From 006406e9a6a2d0eea3f0a1ac6db9743a69ac7c59 Mon Sep 17 00:00:00 2001
From: Filippo Berto <berto.f@protonmail.com>
Date: Tue, 27 Jun 2023 11:14:35 +0200
Subject: [PATCH] --wip-- [skip ci]

---
 baldur/configuration.nix            |  49 ++++++++++++++++++++++++----
 flake.nix                           |   4 +++
 secrets/baldur_wg_priv.age          |  25 ++++++++++++++
 secrets/baldur_wg_psk.age           |  25 ++++++++++++++
 secrets/garage_rpc_secret.age       | Bin 1326 -> 1424 bytes
 secrets/nextcloud_admin_secret.age  |  49 ++++++++++++++--------------
 secrets/nextcloud_bucket_secret.age | Bin 1365 -> 1300 bytes
 secrets/odin_wg_priv.age            | Bin 0 -> 1389 bytes
 secrets/odin_wg_psk.age             |  26 +++++++++++++++
 secrets/secrets.nix                 |   4 +++
 secrets/spotify_password.age        |  48 +++++++++++++--------------
 11 files changed, 174 insertions(+), 56 deletions(-)
 create mode 100644 secrets/baldur_wg_priv.age
 create mode 100644 secrets/baldur_wg_psk.age
 create mode 100644 secrets/odin_wg_priv.age
 create mode 100644 secrets/odin_wg_psk.age

diff --git a/baldur/configuration.nix b/baldur/configuration.nix
index 292e614..553f368 100644
--- a/baldur/configuration.nix
+++ b/baldur/configuration.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }: {
+{ pkgs, config, ... }: {
   boot = {
     growPartition = true;
     kernelParams = [ "console=ttyS0" "panic=1" "boot.panic_on_fail" ];
@@ -130,6 +130,12 @@
       enable = true;
       openFirewall = true;
     };
+    # wgautomesh = {
+    #   enable = true;
+    #   settings = {
+    #     interface = "wg0";  
+    #   };
+    # };
   };
 
   security.acme = {
@@ -153,12 +159,41 @@
     shell = pkgs.zsh;
   };
 
-  networking.firewall = {
-    enable = true;
-    allowPing = true;
-    allowedTCPPorts = [ 8000 80 443 ];
-    # allowedUDPPorts = [ ];
-    # extraCommands = ''iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns'';
+  networking = {
+    firewall = {
+      enable = true;
+      allowPing = true;
+      allowedTCPPorts = [ 51235 80 443 ];
+      # allowedUDPPorts = [ ];
+      # extraCommands = ''iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns'';
+    };
+    wg-quick.interfaces.wg0 = {
+      address = [
+        "192.168.10.2/24"
+      ];
+      peers = [
+        {
+          # baldur
+          allowedIPs = [
+            "192.168.10.1/24"
+          ];
+          # endpoint = "demo.wireguard.io:12913";
+          publicKey = "K57ikgFSR1O0CXWBxfQEu7uxSOsp3ePj/NMRets5pVc=";
+          # presharedKeyFile = config.age.secrets.baldur_wg_psk.path;
+        }
+        {
+          # odin
+          allowedIPs = [
+            "192.168.10.1/24"
+          ];
+          # endpoint = "demo.wireguard.io:12913";
+          publicKey = "AY2kVl9Znp79wrgHjmTUX5aagJKay7barD4BcMir5SY=";
+          # presharedKeyFile = config.age.secrets.odin_wg_psk.path;
+        }
+      ];
+      privateKeyFile = config.age.secrets."${config.networking.hostName}_wg_priv".path;
+      listenPort = 51235;
+    };
   };
 
   system.stateVersion = "22.11";
diff --git a/flake.nix b/flake.nix
index 8df5c29..818e373 100644
--- a/flake.nix
+++ b/flake.nix
@@ -103,6 +103,10 @@
         {
           # age.secrets.oauth_proxy_client_credentials.file = ./secrets/oauth_proxy_client_credentials.age;
           age.secrets.spotify_password = { file = ./secrets/spotify_password.age; owner = "bertof"; };
+          age.secrets.baldur_wg_priv = { file = ./secrets/baldur_wg_priv.age; };
+          age.secrets.odin_wg_priv = { file = ./secrets/odin_wg_priv.age; };
+          age.secrets.baldur_wg_psk = { file = ./secrets/baldur_wg_psk.age; };
+          age.secrets.odin_wg_psk = { file = ./secrets/odin_wg_psk.age; };
