From 69bd2a71ce7a4a1958724c851b954df6cfe70b3d Mon Sep 17 00:00:00 2001
From: oddlama <oddlama@oddlama.org>
Date: Mon, 12 Jun 2023 01:03:44 +0200
Subject: [PATCH] feat: generate secrets

---
 .../secrets/loki-basic-auth-hashes.age        |  17 +++++-----
 hosts/sentinel/secrets/loki-basic-auth.age    | Bin 409 -> 0 bytes
 hosts/ward/microvms/grafana/default.nix       |  30 ++++++------------
 .../grafana-loki-basic-auth-password.age      |   9 ++++++
 hosts/ward/microvms/kanidm/default.nix        |  24 +++-----------
 hosts/ward/microvms/loki/default.nix          |  23 +++-----------
 .../promtail-loki-basic-auth-password.age     |   9 ++++++
 modules/distributed-config.nix                |   1 +
 modules/proxy-via-sentinel.nix                |  25 +++++++++++++++
 .../proxy-sentinel/keys/ward-grafana.age      | Bin 0 -> 462 bytes
 .../proxy-sentinel/keys/ward-grafana.pub      |   1 +
 .../proxy-sentinel/keys/ward-kanidm.age       |   9 ++++++
 .../proxy-sentinel/keys/ward-kanidm.pub       |   1 +
 .../psks/sentinel+ward-grafana.age            |  12 +++++++
 .../psks/sentinel+ward-kanidm.age             | Bin 0 -> 449 bytes
 .../ward-local-vms/keys/ward-grafana.age      |  10 ++++++
 .../ward-local-vms/keys/ward-grafana.pub      |   1 +
 .../ward-local-vms/keys/ward-kanidm.age       |   9 ++++++
 .../ward-local-vms/keys/ward-kanidm.pub       |   1 +
 .../ward-local-vms/psks/ward+ward-grafana.age |   9 ++++++
 .../ward-local-vms/psks/ward+ward-kanidm.age  | Bin 0 -> 418 bytes
 .../psks/ward-grafana+ward-kanidm.age         |   9 ++++++
 .../psks/ward-grafana+ward-loki.age           |   9 ++++++
 .../psks/ward-kanidm+ward-loki.age            |  10 ++++++
 24 files changed, 154 insertions(+), 65 deletions(-)
 delete mode 100644 hosts/sentinel/secrets/loki-basic-auth.age
 create mode 100644 hosts/ward/microvms/grafana/secrets/grafana-loki-basic-auth-password.age
 create mode 100644 hosts/ward/secrets/promtail-loki-basic-auth-password.age
 create mode 100644 modules/proxy-via-sentinel.nix
 create mode 100644 secrets/wireguard/proxy-sentinel/keys/ward-grafana.age
 create mode 100644 secrets/wireguard/proxy-sentinel/keys/ward-grafana.pub
 create mode 100644 secrets/wireguard/proxy-sentinel/keys/ward-kanidm.age
 create mode 100644 secrets/wireguard/proxy-sentinel/keys/ward-kanidm.pub
 create mode 100644 secrets/wireguard/proxy-sentinel/psks/sentinel+ward-grafana.age
 create mode 100644 secrets/wireguard/proxy-sentinel/psks/sentinel+ward-kanidm.age
 create mode 100644 secrets/wireguard/ward-local-vms/keys/ward-grafana.age
 create mode 100644 secrets/wireguard/ward-local-vms/keys/ward-grafana.pub
 create mode 100644 secrets/wireguard/ward-local-vms/keys/ward-kanidm.age
 create mode 100644 secrets/wireguard/ward-local-vms/keys/ward-kanidm.pub
 create mode 100644 secrets/wireguard/ward-local-vms/psks/ward+ward-grafana.age
 create mode 100644 secrets/wireguard/ward-local-vms/psks/ward+ward-kanidm.age
 create mode 100644 secrets/wireguard/ward-local-vms/psks/ward-grafana+ward-kanidm.age
 create mode 100644 secrets/wireguard/ward-local-vms/psks/ward-grafana+ward-loki.age
 create mode 100644 secrets/wireguard/ward-local-vms/psks/ward-kanidm+ward-loki.age

