From d04d69157e38e7311ba8c57ed0927c61941e5cf0 Mon Sep 17 00:00:00 2001 From: Paul-Henri Froidmont Date: Tue, 24 Mar 2026 13:18:01 +0100 Subject: [PATCH 1/3] Setup relay server --- .envrc | 1 + .sops.yaml | 2 + flake.nix | 26 +++++++ keys/hosts/relay1.asc | 29 ++++++++ profiles/relay1.nix | 160 ++++++++++++++++++++++++++++++++++++++++++ secrets.enc.yml | 125 ++++++++++++++++++++------------- terraform/config.tf | 9 ++- terraform/dns.tf | 8 +++ terraform/hcloud.tf | 44 ++++++++++++ 9 files changed, 354 insertions(+), 50 deletions(-) create mode 100644 keys/hosts/relay1.asc create mode 100644 profiles/relay1.nix create mode 100644 terraform/hcloud.tf diff --git a/.envrc b/.envrc index 91ff861..7388514 100644 --- a/.envrc +++ b/.envrc @@ -1,3 +1,4 @@ use flake export TF_HTTP_PASSWORD=`sops -d --extract '["gitlab"]["token"]' secrets.enc.yml` +export HCLOUD_TOKEN=`sops -d --extract '["hcloud"]["token"]' secrets.enc.yml` diff --git a/.sops.yaml b/.sops.yaml index 85bc456..ce2b38e 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -2,6 +2,7 @@ keys: - &admin 3AC6F170F01133CE393BCD94BE948AFD7E7873BE - &elios 0C143D8AFF5FBCD2293897658E66EDB0546158DF - &hel1 0f0c4c2f9877cb8a53efadacb90613a2af502673 + - &relay1 515a19ef3f9b98442331d89b2997d83ee1948d54 creation_rules: - path_regex: secrets.enc.yml$ key_groups: @@ -9,3 +10,4 @@ creation_rules: - *admin - *elios - *hel1 + - *relay1 diff --git a/flake.nix b/flake.nix index b6d78b5..707fb7a 100644 --- a/flake.nix +++ b/flake.nix @@ -51,6 +51,7 @@ opentofu terraform-ls sops + hcloud deploy-rs.packages."x86_64-linux".deploy-rs ]; }; 
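Review bot: The added `export HCLOUD_TOKEN=...` line in `.envrc` places the Hetzner Cloud API token in the environment of every process started from this direnv shell, whereas the `hetznerdns` provider in `terraform/config.tf` takes its token from `data.sops_file.secrets`. Configuring the new provider the same way, `provider "hcloud" { token = data.sops_file.secrets.data["hcloud.token"] }`, would keep the token scoped to the Terraform run. If the export is there for the `hcloud` CLI that this patch adds to the dev shell, a one-line comment saying so would help, and `$(...)` is preferable to backticks for the command substitution.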
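Review bot: Adding `*relay1` to the only `secrets.enc.yml` creation rule (second hunk of `.sops.yaml`; the anchor is defined in the first) lets the relay host's key decrypt every value in that file, including `hcloud.token`, `gitlab.token` and `borg.passphrase`, although `profiles/relay1.nix` in this patch declares only the five `openvpn/*` secrets. For an internet-facing relay, a separate encrypted file with its own rule would limit what a compromise of that host exposes: a second `creation_rules` entry with `path_regex: <RELAY1_SECRETS_FILE>$` (placeholder) listing `*admin`, `*elios` and `*relay1`, with relay1's `sops.defaultSopsFile` pointing at it. `*relay1` could then be dropped from the shared rule.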
@@ -75,6 +76,27 @@ networking.domain = "banditlair.com"; nix.registry.nixpkgs.flake = nixpkgs; + system.stateVersion = "25.11"; + } + ]; + }; + relay1 = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = { + inherit nixpkgs inputs; + }; + + modules = [ + disko.nixosModules.disko + defaultModuleArgs + sops-nix.nixosModules.sops + ./profiles/relay1.nix + { + sops.defaultSopsFile = ./secrets.enc.yml; + networking.hostName = "relay1"; + networking.domain = "froidmont.org"; + nix.registry.nixpkgs.flake = nixpkgs; + system.stateVersion = "24.05"; } ]; @@ -94,6 +116,10 @@ hostname = "37.27.138.62"; profiles.system = createSystemProfile self.nixosConfigurations.hel1; }; + relay1 = { + hostname = "rl.froidmont.org"; + profiles.system = createSystemProfile self.nixosConfigurations.relay1; + }; }; checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; diff --git a/keys/hosts/relay1.asc b/keys/hosts/relay1.asc new file mode 100644 index 0000000..146c028 --- /dev/null +++ b/keys/hosts/relay1.asc 
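Review bot: On the new side, the configuration that ends just above `relay1` gets `system.stateVersion = "25.11"`, while the newly created `relay1` ends with `system.stateVersion = "24.05"`, which the hunk appears to reuse from the earlier host; the two values look swapped. stateVersion is meant to stay at the release a machine was first installed with, so moving it on an existing host can change stateful defaults, and a host installed now would normally carry the current release. If the swap is unintended, leave the earlier host at `"24.05"` and give relay1 `system.stateVersion = "25.11";`. Both attribute sets start outside the hunk, so confirm in the full file which host the first block belongs to.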
@@ -0,0 +1,29 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsFNBAAAAAABEAC6MtIO9yijVyi7GoKyfAz+oXgtXfqLlCzpGbxhhhEHDFgKkwzY +S1nN1GW5YcMjv8orKOSCZkf+pz4o/fZMiLX0jqLomE5fpTj4Lb56dKVJedWfQUsG +HAwX0u05QNcpi3iDlWuEx9WiOzy5nYEJMNmc+CrsWEBuEh88TcbfymOWqJi7FYj+ +FJjev6mcPp30qr4nHAe7VtuP/6a2pYbfkWvSUX+WuzLzeISILtkT9pF2+y0XFi7/ +8eUHWK5fCDP3IdbkTmN1gk2MJ+smMuwDMRSZTlFM8sBeIj9RBD3R30PsGHzsaNbr +CZ+80zSrjh5YbjYnLwBw1oSXk5xj0WFKPwsdTsHICJVclDqsxmJeo36kqF2o4iwv +36olTSJMEg/rx45+GcVvMV+7PEXcXpMz6R5ENbe0JJKX293biRqw2g7RAiyO8hhf +d9P8Wb/x1WrjFe51CthMe3XImeV1N0ualV14yYgYkrxIyETIbqlHSZsM/1ki2eX/ +biSbAppBBpaqm8Q05rYvACbinOnN4LJxuJo+MimCsw+X06dMYmniXwviuOX5FZVX +wLrfEI+6hsI1fl7fUKTSIcNzuCzzPMHXc70haCUKCbG4+YeEGy4rU6nhuRPewp6I +Rqt/Rr7ZPUmSvrQnyKU1tGdCbO5cWXeEuhBS7mXcM5oUZoXbjuIpJsEyfwARAQAB +zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBrgQT +AQgAYwWCAAAAAAkQKZfYPuGUjVQ1FAAAAAAAHAAQc2FsdEBub3RhdGlvbnMub3Bl +bnBncGpzLm9yZ4FJ7kTP9qArngLB4DQlfywCGQECmw8WIQRRWhnvP5uYRCMx2Jsp +l9g+4ZSNVAAAzMYP+IHFwrgTA2mH3aMi2p5Dq8L1kMnfMNRo0g31SLQQ6M4dGoeq +N34vV1brRPy7Idf6jU5yDUGUHsriNviCmGoVfr8QskC0XXpQHZWdWPDYlAy2yYrD +UV6q98Q+1Rg/hgRV+J5JChoA+8nW8DSH2lLG/ZqPVEZ7mTcXXLbZuUMLQhFNs/hu +ckV/KddAxONq4wmlukGZhT3p3zW62x1xxN9TmVlVr4KcKIY1y14HY+AjMO7Q9d+6 +jPrdt6pKT81iZnysZ/tldtE6acQptKKzN4pM9XgyK3tlRw9sf/aYPQoDhzDFwoic +O6ai1VhUxEBb9GyUThoWcMUBUM2ZbbzPXZX+upnJSN82ABpm3kSvOxW0RvdXRUPc +LQSy1x7MF+z7WsbJ2LDz88tRbf8x1o6wqXJd9VSFX4QwK8BVMMhVOLqtBPrXOfMH +/sJLD1uZbp9ZKUFQH67qF2HlQXnZKesg0ayw1wAHJhEN26fK4WfT1vMDt6V7d5g6 +Jz73fcC4ntZCREfTAVrtEbl+pRRNpDrN317saKlLQ6V7rvjhueGf7NhsEJmd/BFK +PMm4goLAZyti6SFwlanhq57ejZvYzMijz9CXeA41zV+WSxwh20xHmhRMvko7/Q1S +iPpFMWjCp9fkdROPriMw5exR3hE4ADVzqdTpMGnpkOdiWqet4NttcTU9F5I= +=0Acw +-----END PGP PUBLIC KEY BLOCK----- diff --git a/profiles/relay1.nix b/profiles/relay1.nix new file mode 100644 index 0000000..f42394d --- /dev/null +++ b/profiles/relay1.nix 
@@ -0,0 +1,160 @@ +{ + modulesPath, + config, + ... +}: +{ + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + (modulesPath + "/profiles/qemu-guest.nix") + ../environment.nix + ../modules/openssh.nix + ]; + + networking.useDHCP = true; + nixpkgs.hostPlatform = "x86_64-linux"; + + boot.loader.grub = { + efiSupport = true; + efiInstallAsRemovable = true; + }; + + time.timeZone = "Europe/Amsterdam"; + + boot.tmp.cleanOnBoot = true; + networking.firewall.allowPing = true; + networking.firewall.allowedTCPPorts = [ 443 ]; + networking.usePredictableInterfaceNames = false; + custom.services.openssh.enable = true; + services.openssh.openFirewall = true; + + services.nscd.enableNsncd = true; + zramSwap.enable = true; + + sops.secrets = { + openvpnCa = { + key = "openvpn/ca.crt"; + }; + openvpnServerCert = { + key = "openvpn/server.crt"; + }; + openvpnServerKey = { + key = "openvpn/server.key"; + }; + openvpnDh = { + key = "openvpn/dh.pem"; + }; + openvpnTlsCrypt = { + key = "openvpn/tls-crypt.key"; + }; + }; + + systemd.tmpfiles.rules = [ + "d /etc/openvpn/ccd 0750 root root -" + ]; + + environment.etc."openvpn/ccd/wsl".text = '' + iroute 10.33.0.0 255.255.0.0 + iroute 10.46.0.0 255.255.0.0 + iroute 10.133.0.0 255.255.0.0 + iroute 10.134.0.0 255.255.0.0 + iroute 10.161.0.0 255.255.0.0 + iroute 10.200.0.0 255.255.0.0 + ''; + + services.openvpn.servers.relay.config = '' + port 443 + proto tcp-server + dev tun + topology subnet + + user nobody + group nogroup + persist-key + persist-tun + keepalive 10 120 + + ca ${config.sops.secrets.openvpnCa.path} + cert ${config.sops.secrets.openvpnServerCert.path} + key ${config.sops.secrets.openvpnServerKey.path} + dh ${config.sops.secrets.openvpnDh.path} + tls-crypt ${config.sops.secrets.openvpnTlsCrypt.path} + + server 10.8.0.0 255.255.255.0 + client-config-dir /etc/openvpn/ccd + + route 10.33.0.0 255.255.0.0 + route 10.46.0.0 255.255.0.0 + route 10.133.0.0 255.255.0.0 + route 10.134.0.0 255.255.0.0 + route 10.161.0.0 
255.255.0.0 + route 10.200.0.0 255.255.0.0 + + push "route 10.33.0.0 255.255.0.0" + push "route 10.46.0.0 255.255.0.0" + push "route 10.133.0.0 255.255.0.0" + push "route 10.134.0.0 255.255.0.0" + push "route 10.161.0.0 255.255.0.0" + push "route 10.200.0.0 255.255.0.0" + + push "dhcp-option DNS 1.1.1.1" + push "dhcp-option DNS 9.9.9.9" + + status /var/log/openvpn-relay-status.log + log-append /var/log/openvpn-relay.log + verb 3 + ''; + + disko.devices = { + disk.disk1 = { + device = "/dev/sda"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + boot = { + name = "boot"; + size = "1M"; + type = "EF02"; + }; + esp = { + name = "ESP"; + size = "500M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + name = "root"; + size = "100%"; + content = { + type = "lvm_pv"; + vg = "pool"; + }; + }; + }; + }; + }; + lvm_vg = { + pool = { + type = "lvm_vg"; + lvs = { + root = { + size = "100%FREE"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + mountOptions = [ + "defaults" + ]; + }; + }; + }; + }; + }; + }; +} diff --git a/secrets.enc.yml b/secrets.enc.yml index 55b3b8b..72863cd 100644 --- a/secrets.enc.yml +++ b/secrets.enc.yml 
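Review bot: The tmpfiles rule `"d /etc/openvpn/ccd 0750 root root -"` conflicts with `user nobody` / `group nogroup` in the server config: OpenVPN reads `client-config-dir` files when a client connects, after it has dropped privileges, so with mode 0750 root:root the `wsl` file would likely be unreadable and its `iroute` lines skipped without a hard failure. `"d /etc/openvpn/ccd 0755 root root -"` avoids that, and is safe here because the file holds only routes. The config also sets neither `tls-version-min` nor `data-ciphers`, so it relies on the defaults of the OpenVPN build; adding `tls-version-min 1.2` would make the floor explicit. A short comment above the `route`/`iroute` lists naming what the six 10.x networks are would help the next reader.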
@@ -1,5 +1,5 @@ hcloud: - token: ENC[AES256_GCM,data:cLSwCwwtCaSn1eewHeLpCj4eS05z5+p5fpi0qZRj7/aNnKvugcME/eG3VR90hvpsS0g/EIWGmYK9Bv6thWEn1A==,iv:X9r7bQrNqaGRK7QwA6OtwyqUnoNCAf+ZbnMe/26cF2w=,tag:emGH0SWvFTE3AmYRNHKXcQ==,type:str] + token: ENC[AES256_GCM,data:hC0jbTzLR5n14EGI9Nl6iy7hz3wMB+NtuAyp506bAoOKQxGQMaQo6lxnL5DV8LfNUz/x9w3gl/AFvW7fqq3HLg==,iv:1bk3wQcaTjmBs3S4L73H3I9iAaUjioVPogobrITliVY=,tag:uin+HS4kQAdYN+Z5xVcAkQ==,type:str] dns_token: ENC[AES256_GCM,data:v41w2CkGH1bBDIv0MfhOKEYDn842zLoG8tpuVcuspic=,iv:+8fH5X0b+K4QOepvxFMOZIEUqeF+eCBZVfznXoefEUg=,tag:x78M9UQ0klJeVxtnPwMHGQ==,type:str] grafana: admin_password: ENC[AES256_GCM,data:seXajvIHrEU7XR/XVD6uG/dmZ5I2oiL5IxsM+sMlV9awLwnYpDI0u0gJbYqSYvMRhXS/ZhXuXaTJhgXD,iv:oavt6HtbCCLznPgpSSLKHcHPuJSP+7hPPLepu5orqm0=,tag:Gubg8LEYUMInZpXE1SDYtQ==,type:str] @@ -8,7 +8,7 @@ nix: chisel: auth.json: ENC[AES256_GCM,data:R2Lpgkn+OgYYKPWZdmvI16oOgVamNA4SVVm5x3A45hcHhVE4t7izDMkkgLHybPFZypBeSI7WPvrJBrK+xxt3Ykpt47GfiSvWv7aU1g==,iv:SX78DpzAZheg6OppVoedtr7FnDXRJSEgw7eEclN5IOs=,tag:iW7SJKkaHaLwyMUvFQld2g==,type:str] gitlab: - token: ENC[AES256_GCM,data:zZ77gaLg2/YDc5BmKvO1AzwzY6JM7cBwyCk=,iv:kb6+lyRxnH5KifLG49t3XA5jDAgjQFiYUnE0YyAdla0=,tag:umVKw3x3MPII3IqIUmAmIQ==,type:str] + token: ENC[AES256_GCM,data:w1sn55gAYBTj03wzVBHmDS0IT9Y6fRTu+ONTLfirA0XuiReL5PNbF4HL5UkurBNaKhMWp+U3tOy+,iv:j2WYxFvkHmoJfmtqTZG3BI7TRxuE/faMDTLedottFwc=,tag:6kraXBaasziA81VzWxscXA==,type:str] runner_registration_config: hel1: ENC[AES256_GCM,data:fQ3mOmS4eC1ocvXmGKB4f3sDedw6Lc6ekqe2QzL8nxdvjfrbiuhujxrVXq2iPPQz0Jc90N0/OfAH1qe0jtKQZc604PO5rhQuzwJvoZcjNvPq7bIbkLHaQSkc/8wIssm0+wBxCr8naIrXsdDqA2/kNSWYM/bY073RSFqD,iv:iWDYxw8hwVrCGDGg2WB3nNxCcZrAk1lcauDqo5GUqo8=,tag:UQ+DfqDBigAGB1em03yS4Q==,type:str] synapse: 
@@ -52,10 +52,17 @@ wiki: users_file: ENC[AES256_GCM,data:glllwv0+KnPOeJ4eFNXECZPZvL6k5RODxIJNfWjQgo8EUKF7UsVyRvHcL2g9TAEpXKT8RGLekZim+Q467eKKGPpdj2LlrI/XYPyMvk2ShaTBO2ivx+6e9zowpdJNclBMmtKGgggK+r7LeXGunCl06oq86LpKq9ddiX2zZnOfxU1b0ZAG+tmqSVfkgi7cOs5DGagSaco+2+SkCOGThahGquWMrPmVULO0Dz2w98+7uSbmFmXlJOOZjKCk/q0ou4Bi0gK6lQ8/fKleNJLJ0x8Vx0WPYZgz6109RkTYznMl2HSIZEcNp81PxQvr66Vumc8ZO+OXWbNyY064/LXFJB7sEA57r4ccHHkH5+FCKFQJzCA=,iv:Ki0MCTJ8jwogDNL71kiMY4EGrfBorxB2rpBJAid6QOQ=,tag:q/mfK3Dm0KFnK4AHjzsP7g==,type:str] scifirpg: users_file: ENC[AES256_GCM,data:bApVa1CJkHToft8LyO1rWSF4fEbOl+KIHUxFkiWxgzpaX9VuC3fnqGK1EVALktdIW4VkDlUgnNrRS/MY5orXzVasiYK4pzpKUxehCwcDaqB1qw==,iv:cQnMr/XGYsnDiK7ehRW/bPSKGvkxY4SAWvzrUOkuVSI=,tag:g/lmBp2ok6wkVYRkwW9A+w==,type:str] + chroniques: + users_file: ENC[AES256_GCM,data:lnNy+O0EoaohYx3Q+bpnEtpsMtsTC9efY5+eVR1M/hUuj2tdbeQRS+H4UGAZcK0FYkUdf4lZqWQPvZL6/oHg61a7gfyXlRQ4QktW9B54CBef3g==,iv:IPsmzv9HxKEZysOoez8i+EPrC9BA/j4gDNX5w+09JhA=,tag:KWiplISQv5iicIJ+w3K8eg==,type:str] wireguard: torrents.conf: ENC[AES256_GCM,data:xmiIpECVRdZ7yXs+3bVXc1tX/vKx5NSFxnOE0HQpmF0c97rd0ztkVtoLO1a6HWgCnxA/8TQbJo/B/Ij5fOjJ4xa16PCmhHY1Ba4/qjTykwmtvHctFRMTrAxQqx9MGqf/TadiorvYvUVomvas82W2+fPQb+wmxYsoM/Tq/dXy6Os933znEHtcfBe+qCXYijGqX9ob5GbXL0DvxGnJaQIxji00XiDXXhfVBCI5jHWCI/S8XD3PmS0RwZ6cik9tqeuB3PuOxVj5ofXEM9T+YrIXsj7dCtNiY5bifADScPYKw/VmDW4tT8NOuYFTQYkwY3O5psUSZUbMAdJYyygFhDoW8j1tifxdh4VLHmsw8MrYzNOFiZxv9VR/XVDSbxA/yFaIn+JqKw==,iv:mpUekPnpCIr/NcE+kOW4li3itFki/lVVtf/hkBKtM5E=,tag:rAyp3kzzvCX3YRWkrDODHw==,type:str] openvpn: credentials: ENC[AES256_GCM,data:AZRmAhGhqsCs650ExArM0nVX,iv:Y6vTMjIC5s4gIwDWgYfEOUPGScPpj4jhk4XYeyRjpUw=,tag:vkob+Q+Mv6O2GCFvY+adRw==,type:str] + ca.crt: 
ENC[AES256_GCM,data:2F9u9O6+X3uKLFuA17q8bJ4D1wT9O8xQZjwT4VS5qc4vc6Fe2ocmOjP6psyylxlrU1ckhdjqIw8glbpEGyKbZTPBLF3xeCvP0aniP/BLZnfAUnksLgKeO9IqpysFGeFBxbW5z67QNReaK2vrYFsrIwYvyZQekFqhBSot9qC7WGw7BNcCqnlsho+sRC5SvJ7PLVfOd78qQF57UkZ38pNqj+lGYPTc9D03zxotM/0qgRTyrVbpjVOuygMBm6eQx6nUFIIZ5W5gApXO4lpY1rCpPVj7TN9E6aJ8ezcuz+wI/A4JN7KDrv1GgOGAZhSLodTMc7rw0RZ0IfqWIyb2Yffl0EHftxckgUuRSNrrUpsbwsvIjRJg1gSif0E4WNdGqTLbVv7UE/M7+K92BBqo83RhN0LxD9s81BgdWr8I5HsNZ08w1YF7vo7JBssKSgSINm+xPlf0Q3HXZUb7VREYI02UKPMLPUkJcxXipb2tfV5RlZzEjl2CplF43K8w2ES3wCD7xk3l5h5EAovsHY2nroCo50Q2igaNIYDqn9IU7KeqklzNZboFd/9bDn4MwgP27dFffJuOtD2dv3Xc5yBc/exRmII0N2lM/v5vgl1goSre7GPrH6oaOxve86b14PwYnf8zvYOD1hUALZPoLRP+cC7WRiHuihaTLKvQq/FoRyqDTF5XvatldZrRSkOqa4iQbM4RA/uSEXxrBWURqhgrWJ3VL/avHrKOA00zDVHe07U2iq84B5ywblSMae6Cfew1bx7Zi9b4x+B41jc1X0YxHBmtNp6OMRw8LKnW1juzZXw9UhVt2rvZdw2IFEoMrultUkdqVMMyjw7cOHJS3BQzQucxUSTtUMGFRNLtUNmHthQRDRoEYV7A9aIYUawE7rfR+5S6kOiMsjn2VdBsGjyOs5tUplJXQl8ABJhMaFR6wZNbetbvZHWgg7CuW6x+VqvFFts2Vn+V8u5F8LCsLfhpyRXYuof9hBKuIIOh+EHdSiLgmuO8n5mixZBCx7wvfg1h4DUE/n7wk9tIzbcEaQE2i7amd07zDiadHpP2zZttz5dd279Ww/kYs2GP1xsY9rQ6KWyOM6qieQEdBxcWsv+kb+c79YWjtGqbchVo/OMHXaKgD7XPkXOQ6mQGQ83kAJZkXzooJarweN+GJIKX6UKvocCJ1ebQRvLoh1QwFaFRkp9gW5esNjTpP628eErbRpBCTsW0eGQLgB7qeodNaBw6bAV0cEh3jxkfa2tMiHQPQmTSFBCohnlp7PDX+/c1JrMSHPDoBeIeARB7jDWxOtEhZfqt9HO0MgBF0W7ka9uBdMqTj81ZF3yu6J3qbsxRqaOp01Uq8c13zP4E809jgpc/S9BbgA7jnz+EEc4RuCcmV9A9ZbdTf6thMq+ag2ujimxPAHwiA/PU2OkLu6T21pnlVRo6NobdZcRm7MADZxiR6FuplWEyXk6hwkogefEVXGDq622Ez/Oqg7ZojFBKr1BFvC4AjXQUFPDihobzpvCh+bGNUYKFUfm1iKXrZ19onvhV5dpXqX0GRFOVxZxhIMcvNpY9x7zBKq79X7x+FZt01epG1gHSspEYJF0uaVLqrdjkw6juKLkuCw==,iv:Pt11SZn1shfmZwSD2D0jg+5KUSMWO69eiomN8EHlbT8=,tag:hIzS7aIbN+7QHmi020ZAWA==,type:str] + server.crt: ENC[AES256_GCM,data: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,iv:hW0+CnQBDkVPlE3ITQPJxFwqEitlYA9JCuaHefZl2ok=,tag:BQoVy7XLvLFir0kdJ38oZA==,type:str] + server.key: 
ENC[AES256_GCM,data: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,iv:kXdrnvOI2wi4pKxYryM9vcFqV3epKtL2/NhNzOUUrBo=,tag:pV0XCyLKTN6wsJ12Z+RsqQ==,type:str] + dh.pem: ENC[AES256_GCM,data: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,iv:3EQ3WADja0DCWp4I1OHdSKnOs41nPH6lfMONC7XzOE8=,tag:TFeLbsMBXzOp7oN38dkEHw==,type:str] + tls-crypt.key: ENC[AES256_GCM,data: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,iv:w0cPb/BqAU/vddwIC5+dui2YE5uLM38UiehnpQr4AQQ=,tag:5pt39V9JdvYUitqpjjtuIw==,type:str] borg: passphrase: ENC[AES256_GCM,data:RNUTb29sOdsg4KnB/0nIFGJFV/2nlMH4pxGFlgXdtTgDe2opT/moUg==,iv:6kdBeq+qFWnPB+N+zpKNdFkmkskOVMabdj8Uxk9QeQI=,tag:MxNqn5p9P0JpsjkNm9iYEQ==,type:str] client_keys: 
@@ -72,68 +79,88 @@ sshfs_keys: public: ENC[AES256_GCM,data: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,iv:kUKBtPeLWola7isgEo+QDq1RZkbR26G0AoBzy7iubiE=,tag:/kUG0/G7U83dp8p9AgyJXg==,type:str] private: ENC[AES256_GCM,data:NVKHVh5Ap1of3j3xAXbscIX3Psa6EolJ/wuhZu0ZkvcgLLS+Oi9NFqqiBdMQw6DrL5Os+GeA2rVSlCh5/mfntUMH5FTqnRRMeiQ0aaXPS93fxlD5jsrJH7BfTLkH7aijANiAf+Hy3pdfVELD5iiKYEGimRAU3UR3Yf0t/D9TbikO+alyZ6SpaDJMSpccYLD9riEqAUsWsWOc8Gd7K2vB7h0D5uePyFFcVw3pvYweRs5S4KlOisdz9eG6CNVaG/YjL6dlvILVxWwAx34AqY3Ul7FkpZ0tennba8Yz/i/fMp3mxZX7FcDmga2DekvybU4ff30SPv9xEtnFenI/ElKIH/duSjo3wBf8xJ0+EKHXulwhmR9lpvYCfjXYvjtJDhoof2Yw9Tc+dCUcTSdTex92NJBAXLEfL2BTRqszFwhJB3RQ5xNItLilSdmuDElPvhMpNfX1c1RsqjMmlxd4MJYDIo6TiBAQ1eEP5CQG8nWfZesmGCefSBmRlAAy+rWHT2gpGtVCUUwhcBlCHs9X5MmsBHDKrcmQIrMfoQHJ7etVRjhW3+s+np7ldjnTadVqo/or53wpHWg/SCMCaAdMKxPU+APEueaIPxKP3ce3WmMaH7qrgHUFo8EOx0FYaoqxuN2JAW/Ap00JOfN3fvwvjHZwvg47SO/F4hboRqsWaryHIFhlaCcBnMs0/hszbc/w9nkhJdirqCYss8URUvtoKYa1G6quCswd+BC+5aQyQP4SU+VMhw0ESWbZXzOzqypFvr+DH1BvOX3/aGZfN2aCJTbHqaoLaqwP0b5UTEdt/uW8vH9iApnQqsOiZhdB+RCLMkKNaFRR36k1bbI+RQibLOq9QL+bwoSQ9eA0bPpPBLPrL8I0zPBv506f72mqiH690gC/wtdRn6ujXV298nvMRQc1HbjCIexyALS9v/mvhUalxUmYlkf3eLribleQmbDtf5Ehg2oCcx93Zya+mSB9zgR2WRNq7AXO6tm2UO+3jr5xG6E6+J7lhUh0kmJBY7ScFU+LgogtwyJml4xAbNxCcmx+1WKUFCctlvOBZiVo8QB5vTMG6WYcOZZ8of3EeldiodCD14vQ+dNhmagiiQmFk0xBG2LjwTJvDkq3dRET7VZfRUnhrGdibLGykT9HvflVX+0kvBsYLvwKUvuy/HM2dvr+aNvhUm7H03tHygZK3cv0bq/v93jqo/5tvjNxDW4Fr0qHvRMsbwFXURmzuw5SMTx6dtPBKoE65oR0Ueo1yh+r2rKzFMKjfVFSq9HReD2V9iqUoTWduTMzsX0pCSiUvIPMNArt5szJtC3uzZRLOedz0bKR9lTfOG96M9iFpy9sLH0CNekvGy7az2sD++PVqzpsPVUlmp11+AQPFF/F9wPsjuoQiEOh3gIEuUsqyyuBqaFUmEBhWnOoNb8RGOIDF/TXzWvvrRaDw3E5RJ6ATS8SppPK2vYlzaS1Oj9+KX2JWCvuYgOv4NJkQ8R4fnKPKTmuU4D/BEaTfkbPvsYjocgfU6ENxtFHsCqc0Am/5NZOjwZVhcoIiEBbih3g8N2+Kqv8+1/HbaB4NGLwh4GLahYIzqRyWT8IoF5Qml160h2vKZCH7BK01bCSbXppWxs7Jbs0cOnb0cLsuMrHNnYlgGTQUA6A/zUq9pEipjT0Sheu6MQrbEzGCosvKHikJ6UoDN8SGgnVZ+w6l/TairatvG9guEyfM7uG6oF2ohLSEtqmzlyS6VsiiU3FIup4awh1g2fq//DKrttUX3dOHx2ByVR1xE
SBbQZaK5zdYlVxuBqZjWLBLi/c6eUkJobjrbcx8kvdCc4Yeh/tO5k+Ym+gdgO/V68M4cg5j8qlC8J/YsGtMgSlmE9FbScGT8VCfCfaZAC1gONls5asEMZHF5/HH2Q6nNwMtlvfIJ4RHwj/EyoE/gC9kr7Mv1OIMl14aBx1OFzGGUtlssdyQOhGfBJIthQIwq+kRqRDSSyvLGxlvidsUnmrs6XmJQiaIxflj1aCbhmN3QgsT6klXtnn+959x8TX+TvLW7DfS6PKJyeg5DQKuV1A2hnBdyDAAHJuur/k3YbJxvp0nMWQfGGo+nCvAfSpN6hvyUYbriD/pduk9qTcICZJFI3IDDQksF82HanaMWtQnoIUb+TKiDHi6tYr0r6JCtv9x/LLKFjJ0Cq/cjMOxv5a69XNRvbQq7mhwv9bLF2XS7g6CNFLYFxVymJx/OIEXtqmq0AV/C0CRXdW4BYctJCRU71W61VDc16Bb7lfG0deuU3ufdfDaT8MQE0R2/97nAF4sdurpqLLAeP5T/AzDTHk1dgL/cDuKrQ7RSX1SpPgKZPMzSQ/+LjRI0sqHff6nQpdothYLgC2IQZAwDWrI91Xg8OeqJcDQTDVUolMk/+qiGRmMT96dl03hUqyrPpWIdipYqAXKw58djQ2wvcVz0h6ksv03W33ZpwQEqsHBYlA1nCxoCxTR5VlO3uhRNXLPVOrP2BmnnfeknlNevTwRQWA1pQuvgB2JWdYbtnJvdLK+dSvemZhAqOqQSCM6zyh4tUaw5R/oHlBgTosaj28oEQQqQ737PsAcyhpjZUYJ4TWyOg8ng5DH2Js40jomml8VsWIS8V9Cw3vmwn4FUeeKCw8DqzH+LIX6omtzgAQHUVSuOah46u6Cuuw8+adoVy81vXW45uEIj9YpKjrmu5bplWJQrGJMuZAmHOm/F6BQphMVtOhncmpzhghtKjpJhMUlVGvk5WVQmX4YiihBg9el32bTqGEPrpuGZyfrYj6+gB73dP3Ey8JpHIxlp0QVpYUvGbxsgxYKCuETweJfh/q+hby90E7FaHkDkFPBKrWYHD+A4p/AVgmKiIt4rP3pb05EkMUv0ujz8Oro0BmidEKJS5N2diIr5tB6ao3y//FZ7beuLGp03P1Ann4YDxrRp+/75g/xY9zc1WTWe0ugA1Ine4kAH+1wE//NzLTIrrI0J0TJFzpta76jf/S7sWDYyXnUHl1OSBVVUeVpgQGJeaGMLPZrkUD3fNnAf4mntEy0WTLQcCuSPDIRLftMzTb+rATGGK9edwAbF/L4JwMt+n5v0nfcNLnJUwkSvFYTL0gHf3kDxisIblx/gdFT6BotJFz0uQNOoBUMdpXMtC5XcmbmqznKMSlBBkRrrftjqkWslUgYWfu1OB+Uo17yI3yPZpD/PVsK8Q/uKx2VW3sTA5+CilLc5+TVucYWu/hfArgqgNtI4Qo16Cyv+2gnQE13qHGfC2IAnrynnPcVqpG8KUaF3F8DkC9aAoOP0C+c1s6vk6e2iFU2bB5eUKsCmgu1jToVZEacXG4v/hjfx+XunMAELPp6CRV9MDp+7MoGPIIRHcDzlqL8uOKe84CM29qsGBShZXEc03ZyAf/45fVcppO0hZJbmQIHS7AOy56yW/TziH2IlGe+iAr76Z3/EZjxHDpBhcp3flg448Pg7Cwssq8Pd5UYQ276wgGeO05ZbdAPPdhvsEFuU8SXcVXakBO14qKBKu8GlFFqk4n9z69hMCsTw63MD+KDTQEMuJ6DAvW7RUKBKKrU+xWUvE+n+GAg8A+Ff01ttjf1xJNhNKiSrAxZAHnnzBHIR7Cj6aHmpZvgQSYdTfpX/nhZ5jMc8Jfkg5oA34APxmZBxHK5/E4wJecYMWlfcuLfNn7FyVCN7JRM0iNUS4trCdSX4OhbNIAfzXEbwuGNdBRiGqha5xYV4Z28KxzyqFtXupOHYiZNtZyYGL6f1m4ZTNbGweEk0632hpaJwc4I1AYaWHZ3o02/q
zczr2hjfVGKVODp0r6gX64LfuoT/m4/123qj1maJ74zVaP/LnEZJXks3LWu5TlIIt3Cq80/73am9fsaoWNFnVVERfmG/vrBfVO40fJT89Bh5QKPAHCC4nbie/WDGshImVKFHoMT0KH5NFZdIdHSWGcvnc41dMNuwowd6Z/Aie3G2PDPrOr2n/Dv7DxYfB8HgP87l5mirhxlNS1mQOH4DkKkUFkBFNa2+0vIBJmdrf+0SBxev6yZgZbO6GKDR/Fkd99p5qaGd5bRjFg/7A3ZUFiYYnX40AoRR6bhkEyECEtW3B+jd7GOnF0jZFC9wUt3mgpi+v/EiLMoi887nQ/a2SotRd7+y3VKA7hUMAsbM4VfkzPz+LVhhrSU/LF3XkEMlWSpO2fBja8t3xZVtdVaZiFkVxfcla+TBcKr3Po0b7fmzbqVdLvgz/9Zle1s042m+5wKMotHyUMuG/N+78/CGpvqwdad3Cpz8g8C/fX7OVjoVTmhKYOr98Zms0Dr4xOD+Hnb7dNRfojGyuJ3x9UPOzu5zGxkv365iskiBJliALT,iv:BO+OifdPxtMUb83G9By19/O6DtF4D2jT1tmPjXdsNvA=,tag:DVj+JfIeBs3VFwhgZqzTeA==,type:str] sops: - lastmodified: "2025-12-26T12:09:51Z" - mac: ENC[AES256_GCM,data:Gvoax7ZMLV+TPiHM/CbUphR8x6p9C75Tr9RJW3CMTugEWRlQGuuDS0Q8BWIAOJ/eFEU9a+xC03QjuVb2AykntkOrf2KQYGSMiqkP944CKTn4CrD9c34+koZ9QFmJb5ICVtwGN/ZQevgffSXW/2h8U7gjCj4V/XO47CO0sTPvHYw=,iv:ddH0If9PtDlUJWqK7aV4UyiUxXfxKSWTcT7HypCjYlk=,tag:aJbSurfZIHKiX3FTfozneg==,type:str] + lastmodified: "2026-03-12T22:05:00Z" + mac: ENC[AES256_GCM,data:senWpTbLAPfc8QqH3YDG/lPqFf8bMmA+0Fi1j6ihT6P7cdkSKN+QeBSiV1eYeFynW5nfVOGDXx0dDmFiD3oPW0UTPZ1YUt5dGTVqPmtegJKa4Mv6Yh6Y+Q9NZo2mLLs1/etOTqDo8jbv/B7oC2tNdb6mjahY9ifTgxjP49Hnlmo=,iv:WdbvEnUrIHMBi4A/Bq6aq/dTJFg7Mbhv78fcSfOkyYM=,tag:+3rZT7N4kFbyDMxO0qzQ5g==,type:str] pgp: - - created_at: "2025-01-17T21:38:02Z" + - created_at: "2026-02-27T16:44:37Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAy9TuQ4zAbDHARAAqOla+gYyHsbLreus848fUZ4Qy1MEFaS4MH9CQYA3ysMh - Mb+DmxMlh3waHni/0pqAjNULLZzSOg/TUCHWKcrxC+ublxm9oC5z8K/MSvJJFHNu - hA4qQfN3Cl1w7XXZZmfp2+SaTQPKxED1InPt4Nn0Ay73nmo0ze4RM7LBvM17gqYH - GnYLVbj12BB1TlkLwTG0OAttIVKcOHYxpACoYmztT5vtgqH4isDe1ukYNpxTBs1c - g7BKxEOkPmOYBBUvBspDCkpD7aKuWCM6yA4cRBuR+NxJhIF46fTgfq1PydhR7YLA - 6etcZfA6ZDcJsuSeZyuUUuqikjvJRWW3ERP1+vkvD/w4muFk3gwfHv4DfmiY/k/k - RXLV0VMuZZpd8iekuJHFqc8lszC6jnos2AZ/g8KfwA4WZhZnNau4F6u8jk1KcUHt - eQ0A96qbNS5cWhRgFuvL3YzJpG9R5WcKquUEe0dRqqAsX+uMfgKzk6VcESD/bSqs - 
EygLVmnsoh3DaJqtLldcELkGCzty1+sMXiyDSpR1OaYvJcVIK9BjEjXbYu4k9StJ - O7JDaV4BTHw6IwDdQN2hhlFTLEWGtJN8F3Ovhscdwo8GiLSTRF4NZ7hJaUKPBGJA - dm+yUjej7cjoyD6QhzYj77SQ1c8EtKSnt0VTWJtaDg1jN6bvNj8nCYZnJ4Xl4D7S - XgGVf5/2UofoyOw9JtVkk99wUHN9nFJgxwDMWGDm+3qWqY4wp6Ak39Wo6M/JfzWO - yFH+d6kqkMf605/+uq150QpeolqbVV2c0jZcIFA+etYix9iyvZdxHA8RTVy0Bgc= - =jZST + hQIMAy9TuQ4zAbDHAQ//Qb0DRkQVFdX1U6qkD5DrgRrARk1WCH8K5KaVNFWPleqT + VrcEHO2x5exclSmhJ1YKlUsQezs/55FDgCoN+mykjfzLUDhhVvHbvd87p97t9dkh + /taXAT4nsKleUMtSorVDyRGSaJQFKu7aDSi7iD2CYRbGCSqWbnAc/gr5FcHkFnzj + U6pPcPWVZYJfAL57kBdEawMdCmp9ins1cfpCZoZS1SH2FcCMbSojkZSkbRBW0xwW + SVLT1nGwEuQZk109XAsEpkc72rlLpvoQKgBWh33eqvJRCqrNImzyPeKwYJftAee6 + 5JcCUVGPtvcmxHgU41a4vn6ff5CeeUhgMVcjInm0pQrUWWFFpi0VGlr5smxw7NtZ + puba3n1gRD9v1uNY7Mru0ZLKqe1W/cjTNXGuvsk/Xy057Y/CEZj5+EHvBQJQ/tzF + R7cBCBL689aZz0CTqk580icftPqYCKJ/CHPEcb8cjHQ8/Z18p+JDhKfFxMIRNXFV + 2xwcodPM4VhQ392ySBvNYOKrN+lvdTxOJLSbt+yio7cIslvVmIZoYhgn+a8SxAQk + boG7F+sZ/RM43u4OmmJsI+rL42+px5LLByP+OXYW2pBFgT1VcEAthzP6T5G3aHdy + ZIc3+TA1ioec97kARLtO3j1BasktT3Fx54wFMu6X45x2TOGLrPMWGSFcARG2RDfS + XgFZcD7OM728Xo1aGOFX7KSGnw+MmFNmaNYFvUGWtJjxY/bQKwenFt+YSMysXFU1 + ZICJ72lkBTwLzzKfv9E6VGa9+8TJJlkeHZhmPHNdQTlQvtyo7zmkxBo1Z+y0ayY= + =s253 -----END PGP MESSAGE----- fp: 3AC6F170F01133CE393BCD94BE948AFD7E7873BE - - created_at: "2025-01-17T21:38:02Z" + - created_at: "2026-02-27T16:44:37Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMA5qa+llcB15aAQ//Qxav8CPF8zNzSIYd1Nut5wVTYHy4cZBoXdPxFQ3O+okJ - QNR1w/xbPtNuFRukPuHzBuFjS7bXe97WEIgFf7eyyifXy1xO/J/WYSXvzP9R/Lwk - nYowM8UCffLCHMsiSL/lZIPkU1rXYQQBMUOENSkU2tMJhI6SWoAOObGv/MDyX0Cn - AOlomUerPPIFJ5FoRMOe1fYs2vLn5soOsFlgeeJYzp93q+USPpYlB6nYVP22TsD6 - bnB7v1wR3zgP/iDDv9PfF9qXUyWJcsVZ3v/Ze8V4t8d3X9DKhl3IV5W1oIjbsaq8 - IKqpgX9qmO+p+zLeUCx11Mj1I5tfL70xYB6/F+pZUY6GOl9A64iuNMJ7mfTgNaeU - LwUgblZpovhCi1ExuItAOKRrNwJEg5zEPGf9BmRJ89ZOztxlkqevVzpTi4TRYPn4 - FGXNLHGevcJjPBPwiWQADVavz/6Kw8kUzwiWQtdfYSJbPI0mb9KPJ0btVGp0hSL4 - 
4T/Fw70LHoluA6yjqPlZQESRuoCquYlJSZiZ20E3ktqIwzm48INu32JuqXF+msfP - kV+saikKZZoKIxeUB4ZAg120nhgR3riZBRw1iBJYqYGzn8woCtPxeFKh483Rowqi - yFOKCSy+DC8EPq5+MbBuksnKAynKxs69JnU+MCvqUkZjN/bheNN3ONXOV7aP1X/S - XgEKD4RJS2qIMZvogw7po6ZokC9b6/hFfIuPA3twbu/Ll5sJLySQigNgUp/MnEMi - j+yO03/SVtimS2lkR1CB1+YIiI4IDGyw6FHlU+IFx70OmR+uftboSA+l3tp18aQ= - =kpwG + hQIMA5qa+llcB15aAQ//WC6hKdcyWxHa6Y0dhjAadUb77DbzPRi7VYGCoZ33PibN + crg/dgst0VQJOzf0VSpFwrqs7epj3OY1fz+ZegxB6GImkzwdgc5bifdaETR1i5E2 + FYRulz6BNh3iLvNiHK4T3oGNb0a85Lr41XUpjousEQSZkL/Hq1h2tWYB+IoqCn3r + KZqtfJI5Vyv1Ls1WNrFtLzvGgtZAoXSpuxuGtgTuftLR/m5pTrkkmmNpqkfsTYrT + QeWwsAnp9Dg0caliRH2kz92tyH0NOq7Y0K7tMLb15ns+29GR17KPpGDz0I5sSJZn + PEcjoSuEzr3XLcR+g/QaqNoOffyJ1tTOquozgHOs4Ks52ilE9aSY+oNvWD3qk4zc + v29J1drH+07igVFfr7wrmDKDkCTfotIawejq99WR5/roSaBupCtkXZh/WfG1XLdq + M9SxID2vt0FRPka58zFJMRpgFZe1TihHYCNBt0nPh/U3TzrT0X5fG+23S9kITYt/ + lXowiNusXVJ4ppQ2c2rtq2JezJ5wp6xhp41bYNCvbRK6R50WwYxG/LdyqzfjDzLO + +buTtYA7X8d1hDlW4FekDIzZpoXztfwZ2qisHfkCbhWkRBp0mOL1iVOy3JRwPSqO + Zg+yKkX8ajVHFNE+TnyjufF1eXizJqPLWcvMT5TE2Jq02ywXhqDcYmvgnGi3olTS + XgEmLcqoM3AFnJYM2wWUw2y+PwjC2hobC8rZbpgzpk92kdW8Oh8fhwnlUAcY51Zt + /UTHzAbN5JzqUhaC5ABTXMnUJd1kkG8SND0lVOecFQSyF4b5QEBSm93zXH31sgA= + =IgdZ -----END PGP MESSAGE----- fp: 0C143D8AFF5FBCD2293897658E66EDB0546158DF - - created_at: "2025-01-17T21:38:02Z" + - created_at: "2026-02-27T16:44:37Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMA7kGE6KvUCZzAQ//WWbM1yyL0ldJMvpHtMEnsuUMOjbT63pxoThuep1UclRD - 7M8B0Hvi6GU4HzayXfkpW1fUalpJSwsP9Aeewq0pz16nnoHGukQjO3CHXQ2gtvip - JwinImuSfAnQCGGUvaly1JRny9ytZJE7o6DCMmQFQDCjgrgA2ZaUjAKcMnGuPSZs - IwnThW4NMjooZhhCBvnWLq9A5cGuhhMVQ4tzlQEUxZZJV1ySiAGu9QkhdMeyHUQS - 88LYdKpujVlmXYAtkqbwZ1YXcC/DQZnLnt3bVf6i/SzWuvbezAM8BTXn9PJTK58i - nw720g7XdEDmH/1Uy6vxQEqsh/lJQFFpuNhnELRQrf0Co9CDUFODQHNz3ZhD1Oad - irakoPR1iEdaDPlVlB079GEteoxKdewJZFPEjRgB2U8+dhOED/ZDbU+0ECRtXQ7F - Ctd5nq7AQTOWMj9BXvm3wTE35nhpL9ov/NX1My20o9JULoixsYpYSGP1QZhOK2Dc - 
O1wRgsU/R9p6bEDW/eGJ8FlavPkoy7lLaZC/GFtFUa72Da5jAvDIB1sAn5ArhOrx - lj1m4g+HhMitrMV7TSJ97kqM8o5REdEbs+BhwIdcYdmScf9qotYthBkJLz+SIyGj - FDd8KLcMxoFVM/GQSzoAdqfeoycQpbF6Tmv4NrKzj1ID8EzCZCIaufcT85L2ohrS - WAGwruMsuu6FNgdvrZXyOu20cba1055Vb96Q9ESrjNdDE542b+MeNcdc9Xk8N0HE - oxmj0k50D2Fm77HvwKOwwGdRQcbFFynbB6mJ7LYOkjgYJN4Z/9zgtEQ= - =p5J/ + hQIMA7kGE6KvUCZzAQ//VtWatqX53BTQxImBo3HRWNhTVx9zW1DNi0GvUYIDUoyb + 4x5XG5eGbP6x7z2hdvV1Gd8rzBcAL81O8k917Ax1u2+YGVfwTo83OPFrjoLU8qud + XyMu7vW2qjBlgWmDjNyWYUjFiJx32m16sFeS5cf0w3ozGUgn8frVkYiAWDRWvpHE + SpUuJqxLLPwgwIIT1d8QncHWe7uPLzxiusI0eAeFqkd4BiI5R4qDSldj/PNQYHYi + yzoMmkhAZaIYjYsDkUGJAFXjLx9WKnD14s5PeqX/VNYLFRjgAyht5HdKVq24lL64 + DAwlZoraObiSocr3La2NOAwQHpRCggH3eMWyRPCghnTWO3Axlin85OFxhLzurWQj + 8DPFP3Mynv45Fz5SzIb7aHm0pFbjrCiRnEGyVtDbTzdvB7IzffBUxHqKng5Hi9y5 + 7tJjLEM9nS4bXbD1dlU51voARKRM2uLph3ALvZhwpe1XLYqBW4VEzJsPhcaDf54I + 3kfCrnewTf7yaH/isv/njut2XaSYw9nCxkjAyNR3A2J7Vge5BNequP0dVJZWPIKU + /jBVh6K1Hxk/KM9lXbdz2sdy37YDm2KDk9k74Fzpt+NaE8FNZW0/XETgGAwksiK1 + yxu8x+79qmUX0RhmYwFeri47/uydAPUWF4XqQmw4g2G0FwHSCEqOECHkSKTa8ODS + WAGTLhr//YXMNi+JvBDFcKSW/N1uOETNxnL+rEmJ2AHJkAF8EHUugouhPprFYYDd + 0fFWHMhSkW4TCq2YoHBc8LN9Kpf9As019euYrROgNgQ0kx80qzsPs28= + =g3EJ -----END PGP MESSAGE----- fp: 0f0c4c2f9877cb8a53efadacb90613a2af502673 + - created_at: "2026-02-27T16:44:37Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAymX2D7hlI1UARAAslfFnR3hd4wjyEdkqNG33yccH/Sj1LLmkHOumOF9zXDt + q3BI7LwFhTjjAWV59UO8neV/449P/5B9XR9gEd7USCM80rnSv5T0wcKPUfclq3DI + EN348d95fWvOOBos7UnPlCABMCvc4+8oWYlLIVUWFxH+pakSG3zr2EpyvqBzbZqx + n+FilMsxf5Gd5bvqwQAhDjPy/Pjr61y2ksDZpkvbetcve/QRRGL0smjl2dS1k1Rf + N79LgPFxtkfo4CURjUk6hkMfb5ZoeHQFfos1B48pmxKaBmeX2f4Wt4UktzA/o8MY + PubLeFJQdyYF3WKGYssvgFI/3IdiotQ4R5EKJu71ww0eSMZ/jt2a9cstdSFz7OWp + AoIlRM9MnfyafWlztzIByyJwedLSGyd/o8ZrRX7xYFYWgobabC1bagECL3/tU9WE + vzWIG9c7jKDEm7M0ijESuYCsSdKhCaQbn7pu4kzPcoFIlrwLx4ONO0o+OBTyDxxL + P/UWOb9yM0YaGuhgQwJq64e6QBd3af1FmhR6Jwfz2fYq9QE+OFYPFx7DVz4QPRKI + 
Wi6sG01Q8gMGU12DfFdBoTSBAGREI4RCw4qs9lRMPEuTb8S6vZXc2rlg3BStnJWA + FYijdFlxqPpMJ2I368r6MfFgxCnBzxwVRp0ON5QtOX/NanHJKUCgHj+EybFDBNHS + WAGOEBJ1ZPAyAc55PVEb+QlhO9+J/zFGD+bZTQB3SZwHZUgx1DdwT8o3lOjLDeng + eGP4rPdhA/ZwC6SB4n2HzdYBMc6aRcMpm6++p1PrMHYaK4S65sQenOI= + =mBZV + -----END PGP MESSAGE----- + fp: 515a19ef3f9b98442331d89b2997d83ee1948d54 unencrypted_suffix: _unencrypted version: 3.11.0 diff --git a/terraform/config.tf b/terraform/config.tf index d285fa6..d87a2d9 100644 --- a/terraform/config.tf +++ b/terraform/config.tf @@ -8,6 +8,14 @@ terraform { username = "phfroidmont" } required_providers { + hcloud = { + source = "hetznercloud/hcloud" + version = "~> 1.49" + } + null = { + source = "hashicorp/null" + version = "~> 3.2" + } hetznerdns = { source = "timohirt/hetznerdns" version = ">= 2.2.0" @@ -28,4 +36,3 @@ data "sops_file" "secrets" { provider "hetznerdns" { apitoken = data.sops_file.secrets.data["hcloud.dns_token"] } - diff --git a/terraform/dns.tf b/terraform/dns.tf index 08e25bc..38b6b95 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -382,6 +382,14 @@ resource "hetznerdns_record" "froidmont_a" { ttl = 600 } +resource "hetznerdns_record" "rl_a" { + zone_id = data.hetznerdns_zone.froidmont_zone.id + name = "rl" + value = hcloud_server.relay1.ipv4_address + type = "A" + ttl = 600 +} + resource "hetznerdns_record" "website_marie_a" { zone_id = data.hetznerdns_zone.froidmont_zone.id name = "osteopathie" diff --git a/terraform/hcloud.tf b/terraform/hcloud.tf new file mode 100644 index 0000000..84819e9 --- /dev/null +++ b/terraform/hcloud.tf 
@@ -0,0 +1,44 @@
+provider "hcloud" {}
+
+resource "hcloud_ssh_key" "phfroidmont_stellaris" {
+ name = "phfroidmont-stellaris"
+ public_key = file("${path.module}/../ssh_keys/phfroidmont-stellaris.pub")
+}
+
+resource "hcloud_ssh_key" "froidmpa_desktop" {
+ name = "froidmpa-desktop"
+ public_key = file("${path.module}/../ssh_keys/froidmpa-desktop.pub")
+}
+
+resource "hcloud_ssh_key" "elios_desktop" {
+ name = "elios-desktop"
+ public_key = file("${path.module}/../ssh_keys/elios-desktop.pub")
+}
+
+resource "hcloud_server" "relay1" {
+ name = "relay1"
+ server_type = "cx23"
+ image = "ubuntu-24.04"
+ location = "nbg1"
+
+ public_net {
+ ipv4_enabled = true
+ ipv6_enabled = false
+ }
+
+ ssh_keys = [
+ hcloud_ssh_key.phfroidmont_stellaris.id,
+ hcloud_ssh_key.froidmpa_desktop.id,
+ hcloud_ssh_key.elios_desktop.id,
+ ]
+}
+
+module "nixos_anywhere_install" {
+ source = "github.com/nix-community/nixos-anywhere//terraform/install"
+
+ target_host = hcloud_server.relay1.ipv4_address
+ instance_id = hcloud_server.relay1.id
+ flake = "${path.module}/..#relay1"
+
+ depends_on = [hcloud_server.relay1]
+}
From 572c6e3e54d72f56db7e9e9d167963494d274911 Mon Sep 17 00:00:00 2001
From: Paul-Henri Froidmont
Date: Wed, 25 Mar 2026 11:39:53 +0100
Subject: [PATCH 2/3] Update email config
---
 profiles/hel.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/profiles/hel.nix b/profiles/hel.nix
index b989242..3a50dd5 100644
--- a/profiles/hel.nix
+++ b/profiles/hel.nix
@@ -453,6 +453,7 @@
 aliases = [
 "osteopathie@froidmont.org"
 "communication@froidmont.org"
+ "kots-libramont@froidmont.org"
 ];
 };
 "alice@froidmont.org" = {
From a6571d5f39e1b1bde1c5fa5ef624666eb2f9d6ef Mon Sep 17 00:00:00 2001
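Review bot: The `nixos_anywhere_install` module in `terraform/hcloud.tf` is fetched from `github.com/nix-community/nixos-anywhere//terraform/install` with no `ref`, so each fresh init takes whatever the default branch holds at that moment, and that code runs on the operator's machine with SSH access to the new server and `HCLOUD_TOKEN` in its environment. Pinning it, `source = "github.com/nix-community/nixos-anywhere//terraform/install?ref=<PINNED_TAG_OR_COMMIT>"`, makes the install reproducible and turns module upgrades into a reviewable change. The hunk also creates `hcloud_server.relay1` without any `hcloud_firewall`, so exposure is governed only by the host firewall; a comment stating that this is intentional would help.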
From: Paul-Henri Froidmont Date: Wed, 25 Mar 2026 14:54:08 +0100 Subject: [PATCH 3/3] relay1: migrate to wstunnel + WireGuard subnet relay via Headscale Replace the OpenVPN/OCServ path with a cleaner wstunnel-terminated WireGuard relay on :443, advertise/approve corporate subnet routes through Headscale, and add wsl DNS/route plumbing for tailnet access. --- flake.nix | 2 +- modules/headscale.nix | 7 +++ profiles/relay1.nix | 135 +++++++++++++++++++++--------------------- secrets.enc.yml | 9 +-- terraform/dns.tf | 10 +++- 5 files changed, 87 insertions(+), 76 deletions(-) diff --git a/flake.nix b/flake.nix index 707fb7a..20b2334 100644 --- a/flake.nix +++ b/flake.nix @@ -117,7 +117,7 @@ profiles.system = createSystemProfile self.nixosConfigurations.hel1; }; relay1 = { - hostname = "rl.froidmont.org"; + hostname = "rl.banditlair.com"; profiles.system = createSystemProfile self.nixosConfigurations.relay1; }; }; diff --git a/modules/headscale.nix b/modules/headscale.nix index 4592bc2..5243f22 100644 --- a/modules/headscale.nix +++ b/modules/headscale.nix @@ -37,6 +37,13 @@ in "lefoyer.lu" = "10.33.0.100"; }; }; + extra_records = [ + { + name = "wsl.ts.net"; + type = "A"; + value = "10.250.250.2"; + } + ]; }; }; }; diff --git a/profiles/relay1.nix b/profiles/relay1.nix index f42394d..20aaf73 100644 --- a/profiles/relay1.nix +++ b/profiles/relay1.nix @@ -1,6 +1,5 @@ { modulesPath, - config, ... }: { @@ -23,7 +22,10 @@ boot.tmp.cleanOnBoot = true; networking.firewall.allowPing = true; - networking.firewall.allowedTCPPorts = [ 443 ]; + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; networking.usePredictableInterfaceNames = false; custom.services.openssh.enable = true; services.openssh.openFirewall = true; 
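Review bot: The new `extra_records` entry in `modules/headscale.nix` publishes `wsl.ts.net`, a name under a public zone operated by Tailscale rather than by this deployment, so tailnet clients resolve it to `10.250.250.2` while the operator has no control over that name elsewhere. A name under the tailnet's own base domain or one of the project's zones would avoid shadowing a foreign namespace; the base domain is configured outside this hunk, so confirm which applies. A comment next to the record would also help, for example `# wsl: WireGuard peer behind relay1; 10.250.250.2/32 is advertised from there`.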
@@ -31,79 +33,78 @@ services.nscd.enableNsncd = true; zramSwap.enable = true; - sops.secrets = { - openvpnCa = { - key = "openvpn/ca.crt"; - }; - openvpnServerCert = { - key = "openvpn/server.crt"; - }; - openvpnServerKey = { - key = "openvpn/server.key"; - }; - openvpnDh = { - key = "openvpn/dh.pem"; - }; - openvpnTlsCrypt = { - key = "openvpn/tls-crypt.key"; + security.acme = { + acceptTerms = true; + defaults.email = "letsencrypt.account@banditlair.com"; + certs."ws.banditlair.com" = { + listenHTTP = "0.0.0.0:80"; + reloadServices = [ "wstunnel-server-relay.service" ]; }; }; - systemd.tmpfiles.rules = [ - "d /etc/openvpn/ccd 0750 root root -" - ]; + services.wstunnel = { + enable = true; + servers.relay = { + listen = { + host = "0.0.0.0"; + port = 443; + enableHTTPS = true; + }; + useACMEHost = "ws.banditlair.com"; + settings = { + log-lvl = "INFO"; + restrict-to = [ + { + host = "127.0.0.1"; + port = 51820; + } + ]; + }; + }; + }; - environment.etc."openvpn/ccd/wsl".text = '' - iroute 10.33.0.0 255.255.0.0 - iroute 10.46.0.0 255.255.0.0 - iroute 10.133.0.0 255.255.0.0 - iroute 10.134.0.0 255.255.0.0 - iroute 10.161.0.0 255.255.0.0 - iroute 10.200.0.0 255.255.0.0 - ''; + systemd.services.wstunnel-server-relay = { + after = [ "acme-ws.banditlair.com.service" ]; + wants = [ "acme-ws.banditlair.com.service" ]; + }; - services.openvpn.servers.relay.config = '' - port 443 - proto tcp-server - dev tun - topology subnet + networking.wireguard.enable = true; + networking.wireguard.interfaces.wg-relay = { + ips = [ "10.250.250.1/30" ]; + listenPort = 51820; + privateKeyFile = "/var/lib/wireguard/wg-relay.key"; + generatePrivateKeyFile = true; + peers = [ + { + publicKey = "EX3QEJYNzs3sA3FUEIc9YGAhEup20qOCzUe+nMRrljQ="; + allowedIPs = [ + "10.250.250.2/32" + "10.33.0.0/16" + "10.46.0.0/16" + "10.133.0.0/16" + "10.134.0.0/16" + "10.161.0.0/16" + "10.200.0.0/16" + ]; + } + ]; + }; - user nobody - group nogroup - persist-key - persist-tun - keepalive 10 120 + 
services.tailscale = { + enable = true; + useRoutingFeatures = "server"; + extraSetFlags = [ + "--advertise-routes=10.250.250.2/32,10.33.0.0/16,10.46.0.0/16,10.133.0.0/16,10.134.0.0/16,10.161.0.0/16,10.200.0.0/16" + ]; + }; - ca ${config.sops.secrets.openvpnCa.path} - cert ${config.sops.secrets.openvpnServerCert.path} - key ${config.sops.secrets.openvpnServerKey.path} - dh ${config.sops.secrets.openvpnDh.path} - tls-crypt ${config.sops.secrets.openvpnTlsCrypt.path} + boot.kernel.sysctl."net.ipv4.ip_forward" = true; - server 10.8.0.0 255.255.255.0 - client-config-dir /etc/openvpn/ccd - - route 10.33.0.0 255.255.0.0 - route 10.46.0.0 255.255.0.0 - route 10.133.0.0 255.255.0.0 - route 10.134.0.0 255.255.0.0 - route 10.161.0.0 255.255.0.0 - route 10.200.0.0 255.255.0.0 - - push "route 10.33.0.0 255.255.0.0" - push "route 10.46.0.0 255.255.0.0" - push "route 10.133.0.0 255.255.0.0" - push "route 10.134.0.0 255.255.0.0" - push "route 10.161.0.0 255.255.0.0" - push "route 10.200.0.0 255.255.0.0" - - push "dhcp-option DNS 1.1.1.1" - push "dhcp-option DNS 9.9.9.9" - - status /var/log/openvpn-relay-status.log - log-append /var/log/openvpn-relay.log - verb 3 - ''; + networking.nat = { + enable = true; + internalInterfaces = [ "tailscale0" ]; + externalInterface = "wg-relay"; + }; disko.devices = { disk.disk1 = { diff --git a/secrets.enc.yml b/secrets.enc.yml index 72863cd..60fc7d2 100644 --- a/secrets.enc.yml +++ b/secrets.enc.yml 
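Review bot: Nothing in the new relay configuration in profiles/relay1.nix bounds what gets forwarded: `boot.kernel.sysctl."net.ipv4.ip_forward"` turns routing on host-wide and `networking.nat` masquerades everything from `tailscale0` into `wg-relay`, while the firewall lines visible in this patch only list inbound ports. Who can reach the six advertised /16 ranges therefore rests on the Headscale policy and route approval, which this patch does not show. I would state that next to `services.tailscale`, e.g. `# Reachability of these routes is controlled only by the Headscale ACL; keep it scoped to the users who need them.`, and advertise narrower prefixes if whole /16s are not required. The explicit sysctl also appears redundant with `useRoutingFeatures = "server"` and `networking.nat.enable`, which should already enable forwarding; worth confirming and dropping.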
@@ -58,11 +58,6 @@ wireguard: torrents.conf: ENC[AES256_GCM,data:xmiIpECVRdZ7yXs+3bVXc1tX/vKx5NSFxnOE0HQpmF0c97rd0ztkVtoLO1a6HWgCnxA/8TQbJo/B/Ij5fOjJ4xa16PCmhHY1Ba4/qjTykwmtvHctFRMTrAxQqx9MGqf/TadiorvYvUVomvas82W2+fPQb+wmxYsoM/Tq/dXy6Os933znEHtcfBe+qCXYijGqX9ob5GbXL0DvxGnJaQIxji00XiDXXhfVBCI5jHWCI/S8XD3PmS0RwZ6cik9tqeuB3PuOxVj5ofXEM9T+YrIXsj7dCtNiY5bifADScPYKw/VmDW4tT8NOuYFTQYkwY3O5psUSZUbMAdJYyygFhDoW8j1tifxdh4VLHmsw8MrYzNOFiZxv9VR/XVDSbxA/yFaIn+JqKw==,iv:mpUekPnpCIr/NcE+kOW4li3itFki/lVVtf/hkBKtM5E=,tag:rAyp3kzzvCX3YRWkrDODHw==,type:str] openvpn: credentials: ENC[AES256_GCM,data:AZRmAhGhqsCs650ExArM0nVX,iv:Y6vTMjIC5s4gIwDWgYfEOUPGScPpj4jhk4XYeyRjpUw=,tag:vkob+Q+Mv6O2GCFvY+adRw==,type:str] - ca.crt: ENC[AES256_GCM,data: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,iv:Pt11SZn1shfmZwSD2D0jg+5KUSMWO69eiomN8EHlbT8=,tag:hIzS7aIbN+7QHmi020ZAWA==,type:str] - server.crt: ENC[AES256_GCM,data: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,iv:hW0+CnQBDkVPlE3ITQPJxFwqEitlYA9JCuaHefZl2ok=,tag:BQoVy7XLvLFir0kdJ38oZA==,type:str] - server.key: ENC[AES256_GCM,data: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,iv:kXdrnvOI2wi4pKxYryM9vcFqV3epKtL2/NhNzOUUrBo=,tag:pV0XCyLKTN6wsJ12Z+RsqQ==,type:str] - dh.pem: ENC[AES256_GCM,data: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,iv:3EQ3WADja0DCWp4I1OHdSKnOs41nPH6lfMONC7XzOE8=,tag:TFeLbsMBXzOp7oN38dkEHw==,type:str] - tls-crypt.key: ENC[AES256_GCM,data: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,iv:w0cPb/BqAU/vddwIC5+dui2YE5uLM38UiehnpQr4AQQ=,tag:5pt39V9JdvYUitqpjjtuIw==,type:str] borg: passphrase: ENC[AES256_GCM,data:RNUTb29sOdsg4KnB/0nIFGJFV/2nlMH4pxGFlgXdtTgDe2opT/moUg==,iv:6kdBeq+qFWnPB+N+zpKNdFkmkskOVMabdj8Uxk9QeQI=,tag:MxNqn5p9P0JpsjkNm9iYEQ==,type:str] client_keys: 
@@ -79,8 +74,8 @@ sshfs_keys: public: ENC[AES256_GCM,data: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,iv:kUKBtPeLWola7isgEo+QDq1RZkbR26G0AoBzy7iubiE=,tag:/kUG0/G7U83dp8p9AgyJXg==,type:str] private: ENC[AES256_GCM,data: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,iv:BO+OifdPxtMUb83G9By19/O6DtF4D2jT1tmPjXdsNvA=,tag:DVj+JfIeBs3VFwhgZqzTeA==,type:str] sops: - lastmodified: "2026-03-12T22:05:00Z" - mac: ENC[AES256_GCM,data:senWpTbLAPfc8QqH3YDG/lPqFf8bMmA+0Fi1j6ihT6P7cdkSKN+QeBSiV1eYeFynW5nfVOGDXx0dDmFiD3oPW0UTPZ1YUt5dGTVqPmtegJKa4Mv6Yh6Y+Q9NZo2mLLs1/etOTqDo8jbv/B7oC2tNdb6mjahY9ifTgxjP49Hnlmo=,iv:WdbvEnUrIHMBi4A/Bq6aq/dTJFg7Mbhv78fcSfOkyYM=,tag:+3rZT7N4kFbyDMxO0qzQ5g==,type:str] + lastmodified: "2026-03-25T11:22:55Z" + mac: ENC[AES256_GCM,data:QmbEO1eovjBJvuZu2pai+V+5qMWhsBmQSCYvFqRPe1P5cH4eDYwOs24kvjN4FKF55FGPLf9olKMj65wtrX5ve7g5ntvnRbE0lTL0Cm08OvKUk2Bj2tW2Fu+Im7zZrSoQY4WTx533zXHGwvlgEeDT7MPdCTdmoyVUknRgBk2PXOQ=,iv:VT3sNoEEEXrQBdL+dbB9bSnyDxwMH90giVcnMDmy2bM=,tag:VLGTjPw4ZrI0PggVTD9e5Q==,type:str] pgp: - created_at: "2026-02-27T16:44:37Z" enc: |- diff --git a/terraform/dns.tf b/terraform/dns.tf index 38b6b95..c194705 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -68,6 +68,14 @@ resource "hetznerdns_record" "hel1_a" { ttl = 600 } +resource "hetznerdns_record" "ws_a" { + zone_id = data.hetznerdns_zone.banditlair_zone.id + name = "ws" + value = hcloud_server.relay1.ipv4_address + type = "A" + ttl = 600 +} + resource "hetznerdns_record" "grafana_a" { zone_id = data.hetznerdns_zone.banditlair_zone.id name = "grafana" @@ -383,7 +391,7 @@ resource "hetznerdns_record" "froidmont_a" { } resource "hetznerdns_record" "rl_a" { - zone_id = data.hetznerdns_zone.froidmont_zone.id + zone_id = data.hetznerdns_zone.banditlair_zone.id name = "rl" value = hcloud_server.relay1.ipv4_address type = "A"