0xa/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

yeet authentik, add keycloak and radicale

Browse source
This commit is contained in:
Grigory Shipunov 2025-01-14 21:24:05 +00:00
parent 2f2318aaaa
commit 5c3f0886e5
15 changed files with 263 additions and 366 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
.sops.yaml
View file

@ -5,7 +5,8 @@ keys:
- &cloud age1j3xpuuqaph5z885er90mftfsu6g3hw4q469k37a3veqktwntzdpqgue4z5
- &minime age1chq5k0t38882rtyljez8cwmvtcstu4tafzvveuhjrujvsqk72f9s9guc06
# microvms
- &authentik age1s9hew4wpff69fmz5lxmn96f8r3xuhqydw82t2dwkrn2rqhcx9pfqm3whvd
- &auth age1vzwz5s35w9g8ck9l5zaq5skrnl3mqzf3hsnc9w22sj4k8tu8kqfstpg2a8
- &radicale age1j6z39kmnxkqa7jdcjsydy5cryjce7fttf225fh3pldyvq06ax3fq58mk8c
creation_rules:
- path_regex: secrets/toaster/[^/]+\.yaml$
key_groups:
@ -25,9 +26,15 @@ creation_rules:
- *admin_oxa
age:
- *minime
- path_regex: secrets/authentik/[^/]+\.yaml$
- path_regex: secrets/auth/[^/]+\.yaml$
key_groups:
- pgp:
- *admin_oxa
age:
- *authentik
- *auth
- path_regex: secrets/radicale/[^/]+\.yaml$
key_groups:
- pgp:
- *admin_oxa
age:
- *radicale

244
flake.lock generated
View file

@ -1,49 +1,5 @@
{
"nodes": {
"authentik-nix": {
"inputs": {
"authentik-src": "authentik-src",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"napalm": "napalm",
"nixpkgs": [
"nixpkgs-unstable"
],
"poetry2nix": "poetry2nix",
"systems": "systems"
},
"locked": {
"lastModified": 1736445563,
"narHash": "sha256-+f1MWPtja+LRlTHJP/i/3yxmnzo2LGtZmxtJJTdAp8o=",
"owner": "nix-community",
"repo": "authentik-nix",
"rev": "bf5a5bf42189ff5f468f0ff26c9296233a97eb6c",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "authentik-nix",
"type": "github"
}
},
"authentik-src": {
"flake": false,
"locked": {
"lastModified": 1736440980,
"narHash": "sha256-Z3rFFrXrOKaF9NpY/fInsEbzdOWnWqLfEYl7YX9hFEU=",
"owner": "goauthentik",
"repo": "authentik",
"rev": "9d81f0598c7735e2b4616ee865ab896056a67408",
"type": "github"
},
"original": {
"owner": "goauthentik",
"ref": "version/2024.12.2",
"repo": "authentik",
"type": "github"
}
},
"crane": {
"inputs": {
"nixpkgs": [
@ -81,41 +37,7 @@
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1727826117,
"narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
@ -138,28 +60,7 @@
},
"flake-utils": {
"inputs": {
"systems": [
"authentik-nix",
"systems"
]
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
"systems": "systems"
},
"locked": {
"lastModified": 1731533236,
@ -175,9 +76,9 @@
"type": "github"
}
},
"flake-utils_3": {
"flake-utils_2": {
"inputs": {
"systems": "systems_3"
"systems": "systems_2"
},
"locked": {
"lastModified": 1710146030,
@ -218,9 +119,9 @@
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat_2",
"flake-parts": "flake-parts_2",
"flake-utils": "flake-utils_3",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs-unstable"
],
@ -267,54 +168,6 @@
"type": "github"
}
},
"napalm": {
"inputs": {
"flake-utils": [
"authentik-nix",
"flake-utils"
],
"nixpkgs": [
"authentik-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1725806412,
"narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=",
"owner": "willibutz",
"repo": "napalm",
"rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5",
"type": "github"
},
"original": {
"owner": "willibutz",
"ref": "avoid-foldl-stack-overflow",
"repo": "napalm",
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"authentik-nix",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729742964,
"narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1736978406,
@ -331,18 +184,6 @@
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1727825735,
"narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1710695816,
@ -391,37 +232,6 @@
"type": "github"
}
},
"poetry2nix": {
"inputs": {
"flake-utils": [
"authentik-nix",
"flake-utils"
],
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"authentik-nix",
"nixpkgs"
],
"systems": [
"authentik-nix",
"systems"
],
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1735164664,
"narHash": "sha256-DaWy+vo3c4TQ93tfLjUgcpPaSoDw4qV4t76Y3Mhu84I=",
"owner": "nix-community",
"repo": "poetry2nix",
"rev": "1fb01e90771f762655be7e0e805516cd7fa4d58e",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "poetry2nix",
"type": "github"
}
},
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
@ -451,8 +261,7 @@
},
"root": {
"inputs": {
"authentik-nix": "authentik-nix",
"flake-utils": "flake-utils_2",
"flake-utils": "flake-utils",
"lanzaboote": "lanzaboote",
"microvm": "microvm",
"nixos-hardware": "nixos-hardware",
@ -524,21 +333,6 @@
}
},
"systems": {
"locked": {
"lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
"owner": "nix-systems",
"repo": "default-linux",
"rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default-linux",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@ -553,7 +347,7 @@
"type": "github"
}
},
"systems_3": {
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@ -583,28 +377,6 @@
"repo": "tmux-yank",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"authentik-nix",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1730120726,
"narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "9ef337e492a5555d8e17a51c911ff1f02635be15",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
}
},
"root": "root",