diff --git a/hosts/sentinel/secrets/loki-basic-auth-hashes.age b/hosts/sentinel/secrets/loki-basic-auth-hashes.age
index 1bd7187..c47f312 100644
--- a/hosts/sentinel/secrets/loki-basic-auth-hashes.age
+++ b/hosts/sentinel/secrets/loki-basic-auth-hashes.age
@@ -1,9 +1,10 @@
 age-encryption.org/v1
--> X25519 POUeKoNotGuIHX9N955m56eWzou850H02OG3O+ygIy0
-zR6pq7sHR/Vo32YS6wITRuKRgHWjIqdcsILvR4yL6NU
--> piv-p256 xqSe8Q AoHB1E3JcMAeRCjGPj/Fnd7eeVbi1X/qXV62/04DabNm
-Uqx5OonPfDJ++9gWVfD2RztyaRVEC+ZI0eSa7h9MVgo
--> ={9x3$iL-grease 7(o } u,|S!;51 "
-g2+PG1QoDXzzkGnd3ZLsfltd0neKRWt3NwJeTDhPACFBL7yooXk
---- 5mTTZWqCisymYqhefWaZ67X1UWkrSyIMKCMvS4d6I40
-UWh;oDñn&.¥Pš	žiˆ—³¶ÈÃíºBâÌ'ÊÉr¸nâØgŽúa@UOL_Æfã…¨ö)ñRhªvüžc2Ã[iêEÜJ$fZ¾LgÉÊÎU>­\7Ú>NbÌßr{LW?ïÎ’Ë4ëxð•ãÅÏÑ‹Ý‹§7=ã~qü•ÖO6u£öõQÁøÍîÄJŒ	S¶šz	ÈÔMÀ0ï'`ì
\ No newline at end of file
+-> X25519 lB23D7AmIF0aexiFK8El0nE88SFMsTdqI2AFwCkoAkw
+n1eyViq9JQCe7QTuKi3k8DNdnjR6c2lLaBoT8f4IHQg
+-> piv-p256 xqSe8Q Ar0Mqg1pFoTei1CfCUp4SZsXNSxkJw9CVV7KuiZWqVkB
+Vx7hdeRcSiS/IiXWkMm0Sy2c5zWGGFUtLd03WKKTpYs
+-> -.-grease C?E+>{j _of5
+u02vRewJinMZScNTqe7+7Ee8b98EY3+T0oYs1yOhEJ2KdFPsrUcoMWivMun2KwwM
+rPkxdA
+--- zMYSBhkaD2xsuyTKqN8hG8NaJuAXeinDrXQtddfR0Gs
+sŒÈ†eýpÀ®_u³¸÷”hÓ·ª¶Û¶B UÿóÖìUÚp¿›[[cøË7ÿêÿ+…O´EeÁü½lˆ`j(¿`Æªv#_Ž¡î‰Æ.¸GP:ò?ê"’ß;_'>Ú 4Ç
\ No newline at end of file
diff --git a/hosts/sentinel/secrets/loki-basic-auth.age b/hosts/sentinel/secrets/loki-basic-auth.age
deleted file mode 100644
index 50f10466068ef4865d75a23b1ed93941df0be1bf..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 409
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR2FFfuhYv{Z01PjpTTN;j-5b4+t~F>}jv
zGpa1CDo-?auJA94$O_HyD9<(ZD@gLn4CV4qu`tOjc5@CYD|bzgFg4dsk1R6HcdGQy
z%XRXpG^_GWN-rok)A#Vx_XXKdkXfc%U}S2hP*E71Y7wa5SmEYal2e}QQKnxW6;T;k
zVD6NkU18uJQkYbh8<w47sGk^|X_4z_n4DY4mExI|WDx2V=xJu08k%Dg;O67u5>#TI
zTUwOp?-7}5=&7IS8J6an>t>b>vdd66y(l%YI8`B}IG4*iEioshoJ&_%SD~sRtvJoN
zydu{-s@NmTyVTRqEm%7{!ZNth+ter^tDw|CJKe;`!YeG<lS_Jj<Yy;_qz_p}cXn>`
zxTUv9)!W}iyhT^|)DiEBC&Bwd%8pF_qWYomb%w6SQQf~kStGx>Op&j*^J`XLQ~#y@
zK*5~6)jPsizVBZy#+~#z%ge8{WZ`;lxkX!jvKCI<ZE87>E9pwX4@Y@_hDoBWwEzPq
BlpFv6

diff --git a/hosts/ward/microvms/grafana/default.nix b/hosts/ward/microvms/grafana/default.nix
index 3f4285f..73a9059 100644
--- a/hosts/ward/microvms/grafana/default.nix
+++ b/hosts/ward/microvms/grafana/default.nix
@@ -6,25 +6,12 @@
   utils,
   ...
 }: {
-  extra.wireguard.proxy-sentinel.client.via = "sentinel";
+  imports = [
+    ../../../../modules/proxy-via-sentinel.nix
+  ];
 
