diff --git a/hosts/fw/configuration.nix b/hosts/fw/configuration.nix
index d9b8591..8caf67a 100644
--- a/hosts/fw/configuration.nix
+++ b/hosts/fw/configuration.nix
@@ -43,6 +43,7 @@
 
     # web
     ./modules/web
+    ./modules/coturn.nix
 
     # git
     ./modules/forgejo.nix
diff --git a/hosts/fw/modules/coturn.nix b/hosts/fw/modules/coturn.nix
new file mode 100644
index 0000000..b660d6b
--- /dev/null
+++ b/hosts/fw/modules/coturn.nix
@@ -0,0 +1,32 @@
+{ config, ... }:
+let
+  domain = "turn.cloonar.com";
+in
+{
+  security.acme.certs."${domain}" = {
+    group = "turnserver";
+    postRun = "systemctl try-restart coturn.service";
+  };
+
+  sops.secrets.coturn-static-secret = {
+    owner = "turnserver";
+  };
+
+  services.coturn = {
+    enable = true;
+    realm = domain;
+    use-auth-secret = true;
+    static-auth-secret-file = config.sops.secrets.coturn-static-secret.path;
+    cert = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
+    pkey = "${config.security.acme.certs.${domain}.directory}/key.pem";
+    min-port = 49152;
+    max-port = 49999;
+    no-tcp-relay = true;
+    no-cli = true;
+  };
+
+  systemd.services.coturn = {
+    after = [ "acme-${domain}.service" ];
+    wants = [ "acme-${domain}.service" ];
+  };
+}
diff --git a/hosts/fw/modules/firewall.nix b/hosts/fw/modules/firewall.nix
index c876e13..61f9205 100644
--- a/hosts/fw/modules/firewall.nix
+++ b/hosts/fw/modules/firewall.nix
@@ -74,6 +74,9 @@
               # Allow returning traffic from wan and drop everthing else
               iifname "wan" ct state { established, related } accept comment "Allow established traffic"
               iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
+              iifname "wan" udp dport { 3478, 5349 } counter accept comment "TURN/STUN UDP"
+              iifname "wan" tcp dport { 3478, 5349 } counter accept comment "TURN/STUN TCP + TURNS/TLS"
+              iifname "wan" udp dport { 49152-49999 } counter accept comment "TURN relay UDP range"
               iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan"
 
               limit rate 60/minute burst 100 packets log prefix "Input - Drop: " comment "Log any unmatched traffic"
diff --git a/hosts/fw/modules/web/default.nix b/hosts/fw/modules/web/default.nix
index edd85ee..73c72a3 100644
--- a/hosts/fw/modules/web/default.nix
+++ b/hosts/fw/modules/web/default.nix
@@ -65,6 +65,7 @@ in
           ./phpldapadmin.nix
           ./proxies.nix
           ./matrix.nix
+          ../../utils/modules/mautrix-mattermost.nix
           ./n8n.nix
           # ./piped.nix  # Replaced by Invidious
           ./invidious.nix
@@ -96,6 +97,7 @@ in
             "/var/lib/mautrix-whatsapp"
             "/var/lib/mautrix-signal"
             "/var/lib/mautrix-discord"
+            "/var/lib/mautrix-mattermost"
             "/var/log"
             "/var/lib/systemd/coredump"
             "/var/backup"
diff --git a/hosts/fw/modules/web/matrix.nix b/hosts/fw/modules/web/matrix.nix
index 475bab1..d9a8ece 100644
--- a/hosts/fw/modules/web/matrix.nix
+++ b/hosts/fw/modules/web/matrix.nix
@@ -28,6 +28,8 @@ let
       endpoint: "http://127.0.0.1:8081"
       secret_path: ${config.sops.secrets.mas-matrix-secret-synapse.path}
   '';
+
+  synapseVoipConfig = "/run/matrix-synapse/voip-config.yaml";
 in {
   # Secrets for MAS
   sops.secrets.mas-encryption-key = { owner = "mas"; };
@@ -40,9 +42,16 @@ in {
     key = "mas-matrix-secret";
   };
 
+  # TURN shared secret (for Synapse VoIP config)
+  sops.secrets.coturn-static-secret = {
+    sopsFile = ./secrets.yaml;
+    owner = "matrix-synapse";
+  };
+
   sops.secrets.mautrix-whatsapp-env = { };
   sops.secrets.mautrix-signal-env = { };
   sops.secrets.mautrix-discord-env = { };
+  sops.secrets.mautrix-mattermost-env = { };
 
   # MAS system user
   users.users.mas = {
@@ -176,7 +185,7 @@ in {
   # Synapse homeserver
   services.matrix-synapse = {
     enable = true;
-    extraConfigFiles = [ "${synapseMasConfig}" ];
+    extraConfigFiles = [ "${synapseMasConfig}" synapseVoipConfig ];
     settings = {
       server_name = "cloonar.com";
       public_baseurl = baseUrl;
@@ -207,6 +216,12 @@ in {
       };
 
       allow_guest_access = false;
+
+      # MSC4190: device management for appservices (required for encrypted bridges with MAS)
+      experimental_features = {
+        msc4190_enabled = true;
+        msc3202_device_masquerading = true;
+      };
     };
   };
 
@@ -217,6 +232,19 @@ in {
   systemd.services.matrix-synapse.after = [ "matrix-authentication-service.service" ];
   systemd.services.matrix-synapse.wants = [ "matrix-authentication-service.service" ];
   systemd.services.matrix-synapse.serviceConfig.PrivateUsers = lib.mkForce false;
+  systemd.services.matrix-synapse.preStart = lib.mkAfter ''
+    install -m 0600 -o matrix-synapse /dev/null ${synapseVoipConfig}
+    TURN_SECRET=$(cat ${config.sops.secrets.coturn-static-secret.path})
+    cat > ${synapseVoipConfig} <<EOF
+    turn_uris:
+      - "turns:turn.cloonar.com?transport=udp"
+      - "turns:turn.cloonar.com?transport=tcp"
+      - "turn:turn.cloonar.com?transport=udp"
+      - "turn:turn.cloonar.com?transport=tcp"
+    turn_shared_secret: "$TURN_SECRET"
+    turn_user_lifetime: 86400000
+    EOF
+  '';
 
   # Element Web client
   services.nginx.virtualHosts."element.cloonar.com" = {
@@ -284,6 +312,18 @@ in {
     locations."/_synapse/client".proxyPass = "http://[::1]:8008";
   };
 
+  # Internal proxy for bridges: routes login/auth to MAS, everything else to Synapse.
+  # Bridges connect here instead of directly to Synapse, which no longer serves
+  # /_matrix/client/v3/login when MAS is enabled.
+  services.nginx.virtualHosts."matrix-internal" = {
+    listen = [{ addr = "127.0.0.1"; port = 8009; }];
+    locations."~ ^/_matrix/client/(r0|v3)/login$".proxyPass = "http://127.0.0.1:8081";
+    locations."~ ^/_matrix/client/(r0|v3)/logout$".proxyPass = "http://127.0.0.1:8081";
+    locations."~ ^/_matrix/client/(r0|v3)/refresh$".proxyPass = "http://127.0.0.1:8081";
+    locations."/_matrix".proxyPass = "http://[::1]:8008";
+    locations."/_synapse/client".proxyPass = "http://[::1]:8008";
+  };
+
   #
   # Mautrix bridges (using NixOS modules)
   # Modules handle users, groups, registration files, Synapse integration,
@@ -297,7 +337,7 @@ in {
     environmentFile = config.sops.secrets.mautrix-whatsapp-env.path;
     settings = {
       homeserver = {
-        address = "http://[::1]:8008";
+        address = "http://127.0.0.1:8009";
         domain = "cloonar.com";
       };
       bridge = {
@@ -311,6 +351,7 @@ in {
         default = true;
         require = true;
         pickle_key = "$MAUTRIX_WHATSAPP_PICKLE_KEY";
+        msc4190 = true;
       };
     };
   };
@@ -322,7 +363,7 @@ in {
