From 0ae91ee62fd138cee595b8fcf50dcd3a4fd8c532 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics <dominik.polakovics@cloonar.com>
Date: Mon, 2 Mar 2026 11:12:13 +0100
Subject: [PATCH] feat: switch to mas for matrix

---
 hosts/fw/modules/web/default.nix   |   2 +
 hosts/fw/modules/web/matrix.nix    | 212 ++++++++++++++++++++++++-----
 hosts/fw/modules/web/secrets.yaml  |  80 +++++------
 hosts/web-arm/modules/authelia.nix |   5 +-
 4 files changed, 226 insertions(+), 73 deletions(-)

diff --git a/hosts/fw/modules/web/default.nix b/hosts/fw/modules/web/default.nix
index fe1175b..edd85ee 100644
--- a/hosts/fw/modules/web/default.nix
+++ b/hosts/fw/modules/web/default.nix
@@ -91,6 +91,7 @@ in
             "/var/lib/zammad"
             "/var/lib/postgresql"
             "/var/lib/n8n"
+            "/var/lib/mas"
             "/var/lib/matrix-synapse"
             "/var/lib/mautrix-whatsapp"
             "/var/lib/mautrix-signal"
@@ -103,6 +104,7 @@ in
 
         environment.systemPackages = with pkgs; [
           vim # my preferred editor
+          matrix-authentication-service # mas-cli for migration
         ];
 
         networking.hostName = hostname;
diff --git a/hosts/fw/modules/web/matrix.nix b/hosts/fw/modules/web/matrix.nix
index 6277c2b..59e7356 100644
--- a/hosts/fw/modules/web/matrix.nix
+++ b/hosts/fw/modules/web/matrix.nix
@@ -3,42 +3,178 @@ let
   hostname = "matrix";
   fqdn = "${hostname}.cloonar.com";
   baseUrl = "https://${fqdn}";
-  clientConfig."m.homeserver".base_url = baseUrl;
+  clientConfig = {
+    "m.homeserver".base_url = baseUrl;
+    # MAS auth issuer discovery (MSC2965)
+    "org.matrix.msc2965.authentication" = {
+      issuer = baseUrl + "/";
+      account = baseUrl + "/account";
+    };
+  };
   serverConfig."m.server" = "${fqdn}:443";
   mkWellKnown = data: ''
     default_type application/json;
     add_header Access-Control-Allow-Origin *;
     return 200 '${builtins.toJSON data}';
   '';
+
+  masUpstreamId = "01KJPRKN397E5N8D0CA2Z3TJ7Y";
+  elementWebClientId = "01KJPVT5D54NRAY7AJY6PZEN0D";
+  masPackage = pkgs.matrix-authentication-service;
 in {
-  # Secrets for Synapse
-  sops.secrets.synapse-oidc-client-secret = {
-    owner = "matrix-synapse";
-  };
+  # Secrets for MAS
+  sops.secrets.mas-encryption-key = { owner = "mas"; };
+  sops.secrets.mas-matrix-secret = { owner = "mas"; };
+  sops.secrets.mas-authelia-client-secret = { owner = "mas"; };
+  sops.secrets.mas-rsa-key = { owner = "mas"; };
+
   sops.secrets.mautrix-whatsapp-env = { };
   sops.secrets.mautrix-signal-env = { };
   sops.secrets.mautrix-discord-env = { };
 
-  # PostgreSQL database for Synapse
+  # MAS system user
+  users.users.mas = {
+    isSystemUser = true;
+    group = "mas";
+    home = "/var/lib/mas";
+  };
+  users.groups.mas = { };
+
+  # PostgreSQL databases for Synapse and MAS
   services.postgresql = {
     enable = true;
     # Synapse requires C locale for correct collation behavior
     initdbArgs = [ "--lc-collate=C" "--lc-ctype=C" ];
-    ensureDatabases = [ "matrix-synapse" ];
+    ensureDatabases = [ "matrix-synapse" "mas" ];
     ensureUsers = [
       {
         name = "matrix-synapse";
         ensureDBOwnership = true;
       }
+      {
+        name = "mas";
+        ensureDBOwnership = true;
+      }
     ];
   };
 
   services.postgresqlBackup.enable = true;
-  services.postgresqlBackup.databases = [ "matrix-synapse" ];
+  services.postgresqlBackup.databases = [ "matrix-synapse" "mas" ];
+
+  # Matrix Authentication Service (MAS)
+  systemd.services.matrix-authentication-service = {
+    description = "Matrix Authentication Service";
+    after = [ "postgresql.service" "network.target" ];
+    before = [ "matrix-synapse.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    serviceConfig = {
+      Type = "simple";
+      User = "mas";
+      Group = "mas";
+      RuntimeDirectory = "mas";
+      RuntimeDirectoryMode = "0755";
+      StateDirectory = "mas";
+      StateDirectoryMode = "0750";
+      ExecStart = "${masPackage}/bin/mas-cli server --config /run/mas/config.yaml";
+      Restart = "on-failure";
+      RestartSec = "5s";
+    };
+
+    preStart = ''
+      # Read secrets from SOPS-managed files
+      ENCRYPTION_KEY=$(cat ${config.sops.secrets.mas-encryption-key.path})
+      MATRIX_SECRET=$(cat ${config.sops.secrets.mas-matrix-secret.path})
+      CLIENT_SECRET=$(cat ${config.sops.secrets.mas-authelia-client-secret.path})
+
+      # Write Synapse MAS config fragment with inline secret
+      # (secret_path is not supported in all Synapse versions)
+      cat > /run/mas/synapse-mas-config.yaml <<SYNEOF
+      matrix_authentication_service:
+        enabled: true
+        endpoint: "http://127.0.0.1:8081"
+        secret: "$MATRIX_SECRET"
+      SYNEOF
+      chmod 644 /run/mas/synapse-mas-config.yaml
+
+      # Write MAS config with secrets interpolated
+      cat > /run/mas/config.yaml <<MASEOF
+      http:
+        public_base: ${baseUrl}/
+        listeners:
+          - name: web
+            resources:
+              - name: discovery
+              - name: human
+              - name: oauth
+              - name: compat
+              - name: graphql
+              - name: assets
+            binds:
+              - address: "127.0.0.1:8081"
+
+      database:
+        uri: postgresql:///mas?host=/run/postgresql
+
+      matrix:
+        homeserver: cloonar.com
+        endpoint: "http://[::1]:8008"
+        secret: "$MATRIX_SECRET"
+
+      upstream_oauth2:
+        providers:
+          - id: ${masUpstreamId}
+            synapse_idp_id: oidc-authelia
+            human_name: Authelia
+            issuer: https://auth.cloonar.com
+            client_id: synapse
+            client_secret: "$CLIENT_SECRET"
+            token_endpoint_auth_method: client_secret_post
+            scope: "openid email profile"
+            claims_imports:
+              localpart:
+                action: force
+                template: "{{ user.email | split('@') | first }}"
+              displayname:
+                action: suggest
+                template: "{{ user.name }}"
+              email:
+                action: force
+                template: "{{ user.email }}"
+                set_email_verification: always
+
+      clients:
+        - client_id: ${elementWebClientId}
+          client_auth_method: none
+          redirect_uris:
+            - https://element.cloonar.com/
+            - https://element.cloonar.com/?no_universal_links=true
+
+      passwords:
+        enabled: true
+        schemes:
+          - version: 1
+            algorithm: bcrypt
+
+      secrets:
+        encryption: "$ENCRYPTION_KEY"
+        keys:
+          - kid: mas-rsa-key
+            key_file: ${config.sops.secrets.mas-rsa-key.path}
+
+      telemetry:
+        tracing:
+          exporter: none
+        metrics:
+          exporter: none
+      MASEOF
+    '';
+  };
 
   # Synapse homeserver
   services.matrix-synapse = {
     enable = true;
+    extraConfigFiles = [ "/run/mas/synapse-mas-config.yaml" ];
     settings = {
       server_name = "cloonar.com";
       public_baseurl = baseUrl;
@@ -68,37 +204,16 @@ in {
         };
       };
 
-      # Disable registration - users created via OIDC
-      enable_registration = false;
       allow_guest_access = false;
-
-      # OIDC SSO via Authelia
-      oidc_providers = [
-        {
-          idp_id = "authelia";
-          idp_name = "Authelia";
-          discover = true;
-          issuer = "https://auth.cloonar.com";
-          user_profile_method = "userinfo_endpoint";
-          client_id = "synapse";
-          client_secret_path = config.sops.secrets.synapse-oidc-client-secret.path;
-          scopes = [ "openid" "profile" "email" ];
-          allow_existing_users = true;
-          user_mapping_provider.config = {
-            subject_claim = "sub";
-            localpart_template = "{{ user.email | localpart_from_email }}";
-            display_name_template = "{{ user.name }}";
-            email_template = "{{ user.email }}";
-          };
-        }
-      ];
-
     };
   };
 