-  networking.nftables.firewall = {
-    zones = lib.mkForce {
-      proxy-sentinel.interfaces = ["proxy-sentinel"];
-      sentinel = {
-        parent = "proxy-sentinel";
-        ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
-        ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
-      };
-    };
-
-    rules = lib.mkForce {
-      sentinel-to-local = {
-        from = ["sentinel"];
-        to = ["local"];
-        allowedTCPPorts = [3001];
-      };
-    };
+  networking.nftables.firewall.rules = lib.mkForce {
+    sentinel-to-local.allowedTCPPorts = [3001];
   };
 
   age.secrets.grafana-secret-key = {
@@ -40,7 +27,10 @@
     group = "grafana";
   };
 
-  nodes.sentinel.age.secrets.loki-basic-auth-hashes.generator.dependencies = [config.age.secrets.grafana-loki-basic-auth-password];
+  nodes.sentinel.age.secrets.loki-basic-auth-hashes.generator.dependencies = [
+  aaa not wokring
+    config.age.secrets.grafana-loki-basic-auth-password
+  ];
 
   services.grafana = {
     enable = true;
@@ -104,7 +94,7 @@
           orgId = 1;
           basicAuth = true;
           basicAuthUser = nodeName;
-          secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.loki-basic-auth-password.path}}";
+          secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.grafana-loki-basic-auth-password.path}}";
         }
       ];
     };
diff --git a/hosts/ward/microvms/grafana/secrets/grafana-loki-basic-auth-password.age b/hosts/ward/microvms/grafana/secrets/grafana-loki-basic-auth-password.age
new file mode 100644
index 0000000..83c4eaf
--- /dev/null
+++ b/hosts/ward/microvms/grafana/secrets/grafana-loki-basic-auth-password.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 S8bAt5Bt8ci+w8+jC/II3dMSUUEneGKpJULB+FYN6ns
+DpKs7bP2Ft4fgbntM6guSFlUuCHiysmALR6jAK6bR/A
+-> piv-p256 xqSe8Q A7ZD865VJVg/Lx4d2Ly4dvaIzKmmA1X5f/EOdwdH3dfb
+jEqpzb0kdVzYddrmVXIi8672/YLH5+luvUJeb4/ibzA
+-> gu'-grease
+uGbk/7/cRAmN2VWdXgKuVrvRAfnupb/WTK0r5ow5ud/sp2iEVAM8NZ9f
+--- QtjcCefxUDq0yYOou3EbBBZbGu1FfzmXo3cXhiKe44E
+0ß¾.D¨$Ê¼C G‰­KŽ	Bˆ¿FËméXêŸ]¢,'0›áæo!‘ß¸#‹¬]%öðŽ=—Óž~­QÜèß€ÐÌƒ›Gæ¶Òœr—
\ No newline at end of file
diff --git a/hosts/ward/microvms/kanidm/default.nix b/hosts/ward/microvms/kanidm/default.nix
index 1340c88..46c3646 100644
--- a/hosts/ward/microvms/kanidm/default.nix
+++ b/hosts/ward/microvms/kanidm/default.nix
@@ -6,26 +6,12 @@
   utils,
   ...
 }: {
-  extra.wireguard.proxy-sentinel.client.via = "sentinel";
+  imports = [
+    ../../../../modules/proxy-via-sentinel.nix
+  ];
 
