fix: synapse

hosts/fw/modules/dnsmasq.nix

@@ -92,12 +92,14 @@
       address = [
         "/fw.cloonar.com/${config.networkPrefix}.97.1"
         "/omada.cloonar.com/${config.networkPrefix}.97.2"
+        "/element.cloonar.com/${config.networkPrefix}.97.5"
         "/web-02.cloonar.com/${config.networkPrefix}.97.5"
         "/pla.cloonar.com/${config.networkPrefix}.97.5"
         "/piped.cloonar.com/${config.networkPrefix}.97.5" # Replaced by Invidious
         "/pipedapi.cloonar.com/${config.networkPrefix}.97.5" # Replaced by Invidious
         "/invidious.cloonar.com/${config.networkPrefix}.97.5"
         "/fivefilters.cloonar.com/${config.networkPrefix}.97.5"
+        "/matrix.cloonar.com/${config.networkPrefix}.97.5"
         "/n8n.cloonar.com/${config.networkPrefix}.97.5"
         "/dev.cloonar.com/${config.networkPrefix}.97.15"
         "/.ddev.site/${config.networkPrefix}.97.15" # Wildcard for ddev projects

hosts/fw/modules/web/default.nix

@@ -10,7 +10,7 @@ in
       pkgs = import pkgs.path {
         config = {
           permittedInsecurePackages = [
-            # needed for matrix
+            # needed for matrix bridges (mautrix-* depend on olm)
             "olm-3.2.16"
           ];
           allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
@@ -91,6 +91,10 @@ in
             "/var/lib/zammad"
             "/var/lib/postgresql"
             "/var/lib/n8n"
+            "/var/lib/matrix-synapse"
+            "/var/lib/mautrix-whatsapp"
+            "/var/lib/mautrix-signal"
+            "/var/lib/mautrix-discord"
             "/var/log"
             "/var/lib/systemd/coredump"
             "/var/backup"

hosts/fw/modules/web/matrix.nix

@@ -10,18 +10,20 @@ let
     add_header Access-Control-Allow-Origin *;
     return 200 '${builtins.toJSON data}';
   '';
-
-  # Shared settings format for bridges
-  settingsFormat = pkgs.formats.json {};
 in {
   # Secrets for Synapse
   sops.secrets.synapse-oidc-client-secret = {
     owner = "matrix-synapse";
   };
+  sops.secrets.mautrix-whatsapp-env = { };
+  sops.secrets.mautrix-signal-env = { };
+  sops.secrets.mautrix-discord-env = { };
 
   # PostgreSQL database for Synapse
   services.postgresql = {
     enable = true;
+    # Synapse requires C locale for correct collation behavior
+    initdbArgs = [ "--lc-collate=C" "--lc-ctype=C" ];
     ensureDatabases = [ "matrix-synapse" ];
     ensureUsers = [
       {
@@ -84,28 +86,20 @@ in {
           allow_existing_users = true;
           user_mapping_provider.config = {
             subject_claim = "sub";
-            localpart_template = "{{ user.preferred_username }}";
+            localpart_template = "{{ user.email | localpart_from_email }}";
             display_name_template = "{{ user.name }}";
             email_template = "{{ user.email }}";
           };
         }
       ];
 
-      # Appservice registrations for bridges
-      app_service_config_files = [
-        "/var/lib/mautrix-whatsapp/whatsapp-registration.yaml"
-        "/var/lib/mautrix-signal/signal-registration.yaml"
-        "/var/lib/mautrix-discord/discord-registration.yaml"
-      ];
     };
   };
 
-  # Allow bridge users to read registration files
+  # Synapse runs inside an isolated microVM, so PrivateUsers provides minimal
-  systemd.services.matrix-synapse.serviceConfig.SupplementaryGroups = [
+  # additional security. Disabling it allows Synapse to read bridge registration
-    "mautrix-whatsapp"
+  # files via SupplementaryGroups (user namespace blocks mapped GIDs otherwise).
-    "mautrix-signal"
+  systemd.services.matrix-synapse.serviceConfig.PrivateUsers = lib.mkForce false;
-    "mautrix-discord"
-  ];
 
   # Element Web client
   services.nginx.virtualHosts."element.cloonar.com" = {
@@ -136,414 +130,98 @@ in {
     locations."/".extraConfig = ''
       return 404;
     '';
+    locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+    locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
     locations."/_matrix".proxyPass = "http://[::1]:8008";
     locations."/_synapse/client".proxyPass = "http://[::1]:8008";
   };
 
   #
-  # Mautrix bridges
+  # Mautrix bridges (using NixOS modules)
+  # Modules handle users, groups, registration files, Synapse integration,
+  # and service ordering automatically via registerToSynapse.
   #
 
   # WhatsApp bridge
-  users.users.mautrix-whatsapp = {
+  services.mautrix-whatsapp = {
-    isSystemUser = true;
+    enable = true;
-    group = "mautrix-whatsapp";
+    registerToSynapse = true;
-    home = "/var/lib/mautrix-whatsapp";
+    environmentFile = config.sops.secrets.mautrix-whatsapp-env.path;
-    description = "Mautrix-WhatsApp bridge user";
+    settings = {
-  };
-  users.groups.mautrix-whatsapp = {};
-
-  systemd.services.mautrix-whatsapp = let
-    dataDir = "/var/lib/mautrix-whatsapp";
-    registrationFile = "${dataDir}/whatsapp-registration.yaml";
-    settingsFile = "${dataDir}/config.json";
-    settingsFileUnsubstituted = settingsFormat.generate "mautrix-whatsapp-config-unsubstituted.json" defaultConfig;
-    appservicePort = 29318;
-    defaultConfig = {
       homeserver = {
         address = "http://[::1]:8008";
         domain = "cloonar.com";
       };
-      appservice = {
-        hostname = "[::]";
-        port = appservicePort;
-        database.type = "sqlite3";
-        database.uri = "${dataDir}/mautrix-whatsapp.db";
-        id = "whatsapp";
-        bot.username = "whatsappbot";
-        bot.displayname = "WhatsApp Bridge Bot";
-        as_token = "";
-        hs_token = "";
-      };
       bridge = {
-        username_template = "whatsapp_{{.}}";
-        displayname_template = "{{if .BusinessName}}{{.BusinessName}}{{else if .PushName}}{{.PushName}}{{else}}{{.JID}}{{end}} (WA)";
-        double_puppet_server_map = {};
-        login_shared_secret_map = {};
         command_prefix = "!wa";
         permissions."*" = "relay";
         permissions."cloonar.com" = "user";
         relay.enabled = true;
-        history_sync.request_full_sync = false;
-        encryption = {
-          allow = true;
-          default = true;
-          require = true;
-        };
       };
-      logging = {
+      encryption = {
-        min_level = "info";
+        allow = true;
-        writers = lib.singleton {
+        default = true;
-          type = "stdout";
+        require = true;
-          format = "pretty-colored";
+        pickle_key = "$MAUTRIX_WHATSAPP_PICKLE_KEY";
-          time_format = " ";
-        };
       };
     };
-  in {
-    description = "Mautrix-WhatsApp Service - A WhatsApp bridge for Matrix";
-    wantedBy = ["multi-user.target"];
-    wants = ["network-online.target" "matrix-synapse.service"];
-    after = ["network-online.target" "matrix-synapse.service"];
-
-    preStart = ''
-      test -f '${settingsFile}' && rm -f '${settingsFile}'
-      old_umask=$(umask)
-      umask 0177
-      ${pkgs.envsubst}/bin/envsubst \
-        -o '${settingsFile}' \
-        -i '${settingsFileUnsubstituted}'
-      umask $old_umask
-
-      # generate the appservice's registration file if absent
-      if [ ! -f '${registrationFile}' ]; then
-        ${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp \
-          --generate-registration \
-          --config='${settingsFile}' \
-          --registration='${registrationFile}'
-      fi
-      chmod 640 ${registrationFile}
-
-      umask 0177
-      ${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token
-        | .[0].appservice.hs_token = .[1].hs_token
-        | .[0]' '${settingsFile}' '${registrationFile}' \
-        > '${settingsFile}.tmp'
-      mv '${settingsFile}.tmp' '${settingsFile}'
-      umask $old_umask
-    '';
-
-    serviceConfig = {
-      User = "mautrix-whatsapp";
-      Group = "mautrix-whatsapp";
-      StateDirectory = baseNameOf dataDir;
-      WorkingDirectory = dataDir;
-      ExecStart = ''
-        ${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp \
-        --config='${settingsFile}' \
-        --registration='${registrationFile}' \
-        --ignore-unsupported-server
-      '';
-      LockPersonality = true;
-      MemoryDenyWriteExecute = true;
-      NoNewPrivileges = true;
-      PrivateDevices = true;
-      PrivateTmp = true;
-      PrivateUsers = true;
-      ProtectClock = true;
-      ProtectControlGroups = true;
-      ProtectHome = true;
-      ProtectHostname = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectSystem = "strict";
-      Restart = "on-failure";
-      RestartSec = "30s";
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      SystemCallArchitectures = "native";
-      SystemCallErrorNumber = "EPERM";
-      SystemCallFilter = ["@system-service"];
-      Type = "simple";
-      UMask = 0027;
-    };
-    restartTriggers = [settingsFileUnsubstituted];
   };
 