   # Synapse runs inside an isolated microVM, so PrivateUsers provides minimal
   # additional security. Disabling it allows Synapse to read bridge registration
   # files via SupplementaryGroups (user namespace blocks mapped GIDs otherwise).
+  # Synapse depends on MAS for auth delegation
+  systemd.services.matrix-synapse.after = [ "matrix-authentication-service.service" ];
+  systemd.services.matrix-synapse.wants = [ "matrix-authentication-service.service" ];
   systemd.services.matrix-synapse.serviceConfig.PrivateUsers = lib.mkForce false;
 
   # Element Web client
@@ -114,6 +229,15 @@ in {
             base_url = "https://matrix.cloonar.com";
             server_name = "cloonar.com";
           };
+          "org.matrix.msc2965.authentication" = {
+            issuer = "https://matrix.cloonar.com/";
+            account = "https://matrix.cloonar.com/account";
+          };
+        };
+        oidc_static_clients = {
+          "https://matrix.cloonar.com/" = {
+            client_id = elementWebClientId;
+          };
         };
         disable_custom_urls = true;
         disable_3pid_login = true;
@@ -122,7 +246,7 @@ in {
     };
   };
 
-  # Synapse nginx reverse proxy
+  # Synapse + MAS nginx reverse proxy
   services.nginx.virtualHosts."${fqdn}" = {
     forceSSL = true;
     enableACME = true;
@@ -132,6 +256,28 @@ in {
     '';
     locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
     locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+
+    # MAS compatibility endpoints (must be before /_matrix catch-all)
+    locations."~ ^/_matrix/client/(r0|v3)/login$".proxyPass = "http://127.0.0.1:8081";
+    locations."~ ^/_matrix/client/(r0|v3)/logout$".proxyPass = "http://127.0.0.1:8081";
+    locations."~ ^/_matrix/client/(r0|v3)/refresh$".proxyPass = "http://127.0.0.1:8081";
+
+    # MAS own endpoints
+    locations."/authorize".proxyPass = "http://127.0.0.1:8081";
+    locations."/oauth2".proxyPass = "http://127.0.0.1:8081";
+    locations."/.well-known/openid-configuration".proxyPass = "http://127.0.0.1:8081";
+    locations."/.well-known/webfinger".proxyPass = "http://127.0.0.1:8081";
+    locations."/assets".proxyPass = "http://127.0.0.1:8081";
+    locations."/graphql".proxyPass = "http://127.0.0.1:8081";
+    locations."/account".proxyPass = "http://127.0.0.1:8081";
+    locations."/upstream".proxyPass = "http://127.0.0.1:8081";
+    locations."/register".proxyPass = "http://127.0.0.1:8081";
+    locations."/consent".proxyPass = "http://127.0.0.1:8081";
+    locations."/recovery".proxyPass = "http://127.0.0.1:8081";
+    locations."/login".proxyPass = "http://127.0.0.1:8081";
+    locations."/change-password".proxyPass = "http://127.0.0.1:8081";
+
+    # Synapse endpoints
     locations."/_matrix".proxyPass = "http://[::1]:8008";
     locations."/_synapse/client".proxyPass = "http://[::1]:8008";
   };
diff --git a/hosts/fw/modules/web/secrets.yaml b/hosts/fw/modules/web/secrets.yaml
index 3afbedd..b42636f 100644
--- a/hosts/fw/modules/web/secrets.yaml
+++ b/hosts/fw/modules/web/secrets.yaml
@@ -1,58 +1,62 @@
-borg-passphrase: ENC[AES256_GCM,data:GJdxBsj/CFT8oqO+apbvQHDJS7DteBIINP+pq1pATWa+a8F+zJ5hwvtjyoSx7hLhVkB6w1fh6LTXxlGkJ0a661a4NOo=,iv:hCd45iFw1BBcOZfreJ9gDqoRt72sakYke8tKnyjMEOA=,tag:+7S4Smcmv8gEQua1yNFp+w==,type:str]
-borg-ssh-key: ENC[AES256_GCM,data:l2Q8mINxmByCk7gYdPiZ91NN+batshnSlwqu5b6v0m8PRzor8ejgf0LNStDM6DJMot8vzlqawbB5L1xuLK3Bwj3e4JyAD9xCHFIJlXbH6WViL+A4mLoJMeW/ZJOlZyzI250FehkdxUa9OY6PgQNKSn5P0MJChW9m7frmmt304r8P+WYDruyNe30tSMqt6Dixwik1znq27ZbzXaqaG9VOm+ltW8wr6Uq433pgmqIIDQgFdwWZw8MSZaZ+OOFmCo8iwgroQ2spk+mmS61ldh6nmkwSLYnZ5LkCxRRHfw+/i8M321k1vf3bX0R4Cy37jhg6wg7ZVKngqD3WW5bFQ4bd6BHSEHMvSn2O+eA6v5DBAMmOicN0wJljaXFTXg++Ju3tr3pZ6s5e40Gvz2nQBSMPVrifFprGGwXf8w0RpyRYRbXHfC1eAYjwETtCw0AEKSzhqv+BnNDPBaypfp56kbVP5A/xe20sREGdKmRuCQrhsad5pYlsWrJgf32CpYeTQXWau79CG+CEm0Nq34ZA5OffQqWs75hGNWuhB3OpSEkFK8BJgeWZ44QGlhDukyeicyivqbfME9Uznodvl4VUpNLoq10n1m8ibVpZqVDFjhE50DlPHVRdMQu61MVk0oveYBdmkAXu75KPPkOuEPZ0bMaido3WCzQ9OkIjEofRVfz+3Tl9qxoETkoWGcZVWis+LWMs6pb7mFvhVGMVwnpofImmo514ebl3lDKQZCoeyK/+m1HDkOnjSbd/Czv9zcVJ2e4pZuG5VpSs3brAr8klb65cqxklPqHMJf0gOFcSKrbbhJr+fiyYHUOTy+z4WZIHH6+c5usLPz6v4oytT7bBoPBudZwnroKidEBTvdLZ0emtz/d+RoOViPcLn55521