From a80fa1aaade4ceae98647cbc502f8fdbf8c4c293 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics <dominik.polakovics@cloonar.com>
Date: Thu, 19 Mar 2026 15:19:17 +0100
Subject: [PATCH 1/8] feat: update ai mailer and configure language

---
 hosts/fw/modules/ai-mailer.nix | 3 ++-
 utils/pkgs/ai-mailer.nix       | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/hosts/fw/modules/ai-mailer.nix b/hosts/fw/modules/ai-mailer.nix
index 4d38431..7c04880 100644
--- a/hosts/fw/modules/ai-mailer.nix
+++ b/hosts/fw/modules/ai-mailer.nix
@@ -27,9 +27,10 @@
 
       ai:
         openrouter_api_key: "file://${config.sops.secrets.ai-mailer-openrouter-key.path}"
-        model: "openai/gpt-5-mini"
+        model: "openai/gpt-5.4-mini"
         temperature: 0.3
         max_tokens: 200000
+        default_language: German
 
       context:
         urls:
diff --git a/utils/pkgs/ai-mailer.nix b/utils/pkgs/ai-mailer.nix
index 4ab8f96..fd7a1ae 100644
--- a/utils/pkgs/ai-mailer.nix
+++ b/utils/pkgs/ai-mailer.nix
@@ -6,8 +6,8 @@ buildGoModule rec {
 
   src = fetchgit {
     url = "https://git.cloonar.com/Paraclub/ai-mailer.git";
-    rev = "e88ac7caff72ffee206dc931f9e16b460d205f7e";
-    sha256 = "sha256-eafDeXvslj3P3TOcng1zObP/Vyva7GY/eSstmKynnBI=";
+    rev = "1d03d584c2da3ce7ce5761f03fa0a7daadc23471";
+    sha256 = "sha256-kXW15cX9WTQQejAC+Rs3KQwpRHCQA34oT07RX9Vibp0=";
   };
 
   vendorHash = "sha256-cEnb629V1dylMQfmB/8qv9gl1+T72rlkEd4wcsterXE=";

From c2e70e2a263ccd586e035bde810a6ba2cab323a2 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics <dominik.polakovics@cloonar.com>
Date: Sat, 28 Mar 2026 14:21:14 +0100
Subject: [PATCH 2/8] feat: fw add subnet to wireguard

---
 hosts/fw/modules/wireguard.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hosts/fw/modules/wireguard.nix b/hosts/fw/modules/wireguard.nix
index 6a16ad8..9edc537 100644
--- a/hosts/fw/modules/wireguard.nix
+++ b/hosts/fw/modules/wireguard.nix
@@ -47,7 +47,7 @@
           endpoint = "5.9.131.17:51821";
           publicKey = "T7jPGSapSudtKyWwi2nu+2hjjse96I4U3lccRHZWd2s=";
           presharedKeyFile = config.sops.secrets.wg_epicenter_works_psk.path; 
-          allowedIPs = [ "10.14.1.0/24" "10.14.2.0/24" "10.14.11.0/24" "10.14.40.0/24" "10.25.0.0/24" "10.50.60.0/24" ];
+          allowedIPs = [ "10.14.1.0/24" "10.14.2.0/24" "10.14.11.0/24" "10.14.40.0/24" "10.25.0.0/24" "10.50.60.0/24" "10.60.60.0/24" ];
         }
       ];
     };

From 3568719372c3458e9e4d9f7ca4991e24cc1327a0 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics <dominik.polakovics@cloonar.com>
Date: Sat, 28 Mar 2026 14:21:32 +0100
Subject: [PATCH 3/8] feat: nb add epicenter-vm

---
 hosts/nb/modules/epicenter.nix | 43 +++++++++++++++++++++++++++++++++-
 1 file changed, 42 insertions(+), 1 deletion(-)

diff --git a/hosts/nb/modules/epicenter.nix b/hosts/nb/modules/epicenter.nix
index 14cb508..7b48969 100644
--- a/hosts/nb/modules/epicenter.nix
+++ b/hosts/nb/modules/epicenter.nix
@@ -1,5 +1,45 @@
-{ lib, pkgs, ... }: 
+{ lib, pkgs, ... }:
 let
+  epicenter-vm = pkgs.writeShellScriptBin "epicenter-vm" ''
+    set -euo pipefail
+
+    VM_DIR="$HOME/epicenter-vm"
+    DISK="$VM_DIR/disk.qcow2"
+    ISO=""
+
+    while [[ $# -gt 0 ]]; do
+      case "$1" in
+        --iso) ISO="$2"; shift 2 ;;
+        *) echo "Usage: epicenter-vm [--iso /path/to/file.iso]"; exit 1 ;;
+      esac
+    done
+
+    # Create disk if it doesn't exist
+    if [ ! -f "$DISK" ]; then
+      mkdir -p "$VM_DIR"
+      ${pkgs.qemu}/bin/qemu-img create -f qcow2 "$DISK" 60G
+    fi
+
+    QEMU_ARGS=(
+      -enable-kvm
+      -m 4G
+      -smp 2
+      -drive "file=$DISK,format=qcow2,if=virtio"
+      -bios ${pkgs.OVMF.fd}/FV/OVMF.fd
+      -display gtk,gl=on
+      -device virtio-vga-gl
+      -device virtio-net-pci,netdev=net0
+      -netdev user,id=net0,hostfwd=tcp::2222-:22
+    )
+
+    # Attach ISO if provided
+    if [ -n "$ISO" ]; then
+      QEMU_ARGS+=(-cdrom "$ISO" -boot d)
+    fi
+
+    exec ${pkgs.qemu}/bin/qemu-system-x86_64 "''${QEMU_ARGS[@]}"
+  '';
+
   wrapperScript = pkgs.writeShellScriptBin "rustdesk-epicenter-wrapper" ''
     # Grant epicenter user access to the Wayland socket
     ${pkgs.acl}/bin/setfacl -m u:epicenter:x "$XDG_RUNTIME_DIR"
@@ -22,6 +62,7 @@ let
   };
 in {
   environment.systemPackages = [
+    epicenter-vm
     rustdeskEpicenterDesktopItem
   ];
 

From 31ae2be273c970746b7c7220b45b1cc8dfde4b88 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics <dominik.polakovics@cloonar.com>
Date: Sat, 28 Mar 2026 14:21:36 +0100
Subject: [PATCH 4/8] fix: nb printer

---
 hosts/nb/modules/printer.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hosts/nb/modules/printer.nix b/hosts/nb/modules/printer.nix
index 2b8b347..a085dad 100644
--- a/hosts/nb/modules/printer.nix
+++ b/hosts/nb/modules/printer.nix
@@ -8,7 +8,7 @@ let
       -v 'ipp://brn30055c566237.cloonar.multimedia/ipp/print' \
       -m 'everywhere'
 
-      lpadmin -d 'epicenter.works'
+      lpadmin -d 'Cloonar'
     '';
   };
 

From ab3b4a000ebfcf2351fc4456d3165cfc489fc968 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics <dominik.polakovics@cloonar.com>
Date: Sat, 28 Mar 2026 14:21:48 +0100
Subject: [PATCH 5/8] feat: web-arm add supabase

---
 hosts/web-arm/configuration.nix               |   1 +
 hosts/web-arm/modules/supabase/default.nix    | 433 ++++++++++++++++++
 .../web-arm/modules/supabase/env-generate.sh  |  89 ++++
 .../modules/supabase/kong-entrypoint.sh       |  25 +
 hosts/web-arm/modules/supabase/kong.yml       | 265 +++++++++++
 hosts/web-arm/modules/supabase/pooler.exs     |  30 ++
 .../modules/supabase/sql/_supabase.sql        |   2 +
 hosts/web-arm/modules/supabase/sql/jwt.sql    |   4 +
 hosts/web-arm/modules/supabase/sql/logs.sql   |   5 +
 hosts/web-arm/modules/supabase/sql/pooler.sql |   5 +
 .../web-arm/modules/supabase/sql/realtime.sql |   3 +
 hosts/web-arm/modules/supabase/sql/roles.sql  |   6 +
 .../web-arm/modules/supabase/sql/webhooks.sql | 153 +++++++
 hosts/web-arm/modules/supabase/vector.yml     | 255 +++++++++++
 hosts/web-arm/secrets.yaml                    | 119 ++---
 15 files changed, 1336 insertions(+), 59 deletions(-)
 create mode 100644 hosts/web-arm/modules/supabase/default.nix
 create mode 100644 hosts/web-arm/modules/supabase/env-generate.sh
 create mode 100644 hosts/web-arm/modules/supabase/kong-entrypoint.sh
 create mode 100644 hosts/web-arm/modules/supabase/kong.yml
 create mode 100644 hosts/web-arm/modules/supabase/pooler.exs
 create mode 100644 hosts/web-arm/modules/supabase/sql/_supabase.sql
 create mode 100644 hosts/web-arm/modules/supabase/sql/jwt.sql
 create mode 100644 hosts/web-arm/modules/supabase/sql/logs.sql
 create mode 100644 hosts/web-arm/modules/supabase/sql/pooler.sql
 create mode 100644 hosts/web-arm/modules/supabase/sql/realtime.sql
 create mode 100644 hosts/web-arm/modules/supabase/sql/roles.sql
 create mode 100644 hosts/web-arm/modules/supabase/sql/webhooks.sql
 create mode 100644 hosts/web-arm/modules/supabase/vector.yml

diff --git a/hosts/web-arm/configuration.nix b/hosts/web-arm/configuration.nix
index a5501ac..17927db 100644
--- a/hosts/web-arm/configuration.nix
+++ b/hosts/web-arm/configuration.nix
@@ -20,6 +20,7 @@
     ./modules/blackbox-exporter.nix
     ./modules/updns.nix
     ./modules/atticd.nix
+    ./modules/supabase
 