     environmentFile = config.sops.secrets.mautrix-signal-env.path;
     settings = {
       homeserver = {
-        address = "http://[::1]:8008";
+        address = "http://127.0.0.1:8009";
         domain = "cloonar.com";
       };
       bridge = {
@@ -336,6 +377,7 @@ in {
         default = true;
         require = true;
         pickle_key = "$MAUTRIX_SIGNAL_PICKLE_KEY";
+        msc4190 = true;
       };
       matrix.sync_direct_chat_list = true;
     };
@@ -348,7 +390,7 @@ in {
     environmentFile = config.sops.secrets.mautrix-discord-env.path;
     settings = {
       homeserver = {
-        address = "http://[::1]:8008";
+        address = "http://127.0.0.1:8009";
         domain = "cloonar.com";
       };
       bridge = {
@@ -357,9 +399,18 @@ in {
         permissions."cloonar.com" = "user";
         relay.enabled = true;
       };
-      # Override dummy token defaults so env var substitution writes real tokens
-      # into the config and registration file (module defaults are placeholder strings)
+      # Override token defaults so env var substitution writes real tokens.
+      # Must include database/address/port since setting appservice replaces the whole default.
       appservice = {
+        address = "http://localhost:29334";
+        hostname = "0.0.0.0";
+        port = 29334;
+        database = {
+          type = "sqlite3";
+          uri = "file:/var/lib/mautrix-discord/mautrix-discord.db?_txlock=immediate";
+        };
+        id = "discord";
+        bot.username = "discordbot";
         as_token = "$MAUTRIX_DISCORD_AS_TOKEN";
         hs_token = "$MAUTRIX_DISCORD_HS_TOKEN";
       };
@@ -368,6 +419,44 @@ in {
         default = true;
         require = true;
         pickle_key = "$MAUTRIX_DISCORD_PICKLE_KEY";
+        msc4190 = true;
+      };
+    };
+  };
+
+  # Mattermost bridge (bridgev2 — attrs replace entirely, so include all needed fields)
+  services.mautrix-mattermost = {
+    enable = true;
+    registerToSynapse = true;
+    environmentFile = config.sops.secrets.mautrix-mattermost-env.path;
+    settings = {
+      homeserver = {
+        address = "http://127.0.0.1:8009";
+        domain = "cloonar.com";
+      };
+      bridge = {
+        command_prefix = "!mm";
+        permissions."*" = "relay";
+        permissions."cloonar.com" = "user";
+        relay.enabled = true;
+      };
+      appservice = {
+        address = "http://localhost:29335";
+        hostname = "0.0.0.0";
+        port = 29335;
+        id = "mattermost";
+        bot.username = "mattermostbot";
+        ephemeral_events = true;
+        username_template = "mattermost_{{.}}";
+        as_token = "$MAUTRIX_MATTERMOST_AS_TOKEN";
+        hs_token = "$MAUTRIX_MATTERMOST_HS_TOKEN";
+      };
+      encryption = {
+        allow = true;
+        default = true;
+        require = true;
+        pickle_key = "$MAUTRIX_MATTERMOST_PICKLE_KEY";
+        msc4190 = true;
       };
     };
   };
diff --git a/hosts/fw/modules/web/secrets.yaml b/hosts/fw/modules/web/secrets.yaml
index b42636f..ec98f0a 100644
--- a/hosts/fw/modules/web/secrets.yaml
+++ b/hosts/fw/modules/web/secrets.yaml
@@ -1,62 +1,64 @@
-borg-passphrase: ENC[AES256_GCM,data:xuSgy269tSzDNjo/XOYS82OPkfPyA/B0et25Sc8j23ifWu1y9yjzb9jSgc3MU9rXeDe6sCNw8v9JV6+btdvomH4VzzM=,iv:hRvMcFmTr+LT0VRCGFp0Vdt7/Wvwu02l2xMyL6ZVKYk=,tag:w1FI6GS71pmPk9Qsr0vyAg==,type:str]
-borg-ssh-key: ENC[AES256_GCM,data:W6OtuMBsvhTHVojbo01uwDbEWlm3rhXmLnYQBQh0+YFRmQmlveYxojUmyMIsesXNSysRRF8dkmjYrMuB3LMqWFvYO4mt5AfSkjwmpHnOFtk//ctQownye5b6jnQjo+bD1/v2rbd6RSHwB/hI+xT2uxZ+8eBVW3AxnUZuSRKyVFsMrmxqJrK3+glhamP8cy5lnD8i1YDCmgicOUBh/CGzRHgTOXzhe9dUEljAXFRhV179mU7YkxDnSuLLexh+LJ7YM4DtUP7M2SI9DA3vBM5aCrsRyR8Pw4f5R5790v82GoIWZl4L6V1QDeXdeTFdhu3jBmBrLUNECbPwA6NLssEulufpXtwl5SRVyr+8a8Ch1/6VUOiUiFIRiZ/a4+gD3cAFGrq7CFmf6zavyi/UxJhVFz1qKTuu44AWtYKW81zRFbs3zgQ+6MuU7pAsEd70vPZmfKUDMsWUAQavjiZKihF/DKazeDC/Lquv/7Gq7LZG07DzdTMgr06i6Z3Dw7b+EqPkOYfdkr2289iFJoLnQm02XqcDlqnXbM8iegxxYceW9NhFOaMa1l2vYROg5zxxRdukqGK655iNEK/Q2eoaN2SUoi1UNOlK9X/bJADMVr/e6fEkD0BJVL/qnPyi26jNqFcTXFt51/DZ4yOiwOFheSOhXKNIBxn2Vl4INSYhUqze+4oFSzBMRVtwemDYZUdXkFM2QbdUe6U/kYKHOl1xH56eTKiI59ZoqHxKMlHNDpOO6KUKj6rVxFBHC57ZTnto7WOfOWmy8s8+DzU0OeYZzE+7Mfp6onTGVtKCZFmYOR6JARfF90TD4t8iocUdiuvLV5GeRE7YKyjoMIuGcRVvb8eR/8iVZNtTKKNGKhpYwTdgQDeBCDRzsq2Del0ZtVpnDydCI07/mApMqES8V41rE65u6qZOJPOpe0FSf+Ozkrkq8yEiGVwdgm213F/c5K8+YUwNeU7fJHvbWOdRdzdfWIes0sKlJBB4pJiUuDp9xqYiqYDV6+0VqSZA7nTeWPvm/LTjlbFvRboyXNKHfpq7GD2vQI4jgr+Jk5LRJ8pI73pF3dVo5QphsRmAgmtL/+d17KXHzlG0l/TE9STfIhCrZ7yx1+9Nz5cG25fvENybpX6aCiZz27BBidG5VLRNgcRqLE5rQcsrnd3iqo2HAXnlGiggClH9SbK9ao64cCA7fW4EFoxK8G4gQmqCXGZqKEChLfIOThYkXIxlpc2VSMEhsysENTmBHOM3oI76f0JvTttftgbGt/pZcJGfgLa/qwb7Se0J8OsWsxRH3bjAFbuO6wjgx5wCIztH6fMsofTTl4i6dyAc6ub9zGQKm8AEBD0xDftCEhrlFH2kR1bkacCKQz6R35E7eisAXP3JU9Luc25cmmxkiqxuW+Aw109Hmm00QCsDM/xWBZtbwotVrN0enOLjsUpE7Dk+ibLCM3I8QAxvgXfd90vrRDUjUpEVKwm53naa4cHJObBsXuIDPfAXxga9ePOUbD9IdGuDw43d/RSPlCOQmRLIosvt/OnAKoCtyFw/0OEr+pGRmbnLShHJKXlFIQqTTe5NT/O5jX+plqkVNYHL3XKQxU1ALF55zWge8OuJmD9kgia7692ul2JR/irdWqk/CeKYZy3B+PBfulSkWLUsRn0s2CYkwAsmbcE+3lllk/7VSZrJn74SObV+sCan0FL5T6G8N5kgMJHagUGMOiqqvJh5npAMgX/a4ynCb2IWt3wIZ67pdVEt7AVZZMShFkTBVRD0amPRD1cJuPba5ABul5QloQ5iLl5KnuB0Qg40ogpFMB1DE43fFoJjzF1mfz+Mt4b5w9hZph3qkvGOKB4kAkIic63CrFSia+slH3mRbsvo5XqZJ5Yp2H8iG4XzIICGlRQ0/C6nKqNNkG9SsP1GourbwW1QIbxuTJxrDCI0LfVm9zigkH7vIo02ZNpa6ZWh0t2gXL7I/T274Q/wLUkGmv0quxbrF35TcD9a/uOA87zPpI3J73sxGmTbQSDoopBf10vlZcoxougBxlh3LgECF2DO9XkqzgZVvwdelrYwLT0UY7zJSiN+/nFYHxyMLNYZb7QJ6xqNFbh1EtlFDgNW9XzUPMDZQzrg7jhODYC6P+U1K145cwIqAfCWsn84m/+U/iFBFL8I/wino/1/0yG10mP64Ecf6r+VVfkKZ8rAn0WlKYEovNdmfQhqs7lJdY4oLhAJZimgdtx6fo1ZGSEt1em5pWU87vQvogA23bQPCKSCaiza9KLraz2s3SaYqZo+mALMpOU8BtvvAT8zBOrrSt/JWzJHSsVrT84LZumIHd+os3Q6juNq7konIRX3jJUvkGlgim2KRpCfgipw9OoyNExzrffcCnf3jEUtTdviB27lxamFSv0eZZgoPxNbANZhd/zrvEpQj+NHZOaSg7LbfrO2eIgkc290T/10vkhvzXEpjxt1prSLSF1/I7RYpv8sgwhpEIuvOf97tBxJX9Aw8ylJhbiZuceUI736LGyGrxDqxIMzb8pbQ9k/8VXjOIQBPEcC0d1zXKUrYteMHhHXVjmMeAlTLsHpmsQ7q1NVu35tyuqBImXu4wU06VkDak5pjBR/+GAqYMnEPKs5ALNfUkZDtRjS5SGMiKP0e8kQuC0bk6Dhl/GAfO5ckv5kuPArOzUIknYvNU234bcVTOfjh7kfAA1UnSIX7Fa/vcAAzWxjhYvuszagJe6xwrnZTvI9IzaTn0TcOovjpVZUiP2E1Pghrlv+//RT+XeRu9cjNxVrpwmlNVCDDZmz+jaH00YOT7kGNejJUvclR3gjyUK1uo+MqF4nCLpBc2yrnvctMfcY03pwyR46pyhsSx1c377G9E9c3pBVyPFXz8zY3xRcd9aMRUJiJEwD1wn1HZaEo+qvJYsZcFPEF03MenVl2vup0JYZNYEMe9VPEefaLJ/uPCdUYedIo74EZr4baDqdButp39v5kXih4Cab4AsPwlds42BcYfkDS3oXHE/BRMppGvAngHZWwmyuGGAEiT+UjumqFmiPtKL6KWVRGfS2gyS9CJ8oEZJBizVFXzjhdoh/kg9M5MFT7uQfjory8dJWX7jpUuWMIHyLYfYhzTm0K6mFvOoO3W25SvvFnygo6JmBbuuAzV2raFktgsjZm1xDmZOPvbM6Ur3XUWzGXyWLiWqNVgAishPccAzI9F2/ocH0NeXOf+D3tWld9kXBbQPI4DClprRrGqpzKtct16VAKc1kAuuK8BuSD+YbyP5T/3EaO95/KxKhG3ZfJo5map4cuCmz6dys2oKCHmbAxkLFJwzC6hoYhnwJUZj6SWeGJB4IT8bfZ6UYKpfdONW2/841r+WbKljhTzDvSKqGZDvLF6YB2aK4Oe92tnzPbuArNohERv0oJPvAtdUiSW3Ku+62e4YNKEprLNYBVkJ3ew7d3V/Pc8Rb8uMFehx8oq0ojV6Xzj/PT4B1Vt8XrUQlYxkha+ZThs3iJLlSyQ==,iv:qAE9OZM64KdFc2guTNGCVxom8HWmv5CWQJvt0MmHZIE=,tag:56KMQ/JnK1AtRojWGcClcg==,type:str]