hzegtmRuyc+jCHXR+NvHk3IhMt5BUHD6th1G2aNgX2RqrLOOMcm0CVyoEttwKZ7vnGWh4AqSGGiIyyfqawY1vbtj6opKe3k6fkIaofW1sHrlI2QKxvPUNCv/zhbfa2G6ObbCbNXSOnCYRdhXxH9E3j3LtIBSAML4Svji/sy3ZLZjbFrOib4bC8dkWPwrNlNQaUJFRgA2Dsh82M24rfj4yc0NzW1xurGsbN0/7lfHeKDIHtpxoiQXewlhLnfLvUDZrEcqXED3ScSeAa1tadGSVP7og7p0qtFi2G+ep+74OE5iJ6Rjq/T/BV2JJoTyH1YysHLsyfVe2LboyxA42+wnlBj0IVaVLPX7gPrxY8+G71b5nIHdF/djJoJDZ2prJ0HtK389U6jdEbHZpzO7MwCSoUVy/q8CsMsmfiiTyvWjrCxa02vhqywI0XRiiUXkAgs9+1/ydMHsFP7W6oa+d6IkNVxsjJ6egFg/Nxi/IoY4vbckBUhhiqprIvY+7qmF6LNLhJbC/CJqjBo+ywNI0A4kI3Tq8O1iedGZ/XxczgfqqBM25hecqDMHLorCc356JZcpQIBDGhpjHHa9I/8+T0hDrWklfnDwGSSQwshcvMFAcePCCT8qcBDiWUTb1eqQIc4LZp/BLoJ8m3KZlugzcWI4IqcZQmMEx7Bv1J9k4Jl39FKlR4Km+I5ePUyBfx78WQgCkHdZDVr2lTYqzV4Nr+YO/N94uCwXvjZli+Xap9C4WD2gShsV6uQfJh6iLSrP/fVURTwwDYLnyUlcxTaiRFK/lF2bV5/QNAjKki2qm4Jw4GfKH/CQ0+a8GdQ+egcNFRD+VqD8tA7QmA0SviBR8SgJwyb3HRzvPVIAmfYAetX1b80jcKUMDKHAAV+Evn2pdw4AR+aqcPPEWc/RE6Un1UcWju31a6Aj+B9DNbYGug7F2ZJGLOudKlxBjG7LUa86blCzmNata28VXpTNdGlOWgexFtTIn4GdvHqPKNWLIwkontWOyQZ3ZZsuc9XbphcB7r4fCt0Sax81u7gdpuDpno/hL8eUhAL3I/UNp/Z5j5B4pwV3/47bbYta+bwbj5ATYM4j3wWPRusL1gtU8WKMrggJyfyQof7vlcculmSJV2V/0oojSfqDqk87tMZNX/o4kFLlj/tY47hHhN6U3O8z7HObvGhHSZ8uFfoASGJK56rVcJVD3EygJHytoA9SuO2Tzlt1S+YeboroZG+5EhVV9Hm9z2qJZd5EXBkO1f8L+uTA1j3NEsUjjVWRvs6fBD72Uls/RcJVM2fq63swY7vmFtwIqdF2uy4/ED1wua0oy/uxl+kk6nBvgj4ZX8U5ByWnVIyJTmol8SogE2TKMPOfvvRF5AJnRFT4P22EUDvIO9/rPNB1loQVeXq7XXOyV56RXkM5uc0Q8zZBqCr8QyRc8XBoZ2ChBIhlviXyyFbOdLppYOSNVnI2B3zsVF0KSCkCd7Q7pf7paPkNNp7bq9ZBv6giJ+zHj5f4xtTa13qdmU+yuIWunyWHmkY8/8I4nqVMEsjDz+nWkVsTpNgHSS23rtkcz7+i3srOM9RYj1IA0R5BjiHLt4Gy9i512nd4lqEUnwvoaUVVQxVtwsUbbhAIndV/diJBfsj0/ACuxbpmd0q/WgA9V0u3a02I3SIR8vtDz+Ode461+6QeWfwS70rV5TEJB1y1WEbz5yZ4lVTlpB1s4SGsDG7jjV2eWYqUoV9fP3wHsyzdoMwikq0tStt6oUt7yhdsugWsVjZu+gGFppjqM2sPjDsnIbrkomz/azORERsiUzlHqAwVDbVI9m+p504jHIPhUEpziPaECSShFG3zibRmQHRd30PiTWoThgHxRJwIIvQJQFnkFVxUTZ/27DtBKgL/0AeC8LIJ8bMQ/V83wHFNUj8NtO0zeQKsZEBPsO4g4+/hK195Txn98FlyOjn9cwAgLq5UMySQhhTEz+NhheJH7F3RldNlZDyXxIEFSjGlQF2+UPcataNsZ3lo/YVgcW2P70j2t/6BMvZ2MqaocwR5PkfetZIWoxQxUU+pPWKQLyCnjLZ9G7JYcIpbHsfZI9rD8ianFh43E/lbNw4NFfhSodOb8mBFgtYw88iFP+8yNtKixefOZKm3N5o65kH7ijnKxCJFEQcbZV/IV6JEOgy1lPSVxUv5+fjxatxefGa2shA7WXig4XBGgH8e6rvv3TGGpMX4ROgi4unoK+AjIrcSZ4LASKbJaj+QwEAg/6d+DoxJVf79vC+xVqaJ2RhjJl0FR8L1SmSrEpjD476qCKwCI15zWeo4GSBDGMAdAKQpWA4I5exp6lry+wG03O/le1Xkq6Z8sRkmUAie3Z9ZVyULa4p+GT4R3iNaHSFPj2WuqBE9b0HEU3Ux8r9KuzLyPBoG23qy6hzetOXtNWdMCbEdLlz5lfgUtEFrgwYe50nlB6xSVNut5oQWtuOR3HdIOPTh8hVTm9olvxTtVcLPSPgykm3czbnAQefcooUb+fS0QuZZVqFH/3xU6GzLk73R7sasxfzqGDUZOTm1cXBBUNr+sk7cv94lJzwB2lqkU4qsLboqRVL2GOIVKQNKv86A==,iv:++pEa8RSP2UydzilOOkNbIZI1pLjs3PEpttPO/YM6qw=,tag:wGiHUh4qQ07GaK3xcJtG+g==,type:str]
-zammad-key-base: ENC[AES256_GCM,data:q1+9uGw+VShevkdfs1LNiZvAsJWUO4zy0ajJbDYf1XzMwqCYE2dC5fsXxp9MpkEzMZHR9jdQyGnIZmpQ+wDiGIn9V5BE3X+hMhD88pneA8XXt5hdOCkC+TfkwQ0kiF9PlHhPt8w/4wCJkwM1lsj+ZVX+6BVmUuwHg3lBTTDMmeU=,iv:YIgu2och/ibSzfaVUH3rpVu00MIYlRYolgb1GckrRio=,tag:GGMOTNh7SfVVfzOCTAiXwA==,type:str]
-invidious-hmac-key: ENC[AES256_GCM,data:g3eE1y+CpVmQAb47DQbxK/rrV+BHExYtEPHAbw==,iv:l2dS0uudbdYzSPntxvPwqGp2CyMQQEStXbVBPgeVAxo=,tag:fwUAxEWQR5BMTpoipJRUxQ==,type:str]
-invidious-admin-password: ENC[AES256_GCM,data:SVtHTKaC6e+O9vz2eb6jplw/UeDdoLXIgw1wPxHqmw1GFgjXPTLCYG2tx4qt2CWHzA==,iv:ZWTlVfepoi0b8091w2pLjqMtyca42JodYPSN5q4M2QI=,tag:MEUbEY0mVTspIJZ1xpqR6w==,type:str]
-invidious-companion-key: ENC[AES256_GCM,data:s8VhQhsStNFwCHjgHO8UZA==,iv:V5v+l04FH3aQkJpAE554r+Brcn58bJhpO9IlsCf0j4c=,tag:MAIbYTdSGHt7A8Y3RufR/Q==,type:str]
-dendrite-private-key: ENC[AES256_GCM,data:IzeYvGS5MSg3SHwPs2zHI1QZerGG3U1VWBaOpiQhwBnd3yabGdinX2bMGV7fnWvsYgsD5C7E9NspAJLiGyqMQqsbFP/6Iy1vLTjns2kY4jqd7l4yFIPwABu3VPVomO5Cm1OMiR/GZwxObk1oLycxKzVv2VUjcbmGAadpjK5IgKDj2M7vd7WzGtc=,iv:QzOIiskPRrjI9T0JuUjxKYek3cVoHL/cEvKOHT4J/54=,tag:7xbpIv1/lStAaoGQdFcaLw==,type:str]
-matrix-shared-secret: ENC[AES256_GCM,data:F28P8x0aguu7BuWWtXTbgaPdQx88dpeKA1FsRK52pTVp3d4rMgAWQDfO22WOYgJ2ltPO2xIK7bnQFi1X,iv:Od3RfCvKkMyI2RxlnfixiIF2GTn7B9OXeD+21ttk/rE=,tag:ev56YcadjWgq0zQN+Hl+Sg==,type:str]