     ./utils/modules/autoupgrade.nix
     ./utils/modules/promtail
diff --git a/hosts/web-arm/modules/supabase/default.nix b/hosts/web-arm/modules/supabase/default.nix
new file mode 100644
index 0000000..ce515a7
--- /dev/null
+++ b/hosts/web-arm/modules/supabase/default.nix
@@ -0,0 +1,433 @@
+{ config, lib, pkgs, ... }:
+
+let
+  kongEntrypoint = pkgs.writeTextFile {
+    name = "kong-entrypoint.sh";
+    executable = true;
+    text = builtins.readFile ./kong-entrypoint.sh;
+  };
+
+  envGenerateScript = pkgs.writeShellScript "supabase-env-generate"
+    (builtins.readFile ./env-generate.sh);
+
+  # Common extra options for all containers to join the supabase network
+  supabaseNet = [ "--network=supabase-net" ];
+
+in
+{
+  # --- SOPS secret ---
+  sops.secrets.supabase-env = { };
+
+  # --- Persistent data directories ---
+  systemd.tmpfiles.rules = [
+    "d /var/lib/supabase/db/data 0700 root root -"
+    "d /var/lib/supabase/storage 0755 root root -"
+    "d /var/lib/supabase/functions 0755 root root -"
+    "d /var/lib/supabase/snippets 0755 root root -"
+  ];
+
+  # --- Systemd services: network, env generation, and container ordering ---
+  systemd.services =
+    let
+      containerNames = [
+        "supabase-db"
+        "supabase-analytics"
+        "supabase-auth"
+        "supabase-rest"
+        "supabase-realtime"
+        "supabase-storage"
+        "supabase-imgproxy"
+        "supabase-meta"
+        "supabase-studio"
+        "supabase-kong"
+        "supabase-vector"
+        "supabase-pooler"
+        "supabase-functions"
+      ];
+      mkContainerDeps = name: {
+        "docker-${name}" = {
+          after = [ "init-supabase-network.service" "supabase-env-generate.service" ];
+          requires = [ "init-supabase-network.service" "supabase-env-generate.service" ];
+        };
+      };
+    in
+    lib.mkMerge (map mkContainerDeps containerNames ++ [
+      {
+        init-supabase-network = {
+          description = "Create supabase-net Docker network";
+          after = [ "docker.service" ];
+          requires = [ "docker.service" ];
+          wantedBy = [ "multi-user.target" ];
+          serviceConfig = {
+            Type = "oneshot";
+            RemainAfterExit = true;
+            # '-' prefix tells systemd to ignore non-zero exit (network may already exist)
+            ExecStart = "-${pkgs.docker}/bin/docker network create supabase-net";
+          };
+        };
+        supabase-env-generate = {
+          description = "Generate Supabase per-container env files from SOPS secrets";
+          after = [ "docker.service" ];
+          requires = [ "docker.service" ];
+          wantedBy = [ "multi-user.target" ];
+          serviceConfig = {
+            Type = "oneshot";
+            RemainAfterExit = true;
+            ExecStart = "${envGenerateScript} ${config.sops.secrets.supabase-env.path}";
+          };
+        };
+      }
+    ]);
+
+  # --- Containers ---
+  virtualisation.oci-containers.containers = {
+
+    # 1. PostgreSQL
+    supabase-db = {
+      image = "supabase/postgres:15.8.1.085";
+      environment = {
+        POSTGRES_HOST = "/var/run/postgresql";
+        PGPORT = "5432";
+        POSTGRES_PORT = "5432";
+        PGDATABASE = "postgres";
+        POSTGRES_DB = "postgres";
+        JWT_EXP = "3600";
+      };
+      environmentFiles = [ "/run/supabase/db.env" ];
+      volumes = [
+        "/var/lib/supabase/db/data:/var/lib/postgresql/data"
+        "${./sql/_supabase.sql}:/docker-entrypoint-initdb.d/migrations/97-_supabase.sql:ro"
+        "${./sql/realtime.sql}:/docker-entrypoint-initdb.d/migrations/99-realtime.sql:ro"
+        "${./sql/logs.sql}:/docker-entrypoint-initdb.d/migrations/99-logs.sql:ro"
+        "${./sql/pooler.sql}:/docker-entrypoint-initdb.d/migrations/99-pooler.sql:ro"
+        "${./sql/webhooks.sql}:/docker-entrypoint-initdb.d/init-scripts/98-webhooks.sql:ro"
+        "${./sql/roles.sql}:/docker-entrypoint-initdb.d/init-scripts/99-roles.sql:ro"
+        "${./sql/jwt.sql}:/docker-entrypoint-initdb.d/init-scripts/99-jwt.sql:ro"
+        "supabase-db-config:/etc/postgresql-custom"
+      ];
+      cmd = [
+        "postgres"
+        "-c" "config_file=/etc/postgresql/postgresql.conf"
+        "-c" "log_min_messages=fatal"
+      ];
+      extraOptions = supabaseNet ++ [
+        "--network-alias=db"
+        "--shm-size=2g"
+      ];
+    };
+
+    # 2. Analytics (Logflare)
+    supabase-analytics = {
+      image = "supabase/logflare:1.31.2";
+      dependsOn = [ "supabase-db" ];
+      environment = {
+        LOGFLARE_NODE_HOST = "127.0.0.1";
+        DB_USERNAME = "supabase_admin";
+        DB_DATABASE = "_supabase";
+        DB_HOSTNAME = "db";
+        DB_PORT = "5432";
+        DB_SCHEMA = "_analytics";
+        LOGFLARE_SINGLE_TENANT = "true";
+        LOGFLARE_SUPABASE_MODE = "true";
+        POSTGRES_BACKEND_SCHEMA = "_analytics";
+        LOGFLARE_FEATURE_FLAG_OVERRIDE = "multibackend=true";
+      };
+      environmentFiles = [ "/run/supabase/analytics.env" ];
+      extraOptions = supabaseNet ++ [
+        "--network-alias=analytics"
+      ];
+    };
+
+    # 3. Auth (GoTrue)
+    supabase-auth = {
+      image = "supabase/gotrue:v2.186.0";
+      dependsOn = [ "supabase-db" "supabase-analytics" ];
+      environment = {
+        GOTRUE_API_HOST = "0.0.0.0";
+        GOTRUE_API_PORT = "9999";
+        API_EXTERNAL_URL = "https://supabase.cloonar.com";
+        GOTRUE_DB_DRIVER = "postgres";
+        GOTRUE_SITE_URL = "https://supabase.cloonar.com";
+        GOTRUE_URI_ALLOW_LIST = "";
+        GOTRUE_DISABLE_SIGNUP = "false";
+        GOTRUE_JWT_ADMIN_ROLES = "service_role";
+        GOTRUE_JWT_AUD = "authenticated";
+        GOTRUE_JWT_DEFAULT_GROUP_NAME = "authenticated";
+        GOTRUE_JWT_EXP = "3600";
+        GOTRUE_EXTERNAL_EMAIL_ENABLED = "true";
+        GOTRUE_EXTERNAL_ANONYMOUS_USERS_ENABLED = "false";
+        GOTRUE_MAILER_AUTOCONFIRM = "true";
+        GOTRUE_SMTP_ADMIN_EMAIL = "admin@cloonar.com";
+        GOTRUE_SMTP_HOST = "supabase-mail";
+        GOTRUE_SMTP_PORT = "2500";
+        GOTRUE_SMTP_USER = "";
+        GOTRUE_SMTP_PASS = "";
+        GOTRUE_SMTP_SENDER_NAME = "Supabase";
+        GOTRUE_MAILER_URLPATHS_INVITE = "/auth/v1/verify";
+        GOTRUE_MAILER_URLPATHS_CONFIRMATION = "/auth/v1/verify";
+        GOTRUE_MAILER_URLPATHS_RECOVERY = "/auth/v1/verify";
+        GOTRUE_MAILER_URLPATHS_EMAIL_CHANGE = "/auth/v1/verify";
+        GOTRUE_EXTERNAL_PHONE_ENABLED = "false";
+        GOTRUE_SMS_AUTOCONFIRM = "false";
+      };
+      environmentFiles = [ "/run/supabase/auth.env" ];
+      extraOptions = supabaseNet ++ [
+        "--network-alias=auth"
+      ];
+    };
+
+    # 4. REST (PostgREST)
+    supabase-rest = {
+      image = "postgrest/postgrest:v14.6";
+      dependsOn = [ "supabase-db" ];
+      environment = {
+        PGRST_DB_SCHEMAS = "public,storage,graphql_public";
+        PGRST_DB_MAX_ROWS = "1000";
+        PGRST_DB_EXTRA_SEARCH_PATH = "public";
+        PGRST_DB_ANON_ROLE = "anon";
+        PGRST_DB_USE_LEGACY_GUCS = "false";
+        PGRST_APP_SETTINGS_JWT_EXP = "3600";
+      };
+      environmentFiles = [ "/run/supabase/rest.env" ];
+      cmd = [ "postgrest" ];
+      extraOptions = supabaseNet ++ [
+        "--network-alias=rest"
+      ];
+    };
+
+    # 5. Realtime
+    supabase-realtime = {
+      image = "supabase/realtime:v2.76.5";
+      dependsOn = [ "supabase-db" ];
+      environment = {
+        PORT = "4000";
+        DB_HOST = "db";
+        DB_PORT = "5432";
+        DB_USER = "supabase_admin";
+        DB_NAME = "postgres";
+        DB_AFTER_CONNECT_QUERY = "SET search_path TO _realtime";
+        DB_ENC_KEY = "supabaserealtime";
+        ERL_AFLAGS = "-proto_dist inet_tcp";
+        DNS_NODES = "''";
+        RLIMIT_NOFILE = "10000";
+        APP_NAME = "realtime";
+        SEED_SELF_HOST = "true";
+        RUN_JANITOR = "true";
+        DISABLE_HEALTHCHECK_LOGGING = "true";
+      };
+      environmentFiles = [ "/run/supabase/realtime.env" ];
+      extraOptions = supabaseNet ++ [
+        # Hostname must be realtime-dev.supabase-realtime for tenant ID parsing
+        "--hostname=realtime-dev.supabase-realtime"
+        "--network-alias=realtime-dev.supabase-realtime"
+      ];
+    };
+
+    # 6. Storage
+    supabase-storage = {
+      image = "supabase/storage-api:v1.44.2";
+      dependsOn = [ "supabase-db" "supabase-rest" "supabase-imgproxy" ];
+      environment = {
+        POSTGREST_URL = "http://rest:3000";
+        STORAGE_PUBLIC_URL = "https://supabase.cloonar.com";
+        REQUEST_ALLOW_X_FORWARDED_PATH = "true";
+        FILE_SIZE_LIMIT = "52428800";
+        STORAGE_BACKEND = "file";
+        GLOBAL_S3_BUCKET = "stub";
+        FILE_STORAGE_BACKEND_PATH = "/var/lib/storage";
+        TENANT_ID = "stub";
+        REGION = "stub";
+        ENABLE_IMAGE_TRANSFORMATION = "true";
+        IMGPROXY_URL = "http://imgproxy:5001";
+      };
+      environmentFiles = [ "/run/supabase/storage.env" ];
+      volumes = [
+        "/var/lib/supabase/storage:/var/lib/storage"
+      ];
+      extraOptions = supabaseNet ++ [
+        "--network-alias=storage"
+      ];
+    };
+
+    # 7. Imgproxy
+    supabase-imgproxy = {
+      image = "darthsim/imgproxy:v3.30.1";
+      environment = {
+        IMGPROXY_BIND = ":5001";
+        IMGPROXY_LOCAL_FILESYSTEM_ROOT = "/";
+        IMGPROXY_USE_ETAG = "true";
+        IMGPROXY_AUTO_WEBP = "true";
+        IMGPROXY_MAX_SRC_RESOLUTION = "16.8";
+      };
+      volumes = [
+        "/var/lib/supabase/storage:/var/lib/storage"
+      ];
+      extraOptions = supabaseNet ++ [
+        "--network-alias=imgproxy"
+      ];
+    };
+
+    # 8. Meta (pg-meta)
+    supabase-meta = {
+      image = "supabase/postgres-meta:v0.95.2";
+      dependsOn = [ "supabase-db" ];
+      environment = {
+        PG_META_PORT = "8080";
+        PG_META_DB_HOST = "db";
+        PG_META_DB_PORT = "5432";
+        PG_META_DB_NAME = "postgres";
+        PG_META_DB_USER = "supabase_admin";
+      };
+      environmentFiles = [ "/run/supabase/meta.env" ];
+      extraOptions = supabaseNet ++ [
+        "--network-alias=meta"
+      ];
+    };
+
+    # 9. Studio
+    supabase-studio = {
+      image = "supabase/studio:2026.03.16-sha-5528817";
+      dependsOn = [ "supabase-analytics" ];
+      environment = {
+        HOSTNAME = "::";
+        STUDIO_PG_META_URL = "http://meta:8080";
+        POSTGRES_PORT = "5432";
+        POSTGRES_HOST = "db";
+        POSTGRES_DB = "postgres";
+        PGRST_DB_SCHEMAS = "public,storage,graphql_public";
+        PGRST_DB_MAX_ROWS = "1000";
+        PGRST_DB_EXTRA_SEARCH_PATH = "public";
+        DEFAULT_ORGANIZATION_NAME = "Default Organization";
+        DEFAULT_PROJECT_NAME = "Default Project";
+        SUPABASE_URL = "http://kong:8000";
+        SUPABASE_PUBLIC_URL = "https://supabase.cloonar.com";
+        NEXT_PUBLIC_ENABLE_LOGS = "true";
+        NEXT_ANALYTICS_BACKEND_PROVIDER = "postgres";
+        LOGFLARE_URL = "http://analytics:4000";
+        SNIPPETS_MANAGEMENT_FOLDER = "/app/snippets";
+        EDGE_FUNCTIONS_MANAGEMENT_FOLDER = "/app/edge-functions";
+      };
+      environmentFiles = [ "/run/supabase/studio.env" ];
+      volumes = [
+        "/var/lib/supabase/snippets:/app/snippets"
+        "/var/lib/supabase/functions:/app/edge-functions"
+      ];
+      extraOptions = supabaseNet ++ [
+        "--network-alias=studio"
+      ];
+    };
+
+    # 10. Kong (API Gateway)
+    supabase-kong = {
+      image = "kong/kong:3.9.1";
+      dependsOn = [ "supabase-studio" ];
+      environment = {
+        KONG_DATABASE = "off";
+        KONG_DECLARATIVE_CONFIG = "/usr/local/kong/kong.yml";
+        KONG_DNS_ORDER = "LAST,A,CNAME";
+        KONG_DNS_NOT_FOUND_TTL = "1";
+        KONG_PLUGINS = "request-transformer,cors,key-auth,acl,basic-auth,request-termination,ip-restriction,post-function";
+        KONG_NGINX_PROXY_PROXY_BUFFER_SIZE = "160k";
+        KONG_NGINX_PROXY_PROXY_BUFFERS = "64 160k";
+        KONG_PROXY_ACCESS_LOG = "/dev/stdout combined";
+      };
+      environmentFiles = [ "/run/supabase/kong.env" ];
+      ports = [
+        "127.0.0.1:8000:8000"
+        "127.0.0.1:8443:8443"
+      ];
+      volumes = [
+        "${./kong.yml}:/home/kong/temp.yml:ro"
+        "${kongEntrypoint}:/home/kong/kong-entrypoint.sh:ro"
+      ];
+      entrypoint = "/home/kong/kong-entrypoint.sh";
+      extraOptions = supabaseNet ++ [
+        "--network-alias=kong"
+      ];
+    };
+
+    # 11. Vector (log collection)
+    supabase-vector = {
+      image = "timberio/vector:0.53.0-alpine";
+      environment = { };
+      environmentFiles = [ "/run/supabase/vector.env" ];
+      volumes = [
+        "${./vector.yml}:/etc/vector/vector.yml:ro"
+        "/var/run/docker.sock:/var/run/docker.sock:ro"
+      ];
+      cmd = [ "--config" "/etc/vector/vector.yml" ];
+      extraOptions = supabaseNet ++ [
+        "--network-alias=vector"
+        "--security-opt=label=disable"
+      ];
+    };
+
+    # 12. Pooler (Supavisor)
+    supabase-pooler = {
+      image = "supabase/supavisor:2.7.4";
+      dependsOn = [ "supabase-db" ];
+      environment = {
+        PORT = "4000";
+        CLUSTER_POSTGRES = "true";
+        REGION = "local";
+        ERL_AFLAGS = "-proto_dist inet_tcp";
+        POOLER_POOL_MODE = "transaction";
+        POSTGRES_PORT = "5432";
+        POSTGRES_DB = "postgres";
+        POOLER_TENANT_ID = "default-tenant";
+        POOLER_DEFAULT_POOL_SIZE = "20";
+        POOLER_MAX_CLIENT_CONN = "100";
+        DB_POOL_SIZE = "10";
+      };
+      environmentFiles = [ "/run/supabase/pooler.env" ];
+      volumes = [
+        "${./pooler.exs}:/etc/pooler/pooler.exs:ro"
+      ];
+      cmd = [
+        "/bin/sh" "-c"
+        "/app/bin/migrate && /app/bin/supavisor eval \"$(cat /etc/pooler/pooler.exs)\" && /app/bin/server"
+      ];
+      extraOptions = supabaseNet ++ [
+        "--network-alias=pooler"
+      ];
+    };
+
+    # 13. Edge Functions
+    supabase-functions = {
+      image = "supabase/edge-runtime:v1.71.2";
+      dependsOn = [ "supabase-kong" ];
+      environment = {
+        SUPABASE_URL = "http://kong:8000";
+        SUPABASE_PUBLIC_URL = "https://supabase.cloonar.com";
+        VERIFY_JWT = "false";
+      };
+      environmentFiles = [ "/run/supabase/functions.env" ];
+      volumes = [
+        "/var/lib/supabase/functions:/home/deno/functions"
+        "supabase-deno-cache:/root/.cache/deno"
+      ];
+      cmd = [ "start" "--main-service" "/home/deno/functions/main" ];
+      extraOptions = supabaseNet ++ [
+        "--network-alias=functions"
+      ];
+    };
+  };
+
+  # --- Nginx reverse proxy ---
+  services.nginx.virtualHosts."supabase.cloonar.com" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:8000";
+      proxyWebsockets = true;
+      extraConfig = ''
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 86400s;
+        proxy_send_timeout 86400s;
+        client_max_body_size 50M;
+      '';
+    };
+  };
+}
diff --git a/hosts/web-arm/modules/supabase/env-generate.sh b/hosts/web-arm/modules/supabase/env-generate.sh
new file mode 100644
index 0000000..331bfdc
--- /dev/null
+++ b/hosts/web-arm/modules/supabase/env-generate.sh
@@ -0,0 +1,89 @@
+set -euo pipefail
+umask 077
+mkdir -p /run/supabase
+
+set -a
+source "$1"
+set +a
+
+cat > /run/supabase/db.env <<EOF
+POSTGRES_PASSWORD=$POSTGRES_PASSWORD
+PGPASSWORD=$POSTGRES_PASSWORD
+JWT_SECRET=$JWT_SECRET
+EOF
+
+cat > /run/supabase/analytics.env <<EOF
+DB_PASSWORD=$POSTGRES_PASSWORD
+LOGFLARE_PUBLIC_ACCESS_TOKEN=$LOGFLARE_PUBLIC_ACCESS_TOKEN
+LOGFLARE_PRIVATE_ACCESS_TOKEN=$LOGFLARE_PRIVATE_ACCESS_TOKEN
+POSTGRES_BACKEND_URL=postgresql://supabase_admin:$POSTGRES_PASSWORD@db:5432/_supabase
+EOF
+
+cat > /run/supabase/auth.env <<EOF
+GOTRUE_JWT_SECRET=$JWT_SECRET
+GOTRUE_DB_DATABASE_URL=postgres://supabase_auth_admin:$POSTGRES_PASSWORD@db:5432/postgres
+EOF
+
+cat > /run/supabase/rest.env <<EOF
+PGRST_JWT_SECRET=$JWT_SECRET
+PGRST_APP_SETTINGS_JWT_SECRET=$JWT_SECRET
+PGRST_DB_URI=postgres://authenticator:$POSTGRES_PASSWORD@db:5432/postgres
+EOF
+
+cat > /run/supabase/realtime.env <<EOF
+DB_PASSWORD=$POSTGRES_PASSWORD
+API_JWT_SECRET=$JWT_SECRET
+SECRET_KEY_BASE=$SECRET_KEY_BASE
+METRICS_JWT_SECRET=$JWT_SECRET
+EOF
+
+cat > /run/supabase/storage.env <<EOF
+ANON_KEY=$ANON_KEY
+SERVICE_KEY=$SERVICE_ROLE_KEY
+AUTH_JWT_SECRET=$JWT_SECRET
+DATABASE_URL=postgres://supabase_storage_admin:$POSTGRES_PASSWORD@db:5432/postgres
+S3_PROTOCOL_ACCESS_KEY_ID=$S3_PROTOCOL_ACCESS_KEY_ID
+S3_PROTOCOL_ACCESS_KEY_SECRET=$S3_PROTOCOL_ACCESS_KEY_SECRET
+EOF
+
+cat > /run/supabase/meta.env <<EOF
+PG_META_DB_PASSWORD=$POSTGRES_PASSWORD
+CRYPTO_KEY=$PG_META_CRYPTO_KEY
+EOF
+
+cat > /run/supabase/studio.env <<EOF
+POSTGRES_PASSWORD=$POSTGRES_PASSWORD
+PG_META_CRYPTO_KEY=$PG_META_CRYPTO_KEY
+SUPABASE_ANON_KEY=$ANON_KEY
+SUPABASE_SERVICE_KEY=$SERVICE_ROLE_KEY
+AUTH_JWT_SECRET=$JWT_SECRET
+LOGFLARE_API_KEY=$LOGFLARE_PUBLIC_ACCESS_TOKEN
+LOGFLARE_PUBLIC_ACCESS_TOKEN=$LOGFLARE_PUBLIC_ACCESS_TOKEN
+LOGFLARE_PRIVATE_ACCESS_TOKEN=$LOGFLARE_PRIVATE_ACCESS_TOKEN
+EOF
+
+cat > /run/supabase/kong.env <<EOF
+SUPABASE_ANON_KEY=$ANON_KEY
+SUPABASE_SERVICE_KEY=$SERVICE_ROLE_KEY
+DASHBOARD_USERNAME=supabase
+DASHBOARD_PASSWORD=$DASHBOARD_PASSWORD
+EOF
+
+cat > /run/supabase/vector.env <<EOF
+LOGFLARE_PUBLIC_ACCESS_TOKEN=$LOGFLARE_PUBLIC_ACCESS_TOKEN
+EOF
+
+cat > /run/supabase/pooler.env <<EOF
+POSTGRES_PASSWORD=$POSTGRES_PASSWORD
+DATABASE_URL=ecto://supabase_admin:$POSTGRES_PASSWORD@db:5432/_supabase
+SECRET_KEY_BASE=$SECRET_KEY_BASE
+VAULT_ENC_KEY=$VAULT_ENC_KEY
+API_JWT_SECRET=$JWT_SECRET
+METRICS_JWT_SECRET=$JWT_SECRET
+EOF
+
+cat > /run/supabase/functions.env <<EOF
+JWT_SECRET=$JWT_SECRET
+SUPABASE_ANON_KEY=$ANON_KEY
+SUPABASE_SERVICE_ROLE_KEY=$SERVICE_ROLE_KEY
+EOF
diff --git a/hosts/web-arm/modules/supabase/kong-entrypoint.sh b/hosts/web-arm/modules/supabase/kong-entrypoint.sh
new file mode 100644
index 0000000..f1da449
--- /dev/null
+++ b/hosts/web-arm/modules/supabase/kong-entrypoint.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+# Legacy API keys, not sb_ API keys -> pass apikey through unchanged