-zammad-key-base: ENC[AES256_GCM,data:WZsUd7jTG7WlF/d1MRnYPdBDxAuSWATJMN8kpR0LRXbGcPgJL6q55FRIWc5lopeUfqt5fTnY9MqgZ/imjwcj4MX9WkPQ7kMi8cquL60++sn4zmrcs6mIKlj4GJDCJ2uUk1kqJFdSRHAnSvJyC//3g8HmX/CFa0j4j4sihJmeZ6A=,iv:dFX0aOrJBeWk8wErKK4hqu/sWbjamHFRZUrxxvoySUo=,tag:+uoE7cW5ioc5nkXcvY0NCA==,type:str]
-invidious-hmac-key: ENC[AES256_GCM,data:TkacC/3KV3+yIHo2WF1Na/x0e4RhApFNOqmyuw==,iv:sbmS2l5NjZDGLOQR7wWQ0lFB7WIf3endlvWC0+Sbh5U=,tag:oIBtURshPQCAcvj4ANYFiw==,type:str]
-invidious-admin-password: ENC[AES256_GCM,data:R2FF0lz6QZkHVJ/vSRzr0crxta5euQdLwLFWKeWRXy/Nu3xwcFP+bRjWYXiyxYoAig==,iv:/4b4vNJlgNjD08M55e/IVFhmeNT/z9qMi8i1r54xr5A=,tag:swjJVaydugX9Xa/v98ULbQ==,type:str]
-invidious-companion-key: ENC[AES256_GCM,data:AMrP65ryJOfdWsSMX+4Fdw==,iv:nlDdFqK494VBjFS37g+slU5TFAZkT/fsHvMxCH8+Aw4=,tag:58XOkEZYjCOdUXTZr4gZNw==,type:str]
-dendrite-private-key: ENC[AES256_GCM,data:oUCh44Ejbw6itfirf5/3hVo2FBlUo8OeR4eTlL388NWAsOKp5fgY2yx2xX8W4Swq2BixKA/KyAV/cFOTzN0Sg2PfasrGYaWxlchwmyHTwSH6+PlFqDqTwGmjfghWagJ0RYadxwm6Z2YsebDkGoJEwSXlwj/zxU5tNJc2WBmto1lg34eYFMGrJmg=,iv:si85iXafRCdX3KxO+fxH+H6iO/xyfU+mV1+e+I9DQKo=,tag:SOLSM2JH7Ktk3685Al14ug==,type:str]
-matrix-shared-secret: ENC[AES256_GCM,data:rmYdPQNubnYN6JUsGbzYvdtTZkWoJOor2VtiLhICRPlJDrobZflUDKF5WcWR+rwNKgta6jTmZD9QnQbT,iv:q9TZFxN/SEYiYUhjQmUF/dtQtjQkBeLeF3vlBs/KJ78=,tag:pjtQLEbdCtyVmz1wjXyv6Q==,type:str]
-n8n-env: ENC[AES256_GCM,data:7Rm5u1eAp/fw3xgyS8K4P7TshJVy9Vs3cHVtzqnQqBggX185LRDtADoslkEnvidxxjImGWZ6Me+Ukchdz3PTnxLoDi9QwpOcL2qP0/RSkqQeMpbwn6aOsd+r54VS1micL2LWQkuwNczPKGcQbrAnSDWaPP44F2r429dENzX2Px8MAHlBBZxhveBWY+vXuwLBD6ylOu9juFz7foq1s+BZxf66B1yo6u5JIPlR3oojDpbPJ7vYa2bMPBEZYB1M4bgkl0mv7IMpQoSItndQNX4AxoB3ZzCFjfZSe2mzhiJtazB2b/CMa0aoBt4UmPSZBfabJ1fvDvRD0KI0G2GIPCmuUT5960bfFcHDImgR3nTzi6AQsxEVgWbLfB9TTFC8duM=,iv:JPdWPnF+uzbWCIzqCVtV3i01s6VYEOD3HATYUw1JM/g=,tag:9HpH8zJAPpeRCZpL3YpTyg==,type:str]
-n8n-git-key: ENC[AES256_GCM,data:R5vJ7nFmEYza3adrfWe2X6WExlmxaUrUdv8PDqBAeF/YWHK/mzIld28Bz38EEUgHwzHazhByVyoz5SQoe1ikNphjWYl14mWkwSPFSdet+UQ6hipLAslRMG9QFcR0funfSvUELN0WK+ewJ1B9imbhPpyLVpTKuns5SSUNOidJX1lnEvLmVrVITvU0XkCpzjNZKl5vMULPu3+Blg7L+vlpAM3vrH24vbRA++HxPfox3hneHkbe4Ckll3ID+KUt7TFeFoKoiB4SWuF5+3mHcl74zuYUORmlvqP9x6sNvYm6ozQggb6J+1zBSmD8mlNFr4s0FmGgnPkjwImKzvETqAcf5Ny7wa2Bu4zQsPQsZP6qco9pbFH6hmF0+g6U/o3G1Bqf/K+xCYtOVIfposk/hLCFAN1G0NvkVjyGrnmwrsrhdR9fVDVfxrshxOGip7PMxFIUuHs+gaGP44ocFmIAeizwrY3skb7dAZqQsXwgEEOKoWEtTWxFyvr1moCdjwgByHXPMRpdEF8mzNwLpNqEVo0y,iv:qRJUj/tHElD+UA7cxvBPiHSRBBrg+hPtL9REtyn8uN4=,tag:8MxVx9KbtAu1oKyS1E0H3w==,type:str]
-phpldapadmin: ENC[AES256_GCM,data:ctXBV5sxhlY6DeR2ZNCDaxXMhGcdZvoLXNBpE4bZ9zBvOUuo1PwwPkDa2akwVGDyIWHkTQIuoEQO/oS+yc2rHVf/4sf3YSJJvsrpwLYiFyzYBi0ar9PNwAdUAGzTuFrilM5/XiGbXCa5bOk7Cp+FN566xipCvGZpMXO9EGLPIeEBh8ojpPOTFGkLA+4Izw9MZZslPMbsPd3jFeI9bAe+w8o816bCM5xoebO5/7rKTvaWVOWbIXocye43jhD7+C/KArWKO4KW2HytuuXDt33xEbypAA2z4C0o29jQ96QruVk5rl5Cb9P0qLA=,iv:jc7Xwo+Ux2pTlwwQ82bo4QFRkk9bLxYtGkiEPLdxl6o=,tag:58Ty5w2cO2QLZD53abRyUg==,type:str]
-piped-db-password: ENC[AES256_GCM,data:oinOX75JbOw6HtNK+xmn4UaW2fTHzm8XASjgLaZrXtD/IOOh+/3DUaSwz30=,iv:00ZVBisldW/t6Sma4Ov9hGuK8Y6lq817OKYH4QuHz9A=,tag:GV8FP9XAktdLMbHquP2xnQ==,type:str]
-synapse-oidc-client-secret: ENC[AES256_GCM,data:fU0WUkNvaR+JWRlADp1yk5EmFf0RM5JBdBvVsPLtxzPwhZtNN8zhRTv9anp6NZoThLSNOffXqievBE0PMxVGiw==,iv:mnijdEufA77vU8dYOGrjvaN0LwFNhT1S050lStRgRD4=,tag:GdhdGRQedaXcp4rJ/OBXoQ==,type:str]
-mas-encryption-key: ENC[AES256_GCM,data:w9V55+9fpCeYHwT9XLHM+9SHpGNaJO0fWI7JO/DEkGyOQd/7/zLeSaxDnOvORl9T1WTMZfob6XvroeOgt+/Iew==,iv:CtSuhO1KhiSkkfFcvp7KOiQjKU27VlzIayOUEoFjin0=,tag:iZdVd4QTxX2g+W5X2TqvRg==,type:str]
-mas-matrix-secret: ENC[AES256_GCM,data:OvBEnMhif9OfZKd2NWhSprIupt4fM7x0ROPKatY2eJbXtzkF9qkKitEhsWgbBrkZP6fp0qEgN7VCF134dmVuGg==,iv:72IrdvZsi4DwkkLPRPM82rhB+g677kaJNeS6KkcA9zA=,tag:H6znD9OQT4hOZ2bIcaj5Tg==,type:str]
-mas-authelia-client-secret: ENC[AES256_GCM,data:UB//9okQ5nFouVaRky3t9qyBuOHMw4eX/V0jirD2xBzW2OUieRBDandusPLaFqCm5VjZJUTezT2M+SBpKk7sww==,iv:GDmYh+7RJ7deOLbUtbGXoa2gY+dGa5BrzaSk7PSl85Y=,tag:smPKgSWcmuVZVwm/Osjrxw==,type:str]
-mas-rsa-key: ENC[AES256_GCM,data:PMp9YBPL2wXTOm80b5bIG6+rA6fvPX+PHhr+Hvb+vl0n5MGjrmIVwkVHslY5QEMDFmlk4ytKH5BDYV0OVm619vxuopN4CAqUpFhLum3XKXKINGUziwj8HDv3xk5wxdPsQSofGR+E0Cmmls/bHp00CKfid/GzlooI/3hA0+0y1N0JcaiR7xOZJuFGzqzo31UaLoYqdsviKEWoTieme+TiU9CkX297C5PPUqjDGGEZ/UBvueOAlFB+t3So8xdFL5Q8tY2ZeM0YZS1GCodDJUeKHL8X/cmN9PcIoVgJ4UMbQaL8IShgKqAwRNGjBEWgL+q1BlpxCmsGNWnX9V6ox3wpsQM+n6RLkQezJkamQ9E9PmYleo/9Qk3RC1pOMGzMjvnp/Dl3lmzUkXVrkQpDyBPU+DN4l9uWQbxFlk+APAloeXYwrucr2dUGpJNPvpxI22X248qOh++03yIRY/Woef3URDjz/EFZbOExj2HLPb8NnyGl336dpP+FTHolzMxplcsTAp/dyyL2UQiDX5ms1QA90HQ/YHWo74OhZwbV8jAxL/fu3oXwUA2aBHwlNYObPrrWbXMC5QBChLeOxPQaVL0Yj6sSAS0S6H8MW/we0qb8P19T6bYWBSvzSLIKqU2mIvdYx7gNDjMDZUgKaVTk8E4J5KihryN0NBMcyWROeSdKXET71BSp9oEIWtDqzatpMMEGcqXFkZjRt6GT95cYkhiYIPweCQGcggF0eZSTQUBCzfBnugMtbB3UoE/EoGKqELB9KjgoIz/IQOmR5vbhislSZ0myCr4h9J9r++I4b34n7CeK8omKflNY7i7ru3CQyxXcI9pLQjJgAdzFadNONMIvPhTfYymXYAMbm9nJjNprVKnvAP1DN6QMQGpfgqx9ausj7rQoCPhR+CmTVezWokTvu7fk0rphlOawtcf0Zt3TCi3OeAP8w14tXrywyO5fAa/M8u2VSChLIFC/dY1X9lrZxzt4AKnJ7rLitliCQFe4Sm6UhJgb8r5TszN9nBnN9Wo0WoqRnYR7Oj+aDEqeANF/fhDlFzi9y/2hDRiWSbQV13rOwoObgoUMj1+VWCYdgKUJUo5FhpBaEEsVfxS0dJ/cgNprFqbu8srhGa8ajnb6JReKnTwRgN3IquppF6lgBQc50Eb9m6mFZhNR/5cgNxUXpI3uFYqwNnwuRn+nE5s5Py0Dr7d1C579S5BF/awiVQZYGi9tK4OA9qCxjESRThe3jXSatOnCTtYaGs3F85HXEtexKejn9qmLIEbuoBs01BoaLWzGBIRdrbBanbMXCr8JsxyTEk8uRvm1YujH0WDk8HEhjOaDAr+0MPROF2oOlKNzY6Nj65rmXy3wTat0/NhUgf5R4oS7CNhMxo1HyOXaNdAlLkGjbC9p53I8Ic2aeX467jCqkR0fzjd5WNJG3y4Gl7vwbJcv971Zq1JFLkppDFjTiKBNtfCChXtO4nSKMRltHYVnSVSok08ZjFIknqzl2Krnj+GO3AXUYDHwnYHY1NN5e65omJMH6OGHSQqDy2FRSupDX+dx3Bi4p6sw7Khas9+QE1Qx2mzaXknjR+8drYNqMTG4WtRfikwHeqGXJIVCF174NdXBqy4qjyDNPp5SZevpOTbwgn0lIb8F0auQKJ+QyF6cd8vbi4nYh/WTxXU3agjpnojblid1qP6/AjzMIFAnWBOJN1kpwCLcbCSOH9nErqlFl+YrGpifcMIuHncXtbY6mtNPKX+FSj+Vc9ifoDnldtThak0D9ZUKgt3j3oJD4JoMv4ci0AsRpBqNYMnIUhkOdhkApG4mxx1MZ0q/Ahykd4Xgau2bHX65SW20mp0HAjo4b5jz0YE3TLC4nT/MPGUBzGxwNcSpTunsZoH08rh4VIMRmPDRQT6FMiadfxkSQaX78OSBQNVsDcpbHwIL+3kToMkG/o2UQGL9tvORJuU/oyHObIGJpmJHozpFLoy9M0LDaza3e60KT/Vr/DTbgoadtG3tEN2ELGfUCUMuiQcAqd7mdC1pIRX4bLnmSFPERAQ8W+Nyo51+qBeFrZMN9h/vOB+8c6eXZ8FVflFCSHrsPeG+Ju9uuXUOVf7dIjMnZlqbsf4FvX0rcGzIIgEHkoMSa3nOcWvvpSFAA/cflvKsoa05b9/4o/Bo0uXu2Ojil2fsIYUsaajfquxO4r3Z7GZd1JGXJhu4QcOClAW1FsfzlbgEbBtgnx2KK0OrVZ5rCHf5/8EMpiK1ZoFT8xNFEG5Mvc0fj/7HM7UUnHPqRf51/n+6Yzzxd8R6PBght/boiexkxLFwsqkLD1Mpd3klCdaCQbEnTO3GMWPBCs5lxxyJsUjeLY1vNestZdDAQQMCVD2LZ+HnhAmiSak39G1h2glvwKITMRxnAco32mkDPJyYFYcgSANDXZijj9R385uc1h7xIwFYh2z9XRX47QYE1kWvjg7z7lEOH4v/7TwWMw+T3dPocNxRKn3HVcNBFabHLilfECSq6aDXp+7eSUSkKvBCkXJ4xj7ED7y2etee5nVCmG7kVWOHJROxWAJG3htniF+kMtoOLWlSpnPhFlWDaNE5E7TsX/T