From 624808fcca1e541f805132f46bbe9fd9ba5678fc Mon Sep 17 00:00:00 2001 From: Patrick Date: Tue, 19 Mar 2024 00:46:35 +0100 Subject: [PATCH] feat: oauth2-proxy --- hosts/elisabeth/guests.nix | 96 ++++++++++++++++-- .../secrets/kanidm/generated/oauth2-proxy.age | 16 +++ .../elisabeth/secrets/kanidm/secrets.nix.age | Bin 1967 -> 1947 bytes .../secrets/oauth2-proxy/cookie-secret.age | 15 +++ .../generated/oauth2-client-secret-env.age | 18 ++++ hosts/elisabeth/secrets/oauth2-proxy/host.pub | 1 + modules/config/nix.nix | 4 - modules/config/users.nix | 1 + modules/services/adguardhome.nix | 6 -- modules/services/forgejo.nix | 2 +- modules/services/kanidm.nix | 20 ++++ modules/services/oauth2-proxy.nix | 90 ++++++++++++++++ secrets/secrets.nix.age | Bin 5565 -> 5695 bytes .../elisabeth/keys/elisabeth-oauth2-proxy.age | 16 +++ .../elisabeth/keys/elisabeth-oauth2-proxy.pub | 1 + .../psks/elisabeth+elisabeth-oauth2-proxy.age | 17 ++++ users/common/programs/kitty.nix | 5 + 17 files changed, 289 insertions(+), 19 deletions(-) create mode 100644 hosts/elisabeth/secrets/kanidm/generated/oauth2-proxy.age create mode 100644 hosts/elisabeth/secrets/oauth2-proxy/cookie-secret.age create mode 100644 hosts/elisabeth/secrets/oauth2-proxy/generated/oauth2-client-secret-env.age create mode 100644 hosts/elisabeth/secrets/oauth2-proxy/host.pub create mode 100644 modules/services/oauth2-proxy.nix create mode 100644 secrets/wireguard/elisabeth/keys/elisabeth-oauth2-proxy.age create mode 100644 secrets/wireguard/elisabeth/keys/elisabeth-oauth2-proxy.pub create mode 100644 secrets/wireguard/elisabeth/psks/elisabeth+elisabeth-oauth2-proxy.age diff --git a/hosts/elisabeth/guests.nix b/hosts/elisabeth/guests.nix index 4156803..784670d 100644 --- a/hosts/elisabeth/guests.nix +++ b/hosts/elisabeth/guests.nix 
@@ -20,6 +20,7 @@
 yourspotify = "sptfy";
 apispotify = "apisptfy";
 kanidm = "auth";
+ oauth2-proxy = "oauth2";
 };
 in "${domains.${hostName}}.${config.secrets.secrets.global.domains.web}";
 # TODO hard coded elisabeth nicht so schön
@@ -64,16 +65,94 @@ in {
 (blockOf "vaultwarden" {maxBodySize = "1G";})
 (blockOf "forgejo" {maxBodySize = "1G";})
 (blockOf "immich" {maxBodySize = "5G";})
- (
- blockOf "adguardhome"
+ (lib.mkMerge
+ [
+ (
+ blockOf "adguardhome"
+ {
+ }
+ )
+ {
+ virtualHosts.${domainOf "adguardhome"} = {
+ locations."/".extraConfig = ''
+ auth_request /oauth2/auth;
+ error_page 401 = /oauth2/sign_in;
+
+ # pass information via X-User and X-Email headers to backend,
+ # requires running with --set-xauthrequest flag
+ auth_request_set $user $upstream_http_x_auth_request_user;
+ auth_request_set $email $upstream_http_x_auth_request_email;
+ proxy_set_header X-User $user;
+ proxy_set_header X-Email $email;
+
+ # if you enabled --cookie-refresh, this is needed for it to work with auth_request
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ add_header Set-Cookie $auth_cookie;
+ '';
+ locations."/oauth2/" = {
+ proxyPass = "http://oauth2-proxy";
+ extraConfig = ''
+ proxy_set_header X-Scheme $scheme;
+ proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+ '';
+ };
+
+ locations."= /oauth2/auth" = {
+ proxyPass = "http://oauth2-proxy/oauth2/auth?allowed_groups=adguardhome_access";
+ extraConfig = ''
+ internal;
+
+ proxy_set_header X-Scheme $scheme;
+ # nginx auth_request includes headers but not body
+ proxy_set_header Content-Length "";
+ proxy_pass_request_body off;
+ '';
+ };
+ };
+ }
+ ])
+ (lib.mkMerge [
+ (blockOf "oauth2-proxy" {})
 {
- virtualHostExtraConfig = ''
- allow ${config.secrets.secrets.global.net.privateSubnetv4};
- allow ${config.secrets.secrets.global.net.privateSubnetv6};
- deny all ;
- '';
+ virtualHosts.${domainOf "oauth2-proxy"} = {
+ locations."/".extraConfig = ''
+ auth_request /oauth2/auth;
+ error_page 401 = /oauth2/sign_in;
+
+ # pass information via X-User and X-Email headers to backend,
+ # requires running with --set-xauthrequest flag
+ auth_request_set $user $upstream_http_x_auth_request_user;
+ auth_request_set $email
$upstream_http_x_auth_request_email;
+ proxy_set_header X-User $user;
+ proxy_set_header X-Email $email;
+
+ # if you enabled --cookie-refresh, this is needed for it to work with auth_request
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ add_header Set-Cookie $auth_cookie;
+ '';
+
+ locations."/oauth2/" = {
+ proxyPass = "http://oauth2-proxy";
+ extraConfig = ''
+ proxy_set_header X-Scheme $scheme;
+ proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+ '';
+ };
+
+ locations."= /oauth2/auth" = {
+ proxyPass = "http://oauth2-proxy/oauth2/auth";
+ extraConfig = ''
+ internal;
+
+ proxy_set_header X-Scheme $scheme;
+ # nginx auth_request includes headers but not body
+ proxy_set_header Content-Length "";
+ proxy_pass_request_body off;
+ '';
+ };
+ };
+ }
- )
+ ])
 (blockOf "paperless" {maxBodySize = "5G";})
 (blockOf "ttrss" {port = 80;})
 (blockOf "yourspotify" {port = 80;})
@@ -179,6 +258,7 @@ in {
 in
 {}
 // mkContainer "adguardhome" {}
+ // mkContainer "oauth2-proxy" {}
 // mkContainer "vaultwarden" {}
 // mkContainer "ddclient" {}
 // mkContainer "ollama" {}
diff --git a/hosts/elisabeth/secrets/kanidm/generated/oauth2-proxy.age b/hosts/elisabeth/secrets/kanidm/generated/oauth2-proxy.age
new file mode 100644
index 0000000..b4b4e78
--- /dev/null
+++ b/hosts/elisabeth/secrets/kanidm/generated/oauth2-proxy.age
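Review bot: The `auth_request /oauth2/auth;` added to `locations."/"` of the adguardhome vhost becomes the only authentication in front of the AdGuard admin UI, because this hunk also drops the `allow <private subnet>; deny all;` rule from that vhost and modules/services/adguardhome.nix in the same patch removes AdGuard's own `users` entry, so any client that reaches the adguardhome container's web port without traversing this nginx gets an unauthenticated DNS/rewrite console. I cannot see from this hunk how the container port is exposed; either pin AdGuard's listener to an address only the nginx guest can reach or keep a local admin user as defense in depth, and state which in a comment next to the `auth_request` line, e.g. `# AdGuard has no users of its own: this auth_request is the only gate, the container port must not be reachable except via this vhost`. A second, smaller issue: `add_header Set-Cookie $auth_cookie;` inside `locations."/"` suppresses every `add_header` inherited from the server level for that location (nginx inherits add_header only when the current level defines none), so if `blockOf` sets HSTS or similar headers they silently vanish on both protected vhosts — re-declare them in this extraConfig, or drop the passthrough, which is only needed with `cookie.refresh` and the new oauth2-proxy module does not enable it as far as this patch shows. The list of `blockOf` entries this hunk edits continues on both sides of the hunk.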
@@ -0,0 +1,16 @@ +age-encryption.org/v1 +-> X25519 23FVuMgnvk6uz0HeokrJvQriQMhbnQrzSqrGMLAuLQ0 +Rr6NqDi6GPYe/ttFe0pJjc4q4yG3f8PYRf1CYz43Nlo +-> piv-p256 XTQkUA A6eV+SQvNKx7KdBjE3VZr3FN4UcvNtrzu5M6E39a0kyT +hqNraFWXEZi/y8oh12eARpqG0lqbKbl/nEyBHaVrf1M +-> piv-p256 ZFgiIw A8KtgxgZfyjlPZMTjfMF/hM/AVaLuJSMHMNjsgPj9esB +ulY//QiAV5LWF5ytgclyl9MI8RtQsmJrZOl7GByOEsk +-> piv-p256 5vmPtQ Avqrc9ag13E8hB4znx8RSEMWQ1HtlTWf3fqUsg9oZtWi +gq5O9+tS2mazr9B5hzcXu/9H7N5kHPAjeffqbgRcXNk +-> piv-p256 ZFgiIw Aq1t4sN2K/eCs5sER0UrG5pvpg/0GbBcI55VQkW5du4e +ds8/Hd+yB628RAAzgZx1FK7u63XDsAF24//rHM/hEYM +-> 4r7hpz-grease $[jc"i f0kC pV+ t":] +9c3YRD+ZAUz+n6D1QFLJa7Lht7UZ8jHnRqa3BTWYlyo0o7Fo2khySVu31QUulGQn +nOonQVqhSo+Xli56voLAreMwSNCLmND51H5xy6txfA +--- 81bqCX4ison7wBIJw3Y0r6+DpKZsizu3qyZaDLDI6ek +x_<דkP*LFC;gܮ1XZB.Ic]M1y-;͑<% "**2@.@ \ No newline at end of file 
diff --git a/hosts/elisabeth/secrets/kanidm/secrets.nix.age b/hosts/elisabeth/secrets/kanidm/secrets.nix.age index 4e84aeebc79f51375cce572e95258155f24a066c..2ec684ff7332385f8c4c8877658e74ada25a604a 100644 GIT binary patch delta 1920 zcmZwD_gj+(0>E(@tu$&C86v0zEd>cQc|&FeHHjHykv*siA#VoB8!`zbk&D9P=!ptq z;eukZ3Mc|v3sO#zs;Gwp5XY%d?i3KP%2E&owRb<>^W0zXdA{E>iw`d@gu5A576n4^ zbP6UGOLOLcHXSGcEd+rGVa1bq7(#}EgQb0NKv3Rw6$luS;G zr(xWHo#4#C8?+EfO;aEi z^mZWIZZnBtbR!u;KnANVLk0>cQjmobCS{oMWQG7zaI>Uc9))z;vy#bn zJriR^rkJo+F>K)|^kV0$6H}p8*N>$Al$q=GvEo=qM;RzSI(Vr0p}k|~+@vDHG`L$h zw1vqJeb-hR-yB?~d)MMlG@MwqaP$4T^|6g%_p6KF9%LbxN9%x*nDz-$z#~!DzyW{g zw^e~JCr@;Ruk)TdU-0$r=}y_!+T#3#U_cQu6LrB{4WPW%mb^Us_#M>2<9lv<`lCO6 zC%jzpWr%T6%Qfd5p-^5p|I5BFWUA^$&rNG!cr+q>YiB@?OYR%#?mdM}MF*bk?`ar; z-HrII1kn;lHwT?AgZhI#x9Rs;Ww%=QH8&o45Ht~{Gm3ZT|9&(w=;%z#*Tb-92!(vzTHpE{`$BrRCF=6wW3I!-aT4({ZQ>k{{)lI6^sg9x&4OccGV5j z`Caw+p)G>SjgBojZbZ?BxAd4i_DpH>yw!uaMx<*Jm$IaGueFp~nwPdKdLt>neAkFB zs1IM`xD}b#+OyyK_pYlhNs`}`vR{75r@bHkRQ0^|j-6hl-0{)V=;(0Gl2hkRc zCPKN#Y9!}!F@uwyv=wa|*M3ZB8mt`kElbSr+N0dtnapYQcgJPA(hhwNNX}TGCLhc# zxA1YD$LDV0vO?2F6ziM1qNgzvRrX|I$*`~p?= zHDc@wX|#F3J%Eh<`P4$IKfa0rn_JW6k&Le&IsJUB;mKUR7pIu!slYd+0KD2CGuC`M{OmVaL7;Tte6eUw`5X%FW^W zC)0Tx2>oV)(-??yWC8HZ1A&GD;ibgxwG_z!cY^=EA}%VyhHmf1SMLl$g@^R)Skn0{ z@5S^n_ofpfxM=QcP?57ay#S2}Ay>nhj^3q}ySOk<)9M zW3!@0-nv#D+&jux`Qb2scIfG|>O`iY>*-tnN;jpj+S1UbjHUg4%NGe~2O3qqIIg>x zbg%4Z)YhoCyy(i>wFjo7o!=Vf_^FlIBK|*TkgeID{q?DLxhwDPccB4g?TdIS;Sb{u z<5!iU-Po-P7N^ne=Wt>G55dp!oh3!*eR-ELiu;R||Ih^u8u|x0eIiSD)^k(l=F3 z+IaYx$vgD%zlyn-WrK?z<^Kxqj2ON)e3Ur#qX|-{>Ql=vzvq&LhiB(@EcY8fx@qBp zQ%AIs*06V%62|&I*(2xQV>dxTB2ns=fw4#78 y&ogeR#jsnZR!%?sH+{C_A0_V1>C?(jZ^%B0w)3-G=YyWMhx*m?NEMir$UgzBkxV@R delta 1940 zcmZva`CF0+0)W#ziY`|(Ev;y^as>oFki%vx4*57fPC<}qN&>kQ{5TX54QI5pDaA@F zv)a@etF5%GG_$NW$FXVCYMl-YgdEUxJb&E=oZv9rg zg{H=89WuJyX&~8BcxDpQVW;sZnSd%&$d_!@(UaooL_3{^$bdN+a!_N2_^?I~>KH~o 
zoeqG!bQFbXWALbSe0HqZEaIUQI2!`99tj&VF)$EILMo)SzJ$=y=D6iTv^_+%ldL&c{uA+Ctal&j1LE-z666JVGx%Ao7xAf+qp4$l9;lq{Wr<3Q44l?1VaYU5_vL`;DN!Wy%sD@bvY06T+{iWM8^1Zo;&5|CId1z$ilnITb%ks-$-ObmrFlkC)@=mZUj zvzpRvNz@c)_8%@<0)s%%$7VBAw4iw_4yXISAy}TBB6W)78YvTpm*4;b%i_*tn1mS` zU4}&kYGg23naGt8A#8#J0m-Q8QnA*~)3X(+W)W3{BFM!6&Z^L8v*Qg)i42lSupA|r zPW>-ztu|w=h_MEvv!fwFl-KiNveabX+R2K&V~Uh z-{2PGl_c1Nq5uq|&Z&2>I5MtAr^KR678DmR)@aO3AkAh#@JVJnDpsS04GgC)6UsK2 zvaEm!FGOH47^F^!&&{E z_T3jR)aQHNhVLu0wm1EC8>@;>Ty^kWgs%FC!j1`>9qQ;t>=++ldD)i*g2dvf7u&YX z6i#!7?<_p&4#%mxwZ`fl-2(&o4H%ze+48-w%xm zs~Wk+3>&zfoF+gQY2b?fqjxtu@(M>5RKDu;iY!0{&ghmQ2Pb=1Oj>lj+GiGS%TO)G zyYDnm!hZDjM|DZ_LP7V-?1cJiP0lh-;|E4#YR>x%_sP7>f3_^0cc>5f(Bry#9UZ@V zec$xU6PLXwFKiGVc^r3AIoN;sOJP{sswb`2nmn|lS&Qc!X0;TA)(gBPefaij7&s>W zjj?BtTeb$fbXJ|Lb^ECsAHb$xbVWhC+&6=1HB$o9D0+yk(H@ChSy6ZphAJaEZ};NC z@T4uDuefg|6fXGQqeZ=h)5&|!UJ|wJ-Q_^Y%AlN%=!w`duQK6jaLnSDK<;d=P4d;y zHVX1%oGjPU-mapc^)UKMwW4A3#8;nO+s^uQ!#%HgmzR5lqx0v{+U^z4joyE}@O8M? zZ+~ik9IE#7^jM1Cq1!)yen(wX_c<}bD{gf5w{-X0d~mxf51rq9A*S|xepKVFeLFr? ze#rB7pN^yM5$w!8M7wnCj{)+=ZGi9h;fvca1*LdH-E`%YX;(q!-01}9PRQlbJv*4U zYO&tcY@e>RXcUbTHUw6*=hyUZjyE(gtUWMSM%7fn@PM(OGeK8E~yMExM@n?gu z>C}MH?blNthpISkN(kRNt3uJ?SYAhK?LXHT{Rt`Ttskb}E_^=j@Y#@B2|wT}p2v-P z{dDD<2f^xqIMuwmZAj#O=sq7I Qth?a{?GB@zK7K#scOnc#R{#J2 diff --git a/hosts/elisabeth/secrets/oauth2-proxy/cookie-secret.age b/hosts/elisabeth/secrets/oauth2-proxy/cookie-secret.age new file mode 100644 index 0000000..d7f2522 --- /dev/null +++ b/hosts/elisabeth/secrets/oauth2-proxy/cookie-secret.age 
@@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> X25519 8hIhP1nlR5z4Sk15LdISVf/9SYsGK5KhwMrlPnmIJgg +KTepeuDQaAOMK1gvNxHOTPjL7SphLGCtEpHvXbPiKk8 +-> piv-p256 XTQkUA A7jgBkaMKAkBJqCVDUuOSzp6GZyDlU2NfiNZnJak9TVy +oy5WTHr9YtEovcjCpBzo1H1LsHj1B3zNSBBKeGpwduI +-> piv-p256 ZFgiIw Av/mFUoy4d+wr1OICrbKSf95K8i5abaOixkyVJMlI8r8 +IbRAvpictJMvQin6NcLVzhZdB7637PRWhH0hqiWYgCE +-> piv-p256 5vmPtQ Al8w47I8tiYFHtgZO/RGYehoP7pAARW+ZslbU5I4iwTC +cRom9vNm04N2yGdnjQegWm3MsDBIi1uXExGF1Bz+K58 +-> piv-p256 ZFgiIw Axp4AzWo1yCR0gAaYx4i88+nIGnutkwsX0GGecvE7BiN +i6UmA1TgfHqOKMjEuOHyF3WNUkYYfDZIHPPjoWqpSwo +-> K]@eH@U9-grease *[ Rk;n ++mpDtu7YRdf8 +--- Kqc6c3+xpw8HtP0VJfDjujseDhs4NX4Yk9u1/fO+dSg +#ljf_ƛ by}&` \ No newline at end of file diff --git a/hosts/elisabeth/secrets/oauth2-proxy/generated/oauth2-client-secret-env.age b/hosts/elisabeth/secrets/oauth2-proxy/generated/oauth2-client-secret-env.age new file mode 100644 index 0000000..419d44e --- /dev/null +++ b/hosts/elisabeth/secrets/oauth2-proxy/generated/oauth2-client-secret-env.age @@ -0,0 +1,18 @@ +age-encryption.org/v1 +-> X25519 qMjJ4MnL4DXTo8ZGMwrNqIs/MXOeNMJN0EmdaDmNiRE +Y53jpcDeuKJco1Hn/SV9zOhGsG4l8EwOtWa41nPnHQQ +-> piv-p256 XTQkUA AmR3DeZhBej8l2wE0c+YFU/9huQOxF8u9ywmrIsBJdlT +vlMngpmAfsHlczNnYbK9BHsHsRhRkzROsmB/nv9IYGg +-> piv-p256 ZFgiIw AiF+VwhC3PFR0a+gAqHegAROpKXjTzHWq4/OSQ63x6g4 +Hj8YHUklAGOYf/08CowvFFy73X51eKI12aozBsIW6wI +-> piv-p256 5vmPtQ A4zshisuH4R7fjUTR1A8OfaHQMnOuB27PkHSbo8/UoEJ +MwOocx7FZqmoCYnVAAWN8feRbS9jpImBr93TfX3gwd8 +-> piv-p256 ZFgiIw Av7hUs3HIkOuxLGZMabSFU+fCGwyoroO309I0PhuJC9r +FhvTAwtHpW+g4MFLhxchg6+147zN0MLVfPKrHfaimq4 +-> -K03YU%-grease =5 +k6FjepBttAZSJp0hzk+WcTZ+kebQkKmbOCLZ2yp+lA6GQoNGhirdlm7In5SY5hoO +swHJWPPi3F3Atbf8hmEB4WU +--- NSt/Ot08yHqlDunM/P7XP78EBCALeFBOm0KYbdMhwew +n?)p)&*+Utk| =89D2. +RzLD4!FҞOMy/q-mC>* + \ No newline at end of file diff --git a/hosts/elisabeth/secrets/oauth2-proxy/host.pub b/hosts/elisabeth/secrets/oauth2-proxy/host.pub new file mode 100644 index 0000000..e69f745 --- /dev/null 
+++ b/hosts/elisabeth/secrets/oauth2-proxy/host.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINhR0E6eLN6HVm7s4Nl8G6gVlicWSF4egzCsSWc7d+Ld
diff --git a/modules/config/nix.nix b/modules/config/nix.nix
index eea62b2..97def45 100644
--- a/modules/config/nix.nix
+++ b/modules/config/nix.nix
@@ -11,17 +11,13 @@
 trusted-users = ["root"];
 system-features = ["recursive-nix" "repl-flake" "big-parallel"];
 substituters = [
- "https://nix-config.cachix.org"
 "https://nix-community.cachix.org"
- "https://colmena.cachix.org"
 "https://cache.nixos.org"
 "https://nixpkgs-wayland.cachix.org"
 "https://ai.cachix.org"
 ];
 trusted-public-keys = [
- "nix-config.cachix.org-1:Vd6raEuldeIZpttVQfrUbLvXJHzzzkS0pezXCVVjDG4="
 "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- "colmena.cachix.org-1:7BzpDnjjH8ki2CT3f6GdOk7QAzPOl+1t3LvTLXqYcSg="
 "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
 "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
 "ai.cachix.org-1:N9dzRK+alWwoKXQlnn0H6aUx0lU/mspIoz8hMvGvbbc="
diff --git a/modules/config/users.nix b/modules/config/users.nix
index 0b07794..fcf72ed 100644
--- a/modules/config/users.nix
+++ b/modules/config/users.nix
@@ -31,6 +31,7 @@
 mongodb = uidGid 221;
 authelia-main = uidGid 222;
 kanidm = uidGid 223;
+ oauth2_proxy = uidGid 224;
 paperless = uidGid 315;
 systemd-oom = uidGid 300;
 systemd-coredump = uidGid 301;
diff --git a/modules/services/adguardhome.nix b/modules/services/adguardhome.nix
index 12a87ed..ce257a5 100644
--- a/modules/services/adguardhome.nix
+++ b/modules/services/adguardhome.nix
@@ -40,12 +40,6 @@
 ];
 dhcp.enabled = false;
 ratelimit = 60;
- users = [
- {
- name = "patrick";
- password = "$2y$10$cmdb7U/qbtUvrcFeKQvr6.BPrm/UwCiP.gBW2jG0Aq24hnzd2co4m";
- }
- ];
 filters = [
 {
 name = "AdGuard DNS filter";
diff --git a/modules/services/forgejo.nix b/modules/services/forgejo.nix
index 3484607..c9c3459 100644
--- a/modules/services/forgejo.nix
+++ b/modules/services/forgejo.nix
@@ -131,7 +131,7 @@ in {
 # XXX: PKCE is currently not supported by gitea/forgejo,
 # see https://github.com/go-gitea/gitea/issues/21376.
 systemd.services.forgejo = {
- serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+ serviceConfig.RestartSec = "60"; # Retry every minute
 preStart = let
 exe = lib.getExe config.services.forgejo.package;
 providerName = "kanidm";
diff --git a/modules/services/kanidm.nix b/modules/services/kanidm.nix
index e2c0b8b..ba3eba6 100644
--- a/modules/services/kanidm.nix
+++ b/modules/services/kanidm.nix
@@ -41,6 +41,11 @@ in {
 mode = "440";
 group = "kanidm";
 };
+ oauth2-proxy = {
+ generator.script = "alnum";
+ mode = "440";
+ group = "kanidm";
+ };
 oauth2-forgejo = {
 generator.script = "alnum";
 mode = "440";
@@ -121,6 +126,21 @@ in {
 groups."forgejo.admins" = {
 members = ["administrator"];
 };
+
+ systems.oauth2.oauth2-proxy = {
+ displayName = "Oauth2-Proxy";
+ originUrl = "https://oauth2.${config.secrets.secrets.global.domains.web}/";
+ basicSecretFile = config.age.secrets.oauth2-proxy.path;
+ scopeMaps."adguardhome.access" = ["openid" "email" "profile"];
+ preferShortUsername = true;
+ claimMaps.groups = {
+ joinType = "array";
+ valuesByGroup."adguardhome.access" = ["adguardhome_access"];
+ };
+ };
+
+ groups."adguardhome.access" = {
+ };
 systems.oauth2.forgejo = {
 displayName = "Forgejo";
 originUrl = "https://git.${config.secrets.secrets.global.domains.web}/";
diff --git a/modules/services/oauth2-proxy.nix b/modules/services/oauth2-proxy.nix
new file mode 100644
index 0000000..c6ef435
--- /dev/null
+++ b/modules/services/oauth2-proxy.nix
@@ -0,0 +1,90 @@
+{
+ config,
+ nodes,
+ ...
+}: {
+ wireguard.elisabeth = {
+ client.via = "elisabeth";
+ firewallRuleForNode.elisabeth.allowedTCPPorts = [3000];
+ };
+
+ age.secrets.oauth2-cookie-secret = {
+ rekeyFile = config.node.secretsDir + "/cookie-secret.age";
+ mode = "440";
+ group = "oauth2_proxy";
+ };
+
+ services.oauth2_proxy = {
+ enable = true;
+ cookie.domain = ".${config.secrets.secrets.global.domains.web}";
+ cookie.secure = true;
+ cookie.expire = "30m";
+ cookie.secret = null;
+
+ clientSecret = null;
+
+ reverseProxy = true;
+ httpAddress = "0.0.0.0:3000";
+ redirectURL = "https://oauth2.${config.secrets.secrets.global.domains.web}/oauth2/callback";
+ setXauthrequest = true;
+ extraConfig = {
+ code-challenge-method = "S256";
+ whitelist-domain = ".${config.secrets.secrets.global.domains.web}";
+ set-authorization-header = true;
+ pass-access-token = true;
+ skip-jwt-bearer-tokens = true;
+ upstream = "static://202";
+
+ oidc-issuer-url = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/oauth2-proxy";
+ provider-display-name = "Kanidm";
+ #client-secret-file = config.age.secrets.oauth2-client-secret.path;
+ };
+
+ provider = "oidc";
+ scope = "openid email";
+ loginURL = "https://auth.${config.secrets.secrets.global.domains.web}/ui/oauth2";
+ redeemURL = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/token";
+ validateURL = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/oauth2-proxy/userinfo";
+ clientID = "oauth2-proxy";
+ email.domains = ["*"];
+ };
+
+ systemd.services.oauth2_proxy.serviceConfig = {
+ RuntimeDirectory = "oauth2-proxy";
+ RuntimeDirectoryMode = "0750";
+ UMask = "007"; # TODO remove once https://github.com/oauth2-proxy/oauth2-proxy/issues/2141 is fixed
+ RestartSec = "60"; # Retry every minute
+ };
+
+ systemd.services.oauth2_proxy.serviceConfig.EnvironmentFile = [
+ config.age.secrets.oauth2-cookie-secret.path
+
config.age.secrets.oauth2-client-secret-env.path
+ ];
+ # Mirror the original oauth2 secret
+ age.secrets.oauth2-client-secret = {
+ inherit (nodes.elisabeth-kanidm.config.age.secrets.oauth2-proxy) rekeyFile;
+ mode = "440";
+ group = "oauth2_proxy";
+ };
+ # Mirror the original oauth2 secret, but prepend OAUTH2_PROXY_CLIENT_SECRET=
+ # so it can be used as an EnvironmentFile
+ # Using the normal secret file option does not work as
+ # it includes the newline terminating the file which
+ # makes kanidm reject the secret
+ age.secrets.oauth2-client-secret-env = {
+ generator.dependencies = [
+ nodes.elisabeth-kanidm.config.age.secrets.oauth2-proxy
+ ];
+ generator.script = {
+ lib,
+ decrypt,
+ deps,
+ ...
+ }: ''
+ echo -n "OAUTH2_PROXY_CLIENT_SECRET="
+ ${decrypt} ${lib.escapeShellArg (lib.head deps).file}
+ '';
+ mode = "440";
+ group = "oauth2_proxy";
+ };
+}
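Review bot: `cookie.domain = ".${config.secrets.secrets.global.domains.web}"` scopes the oauth2-proxy session cookie to the whole apex, so the browser attaches that bearer cookie to every vhost under it — `cookie.secure = true` and the httpOnly default keep it off plain HTTP and out of JavaScript, but nginx still forwards it to vaultwarden, immich, paperless and every other upstream on the domain, where a compromised application could replay it against the protected services. The wide scope is what lets the single `oauth2.` callback hand the session back to the adguardhome vhost, so if it stays, set `cookie.sameSite = "lax";` explicitly, document the trade-off on the `cookie.domain` line, and consider stripping the `_oauth2_proxy` cookie in nginx before proxying to upstreams that do not need it. `httpAddress = "0.0.0.0:3000"` combined with `reverseProxy = true` means anything that reaches port 3000 can also supply its own `X-Forwarded-*` headers; the `firewallRuleForNode.elisabeth` line appears to limit that to the elisabeth node, which is fine as long as that remains the only route in, and deserves a comment saying so next to `httpAddress`. Finally `set-authorization-header`, `pass-access-token` and `skip-jwt-bearer-tokens` each widen what the proxy accepts or emits even though `upstream = "static://202"` has nothing to receive tokens; drop the first two and keep `skip-jwt-bearer-tokens` only if a client is actually expected to present Kanidm-issued JWTs directly to these vhosts.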
diff --git a/secrets/secrets.nix.age b/secrets/secrets.nix.age index 5c3e375ae0384b61559a31a7a46bd3d03b677215..81f6c198f0354ae30879e2199532ab4940e78e5a 100644 GIT binary patch literal 5695 zcmZwCWmgk`!T?~AMnwS;L0XWGF=~MH=o({VbPg84sBJV7B8{}PfP{pEG)hRL(%p)5 ziiDE)y&vy6?=N`HW9N(%LAp73`nr3gac-hGPiHX#fJQ`-6Coib1pslXxT*V?`bbJS z3OT9xxgvoOfQpHjmXMd07D`CWL4|0q;t7@k8u_BB)5}!F6Q;X4;P4W=Q#mI8}Vb)f}7+bbwGO zPQt-kLdXr};H+j3$H)qyO%08FP4%4AC4gRjCTOB5jTyn*7;lW!LO`?-K5pJvqNjtV zrz;p|rY9wC?+i3G(({va(k4P>i7NkNnQJ(swTYZ6E~eg^j?P*zH8XW*ZGbaG(pVZK zZ4S{glGZ|L=)uf9T+QGZkeaF#P?E+;#!E^K>Y|P`2N~PJ;pW~h9tK8YE^vY~#uo`QUKpf<36jQMMq1iLS4aYGCobe6?E%zuuyZ$qm^(r>5UL;_JyjJ`Rh*+AOw$o8 z`TxGWJRBU%un;YP9#RJlfB-PsUhZ%&qy$z11T@k#be8oZ0L+0vh>VyF4H%&&>uTa| zr|RpA(pQ71h^b*PQZfjrmbN5P94cv`>I{KtVNnD#1Bd@w4nQw;H61q*XHTS^7m@}j z1eU@>Fir%Vww4+is|Q8{aH_7_cw?{$$`A(jQ+INga#YiB1A%b9cD_a+KO|fNEM?~F z0RY3rRRCxjeTat;oapIjqD}BHbw}aRKI&?A`l@ghdq-8QtTYmcQukDM*D{0Z%i^63 zy&UurLOu{pAt;TAhzO^)xG_l6Ps&RSiP1F|Cwi)ae8sUiGj(kPbw3{ytfrxk1{$EE z<%dU@(STdc?(#{MO&p8L*d%>)#ZMV`jrm5?EweDb*3Uq3*QTsyE#KmX_HWN=e#j_3 z?FcgTUmqCRVgIRR>;XtUJmuE=86biYfCjx~M-!Q&CEG5-Y zSF=yhT9~dcD*JB9HP__VK)==)Mr{;rA73(NVIgInp~qxcl_6{{4#0a zr*=VK;9(v?v56O>)VFx?DJ}~#_Q-Ra=!APl_f8Trzf~5V??|hs@Wu^he^XZ* zxj>wJutaAmwa0X36c11l=MxpUT%#aG9U)6Tg*H!@PnpU~xqsF)uYQ^+YmBfJmY&3l zUR==x_Shaw1#E-zod6hfs{Jk#VzGA+ms2p;J;~v#r2Y)+_S#PinT2hJ@gF(I_yton zFL@GVQlQ`wC6bYIvrnPYPntElE!4B;0ba%TmEwdT+*9|O3W4qOjxe!pNN98mDX8=eLU zeFMLS;7%v?wzu10Mmh`eMcDkDt>o)GSdp*0^ol)=mN-x{FZ`kTH)Rv1iaWL#5+z%1 zcksL$mzW%f(Pf+x-(ro~5Jy;xMePaY0x-2(i5ioPnv`U_Q z7N4a;mGa|V^yoW1f~o8(phG(-wcv$_@Mym1V$g@`WI8WSj6*c07;C^7Lr1yiQr7lf z&4%TiI~a8@)biIwb)KvL#Q;Eb2Q?zVjXyUUKFj#4(fe^XkaFm+W#;pi66MZcBE&#G zlH$sMVAY6(>wCn24w(%QTC-!@Ed#rM2R``Aht|GN4iCV6eABwodlVTHqRYq|vLh`#+(nn#sQh z14;l4Eu*Suyzctf!do=~q3>Nu^xfqPP*bsH*U7XE(sn9S2-!kf6MySOj&5V4r(VIX ze12xJA;qt}$ZO$uWf4~D4=wSn!havcHaLTjn+!o*^T05eyV ziR>4gm+`k1Y?q@)N9MsUk^W7@B?*!2GCH|3?kI`x{T=$zgB_cM$XTv|*V~0exid!R 
zmB&@W8*cBwAR=uvxjWKHf@&~UDJF|XsmLRcYg;KwHn!R--dE*fgRo`6+3uhpNVd zDDxX=91dYjO}{?f`0=q3zv%AOh?+f?^<(YGc#h`GUh6(Qw7&f~)__l1L+RJ@mcUGj zE0rnnsln4+^Ye9{9XFkr+lK>v?^>NyDX+X;6IT_W!dzKtN(UUxB2)T`iB!K^cXqFv z9(z3I#kza}IRsxWe7-Ls_2Yh^uHq@v%CHF4SJ>{ylvI9LAc-D`Z>S+2B}r6lXajm) zjmy>3q~CSP98E=MQ%O7kt<=!$^wwA`K0QdHNI-5*iBW~CWeRhBSvW!bXm5(i=buWl zc9nP=6-CAV>TjqG@kqy#PX;lrbl5=8zhu!r)vYM^K8K~HJs)2apAHXZfoTM zGzXfX9F-jwUbT@jH>;};kH#(Y^#%Y~O?o{y(MN{!=9bKrVeHm zj;DY+>gtzgMZ-%!hLYq8wBF`0mgj^5<&(|9MJapbW6L{@7i$%!uGa4SN`}xNu8>;T zM9pV(lag^$v}`c<`Q*>eFTLudb(<}B`C**e7=HtF#G;WH5)OX77eHCg1j}u4^bwVsm-Q99V`L<=CTh+y89zz#HL=} zLQBypB}W(d>fzTlxs+3c4$`uXBcs2ErFyZ@&M%Ir&0U>)r1kMd%GI3HPnOth+7)KC z=R0Qj#RPn@kA2|@Xy1d1h9KG?w)d9a>5=YL(F=h*i`OBt_IJcTRy{D%JT2k4+=Kq} zcz2RPK4blg395TC17>~_zuTiKEH%lD%dhxafDILMnQNtL$pZhTAX7-4xZajl%_U#Ipn_0g|BcnY2C~4o; zu-XtZ{NzzAo~Gm_-BP%GEG27oJ+ib)JGe>I9xy}GE30} zG98N8cplc-lf`;7MpyrPdd*=!=?)@^Gb^7gcJ9d^H>1>Risw2JhLk2RIYLc0J5ySz zx*=I}qHTk#lS7hLY>qE&hvEG~&a$^eMrwBw4l#+e8H{s5uT@6QkPn~k53?BXzTFFQ zvWc?W4db{f0TQ8>T6{D$uk%JK%F1RZKZeEumViv`fptfU>RIG4_t_z4vDrhTE;_p9 z;q8jy;B!nixNXvUPJoIaoLQjPJgkaXoPhn6u6iobn~~=+@KajxsW*$MpFt;87y8{4KM_(aC%4|>1fsHry(bw<^-pK|xT z4iirI>gLU@2w$6U?A)FMPXxy|nEspjOBO>i{Rs7O|Fa7DKc|Z3`3axY)6deGkz*56 zE0$&O3XKw+ttL9nW0mf2GdXpJ-IuT~Cy3{K^%l!<)m04D(9XL?nK5Ik?`iM$sf%;W zy_mAEwtMY{mZvSBMBYkQmbZFcg#9#KNxys#PjdrTw)PJo=ixGc*)drDMTT=>^xU>y zj$pw+5E&OyBK;UDp))`2!rnl7dou#PI>5Kl^9TFcsZk)t6JKReZ(C$D0XlqGKM!Ud z+OYU!2#Zf*V}jRyWb4mP`sz(h1KP_&{=`NIX}78x?v|P|7GQ>QzZOQGD9i9=S6>P+ zw7gL&a{QSWKaC^Lrm9Gi&4Vz_e2%igPqa^fUSe&J{TBrj=7Jf~6l}~lU)X6o7$l#M zl~~b!*;%9i?E#P_2jmBUT*D?kJmCYiAyak16&eC}3hnls=}zEyAY@|e_It9*gWx5t zGe^O}*}N)KmX%n+x$kn78}0!skw27euX(x!H(?K*58J0ur3wjj(R?d!lquexa?yV_ zH?*hn$7X~yE=hl#x$=LL+0@nq`xXr~nUiVzXU;uwd6Ap{G<yCjM#vT^Ho;jgzvqB1q1;#xJqxzc^_--I!<@(bCH-O~H`Gj}cII_Zsf_EOE! 
znd$Y*^_8oD?ZC?3y0?~AW=w)bZR|Oou@uCMwS6!CZwT6fgzA$?i-C%84Up68Ob@jUH4EXHyB$C1ILh!Zbf7FU?fkC!1>v*;Im-GrqB-sJ3ND- zjJ>$AL5|Oz$r6`4BAju0!$N|-T%@iG4EqN%2g35buNW&C7kY03p6mtkz9xg!Z<6I8 zPKLmpl*eG_puTE0-=VL#tdUI%uJIt%dfmLA45l3kYUJ0W*LV6=)7@cz{=|UJb#JJ5 zfneYJ%sa=&_3G_3-_m^T3B1C0@X& z>&wU)%m6_w#4h5zaIH&jPmMVw)F?SFox=a5|E1!1@Sw=N!XvfY2=GYbv5JT2*MXp+ z0-1EHBUW;Wl2LB9WBae{){Or$kV{>8>rp>GXW853ih zjJ>|KI{miY>p-qNvw_LD`tjPmcY821iQBPWN*L&%VQCO~;z6`Os2_s3epwkB)XP8c z@8$Cb{5tOT%y{K_DWnJanB8S^ z5;^(OIxjY$Yb^Zs!oAemXvwRX&wEEF*0Z-xT3?}m<83644M`xRlef#ogQpFgRYuPu zV$Z3vq1tNtx}ydhVhPYC-1ING|F za?sZq-Ou~`97%szXXOPaKLk9aATKzt5zOZn>skbm-cQ73@ztew0vG5bnG=hnHSLAF zhUJ4V&qmHNz0<&|3$urp(Oh{ma~XaX8?lZHpCG#}NfE#ag3@uPAgnAVM#lqw@sy9< zihPH(d!Z%r(~8J;6IpO(jNWOZ!)@kKBU#ePTg=}njeC^XSh&b@ae|J86Qi$#r|1#Fe6ys`GV`{#-ei1~7p7i1#0@!``e} i0kx`eRVHnS>umQ_!>V`72-HG1B9LB=R zLrY>pFmh>Pac)CrIBz&GF-uHBPdExKJ|J*ub}eu+H8vnvR8ebHK_EddMLBv(On6I4 zFGE9eXKF$>GcRvrXklVEc`$ZbMn-H=NKG_nZ$T?mN^S}^F>yz0WLh>(bZ{_gQ$lk| zSZ+*Lcv4hUa!-1BGDB8saW^q%OG`OJOlJx$J|J*ub}eu+H8vnxMrUbBcOXG*YejBp zdUQ=~IWuxHFm7gYH)KgxRZclpHgqd5L~C+tb!Kolc}a9PM^6e(PgX}*csE)_XGD58 zD`9$hMs`eNHdIe{Rd`}UK}l&tP;cPnF9MQ2uYOiyt)aBW97OL25dS#)DIWJhK-OiOS=N=gc0L{Lt3Z#Yj< zM`1xXaW-aYHhM8^I8I?&aBeYYVoOg;QBOrrHA*sZG(ie2J|J*ub}eu+H8vnxMrUbB zcOXGCYHL9Od?HB&W7NmzAqL04sBbxtrzWixPYb}w>pOfg1fHggIsJ|HbheqvibEoX9N zVRL05P-JLHTp(~HAa-v?T~r|oL0NZnHE3m0Lo;g%EiEk|NJVipS}}?bEKEcKI^~~gyvx^1j$_x9timkjqbX@fO+3EQI~Lgym};#jHY|IN z;1ul1;VB_LYH}ThO+N_(zQty=fz-l0qg5GuarUsLF5oW1q7UxUo#RS>lDRk{ z!McGXNsOl9M#G>A5bm`;j>BkDC|o0@7d{!fAf{~8qKZ&^V~!1yU-d%-Y{TC6d7%^? zY=UngqMC3goD`kcwOm2(GeF?)a_#IgkW#$f;a8P;DsT8jpbQUTkKjWiUnF zp^Pae7+^~G@%a~!EFge)rQxK3{^c7|9-0gCkZ*o3Ls>xWnGSx-l=csk)!M?Pi|SSt zN>0o53T(f5UifJxI_PgzulLDVLTs8 zq<}oBIv_yjv3@{0(nQ*_G@S!Aco0tu`LrCNdKG78-p#a-N#6sqBMsfkFvyT=y!%RW zP1B0zWW~BVb$1J6D&bl<_!bKg@Qh9DknnC18xsN{SKLax`|4kQ-Nx(7=C3H@ca2K? 
zg=T%|q8_NMx&!usm(G1A3Q1rUGfiMZ%rXym=XXeBB>Xd@BbHw~fxJzS=YTfXv4SB( zt^tmc`mi6EeGQBxWID%U;XHF7hDq5E zzqKz~Z&z_u8Z_rk*Jhq8W#8ru{WCtTH{?U5nePg3HMh|BIT>$`V#D|~LolJLR5#4Z zdWFlg8_I_Az7DYqlKSs6FfcUt`}gh$io=CM+h z_HmX-78Q@wuV6$FR-Z1Au(7lhs}G&mAww(XthGp4|@HW`T`Yw_do z@viFmdQ6M4k#LHYc7*Q04$UR)9<5#Q!)yS3^oY(2ik zE5hJ5lrm1x9A_&tmCjhC_TSFyiI;Tn^oeq*Fn-F2m?`tUM04RJ)y25rc>eD@(lXli z*5lm|*i|wlmy|8uI*V&#d(?3oM~(pw)3CNSGcm{@g$f9^m94(qHrcX{wk5RLcvHmG z*wR(^AHdKFu4tjZ6@%YA5{aTBY`%ammh*TdE$bymv=Zx8Wj2`{bQ}koI>Oz$p4Fa^ zv|=D%PvM~d9=|^le(>^=09vqJf&HOR(oO@RVvVpD1KkX%8%&oyiP#$}O|+W*GN)mM zTdifh2dY(Y0v9g%q!Se5ttni@F(OrW1YGw&3Q}zWc#fMp=oy&UVpRwt-m~NiHX<9v zi_g)d@g-rtQgL0m!;OPNrA(8wqpkMv!RC*B!D{)gY1?A zSR6i7n!Om9&%}{f-r{55cjA!=)}=F#TeO8#;s+{6&LtIEu8{Z6lguwSh5lv-g)><# z1uUlQ#A96(A75-}@kM|WREepJJ_kQ@Ij8rO4k?z+A7b*^cm!tK7R?oCfJLqR7Tg0u zO|Vhy&=5?|djkOE!KeR?>IgpNvnMdA08;8-x`mFFk6> zjwMz#`5sn0QijPE;anSsi1l+%n4PR-X%hI2RkpC2ZLV}<7#EfeH%SE%l`+=PPgVbU zI-c9?MrYkrZjQNHVm+;?oZEs-?Jx%=v7u!RB^U-GGZKF0uxIsZifF?oobs{!;0J*B zuKbyz#rF`Ped!57>eWIH#Y!ry?b61s0(u^@C<9kbPAynA+x|-g_Y5@%>`eHDBorUt z8RsDt56gy?Ym6Xyxe1(A-Trdj$DM!*~rA^}Ph?S_2{hMC=M7ZVu>m}#N zLlAtf!i8>!hK+#bbD{ll%5yLlX)C4Wh`mKwNSt%ld?lW0JhyF8 zfgc0``V3<28k z_UyiG>DRXKNx@((79TG8(T%assrZS09gVgdR`eu;u#_^8Jcz6_o7B8j%LnO)rgRd0 zEm9op5}}I>6X|79hCPU5EIsN0VQ@2e#E2|_a@|?wbvQ`t8;;{q-U-jEIgP(BZ@ojt zjh7h3zC>vJTqX%;J!wkhDfcQz5f~P2D1GKJavR*TBeMtPVQ?1)oA~qY!ffl>z1<@D zT;)waNdmx6yT^TQzdeiXbUKJ#FF+}5KY&(YILV)0oSRy%`+O>=xeuDtVr zFq(xJUo`*2=r_nTY)9F=OFsudrfzyInMoxY-R|wq{)M)rt9p(q^~K)n%nyGLQVJA- z)q~#IFLM2K-!(~`a|hH?ryPb_a}$$(;u_adXM4$09%<^y;OkWrUp*J}9P_^R<2K(K zoR!3RgH6vuBJ)1Nz9An#pbd^2nND<*Z=~Iw4;qKZe={SfRwD10Gfhr7GM01iy%}sR zDhXcBTmMIQ!4TtwW*09Yw8D36OW+70C>8$o(QnnhPp&lsLbO1*tbp8N9@X673Bg{E z!z!phS&_p-Du{cvJpzCfD5pu^Z|q*5GTAUAZvzFk%?4L0ZBe&@sM*fp3GM`d(R}R^ z7;!dlP;{nrKHGzSfxZj<#TX%3eXljSZ_W^>J)C0N&}iS4se$COPftO`2$d70p?=JF zaE9{Dj~KNf^uvmBm!uxdE5-Ypnw=<>^%yM>IJ(eO*Vn9=;#ti)VN6`5?lbfp;e!Ok zo9>=&O}4*V{93A6P@gO_j`L-hG{y@5LXjhC#t#d5V%6^2T?oRpe`xQ~!lHmgM-)(u 
zB6w(0O%YbkKIb89?_W{ttxi@BOu+e+sTStKHn8;WYSM;ku`0pCY9EF(=H`_!!}NIt z8{xXCdwJ7W2i`J5{`ynO{qOg&m&p*6A71P0DA5nqbaT^$yJ6j@laDu&T|xled(CBx ziv>$i!eMEr4*7kg=BO_A!f%{Fc-D&xO$bhgtceh-xuEnuHXNXwQ_{{_)sDlx{oQXd zhWKuv3@NLvH~aYY8Pqn*pfPufangZt7+GlTzE>C0Z)`RZUXhtuu1CLl?T{G83)7^z zso5n0S_t--Zx4TADCMs0lLacN?1M9CXT1{6C82b4=utk1{Hyd5H17QnQlh%d>mAjm zeepC{@$qau;TG}+6^4Fy4Hw1A>oN~I(0O`|nRm!l8>D@kx_s%`h-H=iOIm9$8k=u% z+<^(zFgKBqkRim*p*_ke-y(XI;6?ASss<006#2a17Gk|;l2bp(+MI8jqSPuDD|v=b6i7O)osUb@}p zQrCL(R0L0$oLF}b4jvbPqsz;SK7dYrr5K94P+i}%L2Qo21R-edN!=2M#L1^X*AiZx z1JhGcp?^8p9IKuP`N*2Vp0j{|c~-UdvneYLT&WiAm+>`H9{quvsl714ni!+(2JiJW zGs9eMo&-g>%iI%1oto5N@uTJ>nE5CvI-4^}Y)0z^iF{gW^utu;)SS224I6ze$9W5&Sn1n&+XB02+-(ayl`*h^e|bnOx$*$Nn+gzsmH&;;ms6|Njo|qO zccKzv>sLq=ct^pe?9@>I$1@=19(SZiON)VW%*V5%$|sh8rFn(KXCy2$4GlX>t$lXo;+V zJGK}?_;Mh+(U&Ad*<>6qlerY8lR^l>2!(C2tsp&>Uy^bNP(YJCjXsr_gp=ktI~z}U zdFOC1A1=#x;ZjpAOmpV}LTi~jp-E)R39(RF{<9L^EJD-@k92jOoB#))ps|n3^hO8U zM+xhdPB;#4gRuo)g-ZBzeA`5;JN|yR2L|*TgPv%eYtghsw)N??vrgM=J!;5yP@z3x zZQ3FEq={OCMc4+rww?!(U_upDb z)&)pr4Gp%z4R3XnekH(-WF(S3VUm4I5%mNqs$H@D``8Vu>pelwfM6q*Wi+90@@Ba5 zrKUDhO1WPP|L>edZ3wW`Dzk&_E^5b--_ORK?@@7mKJ9c5OMoA@aSl_f4cduN8+Gxn zIddF}=R08%SurUe13p=Tr8&gSExN#@1yJLS65beIA)no6OPqXxD1 zc46J|`-qUE+2w7a`yegnSq%H)a}C}SexR>N38uNPRC#V?ntT%0D#nlpM)En!Xhr|K+C8mB|J&rmpx*)r6!CKR=el~L-9}Y9=C662 zG&{e#fjVVnr0SP9QUjvwR<7N1C9u=Kn#;A6`W-X|){QyVcVZt^}7jF;>hLg|)3m-n~jR&)w}Ua(M7 zb9dnS09Y31*aeVs;G_Y{?Mo1~j?(c)dBD`RIgpkU9vb(+S!1c$CYn7A L@Jg(9Sn=@AjNneE diff --git a/secrets/wireguard/elisabeth/keys/elisabeth-oauth2-proxy.age b/secrets/wireguard/elisabeth/keys/elisabeth-oauth2-proxy.age new file mode 100644 index 0000000..b5f2668 --- /dev/null +++ b/secrets/wireguard/elisabeth/keys/elisabeth-oauth2-proxy.age 
@@ -0,0 +1,16 @@ +age-encryption.org/v1 +-> X25519 g1vqWzZctykJkoxT61vjFHJUqeNOKSg0bf3wCYB7MDc +D4JZnpctpgjZaIn5WK3/hpY9R5XhQHWnHFJ+Uh48ZIs +-> piv-p256 XTQkUA A64jIlHXaqPB+WBfZFOrOihV6EF7Y2yt5BxVtGydv/E/ +JJ/yeiDQSl2NINj2sSN/TUzdNhgmrtI6NcPcp45tLSk +-> piv-p256 ZFgiIw AmP5WWw0UADOv+ilwqnbRYtq4sQUPPIAANFNjf33yqKr +B5FRnKIDqLPAlFzrpZXjoiH6BhE51GRocvGhRrGFEv0 +-> piv-p256 5vmPtQ AoFOKSUyPwm3C/KmrC7z38CFMXr/Ct9mzvil7bHjg4jV +hFV3hQGKo8zPOybLDnRYlyeNTX5kFb8AOwBrgZ0JTb0 +-> piv-p256 ZFgiIw A8SpfqzsNh/My9UQSiBNFKH8p29bLNs3NfbBkAQbbr+0 +xeittOKnGG63GDguhqN2fYMg0LiLkqU3b7XStbDrrNY +-> y-grease x#' X25519 ajsHkFAv6DGIBXK+TXNexcF46v9OSL56zJU++ESh2Ec +rlt3Qc5FpGQ4Uy7djHxXinaRj+vGzRD15ePectg3V5o +-> piv-p256 XTQkUA A5b2vQKPUK7CMtZtkqk7Sljxs3t+7T0xyok+W7NQIQhV +ouEoWuNAgUWZs/CmDwwO33S8sBF+vx09HwVi+k5xduM +-> piv-p256 ZFgiIw Agm3uergfR/G0r1jgJa6SQvL4s08DGLiIQytODbhtWpN +mk0MjBvUwoxHzTidlJY3wm9jimJiTi05rqFk6pWiz+s +-> piv-p256 5vmPtQ AgEl043vCMOGb7VMLrXZzFqJXqzpEts1dQ2BxKGWRQ0I +gqIxevnt+BQajswMvOnbhOCPoNeGjs6z+9Q2brXHXnw +-> piv-p256 ZFgiIw AjQwtNB6n1WgESAuFpUN8gfbDe13iTJiKwvn74gSTipx +KVmS8Q/hNZ454y9/CRS8s54yvIZtVc3IPMtBgDM/vLg +-> I[Qt/-grease Rux=WTOi _asi.\- YgMq{ +BIULAuvdBWYTVL2OKUZSry4BEUaJaPxhuj6szwhGillSGRJEETf1AdTuhq2UyU4W +KRwUpEwJG6X/98y90H+ZxbEAcT4nzpq9mvc +--- cz5LsXdzqSnzi5YSj7mnRRIWjIouvBithyGjWSy2nCw +1I~(YNkq7Fiщ3c +huh7.t ѩ({DQj!hOi \ No newline at end of file diff --git a/users/common/programs/kitty.nix b/users/common/programs/kitty.nix index 7b78fef..737b376 100644 --- a/users/common/programs/kitty.nix +++ b/users/common/programs/kitty.nix @@ -13,6 +13,11 @@ # Use xterm-256color because copying terminfo-kitty is painful. term = "xterm-256color"; + # make kitty go brrrr + repaint_delay = 8; + input_delay = 0; + sync_to_monitor = "no"; + # Do not wait for inherited child processes. close_on_child_death = "yes";