25
flake.nix
View file

@ -25,12 +25,6 @@
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
authentik-nix = {
url = "github:nix-community/authentik-nix";
inputs.nixpkgs.follows = "nixpkgs-unstable";
# inputs.flake-parts.follows
};
tmux-yank = {
url = "github:tmux-plugins/tmux-yank";
flake = false;
@ -40,7 +34,6 @@
outputs =
inputs@{
self,
authentik-nix,
flake-utils,
lanzaboote,
microvm,
@ -107,19 +100,31 @@
];
};
authentik = nixpkgs-stable.lib.nixosSystem {
auth = nixpkgs-stable.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit inputs; };
modules = [
sops-nix.nixosModules.sops
microvm.nixosModules.microvm
authentik-nix.nixosModules.default
./microvms/authentik
./microvms/auth
./modules/server
./modules/wg
];
};
radicale = nixpkgs-stable.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit inputs; };
modules = [
sops-nix.nixosModules.sops
microvm.nixosModules.microvm
./microvms/radicale
./modules/server
./modules/wg
];
};
};
};
}

24
hosts/cloud/proxy/auth.nix Normal file
View file

@ -0,0 +1,24 @@
{ ... }:
{
services.nginx.upstreams.keycloak = {
servers = {
"10.89.88.11:38080" = {};
"[fd31:185d:722f::11]:38080" = {};
};
};
services.nginx.virtualHosts."auth.oxapentane.com" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://keycloak";
extraConfig = ''
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port 433;
'';
};
};
}

31
hosts/cloud/proxy/authentik.nix
View file

@ -1,31 +0,0 @@
# TODO: integrade with oxalab-wg
{ config, ... }:
{
# authentik
services.nginx.upstreams.authentik = {
extraConfig = ''
keepalive 10;
'';
servers =
{
"10.89.88.2:9000" = { };
"[fd31:185d:722f::2]:9000" = { };
};
};
services.nginx.virtualHosts."sso.oxapentane.com" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://authentik";
extraConfig = ''
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
'';
};
};
}

27
hosts/cloud/proxy/default.nix
View file

@ -1,7 +1,7 @@
{ config, ... }:
{
imports = [
./authentik.nix
./auth.nix
];
networking.firewall.allowedTCPPorts = [ 80 443 ];
@ -12,24 +12,11 @@
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
appendHttpConfig = ''
### recommendedProxySettings minus proxy_redirect (breaks authentik)
# proxy_redirect off;
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
proxy_http_version 1.1;
proxy_set_header "Connection" "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
### TLS
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
@ -39,13 +26,13 @@
add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services.
add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
add_header X-Frame-Options DENY;
# add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
@ -56,11 +43,7 @@
enableACME = true;
# default = true;
locations."/" = {
return = "200 '<html><body><h1>¯\\_()_/¯</h1></body></html>'";
extraConfig = ''
default_type text/html;
'';
return = "503";
};
};
};

6
hosts/minime/uvm.nix
View file

@ -2,7 +2,11 @@
{
microvm.stateDir = "/var/lib/microvms";
microvm.vms = {
authentik = {
auth = {
flake = inputs.self;
updateFlake = "github:gshipunov/nix-config/master";
};
radicale = {
flake = inputs.self;
updateFlake = "github:gshipunov/nix-config/master";
};

