feat: add ente

config/users.nix

@@ -47,5 +47,6 @@
       # firefly-pico = uidGid 964;
       avahi = uidGid 963;
       ente = uidGid 962;
+      minio = uidGid 961;
     };
 }

hosts/sentinel/default.nix

@@ -54,4 +54,15 @@
     # This node shall monitor the infrastructure
     availableMonitoringNetworks = [ "internet" ];
   };
+
+  services.ente.web = {
+    enable = true;
+    domains = {
+      api = "api.photos.${globals.domains.me}";
+      accounts = "accounts.photos.${globals.domains.me}";
+      albums = "albums.photos.${globals.domains.me}";
+      cast = "cast.photos.${globals.domains.me}";
+      photos = "photos.${globals.domains.me}";
+    };
+  };
 }

hosts/sentinel/firezone.nix

@@ -12,7 +12,12 @@ let
   # FIXME: new entry here? make new firezone gateway on ward entry too.
   homeDomains = [
     globals.services.grafana.domain
-    globals.services.ente.domain
+    "accounts.photos.${globals.domains.me}"
+    "albums.photos.${globals.domains.me}"
+    "api.photos.${globals.domains.me}"
+    "cast.photos.${globals.domains.me}"
+    "photos.${globals.domains.me}"
+    "s3.photos.${globals.domains.me}"
     globals.services.immich.domain
     globals.services.influxdb.domain
     globals.services.loki.domain

hosts/sire/default.nix

@@ -150,7 +150,9 @@
       }
       // mkMicrovm "ai" { }
       // mkMicrovm "minecraft" { }
-      // mkMicrovm "ente" { }
+      // mkMicrovm "ente" {
+        enableStorageDataset = true;
+      }
       #// mkMicrovm "fasten-health" {}
     );
 }

hosts/sire/guests/ente.nix

@@ -0,0 +1,238 @@
+{
+  config,
+  globals,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  enteAccountsDomain = "accounts.photos.${globals.domains.me}";
+  enteAlbumsDomain = "albums.photos.${globals.domains.me}";
+  enteApiDomain = "api.photos.${globals.domains.me}";
+  enteCastDomain = "cast.photos.${globals.domains.me}";
+  entePhotosDomain = "photos.${globals.domains.me}";
+  s3Domain = "s3.photos.${globals.domains.me}";
+
+  proxyConfig = remoteAddr: nginxExtraConfig: {
+    upstreams.ente = {
+      servers."${remoteAddr}:80" = { };
+      extraConfig = ''
+        zone ente 64k;
+        keepalive 20;
+      '';
+      monitoring.enable = true;
+    };
+
+    upstreams.museum = {
+      servers."${remoteAddr}:8080" = { };
+      extraConfig = ''
+        zone museum 64k;
+        keepalive 20;
+      '';
+    };
+
+    upstreams.minio = {
+      servers."${remoteAddr}:9000" = { };
+      extraConfig = ''
+        zone minio 64k;
+        keepalive 20;
+      '';
+    };
+
+    virtualHosts =
+      {
+        ${enteApiDomain} = {
+          forceSSL = true;
+          useACMEWildcardHost = true;
+          locations."/".proxyPass = "http://museum";
+          extraConfig = ''
+            client_max_body_size 4M;
+            ${nginxExtraConfig}
+          '';
+        };
+        ${s3Domain} = {
+          forceSSL = true;
+          useACMEWildcardHost = true;
+          locations."/".proxyPass = "http://minio";
+          extraConfig = ''
+            client_max_body_size 32M;
+            proxy_buffering off;
+            proxy_request_buffering off;
+            ${nginxExtraConfig}
+          '';
+        };
+      }
+      // lib.genAttrs
+        [
+          enteAccountsDomain
+          enteAlbumsDomain
+          enteCastDomain
+          entePhotosDomain
+        ]
+        (_domain: {
+          useACMEWildcardHost = true;
+          extraConfig = nginxExtraConfig;
+        });
+  };
+in
+{
+  wireguard.proxy-sentinel = {
+    client.via = "sentinel";
+    firewallRuleForNode.sentinel.allowedTCPPorts = [
+      80
+      9000
+    ];
+  };
+
+  wireguard.proxy-home = {
+    client.via = "ward";
+    firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [
+      80
+      9000
+    ];
+  };
+
+  globals.services.ente.domain = entePhotosDomain;
+  # FIXME: also monitor from internal network
+  globals.monitoring.http.ente = {
+    url = "https://${entePhotosDomain}";
+    expectedBodyRegex = "Ente Photos";
+    network = "internet";
+  };
+
+  fileSystems."/storage".neededForBoot = true;
+  environment.persistence."/storage".directories = [
+    {
+      directory = "/var/lib/minio";
+      user = "minio";
+      group = "minio";
+      mode = "0750";
+    }
+  ];
+
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/ente";
+      user = "ente";
+      group = "ente";
+      mode = "0750";
+    }
+  ];
+
+  # NOTE: don't use the root user for access. In this case it doesn't matter
+  # since the whole minio server is only for ente anyway, but it would be a
+  # good practice.
+  age.secrets.minio-access-key = {
+    generator.script = "alnum";
+    mode = "440";
+    group = "ente";
+  };
+  age.secrets.minio-secret-key = {
+    generator.script = "alnum";
+    mode = "440";
+    group = "ente";
+  };
+  age.secrets.minio-root-credentials = {
+    generator.dependencies = [
+      config.age.secrets.minio-access-key
+      config.age.secrets.minio-secret-key
+    ];
+    generator.script =
+      {
+        lib,
+        decrypt,
+        deps,
+        ...
+      }:
+      ''
+        echo -n "MINIO_ROOT_USER="
+        ${decrypt} ${lib.escapeShellArg (builtins.elemAt deps 0).file}
+        echo -n "MINIO_ROOT_PASSWORD="
+        ${decrypt} ${lib.escapeShellArg (builtins.elemAt deps 1).file}
+      '';
+    mode = "440";
+    group = "minio";
+  };
+
+  # base64 (url)
+  age.secrets.ente-jwt = {
+    generator.script =
+      { pkgs, ... }: "${pkgs.openssl}/bin/openssl rand -base64 32 | tr -d '\n' | tr '/+' '_-'";
+    mode = "440";
+    group = "ente";
+  };
+  # base64 (standard)
+  age.secrets.ente-encryption-key = {
+    generator.script = "base64";
+    mode = "440";
+    group = "ente";
+  };
+  # base64 (standard)
+  age.secrets.ente-hash-key = {
+    generator.script = { pkgs, ... }: "${pkgs.openssl}/bin/openssl rand -base64 64 | tr -d '\n'";
+    mode = "440";
+    group = "ente";
+  };
+
+  services.minio = {
+    enable = true;
+    rootCredentialsFile = config.age.secrets.minio-root-credentials.path;
+  };
+  systemd.services.minio = {
+    environment.MINIO_SERVER_URL = "https://${s3Domain}";
+    postStart = ''
+      # Wait until minio is up
+      ${lib.getExe pkgs.curl} --retry 5 --retry-connrefused --fail --no-progress-meter -o /dev/null "http://localhost:9000/minio/health/live"
+
+      # Make sure bucket exists
+      mkdir -p ${lib.escapeShellArg config.services.minio.dataDir}/data/ente
+    '';
+  };
+
+  systemd.services.ente.after = [ "minio.service" ];
+  services.ente.api = {
+    enable = true;
+    enableLocalDB = true;
+    domain = enteApiDomain;
+    settings = {
+      apps = {
+        accounts = "https://${enteAccountsDomain}";
+        cast = "https://${enteCastDomain}";
+        public-albums = "https://${enteAlbumsDomain}";
+      };
+
+      webauthn = {
+        rpid = enteAccountsDomain;
+        rporigins = [ "https://${enteAccountsDomain}" ];
+      };
+
+      s3 = {
+        use_path_style_urls = true;
+        b2-eu-cen = {
+          endpoint = "https://${s3Domain}";
+          region = "us-east-1";
+          bucket = "ente";
+          key._secret = config.age.secrets.minio-access-key.path;
+          secret._secret = config.age.secrets.minio-secret-key.path;
+        };
+      };
+
+      jwt.secret._secret = config.age.secrets.ente-jwt.path;
+      key = {
+        encryption._secret = config.age.secrets.ente-encryption-key.path;
+        hash._secret = config.age.secrets.ente-hash-key.path;
+      };
+    };
+  };
+
+  # NOTE: services.ente.web is configured separately on both proxy servers!
+  nodes.sentinel.services.nginx = proxyConfig config.wireguard.proxy-sentinel.ipv4 "";
+  nodes.ward-web-prox.services.nginxy = proxyConfig config.wireguard.proxy-home.ipv4 ''
+    allow ${globals.net.home-lan.vlans.home.cidrv4};
+    allow ${globals.net.home-lan.vlans.home.cidrv6};
+    # Firezone traffic
+    allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4};
+    allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6};
+    deny all;
+  '';
+}

