From 1f5e5b9a37ada94b9989dd7d73d0dcde99d09297 Mon Sep 17 00:00:00 2001 From: Dominik Polakovics Date: Wed, 22 Apr 2026 21:24:09 +0200 Subject: [PATCH 1/5] feat: nb add network to epicenter wireguard --- hosts/fw/modules/dnsmasq.nix | 1 + hosts/fw/modules/wireguard.nix | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/hosts/fw/modules/dnsmasq.nix b/hosts/fw/modules/dnsmasq.nix index ace789b..0859fa6 100644 --- a/hosts/fw/modules/dnsmasq.nix +++ b/hosts/fw/modules/dnsmasq.nix @@ -12,6 +12,7 @@ server = [ "/epicenter.works/10.50.60.1" + "/epicenter.intra/10.50.60.1" "/akvorrat.at/10.50.60.1" "9.9.9.9" "149.112.112.11" diff --git a/hosts/fw/modules/wireguard.nix b/hosts/fw/modules/wireguard.nix index 9edc537..3ab00e8 100644 --- a/hosts/fw/modules/wireguard.nix +++ b/hosts/fw/modules/wireguard.nix @@ -47,7 +47,7 @@ endpoint = "5.9.131.17:51821"; publicKey = "T7jPGSapSudtKyWwi2nu+2hjjse96I4U3lccRHZWd2s="; presharedKeyFile = config.sops.secrets.wg_epicenter_works_psk.path; - allowedIPs = [ "10.14.1.0/24" "10.14.2.0/24" "10.14.11.0/24" "10.14.40.0/24" "10.25.0.0/24" "10.50.60.0/24" "10.60.60.0/24" ]; + allowedIPs = [ "10.14.1.0/24" "10.14.2.0/24" "10.14.11.0/24" "10.14.40.0/24" "10.14.50.0/24" "10.25.0.0/24" "10.50.60.0/24" "10.60.60.0/24" ]; } ]; }; From 67e81d39f331e31c17264bafb5f786576b53bdd7 Mon Sep 17 00:00:00 2001 
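Review bot: In the wireguard.nix hunk, `allowedIPs` on a WireGuard peer is both the route list and the source filter, so adding `10.14.50.0/24` lets the epicenter peer originate traffic from that range into this firewall as well as receive traffic routed to it. The firewall's forward rules are not part of this patch, so it is worth confirming that they scope what the new range may reach. A short comment above the list would also help the next reader, e.g. `# 10.14.50.0/24: <purpose of the new epicenter network>`.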
From: Dominik Polakovics Date: Wed, 22 Apr 2026 22:08:29 +0200 Subject: [PATCH 2/5] feat(supabase): add Google/Apple OAuth and fueltide.io-branded email flows Enables the auth providers and transactional email flows the self-hosted Supabase was missing compared to the cloud instance: - GoTrue now accepts Google and Apple OAuth (web flow); Apple client-secret JWT is signed fresh on every activation from the SOPS-stored .p8 so there's no 6-month rotation ritual. - SMTP points at mail.cloonar.com:587 with SASL auth via a new `supabase` LDAP account; a `noreply@fueltide.io` mailAlias lets that account send as the fueltide.io address. - rspamd on mail.cloonar.com gets a per-domain DKIM key for fueltide.io (selector `default`) so outbound mail is signed. - MAILER_AUTOCONFIRM is off so signup confirmation + password reset actually go through email. - SITE_URL + URI_ALLOW_LIST point at app.fueltide.io / stage so links in emails and OAuth redirects land in the right app. FUELTIDE_AUTH_SETUP.md documents the manual steps (LDAP entries, SOPS additions, DNS records, Google/Apple console setup) that must be completed before merging. --- hosts/mail/configuration.nix | 1 + hosts/mail/modules/dkim-fueltide.nix | 28 ++ .../modules/supabase/FUELTIDE_AUTH_SETUP.md | 246 ++++++++++++++++++ hosts/web-arm/modules/supabase/default.nix | 63 ++++- .../web-arm/modules/supabase/env-generate.sh | 40 +++ 5 files changed, 366 insertions(+), 12 deletions(-) create mode 100644 hosts/mail/modules/dkim-fueltide.nix create mode 100644 hosts/web-arm/modules/supabase/FUELTIDE_AUTH_SETUP.md diff --git a/hosts/mail/configuration.nix b/hosts/mail/configuration.nix index dff1253..cb1fc81 100644 --- a/hosts/mail/configuration.nix +++ b/hosts/mail/configuration.nix @@ -10,6 +10,7 @@ ./modules/openldap.nix ./modules/dovecot.nix ./modules/postfix.nix + ./modules/dkim-fueltide.nix ./utils/modules/borgbackup.nix ./utils/modules/promtail 
diff --git a/hosts/mail/modules/dkim-fueltide.nix b/hosts/mail/modules/dkim-fueltide.nix
new file mode 100644
index 0000000..2a0af27
--- /dev/null
+++ b/hosts/mail/modules/dkim-fueltide.nix
@@ -0,0 +1,28 @@
+{ config, pkgs, ... }:
+
+{
+ sops.secrets.rspamd-dkim-fueltide-io-key = {
+ owner = "rspamd";
+ group = "rspamd";
+ mode = "0400";
+ };
+
+ # rspamd's dkim_signing module in rspamd.nix picks up per-domain keys from
+ # /var/lib/rspamd/dkim/$domain.$selector.key. This one-shot drops the
+ # fueltide.io key into place before rspamd starts.
+ systemd.services.rspamd-dkim-fueltide-setup = {
+ description = "Install fueltide.io DKIM key into rspamd";
+ wantedBy = [ "multi-user.target" ];
+ before = [ "rspamd.service" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ script = ''
+ install -d -o rspamd -g rspamd -m 0750 /var/lib/rspamd/dkim
+ install -o rspamd -g rspamd -m 0400 \
+ ${config.sops.secrets.rspamd-dkim-fueltide-io-key.path} \
+ /var/lib/rspamd/dkim/fueltide.io.default.key
+ '';
+ };
+}
diff --git a/hosts/web-arm/modules/supabase/FUELTIDE_AUTH_SETUP.md b/hosts/web-arm/modules/supabase/FUELTIDE_AUTH_SETUP.md
new file mode 100644
index 0000000..16f3dc9
--- /dev/null
+++ b/hosts/web-arm/modules/supabase/FUELTIDE_AUTH_SETUP.md
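Review bot: The `script` in dkim-fueltide.nix copies the decrypted DKIM private key from the sops-nix secret path into `/var/lib/rspamd/dkim/fueltide.io.default.key`, which leaves a second plaintext copy on persistent disk that outlives a secret rotation and may be picked up by whatever backs up `/var` on this host. If the dkim_signing configuration in rspamd.nix (not shown) can point at `config.sops.secrets.rspamd-dkim-fueltide-io-key.path` directly, or the script links the file with `ln -sfn` instead of `install`, the key stays only in the sops-managed location. Separately, `before = [ "rspamd.service" ]` only orders the two units; adding `requiredBy = [ "rspamd.service" ];` would keep rspamd from starting without the key, which would likely mean unsigned mail under the `p=quarantine` DMARC policy described in the setup doc.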
@@ -0,0 +1,246 @@ +# Supabase auth setup: Google + Apple OAuth, fueltide.io email + +This doc lists the **user-side steps** required to make the code changes in +this branch functional. Nothing here is performed by Nix — these are manual +actions on external services, LDAP, SOPS, and DNS. + +The Nix changes in this branch cover: + +- `hosts/web-arm/modules/supabase/default.nix` — GoTrue env for Google + Apple + OAuth, SMTP pointed at `mail.cloonar.com:587`, `MAILER_AUTOCONFIRM=false`, + `SITE_URL` + `URI_ALLOW_LIST` for fueltide.io, python+cryptography in the + env-generate path (for Apple JWT signing). +- `hosts/web-arm/modules/supabase/env-generate.sh` — new `auth.env` block that + pulls SMTP + OAuth creds from SOPS and signs the Apple client-secret JWT + fresh on every activation. +- `hosts/mail/modules/dkim-fueltide.nix` — installs a per-domain DKIM key for + fueltide.io into rspamd so outbound mail from `noreply@fueltide.io` is + signed. + +Complete the seven steps below **before** merging to master. Merging without +them will deploy a broken GoTrue (missing OAuth/SMTP creds → auth emails fail, +OAuth flows 500). + +--- + +## 1. LDAP service account + fueltide alias on `mail.cloonar.com` + +Mirrors the `gitea@cloonar.com` / `authelia@cloonar.com` pattern. The alias +on `noreply@fueltide.io` is what `smtpd_sender_login_maps` uses to let the +`supabase` SASL user send as that address without tripping +`reject_authenticated_sender_login_mismatch`. + +```bash +# on mail.cloonar.com +SMTP_PASS=$(openssl rand -base64 30 | tr -d '/+=' | head -c 32) +echo "SMTP_PASS (store this in SOPS, step 3): $SMTP_PASS" +CRYPT=$(mkpasswd -m sha-512 "$SMTP_PASS") + +cat > /tmp/supabase.ldif < goes into SOPS (step 3) +# public key: printed to stdout -> goes into DNS (step 4) +``` + +Wipe the temp dir once both are copied out. + +## 3. 
SOPS edits (two files) + +### `hosts/mail/secrets.yaml` + +```bash +nix-shell -p sops --run 'sops hosts/mail/secrets.yaml' +``` + +Add: + +```yaml +rspamd-dkim-fueltide-io-key: | + -----BEGIN PRIVATE KEY----- + + -----END PRIVATE KEY----- +``` + +### `hosts/web-arm/secrets.yaml` + +```bash +nix-shell -p sops --run 'sops hosts/web-arm/secrets.yaml' +``` + +Inside the existing `supabase-env` multiline value, append eight new lines +(these are sourced as shell variables by `env-generate.sh`): + +``` +SMTP_USER=supabase@cloonar.com +SMTP_PASS= +GOOGLE_CLIENT_ID=<from step 5> +GOOGLE_SECRET=<from step 5> +APPLE_TEAM_ID=XWJ4DC7TBH +APPLE_KEY_ID=<from step 6> +APPLE_SERVICES_ID=com.cloonar.supabase.fueltide +APPLE_PRIVATE_KEY=-----BEGIN PRIVATE KEY-----\n<.p8 body>\n-----END PRIVATE KEY----- +``` + +Note on `APPLE_PRIVATE_KEY`: it must be **one line** with literal backslash-n +separating the PEM lines (no real newlines inside the value). The python +signer in `env-generate.sh` un-escapes those via `decode("unicode_escape")` +before loading the PEM. To format an existing `AuthKey_XXX.p8` as that single +line: + +```bash +awk '{printf "%s\\n", $0}' AuthKey_XXXXXXXXXX.p8 +``` + +## 4. DNS records for `fueltide.io` + +Add on whichever DNS provider hosts fueltide.io: + +``` +TXT @ v=spf1 mx a:mail.cloonar.com ~all +TXT default._domainkey v=DKIM1; k=rsa; p=<public key from step 2> +TXT _dmarc v=DMARC1; p=quarantine; rua=mailto:postmaster@cloonar.com; fo=1 +``` + +PTR for mail.cloonar.com is already set (it's been sending for cloonar.com). +If fueltide.io has no MX record, outbound is fine but bounces from remote MTAs +won't route — acceptable for one-way transactional mail. Add an MX pointing at +`mail.cloonar.com.` if you want bounces to be received. + +## 5. Google Cloud OAuth client (≈ 5 min) + +1. console.cloud.google.com → **APIs & Services → OAuth consent screen**. + External user type. App name `Fueltide`, user support email, developer + contact. 
Scopes: `openid`, `email`, `profile`. Submit (or keep in testing + if only internal users). +2. **Credentials → Create Credentials → OAuth client ID → Web application**. + Name `Supabase`. Authorised redirect URI: + `https://supabase.cloonar.com/auth/v1/callback`. +3. Copy Client ID + Client Secret → into SOPS as `GOOGLE_CLIENT_ID` and + `GOOGLE_SECRET`. + +## 6. Apple Developer Sign in with Apple (≈ 15 min, paid account required) + +1. developer.apple.com → **Certificates, IDs & Profiles → Identifiers → + + → Services IDs**. Description `Fueltide Supabase Auth`. Identifier + `com.cloonar.supabase.fueltide`. Check **Sign in with Apple → Configure**. +2. Primary App ID: existing `io.fueltide.workout` (Team `XWJ4DC7TBH`, see + `hosts/web-arm/sites/fueltide.io.nix`). Domains and Subdomains: + `supabase.cloonar.com`. Return URLs: + `https://supabase.cloonar.com/auth/v1/callback`. Save. +3. **Keys → +** → name `Fueltide Supabase Auth` → check **Sign in with Apple + → Configure** → primary App ID `io.fueltide.workout`. Register. +4. **Download the `.p8` file now** — Apple only offers it once. +5. Note the Key ID (10 chars) displayed on the key page. +6. Team ID is `XWJ4DC7TBH` (already known). +7. Into SOPS on web-arm: + - `APPLE_TEAM_ID=XWJ4DC7TBH` + - `APPLE_KEY_ID=<from step 5>` + - `APPLE_SERVICES_ID=com.cloonar.supabase.fueltide` + - `APPLE_PRIVATE_KEY=<single-line .p8 as described in step 3>` + +### iOS native flow (optional) + +If the fueltide iOS app will use `supabase.auth.signInWithIdToken({ provider: +'apple', token: identityToken })` (native `AuthenticationServices` SDK, no web +browser), the iOS bundle ID must also appear in `GOTRUE_EXTERNAL_APPLE_CLIENT_ID`. 
+Change the line in `env-generate.sh` that currently reads: + +```sh +GOTRUE_EXTERNAL_APPLE_CLIENT_ID=${APPLE_SERVICES_ID:-} +``` + +to something like: + +```sh +GOTRUE_EXTERNAL_APPLE_CLIENT_ID=${APPLE_SERVICES_ID:-},io.fueltide.workout +``` + +(GoTrue accepts a comma-separated audiences list here and validates incoming +id_tokens against any of them.) + +## 7. Merge and deploy + +Once steps 1–6 are done: + +```bash +./scripts/test-configuration web-arm +./scripts/test-configuration mail +git checkout master +git merge --no-ff <this-branch> +git push +``` + +Bento rolls out both hosts. On `web-arm.cloonar.com`: + +```bash +sudo systemctl restart supabase-env-generate +sudo cat /run/supabase/auth.env # expect 8 new vars populated +sudo podman exec supabase-auth nc -vz mail.cloonar.com 587 +sudo podman restart supabase-auth +``` + +### Verification checklist + +- [ ] `/run/supabase/auth.env` contains `GOTRUE_EXTERNAL_APPLE_SECRET=<long-JWT>`. +- [ ] Second `systemctl restart supabase-env-generate` produces a different + Apple JWT (freshness — signed with new `iat`). +- [ ] `curl -X POST -H 'apikey: <anon>' -H 'Content-Type: application/json' \ + https://supabase.cloonar.com/auth/v1/signup \ + -d '{"email":"<real inbox>","password":"correct horse battery staple"}'` + delivers a mail with `From: noreply@fueltide.io` within ~30 s. +- [ ] Mail headers show `dkim=pass`, `spf=pass`, `dmarc=pass` + (`Authentication-Results` header). +- [ ] `POST /auth/v1/recover` triggers a reset mail. +- [ ] Browser visit to + `https://supabase.cloonar.com/auth/v1/authorize?provider=google` + completes and lands on `/auth/v1/callback`. Row in `auth.identities` + with `provider='google'`. +- [ ] Same with `?provider=apple` from a page Apple's Return URL accepts. +- [ ] Send a signup to [mail-tester.com](https://www.mail-tester.com/) — target + ≥ 9/10 spam score. + +## Rotation notes + +- **Apple client-secret JWT**: auto-regenerated on every activation + (`supabase-env-generate.service`). 
No manual rotation. +- **Apple `.p8` key**: no expiry, but revoking it in the Apple console + immediately breaks auth. If ever rotated, update `APPLE_KEY_ID` and + `APPLE_PRIVATE_KEY` in SOPS together. +- **Google client secret**: no expiry; rotate via Google Cloud console if + leaked and update `GOOGLE_SECRET` in SOPS. +- **DKIM key**: no expiry, but best practice is to rotate yearly. Rotation + = regenerate keypair (step 2), replace the SOPS value (step 3), update DNS + (step 4), deploy. Keep both old+new DNS records live for 24h during + cutover. +- **SMTP LDAP password**: no expiry. To rotate, run `mkpasswd` again and + update both the LDAP userPassword attribute and SOPS `SMTP_PASS`. diff --git a/hosts/web-arm/modules/supabase/default.nix b/hosts/web-arm/modules/supabase/default.nix index 4519e7e..5613edf 100644 --- a/hosts/web-arm/modules/supabase/default.nix +++ b/hosts/web-arm/modules/supabase/default.nix @@ -19,11 +19,14 @@ in sops.secrets.supabase-env = { }; # --- Persistent data directories --- + # Postgres data lives in a named podman volume (supabase-db-data) so podman + # owns the permissions on the container's postgres UID; logical dumps go to + # /var/backups/supabase where borg picks them up from /var. systemd.tmpfiles.rules = [ - "d /var/lib/supabase/db/data 0700 root root -" "d /var/lib/supabase/storage 0755 root root -" "d /var/lib/supabase/functions 0755 root root -" "d /var/lib/supabase/snippets 0755 root root -" + "d /var/backups/supabase 0700 root root -" ]; @@ -67,7 +70,12 @@ in supabase-env-generate = { description = "Generate Supabase per-container env files from SOPS secrets"; wantedBy = [ "multi-user.target" ]; - path = [ pkgs.jq ]; + # python+cryptography is used to sign the Apple OAuth client-secret JWT + # (ES256) inside env-generate.sh. + path = [ + pkgs.jq + (pkgs.python3.withPackages (ps: [ ps.cryptography ])) + ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; 
@@ -95,9 +103,38 @@ in after = [ "supabase-functions-seed.service" ]; requires = [ "supabase-functions-seed.service" ]; }; + # Logical daily dump of the containerised Postgres cluster. Writes to + # /var/backups/supabase which is covered by the borg path /var; + # /var/lib/containers (the named-volume storage) is excluded from borg, + # so the dump is the only copy borg ships off-host. + supabase-db-backup = { + description = "pg_dumpall of the Supabase Postgres cluster"; + after = [ "podman-supabase-db.service" ]; + requires = [ "podman-supabase-db.service" ]; + serviceConfig = { + Type = "oneshot"; + }; + script = '' + set -euo pipefail + tmp=/var/backups/supabase/supabase-all.sql.tmp + out=/var/backups/supabase/supabase-all.sql + ${pkgs.podman}/bin/podman exec -u postgres supabase-db \ + pg_dumpall -U postgres --clean --if-exists > "$tmp" + mv "$tmp" "$out" + ''; + }; } ]); + systemd.timers.supabase-db-backup = { + description = "Daily Supabase Postgres dump"; + wantedBy = [ "timers.target" ]; + timerConfig = { + OnCalendar = "*-*-* 02:30:00"; + Persistent = true; + }; + }; + # --- Containers --- virtualisation.oci-containers.containers = { @@ -114,7 +151,7 @@ in }; environmentFiles = [ "/run/supabase/db.env" ]; volumes = [ - "/var/lib/supabase/db/data:/var/lib/postgresql/data" + "supabase-db-data:/var/lib/postgresql/data" "${./sql/_supabase.sql}:/docker-entrypoint-initdb.d/migrations/97-_supabase.sql:ro" "${./sql/realtime.sql}:/docker-entrypoint-initdb.d/migrations/99-realtime.sql:ro" "${./sql/logs.sql}:/docker-entrypoint-initdb.d/migrations/99-logs.sql:ro" 
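Review bot: A catch-up run caused by `Persistent = true` can fire right after boot, when `podman-supabase-db.service` is active but Postgres inside the container may not yet accept connections. `pg_dumpall` then fails, and as far as the visible unit shows nothing retries or alerts until the next night, so borg keeps shipping the previous dump. Consider waiting on `pg_isready -U postgres` inside the container before dumping, or adding `Restart = "on-failure"; RestartSec = "60";` to `serviceConfig`. Because the dump contains role password hashes and the auth schema, a `umask 077` at the top of the script would keep the file private independently of the directory mode.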
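Review bot: Switching the data mount from the bind path `/var/lib/supabase/db/data` to the named volume `supabase-db-data` gives the container an empty data directory on first start, so if this host already holds a cluster under the old path, Postgres will initialise a fresh one and the existing databases (including the auth tables) are left behind unreferenced. Nothing in the visible hunks copies the old directory into the volume, and the tmpfiles rule for the old path is dropped in the same commit. If data exists, a one-time migration step should be documented next to the `volumes` entry, e.g. `# one-time: dump/restore or copy /var/lib/supabase/db/data into supabase-db-data before first start`.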
@@ -166,8 +203,8 @@ in
 GOTRUE_API_PORT = "9999";
 API_EXTERNAL_URL = "https://supabase.cloonar.com";
 GOTRUE_DB_DRIVER = "postgres";
- GOTRUE_SITE_URL = "https://supabase.cloonar.com";
- GOTRUE_URI_ALLOW_LIST = "";
+ GOTRUE_SITE_URL = "https://app.fueltide.io";
+ GOTRUE_URI_ALLOW_LIST = "https://app.fueltide.io,https://app.fueltide.io/**,https://app.stage.fueltide.io,https://app.stage.fueltide.io/**,io.fueltide.workout://";
 GOTRUE_DISABLE_SIGNUP = "false";
 GOTRUE_JWT_ADMIN_ROLES = "service_role";
 GOTRUE_JWT_AUD = "authenticated";
@@ -175,19 +212,21 @@ in
 GOTRUE_JWT_EXP = "3600";
 GOTRUE_EXTERNAL_EMAIL_ENABLED = "true";
 GOTRUE_EXTERNAL_ANONYMOUS_USERS_ENABLED = "false";
- GOTRUE_MAILER_AUTOCONFIRM = "true";
- GOTRUE_SMTP_ADMIN_EMAIL = "admin@cloonar.com";
- GOTRUE_SMTP_HOST = "supabase-mail";
- GOTRUE_SMTP_PORT = "2500";
- GOTRUE_SMTP_USER = "";
- GOTRUE_SMTP_PASS = "";
- GOTRUE_SMTP_SENDER_NAME = "Supabase";
+ GOTRUE_MAILER_AUTOCONFIRM = "false";
+ GOTRUE_SMTP_ADMIN_EMAIL = "noreply@fueltide.io";
+ GOTRUE_SMTP_HOST = "mail.cloonar.com";
+ GOTRUE_SMTP_PORT = "587";
+ GOTRUE_SMTP_SENDER_NAME = "Fueltide";
 GOTRUE_MAILER_URLPATHS_INVITE = "/auth/v1/verify";
 GOTRUE_MAILER_URLPATHS_CONFIRMATION = "/auth/v1/verify";
 GOTRUE_MAILER_URLPATHS_RECOVERY = "/auth/v1/verify";
 GOTRUE_MAILER_URLPATHS_EMAIL_CHANGE = "/auth/v1/verify";
 GOTRUE_EXTERNAL_PHONE_ENABLED = "false";
 GOTRUE_SMS_AUTOCONFIRM = "false";
+ GOTRUE_EXTERNAL_GOOGLE_ENABLED = "true";
+ GOTRUE_EXTERNAL_GOOGLE_REDIRECT_URI = "https://supabase.cloonar.com/auth/v1/callback";
+ GOTRUE_EXTERNAL_APPLE_ENABLED = "true";
+ GOTRUE_EXTERNAL_APPLE_REDIRECT_URI = "https://supabase.cloonar.com/auth/v1/callback";
 };
 environmentFiles = [ "/run/supabase/auth.env" ];
 extraOptions = supabaseNet ++ [
diff --git a/hosts/web-arm/modules/supabase/env-generate.sh b/hosts/web-arm/modules/supabase/env-generate.sh
index ecf4f1b..ba8278c 100644
--- a/hosts/web-arm/modules/supabase/env-generate.sh
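Review bot: `GOTRUE_URI_ALLOW_LIST` on this production instance also admits `https://app.stage.fueltide.io/**` and the bare custom scheme `io.fueltide.workout://`, and both widen where GoTrue will send confirmation links and OAuth results. A staging host typically has weaker controls than production, and a custom URL scheme is not bound to one app by the platform, so the scheme alone does not authenticate the redirect target. Consider dropping the stage entries from this instance (or giving staging its own GoTrue), keeping the mobile client on the PKCE flow, and narrowing the scheme entry to the exact callback, e.g. `io.fueltide.workout://<callback-path>` with the app's real path filled in.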
+++ b/hosts/web-arm/modules/supabase/env-generate.sh 
@@ -22,9 +22,49 @@ LOGFLARE_PRIVATE_ACCESS_TOKEN=$LOGFLARE_PRIVATE_ACCESS_TOKEN POSTGRES_BACKEND_URL=postgresql://supabase_admin:$PG_PASS_ENCODED@db:5432/_supabase EOF +# Apple client-secret is a short-lived JWT signed with the .p8 key downloaded +# from Apple Developer. Re-sign on every activation (lifetime 180 days, Apple's +# cap) so there is no manual rotation ritual. The SOPS-sourced APPLE_PRIVATE_KEY +# is stored as a single line with literal \n separators; python un-escapes it. +APPLE_SECRET="" +if [ -n "${APPLE_TEAM_ID:-}" ] && [ -n "${APPLE_KEY_ID:-}" ] \ + && [ -n "${APPLE_SERVICES_ID:-}" ] && [ -n "${APPLE_PRIVATE_KEY:-}" ]; then + APPLE_SECRET=$( + APPLE_TEAM_ID="$APPLE_TEAM_ID" \ + APPLE_KEY_ID="$APPLE_KEY_ID" \ + APPLE_SERVICES_ID="$APPLE_SERVICES_ID" \ + APPLE_PRIVATE_KEY="$APPLE_PRIVATE_KEY" \ + python3 - <<'PY' +import base64, json, os, time +from cryptography.hazmat.primitives import serialization, hashes +from cryptography.hazmat.primitives.asymmetric import ec +from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature +def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode() +now = int(time.time()) +header = {"alg": "ES256", "kid": os.environ["APPLE_KEY_ID"], "typ": "JWT"} +payload = {"iss": os.environ["APPLE_TEAM_ID"], "iat": now, "exp": now + 86400 * 180, + "aud": "https://appleid.apple.com", "sub": os.environ["APPLE_SERVICES_ID"]} +parts = (b64u(json.dumps(header, separators=(",", ":")).encode()) + + "." + b64u(json.dumps(payload, separators=(",", ":")).encode())).encode() +pem = os.environ["APPLE_PRIVATE_KEY"].encode().decode("unicode_escape").encode() +key = serialization.load_pem_private_key(pem, password=None) +der = key.sign(parts, ec.ECDSA(hashes.SHA256())) +r, s = decode_dss_signature(der) +raw = r.to_bytes(32, "big") + s.to_bytes(32, "big") +print(parts.decode() + "." 
+ b64u(raw)) +PY + ) +fi + cat > /run/supabase/auth.env <<EOF GOTRUE_JWT_SECRET=$JWT_SECRET GOTRUE_DB_DATABASE_URL=postgres://supabase_auth_admin:$PG_PASS_ENCODED@db:5432/postgres +GOTRUE_SMTP_USER=${SMTP_USER:-} +GOTRUE_SMTP_PASS=${SMTP_PASS:-} +GOTRUE_EXTERNAL_GOOGLE_CLIENT_ID=${GOOGLE_CLIENT_ID:-} +GOTRUE_EXTERNAL_GOOGLE_SECRET=${GOOGLE_SECRET:-} +GOTRUE_EXTERNAL_APPLE_CLIENT_ID=${APPLE_SERVICES_ID:-} +GOTRUE_EXTERNAL_APPLE_SECRET=$APPLE_SECRET EOF cat > /run/supabase/rest.env <<EOF From 5c6b4f18eb0888720582878c448468cc2c8402b1 Mon Sep 17 00:00:00 2001 From: Dominik Polakovics <dominik.polakovics@cloonar.com> Date: Fri, 24 Apr 2026 18:57:09 +0200 Subject: [PATCH 3/5] fefeat: supabase add secrets and change to just ios native auth --- hosts/mail/secrets.yaml | 57 +++++---- .../modules/supabase/FUELTIDE_AUTH_SETUP.md | 117 +++++++---------- hosts/web-arm/modules/supabase/default.nix | 9 +- .../web-arm/modules/supabase/env-generate.sh | 36 ------ hosts/web-arm/secrets.yaml | 120 +++++++++--------- 5 files changed, 134 insertions(+), 205 deletions(-) diff --git a/hosts/mail/secrets.yaml b/hosts/mail/secrets.yaml index a50f7ce..689069b 100644 --- a/hosts/mail/secrets.yaml +++ b/hosts/mail/secrets.yaml 
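Review bot: The new `auth.env` lines use `${SMTP_USER:-}`, `${GOOGLE_SECRET:-}` and an `APPLE_SECRET` that stays empty when any Apple variable is missing, so the oneshot succeeds and GoTrue starts with the providers enabled in default.nix but with blank credentials. Failing early is easier to notice, for example `: "${SMTP_PASS:?SMTP_PASS missing from supabase-env}"` for each required value before the heredoc. Separately, the added comment promises re-signing "on every activation", but the JWT is only produced when this script actually runs; if the unit is not re-run within 180 days the Apple secret expires, so a periodic timer for the unit would back up that claim. The start of the script is outside the hunk, so whether `set -e` or a restrictive `umask` already applies to `/run/supabase/auth.env` cannot be seen from here.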
@@ -1,47 +1,48 @@ -borg-passphrase: ENC[AES256_GCM,data:D6+ZedxUQ7m/m0YkM5m/B4kFsNySJjFyh8Gmhn3Mpe+mqEzzMRjAbwmGzx9i9Lnr1dTjRElUOgevnnvW5J2KRA==,iv:cG4w1KsEm1SOTni9bsbSW1+ypzjjs2Q42I+4xvcCAu0=,tag:WkkNVa27Uy5nFpmXaIH6ww==,type:str] -borg-ssh-key: ENC[AES256_GCM,data:T/EPWSuY9Ocj6D8nL2pfPg7r/lN4TyS7SiAqhQhkr10Y3R2mzfgMrOZTg/MrYv3/uNCt5h9TBDxwmiAwSmBzBSms0T5qD8aSxLgbmc6MAG7FSm7cGFf6x/7fMgVn7DAlwMz+4t/PkVk1iCRG4IwzimXwBvq73yIZuAiIARq0Azin7YAoSKjxnZ8ACkyRVCecf45pk7ModRmPLSDK8MZcT7bcHpZt6gQKx72OXSCJTD5FRUX180miUaywf7SxF1goEGRSmwtFDhyVs8iThiqyz0IsElB/dPGR+vYQwlFNWOFUshfAifz5tHXkvaKt08EJKyVV2TUqEsUETfFEqQW+8YNym3wBvrlnXm05DrHnfjz9GOEeUr35d9ESNgS+J5SzWVDitK29ca7QiaQ+YfaDn4/4mOGKSbPUnqOgRBoqXhJMV4ddV0lTKgBrg9isBVPgaye2prcHGjtUkVw2Kyh1omT3RKv6y7X+jfOpeOWOiByN73PCsZF7g+FFlP0K5jcfm4y4yaD8y6NlEaozrabuCIpY2ZUdZ/aH11vzLAk+LB8XE6lJ5MKMNPjNRftErJ9iE3OaOyan1ovTzaGqzaEwGtx/MZpk5hWNUwcSrJvZDqDuKO4+OhwMedvCCRKtNFIbEZ49EJrtp326Y1EelhfWgls5nJFPXukHo/C17ybsP4uFySFz/M13RVTIRntn7WKoh0bH7na2XgVGtXmI2plqVA5zppCbVTzr9+pAAD9RvXTX7t12gA1iNmdxM8alOeoZ41JXHd6BDF4bvDLVMhFhlslDLZ3wNV/QPWcSczinpJlvEQ13/WFN/NTO25Y16p+oxY9g8QD3pNEkAVLOMYjnEUlV6+DQcZbxzU8RCfpEzfVsOqbztTihDgHD5ldWt/VpN4ncm/WCVCWBlT33iiTxufC8htY3SjXt8JULEt0049HNIbNwj1awZwqTgT4z06okf7sz0m8Y/U8D5MCu8uNpt7QJBftVHxCKSUmQ4NJRicMDhlrpEJklQYlRtsvKlL/ntnyf5ZoUnkX03AoG0zh4Dh0LydGKC9RsKfwJeU+684d3opBI9eIYL6Rp/XB60LKcUA6Q+m7BgB7Tjck2YbG8nFPLaV3PdmIejlE0agICJ8Hef8rnqdU/r6X92gCEBvGXNbuqsKJvDTYPafQP8U6rXc7Tq+g68zfCOijIuHyKjkzdtIom8KMi5MUdFBSXK22xB1q4ye+QaCaAdN/1Xe6KDxWiafPG+BkpExh7hXbqZU1MyiTYMExpilY30e+CmPXMdxAWmygOxwUk+mPbuWrF0oh16DYN0dS38gUbo2Z4fjRvYIoZea1pu8niQRfhTVgLZVpEN07pYPu2farsPCPIXPalXVcijVO/yi2Dg4uhTsjzW/aRZ6XDIoXRd59v5hG+L27l7gTIXfTx1+htwClRJjYxFy6hTL+ZjcKdNrz/jezXPrR7kRHNEEfJM/ysv8d/7Ghpt+wITgc22bdnxKJv9rWnoKDEQ/FRGm6Y/eMisOttUFFlznQi2lqShOxPXnnuOnpndklcxPM8FowlL4FMDN7QUW3kdXJ2j0GgN4o34oKhqvXjtjf9Dk5r5KB+GTeOhf3SJXgeR4llaSAQXjzGdZqk0g34YTa3qb8rVxDSBKEHOnKs+Cr/4H09k62S/3SzZfrBIaaZ6Ey1b+bFfnbJJlD/Y/1Hwd5IhNbMHj7bfOKC8VabieeHwMbWfkGdnnmdY5LLJ
qXAwANrCIYZrEpm38pYJiKes5GrAz8caK2rPIhAPShURwkjCsvowmadTvnEbO/KoaUIcqk40wYdM6NAlVme6dLXxeVN7Y3K6UAWFIIZtYarAog0Axncs30shIoy1CGd6dN87tuK+/twO/jr458fJInumXSMRy2X2K0MKPLONF9FcP/EWENa+H43Zcfo1y42HkoYxI70R2YqOlpbtJUk8/8PqVSlJBrbgpBZNzAMCbsIjhrBevISerf8Sa8X6WC/KjwswjfGJ7h+FEnrPutKJg/ajDywAI+RZ3H+5zWm/CZxBYT6k4w6gAWZva0Nlx6jWQExONGQfUBkrRrRfIHhWl3c+k5VrhyzwW9fmAB9XmT1iYbk9T+ZNU/O8HY1bAZWufS4G7GaHchbPIvz3edMvP+zrGBZXPPJE3abls9oUcVZ223NFU1RPMZwG7LqL0fzfHXl4zx82TEXn14dAIBBVr67RAejz5xOGf8I2MpYQ6RAxvfhc7bjWY9/FU1RU09ob7usJCZphm51oa4TR7kz0AH1HxSOGfCJKLdYjBxbylR1GxY1bUTokLVWEYHalCr6d4lyEmUHM3+1vBUQQ6aq81njW33yGvwclUvhWj4sB51WPaREcYQsPkYnftN/dRSKVQoEZckgmIvML3lUwiVMLGlXlcUViyQpktnWAWxXgw5GH6KXMqoI43jRmxTeR3KrVyZRJBlDj/AnGWOD37fndGuMdpmAIGX/1fZnUUCxNhhuou20LvOr8BnjcHP9pBjtRPxu4o9fFmnzNCt43SC2ivMDOLxL/Uq6batacYrRnLtK4XnNqzfpCqe1bkfBsmTbRGnwPIJrA7TThfHH322DLy/GueYiddIa5spqdIH2jI8nfjKq4SxLtwsNZ4GUG/z83YQEg0Z8I/CQhYh3Y8Gcjb4ZUrOg9n84iLADDOn2j9CI1QfsyJAt+qLEDPRJ9yMRefmq7BAxvGbNq+4YUbj4Fo6K2FwaO2quUVl7RpfVgT/WvXTJS4pAndPJt4PrG03X56ra3yOTtlZqPvGR+XGjp56hG5I5AtQ27JmB6S30EncH9sDLDPucNtEzn57cY90kAZSdDYjBkJ5/lC3xJOB4UiAs582UgyIiVlL/mvjXd1kajAcchfUYnjEUkgFuOoRysWDO/rq8aDFYg/jokUNOn4ent7xXzlfEXkpMZ00coZ7gi+CjKOf29+/ZE1wCfbRhBds/mCmAerWJo24vb632lTCWKImbHo36WuBAvKqofFNpVyMRQ+OKm9Bzr2jQD7W4+1CUk/ZatGVWJHCPsEGWt/L0Fj8K3NzF135c9d8aZ9HqC9XNqOKTZpNe9QSMc5S+tD1ZUxHVrDHny0fOKaWGVHtgyNkcyte0l16wet1z+xZcPCKr8ieMSqh+HgfT2/kWjpb1hlmyEDFmPnnbmhCDD2QWstX8vCa9JTdd0OLb3rTgPMlbxPPIiWQGSBc6tig7X3mZbebweRz5ktqrdMvK3ter9bVC9T2TF6EiCktxw+IdS9MONajvoGAaR2k1nGbfKDSVIKk1ialfv1FGJu1gUA8J0pvXqbrTJfSPOH4iuJrWJut0UpJeHrUuh0ODguNriBivobZeaRamUA/PPNvM5KCSUQUtefDnVINsJSoT4yXn55fkRwvb2957AfHI8yMRg9KtNIYj8i5KsEsw4gE53Lr+NU7Wq2O08+v2mUSNjP0REWgu0Dw0M4/Q9eykLV/ZRnhRcbUZyA==,iv:yA1CkRMapP1S3zMwu6Tj0/0/HHpwD1yRAm/qrZx/kPs=,tag:SYg2IoXeD9fMYb35J/AJ1Q==,type:str] -netdata-claim-token: 
ENC[AES256_GCM,data:ECx8zLnU/dj08vfA76oVbVzL3JG9MLBoFmxSjtjiFbSiFtdaHtG/8u5FEuyQ1bQMQntV91xj7x1kY8fAp7VNbWyC13pOEOrt6rvJYch14eM3bqNvfGeqgJsHmAaRbY6mBrxJBkiRJBLYVil4e1oDNZVnzFQ4ditXZbMGtAV2063K1MRI/48p,iv:viE84mOp5KSdj8vdK5XxR0W9A54oPxQO5ahnpPLeAdE=,tag:WjzKjGXRRAc7vlzreFHbng==,type:str] -openldap-rootpw: ENC[AES256_GCM,data:W0em1Dffg+IUoynwwPD4NjFksR38ZO4mhWFI83ALvYcwYIplxw/gDRLGCqbSt6TR5C65CKr1sOUiU+4Xq3UWmw==,iv:BHQhISTIYuwSM3KiSb0mEEo3BMNo6FXEDXoIvI3SZrU=,tag:tX8gfnk1JYnaNionk/jrLg==,type:str] -dovecot-ldap-password: ENC[AES256_GCM,data:JYAt8/WggwclNEPO9CaWfQsvQBA8DDJCU2km93HpowoVwIdvQ/0lQHeXndPYe1EmJGJ3vLErie+Zn2kDINIMqQ==,iv:HR0QJ0GgQks3NzhfXwjHupCKcPOekkiTcp5Jxbz7CxI=,tag:19m7F6TjGUPOuHQJuUq2pw==,type:str] +borg-passphrase: ENC[AES256_GCM,data:BPfGmuF0wI6LAge/wWObEHhUxfyNHYmFHJW3kkFxxHQDjQqQtORfGiQGUYnzw6BhJa7FGpvHHiagLbSZcpXvWw==,iv:jzm3toujgf2rCwDokbR3/YEs6BBwt5DNUyzoLQiBlSE=,tag:/X/7tG1bG/wqNhshMfUkSg==,type:str] +borg-ssh-key: ENC[AES256_GCM,data:TIjsBcgwigIkpC6yGL+YwnGA8HVfutVJVBL4fCBpH+SIhK6RIGrdry6FiZCOvlIMMOIeB4zc8FCaiIhT/AqdwkGDz/KHzoau8TQfT2XBxa+2Zpwk6yvp62R099lECpZTk6RjoE0iBYhIUFKVJSpwbqf7TcGSLm21tVXyrE0KyF4+keQbly1TVSbx3NJyfsJl8XkzeoCgt2pltk0i365sWoWXoLnsMnzYTZUZ5CgJ2sSqyPFcQP/kb9BgjDWUwHHrKNkHZTirpLis1bI9oDC2yFHlTNPVkElEF6ot0m4ElQZEG6x0e9QLcftPbIiyD1j7jpaRYYFWOX1co4aUzgpb3tNZMsB3cEdked2U9Q9u27tcc+elsqfinGAiDvzpH0G69HN1ECZ4oH2gCTUkqtdp6LvwHF1DhrMh/w4V9G5QjmIgU873H48vYhOOVzfqMjAWp8reZofcKsv+B1EjVDODFtsal4QZ1jStBUg8Jhg6cm+snu7QdkhWehZSbHMMNqEm0VH8q0hh7atYAl0iNT0Z03IzC5L/tfmdOJwbXHbC6gzgYcVshOTzTjkO/8Rei9kouHZXrm63nRWStWPZtSjVXK6jCSGj5RZ9hIo6BTWMq7K5pEwJkoD8h5DBB/erRHU3WnivhtVh7aU7gewV6dLZARsLzLAy47dftva1lG154+8ybql4ikEGLdejVsqrZDNtOS53Vm2WCj/3VVTZx4tuR13y+0xnwBUQ6JJBZLT2CwB7ZZSyC0QS4RGF5xEfyFRjONShXHoK9TjuCuGqDitoThDdZzAu7fghQGWtJ4rjTe8IZCYh3ApMA3T2mVmPZ2KdSySXoks6jwDjob86OGw7fwNh1rpDrPGoGzMg9IqbKmZJvFuuqVHCdpt7o4qXd0J4PGyvklW2JbSeN7IamymRKSQ267LO39wdLtHBrASZp8rHKY6Du7M9jk3CeG0PuZw47LYmtS/YYsaUPtIfvpYlk+iHgsMf5T4aV94Ipltng1zzYL0SGvd0I+mioDfLkXyO4oP4l
XWsJSXCxUktR0Q+zK+HgcnD8xNPvr7HQti31BZhML1wDfIlkqPxSKTnyA81YFdPjHbtMUFKX7z3asu3HPXNojU+qdrGID0X4xHoDUtKYj1EuY8Cdg3yI5IBuZkB4C60abVtG8cQsJm20O20vxXYn0GsPm7COxUD2NREwTC2Bs4LbdQQzMbqTiDmoP9fjkX5R/FGAjIbyT1oqgXXOR9H6XOMCKOSwKOil++G/AvzpTBGEBDwbUdCh+34W+qDoNY+xts/y+jFkyiIfBqgpu7gkDw6mTxkpeG6J9CzwMGRtgxr4XWQfW7x3ET1xgmFxhYdNY4eI0oukO9OId9gTwij7iCjcy6mKiKyAF1I5uNCQWzT0F+v4a0QuFYF4M21gthrVpVYKAUCD9+o8Q0vsj40EnOciuY4aJLUkEnVEiQBIzd9LFD7/W/hU7ErCOEUGcIDNjjFFc5M3D5Tr7LcYJrzWmyTOs40k0eB4l9PwsX9wbNojDPSXM8zUUIbDW9YFPTkSXaMN3FqbwUAKKiEp8So6u182DDjIiAnDUwINVSaBchKIb58upxdqX2oj+H24QO+0IeZ5cQrorpzuu/z48i9dOIxlZzO3Si49f1CWZ178saO/jq1BebvGj1Bo6LKQyT5yT9WUPCdJPVIoRmZp/jfLYo8s4o9t9XCf+/iYJvpQshbxFIo4rZU/Bl24wro6BGEtIvHV+g3XjOW47u1YI3bDTScN1P/Iq5OtKyo3VYFvYrRK1QPrweOddQs6zE8oIiZF+1ixNwcx/tW/o4KWk1jBfjqalhvxQj9+tNvZGKxjRgVjyY32j5ZY6KObs1W3EhSPRoUXp3MOUDmh9/4XMK/mpd4Eo3PeB195EgOlwttAwhTcb1GgeOuqVYIFggB00TBNOLGPM4uf0xwlGxZBa4egBHoCyuc4bT3ImaGuwLb4IiUSscLN5r9xWq8w06S8PnxjQVdvT/vI/bNEU5pFBYBH6b/MFhH7PQLHvatFoIU4YlPlL1fKQhDhLUwi91a7cTgdg84nPr8JNJw3BtgGwX5m4FWb1uxcC7Xe7/94BH7ufkfXW11lw3pkWxXtKzxR9+7hHYb5hwbX1D9GfPJXHBDV3BxCgBK/XkzkTu6wZdtjZmdHM9BpBsXawGDWVRk++RYAou3TQx4zMfT9Vkgf15lo0zcR7PMv0aXt3QhhRRxqeeuM/6zSsbBTF//LecgIa18uFipdXqEslF720u6Ta7+9DgtEwMiuxEgrFO1YXF5vuePjyLN/bTE2bJlIZ4SivEx4hhkG94lQIc7U52gfRz+Xcwb39kopaouw0cNn/9rdXY0D354fhwMZSbOeEWuTLC60LccGHczFwTUsdqsZDvRU4v8IGyBqHUxe6Fc27Iie+hR/+yberbWSuKicqIWxRqjTYkMUsP5p9OfG5yzMUSKidKhWFhvC0szwUBsbpt61qyiEzYFFq9Yf3O9AbHHBgYZkV5F9Vn8bpiM0PfmNYy+AchA8SNYRUzGLUfHUdWnz709E+2Np8a5TEzdYaet07BvcLahWXrUBvk2SFF/AdDfsJbN1MKocGcftHghoMdd/CzQD2Dt+kFKGorvglqx3cxShWE6Qepx5FsUVUqfG2UZr9QM6kntPve1kpanIDIs2dlqx8A6gZGp7dUambNduj8ydltJnAKHXv1KaWHstQEW1uGpSwLVr2k4Qz7/kYXOuVnQ/1+cfBWLJVD9VQtMZCZtOWSL/ZazomNTV13v6UiaLcgJiKmYwppUmqinYY/WA/1OQ50LRtP/OvHRZjjgdf0OOHNKnepOMkmEYKLJTHckMOr2ukJS070iXxIGtpzETKoydziyPiBxnEbe2Yi3ZtJxQPQj23IG2kWfbsCjZ+BiD6Eld7/FlHksrFUT6vPnuGHFQOMOFrFYID9Tuxo+laWV8g7nKZ635K742QTlhaSLhtwamBJiZQfs/R7BmkLTt8U4o3iIlP8txtjuYEt0XbQHcKAhJJPj6UMfGwG4y
yao/4DorUhNZygoamcvnQ0dzXcp+T9HMc6hqUtVBcH3v2yqnXlkluxTtNowzkgCacezTeOFTKVALtoX971YvEbHD/0EK+04/ji+ZFqjuS9yahchIivHiLhnrlwNQWiSO+r9SlNxbYNO0OIgFoRRgQkOi7Xti9Bnj5dCgfTg3/pUjnWVmZLOVT0yFQ3PWGZsSBBA416yUr/KJLv0WfD5RzV4+znvkSRDnz79Aq5BIrb8ln9ul/ufmmejgX62Hu+YC2+1UGHM0mnNR1HVUjKePX7wdI/9z3aT1axBHEsOEIX7mx3G4syVRptw5mQh86CbA5BM5UZkE38SvcuMWdzjubZvNYAZ2A4sbO9gBt9xMlfJCA6jSYm8kGD6TD1i1EYwkF/oF/7+DEStBdoqiQXS12R5nJO7kajY6nw0gVy8PMLT8X9GJE6NCujZRQ==,iv:8qdeLajGkVgn5xw44BJNUbUZQH2cMq5mBnZByvktsuI=,tag:YjNLIl0mw7h+6wfI5hYnQQ==,type:str] +netdata-claim-token: ENC[AES256_GCM,data:XB+OXsHtohopphWDWbW7dAI/UXbntsHRIOt4OiWI4QPy1pamL7f9x4QPTMUM2TfVqxrRYGdvDXh0fnUTIK8OqoksrrjdOiy2fQ6k4W7y11+/Un2bEXTMrS3GT3BcVYN9ppc/VUhgX/JDmIm9EptLyASOV0VyQCHOkTVLuyYfQva7tetVgX+W,iv:8cpwuMQi3IAAYSGOzKPTsr+SrUW95UB+YCZBO0sDdEw=,tag:WBcvCoknTgkxgbWRAKWwLA==,type:str] +openldap-rootpw: ENC[AES256_GCM,data:GtR9nwx1f5zx8D8p6cmvCyM1lKyKXDdcum6mCvU87Jm/C868qRiatLDBbP6qUsDzzyFG+9hyVPetik88kGhvrw==,iv:j5JYdAbUga5eUFmIUNrPNZ0G6Sx1zYtb68nNVAClpXs=,tag:WpcrFPRuqTpRZmcrr6T/Vg==,type:str] +dovecot-ldap-password: ENC[AES256_GCM,data:86vTpWKCKINNrkD+a1UJeJkECW+vmIwXrtD4KPyNBmmPN6xi+LutzEDuwIGKQrC1ISTcmjo3SePsR1KTDSqJ3A==,iv:kqyT1bEyCWHvs8o6wwSC+08jtuOc/gA77yFCkv75gQg=,tag:hLt7Vw5WltVI1L83adcepA==,type:str] +rspamd-dkim-fueltide-io-key: 
ENC[AES256_GCM,data:Rhiuu+vc6XyYnY/Syjs1qvrZeIW3HEPcK/GNUEN+FDQ/vBMHwSnw5XTmS8DjyvMMNB6ga+YrRAOPFu1P4Py23w3HEA9YL/+5g1QLOveBwS159peRSBsGB029JHiFLrZ4cpiaBSn36gr+/ygSpQRM0JPWhJkh8t456bnc9rtFSn8MBgT/AnZh5SYGfhNyrj7HfRV09espFSqRMQyccxykiQi84ojasQiq/lCLv9TLz07bZAQRbu/cEAe2yQKfPrgCCY3m27wJf/Hd/iCWv4/uWXcqlD8lCnK0Auat0s5Qq36oKUF6GMmVME2jRSLjwo9Uo6rT16iUA6lV/TrsYPAcxBtkXroiZn8sp6aXRvOHaWuLwClF3ajfZ06PO4WB2Wi7up6s3WASGF7GX4zyPmi8FEfo/QnCTeqcLGZdBrwqkAkPZ7S7IB0pYCHWLfp47TX2IB7T4AB6RJZ6LQ1nwqLgChjEZXF7eylVZyNPPLpSV3WegdkvqmLA+o5WyzGI76hkKNou91Quizd2BhbWKfvlbcqLvu3jWnsp/3xKmFS+7CdhB5P+pkNYnvQN7r33UrVhm3jSbDF5NJqMiVmgX5H8/4m9bNS7KRDbGQdQo/egploOc5PKUVrxlXFTpEofpoGBy/XW+69y0GoPYPAB4nFT0fIGox/N6bxgP232MMZKn3wBqiI3l8UVQRU/OT71bta/gQo+Y+PljSn18hF41k77j421FXG41rL1Psuc5SSKKI4vxxogHE3RdbhEvE/mSawM+kgWGOBfK0VejxGkBjPRKO+bP5HnN0J4L35D+3y0zpYkHTJJP99T+14GECmogk1GrAj8EQFRCSgE3bq58VlUKV9ZmBDS+/gbpxZ/bcXWpg7OQZ3OvZFKh3MgmphYQhiqy2kamLOisqU3ueQNgA9h4QEX48cPxBo69hTGsfn+IMI1lJYjZsm7hykvGWxfHN3uH971ZYh8Ct3xaFX8Z3pNBmvuWm11aLzglwOVTQJXFBBRbIB3v1mHexGa13QjEXJ2smZyaW5cdpLBVEYmWCR+sHoOq+7V6F67bpEOyfVKl4pyRXgg+u7t049MsLqyZ5i0yTVmSEvqGdwhkYQZi3y3RiMOFvorb63ePuSSfxXrs0GXdIfQhtWkUMGXDk+r+UC+l0jh31VJ3gwNBiDit8WKmLpKEMvaTi4Z+by6oZY3s5G/f5j0HXpOqnJi944bxF/5eXa6YQ==,iv:CC1jJ0YBTUwiwX8fPXub1+yG+eeDIUBorv7mgTRWGLw=,tag:M7L0763goCdaM5o8UZ9QTQ==,type:str] sops: age: - recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0NWZPWXltTVNXNGxPd0hZ - R0U4VzN5WlI0WWZrRVVFMmpnckpMMkREaTBvCm54eTZtZlZzRVpwRmg4Ulp0VG5w - VnJkc29nN0VBRFR1U1J6L0RQeWlLNlkKLS0tIDJ3eTdiUWJzbURvSk1neEhyakJS - Z2MzZi8ybW1PMngyRGk4NHhIMzZsem8KZuy1TWwvkFGsAVMIEk2+bwDcsmYziUjj - Wd4wMK1XuLnJyFYPt6CwzBAPG+1LQzmYWdC9mNI00YZM6XneU3OisQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1dWxFbG1McEYzWlN2WmZ6 + enU5bnRjblI4ZHhvVHhIMGdBdzR5VFBrL1E0CkljRmpqTko3NDdXTS9RWDVXaDZl + bVVjbGJwalZuT3VMdUErUUg3N2JiL1UKLS0tIEcrYTNGSFYvd0VLRnJ2V0syNGNz + 
UlNlWURkNmk0dXBRQ212U0dWaXpxM0UKS+6vyPlzyhlgbj+1OHdv07I8CKK3dLKN + 8jY30HiMPoBWS6Rk8mItRcLi56aTEGUsbdg85fxy8TUvdEdxgxLA0g== -----END AGE ENCRYPTED FILE----- - recipient: age1exny8unxynaw03yu8ppahu5z28uermghr8ag34e7kdqnaduq9stsyettzz enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBZEhsK0x1QkczeFIvL0JI - UWY5R252WkZvR0s2SStlWVBMQk9ENFpaRHpRClg3VjhpYW5UbzJkODRFYWF2aGpr - ajE3aUFhZStYY0NJYlg1QTZqVHJsODAKLS0tIGsyRHlXSVQyV2RXVCswRVlsbktV - c0Z5ZXhtb0wrT0Q3WU1ONjFiNk1WOVkKHxnDqJkGfiqrlAyzJHYVbJlR1/jluFU+ - hM/wENwqtlZ7RCSdG68AssgP9zukO94sV9mAtbfOdeVwXa1LU66Ncw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhS2s4bWlZN2pjRUticDJY + eGtIVEZEVkM3c2RKVmVKQnF3Z1cxbnBzZEh3CmRFN2c0T2FjV0UyMUxKREJsUnhl + YWZ3WGJOZWptd1c2SG5pTy82djBmVXMKLS0tIC9YamwwNHV3RjNtZ25mY2NPVTRQ + a1NSUlY4cWFWYzVYdVFxVFdNQm5DZzAKKmUA1AbqsFOhpczeHtiPnOcVMVp92m// + fB+AfPQUdb2/4p87PpzE/2xUMUTgY5Eng2KaHyJHq0gh+5XKhsDi3Q== -----END AGE ENCRYPTED FILE----- - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5TG9wT2JHN2pOVjRueUF2 - UGJkM2d5VFpLT0hKVmIwV2Qva25ubk1lK0ZBCkJiNWpuZ3grQ0lkSDlCMDBwYjRR - cDlPVHhtWlpnaVFYMFJqWWY2ZVFGNncKLS0tIFZQVVRSQXVOZnNDOHVwTHBraUx3 - MVRVRlRQMFcyelNvL3FaNjc3U3VYbmsKZ+rJ/EFb3KNyyJ5hqO/wV4AtO1FJCeB/ - oazkDDoFBE+uhiLmdCy41eYkqW8Owt/zrO29nITeJ5EtGAXTbACcgg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOUk80d2VXVHp6UU1sYVBz + WGY4ZmFINHVzV0lRbVdxczl4MjVWbWRMR21JCkJSVVV1b3RPZnBnUlF5N0RsRkZO + cDRqYTFPRm5lUkhRUnVTQ0hCVXRVancKLS0tIFB5SWw1L1Q5NWROZk1ucE5nZjRt + QUdNcjB4OHNNcENpWnJXTEw5K0ZqcFEKlO7SN3jy8KUCjcO1vYLo4INsNlLi9s7H + mMUbt+4kwruhY8gN3UB0ATDAD2MpcxprdfZEq7swxtxsWOLA+IpcXQ== -----END AGE ENCRYPTED FILE----- - recipient: age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDZlJYSG51NEE3emlTVDM0 - 
WEE4LzFqazdZQkRZSUlqQ0dzYURkbWc5RWxnCnJobm5LVnkxZkFIeTNWWUJvOUFU - SlZhZDBsdHhDRzFVQjhsN3F1dE9SVDAKLS0tIFBlOEwxallncjBxWDZCSkhZdlJN - b21icTBmeFM1cnVkaXAySHFzam1hYmcKULP2EuMGhspSusYPZs/DTksaZb0Asfel - mVn9Unqe2b9tT5cchGrxLiDJ+2YvfTA0s/JpDtLN+MpiRQQl0vJikg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2LzBJVk5KcjdVWng3azU5 + N0dNQzRWcmlQMnRzWXk0MmZrK2ltbnBDMkJrCnpmenBlUExLOEtaM1gzdUg0RW9T + Z3dDcVRqVmU1WXg1eWVDaGlLdjRSRGsKLS0tIE5hYVNkWHVKNWlmdGIzTDhuSStS + aTJueXRDNDlvUEZHajVHZEpyVnlVVGMKK7gUYs3D1BUeD8pH81iy7Hoc0VjCCYCq + PAnweggfzOVvZj8YHUBZ6/kfAODdjQi/16B9yBR6A0K499/+FGeazg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-07-08T11:20:50Z" - mac: ENC[AES256_GCM,data:GPUwpSAz6fj7mRxX1ebEb2sLAMLkQLuKPXk+B3+zZmA6+D7gAKrrBGUWHqYA9DMMY0r32OZSccGRmeKqdA7sWmzdIJTcBu8EyER1nJqVFJiXcOOdTkCLdOM4xW969YE0lBKpIAQ40E7YXYYwkI1JINneIBTuXkvIBmSQ3Bt2+ak=,iv:VEPNQxDLzxyTxkn8dI6xNDe9ESk2RojSNYYEwT+Ggas=,tag:cfUEKU3arSJl+lEOa+4iRA==,type:str] + lastmodified: "2026-04-22T20:20:18Z" + mac: ENC[AES256_GCM,data:lmtkTa+zts+gA9HPRrfCCzlj3TvDL7ROf6+OmPIPHx+e7yIeLXuvDDGlEATkVLc3CfetdFpd0cMOb5UYixqqE75ivNxZHwh+g3qwHAdmNP2NtjWTkTi1fSPjuuwSWG6e1lHCmX5SS/bmnnT/bfCRCDruyVtm766d7iWicLuGq1M=,iv:jBTDksnZRJrV0jJ8QccK8Ov5lAPf+dfSQ6D88icUMXQ=,tag:zlfequv/RHz1Y21uMvwseQ==,type:str] unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.12.1 diff --git a/hosts/web-arm/modules/supabase/FUELTIDE_AUTH_SETUP.md b/hosts/web-arm/modules/supabase/FUELTIDE_AUTH_SETUP.md index 16f3dc9..2f8b202 100644 --- a/hosts/web-arm/modules/supabase/FUELTIDE_AUTH_SETUP.md +++ b/hosts/web-arm/modules/supabase/FUELTIDE_AUTH_SETUP.md @@ -1,4 +1,4 @@ -# Supabase auth setup: Google + Apple OAuth, fueltide.io email +# Supabase auth setup: Google OAuth, Apple native sign-in (iOS), fueltide.io email This doc lists the **user-side steps** required to make the code changes in this branch functional. Nothing here is performed by Nix — these are manual 
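Review bot: Every existing ciphertext in hosts/mail/secrets.yaml changes (borg-passphrase, borg-ssh-key, netdata-claim-token, openldap-rootpw, dovecot-ldap-password) together with all four age `enc` blocks, although the commit only needs to add `rspamd-dkim-fueltide-io-key`. That pattern is consistent with a data-key rotation or full re-encrypt under the newer sops version, but from the diff a reviewer cannot tell whether any plaintext, such as the borg passphrase, changed as well. A line in the commit message stating that the existing values are unchanged and only the data key was rotated would make this auditable.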
@@ -6,20 +6,28 @@ actions on external services, LDAP, SOPS, and DNS. The Nix changes in this branch cover: -- `hosts/web-arm/modules/supabase/default.nix` — GoTrue env for Google + Apple - OAuth, SMTP pointed at `mail.cloonar.com:587`, `MAILER_AUTOCONFIRM=false`, - `SITE_URL` + `URI_ALLOW_LIST` for fueltide.io, python+cryptography in the - env-generate path (for Apple JWT signing). -- `hosts/web-arm/modules/supabase/env-generate.sh` — new `auth.env` block that - pulls SMTP + OAuth creds from SOPS and signs the Apple client-secret JWT - fresh on every activation. -- `hosts/mail/modules/dkim-fueltide.nix` — installs a per-domain DKIM key for - fueltide.io into rspamd so outbound mail from `noreply@fueltide.io` is +- `hosts/web-arm/modules/supabase/default.nix` — GoTrue env for Google OAuth + (web code-exchange flow) and Apple native sign-in (iOS id_token flow, + `GOTRUE_EXTERNAL_APPLE_CLIENT_ID=io.fueltide.workout`), SMTP pointed at + `mail.cloonar.com:587`, `MAILER_AUTOCONFIRM=false`, `SITE_URL` + + `URI_ALLOW_LIST` for fueltide.io. +- `hosts/web-arm/modules/supabase/env-generate.sh` — new `auth.env` block + that pulls SMTP + Google creds from SOPS. +- `hosts/mail/modules/dkim-fueltide.nix` — installs a per-domain DKIM key + for fueltide.io into rspamd so outbound mail from `noreply@fueltide.io` is signed. -Complete the seven steps below **before** merging to master. Merging without -them will deploy a broken GoTrue (missing OAuth/SMTP creds → auth emails fail, -OAuth flows 500). +Apple sign-in is scoped to the **native iOS flow only**: the app uses +`AuthenticationServices` to obtain an Apple `id_token`, then calls +`supabase.auth.signInWithIdToken({ provider: 'apple', token, nonce })`. +GoTrue verifies the id_token against Apple's JWKS and checks that `aud` +matches `io.fueltide.workout`. No server-side client secret, `.p8` key, or +Services ID is needed. Android uses native Google sign-in (handled +separately) and no Apple browser flow is supported. 
+ +Complete the six steps below **before** merging to master. Merging without +them will deploy a broken GoTrue (missing Google/SMTP creds → auth emails +fail, Google OAuth flows 500). --- @@ -97,7 +105,7 @@ rspamd-dkim-fueltide-io-key: | nix-shell -p sops --run 'sops hosts/web-arm/secrets.yaml' ``` -Inside the existing `supabase-env` multiline value, append eight new lines +Inside the existing `supabase-env` multiline value, append four new lines (these are sourced as shell variables by `env-generate.sh`): ``` @@ -105,20 +113,6 @@ SMTP_USER=supabase@cloonar.com SMTP_PASS=<plaintext from step 1> GOOGLE_CLIENT_ID=<from step 5> GOOGLE_SECRET=<from step 5> -APPLE_TEAM_ID=XWJ4DC7TBH -APPLE_KEY_ID=<from step 6> -APPLE_SERVICES_ID=com.cloonar.supabase.fueltide -APPLE_PRIVATE_KEY=-----BEGIN PRIVATE KEY-----\n<.p8 body>\n-----END PRIVATE KEY----- -``` - -Note on `APPLE_PRIVATE_KEY`: it must be **one line** with literal backslash-n -separating the PEM lines (no real newlines inside the value). The python -signer in `env-generate.sh` un-escapes those via `decode("unicode_escape")` -before loading the PEM. To format an existing `AuthKey_XXX.p8` as that single -line: - -```bash -awk '{printf "%s\\n", $0}' AuthKey_XXXXXXXXXX.p8 ``` ## 4. DNS records for `fueltide.io` 
@@ -148,45 +142,19 @@ won't route — acceptable for one-way transactional mail. Add an MX pointing at 3. Copy Client ID + Client Secret → into SOPS as `GOOGLE_CLIENT_ID` and `GOOGLE_SECRET`. -## 6. Apple Developer Sign in with Apple (≈ 15 min, paid account required) +## 6. Apple Developer — enable Sign in with Apple on the iOS App ID -1. developer.apple.com → **Certificates, IDs & Profiles → Identifiers → + - → Services IDs**. Description `Fueltide Supabase Auth`. Identifier - `com.cloonar.supabase.fueltide`. Check **Sign in with Apple → Configure**. -2. Primary App ID: existing `io.fueltide.workout` (Team `XWJ4DC7TBH`, see - `hosts/web-arm/sites/fueltide.io.nix`). Domains and Subdomains: - `supabase.cloonar.com`. Return URLs: - `https://supabase.cloonar.com/auth/v1/callback`. Save. -3. **Keys → +** → name `Fueltide Supabase Auth` → check **Sign in with Apple - → Configure** → primary App ID `io.fueltide.workout`. Register. -4. **Download the `.p8` file now** — Apple only offers it once. -5. Note the Key ID (10 chars) displayed on the key page. -6. Team ID is `XWJ4DC7TBH` (already known). -7. Into SOPS on web-arm: - - `APPLE_TEAM_ID=XWJ4DC7TBH` - - `APPLE_KEY_ID=<from step 5>` - - `APPLE_SERVICES_ID=com.cloonar.supabase.fueltide` - - `APPLE_PRIVATE_KEY=<single-line .p8 as described in step 3>` +Only one action, no keys or Services IDs: -### iOS native flow (optional) +1. developer.apple.com → **Certificates, IDs & Profiles → Identifiers → App + IDs**. Select `io.fueltide.workout` (Team `XWJ4DC7TBH`, see + `hosts/web-arm/sites/fueltide.io.nix`). Check **Sign in with Apple**. + Save. -If the fueltide iOS app will use `supabase.auth.signInWithIdToken({ provider: -'apple', token: identityToken })` (native `AuthenticationServices` SDK, no web -browser), the iOS bundle ID must also appear in `GOTRUE_EXTERNAL_APPLE_CLIENT_ID`. 
-Change the line in `env-generate.sh` that currently reads: - -```sh -GOTRUE_EXTERNAL_APPLE_CLIENT_ID=${APPLE_SERVICES_ID:-} -``` - -to something like: - -```sh -GOTRUE_EXTERNAL_APPLE_CLIENT_ID=${APPLE_SERVICES_ID:-},io.fueltide.workout -``` - -(GoTrue accepts a comma-separated audiences list here and validates incoming -id_tokens against any of them.) +That's it on the Apple side. No Services ID, no Keys, no `.p8` download. +The iOS app obtains the `id_token` on-device via `AuthenticationServices` +and posts it to `supabase.auth.signInWithIdToken`; GoTrue validates it +against Apple's JWKS with `aud=io.fueltide.workout`. ## 7. Merge and deploy @@ -204,16 +172,18 @@ Bento rolls out both hosts. On `web-arm.cloonar.com`: ```bash sudo systemctl restart supabase-env-generate -sudo cat /run/supabase/auth.env # expect 8 new vars populated +sudo cat /run/supabase/auth.env # expect SMTP + Google vars populated sudo podman exec supabase-auth nc -vz mail.cloonar.com 587 sudo podman restart supabase-auth ``` ### Verification checklist -- [ ] `/run/supabase/auth.env` contains `GOTRUE_EXTERNAL_APPLE_SECRET=<long-JWT>`. -- [ ] Second `systemctl restart supabase-env-generate` produces a different - Apple JWT (freshness — signed with new `iat`). +- [ ] `/run/supabase/auth.env` contains `GOTRUE_SMTP_USER`, `GOTRUE_SMTP_PASS`, + `GOTRUE_EXTERNAL_GOOGLE_CLIENT_ID`, `GOTRUE_EXTERNAL_GOOGLE_SECRET`. +- [ ] `podman inspect supabase-auth` shows + `GOTRUE_EXTERNAL_APPLE_ENABLED=true` and + `GOTRUE_EXTERNAL_APPLE_CLIENT_ID=io.fueltide.workout` in the env. - [ ] `curl -X POST -H 'apikey: <anon>' -H 'Content-Type: application/json' \ https://supabase.cloonar.com/auth/v1/signup \ -d '{"email":"<real inbox>","password":"correct horse battery staple"}'` 
@@ -225,17 +195,16 @@ sudo podman restart supabase-auth `https://supabase.cloonar.com/auth/v1/authorize?provider=google` completes and lands on `/auth/v1/callback`. Row in `auth.identities` with `provider='google'`. -- [ ] Same with `?provider=apple` from a page Apple's Return URL accepts. +- [ ] From the iOS app: Sign in with Apple → + `supabase.auth.signInWithIdToken({ provider: 'apple', token, nonce })` + succeeds. Row in `auth.identities` with `provider='apple'` and + `identity_data.sub` matching the Apple user id. (Apple sign-in has no + browser flow here — it is tested from the app only.) - [ ] Send a signup to [mail-tester.com](https://www.mail-tester.com/) — target ≥ 9/10 spam score. ## Rotation notes -- **Apple client-secret JWT**: auto-regenerated on every activation - (`supabase-env-generate.service`). No manual rotation. -- **Apple `.p8` key**: no expiry, but revoking it in the Apple console - immediately breaks auth. If ever rotated, update `APPLE_KEY_ID` and - `APPLE_PRIVATE_KEY` in SOPS together. - **Google client secret**: no expiry; rotate via Google Cloud console if leaked and update `GOOGLE_SECRET` in SOPS. - **DKIM key**: no expiry, but best practice is to rotate yearly. Rotation diff --git a/hosts/web-arm/modules/supabase/default.nix b/hosts/web-arm/modules/supabase/default.nix index 5613edf..e8bfdf8 100644 --- a/hosts/web-arm/modules/supabase/default.nix +++ b/hosts/web-arm/modules/supabase/default.nix @@ -70,12 +70,7 @@ in supabase-env-generate = { description = "Generate Supabase per-container env files from SOPS secrets"; wantedBy = [ "multi-user.target" ]; - # python+cryptography is used to sign the Apple OAuth client-secret JWT - # (ES256) inside env-generate.sh. - path = [ - pkgs.jq - (pkgs.python3.withPackages (ps: [ ps.cryptography ])) - ]; + path = [ pkgs.jq ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; 
@@ -226,7 +221,7 @@ in
 GOTRUE_EXTERNAL_GOOGLE_ENABLED = "true";
 GOTRUE_EXTERNAL_GOOGLE_REDIRECT_URI = "https://supabase.cloonar.com/auth/v1/callback";
 GOTRUE_EXTERNAL_APPLE_ENABLED = "true";
- GOTRUE_EXTERNAL_APPLE_REDIRECT_URI = "https://supabase.cloonar.com/auth/v1/callback";
+ GOTRUE_EXTERNAL_APPLE_CLIENT_ID = "io.fueltide.workout";
 };
 environmentFiles = [ "/run/supabase/auth.env" ];
 extraOptions = supabaseNet ++ [
diff --git a/hosts/web-arm/modules/supabase/env-generate.sh b/hosts/web-arm/modules/supabase/env-generate.sh
index ba8278c..c83bf28 100644
--- a/hosts/web-arm/modules/supabase/env-generate.sh
+++ b/hosts/web-arm/modules/supabase/env-generate.sh
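Review bot: `GOTRUE_EXTERNAL_APPLE_ENABLED = "true"` now sits next to a client ID with no secret and no redirect URI, and nothing in the attribute set says this is deliberate, so a later reader may take it for an incomplete OAuth setup and add the missing values back. I would put a comment above the two Apple lines, `# Apple: native iOS id_token flow only. CLIENT_ID is the bundle ID matched against the token's aud; no secret or redirect URI by design.` With the provider enabled, the browser route `/auth/v1/authorize?provider=apple` presumably still resolves in GoTrue without a usable configuration behind it, so it is worth confirming once that it is rejected cleanly and adding that to the verification checklist in `FUELTIDE_AUTH_SETUP.md`. The attribute set begins and ends outside this hunk.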
@@ -22,40 +22,6 @@ LOGFLARE_PRIVATE_ACCESS_TOKEN=$LOGFLARE_PRIVATE_ACCESS_TOKEN POSTGRES_BACKEND_URL=postgresql://supabase_admin:$PG_PASS_ENCODED@db:5432/_supabase EOF -# Apple client-secret is a short-lived JWT signed with the .p8 key downloaded -# from Apple Developer. Re-sign on every activation (lifetime 180 days, Apple's -# cap) so there is no manual rotation ritual. The SOPS-sourced APPLE_PRIVATE_KEY -# is stored as a single line with literal \n separators; python un-escapes it. -APPLE_SECRET="" -if [ -n "${APPLE_TEAM_ID:-}" ] && [ -n "${APPLE_KEY_ID:-}" ] \ - && [ -n "${APPLE_SERVICES_ID:-}" ] && [ -n "${APPLE_PRIVATE_KEY:-}" ]; then - APPLE_SECRET=$( - APPLE_TEAM_ID="$APPLE_TEAM_ID" \ - APPLE_KEY_ID="$APPLE_KEY_ID" \ - APPLE_SERVICES_ID="$APPLE_SERVICES_ID" \ - APPLE_PRIVATE_KEY="$APPLE_PRIVATE_KEY" \ - python3 - <<'PY' -import base64, json, os, time -from cryptography.hazmat.primitives import serialization, hashes -from cryptography.hazmat.primitives.asymmetric import ec -from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature -def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode() -now = int(time.time()) -header = {"alg": "ES256", "kid": os.environ["APPLE_KEY_ID"], "typ": "JWT"} -payload = {"iss": os.environ["APPLE_TEAM_ID"], "iat": now, "exp": now + 86400 * 180, - "aud": "https://appleid.apple.com", "sub": os.environ["APPLE_SERVICES_ID"]} -parts = (b64u(json.dumps(header, separators=(",", ":")).encode()) - + "." + b64u(json.dumps(payload, separators=(",", ":")).encode())).encode() -pem = os.environ["APPLE_PRIVATE_KEY"].encode().decode("unicode_escape").encode() -key = serialization.load_pem_private_key(pem, password=None) -der = key.sign(parts, ec.ECDSA(hashes.SHA256())) -r, s = decode_dss_signature(der) -raw = r.to_bytes(32, "big") + s.to_bytes(32, "big") -print(parts.decode() + "." 
+ b64u(raw)) -PY - ) -fi - cat > /run/supabase/auth.env <<EOF GOTRUE_JWT_SECRET=$JWT_SECRET GOTRUE_DB_DATABASE_URL=postgres://supabase_auth_admin:$PG_PASS_ENCODED@db:5432/postgres @@ -63,8 +29,6 @@ GOTRUE_SMTP_USER=${SMTP_USER:-} GOTRUE_SMTP_PASS=${SMTP_PASS:-} GOTRUE_EXTERNAL_GOOGLE_CLIENT_ID=${GOOGLE_CLIENT_ID:-} GOTRUE_EXTERNAL_GOOGLE_SECRET=${GOOGLE_SECRET:-} -GOTRUE_EXTERNAL_APPLE_CLIENT_ID=${APPLE_SERVICES_ID:-} -GOTRUE_EXTERNAL_APPLE_SECRET=$APPLE_SECRET EOF cat > /run/supabase/rest.env <<EOF diff --git a/hosts/web-arm/secrets.yaml b/hosts/web-arm/secrets.yaml index e94335f..7917310 100644 --- a/hosts/web-arm/secrets.yaml +++ b/hosts/web-arm/secrets.yaml 
@@ -1,80 +1,80 @@ -borg-passphrase: ENC[AES256_GCM,data:s/Eht8wmvTiFSIZEKPqAo0xEhsXUr285p3G5vmu2k6kQbirqPNankreApdzLT6Pp6E5LIBspREMn2kGRkZP0TA==,iv:1sFpZW7PrbR+sk+OFbBAQ/L4IYsvZ4Acw+CcRoayu+k=,tag:GTtgyABKFprkAlT0wDeiTg==,type:str] -borg-ssh-key: ENC[AES256_GCM,data:rDnnd9Jx3fCYtlN21vJ03WdaieAc7U8RAbkpS4auOq5m7Uu4EJbrBhgH/G+D8NjGKr1Q9O29e026ZSqsNHvTfAm9hdt00r3DB9Lx9lMDnM/7JXlsIZgB1+Eh56oF6DveAx5V7o+2OrmZt5cTly0ZcIMFYtZSy1yn+ZRirEj309ZKXwj/V5Ne8e+KGlTDdOyGVO1Zoa0S6Zpyeec8WejLlrlFZ2qCbzjJHnw4cFiyrmk2+OY4Y9GEe6grWhqRAPAF4oxAK+rzm+C1mERjB+Ys5pV6L756Bc5Vs6h91EQQtFcD2xJ4ubMmEQxopASTvw+GPcfqrTLsWKpyjjjpIjOYhdbLM1ca6OS1QUuJtKGXsbPQsdI5n7WmX6KW+s/kiPAMbMlZez3YuYhSdY70CL5oHZCWRYfM1mJWKKDmRuzN2vFNdUX7mEwIsnwDQzSse48lgdLB7+QKqiYBUnt1xettMojJZTqnqR5/jMQEPjSGatDk0T8zI/PPQzJp60rWLiXaWo+/bxHkrFlAvGt94/5x,iv:UhPVXedvA/7zS0mOggeMg3nE7LPTl+9/gOb9aocMnbE=,tag:MrgnbhB9RnxszlOsMb2qdg==,type:str] -vaultwarden-admin-token: ENC[AES256_GCM,data:eimjqTskUBgROPHIZdMx+F8ydri5aHk53Sx8Jdzw9gmDFfHtLNfPgYZ13q4D7Yi0pd6ze+LeW73U+P4npS78cg==,iv:PrcIKJSzg62VqETwcgQlU3U45n6tN0ScdQwk/5bNudw=,tag:O0wk+k8CFAG33erXVn4p7g==,type:str] -vaultwarden-ldap-password: ENC[AES256_GCM,data:pvd8vjYlc6Xm5WZ1Cb9Sj4HnwiBWkr8Y9Cjb9+4H3Tstf0e8QhXZJDREbsOk/fkvlW1vhmdEFhDPPaAIuz+Gmg==,iv:Tl/gZLv2290PxeTiHSt610070LRMWjWAGcifFl4jRas=,tag:tLmOpM4gwME7r/sg3sS0lQ==,type:str] -vaultwarden-env: ENC[AES256_GCM,data:OI8R64PZ4RrNmtEXP5BjTbTZY/FqQ+spQGyTPziUsOJzS9hiKRW7BS/IXEKyCo70siBQbl8BG8W/i6c6k7KW63vX4I7vp106uwvBTYDVpflgeG9TF9Vw7Oz+gCjDo0WdtIwLQA15QUrZR/mct96oRd80HO6OR9Urm7UPkW/6Yb+WHpKonj7sqPhMkPeJLBRxjf0Ks/q4KK564Sr/39M45WlnOw/LI+B0oHyoiufmnx8yhrDbb/L8AbT3pN+HkKkqxkMcZ6ujIVF07zlyJDmlKH0Dg/F3M4DE386X1birpEVEh5AT18IHt8/XPt7OTUNlFHI9hBtykg==,iv:Lh7FatOIKkTCAfpH3uQeGZl3QlvGOi9fzUUICtP9aaY=,tag:afaF9fACuH2ypilMPJEnJQ==,type:str] -authelia-jwt-secret: 
ENC[AES256_GCM,data:FWEwqCDoOABmYtjvXwTNk9m5c3QyM4GYVMmav3c1SwDvXT+CRKlXe2qFvJd35F1Hm7ShsR9hDQD7CMgFHOb4ww==,iv:dBc1fCWEoGChNdIjHFdxbx8tEYORb8OU8g1inDqaCvM=,tag:2AsKjNO2Jah3bJHTp4g1dQ==,type:str] -authelia-backend-ldap-password: ENC[AES256_GCM,data:/udgZo/DhJexvOryuXScGINtCzyvvBKiowowf0oP+Wg6tXgma0od3jvMlRneaajJ0LH4Jn+CCku4lUf1XoqcOQ==,iv:G3JIClPfptziL505j1M9yQtweRoar2fBpKVnI91j/WY=,tag:SbuBYaD9JY4kDVgrz/cJgw==,type:str] -authelia-storage-encryption-key: ENC[AES256_GCM,data:kuCXAdBq5XeDlNKMbGGynyyNbs087OYT1kabPTnV4WnLxl4z/tBwGXEL30kTtFueJAX9LgUEPZe/MpVaAVn2WQ==,iv:mVOhoBWHXlOBAXP+sB3GaOMLiKJ+7SiBPs4coH0R8BY=,tag:tXQtMqB444Qv8Tdrbrz8tg==,type:str] -authelia-session-secret: ENC[AES256_GCM,data:DjJC8nT2W8A730MUT6UIsWNflPYMpgVrshbCAdCGn0hh8jTu5uo6N6fKLdbWdhJ+q4cAqNONYNiKi5NMp6yktQ==,iv:p8kN0PydEwV4EXwLp9R10Xp2/NjqNaFux9l0GdGQQFk=,tag:OD+V1DrcvNp5frvEhn9tsw==,type:str] -authelia-identity-providers-oidc-hmac-secret: ENC[AES256_GCM,data:OWzABR9ggbcAEauMG13L8p9IlAlyY9logj+qfx5aSpe7qUECVqD/eYGPm9ATQ+8PYkL9qyS80rwDunbwp1uRJmFY2WZxDtrrLsI4bDTqOt+IG/EZMvfVZAgAXhJKnacsshy6FINmRstHK3Ki1YTb3U8gvQgoX2LP+KH1q+fJHfY=,iv:v0MWOchPZILPczjmxnwSgTHgxKC0CKd69+s1ERa3CGs=,tag:Dh+/1kBuhlZLp7BQbev4kw==,type:str] -authelia-identity-providers-oidc-issuer-certificate-chain: 
ENC[AES256_GCM,data:Kzo+ysjKrYI8pTCIxYsSHYqCGYjj2JtGWTTwq3MP7rtMSB4We417QyZXrZY4JFc+TXD25K+aQf1o/cb3x3zynhTTzPkJnwBRmhVdaHLfWfQYmmfq9SRrEVvQLjdQHtatMdZ3H9v+JfUbGSxCnmDzMAkozVX62ReYpbFpX66Ng2sj+JBk5adi3dwbEQ/QRMJGiuunfKPJWau7tWEaCzj8AGxBk6MehkgTzjYWL7Octn/QMjTb76hbuBPazR4pczNNRkacXoFBwRPdBF8vEAtapHZkkKzKIpQZqaUhIVngOjRQQIwwJ/sj1XnBvYzwJNDe2Hh3oErgxmwI6ppC3QIEH1si8IbKZQckysStn/pEtSZ4d+tPsOhLBOesab1aJZP8snRUd8tY1oyfHk9UlpY9r7QnJLKsXvI3DKn3XhrpMaQ+blucj/OeNDmjMx2j2+ZDKryAdSmxjVCrWhYxqFrhqyoRVXB453umMCH01qjxvuMawyOzpWZyXO4z9oCe7SYF1HxLFCQgRMAENAdFbd3DGNN6z2oeJyIZNdefe9eOeilky3zUxntBYPVrXmE6VYcd4hYE0t4nOku/l0GkUXmhq7+2hk5OWjAW89I6qo8MPa/Ydpr6I0AGHTDuBST99Pqt5RLKABDQtehm4R4qWhFjOkUjqU2vl1Fy8cK87/RYLHRa0B1A9Uctlis68xUAE7sJMEc+KFP6VaOXuw4v6PZEvmi8eGWBihqaYzcD+HwXLPm59FNpy5Rs1WQCvv255z7kISU63vTW6W1YglBRdgBLg9k5lFFg1OUcgupj735hNTwOmpEXUsMjTRz+8XWUOkBCOWXbVWOgGkW4HIsI3wiunECXwsEVxyXoiwYYYM4y/WnEUQKmr6NXp4xrAkTHUe6jFS4MX+GLEVHWi/tv5iKmSBl+LjKkGeaEWL1TjHRxCUvOwWYs3Z14czNys4lpcXcbjZBBhX8Zn5Kgntc1aukW6GcGNla+m4RwAbJzWjDCwGNGG60SDFM8P5M3gbkvmnE2zFkkXNSDmw==,iv:iZuII4OYUpyx/dfvg4hAuu1YOtF6jHrw5CMimTfSg60=,tag:KG0INX66V3D7w+QuDfCJMw==,type:str] -authelia-identity-providers-oidc-issuer-private-key: 
ENC[AES256_GCM,data:VwiywbmQKOfGZQtbYZAoGN1Z6UaxlGwy+pzhzBTzKZdrChNwDuxphgXLOpzkZ0HaxzEGfFez8b2xVbkPbKrPR8J+ddwctfNYZGSFn6uWf9irFiWiXAjeLPYcCxORLDvUAEV9Nk/TZ0EIjS15nQLSbYovEr9Xf5+27UX5jzu1HHo+S0LVw5dHwE2zXSFvv8AMgl/RXT6GJqQgYnGUeSk+xEXNoixKoNe63EJyiB2o9FNUZ2mcBS528KLWp6AtceE2sC34/76MuI7yv7QbVOY2YLoEuLeaz0dBFl8olEIADecvQBgsKKrOMVJGbw3Oa86mCoYUXW44XqF5DAmCssQxiV7XqrYefYiZzyK3KgIv/ii4qqWnS4UnGgOALaqT3ut0dy1rgU+kp/YipAjDS0ZvTSuPK15cNYSuHPXFEeMqoUFzljKEsRTXY3Q1iyl7/IgE5vUNIwOEBXVXxOX8sqMkaM2I9fe7u11BQ3InyBXoQnzOOSWUK4hnBQ34qwroHMMSV46LulJyOxNqcUrw4t60MKKa9YYemT+JhvI3M40OORLWw02K0bx5b4b0wxrgNWGpvOkwB5MRABtXAf0ybD35pdio4rxW0Q+GP47gsj3hA/FSUDhpgqOuyl58uruZKBtWvu2SU3Doaj9J4IOUG3dz8966zorZpCZR4chXIT4k025NuP7RlDg9aCfo4WneqZV2O92MLMTjAIIPBJ6iiMvX00FvrVInyJNEdGdutAC6EhA2uGR0IrD2g0dsfsJUGqN5PmmfusJIjbDVmWsqaISWOPg2uefR3OEWaaOGSoCkV9HKKsKyEltXCzZyML8Cd8UB5KCRaxtmaYvE0PxFvx/pBRrkP1XGyn/eYhY92faveEAwhHgMHuUREx8aimA9Yg28NoAnq7MtGOgmEXwGWgFDqwdCmsquk9FHT4PF9OfubQW/+UDOEGnrdqqzeVLOpDgMUZ/J/t1XjB/WHN1RtQVOGjBllwJ/l71J9/bcO3iQTucLClVFfmDc9xP8KM8rv6smpifT82v2wtnq7ieyF4Z4uqHBN0zcqdgLStgL8JE+5QqkcHJL6kU1btx6B4MOBHNT+f7t/t4ISzw238pvhm8KM10TBFCzSDcSAEYwBU7mxFDlgQOqvdavCjKDL0rCp4dwV+q9kjTWuWGyn07wqHGH9jTUW8g2VXgWSdu0kOwPPqlSvx6HTm2uUvipmsH97oSTk1L3rLDd+oiF1Rvj0PbYh2hM/ZLCWGsXEpQlnWN+WSsUlEqsHTRneqga/KLVauhEoRXCLPXXLxzyc9x7BzqYn11pAovmXGgC1N6UIC7z3QGEMllJ3EoW9WTSS+gxuTQwhiTDd9xTa42fCyMrAuHAttsvzUA/FVg5M940LZNcUG+X7lrecPoWl7M8QbaoaNfKibqiA/YeODGQnBM53Y+ycWzJ1YMyhihBLTovDb1TpqwsnAU1YgRpIZwAzv2dzULnx1/QXCyIJD/2U6rNbxWqnLjcEZVMsscja8skqNTAdaHWwsCzyO592FG0JaXVRNM3KLTCnEtQItobpSiXb5TV1YhzRztPikYPqnx3nHQIk3WVlxUSCrEIjkgR/QxxrUDw5pEknBkEyUdD/8kVgmlt9SdUf1cJdBfLFgrGhpVt2EWJpvdtGGIeP9fWTqboLejR58+B94SszMo5WgMMv437OUA6QTf7Lb6HFacWueVSEhV1qvFu6yS2C0uHYnbWRWtfGqNmwfOeW4CE+Kj+d8yEfHgqseA0lf3DIlWjIeM4DgriLMqV5AuDOVKc+7x1SXURuwgqibuByT8fYGrCCEV7apWkGpDEmeuAC+omZWJFV6IndYOUC0DZR5EiNpqp1rviFj/FfjzYqcFu/Vw4Sye/VY+4Tyjb6hOVgKCQ0SKwFa/fwbgH0lGezS5Ayvk4Vrh1633scztcyd68Erq6xVKaWFXuLIIEHJd3QgnTByZ2Ue5ftPB8MM2r7Jgpn9YZ
Uo734yPU0hQMHnampNlyN0o4oqxZESZJs5SrUEayui6YfArxPnFJbZgFAuh9hv2GjoOm+3RVxJW78Da7V73mvnhlY7yYC1ipDRtiKDOAPBkRpUTi+uKyNfutQ3SsMulFOylVU0MlK2Zlj+hLz8oJZ1y2f7whNJ4H6ZJ3oU7PEx2Lfx9cw8Qc42uOYevOvgsR82q74NWvRzaJzicbMO2EkqxJVvz1Ywz9N8ra+30GplLPfwfvYZ/T88lAdhuH9Wwx0rceMYDUk8oRQvc9/jv08DZ0kGgWLpbDSnh1x/BT3vnz/u9GnDySeab8IvsPNwa62ki6T+twaSaAwDE/nzAKQk4W/98+xf37dnmagXs7zA3MbrPmiCwqJtJWyh182lAUJlxq5Pu2E/uUwcuU1XH7F/NH/uWxmlL4HW2hVOnDVat+FXVSv8ZCZJnPjEpWt2zRSJlVVuzwSnym91l8Zygye04TsYKajDVytrwNbLnwfVKqf1/fxvBAwmjnNyi7CDfdrJYSS0obo/FvwtwiU/pnzeSiOhOMV2O0RgRnzitcqRklHOyk20X5EFPpsE6Ev50LyiKoyhLpMAUbE4IU4W9q/Y44/8zQpjo4yJfFb/BHwJDKKjUbYSqtCcmowX3fV1zBk15utjOvTZqm7fEqcTlgIyYEwgMAUQ+j7j/e9QoQLEjUNDHP8q+xEzRk+gufKfKMSpiYbgveJtcg10Ar87YrPMj+hutlQFS0elRBjKlb5+NpmS4coY2Cf9ySJFhVtkZSm08OlxA5gS0zmW3oKoKoOsNVS5QgaD4s+cJKHsNDeWAVvgTGBNbg5bDFnFnA9RJfCnHmImvmmUB7RrWCB/FEt/UHd5kTfYuNLAcmtZWpIjQk7WG+zgMkpUv2lDwPyR62X8KOOTGQBFnm5rYHZnFzwDWnjCi0/KO/asqnGauerzB/pfcX4UgGbvto2hI3ea6xkvUsjGWXFTHf1ugB2JTNNr9Rtg5SntJayxQ5fi2RKykg0kgteL+ujfYndOuqIT8Y1jlxyu08Sv3X+rdrBAvrbbwXVjKHRNDFQQBaj1ZazNgVKideft22H6GzqNA2+SdPx/s8yX6bC638wNspyrHxhGBfaIyuGjQwFECLi1mvoFcV+uVWgzivLuugOFy/VBRfqSWah2AB4sq7qUeUL+b/IRnvB7i1xBFXqZ0Eqr92HUwb94DvIi0jaCa+ULFwyfGwA0UvmpYAfDGomR1LY5MHidx5vSTaqyfRzoHKSkLAEmGalok+ga/XKGXP0DJkrRqpe2/PY6eCdGD1qtXN++NQeqkcX+nMH/smnhv+FOLHyRdJtyVduVlm7rotBjDRTRZCfdMW0fZEuhPTC0DiHZxE+tN7kw72JZWR4eOd3TfFwoZY4g+PW1FUe3CzVmrLs2u3gAE3MJ/cqo73+m7KErh3dgZbH+dlIvtblxqgHH5jz/iwpvmB+ygAeS8Bf4SEN4WrgltykUgAxessBX+kJxZBSEBAFewBaH+iymY1+X0/wXhRHMxGHGVxaZlKxXNQFscP1u3f3qobeHdOhP8+ZwkFggJWTan2ymarsOQy816T1HJnk1xuGCMmd9yu6pXy7FngBf3J0kQxoUcx/7CrVhwoi+CXUgbaN5J/xWaSSrrNsXyKZ69aPharfNZeiUnA6GiXENXh0e9dtiT9658X/c4rwum/gr2lMFUqrkSePhCoJzSum4LQMVS86DNwtmlYkV/1I0o95HL2ryw8mCZ0K7kfixI9/0hrXU97R2h/Be0viwqrqV6dB6vqKm68ANMgUUqWUlh1pf7mqXKBdtcWCq7eAjcggcMRUyFh2cmmVAjqp70BcuWqsnxhwPwO4HkWV0N3y7K5Ai7Di23tIrtP+e2qkEPD9svEAIKbX++DmxXjl+75BaW8uDYKXWuccz/c6vCJazylKO9NHc+aL/15JikHCnjEPy8BkSGz0xCTS1+pH8XWmOY0p47+lxq8E9U6ueYLGPlsp9j/3ZvkcHiV
R5JEg0KgH5rQubHhz51BaZFSd/n3C9UxA6dPv4VEV2hk2ZW626xgawCGSJ8cfaNtJ2utcBFko68iKq90XHTvPa/Mm229foMoTFiSgbjOfZ7bjV5kLQiVuNmGYqmoXmkt2GHaydGdVO9x8scp/ItshTi6Z9bfEkmXftVcnV0j2ZzAo9vkNlDIfioWCKv+o0lwGJnXRItclWNkZTBxyTBnPOqyloNGhfIvlgpJ1TjXLfoiPi8CL/GAzqqkI9gcfJpv2VBsOxYBSXzh3ereYveO0KvlWQj2TGJESNKIDAs+Gms2s6C3URACubWs8ODEXK4tvMAJeUC0GS3XNPv8KORwS3m3,iv:rACJcfz2Jzb5DCA4KmRu0WP6QR+ntt59kINPA6g9fyw=,tag:NGrmOd72w7AQIvdK13JFFQ==,type:str] -gitea-ssh-key: ENC[AES256_GCM,data:6RCM9oHKV4K12YJUfBXphHB0aw7vTLVRlHwM0rQlfMFlgu4nKJ1xlWtZQHSu5Pn4z+W4v+RogeK13C6ln7/ibXX/WSTAUM0UfuSLdMcN36h3VZ87UIsxEsNWDq00zwgqT7ShdVdvRimG/mY5AE/ebJbgHP116Ar5Qv1KevnmrcYoVUDrsjblNz7zOb/3tDwMKcTOnR1eSn86de4yLkHCWgk0Hq9nK4spalEil1cHxCmI9XMcnPY8bxRsPAPZcXSi1prE5Im+sN0bDesq1AtWXeKUpBO3tWnwW2N2ibnhKY671u+EscOKZ4NdUFY62BkmjZCqJpireadvb+GhKv8lAH0qYbNvaMNdh0f3n2gidoAbBEXQVlh5+dLPcpp+4mtCCUODb+UA091W9YCKkTEJe+C6HxP47SdayEsK2DEq+PPNUITGb3m6cmlx68mEi8H7EJlNVuPbYGlwF3zHvjXt1pgc7qAdlb4U3/BdpnSICEZbNhOyAcrPzFjAh774MlQ5laYz1lXIjmkA/aNxVdFi,iv:yGy0E1oKdwQeV4VfPazkLtwvAB4DRZsS9MhEUYxRHZ0=,tag:VOPvYexE2BWt6XNy1r9OVw==,type:str] -grafana-ldap-password: ENC[AES256_GCM,data:18UHXYC4GvAteDrAWVqsg6ftu9xN3Q3ZUrBmmlmA0OO3qHKI60PWlRVgOhQDr5RTVtbKF6IyKu65p/zlctEk8QGFmNP7uE4fjdUog0viL/CeCvzpJwUI+f8kWj8lIJ9FcKKBxB/VpBTDL2w5Znsth/xqpS3uJOIIOy/mwBMBmkk=,iv:UhNGj2InW6+BnaUDAvuifxT5boVRcOaUGX8JTsxZptQ=,tag:zc6UymBNMS2sz29riT+Arg==,type:str] -grafana-admin-password: ENC[AES256_GCM,data:lBwKPZ94bmbWqUkGxmeAdqXFbt+Feq7riz3fdohZFsZYVyJ9Kmbqw8q2erRnh7DRu//kaqt0l8VztGEsgnp+Ltqtc23p/2h7hsK8IwJXApc6DUw0W8MRwHhsFXLfViucpachgcAJ3hSrUShlfz7F5HvvDk4fbEDxd/HXzKaUppk=,iv:8oZOyNnXIJQKuMxewNQIhEYZJZM9EkoPNsneplyDzWA=,tag:z2uORXdtTJxIHhtOPY0l7A==,type:str] -grafana-oauth-secret: ENC[AES256_GCM,data:R5pKrhrSKJRQKPzHti9zaDV4rIt676LjDeijzw1vrii2NeeFzRx/b6Cp4ANxH560+BeYoDfHG6iZuPzadkZax4KeeibKeccv,iv:FTHKRFcBHdyyvXfNfwEJAk1wWHakCm+wP80+JdSv+V4=,tag:m8OnyByv+yS3Guybomst6Q==,type:str] -linuxbind-password: 
ENC[AES256_GCM,data:bkcC17VkxtKoCqRpovXqFRcikPiuAM7JXTiMyHSUiuWUh2pqCmCMBeCRL0YIkCb4dHK0KyLEv9rZorQeGCX5MQ==,iv:6pkFgEMBJJLSTart+o7kUq8zKZiAsbFMvJWHzqN6StQ=,tag:9i6hVZXCdzV7HQV1cO++iA==,type:str] -sssd-environment: ENC[AES256_GCM,data:knST2jcJlRxjc+lv9AvIOtcvKFkR/64S9S3erW9//IH3p5fNVD1Lj6H94rem+1PoIMLWXe6IfgbPiZvjM9onU0z7GAi1ZYsIJbLNHcHjDf6U+iIJB6iP8fY9zw==,iv:hxqrmhfws09JwUusq3Tf82ZoYScQMObvYY5/4I3dC4Y=,tag:irQYLHdTgNf3YubxqqttjQ==,type:str] -promtail-nginx-password: ENC[AES256_GCM,data:8C/3+qSPTdcqXb6qFKTTN9CO077nux7RkDzSoMP3SLCIIoqgdesi6VpQrvFc2HDVXvInVks4XJ93KQ==,iv:Lc35AdffObuFHDTkyDmlx48ff2gGbXKT3fCcu8FsY1Y=,tag:c2i9KGF9nnJeSjdVCUUfsw==,type:str] -victoria-nginx-password: ENC[AES256_GCM,data:B5PB1bcHuI/nUc5Nge2khC2I1cSr76TnQukS24vhaqB2l7eLQceiD7lbd2yxwqxI72dpf1w=,iv:vU1+DY0xR/XLDYErkVGog2i2j7n6ndBKv+9XSapXuBw=,tag:SRqFvGgpvbH2lbgtGR6zCA==,type:str] -nextcloud-adminpass: ENC[AES256_GCM,data:7jz1EqzOFVC59wAfo6Ss8A4LX5b2yY7adCScr3pY/HT7VDp7eosuroZCMkAZ/1DpLg6XzJfSYeDbd75qUkSyQav4T5q3DUT67iCHNSLt11QKUCC19HVItFWxD/+IbGyvF5Lg7P7OFWWCkEPfRt/s6iCwR9Yp5y2TXLxNaNVyW2s=,iv:yusz6/W+nl86vZpl5qXcHCh84fagKmECP9rfeJW3MWo=,tag:4E0R5InvZhxVYKVFumcKtw==,type:str] -nextcloud-secrets: ENC[AES256_GCM,data:O3epYK5tAagt8XZmP9HrkzxT+h3v4f8HAz8Sdz7GWsOl5HbHHxZtoJwy0MT35CxA3jjTofQc8clgeeez0Q5sBuKx8Adx/oFOe8nOIhGBOjakm/qAG0E0o0iBmxJjwi3/miX2JQuDBS2v3FuHXg==,iv:S+qmPwkGWx7acXl86ieZWRUTqnyT6oB+N/RBT89blro=,tag:ral8aKlCeMXQydJgs2EQWQ==,type:str] -nextcloud-smb-credentials: ENC[AES256_GCM,data:UHR18bSSqJDppcdL6dvXC8R9I5fdOQ065PD5c0VB+EYTnsHDKkrw0FIf680RzdTo,iv:4cCuvULmKBVahGIsKham7ZTQSM12oUPypgd+NkJsLlw=,tag:fdzqR5hdv/qxNR0v6XvQJA==,type:str] -atticd: 
ENC[AES256_GCM,data:zJuJjTOyD93ZmWnprD6sFgza2oFjPg23oC8+j/xz14CRC9qRt/anpzOtLiwT6Z69Sf/MDgWD7vYXYvows7d4+KMiKSzBhpPi4iSIkhvuYtV1Uwi1tUIPFAYXQAg6uq0wd9i3wKGKDZ3nYyAIbXcoXjO8VByBtMoFx12Bufe233nIPvgw5hF4Du8ySK70sHAEvHARzoG/WkmoovR79Xb7citAvroPsO5qgjFMbhC8Ea/58NkJYdspfFEUEu3YtibiwvoKSSN6G7kgobxi8Aemo07zEEzeslcR2jm3HjqHUmL+LiUVscDCwUtWJu4zDOb92srW20JAZZWFRJwQuwReV0ANAwzWkupK5PsWZTct+aM0XKClxY4OdTwHLQywAM735HS06aULepkBx/ycfySh4oQYF/W9sHbjWxriI9a83oUdXgaf/TrLqaHwvWU4mVLNsKR3Xh+YVbHa/cV/cw0bjLo7LbRA4uKowX8tDN1vy/Co9u+8bKB1oCEGSXGDhEviuM0cVyJHM8oaUrIPw5WWtH0QnnAQulrMOdAhfqKQOnWv+RZLuCMyRBKObqyQ/GD+Cc/SxOIfhpR4KvqUrqBIDVWcOqkGv8ayl6PJ4So4Lm9G3UoCefR2vjHVokFVPtVLCpfv8UvmvLigowstMxoe5wLBq5OZmPXqiccL1ngW4Dnt9pysAmvDmvPFAQS5OkmtpWOctjU4HKzNgVcCLZfeqz8avt2QreThxYTClp2Gfs4ooyn30tEpmbdkHxYODmlbZVhIfSg+Nt6x86Wxg7hhZs/5dP1te9MkALoYxMYAH0TNuDgnFjTwlAp/vTNlD6uNgcWGGLj7T9NlykCl3LI/F/n7VUAmTmklgZCsO9usBK0+nPYqC69/2yLXuvG2jwZZuo5EUlGDM4L9jJ2M9ikwQGYcREHpmuFonT0/+OrfXS2VmJJqJIL7RhW2wEPkQVvAT+UppoQWwPW2u6U55/m1/DNX/qWwRhg6jYEmeYzNgLBoh1Yp9+fdti2GhijvdBkzkKe6k+Tme7zF4PnanB/FHZ+SBdAVJig5LOCeNtdzophC1S/jlCluK2CUSqoh33knaYmz0bjB3IsZcbjnKdmpkFCGQfEcvOd+kd5v45+h27ugFU/1pxV3LFDNs//+R8Xg0xpF0bdBaqhImqr3hgydWJEwndn1IDUYC/S7T5yDDVsz7vCbaOEst5nuXix0UVIpQcNFYtPUzITsh3lmJjwrfdyfo8ZqpcQMpqo5hH5T7nn6XlcJdTV3/Qiqmiz8D7Pi/XXyIncjAXh1ennTbFcqs2CM4b0JOWMNxgVD/XBXvALbemTqWP70pWOz2D1vgCpGiFHor4qkxG+zWBodeQDgM6ErxY23ZrQf7nT8CcvW7tgzIsEYs4fKqoHOFwKGgH5friCUNFzyuDbG+4VuJn/0qxC9MsrhxAYSJAC0MbyyucxOVrfCtCOm8cJQWQNfej1nV8taF54vrzccu6coE6dZTDwXru249udEM1FgHrd3hBhczPqX5QBUTe9Glj2kAdn5VXXu3YSzq9tkPJV3mDYc1k1aYVnXUQDwlKT9BifOG/KOatBM1FtptfUq+0NoMJLVNQsMYhYKt9HCBMGcxf9DcrIkTN9RIpwqD6XS1oHmWP2tF/qVCkF+koIDH4k82ekdnMRhkKMVY9kjRFpi760lL5Jub9rzG+zaKhIOQrLwZ3+SdKPBVfvD4kc6swWYcLE2Q7ULJ1i1u+FMHAlAKuuFmP9TVbLB7zoWTxzEl+S/hS70A/zlX9EyAn5RZcwrxL7g8+1d3bp2lmP/Z54QQCGXnkBLVFCoq77/cgCST23nV3MCZwbzUaOIIFUYJXqvmnW85ZaojSpAQnR9UUSTI451Sey8bYwvC5K90N8+xzSMWl4Jo0R/Kp8Tt4gVV4h6jlj8IYbYLM4vEXzsrseI3Gi4vc8Xgbu35tWvkl5qnl3HwpImcf5ux91wUDlaPeOY
AXQdu2w+gL/N7/qXwbWT4rKVK2LQGXEjjUsC0JBOctRsEphsEwB2X6fQhAgjTcbe0t1eM3gKTxAhISX2DkUM/4ojtaNmRhrNpH4FG3JbH0Ara1IfBqre6insT5pJrC6sq2IxGhhniFZsYTBOMitltajAHxElQKw4x0SegCYbuhOfdpMfULuLQNOODRqtRcEOCw3Xi85+Hz95+3aNkkx31OkY96udXT6VG6HgMUa1n+aS3cQlM+GCqjRyijyTAPZ5pSWLFdUR+GwIbU3YzQxVyym+BrAAJxXAQ8+n/m9fJUIhdmXxS1Di0bKND1Q7KVHF1VR6CObT24Q7eO45u8XcsUmh4moww/wIJxI+Kx4oNWpGooMEx/q8dIgsqE+aDwL0SAjX5r/FvSfGF5FdANU2TQSXXRTcDHJkmk44E8OcLH+V46ldnK3Y6OlPIwMedF6Uba1AAevW1kZytMKAcUiKm3zh3UbPEKG/DyCf928bjcdGvb975EcLbU0AntxfF8DbBoq4ydnrYI+tXtu/+ljMJrpDaObJth+msTZZUmFFkOKM2XDNhSDcLA/5dWrX2IdVvxJJ/yDsi8Tee78EWln8tpqk5xRToIRVcjbXh4TqdXWpmoS8KOqpfOlohQp/7xbNrqgxJ5TGpdkYYPteqxMRh/rYk9Irc4TLMv87qjJjwvNNiy5HywptiY2nFC2uALGNDeM2LdKU+8oPl+NUWz/0bvt00Zi8tOxYZmmoxPrVCmNW+MX2Taoxsg8Lc54kHJqLuQsHUa3RWO/gJmBPW6QYG13TaAcvCAChca912d8ggGN9ZJFNBrBFpbLx1VzIgTEBYW7hQMpRNfzcSxil+DRN+Tzhqj9kOXmPruh0j2+nBp1URik8xR3GilU/DQ0y4WrJiQXE9JvoDFIypB+NUnMm3SQ0RjuprpxlHtUMUm9JJ2iuaGBPv9s2bysjXQfsQ1+4AhAyMkl6E08+1f/mBNGHsXDoSnec4WvCTYRzIRjZnyLK/jslTtSYlYR+KaevwJMHNjenHPAZCFJLsKNAU6lYyqEqMpXR+tPyyqzh8bPV5bZgNpi/30KUpV4D004J8Yqkv/uFoCY92s+2Ok9a2p/SPOPfGpo4f0Blzs8SifCJzWKuylybwU7HnVmGmC2YGutgMvsDYEfQRR2S4gBiGZ0stJie49bPDTyktaUH2aySIXfiI69g/geuZpqFi2hEcbszZgkGlu0Q94FqiQ1Jjs3mQEQBbVSFfgxS2ET7u7ZCYw4DgJAH/3HzwYII0mOgYIoSEs2VXBsucLf/L0j2ZzZTn0PvmYx5MSqOO4Dz9Ru8WEbtC4HeZlmMXuMgqHEaGD6wB8iSFeS3dxqJwx7kCW09iJZCFh0fNjuxPk0NtanHSqS1z4rHGB22i2hfya+Y6xoPI8O/NGv0mZJonE7Ml/3+Kk+MJqj1IB+Z8AxbWVyb7Wn+fUt2iEVrN065VNw7vtxcgT5aSSu5rAyIdEgVIDoxDVo2WF42H7xQVSPLgbK91FfIvW9VFWfffwVsPwiJmvOhtYez3ZQypoavo5LxE+aj6zfE7xwO+d17r5FgEajCT8GAAh+KloLS49JaWEMJRgoBQWxmQbxEa7rxLiLWktXyQQyUBaqVEXnEYwMLINgtbMG7in1KaXRhkT66TYSqFb20Lmz1cErelleAgffDA3Fjj6uJJ4Mdqg2LL/+JiEdKP+ql9q1IoHAZNOs0vViT1Lf+Jirandg7BAp6GfyOd1QZK05zf5hEiaSb+oOdxcRI5biw2yMucCxbtkD+kHZ3nZsiod3nNz/cAHlKV/tVrEGLRyo60z6Ktd1MMGuF2WkqE4GZjSv5BBKI1OMbMNK9iNfQ9wA6brXIso+HmouxIvrRIR20hMOebDW/I7Uk/LxENlscKjWSnaqOBU6PpdrzMIrL9XpfZLWgQW2wmds9N8AfaKvf6Cpx50HVo4cyIlO49Z3ZOheF8C9b5YiP3LoIa1NkwwlPoBzj6hFiMfLL
6VWFUNbsGF7pyggRyfTWL9I/3XzCoKS4N0dv3s6sAA9E5TQ0Ppzt8rEA6KkKLxJMGLSpUptDf1nB0PGhRufjSJsLUHBW4pjlMlJu/upALKiXEFVOarciGC62sXaJQy0OpFI+LvM9C8wuJFkt8YiluMu76+e7CVJrN2zCRDGyFwtUtw588CLhmnHrkWTYIsbOk+15+qKqr64xHPhZSjooRTSbNR9qEnVMDWgmwOPd6xGmGLH81krl9AhYdYgTdicF+65TV2SKfrS9AC2707kzLV0gBp0nAC0rcD1FImMtFA3ZBry7BUYaAxG5KwB3/ES/Z+diKfNRrJxKzW/RSUAG3YxaESlH6Wbtc0jDMii1qpJmFbfuc5ma2f/S2pjg+2L2eS4r7ZtX5MFp6LUr+gs0mHsr2GCJUKA9fba+Flw3WjxCOJzui+aAfsot3PkIu25AZwt76PkeMs+mg/pOS8aCH0i85CEngTxxNiNNnSVt/6NvPJhmDEWrFpk5UBN4RzzCH/BeNPMv6SFE0/BTNJkVUOvmpyuuiS3+5GhS4yjoqBSN+dH2IRs3IObVdd2BWv+drCjfXrmWaYga/1G5yjLD51/8mDf9hLcbVrEg6BALOzOvbuywODnsgAc/HrHQ4hRxRC41GgnXFE1iMy/69vq3xw8upt81IetkGdpXIrA7I514u9vN2TD/XbEAHJAmS37Xb7FsKMwMR5IdtgLdhRL3F4bnfigK57UmYRI6H8Dt0rJXfM3qKp9mijv4dtnhrlR012Yq+cRZquT2WmbXn5mlFjclz+GbCB8qJnephmkF+bmYUHHKZ9mYBRUmv2rSIGHp1oP/EymNycc6gHugn1i/vs4a1rHBatBzELo2F6c2HV2gKJj2fxFnYFNmdgJznedLcD/EMDSAblgFD6N+kJSWf8hONJ5D524QvY50oDilXtPoCyMNYBsOUfCUP8Za6wKK8/6sDVal2gBPv0wYhrC9Iyt5+kZz2dtE0Cg9WFdleV5r/6xPdKGkcTiNHY8XJyUnyfB0+IChxPJbwu6Qpe+bkqtDnX2uCHltHMhDEkX4dKFvn+BIU20b7BOOrBUySUM4pnYUtCMMVCpnlnArfpqMXB/jb15GI1gT4W4+m4Yg7FqwFewHugOuV8Yg0uw/lPlsRvtGlpzMrZ2BYJDQhEhh8DkmXZSrwmQ0b9W24GToRBFDMeLW79RHe/OBT9ep68htIb0ZT0K2YmQrhlPV4TD4HrtV4REQq6vVjylaCTHX+oePj7YYUlBJVTLDarbHApIFI+z6C6t8AgIsmjxhZyT9XGlPH8pgaULH5Ejq/WaXRSvHVf1TOY8d+UIUZwVmbuXDvIFFkgBVSUkGpYwpImjUIL/1G+dg6/J9LPEzg+ypPzJhkiKYo2lnxyEpS7UMOaf/pvVIn9bmRlcDXjDhjumlaLc2iiCZ1UcrMBPjvMO1Y9udKYw+EWLYakY6QDCabZWBfQpVvdXpUQV4XN+Bk8jyKuHzjtaAFXPAv+h08Nk0OJ7Rf2FRdXI3s5d0e25E5DksHz4j7eauawU3LsnBuT0wZzSP8lJVFd02ivl9N5yApy4DZlS/kpE1Mwi90LV2X7+wVlXMnz8bp+FXWr5b1D09iPqg+J3hxWQ1Yxsj0R3ef1gjF2cdJVMks9s6IqCDMkk9A5bIzUeD3vB0l0edsBVQtrHiLDtnC8hIiaiEX+6A2B8aRrF9rPr8xxrA25buXvgrI/sz2XbKTtvbIAu3qHFzuOLU5ZmLTi3dLPnU5voqbWOt1AaDzrPyrrUyzuhu2DQ7KgoG9glrBu4qfahIaYhv979MyLO+fJs/T5Mnhm+/xG6jUbnN3LWGND2tDvGA2e+TuQh4s6Gcq6iK07nFRSq8TnGUWMwKxEkRlu4PkMLFoHxjTqB/q798kqjLmIB2n/umi2vKFBinkPw+A772UEshVw==,iv:MdOlYBly1LCjAC3pKhfT5k6TZm+pUrtikJ1R5g1H34c=,tag:TG5
mWrdjCch0S112kcMp8g==,type:str] -atticd-smb-credentials: ENC[AES256_GCM,data:rxNeD2ZfjdWdctsNLa7ZEEed863Huw9+LjFYXJ0w5dOBReTlftWfrQlwcXY3Efb6ueJfie9ldJXzO7+Bk6kK1rTYtSJvCz5j3d8PIQ==,iv:D8S9Bu0H7qB2f6IKVk9aW+5+QZQ8gNgrJ0W76FvSfEI=,tag:i5GhGTikil9I3x3D7Ek87A==,type:str] -ocis-admin-password: ENC[AES256_GCM,data:RaTYOpym8818FlJcvMKtD7+wGtxQ/5BI9smluMsrh6V6VWE1FefqfCfkFZl2xg==,iv:8wo2iASlUClRUEu+X4bQo4/8wr81XvwWHA48a3A/PLg=,tag:3iGppZMawfrPMKspn1C8Ug==,type:str] -openclaw-mysql-password: ENC[AES256_GCM,data:ioD6DBOTMR70zFa5lOtEAo4VF6UiCPujZl9T5yM2Cv4p7Z7Mq13bG6/tjRYo2A==,iv:eSbwmVKAAXBP2dxq3PuZ3R9Jghdk+8iE/+ysuMWmOTw=,tag:6Lzrtf1Oo7kn2Krs04tU5A==,type:str] -pushover-api-token: ENC[AES256_GCM,data:SmGX2G2SqPXR+JxLpTCdRlvfQxnICYQGX2lZZ8gn,iv:Nhf15Uin5Bz9YCIa4vuMgVN472otKSfINmgjqMZhdBs=,tag:BQrUmyiDzjMFIXF1pmKiiA==,type:str] -pushover-user-key: ENC[AES256_GCM,data:01JeZf+e0JY6x1PUHoviPGy6gp6+P7ZC0VpitxVd,iv:xdlFZlMmz399bAKRTfWUEiY1srWG4lthvMniO+qYaWQ=,tag:GP+NIY9glf9kx++kEbA3sA==,type:str] -sa-core-mailpw: ENC[AES256_GCM,data:jU5HDVARYCKz7Vk3bzlriAxfWJzzaOJR8Sqg,iv:/zuSEsEZ3Egh34lahGv9Yx0l88wBPs/TizDxo7mOQnA=,tag:S698QX0Qo7U5RfVYJLV0cA==,type:str] -zammad-db-password: ENC[AES256_GCM,data:IkociTGt+/wLx2mymSn2Pb7y3w65gWo24j6/pZZo1Ia40IeXZyMvUp+b+EzaKoxh6Pn97fLtcMc09AIu1KWRYA==,iv:U3lHTA1WMxFKfFe0AJVon2pDp4g0+eSNpPiiH351Yv4=,tag:CblZX8H9njJKy5ahsIgBxw==,type:str] -zammad-key-base: ENC[AES256_GCM,data:ttawuhyN6gl+zveN0OxuRvMQ2V7Uxn40vHNMGhbnD+U9mmR1+ro/79iXzcMQCAcnc/YwGuUOwKBIdklGG9L4yr9Sga4EV7NsKviFnLAphwNpPzzfp/IuJ49AA3ut3z1DfNxjYjJyKBRbzcY8HxIEXEx8ZgKPkVP6od851vjsz7g=,iv:93SR1XLROwRmbTng/yDKHydcYUoMFB0J3iDL+m2RaN4=,tag:F5rR738p3JbOsVl/N3oJBg==,type:str] -updns-token: ENC[AES256_GCM,data:iod0VbBSdryYPkFkw8a/cgg1wijtJAIgMoUmSDosgxM=,iv:7HTZBxEWBiSXPr/SJqIJjiK/YUjNT3ZWqH4e5cOnM5c=,tag:LAm23Gxj4LuJ+nb+Bc/JzQ==,type:str] -wg_cloonar_key: 
ENC[AES256_GCM,data:3yNVgw6VI+B2Em0BSJ9COCUdvqMhNxf4LhZukQpVz3MpUASuqe6a7SUD+oE=,iv:wh99ZWcvhXhZA3pKJG3oz6+Z4j8Ln78CgTb9lqN5Tos=,tag:fT+1x5k57U/FbessR45i/A==,type:str] -piped-db-password: ENC[AES256_GCM,data:Q6omTndqfYOER3lovjnxEzSKDwn3+gdBBNPPQDRaTE/mlsIop1QNXTlby7w=,iv:UE6ZZDyumsUAA7WGf3RzZohjYPH4/7CwBvdvG9lPkBI=,tag:vBkrxHbSLlhEn2LigFUYfA==,type:str] -piped-http-auth: ENC[AES256_GCM,data:Uu/3JUVCYdVYhCh1iRKJ0QWHVZI2ezCkrVYBCA0bwgO6PjHumcuN0HObpCfM,iv:/OIqimC7w3X93a8/Xc/ZVkabPto315LFDHCzkSA7u8s=,tag:sHyziP7D5OfJ0FrV0jHpaw==,type:str] -fueltide-lego-credentials: ENC[AES256_GCM,data:1l1zgB4umgijima9DhW9Kx0Frwc+u44P0jdXLQORZcCRQwjdZt4xYPmi9ydP2h9GMQ4wJfWwK1ggzBF6DFS/a4ijeRYWeoRpA9pEuxrEQl3VYQ==,iv:wrUpTxtQxlO1GQcgmNIsmsVxiIRnZHCmx9aWTWQw36U=,tag:7TOha6wlxgplB6Mq4/AtfA==,type:str] -supabase-env: ENC[AES256_GCM,data:k0LeN+834/RVNz5F2IcQ7semcLSlV6wgEpNI+HHT/VaujxFJ/sxn5xiqmhOUdfuDGj4frzrC+HKun3goipd+nPx4lyca/dhFtpBwBk1BxvIXd59qT6mUqzFzbFWHRQRNPeVPghO+evfx8jTspBZF90kwdXupcFgmqzOys8Tm2rM1qq9qx+mSZ3ls8JF/ba1J1/DwkrrH5qdJwl4iMLPryr4aDhvXqiCpjyCf+kGmEPjrvaz8qLzfFpbHSgZHxXOPBUqz6JwrDrzI0AbMbzuoP8dLEkBwS8c8FJL9A8xzFT7HkzOwhgYI2rUU4u+IUpF2t1/iYisWEvhbTeu8fMql8OJMupPwUaRY/Y5oq0pajC89lxGEtpQ2BzOM6AS6rgRZFIwGu/Xc5qQxsO5Oozhdw6iaetwk6YiFOesGlvOjzqeQ0XYK3nK+XUjvVolcdCvmSocYQCykqbf+DWsFNH0QDf+yXPtgkkT3PTSxKQ/a5i3LQc0k+XmOv2Ios9dItFsDFNjJrlhwwg5vSljTE+nz2V+wfaF8EDWlpoJ+I9X8tvQJMVqys2ubMe5IhHoI77a3LWXFm+N/Xb3PO71Fw2L1AOJzUgKWuaoelA910kpFzpqO1v21dC/oKMMHRdoZh+/wR4/sEMrtHqljdEQo8r7BPyiBx58FBYobsFr5OCM8RF8ZRVk2GnN/bPdEy2tgJm1E2zlzVqUx5XAzgT6g83O/ceyqKLrbOKyZrkfvd1bj7NfMTu3olhcWXAvIz0T2KoAqs3Od8wFErUQST/dXdyTvKd5EJ5hScMff4cqXdZ9EaDHFbirKieqwgb6bSFZr4hbPIm/BFx26C+l1pZd8Fj+1jWc7wg/1hzcnNUItWGSOsU9HatmA+KYI/YDZfVbpio/LSXhMW+mR7nicvgH89bz7wigeqvIJtxmEbWqX5Z2rXM2jxAfE3lDLaoPcyRUrDoiCBVEs26ThHXzgzPbOJCGfwe1F7a6tnQBwYA6RM9QxqiF1ZkIYaTaxrJPR3f62SnVIxSZk2mWQ9Nee24Ca6T+guFI3Rr3wUc+2WLYKiWRZJsDPFGQFeHbjqEO/VhdW/t6RyG/oHewdaoPtJ/747ku/JCSfUOln5Xvt3a5ToUfAUCOFJQjOi5mC1uPeqw2IWfchkXS8eUGnu85qMIB4G3mJTOI
Gjxx+2wV+kS4yaHbl4/cQdzR0Z+ZjclKrLsu7oFzvMZRaddqfRaMRnbY6k8bWvvOP+UxkBUfaQwIL5h08tSDlxvF2pd1QMc/ebOZ0k6DHRnRApuWDRslZZXVf5e0=,iv:tXuI40VG7gndwTV+3dpA5TZSkwmfj/OS7jsXcLDgBus=,tag:qOO8c8kiy4oVP+NCwzXCKQ==,type:str] +borg-passphrase: ENC[AES256_GCM,data:E1O37tZVfr+76hTKEzluCruTO8JUrsTwYbhtlDmWxnX2wBwcQm21ks8LYTkgjRMOAg2pseHumr3HdVGdRz+wzw==,iv:dXj4wS6FLbe2s58/kLdoxrLE6Q7IKMEkKGcKq/v+dgQ=,tag:FtBSFm7LEIbbzebhvYqrIw==,type:str] +borg-ssh-key: ENC[AES256_GCM,data:mX/lV32oU4BXTjAA5T1lQnvWF9geq4bKmf2bCyjoKARVhVrlq9TX/GQqkLPjVsA/y9BeE7yvUdCst8F+qKTGkLoLHU2DgjiDPm2voiBn/x4FO+QQMGl76UyB20La+lz+hs8hNsRzDEsAhdEzmi9yFDythUOzgYLbMpdiOk2aPau6UQhOp18DDBXpkFvqOhzO1QzNFOJzpd2kbKMkbQzIuRbwjVzQyFm4wJmPmKaaYG0C9aobn+qrgCBMjcYtPn1S8GM+nigYsvLOJzdxYC/OZUBESosvAh/KEiQYXLG6iBC6ExonUCJsBBxWDMnXPNJC7RWL45SGySwv5zq4CI44ZSvfXwbyUG80omTOdkbLaxkofNKWIK3tJ45p2MmHhh6qDqSw+liNp6ZeX17fwkCU6XQymRImdKPFJrrs3ZoR3GvzyVXK/vxcvG4cTyJxldJNYeNF0oNJsB3x9svr3vangPgyxfUn2iYoSssz4NYGUNhy6edHjlZ0phioJIarUkdLBqXVykbpEg0Lze5tMS28,iv:b43PmYxF9GJ3NX1C5Ki904lx8amjyQ8Wx1KTv+hIkPU=,tag:WzSGx37prY2dGy2s0RWUhw==,type:str] +vaultwarden-admin-token: ENC[AES256_GCM,data:A+WaZP3rOT8Sr3Fnh/aX4vSUQViNgn2KlFwkjnV9mIK/3m2hQBnMvY2YtSFgLkBEkMomAxmRyIAw+PpWU4+TlA==,iv:QwLtekgMaBaAKeZBb2wvPZEuPYwpP17xOVZOkmOjzFM=,tag:625ybIGd3Wr2pLsnZy9pdQ==,type:str] +vaultwarden-ldap-password: ENC[AES256_GCM,data:Db5TKSQEmpZMLp9mLqV0MB8ICnf6EcgHCG6BkZrl2H9U/PAamPQa3aEgS5yQDDZRXADxnVaeLvvBH/CQlRK5mw==,iv:Ahg6ZiqJHCoJ43yq3WDw4oWRo8JhrQ0dC3w9+b8o4+k=,tag:xetBoKe7aw65nNXD2cVASw==,type:str] +vaultwarden-env: ENC[AES256_GCM,data:761VT3rj6WltBrjEspTRdbOCKcQOt06R2m5TOTRFG2BRHwsSCZP+V3XxGe51xFwB4LMUD4zPjl5z8FR25Z7GdRY6i1DGBlcCSJjJAeMPBY2v+pP2/8FmV8zcgAfOJxu6yjkfg23+q6bUxFxSwMkBUYmr0UnSNdQU9dpB9O2r5vfNv+JkjOZzqgfvN99YBfV5o+9H5wQYTnW+TpV+lsIOeN/Ja8l+tMa8+I4AH1kkNASD6LQ3TEFBuc8IRmUfztEsuCR0Mf7kEcqhDzWac2SC1EA1jhLJGMgCQtRqeZ++VcoR1obgwnMdjC1G783ffXttMJ/Ut8kLjQ==,iv:fjbGcULFd5fSZLL1l04fIzDvlcKvlnlCXsVWMJma4Zo=,tag:qFKfixayRWeV+D5i6Dr+9A==,type:str] 
+authelia-jwt-secret: ENC[AES256_GCM,data:StT9SXs9pkB75G2XdGVSlVYAJOnDjZFifGETVLkJ3C3tThEKybV/ibhMRZj9z2sE3A126v1xbX7SI7broNxlPg==,iv:bLhYu9vHh2n/nT88Yg7ejXWr1xvJK9Du2fAe8zn+8NI=,tag:cDX7iAC4Vrp9HIf0ZTIPSg==,type:str] +authelia-backend-ldap-password: ENC[AES256_GCM,data:d73smm/wTl2uUR3Z2RMf/AvFcDJvKZDxezrs6DJ7qFLkDWAu/0t8nB/l5CiLn4DQrAKQm0bi7C8mbGmKYTskag==,iv:X7KXpbRwcAMATzTNGmUlDLNvZJXjMqLwAkebsH50uiI=,tag:X0n+mhK5LT4rj5oEsZqZ0g==,type:str] +authelia-storage-encryption-key: ENC[AES256_GCM,data:NdiBiq0uI60VrqUlAB7B9Q2BLYyMNfBoQGL+obb8WO4ThOVFLsx061KjdzPtQ7tlvvhbL2JXpPXxfKnMRpyb+Q==,iv:M5gbiE8iDrPTxwETV3UfZoi3UDwXREhVcnyysdlD8Kk=,tag:aeuTT4FPPnJZGaROOxdHQA==,type:str] +authelia-session-secret: ENC[AES256_GCM,data:S8WkCSF7wbfb1ZOjuKSBDUxcr3Wsqs8m8ZIzTyScU1qt41gdGzAs7wBfTbTdLw+IpcUoC8iJv1cMLZRPrPz2QQ==,iv:/amZglU0DoYN9KWfaYeoW+FfppKNmlOt67HEu3tv5jM=,tag:yw9h1pEhdPGCThj3HLuMyQ==,type:str] +authelia-identity-providers-oidc-hmac-secret: ENC[AES256_GCM,data:qUUohOQMJrBChpub0Wo/oburQBybRCbDToFLziubhttcMqzEzfc0t5958Rd9GVwM3YKqbAfc85omagkh15xNwbAwKpW2CaQ7ExDnd800YkTWS/U5AGDoV61JDb7sl0kpEHhY+DjcqY/1Joy2ZO78cdq1OlDo9X2MyVBJeuLSC38=,iv:K8SNO6385+QLlbRg38hj4eHmqSw7RncFPKy+8blD+Ps=,tag:7pY3ibRYPA+zHrkWgcIjKw==,type:str] +authelia-identity-providers-oidc-issuer-certificate-chain: 
ENC[AES256_GCM,data:pQ2JmNy7kDLW5hktGUO2Ubxjs1bkifLT5anFdOE4AujJFMAktw4wkpjzDbQwrWAvjGiORG6NryXPg3N51ocRjAi8Stli4HuUT2bpSrmeQHfOP53TEB2CiTSrnp+8vRlwaflPCjH2zXldGRYAwMfKjiJcZODuIicB6Y6BqDJ9a4aSgSTlbVO2/eu4SUnwmXPtZKHkG/3o93qp3Mola9h9b6ZWiKhOD/BZRx9svA1NW4vkgy4wwmLR6kgVbkVDv8Ga/vJr8kKwkwmX9ocT2A4un0Uyzok0bISk4kOcnOEPxvlyiMbYc+dyfNo/czNN6LTsKZU58FRAuuYrz3zSh+5CxMbBDGPgW1m1iStSi+1ahZ1+OOi6Ay/tOs6jy1267qFoTlSm1Nz74dodlOEuXU9ezZRN/oakhWCwiEoADm4yQzUSKTahnsauap7vZoXsEjSTtwrWOlhUxSUIAej3Pl4e5uBYJCgqg9uGJu24U4qaWVnM2hn3bFeTI1vRW17K4WK8JQSvUHpENitz79/VwaNpoRYXNk4/S3rLWkRsRUfI3MyoeCYNflduFjBHExY6JG+DQvtMLGaR5Ih9VkGfbhmRLKVnuE03HMpaB53cja9kEeF8uFqigardBPIRanTvEXyNtz1oA5NdUhClkuOTjaUkI55zZgzYurJkWxsxfQtvSs1Um/VFkdHLTIzyTkE5y9QyZNuwitWYG6eHSjhfvCLlRYp+AUsL1C7CYM9/3RizQnHaXsyyKqoTbjpdk6qhAgg8sE4lssCADM3GwpUzfSnM3wDoOL1TozUnpcpb7Dy+IJIl15V3bJwzi4PF4OGpaWQ1WLPu0g+LZ9sFWtjc8eOqYUQ+Q845I+JfC7nE5MgxGeUQsLcA4beAOXlyfzBvUpHXFlfk3aM3Gzraev6p5f/bKZQM2ZQeiw+mGKh5s5ifIGUSHwjUlTca92ohOSR/HoDbtZGtLsKFjZUseWqu1JHLN02Xh5D9lMrWAHRnTvl5k1rmyUSHCMZNZO1L3a9qSdW0Brx5sX7/lw==,iv:SmXQArwrm7eufINusZdYOBm89FefJia+BYZiZS438ZI=,tag:4QUYxECPo2+RUWY7fD/peQ==,type:str] +authelia-identity-providers-oidc-issuer-private-key: 
ENC[AES256_GCM,data:GTSvXcCLT8LdMWhAjxG6qYR4hKBh64lF8ZYoY6nkbSIg4/mGIQc5XWYC0Gy6sjKXViLtCDoWx0UPGTxY4VEIA3N47CfQQjCmKOIQjr2R4xfE+F6SpR1kt3DZy8fj4zwwxT822mShZ13qOPXvp8uVzpO1y1ymlopCHuZtAVbljeJLrLniXwHXKMd43N62KnKTCdszGKxY7MdbjzEitVJJo2970TT8jz62PJKMEfK2gklFISCqvMpo9JWbX+0KjJqq3hOklGH9+LbAd4viV5ngTA7dMYWR0nPh0LVyZj+nT0A+6rsG2hLDTnYrYNJX7rlW+DR9h56ZC9JUuEDVLRsUdmz6w6iZmMt6GJW1xu+lcxOeXd/HK/yUnxWKTYfa55nDUZ+GhBPy2oQfw6+28GxnE8exYhhhsSn2KmkkGpBVMrtBuIQkwr8E4wpn3Y9w0eRaWWsd5crvuT2HLa4T49TVwxM93/zxyT7QFvsQhIOzaAhTavJMfRtbCvi92I3Z2WpDtWlxvPQIvFARzHunbAm/2UCl0jykVyoKOL6cu+jyKX0y6koX5UbVQGSJy3y1UyBKZRrthUbhRpTufujvT/uVtO0mbE2yDqnqn0rWHah6wJCuMk3UQR+AJcSgMkdYdLlZsuuYfF6uFsPoBlY5c93yeqjSCqRqJUiTUpVzVJVjdZd4kPIvC1W5Xzd5gqqnCMav//xCwCk+7ByYnWOM6ykSNWniQkGocW4+vDZSgozGpOcYVOTdzdMGwzgnu58cdmP7CxM4o2nLtfemLU/wAcNLaVtPlaPydkXVYkSu5tCi6L7v+KXBbi3q1PKQXSvvBKJCZQmwLNX3I/s9lDgVx3H82VefQR6WHz0oQz8LhHOQai3p9HrFBluzMKCmSngN985ccbRzlXpnxOGZz9n24wXk3GkVyhSIlbuSUX58JwLS5rQOn7g8OLo48HtHxUY5wxFxoK2kyxtgEuZb4d+zRr/JI9D17GS+Yy58fzYEGoE4faHjHTFwu/IQNJyg5fTzx4CuUM+ddgQBe7uKjb3VtHqRIpIVQPXj5fuRyGvoRujgONqmlNpJDFxFLcapH+nagFQzlQ5TJ+ljroxHy63HtdLP+cbn4u5KkJIyfHAMv9gkJf+1lqXBgRa+RxlF05jNF9JZHqjTtl5MtS3zzDZOdYs/EYiULx+oyN8Hfmy9JaFFNMmyTJtIQqodibL1dJ09EPolo2r8gwmLJIvMMHmfpGoGAx4y+BnBw4LC52gGacGqfvTk9pG5tMCsM86d2lYbklXpup4KkUXdA+9w+QLBB1SSwDD9bpLB9ZXC/XHw5iVUL1RsnX179Tzca6t+qUGSlIcl6YHL5Hzzaf77PM87ZGnBV+/UrA8XmzZfCA3BxiIouF2ItadRGuz32vbPQjN76ple+hyWKXhv8L2Z4HmqBK4WExPY5ZX1NbCNMLTD0omr9s/YuOvQxxQraUuLsSrzSOhuno6gMMOws2fvP3mgpsi5382NDAr3xPG7j/bWATJ1MYxdXNLDyYL/jP1PM1chbwcvPP7Ej2IH4NkxeD1bKu9CFBZy2ZjZGHxXho9WBr5+MeuFqbIADnneLzG/xfXohpcreumDIGHBl/sn4GdcQFLg/8jvwPY3VNym2G3LSONSPPwnEVsI4k6WaySTxnrzF3tSMckXKxw5HzvMU2YRQUoIag2Z2ZK+WQpL75r5+KBJW/hRsEkkMqRT+ztBw3fD9V0Ma++HRSdr7kq1//SX1WSkdXl4tW+A5yvsCdJ4kEn5gpqeENYlSpiLabdd7ASCRAB8GkBAx5o+OGPr8D0ntCtHwArpqs6P8wXvSFCpuAEL8WTgLYB76l1RHb+zp4J0C7my1MbBxVl2Xn8WhIWNvPvoXag4ukpUYL+9+SJ5hKDueh+YyM9iTw4pW2kiuxprshlYglPLaGl/DsqqEZxyGc4gdk4z01pXsZcRu1M3Ea6R4aTIBiwCvPZ0Hp0fbMlH
8LZnOq6O1WO079kd1PBXjh9jzr20UvK5F3AcJfK6HbTmH+CD2wSwr0s7oJnJ6KMWECSKi+qejSO5qIvpy/59LtDlHhYOI/lBsCjdqiyci9oVevNRFGGaLo8iNf3fWpLrmGfIFkP1VgOVnTm9W4zhuKp6EwazCMTsvKGw+rrVjj0gNtDzb66uzMW/5RV8d//fjaDvDWLNef29sOHwj9Ng4A+udZpRDxcgC5cnV6P3vunFhiFHJz02Y8ZY1zDNMxcbc2NFuDfKKu+ANEj5+gcatYTtsAWFH3HuSSxYvbwUIAj+tMsITYfvrzL0gpuiIgeqDq7DoPUCdMLbGYNznAe6TEHenZ+KeLLJs2+lgZkLmXQgVFh6WV3sm1mTpgxfcL3wwvxI2YrUJg6kRRmWEfL1Tn06XwqH31C+/SWQCl1a394CMNus6/t8aFkYg/YTEHO/O1c9WDBRVWNKQuVTiC2kCJe6tIA7HShbP2ZC5sNYh6lWqIQATM/oCGth3K/GNi85/wjgrSBstBEgtW1h8YshxelDE7xguRpP6gVC75Q+upFaVHTnpw5bwzlkN25y3KuMaktOQBJaoQ6jgNbCuZXCa7kCB2Wh2qApebkUaBVCWgLqDmX2u8F/dF6M/C8+1UpJTZGj7pRR6GMZmMRt27zuipClzSoLAJP1LmjpIHdg68M5epLs0WW3E6I9SRbFeERQ4JCM/abq3+w4xgsOjHi0A3CR4jVNiDaFujEJI6QpR+AETegWDSlKs6Mf2kSksH880k3yBcsTbbKi2YqbzpGXqiNl18GbfHU8hNLfF7dDYtlyeoIvWWrXx1sG9AyPgKbqC1rYhEoZs5CTpdMeaUQyAdnXzxJmCiR16qUP+YAQawTnEjlSmwOAFQxfSnMAHy+cCLnjk6Cc0VoLPlpeNh+HTHKm6etgGX7wbjeL0wS1AW7ZA6bNyZT0CvR8nn5fURpOa8t58l6DDyWhyJwFZP8GUZ0MAbMJg7j6bjkj9B+luRJ7dKsant6kfluH7UR7Ps+Jrfrdhdj/KDexWcgffG74fHYN8TdFBF7OKXD+kXdjjAt1Nx9rIw4FnlENurbw2RkkwMaQjm2Kl1Y3ATNsN6emH0541nnMfbVkGQSmHWMcE0aW0aXSYJw+qjMj89S0rxjonlylf7vsTIm453T8tHRmuRO/UzOpSDSEIbCxBnQcNrJebmKTjkvxqwbJbEfq0LB4t5F+wdqAPACU8oSLtu/hBZBgaIarHBBWYibJKhEnymMJ1WuhzZ+t+ejy6WRbwWQ9YQC5ZMYaNF1A38CIu/5+xp/7SSdbLO6sPq+VpLiOf3kE+rTTYzgZUqVN9NgkBj49RZTyUYVj0qwXGV9td2DRD2iPLSIsq9MSo2Px1iPSpHKkpT3tJNtC/Khe44kzgS9zHRC973paU8R544n0XpS/bJkBp6jx2dQhUuR7VCsZGX34sDlHraxr31a324p3gToNUbrzxfdyR077F6nrGcVUZJKDngoSCsUHTyG10JVySjmvJuPVDM+1eYKOBvY///4bSnVZ25930Hi5KTiI0Y4V1qJk1stZTsAdorxX2zBSQLMt3b1qTAzzm4ClXjrWBJ3HrTL6g7TGMZ2XWblB5jR6yYHA9RVY5BQq1iQoGA4WCkwXxunZBJp690oHEAWQNu3PB8l5Vi6Y1xFJyAoqpM7SZJmqPi3J/A+kYFqRTmjke6US8EFoZS1Cq0u5BdE/AjH3xQAu32ElUfamMdgtJ7jbAevDIzyKC+fH+vhmDkmmUT0IsQRF2IOufA0Vv3ehkQkMtZU4v39itA9H8HXXA/V5JMRNQSLQd91G0dfEZen83KDharOEZPuou3EBoEhh1ohXOlO+gMt35JnpUjobcdNXKm3bZa1VK8Z+oEFDfmbUcR/xrM4S6h4R2sg/U+E4fBDkhJfh456Ebq0ZEUqJZU945qgcWj+4zHkwt5h7XdpnkkKRk0rKQ/VzSU0xoHApMO7aK0YjBQHnF9Kd2j2p
K6rizqovexUeVB/Wk0g1g7cY72W/a225/YfoZYpBZFS7/2+AiPNhI8FIey8Sj25fhPbzOZyInsc400gMt0/lHpsBB1ZHML+f7OSFWZgh9z/6OlaBfngw/QAhi7g9S4bM7SJY7Ouo58LoqnMhXxE8tMzvzGrJ1kVvLLi8znYbqZI4Uzo7oiXQI1Kyo6IfSEjL3LUGUfdsagek63WqteQ+gv1j23udXYxz5Fa8IIsS205GiDYNYWmS1RJdcw70maoD3lW1YGLhU6H0hYLnwLpxqGVkTKxVn/2gijSU4mUklNeMZIFS9mLIC5FFA5Nfl2/whOXHOW405gb4Hrf85L1fy6a8,iv:0+CqN0JedhUvs4AWh35OW/cDIfqvE0rtib7ZLlE23Tk=,tag:0Q6+Ee6kQig8FlSNFoCzrg==,type:str] +gitea-ssh-key: ENC[AES256_GCM,data:jCe+/CpRfn5dv5neQ1yzL7nI7D6cwjMohDjDQmUJxHkQaJMUYG0977rYEcZhPhFUCMDNW28J60g/kfrfRjSIzX895LaD25ZZrSbkeLpKywt9zhUqaXnpaPcT9SfQyn+jgGGsgQd3xvi/1fyu6+lwDfQ/nbbF33E/Wo5D2j7o8yL8LbvDjQZkDZlaO4QXTRlhxtTzlkZk3zVmIMF62+PMYImyCdH+bAQ2+12YhO30iETiz1EcXSkz+EtVZj1+pI7RlJeQK2qp5HUJT7+h+hfzNfslqd4pvTKFwUvM33VSoFUR8NRuh4wAu5pthSp4JPZLuKGucvAVC9g+F2wVfcS+ntHKSBW3fWDYCbafB0USSow28ZhUn8eZRhBkhfisxgp1Hh+uD2sgBZUEPJo3AhnEOKC0X4MgWHU2qEi8BiMkplE6j8tVWtZja+le7kroklZ15jwuEls/ZZqWDYjnef6KxfRRBRxu5SrZcHXO/aG3qeZ0qArPcyO2ZzJvU/f42+TOlkzgjG4OSY4lJV3mo/Hf,iv:mBlZOuBvd23enZ1LwiLVIcuzDdaXBMdMrtw4Zu/ZIPA=,tag:hK5UQWZThjkWBf/BKXqMDg==,type:str] +grafana-ldap-password: ENC[AES256_GCM,data:9F/gYXzxzkS/vq3UE1vYF/woYs0Leyzroeqh5F7YV1r2Dnsomxm1AQ01N71wtAqW2aTda0pwDFv94N3qH/CJZ6FBk9wZrbtY5wt63PjvkaQD2T/7rC/BmvSWtddSlU+eSJ/rTilHHEBpFb+4czrRcyZmy8x5vuR+h3nz+n5BGgU=,iv:kFVlGQZF+ins5IPRwOlrT38hpp6M69x/hxZ9lDWZb2Y=,tag:VUh1GVmlzy8vnmPqyWnaKA==,type:str] +grafana-admin-password: ENC[AES256_GCM,data:1eHCZpqjmQKMaD7PdlWZ784shYQw9lSa3L59uE57yr+GRIxpDYgWSh748tcpicMfQE8RlFpq5SZ45BeqtUodM5lxEHG8JIwu0f0X9xvBbm4C4ZoyMKg5zB9DY/39VzV+KPtPffjy3tCpFjNzfoBmw5bVc1aLrhsKtqOreKg4njA=,iv:XAM2leioNVsOLt/EC48iuOx+YJEugdarCZBV+/ybdko=,tag:64MDI6nWc3XMkQSA2/qGxg==,type:str] +grafana-oauth-secret: ENC[AES256_GCM,data:MRrb9+JqQZksdVdKDZJ0GJsBDQUwkfboVXL/xp7gMfRF+LNsIdxjSTeLyXAjAlVGAp9arb2zvVGNfgS0B8Lng3fbx46UC/s6,iv:blgyt4cLP49K384yp4HlL76AogEewwk7bqCIbwB9AuM=,tag:MSYoH8Fcr5qQdHhBLjbRkw==,type:str] +linuxbind-password: 
ENC[AES256_GCM,data:TY7UBM5yDvUvUTIGjshRT0GtiVrBufpf5g/wJP2CTz1X/pliZTSJ/RRR7hc5TuUPs6nivGnQUNm/1EXD56uIAA==,iv:8cOr4WrkjTsGW5XDAjQaOwbXJrH4D98yO9jJRTn5dDk=,tag:Eu6N31m3sfzN14tzPvVq8A==,type:str] +sssd-environment: ENC[AES256_GCM,data:0up0tN6r80Z7uBgUFHTgd1IWhQE0EeM8DNrngplSjHnx/dMqBxH06liFalfiAB92KKtHr//iBjgMHJ0jtmW8hu2xFSE/QAZ9VZ5BQCyhwn9sSX6NH0SL65aGrg==,iv:3Fs0AxtUdsei7cw0M85XT1eraNIvwONmAS4mE7ns768=,tag:5BWFnOWE+V8C2gFx1JVEVQ==,type:str] +promtail-nginx-password: ENC[AES256_GCM,data:Sp6KjAUz2y+CPwaWb1k75Ca2SX81dGdlcfJJ0tLKyqPzeVQz7arpuC3/0TPNg/zRG4jHchS6NJ2hEA==,iv:1FYRFk5eevTwMzNMkpC9kPDivf+Z4kRa66EhI0NXXKc=,tag:4Wg6OFE/XolDq//I8hh3gA==,type:str] +victoria-nginx-password: ENC[AES256_GCM,data:QIjz+/l7a91No+9EUMDUYsyRpNqHWGn2Ll65EV9rSF+1G4ubiRBVzysYYetZRUrgZxsDu5Q=,iv:eRMYYoMYg+xD+HwPs4muIM3GQ2oC4FzYKMnnXpHp1XQ=,tag:WPwPjFC2v/N1sAXkmMCJ2A==,type:str] +nextcloud-adminpass: ENC[AES256_GCM,data:ORkyUFw7kxJWw45PjIiebBwoLLwGdjxumn9L7627nyAHIUZm2PYLeKnHc2hZsqP/dEs59pkttiindXGePrQa3s0fVZSKrh5g2eGnX5GfhaZgcMe/Gus5P1YMs775mRgxHUfdPkJdzs5A+KmKWa5BLUATarO/dZvLSlfF2suhJK0=,iv:KNIbcDqVGVPv2klixeKEhQxB1/V8KRXl3rtbbPmTcK0=,tag:wRk1kN/5aSUFB4qLfu+Ytg==,type:str] +nextcloud-secrets: ENC[AES256_GCM,data:z6jPujXeek+q5er0hlJXqAHHcKSEPHNuQ3g9O7uGDODqttXX+iXL8N+k2EsTk3baAncR8OQsXdWrKmyR68coNGZZTQ6V6gPIfDK58a3Z0lErBy2oW03apCIVqAt4a7V0w4KUMUisU+ufQWEwIA==,iv:pdMlTt9w2lTt5XSaohGxOhsqaCLcoWFc3WGdV/RvpWg=,tag:okguzCm2iCRxjyKmFmyQAw==,type:str] +nextcloud-smb-credentials: ENC[AES256_GCM,data:2AobSnB8bracurDscSHt/4j8fY2uvU3zZ8f4j6VN0M1Y6i7A8ivSsGNG4t1LOu2b,iv:ogRwat1FWmiihe5xPaxduzNxcHhBGSBG3oM0I1nr7JE=,tag:Tsza9rKn44irm04Hj6XUrQ==,type:str] +atticd: 
ENC[AES256_GCM,data:B+Bpay6wCNy8d2F8JB4LyCqzbN3WSgUq66fyZA1jCkGhksRQtW6Fq5P1p3w2qgLA39Otwq948lQmYXgyxaC9PX6b4qD1Xnz2xS1D0Oc0xLzSqAbQH/7p7X8bjn/fC4kBr4zZpJKsVPe7AzMAAufg67l4Nmlm96/vAUW9XSm+9N69aIORgNEXtyUN0XrVlkk5CLv2MohUKKYrOrSjny32nyoGBJ4HUT6Eqly2um6s8rPIF0UuNWPFIR9GYlbSDyLnYySVRbgdOee0hLz9CKJf07xjilMrPJcL+Ruh+1EwjACu8Uf0Ocx2aW+oKFXjbABfWpoTxj+UoqS59Q80cSHlolpvy2dqjxwzWayusxlbEL3TF1NBp/2x7ikye0uxA94wk0ApctYkkwwn39URREL9N75eWmsKz1nDFrLPNG+LNFKzsspfJ6tUY8me88xOFbmQb3YBkTJkjdjw3fyPKl2wrsaV/Vl424C4DPgN4PhifXQhqmfl5HQCmEw16jEx++VC3aAF/nGQ1yw0v8FIXZIi3rh//Qg5PlPKMlaMDz69avlfuyglyySL38Tode6b5Qo7He+FDVn9J0bqoEkrKL5MovACoonUxnSz1g1by03l+3G6X/HAQCizcbj7plROGVVoULnfI5OvtyNxmw1WWEvigkrx/HpQ4ZsdQ51iIvt6HCZrbK5wnOmS+y8zQAgScUyZ/s84gTwelhJN4RDC/c0NnDs2QBeb3RItrg37refi/CqzUvS5wWBoKzKCmxTVlVj+TcA9+/I+76T1SRxaBdsHG4ptzvnbD/kvHmITNmo8swnsCTa3zVC1tH339/Qsfg9Ae+uHwz3SbDqEsspBlMqCYkJIFGph7nCVb2GFJUCCjnCAhjCRAEoaJMGBBVINbL4vIH7SAu/NxL/pZhy9nRjwaKYIB+EA2S5soff5Hrw5YT6FcA6LUSZll4xej7DHHrBTxb0FfRRH2ah62McAvkvWKm7BB08fbRbjMxAJMu53nzRBkfwqedW4pTVoPQzR2kP2Iyamm3sjHOM2XNh03BBhxH1m6A9yABtemZhE+yoHJLrv0tQtJyp6TtjyMsOi25EDtqM40QwnwF4rKRk144ge5q8aE/8sSJ6y5aSLUAwfw89MgETugXkKwyE7LdYrIHRBMwkRDF78i0UwEGkKKpLIijhuuLMVwcvPwSIgyBFBiZctqL6p8Sayhhb/g5Asr/THoyterOeWaeL6wqvwcjODUjDyK8put/oALhOVETAZiv5fFEW/B6vkIQPeAVUNXvTQl30lueFDvv5jCYxXHcJ4vxvWX5p0eXFXD/WuLSuUm5F/uL1231Zkdofo6U6PBqTqyXOZfaqDa6hNIsargCsu3GUVTlcafBwbeQ9anF010D9h4HTNPsKPAlm14CecvKKscf07w5cL5/vkGu175M/xI5z8bG4JdAvrhsShiL0hbf0WlProPJFc+AS9zgXxlNfqEn9gTFzfFNLm9APWjZ8PH27STfubJvtvq/dwUjSDV4Lpnq7ououFWF5b3PjZ8OX4Nu30r30Nt76NJMREORV3w8os2geILgsqZYPQJbvnw/ChTSWL95Qm9ERrW1HjkhvWatED47/Ed1PlJVKJAI45RVke4vei1qqG7yIeRDjtneAKfIkiVBnWgl1G7MSicJf4hJnVpostEWp+DIFZHShjWRmq01rvwh0oRRsHnCkdXfy+hh/k9YyNb6fBkxhuab3dzoVtTOY1dzqEmcvZoqN2agyWpfIj0x7C3/w+tYkyxs+4OyI0bI4O+Pe5hpWSP9teYL88QAJQeFi6O5XlKiUUKlI3LSpMfkOH8G+pgYL0Ti1Jb6GSlfErX70J4LT26JL0iUsyfsEwvGNFx3/L4SlU0hMv7rW1wNpvQTPEPr+NQGDmv9QRW6myF2hv72w/STqlxTedwdVDlSaAsQriM8haAmZCp6l2Fr3DVOKe3VQNsyHkHceRWfRSZHOa1hUQ
hjQP9kc/3cWY7G3lSCXWZwrKcEpoSpx5fWsgzwplYYv7eIcm88r6+RXxSgv8r66d6/peCXv2NTnH7dGDat+WIRoGzLgXCrukXeH9BrpTjXIxRr+zxj+c51LCDf8Iyoymyhv/DPXMybA7wfs1cNtB7NY9GaVt6zbhYveS5um21i/nuKRnBKseUWw0b/vumpCOSZxM4Jbziko+Fn/biyBCVDilRBHAyGD4blOMCizlUMQTSVUw0udQ8Ar74o/Xe4t1eY0LNvRA1uErKd2wR/m9voj0gJpZxdXn7Wah8jx8/xDSeVpzZcmQidB2iOZ7EtY4kWnh1dWzGvYMfhXbHfAnu7zkZtBgSUlg7Gda5pc86wYd/Af6X6k0kIUf9RyXPZ7Ir6ocM//TUg3mj0aP0YQh8LrdSXTkeM0zJMfzD/mh6xgZZ6GF6UK9KJp7Skn7B93KpaRAEd5SnOqnMwh3mlOqt2x72FpBXI/VN2fyv4aA7H1YDbMkKgqoifn5O5hQQ0joAMzvPbkxa4eRarvLWeGEvga/vNFpHwaf/rW2V0KseC5/MtpKBGQQfhGilRl8BW+J94uMEkRJrhzrLMPoEgbjoATbFj48E6u6Nw0sGZG8pfUTVgZh842eC+bDUX2hHQljc42cD6NGbw3LRjPxiDBXgU8ppDTNxaXXhzX0EoXuXwtNaOy2W+1gERDKp7HP45EHZuI9/lkHJ1/KB+uGDxTSABwHCeWdQdTt9EASCrsXr3jEXXv4BWfaNd5hiRKZCvXof+N77/2mZ3uo3wBLPjbhToKYh0hPyiE6bSB2liP8+kE2ZtxzkEW39XjYExucsXN1OvgDAfi5r73Esx+sFtQkc7fZ2YDuxdAxQZhAs++sa3dLudbn6YrdYwKwpJGanqPrSiRbGL1JCEgjTSz+NpsVx3T266sCrr2YolhcuTiH6ifhP7+SC6NfQ/NcADjcyCBcHetr9xWCPdlCxSgk6AWYU0rDv0J5W3pr4eT2WXjDE+wDnboaYeT6B6Pc1woyoK/54t/dbf0uVdIM+uarTrtHKh0r5yRpZVbxruZ/lFisu4C0QJSYdwDu/DDzuva4t39dx6GTjXUcdRlaHpBOW/gnF/kPrgt/Ra6+VHhPOYYOOfVravzC6LxVfoPpAGUO/8TsWfNGtdYnaVlTf1mg37ISoY8iaLEWtUS4DhoxxtZDlMt0Wnio1TkisEoBuVZvhRuWWLWmRi8JJHhjdjFft3FblwxA56t2jkvbNb0i8hv3rXfbgXbAF8jFyiMoPBB73Qj+DV4jO7gZS8dHw/k1L9kNnVeTLYwES+SGzhJnk0Wni3H13EMLxKDOxcJoGi/xizW5S6ubwmk58wy9//nDKgmzSEf37IZt9X0bKX8PlY6QJIKFne+JIbwPPaT4y8Uq2yl3vFtMjilpRB31jtPTgzCeER5S/q9OdHrdrXojwMZ+WyN8Wxeqfb7l0YmcjOsAE3Nt+7ZLWqwvE1VT+VUkl6aDtLFCwxn8C4P+7aKAmfXI+93nM4RRuH7XzJBnKF3r/xjeIDtobxiJNQd/jK0j5GQjAaxmbA0vi5ztZSNHpd3AWLLkq852sK7pKcLTsvUWkYssFTmqpWc7Sby7+Yj2p6JweoQvb5Y5uhIrCZ0hGbDeqYfYOfycFgHu6gcTkix+wnV7FUoy2FXKS6ahrcnzPLSex+tu7N87UB7XzcMwrgikTmyZwKxQudl06vh83edeaVG3apEFftqXBpeLYRuXG467rPi3o2iecIbuh/CxhMkO1djnpfx/CExPCVeh4AzSxWSGqwrvF4gvO4lyrF0VO4Lyy0kJMp5uCF2qhpGGGhGz9YFR23jr3DZu1zkz7VRTmLxVe4O5fDcJoXc6372aUXjqI46aq15ws8xNfMUL6kbYJ/Ijf7zBc03106xHsMGk6YahpMQQNK8dmwr9z/4dBsVSSf9GvXhXPCfyJ/8HvgaPRBB811r6bHtV9/jNa6G5WJYSI0neUsAaqYqKVtvu
lvQedckT0LxbQJZq7pgGSFFOlzKhoZh2dbPF8csRkgDohg/KGxmyues5YcwsDwjQ9ZsjGFU8oKT+258oerS25/kNuKkyEVrafHbFVjn94/z9Kb3m+05oM3atGd5erif5UQfe3x1P5RaGvhgDi1f+9vZXRBlJw0FQl1QILLtfWcHVbb5jjKqtOLt8+Zl11e1VzZOfH9c3jDuNLizbW6a8/GhIQFGuRUP4rpxzHmfd711ktsuRBrww7pc9WfoQghSyh3H1eLYU/rIwqNUwJPsHLER+jcqu2roEo7t6U45FmfRFy/THdjKL5Ps3ZXjGwJ8F3TyzgEKnnqlT8xvWvYpwxYkobvVnM4+PMtDYLYBtnN1OMhBqZLUqgZxhu+vjR4fojVwoVKqSVM8BWWKf3FlkrD8nRVfhPcKwRYRqRlzqS7T/DoNsj6dWOBg7DFi2VatxlQJDsgNa02Lam7S9aCY37h+uDYXjawTXFpEqSqhRzLEELdTxUaXJrLcNrF6fhBtgX7wW7RKsPz+T/0wijMfyWZn9rkKCutn79Xvgc7KBDqsJApHMYmnMEG+t5iRlA1pBSCsfWeUD9ElLmR/N0ZGemurrKy30PYqNhuLgvM2fzXcwkmGXp2T9N0CUa/mgpQr+Wz716Tcy1jO5Z66K/DPagAtA0CKBN7yeP/L7A1T09FLMO2SD5vQ3bB7iVCRE1UCTu73wUgsgehBIgg9rv7osRRr/216cjkSiC954RoGzEGcchiROLhkaaU5artilxp7jNT8WSBW3AWL0s/OuXO2XyGUONnnTF3FG1j3kaLukZqAUXSCw9gxVI/NFuugZN+m3mjAOqAs6IiTQTWh8GplyChNijHRnJBZurY/AODzDKj6dLrKC6HjtuSfMT32IItu19GMCS47Uhgpgx1L6UOL4T5OnqjGEqEP9jiSmqdjRBFKcvvz7tvhAdfTkmBu+ZQ+hAtJxlgDMHyxkezx3xvRj9lGlYGqyBPshLhSjRZ468kO/RO3oiTXgizx88waoQiW5X0EBxHW1ELlC5blmv0eebbFy/C9iK5VwWfk+tCrW2iBJunePmqzC4zWkBFSCQAtG8+5zBFQZ0FQJ6weX/yYiKSzwYks25TH9ZIBYVTjY+RQp3Jc4fBUE6nnpNqeKmbjv7mw801bv39Si256T9MKf9I1pe8LMoXBI+BvRF5Dc0Z/RKb/eWiCH+P+IP67IvAwacQ/PfFuYUvh/fvw2Myek3uv1ggEcDE1N8sJXDTGVAoiwzaVbo0sAi7KGNGHevrC4Ne05P8ePUg3Oj+yvH8C8EhFLO0pUGQhQcztiDzKBGiDwUkookYaUn1H8qEkQ3EgfyBHMIgvLvNyR+u3dizvxGJ4S+KS8yosemtBeyLxKgMFrmXUssiwBqOgLAO0Iuh1jjbxedPnB8MvvioApG42OM9w7y+J4EFBL3LnjVK3aRB5Rg3GTYf+M1iq8+lKeyUJ+VEFSib/1U9ja4O6WIpPoTatVejWv1ql8QanNva5XJUMIq/MjbQajpgXARk5wJYgP13mnH6S9Xbp/Do/bkFIlaRCAdOP/H7N12JxeTlnPkpcfMRvuPiYgS5aUbQsEu0hT6RV2fD06QCuOsQ+LtU3EJVcCuz8l042OI4PhvbzqPZQiXoslJheZN9ZUi7T4fI+WBphrTiij+PF+ONO4mrrLec2+BiwQiJJSPdkfVwLmmh+xT46Sn4HmVBATvmYgVQPJxSrqLd43MYNZDlSDF9UCywbZBd1HxqLYw2MheAy6Z3rf3PL7HUEHQNEpJ45HOIe2nafeNndeNXFQ4usac7H6jqp3tVfWiwc/j0AeEPkTTmC8GFhrD6Zss5wP/4dNgrq3MEAw+HYJMoyi+aZPtFWLneKqp4Imy6cNgzM+6sxTG/Ky6GaJps7vz3oCWEA7adkC+6fHbs0M60KSToXl87+xQA==,iv:E2R6CnmzHHO9qOGFROaQc18jyiGXKFH9eDFtWoTRNbw=,tag:IKX
iF6hF+FcrLRsQ0ADdtg==,type:str] +atticd-smb-credentials: ENC[AES256_GCM,data:mj+49EsyWKfWPns+8iLmng6uPm9LjPdqyw7D0c6jipV1+FyYZblNCsh/IWZqwklIKnBm8Bb7Whreu7W4t0SdC2hyJfb9WBvrHm8ZSw==,iv:MFpPvXnmAlc3fnPihPlCQE2vZx5v1IHfI9N/AuXp2c0=,tag:hBUKKn9cu7FIC2W70mRjJQ==,type:str] +ocis-admin-password: ENC[AES256_GCM,data:dhrQI4ody6o9IowmlhKG91Ps1T7FQ4bVLLgR1WEuDubB1j//7myLIvaINQ3G9w==,iv:q8ywceZ5ky1O3TQVsx+oMHkIh2o/qYiR9EDvwTqq4PY=,tag:d1N8lq+rVAq2YsI7Ex3yrw==,type:str] +openclaw-mysql-password: ENC[AES256_GCM,data:flTJzVaCc0/KFdoC8F1drrl3xC99I7ZBfR2ARZoC3gJi2YZb2KthJuiRCQwvyg==,iv:PRBtD/xe2jEs9fA2mx2FpPctX5zZ/7ss5W0MlENOL3A=,tag:HToJLKPwo7Jd9eRYMwsapw==,type:str] +pushover-api-token: ENC[AES256_GCM,data:0EneqOqEQAx0UvN9oofUW7wShjzW9RsTBhkyqV9H,iv:/InwtiShoLifQMhkalUjESfiMMidWzYxXdtC2MtHnhY=,tag:j+/X1SbtRLs7yCl4jBn+mA==,type:str] +pushover-user-key: ENC[AES256_GCM,data:iGrwNi9aan36u4qC+/nodAtOg2gEkcWTd6asf7tw,iv:jVUKcU7F7t7aMtimoXPYtHqSyeOTVm7I6XegMNGtibw=,tag:O+1jFqcqMBe2pM2IS6Schw==,type:str] +sa-core-mailpw: ENC[AES256_GCM,data:YMZnEkAAPt1dp5CAZvs+/7jlPRTFKrfZSrnN,iv:W/sbU8FDcLiwTGRvdWtCwKxlZtxVuhtYm0XxhMzzFgg=,tag:OeNtMRzlYf3EniFoJrxzJA==,type:str] +zammad-db-password: ENC[AES256_GCM,data:e9KjHWlZBwaarUS24IvPropjBxxODEkxMVSfrOF3yCwS1Zjwb1Kus+42LHSaXT9PvHHepa3ov2lENBkEAEWfbQ==,iv:RGGm+P2ZldF+51zWZEaeyAypqFbIBwqL9OgXttXlNhA=,tag:Fp/tfeOEm/p/vN8779JaUg==,type:str] +zammad-key-base: ENC[AES256_GCM,data:9I4h5zdDQCvdmfEWiowqfoL5BY7GkPtW58JFO/J/xKKzlC7kVhmKQKaoK0uIcuuuNKbd2kZ0PGsM7x0f/Sk4rgH+nSXpriD7DbsfDF9Cmg/uz2bMgfWBJe5SCFNt5rx5/Cpt6buRjzOxndioNhqH3+K3z/KWr0HuWtpUC4sYXVQ=,iv:Fxl42oTd5lP9aJGgx74qfhNtELVY4UVnLszbIlv8XVQ=,tag:w2S2xYYVPJbHqfyTRWZu5w==,type:str] +updns-token: ENC[AES256_GCM,data:CsCoGIyHCdmzXeaRBsvFAdqmZPAX7U3A2H0ztFywyYU=,iv:tLRqZLqPB9RuxXrc/wcZ5W4nbubta/HEOJjU6wpCILs=,tag:8vv2O9GcPqORltZnlXZcgQ==,type:str] +wg_cloonar_key: 
ENC[AES256_GCM,data:kQS1G+2XQHzTPQmaZYlkmktVuhwDoPNjdM7yPRkL9bheqbRBaxrBIzFsrPI=,iv:rU4E/yDazQ43MBRaC8ZLkXo0gNf10PIGrjEYRfBpUZU=,tag:39MLYrGOC0eWrU3h3b3jag==,type:str] +piped-db-password: ENC[AES256_GCM,data:OLpltypEEFiUlunYD8KWavycPALJ4ADVorwMCZGXZw+vjO4G6+TDIWKFv58=,iv:QAbJEqgJjnVrKGuKybA9SNxq8D/Nuihcc6Rv8qf9kH0=,tag:NQ7W1qDJeRqe1VAU4h4kMQ==,type:str] +piped-http-auth: ENC[AES256_GCM,data:EO+MN0X62dNEbc4iPHNRQYvcvukTsMIdGKgk+WUNGpQxuupPjGvFOsJoJxjD,iv:cHYqo+iKHPUF5PzPpE0xEFPVbruLM0cfG5CFsnzkFOs=,tag:6f58D+xWsTlzsKd/guxmuw==,type:str] +fueltide-lego-credentials: ENC[AES256_GCM,data:dvZ0bn4cQXuNqemIOBOznK68V67KlUF9yKr+pMrB/9R97A3/HVpvBcW7l97IKaiXvxvU/5LbF14zKAAUGc2tycRlVy5yMSWUWNz904O4m3L2xw==,iv:2XTJ6pilUXm07EazAhQGX1yncqxcTCTmwWjJrwA2A6E=,tag:gzgdcA+l/6HQYKwBnV8D4Q==,type:str] +supabase-env: ENC[AES256_GCM,data:sK29tW/X5+89sKWd4eeq9yVoUXRco438Kc4Ph+r9RMUV3RZF33V2wrZqbCSICEGofhb0e1vOcinrpwCZPcdN0zHfSj0tTsB0lJU+wPozTbSCoA5W5UHPD7uqnXKh7w4nxZapaRTwJOTXJ0+qZWS6dvNQmVue/cq13DXtvTduQ4WyFZ9vapbHamr8ItE+EhRZ+LilppbIK0vOEjwv16tyR9VyUuEvhyx+sjxK7c5O6FDbWiDrGxYV3kKdD+DQLQG+j1GLk5WzSHY46fPOWM+2aK5+6CowdFnGzzmk5FQCythP7rkH4xAFcaVpBddzq0Bwp5A697yedXuhJQhR4D8Tom1/KGbOwHjIp0BQf5HksAndVB816IVh2ijmhznYguVoLXHNUnaJ+c7TIIbhhalvBMuBrSM4AahF+a1/yXFMQICFcbnmCJfPOExoiplCowqsqTU8uwm3QWEfB92vgVoA8vn+LmqlG7lVL41Lyu0HfQGsj/qLTf2K9kPae687xyKhHCbTbw5JP9O/btNoi2Y6qo7npSTympTb4YaIBkhTkynA4HWtFmH9pKkvMx3IUgBHh57EPs46aBCntHorhoBQl6d82XYW8TtdWKKh98LSxcUgj4qD0oV4vK4qd00cf4DjW7uTUGHsAw+Ti06EuWYY4XO5qhe11dKqMHsBO1zsHkhJX4dRiZrMca/3PniT0c+XmEQUCbLSR5m2hZ2R11v0DkADZ2s3cm2rHOFAH/Lm0VClOIqnvQ2hZ6jxzYlSPLTTu5H6OxI20allCaqTuuUlhkZGV5c4mAw7UmrrsJIcw3N7Ra53rJybxxAcr8lCFc1Xat+Ayfm9b1RaDyPwRsysn/msk6z9JKkiDWYCbunmJ3rNLTt4obUXax47E9lW5xY/Vh0Omd27eiOh6uGzBUxDdNEh8tb9vNs3EQe4cgx8ODYJ9t/+zFQUd3lL1zzNNUg06RcZQrAQPLOldsSjEsRzCne6HOydu0cL04s88mpERmUA8Mg5lmrS2D32yrxSRJ6Z7WlnyP1i/yQWy1x3aOP8wmtiqcSbscpYt8Gj71SXXyB07EgKUT5SDRIl4awaEGw6M8hcCA4b6rTdHnMcohXh+axik91zW1UI8xvjvbYO9faE+J1+SWn0UX84HIhrVUUDaCS/CJHQGKmcChKqSj+KRB+
XjXWwTdWM3V/fmcYQ85LMiAW/1XoNQLWNtp1uRY1YIpyMIvEVRk1nBwrPiP3gIt2HkD9Zr5NR3gvPDuBnpoPCzFUdiB2rg6TcCk7goEoTMMPhQ3dFug0VswAvFd7nlFVIAdaG4gzsUNFSbmGd/8IG1j6JOJY5baVgA4cYhZFn9Ox+dPJGRN5Ol6RraPr2K04zUfp679dv4Zg9mss+5cVrcNBlzzhWsuZN0Qa1K7czxKKgJQVfEC/cdLIoHPkOZKnBQGwcDGOD+bWRWVVbXpdnC/d1+VdWAD+hiZR4Kzcoe82BTtY2KbNoa+fVJCZM,iv:7pWYLa06a7lsM/fEGXMS5sSfKtbTKs9NCJ1bHe5+UPc=,tag:9mPaObLKBG2bSfNczB887w==,type:str] sops: age: - recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXRGl3T0gwYS8yNWI2WVFo - NitRWS9tQ2txTGlmc2FDTFBxM1gwY0NCcEFVCmZmWkJNYStxdXlCL1dTeTVuS0p2 - cEtla25JTE9ZejNmYnA2MHpGMk9EeG8KLS0tIEdtcElDbzEyMWNrRWR0VVE4NWd5 - am1FM0NXWDA2SzVuOWhnZ29QR2NYa0UKEOnXzjFVzvoAofwBNtn5uTPtB1CCW1GG - RrfByeQ/tYV2OAGERiETt6s0liZd99jU0Hc6YkCEwT7cfjhxIb+yLg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhTWszRnZUVWI3VGJsVFVG + VW1sdTU3K3hnems1bi9TeGI4RHlLanlVN2xNCktQZzRsaTlwSGFlakI5NzhTL2Jl + c2VUeGdDY0lTRjBmSWJuS0hNSnRMK0kKLS0tIExKTDBpOW45MGhNRGhjTVA0R2Ez + cmRkMTVuOEdSK0NxcVVUSWZnZXJnaUkKCpyj5em3HIfpPciF6+PCda64C7fYJ5xB + dgTTbcJ7HXm+bn57dd12FOMlLZn3xYjV6/JK/xAm3AaXQIWhi8NHsQ== -----END AGE ENCRYPTED FILE----- - recipient: age1exny8unxynaw03yu8ppahu5z28uermghr8ag34e7kdqnaduq9stsyettzz enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUTEM3aXVkT1FFZlFvMVd4 - S1pRcGx6azgzOVVST3RvTWw4S0VDOWg3eFVJCi9HcjlCdnFwSzh5U29uQ0R3Q0hX - UU15V3BuYUFoQ3hvMitIdjBCYVVzY2MKLS0tIDdRd3lic3h4cUgrVXh3dFhZWE45 - V20yTHJqOUZ1TlBqZXFoMjNaeSs5TU0KB1ad+BOkjd9KlWh11NhfQH/6ds7/k4xg - b+bBOq5C9K4DqTgtKAQoTEHCfpPKHqlzP22TWJwj4lqyxYoN640dXw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2Y1BBZWxNL0ZjR3dBVWk3 + TlpRTkJnWFJCSXo2RlhYQjVueWplNW1qbFNJClUwU3U1aDRWUG15OGxnUkNmQ0Z6 + aDI1TVltOE1qWXMybW0veitnZWQ3TGMKLS0tIDc0cWFpenFkM1k5MTk0d1p4SDFY + MFNxRTAyUkpRb2RWdWJvZHBQMGtoeU0K3hfwA3jT9eidPeN6LgD4Un70CzfK+OA7 + WEq98tdYF0I65y11oMKW0wt+CWq05ygA+Wgxb2zeAX4xejTuXA4wjA== 
-----END AGE ENCRYPTED FILE----- - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjQWFISWN4SWZUcDJ3SFJ5 - eXN0MDZDMk5tTGV1OXlGeDJWNU5zNC80WTNjCkQ5NktHQjZRT05la3AvcWplM1dZ - UlF3eW12OHREQTVzSVBnaFhpWUJoSk0KLS0tIDV4VGpoRmhRbFY4dElqYjMzZ0Rp - d2FBUkU1bHpqWlIrZVhDMzRjVE9seVkK4oz/2tg0yzqCQ18bZ1LXn5c9NNJrxtOV - k+YQkVEoIBabtA8CDUpdZHW+4r1MTnpM1zxBE1rf8e9nMmidNk4OwQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtVUZQbEtxZ3RXQmowOUY1 + VTRmZTRoZ2dKbzdEU3dKV1ByaDIzRUVTR25ZCnoxUHlrcDdiREFKTllZMThRbEFr + empRV1JxQmcwQVBBWEFFUUNsRnZyMFEKLS0tIEJxTUlybTF0YlVmK3h3Tkt5a0Yx + TjQvZEJBKzlyNDhaNTBMWmJ4N3drWHMKr5MZlIdKupzG/s2snMGABdj4FJ8zAZMz + Egy1ifZNNQd/JgtghEQlMa0kQGYYOa9tsII92MR/WReD0ICCy/Q24A== -----END AGE ENCRYPTED FILE----- - recipient: age1ylrpaytkm0k5kcecsxvyv5xd9ts4md0uap48g6wsmj9pwm4lf5esffu0gw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAveHc3blFHKzFhK1FHbHRx - ODNtVGdpa09mYVU3TFRFL3F3TDJCNnlIYUZVCkgzSUdrZTBFOFloZE00dUtpYmlC - emtSeHZjdlB0YkxyckhWWVdMcXFPVncKLS0tIEl1WGtOTXc3dThlVmgxc1haOWxu - Vk1GbFdZZDdQSVBvZzRhbWdsRlhSRzgKD1xu9pe7dO46RGWNaZDbKzhL1XHqXcUN - y1rA6p1r5nWboIHKZBRtoN6vssvGxftKXIjgE+T5M6mzMslHoXGXEQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiNDVtYWJrc0pqS2FIdkRi + RjRsSFN4LzZicUJ5c21Gc1BoQnRxU2JIeEZrCm5xQTE3YzlrY1FzeW15S3N2bmR6 + L1c5enRESmY2SDlyTXQ3dmJBTFovc0UKLS0tIDJTMXdlZFF3ZHZGOVVabHZ4ZXdD + MWdMYitOVlREenB3Qi8yUHBGRVcyZk0KAIfJnuCiwVF1J3EE27BaXMOW4x3lI33C + A8TSnLkRc0/bMYDuBXelcy/KOf/WSGQQyzYh4DpzTTkvxu3i2m7Gyg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-04-16T07:32:31Z" - mac: ENC[AES256_GCM,data:YENx+ZwyoVvKJUCMpgNHsGbCYZ+A4QJnVGo+SQsj2JjGUMEFz03JYiTzhqYg+cokfKW3QOptb47fX75i/yaE2CjjhqdlmDe9jKfnKE+AoAEgoRtrkmgii/sctM5ZE5uSNZsymS748kgrgNt3mt1tJInog7YLnkI3X3llpOkSKiM=,iv:D/Y3FnipB1z9q826HPhpLXt9PGvvYxrNzYezwLXHkbw=,tag:gRNezCYj4UvToSGW3EFzCw==,type:str] + lastmodified: 
"2026-04-24T16:56:29Z" + mac: ENC[AES256_GCM,data:lE/HKsa0qP7ngt+7zGZ6NHLiQuP4TvZhUsF5cGZ9AfaV2g7EFzH8WW9oMRDvcWmUsuD81MjIDqjrpP/NpEYkjBlTYP/k0WmoCNS7WQeZ3+buyGXzk2iwqQ2WzW3uiNJmZF2iFOBWp8wtu+4NxgNq/5GCCXlfmqGT9w9K8q0BXmg=,iv:iAgWtEIv/+nFTqu3oj9b9oLvPDY/fgpmVjPJ+IXFrYI=,tag:RW8czu/R+tmnjePib0QY1w==,type:str] unencrypted_suffix: _unencrypted version: 3.12.1 From 6d25a6074b264585f392caee4ab2ea00d16adb6c Mon Sep 17 00:00:00 2001 
From: Dominik Polakovics <dominik.polakovics@cloonar.com>
Date: Fri, 24 Apr 2026 21:15:32 +0200
Subject: [PATCH 4/5] feat: remove supabase
---
hosts/web-arm/configuration.nix | 1 -
.../modules/supabase/FUELTIDE_AUTH_SETUP.md | 215 --------
hosts/web-arm/modules/supabase/default.nix | 486 ------------------
.../web-arm/modules/supabase/env-generate.sh | 96 ----
.../modules/supabase/functions/main/index.ts | 144 ------
.../modules/supabase/kong-entrypoint.sh | 25 -
hosts/web-arm/modules/supabase/kong.yml | 265 ----------
hosts/web-arm/modules/supabase/pooler.exs | 30 --
.../modules/supabase/sql/_supabase.sql | 2 -
hosts/web-arm/modules/supabase/sql/jwt.sql | 4 -
hosts/web-arm/modules/supabase/sql/logs.sql | 5 -
hosts/web-arm/modules/supabase/sql/pooler.sql | 5 -
.../web-arm/modules/supabase/sql/realtime.sql | 3 -
hosts/web-arm/modules/supabase/sql/roles.sql | 6 -
.../web-arm/modules/supabase/sql/webhooks.sql | 153 ------
hosts/web-arm/modules/supabase/vector.yml | 255 ---------
hosts/web-arm/secrets.yaml | 120 ++---
17 files changed, 60 insertions(+), 1755 deletions(-)
delete mode 100644 hosts/web-arm/modules/supabase/FUELTIDE_AUTH_SETUP.md
delete mode 100644 hosts/web-arm/modules/supabase/default.nix
delete mode 100644 hosts/web-arm/modules/supabase/env-generate.sh
delete mode 100644 hosts/web-arm/modules/supabase/functions/main/index.ts
delete mode 100644 hosts/web-arm/modules/supabase/kong-entrypoint.sh
delete mode 100644 hosts/web-arm/modules/supabase/kong.yml
delete mode 100644 hosts/web-arm/modules/supabase/pooler.exs
delete mode 100644 hosts/web-arm/modules/supabase/sql/_supabase.sql
delete mode 100644 hosts/web-arm/modules/supabase/sql/jwt.sql
delete mode 100644 hosts/web-arm/modules/supabase/sql/logs.sql
delete mode 100644 hosts/web-arm/modules/supabase/sql/pooler.sql
delete mode 100644 hosts/web-arm/modules/supabase/sql/realtime.sql
delete mode 100644 hosts/web-arm/modules/supabase/sql/roles.sql
delete mode 100644 hosts/web-arm/modules/supabase/sql/webhooks.sql
delete mode 100644 hosts/web-arm/modules/supabase/vector.yml
diff --git a/hosts/web-arm/configuration.nix b/hosts/web-arm/configuration.nix
index 17927db..a5501ac 100644
--- a/hosts/web-arm/configuration.nix
+++ b/hosts/web-arm/configuration.nix
@@ -20,7 +20,6 @@
 ./modules/blackbox-exporter.nix
 ./modules/updns.nix
 ./modules/atticd.nix
- ./modules/supabase
 ./utils/modules/autoupgrade.nix
 ./utils/modules/promtail
diff --git a/hosts/web-arm/modules/supabase/FUELTIDE_AUTH_SETUP.md b/hosts/web-arm/modules/supabase/FUELTIDE_AUTH_SETUP.md
deleted file mode 100644
index 2f8b202..0000000
--- a/hosts/web-arm/modules/supabase/FUELTIDE_AUTH_SETUP.md
+++ /dev/null
@@ -1,215 +0,0 @@ -# Supabase auth setup: Google OAuth, Apple native sign-in (iOS), fueltide.io email - -This doc lists the **user-side steps** required to make the code changes in -this branch functional. Nothing here is performed by Nix — these are manual -actions on external services, LDAP, SOPS, and DNS. - -The Nix changes in this branch cover: - -- `hosts/web-arm/modules/supabase/default.nix` — GoTrue env for Google OAuth - (web code-exchange flow) and Apple native sign-in (iOS id_token flow, - `GOTRUE_EXTERNAL_APPLE_CLIENT_ID=io.fueltide.workout`), SMTP pointed at - `mail.cloonar.com:587`, `MAILER_AUTOCONFIRM=false`, `SITE_URL` + - `URI_ALLOW_LIST` for fueltide.io. -- `hosts/web-arm/modules/supabase/env-generate.sh` — new `auth.env` block - that pulls SMTP + Google creds from SOPS. -- `hosts/mail/modules/dkim-fueltide.nix` — installs a per-domain DKIM key - for fueltide.io into rspamd so outbound mail from `noreply@fueltide.io` is - signed. - -Apple sign-in is scoped to the **native iOS flow only**: the app uses -`AuthenticationServices` to obtain an Apple `id_token`, then calls -`supabase.auth.signInWithIdToken({ provider: 'apple', token, nonce })`. -GoTrue verifies the id_token against Apple's JWKS and checks that `aud` -matches `io.fueltide.workout`. No server-side client secret, `.p8` key, or -Services ID is needed. Android uses native Google sign-in (handled -separately) and no Apple browser flow is supported. - -Complete the six steps below **before** merging to master. Merging without -them will deploy a broken GoTrue (missing Google/SMTP creds → auth emails -fail, Google OAuth flows 500). - ---- - -## 1. LDAP service account + fueltide alias on `mail.cloonar.com` - -Mirrors the `gitea@cloonar.com` / `authelia@cloonar.com` pattern. The alias -on `noreply@fueltide.io` is what `smtpd_sender_login_maps` uses to let the -`supabase` SASL user send as that address without tripping -`reject_authenticated_sender_login_mismatch`. 
- -```bash -# on mail.cloonar.com -SMTP_PASS=$(openssl rand -base64 30 | tr -d '/+=' | head -c 32) -echo "SMTP_PASS (store this in SOPS, step 3): $SMTP_PASS" -CRYPT=$(mkpasswd -m sha-512 "$SMTP_PASS") - -cat > /tmp/supabase.ldif <<EOF -dn: uid=supabase,ou=users,dc=cloonar,dc=com -objectClass: mailAccount -objectClass: inetOrgPerson -uid: supabase -cn: Supabase Auth -sn: Auth -mail: supabase@cloonar.com -mailSendOnly: TRUE -userPassword: {CRYPT}$CRYPT -description: SASL account for Supabase GoTrue outbound mail - -dn: mail=noreply@fueltide.io,ou=aliases,dc=cloonar,dc=com -objectClass: mailAlias -mail: noreply@fueltide.io -maildrop: supabase@cloonar.com -EOF - -ldapadd -x -D "cn=admin,dc=cloonar,dc=com" -W -f /tmp/supabase.ldif -rm /tmp/supabase.ldif -``` - -## 2. Generate the fueltide.io DKIM key - -Selector is `default` to match the glob that rspamd's `dkim_signing` block -(`hosts/mail/modules/rspamd.nix:15-19`) watches for. - -```bash -mkdir -p /tmp/dkim-gen && cd /tmp/dkim-gen -nix-shell -p rspamd --run \ - "rspamadm dkim_keygen -s default -d fueltide.io -k fueltide.io.default.key" - -# private key: fueltide.io.default.key -> goes into SOPS (step 3) -# public key: printed to stdout -> goes into DNS (step 4) -``` - -Wipe the temp dir once both are copied out. - -## 3. SOPS edits (two files) - -### `hosts/mail/secrets.yaml` - -```bash -nix-shell -p sops --run 'sops hosts/mail/secrets.yaml' -``` - -Add: - -```yaml -rspamd-dkim-fueltide-io-key: | - -----BEGIN PRIVATE KEY----- - <paste contents of /tmp/dkim-gen/fueltide.io.default.key> - -----END PRIVATE KEY----- -``` - -### `hosts/web-arm/secrets.yaml` - -```bash -nix-shell -p sops --run 'sops hosts/web-arm/secrets.yaml' -``` - -Inside the existing `supabase-env` multiline value, append four new lines -(these are sourced as shell variables by `env-generate.sh`): - -``` -SMTP_USER=supabase@cloonar.com -SMTP_PASS=<plaintext from step 1> -GOOGLE_CLIENT_ID=<from step 5> -GOOGLE_SECRET=<from step 5> -``` - -## 4. 
DNS records for `fueltide.io` - -Add on whichever DNS provider hosts fueltide.io: - -``` -TXT @ v=spf1 mx a:mail.cloonar.com ~all -TXT default._domainkey v=DKIM1; k=rsa; p=<public key from step 2> -TXT _dmarc v=DMARC1; p=quarantine; rua=mailto:postmaster@cloonar.com; fo=1 -``` - -PTR for mail.cloonar.com is already set (it's been sending for cloonar.com). -If fueltide.io has no MX record, outbound is fine but bounces from remote MTAs -won't route — acceptable for one-way transactional mail. Add an MX pointing at -`mail.cloonar.com.` if you want bounces to be received. - -## 5. Google Cloud OAuth client (≈ 5 min) - -1. console.cloud.google.com → **APIs & Services → OAuth consent screen**. - External user type. App name `Fueltide`, user support email, developer - contact. Scopes: `openid`, `email`, `profile`. Submit (or keep in testing - if only internal users). -2. **Credentials → Create Credentials → OAuth client ID → Web application**. - Name `Supabase`. Authorised redirect URI: - `https://supabase.cloonar.com/auth/v1/callback`. -3. Copy Client ID + Client Secret → into SOPS as `GOOGLE_CLIENT_ID` and - `GOOGLE_SECRET`. - -## 6. Apple Developer — enable Sign in with Apple on the iOS App ID - -Only one action, no keys or Services IDs: - -1. developer.apple.com → **Certificates, IDs & Profiles → Identifiers → App - IDs**. Select `io.fueltide.workout` (Team `XWJ4DC7TBH`, see - `hosts/web-arm/sites/fueltide.io.nix`). Check **Sign in with Apple**. - Save. - -That's it on the Apple side. No Services ID, no Keys, no `.p8` download. -The iOS app obtains the `id_token` on-device via `AuthenticationServices` -and posts it to `supabase.auth.signInWithIdToken`; GoTrue validates it -against Apple's JWKS with `aud=io.fueltide.workout`. - -## 7. Merge and deploy - -Once steps 1–6 are done: - -```bash -./scripts/test-configuration web-arm -./scripts/test-configuration mail -git checkout master -git merge --no-ff <this-branch> -git push -``` - -Bento rolls out both hosts. 
On `web-arm.cloonar.com`: - -```bash -sudo systemctl restart supabase-env-generate -sudo cat /run/supabase/auth.env # expect SMTP + Google vars populated -sudo podman exec supabase-auth nc -vz mail.cloonar.com 587 -sudo podman restart supabase-auth -``` - -### Verification checklist - -- [ ] `/run/supabase/auth.env` contains `GOTRUE_SMTP_USER`, `GOTRUE_SMTP_PASS`, - `GOTRUE_EXTERNAL_GOOGLE_CLIENT_ID`, `GOTRUE_EXTERNAL_GOOGLE_SECRET`. -- [ ] `podman inspect supabase-auth` shows - `GOTRUE_EXTERNAL_APPLE_ENABLED=true` and - `GOTRUE_EXTERNAL_APPLE_CLIENT_ID=io.fueltide.workout` in the env. -- [ ] `curl -X POST -H 'apikey: <anon>' -H 'Content-Type: application/json' \ - https://supabase.cloonar.com/auth/v1/signup \ - -d '{"email":"<real inbox>","password":"correct horse battery staple"}'` - delivers a mail with `From: noreply@fueltide.io` within ~30 s. -- [ ] Mail headers show `dkim=pass`, `spf=pass`, `dmarc=pass` - (`Authentication-Results` header). -- [ ] `POST /auth/v1/recover` triggers a reset mail. -- [ ] Browser visit to - `https://supabase.cloonar.com/auth/v1/authorize?provider=google` - completes and lands on `/auth/v1/callback`. Row in `auth.identities` - with `provider='google'`. -- [ ] From the iOS app: Sign in with Apple → - `supabase.auth.signInWithIdToken({ provider: 'apple', token, nonce })` - succeeds. Row in `auth.identities` with `provider='apple'` and - `identity_data.sub` matching the Apple user id. (Apple sign-in has no - browser flow here — it is tested from the app only.) -- [ ] Send a signup to [mail-tester.com](https://www.mail-tester.com/) — target - ≥ 9/10 spam score. - -## Rotation notes - -- **Google client secret**: no expiry; rotate via Google Cloud console if - leaked and update `GOOGLE_SECRET` in SOPS. -- **DKIM key**: no expiry, but best practice is to rotate yearly. Rotation - = regenerate keypair (step 2), replace the SOPS value (step 3), update DNS - (step 4), deploy. Keep both old+new DNS records live for 24h during - cutover. 
-- **SMTP LDAP password**: no expiry. To rotate, run `mkpasswd` again and - update both the LDAP userPassword attribute and SOPS `SMTP_PASS`. diff --git a/hosts/web-arm/modules/supabase/default.nix b/hosts/web-arm/modules/supabase/default.nix deleted file mode 100644 index e8bfdf8..0000000 --- a/hosts/web-arm/modules/supabase/default.nix +++ /dev/null 
@@ -1,486 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - kongEntrypoint = pkgs.writeTextFile { - name = "kong-entrypoint.sh"; - executable = true; - text = builtins.readFile ./kong-entrypoint.sh; - }; - - envGenerateScript = pkgs.writeShellScript "supabase-env-generate" - (builtins.readFile ./env-generate.sh); - - # Common extra options for all containers to join the supabase network - supabaseNet = [ "--network=supabase-net" ]; - -in -{ - # --- SOPS secret --- - sops.secrets.supabase-env = { }; - - # --- Persistent data directories --- - # Postgres data lives in a named podman volume (supabase-db-data) so podman - # owns the permissions on the container's postgres UID; logical dumps go to - # /var/backups/supabase where borg picks them up from /var. - systemd.tmpfiles.rules = [ - "d /var/lib/supabase/storage 0755 root root -" - "d /var/lib/supabase/functions 0755 root root -" - "d /var/lib/supabase/snippets 0755 root root -" - "d /var/backups/supabase 0700 root root -" - ]; - - - # --- Systemd services: network, env generation, and container ordering --- - systemd.services = - let - containerNames = [ - "supabase-db" - "supabase-analytics" - "supabase-auth" - "supabase-rest" - "supabase-realtime" - "supabase-storage" - "supabase-imgproxy" - "supabase-meta" - "supabase-studio" - "supabase-kong" - "supabase-vector" - "supabase-pooler" - "supabase-functions" - ]; - mkContainerDeps = name: { - "podman-${name}" = { - after = [ "init-supabase-network.service" "supabase-env-generate.service" ]; - requires = [ "init-supabase-network.service" "supabase-env-generate.service" ]; - }; - }; - in - lib.mkMerge (map mkContainerDeps containerNames ++ [ - { - init-supabase-network = { - description = "Create supabase-net Podman network"; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - # '-' prefix tells systemd to ignore non-zero exit (network may already exist) - ExecStart = "-${pkgs.podman}/bin/podman network create 
supabase-net"; - }; - }; - supabase-env-generate = { - description = "Generate Supabase per-container env files from SOPS secrets"; - wantedBy = [ "multi-user.target" ]; - path = [ pkgs.jq ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - ExecStart = "${envGenerateScript} ${config.sops.secrets.supabase-env.path}"; - }; - }; - # Seed the edge-runtime's bootstrap `main` function. The container's - # entrypoint requires `/home/deno/functions/main/index.ts` to exist; - # without it edge-runtime fails with "could not find an appropriate - # entrypoint". Re-seed on every activation so updates to the bootstrap - # are picked up, while leaving user-authored functions untouched. - supabase-functions-seed = { - description = "Seed Supabase edge-functions main bootstrap"; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - script = '' - install -d -m 0755 /var/lib/supabase/functions/main - install -m 0644 ${./functions/main/index.ts} /var/lib/supabase/functions/main/index.ts - ''; - }; - podman-supabase-functions = { - after = [ "supabase-functions-seed.service" ]; - requires = [ "supabase-functions-seed.service" ]; - }; - # Logical daily dump of the containerised Postgres cluster. Writes to - # /var/backups/supabase which is covered by the borg path /var; - # /var/lib/containers (the named-volume storage) is excluded from borg, - # so the dump is the only copy borg ships off-host. 
- supabase-db-backup = { - description = "pg_dumpall of the Supabase Postgres cluster"; - after = [ "podman-supabase-db.service" ]; - requires = [ "podman-supabase-db.service" ]; - serviceConfig = { - Type = "oneshot"; - }; - script = '' - set -euo pipefail - tmp=/var/backups/supabase/supabase-all.sql.tmp - out=/var/backups/supabase/supabase-all.sql - ${pkgs.podman}/bin/podman exec -u postgres supabase-db \ - pg_dumpall -U postgres --clean --if-exists > "$tmp" - mv "$tmp" "$out" - ''; - }; - } - ]); - - systemd.timers.supabase-db-backup = { - description = "Daily Supabase Postgres dump"; - wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar = "*-*-* 02:30:00"; - Persistent = true; - }; - }; - - # --- Containers --- - virtualisation.oci-containers.containers = { - - # 1. PostgreSQL - supabase-db = { - image = "supabase/postgres:15.8.1.085"; - environment = { - POSTGRES_HOST = "/var/run/postgresql"; - PGPORT = "5432"; - POSTGRES_PORT = "5432"; - PGDATABASE = "postgres"; - POSTGRES_DB = "postgres"; - JWT_EXP = "3600"; - }; - environmentFiles = [ "/run/supabase/db.env" ]; - volumes = [ - "supabase-db-data:/var/lib/postgresql/data" - "${./sql/_supabase.sql}:/docker-entrypoint-initdb.d/migrations/97-_supabase.sql:ro" - "${./sql/realtime.sql}:/docker-entrypoint-initdb.d/migrations/99-realtime.sql:ro" - "${./sql/logs.sql}:/docker-entrypoint-initdb.d/migrations/99-logs.sql:ro" - "${./sql/pooler.sql}:/docker-entrypoint-initdb.d/migrations/99-pooler.sql:ro" - "${./sql/webhooks.sql}:/docker-entrypoint-initdb.d/init-scripts/98-webhooks.sql:ro" - "${./sql/roles.sql}:/docker-entrypoint-initdb.d/init-scripts/99-roles.sql:ro" - "${./sql/jwt.sql}:/docker-entrypoint-initdb.d/init-scripts/99-jwt.sql:ro" - "supabase-db-config:/etc/postgresql-custom" - ]; - cmd = [ - "postgres" - "-c" "config_file=/etc/postgresql/postgresql.conf" - "-c" "log_min_messages=fatal" - ]; - extraOptions = supabaseNet ++ [ - "--network-alias=db" - "--shm-size=2g" - ]; - }; - - # 2. 
Analytics (Logflare) - supabase-analytics = { - image = "supabase/logflare:1.31.2"; - dependsOn = [ "supabase-db" ]; - environment = { - LOGFLARE_NODE_HOST = "127.0.0.1"; - DB_USERNAME = "supabase_admin"; - DB_DATABASE = "_supabase"; - DB_HOSTNAME = "db"; - DB_PORT = "5432"; - DB_SCHEMA = "_analytics"; - LOGFLARE_SINGLE_TENANT = "true"; - LOGFLARE_SUPABASE_MODE = "true"; - POSTGRES_BACKEND_SCHEMA = "_analytics"; - LOGFLARE_FEATURE_FLAG_OVERRIDE = "multibackend=true"; - }; - environmentFiles = [ "/run/supabase/analytics.env" ]; - extraOptions = supabaseNet ++ [ - "--network-alias=analytics" - ]; - }; - - # 3. Auth (GoTrue) - supabase-auth = { - image = "supabase/gotrue:v2.186.0"; - dependsOn = [ "supabase-db" "supabase-analytics" ]; - environment = { - GOTRUE_API_HOST = "0.0.0.0"; - GOTRUE_API_PORT = "9999"; - API_EXTERNAL_URL = "https://supabase.cloonar.com"; - GOTRUE_DB_DRIVER = "postgres"; - GOTRUE_SITE_URL = "https://app.fueltide.io"; - GOTRUE_URI_ALLOW_LIST = "https://app.fueltide.io,https://app.fueltide.io/**,https://app.stage.fueltide.io,https://app.stage.fueltide.io/**,io.fueltide.workout://"; - GOTRUE_DISABLE_SIGNUP = "false"; - GOTRUE_JWT_ADMIN_ROLES = "service_role"; - GOTRUE_JWT_AUD = "authenticated"; - GOTRUE_JWT_DEFAULT_GROUP_NAME = "authenticated"; - GOTRUE_JWT_EXP = "3600"; - GOTRUE_EXTERNAL_EMAIL_ENABLED = "true"; - GOTRUE_EXTERNAL_ANONYMOUS_USERS_ENABLED = "false"; - GOTRUE_MAILER_AUTOCONFIRM = "false"; - GOTRUE_SMTP_ADMIN_EMAIL = "noreply@fueltide.io"; - GOTRUE_SMTP_HOST = "mail.cloonar.com"; - GOTRUE_SMTP_PORT = "587"; - GOTRUE_SMTP_SENDER_NAME = "Fueltide"; - GOTRUE_MAILER_URLPATHS_INVITE = "/auth/v1/verify"; - GOTRUE_MAILER_URLPATHS_CONFIRMATION = "/auth/v1/verify"; - GOTRUE_MAILER_URLPATHS_RECOVERY = "/auth/v1/verify"; - GOTRUE_MAILER_URLPATHS_EMAIL_CHANGE = "/auth/v1/verify"; - GOTRUE_EXTERNAL_PHONE_ENABLED = "false"; - GOTRUE_SMS_AUTOCONFIRM = "false"; - GOTRUE_EXTERNAL_GOOGLE_ENABLED = "true"; - GOTRUE_EXTERNAL_GOOGLE_REDIRECT_URI = 
"https://supabase.cloonar.com/auth/v1/callback"; - GOTRUE_EXTERNAL_APPLE_ENABLED = "true"; - GOTRUE_EXTERNAL_APPLE_CLIENT_ID = "io.fueltide.workout"; - }; - environmentFiles = [ "/run/supabase/auth.env" ]; - extraOptions = supabaseNet ++ [ - "--network-alias=auth" - ]; - }; - - # 4. REST (PostgREST) - supabase-rest = { - image = "postgrest/postgrest:v14.6"; - dependsOn = [ "supabase-db" ]; - environment = { - PGRST_DB_SCHEMAS = "public,storage,graphql_public"; - PGRST_DB_MAX_ROWS = "1000"; - PGRST_DB_EXTRA_SEARCH_PATH = "public"; - PGRST_DB_ANON_ROLE = "anon"; - PGRST_DB_USE_LEGACY_GUCS = "false"; - PGRST_APP_SETTINGS_JWT_EXP = "3600"; - }; - environmentFiles = [ "/run/supabase/rest.env" ]; - cmd = [ "postgrest" ]; - extraOptions = supabaseNet ++ [ - "--network-alias=rest" - ]; - }; - - # 5. Realtime - supabase-realtime = { - image = "supabase/realtime:v2.76.5"; - dependsOn = [ "supabase-db" ]; - environment = { - PORT = "4000"; - DB_HOST = "db"; - DB_PORT = "5432"; - DB_USER = "supabase_admin"; - DB_NAME = "postgres"; - DB_AFTER_CONNECT_QUERY = "SET search_path TO _realtime"; - DB_ENC_KEY = "supabaserealtime"; - ERL_AFLAGS = "-proto_dist inet_tcp"; - DNS_NODES = "''"; - RLIMIT_NOFILE = "10000"; - APP_NAME = "realtime"; - SEED_SELF_HOST = "true"; - RUN_JANITOR = "true"; - DISABLE_HEALTHCHECK_LOGGING = "true"; - }; - environmentFiles = [ "/run/supabase/realtime.env" ]; - extraOptions = supabaseNet ++ [ - # Hostname must be realtime-dev.supabase-realtime for tenant ID parsing - "--hostname=realtime-dev.supabase-realtime" - "--network-alias=realtime-dev.supabase-realtime" - ]; - }; - - # 6. 
Storage - supabase-storage = { - image = "supabase/storage-api:v1.44.2"; - dependsOn = [ "supabase-db" "supabase-rest" "supabase-imgproxy" ]; - environment = { - POSTGREST_URL = "http://rest:3000"; - STORAGE_PUBLIC_URL = "https://supabase.cloonar.com"; - REQUEST_ALLOW_X_FORWARDED_PATH = "true"; - FILE_SIZE_LIMIT = "52428800"; - STORAGE_BACKEND = "file"; - GLOBAL_S3_BUCKET = "stub"; - FILE_STORAGE_BACKEND_PATH = "/var/lib/storage"; - TENANT_ID = "stub"; - REGION = "stub"; - ENABLE_IMAGE_TRANSFORMATION = "true"; - IMGPROXY_URL = "http://imgproxy:5001"; - }; - environmentFiles = [ "/run/supabase/storage.env" ]; - volumes = [ - "/var/lib/supabase/storage:/var/lib/storage" - ]; - extraOptions = supabaseNet ++ [ - "--network-alias=storage" - ]; - }; - - # 7. Imgproxy - supabase-imgproxy = { - image = "darthsim/imgproxy:v3.30.1"; - environment = { - IMGPROXY_BIND = ":5001"; - IMGPROXY_LOCAL_FILESYSTEM_ROOT = "/"; - IMGPROXY_USE_ETAG = "true"; - IMGPROXY_AUTO_WEBP = "true"; - IMGPROXY_MAX_SRC_RESOLUTION = "16.8"; - }; - volumes = [ - "/var/lib/supabase/storage:/var/lib/storage" - ]; - extraOptions = supabaseNet ++ [ - "--network-alias=imgproxy" - ]; - }; - - # 8. Meta (pg-meta) - supabase-meta = { - image = "supabase/postgres-meta:v0.95.2"; - dependsOn = [ "supabase-db" ]; - environment = { - PG_META_PORT = "8080"; - PG_META_DB_HOST = "db"; - PG_META_DB_PORT = "5432"; - PG_META_DB_NAME = "postgres"; - PG_META_DB_USER = "supabase_admin"; - }; - environmentFiles = [ "/run/supabase/meta.env" ]; - extraOptions = supabaseNet ++ [ - "--network-alias=meta" - ]; - }; - - # 9. 
Studio - supabase-studio = { - image = "supabase/studio:2026.03.16-sha-5528817"; - dependsOn = [ "supabase-analytics" ]; - environment = { - HOSTNAME = "::"; - STUDIO_PG_META_URL = "http://meta:8080"; - POSTGRES_PORT = "5432"; - POSTGRES_HOST = "db"; - POSTGRES_DB = "postgres"; - PGRST_DB_SCHEMAS = "public,storage,graphql_public"; - PGRST_DB_MAX_ROWS = "1000"; - PGRST_DB_EXTRA_SEARCH_PATH = "public"; - DEFAULT_ORGANIZATION_NAME = "Default Organization"; - DEFAULT_PROJECT_NAME = "Default Project"; - SUPABASE_URL = "http://kong:8000"; - SUPABASE_PUBLIC_URL = "https://supabase.cloonar.com"; - NEXT_PUBLIC_ENABLE_LOGS = "true"; - NEXT_ANALYTICS_BACKEND_PROVIDER = "postgres"; - LOGFLARE_URL = "http://analytics:4000"; - SNIPPETS_MANAGEMENT_FOLDER = "/app/snippets"; - EDGE_FUNCTIONS_MANAGEMENT_FOLDER = "/app/edge-functions"; - }; - environmentFiles = [ "/run/supabase/studio.env" ]; - volumes = [ - "/var/lib/supabase/snippets:/app/snippets" - "/var/lib/supabase/functions:/app/edge-functions" - ]; - extraOptions = supabaseNet ++ [ - "--network-alias=studio" - ]; - }; - - # 10. Kong (API Gateway) - supabase-kong = { - image = "kong/kong:3.9.1"; - dependsOn = [ "supabase-studio" ]; - environment = { - KONG_DATABASE = "off"; - KONG_DECLARATIVE_CONFIG = "/usr/local/kong/kong.yml"; - KONG_DNS_ORDER = "LAST,A,CNAME"; - KONG_DNS_NOT_FOUND_TTL = "1"; - KONG_PLUGINS = "request-transformer,cors,key-auth,acl,basic-auth,request-termination,ip-restriction,post-function"; - KONG_NGINX_PROXY_PROXY_BUFFER_SIZE = "160k"; - KONG_NGINX_PROXY_PROXY_BUFFERS = "64 160k"; - KONG_PROXY_ACCESS_LOG = "/dev/stdout combined"; - }; - environmentFiles = [ "/run/supabase/kong.env" ]; - ports = [ - "127.0.0.1:8000:8000" - "127.0.0.1:8443:8443" - ]; - volumes = [ - "${./kong.yml}:/home/kong/temp.yml:ro" - "${kongEntrypoint}:/home/kong/kong-entrypoint.sh:ro" - ]; - entrypoint = "/home/kong/kong-entrypoint.sh"; - extraOptions = supabaseNet ++ [ - "--network-alias=kong" - ]; - }; - - # 11. 
Vector (log collection) - supabase-vector = { - image = "timberio/vector:0.53.0-alpine"; - environment = { }; - environmentFiles = [ "/run/supabase/vector.env" ]; - volumes = [ - "${./vector.yml}:/etc/vector/vector.yml:ro" - "/var/run/docker.sock:/var/run/docker.sock:ro" - ]; - cmd = [ "--config" "/etc/vector/vector.yml" ]; - extraOptions = supabaseNet ++ [ - "--network-alias=vector" - "--security-opt=label=disable" - ]; - }; - - # 12. Pooler (Supavisor) - supabase-pooler = { - image = "supabase/supavisor:2.7.4"; - dependsOn = [ "supabase-db" ]; - environment = { - PORT = "4000"; - CLUSTER_POSTGRES = "true"; - REGION = "local"; - ERL_AFLAGS = "-proto_dist inet_tcp"; - POOLER_POOL_MODE = "transaction"; - POSTGRES_PORT = "5432"; - POSTGRES_DB = "postgres"; - POOLER_TENANT_ID = "default-tenant"; - POOLER_DEFAULT_POOL_SIZE = "20"; - POOLER_MAX_CLIENT_CONN = "100"; - DB_POOL_SIZE = "10"; - }; - environmentFiles = [ "/run/supabase/pooler.env" ]; - volumes = [ - "${./pooler.exs}:/etc/pooler/pooler.exs:ro" - ]; - cmd = [ - "/bin/sh" "-c" - "/app/bin/migrate && /app/bin/supavisor eval \"$(cat /etc/pooler/pooler.exs)\" && /app/bin/server" - ]; - extraOptions = supabaseNet ++ [ - "--network-alias=pooler" - ]; - }; - - # 13. 
Edge Functions - supabase-functions = { - image = "supabase/edge-runtime:v1.71.2"; - dependsOn = [ "supabase-kong" ]; - environment = { - SUPABASE_URL = "http://kong:8000"; - SUPABASE_PUBLIC_URL = "https://supabase.cloonar.com"; - VERIFY_JWT = "false"; - }; - environmentFiles = [ "/run/supabase/functions.env" ]; - volumes = [ - "/var/lib/supabase/functions:/home/deno/functions" - "supabase-deno-cache:/root/.cache/deno" - ]; - cmd = [ "start" "--main-service" "/home/deno/functions/main" ]; - extraOptions = supabaseNet ++ [ - "--network-alias=functions" - ]; - }; - }; - - # --- Nginx reverse proxy --- - services.nginx.virtualHosts."supabase.cloonar.com" = { - forceSSL = true; - enableACME = true; - acmeRoot = null; - locations."/" = { - proxyPass = "http://127.0.0.1:8000"; - proxyWebsockets = true; - extraConfig = '' - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_read_timeout 86400s; - proxy_send_timeout 86400s; - client_max_body_size 50M; - ''; - }; - }; -} diff --git a/hosts/web-arm/modules/supabase/env-generate.sh b/hosts/web-arm/modules/supabase/env-generate.sh deleted file mode 100644 index c83bf28..0000000 --- a/hosts/web-arm/modules/supabase/env-generate.sh +++ /dev/null 
@@ -1,96 +0,0 @@
-set -euo pipefail
-umask 077
-mkdir -p /run/supabase
-
-set -a
-source "$1"
-set +a
-
-# URL-encode password for use in connection strings
-PG_PASS_ENCODED=$(printf '%s' "$POSTGRES_PASSWORD" | jq -sRr @uri)
-
-cat > /run/supabase/db.env <<EOF
-POSTGRES_PASSWORD=$POSTGRES_PASSWORD
-PGPASSWORD=$POSTGRES_PASSWORD
-JWT_SECRET=$JWT_SECRET
-EOF
-
-cat > /run/supabase/analytics.env <<EOF
-DB_PASSWORD=$POSTGRES_PASSWORD
-LOGFLARE_PUBLIC_ACCESS_TOKEN=$LOGFLARE_PUBLIC_ACCESS_TOKEN
-LOGFLARE_PRIVATE_ACCESS_TOKEN=$LOGFLARE_PRIVATE_ACCESS_TOKEN
-POSTGRES_BACKEND_URL=postgresql://supabase_admin:$PG_PASS_ENCODED@db:5432/_supabase
-EOF
-
-cat > /run/supabase/auth.env <<EOF
-GOTRUE_JWT_SECRET=$JWT_SECRET
-GOTRUE_DB_DATABASE_URL=postgres://supabase_auth_admin:$PG_PASS_ENCODED@db:5432/postgres
-GOTRUE_SMTP_USER=${SMTP_USER:-}
-GOTRUE_SMTP_PASS=${SMTP_PASS:-}
-GOTRUE_EXTERNAL_GOOGLE_CLIENT_ID=${GOOGLE_CLIENT_ID:-}
-GOTRUE_EXTERNAL_GOOGLE_SECRET=${GOOGLE_SECRET:-}
-EOF
-
-cat > /run/supabase/rest.env <<EOF
-PGRST_JWT_SECRET=$JWT_SECRET
-PGRST_APP_SETTINGS_JWT_SECRET=$JWT_SECRET
-PGRST_DB_URI=postgres://authenticator:$PG_PASS_ENCODED@db:5432/postgres
-EOF
-
-cat > /run/supabase/realtime.env <<EOF
-DB_PASSWORD=$POSTGRES_PASSWORD
-API_JWT_SECRET=$JWT_SECRET
-SECRET_KEY_BASE=$SECRET_KEY_BASE
-METRICS_JWT_SECRET=$JWT_SECRET
-EOF
-
-cat > /run/supabase/storage.env <<EOF
-ANON_KEY=$ANON_KEY
-SERVICE_KEY=$SERVICE_ROLE_KEY
-AUTH_JWT_SECRET=$JWT_SECRET
-DATABASE_URL=postgres://supabase_storage_admin:$PG_PASS_ENCODED@db:5432/postgres
-S3_PROTOCOL_ACCESS_KEY_ID=$S3_PROTOCOL_ACCESS_KEY_ID
-S3_PROTOCOL_ACCESS_KEY_SECRET=$S3_PROTOCOL_ACCESS_KEY_SECRET
-EOF
-
-cat > /run/supabase/meta.env <<EOF
-PG_META_DB_PASSWORD=$POSTGRES_PASSWORD
-CRYPTO_KEY=$PG_META_CRYPTO_KEY
-EOF
-
-cat > /run/supabase/studio.env <<EOF
-POSTGRES_PASSWORD=$PG_PASS_ENCODED
-PG_META_CRYPTO_KEY=$PG_META_CRYPTO_KEY
-SUPABASE_ANON_KEY=$ANON_KEY
-SUPABASE_SERVICE_KEY=$SERVICE_ROLE_KEY
-AUTH_JWT_SECRET=$JWT_SECRET
-LOGFLARE_API_KEY=$LOGFLARE_PUBLIC_ACCESS_TOKEN
-LOGFLARE_PUBLIC_ACCESS_TOKEN=$LOGFLARE_PUBLIC_ACCESS_TOKEN
-LOGFLARE_PRIVATE_ACCESS_TOKEN=$LOGFLARE_PRIVATE_ACCESS_TOKEN
-EOF
-
-cat > /run/supabase/kong.env <<EOF
-SUPABASE_ANON_KEY=$ANON_KEY
-SUPABASE_SERVICE_KEY=$SERVICE_ROLE_KEY
-DASHBOARD_USERNAME=supabase
-DASHBOARD_PASSWORD=$DASHBOARD_PASSWORD
-EOF
-
-cat > /run/supabase/vector.env <<EOF
-LOGFLARE_PUBLIC_ACCESS_TOKEN=$LOGFLARE_PUBLIC_ACCESS_TOKEN
-EOF
-
-cat > /run/supabase/pooler.env <<EOF
-POSTGRES_PASSWORD=$POSTGRES_PASSWORD
-DATABASE_URL=ecto://supabase_admin:$PG_PASS_ENCODED@db:5432/_supabase
-SECRET_KEY_BASE=$SECRET_KEY_BASE
-VAULT_ENC_KEY=$VAULT_ENC_KEY
-API_JWT_SECRET=$JWT_SECRET
-METRICS_JWT_SECRET=$JWT_SECRET
-EOF
-
-cat > /run/supabase/functions.env <<EOF
-JWT_SECRET=$JWT_SECRET
-SUPABASE_ANON_KEY=$ANON_KEY
-SUPABASE_SERVICE_ROLE_KEY=$SERVICE_ROLE_KEY
-EOF
diff --git a/hosts/web-arm/modules/supabase/functions/main/index.ts b/hosts/web-arm/modules/supabase/functions/main/index.ts
deleted file mode 100644
index 05b6ad6..0000000
--- a/hosts/web-arm/modules/supabase/functions/main/index.ts
+++ /dev/null
@@ -1,144 +0,0 @@
-import * as jose from 'https://deno.land/x/jose@v4.14.4/index.ts'
-
-console.log('main function started')
-
-const JWT_SECRET = Deno.env.get('JWT_SECRET')
-const SUPABASE_URL = Deno.env.get('SUPABASE_URL')
-const VERIFY_JWT = Deno.env.get('VERIFY_JWT') === 'true'
-
-// Create JWKS for ES256/RS256 tokens (newer tokens)
-let SUPABASE_JWT_KEYS: ReturnType<typeof jose.createRemoteJWKSet> | null = null
-if (SUPABASE_URL) {
- try {
- SUPABASE_JWT_KEYS = jose.createRemoteJWKSet(
- new URL('/auth/v1/.well-known/jwks.json', SUPABASE_URL)
- )
- } catch (e) {
- console.error('Failed to fetch JWKS from SUPABASE_URL:', e)
- }
-}
-
-function getAuthToken(req: Request) {
- const authHeader = req.headers.get('authorization')
- if (!authHeader) {
- throw new Error('Missing authorization header')
- }
- const [bearer, token] = authHeader.split(' ')
- if (bearer !== 'Bearer') {
- throw new Error(`Auth header is not 'Bearer {token}'`)
- }
- return token
-}
-
-async function isValidLegacyJWT(jwt: string): Promise<boolean> {
- if (!JWT_SECRET) {
- console.error('JWT_SECRET not available for HS256 token verification')
- return false
- }
-
- const encoder = new TextEncoder();
- const secretKey = encoder.encode(JWT_SECRET)
-
- try {
- await jose.jwtVerify(jwt, secretKey);
- } catch (e) {
- console.error('Symmetric Legacy JWT verification error', e);
- return false;
- }
- return true;
-}
-
-async function isValidJWT(jwt: string): Promise<boolean> {
- if (!SUPABASE_JWT_KEYS) {
- console.error('JWKS not available for ES256/RS256 token verification')
- return false
- }
-
- try {
- await jose.jwtVerify(jwt, SUPABASE_JWT_KEYS)
- } catch (e) {
- console.error('Asymmetric JWT verification error', e);
- return false
- }
-
- return true;
-}
-
-async function isValidHybridJWT(jwt: string): Promise<boolean> {
- const { alg: jwtAlgorithm } = jose.decodeProtectedHeader(jwt)
-
- if (jwtAlgorithm === 'HS256') {
- console.log(`Legacy token type detected, attempting ${jwtAlgorithm} verification.`)
-
- return await isValidLegacyJWT(jwt)
- }
-
- if (jwtAlgorithm === 'ES256' || jwtAlgorithm === 'RS256') {
- return await isValidJWT(jwt)
- }
-
- return false;
-}
-
-Deno.serve(async (req: Request) => {
- if (req.method !== 'OPTIONS' && VERIFY_JWT) {
- try {
- const token = getAuthToken(req)
- const isValidJWT = await isValidHybridJWT(token);
-
- if (!isValidJWT) {
- return new Response(JSON.stringify({ msg: 'Invalid JWT' }), {
- status: 401,
- headers: { 'Content-Type': 'application/json' },
- })
- }
- } catch (e) {
- console.error(e)
- return new Response(JSON.stringify({ msg: e.toString() }), {
- status: 401,
- headers: { 'Content-Type': 'application/json' },
- })
- }
- }
-
- const url = new URL(req.url)
- const { pathname } = url
- const path_parts = pathname.split('/')
- const service_name = path_parts[1]
-
- if (!service_name || service_name === '') {
- const error = { msg: 'missing function name in request' }
- return new Response(JSON.stringify(error), {
- status: 400,
- headers: { 'Content-Type': 'application/json' },
- })
- }
-
- const servicePath = `/home/deno/functions/${service_name}`
- console.error(`serving the request with ${servicePath}`)
-
- const memoryLimitMb = 150
- const workerTimeoutMs = 1 * 60 * 1000
- const noModuleCache = false
- const importMapPath = null
- const envVarsObj = Deno.env.toObject()
- const envVars = Object.keys(envVarsObj).map((k) => [k, envVarsObj[k]])
-
- try {
- const worker = await EdgeRuntime.userWorkers.create({
- servicePath,
- memoryLimitMb,
- workerTimeoutMs,
- noModuleCache,
- importMapPath,
- envVars,
- })
- return await worker.fetch(req)
- } catch (e) {
- const error = { msg: e.toString() }
- return new Response(JSON.stringify(error), {
- status: 500,
- headers: { 'Content-Type': 'application/json' },
- })
- }
-})
diff --git a/hosts/web-arm/modules/supabase/kong-entrypoint.sh b/hosts/web-arm/modules/supabase/kong-entrypoint.sh
deleted file mode 100644
index f1da449..0000000
--- a/hosts/web-arm/modules/supabase/kong-entrypoint.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-# Legacy API keys, not sb_ API keys -> pass apikey through unchanged
-export LUA_AUTH_EXPR="\$((headers.authorization ~= nil and headers.authorization:sub(1, 10) ~= 'Bearer sb_' and headers.authorization) or headers.apikey)"
-export LUA_RT_WS_EXPR="\$(query_params.apikey)"
-
-# Substitute environment variables in the Kong declarative config
-awk '{
- result = ""
- rest = $0
- while (match(rest, /\$[A-Za-z_][A-Za-z_0-9]*/)) {
- varname = substr(rest, RSTART + 1, RLENGTH - 1)
- if (varname in ENVIRON) {
- result = result substr(rest, 1, RSTART - 1) ENVIRON[varname]
- } else {
- result = result substr(rest, 1, RSTART + RLENGTH - 1)
- }
- rest = substr(rest, RSTART + RLENGTH)
- }
- print result rest
-}' /home/kong/temp.yml > "$KONG_DECLARATIVE_CONFIG"
-
-# Remove empty key-auth credentials (unconfigured opaque keys)
-sed -i '/^[[:space:]]*- key:[[:space:]]*$/d' "$KONG_DECLARATIVE_CONFIG"
-
-exec /entrypoint.sh kong docker-start
diff --git a/hosts/web-arm/modules/supabase/kong.yml b/hosts/web-arm/modules/supabase/kong.yml
deleted file mode 100644
index 52af820..0000000
--- a/hosts/web-arm/modules/supabase/kong.yml
+++ /dev/null
@@ -1,265 +0,0 @@ -_format_version: '2.1' -_transform: true - -consumers: - - username: DASHBOARD - - username: anon - keyauth_credentials: - - key: $SUPABASE_ANON_KEY - - username: service_role - keyauth_credentials: - - key: $SUPABASE_SERVICE_KEY - -acls: - - consumer: anon - group: anon - - consumer: service_role - group: admin - -basicauth_credentials: - - consumer: DASHBOARD - username: '$DASHBOARD_USERNAME' - password: '$DASHBOARD_PASSWORD' - -services: - - name: auth-v1-open - url: http://auth:9999/verify - routes: - - name: auth-v1-open - strip_path: true - paths: - - /auth/v1/verify - plugins: - - name: cors - - name: auth-v1-open-callback - url: http://auth:9999/callback - routes: - - name: auth-v1-open-callback - strip_path: true - paths: - - /auth/v1/callback - plugins: - - name: cors - - name: auth-v1-open-authorize - url: http://auth:9999/authorize - routes: - - name: auth-v1-open-authorize - strip_path: true - paths: - - /auth/v1/authorize - plugins: - - name: cors - - name: auth-v1-open-jwks - url: http://auth:9999/.well-known/jwks.json - routes: - - name: auth-v1-open-jwks - strip_path: true - paths: - - /auth/v1/.well-known/jwks.json - plugins: - - name: cors - - name: auth-v1 - url: http://auth:9999/ - routes: - - name: auth-v1-all - strip_path: true - paths: - - /auth/v1/ - plugins: - - name: cors - - name: key-auth - config: - hide_credentials: false - - name: request-transformer - config: - add: - headers: - - "Authorization: $LUA_AUTH_EXPR" - replace: - headers: - - "Authorization: $LUA_AUTH_EXPR" - - name: acl - config: - hide_groups_header: true - allow: - - admin - - anon - - name: rest-v1 - url: http://rest:3000/ - routes: - - name: rest-v1-all - strip_path: true - paths: - - /rest/v1/ - plugins: - - name: cors - - name: key-auth - config: - hide_credentials: false - - name: request-transformer - config: - add: - headers: - - "Authorization: $LUA_AUTH_EXPR" - replace: - headers: - - "Authorization: $LUA_AUTH_EXPR" - - name: acl - config: 
- hide_groups_header: true - allow: - - admin - - anon - - name: graphql-v1 - url: http://rest:3000/rpc/graphql - routes: - - name: graphql-v1-all - strip_path: true - paths: - - /graphql/v1 - plugins: - - name: cors - - name: key-auth - config: - hide_credentials: false - - name: request-transformer - config: - add: - headers: - - "Content-Profile: graphql_public" - - "Authorization: $LUA_AUTH_EXPR" - replace: - headers: - - "Authorization: $LUA_AUTH_EXPR" - - name: acl - config: - hide_groups_header: true - allow: - - admin - - anon - - name: realtime-v1-ws - url: http://realtime-dev.supabase-realtime:4000/socket - protocol: ws - routes: - - name: realtime-v1-ws - strip_path: true - paths: - - /realtime/v1/ - plugins: - - name: cors - - name: key-auth - config: - hide_credentials: false - - name: request-transformer - config: - add: - headers: - - "x-api-key:$LUA_RT_WS_EXPR" - replace: - querystring: - - "apikey:$LUA_RT_WS_EXPR" - - name: acl - config: - hide_groups_header: true - allow: - - admin - - anon - - name: realtime-v1-rest - url: http://realtime-dev.supabase-realtime:4000/api - protocol: http - routes: - - name: realtime-v1-rest - strip_path: true - paths: - - /realtime/v1/api - plugins: - - name: cors - - name: key-auth - config: - hide_credentials: false - - name: request-transformer - config: - add: - headers: - - "Authorization: $LUA_AUTH_EXPR" - replace: - headers: - - "Authorization: $LUA_AUTH_EXPR" - - name: acl - config: - hide_groups_header: true - allow: - - admin - - anon - - name: storage-v1 - url: http://storage:5000/ - routes: - - name: storage-v1-all - strip_path: true - paths: - - /storage/v1/ - plugins: - - name: cors - - name: request-transformer - config: - add: - headers: - - "Authorization: $LUA_AUTH_EXPR" - replace: - headers: - - "Authorization: $LUA_AUTH_EXPR" - - name: post-function - config: - access: - - | - local auth = kong.request.get_header("authorization") - if auth == nil or auth == "" or auth:find("^%s*$") then - 
kong.service.request.clear_header("authorization") - end - - name: functions-v1 - url: http://functions:9000/ - read_timeout: 150000 - routes: - - name: functions-v1-all - strip_path: true - paths: - - /functions/v1/ - plugins: - - name: cors - - name: well-known-oauth - url: http://auth:9999/.well-known/oauth-authorization-server - routes: - - name: well-known-oauth - strip_path: true - paths: - - /.well-known/oauth-authorization-server - plugins: - - name: cors - - name: meta - url: http://meta:8080/ - routes: - - name: meta-all - strip_path: true - paths: - - /pg/ - plugins: - - name: key-auth - config: - hide_credentials: false - - name: acl - config: - hide_groups_header: true - allow: - - admin - - name: dashboard - url: http://studio:3000/ - routes: - - name: dashboard-all - strip_path: true - paths: - - / - plugins: - - name: cors - - name: basic-auth - config: - hide_credentials: true diff --git a/hosts/web-arm/modules/supabase/pooler.exs b/hosts/web-arm/modules/supabase/pooler.exs deleted file mode 100644 index 791d61c..0000000 --- a/hosts/web-arm/modules/supabase/pooler.exs +++ /dev/null 
@@ -1,30 +0,0 @@
-{:ok, _} = Application.ensure_all_started(:supavisor)
-
-{:ok, version} =
- case Supavisor.Repo.query!("select version()") do
- %{rows: [[ver]]} -> Supavisor.Helpers.parse_pg_version(ver)
- _ -> nil
- end
-
-params = %{
- "external_id" => System.get_env("POOLER_TENANT_ID"),
- "db_host" => "db",
- "db_port" => System.get_env("POSTGRES_PORT"),
- "db_database" => System.get_env("POSTGRES_DB"),
- "require_user" => false,
- "auth_query" => "SELECT * FROM pgbouncer.get_auth($1)",
- "default_max_clients" => System.get_env("POOLER_MAX_CLIENT_CONN"),
- "default_pool_size" => System.get_env("POOLER_DEFAULT_POOL_SIZE"),
- "default_parameter_status" => %{"server_version" => version},
- "users" => [%{
- "db_user" => "pgbouncer",
- "db_password" => System.get_env("POSTGRES_PASSWORD"),
- "mode_type" => System.get_env("POOLER_POOL_MODE"),
- "pool_size" => System.get_env("POOLER_DEFAULT_POOL_SIZE"),
- "is_manager" => true
- }]
-}
-
-if !Supavisor.Tenants.get_tenant_by_external_id(params["external_id"]) do
- {:ok, _} = Supavisor.Tenants.create_tenant(params)
-end
diff --git a/hosts/web-arm/modules/supabase/sql/_supabase.sql b/hosts/web-arm/modules/supabase/sql/_supabase.sql
deleted file mode 100644
index 8882968..0000000
--- a/hosts/web-arm/modules/supabase/sql/_supabase.sql
+++ /dev/null
@@ -1,2 +0,0 @@
-\set pguser `echo "$POSTGRES_USER"`
-CREATE DATABASE _supabase WITH OWNER :pguser;
diff --git a/hosts/web-arm/modules/supabase/sql/jwt.sql b/hosts/web-arm/modules/supabase/sql/jwt.sql
deleted file mode 100644
index 93a8041..0000000
--- a/hosts/web-arm/modules/supabase/sql/jwt.sql
+++ /dev/null
@@ -1,4 +0,0 @@
-\set jwt_secret `echo "$JWT_SECRET"`
-\set jwt_exp `echo "$JWT_EXP"`
-ALTER DATABASE postgres SET "app.settings.jwt_secret" TO :'jwt_secret';
-ALTER DATABASE postgres SET "app.settings.jwt_exp" TO :'jwt_exp';
diff --git a/hosts/web-arm/modules/supabase/sql/logs.sql b/hosts/web-arm/modules/supabase/sql/logs.sql
deleted file mode 100644
index 794b086..0000000
--- a/hosts/web-arm/modules/supabase/sql/logs.sql
+++ /dev/null
@@ -1,5 +0,0 @@
-\set pguser `echo "$POSTGRES_USER"`
-\c _supabase
-create schema if not exists _analytics;
-alter schema _analytics owner to :pguser;
-\c postgres
diff --git a/hosts/web-arm/modules/supabase/sql/pooler.sql b/hosts/web-arm/modules/supabase/sql/pooler.sql
deleted file mode 100644
index 516d986..0000000
--- a/hosts/web-arm/modules/supabase/sql/pooler.sql
+++ /dev/null
@@ -1,5 +0,0 @@
-\set pguser `echo "$POSTGRES_USER"`
-\c _supabase
-create schema if not exists _supavisor;
-alter schema _supavisor owner to :pguser;
-\c postgres
diff --git a/hosts/web-arm/modules/supabase/sql/realtime.sql b/hosts/web-arm/modules/supabase/sql/realtime.sql
deleted file mode 100644
index 231cded..0000000
--- a/hosts/web-arm/modules/supabase/sql/realtime.sql
+++ /dev/null
@@ -1,3 +0,0 @@
-\set pguser `echo "$POSTGRES_USER"`
-create schema if not exists _realtime;
-alter schema _realtime owner to :pguser;
diff --git a/hosts/web-arm/modules/supabase/sql/roles.sql b/hosts/web-arm/modules/supabase/sql/roles.sql
deleted file mode 100644
index c507c29..0000000
--- a/hosts/web-arm/modules/supabase/sql/roles.sql
+++ /dev/null
@@ -1,6 +0,0 @@
-\set pgpass `echo "$POSTGRES_PASSWORD"`
-ALTER USER authenticator WITH PASSWORD :'pgpass';
-ALTER USER pgbouncer WITH PASSWORD :'pgpass';
-ALTER USER supabase_auth_admin WITH PASSWORD :'pgpass';
-ALTER USER supabase_functions_admin WITH PASSWORD :'pgpass';
-ALTER USER supabase_storage_admin WITH PASSWORD :'pgpass';
diff --git a/hosts/web-arm/modules/supabase/sql/webhooks.sql b/hosts/web-arm/modules/supabase/sql/webhooks.sql
deleted file mode 100644
index 7d5238b..0000000
--- a/hosts/web-arm/modules/supabase/sql/webhooks.sql
+++ /dev/null
@@ -1,153 +0,0 @@
-BEGIN;
- CREATE EXTENSION IF NOT EXISTS pg_net SCHEMA extensions;
- CREATE SCHEMA supabase_functions AUTHORIZATION supabase_admin;
- GRANT USAGE ON SCHEMA supabase_functions TO postgres, anon, authenticated, service_role;
- ALTER DEFAULT PRIVILEGES IN SCHEMA supabase_functions GRANT ALL ON TABLES TO postgres, anon, authenticated, service_role;
- ALTER DEFAULT PRIVILEGES IN SCHEMA supabase_functions GRANT ALL ON FUNCTIONS TO postgres, anon, authenticated, service_role;
- ALTER DEFAULT PRIVILEGES IN SCHEMA supabase_functions GRANT ALL ON SEQUENCES TO postgres, anon, authenticated, service_role;
- CREATE TABLE supabase_functions.migrations (
- version text PRIMARY KEY,
- inserted_at timestamptz NOT NULL DEFAULT NOW()
- );
- INSERT INTO supabase_functions.migrations (version) VALUES ('initial');
- CREATE TABLE supabase_functions.hooks (
- id bigserial PRIMARY KEY,
- hook_table_id integer NOT NULL,
- hook_name text NOT NULL,
- created_at timestamptz NOT NULL DEFAULT NOW(),
- request_id bigint
- );
- CREATE INDEX supabase_functions_hooks_request_id_idx ON supabase_functions.hooks USING btree (request_id);
- CREATE INDEX supabase_functions_hooks_h_table_id_h_name_idx ON supabase_functions.hooks USING btree (hook_table_id, hook_name);
- COMMENT ON TABLE supabase_functions.hooks IS 'Supabase Functions Hooks: Audit trail for triggered hooks.';
- CREATE FUNCTION supabase_functions.http_request()
- RETURNS trigger
- LANGUAGE plpgsql
- AS $function$
- DECLARE
- request_id bigint;
- payload jsonb;
- url text := TG_ARGV[0]::text;
- method text := TG_ARGV[1]::text;
- headers jsonb DEFAULT '{}'::jsonb;
- params jsonb DEFAULT '{}'::jsonb;
- timeout_ms integer DEFAULT 1000;
- BEGIN
- IF url IS NULL OR url = 'null' THEN
- RAISE EXCEPTION 'url argument is missing';
- END IF;
- IF method IS NULL OR method = 'null' THEN
- RAISE EXCEPTION 'method argument is missing';
- END IF;
- IF TG_ARGV[2] IS NULL OR TG_ARGV[2] = 'null' THEN
- headers = '{"Content-Type": "application/json"}'::jsonb;
- ELSE
- headers = TG_ARGV[2]::jsonb;
- END IF;
- IF TG_ARGV[3] IS NULL OR TG_ARGV[3] = 'null' THEN
- params = '{}'::jsonb;
- ELSE
- params = TG_ARGV[3]::jsonb;
- END IF;
- IF TG_ARGV[4] IS NULL OR TG_ARGV[4] = 'null' THEN
- timeout_ms = 1000;
- ELSE
- timeout_ms = TG_ARGV[4]::integer;
- END IF;
- CASE
- WHEN method = 'GET' THEN
- SELECT http_get INTO request_id FROM net.http_get(url, params, headers, timeout_ms);
- WHEN method = 'POST' THEN
- payload = jsonb_build_object(
- 'old_record', OLD, 'record', NEW, 'type', TG_OP,
- 'table', TG_TABLE_NAME, 'schema', TG_TABLE_SCHEMA
- );
- SELECT http_post INTO request_id FROM net.http_post(url, payload, params, headers, timeout_ms);
- ELSE
- RAISE EXCEPTION 'method argument % is invalid', method;
- END CASE;
- INSERT INTO supabase_functions.hooks (hook_table_id, hook_name, request_id)
- VALUES (TG_RELID, TG_NAME, request_id);
- RETURN NEW;
- END
- $function$;
- DO
- $$
- BEGIN
- IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'supabase_functions_admin') THEN
- CREATE USER supabase_functions_admin NOINHERIT CREATEROLE LOGIN NOREPLICATION;
- END IF;
- END
- $$;
- GRANT ALL PRIVILEGES ON SCHEMA supabase_functions TO supabase_functions_admin;
- GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA supabase_functions TO supabase_functions_admin;
- GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA supabase_functions TO supabase_functions_admin;
- ALTER USER supabase_functions_admin SET search_path = "supabase_functions";
- ALTER table "supabase_functions".migrations OWNER TO supabase_functions_admin;
- ALTER table "supabase_functions".hooks OWNER TO supabase_functions_admin;
- ALTER function "supabase_functions".http_request() OWNER TO supabase_functions_admin;
- GRANT supabase_functions_admin TO postgres;
- DO
- $$
- BEGIN
- IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'supabase_pg_net_admin') THEN
- REASSIGN OWNED BY supabase_pg_net_admin TO supabase_admin;
- DROP OWNED BY supabase_pg_net_admin;
- DROP ROLE supabase_pg_net_admin;
- END IF;
- END
- $$;
- DO
- $$
- BEGIN
- IF EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pg_net') THEN
- GRANT USAGE ON SCHEMA net TO supabase_functions_admin, postgres, anon, authenticated, service_role;
- ALTER function net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER;
- ALTER function net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER;
- ALTER function net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) SET search_path = net;
- ALTER function net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) SET search_path = net;
- REVOKE ALL ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC;
- REVOKE ALL ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC;
- GRANT EXECUTE ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role;
- GRANT EXECUTE ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role;
- END IF;
- END
- $$;
- CREATE OR REPLACE FUNCTION extensions.grant_pg_net_access()
- RETURNS event_trigger
- LANGUAGE plpgsql
- AS $$
- BEGIN
- IF EXISTS (
- SELECT 1 FROM pg_event_trigger_ddl_commands() AS ev
- JOIN pg_extension AS ext ON ev.objid = ext.oid
- WHERE ext.extname = 'pg_net'
- ) THEN
- GRANT USAGE ON SCHEMA net TO supabase_functions_admin, postgres, anon, authenticated, service_role;
- ALTER function net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER;
- ALTER function net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER;
- ALTER function net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) SET search_path = net;
- ALTER function net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) SET search_path = net;
- REVOKE ALL ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC;
- REVOKE ALL ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC;
- GRANT EXECUTE ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role;
- GRANT EXECUTE ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role;
- END IF;
- END;
- $$;
- COMMENT ON FUNCTION extensions.grant_pg_net_access IS 'Grants access to pg_net';
- DO
- $$
- BEGIN
- IF NOT EXISTS (SELECT 1 FROM pg_event_trigger WHERE evtname = 'issue_pg_net_access') THEN
- CREATE EVENT TRIGGER issue_pg_net_access ON ddl_command_end WHEN TAG IN ('CREATE EXTENSION')
- EXECUTE PROCEDURE extensions.grant_pg_net_access();
- END IF;
- END
- $$;
- INSERT INTO supabase_functions.migrations (version) VALUES ('20210809183423_update_grants');
- ALTER function supabase_functions.http_request() SECURITY DEFINER;
- ALTER function supabase_functions.http_request() SET search_path = supabase_functions;
- REVOKE ALL ON FUNCTION supabase_functions.http_request() FROM PUBLIC;
- GRANT EXECUTE ON FUNCTION supabase_functions.http_request() TO postgres, anon, authenticated, service_role;
-COMMIT;
diff --git a/hosts/web-arm/modules/supabase/vector.yml b/hosts/web-arm/modules/supabase/vector.yml
deleted file mode 100644
index cb6ca90..0000000
--- a/hosts/web-arm/modules/supabase/vector.yml
+++ /dev/null
@@ -1,255 +0,0 @@ -api: - enabled: true - address: 0.0.0.0:9001 - -sources: - docker_host: - type: docker_logs - exclude_containers: - - supabase-vector - -transforms: - project_logs: - type: remap - inputs: - - docker_host - source: |- - .project = "default" - .event_message = del(.message) - .appname = del(.container_name) - del(.container_created_at) - del(.container_id) - del(.source_type) - del(.stream) - del(.label) - del(.image) - del(.host) - del(.stream) - router: - type: route - inputs: - - project_logs - route: - kong: '.appname == "supabase-kong"' - auth: '.appname == "supabase-auth"' - rest: '.appname == "supabase-rest"' - realtime: '.appname == "realtime-dev.supabase-realtime"' - storage: '.appname == "supabase-storage"' - functions: '.appname == "supabase-edge-functions"' - db: '.appname == "supabase-db"' - kong_logs: - type: remap - inputs: - - router.kong - source: |- - req, err = parse_nginx_log(.event_message, "combined") - if err == null { - .timestamp = req.timestamp - .metadata.request.headers.referer = req.referer - .metadata.request.headers.user_agent = req.agent - .metadata.request.headers.cf_connecting_ip = req.client - .metadata.response.status_code = req.status - url, split_err = split(req.request, " ") - if split_err == null { - .metadata.request.method = url[0] - .metadata.request.path = url[1] - .metadata.request.protocol = url[2] - } - } - if err != null { - abort - } - kong_err: - type: remap - inputs: - - router.kong - source: |- - .metadata.request.method = "GET" - .metadata.response.status_code = 200 - parsed, err = parse_nginx_log(.event_message, "error") - if err == null { - .timestamp = parsed.timestamp - .severity = parsed.severity - .metadata.request.host = parsed.host - .metadata.request.headers.cf_connecting_ip = parsed.client - url, err = split(parsed.request, " ") - if err == null { - .metadata.request.method = url[0] - .metadata.request.path = url[1] - .metadata.request.protocol = url[2] - } - } - if err != null { - 
abort - } - auth_logs: - type: remap - inputs: - - router.auth - source: |- - parsed, err = parse_json(.event_message) - if err == null { - .metadata.timestamp = parsed.time - .metadata = merge!(.metadata, parsed) - } - rest_logs: - type: remap - inputs: - - router.rest - source: |- - parsed, err = parse_regex(.event_message, r'^(?P<time>.*): (?P<msg>.*)$') - if err == null { - .event_message = parsed.msg - .timestamp = parse_timestamp!(value: parsed.time,format: "%d/%b/%Y:%H:%M:%S %z") - .metadata.host = .project - } - realtime_logs_filtered: - type: filter - inputs: - - router.realtime - condition: '!contains(string!(.event_message), "/health")' - realtime_logs: - type: remap - inputs: - - realtime_logs_filtered - source: |- - .metadata.project = del(.project) - .metadata.external_id = .metadata.project - parsed, err = parse_regex(.event_message, r'^(?P<time>\d+:\d+:\d+\.\d+) \[(?P<level>\w+)\] (?P<msg>.*)$') - if err == null { - .event_message = parsed.msg - .metadata.level = parsed.level - } - functions_logs: - type: remap - inputs: - - router.functions - source: |- - .metadata.project_ref = del(.project) - storage_logs: - type: remap - inputs: - - router.storage - source: |- - .metadata.project = del(.project) - .metadata.tenantId = .metadata.project - parsed, err = parse_json(.event_message) - if err == null { - .event_message = parsed.msg - .metadata.level = parsed.level - .metadata.timestamp = parsed.time - .metadata.context[0].host = parsed.hostname - .metadata.context[0].pid = parsed.pid - } - db_logs: - type: remap - inputs: - - router.db - source: |- - .metadata.host = "db-default" - .metadata.parsed.timestamp = .timestamp - parsed, err = parse_regex(.event_message, r'.*(?P<level>INFO|NOTICE|WARNING|ERROR|LOG|FATAL|PANIC?):.*', numeric_groups: true) - if err != null || parsed == null { - .metadata.parsed.error_severity = "info" - } - if parsed.level != null { - .metadata.parsed.error_severity = parsed.level - } - if .metadata.parsed.error_severity == 
"info" { - .metadata.parsed.error_severity = "log" - } - .metadata.parsed.error_severity = upcase!(.metadata.parsed.error_severity) - -sinks: - logflare_auth: - type: 'http' - inputs: - - auth_logs - encoding: - codec: 'json' - method: 'post' - request: - retry_max_duration_secs: 30 - retry_initial_backoff_secs: 1 - headers: - x-api-key: ${LOGFLARE_PUBLIC_ACCESS_TOKEN} - uri: 'http://analytics:4000/api/logs?source_name=gotrue.logs.prod' - logflare_realtime: - type: 'http' - inputs: - - realtime_logs - encoding: - codec: 'json' - method: 'post' - request: - retry_max_duration_secs: 30 - retry_initial_backoff_secs: 1 - headers: - x-api-key: ${LOGFLARE_PUBLIC_ACCESS_TOKEN} - uri: 'http://analytics:4000/api/logs?source_name=realtime.logs.prod' - logflare_rest: - type: 'http' - inputs: - - rest_logs - encoding: - codec: 'json' - method: 'post' - request: - retry_max_duration_secs: 30 - retry_initial_backoff_secs: 1 - headers: - x-api-key: ${LOGFLARE_PUBLIC_ACCESS_TOKEN} - uri: 'http://analytics:4000/api/logs?source_name=postgREST.logs.prod' - logflare_db: - type: 'http' - inputs: - - db_logs - encoding: - codec: 'json' - method: 'post' - request: - retry_max_duration_secs: 30 - retry_initial_backoff_secs: 1 - headers: - x-api-key: ${LOGFLARE_PUBLIC_ACCESS_TOKEN} - uri: 'http://analytics:4000/api/logs?source_name=postgres.logs' - logflare_functions: - type: 'http' - inputs: - - functions_logs - encoding: - codec: 'json' - method: 'post' - request: - retry_max_duration_secs: 30 - retry_initial_backoff_secs: 1 - headers: - x-api-key: ${LOGFLARE_PUBLIC_ACCESS_TOKEN} - uri: 'http://analytics:4000/api/logs?source_name=deno-relay-logs' - logflare_storage: - type: 'http' - inputs: - - storage_logs - encoding: - codec: 'json' - method: 'post' - request: - retry_max_duration_secs: 30 - retry_initial_backoff_secs: 1 - headers: - x-api-key: ${LOGFLARE_PUBLIC_ACCESS_TOKEN} - uri: 'http://analytics:4000/api/logs?source_name=storage.logs.prod.2' - logflare_kong: - type: 'http' - 
inputs: - - kong_logs - - kong_err - encoding: - codec: 'json' - method: 'post' - request: - retry_max_duration_secs: 30 - retry_initial_backoff_secs: 1 - headers: - x-api-key: ${LOGFLARE_PUBLIC_ACCESS_TOKEN} - uri: 'http://analytics:4000/api/logs?source_name=cloudflare.logs.prod' diff --git a/hosts/web-arm/secrets.yaml b/hosts/web-arm/secrets.yaml index 7917310..bc5ae05 100644 --- a/hosts/web-arm/secrets.yaml +++ b/hosts/web-arm/secrets.yaml 
@@ -1,80 +1,80 @@ -borg-passphrase: ENC[AES256_GCM,data:E1O37tZVfr+76hTKEzluCruTO8JUrsTwYbhtlDmWxnX2wBwcQm21ks8LYTkgjRMOAg2pseHumr3HdVGdRz+wzw==,iv:dXj4wS6FLbe2s58/kLdoxrLE6Q7IKMEkKGcKq/v+dgQ=,tag:FtBSFm7LEIbbzebhvYqrIw==,type:str] -borg-ssh-key: ENC[AES256_GCM,data:mX/lV32oU4BXTjAA5T1lQnvWF9geq4bKmf2bCyjoKARVhVrlq9TX/GQqkLPjVsA/y9BeE7yvUdCst8F+qKTGkLoLHU2DgjiDPm2voiBn/x4FO+QQMGl76UyB20La+lz+hs8hNsRzDEsAhdEzmi9yFDythUOzgYLbMpdiOk2aPau6UQhOp18DDBXpkFvqOhzO1QzNFOJzpd2kbKMkbQzIuRbwjVzQyFm4wJmPmKaaYG0C9aobn+qrgCBMjcYtPn1S8GM+nigYsvLOJzdxYC/OZUBESosvAh/KEiQYXLG6iBC6ExonUCJsBBxWDMnXPNJC7RWL45SGySwv5zq4CI44ZSvfXwbyUG80omTOdkbLaxkofNKWIK3tJ45p2MmHhh6qDqSw+liNp6ZeX17fwkCU6XQymRImdKPFJrrs3ZoR3GvzyVXK/vxcvG4cTyJxldJNYeNF0oNJsB3x9svr3vangPgyxfUn2iYoSssz4NYGUNhy6edHjlZ0phioJIarUkdLBqXVykbpEg0Lze5tMS28,iv:b43PmYxF9GJ3NX1C5Ki904lx8amjyQ8Wx1KTv+hIkPU=,tag:WzSGx37prY2dGy2s0RWUhw==,type:str] -vaultwarden-admin-token: ENC[AES256_GCM,data:A+WaZP3rOT8Sr3Fnh/aX4vSUQViNgn2KlFwkjnV9mIK/3m2hQBnMvY2YtSFgLkBEkMomAxmRyIAw+PpWU4+TlA==,iv:QwLtekgMaBaAKeZBb2wvPZEuPYwpP17xOVZOkmOjzFM=,tag:625ybIGd3Wr2pLsnZy9pdQ==,type:str] -vaultwarden-ldap-password: ENC[AES256_GCM,data:Db5TKSQEmpZMLp9mLqV0MB8ICnf6EcgHCG6BkZrl2H9U/PAamPQa3aEgS5yQDDZRXADxnVaeLvvBH/CQlRK5mw==,iv:Ahg6ZiqJHCoJ43yq3WDw4oWRo8JhrQ0dC3w9+b8o4+k=,tag:xetBoKe7aw65nNXD2cVASw==,type:str] -vaultwarden-env: ENC[AES256_GCM,data:761VT3rj6WltBrjEspTRdbOCKcQOt06R2m5TOTRFG2BRHwsSCZP+V3XxGe51xFwB4LMUD4zPjl5z8FR25Z7GdRY6i1DGBlcCSJjJAeMPBY2v+pP2/8FmV8zcgAfOJxu6yjkfg23+q6bUxFxSwMkBUYmr0UnSNdQU9dpB9O2r5vfNv+JkjOZzqgfvN99YBfV5o+9H5wQYTnW+TpV+lsIOeN/Ja8l+tMa8+I4AH1kkNASD6LQ3TEFBuc8IRmUfztEsuCR0Mf7kEcqhDzWac2SC1EA1jhLJGMgCQtRqeZ++VcoR1obgwnMdjC1G783ffXttMJ/Ut8kLjQ==,iv:fjbGcULFd5fSZLL1l04fIzDvlcKvlnlCXsVWMJma4Zo=,tag:qFKfixayRWeV+D5i6Dr+9A==,type:str] -authelia-jwt-secret: 
ENC[AES256_GCM,data:StT9SXs9pkB75G2XdGVSlVYAJOnDjZFifGETVLkJ3C3tThEKybV/ibhMRZj9z2sE3A126v1xbX7SI7broNxlPg==,iv:bLhYu9vHh2n/nT88Yg7ejXWr1xvJK9Du2fAe8zn+8NI=,tag:cDX7iAC4Vrp9HIf0ZTIPSg==,type:str] -authelia-backend-ldap-password: ENC[AES256_GCM,data:d73smm/wTl2uUR3Z2RMf/AvFcDJvKZDxezrs6DJ7qFLkDWAu/0t8nB/l5CiLn4DQrAKQm0bi7C8mbGmKYTskag==,iv:X7KXpbRwcAMATzTNGmUlDLNvZJXjMqLwAkebsH50uiI=,tag:X0n+mhK5LT4rj5oEsZqZ0g==,type:str] -authelia-storage-encryption-key: ENC[AES256_GCM,data:NdiBiq0uI60VrqUlAB7B9Q2BLYyMNfBoQGL+obb8WO4ThOVFLsx061KjdzPtQ7tlvvhbL2JXpPXxfKnMRpyb+Q==,iv:M5gbiE8iDrPTxwETV3UfZoi3UDwXREhVcnyysdlD8Kk=,tag:aeuTT4FPPnJZGaROOxdHQA==,type:str] -authelia-session-secret: ENC[AES256_GCM,data:S8WkCSF7wbfb1ZOjuKSBDUxcr3Wsqs8m8ZIzTyScU1qt41gdGzAs7wBfTbTdLw+IpcUoC8iJv1cMLZRPrPz2QQ==,iv:/amZglU0DoYN9KWfaYeoW+FfppKNmlOt67HEu3tv5jM=,tag:yw9h1pEhdPGCThj3HLuMyQ==,type:str] -authelia-identity-providers-oidc-hmac-secret: ENC[AES256_GCM,data:qUUohOQMJrBChpub0Wo/oburQBybRCbDToFLziubhttcMqzEzfc0t5958Rd9GVwM3YKqbAfc85omagkh15xNwbAwKpW2CaQ7ExDnd800YkTWS/U5AGDoV61JDb7sl0kpEHhY+DjcqY/1Joy2ZO78cdq1OlDo9X2MyVBJeuLSC38=,iv:K8SNO6385+QLlbRg38hj4eHmqSw7RncFPKy+8blD+Ps=,tag:7pY3ibRYPA+zHrkWgcIjKw==,type:str] -authelia-identity-providers-oidc-issuer-certificate-chain: 
ENC[AES256_GCM,data:pQ2JmNy7kDLW5hktGUO2Ubxjs1bkifLT5anFdOE4AujJFMAktw4wkpjzDbQwrWAvjGiORG6NryXPg3N51ocRjAi8Stli4HuUT2bpSrmeQHfOP53TEB2CiTSrnp+8vRlwaflPCjH2zXldGRYAwMfKjiJcZODuIicB6Y6BqDJ9a4aSgSTlbVO2/eu4SUnwmXPtZKHkG/3o93qp3Mola9h9b6ZWiKhOD/BZRx9svA1NW4vkgy4wwmLR6kgVbkVDv8Ga/vJr8kKwkwmX9ocT2A4un0Uyzok0bISk4kOcnOEPxvlyiMbYc+dyfNo/czNN6LTsKZU58FRAuuYrz3zSh+5CxMbBDGPgW1m1iStSi+1ahZ1+OOi6Ay/tOs6jy1267qFoTlSm1Nz74dodlOEuXU9ezZRN/oakhWCwiEoADm4yQzUSKTahnsauap7vZoXsEjSTtwrWOlhUxSUIAej3Pl4e5uBYJCgqg9uGJu24U4qaWVnM2hn3bFeTI1vRW17K4WK8JQSvUHpENitz79/VwaNpoRYXNk4/S3rLWkRsRUfI3MyoeCYNflduFjBHExY6JG+DQvtMLGaR5Ih9VkGfbhmRLKVnuE03HMpaB53cja9kEeF8uFqigardBPIRanTvEXyNtz1oA5NdUhClkuOTjaUkI55zZgzYurJkWxsxfQtvSs1Um/VFkdHLTIzyTkE5y9QyZNuwitWYG6eHSjhfvCLlRYp+AUsL1C7CYM9/3RizQnHaXsyyKqoTbjpdk6qhAgg8sE4lssCADM3GwpUzfSnM3wDoOL1TozUnpcpb7Dy+IJIl15V3bJwzi4PF4OGpaWQ1WLPu0g+LZ9sFWtjc8eOqYUQ+Q845I+JfC7nE5MgxGeUQsLcA4beAOXlyfzBvUpHXFlfk3aM3Gzraev6p5f/bKZQM2ZQeiw+mGKh5s5ifIGUSHwjUlTca92ohOSR/HoDbtZGtLsKFjZUseWqu1JHLN02Xh5D9lMrWAHRnTvl5k1rmyUSHCMZNZO1L3a9qSdW0Brx5sX7/lw==,iv:SmXQArwrm7eufINusZdYOBm89FefJia+BYZiZS438ZI=,tag:4QUYxECPo2+RUWY7fD/peQ==,type:str] -authelia-identity-providers-oidc-issuer-private-key: 
ENC[AES256_GCM,data:GTSvXcCLT8LdMWhAjxG6qYR4hKBh64lF8ZYoY6nkbSIg4/mGIQc5XWYC0Gy6sjKXViLtCDoWx0UPGTxY4VEIA3N47CfQQjCmKOIQjr2R4xfE+F6SpR1kt3DZy8fj4zwwxT822mShZ13qOPXvp8uVzpO1y1ymlopCHuZtAVbljeJLrLniXwHXKMd43N62KnKTCdszGKxY7MdbjzEitVJJo2970TT8jz62PJKMEfK2gklFISCqvMpo9JWbX+0KjJqq3hOklGH9+LbAd4viV5ngTA7dMYWR0nPh0LVyZj+nT0A+6rsG2hLDTnYrYNJX7rlW+DR9h56ZC9JUuEDVLRsUdmz6w6iZmMt6GJW1xu+lcxOeXd/HK/yUnxWKTYfa55nDUZ+GhBPy2oQfw6+28GxnE8exYhhhsSn2KmkkGpBVMrtBuIQkwr8E4wpn3Y9w0eRaWWsd5crvuT2HLa4T49TVwxM93/zxyT7QFvsQhIOzaAhTavJMfRtbCvi92I3Z2WpDtWlxvPQIvFARzHunbAm/2UCl0jykVyoKOL6cu+jyKX0y6koX5UbVQGSJy3y1UyBKZRrthUbhRpTufujvT/uVtO0mbE2yDqnqn0rWHah6wJCuMk3UQR+AJcSgMkdYdLlZsuuYfF6uFsPoBlY5c93yeqjSCqRqJUiTUpVzVJVjdZd4kPIvC1W5Xzd5gqqnCMav//xCwCk+7ByYnWOM6ykSNWniQkGocW4+vDZSgozGpOcYVOTdzdMGwzgnu58cdmP7CxM4o2nLtfemLU/wAcNLaVtPlaPydkXVYkSu5tCi6L7v+KXBbi3q1PKQXSvvBKJCZQmwLNX3I/s9lDgVx3H82VefQR6WHz0oQz8LhHOQai3p9HrFBluzMKCmSngN985ccbRzlXpnxOGZz9n24wXk3GkVyhSIlbuSUX58JwLS5rQOn7g8OLo48HtHxUY5wxFxoK2kyxtgEuZb4d+zRr/JI9D17GS+Yy58fzYEGoE4faHjHTFwu/IQNJyg5fTzx4CuUM+ddgQBe7uKjb3VtHqRIpIVQPXj5fuRyGvoRujgONqmlNpJDFxFLcapH+nagFQzlQ5TJ+ljroxHy63HtdLP+cbn4u5KkJIyfHAMv9gkJf+1lqXBgRa+RxlF05jNF9JZHqjTtl5MtS3zzDZOdYs/EYiULx+oyN8Hfmy9JaFFNMmyTJtIQqodibL1dJ09EPolo2r8gwmLJIvMMHmfpGoGAx4y+BnBw4LC52gGacGqfvTk9pG5tMCsM86d2lYbklXpup4KkUXdA+9w+QLBB1SSwDD9bpLB9ZXC/XHw5iVUL1RsnX179Tzca6t+qUGSlIcl6YHL5Hzzaf77PM87ZGnBV+/UrA8XmzZfCA3BxiIouF2ItadRGuz32vbPQjN76ple+hyWKXhv8L2Z4HmqBK4WExPY5ZX1NbCNMLTD0omr9s/YuOvQxxQraUuLsSrzSOhuno6gMMOws2fvP3mgpsi5382NDAr3xPG7j/bWATJ1MYxdXNLDyYL/jP1PM1chbwcvPP7Ej2IH4NkxeD1bKu9CFBZy2ZjZGHxXho9WBr5+MeuFqbIADnneLzG/xfXohpcreumDIGHBl/sn4GdcQFLg/8jvwPY3VNym2G3LSONSPPwnEVsI4k6WaySTxnrzF3tSMckXKxw5HzvMU2YRQUoIag2Z2ZK+WQpL75r5+KBJW/hRsEkkMqRT+ztBw3fD9V0Ma++HRSdr7kq1//SX1WSkdXl4tW+A5yvsCdJ4kEn5gpqeENYlSpiLabdd7ASCRAB8GkBAx5o+OGPr8D0ntCtHwArpqs6P8wXvSFCpuAEL8WTgLYB76l1RHb+zp4J0C7my1MbBxVl2Xn8WhIWNvPvoXag4ukpUYL+9+SJ5hKDueh+YyM9iTw4pW2kiuxprshlYglPLaGl/DsqqEZxyGc4gdk4z01pXsZcRu1M3Ea6R4aTIBiwCvPZ0Hp0fbMlH
8LZnOq6O1WO079kd1PBXjh9jzr20UvK5F3AcJfK6HbTmH+CD2wSwr0s7oJnJ6KMWECSKi+qejSO5qIvpy/59LtDlHhYOI/lBsCjdqiyci9oVevNRFGGaLo8iNf3fWpLrmGfIFkP1VgOVnTm9W4zhuKp6EwazCMTsvKGw+rrVjj0gNtDzb66uzMW/5RV8d//fjaDvDWLNef29sOHwj9Ng4A+udZpRDxcgC5cnV6P3vunFhiFHJz02Y8ZY1zDNMxcbc2NFuDfKKu+ANEj5+gcatYTtsAWFH3HuSSxYvbwUIAj+tMsITYfvrzL0gpuiIgeqDq7DoPUCdMLbGYNznAe6TEHenZ+KeLLJs2+lgZkLmXQgVFh6WV3sm1mTpgxfcL3wwvxI2YrUJg6kRRmWEfL1Tn06XwqH31C+/SWQCl1a394CMNus6/t8aFkYg/YTEHO/O1c9WDBRVWNKQuVTiC2kCJe6tIA7HShbP2ZC5sNYh6lWqIQATM/oCGth3K/GNi85/wjgrSBstBEgtW1h8YshxelDE7xguRpP6gVC75Q+upFaVHTnpw5bwzlkN25y3KuMaktOQBJaoQ6jgNbCuZXCa7kCB2Wh2qApebkUaBVCWgLqDmX2u8F/dF6M/C8+1UpJTZGj7pRR6GMZmMRt27zuipClzSoLAJP1LmjpIHdg68M5epLs0WW3E6I9SRbFeERQ4JCM/abq3+w4xgsOjHi0A3CR4jVNiDaFujEJI6QpR+AETegWDSlKs6Mf2kSksH880k3yBcsTbbKi2YqbzpGXqiNl18GbfHU8hNLfF7dDYtlyeoIvWWrXx1sG9AyPgKbqC1rYhEoZs5CTpdMeaUQyAdnXzxJmCiR16qUP+YAQawTnEjlSmwOAFQxfSnMAHy+cCLnjk6Cc0VoLPlpeNh+HTHKm6etgGX7wbjeL0wS1AW7ZA6bNyZT0CvR8nn5fURpOa8t58l6DDyWhyJwFZP8GUZ0MAbMJg7j6bjkj9B+luRJ7dKsant6kfluH7UR7Ps+Jrfrdhdj/KDexWcgffG74fHYN8TdFBF7OKXD+kXdjjAt1Nx9rIw4FnlENurbw2RkkwMaQjm2Kl1Y3ATNsN6emH0541nnMfbVkGQSmHWMcE0aW0aXSYJw+qjMj89S0rxjonlylf7vsTIm453T8tHRmuRO/UzOpSDSEIbCxBnQcNrJebmKTjkvxqwbJbEfq0LB4t5F+wdqAPACU8oSLtu/hBZBgaIarHBBWYibJKhEnymMJ1WuhzZ+t+ejy6WRbwWQ9YQC5ZMYaNF1A38CIu/5+xp/7SSdbLO6sPq+VpLiOf3kE+rTTYzgZUqVN9NgkBj49RZTyUYVj0qwXGV9td2DRD2iPLSIsq9MSo2Px1iPSpHKkpT3tJNtC/Khe44kzgS9zHRC973paU8R544n0XpS/bJkBp6jx2dQhUuR7VCsZGX34sDlHraxr31a324p3gToNUbrzxfdyR077F6nrGcVUZJKDngoSCsUHTyG10JVySjmvJuPVDM+1eYKOBvY///4bSnVZ25930Hi5KTiI0Y4V1qJk1stZTsAdorxX2zBSQLMt3b1qTAzzm4ClXjrWBJ3HrTL6g7TGMZ2XWblB5jR6yYHA9RVY5BQq1iQoGA4WCkwXxunZBJp690oHEAWQNu3PB8l5Vi6Y1xFJyAoqpM7SZJmqPi3J/A+kYFqRTmjke6US8EFoZS1Cq0u5BdE/AjH3xQAu32ElUfamMdgtJ7jbAevDIzyKC+fH+vhmDkmmUT0IsQRF2IOufA0Vv3ehkQkMtZU4v39itA9H8HXXA/V5JMRNQSLQd91G0dfEZen83KDharOEZPuou3EBoEhh1ohXOlO+gMt35JnpUjobcdNXKm3bZa1VK8Z+oEFDfmbUcR/xrM4S6h4R2sg/U+E4fBDkhJfh456Ebq0ZEUqJZU945qgcWj+4zHkwt5h7XdpnkkKRk0rKQ/VzSU0xoHApMO7aK0YjBQHnF9Kd2j2p
K6rizqovexUeVB/Wk0g1g7cY72W/a225/YfoZYpBZFS7/2+AiPNhI8FIey8Sj25fhPbzOZyInsc400gMt0/lHpsBB1ZHML+f7OSFWZgh9z/6OlaBfngw/QAhi7g9S4bM7SJY7Ouo58LoqnMhXxE8tMzvzGrJ1kVvLLi8znYbqZI4Uzo7oiXQI1Kyo6IfSEjL3LUGUfdsagek63WqteQ+gv1j23udXYxz5Fa8IIsS205GiDYNYWmS1RJdcw70maoD3lW1YGLhU6H0hYLnwLpxqGVkTKxVn/2gijSU4mUklNeMZIFS9mLIC5FFA5Nfl2/whOXHOW405gb4Hrf85L1fy6a8,iv:0+CqN0JedhUvs4AWh35OW/cDIfqvE0rtib7ZLlE23Tk=,tag:0Q6+Ee6kQig8FlSNFoCzrg==,type:str] -gitea-ssh-key: ENC[AES256_GCM,data:jCe+/CpRfn5dv5neQ1yzL7nI7D6cwjMohDjDQmUJxHkQaJMUYG0977rYEcZhPhFUCMDNW28J60g/kfrfRjSIzX895LaD25ZZrSbkeLpKywt9zhUqaXnpaPcT9SfQyn+jgGGsgQd3xvi/1fyu6+lwDfQ/nbbF33E/Wo5D2j7o8yL8LbvDjQZkDZlaO4QXTRlhxtTzlkZk3zVmIMF62+PMYImyCdH+bAQ2+12YhO30iETiz1EcXSkz+EtVZj1+pI7RlJeQK2qp5HUJT7+h+hfzNfslqd4pvTKFwUvM33VSoFUR8NRuh4wAu5pthSp4JPZLuKGucvAVC9g+F2wVfcS+ntHKSBW3fWDYCbafB0USSow28ZhUn8eZRhBkhfisxgp1Hh+uD2sgBZUEPJo3AhnEOKC0X4MgWHU2qEi8BiMkplE6j8tVWtZja+le7kroklZ15jwuEls/ZZqWDYjnef6KxfRRBRxu5SrZcHXO/aG3qeZ0qArPcyO2ZzJvU/f42+TOlkzgjG4OSY4lJV3mo/Hf,iv:mBlZOuBvd23enZ1LwiLVIcuzDdaXBMdMrtw4Zu/ZIPA=,tag:hK5UQWZThjkWBf/BKXqMDg==,type:str] -grafana-ldap-password: ENC[AES256_GCM,data:9F/gYXzxzkS/vq3UE1vYF/woYs0Leyzroeqh5F7YV1r2Dnsomxm1AQ01N71wtAqW2aTda0pwDFv94N3qH/CJZ6FBk9wZrbtY5wt63PjvkaQD2T/7rC/BmvSWtddSlU+eSJ/rTilHHEBpFb+4czrRcyZmy8x5vuR+h3nz+n5BGgU=,iv:kFVlGQZF+ins5IPRwOlrT38hpp6M69x/hxZ9lDWZb2Y=,tag:VUh1GVmlzy8vnmPqyWnaKA==,type:str] -grafana-admin-password: ENC[AES256_GCM,data:1eHCZpqjmQKMaD7PdlWZ784shYQw9lSa3L59uE57yr+GRIxpDYgWSh748tcpicMfQE8RlFpq5SZ45BeqtUodM5lxEHG8JIwu0f0X9xvBbm4C4ZoyMKg5zB9DY/39VzV+KPtPffjy3tCpFjNzfoBmw5bVc1aLrhsKtqOreKg4njA=,iv:XAM2leioNVsOLt/EC48iuOx+YJEugdarCZBV+/ybdko=,tag:64MDI6nWc3XMkQSA2/qGxg==,type:str] -grafana-oauth-secret: ENC[AES256_GCM,data:MRrb9+JqQZksdVdKDZJ0GJsBDQUwkfboVXL/xp7gMfRF+LNsIdxjSTeLyXAjAlVGAp9arb2zvVGNfgS0B8Lng3fbx46UC/s6,iv:blgyt4cLP49K384yp4HlL76AogEewwk7bqCIbwB9AuM=,tag:MSYoH8Fcr5qQdHhBLjbRkw==,type:str] -linuxbind-password: 
ENC[AES256_GCM,data:TY7UBM5yDvUvUTIGjshRT0GtiVrBufpf5g/wJP2CTz1X/pliZTSJ/RRR7hc5TuUPs6nivGnQUNm/1EXD56uIAA==,iv:8cOr4WrkjTsGW5XDAjQaOwbXJrH4D98yO9jJRTn5dDk=,tag:Eu6N31m3sfzN14tzPvVq8A==,type:str] -sssd-environment: ENC[AES256_GCM,data:0up0tN6r80Z7uBgUFHTgd1IWhQE0EeM8DNrngplSjHnx/dMqBxH06liFalfiAB92KKtHr//iBjgMHJ0jtmW8hu2xFSE/QAZ9VZ5BQCyhwn9sSX6NH0SL65aGrg==,iv:3Fs0AxtUdsei7cw0M85XT1eraNIvwONmAS4mE7ns768=,tag:5BWFnOWE+V8C2gFx1JVEVQ==,type:str] -promtail-nginx-password: ENC[AES256_GCM,data:Sp6KjAUz2y+CPwaWb1k75Ca2SX81dGdlcfJJ0tLKyqPzeVQz7arpuC3/0TPNg/zRG4jHchS6NJ2hEA==,iv:1FYRFk5eevTwMzNMkpC9kPDivf+Z4kRa66EhI0NXXKc=,tag:4Wg6OFE/XolDq//I8hh3gA==,type:str] -victoria-nginx-password: ENC[AES256_GCM,data:QIjz+/l7a91No+9EUMDUYsyRpNqHWGn2Ll65EV9rSF+1G4ubiRBVzysYYetZRUrgZxsDu5Q=,iv:eRMYYoMYg+xD+HwPs4muIM3GQ2oC4FzYKMnnXpHp1XQ=,tag:WPwPjFC2v/N1sAXkmMCJ2A==,type:str] -nextcloud-adminpass: ENC[AES256_GCM,data:ORkyUFw7kxJWw45PjIiebBwoLLwGdjxumn9L7627nyAHIUZm2PYLeKnHc2hZsqP/dEs59pkttiindXGePrQa3s0fVZSKrh5g2eGnX5GfhaZgcMe/Gus5P1YMs775mRgxHUfdPkJdzs5A+KmKWa5BLUATarO/dZvLSlfF2suhJK0=,iv:KNIbcDqVGVPv2klixeKEhQxB1/V8KRXl3rtbbPmTcK0=,tag:wRk1kN/5aSUFB4qLfu+Ytg==,type:str] -nextcloud-secrets: ENC[AES256_GCM,data:z6jPujXeek+q5er0hlJXqAHHcKSEPHNuQ3g9O7uGDODqttXX+iXL8N+k2EsTk3baAncR8OQsXdWrKmyR68coNGZZTQ6V6gPIfDK58a3Z0lErBy2oW03apCIVqAt4a7V0w4KUMUisU+ufQWEwIA==,iv:pdMlTt9w2lTt5XSaohGxOhsqaCLcoWFc3WGdV/RvpWg=,tag:okguzCm2iCRxjyKmFmyQAw==,type:str] -nextcloud-smb-credentials: ENC[AES256_GCM,data:2AobSnB8bracurDscSHt/4j8fY2uvU3zZ8f4j6VN0M1Y6i7A8ivSsGNG4t1LOu2b,iv:ogRwat1FWmiihe5xPaxduzNxcHhBGSBG3oM0I1nr7JE=,tag:Tsza9rKn44irm04Hj6XUrQ==,type:str] -atticd: 
ENC[AES256_GCM,data:B+Bpay6wCNy8d2F8JB4LyCqzbN3WSgUq66fyZA1jCkGhksRQtW6Fq5P1p3w2qgLA39Otwq948lQmYXgyxaC9PX6b4qD1Xnz2xS1D0Oc0xLzSqAbQH/7p7X8bjn/fC4kBr4zZpJKsVPe7AzMAAufg67l4Nmlm96/vAUW9XSm+9N69aIORgNEXtyUN0XrVlkk5CLv2MohUKKYrOrSjny32nyoGBJ4HUT6Eqly2um6s8rPIF0UuNWPFIR9GYlbSDyLnYySVRbgdOee0hLz9CKJf07xjilMrPJcL+Ruh+1EwjACu8Uf0Ocx2aW+oKFXjbABfWpoTxj+UoqS59Q80cSHlolpvy2dqjxwzWayusxlbEL3TF1NBp/2x7ikye0uxA94wk0ApctYkkwwn39URREL9N75eWmsKz1nDFrLPNG+LNFKzsspfJ6tUY8me88xOFbmQb3YBkTJkjdjw3fyPKl2wrsaV/Vl424C4DPgN4PhifXQhqmfl5HQCmEw16jEx++VC3aAF/nGQ1yw0v8FIXZIi3rh//Qg5PlPKMlaMDz69avlfuyglyySL38Tode6b5Qo7He+FDVn9J0bqoEkrKL5MovACoonUxnSz1g1by03l+3G6X/HAQCizcbj7plROGVVoULnfI5OvtyNxmw1WWEvigkrx/HpQ4ZsdQ51iIvt6HCZrbK5wnOmS+y8zQAgScUyZ/s84gTwelhJN4RDC/c0NnDs2QBeb3RItrg37refi/CqzUvS5wWBoKzKCmxTVlVj+TcA9+/I+76T1SRxaBdsHG4ptzvnbD/kvHmITNmo8swnsCTa3zVC1tH339/Qsfg9Ae+uHwz3SbDqEsspBlMqCYkJIFGph7nCVb2GFJUCCjnCAhjCRAEoaJMGBBVINbL4vIH7SAu/NxL/pZhy9nRjwaKYIB+EA2S5soff5Hrw5YT6FcA6LUSZll4xej7DHHrBTxb0FfRRH2ah62McAvkvWKm7BB08fbRbjMxAJMu53nzRBkfwqedW4pTVoPQzR2kP2Iyamm3sjHOM2XNh03BBhxH1m6A9yABtemZhE+yoHJLrv0tQtJyp6TtjyMsOi25EDtqM40QwnwF4rKRk144ge5q8aE/8sSJ6y5aSLUAwfw89MgETugXkKwyE7LdYrIHRBMwkRDF78i0UwEGkKKpLIijhuuLMVwcvPwSIgyBFBiZctqL6p8Sayhhb/g5Asr/THoyterOeWaeL6wqvwcjODUjDyK8put/oALhOVETAZiv5fFEW/B6vkIQPeAVUNXvTQl30lueFDvv5jCYxXHcJ4vxvWX5p0eXFXD/WuLSuUm5F/uL1231Zkdofo6U6PBqTqyXOZfaqDa6hNIsargCsu3GUVTlcafBwbeQ9anF010D9h4HTNPsKPAlm14CecvKKscf07w5cL5/vkGu175M/xI5z8bG4JdAvrhsShiL0hbf0WlProPJFc+AS9zgXxlNfqEn9gTFzfFNLm9APWjZ8PH27STfubJvtvq/dwUjSDV4Lpnq7ououFWF5b3PjZ8OX4Nu30r30Nt76NJMREORV3w8os2geILgsqZYPQJbvnw/ChTSWL95Qm9ERrW1HjkhvWatED47/Ed1PlJVKJAI45RVke4vei1qqG7yIeRDjtneAKfIkiVBnWgl1G7MSicJf4hJnVpostEWp+DIFZHShjWRmq01rvwh0oRRsHnCkdXfy+hh/k9YyNb6fBkxhuab3dzoVtTOY1dzqEmcvZoqN2agyWpfIj0x7C3/w+tYkyxs+4OyI0bI4O+Pe5hpWSP9teYL88QAJQeFi6O5XlKiUUKlI3LSpMfkOH8G+pgYL0Ti1Jb6GSlfErX70J4LT26JL0iUsyfsEwvGNFx3/L4SlU0hMv7rW1wNpvQTPEPr+NQGDmv9QRW6myF2hv72w/STqlxTedwdVDlSaAsQriM8haAmZCp6l2Fr3DVOKe3VQNsyHkHceRWfRSZHOa1hUQ
hjQP9kc/3cWY7G3lSCXWZwrKcEpoSpx5fWsgzwplYYv7eIcm88r6+RXxSgv8r66d6/peCXv2NTnH7dGDat+WIRoGzLgXCrukXeH9BrpTjXIxRr+zxj+c51LCDf8Iyoymyhv/DPXMybA7wfs1cNtB7NY9GaVt6zbhYveS5um21i/nuKRnBKseUWw0b/vumpCOSZxM4Jbziko+Fn/biyBCVDilRBHAyGD4blOMCizlUMQTSVUw0udQ8Ar74o/Xe4t1eY0LNvRA1uErKd2wR/m9voj0gJpZxdXn7Wah8jx8/xDSeVpzZcmQidB2iOZ7EtY4kWnh1dWzGvYMfhXbHfAnu7zkZtBgSUlg7Gda5pc86wYd/Af6X6k0kIUf9RyXPZ7Ir6ocM//TUg3mj0aP0YQh8LrdSXTkeM0zJMfzD/mh6xgZZ6GF6UK9KJp7Skn7B93KpaRAEd5SnOqnMwh3mlOqt2x72FpBXI/VN2fyv4aA7H1YDbMkKgqoifn5O5hQQ0joAMzvPbkxa4eRarvLWeGEvga/vNFpHwaf/rW2V0KseC5/MtpKBGQQfhGilRl8BW+J94uMEkRJrhzrLMPoEgbjoATbFj48E6u6Nw0sGZG8pfUTVgZh842eC+bDUX2hHQljc42cD6NGbw3LRjPxiDBXgU8ppDTNxaXXhzX0EoXuXwtNaOy2W+1gERDKp7HP45EHZuI9/lkHJ1/KB+uGDxTSABwHCeWdQdTt9EASCrsXr3jEXXv4BWfaNd5hiRKZCvXof+N77/2mZ3uo3wBLPjbhToKYh0hPyiE6bSB2liP8+kE2ZtxzkEW39XjYExucsXN1OvgDAfi5r73Esx+sFtQkc7fZ2YDuxdAxQZhAs++sa3dLudbn6YrdYwKwpJGanqPrSiRbGL1JCEgjTSz+NpsVx3T266sCrr2YolhcuTiH6ifhP7+SC6NfQ/NcADjcyCBcHetr9xWCPdlCxSgk6AWYU0rDv0J5W3pr4eT2WXjDE+wDnboaYeT6B6Pc1woyoK/54t/dbf0uVdIM+uarTrtHKh0r5yRpZVbxruZ/lFisu4C0QJSYdwDu/DDzuva4t39dx6GTjXUcdRlaHpBOW/gnF/kPrgt/Ra6+VHhPOYYOOfVravzC6LxVfoPpAGUO/8TsWfNGtdYnaVlTf1mg37ISoY8iaLEWtUS4DhoxxtZDlMt0Wnio1TkisEoBuVZvhRuWWLWmRi8JJHhjdjFft3FblwxA56t2jkvbNb0i8hv3rXfbgXbAF8jFyiMoPBB73Qj+DV4jO7gZS8dHw/k1L9kNnVeTLYwES+SGzhJnk0Wni3H13EMLxKDOxcJoGi/xizW5S6ubwmk58wy9//nDKgmzSEf37IZt9X0bKX8PlY6QJIKFne+JIbwPPaT4y8Uq2yl3vFtMjilpRB31jtPTgzCeER5S/q9OdHrdrXojwMZ+WyN8Wxeqfb7l0YmcjOsAE3Nt+7ZLWqwvE1VT+VUkl6aDtLFCwxn8C4P+7aKAmfXI+93nM4RRuH7XzJBnKF3r/xjeIDtobxiJNQd/jK0j5GQjAaxmbA0vi5ztZSNHpd3AWLLkq852sK7pKcLTsvUWkYssFTmqpWc7Sby7+Yj2p6JweoQvb5Y5uhIrCZ0hGbDeqYfYOfycFgHu6gcTkix+wnV7FUoy2FXKS6ahrcnzPLSex+tu7N87UB7XzcMwrgikTmyZwKxQudl06vh83edeaVG3apEFftqXBpeLYRuXG467rPi3o2iecIbuh/CxhMkO1djnpfx/CExPCVeh4AzSxWSGqwrvF4gvO4lyrF0VO4Lyy0kJMp5uCF2qhpGGGhGz9YFR23jr3DZu1zkz7VRTmLxVe4O5fDcJoXc6372aUXjqI46aq15ws8xNfMUL6kbYJ/Ijf7zBc03106xHsMGk6YahpMQQNK8dmwr9z/4dBsVSSf9GvXhXPCfyJ/8HvgaPRBB811r6bHtV9/jNa6G5WJYSI0neUsAaqYqKVtvu
lvQedckT0LxbQJZq7pgGSFFOlzKhoZh2dbPF8csRkgDohg/KGxmyues5YcwsDwjQ9ZsjGFU8oKT+258oerS25/kNuKkyEVrafHbFVjn94/z9Kb3m+05oM3atGd5erif5UQfe3x1P5RaGvhgDi1f+9vZXRBlJw0FQl1QILLtfWcHVbb5jjKqtOLt8+Zl11e1VzZOfH9c3jDuNLizbW6a8/GhIQFGuRUP4rpxzHmfd711ktsuRBrww7pc9WfoQghSyh3H1eLYU/rIwqNUwJPsHLER+jcqu2roEo7t6U45FmfRFy/THdjKL5Ps3ZXjGwJ8F3TyzgEKnnqlT8xvWvYpwxYkobvVnM4+PMtDYLYBtnN1OMhBqZLUqgZxhu+vjR4fojVwoVKqSVM8BWWKf3FlkrD8nRVfhPcKwRYRqRlzqS7T/DoNsj6dWOBg7DFi2VatxlQJDsgNa02Lam7S9aCY37h+uDYXjawTXFpEqSqhRzLEELdTxUaXJrLcNrF6fhBtgX7wW7RKsPz+T/0wijMfyWZn9rkKCutn79Xvgc7KBDqsJApHMYmnMEG+t5iRlA1pBSCsfWeUD9ElLmR/N0ZGemurrKy30PYqNhuLgvM2fzXcwkmGXp2T9N0CUa/mgpQr+Wz716Tcy1jO5Z66K/DPagAtA0CKBN7yeP/L7A1T09FLMO2SD5vQ3bB7iVCRE1UCTu73wUgsgehBIgg9rv7osRRr/216cjkSiC954RoGzEGcchiROLhkaaU5artilxp7jNT8WSBW3AWL0s/OuXO2XyGUONnnTF3FG1j3kaLukZqAUXSCw9gxVI/NFuugZN+m3mjAOqAs6IiTQTWh8GplyChNijHRnJBZurY/AODzDKj6dLrKC6HjtuSfMT32IItu19GMCS47Uhgpgx1L6UOL4T5OnqjGEqEP9jiSmqdjRBFKcvvz7tvhAdfTkmBu+ZQ+hAtJxlgDMHyxkezx3xvRj9lGlYGqyBPshLhSjRZ468kO/RO3oiTXgizx88waoQiW5X0EBxHW1ELlC5blmv0eebbFy/C9iK5VwWfk+tCrW2iBJunePmqzC4zWkBFSCQAtG8+5zBFQZ0FQJ6weX/yYiKSzwYks25TH9ZIBYVTjY+RQp3Jc4fBUE6nnpNqeKmbjv7mw801bv39Si256T9MKf9I1pe8LMoXBI+BvRF5Dc0Z/RKb/eWiCH+P+IP67IvAwacQ/PfFuYUvh/fvw2Myek3uv1ggEcDE1N8sJXDTGVAoiwzaVbo0sAi7KGNGHevrC4Ne05P8ePUg3Oj+yvH8C8EhFLO0pUGQhQcztiDzKBGiDwUkookYaUn1H8qEkQ3EgfyBHMIgvLvNyR+u3dizvxGJ4S+KS8yosemtBeyLxKgMFrmXUssiwBqOgLAO0Iuh1jjbxedPnB8MvvioApG42OM9w7y+J4EFBL3LnjVK3aRB5Rg3GTYf+M1iq8+lKeyUJ+VEFSib/1U9ja4O6WIpPoTatVejWv1ql8QanNva5XJUMIq/MjbQajpgXARk5wJYgP13mnH6S9Xbp/Do/bkFIlaRCAdOP/H7N12JxeTlnPkpcfMRvuPiYgS5aUbQsEu0hT6RV2fD06QCuOsQ+LtU3EJVcCuz8l042OI4PhvbzqPZQiXoslJheZN9ZUi7T4fI+WBphrTiij+PF+ONO4mrrLec2+BiwQiJJSPdkfVwLmmh+xT46Sn4HmVBATvmYgVQPJxSrqLd43MYNZDlSDF9UCywbZBd1HxqLYw2MheAy6Z3rf3PL7HUEHQNEpJ45HOIe2nafeNndeNXFQ4usac7H6jqp3tVfWiwc/j0AeEPkTTmC8GFhrD6Zss5wP/4dNgrq3MEAw+HYJMoyi+aZPtFWLneKqp4Imy6cNgzM+6sxTG/Ky6GaJps7vz3oCWEA7adkC+6fHbs0M60KSToXl87+xQA==,iv:E2R6CnmzHHO9qOGFROaQc18jyiGXKFH9eDFtWoTRNbw=,tag:IKX
iF6hF+FcrLRsQ0ADdtg==,type:str] -atticd-smb-credentials: ENC[AES256_GCM,data:mj+49EsyWKfWPns+8iLmng6uPm9LjPdqyw7D0c6jipV1+FyYZblNCsh/IWZqwklIKnBm8Bb7Whreu7W4t0SdC2hyJfb9WBvrHm8ZSw==,iv:MFpPvXnmAlc3fnPihPlCQE2vZx5v1IHfI9N/AuXp2c0=,tag:hBUKKn9cu7FIC2W70mRjJQ==,type:str] -ocis-admin-password: ENC[AES256_GCM,data:dhrQI4ody6o9IowmlhKG91Ps1T7FQ4bVLLgR1WEuDubB1j//7myLIvaINQ3G9w==,iv:q8ywceZ5ky1O3TQVsx+oMHkIh2o/qYiR9EDvwTqq4PY=,tag:d1N8lq+rVAq2YsI7Ex3yrw==,type:str] -openclaw-mysql-password: ENC[AES256_GCM,data:flTJzVaCc0/KFdoC8F1drrl3xC99I7ZBfR2ARZoC3gJi2YZb2KthJuiRCQwvyg==,iv:PRBtD/xe2jEs9fA2mx2FpPctX5zZ/7ss5W0MlENOL3A=,tag:HToJLKPwo7Jd9eRYMwsapw==,type:str] -pushover-api-token: ENC[AES256_GCM,data:0EneqOqEQAx0UvN9oofUW7wShjzW9RsTBhkyqV9H,iv:/InwtiShoLifQMhkalUjESfiMMidWzYxXdtC2MtHnhY=,tag:j+/X1SbtRLs7yCl4jBn+mA==,type:str] -pushover-user-key: ENC[AES256_GCM,data:iGrwNi9aan36u4qC+/nodAtOg2gEkcWTd6asf7tw,iv:jVUKcU7F7t7aMtimoXPYtHqSyeOTVm7I6XegMNGtibw=,tag:O+1jFqcqMBe2pM2IS6Schw==,type:str] -sa-core-mailpw: ENC[AES256_GCM,data:YMZnEkAAPt1dp5CAZvs+/7jlPRTFKrfZSrnN,iv:W/sbU8FDcLiwTGRvdWtCwKxlZtxVuhtYm0XxhMzzFgg=,tag:OeNtMRzlYf3EniFoJrxzJA==,type:str] -zammad-db-password: ENC[AES256_GCM,data:e9KjHWlZBwaarUS24IvPropjBxxODEkxMVSfrOF3yCwS1Zjwb1Kus+42LHSaXT9PvHHepa3ov2lENBkEAEWfbQ==,iv:RGGm+P2ZldF+51zWZEaeyAypqFbIBwqL9OgXttXlNhA=,tag:Fp/tfeOEm/p/vN8779JaUg==,type:str] -zammad-key-base: ENC[AES256_GCM,data:9I4h5zdDQCvdmfEWiowqfoL5BY7GkPtW58JFO/J/xKKzlC7kVhmKQKaoK0uIcuuuNKbd2kZ0PGsM7x0f/Sk4rgH+nSXpriD7DbsfDF9Cmg/uz2bMgfWBJe5SCFNt5rx5/Cpt6buRjzOxndioNhqH3+K3z/KWr0HuWtpUC4sYXVQ=,iv:Fxl42oTd5lP9aJGgx74qfhNtELVY4UVnLszbIlv8XVQ=,tag:w2S2xYYVPJbHqfyTRWZu5w==,type:str] -updns-token: ENC[AES256_GCM,data:CsCoGIyHCdmzXeaRBsvFAdqmZPAX7U3A2H0ztFywyYU=,iv:tLRqZLqPB9RuxXrc/wcZ5W4nbubta/HEOJjU6wpCILs=,tag:8vv2O9GcPqORltZnlXZcgQ==,type:str] -wg_cloonar_key: 
ENC[AES256_GCM,data:kQS1G+2XQHzTPQmaZYlkmktVuhwDoPNjdM7yPRkL9bheqbRBaxrBIzFsrPI=,iv:rU4E/yDazQ43MBRaC8ZLkXo0gNf10PIGrjEYRfBpUZU=,tag:39MLYrGOC0eWrU3h3b3jag==,type:str] -piped-db-password: ENC[AES256_GCM,data:OLpltypEEFiUlunYD8KWavycPALJ4ADVorwMCZGXZw+vjO4G6+TDIWKFv58=,iv:QAbJEqgJjnVrKGuKybA9SNxq8D/Nuihcc6Rv8qf9kH0=,tag:NQ7W1qDJeRqe1VAU4h4kMQ==,type:str] -piped-http-auth: ENC[AES256_GCM,data:EO+MN0X62dNEbc4iPHNRQYvcvukTsMIdGKgk+WUNGpQxuupPjGvFOsJoJxjD,iv:cHYqo+iKHPUF5PzPpE0xEFPVbruLM0cfG5CFsnzkFOs=,tag:6f58D+xWsTlzsKd/guxmuw==,type:str] -fueltide-lego-credentials: ENC[AES256_GCM,data:dvZ0bn4cQXuNqemIOBOznK68V67KlUF9yKr+pMrB/9R97A3/HVpvBcW7l97IKaiXvxvU/5LbF14zKAAUGc2tycRlVy5yMSWUWNz904O4m3L2xw==,iv:2XTJ6pilUXm07EazAhQGX1yncqxcTCTmwWjJrwA2A6E=,tag:gzgdcA+l/6HQYKwBnV8D4Q==,type:str] -supabase-env: ENC[AES256_GCM,data:sK29tW/X5+89sKWd4eeq9yVoUXRco438Kc4Ph+r9RMUV3RZF33V2wrZqbCSICEGofhb0e1vOcinrpwCZPcdN0zHfSj0tTsB0lJU+wPozTbSCoA5W5UHPD7uqnXKh7w4nxZapaRTwJOTXJ0+qZWS6dvNQmVue/cq13DXtvTduQ4WyFZ9vapbHamr8ItE+EhRZ+LilppbIK0vOEjwv16tyR9VyUuEvhyx+sjxK7c5O6FDbWiDrGxYV3kKdD+DQLQG+j1GLk5WzSHY46fPOWM+2aK5+6CowdFnGzzmk5FQCythP7rkH4xAFcaVpBddzq0Bwp5A697yedXuhJQhR4D8Tom1/KGbOwHjIp0BQf5HksAndVB816IVh2ijmhznYguVoLXHNUnaJ+c7TIIbhhalvBMuBrSM4AahF+a1/yXFMQICFcbnmCJfPOExoiplCowqsqTU8uwm3QWEfB92vgVoA8vn+LmqlG7lVL41Lyu0HfQGsj/qLTf2K9kPae687xyKhHCbTbw5JP9O/btNoi2Y6qo7npSTympTb4YaIBkhTkynA4HWtFmH9pKkvMx3IUgBHh57EPs46aBCntHorhoBQl6d82XYW8TtdWKKh98LSxcUgj4qD0oV4vK4qd00cf4DjW7uTUGHsAw+Ti06EuWYY4XO5qhe11dKqMHsBO1zsHkhJX4dRiZrMca/3PniT0c+XmEQUCbLSR5m2hZ2R11v0DkADZ2s3cm2rHOFAH/Lm0VClOIqnvQ2hZ6jxzYlSPLTTu5H6OxI20allCaqTuuUlhkZGV5c4mAw7UmrrsJIcw3N7Ra53rJybxxAcr8lCFc1Xat+Ayfm9b1RaDyPwRsysn/msk6z9JKkiDWYCbunmJ3rNLTt4obUXax47E9lW5xY/Vh0Omd27eiOh6uGzBUxDdNEh8tb9vNs3EQe4cgx8ODYJ9t/+zFQUd3lL1zzNNUg06RcZQrAQPLOldsSjEsRzCne6HOydu0cL04s88mpERmUA8Mg5lmrS2D32yrxSRJ6Z7WlnyP1i/yQWy1x3aOP8wmtiqcSbscpYt8Gj71SXXyB07EgKUT5SDRIl4awaEGw6M8hcCA4b6rTdHnMcohXh+axik91zW1UI8xvjvbYO9faE+J1+SWn0UX84HIhrVUUDaCS/CJHQGKmcChKqSj+KRB+
XjXWwTdWM3V/fmcYQ85LMiAW/1XoNQLWNtp1uRY1YIpyMIvEVRk1nBwrPiP3gIt2HkD9Zr5NR3gvPDuBnpoPCzFUdiB2rg6TcCk7goEoTMMPhQ3dFug0VswAvFd7nlFVIAdaG4gzsUNFSbmGd/8IG1j6JOJY5baVgA4cYhZFn9Ox+dPJGRN5Ol6RraPr2K04zUfp679dv4Zg9mss+5cVrcNBlzzhWsuZN0Qa1K7czxKKgJQVfEC/cdLIoHPkOZKnBQGwcDGOD+bWRWVVbXpdnC/d1+VdWAD+hiZR4Kzcoe82BTtY2KbNoa+fVJCZM,iv:7pWYLa06a7lsM/fEGXMS5sSfKtbTKs9NCJ1bHe5+UPc=,tag:9mPaObLKBG2bSfNczB887w==,type:str] +borg-passphrase: ENC[AES256_GCM,data:tdqB4ipAqF+gRBYeukt9q4+o+8mec8lHQ17KV1u4rNWPxSgD+Px+aqPI5Qz8uNmIy467LlLfXOLsYMZNN0Z8Xw==,iv:8sBE3Ynz/Fk1Zt+gdDGoYh/udmdLSjtBQnWm9o1WR68=,tag:mmV5OE6uRNNIaW/UDB5QzQ==,type:str] +borg-ssh-key: ENC[AES256_GCM,data:1pz5NDNI3RpaVDPaQR5+nBZyKoZVeox5WZxu4FiRJ5zraDvA8IuS0PG+rib0J/FniXU9Lqxux8etvCmpnHp8jA2rGGrK9UCPIhhYixPu+XIEh0ilgGO6F/ory8D5jlLfjcpK9AlOToXXgPxraFUsr3xW712SQZ1fMMCl2Zh8z/qpduD7idr8nDYvIdVzGiWnwRaYLaoHCS+Tj56QdsIM+mMR4Gs4i/GLjaTS1AepKyCxnV4hDzjPnS0LpvKR5wEUwGbV4RUGWJVEsMScCo1CWy9VnZCmN587sOS2fqVQEMXh7PCVZ010X61ynUebd3MwAPRySdxpNZfQuqlidCVUPmsxpa39PbeHBFzXAVWkbiB6sRQsMo0k43JP+qvQDUAhNVVRvibhtExRM2J7ONolIdHOB6O1dieosnPCD0dUCj1bIimJHTkQy6bXxErQYDW/5DnMtY8mNJTVJh1V65+FIT4luKxRxJZzWZz/hcz43baTcA1ExditgaRDrdLySDiGs4BkD9i8wSvkdbmloOOe,iv:fDjsfXl9SXdS7pPOVP0cJ+DDUImJlTBsOTiwXTge6HU=,tag:avzEFeFEH2WZ4pNkYHiVrQ==,type:str] +vaultwarden-admin-token: ENC[AES256_GCM,data:sQ76TnXNSbrSU+Hf3axCG2v9bKXJ8jY135eKQ0D6wPTTAdl+L7Oi0VhubPcO9xuud5+DM1t3AIA9pETDkrMLew==,iv:IQLURBw82K5f+E+6VBTjWmNQbk1mNiYk0g+Qvn7KLEk=,tag:dTr5o8VEcwUbljE4uZiS9w==,type:str] +vaultwarden-ldap-password: ENC[AES256_GCM,data:hyu+YJJeZSWEGqfoEi9Il2mHGvDbzN1rJgib99jkVXx3FBI/cHh+3Pxc2QB7ipjB3Vtz4aHuiVEYMvwlaO+Ejw==,iv:tWiNkgFooz1KfGiB9M7QajirPem/z5YeDFNVVl1DMZo=,tag:pUuRCRJVfSWdt0btiuhq8w==,type:str] +vaultwarden-env: 
ENC[AES256_GCM,data:zE8PRD/2FQAgBPj5nxZHC7A4uC2c7lgBEHjmgeahexWI8tTiE5arpogTyArdRsWJ2ma7OqhngXbSR2FyiZVFX9yPbmNHSrr3+RnX+RzvlcuvcA5GLA+QMZr9aDUN9+IvlY6L4sQupvqYBLiMjy51oWywe8QundxYnt8UW31haVjuCtANiSQBxOWAFikIaSwCTFXb9taKUqviZ+WBacMJx16GhnXBMtBegQ0/VQtXLEKaZ00PDVhZ8xf9thoMaKdJdZookBWZw6Er3A863vuTJqQxPC6Jw+6A0+myLtNgHBn94lUWUmh6cipfwaFWGQAvmCf8B2Fzgw==,iv:2EWG/4G/+L3IZSMOeK/7hT30jexXDccvz0uu7Galtx4=,tag:m59TE0Hufjv7x9MZaZxyAw==,type:str] +authelia-jwt-secret: ENC[AES256_GCM,data:kbLosJfjNJYxpP+nOF4pOoJMguJdlNy0YFpFebUuh/gJLwBaJdGAtkOrnYxn+tD7Vy5jAjSrla91x0q4zGqaMw==,iv:byILGt+YZZKZq4S1hl91RKV2F4LM8d0XIM3NptPADl4=,tag:qURHQGytgJZOwJEmX+52mg==,type:str] +authelia-backend-ldap-password: ENC[AES256_GCM,data:8Y+tjUIfDJDBdwiZbQojXDvT15F8PQmdGiXvukCjbAFBzzHWb4uzHzfpRhSlP6l7pPEScoAktF0xmh1+8Pczgw==,iv:21oQPsiVuaXrxInwO0muPQ76KoeHrnv61qNBKydoVD4=,tag:aJH+jIGAe70hjvQe5a+wXw==,type:str] +authelia-storage-encryption-key: ENC[AES256_GCM,data:wbo27JJ0GOE9rqWb4DhDmETusk2ApaTpoEd62CtvnrcY0OpTl8CrbkUrtKXImO5ZU9L1j1YjHOslVdJbQPeAvA==,iv:TYqE1yrT3L1odhmxE3f50FRxD2O8257XOij7ZA3wMbY=,tag:RFzNTTGyTbb0Kmz9ACqW5w==,type:str] +authelia-session-secret: ENC[AES256_GCM,data:qxvO9q94MJvRxS+ymf4XT4yU5U6rLpid+6n+3gBIWFEB/wokKVuwqhCmvcF1Euz8rVjQ0ypgGMjRQVBXvmmhhA==,iv:zKPtNJUBzZLFB3DnRV0n+9YBN+PNVHZdQhCC9k1G38Y=,tag:b4WPiqwzFvHIzVb5azv2Vw==,type:str] +authelia-identity-providers-oidc-hmac-secret: ENC[AES256_GCM,data:0ilRneTzMbESwiU4irhYGVkYCrzZFoNzAcsUSFueofI3UIav194OV2+Ut2QWAUZIJM7EBxw30HhykrfcPg5Ehtxwva+/cN/Am9JJjvTwuyPDEkW2/l7wubyhW5tEPulQgokdh91YsSLXWuHc9zgSlMdbKonulGo5dr4P1wfhJ6c=,iv:9BVVdB7/uSB4wyr4G/yXTngMmcqaJ/gm7bZBev3SSA0=,tag:kRkZgTCnQWDgzhUb28KNGw==,type:str] +authelia-identity-providers-oidc-issuer-certificate-chain: 
ENC[AES256_GCM,data:zskH55WXXCUVOZhfewPf1PRTkD1cZIZv0nRdHTepR5hPXAWcClRdi6jytnlpWGL8xaJQ/Sc8/dKe7r919ejlP74YPkscPqPuL7fNh54/AlDKmkFPblUE66aZcF9kJaawPb//QcdNOgwQzCUihlcR3Isctt8qnjRdleprvqQAmpmQfQltgdGVlWwZbzy8QzhuF83BsEC9rdJvgZzBNkA05F6CGu0JeVw/YqV8ZrO5snEQAebNFY/n8mygdMB0bh3RlrFtDcqB5VGwa1lCZpEIlbZz70v5Sdwpv150ns9zP2YHgRDcK91k/4BI1IEmHpDjXp1zQmoktJzjcpUH/AS1gZ4AAuuXeH9cCGepCf8Yzc2jKqVGq1nMiQTKUAKfct1RkV5r2OQgjlrDwPy7FyBdeoJB1IEzsfjaS+/N4k4dY4V3vWJZkkREvAzoNnHj3lg/YomQ+G8tCzX3X2Qpv09NtEjPPTWyHgl0xuO+V89HpcdEkh7m/zG8ByTPSzsWWcdiLXmONZt4E7xvDa3kY/TtJzoXQ+UfnuNyzz6/E96VpJj3tndudV6FAw1Pw3lWkYzO6Xm1mMx30UvbkIBszzLCfSJYkeEna+Sc3goDWUIVB7f2Dd+16ThJRnYso8xO1DEvvnPB8lvb67HbY32EL9fy4bMazMAmRa376LCXHwHZ4m1m1rE+mDxk1sB3Lau4OWp10aIIK2GDOw7Z6BmvsLT36v7iueP/iTJB6KFaHmHClMM1fGktjTxCrvNbl0v2nPsf5HL1GnUK3O02q/z0Ok6CQMTtYSghC5Sx5I4r21BjJkgleKl+Zo7gQWVkuSsG+09n22RDlOR2yHTnVPzzHiylykBfI9B01D+feAwzM6Om+WPLCkL09qg/oYBI4HF9IXTlSJ9nMzzDnLzlyIavmAVSvWarqdPE5ygnQiLQY98XbQAYOnvxzU9WRiq9aGWSGxqQUgvJGeoQ9YBwXuz8JOEXS6Ajl1SCX2nWhH5dK+JxsTVd6HEhk31mkJ2TB31ZaK+QGnZoBwyhFg==,iv:c4FHCn5W4qKLKdf/7ukTVw9HW6KiYPde1I61gWSBED4=,tag:FH/B2CkcOQoXjqpiA5Z+Jw==,type:str] +authelia-identity-providers-oidc-issuer-private-key: 
ENC[AES256_GCM,data:llHU0zfpzFFLMkIjgRBMqqSNcNYcvnBf+F5KWTfOLtj+b/a26Xj4CzzR+crTiyHN5G/DrjPrrOGd4EDM3GIMYs68WUg92kmjks0G6HhvWSQKvl+rASHibPhcIYTPFea08PzTX8JV0IzQR9G2wx9rkLjddRQns0A/UeEmULvVxADI+EZuQP1dAit596NVGxcKcz61lQwP4aKTGpTGk8dr9x4AXqGKGZl4p7sUOmJwT/Rtm1OKm/L2Dq/gbrxX6Ay12diT2Sdy7DaWotygqBnhOgByfKs3BoWdgq85OVmficntrviWdy+fUDXxpkiUrs62ZMDPFCxsmphV2YfTLur0UFMrgkMaRIKN34XRlIRwe6y1G9eNtvZq1yPSvabgX2Va/ex04SXLHuoFpqInHmX802fXLJM2dr9stN+QTlncuzr5reJNUuEwGmOclnufxm1zMIipzvKghTW3CQNYC7HWZLijklj2vXdMNPH+wauiCYBvrWmN6XUoPRj2+U57pgWBzzuSgHebnUTyULI9aYiumGXcI4KCD3jKZLht3za651mYMiepPdj9Ha7Fy6X6uSh7otZn7Z+OyGvuMBBx405eBYzR6jBAsYaNHecgOrR7bsDxO6mki9ZzXPGUgVlgUKWyWg9q5evSX79Fek5LDQ29nRjrMefDXpF2XXXReA7DFv8krN/Bpgm5RvyZn9BrAU2bsd8i6L0rIELhFmwx/rNMIsVJSCLsuxqgXglx+hSq7sXiRnF0Ipmrd499jxgUjupjgZTbWbb6fGdUkjH7iPdaoPkEJ1jLZJeE3ADyR1uj2McyZOMRM/rIu5Er1YiPMReJg7XZzQPHSl3UFD1v1hRFvMBtLKLYcjTu/rFdJV72ItxSkFohXeVDZZUHJzrpKPwSf3R8BxJyEfRD5Ph/yszT6HzbYesh5X46F99KC6cvJ84EPvQPf/xnzRxX42c48wG2DxVaoGygtpfi+FhGo2o1imMiRZYMHWbqPRrOJejpMV/C+BtN+I6SPP9+phmqwH3G958tk2ZSPhdm+ug3VWv2mAKfcPeb8G7E683TXYnsWWexkbyZxS0UU3maZyLnUnG+1AA49Sd7d+DTpvkwQP7kiRdybnxBKgD+JcwXmSrmoz2PFWHZaDuA1UFZV3aoZWuV6Q/2xgdziaCRhs9H2TeibeOEsu4S4UTFG6+/pDS3kJslkYMLCSLN7flBixDj9U4SIz6IPwjmVxC6JL4SJxGgXSPEICuxyMDGT/yLuZGqHQiElyNgUXjVu9dN79l2KNu/Le7NQYFgQvL0QFL/uw1ht+iUhmBUM8bSEZ29iHtC0speouYAnNTyx0Y6eYUDosBa0zS/+6UhiZr6zVGDg/b6CLZparkL2zdOFOvOQgwh/Q6ogPG6TekOds6GMY9rz0i6PJRWzorlFp3o9myKduyieip9UVnm5pFMuCxNGyJR+6xmbEESlioq5TMKtP4F1sxNEfWG7Wh1wtEmWWKe4QRJs5lej8Pwm8rx2o2ngA3ZXHjpl96h4j3haArIxpXZvT9YeU6ESm0Grv6NAt3M656B+i8RV6eNFYf6P3Vr9ydxagDMurGidgPncZZxT9TPk3EqJbOelYduNB1i/b7jBng3eW8NpU49uTJQB3xvREE4nQVSUdPvqUw4SSJpZhI+yxe1fdiJiFd5bGUYLFr2DMLvms67UczM+kvmaNvfvTmuD5COwv5rufuywtcNXv0lfzw2uZ/h0OgUOuvnUi4I410TaFLyobUsN+PP9+4z/VeQ7kKY31NpZwKAGJYYZiorUCg9CyD6ffcOGH5AcQU/7Vjdq5Qy8yiPE7BNJ7Dnw/NkWdC7YhsJjLLyHL8ssTurJGHD9cwYw3/Tjl3kA21B9FxJ01HH5xTOIY0aqlxdLCs62hW8nOeJz8TYprNZ3IQMjnHIfktxR5nf+HC5ghndGcEpwMOKJFSqmAURp+hepoqEATlgfDLLVk2WgMp/tilQ
b44jPhNtQgVIVJBzSHWKDgrePnU00QSNRZT9vyOZDJyzLrA/4WnJkLUgJoQUIuyW5HXAq5mlHO+HllCzt4jvqcC6XF/x/hK1/wiJ4IqRB3i5G/PuUwZfYd7Sc+3RtCsMbzFkKOtzmLtyGF955E5ASuXRwecsgvuTYOmioxxtNFHiqc8r1OE5lleLgYClrK0aA2UKGzwXHuH4T13+ai53oW69/LyhaWlqvkknDH8j86WV+//ZptvElmYC8k+VSRJZb0BlSGgrlJ+P4vISa1f8Z5jMROrO06GUo0++TB4W2v0hd6Sl3ytyteLzS+CZQryTTdUZVFbsDZi1oumS9qg5NF8ZCA9u1iEj2PsHGkAng3zQqS3mmga98uL+EBkZYv/bfFgiMqrdOTBJ7KRjbqkHAA8o1BoULn2TV9ZVxqg1VRXIGYkAcxl5K14aopopGeA6kbxQ+oQ6J4tdOKsV6sUr80QWVw7HqlHgWSHlvjl7Yc/dp4mHrQxzDx0b6WVlmqTYEaT5xzSQs6NrFrX33W9BABYSTKVK1CVHj3A5Vv7pniojnsgJeezRysbdORknWTvzuX/o470aiUgBM9wjqWkrahkbqKqntm6E5Dl/JiImDJ0yXoxbwAzY2yDH1jLMFz0ZUvDw9pskZQPJeEsZY+GdOFsMCj4Ht841pgcwNq27jf6anFY76aw6OYl18qmPhpBhLsPc6LpWoMFTQYooasOSwkzsNU+yJvGX6RpV7CoC4jl5sEwzwX3BlnxAlVz1fLU7ENxqPW/l4d/ct1jNMIW2RJYJvl2jTH2LsHRfMM4dcKoq0QTktr41Tgw3f4GNI0qzhnY4W7YeNgiMrEP9WAczdxSPNWYSlYUc0eHvWl1bUFwvANOD2jna3IuLD/8qqTD2fWKfppowLETx6T4hwqnIi7e3CBvlW8gJapnd9/OERcTSFl4Msb0cnAlwPU7PK+rtltrERlQFP96eZWwFwE2l4COUoqbN6fAXO+evLU8s15Lpzr/RSOU5BspZgq9eN7PUHCGg+jXeH3avPxgLGK/SuS0njiM+4t513+SS9TLESQD7BR1tFb/BBtDMsGZoRdCWrnELa0stFukFuYcIgXXXzr0ufznK+HETPkdNDXw5yIBxl/nPSpeVonKNSTo3p3QNZRLhOJcLK944Q633ue6ijyNCOZvWEPzAdqAPE5JiZyJkfgZsBHZ5xJZSwERTZ1q2VgrYcOLfJQg/BigO76kJN/LKjlg3fvZPIv2ls2DPWSK1xA1DKh6jeb2DdRy2rRII90RbqyiUSkbcJu56SLPNJseC1Je3jB7zQE5AhJb13hlibIxy15fz4xFy/BMxR/yHAJM+yRRPoKAw4v3/CDiUsJAbIfIlGlZk11cce3aTJrMyMOglpeLqRgMNRPLkOzpVXt0rD1Sd5802DWT7G5RZmTt/PhSwsNE7TzBoG0Rg+F+pLS0V2zClNiAKN4st/DPS0tx43+a+0HicbXKdEdprIdyk+3nmhOBlDZXh0Tw0dxcANVaUYiaudL8Bi6GyYqjGf4Na7B41HdGQJEugoIzuciHlznc/PysXMPE9XLort6gdYYT32LXX2LHVtzYn/HvuKmDXg3Up6LNPUhQcj0akhOifYxRvDVDCTJ9IK9KTTI5vF9O7sIoqzn8CsM2FzfM5x+EE8/ae7b/xWsxkscCc34yjpDCJF5ur46W6y8zbJyCGaEqTjtkQBzwND2++5B2dghtW6ClCtjYV7Gf3vUq+7lQYmnxj41IG3ad8GTEUYBgIfpoz3gS8mVO1phDyfjeKYaWDtuVl1bC8nKOvuPnAX2Gpb9MABrE0onYpt4wcMtTgtlugcUNWzmrxXikuZlinQSWVLX8EzdF2r86auvw+wHX1EqeIMdJ283F3HAhNkFAfeTR/a64JWue8c4v1Ak0Tn5s84OTJ7wJKeShR6XEBuzCZ9Bbyobr3RmNOKtd11Ph32Imnq7/YaCyZ0iCiuTW+1orynDBZY/8H0jNF
UIACxF/Qp7uTIA7E7nXRnzzHEmk7PeTnrMDcAKom6MEEWzQdkbDdqVrvqtw2WBsUAaXLdmw5O/UNiXBLcN/TxMtViJzmbPOA9+l+Vxy4UIctB0Fi05bU4PeFULioY1a0EccElFgTsMNhw0B/qnkOuJUs6scK42GojkPjZn09mxEByL/gUZw/6gxF+nUVA4YyvDkPVYgSNe54pMJ19OtbD91aMv63UbLJfMdcHabXFHPeByzEanl9IWzxOSRDpT1ga3vRo+WohSvUNbXmOuswh+qz6qRHlJM5SRwHj3AsXevxKiIuBPgeiV6rjTTmol9ezr0tDCLumxi8uLnJYkrBbjrG,iv:6sZT9L4js0G3Gqb6zoFhAEOxjjPK6klZElHVdpJ83uo=,tag:UBAhUBMwlQ3tNCiWlzzP7g==,type:str] +gitea-ssh-key: ENC[AES256_GCM,data:8iBhuTg4GLslB+6nXh1RRWLIFsFOpcW/vvGltsXpG7Sz8Bmau1i2IAJM03AauSm6PeTHVpIqVbX+VnHGs4SO1Ld1D+2n57RrA8PVvSRyNo34Z1nwA9Zk4Y2GVEYAyFIJhFv3aUFL2YX7Y2yr01kiNp+YR8nBxNwSuIKUgIL+vFyTfLp56c0zKeAKD3B1krMPnfD/Jw+cfgQFmAZoKAOddB+P2QilPN31813Cdg++lXYm837Uu7IhlHNdXWycpF4tw+QMaIML+FS1Q2KbmhfuaUIqgK1EZ30VZMsUlclRy9PegKo2veaAdhQhizW0+0sixVYIrsAzhy7oaeMg/iHGv2MGCFogT0bSbV1bNM2+D1O1IVyHA1Hc2OdEBC2OPyBf8938VRJUf/1kFYcTf/RQR5hhcz0kZq7sQW+FcFdyljhpUPdggluryj7WeR4yjbyDYCVIQf5FMu3Yz04UM14Jh5Wegd0CHEYNOmh0Es12pgzUC/l2oo5vxdwcMGOIPrUkqm4V7u1psrlDb+nrPhOx,iv:Mk5+HEUUe+h4XeMpVhzV3+ntTESD+S/Z7iOc2vpkIJ8=,tag:87HTy4/rzuvjYUBy7vowZg==,type:str] +grafana-ldap-password: ENC[AES256_GCM,data:OqqdEMpq8/GvnBncfbp5ZZZKgpWtWYAqvxlkaQHdssP34bUhMYHhclr7vp6vb6WQedlnxdfhAIsCUysGQW3YWSOb1+e5Z6igPpasyTWhrDPRsGgpkSRrkg1gTjQAY9MGp1r6a1zRsij3VCS8mImhqiXDusnrkVJOx1riilJ/74s=,iv:EgWzKPailuyx+ciXMzu4KLo6W+QMHxTbABhZHJbQ6+U=,tag:ezW3fvitEoM9yN0EqwThkw==,type:str] +grafana-admin-password: ENC[AES256_GCM,data:FPT69Bd1GhaLzJfT4SkljkcaVDB/joi9F2hsostVjNdWxAg4iqnMN6bPYeyvaQN6tELsn797wO/nIr2LrZLordX108La9i5Y3JOaKc52nGPmTytcFjg6I2K1lWl/V1nQP4WqDXpJstD+AHUUbo378IybhWPUmqNWkg8+xH78KG0=,iv:n6Uu0SDEta5ZoEc/Mf31VGSviRntUBvIz0QE8A9nvHU=,tag:/lZZUrOs6Q6AtnR+fsXwXQ==,type:str] +grafana-oauth-secret: ENC[AES256_GCM,data:GDrAi5y1+bwA7kpg04M3xxL1GDZUGfkSnWipLaZG0xPT5sJKlzizZznHuKVvnKuv/+RhvrqOoOlkqJU1S8cnGWE7ZBesMIDV,iv:dNkhDjitrZQIN2yxtr4BemNwJOvXhvxMFNznJzakZhU=,tag:zt+gNH6w4IPwAyYmhqlilQ==,type:str] +linuxbind-password: 
ENC[AES256_GCM,data:FYYID2pX4j+p2wGvA8C/d9pI2HjflIorHttsjqNpsqfIskCt8uuYVgxxT1KE3eFJZ44TwbO/Bn9m3sqd4Afcig==,iv:JhsbAhqWV2H/SYmDEMWj2gotJ0pMQU/XJmAYkW3TlxI=,tag:JbeH7JOUZ/+OPa6aKgtWBw==,type:str] +sssd-environment: ENC[AES256_GCM,data:jTli4rpUIJfvlkyTAlLxbSNnkGnRt61Jh7geUPY5YGUVLWOeqZWmIcUHNuxiSTHzkEbUUffYdzf/WcTAM3ASt7rC3+r+iEZyQtiVseCUfNOZmYkyVtvxiC/uIw==,iv:Zn0Iski8AmowJxY21xhuMvDEre1wQyEJWoc4qFbB+xo=,tag:QKzamd1wLNw2QXDqFl4+Yw==,type:str] +promtail-nginx-password: ENC[AES256_GCM,data:Gr9pkbRWoOtWhIe0k8jKQT7JxiApy0qPEB9AtPNuhFivixk11S98J23Go4Y7ewSKd+Uh9neOVil+mg==,iv:MK/53+xLWShQAnru94Q8GWOlUn8gNFoR/ai3ULadK/0=,tag:J+Peq/Fx4NERC4jYh71rhw==,type:str] +victoria-nginx-password: ENC[AES256_GCM,data:GrZlgcVuzSO/+FwZoewBEgnBrMmd0gfGn7MvlnTsiVPJVsg73XfyrABhrKhuBvaxET0G3dU=,iv:HJ2vyM3bL0lnIRxSBW/mooEfof74GXgvwlrRvrZGIRQ=,tag:wOwIKy1D2j/mEA/yMHQ1hA==,type:str] +nextcloud-adminpass: ENC[AES256_GCM,data:7SOBoH4Gd0SubsNuUQ5T0EDRhjiZU2ZmDa8cM6WSeU6KFNOdKq6I5nLtr/k0Cmds4XItj+ikDG7c/0AfoD0XiIyF6zvVn1/ObTQmALHXzAoKZlPJAKy+zrYJR2fpwuOLcZ6hwkwlTSJ2LPASPM2XOveXlXp9iemHNybe3yUlxk0=,iv:JNit7fGK7iumZDySI27jFFsJwSlQ37zwOJkPozRbuZY=,tag:qHzf8sl2N3qzvuc/h4X7Zw==,type:str] +nextcloud-secrets: ENC[AES256_GCM,data:huaByUaJp7lzhlLxklMd9L68+L/zUrcButs/B3RIROreJEGIfL5HoTernA41q/ILrnN+VdxqnmhWFfWBAH9jIdMvzaX2W7+OVaqVobKGptcS4OEA3Ae8hQqYWUyHNQ9wb9OsKqbUOqNurfacaw==,iv:HflKiZO+LwQvkoGgacJOOyH8nDxOAlbZgBjkMnsLgy4=,tag:9Rj8s4i28n5XUBPgiVBf3w==,type:str] +nextcloud-smb-credentials: ENC[AES256_GCM,data:Uh4Q0Xn0vlqn4MdQ2aDxRmqXHlRvJJErfp2FV8k/kGckU6XMfdywYLgzzHemddVR,iv:BVh3nMUvC1lntcdMd9ehGIm1WNHOle7CoMlnfqhj3n4=,tag:Ue3igBcj3rUw8eKPuhUnwg==,type:str] +atticd: 
ENC[AES256_GCM,data:6f0ah0jtMd2VGKhRavP2h104hP7A3uI4by9VX6BQaZO5T7E5MurADnu2pVSM4MMRv5n5gK0wxWoDbXvAvQRfK36Fm68FsMoPQYLeS2V0glLUU3OcmH1LcMdl5xs0xS+Ljl/CSQ8EHcFL7N2RJ2E3Br36+rtAXx0EhB6Ff67AY/FNbeJCFeYvvPFj6Bljn5A6WARR89+Omete4c014bLZWcJFU1Pv36uKEKmdyreSL5Dl/WdXghzQypwDmxXv6NAfXwMDxFesBgwVoHyF5rYebjDegmRt3KkzWvdijk5cTiW3UchcZn4fWILyFOoVnzooPvV9Ktp80RkX36B1H97xgF6BVpWUZXjMwaxdkQD3B99Gqi8zqlj2n8bqWTkcX/04M66REdxeC/Z8t0PS5WkbpxVFJecZXGr0WQmBygxeJOjRt+atBmqp/zH6KnMg/yv5VlQ+yJmtGXDJKWfduHaE2tKrTkplXMWf7Dv+jZ0b7+XlCdVgw62IA/KIEteEYPVd2yITMEworFGYEXhU3GzLamyaUMzmCufiYY8WZD38oHMEoYxd8HBSPgUgQWkd7ajyJmRerDqIEi9RtOnhYGz8x1V+MR7p0fI9GXE+8rIDDK1qOXyWHoAVk2f0EkLcBEskefjDZ5WH0KA37XWGhdxBJSX3GeksYhvmlzMdiFKBT7JbR83wXeuT3PKFhQej+a/tsh3lH5BTlUOqvToqCrmjLcvjDBWxcIL++/6lWXsU5etSjDcJ1+AD6PLrAFJvi6FAtewCTs+AjhMd7EVWCWzJe+3z+SXN7U3j2+tnMwqR/KjaM99E7XL91GUvAe45koAO6RtWFIXzk+vzM3nUOR7GZmkLjizNcmlK7u0Kt6bab0fpl9QoBGwcHofN67R8gYchVz1Km65UCtlI/761tA3MuViBDCWmYGk2NzQVF/ZOXdJSVm21RT0ZUIGg5T3aEcqdO30hz22cmulfuxorq0mSCk0wZ332VHQ/wfRt9SchNIJ4lOmRRE/IycFCCnL4cT4gL4PuftIjnRxXtIJPohX2e8AUEg3c2P5OjV+5yUdOWQqeT2i+CNAh4Z/T6f+vSFskvuY3O4F2yKFLChcnJrLoCoGhD5DMZfMnmxPCGDy6i7U2trwd+m8v2p2CuYE5tQb3kNaH90S5w3vVc+xDdezaTV88lC3BCDNUZKrIqFVuwU+hNkY8+Nz4I/pVIGU68/BwgcD2JgS7Xc/PM1dxU/DzaO4SEfd1CZU3MorsUqy6kXVE/B10h+7L3f/tIxRQzDeYAsZ5sr6LD62ETp6o9tzlZfR6XeYikv4wxo+FZs4ZCMfUWjtszSXf5t8vFPVn0E9tg9DULgWuSogUJ234hbk/+x/RS3QbBnIdrCMCucw9i6jUVy9C4+Qy8Pn0KTrs0VL6Qi7WPWN5ik9QgnSUgcyfHOrJVYhG/8A8C6Xgmu+4HbOGiZ+VKBxIBfp9eQe4YKkPfZih7XcuCExWSrLKeF+nYqITZnxpu8lRxBXq3iCf5FfJ7lhPhZFIBFMEgA80JHcpXCpDQcnaRWRA7ti+M+V29WTH95y3o14k+IYsvi6+0DlRfqkgCYY4C5uYXcDka5G8+JWtzHF1VBa7ZNubVP3FM18q7VMoqjud1ywKg0TB4mXk0RYIWGkD0QRUjxmPy2kEKPEOox+iwHCqQ3+RefCbN4rncwoaI6TG96DotBKG/JO2kXrCZYp2A710HkeKKmy8K8huHGUtxA8bGvc2TAgmx58A0W6k8zItHk+PUu+qQ6ivjyRuhbzRw+2LlbzK4wDQSaP3Bbg7GvNqY8v3TvTFcFPrKLzgkXgmfCdMGl9Aeh8lTxF+wTfpz7boYNxxUItx6qyw6VDJnctV1wEhXJmW0ahPmRo50FMtuUa5HyOyxlPLHblKlDRB++u+6Oy5I820D79JDc4Qz8gXiomjdBP58mNPrS7GMhOprtLs7YwaUCDnS3haLY96zY0QMK0j
YK7w/LT3m1kLYRGCuB2ddvwF3mfJ2WQPuJ9EVyXv16MPIqLku+qqwjisYQXYBx26jbDhP7WHP2FPewu48G1MKtO9UNo6hY1hCA499y+6IhPdeC1dzgd52noH2lPTZih3X0RKGioXYEa4ssrgyu5pCGyC/qvt9DWfST4au9ilLqfBjGYT+mUbZg/ZyKFw7qbihd8WXvrZp+SsIM1G20uflKsZVi93IpDxZ5/5qgA/czzRcselUQ9bOnwBJNTHc7lCQQ8Ds/7LsLVSxkwc5PyS213d0GGyoSAxMvgUcVrmlMs8W10+dOdAfiO+Z786CMaRkKi1D/WTuhAf9i87FG5kfYdieRUxOHob9zTh7/DP4H6ybsnMDr2MEU+RHbx275Z3KXHHxayrXxodc/2FZ78AMKobxU5gBvb6mP3xdsHPbLZdor55r3I5YQpZGZFThxi0ZZMxAafVejPpeUhHqUr0jNxrMigypGmpMv7cOyDr9bPrpFgitBzOBJdi7M05XaZoFpmr5dl5hg4S/jTPn7MxihbwsRb0XTbuIbZf5BTzwAZHTXNhWW+J+jpt7Oe2HGSCAAbL6BBlX0gzAdVe8f29FK3uRUIyxUKkEcfvsE9Wp1WYzP98Utc7thrWCWDxKcxr+ES4AY+cZmJ6JHIyXixjIaBxWMc9HBtwaz+OreJ01/PkY1fPruUhQmGOxxwwa9Jnh0/DcSNsRVUyl5zLdyoP1yqgJM8XN4QRzLILCJf3MYAsyyEoqFEO1PYjVKgSRS7N5JMJB6SJ9x9u31x4fwrosCpuS746OzCGOj0LFMA+bkiypkiK87WlXzDvbA1VST+MESzhFqBthUmY0Bd15A6rwpbjPooEjLcQfdExjqpymNBDXfI7wAcsNgF+AdES7/dZKqXNUo29X95VnQD6uOfEsL8dkzTv2TCgj+iEKnHYi1DKPxwlgtTrs9zjYMh+vAHzK7FVM8jKRDOzLt7MIggrhFmnspIofrIFeZJjTIvXwIDRDY3JjToO8B5JEJ7WTgY00DL0catmT5BC8fNg0m7XP1Z+HVKR1lPKNXHO+5S6bAQ5mtgCDykpWDM8GDNH5d+hrK6F3JZBdXKD0P9ZSKjs8lTbvztNzphija0hDpzVdgwXSPL0n3ZgwJoQWQ+rGvA3P0iAa9ZCi2DEnZw9v6wTGnX9s8zOqBB/G6pw+PKfI4SVN4iySp5EJSvDc0qOdYL45321yTOObY5EL1gOmnOZKXNuFyDpBY1QJvkWx6bcE64HqhppDsVg9JFbkMIO3q7XT0V2paw8VHK21x4+TwUwdBSwioZDHieshAR/JHWF6N0Zp89weclBQYQ/bcVw2/8CovNgsb1UsXF2+XdY1s51sP/rM688YIAN4VoavKz8w9fz39QgNy1HGys1I7llW8wlmBxK6ZZKdZGo1gnL7uXhRUXBUXlsdMP1RL7oBTV6gdd3H+GDcqo5ms+hnRP1dv09+fk+a3ny+HX78pLmPShPgrfHrHNsyVdHgkpVW5DtyQeZ+MH0vh9/liPE3Kx1UdZ9oikCT174p+Y4U16iFWW1iZa8Kbzl7jfpg/OFYdk+zxXmmloWHI6c1Y1dN4mteKoWUtpxOxBdcDk7K3Hh5zujm7nJzzAnxYCf2+RJdFxjIUyujw/s9SfOayhACsLsoenzmDJjI4Ds6JMBKcw2kCSmGMvxCsosW3GBE7q1OVWfLfRHwwp3lX7scRefJj89NJLy652e6lBAXL4NVqrg4uGD1OhVQ0WkR0arhM3n3MC7wwQ2l0NndzvMGtsESs0OY4tYqlwGyiqAI36Y2yXt32sk0knv5Oh0Hsegjrh1oj0bzw2wyqGMOh9WWoV+MOd7NZO9pqYFR4hDujrqhZpIsUgi+8I5vy4Ni4t8f5IH7FCV/T9ndzjkYiB5a+Xbt8Du/+0RkRvghi9VgOoTlC75d7rnVHC0s4Zyq3Q14+ylU25+BSFxODda2dXZLmHWi5ozwE+4jGVOfK3JjXC61nAN
PbbYKnOUx/B6j5T1F7if/NMXlYiIHhi13+09X1VLnsH33ysRUdmbPPTy9dvlAybkVlGN7Volbr4S5MpOg2UEEIQxij9G77MXoEWza2lzpoiFlKYjy/09nazmYl9oeWYlbKUZmJ7FCkhCsqLUkD1uD2wH3rkD0gGDNNxZKh4s2vNeP6okJYwqGhNuHlB1W0zlL2aqrF2uqcGP6eysgkcn+e+b1KhQEWOW6caeI8EI6zWom9uwiy9E95g+IFEoIgbHXFdTUFbnZmbzQSQr+5ViSMUmn12rdAuDKBw+P9MAyoYeDlMT4a4Lx1RlWELi8Rk6SgS0eIErVgreGBy9/2Rtf26DI/7WXq8e1toDy301efe6x4o5y8Am1rf1+dNl+bu4ik2vbL14B/VTzptpsl/Gas7SHMOG64xyhmpvonVFIfWl2pVaBthwNSXTO6ySdg3dGyO+sCg3rhZklA20Snwjyyns5B62PMitii2hzoDV44q1u27KZGSrJmeHLRq8MdAHwrZAiyjmDsWm5rViavW/27P6PJY9Z2+sjMfON/mkG4Zh1uQ7X2zLy1DcAIb2YL/AaWmPNAHqkX4CVBI8hTLNemmrfGLyvfk1bBRON70nC71xmv//rczdLt9qsXNlnQBfNFsZ5naEu+hL2NWpl4WTEhePs5qqaVK/cJJHizBA4qyOWsdLz7JujW9XVHovNv/pMOSbcx1BUg0Trb8r4hp2qSYAsLLV8rwS5mxtYE1tr/tk0uaWDB27JkJsMoGqIEgjkR39PSReYYwH3VFQa2qYLRqo+od9+kO7ImG+fqb0iZdAscQPvqIaI4rzOnM4IpYGGz51rPjUutMi48Ag0uonBCr0cfd6AnhudSHiqzlASuzSfr/M47VxLNxDXo/ymQJhUkI4+09IDJy1YpXDnHqiRhQPds7J/9fbzOk4CUbpSK+t8VIUeLStbt1rGDSWrEHzXCcbyHdlC6ZHSWIp/fb4DGI867gFeZfYQe8dxQCCwMDtgw728o9pnfNHVjCf5m+ndP6JcB4GJNgbBmvY74gnoEa5XPMz8AYXjNUii3jXE7a0Xhq5emTROlgj+HuuajVzZFjH+fVYSTPNJplN6CXJmcg3MXoCsYWcvzKXujc7AYJ5t8beaucZVM7s2V3NWL4uhBkBIwAybeoXYf/Tq0VDuNrPgG/rt0nzOIJsCVDzWIxJKOaomDdcgpMWxz98aNpFfx9DCUE9a20YPBzoII6BzfumOhvdLzWtMf16SrUfdR+jjuR3Db0EAI7/qHF6IdPXVKjyDt1smJOSCmIr9JhzyK3OK7+4GfpT2o/tKhpqcmQ2IE0LUiej+MRWR33jS1rMsbSiU5uIkxL6xQa6VBJtrU9BvtUTuHz2DmL37mI3ofuOS32w3NlR+z7ZJ1KaAtWDYLHEn6DArj4Gpyb6liXdb5XPOXIkM7CC1rNNParnbr3pVxBYuLFfRKDAv5IBXzRp8ktoMXhaW6JStmLL/hzC7GgML1Irt8s85fjjxDe+NPpdVyk0/82Nr940jtvdWyRACpqoBHLN4OYzx/YCKhL9VB5q9PzM2q8FIQvtfCyUf6IFxupvmra+QVXq278vhuruA+TdXkg0ndjfLU2/gWP1uJmrNWsB5I81l+/RRnxO7xl40NE1A1I1vDvewngjg10QVJU7KWkUu8nmMPiZb3Xy0XMhlArfueXgeiB9S+oeX/2yP5GEvd9MbeBaTx4V0MELpFOy6YZSfIdBFjJCTZSzeE0hvqNoMTrGxqlXlLTQa+yZKnGM/FVvhsm4PFGdgshGt/zNVzZuiql24N3gWCQSSlitdDQNOhbj4tVE91+djwcpWunaAmPizr8YQjJdYWQT3Z/nXM+WXdVNvaZ8Tb459X5t1YoOYzyp/evtbIUOVmTP8RjJm+flnx+u48RYevGaZyRwT5B/ba7u1QCyPrM/7g==,iv:l1jz+NiqmD8xrrIZ1F30u2hGzU0Z/zccLYB9VN9ZFaU=,tag:q6v
dceAjnvEYbQYggOh4zQ==,type:str] +atticd-smb-credentials: ENC[AES256_GCM,data:U4JHFUIB6s/5igOWWv4NQYNr5sNCv1zUHLiHl62vb47mf34ZtX/YKtlip7fewtKYfifmkIuegRVPf2tz4S3O/3F6CpALLIzY2LYB+g==,iv:N1PezIom3Jqctkh0ZNuI0XfExUxTYX6hm03+r+MrTOk=,tag:cR2bPpaN6pLFvIcR+kCV1w==,type:str] +ocis-admin-password: ENC[AES256_GCM,data:44qcM8qMUGaGlnffoILF2wC0wpYFNyqml+t+o59TfM0I1tBRya1ID1yL/rd4aQ==,iv:/44TQUkpT009MqXp+o+Cl7GbC4FDftlt9fGVIEqgvEk=,tag:oXP8LZeWfhlYDQVGb6d9qA==,type:str] +openclaw-mysql-password: ENC[AES256_GCM,data:q1pWusf1KZuIiW6hP98ZOSepdQ0auiGfsyxAzWM1eCyVg8L+EOnOml7BLBnOrg==,iv:gMP6durtZrPmHkvyY//Xc32XFMjrLGOgdjt+b3R7IIQ=,tag:I/bYET+bcDo4flwjI+xKyQ==,type:str] +pushover-api-token: ENC[AES256_GCM,data:SzegegBvjTVZoSPZlE6+AajWQpuhsxscEgd8UN2Q,iv:oHZiT/LNjfL7rIdhw9J9wOi4oM/O4qtQiXBrkYJ4AZA=,tag:i+c4UacnwKXjqvXjDoaN+w==,type:str] +pushover-user-key: ENC[AES256_GCM,data:SAUzz1twmSSZwQ3FBNun1DSfsE2gmb+JcfoSRGkX,iv:Ei8MXq/Y0YfOGnODwsJNd1ie1AusNhldqylf1MrVj5M=,tag:Wzk4fy5SbwcxgvzmZ93PAw==,type:str] +sa-core-mailpw: ENC[AES256_GCM,data:6SRPg8no5EgQHFskZWVPX/9+OSDrI0jCE+oI,iv:Difm9K2f3UfJ/6ZvrOMA9vdeY3Cqh/MN1OJ3dFktxmE=,tag:1JhxMU+eE43xmKwY2KX7oA==,type:str] +zammad-db-password: ENC[AES256_GCM,data:FlCUVlIW9mIxNdTApXZ/C4AihH2dx7vNcG4HxRJ/dhgQ1MQWuCoG4JxNbqVtySsZywhRFjxZI9rhlo0U8nuRbg==,iv:OP6+rA+n7MIQHH9Ip3GOr/bdbmBu/tTKX+EWrtdOkZc=,tag:MLab9QtuHFMjWVy/+sC4rQ==,type:str] +zammad-key-base: ENC[AES256_GCM,data:UwXUoxBUJbvQxk7gqIp0bVu5dOKhGQcl3ngFMLfFXBsUOXMgQEE6YEolX5XIsFyC2DqgCC2DNABt1D7/0NRUL5KGOvnA/P/2SjnwYTeaonZ+oO9WQEk8ZIP2y/QMRjv19AhXtnnUfuSsXlUgPfvbROzo6Si27o5KLbe8Mgdy21A=,iv:iJ9wqIvEEXmBrbxkIroccaECXl5YzEdL7/S9UowyaNs=,tag:N7w5PvuZGnT1mbA++ulh/A==,type:str] +updns-token: ENC[AES256_GCM,data:k/X52K1L1Fm8Drti08sVbIDwuGLwhEUHVRvSlmPp4t0=,iv:4vxz/YduOZ7shs+eIutTITcs58TCC+FebvFZ2T5I0Fw=,tag:bU71WgglybMOMctv+kokGA==,type:str] +wg_cloonar_key: 
ENC[AES256_GCM,data:t8avIo0y1548SGuJhrctM/A2o03ZZ2TC5QVlKKoyRIDs9nMF6vxI8LkaO2o=,iv:Gr4452tl/MIbp2u2BGvAY/cV4FhYuZI8FBpJOdVZSlM=,tag:Oc6qVqPh6Mjgch42bh/fyA==,type:str] +piped-db-password: ENC[AES256_GCM,data:7tAJHnZWExOJNDxjqWAcLQlu1JfzA2Yqr1djDD9O/esrWczsOaS4ylClHQo=,iv:zSrd367s9TcicCJ+T3T4gPXvZ0uL4IA81AHWDEw+RJ4=,tag:juCd74d1c/qGtP6qwEfTqw==,type:str] +piped-http-auth: ENC[AES256_GCM,data:0bcLfpsuWXFJEbXmzpvUpO7pQgt0HDAGioAvUwkAkwnReCRVY1Xk320YjL8G,iv:4SgDFfeviPyLRkQE9cjo6ommeVwPrirV+u8To+2L9UI=,tag:VkcwKWSh2ILiTz5ZNF7Wpw==,type:str] +fueltide-lego-credentials: ENC[AES256_GCM,data:UrHRbxAuzghXwTqvfbxueuA7QZbzHvUJMOU9hGMcpFDBIuXnXMBEyV9DBh0hi8K5jlAFVvo8bYA6KYrPGUGcjQ9WN+2ytZybrNFiQm9jghzxjw==,iv:A2qpq5uodE32pZkm5kUktZBcr1cyL1Crp79Tjqg5geM=,tag:NsFMEwQyW0Q0yYi06sFzhA==,type:str] +supabase-env: ENC[AES256_GCM,data:hp0i+yDutgZgaSHP+KLTXH8SnfqGQ72WNRVHZMk2BFKU2w5kLZ8VaMaG35FOX6PW8L4TKABBzStekdLAFrCCyQ06a9D/3XT0GwzcJV2goMXm2ZYd7hs=,iv:jU3JnUyCTWzfzz3H3ih5Mx970iQ9K5BWyUZYW5zhz4U=,tag:on3C6Gsob2TUd+yTDM5FlA==,type:str] sops: age: - recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhTWszRnZUVWI3VGJsVFVG - VW1sdTU3K3hnems1bi9TeGI4RHlLanlVN2xNCktQZzRsaTlwSGFlakI5NzhTL2Jl - c2VUeGdDY0lTRjBmSWJuS0hNSnRMK0kKLS0tIExKTDBpOW45MGhNRGhjTVA0R2Ez - cmRkMTVuOEdSK0NxcVVUSWZnZXJnaUkKCpyj5em3HIfpPciF6+PCda64C7fYJ5xB - dgTTbcJ7HXm+bn57dd12FOMlLZn3xYjV6/JK/xAm3AaXQIWhi8NHsQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxYzFWaStyMFVsSk9TRkp0 + eExNL1AvUGl4Skp0N0ZrcTFWc1NaWkNrQmtrCjAwOEMrZW94S2sxcVE2SnRHeWc3 + NEZZTjg2ZVZ4dVhvZ2xUWjlmTjA1QkEKLS0tIG1YdWtBYmlHY1ZnZHFZcFFQRXdq + TGgxZkp1bEEvdGd3VFdxYXF0eCtHeUUKFei/CwLwc9spgzwExzaKAG1/p4SFNdUc + i7tG8ZdW4d0DSNtxiHJT4x8M17z69U7kmTj17ioRsd5hV+JuIYmhQA== -----END AGE ENCRYPTED FILE----- - recipient: age1exny8unxynaw03yu8ppahu5z28uermghr8ag34e7kdqnaduq9stsyettzz enc: | -----BEGIN AGE ENCRYPTED FILE----- - 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2Y1BBZWxNL0ZjR3dBVWk3 - TlpRTkJnWFJCSXo2RlhYQjVueWplNW1qbFNJClUwU3U1aDRWUG15OGxnUkNmQ0Z6 - aDI1TVltOE1qWXMybW0veitnZWQ3TGMKLS0tIDc0cWFpenFkM1k5MTk0d1p4SDFY - MFNxRTAyUkpRb2RWdWJvZHBQMGtoeU0K3hfwA3jT9eidPeN6LgD4Un70CzfK+OA7 - WEq98tdYF0I65y11oMKW0wt+CWq05ygA+Wgxb2zeAX4xejTuXA4wjA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaNXRaOVBKUFZld3VUVGJt + NTF3YTEvOWVFZzI2YW14M2ZYV3ByUHA3OWlZCnZZbVhNTkFpYVAvaHFpVDkxT3BS + dFFLdDFFVEo2cnFyTk1CMXMvcWt2T3MKLS0tIDlJSlo5bG1ZRjFQaEpybjRCZkh1 + bzMwMHZMVWxobHIrMHZBeDZMSkwrVlEKQbAMCacyIllIC0lZakWB2J2iVTdK5qdM + rNObc3rq8PZkvJMxeTDt1mVvLIOJU4fUn8UCMx1pa0Wz+NTkKkkUUw== -----END AGE ENCRYPTED FILE----- - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtVUZQbEtxZ3RXQmowOUY1 - VTRmZTRoZ2dKbzdEU3dKV1ByaDIzRUVTR25ZCnoxUHlrcDdiREFKTllZMThRbEFr - empRV1JxQmcwQVBBWEFFUUNsRnZyMFEKLS0tIEJxTUlybTF0YlVmK3h3Tkt5a0Yx - TjQvZEJBKzlyNDhaNTBMWmJ4N3drWHMKr5MZlIdKupzG/s2snMGABdj4FJ8zAZMz - Egy1ifZNNQd/JgtghEQlMa0kQGYYOa9tsII92MR/WReD0ICCy/Q24A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQZUR2cFVxUW9TNjBLNFVP + cThwVFF0OGpvNnJ5VGhST3ZkM2c5Y1VUY0Y4CnJ0ZFhOYWZ2c1doUmdJZVJRU0Nm + YlI1TlRkVUJyc1dHenRVZGwwN3YyWDgKLS0tIC9PN1c1QWJ5c1NtSnV5TFl6NXlR + aGVLUzIwWjdwWDBNSVdzSlFsZjE3MjQKyX1pyL3Lf/Epfqp4UJWmySMJps/1IZxb + levsN+2CvhQNiFDaknVRQ7l1JpHfg1GyhqerjlGNKJQyA0KoBBZOzw== -----END AGE ENCRYPTED FILE----- - recipient: age1ylrpaytkm0k5kcecsxvyv5xd9ts4md0uap48g6wsmj9pwm4lf5esffu0gw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiNDVtYWJrc0pqS2FIdkRi - RjRsSFN4LzZicUJ5c21Gc1BoQnRxU2JIeEZrCm5xQTE3YzlrY1FzeW15S3N2bmR6 - L1c5enRESmY2SDlyTXQ3dmJBTFovc0UKLS0tIDJTMXdlZFF3ZHZGOVVabHZ4ZXdD - MWdMYitOVlREenB3Qi8yUHBGRVcyZk0KAIfJnuCiwVF1J3EE27BaXMOW4x3lI33C - A8TSnLkRc0/bMYDuBXelcy/KOf/WSGQQyzYh4DpzTTkvxu3i2m7Gyg== + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWeUo1Y0d5RjduWDloRVZH + NUFIamg3bVlYZkI3WGJqVDVLTENoYTZpVUhBCmdzYm5qUTVXM2hWYVN2aGRKM0Ra + TUtGWjJZSHExRlRTOTRJNGZSU2ZibU0KLS0tIHE1MUZYOVFNK3FudnYzd25NZTFp + MDdacW00M2wwRUtsMUpwRWxHOFJ1TkEKmBULK5JZYwVJAoKgcM8GPXXto6QogDA9 + dTlGnMiDxmfNWFbA+Fl1gb6vw8rC/ufs+Binf1TibD413ezK4JNE+w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-04-24T16:56:29Z" - mac: ENC[AES256_GCM,data:lE/HKsa0qP7ngt+7zGZ6NHLiQuP4TvZhUsF5cGZ9AfaV2g7EFzH8WW9oMRDvcWmUsuD81MjIDqjrpP/NpEYkjBlTYP/k0WmoCNS7WQeZ3+buyGXzk2iwqQ2WzW3uiNJmZF2iFOBWp8wtu+4NxgNq/5GCCXlfmqGT9w9K8q0BXmg=,iv:iAgWtEIv/+nFTqu3oj9b9oLvPDY/fgpmVjPJ+IXFrYI=,tag:RW8czu/R+tmnjePib0QY1w==,type:str] + lastmodified: "2026-04-24T19:14:56Z" + mac: ENC[AES256_GCM,data:JvzlrUYskscZJuRQezku0FegWl5wL3q9BmxwMchqKyKkfr/I+ujZTKogn4iQMiYgy5B/zHIgJhHwtgSR3/CCVXF1M/PLqRoIdhBYgMGoVVx9e7xt+TGd47cL/9LHVHe7y3gJsP2ZkGJBHEMy8cPF8dXYFKUkZWR9AxY438vqYuw=,iv:VMN+Qc/DvudTnKI2x/CbS5UWOEShDVdOl95K9Zccfv0=,tag:it/nLuWMpUhDrxi25m8vtA==,type:str] unencrypted_suffix: _unencrypted version: 3.12.1 From bef415b5915e5d3a67208ac475a43fb3def62a9e Mon Sep 17 00:00:00 2001 From: Dominik Polakovics <dominik.polakovics@cloonar.com> Date: Fri, 24 Apr 2026 22:22:26 +0200 Subject: [PATCH 5/5] feat: add fueltide backup --- hosts/web-arm/configuration.nix | 1 + .../modules/fueltide-backup/RESTORATION.md | 129 ++++++++++++++++++ .../modules/fueltide-backup/default.nix | 64 +++++++++ hosts/web-arm/secrets.yaml | 121 ++++++++-------- 4 files changed, 255 insertions(+), 60 deletions(-) create mode 100644 hosts/web-arm/modules/fueltide-backup/RESTORATION.md create mode 100644 hosts/web-arm/modules/fueltide-backup/default.nix diff --git a/hosts/web-arm/configuration.nix b/hosts/web-arm/configuration.nix index a5501ac..79ba795 100644 --- a/hosts/web-arm/configuration.nix +++ b/hosts/web-arm/configuration.nix @@ -42,6 +42,7 @@ ./modules/scana11y.nix ./modules/wireguard.nix + ./modules/fueltide-backup ]; nixpkgs.overlays = [ 
diff --git a/hosts/web-arm/modules/fueltide-backup/RESTORATION.md b/hosts/web-arm/modules/fueltide-backup/RESTORATION.md
new file mode 100644
index 0000000..400e2fa
--- /dev/null
+++ b/hosts/web-arm/modules/fueltide-backup/RESTORATION.md
@@ -0,0 +1,129 @@ +# Fueltide Supabase Restoration Runbook + +Use this when the upstream Supabase project at `majxbigjafpzayzboxsf.supabase.co` is gone, broken, or you want to move to a new project. + +## What this backup covers + +The nightly `fueltide-backup.service` on `web-arm` produces three SQL files per run under `/var/backup/fueltide-supabase/<timestamp>/`: + +- `roles.sql` — cluster roles (via `pg_dumpall --roles-only --no-role-passwords`) +- `schema.sql` — DDL: tables, functions, triggers, RLS policies, views, extensions, types (via `pg_dump --schema-only`) +- `data.sql` — all row data, including `auth.users`, `auth.identities`, `storage.objects` metadata (via `pg_dump --data-only`) +- `sha256.txt` — checksums for verification + +These files are included in the nightly borgbackup run (03:00 UTC) and shipped to the Hetzner Storage Box at `u149513-sub8`. + +## What this backup does **not** cover + +- **Supabase Edge Functions** — lives in the `fueltide` app repo, deployed via `supabase functions deploy`. No action needed beyond redeploying from source. +- **Storage bucket files** — not in use for this project (only DB-backed data). +- **Control-plane settings** — auth providers, SMTP, email templates, API keys. These live in Supabase's dashboard, not the database. Must be reapplied manually (steps below). + +--- + +## Restoration steps + +### 1. Provision a fresh Supabase project + +Dashboard → New project. Use the same region (`eu-west-1`). Record: +- New **project ref** (20-char subdomain) +- New **database password** +- New **session pooler hostname** (Project Settings → Database → Connection string → Session pooler) — the cluster prefix (`aws-1-`, `aws-0-`, etc.) may differ from the old project. + +### 2. Fetch the latest dump from borg + +From `web-arm.cloonar.com`: + +```bash +borg-list # find newest archive, e.g. 
web-arm-2026-04-24 +mkdir -p /mnt/borg +borg-mount web-arm-2026-04-24 /mnt/borg +ls /mnt/borg/var/backup/fueltide-supabase/ # pick newest timestamped directory +cp -r /mnt/borg/var/backup/fueltide-supabase/<ts> /tmp/restore +borg umount /mnt/borg + +cd /tmp/restore +sha256sum -c sha256.txt # verify integrity +``` + +If `web-arm` itself is lost, fetch from any machine with the borg SSH key + passphrase (secrets are in sops under `borg-ssh-key` / `borg-passphrase`). + +### 3. Restore the database + +```bash +export NEW_URL="postgres://postgres.<new-ref>:<new-pw>@<new-pooler-host>:5432/postgres" + +# roles (some will error because Supabase-managed roles already exist — safe to ignore) +psql "$NEW_URL" -f /tmp/restore/roles.sql || true + +# schema +psql "$NEW_URL" -f /tmp/restore/schema.sql + +# data +psql "$NEW_URL" -f /tmp/restore/data.sql +``` + +Expected noise that is safe to ignore: +- `role "supabase_admin" already exists`, same for `authenticator`, `service_role`, `anon`, `authenticated`, `dashboard_user` +- `extension "pg_graphql" already exists` (if schema uses `CREATE EXTENSION` without `IF NOT EXISTS` for any extension not pre-installed — rare) +- `schema "auth" already exists` + +Stop and investigate if you see errors like `permission denied`, `syntax error`, or `duplicate key value`. + +### 4. Redeploy Edge Functions from the app repo + +From a checkout of the fueltide app repo: + +```bash +supabase link --project-ref <new-ref> +supabase functions deploy # deploys all functions in supabase/functions/ +``` + +If specific function secrets are configured (via `supabase secrets set`), re-set them from the app repo's documented env values. + +### 5. 
Reapply dashboard-only settings + +These live in Supabase's control plane and are **not** in any dump: + +| Setting | Location | Notes | +|---|---|---| +| Google OAuth provider | Authentication → Providers → Google | Client ID + secret from SOPS (commit `67e81d3` added these) | +| Apple OAuth provider | Authentication → Providers → Apple | Services ID + Team ID + Key ID + P8 key from SOPS | +| SMTP settings | Authentication → SMTP Settings | Sender `noreply@fueltide.io`, use the mail host's SMTP creds | +| Email templates | Authentication → Email Templates | Fueltide-branded magic link, confirm, recovery — bodies in commit `67e81d3` | +| API keys | Project Settings → API | A **new** `anon` and `service_role` are generated per project — copy them | + +### 6. Update app clients + +Update the iOS app (and any server-side callers) with: + +- `SUPABASE_URL = https://<new-ref>.supabase.co` +- `SUPABASE_ANON_KEY = <new anon key>` +- `SUPABASE_SERVICE_ROLE_KEY = <new service role key>` (server-side only) + +Update CSP in `hosts/web-arm/sites/fueltide.io.nix` (currently commented out, references `*.supabase.co`) if you reinstate it. + +### 7. Smoke test + +- Sign up + sign in via email magic link (confirms SMTP + email templates) +- Sign in via Google (confirms OAuth provider) +- Sign in via Apple (confirms OAuth provider) +- Read a known row from the largest app table (confirms data restored, RLS intact) +- Insert + read back a new row (confirms writes work) +- Call an edge function (confirms functions redeployed) + +### 8. 
Update this backup service to point at the new project + +Edit `hosts/web-arm/modules/fueltide-backup/default.nix`: + +- Set `project = "<new-ref>"` +- Set `poolerHost = "<new-pooler-host>"` (the region + cluster may differ) +- If the new project is on a different Postgres major version, update `pg = pkgs.postgresql_XX` + +Rotate the `fueltide-supabase-db-password` secret in `hosts/web-arm/secrets.yaml` via: + +```bash +nix-shell -p sops --run 'sops hosts/web-arm/secrets.yaml' +``` + +Deploy, then run `systemctl start fueltide-backup.service` manually on `web-arm` and verify a new dump lands under `/var/backup/fueltide-supabase/`. diff --git a/hosts/web-arm/modules/fueltide-backup/default.nix b/hosts/web-arm/modules/fueltide-backup/default.nix new file mode 100644 index 0000000..7680f4d --- /dev/null +++ b/hosts/web-arm/modules/fueltide-backup/default.nix 
@@ -0,0 +1,64 @@
+{ config, pkgs, ... }:
+
+let
+ project = "majxbigjafpzayzboxsf";
+ poolerHost = "aws-1-eu-west-1.pooler.supabase.com";
+ outDir = "/var/backup/fueltide-supabase";
+ # retain local dumps for this many days; borg handles offsite retention
+ retainDays = 1;
+ # match the upstream Supabase Postgres major version
+ pg = pkgs.postgresql_17;
+in {
+ sops.secrets.fueltide-supabase-db-password = { };
+
+ systemd.tmpfiles.rules = [ "d ${outDir} 0700 root root -" ];
+
+ systemd.services.fueltide-backup = {
+ description = "Dump upstream Supabase database for ${project}";
+ path = [ pg pkgs.coreutils pkgs.findutils ];
+ serviceConfig = {
+ Type = "oneshot";
+ User = "root";
+ LoadCredential = "db-password:${config.sops.secrets.fueltide-supabase-db-password.path}";
+ };
+ script = ''
+ set -euo pipefail
+
+ export PGPASSWORD
+ PGPASSWORD=$(cat "$CREDENTIALS_DIRECTORY/db-password")
+ export PGHOST="${poolerHost}"
+ export PGPORT=5432
+ export PGUSER="postgres.${project}"
+ export PGDATABASE=postgres
+
+ TS=$(date -u +%Y%m%dT%H%M%SZ)
+ OUT="${outDir}/$TS"
+ mkdir -p "$OUT"
+ chmod 700 "$OUT"
+
+ # cluster roles (Supabase-managed roles already exist on a fresh project;
+ # restore errors for those are expected and benign)
+ pg_dumpall --roles-only --no-role-passwords > "$OUT/roles.sql"
+
+ # schema: tables, functions, triggers, RLS policies, views, extensions
+ pg_dump --schema-only --no-owner --no-privileges > "$OUT/schema.sql"
+
+ # data: all rows (includes auth.users, storage.objects metadata, etc.)
+ pg_dump --data-only --no-owner > "$OUT/data.sql"
+
+ ( cd "$OUT" && sha256sum *.sql > sha256.txt )
+
+ find "${outDir}" -mindepth 1 -maxdepth 1 -type d \
+ -mtime +${toString retainDays} -exec rm -rf {} +
+ '';
+ };
+
+ systemd.timers.fueltide-backup = {
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnCalendar = "*-*-* 02:30:00";
+ Persistent = true;
+ RandomizedDelaySec = "10m";
+ };
+ };
+}
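Review bot: The `PG*` exports in `script` never set `PGSSLMODE`, so `pg_dumpall` and both `pg_dump` runs reach `${poolerHost}` with libpq's default `prefer` mode, which does not verify the server certificate and falls back to an unencrypted connection if TLS negotiation fails. The dump carries `auth.users` and the rest of the row data to this host from a remote pooler, so the transport should be pinned: add `export PGSSLMODE=verify-full` and `export PGSSLROOTCERT=<path-to-supabase-ca.crt>` next to `export PGPORT=5432` (the CA path is a placeholder; the certificate has to be shipped with the module). If the CA cannot be provisioned yet, `export PGSSLMODE=require` at least removes the plaintext fallback. Whether the upstream project already enforces SSL is not visible from this hunk, so the client-side setting is the only guarantee the module itself can give.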
diff --git a/hosts/web-arm/secrets.yaml b/hosts/web-arm/secrets.yaml
index bc5ae05..c5847a8 100644
--- a/hosts/web-arm/secrets.yaml
+++ b/hosts/web-arm/secrets.yaml
@@ -1,80 +1,81 @@ -borg-passphrase: ENC[AES256_GCM,data:tdqB4ipAqF+gRBYeukt9q4+o+8mec8lHQ17KV1u4rNWPxSgD+Px+aqPI5Qz8uNmIy467LlLfXOLsYMZNN0Z8Xw==,iv:8sBE3Ynz/Fk1Zt+gdDGoYh/udmdLSjtBQnWm9o1WR68=,tag:mmV5OE6uRNNIaW/UDB5QzQ==,type:str] -borg-ssh-key: ENC[AES256_GCM,data:1pz5NDNI3RpaVDPaQR5+nBZyKoZVeox5WZxu4FiRJ5zraDvA8IuS0PG+rib0J/FniXU9Lqxux8etvCmpnHp8jA2rGGrK9UCPIhhYixPu+XIEh0ilgGO6F/ory8D5jlLfjcpK9AlOToXXgPxraFUsr3xW712SQZ1fMMCl2Zh8z/qpduD7idr8nDYvIdVzGiWnwRaYLaoHCS+Tj56QdsIM+mMR4Gs4i/GLjaTS1AepKyCxnV4hDzjPnS0LpvKR5wEUwGbV4RUGWJVEsMScCo1CWy9VnZCmN587sOS2fqVQEMXh7PCVZ010X61ynUebd3MwAPRySdxpNZfQuqlidCVUPmsxpa39PbeHBFzXAVWkbiB6sRQsMo0k43JP+qvQDUAhNVVRvibhtExRM2J7ONolIdHOB6O1dieosnPCD0dUCj1bIimJHTkQy6bXxErQYDW/5DnMtY8mNJTVJh1V65+FIT4luKxRxJZzWZz/hcz43baTcA1ExditgaRDrdLySDiGs4BkD9i8wSvkdbmloOOe,iv:fDjsfXl9SXdS7pPOVP0cJ+DDUImJlTBsOTiwXTge6HU=,tag:avzEFeFEH2WZ4pNkYHiVrQ==,type:str] -vaultwarden-admin-token: ENC[AES256_GCM,data:sQ76TnXNSbrSU+Hf3axCG2v9bKXJ8jY135eKQ0D6wPTTAdl+L7Oi0VhubPcO9xuud5+DM1t3AIA9pETDkrMLew==,iv:IQLURBw82K5f+E+6VBTjWmNQbk1mNiYk0g+Qvn7KLEk=,tag:dTr5o8VEcwUbljE4uZiS9w==,type:str] -vaultwarden-ldap-password: ENC[AES256_GCM,data:hyu+YJJeZSWEGqfoEi9Il2mHGvDbzN1rJgib99jkVXx3FBI/cHh+3Pxc2QB7ipjB3Vtz4aHuiVEYMvwlaO+Ejw==,iv:tWiNkgFooz1KfGiB9M7QajirPem/z5YeDFNVVl1DMZo=,tag:pUuRCRJVfSWdt0btiuhq8w==,type:str] -vaultwarden-env: ENC[AES256_GCM,data:zE8PRD/2FQAgBPj5nxZHC7A4uC2c7lgBEHjmgeahexWI8tTiE5arpogTyArdRsWJ2ma7OqhngXbSR2FyiZVFX9yPbmNHSrr3+RnX+RzvlcuvcA5GLA+QMZr9aDUN9+IvlY6L4sQupvqYBLiMjy51oWywe8QundxYnt8UW31haVjuCtANiSQBxOWAFikIaSwCTFXb9taKUqviZ+WBacMJx16GhnXBMtBegQ0/VQtXLEKaZ00PDVhZ8xf9thoMaKdJdZookBWZw6Er3A863vuTJqQxPC6Jw+6A0+myLtNgHBn94lUWUmh6cipfwaFWGQAvmCf8B2Fzgw==,iv:2EWG/4G/+L3IZSMOeK/7hT30jexXDccvz0uu7Galtx4=,tag:m59TE0Hufjv7x9MZaZxyAw==,type:str] -authelia-jwt-secret: 
ENC[AES256_GCM,data:kbLosJfjNJYxpP+nOF4pOoJMguJdlNy0YFpFebUuh/gJLwBaJdGAtkOrnYxn+tD7Vy5jAjSrla91x0q4zGqaMw==,iv:byILGt+YZZKZq4S1hl91RKV2F4LM8d0XIM3NptPADl4=,tag:qURHQGytgJZOwJEmX+52mg==,type:str] -authelia-backend-ldap-password: ENC[AES256_GCM,data:8Y+tjUIfDJDBdwiZbQojXDvT15F8PQmdGiXvukCjbAFBzzHWb4uzHzfpRhSlP6l7pPEScoAktF0xmh1+8Pczgw==,iv:21oQPsiVuaXrxInwO0muPQ76KoeHrnv61qNBKydoVD4=,tag:aJH+jIGAe70hjvQe5a+wXw==,type:str] -authelia-storage-encryption-key: ENC[AES256_GCM,data:wbo27JJ0GOE9rqWb4DhDmETusk2ApaTpoEd62CtvnrcY0OpTl8CrbkUrtKXImO5ZU9L1j1YjHOslVdJbQPeAvA==,iv:TYqE1yrT3L1odhmxE3f50FRxD2O8257XOij7ZA3wMbY=,tag:RFzNTTGyTbb0Kmz9ACqW5w==,type:str] -authelia-session-secret: ENC[AES256_GCM,data:qxvO9q94MJvRxS+ymf4XT4yU5U6rLpid+6n+3gBIWFEB/wokKVuwqhCmvcF1Euz8rVjQ0ypgGMjRQVBXvmmhhA==,iv:zKPtNJUBzZLFB3DnRV0n+9YBN+PNVHZdQhCC9k1G38Y=,tag:b4WPiqwzFvHIzVb5azv2Vw==,type:str] -authelia-identity-providers-oidc-hmac-secret: ENC[AES256_GCM,data:0ilRneTzMbESwiU4irhYGVkYCrzZFoNzAcsUSFueofI3UIav194OV2+Ut2QWAUZIJM7EBxw30HhykrfcPg5Ehtxwva+/cN/Am9JJjvTwuyPDEkW2/l7wubyhW5tEPulQgokdh91YsSLXWuHc9zgSlMdbKonulGo5dr4P1wfhJ6c=,iv:9BVVdB7/uSB4wyr4G/yXTngMmcqaJ/gm7bZBev3SSA0=,tag:kRkZgTCnQWDgzhUb28KNGw==,type:str] -authelia-identity-providers-oidc-issuer-certificate-chain: 
ENC[AES256_GCM,data:zskH55WXXCUVOZhfewPf1PRTkD1cZIZv0nRdHTepR5hPXAWcClRdi6jytnlpWGL8xaJQ/Sc8/dKe7r919ejlP74YPkscPqPuL7fNh54/AlDKmkFPblUE66aZcF9kJaawPb//QcdNOgwQzCUihlcR3Isctt8qnjRdleprvqQAmpmQfQltgdGVlWwZbzy8QzhuF83BsEC9rdJvgZzBNkA05F6CGu0JeVw/YqV8ZrO5snEQAebNFY/n8mygdMB0bh3RlrFtDcqB5VGwa1lCZpEIlbZz70v5Sdwpv150ns9zP2YHgRDcK91k/4BI1IEmHpDjXp1zQmoktJzjcpUH/AS1gZ4AAuuXeH9cCGepCf8Yzc2jKqVGq1nMiQTKUAKfct1RkV5r2OQgjlrDwPy7FyBdeoJB1IEzsfjaS+/N4k4dY4V3vWJZkkREvAzoNnHj3lg/YomQ+G8tCzX3X2Qpv09NtEjPPTWyHgl0xuO+V89HpcdEkh7m/zG8ByTPSzsWWcdiLXmONZt4E7xvDa3kY/TtJzoXQ+UfnuNyzz6/E96VpJj3tndudV6FAw1Pw3lWkYzO6Xm1mMx30UvbkIBszzLCfSJYkeEna+Sc3goDWUIVB7f2Dd+16ThJRnYso8xO1DEvvnPB8lvb67HbY32EL9fy4bMazMAmRa376LCXHwHZ4m1m1rE+mDxk1sB3Lau4OWp10aIIK2GDOw7Z6BmvsLT36v7iueP/iTJB6KFaHmHClMM1fGktjTxCrvNbl0v2nPsf5HL1GnUK3O02q/z0Ok6CQMTtYSghC5Sx5I4r21BjJkgleKl+Zo7gQWVkuSsG+09n22RDlOR2yHTnVPzzHiylykBfI9B01D+feAwzM6Om+WPLCkL09qg/oYBI4HF9IXTlSJ9nMzzDnLzlyIavmAVSvWarqdPE5ygnQiLQY98XbQAYOnvxzU9WRiq9aGWSGxqQUgvJGeoQ9YBwXuz8JOEXS6Ajl1SCX2nWhH5dK+JxsTVd6HEhk31mkJ2TB31ZaK+QGnZoBwyhFg==,iv:c4FHCn5W4qKLKdf/7ukTVw9HW6KiYPde1I61gWSBED4=,tag:FH/B2CkcOQoXjqpiA5Z+Jw==,type:str] -authelia-identity-providers-oidc-issuer-private-key: 
ENC[AES256_GCM,data:llHU0zfpzFFLMkIjgRBMqqSNcNYcvnBf+F5KWTfOLtj+b/a26Xj4CzzR+crTiyHN5G/DrjPrrOGd4EDM3GIMYs68WUg92kmjks0G6HhvWSQKvl+rASHibPhcIYTPFea08PzTX8JV0IzQR9G2wx9rkLjddRQns0A/UeEmULvVxADI+EZuQP1dAit596NVGxcKcz61lQwP4aKTGpTGk8dr9x4AXqGKGZl4p7sUOmJwT/Rtm1OKm/L2Dq/gbrxX6Ay12diT2Sdy7DaWotygqBnhOgByfKs3BoWdgq85OVmficntrviWdy+fUDXxpkiUrs62ZMDPFCxsmphV2YfTLur0UFMrgkMaRIKN34XRlIRwe6y1G9eNtvZq1yPSvabgX2Va/ex04SXLHuoFpqInHmX802fXLJM2dr9stN+QTlncuzr5reJNUuEwGmOclnufxm1zMIipzvKghTW3CQNYC7HWZLijklj2vXdMNPH+wauiCYBvrWmN6XUoPRj2+U57pgWBzzuSgHebnUTyULI9aYiumGXcI4KCD3jKZLht3za651mYMiepPdj9Ha7Fy6X6uSh7otZn7Z+OyGvuMBBx405eBYzR6jBAsYaNHecgOrR7bsDxO6mki9ZzXPGUgVlgUKWyWg9q5evSX79Fek5LDQ29nRjrMefDXpF2XXXReA7DFv8krN/Bpgm5RvyZn9BrAU2bsd8i6L0rIELhFmwx/rNMIsVJSCLsuxqgXglx+hSq7sXiRnF0Ipmrd499jxgUjupjgZTbWbb6fGdUkjH7iPdaoPkEJ1jLZJeE3ADyR1uj2McyZOMRM/rIu5Er1YiPMReJg7XZzQPHSl3UFD1v1hRFvMBtLKLYcjTu/rFdJV72ItxSkFohXeVDZZUHJzrpKPwSf3R8BxJyEfRD5Ph/yszT6HzbYesh5X46F99KC6cvJ84EPvQPf/xnzRxX42c48wG2DxVaoGygtpfi+FhGo2o1imMiRZYMHWbqPRrOJejpMV/C+BtN+I6SPP9+phmqwH3G958tk2ZSPhdm+ug3VWv2mAKfcPeb8G7E683TXYnsWWexkbyZxS0UU3maZyLnUnG+1AA49Sd7d+DTpvkwQP7kiRdybnxBKgD+JcwXmSrmoz2PFWHZaDuA1UFZV3aoZWuV6Q/2xgdziaCRhs9H2TeibeOEsu4S4UTFG6+/pDS3kJslkYMLCSLN7flBixDj9U4SIz6IPwjmVxC6JL4SJxGgXSPEICuxyMDGT/yLuZGqHQiElyNgUXjVu9dN79l2KNu/Le7NQYFgQvL0QFL/uw1ht+iUhmBUM8bSEZ29iHtC0speouYAnNTyx0Y6eYUDosBa0zS/+6UhiZr6zVGDg/b6CLZparkL2zdOFOvOQgwh/Q6ogPG6TekOds6GMY9rz0i6PJRWzorlFp3o9myKduyieip9UVnm5pFMuCxNGyJR+6xmbEESlioq5TMKtP4F1sxNEfWG7Wh1wtEmWWKe4QRJs5lej8Pwm8rx2o2ngA3ZXHjpl96h4j3haArIxpXZvT9YeU6ESm0Grv6NAt3M656B+i8RV6eNFYf6P3Vr9ydxagDMurGidgPncZZxT9TPk3EqJbOelYduNB1i/b7jBng3eW8NpU49uTJQB3xvREE4nQVSUdPvqUw4SSJpZhI+yxe1fdiJiFd5bGUYLFr2DMLvms67UczM+kvmaNvfvTmuD5COwv5rufuywtcNXv0lfzw2uZ/h0OgUOuvnUi4I410TaFLyobUsN+PP9+4z/VeQ7kKY31NpZwKAGJYYZiorUCg9CyD6ffcOGH5AcQU/7Vjdq5Qy8yiPE7BNJ7Dnw/NkWdC7YhsJjLLyHL8ssTurJGHD9cwYw3/Tjl3kA21B9FxJ01HH5xTOIY0aqlxdLCs62hW8nOeJz8TYprNZ3IQMjnHIfktxR5nf+HC5ghndGcEpwMOKJFSqmAURp+hepoqEATlgfDLLVk2WgMp/tilQ
b44jPhNtQgVIVJBzSHWKDgrePnU00QSNRZT9vyOZDJyzLrA/4WnJkLUgJoQUIuyW5HXAq5mlHO+HllCzt4jvqcC6XF/x/hK1/wiJ4IqRB3i5G/PuUwZfYd7Sc+3RtCsMbzFkKOtzmLtyGF955E5ASuXRwecsgvuTYOmioxxtNFHiqc8r1OE5lleLgYClrK0aA2UKGzwXHuH4T13+ai53oW69/LyhaWlqvkknDH8j86WV+//ZptvElmYC8k+VSRJZb0BlSGgrlJ+P4vISa1f8Z5jMROrO06GUo0++TB4W2v0hd6Sl3ytyteLzS+CZQryTTdUZVFbsDZi1oumS9qg5NF8ZCA9u1iEj2PsHGkAng3zQqS3mmga98uL+EBkZYv/bfFgiMqrdOTBJ7KRjbqkHAA8o1BoULn2TV9ZVxqg1VRXIGYkAcxl5K14aopopGeA6kbxQ+oQ6J4tdOKsV6sUr80QWVw7HqlHgWSHlvjl7Yc/dp4mHrQxzDx0b6WVlmqTYEaT5xzSQs6NrFrX33W9BABYSTKVK1CVHj3A5Vv7pniojnsgJeezRysbdORknWTvzuX/o470aiUgBM9wjqWkrahkbqKqntm6E5Dl/JiImDJ0yXoxbwAzY2yDH1jLMFz0ZUvDw9pskZQPJeEsZY+GdOFsMCj4Ht841pgcwNq27jf6anFY76aw6OYl18qmPhpBhLsPc6LpWoMFTQYooasOSwkzsNU+yJvGX6RpV7CoC4jl5sEwzwX3BlnxAlVz1fLU7ENxqPW/l4d/ct1jNMIW2RJYJvl2jTH2LsHRfMM4dcKoq0QTktr41Tgw3f4GNI0qzhnY4W7YeNgiMrEP9WAczdxSPNWYSlYUc0eHvWl1bUFwvANOD2jna3IuLD/8qqTD2fWKfppowLETx6T4hwqnIi7e3CBvlW8gJapnd9/OERcTSFl4Msb0cnAlwPU7PK+rtltrERlQFP96eZWwFwE2l4COUoqbN6fAXO+evLU8s15Lpzr/RSOU5BspZgq9eN7PUHCGg+jXeH3avPxgLGK/SuS0njiM+4t513+SS9TLESQD7BR1tFb/BBtDMsGZoRdCWrnELa0stFukFuYcIgXXXzr0ufznK+HETPkdNDXw5yIBxl/nPSpeVonKNSTo3p3QNZRLhOJcLK944Q633ue6ijyNCOZvWEPzAdqAPE5JiZyJkfgZsBHZ5xJZSwERTZ1q2VgrYcOLfJQg/BigO76kJN/LKjlg3fvZPIv2ls2DPWSK1xA1DKh6jeb2DdRy2rRII90RbqyiUSkbcJu56SLPNJseC1Je3jB7zQE5AhJb13hlibIxy15fz4xFy/BMxR/yHAJM+yRRPoKAw4v3/CDiUsJAbIfIlGlZk11cce3aTJrMyMOglpeLqRgMNRPLkOzpVXt0rD1Sd5802DWT7G5RZmTt/PhSwsNE7TzBoG0Rg+F+pLS0V2zClNiAKN4st/DPS0tx43+a+0HicbXKdEdprIdyk+3nmhOBlDZXh0Tw0dxcANVaUYiaudL8Bi6GyYqjGf4Na7B41HdGQJEugoIzuciHlznc/PysXMPE9XLort6gdYYT32LXX2LHVtzYn/HvuKmDXg3Up6LNPUhQcj0akhOifYxRvDVDCTJ9IK9KTTI5vF9O7sIoqzn8CsM2FzfM5x+EE8/ae7b/xWsxkscCc34yjpDCJF5ur46W6y8zbJyCGaEqTjtkQBzwND2++5B2dghtW6ClCtjYV7Gf3vUq+7lQYmnxj41IG3ad8GTEUYBgIfpoz3gS8mVO1phDyfjeKYaWDtuVl1bC8nKOvuPnAX2Gpb9MABrE0onYpt4wcMtTgtlugcUNWzmrxXikuZlinQSWVLX8EzdF2r86auvw+wHX1EqeIMdJ283F3HAhNkFAfeTR/a64JWue8c4v1Ak0Tn5s84OTJ7wJKeShR6XEBuzCZ9Bbyobr3RmNOKtd11Ph32Imnq7/YaCyZ0iCiuTW+1orynDBZY/8H0jNF
UIACxF/Qp7uTIA7E7nXRnzzHEmk7PeTnrMDcAKom6MEEWzQdkbDdqVrvqtw2WBsUAaXLdmw5O/UNiXBLcN/TxMtViJzmbPOA9+l+Vxy4UIctB0Fi05bU4PeFULioY1a0EccElFgTsMNhw0B/qnkOuJUs6scK42GojkPjZn09mxEByL/gUZw/6gxF+nUVA4YyvDkPVYgSNe54pMJ19OtbD91aMv63UbLJfMdcHabXFHPeByzEanl9IWzxOSRDpT1ga3vRo+WohSvUNbXmOuswh+qz6qRHlJM5SRwHj3AsXevxKiIuBPgeiV6rjTTmol9ezr0tDCLumxi8uLnJYkrBbjrG,iv:6sZT9L4js0G3Gqb6zoFhAEOxjjPK6klZElHVdpJ83uo=,tag:UBAhUBMwlQ3tNCiWlzzP7g==,type:str] -gitea-ssh-key: ENC[AES256_GCM,data:8iBhuTg4GLslB+6nXh1RRWLIFsFOpcW/vvGltsXpG7Sz8Bmau1i2IAJM03AauSm6PeTHVpIqVbX+VnHGs4SO1Ld1D+2n57RrA8PVvSRyNo34Z1nwA9Zk4Y2GVEYAyFIJhFv3aUFL2YX7Y2yr01kiNp+YR8nBxNwSuIKUgIL+vFyTfLp56c0zKeAKD3B1krMPnfD/Jw+cfgQFmAZoKAOddB+P2QilPN31813Cdg++lXYm837Uu7IhlHNdXWycpF4tw+QMaIML+FS1Q2KbmhfuaUIqgK1EZ30VZMsUlclRy9PegKo2veaAdhQhizW0+0sixVYIrsAzhy7oaeMg/iHGv2MGCFogT0bSbV1bNM2+D1O1IVyHA1Hc2OdEBC2OPyBf8938VRJUf/1kFYcTf/RQR5hhcz0kZq7sQW+FcFdyljhpUPdggluryj7WeR4yjbyDYCVIQf5FMu3Yz04UM14Jh5Wegd0CHEYNOmh0Es12pgzUC/l2oo5vxdwcMGOIPrUkqm4V7u1psrlDb+nrPhOx,iv:Mk5+HEUUe+h4XeMpVhzV3+ntTESD+S/Z7iOc2vpkIJ8=,tag:87HTy4/rzuvjYUBy7vowZg==,type:str] -grafana-ldap-password: ENC[AES256_GCM,data:OqqdEMpq8/GvnBncfbp5ZZZKgpWtWYAqvxlkaQHdssP34bUhMYHhclr7vp6vb6WQedlnxdfhAIsCUysGQW3YWSOb1+e5Z6igPpasyTWhrDPRsGgpkSRrkg1gTjQAY9MGp1r6a1zRsij3VCS8mImhqiXDusnrkVJOx1riilJ/74s=,iv:EgWzKPailuyx+ciXMzu4KLo6W+QMHxTbABhZHJbQ6+U=,tag:ezW3fvitEoM9yN0EqwThkw==,type:str] -grafana-admin-password: ENC[AES256_GCM,data:FPT69Bd1GhaLzJfT4SkljkcaVDB/joi9F2hsostVjNdWxAg4iqnMN6bPYeyvaQN6tELsn797wO/nIr2LrZLordX108La9i5Y3JOaKc52nGPmTytcFjg6I2K1lWl/V1nQP4WqDXpJstD+AHUUbo378IybhWPUmqNWkg8+xH78KG0=,iv:n6Uu0SDEta5ZoEc/Mf31VGSviRntUBvIz0QE8A9nvHU=,tag:/lZZUrOs6Q6AtnR+fsXwXQ==,type:str] -grafana-oauth-secret: ENC[AES256_GCM,data:GDrAi5y1+bwA7kpg04M3xxL1GDZUGfkSnWipLaZG0xPT5sJKlzizZznHuKVvnKuv/+RhvrqOoOlkqJU1S8cnGWE7ZBesMIDV,iv:dNkhDjitrZQIN2yxtr4BemNwJOvXhvxMFNznJzakZhU=,tag:zt+gNH6w4IPwAyYmhqlilQ==,type:str] -linuxbind-password: 
ENC[AES256_GCM,data:FYYID2pX4j+p2wGvA8C/d9pI2HjflIorHttsjqNpsqfIskCt8uuYVgxxT1KE3eFJZ44TwbO/Bn9m3sqd4Afcig==,iv:JhsbAhqWV2H/SYmDEMWj2gotJ0pMQU/XJmAYkW3TlxI=,tag:JbeH7JOUZ/+OPa6aKgtWBw==,type:str] -sssd-environment: ENC[AES256_GCM,data:jTli4rpUIJfvlkyTAlLxbSNnkGnRt61Jh7geUPY5YGUVLWOeqZWmIcUHNuxiSTHzkEbUUffYdzf/WcTAM3ASt7rC3+r+iEZyQtiVseCUfNOZmYkyVtvxiC/uIw==,iv:Zn0Iski8AmowJxY21xhuMvDEre1wQyEJWoc4qFbB+xo=,tag:QKzamd1wLNw2QXDqFl4+Yw==,type:str] -promtail-nginx-password: ENC[AES256_GCM,data:Gr9pkbRWoOtWhIe0k8jKQT7JxiApy0qPEB9AtPNuhFivixk11S98J23Go4Y7ewSKd+Uh9neOVil+mg==,iv:MK/53+xLWShQAnru94Q8GWOlUn8gNFoR/ai3ULadK/0=,tag:J+Peq/Fx4NERC4jYh71rhw==,type:str] -victoria-nginx-password: ENC[AES256_GCM,data:GrZlgcVuzSO/+FwZoewBEgnBrMmd0gfGn7MvlnTsiVPJVsg73XfyrABhrKhuBvaxET0G3dU=,iv:HJ2vyM3bL0lnIRxSBW/mooEfof74GXgvwlrRvrZGIRQ=,tag:wOwIKy1D2j/mEA/yMHQ1hA==,type:str] -nextcloud-adminpass: ENC[AES256_GCM,data:7SOBoH4Gd0SubsNuUQ5T0EDRhjiZU2ZmDa8cM6WSeU6KFNOdKq6I5nLtr/k0Cmds4XItj+ikDG7c/0AfoD0XiIyF6zvVn1/ObTQmALHXzAoKZlPJAKy+zrYJR2fpwuOLcZ6hwkwlTSJ2LPASPM2XOveXlXp9iemHNybe3yUlxk0=,iv:JNit7fGK7iumZDySI27jFFsJwSlQ37zwOJkPozRbuZY=,tag:qHzf8sl2N3qzvuc/h4X7Zw==,type:str] -nextcloud-secrets: ENC[AES256_GCM,data:huaByUaJp7lzhlLxklMd9L68+L/zUrcButs/B3RIROreJEGIfL5HoTernA41q/ILrnN+VdxqnmhWFfWBAH9jIdMvzaX2W7+OVaqVobKGptcS4OEA3Ae8hQqYWUyHNQ9wb9OsKqbUOqNurfacaw==,iv:HflKiZO+LwQvkoGgacJOOyH8nDxOAlbZgBjkMnsLgy4=,tag:9Rj8s4i28n5XUBPgiVBf3w==,type:str] -nextcloud-smb-credentials: ENC[AES256_GCM,data:Uh4Q0Xn0vlqn4MdQ2aDxRmqXHlRvJJErfp2FV8k/kGckU6XMfdywYLgzzHemddVR,iv:BVh3nMUvC1lntcdMd9ehGIm1WNHOle7CoMlnfqhj3n4=,tag:Ue3igBcj3rUw8eKPuhUnwg==,type:str] -atticd: 
ENC[AES256_GCM,data:6f0ah0jtMd2VGKhRavP2h104hP7A3uI4by9VX6BQaZO5T7E5MurADnu2pVSM4MMRv5n5gK0wxWoDbXvAvQRfK36Fm68FsMoPQYLeS2V0glLUU3OcmH1LcMdl5xs0xS+Ljl/CSQ8EHcFL7N2RJ2E3Br36+rtAXx0EhB6Ff67AY/FNbeJCFeYvvPFj6Bljn5A6WARR89+Omete4c014bLZWcJFU1Pv36uKEKmdyreSL5Dl/WdXghzQypwDmxXv6NAfXwMDxFesBgwVoHyF5rYebjDegmRt3KkzWvdijk5cTiW3UchcZn4fWILyFOoVnzooPvV9Ktp80RkX36B1H97xgF6BVpWUZXjMwaxdkQD3B99Gqi8zqlj2n8bqWTkcX/04M66REdxeC/Z8t0PS5WkbpxVFJecZXGr0WQmBygxeJOjRt+atBmqp/zH6KnMg/yv5VlQ+yJmtGXDJKWfduHaE2tKrTkplXMWf7Dv+jZ0b7+XlCdVgw62IA/KIEteEYPVd2yITMEworFGYEXhU3GzLamyaUMzmCufiYY8WZD38oHMEoYxd8HBSPgUgQWkd7ajyJmRerDqIEi9RtOnhYGz8x1V+MR7p0fI9GXE+8rIDDK1qOXyWHoAVk2f0EkLcBEskefjDZ5WH0KA37XWGhdxBJSX3GeksYhvmlzMdiFKBT7JbR83wXeuT3PKFhQej+a/tsh3lH5BTlUOqvToqCrmjLcvjDBWxcIL++/6lWXsU5etSjDcJ1+AD6PLrAFJvi6FAtewCTs+AjhMd7EVWCWzJe+3z+SXN7U3j2+tnMwqR/KjaM99E7XL91GUvAe45koAO6RtWFIXzk+vzM3nUOR7GZmkLjizNcmlK7u0Kt6bab0fpl9QoBGwcHofN67R8gYchVz1Km65UCtlI/761tA3MuViBDCWmYGk2NzQVF/ZOXdJSVm21RT0ZUIGg5T3aEcqdO30hz22cmulfuxorq0mSCk0wZ332VHQ/wfRt9SchNIJ4lOmRRE/IycFCCnL4cT4gL4PuftIjnRxXtIJPohX2e8AUEg3c2P5OjV+5yUdOWQqeT2i+CNAh4Z/T6f+vSFskvuY3O4F2yKFLChcnJrLoCoGhD5DMZfMnmxPCGDy6i7U2trwd+m8v2p2CuYE5tQb3kNaH90S5w3vVc+xDdezaTV88lC3BCDNUZKrIqFVuwU+hNkY8+Nz4I/pVIGU68/BwgcD2JgS7Xc/PM1dxU/DzaO4SEfd1CZU3MorsUqy6kXVE/B10h+7L3f/tIxRQzDeYAsZ5sr6LD62ETp6o9tzlZfR6XeYikv4wxo+FZs4ZCMfUWjtszSXf5t8vFPVn0E9tg9DULgWuSogUJ234hbk/+x/RS3QbBnIdrCMCucw9i6jUVy9C4+Qy8Pn0KTrs0VL6Qi7WPWN5ik9QgnSUgcyfHOrJVYhG/8A8C6Xgmu+4HbOGiZ+VKBxIBfp9eQe4YKkPfZih7XcuCExWSrLKeF+nYqITZnxpu8lRxBXq3iCf5FfJ7lhPhZFIBFMEgA80JHcpXCpDQcnaRWRA7ti+M+V29WTH95y3o14k+IYsvi6+0DlRfqkgCYY4C5uYXcDka5G8+JWtzHF1VBa7ZNubVP3FM18q7VMoqjud1ywKg0TB4mXk0RYIWGkD0QRUjxmPy2kEKPEOox+iwHCqQ3+RefCbN4rncwoaI6TG96DotBKG/JO2kXrCZYp2A710HkeKKmy8K8huHGUtxA8bGvc2TAgmx58A0W6k8zItHk+PUu+qQ6ivjyRuhbzRw+2LlbzK4wDQSaP3Bbg7GvNqY8v3TvTFcFPrKLzgkXgmfCdMGl9Aeh8lTxF+wTfpz7boYNxxUItx6qyw6VDJnctV1wEhXJmW0ahPmRo50FMtuUa5HyOyxlPLHblKlDRB++u+6Oy5I820D79JDc4Qz8gXiomjdBP58mNPrS7GMhOprtLs7YwaUCDnS3haLY96zY0QMK0j
YK7w/LT3m1kLYRGCuB2ddvwF3mfJ2WQPuJ9EVyXv16MPIqLku+qqwjisYQXYBx26jbDhP7WHP2FPewu48G1MKtO9UNo6hY1hCA499y+6IhPdeC1dzgd52noH2lPTZih3X0RKGioXYEa4ssrgyu5pCGyC/qvt9DWfST4au9ilLqfBjGYT+mUbZg/ZyKFw7qbihd8WXvrZp+SsIM1G20uflKsZVi93IpDxZ5/5qgA/czzRcselUQ9bOnwBJNTHc7lCQQ8Ds/7LsLVSxkwc5PyS213d0GGyoSAxMvgUcVrmlMs8W10+dOdAfiO+Z786CMaRkKi1D/WTuhAf9i87FG5kfYdieRUxOHob9zTh7/DP4H6ybsnMDr2MEU+RHbx275Z3KXHHxayrXxodc/2FZ78AMKobxU5gBvb6mP3xdsHPbLZdor55r3I5YQpZGZFThxi0ZZMxAafVejPpeUhHqUr0jNxrMigypGmpMv7cOyDr9bPrpFgitBzOBJdi7M05XaZoFpmr5dl5hg4S/jTPn7MxihbwsRb0XTbuIbZf5BTzwAZHTXNhWW+J+jpt7Oe2HGSCAAbL6BBlX0gzAdVe8f29FK3uRUIyxUKkEcfvsE9Wp1WYzP98Utc7thrWCWDxKcxr+ES4AY+cZmJ6JHIyXixjIaBxWMc9HBtwaz+OreJ01/PkY1fPruUhQmGOxxwwa9Jnh0/DcSNsRVUyl5zLdyoP1yqgJM8XN4QRzLILCJf3MYAsyyEoqFEO1PYjVKgSRS7N5JMJB6SJ9x9u31x4fwrosCpuS746OzCGOj0LFMA+bkiypkiK87WlXzDvbA1VST+MESzhFqBthUmY0Bd15A6rwpbjPooEjLcQfdExjqpymNBDXfI7wAcsNgF+AdES7/dZKqXNUo29X95VnQD6uOfEsL8dkzTv2TCgj+iEKnHYi1DKPxwlgtTrs9zjYMh+vAHzK7FVM8jKRDOzLt7MIggrhFmnspIofrIFeZJjTIvXwIDRDY3JjToO8B5JEJ7WTgY00DL0catmT5BC8fNg0m7XP1Z+HVKR1lPKNXHO+5S6bAQ5mtgCDykpWDM8GDNH5d+hrK6F3JZBdXKD0P9ZSKjs8lTbvztNzphija0hDpzVdgwXSPL0n3ZgwJoQWQ+rGvA3P0iAa9ZCi2DEnZw9v6wTGnX9s8zOqBB/G6pw+PKfI4SVN4iySp5EJSvDc0qOdYL45321yTOObY5EL1gOmnOZKXNuFyDpBY1QJvkWx6bcE64HqhppDsVg9JFbkMIO3q7XT0V2paw8VHK21x4+TwUwdBSwioZDHieshAR/JHWF6N0Zp89weclBQYQ/bcVw2/8CovNgsb1UsXF2+XdY1s51sP/rM688YIAN4VoavKz8w9fz39QgNy1HGys1I7llW8wlmBxK6ZZKdZGo1gnL7uXhRUXBUXlsdMP1RL7oBTV6gdd3H+GDcqo5ms+hnRP1dv09+fk+a3ny+HX78pLmPShPgrfHrHNsyVdHgkpVW5DtyQeZ+MH0vh9/liPE3Kx1UdZ9oikCT174p+Y4U16iFWW1iZa8Kbzl7jfpg/OFYdk+zxXmmloWHI6c1Y1dN4mteKoWUtpxOxBdcDk7K3Hh5zujm7nJzzAnxYCf2+RJdFxjIUyujw/s9SfOayhACsLsoenzmDJjI4Ds6JMBKcw2kCSmGMvxCsosW3GBE7q1OVWfLfRHwwp3lX7scRefJj89NJLy652e6lBAXL4NVqrg4uGD1OhVQ0WkR0arhM3n3MC7wwQ2l0NndzvMGtsESs0OY4tYqlwGyiqAI36Y2yXt32sk0knv5Oh0Hsegjrh1oj0bzw2wyqGMOh9WWoV+MOd7NZO9pqYFR4hDujrqhZpIsUgi+8I5vy4Ni4t8f5IH7FCV/T9ndzjkYiB5a+Xbt8Du/+0RkRvghi9VgOoTlC75d7rnVHC0s4Zyq3Q14+ylU25+BSFxODda2dXZLmHWi5ozwE+4jGVOfK3JjXC61nAN
PbbYKnOUx/B6j5T1F7if/NMXlYiIHhi13+09X1VLnsH33ysRUdmbPPTy9dvlAybkVlGN7Volbr4S5MpOg2UEEIQxij9G77MXoEWza2lzpoiFlKYjy/09nazmYl9oeWYlbKUZmJ7FCkhCsqLUkD1uD2wH3rkD0gGDNNxZKh4s2vNeP6okJYwqGhNuHlB1W0zlL2aqrF2uqcGP6eysgkcn+e+b1KhQEWOW6caeI8EI6zWom9uwiy9E95g+IFEoIgbHXFdTUFbnZmbzQSQr+5ViSMUmn12rdAuDKBw+P9MAyoYeDlMT4a4Lx1RlWELi8Rk6SgS0eIErVgreGBy9/2Rtf26DI/7WXq8e1toDy301efe6x4o5y8Am1rf1+dNl+bu4ik2vbL14B/VTzptpsl/Gas7SHMOG64xyhmpvonVFIfWl2pVaBthwNSXTO6ySdg3dGyO+sCg3rhZklA20Snwjyyns5B62PMitii2hzoDV44q1u27KZGSrJmeHLRq8MdAHwrZAiyjmDsWm5rViavW/27P6PJY9Z2+sjMfON/mkG4Zh1uQ7X2zLy1DcAIb2YL/AaWmPNAHqkX4CVBI8hTLNemmrfGLyvfk1bBRON70nC71xmv//rczdLt9qsXNlnQBfNFsZ5naEu+hL2NWpl4WTEhePs5qqaVK/cJJHizBA4qyOWsdLz7JujW9XVHovNv/pMOSbcx1BUg0Trb8r4hp2qSYAsLLV8rwS5mxtYE1tr/tk0uaWDB27JkJsMoGqIEgjkR39PSReYYwH3VFQa2qYLRqo+od9+kO7ImG+fqb0iZdAscQPvqIaI4rzOnM4IpYGGz51rPjUutMi48Ag0uonBCr0cfd6AnhudSHiqzlASuzSfr/M47VxLNxDXo/ymQJhUkI4+09IDJy1YpXDnHqiRhQPds7J/9fbzOk4CUbpSK+t8VIUeLStbt1rGDSWrEHzXCcbyHdlC6ZHSWIp/fb4DGI867gFeZfYQe8dxQCCwMDtgw728o9pnfNHVjCf5m+ndP6JcB4GJNgbBmvY74gnoEa5XPMz8AYXjNUii3jXE7a0Xhq5emTROlgj+HuuajVzZFjH+fVYSTPNJplN6CXJmcg3MXoCsYWcvzKXujc7AYJ5t8beaucZVM7s2V3NWL4uhBkBIwAybeoXYf/Tq0VDuNrPgG/rt0nzOIJsCVDzWIxJKOaomDdcgpMWxz98aNpFfx9DCUE9a20YPBzoII6BzfumOhvdLzWtMf16SrUfdR+jjuR3Db0EAI7/qHF6IdPXVKjyDt1smJOSCmIr9JhzyK3OK7+4GfpT2o/tKhpqcmQ2IE0LUiej+MRWR33jS1rMsbSiU5uIkxL6xQa6VBJtrU9BvtUTuHz2DmL37mI3ofuOS32w3NlR+z7ZJ1KaAtWDYLHEn6DArj4Gpyb6liXdb5XPOXIkM7CC1rNNParnbr3pVxBYuLFfRKDAv5IBXzRp8ktoMXhaW6JStmLL/hzC7GgML1Irt8s85fjjxDe+NPpdVyk0/82Nr940jtvdWyRACpqoBHLN4OYzx/YCKhL9VB5q9PzM2q8FIQvtfCyUf6IFxupvmra+QVXq278vhuruA+TdXkg0ndjfLU2/gWP1uJmrNWsB5I81l+/RRnxO7xl40NE1A1I1vDvewngjg10QVJU7KWkUu8nmMPiZb3Xy0XMhlArfueXgeiB9S+oeX/2yP5GEvd9MbeBaTx4V0MELpFOy6YZSfIdBFjJCTZSzeE0hvqNoMTrGxqlXlLTQa+yZKnGM/FVvhsm4PFGdgshGt/zNVzZuiql24N3gWCQSSlitdDQNOhbj4tVE91+djwcpWunaAmPizr8YQjJdYWQT3Z/nXM+WXdVNvaZ8Tb459X5t1YoOYzyp/evtbIUOVmTP8RjJm+flnx+u48RYevGaZyRwT5B/ba7u1QCyPrM/7g==,iv:l1jz+NiqmD8xrrIZ1F30u2hGzU0Z/zccLYB9VN9ZFaU=,tag:q6v
dceAjnvEYbQYggOh4zQ==,type:str] -atticd-smb-credentials: ENC[AES256_GCM,data:U4JHFUIB6s/5igOWWv4NQYNr5sNCv1zUHLiHl62vb47mf34ZtX/YKtlip7fewtKYfifmkIuegRVPf2tz4S3O/3F6CpALLIzY2LYB+g==,iv:N1PezIom3Jqctkh0ZNuI0XfExUxTYX6hm03+r+MrTOk=,tag:cR2bPpaN6pLFvIcR+kCV1w==,type:str] -ocis-admin-password: ENC[AES256_GCM,data:44qcM8qMUGaGlnffoILF2wC0wpYFNyqml+t+o59TfM0I1tBRya1ID1yL/rd4aQ==,iv:/44TQUkpT009MqXp+o+Cl7GbC4FDftlt9fGVIEqgvEk=,tag:oXP8LZeWfhlYDQVGb6d9qA==,type:str] -openclaw-mysql-password: ENC[AES256_GCM,data:q1pWusf1KZuIiW6hP98ZOSepdQ0auiGfsyxAzWM1eCyVg8L+EOnOml7BLBnOrg==,iv:gMP6durtZrPmHkvyY//Xc32XFMjrLGOgdjt+b3R7IIQ=,tag:I/bYET+bcDo4flwjI+xKyQ==,type:str] -pushover-api-token: ENC[AES256_GCM,data:SzegegBvjTVZoSPZlE6+AajWQpuhsxscEgd8UN2Q,iv:oHZiT/LNjfL7rIdhw9J9wOi4oM/O4qtQiXBrkYJ4AZA=,tag:i+c4UacnwKXjqvXjDoaN+w==,type:str] -pushover-user-key: ENC[AES256_GCM,data:SAUzz1twmSSZwQ3FBNun1DSfsE2gmb+JcfoSRGkX,iv:Ei8MXq/Y0YfOGnODwsJNd1ie1AusNhldqylf1MrVj5M=,tag:Wzk4fy5SbwcxgvzmZ93PAw==,type:str] -sa-core-mailpw: ENC[AES256_GCM,data:6SRPg8no5EgQHFskZWVPX/9+OSDrI0jCE+oI,iv:Difm9K2f3UfJ/6ZvrOMA9vdeY3Cqh/MN1OJ3dFktxmE=,tag:1JhxMU+eE43xmKwY2KX7oA==,type:str] -zammad-db-password: ENC[AES256_GCM,data:FlCUVlIW9mIxNdTApXZ/C4AihH2dx7vNcG4HxRJ/dhgQ1MQWuCoG4JxNbqVtySsZywhRFjxZI9rhlo0U8nuRbg==,iv:OP6+rA+n7MIQHH9Ip3GOr/bdbmBu/tTKX+EWrtdOkZc=,tag:MLab9QtuHFMjWVy/+sC4rQ==,type:str] -zammad-key-base: ENC[AES256_GCM,data:UwXUoxBUJbvQxk7gqIp0bVu5dOKhGQcl3ngFMLfFXBsUOXMgQEE6YEolX5XIsFyC2DqgCC2DNABt1D7/0NRUL5KGOvnA/P/2SjnwYTeaonZ+oO9WQEk8ZIP2y/QMRjv19AhXtnnUfuSsXlUgPfvbROzo6Si27o5KLbe8Mgdy21A=,iv:iJ9wqIvEEXmBrbxkIroccaECXl5YzEdL7/S9UowyaNs=,tag:N7w5PvuZGnT1mbA++ulh/A==,type:str] -updns-token: ENC[AES256_GCM,data:k/X52K1L1Fm8Drti08sVbIDwuGLwhEUHVRvSlmPp4t0=,iv:4vxz/YduOZ7shs+eIutTITcs58TCC+FebvFZ2T5I0Fw=,tag:bU71WgglybMOMctv+kokGA==,type:str] -wg_cloonar_key: 
ENC[AES256_GCM,data:t8avIo0y1548SGuJhrctM/A2o03ZZ2TC5QVlKKoyRIDs9nMF6vxI8LkaO2o=,iv:Gr4452tl/MIbp2u2BGvAY/cV4FhYuZI8FBpJOdVZSlM=,tag:Oc6qVqPh6Mjgch42bh/fyA==,type:str] -piped-db-password: ENC[AES256_GCM,data:7tAJHnZWExOJNDxjqWAcLQlu1JfzA2Yqr1djDD9O/esrWczsOaS4ylClHQo=,iv:zSrd367s9TcicCJ+T3T4gPXvZ0uL4IA81AHWDEw+RJ4=,tag:juCd74d1c/qGtP6qwEfTqw==,type:str] -piped-http-auth: ENC[AES256_GCM,data:0bcLfpsuWXFJEbXmzpvUpO7pQgt0HDAGioAvUwkAkwnReCRVY1Xk320YjL8G,iv:4SgDFfeviPyLRkQE9cjo6ommeVwPrirV+u8To+2L9UI=,tag:VkcwKWSh2ILiTz5ZNF7Wpw==,type:str] -fueltide-lego-credentials: ENC[AES256_GCM,data:UrHRbxAuzghXwTqvfbxueuA7QZbzHvUJMOU9hGMcpFDBIuXnXMBEyV9DBh0hi8K5jlAFVvo8bYA6KYrPGUGcjQ9WN+2ytZybrNFiQm9jghzxjw==,iv:A2qpq5uodE32pZkm5kUktZBcr1cyL1Crp79Tjqg5geM=,tag:NsFMEwQyW0Q0yYi06sFzhA==,type:str] -supabase-env: ENC[AES256_GCM,data:hp0i+yDutgZgaSHP+KLTXH8SnfqGQ72WNRVHZMk2BFKU2w5kLZ8VaMaG35FOX6PW8L4TKABBzStekdLAFrCCyQ06a9D/3XT0GwzcJV2goMXm2ZYd7hs=,iv:jU3JnUyCTWzfzz3H3ih5Mx970iQ9K5BWyUZYW5zhz4U=,tag:on3C6Gsob2TUd+yTDM5FlA==,type:str] +borg-passphrase: ENC[AES256_GCM,data:buuTQkYGqbeQjRqKF/QuM9Uor635QdlcmqQo7IBY/lJoo6+5goRLjqmRKsN5GhdvypyTwoLkNvmQ8AaaCvzVpQ==,iv:VgbVYy2uO6XCOBexEuU9oIcpumD2rleWpXKyWuHkgcA=,tag:MChCK4tWTjjiC9FcDVzVHw==,type:str] +borg-ssh-key: ENC[AES256_GCM,data:0EqxRYmoxCQnb3Z4aG6WwH5ZVQ0jeXWol/sSBFowpmg5mUayaLGG4/wFaDu4+1oTai7DoC9omI9jiI9MCGAzbzqFCQrQm6guzXT3D8dCWojfRaChU5VJR0gSPLjqlTAMbbYoKDod58YNYJI9VHhJ6NJRci5sN5b7U/+6YB5XmOvBAbjGZCRcmn8CE4CDtMGn0svZJKikHSVkeXGuAS2zF9sEOS8j+q7/tcCrypcBO7HAqeg/4jqNbyqcRRkOuy9BZnIgmdBPtUQJx3GxCF3YX9e4jfgSnMN15O3/3PgiPFTUjc1sByhP61YImIvSTEOSGNTVxFH0DR5iOMzor6quDdBqh0QUivRhcdHletvJC2cDaPDjQ30C9dA71ZhZwFzRkSSJEhqhQej+5woSCoNif+nRZPSqRNSJ4gtP+d/zmd4UHl3kwI/wFFCKoGp2SD0HSKpWP6T4Jf4NkGdKpG3gMBlqAN+OxqMetL5/fnWFMBlp5VDscAtvXNb3bP9grwW60EdTE1m3pJb4kXwWZa3g,iv:e/ZC3yk78tn7ttoypEeb2UVSlCMOP+OuKVdN6dM7bWM=,tag:meGZrJ8XHxuUHyTjI8DQVQ==,type:str] +vaultwarden-admin-token: 
ENC[AES256_GCM,data:OTfzRrgkVvLVUrKikzPhIFqwC6DQbwhVDExaH7vollApP11oP4en+WPhHhB7KGNsCLoqblDi1uJR2xwhucScJw==,iv:7tyqCb9SBlPGr4/JhED+Nzrh7LNP5/q93iX3/wAPZTg=,tag:5tBnIbDndISdnh1clLrvlA==,type:str] +vaultwarden-ldap-password: ENC[AES256_GCM,data:GroPOxGIq6ItRRokixclOtZEp+mjE6L6nCy8RK6B5xi0TnZ1zmmZ3HVbvgGV6a0HwDoxcfMAPkz053xiFnnZaQ==,iv:qjEO77nx1sqA+ZuL1+i/Kz3RymLSG5OEBu+j4SbFv38=,tag:YGEfoTy0Bk+LW4tpu6Qy/Q==,type:str] +vaultwarden-env: ENC[AES256_GCM,data:vgx8PPRuYoW2ZycLPtyHPiAM+WaVznqMHkp29vTpY5nzE548n0gXw4gb2o0BQ/XdfEiXuZFp25HN1NICSuCsfW7NVGlUdI6tFflWRwHfW8MothJO0+zlPRIK4w0sOHOzUa3VTaTOyTWvzUTIgSkxgF1Ib42PnPYwxIoDVSB/Vt7vG9fUYOjYYB8TVG7pJBS7xn+l2/BGPvR3Paw94EP64bchPUPyvbxbST+JKV//aV7v1diBTJshAQXgCv5/1oft1ccj4c4fcjqrlnjirOggWKPpn/AIetmEDyhgxMPOGMwKZopEbJpmEqvickHOZQ0jWPcpCESqBw==,iv:/F+cgpnQZEtDYZzthWg1TgTUXv9Vwqjt0hed3sz6u10=,tag:JzT/pm8E4DPM7NQd11J+fA==,type:str] +authelia-jwt-secret: ENC[AES256_GCM,data:4H7ZUvxck27nevXeF9fOFmcI8SYC4shFJ42e1ZAX+nvBG+dLgWB0Qv93ltWXen7bnB4WoI03nT82f00JJFpY9w==,iv:m4gdr+WZfsMSrgRm7Mi5rIMci08XloSMkrySckzbnAQ=,tag:Nhc7uwvBkgzBllNwhBZ3Fw==,type:str] +authelia-backend-ldap-password: ENC[AES256_GCM,data:2mSnqcZK9rrcYJ9DVMtFsq9HPPiss4FzaijrVlxgkMT6NRYucuLZhykpJHbQDn+LXD16flfCGEg5FGBKPeDUkA==,iv:PPVP9uwoG37vya7N7QZHgbSR7cI+5l6oSzNgqZHL2gU=,tag:33agzKmjyXo3ntEjQ1qndg==,type:str] +authelia-storage-encryption-key: ENC[AES256_GCM,data:RMHgT3iAOcvvhhRBsAVpsIz+wecBdNVFqpPRNdA02TnroNR367pBHxtPfjiNkPEeYKajJ4zziOv35Zl6q9kSlQ==,iv:mhT9WfF0nN7PZgnRoMOEhQIxnhQ05TAv6dJyzPr40Yw=,tag:K4FG/CJs0H6jW8MOeMqefg==,type:str] +authelia-session-secret: ENC[AES256_GCM,data:v50U6BsbkXjZx2UGKFoLn2cI+KLcPtC9FQQ4uBRKY0uITaDaAnO6gYtc4vKgfYsflCAirHL+bThAKidlc8oxxg==,iv:V+Dp9DULQYqP7+BtxdYsYnKlODhJLQx0AoInTnKx3zo=,tag:Bmo7mKA7rvoobnbvFAM8kQ==,type:str] +authelia-identity-providers-oidc-hmac-secret: 
ENC[AES256_GCM,data:fjCwmrijLMgpu6uFpHO3B+Kx3C30mVTBkGtbfL2WudCoergd3hGwWiSf0aUJY6ClLbRlyyu9IUljkgmC362zGaujaXIHINFO/m4mkLYWnOoRI+ZS8fDaC2jFEBoCfABqoAvCrkbv3Hi1XT/Yed/4CX2cj6PIWH/XBMYniiv2Wqw=,iv:+AC/5irw91VDE2ixZCphg4170KHsV7okL5aack9s+HQ=,tag:KiFT2IPFDjyOLYLvvuqeyQ==,type:str] +authelia-identity-providers-oidc-issuer-certificate-chain: ENC[AES256_GCM,data:LoC1tjpLuuXCHKlx7ZMcDUVlF+iDvKk+ak+YoZO26CJQhOlEezPBKq93RkU+6g65uMMP7XK02YP4WtafRZuDpzCBUMPgs0R7wNJnVibZdUqmXqCy+Ig4KuwHc843yFFVn34J77geYjP13Pi+7NSD4AczScVvIySVrtKzLtoL5zAc+9zoe7rF6OmXsqeP1cs4dErrTTOUWR0FpGmpLsLuqvChUzLsKt1hXchiEYTjN8uClrGDGkEG2nz4QZq45szLzxVlHhixSUTGi+Nyf+gawMzARCUiW/QledVGUYdUU+4p1EzpOpgbS9Um6riJSmnfygHlPtXiqo6yvosZo/z4Hw9bpSvgXF9LIDGW+YZW4wulyx07rkAxcw3QhEhtvjViZAjfEIPT/eEp97b91XPDp7hrvUmMLm2WqmqLCyJ+7KDmuSzvoUEP1juV9dPwvnFzlBFfQ53YUkTQiPPN2Bt6PQ0VQn8WujgINm2adu3B+bWGHx7nznT8T6mTN07SAyS/jAb9DQ8aQ7grgmnRk+P1BYsjEbK2D7cbLyNyK+Mi2yZ3ysmGRpUW3aM9fOW/h1l4WNVGLXvWtOgyKJ2aCxfawFCWQ4q/yP43EujyCIWYr8GHHMQishJjic9W4fkyvDaMKvu3SVTsvtOLxqQSm4Em86NPuViZPNFAqM9ZT0/RcwEN3jUIJelfa7i98VNOab+YINhXTjzm7Da2srefytSXh4tJFv3YtBJJGxt7Nmktiie1AuLUEpdh/reAOCk+HSYLvSddFKSx73iNbKkNy3YuqV520+KXXivAvdVTzFJ1DzApcLTAuZQ49JvSUJYrek9oqldEPfO1nN7DhwEl4HxXrlyVvDg7Ab05cRmgxJFzkf9iCIQHkyaxcQJSjYfX56kexn4Izoq6DJMc1gHqmNo8IeRm61a5gxKhhtABmJfu60LD/lXe4z9xo2NkIgoExJ8buudOcLf4wiFSLmbFsCEy7Y2yBDJVAoUrZVeqRPMiQapnR66UOXwJY1nKWYcAOoGXn6s/FPiZng==,iv:wfna5b+CV38cNirRWGKZ5C0Pztz3LGgO3t4WY1bCROQ=,tag:YSOQjy07vX7mrxzPRnyn7w==,type:str] +authelia-identity-providers-oidc-issuer-private-key: 
ENC[AES256_GCM,data:orFRapL7FBz3ps7ogFzkyLMQS632QT/irp6O3b8UxEb+sTO5+T4tUuhq/CqHkgX9ICZgeZomZuTJh+31wP6IGXW9/NGLmXJnJ/lViob5iZjsPXDhSE8KsveIA4NUrURvDDqryPFB43bM1CXy7cIjIH3rsEdSZGFpKnJy++xZkGM2OpMCTzZTQY0bvGy18hUvZGsyH1hNX8DKAUKrl5EkKqUolMrLeFYMGzTHxRyyTWx6fh6cEqBnonM7v8s3658dFuZ+Z1FvhC+LmNUtF/QsnCcSVAhx1Uit8RNuHJw8ypPb4Du604GC8XSPNF+qCHTXrcn2icEWgfHdkTokUXxKhy2Q+nLDYi45yxLB8v4QyKYQr9pe9Gq+w/rvqGCvJ+TBlVrKTz/KXmqs9WK5IpentPoklN3p+9/5fEfw2SmwFVonj8e96QeMON3JRjwxkDJS2rwijfeiaiiZLJqM90pByfPxfhXDN82oHvlo0bzEoZKl0uCFbcPLosYK23jMkplzIGQGNXOWu2clQ5ygkwNJdnG27o+YotnTO5pd7hehsmkG0pIG7rmdhifibY/laPrAQS3LJTJUaKY4N+TUpoW4FjVzKsdJQ/sez76hBwZYnP57T1FrSdmkkHgA7fQW79mxcqt39Me7IdqPhfgV7D9FMCOvYvYWQ03nKmnj5v3RGjyquoQrBe78aNwL7Rnyfy93GMhIFdcGCiAP8uPQqM2vuyClJ74SB6t+PRbKbPAc1gBPyGHXxxAkhdJqZhV/EYeK2ZJSGBZJlbYLBLsUBFqosBkJ3GcehylRxZuwmxCP5ay92zSqc+b9Pj+DzrwK41UHH5j4s6cr+EZO5x/Or1ob3xqJL4ECFiuotnTSsJW4Hz3+82p6Vl7bXEEZ1OLVQCQgpqqvStl0qDKzNED9ytFC1xK3G31JkdLVBalRHiZV8qi7o6qgQSpnKAKIwSz7EcTQcPu2yqfG33gb76El92nwPZD7DnOlaXAc+jK3WmOUvjlX3mgjo8sOHwhToTfDQn3l8ExWAjg9/VZqEs1/uCaVpAXvFD7skb0I3zbd/1k2RJg3ZJLGUKhWkzM3FTRmN81FncwgTtwqXik9g3snplHH3+eLKvBRi3mjeDPaIFsEdb5dIZXaU+SgY7BemsjB1jL2rya6ipX4xN72Md2F/+8SrhTKTvsQ85ydkyACBUQ9f7KTjwtrvDOeyrCma7d2FCUOOqZEa5x+MAz2mic1x3o2HbhlQSHT6icPP6py7yvuFeyOCthpRKYnlp72jBb1vTGf3EnS3MDcw4hSBR8ztaza3NV/xkdbm44wYzwuAX9H0cFC5E7q2MH6OIWYyIF715G9RTNSE0QkWqYVP5u3MXDYI6wAfh9t3hT739s/F4yZiMEkdhpH4x+0wPL0C3I0gHS7DzOw1A/N3Bf2p2lL5cRwzINKpnGkKMbQd8JdkXworakYrPahSs0uDLk3kcHnCRS5a1SnLwrhJGTbSP+dM9KNBOJmTeqXnVS/u11hkiogUeIZfTydhBYwCKwP95fikX23cWL5j2FM0/C8ueps2xX70aaEvh04Mm9jlaL+k5D/ZkgOZdUUhMG3VyiEZaV1FSyVDtP7IduXcz7A8P+HZG+3Wj0579Z8PCxfj6JxqVpJ8swv2ecQw4cI1ZRN7RjDKLOOoFZFRL7zh8wAejhQVPFFRXuqYxr6ousIMrvA5g2GjZmeJkHkMXVQmrg1uFwIq6FPJnqwzUF44BoFRROr/XKnldSrR+WWus6OgclFhigTbzpC4VPevGx5/REK2lDSIfsf0XnsYmtyYP0HkS9CuR3ZQF+TTQ42WLGXm6V9gZV5PpyZQRCmPJ1cZuOn24JIabxC80Hz4wHw11Uiu8H1ForduVIImuzL75Y+14x0K3nLA1jlI4oCZMGdddFUnHrZgFJ6pUrpSY50Ld1l87fP2eEVxPcdgR3sJWLTWP9X4hSft6uDcMxuDawNwDgEvk7u
IGtjTNcs6rZB7T3Cp2E3wt45uJjQgiRRTnAy1Misv03fTt6dn/lO6qAgy/tVJcgCPQJlUBgToirdTjBXcezmLKr9v6bm/6l/cx4qKHKiePCWovLBPiaKkuAzcdk671xc6+8bZQCoM51h+kzJ1WgG6PHKViKs5Hr0IPD33dxvJV5gCQzYmVzcyu7hfnrV82jhZx0amZcjmAAqY+BtEBKDGAxW5alahhCIXbnRr46Hb2++cwon7MnjG4q+3e5YRbWPk0kkrtIjxj8Aa/qVWI89cNAt+H5zHaTNOCyVf0DPQYEIlMNEJILwifKsp74LdxgcoLVieTSV8Q78EVjvevSKUEbPiJ/LQG41pgILgILsoHLD8FP098UzJKg5gl5w+0gX1dun6rFZUrSNE6bTG7hVDf37X/eYAVJ4h7u6HZzr7/mzp63pXesw/Z/j4FJOLY5oLvBrqnUbuiY+He5Rao5QwOsnOXCtx9XijIM9gkU5LKUKa1/Tw4khyL2O9iotESaPTyYh1Y+OjPOSTIXz6s0L/a1eTnKGYVJ0ZAayQ4oNqdCuIHiA59mlAs+FiCOpS7adwSzW635EcAff/DK710ZQhW7+96+aDmB3t1Metzs9NNwmNpduA44UF7grxYzPGG+j/Sk61Lv9y+yJw7D9wIsOpQnp+tEUUxt+oAn0TGjdyef/WYFV8pm8Oq8UHipxk3geZZUB7WKKIrdKWH2PncaTjh4iBmB3f2Tnv8pCtaDxUXmAF0LC/ZQ1EFRuYxPduQxLF6vQ0WWpRt861Tl3zO6oPl4wIVJ1kNTHqNFVlqfM62X3yU2pE/RU/zMn0YUBRwKqoutcqOiQ2fz2KcUzjuVlmMDl/dzbKsUZBMaDm3AeQaAslyxLsJ51GsziArQlm+K4ZyK5/oQGXdEK7hdkkt9DlAd8X+4+UPcfVzIwCB9/R0EQibeKKhAIMYCL3zQwk+F3M3Gs7vjrhKIYj9c9ebbgD63vgNHjnOdALqUBIy9bpRtyvikr2G14Ll4JF0jIjxQdvm1X3NieMp3sJnYzx5jFYYWyxMoP5H2H8ToPZ2sBpthykYbBpD3dtgqjKd+XnguHlfrLIH2Ucq3VNAVJpUn/B3FEsF7RGuejnIGdTDkVBbCAuUqc/5vktYcEtRaNnHh7K6s9HeOei4axvkYvW8Ajvw2lVCv08K5c2t2d/NFyF7Ae1dYBarSFxT3MDVtNH3dWnOLVuyZKjuc/mjOZ7ovPCc0JYMGjiFFfyl+2PF87+lx95UUoTPVENn/ZtLNECrwIe5ljblCIKJjdbSrkfed3NBxac/M979PXVmcXtNS3zidiPYqMiW1Oq/ufWm4BWrJfMSsgIzpMvfHk6TbqV0uohkT3IExtLZBNZ5XPv4uiP9Gk4IlGd6SoNfYKm2KHlW7+M53mGNiB0lLPPe1C4VAL/K6EV83z8NQM19SV6wKWwO579xocL8Y0coulPcPo8uZZlfYS/PNVxNKEupVHxEoC8n/Hc3bIe5XhDKaXWvklIOEMEfyWxLFVbemmhduDzcOZu2VF6hmXZIa6k3tZYNUxRuDi3BspXwyoA4i3GjihMSitqWOM19+AtUU2DYzW/T0SWYcEPc5CC5mVP7LdlKEzFmKRzr0aOy4kBOZhu1vwuVstrt6NGwj+6MDz2zlj9x4TxEVaxMmnk2IUugXiQwdblzgLlflgFIghBj65rlJ/YoF8RnBIjAYb+4bvmkoW0U137J0/Qi0qfSpQR4sLCP7h4DMV9PpfF4eQQq19mkIjo31d5KO0lmBpXzSn5QwgHmSW+ytjzGu1LuE+UuwXcTMIDaGiUCQ+cAd3HAhMmV60tn4hIWEbKpiu2BP8LivU2ghiX7HRu2t5HzITzmwr5FrFaA/jJELljCEih9YOpO06sBvz6AhTQGGUxV8oPcJb2xzMU0J2WtEVB5MYzFaFCwCrDs76ITVff7HG+axno4VOrXRAOnkENsD8oAM189aig4u2higYewviCzK2btZg
rpj0FxCRHX5gL93NGmPCeO+YO0xlm0ucr5Mbav4gxgJMMmJaglnpRN9T0Ury8+oQBo1IzFsp1qmm0uLA4vRpntGIFBTqWpTWZXCrzHppp8u+defeeakSLHaQeNj7N3OrlKg8Hu1B/rbPS8RwtPZ98EpGGQhxnZ6LMBJqFqf4/WdVD1FhhAZwPr/5T+i+VmHqextF3OB+342UP4iisvnLkf3WqEGwqfosZnhqusifQ0StQi45pPgVgS2Y4DO16ukl4ub0HlgEXGGLpYdgjD/CZI8EHd40fvysI/WSJn6lhq1Sc2BfEzPdOmC7jHwh/p7psLnyfnjEuzl3PMbvfUc5t46u,iv:wW+0wQtN5kZgYlnkNacfEGRzluGRBHGQ7Go9HO6r3sY=,tag:uNWvrLNVfeHg8CrO5tcYjA==,type:str] +gitea-ssh-key: ENC[AES256_GCM,data:rPpT0vo+JZz7p77liYr4CnAPAIIBUtoDMlo6uazj1iG89rxIXwvrCPXE7YBYdarbSIOjyleIUiKs0hBN7ZiUEQ5g7dEsr4L2Unr456kqmKDznEbCtSElFcCjSMGJuZow1sOnA1lXHVd/U49Dlx5LpoUsV/cVreag362I2PcMZWQdrvAGJJnHovbFgi11wQ+IwnuXWKD884CLT3gkpfTVnr16BLFkeeJUpfdJmLr7NOmN33eQzivhG4xbY7uzP5vFFZIOk9wjOrZ4l4Ho47NWKfDhHawrxfnKas86OavWWawrzvyUpG7siazvdx+elzXZopYnadJwFyXJ4123iFkNIn8UVLJgXMpiDle757AeXL302gwmZm5vkFrC7a4CTGdQO4BjpJU3Agvf3Len72TlhPIvkIcQ27dYA1k6IxM7Tk4q8zmSDxXKw7rMmqWST0YVgB5J3zDAxpR2PEi8AQsPSZ0oTiSk+zmZh5tliL8MlA34jRCZabMdY+uL5jlIyTKBDMOJfh8gdOaSsO6c6rxb,iv:lb7j0lVwBWE2aDwMfAEDuzJZqjsZqWygPaMs+vv21k4=,tag:DATZV6WWPV/PrEJ8eqZZOA==,type:str] +grafana-ldap-password: ENC[AES256_GCM,data:WAXDi24lgXvYdtDznBVVbF60BQJyluL+giN8PecXDGjXH3N3bzFS0b5GLok22GwXXAbaoZsQDOvx26Kowk+aNWBCAAB7GtiHuybLR/x866TRD1w9rCTybp1wb6wPzUGT95cSw+3oBy7vb/yhr0dr7JpyGfFO69JslmzZf0N0NHA=,iv:atDoDIFeC4B+JsU2cNqdJCJI9PY9jYq0ZI+3oonIC4Y=,tag:7lDtY/i0UP1Kbppz/JIv2Q==,type:str] +grafana-admin-password: ENC[AES256_GCM,data:58qImxBTolHpljJ5GV4yA+hvsiPlNRCiODqNk6TMdm27swm9Q5h1XWdbhH5FNlntwsTNGZaIqSMIlcXfBweCgZDxKBU6GidoeE2bcD5MGQOWB53dEujaUyZPe8M85QBWo9CYSCAw8VCa5AGF+61Knhx1+tRxjzGaiysbtcW6tTw=,iv:HWa7KRQQaO+lw96rl+F8MN6Ww4DAibR/m6LOTEpbjnM=,tag:DwF4mzuYrcZ38fRKqQFl2Q==,type:str] +grafana-oauth-secret: ENC[AES256_GCM,data:5Nahon+KoWKqMu23kLDGv3K1wDObDYrKWNMsaxO1P4icosterBMT6yoSkOB42CF54vz28GKqqAZYlaZNSGapdVn39wudVMSl,iv:ISUFbza0Jf+EEeOpXk7p2hOH8jQ2AnbxDUx7pXIzSDw=,tag:C4gcB7cE+rrMssVvvK0bQg==,type:str] +linuxbind-password: 
ENC[AES256_GCM,data:L/rCBNm9U0TR3f7ZPuD6zoI5LR6qZJ0rsBtSR856IGTQNNzMSALkNVsJYG2M/VoIaKLkA+fitbsLJEiaCNNLrg==,iv:pdNj4jjbYVUYA9ykFpjkwDUn355069MGzh+F4VvXulg=,tag:jQR+HO1wma5m+eyLqtW+jw==,type:str] +sssd-environment: ENC[AES256_GCM,data:UEoB0duAXes7MXxaXetgkQPMAK0wVyw/QKuU0p55u0wdf68xBQcn5APBWIPBX+AsQ0eePcnP0p01+oBkHjxsa0gW8yODywb16ZRZ89u0QmdrnJuhYFFgAjzyZg==,iv:EhKQzgH9EdQLLjwRHy/HFxbyqA4Ksk2L8P1addcT+MU=,tag:eAxkeVzjIEb6Bww9ZaF3gA==,type:str] +promtail-nginx-password: ENC[AES256_GCM,data:qazwMvixvdkBuxgGraM1CyW8rd/fNStPUt/BB4nR/6Mbll0ur9j6yyikQwjxMEqWzR7I/+as6Bdg5g==,iv:cnoYpUgezk5l+szg0vMymDl7dEFRrX9nOW+MnrCFRxM=,tag:xLNyVVuJhjgQWcOyzmMs3Q==,type:str] +victoria-nginx-password: ENC[AES256_GCM,data:Zn4B0BqB10WwZagZc3TTdwnnd9MR9V8CFkNoy8j3qzD9MPONG44cKHuyqaKKte9EmXqevx0=,iv:XaErXbxG5e1DWEqAm+b5UtMTo+ptwiFeH7+03C5kOAo=,tag:29aXfI85auCvbGEjOA8GVw==,type:str] +nextcloud-adminpass: ENC[AES256_GCM,data:PUso8V7N9Hmdmttu/I2ItddtvURb0xOU8qga8L0Zzj7CWunLydvewvk+o3PtfD7wwPgLauBu0n1hnAIBLgjVGE6QVpXYrLUIj2KoaaR74t05jERGHJv1gQPVAoaqCSuVaGLTcITEff3qqnXcwvONnvEvfrE8UqITTL8dGkjM9+Y=,iv:LHRVnywRW/8UY40WUrUYhPnBEtnJsq73YAcyDECR4ic=,tag:p4lD20qdn9zuX883blMV4g==,type:str] +nextcloud-secrets: ENC[AES256_GCM,data:7vSk0BB+I2hX2K4p3dqzxd5oKbZE57HgQGW0UDn8z84pEf8MB9HVnMm+7s4c8M48/VE5T8Q4qwXOuRAu2YxcDzfpSJ3xHo2t+TPBrcdnFZXNYLUUT2mpXsV74OSY5cqMgWqk8xVx5apvJ7dwOA==,iv:plhnyTql1nuebM69ndagcUzXfqksSD4u94BNs3x1ZVE=,tag:r6MVjDEKp82FavISM2AFvQ==,type:str] +nextcloud-smb-credentials: ENC[AES256_GCM,data:+GCdKKLG3TJrQUnK0A5szL10VRI/zY7ZJKqgx2YJFX7ZL8WNDN0QpcwGfHj+FYB3,iv:Cw4DXnCR1HR06qfN1ZBjZXypEelQA/ii4WqXA69t9pY=,tag:Sb/8LSytLyVVK1dqIUbs1g==,type:str] +atticd: 
ENC[AES256_GCM,data:PrB9lewJV+hSBcRX/v3rwVNqUGCEmOWY9kbiM429slba+JQbg5tmOPdLObs+B/tk9DgmI6pZfpav9z0zKDU5JWX6sVuoA+8fWG7Y5kKETdWCc2NWcM/Ms3l9QZy71Rj4yyCg8D6x1QO2LJmKFuugcKTgC/8G2Kh2/lZKO+5gwOEJvqU+9xk0oZrpFOu5+UUTEpCPYu7AVdO0eoA8VaQ0f4Lyo2MlL8mD4in1rov+r9APR9QRlQWuuBDn51ntzaUdRxyg5t1H7KxylNPllRdcnL9f59Ckx3H4urb9Tr3u1y9r43AOnkiQ5PDFGNSTIHlt12kXLUcKkbNGPN1mjnX27zsdxubLfslGbs8OlD884pIUl7MdRd31QBWm7phO/5jxifWoveXKBxM19HhIvRvnee6KYoGGAU2eoYzpOEKcY8ieuXAczwv1fYPLzX/18V+Md71JTHHrfTRKXr77XUIyyraUVylpR7B0Q698S+LgvrC00ZQFuR/rk8FKU0BG07EcePBv8qnyQkuTt0oYQbPbEipozZubzWeBL6WSxlQwf9PYYhgykwVzY7Y0tqUfJr+l7dtis6s1m6ETXV7PbGEK7wvewjKD8ZFgl8diiO9bdJtjyDAqFOhoPPpC/dyplgaj+qLfrYuM75nrwgLm0rCapmb5UpVaQZnkCh5ckMHUy3XufWHVHC2c8P7Az3GqNxnprKkY+0v/x4kxtAI6EgLFr+E5T6WDZ//cf2WpJJTXwQHUXJqQqcOg1iW7D1BdvzmBYtkAXVCe4+n001ZtqnkM4QkTojQ3ATgZEg+uB6RnhEfHOQoZf+e2dITdCWNU5JurgRq8rjY1qSPfHTf5oXGf1a6ypJ2KQU70uwxdepH4NOoOsCYbYEY6hBSYtTcqpJWXHGIXarFvLpoPfb5tgJdEgWekpXQIlhEKieS9n7pubD7HMBjmuXstKVjWzXYeNVj/VCjwRdg1+jPSK2X5LGHRjcBCmj+P+X6iMb4fcNaFwQLL5H//XKzvt3PfZiieuSM9IzK1WQKOtS5/fJlz131WMFSG8Am27VCdS2Ela7z53lA9Dqp180vuKMRqedFBqYrpzE9Cbyo67H8pygIEOK2cS66MBEPvrlLL2adSlmeQPJHeQ+oC3rg9IwKEWmsdHrUvSWDnp7DkwpWGzxMxHKVU5y7EiUTmKCkm4BEEQFsThpCVJL2wqO0LTqllJUHC+Z9QNLy9Tsln535ciRoz2cqKrRpG25UIREpbcR0+aMwngZxkfSp4++CrfAsrobZks4nry9E15KUISnZsrR7otWXdvTd8i8E+BRr7n9IH68uNzSPB7vt6tVtmAlZBzOZIu1NXeAuK/I6/KyNYLW+7WxQ/In3afVdzuH1OJ3GLmVUwAoOwB1kEMUConlBSx3cXXuOTEBuEIK5X71CvfPAVncWXKcaVp2IKx4OxtBgT5+9LThdXClxP7LrazvI/ucSgDYyxXCkZ2WYGFpGcDwk3sKNgrOmuNVpJRLUDdGzcKAlBftRqFs1PmCAzl99WoXwqGutbA1Kq0LpiPXuhBNiwQAttPsrv19vxn/3BWIggxKvrwDWlDV9U/nvazZ+/pVifOfYJeR95SS5SsLcZbN0w9xcQh7z4XONbho7j6gL2/Hi8rfoxoMnF3NbMeaTlN/Lo0k3N06YOWGiyuOv5PGWA0+uEBudjmxYtmIA/0vA4wPuY2XA5sHzTym/2gVwdcQGJ3Ja6XQCOMNXbpzh+ZMVlQqJRhgV8rJqOo6NtVZ7j0NfMMtwjmPT5u+AzFpDVNt/Z+82PW5WtvjZ6Mc5kaHbOV3l+8eKtq9ropE3MJPIcNli19X5vjcPONujtT9ZfEkM+5EEkv/KxoZdd+Ji7qe6y4A7/ADc/tMEBp+aOk6QMO04f0l+S9lNMEU1nICeTac5rMdBNUenM4/Hd/WpcgGP+NbxpPMTPPXBTo7zcFL7bnOImTGnI8iTwsf8meFvkjQSr
0dawQf4Trpn9I4SuI/o3bmIMhQuZ2t2JyzT84OVgSGAgoCpt1VJ9T4b6pYuaVdNXqdlFghdLHPaMZIU3iSXuuLaqg25INGEQyjC4XWqW3GHDIgPN9wpIQfV+OvZjrY4ppHj/Y/c70A8XG+Cf4uX/dNQM4EaT0cXRA5iFJ5sEIr+sgUntpBAy4oN8gdjXTp6s0sIEZmL6TTQ8dsnD1rIyOnXc6KzGJMYRCyK6iynisWJqKBJTeiSgnWttFWp3Yn1CaJzq0mCKZp896uzSdRTZaSuwdwYaGZXmHM9hfs3Gj+yqK5aDuvoJehKJdwEyBIIz9TiZQDCgGKidMPjTskmo1Kjy7+0tK1NoFhEPMupCD5T9yU7Nyjw1nQC1+9+z9GqGqTZwYv5BOqPBvItn9D1kJXFGrZxdu1oLZwcmWRNw6Ry42cjXtpt9FBbuPlgJdLtMdgiV3w/hfYH9o/fU/0UgZ1fWCbwUQp8NF41nDZiQutIIcAhFLpzXVRvNuV3aA2xSnU/qAbSUsnBjI3eSkUKRO4BnV8ptahfWZaS2WCX3YK/mbxuJRfvEbMhdUjacBcW/weYNmzdWznqLL36Eu6gyD/NrrfnkEP4/rs/xsvCJkaOtT47OxVLYKR7G2XrT7bHfKC9OJS+wRuYqPGyppUb2LxBcWGOqtX1E9R5ZB6/51NgkTiKDgRwkeI+zjgW8m2P9t33PIpmlMSdydiTiPqZpnmYyMqqKEYfVPIpzCnwEcrYkf2ghjcS6yZ4gG2x9ksu3hGyLYEkGmDvYu94yGMkmq7BLJX92tuQJWSEtF5Prl4fylwwGHBOW5HoPfsvOllMEwCRUiZdPIQjwrrL7I88IySfU9AccVrICl3PaBNRcBPe/T48zz/18Libh4ZUf2JLAbPAFVNlNyPlY3/htqNxxewEYqIfpECPv68NnBAUI+gTPP2ntF1ubcXLabRnX1DbaxoU8naYwSAcek6xFiiBRsdfv3qc8vtdAh6WA6fic5oDCBTaz2KCUz99sj6NK6U8KxCQBrrJ7iTM3oGXAAWI29PsleA39GhyLPp/0vdxM44Iwqlo+16jOxhriumN+Lr7OT9pqIp//CJ9tIltEqBHVeOsDMf8K27EG4LcUc5+kL1AGIdeNBI4CEyn3NoPQjq4yANtk6R4Qgwx++5g36caDOsZjC0uJVOfuusuP34rT6PF2lYPY5dPb2RPo83cyzcYyyUC18FMb+G7+p560pCrl93J/JtwCSZ6z44o2yv5ao52MdGzxOlqXmZQMTyot3wophcv0RsfrZ54wkbC0nQGbWvQIWgPRTBcwmg8GqFvtf437K5cZ+2DF3pROdF0AwSQRp6vdJ0G0Uymje/RS6gLEEEv6+wwBU3MrsdI/Io+91teC/qArrtTgydTAHShZcdtoLeF6dK7HsS0fCmBguyY2+Dr7vjhrt1EHQ5AjFiGwut9p1+0lPZYKBmaDcDvY4Q9YFqi9tsOn3nRoLbHcT86ctSP6yMChpM/OuSyuEgXxA5xoEo6e4trgxpAwmDWwJW2tN3iy6ehZTKyMyz1FFHcnxf+jDgleaal2W0I5nythjQPMiVuguBvqbJd7o7RhIY4excVZo5LiLz1ZnQPhhEYBFLQKX/jsXrmqfWiSxnFZ1SNtVn3V05HAvq9t2KvVSc6XjraXsuR7oJe2wea/eD4QIPE0H1xZQKPtIb8MDG3YWBD66+hl0h2cHzaRd2w6jQd2K9ctBYVaNK9jhSLegYnbihLVUbAB5fBlwTQF/KAbWDt/+RO3KHQIg8QDKbWcEnr8qZ7odxzeSxQKP6KSKYOFLMYGWQ07dpFCA30YBPx7FOImf5yWexAx4AqdMNvhYyjPdDsGn+yFoAvaKWXm217m8aQo7FKUHxHIP2RRmmxpsYRyVYTahWGRDeV9x5R0XDG8u2YyLRgOPzw4hRgH+NXRa9ch6svnWYrtwBwO4s7NWXMKr5qH9kR4Oj//TyohUFsxznY8qdN3draBmNNR
6lNOnfXry0XwmjUdwW8I+Vk/g5+tnRNGFrJohWlbiR1OUTIP5cA9RR6x/ptbPUgA3xORLWP/uNHshOfAUzsryi+iJwrObrLLmkzjESmw+pPLneKuXdSNhpgnmWS6ujcpAxO+WK+SXdUfET3Hub4UEGUd4KR3R7KrRuD3hrTWL/k9TljJFOnd8+Cco9k8DjvtG8n2Qb3Kos4r3dkKKWNHEnqv9Bumw48e7j6RizbMLl61o2TmCT1+E6N6YfvwYV46F/NC6chIIN2KbZKSnfCr0l4f13CCbnuZC+6kysenX/KdsKpJst/qd36Vjju94BP1NvUD3GEXeonnAXHPvzUTVuvwOuaxzCv9VfVD73Zlwpit6rG/mCrKEmJ0496B0gqlrDoBvpFQZ5fgQaOBDO+ddtMDWBUEDxsf/YpOnswysbbf1PWVtHbE/Iy/lYd4HRzRaSTIRgqpQhLWLDkqgYxZAHaz/KuB1kZS93ugpzsegl5flS0L3q9tLG9gJeO9xQKiB4VtWptgvLvRq4vh5o2b9RW7T2z7euggUYCxJD/FplBlQzQGqENEF9y9CCkIZi485cm0DbWWosaQMtEilfgox8JGMsQ86x5mFRqa9L64Bbh9RW3Q6kOVzsaTWv/fBRRfTBmxVfkGiSwqKwpJ7RNaerF6mVyMnbF1eRHAcZcyTbOHzREmcF/n/s9Kj1ug6mHItWR0CHtKuG43cLi0haWDRg4LL94dzJJQYO1bquXevb0EByGCaiDdt73ULuCYC787FKKt4FgvSfYQJO0Jhgz2KsdVND5wx7ZkHm6ah0Y4o7jMqehnw7k9XfJODHYuqjk76vNnwPHmRZVE0fRo8W9ChbAUuGZIlVtxozm0Hni3pXw3aO2Me+JNi3f9LHQR2DTvRGl6ACLFiLCMLhfeFXhaCt89cfbIythiqaRHbKcOrNRbX+FOmTZCdovfrwh/nZ7OYQOmNToNGbjmhlvUVcq9uOo1oj8TcmqRbpDjjFZb2ACs25BRKNN47jxw1BPKnC6WlygxFMK4PWRRvG6jDG8am1OHd6UhuDPZs6t1Lz9EDFxDuLm4hxM1b8BoMABb0zRJht+DtA0lMESKO8wCjKwrTq7Ix4EcofTOgsKXS8svYtMaEioy7lqEmzVZBJOcTrHGzI8gS51axGRRtGYiDGPGr/loOzQvDMUaBY/qKzmR9PL04c+TWdtOcSv2TvvAuSSJvRWEcWrIcrfUAOlRfSC8rA6Y1DY87nlSl5J1vlUw+u9d4iD8AiQKGG9niRGT+Z2J+Fi7npK7C5LM6N9Msr7VFcSPy1qsnhxqeLkdy9arSwc5/Ikh+SbjM0QotEPQ5YCEwetIBK/WGI3qY/P4vs2IZGYebWZ6bSHnmICNUdt4B9wYmgRDNcnvsPUVBbrQ8W7MopYXu7hkt7HYqlbiIIjdb0p1bVsZM5ACgtN3QMwDOwXfnP/gVm/EhIE8DkTADVrfvKTw8O428CJFuFOOnV1AYJGoH4nFuIEa5brIJqXduko8zWFmP89WKBENQSG0w/q0Rsl6POXXe5VSQ23Ti1Hd2GbSb9N77J3ujQu5Qtb/jTSf7MiyxDrz6y47kyACD6CcnjMxv9p9nXg0yfmCDfT0AmMbF4k9v0TQWoC5okeuDAcLf3OzZsVCNVK1/YFt3XZiFlxUtpbPnithsFJsbDxX7zdfLuGp4l4bAOVacK0nS2r6SFgioPAxyWyqBpWCFpnmj5McJkWHDwaVvT0vUrXk+5/XgRilOOUZAZ/Z5Rn0AmolAgMdzEfJv1LpDafWljQbwiNCQymFxd0svrClJ+k0mTZWjbjFS8HFiMKo1g8rnOqVphCJD2IvBIyzxF/oPrSMjEpyaVwcHHJ/9uj/iIWYMvul+GDnCX120Ixap23SFTzfhDGkyLybYrAw/Kldxo8q66JQ61Nuebn0B//v9A91ew==,iv:JFmJrFnICIoCGF0gm/5QmseURMMwXrNZLSRaPmVMQ0o=,tag:rh+
M/4STEN9wZtcb8oOQ3Q==,type:str] +atticd-smb-credentials: ENC[AES256_GCM,data:D9tRxFPHrRdsgbp67VHpNcN9aEzenbZGIiLyVLSA6H1J9e3NZ9/sUOU9CctE5q3KByTrKrXQt6f8W3LgfGVEhqrUvwYoOOiTWGAuPw==,iv:alxO3FQZKoTiBbzlY49DY9qY/JZNnHWm1ktE8rcMSHs=,tag:8USQK9BhtDMG4APi0NDgmg==,type:str] +ocis-admin-password: ENC[AES256_GCM,data:lHDccSSVpCrhsx9xnPPxrmVVrgxrfBK3xxrTjOTt8UzJXNqpp8X9vrAvfZ0ylA==,iv:c2RRTNv86Jkf4CzevwzPZQ2VXjMaBGPKVbAlXnggay4=,tag:LpMZ3WrOLig7n1jV9xXsTw==,type:str] +openclaw-mysql-password: ENC[AES256_GCM,data:mCW08YclTKwOyXk+MR9rkADIffWIi5nDYFEG1Au3V0sB3urPIM43rwmndwOsng==,iv:pcwbo3sFJzFbST5iZlk/g9Zes2OnGznKkApF5vt6oHY=,tag:gYA8qyAV98gJQVCtNUD6wA==,type:str] +pushover-api-token: ENC[AES256_GCM,data:yTt2EunzS4/Znn6a/IfVQj57UnP+tr1/NvNl2jT8,iv:deie8DXqk3YQYWXtpqixMFOTyDsz+gJSZ0KJOMbNtnU=,tag:EUMBKf+kTjRq5tGGY6FhZw==,type:str] +pushover-user-key: ENC[AES256_GCM,data:uToVHF9KTrimA3bMhz2EVq8dyssUhZQ91Ajtk5H+,iv:m6NjPWe8bY+rAc3w4g3FcaSWYbFRUflg/mY2U0vvBBw=,tag:TEWOGqzi9sDyrpGryTXD5A==,type:str] +sa-core-mailpw: ENC[AES256_GCM,data:IxVn24kUzabw9uVKA2om5IRWBN91UkNh+09r,iv:PDWZLxoTI9HXsPPGC4IZoQKht58rK/XzQsiOhdGVBxY=,tag:ktY8ZEu75KeiuOQQXWxsZw==,type:str] +zammad-db-password: ENC[AES256_GCM,data:R9X42fxx8t82MkCmRHEPfCBigEOaD6xWS16orbI8C0mG8qkvCRU2dNVqYTGjCn+2bxIxSbM2E03xupzS9qzWxw==,iv:JEx3TE3LqJ8+ud5xW1ODlAowQFk7JMqu9xo+Ghfijc4=,tag:Es0nltFxkBmohbjlRdLrUw==,type:str] +zammad-key-base: ENC[AES256_GCM,data:IEkcphUs9L76cnHawLUFrPKR+8S25lDZ7WyrbW5k4zETv5efi1hwAsTGe0WjSf/VIY6IV+f8PffvvDGw99D7nKZmF1MIy96FOud7jM3W01i4yZ3wnvimT0OIx5kRn3hhb5198X1MXTLLRyQWeRDNtFma4S9cfaVH1bcyF2r+M8E=,iv:nUKG9cGL0nT8k0PYevUdb/V8bAB3dU5q0jUKtBol96s=,tag:TkKRzvtpkuK0FLQI/sjsiA==,type:str] +updns-token: ENC[AES256_GCM,data:kxslz5ATbxptfBRcYzacaMnEwT9+xySh51ef5SkqRIo=,iv:2D/Ds83zEmWe/uZcJUIQCCkd86Xxyc2IzIRgFNni7Sk=,tag:qFy68Uc9owWBBODA0hCxfg==,type:str] +wg_cloonar_key: 
ENC[AES256_GCM,data:TnGjwBnCx5sQi3kWC2BDYRZ/eTmlWbxPTQ9Rh9Q5nc1krV0qSaoJ/SdLSAs=,iv:fSZYnjvDeuyMZztjq6Fr4RA+/WBmwHhiuz8BSq2s08w=,tag:ZilAJldCNRwcuuxvyG6HtA==,type:str] +piped-db-password: ENC[AES256_GCM,data:Sw+NRIcoR6apOcDpV/5s1wdzXp3LzD2EUL/73XvbnWjNCJiJGhisfRfTxf4=,iv:fZvY9wFFv9sSJZFBqwotEUKJqEDRz/y7zIdqaUmIG/8=,tag:5kzimxwrJUuK34VBHxVQQg==,type:str] +piped-http-auth: ENC[AES256_GCM,data:ZPtdotDVBIIl1RSc4XSE2rXRkm1tM/MjsIh1Ls+SS0CDXdpoM91vQkTu4x3/,iv:p1mwQa/lKgJC2NcujX7//bJx7U5ZM2HZsoh6pCUFbeg=,tag:dWoDdZjCvtdEzTWBZ2IWUA==,type:str] +fueltide-lego-credentials: ENC[AES256_GCM,data:rAky5Ymd5y7kt/07N7wzO+BdIx+F59LXtOcXp0wUH0freWGErjhXk2FUac4+hKMAYOB+t42v8MKgnjwy+RGy0uoYkN1/R19NG4O4GZvH3wtw6w==,iv:JRHQXe4hTjTxo9mHSXOCSPS5cAzYd3HzhEE26mpjrLk=,tag:O//xOIDATJd+xuZypDm8Zw==,type:str] +supabase-env: ENC[AES256_GCM,data:tpGHzsqMNo4t/VHLtjxppQ9F7QH1mWklKonTbZEmGsGeDy/qUXrNzo2tINqvKAFgY8ZKeosDEa9VawRwU2J4bJbT4zXy+wySIGLmUEqXT95T4OdGTtg=,iv:HnqPTJV2r2Q0fWkM3KTjOwDlj1PW/u76M1gLK8Khbvc=,tag:w0dOQihy5AV3yfOICSSOQA==,type:str] +fueltide-supabase-db-password: ENC[AES256_GCM,data:8tEJotL/rkV6Yo4G3uQVXDsYjQUtbO+pDjYJS8JoQQ==,iv:FMSfGnspyNDsHibz5bMEmzUmuMbzlHAiJxgjzWLdmD4=,tag:Hb6T9TTlG1b+O1KNDmMyhw==,type:str] sops: age: - recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxYzFWaStyMFVsSk9TRkp0 - eExNL1AvUGl4Skp0N0ZrcTFWc1NaWkNrQmtrCjAwOEMrZW94S2sxcVE2SnRHeWc3 - NEZZTjg2ZVZ4dVhvZ2xUWjlmTjA1QkEKLS0tIG1YdWtBYmlHY1ZnZHFZcFFQRXdq - TGgxZkp1bEEvdGd3VFdxYXF0eCtHeUUKFei/CwLwc9spgzwExzaKAG1/p4SFNdUc - i7tG8ZdW4d0DSNtxiHJT4x8M17z69U7kmTj17ioRsd5hV+JuIYmhQA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmZCtrTlV4NkZXczRmYmtP + Y1lDTzIybThtREVVcERtb3JHUXFlU1drYjNnCjVPOUI1Rm1rWWF6WXd0MGF6Qkhy + dkxWSFZyRjc2dWQ2K3ZiNzlHRktZaWMKLS0tIFhzUzFBUFdRSkFlaWNBQ3RWS0tE + SlVjQjRTN3VMOWdHQ0pHSkNiNFNSalEKjklyGB+rhe/5R0iTjQ4aT0maASGyqU6E + VN8n49sqUiRTi6cEPJakuW5/HHkMLU6rygBjQFDfn13kOTFeTFvvFg== 
-----END AGE ENCRYPTED FILE----- - recipient: age1exny8unxynaw03yu8ppahu5z28uermghr8ag34e7kdqnaduq9stsyettzz enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaNXRaOVBKUFZld3VUVGJt - NTF3YTEvOWVFZzI2YW14M2ZYV3ByUHA3OWlZCnZZbVhNTkFpYVAvaHFpVDkxT3BS - dFFLdDFFVEo2cnFyTk1CMXMvcWt2T3MKLS0tIDlJSlo5bG1ZRjFQaEpybjRCZkh1 - bzMwMHZMVWxobHIrMHZBeDZMSkwrVlEKQbAMCacyIllIC0lZakWB2J2iVTdK5qdM - rNObc3rq8PZkvJMxeTDt1mVvLIOJU4fUn8UCMx1pa0Wz+NTkKkkUUw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkVjc1aXZ4M1pXUGlySGJp + dG40Ym5kNHlNWnVLcncrbitGNWRKV2xsVnhRCmJjcFg0NHdyUGxrQmVhMm9LdVdh + ckQ0d0J1dnUrWVNQS2s1VzB3SlF1SEkKLS0tIEJVWSt5VVRvUUdzVmY5eGE4Wk9Q + L1hqTkdEWHhuNzV6Qm9aOUxqQ3NrTFEKyiuO1ms+a/HV+RVmVUnVCqw6jB3NN+ii + 2yz3cIORMqTaeC2jLjxDrRpNj6Y4Z85YT5uJI3QNol03nqRxdCryOw== -----END AGE ENCRYPTED FILE----- - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQZUR2cFVxUW9TNjBLNFVP - cThwVFF0OGpvNnJ5VGhST3ZkM2c5Y1VUY0Y4CnJ0ZFhOYWZ2c1doUmdJZVJRU0Nm - YlI1TlRkVUJyc1dHenRVZGwwN3YyWDgKLS0tIC9PN1c1QWJ5c1NtSnV5TFl6NXlR - aGVLUzIwWjdwWDBNSVdzSlFsZjE3MjQKyX1pyL3Lf/Epfqp4UJWmySMJps/1IZxb - levsN+2CvhQNiFDaknVRQ7l1JpHfg1GyhqerjlGNKJQyA0KoBBZOzw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUUFN2dTBBR0xmVSttTFB3 + d3dTNGJXMlVRUjc3Wk1NRUdBSlA2S1E4N1NRCjY3TTU0bk13NTdEMVV2ZnVHdW5n + amhwOUFrMWVOTlhEWU5ZeDFKYTlzM2cKLS0tIFI2ZEFjL0hLUjdCNkZkanN0VEhL + MTlrRVo4Y3VKQmVpNkRzNGt2UkQyK28KSpZDVxYqcHnb+03mwSs5wbPgrA+LU1Ap + 9h1nDG8hKYUq28gfnck6ujnh7QX83wujHmRWtEDGkMrriL082wKM/Q== -----END AGE ENCRYPTED FILE----- - recipient: age1ylrpaytkm0k5kcecsxvyv5xd9ts4md0uap48g6wsmj9pwm4lf5esffu0gw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWeUo1Y0d5RjduWDloRVZH - NUFIamg3bVlYZkI3WGJqVDVLTENoYTZpVUhBCmdzYm5qUTVXM2hWYVN2aGRKM0Ra - TUtGWjJZSHExRlRTOTRJNGZSU2ZibU0KLS0tIHE1MUZYOVFNK3FudnYzd25NZTFp - 
MDdacW00M2wwRUtsMUpwRWxHOFJ1TkEKmBULK5JZYwVJAoKgcM8GPXXto6QogDA9 - dTlGnMiDxmfNWFbA+Fl1gb6vw8rC/ufs+Binf1TibD413ezK4JNE+w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiU0MwTFYrd0pYcy9HODh1 + blh6Q2dSWGI1RU5aZ1M4b2VncnB6NnVIaDNjClBNam9zR2tHYUJJVkgvcHZOMDVa + emZIWVNSZzd4QUpqdjhXU29jOHlnN00KLS0tIGl6bE9ERnN4UUpUWmhlb0h5VnZq + TGZldmsrM2hnZFQrdFBTVnl4TDdUak0K6oMHz4FdZiGp+0pKNMYxp2ptrAZIDJoV + kdth0XLBDrLf7+dZolBPTStTfruVi3+aWDCGEQYnHOnaYg9IdDLPCA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-04-24T19:14:56Z" - mac: ENC[AES256_GCM,data:JvzlrUYskscZJuRQezku0FegWl5wL3q9BmxwMchqKyKkfr/I+ujZTKogn4iQMiYgy5B/zHIgJhHwtgSR3/CCVXF1M/PLqRoIdhBYgMGoVVx9e7xt+TGd47cL/9LHVHe7y3gJsP2ZkGJBHEMy8cPF8dXYFKUkZWR9AxY438vqYuw=,iv:VMN+Qc/DvudTnKI2x/CbS5UWOEShDVdOl95K9Zccfv0=,tag:it/nLuWMpUhDrxi25m8vtA==,type:str] + lastmodified: "2026-04-24T19:52:34Z" + mac: ENC[AES256_GCM,data:hZypJE2mMarXuq8yOget0F/xLLvaU+KxxZYT3BptX56iDDiMbMOBH5kHWA3syIIg7SmovvCATOH60svpCBeGNXNY3Tuhi4OheGkJPHvihdvhgjHze+egKWACKce87ycusQJGqwMRcGfNIehfeNEiezaUtXno22UWjQyPLzo684o=,iv:wvKvrmLuQZIWehO0SIiDCmQx/4u1xoo7wIScMl6IuSQ=,tag:spca+w+0fETCXbmKdKj29Q==,type:str] unencrypted_suffix: _unencrypted version: 3.12.1