   # Signal bridge
-  users.users.mautrix-signal = {
+  services.mautrix-signal = {
-    isSystemUser = true;
+    enable = true;
-    group = "mautrix-signal";
+    registerToSynapse = true;
-    home = "/var/lib/mautrix-signal";
+    environmentFile = config.sops.secrets.mautrix-signal-env.path;
-    description = "Mautrix-Signal bridge user";
+    settings = {
-  };
-  users.groups.mautrix-signal = {};
-
-  systemd.services.mautrix-signal = let
-    pkgswithsignal = import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/fd698a4ab779fb7fb95425f1b56974ba9c2fa16c.tar.gz") {
-      config = {
-        permittedInsecurePackages = [
-          "olm-3.2.16"
-        ];
-      };
-    };
-    dataDir = "/var/lib/mautrix-signal";
-    registrationFile = "${dataDir}/signal-registration.yaml";
-    settingsFile = "${dataDir}/config.json";
-    settingsFileUnsubstituted = settingsFormat.generate "mautrix-signal-config-unsubstituted.json" defaultConfig;
-    appservicePort = 29328;
-    defaultConfig = {
       homeserver = {
         address = "http://[::1]:8008";
         domain = "cloonar.com";
       };
-      appservice = {
-        hostname = "[::]";
-        port = appservicePort;
-        database.type = "sqlite3";
-        database.uri = "file:${dataDir}/mautrix-signal.db?_txlock=immediate";
-        id = "signal";
-        bot = {
-          username = "signalbot";
-          displayname = "Signal Bridge Bot";
-        };
-        as_token = "";
-        hs_token = "";
-      };
       bridge = {
-        username_template = "signal_{{.}}";
-        displayname_template = "{{or .ProfileName .PhoneNumber \"Unknown user\"}} (Signal)";
-        double_puppet_server_map = { };
-        login_shared_secret_map = { };
         command_prefix = "!signal";
         permissions."*" = "relay";
         permissions."cloonar.com" = "user";
         relay.enabled = true;
-        encryption = {
-          allow = true;
-          default = true;
-          require = true;
-        };
       };
-      matrix = {
+      encryption = {
-        sync_direct_chat_list = true;
+        allow = true;
-      };
+        default = true;
-      logging = {
+        require = true;
-        min_level = "info";
+        pickle_key = "$MAUTRIX_SIGNAL_PICKLE_KEY";
-        writers = lib.singleton {
-          type = "stdout";
-          format = "pretty-colored";
-          time_format = " ";
-        };
       };
+      matrix.sync_direct_chat_list = true;
     };
-  in {
-    description = "Mautrix-Signal Service - A Signal bridge for Matrix";
-    wantedBy = ["multi-user.target"];
-    wants = ["network-online.target" "matrix-synapse.service"];
-    after = ["network-online.target" "matrix-synapse.service"];
-
-    preStart = ''
-      test -f '${settingsFile}' && rm -f '${settingsFile}'
-      old_umask=$(umask)
-      umask 0177
-      ${pkgs.envsubst}/bin/envsubst \
-        -o '${settingsFile}' \
-        -i '${settingsFileUnsubstituted}'
-      umask $old_umask
-
-      # generate the appservice's registration file if absent
-      if [ ! -f '${registrationFile}' ]; then
-        ${pkgswithsignal.mautrix-signal}/bin/mautrix-signal \
-          --generate-registration \
-          --config='${settingsFile}' \
-          --registration='${registrationFile}'
-      fi
-      chmod 640 ${registrationFile}
-
-      umask 0177
-      ${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token
-        | .[0].appservice.hs_token = .[1].hs_token
-        | .[0]
-        | if env.MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET then .bridge.login_shared_secret_map.[.homeserver.domain] = env.MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET else . end' \
-        '${settingsFile}' '${registrationFile}' > '${settingsFile}.tmp'
-      mv '${settingsFile}.tmp' '${settingsFile}'
-      umask $old_umask
-    '';
-
-    serviceConfig = {
-      User = "mautrix-signal";
-      Group = "mautrix-signal";
-      StateDirectory = baseNameOf dataDir;
-      WorkingDirectory = dataDir;
-      ExecStart = ''
-        ${pkgswithsignal.mautrix-signal}/bin/mautrix-signal \
-        --config='${settingsFile}' \
-        --registration='${registrationFile}' \
-        --ignore-unsupported-server
-      '';
-      LockPersonality = true;
-      MemoryDenyWriteExecute = true;
-      NoNewPrivileges = true;
-      PrivateDevices = true;
-      PrivateTmp = true;
-      PrivateUsers = true;
-      ProtectClock = true;
-      ProtectControlGroups = true;
-      ProtectHome = true;
-      ProtectHostname = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectSystem = "strict";
-      Restart = "on-failure";
-      RestartSec = "30s";
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      SystemCallArchitectures = "native";
-      SystemCallErrorNumber = "EPERM";
-      SystemCallFilter = ["@system-service"];
-      Type = "simple";
-      UMask = 0027;
-    };
-    restartTriggers = [settingsFileUnsubstituted];
   };
 
