From 4c2f98f9e4190b8e40cce7873a401fe159f6f5d0 Mon Sep 17 00:00:00 2001 
From: oddlama Date: Sun, 18 May 2025 13:55:20 +0200 Subject: [PATCH] feat: add ente --- config/users.nix | 1 + hosts/sentinel/default.nix | 11 + hosts/sentinel/firezone.nix | 7 +- hosts/sentinel/secrets/local.nix.age | Bin 1016 -> 1019 bytes hosts/sire/default.nix | 4 +- hosts/sire/guests/ente.nix | 238 ++++++++++++ hosts/sire/secrets/ente/host.pub | 1 + hosts/ward/default.nix | 8 +- hosts/ward/guests/adguardhome.nix | 7 +- hosts/ward/guests/web-proxy.nix | 11 + modules/default.nix | 1 + modules/ente.nix | 346 ++++++++++++++++++ pkgs/default.nix | 2 + pkgs/ente-web.nix | 91 +++++ .../sentinel/loki-basic-auth-hashes.age | Bin 2643 -> 2634 bytes .../sire-ente/ente-encryption-key.age | 9 + secrets/generated/sire-ente/ente-hash-key.age | Bin 0 -> 418 bytes secrets/generated/sire-ente/ente-jwt.age | 9 + .../generated/sire-ente/minio-access-key.age | 10 + .../sire-ente/minio-root-credentials.age | 9 + .../generated/sire-ente/minio-secret-key.age | Bin 0 -> 465 bytes .../promtail-loki-basic-auth-password.age | Bin 0 -> 398 bytes .../sire-ente/telegraf-influxdb-token.age | Bin 0 -> 467 bytes ...7f5b14bf1f05cdf-loki-basic-auth-hashes.age | Bin 0 -> 2551 bytes ...5b4b19316ff9c31-loki-basic-auth-hashes.age | Bin 2575 -> 0 bytes ...proxy-sentinel-psks-sentinel+sire-ente.age | 7 + ...031974a30ce0d150b5-ente-encryption-key.age | 8 + ...f3a6-promtail-loki-basic-auth-password.age | 7 + ...4a9ea29b7eaa7b-telegraf-influxdb-token.age | 7 + ...4abd2ee1ab5829fc3ac741d6-ente-hash-key.age | 8 + ...ireguard-proxy-sentinel-priv-sire-ente.age | 7 + ...5a9be337a42f7ceccabcb94e58c7d-ente-jwt.age | 9 + ...9f83111fceb6e17-minio-root-credentials.age | 7 + ...proxy-sentinel-psks-sentinel+sire-ente.age | 7 + ...eaf93e5314de87b7ddc1f-minio-access-key.age | 8 + ...651cf0fb3baa35f8717e5-minio-secret-key.age | 8 + ...b5-wireguard-proxy-home-priv-sire-ente.age | 7 + ...reguard-proxy-home-psks-sire-ente+ward.age | 8 + ...1261-telegraf-influxdb-token-sire-ente.age | 7 + 
...3aa1c34b6ed6dfd-loki-basic-auth-hashes.age | Bin 0 -> 2526 bytes ...2c07814074b7899-loki-basic-auth-hashes.age | Bin 2577 -> 0 bytes ...reguard-proxy-home-psks-sire-ente+ward.age | 7 + .../wireguard/proxy-home/keys/sire-ente.age | 10 + .../wireguard/proxy-home/keys/sire-ente.pub | 1 + .../proxy-home/psks/sire-ente+ward.age | 9 + .../proxy-sentinel/keys/sire-ente.age | 10 + .../proxy-sentinel/keys/sire-ente.pub | 1 + .../psks/sentinel+sire-ente.age | Bin 0 -> 518 bytes 48 files changed, 904 insertions(+), 4 deletions(-) create mode 100644 hosts/sire/guests/ente.nix create mode 100644 hosts/sire/secrets/ente/host.pub create mode 100644 modules/ente.nix create mode 100644 pkgs/ente-web.nix create mode 100644 secrets/generated/sire-ente/ente-encryption-key.age create mode 100644 secrets/generated/sire-ente/ente-hash-key.age create mode 100644 secrets/generated/sire-ente/ente-jwt.age create mode 100644 secrets/generated/sire-ente/minio-access-key.age create mode 100644 secrets/generated/sire-ente/minio-root-credentials.age create mode 100644 secrets/generated/sire-ente/minio-secret-key.age create mode 100644 secrets/generated/sire-ente/promtail-loki-basic-auth-password.age create mode 100644 secrets/generated/sire-ente/telegraf-influxdb-token.age create mode 100644 secrets/rekeyed/sentinel/0eaa4bb18cbfcecdc7f5b14bf1f05cdf-loki-basic-auth-hashes.age delete mode 100644 secrets/rekeyed/sentinel/5f448f5955218081b5b4b19316ff9c31-loki-basic-auth-hashes.age create mode 100644 secrets/rekeyed/sentinel/7dd21124a6116b64884cc34b22d128b0-wireguard-proxy-sentinel-psks-sentinel+sire-ente.age create mode 100644 secrets/rekeyed/sire-ente/0a655191d8a00f031974a30ce0d150b5-ente-encryption-key.age create mode 100644 secrets/rekeyed/sire-ente/39ed4aee39bb5284ed82d595b57af3a6-promtail-loki-basic-auth-password.age create mode 100644 secrets/rekeyed/sire-ente/48afcb0cd2c5ea7e134a9ea29b7eaa7b-telegraf-influxdb-token.age create mode 100644 
secrets/rekeyed/sire-ente/4fddd2864abd2ee1ab5829fc3ac741d6-ente-hash-key.age create mode 100644 secrets/rekeyed/sire-ente/50b5f9785853d40bd74d52dde6d57c11-wireguard-proxy-sentinel-priv-sire-ente.age create mode 100644 secrets/rekeyed/sire-ente/6bd5a9be337a42f7ceccabcb94e58c7d-ente-jwt.age create mode 100644 secrets/rekeyed/sire-ente/8dabe142e6ad67a259f83111fceb6e17-minio-root-credentials.age create mode 100644 secrets/rekeyed/sire-ente/a3d4334dfab58cfbb82ce922dbb23c50-wireguard-proxy-sentinel-psks-sentinel+sire-ente.age create mode 100644 secrets/rekeyed/sire-ente/b196a04930eeaf93e5314de87b7ddc1f-minio-access-key.age create mode 100644 secrets/rekeyed/sire-ente/c286daba571651cf0fb3baa35f8717e5-minio-secret-key.age create mode 100644 secrets/rekeyed/sire-ente/cff35fe4c607c5c2d57af131e14080b5-wireguard-proxy-home-priv-sire-ente.age create mode 100644 secrets/rekeyed/sire-ente/d0a3d1a9285c9e295e71bd59a2399ec6-wireguard-proxy-home-psks-sire-ente+ward.age create mode 100644 secrets/rekeyed/sire-influxdb/d7176dcef3b2245267cb9d77723a1261-telegraf-influxdb-token-sire-ente.age create mode 100644 secrets/rekeyed/ward-web-proxy/09683ecb6ba69322f3aa1c34b6ed6dfd-loki-basic-auth-hashes.age delete mode 100644 secrets/rekeyed/ward-web-proxy/90ab11485712f95db2c07814074b7899-loki-basic-auth-hashes.age create mode 100644 secrets/rekeyed/ward/82fb2774f6a5e08a0e4bd8b8cdc09238-wireguard-proxy-home-psks-sire-ente+ward.age create mode 100644 secrets/wireguard/proxy-home/keys/sire-ente.age create mode 100644 secrets/wireguard/proxy-home/keys/sire-ente.pub create mode 100644 secrets/wireguard/proxy-home/psks/sire-ente+ward.age create mode 100644 secrets/wireguard/proxy-sentinel/keys/sire-ente.age create mode 100644 secrets/wireguard/proxy-sentinel/keys/sire-ente.pub create mode 100644 secrets/wireguard/proxy-sentinel/psks/sentinel+sire-ente.age diff --git a/config/users.nix b/config/users.nix index 0ea6f90..cf30a62 100644 --- a/config/users.nix +++ b/config/users.nix 
@@ -47,5 +47,6 @@ # firefly-pico = uidGid 964; avahi = uidGid 963; ente = uidGid 962; + minio = uidGid 961; }; } diff --git a/hosts/sentinel/default.nix b/hosts/sentinel/default.nix index 774f011..6e9f76f 100644 --- a/hosts/sentinel/default.nix +++ b/hosts/sentinel/default.nix @@ -54,4 +54,15 @@ # This node shall monitor the infrastructure availableMonitoringNetworks = [ "internet" ]; }; + + services.ente.web = { + enable = true; + domains = { + api = "api.photos.${globals.domains.me}"; + accounts = "accounts.photos.${globals.domains.me}"; + albums = "albums.photos.${globals.domains.me}"; + cast = "cast.photos.${globals.domains.me}"; + photos = "photos.${globals.domains.me}"; + }; + }; } diff --git a/hosts/sentinel/firezone.nix b/hosts/sentinel/firezone.nix index dceb1a8..94dbb4d 100644 --- a/hosts/sentinel/firezone.nix +++ b/hosts/sentinel/firezone.nix @@ -12,7 +12,12 @@ let # FIXME: new entry here? make new firezone gateway on ward entry too. homeDomains = [ globals.services.grafana.domain - globals.services.ente.domain + "accounts.photos.${globals.domains.me}" + "albums.photos.${globals.domains.me}" + "api.photos.${globals.domains.me}" + "cast.photos.${globals.domains.me}" + "photos.${globals.domains.me}" + "s3.photos.${globals.domains.me}" globals.services.immich.domain globals.services.influxdb.domain globals.services.loki.domain 
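Review bot: The six `*.photos.${globals.domains.me}` strings added to `homeDomains` in hosts/sentinel/firezone.nix are written out again in hosts/ward/default.nix and hosts/ward/guests/adguardhome.nix, and five of them again in both `services.ente.web.domains` blocks, while the canonical definitions sit in the `let` of hosts/sire/guests/ente.nix. These lists appear to decide which names are treated as home-only, so a name that is added or renamed in one place and missed in another would silently change how that service is reached. Until globals can carry several domains per service, I would copy the marker that only hosts/ward/default.nix has, `# TODO: allow multiple domains per global service.`, to the firezone.nix and adguardhome.nix lists so the duplication is visible at each site.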
diff --git a/hosts/sentinel/secrets/local.nix.age b/hosts/sentinel/secrets/local.nix.age index e4a317bc09420fa2417ea1baf6d7f9b872133723..00390118bd4e35157e0cbfbcfb5d1d5b40490614 100644 GIT binary patch delta 1001 zcmVi9SQcH79D{WVKGb=+d zOHwaWP&rUaVnqsiL3DC8I8QWnP-|3DT5L*HH%M|TVJ~x4a#?kBG;3x;T3InrYc@1Q zZ$%0%J|HbSX)R}RWnpt=AUq&!Wl(EjMrR;DAX8x}C02F{Omj|nF>-l&GEXo=L^4BD zZcs;NYbaPHhZ7WeRRa!)FYeRZuYFTY^ zW;RhmOH6S@Wp7qud2VkCd9`X5NrKc7^?Lz10S22^WGq}@<3r8g6avWJPrO~=|DPf_ zTp)5nJE@27IGraB61lA86`(WZsY<^;9kITK@pQ$hRez`+YlA1xFXbc&R4AsVsF@Ju zv{ARAs+z5!L*MkiOLB%6j1^ZpjhZ%&46e8;E_vFzjy#zc{InPi68Gf+_&vDTz8F99 zo!9-gJt}s@JI&v}v1t+s9QX)}@C^h`GnhYyBe$}kfZUY+CkUTIFB<#;)d6T56I4y! z?;*|-*MF02VdINyc_6^IZb$-6v~CoCQBVO>^>>6m8Mtqx6iF}}EV&x%`(FalKEVjQTH8z}cluG5bUVr)m*evyvAagV*IU!mH^?ezX|8CX7 zKT3@Wai?U{Kju0bI%Ot08a|GcYHCgv!4NSM?0+TGFrz8&X!hGeYY%7#>AHkM|{S)frT4U%yu9#-JhMb zpnqecL_jW1zUgwI2gs^Np0ru&pHruVu{t(N&9mc8LwpkZeM6kMOq)m-UR82vH< zxj=u|p~BWYiyfr_ZbDc+VInU=as}d=Nmc5%n9_iJg{5EVh`X za&hUt11Q@B`^)DH3|u=Cvw0cV!!`GZRboc`_l&PaRliq>%ymFePKh@M>BuZaV*?$1 zzvPV=dT;9JM^^u!Q~t2UF22bVzSw^#h2k{EA3X9`(4b&CIq!I(-09)+X$dd2|6 XiORHFj)3Ao8_ zYDi>eT247-S8NJmD>O$lT2ga!D|&G@X;?2rO-@lxQEfs&K}}{eQcW*LM{sCKSZ#1n zVND7xJ|JI3Cr%vs z;h?uS!(cJf=Ab|euw`YRRhByB#r%Y7-IfYzXR5+)F;Nf-Ns(Xc_xUJaXQOqAMuEhF zNxD#=<}CP08_?2yFHHwA+Ju;ngu=FBy7#9k7Q1k7LrdxOc1J2Q85TlPZ4GW#Z@}cs z=TXkDFMk|b9UAr_|Ci+iC(F0c4VGti=CHapi+j5hRVU+eZYxIK+9vi&<)pGtztP|a ztWAhy2;-oI&>)GEM-ycVlCn9I&fh>#=LYcL;N066x{9wm3@b@b1)wXQib6ms?icO8 zCOWYJ{QPi97vRJSK1Cnvh#8>apMMa{VcKs(`hSh?L1+4lE0J&IJLb;55|tDtCVt&j zBTzN28)Of`w^BM5twffUd4tsp|JF~l438wgtVD+it~Uk$7$Upel{F603I5}9R(xqg zk3OcVm#SP1Fg>xh7{4RlBCehWrj-w#@zHAcgxqWdWYBqa+&;BcedkB%;H#hvo)OoN zNq_Y>B53&vgoVW>M^kCGzJV$V37a5XGf>!((;IDR-|~VJHs^_8;oe$ZjUu3L(Kr7IRF3v diff --git a/hosts/sire/default.nix b/hosts/sire/default.nix index 277d7e1..6287694 100644 --- a/hosts/sire/default.nix +++ b/hosts/sire/default.nix 
@@ -150,7 +150,9 @@ } // mkMicrovm "ai" { } // mkMicrovm "minecraft" { } - // mkMicrovm "ente" { } + // mkMicrovm "ente" { + enableStorageDataset = true; + } #// mkMicrovm "fasten-health" {} ); } diff --git a/hosts/sire/guests/ente.nix b/hosts/sire/guests/ente.nix new file mode 100644 index 0000000..b1b3fa0 --- /dev/null +++ b/hosts/sire/guests/ente.nix 
@@ -0,0 +1,238 @@
+{
+ config,
+ globals,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ enteAccountsDomain = "accounts.photos.${globals.domains.me}";
+ enteAlbumsDomain = "albums.photos.${globals.domains.me}";
+ enteApiDomain = "api.photos.${globals.domains.me}";
+ enteCastDomain = "cast.photos.${globals.domains.me}";
+ entePhotosDomain = "photos.${globals.domains.me}";
+ s3Domain = "s3.photos.${globals.domains.me}";
+
+ proxyConfig = remoteAddr: nginxExtraConfig: {
+ upstreams.ente = {
+ servers."${remoteAddr}:80" = { };
+ extraConfig = ''
+ zone ente 64k;
+ keepalive 20;
+ '';
+ monitoring.enable = true;
+ };
+
+ upstreams.museum = {
+ servers."${remoteAddr}:8080" = { };
+ extraConfig = ''
+ zone museum 64k;
+ keepalive 20;
+ '';
+ };
+
+ upstreams.minio = {
+ servers."${remoteAddr}:9000" = { };
+ extraConfig = ''
+ zone minio 64k;
+ keepalive 20;
+ '';
+ };
+
+ virtualHosts =
+ {
+ ${enteApiDomain} = {
+ forceSSL = true;
+ useACMEWildcardHost = true;
+ locations."/".proxyPass = "http://museum";
+ extraConfig = ''
+ client_max_body_size 4M;
+ ${nginxExtraConfig}
+ '';
+ };
+ ${s3Domain} = {
+ forceSSL = true;
+ useACMEWildcardHost = true;
+ locations."/".proxyPass = "http://minio";
+ extraConfig = ''
+ client_max_body_size 32M;
+ proxy_buffering off;
+ proxy_request_buffering off;
+ ${nginxExtraConfig}
+ '';
+ };
+ }
+ // lib.genAttrs
+ [
+ enteAccountsDomain
+ enteAlbumsDomain
+ enteCastDomain
+ entePhotosDomain
+ ]
+ (_domain: {
+ useACMEWildcardHost = true;
+ extraConfig = nginxExtraConfig;
+ });
+ };
+in
+{
+ wireguard.proxy-sentinel = {
+ client.via = "sentinel";
+ firewallRuleForNode.sentinel.allowedTCPPorts = [
+ 80
+ 9000
+ ];
+ };
+
+ wireguard.proxy-home = {
+ client.via = "ward";
+ firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [
+ 80
+ 9000
+ ];
+ };
+
+ globals.services.ente.domain = entePhotosDomain;
+ # FIXME: also monitor from internal network
+ globals.monitoring.http.ente = {
+ url = "https://${entePhotosDomain}";
+ expectedBodyRegex = "Ente Photos";
+ network = "internet";
+ };
+
+ fileSystems."/storage".neededForBoot = true;
+ environment.persistence."/storage".directories = [
+ {
+ directory = "/var/lib/minio";
+ user = "minio";
+ group = "minio";
+ mode = "0750";
+ }
+ ];
+
+ environment.persistence."/persist".directories = [
+ {
+ directory = "/var/lib/ente";
+ user = "ente";
+ group = "ente";
+ mode = "0750";
+ }
+ ];
+
+ # NOTE: don't use the root user for access. In this case it doesn't matter
+ # since the whole minio server is only for ente anyway, but it would be a
+ # good practice.
+ age.secrets.minio-access-key = {
+ generator.script = "alnum";
+ mode = "440";
+ group = "ente";
+ };
+ age.secrets.minio-secret-key = {
+ generator.script = "alnum";
+ mode = "440";
+ group = "ente";
+ };
+ age.secrets.minio-root-credentials = {
+ generator.dependencies = [
+ config.age.secrets.minio-access-key
+ config.age.secrets.minio-secret-key
+ ];
+ generator.script =
+ {
+ lib,
+ decrypt,
+ deps,
+ ...
+ }:
+ ''
+ echo -n "MINIO_ROOT_USER="
+ ${decrypt} ${lib.escapeShellArg (builtins.elemAt deps 0).file}
+ echo -n "MINIO_ROOT_PASSWORD="
+ ${decrypt} ${lib.escapeShellArg (builtins.elemAt deps 1).file}
+ '';
+ mode = "440";
+ group = "minio";
+ };
+
+ # base64 (url)
+ age.secrets.ente-jwt = {
+ generator.script =
+ { pkgs, ... }: "${pkgs.openssl}/bin/openssl rand -base64 32 | tr -d '\n' | tr '/+' '_-'";
+ mode = "440";
+ group = "ente";
+ };
+ # base64 (standard)
+ age.secrets.ente-encryption-key = {
+ generator.script = "base64";
+ mode = "440";
+ group = "ente";
+ };
+ # base64 (standard)
+ age.secrets.ente-hash-key = {
+ generator.script = { pkgs, ... }: "${pkgs.openssl}/bin/openssl rand -base64 64 | tr -d '\n'";
+ mode = "440";
+ group = "ente";
+ };
+
+ services.minio = {
+ enable = true;
+ rootCredentialsFile = config.age.secrets.minio-root-credentials.path;
+ };
+ systemd.services.minio = {
+ environment.MINIO_SERVER_URL = "https://${s3Domain}";
+ postStart = ''
+ # Wait until minio is up
+ ${lib.getExe pkgs.curl} --retry 5 --retry-connrefused --fail --no-progress-meter -o /dev/null "http://localhost:9000/minio/health/live"
+
+ # Make sure bucket exists
+ mkdir -p ${lib.escapeShellArg config.services.minio.dataDir}/data/ente
+ '';
+ };
+
+ systemd.services.ente.after = [ "minio.service" ];
+ services.ente.api = {
+ enable = true;
+ enableLocalDB = true;
+ domain = enteApiDomain;
+ settings = {
+ apps = {
+ accounts = "https://${enteAccountsDomain}";
+ cast = "https://${enteCastDomain}";
+ public-albums = "https://${enteAlbumsDomain}";
+ };
+
+ webauthn = {
+ rpid = enteAccountsDomain;
+ rporigins = [ "https://${enteAccountsDomain}" ];
+ };
+
+ s3 = {
+ use_path_style_urls = true;
+ b2-eu-cen = {
+ endpoint = "https://${s3Domain}";
+ region = "us-east-1";
+ bucket = "ente";
+ key._secret = config.age.secrets.minio-access-key.path;
+ secret._secret = config.age.secrets.minio-secret-key.path;
+ };
+ };
+
+ jwt.secret._secret = config.age.secrets.ente-jwt.path;
+ key = {
+ encryption._secret = config.age.secrets.ente-encryption-key.path;
+ hash._secret = config.age.secrets.ente-hash-key.path;
+ };
+ };
+ };
+
+ # NOTE: services.ente.web is configured separately on both proxy servers!
+ nodes.sentinel.services.nginx = proxyConfig config.wireguard.proxy-sentinel.ipv4 ""; + nodes.ward-web-prox.services.nginxy = proxyConfig config.wireguard.proxy-home.ipv4 '' + allow ${globals.net.home-lan.vlans.home.cidrv4}; + allow ${globals.net.home-lan.vlans.home.cidrv6}; + # Firezone traffic + allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4}; + allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6}; + deny all; + ''; +} diff --git a/hosts/sire/secrets/ente/host.pub b/hosts/sire/secrets/ente/host.pub new file mode 100644 index 0000000..83f16da --- /dev/null +++ b/hosts/sire/secrets/ente/host.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPHm23XtSiwueXpmqJqFWIxYVWU/eq+dQ0PcwMrsN+c diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix index b5207b7..518ee23 100644 --- a/hosts/ward/default.nix +++ b/hosts/ward/default.nix @@ -13,7 +13,13 @@ let # FIXME: new entry here? make new firezone entry too. homeDomains = [ globals.services.grafana.domain - globals.services.ente.domain + # TODO: allow multiple domains per global service. + "accounts.photos.${globals.domains.me}" + "albums.photos.${globals.domains.me}" + "api.photos.${globals.domains.me}" + "cast.photos.${globals.domains.me}" + "photos.${globals.domains.me}" + "s3.photos.${globals.domains.me}" globals.services.immich.domain globals.services.influxdb.domain globals.services.loki.domain diff --git a/hosts/ward/guests/adguardhome.nix b/hosts/ward/guests/adguardhome.nix index f7b6bbd..626859d 100644 --- a/hosts/ward/guests/adguardhome.nix +++ b/hosts/ward/guests/adguardhome.nix 
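Review bot: The last assignment of hosts/sire/guests/ente.nix, `nodes.ward-web-prox.services.nginxy = proxyConfig config.wireguard.proxy-home.ipv4 ''`, looks like a misplaced `y`: as written the home-side vhosts and their `allow …; deny all;` block are not set on `nodes.ward-web-proxy.services.nginx`, so depending on how `nodes` is typed the evaluation fails or the LAN-only restriction is never applied; it should read `nodes.ward-web-proxy.services.nginx = proxyConfig config.wireguard.proxy-home.ipv4 ''`. Both `firewallRuleForNode` lists earlier in this hunk open TCP 80 and 9000, but `upstreams.museum` targets `${remoteAddr}:8080` and nothing visible in this guest listens on 80, so unless 8080 is opened elsewhere the lists should be `[ 8080 9000 ]`. The NOTE above the MinIO secrets says root access does not matter here, yet the `s3.photos` vhost is also published through sentinel with an empty `nginxExtraConfig`, which leaves the root account as the only credential protecting that endpoint; a bucket-scoped MinIO service account for museum would bound what a leaked key can do.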
@@ -112,7 +112,12 @@ in # FIXME: new entry here? make new firezone entry too. # FIXME: new entry here? make new firezone gateway on ward entry too. globals.services.grafana.domain - globals.services.ente.domain + "accounts.photos.${globals.domains.me}" + "albums.photos.${globals.domains.me}" + "api.photos.${globals.domains.me}" + "cast.photos.${globals.domains.me}" + "photos.${globals.domains.me}" + "s3.photos.${globals.domains.me}" globals.services.immich.domain globals.services.influxdb.domain globals.services.loki.domain diff --git a/hosts/ward/guests/web-proxy.nix b/hosts/ward/guests/web-proxy.nix index efb50bd..45ffe09 100644 --- a/hosts/ward/guests/web-proxy.nix +++ b/hosts/ward/guests/web-proxy.nix @@ -85,4 +85,15 @@ in users.groups.acme.members = [ "nginx" ]; services.nginx.enable = true; services.nginx.recommendedSetup = true; + + services.ente.web = { + enable = true; + domains = { + api = "api.photos.${globals.domains.me}"; + accounts = "accounts.photos.${globals.domains.me}"; + albums = "albums.photos.${globals.domains.me}"; + cast = "cast.photos.${globals.domains.me}"; + photos = "photos.${globals.domains.me}"; + }; + }; } diff --git a/modules/default.nix b/modules/default.nix index fe00f12..a1176f9 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -4,6 +4,7 @@ ./backups.nix ./deterministic-ids.nix ./distributed-config.nix + ./ente.nix ./globals.nix ./meta.nix ./nginx-upstream-monitoring.nix diff --git a/modules/ente.nix b/modules/ente.nix new file mode 100644 index 0000000..2cceb5e --- /dev/null +++ b/modules/ente.nix 
@@ -0,0 +1,346 @@ +{ + config, + lib, + pkgs, + utils, + ... +}: +let + inherit (lib) + getExe + mkDefault + mkEnableOption + mkIf + mkMerge + mkOption + mkPackageOption + optional + types + ; + + cfgApi = config.services.ente.api; + cfgWeb = config.services.ente.web; + + webPackage = + enteApp: + cfgWeb.package.override { + inherit enteApp; + enteMainUrl = "https://${cfgWeb.domains.photos}"; + extraBuildEnv = { + NEXT_PUBLIC_ENTE_ENDPOINT = "https://${cfgWeb.domains.api}"; + NEXT_PUBLIC_ENTE_ALBUMS_ENDPOINT = "https://${cfgWeb.domains.albums}"; + NEXT_TELEMETRY_DISABLED = "1"; + }; + }; + + defaultUser = "ente"; + defaultGroup = "ente"; + dataDir = "/var/lib/ente"; + + yamlFormat = pkgs.formats.yaml { }; +in +{ + options.services.ente = { + web = { + enable = mkEnableOption "Ente web frontend (Photos, Albums)"; + package = mkPackageOption pkgs "ente-web" { }; + + domains = { + api = mkOption { + type = types.str; + description = '' + The domain under which the api is served. This will NOT serve the api itself, + but is a required setting to host the frontends! This will automatically be set + for you if you enable both the api server and web frontends. 
+ ''; + }; + + accounts = mkOption { + type = types.str; + description = "The domain under which the accounts frontend will be served."; + }; + + cast = mkOption { + type = types.str; + description = "The domain under which the cast frontend will be served."; + }; + + albums = mkOption { + type = types.str; + description = "The domain under which the albums frontend will be served."; + }; + + photos = mkOption { + type = types.str; + description = "The domain under which the photos frontend will be served."; + }; + }; + }; + + api = { + enable = mkEnableOption "Museum (API server for ente.io)"; + package = mkPackageOption pkgs "museum" { }; + nginx.enable = mkEnableOption "nginx proxy for the API server"; + + user = mkOption { + type = types.str; + default = defaultUser; + description = "User under which museum runs."; + }; + + group = mkOption { + type = types.str; + default = defaultGroup; + description = "Group under which museum runs."; + }; + + domain = mkOption { + type = types.str; + description = "The domain under which the api will be served."; + }; + + enableLocalDB = mkEnableOption "the automatic creation of a local postgres database for museum."; + + settings = mkOption { + description = '' + Museum yaml configuration. Refer to upstream [local.yaml](https://github.com/ente-io/ente/blob/main/server/configurations/local.yaml) for more information. + You can specify secret values in this configuration by setting `somevalue._secret = "/path/to/file"` instead of setting `somevalue` directly. + ''; + default = { }; + type = types.submodule { + freeformType = yamlFormat.type; + options = { + apps = { + public-albums = mkOption { + type = types.str; + default = "https://albums.ente.io"; + description = '' + If you're running a self hosted instance and wish to serve public links, + set this to the URL where your albums web app is running. 
+ ''; + }; + + cast = mkOption { + type = types.str; + default = "https://cast.ente.io"; + description = '' + Set this to the URL where your cast page is running. + This is for browser and chromecast casting support. + ''; + }; + + accounts = mkOption { + type = types.str; + default = "https://accounts.ente.io"; + description = '' + Set this to the URL where your accounts page is running. + This is primarily for passkey support. + ''; + }; + }; + + db = { + host = mkOption { + type = types.str; + description = "The database host"; + }; + + port = mkOption { + type = types.port; + default = 5432; + description = "The database port"; + }; + + name = mkOption { + type = types.str; + description = "The database name"; + }; + + user = mkOption { + type = types.str; + description = "The database user"; + }; + }; + }; + }; + }; + }; + }; + + config = mkMerge [ + (mkIf cfgApi.enable { + services.postgresql = mkIf cfgApi.enableLocalDB { + enable = true; + ensureUsers = [ + { + name = "ente"; + ensureDBOwnership = true; + } + ]; + ensureDatabases = [ "ente" ]; + }; + + services.ente.web.domains.api = mkIf cfgWeb.enable cfgApi.domain; + services.ente.api.settings = { + log-file = mkDefault ""; + db = mkIf cfgApi.enableLocalDB { + host = "/run/postgresql"; + port = 5432; + name = "ente"; + user = "ente"; + }; + }; + + systemd.services.ente = { + description = "Ente.io Museum API Server"; + after = [ "network.target" ] ++ optional cfgApi.enableLocalDB "postgresql.service"; + requires = optional cfgApi.enableLocalDB "postgresql.service"; + wantedBy = [ "multi-user.target" ]; + + preStart = '' + # Generate config including secret values. YAML is a superset of JSON, so we can use this here. 
+ ${utils.genJqSecretsReplacementSnippet cfgApi.settings "/run/ente/local.yaml"} + + # Setup paths + mkdir -p ${dataDir}/configurations + ln -sTf /run/ente/local.yaml ${dataDir}/configurations/local.yaml + ''; + + serviceConfig = { + ExecStart = getExe cfgApi.package; + Type = "simple"; + Restart = "on-failure"; + + AmbientCapablities = [ ]; + CapabilityBoundingSet = [ ]; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateMounts = true; + PrivateTmp = true; + PrivateUsers = false; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_NETLINK" + "AF_UNIX" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = "@system-service"; + UMask = "077"; + + BindReadOnlyPaths = [ + "${cfgApi.package}/share/museum/migrations:${dataDir}/migrations" + "${cfgApi.package}/share/museum/mail-templates:${dataDir}/mail-templates" + ]; + + User = cfgApi.user; + Group = cfgApi.group; + + SyslogIdentifier = "ente"; + StateDirectory = "ente"; + WorkingDirectory = dataDir; + RuntimeDirectory = "ente"; + }; + + # Environment MUST be called local, otherwise we cannot log to stdout + environment = { + ENVIRONMENT = "local"; + GIN_MODE = "release"; + }; + }; + + users = { + users = mkIf (cfgApi.user == defaultUser) { + ${defaultUser} = { + description = "ente.io museum service user"; + inherit (cfgApi) group; + isSystemUser = true; + home = dataDir; + }; + }; + groups = mkIf (cfgApi.group == defaultGroup) { ${defaultGroup} = { }; }; + }; + + services.nginx = mkIf cfgApi.nginx.enable { + enable = true; + upstreams.museum = { + servers."localhost:8080" = { }; + extraConfig = '' + zone 
museum 64k; + keepalive 20; + ''; + }; + + virtualHosts.${cfgApi.domain} = { + forceSSL = mkDefault true; + locations."/".proxyPass = "http://museum"; + extraConfig = '' + client_max_body_size 4M; + ''; + }; + }; + }) + (mkIf cfgWeb.enable { + services.ente.api.settings = mkIf cfgApi.enable { + apps = { + accounts = "https://${cfgWeb.domains.accounts}"; + cast = "https://${cfgWeb.domains.cast}"; + public-albums = "https://${cfgWeb.domains.albums}"; + }; + + webauthn = { + rpid = cfgWeb.domains.accounts; + rporigins = [ "https://${cfgWeb.domains.accounts}" ]; + }; + }; + + services.nginx = + let + domainFor = app: cfgWeb.domains.${app}; + in + { + enable = true; + virtualHosts.${domainFor "accounts"} = { + forceSSL = mkDefault true; + locations."/" = { + root = webPackage "accounts"; + tryFiles = "$uri $uri.html /index.html"; + }; + }; + virtualHosts.${domainFor "cast"} = { + forceSSL = mkDefault true; + locations."/" = { + root = webPackage "cast"; + tryFiles = "$uri $uri.html /index.html"; + }; + }; + virtualHosts.${domainFor "photos"} = { + serverAliases = [ + (domainFor "albums") # the albums app is shared with the photos frontend + ]; + forceSSL = mkDefault true; + locations."/" = { + root = webPackage "photos"; + tryFiles = "$uri $uri.html /index.html"; + }; + }; + }; + }) + ]; + + meta.maintainers = with lib.maintainers; [ oddlama ]; +} diff --git a/pkgs/default.nix b/pkgs/default.nix index df2d242..ef5abf1 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -18,6 +18,8 @@ _inputs: [ # }) # ]; + ente-web = prev.callPackage ./ente-web.nix { }; + formats = prev.formats // { ron = import ./ron.nix { inherit (prev) lib pkgs; }; }; diff --git a/pkgs/ente-web.nix b/pkgs/ente-web.nix new file mode 100644 index 0000000..71453b8 --- /dev/null +++ b/pkgs/ente-web.nix 
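Review bot: In the `serviceConfig` block of modules/ente.nix (earlier in this hunk) the key `AmbientCapablities = [ ];` is misspelled; systemd does not know that directive, logs a warning and ignores it, so the line states an intent it does not enforce. It should be `AmbientCapabilities = [ ];`, matching the correctly spelled `CapabilityBoundingSet = [ ];` next to it. In the same module the local database role is hard-coded to `ente` (`ensureUsers`, `db.user`) while `services.ente.api.user` is configurable; the `/run/postgresql` socket presumably relies on peer authentication, so a non-default service user would fail to connect. Either derive the role name from `cfgApi.user` or say in the `enableLocalDB` description that it requires the default user.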
@@ -0,0 +1,91 @@
+{
+ lib,
+ stdenv,
+ fetchFromGitHub,
+ fetchYarnDeps,
+ nodejs,
+ yarnConfigHook,
+ yarnBuildHook,
+ nix-update-script,
+ extraBuildEnv ? { },
+ # This package contains serveral sub-applications. This specifies which of them you want to build.
+ enteApp ? "photos",
+ # Accessing some apps (such as account) directly will result in a hardcoded redirect to ente.io.
+ # To prevent users from accidentally logging in to ente.io instead of the selfhosted instance, you
+ # can set this parameter to override these occurrences with your own url. Must include the schema.
+ # Example: https://my-ente.example.com
+ enteMainUrl ? null,
+}:
+
+stdenv.mkDerivation (finalAttrs: {
+ pname = "ente-web-${enteApp}";
+ version = "1.0.4";
+
+ src = fetchFromGitHub {
+ owner = "ente-io";
+ repo = "ente";
+ sparseCheckout = [ "web" ];
+ tag = "photos-v${finalAttrs.version}";
+ fetchSubmodules = true;
+ hash = "sha256-M1kAZgqjbWNn6LqymtWRmAk/v0vWEGbyS50lVrsr85o=";
+ };
+ sourceRoot = "${finalAttrs.src.name}/web";
+
+ offlineCache = fetchYarnDeps {
+ yarnLock = "${finalAttrs.src}/web/yarn.lock";
+ hash = "sha256-EYhYwy6+7bgWckU/7SfL1PREWw9JUgKxWadSVtoZwXs=";
+ };
+
+ nativeBuildInputs = [
+ yarnConfigHook
+ yarnBuildHook
+ nodejs
+ ];
+
+ # See: https://github.com/ente-io/ente/blob/main/web/apps/photos/.env
+ env = extraBuildEnv;
+
+ # Replace hardcoded ente.io urls if desired
+ postPatch = lib.optionalString (enteMainUrl != null) ''
+ substituteInPlace \
+ apps/payments/src/services/billing.ts \
+ apps/photos/src/pages/shared-albums.tsx \
+ --replace-fail "https://ente.io" ${lib.escapeShellArg enteMainUrl}
+
+ substituteInPlace \
+ apps/accounts/src/pages/index.tsx \
+ --replace-fail "https://web.ente.io" ${lib.escapeShellArg enteMainUrl}
+ '';
+
+ yarnBuildScript = "build:${enteApp}";
+ installPhase =
+ let
+ distName = if enteApp == "payments" then "dist" else "out";
+ in
+ ''
+ runHook preInstall
+
+ cp -r apps/${enteApp}/${distName} $out
+
+ runHook postInstall
+ '';
+
+ passthru.updateScript = nix-update-script {
+ extraArgs = [
+ "--version-regex"
+ "photos-v(.*)"
+ ];
+ };
+
+ meta = {
+ description = "Ente application web frontends";
+ homepage = "https://ente.io/";
+ changelog = "https://github.com/ente-io/ente/releases";
+ license = lib.licenses.agpl3Only;
+ maintainers = with lib.maintainers; [
+ pinpox
+ oddlama
+ ];
+ platforms = lib.platforms.all;
+ };
+})
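Review bot: The comment on `enteMainUrl` says the override exists so users do not end up logging in to ente.io, but `postPatch` rewrites only the three files it lists, and `--replace-fail` only catches a pattern that disappears, not a new hard-coded `https://ente.io` or `https://web.ente.io` that a later `photos-v*` release adds in another file. I would state that limit in the comment, for example `# Only the files listed in postPatch are rewritten; re-check for new hardcoded ente.io urls on every version bump.` Two wording fixes in the same comment block: `serveral` should be `several`, and `Must include the schema` should be `Must include the scheme`.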
diff --git a/secrets/generated/sentinel/loki-basic-auth-hashes.age b/secrets/generated/sentinel/loki-basic-auth-hashes.age index b5cef56a927d0873485dcd4fe43a473107c7fd41..858f27a02a35bf6416897389780d4df1c5efbb5c 100644 GIT binary patch delta 2629 zcmV-L3cB^v6v`BkAb)IfQ+ahuSu$a8Sa~;bFlI$VaWYC$SWQS*LR3^#V^d>UMR#LD zc55|hI0`RrO*S|%I963=MKoGOcW-kra8_ASY;9OfMrb%PGhsPnY;jpZS7SJCI0`L3 zAaH4REpRe5HXwL$Q)M_&AVD=~WKUI7V?;=7dT=;cS#wWpbANSDOjs{yOhI&db!u-# zP;g{nF)%Y(Pf`j;a5pqVbaOaDQF>)=H90s)Xi!E)Sx9wlS21Q}D@tcLWKTpgq|Zc}4QSy4kyG;BC=G;b?2 zH8Dy=c6VAdD}P~UZ8>^xFbXX#Eg(c^MpQO!Ze~$;FG@seHdZlYGiOm#X)iT)OF>6@ zQC4|KdNf99G(}=>Q3~mq(2`)06*za;zo@Gmq&i@X9b; z0!CIjufj+*n6dA6qFNRTdBb{fF8H2IVR{Gtu`*qkY#EQ2%bShZDTmsB?ieA9 zC>v-ZKYuY3e_I9bgD}I~Za=QNs6qdPt4PgE(+L-4c6D96q>mxz92<%+*%j7gfgNuY zEwNJhpv|8SmQM#Jevgq4C0%pTE@{|G4?u&S7|{`cGF$ zXQD)-SsXDYl|g|crX{D8Cr9(W-+iGUUJVwDQB8LQ&3zf>!#5tCgs5W1TQ*FUag3eg zknbKLfY|bwS!?tFZR8eJnfHs^&g}`ctnp@?*2`Ehbe_!}&EYqavTid3E1AmORn~g{ zEPsU1^*hbCTJM&X_K~W3xeR@5O`oYvou4r696zp0<0x&9hs1uaSTo?VF@CStZ$E{D z_igPyrb#P5Bs9SO7-rXh9kg!f_9z8}UbXDh9zbFICX5c^2y_x+c{=>BZ`;3guSoPPO(v3 z?5;&O4$3E!a0TUQHEQmhiXGY_H2jFGWL0jHhZsn<$K6cWUY?&9c>+51O6xiqkpp& za(uh?JSRi3HP6)DryV7Qp!p-r^H>8fd@lsZpmh$LX}~UbGir7P-(^f+D~7Q+`H1UR zPQxv0?s-rrC*1-XFq#ffwNGv=HXElHyA!YLwBg@dh4WnkS(izrP z)UU^z9yI6FehW2o1=0MkK}Mh{2v@Gxm>E)K@8B@Q9NEe9Z`?h(SZ!|eh=29}HjwQ` zS_s3;P0qFM_1k#<+7n49O56vOP+C@3y2gqE>jEStNZhqPgArcch$ay@aYJ#jyWAHN z;G15GE6Kb;XAt=X&`_ac%>&x<_@dYwl77wvr~;1|DtL$unZ=alv+-xVP54AeAy={I zhyABra6j6iu&qtbcr=o=f`8M768froq6lF`ja6Uo`b_Y+8WJ>lbg`aFYI{ zHWb7|g~6ry6;@OjeqLj*OGih)sgsqdXN%RhMW~V3Uppnd_CL+TW2A-l)A}0t5>$r2 z!0b%FV^Q+cNDV5sJg#A45nZFj@5O=`lLx>(_irW&EJH2sI-5M!w}0E)Wf@>L`qO4( zA$Zj|X^Hrk%IIOK;Waf`tQs2AhXufh*Q{Fi%4O=y)k8~cD`W&As!oC7HJBQdaE{)$ zOv=6wzosxlqNgdMAs^U466+P;ro|aKeV2m+sprkMrBCrhDu;jXfi-QVjQ(%*+p^n4 zE0&z=ia)ev)p+Q;)PIx?O@!`|FgVZwuH$ycdM8Kr{WU<#N*O&;T(nP4{*%i-4xOaL zWZtQNWB9X#)#R4({m&}{%a1{1JpJrDA@=!NGSDQd6CFz+`_$ow5@DXxz|W~=j3e>> 
z$hfP?aH%6(H18hS9c3(o0L59ahgUFM%tGM);n{i+^gosVOMeenR~lCDOD-*O9k02I z*z<41v8L-Y8it?~Sa}Y4IG)pN^Q{T>KXEaQlrHQ1Mj?}2=e9O%l2)}#$~kx!B>k!* z=DrvS$=I1qL_m)1CK$JYtn!KZm)BeY!NS?7r7j_EBM@K)yTIRXLxbZB4J!EhE@?^U z(F+YzrX=;87=JJ}wao3PWNnew6@qn%n!XYRu=bP?@U(Ukb$T>Fkiae8yNPF8=PJ8! zhej${)=?qwCdMg#dcgEPo0Jc0?xV+svOe8ey$%RyF*>m8s%#{+6iHL2(E! z0SUT72SiCf3xo!)3_NkwNN*N#F?St$UX>4Rz1HqGw|@*))tdj4t ziE2x0n222Eq5MNdpo+;rKFFSOj3nY8XP<@Mr8Kk4w;f-@mh9ja!bd^E^`g5iA=O8$W$#j!0o1l?{N)Ud(V zmgfT%-GX`7Tgon$3UlxQD~#hb!EcKcg1m&06qn?SR6+@@Q-PeJ`5Ea%EG1Iq+5R^` z>o=O>ru`Nr+;WKFEIDlQb8ziRDvO4qgLI|S3HN^ zqXBwp5(9CMGpm2U6r499BsJi&qsAdbIy`9dNh zVV467+)@Fjmlw9i6ZC^;bTC^){C1bM?ym&iC^%omxB3q40^!! zH+PIQ;!!PF#X8doX(@3!F3|cAS%d}%V*I4V*pRr$#adN)3cT8aZzA!7XX%^2@*CF= zJBon3`Ak{N;LR&)S{9~aB?3}3vS4Viq(1oPaxOw|gz848P#)}TAe79VgU6h;$fpt# nA83$~qI7}lBG16sfi$r##-ylOf#ng~%}gk(|HS%u+bK|^N>b6O=Jw9c%NYMZq5+U&v=`=TY-TO6rVv>^Hvv^ZN+ z65K(KuA3i7+T9KH;d+3|7rRlSw18TU@arE2`WiyYynm7mf9Wg

skZ9yOFU%QcnBk~kSQZHAzb$vxs4c3(v9C5*5j(laz3}~}n%K33jgsYIQa3Ui| znA7r<{eRNl4o`^*;D&qMaia51LbUb~ue3G2rb@Ewb=`G-E;Rz1FbOpe6;#QW450}H zUg_mpCtk9~grV#t9|d*kt#Ca?l~e5cx;2wC$9?-Bldp=14#8RJIP@!N^Mnl$hN_;V zySsJ_x$2B@j9p4?65@C$?-@nQX!9C3gV0mV-hU<}XcUzBZInQsmBmAj3o~aMz-SYW ztgN7{>I<+?X+!$D1mYGBAPyjf3-Yru30#nv#!BVK^JYVHDA925T>YquFSu5Y%k&A! zb_5DP5W%U%15n|q0Fb&KG&#M0d0TuLL!hB&#jx89te_C)9f-j!K&mM1dU&B{@CATY%9>UF#w}UEzGXJ(P*!8#=aCBJ1^?qr1}Y7 zODc5ivqarx%Cm7T*v84)sN=3ELD_7ns(-Rw>LULR-Fov)+2c4rXkeOsN)hqw619}M z?y8?*S~|)cevc{5dS;_sVQH$yL&wX7$?XcBr84iA^@S4I!a`@%7JX2d3JkAit_rOu zOH(WWp{d`V_OF?0gF$A-?y1J;-2SKfvgN$LA^~iZpA-yO@mVngHMt@09 zdqgvAzG4R1pkX2`!w#O9G#FMrlCcuQu+2}(+Ksf6F0a+GBjlZ%Z(fL+p_%|M)G zwh@w=xH~_q$v<{0!;%-Hr&L7}m!!}qpi91E3F$5*M?z;KldMe_+qk1(D26x2yrJUVX3L-m*4t$*k86-IYCbMGL>gDaLmy>bCOHrwf2TRs4-GcUIspA`Qf z(DeXs6;ar;=7aKB`YL8$8JFRGnaoy$(g^ zyJFYpb{wEks=;$JDxNja=S?8`nysLvDEAb$=lX*H}_$O47@ zYUE@*hoe+=~J zwSoF$3967vIl?%CkzMeu3(cNsng5xGV9>~ngmx8zZ?XrHfhZuq+Mok_@m!zDuNF%R zL?k)Zlx$CDjUW?TC`WMc^AcpK{#QKuM}h_%a;8LP+Eu_#TFGy66l5`ASyKUkC6M*& zKx_F&>Ik5v#D7xs7Z9Gyohk^oz;YQFwD5}d5Zq9iuXnuXKaW`pKi>y%ldSt;jc=}9 z#+m?=;DCzc8P-VJIKgS|e*=cvf*JLj^ijy9D0;Y#HdQb}bSb`R2^jelH^@3MfNjo! z0){w`sjV{lJ}WORPYcjPDOa~iuB6p&SNi;@q9%}tY=5d&kBKC=vDsYI52tbpbNc0u zT9J{QY59AOeLGbkyB-q%CdQL*4-EPuT>ro2gxJYWle|}aRwXV(H%W5XWsXMXpU0 zNwU=rp?`5*aJ63j-DEd(`}!wv`nY~5bhHaU8%JYJrAKD6?}lh|ZcDL?VQ1jUvZ_}O z00L$4XdM>jVOE!Enpc`Sa^NOswn`{b-;rI7ZMwJn;~w_-LJnY>heeyGzLjI@4;K4g za+F>21_p7JdDr=^Sm{4ObA59wZ8+u`5{O7C)PD&y)yBjSu^SMkIU4qhOqWOB|8!9Q9KY6k#djH}QCv@M}l-Uv2q) zHuJGwctb3zS@xdeKN2vQ78M7_Xp!J wHyml*kFSw66h{9)KEUaINkU+QG^8pO9NFtZuOAdz6VU*P|I9!KUT2*!CCIqb7ytkO diff --git a/secrets/generated/sire-ente/ente-encryption-key.age b/secrets/generated/sire-ente/ente-encryption-key.age new file mode 100644 index 0000000..6c1e565 --- /dev/null +++ b/secrets/generated/sire-ente/ente-encryption-key.age 
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 zRngxioYpKJbERi6At0Wiuy9D9vVfieDcpElvJWeIUI +qYMaG1W7b42179kEL2NJsuCoREGrZBPs+U8+rNdFyOM +-> piv-p256 xqSe8Q AmC86Dj5laQaiH2OIrcZG2AiGB4T5wgzIhLMPgBzJaKn +VjFnsl5UgDDw3sap9mgd3jJR/jqlRL4KS3/jxxcuLQM +-> ,?FIg-grease iYX?nyr *z|V}ruN +i/j/P1jbT8hP6RHqUKAzg94nWWWk5E8EJXomFBc9tQ +--- S7mlAB35SMtQSlUn5dPpNjj9ekUkOJTPvLuEAPGJNXQ +8ݾ x|?-NX-vSB$eVZp\m 2ӳBBB,틖%P_ \ No newline at end of file diff --git a/secrets/generated/sire-ente/ente-hash-key.age b/secrets/generated/sire-ente/ente-hash-key.age new file mode 100644 index 0000000000000000000000000000000000000000..47c6e0f9c9c280b94d0f8863ae7f9dd329f77aa6 GIT binary patch literal 418 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR2FFfuhYv{W!N%Slaf^-MI(Of)a_2=g*_ zPVuSmsESC>&i2VEvq<%*)XvX}$O$t|PvP8Datm?$_Cj`kXfc%U}S2hP*E71Y7wa5m>%S9W|?SYS!}4CnjB^n z67H7nW0GNRSz4YP<)W>hl@wWMni8C>@9pTrl~`G5Sr%Db65;A!krrlY5m-@B6q%gm z>+fC|T2Y+rVd0mm9pq=8;+U5Xvdb~ozCt&>C^fM-l`AzY&9JzfOIKG{A+^xeyQnNA zwa~1p!qHGaH>o_kv`jxK#NDUV(J9B>HO11UJXAl+E!VM_YpP literal 0 HcmV?d00001 diff --git a/secrets/generated/sire-ente/ente-jwt.age b/secrets/generated/sire-ente/ente-jwt.age new file mode 100644 index 0000000..7eb095a --- /dev/null +++ b/secrets/generated/sire-ente/ente-jwt.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 fSjolShGCdhJfr1tdcTeYmkpWG3iiA8QEKZjgHjIMUM +Wc0uFJRebFT6xVzxpNStdGyNkC1l+SrtbKBe0vYEX/w +-> piv-p256 xqSe8Q AhhzkRFNoGd0Sv9t08g/wxkCqiKjcMUAutwztgIs+x9U +Q8Y8SEIcGrSQbp//vTWIFAfXcy6LADNEJ6Q0GxFQOpI +-> 754F*-grease k$4zy* >% { og8qk- +r8c9fTLupld7X0fmQ6OLuuBSITL4xU/m0G0eTBcau7o +--- nQo78/W1zOcPeBsXIEEepU5WOCvlllLwB6+Fqrc9OY8 +:f;oQY9; 2Y e]vbUﳕ[p(Wet^vd8: \ No newline at end of file diff --git a/secrets/generated/sire-ente/minio-access-key.age b/secrets/generated/sire-ente/minio-access-key.age new file mode 100644 index 0000000..cc1a5ca --- /dev/null +++ b/secrets/generated/sire-ente/minio-access-key.age 
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 RUswhRVBILKxzva+FcHu69TNIDotls9+FTqL3IYiZio +MwXFm8JK7Viy6cQZXjBT5U2ERhH6jAckfU0bph6BixU +-> piv-p256 xqSe8Q A6dYQvH4lZ8FSM00u8YCyYHQQvu9xy+UfzBhXepKDWdu +eBb9JP+MLrQ5sttl2MDOyrYI0V1fI7spw57DbAGriVI +-> w.wd]R-grease >g2~Z~ \ ,6 +2S+12Sh/Bjvx0wFMVU4ApN4aVMTkHOqitD9OjcxwuG6Z22Cz04H4e7FD/9VQ57uD +BcvbmzU/sN52h/7K8/wBjHj43V+3L9SVafm2+WF+VfVON6CfcznCfgCq2w +--- wFSnGM1uYgDGmVkYKoARx7uKyV0KEbyYWzeYIA3bxNg +mQjdfv ~2X0YBx[ #_S`C/#Kl)QC:" \ No newline at end of file diff --git a/secrets/generated/sire-ente/minio-root-credentials.age b/secrets/generated/sire-ente/minio-root-credentials.age new file mode 100644 index 0000000..520d61f --- /dev/null +++ b/secrets/generated/sire-ente/minio-root-credentials.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 1g/zXfi1yIQ8Gr7s8vXVcqY2SqSY54wIm2K5jZw2FGU +20yDp5BbvL4/Dwj5wUsqICutjmcdEzQzHzhYn2wGxa4 +-> piv-p256 xqSe8Q A0hl01YjJvSgNoVVgqbXtbJebphdyC1KfXuq0KHsGLEY +/tp18Vk3vM2UUxfB+rCi6a1hKvtNi1E+o/CkfEdejBM +-> AR0.!FY-grease jw9K!j +eujGLw +--- 5iSrLf3Tc9d65fjQZvzv2XO5E2FnOKIAcG0aViBQ3T0 +GNN)o@")aM44_-Ciyn6EDO%I-?nc4RTJ}2;K5BK9mG#iEZdKd?VlqKj}WRK%{ zRw7#!O?3NKR}utOO>ABE+YJ}EdG3rxmMthMtD5aX&>c(?0%L@<(8RmrIU5)dL||`H zAIu#{4P<^Yb;Ds9_^K+11~?z0QA$S~FOc(T#{*lWoHT`D(A2XC?Bo;}0W6kLLq;}o z)6`AWN#f#|-`1d9fL(jrWzBwHfy9 znh990=}KBva#F3we~A0?JTDq z%&zb$Pft#DG%yS^Ds#8=am-0c3-U4vH{dcaF)eUQ%64^k4G1juw@fd{aZPkK&2_gh zGS1Ns%64)xOYzh%*01u>cLmu{kXfc%U}S2hP*E71Y7wa5Sm9k15bEJ+?3-QgWtd?W zY?@c@9aUImm~Y_`kyVkA?OE!rA7)wVQsnN>6%n2u6&dN0AC%^tWagL_W#p+}9^sT9 z0|4PGi`oDH literal 0 HcmV?d00001 
diff --git a/secrets/generated/sire-ente/telegraf-influxdb-token.age b/secrets/generated/sire-ente/telegraf-influxdb-token.age new file mode 100644 index 0000000000000000000000000000000000000000..739f604d622d2bdccc961fdf27d7909596ed7cce GIT binary patch literal 467 zcmWm7J&%)M003YIm&0AnT}+7439*F&Ez4bKDJ{oW`FLrIF_F?2N?ZACDR7fcE;qS& zi-|GuCYSpGCgvQx#Kh6*{(;H;1kF8v;Bfe&MGX*;#oln9KR=&QEdtgE%8@MA$lMm$4dmew&!vq_QD zDhForrfsg8V>*afTFGyRBrNcRq#3kKP1w;g;Gsy>=CTW8`KvSns!pV6xJuuwPhwBH2f?lspL^h(xj14m9lEGd+q0R^c& zL+{j00ZxT>g{cw6FTggT<_RcsU$#gD$8j{Bnk`ypy+$=3XqbYPsh@6_@k*I<&>6Nc zC~1S;(B+*#LEfKz{^h(xzr0hwuKzq@&mUh{hr6dIdzaK-@&475}D?UwydbzdhK~ze}fYukWBY2Nxfo{apO>!~c4rpW*-j literal 0 HcmV?d00001 
diff --git a/secrets/rekeyed/sentinel/0eaa4bb18cbfcecdc7f5b14bf1f05cdf-loki-basic-auth-hashes.age b/secrets/rekeyed/sentinel/0eaa4bb18cbfcecdc7f5b14bf1f05cdf-loki-basic-auth-hashes.age new file mode 100644 index 0000000000000000000000000000000000000000..c7cb0c0689ef6bc439d1e9c99f2dd87deb02a4c8 GIT binary patch literal 2551 zcmVRkV{v(FHFijNLp63;PFV^qJ|HeFXL4m>b7df5OesTJ zejs#SYcpO_eo!D%Nn;9QOmlKYOLux=c1L1HFj8$bYG!zMZFNLQLt=DHW_V|5a#2P` zb3s&0MR|8`Q3@?BEg)iIIW&4NXjNk{Q)OpOF++MncVTd7HC1pkX=GAtb3toGMJrK8 zZ+UudRSHU(ZTmS9d6nCNrD&Bln5O*W`wu^rFYF&ZP0mjF>T^R3Dh&J=y6X)TBpxsY zHX*!W0+=ds|+{W{#N_ z#eESG+IKCsA9jO?7(O2mENVPvt`hx_8be?1pb9hJL#XRfUG_4KOdyxH<|vW)uM*P! z?NQu|-qS{~?J(t}rq5+$ry+p-Xv<%#f>|z}2vkjyay&U_Y%E(|rfy{LqSGb@TFhNWtK@D^hr4NVkY^jQ102xmMiFu~c|#TR9iO&dz?OFiSc6Gfr{V1m#0D zHV}{@zlke=(`JSeqi_I zn8rL>d_ed7JqZrZgy!M+i@e$!mP9t?ZzyIE;fO%6JLb^UE82{+Xlq5LRMl5^(zAcV zmUP{z7hCqbp({)90qr9gOCWb)`$z?<2dmD{N+QuyP3Hi8Z)mxwAIn|Wt^#~)k%o=` z`#7YyAS#hn{Znq>=$x6SNjC{1q-pH!Tsl=i7$$H6-9ORSh0%8r9)>I9=}s}#M3@$f zq_z+9beRCAA>tjR!%-bnoXbIzTBZ8q*x2!d!qIIE;`dIBAmk#*)lO%FLoqwQs?ONN zsu^&;dk387vUokCBL4#pILTh%{dg&HW9_|SUF77f-WAU;Bp&wqw$as;-|G}?yXME} zWyj)5^pqS+QRv(A0CH!}FvGl4Tao&>hZRtWsT4Z)6De?ZmyIF2r{b%wbC{WKj!y#3 zy}{Mj6Bw~L97Px7KTHw(HXaVH#XSR5RvjvL>XXGg+zJPgot{1Cplvc7;8O8?=P<#* zTit_+1{|u#PsRPDF_EXn)3KpduaPdB=hS+RCNMqUW&o*b;Z#o!C(oC(GY0Z*$*EMW z3C&#jQn3F$W-9*R#3>bcRXjY`zay6Aq82~>Ar5ZH5MBu#M+qNp$I9nC{@R3ry>Jq9 zS*--C2Cy9+ZcJzKk?+F-AGQ~OPK7s(nnC#l|EoN}I(GvXi2@)3iifIP?hqq4Q-ze5 zaPZC$%K1ystrs!np%x5Jy;K>&L^EX5ZQaNmexUNY_v&l_(>_yt6)+B>PrFggS;M!! 
zKjZAP$bl^A3?zmX8E>&Zx-_F#OTMP3uUymX&<%zuCH4Wg{+3HhmSM9OH(jsH^iX?w zr&X(HL5X;3x(9Z?TC^l<+m>+9S#|JMdafsH_kuvGnTi!x7?KBHF%?rzC5$Lfr4bk* z^Ut@inZR!l>XbbE1|}8CmF~r>`hALTvYoR$h2a*C1^|s82%ps|`6Us`R7HJX3g_o*Z(j(jeA)wY(E4QQJ8TomYhuU;3%w%-3s1fpJ+;*2-I^&~ zT9<~vl$GYZ^WgR%h};(i@isu~i6KU^EBda{%L&-&G$cDj_2ZSG-^in~{tZ2GOe;FE z_YF#g)O(cGZdrGn;@-+v2(xRum>Cb zga#+WKp^&&q2`^s%?E!-Yf7Q_CO{6Ek13S(f#R*@}rX>qQnz<7Ekjbb``q6X%KuDO>F4i+v8*9(ce1ItG!Lmc=A;2K1{CXG zUBr6zI}zPART`?c_sW0X;J*`9kZ9bpC&>&sQs51bBo6QhPF*^5Zd(;A{O_i~SIfSb zpHIM2-LRf*eFR(CWnUjs85BN$uuCs+GUexIx)U-Ta&{9Ce&tdwbywcyIGritOel9_ z^19(4m~PXLd&1TDCNEEi*G=-D0w-=Yrx7&B(x-S z+C8?_yGRlVV>?cZa}h1p!0;E7x2&rV-0OQ!<|D!=Cbim;H0sRbINyGm6+rkUR4;bj NL`AY~^QnvZDx8AvzFzTO;dTTT>IaFqGX*F4KN?L4JF*FKFXh|_bZg_Yx zF?nlxOEr0UXmo6ILN{qLM0!bOI7};0Z%a{RYD`mcI8h2MJ|J~wXeQY%*GBc2q?$cS$%)QF&rAMr}uOQ&|cvEiE8$Q*(H8Xjg4lOl){iP&HO> zMQSfoVrEuZc6w(*b9z>9Gih!wW?D)}NmUA!KG(FL3t_j7&tt%_cvSo_wn1giW{qL> z=Y%5{dJJ8p>K&=V0o@C4~dL-At|5p#UG7sfH@}0JC{_w+7Mz4u{m6Le8HoX!`h9ataA-aU?7@+&c^CkA{zYW z>`(dphId3RDVH?%b)WxE>$`}SI`m!9^dO?t=k=lIYrj;iWAy7cp_xZj9sSk8nU4F?KlViKQK4^;c#^u6n_7om6sh(L)WXK} zs3|nhF$&dpc7z9OvuQah<<^Db#DU&$Mn9Uqo?}B#bS3eu@9zI)#uy!FC;1jUhJ-Ux#yGad}>jQOZK;|M)9m5#C8TmL>?^v;$ zpLDbl%eN*n;xpBQXL#AWsDeTowM(lYxKv*C91(-txIw0YHq3I8D#-E5&d?qK)|%(( zbPnM}aJ~_4ioel9X;#cCyW`$#87cE5K!XNbHkJ^@Z?bmyec%0A7I>R$z=Yk`=9w8r zM$#w+ZEJX#Qhw=izg~2VVX1K5|H4y2k0?Z9eeIT0Q~75>Q$Md)g}#^@EM8s?m~tjz zh{D05m(jb}-tV+5apE?MESLfWz2WU$DL?@J1ZFEnL^ZxLgLs`{Y`@&tTm~+YiIuW? 
zf#m;F>c!;O1@VAXRO+GDn$k%%jx;-8y@pCl&VrQnZ#+0s)e;{WEUQ>;BhTRu*1(d{ zq=?gBGA&9e2Tu2?IVYYJ?^+QFogf`-4QkLa^j!u>-@#cvEYq4el4jiXYEV-MGxh1Z z3KCxsp}@C@AeX%l#A7`$R8Y5@ECPuR(Q`Ajuh{=*4N5*JsIb7JBlaG2X))rE?<^tn zC9wwqxlI9rDt0p;Peh^Qb(~t)|A8VIY_AlBz3!kE0758*=@RsNOEt7>Ahin~o{AS) zcI<+`%3&Lb>Gb!v{3>C84NiVw#BuC`!CBa|$@8oM>2E{1*)e8F-m|?DGLv@dO?95!i)gFJ1Ss6-xZ# zrQFGV6&&raJf>BzHWbM1V)7}-{_8c}77de~@_)W?9(|GfS&O7|w=?TT2Jdk2XVca1 zO{3l6s&PAw*{@j4tuC=3Bp;ah@vd*vcPmFs;3K?NoE0Y$+bAOk1cC)ij1UR7E&OL& zp&&&`e&Re}^h(tT*(T7QxrE5V**KJL9#kwOp!AA1I|LX2wAngNr8kf8=e+xFL6>u( z2sk!=;j1`EB}qVgW==^*O^0o9ihA9}3DwDzZU6+Hp$m=Jwy-aoMtXP*D*F~c!1Tns zJVJsZ(m->)(X;lyT4LdtQwW3D~8MnvkdN&Xqs&7k!OpESGil1HJ z+y+}y1;b!U@*;>Vk{xonBTNS8?L3o-y&Vl^zT@HSRUjk9jfBBuIPsNFCX);4-%%re?_2GweKfn27zVK{5eOx@xn-{gPIPydsi8~tcq>| zdJw4dBk=rz?D^f`3mXsy)R)HWw3aFYXPQt7kZH^jp@k%1GzQI+g3TYs(tQOmYjC(- zsCI~lt5aWH#J`l2UhZfY_7)Hq{68yvg`HojnBL8-DPRG@c^s{aG)~!}06d0bSel2# z5b;^4L%H^4$$t_uce}0ojxLo0V};!f-Sv!F7OEA#fd-%Gd6ok1OUbH;wl8_L9P7Je zC@Y68OfM49o^rq{uSc5`QFxoEqBd%CnsV(XQAp-PJNS0%oCPdDCw#cl0#&2Cj-PKT zd2bMThp%&jlj){Sob`6>=)YQ!dC4?nXZudSXxI4hYv4xIg`ZUp+@xZ&ExfPOXO4RS zT2aDz`j^J!d|xlQ#?(6Ija`U?+Dy_`*Sy?I!;iw{ZMc}47O`C2zLC=@UF)3Ckm^b_ z6}}6ydnXpissuZoHooX6OyL+4ZE8Dq=aPNkjE*YHhN!^7K)`a$ha13wN+aWvK_%IC zckT~)E^aosB{xKKqNFMKci-1=&Mh{4?Zo zASZuIRN=lxD9;jAOJ4YS&C&Qm=+ULxOJ)>mx$%GTa?o3ll?~MWM^*5S@j)tnuwg0p zGMKmRe~%+UvC9z<{qWFi3PJ$JH<}UDLY<@s(I7n8T9A8t$#rd=ujfI;Pz6MYG^A4b zLSSwrdYYM*wl7MK9|zH7-g~`1lkfJ&qEw=CVfQSu0mS;=CHkm%vMKPc%=Jy!@5LnM z)3H^;*eTIhtYMo(M#CHO#+rEzD{x0HNK_+AfORWHRDfJKw8sZ$s7Rc!48ejKawYmW z{Qz<*b&9d<`VzfAZ8ioF@8*=GIK$6uOX$k^>@i7*;4aUsbjKgXl7dfj_kkXOZGquH z?B8_EH~ri;F?DnmDcdV;k5QE@Lj@K&*jf8j|_3%^9pfr l+z6;*8k ssh-ed25519 yV7lcA tb9kSCCrR4ZsCY2rFru596/nvJ3Ls0CAIx1SbeBb3jE +sFwhpTJtUKZLI05/Pka9UN+/AhqRr1T2qOsoXqnJm+I +-> M{JlUebq-grease UsK ZwN> .2j< +q7Jcr9NMDZPmnfX7OE9ul+ABFA +--- caLIQEMxZ2TikSZVAKd4ms6qcoOsd0pCgC3Q0UwXTIU +/0da*/-I<"& ˗UmcRKtk,1RYIeXx5UqY \ No newline at end of file 
diff --git a/secrets/rekeyed/sire-ente/0a655191d8a00f031974a30ce0d150b5-ente-encryption-key.age b/secrets/rekeyed/sire-ente/0a655191d8a00f031974a30ce0d150b5-ente-encryption-key.age new file mode 100644 index 0000000..41030bb --- /dev/null +++ b/secrets/rekeyed/sire-ente/0a655191d8a00f031974a30ce0d150b5-ente-encryption-key.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 JgWCuA E7lVaNWH6szAllQ8QNG1vHT5aNf9oJ4qC6NhQmJDwAc +59GgmOFiryp/c0/R+u3xPZCQg5E2D7xLiABGn/iYfPc +-> V?-grease Lb\VjM_ +DH5djc92LmIQFfn2wJSdLgz+OsGY+7y9AqtYiOfWZyClDaTOGvY2GxqzJS7k8Wh0 +zQ +--- R/ulTpEmTlZhlnlmlp+MQxe2pLvONgXqEiDQOM0xZQA +|83 hAXC=^w0G1AGb  ¿;V4o/3 \ No newline at end of file diff --git a/secrets/rekeyed/sire-ente/39ed4aee39bb5284ed82d595b57af3a6-promtail-loki-basic-auth-password.age b/secrets/rekeyed/sire-ente/39ed4aee39bb5284ed82d595b57af3a6-promtail-loki-basic-auth-password.age new file mode 100644 index 0000000..d1d7fed --- /dev/null +++ b/secrets/rekeyed/sire-ente/39ed4aee39bb5284ed82d595b57af3a6-promtail-loki-basic-auth-password.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 JgWCuA 7g34bQN2G4hf4lTxDLfPJog/r8rgjQnmwPZW277jpQk +nhnGg8CcoVzuASxf2SAVBeVA5gcpNBB0LNHMSnHvvzA +-> EXviAf-grease `>N4 +HByrqYnzlTIEjr6cRuJ1Eg +--- 4/1YuJpu8rbYPKqcyYbtDCSaq9doFKbdNvhHTGoL0e8 +7KAX| !p8'.w f:~Z[/޺ul2'WYGFNd:Pk1BO=+ \ No newline at end of file diff --git a/secrets/rekeyed/sire-ente/48afcb0cd2c5ea7e134a9ea29b7eaa7b-telegraf-influxdb-token.age b/secrets/rekeyed/sire-ente/48afcb0cd2c5ea7e134a9ea29b7eaa7b-telegraf-influxdb-token.age new file mode 100644 index 0000000..92fb41e --- /dev/null +++ b/secrets/rekeyed/sire-ente/48afcb0cd2c5ea7e134a9ea29b7eaa7b-telegraf-influxdb-token.age 
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 JgWCuA PHWocAK4Uq2RlRBQRJmlYytDt1UDys9oSSkqkqGoagE +TAkHn01nLHkhdTRT1KFdrnxkxRM+1Kpr1JaUaVrf6Cc +-> ~f-grease $"CHQ ;>^KKwf[ $Ets\o1 +4g0E9jf4hAzb0A +--- gGNrPcfze2eOkJg/PPrgVHnffTmOX58dOukGGYVM3Qc +(yC!;dkLqGINJE BFc ssh-ed25519 JgWCuA ibIMzo1GidK7NjVdRwLtW/ZBmEYJljlEQBDpzcS7u3g +gJO2mEFR7VpiZ66lo1C2DICFthKDrBbK3b9yvvv2OUk +-> L`^@f-grease +6KFxCBHS1sez24DemcAVbP/2DA1qMH6G4Slt36Be+7XN/pc21NTm15Y2WAOdfnfr +hYtLONwqTGd9M9309Nyf431l/92Hpvg0ZT0on4iwqA +--- rzYINbMisctAhV6j6uTIFtZeOgl4LylFpwql2QpJAhU +4;lm(φL꩒jk8N@gP1tBp<'AuV\Q]}]y-eH[d#b_FJ뷟ܺLP|)wÈm \ No newline at end of file diff --git a/secrets/rekeyed/sire-ente/50b5f9785853d40bd74d52dde6d57c11-wireguard-proxy-sentinel-priv-sire-ente.age b/secrets/rekeyed/sire-ente/50b5f9785853d40bd74d52dde6d57c11-wireguard-proxy-sentinel-priv-sire-ente.age new file mode 100644 index 0000000..9eb7e18 --- /dev/null +++ b/secrets/rekeyed/sire-ente/50b5f9785853d40bd74d52dde6d57c11-wireguard-proxy-sentinel-priv-sire-ente.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 JgWCuA Nwy2LY1REyI7LRKDFNbaS2FF1R+Erl6KrdrumvS/XX4 +1S9sYJnsgMmDTXvBO1/RDxlcEIYfDH+cO0MkZuo40VU +-> )-grease )!nP Q@Q@ur{3 dcBOk*] +D1GIlaWvcD2KUvCe7m+aClC3OEsWGn0WRlsG25o8YWJq48TgZOezeZSaNco +--- Rcndrv1V5ZhAiFHZe1WdTMEeZ5+jqu2ES16D1aN/1wg +tk]88ٜR2 ҒgZө(riV\Py f܋L_. \ No newline at end of file diff --git a/secrets/rekeyed/sire-ente/6bd5a9be337a42f7ceccabcb94e58c7d-ente-jwt.age b/secrets/rekeyed/sire-ente/6bd5a9be337a42f7ceccabcb94e58c7d-ente-jwt.age new file mode 100644 index 0000000..050dc20 --- /dev/null +++ b/secrets/rekeyed/sire-ente/6bd5a9be337a42f7ceccabcb94e58c7d-ente-jwt.age 
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 JgWCuA FRpqXDi8hsKKuScuMTNJWP8hyeDsEiT0cKeRCtcSHDo +9ws3OouI1gl6WCjTVeGL1FLlzjoc5r3KuIicz1Hxvvk +-> B$<$\Y-grease /HHpi >/9 -!*14 GB#8+TJ +YCQ/DeYqBopIh5w11DrHtJnJJ32yaFQ9qE6yOXGAbVfrSik5sVf/Txn2dBNb+nTG +3jQTR5kKOkGFLIUul83ix6A +--- wG6qOXsr8udyFHqA4WDFTGQASgtnG39UC8SXiyoCH24 +ګw "N* + tT1ecw=ܐm_¥l4hA{e< ssh-ed25519 JgWCuA 8gWuOL3ItuZnJLSV4wJSKIavVdU1mZZOYSDP9X5pkjg +H32gHbisIG+aVXOU/fkAHVmoVyH6BMhR1yVN+grYnbI +-> KE-grease #rT+&3B& :$ @ +JQuPHa3Y1qlRkw +--- akx1iJc1tHixZXIOYzC+59TIvfFrUoTvgHCPnujR6Zc +b˓xCPX e#0}t9=KdK/3as.mV{f@7GujG1Ov)Nj4f*bՕQzY0I6Ew~^.AMhn s{BHd?C) o˥̡F"q\#c \ No newline at end of file diff --git a/secrets/rekeyed/sire-ente/a3d4334dfab58cfbb82ce922dbb23c50-wireguard-proxy-sentinel-psks-sentinel+sire-ente.age b/secrets/rekeyed/sire-ente/a3d4334dfab58cfbb82ce922dbb23c50-wireguard-proxy-sentinel-psks-sentinel+sire-ente.age new file mode 100644 index 0000000..e79099d --- /dev/null +++ b/secrets/rekeyed/sire-ente/a3d4334dfab58cfbb82ce922dbb23c50-wireguard-proxy-sentinel-psks-sentinel+sire-ente.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 JgWCuA R/2IkDfac3BnlHNqFlXEBDEKUAFkOJPzMuydNFZAzWo +ub21BfD8Q5GaLr8IdLwHkdZqSVAjG2q3MuDrB4KozJA +-> $a|&-grease k!M4 NZQL R,s4mUU ]y +zoxZDA +--- 41/Orge3q+gN8+MgvL745C/fatbvxkpeS7jrdiyphTk +5P/֩Z+B|V$x~e 0h _M`ruBiy~xg?٣>LΜ>&w!s?p61j \ No newline at end of file diff --git a/secrets/rekeyed/sire-ente/b196a04930eeaf93e5314de87b7ddc1f-minio-access-key.age b/secrets/rekeyed/sire-ente/b196a04930eeaf93e5314de87b7ddc1f-minio-access-key.age new file mode 100644 index 0000000..c08b84a --- /dev/null +++ b/secrets/rekeyed/sire-ente/b196a04930eeaf93e5314de87b7ddc1f-minio-access-key.age 
@@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 JgWCuA BhciDbzGldKHFga2iDU/xYnMv7eGi1LZb+lGXJC5BHY +sG8HF+9adDtroTygekl57kNWmdPxBOoUKDxFHKEBQ8U +-> 4W-grease +9sX0u6PKO6b5tCx5KEMzpHUyIX81ZtbCrXkCy/5H/6MrziNyG3hm9RlmYfjroA8w +JInJF5/S +--- nu0Fb0V8USP+6NdT6egQ13gUHjsBDh3e1vTIeU1koWk +nhⷀ#E7m`zcBAԝ5 ssh-ed25519 JgWCuA qCQiUbrSa9VHQmnGxUzAKnIXnz1iCaGltMtlekJtSik +n1C2khtbkEjU06GoLlV/cGqKiHJPC45esUUXzSrqUdY +-> G-grease ~;bV'qp 6[ 2=41r2 +6XoXhm9137td0dfyVG9y+aoXgnZ/DHyEz/Mm7bWTVOALBjNiND962acconiU+YAV +rNjORyxn +--- FbizueAYs+ySyCsYHz2nSOP9ZK1B3cwY0tfnbCUSZSo +9QP : p2͂}H_PrCP>k+@b\U_EῲɌioV*NNR'=HU \ No newline at end of file diff --git a/secrets/rekeyed/sire-ente/cff35fe4c607c5c2d57af131e14080b5-wireguard-proxy-home-priv-sire-ente.age b/secrets/rekeyed/sire-ente/cff35fe4c607c5c2d57af131e14080b5-wireguard-proxy-home-priv-sire-ente.age new file mode 100644 index 0000000..7fedece --- /dev/null +++ b/secrets/rekeyed/sire-ente/cff35fe4c607c5c2d57af131e14080b5-wireguard-proxy-home-priv-sire-ente.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 JgWCuA 4Yb3GrxVz12WnVG/xOLQ5v+AfvQnfu8rz+KF2z2hzzY +sGXnAMSxc9L47Zzvnovmq0jIHnEIogVN5XG7FBurTn4 +-> cwlzzK-grease +15ku+cw +--- JMaYeYHOTTH0E93AnU0hKwp/bdHg6wkmdK5WxFdIKLg +.܅$5Z{usL9,k )6v#+;pnӚnx[0f؈v!T# \ No newline at end of file diff --git a/secrets/rekeyed/sire-ente/d0a3d1a9285c9e295e71bd59a2399ec6-wireguard-proxy-home-psks-sire-ente+ward.age b/secrets/rekeyed/sire-ente/d0a3d1a9285c9e295e71bd59a2399ec6-wireguard-proxy-home-psks-sire-ente+ward.age new file mode 100644 index 0000000..db926b7 --- /dev/null +++ b/secrets/rekeyed/sire-ente/d0a3d1a9285c9e295e71bd59a2399ec6-wireguard-proxy-home-psks-sire-ente+ward.age 
@@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 JgWCuA fLErDkfDNMgSF0E/ZoBB6OVIrofuDzXnNSh0UwfwBAs +87BAmP1neIBVz/sPnx32S+y+EgV3uKQyWNI1wkj/rok +-> 6b=-grease aZPivQ +9Wkt0eTctqiZ2uajuNkl5su0tKGudpCKnl43cS3nOX2/tjXEIKB0Pe4bc1ImIJvV +z+2FuJju8Q5o+mx2/NKZINhT0VnXzQFpjgwWsZs2mntMCxI0GMwPUyt8pg +--- urAXMUjYZJ/Q1ezsnn4uu20993E3EkK2Fqmhu5TgWcE +0]Jn;??^Ee=!{MN!+yNq/sladx*qtǪU v%0 \ No newline at end of file diff --git a/secrets/rekeyed/sire-influxdb/d7176dcef3b2245267cb9d77723a1261-telegraf-influxdb-token-sire-ente.age b/secrets/rekeyed/sire-influxdb/d7176dcef3b2245267cb9d77723a1261-telegraf-influxdb-token-sire-ente.age new file mode 100644 index 0000000..1c27ab9 --- /dev/null +++ b/secrets/rekeyed/sire-influxdb/d7176dcef3b2245267cb9d77723a1261-telegraf-influxdb-token-sire-ente.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 1tdZKQ uVXynHs0BZZu7YlnLtqEOy7DBrylGwAsuw2V5Xe1tlc +OhgF8N3bDlZC4XD7PAZFdBqtJPoaRX7ChQSEbnjsnKY +-> Z8-grease j jA Kr?3M$? +Qh8AQ2InqiJFZg +--- VaYAzDhieUncCVKxqNSG4PA9RGiHG1lmjy/s/1dSwFs +=ex1*[Yj< %&)Pyq8*F7fNݹ ,x0JդIu2)2 \ No newline at end of file 
diff --git a/secrets/rekeyed/ward-web-proxy/09683ecb6ba69322f3aa1c34b6ed6dfd-loki-basic-auth-hashes.age b/secrets/rekeyed/ward-web-proxy/09683ecb6ba69322f3aa1c34b6ed6dfd-loki-basic-auth-hashes.age new file mode 100644 index 0000000000000000000000000000000000000000..c1b183c9254832caa70b6f1083fb93709df8278d GIT binary patch literal 2526 zcmV<42_g1jXJsvAZewzJaCB*JZZ2HmQI8jY)XKPVnOE_mSVn=2joEoX9NVRL05 zel27#5YQ)(||QB^Q`FEnvTcTIC_cq?aO3N0-yAW=yxcuG-4MJrN8 zQdLQ1IZQ}nOmSyxGiF&xVQfJ|H)}?9XG2bOQ%FW{3SwL2Rq_)n&3U%^6Sj(4#4Slf zo)7mNJZ_=!WUlfJIQGh3Qk{UUsn1+J@f9qLFpD52KXL0<*DDsCm=v+D`rF%xw){3306+8Y zoCv7I%M`(CLo6+DtU?SU=pXrUFWU3OTMzM6`HST?px*Z`(Fh{*!Qz>CRR|~h`lubr za(C|(2Mgg^@Fzt=4PmZv^WVWM{e3}`L+wCcZX3hs?M!E1qV@TE;v#us@DwuYS6G04 zci;1L4&Jo|&lBvNEDaEGLaM{LoL#_}r*3l5Zdr`elj!ioVh_JA5i&rMyGl6O6a4N_ zc~ZB6ql&yfwl)?7E9RLc^Jzx}H0yg~&vVt&I+nOK9c`3>pS2gM$Y_uhxRc2~_5_KL zi9U~4i39I!rd>*_{#qbCNCwUyt&e-x-1)ONZ_5E~xrjbS`O}3kS`GaUPH`-+Cz!KS zd&qn}u&th^H56+{a*8KJ`Duh+Ljh6`va`|e+hS$%^s_9r1|8^WNVnE=TODvt8K#kS zHYn+FNJpiWx4j9vG=^{fh}g$qHSY7KxMd7hsMKWwHw4Q1+-rD7ab!~ii48U(2!$2O+1zVMu-zmaZWY7%*mys#?umoJ96d4Kr zBS^MyXwcaAyjE|gZh@;^Tg7Hd=Dz(ZohQZ?I{Ft*+x-gp(9}U@zVUtn<#xM;(^~mj zb7{LrMVOq%Sb<({bQ22#86ix(I~<^qE-uOn!ONU>rDMVDnfzz6mI;S8cKwNQN4$j* zuuDVZncleF8A3$_15keNkV9ej->V*4a$K^$8X8-A8%znt;#MD?xFFjZ<0|mN%sLi zGS~rNN0b)^T(}8k#d}(IL>s}7=-0U>#~T2Uh2y>{;+ZvNKbG2It*C@#QDpPzQGwrs zE)XH+sns1P>6oXU#ONILGjr-fX@1Mj<5C|19#ePNhiVj2;h0&o{p%axTn$ZWWn=g; zld|RN(46bdK$(BjntCun6j@HZHNCBwM8!(_>)99Ty2Rt5|5{~<%%ub&%s=JLbHDgb z9Rx<#jJ$OhoveCVzrPt~_k7w&Try5#2q#k8fV=D??L|u-&}GAfmGwRcr@$tGq&~gsB!m zCT`@0^Tb>LpGX|79HbvR%a$*1GlKBp^^rWc(b;Z8NZ9d1M_s{)SjUOyUvx~<@NMpP z#;ev-uw%8x8V-K)PmPEs+Hpkm28Ll+CVBakPRZd=Mf&x9ooHTTE|!lvOpe*G)L2c9WHPdZq2De78#Oam);&`!sf;qIW@$g5^YZpO z?kzdcLLXy4Ml$;A@?P@6z}*=5C*v+|`_OX08>Xq$RRX(Qae^Jz8h}Cw7KBx)?|rH0 zlR#2Yd6FnS%=`jcIm7GK()NYM~e}$@J$jN6YIPjCA8?QsiqB&yDUU$ z2~-j3?VnS0C=U7~9iEAnNzf_x;N-ejIYP66T8HF^+GhFLiyhrc*EJRMe;VH>A({_z 
zY*F18P!PUQ7)T3BX+^8v^ZNy6ug2iWw!?Wrp{Fw>|U}bg?>qZ2EAlm8}Lk}vdYbO7Q3!QEXxPAlM6XK ztRNEuRat_Th9E>Y)g;sfP;;4S)Z31(j8QXxeFIK-Q?6=hT|R~-ns3MF#WMMLuNX8o zRfp=Pb-&m!{(g?yyU=v_oKDrt<#fl9rt_@hNDs(wx0V;FK&Th^h9;2{tF`3aW_^L& z5tlNJ;EL=H@eoi16rB2JWIOD3SP~D2~cc2uWf{%4_aO{C3SqOb7zjHv?>k` z-F|l1!j8(WAt4_$@Y<|#r^wzDpWMuamJU5KWYE(peYP@Uv?&?$A;wgmY?heh!*6FW z?EVC@7}qasrCSxm~DsbVz*9fCr2=Seoa+2+*p@0{{R3 literal 0 HcmV?d00001 
diff --git a/secrets/rekeyed/ward-web-proxy/90ab11485712f95db2c07814074b7899-loki-basic-auth-hashes.age b/secrets/rekeyed/ward-web-proxy/90ab11485712f95db2c07814074b7899-loki-basic-auth-hashes.age deleted file mode 100644 index 7c51e7da58b45948bd5acbc38557241ae2706282..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2577 zcmV+s3hwn`XJsvAZewzJaCB*JZZ239Z8UgJLvIRWW>soLb2dXO zGf`7VMrt-yK{PN;NjNZNWmZvUaWXSTOhjaAYc^tGb5#m0J|J0KOFb=Ta%Ew2Wgu-M zPHHbB3S~`tNH#}lF?wxcOmJ2-N=#QtRZLiUMPWEda%n+YI4d_nYj5Rti#L9u#d2B5 z+19}yjudw|7|g^PwLSE}GIjn2CQV`}N*j+Z1xwT+XZU8wpweu3lZ19)ehD(0CxcY1 zWJq>p0l4AYfb%MZ^o{Sk{{50E_mGFU*p>A}HD^-SDR5wmb!lo|of73l8?wJl`xvnjrT;K{)sOd~T*02_64Sj*!NMdT3soqKbW z(XhdWCod;VIkg3wXhsuW6s0Zr?X`hv5Pt525dEz(z|0GYaT8HkN2RdO3j^C;bnsh- zR=VhD3?`|(0*vq!R02=*H^?apFDA^(UtRtia=fq91}anh(HWox+RZnm@i284AKi&f z4F#7;0D-+i@lR8rtz+qKri4H9#QALa?XiWEWx8HiBxtidbkj#Qe)nS?BZRflsJ z(4H)aQJybgdCTm`g%fadc}unES0#FyBL-<%I@qG*i?>uN$$LWF$JmdETCwVuM`YNX zZZCLW{q!2QaUh>Zu)Q}S&U*_?nU=QHPxCP2>VmMv?XQ~atY%d{PNQMn#f2SBt<2-% zftuo5$8t04;x%yM3I`saO@B;7nr?A4Y^Hg}Y{O4W0)}0x*mWmxEp#$cy*OoM$0?Nr zqG?l^u2#|mnbU4zwC%Y9@$lu=E3*zz_1?!*`pneQ%2Na=7lSF>32!LeChZ< z(7(-V?|3aNF~2-vha7Ha;e-5k)v#e|UjOT}oK%a?&z5O1K-k#WyE&2e?;UtOfYI@? 
zp*rf1qu;&ES^{izVb%BtET5iVj$U>0N$EFm7}&wt6LFfrTSfN@VOmAx*Ekq+jV+gp~w-Y!~9xk4mdq-;tiF_I(fK2 z#>scn6@wvJh?QJMVs&mF+Hk1TTNc)rcgUh*PEIFj>2JQ8`#IV=NoyxLmvh+sPWW0lCw_JL{`Nv<@+>E<@`A<(Q*wdPSJI$8U z$I4ZkUV#C?&*%nhFLxidT(ge~nh&la%2>jW*~nng8B%XO2(8l>@y)#h0htzoh2&qv z`|lXrCW4ro+OP1lozJ0AVMi;tXl6gEZHW04_+O&xsf~^uza>A5^BQD?pbF~`rN)29 z>$HtwnkDAn01@ezvjm@un)T#-uVAQ(L|pp=ysCOF({;@1o8sh2^N4!LM(J;9zxnV$Bxnz&EepQ{x|nfB|tEH_w|r)S05PBvqlG^g({awZQHrqw3&d( z&2fq9+AGm=gWyaD=9w~|12(+OINPDB6Zw^)#o!W7F_5L11bXa{KBJ5rr#~+2o{x5v zNH<--PAWRZEjC0Z_qp{J1ng0cS7%1tUF*rJObUo2zrMU1%CG3YGd5(JwAvR*^Y3rJ zwB%-DyGW3w0&spKWoA~!wV{w1&ZEfLq=3^FY|@w+HiW9B;lt()4vd8U#D+Cmq{=EB zvt|oRg5A&8;g2}9hf9Z~5-DYGzoUTTO$QgPTc@Dc37m4mRF#$1;C%Lnw-YVYOoB>0SPjB)GYtoQ^$t2%;>k#9 zOd?C5Kt1!zHeS|`Jf%p9dFd^m6Qz$rn?8hgrrh#P=Qy#u1d$5J*~M80C}6WTfZ@H6 zTlV;Ttv!5KQ%e*OcY4Slm0k>-n(4-C%SZ3oK_{g|3_2R46sEq#K^;>c60d#`AIou< zne=#&NO%rcO+T96AJ9*rXKk!YV)?PREpnTNffV1lunv7Z)B{q9W<3Lw{ol5ngb5xK zgleHMS1D`xfL*bsRaEMaIY%N4DYXQ(HwZ>ZnY}c#EdYm^p^pV_UIWspcSp^o^En(2 zJjh?MrEp7}aq%E(!J5(bkm2m&52i%C5-@+*%Z`AfZnq%s;Vb#3MDIB71bRSqOKn65vZG(5_OiDw{ED#ufIA>|tX$Yg(}DY;XT zsh`AS%QX-!uwDUn?O&A==`v-{bu~MrrtFUo<@elzwh6ndt>x|2nc~{PrQsa^52b#1 zDD;nXnryI>UD~5obygE)g?5F23g{xYj zTWei;vk;>m1V!?l5kpZmT`eAkaI$b?dYu_3{{hK1q?jUDyOm*o!JkI9e!8e`$q1Q> zhQJXnA*`xuLM1&WcgkZ7h!Vj7PUe4@zqwT_J7HL*3xQ1%)ZeYV3W85e&yvrSn+@Nu zlk1dpP3j@Zzunotxp~Zg2<B;+fymf;(__|t^ohLCj3j`w!Zt)Clu^|yv`48BYWoMCN@aKe<_*qxS^v`}WAMt^ zVb;;Sj_kb0i$Dr|DhWqA2jt%9$uC<2Qjr3~G$I)19`pwIxX!&R9xxWO_5ybhFI1)x z%jPZCuL~WS>q@x@t`zc0q}6DE0EWz diff --git a/secrets/rekeyed/ward/82fb2774f6a5e08a0e4bd8b8cdc09238-wireguard-proxy-home-psks-sire-ente+ward.age b/secrets/rekeyed/ward/82fb2774f6a5e08a0e4bd8b8cdc09238-wireguard-proxy-home-psks-sire-ente+ward.age new file mode 100644 index 0000000..0c7a0a6 --- /dev/null +++ b/secrets/rekeyed/ward/82fb2774f6a5e08a0e4bd8b8cdc09238-wireguard-proxy-home-psks-sire-ente+ward.age 
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 iNceIg BmCXt086D1EkeS07iplFsR6T33WyWAyiCT1mRLB32hw +fy0OpMuK/8qPw3Ryb5EAwnPSzlUx2YoYawzzKP75RFo +-> ah,luV-grease 7%Q {Zju_"(b +MqKtQw +--- DhDp8jYeynd1OUpCU61SpPZVPXnFokxX2Usixo7/ZG8 +ϨoltAn-WqoUH):2:d#*"a21qJ651<DyBF \ No newline at end of file diff --git a/secrets/wireguard/proxy-home/keys/sire-ente.age b/secrets/wireguard/proxy-home/keys/sire-ente.age new file mode 100644 index 0000000..05d683e --- /dev/null +++ b/secrets/wireguard/proxy-home/keys/sire-ente.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 AKZ+AtI/m8zX6g0lWM7NrNhtRTzn99G3Hzd4xTLmP2o +k06IWa/NYnJWHctoRtOuONWPRc3TeFKWGq62EEtPK2w +-> piv-p256 xqSe8Q ArPIpreqaxqoRvOr68Iyh6LhfzH+GbUbmZ24PMy6v6CR +/1AcoGVvZgOW2IIIiU6Kya37CT4N5igi5tGyuJCMfaw +-> b'2Yw/88-grease +hNHp2mtaChpVqJXW6+rZtdGdabmmtHxpSo64gPxsoTED9Jm+A36HtQTovZ2hfxWG +jwQadJT4WS9CJIvdqFRWi25FLAbS3c8 +--- /qAMQiLi2hgue66lXzk08Hl5FEgO4daK/TqisxvKhC0 +q( )7G*%%%[t`jwO՛E:;xbi \ No newline at end of file diff --git a/secrets/wireguard/proxy-home/keys/sire-ente.pub b/secrets/wireguard/proxy-home/keys/sire-ente.pub new file mode 100644 index 0000000..4e6e920 --- /dev/null +++ b/secrets/wireguard/proxy-home/keys/sire-ente.pub @@ -0,0 +1 @@ +AOGA/huE+l8LA7VsqTVuu8Idf/CljsEz2w9r3HF0xF8= diff --git a/secrets/wireguard/proxy-home/psks/sire-ente+ward.age b/secrets/wireguard/proxy-home/psks/sire-ente+ward.age new file mode 100644 index 0000000..62bedb0 --- /dev/null +++ b/secrets/wireguard/proxy-home/psks/sire-ente+ward.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 BFrpqy55NcKEF7q772I17T0wjQ02Ut2rWrMZ1rtjWwI +yH1f7HWIRcqlm6uRwBUcOBbz0gceyio8iL9Ggnt3Fb0 +-> piv-p256 xqSe8Q Anx1LI2vbGG5xYzIF5rKnHaqP6Lh5wf4xyNd4lsQSay3 +OePEiNdGFCd+xrGv7ARUaNKHMNWQgng4Q21Q+sbF5BA +-> /lY8-grease +MuwhaBG4mNhGQrxArOVAeqpkXtqhORkH40vnttBf4A +--- R2ZE5vy2h7+LiQF946AhQXTaGuZzhar5QthG8zQXeOQ +/hNQ t>ZT-QjeNd { ˆ5g->m. \ No newline at end of file 
diff --git a/secrets/wireguard/proxy-sentinel/keys/sire-ente.age b/secrets/wireguard/proxy-sentinel/keys/sire-ente.age new file mode 100644 index 0000000..20de322 --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/keys/sire-ente.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 vQk4YSBJ4lAhykKSn6EQVJt3N5knDwFojKKkGXIpkko +VFMoGYvz3Ghr2yDvkKVBhBk0RXwKvAa/1tc0XvAksqo +-> piv-p256 xqSe8Q Ao8pq7XVm2sW7pWJwY5xV+OENbydQYPDHFyW3D4Zcypy +804ByjdNfiNjYE1pETvtq2+Qf9XOpPSfTBTnaMYpWx0 +-> Bm!-grease +mTATrQka+LR7fjxFRq9eK2w4OC7Da+Rx2mgoT0jRRw2urXAN3m25hupRhmXjAmUT +UXCI6XLGG0gc+Fb5SOBXSPIjwMoVI3h8BgIRQsKUECM39iwN8j95kR9uDiP10Q +--- kOS9Fo+PrmUqGDLRkYYMEJcoSKeVoPudmLzD/M4rwzY +ؿ9S))`J@_<N;H=NgT\5;gty{N HbeM6m3 \ No newline at end of file diff --git a/secrets/wireguard/proxy-sentinel/keys/sire-ente.pub b/secrets/wireguard/proxy-sentinel/keys/sire-ente.pub new file mode 100644 index 0000000..eee613f --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/keys/sire-ente.pub @@ -0,0 +1 @@ +TQLqvOZp/FoELpqnkuls/wio9ET7KurTE9XW6m+BegU= diff --git a/secrets/wireguard/proxy-sentinel/psks/sentinel+sire-ente.age b/secrets/wireguard/proxy-sentinel/psks/sentinel+sire-ente.age new file mode 100644 index 0000000000000000000000000000000000000000..262bdfa729d8804525875f9ad63a56bf1de8bc0c GIT binary patch literal 518 zcmWm7J&V&|003aoL5Mnt2rfcEgkDQ*lIE*|2iGQPlQeD9Hf>T5j(lIzCTY^%+` zP9mr{3gX}(I5;>s9f+dns((OST|@-AN#&kD@ED$hIFXf>tBoH=*W%Qx0}Mj8VGSoq ztO-*&$yl~MWpM0(pKm;z4d{VjHbq-f1#Hwzb!Wl(QaDo?2(1Y{m&Ay|T}(x5E;8K2 zJSfo!4P>*{Q^^Jx=re*bHiUjWtbBm1aFT+HWb7~syh8{EUW)Bd&T)GXt71bA*@S3k zDZw`hc`3*o2vOP_*b5ZO)tMJh^j4JGQEAme-fxcswYPEhxh0ANIvKS%-<*eR79U>~ zD@$(beGKtZ$5=b?c+1r$SBLPG?KFUI>{hEB1r3P0(V0jj(A@eOu2F1@Ie%R2x@7SM<+S@p1_Jsc@A z=<*p5tWJwjpo9~@7FVjAFk(@Po8`EFTMSoepPvK;_