+zNfbTX3RpGWFLqqMvL1PJyR13rAS+rHeL2KPKoVWbX4JPfTP8vWwKheG3smhDdEAzXugp9gfw4ZweSOpOMJMRf0RvpnU+A9udVwVIpHd9DT/DMtaCvGz/rAZclr5LCuIFQ+OWLytrV4ZKdY9pJ0EXfgpYh7kt+LXjsVGqtQlU0lG9v2jvmaxPMMZtj3Oq3Cx/ZskELcn2YGPl9Q99nsz0RXeeXPJJ7QhId9Zw4TocJAZXC4ZEyf1GPeb5CIGhWM1Lz2kn3ftM+xwTBpj7u0FNFsEbMKBxw8WQb28poiZFB2K5qabWpi1n7S+yIJEmviNGMG9FsIAWNOm474NzHBZT5VByHEQfYEMjIXejrDcD2Cs6CGmaAm7C9Cl4l42LZKmJ7KRXq00/vcbotVN4YnPRfHbelhVvTQYcpPIqqsKs/JefTViA3YMYRnj+WhRyn2KU1g+hzyTwyyKhfTVRDIkwxVEr+yrINgSDCxRxRWR4YlTnVGhOki+bmURGxWYLRcxk73+OHfz2/rYRsTzyzDBWv0xs1ycplOHehc7JuweFJgFn2KTAxS2yX14fZ+R1PSKyN7yRa036qoZN5bG6dMh8Ki6+DR6oQv0ejc4W72yYQ6XXdXeEHd0oQoGrF5kFK5UuX4dQZ+RpgsrL/pFEGQG+h09IvR8N3V5iZXJf557LyhOsGxPY5ZFv5Wl6ZklHdwsbGtU6iuMMdWyGsQ9k0/UPPSijsoRomS9DMFgqZBxzkajYV8dMKLcJCbIYzk6q5w/YdKr4YjglDF1lnkggVORLHVNYsPagjokPJikpSmFlnUdIfbTMSk2UlcTinxVkwiu9yyGD2Ra34Cbe+b43EdS1Jph4abopadT5k1snpfIFiVy5lp1RDGFaqkr+phf6SQDOoLXk3i+toYwElq3pS4Wes7xoUWj+y6icGwXQjv09/TP7KKxwq/lYGcjENOANA1eztkAb2q787ZYAHYOvJiwz2C//D+QG0H8rCP1B6VBZZe29qDM6T9FI45LkkTximoOwPFJfO3XM7tn2CSJ+CMffQTlFkucfqYuB38G0lf6eTxA1bSEua7l0gOnfyTmO+KY1J8yIDJ+gkwLdeE1jK+5/Vn9hVNmYbj3MuzdddzMJ1uQuZcs7LzUTYdkSVUKyT9Pvndlvfeoa4s9W/5lbfa6vpo7pcya5p8dIgU3l9hmqzl/XWZW4yLANImpxGEdTWQabun8HZT3s1Dw7kw6TQymAFky/FEx/gulC7e5n7285FXsC6jIu4Cv0bmqVRdu2qvo1XNEIQxhwp4IemwMfe5Bol6tCQtlVUDgyvgXhZ+rUzc9h/zYNui8AdUVgwEO4GIDEfDI1LGV9rDYAj4ZKDTK2irwDMtdUq3VDK43+IxKLAUqxKA4fBx1CMseY58Tbdky6vLX1VhKB6N5R6zJIl6m9DapYSAdYVuJDjtBAwB3KobJyPrQNEYBSLmp4yqvVDR9ElONs5IURci4VFgIXPTyxsmPKrXjHXiZBYXU+nHNY0KlCnzaScgKRIQDSIOHuu+1acEUETutZWv3+ru7+3cEe7D6SPEDt89MyiBJCVRfnu0s9ssojOMDLvKn5Ba7j7HMsi6cFAyETfFqwrl3HHoc5e69J+1kwc1pxKmn8oJubuBn+7lgp7vJ6GfxobDGi/V5/ICwBMl3FbNfeagpuFguvY6ix426W7Eha5coC9WHNC6wLGJvRyo5aWRcqeakl9veUX8Zh19qPxSsgq3glnGzvcXwZGCY7CcCxLmOrZe0Efy+5vVq9D8XDdwq0twsN5w=,iv:rMEKALM7zs/akDPwSL0yEhcgZJC00shO+BgmLvpGRIs=,tag:B8PSa4SgYlhxtbsUJQNisg==,type:str]
-mautrix-whatsapp-env: ENC[AES256_GCM,data:FKYO9xS3ndWzsrEan0aQo0VnYn3vFYB3/6bgR2JzyAWSO6BLCFKbpKOZQ12/9fs/Ofxl3YutKwfCjULqt5WHcl/xU7kGxd1WnaAMXMsfzbteB+leZb68nK1b4TR4,iv:9XdrEhmZE6ck5xZKJASnF14cI0mGgiBTzTYXkTG5sM8=,tag:NMPEwVPV4TLLljSPpjy2kw==,type:str]
-mautrix-signal-env: ENC[AES256_GCM,data:5J9XEMZ56gZWwo2yGXqS4fnGYMHUMxB1FDogrh/HguyUizc7sgiX/nqMjm2byoPQajdYmPkNkp6cuKPre7uThvOHBLTXoQAPa7oH2rHuoxFGKHEoaMNS9ASC3A==,iv:ralynGox+FPfraSRg9L9DFU2NNhDQkhWrOtR/REnpok=,tag:u14jhQe50opbyNv1XFdhKA==,type:str]
-mautrix-discord-env: ENC[AES256_GCM,data:ZFTR6bJ/OXo8Eb7OsB65FX0dv2L53voJL8aE8i1AmXgr6t2e4RIxEj5cMUMv8g5YjnTxodlQwlCojErU68RGikksSHt0I00aEVxD7QzAoZ168apwh4PY6/jklyoclusRV7O4p3nGqjMJHgLe5abZUbTSwG64jspn9xF74SIPC7FseOwb4L9rkFZdwF2Guvg/vuX5bPOjxw300qiJmxh0qyQOWE61jTWPD0NMBhvKdBgvHhxqOx5UPV8mldEJ3lsIyfADF4nOygfuumZ48P1v3mSo8jdQczHhACfw2HhoZd+vhtfo3d9T3brbRVMDbVerOukUAUn7lb6wqJEUKtaUOquNV/xunoTKmRjwD5+FdDA=,iv:ed4Eb4zvkb14Fx4Fnt7ldDdjH4FhHm0OoCcWdbVb3WI=,tag:0w3SYMcrFs6ODtdjH+cbZQ==,type:str]
+borg-passphrase: ENC[AES256_GCM,data:WycO5oHIJFgpWsr28MNlN2eEyux3hbdZ4YtDqQ63UheLskUZczIUUAggcRl5k7cRnV3Op7TsOaCZWX+LFwUgPgMWpwU=,iv:GRr6U360VaxPfI65TxLUamGnhTLWB0MxNmpPSp07YVw=,tag:eRiQz+pdWmAI/ZODUP0b6w==,type:str]
+borg-ssh-key: ENC[AES256_GCM,data:29SBU1nvyPLRfQctTw9b9xtIfdHW/x9rUd4Njb4EE4r9sxX9gXYd+fHm0c7HnirzjMqVTkRWXq0j4Ncs3llTOf4B6+mw4N+X1veDVZ7DaWdfyJrMHKbHgo6ANLj9TokIcBpPR2K4Szmf3tpXQHM3E4dIWnOyXGwUQf4051Aq4go9YJq5fP54/dy2ITRT963MoRAfac8vDOfTJV6y/ZdxPFq86vqqK+2SCxLqDiKlEocYoe8rWtsG5HPkjLLdYLa4xy79JdbQo4+qt9B7HrB/e++c76vPgZOnWtK5GGCS+mArU8jrQEeAfwI2+mt/dJtCTP/0Ewb7p2h77rpiwKNse/Cjtv7i5eDBhYuIjFtPN4PMEO/sExVoSEG8b5Y3TLlP6ehIJtcplzqAbHR8HL+LC+7FrdtjBB5/YWsgZ8EmIrkcWCDWcCWxw84sZFYuz5mWSIPTtlmz0rN9xox3DqSV3A5Nke3Qvd8TiXDbRBGaAYTWk0LC0m/QiiL9Yen7TeXmi3eAoL479vxOcxcXV0XVqC+lVwe6sa1iGG+DxEoteSRs7RjgC+VXWASY1cK04QAh11PMymzLg/T+b5Uclo9iGuLq2oO6KXEtbMmR+MC2JBU/Aau7btb4Yj80X7Kwqv3Ck6yZwxsoPEgdhQmd/A7b5yVZdMRPcL82+tJnxR050Qa0SqDr1cqL0DGULzK7L11bKMKptvPhXQlEuO9b2J3aYmF0X84KZdyegHOjmKh4416lrHLWTB7TYLtSZngIPtT8RcBWWNJnCRHQztZoJs5z4/Vpg4/pnO3P+yQ34TOrJzs/dzJgvLufLjyE71shUgBonjRoO2n3oOkZWrEg9VqJYNFFQ4vh3TqRJY0TKjwfeFCEVNkBZOJi7CT2h0vpxYDalNF8XnfEzzCjI0j4GQKmgwFky85MapscTblbmwws3VJ61d3eQ0cxQMFW6N56SDRAjtFnKAn2fA3kIyPrZL22/5JWo4kl4JGRpdCnDwljyZ/qr+UcHXjuCrALIagGjPRnTWDbPzMgpGz8CC2hpLVdiJj+AZ325NObBVSMfrZaZmWIIQzdD/1x43dOHX4l96YIqoF7ZolU5zWBcmXQNsWhs5TRk1A6YTd7qEvo8F/awXtIvXS0pa2TrbJk4KYblsMpEMhUxfRCXAx2exE78jFIVBveWRrkIwbJC8SffnPg3i6v80zt7rxcwy29Lkyx0gB8RPWVlyaDgaJ0TR2CKL7/beNwGW6G73LiWyYkb1BRDsw+rkliV1x5IdNcuLXLcTXSr17xioO0ErpPEKLgYfuv5cRiYTXsriTYkiuGAjgpZHhe9qJm/1Cxx/9qFMgGGnL1ubbpdVVrkBoUwPPKBVclnehCSdy0e09z6SHXKKe6kgTDJ36xXRb80GpjRpn96AZP+03L9Xy8gMILhKRAauIoV7fG3KrZBl6z/MR7HcT891ydoAJ3TRxmVI3+aHY4tuz8lR1emgHnc1K3mxCADoN5JGZXtND1xaH7fV0j8j5jlkxTaL5kTnU8SvwW1aLaUKsCL6It4ZS9wcfSC74cEkWCAfTwcl4GUulWoTPrYQ3p4/2YcffYUnP78c1ywdOyI5nWMO+mzm3zG2T/PUOQD7meLJzLnWUfGsPGW/A+ZcBYqbjokXNW4oaZJKcmstjSnFmFQY6eo+pdWxXcEd+2T+pxO3wfDKDWDEvybibWXJpUw0+kLoQQIYJslbCyHAEBbjiVp2FJUUIBbxjMbWpUbm3/w0FQ/Ya3oKzRvrlkD179rk8KkLi6+7WKhEJao0cqpV+1V+FglR5I8+S6kbW3sq8c+ryaNXyC2ReFFZIEEmGRvvhUEbELI1TKCavisFmfeSs5Xw/lZDrqqSI6c11gWjvttCYpKtggTE3zzc3eFZ1oMVB+nWM4yqojqIhoWJHa+GEc+RscBi4rN3oPZAGxSv2KHMq2Wueq5w1ZDZ0Ox5R3jvU68+7KFgVBSsSzTCdEYH8bElYwI3kf3crNKe/mMueTA7YhaxtCd6vd158UsWfhAXvlgKSnCIZn+SovlEWQdv+6WTI2jwwF25pMTviXILZAFTCh2EfSILrQDgYbwICRgXcioaTh3W3OgeVrdAMVWvIvMsH9Z/o1m5NfxZNtaOv9f3HA8yJti6u3VFXe0GJfxm7RrrpJhGURf6oKItbanZDwVbDlL3ruEvjnz5O9T67WVqe6tK3IyWJv70apEfLpN6gp/CiK9/7vC9JXxbnWHw6/Sl2g8cbF+P4yzFp68v0kh/79H1gLFzBgS57cCBqDey4v86slNSu6suVvuVkKZ3Dy1OW5cRg0OGsBytgNrX0s9aKSNvg0q4zZ83QrT0mAxscspJzKupqML44K3fkDJrFo9QR3XdYMY9hSqw1dVL5XatagVCM6jxMGJksp9lF+Fk5Ln5DW6c9xc5B+stCps79beCLVwajWvKSqhqH5BHhCHF5A6+tq9U1Gh+aArRmL290lU7Fo+ALyAJPPKJ5gGLdsuCpHD+DM4IGYpTIhvnHp1rx+KwQu6MaK4KjE6ofa5DomaoNzjZ7KOWy8ARTgrP61dvbSYgLhHYx1qCVIkEIje1p4PdVdG2YK6UJsYjGiD9PRTIuYs5oU7KzOVhvgh3/1660A0syoDuJk3T/kbGDi9fr4DreTopZuQiD12XR++6XlVcynxSnskf8SBvRNwVTLR21Pw2yX+qT7c011P6keFeR/1j8BbzlyP8mY/ukap5yhTwH+dskq7dQM/xuMOEvnV/8ggefy2L9X68DlzwoJNIZk0FvbEZFto4SHUvCavKSVMLQXO3YQKv7jaAyxLI6wIvzMN0nskHTnz58JZ8+6rDjPu1iKpUP3JVFMBv2t/3IimOSJUcL5YWsQrxUdbn0AbCwtzq1u71IQSzaZhrFBA4PqSUv/SHCK6Iq+yj3o5GdFX2l2hfCC6GPS066uHYJo3qS4ujL8PKpBJZZlQL0rPgNXIglXQV05c6cV9FEZvFNMRxmL8OfTtJHVgsoqkfWN4Fc8t5HBk3ojOEcS24UOdQ3h7QoCz4o8E24I4/14lAlXIxI6v3TScC6ZaQy5ERvIwHak59YPYjbqzSVbrtC6GYZDdsgfhhx7S42oYcbhDQ1T3wVYWhhLOPyVS25ZCe3QGTbmkZ2SCaHYAykWhkrlh52o5rNK2dQTlMsz88MsHRz6IeMOweYLgGyD1sSMQ8jN2Xh+v9qfE4Bf7k74WClv6scYYM6k38V6eX2KinB8mw2XeGpxBu+Nu5EMxwEC/DTqKJMHaGptOyu8ZQtZEo3pnu+yOfdoO+f+ZQPjOgJo24kcT9IFpdq+m8kobvFT559aYtaQmA3kKzqbhM2fCVzLTD3NQOTm9y4zMFIYYZ3dYW+bkgrghBAjX8rCBF9oZAeTXWF7mb5zL7QbsLIS4jAMrdH2jEKlfaEzBmeWE/Za2JuxgL21BUK84SjHgK7kKzUcszmsLe8jvl3B5g==,iv:OueDyI/8KXfzY/JcQPSDe1CtWhv0GSaPTIo+4bh6SJ0=,tag:9jFibpU1pl2NqRYzI+zM5w==,type:str]