         }
 
         ./nixos_modules/bertof_user.nix
diff --git a/secrets/baldur_wg_priv.age b/secrets/baldur_wg_priv.age
new file mode 100644
index 0000000..cc6012e
--- /dev/null
+++ b/secrets/baldur_wg_priv.age
@@ -0,0 +1,25 @@
+age-encryption.org/v1
+-> ssh-ed25519 lC44xg eswmM0Q9AbLRCsQQq1ZlTnFzZAq4m3IjCBYy3GONuH4
+s/5WMKPYoW4oflZacxkkLkodch60wMbQdbKN9fIPkVw
+-> ssh-ed25519 2L7QNA dkOQottCMaLj1iQSCmiyZpwJdJC/erUNAzf1aXB7RGA
+GEUo6TNwN1jJXBmuEy8iTN3xVYYa1vZJF+tFdz5sEZs
+-> ssh-ed25519 sNAOqA 0elrCKGKgQzyBd3mqVxTVq4bboiBJJKYi+UKNS5ZozA
+K71ijRpi7hK2lqxjMF1LUKy0q83FbT1NovmDf+Kkk0Q
+-> ssh-ed25519 13iwjQ tyC3lOXD830cFLGHc/Ae4ZgF2HhHb7iTlbmPQoJ+HBE
+EIgi/nWMEFYIFhxFiZXYFm53Vm/1pBhhRYdru790oiw
+-> ssh-ed25519 7MB20A +GrWTCkLWOa9uYnQZi4pgzLSJJiqKsZMX3Cq4ijlQBI
+SxW5c3Txd/IaKelHc7VGgKnkqNVn8w1m+VyDqGTJYvk
+-> ssh-ed25519 IvyYug CycRY3+o7lg6UWNjwd+VLApOWH2Mktl7Ud+pBBzq3yw
+3mF23XkJ+cCB9kMEWkF+oYBNOKIQcDvHJIQ0jo7gWcA
+-> ssh-ed25519 v7O/FA CFZvpkvFPOdw0ass4KPU+oLNUBAe3m2+9AAiHFA27Dc
+IRONev1DEc+lD5kwveZdX/Ey8TlEQiATaiTDG5XjJUg
+-> ssh-ed25519 Wzv8ew GhGJdN18tBkCk/Q0zqrfwp6MJVNVx20+z/l03m9BbGg
+IkE2gHSfeSUqB4vu0kXZPw3+bMYYc2KszChenmR8z18
+-> ssh-ed25519 XgC3XA 1zEjnAUysdOuIm5dYKTwXD3sPDyLh8GWsonKxYw7hWo
+/sxObfeZiZXTGQgx2tsga1ykuyweERwYkV7auvuR8bU
+-> ssh-ed25519 l795CA B3WcfrFFNXFQjPKZ5K4M/prj7RCKKPkP8ktZ0XVghBM
+hQhG8C3xd7QR4Eev7X8S94d5buxaJYXtNpzzLfO9jeg
+-> vbUD;-grease Pu.[?[PM 2v0J'W_e EXW(UE
+3VQcTpfcBjiL9iIK0MzJ5KAsg1p+ZX2hxfBwwrfY7Fsn72NeWH/MSxV3RRIUCOY
+--- uooL6VvAvEpWbcnuq6gGDKpN0wOHympu0CVPZWyIddc
+zc»¸{¬³‹…Üg—3v¦RžNÊ(î"ßÒ-jNÏc0z.¾cE4¨ƒšü.Ø¢Ï~hñwÜª³¢äðò­k¹ôÐ‘7Ù»Xü
\ No newline at end of file
diff --git a/secrets/baldur_wg_psk.age b/secrets/baldur_wg_psk.age
new file mode 100644
index 0000000..947f912
--- /dev/null
+++ b/secrets/baldur_wg_psk.age
@@ -0,0 +1,25 @@
+age-encryption.org/v1
+-> ssh-ed25519 lC44xg K4dWWJ1lPXfhlAIRAybZOkBQp/LRJxRGmbOy5jlvi1I
+BX9GP/JpsDjoG+cxNDqpRn5KI/YUJbsOLXHTBDwyUjA
+-> ssh-ed25519 2L7QNA iXXL+Yb8hZvh3RYRDHtBUTtqHHY5oBKEtqmWhHlkt2o
+0XgMpq6fHAYeusPS++Fc6HmFH28M3xNAY1N7ubaEHN0
+-> ssh-ed25519 sNAOqA 9NOzTgetjETYpwKD4HruFt2zyrJ7fAcNn70Oq38N+Ww
+qJUthhdhGxBZ5jxjh6LbDR7aO5EY0opS1Z56jZpG3jU
+-> ssh-ed25519 13iwjQ pPze3cWfSczM8n4WYY5CJcjIU/DGShpioJ9p885P7io
+WuI/QZG7XTxP3BVo0wOACyKTtgRuLe9StVnherNethg
+-> ssh-ed25519 7MB20A vtho1nIxUgJaIMo2LMCn4rmTSR4yWlT9AxNJ/cDWOmI
+TtaLb344pbQq9k29qFMM3ee3okePsQav+EUt4Q31OTY
+-> ssh-ed25519 IvyYug qKOrg57dpDecShTU2TMjMjrZCwXmpxGTiiexYujLPVE
+hgTCdKOpyyHnPbV8eXXWskxd3nGFI/U2rHmhdudYuec
+-> ssh-ed25519 v7O/FA gQJcXXvDefLoFAjj3Vep4qiggkDX8/nCCQh2w6sS8Xs
+B0BQZdQIc+hWMfNVz54tAdFCTjcLSw1t+htSwC5MKUg
+-> ssh-ed25519 Wzv8ew MdVlkPiVjagW9qgp6US0on0ctihFEtA0ISpHbf57i1k
+83jmpZXFnyIY1tBKbgmfpA7inuPkhlTK3s43zASmwwI
+-> ssh-ed25519 XgC3XA BthsRj8+CBrTySpWVTfxbzpE5RqjUKGlYEWehRCOKm0
+0XtGkYD6e2t/bzpXgMeKiw5NwRPUZMZ0Hpwf4c90Nsk
+-> ssh-ed25519 l795CA SEp14FlOLzdCydp+1QEpbpbMuuzhM12ritcpZ4xDllg
+FKKaCHlg74KBscVsH8E9H2KQyG2N9xxwp0oOG3oVTmU
+-> y[|Z-grease )j`~y"},
+AjmSyODTMq+EbK0kDQs+Yw
+--- FxyOaPmh4fQDzD/XGykiw6PwySqaiwyvuo1YSN/ULaU
+q–Õ,‡‚XêÖ–ydß­7ˆq¶‡2Ÿ¡¸Ÿç¡°²¼Ó=ïú®JáüÔŸ9U~x*À—EúþÔÚ­jgÈ·Ü‰BåÀ	öV8û
\ No newline at end of file
diff --git a/secrets/garage_rpc_secret.age b/secrets/garage_rpc_secret.age
index be511ff10009a878c806b00e01fac5aae7a2ba9e..a5628d9780ed235069e2ea9faf37c4842f434ea3 100644
GIT binary patch
literal 1424
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7aW*ljNLTO;4m2wY
zi8OL8H?j<H@zXYsOe+mCtMt{6G<C^x^maFNb*`#N3o!6>GU4)b_c91J^a;-?D)4tH
zEX&K*4#-MQ&P?|ROm<0f(+>A>E%q((2zLxD3PiWf$j3a;&ru;i#WlPvrLZbHFtIYb
z%Gu1lq^Kx4H_{}aBqzwtCAqAk)YB*|)ikFfx16g?->0a^AT>EeU%RBhBCW72*f-eI
zUEia`-^|%1-!IH0D#a_QATZ21(G}gcVn0X!LPv#y!YcQ$RL|U~WcN&`kjy;CQpZqN
z1K%k9{FDj<vjV4FC&OZM*YH67s${OfpfD%*iXx9l_fl^^&(f@91NU54*X%$a{p<?!