-n8n-env: ENC[AES256_GCM,data:qyZY8bLnXEMU7bIUBjufWkGxDybu7XWp8YKWYqCMKH6OIrzWQhRfwJQuvjKVWsyR/HsPtwzcxHf9cVuW+IJ5gcUVWj2lxLCTjeewD5otAXGRx0FbOvZ0W4wmb7y3zJGd1N618p5RhmpySOfQ6NQ4iXTxYWDYgJSlBl9Kn3/0KXsIZawepo8BDl2MUJ3hevibys2+9nGfS7+7/aq0wybaMuy/ivjgglwrGKWrByUrpDOJLW07BtD2VCXiWWb3jMYfCCkQ5eXtxAlI6BYRj4pzPO7QjbcR2h5S9Q/YIqOUtEyrDZTpkYHVm4soFwl9Eo7O7IlrS/P7hiqf77OVz3FZ+5K25YYLA17UauoLncnUtgOxlHn9Fnrtnr+0iMsYWtg=,iv:yJM/JcQI8BUp4a1m4ju2iHvnWpiWPC+/2kysSnmp9NM=,tag:cGbbKuGlso2MrFYijbSV9A==,type:str]
-n8n-git-key: ENC[AES256_GCM,data:KWwOxNZqNjMgUfdg/GIVdQ7zMsPSdWGL/YXtNrGHz6i4jlHl4tXAMbmBcea+1gOQxmiV3ikJh4kO/PJHpIcjtdishCGB/9QXjdGcn066zHQCH2RaHIQ8q1puRIgmQubHap6iCRI73+eCxevh98nikUdwwW/7ESUK5H68kLxN4GaFldS4u7rEu9TdnCI/+VExK15ZcihT7N7PV76JDCnHf33+28DMC1EcLcGwWVwNQY+zCCWbonovkEXSVP+PazP+hDZDK6ry6xeO7bpX5ujCM6hTql1oyg3TrSRtwPpUVP4RzaMtKB6IyJhkR6KdwsxeZooRQX+Fxl7mVKldAaxIE7IGZwjXNPyqONW6KPUtlvosg+4z+x9aGkHugFoUvSExDQ+51t/GTo6liFTi9Z7hveDuPN8Ng1pK5XajCLMTx/8+V5iVC+DR6gD8fjPyURkN1Hm4iWk0xGjiH6p2PRGHk65AWtBuh3EvMHbd8Udnxeo39GmV73/h1Fryazcg2O5tyvooY5wJlTJbTW3MgNGS,iv:i1YxUvaxTbATF3sFmDt0RSnAOOifqBiDR9jegJpQWY0=,tag:mYZBAXn6hZ/aZwWHICBQmg==,type:str]
-phpldapadmin: ENC[AES256_GCM,data:aVoj1dhX9IsLTA/ZEJfRXgdQRah3nGntUM38kdcHRdmBY03EUm+i2sfKiaknB4afIAjc04SUxxNVbjeM65ipSW6sKQEMiVTAIJzi+1ETi6clbZvQhWDtvBBJ39ybUkH5YX3Os109h/jD/TApa2MRfyhml6rHWcNzhoxR3QJQpuE09kj6eBxfillUDfKfomWL4x4ksJl/agJdXxU0VGwc7zyi7mvMwCQokcrMxJ9GC+7p2Jpz+W5a3WKSnqc2Gpv9DEbo95m71arnK4TcZL+S7tAZsT5+rHzEoNp5I9/5WCzlJrDJ9vHD2JQ=,iv:fQigdELKdM8E1nfSVB7/5568tbALh/LVSMf4wxfOc54=,tag:zWnHAcTOxk0eEViPCK5lOg==,type:str]
-piped-db-password: ENC[AES256_GCM,data:yUmxi/Dqf/u9RumLEPGgZK2tzSYuskPFS88keb4w83vxY1S+Zgu3fcO5ZA8=,iv:1rI2WB2kZBKB2XzYB4AYtpaDtkXOssqo+fEq5ooMrnE=,tag:sOUR89pH8FceWBSqUw5aYg==,type:str]
-synapse-oidc-client-secret: ENC[AES256_GCM,data:nEDFJIgYDWW+8Nw7iMlesZwqcX6O/a4degzg56yvHsX0CfKBp3mND7uHoNfAWoYTMuNEpy6SYLnOVGiYAzaY/A==,iv:B1PdBoK0ml8baRfxCTbDPZZ7XNNXv14SuBxL2wM1f4Q=,tag:Lfgz4zl6BWTOxkgRPb/pCw==,type:str]
-mautrix-whatsapp-env: ENC[AES256_GCM,data:5inKfoXwqJ16wqE0yzn7RazXD9/vI/EtN79Yl3Z0mbil6JXd9kwDxnU3uuIz54QoLsDrcd8u+rSVrLgMThXx7py6GAfrQNBLuYFbvA2Os9CjJqydKiYze0VD5mbd,iv:kNvwQz1Xhem/kPCyk3k/nUrNmO9R9adw/q5YZJr4UGI=,tag:IreWAJCM4WodHdJVUIhMCg==,type:str]
-mautrix-signal-env: ENC[AES256_GCM,data:VPyFQJ9nsm74CtF+ihDIPEP/NwQuJZx7qX256HPmRk9Akr/FiLTBa6+ocgS0Vx348qrzOdXZrupI5xl0AQKh27cFLvH6LYk2A9LlylNkxmwrW07vVmUrmrcmhQ==,iv:D4xca4rxGV2LnwRLjjgiz+AeWuzCXLkZl9EWyrULkao=,tag:V/FFSON0rHxmQfh9/mi34Q==,type:str]
-mautrix-discord-env: ENC[AES256_GCM,data:fv9EXSCXVJQIWZyoPjwpSOwagcsBo9tid8ntr914QL3Dqm2Tb566BB1suti4is0g4PdpjVh5vofsgZsdscIEH+C5ohmyhAo2TjWJhXjTxxHZKHBn3b7JSd77rrJJWGXvcIT2iCCX8JCU7raWo4lNiZBzaPr/284rHaUMiN3QPnFNHMDfPwGEw9hYV0zOy/EkM2KQyy1zOtSBUzVxFyFgI/aCtvqlWKigELfhLuNVTwP9BSiCZVuXNhghVcStk75atmnYWU867/1frr+NvwkME7bHEhz8JYYM9Bc9iEAGhJZB/Nv0bAmLOsiN3ayOhhCpAFIWlgFk3A3lcpX7b5YcqXkYUPNEcmxSOzzloeSe2q8=,iv:wTJ/YFilbmHuIzCYyu8jwEXnOx7xvFV7/HTvzRwirXo=,tag:bLghcDPbiQPYEa95VeZnZQ==,type:str]
+borg-passphrase: ENC[AES256_GCM,data:xuSgy269tSzDNjo/XOYS82OPkfPyA/B0et25Sc8j23ifWu1y9yjzb9jSgc3MU9rXeDe6sCNw8v9JV6+btdvomH4VzzM=,iv:hRvMcFmTr+LT0VRCGFp0Vdt7/Wvwu02l2xMyL6ZVKYk=,tag:w1FI6GS71pmPk9Qsr0vyAg==,type:str]
+borg-ssh-key: ENC[AES256_GCM,data:W6OtuMBsvhTHVojbo01uwDbEWlm3rhXmLnYQBQh0+YFRmQmlveYxojUmyMIsesXNSysRRF8dkmjYrMuB3LMqWFvYO4mt5AfSkjwmpHnOFtk//ctQownye5b6jnQjo+bD1/v2rbd6RSHwB/hI+xT2uxZ+8eBVW3AxnUZuSRKyVFsMrmxqJrK3+glhamP8cy5lnD8i1YDCmgicOUBh/CGzRHgTOXzhe9dUEljAXFRhV179mU7YkxDnSuLLexh+LJ7YM4DtUP7M2SI9DA3vBM5aCrsRyR8Pw4f5R5790v82GoIWZl4L6V1QDeXdeTFdhu3jBmBrLUNECbPwA6NLssEulufpXtwl5SRVyr+8a8Ch1/6VUOiUiFIRiZ/a4+gD3cAFGrq7CFmf6zavyi/UxJhVFz1qKTuu44AWtYKW81zRFbs3zgQ+6MuU7pAsEd70vPZmfKUDMsWUAQavjiZKihF/DKazeDC/Lquv/7Gq7LZG07DzdTMgr06i6Z3Dw7b+EqPkOYfdkr2289iFJoLnQm02XqcDlqnXbM8iegxxYceW9NhFOaMa1l2vYROg5zxxRdukqGK655iNEK/Q2eoaN2SUoi1UNOlK9X/bJADMVr/e6fEkD0BJVL/qnPyi26jNqFcTXFt51/DZ4yOiwOFheSOhXKNIBxn2Vl4INSYhUqze+4oFSzBMRVtwemDYZUdXkFM2QbdUe6U/kYKHOl1xH56eTKiI59ZoqHxKMlHNDpOO6KUKj6rVxFBHC57ZTnto7WOfOWmy8s8+DzU0OeYZzE+7Mfp6onTGVtKCZFmYOR6JARfF90TD4t8iocUdiuvLV5GeRE7YKyjoMIuGcRVvb8eR/8iVZNtTKKNGKhpYwTdgQDeBCDRzsq2Del0ZtVpnDydCI07/mApMqES8V41rE65u6qZOJPOpe0FSf+Ozkrkq8yEiGVwdgm213F/c5K8+YUwNeU7fJHvbWOdRdzdfWIes0sKlJBB4pJiUuDp9xqYiqYDV6+0VqSZA7nTeWPvm/LTjlbFvRboyXNKHfpq7GD2vQI4jgr+Jk5LRJ8pI73pF3dVo5QphsRmAgmtL/+d17KXHzlG0l/TE9STfIhCrZ7yx1+9Nz5cG25fvENybpX6aCiZz27BBidG5VLRNgcRqLE5rQcsrnd3iqo2HAXnlGiggClH9SbK9