+export LUA_AUTH_EXPR="\$((headers.authorization ~= nil and headers.authorization:sub(1, 10) ~= 'Bearer sb_' and headers.authorization) or headers.apikey)"
+export LUA_RT_WS_EXPR="\$(query_params.apikey)"
+
+# Substitute environment variables in the Kong declarative config
+awk '{
+  result = ""
+  rest = $0
+  while (match(rest, /\$[A-Za-z_][A-Za-z_0-9]*/)) {
+    varname = substr(rest, RSTART + 1, RLENGTH - 1)
+    if (varname in ENVIRON) {
+      result = result substr(rest, 1, RSTART - 1) ENVIRON[varname]
+    } else {
+      result = result substr(rest, 1, RSTART + RLENGTH - 1)
+    }
+    rest = substr(rest, RSTART + RLENGTH)
+  }
+  print result rest
+}' /home/kong/temp.yml > "$KONG_DECLARATIVE_CONFIG"
+
+# Remove empty key-auth credentials (unconfigured opaque keys)
+sed -i '/^[[:space:]]*- key:[[:space:]]*$/d' "$KONG_DECLARATIVE_CONFIG"
+
+exec /entrypoint.sh kong docker-start
diff --git a/hosts/web-arm/modules/supabase/kong.yml b/hosts/web-arm/modules/supabase/kong.yml
new file mode 100644
index 0000000..52af820
--- /dev/null
+++ b/hosts/web-arm/modules/supabase/kong.yml
@@ -0,0 +1,265 @@
+_format_version: '2.1'
+_transform: true
+
+consumers:
+  - username: DASHBOARD
+  - username: anon
+    keyauth_credentials:
+      - key: $SUPABASE_ANON_KEY
+  - username: service_role
+    keyauth_credentials:
+      - key: $SUPABASE_SERVICE_KEY
+
+acls:
+  - consumer: anon
+    group: anon
+  - consumer: service_role
+    group: admin
+
+basicauth_credentials:
+  - consumer: DASHBOARD
+    username: '$DASHBOARD_USERNAME'
+    password: '$DASHBOARD_PASSWORD'
+
+services:
+  - name: auth-v1-open
+    url: http://auth:9999/verify
+    routes:
+      - name: auth-v1-open
+        strip_path: true
+        paths:
+          - /auth/v1/verify
+    plugins:
+      - name: cors
+  - name: auth-v1-open-callback
+    url: http://auth:9999/callback
+    routes:
+      - name: auth-v1-open-callback
+        strip_path: true
+        paths:
+          - /auth/v1/callback
+    plugins:
+      - name: cors
+  - name: auth-v1-open-authorize
+    url: http://auth:9999/authorize
+    routes:
+      - name: auth-v1-open-authorize
+        strip_path: true
+        paths:
+          - /auth/v1/authorize
+    plugins:
+      - name: cors
+  - name: auth-v1-open-jwks
+    url: http://auth:9999/.well-known/jwks.json
+    routes:
+      - name: auth-v1-open-jwks
+        strip_path: true
+        paths:
+          - /auth/v1/.well-known/jwks.json
+    plugins:
+      - name: cors
+  - name: auth-v1
+    url: http://auth:9999/
+    routes:
+      - name: auth-v1-all
+        strip_path: true
+        paths:
+          - /auth/v1/
+    plugins:
+      - name: cors
+      - name: key-auth
+        config:
+          hide_credentials: false
+      - name: request-transformer
+        config:
+          add:
+            headers:
+              - "Authorization: $LUA_AUTH_EXPR"
+          replace:
+            headers:
+              - "Authorization: $LUA_AUTH_EXPR"
+      - name: acl
+        config:
+          hide_groups_header: true
+          allow:
+            - admin
+            - anon
+  - name: rest-v1
+    url: http://rest:3000/
+    routes:
+      - name: rest-v1-all
+        strip_path: true
+        paths:
+          - /rest/v1/
+    plugins:
+      - name: cors
+      - name: key-auth
+        config:
+          hide_credentials: false
+      - name: request-transformer
+        config:
+          add:
+            headers:
+              - "Authorization: $LUA_AUTH_EXPR"
+          replace:
+            headers:
+              - "Authorization: $LUA_AUTH_EXPR"
+      - name: acl
+        config:
+          hide_groups_header: true
+          allow:
+            - admin
+            - anon
+  - name: graphql-v1
+    url: http://rest:3000/rpc/graphql
+    routes:
+      - name: graphql-v1-all
+        strip_path: true
+        paths:
+          - /graphql/v1
+    plugins:
+      - name: cors
+      - name: key-auth
+        config:
+          hide_credentials: false
+      - name: request-transformer
+        config:
+          add:
+            headers:
+              - "Content-Profile: graphql_public"
+              - "Authorization: $LUA_AUTH_EXPR"
+          replace:
+            headers:
+              - "Authorization: $LUA_AUTH_EXPR"
+      - name: acl
+        config:
+          hide_groups_header: true
+          allow:
+            - admin
+            - anon
+  - name: realtime-v1-ws
+    url: http://realtime-dev.supabase-realtime:4000/socket
+    protocol: ws
+    routes:
+      - name: realtime-v1-ws
+        strip_path: true
+        paths:
+          - /realtime/v1/
+    plugins:
+      - name: cors
+      - name: key-auth
+        config:
+          hide_credentials: false
+      - name: request-transformer
+        config:
+          add:
+            headers:
+              - "x-api-key:$LUA_RT_WS_EXPR"
+          replace:
+            querystring:
+              - "apikey:$LUA_RT_WS_EXPR"
+      - name: acl
+        config:
+          hide_groups_header: true
+          allow:
+            - admin
+            - anon
+  - name: realtime-v1-rest
+    url: http://realtime-dev.supabase-realtime:4000/api
+    protocol: http
+    routes:
+      - name: realtime-v1-rest
+        strip_path: true
+        paths:
+          - /realtime/v1/api
+    plugins:
+      - name: cors
+      - name: key-auth
+        config:
+          hide_credentials: false
+      - name: request-transformer
+        config:
+          add:
+            headers:
+              - "Authorization: $LUA_AUTH_EXPR"
+          replace:
+            headers:
+              - "Authorization: $LUA_AUTH_EXPR"
+      - name: acl
+        config:
+          hide_groups_header: true
+          allow:
+            - admin
+            - anon
+  - name: storage-v1
+    url: http://storage:5000/
+    routes:
+      - name: storage-v1-all
+        strip_path: true
+        paths:
+          - /storage/v1/
+    plugins:
+      - name: cors
+      - name: request-transformer
+        config:
+          add:
+            headers:
+              - "Authorization: $LUA_AUTH_EXPR"
+          replace:
+            headers:
+              - "Authorization: $LUA_AUTH_EXPR"
+      - name: post-function
+        config:
+          access:
+            - |
+              local auth = kong.request.get_header("authorization")
+              if auth == nil or auth == "" or auth:find("^%s*$") then
+                kong.service.request.clear_header("authorization")
+              end
+  - name: functions-v1
+    url: http://functions:9000/
+    read_timeout: 150000
+    routes:
+      - name: functions-v1-all
+        strip_path: true
+        paths:
+          - /functions/v1/
+    plugins:
+      - name: cors
+  - name: well-known-oauth
+    url: http://auth:9999/.well-known/oauth-authorization-server
+    routes:
+      - name: well-known-oauth
+        strip_path: true
+        paths:
+          - /.well-known/oauth-authorization-server
+    plugins:
+      - name: cors
+  - name: meta
+    url: http://meta:8080/
+    routes:
+      - name: meta-all
+        strip_path: true
+        paths:
+          - /pg/
+    plugins:
+      - name: key-auth
+        config:
+          hide_credentials: false
+      - name: acl
+        config:
+          hide_groups_header: true
+          allow:
+            - admin
+  - name: dashboard
+    url: http://studio:3000/
+    routes:
+      - name: dashboard-all
+        strip_path: true
+        paths:
+          - /
+    plugins:
+      - name: cors
+      - name: basic-auth
+        config:
+          hide_credentials: true
diff --git a/hosts/web-arm/modules/supabase/pooler.exs b/hosts/web-arm/modules/supabase/pooler.exs
new file mode 100644
index 0000000..791d61c
--- /dev/null
+++ b/hosts/web-arm/modules/supabase/pooler.exs
@@ -0,0 +1,30 @@
+{:ok, _} = Application.ensure_all_started(:supavisor)
+
+{:ok, version} =
+  case Supavisor.Repo.query!("select version()") do
+    %{rows: [[ver]]} -> Supavisor.Helpers.parse_pg_version(ver)
+    _ -> nil
+  end
+
+params = %{
+  "external_id" => System.get_env("POOLER_TENANT_ID"),
+  "db_host" => "db",
+  "db_port" => System.get_env("POSTGRES_PORT"),
+  "db_database" => System.get_env("POSTGRES_DB"),
+  "require_user" => false,
+  "auth_query" => "SELECT * FROM pgbouncer.get_auth($1)",
+  "default_max_clients" => System.get_env("POOLER_MAX_CLIENT_CONN"),
+  "default_pool_size" => System.get_env("POOLER_DEFAULT_POOL_SIZE"),
+  "default_parameter_status" => %{"server_version" => version},
+  "users" => [%{
+    "db_user" => "pgbouncer",
+    "db_password" => System.get_env("POSTGRES_PASSWORD"),
+    "mode_type" => System.get_env("POOLER_POOL_MODE"),
+    "pool_size" => System.get_env("POOLER_DEFAULT_POOL_SIZE"),
+    "is_manager" => true
+  }]
+}
+
+if !Supavisor.Tenants.get_tenant_by_external_id(params["external_id"]) do
+  {:ok, _} = Supavisor.Tenants.create_tenant(params)
+end
diff --git a/hosts/web-arm/modules/supabase/sql/_supabase.sql b/hosts/web-arm/modules/supabase/sql/_supabase.sql
new file mode 100644
index 0000000..8882968
--- /dev/null
+++ b/hosts/web-arm/modules/supabase/sql/_supabase.sql
@@ -0,0 +1,2 @@
+\set pguser `echo "$POSTGRES_USER"`
+CREATE DATABASE _supabase WITH OWNER :pguser;
diff --git a/hosts/web-arm/modules/supabase/sql/jwt.sql b/hosts/web-arm/modules/supabase/sql/jwt.sql
new file mode 100644
index 0000000..93a8041
--- /dev/null
+++ b/hosts/web-arm/modules/supabase/sql/jwt.sql
@@ -0,0 +1,4 @@
+\set jwt_secret `echo "$JWT_SECRET"`
+\set jwt_exp `echo "$JWT_EXP"`
+ALTER DATABASE postgres SET "app.settings.jwt_secret" TO :'jwt_secret';
+ALTER DATABASE postgres SET "app.settings.jwt_exp" TO :'jwt_exp';
diff --git a/hosts/web-arm/modules/supabase/sql/logs.sql b/hosts/web-arm/modules/supabase/sql/logs.sql
new file mode 100644
index 0000000..794b086
--- /dev/null
+++ b/hosts/web-arm/modules/supabase/sql/logs.sql
@@ -0,0 +1,5 @@
+\set pguser `echo "$POSTGRES_USER"`
+\c _supabase
+create schema if not exists _analytics;
+alter schema _analytics owner to :pguser;
+\c postgres
diff --git a/hosts/web-arm/modules/supabase/sql/pooler.sql b/hosts/web-arm/modules/supabase/sql/pooler.sql
new file mode 100644
index 0000000..516d986
--- /dev/null
+++ b/hosts/web-arm/modules/supabase/sql/pooler.sql
@@ -0,0 +1,5 @@
+\set pguser `echo "$POSTGRES_USER"`
+\c _supabase
+create schema if not exists _supavisor;
+alter schema _supavisor owner to :pguser;
+\c postgres
diff --git a/hosts/web-arm/modules/supabase/sql/realtime.sql b/hosts/web-arm/modules/supabase/sql/realtime.sql
new file mode 100644
index 0000000..231cded
--- /dev/null
+++ b/hosts/web-arm/modules/supabase/sql/realtime.sql
@@ -0,0 +1,3 @@
+\set pguser `echo "$POSTGRES_USER"`
+create schema if not exists _realtime;
+alter schema _realtime owner to :pguser;
diff --git a/hosts/web-arm/modules/supabase/sql/roles.sql b/hosts/web-arm/modules/supabase/sql/roles.sql
new file mode 100644
index 0000000..c507c29
--- /dev/null
+++ b/hosts/web-arm/modules/supabase/sql/roles.sql
@@ -0,0 +1,6 @@
+\set pgpass `echo "$POSTGRES_PASSWORD"`
+ALTER USER authenticator WITH PASSWORD :'pgpass';
+ALTER USER pgbouncer WITH PASSWORD :'pgpass';
+ALTER USER supabase_auth_admin WITH PASSWORD :'pgpass';
+ALTER USER supabase_functions_admin WITH PASSWORD :'pgpass';
+ALTER USER supabase_storage_admin WITH PASSWORD :'pgpass';
diff --git a/hosts/web-arm/modules/supabase/sql/webhooks.sql b/hosts/web-arm/modules/supabase/sql/webhooks.sql
new file mode 100644
index 0000000..7d5238b
--- /dev/null
+++ b/hosts/web-arm/modules/supabase/sql/webhooks.sql
@@ -0,0 +1,153 @@
+BEGIN;
+  CREATE EXTENSION IF NOT EXISTS pg_net SCHEMA extensions;
+  CREATE SCHEMA supabase_functions AUTHORIZATION supabase_admin;
+  GRANT USAGE ON SCHEMA supabase_functions TO postgres, anon, authenticated, service_role;
+  ALTER DEFAULT PRIVILEGES IN SCHEMA supabase_functions GRANT ALL ON TABLES TO postgres, anon, authenticated, service_role;
+  ALTER DEFAULT PRIVILEGES IN SCHEMA supabase_functions GRANT ALL ON FUNCTIONS TO postgres, anon, authenticated, service_role;
+  ALTER DEFAULT PRIVILEGES IN SCHEMA supabase_functions GRANT ALL ON SEQUENCES TO postgres, anon, authenticated, service_role;
+  CREATE TABLE supabase_functions.migrations (
+    version text PRIMARY KEY,
+    inserted_at timestamptz NOT NULL DEFAULT NOW()
+  );
+  INSERT INTO supabase_functions.migrations (version) VALUES ('initial');
+  CREATE TABLE supabase_functions.hooks (
+    id bigserial PRIMARY KEY,
+    hook_table_id integer NOT NULL,
+    hook_name text NOT NULL,
+    created_at timestamptz NOT NULL DEFAULT NOW(),
+    request_id bigint
+  );
+  CREATE INDEX supabase_functions_hooks_request_id_idx ON supabase_functions.hooks USING btree (request_id);
+  CREATE INDEX supabase_functions_hooks_h_table_id_h_name_idx ON supabase_functions.hooks USING btree (hook_table_id, hook_name);
+  COMMENT ON TABLE supabase_functions.hooks IS 'Supabase Functions Hooks: Audit trail for triggered hooks.';
+  CREATE FUNCTION supabase_functions.http_request()
+    RETURNS trigger
+    LANGUAGE plpgsql
+    AS $function$
+    DECLARE
+      request_id bigint;
+      payload jsonb;
+      url text := TG_ARGV[0]::text;
+      method text := TG_ARGV[1]::text;
+      headers jsonb DEFAULT '{}'::jsonb;
+      params jsonb DEFAULT '{}'::jsonb;
+      timeout_ms integer DEFAULT 1000;
+    BEGIN
+      IF url IS NULL OR url = 'null' THEN
+        RAISE EXCEPTION 'url argument is missing';
+      END IF;
+      IF method IS NULL OR method = 'null' THEN
+        RAISE EXCEPTION 'method argument is missing';
+      END IF;
+      IF TG_ARGV[2] IS NULL OR TG_ARGV[2] = 'null' THEN
+        headers = '{"Content-Type": "application/json"}'::jsonb;
+      ELSE
+        headers = TG_ARGV[2]::jsonb;
+      END IF;
+      IF TG_ARGV[3] IS NULL OR TG_ARGV[3] = 'null' THEN
+        params = '{}'::jsonb;
+      ELSE
+        params = TG_ARGV[3]::jsonb;
+      END IF;
+      IF TG_ARGV[4] IS NULL OR TG_ARGV[4] = 'null' THEN
+        timeout_ms = 1000;
+      ELSE
+        timeout_ms = TG_ARGV[4]::integer;
+      END IF;
+      CASE
+        WHEN method = 'GET' THEN
+          SELECT http_get INTO request_id FROM net.http_get(url, params, headers, timeout_ms);
+        WHEN method = 'POST' THEN
+          payload = jsonb_build_object(
+            'old_record', OLD, 'record', NEW, 'type', TG_OP,
+            'table', TG_TABLE_NAME, 'schema', TG_TABLE_SCHEMA
+          );
+          SELECT http_post INTO request_id FROM net.http_post(url, payload, params, headers, timeout_ms);
+        ELSE
+          RAISE EXCEPTION 'method argument % is invalid', method;
+      END CASE;
+      INSERT INTO supabase_functions.hooks (hook_table_id, hook_name, request_id)
+      VALUES (TG_RELID, TG_NAME, request_id);
+      RETURN NEW;
+    END
+  $function$;
+  DO
+  $$
+  BEGIN
+    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'supabase_functions_admin') THEN
+      CREATE USER supabase_functions_admin NOINHERIT CREATEROLE LOGIN NOREPLICATION;
+    END IF;
+  END
+  $$;
+  GRANT ALL PRIVILEGES ON SCHEMA supabase_functions TO supabase_functions_admin;
+  GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA supabase_functions TO supabase_functions_admin;
+  GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA supabase_functions TO supabase_functions_admin;
+  ALTER USER supabase_functions_admin SET search_path = "supabase_functions";
+  ALTER table "supabase_functions".migrations OWNER TO supabase_functions_admin;
+  ALTER table "supabase_functions".hooks OWNER TO supabase_functions_admin;
+  ALTER function "supabase_functions".http_request() OWNER TO supabase_functions_admin;
+  GRANT supabase_functions_admin TO postgres;
+  DO
+  $$
+  BEGIN
+    IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'supabase_pg_net_admin') THEN
+      REASSIGN OWNED BY supabase_pg_net_admin TO supabase_admin;
+      DROP OWNED BY supabase_pg_net_admin;
+      DROP ROLE supabase_pg_net_admin;
+    END IF;
+  END
+  $$;
+  DO
+  $$
+  BEGIN
+    IF EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pg_net') THEN
+      GRANT USAGE ON SCHEMA net TO supabase_functions_admin, postgres, anon, authenticated, service_role;
+      ALTER function net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER;
+      ALTER function net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER;
+      ALTER function net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) SET search_path = net;
+      ALTER function net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) SET search_path = net;
+      REVOKE ALL ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC;
+      REVOKE ALL ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC;
+      GRANT EXECUTE ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role;
+      GRANT EXECUTE ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role;
+    END IF;
+  END
+  $$;
+  CREATE OR REPLACE FUNCTION extensions.grant_pg_net_access()
+  RETURNS event_trigger
+  LANGUAGE plpgsql
+  AS $$
+  BEGIN
+    IF EXISTS (
+      SELECT 1 FROM pg_event_trigger_ddl_commands() AS ev
+      JOIN pg_extension AS ext ON ev.objid = ext.oid
+      WHERE ext.extname = 'pg_net'
+    ) THEN
+      GRANT USAGE ON SCHEMA net TO supabase_functions_admin, postgres, anon, authenticated, service_role;
+      ALTER function net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER;
+      ALTER function net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER;
+      ALTER function net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) SET search_path = net;
+      ALTER function net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) SET search_path = net;
+      REVOKE ALL ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC;
+      REVOKE ALL ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC;
+      GRANT EXECUTE ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role;
+      GRANT EXECUTE ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role;
+    END IF;
+  END;
+  $$;
+  COMMENT ON FUNCTION extensions.grant_pg_net_access IS 'Grants access to pg_net';
+  DO
+  $$
+  BEGIN