zY!656bf3`5R3}s8Fi&*b42?6(vjP=-3f<lOivrSI3$iQ?(~Ug5%o5GBytP9L+`au=
zs!GaTic_7uERymQ9n-nIQc|PLq6~{X16?gGN(|Gz5{r_n^ut0tjXX@81A@~NGm{)W
zq6~~I^Dsiv+}Fv-z)>M7EUnVrAUwCK*wV|VBr-TS-Pt%RG^M06BEP&WBrL$oFu>5u
zRX-#n*MQ5}ATT30+rqgtwW=Z|KR>_F+|VR7s>C=d#6#P-varOfBGT8;FEFbzF&o`)
zo@JGhrRfS~xv74^fr&nmIc~;DMy}3T#qLh&Mrp<tj>hIeiH5=1RS{wCKE7so#*SP@
z9@@qhNtt<BxfQPA29cJQWxmC!<>6ixhAtK%K@~wcj^+kgW?@BMr5LuAnfvRzIV$*-
z=jFTS7+WNzRg@)%xTRzk6qpC;2S-Jvm*p9`m-#z6db%10yXyO7cydLA6qosx=O=l%
z7vy^6<_EhOnt8jr7h4!=`$q<4W)+#6M&<<SCk6+ZV}xXQRhdO<xk9RQj;nuKa+PPO
zk87Z_L54|1fwyOVX=$K&sd<V?fLTPIOF)%JQD}j4IhT)rsE1Q<S-MY9a6pi6VO4Ra
zpP!+&L0CzmMWjnep-*b2Nn(0cSebsJ33^CIq&pi&I4YC{W;pwJW>g0I8YC7Pq?$Mv
z1$!nsYa19vm^qi{C1qxXg!)BjrzD5F8*o(=_!OiEXa|=%hvgXNC0AKkY8T`f`<R7U
z=2n*bSLC^+7pHkU7w6@8Mxxu6V{U2c?5JRv=v*0KRN<R$>|dN!k>!~d>R)aWYLuH_
zl$o4o=$e?8Xyj?&5t*D4V!@Rblu}-1<Y}QFSzHj6<m&8dkx>|-Umli{o8wj-5^P~^
znB`b$Xq@fjQ4X@r#4_GEMK`@DHL*BVAvDRNB2kwsFvHTI(96`=!_nEK*rhbU!#p4(
zB{L(ZJUOx0u{cM+*x5KO*I3`MIMmEE)6&sXKRiFAG|;%X*g3^LEYTv1E6+bK!?d*2
zD=ICuBG}L}C@i2n#W6QD$JC(GBCk9&)g#T^u{1Hu&Dq1qGtJ+`ywcyKpu!^~v(T_2
zqSPfMkt@`%qLNEjS69K%)Fq<O)h#6_BeO7DKQOOUKhxFUpv2wHJ<mHe%plb)Br4cD
zJuSf4Cz5NH$BTbbA@8fMB@3-&y%d~b6wGngtiSiN&Fi4=jt6>u*}S*xO-l4xcOc%3
zRV((iw#wD>Ph;ixZzvWknlgRH!)I?FT5en2Jz1+vE!;6Z&cMQ9=F<A)7KV+tT?`_x
I>aJ=504mASb^rhX

literal 1326
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7aW*ljNLQ##&Pemu
z&kM{msBm(MDy}RG3vsNBbW1D`t8~ju&ovD%t}IXU*3V9JapbZvsx0vK%PP?~F^qEY
zb_@xR$P4fY%`nMvkFw0uPjt+5EpvCxH_S+>C`Y%=$j3a;&r!i6*f-gr*v~JZ(%3Sk
zpg27=#In$@GNQ^a&n>kqqaZyy%h0<#$;B-y(3dMa&my}drNp4DJW*S_)XP68G%C<P
z+$}dZ&m`ANJHRE^#MQvVGtfZa(gfYMVn0X!LPrJnGUqbqfY2m&W1p<tz;MUV%-rH6
zM}0q+d?!Dzs(`$FuS`=*ljPL&a!;-tcW2A;@H|7Gd=ryIzlhA-LPHPF+z9h>LuZ#_
z_n?S!OJ@U5w-iICB2RSN42?6(vjP<=i^@tWi<2|53Ud?Por41`3d4hoLQ>OQEs{%;
zQcX(I41LVf((=tJLQS~x^P`F)(*4RT(=(Eb^Ziqk62r2RLtK4=^vgmjGcvu?jXe_c
z4N9C1qFm8!Gxv2eGH_I=v<y$IG)&ev%#0{4&h*d7&NizG_fINL4{|azbk9lF4-WQ9
zadPr54lCx$^~sE?40Nk7GxT;14{$Vhau0RUcg`*_4bL?33r_Q}Omr!5PxC8xib_Ve
z&9kgBvNT;GpfKOZG$^UKqS)Wu$kn(cD=o^Ss;n$f-?-8>!XT@_Eh;xG(8A3nBRG`H
z(#*XeE!5G|x1v1IKdhw4zcRBlEY~zOEX*vk*xNJFFTAjzEW9kSv;-q0%gp`t-5eFP
z!#vELE#170j9s$beD$N8Gs28aEdv5VTn&s}O)Q*@wcYZ<a(yGyGA+1rf=m6(!UEDO
zq5{3sQ!UCOvoeFdLR~VQ99=^)lcMsR68)13D~mD=Q$o@G7G70mky@@0k!ED!Y?k4Z
z7FkePT$xqwSss{?>fuvl<YC}e7;2WQT~c0>T<K#P?BvQ-=INSbR;gX!SXfo;<m{bS
zn696k<(*WJpXE{N9AOxo@0L^Sm=lrX8g7AZTSU6EafG9STcKfAs9&*PKyGrHUuCIb
zvXhU$c8a&3sdrG2M_`qgp`mGNVyLN^yFnyZpre6)l8L9Yo3U#^p?Q>#xqEh&c1DJ$