hosts/sire/secrets/ente/host.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPHm23XtSiwueXpmqJqFWIxYVWU/eq+dQ0PcwMrsN+c

hosts/ward/default.nix

@@ -13,7 +13,13 @@ let
   # FIXME: new entry here? make new firezone entry too.
   homeDomains = [
     globals.services.grafana.domain
-    globals.services.ente.domain
+    # TODO: allow multiple domains per global service.
+    "accounts.photos.${globals.domains.me}"
+    "albums.photos.${globals.domains.me}"
+    "api.photos.${globals.domains.me}"
+    "cast.photos.${globals.domains.me}"
+    "photos.${globals.domains.me}"
+    "s3.photos.${globals.domains.me}"
     globals.services.immich.domain
     globals.services.influxdb.domain
     globals.services.loki.domain

hosts/ward/guests/adguardhome.nix

@@ -112,7 +112,12 @@ in
               # FIXME: new entry here? make new firezone entry too.
               # FIXME: new entry here? make new firezone gateway on ward entry too.
               globals.services.grafana.domain
-              globals.services.ente.domain
+              "accounts.photos.${globals.domains.me}"
+              "albums.photos.${globals.domains.me}"
+              "api.photos.${globals.domains.me}"
+              "cast.photos.${globals.domains.me}"
+              "photos.${globals.domains.me}"
+              "s3.photos.${globals.domains.me}"
               globals.services.immich.domain
               globals.services.influxdb.domain
               globals.services.loki.domain

hosts/ward/guests/web-proxy.nix

@@ -85,4 +85,15 @@ in
   users.groups.acme.members = [ "nginx" ];
   services.nginx.enable = true;
   services.nginx.recommendedSetup = true;
+
+  services.ente.web = {
+    enable = true;
+    domains = {
+      api = "api.photos.${globals.domains.me}";
+      accounts = "accounts.photos.${globals.domains.me}";
+      albums = "albums.photos.${globals.domains.me}";
+      cast = "cast.photos.${globals.domains.me}";
+      photos = "photos.${globals.domains.me}";
+    };
+  };
 }

modules/default.nix

@@ -4,6 +4,7 @@
     ./backups.nix
     ./deterministic-ids.nix
     ./distributed-config.nix
+    ./ente.nix
     ./globals.nix
     ./meta.nix
     ./nginx-upstream-monitoring.nix