+    IF NOT EXISTS (SELECT 1 FROM pg_event_trigger WHERE evtname = 'issue_pg_net_access') THEN
+      CREATE EVENT TRIGGER issue_pg_net_access ON ddl_command_end WHEN TAG IN ('CREATE EXTENSION')
+      EXECUTE PROCEDURE extensions.grant_pg_net_access();
+    END IF;
+  END
+  $$;
+  INSERT INTO supabase_functions.migrations (version) VALUES ('20210809183423_update_grants');
+  ALTER function supabase_functions.http_request() SECURITY DEFINER;
+  ALTER function supabase_functions.http_request() SET search_path = supabase_functions;
+  REVOKE ALL ON FUNCTION supabase_functions.http_request() FROM PUBLIC;
+  GRANT EXECUTE ON FUNCTION supabase_functions.http_request() TO postgres, anon, authenticated, service_role;
+COMMIT;
diff --git a/hosts/web-arm/modules/supabase/vector.yml b/hosts/web-arm/modules/supabase/vector.yml
new file mode 100644
index 0000000..cb6ca90
--- /dev/null
+++ b/hosts/web-arm/modules/supabase/vector.yml
@@ -0,0 +1,255 @@
+api:
+  enabled: true
+  address: 0.0.0.0:9001
+
+sources:
+  docker_host:
+    type: docker_logs
+    exclude_containers:
+      - supabase-vector
+
+transforms:
+  project_logs:
+    type: remap
+    inputs:
+      - docker_host
+    source: |-
+      .project = "default"
+      .event_message = del(.message)
+      .appname = del(.container_name)
+      del(.container_created_at)
+      del(.container_id)
+      del(.source_type)
+      del(.stream)
+      del(.label)
+      del(.image)
+      del(.host)
+      del(.stream)
+  router:
+    type: route
+    inputs:
+      - project_logs
+    route:
+      kong: '.appname == "supabase-kong"'
+      auth: '.appname == "supabase-auth"'
+      rest: '.appname == "supabase-rest"'
+      realtime: '.appname == "realtime-dev.supabase-realtime"'
+      storage: '.appname == "supabase-storage"'
+      functions: '.appname == "supabase-edge-functions"'
+      db: '.appname == "supabase-db"'
+  kong_logs:
+    type: remap
+    inputs:
+      - router.kong
+    source: |-
+      req, err = parse_nginx_log(.event_message, "combined")
+      if err == null {
+          .timestamp = req.timestamp
+          .metadata.request.headers.referer = req.referer
+          .metadata.request.headers.user_agent = req.agent
+          .metadata.request.headers.cf_connecting_ip = req.client
+          .metadata.response.status_code = req.status
+          url, split_err = split(req.request, " ")
+          if split_err == null {
+              .metadata.request.method = url[0]
+              .metadata.request.path = url[1]
+              .metadata.request.protocol = url[2]
+          }
+      }
+      if err != null {
+        abort
+      }
+  kong_err:
+    type: remap
+    inputs:
+      - router.kong
+    source: |-
+      .metadata.request.method = "GET"
+      .metadata.response.status_code = 200
+      parsed, err = parse_nginx_log(.event_message, "error")
+      if err == null {
+          .timestamp = parsed.timestamp
+          .severity = parsed.severity
+          .metadata.request.host = parsed.host
+          .metadata.request.headers.cf_connecting_ip = parsed.client
+          url, err = split(parsed.request, " ")
+          if err == null {
+              .metadata.request.method = url[0]
+              .metadata.request.path = url[1]
+              .metadata.request.protocol = url[2]
+          }
+      }
+      if err != null {
+        abort
+      }
+  auth_logs:
+    type: remap
+    inputs:
+      - router.auth
+    source: |-
+      parsed, err = parse_json(.event_message)
+      if err == null {
+          .metadata.timestamp = parsed.time
+          .metadata = merge!(.metadata, parsed)
+      }
+  rest_logs:
+    type: remap
+    inputs:
+      - router.rest
+    source: |-
+      parsed, err = parse_regex(.event_message, r'^(?P<time>.*): (?P<msg>.*)$')
+      if err == null {
+          .event_message = parsed.msg
+          .timestamp = parse_timestamp!(value: parsed.time,format: "%d/%b/%Y:%H:%M:%S %z")
+          .metadata.host = .project
+      }
+  realtime_logs_filtered:
+    type: filter
+    inputs:
+      - router.realtime
+    condition: '!contains(string!(.event_message), "/health")'
+  realtime_logs:
+    type: remap
+    inputs:
+      - realtime_logs_filtered
+    source: |-
+      .metadata.project = del(.project)
+      .metadata.external_id = .metadata.project
+      parsed, err = parse_regex(.event_message, r'^(?P<time>\d+:\d+:\d+\.\d+) \[(?P<level>\w+)\] (?P<msg>.*)$')
+      if err == null {
+          .event_message = parsed.msg
+          .metadata.level = parsed.level
+      }
+  functions_logs:
+    type: remap
+    inputs:
+      - router.functions
+    source: |-
+      .metadata.project_ref = del(.project)
+  storage_logs:
+    type: remap
+    inputs:
+      - router.storage
+    source: |-
+      .metadata.project = del(.project)
+      .metadata.tenantId = .metadata.project
+      parsed, err = parse_json(.event_message)
+      if err == null {
+          .event_message = parsed.msg
+          .metadata.level = parsed.level
+          .metadata.timestamp = parsed.time
+          .metadata.context[0].host = parsed.hostname
+          .metadata.context[0].pid = parsed.pid
+      }
+  db_logs:
+    type: remap
+    inputs:
+      - router.db
+    source: |-
+      .metadata.host = "db-default"
+      .metadata.parsed.timestamp = .timestamp
+      parsed, err = parse_regex(.event_message, r'.*(?P<level>INFO|NOTICE|WARNING|ERROR|LOG|FATAL|PANIC?):.*', numeric_groups: true)
+      if err != null || parsed == null {
+        .metadata.parsed.error_severity = "info"
+      }
+      if parsed.level != null {
+       .metadata.parsed.error_severity = parsed.level
+      }
+      if .metadata.parsed.error_severity == "info" {
+          .metadata.parsed.error_severity = "log"
+      }
+      .metadata.parsed.error_severity = upcase!(.metadata.parsed.error_severity)
+
+sinks:
+  logflare_auth:
+    type: 'http'
+    inputs:
+      - auth_logs
+    encoding:
+      codec: 'json'
+    method: 'post'
+    request:
+      retry_max_duration_secs: 30
+      retry_initial_backoff_secs: 1
+      headers:
+        x-api-key: ${LOGFLARE_PUBLIC_ACCESS_TOKEN}
+    uri: 'http://analytics:4000/api/logs?source_name=gotrue.logs.prod'
+  logflare_realtime:
+    type: 'http'
+    inputs:
+      - realtime_logs
+    encoding:
+      codec: 'json'
+    method: 'post'
+    request:
+      retry_max_duration_secs: 30
+      retry_initial_backoff_secs: 1
+      headers:
+        x-api-key: ${LOGFLARE_PUBLIC_ACCESS_TOKEN}
+    uri: 'http://analytics:4000/api/logs?source_name=realtime.logs.prod'
+  logflare_rest:
+    type: 'http'
+    inputs:
+      - rest_logs
+    encoding:
+      codec: 'json'
+    method: 'post'
+    request:
+      retry_max_duration_secs: 30
+      retry_initial_backoff_secs: 1
+      headers:
+        x-api-key: ${LOGFLARE_PUBLIC_ACCESS_TOKEN}
+    uri: 'http://analytics:4000/api/logs?source_name=postgREST.logs.prod'
+  logflare_db:
+    type: 'http'
+    inputs:
+      - db_logs
+    encoding:
+      codec: 'json'
+    method: 'post'
+    request:
+      retry_max_duration_secs: 30
+      retry_initial_backoff_secs: 1
+      headers:
+        x-api-key: ${LOGFLARE_PUBLIC_ACCESS_TOKEN}
+    uri: 'http://analytics:4000/api/logs?source_name=postgres.logs'
+  logflare_functions:
+    type: 'http'
+    inputs:
+      - functions_logs
+    encoding:
+      codec: 'json'
+    method: 'post'
+    request:
+      retry_max_duration_secs: 30
+      retry_initial_backoff_secs: 1
+      headers:
+        x-api-key: ${LOGFLARE_PUBLIC_ACCESS_TOKEN}
+    uri: 'http://analytics:4000/api/logs?source_name=deno-relay-logs'
+  logflare_storage:
+    type: 'http'
+    inputs:
+      - storage_logs
+    encoding:
+      codec: 'json'
+    method: 'post'
+    request:
+      retry_max_duration_secs: 30
+      retry_initial_backoff_secs: 1
+      headers:
+        x-api-key: ${LOGFLARE_PUBLIC_ACCESS_TOKEN}
+    uri: 'http://analytics:4000/api/logs?source_name=storage.logs.prod.2'
+  logflare_kong:
+    type: 'http'
+    inputs:
+      - kong_logs
+      - kong_err
+    encoding:
+      codec: 'json'
+    method: 'post'
+    request:
+      retry_max_duration_secs: 30
+      retry_initial_backoff_secs: 1
+      headers:
+        x-api-key: ${LOGFLARE_PUBLIC_ACCESS_TOKEN}
+    uri: 'http://analytics:4000/api/logs?source_name=cloudflare.logs.prod'
diff --git a/hosts/web-arm/secrets.yaml b/hosts/web-arm/secrets.yaml
index 9f07175..24b997a 100644
--- a/hosts/web-arm/secrets.yaml
+++ b/hosts/web-arm/secrets.yaml
@@ -1,78 +1,79 @@
-borg-passphrase: ENC[AES256_GCM,data:Lh5OC7ZwW7+hVJ8lKb/sDcPb6/nC8ZYkEFx8lYWfrMsGlftXru3UmzzpoI7hGo/AOeYPN0wBplSGvKRpAJpqdA==,iv:gmnwl6ibanMlUhrTvH7BZX+PUah8UIZ2MmPakWB9qtk=,tag:Bg/RALc3Wdu13Tr7aR6pkg==,type:str]
-borg-ssh-key: ENC[AES256_GCM,data:Y6OzbVZSyrmQPjcADGDWxDPbxTHdfg34nk6X/veCmaYbRKQoCy0fBP7th+eAYwuKgdrPrVxEPLqKL8MNOgHWTtHvpsiwGQtb5yYjchFB0/GGp7eGH0wIuv7TeH79Qvmuk5s5ObRpWv2xTeSbpeiG+SsrJ5wq4BLjI/r0CuNAIJ/k83q5blAMcmjvSGObxqSczew5G8BieCaa/PgykpUixlh89+UgITc9AMAozcRzAQuusa8TIVC7yRCSk3SjpUkyArdwp0jCvn7IIuZg7P+Soq7WL5N6XsvkiH4WjPQA2taIOiE7uLf/l35DoDLDIoHS5VgUQa+DFVpJb6cpC8qGWas0KbN87B1qUDYa+z6Ccz0Leo+Kuy87pcuE58u0yDvnHzFBEteHbTsZDm8o8I8V8+Y7CIyKISFgxSH2xkYX1wadDe52S1pq3wBik9IYq83Ea03ej69NHF81THaRhuv6ePIgGWgbC8Bu6sZQysHLCPQO0+c1k5AoYwES0ZO4IWA+z9bE7/nLCJfMR9vy5Rjl,iv:MjVNeVORiu/CsSze9PB3P2U9jEJ338x+aNwY1Ok+OmA=,tag:PlSYvHvc4QjTgrrgTKk6lQ==,type:str]
-vaultwarden-admin-token: ENC[AES256_GCM,data:r9CACx1Rj3B6aJthLnk0BbQ/rzwNr0Prskxk2vLYkWZ8bIT/ndXzsKBcZVut6MuZU20RJ/xB58RJku3i56HMqQ==,iv:dSTKC8Mtp7uKihYP8zMp68RqlqRz9YPsOyhEiDd64Fs=,tag:+u/+iWOhBoXE8v4NBnWJWQ==,type:str]
-vaultwarden-ldap-password: ENC[AES256_GCM,data:+iX1uz6fPJq2JCqEp/sDvU62JXX87fwX+nJz1rWIwKocyx7HwoHDhXoosjSAcP06IwZw1pguQKhW/FehkS/tGA==,iv:+DQNMsML0Mtgjv7xvF0w64Ftn7i2raxx8YPmQNHIhKk=,tag:EVxwhz5ojlETgGO3vL8ivQ==,type:str]
-vaultwarden-env: ENC[AES256_GCM,data:d9mOf3KZ1JpDtLFY+mFpShtUaOTKyHqJPnWJr5LaB3wX1p/YYdxzFwatzhoiTTeYpDtUE2QrFwTlOOpixlYpaKhZB6SkEP1Wb0TyXZRbs7i54oxzUVZgBAoX6IzgzsJSYbvdfCFjLnNxa6137x5kazLU1isLz+ZBIdMozPDWKkNIslxtjUUM0uOlL+e68gaeVw1n72GilL5VHFGZirzU3Wg5AkeBAkfSizJRLMfkt9Ly6l08XaEKfQ+/0cikL6MPosRplaSU9NW1gUJ0uqR8G0EUnAdQ+oS3/NXTOJLvALADSakSTfTo3QNy6izoL047tx7QL0WCbA==,iv:t6H67pD1pSOiyEdELK3NTi9v7Dz/D+J+d5towzu4ufU=,tag:p8AGJPR8Qx1V90kS1amxzA==,type:str]
-authelia-jwt-secret: ENC[AES256_GCM,data:EK3xRR6X1WmCPk0JX2svcRpmA01ROryOwSgoSP8wzV2DeZm4+2sJq/4WfE7q5lsLOt0x+d7tIPOmLH11FVD6lw==,iv:MuJyOA/3Gi06U0wS3xPkZ65jucknSFsO/0Bg4GMO9VM=,tag:TjefmX+X3tF3EcRwsLLpJw==,type:str]
-authelia-backend-ldap-password: ENC[AES256_GCM,data:HbGoj3N3yOGsj6BA/C2HIBMF74C3K5nLwv3fOdHzmcK6oDMhiK6zqhLP5cTltxkIBQHsFrW8wd9jKkMWFqf6Pg==,iv:zk1tpx63c5E1/eXOHjeYC1t73REOhzpJrdzXrvk+vug=,tag:o6k5f+PQqFuqSOXNbyDjFw==,type:str]
-authelia-storage-encryption-key: ENC[AES256_GCM,data:Fsvev07/qOWA0oTMoXJenrmlxnFLZ9u18UI/avUqjlCpnxYtGxwz9y7Vt0FjTh6K4mQ7omMYhMFy3t6vp+9AZg==,iv:Ja404BfvjAqGW8ZfrDp1whmsl5J1TklPHrHS3G92uuQ=,tag:ovFcA8v7svFWE6yGYTCKXQ==,type:str]
-authelia-session-secret: ENC[AES256_GCM,data:mFRzgFzcR0zOxjSxYDT0EX0rb3GfLFiPcqjcND5/7hsGj7KQ4UobGS7UKkHquhqPYun61FystUiz2jLInUYluQ==,iv:b2d1W6Ab69JkLXHA5mxXLoHH7iawsGg8foeO2MaR7nc=,tag:jo3j03Fqnhi8KG1+VJ8rLg==,type:str]
-authelia-identity-providers-oidc-hmac-secret: ENC[AES256_GCM,data:Sbcd7v+a5RSTQW6txQEiwsNx4tlPh44GVnSawI1/tooKyvgL1tBdSSFn7l75NfQyK7jK4KZ2Lqhfi8Iff+AFJxTCc94UN9axrlKUq27UuvIdrvr33O9hacICuuXOTRFmHOh8ipNVP721jpOGtuB+L3MDG9RHLMk8tGhIe3L21Sk=,iv:SaUm9EtnheetwLtoOD6zamtyJ/uHr9dA4YPFWweqWsk=,tag:P4W8QIeL90SZxtCTMkA7Ug==,type:str]
-authelia-identity-providers-oidc-issuer-certificate-chain: ENC[AES256_GCM,data:H2erV681TZ0St8AlSs4V39mcFetbtBcernBmOVQhhzCaxk0kDmz373WH0duRcehKHXOnF3vfZ7PesngAwEzKZ8K4iyvuEF0senYcVs98eFq4avI7JoPan9lcqrYmaihMZi9fwHiM4hD31SXauINPBOb3kTsd2s3vdtICmD7S3w3WOzRJ3NtPuww1w3vfjTcNgXUpNUN9CzZCaGLoesXNPieXp2izEzj5JMPRWySDl21okVNzMuGzF0hLC9KrA4zDk0bBeS/rpv1m1Hk/8JYZ/ZbhYJvaqdXxy2XNzeexBnq06KiaOos3tNo+KyUvbbW8xC7Wk6LNS2wlDgu7jSNo4bGyN4gMfNhIF/RAj2cjDoMdZrBmjJRELZYbTZR7IIbmsbSgSIVJ1itCkkPlqBw/e60nmpUU+m1IBwzAszS2DQCMKIZhRuwfNL43i4KHx1cANGOZAexStG7BP7QOk2nDzFGhxBUz5szDJmJCpokC/rATGOcwv1LO6ofK0tQGLPzn6Rpl0NcDafBxBKoFhlmqNFvgBQyXJpI/WnGKorvpI26lLtRPlbZn+26mNCIsq7KcEuCDVM3G/CkpGX9jo3s+933yzI0nMECBLbrRWFqvTlNivqbI7KXTKNjna+p/Vh5uoo5++Yk+gcv47YuNp8udQQakTE4Ba7hrbMwUrLQMf3PCeAr7lfF1Sl883wm4lEQbZyhhsaHCnMqATTADe8YNZXi7ThAi5z4MwSbx/XrRBtKm5dfeuBcQOTfcH+Ek9rSn0Y3d+5yW9G4YOrOpbKhnx8sSQ3I3s4+V43k1WGo8akN8xXRw/hcqB9YYBx5ZYoP78G4ibSZjGVrzGFIgiCHPvOy6sNUGXfxRQiZVxgrwxJge2/V3R8qTzMmLin7A463RU+5il4u7Y9tndmjq13SMCRppIYF1SRN4kVihBOj65xazhEBp4u+S4QCnepPUt5S5R/BcZT3w1OBxqsZG5iCLFN8w6eiwlbHa7tT5SpVUl9d5y0mc4+QR/S9hmYdjPLEZwomzQInZxw==,iv:HOsm8MF55w41zybErWIqLlzVi2dOVS38ui+F/mpEqZ8=,tag:UGoAVuHfVYU2jy8j7w50jA==,type:str]
-authelia-identity-providers-oidc-issuer-private-key: ENC[AES256_GCM,data:AiEsiNlmvt18yBBp9B3Ghkh7rfTd9D8JB214PB8QuZtiTybQMl4Y7M+1gRdUWpYnPvV3uARSewPEdnM0TXnStL0dVysYdJQrHFdRSRzz5i9i5jwxfJkKaBavbYwZxHsgH0U5WFMXVKMbhpbC9A3tggl8y0LO3CMPtGGGwkAx81/FiuXrULQlCpGiBdwIla54PURx4VTfYXPeTnYhKvcWjk8cA/up+WErC9cuv8MmGbBXTtqXcDhPnP2DqoAda8KxM2P/UX3h7udhp92QSAqzY1wDyuQpOmFd3osrOlDKwg6VWaYdTlBdmAHXvCP0NgCstUbv57yf1m3xtx2A3H9EC/fm5P1ALk305W8XdNWEZ7eZhaY6fuJbqOLZXKI3PsCGXjAbYWYNS7F6kvE0MGLmZQJFqhQwKdJwARPBMBvGSRbnN3nR3O14gwEaRjcLcpv6v5sXRik7jtE3eEntoFmctxEkvSGpcASkaRg9Dn18nOIub9zFEFhUxV2DeoKPFlBB/jRh1UvcyUNsHd7tF5QpvZL7einIy0lEGUzbQkr4jRiidvw6URb84YDIhkx26101FXnezSc5JhqUI7zKg9qJCQiFzjbi/j0t38FjrjV6HvqBBe3NfT+XgV0vuUoUZ/i8faF6UWJIBj3XihScSag9T9c3pNC6a+nuXIJPnaWbPmBm1pXx3AC5+EESKg8VLUz+wvzFToV4NJ3rHYqE/+HO1xgydGwUx4feI0fbVQ/7L6N7EcESU5QyPgTQNpeakogTBLhGU9dfJkxWkCyLLytap32bUFVnPnKPcrz0wc+ZTLzxLgXR5ilxB/5Ue9M8ygQWeg/OI4i/c9T1bDnLDMjXMegZJbzoQJSXHsdusOaVygN4Xa5ZJNRbEogCp58cVAeD4gGGA/apI1dQCPAG7aA6tenQNrS1hgCeVtDKrRWmK/ki9BVajt4pqWeOKr6T51GFXyvTThCtC5OE6+GpBrZaVwIgw015N2VF1Ze3ZW5anBc/Vqd7fmAP0/F/5gin7e/EGcnOodiPXSosms2dPtivfOOPnISjSJmtw6YZuVyMJ3CMUhO//nmFoggYZ8lTSNm9YVin2VcrI+zWgToevks48F/33WFEyZ9lFIEh2JK8TjiRWNOsnJPDpeGaVGX9vK4SwSSEwJqsXI2uIFLmmU5cKAqGULee+cQTTYezd2rXnavCHKhHG1KBiyq5+u+ZyxoqpkxgZoDFMHiya4nZPDDozfFRzQATlTSAjHkXI350AH/Pmb3E0NbfIDVogvFqEbOAVK9ByAHuZEEZVl+f7eg0f/zM6cZJqXnR7IchvnDS+tc4E150F7of4KMhUDmKps0vEvGp8ZgjN+/+w9g90x3+SgvBHOz0S/jsprHO88lRJZOsItXxdetk5j7fLlmVV76bhtb/uEdgKquXX7/KV/ubHe8Gq9M8ZIsKQOg/hPlKSH4uB7RKpp5qSLUizmKhL/UyWrfuFASWFFZHe7HRem1fy76voxgdByacSv8IiR5oQM9OW9pfDVdDU9CY8dZjYQuoZ+R5hm+LdwVPIc7QU4o/7hSsu6WgStVRU+Nd6vz64bSiUtAvLjVgLHPMjzklFIYd9/jTyp2Rhj+9bN/mLoLWPjOCGeDuECzj1x3MWpRuZgv89GYDzfNJWqNE5RyJfQqMm8EMmtieSHyFO0L0ZWAFgsyb1HaUhAAR7nxpxS4LgRRz6Xh/occsoI+RqIUxIHu7TlQM01uzA+wUzSxyO1sl5UBjCl0mDg4LdBu8ttXmBQPw8MEHikF7QavYLoD3xDiw9E3twFxNd5FBeLNvcro4S02vNEVBI15GpMdQHNES2OFMy6xeU4yZyM7wVBP6d7aS8x0Iux1GQKPjqKfC+vqdO5nrlOFDHrLK5CnhUEtdksD5XglZWgy2OI/2aryK2ZuejoYnMGm9Eb7FVLLySjMuCWQWQdGgPC4AuVoyPD8O/JNLXeNR2tOPLwnO6dpD+dw0MGUfmPclTl74tbKwSrQ/ogl2zXVpI1qPHYIVxO7HOq8DcaQK5uLyrnF3/8qcHfSGx/Zbuba8vW8AuEs+I213oRR54I5TIidJEbw3TuacXYmNCGP+EieZXwiYNl/5xhznPa4s9Xjob66Ks7kPxn5inHo24w3CURqAE7+GDlfX7eDUiyLngraK8vdPpzRP93ZcxLi9A2RZgbxaLrQIdPjyNOmv07NQy7rLEhSTmBEsp3searJ/bE9kJC5peeVzcuNoYbVBvdostCV4gnj4ojvzq25JYyn7QFTZ9f7lMHBOdCuX0lQ2vEgrMmJma6/o+NhfDRAFJTKw7CL/s6QfhfpiCPum0b/qBvNZRuScm4lDJtcqC+/DFKmXQZsmfFC4PraieETm9504r4vJORKOz5hWKAeB4gitg+FlXnTWit4m3JfQRCEZUljJ+5zmSEy2MxWapz3BqyRWt0EHnpVG/xzLaf4onhrXmCK+bVz8Xl+7PgfcOGrltulZ1KR2T1v/sCHG1Kx31Bzzxvme2tzSQlnSHkCVbR6Xo2EsdvYXKjU9LN/b3sd4mwUVUs0ftxzmp7EhJrqDITA/wH0tsyAE49WodnbM91oqlCpS3UOU03Bkf0MKmmRGaUxkS8S+B71lvbtvmnDJEhLnonhb+ZoT9K+ILzmpeEceYElNAL6lDzNaE2h6kLV4nOZOQrT8bBHoyOz4c0anyPJyfwJUVMxWEOCzGcgVh+lI6pQEMuA1rjDR/d4+SuRN8QJLvyoLBy2wEPy7Vp5l+cK9Duj59AWVJU9az6NZNu2Y+QcDi07u1yFuyDHnewbW8yu45ZPwPpOj4QCpqDGHz9LJbAcqt40XAvXMRbXeUJnm71ptVevpxeSjwUN0XiIVB367TWRLUxUUSf4wogONlKZ/I0KbCSInhBbfP7PsRLuuA21Q3abOiSaRkT/wKy9n53GeKs4GjWZU32eYhN1pESgc/6pvzNsIwlPfQNEOcCK147UrXCmTb4k+i7utsC1jRrfGSX2rtW8Eooh+85UK/LL/SQoZt5Cd3mF7bhhHohW4bEfKgafw/rjxZj7XuL0A637EWG0/1OBPOur4fxnKKwBNGh2FlevWNeZWT+818VAk7IhHFp/Po9LPfMUYNMokc4K+Mm9P4IXqqFEwEiUFmxl7xcqzbmBB8XYOabOxQbqkQlnlm3kzEcAk5ymoajtfOstTnyQuKtxmwKcOi0F/F+Q9Lvvc22L2Q7RK5yvY/gR9DndCD7wZeyiXFtNMkaBv5CfK7ttXq3yyrlWvdNqaZQ/AgV+THP7iGIx+vS45ZmBqBpugVnO3cq4ffulehYOabat/BUkmW8M2vVuGTerRuX+tDEHU/Bvk/WpSIbG/PjqKpdJwxWQrgeQYOFG2EOCerpdkWJ3ctg0U1ffMe8ZF2tobgzJSoYt1971xrVIPiJEqDPc8GykTlV9c281WFv5HCWQL8wYSt+gutoRGN94ABaD7NpYcLUh2gAFSZYLlxFqILOIgPCRqpVQx/mZhLZymF/h5hIbuBLWMYyHPmrCeMAo3M0yk2Xj0VeE3xrBpaQAiloCo8tdj9olAtp5vUlWNLFfr4i1UPIhiR/vKZgU90fEGZlqLtsl/8x3IUFTGj8HErcaJIL7y2ElsC8vy8spoT93nkBs4dAFQ1WkL3N/Gbr8obV6vzYQtsm1AS9UfmPqMHhzh68WhSsTmFvXRdS/mLktTYkcnEABdQk70KdqOJe2P3ZxUFcUxHRDB7Yal1U1kF0xTBevf5Yj/nBpCEneRVKKfg4m5Pm9a+8bpo2cQl+NhjMIbModkyosa/m9/MaGhpMv7mUKuaScMB4w7mDYDJgVXl9HpXmQdcYq7w9xSE9HXtjuC2SNecMXBJngkJ07+svCJmQUxHJs2o9YJ+4cNrRUQbFtGny9fG74jdGf0LI1hQtZEUgmrxEiSd3t4zAsUZdr/YsbrvOeuOpEppzaWA4jwZt5eVcks1h1o8AuU5U2DWAu+FNbJzHn8XdaMR9Mo6k7SU16BwVgNWpDfCzg+/SDltnpQLL7BHXrWaFRS18Vr29KtakDRDJki4iZIZb+c4u2QCnBA3aBIpNW/OF5hNLCPiHjspnPt7vRfJFF8mtfYe+RiaC7MdGFqcRRAofytCGcJwy6UgXxvglYi1YwYj4pGMH8EkvE0dEZ6eSLR3abmuVd8TunjLYmnaFeu9FSBZl4kNmYnwNpJjdD6JSYnvQx3pfLp448kusWC7F/IDx7CUisIAtP1tqvktpHgsG9KFyV3gXkdnIOxtgNWmyZvwXKbJrY5Focg3LMxCyjR9re72MKlQ1uwYunmJerYB5sA/WTSLkVb,iv:4l4BTCYl/ix7oT2Y3p4oQY4GLYbmVZpoGQ02Mg705Wc=,tag:TP5BGIIkpJLYR4KSCvjU+g==,type:str]
-gitea-ssh-key: ENC[AES256_GCM,data:rlNxql76ws07uw2nue+55GIBEtU7bq6flr8MUrY5kkO/UQu6glD531SI9LLcmqMJ7Ee0a9vg1sW2QMjucMEjPzdo559x+g9COk8AXPQobSpJo/3/JL4s0r5a2ymGmAQtDWhW2ukU9uLlHvir13PBDfeLjDJ6kvv6/JUP5lD6AaXFZJEF6PhkGIFhExBvxU+5cLGMdFKRNTg0+dCj1/bg4iWFmW4znz5LGOrbofcSSJsIxgZtbwAsthimWJrSnaSdbiKKKItullZn7eXT+D3SALAcLscHaf9m/6IP+s6oOOzVxANGxqZaPvC9qpDrrzGEuNjl9d3Jb2bTxXroz/pe+NWGtAot9GVUp9fpJzxF4NvRgcLa4gI5kIfbsCKxjjSaUl9nmqBjP2kGflyEiiO/Z2k3h049bHK0DDDVizb7X2fajUUIDsRPdRQToADjQwDn9tzDDIg4oWoc3xi45RDbBf/zGGz4QBxtPcjWzLaN3KK+VE9Y98LXjhSZ/PgsSj8ZIz0IqpuaP5aW/9c5cQdM,iv:owBhJUG05Qelj9u/MafjfLJBnFAMnQYXmBqziFoJHdw=,tag:uENfxVUZhG7QiBtbMvMYZg==,type:str]
-grafana-ldap-password: ENC[AES256_GCM,data:bdXfRoUKr6wojDCM+wh/KpHCu5ZUPlrfgj/EkK90sZQn6iI5rB/R3g2+r3zZYhBD3lAeYQu+WtLR59eB1mgLvSAvwRUGrOBQnfWVh6WpAOFcqPihUy4Tpu/cE1Qk81W515aQLNWW9k+oqs6Yasl7ykwmd22w3NK7WoSiasti+Sk=,iv:hAOkJaJJPO03fKhDzf5j73I64v4c/W2xrXixR+H5uxo=,tag:8dodaafT/xgdEV3ypvEX4g==,type:str]