ao64cCA7fW4EFoxK8G4gQmqCXGZqKEChLfIOThYkXIxlpc2VSMEhsysENTmBHOM3oI76f0JvTttftgbGt/pZcJGfgLa/qwb7Se0J8OsWsxRH3bjAFbuO6wjgx5wCIztH6fMsofTTl4i6dyAc6ub9zGQKm8AEBD0xDftCEhrlFH2kR1bkacCKQz6R35E7eisAXP3JU9Luc25cmmxkiqxuW+Aw109Hmm00QCsDM/xWBZtbwotVrN0enOLjsUpE7Dk+ibLCM3I8QAxvgXfd90vrRDUjUpEVKwm53naa4cHJObBsXuIDPfAXxga9ePOUbD9IdGuDw43d/RSPlCOQmRLIosvt/OnAKoCtyFw/0OEr+pGRmbnLShHJKXlFIQqTTe5NT/O5jX+plqkVNYHL3XKQxU1ALF55zWge8OuJmD9kgia7692ul2JR/irdWqk/CeKYZy3B+PBfulSkWLUsRn0s2CYkwAsmbcE+3lllk/7VSZrJn74SObV+sCan0FL5T6G8N5kgMJHagUGMOiqqvJh5npAMgX/a4ynCb2IWt3wIZ67pdVEt7AVZZMShFkTBVRD0amPRD1cJuPba5ABul5QloQ5iLl5KnuB0Qg40ogpFMB1DE43fFoJjzF1mfz+Mt4b5w9hZph3qkvGOKB4kAkIic63CrFSia+slH3mRbsvo5XqZJ5Yp2H8iG4XzIICGlRQ0/C6nKqNNkG9SsP1GourbwW1QIbxuTJxrDCI0LfVm9zigkH7vIo02ZNpa6ZWh0t2gXL7I/T274Q/wLUkGmv0quxbrF35TcD9a/uOA87zPpI3J73sxGmTbQSDoopBf10vlZcoxougBxlh3LgECF2DO9XkqzgZVvwdelrYwLT0UY7zJSiN+/nFYHxyMLNYZb7QJ6xqNFbh1EtlFDgNW9XzUPMDZQzrg7jhODYC6P+U1K145cwIqAfCWsn84m/+U/iFBFL8I/wino/1/0yG10mP64Ecf6r+VVfkKZ8rAn0WlKYEovNdmfQhqs7lJdY4oLhAJZimgdtx6fo1ZGSEt1em5pWU87vQvogA23bQPCKSCaiza9KLraz2s3SaYqZo+mALMpOU8BtvvAT8zBOrrSt/JWzJHSsVrT84LZumIHd+os3Q6juNq7konIRX3jJUvkGlgim2KRpCfgipw9OoyNExzrffcCnf3jEUtTdviB27lxamFSv0eZZgoPxNbANZhd/zrvEpQj+NHZOaSg7LbfrO2eIgkc290T/10vkhvzXEpjxt1prSLSF1/I7RYpv8sgwhpEIuvOf97tBxJX9Aw8ylJhbiZuceUI736LGyGrxDqxIMzb8pbQ9k/8VXjOIQBPEcC0d1zXKUrYteMHhHXVjmMeAlTLsHpmsQ7q1NVu35tyuqBImXu4wU06VkDak5pjBR/+GAqYMnEPKs5ALNfUkZDtRjS5SGMiKP0e8kQuC0bk6Dhl/GAfO5ckv5kuPArOzUIknYvNU234bcVTOfjh7kfAA1UnSIX7Fa/vcAAzWxjhYvuszagJe6xwrnZTvI9IzaTn0TcOovjpVZUiP2E1Pghrlv+//RT+XeRu9cjNxVrpwmlNVCDDZmz+jaH00YOT7kGNejJUvclR3gjyUK1uo+MqF4nCLpBc2yrnvctMfcY03pwyR46pyhsSx1c377G9E9c3pBVyPFXz8zY3xRcd9aMRUJiJEwD1wn1HZaEo+qvJYsZcFPEF03MenVl2vup0JYZNYEMe9VPEefaLJ/uPCdUYedIo74EZr4baDqdButp39v5kXih4Cab4AsPwlds42BcYfkDS3oXHE/BRMppGvAngHZWwmyuGGAEiT+UjumqFmiPtKL6KWVRGfS2gyS9CJ8oEZJBizVFXzjhdoh/kg9M5MFT7uQfjory8dJWX7jpUuWMIHyLYfYhzTm0K6mFvOoO3W25SvvFnygo6JmBbuuAzV2raFktgsjZm1xDmZOPvbM6Ur3XUWzGXyWLiWqNVgAishPccAzI9F2/ocH0NeXOf+D3tWld9kXBbQPI4DClprRrGqpzKtct16VAKc1kAuuK8BuSD+YbyP5T/3EaO95/KxKhG3ZfJo5map4cuCmz6dys2oKCHmbAxkLFJwzC6hoYhnwJUZj6SWeGJB4IT8bfZ6UYKpfdONW2/841r+WbKljhTzDvSKqGZDvLF6YB2aK4Oe92tnzPbuArNohERv0oJPvAtdUiSW3Ku+62e4YNKEprLNYBVkJ3ew7d3V/Pc8Rb8uMFehx8oq0ojV6Xzj/PT4B1Vt8XrUQlYxkha+ZThs3iJLlSyQ==,iv:qAE9OZM64KdFc2guTNGCVxom8HWmv5CWQJvt0MmHZIE=,tag:56KMQ/JnK1AtRojWGcClcg==,type:str]
+zammad-key-base: ENC[AES256_GCM,data:WZsUd7jTG7WlF/d1MRnYPdBDxAuSWATJMN8kpR0LRXbGcPgJL6q55FRIWc5lopeUfqt5fTnY9MqgZ/imjwcj4MX9WkPQ7kMi8cquL60++sn4zmrcs6mIKlj4GJDCJ2uUk1kqJFdSRHAnSvJyC//3g8HmX/CFa0j4j4sihJmeZ6A=,iv:dFX0aOrJBeWk8wErKK4hqu/sWbjamHFRZUrxxvoySUo=,tag:+uoE7cW5ioc5nkXcvY0NCA==,type:str]
+invidious-hmac-key: ENC[AES256_GCM,data:TkacC/3KV3+yIHo2WF1Na/x0e4RhApFNOqmyuw==,iv:sbmS2l5NjZDGLOQR7wWQ0lFB7WIf3endlvWC0+Sbh5U=,tag:oIBtURshPQCAcvj4ANYFiw==,type:str]
+invidious-admin-password: ENC[AES256_GCM,data:R2FF0lz6QZkHVJ/vSRzr0crxta5euQdLwLFWKeWRXy/Nu3xwcFP+bRjWYXiyxYoAig==,iv:/4b4vNJlgNjD08M55e/IVFhmeNT/z9qMi8i1r54xr5A=,tag:swjJVaydugX9Xa/v98ULbQ==,type:str]
+invidious-companion-key: ENC[AES256_GCM,data:AMrP65ryJOfdWsSMX+4Fdw==,iv:nlDdFqK494VBjFS37g+slU5TFAZkT/fsHvMxCH8+Aw4=,tag:58XOkEZYjCOdUXTZr4gZNw==,type:str]
+dendrite-private-key: ENC[AES256_GCM,data:oUCh44Ejbw6itfirf5/3hVo2FBlUo8OeR4eTlL388NWAsOKp5fgY2yx2xX8W4Swq2BixKA/KyAV/cFOTzN0Sg2PfasrGYaWxlchwmyHTwSH6+PlFqDqTwGmjfghWagJ0RYadxwm6Z2YsebDkGoJEwSXlwj/zxU5tNJc2WBmto1lg34eYFMGrJmg=,iv:si85iXafRCdX3KxO+fxH+H6iO/xyfU+mV1+e+I9DQKo=,tag:SOLSM2JH7Ktk3685Al14ug==,type:str]
+matrix-shared-secret: ENC[AES256_GCM,data:rmYdPQNubnYN6JUsGbzYvdtTZkWoJOor2VtiLhICRPlJDrobZflUDKF5WcWR+rwNKgta6jTmZD9QnQbT,iv:q9TZFxN/SEYiYUhjQmUF/dtQtjQkBeLeF3vlBs/KJ78=,tag:pjtQLEbdCtyVmz1wjXyv6Q==,type:str]
+n8n-env: ENC[AES256_GCM,data:7Rm5u1eAp/fw3xgyS8K4P7TshJVy9Vs3cHVtzqnQqBggX185LRDtADoslkEnvidxxjImGWZ6Me+Ukchdz3PTnxLoDi9QwpOcL2qP0/RSkqQeMpbwn6aOsd+r54VS1micL2LWQkuwNczPKGcQbrAnSDWaPP44F2r429dENzX2Px8MAHlBBZxhveBWY+vXuwLBD6ylOu9juFz7foq1s+BZxf66B1yo6u5JIPlR3oojDpbPJ7vYa2bMPBEZYB1M4bgkl0mv7IMpQoSItndQNX4AxoB3ZzCFjfZSe2mzhiJtazB2b/CMa0aoBt4UmPSZBfabJ1fvDvRD0KI0G2GIPCmuUT5960bfFcHDImgR3nTzi6AQsxEVgWbLfB9TTFC8duM=,iv:JPdWPnF+uzbWCIzqCVtV3i01s6VYEOD3HATYUw1JM/g=,tag:9HpH8zJAPpeRCZpL3YpTyg==,type:str]