-  # TODO this as includable module?
-  networking.nftables.firewall = {
-    zones = lib.mkForce {
-      proxy-sentinel.interfaces = ["proxy-sentinel"];
-      sentinel = {
-        parent = "proxy-sentinel";
-        ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
-        ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
-      };
-    };
-
-    rules = lib.mkForce {
-      sentinel-to-local = {
-        from = ["sentinel"];
-        to = ["local"];
-        allowedTCPPorts = [8300];
-      };
-    };
+  networking.nftables.firewall.rules = lib.mkForce {
+    sentinel-to-local.allowedTCPPorts = [8300];
   };
 
   age.secrets."kanidm-self-signed.crt" = {
diff --git a/hosts/ward/microvms/loki/default.nix b/hosts/ward/microvms/loki/default.nix
index 1aeaa93..687683f 100644
--- a/hosts/ward/microvms/loki/default.nix
+++ b/hosts/ward/microvms/loki/default.nix
@@ -5,25 +5,12 @@
   utils,
   ...
 }: {
-  extra.wireguard.proxy-sentinel.client.via = "sentinel";
+  imports = [
+    ../../../../modules/proxy-via-sentinel.nix
+  ];
 
-  networking.nftables.firewall = {
-    zones = lib.mkForce {
-      proxy-sentinel.interfaces = ["proxy-sentinel"];
-      sentinel = {
-        parent = "proxy-sentinel";
-        ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
-        ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
-      };
-    };
-
-    rules = lib.mkForce {
-      sentinel-to-local = {
-        from = ["sentinel"];
-        to = ["local"];
-        allowedTCPPorts = [3100];
-      };
-    };
+  networking.nftables.firewall.rules = lib.mkForce {
+    sentinel-to-local.allowedTCPPorts = [3100];
   };
 
   services.loki = let
diff --git a/hosts/ward/secrets/promtail-loki-basic-auth-password.age b/hosts/ward/secrets/promtail-loki-basic-auth-password.age
new file mode 100644
index 0000000..30ce9bd
--- /dev/null
+++ b/hosts/ward/secrets/promtail-loki-basic-auth-password.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 WO6NVr8uGQ9GGngru17rGIcyZ7Jk0V47Me3ee4h0wTQ
+2wi5L99XZMN4Aytb8aYH4H6iR9MeuXNXh6hOCap/75A
+-> piv-p256 xqSe8Q Aoh7VxZSYtAdc4h0B9toepYGmB9Ad6lib7ovoK7P9jTp
+21bQ859o1wlRZxyw84hCEZFWcCQ58uQ0sxzSMlVYvwE
+-> DJt-grease ipE| /Qlv %,8pl
+6Pg7ViLxJIt1CrQFYVZvTPGz
+--- DNpm5163v+rHN5tTVzNbIt3mQRvkLs7Envc7HulIU0g
+Í\©¬ü®ÆÄ[Ñbr©WÝ%úÿ‘ÜZ‚ÇÑ:Ù¦ý¿O_Ô6YpÔ½pÁÒƒ —"ó)Z¼G/B§–H¶&©}3ª‘]u	æ½õEÏóÌ‚§
\ No newline at end of file
diff --git a/modules/distributed-config.nix b/modules/distributed-config.nix
index 647173d..290be61 100644
--- a/modules/distributed-config.nix
+++ b/modules/distributed-config.nix
@@ -34,6 +34,7 @@ in {
     foreignConfigs = map (n: colmenaNodes.${n}.config.nodes.${nodeName} or {}) otherNodes;
     toplevelAttrs = ["age" "networking" "systemd" "services"];
   in
+    todo wrong, currently extension FROM microvms is not possible
     {
       assertions =
         map (n: {
diff --git a/modules/proxy-via-sentinel.nix b/modules/proxy-via-sentinel.nix
new file mode 100644
index 0000000..a54712d
--- /dev/null
+++ b/modules/proxy-via-sentinel.nix
@@ -0,0 +1,25 @@
+{
+  lib,
+  nodes,
+  ...
+}: {
+  extra.wireguard.proxy-sentinel.client.via = "sentinel";
+
+  networking.nftables.firewall = {
+    zones = lib.mkForce {
+      proxy-sentinel.interfaces = ["proxy-sentinel"];
+      sentinel = {
+        parent = "proxy-sentinel";
+        ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
+        ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
+      };
+    };
+
+    rules = lib.mkForce {
+      sentinel-to-local = {
+        from = ["sentinel"];
+        to = ["local"];
+      };
+    };
+  };
+}
diff --git a/secrets/wireguard/proxy-sentinel/keys/ward-grafana.age b/secrets/wireguard/proxy-sentinel/keys/ward-grafana.age
new file mode 100644
index 0000000000000000000000000000000000000000..f0a43120c265ccf237d199479f2ba33749e8a23f
GIT binary patch
literal 462
zcmWm7y^GUO003}BhijH|a24X<RC2kbdHLYrAWhq($6eF3`LZIKOOw~oBroY}nvY31
z)J2?J)JbsFO$0Y5MYut5a1tjs4+IwlLGJet{5%*?LF%vSY#pI=2dyBzVF+rUbXfox
zi4+CL?z$E&Z89YS9$!zYo0XQvxn3l8!Hp6nYm#KwsiKlt=TpgQ>vaPi#*5XF(m2vW
zmka<!o(?As$PZ!DVQ4(sJs+}YLuD-B$ts@)qCv{l`T%Az*B*y;RY&~+SB7ddoBP~S
zw!~=(Ts#Cv?NLV<6@-|S-UJSczKIXJ1GF4Z1&OvXyTo$I%x8_IYnIu_%fvR$uXcy_
zDYyze9FRG`=Nz%LLSDB$WiKi35H@Wq63768y~$9U#Erih@JRLGFu*SDv9`?V95*wE
z#zM{!L}}O;rpL$72ofL8K#x!hpo(!%)ntOADAJU~1iR%1^cQty7IW>Oo+&)2xfLVu
z9V~K4jl!XtmkuKSerYbAe82tjTlMy1t8@7^ojmHI?LRO6J$d)$($)jx*|_y%D?Yj6
pK0f{Q`@)S^;M&>es~=kXr|H?x>ixa?ZXZAF{krw_X@39t&VNSDprHT&