-grafana-admin-password: ENC[AES256_GCM,data:7tWSPyJYCHAw9ftowrYNTYUBZYQb5OBEsjDVTodnrsTqZWtu6UKwPRhancRUcg375I5ZRpf+bMd5cXpSsVstHd+u/zYlfe2ScyH0qINu44JsZyEBUb6jZ4RW2MUucSAsXUK1badBdwmOCPVO+3V9wOc7yV47DLYOTRiLOsMLU2o=,iv:SYYFwxlWm9wl3kzEsZsZ0FeFC91ho1E6Wd3cMLX1fmc=,tag:ItG0MNRcncys6T4oT1hF0w==,type:str]
-grafana-oauth-secret: ENC[AES256_GCM,data:LFzNHnb7WK7lnFqBqc+a+vgpf42+1TeUzad/a3BJkWTJ1kHRfeBD9LETXwy/lg6kAofQISjRK5LGNZK11OTii8xoG4TWidPI,iv:w8j8vlThcCuhUWSHyQ0CwXb+XRjKCQ0u1QV4JJCDqF4=,tag:amEliYePf9b+xHjkk0LKDg==,type:str]
-linuxbind-password: ENC[AES256_GCM,data:RIBiXMrcKjfpLimX9CLAOg4oirPIXAWinh9nYqxiwKofZUtphH6+LPMmcAGtbh1Q99NvNiToGdq3CjO2mP7b+Q==,iv:MoWOPPC1X6ZeFQoJrNOBt+ekT5zqPPUcx4zm+j7y3bQ=,tag:AQAaiIBpwPcEu2bJxlx9ag==,type:str]
-sssd-environment: ENC[AES256_GCM,data:LFxkBToE4D1ai0d6FfmhYam577Fo3HQs05n29nH4StBYeaLEQ2g1BLyt6f9B1k0RpI5MfzxPAJHRYQEFbcCNAc20VO2+0alTLsX61FLLhKMtvg2y7rEhsTGLvQ==,iv:GeM4ruyVqFd7mOtxlXoMA2sYwD5XDWQqauhhUrsiHPw=,tag:siGzNxkgcshYXyjn3/Cmjg==,type:str]
-promtail-nginx-password: ENC[AES256_GCM,data:AKftXPlaYPO6MPlzii0/4V0jjmXCgVNFcBXjku9MGk1wqaGWn5KH4q2qAEwGwhWX4DoraIQaYzweSA==,iv:2xqraUqHVHFvA6vCqfOE1cwdFbEcxg225DHQRpdLmi8=,tag:togzAaJK9JuWXAOHLYl2Ag==,type:str]
-victoria-nginx-password: ENC[AES256_GCM,data:oSh83mcpLTKN9oAP8UEZ8opEezlPdDIO5nOmrV3EzqOWYta6ffIg3XsYNvNQ9JWCY8b49CU=,iv:0R1P20nVJe7KuoVOCuAj6GbhnmTg4GVD6uAd8Z9PnPI=,tag:ReH9FfnAUM82B1CMdoVGeA==,type:str]
-nextcloud-adminpass: ENC[AES256_GCM,data:WqaU8XyfgrfPVMrB8vpeEwtZ6RidzKsfl/RdOEar5KE0occ6cdehRF1EacGdbmKtM/5GFgCWVYVzyA3nXeqPU2Xnl3HMTwJGE1RPLAo66Zl6UCU27pYVrgJyBq+K195n1C1RzRXxNrLRMx8utRTVVKaf449EQdJuyZ8u2y+K86c=,iv:qPssMccTUeZQNN4PsokQPgv4WG8cVo0NI3jTH5Hqn7A=,tag:cNXmCIHPOIrvHXhlbNKUhA==,type:str]
-nextcloud-secrets: ENC[AES256_GCM,data:OTvpnL/GJcQXg2Qs6e7EN3//VWsb3x/JqL1XIEilpPsvWUXEMjbYMz9NwLLdaJOCOLaSjwwz/5SzSeh85C9qQCcCWPXn5IW5WQ0TRD+XZC8ZfnclTVehpdTBA6X6doPYAOuEnW60DeTYiUyZVA==,iv:AWTuqd5kXrMsRVN6AROt3WROyjxpgtF0DGVIW8I8tnQ=,tag:MO8GIT1kzHGHDzV+PZW/yA==,type:str]
-nextcloud-smb-credentials: ENC[AES256_GCM,data:RNTaQDlkBryt/HJsOTdnEFSzqiYaZKKn9zQ+t9yXHXgnv4CUmSs+ovkx5lTME8y/,iv:LFXTY6MiseiA+QmMTjaHHW9lISm9meOQaihxUGwen2Q=,tag:SPKOgwZTb4g1a2ej8XrV9A==,type:str]
-atticd: ENC[AES256_GCM,data:CL1A9NV6vJzphXAU1e7fBp5rXLKcR/VcqThKQrAhRm637to10VTK9l5XaqC5ChpLBZ9mJaY1YAZz9k8Vxu+5pifOZ7SV5Ehko2Aix6LlVm8iXmKFVHR8BzUGvjX9YrzjirozfnUPhWCgtYP3Nh+O09xqDDJMQq32AlNf9lwc3JxchjgFkQBFm+shYwq0vIyGdBvbx/c4DfqhmjpQzGxpsVZJwq9MgNZyhPXS1cUChVNF7m27T/tarPs+3zctc8JgwhthIY7hJp1cmXIFTBTzjOLVdiv8X2BD2LplgmUtOndeG/4uQTvs2n5SfkOp7AhuFRdiPhgml4pVLp2TIAVREfSa3mabzit3qNAWNSqTUMOXjuSg/Vqn7zKVLsexIHiBAp6d0YmR3DhHbB2yracf1xVA3b8xtE7/aiSYpzoxh2pzGFzUsXAXPotDVkdDWjNPP2RuUfRysdS3XnmH6VJ1mgNDlqWVzn01lTuOq+PHkLCY0dc6x9RiKAIjRm8NU8rNYkf/F6QgLh68b4ViONgC36jzHTOCN4XVD7rqXrDhDvAc5YItCGem0AEyAWkqkEd0vLOIAx0SOmFY7UOunEB+PxUAcHkMN/91kj/UTfyiXNHz8J5jsjblSVd4BJsIvd08C7iW78tUhkxmpO7KtjFne9888jH+HCZZ38Y7Ndtf32OBtbN0bi+jqyqKrvXqIv2cjI2bBLrn7fhSMNCAYNF/ugh0hau1/0ycKj8fDnczR6XV7Kr/gonje1Xa1XZELIZHJSUbwPVuORkoRk6q1d3Tc8O6BiHOMOrr4tici+ugd8alRCs3/CMv3IJo44kYdfJCHxYy9EKslSMxF34QhJKHqI1zQaY9+RNMCoGo/E2+pYeK9WYsralTn/uF7FHoE75I/ZAt9Txb+K2lJECS/CvRF4DHHE39jXAXUl7NxFsuG4/Zg2uLsdd8xvaAUSeBw1g7bKZEgP6f/mo4ixk5RS7NEjoBZgSlPOry0meqy3WQI3CIP5HC5GiWAD2mzIapia64rdxzsWn2GKR7aWIocn4B5TlK7fYqDJRMaswuYfy3eSfS9z05WZUNIePPBdyVThoQniWGMGVkT0bC2dzv1q2HhPA+ipjLH4sL/LI7VkY/X5GzombVgBm8fy0o3lZgAu4HMR9+ddVkD0vZAAbuJ7kMns6iH/2sdMS5a8eiFrh7XXxY8OHTVC5A28GY0CDvrvwGtIqEB4B9y0i42kvd7dbO6wyeuUkzPr+FWy3bqAVaZJmfng7Uus9VK3tLaTay0+JHIvI4jyxz7S6P7Z3sPUOfAAwEGsHihC8cmVxo5yqAAsjbNE3bBEN5pIF+Z/EJlOzt/FbVuVIHjK70+T9zrr1dt/goEynnnBKll9Ou+Ks7dn+ijYrzZ3e2G8TCfNcB6dXgjng3gtmSG2OtiU+gJ34OffApPFtWOk8iJApKzAtWW/0aiHctMnk7pVurew2XcAPDe2uCHVkPk2YC8PHsiFa2feMxYiR9compCNGqmBjVEeQnkDBdtdOhjg25SSmvQ9zudYDUKHzoq8lssHpR9hQddXJgZr2FpcSH8F3I+TQjYIOt8FSrX7/Nt6zMEwzgV7eosROMlLAdyHqI1vMxBL7GWnKEG+XBQMl8nM6QuvRdHKUpUi6xzruXGXApdy+ahK9hJcaLqgz5MFWnS0fp2PMBA2YMslxpcnyqdjnYUsBjLvCnFbA18cyr2Lw8Z0B+keLxMdh5haigJuinIrj7ltsu/jo7RDHcVE5Wm0Y/1z+ff616WEkxiWtfPVHLssiRa8AVipD9qOICWAjVTySYYVOX6yjNNV/ci2sE+LEb1fvS3kUzD6gyg9hH3KyTxgwFA+7UZsfqZZnBTtKK8RJGUmqO0erGhv5gcywWR7TLe3SW/+Iba8fANr9BB/+P8dXgPAauoGU2PHAsmg+rJlZUIhObt6pCvQCezoG9RAFtePOuG50llOcGUsfYTAQ7A4My9f/ujGjW9J5tRNka5iLXLZCzTgVgZJ3Ep7LhKxYoZyHK/DsAKmZfB+2DEYpbL8e7ZaIEi5vzITR4qAjdONtHdAoyHY5j2GFO90NEJP4IhV41KggHTc+Wpfh/It5h0eVW+gfGdhNOkyOujSYfeCZ9N1BNcE7LSHGEHSbM3R8Db9BQkFm8oIFB+dByBLDY4bHjzRLipc6itq6ja2Pt+C7n4c8nNHjBGG3B5z0QPxIfAy0aUZGZFxOmrztUztWIloI07AlCjKMPXDwkiET/I9fIxijWP7uuBcOVO7H/R0+UjRG8Db+RqdBhmuax5E+2qZQgb2USmy3o8vMuFKadoCPyJ1e/wWii/3lckkTjO1JKTEB8tAOWbd3SwJpp9BuJtftACgMjlAX0l3F7hDtKurd6tKF2c9KAx1lbbEeVKhh6K5aAIi4HkkE8EGgJ6SWIXD+246Be9C7jaeiJFUry2SaQnm9QUOxWbS/kR+oLxLwdGUeAoCcR2WtPWRujRBc2Yf1un7v4YmbngrF0gFNB5H0k+O2Tdswy53aKG4QZJqxh3tcTAVU3DrkeytAlAuFJhUsw07poCeky57Alf13ALkwuAP+oeCLxY+fzBNW9tortVXb+Ip7wuoFwnX+xRnLSqBWZEKdGNzeyjdl7p7RCHCmP3vZkN8A1ziMaEETiwMaZ2LE6sMesfGQbeytyjkuqvCgOBr0j2gQtnUPf5W30JpG512OFjbLDaXVKu54ie2wID0+DAfM9vwvuBd/d8NdYx7P4L1AjD179qCONlWgudiS0mkVrYlEE9Zr8kcbOy2aWnQQJaxRpg6Thy2mcOkN3ZRhkfr5JWSmIQ/Ccoy0Cgc8YQc/dL7zhn4lvfaR7ZztahcHwlv6A4b0Q2E9QIcwxlhDPmlTQP+IJ7liJd9wEOfdpEdPBn+gwi8N6M9oWlgvmNM6UwovvVCQipMNOSIfRJnMoW77DGmKYx0opxw6k7AoFvOXxy8CHo0vV3pd8aVS7uuRB8fB6hIyv8GJSO4etiyJJer9siAUe6F1S5ANtEIRX7S++EEalD3oNwOlfu8I0l+zVCwYPGsjWKBZUZpbg8FgWBlQFJHI2erDzKzpyeYwS0o9aOkmbWSnHqURuPou3iI1VthFd7LANOg317SC1HmVLUs/FN9C5g7ULk9rXqahbGhvKrf5Q8hycwD4TqqkCoCuGA+qL5BNd51QwmWn9mNFj2pZYxCY1/bVJs8mXZMxmC3HlqaO0iPGxBy8AA6hIJFGb+ZgNs06Y1s7F2+6pLNVm0TfKd9GxKIHtP21KeoOS0sjaYmjTf8GlJtMLcEPd1OGJSYV8qta75h9DqIVbsFtCQ9NJlC+gnAN5586sYzLiba9WTEqSYCFN5+pBmjG9szOhJheBTyBnb9IT8IzEbALeASKmUt1whgoJeCPcERYEpFvh8wbVvPj3ExiO1eZpEMxqtK0ZLbD+hMMzLSJW3ild3hF4AhFVMbWgcYKOkNROf3Gx2QAfCF4oORURl0TZ0BHv3YSqeL+DGQwkQcwzYmuWyKLzk9tFnflloaEsi8JLmjKSp38cCk3DGM59BsoVzEG1oLfyIMURlbmy5YD4ANie0YsUXcRaIBa+cPpdWI9Im9nJ/7yKfkBOF836dhwNhIekLTQzAEgNoBEdIsOHfNY277uOLN8reruSUoVTqGkVNalqxSd+6Kj43KnRn+LRftDaLK3D4fflV55ADkqcuOAlMCVQLEC1dKTxGbvie8Y7OJloCPCdy+UcViTNgPjT1sP5cR94b8WjIBXtI0SGdbsOo5jlKQPSDMnxdM1WaNsr2ntcUwmFQbHDcnbo6Fu5U07f7OZvQ4BPpgPrd5dBa9tOq7VZh7g9pDyMvQ1eIfGQpBvY8olAn7l1X28m3ifwnbbjs78sfQ55m6/0yOYqIAaZTrBhXxlriGOYz3G1OhNYmKB7r6Hj5u2aFbyZvwClkX6BHyiL2wVmMNB8g2FlVdN8A+j8a4WfulI70P58aEdrZSC40WjiWjUWTQwqqZQp4nBQTrSBz93Vj8MTam9gk4NkK6Sx87x8b2Aqx88XmHE1V7KWyMvrWvTZutIWl09i+97rgoMwG9CxVQjXYKOHyq5EjZcA5PV16LBGxOP3L/D+pmLspAlscdJ/e8i6gZetioGxzcEQNAjOpjM8fYt7odNP+jKmcTxLSyMgKW0FeSP4gbaV04oFL0E2g1cH0rVoLZrN5g0+LQ0Y1MJJ7XaxGcZoelatSsTS9jsyAxB+uY342JfxD6zmf7KhaKESuTEvz6EQP++uEbT2SsIzCzQk1RGYAyMNHdnEuW97BWqIl4pzuUKgcKujUUIQui0SXUtIo4ojmEJG8wc8/T3fpOTFjIxkeZoDLeQktfo1eTi7BHtjZgwlB/xzI/ItBKcZh3x+tmWiN/GwVKI6aa1/4ZV5ism0BKs6DQAtMy6aWZCQ1qwQl6c6Ld4BGKI5roOgHZ/8rB1d9qucTFyLs6PI+JB8yiu2m444+VpRaOaj2Tk/XN2b1xRukLoKtlXmzdCB06fZhcq5TiH+nLEcZ3GcNc7MGwIxXEAf+fpgeMbDTX8/DbpjumNXb6UbUddrJ/dXKyxgRA/AIjSPpM/fWyutxLcO7Lc9E+dkDyVtRCTksmSg8Cdn5OElQgHBV+jhG8HxDnOkjrBKdXFrpy+gIlHYDdOvce4ao6Y0Os1IwuBDKv4b0/dnhfl7zu9qcp5aNI1QrVSf4RBjuB6XPMd8P2l/khX/XboHklX6YkUCOPKKxd3d9NdxdVO/QRxNCR5vkFIm4s3ZdAo5TahG+Mew10s8Kan/8alosWs2ld+3piry2UYxXKErTKM2q+P9DAIunhoJPt4RNlvAFFJc0eMgNyri1ahYknE/qlhdK6NYhZOd5XsY7x4hmyBZ0QvADuHRjZWuttMF/FuSdN6t244eXnnl+2M52GIWULRh6n1qPZqceHoTRlFNr0pqY7P2Y0WgeHpCIEYmUUd38lTuBhsyPywZ4n+Ery6SWZGU4SS7LLG78zKaW1qQWN79KCnB5wsZjAnUsfh5yZ+afobwUihpPJARsOO3lCmLFo+F/RcCABiMMp/SGVBInXkqK93V4qBwVc7Z+CkE+jyDgvsMjjlWfqs5DXAM7QVuplfodNH4mJtktiBSpyLY3QUrQdx6Egbozb+U0nRuzSg0hD9H0uibVG9mKyaZYEffaW/05dHixZjBZdiMttOBA59a1yo/Nx75MUyhVQ2hNFvRtJXMnkfs9tufyiBAL1D33efM+l9SqcPCiKSLXqtY7JeFUX5qFbAtzfUomqfqgyTc5HbXIMgqLXIU4IhYUZuBbJZ5t5HsSKkmvnrtahBDfPbc3oRrJVahgRftzVa7M0qbdLfrIe2k1adqqi+F8thZ1qe38esQwcGS2/eKkD25cX4G+KOoPIRW/aU4mc0mgg0MdoFKPHeK2t6Fh0s9oDMkEXTrpCcMdynIfJWKl8S5EFjezxHYQyKvtQSH3YKEVxjrorw4ePEAGpoyIfWTEIqguL3/BbJhaIh96RbpxYv4s3mFOGYL39H4tZB53upK+CfLJwghgvtIbkkOOuzCDHixEbWZMdEB2WzA9vVgerQvCW8m80S8kDgeSQkdPHcgujyBWXjEv/UA84gxgNq9/u8XABt5KzVTmyFcPKwKlkR9+iFw/6qhilrGAFcY6H6+0AZ/R7p1xucABSpneAOCsWwUo+xhtDlFvEMhFltcUzKfwiqScJT/SEu4KxANZk2KlzT9b22cHP6UHIMpCR8T9RbkG0Ku4Al/hdbGDm6cqv1rgs9Ofz9C8XuD2UR9HDMz147INXMrRhQvdWx9uwO2HeLLtnRqt9NeFkB4Pk8nEvLmtnr1Qoz85/AvI1bmLkDI2CKnIpb6BFYYrN0TcVdvi8Yc1Q3C9Gym/VOyYArRBuKFIOgJkztIKQD6Vf61dQ==,iv:2xGVI73fNDJ05dyrliwZVynsS5TGqI6SCU2ydoZNvQk=,tag:ApeTDPUTUiq5wSgiF3CQ7g==,type:str]
-atticd-smb-credentials: ENC[AES256_GCM,data:gCyQV9fndo0fUDZut27Zos6vMX+NyHL/UtDpXAQqdlB3MwKhazYLWTGSFC62gB2WKDA/IBxDxr6hz98O5PqC0oiFn7TcVlWPReieKw==,iv:7vW+kTaHwMghgdpt7LMHd0rCLtiR3qydtGC0/WhcozQ=,tag:6NI6ZsaPGMNmWqbxX2Dlyw==,type:str]
-openclaw-mysql-password: ENC[AES256_GCM,data:HMqDZf7+HtW7DrcVaOH43j7Uzb+L2u4LUSaDzajo0p+/q1QrM5jixXc06E1yIA==,iv:yj/6Ei3vlz7CMmLepcQLHcZP5Yk7VQaF5vT59qtVbSE=,tag:l7jtPkmVxxWeRd9jtMb9FQ==,type:str]
-pushover-api-token: ENC[AES256_GCM,data:YCBTFmboqBVwHM9RqKxyrZE6cQfw00SkDRAHucaP,iv:JqYe5QnRTSaR9W03mRk5DyObSp8MdVujoB8LtOaz5gw=,tag:pMPJdBAcii29fvENKBCk2Q==,type:str]
-pushover-user-key: ENC[AES256_GCM,data:bu1f5SkNEn6lHipOaHqWCwoLqaHTJmxb3GlmVyvL,iv:mwERwbKhPv+tgChn/KG9MnZWakOlnrcZ60ffJboHhuc=,tag:gHn5FmY7EAsN7NhaqgZLRg==,type:str]
-sa-core-mailpw: ENC[AES256_GCM,data:aaqDFZwDNOkRv0Ldfr4kq8kU3vAVVN72xymt,iv:prbR+BFnlHL/5f5dOkYOULFiSNTF0HII8QIWDyPw9rc=,tag:ufOTYkuBp70Kl8pCCaUkeQ==,type:str]
-zammad-db-password: ENC[AES256_GCM,data:YYvi6X0iTmhPtDpGrmWldOjh79D4x4+jHfrosPeLUtvQdOFRo7FeN2ZnxaXMmlnguWkfgR0KGWK0We5khasEWQ==,iv:iA8hNG8bpAQO/UsO0AJTTeqzT8C9kqDHwkNeXc6p6ZU=,tag:8bq7aQfwLHfbvrbZzjJTcg==,type:str]
-zammad-key-base: ENC[AES256_GCM,data:VykcvUeKy6112M6fRArncwoIGTN+KXifOUKvFDkhaqhyESJrpkywwTZdnHyWPHPDIa/0mWWYW2jqYY0PNQnovw4b0S6fvJKTQ8zwxeEp50jFuD+1CWjHoE0+ISHykOw1VYZCsHNjkj9nLdbQwwyqzYX2yQajMTPzm5hLZFonsuM=,iv:UwNWHw8GsibhYnV5XAFamHXs0Ma+M+9CgdhT54/4DYo=,tag:McKGVO1XbiJezvkmk3SVJw==,type:str]
-updns-token: ENC[AES256_GCM,data:tm9+BATAW3JVeyRQ+uoJh8iKMkVXQV81+taT432vxgU=,iv:FV0VI6z2Qd2Jwjdfpon0StAkjsg2Ror70v2ijZwN8FM=,tag:PARnbBoc2+Em694nNgoc4A==,type:str]
-wg_cloonar_key: ENC[AES256_GCM,data:VUL1wrSYUQcfcNlDFD992LiXboqqXb0eHCnc6hCRI+qy4+uN9KoJXkQ0eSA=,iv:B9D/WK88xi9kEuujlhaD55PLaQ/UhAa7VU1tIqcYj0k=,tag:3pOkFB3z9RyOv3B5O1B5/g==,type:str]
-piped-db-password: ENC[AES256_GCM,data:Vm9w6zyagZXmTUacWBPea88JFtwBXX7hdmN3sOLA9CDwIcDP1eWLv7nDZfk=,iv:gKS6J2vl396O/r8Jj4/uoa1ehg06nNXVaaMhq9bissk=,tag:4l+TZ/6CJvS9e69Q5uF2og==,type:str]
-piped-http-auth: ENC[AES256_GCM,data:PASSZN28JUCtQAiNlFx4QQzwLcm/ltmWm0OZVMgivXfDqfefGuRhUK6BByTI,iv:WxFGpKZXDRPYTu9W3XI6xm9+6IVOZ1MKjNkcSgUpJkY=,tag:KqDaAFTHzs07JHIy20W07g==,type:str]
-fueltide-lego-credentials: ENC[AES256_GCM,data:qeQ1p4ZAqxjsF224gEE3dKMVUlCkBu4gw5xoBtdBg3FPu1NR4gSkrDmtfVai45GQEFxNG1+qwY09NYFTJJ4aTLvvEBZabdurivoCM0L1GPR2Tg==,iv:YunXwPQDDuS0x3sDjwOAE82KUo5rUGKJLhXP2fU+cdQ=,tag:3nl5qZpqBPgiW9Op/fyTjg==,type:str]
+borg-passphrase: ENC[AES256_GCM,data:rMBhoMpB7qlJYyGs/RCDk6qlcCZaoUDSnWC2opgiJKfP+EXpobmgmjVMupIYDhEQvCWbRV9sLb2k75b0hw+u4w==,iv:N+HtnJSB8Lov6UoEcIP5TY+UBkKIcfX9ZkXC1j37LKc=,tag:xscP0odeh4E0Kor3u92FdA==,type:str]
+borg-ssh-key: ENC[AES256_GCM,data:H5NZUzcboO2UJikEOOvtcbXHjJhBi73qgKP0QdMHwD9Hlap9mah4d6VDc7vT6FvTE1C4W9qCR0+cEAd+h82RL1wdrlxk4Kdg5CTJ7EipNu03kdSO/ru4hUPiOx66qT/G6rbyGrOPASffrZ+AGlpP3INBevDXykRBTYsBPELFkDo023T5nKHSo6+m5Rt8tkyxLkfi8WmiNPN0/zMVr4olCxUrsWyOUpvW7rIMjwwY3eT0a8eD/rGseX4a7s+ZVrRob2C8Mx8TRH8+gnZmD8oHRseXVQcWAAy5/g3adUBFDmsfJ7LihIznc/X+BoSSzl0ILR+3+QJkplr0pV5wWQ6db2YPLtW4XUw+w+O7ZtpbRW14IU348/gfl9W3BvgbgxwseV3VuIG3NUEPXsacbITTcR1QGF/Na5KEUNdNz8olSUfVLpMOUV/fu3THZI2k8/bQFzDXxAwU0I0dAHrobtaBryd0+ohoyuIlHd8a1gKXjOS7XXEzcoBO8JxPplbHB1jc63UP0fjXwGpdj4kZN2k3,iv:2xeH7wQ/K8lM2HysYyrYPHW3kZb9oJecVScgT9l1h08=,tag:3p3uyAHQtdmH6XDOWmgMpQ==,type:str]
+vaultwarden-admin-token: ENC[AES256_GCM,data:6NnJyeRzMeqFHyjV3CI8eclp/tf61WZY+sBhvEDynzmi5BOr9B/J4sU+soslR2sA0K747qoExfTD0gO7OXgSlg==,iv:zHl+Xv19NerAmgPLBwqxK1toVp8dTIagScmz3ffl/ek=,tag:V+6w1AsLIXRUV7KMsLxrgA==,type:str]
+vaultwarden-ldap-password: ENC[AES256_GCM,data:FsFrEleUMdCtde/R5k4+1RFBLJM795anjVs7adQwIM5CQ9EjNtb6b+qJsuxXUGIPkawyf6IzOOC2+injSFPNhg==,iv:TSVhMcpnV3XFnbKVPKauHLB28dXbfgxmTa0hoAc7X9Y=,tag:PI021Em0gf/fg3CbcqEa8w==,type:str]
+vaultwarden-env: ENC[AES256_GCM,data:Wl5JupiRjw+S/Qi68XvE68pkcfu6bBYzP2qLlc+pVgTpB+c4Ul3JJwwmbemqMfG+6oNENFXZGN7UIzPFh7n2ugYbPAne6sEtOtUPD4Kkz6gqca/AnHXtrQC96aCmkmAEtDE2dm4zXz2Sx+ZYyv/NW6+xxTq0mWrj6vJTiu7PHbwR7afqKM3IEQF1aQ9ystsB39Jn9YLLcU22OsnOaNuv2/TpPY0ocUZuOSj6BBdOip/HoFZ9OMxL57q6zsa+aSYZKouEtRcl4tN9D/fVfdNPSvpgDZiufFfV1/V2WsSy3hGy6utBb2RhwjQsMEKgR4X4pJihkjj1OA==,iv:nd9uc2MJx0F3X3n6t2sFlckVxke9tba8BnVaaisCNlU=,tag:pKUixSSNutwCaj629YKzwQ==,type:str]
+authelia-jwt-secret: ENC[AES256_GCM,data:x0Nz1NyKheqm9bcBxIlhfbv8YjKouLB0RmnGjaQyiK/Gi3j39Q5XaopkmVyeN7s3hH6NmQNNO8QATHHaKFar/g==,iv:0U5KokwAJME+0D3TyO9fG0csIBnZoYwNlr/XPOezRFU=,tag:3FKG5lgvQFeHaJM1GFBhOw==,type:str]
+authelia-backend-ldap-password: ENC[AES256_GCM,data:Cgsz6VaRWz3x5o9UFSzkQvJrHU445XEtx9v5zHevQbsbMS6hv/DK+qpIpCJ0WQTSt1qRAl3iBUfTWI2lgaZLGg==,iv:0Ls3tFEP4g2EdCcB/ScxaBrIyJZGNOCpQV9NR6trIws=,tag:zQuqar+QaOi4Oq8v1d7bSA==,type:str]
+authelia-storage-encryption-key: ENC[AES256_GCM,data:eGey8lVi1KF6dBi94YfRh+LZFf37Y5wFEBvyzQW1Uf370N7LALKJ+aX6Zg9Q3FeO61IgefhFh3XT6gRpSZCAKg==,iv:GQw7sbSgjv9GiMYiWYYcCJ/EtDZpoGlUcXJROYydrJk=,tag:kD/Cmkgd19zDLtHKiob82A==,type:str]
+authelia-session-secret: ENC[AES256_GCM,data:ZAvO52P18vODsOqOwGRWp8Th07ejyl4s+Wj7PkeTDG9iuaP6e54dskujr/yb9OroODw5x4HQIcLvsSsOYosReA==,iv:GJzcEhHw8qqRIeY7+HxnIRccGehjL1LB8TyY3rsQNQc=,tag:v3gb0Q+YBVwOj++Mjj+J7A==,type:str]
+authelia-identity-providers-oidc-hmac-secret: ENC[AES256_GCM,data:dq+bbbSUGM50xPIlezCC8q7bmeCSDxszEGxYU9Kp6Ntue3x7rKBRI7KTVLHl8PA7nKiWl1wyVNBGsaamZrkhmAMP146CHcyOse5CkZgTbZsGrYGBGtBpMENPVQazKcBMY8j1FxgfG5G8fwNfLHyZ18a0HfoZ2lFBjqVieG6WDJU=,iv:+eujOVjyyPHeBlfZAx6DtfwLOihRApbagO/v2vioJQg=,tag:/GJWT83szC3Z4TTl7lEqKw==,type:str]
+authelia-identity-providers-oidc-issuer-certificate-chain: ENC[AES256_GCM,data:vDv7K72jkfzPcwKTwDseOKqQGioOISMkBJZ2HuzsvvCCD9vLVSz+iacGgbEvaGzkZ+ol6gToZijhu+G7veTASbTI4JrDDWUNUUThj5sNe6wlDfnFfBdVSj3HPHj0/bNpeLiVQaSJBajB3vn+2AbCCWEccvCxlwc9dOlb16qAaclsq4eobm9JBs8zv5C7XAR2OdFypPfRraIrCtaJ6FP28fY5J+XCISx15uP2Q1128jtDKoFmKBEZkUzgiqh5VlTe/lRYrabYNxRcYbyL4YaTcQb563BButkbpuMHM2SwOu6/90WnvYNoqNbS3nFe0l0qF+xsIjDDBMzXzigWvRIQwvtcLAR6ceN89oGBL3WnlRbT9A7BnR5zrQU/3l2vmche/MN82pGASLYQrBJQq2HkKe2JOiKJ6d7My4RjDaMp174DVs5ZKOyS1MOWleG2ZBHDHXVmipII2QxqfO8wq0i7DvBGeQpbs8Bw1pS7Jo2TId0djOYbQs1R6Yn5lxI2EdCxD1kw2MwJ0AppKm1e7f/jAzYj0CiAsZO3f73hDzAVODQ0yRWnDrizK2X1F8RhNRtYW/a6TRXPvW406fjJn2HmVuVV1JVbN1RAyih4BzzF6FS0UWs5Bt+jWTzV8QJq+V19doDs1KZpiQnEvUd5yaQfId6jOaLtkwenLeYNrNXsjUjmtqOxYlQQZ6G7RNMdnPeU1oiZXnL03SjTIh1Cm1hs++Xqd6Vz4Xn0HpZn/8w1QeMAYAtUDR2TalzWyRKrOUCv0BW+A2QEvgqfBUe9kV4IkLFbpPic5JNMTgGdPXTrxc2gThrxDv0C8yiO9+9Eg5Nyi0NBqZGdopkPsN7KGqi6RH5frgHMboGz5CJfhykl/sA0t+62rKYzMtt8F3vv0WR7Kl8ERMcJJbFUGbnFmsYo0wT4x7MccByMevVZY/re6qEhTC0qqDkCoC1zMJkd203YUT24/gtdAU3wysaCu3DaXogDXy1yEcgGGcBDmRFUu+4sdmBbcvqjDtusi5b8NAdBDGItSBdqrQ==,iv:yJSMoCL3YqJk8QTMfNWJDPm/AzUov3sYBW4CUDw/lWA=,tag:bfmW8W6yF4NftGOlPh0p6Q==,type:str]
+authelia-identity-providers-oidc-issuer-private-key: ENC[AES256_GCM,data:0LaiIknTVriyiPUzVmJY+yPHqV1Mw6MDZG9Dqmy7yXAuY/YgM1Nnr5PCHKjZnCFcR01UCGbJqdxbMkOPbpE9iEbxlelq9QxbuevsaWzHkip/EvTTPjYLzl0ORN1hSqoO6DCmAnwcz7/Pb5A0WmNArwUBQSHYBKNVaqEEz0iEjRze+DvQEPc/eF0teXC5i6XbKCbG7HVWbt/k+V4geW+VhTwtgn58mbMqzgzYH3HEOEtZqB/a2Lv7zljiDBGYNbNIyO2DarxHk9VLYYcQU3remQYxJ1a/4GcLf34z6n+LuXUBpbv3fktKBja1Tlx1QDLNEQG0qjmLL/Dgv2vyW6v1M9HKin0i/coeueERqMgu2MvHZPHpXpFCnqzHX3kYArtuAjL/vZ/gzTtRvL0hBTnDSJrjAXV9/36XYxHma/doTdfhcXBzCI5838UXmgACUtp2xTG1JdqJiVq5LqTW/reFT6hSZOjk9GZXov9CLbM49wY66PhXqKgImLapz9RhB46DCFtvbU5D5W1dZnpawV227zOsklKzLgDdYQ6SNznLPg+qhn60cSTApvovyq+clIlE9fCHOfSFa/qBjo3i3HtOhvY/e8Tr+H11OCI2zA9zGmZWF00IHffaMINrhXOloL/7wqn+mW4KvnXwGPTd2SMbA2YCMJoBiXR0SWTCg0kaKERhRP2FGSOMno0kJPN7MPc1ZZeYRMdPIqM+zrGl7ZbJZF0jwyUTBnh9BiSvFMmCdKEniIPbWgT4nW1v85iRnkyylsUwr5ivaiaUxCEFl0PSY/pgt7kXRyUSov7CXynptGQcmGbynebMEnTEe7aciNzfZYFwtuxu803wtsaudObXKKaqEItwCUVinii96D7G3lJn00TksINVAhRpM6lc31PvHqh0VPgoIIPl+DkqDQujYjLw1bLbpaAOFXp3w1tyBxRAETZfYJJiFOa5NcMA6dDF7IBg1tBig/51czb/D0jw7vOQzZzXfEnDHq7yIzHXwjmfP+tNDUjEoJG50Qhey3ipUpzt2E7wIkdWGGsjgtxuWYmauZNRW1S633DAbUy9rVjS6L+0kibBQCyl8RqadXsdvcrrSM9F9+TRUK4CCOC+Hqgw+qcg3SSRooZGavMBU4W5CImETfeR/+8HQTF1HA3I8tkoU3MYxWt/3iLWqKEJ/BbX1VybtIO3zSlTUbioHhwy4IhiNasV/zy5UPHAKVY+r4btJgWhfkScX2m0+Q52Nm6TP1JuSqqGe6EkNQZ+bO5aNQmSZV7sP7W3sfOnOd+xHaf6qcFalJlL7HmO/Ua1xjNkxG8Fm/jAV6gmkSwirb0MkBlcfjhkn/NW3MszOxX+tZXa2oOLXFHpYnPKOxtuMgNIgllIKT0vLclyeISidwpAq/ZzO3IcUZEQQCGwsLFgB7Po2iBKS7I8Lrd8FLb3k8gv82rUESn864x170IaMqfNpXGHAQkGXyyA84ovmanrLr38TC1TgAwOcbPFFAROs/EmqbGYJdR9UpL25IPmtQzpN4MeC7pmuNxAjX/sk1nf8MftSL/zPgQGo3XTQ63wT7HmX0J1VvXq+rT2dcIsUtyW7FiMPPFixLiGb+5T9hTyPXk3ODaBRIJaGsKhAzk+xmG+QJW10JZzIu3LyE1itMSgnZkQtK2cRzmr8qd4bpaXRwNuMpDEqfD7/MSCGba8n5JvhZROMfnX9ms+h0L5zFrp21hIYpx6P5T0lW538kesXktZcbF0guiqxywBauz8HGH8ug/yVZjUjQc3/qILQIaqtac5m5882XDOndqHyJ8+adRZmFhZscCwkv3eyXTL67X8ogAmPymXmAvID6cyxt/BwL5oBkZkERz19YS6Y6O8N5/0uiezZtNHaYcxajCA5N0EWYP1+4aOkzM17Bbd/Byd+FVhAmrrzDElLBEH+aMlkSvpZVW9ThPettr8jCBJREVjjSHBS0dSrEU9731fmIxLfPu+7WL2GLZCZzv12Ko6E+xx/5Ixi1R0Ov/LBtH0wWRp8elXpbRTXXYL5uv/sAVYzZFCfst+TjlnOq0K2TUg9dnqAw5dgQL+1IIhW/ONB6QRSMosf54LivwItl5lGQhI64NYHq8pVjQ5wTzFLdqiCvm9AhVhY4aR5Si95IQ9jMKlvhlCNvjRTcL0YnEJjd0ltwF9LcgY9rruT64VomfRkkrfMzpRnVVQCluKrWVM8wxpxCn4v61khBKzliTv+LeRrNQxplzA8WsN+HhQE81rbgF+jqW3lIOXgGNfs7X24qtaJRn2B+jj4frUOHnNykohKr429zbrTRCByWo3pFSuyLXmBViyKG3Qz7TC83sMjHYXYfMFJDsj/ZHpUZlNiYY/pPvv2cDcl+8idk+agueLgNVgNtVjYSu3VJ0IQyLNX5DEK4tOk7JIvzxt/DZQ6bdPwQ010WzfewfdT8el1DBxFVsiVHYDR8WBorj88G2cspeGTB46cqAy6/pb7bF6DdZ1Td8p7T9gaQ7lJgvI4T7OkqGrVXm7x46PfYji77LmiiSfYJ2arf8JOjhV78BknmIzcpgd+KMJSafdZS+Uc6c/sj2c2vNtAE9swQRA1mS6TGZen9aJD21qkOVz39WPbBcmjihl8vASVgzRoz59+yZzRx9bZY9W3tUbTbj4X6ypac6jBfWJ9OowIYMYHVOMOzCMetz8CU1B/olxZ4stgqqqg3fWLkJTdKpITJHxqzpBGOX0kDYP9QfFWBPXB9hofxbpCw5KtlkQLTm/Uw0xge3YuveTmfmchRnoEZQwQP6VncS8FLWAEBBBgzMOcCyNXMOqw56whJkwzpaqT466/QR+/Z9MbnWMvWczW6xfQkUgZz+WhskVOFywfNQCqyhm5/b7aU7p3p8ItpuxNLFCiHINKKqyM1uSM4/tIdGDCrj8jrpeixAgCA+SjW36CJc5HPxlc4kvgjhPJ+XQBc0ln0SCR3WQOTH9j+0Je20b1qAgnrsfWKzdmQrS9y10/uqJ2xM5aVzjKmvZ2fHgAHg5Y2fIFHKKEPkIYvFoWRrU75+vNVDrfZHsysKfnytwTWuWQuN5J3Z0wDpcJMdcRQbTr6juIkUj7HUqiyZzah344ih1xPseyoVqSVc5IcckG2yPPFraV/XIc5DsPHqvI/FsBYOqlmHKCUg6AF9A0yjXEZNnL7wGFkPM89+dOL0wZJOEv4QogwZGxJ42Zt3L7WO2FZKSjUQLJF+eDUFTM7H9RZI1oinz0HbE+ExL0E3yRoUO4jMrgeavt6TcLFWKYQrqJcRVBCQIhK1kTw0YtkE9+HYM5FG6SbTfMtisYngKPBc4vtfvzedhTOtkB9hfuYMJUnNJF3AaZYruDhEqbeZzfT3qAFu9gvjrsdSc09JSEnDr+vj0fPC9wHt0/6YclWSdUT51v4GRHboqO1xmAKXIzziLvQtxuM7DsbXnrBwj/G0wNVKbRZGN8uQSUDHYq2I06Nt5OyhPE/OFeT2OYG6fcqaSfavYT1xdti9u8MFe67tLPdOvfOTe7qpqBQvlFbWM/xv5HIgnKrAhQgNrO5sv/AhykHMiazl5bf6Aw6Qtql6rRygUWNtsbhFpjvglBwV3E74VkIe9fHLauOxpgSBUJ1F527EYq3HdywHs+YBpLXge0ghI92ls9eajAH696cO31F2XsZ+Yh4p7/6FmkpVOfY0hpHB78+vsUJn4Di23E1PTPDz+hpi0zglNBWwwQOodDum2d+fVhOYox5BhoGtlNtKudZHrnWFhgkhztuGfbAspCu1+pKqOlsio6JGe2jva17YO0QkqfmlwI/sClN7i3E2GwPXer3gCQq311Z+PbsefOYc+L3BOqzdGklnkQRf6aCeQ/AN7MSTp5qycgjc4zph8fxBIR8ZCrHLmYUMAgGtXnb/4LkJkXj7tMIrLeCYygdwtSIZPQz4Y76r400Vjqgn/00GkjfcsXZw8EmRz8eO6r98d0RKjuew0YpPnc2C5pwy2bd07A7nwcrUpYzCvrEznfwcmKMuw9BATvlPFaC32S83caDAEpoXPYMHs6PgNbI1hj+xX/+h5vqZb+CsYQe0PBSQ3DYg5CQJwvDJQa0Nr7rwATkDgDIRJ++H1IUvzSnMxws2tzppa/7fQq+7NTZyGLUZNrIR3LnfRH3b3Ft8yjDIcBQr/IwzNW7av7fT71bZvDrK+Z3/U4vW0pZJDeirtTUHd2OJ/K5KxFlaUnk/phk8BVdPYjzLlJVICwIKxWwA0OVMC8VbeoD0ha1MH3L+52zGylTn8GegkJJe30/c0O7GSoSdhM2Lq1N/FSq2E/tZdxwuuZA5eaGHP3LKoUFeRVcy2w5++3QlFeFyw,iv:xhRZCGaZQLROHKdqB+etAXJwyq3zKP9Ijfk6oNq/bQ8=,tag:eOujJ7P93/PiDG4dCtiqQQ==,type:str]