+coturn-static-secret: ENC[AES256_GCM,data:zATUKql62Swx3pv3JWtH9audrCY/I/zlnCX+Bi02z6TS8x0NIvQ81aRA10N7prRfPhV0fxuE9CFbOYv6/TF77w==,iv:xaGFsdd1RQWy6l4pFoMYai8llrU6Lk21A6rib1Nda5I=,tag:0aX+r0u948MyNHkBdHdsPg==,type:str]
+zammad-key-base: ENC[AES256_GCM,data:kyn06GFS5l1TN2iqRP9Sx1vNysjaATA4fVGEmVhfxh1hU8XkIjm/P9CdJpIZQdoU8sx/rAx5UBrOlfFYd/xd53AvEn94Ag5nYGc6DtqX2ZD6ZG+kbZBL/W084dq6Jb+E4ID1ypicvocLdGc0q/MLaHFT8oqoNz1QimEZ0X0o/VM=,iv:pf6eKQXjOiDDGlLKMNJCBKmwpTGiGatL1A3J4HaBhpo=,tag:FSEoCjVnpzQO0gFG+YPd8g==,type:str]
+invidious-hmac-key: ENC[AES256_GCM,data:gP3ksPfVEZnyhBKTutklmy2Hqnt3iM5QfRImjw==,iv:rz2OxkOFrPkHPbHvBSicAMPWRuE5QXrUqfrgzrp+UNk=,tag:0jTMuCZwsv5AxM2rDZDK3g==,type:str]
+invidious-admin-password: ENC[AES256_GCM,data:f7onBaT2ZMWLAVE/mM12dCPSiClwO/b6MqFloNsEaZjPmWKqETYb8Vv1YISa8Bsilw==,iv:giW/S/RWla0BWBZUY3XxCo9msdo1Qr48AKm5VniT2eo=,tag:4O+y6d8qswd4CLpYeNoivw==,type:str]
+invidious-companion-key: ENC[AES256_GCM,data:p5KgkduPMU9gRLVVvIv4Ow==,iv:/FwI6+m1+BDx4GqMRbS6LX5f5yn5OshV/8A3SL5aCMs=,tag:dZvEISiIMYPLtyuBiYc9UQ==,type:str]
+dendrite-private-key: ENC[AES256_GCM,data:C3+nTLSd15ao7NOf4/K+TGvomjztZmS87erBRpo1WrkHaOfUcu9TKHNQVEyxo7ZMLXigVllGknq26g6py5T3pXd7OuFzJZnrF+rkRdGLb/DgbA//FXnvttWepOtDzAb4p36fvPuEc2KX5U0L3zPxADdZUUQtXebqLpmOQdP7beIgPk8Ulms2wB4=,iv:X5zj727mg1awj1uJPc4GF2oP5tR+bSbsI6J4cIhFJMc=,tag:MZO9yU8Pu4/ZY76Acg702Q==,type:str]
+matrix-shared-secret: ENC[AES256_GCM,data:Zmcv964w0wFGvCfcKCg7ZSWKEYrgAUKuVmXMRNG7RtoaFd/8HQjWwORSMOvwvF8yslGh0JgZUpntzUID,iv:rS7XnxyoJzD5sd2zCMq+hGcGIxKnwElykejpbCpdfC4=,tag:QOLfnccTo1pAJPh8XZ4HHw==,type:str]
+n8n-env: ENC[AES256_GCM,data:F3uZ/Knlea09DUOKOD3hYWKvbclYdRDsDx7+JBijxG70WvH0KUCFftGZRxfP13rUts0IALMW59nHbFu1qRT6tnjYcSmhTj2YCggDGRpoxOO5eJzDi2jOIPio0nG0V4hi4bHtoheWyvid/qhtboh0uLq98eNJFALsv1u1VlKvxt+gWRK5LsBrl9NKG9o2sTB/Dav2Kyu4EXAw1UzyhtGB4HkIx94pY015TwYyYzucO7/L3H+0TszUn5MfWabvRGZ9pDQ4mI7vL/+YxE9TyRVRyKg1YEagZWHVUv+BWzuia5kh7Tp6hhFKICT2vCK5qBYq+JT/N07DAiOj5yCN76seX+NeipUz3j9BUjkW8YE1HVLg0P36kWksXI+gwQ6So7c=,iv:STbMKVrVxdDmXR14Fase3IVBOT3ArGc7mzrZ15OnIhE=,tag:DBZe7oOTtr14rKzYK2Ajlw==,type:str]
+n8n-git-key: ENC[AES256_GCM,data:K//mROzlO8YKDXXKk3bcT4qaGQx91SaDV+nZaMVi7cHxe35idJFOCkXVc3C7AwqHNBSYukzUmOh94BsJ2Nqmsjt5QTgPYcfhGQ7fhED2dEDp1DS1hClXFK9GzzdcRBlSHGmDea1wWmDK6MqSv1KYkb893AzIpS8IpgZ9L96gAAkWSzyeCgqCQYvvy16oT8/3/8JNwAIHhXUPnuYd8dYFVriYph3h0BmIomRqRIFuNNUKO+KfhrH+rcf1Ihsy4UJN6oA/Zo+l1CxcOvCMhwi2FDUJOrhERvMibWfJECZQpQWMvi1jqAUXKDlHdLmna86+UP9l/e0sYPMPM56NgJP5aGJwirX9+EpMOQiZ+k16i6IFXd2qiJ9CPdmd+6OAaiygksTNfl87RbUy0wTgjttUW1awxgybqWFpDOPPie1F2xvB97ZZ2vlHSyPD67IJGGcHuPfh67TyQg5og3u+sA4kQlHvQ5NTMfMprotLFOQGPXw8GN2PEI7TTqjHNz8RzoD4Qg3V9Bf9QSds9LQWtI5A,iv:Dy/HschT+hVNx7nK5QcoLRx36QfRomXBt1jvVcanZvk=,tag:2cwjY3fUX7GelEzgFuxGpg==,type:str]
+phpldapadmin: ENC[AES256_GCM,data:FUWblLo6eqi+MFmJur/drBnu2HZvkk6fPz/rlf1hUmsCaP/340fKSeiqn8DSO0NyVgm/G1R8A4rZ5Qe8wz3oDhj+f+9aSQbbBKLsuv759s/tuU1KLFvGRR8Uv55bVxu5gHfHgbS3hgFhkb5xxsdzQCmpGsD38tS9DNjYOgP3eheGXREoZeeq79Pxp5fWvM1Upvgg8kl/OtMhdU0wjlJCJz9/CixUYPw/zN4/aHiX72+UO3XXdpEEXS4XPfaUEjvK3v4y/7k8sKk7VUe546FpzVZYhB4PeiylFcYLYTWULNNh2/as84LSMGE=,iv:bU5uPzXHuFWNGCZswbYej5TYuNFfNpIYo5d31fi/8Ow=,tag:OgWf7J4sjhgTN/yKWGm+DA==,type:str]
+piped-db-password: ENC[AES256_GCM,data:3TaUfu1thd6bFNmoSK4EDxtckLGE4mxuPWvAkwm+ujVHsMsNOoAPrhCXj4g=,iv:J9R9CU1y2dHLvUKN5Y7QWHBAZWvy8zR4mA1lPqdQU04=,tag:zLZR8/p+7ut+o424IK+9Xg==,type:str]
+synapse-oidc-client-secret: ENC[AES256_GCM,data:8wJx0VFZUSsrnUDjeNVzNjs29sMpv9iTkNmrBoqAxOHAQeq+ISk3aQS9VC78LmD3zvC+x2lSp06XfBuelQiWzg==,iv:a4D0misSVNWexWEulwoeQdvLIF6Il0l06t0E021zwDk=,tag:YyXKyn4dRsEuzOYqymF6Mg==,type:str]
+mas-encryption-key: ENC[AES256_GCM,data:HCBiBdj+JC6W593oAYHcftb78xS12Ja6/4CdzJ7gOGzWHKFFPhPHFR7X9e6+H4NppQu4TGv+DuOcOlpP71A0gg==,iv:6M4bmVbt03vmXbpONi8ooZjwAqc1eELs1ro0ndE8X7U=,tag:xFt9uudnA73oglCz9j0/Ww==,type:str]
+mas-matrix-secret: ENC[AES256_GCM,data:NpQ/0aCyYHlaP3nThKCsO8t40Y1P2TSFT8ly0gK+HuT1sN3E8LloMOZNF3181b4vi7tWkfe2h7t3wp957vGODw==,iv:YYDA3VLlpTARAu0jTfQ2xIToVSDxbdKrZeJN6KRR/H4=,tag:gLXUlMNwXrB7//2TJGQGoQ==,type:str]
+mas-authelia-client-secret: ENC[AES256_GCM,data:kPKzfTbHZMf1QEPm1uNVpke2GxmcHonO8deUuYJeomG4WqJ6MbNs34ez235ZxWyzW3SbxonTUysgtInV+RKHLQ==,iv:/DYQrdnFnnO2W6VgRnlyEjUmlYl/t+4yF0kU2HTiLgo=,tag:Ja61RVmgokF+Cpk/UcRAFA==,type:str]
+mas-rsa-key: ENC[AES256_GCM,data:C8CQELMsdsIKKa5NTXd/Gx2KQZkI1UichxvBpTMvZYpioBmB1c3KCVpkcEJLQ8wBd/b+/gBfh6txQ9w0zLCFaquLbInTy+2HvUPA4awsrzPSMGPmca12oN3lj2HyxQRmZqkZAymetFRuXP/QDg3iQjumooYPuFLb/ZTKkr4kKTxrZHIZ6RgRb3h34gfKZ/ermYfqbAJPEqPzy0SZ4/9Ed7jWel3fD30WoRwTs0/SsaDKFs4GZ91aLpWGDKs4TM7wUDtq6M8SmrcTad781jAGLezOqbERk2KjjoEHsbuowdElxNh1Os3mRp3Vom2c3emsOdgunkOq7ys6TFUftbHzAqs4ZtdkeLq4SB1NvFXlYELa+fj7XP9lKMKMGUkwff8ZU2zf6eKEIckKpinfDDJqYogmJCxFWaCIKF8AohEszFeCxcx1BmZ2NFFpv25dMpz4rWtJRBfdyAtOZeq21VErNqI9JuWBpPN3fcT+ow8GKTCJ4yE1QyOXsxzNpuiyfbUPl8NbNPjT2yclES3ZvbftCC22VNtdUncqzNNy0VJk7SV5y3KMyao0Ms+aWZw3l+674pqN1cx0D9y4iItJHz1mEZRto+2jkLpgqKnoMx6Usnsfofq74hqIWRz96om0Cl81u4B8aI21ryjWNjcBGpWkea4YI8MGCEGO9tS9X1c2DYVfDpcn0yBz0UA2CWWe1NxfxqGktsxR1Mg49rBh6FrdEmbjZyUFbrzMHvcNIN5fd/JsPkg/cQOSCHgoKiJfChEaEfD5FMIfz5lCeFd/rkO2sDTHTcTvd6wLTI5KviD6KC5YmYPNllSBMCzKBbAPB9zg9r5cwyPzz/+/ArSsXGydKjb3YYd3I984Ye1lDlTzLXW5YjBxrVRnW7VRl2ojHhpHNqlW4hoV95Y5sCnZ8ntfva87I2dC1fsI+1JJVW+LjCSPNG8lWyXFOzdMMukHzRUyYKR7FDRGgujPgmq9+NR039s5ZY0VynPnoU75AfmHFoqUC8sNC2hqiFEorvohyRN5AMvSHHYybjFtzrJZiNCBY8idIkl/SbiBbHYS5gwCuQlV1pZUbiN6upGaZ/yh8Z3R5JKqnGziZlKUzjajdUx9QxCYrgHxB0pFsMFEkysR/wwPu3463DSHwyDB1QQc7Zr63ppOehOylE00l84HJsbRs3FQ73EURaSrdhSud2KJkEV4SqHBG2WRWqThTphJzn0zpXwBAnhBk87rG6cEFMvaQWSzVSfLd/OpVcPPejC5jRBVfEkgVny+fVkxx0F7XkemGM1P90NeCVIgiB5YPBSBKWBwCcgvP5lZ0/lfINmVVWvhEfhtk3isNsJSqusg78LWATQUvXIu3/XQ/S/wQF+3nAP8loPhszNUSI3cN07i1bTAjWkjWchx5KM0K2r9gFS/JhX1Q2IC1UgcvAxcaJcj1DcIVpGoY+QZx8qQX/G0sdBbcWxar0/pR3X0PVsZi8oOW/qZwfyH00DJo+EwHujOG3bvkT+tx3S7zZ3mp8euQvNBo0dlBCuZKbH61PAxpf+NEvlLq30x19k7ILab7bv4MlHX3+udiy/ZNsFi0ZGnMbI5J6WyeHpqRBH+DYhQHRcQaympiXr5pRhEKLH5JgrfTat7p0OUX8Ds9C32gUQ99RgKMjxFoklLVhhoXMSh1Aijz5yvDP2Bx5Jy0yPrwXDhLY+BvIUW041MdDZHHaWPeVjhfSaQxthcZgY/B3Exr0UBRZeXpq18/NKohEcuQH8hhSV/ikrt6q4RrQ7KqLQBDLhrIPiRswQae2VIelGuzCRm4Nt4ABcQgTW8Blq3D1qfkTwecg++dwsEzpR55Zy0TGO7u8wnWD2En+X0pFA0Kjc1CSyu6NOkzL5OoM2vGKlrW6jDHGDVyDVrA5LxhhmhyKKiS+6M6HqaWgq5YEYT9QgKH+FnUyZrVcVcwbLhLI7+nOD85fa9AmmXk4zIROivWbEwojfB6SpWaa6Rqz6GoFsdCCXPg+eSIdo2OCtqsUTovhkQnstYjcW2Naou/erP7SLqviIaiwBIU8ce/KZoooU2BqyxlkgG5lFCXCxzwE162YebAExuJQHWk5echXHhmG0DN1ARijdv+afZbLipt7eHHoLq7buuyjlMstVXtCIwHw1onPg8dna81n9o7UhQO1NJNhVKB57IVBqYmHoNPFkUp/CXJTvzpgY62/mbkRYmhQ5AIP+rX90R4Sd9zH3EZOAtlIZnCMgjRz3XrtWIdnVSUXg90VIC3Uwf55rB7+XQOtpLNOkPYdZYQ/OTP2Kp3SHIe3jjXJ3PkSLxySqYa+3ejyE18tG2N7XaSHFRJ5iH79abFNXxs9kkk2RW3ZLPzVkWnOk1EwyCF1kpbMGy6aWBAriAn8gdAqwSg0XN7j0VduFi6dOu6RoQePBJwpri8R8ClK0nmXkppCByri+DDfRUK6rw1zsTwNacw9f0HuCMBTpA0X2+e48skmsvmxMGnP7YlmsCIMUK1wD+1Gy3BGsleQ/5cjkxdMmV6J2ID9zfNxCRj/r6kbCWGWdxecchGq56/tbOSzqkGg5BRmnP43JvZ3egry4/peYbo+61xeDalg6Vuw4Vxi3lZYZzBG7LNO2pQC2oPXKPp8qPFm6doPEM3P7GyGUCJiRBe+nmuL2pZ1hagkP1G1yG1f46Ldggyyi1AbEedpaeMOA1/6QVcHbiROtJJ55MF8xCiMlBPfpLbvCDeODv05OU3LjmCKAbzYcSutV9WBU7oGpUnGytyaOGtzUJlGfHPbA7f2xScPslR6XttfdIF3nGgNHIV4cJ242XAi3oq5sINUB9AbfqMBBwpcAC0irKvqWgTRnaDFqXyeqaNI0uUHAOvq4jZOEVYK0HF5wdosRAgWq98rGv4jGFHnPR33AxxBgdfU7olTVmCTlgVo6V4yMmZ+dQLVd5OUYLG8AR732xgKf4QY13U60ASczoDhBb4gwH6poBrWS6uAYkIVitiidzeElDBTZu9OzrhJ3dXfgdYkDInHi5AtMDq8jumwwER+Ug49axzcVghNtDmAXe/5oLVt2MHFWD34g5nqgBlkqhz4mGjAlVIvpje+xpuj9YgijA2bQ1GEgqDFm7LZvKqQfP5d/LSILXDnorUWSsZ55XYc2jBv/C/RGH8OpodpC5oIivezlasogQy9wvFFN09nZ/WG6rJenRP7xHWOeix+Jkw4rkS/aqy595a8qESE4mKxy8IYhSEi/NHn8U/rogBuwh7A0Zpu9C62wpze32hKmP1QoLvc6A6RZWQ4lBFvBigeO76IkupXeQACx1eTGZzfmar6qmFNwC1h2XUSnxeOHt0Qnsf50fU7Tk1v2Nj/kC3IgPxQHXheB0V3ggpHuOlk21IpKaXD1dp0+sL5eqZ7xp1F3XEwvTcxx0Qg1UKVj9kKjNjsGyRWR+0lapZ59EBz/Qqh4xN90fLzm3blGUK3O5F+dzqToSnn4p7qcpNYivfAhS67inYx24/LnrlW7qxUWJZ/UUcoqR/sMkuJoDBIRcylw7jT/97Vl95ZfVxuqOTjyWunsGuCxv8odTOWrT+s70UytEP07RhK+z1Al/YM/oLX2oA/MDsXAcK+kD3qZyhuuLRktVfm2vE3wOiHGip0jq6Q9LZNz7RTMWz5hAacLdaWNOQBvCHwPNuno9lJsbDz7gch/cB85bATDGpOXV80BK9e0ASORkLpL1ccm3cmTqLYzUHyGGgMIdPHedfUvX6oYBXEW+4IpC8KWKhs75KNktipSZWgWBhphgy7vv2qlKvjcbTh9gXT63yuMOkx/X11oH0Pk4xMgp1sQ2gqWBC7oj08OZJWEmh/BOe1eE82s2yjXmJLqlsCJA1Tc3AZhbr3F6IWmbSC2p3q7lpyre60YJDQG6ec9FVnIAxdDOEux9uyBC2AVx+hzuir2YAmXBsQRQCgeIatZ/+HHNGWe4av6vusS77OI4xskzrIQkYceTgvoHDpVh56BosxEo9Yh7yx606VYZnZnxub5MRXMIDSa8nF+fm2DbqkmSkloNie3w5Xa+F7HokALpJ2cgp47pbTmeZtN2XF5C60KtJid2seS6fEHNZxf/hHLdwsshXsZivT8X1wZ6tont0g+8XlmvVAHuM2552Izthfg3FFKC517BrBU0J+giXxHM6XoZLsINOoJthvmxw88mBezvqP7CQ6USBk8eZsjku+Rrt68NKOICJhuGCxN/mW5evFL1Nz8hbRgJfIyJ50c5GyLZrrXfYGI6jBajf3lEeyO07wQNi2krYaBfUqnw1tkx7undQ1kxgojJtwBUAceWEfjgIKjEqOCb72jKbgTcxYmFv73V6sUnr3QcIoPlCXiZ7S1tFx26Cx+DAzBZq0KneyCZk6M65hc=,iv:ppXbRM6d+FBQE+drirOckl8xhtdW+5MRwl+t30dZt1o=,tag:CbCB3F53nfg7XT6dtY2HQA==,type:str]
+mautrix-whatsapp-env: ENC[AES256_GCM,data:qZzw2sXRGOgaeIRUfqAPmkmS4N6OSCaaNSvUEj1rMEqMOCkr7alBRqyjWEhQSJrNnPsnwIOFmuvk/+wAklC/f9NPGNzAPfXHz99M6eIx/7alkZ75hxJm3jYWCD7U,iv:hvPKwXNIXfBJW4MVA7amVtn5yREAfpbvN36USOd5TQk=,tag:xoaPokXspL1RQ/FbRovejA==,type:str]
+mautrix-signal-env: ENC[AES256_GCM,data:MOwL+bTZ/wvdFdVuNMqC1V0Z1YX5dnVCUw+GtWj/S8ejIsColF3lxg8lFS879moKEU/iCBaQ74pfL32kqDDQ+vifhuPinUdR+dfr6au2YEcqSahlpRoJyu1MWQ==,iv:LoWSuhQXYSFinS6EC0f+rVIMWZSHi8/EAV58GlWWq6Q=,tag:RR5wxb9Fsf5kO2ip94fJ6g==,type:str]
+mautrix-discord-env: ENC[AES256_GCM,data:Gb0jnFspKrbJMQ4R9mt5Ss5MvvLYNSZ+TepOk45aQSi4FWyMl17xuNNWwh3r25PL30g/VsJGV/1MPBIuD3NX6YBnP73oaqkdudoGBt9in/qy/8s2mifJ8FIzqiYl9VW1dVLH0Ooqrjf5oe4iM0VJeA81ZX1ppmxb74PJTwGGKg5ePw3nLqHEMdGbvt6tk9kKhsDzMS+FdPD8MSl5gLgYj0Pvr5caEarEmLy9+xgSYABr52gEXNv9Rc0dAIGwnAx4xMQBvYyqH1JpR1hH+A05INXOhQnPi6cRU6FJRHEkV1qzPYhyzo8CcWJTh70c+1FB1vnuZERjSZXlwLd5EuvDgbiCCtW3R1gxSbDv2MAyaSY=,iv:N5XKJixpKClqfZ49ZKunHGCkYVaod45U8NCXWdVKNls=,tag:5B8ztRvDVHOSE2vMPX9TdA==,type:str]
+mautrix-mattermost-env: ENC[AES256_GCM,data:BCqIRo3Y9tea9egmixFS11G2t4e1xB+dQSg52sRXOEyROB469TIpY7hh2yskgYoe2Pr25VVbc4kh0ZjEphX6trzHx2uzm1WiuCDmf9/ppZSQ2zcdBFcSvzj/TDKtencnZjRWpMWWBXO4G68g1kX1Hc7fKvH/FfIUqyGkllEAeup1EelR7EjXqvToPOQodQ6RlY0rmAoB3QJ6lQGe210r5GbsyzdMXQTKCf+YNQDqETnWj7s6TTFJW1z8VXlP/sTcTB5945QkhyZGyzcgfYTrR641SnQG2OLXs02m9jJEJWTglrkoQEvGun/q96YgrpRSNbGPIGPMzgqAXc+t+jrVx3SQYGjNEc8511mPk/Q8MSyewhxZUXZY4MY=,iv:ayLZTiGBeBUYI5fwq2MyWBGBhqNR27pfyoPMjs4kwzs=,tag:avXc1c3tWYgBGOTNpaEUEw==,type:str]
 sops:
     age:
         - recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyMkl1OGpYYmxUd1AvejdG
-            WlRtOXh6TjhPTTlyNmtHZFhRQ1Z3OFJOckFBCktGbEcrZHR1MHRQanhxaGpWQUNB
-            ekdVMkZQU3FkbDlURklLNlJyNENDRHcKLS0tIDdxSkVBMnhkS0dMZFJ6bGs5V0lV
-            TThyY2hQeTRIcnpQKzYzbXdlUVQxaUUKE0jgn7aNzN/jnJzLabYPkEw6hSxEbTK4
-            dbaccqGjDs/ubiD2ajtsX2/BhARSfsA400vZu/gXBLF9+bzJ3paM3A==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6WGlvaGxQRTNqRm9QNElu
+            dmhDNzR1c0RReHFqRWdHK2pSaDV3R09EK2lJCmVFekJhNk1hTUpKZ1JSR3FXQjlI
+            QzVndmtmNG5mVC9CeE1ZMHlzYk45WE0KLS0tIG9QbFgxMm9mTmtYemJpUktCOUU0
+            NXNHS3JGVG1GWnJWMWI5VUtyUGpybkEKsdH5M+eFUrYlrzQYminHTEnvxm6woqYi
+            6WXNr9Nhuxl1hK0yEPn594v95kjrKF4+3jbvwE5SG7pSALlzZgTtPA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1exny8unxynaw03yu8ppahu5z28uermghr8ag34e7kdqnaduq9stsyettzz
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAycjIzMzVoWmRKUWc3U2Vi
-            Z1dhYTB4Y3ZoeDU1Wng2M2F4ZDBjd0tvcjFvCkRYVlhiWXFlTFdWazcyMG9xSnd5
-            Z3h0U3J0MEIrYWZQaDlwUFR4MDVidFUKLS0tIGErakZGRUpEN1RqRVhrRGp6bTNP
-            S3JmQnFEL0dWRU02dUI5T0RldXFvSWMKT9t6jWeX51XlE27BoKnUsrgWz5jn4ygf
-            +gqh2KUQPmVooPAooTXl6SVBuqaak+A5kv02/5iiKdKS30m9nEOgUg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrSXlFYWNLK0lpeGV4Z3JT
+            RXZaVEc0NEhDL3hYY3lncjRRVmJoajh4SWtvCkExS204U3ZpeEl5bEhaTVU2aFdk
+            U2svTDBJM2FCOW9vdFM5blpFLzdoWTAKLS0tIFU5MnhuUXVoYmxyY0REZ3RtTHEr
+            UzlsdTE3cER4MHVUOVc3TkZCYWFSZ1EKb+I+a/E51FnitrzKScBtbsNcPnvLGELs
+            9+ZddzlGZbpFSp5Jsm1aojQvKMJiUz3jpGWInNpWpjl5PhEg5KDInw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1dktnemgySlhZbFUrYjl0
-            aTB0QlpkL0lReFJONjBvczF1MGMyU0ozRjNzClpGaDlqUWRTbWVDb0hPRys5T0x3
-            eVd6cXBrNDR0YlJLQVJoN2QxeEZQaW8KLS0tIDAxVXd0TTNZWmFNM0F2ZEJnTUZZ
-            NlNWTnJjWTdNdXRjTjRRWk9MZGp6SWsKMvtB5iYQfa3GFYzf4w5peWuf7zf55Dhj
-            9bNf/AzapwW1czt684gkpPLxMlBOFqj+0hVks1YZn7QLtB1EcnAbBg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4NnFuWTVVUmpEM0V5RjIv
+            T0N5RWFicTV1NjE5MDVwd3BzbUE3MUtvZjFNClh1c05YVTdKNFpRSW9LQlZvc0FM
+            L2hBVTRwQ1V5bTJlK0EwVmw2VUlxclkKLS0tIFA5RE81WS9leDJyS0FDSkhmeDNU
+            dEZmZ0FFTTk2WVQrMC95UkxRZ2ttclEK6CJykupxPbXQb1v2Oz298bJxFRx22fdO
+            1P3FMBwOER2jWIix0Xa3CVEhNiXxQ2Y+ZXw5pT+N56JdX0cAmjg2ew==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1gjm4c3swt8u88e36gf2qlg3syxfc0ly94u64c42f2tsf24npw4csa6e4fw
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEeks5anEwU2FnVTZNbXpI
-            cWZiMEpQL1d5bWRpcU84OUZSOURxMXlkaW00CmJKVGppVTFRelBqYm9oTVlYT2RC
-            OWJLWFFuM05TVUhPZFlsWDhMRGdra3MKLS0tIFpYTjZPbXRlZTJ1cDV1ZFRlZFYr
-            WUJqaXo0YlR0d3FXb05zYnFFRlhtT2cKFxPi681ZwL3Pr3pyE6cJ0QFxWAGFcI6g
-            i772pQ/Yqxr81bj3hCSE+vHg0GGV9oGj5La9jdKFVrV7DcW52Rd0gQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3NnRHbkJ3Q3VJQVF6UXJF
+            bUIzUHdkeTV3aENsYlR5dmljb0NVL0x5cHc4CklXUWpSeUZvTGZjUnNFaCt1cDJx
+            YnFGSW9sK3lmYURhMkNPZFc4MHl3NTgKLS0tIFVDaWxscDBtcXlNMzFobUN6TmMy
+            dVFGR1Fzb2J6VlJoaWtKWmhjZ2tYZTAKbyNKYgASSoKpJtDKFyyuuwTKgbHyIXQD
+            Id3ZftDczrQ6kOaALloI86JULSzuLEuq7SzWs3FXb2r4uIY9NhonlQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-02T08:06:35Z"