+n8n-git-key: ENC[AES256_GCM,data:R5vJ7nFmEYza3adrfWe2X6WExlmxaUrUdv8PDqBAeF/YWHK/mzIld28Bz38EEUgHwzHazhByVyoz5SQoe1ikNphjWYl14mWkwSPFSdet+UQ6hipLAslRMG9QFcR0funfSvUELN0WK+ewJ1B9imbhPpyLVpTKuns5SSUNOidJX1lnEvLmVrVITvU0XkCpzjNZKl5vMULPu3+Blg7L+vlpAM3vrH24vbRA++HxPfox3hneHkbe4Ckll3ID+KUt7TFeFoKoiB4SWuF5+3mHcl74zuYUORmlvqP9x6sNvYm6ozQggb6J+1zBSmD8mlNFr4s0FmGgnPkjwImKzvETqAcf5Ny7wa2Bu4zQsPQsZP6qco9pbFH6hmF0+g6U/o3G1Bqf/K+xCYtOVIfposk/hLCFAN1G0NvkVjyGrnmwrsrhdR9fVDVfxrshxOGip7PMxFIUuHs+gaGP44ocFmIAeizwrY3skb7dAZqQsXwgEEOKoWEtTWxFyvr1moCdjwgByHXPMRpdEF8mzNwLpNqEVo0y,iv:qRJUj/tHElD+UA7cxvBPiHSRBBrg+hPtL9REtyn8uN4=,tag:8MxVx9KbtAu1oKyS1E0H3w==,type:str]
+phpldapadmin: ENC[AES256_GCM,data:ctXBV5sxhlY6DeR2ZNCDaxXMhGcdZvoLXNBpE4bZ9zBvOUuo1PwwPkDa2akwVGDyIWHkTQIuoEQO/oS+yc2rHVf/4sf3YSJJvsrpwLYiFyzYBi0ar9PNwAdUAGzTuFrilM5/XiGbXCa5bOk7Cp+FN566xipCvGZpMXO9EGLPIeEBh8ojpPOTFGkLA+4Izw9MZZslPMbsPd3jFeI9bAe+w8o816bCM5xoebO5/7rKTvaWVOWbIXocye43jhD7+C/KArWKO4KW2HytuuXDt33xEbypAA2z4C0o29jQ96QruVk5rl5Cb9P0qLA=,iv:jc7Xwo+Ux2pTlwwQ82bo4QFRkk9bLxYtGkiEPLdxl6o=,tag:58Ty5w2cO2QLZD53abRyUg==,type:str]
+piped-db-password: ENC[AES256_GCM,data:oinOX75JbOw6HtNK+xmn4UaW2fTHzm8XASjgLaZrXtD/IOOh+/3DUaSwz30=,iv:00ZVBisldW/t6Sma4Ov9hGuK8Y6lq817OKYH4QuHz9A=,tag:GV8FP9XAktdLMbHquP2xnQ==,type:str]
+synapse-oidc-client-secret: ENC[AES256_GCM,data:fU0WUkNvaR+JWRlADp1yk5EmFf0RM5JBdBvVsPLtxzPwhZtNN8zhRTv9anp6NZoThLSNOffXqievBE0PMxVGiw==,iv:mnijdEufA77vU8dYOGrjvaN0LwFNhT1S050lStRgRD4=,tag:GdhdGRQedaXcp4rJ/OBXoQ==,type:str]
+mas-encryption-key: ENC[AES256_GCM,data:w9V55+9fpCeYHwT9XLHM+9SHpGNaJO0fWI7JO/DEkGyOQd/7/zLeSaxDnOvORl9T1WTMZfob6XvroeOgt+/Iew==,iv:CtSuhO1KhiSkkfFcvp7KOiQjKU27VlzIayOUEoFjin0=,tag:iZdVd4QTxX2g+W5X2TqvRg==,type:str]
+mas-matrix-secret: ENC[AES256_GCM,data:OvBEnMhif9OfZKd2NWhSprIupt4fM7x0ROPKatY2eJbXtzkF9qkKitEhsWgbBrkZP6fp0qEgN7VCF134dmVuGg==,iv:72IrdvZsi4DwkkLPRPM82rhB+g677kaJNeS6KkcA9zA=,tag:H6znD9OQT4hOZ2bIcaj5Tg==,type:str]
+mas-authelia-client-secret: ENC[AES256_GCM,data:UB//9okQ5nFouVaRky3t9qyBuOHMw4eX/V0jirD2xBzW2OUieRBDandusPLaFqCm5VjZJUTezT2M+SBpKk7sww==,iv:GDmYh+7RJ7deOLbUtbGXoa2gY+dGa5BrzaSk7PSl85Y=,tag:smPKgSWcmuVZVwm/Osjrxw==,type:str]
+mas-rsa-key: ENC[AES256_GCM,data:PMp9YBPL2wXTOm80b5bIG6+rA6fvPX+PHhr+Hvb+vl0n5MGjrmIVwkVHslY5QEMDFmlk4ytKH5BDYV0OVm619vxuopN4CAqUpFhLum3XKXKINGUziwj8HDv3xk5wxdPsQSofGR+E0Cmmls/bHp00CKfid/GzlooI/3hA0+0y1N0JcaiR7xOZJuFGzqzo31UaLoYqdsviKEWoTieme+TiU9CkX297C5PPUqjDGGEZ/UBvueOAlFB+t3So8xdFL5Q8tY2ZeM0YZS1GCodDJUeKHL8X/cmN9PcIoVgJ4UMbQaL8IShgKqAwRNGjBEWgL+q1BlpxCmsGNWnX9V6ox3wpsQM+n6RLkQezJkamQ9E9PmYleo/9Qk3RC1pOMGzMjvnp/Dl3lmzUkXVrkQpDyBPU+DN4l9uWQbxFlk+APAloeXYwrucr2dUGpJNPvpxI22X248qOh++03yIRY/Woef3URDjz/EFZbOExj2HLPb8NnyGl336dpP+FTHolzMxplcsTAp/dyyL2UQiDX5ms1QA90HQ/YHWo74OhZwbV8jAxL/fu3oXwUA2aBHwlNYObPrrWbXMC5QBChLeOxPQaVL0Yj6sSAS0S6H8MW/we0qb8P19T6bYWBSvzSLIKqU2mIvdYx7gNDjMDZUgKaVTk8E4J5KihryN0NBMcyWROeSdKXET71BSp9oEIWtDqzatpMMEGcqXFkZjRt6GT95cYkhiYIPweCQGcggF0eZSTQUBCzfBnugMtbB3UoE/EoGKqELB9KjgoIz/IQOmR5vbhislSZ0myCr4h9J9r++I4b34n7CeK8omKflNY7i7ru3CQyxXcI9pLQjJgAdzFadNONMIvPhTfYymXYAMbm9nJjNprVKnvAP1DN6QMQGpfgqx9ausj7rQoCPhR+CmTVezWokTvu7fk0rphlOawtcf0Zt3TCi3OeAP8w14tXrywyO5fAa/M8u2VSChLIFC/dY1X9lrZxzt4AKnJ7rLitliCQFe4Sm6UhJgb8r5TszN9nBnN9Wo0WoqRnYR7Oj+aDEqeANF/fhDlFzi9y/2hDRiWSbQV13rOwoObgoUMj1+VWCYdgKUJUo5FhpBaEEsVfxS0dJ/cgNprFqbu8srhGa8ajnb6JReKnTwRgN3IquppF6lgBQc50Eb9m6mFZhNR/5cgNxUXpI3uFYqwNnwuRn+nE5s5Py0Dr7d1C579S5BF/awiVQZYGi9tK4OA9qCxjESRThe3jXSatOnCTtYaGs3F85HXEtexKejn9qmLIEbuoBs01BoaLWzGBIRdrbBanbMXCr8JsxyTEk8uRvm1YujH0WDk8HEhjOaDAr+0MPROF2oOlKNzY6Nj65rmXy3wTat0/NhUgf5R4oS7CNhMxo1HyOXaNdAlLkGjbC9p53I8Ic2aeX467jCqkR0fzjd5WNJG3y4Gl7vwbJcv971Zq1JFLkppDFjTiKBNtfCChXtO4nSKMRltHYVnSVSok08ZjFIknqzl2Krnj+GO3AXUYDHwnYHY1NN5e65omJMH6OGHSQqDy2FRSupDX+dx3Bi4p6sw7Khas9+QE1Qx2mzaXknjR+8drYNqMTG4WtRfikwHeqGXJIVCF174NdXBqy4qjyDNPp5SZevpOTbwgn0lIb8F0auQKJ+QyF6cd8vbi4nYh/WTxXU3agjpnojblid1qP6/AjzMIFAnWBOJN1kpwCLcbCSOH9nErqlFl+YrGpifcMIuHncXtbY6mtNPKX+FSj+Vc9ifoDnldtThak0D9ZUKgt3j3oJD4JoMv4ci0AsRpBqNYMnIUhkOdhkApG4mxx1MZ0q/Ahykd4Xgau2bHX65SW20mp0HAjo4b5jz0YE3TLC4nT/MPGUBzGxwNcSpTunsZoH08rh4VIMRmPDRQT6FMiadfxkSQaX78OSBQNVsDcpbHwIL+3kToMkG/o2UQGL9tvORJuU/oyHObIGJpmJHozpFLoy9M0LDaza3e60KT/Vr/DTbgoadtG3tEN2ELGfUCUMuiQcAqd7mdC1pIRX4bLnmSFPERAQ8W+