modules/ente.nix

@@ -0,0 +1,346 @@
+{
+  config,
+  lib,
+  pkgs,
+  utils,
+  ...
+}:
+let
+  inherit (lib)
+    getExe
+    mkDefault
+    mkEnableOption
+    mkIf
+    mkMerge
+    mkOption
+    mkPackageOption
+    optional
+    types
+    ;
+
+  cfgApi = config.services.ente.api;
+  cfgWeb = config.services.ente.web;
+
+  webPackage =
+    enteApp:
+    cfgWeb.package.override {
+      inherit enteApp;
+      enteMainUrl = "https://${cfgWeb.domains.photos}";
+      extraBuildEnv = {
+        NEXT_PUBLIC_ENTE_ENDPOINT = "https://${cfgWeb.domains.api}";
+        NEXT_PUBLIC_ENTE_ALBUMS_ENDPOINT = "https://${cfgWeb.domains.albums}";
+        NEXT_TELEMETRY_DISABLED = "1";
+      };
+    };
+
+  defaultUser = "ente";
+  defaultGroup = "ente";
+  dataDir = "/var/lib/ente";
+
+  yamlFormat = pkgs.formats.yaml { };
+in
+{
+  options.services.ente = {
+    web = {
+      enable = mkEnableOption "Ente web frontend (Photos, Albums)";
+      package = mkPackageOption pkgs "ente-web" { };
+
+      domains = {
+        api = mkOption {
+          type = types.str;
+          description = ''
+            The domain under which the api is served. This will NOT serve the api itself,
+            but is a required setting to host the frontends! This will automatically be set
+            for you if you enable both the api server and web frontends.
+          '';
+        };
+
+        accounts = mkOption {
+          type = types.str;
+          description = "The domain under which the accounts frontend will be served.";
+        };
+
+        cast = mkOption {
+          type = types.str;
+          description = "The domain under which the cast frontend will be served.";
+        };
+
+        albums = mkOption {
+          type = types.str;
+          description = "The domain under which the albums frontend will be served.";
+        };
+
+        photos = mkOption {
+          type = types.str;
+          description = "The domain under which the photos frontend will be served.";
+        };
+      };
+    };
+
+    api = {
+      enable = mkEnableOption "Museum (API server for ente.io)";
+      package = mkPackageOption pkgs "museum" { };
+      nginx.enable = mkEnableOption "nginx proxy for the API server";
+
+      user = mkOption {
+        type = types.str;
+        default = defaultUser;
+        description = "User under which museum runs.";
+      };
+
+      group = mkOption {
+        type = types.str;
+        default = defaultGroup;
+        description = "Group under which museum runs.";
+      };
+
+      domain = mkOption {
+        type = types.str;
+        description = "The domain under which the api will be served.";
+      };
+
+      enableLocalDB = mkEnableOption "the automatic creation of a local postgres database for museum.";
+
+      settings = mkOption {
+        description = ''
+          Museum yaml configuration. Refer to upstream [local.yaml](https://github.com/ente-io/ente/blob/main/server/configurations/local.yaml) for more information.
+          You can specify secret values in this configuration by setting `somevalue._secret = "/path/to/file"` instead of setting `somevalue` directly.
+        '';
+        default = { };
+        type = types.submodule {
+          freeformType = yamlFormat.type;
+          options = {
+            apps = {
+              public-albums = mkOption {
+                type = types.str;
+                default = "https://albums.ente.io";
+                description = ''
+                  If you're running a self hosted instance and wish to serve public links,
+                  set this to the URL where your albums web app is running.
+                '';
+              };
+
+              cast = mkOption {
+                type = types.str;
+                default = "https://cast.ente.io";
+                description = ''
+                  Set this to the URL where your cast page is running.
+                  This is for browser and chromecast casting support.
+                '';
+              };
+
+              accounts = mkOption {
+                type = types.str;
+                default = "https://accounts.ente.io";
+                description = ''
+                  Set this to the URL where your accounts page is running.
+                  This is primarily for passkey support.
+                '';
+              };
+            };
+
+            db = {
+              host = mkOption {
+                type = types.str;
+                description = "The database host";
+              };
+
+              port = mkOption {
+                type = types.port;
+                default = 5432;
+                description = "The database port";
+              };
+
+              name = mkOption {
+                type = types.str;
+                description = "The database name";
+              };
+
+              user = mkOption {
+                type = types.str;
+                description = "The database user";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+
+  config = mkMerge [
+    (mkIf cfgApi.enable {
+      services.postgresql = mkIf cfgApi.enableLocalDB {
+        enable = true;
+        ensureUsers = [
+          {
+            name = "ente";
+            ensureDBOwnership = true;
+          }
+        ];
+        ensureDatabases = [ "ente" ];
+      };
+
+      services.ente.web.domains.api = mkIf cfgWeb.enable cfgApi.domain;
+      services.ente.api.settings = {
+        log-file = mkDefault "";
+        db = mkIf cfgApi.enableLocalDB {
+          host = "/run/postgresql";
+          port = 5432;
+          name = "ente";
+          user = "ente";
+        };
+      };
+
+      systemd.services.ente = {
+        description = "Ente.io Museum API Server";
+        after = [ "network.target" ] ++ optional cfgApi.enableLocalDB "postgresql.service";
+        requires = optional cfgApi.enableLocalDB "postgresql.service";
+        wantedBy = [ "multi-user.target" ];
+
+        preStart = ''
+          # Generate config including secret values. YAML is a superset of JSON, so we can use this here.
+          ${utils.genJqSecretsReplacementSnippet cfgApi.settings "/run/ente/local.yaml"}
+
+          # Setup paths
+          mkdir -p ${dataDir}/configurations
+          ln -sTf /run/ente/local.yaml ${dataDir}/configurations/local.yaml
+        '';
+
+        serviceConfig = {
+          ExecStart = getExe cfgApi.package;
+          Type = "simple";
+          Restart = "on-failure";
+
+          AmbientCapablities = [ ];
+          CapabilityBoundingSet = [ ];
+          LockPersonality = true;
+          MemoryDenyWriteExecute = true;
+          NoNewPrivileges = true;
+          PrivateMounts = true;
+          PrivateTmp = true;
+          PrivateUsers = false;
+          ProcSubset = "pid";
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectProc = "invisible";
+          ProtectSystem = "strict";
+          RestrictAddressFamilies = [
+            "AF_INET"
+            "AF_INET6"
+            "AF_NETLINK"
+            "AF_UNIX"
+          ];
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          SystemCallArchitectures = "native";
+          SystemCallFilter = "@system-service";
+          UMask = "077";
+
+          BindReadOnlyPaths = [
+            "${cfgApi.package}/share/museum/migrations:${dataDir}/migrations"
+            "${cfgApi.package}/share/museum/mail-templates:${dataDir}/mail-templates"
+          ];
+
+          User = cfgApi.user;
+          Group = cfgApi.group;
+
+          SyslogIdentifier = "ente";
+          StateDirectory = "ente";
+          WorkingDirectory = dataDir;
+          RuntimeDirectory = "ente";
+        };
+
+        # Environment MUST be called local, otherwise we cannot log to stdout
+        environment = {
+          ENVIRONMENT = "local";
+          GIN_MODE = "release";
+        };
+      };
+
+      users = {
+        users = mkIf (cfgApi.user == defaultUser) {
+          ${defaultUser} = {
+            description = "ente.io museum service user";
+            inherit (cfgApi) group;
+            isSystemUser = true;
+            home = dataDir;
+          };
+        };
+        groups = mkIf (cfgApi.group == defaultGroup) { ${defaultGroup} = { }; };
+      };
+
+      services.nginx = mkIf cfgApi.nginx.enable {
+        enable = true;
+        upstreams.museum = {
+          servers."localhost:8080" = { };
+          extraConfig = ''
+            zone museum 64k;
+            keepalive 20;
+          '';
+        };
+
+        virtualHosts.${cfgApi.domain} = {
+          forceSSL = mkDefault true;
+          locations."/".proxyPass = "http://museum";
+          extraConfig = ''
+            client_max_body_size 4M;
+          '';
+        };
+      };
+    })
+    (mkIf cfgWeb.enable {
+      services.ente.api.settings = mkIf cfgApi.enable {
+        apps = {
+          accounts = "https://${cfgWeb.domains.accounts}";
+          cast = "https://${cfgWeb.domains.cast}";
+          public-albums = "https://${cfgWeb.domains.albums}";
+        };
+
+        webauthn = {
+          rpid = cfgWeb.domains.accounts;
+          rporigins = [ "https://${cfgWeb.domains.accounts}" ];
+        };
+      };
+
+      services.nginx =
+        let
+          domainFor = app: cfgWeb.domains.${app};
+        in
+        {
+          enable = true;
+          virtualHosts.${domainFor "accounts"} = {
+            forceSSL = mkDefault true;
+            locations."/" = {
+              root = webPackage "accounts";
+              tryFiles = "$uri $uri.html /index.html";
+            };
+          };
+          virtualHosts.${domainFor "cast"} = {
+            forceSSL = mkDefault true;
+            locations."/" = {
+              root = webPackage "cast";
+              tryFiles = "$uri $uri.html /index.html";
+            };
+          };
+          virtualHosts.${domainFor "photos"} = {
+            serverAliases = [
+              (domainFor "albums") # the albums app is shared with the photos frontend
+            ];
+            forceSSL = mkDefault true;
+            locations."/" = {
+              root = webPackage "photos";
+              tryFiles = "$uri $uri.html /index.html";
+            };
+          };
+        };
+    })
+  ];
+
+  meta.maintainers = with lib.maintainers; [ oddlama ];
+}