zcBDseMPOK1X|ju9U`kX`RCqeNZ8_$arp}HE>4jdQ!IjzWK`Cib2449=sjl9Uh1q_t
zAwKyQeo^U#VU^)2#Tky}o;em=jz-3%8Lp;2DPi8h?m<OHRp|kt#+6=aWd-3LUM8L{
znFg8uCP|r&S%%pl+w^qPi&7JdQx$9!>gp82eZzgyBDuT*(!+8qQyk6HEwl3cl6|6*
zJlrjkQ}lzKic2Fa^1LgG^SN|&brs6OT>Xuc!c&u6!_)K3vT`$1Ez-0-EG<2&5+j1#
z^MVXKjKhq}Dou>?9l1=4R$t6nHkEZ|w@iX!rNz1BJ}LEUPOiG`qrNEa!T;Ct+YWuU
zoLlI&_V-Di^!CW~R!#F7$?MZw5|8v4^6FjrXmD}id499N9rHShcOKYuVXJ?AOaCsx
QAKoVCcf`2V@ybmE0GiLYumAu6

diff --git a/secrets/nextcloud_admin_secret.age b/secrets/nextcloud_admin_secret.age
index c3fce91..16b39d3 100644
--- a/secrets/nextcloud_admin_secret.age
+++ b/secrets/nextcloud_admin_secret.age
@@ -1,26 +1,25 @@
 age-encryption.org/v1
--> ssh-ed25519 lC44xg 9e5nfNFt2hdXNukpsEZMPamnZOgZWoU772CpLp5BY2M
-BlrlZmQyllvyi0VH5FND1j1zQnYbzx62Z7Qbdh89sQM
--> ssh-ed25519 2L7QNA 75i/WgIcLrP9oaMRE0CvToF/XrbmvrLmFEOOxLRuXkw
-TeVzeoKkywajFAd1M73QTg3nggpatyOVu1dcLOBnH7U
--> ssh-ed25519 sNAOqA DlEpU6pt3b3Brj7AF5yGs/+9FRJFhevDNgNMo+UXcgc
-CRu+T7bCIxXFA4MSnn4/ztUaNbTJpDejXK+wveVWTRs
--> ssh-ed25519 13iwjQ 43OjYsNkZ/5UQ5dfwxYB3bDFeuUHPW+XxAtyqmJMhH0
-V/P6Ystpx3PnGn+DOsTxe9ikCltNKwA9X8rymEzY3e4
--> ssh-ed25519 7MB20A gPC+CxOmDImMJap8SgkK9NpL4s/GSJmyX2umUmKjRA8
-3ic5wU2Oy3Gfj3GzinFDxFi1KPdWapstegb+zYowg6U
--> ssh-ed25519 IvyYug P/7CQ6DQQym1kM/OLOG8Nakoebz7BNH5CK2DApx5UC8
-9zqvma+HyFRciXLE6DpsSEDOqHQwFTH+PMsm/O4Yjko
--> ssh-ed25519 v7O/FA 1ge/Vw8r5EtumJI48XuXLEFG7aqorWH48Bqb8kSaBEo
-KuQPV9X0zWAMtNj/APt+eTtfLiWDYV0DsLlRH7x9l0k
--> ssh-ed25519 Wzv8ew El6uIpGgcyCuu9FKpjXOv5L9gItC3vi/yFFUNTFvcUM
-7TDO3r9xfYKTtehaYg68hglQcSgmbzShY8mZRiqUtnk
--> ssh-ed25519 XgC3XA 8zEhP9aNEmKUH2B8Dw4rzn+O6riE+c7jmFESYFRGV3M
-Vmic1XoWQkxTXku+YJ905sdEdW6jRX5XwRGiel6W3ek
--> ssh-ed25519 l795CA cMMrQ1PhDE6WMeP8+qfMsH+QUf5uPcgKh3xr2MRuASY
-Rn6DNsW/8mrL9qYznNuan4iSxNMG4SAfJpZHrmefhHQ
--> m-grease
-0XiydRLe1NgiM8bul8te9GUStrFd6H4dOcB0SDRzf9X2XxhPCFcXUVxNGYoMHXrL
-0zCXWMvDQoNAVhWXxPMgxEx6tyA3hVbjRQsAkjUve6ennirLbNBgc6E
---- DQM3pmcI7d8NtCe7Eox5gqsvlJPssjhugFUcShhB2Y0
-^–äf¶¦ªŸÃ£7%Í5ëEë3Ir0¬ÖP-a)rúÓ([–Å•ãgO€fú‰8&›Å“tžÅžT[ŸëÕ_”±§å5°@ª,"„ƒ~
\ No newline at end of file
+-> ssh-ed25519 lC44xg 91Drbhm8rawrH1Tf4i6sY3b4dV22PUCkXasYJDjnVBk
+JP/im4nu9fRvC6lBmuZqtjK/MONa0QSBX9Je3tcMZnY
+-> ssh-ed25519 2L7QNA p7gDPKqy1aSZo2l049BFUYzozamZe6xy0CZh8xeWBlo
+xlC1v+bF9nJQkQ54ObXfi3Tvj3yVz4+JbHyxmIQGsDI
+-> ssh-ed25519 sNAOqA OsIskIft3nuF89TJ66Gsyj64oV2G5+JJhd0tFuFLsGI
+YkMztKrO0OtEtCdqnhNe3YkX493l+jSJT+k9sbScMKE