Nyo51+qBeFrZMN9h/vOB+8c6eXZ8FVflFCSHrsPeG+Ju9uuXUOVf7dIjMnZlqbsf4FvX0rcGzIIgEHkoMSa3nOcWvvpSFAA/cflvKsoa05b9/4o/Bo0uXu2Ojil2fsIYUsaajfquxO4r3Z7GZd1JGXJhu4QcOClAW1FsfzlbgEbBtgnx2KK0OrVZ5rCHf5/8EMpiK1ZoFT8xNFEG5Mvc0fj/7HM7UUnHPqRf51/n+6Yzzxd8R6PBght/boiexkxLFwsqkLD1Mpd3klCdaCQbEnTO3GMWPBCs5lxxyJsUjeLY1vNestZdDAQQMCVD2LZ+HnhAmiSak39G1h2glvwKITMRxnAco32mkDPJyYFYcgSANDXZijj9R385uc1h7xIwFYh2z9XRX47QYE1kWvjg7z7lEOH4v/7TwWMw+T3dPocNxRKn3HVcNBFabHLilfECSq6aDXp+7eSUSkKvBCkXJ4xj7ED7y2etee5nVCmG7kVWOHJROxWAJG3htniF+kMtoOLWlSpnPhFlWDaNE5E7TsX/T+zNfbTX3RpGWFLqqMvL1PJyR13rAS+rHeL2KPKoVWbX4JPfTP8vWwKheG3smhDdEAzXugp9gfw4ZweSOpOMJMRf0RvpnU+A9udVwVIpHd9DT/DMtaCvGz/rAZclr5LCuIFQ+OWLytrV4ZKdY9pJ0EXfgpYh7kt+LXjsVGqtQlU0lG9v2jvmaxPMMZtj3Oq3Cx/ZskELcn2YGPl9Q99nsz0RXeeXPJJ7QhId9Zw4TocJAZXC4ZEyf1GPeb5CIGhWM1Lz2kn3ftM+xwTBpj7u0FNFsEbMKBxw8WQb28poiZFB2K5qabWpi1n7S+yIJEmviNGMG9FsIAWNOm474NzHBZT5VByHEQfYEMjIXejrDcD2Cs6CGmaAm7C9Cl4l42LZKmJ7KRXq00/vcbotVN4YnPRfHbelhVvTQYcpPIqqsKs/JefTViA3YMYRnj+WhRyn2KU1g+hzyTwyyKhfTVRDIkwxVEr+yrINgSDCxRxRWR4YlTnVGhOki+bmURGxWYLRcxk73+OHfz2/rYRsTzyzDBWv0xs1ycplOHehc7JuweFJgFn2KTAxS2yX14fZ+R1PSKyN7yRa036qoZN5bG6dMh8Ki6+DR6oQv0ejc4W72yYQ6XXdXeEHd0oQoGrF5kFK5UuX4dQZ+RpgsrL/pFEGQG+h09IvR8N3V5iZXJf557LyhOsGxPY5ZFv5Wl6ZklHdwsbGtU6iuMMdWyGsQ9k0/UPPSijsoRomS9DMFgqZBxzkajYV8dMKLcJCbIYzk6q5w/YdKr4YjglDF1lnkggVORLHVNYsPagjokPJikpSmFlnUdIfbTMSk2UlcTinxVkwiu9yyGD2Ra34Cbe+b43EdS1Jph4abopadT5k1snpfIFiVy5lp1RDGFaqkr+phf6SQDOoLXk3i+toYwElq3pS4Wes7xoUWj+y6icGwXQjv09/TP7KKxwq/lYGcjENOANA1eztkAb2q787ZYAHYOvJiwz2C//D+QG0H8rCP1B6VBZZe29qDM6T9FI45LkkTximoOwPFJfO3XM7tn2CSJ+CMffQTlFkucfqYuB38G0lf6eTxA1bSEua7l0gOnfyTmO+KY1J8yIDJ+gkwLdeE1jK+5/Vn9hVNmYbj3MuzdddzMJ1uQuZcs7LzUTYdkSVUKyT9Pvndlvfeoa4s9W/5lbfa6vpo7pcya5p8dIgU3l9hmqzl/XWZW4yLANImpxGEdTWQabun8HZT3s1Dw7kw6TQymAFky/FEx/gulC7e5n7285FXsC6jIu4Cv0bmqVRdu2qvo1XNEIQxhwp4IemwMfe5Bol6tCQtlVUDgyvgXhZ+rUzc9h/zYNui8AdUVgwEO4GIDEfDI1LGV9rDYAj4ZKDTK2irwDMtdUq3VDK43+IxKLAUqxKA4fBx1CMseY58Tbdky6vLX1VhKB6N5R6zJIl6m9DapYSAdYVuJDjtBAwB3KobJyPrQNEYBSLmp4yqvVDR9ElONs5IURci4VFgIXPTyxsmPKrXjHXiZBYXU+nHNY0KlCnzaScgKRIQDSIOHuu+1acEUETutZWv3+ru7+3cEe7D6SPEDt89MyiBJCVRfnu0s9ssojOMDLvKn5Ba7j7HMsi6cFAyETfFqwrl3HHoc5e69J+1kwc1pxKmn8oJubuBn+7lgp7vJ6GfxobDGi/V5/ICwBMl3FbNfeagpuFguvY6ix426W7Eha5coC9WHNC6wLGJvRyo5aWRcqeakl9veUX8Zh19qPxSsgq3glnGzvcXwZGCY7CcCxLmOrZe0Efy+5vVq9D8XDdwq0twsN5w=,iv:rMEKALM7zs/akDPwSL0yEhcgZJC00shO+BgmLvpGRIs=,tag:B8PSa4SgYlhxtbsUJQNisg==,type:str]
+mautrix-whatsapp-env: ENC[AES256_GCM,data:FKYO9xS3ndWzsrEan0aQo0VnYn3vFYB3/6bgR2JzyAWSO6BLCFKbpKOZQ12/9fs/Ofxl3YutKwfCjULqt5WHcl/xU7kGxd1WnaAMXMsfzbteB+leZb68nK1b4TR4,iv:9XdrEhmZE6ck5xZKJASnF14cI0mGgiBTzTYXkTG5sM8=,tag:NMPEwVPV4TLLljSPpjy2kw==,type:str]
+mautrix-signal-env: ENC[AES256_GCM,data:5J9XEMZ56gZWwo2yGXqS4fnGYMHUMxB1FDogrh/HguyUizc7sgiX/nqMjm2byoPQajdYmPkNkp6cuKPre7uThvOHBLTXoQAPa7oH2rHuoxFGKHEoaMNS9ASC3A==,iv:ralynGox+FPfraSRg9L9DFU2NNhDQkhWrOtR/REnpok=,tag:u14jhQe50opbyNv1XFdhKA==,type:str]
+mautrix-discord-env: ENC[AES256_GCM,data:ZFTR6bJ/OXo8Eb7OsB65FX0dv2L53voJL8aE8i1AmXgr6t2e4RIxEj5cMUMv8g5YjnTxodlQwlCojErU68RGikksSHt0I00aEVxD7QzAoZ168apwh4PY6/jklyoclusRV7O4p3nGqjMJHgLe5abZUbTSwG64jspn9xF74SIPC7FseOwb4L9rkFZdwF2Guvg/vuX5bPOjxw300qiJmxh0qyQOWE61jTWPD0NMBhvKdBgvHhxqOx5UPV8mldEJ3lsIyfADF4nOygfuumZ48P1v3mSo8jdQczHhACfw2HhoZd+vhtfo3d9T3brbRVMDbVerOukUAUn7lb6wqJEUKtaUOquNV/xunoTKmRjwD5+FdDA=,iv:ed4Eb4zvkb14Fx4Fnt7ldDdjH4FhHm0OoCcWdbVb3WI=,tag:0w3SYMcrFs6ODtdjH+cbZQ==,type:str]
 sops:
     age:
         - recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3M3h5OUlDbHc4Tk14MG1O
-            eWsyZkgxbGpVOHV0WlJnY01za2VEZHJFMFFFCk1PNmVnQ0dMd3U3VFBIK2Y4WWc3
-            M2d2NFdiT0JzUng0VjU4SEFIMlVLdk0KLS0tIFptQ09tN1lGbk9SMk1neVQ1OHFl
-            emJ4enVuSEFxZ0tlWHlvUC9LVDR2ZkUKJokdEz17dE3H2t0XdDJVQv9qPptsvde6
-            MBkqIaeRN/esWpyT9SpqxA5gSpF0sBwRmkQFAyYVW0yDmsDxmA6NFw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyMkl1OGpYYmxUd1AvejdG
+            WlRtOXh6TjhPTTlyNmtHZFhRQ1Z3OFJOckFBCktGbEcrZHR1MHRQanhxaGpWQUNB
+            ekdVMkZQU3FkbDlURklLNlJyNENDRHcKLS0tIDdxSkVBMnhkS0dMZFJ6bGs5V0lV
+            TThyY2hQeTRIcnpQKzYzbXdlUVQxaUUKE0jgn7aNzN/jnJzLabYPkEw6hSxEbTK4
+            dbaccqGjDs/ubiD2ajtsX2/BhARSfsA400vZu/gXBLF9+bzJ3paM3A==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1exny8unxynaw03yu8ppahu5z28uermghr8ag34e7kdqnaduq9stsyettzz