pkgs/default.nix

@@ -18,6 +18,8 @@ _inputs: [
     #   })
     # ];
 
+    ente-web = prev.callPackage ./ente-web.nix { };
+
     formats = prev.formats // {
       ron = import ./ron.nix { inherit (prev) lib pkgs; };
     };

pkgs/ente-web.nix

@@ -0,0 +1,91 @@
+{
+  lib,
+  stdenv,
+  fetchFromGitHub,
+  fetchYarnDeps,
+  nodejs,
+  yarnConfigHook,
+  yarnBuildHook,
+  nix-update-script,
+  extraBuildEnv ? { },
+  # This package contains serveral sub-applications. This specifies which of them you want to build.
+  enteApp ? "photos",
+  # Accessing some apps (such as account) directly will result in a hardcoded redirect to ente.io.
+  # To prevent users from accidentally logging in to ente.io instead of the selfhosted instance, you
+  # can set this parameter to override these occurrences with your own url. Must include the schema.
+  # Example: https://my-ente.example.com
+  enteMainUrl ? null,
+}:
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "ente-web-${enteApp}";
+  version = "1.0.4";
+
+  src = fetchFromGitHub {
+    owner = "ente-io";
+    repo = "ente";
+    sparseCheckout = [ "web" ];
+    tag = "photos-v${finalAttrs.version}";
+    fetchSubmodules = true;
+    hash = "sha256-M1kAZgqjbWNn6LqymtWRmAk/v0vWEGbyS50lVrsr85o=";
+  };
+  sourceRoot = "${finalAttrs.src.name}/web";
+
+  offlineCache = fetchYarnDeps {
+    yarnLock = "${finalAttrs.src}/web/yarn.lock";
+    hash = "sha256-EYhYwy6+7bgWckU/7SfL1PREWw9JUgKxWadSVtoZwXs=";
+  };
+
+  nativeBuildInputs = [
+    yarnConfigHook
+    yarnBuildHook
+    nodejs
+  ];
+
+  # See: https://github.com/ente-io/ente/blob/main/web/apps/photos/.env
+  env = extraBuildEnv;
+
+  # Replace hardcoded ente.io urls if desired
+  postPatch = lib.optionalString (enteMainUrl != null) ''
+    substituteInPlace \
+      apps/payments/src/services/billing.ts \
+      apps/photos/src/pages/shared-albums.tsx \
+      --replace-fail "https://ente.io" ${lib.escapeShellArg enteMainUrl}
+
+    substituteInPlace \
+      apps/accounts/src/pages/index.tsx \
+      --replace-fail "https://web.ente.io" ${lib.escapeShellArg enteMainUrl}
+  '';
+
+  yarnBuildScript = "build:${enteApp}";
+  installPhase =
+    let
+      distName = if enteApp == "payments" then "dist" else "out";
+    in
+    ''
+      runHook preInstall
+
+      cp -r apps/${enteApp}/${distName} $out
+
+      runHook postInstall
+    '';
+
+  passthru.updateScript = nix-update-script {
+    extraArgs = [
+      "--version-regex"
+      "photos-v(.*)"
+    ];
+  };
+
+  meta = {
+    description = "Ente application web frontends";
+    homepage = "https://ente.io/";
+    changelog = "https://github.com/ente-io/ente/releases";
+    license = lib.licenses.agpl3Only;
+    maintainers = with lib.maintainers; [
+      pinpox
+      oddlama
+    ];
+    platforms = lib.platforms.all;
+  };
+})