13
microvms/authentik/default.nix → microvms/auth/default.nix
View file

@ -4,17 +4,16 @@ let
in
{
imports = [
./authentik.nix
./keycloak.nix
];
sops.defaultSopsFile = ../../secrets/authentik/secrets.yaml;
sops.defaultSopsFile = ../../secrets/auth/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets = {
"wg/0xa-proxy" = {
owner = config.users.users.systemd-network.name;
};
"authentik/envfile" = { };
"keycloak/db_pass" = { };
};
microvm = {
@ -24,7 +23,7 @@ in
interfaces = [
{
type = "tap";
id = "uvm-authentik";
id = "uvm-auth";
mac = mac;
}
];
@ -61,7 +60,7 @@ in
networks."11-host" = {
matchConfig.MACAddress = mac;
networkConfig = {
Address = "10.99.99.10/24";
Address = "10.99.99.11/24";
DHCP = "no";
};
routes = [
@ -74,6 +73,6 @@ in
};
};
networking.hostName = "authentik";
networking.hostName = "auth";
system.stateVersion = "24.11";
}

18
microvms/auth/keycloak.nix Normal file
View file

@ -0,0 +1,18 @@
{ config, ... }:
{
services.keycloak = {
enable = true;
database = {
type = "postgresql";
createLocally = true;
passwordFile = config.sops.secrets."keycloak/db_pass".path;
};
settings = {
hostname = "https://auth.oxapentane.com";
http-port = 38080;
http-enabled = true;
proxy-headers = "xforwarded";
proxy-trusted-addresses = "10.89.88.0/24,fd31:185d:722f::/48";
};
};
}

8
microvms/authentik/authentik.nix
View file

@ -1,8 +0,0 @@
{ config, ... }:
{
services.authentik = {
enable = true;
environmentFile = config.sops.secrets."authentik/envfile".path;
settings.disable_startup_analytics = true;
};
}

74
microvms/radicale/default.nix Normal file
View file

@ -0,0 +1,74 @@
{ config, lib, ... }:
let
mac = "02:00:00:00:00:02";
in
{
sops.defaultSopsFile = ../../secrets/radicale/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets = {
"wg/0xa-proxy" = {
owner = config.users.users.systemd-network.name;
};
};
microvm = {
hypervisor = "qemu";
mem = 1 * 1024;
vcpu = 1;
interfaces = [
{
type = "tap";
id = "uvm-radicale";
mac = mac;
}
];
shares =
[
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "store";
proto = "virtiofs";
socket = "store.socket";
}
]
++ map
(dir: {
source = dir;
mountPoint = "/${dir}";
tag = dir;
proto = "virtiofs";
socket = "${dir}.socket";
})
[
"etc"
"var"
"home"
];
};
networking.useNetworkd = true;
networking.firewall.enable = lib.mkForce false; # firewalling done by the host
systemd.network = {
enable = true;
networks."11-host" = {
matchConfig.MACAddress = mac;
networkConfig = {
Address = "10.99.99.12/24";
DHCP = "no";
};
routes = [
{
Gateway = "10.99.99.1";
Destination = "0.0.0.0/0";
Metric = 1024;
}
];
};
};
networking.hostName = "radicale";
system.stateVersion = "24.11";
}

16
modules/wg/proxy.nix
View file

@ -23,12 +23,20 @@
publicIface = "enp1s0";
};
};
"authentik" = {
"auth" = {
address = [
"10.89.88.2/24"
"fd31:185d:722f::2/48"
"10.89.88.11/24"
"fd31:185d:722f::11/48"
];
publicKey = "/0DRKWg3U/WuR8iYtH8bD2i+RXTWRzj6+MCS3xFfg1o=";
publicKey = "5pW+lt3Xty8IdQ3ndcIXR3B7pl3hV+8M+EgvGmaRhyU=";
privateKeyFile = config.sops.secrets."wg/0xa-proxy".path;
};
"radicale" = {
address = [
"10.89.88.12/24"
"fd31:185d:722f::12/48"
];
publicKey = "EIdTwWTqGJv9i2rV+Uu8d/QptGwFAFjHcHp/Hquhr3g=";
privateKeyFile = config.sops.secrets."wg/0xa-proxy".path;
};
};