+-> ssh-ed25519 13iwjQ 7PzPPgN6r8f/cUdSfTp5E9wWF1574yNwAtmuX5i3FxE
+jfkjBP4GBmghOCaiQ6FGNaqoDvLlCt0Bbln4TxLNYiY
+-> ssh-ed25519 7MB20A Fwbdkqeecc6cI9EN67VWSlT0kE4/IJIiANX9dtM5pA4
+8vMUxIxzQEwn+IB0QP4wxdixOd5fnsSHzVn86yearVM
+-> ssh-ed25519 IvyYug OUah9hhgBilrcgdR/8u+POTWSwujWsp8AA+YiPmvFCs
+arwEHcpNqCwswlob+KZlIdbmS5YHLfWUXKDfsWoU6dM
+-> ssh-ed25519 v7O/FA yq5SYgje+HOJwZ9/bKITPv244Ao3aZCsLNkUw+L3dkA
+2pU1nqZgUTLypnpbJ1prR59rMyfBAHhgK+8ddxQjKMs
+-> ssh-ed25519 Wzv8ew y9fZuZAtknkDiZmXYn4ZWyDHoVZ3R9sm3vlzh4I7vhw
+EJAnK5hjNK6Atz2VoQZeO/niZ6Coi3LywbGvxtqP3Bc
+-> ssh-ed25519 XgC3XA z2WuzBfJPnwKJOY+fkgLsOEIArIPgUFtD8O2mLGg0m0
+cK8bD/QqVNJerThnAqtn91Q96TaLsKYSTG4yDNDFKaY
+-> ssh-ed25519 l795CA tNto7MnYOtTlmjl/bhSZEcKDjqnn8ZlbW9BBQQDuAmA
+43kE1/kjso/penSuM3MBSsURVG4rFJpsuCjxKJtWAHY
+-> ,|t-grease
+KOs7pQc4KksrMBNIFip3hz44UmaNEB6K+N4wX2/Oz7ayTQr6vg
+--- 1BqdPneo6efppGPNy9GpeWxCqXfDPsKwj15gUVWDY0k
+9¶»9ÊümÊ‡Rþ#ÐðÎè¤[o„»QŽŒ¤Ð€ˆÔ¸=ólmõÑvÇ•eF{P!¡ª”aEÄ(§d<mcç}W·j£Í3Tç¥í±tãÔ"ì
\ No newline at end of file
diff --git a/secrets/nextcloud_bucket_secret.age b/secrets/nextcloud_bucket_secret.age
index 6f11a36debe0258bbabd32b5620d62b27c2d529a..d9833ce4cd37bf70e07830dec693aacefc21c986 100644
GIT binary patch
literal 1300
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7aW*ljNLR?q_N^$(
zOV7&jN>7iB3`sH!O|}U4Ep!cc^-Xa$a!c}XH*;|g&Ued?FyYEE3-&ZD2+1oAaV`jt
z3@`Q$D$lEQiPBCq3o<dWFn4uM_Rr1n(~tD1bVRq!$j3a;&r!kE!#AudB|j<1wb;-!
z$~(Er%_z0BB&RgdEHgVfIV!hQ+pVg=C@Z@%Gm<OUDbrZnxzH~q%fMedJ1RK8#IeZF
zrJ&5%%e%tUG(9`BB+5KJ+0!tx$P?YRVn0X!LPrICb6=m_U?&Sd5AVDjFS8);yvW3K
z6BnOIQ}c)<?{dRH|KjkB5JNX}qd+c015Z~om!u>U%dlkMvK*JRf<p7mRFgu_szj%>
z$YA4;{KPO5_sB3;eP49j42?6(vjP=N(!GL%v-Au6QbK~w(({wuGTqHx@=YULjWg4-
za!XS5T~oq~_5D*aGXuE_5-ajNyt0f7EDKYzeDeH#%JeflGm=dGi;DBJB7%J_+#<bA
z`~q_;g45A$Gxv2eGH_II3<)bQ3ko)OHa0ZO@hA_q%ysi~F%NSMstj?n$nwxm)i(|=
z4Jh_X$tmYb&dfH-vkWTp@yhT`$~DOKjEo4-wu}l)kIHlM^>H!QcXcT<t_-aT2uen`
z&9kgBvNT;GwIVwsCBob=G9{?eCnO}t-P}A&yV$bIHM=au+cVVEJ2EU&KgGi<&nS{B
z(<Q<vxF{*Y#V<23GA*ejA~ZQMBiT32A}P%%ARsr=&owb1%%{jBv<f4Yl$rbMyE!U^
zxP|6=Mg;p76gc`v1)8~<CuOCVIVT3?xMXI#Bw8AkIQd(arWJ)bWhZl$Sfu!5mpGec
z75bK1mSu$ao8>#DdwEv+7vyFKyM<_*75RG^goIQkW=5j>ExfACBDGv0)2$#VFWbmH
zTi+?9%+DmM*f=0m-_6}HEG(<Y$f!KSJKs6bOW!>)IV+SaBv;$mDALC*)7-4o&?726
zIWaXjs<hm<DAzGLC&{8D)WbF1%gA5fBcvGJwup3R;|NEEa$`dy(@;ap<f6(DZ%5O#
zyzI)Nie%ps?Qj!A<6w^pKOb}NEOUSNu)K6G?|kP76Yt{6^jvdqr#$bh6a&|g46{Jr
zM9ZSA;Kbt4M1yR<j4=Js>{5(0nPYBg>g=fCT4Lapmm6%FmT8{lTAG@zU0#wBkndk?