secrets/generated/sire-ente/ente-encryption-key.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 zRngxioYpKJbERi6At0Wiuy9D9vVfieDcpElvJWeIUI
+qYMaG1W7b42179kEL2NJsuCoREGrZBPs+U8+rNdFyOM
+-> piv-p256 xqSe8Q AmC86Dj5laQaiH2OIrcZG2AiGB4T5wgzIhLMPgBzJaKn
+VjFnsl5UgDDw3sap9mgd3jJR/jqlRL4KS3/jxxcuLQM
+-> ,?FIg-grease iYX?nyr *z|V}ruN
+i/j/P1jbT8hP6RHqUKAzg94nWWWk5E8EJXomFBc9tQ
+--- S7mlAB35SMtQSlUn5dPpNjj9ekUkOJTPvLuEAPGJNXQ
+¹8ݾ ‚x•|?-‚N¬X-v¼žS™ìôB$ŸeVZpÊ\·m— º‰Àò2¢Ó³ãÎôBÍBB§æ,þ‡êí‹–Üò%®P_”

secrets/generated/sire-ente/ente-jwt.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 fSjolShGCdhJfr1tdcTeYmkpWG3iiA8QEKZjgHjIMUM
+Wc0uFJRebFT6xVzxpNStdGyNkC1l+SrtbKBe0vYEX/w
+-> piv-p256 xqSe8Q AhhzkRFNoGd0Sv9t08g/wxkCqiKjcMUAutwztgIs+x9U
+Q8Y8SEIcGrSQbp//vTWIFAfXcy6LADNEJ6Q0GxFQOpI
+-> 754F*-grease k$4zy* >% { og8qk-
+r8c9fTLupld7X0fmQ6OLuuBSITL4xU/m0G0eTBcau7o
+--- nQo78/W1zOcPeBsXIEEepU5WOCvlllLwB6+Fqrc9OY8
+öþ¼¶:¼Ìf�;»ÈÈoûQY9;
Š–Ã2¥®Y­ e]vbU¹û´°áﳕšëÀ[ØpŒ(Weøt¿^™þÒví«½Úèæd8:ì

secrets/generated/sire-ente/minio-access-key.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 RUswhRVBILKxzva+FcHu69TNIDotls9+FTqL3IYiZio
+MwXFm8JK7Viy6cQZXjBT5U2ERhH6jAckfU0bph6BixU
+-> piv-p256 xqSe8Q A6dYQvH4lZ8FSM00u8YCyYHQQvu9xy+UfzBhXepKDWdu
+eBb9JP+MLrQ5sttl2MDOyrYI0V1fI7spw57DbAGriVI
+-> w.wd]R-grease >g2~Z~ \ ,6
+2S+12Sh/Bjvx0wFMVU4ApN4aVMTkHOqitD9OjcxwuG6Z22Cz04H4e7FD/9VQ57uD
+BcvbmzU/sN52h/7K8/wBjHj43V+3L9SVafm2+WF+VfVON6CfcznCfgCq2w
+--- wFSnGM1uYgDGmVkYKoARx7uKyV0KEbyYWzeYIA3bxNg
+ºæmºQjždfvÎå~–º2X™0ÑẎêÁÓBªxÊÐ[
å#Õ_S–¬½`áC…¯/Ò#Klçƒ)œþ øàQöÊC¤Åê:"À¯ô

secrets/generated/sire-ente/minio-root-credentials.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 1g/zXfi1yIQ8Gr7s8vXVcqY2SqSY54wIm2K5jZw2FGU
+20yDp5BbvL4/Dwj5wUsqICutjmcdEzQzHzhYn2wGxa4
+-> piv-p256 xqSe8Q A0hl01YjJvSgNoVVgqbXtbJebphdyC1KfXuq0KHsGLEY
+/tp18Vk3vM2UUxfB+rCi6a1hKvtNi1E+o/CkfEdejBM
+-> AR0.!FY-grease jw9K!j
+eujGLw
+--- 5iSrLf3Tc9d65fjQZvzv2XO5E2FnOKIAcG0aViBQ3T0
+G­N¿ý­N)—™o…@Ü"Êðî)Ÿa<p¾Öô; wÚ™}
Õ$!îqqÂsütˆ
,Eã3R#�xqû,=^=ížéS�ÅB
6’’_48‘jêY¡;€YÃ[`“‹q':¬ �v8î$€šºBÛ£¸?ñ½ÂÉyxË ‚pžŸ1��¿v
Ѳ¢!ÆÐÕr50+lrÚ¦
¬sg�êî