44
secrets/auth/secrets.yaml Normal file
View file

@ -0,0 +1,44 @@
keycloak:
db_pass: ENC[AES256_GCM,data:2np1ObGvyC+JgaWZa/mcGJ1d/hq9Po+VhV/Y2ctKXVEw2nAfP5OO9GJCwtCI0D4NQvcCYvOxmNAUTaT7NE8d3rQlXX4riNeMSHaL//aLes/CqJJFY3Qc0HNN1sV7AgC2Wce6t02wGUv8kE0fkBQqr1at9/7KItjo6CGL3t0N7RU=,iv:iZXw6Qaa3S+zgHDscsO6cU9hJ9t1SyKLNRTKM5EYgKQ=,tag:v1y3SjLPJxvAckF0aotBIQ==,type:str]
wg:
0xa-proxy: ENC[AES256_GCM,data:q6vpJZy1Cb54MhMRj0nm8QEX1a38S7Adxymex6gMtwkA6A9V3nLTHPfdJAc=,iv:EsRkUqrpUXoFVkZ8SGE2jp22SeqTlvBx8OTBCRxOjDA=,tag:JLv73iYYV6ZvJiODQOqfEQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1vzwz5s35w9g8ck9l5zaq5skrnl3mqzf3hsnc9w22sj4k8tu8kqfstpg2a8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwaUZKenJGaDQ3WnNJNWtR
ODZVV0drWC9ZanJ2Z1h1UHN1RWh1UGxHQ1NjCmE0TEhYRVNBN1VhelA4aG1ldkkv
dXdCT1AxUVJzNEEwY0FMSGE4cWtja1EKLS0tIE0xVjM1Tk5taTRKeEpOMXM2Nml4
QjRNM3p4MnlIaThXUmpNL1oxajRtdDAKhMMdQ0rK7FL/CJc9BQci5HF2ByyjH812
JLNq2aOXPNsRn8p+EsDeAoJW4LXhyashxcCdRP0yJV5tEk2LIOvW7g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-19T18:16:48Z"
mac: ENC[AES256_GCM,data:LDHoZow50rTd3uh7DtBiPlAMGcO7m5tyBF/nlYBKOuGck6fsefzX28OUVStTRyqRWkvLInxrxEHVlvO64KaPFXjsaUQxrNVIbsAsEf83b6lvZOFrcfDuKpC5infV5erExQEDuOfsWBgYpvMVtGZUXz8WbY/tjgeazpTIXfSQapM=,iv:Q0Tv3wDo8KeJsCHUOThBDp81P5rAZJ+WpUdO/gtcKeI=,tag:1XvmjuEGKmPRqXnUD5d3mQ==,type:str]
pgp:
- created_at: "2025-01-19T17:45:49Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA7zUOKwzpAE7AQ//QneFptbsF2rFz+nRFT6L/iVZflLVkDkTowGIIobs4xjp
UZlAxFYPuHeviyap3End5Db3IrCiAYka07NqNyTeHFAmqmfmYO/A3XPPSqa8Kzh1
g8+i/21a5ZrBOu/jItddDPCoEwoF6+B45Ce1TkjZUFZv+uQ2oMf2sF78YNwGP+Oc
PLTjONn6d+9gui7mQrXT0s9Wm0ggFHJNQ3alrNh8QOuofuhGmw22S+pLO1YLksc8
Rc43+hRmsGxf0YLcCgzR5qL92kPtBuTwE366Mk+/31/BHUvgJM7S17SqO5CWu1XQ
EYTrAkxgYMO/xJ2GX9ny8hnH1LbqdvlzL/YVU9vrlpLmZezsq5SNeOCT6cKC3/+/
IFf2yXVikTYPPxczE3StFERCEDW5nAsmbgW/pbPpiIOKCBVddUaMY9H8L/wY/VZX
Yu1zMLT+gpyJusZOOVPk2Z8s7Ln3upGFDbQ5gnd+TIWL+X2JdscMbynCZI2a0Pe2
66negRkpS62Ff24Y67v8moTvZzUFarbNazkMnaG6cHTHaEUGmo4oWPHu/oOzxt5r
JDSecqAl3bNzcLzsIVgnrAtwtH4o+ZD+exr4GXp6m8fuj8WvOABPRn6zbsCLfPfp
xSzL5ITfOKsux2clMnp60EqXoLQ4VXSw8dzBHe8HdArGBdeecp+httV5bjoWx1nS
XgEoyZOGEHOmNO3ywOE6dEOFP45QATd+ZU1aFCb1oIf/cr3ST8yQEGpxRxRY2xBO
OuLKUNt5NrNXGJNXWMj2zQSuHcIU/nMAclI/Kf+v343O7MYR2fGoCpdEM3ByegQ=
=6IaY
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
unencrypted_suffix: _unencrypted
version: 3.9.2