+gitea-ssh-key: ENC[AES256_GCM,data:WIZSMAhApto3U5YiUN3XZYMXhCIiHhvP4kMxib134YVnqDYLnSo8EbYlODhEYa+RjNJsqmmFPjMqDReVV3pLbx9jj8tVH29kOviFFmQsAqJdIGuBr+2258EPunHb7UJq6CVcxVotxLtqYDONh93jKFlSRpCcRCXLzTYYCKUX9hNKxauEYsasUpnLBeolJLyxmT2iSTOoeFy1PMbQHK/DnwkvCjQkFrz650tz7fUZpQAz60MyYJEobHO/KEi5/ojPTtHa+zFaGkeflesNvyYt+LLIYm87Px1ZO/6WphsL5h2lIm08ijVC6OFqZPqwAB6/FcuGGaKcRGSGcaQj2t6dj+PYtpwZdMvCRkOFPTus8YOa6G+El38EGbX9lIgwr3NxWBg8wB5MFkMqMejHG54oVNggAo5V8S0vFk3PDK61VJcj+6oDJCkrxYXcveLWvnPyX8OTkrUGH/SlfDxehMgXXxwzoxmeSi4mOrM8hSeTanj1othvsDVbpw3eqAU+3aIM6mwie2lhPWE9GEewshVM,iv:ePKkHOBU7houlZqXJ0xJQtAW12ebaKxosckuKCF3Tos=,tag:Cn5/BHy+e01a+hE7+abPWQ==,type:str]
+grafana-ldap-password: ENC[AES256_GCM,data:YiqH4sHnihnW0QtN+a6CMO3WESbu3PHTCd+9Ft8pxxEQ9zqrFWiPAiBOV/FH1iCKlTEWEhAnN+7/9KpxzmRHEGLnGSf5+9nU0cSJKOAEngK/msLEnnkbtXH7jlf+MqU4to39IBdqyC9kIxAjD6245HETkcMZ+ANmL7fPh0++HG0=,iv:de6Mh3BT6MgsbtDhrxnBJ2MjiwJWe7GvemhVz+kGPJU=,tag:B8zuU1NLFqBAvyK+4kQhGQ==,type:str]
+grafana-admin-password: ENC[AES256_GCM,data:bHUtdqy7yqSD6epCW7VT20djY8T7pFZn8a/iWXJidW5z60T3vOEgHFtUwjcoTiEDgpiyNuIxVAu6cUzu33vRwo4wzHCljm34yikBN80FblYFaNITCGKkR16OyWNxwFQmBDNjRQfxMKOySNOe5yGvKJ6s1z+uW7IzxZivXfNL7Lk=,iv:gAgO29Bdpl/WCXAxIWWW+0f/PBB0Eh11lhyRovIIyAc=,tag:5SekGoele8eafy4Ae9ZUYw==,type:str]
+grafana-oauth-secret: ENC[AES256_GCM,data:lVPYDhdzk6tfaiSy3PS304KViP/dL4GnT3YdG7JePreTNtxffH4wp/B2iNiBI9DnYLpligI8BEf6Pwm5x78QfrSF/EDMpG9J,iv:odF+9FdvgGv3+wfopTVy7yqMDhXcwuas0nidSGP5Y4Y=,tag:x37fuRuJDV/bkmebhMWppA==,type:str]
+linuxbind-password: ENC[AES256_GCM,data:N+rQDvW0RYG1e5WnwH8KA9Uhvz+JbcV1PJWLA4WfI75cnv1nLSbNNG9HK4LIoVEnxbnprDlBGAYsAX6pRxYmEw==,iv:mIkIQwGKh8OiUxHU88IFJ5UL1U9HBOFEQbzidWSEMcg=,tag:tYbaDL3wADA6T41BRH3wzg==,type:str]
+sssd-environment: ENC[AES256_GCM,data:beAYPtMjSDjlEkQ38iXebmjrWM1dT3MADYjWOztlOkjCiQkivk2BlAabyu3yR7AmM0EmhtxVLu51rsJCfqMIHrAq3AzJifmGWfzaP2wnEACx5w892p8B+w1/Vw==,iv:Md8/yzyllQhirqG3zIY8Gt1y4O1vjTHW9jkwudBRfss=,tag:vxy8boNgMRXf+cm4q25U0g==,type:str]
+promtail-nginx-password: ENC[AES256_GCM,data:8c7dRNmocRFiqPs9wqwufuvqUY8dfuEUBgQVd6BYfcwizdL9fhBgrBQX5MIpXWievkQi+MNE7d7hsg==,iv:5o/yCoTZ+ppvG+JVSWsMO0OskyOXcDtZ7L1npDhRvM0=,tag:VAIR3cdnDTmkc7Pl3eMW1g==,type:str]
+victoria-nginx-password: ENC[AES256_GCM,data:rCcyr8+Ul4JOuPi9nwOq9cG1OSdf833WZGo0fJHDjuEJB7XVv1TuAOXk+5Tg27ffORqPBPQ=,iv:wAq4HLTXD7jnTnt9foFqVdUcNytMbOI09ZidzlbOkr8=,tag:HQq2avwBZ8XvsgDDP9RS5g==,type:str]
+nextcloud-adminpass: ENC[AES256_GCM,data:8pekiDF8WuIgvQTWcdUo5p05tEm6W1ZAO3+J/qoBwd21n/v/WR56FK6+ZBB4TFAnV/X4mvh505+a9QmgmQkYjUZlDQIJNnlSID9zRRSy+Uyp3oXobfX7usr4D3zRx9VkWBZ3iCGi4/mZtZSis9RvrK6U/ToPp5S8XsRfA86GCSc=,iv:kXjlSXSVYkKxy16p2SN4qUaWWKuigKVIxyb+Y5iEUCM=,tag:BXgXSspPmoomdAxqBbXV7w==,type:str]
+nextcloud-secrets: ENC[AES256_GCM,data:j8nmnKEnxsvL+xrrvPQ7BiPluSyfWDxGVPjkvUvuRv0CTJiGlXj28MgagoVy2WfqnwteunYmGKDRAlxX0OGP+f1gaByKx08nzBVgIftg+jFcKciI4/58zEDtN+DID37Lqx0wOAqh00wEgba+4g==,iv:0wAODGWOu7zuzUW72Q7VFgOH8UoddOU7z1EGDrR0N1Q=,tag:T+4xQ9Ugj7T0ytDlFITidw==,type:str]
+nextcloud-smb-credentials: ENC[AES256_GCM,data:cNAb5pxUHQAiK+uJKnax/VUsaHCU+jeOK5zOrBMmDKEI5SaYHVmhoHFg5RBNjfM3,iv:A5Km3o4yU84r6M9ZQY/uYil6/L98LFOC8lpKnwHk+64=,tag:3byb6eJkMLd4YITNBZ2Xhw==,type:str]
+atticd: ENC[AES256_GCM,data:kErXcX4CqS++kj1F7koEnaKQNeIwWz6xZBnFJTroNlKTTNOqE+2lwjfMKMDzYx4uB0DpmsYZ6rNDb6h2tlVfp7yOFrHx7ZK/+Df146/upvtqAb0ib0GvVCpoWSS2MRWf/DfCOzZKm5bt9xVpVFjRYl69gqs50cDDpm4Ps8Kv5a5FgeoQzqIvZcYOJVLchrwwbSjw27c3JI6tHSZtApw23EF4QDr5cNcF9itiiKvanU1W+hE634A346UpE8L4SKgXMncW5Mt5XTk6kApkXRdBo/bTLOZZtJ0AmTpfwfKwJT07sBSO9fTtVBtc/hu7K4kds+dpKeGKZb/4qDcrsZLHimuFPeHiMXtDJrATnqjh5+d51kN1GxOtFZw97rVRBRaKutImqu0E8mt9coabGWjNORqT1zPtVD8TpmNZIPeYcXZ6pU5ZqF0huoVBmzrJ2cdqUZy4W/fKPnEnvQ54mPFdj03p7RWoVPNVYfcEkwS5zuN5Yr6eqvOWuzAbPFG8q3tVWvIUysQxEEbz3vMnBMpbekqAPDFXTlJfVvzjUP9nXwgKZD7Oxzms5avhyesjD2xRRAIZ1hGbfwT34Gdoa/sY9rqqD2YSP56xVeMIqPd9uPPZUGKNvSnXD923mkmZgSzyboocaT3jA9ZbtG7gFK9AUrhJY6Vo+vgraqEzMccqNRqNqXyitBxIwkMdWpwystIYgVSW++LMJw1WhqsKia9G+8ZR61EVjAHVMCjFZ7E5gCZQ4i5Tuf+MtE5mk/XHIXmLrs7HTABl+8tV+KVEU3tGFrm9iQmH0Df6mExg3ubJpekELHpuhsXQ7k5gRu269U6onz96osAEAUVu2E78gcg7C3OgwFiPxwoJEnlFFnXlyX1sYA4v9UK2AyBY4aU8KIuY3VMSIrarAYOK499uAfEVBLoeDMjbVwH6cRjOeqgKjA2NXkXfgL6nF54TwW6uM8AUP4l61YSAmQVz1OVm5N84Yfdgl44C8ydEFEShdJ9YiurOIi2VcsMtSbfSnPy19WYf0pULsKsKTurwjqL/JOOkr8oLVNFyiwHkhXk4XZGwyS+eQqTgVNoF55t5PUzkUFEfv3VoZH8CIMU+uxiJFPNwnDWYHCwpRuolcMpOEb3GmYjIxbpJ0zEHVTgns/P7FADQtUJAaZr/Yg9Wnl2k81YDnVzkxQzETstnY6Tt6UwS72jzhRJ3YDTAWo6GW2H91kflLluUf/zzRo7N7sWN/EQ1mp7vVIJfoLSkn6H2LTYCsYlFnqIFN9v4KalXLhAtYfOuC7pGwn6NgDVPogyZSZ7TjPOgYuumnWAzRFnxWa1Oy0B3fOhSq3pFW/cwqSZ6yb2pL8d4gb9JavNLcdQE55mr83fy549GFCIS0cQKpg5IVNNZqeSnmEsoVKUcW0agKlV5za3x0vWvEokKKXxlsLqRjWPOzJ2plhxtyjeF+j5BNF2Zpd8ZUpIdbDDgqmgYXdVsh1qHfLLh2GqateXg6Zio0eMH+QLhGMVPF0HSTAklfx29etorY3EU6bymVWshE7BlwbzAmbj7iNUHbpK0zW+rtBfnRU6UQP4WDZksUGxJTz4TfHKGJo4sINpU1+sgzPwxHNcRqnF7crCzJIb7gPYo8b7FymMMUX7+fJAmz6FIiWA/rn5SaTWEs3X3w/0OGJXYNUoollr0/pPSKHWAaV0Im9j0m7kHp5sBSnu3ifGijGCchA7xbFUfMmS9vdCvKf9cBRNdnIFdGnOH4ojixfaUpyv2KS3rsO0qzntzP+RNXjFen6+5EwvYZfmeM/iWfWQkaGmwSL36Y/mNREHPh5CrHoIcoXGO893Wxc0dLUlX1QiEBDvam+MhsPx1g2/4tcNJx/FDldIYA/QiiukSwl0u59sxQanJDq8Dnws3V/7NwtFlreSnrZiN+B/HOTGIs9QS95B7TJn7v3qzM68TULaGnU5VrBIMr7mUmo+wAAzSBtKMg4Fx/Fj6tXTGgDjnrj7RC2fqHQTnb2E2zMmOaMjXwii+XKD+N5uO/FOVYCtX8ga4DS5IymZCnJf/KddYz1KBrMcHSPrR8uorrXBxnKmS9DOmquWkpUvaC7KZIu+U5kqTO3DOSKXN0imT4iRC7chbbYtp68fzsDSMROphIQQRKyqh/dTDVa3pGqPKhodvWRfcwSiVrLfoCZY7nPWgAUdFQejhpyNywxPlvr8fC+W8o4GUrsvFR5we/OXen+/wT7bviLWgdRP8pBFVPqnexKUTPY9BXaeuj9m1hJ+OaBv7sQusQAm+mJeRdTFpLye8Z+xVWYje24CdfPRLD1Y83pUjynCEichiPKmdmq2sK+sIzq5udd7ur1rc3trNTqv0oXVD3cyKUnFvagaJMEagr5Pj/Lp7QKe+d2+KrUjWEn2QzACqyJGggaqF738rPbGT/BFciJGQee/aogQVkd+2HXezQxigmxSuXNm5O5CkUh+cNshcVTQwNDFfIymwcNRLe5mwZ8yRJC1FDaGskHvf0l28IzRVKXMW+IYKti9dSCDnflzLEROv3pOlOSXu73u7bl2P3MJuM5PS2XAamV1Yd/ZHM4BYhrDzMzlrpavddCq1Xq4f9LbHAEAj7kr4LTPhGOajQLfdJqaJ+2nVz3R0iJ9UUzSh1RnJKKTskfL5KlZGfInHfTOs/S0QIwKKK7h05fkCtyC8EqzRH/Dw0dGP9GSQSauuMGaacKNILubTv/M7300lXAR7KkhF0JpZMPspUmQBpJh0dOZIO9A5GFFZ4vzlLvQPeegwlvVjxA+eYBkXio0kqh+KykFiRPXSUjJ+igvWGgEL4VRVLU6cNyl+10cloeW9ismzKfKh4rNLE7jVfVR+Zf3qXNMYGBMNr3kHny1wZxSMd8QTrKIOglkUcw57nDKpX+zJdkBXnIuvQAEri8ZqKuJoLct0SYeXt2v9U0LMEiz/k7lSnqORSKQOgd7raxXlo8b0Q8zmU6F6Cw+MwidjO9KMVBNWBazEOifaCNqbpzV7YGpJWyZ7t8JvZIcULgqQRgR17SPcKlKw5E9MtxYyK+0S5IcwrFzHFLRNp9x+fu1UNDa56GY3UkjtA8u31xjWnOBEV1e3QaDwTIOqSMYhbUNGYopAawpw3krsF0Ws1lpHbvYIA7lHVyHehZ2JSEMdfJqAiBEDaM6Ekbke6SK5E3dINoQvQUoah/cGOLUY38WS6LYu7mg7wnPGFYtPfA7Fv1FnJ4PQ8dnkJHIqr4yW00ePm0TxqZL6CDqd/EHQGlcorUQ0/6jhcHy4aYJMb9zJ/P6Jh5/M90vRK/XV63l7BJXJ3M6qcB//EWCQGAgnO+Ot9uLYY6HwZJPyABevh9I6wuCnlL6S/WcVysTQwiDlyvcOKl0f1TThE2DFkwMg83jhjm0ToydVZr/0x8WBz28AR8RPMfnlDWwSaUaZ+H6fvKmM0nCsLnLtYcfSuDsljo3zQtWlDAmtUSw+CAuk7SYBNE3DB9gbr16T6Z++EbszKYRxi2I+YJQJVx/DwsmlD1vx5ZNSfWVBselKyYpIkCqyH0nr0tf11KQEUzSZN95QL+QQqMOcHxR8uXpXrfDoQvmuNkFExhZJMB41T2PoQCBZ8jL0qNL6pEpbYp6xugtvTbvAcixzM7vcKyS3rvb3ZOoAay9g4kFYvBbr92TqVqJ+MrgmCgiJWonNBQXC+Zt7rGV612szJdWLYO1tIu9i9RIFITGe7ammHbcBkqTBxbzuhwP6zf4ch8T/13/GxqSnJG3qPxb39eSiOTcfMib2RKgvP4BARMl65U+kR68W76a//OMYU4Y3s3iy2ZtmhrL6gneqYJPPI7Nz561q6e9gssBnQJxwrYHJU5FvTuan9u/p1f8QxqR5y2y8AfO9fpgQVaUurVg6lfPsQrg4tnVYgLICSJCkPjeoIm1V9HzzL7AY8gduyMjzzwiLa5T7uRc8oNjD9WVjsnEMZa9olLorLLGRR/RwdfGOgd5XN7DHZ5uB2z6CpE/bAdmxzNiBHpaVT8qasTsvt294zarDBLZmpA9Cxb091YxCxMHwz+KLGjwwlWrlVAnYy/qjatb/ry1IlkSG8BfXydLNcPOzVN0x9gxvYqAN3LjO4cgZPo/EPk+4FXy1FPuUFjcz6sAwnV6m3vQ4Q20me/O0pY78dZwk1bkNC7ixsfx8Ua8fFPOnG6rSiqGWbRiIyBS4MP+KEO5yuqtUhK5a9KnInsp3/Vn6Im+kUx8gSGqxxmxioUTkL6zscVp4rTooK5DXn9KPUEyjOxesqZfT1VUYIf0/cQ0zircsz9evdpoyDtJy9q7SeenlgQOXjcOMttdqKhdRQDm51YxssENEoPSavJt+dCLjd/9HNmuaeM9QWn4RcQg8FcaKb+6gdd+HzyTtWQRlc72Rm931HNtcDR2Nzk/pk8UlggUxWxkWvPcMuSqJVH9uWi9IHfiobdLeBHOQdMj2l5SG/EqE21w+Q02JGAwKDxGcLMkpTNV06hQxKTKDM8lXZJEWSEwleZSCI+ocpcylFAWmXaEm2jzWN03ooI951vzd2qPczKhPX5N7IfSwqMY0BXZ1O6BFA+RQX1CFa5hN1+jxZ1a4S/ggK/UN1zARQ9VOjh3kjYlsrM3VsDMpOlnvA0dLf3n1cc0vfwV+LaM5S0AiTXgn52wU6IyEUkFp0/SZ4gL7eSJCzKIF+KFtR3X8wDjw8VO7B6aFC6lAJkpmbIPnju8b2I4VsqBmy9tDE+Nm74i16CH3kBIKeqHreyuUu9zygUZC85G8aPTahB4GEtEwfXXeFm7PnaXP/lq2VLBO+fUJEFq+BB/28YlmHNXG2TXGq0hJVoBIzxA88kIOISgwj3RYpzsJMzq4J3kQLvpHpbR+t9EcbO30QprwXfaprt6AXRzeYfwkF00byM8mFg7GZTu+bc/ERS2kh2a58HB8LWOM8hujZ7INl8BWWwxL/5FHUMf75i5gF5ltNeU1xAWIfzjQNz82aOvPXUXFtmgk51A781ezvJc+CyIIWCfg+Zr0bBNpzhXQD7oXWpRZdotFzjFqoqxH3B3cFk9Fekuh+VeDcsHvPIeZaL68R6xHh2AYobfbH6cpTd9ZpHaNH4vw25fa5fYFHKzl4I1KtvAtLdCCL2XZhcc9I1RCpJBgBcYEVgepScuX7sjQ5+ieVnObY/BFbyr6BREtZrpqOxXT1WtIA0RfyPbWYOCoxFatKnAmoWzA5zUgWDVNGwX2iROc0k/qRaoV7GwbV6LGhExc5dUnbDEyiePZoeAt9xDRt7YWBcl4zZ9z0VCICJFRzCGgtAd1wBB3pzwixTol/y4PP8ZiCQahw7F/ciVBmBEG38K938QMVdT/MrVygNpWzDH2Pj8S9wTrheAK4ZB+3KOHyB13rVLLiPvQ7tl/kmHditS7bgOIhKYQF93yYaRpY+SGXOmXZhF3HC2hLaAcP2WdbWJKHKwl7d6xRdPqlCxsmgqUqX9aEnhuinuDDxmko12WPPwyWnalF0ag/88tnD7Z/pI18HQdB21Y2JCJdGTjXo22bKfers5Wl1+XYzb/H90pHK0dE7p9tm0daKNro7s06SyoeEN4TOAwweuyUcfdlbX22pXM3x4VPJEIGHD5KY50v+MN8MWYU33uJ9cMy493Cw7DaN9dxR5HQdDVBcwI0wgv23sOWaxiTYWtf6NhdXB2D9SRtOrOAjCTUxVpuAM7YBEGONUHLDLiZQZvX/tTRZzxocDpWmVFMtco6pBploO+nSze6Hwz7FENyMEKX5Ov5LnM3WOzSRQbh2gvgntdZ0BinOdN5kKXX9fBOuDZIpTz+Czvk7vLHGundV1VZ4n7ABiTSu8Oo6QQiSACR78b/ElYCXdHChp8kgwKDRmoNap+g78nqmTpAWB0D14q6YDtpuC57uvHrEl/QpoSfEFEVMrVnTThdeLR6CY+tLfdZaeVn4OluxuWfw==,iv:5TCRCJsui0JLOP/QUcvEfcE8gUXDTItmEI4YExzTehw=,tag:728wccl1V93pY6XtsI5mgg==,type:str]
+atticd-smb-credentials: ENC[AES256_GCM,data:YtS1naMBLpt6c87EjTla4oTpw7a7RPIQBx5MLWh1+NvB5zEJ5hlR8gP3J5ayLiIhCT1rFMtTpV4+YV7Kjka0tj7ReMozS9YlEPKQVw==,iv:tjN/uWYua7D6ayjIt7ym+3+fcit/UQk8bQcJwQNLHzE=,tag:blQqhlxtmxwMhENTGZze1w==,type:str]
+openclaw-mysql-password: ENC[AES256_GCM,data:UfDj5MBvJErGGA3GbAdyoFlp/rvLZx8dVApOpOnnp0gpqNAFF6QZ/4HVXgXTFw==,iv:YOj2bgS2rW2xuHqql0dJu9u6uc24AIW9k5jQXar0pPw=,tag:yIPHsHe3RDiH9/eB7RwB9A==,type:str]
+pushover-api-token: ENC[AES256_GCM,data:Uij26JFdLXOTRXRU1NzsVnsCBzMJWRe5Aa5x1JwA,iv:nDro5PeH7R/WMfz5Yx13vFZ9k0cJWlk66U7Np4HWMbE=,tag:e2uHm0T+pp2qt+ZV4d2x6Q==,type:str]
+pushover-user-key: ENC[AES256_GCM,data:QHe0ohe+mE4kgtOmwN3+qymigz4i4YtA6xBlJGVr,iv:aIuqX4J56lTwOgs0vl7IsuWxvqBv85SQEkD7/XhmXFc=,tag:QwF80PcO8YxDJWpZZtzo2w==,type:str]
+sa-core-mailpw: ENC[AES256_GCM,data:jw38/GgFLpQspLka2cw0q5haoT17ndwgtO5F,iv:9aetrxTBBCyIO8Y+gd8mS9VjN19dr+tiTSA4l9HBJMs=,tag:iPERSwQnBF6qJKU6pDknWw==,type:str]
+zammad-db-password: ENC[AES256_GCM,data:W7zsRqVNrtWIxjSk0EOWBnfE0TgRfAMkeWlx0LR7q5eAJq2wKHsuN1fg0UrgXNSFB9CCB2YxuIhNMNZ8jliLtQ==,iv:InyZyJLemkVkE++IyEjKr06BoELcXrANyAKtUtTkkM0=,tag:/LOJ8BRyxuPE0IzGV0gXWw==,type:str]
+zammad-key-base: ENC[AES256_GCM,data:/sShSl1mc43c3MdeF/t3EV2SIKVoKxW2f/qtzlqteYeDEGvlvqdL986cPzw5l522HVPVyQGVU4Bm+80Zu4lqQhvnsVMAD7f52QsBKrv9dv+pW/nO4i9DeyiBTJoZIaG1gZsk/A2bMcW47qsr13UK8W8+Z0krUuygQnZz8cq+wm0=,iv:WddtqHN4vJMpXpH9Z3p4NQ1wkhck7bkkJjSJYPiygrI=,tag:P5hQMZILCe2fjSNRhqPtaw==,type:str]
+updns-token: ENC[AES256_GCM,data:Fj27w9zCG0jJVBu1V3Y5j2B0YXWEH6Qq1XiNKmCbd7U=,iv:9wljvRRqzedmYsts4bRtXmdoxPWLqpNDu9atI9kdFWY=,tag:jA5Nd0LpwUySl5zXSSNWhA==,type:str]
+wg_cloonar_key: ENC[AES256_GCM,data:27X9evcI45wjOQd+2tGzv5AP00I4vSqbhw7ZO940y1UJur5zNSKmL/oHVGs=,iv:aUWsNCZfE86AEnP3DuwNG61OzFlIAXBiAw3l+wIdmOM=,tag:uHBXREwIB1s325UEG//g1A==,type:str]
+piped-db-password: ENC[AES256_GCM,data:nPyY32wuU2z8MVIcCnWYrYV29KU8J1CRmAT2tf3LMaSeekD9xcDV4t3dx40=,iv:BRpsCWAgbE4YggCFfM+g+Q/12C4wEgJdPs6XAWnVpEE=,tag:k4iekj4euq8LOJyT52W9zw==,type:str]
+piped-http-auth: ENC[AES256_GCM,data:52xww+aZja06wl6wE/ThPGmKpEMaf0LLFEIMRbrkuYVz39ZJgbCK1dJbwQLd,iv:mxSPtrPgFhpMwVkPsjNaoUe1zCGcdHKhOGDFwezDCe4=,tag:Nxfhy0n40myy3ZMkwDdnDQ==,type:str]
+fueltide-lego-credentials: ENC[AES256_GCM,data:9JUoamBFlNP+GslVwq8NA3humQqSSuBitxh8Zd3oL2yudog516PmTz+vBK6gYNQ5oPkumNEqab//MZ7rc+4rzvvmQOtnKqYmyb4pzOEztQW1fQ==,iv:Z8/4HNi65zxWW1nVJiMkGOqIGott/EaRLNAqfnq2LDc=,tag:ASYZONwVroEhjDC19W8mmQ==,type:str]
+supabase-env: ENC[AES256_GCM,data:W5PJXzTFM0rIpzgJ4LYhTr/+F2xv/JCMfSbHGL1mR7MH7KtOyLUY8p+Efepz4G++r2vwfqgGy51wV4Ff91Jh9VVGpDD+YS8/hVhkjB+lew43LAMR8VwPgQu99Ed48w+vLbbx++RcwffUKv07hQA5uWgoeD00vbdjNkBhAZq3CwxtgGFm8NmcndRoBXkGYMFrRrLdh9Gib+ELJBbz3CpdQ6Tcdjg7OQKLpU9TBH0ZnUcYz7PlnNC8cCT+0PNGNKIGKmYWDrOtM4saHpvOSUdT9x8waMcqLWkTfaLYuTCEQJ7mdLBpTveIKNUyIrma0/oLj3tk0B9pqGT7Izn0h5X0hG4ihZveBz2ucHvUfz2SDgmh0bnxMTtNYTe367rfvbQMKt2dJVySbShm2K7mS2FF7umNkpuawbkG2BxCQ+hLtUifcKmJawmsx+/e2LRQo+mIm8kgsvgFuRniHdXdr8qDEYlXcccD5IJi9qHgVQtED8NuzMWjrCTSeXuxWa9i8ZoQD8gUtftLskCPj61ZxE78O3IrdAdG72OplX+l29jv6ztS8pSsoC4+p79oNA3RQUWiSMw8VHmcDJmGv9ivRRc67gLfjNkbOaJic82uQVCgTZEqEY7sXwD9qHwmF0k5iJTUPGR2ax6fiIwbl/XasLuspG4OhIA+3EJfaGnC7g+/1C8jpGIfbqTlvQ6mXe/A4Gc1T0hz1M4b8TDVjNS5ngsV3IBNDhcqG8NgdcjNYp4QUbLJ8tbY6i+uATXh/RnTcVD8w00eroWIQfjB/DMJe0Jf1bNvMgvooc6sL8TAMLXPLFD6HD2ymppEX2/ZN0HMLRlUkQIYjCaHmcMMFGa08l8Y+f/6KP1xg4GcsMjzPQqs7nZbxXsPlpxDUV/1CWhM0tp9354x4iMWGUWseYjpObRhQdyBArKziEx2ThGw9GsEQ1BP6bZeCqDyrQO9SoUaO/VGrQSl2xixGkLB0aOuu/02hE2kCOBirj1con+XhsCMUWBqa5d5MwPYTPX8Mbf4itwflRxMF5Mrhep8oFQOBB97UXrdgI36x+E1MEvenaocicyl/YswOW7vM29dIOyBeiUd7ayr7n52iprvlqnHLeS8e400KiH6G6OwJzNkWe6TXhbSrBe6fsSYal1kIG/1tcFBE0me43VDF/eqW0CYAtt3oRlzBdmLYDvwBK5731NUxX8N+lvS4YNpEWSZTTUl/xlhH3g+sGShPlfT8xG0Mn3kSmfjoLbd7wgR+Mjx1n2lfWrqbVnz11aWot1WnABAgZOaFHQD8Ef4e7rZ2jLxBZA=,iv:xG56Fa7XzAAzoHJvZQVXcKkxFsjtBBYxg/+rkxAqSWc=,tag:6hlaTsiKhUAQk1KW5CYTbQ==,type:str]
 sops:
     age:
         - recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvODFIeWxGVlBJcUtydjRw
-            M0Zob3A5M21NNTlCNlhQR1FuUGpEWnMwRnhvCnVLazFqckQ0Z1llVFNZUHFraXo1
-            UENZUStQVWdHR3lDbHUzMWRWZ3cyWDQKLS0tIDVIQW5scDFxd05yTnNuNDhJRU5j
-            N2tTMDhPVHB1emZ3TktHQXdYcWs2TFkKlpbNNNJyuZhOuhi2NzNpeZY8GOXJDGC3
-            m/P5OjD9f5qCR+SLC1y3PhR5U81ZjOeB2nUpGrzQ8AW2pczZrcW2Mw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQRHFXZUNDUHhQemZ3dDFh
+            SFJtVWp0TlVhcmUrVHpjMkdhNnRMdzkwa0Z3CkR1M3dldXBaaXdzZ0p6V0RxL2E1
+            dzlEaTZOTkZJOVZnYzZ6ZWZIRGx2TEUKLS0tIE9EQVFoSVhxZVpuUFRMM05MZmcz
+            MnF3MDhMSkllK3FwYis1N2h6ZUVyTTAK7ux3skn8LezA4NQ5FNJTk0welvuA7K7B
+            uX+aP6o7/kg0ZYlB4LXOlpzGvvZ88nQ8PaqQE8/cfieVzys2J+FzdQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1exny8unxynaw03yu8ppahu5z28uermghr8ag34e7kdqnaduq9stsyettzz
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUV1YxanJkeU5QRmE1YUkw
-            SVdpY3BvenQyZE1RL2FxaWptNUlyZkdhTERBCmcxRUhJMCtSc21QWWZDY1lqdW5k
-            Tzd0R1NOQlIyK3dheGVUWWxDeHMvV2sKLS0tIEhKWnZXMDFEblpRNk1ldS8wSmwx
-            UXRqUTVIQWtJcHJUNDJIalZGeUU3NE0KAcNAjxMcxaaULjh60pDh+nQ36+/s8DPl
-            3HdveEesXixu2EL4gzo7/tmTMDkYE6ifT9w9HkON+X0dHXvnUokJZQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiT2hESXE1YWZ1cXRCNFlM
+            YVFCUER3MnRndEdWVjVQN0FGU1R3dThyaVV3CjIvR1lqZ1htWjFYSFlkVUlDVEhW
+            SUFEaDlRYlVybmdXVytmRjlKS3RNVmcKLS0tIEVhQWdFWW56anlTMFhWR3VoZXhV
+            SzFOdkxQWjNiUUZEeFlHQ01tcGo3VTQK+7IvAMcXyXWB32pHTsUA+sQYjldJK3Jx
+            qWaU5GKf2qr2qZwqINE8+2SDI4qPuVzZaFurY3Ch6RaN6XQhL2W9Ew==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlb1V2aFh1cnFmVEVyWnox
-            OGhoSzNCWmkxTEdxNnYwa1kvRkUrNzI1S3dzCkNLL3ZvUkJ0djVXQWhYRHEwcEFL
-            RE9VRThoYnZ5UnZlcXhvY05DOXZXdncKLS0tIFQzbTE4TVppOFhSdXhOVlN3eSt3
-            Rno0QVU1emM2NmJVUkFDbXdqSFVlZGsKOLBbJMh4s4CEbdLoqNtLYVro32Fgjavk
-            RjLaZFMsR6iIBg/tbC+nmB366CWm4dFIBxtNXznI8VWg5CRTTdpguQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwcHYzZng3QldjaFRTRXhn
+            WHZucTN2UVNPcmIxZmVBNERyejNBang2RW1RCnpOa1dqa3NMN3h3bUNXdTJ2ODVO
+            MjRXVGRnbkZ1NzVDQWdLTXVodUhXT1UKLS0tIDFoNnRRdThNaFdheHYvK3ExU0lC
+            cXgzSHY0OHQ4dFppbXBDUkpZY25KMjgKNrM3oyNd5A6dBhdF+9+MVRyFAHaIivtq
+            V8YaR08W9mMr6ljlecrl6GdGAhM44b+YIIeHh2P3/c7eViGDsk92/Q==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ylrpaytkm0k5kcecsxvyv5xd9ts4md0uap48g6wsmj9pwm4lf5esffu0gw
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDMWY2UlhhQVd3Y09aM1pT
-            bUYrN0VIUTdpWGdDNHJSQjk5MEEwY1NrY0FNClF6L0lFajNZMzJlc2pQdXZWKzEz
-            bmx2b25NMSs0N25YUUd5MXRDN1JHd3cKLS0tIGVScll2NWNsSWZvd3JCQWFzZFlr
-            UEJmQTRzaUhlM20xZjROYnZyVU9uYmMKrikz0u0ITF2Os61K7vRDrIVfBnBP/WEw
-            OIyhfBfiG4ky4QfuW9XmUjO3MR3KGlWAR6K1fPfm3lwZU5YHzdpmDA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxNFRWaURaM0dkbHRIVTFJ
+            eVFDZEVvdU1Wbm95K2ZNd0t1RC8zOTFpeVM4CkpybnhlOUZaZnJWRnJySnp0c3ll
+            enpwcEE1YS9YOXYyQUNlZWtTT043T0EKLS0tIE1BUXkzS29hQkJmK2I5VWVqOHYv
+            U3VaY2l2RDhKT3EreEhLY2tDUTZXd1UKxk9T2bXNNLwCJLMbvUyo/DTZ1M1uQ8W3
+            u/iCbM9jRfRfWjBLvAIRDIaD/uMKC9Frb7SX04hGz0ae3tM9JgtzaA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-02-09T01:03:59Z"
-    mac: ENC[AES256_GCM,data:jUqRU0rZ3csCr/+tSPmEMr7rYhb9QHYe2IBvjW91fRD4ou7arD7A9MVVBCFgzU8R00rtumBfcnjeU5TETQGkirOt0ajWqjp1TimFl3VCFYdjq023onBvZDZmRGLIumazjIKt7FMUErUuXl1y/VIIgPu95zuASfV5m1HHG7M5l0c=,iv:YqOF25Skkrbj9X6zVJZZO4+P5KIEyrrZs8OrRWFv+lU=,tag:0y+MHDBDGs6atUSVevIfsA==,type:str]
+    lastmodified: "2026-03-28T12:58:36Z"
+    mac: ENC[AES256_GCM,data:7+EJFS9gvLxhUo/n3tORh5zH7QKGn+iIfBxWk2PkehGf942u4Ty27a2ACXuyZsuDNPI8lQNvFwCo9FIo09ia0Mi9cQO5R6+B0Aim17LZlE7tPNiDwe9lQvwTtb2aXldemypD3JBI2XoTv5/c5T3E3hc39EHqVuIcr2Z/tslwn7w=,iv:Kz2oD0yu3KxnmE4eJ7QaO/ziJkq70KbK0w9d8IuvQ3c=,tag:ZRBD+CGqXJjztn2s7EMegw==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.11.0
+    version: 3.12.1