literal 0
HcmV?d00001

diff --git a/secrets/wireguard/proxy-sentinel/keys/ward-grafana.pub b/secrets/wireguard/proxy-sentinel/keys/ward-grafana.pub
new file mode 100644
index 0000000..8bcfb3e
--- /dev/null
+++ b/secrets/wireguard/proxy-sentinel/keys/ward-grafana.pub
@@ -0,0 +1 @@
+e01aX1saudxbQ2QNI171c3HQYopzr65dUSvy3nttv2I=
diff --git a/secrets/wireguard/proxy-sentinel/keys/ward-kanidm.age b/secrets/wireguard/proxy-sentinel/keys/ward-kanidm.age
new file mode 100644
index 0000000..7b741de
--- /dev/null
+++ b/secrets/wireguard/proxy-sentinel/keys/ward-kanidm.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 iDP/l9JWpSbmurGwatXgJB7lpXbN91ni8Q2dJQcOuHI
+0mZ+TZtBjLrxg+9S4wPNfmQMMF8Muoz80FljLGZeQls
+-> piv-p256 xqSe8Q Any/1MXgHhAG2HbdPc6E9tm4S+LwrzYl0I4Ueqhu/paX
+C95VJbBXVDaKe6yHLjZ3QHhh+X9gn8xZ7NdF/1egY/w
+-> r1b-grease !c:IOcD~
+G3m3OhWWqAc+CuI
+--- XmXpw9TwMOGptOoWlyvlwiuKIhqiBc0+hq2zJ+jZwuc
+*ƒ½oXØ>R’=v† ½›b"	vNã€Å”¥¯YÃ|¿$‡îãë	…:Ý<é¹Š£.Z/Ìª`P|[ŽõŠÍÀÞUj›D›³üè»hY
\ No newline at end of file
diff --git a/secrets/wireguard/proxy-sentinel/keys/ward-kanidm.pub b/secrets/wireguard/proxy-sentinel/keys/ward-kanidm.pub
new file mode 100644
index 0000000..bc74869
--- /dev/null
+++ b/secrets/wireguard/proxy-sentinel/keys/ward-kanidm.pub
@@ -0,0 +1 @@
+n+WfDPdO0Xz1j7pVdc/TgCxj+LQQSiAjs3isjPC2GUM=
diff --git a/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-grafana.age b/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-grafana.age
new file mode 100644
index 0000000..312d44c
--- /dev/null
+++ b/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-grafana.age
@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> X25519 0yESayMtWrk28Z68kjxDmDD9JH68LZbhw0HsaSDXoVY
+G7TX9cB4VAvnz5yPVxGM+7CNhhsYpc9z1AnmDX68fDE
+-> piv-p256 xqSe8Q A4nALj+oE9+cPh20V0q7Q3FW+BUe6ss1YL28G7qgT3AP
+eSUmv9rudIjfD9eqF+4C1PBsrH96YyQsalxA2SHnOuk
+-> Og-_`qm-grease R.-KV
+2vNoHmyK16/IIrS3NnRBc1TTkfnf8ZC55hgzxfHuB2dhuRH2MuNGS9nz5HHfZ9yi
+iIw
+--- CoRs6zw5vxbWfLmaO3aE7PrYJHcPWkJ16Dcb+9pecrw
+:
+É<^7¥å–vÈùuáÍÌQû“ªuÁ­eËY"·ê
+#!‘!ÉM¢Gé&ßêÂ{¬Þ¬x.©!|F äÿ¦>[ˆÄ«q¹6Ïs
\ No newline at end of file
diff --git a/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-kanidm.age b/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-kanidm.age
new file mode 100644
index 0000000000000000000000000000000000000000..83337dffe6a5a37d5b9437073c855bc046b3501b
GIT binary patch
literal 449
zcmWm7&ui0A007{@KqdGu2pK~>JY$<SKLrO(+9h_pu32M~zKdqbOV(sf-qIv54Lb~W
z77+&G&40n0Af7!6B6xQmL}hr;g9k--`i`F$VGgH$z9PjuOYdZP)T(%f+hX00DDo<s
zW(nLEp<Z;twun1jU2C=vESHA%!X)h}0Z7Uflr?i2F^dpRgB_L5)MS*dDnD$*J+jcC
zH`ZkAL@t7UU<gSqA$mEGdBu^AD6#d?1S=NX1NDItR(?XQ(j?_zp+{Nl1@3;Nj3Hmd
z-GmP8xTfANv6u&elxg!^(``>&;=`J%nlfw}(3Ne!V~-VeJR7Zut~-Koc^w}=f?Ski
zZ;4rx$D8POpC!eu5<M*T*lK6X+Gvj$+lT#rnJ0us#staTDF#4CAQramdP1cjtxA&)
zk1BO2IRlxt497r;GGjQ7V>71>tjvJWg04b?(U9~)^U#q8veOrK|5FKZ0Ep8o?lbEj
zs}t4!8UOk6<IH{`F4tb?SI?hb+*DqDy>|V|-QVbJ2H!c~&1d)U`uX$;kY0ZN7MvOg
ZJbxo>Y{qNR#rwCdUpM&2_NNbj{{dsDoY(*W