z8kO(tYvNfHVG^F>?U&^p<yy{_QIT01VB~GCt?#d2>7(x-VHR1GWtkt4QKlc9?(C|c
z?wsx$6;kTz?;Q&An{$|MdQoa(aVl3{M5dovn6E*UWnxvBM^Q;taE>pRuCA^^NMU|f
zSy_cyph>a0NosJ2d0JXwph03`x@nP5NvdafMo6foQKXlXfqx)ZdyIsf${DTTgoaN~
z4*O4eF)@TOYE@{5+_a(uIm^?Vx9y9I{Cag=-MLzx58|)h+&!(6d8$j`#8QdL#iuXs
q+cm{uv%OU0*ZmSx|84Z!Ecevy=<mpBnLFlOpQR)-vwU-K&np1o6R$D=

literal 1365
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7aW*ljNLO%<2rEy^
zOfmB?FEcYSOf(E~^fUD>b}IAn@-3<`40HF+3ot9y)(-b9H{mi$w(tm#N-Z#POwTk=
zO|8%lH1y6*cFqd)%F~W;^YAOrH!U)7tnl*>aYVPx$j3a;&r!iA%rPR-ATce{tjNDI
zBdIhe-8CRNEIF(wF~rx>*Vs3}!y+TXveY%u(U&Wu(yY`l&9bcA-_1GPr^?7(JJQLx
z*vB-e%GJp))ucEhx74{JwLB{{B^%wgVn0X!LPrJnEZ6*EkL03=AYZ3Q14AcEliWae
z^X#0AaDU&N^hzgp_dE}ak|0aRbVsg;%#@^{@U#>k3%5+|fQ+o<45x~~P`65#OlPmM
zK+{yqqDl*IQ!j7*uzYme42?6(vjP?Jv&*8q^Zi}2E!>@gN|J(n!?HuoN*zrsoeMoZ
z+|s-YicC_=%8OicvJJShOFW#@e2X(J(~?t6)BVjuf_-y5szS8Wk_?>uvm6sc0{jC_
ztEvLsy-d(;Gxv2eGH_JzOSUwu$V+i?_xCsQ%P(;^@Jn}(2siQesR&CmPl+-OEDjIO
zN_7q`GdAF|EHLvh3JLRZG%C!=a`ARF^G<RyHm)kED0T8IGYk#zam&ps@b`_#DJw>|
z&9kgBvNT=6-7&l{#K$0{(j&AmAR{QU$~4ivz^}^F*U8AqBA~!2Gu+9bBG5A_BFvR5
zB0nn9+1=Q~#mUz<&?w0z*u^O#B+IkB)U4Py%)cnO*eKo2Jt;9c*EbT~wlZ^neK$vi
zP}9Uhb61~obC)phDC0!0l;8|+&$PgtwDLr+;JieCuQczpAScVjLKjaiH=}$Pm(*;>
z3gcoE_p;P<FSo=9r{H2s6VH+`kD$^blL#*#Z4>SA0B>J(+rq2LEK<uA0s>t#k{w-)
z^^Ggs%Ob)Hi_JV!Ln6H*D~i&>O9~9M3-$9nl3YDgy@Oo2JVS~rJqo>yvI8qqJv_=H
zE%Sp*qS7q11C8<ujC1^5{nOJb%glW(lJm>aZHq{EHjZ#qNH0q)$|%$>sIm+QGjMWE
z4D@mj%*zQW3k`B}EDcH3FOF~tO3#k0tf)-pa`kugs_^voEiu#9cFGB<)ON~<OiXu8
z_ck!mcTM*W^{p~VHa8DUa?-|#w;XdzQ)fqojFNogsK9c!tTeMIU;XSn_lm5PlJYXY
zyyA54Z0%5IpTe@LDxW+Tb0=4>f;3kr-*StLprW9%Y-eo`w;*k^Y>&#Yko<^HzuYj3
za>MWf3ztC4WM@y1-;&B*)E%6we09@{QWJ|)6*L{fJQOPJRr3@o70hZw^YgWwxLiYB
zwIh6T&5{C)4a}<|bIpP+{e3N*0!>0Q!ty<fgZwSE0~{^$Jae7&!^6WJwF5khf=vVT
z6ZQQJxO8=O70iNy@-5xNBU~!ON+Q#J4I+{~EQ&MJyt7OFs|rgEB8-eZvP#ojD>9vn
zxgMyVFZ$;DJ}I@J<w4%huP+bCpV(G(tM1vt$3AA4d864ky;d~c$8pK$WZ^=sUoz$%
zSKb%?THC6<!udN-yM%!o1OJ4U19Q0B?6y3)qVxKjVuk&_EmIaYPx--R;JEvYXvc8?
DkB-1i

diff --git a/secrets/odin_wg_priv.age b/secrets/odin_wg_priv.age
new file mode 100644
index 0000000000000000000000000000000000000000..10d1712dfd6b56ed7d303f93ac2b96e69114cfc4
GIT binary patch
literal 1389
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7aW*ljNLNUyGBfi|
z^T<pobusZQ&kE1;@zXEx^^44k$O{QENeqw7ba!;D^2rW~@Z@qWwus6#&CX8G4E79l
zGcq^IatZXU&~}f?C`xn=DK^eCFE+?X_0KH#j6}E1$j3a;&rzYsz$?Qv*uSJO)KuFd
z*d*02IH=exDL1PqG^;8(GDF`zv^=;fBD~lm$CoRpLf<3UBiPB*FVd;hDaSK2EH}K&
zz$rAP*x1d?+aNSO%gI$gH8Cp0D<9pqVn0X!LPv%2Y@<^1f^5TNpHM$vSARD%Z?Du)
zS9i0d$g)!BBJaY${FJ=Rq7aW#cTcV$Q~ex^WOpN@LiZ5gJj05RWTWuVijtJ9eCMiE
zS4$t)sH!Bhk_yX!LJYqd8fTVg1u8`O<{A2%6-8Q_`viwq26>wmIs1D=XuEjo=URHE
zyA@gFRhgxg8HV|1`*M})yH-YIT4q+3x)qoQ7#e$pMw(ZJ7<=SLWjXsLMH>1TmHAiY
zrRf{wS)lvP+}Fv-z)``)Da1d+#ly|9+`~UJJv_glB-kv_+0oF++n~y+*eom8zc4J=
zJHW}wD3YttL%UqtKPtdIKf|opE6u{iz{NB@I6Ta-up-p0RNLD*H_0_D%BkGX&=K7>
z&$7zM(sTvma=+3PCyVram&#Hnmn5&m5+m1?M5Bnryr7bjM9-9p3P=A`lhE7@=TNQ^