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGS2dmbE5DUVBGMlQ0Um1l
-            MXY1YXVrTktOSkF5MEhpbmQ2QXdtWTY0OHhZCm5vbFFFdUYxM2NPdVA1MjNLVStB
-            Mm51TmJxWDloRlNWRHNBb2hBUnMwbHMKLS0tIEJIUnVUVVRLWlBEMmNQR0tMQTNm
-            a29uaTl4ZlVWUXlXS0E5bDBmOTJiWmsKydzPPYsWSZRBw9Z9X8ToRjSbCO8QgxGj
-            4X7TxshEEhzdcUOgkrGSDvDcsb9lQV1p9zTudjd3GpaXRmTOP4z1sA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAycjIzMzVoWmRKUWc3U2Vi
+            Z1dhYTB4Y3ZoeDU1Wng2M2F4ZDBjd0tvcjFvCkRYVlhiWXFlTFdWazcyMG9xSnd5
+            Z3h0U3J0MEIrYWZQaDlwUFR4MDVidFUKLS0tIGErakZGRUpEN1RqRVhrRGp6bTNP
+            S3JmQnFEL0dWRU02dUI5T0RldXFvSWMKT9t6jWeX51XlE27BoKnUsrgWz5jn4ygf
+            +gqh2KUQPmVooPAooTXl6SVBuqaak+A5kv02/5iiKdKS30m9nEOgUg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnRTNZaWtFZE5XdDROekx4
-            NXVZcFl5ZGxqVmFYWnRjb2M1MUdDMDVwQ1VZClE4dEdtTGhRb0JQNDJZa2dSeERQ
-            L1NrajJrcllZcHZ5RVpUVkdDRWYyU0kKLS0tIGV0WHkyb3grT0J1ajhGeW1QeFIw
-            Y28vcThsa2c0ODZETlVteWk3M2ZvbWsKk+d67Xrxd54K4OQ/ssosEWU8AFNjAiZq
-            tv02IJnaVu0jTpGnscqpL/fweGOg3++blsccESxnd1G/n8mN9Iifkw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1dktnemgySlhZbFUrYjl0
+            aTB0QlpkL0lReFJONjBvczF1MGMyU0ozRjNzClpGaDlqUWRTbWVDb0hPRys5T0x3
+            eVd6cXBrNDR0YlJLQVJoN2QxeEZQaW8KLS0tIDAxVXd0TTNZWmFNM0F2ZEJnTUZZ
+            NlNWTnJjWTdNdXRjTjRRWk9MZGp6SWsKMvtB5iYQfa3GFYzf4w5peWuf7zf55Dhj
+            9bNf/AzapwW1czt684gkpPLxMlBOFqj+0hVks1YZn7QLtB1EcnAbBg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1gjm4c3swt8u88e36gf2qlg3syxfc0ly94u64c42f2tsf24npw4csa6e4fw
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQ0E1d3lrdnZNTUxzaHFm
-            SXFGaXFVbDJmRVVHRDRGNlJkemk3N0lwZVc0Cnl4NDJhYzhvQWk0YjRQcFZEQTlY
-            VDZLcDJjT1JmaHJlYkhYbWlkcUpxZ0kKLS0tIGlGZmZOdFJzd2VZbi8wb3dUNGxy
-            MlViei9iU0d3K05aQWlKWHpKSThGVU0K056Yqw353eLHg0bUsMsxYSUN01MDVutl
-            +ZTPtbNIy0xh6tj0ZWr+wIYnN5z1sn3OtcUIKm98sT2bHapvoUkl1g==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEeks5anEwU2FnVTZNbXpI
+            cWZiMEpQL1d5bWRpcU84OUZSOURxMXlkaW00CmJKVGppVTFRelBqYm9oTVlYT2RC
+            OWJLWFFuM05TVUhPZFlsWDhMRGdra3MKLS0tIFpYTjZPbXRlZTJ1cDV1ZFRlZFYr
+            WUJqaXo0YlR0d3FXb05zYnFFRlhtT2cKFxPi681ZwL3Pr3pyE6cJ0QFxWAGFcI6g
+            i772pQ/Yqxr81bj3hCSE+vHg0GGV9oGj5La9jdKFVrV7DcW52Rd0gQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-01T18:37:04Z"
-    mac: ENC[AES256_GCM,data:Kb2QbqGZyHo6mBC1fzx9/hC7xdI+YafTZBvzbkXUIOpC8EKveqivteU9NKV/y6Yyn6e5bMW77oafriP2kWSSroWVPlDpEBnwxuKp02OGDD2dXgKg2hpsbVJw/rB2PCeAPCo+TO8Yw0sqzW1QzA9XIhL9K3Qt3ncXvh+qh2O6S9A=,iv:XouQNRAalAw60wt2D9l/n8JDMpXIkA+4IdR7ixJX+40=,tag:vUimegOoteMPi4TyCJoWpQ==,type:str]
+    lastmodified: "2026-03-02T08:06:35Z"
+    mac: ENC[AES256_GCM,data:rWFIxCen7QsSVk4aRU19RejHyN4dympO6h+qEOUmS93eKIi8hMidiHBembLKn+R20CcrX1eKGUVfcazThRQ9RbLEV+amKV2Z3rrQWmTrKu4glCZf7Pnjex9rzSLWYo73inG7n50/bXa/6jP+HPeoBcsdzNpomIogm2ZDF4qDVcY=,iv:ZsxzVWp2B7F0dYAoUGbRi2PsJT1dV9JzrmmldwS66/g=,tag:x/jjfHX6ZyczRfpzqoNAWA==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.12.1
diff --git a/hosts/web-arm/modules/authelia.nix b/hosts/web-arm/modules/authelia.nix
index a54cd7b..2edffa7 100644
--- a/hosts/web-arm/modules/authelia.nix
+++ b/hosts/web-arm/modules/authelia.nix
@@ -256,12 +256,13 @@ in {
             }
             {
               id = "synapse";
-              description = "Matrix Synapse homeserver";
+              description = "Matrix Authentication Service";
               secret = "$pbkdf2-sha512$310000$eb85q6wn7juP3DnTjobqEQ$GFNbhkZrXRU8gM6SwMFkPPIYPIsJcGyaQXacGB0r.gI.xTEEoeWU3gG6hkSgJHYnjhZtZoELZLcaE4qCd9fKLg";
               public = false;
               authorization_policy = "one_factor";
-              redirect_uris = [ "https://matrix.cloonar.com/_synapse/client/oidc/callback" ];
+              redirect_uris = [ "https://matrix.cloonar.com/upstream/callback/01KJPRKN397E5N8D0CA2Z3TJ7Y" ];
               consent_mode = "implicit";
+              token_endpoint_auth_method = "client_secret_post";
               scopes = [
                 "openid"
                 "profile"