   # Discord bridge
-  users.users.mautrix-discord = {
+  services.mautrix-discord = {
-    isSystemUser = true;
+    enable = true;
-    group = "mautrix-discord";
+    registerToSynapse = true;
-    home = "/var/lib/mautrix-discord";
+    environmentFile = config.sops.secrets.mautrix-discord-env.path;
-    description = "Mautrix-Discord bridge user";
+    settings = {
-  };
-  users.groups.mautrix-discord = {};
-
-  systemd.services.mautrix-discord = let
-    pkgswithdiscord = import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/5ed627539ac84809c78b2dd6d26a5cebeb5ae269.tar.gz") {
-      config = {
-        permittedInsecurePackages = [
-          "olm-3.2.16"
-        ];
-      };
-    };
-    dataDir = "/var/lib/mautrix-discord";
-    registrationFile = "${dataDir}/discord-registration.yaml";
-    settingsFile = "${dataDir}/config.json";
-    settingsFileUnsubstituted = settingsFormat.generate "mautrix-discord-config-unsubstituted.json" defaultConfig;
-    appservicePort = 29329;
-    defaultConfig = {
       homeserver = {
         address = "http://[::1]:8008";
         domain = "cloonar.com";
       };
-      appservice = {
-        hostname = "[::]";
-        port = appservicePort;
-        database.type = "sqlite3";
-        database.uri = "file:${dataDir}/mautrix-discord.db?_txlock=immediate";
-        id = "discord";
-        bot = {
-          username = "discordbot";
-          displayname = "Discord Bridge Bot";
-        };
-        as_token = "";
-        hs_token = "";
-      };
       bridge = {
-        username_template = "discord_{{.}}";
-        displayname_template = "{{or .GlobalName .Username}} (Discord{{if .Bot}} bot{{end}})";
-        double_puppet_server_map = { };
-        login_shared_secret_map = { };
         command_prefix = "!discord";
         permissions."*" = "relay";
         permissions."cloonar.com" = "user";
         relay.enabled = true;
-        restricted_rooms = false;
-        encryption = {
-          allow = true;
-          default = true;
-          require = true;
-        };
       };
-      logging = {
+      # Override dummy token defaults so env var substitution writes real tokens
-        min_level = "info";
+      # into the config and registration file (module defaults are placeholder strings)
-        writers = lib.singleton {
+      appservice = {
-          type = "stdout";
+        as_token = "$MAUTRIX_DISCORD_AS_TOKEN";
-          format = "pretty-colored";
+        hs_token = "$MAUTRIX_DISCORD_HS_TOKEN";
-          time_format = " ";
+      };
-        };
+      encryption = {
+        allow = true;
+        default = true;
+        require = true;
+        pickle_key = "$MAUTRIX_DISCORD_PICKLE_KEY";
       };
     };
-  in {
-    description = "Mautrix-Discord Service - A Discord bridge for Matrix";
-    wantedBy = ["multi-user.target"];
-    wants = ["network-online.target" "matrix-synapse.service"];
-    after = ["network-online.target" "matrix-synapse.service"];
-
-    preStart = ''
-      test -f '${settingsFile}' && rm -f '${settingsFile}'
-      old_umask=$(umask)
-      umask 0177
-      ${pkgs.envsubst}/bin/envsubst \
-        -o '${settingsFile}' \
-        -i '${settingsFileUnsubstituted}'
-      umask $old_umask
-
-      # generate the appservice's registration file if absent
-      if [ ! -f '${registrationFile}' ]; then
-        ${pkgswithdiscord.mautrix-discord}/bin/mautrix-discord \
-          --generate-registration \
-          --config='${settingsFile}' \
-          --registration='${registrationFile}'
-      fi
-      chmod 640 ${registrationFile}
-
-      umask 0177
-      ${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token
-        | .[0].appservice.hs_token = .[1].hs_token
-        | .[0]
-        | if env.MAUTRIX_DISCORD_BRIDGE_LOGIN_SHARED_SECRET then .bridge.login_shared_secret_map.[.homeserver.domain] = env.MAUTRIX_DISCORD_BRIDGE_LOGIN_SHARED_SECRET else . end' \
-        '${settingsFile}' '${registrationFile}' > '${settingsFile}.tmp'
-      mv '${settingsFile}.tmp' '${settingsFile}'
-      umask $old_umask
-    '';
-
-    serviceConfig = {
-      User = "mautrix-discord";
-      Group = "mautrix-discord";
-      StateDirectory = baseNameOf dataDir;
-      WorkingDirectory = dataDir;
-      ExecStart = ''
-        ${pkgswithdiscord.mautrix-discord}/bin/mautrix-discord \
-        --config='${settingsFile}' \
-        --registration='${registrationFile}'
-      '';
-      LockPersonality = true;
-      MemoryDenyWriteExecute = true;
-      NoNewPrivileges = true;
-      PrivateDevices = true;
-      PrivateTmp = true;
-      PrivateUsers = true;
-      ProtectClock = true;
-      ProtectControlGroups = true;
-      ProtectHome = true;
-      ProtectHostname = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectSystem = "strict";
-      Restart = "on-failure";
-      RestartSec = "30s";
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      SystemCallArchitectures = "native";
-      SystemCallErrorNumber = "EPERM";
-      SystemCallFilter = ["@system-service"];
-      Type = "simple";
-      UMask = 0027;
-    };
-    restartTriggers = [settingsFileUnsubstituted];
   };
 
