From 03e0b54183aecd7cc89eea9c90527b9049336d58 Mon Sep 17 00:00:00 2001 From: Patrick Date: Thu, 21 Mar 2024 20:39:59 +0100 Subject: [PATCH] WIP: netbird --- hosts/desktopnix/default.nix | 2 + hosts/elisabeth/guests.nix | 49 ++- .../elisabeth/secrets/kanidm/secrets.nix.age | Bin 1947 -> 1920 bytes hosts/elisabeth/secrets/netbird/host.pub | 1 + modules/netbird-dashboard.nix | 107 ++++++ modules/netbird-server.nix | 315 +++++++----------- modules/services/kanidm.nix | 2 + modules/services/netbird.nix | 68 ++++ secrets/secrets.nix.age | Bin 5695 -> 5733 bytes .../elisabeth/keys/elisabeth-netbird.age | 16 + .../elisabeth/keys/elisabeth-netbird.pub | 1 + .../psks/elisabeth+elisabeth-netbird.age | 16 + 12 files changed, 381 insertions(+), 196 deletions(-) create mode 100644 hosts/elisabeth/secrets/netbird/host.pub create mode 100644 modules/netbird-dashboard.nix create mode 100644 modules/services/netbird.nix create mode 100644 secrets/wireguard/elisabeth/keys/elisabeth-netbird.age create mode 100644 secrets/wireguard/elisabeth/keys/elisabeth-netbird.pub create mode 100644 secrets/wireguard/elisabeth/psks/elisabeth+elisabeth-netbird.age diff --git a/hosts/desktopnix/default.nix b/hosts/desktopnix/default.nix index 16951da..0866843 100644 --- a/hosts/desktopnix/default.nix +++ b/hosts/desktopnix/default.nix @@ -57,4 +57,6 @@ nixpkgs.config.permittedInsecurePackages = lib.trace "remove when possible" [ "nix-2.16.2" ]; + + services.netbird.enable = true; } diff --git a/hosts/elisabeth/guests.nix b/hosts/elisabeth/guests.nix index 784670d..c936136 100644 --- a/hosts/elisabeth/guests.nix +++ b/hosts/elisabeth/guests.nix @@ -21,6 +21,7 @@ apispotify = "apisptfy"; kanidm = "auth"; oauth2-proxy = "oauth2"; + netbird = "netbird"; }; in "${domains.${hostName}}.${config.secrets.secrets.global.domains.web}"; # TODO hard coded elisabeth nicht so schön 
@@ -61,6 +62,49 @@ in { { enable = true; recommendedSetup = true; + upstreams.netbird = { + servers."${ipOf "netbird"}:80" = {}; + extraConfig = '' + zone netbird 64k ; + keepalive 5 ; + ''; + }; + upstreams.netbird-mgmt = { + servers."${ipOf "netbird"}:3000" = {}; + extraConfig = '' + zone netbird 64k ; + keepalive 5 ; + ''; + }; + virtualHosts.${domainOf "netbird"} = { + forceSSL = true; + useACMEHost = "web"; + locations = { + "/" = { + proxyPass = "http://netbird"; + proxyWebsockets = true; + X-Frame-Options = "SAMEORIGIN"; + }; + "/signalexchange.SignalExchange/".extraConfig = '' + grpc_pass grpc://${ipOf "netbird"}:3001; + grpc_read_timeout 1d; + grpc_send_timeout 1d; + grpc_socket_keepalive on; + ''; + + "/api".proxyPass = "http://netbird-mgmt"; + + "/management.ManagementService/".extraConfig = '' + grpc_pass grpc://${ipOf "netbird"}:3000; + grpc_read_timeout 1d; + grpc_send_timeout 1d; + grpc_socket_keepalive on; + ''; + }; + extraConfig = '' + client_max_body_size 500M ; + ''; + }; } (blockOf "vaultwarden" {maxBodySize = "1G";}) (blockOf "forgejo" {maxBodySize = "1G";}) @@ -154,7 +198,7 @@ in { } ]) (blockOf "paperless" {maxBodySize = "5G";}) - (blockOf "ttrss" {port = 80;}) + #(blockOf "ttrss" {port = 80;}) (blockOf "yourspotify" {port = 80;}) (blockOf "apispotify" { port = 80; @@ -262,8 +306,9 @@ in { // mkContainer "vaultwarden" {} // mkContainer "ddclient" {} // mkContainer "ollama" {} - // mkContainer "ttrss" {} + #// mkContainer "ttrss" {} // mkContainer "yourspotify" {} + // mkContainer "netbird" {} // mkContainer "kanidm" {} // mkContainer "nextcloud" { enablePanzer = true; 
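Review bot: `client_max_body_size 500M ;` in the vhost's `extraConfig` applies to every location, including `/api` and the two gRPC endpoints, whose requests are small JSON/protobuf bodies; the generous limit mainly lets an unauthenticated client push half a gigabyte at the management backend per request, so consider dropping the line or using something like `client_max_body_size 1M;` for this host. `X-Frame-Options = "SAMEORIGIN"` inside `locations."/"` is not a stock NixOS location option — if it is not defined by this repo's own nginx extensions (`recommendedSetup` and `blockOf` are not stock), evaluation fails; the portable form is `extraConfig = "add_header X-Frame-Options SAMEORIGIN always;";`. The enclosing `services.nginx` block starts before this hunk.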
diff --git a/hosts/elisabeth/secrets/kanidm/secrets.nix.age b/hosts/elisabeth/secrets/kanidm/secrets.nix.age index 2ec684ff7332385f8c4c8877658e74ada25a604a..ca3aa4e8d747f48621a8cfd1a291a169cc2d039b 100644 GIT binary patch delta 1892 zcmZvZ`9IVN1Avnp&DNSWYD=NSmI-susL*_8#$3i6-rN5})WIt<>A1bmNsHt$I6l-}lG&^LhV*=kq+zVV@m7dxM-AfHDIx8;K~s zj?PgN(G)Sotb!*YxJ;WGpD4B}DCry}#Y~fN<&Y#W5v!o6VQi8$84foKBDFLnn@J&y zS+E2gN)5!>?JBxl#o=erAmK4VdZi^?kHlbul6V{ypAbZFWD26-BnDpt2PGV|T|-VF zI~CF>n}x_kpj2v>!iZ;b^$Z0@30fh_rz7-aIyOq4q%@%L8B`6;z@{mX$t5heB~C*; zpAjEt6LZA`I#*!Hhw`UD|aV8kc|SRFoImi*sC z25}ZiPc;z2<%V>TF+B(fTa6A9Ku{NYV>4b(@22d|e&?yIsqU}Pk$Sgd z`)X6aKa1k*3%0*{)tNsT;39mAI6g490v+BQYMUEJP1{K8#*4Qz^A1o>fg3*G^XM2W{@W4{XYont3v62I zsrk@YuO^@hD!v5k>T06;1}}U*_!wxdTI<c3thRN}o~E5FSoFAW=g{}k#^wjBijdCxw-MDTOk*FP{&wqY6IYqD zzlqSoWu3p8$`30TtbZx(Cpi79wq^d4Mb2Bxxc)YjsNJ~XW&5V_N{FlHo6&hM&j0Wg z8q&a>os{h5ie@@~*;=cb&Ia`7_On{1(_Ft!0`m=1BWpV5LX-!9 znU4oZLo36PcQn7gbF{+xkS`RN-92Nc$KL!t$NuK(#(zX)m~;Jk#;IIq=#OP6+J(o6 zbuy+Wa_P9woV?n5t;3sD9q_xIbq~i~-Fx?}ERU|XE|iQGKF@{cmoC#<`tqZ6qli7X z4gQyMJF)O3PuHH~k1yEdo4GZr!rQu__;>^Z{=O+elH_0i7mv?I`SYp+Fw zhEZd@3+j7z^{!L+n~h5kI4}KpLoxC}`e-5>KR*3<*}TxtI|^kUv1z5fAl#c$<-l)> zUA{a=;rnbC6<(2Yf9H_pL&(7P8Hl5{a>9=>TcEyrkqP$|1Wtc-(?CDM8pRLWIa4K` z*`J`9-! 
zn%eUbso;S6vZ2ib!p@qGAh&<<(Pg~=c@;0ac6fxX@{3>bCZ{ma_s{W|UYHQI#(lD- zW%uw_j80ej>81?|+h3-4wP4{ZVZfvJt`c<7?z=1_cDh*-2OM)B9om1Q{c1Fsx3?4S zUxU60IW{<&HDn2K!cyAZR}<>x$JwtE54TN3qt2?4CAuZW{Q;`F&gb}GiYxe4sb_zn zWFWBt%(o%S@04F6ZnGD=cMYdrIanDy&ul!IhYqwb&DPG(~5(Jwmc8ueE8)$elFelh_z)1zsUG=%t3;8DDSt| zwyc`whUhCO51P;P`6Z;Zu7btdA{ttmQ^ZU7xM`P3a(;V{#W2P#k aGno4g$fbo=eN64K5p-X7-bCxRy?+5v>N;Zp delta 1919 zcmZwD_gj+(0>E(@tu$&C86pmXmNEiO-jG>AO=1RFWDlxB$eTg(hD-uU1u0daDr#{6;y4xSodSYZSqh?{_U^}fp8E?v&-c51@!`dVa5uxsqCg0q zPQk=tY0ezbrUM0_g&+_itavgHL D94K*y!kVFkQ5*^>o2S)~l9IS!vQEQOXK;j& z5|NHnaMdiTRLiiN5jdR2B*Vbs*27I1_Baz7i-XHVe7%?iC*d?^E~Gb70SjM;lF4cD zG>jXt6Py`%gBBvG=}Jhz#7WFlii9D8S%@rlQnnRqH>H>b=|+)Ki-4pAx!Gx^>-97& zPs~(eby#+$Nlo}4EQO}YNXmwjoElQP5F#S9XtR)Rr(3X^c%~9mr4w*^J_}2camX5m z-VS8jZ6+~{ZX`np$Y8Z)$Up%_3bIhbqzp5j%n(2dZdP`ZJcpvP%485ztuIdY3U+f; zCYvf7OS2$|5{U%_Z4$ggj-+PAJ83dN!O&;{hYG}ILMS8*rz0z94mwWcPy%GTQ_Izh zlT~__05S^A7L-#Eui#ra5)2@Of$#CS;*y4I^bDM*90lxo~U>5fIsxx z>cAJ1Cwjxyc~6}w_;UAjk8EpgaehKDpa`FdJZr87P+rj`FBgx z=Sw~hF)nJm8)fyNUg$Uc)6OiMQ`$jx;pF*ah0~-eVo1VdL zhW}QAXp5tpgHD%01Hqo_^xLemYaRPqn~&THnpmMTig)M#aWo?6=uBHfun)DL^|68_ zi;UkJQ|}rH4XP~P?k8q{dE6E%Iv3kfQKU}q8?C#1sP=<@g30FsMuo22e#LXW>Wb;i zu6q3N7D44k$Cey~yJ*83dQ2XBrnGh5nju^>(lv=oSyH>#T1qX=OWPH-k(6J)>zOX- z5x&N8Eh4X@f4}wD-it0tlHZhaK;G`tH2{CCdfIVA(&lLYx%FWIe@SQYyyvHbXbVOY zq1xmmcZ(6kZ7`l_zzam+-OJy}>Xd~DkUDwh$mn7{T;LP4YA?ub^n48GHU!d5`3g{HgWqw2EVFfx)W$y^={Ymdo6}}oQn*XY->}`dwmsn z_S2GEXH5pbNcJz6D`L(C2`tGcz?`-+SJyeRZZF^c-Gu|PrYXnH06IW8Mj?_Px z&f`Gn*AtxPK$Ig3fM*^EG!zKi6Z@hml0ohS|6N5~WP%Od)rYU%8H5T8>EE%W=Skl4 z>0_JRHKvdo7iGDn53A(D&2l2$1uZa+0eNi!<+s#pCK2i*pN#BVaX-&rc;e=sj&rQe z$%(H8OI|#jx{}+*u~ruO0sCRMR$2o(vNGFaI?_LTZ*@!<@>kbv`0+uy9kv)by|y(r zEArVJ*Xo0NM;WW$ALh>vKYmi3$Tajme&b(BaTiuwnmU!Sv_G!-A_47Sv+5y^>ny1e&&%QogqW|!Y-V%Mu8tRZaaw@Z62cv+S1sQu(?mt*{?lu~(bs!@4- zkNXrA{VJ?)`m5KI-Yq9Rz6%o+-@ascPNg(}bw7WxV8;*dYJzurIgpR))4fw3O_h^2 z9)4o-4!!@cVlHOc(4u?!zkoZ#M=p&VB~E>Bg4C({)bjK1xMbns*|{Cd{l<@OTDaiU 
z5p9HZ#oP9Tu}2^65%X`cTc9A3D0NHn6n8U|-2cjV|G>$mf3r$=&7k?myzU%YSwNWQ w8MoA8*lkm*rtkinKHL3!iF "$OIDC_TRUSTED_DOMAINS" + for f in $(grep -R -l AUTH_SUPPORTED_SCOPES ./); do + ${pkgs.gettext}/bin/envsubst "$ENV_STR" < "$f" > "$f".copy + mv -f "$f".copy "$f" + done + mkdir -p $out + cp -r ./temp/. $out/ + ''; + in + mkIf cfg.enable + { + services.nginx = mkIf cfg.enableNginx { + enable = true; + virtualHosts = { + ${cfg.domain} = { + locations = { + "/" = { + root = "${deriv}/"; + tryFiles = "$uri /index.html"; + }; + }; + }; + }; + }; + }; +} diff --git a/modules/netbird-server.nix b/modules/netbird-server.nix index 015e0b6..3d96266 100644 --- a/modules/netbird-server.nix +++ b/modules/netbird-server.nix 
@@ -9,39 +9,54 @@ mkEnableOption mkOption types - mkDefault + mkPackageOption mkIf ; - cfg = config.services.netbird; + cfg = config.services.netbird-server; - configFile = formatType.generate config.json cfg.settings; + configFile = formatType.generate "config.json" cfg.settings; - formatType = pkgs.format.json {}; + formatType = pkgs.formats.json {}; in { - options.services.netbird = { + options.services.netbird-server = { enable = mkEnableOption "netbird, a self hosted wireguard VPN"; + package = mkPackageOption pkgs "netbird" {}; domain = mkOption { description = "The domain of your netbird instance"; }; + port = mkOption { + description = "The port the management interface will listen on"; + type = types.port; + default = 3000; + }; oidcConfigEndpoint = mkOption { type = types.str; example = "https://example.eu.auth0.com/.well-known/openid-configuration"; description = "The oidc discovery endpoint"; }; - dataDir = mkOption { - description = "Runtime directory where netbird stores its data"; - types = types.path; - default = /var/lib/netbird; + signalPort = mkOption { + description = "The listening port for the signal protocol"; + default = 3001; + type = types.port; }; + + singleAccountModeDomain = mkOption { + description = "Optional domain for single account mode, set to null to disable singleAccountMode"; + type = types.nullOr types.str; + default = "netbird.selfhosted"; + example = null; + }; + turn = { domain = mkOption { description = "The domain under which the TURN server is reachable"; type = types.str; example = "localhost"; + default = cfg.domain; }; port = mkOption { description = "The port under which the TURN server is reachable"; - type = types.int; + type = types.port; default = 3478; }; userName = mkOption { 
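Review bot: `domain` is declared with only a description and no `type`, so a non-string or mistyped value is accepted at definition time and only surfaces when it is interpolated into `turn.domain`'s new default and the STUN/TURN URIs; `type = types.str;` with an `example` gives a clear error instead. `singleAccountModeDomain` uses `example = null`, which shows the disable case but not the normal one — a real domain as the `example` and a sentence in `description` saying that `null` disables the mode would read better. The option set continues outside the hunk.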
@@ -56,15 +71,14 @@ in { }; }; settings = mkOption { + default = {}; type = types.submodule { freeformType = formatType.type; - options = { - }; - config = mkDefault { + config = { Stuns = [ { Proto = "udp"; - Uri = "stun:${cfg.turn.domain}:${cfg.turn.domain}"; + Uri = "turn:${cfg.turn.domain}:${toString cfg.turn.port}"; Username = ""; Password = null; } @@ -73,7 +87,7 @@ in { Turns = [ { Proto = "udp"; - Uri = "stun:${cfg.turn.domain}:${cfg.turn.port}"; + Uri = "stun:${cfg.turn.domain}:${toString cfg.turn.port}"; Username = cfg.turn.userName; Password = cfg.turn.password; } @@ -96,13 +110,13 @@ in { "0.0.0.0/0" ]; }; - Datadir = cfg.dataDir; - DataStoreEncryptionKey = lib.trace "uppsi wuppsi ich hab mein netbird unsiccccccher gemacht" "$NETBIRD_DATASTORE_ENC_KEY"; + Datadir = "/var/lib/netbird-mgmt"; + DataStoreEncryptionKey = lib.trace "uppsi wuppsi ich hab mein netbird unsiccccccher gemacht" "X4/obyAolDVhjGsz8NDb4TJqgCfwmCA7lOtJFHt9L3w="; StoreConfig = { Engine = "sqlite"; }; HttpConfig = { - Address = "0.0.0.0:3000"; + Address = "0.0.0.0:${toString cfg.port}"; #"AuthIssuer" = "$NETBIRD_AUTH_AUTHORITY"; #"AuthAudience" = "$NETBIRD_AUTH_AUDIENCE"; #"AuthKeysLocation" = "$NETBIRD_AUTH_JWT_CERTS"; 
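Review bot: The `Stuns` entry is changed to a `turn:` URI while the `Turns` entry keeps a `stun:` URI, i.e. the schemes are swapped: the STUN list should stay `Uri = "stun:${cfg.turn.domain}:${toString cfg.turn.port}";` and the TURN list should become `Uri = "turn:${cfg.turn.domain}:${toString cfg.turn.port}";`. More serious, `DataStoreEncryptionKey` goes from a placeholder to a literal base64 key that is now in git history and, because `configFile` is rendered with `formatType.generate`, also lands world-readable in `/nix/store` together with `cfg.turn.password`; both should be read from a root-only secret file at service start (for example by substituting them into a copy of the config under `/var/lib/netbird-mgmt` in an `ExecStartPre`) and the committed key should be rotated. The `lib.trace` messages flag the problem but do not stop a deploy. The `settings` submodule starts before and ends after these hunks.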
@@ -127,198 +141,111 @@ in { #"KeycloakClientCredentials" = null; #"ZitadelClientCredentials" = null; }; - #DeviceAuthorizationFlow = { - # Provider = "$NETBIRD_AUTH_DEVICE_AUTH_PROVIDER"; - # "ProviderConfig" = { - # "Audience" = "$NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE"; - # "AuthorizationEndpoint" = ""; - # "Domain" = "$NETBIRD_AUTH0_DOMAIN"; - # "ClientID" = "$NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID"; - # "ClientSecret" = ""; - # "TokenEndpoint" = "$NETBIRD_AUTH_TOKEN_ENDPOINT"; - # "DeviceAuthEndpoint" = "$NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT"; - # "Scope" = "$NETBIRD_AUTH_DEVICE_AUTH_SCOPE"; - # "UseIDToken" = "$NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN"; - # "RedirectURLs" = null; - # }; - #}; + DeviceAuthorizationFlow = { + #Provider = "$NETBIRD_AUTH_DEVICE_AUTH_PROVIDER"; + ProviderConfig = { + Audience = "netbird"; + #"AuthorizationEndpoint" = ""; + #"Domain" = "$NETBIRD_AUTH0_DOMAIN"; + #"ClientID" = "$NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID"; + #"ClientSecret" = ""; + #"TokenEndpoint" = "$NETBIRD_AUTH_TOKEN_ENDPOINT"; + #"DeviceAuthEndpoint" = "$NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT"; + Scope = "openid profile email"; + #"UseIDToken" = "$NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN"; + #"RedirectURLs" = null; + }; + }; PKCEAuthorizationFlow = { ProviderConfig = { - #Audience = "$NETBIRD_AUTH_PKCE_AUDIENCE"; + Audience = "netbird"; ClientID = "netbird"; - ClientSecret = lib.trace "oho bei zo vielen sicherheitzlücken" "$NETBIRD_AUTH_CLIENT_SECRET"; + ClientSecret = lib.trace "oho bei zo vielen sicherheitzlücken" ""; Domain = ""; #AuthorizationEndpoint = "$NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT"; #TokenEndpoint = "$NETBIRD_AUTH_TOKEN_ENDPOINT"; Scope = "openid profile email"; - RedirectURLs = ["localhost:53000"]; - UseIDToken = "$NETBIRD_AUTH_PKCE_USE_ID_TOKEN"; + RedirectURLs = ["http://localhost:53000"]; + UseIDToken = true; }; }; }; }; }; }; - config = - mkIf cfg.enable { - systemd.services = { - netbird-setup = { - wantedBy = [ - "netbird-management.service" - 
"netbird-signal.service" - "multi-user.target" - ]; - serviceConfig = { - Type = "oneshot"; - RuntimeDirectory = "netbird-mgmt"; - StateDirectory = "netbird-mgmt"; - WorkingDirectory = cfg.dataDir; - EnvironmentFile = [ ]; - }; - unitConfig = { - StartLimitInterval = 5; - StartLimitBurst = 10; - }; + config = mkIf cfg.enable { + systemd.services = { + netbird-signal = { + after = ["network.target"]; + wantedBy = ["netbird-management.service"]; + restartTriggers = [ + configFile + ]; - path = - [ - pkgs.coreutils - pkgs.findutils - pkgs.gettext - pkgs.gnused - # ] - # ++ (optionals cfg.setupAutoOidc [ - # pkgs.curl - # pkgs.jq - ]; - - script = - '' - cp ${configFile} ${cfg.dataDir}/management.json - '' - #+ (optionalString cfg.setupAutoOidc '' - # mv ${stateDir}/management.json.copy ${stateDir}/management.json - # echo "loading OpenID configuration from $NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT to the openid-configuration.json file" - # curl "$NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT" -q -o ${stateDir}/openid-configuration.json - - # export NETBIRD_AUTH_AUTHORITY=$(jq -r '.issuer' ${stateDir}/openid-configuration.json) - # export NETBIRD_AUTH_JWT_CERTS=$(jq -r '.jwks_uri' ${stateDir}/openid-configuration.json) - # export NETBIRD_AUTH_TOKEN_ENDPOINT=$(jq -r '.token_endpoint' ${stateDir}/openid-configuration.json) - # export NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT=$(jq -r '.device_authorization_endpoint' ${stateDir}/openid-configuration.json) - # export NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT=$(jq -r '.authorization_endpoint' ${stateDir}/openid-configuration.json) - - # envsubst '$NETBIRD_AUTH_AUTHORITY $NETBIRD_AUTH_JWT_CERTS $NETBIRD_AUTH_TOKEN_ENDPOINT $NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT $NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT' < ${stateDir}/management.json > ${stateDir}/management.json.copy - #'') - #+ '' - # # Update secrets in management.json - # ${builtins.concatStringsSep "\n" ( - # builtins.attrValues ( - # builtins.mapAttrs (name: path: "export ${name}=$(cat 
${path})") ( - # filterAttrs (_: p: p != null) cfg.secretFiles - # ) - # ) - # )} - + '' - - #envsubst '$TURN_PASSWORD $TURN_SECRET $STUN_PASSWORD $AUTH_CLIENT_SECRET $IDP_MGMT_CLIENT_SECRET' < ${cfg.dataDir}/management.json.copy > ${cfg.dataDir}/management.json - - rm -rf ${cfg.dataDir}/web-ui - mkdir -p ${cfg.dataDir}/web-ui - cp -R ${cfg.dashboard}/* ${cfg.dataDir}/web-ui - - export AUTH_AUTHORITY="$NETBIRD_AUTH_AUTHORITY" - export AUTH_CLIENT_ID="$NETBIRD_AUTH_CLIENT_ID" - ${optionalString (cfg.secretFiles.AUTH_CLIENT_SECRET == null) - ''export AUTH_CLIENT_SECRET="$NETBIRD_AUTH_CLIENT_SECRET"''} - export AUTH_AUDIENCE="$NETBIRD_AUTH_AUDIENCE" - export AUTH_REDIRECT_URI="$NETBIRD_AUTH_REDIRECT_URI" - export AUTH_SILENT_REDIRECT_URI="$NETBIRD_AUTH_SILENT_REDIRECT_URI" - export USE_AUTH0="$NETBIRD_USE_AUTH0" - export AUTH_SUPPORTED_SCOPES=$(echo $NETBIRD_AUTH_SUPPORTED_SCOPES | sed -E 's/"//g') - - export NETBIRD_MGMT_API_ENDPOINT=$(echo $NETBIRD_MGMT_API_ENDPOINT | sed -E 's/(:80|:443)$//') - - MAIN_JS=$(find ${cfg.dataDir}/web-ui/static/js/main.*js) - OIDC_TRUSTED_DOMAINS=${cfg.dataDir}/web-ui/OidcTrustedDomains.js - mv "$MAIN_JS" "$MAIN_JS".copy - envsubst '$USE_AUTH0 $AUTH_AUTHORITY $AUTH_CLIENT_ID $AUTH_CLIENT_SECRET $AUTH_SUPPORTED_SCOPES $AUTH_AUDIENCE $NETBIRD_MGMT_API_ENDPOINT $NETBIRD_MGMT_GRPC_API_ENDPOINT $NETBIRD_HOTJAR_TRACK_ID $AUTH_REDIRECT_URI $AUTH_SILENT_REDIRECT_URI $NETBIRD_TOKEN_SOURCE $NETBIRD_DRAG_QUERY_PARAMS' < "$MAIN_JS".copy > "$MAIN_JS" - envsubst '$NETBIRD_MGMT_API_ENDPOINT' < "$OIDC_TRUSTED_DOMAINS".tmpl > "$OIDC_TRUSTED_DOMAINS" - ''; + serviceConfig = { + ExecStart = '' + ${cfg.package}/bin/netbird-signal run \ + --log-file console \ + --port ${builtins.toString cfg.signalPort} + ''; + Restart = "always"; + RuntimeDirectory = "netbird-mgmt"; + StateDirectory = "netbird-mgmt"; + WorkingDirectory = "/var/lib/netbird-mgmt"; }; - - netbird-signal = { - after = [ "network.target" ]; - wantedBy = [ "netbird-management.service" ]; - 
restartTriggers = [ - settingsFile - managementFile - ]; - - serviceConfig = { - ExecStart = '' - ${cfg.package}/bin/netbird-signal run \ - --port ${builtins.toString cfg.ports.signal} \ - --log-file console \ - --log-level ${cfg.logLevel} - ''; - Restart = "always"; - RuntimeDirectory = "netbird-mgmt"; - StateDirectory = "netbird-mgmt"; - WorkingDirectory = cfg.dataDir; - }; - unitConfig = { - StartLimitInterval = 5; - StartLimitBurst = 10; - }; - stopIfChanged = false; - }; - - netbird-management = { - description = "The management server for Netbird, a wireguard VPN"; - documentation = [ "https://netbird.io/docs/" ]; - after = [ - "network.target" - "netbird-setup.service" - ]; - wantedBy = [ "multi-user.target" ]; - wants = [ - "netbird-signal.service" - "netbird-setup.service" - ]; - restartTriggers = [ - settingsFile - managementFile - ]; - - serviceConfig = { - ExecStart = '' - ${cfg.package}/bin/netbird-mgmt management \ - --config ${stateDir}/management.json \ - --datadir ${stateDir}/data \ - ${optionalString cfg.management.disableAnonymousMetrics "--disable-anonymous-metrics"} \ - ${optionalString cfg.management.disableSingleAccountMode "--disable-single-account-mode"} \ - --dns-domain ${cfg.management.dnsDomain} \ - --single-account-mode-domain ${cfg.management.singleAccountModeDomain} \ - --idp-sign-key-refresh-enabled \ - --port ${builtins.toString cfg.ports.management} \ - --log-file console \ - --log-level ${cfg.logLevel} - ''; - Restart = "always"; - RuntimeDirectory = "netbird-mgmt"; - StateDirectory = [ - "netbird-mgmt" - "netbird-mgmt/data" - ]; - WorkingDirectory = stateDir; - }; - unitConfig = { - StartLimitInterval = 5; - StartLimitBurst = 10; - }; - stopIfChanged = false; + unitConfig = { + StartLimitInterval = 5; + StartLimitBurst = 10; }; + stopIfChanged = false; + }; + + netbird-management = { + description = "The management server for Netbird, a wireguard VPN"; + documentation = ["https://netbird.io/docs/"]; + after = [ + "network.target" 
+ "netbird-setup.service" + ]; + wantedBy = ["multi-user.target"]; + wants = [ + "netbird-signal.service" + "netbird-setup.service" + ]; + restartTriggers = [ + configFile + ]; + + serviceConfig = { + ExecStart = '' + ${cfg.package}/bin/netbird-mgmt management \ + --config ${configFile} \ + --datadir /var/lib/netbird-mgmt/data \ + --disable-anonymous-metrics \ + ${ + if cfg.singleAccountModeDomain == null + then "--disable-single-account-mode" + else "--single-account-mode-domain ${cfg.singleAccountModeDomain}" + } \ + --idp-sign-key-refresh-enabled \ + --port ${builtins.toString cfg.port} \ + --log-file consolef + ''; + # TODO add extraCOmmandLine option + Restart = "always"; + RuntimeDirectory = "netbird-mgmt"; + StateDirectory = [ + "netbird-mgmt" + "netbird-mgmt/data" + ]; + WorkingDirectory = "/var/lib/netbird-mgmt"; + }; + unitConfig = { + StartLimitInterval = 5; + StartLimitBurst = 10; + }; + stopIfChanged = false; }; - }) }; + }; } diff --git a/modules/services/kanidm.nix b/modules/services/kanidm.nix index ba3eba6..5dcc958 100644 --- a/modules/services/kanidm.nix +++ b/modules/services/kanidm.nix @@ -119,6 +119,8 @@ in { scopeMaps."immich.access" = ["openid" "email" "profile"]; preferShortUsername = true; }; + groups."netbird.access" = { + }; groups."forgejo.access" = { members = ["forgejo.admins"]; diff --git a/modules/services/netbird.nix b/modules/services/netbird.nix new file mode 100644 index 0000000..ac9fa7c --- /dev/null +++ b/modules/services/netbird.nix 
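Review bot: Both `netbird-signal` and `netbird-management` run as root: neither `serviceConfig` sets `User`/`DynamicUser` and there is no sandboxing, although the two processes only need to bind ports 3000 and 3001 and own `/var/lib/netbird-mgmt`, which holds the SQLite datastore and the encryption key. A dedicated `users.users.netbird` with `User`/`Group` on both units plus the usual hardening (`NoNewPrivileges`, `ProtectSystem = "strict"`, `ProtectHome`, `PrivateTmp`, an empty `CapabilityBoundingSet`) would limit what a compromise of the Go service can reach; the management unit's `serviceConfig` with those additions is sketched below. `--log-file consolef` looks like a typo for `console` — NetBird presumably treats any other value as a file path, which would then be created in the working directory. `after`/`wants` still name `netbird-setup.service`, which this commit removes, so those entries are dead and should be dropped. The hunk runs to the end of the module.
```nix
serviceConfig = {
  # … unchanged: ExecStart …
  Restart = "always";
  User = "netbird";
  Group = "netbird";
  RuntimeDirectory = "netbird-mgmt";
  StateDirectory = [
    "netbird-mgmt"
    "netbird-mgmt/data"
  ];
  WorkingDirectory = "/var/lib/netbird-mgmt";
  NoNewPrivileges = true;
  ProtectSystem = "strict";
  ProtectHome = true;
  PrivateTmp = true;
  CapabilityBoundingSet = "";
};
```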
@@ -0,0 +1,68 @@
+{config, ...}: {
+ imports = [
+ ../netbird-server.nix
+ ../netbird-dashboard.nix
+ ];
+ wireguard.elisabeth = {
+ client.via = "elisabeth";
+ firewallRuleForNode.elisabeth.allowedTCPPorts = [80 3000 3001];
+ };
+
+ networking.firewall.allowedTCPPorts = [80 3000 3001];
+ networking.firewall.allowedUDPPorts = [3478];
+ services.netbird-dashboard = {
+ enable = true;
+ enableNginx = true;
+ domain = "netbird.${config.secrets.secrets.global.domains.web}";
+ settings = {
+ AUTH_AUTHORITY = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird";
+ AUTH_CLIENT_ID = "netbird";
+ };
+ };
+ services.netbird-server = {
+ enable = true;
+ domain = "netbird.${config.secrets.secrets.global.domains.web}";
+ # TODO remove
+ oidcConfigEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird/.well-known/openid-configuration";
+ singleAccountModeDomain = "netbird.patrick";
+ settings = {
+ HttpConfig = {
+ AuthIssuer = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird";
+ AuthKeysLocation = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird/public_key.jwk";
+ };
+ # Seems to be only useful for idp that netbird supports
+ IdpManagerConfig.ClientConfig = {
+ Issuer = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird";
+ TokenEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/token";
+ };
+ DeviceAuthorizationFlow = {
+ Provider = "none";
+ ProviderConfig = {
+ AuthorizationEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/ui/oauth2/";
+ ClientID = "netbird";
+ #ClientSecret = "";
+ TokenEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/token";
+ #RedirectURLs = ["http://localhost:53000"];
+ };
+ };
+ PKCEAuthorizationFlow.ProviderConfig = {
+ AuthorizationEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/ui/oauth2/";
+ };
+ };
+ };
+ services.coturn = {
+ enable = true;
+
+ realm = "netbird.${config.secrets.secrets.global.domains.web}";
+ lt-cred-mech = true;
+ no-cli = true;
+
+ extraConfig = ''
+ fingerprint
+
+ user=turn:netbird
+ no-software-attribute
+ external-ip=87.170.9.213
+ '';
+ };
+}
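Review bot: `user=turn:netbird` together with `lt-cred-mech = true` gives the relay a single static, guessable credential that is also committed to git, while `networking.firewall.allowedUDPPorts = [3478]` and the hard-coded `external-ip=87.170.9.213` expose it to the internet — anyone holding that pair can relay arbitrary traffic through the host. Prefer `use-auth-secret` with a secret from agenix (the NixOS coturn module has a `static-auth-secret-file` option) and let NetBird issue time-limited credentials — I believe the management config's `TURNConfig` has `Secret`/`TimeBasedCredentials` for this — or at minimum put a strong random password in a secret file instead of the literal. Separately, `networking.firewall.allowedTCPPorts = [80 3000 3001]` opens the plaintext management API and signal gRPC on every interface of the guest even though nginx on the host is meant to be the TLS and auth boundary; if only the host proxy should reach them, the `firewallRuleForNode.elisabeth` entry already covers that and the global rule can go. `DeviceAuthorizationFlow.Provider = "none"` presumably leaves the `ProviderConfig` under it unused, which deserves a comment or dropping the block until the flow is enabled.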
diff --git a/secrets/secrets.nix.age b/secrets/secrets.nix.age index 81f6c198f0354ae30879e2199532ab4940e78e5a..5330234e836597efdc6e3e07213e70992eb22c84 100644 GIT binary patch literal 5733 zcmV-r7Mkf{XJsvAZewzJaCB*JZZ2K=dZcI^DNn;8vJ|J*ub}eu+H8vnvR8ebHK_EdiW5}>NJ&L9dUQ)iSad^G zMO9N$cT7}NcU4F)GNp@3Ma70f_LQ`--bz=%`QN=`+3HF9=CS9y9)OG`9sQ+En2J|Jo@N-bw{Wnpt= zAZA{0aSBpKGfG1^LP%FeO-WQkF;{qUVr*(wX+%tQIaWerR8MwtT0}2ZS~yiuSz%Lj zI8rY}Y<6gFHf2OmV`wo$LUjs7YfO1?Fj_HCHZ@WpF;EiE8NFLiG#W-nP}Y*24QLpNG4 zR(WhoYj<`qOJ^@@V@PUPP&sK+cQ8myWHbs0beZdE@Qccxt%Y>h*|}x9HGld1b9Hj3 zJS8S5P1Zoq!-*3^;XJ3qJrwy*RqQ?ck5^wkqQ`Gz;Wr` z6O1R0ahj=xrStI+DG$BE-}THu7Os=x?*@!@+sa-NW}p~Ik132^{yXCgWW9yGdphX1 z-aL)0$wp#?(FTbcL^orEMT%j86`aSGI{IkIgx-cfP%N_NBU+J(b~rPslGrEj$`5AA z`v9Q~E9XbLDojc4PYoEP(hyF-nKJO3X|m5+O_2dtq=V_&r$J+A=f2Po5})g7hI7pe zm6!^1^NLcyPnu+rdRO=W%LVK`uUTUlvKZ?AUI^m9n3*}@9#VOIPD?d} zE9$cyIX^y#<=@@DaI{6yrw9@fq6J_~IXAQ&KuhBR@v!Y|<##g~hXfDCb+qKwScCYG zEFI=cG-6W3HlDSiaa}(n^ zgel%N2Hn|i-uc+HAs1 z(X2h((oaCQ)TU6Ut)(s_t|BYdQE-lebv*$Fgb7Ptle0Yq7I4>$bXS}4YqFZi1mxA> zT6Nl8U(ma55}@EL(pTVXH{jB~%g`6(B_`Jf-Gm=)H1kGkZj1|hoD3R2muq=)OISia4;F9=EC?JqBM;|JLBk-^d0JNS0akDku z;s;pqvcY0%&OHX$PZ=+Og~)vjo;XzIu@kO)YrB6d(sdRz3%UR@2Z`O+`C2MbE)iLK z&QYq{1iCFSeGgxwn0$94rOaT8R;p&pE5pq4F*lKOUGs7VmgykUTWYV>4xAQ$n& zPas(U;b?DM_HG1n^l9{_fMl<%g9qfXN~^T+l_}Z-X6EjjQjkCdcuL=_{6RKqN#{Mz11tnj%KCb&~EBBSr+Uo z|3&)h$7lEqfw2#d5gOIY8)OmvHKNZUTcgguI(_G8FB(;>ErT?;(L#;$XQ%-Ixkk85 zHRST(YqXZ@;EyvAht5e0u&S|$cJ~1NsPBpe+Rz3u8Jj_ZZ;y4;Cg6+=i`~nFn4&uZ z5}|Oxd-fI)!h~U%=ZbuPfDQ)9GFIq5_NlOOwkZstGrFgcqKT?aM>;i1I4=~&jdWJ< zY^!(U|GGUh9$ri5YO9E$p7P9XKeWLA0!Kb5th9C(ou)l!I8f{J?t#lf1cs@_yeW1!MWR3HJ)&wdew6^u zMDQ+ax#;%;rELPxzuDJ?kuMGD;0bKnhU2Y1Qk7t5`I)ITV86AKp|I<+apkD)wTfGl zqdJNzG$zCC{2AUY0N7QY(nw*MT)vHUzUa*cA}BA#!7{{Qpv0>ehz}xV=jfxM>_td^ zdMhRib{uDwp~Y<#HG6Tesq^K}+s5}5IyNALM65*WvAwTZ8d#2dXgY-`T~KoF)UKel z8iEc8rFPUuW* zyX&UZlJSuw@8~D64sQ;)eVt(v!HZn4jVL>b)s%c}V8tMXbG4I0lA$Zw+h_M#ogY4d zVPXQvjrrh?qV8mH$cx17H16w$P0#&afAzbX%T_%oez`gCOt1tQtyqcayfM`*4 
z!SC_-nR++xgn205#@2>o(>lABkQ%^9Zq_!Cj}!uxEmdrH<%6V$c>{lKlj8+^VfEs* zzAJZV<|uz$x4yqmE5$XzhxTVA`&JaV1^ZGa8D(HsSx=A+^i7|tw@C;H~-TA+N`TQUb9ykN^s?yIvJf` zT~7#!AQMg$LY#c<>=mL+xDP8e+bPob8TF$1k%P_B=M_$s#cX>@!|ZBaa*jh|ENXU% zJJqAjF68mOm1XT=SKP<~!s=XVZA_{|y^LGijk%}>$Lw4@UQsK!G zAY&xdy2JTgp>x3y7AO>_LCU+D#2~IYgJZ8c(~={{?^?O?B=+E|+CMOx82l$i|A4J% zzgvb@bCxyB*IxZ}^d2Dacz*%_=bunhcA|E&f0AQt?Ys*)cO6hq!L-Sh3#>UB6(hG2 zf>q{fRk$;We^6#r;%{;!(<|@Ffizh9!@u4-;La;)1m5Fja>gtq1x!hc*I)z9G~#3i z;bUc`Q(%xgi`^pTdFUc1>ubDG%n9FanKCslBpv==%1rDJ0s|IY$Bvl;VI@$kABV3U?xAglKl z!iRgA{e^%;y*}5cNuI#LU6Q#VMd6bE@Q%cyluip=^6rAR%*ADXG`Z!bMG`0igS;XHB-^GC!v`d5Bz)%Lsgsn9dT7ET0~Uhq zF%aP&j~2Go>=ZZk(U2__kx#UVH~iJ3>2ml5IH;7!0(3u%_KZp#@sx{ zM-hj2{Gt#Om&aQ$^`7PQy_D4i{UXCrJKiaTt>sPZ@~J(cssxJS7F$1QVa(A*QUc$v z6dO7Zm463k6SbQCY!%w~{6TLLy|#Xu4MtdcK{6Ay!d1Tfmd`^}jtuu{WQx@&QmnBZ z4pNAN+0RHQwnw0^dV^UtNtmycZ^X0g)cp&j`aMT&yv@~n)gwr@TfBmtBJV}unCK+S zqAei1Ox;6He#)| zWQEAevw@tGvM_{?Cabv(aRZV$K-YYTt|lN8|EQaq@|b47jqZeR!ro2u2@@FL^H<#m z*otQh)Ywgqj+k1t(KGlWwF}dStcFs&dO7Jp!fn`x2D8B>7H5u`%>9aI;j?dGXM*iN zG%nGvsBGGI23Va~;+V*gWHT-NZ^4^~8I}$3S-{)~ zv3MYEDbcm-3k_PPAexKS){CKZZ0o?12O*q zyA_x*aLp`A^4y}*3d;KJ+rr`d*qT0Xer2Vk;r3t&6HdVT;cCC~0g6s{i`Pw0q5+qS z7t71X_@V}lMR{PUgY%MrVWG1bJ;9z0Ikry3M1!IS$#i8nkBN97>U7h|=%A-#0n+Dy z>@$gzqJ-y^G*p8Z4kl&O{Y$CUIhbZKOqW%4Z90uY?rHyR4pbo4sYo8iv9dBP!G*>d z1>x)ZgK(!;;K}u(IPfeUN4&tzlr93tAK@fl@}3*D0NOO5ws#92#vG`v1=s z5ajF#N7`i-FZl=LpPf@f+`J|2VDb#o&c|EJ1QgE0xBLLT`wYHNRUm1+$1UKus`eY6 z;yNY76ccPVGGw~K+%|KjoAc_DU84r1Azky$Y9x`QWEFEKr3sYidcB-$&4U7^%@YWY z+}$<;b^F};)4#y|H!(4WVL)VziDXr05GIli(GbkP9~mwspAY2FH@uqM;ohIciTh|& zy9z5+pW(wItwr;!0YU0ePXT|+Ez5`4BmQt8>xdg>(qIO8TY&F4N2`oY(4xvae*AfW z-YC4VP66_{Y=<2W<-)ezflOmzkn1s<9g=lqEB#OM=g$&(l6XTar|~`X#R4q3VNw46 zFsZpqbuV;hLSs3SGub$Z$-4u0gLKoqJ^u{e0KsoL_rY+N>)TmFCV>t`F`1f84T%p< zJ^N+EViLCMF>5(T-(cf6<`{o05sO@Ug|id&tKsuSA@l^3l}vqV+!hPDh_U^q&%);O zLO4h^Hbuu&&}S|?KZd{=|D3H>+3)ixw}bO)P>Vxj2iM>{Cli-0rT-osXPk*I!+vMr 
zY*PxkfceNalQ#OwrK9xaApODNv9zP#DD|-PMt_#6`GgUOKNOakbwGh<0XQ-~DjkzL^=EWc_?^XzuIS zhGEZ@9p>aomryX>kRv4FowzgOD8f(z2YPRJ;HjS&Rl#oX zd{QbOIsWXzOikqKFrqT<9ihctmv_~%fnVF)p*mDj%nBi;`q&z;dP#q8X+ literal 5695 zcmZwCWmgk`!T?~AMnwS;L0XWGF=~MH=o({VbPg84sBJV7B8{}PfP{pEG)hRL(%p)5 ziiDE)y&vy6?=N`HW9N(%LAp73`nr3gac-hGPiHX#fJQ`-6Coib1pslXxT*V?`bbJS z3OT9xxgvoOfQpHjmXMd07D`CWL4|0q;t7@k8u_BB)5}!F6Q;X4;P4W=Q#mI8}Vb)f}7+bbwGO zPQt-kLdXr};H+j3$H)qyO%08FP4%4AC4gRjCTOB5jTyn*7;lW!LO`?-K5pJvqNjtV zrz;p|rY9wC?+i3G(({va(k4P>i7NkNnQJ(swTYZ6E~eg^j?P*zH8XW*ZGbaG(pVZK zZ4S{glGZ|L=)uf9T+QGZkeaF#P?E+;#!E^K>Y|P`2N~PJ;pW~h9tK8YE^vY~#uo`QUKpf<36jQMMq1iLS4aYGCobe6?E%zuuyZ$qm^(r>5UL;_JyjJ`Rh*+AOw$o8 z`TxGWJRBU%un;YP9#RJlfB-PsUhZ%&qy$z11T@k#be8oZ0L+0vh>VyF4H%&&>uTa| zr|RpA(pQ71h^b*PQZfjrmbN5P94cv`>I{KtVNnD#1Bd@w4nQw;H61q*XHTS^7m@}j z1eU@>Fir%Vww4+is|Q8{aH_7_cw?{$$`A(jQ+INga#YiB1A%b9cD_a+KO|fNEM?~F z0RY3rRRCxjeTat;oapIjqD}BHbw}aRKI&?A`l@ghdq-8QtTYmcQukDM*D{0Z%i^63 zy&UurLOu{pAt;TAhzO^)xG_l6Ps&RSiP1F|Cwi)ae8sUiGj(kPbw3{ytfrxk1{$EE z<%dU@(STdc?(#{MO&p8L*d%>)#ZMV`jrm5?EweDb*3Uq3*QTsyE#KmX_HWN=e#j_3 z?FcgTUmqCRVgIRR>;XtUJmuE=86biYfCjx~M-!Q&CEG5-Y zSF=yhT9~dcD*JB9HP__VK)==)Mr{;rA73(NVIgInp~qxcl_6{{4#0a zr*=VK;9(v?v56O>)VFx?DJ}~#_Q-Ra=!APl_f8Trzf~5V??|hs@Wu^he^XZ* zxj>wJutaAmwa0X36c11l=MxpUT%#aG9U)6Tg*H!@PnpU~xqsF)uYQ^+YmBfJmY&3l zUR==x_Shaw1#E-zod6hfs{Jk#VzGA+ms2p;J;~v#r2Y)+_S#PinT2hJ@gF(I_yton zFL@GVQlQ`wC6bYIvrnPYPntElE!4B;0ba%TmEwdT+*9|O3W4qOjxe!pNN98mDX8=eLU zeFMLS;7%v?wzu10Mmh`eMcDkDt>o)GSdp*0^ol)=mN-x{FZ`kTH)Rv1iaWL#5+z%1 zcksL$mzW%f(Pf+x-(ro~5Jy;xMePaY0x-2(i5ioPnv`U_Q z7N4a;mGa|V^yoW1f~o8(phG(-wcv$_@Mym1V$g@`WI8WSj6*c07;C^7Lr1yiQr7lf z&4%TiI~a8@)biIwb)KvL#Q;Eb2Q?zVjXyUUKFj#4(fe^XkaFm+W#;pi66MZcBE&#G zlH$sMVAY6(>wCn24w(%QTC-!@Ed#rM2R``Aht|GN4iCV6eABwodlVTHqRYq|vLh`#+(nn#sQh z14;l4Eu*Suyzctf!do=~q3>Nu^xfqPP*bsH*U7XE(sn9S2-!kf6MySOj&5V4r(VIX ze12xJA;qt}$ZO$uWf4~D4=wSn!havcHaLTjn+!o*^T05eyV ziR>4gm+`k1Y?q@)N9MsUk^W7@B?*!2GCH|3?kI`x{T=$zgB_cM$XTv|*V~0exid!R 
zmB&@W8*cBwAR=uvxjWKHf@&~UDJF|XsmLRcYg;KwHn!R--dE*fgRo`6+3uhpNVd zDDxX=91dYjO}{?f`0=q3zv%AOh?+f?^<(YGc#h`GUh6(Qw7&f~)__l1L+RJ@mcUGj zE0rnnsln4+^Ye9{9XFkr+lK>v?^>NyDX+X;6IT_W!dzKtN(UUxB2)T`iB!K^cXqFv z9(z3I#kza}IRsxWe7-Ls_2Yh^uHq@v%CHF4SJ>{ylvI9LAc-D`Z>S+2B}r6lXajm) zjmy>3q~CSP98E=MQ%O7kt<=!$^wwA`K0QdHNI-5*iBW~CWeRhBSvW!bXm5(i=buWl zc9nP=6-CAV>TjqG@kqy#PX;lrbl5=8zhu!r)vYM^K8K~HJs)2apAHXZfoTM zGzXfX9F-jwUbT@jH>;};kH#(Y^#%Y~O?o{y(MN{!=9bKrVeHm zj;DY+>gtzgMZ-%!hLYq8wBF`0mgj^5<&(|9MJapbW6L{@7i$%!uGa4SN`}xNu8>;T zM9pV(lag^$v}`c<`Q*>eFTLudb(<}B`C**e7=HtF#G;WH5)OX77eHCg1j}u4^bwVsm-Q99V`L<=CTh+y89zz#HL=} zLQBypB}W(d>fzTlxs+3c4$`uXBcs2ErFyZ@&M%Ir&0U>)r1kMd%GI3HPnOth+7)KC z=R0Qj#RPn@kA2|@Xy1d1h9KG?w)d9a>5=YL(F=h*i`OBt_IJcTRy{D%JT2k4+=Kq} zcz2RPK4blg395TC17>~_zuTiKEH%lD%dhxafDILMnQNtL$pZhTAX7-4xZajl%_U#Ipn_0g|BcnY2C~4o; zu-XtZ{NzzAo~Gm_-BP%GEG27oJ+ib)JGe>I9xy}GE30} zG98N8cplc-lf`;7MpyrPdd*=!=?)@^Gb^7gcJ9d^H>1>Risw2JhLk2RIYLc0J5ySz zx*=I}qHTk#lS7hLY>qE&hvEG~&a$^eMrwBw4l#+e8H{s5uT@6QkPn~k53?BXzTFFQ zvWc?W4db{f0TQ8>T6{D$uk%JK%F1RZKZeEumViv`fptfU>RIG4_t_z4vDrhTE;_p9 z;q8jy;B!nixNXvUPJoIaoLQjPJgkaXoPhn6u6iobn~~=+@KajxsW*$MpFt;87y8{4KM_(aC%4|>1fsHry(bw<^-pK|xT z4iirI>gLU@2w$6U?A)FMPXxy|nEspjOBO>i{Rs7O|Fa7DKc|Z3`3axY)6deGkz*56 zE0$&O3XKw+ttL9nW0mf2GdXpJ-IuT~Cy3{K^%l!<)m04D(9XL?nK5Ik?`iM$sf%;W zy_mAEwtMY{mZvSBMBYkQmbZFcg#9#KNxys#PjdrTw)PJo=ixGc*)drDMTT=>^xU>y zj$pw+5E&OyBK;UDp))`2!rnl7dou#PI>5Kl^9TFcsZk)t6JKReZ(C$D0XlqGKM!Ud z+OYU!2#Zf*V}jRyWb4mP`sz(h1KP_&{=`NIX}78x?v|P|7GQ>QzZOQGD9i9=S6>P+ zw7gL&a{QSWKaC^Lrm9Gi&4Vz_e2%igPqa^fUSe&J{TBrj=7Jf~6l}~lU)X6o7$l#M zl~~b!*;%9i?E#P_2jmBUT*D?kJmCYiAyak16&eC}3hnls=}zEyAY@|e_It9*gWx5t zGe^O}*}N)KmX%n+x$kn78}0!skw27euX(x!H(?K*58J0ur3wjj(R?d!lquexa?yV_ zH?*hn$7X~yE=hl#x$=LL+0@nq`xXr~nUiVzXU;uwd6Ap{G<yCjM#vT^Ho;jgzvqB1q1;#xJqxzc^_--I!<@(bCH-O~H`Gj}cII_Zsf_EOE! 
znd$Y*^_8oD?ZC?3y0?~AW=w)bZR|Oou@uCMwS6!CZwT6fgzA$?i-C%84Up68Ob@jUH4EXHyB$C1ILh!Zbf7FU?fkC!1>v*;Im-GrqB-sJ3ND- zjJ>$AL5|Oz$r6`4BAju0!$N|-T%@iG4EqN%2g35buNW&C7kY03p6mtkz9xg!Z<6I8 zPKLmpl*eG_puTE0-=VL#tdUI%uJIt%dfmLA45l3kYUJ0W*LV6=)7@cz{=|UJb#JJ5 zfneYJ%sa=&_3G_3-_m^T3B1C0@X& z>&wU)%m6_w#4h5zaIH&jPmMVw)F?SFox=a5|E1!1@Sw=N!XvfY2=GYbv5JT2*MXp+ z0-1EHBUW;Wl2LB9WBae{){Or$kV{>8>rp>GXW853ih zjJ>|KI{miY>p-qNvw_LD`tjPmcY821iQBPWN*L&%VQCO~;z6`Os2_s3epwkB)XP8c z@8$Cb{5tOT%y{K_DWnJanB8S^ z5;^(OIxjY$Yb^Zs!oAemXvwRX&wEEF*0Z-xT3?}m<83644M`xRlef#ogQpFgRYuPu zV$Z3vq1tNtx}ydhVhPYC-1ING|F za?sZq-Ou~`97%szXXOPaKLk9aATKzt5zOZn>skbm-cQ73@ztew0vG5bnG=hnHSLAF zhUJ4V&qmHNz0<&|3$urp(Oh{ma~XaX8?lZHpCG#}NfE#ag3@uPAgnAVM#lqw@sy9< zihPH(d!Z%r(~8J;6IpO(jNWOZ!)@kKBU#ePTg=}njeC^XSh&b@ae|J86Qi$#r|1#Fe6ys`GV`{#-ei1~7p7i1#0@!``e} i0kx`eRVHnS>umQ_!>V`72-HG1B9LB= X25519 zghXrLqQhlVqAAbMi1k8gvG5IjG9boIJCyEx63DwwGo +/ae8dzj7mPxZdpciA+lLiR6H/WCrIvTkUfaXGP+RZiY +-> piv-p256 XTQkUA A4PgmdpN1WmH++JUTIdADZBqDrCQ2N8HP9FzQ7DtyJuU +CIzSKNP8YYYfMycueE564094XeKJ9mNEceAuUEnvFFI +-> piv-p256 ZFgiIw AgxtRiqyF4Fo6Us/l8vXhWl2tQakCQGwd1Dogf/Wqnyv +Gi9O1lFR2hhfkXoC7cmlpT+iHx0DxeDFmuU9i+Gc4Ms +-> piv-p256 5vmPtQ AsbmH20Pc58VF7tBnoE5iqzlrsahCDTHkvuyAQ4W5SPy +BcJr9QsIDanypSNZ0UWrt0VnJK99LM0FOmCQWc+2rPY +-> piv-p256 ZFgiIw A5CT86jvz263c1GoDrtGVBXZx9EZeQwCL2d/tCXGqay3 +8kHhsuD77fPPLPe8JYTuHNcCtp0VJcdrTg220BVdyGc +-> v-"@h-grease sJN %C \ ?mh0`=L +FarOmtacPX3pzMNzucQdNxI8MpVZdumJghhEPiukRJxp5+3InvEp7lvBhtZv49i3 +QPoKNFjUweN6aXA9Vs1cpSQ +--- k49nSQRFr22Pc4QtH0WlYQ2/yMpBXSJasmQ97ZcxLkU +^shʏLv++'8{ZC}ZPQ0U$:Y1NO l' \ No newline at end of file diff --git a/secrets/wireguard/elisabeth/keys/elisabeth-netbird.pub b/secrets/wireguard/elisabeth/keys/elisabeth-netbird.pub new file mode 100644 index 0000000..9ef8bfe --- /dev/null +++ b/secrets/wireguard/elisabeth/keys/elisabeth-netbird.pub @@ -0,0 +1 @@ +yv8nqlqgBxDIf6oYrn01FRKoKnqZPfdenWIFHxfSLiA= 
diff --git a/secrets/wireguard/elisabeth/psks/elisabeth+elisabeth-netbird.age b/secrets/wireguard/elisabeth/psks/elisabeth+elisabeth-netbird.age new file mode 100644 index 0000000..d7e79b7 --- /dev/null +++ b/secrets/wireguard/elisabeth/psks/elisabeth+elisabeth-netbird.age @@ -0,0 +1,16 @@ +age-encryption.org/v1 +-> X25519 bq+eQrKzKWG2cvp+7cKzpkN7KEbxf4H8aSOBxOBNeVE +uiZloroeAw+q0T9CTGbAg6cdHShGaa5YOVk0iE5FLMM +-> piv-p256 XTQkUA A5CqoI0rxRrOyHv6LksBqtzWPapfCLi6IdK3KAUATzJF +d3VMdZpw0TjU8kZ6WNLcbvenDD4WWxJp2rEogNnW43o +-> piv-p256 ZFgiIw Ah/2IZobkAFu0r0rSHvB9RyQhXh+wk1R9Vlky8J44xib +5GXXZuXybVXcrpU8G8bWYwMOjnzdw7X+YjQaQlA1F4E +-> piv-p256 5vmPtQ AjmJ3ZgFxcbSbGefvufWZNzo0nOc8vl+4jA7kb5kwSbI +2ks2FzxZ/YloeAVCRT/0NEo4hRWzUbknj+pnwtGuEZM +-> piv-p256 ZFgiIw ApvFPxETdpXGYLa9srv+pKFHNOGfa7ie8oyOInKDbOqC +8rIukUZzrkWdH11pnTYfPd259ql/UGg5/Z6SuNvslUA +-> X=N9-grease CPXXj9j! Mf6?oC AuDyAWo z5x1TGOh +CYoYan7n +--- 9xwTgosTBqh7i3YCpHUhvkYV6bormJ3hYP4WHTwwQk4 +Iy0[۞$ތ- :k@ }9  +2l'*ԭ[Sr$*WjB,-wR1B&!.@ \ No newline at end of file