44
secrets/authentik/secrets.yaml
View file

@ -1,44 +0,0 @@
authentik:
envfile: ENC[AES256_GCM,data:92eaAh50YgOmapCA0vjmvT19Sgu/wpA255TRFc9NcuekRn7fLmwgd9N1f1r2hdT3P+DWtQkTCVIVnlWbb5nJON1gI08GJReC/8oUI5fGc6cplnT62s++YkdajQC3gmqrio8vOhb+JxsE87FI9fvaTE6lDau5ljjtiiA3Jga5ybgGBLakTUE=,iv:knVawwEJZLtvlKjPD03ew2shUAaJlxq2+8VjsoPWQkc=,tag:DGpASi4JvmkUZEddD4Bb6A==,type:str]
wg:
0xa-proxy: ENC[AES256_GCM,data:mIYz1DK+aKnd+9krPxwOSpXe7n7DRedCKvmO46Lwtb4ri/8DYtKxUeGpGmI=,iv:kAaiXXILSFLA3hdKng5OsK5ToPNxu9OyWbqz32gjBFk=,tag:s2TGabr3B5JOLFXjKQ7tfw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1s9hew4wpff69fmz5lxmn96f8r3xuhqydw82t2dwkrn2rqhcx9pfqm3whvd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaWHkwWCtGa1A2Wk9QMGc4
bm0rN2pGRzdyeWpUTUdHa0x4eFViQmxreFNzCmhXc0JYZWlXd0Fod1QxYnJDYXdl
ZEJZbDBoWWRWVm9aeVhwcWxsb3ZXbmMKLS0tIHFGNThkQTJrdWpLOGFHc01GMlNT
QXh1c3BhaExUWFdldC9ib0NNTzdaWk0KF+KZEPxYLyFwUj7pBXR6ULuwZB92wITr
8TXyfh+NkS+px9jMICprOqwNgcBuVxTJL5FGbtMTAiAMpcPlExnoSA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-14T00:23:28Z"
mac: ENC[AES256_GCM,data:9Y03crcSMc6IkgD1krGTABv3rKVQCha59IG1yseT+NAi8Tl0uJUKLpPMKeel/pPPSrN+oewMoZy0NV7wXJRDw0nSCsKJpA7vaVYsls4C28h3rCj5A5Y9B0hbevWyJV5jCPaagrEmJ7IKhrLrOEkbBC5CZg5Y2cKsy4PV3BjfIfc=,iv:Zs0YcjCm5Oz8aT3XPy51DpOuc5H/OlTNoM668M2VPLI=,tag:gYBqhJPwCMmNyabIaVrnqQ==,type:str]
pgp:
- created_at: "2025-01-12T19:54:13Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA7zUOKwzpAE7AQ/7BD8AdH3N/iaGJpScMgFjvFcUoypmxN+B4OxFtHSHVb/t
q361mcgvUcd1T5KNx45smVzoH+2DrTFYiFd5rO/sfaytIRlRAvm542bKbkQLe2xX
PMeu4LnO6WrVoZDDetM7DhpwRyDaD38bXMg7bl1KjoTCdul34aHTWczErCEm0YtK
VO0tJ1R2eu8Z9JcUm/kFA+4bIRyF62hLio86E2o+1pWYpeLsb3RGnI4ttv9imIGT
IvoHidpLP3YRuykEtfiz9rjcTqpYkj8PDnA5ote/cSqNdx6TbVTL0n5yQvvDW183
I819ScBbXHz2i/zNjMWsq2mgD67vCFtWS7A56qslv7qNv2PpK+ABiH1ZfnrpvbWL
YzfLZ0bIP+Qzes1NrQsMM3/Kn/7/xN2rU0xDHNymnVp+M/8ELGR4n1QJF+ETdG6C
b/gc8i4n+Rv1fXhuKVJlP7v+j6xJxK1FYd+K3nrPD4iRx0lX1/BzDxPH4b3xEIfO
voyFWseAPA9VdgOyfjFIMcND5g/JTpVJWS3EDSl1DhtM83vXNVa1gNj3PsJ5ud1V
OHThu0X52ruAkmKfOL2+zEu7UV46DvHCtMj07Ie0RMRQIUu/4TKXKQePZswyY8TR
Y9Xi7OASCGIoZ4Nfnf1bFkDR0umd/9ep0K68GcRR6jFxnu9i6nv6RkjicZj6LBzS
XgE1b+T1j6ujvl6SibMpkclhbSBp7fjYhXbxfACqk1bZvs5DDtdTtmcTmvMt6Iwz
2hENzitwjJ1sCNHlQi37sLVIOU3c2BmLrS1I+WzhpkK61RbnTqwXJhR+XV8hS+Y=
=AIdw
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
unencrypted_suffix: _unencrypted
version: 3.9.2