secrets/rekeyed/sentinel/7dd21124a6116b64884cc34b22d128b0-wireguard-proxy-sentinel-psks-sentinel+sire-ente.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 yV7lcA tb9kSCCrR4ZsCY2rFru596/nvJ3Ls0CAIx1SbeBb3jE
+sFwhpTJtUKZLI05/Pka9UN+/AhqRr1T2qOsoXqnJm+I
+-> M{JlUebq-grease <v+'>UsK ZwN> .2j<
+q7Jcr9NMDZPmnfX7OE9ul+ABFA
+--- caLIQEMxZ2TikSZVAKd4ms6qcoOsd0pCgC3Q0UwXTIU
+/0daïà*�/�-I<â"&éË—ðUmc™RKtk,†1§RY ÏËãàÆÚÌIç´eËXx¤üÕî5ÿÚÀªëøÕUqYŽ“¿ÇÊ

secrets/rekeyed/sire-ente/0a655191d8a00f031974a30ce0d150b5-ente-encryption-key.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 JgWCuA E7lVaNWH6szAllQ8QNG1vHT5aNf9oJ4qC6NhQmJDwAc
+59GgmOFiryp/c0/R+u3xPZCQg5E2D7xLiABGn/iYfPc
+-> V?-grease Lb\VjM_
+DH5djc92LmIQFfn2wJSdLgz+OsGY+7y9AqtYiOfWZyClDaTOGvY2GxqzJS7k8Wh0
+zQ
+--- R/ulTpEmTlZhlnlmlp+MQxe2pLvONgXqEiDQOM0xZQA
+|‚…†®Æ8½3	ÇhœËÄAXæC=�Ü^ùÔü¸wœ0Gä1A›GËbÍàèħ‡
ê¿;ôŠ¸VÙ4o—/™ƒÓ3

secrets/rekeyed/sire-ente/39ed4aee39bb5284ed82d595b57af3a6-promtail-loki-basic-auth-password.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 JgWCuA 7g34bQN2G4hf4lTxDLfPJog/r8rgjQnmwPZW277jpQk
+nhnGg8CcoVzuASxf2SAVBeVA5gcpNBB0LNHMSnHvvzA
+-> EXviAf-grease `>N4
+HByrqYnzlTIEjr6cRuJ1Eg
+--- 4/1YuJpu8rbYPKqcyYbtDCSaq9doFKbdNvhHTGoL0e8
+7KøAXü|» ñ!Üp8'ÓôŒ.×w�ÜŽêf:Ú~÷Z [/¤Þºušïl2Ì'ÔWYG€F��Nd:ÐPkÒ1BO=å¶ñøæ+àÔê

secrets/rekeyed/sire-ente/48afcb0cd2c5ea7e134a9ea29b7eaa7b-telegraf-influxdb-token.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 JgWCuA PHWocAK4Uq2RlRBQRJmlYytDt1UDys9oSSkqkqGoagE
+TAkHn01nLHkhdTRT1KFdrnxkxRM+1Kpr1JaUaVrf6Cc
+-> ~f-grease $"CHQ ;>^KKwf[ $Ets\o1
+4g0E9jf4hAzb0A
+--- gGNrPcfze2eOkJg/PPrgVHnffTmOX58dOukGGYVM3Qc
+ƒè’ÐÅ��(yêCÀ�!ÿ;ƒ“¿dÛkL€q·GÛIÏÉý¿œNJE
B¾Fòc
À	Ã<Z*‚„Š2òÿd�Ý’RˆLÒצ(~]oÌ®Ùc¥

secrets/rekeyed/sire-ente/4fddd2864abd2ee1ab5829fc3ac741d6-ente-hash-key.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 JgWCuA ibIMzo1GidK7NjVdRwLtW/ZBmEYJljlEQBDpzcS7u3g
+gJO2mEFR7VpiZ66lo1C2DICFthKDrBbK3b9yvvv2OUk
+-> L`^@f-grease
+6KFxCBHS1sez24DemcAVbP/2DA1qMH6G4Slt36Be+7XN/pc21NTm15Y2WAOdfnfr
+hYtLONwqTGd9M9309Nyf431l/92Hpvg0ZT0on4iwqA
+--- rzYINbMisctAhV6j6uTIFtZeOgl4LylFpwql2QpJAhU
+4;±l¸øÇúm(ô‘φÓL½ê©’ýjk8N@ø¶gPØýº¡1tÕBpÅ<'²A§u Vž\ýç‘Q]}]y¢-eÖð¢¢ÀH[âd#b_F´J뷟ܺLèP|Ì)Á€šw¿ü¨„Èm³Œ©�

secrets/rekeyed/sire-ente/50b5f9785853d40bd74d52dde6d57c11-wireguard-proxy-sentinel-priv-sire-ente.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 JgWCuA Nwy2LY1REyI7LRKDFNbaS2FF1R+Erl6KrdrumvS/XX4
+1S9sYJnsgMmDTXvBO1/RDxlcEIYfDH+cO0MkZuo40VU
+-> )-grease )!nP Q@Q@ur{3 dcBOk*]
+D1GIlaWvcD2KUvCe7m+aClC3OEsWGn0WRlsG25o8YWJq48TgZOezeZSaNco
+--- Rcndrv1V5ZhAiFHZe1WdTMEeZ5+jqu2ES16D1aN/1wg
+½Étk�Ãü]8É8 ÙœöèR·2–
±—íÒ’üŠgZáÓ©(™r—½ÅëižV\Py ªf½¦¤ÕÜ‹Lü_.ýµ£ûƒ