literal 0
HcmV?d00001

diff --git a/secrets/wireguard/ward-local-vms/keys/ward-grafana.age b/secrets/wireguard/ward-local-vms/keys/ward-grafana.age
new file mode 100644
index 0000000..cd5277f
--- /dev/null
+++ b/secrets/wireguard/ward-local-vms/keys/ward-grafana.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 1VMVSzcANsteZ4hAHqn/TJJcEU1jqj2m3fgY6SNe1Vc
+w5a7A0Suk4RHNVUbqdLnodZf5qPmAd214QtOqHLMFU8
+-> piv-p256 xqSe8Q Ah1xDNBFPyADUPmDyZn1nrdd1etkCGCP9k1FVzO2ax05
+SLRXGnfmBI+MucpBj5IhdCLOSCE+VdEsVGJrV8Uno1c
+-> Bk(9k-grease
+X7PFQXIU0w0BA4i39o/DvXD7RvSI6a/19qbgDus8QspP2zizCYLRiir4GC/eEmbx
+naZ8rbadAiqF33d9TJjt0GHLAKEO41LLag
+--- S9BGD+Tn7zOwdYaOL6bxMJg+miYxMClrfVYF++N1bT8
+YÊ¾ÔS/OðÕÆ}€‘ `Ì’GSt€Hg—/cÑ»É¼¥Àö+GŽÀ¥Ú`üˆù§y‘O2-ž‰eÇSøº¥ìùË/.ˆ³Ä³ê‹$Í³K
\ No newline at end of file
diff --git a/secrets/wireguard/ward-local-vms/keys/ward-grafana.pub b/secrets/wireguard/ward-local-vms/keys/ward-grafana.pub
new file mode 100644
index 0000000..029880c
--- /dev/null
+++ b/secrets/wireguard/ward-local-vms/keys/ward-grafana.pub
@@ -0,0 +1 @@
+JhRPg09Lsu7OJ2YpyZHD+/KaKYT9xHJ6D8Ljhwa7JXU=
diff --git a/secrets/wireguard/ward-local-vms/keys/ward-kanidm.age b/secrets/wireguard/ward-local-vms/keys/ward-kanidm.age
new file mode 100644
index 0000000..f19c451
--- /dev/null
+++ b/secrets/wireguard/ward-local-vms/keys/ward-kanidm.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 fh0OvxTr6Zttk6+VAI9c4Y9ann6FIkTmBvC7Y82SrxI
+Y6k/ZKI7a1J0/hcPrPdl25l6takAd//omssdtLinYlo
+-> piv-p256 xqSe8Q AjohzpU4WsG47TdoKLAUQ38ebUvlFSh6HK+tpFIa8XiD
+OIBdk79gYZCYn6Cpb7g/wYMdiP2f244nGfkuhHvtIdM
+-> PvW.-grease M`]UA5 5e} %97ce
+IC2uBMgrkvgSG7PDF7sNIA
+--- Ewa38w9RjdbGnOTGDW9Np0S5URA9FP1vLSm+5ewr0vk
+¤…¦¶mV.ñ«è˜®iLA`½fLÖ1hOêñ@V‹=.òˆl‰` ¢¦Í¾ÚÅ´=ñ/¬YÚ¹JÃŸ©+WõaŒáëz
\ No newline at end of file