42
secrets/radicale/secrets.yaml Normal file
View file

@ -0,0 +1,42 @@
wg:
0xa-proxy: ENC[AES256_GCM,data:am8oeEjo7QUJp7lutrBgUovOW2GXf4tS7KUhcZKTiSt6ilk9FVXnG9AYCSE=,iv:Ra/aZI+d9ozGW4lv2lCVXaL7Kc5+xDvUtAAEeX+SZ0Q=,tag:WqRN0llEoXQkaSzNVEaPUA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1j6z39kmnxkqa7jdcjsydy5cryjce7fttf225fh3pldyvq06ax3fq58mk8c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlZ09mS0hNQnFFb1BIdWxp
Q3VOandrbm9Yc3BzQ0Qxc2xocE5RMHhmR2d3CjI0dEZhYkFJR2wzQ2lBYTR3V3pL
bUY2M3BlUTJLVHNpQTdhaEhJV1ZLMkkKLS0tIHFkQnBzSDZFakxIaEVjaWdENkJC
OU16akZaVWowcjRlQmpJYllnN3A5ZzAKv13wAORghjJ/WoMyGieLTh4VFHvU3TuY
pcUQSDzD3zen0uZodv2z+T3/8mrk61iyYbw5ALDpE4VMXHW68jopbg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-19T18:17:51Z"
mac: ENC[AES256_GCM,data:ipVU6VvwqMXN17rj7hBbzL/CsXZ3MTq0/ysurWw0WvljFcag0HKjBZ+qX0of3VLO2NDYYfaYRJt/hP1PqoRNMrYKIAOJqZRlJmONq5MFe7UMd+hE4XPIFs+fIszu336Qb/Nf5uogqn1j+39uEY2vYvJcMwiW3gsxqlduzVys6P8=,iv:hqG1gwdeeJoKfnCZ6hi1DrH9GJy+LZaWcp9lmgiSe/s=,tag:FDZ07PBMHCYHgbyciRvyEg==,type:str]
pgp:
- created_at: "2025-01-19T18:17:36Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA7zUOKwzpAE7AQ/+LAMEykBkJwMlsBrAFo2FhcuLDEcKu91E8IPAWnHjKL1U
0VKPpZgK+5iQ953AW4lULpfR9Ic26rCwEbYiuG4hsaRrHVkteO2tTf5Z8sWirbGB
9VOS5igrSi+UefvfR8rUzZTzNGoYaR/+9GkJ1ZDM9a13RnDTxyxwG1YCGI8Osvyi
eqVTaR6PhNBfTtzx4zMA23Zqhjv3Hd6lNSlhnSGBPfCvekoHuAkT2ciIUrEdpexs
8Uz9QLbthKuxRlNCgZchqZSRyWifSUsHMYqPbesz74LIyETICNFQXVHolF867jai
rL7l8bkJmRsFais9RsGU3nr6Mg4ya75rEo1ftvAl73L0135K/jYjmqWnOFMpJStu
CZGjMVoKF8j1Jan9bzEmLWmXPU902lbEWWjKBF6PIzOSyPxIgcFEMM5wrhT0upRN
t9x81L3gAyuM9Bb8FewMGCpxHDGF8QV6I6JshGJSAR4q+f7bjgwD5PkAWw687AcD
I/GQsC572Y3PtY0saVRoSmzabebxDbG/kE1/1CqJQ6ddLHHs577Nnk/4oaiqbmdO
mexq60Scv7IvPk+AheL6wpCaXIQ+Gy0Tx7FLVgK5Bq5+EpOr24cUGj/DgiUnKuAe
dvCjXIlgimsfGRHXOOTNHYRQGhPRsQiYEOF/+atWzMrLQTxojxW6GrsjCnan1qDS
XAFHhWhQrq/vVSLOkbZ0WnReczDQXb1tm6DN7WYLh7Xs9GQvnaOWMk2NlxuM0oiN
3v57kIJhyMnhrfJxZDMY/CYKQr+kICaGXNdgTt6ojNm6RST3X0JSuQiwAbc+
=8sVt
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
unencrypted_suffix: _unencrypted
version: 3.9.2