diff --git a/hosts/sentinel/coturn.nix b/hosts/sentinel/coturn.nix
new file mode 100644
index 0000000..232e171
--- /dev/null
+++ b/hosts/sentinel/coturn.nix
@@ -0,0 +1,81 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ inherit
+ (lib)
+ getExe
+ mkAfter
+ mkForce
+ ;
+
+ hostDomain = config.repo.secrets.global.domains.me;
+ coturnDomain = "coturn.${hostDomain}";
+in {
+ age.secrets.coturn-password-netbird = {
+ generator.script = "alnum";
+ group = "turnserver";
+ mode = "440";
+ };
+
+ networking.firewall.allowedUDPPorts = [
+ config.services.coturn.listening-port
+ config.services.coturn.alt-listening-port
+ config.services.coturn.tls-listening-port
+ config.services.coturn.alt-tls-listening-port
+ ];
+ networking.firewall.allowedTCPPorts = [
+ config.services.coturn.listening-port
+ config.services.coturn.alt-listening-port
+ config.services.coturn.tls-listening-port
+ config.services.coturn.alt-tls-listening-port
+ ];
+ networking.firewall.allowedUDPPortRanges = [
+ {
+ from = config.services.coturn.min-port;
+ to = config.services.coturn.max-port;
+ }
+ ];
+ networking.providedDomains.coturn = coturnDomain;
+
+ services.coturn = {
+ enable = true;
+
+ realm = coturnDomain;
+ lt-cred-mech = true;
+ no-cli = true;
+
+ extraConfig = ''
+ fingerprint
+ user=netbird:@password@
+ no-software-attribute
+ '';
+
+ cert = "@cert@";
+ pkey = "@pkey@";
+ };
+
+ systemd.services.coturn = let
+ certsDir = config.security.acme.certs.${hostDomain}.directory;
+ in {
+ preStart = mkAfter ''
+ ${getExe pkgs.replace-secret} @password@ ${config.age.secrets.coturn-password-netbird.path} /run/coturn/turnserver.cfg
+ ${getExe pkgs.replace-secret} @cert@ <(echo "$CREDENTIALS_DIRECTORY/cert.pem") /run/coturn/turnserver.cfg
+ ${getExe pkgs.replace-secret} @pkey@ <(echo "$CREDENTIALS_DIRECTORY/pkey.pem") /run/coturn/turnserver.cfg
+ '';
+ serviceConfig = {
+ LoadCredential = [
+ "cert.pem:${certsDir}/fullchain.pem"
+ "pkey.pem:${certsDir}/key.pem"
+ ];
+ Restart = mkForce "always";
+ RestartSec = "60"; # Retry every minute
+ };
+ };
+
+ security.acme.certs.${hostDomain}.postRun = ''
+ systemctl restart coturn.service
+ '';
+}
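Review bot: The relay configured in `extraConfig` carries no peer restrictions, so a client holding the static `netbird` credential can have coturn relay to any address sentinel itself can reach — loopback, the wireguard mesh, and whatever RFC1918/ULA ranges are routable — unless the coturn release in use already denies those by default, which is worth confirming. Add `no-multicast-peers`, `denied-peer-ip=10.0.0.0-10.255.255.255`, `denied-peer-ip=192.168.0.0-192.168.255.255` next to `fingerprint`, and the equivalent entries for 172.16/12, 127/8, fe80::/10 and fd00::/8; if peers on the relay's own public address are required, re-allow that single address with `allowed-peer-ip`. The TLS listeners also accept every protocol version coturn is built with, so `no-tlsv1` and `no-tlsv1_1` belong in the same block. The credential handling itself (password via replace-secret, cert and key via LoadCredential rather than group-readable paths) is sound.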
diff --git a/hosts/sentinel/default.nix b/hosts/sentinel/default.nix index 4db9c22..9158772 100644 --- a/hosts/sentinel/default.nix +++ b/hosts/sentinel/default.nix @@ -11,6 +11,7 @@ ../../modules/optional/zfs.nix ./acme.nix + ./coturn.nix ./fs.nix ./net.nix ./oauth2.nix diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix index 5e51d7d..5eb9363 100644 --- a/hosts/ward/default.nix +++ b/hosts/ward/default.nix @@ -107,6 +107,7 @@ // mkMicrovm "adguardhome" // mkMicrovm "forgejo" // mkMicrovm "kanidm" + // mkMicrovm "netbird" // mkMicrovm "radicale" // mkMicrovm "vaultwarden" ); diff --git a/hosts/ward/guests/kanidm.nix b/hosts/ward/guests/kanidm.nix index 33cffac..65aaa1f 100644 --- a/hosts/ward/guests/kanidm.nix +++ b/hosts/ward/guests/kanidm.nix @@ -106,12 +106,24 @@ in { basicSecretFile = config.age.secrets.kanidm-oauth2-immich.path; preferShortUsername = true; # XXX: PKCE is currently not supported by immich - # XXX: Also RS256 is used instead of ES256 so additionally needed: - # kanidm system oauth2 warning-enable-legacy-crypto immich allowInsecureClientDisablePkce = true; + # XXX: RS256 is used instead of ES256 so additionally we need legacy crypto + enableLegacyCrypto = true; scopeMaps."immich.access" = ["openid" "email" "profile"]; }; + # Netbird + groups."netbird.access" = {}; + systems.oauth2.netbird = { + public = true; + displayName = "Netbird"; + originUrl = "https://${sentinelCfg.networking.providedDomains.netbird}/"; + preferShortUsername = true; + enableLocalhostRedirects = true; + enableLegacyCrypto = true; + scopeMaps."netbird.access" = ["openid" "email" "profile"]; + }; + # Paperless groups."paperless.access" = {}; systems.oauth2.paperless = { diff --git a/hosts/ward/guests/netbird.nix b/hosts/ward/guests/netbird.nix new file mode 100644 index 0000000..f36fa68 --- /dev/null +++ b/hosts/ward/guests/netbird.nix 
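Review bot: In the kanidm.nix hunk the new `systems.oauth2.netbird` client sets `enableLegacyCrypto = true` without a justification, while the immich entry just above it now documents the same setting with `# XXX: RS256 is used instead of ES256 so additionally we need legacy crypto`; the netbird block should carry an equivalent comment so that the weaker signing algorithm is visibly deliberate rather than copied along. Suggested line above `enableLegacyCrypto = true;` in the netbird block: `# XXX: netbird expects RS256 instead of ES256 so we need legacy crypto` — confirm against the netbird OIDC requirements before keeping it. `enableLocalhostRedirects = true` would similarly benefit from a one-line note naming the login flow that needs it. The enclosing `systems.oauth2` attribute set begins before the hunk.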
@@ -0,0 +1,134 @@
+{
+ config,
+ lib,
+ nodes,
+ ...
+}: let
+ sentinelCfg = nodes.sentinel.config;
+ netbirdDomain = "netbird.${config.repo.secrets.global.domains.me}";
+in {
+ wireguard.proxy-sentinel = {
+ client.via = "sentinel";
+ firewallRuleForNode.sentinel.allowedTCPPorts = [3000 3001];
+ };
+
+ # Mirror the original coturn password
+ age.secrets.coturn-password-netbird = {
+ inherit (sentinelCfg.age.secrets.coturn-password-netbird) rekeyFile;
+ };
+
+ age.secrets.coturn-secret = {
+ generator.script = "alnum";
+ };
+
+ age.secrets.netbird-data-store-encryption-key = {
+ generator.script = {pkgs, ...}: ''
+ ${lib.getExe pkgs.openssl} rand -base64 32
+ '';
+ };
+
+ environment.persistence."/persist".directories = [
+ {
+ directory = "/var/lib/netbird-mgmt";
+ mode = "640";
+ user = "netbird";
+ group = "netbird";
+ }
+ ];
+
+ services.netbird = {
+ server = {
+ enable = true;
+ domain = netbirdDomain;
+
+ dashboard.settings.AUTH_AUTHORITY = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/netbird";
+
+ management = {
+ port = 3000;
+ dnsDomain = "internal.${config.repo.secrets.global.domains.me}";
+ singleAccountModeDomain = "home.lan";
+ oidcConfigEndpoint = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/netbird/.well-known/openid-configuration";
+ turnDomain = sentinelCfg.networking.providedDomains.coturn;
+ turnPort = sentinelCfg.services.coturn.tls-listening-port;
+ settings = {
+ TURNConfig = {
+ Secret._secret = config.age.secrets.coturn-secret.path;
+ Turns = [
+ {
+ Proto = "udp";
+ URI = "turn:${config.services.netbird.server.management.turnDomain}:${builtins.toString config.services.netbird.server.management.turnPort}";
+ Username = "netbird";
+ Password._secret = config.age.secrets.coturn-password-netbird.path;
+ }
+ ];
+ };
+ DataStoreEncryptionKey._secret = config.age.secrets.netbird-data-store-encryption-key.path;
+ };
+ };
+ };
+ };
+
+ nodes.sentinel = {
+ networking.providedDomains.netbird = netbirdDomain;
+
+ services.nginx = {
+ upstreams.netbird = {
+ servers."${config.wireguard.proxy-sentinel.ipv4}:80" = {};
+ extraConfig = ''
+ zone netbird 64k;
+ keepalive 5;
+ '';
+ };
+ upstreams.netbird-mgmt = {
+ servers."${config.wireguard.proxy-sentinel.ipv4}:3000" = {};
+ extraConfig = ''
+ zone netbird 64k;
+ keepalive 5;
+ '';
+ };
+ upstreams.netbird-signal = {
+ servers."${config.wireguard.proxy-sentinel.ipv4}:3001" = {};
+ extraConfig = ''
+ zone netbird 64k;
+ keepalive 5;
+ '';
+ };
+ virtualHosts.${netbirdDomain} = {
+ forceSSL = true;
+ useACMEWildcardHost = true;
+ locations = {
+ "/" = {
+ root = config.services.netbird.server.dashboard.finalDrv;
+ tryFiles = "$uri $uri.html $uri/ =404";
+ X-Frame-Options = "SAMEORIGIN";
+ };
+
+ "/signalexchange.SignalExchange/".extraConfig = ''
+ grpc_pass grpc://netbird-signal;
+ grpc_read_timeout 1d;
+ grpc_send_timeout 1d;
+ grpc_socket_keepalive on;
+ '';
+
+ "/api".proxyPass = "http://netbird-mgmt";
+
+ "/management.ManagementService/".extraConfig = ''
+ grpc_pass grpc://netbird-mgmt;
+ grpc_read_timeout 1d;
+ grpc_send_timeout 1d;
+ grpc_socket_keepalive on;
+ '';
+ };
+
+ extraConfig = ''
+ client_max_body_size 500M ;
+ client_header_timeout 1d;
+ client_body_timeout 1d;
+ '';
+ };
+ };
+ };
+
+ systemd.services.netbird-signal.serviceConfig.RestartSec = "60"; # Retry every minute
+ systemd.services.netbird-management.serviceConfig.RestartSec = "60"; # Retry every minute
+}
diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix
index 27dc583..259a854 100644
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
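Review bot: `TURNConfig.Secret._secret` points at a freshly generated `coturn-secret`, but the coturn side in hosts/sentinel/coturn.nix never learns this value (no `use-auth-secret`/`static-auth-secret`), so it is either dead configuration — if netbird's time-based TURN credentials stay disabled and only the static `netbird` user/password in `Turns` is handed out — or, should they be enabled later, clients would be issued credentials coturn cannot validate; either provision the same secret on both hosts or drop `age.secrets.coturn-secret` and the `Secret._secret` line. Separately, `mode = "640"` in the `/persist` directories entry is applied to a directory, where the missing search bit keeps even the owner from entering it; `0750` or `0700` is presumably intended unless the service's state-directory handling resets the mode at start. `upstreams.netbird` (port 80 on the guest) is referenced by no location and port 80 is absent from `firewallRuleForNode.sentinel.allowedTCPPorts`, so it looks like a leftover that can be removed.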
@@ -110,9 +110,29 @@ in { late = true; # Only accept after any rejects have been processed verdict = "accept"; }; + + #masquerade-vpn = { + # from = ["wg-home"]; + # to = ["lan"]; + # masquerade = true; + #}; + + #outbound-vpn = { + # from = ["wg-home"]; + # to = ["lan"]; + # late = true; # Only accept after any rejects have been processed + # verdict = "accept"; + #}; }; }; # Allow accessing influx wireguard.proxy-sentinel.client.via = "sentinel"; + + #wireguard.home.server = { + # host = todo # config.networking.fqdn; + # port = 51192; + # reservedAddresses = ["10.10.0.1/24" "fd00:10::/120"]; + # openFirewall = true; + #}; } diff --git a/hosts/ward/secrets/netbird/host.pub b/hosts/ward/secrets/netbird/host.pub new file mode 100644 index 0000000..3f2ed92 --- /dev/null +++ b/hosts/ward/secrets/netbird/host.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJt2DE0HJjmePYjuZVRcsb0/SfoHSmm06T4ayzIgxUOp diff --git a/modules/config/nftables.nix b/modules/config/nftables.nix index 0d0544e..450551f 100644 --- a/modules/config/nftables.nix +++ b/modules/config/nftables.nix @@ -48,7 +48,9 @@ inherit (config.networking.firewall) allowedTCPPorts + allowedTCPPortRanges allowedUDPPorts + allowedUDPPortRanges ; }; }; diff --git a/modules/kanidm.nix b/modules/kanidm.nix index 1d1e767..16d92f9 100644 --- a/modules/kanidm.nix +++ b/modules/kanidm.nix @@ -450,6 +450,12 @@ in { options = { present = mkPresentOption "oauth2 resource server"; + public = mkOption { + description = "Whether this is a public client (enforces PKCE, doesn't use a basic secret)"; + type = types.bool; + default = false; + }; + displayName = mkOption { description = "Display name"; type = types.str; 
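Review bot: The three blocks added to hosts/ward/net.nix (`masquerade-vpn`, `outbound-vpn` and `wireguard.home.server`) are entirely commented out and one still contains the placeholder `host = todo`, so the hunk ships dead configuration with no indication of when, or whether, it is meant to become live. Either leave them out of this commit or put a single marker above the first block, e.g. `# TODO: wg-home rules, enable once the home wireguard server is provisioned`, so the intent survives without twenty lines of inert config. Both enclosing attribute sets begin before the hunk.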
@@ -479,10 +485,23 @@ in { default = null; }; + enableLocalhostRedirects = mkOption { + description = "Allow localhost redirects. Only for public clients."; + type = types.bool; + default = false; + }; + + enableLegacyCrypto = mkOption { + description = "Enable legacy crypto on this client. Allows JWT signing algorthms like RS256."; + type = types.bool; + default = false; + }; + allowInsecureClientDisablePkce = mkOption { description = '' Disable PKCE on this oauth2 resource server to work around insecure clients that may not support it. You should request the client to enable PKCE! + Only for non-public clients. ''; type = types.bool; default = false; @@ -681,6 +700,21 @@ in { assertion = (cfg.provision.enable && cfg.enableServer) -> any (xs: xs != []) (attrValues claimCfg.valuesByGroup); message = "services.kanidm.provision.systems.oauth2.${oauth2}.claimMaps.${claim} does not specify any values for any group"; } + # Public clients cannot define a basic secret + { + assertion = (cfg.provision.enable && cfg.enableServer && oauth2Cfg.public) -> oauth2Cfg.basicSecretFile == null; + message = "services.kanidm.provision.systems.oauth2.${oauth2} is a public client and thus cannot specify a basic secret"; + } + # Public clients cannot disable PKCE + { + assertion = (cfg.provision.enable && cfg.enableServer && oauth2Cfg.public) -> !oauth2Cfg.allowInsecureClientDisablePkce; + message = "services.kanidm.provision.systems.oauth2.${oauth2} is a public client and thus cannot disable PKCE"; + } + # Non-public clients cannot enable localhost redirects + { + assertion = (cfg.provision.enable && cfg.enableServer && !oauth2Cfg.public) -> !oauth2Cfg.enableLocalhostRedirects; + message = "services.kanidm.provision.systems.oauth2.${oauth2} is a non-public client and thus cannot enable localhost redirects"; + } ])) )); diff --git a/pkgs/kanidm-provision.nix b/pkgs/kanidm-provision.nix index 9b8bf01..b076dbb 100644 --- a/pkgs/kanidm-provision.nix +++ b/pkgs/kanidm-provision.nix 
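Review bot: The `enableLegacyCrypto` description in the `-479,10 +485,23` hunk misspells "algorithms" (`algorthms`) and, for an option that enables weaker JWT signing, says nothing about the trade-off; suggested wording: `description = "Enable legacy crypto on this client. Allows JWT signing algorithms like RS256 instead of ES256; only set this for clients that cannot verify ES256.";`. The three assertions in the `-681,6 +700,21` hunk keep `public`, `basicSecretFile`, `allowInsecureClientDisablePkce` and `enableLocalhostRedirects` mutually consistent, which matches the option descriptions. Both the option list and the assertion list continue outside their hunks.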
@@ -5,16 +5,16 @@ }: rustPlatform.buildRustPackage rec { pname = "kanidm-provision"; - version = "1.0.1"; + version = "1.1.0"; src = fetchFromGitHub { owner = "oddlama"; repo = "kanidm-provision"; rev = "v${version}"; - hash = "sha256-tSr2I7bGEwJoC5C7BOmru2oh9ta04WVTz449KePYSK4="; + hash = "sha256-pFOFFKh3la/sZGXj+pAM8x4SMeffvvbOvTjPeHS1XPU="; }; - cargoHash = "sha256-LRPpAIH+pXThS+HJ63kVbxMMoBgsky1nf99RWarX7/0="; + cargoHash = "sha256-oiKlKIL23xH67tCDbny9Gj97JQQm4mYt0IHXB5hzJ/A="; meta = with lib; { description = "A small utility to help with kanidm provisioning"; diff --git a/secrets/generated/sentinel/coturn-password-netbird.age b/secrets/generated/sentinel/coturn-password-netbird.age new file mode 100644 index 0000000..14e0070 --- /dev/null +++ b/secrets/generated/sentinel/coturn-password-netbird.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> X25519 BX1TzWJvYYuXIc5jazmoefCDOrWYCc6vtQHqiidFK0k +KguZPOuk4LKDPogJ40mXA8okdLgG9PAx5fqYW2gkqwQ +-> piv-p256 xqSe8Q A58MztEJBOwOK0pPa7WngTGynn0I+VUFrCtibSKSwOep +sVyAneNoMlRnIPR502xrnFeQyI36GpzxqTRhjOpfU7w +-> YS-grease +WMxsZrN//DXWbO+03CQwRqPKXdeV844codU +--- BrgOOiY9Crg771rp77VQ0i3tM770D6CjGknWYRgoIfk +zXN,1 ?v(oծ +|vF9ޙ޻m"dя?9? +Jn7Q-gQ^\fQ \ No newline at end of file diff --git a/secrets/generated/sentinel/loki-basic-auth-hashes.age b/secrets/generated/sentinel/loki-basic-auth-hashes.age index e72f442..08e1a85 100644 Binary files a/secrets/generated/sentinel/loki-basic-auth-hashes.age and b/secrets/generated/sentinel/loki-basic-auth-hashes.age differ diff --git a/secrets/generated/ward-netbird/coturn-secret.age b/secrets/generated/ward-netbird/coturn-secret.age new file mode 100644 index 0000000..85f389d --- /dev/null +++ b/secrets/generated/ward-netbird/coturn-secret.age 
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 pc+s+uniKbP/sMiud4xtJ9x6UMBaIdBO0iHBeznb6VI +/baQ9J0Qcpr9sZD6LWguy7lcAcgFHq0fPSsCBkkDoKY +-> piv-p256 xqSe8Q Ay2WPFU0XrukDvFIe0+ZiGm+5m5oJTzktnZ+7L3l4/G5 +5/CGoggDIARr02H0sUX3/HJ6PEoQMLJuhACF2MEdRts +-> T/-grease =Cr4 B ,R1u(? +is0bg8583EfFjiM8b+737Wm6+J4 +--- +R5bojMEBENAYEEy++5iMdhEyKCr8rCPOIOiHRa4Wls +79 p.d"go:94~(ٸQ*jCD8> evSLE#+ \ No newline at end of file diff --git a/secrets/generated/ward-netbird/netbird-data-store-encryption-key.age b/secrets/generated/ward-netbird/netbird-data-store-encryption-key.age new file mode 100644 index 0000000..fa97b65 Binary files /dev/null and b/secrets/generated/ward-netbird/netbird-data-store-encryption-key.age differ diff --git a/secrets/generated/ward-netbird/promtail-loki-basic-auth-password.age b/secrets/generated/ward-netbird/promtail-loki-basic-auth-password.age new file mode 100644 index 0000000..fef2787 --- /dev/null +++ b/secrets/generated/ward-netbird/promtail-loki-basic-auth-password.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> X25519 qeT9jfLCM7cn3uu9z44fa54bAQgjdK+l/uvIG5al924 +Py1wATeO86kvUJzY6MFzl2vTXSvyM93ZrTBjxrMrxBg +-> piv-p256 xqSe8Q A8ojuCdRG5nViw0SS133NIk7/h0hWbjDYeJiO5LtxkS8 +jQUqyqhIbeUGqyrLOBJBYwCg9ucyumzjT4c/BsrVjLU +-> {Z-grease jeRAOL 7:2"CZ u={2< 2|0e$Sqx +Z9ZtNsDOP2sj5nmBgAfDGSEJVQ6jO/ikZuyZXOklhsWa3o1hvgXWL43S3ThRN3+t +dsQyP7yVZ1J54/mMURTJc9pPyTqSsvoQ9/MP9VkfIhp6ZBoeQGa34UCppzX1xfo +--- JFa18D2SE3VwuLEMvNpiiR9YY5NZBUVTxzNZcTSfFHI +x{!ΝD(UunM[P7;.K#Ⱦ`ڝx $<s*GH,- +ydATs \ No newline at end of file diff --git a/secrets/generated/ward-netbird/telegraf-influxdb-token.age b/secrets/generated/ward-netbird/telegraf-influxdb-token.age new file mode 100644 index 0000000..7abc3c2 Binary files /dev/null and b/secrets/generated/ward-netbird/telegraf-influxdb-token.age differ diff --git a/secrets/global.nix.age b/secrets/global.nix.age index ccb8826..693d35b 100644 Binary files a/secrets/global.nix.age and b/secrets/global.nix.age differ 
diff --git a/secrets/rekeyed/sentinel/320fd087208acc8f688f0028edca8ba5-wireguard-proxy-sentinel-psks-sentinel+ward-netbird.age b/secrets/rekeyed/sentinel/320fd087208acc8f688f0028edca8ba5-wireguard-proxy-sentinel-psks-sentinel+ward-netbird.age new file mode 100644 index 0000000..b711203 --- /dev/null +++ b/secrets/rekeyed/sentinel/320fd087208acc8f688f0028edca8ba5-wireguard-proxy-sentinel-psks-sentinel+ward-netbird.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 yV7lcA YulN0/x6Gm6SCXABynVcm2EmCKtvS8Qd9mfvJdWBHhY +clZ+rznQkfQGnPpM2H2FaPCjg+Tou6wkvXo0SEO0QUk +-> lSt!-grease n/_ lnzq>4 WHRbZ78. C +C3jB9dLLqtVQOaL7tusyOvrAAxsfjHbYvUtz1XgSQYfLySmfyhVxNz2TYG2biWkE +xnhyT65BjhSlKRCGN5ABKmUtjYQ +--- i9Wkqqpnbnye7ndRxxXbZaVhC5x8qTldieLbzx9h5vE +"A<(!z )_"Ncn5iJ/YȾwK;y$IvR< \ No newline at end of file diff --git a/secrets/rekeyed/sentinel/3b515237f2eec169c6992aea9e6fe02b-loki-basic-auth-hashes.age b/secrets/rekeyed/sentinel/3b515237f2eec169c6992aea9e6fe02b-loki-basic-auth-hashes.age new file mode 100644 index 0000000..db27904 Binary files /dev/null and b/secrets/rekeyed/sentinel/3b515237f2eec169c6992aea9e6fe02b-loki-basic-auth-hashes.age differ diff --git a/secrets/rekeyed/sentinel/5bc5d5daad95fcc8f628181d006ba3a6-loki-basic-auth-hashes.age b/secrets/rekeyed/sentinel/5bc5d5daad95fcc8f628181d006ba3a6-loki-basic-auth-hashes.age deleted file mode 100644 index 9c8ec0a..0000000 Binary files a/secrets/rekeyed/sentinel/5bc5d5daad95fcc8f628181d006ba3a6-loki-basic-auth-hashes.age and /dev/null differ diff --git a/secrets/rekeyed/sentinel/88ab56073f4bca323fbe7cb973103277-coturn-password-netbird.age b/secrets/rekeyed/sentinel/88ab56073f4bca323fbe7cb973103277-coturn-password-netbird.age new file mode 100644 index 0000000..e2d9c06 --- /dev/null +++ b/secrets/rekeyed/sentinel/88ab56073f4bca323fbe7cb973103277-coturn-password-netbird.age 
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 yV7lcA rInHh7EJiht3x4bSdusTvPZeFc6GAUkUZQGaISa0HDI +p3HcoOg+PcPMdLVpHvn5R28GJ6n/d00EVF1KKMZOsqI +-> :`epM2-grease 0%~=37:k @~ +-.u1/~= +d8uTZyL9nN5Q+tS1YQzoyDxS14GT7+EtISr2LSS+/41aWiaUNsvn1/0PKR4lNBce +vGmoEWERf9yKd6a1h9dlbPaf9jOgEaDjgNyYboYyf0EKQSM +--- sERxxQVPG2gykXJPnD/BHzDZ2m6XqkywufcNLcinwVg +gUc= +ک[qqLXVJo=0А!C3gtYBj|>gܸ!/ \ No newline at end of file diff --git a/secrets/rekeyed/sire-influxdb/9d519a4364a78ed35630ef296bd96439-telegraf-influxdb-token-ward-netbird.age b/secrets/rekeyed/sire-influxdb/9d519a4364a78ed35630ef296bd96439-telegraf-influxdb-token-ward-netbird.age new file mode 100644 index 0000000..57474d7 --- /dev/null +++ b/secrets/rekeyed/sire-influxdb/9d519a4364a78ed35630ef296bd96439-telegraf-influxdb-token-ward-netbird.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 1tdZKQ UEC1qtqm46KIsl/aWeFtVQxPzY3Rb/iVnNYFaNpyShc +le4O/7aTZ1wvwqaZ+TciQQcnFavIqele5FCyNjoPUg0 +-> @-grease +15HI1iKmv/+MRpeT +--- GbgkpPSiqzyooOKtrsj0HGl0gfMMT7d46CrKpwpkVTI +#/yMNj 5ɥBև]HϿ( !=s7qx/ ssh-ed25519 2PpNmg HR+7l6qXcAXmDXTDI6J2sLwYdEo7/7eOvtbsJELHfQQ +VpCZPyJT4syKsoby/di70g63EUZsGg36mla1jKk5fyw +-> 1-grease T9.Y +2qDDSDI0Yoh83qTVXki1WYPsqdjuR9e2qrNdl6H3mWYAlF5ggjLu+3MbQ2P6ouIP +cFvso0vS56O/SOpPpj5P9El6auY +--- sWPsDspbccjrl+UmGBwI9e959ZoMSkb6kvGcbB+NE4Q +sH1bL/Co3jaȍ701j沃` ^t/s|~{WH%.0}VȲAhEz~ \ No newline at end of file diff --git a/secrets/rekeyed/ward-netbird/aebb2152acff74fc1f4af3b8d5141ee8-netbird-data-store-encryption-key.age b/secrets/rekeyed/ward-netbird/aebb2152acff74fc1f4af3b8d5141ee8-netbird-data-store-encryption-key.age new file mode 100644 index 0000000..eed605b --- /dev/null +++ b/secrets/rekeyed/ward-netbird/aebb2152acff74fc1f4af3b8d5141ee8-netbird-data-store-encryption-key.age 
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 2PpNmg 7/LkMYjajibcu5sLO2inuFhGEVFWmNm7qUnr632xjWk +nlPVfytJZwJPb+yUK65F7FGlx7qr5KZf0amCyNrr59Y +-> yFt7;"Zk-grease o>Bq cB",D: a +FyaoFSVUSuohR/Jx7g +--- eOCUycFPEH0Du123hXxaNyKJYaxSN++TaUB+yTaMtVM +6 +yCstlĩ {0?,|i Gb +"g_1;y'ԗʳL*,A M" \ No newline at end of file diff --git a/secrets/rekeyed/ward-netbird/b538aae13a0d8e017e3834f262ae89c7-promtail-loki-basic-auth-password.age b/secrets/rekeyed/ward-netbird/b538aae13a0d8e017e3834f262ae89c7-promtail-loki-basic-auth-password.age new file mode 100644 index 0000000..037039d --- /dev/null +++ b/secrets/rekeyed/ward-netbird/b538aae13a0d8e017e3834f262ae89c7-promtail-loki-basic-auth-password.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 2PpNmg 2nliLnpdZpUd3hQj9PTbxZAbnVDhhr+BLrQ9YxCeh1k +/8/mZbj6pE0imMg3Rm7sCJ599u45jbRJc+NtGDAiykU +-> c7i-grease s +1aVkJHJXdVXk0R91F3HaCV4p9/yPqrMrAFYpUjvrvp7jVkyr6fwt3xJjTigrHvS4 +bTa42nF3bxkU2u5sfD9Kr55l +--- XzYsO6Vi2ch5tUqKn1JZQ8qXg/e9A6ujd5j189Rufc8 +p{?2Je<Z"}-.vɓߋπEyCw۲L&۶ͬ߷\WP{(+z] \ No newline at end of file diff --git a/secrets/rekeyed/ward-netbird/ba98d6bdeb0dffac652fa15dbde10da7-wireguard-proxy-sentinel-psks-sentinel+ward-netbird.age b/secrets/rekeyed/ward-netbird/ba98d6bdeb0dffac652fa15dbde10da7-wireguard-proxy-sentinel-psks-sentinel+ward-netbird.age new file mode 100644 index 0000000..d6e5f8f Binary files /dev/null and b/secrets/rekeyed/ward-netbird/ba98d6bdeb0dffac652fa15dbde10da7-wireguard-proxy-sentinel-psks-sentinel+ward-netbird.age differ diff --git a/secrets/rekeyed/ward-netbird/baa6e9c40b40f680bbd2c211a005fa72-telegraf-influxdb-token.age b/secrets/rekeyed/ward-netbird/baa6e9c40b40f680bbd2c211a005fa72-telegraf-influxdb-token.age new file mode 100644 index 0000000..8c5cfc1 Binary files /dev/null and b/secrets/rekeyed/ward-netbird/baa6e9c40b40f680bbd2c211a005fa72-telegraf-influxdb-token.age differ 
diff --git a/secrets/wireguard/proxy-sentinel/keys/ward-netbird.age b/secrets/wireguard/proxy-sentinel/keys/ward-netbird.age new file mode 100644 index 0000000..f06af5d Binary files /dev/null and b/secrets/wireguard/proxy-sentinel/keys/ward-netbird.age differ diff --git a/secrets/wireguard/proxy-sentinel/keys/ward-netbird.pub b/secrets/wireguard/proxy-sentinel/keys/ward-netbird.pub new file mode 100644 index 0000000..fa90897 --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/keys/ward-netbird.pub @@ -0,0 +1 @@ ++rcp1Aobh/8XtB9anwQMymySe7JQ5bQMnIXg3AbPN08= diff --git a/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-netbird.age b/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-netbird.age new file mode 100644 index 0000000..26ce508 Binary files /dev/null and b/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-netbird.age differ