-    mac: ENC[AES256_GCM,data:rWFIxCen7QsSVk4aRU19RejHyN4dympO6h+qEOUmS93eKIi8hMidiHBembLKn+R20CcrX1eKGUVfcazThRQ9RbLEV+amKV2Z3rrQWmTrKu4glCZf7Pnjex9rzSLWYo73inG7n50/bXa/6jP+HPeoBcsdzNpomIogm2ZDF4qDVcY=,iv:ZsxzVWp2B7F0dYAoUGbRi2PsJT1dV9JzrmmldwS66/g=,tag:x/jjfHX6ZyczRfpzqoNAWA==,type:str]
+    lastmodified: "2026-03-03T08:49:03Z"
+    mac: ENC[AES256_GCM,data:7aFHwY5WkKfBi7jN5Z7LsoT0kP0Qdp7npweUpGKx7QbPyXuY3fNn7WDJll1Ol9HHcG3dkdL2GuqUv1ktde8z+etpZ8dE57zUGRH+loIS9vZiJh53kmK7fCnoA4IGm8u6Mlb22XL2mrGSb+vnZRworIECwi2tvonfkw/tA2r0YVI=,iv:okDtTUAiblT++MV9Yzj2P7hWVCfFDDvJ46wN3cIoUQ4=,tag:aAGVBMO9pNHqUqmQfP0UHg==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.12.1
diff --git a/hosts/fw/secrets.yaml b/hosts/fw/secrets.yaml
index ce8c8dc..c530c65 100644
--- a/hosts/fw/secrets.yaml
+++ b/hosts/fw/secrets.yaml
@@ -1,70 +1,71 @@
-ai-mailer-imap-password: ENC[AES256_GCM,data:gmI3NcKl9DBMEIgDVXsS3pdVEQ==,iv:dxfL063CYaKT5hMBpkchn+JUiGJSojCI2CgTBgfcYUg=,tag:KoQTNAmHgC72+JaarxtHog==,type:str]
-ai-mailer-openrouter-key: ENC[AES256_GCM,data:yQPkspgL+qXP5UTaKSAMA3Y0M9tl9E5Qg66oLLYHy8FlM7h3t7kRzRprekZlWCEfFdb8zkAhmDTZX+7/myRfuIFNwE3f06JQBg==,iv:aDh08joveqaotIzzKv08kPXcM0hteIEwxL6wUPFYHWU=,tag:A+YXd8HtV0lCLqHEvSj9yQ==,type:str]
-borg-passphrase: ENC[AES256_GCM,data:UiV07u/NUf521QYWfilEdwoQDBzlRYiNik+8CbZojaIVHtleDz1dBiT1R2GZ9o7KGu6s4dCDNiPZ00zmxQ9qqUKWASU=,iv:47MJUDzSpMj6hyPXrXX+3E1mJUdnIKBH+2itREyX//U=,tag:/6eWHpGOheChYeDqzz5UmA==,type:str]
-borg-ssh-key: ENC[AES256_GCM,data:o7ZjyxoxZpjYpNbHAfnf6SLkVjV4yUHRmYJ49HuzOblZDO05f0aPcXKhQ5Pg0zvMb+9PWAjDXhtZREFKKhC9fJzAtEDeAJlaFoe2f/sBjL0bh4w5S2Lhp1Nuebv92lz2bohkrwpY11w8sPNDzjJFQ4uVDQiOwOlW7u+IJmg3fsGUGp7P/OeJssR/O44VKdFBtObbyMUI15RM9zaeC3DDarV1qpqlkLRPXknrRaccoZDAY0pmQnzxCmtwE/GyUiDLCieirIUa2dc80ou49rsbEs+ZtNsu35DFOkpqQ2iF7lqtfsU358FJCiIfhNwkzmVl7pcQ0RCP97NgK+YuCY0YHvqbgVX72x8DLXmBhOI+PKAC1fNDJc7tIn/B1OUX+/W3KQzvtV1slY/XqKm5iy7tRHg+ZL+IjRmSNIX3/QXpD+CVc9pY/rb3hEHuvXZs3peLrEWGzvtu1X2uYK6Mwu4tnfp+yDQz73auUL5Qp0xilq85B4ZykHGMIalyVrSaoEe6Yc1RM1Mz7Lx7Dds95y84uELiVMzxZL95HtFguAPxVFSNxcz8obY5HgEaSohQSSYn3Sknq1Y24044aPm7nkfiQiptvw0tE3ZzFsHaT2eXNZ2AmnqUriJ2ymJQENOGNmbUrU8jlM5W4TfHNzgsMyDuU0hJYsU+JOWdV8qF3d5seoeXPMS9GevhRxCP9NowI5Y4QnpEi7OpGi87HRbA02ZL6J3k0LrP7dqM6+w72vbE3g3KKRG3RmrvfGYBegnsW4nq7B0rY9DzQ9bCTQOhLPJCb3EKe5N/L37/7iAqdzv8LZJCRPFPqkJFP5CeC4GtbWnPm2rI+7GXQEdY3R/Vor3aneitquwQ9ANzn9xENAmDcRF3u9Rd64+NYlp1aBfw/oyKxHRuYVxfLg2z9FmUDpfDkheVPxUXVvdgcV3m/4asR5UlNNhEtZF5KXzZr9lg6xpoMZsCXhLSA7zO/cd1qcHGhgSdbVkchNoKebTxYWbyYGfBDkIxt67dW7J5XnsLtDq5CLhNqshEcMvI+seFYoFrmsa4OEMo4LmDxD/2de0qgUg2fOrB6MUh9bmqoiwTAIhypxvox0ckC/u4NrKyY0sKIrIAIoI4/LcUF8Pbsyl/ojmuCT4jw3B+3yZQA9ykHGAJUTdiK8F7x8z43+DRO5raJ4oTgsV2N83esg0Qo5ZAl50oOjYlEQz/iw2OhLoqNKpEUCE1rw2F1tbiieENF7oqJQPyuXmPEP/DMPSuv9Te8E5/La7HBaas6z/gxugVqYCePrDb8QOVlRKLUiyJfPLlD6a42M+nwfooA/iY2I90Cy20I5ijgQoP0VvLL63bWe2rYxYkzZ1VItTVy2Pk65hIqN+1/W5ruGuivqdz/sQCF98MQgUd3I1FDmoFuM7E41+46ikFPm/RPNgqG7Bei5Mc+JpgZtEkDKyt8pAnlBRfwfltan9EVn53++n4ELhuz7dMLTSiU3IuPVp6tYNiE5eNh4ZVev4R2dXvHwvRPJclvqF35SHsbhLl3zAzaW2Rf6HrUEcgwEIxeNyefd+Zxi1GyOZ6FgRdtUI7Lu7jTpGaq8Rco527Iyvk6LqsZStwH1BYH5sqCE6NmsHF8dXm3KRfdE2TB0JAYcNl5G1TOhsEi2gIDTcGHtrJoPiOmOSmb1+Qw2ke9v+Zb5YSvO+ALGu98/kzkY4AVUA3cGNvc8+f10wfhOsbz5I2YlGr0UlVphliqh8jy1X8DLUoH7oYfxfAvdVD51+lvACaSjxgdtfVSBfXIp987TMit3i+s2O+svCHMVOVIIZP+kcDXCCmborWzP4e3gOKq4HcLPPAkpzmjqGCGtqC9aifv4zCk6QIGBfS84Ucv6fRSFWElvjkiQC7obxmkBjSORnr8e9oK6RxqHgF/6XWoatErTJweU87ypNHZdvPTUcWXu72F7iQWX7SA1Ug+o3GendV8b50TEYVUBb44WokQfJ8iqiAfZfRCwY6PGcGoxvW44LjCxYGxJZqjeCAb6umkVTlQXt8JSyFbc2er010ML0yj2Qo+L0Yzqj/btLxQTnJxaiBSyf3VQ62bWvZNB3TQlVdy5atrW6kQ00zHw6uyPUy3ViMslvQafrFdo/iEPndrQTDjgFMwKfAjfUu6gVGi0y/4I1Vzcf2R6Y5McHUQadHGPfiN5U5qka0coj1+Ke2efxiJ7gU3+HKIepitBwrbl+xh72Q20JTQSW3o3CG346o2K+IU9ZTBc17MhrziiLozdLtYwhqRotROIGlaZtez6KQGSknBXiS3PSr+lPs3A8PtN/hEClefwanXIxtD3Xtu2hcuA0UUE2DGX+sBPijGTgHBzwD7udET3q5Q8vO/5fhzWrHjxPvTLQsy7X4Yg+f3gBYgr8f8f/Cl5bJ+xQuFecDMULJlLp2/kvSQB8Xt0aOWFGRnIUIByg5cLU2dqRqXP6k+6Ij4QvTjj8MSXjGAqBcHgdDl3czNmEofVh5EsWSRnSl/K0wHDQtE0p+JlGrvG8PtuMSEr9Ty5T7YUKaqDUQWUaHlvPgusiB9lArm2mwJb2p0CQgtL3mJWne9As8PG+2rRmullq9+4c6uERGe1FFcFLUuogltJBBwwPzCSjk7As5tbAW84LwWM50VM7MO47ptDBDHNOQXYJeDrwQsse9jHCktFWSi28srpizBwLvqWUDbejswZ0QI/P+m8CY0rtTe3sucBHoBqu5fz/FlGjphuPDyFwQqOUcMMoNfRV/FIjLmDgBfQHUVTMliviy4QHN+5PSE3h3qIjFT+s6PAKTz+sveIn/7/8qoM/G3qUxD3auApdJMHIuRJzueRVu+Zw9kho6J4nOqM7Mc7kDIhOhgLWhfbCze7WNlT6G/jVBOlBkBGj2uzQ1wkBbiXRh8n8GUOBSeCJO7T7TnrBvPG62kIjTnyoU7mvSl+GBHsvm6h86GJ6iF3gshvOxnaxUcI/mEV7lU5h+A95L+9tlSqiN6KfojoU3u/2Zwq0vO1P/9rqRoM1vTplG6gminhUmrbrU8M08zTZ14eiBuPSn6e+X1qpPiBTmL74AEcrtcM38GYMgLUTDseEkLN0+dLpGnLPB69CDZxP9kuPw146fGLxZotxfjrbxIjT3srwtKKbjVTJh7tNHJNmPsZtFLbiRBRqCQVL9a7qB7DzRxHH/UI4r8/WlI6vK8BLFRJ6NVAPGJi1jvFqz5VXDjqAZyvpsrRYSjyuVAPIvbZF5g8e6gW7/eDk6Txd+fkQSWl2fs7wtMbUaGs7GiUv2NvCD0vq1fDZrIZTmT4S/gcXMEIFvyoeNbUyffPWLI50ZAskG9wKBEOah9W7ZDswPqX9rpoDZHru+tZ5Cmz21H7c11qlQ+cP00Hkda0joUkVm+x5tY7HjKL+e3MqqSyMw3Ial8IijFcShQNnqANHejQrR0q8SsngLhM2ND4aYnetWTe9oYQ+QcYCpKK3z6yTBE/eVfRz0msxvsA==,iv:MuMSY6Z8qodQMj/UnVGTNJoErAzxdby4qrZq/qZpOAs=,tag:pXE3gHX4OUNc/ko6kpEuHg==,type:str]
-ddclient: ENC[AES256_GCM,data:0OUV79zzO10nVzOf+oIDWLmIraLhttYoUtq+CD1dFfA=,iv:KKfRfZsFoRMGcOdXUK4wilPBcpSyBizS0h9lSMxTkMM=,tag:HHVpH6nnFfeOsMZh7JUfgg==,type:str]
-filebot-license: ENC[AES256_GCM,data:IumXe+8M87m1LDZ3zAStIWwwcsmM7HGjdtJJorWRMFTF8pZ5Mq8czxCxgz7yLGNtj3l7e3ibSpiqOKyU3GhPgxekmL7d1agmJuur5bepNZmFRb/lIeTTSFtqv42/HtL3ISf7Lxxaf5pUOL1VivU0cab2rD/fZ81gAR8klxJcYuRtb0rdJv9lY5OwHMjb6JmnDRERzG/kANoEEpaY1By09dO7bwGfmG1XU6sEY7uvfT1xubsm6RsoWRVaQ9gUiE94c2db6iT2BB4vBL+KFprcZjvM0375/W++YulCwaqpfGKQNigOre3+xI+lIBBtBGoZc3D15i3nHrBrdeyfW5G8fRlGriICLYd0OpaPgq67c4ng4SMFE3f1IhS5nkxnp0CMe7uqSsjNJNEuvUrkT2mQkReUQjOrh4FFnpGlrDqcqjO9Vx43gZ0VHLfw38uC5r/FbfWkE4ihSm6DvlbIb2FojziKCrAzSl4IXdMrIhmJSAZflQpa//o6SBsjksTmjtfILqog1eCQI5b0qhJxyCPbxftQG6y7JKhMRR2TcmomMaD9eok/VSSjr6fjH5j+pKI2C/vWHk2bpZY5QdpJfYOOeFySriijqcgZ+X/uDjrxY5uPqnszLO0mTE5Xpp/fZ6kgSi5gPNMfrw4+YCKCaEBS/NSq52qQ4tlfyyYFKYuJZJrXWIs4Bxi3IZkxygWXxaKTLNDo7s7wD4Yf++vPJEm7xDA2VQeXnKq1mh4Sg1gU3SyDuSTn6qKzvzQxcy/pm9n77nMnWAJLboTU2rf1jKAB33MKch++mZZuxdmhu9TvGyKbTJbofop8IU0GnpvuT+/3EDePZMQBtE5NsuHCSw+4zabyayCdyt0y83AWIsxZuGF6RC4K/s6dg4qSf+S3J8o=,iv:aZijddK9oJt9aUglQ+GWpdig8+FxjgIg3pDRZigG5ko=,tag:0gAts6nqWrHUzN0TOZOTxg==,type:str]
-forgejo-mailer-password: ENC[AES256_GCM,data:0o7JavEMXp7ffNUhf+ENv46b8ylMJaKL3fnAOD4pBkYXfmkfEb3x9vlc4DKA3JHO6l1zq5UN5Dk2Al1XtMbvp7R6,iv:BaUnsuzRWGqnD/5LKDmT5WJZVnzP3hH4L0wKx3fH4bM=,tag:77fbtDtsPs72SuXYKe0TtA==,type:str]
-forgejo-runner-token: ENC[AES256_GCM,data:VJ6NO3OIR0PKA46zWTydJLIdsV4GURNAcEeJLIGTr5lh39y0zLppCr7tkKNJw98=,iv:z2r7h9UmIlSX8GezPVPWLrSmurT1eFboLPq/mSUqVLM=,tag:4rO30MkmngFgOh+cVnZzNw==,type:str]
-gitea-mailer-password: ENC[AES256_GCM,data:URT9uXyNOMPaE31lKaBc4n/daeEHY6sqkVBPG6KgnnnEGQu+4i9uTWD+I8cJiJkr5/PDIjndsD+r69uT4MwO5lw8,iv:Ebk0mAwz8eKmFQTt1o0gOpQ+IChvxlVwy/HXMEbK3OQ=,tag:5cz3czW2fJE1CQVVoQYsJQ==,type:str]
