diff --git a/hosts/fw/modules/dnsmasq.nix b/hosts/fw/modules/dnsmasq.nix index 940eae7..ace789b 100644 --- a/hosts/fw/modules/dnsmasq.nix +++ b/hosts/fw/modules/dnsmasq.nix @@ -92,12 +92,14 @@ address = [ "/fw.cloonar.com/${config.networkPrefix}.97.1" "/omada.cloonar.com/${config.networkPrefix}.97.2" + "/element.cloonar.com/${config.networkPrefix}.97.5" "/web-02.cloonar.com/${config.networkPrefix}.97.5" "/pla.cloonar.com/${config.networkPrefix}.97.5" "/piped.cloonar.com/${config.networkPrefix}.97.5" # Replaced by Invidious "/pipedapi.cloonar.com/${config.networkPrefix}.97.5" # Replaced by Invidious "/invidious.cloonar.com/${config.networkPrefix}.97.5" "/fivefilters.cloonar.com/${config.networkPrefix}.97.5" + "/matrix.cloonar.com/${config.networkPrefix}.97.5" "/n8n.cloonar.com/${config.networkPrefix}.97.5" "/dev.cloonar.com/${config.networkPrefix}.97.15" "/.ddev.site/${config.networkPrefix}.97.15" # Wildcard for ddev projects diff --git a/hosts/fw/modules/web/default.nix b/hosts/fw/modules/web/default.nix index dd021b0..fe1175b 100644 --- a/hosts/fw/modules/web/default.nix +++ b/hosts/fw/modules/web/default.nix @@ -10,7 +10,7 @@ in pkgs = import pkgs.path { config = { permittedInsecurePackages = [ - # needed for matrix + # needed for matrix bridges (mautrix-* depend on olm) "olm-3.2.16" ]; allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ @@ -91,6 +91,10 @@ in "/var/lib/zammad" "/var/lib/postgresql" "/var/lib/n8n" + "/var/lib/matrix-synapse" + "/var/lib/mautrix-whatsapp" + "/var/lib/mautrix-signal" + "/var/lib/mautrix-discord" "/var/log" "/var/lib/systemd/coredump" "/var/backup" diff --git a/hosts/fw/modules/web/matrix.nix b/hosts/fw/modules/web/matrix.nix index 64735af..6277c2b 100644 --- a/hosts/fw/modules/web/matrix.nix +++ b/hosts/fw/modules/web/matrix.nix 
@@ -10,18 +10,20 @@ let add_header Access-Control-Allow-Origin *; return 200 '${builtins.toJSON data}'; ''; - - # Shared settings format for bridges - settingsFormat = pkgs.formats.json {}; in { # Secrets for Synapse sops.secrets.synapse-oidc-client-secret = { owner = "matrix-synapse"; }; + sops.secrets.mautrix-whatsapp-env = { }; + sops.secrets.mautrix-signal-env = { }; + sops.secrets.mautrix-discord-env = { }; # PostgreSQL database for Synapse services.postgresql = { enable = true; + # Synapse requires C locale for correct collation behavior + initdbArgs = [ "--lc-collate=C" "--lc-ctype=C" ]; ensureDatabases = [ "matrix-synapse" ]; ensureUsers = [ { @@ -84,28 +86,20 @@ in { allow_existing_users = true; user_mapping_provider.config = { subject_claim = "sub"; - localpart_template = "{{ user.preferred_username }}"; + localpart_template = "{{ user.email | localpart_from_email }}"; display_name_template = "{{ user.name }}"; email_template = "{{ user.email }}"; }; } ]; - # Appservice registrations for bridges - app_service_config_files = [ - "/var/lib/mautrix-whatsapp/whatsapp-registration.yaml" - "/var/lib/mautrix-signal/signal-registration.yaml" - "/var/lib/mautrix-discord/discord-registration.yaml" - ]; }; }; - # Allow bridge users to read registration files - systemd.services.matrix-synapse.serviceConfig.SupplementaryGroups = [ - "mautrix-whatsapp" - "mautrix-signal" - "mautrix-discord" - ]; + # Synapse runs inside an isolated microVM, so PrivateUsers provides minimal + # additional security. Disabling it allows Synapse to read bridge registration + # files via SupplementaryGroups (user namespace blocks mapped GIDs otherwise). + systemd.services.matrix-synapse.serviceConfig.PrivateUsers = lib.mkForce false; # Element Web client services.nginx.virtualHosts."element.cloonar.com" = { 
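Review bot: The new `initdbArgs` line only takes effect when the PostgreSQL cluster is first initialised, and the comment above it does not say so. `/var/lib/postgresql` is listed as a persisted path in `web/default.nix`, so if a cluster already exists there, the `--lc-collate=C` / `--lc-ctype=C` flags will most likely be ignored and the `matrix-synapse` database keeps the locale it was created with. I would extend the comment to `# Synapse requires C locale; initdbArgs only applies when the cluster is first created, an existing cluster needs the matrix-synapse database recreated with C collation`. The flags also become the default locale for any other database created in this cluster, which is worth noting if other services share it.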
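Review bot: Deriving the MXID from `{{ user.email | localpart_from_email }}` while `allow_existing_users = true` stays set means two identities whose addresses share a local part map to the same Matrix account, and the second identity is signed into the first one's account. This is safe only if every Authelia account uses a single mail domain and users cannot change their own address; neither is visible in this diff. I would record that assumption in a comment next to `localpart_template`, or set `allow_existing_users = false;` once the existing accounts have been linked. Separately, the comment on `PrivateUsers = lib.mkForce false` refers to `SupplementaryGroups`, but the explicit list is removed in this same hunk, so the comment should say that the groups now come from the bridge modules (presumably via `registerToSynapse`) and that the relaxation depends on the microVM boundary.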
@@ -136,414 +130,98 @@ in { locations."/".extraConfig = '' return 404; ''; + locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig; + locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig; locations."/_matrix".proxyPass = "http://[::1]:8008"; locations."/_synapse/client".proxyPass = "http://[::1]:8008"; }; # - # Mautrix bridges + # Mautrix bridges (using NixOS modules) + # Modules handle users, groups, registration files, Synapse integration, + # and service ordering automatically via registerToSynapse. # # WhatsApp bridge - users.users.mautrix-whatsapp = { - isSystemUser = true; - group = "mautrix-whatsapp"; - home = "/var/lib/mautrix-whatsapp"; - description = "Mautrix-WhatsApp bridge user"; - }; - users.groups.mautrix-whatsapp = {}; - - systemd.services.mautrix-whatsapp = let - dataDir = "/var/lib/mautrix-whatsapp"; - registrationFile = "${dataDir}/whatsapp-registration.yaml"; - settingsFile = "${dataDir}/config.json"; - settingsFileUnsubstituted = settingsFormat.generate "mautrix-whatsapp-config-unsubstituted.json" defaultConfig; - appservicePort = 29318; - defaultConfig = { + services.mautrix-whatsapp = { + enable = true; + registerToSynapse = true; + environmentFile = config.sops.secrets.mautrix-whatsapp-env.path; + settings = { homeserver = { address = "http://[::1]:8008"; domain = "cloonar.com"; }; - appservice = { - hostname = "[::]"; - port = appservicePort; - database.type = "sqlite3"; - database.uri = "${dataDir}/mautrix-whatsapp.db"; - id = "whatsapp"; - bot.username = "whatsappbot"; - bot.displayname = "WhatsApp Bridge Bot"; - as_token = ""; - hs_token = ""; - }; bridge = { - username_template = "whatsapp_{{.}}"; - displayname_template = "{{if .BusinessName}}{{.BusinessName}}{{else if .PushName}}{{.PushName}}{{else}}{{.JID}}{{end}} (WA)"; - double_puppet_server_map = {}; - login_shared_secret_map = {}; command_prefix = "!wa"; permissions."*" = "relay"; permissions."cloonar.com" = "user"; 
relay.enabled = true; - history_sync.request_full_sync = false; - encryption = { - allow = true; - default = true; - require = true; - }; }; - logging = { - min_level = "info"; - writers = lib.singleton { - type = "stdout"; - format = "pretty-colored"; - time_format = " "; - }; + encryption = { + allow = true; + default = true; + require = true; + pickle_key = "$MAUTRIX_WHATSAPP_PICKLE_KEY"; }; }; - in { - description = "Mautrix-WhatsApp Service - A WhatsApp bridge for Matrix"; - wantedBy = ["multi-user.target"]; - wants = ["network-online.target" "matrix-synapse.service"]; - after = ["network-online.target" "matrix-synapse.service"]; - - preStart = '' - test -f '${settingsFile}' && rm -f '${settingsFile}' - old_umask=$(umask) - umask 0177 - ${pkgs.envsubst}/bin/envsubst \ - -o '${settingsFile}' \ - -i '${settingsFileUnsubstituted}' - umask $old_umask - - # generate the appservice's registration file if absent - if [ ! -f '${registrationFile}' ]; then - ${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp \ - --generate-registration \ - --config='${settingsFile}' \ - --registration='${registrationFile}' - fi - chmod 640 ${registrationFile} - - umask 0177 - ${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token - | .[0].appservice.hs_token = .[1].hs_token - | .[0]' '${settingsFile}' '${registrationFile}' \ - > '${settingsFile}.tmp' - mv '${settingsFile}.tmp' '${settingsFile}' - umask $old_umask - ''; - - serviceConfig = { - User = "mautrix-whatsapp"; - Group = "mautrix-whatsapp"; - StateDirectory = baseNameOf dataDir; - WorkingDirectory = dataDir; - ExecStart = '' - ${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp \ - --config='${settingsFile}' \ - --registration='${registrationFile}' \ - --ignore-unsupported-server - ''; - LockPersonality = true; - MemoryDenyWriteExecute = true; - NoNewPrivileges = true; - PrivateDevices = true; - PrivateTmp = true; - PrivateUsers = true; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = 
true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectSystem = "strict"; - Restart = "on-failure"; - RestartSec = "30s"; - RestrictRealtime = true; - RestrictSUIDSGID = true; - SystemCallArchitectures = "native"; - SystemCallErrorNumber = "EPERM"; - SystemCallFilter = ["@system-service"]; - Type = "simple"; - UMask = 0027; - }; - restartTriggers = [settingsFileUnsubstituted]; }; # Signal bridge - users.users.mautrix-signal = { - isSystemUser = true; - group = "mautrix-signal"; - home = "/var/lib/mautrix-signal"; - description = "Mautrix-Signal bridge user"; - }; - users.groups.mautrix-signal = {}; - - systemd.services.mautrix-signal = let - pkgswithsignal = import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/fd698a4ab779fb7fb95425f1b56974ba9c2fa16c.tar.gz") { - config = { - permittedInsecurePackages = [ - "olm-3.2.16" - ]; - }; - }; - dataDir = "/var/lib/mautrix-signal"; - registrationFile = "${dataDir}/signal-registration.yaml"; - settingsFile = "${dataDir}/config.json"; - settingsFileUnsubstituted = settingsFormat.generate "mautrix-signal-config-unsubstituted.json" defaultConfig; - appservicePort = 29328; - defaultConfig = { + services.mautrix-signal = { + enable = true; + registerToSynapse = true; + environmentFile = config.sops.secrets.mautrix-signal-env.path; + settings = { homeserver = { address = "http://[::1]:8008"; domain = "cloonar.com"; }; - appservice = { - hostname = "[::]"; - port = appservicePort; - database.type = "sqlite3"; - database.uri = "file:${dataDir}/mautrix-signal.db?_txlock=immediate"; - id = "signal"; - bot = { - username = "signalbot"; - displayname = "Signal Bridge Bot"; - }; - as_token = ""; - hs_token = ""; - }; bridge = { - username_template = "signal_{{.}}"; - displayname_template = "{{or .ProfileName .PhoneNumber \"Unknown user\"}} (Signal)"; - double_puppet_server_map = { }; - login_shared_secret_map = { }; command_prefix = "!signal"; permissions."*" = "relay"; 
permissions."cloonar.com" = "user"; relay.enabled = true; - encryption = { - allow = true; - default = true; - require = true; - }; }; - matrix = { - sync_direct_chat_list = true; - }; - logging = { - min_level = "info"; - writers = lib.singleton { - type = "stdout"; - format = "pretty-colored"; - time_format = " "; - }; + encryption = { + allow = true; + default = true; + require = true; + pickle_key = "$MAUTRIX_SIGNAL_PICKLE_KEY"; }; + matrix.sync_direct_chat_list = true; }; - in { - description = "Mautrix-Signal Service - A Signal bridge for Matrix"; - wantedBy = ["multi-user.target"]; - wants = ["network-online.target" "matrix-synapse.service"]; - after = ["network-online.target" "matrix-synapse.service"]; - - preStart = '' - test -f '${settingsFile}' && rm -f '${settingsFile}' - old_umask=$(umask) - umask 0177 - ${pkgs.envsubst}/bin/envsubst \ - -o '${settingsFile}' \ - -i '${settingsFileUnsubstituted}' - umask $old_umask - - # generate the appservice's registration file if absent - if [ ! -f '${registrationFile}' ]; then - ${pkgswithsignal.mautrix-signal}/bin/mautrix-signal \ - --generate-registration \ - --config='${settingsFile}' \ - --registration='${registrationFile}' - fi - chmod 640 ${registrationFile} - - umask 0177 - ${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token - | .[0].appservice.hs_token = .[1].hs_token - | .[0] - | if env.MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET then .bridge.login_shared_secret_map.[.homeserver.domain] = env.MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET else . 
end' \ - '${settingsFile}' '${registrationFile}' > '${settingsFile}.tmp' - mv '${settingsFile}.tmp' '${settingsFile}' - umask $old_umask - ''; - - serviceConfig = { - User = "mautrix-signal"; - Group = "mautrix-signal"; - StateDirectory = baseNameOf dataDir; - WorkingDirectory = dataDir; - ExecStart = '' - ${pkgswithsignal.mautrix-signal}/bin/mautrix-signal \ - --config='${settingsFile}' \ - --registration='${registrationFile}' \ - --ignore-unsupported-server - ''; - LockPersonality = true; - MemoryDenyWriteExecute = true; - NoNewPrivileges = true; - PrivateDevices = true; - PrivateTmp = true; - PrivateUsers = true; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectSystem = "strict"; - Restart = "on-failure"; - RestartSec = "30s"; - RestrictRealtime = true; - RestrictSUIDSGID = true; - SystemCallArchitectures = "native"; - SystemCallErrorNumber = "EPERM"; - SystemCallFilter = ["@system-service"]; - Type = "simple"; - UMask = 0027; - }; - restartTriggers = [settingsFileUnsubstituted]; }; # Discord bridge - users.users.mautrix-discord = { - isSystemUser = true; - group = "mautrix-discord"; - home = "/var/lib/mautrix-discord"; - description = "Mautrix-Discord bridge user"; - }; - users.groups.mautrix-discord = {}; - - systemd.services.mautrix-discord = let - pkgswithdiscord = import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/5ed627539ac84809c78b2dd6d26a5cebeb5ae269.tar.gz") { - config = { - permittedInsecurePackages = [ - "olm-3.2.16" - ]; - }; - }; - dataDir = "/var/lib/mautrix-discord"; - registrationFile = "${dataDir}/discord-registration.yaml"; - settingsFile = "${dataDir}/config.json"; - settingsFileUnsubstituted = settingsFormat.generate "mautrix-discord-config-unsubstituted.json" defaultConfig; - appservicePort = 29329; - defaultConfig = { + services.mautrix-discord = { + enable = true; + 
registerToSynapse = true; + environmentFile = config.sops.secrets.mautrix-discord-env.path; + settings = { homeserver = { address = "http://[::1]:8008"; domain = "cloonar.com"; }; - appservice = { - hostname = "[::]"; - port = appservicePort; - database.type = "sqlite3"; - database.uri = "file:${dataDir}/mautrix-discord.db?_txlock=immediate"; - id = "discord"; - bot = { - username = "discordbot"; - displayname = "Discord Bridge Bot"; - }; - as_token = ""; - hs_token = ""; - }; bridge = { - username_template = "discord_{{.}}"; - displayname_template = "{{or .GlobalName .Username}} (Discord{{if .Bot}} bot{{end}})"; - double_puppet_server_map = { }; - login_shared_secret_map = { }; command_prefix = "!discord"; permissions."*" = "relay"; permissions."cloonar.com" = "user"; relay.enabled = true; - restricted_rooms = false; - encryption = { - allow = true; - default = true; - require = true; - }; }; - logging = { - min_level = "info"; - writers = lib.singleton { - type = "stdout"; - format = "pretty-colored"; - time_format = " "; - }; + # Override dummy token defaults so env var substitution writes real tokens + # into the config and registration file (module defaults are placeholder strings) + appservice = { + as_token = "$MAUTRIX_DISCORD_AS_TOKEN"; + hs_token = "$MAUTRIX_DISCORD_HS_TOKEN"; + }; + encryption = { + allow = true; + default = true; + require = true; + pickle_key = "$MAUTRIX_DISCORD_PICKLE_KEY"; }; }; - in { - description = "Mautrix-Discord Service - A Discord bridge for Matrix"; - wantedBy = ["multi-user.target"]; - wants = ["network-online.target" "matrix-synapse.service"]; - after = ["network-online.target" "matrix-synapse.service"]; - - preStart = '' - test -f '${settingsFile}' && rm -f '${settingsFile}' - old_umask=$(umask) - umask 0177 - ${pkgs.envsubst}/bin/envsubst \ - -o '${settingsFile}' \ - -i '${settingsFileUnsubstituted}' - umask $old_umask - - # generate the appservice's registration file if absent - if [ ! 
-f '${registrationFile}' ]; then - ${pkgswithdiscord.mautrix-discord}/bin/mautrix-discord \ - --generate-registration \ - --config='${settingsFile}' \ - --registration='${registrationFile}' - fi - chmod 640 ${registrationFile} - - umask 0177 - ${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token - | .[0].appservice.hs_token = .[1].hs_token - | .[0] - | if env.MAUTRIX_DISCORD_BRIDGE_LOGIN_SHARED_SECRET then .bridge.login_shared_secret_map.[.homeserver.domain] = env.MAUTRIX_DISCORD_BRIDGE_LOGIN_SHARED_SECRET else . end' \ - '${settingsFile}' '${registrationFile}' > '${settingsFile}.tmp' - mv '${settingsFile}.tmp' '${settingsFile}' - umask $old_umask - ''; - - serviceConfig = { - User = "mautrix-discord"; - Group = "mautrix-discord"; - StateDirectory = baseNameOf dataDir; - WorkingDirectory = dataDir; - ExecStart = '' - ${pkgswithdiscord.mautrix-discord}/bin/mautrix-discord \ - --config='${settingsFile}' \ - --registration='${registrationFile}' - ''; - LockPersonality = true; - MemoryDenyWriteExecute = true; - NoNewPrivileges = true; - PrivateDevices = true; - PrivateTmp = true; - PrivateUsers = true; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectSystem = "strict"; - Restart = "on-failure"; - RestartSec = "30s"; - RestrictRealtime = true; - RestrictSUIDSGID = true; - SystemCallArchitectures = "native"; - SystemCallErrorNumber = "EPERM"; - SystemCallFilter = ["@system-service"]; - Type = "simple"; - UMask = 0027; - }; - restartTriggers = [settingsFileUnsubstituted]; }; } diff --git a/hosts/fw/modules/web/secrets.yaml b/hosts/fw/modules/web/secrets.yaml index 2d1b217..3afbedd 100644 --- a/hosts/fw/modules/web/secrets.yaml +++ b/hosts/fw/modules/web/secrets.yaml 
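Review bot: The three bridge blocks now depend on variables from the sops env files (`$MAUTRIX_WHATSAPP_PICKLE_KEY`, `$MAUTRIX_SIGNAL_PICKLE_KEY`, `$MAUTRIX_DISCORD_PICKLE_KEY`, `$MAUTRIX_DISCORD_AS_TOKEN`, `$MAUTRIX_DISCORD_HS_TOKEN`), but nothing in the file lists which variables each secret must define. If the module's substitution step treats an unset variable as empty (its implementation is not visible here), a typo in an env file would leave an empty pickle key or appservice token with no build-time error. A comment above each `environmentFile` naming the required variables would make that reviewable. Only the Discord block overrides `as_token`/`hs_token`, so its comment should also state why WhatsApp and Signal do not need the same override. The hand-written units removed in this hunk carried an explicit sandbox (`NoNewPrivileges`, `ProtectSystem = "strict"`, `SystemCallFilter`, `PrivateUsers` and others), so it is worth confirming with `systemd-analyze security mautrix-whatsapp.service`, and the same for the other two units, that the module-generated units keep an equivalent profile.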
@@ -1,55 +1,58 @@ -borg-passphrase: ENC[AES256_GCM,data:DK/H5UUurRp1fJuz1Lx/imac5Twy5slcxdJ391hi0m/8gLy9hbsT8p2xVtOo0y4zMI79tJwtdUhM4843Mos6Ayj5rPQ=,iv:K07tGJSAcClTKmTCZUFxmy9ICl8fAg0oDEvubM9/dvE=,tag:jSmCdLsgzZTP2UOGlD8ekQ==,type:str] -borg-ssh-key: ENC[AES256_GCM,data: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,iv:wxaCTfzZWfwluEpiaoLcxg6tpZ8schGPrIJEODdJUr0=,tag:ys3am95Im/HWSUPxDz2ETQ==,type:str] -zammad-key-base: ENC[AES256_GCM,data:ZegLmGOVjKvPaNCl9BW3nyuurypOIgZBi0Nr1taqdsSbo1Njy4EPrYQyPZhrxbbOwfliheMHfAQ6CRiRwbEk6evnIjLYEeuC5m9uayRQVXy79Z3m99pI806BKNZ8tYzOsn06Qsdy5hsRNU1uuEhtuQ+HasmScpA9GBjv9KR+x4s=,iv:If1mv4xfkPdkR3x48BocRJ4Xlq+fIP/u3xPyPE1jqdo=,tag:t4Xb+pe+3r8nAVAWsYPBHQ==,type:str] -invidious-hmac-key: ENC[AES256_GCM,data:mwPGzo3iKNUTxl4lU17tw9UEMfnKZ+JFaZ4ebQ==,iv:bhcBJ6CkffR4inm39FDRkJJgNCwQip8fRaP8lnTKnD8=,tag:dornpNzkpERQEOpRKCriMw==,type:str] -invidious-admin-password: ENC[AES256_GCM,data:mIvqq29GTBSkI7XS/fQKByOUYyOc2GZo/SmqLzTgYpZuuW+kqEaKWgYDJqnqzAkLsw==,iv:D5AQEWNNaVYw33Yz+qyt/EmRSiiCGbSawtT2mdJOQXk=,tag:hqa9B0a1l7x7weKDmaUUrw==,type:str] -invidious-companion-key: ENC[AES256_GCM,data:svFzw7bv/IbEjZl9ggc2nA==,iv:gCG6U0h8SpKvXBpgF+OZ/Mo+ERLAm7eKqF2yDtLxy6g=,tag:wpQo5ywZKfdK9tfV29FHnA==,type:str] -dendrite-private-key: ENC[AES256_GCM,data:JUbe3CBUh3n/TqCU7Ks7mKuGKdO3I72Xtw1BhMUtRqOQD2zEDBDyVOJaqf/TKBwi2UIy+0PBezOyHbfM0Gpb1X4uJmsbM66PkjlnSuWZzQgqvgW8BKh8+LGwxabmx+aHI+trhkaGKtIlz1HcyOIKG0EGlKU6/S73+HsbuhNeWkca5YBhIuFRI+s=,iv:2EXVI47isKCVCOTt7Ayg6z5qaUYCyXOmzeMsjHmLe5Y=,tag:FfXsV2xc5wyw2PR2V3WKMA==,type:str] -matrix-shared-secret: ENC[AES256_GCM,data:3YO9KkFiFV5pdzmpdW37f+F/FHNBpbG6HfrcFNKqHYrXg6SGEZa4hjMIcWgKkZPBlpIMpJ+B4Lzp9PuT,iv:RiAOTZ25nAJ85ZLqvbHYrni/4ckNsx75R8mAFWH/ILI=,tag:+DkG4h351yLcPm+w5SFj3Q==,type:str] -n8n-env: 
ENC[AES256_GCM,data:ldY3t2o5hBLRHISl6OmdtxZSG8snVtvVlNLEAZBnVOyLLW64m6LVhrDx2cD+frITxDokb1B11/aRSOzn8tiOosD4hVKZUyELe7E8SA8yfu3SR3mztxzj/3d6Rns27UsnXSbYr59ELd1SZKtM1eoJYOvWxVbQGu1bK1nn3S555vrSGGo84EiSqQtNCaWJETOXeDIwUKrFKAXM9YKgN2yajDK92t6Hy71AD6RWfl3G19qXmeo+wawu+aoG8Ke2VRdbVM1h1bczyrPBa3CY68UbGpK5PrmRrVWpu2LvtNDnAGz5u2yVEfDEUKNjKeaIPvwIvU16K7IshpJ5kOdoAKtQRzpF4PbE8YAeylly5TuCtm/Ke6jVG9zsaoZRSZJL7tI=,iv:FCYNbrN1RhjtmLujJWB2RPZZuQeV7j2Rfo7ChCJb66k=,tag:uESnEa18GsfMCFo6e2mrIQ==,type:str] -n8n-git-key: ENC[AES256_GCM,data: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,iv:TKLOWRcHd0KiupXhE1qAbILfgYYqdQNltKnshtnNCvs=,tag:DZmoHPrmpAm3B9EuPNKikA==,type:str] -phpldapadmin: ENC[AES256_GCM,data:JbFm9hukT/l0SNY9rtV9ZaHiNA7yYiVlBJphognDlajFHwflgLH4v09JJb+Ku9Oep8cjQHCXWq5FppWIOknZCAxahEHjSYOllQ+gyNG+ReYYoMGwRzz8EsoDGrGlQ0aZd0v47dCaZXejGkoJJgUY7ieakYVZABotlQI6MNeWpYTDrMt1IYe/QZ/7vhF8gM+7m3Zg+iKT+f+DOfVV9rsv07cucNizj1p2JXsAP4RF+M1gwM4cP6KLdTovoFWJ9H97PFbpZ+v17XRKJwYDgBG/o0RuSQ9+5cXNk3pAbBPCEyApzVzMzNzG0dY=,iv:zaoFItL/2zvxQjYYySFWkw5MBwIMlfk9I880AQG+x0M=,tag:aMAMFkYbs0yZjnrepiRRfw==,type:str] -piped-db-password: ENC[AES256_GCM,data:zCWq3Jj0DFWJTTAS/0p57kOIktD34C4AFLgQAayfEb2buYtTsm5dclLp9cI=,iv:xXue25p1bDH93Sq1y04nT08lzw0SGUS7pHnLjx7jC9o=,tag:6xYIav4lMk6mDVRJ2C5jqA==,type:str] -synapse-oidc-client-secret: ENC[AES256_GCM,data:5mxGbcqTgeFZ8tTEysW4vb4PTgrpgsHMYZc6CcwDsBf5zsPnKWc2we37WR9i7Y3iCk6hT/5HGOiVBOqJgmXmnA==,iv:t3xrXtfpwaEQWiLdPD4s6GMdxP1+NWkPla6w0JbPZqA=,tag:mdDkolP0Cyr6waBYjJX+WA==,type:str] +borg-passphrase: ENC[AES256_GCM,data:GJdxBsj/CFT8oqO+apbvQHDJS7DteBIINP+pq1pATWa+a8F+zJ5hwvtjyoSx7hLhVkB6w1fh6LTXxlGkJ0a661a4NOo=,iv:hCd45iFw1BBcOZfreJ9gDqoRt72sakYke8tKnyjMEOA=,tag:+7S4Smcmv8gEQua1yNFp+w==,type:str] +borg-ssh-key: 
ENC[AES256_GCM,data:l2Q8mINxmByCk7gYdPiZ91NN+batshnSlwqu5b6v0m8PRzor8ejgf0LNStDM6DJMot8vzlqawbB5L1xuLK3Bwj3e4JyAD9xCHFIJlXbH6WViL+A4mLoJMeW/ZJOlZyzI250FehkdxUa9OY6PgQNKSn5P0MJChW9m7frmmt304r8P+WYDruyNe30tSMqt6Dixwik1znq27ZbzXaqaG9VOm+ltW8wr6Uq433pgmqIIDQgFdwWZw8MSZaZ+OOFmCo8iwgroQ2spk+mmS61ldh6nmkwSLYnZ5LkCxRRHfw+/i8M321k1vf3bX0R4Cy37jhg6wg7ZVKngqD3WW5bFQ4bd6BHSEHMvSn2O+eA6v5DBAMmOicN0wJljaXFTXg++Ju3tr3pZ6s5e40Gvz2nQBSMPVrifFprGGwXf8w0RpyRYRbXHfC1eAYjwETtCw0AEKSzhqv+BnNDPBaypfp56kbVP5A/xe20sREGdKmRuCQrhsad5pYlsWrJgf32CpYeTQXWau79CG+CEm0Nq34ZA5OffQqWs75hGNWuhB3OpSEkFK8BJgeWZ44QGlhDukyeicyivqbfME9Uznodvl4VUpNLoq10n1m8ibVpZqVDFjhE50DlPHVRdMQu61MVk0oveYBdmkAXu75KPPkOuEPZ0bMaido3WCzQ9OkIjEofRVfz+3Tl9qxoETkoWGcZVWis+LWMs6pb7mFvhVGMVwnpofImmo514ebl3lDKQZCoeyK/+m1HDkOnjSbd/Czv9zcVJ2e4pZuG5VpSs3brAr8klb65cqxklPqHMJf0gOFcSKrbbhJr+fiyYHUOTy+z4WZIHH6+c5usLPz6v4oytT7bBoPBudZwnroKidEBTvdLZ0emtz/d+RoOViPcLn55521hzegtmRuyc+jCHXR+NvHk3IhMt5BUHD6th1G2aNgX2RqrLOOMcm0CVyoEttwKZ7vnGWh4AqSGGiIyyfqawY1vbtj6opKe3k6fkIaofW1sHrlI2QKxvPUNCv/zhbfa2G6ObbCbNXSOnCYRdhXxH9E3j3LtIBSAML4Svji/sy3ZLZjbFrOib4bC8dkWPwrNlNQaUJFRgA2Dsh82M24rfj4yc0NzW1xurGsbN0/7lfHeKDIHtpxoiQXewlhLnfLvUDZrEcqXED3ScSeAa1tadGSVP7og7p0qtFi2G+ep+74OE5iJ6Rjq/T/BV2JJoTyH1YysHLsyfVe2LboyxA42+wnlBj0IVaVLPX7gPrxY8+G71b5nIHdF/djJoJDZ2prJ0HtK389U6jdEbHZpzO7MwCSoUVy/q8CsMsmfiiTyvWjrCxa02vhqywI0XRiiUXkAgs9+1/ydMHsFP7W6oa+d6IkNVxsjJ6egFg/Nxi/IoY4vbckBUhhiqprIvY+7qmF6LNLhJbC/CJqjBo+ywNI0A4kI3Tq8O1iedGZ/XxczgfqqBM25hecqDMHLorCc356JZcpQIBDGhpjHHa9I/8+T0hDrWklfnDwGSSQwshcvMFAcePCCT8qcBDiWUTb1eqQIc4LZp/BLoJ8m3KZlugzcWI4IqcZQmMEx7Bv1J9k4Jl39FKlR4Km+I5ePUyBfx78WQgCkHdZDVr2lTYqzV4Nr+YO/N94uCwXvjZli+Xap9C4WD2gShsV6uQfJh6iLSrP/fVURTwwDYLnyUlcxTaiRFK/lF2bV5/QNAjKki2qm4Jw4GfKH/CQ0+a8GdQ+egcNFRD+VqD8tA7QmA0SviBR8SgJwyb3HRzvPVIAmfYAetX1b80jcKUMDKHAAV+Evn2pdw4AR+aqcPPEWc/RE6Un1UcWju31a6Aj+B9DNbYGug7F2ZJGLOudKlxBjG7LUa86blCzmNata28VXpTNdGlOWgexFtTIn4GdvHqPKNWLIwkontWOyQZ3ZZsuc9XbphcB7r4fCt0Sax81u7gdpuDpno/hL8eUhAL3I/UNp/Z5j5B4pwV3/47bbYta+bwbj5ATYM4j3w
WPRusL1gtU8WKMrggJyfyQof7vlcculmSJV2V/0oojSfqDqk87tMZNX/o4kFLlj/tY47hHhN6U3O8z7HObvGhHSZ8uFfoASGJK56rVcJVD3EygJHytoA9SuO2Tzlt1S+YeboroZG+5EhVV9Hm9z2qJZd5EXBkO1f8L+uTA1j3NEsUjjVWRvs6fBD72Uls/RcJVM2fq63swY7vmFtwIqdF2uy4/ED1wua0oy/uxl+kk6nBvgj4ZX8U5ByWnVIyJTmol8SogE2TKMPOfvvRF5AJnRFT4P22EUDvIO9/rPNB1loQVeXq7XXOyV56RXkM5uc0Q8zZBqCr8QyRc8XBoZ2ChBIhlviXyyFbOdLppYOSNVnI2B3zsVF0KSCkCd7Q7pf7paPkNNp7bq9ZBv6giJ+zHj5f4xtTa13qdmU+yuIWunyWHmkY8/8I4nqVMEsjDz+nWkVsTpNgHSS23rtkcz7+i3srOM9RYj1IA0R5BjiHLt4Gy9i512nd4lqEUnwvoaUVVQxVtwsUbbhAIndV/diJBfsj0/ACuxbpmd0q/WgA9V0u3a02I3SIR8vtDz+Ode461+6QeWfwS70rV5TEJB1y1WEbz5yZ4lVTlpB1s4SGsDG7jjV2eWYqUoV9fP3wHsyzdoMwikq0tStt6oUt7yhdsugWsVjZu+gGFppjqM2sPjDsnIbrkomz/azORERsiUzlHqAwVDbVI9m+p504jHIPhUEpziPaECSShFG3zibRmQHRd30PiTWoThgHxRJwIIvQJQFnkFVxUTZ/27DtBKgL/0AeC8LIJ8bMQ/V83wHFNUj8NtO0zeQKsZEBPsO4g4+/hK195Txn98FlyOjn9cwAgLq5UMySQhhTEz+NhheJH7F3RldNlZDyXxIEFSjGlQF2+UPcataNsZ3lo/YVgcW2P70j2t/6BMvZ2MqaocwR5PkfetZIWoxQxUU+pPWKQLyCnjLZ9G7JYcIpbHsfZI9rD8ianFh43E/lbNw4NFfhSodOb8mBFgtYw88iFP+8yNtKixefOZKm3N5o65kH7ijnKxCJFEQcbZV/IV6JEOgy1lPSVxUv5+fjxatxefGa2shA7WXig4XBGgH8e6rvv3TGGpMX4ROgi4unoK+AjIrcSZ4LASKbJaj+QwEAg/6d+DoxJVf79vC+xVqaJ2RhjJl0FR8L1SmSrEpjD476qCKwCI15zWeo4GSBDGMAdAKQpWA4I5exp6lry+wG03O/le1Xkq6Z8sRkmUAie3Z9ZVyULa4p+GT4R3iNaHSFPj2WuqBE9b0HEU3Ux8r9KuzLyPBoG23qy6hzetOXtNWdMCbEdLlz5lfgUtEFrgwYe50nlB6xSVNut5oQWtuOR3HdIOPTh8hVTm9olvxTtVcLPSPgykm3czbnAQefcooUb+fS0QuZZVqFH/3xU6GzLk73R7sasxfzqGDUZOTm1cXBBUNr+sk7cv94lJzwB2lqkU4qsLboqRVL2GOIVKQNKv86A==,iv:++pEa8RSP2UydzilOOkNbIZI1pLjs3PEpttPO/YM6qw=,tag:wGiHUh4qQ07GaK3xcJtG+g==,type:str] +zammad-key-base: ENC[AES256_GCM,data:q1+9uGw+VShevkdfs1LNiZvAsJWUO4zy0ajJbDYf1XzMwqCYE2dC5fsXxp9MpkEzMZHR9jdQyGnIZmpQ+wDiGIn9V5BE3X+hMhD88pneA8XXt5hdOCkC+TfkwQ0kiF9PlHhPt8w/4wCJkwM1lsj+ZVX+6BVmUuwHg3lBTTDMmeU=,iv:YIgu2och/ibSzfaVUH3rpVu00MIYlRYolgb1GckrRio=,tag:GGMOTNh7SfVVfzOCTAiXwA==,type:str] +invidious-hmac-key: 
ENC[AES256_GCM,data:g3eE1y+CpVmQAb47DQbxK/rrV+BHExYtEPHAbw==,iv:l2dS0uudbdYzSPntxvPwqGp2CyMQQEStXbVBPgeVAxo=,tag:fwUAxEWQR5BMTpoipJRUxQ==,type:str] +invidious-admin-password: ENC[AES256_GCM,data:SVtHTKaC6e+O9vz2eb6jplw/UeDdoLXIgw1wPxHqmw1GFgjXPTLCYG2tx4qt2CWHzA==,iv:ZWTlVfepoi0b8091w2pLjqMtyca42JodYPSN5q4M2QI=,tag:MEUbEY0mVTspIJZ1xpqR6w==,type:str] +invidious-companion-key: ENC[AES256_GCM,data:s8VhQhsStNFwCHjgHO8UZA==,iv:V5v+l04FH3aQkJpAE554r+Brcn58bJhpO9IlsCf0j4c=,tag:MAIbYTdSGHt7A8Y3RufR/Q==,type:str] +dendrite-private-key: ENC[AES256_GCM,data:IzeYvGS5MSg3SHwPs2zHI1QZerGG3U1VWBaOpiQhwBnd3yabGdinX2bMGV7fnWvsYgsD5C7E9NspAJLiGyqMQqsbFP/6Iy1vLTjns2kY4jqd7l4yFIPwABu3VPVomO5Cm1OMiR/GZwxObk1oLycxKzVv2VUjcbmGAadpjK5IgKDj2M7vd7WzGtc=,iv:QzOIiskPRrjI9T0JuUjxKYek3cVoHL/cEvKOHT4J/54=,tag:7xbpIv1/lStAaoGQdFcaLw==,type:str] +matrix-shared-secret: ENC[AES256_GCM,data:F28P8x0aguu7BuWWtXTbgaPdQx88dpeKA1FsRK52pTVp3d4rMgAWQDfO22WOYgJ2ltPO2xIK7bnQFi1X,iv:Od3RfCvKkMyI2RxlnfixiIF2GTn7B9OXeD+21ttk/rE=,tag:ev56YcadjWgq0zQN+Hl+Sg==,type:str] +n8n-env: ENC[AES256_GCM,data:qyZY8bLnXEMU7bIUBjufWkGxDybu7XWp8YKWYqCMKH6OIrzWQhRfwJQuvjKVWsyR/HsPtwzcxHf9cVuW+IJ5gcUVWj2lxLCTjeewD5otAXGRx0FbOvZ0W4wmb7y3zJGd1N618p5RhmpySOfQ6NQ4iXTxYWDYgJSlBl9Kn3/0KXsIZawepo8BDl2MUJ3hevibys2+9nGfS7+7/aq0wybaMuy/ivjgglwrGKWrByUrpDOJLW07BtD2VCXiWWb3jMYfCCkQ5eXtxAlI6BYRj4pzPO7QjbcR2h5S9Q/YIqOUtEyrDZTpkYHVm4soFwl9Eo7O7IlrS/P7hiqf77OVz3FZ+5K25YYLA17UauoLncnUtgOxlHn9Fnrtnr+0iMsYWtg=,iv:yJM/JcQI8BUp4a1m4ju2iHvnWpiWPC+/2kysSnmp9NM=,tag:cGbbKuGlso2MrFYijbSV9A==,type:str] +n8n-git-key: ENC[AES256_GCM,data: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,iv:i1YxUvaxTbATF3sFmDt0RSnAOOifqBiDR9jegJpQWY0=,tag:mYZBAXn6hZ/aZwWHICBQmg==,type:str] +phpldapadmin: 
ENC[AES256_GCM,data:aVoj1dhX9IsLTA/ZEJfRXgdQRah3nGntUM38kdcHRdmBY03EUm+i2sfKiaknB4afIAjc04SUxxNVbjeM65ipSW6sKQEMiVTAIJzi+1ETi6clbZvQhWDtvBBJ39ybUkH5YX3Os109h/jD/TApa2MRfyhml6rHWcNzhoxR3QJQpuE09kj6eBxfillUDfKfomWL4x4ksJl/agJdXxU0VGwc7zyi7mvMwCQokcrMxJ9GC+7p2Jpz+W5a3WKSnqc2Gpv9DEbo95m71arnK4TcZL+S7tAZsT5+rHzEoNp5I9/5WCzlJrDJ9vHD2JQ=,iv:fQigdELKdM8E1nfSVB7/5568tbALh/LVSMf4wxfOc54=,tag:zWnHAcTOxk0eEViPCK5lOg==,type:str] +piped-db-password: ENC[AES256_GCM,data:yUmxi/Dqf/u9RumLEPGgZK2tzSYuskPFS88keb4w83vxY1S+Zgu3fcO5ZA8=,iv:1rI2WB2kZBKB2XzYB4AYtpaDtkXOssqo+fEq5ooMrnE=,tag:sOUR89pH8FceWBSqUw5aYg==,type:str] +synapse-oidc-client-secret: ENC[AES256_GCM,data:nEDFJIgYDWW+8Nw7iMlesZwqcX6O/a4degzg56yvHsX0CfKBp3mND7uHoNfAWoYTMuNEpy6SYLnOVGiYAzaY/A==,iv:B1PdBoK0ml8baRfxCTbDPZZ7XNNXv14SuBxL2wM1f4Q=,tag:Lfgz4zl6BWTOxkgRPb/pCw==,type:str] +mautrix-whatsapp-env: ENC[AES256_GCM,data:5inKfoXwqJ16wqE0yzn7RazXD9/vI/EtN79Yl3Z0mbil6JXd9kwDxnU3uuIz54QoLsDrcd8u+rSVrLgMThXx7py6GAfrQNBLuYFbvA2Os9CjJqydKiYze0VD5mbd,iv:kNvwQz1Xhem/kPCyk3k/nUrNmO9R9adw/q5YZJr4UGI=,tag:IreWAJCM4WodHdJVUIhMCg==,type:str] +mautrix-signal-env: ENC[AES256_GCM,data:VPyFQJ9nsm74CtF+ihDIPEP/NwQuJZx7qX256HPmRk9Akr/FiLTBa6+ocgS0Vx348qrzOdXZrupI5xl0AQKh27cFLvH6LYk2A9LlylNkxmwrW07vVmUrmrcmhQ==,iv:D4xca4rxGV2LnwRLjjgiz+AeWuzCXLkZl9EWyrULkao=,tag:V/FFSON0rHxmQfh9/mi34Q==,type:str] +mautrix-discord-env: ENC[AES256_GCM,data:fv9EXSCXVJQIWZyoPjwpSOwagcsBo9tid8ntr914QL3Dqm2Tb566BB1suti4is0g4PdpjVh5vofsgZsdscIEH+C5ohmyhAo2TjWJhXjTxxHZKHBn3b7JSd77rrJJWGXvcIT2iCCX8JCU7raWo4lNiZBzaPr/284rHaUMiN3QPnFNHMDfPwGEw9hYV0zOy/EkM2KQyy1zOtSBUzVxFyFgI/aCtvqlWKigELfhLuNVTwP9BSiCZVuXNhghVcStk75atmnYWU867/1frr+NvwkME7bHEhz8JYYM9Bc9iEAGhJZB/Nv0bAmLOsiN3ayOhhCpAFIWlgFk3A3lcpX7b5YcqXkYUPNEcmxSOzzloeSe2q8=,iv:wTJ/YFilbmHuIzCYyu8jwEXnOx7xvFV7/HTvzRwirXo=,tag:bLghcDPbiQPYEa95VeZnZQ==,type:str] sops: age: - recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7 enc: | -----BEGIN AGE ENCRYPTED FILE----- - 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLVnJiUU5SRTA0RXREVXBP - YWxCK1pTakdzTFEwdEhtSkZoeEQ3cWcyeEFnClFwN1JaRGpZYlpFM1d4OC8yUUNQ - UWo1V0RqeTZsRDFoalVoRFU3bE9UdFUKLS0tIFAxNDJFTW55RUJRREVMVnpESDdm - NXcvZjVBRVZ1cmlqN04vNURUU05sdVUKbv0g3mSiHvBKmEMJHGN/cZUe4a1WhG/m - kjxlhU6EijlCZiR/yiSYXumfuwe0UyMCH5MlMFwPGdeaWP8Ns6lhXQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3M3h5OUlDbHc4Tk14MG1O + eWsyZkgxbGpVOHV0WlJnY01za2VEZHJFMFFFCk1PNmVnQ0dMd3U3VFBIK2Y4WWc3 + M2d2NFdiT0JzUng0VjU4SEFIMlVLdk0KLS0tIFptQ09tN1lGbk9SMk1neVQ1OHFl + emJ4enVuSEFxZ0tlWHlvUC9LVDR2ZkUKJokdEz17dE3H2t0XdDJVQv9qPptsvde6 + MBkqIaeRN/esWpyT9SpqxA5gSpF0sBwRmkQFAyYVW0yDmsDxmA6NFw== -----END AGE ENCRYPTED FILE----- - recipient: age1exny8unxynaw03yu8ppahu5z28uermghr8ag34e7kdqnaduq9stsyettzz enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsWWFMdnZzQ1RyMmtWWUdQ - d2wzOURoczVuR3p3akFCdUJsZ0c3SzN0UGdNCjdUMlFEZEw5TW14OXpESlVDN3Zv - SGtZM1NxdGNsTnEyRWVoNnE3TnNSNnMKLS0tIFdsL2VZTDl4Mms4RDEycEVoWnJC - ZURqZXFDaU41TENOYWdrdUZYUjdLVk0KJHNJ5egCvlkNkUX2Kh76O64rzPwDdstJ - z/x9gGB9OhwDGtU5qnPaywTNBO0Fwq6PWyse6Xmbu9D5G6xMn4jhMQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGS2dmbE5DUVBGMlQ0Um1l + MXY1YXVrTktOSkF5MEhpbmQ2QXdtWTY0OHhZCm5vbFFFdUYxM2NPdVA1MjNLVStB + Mm51TmJxWDloRlNWRHNBb2hBUnMwbHMKLS0tIEJIUnVUVVRLWlBEMmNQR0tMQTNm + a29uaTl4ZlVWUXlXS0E5bDBmOTJiWmsKydzPPYsWSZRBw9Z9X8ToRjSbCO8QgxGj + 4X7TxshEEhzdcUOgkrGSDvDcsb9lQV1p9zTudjd3GpaXRmTOP4z1sA== -----END AGE ENCRYPTED FILE----- - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvMmo3ZnN4alpHZFUyTUVx - cEhFSFBqbXRhZ1FDNXppNEtkUEpJV2k4cUFVCjBPNkd0c1VWLzVpQnMrdElGaHN1 - eFRMMTI2aENBSTRMUkQvVE80a1QvSUkKLS0tIDNZQ3cwb2kvSWs4QW9jVHN3OFRa - YVlZTnpXc3hlV2lRbUkxZTFZT1VhODQKBSF41WH1AWv8Is/oTqzt5bPAAnJkhmdZ - 9U+w2hSqsvtlfLFuH+p2WOP1LbNo1MX1zckd9EUA+nGdgkIugJSP+Q== + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnRTNZaWtFZE5XdDROekx4 + NXVZcFl5ZGxqVmFYWnRjb2M1MUdDMDVwQ1VZClE4dEdtTGhRb0JQNDJZa2dSeERQ + L1NrajJrcllZcHZ5RVpUVkdDRWYyU0kKLS0tIGV0WHkyb3grT0J1ajhGeW1QeFIw + Y28vcThsa2c0ODZETlVteWk3M2ZvbWsKk+d67Xrxd54K4OQ/ssosEWU8AFNjAiZq + tv02IJnaVu0jTpGnscqpL/fweGOg3++blsccESxnd1G/n8mN9Iifkw== -----END AGE ENCRYPTED FILE----- - recipient: age1gjm4c3swt8u88e36gf2qlg3syxfc0ly94u64c42f2tsf24npw4csa6e4fw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwbERiaG9zWG1pUGM1cExn - S3ZsRUtiK040THFVWlpIS0JQdDJBUnFOekhZCnpVSUdMWmJPMDdaRGJoeUZkWlZF - ZmVvdlBKZWVPcUF6Q2x5dTdadnY5dUEKLS0tIHdLS3hydDdPWFNuOVRTRmV0aU9E - cVpodmo2THlMOWVET0NvemR1RkdaRWMKEesi5z/onWEsyDAPYxHD41SBPtPuDWxY - li2et9gPM3VlNP3gnQgWTexkfnPGODnRDZrqcc8EvFLbw8ykXo3Keg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQ0E1d3lrdnZNTUxzaHFm + SXFGaXFVbDJmRVVHRDRGNlJkemk3N0lwZVc0Cnl4NDJhYzhvQWk0YjRQcFZEQTlY + VDZLcDJjT1JmaHJlYkhYbWlkcUpxZ0kKLS0tIGlGZmZOdFJzd2VZbi8wb3dUNGxy + MlViei9iU0d3K05aQWlKWHpKSThGVU0K056Yqw353eLHg0bUsMsxYSUN01MDVutl + +ZTPtbNIy0xh6tj0ZWr+wIYnN5z1sn3OtcUIKm98sT2bHapvoUkl1g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-01T11:43:18Z" - mac: ENC[AES256_GCM,data:gTctKFh+3NdkBi4SjtGiQWeCX41btPLyVuMMxuzhA5D1HLbQ/jgdRvGtbAXBJtnI9eCBo3iH/rinb86d6xjK5AUbH0oTzkYmkd6jAPtJJgWhMoPD0iIpQLngZHNdiWh64FpS+Y+gOI8l1BN08cYxa8G9cHPnMF09jMrgwC4wREs=,iv:5n1U6skIfynxWN1Aw81XUQ13QXOeki5wASu0/YlbXsU=,tag:auUIBtwEPIdwthT/X+hNsg==,type:str] + lastmodified: "2026-03-01T18:37:04Z" + mac: ENC[AES256_GCM,data:Kb2QbqGZyHo6mBC1fzx9/hC7xdI+YafTZBvzbkXUIOpC8EKveqivteU9NKV/y6Yyn6e5bMW77oafriP2kWSSroWVPlDpEBnwxuKp02OGDD2dXgKg2hpsbVJw/rB2PCeAPCo+TO8Yw0sqzW1QzA9XIhL9K3Qt3ncXvh+qh2O6S9A=,iv:XouQNRAalAw60wt2D9l/n8JDMpXIkA+4IdR7ixJX+40=,tag:vUimegOoteMPi4TyCJoWpQ==,type:str] unencrypted_suffix: _unencrypted version: 3.12.1 diff --git a/hosts/web-arm/modules/authelia.nix b/hosts/web-arm/modules/authelia.nix index 263e7b1..a54cd7b 100644 
--- a/hosts/web-arm/modules/authelia.nix +++ b/hosts/web-arm/modules/authelia.nix @@ -254,21 +254,21 @@ in { ]; userinfo_signing_algorithm = "none"; } - # { - # id = "synapse"; - # description = "Matrix Synapse homeserver"; - # secret = "$pbkdf2-sha512$310000$PLACEHOLDER_NEEDS_UPDATING$PLACEHOLDER_NEEDS_UPDATING"; - # public = false; - # authorization_policy = "one_factor"; - # redirect_uris = [ "https://matrix.cloonar.com/_synapse/client/oidc/callback" ]; - # consent_mode = "implicit"; - # scopes = [ - # "openid" - # "profile" - # "email" - # ]; - # userinfo_signing_algorithm = "none"; - # } + { + id = "synapse"; + description = "Matrix Synapse homeserver"; + secret = "$pbkdf2-sha512$310000$eb85q6wn7juP3DnTjobqEQ$GFNbhkZrXRU8gM6SwMFkPPIYPIsJcGyaQXacGB0r.gI.xTEEoeWU3gG6hkSgJHYnjhZtZoELZLcaE4qCd9fKLg"; + public = false; + authorization_policy = "one_factor"; + redirect_uris = [ "https://matrix.cloonar.com/_synapse/client/oidc/callback" ]; + consent_mode = "implicit"; + scopes = [ + "openid" + "profile" + "email" + ]; + userinfo_signing_algorithm = "none"; + } ]; }; };
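Review bot: The newly enabled `synapse` client sets `authorization_policy = "one_factor"`, so a password alone is enough to obtain a Matrix session, which here also reaches the bridged WhatsApp, Signal and Discord accounts configured in `matrix.nix`. Unless that is deliberate, I would change the line to `authorization_policy = "two_factor";`. The client secret digest is committed in clear text; for a PBKDF2 hash that is acceptable only if the underlying secret is a long random value, which cannot be checked from this diff. The enclosing client list starts outside the hunk, so the policies of the other clients are not visible for comparison.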