 }

hosts/fw/modules/web/secrets.yaml

@@ -1,55 +1,58 @@
-borg-passphrase: ENC[AES256_GCM,data:DK/H5UUurRp1fJuz1Lx/imac5Twy5slcxdJ391hi0m/8gLy9hbsT8p2xVtOo0y4zMI79tJwtdUhM4843Mos6Ayj5rPQ=,iv:K07tGJSAcClTKmTCZUFxmy9ICl8fAg0oDEvubM9/dvE=,tag:jSmCdLsgzZTP2UOGlD8ekQ==,type:str]
+borg-passphrase: ENC[AES256_GCM,data:GJdxBsj/CFT8oqO+apbvQHDJS7DteBIINP+pq1pATWa+a8F+zJ5hwvtjyoSx7hLhVkB6w1fh6LTXxlGkJ0a661a4NOo=,iv:hCd45iFw1BBcOZfreJ9gDqoRt72sakYke8tKnyjMEOA=,tag:+7S4Smcmv8gEQua1yNFp+w==,type:str]
-borg-ssh-key: ENC[AES256_GCM,data:RMLvgwaJAmD5I0OY8Ii2W0JKtVFe9Fe5adihLqGydP4tZ8lD54KN+t3NhneX1llDEYx4TFlkX65KTB/Ancn4WTHvNWiIQhAvnaZfBunAS8Lm4Xy6D9tnKxARhGNy5ljOEQlX6IoU9uvzQo3XIv6Fkp4bjP9sySus/lr9/nmOMnD9A0XHgwnqtv3D6CUJ4iKXVt2rSi2tVqOoRbiQ7n6SChzSgYqrzkeuO4Lpn8lGmvPoKo4WN5+w5CX9OmtRXDzqFVJYF5tGNUUfvUM4sjjG+fFMgcTvRwswEEpecEpRRP5RJoL+wh/2ghmUUweFhtq4zydubZPg8EtwAy8XqH0hleBhS0XO0jKVwp9iEdN+webdBqx8J0+qVTdUZxxDNFl5sF9Y0N0Dcu0iu8SoBcVSzGrNDV9GY4GM+D8oafsL7W5jtoLdLWWnKhMqxamZZKlvh/iBHkulXQEdhEF/OtezIerVgeXIJpftKqx7JCVUz2c86WCJ0qoE3Yzpl4SsARbIdC1NZbtHwy2JUKfeoGoYF7t88GunbelSDRIBPxGL9aV7q0sXSlWgfZDncTqT6s8hBm6dxwJxk83+yw4P3GduUBaPV+QCOB3ZIepWGjQ6MlaOf0H57eeVyXfL6uZr4Cgc3WqtFp6ubeEkBZCb6h6zqBt99t3vhe9KGBQ4N1BAKjNmx6yMK2MBC1QhxFUHGLzu2xh2bW6zBUpNFeL7g6o8G8ptjqGC1gsRxwjiwjMbsWZq79p0HoLx4IU9JyU04uuGwPbbDw1IHnYqbPaxrTbi7qzaLea8yDIKF5Rknxg5Pp9zF/5eugu4/f5ZxyVLkU7Xwg7OPntELZmxhFVjBlZClCFbywbWJPQqw8flYIf2yo7+LkEaG0p7Z56Py7R5WOvJKTy9EmXn7zMehBN7Qb3Z06oHybmW+AdoL5xJ33eE7zCGDodGAWxbyH2yU02WgbgfPlRnHTx8Secu220IIsfaXtJQN9/BCrJSirtjefpyrbuGhC0BeEIYCzRm0grOJ6OfByEsuPcNJtffLD+H6CmwTxPEL11FLCzD6vho9psy7rxK2oxPus1kHz05kcaGC8qvnxWCu7URzDL3qRzPCkr7Bj+NczKNZmCHlVC4IW5TaCikfoDBkW93Esnks8Pm9CxGTh0GTpZMeZ3tUnUwI3pl+2AfZmdEqtZHzPn2DRRXUrzXpknH6mBXWAu3d0LOs4tkpCglVa+Sm/3Ir3XWxQ8Vm5Q7iZQzrjDoc0ZckkAKxblgdZ+l9RhYc1gcy1xGiofFoIksMRPG8pMbLrBmO7psEoZZHrwYuQ+zEWvtdqbpC+9p6v8l8hPjZa7d8lYTpSHWqMvonLvUyKBnXIrzi5tILU1shS1loTctWqGgJ6hO6qq7NQs9hHI0NfSm1BPyaUU3QrrjiQxTIsS1BxrychenVkgD6kDU5XH/ddUP2S7scnvsfPg9DKCRXF3eLo2pa8TYqliurZ3zzprso7TzZPfV9qNW9fNsLX+Z7i6UFxJwqjSv0zqs0vwi1qiODMX5NGIroybqqJIiUpawskyxREkjdg2HWFPPgmlT0WBGeSIvtHsSALnALcSXMJDj/zDtDzgvd5Xr/G4ltMkf7QSQlbuBEXtGpRcrBGHGXqIAJlbQBh/wMTY0Bk/9b6fyT4QUEljl1WOy+++yFhPz9TxgyD0Pf6vouvkgNJwzcTC6VavUTRv+ug9VJiH7yzvHB12aMLESjvOkZcMKsXVlHgCj82k42Siqamsh+V6ECggW4RUILMMcaXPcYwNcGLNFm36lf22jhW2hfU9q2F7PUutawc1Ziv+rMlmSWa8SDC7rEU8KBIvO8zy0zv8IxbheA5QTm+OzajDAvkk8KkubAxFnMdY6nYkbJ+eVr0nBeFJu+xOMlLBD2fnH+KRSTtT14+E0kxfbIXW+qmKj82Cc9Rk92nd8TpsAK89pvBNsMQouCnTHLPoyDHiGHM+3P0hfwCwF9VCS2TAGCuW2sHW84Y5gfR2x6JbUiWVAz0qJDMQ+ypDtNYk1t14ILeUm6RJyPDeEGdnMdAXxxP8JoIIfjHtlJ5orIitba16pRU/Q/QOWf4hHCoGdRTQcgGjduAkzGpxx3jkj6R7YjQ3fsrtAFziBL+Z0MxDWUgWmJlancXjv4vFzqdf5W1PMI8CxkcL6NsluSUhPfarxZJIcXoeD8zHWVeCFgWNPsDC/JZfBgNtBFihmwM9FAASxtOvEL5kNKgqvkbbFawrN9N9Lm95rOC2EsjB3wcq2VEZ8kfU7a8y9YulAvkBSlIf0EtMdgCsJpQPufjE1R+yAoHlp3/SKYXvzZMR+yAFF0QcZF79/gtNwTG3l+HeqX4Lj7PZuR44Y9V5yUhLJbhanIc/LQrO7F+2N7go1kVWAhEw1E2g/MVeC799O9G7OjQB65jCUKjvp7pjrDZ5FxVPP2fc1Z1XpYP3Z/JdUcBJbSHOaGuzzn4KHpNtXD8kw6JI2EBqNqQc1J0OMlVZtldThNnC3sbEJWyy1bJdWhfcbph0XpJZ7IuM7quU35z3PIc7DWW+aiNzsUOV/SB7hUgLvOIkKU2vRUdOqqKdDRqD9fSnAFOAsW1TkwytSHM6hfic+G0eUqTrZJlpNWOVpkfvggO3Tz0aQTd/tJyENRcjlfWwcn7ZZrf2ZCxyRwCuBd2SS2zqBL1Sg3ZLZP6NydhoA8NDDP4Qde/n+qwHd8AalA35rdMMApWcq0rQIxU2XS2xbdgbYHNUFTn/SFl3J0ayNkvF/NZaAcg5Qd0luiVk4zh5osQg832Y8dJDOB3PQLF5b+E6TTj8m3saKsyASag5OIoC6Aau31LB2fYlWermyaeU0VFuLwFZ1ATCbqNKmez59FAQVwfH5/6aXhpHxbXwy82EztqOzE48U1W7LdU2gKMLFwiaVcarx5xQFqjRO3/5YPfH11qFyikaZmOvSAJdCDM2dZYO1gzexwtP1LyNOG8FpN9P6d6Dbz6Ik2izjbmoZTuUakZH4nldB/tPfKQAov/FMQPkXIRasEQDGUxqjwXYiIdPdEIRClst1lnMuHAxwDvgfiyCMJ5DkgQyQGcJ4rskdlzAPt9S1h47XIRna2O6o1l63WpYfJ8ucFPR7Er07cBjWq8V22edUqIKiB53VwMI2y6eMYkZBh1rYt1Oo+tn+2jUKX7HDpP/bCF3NIsPDWkljukPs8wwcxh/n58ob2vqYoPtzfdDgkPnstb1G8WC76jwVlmUDn7n00SeOAwk0Gz4vJvHA2TZP2nuhfUVv5D0LbVc4jE05Xyfk8WWsGraBJaJ1WByVJC2lF4uTm7Y7XW+0ppFjIn4HoJSj/Ab5/T8nXRAwxWAg5XU/gBvGXONiTIIwUKyXc36ON9Mv7irdsjUdL+p3rRHtzcoriwll6sF2o4nij11wo3muDTE27j+FtNehj7sQ2e18BkZUDPIdZKExSHLrBm9Tj88DUptDP0EiW2Wjxg==,iv:wxaCTfzZWfwluEpiaoLcxg6tpZ8schGPrIJEODdJUr0=,tag:ys3am95Im/HWSUPxDz2ETQ==,type:str]
+borg-ssh-key: ENC[AES256_GCM,data:l2Q8mINxmByCk7gYdPiZ91NN+batshnSlwqu5b6v0m8PRzor8ejgf0LNStDM6DJMot8vzlqawbB5L1xuLK3Bwj3e4JyAD9xCHFIJlXbH6WViL+A4mLoJMeW/ZJOlZyzI250FehkdxUa9OY6PgQNKSn5P0MJChW9m7frmmt304r8P+WYDruyNe30tSMqt6Dixwik1znq27ZbzXaqaG9VOm+ltW8wr6Uq433pgmqIIDQgFdwWZw8MSZaZ+OOFmCo8iwgroQ2spk+mmS61ldh6nmkwSLYnZ5LkCxRRHfw+/i8M321k1vf3bX0R4Cy37jhg6wg7ZVKngqD3WW5bFQ4bd6BHSEHMvSn2O+eA6v5DBAMmOicN0wJljaXFTXg++Ju3tr3pZ6s5e40Gvz2nQBSMPVrifFprGGwXf8w0RpyRYRbXHfC1eAYjwETtCw0AEKSzhqv+BnNDPBaypfp56kbVP5A/xe20sREGdKmRuCQrhsad5pYlsWrJgf32CpYeTQXWau79CG+CEm0Nq34ZA5OffQqWs75hGNWuhB3OpSEkFK8BJgeWZ44QGlhDukyeicyivqbfME9Uznodvl4VUpNLoq10n1m8ibVpZqVDFjhE50DlPHVRdMQu61MVk0oveYBdmkAXu75KPPkOuEPZ0bMaido3WCzQ9OkIjEofRVfz+3Tl9qxoETkoWGcZVWis+LWMs6pb7mFvhVGMVwnpofImmo514ebl