From 138fd6f591eeb4489c9452434d2c5c1d5e73032e Mon Sep 17 00:00:00 2001 
From: josie Date: Mon, 18 May 2026 16:54:00 +0200 Subject: [PATCH 1/3] =?UTF-8?q?feat:=20multi-box=20deployment=20=E2=80=94?= =?UTF-8?q?=20kingfisher=20backends=20+=20albatross=20frigate-edge?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reshapes albatross from a self-contained full Frigate node into an edge consumer of kingfisher's bitcoind/fulcrum/ZMQ over a private WireGuard mesh. Sidesteps the 866 GB pool capacity problem on albatross (bitcoind+txindex+fulcrum already runs over ~950 GB) without giving up the second public TLS endpoint. hosts/_mesh.nix Shared peer registry (kingfisher 10.42.0.1, albatross 10.42.0.2 on 10.42.0.0/24). Imported by both hosts' wireguard.nix. Public keys are PLACEHOLDERs — real keys go in before deploy per the plan. hosts/kingfisher/ + wireguard.nix — wg-mesh participant + per-host private key M frigate.nix — adds exposeBackends so bitcoind RPC, ZMQ sequence, and fulcrum bind on the wg interface in addition to loopback, scoped to albatross's mesh IP via interface firewall. rpcauth HMAC committed (one-way derived); plaintext is the edge consumer's secret. hosts/albatross/ + wireguard.nix — wg-mesh participant M frigate.nix — drops bitcoind/fulcrum/bootstrap toggle, consumes frigate-edge against 10.42.0.1 M hardware-configuration.nix — incidental nixfmt drift secrets/ + bitcoind-rpc-creds.age — `user:password` for albatross to auth against kingfisher bitcoind + wireguard-{kingfisher,albatross}.age — WG private keys, per-host M secrets.nix — recipient registry entries flake.nix — kingfisher adds wireguard-mesh module; albatross swaps `nixosModules.default` for `nixosModules.frigate-edge` + `wireguard-mesh`. .github/workflows/check.yml — adds albatross to the build matrix. 
Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/check.yml | 2 +- flake.nix | 10 +++- hosts/_mesh.nix | 34 +++++++++++ hosts/albatross/default.nix | 1 + hosts/albatross/frigate.nix | 69 ++++++++-------------- hosts/albatross/hardware-configuration.nix | 21 +++++-- hosts/albatross/wireguard.nix | 20 +++++++ hosts/kingfisher/default.nix | 1 + hosts/kingfisher/frigate.nix | 20 +++++++ hosts/kingfisher/wireguard.nix | 20 +++++++ secrets/bitcoind-rpc-creds.age | 1 + secrets/secrets.nix | 25 ++++++-- secrets/wireguard-albatross.age | 1 + secrets/wireguard-kingfisher.age | 1 + 14 files changed, 169 insertions(+), 57 deletions(-) create mode 100644 hosts/_mesh.nix create mode 100644 hosts/albatross/wireguard.nix create mode 100644 hosts/kingfisher/wireguard.nix create mode 100644 secrets/bitcoind-rpc-creds.age create mode 100644 secrets/wireguard-albatross.age create mode 100644 secrets/wireguard-kingfisher.age diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index 9a37339..eafed44 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml @@ -23,7 +23,7 @@ jobs: strategy: fail-fast: false matrix: - host: [finney, kingfisher] + host: [finney, kingfisher, albatross] steps: - uses: actions/checkout@v4 - uses: cachix/install-nix-action@v30 diff --git a/flake.nix b/flake.nix index 4584b53..6fe4f27 100644 --- a/flake.nix +++ b/flake.nix @@ -57,8 +57,14 @@ { nixosConfigurations = { finney = mkHost "finney" [ ]; - kingfisher = mkHost "kingfisher" [ roost.nixosModules.default ]; - albatross = mkHost "albatross" [ roost.nixosModules.default ]; + kingfisher = mkHost "kingfisher" [ + roost.nixosModules.default + roost.nixosModules.wireguard-mesh + ]; + albatross = mkHost "albatross" [ + roost.nixosModules.frigate-edge + roost.nixosModules.wireguard-mesh + ]; }; formatter = forAllSystems (system: nixpkgs.legacyPackages.${system}.nixfmt-tree); 
diff --git a/hosts/_mesh.nix b/hosts/_mesh.nix new file mode 100644 index 0000000..464ac1c --- /dev/null +++ b/hosts/_mesh.nix @@ -0,0 +1,34 @@ +{ ... }: + +# Shared peer definitions for the private WireGuard mesh between +# kingfisher (the all-in-one frigate node) and albatross (the +# frigate-edge consumer). Imported by both hosts' wireguard.nix so the +# `peers` block is one place. Adding a third node is a one-line edit +# here plus that node's own `thisHost` + private-key wiring. +# +# The public keys below are PLACEHOLDERS — wireguard treats them as +# opaque strings during build, so the system closure evaluates fine, +# but `wg set` rejects them at activation. Replace before deploying: +# 1. `wg genkey | tee priv | wg pubkey > pub` per host +# 2. paste the public key into the matching entry here +# 3. `agenix -e secrets/wireguard-.age` and paste the private +# key into the file +# +# Endpoint IPs are kingfisher's and albatross's public addresses. WG +# resolves these once at interface setup; if either box's IP rotates +# the matching entry below has to update too. + +{ + services.roost.wireguard-mesh.peers = { + kingfisher = { + publicKey = "PLACEHOLDER_KINGFISHER_WG_PUBKEY="; + endpoint = "136.243.9.246:51820"; + meshIp = "10.42.0.1"; + }; + albatross = { + publicKey = "PLACEHOLDER_ALBATROSS_WG_PUBKEY="; + endpoint = "46.62.185.45:51820"; + meshIp = "10.42.0.2"; + }; + }; +} diff --git a/hosts/albatross/default.nix b/hosts/albatross/default.nix index d39664e..3d12672 100644 --- a/hosts/albatross/default.nix +++ b/hosts/albatross/default.nix @@ -11,6 +11,7 @@ ./hardware-configuration.nix ./gpu.nix ./frigate.nix + ./wireguard.nix ]; networking.hostName = "albatross"; diff --git a/hosts/albatross/frigate.nix b/hosts/albatross/frigate.nix index afe4eac..e22589c 100644 --- a/hosts/albatross/frigate.nix +++ b/hosts/albatross/frigate.nix 
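Review bot: Step 1 of the key-generation comment in hosts/_mesh.nix, `wg genkey | tee priv | wg pubkey > pub`, creates `priv` under the caller's default umask, so on most systems the WireGuard private key lands in a file that other local users can read. Because the key goes through `tee` rather than a direct redirect, `wg genkey` never sees the file and cannot warn about its permissions. I would write the step as `(umask 077; wg genkey | tee priv | wg pubkey > pub)` and add that `priv` is to be deleted once it has been pasted into the agenix file.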
@@ -6,61 +6,40 @@ }: { - # Own hostname for now (rather than sharing kingfisher's - # frigate.2140.dev). Each backend self-issues its own cert via - # HTTP-01 — no DNS-01 wiring and no shared-cert coordination. - # Future load-balancing work will move both back behind a single - # hostname, fronted by a third host doing TCP/SNI passthrough. - services.public-frigate = { + # Edge-mode Frigate: TLS termination + ACME live here, the bitcoind / + # fulcrum / ZMQ stack runs on kingfisher and is consumed over the + # private WireGuard mesh (see ./wireguard.nix and ../_mesh.nix). + # This sidesteps the storage-capacity problem on albatross's + # ~866 GB pool — frigate's own DuckDB index is the only local data. + services.frigate-edge = { enable = true; host = "albatross.2140.dev"; tls.acmeEmail = "josie@2140.dev"; - }; - # Add josie to the `bitcoin` group so `bitcoin-cli` works directly - # without `sudo -u bitcoin`. Operator name varies per box, so this - # stays per-host. - nix-bitcoin.operator = { - enable = true; - name = "josie"; + backend = { + bitcoind = { + rpcUrl = "http://10.42.0.1:8332"; + authCredentialFile = config.age.secrets.bitcoind-rpc-creds.path; + zmqSequenceEndpoint = "tcp://10.42.0.1:28336"; + }; + electrumUrl = "tcp://10.42.0.1:60001"; + }; }; - # 48-thread Xeon Gold 5412U with 256 GB RAM and a Blackwell RTX PRO - # 6000 (96 GB VRAM). The roost preset's default dbCache of 4 GB - # underuses this box badly during IBD; bump it for faster initial - # sync. Drop back after sync if memory pressure shows up elsewhere. - services.bitcoind.dbCache = lib.mkForce 16384; + # `user:password` consumed by frigate via systemd LoadCredential. The + # matching `rpcauth=user:salt$hash` line lives on kingfisher in its + # `exposeBackends.rpcAuth.passwordHMAC` setting. Mode 0440 + owner + # `frigate` so the frigate user (declared by the bare frigate module) + # can read it for LoadCredential to pick up. 
+ age.secrets.bitcoind-rpc-creds = { + file = ../../secrets/bitcoind-rpc-creds.age; + owner = "frigate"; + mode = "0440"; + }; # systemd starts services with a stripped environment that does not # inherit NixOS's interactive-shell GPU library path. Without this, # frigate's JVM dlopen of libOpenCL.so.1 fails and DuckDB's ufsecp # extension silently falls back to CPU. systemd.services.frigate.environment.LD_LIBRARY_PATH = "/run/opengl-driver/lib"; - - # batchSize tuning is deferred: this GPU is roughly an order of - # magnitude more capable than kingfisher's RTX 4000 SFF Ada and the - # right value will only be visible after a real scan. The module - # default (300_000) is the starting point. - - # BOOTSTRAP: keep the data-bearing services from autostarting on the - # first boot so /var/lib/{bitcoind,fulcrum,frigate} can be populated - # via `zfs recv` from kingfisher without racing live writes. The - # users/groups still get created (those come from the modules' user - # definitions, independent of wantedBy), so the post-recv chown - # step has somebody to chown to. - # - # Also disable autoUpgrade for the duration: the seeding workflow - # destroys the placeholder datasets before recv, which would leave - # mount units in a failed state until recv lands. An hourly rebuild - # firing during that window risks compounding the breakage and - # killed albatross on the first attempt. - # - # Remove this block once the import is complete and push; the next - # nixos-rebuild will land services in multi-user.target normally, - # they will start with the imported state, and autoUpgrade resumes - # polling. - systemd.services.bitcoind.wantedBy = lib.mkForce [ ]; - systemd.services.fulcrum.wantedBy = lib.mkForce [ ]; - systemd.services.frigate.wantedBy = lib.mkForce [ ]; - system.autoUpgrade.enable = lib.mkForce false; } diff --git a/hosts/albatross/hardware-configuration.nix b/hosts/albatross/hardware-configuration.nix index c0d2761..a2e4054 100644 
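Review bot: The `age.secrets.bitcoind-rpc-creds` block in hosts/albatross/frigate.nix decrypts the RPC password with `owner = "frigate"` and `mode = "0440"`, which is wider than the consumer named in its own comment needs. With systemd `LoadCredential=` the service manager reads the source file itself and hands the unit a private copy, so the decrypted file can stay at agenix's root-owned default with `mode = "0400";`, and the group-read bit goes away. That holds only if roost's frigate-edge module really passes `authCredentialFile` through `LoadCredential`, which this patch does not show. If the module instead opens the path directly as the frigate user, keep `owner = "frigate";` but still tighten to `mode = "0400";`.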
--- a/hosts/albatross/hardware-configuration.nix +++ b/hosts/albatross/hardware-configuration.nix @@ -1,14 +1,25 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" ]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "nvme" + "usbhid" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; diff --git a/hosts/albatross/wireguard.nix b/hosts/albatross/wireguard.nix new file mode 100644 index 0000000..2296d09 --- /dev/null +++ b/hosts/albatross/wireguard.nix @@ -0,0 +1,20 @@ +{ config, ... }: + +{ + imports = [ ../_mesh.nix ]; + + # Encrypted private key. Agenix decrypts to /run/agenix/wireguard-albatross + # at activation; the wireguard module reads it as `privateKeyFile`. Mode + # 0400 keeps it root-only on disk. + age.secrets.wireguard-albatross = { + file = ../../secrets/wireguard-albatross.age; + mode = "0400"; + }; + + services.roost.wireguard-mesh = { + enable = true; + thisHost = "albatross"; + privateKeyFile = config.age.secrets.wireguard-albatross.path; + meshCidr = "10.42.0.0/24"; + }; +} diff --git a/hosts/kingfisher/default.nix b/hosts/kingfisher/default.nix index be2a376..f23b299 100644 --- a/hosts/kingfisher/default.nix +++ b/hosts/kingfisher/default.nix @@ -11,6 +11,7 @@ ./hardware-configuration.nix ./gpu.nix ./frigate.nix + ./wireguard.nix ]; networking.hostName = "kingfisher"; diff --git a/hosts/kingfisher/frigate.nix b/hosts/kingfisher/frigate.nix index bf8e98e..4973c8a 100644 --- a/hosts/kingfisher/frigate.nix 
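Review bot: `meshCidr = "10.42.0.0/24";` is repeated as a literal in hosts/albatross/wireguard.nix and again in hosts/kingfisher/wireguard.nix, although hosts/_mesh.nix is introduced as the one place for shared mesh definitions. The same addresses recur as literals in both frigate.nix files (`10.42.0.1` in the backend URLs, `10.42.0.2/32` in `allowedPeers`), so a renumbering has to touch several files and a missed one leaves the firewall allow-list pointing at an address the peer no longer has. I would set `services.roost.wireguard-mesh.meshCidr = "10.42.0.0/24";` once in _mesh.nix and, where the module's option types allow it, derive the frigate addresses from `config.services.roost.wireguard-mesh.peers.<name>.meshIp`.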
+++ b/hosts/kingfisher/frigate.nix @@ -14,6 +14,26 @@ enable = true; host = "frigate.2140.dev"; tls.acmeEmail = "josie@2140.dev"; + + # Expose bitcoind RPC + ZMQ + fulcrum on the WireGuard mesh interface + # so albatross can run frigate-edge against this stack instead of + # carrying its own ~950 GB chain copy. Interface-scoped firewall + # keeps these ports unreachable from the public internet. + # + # The HMAC below is committed (one-way derived from the password); + # the plaintext lives in secrets/bitcoind-rpc-creds.age on albatross. + # See modules/wireguard-mesh.nix for the mesh topology and + # hosts/_mesh.nix for the peer registry. + exposeBackends = { + enable = true; + bindAddress = "10.42.0.1"; + interface = "wg0"; + allowedPeers = [ "10.42.0.2/32" ]; + rpcAuth = { + user = "frigate-edge"; + passwordHMAC = "PLACEHOLDER_RPCAUTH_HMAC"; + }; + }; }; # Operator pattern: add josie to the `bitcoin` group so `bitcoin-cli` diff --git a/hosts/kingfisher/wireguard.nix b/hosts/kingfisher/wireguard.nix new file mode 100644 index 0000000..acdb069 --- /dev/null +++ b/hosts/kingfisher/wireguard.nix @@ -0,0 +1,20 @@ +{ config, ... }: + +{ + imports = [ ../_mesh.nix ]; + + # Encrypted private key. Agenix decrypts to /run/agenix/wireguard-kingfisher + # at activation; the wireguard module reads it as `privateKeyFile`. Mode + # 0400 keeps it root-only on disk. + age.secrets.wireguard-kingfisher = { + file = ../../secrets/wireguard-kingfisher.age; + mode = "0400"; + }; + + services.roost.wireguard-mesh = { + enable = true; + thisHost = "kingfisher"; + privateKeyFile = config.age.secrets.wireguard-kingfisher.path; + meshCidr = "10.42.0.0/24"; + }; +} diff --git a/secrets/bitcoind-rpc-creds.age b/secrets/bitcoind-rpc-creds.age new file mode 100644 index 0000000..b029a35 --- /dev/null +++ b/secrets/bitcoind-rpc-creds.age @@ -0,0 +1 @@ +PLACEHOLDER_REPLACE_BEFORE_DEPLOY diff --git a/secrets/secrets.nix b/secrets/secrets.nix index f471767..ac08100 100644 
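Review bot: The `rpcAuth` block under `exposeBackends` creates the `frigate-edge` RPC user with no visible limit on which RPC methods it may call, so anyone holding albatross's credential file gets whatever the full bitcoind RPC surface on kingfisher allows. bitcoind supports per-user method allow-lists (`rpcwhitelist=<user>:<methods>`); whether roost's `exposeBackends` option sets one is not visible in this patch. If it does not, I would restrict the user to the calls frigate actually uses and record that in the comment above the block, e.g. `# frigate-edge is limited by rpcwhitelist to the RPCs frigate needs`. ZMQ and the fulcrum port carry no authentication of their own, so the `interface`/`allowedPeers` scope is the only control on those two, and the hard-coded `interface = "wg0"` has to match the name the wireguard-mesh module gives its interface. The enclosing `services.public-frigate` block starts above the hunk.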
--- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -11,15 +11,32 @@ # nix run github:ryantm/agenix -- --identity edit-key # and paste its public form into `josie` below. # 4. Encrypt secrets: -# cd secrets && nix run github:ryantm/agenix -- -e bitcoind-rpcauth.age +# cd secrets && nix run github:ryantm/agenix -- -e .age # 5. Reference them from a host module via `age.secrets..file = ./secrets/.age;`. let josie = "age1...REPLACE_ME_WITH_YOUR_AGE_PUBKEY"; finney = "ssh-ed25519 AAAA...REPLACE_ME_WITH_HOST_KEY_AFTER_FIRST_BOOT"; kingfisher = "ssh-ed25519 AAAA...REPLACE_ME_WITH_HOST_KEY_AFTER_FIRST_BOOT"; + albatross = "ssh-ed25519 AAAA...REPLACE_ME_WITH_HOST_KEY_AFTER_FIRST_BOOT"; in { - # Examples — uncomment and create the .age files when wiring services: - # "bitcoind-rpcauth.age".publicKeys = [ josie kingfisher ]; - # "wireguard-finney.age".publicKeys = [ josie finney ]; + # `user:password` for the bitcoind RPC user that frigate-edge on + # albatross uses to authenticate to kingfisher's bitcoind. The + # corresponding rpcauth HMAC lives in + # hosts/kingfisher/frigate.nix (services.public-frigate.exposeBackends.rpcAuth.passwordHMAC). + "bitcoind-rpc-creds.age".publicKeys = [ + josie + albatross + ]; + + # Per-host WireGuard private keys. Each one only needs to decrypt on + # its own host plus josie (so josie can re-encrypt if needed). + "wireguard-kingfisher.age".publicKeys = [ + josie + kingfisher + ]; + "wireguard-albatross.age".publicKeys = [ + josie + albatross + ]; } diff --git a/secrets/wireguard-albatross.age b/secrets/wireguard-albatross.age new file mode 100644 index 0000000..b029a35 --- /dev/null +++ b/secrets/wireguard-albatross.age @@ -0,0 +1 @@ +PLACEHOLDER_REPLACE_BEFORE_DEPLOY diff --git a/secrets/wireguard-kingfisher.age b/secrets/wireguard-kingfisher.age new file mode 100644 index 0000000..b029a35 --- /dev/null +++ b/secrets/wireguard-kingfisher.age @@ -0,0 +1 @@ +PLACEHOLDER_REPLACE_BEFORE_DEPLOY 
From 7c56381544633a1ee35b76274945904e0e98283d Mon Sep 17 00:00:00 2001 From: josie Date: Tue, 19 May 2026 13:47:58 +0200 Subject: [PATCH 2/3] deploy: pin roost to multi-box merge, fill real keys MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Resolves every placeholder put down with the initial multi-box commit: flake.lock — bump roost to b9c80be (multi-box merged) hosts/_mesh.nix — real WG public keys for kingfisher + albatross hosts/kingfisher/frigate.nix — real rpcauth HMAC for the frigate-edge user secrets/secrets.nix — real recipient pubkeys (josie age + two host SSH) The three encrypted .age blobs at secrets/*.age still contain placeholder bytes; those get rewritten with the actual ciphertext by josie locally before deploy (the private keys never touch this commit). Co-Authored-By: Claude Opus 4.7 (1M context) --- flake.lock | 6 +++--- hosts/_mesh.nix | 16 +++++----------- hosts/kingfisher/frigate.nix | 2 +- secrets/secrets.nix | 6 +++--- 4 files changed, 12 insertions(+), 18 deletions(-) diff --git a/flake.lock b/flake.lock index e1f0fcb..da87afe 100644 --- a/flake.lock +++ b/flake.lock @@ -214,11 +214,11 @@ ] }, "locked": { - "lastModified": 1779107941, - "narHash": "sha256-uqcr+MR6f+EAxmWedrezCOirUTMEjaT47sl+8Wg1Glk=", + "lastModified": 1779190854, + "narHash": "sha256-c2G3VCBrqLyoTg8fzzN81vfBhW1dJHljEGCXrmohaC8=", "owner": "2140-dev", "repo": "roost", - "rev": "5a675cb898286f3cb93cc44269471c965da7e6c2", + "rev": "b9c80bebae089e0658baa5a17f65fd38f75badd7", "type": "github" }, "original": { diff --git a/hosts/_mesh.nix b/hosts/_mesh.nix index 464ac1c..bf618db 100644 --- a/hosts/_mesh.nix +++ b/hosts/_mesh.nix 
@@ -6,27 +6,21 @@ # `peers` block is one place. Adding a third node is a one-line edit # here plus that node's own `thisHost` + private-key wiring. # -# The public keys below are PLACEHOLDERS — wireguard treats them as -# opaque strings during build, so the system closure evaluates fine, -# but `wg set` rejects them at activation. Replace before deploying: -# 1. `wg genkey | tee priv | wg pubkey > pub` per host -# 2. paste the public key into the matching entry here -# 3. `agenix -e secrets/wireguard-.age` and paste the private -# key into the file -# # Endpoint IPs are kingfisher's and albatross's public addresses. WG # resolves these once at interface setup; if either box's IP rotates -# the matching entry below has to update too. +# the matching entry below has to update too. The private keys +# matching the public keys below live in secrets/wireguard-.age, +# encrypted to both `josie` and the host's own SSH key. { services.roost.wireguard-mesh.peers = { kingfisher = { - publicKey = "PLACEHOLDER_KINGFISHER_WG_PUBKEY="; + publicKey = "65eBW/IfinjLj7Q9HBnw+CBeEAx/6zaMVDejs+Vxb2o="; endpoint = "136.243.9.246:51820"; meshIp = "10.42.0.1"; }; albatross = { - publicKey = "PLACEHOLDER_ALBATROSS_WG_PUBKEY="; + publicKey = "BZFpBTwYt3RUPFkIMQIrXZgkMDGryaae/empkoEiehE="; endpoint = "46.62.185.45:51820"; meshIp = "10.42.0.2"; }; diff --git a/hosts/kingfisher/frigate.nix b/hosts/kingfisher/frigate.nix index 4973c8a..9c507d8 100644 --- a/hosts/kingfisher/frigate.nix +++ b/hosts/kingfisher/frigate.nix @@ -31,7 +31,7 @@ allowedPeers = [ "10.42.0.2/32" ]; rpcAuth = { user = "frigate-edge"; - passwordHMAC = "PLACEHOLDER_RPCAUTH_HMAC"; + passwordHMAC = "bec2842f5d4d3451316cc22f5db6560c$804448c1fd845e4160f5e6cc182b8250d5324679b9372e817fdb37c42ea71cc9"; }; }; }; diff --git a/secrets/secrets.nix b/secrets/secrets.nix index ac08100..068c5d2 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
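Review bot: The `passwordHMAC` value committed in hosts/kingfisher/frigate.nix is in bitcoind's rpcauth format, a salt plus a single HMAC-SHA256 of the password, so publishing it is safe only when the password is long and randomly generated rather than chosen by hand. Nothing in the repository records that requirement or ties this value to the encrypted counterpart. I would add a comment next to the value such as `# password must be machine-generated (32+ random bytes); rotate this HMAC and secrets/bitcoind-rpc-creds.age together`. The enclosing `exposeBackends` block starts above this one-line hunk.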
@@ -14,10 +14,10 @@ # cd secrets && nix run github:ryantm/agenix -- -e .age # 5. Reference them from a host module via `age.secrets..file = ./secrets/.age;`. let - josie = "age1...REPLACE_ME_WITH_YOUR_AGE_PUBKEY"; + josie = "age1jf8np2gw2wkd0k46x4z3plr47jz0kqvjker63jh2xqqjqpszcedsg2e6ug"; finney = "ssh-ed25519 AAAA...REPLACE_ME_WITH_HOST_KEY_AFTER_FIRST_BOOT"; - kingfisher = "ssh-ed25519 AAAA...REPLACE_ME_WITH_HOST_KEY_AFTER_FIRST_BOOT"; - albatross = "ssh-ed25519 AAAA...REPLACE_ME_WITH_HOST_KEY_AFTER_FIRST_BOOT"; + kingfisher = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB2j+A4rvxr+5JIP4XrRqAI3uHUOriAPpiDSc8F+izAG root@kingfisher"; + albatross = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAPnn6DYBcz7nkpnOniTfwLtncQ8JlzYSjkFLd5uL5o3 root@albatross"; in { # `user:password` for the bitcoind RPC user that frigate-edge on From fdab86358e4458ae40b0ae1d475b742492ac85ca Mon Sep 17 00:00:00 2001 From: josie Date: Tue, 19 May 2026 13:57:37 +0200 Subject: [PATCH 3/3] deploy: encrypt secrets for multi-box deployment MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replaces the three plaintext placeholder .age files with real ciphertext from `agenix -e`. Each secret is encrypted to josie's age key plus the SSH host key of whichever box decrypts it at activation: bitcoind-rpc-creds.age → josie + albatross contains `frigate-edge:`, read by frigate-edge via LoadCredential and matched against kingfisher's rpcauth HMAC on bitcoind. wireguard-kingfisher.age → josie + kingfisher contains the WG private key matching the public key in hosts/_mesh.nix. wireguard-albatross.age → josie + albatross same shape, albatross side. Co-Authored-By: Claude Opus 4.7 (1M context) --- secrets/bitcoind-rpc-creds.age | 10 +++++++++- secrets/wireguard-albatross.age | 9 ++++++++- secrets/wireguard-kingfisher.age | 8 +++++++- 3 files changed, 24 insertions(+), 3 deletions(-) 
diff --git a/secrets/bitcoind-rpc-creds.age b/secrets/bitcoind-rpc-creds.age index b029a35..e4130ba 100644 --- a/secrets/bitcoind-rpc-creds.age +++ b/secrets/bitcoind-rpc-creds.age @@ -1 +1,9 @@ -PLACEHOLDER_REPLACE_BEFORE_DEPLOY +age-encryption.org/v1 +-> X25519 HmHFvOhvEcpO8m1QxQOapgtRxbzYBy/Ep/wtZ2YFsRs +eku0xiNGs2F6FYpwsjKJCJ9u66c5opg22mZAl/aWKoM +-> ssh-ed25519 gk326w I6Yz6OCVP/J4xYDKIaKKPrUITRpwnmfbuYj3mcgDkzI +pr67JMb6f7zIkNr8OeK1FVn3Uq3J/IanazqIzjN4PQA +--- DgrxI4XH1OG1OUFvxHSK8jPfBjs7dvXDxfRrbDNA57g +[t'>.F +5n9<!UZ5r<͸DL׊5-×/ +A!Uݽ1ziXHhvY \ No newline at end of file diff --git a/secrets/wireguard-albatross.age b/secrets/wireguard-albatross.age index b029a35..b94ba18 100644 --- a/secrets/wireguard-albatross.age +++ b/secrets/wireguard-albatross.age @@ -1 +1,8 @@ -PLACEHOLDER_REPLACE_BEFORE_DEPLOY +age-encryption.org/v1 +-> X25519 vuYGyBlUd9JWV2NmLJh1/y15DPqQCF0jx41c/6Rq/Rk +ys9jOAiTgWsZ6JLqxJgaPr8s3uTfbws1P04W6VAWfH0 +-> ssh-ed25519 gk326w PeBwSV+7Ip6wTChUOSBQvq8/4vTaK47s9RnbT4FtEUc +Rz0l+0w68Pn/xkV3YjktyBjORrhwWwolxLlTgSZjuwI +--- 2PZ/h/XsrH2acXB4THqEZW+0qYNQcY90k75l5L1RwTY +xCф +o,| `_%3Op>Ւ=#WZ_d#fvkŏcoĉ/a \ No newline at end of file diff --git a/secrets/wireguard-kingfisher.age b/secrets/wireguard-kingfisher.age index b029a35..4cffa16 100644 --- a/secrets/wireguard-kingfisher.age +++ b/secrets/wireguard-kingfisher.age @@ -1 +1,7 @@ -PLACEHOLDER_REPLACE_BEFORE_DEPLOY +age-encryption.org/v1 +-> X25519 D1Ve7RKEJVkOsoblZrgyTd6k9c1fpQQrUnMkfmlYSyM +/8/jYX7P0Iw/Js4/TqivBXz1q4g3XhR5uHpTrFDjRy0 +-> ssh-ed25519 8eNJZw 3Bo+7+XQgVpwZSY1KvT9P0GOgUHL6YmfakBHUdD1vQc +GM3Od97IzBefnZ99Fc+iUWtvjcoE5baK55FEYRsRfsc +--- XPebRbSZsB1LpCm27WstMLbWgwpzsgitiekJN/8gcPE +yÏ]uyl~55u}-S&72T^ c|k[e'>,|>c@0$Ԭ` \ No newline at end of file