From 84d8c448761156f6c91586f97236597cadf6ff24 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics <dominik.polakovics@cloonar.com>
Date: Thu, 2 Apr 2026 15:19:44 +0200
Subject: [PATCH 6/8] feat: nb only serve ddev.site locally which is currently
 running

---
 hosts/nb/modules/networking.nix | 76 +++++++++++++++++++++++++++++++--
 1 file changed, 73 insertions(+), 3 deletions(-)

diff --git a/hosts/nb/modules/networking.nix b/hosts/nb/modules/networking.nix
index 0bf1995..3182ca3 100644
--- a/hosts/nb/modules/networking.nix
+++ b/hosts/nb/modules/networking.nix
@@ -1,5 +1,27 @@
 { config, lib, pkgs, ... }:
+let
+  ddev-dns-update = pkgs.writeShellScriptBin "ddev-dns-update" ''
+    set -e
+    hosts_file="/var/lib/dnsmasq/ddev-hosts"
+    new_hosts=$(${pkgs.coreutils}/bin/mktemp)
+    trap '${pkgs.coreutils}/bin/rm -f "$new_hosts"' EXIT
 
+    # Get running DDEV project names
+    running=$(${pkgs.ddev}/bin/ddev list --json-output 2>/dev/null \
+      | ${pkgs.jq}/bin/jq -r '.raw[]? | select(.status == "running") | .name // empty' 2>/dev/null) || true
+
+    # Build hosts entries
+    for name in $running; do
+      echo "127.0.0.1 $name.ddev.site" >> "$new_hosts"
+    done
+
+    # Only reload dnsmasq if content changed
+    if ! ${pkgs.diffutils}/bin/cmp -s "$new_hosts" "$hosts_file"; then
+      ${pkgs.coreutils}/bin/cp "$new_hosts" "$hosts_file"
+      /run/wrappers/bin/sudo /run/current-system/systemd/bin/systemctl reload dnsmasq.service 2>/dev/null || true
+    fi
+  '';
+in
 {
   # Enable systemd-resolved with split DNS for ddev.site
   services.resolved = {
@@ -14,18 +36,66 @@
   # Integrate NetworkManager with systemd-resolved
   networking.networkmanager.dns = "systemd-resolved";
 