secrets/rekeyed/sire-ente/6bd5a9be337a42f7ceccabcb94e58c7d-ente-jwt.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 JgWCuA FRpqXDi8hsKKuScuMTNJWP8hyeDsEiT0cKeRCtcSHDo
+9ws3OouI1gl6WCjTVeGL1FLlzjoc5r3KuIicz1Hxvvk
+-> B$<$\Y-grease /HHpi >/9 -!*14 GB#8+TJ
+YCQ/DeYqBopIh5w11DrHtJnJJ32yaFQ9qE6yOXGAbVfrSik5sVf/Txn2dBNb+nTG
+3jQTR5kKOkGFLIUul83ix6A
+--- wG6qOXsr8udyFHqA4WDFTGQASgtnG39UC8SXiyoCH24
+Ú«ì¤wÇ	"NÞ*³
+� ç¹tñ¯T¼1e™cwÂè=‚Ü�m»_Â¥l‰ç4hA{e<“<Lʪ”£á�èµÖú	90kÓzl—rûÇ

secrets/rekeyed/sire-ente/8dabe142e6ad67a259f83111fceb6e17-minio-root-credentials.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 JgWCuA 8gWuOL3ItuZnJLSV4wJSKIavVdU1mZZOYSDP9X5pkjg
+H32gHbisIG+aVXOU/fkAHVmoVyH6BMhR1yVN+grYnbI
+-> KE-grease #rT+&3B& :$ @
+JQuPHa3Y1qlRkw
+--- akx1iJc1tHixZXIOYzC+59TIvfFrUoTvgHCPnujR6Zc
+Ðb§êˆË“éxâC�P×õX°ãÒeÙ#0�}ø­št9Þ=KdêK��/¢â3aùs.‘mÄV{ùªfå@7G¹çûujG¼1Oâ…v)æNøöÿÊj4ãf*¾b¿Õ•ÅQzY0ÿ‹I½¶õŸçåš6EÖw~ÉÇ^.„îA�øæMhnÔsàŠ{ÒB¸Hd?Có»É)
oêÞ˥̡F"q\ê—#c

secrets/rekeyed/sire-ente/a3d4334dfab58cfbb82ce922dbb23c50-wireguard-proxy-sentinel-psks-sentinel+sire-ente.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 JgWCuA R/2IkDfac3BnlHNqFlXEBDEKUAFkOJPzMuydNFZAzWo
+ub21BfD8Q5GaLr8IdLwHkdZqSVAjG2q3MuDrB4KozJA
+-> $a|&-grease k!M4 NZQL R,s4mUU ]y
+zoxZDA
+--- 41/Orge3q+gN8+MgvL745C/fatbvxkpeS7jrdiyphTk
+5P°‡/ƒÖ©Z+B|ÖV$ƒx~Ž†‘e 0hµ _Mˆ`ruBôi“y–¥~îxg?Ù£>LÎœ>&äw!Ös—?p�…61ü�÷j

secrets/rekeyed/sire-ente/b196a04930eeaf93e5314de87b7ddc1f-minio-access-key.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 JgWCuA BhciDbzGldKHFga2iDU/xYnMv7eGi1LZb+lGXJC5BHY
+sG8HF+9adDtroTygekl57kNWmdPxBOoUKDxFHKEBQ8U
+-> 4W-grease
+9sX0u6PKO6b5tCx5KEMzpHUyIX81ZtbCrXkCy/5H/6MrziNyG3hm9RlmYfjroA8w
+JInJF5/S
+--- nu0Fb0V8USP+6NdT6egQ13gUHjsBDh3e1vTIeU1koWk
+n”hþµûÄâ·€¡º#×ÒE“»7m`zcä”BŸAîóÔ�°ÑÇ5­œ<ÂB¹1gñO5+Øž3r9‰º¾×!<²�ñˆø2:¨Ýk“\
g~

secrets/rekeyed/sire-ente/c286daba571651cf0fb3baa35f8717e5-minio-secret-key.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 JgWCuA qCQiUbrSa9VHQmnGxUzAKnIXnz1iCaGltMtlekJtSik
+n1C2khtbkEjU06GoLlV/cGqKiHJPC45esUUXzSrqUdY
+-> G-grease ~;bV'qp 6[ 2=41r2
+6XoXhm9137td0dfyVG9y+aoXgnZ/DHyEz/Mm7bWTVOALBjNiND962acconiU+YAV
+rNjORyxn
+--- FbizueAYs+ySyCsYHz2nSOP9ZK1B3cwY0tfnbCUSZSo
+9æñQ¨P«
ÜÉ:ûpò2Í‚Œž}HÙÜ_P¦ÛrC¨óÛPö>kæã+ø@¹ëbá\U_EῲɌioV²ˆš*NNºR'î=H´¿UÆ

secrets/rekeyed/sire-ente/cff35fe4c607c5c2d57af131e14080b5-wireguard-proxy-home-priv-sire-ente.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 JgWCuA 4Yb3GrxVz12WnVG/xOLQ5v+AfvQnfu8rz+KF2z2hzzY
+sGXnAMSxc9L47Zzvnovmq0jIHnEIogVN5XG7FBurTn4
+-> cwlzzK-grease
+15ku+cw
+--- JMaYeYHOTTH0E93AnU0hKwp/bdHg6wkmdK5WxFdIKLg
+¦.µÜ…$5Z¸{uÎËÇs�»L‡9,¿�k 	¢)Ý6Ïv#¤Éò§+ï
;Þp¡§˜n
ÓÓšnŽõ­íx[0›f؈¼›v!Tè#ëÜä

secrets/rekeyed/sire-ente/d0a3d1a9285c9e295e71bd59a2399ec6-wireguard-proxy-home-psks-sire-ente+ward.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 JgWCuA fLErDkfDNMgSF0E/ZoBB6OVIrofuDzXnNSh0UwfwBAs
+87BAmP1neIBVz/sPnx32S+y+EgV3uKQyWNI1wkj/rok
+-> 6b=-grease aZPivQ
+9Wkt0eTctqiZ2uajuNkl5su0tKGudpCKnl43cS3nOX2/tjXEIKB0Pe4bc1ImIJvV
+z+2FuJju8Q5o+mx2/NKZINhT0VnXzQFpjgwWsZs2mntMCxI0GMwPUyt8pg
+--- urAXMUjYZJ/Q1ezsnn4uu20993E3EkK2Fqmhu5TgWcE
+›0‡]îJæn¶ü“ý;??^E©e=ÍÒ!{MòÙNÔÙ!™+÷§yõ™ËèNq/¤×sºˆlªÒÔadòx*qtǪU¥±	v%0