diff --git a/secrets/wireguard/ward-local-vms/keys/ward-kanidm.pub b/secrets/wireguard/ward-local-vms/keys/ward-kanidm.pub
new file mode 100644
index 0000000..8e72e4e
--- /dev/null
+++ b/secrets/wireguard/ward-local-vms/keys/ward-kanidm.pub
@@ -0,0 +1 @@
+utKdEpCoObpQQBsgTdHo9ILebtAmky2ODzzvyxqCNGU=
diff --git a/secrets/wireguard/ward-local-vms/psks/ward+ward-grafana.age b/secrets/wireguard/ward-local-vms/psks/ward+ward-grafana.age
new file mode 100644
index 0000000..b0e3939
--- /dev/null
+++ b/secrets/wireguard/ward-local-vms/psks/ward+ward-grafana.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 l+Kx2WdyZAcXw1khpjWLlp3i0ZGsL55c4uglYcjM8lg
+X7K6tEd5ShwZTV77QJGOUze5xqC7h52p/sgxdYjd+Hw
+-> piv-p256 xqSe8Q Almjk6hOZRvyUCMKI/zvfBxtiRHkeJ0osoqhgkNKJwWb
+zICEosfjzSTe4KF29PpxpUiEb3+U7tSVgPd6DBGrTF8
+-> ZiQW'-grease f cV
+hIn+gaL0Gga0VyVw9KFhgc/tIrleJnE
+--- rtrMiXdLfW6uqYP8F8OUPGxJxiBV2L7x4/6zQk6MbVo
+¡û€š™ª+óÛf>>¿«Ã˜º1dËà"Ÿ„ÀdŸ êÚuN³y=Ñ­²Ž–œâÙtf+_·m”ƒè=”¡à)*’¡¶ûŒ°
\ No newline at end of file
diff --git a/secrets/wireguard/ward-local-vms/psks/ward+ward-kanidm.age b/secrets/wireguard/ward-local-vms/psks/ward+ward-kanidm.age
new file mode 100644
index 0000000000000000000000000000000000000000..774b6dde75974a17628727b15ec06a852917e56a
GIT binary patch
literal 418
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR2FFfuhYv{Wc6am_IfDR*)7GcOD*HApHC
z$ahUQ$}h?{OpNsQu`I}Qj`S%m4~z0P^5u%i^$1T-$~3kx*EY?~HZjey$S86R$j*)Q
zwA8NfH7HAU^$fBw^78Qw%?H^~kXfc%U}S2hP*E71Y7wa5Xi}IGRPJF|m2X+@>zi9z
z>S|<~lkQiV=2;XHSec)a=UDEZZs3(%5s{nC<>%v_=@D)j>Jk{}TICex>y~L$;^FV=
zR+MEJ74BK->y@2U;h$e+5LFxrvP(JN$~(b7SvS2XHL*BV!Mw)a%bd$KqpYGhwaUFJ
ztk~SBsx-<dEhHqu(X`ks#51iVC@aY&yRf)4zsizJS65fTEiu9`vfQ=M+rT_8(mCI=
zASgJ>F~hys&DS8qpensQ(mmAA**G!DE6SB?Cu8Ot56^|iPTyrc<ICjMFjq>}_`#xy
znH44O86P<RSX-9{9-J3D*@fZlT&t5>+rBa#GTc$OH}u8M3tQ9#y99cw&%0`@Hmzpc
Jkg`Vj0RWkwlJfun