3lDKQZCoeyK/+m1HDkOnjSbd/Czv9zcVJ2e4pZuG5VpSs3brAr8klb65cqxklPqHMJf0gOFcSKrbbhJr+fiyYHUOTy+z4WZIHH6+c5usLPz6v4oytT7bBoPBudZwnroKidEBTvdLZ0emtz/d+RoOViPcLn55521hzegtmRuyc+jCHXR+NvHk3IhMt5BUHD6th1G2aNgX2RqrLOOMcm0CVyoEttwKZ7vnGWh4AqSGGiIyyfqawY1vbtj6opKe3k6fkIaofW1sHrlI2QKxvPUNCv/zhbfa2G6ObbCbNXSOnCYRdhXxH9E3j3LtIBSAML4Svji/sy3ZLZjbFrOib4bC8dkWPwrNlNQaUJFRgA2Dsh82M24rfj4yc0NzW1xurGsbN0/7lfHeKDIHtpxoiQXewlhLnfLvUDZrEcqXED3ScSeAa1tadGSVP7og7p0qtFi2G+ep+74OE5iJ6Rjq/T/BV2JJoTyH1YysHLsyfVe2LboyxA42+wnlBj0IVaVLPX7gPrxY8+G71b5nIHdF/djJoJDZ2prJ0HtK389U6jdEbHZpzO7MwCSoUVy/q8CsMsmfiiTyvWjrCxa02vhqywI0XRiiUXkAgs9+1/ydMHsFP7W6oa+d6IkNVxsjJ6egFg/Nxi/IoY4vbckBUhhiqprIvY+7qmF6LNLhJbC/CJqjBo+ywNI0A4kI3Tq8O1iedGZ/XxczgfqqBM25hecqDMHLorCc356JZcpQIBDGhpjHHa9I/8+T0hDrWklfnDwGSSQwshcvMFAcePCCT8qcBDiWUTb1eqQIc4LZp/BLoJ8m3KZlugzcWI4IqcZQmMEx7Bv1J9k4Jl39FKlR4Km+I5ePUyBfx78WQgCkHdZDVr2lTYqzV4Nr+YO/N94uCwXvjZli+Xap9C4WD2gShsV6uQfJh6iLSrP/fVURTwwDYLnyUlcxTaiRFK/lF2bV5/QNAjKki2qm4Jw4GfKH/CQ0+a8GdQ+egcNFRD+VqD8tA7QmA0SviBR8SgJwyb3HRzvPVIAmfYAetX1b80jcKUMDKHAAV+Evn2pdw4AR+aqcPPEWc/RE6Un1UcWju31a6Aj+B9DNbYGug7F2ZJGLOudKlxBjG7LUa86blCzmNata28VXpTNdGlOWgexFtTIn4GdvHqPKNWLIwkontWOyQZ3ZZsuc9XbphcB7r4fCt0Sax81u7gdpuDpno/hL8eUhAL3I/UNp/Z5j5B4pwV3/47bbYta+bwbj5ATYM4j3wWPRusL1gtU8WKMrggJyfyQof7vlcculmSJV2V/0oojSfqDqk87tMZNX/o4kFLlj/tY47hHhN6U3O8z7HObvGhHSZ8uFfoASGJK56rVcJVD3EygJHytoA9SuO2Tzlt1S+YeboroZG+5EhVV9Hm9z2qJZd5EXBkO1f8L+uTA1j3NEsUjjVWRvs6fBD72Uls/RcJVM2fq63swY7vmFtwIqdF2uy4/ED1wua0oy/uxl+kk6nBvgj4ZX8U5ByWnVIyJTmol8SogE2TKMPOfvvRF5AJnRFT4P22EUDvIO9/rPNB1loQVeXq7XXOyV56RXkM5uc0Q8zZBqCr8QyRc8XBoZ2ChBIhlviXyyFbOdLppYOSNVnI2B3zsVF0KSCkCd7Q7pf7paPkNNp7bq9ZBv6giJ+zHj5f4xtTa13qdmU+yuIWunyWHmkY8/8I4nqVMEsjDz+nWkVsTpNgHSS23rtkcz7+i3srOM9RYj1IA0R5BjiHLt4Gy9i512nd4lqEUnwvoaUVVQxVtwsUbbhAIndV/diJBfsj0/ACuxbpmd0q/WgA9V0u3a02I3SIR8vtDz+Ode461+6QeWfwS70rV5TEJB1y1WEbz5yZ4lVTlpB1s4SGsDG7jjV2eWYqUoV9fP3wHsyzdoMwikq0tStt6oUt7yhdsugWsVjZu+gGFppjqM2sPjDsnIbrkomz/azORERsiUzlHqAwVDbVI9m+p504jHIPhUEpziPaECSShFG3zibRmQHRd30PiTWoThgHxRJwIIvQJQFnkFVxUTZ/27DtBKgL/0AeC8LIJ8bMQ/V83wHFNUj8NtO0zeQKsZEBPsO4g4+/hK195Txn98FlyOjn9cwAgLq5UMySQhhTEz+NhheJH7F3RldNlZDyXxIEFSjGlQF2+UPcataNsZ3lo/YVgcW2P70j2t/6BMvZ2MqaocwR5PkfetZIWoxQxUU+pPWKQLyCnjLZ9G7JYcIpbHsfZI9rD8ianFh43E/lbNw4NFfhSodOb8mBFgtYw88iFP+8yNtKixefOZKm3N5o65kH7ijnKxCJFEQcbZV/IV6JEOgy1lPSVxUv5+fjxatxefGa2shA7WXig4XBGgH8e6rvv3TGGpMX4ROgi4unoK+AjIrcSZ4LASKbJaj+QwEAg/6d+DoxJVf79vC+xVqaJ2RhjJl0FR8L1SmSrEpjD476qCKwCI15zWeo4GSBDGMAdAKQpWA4I5exp6lry+wG03O/le1Xkq6Z8sRkmUAie3Z9ZVyULa4p+GT4R3iNaHSFPj2WuqBE9b0HEU3Ux8r9KuzLyPBoG23qy6hzetOXtNWdMCbEdLlz5lfgUtEFrgwYe50nlB6xSVNut5oQWtuOR3HdIOPTh8hVTm9olvxTtVcLPSPgykm3czbnAQefcooUb+fS0QuZZVqFH/3xU6GzLk73R7sasxfzqGDUZOTm1cXBBUNr+sk7cv94lJzwB2lqkU4qsLboqRVL2GOIVKQNKv86A==,iv:++pEa8RSP2UydzilOOkNbIZI1pLjs3PEpttPO/YM6qw=,tag:wGiHUh4qQ07GaK3xcJtG+g==,type:str]
-zammad-key-base: ENC[AES256_GCM,data:ZegLmGOVjKvPaNCl9BW3nyuurypOIgZBi0Nr1taqdsSbo1Njy4EPrYQyPZhrxbbOwfliheMHfAQ6CRiRwbEk6evnIjLYEeuC5m9uayRQVXy79Z3m99pI806BKNZ8tYzOsn06Qsdy5hsRNU1uuEhtuQ+HasmScpA9GBjv9KR+x4s=,iv:If1mv4xfkPdkR3x48BocRJ4Xlq+fIP/u3xPyPE1jqdo=,tag:t4Xb+pe+3r8nAVAWsYPBHQ==,type:str]
+zammad-key-base: ENC[AES256_GCM,data:q1+9uGw+VShevkdfs1LNiZvAsJWUO4zy0ajJbDYf1XzMwqCYE2dC5fsXxp9MpkEzMZHR9jdQyGnIZmpQ+wDiGIn9V5BE3X+hMhD88pneA8XXt5hdOCkC+TfkwQ0kiF9PlHhPt8w/4wCJkwM1lsj+ZVX+6BVmUuwHg3lBTTDMmeU=,iv:YIgu2och/ibSzfaVUH3rpVu00MIYlRYolgb1GckrRio=,tag:GGMOTNh7SfVVfzOCTAiXwA==,type:str]
-invidious-hmac-key: ENC[AES256_GCM,data:mwPGzo3iKNUTxl4lU17tw9UEMfnKZ+JFaZ4ebQ==,iv:bhcBJ6CkffR4inm39FDRkJJgNCwQip8fRaP8lnTKnD8=,tag:dornpNzkpERQEOpRKCriMw==,type:str]
+invidious-hmac-key: ENC[AES256_GCM,data:g3eE1y+CpVmQAb47DQbxK/rrV+BHExYtEPHAbw==,iv:l2dS0uudbdYzSPntxvPwqGp2CyMQQEStXbVBPgeVAxo=,tag:fwUAxEWQR5BMTpoipJRUxQ==,type:str]
-invidious-admin-password: ENC[AES256_GCM,data:mIvqq29GTBSkI7XS/fQKByOUYyOc2GZo/SmqLzTgYpZuuW+kqEaKWgYDJqnqzAkLsw==,iv:D5AQEWNNaVYw33Yz+qyt/EmRSiiCGbSawtT2mdJOQXk=,tag:hqa9B0a1l7x7weKDmaUUrw==,type:str]
+invidious-admin-password: ENC[AES256_GCM,data:SVtHTKaC6e+O9vz2eb6jplw/UeDdoLXIgw1wPxHqmw1GFgjXPTLCYG2tx4qt2CWHzA==,iv:ZWTlVfepoi0b8091w2pLjqMtyca42JodYPSN5q4M2QI=,tag:MEUbEY0mVTspIJZ1xpqR6w==,type:str]
-invidious-companion-key: ENC[AES256_GCM,data:svFzw7bv/IbEjZl9ggc2nA==,iv:gCG6U0h8SpKvXBpgF+OZ/Mo+ERLAm7eKqF2yDtLxy6g=,tag:wpQo5ywZKfdK9tfV29FHnA==,type:str]
+invidious-companion-key: ENC[AES256_GCM,data:s8VhQhsStNFwCHjgHO8UZA==,iv:V5v+l04FH3aQkJpAE554r+Brcn58bJhpO9IlsCf0j4c=,tag:MAIbYTdSGHt7A8Y3RufR/Q==,type:str]
-dendrite-private-key: ENC[AES256_GCM,data:JUbe3CBUh3n/TqCU7Ks7mKuGKdO3I72Xtw1BhMUtRqOQD2zEDBDyVOJaqf/TKBwi2UIy+0PBezOyHbfM0Gpb1X4uJmsbM66PkjlnSuWZzQgqvgW8BKh8+LGwxabmx+aHI+trhkaGKtIlz1HcyOIKG0EGlKU6/S73+HsbuhNeWkca5YBhIuFRI+s=,iv:2EXVI47isKCVCOTt7Ayg6z5qaUYCyXOmzeMsjHmLe5Y=,tag:FfXsV2xc5wyw2PR2V3WKMA==,type:str]