z3s)x>AM>(OCsQL+V`De%LJN=5Dlea$kiukVgY>-YWaoh5Jj)b|!eVsW%FO-s-5eEs
z+)Ba&JUyI)&8xi4vW$#VldJOm^bIrI%AK8~LY<A0wKKGnTynE494)xa4YMj73tUqy
zjr@#q0;4Sb!^}&4@-jRv{mpU<ibI2QLk&IMTnxf|lhV;`3$H4(NG(@zb@lN#t*~(O
zaPu%W_x1}3N)4<?Pbw?S^vQBAa*gl}i^@sM&d$gPt2E#;_OPflGz(2lGzc~=@<}rd
zO)n{}3JNeaDl2wLardZ9^vpF+atcf}_Q6P#5$Vpx5snJJIsP8GVcN-N6|Q;aIVP@A
z1wIv_mQ~s5`4L4qg@#E*nK_mz`36Q+f%#lc?qLC$q1l#B7ViEQ=1JNaB|+|HW+u*6
zk)F8$kpZR#M%umssTL6?1{i+JF}E~zc2vl9%lCJVEDFmi&hs#KD+~(E^EXe6GVwMJ
za?SQE&hT^daMt%S_b>=`Oy@EPa`(z{ig3wE$|=-$PtUd}^bafu_N;Psbn-0l4aw1W
z$~P}?^es>E1*gesAMbo?6C*X<^rF<n;#7r@Dr*HRt0Y@(cLmGJLK}<p0&NB5NOdlQ
zl!!$COb^T4u+(fvfBziAP!Eq#uM)4q@Pa(IbW2Oaa91B^=fo1ff>iyA63^76Liap>
zeV-KP{B-@&K(h$0u*#yaT-ORycWvV=(_|AT_ax`E#FVJO3a@n6q|nF|E?r$+1z#_x
z<ig@)?eI|JGS5__kW>>7b8RCdGsD2JoM3~TRQ<w8kF*>=GXoP(uDN@~_Z@PR_ssIi
zxoNO*W!7R(@yPHQrd=B<Hl;Z4-tt!Y$e~iFX|FaaZ&LV?e<HP);eCYRG2uxO8wF?2
YHDBnm%<F6t(}4$jrq{iAwf{~&0IkWtyZ`_I

literal 0
HcmV?d00001

diff --git a/secrets/odin_wg_psk.age b/secrets/odin_wg_psk.age
new file mode 100644
index 0000000..f00b821
--- /dev/null
+++ b/secrets/odin_wg_psk.age
@@ -0,0 +1,26 @@
+age-encryption.org/v1
+-> ssh-ed25519 lC44xg mdip3HBP+qEHMNFgw+bCXJRr35yCxEqPg4V+pLdZMx0
+yMbZYirQlZMmr95StdYp/1wPjXaxjsNGX472ex3SMfc
+-> ssh-ed25519 2L7QNA r+tO1POIf8Ayi8PC37rLf0p7Y1O5z5CasCHkRK7BtGs
+Ts/86q2fOA9BQyuKTUZ8eac39MnPQ3MJM9y2XXVV7RA
+-> ssh-ed25519 sNAOqA DLcdzGd38r3t4mLvbAFAD15evjuVVMlhgSD2md0HYRw
+2B3LGMJWeVPhkPMmQx8A7aF5HUf6zRMMFG85GX/8e90
+-> ssh-ed25519 13iwjQ jtSOmjgGcGh2XqIoc58J5cgcH5M1O1Z9ZJS0M3TFrgI
+M9EJKUUWwayAYhhGysvpJ2LVWyedn1k0Q9hT5kEt5MQ
+-> ssh-ed25519 7MB20A kqYtQSu3sYRHi4bka/lXMimez0AFGFU5BqoFlGqKmjQ
+Kmk3rIxRw8xeGtfC7cabLiP3DXGhd9oc7vwl/BUFvTQ
+-> ssh-ed25519 IvyYug gMJj5DWImX/iNW+cY39tE4UJUbQlUqfEl0hMQjcS6lQ
+u3mqyt2QmhkrYWAL02b5Pv81tXAgDif1QRZJLc61Nvk
+-> ssh-ed25519 v7O/FA mzDFmhR9wPZT/Wj9Rra1d/8mIXMZfMqMKZ5Wroo9Ygc
+Cz1il7hvvgJFqu4cqFSHbr3FpJAnMvE4RY2BTutXiqU
+-> ssh-ed25519 Wzv8ew qv3oQQMhCw2UnZm6GRE24OJ47N9h2wtO4ayM80it/io
+oIg6KVKFY1bh4HJkj6bUhXq+ThO1kl2w02GhMqHjFz0
+-> ssh-ed25519 XgC3XA P2CmO1HJLq3WzfKFv2gkgfyOQ89ks3Vjqv5lvUHRcDU
+lNTqncVz7Eg2jVjzWGav50twa5XdN4oRhptjdGgUhrs
+-> ssh-ed25519 l795CA Kw1lASAR6zB25xmAzatCH1TvkEWWQtSwS8c9lvvcFAc
+HTBNX95GqBFtXV6mgGCtfh1lXlMDdwNaIp8i60cOfnQ
+-> 0*Wg!:e-grease "7]bbwxk :0H<{U;0 vG
+zh1b0AW0O2PICiREGYcbQ8/aktTtuGY6ppsGioeao53t
+--- LoEv/DfNru/GjqqHLww788WIV5nvB7z5zAhByyRkKb8
+]°¤vnDP¤®ÒòÁýÒ+ØúvBS5¿w¨yžä]»øLfÈ2u-syl“±sæl:#]
+dh)«fÞ³[œsµ-ù…{ØpÓe×!Ï
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index bb39c46..99e272c 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -29,4 +29,8 @@ in
   "garage_rpc_secret.age".publicKeys = users ++ systems;
   "nextcloud_admin_secret.age".publicKeys = users ++ systems;
   "nextcloud_bucket_secret.age".publicKeys = users ++ systems;
+  "baldur_wg_priv.age".publicKeys = users ++ systems;
+  "baldur_wg_psk.age".publicKeys = users ++ systems;