secrets/rekeyed/sire-influxdb/d7176dcef3b2245267cb9d77723a1261-telegraf-influxdb-token-sire-ente.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 1tdZKQ uVXynHs0BZZu7YlnLtqEOy7DBrylGwAsuw2V5Xe1tlc
+OhgF8N3bDlZC4XD7PAZFdBqtJPoaRX7ChQSEbnjsnKY
+-> Z8-grease j jA Kr?3M$?
+Qh8AQ2InqiJFZg
+--- VaYAzDhieUncCVKxqNSG4PA9RGiHG1lmjy/s/1dSwFs
+=exµ1*Ù[áYj<Ð ö¸ŠåÝîò%&¯Æ»)PyŸ¾¢íqÁ8*Fµ“7¼Ôùìf½ÊÀNÏݹ,ÿÇáÓx0J‹¢ò‚Õ¤Iu2)á2

secrets/rekeyed/ward/82fb2774f6a5e08a0e4bd8b8cdc09238-wireguard-proxy-home-psks-sire-ente+ward.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 iNceIg BmCXt086D1EkeS07iplFsR6T33WyWAyiCT1mRLB32hw
+fy0OpMuK/8qPw3Ryb5EAwnPSzlUx2YoYawzzKP75RFo
+-> ah,luV-grease 7%Q {Zju_"(b
+MqKtQw
+--- DhDp8jYeynd1OUpCU61SpPZVPXnFokxX2Usixo7/ZG8
+…¤¸øϨol¹í¦‹öïtAn-Wq¥ëoUÚH)ïæ:2:¤d²#Ô*ô"aØã2œ1qJ6ð÷†¸5ô1<‰DåÑyBãF

secrets/wireguard/proxy-home/keys/sire-ente.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 AKZ+AtI/m8zX6g0lWM7NrNhtRTzn99G3Hzd4xTLmP2o
+k06IWa/NYnJWHctoRtOuONWPRc3TeFKWGq62EEtPK2w
+-> piv-p256 xqSe8Q ArPIpreqaxqoRvOr68Iyh6LhfzH+GbUbmZ24PMy6v6CR
+/1AcoGVvZgOW2IIIiU6Kya37CT4N5igi5tGyuJCMfaw
+-> b'2Yw/88-grease
+hNHp2mtaChpVqJXW6+rZtdGdabmmtHxpSo64gPxsoTED9Jm+A36HtQTovZ2hfxWG
+jwQadJT4WS9CJIvdqFRWi25FLAbS3c8
+--- /qAMQiLi2hgue66lXzk08Hl5FEgO4daK/TqisxvKhC0
+Õq(
ÂÔÎ)¡ûå7ê®ÆG»¿£Åõ*µ%¢%%ž[ t`¦¬ÌèÀ÷jØw€OÕ›ÎÈE¼ç :Ûö;Í
Çêxbi�

secrets/wireguard/proxy-home/keys/sire-ente.pub

@@ -0,0 +1 @@
+AOGA/huE+l8LA7VsqTVuu8Idf/CljsEz2w9r3HF0xF8=

secrets/wireguard/proxy-home/psks/sire-ente+ward.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 BFrpqy55NcKEF7q772I17T0wjQ02Ut2rWrMZ1rtjWwI
+yH1f7HWIRcqlm6uRwBUcOBbz0gceyio8iL9Ggnt3Fb0
+-> piv-p256 xqSe8Q Anx1LI2vbGG5xYzIF5rKnHaqP6Lh5wf4xyNd4lsQSay3
+OePEiNdGFCd+xrGv7ARUaNKHMNWQgng4Q21Q+sbF5BA
+-> /lY8-grease
+MuwhaBG4mNhGQrxArOVAeqpkXtqhORkH40vnttBf4A
+--- R2ZE5vy2h7+LiQF946AhQXTaGuZzhar5QthG8zQXeOQ
+/hNűžš®Q
ŔÄüäÝtľ>”ZŚüT-Şßç¶Qă”™jeŐőN«dă
{Ľ ˆ5gáüöů-Ż�>˘őÁ›‹–×m.¦

secrets/wireguard/proxy-sentinel/keys/sire-ente.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 vQk4YSBJ4lAhykKSn6EQVJt3N5knDwFojKKkGXIpkko
+VFMoGYvz3Ghr2yDvkKVBhBk0RXwKvAa/1tc0XvAksqo
+-> piv-p256 xqSe8Q Ao8pq7XVm2sW7pWJwY5xV+OENbydQYPDHFyW3D4Zcypy
+804ByjdNfiNjYE1pETvtq2+Qf9XOpPSfTBTnaMYpWx0
+-> Bm!-grease
+mTATrQka+LR7fjxFRq9eK2w4OC7Da+Rx2mgoT0jRRw2urXAN3m25hupRhmXjAmUT
+UXCI6XLGG0gc+Fb5SOBXSPIjwMoVI3h8BgIRQsKUECM39iwN8j95kR9uDiP10Q
+--- kOS9Fo+PrmUqGDLRkYYMEJcoSKeVoPudmLzD/M4rwzY
+Ø¿9Sê)à)`J@´_�‹<îØèÐÁì‰N;ëHå›ä=NgÙTÞ\5;gtæÏy{ùºÏNH€…bÔeM6ñ¦îùmáÅ3

secrets/wireguard/proxy-sentinel/keys/sire-ente.pub

@@ -0,0 +1 @@
+TQLqvOZp/FoELpqnkuls/wio9ET7KurTE9XW6m+BegU=