+dendrite-private-key: ENC[AES256_GCM,data:IzeYvGS5MSg3SHwPs2zHI1QZerGG3U1VWBaOpiQhwBnd3yabGdinX2bMGV7fnWvsYgsD5C7E9NspAJLiGyqMQqsbFP/6Iy1vLTjns2kY4jqd7l4yFIPwABu3VPVomO5Cm1OMiR/GZwxObk1oLycxKzVv2VUjcbmGAadpjK5IgKDj2M7vd7WzGtc=,iv:QzOIiskPRrjI9T0JuUjxKYek3cVoHL/cEvKOHT4J/54=,tag:7xbpIv1/lStAaoGQdFcaLw==,type:str]
-matrix-shared-secret: ENC[AES256_GCM,data:3YO9KkFiFV5pdzmpdW37f+F/FHNBpbG6HfrcFNKqHYrXg6SGEZa4hjMIcWgKkZPBlpIMpJ+B4Lzp9PuT,iv:RiAOTZ25nAJ85ZLqvbHYrni/4ckNsx75R8mAFWH/ILI=,tag:+DkG4h351yLcPm+w5SFj3Q==,type:str]
+matrix-shared-secret: ENC[AES256_GCM,data:F28P8x0aguu7BuWWtXTbgaPdQx88dpeKA1FsRK52pTVp3d4rMgAWQDfO22WOYgJ2ltPO2xIK7bnQFi1X,iv:Od3RfCvKkMyI2RxlnfixiIF2GTn7B9OXeD+21ttk/rE=,tag:ev56YcadjWgq0zQN+Hl+Sg==,type:str]
-n8n-env: ENC[AES256_GCM,data:ldY3t2o5hBLRHISl6OmdtxZSG8snVtvVlNLEAZBnVOyLLW64m6LVhrDx2cD+frITxDokb1B11/aRSOzn8tiOosD4hVKZUyELe7E8SA8yfu3SR3mztxzj/3d6Rns27UsnXSbYr59ELd1SZKtM1eoJYOvWxVbQGu1bK1nn3S555vrSGGo84EiSqQtNCaWJETOXeDIwUKrFKAXM9YKgN2yajDK92t6Hy71AD6RWfl3G19qXmeo+wawu+aoG8Ke2VRdbVM1h1bczyrPBa3CY68UbGpK5PrmRrVWpu2LvtNDnAGz5u2yVEfDEUKNjKeaIPvwIvU16K7IshpJ5kOdoAKtQRzpF4PbE8YAeylly5TuCtm/Ke6jVG9zsaoZRSZJL7tI=,iv:FCYNbrN1RhjtmLujJWB2RPZZuQeV7j2Rfo7ChCJb66k=,tag:uESnEa18GsfMCFo6e2mrIQ==,type:str]
+n8n-env: ENC[AES256_GCM,data:qyZY8bLnXEMU7bIUBjufWkGxDybu7XWp8YKWYqCMKH6OIrzWQhRfwJQuvjKVWsyR/HsPtwzcxHf9cVuW+IJ5gcUVWj2lxLCTjeewD5otAXGRx0FbOvZ0W4wmb7y3zJGd1N618p5RhmpySOfQ6NQ4iXTxYWDYgJSlBl9Kn3/0KXsIZawepo8BDl2MUJ3hevibys2+9nGfS7+7/aq0wybaMuy/ivjgglwrGKWrByUrpDOJLW07BtD2VCXiWWb3jMYfCCkQ5eXtxAlI6BYRj4pzPO7QjbcR2h5S9Q/YIqOUtEyrDZTpkYHVm4soFwl9Eo7O7IlrS/P7hiqf77OVz3FZ+5K25YYLA17UauoLncnUtgOxlHn9Fnrtnr+0iMsYWtg=,iv:yJM/JcQI8BUp4a1m4ju2iHvnWpiWPC+/2kysSnmp9NM=,tag:cGbbKuGlso2MrFYijbSV9A==,type:str]
-n8n-git-key: ENC[AES256_GCM,data:ocL3yxwE7TElYRTMGY6cxqFG8FlijuSK57rLONHpGdob5tVkRch1Z+iOGOSqj2R+IH+CzFWoWS/mx9mgQQxxMLXiPxICpyNxpD9BdKgzhJrUpt0BqoriTTutE8ybs5OkE2dkCMhvCItfji2zdz5pKv1ZXWt4wH8v+yUoUh/83hVWfLTdabk6cioE/UXD0uu2IQiG0FAaCkiZyw0Peycp2ePuq4P7dh0l9rXI11CJ7nfBsbBUU4J1Pp0wjdADuUVZwGzUubKYATMmOzlz1zHF7PHKR7QxJWBkpBGNMiRvBjo86NFKRfyES5A+6qYhxaWubbVlOwgbiXaaBOga1CDup/aFwi/2alq/sSooMQVibJ/oFTasdTTqEWMrr8XkUX5c5yQMPwQla6j8mrMlGTkBwHiPPgx4j78mACbiYKgrwAjJnUZ4MNbXCspx/ufBcE/efKLfJ3NWofMSAdxoEc+voOFnNfB7Vd4urDsiI0dhA6g3KT8ofoj5gaoNCLnXtyVSkKlWHM1kVqOoaXX/0jaz,iv:TKLOWRcHd0KiupXhE1qAbILfgYYqdQNltKnshtnNCvs=,tag:DZmoHPrmpAm3B9EuPNKikA==,type:str]
+n8n-git-key: ENC[AES256_GCM,data:KWwOxNZqNjMgUfdg/GIVdQ7zMsPSdWGL/YXtNrGHz6i4jlHl4tXAMbmBcea+1gOQxmiV3ikJh4kO/PJHpIcjtdishCGB/9QXjdGcn066zHQCH2RaHIQ8q1puRIgmQubHap6iCRI73+eCxevh98nikUdwwW/7ESUK5H68kLxN4GaFldS4u7rEu9TdnCI/+VExK15ZcihT7N7PV76JDCnHf33+28DMC1EcLcGwWVwNQY+zCCWbonovkEXSVP+PazP+hDZDK6ry6xeO7bpX5ujCM6hTql1oyg3TrSRtwPpUVP4RzaMtKB6IyJhkR6KdwsxeZooRQX+Fxl7mVKldAaxIE7IGZwjXNPyqONW6KPUtlvosg+4z+x9aGkHugFoUvSExDQ+51t/GTo6liFTi9Z7hveDuPN8Ng1pK5XajCLMTx/8+V5iVC+DR6gD8fjPyURkN1Hm4iWk0xGjiH6p2PRGHk65AWtBuh3EvMHbd8Udnxeo39GmV73/h1Fryazcg2O5tyvooY5wJlTJbTW3MgNGS,iv:i1YxUvaxTbATF3sFmDt0RSnAOOifqBiDR9jegJpQWY0=,tag:mYZBAXn6hZ/aZwWHICBQmg==,type:str]
-phpldapadmin: ENC[AES256_GCM,data:JbFm9hukT/l0SNY9rtV9ZaHiNA7yYiVlBJphognDlajFHwflgLH4v09JJb+Ku9Oep8cjQHCXWq5FppWIOknZCAxahEHjSYOllQ+gyNG+ReYYoMGwRzz8EsoDGrGlQ0aZd0v47dCaZXejGkoJJgUY7ieakYVZABotlQI6MNeWpYTDrMt1IYe/QZ/7vhF8gM+7m3Zg+iKT+f+DOfVV9rsv07cucNizj1p2JXsAP4RF+M1gwM4cP6KLdTovoFWJ9H97PFbpZ+v17XRKJwYDgBG/o0RuSQ9+5cXNk3pAbBPCEyApzVzMzNzG0dY=,iv:zaoFItL/2zvxQjYYySFWkw5MBwIMlfk9I880AQG+x0M=,tag:aMAMFkYbs0yZjnrepiRRfw==,type:str]
+phpldapadmin: ENC[AES256_GCM,data:aVoj1dhX9IsLTA/ZEJfRXgdQRah3nGntUM38kdcHRdmBY03EUm+i2sfKiaknB4afIAjc04SUxxNVbjeM65ipSW6sKQEMiVTAIJzi+1ETi6clbZvQhWDtvBBJ39ybUkH5YX3Os109h/jD/TApa2MRfyhml6rHWcNzhoxR3QJQpuE09kj6eBxfillUDfKfomWL4x4ksJl/agJdXxU0VGwc7zyi7mvMwCQokcrMxJ9GC+7p2Jpz+W5a3WKSnqc2Gpv9DEbo95m71arnK4TcZL+S7tAZsT5+rHzEoNp5I9/5WCzlJrDJ9vHD2JQ=,iv:fQigdELKdM8E1nfSVB7/5568tbALh/LVSMf4wxfOc54=,tag:zWnHAcTOxk0eEViPCK5lOg==,type:str]
-piped-db-password: ENC[AES256_GCM,data:zCWq3Jj0DFWJTTAS/0p57kOIktD34C4AFLgQAayfEb2buYtTsm5dclLp9cI=,iv:xXue25p1bDH93Sq1y04nT08lzw0SGUS7pHnLjx7jC9o=,tag:6xYIav4lMk6mDVRJ2C5jqA==,type:str]
+piped-db-password: ENC[AES256_GCM,data:yUmxi/Dqf/u9RumLEPGgZK2tzSYuskPFS88keb4w83vxY1S+Zgu3fcO5ZA8=,iv:1rI2WB2kZBKB2XzYB4AYtpaDtkXOssqo+fEq5ooMrnE=,tag:sOUR89pH8FceWBSqUw5aYg==,type:str]
-synapse-oidc-client-secret: ENC[AES256_GCM,data:5mxGbcqTgeFZ8tTEysW4vb4PTgrpgsHMYZc6CcwDsBf5zsPnKWc2we37WR9i7Y3iCk6hT/5HGOiVBOqJgmXmnA==,iv:t3xrXtfpwaEQWiLdPD4s6GMdxP1+NWkPla6w0JbPZqA=,tag:mdDkolP0Cyr6waBYjJX+WA==,type:str]
+synapse-oidc-client-secret: ENC[AES256_GCM,data:nEDFJIgYDWW+8Nw7iMlesZwqcX6O/a4degzg56yvHsX0CfKBp3mND7uHoNfAWoYTMuNEpy6SYLnOVGiYAzaY/A==,iv:B1PdBoK0ml8baRfxCTbDPZZ7XNNXv14SuBxL2wM1f4Q=,tag:Lfgz4zl6BWTOxkgRPb/pCw==,type:str]
+mautrix-whatsapp-env: ENC[AES256_GCM,data:5inKfoXwqJ16wqE0yzn7RazXD9/vI/EtN79Yl3Z0mbil6JXd9kwDxnU3uuIz54QoLsDrcd8u+rSVrLgMThXx7py6GAfrQNBLuYFbvA2Os9CjJqydKiYze0VD5mbd,iv:kNvwQz1Xhem/kPCyk3k/nUrNmO9R9adw/q5YZJr4UGI=,tag:IreWAJCM4WodHdJVUIhMCg==,type:str]