+  "odin_wg_priv.age".publicKeys = users ++ systems;
+  "odin_wg_psk.age".publicKeys = users ++ systems;
 }
diff --git a/secrets/spotify_password.age b/secrets/spotify_password.age
index 0cb9796..c273dba 100644
--- a/secrets/spotify_password.age
+++ b/secrets/spotify_password.age
@@ -1,25 +1,25 @@
 age-encryption.org/v1
--> ssh-ed25519 lC44xg qx8ScB8EQSt3zYm/ssCJBJhDnKRnISz6SDIVtp/CVUw
-KyzGrKbTVrd7+3Qxo7pIE+B0ZfGY8M/ELyX5S52pEfo
--> ssh-ed25519 2L7QNA O+yiQWRmwQTbxVrcR2ZVblt+x67AHVd7Y44uNUG9zWQ
-PJJGYlh9IbQBvVKPSUD3PkneDFpNnnSoGBys6NPGygk
--> ssh-ed25519 sNAOqA iKRbXMoXHsvHu0tvlQSSTILcs130LnK7OtkehxoY2DU
-9OuE3tdLJhLgcx0UF+PacOd/0XlDj1cZiHcw6YTO0Oo
--> ssh-ed25519 13iwjQ PxNLHEV39X1RKvuIBiklbiv5ygjZWRAD/qGOxyaJw3g
-Srqdehuwr6tJ7dCWnV5QsR1mcqb/LUxlnZkKr1gmEPo
--> ssh-ed25519 7MB20A 6nwXbt9UPU08srOlnbVqsM9yYrl2SVmtOhpDoZRpyCw
-1IGrugG0f/anCT6nYffvt1kYcoeWNxeROCz0M0Rmmtk
--> ssh-ed25519 IvyYug 1GtgYlEX8tZzK1mBmudqjNr1TE7ZvBuYkY7CyvCsIlk
-KEwiOT+zne9PfK+Rh5KxgnBaly8IU/GWG5vubJbOSho
--> ssh-ed25519 v7O/FA dmGBSmygIDpqoF+n4/AWxkvAnvB9lcf3eXjqpHA001M
-LTBJvyp/MGYFcLeLBjdatTW0P1Hf1d65AUxBtaANvFg
--> ssh-ed25519 Wzv8ew GRwNr4PcQeiI0qgcl3QGeo2HcFt65DPw+EXHxeNZZD8
-i5QkEwUZLDqJ5VsMcYajnmZ50d04J1WJ406U+bFlQIA
--> ssh-ed25519 XgC3XA DexhXmClBwlAd4/gXAM58MMmLhpqSDCjvWYX2E7X9EU
-HNvLtXFRpXh5JJwUfZ00lXyx+I+RWZpQSli4SbZdvYc
--> ssh-ed25519 l795CA pVq9WszC4VOy61ewkCSykfCnknmsOftp+Cg5Hr5epT4
-1bV64LwANMZe77fPql+GlM0h/8LJ8bW4dETkkoX/MeE
--> ]|v,%-grease
-cdOa3vKMVCeih1cEkDclR4tHhbAZ+3DMprjA9w
---- Fh6zKYunbTLngs9QpT12TtRPvgjO1zypM4Q9YbgzqJw
-¯ÈL#¢b*Šå«XÎHU1þ7Ûé2×ÔÜÑ½F4­†Ä‡HÙï›”K×ˆ†’í
\ No newline at end of file
+-> ssh-ed25519 lC44xg fNZm17lZ7I9OF+9KzG5CkE20zykUWfNiVqfinwfaT1E
+YIf4M7hFVDHxkdbgj9YIkjan31NV298Ne94/5mm+lVw
+-> ssh-ed25519 2L7QNA CVA8eZ1QVvcI7SF5Qf7UlG71NbNHZF0XzEPe7YsZFgw
+9YX+T2GKTXbJNzSPLoXE27q4oV6LQ5HubgoCwKGxS4Y
+-> ssh-ed25519 sNAOqA lJ4QkGtqdcUn9ofknOG/HaCHm6Ya0ZD/UsV5o4GDVkE
+RmKwFfLGnJmNcnC7fAF5BEHMYEjmW2PyUUpJIqtcRKQ
+-> ssh-ed25519 13iwjQ 1uvoQrLZ+DmBhHvei8rHTWsUkDnJVHq7IJQXeZ6Y/Dk
+dwMrSGWryp5pw4bjHAJciVwq+HtrAbu3n/BqZdlfq2k
+-> ssh-ed25519 7MB20A Xmx38wKS0U/yHhCh30ovmik/9g0ryVLgg89DFx4bH1g
+xzrwGBJrmK8e5jNGkDEQ3AxkJ7t7l6qMatSFHwP3i9c
+-> ssh-ed25519 IvyYug /Z3qxc0ETc8hjTYuRT8n0jm3ASLsHqWcDWmqHDiqY3w
+8oNzoP8oe6EbxXoKRScpd9ioRMtux+a9wQXLuFO570I
+-> ssh-ed25519 v7O/FA R4o3qe/Hdr8NU5/Lh5XWI5PcwlAqQhEDxnLax8woc2A
+yewsVadr1x6aOjodDC5AJiAaJ1UZErlwhJrgvKLy4UU
+-> ssh-ed25519 Wzv8ew G0eVpxoMIMQsGZw+bMYMHHs/zlLiYtfdLrMHZztIGWc
+Pe8BgxqumkizijWUzX4pnnow5oZCQi7byRCd+qNIobI
+-> ssh-ed25519 XgC3XA MJWNf+zH+qO1F5uRI6nsEXbeE+8Yq+gSF2RFq0kF0Tg
+Wfqs7UtrwBtCH8clxv44mAXaYCLVJTHSpsP1OD9Py2c
+-> ssh-ed25519 l795CA VRGxjEzDM3Wh6PVbl609EAopcPPc5k/74j7J14el1lY
+YtjcGN40o4R3e5JGlD9Vtks5Aaa1SvjEW6yjQJeiX1A
+-> &-grease ~#1cr
+D7H4Rvbgs/yp9b8X
+--- uHnGjluN/BbsC3f0jQuq5SaOU2woJF+aQLBL6cKPlGk
+äØüÄ¢¶ú I å†öY-‰_`ÂÄŠÜ‰ä8žíuŽOÝÁ{œhƒøûë0ãº
\ No newline at end of file