literal 0
HcmV?d00001

diff --git a/secrets/wireguard/ward-local-vms/psks/ward-grafana+ward-kanidm.age b/secrets/wireguard/ward-local-vms/psks/ward-grafana+ward-kanidm.age
new file mode 100644
index 0000000..9b09e50
--- /dev/null
+++ b/secrets/wireguard/ward-local-vms/psks/ward-grafana+ward-kanidm.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 0rM+VxBb/RV2VTW5xCQEsiKcEavMhS84MczYVNu3M28
+JqY5QAqkTOe+DPTcQ+hE8VyydiuCTB/oMfybJy77nTw
+-> piv-p256 xqSe8Q A7YPM7afy7jQlOjLSGnRZxM1Lpjq/MIrE/Re/eXvTWLG
+DVs5SmBiriP1N5Ao/JZCW4kMMsM5Pn3GZq2wGEUIQ5Y
+-> WkDB[!<@-grease NA %r x ?p8%w^w
+KzfsXKRvSOnHZCqBCNA
+--- 0nKf16DM2WX3m8hCsuXJhepeoqW4ijIFDvrS7j9RUuI
+¾‰í8ÿ3Ì×Åxå0"~<âÜê1€+ºÙ”zb„Õ=$-´\ýwåëu}ââ)¤×ìù¸ÔÃÃðÔtR5šT78Ðªäý—÷þš
\ No newline at end of file
diff --git a/secrets/wireguard/ward-local-vms/psks/ward-grafana+ward-loki.age b/secrets/wireguard/ward-local-vms/psks/ward-grafana+ward-loki.age
new file mode 100644
index 0000000..14a8c04
--- /dev/null
+++ b/secrets/wireguard/ward-local-vms/psks/ward-grafana+ward-loki.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 uqBWvpQ8DR8aQY2r3Vhw6axyVbKmgXvEXFLZuM7rA1o
++uCVaGfiloQOtRdJXkqi3DmyflJxCmnHBdTd8i+Pafc
+-> piv-p256 xqSe8Q AoCH6+psiFFiq55UYRSO1xsTxDAbspFul9JLvoa15kwp
+6jgEbmnQtGkajeVOOVcna+3lBwWn9ugUAOueJ3xHMpo
+-> z-grease n3dm|_ '/E`@% H
+85u5GUpIwcbSPBPN9Kulccacf9/mWWvIHfTb
+--- feOoiwcKK14ARe6JX6Fgn8mql8i6pQ9D8RLo5VF13VI
+&L)¼/¢øÓÊ‡…–¡Û^H‡,báN<üÌB†³K†6 >²ƒKEí8¢ ÞçMß€õÃú1¼µ€í¬Ùsæù¦%BdÈäg¨Òr
\ No newline at end of file
diff --git a/secrets/wireguard/ward-local-vms/psks/ward-kanidm+ward-loki.age b/secrets/wireguard/ward-local-vms/psks/ward-kanidm+ward-loki.age
new file mode 100644
index 0000000..f47879f
--- /dev/null
+++ b/secrets/wireguard/ward-local-vms/psks/ward-kanidm+ward-loki.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 UnfKesPLrwZKz3l1tgw3u0eSpH/znFoeEtDJMkBzz3E
+SdRp4/E0e54l1P9f7/qh6Y/FT3AItVnNyu+z+IRE91Q
+-> piv-p256 xqSe8Q Ai0cV8qTPFWewQC9MDQUm5pnKUa2Vkq1CwbWcpTURxOj
+56B02YgriclCJMU8qT8J9auzEAi2dQFrYZwCSIny7Lc
+-> PS-rC-grease kf8 Ri>B
+yrzDq1oL2vHsqwzYr5I8nV+oC7QWnGWDMLVe
+--- L7Jd7UDHK8K1mjVqv25iOui+8jbVx+fcd3Bp0aqFstQ
+«{"ŸqK¨sóqË Ãá|?'2ÌðÁàü½Û
+°S]jíW2½„úÛNõ¸ªMÖÁð;ühüüíš`ñ°• Ú˜‰"*eÙÄxy
\ No newline at end of file