+mautrix-signal-env: ENC[AES256_GCM,data:VPyFQJ9nsm74CtF+ihDIPEP/NwQuJZx7qX256HPmRk9Akr/FiLTBa6+ocgS0Vx348qrzOdXZrupI5xl0AQKh27cFLvH6LYk2A9LlylNkxmwrW07vVmUrmrcmhQ==,iv:D4xca4rxGV2LnwRLjjgiz+AeWuzCXLkZl9EWyrULkao=,tag:V/FFSON0rHxmQfh9/mi34Q==,type:str]
+mautrix-discord-env: ENC[AES256_GCM,data:fv9EXSCXVJQIWZyoPjwpSOwagcsBo9tid8ntr914QL3Dqm2Tb566BB1suti4is0g4PdpjVh5vofsgZsdscIEH+C5ohmyhAo2TjWJhXjTxxHZKHBn3b7JSd77rrJJWGXvcIT2iCCX8JCU7raWo4lNiZBzaPr/284rHaUMiN3QPnFNHMDfPwGEw9hYV0zOy/EkM2KQyy1zOtSBUzVxFyFgI/aCtvqlWKigELfhLuNVTwP9BSiCZVuXNhghVcStk75atmnYWU867/1frr+NvwkME7bHEhz8JYYM9Bc9iEAGhJZB/Nv0bAmLOsiN3ayOhhCpAFIWlgFk3A3lcpX7b5YcqXkYUPNEcmxSOzzloeSe2q8=,iv:wTJ/YFilbmHuIzCYyu8jwEXnOx7xvFV7/HTvzRwirXo=,tag:bLghcDPbiQPYEa95VeZnZQ==,type:str]
 sops:
     age:
         - recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLVnJiUU5SRTA0RXREVXBP
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3M3h5OUlDbHc4Tk14MG1O
-            YWxCK1pTakdzTFEwdEhtSkZoeEQ3cWcyeEFnClFwN1JaRGpZYlpFM1d4OC8yUUNQ
+            eWsyZkgxbGpVOHV0WlJnY01za2VEZHJFMFFFCk1PNmVnQ0dMd3U3VFBIK2Y4WWc3
-            UWo1V0RqeTZsRDFoalVoRFU3bE9UdFUKLS0tIFAxNDJFTW55RUJRREVMVnpESDdm
+            M2d2NFdiT0JzUng0VjU4SEFIMlVLdk0KLS0tIFptQ09tN1lGbk9SMk1neVQ1OHFl
-            NXcvZjVBRVZ1cmlqN04vNURUU05sdVUKbv0g3mSiHvBKmEMJHGN/cZUe4a1WhG/m
+            emJ4enVuSEFxZ0tlWHlvUC9LVDR2ZkUKJokdEz17dE3H2t0XdDJVQv9qPptsvde6
-            kjxlhU6EijlCZiR/yiSYXumfuwe0UyMCH5MlMFwPGdeaWP8Ns6lhXQ==
+            MBkqIaeRN/esWpyT9SpqxA5gSpF0sBwRmkQFAyYVW0yDmsDxmA6NFw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1exny8unxynaw03yu8ppahu5z28uermghr8ag34e7kdqnaduq9stsyettzz
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsWWFMdnZzQ1RyMmtWWUdQ
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGS2dmbE5DUVBGMlQ0Um1l
-            d2wzOURoczVuR3p3akFCdUJsZ0c3SzN0UGdNCjdUMlFEZEw5TW14OXpESlVDN3Zv
+            MXY1YXVrTktOSkF5MEhpbmQ2QXdtWTY0OHhZCm5vbFFFdUYxM2NPdVA1MjNLVStB
-            SGtZM1NxdGNsTnEyRWVoNnE3TnNSNnMKLS0tIFdsL2VZTDl4Mms4RDEycEVoWnJC
+            Mm51TmJxWDloRlNWRHNBb2hBUnMwbHMKLS0tIEJIUnVUVVRLWlBEMmNQR0tMQTNm
-            ZURqZXFDaU41TENOYWdrdUZYUjdLVk0KJHNJ5egCvlkNkUX2Kh76O64rzPwDdstJ
+            a29uaTl4ZlVWUXlXS0E5bDBmOTJiWmsKydzPPYsWSZRBw9Z9X8ToRjSbCO8QgxGj
-            z/x9gGB9OhwDGtU5qnPaywTNBO0Fwq6PWyse6Xmbu9D5G6xMn4jhMQ==
+            4X7TxshEEhzdcUOgkrGSDvDcsb9lQV1p9zTudjd3GpaXRmTOP4z1sA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvMmo3ZnN4alpHZFUyTUVx
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnRTNZaWtFZE5XdDROekx4
-            cEhFSFBqbXRhZ1FDNXppNEtkUEpJV2k4cUFVCjBPNkd0c1VWLzVpQnMrdElGaHN1
+            NXVZcFl5ZGxqVmFYWnRjb2M1MUdDMDVwQ1VZClE4dEdtTGhRb0JQNDJZa2dSeERQ
-            eFRMMTI2aENBSTRMUkQvVE80a1QvSUkKLS0tIDNZQ3cwb2kvSWs4QW9jVHN3OFRa
+            L1NrajJrcllZcHZ5RVpUVkdDRWYyU0kKLS0tIGV0WHkyb3grT0J1ajhGeW1QeFIw
-            YVlZTnpXc3hlV2lRbUkxZTFZT1VhODQKBSF41WH1AWv8Is/oTqzt5bPAAnJkhmdZ
+            Y28vcThsa2c0ODZETlVteWk3M2ZvbWsKk+d67Xrxd54K4OQ/ssosEWU8AFNjAiZq
-            9U+w2hSqsvtlfLFuH+p2WOP1LbNo1MX1zckd9EUA+nGdgkIugJSP+Q==
+            tv02IJnaVu0jTpGnscqpL/fweGOg3++blsccESxnd1G/n8mN9Iifkw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1gjm4c3swt8u88e36gf2qlg3syxfc0ly94u64c42f2tsf24npw4csa6e4fw
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwbERiaG9zWG1pUGM1cExn
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQ0E1d3lrdnZNTUxzaHFm
-            S3ZsRUtiK040THFVWlpIS0JQdDJBUnFOekhZCnpVSUdMWmJPMDdaRGJoeUZkWlZF
+            SXFGaXFVbDJmRVVHRDRGNlJkemk3N0lwZVc0Cnl4NDJhYzhvQWk0YjRQcFZEQTlY
-            ZmVvdlBKZWVPcUF6Q2x5dTdadnY5dUEKLS0tIHdLS3hydDdPWFNuOVRTRmV0aU9E
+            VDZLcDJjT1JmaHJlYkhYbWlkcUpxZ0kKLS0tIGlGZmZOdFJzd2VZbi8wb3dUNGxy
-            cVpodmo2THlMOWVET0NvemR1RkdaRWMKEesi5z/onWEsyDAPYxHD41SBPtPuDWxY
+            MlViei9iU0d3K05aQWlKWHpKSThGVU0K056Yqw353eLHg0bUsMsxYSUN01MDVutl
-            li2et9gPM3VlNP3gnQgWTexkfnPGODnRDZrqcc8EvFLbw8ykXo3Keg==
+            +ZTPtbNIy0xh6tj0ZWr+wIYnN5z1sn3OtcUIKm98sT2bHapvoUkl1g==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-01T11:43:18Z"
+    lastmodified: "2026-03-01T18:37:04Z"
-    mac: ENC[AES256_GCM,data:gTctKFh+3NdkBi4SjtGiQWeCX41btPLyVuMMxuzhA5D1HLbQ/jgdRvGtbAXBJtnI9eCBo3iH/rinb86d6xjK5AUbH0oTzkYmkd6jAPtJJgWhMoPD0iIpQLngZHNdiWh64FpS+Y+gOI8l1BN08cYxa8G9cHPnMF09jMrgwC4wREs=,iv:5n1U6skIfynxWN1Aw81XUQ13QXOeki5wASu0/YlbXsU=,tag:auUIBtwEPIdwthT/X+hNsg==,type:str]
+    mac: ENC[AES256_GCM,data:Kb2QbqGZyHo6mBC1fzx9/hC7xdI+YafTZBvzbkXUIOpC8EKveqivteU9NKV/y6Yyn6e5bMW77oafriP2kWSSroWVPlDpEBnwxuKp02OGDD2dXgKg2hpsbVJw/rB2PCeAPCo+TO8Yw0sqzW1QzA9XIhL9K3Qt3ncXvh+qh2O6S9A=,iv:XouQNRAalAw60wt2D9l/n8JDMpXIkA+4IdR7ixJX+40=,tag:vUimegOoteMPi4TyCJoWpQ==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.12.1

