From ee388398e53f38993bc8e4cf5c3d4aabaec05120 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Fri, 14 Nov 2025 10:54:51 +0800 Subject: [PATCH] refactor(sops): Move secret definitions to specific modules --- configuration/default.nix | 2 +- configuration/nginx/ssl.nix | 5 ++ configuration/services/backups.nix | 13 +++ configuration/services/battery-manager.nix | 5 ++ configuration/services/conduit/default.nix | 7 ++ .../services/conduit/heisenbridge.nix | 6 ++ .../services/conduit/matrix-hookshot.nix | 6 ++ configuration/services/metrics/grafana.nix | 11 +++ .../services/metrics/victoriametrics.nix | 8 +- configuration/services/nextcloud.nix | 5 ++ configuration/services/starbound.nix | 3 + configuration/services/wireguard.nix | 6 ++ configuration/sops.nix | 89 ------------------- keys/production.yaml | 10 +-- 14 files changed, 78 insertions(+), 98 deletions(-) delete mode 100644 configuration/sops.nix diff --git a/configuration/default.nix b/configuration/default.nix index 54f17c2..631e93e 100644 --- a/configuration/default.nix +++ b/configuration/default.nix @@ -28,7 +28,6 @@ # ./services/starbound.nix -- Not currently used ./services/postgres.nix ./nginx - ./sops.nix ]; nixpkgs.overlays = [ (_: prev: { local = import ../pkgs { pkgs = prev; }; }) ]; @@ -124,6 +123,7 @@ services.sudo.rssh = true; }; }; + sops.defaultSopsFile = ../keys/production.yaml; # Remove some unneeded packages environment.defaultPackages = [ ]; diff --git a/configuration/nginx/ssl.nix b/configuration/nginx/ssl.nix index 4cea508..7abc38e 100644 --- a/configuration/nginx/ssl.nix +++ b/configuration/nginx/ssl.nix @@ -64,5 +64,10 @@ in ''${pkgs.runtimeShell} -c '${confirm}' ''; }; + + sops.secrets = { + "porkbun/api-key".owner = "acme"; + "porkbun/secret-api-key".owner = "acme"; + }; }; } diff --git a/configuration/services/backups.nix b/configuration/services/backups.nix index 688f5f9..0ae8abf 100644 --- a/configuration/services/backups.nix 
+++ b/configuration/services/backups.nix @@ -265,5 +265,18 @@ in }; groups.backup = { }; }; + + sops.secrets = { + "restic/storagebox-backups" = { + owner = "root"; + group = "backup"; + mode = "0440"; + }; + "restic/storagebox-ssh-key" = { + owner = "backup"; + group = "backup"; + mode = "0040"; + }; + }; }; } diff --git a/configuration/services/battery-manager.nix b/configuration/services/battery-manager.nix index 9da7e32..0c58c7b 100644 --- a/configuration/services/battery-manager.nix +++ b/configuration/services/battery-manager.nix @@ -13,4 +13,9 @@ log_level = "DEBUG"; }; }; + + sops.secrets = { + "battery-manager/email" = { }; + "battery-manager/password" = { }; + }; } diff --git a/configuration/services/conduit/default.nix b/configuration/services/conduit/default.nix index 4ba5271..6e01e81 100644 --- a/configuration/services/conduit/default.nix +++ b/configuration/services/conduit/default.nix @@ -179,4 +179,11 @@ in systemd.services.coturn.serviceConfig.SupplementaryGroups = [ config.security.acme.certs."tlater.net".group ]; + + sops.secrets = { + "turn/env" = { }; + "turn/secret" = { + owner = "turnserver"; + }; + }; } diff --git a/configuration/services/conduit/heisenbridge.nix b/configuration/services/conduit/heisenbridge.nix index f0f7e49..5441639 100644 --- a/configuration/services/conduit/heisenbridge.nix +++ b/configuration/services/conduit/heisenbridge.nix @@ -75,4 +75,10 @@ in # AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; }; }; + + sops.secrets = { + # Accessed via systemd cred through /run/secrets/heisebridge + "heisenbridge/as-token" = { }; + "heisenbridge/hs-token" = { }; + }; } diff --git a/configuration/services/conduit/matrix-hookshot.nix b/configuration/services/conduit/matrix-hookshot.nix index 6b788b2..c1fec82 100644 --- a/configuration/services/conduit/matrix-hookshot.nix +++ b/configuration/services/conduit/matrix-hookshot.nix 
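Review bot: `restic/storagebox-ssh-key` in the `backups.nix` hunk is declared with `owner = "backup"` and `mode = "0040"`, which gives the owning user no permission bits at all. On Linux the owner class is checked before the group class, so a process running as `backup` would be denied the key even though it is in the `backup` group; only root or other members of the group can read it. If read access for the backup user is intended, `mode = "0440";` states that directly. If the owner is excluded on purpose, a comment such as `# owner deliberately has no access; read by group members only` would stop a later reader from "fixing" it. The values are carried over unchanged from the deleted `configuration/sops.nix`, and the enclosing module body starts outside the hunk.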
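Review bot: `battery-manager/email` and `battery-manager/password` are added as empty attribute sets with no comment on how the service reads them, unlike the heisenbridge, matrix-hookshot and starbound hunks. With sops-nix defaults these files are root-owned with mode `0400`, so the unit presumably receives them through systemd credentials. If so, a line like `# Accessed via systemd cred through /run/secrets/battery-manager` would match the other modules. The context line `log_level = "DEBUG";` sits next to an account password, so it is worth confirming that the service does not write the credentials to the journal at that level. The enclosing attribute set starts outside the hunk.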
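Review bot: The new comment in the `heisenbridge.nix` hunk misspells the secrets directory as `/run/secrets/heisebridge`, while the secret names below it are `heisenbridge/as-token` and `heisenbridge/hs-token`. Anyone copying the path from the comment into a `LoadCredential` line or a debugging command will hit a directory that does not exist. It should read `# Accessed via systemd cred through /run/secrets/heisenbridge`.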
@@ -163,4 +163,10 @@ in metrics.enabled = true; }; }; + + sops.secrets = { + # Accessed via systemd cred through /run/secrets/matrix-hookshot + "matrix-hookshot/as-token" = { }; + "matrix-hookshot/hs-token" = { }; + }; } diff --git a/configuration/services/metrics/grafana.nix b/configuration/services/metrics/grafana.nix index b30806c..f4b6956 100644 --- a/configuration/services/metrics/grafana.nix +++ b/configuration/services/metrics/grafana.nix @@ -67,4 +67,15 @@ in }; }; }; + + sops.secrets = { + "grafana/adminPassword" = { + owner = "grafana"; + group = "grafana"; + }; + "grafana/secretKey" = { + owner = "grafana"; + group = "grafana"; + }; + }; } diff --git a/configuration/services/metrics/victoriametrics.nix b/configuration/services/metrics/victoriametrics.nix index f37b8b0..96e09e5 100644 --- a/configuration/services/metrics/victoriametrics.nix +++ b/configuration/services/metrics/victoriametrics.nix @@ -4,7 +4,7 @@ let blackbox_port = config.services.prometheus.exporters.blackbox.port; in { - config.services.victoriametrics = { + services.victoriametrics = { enable = true; extraOptions = [ "-storage.minFreeDiskSpaceBytes=5GB" ]; @@ -96,4 +96,10 @@ in victorialogs.targets = [ config.services.victorialogs.bindAddress ]; }; }; + + sops.secrets."forgejo/metrics-token" = { + owner = "forgejo"; + group = "metrics"; + mode = "0440"; + }; } diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix index 4af77a9..ef2a6ac 100644 --- a/configuration/services/nextcloud.nix +++ b/configuration/services/nextcloud.nix @@ -100,4 +100,9 @@ in # Ensure that this service doesn't start before postgres is ready systemd.services.nextcloud-setup.after = [ "postgresql.service" ]; + + sops.secrets."nextcloud/tlater" = { + owner = "nextcloud"; + group = "nextcloud"; + }; } diff --git a/configuration/services/starbound.nix b/configuration/services/starbound.nix index f5b23c3..609d4c0 100644 --- a/configuration/services/starbound.nix 
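Review bot: In the `grafana.nix` hunk, `group = "grafana"` is set on `grafana/adminPassword` and `grafana/secretKey` without a `mode`, so the sops-nix default of `0400` applies and the group has no permission bits. The `group` line therefore grants nothing and reads as if it did; the `nextcloud/tlater` entry in the `nextcloud.nix` hunk has the same shape. Either drop the `group` lines or, if group read is actually wanted, say so explicitly with `mode = "0440";` as the wireguard and restic entries do.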
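Review bot: `sops.secrets."forgejo/metrics-token"` is now declared in `victoriametrics.nix` with `owner = "forgejo"` and `group = "metrics"`, but neither that user nor that group is defined in the visible part of this module. This module therefore only evaluates into a working activation when the forgejo module and whatever creates the `metrics` group are also imported, and nothing here says so. A short comment above the secret would document the coupling, for example `# Token forgejo expects on its metrics endpoint; owned by forgejo, read by the scraper through the metrics group`, adjusted to how the token is really consumed. It is also worth checking that membership of `metrics` is limited to the scraper, since mode `0440` lets every member read the token.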
+++ b/configuration/services/starbound.nix @@ -114,4 +114,7 @@ in paths = [ "/var/lib/private/starbound/storage/universe/" ]; pauseServices = [ "starbound.service" ]; }; + + # Accessed via systemd cred through /run/secrets/steam + sops.secrets."steam/tlater" = { }; } diff --git a/configuration/services/wireguard.nix b/configuration/services/wireguard.nix index a6b7763..d4ab090 100644 --- a/configuration/services/wireguard.nix +++ b/configuration/services/wireguard.nix @@ -62,4 +62,10 @@ }; }; }; + + sops.secrets."wireguard/server-key" = { + owner = "root"; + group = "systemd-network"; + mode = "0440"; + }; } diff --git a/configuration/sops.nix b/configuration/sops.nix deleted file mode 100644 index 0337438..0000000 --- a/configuration/sops.nix +++ /dev/null 
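Review bot: Moving `sops.secrets."steam/tlater"` into `starbound.nix` means the secret is only installed when this module is imported, and the `configuration/default.nix` hunk shows `./services/starbound.nix` commented out as "Not currently used". The commit therefore appears to stop deploying the Steam credential to the host, which is a behaviour change inside a commit titled as a refactor. That is the least-privilege outcome, but it deserves a line in the commit message. Neither `keys/production.yaml` hunk removes a `steam` entry, so the encrypted value presumably stays in the sops file, and re-enabling the module brings the secret back without further changes.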
@@ -1,89 +0,0 @@ -{ - sops = { - defaultSopsFile = ../keys/production.yaml; - - secrets = { - "battery-manager/email" = { }; - - "battery-manager/password" = { }; - - # Gitea - "forgejo/metrics-token" = { - owner = "forgejo"; - group = "metrics"; - mode = "0440"; - }; - - # Grafana - "grafana/adminPassword" = { - owner = "grafana"; - group = "grafana"; - }; - "grafana/secretKey" = { - owner = "grafana"; - group = "grafana"; - }; - - # Heisenbridge - "heisenbridge/as-token" = { }; - "heisenbridge/hs-token" = { }; - - # Matrix-hookshot - "matrix-hookshot/as-token" = { }; - "matrix-hookshot/hs-token" = { }; - - # Nextcloud - "nextcloud/tlater" = { - owner = "nextcloud"; - group = "nextcloud"; - }; - - # Porkbub/ACME - "porkbun/api-key" = { - owner = "acme"; - }; - "porkbun/secret-api-key" = { - owner = "acme"; - }; - - # Restic - "restic/local-backups" = { - owner = "root"; - group = "backup"; - mode = "0440"; - }; - "restic/storagebox-backups" = { - owner = "root"; - group = "backup"; - mode = "0440"; - }; - "restic/storagebox-ssh-key" = { - owner = "backup"; - group = "backup"; - mode = "0040"; - }; - - # Steam - "steam/tlater" = { }; - - # Turn - "turn/env" = { }; - "turn/secret" = { - owner = "turnserver"; - }; - "turn/ssl-key" = { - owner = "turnserver"; - }; - "turn/ssl-cert" = { - owner = "turnserver"; - }; - - # Wireguard - "wireguard/server-key" = { - owner = "root"; - group = "systemd-network"; - mode = "0440"; - }; - }; - }; -} diff --git a/keys/production.yaml b/keys/production.yaml index a5a4674..a686ed3 100644 --- a/keys/production.yaml +++ b/keys/production.yaml 
@@ -22,18 +22,14 @@ matrix-hookshot: wireguard: server-key: ENC[AES256_GCM,data:mXb7ZznJHf5CgV8rI4uzPBATMRbmd7LimgtCkQM9kAjbIaGwUBqJZBN3fXs=,iv:3Po1Orinzov9rnEm9cLzgJY1PeD+5Jl9115MriABHh8=,tag:E/2CjDO1JCvJzxCnqKcNyw==,type:str] restic: - local-backups: ENC[AES256_GCM,data:NLNVlR9G9bLSZOkMoPvkbBbAZlKkmiUbdWHOFDnaefuy9wNLH53ctOIyS0rSsQLaJCSBTpgPSWIIXUSuzoK/eA==,iv:DzuujmyJJP4GiE5z7KOOGUEzUgOwmtf/7UYhwkyLe9g=,tag:cElFhpVC7S6HYlB6UyN7PQ==,type:str] storagebox-backups: ENC[AES256_GCM,data:UyT8jCkKlfYJXjWLI9MbYfeVhY5d89N3aj1Olj54/aBOP3gwcrx6gU56Pwa1xKZ3lR13AVs/b4wF9sbvP7Kqqg==,iv:0HM+DgH4iCiWpjRvAYCFQGEy4xIBQwAM+PkkzOsizw0=,tag:jbrqo1In2O4jVM5e7fjOzg==,type:str] storagebox-ssh-key: ENC[AES256_GCM,data:7aYlKX7I8Bsur3nm4nV9eSW3lmIxBCeCUMbPX3qgcotPbyPYaUqD3MOCnFRepajYkFXAgMX4jknqLfoO9xYc4bavDFjOY8Ww/KmLay7ces6tDnkK6tTRxcNRPUBqEzaFiPNsZc2UwHnmHOF0rKvQusvhCOplYao3xxz5McTHC7IEriUApSNudWCg3qGbyAmxkGEw7tRfh6IiUXEOFeaXDZd78dWZlWIIeospmA1hcVhkLGrjMmoikt/YANHUpWPbd+B9E6x+s2eIzFdvztRjarBluWPZuX981b+hcOm1/+HY/tJ/jzgyVbX1rjmdgZ9jZqdKO/vkOkijHWXlwpQ0QJ2s8p5MURPGRsC7W5jfmGbVKrubxfQC2mSJRJgBaj1wX3yI4GbfCXNdbpseAMy7t8OmN/iMN57lGnD3uX8CWWD327PIWp3SgwMDIZtJRlMBu3vMUrBdNnrrlYoLgf821tX7JWW6L5g1EK/bcBZqZZ/6rE+Q9fLiJHTsj2lyTzQZRLKsn0YePlcIMOWHO2CG/aWrfycdSKKjaKGG,iv:OVnEIMFB4h/EQ8zV3XOpVXLDrV5t4roNYDFQz99m4sQ=,tag:mKWF12uD1TLla/MoJs2zNg==,type:str] turn: env: ENC[AES256_GCM,data:kt5nhVo9pb/ZbPUEcqSYXxN9YMgQKnFb5VRfFFS/qoIaJ73uD2fuJKqcxAyVRrdLqnSAWSQBgTgunBzdP7xqLAK2qt8DYAQWHkIe9uxFbSXZpdmw,iv:9lq6SFwTFN4GGm6gPiJpUMasMdnHVF6XLGYrsyG3kjU=,tag:428Qf9DOiiHt/Wjb188b8g==,type:str] secret: ENC[AES256_GCM,data:si7ee6Xfhdgdyzbp6aQpF7pz3TmTBb7iQ82lRPVXNDg9JfHI+lbmgAsSnRLX5qMCA6P9R045sSMosqidL8QwRg==,iv:SrhpZKK8D45yxCEfDb9P3TwtA14+qEI+wcRqcN/a6pw=,tag:PiwV+mOL9xHJgJft6sc61g==,type:str] - ssl-key: 
ENC[AES256_GCM,data:CHFH8XTcyAkIDwclwUpAyDkvP0awoW7mtZ2PgR81DyQZrKIAjuhox7x+8Gl9vfjdug2WLISycwoCJ2w+Y6Qpuk+XgXOmZeBU4UyMX5sfwGYAt0fjyQPix3Xni3cfDPQ3bJ9Ez0Nn6pxmKvSUY2nCOPJe8gK5+kaMt3d2SWS1bteH/rOUXSx3hczdQ54M8kScTUHceG7G65rfrmpTIVS1GNRYm7N8F8uXToP3qdTJBF03qSfdbAvWw5RhkNQoF35Hc8HT2W5hYmUb6ceuo4b3tCyTVDGzNtqn760+VSqXcJ5acc4O22cH/TqeF7VSS7akUqZzYot92riqSL0lHbET6VlXuYdidNIgW5uoUgtJLj9KRkYljOHkP1H90acWTW0+T3jS9cesVBVDWCHaYt2rFKwQgViNvgU27f1u9PT4wGKyqQMnLE5iLdmUT4qAwNw8ErXnpIOlXDizZ0sYXtNEmlNGdOk3jrjW3C1TGBw77PmWzHHRBrRNMO/6s3QWuRgTdQixF/UzTvyRf5yjt7Cev8fDm16FL8c+2uduDTkxTKwEVrt6U1wsJMqS52u7jAj5xtpmWSGJRqxc/bu9l+fcRDrZt1EaktxKCc3zSFp8Mv+LwMdj6dXcYoFQZmh5N2rySmxdCeHT+Me8htReesVxDPG5/pIZJ7n5DYK60V84KnDaqiw0DM0XEY6Y9UJ0Vx6qvk8lVouQaPbxEnfwc3775jVojEA/nCBd7LiyRfUEILtSgm+IjhIvVjDr3qzzKo7Ao66trEN6Sb7UtYo11rUyGfKqOwAZTsb/bXk6pYWo/qhzwx9EfxCrrMt06mXjN7JGzIZeBlV0azHEw1jt/CJ2lPFSUuTWIjjtTfZzpx6jYBJmTN9rAMbKHMknO3hEKWwpzYG/w7TLO2JKkXrOdT58IdvfxOKwaQ/kJRycYvuWcF8NqdcRhbZvrVaKHRWhWldhWkOj5a+G0DnFsgak6D1FOvDx0doN8hibFemn1MfLzk6/UJ5AxAbPCRSaEumkMZ6n/Xx5M+C7TswWrYVkrIeRxSU6+B24ZmLeVvfvNq6jfBBgk3MBXHU6bwr/nsfcQ0wlJwYCc/YVP02d/oAhN/MobUSKY+bG+ZirmyRb3MZ5C5ZjLY60wcSSWpty7jPzMUu0AoJVs6CA04frw9FqmW+Y0f3apFfaPI8OSOqT8UUURORjWK0j35v9nrpoDGTqLdq1d0oVQW3vxQqE6gmyPv4/ZqPgdUZhZ6BYiDc9L79c4misxmxsy6pZBxwb0vY34PyCwpamTWZC8u7JxRoXYu1l/UTdz9Oj2z1smaouy7yNKMK/BitF4uv3sKi0lWOpE6oTtqNtEoC265RUot3CGjaI3aZnwgku8jztvSn0JVwQYZyWZx7eFRh1acNIt3zRP8Pc4SL+XCm8RSufH2+j1kF0rbhCGTngDaLWdz/1FIWTizj3sjLnMEQYYw02QE1W+b9TJAMmgdh6LFhjrIFXtQFQtNSgH6edh8nreFWnpDvI8nyT9w/cCfJhDZhEvOYIDOVlc0mPH2k0yNfpA4x0DOvBNZJx9Gu0CcyOLRZGlyAwlDTIqBYLLV7bqwTsOdfOYBE581T2r+o9w/tgRF4EORM29U1KjGjSl2/XBXQVZHbRnXBM5l7kypyJfHD7X5DUp2hkuSdmHgBI5psnZXSjHh95Nn5YjFAAPDapqdIJO2AJhXkaY57mSUFjLrI9DRFU8pcqeY33si4i1QOqsRdkfh72+vCwsj4gFteV0Sh6N2Tp92+NkY0to3hk6Za9O6ESzqCiokcf9DaCyWv4ELd6Wed2DVVfrPXLABF5hnfzYw/tvtpXMFOOofKyOYY4KT5FRVUGlsst/x0F9wr2hYJ1qwTIRpp9wEWjiecO+wBeuNbLHv727pMCPcLX7YEoa/fcQuesuEAXQDKFTVJmBAHk1J5GpOu0R5F6qXAxsR9MFDRMHo2en4jkTAWgWFa7n6Uq
RlTTu5lj9RtFgQekayC71GyTEqvBY2tdLfHYoNsKKVBand7fmpwGDG2kivEUMNDitT2AG2F2GxbM+zbLewu3WwlXCzyEYpPq34+WK+C+QZuY+b4bOVnNTl1aiyMTIauomDTdvUbGAlnoIeukc65O1nvlI5uEQwgcxA/nFGYPdiXJKlgW0rZPaJX+7xZUlosP9fYR+1purREYHJBFPGs7Qx3Fq/RuPEcA2S9+CynhXm3TRRLOfzKYXeny/qdpJw==,iv:lpQ/utPri3QEIvB8V5MzHmgyeyGmlVGbkbNKKrb10lM=,tag:eWFSV+nRqDfYERXTXT8eAQ==,type:str] - #ENC[AES256_GCM,data:DkvLWzxK8Xp/TXnJNZ15Wa+ojB7qGxh44zvwdm50ENgTPaqIl2468q+HeOUIUE7OiXCQWj2PVg==,iv:J9EkotYGBY1FZo62wieUSFaTCn1NnBb6aOKnUOCELS8=,tag:vmxNYyjCYfi6n9nBZ8DwPg==,type:comment] - ssl-cert: ENC[AES256_GCM,data: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,iv:JvoC84+dJ+sKdDDNvzIRWJUKHftgW4hhT6fiJQXR4rs=,tag:wrFQF7ZqG0us3E98i/gkyA==,type:str] sops: - lastmodified: "2025-02-07T19:44:49Z" - mac: ENC[AES256_GCM,data:+0hpd/E7GxK/27f2Itf0hDV+3Ga4gHb8xxLutJ32HLBWLZ5Y+dN03xgkz8jBTiM+BeHwS4gz70Cs9X3zLMHbosWVuIV9DLuRaHRq/IU9KiADwqmCySZALqCf3+T5QKZr3Qs4AZJHwaAXkRX9HbnRFriIAFDJW/BGdIHdoROquxY=,iv:TeXI8LGqHVa5wo61sGdNbZ2nJvSlPdgn9R3Lq5qUggU=,tag:TFort5wxVTdi9LMlMeT/DQ==,type:str] + lastmodified: "2025-11-19T07:44:21Z" + mac: ENC[AES256_GCM,data:u95fSyrfZGan7Zwm/Vv23mVVXSqZhZOLQHFwSclOeIvnXXgv1b+sYlxlGZekQ8Bg24+5G/fUCFIrhfFtCNuB/R5Ynj6t6QhYYD8o3kTvUKa4nf3501gLAIzqbyK4PYpJx4Olv1OkGHHdr9UpP1m6cIhaAZtbBfqW+WL26HjE/CY=,iv:gk5tlrbON64+2y+5PHrhwSPh7B9bvYckRgrepHTiQDA=,tag:FopFqhMgCmoKun1QmjtC0w==,type:str] pgp: - created_at: "2025-10-03T21:38:48Z" enc: |- @@ -87,4 +83,4 @@ sops: -----END PGP MESSAGE----- fp: 0af7641adb8aa843136cf6d047f71da3e5ad79f9 unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.11.0
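Review bot: Deleting `restic/local-backups`, `turn/ssl-key` and `turn/ssl-cert` from the sops file does not retire those secrets. The earlier ciphertext stays in the repository history and still decrypts with the PGP key listed under `sops.pgp`. If the TLS private key or the restic repository password is still valid anywhere, it needs to be revoked or rotated separately. The commit message is a good place to record that these three entries are no longer in use. The file is sops-generated, so no edit to the hunk itself is proposed.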