From 5c3f0886e592ff2d3e3a8588ab496f36c19e0ce9 Mon Sep 17 00:00:00 2001 From: Grigory Shipunov Date: Tue, 14 Jan 2025 21:24:05 +0000 Subject: [PATCH] yeet authentik, add keycloak and radicale --- .sops.yaml | 13 +- flake.lock | 244 +---------------------- flake.nix | 25 ++- hosts/cloud/proxy/auth.nix | 24 +++ hosts/cloud/proxy/authentik.nix | 31 --- hosts/cloud/proxy/default.nix | 27 +-- hosts/minime/uvm.nix | 6 +- microvms/{authentik => auth}/default.nix | 13 +- microvms/auth/keycloak.nix | 18 ++ microvms/authentik/authentik.nix | 8 - microvms/radicale/default.nix | 74 +++++++ modules/wg/proxy.nix | 16 +- secrets/auth/secrets.yaml | 44 ++++ secrets/authentik/secrets.yaml | 44 ---- secrets/radicale/secrets.yaml | 42 ++++ 15 files changed, 263 insertions(+), 366 deletions(-) create mode 100644 hosts/cloud/proxy/auth.nix delete mode 100644 hosts/cloud/proxy/authentik.nix rename microvms/{authentik => auth}/default.nix (86%) create mode 100644 microvms/auth/keycloak.nix delete mode 100644 microvms/authentik/authentik.nix create mode 100644 microvms/radicale/default.nix create mode 100644 secrets/auth/secrets.yaml delete mode 100644 secrets/authentik/secrets.yaml create mode 100644 secrets/radicale/secrets.yaml diff --git a/.sops.yaml b/.sops.yaml index c813570..edd87ec 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -5,7 +5,8 @@ keys: - &cloud age1j3xpuuqaph5z885er90mftfsu6g3hw4q469k37a3veqktwntzdpqgue4z5 - &minime age1chq5k0t38882rtyljez8cwmvtcstu4tafzvveuhjrujvsqk72f9s9guc06 # microvms - - &authentik age1s9hew4wpff69fmz5lxmn96f8r3xuhqydw82t2dwkrn2rqhcx9pfqm3whvd + - &auth age1vzwz5s35w9g8ck9l5zaq5skrnl3mqzf3hsnc9w22sj4k8tu8kqfstpg2a8 + - &radicale age1j6z39kmnxkqa7jdcjsydy5cryjce7fttf225fh3pldyvq06ax3fq58mk8c creation_rules: - path_regex: secrets/toaster/[^/]+\.yaml$ key_groups: 
@@ -25,9 +26,15 @@ creation_rules: - *admin_oxa age: - *minime - - path_regex: secrets/authentik/[^/]+\.yaml$ + - path_regex: secrets/auth/[^/]+\.yaml$ key_groups: - pgp: - *admin_oxa age: - - *authentik + - *auth + - path_regex: secrets/radicale/[^/]+\.yaml$ + key_groups: + - pgp: + - *admin_oxa + age: + - *radicale diff --git a/flake.lock b/flake.lock index 7bc0798..ab0c251 100644 --- a/flake.lock +++ b/flake.lock @@ -1,49 +1,5 @@ { "nodes": { - "authentik-nix": { - "inputs": { - "authentik-src": "authentik-src", - "flake-compat": "flake-compat", - "flake-parts": "flake-parts", - "flake-utils": "flake-utils", - "napalm": "napalm", - "nixpkgs": [ - "nixpkgs-unstable" - ], - "poetry2nix": "poetry2nix", - "systems": "systems" - }, - "locked": { - "lastModified": 1736445563, - "narHash": "sha256-+f1MWPtja+LRlTHJP/i/3yxmnzo2LGtZmxtJJTdAp8o=", - "owner": "nix-community", - "repo": "authentik-nix", - "rev": "bf5a5bf42189ff5f468f0ff26c9296233a97eb6c", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "authentik-nix", - "type": "github" - } - }, - "authentik-src": { - "flake": false, - "locked": { - "lastModified": 1736440980, - "narHash": "sha256-Z3rFFrXrOKaF9NpY/fInsEbzdOWnWqLfEYl7YX9hFEU=", - "owner": "goauthentik", - "repo": "authentik", - "rev": "9d81f0598c7735e2b4616ee865ab896056a67408", - "type": "github" - }, - "original": { - "owner": "goauthentik", - "ref": "version/2024.12.2", - "repo": "authentik", - "type": "github" - } - }, "crane": { "inputs": { "nixpkgs": [ 
@@ -81,41 +37,7 @@ "type": "github" } }, - "flake-compat_2": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, "flake-parts": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib" - }, - "locked": { - "lastModified": 1727826117, - "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "lanzaboote", @@ -138,28 +60,7 @@ }, "flake-utils": { "inputs": { - "systems": [ - "authentik-nix", - "systems" - ] - }, - "locked": { - "lastModified": 1726560853, - "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_2": { - "inputs": { - "systems": "systems_2" + "systems": "systems" }, "locked": { "lastModified": 1731533236, @@ -175,9 +76,9 @@ "type": "github" } }, - "flake-utils_3": { + "flake-utils_2": { "inputs": { - "systems": "systems_3" + "systems": "systems_2" }, "locked": { "lastModified": 1710146030, @@ -218,9 +119,9 @@ "lanzaboote": { "inputs": { "crane": "crane", - "flake-compat": "flake-compat_2", - "flake-parts": "flake-parts_2", - "flake-utils": "flake-utils_3", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs-unstable" ], 
@@ -267,54 +168,6 @@ "type": "github" } }, - "napalm": { - "inputs": { - "flake-utils": [ - "authentik-nix", - "flake-utils" - ], - "nixpkgs": [ - "authentik-nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1725806412, - "narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=", - "owner": "willibutz", - "repo": "napalm", - "rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5", - "type": "github" - }, - "original": { - "owner": "willibutz", - "ref": "avoid-foldl-stack-overflow", - "repo": "napalm", - "type": "github" - } - }, - "nix-github-actions": { - "inputs": { - "nixpkgs": [ - "authentik-nix", - "poetry2nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1729742964, - "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", - "owner": "nix-community", - "repo": "nix-github-actions", - "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-github-actions", - "type": "github" - } - }, "nixos-hardware": { "locked": { "lastModified": 1736978406, @@ -331,18 +184,6 @@ "type": "github" } }, - "nixpkgs-lib": { - "locked": { - "lastModified": 1727825735, - "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" - } - }, "nixpkgs-stable": { "locked": { "lastModified": 1710695816, 
@@ -391,37 +232,6 @@ "type": "github" } }, - "poetry2nix": { - "inputs": { - "flake-utils": [ - "authentik-nix", - "flake-utils" - ], - "nix-github-actions": "nix-github-actions", - "nixpkgs": [ - "authentik-nix", - "nixpkgs" - ], - "systems": [ - "authentik-nix", - "systems" - ], - "treefmt-nix": "treefmt-nix" - }, - "locked": { - "lastModified": 1735164664, - "narHash": "sha256-DaWy+vo3c4TQ93tfLjUgcpPaSoDw4qV4t76Y3Mhu84I=", - "owner": "nix-community", - "repo": "poetry2nix", - "rev": "1fb01e90771f762655be7e0e805516cd7fa4d58e", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "poetry2nix", - "type": "github" - } - }, "pre-commit-hooks-nix": { "inputs": { "flake-compat": [ @@ -451,8 +261,7 @@ }, "root": { "inputs": { - "authentik-nix": "authentik-nix", - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils", "lanzaboote": "lanzaboote", "microvm": "microvm", "nixos-hardware": "nixos-hardware", @@ -524,21 +333,6 @@ } }, "systems": { - "locked": { - "lastModified": 1689347949, - "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", - "owner": "nix-systems", - "repo": "default-linux", - "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default-linux", - "type": "github" - } - }, - "systems_2": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", @@ -553,7 +347,7 @@ "type": "github" } }, - "systems_3": { + "systems_2": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", 
@@ -583,28 +377,6 @@ "repo": "tmux-yank", "type": "github" } - }, - "treefmt-nix": { - "inputs": { - "nixpkgs": [ - "authentik-nix", - "poetry2nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1730120726, - "narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "9ef337e492a5555d8e17a51c911ff1f02635be15", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index fe9143e..ecae4b7 100644 --- a/flake.nix +++ b/flake.nix @@ -25,12 +25,6 @@ inputs.nixpkgs.follows = "nixpkgs-unstable"; }; - authentik-nix = { - url = "github:nix-community/authentik-nix"; - inputs.nixpkgs.follows = "nixpkgs-unstable"; - # inputs.flake-parts.follows - }; - tmux-yank = { url = "github:tmux-plugins/tmux-yank"; flake = false; @@ -40,7 +34,6 @@ outputs = inputs@{ self, - authentik-nix, flake-utils, lanzaboote, microvm, @@ -107,19 +100,31 @@ ]; }; - authentik = nixpkgs-stable.lib.nixosSystem { + auth = nixpkgs-stable.lib.nixosSystem { system = "x86_64-linux"; specialArgs = { inherit inputs; }; modules = [ sops-nix.nixosModules.sops microvm.nixosModules.microvm - authentik-nix.nixosModules.default - ./microvms/authentik + ./microvms/auth ./modules/server ./modules/wg ]; }; + + radicale = nixpkgs-stable.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = { inherit inputs; }; + modules = [ + sops-nix.nixosModules.sops + microvm.nixosModules.microvm + + ./microvms/radicale + ./modules/server + ./modules/wg + ]; }; }; + }; } diff --git a/hosts/cloud/proxy/auth.nix b/hosts/cloud/proxy/auth.nix new file mode 100644 index 0000000..27ee2ee --- /dev/null +++ b/hosts/cloud/proxy/auth.nix 
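Review bot: The new `radicale` nixosSystem in the last flake.nix hunk repeats the `auth` definition line for line except for the `./microvms/…` path, so the two module lists will drift the next time one of them gains or loses a module. A small helper taking the microvm directory would keep both (and any further microvms) identical. The enclosing attribute set and any `let` where such a helper would be bound start outside the hunk, so the placement below is indicative only.
```nix
# helper, bound wherever the surrounding outputs keep their let-bindings (outside this hunk)
mkMicrovm = dir: nixpkgs-stable.lib.nixosSystem {
  system = "x86_64-linux";
  specialArgs = { inherit inputs; };
  modules = [
    sops-nix.nixosModules.sops
    microvm.nixosModules.microvm
    dir
    ./modules/server
    ./modules/wg
  ];
};

# … unchanged: preceding nixosConfigurations …
auth = mkMicrovm ./microvms/auth;
radicale = mkMicrovm ./microvms/radicale;
```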
@@ -0,0 +1,24 @@ +{ ... }: +{ + services.nginx.upstreams.keycloak = { + servers = { + "10.89.88.11:38080" = {}; + "[fd31:185d:722f::11]:38080" = {}; + }; + }; + + services.nginx.virtualHosts."auth.oxapentane.com" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://keycloak"; + extraConfig = '' + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port 433; + ''; + }; + }; +} diff --git a/hosts/cloud/proxy/authentik.nix b/hosts/cloud/proxy/authentik.nix deleted file mode 100644 index c6c9685..0000000 --- a/hosts/cloud/proxy/authentik.nix +++ /dev/null @@ -1,31 +0,0 @@ -# TODO: integrade with oxalab-wg -{ config, ... }: -{ - # authentik - services.nginx.upstreams.authentik = { - extraConfig = '' - keepalive 10; - ''; - servers = - { - "10.89.88.2:9000" = { }; - "[fd31:185d:722f::2]:9000" = { }; - }; - }; - - services.nginx.virtualHosts."sso.oxapentane.com" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyWebsockets = true; - proxyPass = "http://authentik"; - extraConfig = '' - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $host; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - ''; - }; - }; - } diff --git a/hosts/cloud/proxy/default.nix b/hosts/cloud/proxy/default.nix index 046c807..798b34d 100644 --- a/hosts/cloud/proxy/default.nix +++ b/hosts/cloud/proxy/default.nix @@ -1,7 +1,7 @@ { config, ... }: { imports = [ - ./authentik.nix + ./auth.nix ]; networking.firewall.allowedTCPPorts = [ 80 443 ]; 
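Review bot: `proxy_set_header X-Forwarded-Port 433;` in the auth.oxapentane.com location looks like a typo for the port the vhost actually serves (`forceSSL = true`), and Keycloak in `xforwarded` mode consults this header when it has to rebuild external URLs; the explicit `hostname` URL in keycloak.nix probably masks it for most links, but the value should still be right: `proxy_set_header X-Forwarded-Port 443;`. The same `extraConfig` also repeats the Host, X-Forwarded-For, X-Forwarded-Proto and X-Forwarded-Host headers that `recommendedProxySettings = true` (enabled in hosts/cloud/proxy/default.nix in this commit) appears to provide for locations with `proxyPass`; keeping only the X-Forwarded-Port line here would avoid two sources of truth for the same headers.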
@@ -12,24 +12,11 @@ recommendedGzipSettings = true; recommendedOptimisation = true; recommendedTlsSettings = true; + recommendedProxySettings = true; sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; appendHttpConfig = '' - ### recommendedProxySettings minus proxy_redirect (breaks authentik) - # proxy_redirect off; - proxy_connect_timeout 60s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; - proxy_http_version 1.1; - proxy_set_header "Connection" ""; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Server $host; - ### TLS # Add HSTS header with preloading to HTTPS requests. # Adding this header to HTTP requests is discouraged @@ -39,13 +26,13 @@ add_header Strict-Transport-Security $hsts_header; # Enable CSP for your services. - add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + # add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; # Minimize information leaked to other domains add_header 'Referrer-Policy' 'origin-when-cross-origin'; # Disable embedding as a frame - add_header X-Frame-Options DENY; + # add_header X-Frame-Options DENY; # Prevent injection of code in other mime types (XSS Attacks) add_header X-Content-Type-Options nosniff; @@ -56,11 +43,7 @@ enableACME = true; # default = true; locations."/" = { - return = "200 '
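Review bot: Commenting out `add_header X-Frame-Options DENY;` and the Content-Security-Policy line in the second hunk happens inside `appendHttpConfig`, i.e. at the http{} level as far as the hunk shows, so every virtualHost on this proxy loses clickjacking and CSP protection, not only the new Keycloak one. If the relaxation is for Keycloak's benefit, keep both headers here and give the auth.oxapentane.com vhost its own `add_header` set with the values it needs — nginx does not merge `add_header` across levels, so a vhost that defines any `add_header` must repeat the global ones it still wants (HSTS, Referrer-Policy, nosniff). A one-line comment stating why the two headers were disabled would also help, since the hunk gives no reason; e.g. `# disabled globally because <reason>; re-enable per-vhost`.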

¯\\_(ツ)_/¯

'"; - extraConfig = '' - default_type text/html; - ''; - + return = "503"; }; }; }; diff --git a/hosts/minime/uvm.nix b/hosts/minime/uvm.nix index 7f10579..0437cdf 100644 --- a/hosts/minime/uvm.nix +++ b/hosts/minime/uvm.nix @@ -2,7 +2,11 @@ { microvm.stateDir = "/var/lib/microvms"; microvm.vms = { - authentik = { + auth = { + flake = inputs.self; + updateFlake = "github:gshipunov/nix-config/master"; + }; + radicale = { flake = inputs.self; updateFlake = "github:gshipunov/nix-config/master"; }; diff --git a/microvms/authentik/default.nix b/microvms/auth/default.nix similarity index 86% rename from microvms/authentik/default.nix rename to microvms/auth/default.nix index badb384..b4c23f1 100644 --- a/microvms/authentik/default.nix +++ b/microvms/auth/default.nix @@ -4,17 +4,16 @@ let in { imports = [ - ./authentik.nix + ./keycloak.nix ]; - - sops.defaultSopsFile = ../../secrets/authentik/secrets.yaml; + sops.defaultSopsFile = ../../secrets/auth/secrets.yaml; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops.secrets = { "wg/0xa-proxy" = { owner = config.users.users.systemd-network.name; }; - "authentik/envfile" = { }; + "keycloak/db_pass" = { }; }; microvm = { @@ -24,7 +23,7 @@ in interfaces = [ { type = "tap"; - id = "uvm-authentik"; + id = "uvm-auth"; mac = mac; } ]; @@ -61,7 +60,7 @@ in networks."11-host" = { matchConfig.MACAddress = mac; networkConfig = { - Address = "10.99.99.10/24"; + Address = "10.99.99.11/24"; DHCP = "no"; }; routes = [ @@ -74,6 +73,6 @@ in }; }; - networking.hostName = "authentik"; + networking.hostName = "auth"; system.stateVersion = "24.11"; } diff --git a/microvms/auth/keycloak.nix b/microvms/auth/keycloak.nix new file mode 100644 index 0000000..de537ef --- /dev/null +++ b/microvms/auth/keycloak.nix 
@@ -0,0 +1,18 @@ +{ config, ... }: +{ + services.keycloak = { + enable = true; + database = { + type = "postgresql"; + createLocally = true; + passwordFile = config.sops.secrets."keycloak/db_pass".path; + }; + settings = { + hostname = "https://auth.oxapentane.com"; + http-port = 38080; + http-enabled = true; + proxy-headers = "xforwarded"; + proxy-trusted-addresses = "10.89.88.0/24,fd31:185d:722f::/48"; + }; + }; +} diff --git a/microvms/authentik/authentik.nix b/microvms/authentik/authentik.nix deleted file mode 100644 index 3095944..0000000 --- a/microvms/authentik/authentik.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ config, ... }: -{ - services.authentik = { - enable = true; - environmentFile = config.sops.secrets."authentik/envfile".path; - settings.disable_startup_analytics = true; - }; -} diff --git a/microvms/radicale/default.nix b/microvms/radicale/default.nix new file mode 100644 index 0000000..7ed8f11 --- /dev/null +++ b/microvms/radicale/default.nix 
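Review bot: `proxy-trusted-addresses = "10.89.88.0/24,fd31:185d:722f::/48"` makes Keycloak accept X-Forwarded-* headers from any host on the wireguard network, and because `http-enabled = true` exposes port 38080 directly, any other peer on that network (modules/wg/proxy.nix in this commit already lists `radicale` at 10.89.88.12) could present a forged client address or scheme to it. Narrow the list to the proxy's own wireguard address(es), e.g. `proxy-trusted-addresses = "<PROXY_WG_IPV4>,<PROXY_WG_IPV6>";` — the proxy's addresses are not on this page. The admin console is reachable through the same public `hostname`; consider `hostname-admin` with a non-public name, or an allow-list for `/admin` in the proxy vhost, if that exposure is unintended.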
@@ -0,0 +1,74 @@ +{ config, lib, ... }: +let + mac = "02:00:00:00:00:02"; +in +{ + sops.defaultSopsFile = ../../secrets/radicale/secrets.yaml; + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + + sops.secrets = { + "wg/0xa-proxy" = { + owner = config.users.users.systemd-network.name; + }; + }; + + microvm = { + hypervisor = "qemu"; + mem = 1 * 1024; + vcpu = 1; + interfaces = [ + { + type = "tap"; + id = "uvm-radicale"; + mac = mac; + } + ]; + shares = + [ + { + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + tag = "store"; + proto = "virtiofs"; + socket = "store.socket"; + } + ] + ++ map + (dir: { + source = dir; + mountPoint = "/${dir}"; + tag = dir; + proto = "virtiofs"; + socket = "${dir}.socket"; + }) + [ + "etc" + "var" + "home" + ]; + }; + + networking.useNetworkd = true; + networking.firewall.enable = lib.mkForce false; # firewalling done by the host + + systemd.network = { + enable = true; + networks."11-host" = { + matchConfig.MACAddress = mac; + networkConfig = { + Address = "10.99.99.12/24"; + DHCP = "no"; + }; + routes = [ + { + Gateway = "10.99.99.1"; + Destination = "0.0.0.0/0"; + Metric = 1024; + } + ]; + }; + }; + + networking.hostName = "radicale"; + system.stateVersion = "24.11"; +} diff --git a/modules/wg/proxy.nix b/modules/wg/proxy.nix index 60516fe..8885269 100644 --- a/modules/wg/proxy.nix +++ b/modules/wg/proxy.nix @@ -23,12 +23,20 @@ publicIface = "enp1s0"; }; }; - "authentik" = { + "auth" = { address = [ - "10.89.88.2/24" - "fd31:185d:722f::2/48" + "10.89.88.11/24" + "fd31:185d:722f::11/48" ]; - publicKey = "/0DRKWg3U/WuR8iYtH8bD2i+RXTWRzj6+MCS3xFfg1o="; + publicKey = "5pW+lt3Xty8IdQ3ndcIXR3B7pl3hV+8M+EgvGmaRhyU="; + privateKeyFile = config.sops.secrets."wg/0xa-proxy".path; + }; + "radicale" = { + address = [ + "10.89.88.12/24" + "fd31:185d:722f::12/48" + ]; + publicKey = "EIdTwWTqGJv9i2rV+Uu8d/QptGwFAFjHcHp/Hquhr3g="; privateKeyFile = config.sops.secrets."wg/0xa-proxy".path; }; }; 
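Review bot: This file only provisions the VM (sops, microvm shares, networkd and wireguard via ./modules/wg) — nothing enables `services.radicale`, so the `radicale` microvm boots without the service the commit title announces, and hosts/cloud/proxy gets no matching vhost in this commit either. If the service is meant to arrive in a follow-up, a `# TODO: services.radicale not configured yet` comment here or a sentence in the commit message would make that explicit; otherwise the service definition is missing. `networking.firewall.enable = lib.mkForce false; # firewalling done by the host` relies on a host-side rule set that is not visible on this page, which is worth confirming before the VM is reachable from the wireguard network.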
diff --git a/secrets/auth/secrets.yaml b/secrets/auth/secrets.yaml new file mode 100644 index 0000000..b07d20e --- /dev/null +++ b/secrets/auth/secrets.yaml 
@@ -0,0 +1,44 @@ +keycloak: + db_pass: ENC[AES256_GCM,data:2np1ObGvyC+JgaWZa/mcGJ1d/hq9Po+VhV/Y2ctKXVEw2nAfP5OO9GJCwtCI0D4NQvcCYvOxmNAUTaT7NE8d3rQlXX4riNeMSHaL//aLes/CqJJFY3Qc0HNN1sV7AgC2Wce6t02wGUv8kE0fkBQqr1at9/7KItjo6CGL3t0N7RU=,iv:iZXw6Qaa3S+zgHDscsO6cU9hJ9t1SyKLNRTKM5EYgKQ=,tag:v1y3SjLPJxvAckF0aotBIQ==,type:str] +wg: + 0xa-proxy: ENC[AES256_GCM,data:q6vpJZy1Cb54MhMRj0nm8QEX1a38S7Adxymex6gMtwkA6A9V3nLTHPfdJAc=,iv:EsRkUqrpUXoFVkZ8SGE2jp22SeqTlvBx8OTBCRxOjDA=,tag:JLv73iYYV6ZvJiODQOqfEQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzwz5s35w9g8ck9l5zaq5skrnl3mqzf3hsnc9w22sj4k8tu8kqfstpg2a8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwaUZKenJGaDQ3WnNJNWtR + ODZVV0drWC9ZanJ2Z1h1UHN1RWh1UGxHQ1NjCmE0TEhYRVNBN1VhelA4aG1ldkkv + dXdCT1AxUVJzNEEwY0FMSGE4cWtja1EKLS0tIE0xVjM1Tk5taTRKeEpOMXM2Nml4 + QjRNM3p4MnlIaThXUmpNL1oxajRtdDAKhMMdQ0rK7FL/CJc9BQci5HF2ByyjH812 + JLNq2aOXPNsRn8p+EsDeAoJW4LXhyashxcCdRP0yJV5tEk2LIOvW7g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-19T18:16:48Z" + mac: ENC[AES256_GCM,data:LDHoZow50rTd3uh7DtBiPlAMGcO7m5tyBF/nlYBKOuGck6fsefzX28OUVStTRyqRWkvLInxrxEHVlvO64KaPFXjsaUQxrNVIbsAsEf83b6lvZOFrcfDuKpC5infV5erExQEDuOfsWBgYpvMVtGZUXz8WbY/tjgeazpTIXfSQapM=,iv:Q0Tv3wDo8KeJsCHUOThBDp81P5rAZJ+WpUdO/gtcKeI=,tag:1XvmjuEGKmPRqXnUD5d3mQ==,type:str] + pgp: + - created_at: "2025-01-19T17:45:49Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA7zUOKwzpAE7AQ//QneFptbsF2rFz+nRFT6L/iVZflLVkDkTowGIIobs4xjp + UZlAxFYPuHeviyap3End5Db3IrCiAYka07NqNyTeHFAmqmfmYO/A3XPPSqa8Kzh1 + g8+i/21a5ZrBOu/jItddDPCoEwoF6+B45Ce1TkjZUFZv+uQ2oMf2sF78YNwGP+Oc + PLTjONn6d+9gui7mQrXT0s9Wm0ggFHJNQ3alrNh8QOuofuhGmw22S+pLO1YLksc8 + Rc43+hRmsGxf0YLcCgzR5qL92kPtBuTwE366Mk+/31/BHUvgJM7S17SqO5CWu1XQ + EYTrAkxgYMO/xJ2GX9ny8hnH1LbqdvlzL/YVU9vrlpLmZezsq5SNeOCT6cKC3/+/ + IFf2yXVikTYPPxczE3StFERCEDW5nAsmbgW/pbPpiIOKCBVddUaMY9H8L/wY/VZX + 
Yu1zMLT+gpyJusZOOVPk2Z8s7Ln3upGFDbQ5gnd+TIWL+X2JdscMbynCZI2a0Pe2 + 66negRkpS62Ff24Y67v8moTvZzUFarbNazkMnaG6cHTHaEUGmo4oWPHu/oOzxt5r + JDSecqAl3bNzcLzsIVgnrAtwtH4o+ZD+exr4GXp6m8fuj8WvOABPRn6zbsCLfPfp + xSzL5ITfOKsux2clMnp60EqXoLQ4VXSw8dzBHe8HdArGBdeecp+httV5bjoWx1nS + XgEoyZOGEHOmNO3ywOE6dEOFP45QATd+ZU1aFCb1oIf/cr3ST8yQEGpxRxRY2xBO + OuLKUNt5NrNXGJNXWMj2zQSuHcIU/nMAclI/Kf+v343O7MYR2fGoCpdEM3ByegQ= + =6IaY + -----END PGP MESSAGE----- + fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C + unencrypted_suffix: _unencrypted + version: 3.9.2 diff --git a/secrets/authentik/secrets.yaml b/secrets/authentik/secrets.yaml deleted file mode 100644 index c4dfd0a..0000000 --- a/secrets/authentik/secrets.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -authentik: - envfile: ENC[AES256_GCM,data:92eaAh50YgOmapCA0vjmvT19Sgu/wpA255TRFc9NcuekRn7fLmwgd9N1f1r2hdT3P+DWtQkTCVIVnlWbb5nJON1gI08GJReC/8oUI5fGc6cplnT62s++YkdajQC3gmqrio8vOhb+JxsE87FI9fvaTE6lDau5ljjtiiA3Jga5ybgGBLakTUE=,iv:knVawwEJZLtvlKjPD03ew2shUAaJlxq2+8VjsoPWQkc=,tag:DGpASi4JvmkUZEddD4Bb6A==,type:str] -wg: - 0xa-proxy: ENC[AES256_GCM,data:mIYz1DK+aKnd+9krPxwOSpXe7n7DRedCKvmO46Lwtb4ri/8DYtKxUeGpGmI=,iv:kAaiXXILSFLA3hdKng5OsK5ToPNxu9OyWbqz32gjBFk=,tag:s2TGabr3B5JOLFXjKQ7tfw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1s9hew4wpff69fmz5lxmn96f8r3xuhqydw82t2dwkrn2rqhcx9pfqm3whvd - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaWHkwWCtGa1A2Wk9QMGc4 - bm0rN2pGRzdyeWpUTUdHa0x4eFViQmxreFNzCmhXc0JYZWlXd0Fod1QxYnJDYXdl - ZEJZbDBoWWRWVm9aeVhwcWxsb3ZXbmMKLS0tIHFGNThkQTJrdWpLOGFHc01GMlNT - QXh1c3BhaExUWFdldC9ib0NNTzdaWk0KF+KZEPxYLyFwUj7pBXR6ULuwZB92wITr - 8TXyfh+NkS+px9jMICprOqwNgcBuVxTJL5FGbtMTAiAMpcPlExnoSA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-14T00:23:28Z" - mac: ENC[AES256_GCM,data:9Y03crcSMc6IkgD1krGTABv3rKVQCha59IG1yseT+NAi8Tl0uJUKLpPMKeel/pPPSrN+oewMoZy0NV7wXJRDw0nSCsKJpA7vaVYsls4C28h3rCj5A5Y9B0hbevWyJV5jCPaagrEmJ7IKhrLrOEkbBC5CZg5Y2cKsy4PV3BjfIfc=,iv:Zs0YcjCm5Oz8aT3XPy51DpOuc5H/OlTNoM668M2VPLI=,tag:gYBqhJPwCMmNyabIaVrnqQ==,type:str] - pgp: - - created_at: "2025-01-12T19:54:13Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA7zUOKwzpAE7AQ/7BD8AdH3N/iaGJpScMgFjvFcUoypmxN+B4OxFtHSHVb/t - q361mcgvUcd1T5KNx45smVzoH+2DrTFYiFd5rO/sfaytIRlRAvm542bKbkQLe2xX - PMeu4LnO6WrVoZDDetM7DhpwRyDaD38bXMg7bl1KjoTCdul34aHTWczErCEm0YtK - VO0tJ1R2eu8Z9JcUm/kFA+4bIRyF62hLio86E2o+1pWYpeLsb3RGnI4ttv9imIGT - IvoHidpLP3YRuykEtfiz9rjcTqpYkj8PDnA5ote/cSqNdx6TbVTL0n5yQvvDW183 - I819ScBbXHz2i/zNjMWsq2mgD67vCFtWS7A56qslv7qNv2PpK+ABiH1ZfnrpvbWL - YzfLZ0bIP+Qzes1NrQsMM3/Kn/7/xN2rU0xDHNymnVp+M/8ELGR4n1QJF+ETdG6C - 
b/gc8i4n+Rv1fXhuKVJlP7v+j6xJxK1FYd+K3nrPD4iRx0lX1/BzDxPH4b3xEIfO - voyFWseAPA9VdgOyfjFIMcND5g/JTpVJWS3EDSl1DhtM83vXNVa1gNj3PsJ5ud1V - OHThu0X52ruAkmKfOL2+zEu7UV46DvHCtMj07Ie0RMRQIUu/4TKXKQePZswyY8TR - Y9Xi7OASCGIoZ4Nfnf1bFkDR0umd/9ep0K68GcRR6jFxnu9i6nv6RkjicZj6LBzS - XgE1b+T1j6ujvl6SibMpkclhbSBp7fjYhXbxfACqk1bZvs5DDtdTtmcTmvMt6Iwz - 2hENzitwjJ1sCNHlQi37sLVIOU3c2BmLrS1I+WzhpkK61RbnTqwXJhR+XV8hS+Y= - =AIdw - -----END PGP MESSAGE----- - fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C - unencrypted_suffix: _unencrypted - version: 3.9.2 diff --git a/secrets/radicale/secrets.yaml b/secrets/radicale/secrets.yaml new file mode 100644 index 0000000..b56f018 --- /dev/null +++ b/secrets/radicale/secrets.yaml 
@@ -0,0 +1,42 @@ +wg: + 0xa-proxy: ENC[AES256_GCM,data:am8oeEjo7QUJp7lutrBgUovOW2GXf4tS7KUhcZKTiSt6ilk9FVXnG9AYCSE=,iv:Ra/aZI+d9ozGW4lv2lCVXaL7Kc5+xDvUtAAEeX+SZ0Q=,tag:WqRN0llEoXQkaSzNVEaPUA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1j6z39kmnxkqa7jdcjsydy5cryjce7fttf225fh3pldyvq06ax3fq58mk8c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlZ09mS0hNQnFFb1BIdWxp + Q3VOandrbm9Yc3BzQ0Qxc2xocE5RMHhmR2d3CjI0dEZhYkFJR2wzQ2lBYTR3V3pL + bUY2M3BlUTJLVHNpQTdhaEhJV1ZLMkkKLS0tIHFkQnBzSDZFakxIaEVjaWdENkJC + OU16akZaVWowcjRlQmpJYllnN3A5ZzAKv13wAORghjJ/WoMyGieLTh4VFHvU3TuY + pcUQSDzD3zen0uZodv2z+T3/8mrk61iyYbw5ALDpE4VMXHW68jopbg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-19T18:17:51Z" + mac: ENC[AES256_GCM,data:ipVU6VvwqMXN17rj7hBbzL/CsXZ3MTq0/ysurWw0WvljFcag0HKjBZ+qX0of3VLO2NDYYfaYRJt/hP1PqoRNMrYKIAOJqZRlJmONq5MFe7UMd+hE4XPIFs+fIszu336Qb/Nf5uogqn1j+39uEY2vYvJcMwiW3gsxqlduzVys6P8=,iv:hqG1gwdeeJoKfnCZ6hi1DrH9GJy+LZaWcp9lmgiSe/s=,tag:FDZ07PBMHCYHgbyciRvyEg==,type:str] + pgp: + - created_at: "2025-01-19T18:17:36Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA7zUOKwzpAE7AQ/+LAMEykBkJwMlsBrAFo2FhcuLDEcKu91E8IPAWnHjKL1U + 0VKPpZgK+5iQ953AW4lULpfR9Ic26rCwEbYiuG4hsaRrHVkteO2tTf5Z8sWirbGB + 9VOS5igrSi+UefvfR8rUzZTzNGoYaR/+9GkJ1ZDM9a13RnDTxyxwG1YCGI8Osvyi + eqVTaR6PhNBfTtzx4zMA23Zqhjv3Hd6lNSlhnSGBPfCvekoHuAkT2ciIUrEdpexs + 8Uz9QLbthKuxRlNCgZchqZSRyWifSUsHMYqPbesz74LIyETICNFQXVHolF867jai + rL7l8bkJmRsFais9RsGU3nr6Mg4ya75rEo1ftvAl73L0135K/jYjmqWnOFMpJStu + CZGjMVoKF8j1Jan9bzEmLWmXPU902lbEWWjKBF6PIzOSyPxIgcFEMM5wrhT0upRN + t9x81L3gAyuM9Bb8FewMGCpxHDGF8QV6I6JshGJSAR4q+f7bjgwD5PkAWw687AcD + I/GQsC572Y3PtY0saVRoSmzabebxDbG/kE1/1CqJQ6ddLHHs577Nnk/4oaiqbmdO + mexq60Scv7IvPk+AheL6wpCaXIQ+Gy0Tx7FLVgK5Bq5+EpOr24cUGj/DgiUnKuAe + dvCjXIlgimsfGRHXOOTNHYRQGhPRsQiYEOF/+atWzMrLQTxojxW6GrsjCnan1qDS + XAFHhWhQrq/vVSLOkbZ0WnReczDQXb1tm6DN7WYLh7Xs9GQvnaOWMk2NlxuM0oiN + 
3v57kIJhyMnhrfJxZDMY/CYKQr+kICaGXNdgTt6ojNm6RST3X0JSuQiwAbc+ + =8sVt + -----END PGP MESSAGE----- + fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C + unencrypted_suffix: _unencrypted + version: 3.9.2