hosts/web-arm/modules/authelia.nix

@@ -254,21 +254,21 @@ in {
               ];
               userinfo_signing_algorithm = "none";
             }
-            # {
+            {
-            #   id = "synapse";
+              id = "synapse";
-            #   description = "Matrix Synapse homeserver";
+              description = "Matrix Synapse homeserver";
-            #   secret = "$pbkdf2-sha512$310000$PLACEHOLDER_NEEDS_UPDATING$PLACEHOLDER_NEEDS_UPDATING";
+              secret = "$pbkdf2-sha512$310000$eb85q6wn7juP3DnTjobqEQ$GFNbhkZrXRU8gM6SwMFkPPIYPIsJcGyaQXacGB0r.gI.xTEEoeWU3gG6hkSgJHYnjhZtZoELZLcaE4qCd9fKLg";
-            #   public = false;
+              public = false;
-            #   authorization_policy = "one_factor";
+              authorization_policy = "one_factor";
-            #   redirect_uris = [ "https://matrix.cloonar.com/_synapse/client/oidc/callback" ];
+              redirect_uris = [ "https://matrix.cloonar.com/_synapse/client/oidc/callback" ];
-            #   consent_mode = "implicit";
+              consent_mode = "implicit";
-            #   scopes = [
+              scopes = [
-            #     "openid"
+                "openid"
-            #     "profile"
+                "profile"
-            #     "email"
+                "email"
-            #   ];
+              ];
-            #   userinfo_signing_algorithm = "none";
+              userinfo_signing_algorithm = "none";
-            # }
+            }
           ];
         };
       };