-  # Local dnsmasq for .ddev.site resolution only (port 5353)
+  # Local dnsmasq for .ddev.site resolution (port 5353)
+  # Dynamic hosts file resolves running DDEV projects to 127.0.0.1;
+  # unmatched .ddev.site queries forward to VPN DNS (returns dev server IP)
   services.dnsmasq = {
     enable = true;
+    resolveLocalQueries = false;
     settings = {
       port = 5353;
       listen-address = "127.0.0.1";
       bind-interfaces = true;
-      no-resolv = true;
-      address = "/.ddev.site/127.0.0.1";
+      server = [ "/ddev.site/10.42.97.1" ];
+      addn-hosts = "/var/lib/dnsmasq/ddev-hosts";
     };
   };
 
+  # Ensure hosts file exists before dnsmasq starts (owned by dominik so the
+  # user-level service can write it)
+  systemd.tmpfiles.rules = [
+    "d /var/lib/dnsmasq 0755 root root -"
+    "f /var/lib/dnsmasq/ddev-hosts 0644 dominik root -"
+  ];
+
+  # Poll running DDEV projects and update dnsmasq hosts
+  # Runs as dominik because ddev needs user-level Docker access
+  systemd.services.ddev-dns-update = {
+    description = "Update dnsmasq hosts for running DDEV projects";
+    after = [ "dnsmasq.service" "docker.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      User = "dominik";
+      ExecStart = "${ddev-dns-update}/bin/ddev-dns-update";
+    };
+  };
+
+  systemd.timers.ddev-dns-update = {
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnBootSec = "30s";
+      OnUnitActiveSec = "10s";
+    };
+  };
+
+  environment.systemPackages = [ ddev-dns-update ];
+
+  security.sudo.extraRules = [
+    {
+      users = [ "dominik" ];
+      commands = [
+        {
+          command = "${ddev-dns-update}/bin/ddev-dns-update";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/systemd/bin/systemctl reload dnsmasq.service";
+          options = [ "NOPASSWD" ];
+        }
+      ];
+    }
+  ];
+
   # WireGuard VPN configuration
   networking.wireguard.interfaces = {
     wg0 = {

From 7e98b2526b3d7e8bd36efa39fb97c1293dd61878 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics <dominik.polakovics@cloonar.com>
Date: Thu, 2 Apr 2026 15:19:51 +0200
Subject: [PATCH 7/8] fix: nb ssh config

---
 hosts/nb/users/dominik.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hosts/nb/users/dominik.nix b/hosts/nb/users/dominik.nix
index a21fb75..42bc68b 100644
--- a/hosts/nb/users/dominik.nix
+++ b/hosts/nb/users/dominik.nix
@@ -724,7 +724,7 @@ in
           };
           identityFile = "~/.ssh/epicenter.id_rsa";
         };
-        "*.cloonar.com" = {
+        "*.cloonar.com !mac.cloonar.com" = {
           user = "root";
         };
         "*.cloonar.smart" = {

From 856761d407372567c75a23136bde5d1505630a66 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics <dominik.polakovics@cloonar.com>
Date: Thu, 2 Apr 2026 15:19:57 +0200
Subject: [PATCH 8/8] fix: supabase connection

---
 hosts/web-arm/modules/supabase/default.nix     | 12 +++++-------
 hosts/web-arm/modules/supabase/env-generate.sh | 15 +++++++++------
 2 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/hosts/web-arm/modules/supabase/default.nix b/hosts/web-arm/modules/supabase/default.nix
index ce515a7..19df8bb 100644
--- a/hosts/web-arm/modules/supabase/default.nix
+++ b/hosts/web-arm/modules/supabase/default.nix
@@ -26,6 +26,7 @@ in
     "d /var/lib/supabase/snippets 0755 root root -"
   ];
 
+
   # --- Systemd services: network, env generation, and container ordering ---
   systemd.services =
     let
@@ -45,7 +46,7 @@ in
         "supabase-functions"
       ];
       mkContainerDeps = name: {
-        "docker-${name}" = {
+        "podman-${name}" = {
           after = [ "init-supabase-network.service" "supabase-env-generate.service" ];
           requires = [ "init-supabase-network.service" "supabase-env-generate.service" ];
         };
@@ -54,22 +55,19 @@ in
     lib.mkMerge (map mkContainerDeps containerNames ++ [
       {
         init-supabase-network = {
-          description = "Create supabase-net Docker network";
-          after = [ "docker.service" ];
-          requires = [ "docker.service" ];
+          description = "Create supabase-net Podman network";
           wantedBy = [ "multi-user.target" ];
           serviceConfig = {
             Type = "oneshot";
             RemainAfterExit = true;
             # '-' prefix tells systemd to ignore non-zero exit (network may already exist)
-            ExecStart = "-${pkgs.docker}/bin/docker network create supabase-net";
+            ExecStart = "-${pkgs.podman}/bin/podman network create supabase-net";
           };
         };
         supabase-env-generate = {
           description = "Generate Supabase per-container env files from SOPS secrets";
-          after = [ "docker.service" ];
-          requires = [ "docker.service" ];
           wantedBy = [ "multi-user.target" ];
+          path = [ pkgs.jq ];
           serviceConfig = {
             Type = "oneshot";
             RemainAfterExit = true;
diff --git a/hosts/web-arm/modules/supabase/env-generate.sh b/hosts/web-arm/modules/supabase/env-generate.sh
index 331bfdc..ecf4f1b 100644
--- a/hosts/web-arm/modules/supabase/env-generate.sh
+++ b/hosts/web-arm/modules/supabase/env-generate.sh
@@ -6,6 +6,9 @@ set -a
 source "$1"
 set +a
 
+# URL-encode password for use in connection strings
+PG_PASS_ENCODED=$(printf '%s' "$POSTGRES_PASSWORD" | jq -sRr @uri)
+
 cat > /run/supabase/db.env <<EOF
 POSTGRES_PASSWORD=$POSTGRES_PASSWORD
 PGPASSWORD=$POSTGRES_PASSWORD
@@ -16,18 +19,18 @@ cat > /run/supabase/analytics.env <<EOF
 DB_PASSWORD=$POSTGRES_PASSWORD
 LOGFLARE_PUBLIC_ACCESS_TOKEN=$LOGFLARE_PUBLIC_ACCESS_TOKEN
 LOGFLARE_PRIVATE_ACCESS_TOKEN=$LOGFLARE_PRIVATE_ACCESS_TOKEN
-POSTGRES_BACKEND_URL=postgresql://supabase_admin:$POSTGRES_PASSWORD@db:5432/_supabase
+POSTGRES_BACKEND_URL=postgresql://supabase_admin:$PG_PASS_ENCODED@db:5432/_supabase
 EOF
 
 cat > /run/supabase/auth.env <<EOF
 GOTRUE_JWT_SECRET=$JWT_SECRET
-GOTRUE_DB_DATABASE_URL=postgres://supabase_auth_admin:$POSTGRES_PASSWORD@db:5432/postgres
+GOTRUE_DB_DATABASE_URL=postgres://supabase_auth_admin:$PG_PASS_ENCODED@db:5432/postgres
 EOF
 
 cat > /run/supabase/rest.env <<EOF
 PGRST_JWT_SECRET=$JWT_SECRET
 PGRST_APP_SETTINGS_JWT_SECRET=$JWT_SECRET
-PGRST_DB_URI=postgres://authenticator:$POSTGRES_PASSWORD@db:5432/postgres
+PGRST_DB_URI=postgres://authenticator:$PG_PASS_ENCODED@db:5432/postgres
 EOF
 
 cat > /run/supabase/realtime.env <<EOF
@@ -41,7 +44,7 @@ cat > /run/supabase/storage.env <<EOF
 ANON_KEY=$ANON_KEY
 SERVICE_KEY=$SERVICE_ROLE_KEY
 AUTH_JWT_SECRET=$JWT_SECRET
-DATABASE_URL=postgres://supabase_storage_admin:$POSTGRES_PASSWORD@db:5432/postgres
+DATABASE_URL=postgres://supabase_storage_admin:$PG_PASS_ENCODED@db:5432/postgres
 S3_PROTOCOL_ACCESS_KEY_ID=$S3_PROTOCOL_ACCESS_KEY_ID
 S3_PROTOCOL_ACCESS_KEY_SECRET=$S3_PROTOCOL_ACCESS_KEY_SECRET
 EOF
@@ -52,7 +55,7 @@ CRYPTO_KEY=$PG_META_CRYPTO_KEY
 EOF
 
 cat > /run/supabase/studio.env <<EOF
-POSTGRES_PASSWORD=$POSTGRES_PASSWORD
+POSTGRES_PASSWORD=$PG_PASS_ENCODED
 PG_META_CRYPTO_KEY=$PG_META_CRYPTO_KEY
 SUPABASE_ANON_KEY=$ANON_KEY
 SUPABASE_SERVICE_KEY=$SERVICE_ROLE_KEY
@@ -75,7 +78,7 @@ EOF
 
 cat > /run/supabase/pooler.env <<EOF
 POSTGRES_PASSWORD=$POSTGRES_PASSWORD
-DATABASE_URL=ecto://supabase_admin:$POSTGRES_PASSWORD@db:5432/_supabase
+DATABASE_URL=ecto://supabase_admin:$PG_PASS_ENCODED@db:5432/_supabase
 SECRET_KEY_BASE=$SECRET_KEY_BASE
 VAULT_ENC_KEY=$VAULT_ENC_KEY
 API_JWT_SECRET=$JWT_SECRET