zWWI8bQF!$DStQ8|6Hr*;zpkq2sV-bujRTjV@ztGzj#j-4IEH#*g8E(wG zQ?9}~DR(8+7c~PRE%wt^#O(H0vCW8OMGaqmaxT9-fBoUqI@bWf^hx8FV