-gitea-runner: ENC[AES256_GCM,data:zLHArZqTFLsuOCN0MAnqwGbJrNe8LHoWtuqh1ANZr0hnX9/3oBo2ZHjoyIM+99RigeEU82RJ7AVuBRIk7bj6ZrRfvW7RZcfiCxpjs2HEPeqvJXS5HWJSLzBHNiy3K7dVRjxCOZDP0C833/rQGJRv9S32PL8bhSy8X51JTIpDK51i6SQThdMOrjykPrckBprtUO7G29EQYwkKxpU5MAJN1J2vDnOQJ10UTxjSF5I+oqxpC0AaW71kilCtpnJLagSUWO66jGk+V1CBTTj8S+CIWZs=,iv:IrPT/75l6X4A5sz48OkFJXAzg9vt64jUNmyt0HBPmfM=,tag:IAJeBncsZeYijgSA9/OP9g==,type:str]
-gitea-runner-token: ENC[AES256_GCM,data:igrzNy6/NHK118oE7OAne8ujLNbxAiohJJLOBlLr8xjWeDjapK2z3IW7C6oQegg=,iv:eOZkEVdMJKgmMAsEYj8wkHPX+BCEkoXwA2K+GyDpzu4=,tag:khwZaLHuiGxa+9vhdWhvng==,type:str]
-home-assistant-ldap: ENC[AES256_GCM,data:qEuLQ2RbFp75refP+jddg1u3a3NWDjv0GnJbRonlhcBHdyije+FQAdvKPllYd6sfhZwXO6HUBoVI257FL//i5w==,iv:SlS8SLyvlVtG1ZgK3/2nqd9paHOWOIgp9ThPL/EQDYs=,tag:cjRoGzFEpCxi2Ie2FilNaA==,type:str]
-home-assistant-secrets.yaml: ENC[AES256_GCM,data:bk7aQcDO7CrIIOqP7dZwFZXwGtJeHgpfmdQw1kgRtfTNrhVllODYXcYP5OWjSqHyLwF0j/Ze17yVLiNNdu1KG7dsuAVGbzpEptyWs90GsBIaIytnMrymCLwwpnXXjb3z5aCji6m7cxoQbhtPiV9UGTTgh3smcz0ToKBc7g0rfQKwVxC1mH4TF18bhVmGpexlF84thObZbZWaoA4AYZjBjmzUV/Mi+PpnxVmeszY7Tp5c72Jka7iHC2H24ymod43hjlZh1JOBJB/NarwCbgdlVhYekWK64bZo0VO7Oia7HDo0zVF5EjY6MuT0DhwxQr1bIsTTjpfQ9z8tEWuY25RdzJgY,iv:QLsK9aS3xGkMC+JlksXJJxVn7Qp9YvA9qzzTb+laBmk=,tag:ZjHuiahG8sYydybxYm6kaw==,type:str]
-moltbot-gateway-token: ENC[AES256_GCM,data:GYAeIb/acWXwtQagdqqfkedrUYj8qoJerhzmJ299V4A+uFScurUHQ2X8/cyAUlmgDH902Quqwy/vG/h1lbICvg==,iv:gNl1fcNYrbYHcblVgzQSO5G105b66gdkoZydWDrxSnU=,tag:soiGbASWDNPMvuTxzHUkRw==,type:str]
-piped-db-password: ENC[AES256_GCM,data:4cp6fAdYannTC0QbW/VgR581efySOG4jJwoHXYntEBKbUDtF+pUKJlS4PzE=,iv:pRZS2YX9OLm9X6waS2Uju3hV50kttHrE4TC060mM/Ao=,tag:HD7cz0xkSqZujO+o/Z6vUg==,type:str]
-pushover-api-token: ENC[AES256_GCM,data:9IiORqyjkDVNHsjaZgzqPslrn8wIN7ZmAlONQygn,iv:AC0SoKtCSqQm8l5QPKK5XvS7KFjirOGBQ0VZoBetGeM=,tag:eq5DaEK4KucGsH4eYNMLIg==,type:str]
-pushover-user-key: ENC[AES256_GCM,data:YjJlFe+OLbWF9D4DVJRcUh8oZ+opJ6k1GUkPFtVu,iv:1haK4nQEKEQyvLEn4cFZjpFGrUJJVL2doHaiUX4jd3Y=,tag:AdHu6K7I/5/AGkhpLdqRVw==,type:str]
-wrwks_vpn_key: ENC[AES256_GCM,data:7KoQMt/NTpnai8bcbbtIeOPJE2dyuN3leUczDa03V/6cT4D39Ji/JRCqjtqGNqZV/LOhUBN623vuT/txUZJYaw==,iv:kRMYH2kglQgSQbVNmHgs2c/1hcdeAqpUkRPPQK322C8=,tag:3FfhHNseVKDO8QHeGX4ZFw==,type:str]
-wg_cloonar_key: ENC[AES256_GCM,data:GbSON+OSbxarTvYN1xQAZmwfDh+JW7yzQanhs7sITfxkNOTxjykPx/rCKFI=,iv:NRSPNwfZdlA7vBsL18iPpDo3bBM+N+5qZI1LQ4g2GN4=,tag:Lb/DS7ATa7vE4gRsKImbSw==,type:str]
-wg_epicenter_works_key: ENC[AES256_GCM,data:YT23qoZzpqUfZbi8OzlT3QFYXF4lytisiY1LeQFHGcSIv6AEh2jmLIV2G/U=,iv:61yDAUxmWKN7Jf90IUV//TGqSZlCsduSKxuSjdrvHc8=,tag:Y4QvNTamIacZZLkxJa/xmg==,type:str]
-wg_epicenter_works_psk: ENC[AES256_GCM,data:8Mz8Rd3Uifbbqmuv7az2JYBmFQDPjG9X/zEjwbLQs8ut4BHGq3U+0Cjm3cA=,iv:qpX8fYckAYY7/fbpgDEnbjpvaPF1/dbsSvqj9SudJbc=,tag:lzaL+IXZeQOgReBt7248eg==,type:str]
-wg_ghetto_at_key: ENC[AES256_GCM,data:6gRuY/h5dxyDWhafL82+zQh/yNnTeZ4LVjNM4B+KuNBi7weJIvbu7a27vS8=,iv:JiwzNLlyk8X1c/rFBVQ7vG5BcGeVajUCf7RKeWRlnhY=,tag:lrwz0zT97/Haz4i+N9Lvaw==,type:str]
-matrix-shared-secret: ENC[AES256_GCM,data:fHN6VaTx8dfMgmI6m/zbthqxMlPYQtFA0KxvhiVOkc+hpL0Ebf4rFMvfmYPFrAucgQWzXYL2hq66pkxh1Q==,iv:2Hp6eJxU8tQeTCFD6z+4e44fv0BkoIRaN1XV3TKI7BM=,tag:YhMYPduqh6SKE4W9HSwamA==,type:str]
-phpldapadmin: ENC[AES256_GCM,data:moIviVTgfDdc687czj6Ck5pFjvtyXAZzP34ZPmPmzsUM4ZxnA2fTLyV3j1V4tcmSLt8t+PZ42qO8nW0dQjEU/kAtC7r9uM8nOl4b2ADNXlpyP+3EfS11qVAgltHvlap6B2D3aKywZjhKxq4ydAZSMHgCxo5DpONJgW4RALyJQxQgSC7VxkdcOzNjXdCe9LYANzht5X+iVghv+wOzDTQAaNGCRK8LuoANnOix3uUhhF0ow5OtdCS+W7q4/W20Wl93+/YMvPmrGRSwHrlUKuU2XRv1zOtL/7qpyP4LB77X4+mYYmviyKKCadOsNmJMcOe4gFmB3v2LveHEKf0xZLwrBuCu2JiUX8K+,iv:ypEMOrI8RoJS+gpIkrSwNULOBlsHYPJtKN66JAukKVY=,tag:hvCRgZPqR7enbDNtpHWzug==,type:str]
-firefox-sync: ENC[AES256_GCM,data:XQT8QQKE+o1ZjjujDGWGJYMddXPKajmlB/WDdhx/44pCS/Fl53ea9hUdCpoACQA7Q4CUd19/LbuDMtfLH0ikh7rxGBCmqYtBVj5/m9fA+KwuvLigMp6M89JDUspYiAAuQvc1klstTfWrmcHF+TQhkEDMkCUiL9I6lwKiauzLj6QA8naKGUu2f4fdwQSfqYg=,iv:9rC9e5S61ELxWGR45N/FZDfb8SI8LuVRMrabHm049Cs=,tag:4UGYHcjde7GEhTrof5/m6Q==,type:str]
-knot-tsig-key: ENC[AES256_GCM,data:Xotza7niLfN9Aa5ZnKcPTnPlw0adiRpyE6cptufwGgVhzhS36VG1gLXHjrY=,iv:kYToZQDJpdSWuHQNp/HgHq/Th3mDc8v7ZNZOUmNUDvc=,tag:/oophT7X00kPSDmy6ZuOxg==,type:str]
-mopidy-spotify: ENC[AES256_GCM,data:jtkEFmSegG6Rh7uUmnvUP4EdEX00WNTd5xFf0mqiDm/CndTimHFrz0mgRuX1DwbYUWfczdWst9n3Bw0PektUPvBbJ9lAXTrv+jegAa4RuZ9C+FcJaEOVTO+E1IZUQiFFpXQ4+f2rywA5ZqExBPjW4WUmtOSUYt34,iv:VfeCWF0VDrkFhp5Ion2D+/aU92A1cuiXPPdPA5UsgVs=,tag:+dghF/WvyBYyjcWSe20Iqg==,type:str]
-lms-spotify: ENC[AES256_GCM,data:rF1kzfqFxnCFcN8qLdVM78oJbobtcDJJnuZnqCRYyLJXfvw8B6XdBnmcA55twrgynlNX6LBujZI2bp3/fLvSRn5sjoWKLESisaHP9J1okVluSS8DJiiViOfGYcPHWPvCVW5x8ss3qNDdonsmjPlljGaV1zYDfc0FaYhKo20z5Wx4zbK+TdNVr+cWOY8VMFUo1nt/U3xMMW9mRD8dk7WC2d6LqqXq+hbGO8BhgxH6//2f0h6l4V1D318vQsh/9pDntXDw9WS8rw==,iv:6jP04x0HWVn9YU7N2AEdkenan1rJ9sLUa1Pzg+GNr6g=,tag:5rtqz7bDZV6KfRLc3YDG7w==,type:str]
+ai-mailer-imap-password: ENC[AES256_GCM,data:yXeP9Z8EDc3u3vKRiypp80OIcg==,iv:nxqBbvlpeuvA+8c+6cpWvbKSBeTHvzU5MPs5/2jUrtQ=,tag:vFmt2OhB4uA1a87LshE+gA==,type:str]
+ai-mailer-openrouter-key: ENC[AES256_GCM,data:njJT/wI+oGMFnSc0pm9YORHyLWVIyTEn2DUUbuWX/uWwWMWr9Frbo1FK+StPjjWT5zgZVvFDs/IwYzDof6Vy68VAlqnCUUe/Kw==,iv:+/0wG9pg4yhTx8Qax/K6Db5j4wYZc/GDuR1tsaxQq98=,tag:z4MnDDq4rD3P25++2+nMwA==,type:str]
+borg-passphrase: ENC[AES256_GCM,data:MYUQDHjp+DE6/xK6dhTxYgPPiR7F8184ZCSXqsOAYmLmoEDjwKI9THePfp0fByrHhkHbxdJ+3rA1eJKt1b6UvdYORV4=,iv:shm9UFQjCOLRJZWPTbuU4VCeTYouii1iFuSJPXDxjZg=,tag:NWlaGB/Ir5GH9dyH1d4HwQ==,type:str]
+borg-ssh-key: ENC[AES256_GCM,data:bcfekKBMr+OGH+C0v3Degvyo2ybAHNgT0ecXnvAUqvhrO8F/IMhjn2lOXHEi9IRrnzjhd7l0GGXMieH6wOZc0oIs1Os9THzOm7mfeHvSVLNOVHqC00N/nD00z2kbJGr0JLG4a7v6BwlFVeiFRyeeFeFwkJw5czUpUAJ/bbaHNmKbWe+TuTIDL2x+4fVQJjczfE9VIHwpWR5rrYAFQkQq7njH7c7FcXTBFxLYgCWGn3v7452N5WkLwMjo9P16kJif40u/OV4wOHTmozVgtcBFZePksT8eEXgJsTVVQuiFxuz+A4ouMItIBwe3GYXHsvnE7N8jbx4VVitv8cccQ0xs4jpKVKfjFgUDuLG6Usd+vbftu6YKQkerGyD1pT3OQOmgjEAA/6Zr8E50P9XHBsGqHT/BHOSwXxjgEcXjYAonkrst6CC0WUGAgKcJKayqMvDrlapnTXEi+9AGs/w4q/yS4P/HRiBAABAqae71/U/4W4+P8Lx1CxMmrd1pph5x4KTquv2uttPDbEuSd7p/u+qieUV4qeCVrQvcMKQeyI2Fo23ftVw87ZXv1HNCi7pZddmAhvSNMpX7OnxeVzu5+Y2bYDhYEd6Yhd9b5f6SHUVrs8pJlwZCxAE52XGnH1uL3VjBidBmBoG77ljTWBaSN+HVP2+V4xQco8KU9zIyS/HD6OOpmWvsUBrn6+HRV6kn9yiWOuNOj5iSWes7Js6Jano7JoQpDDzK9ngHIjZCeKYoiKvLNtuwfoRZ0tVJMv+Q0XpXx6zxaj+CJjoOUMZDS/nlzLpT+0qShB4F1nTBXs4rccj2uIUVF9MaGvjgaDGB2ROAE1Q0yFY3Fx/JGFGSr9aqNE5tw/F2YvhryFr3Zyq5/xkLy503wBC9zerabtXEpq6GJWEwaHjRuBXeJyRJsduxoBRLm/0+4qHiGxgre7XaoGBfDYk1LnN3BpEn08EJpTl44QhSr7o5fgKnEB4qL0zjH9eddOI3EATkxwMiXU04uyTD1+7+rwuryQZqD/9b4Bre9BZrR52vVt6U59HNMaoZR2zFAHRXKnrTqp3gR96yF9HdW/5lPiqm8s3Ko4MXO8897dEmWhYv2tREU+iBQ6Oh+4daC339gc8/BHkzUJtXqx8gGtmul03AWZnSQSIQ70fBAZlBnFdSsnGBLr5nlwmfQbBrs9CVQ4pc4LCNkvFGZ6IznZCVi17+GI5hdr2UHN4Ac5ibOe/S6Ti6+vG+3Uvr78XXgdZ3bwtsk5mfsW3EVWTVTHEkIwoZEqF7jhnhOvdKi5dsb015CcsrmhFO/nySGDg8WeKrCbuHYog6U2zkF4BM+k5eLeZS7UMMAQiGOpSDTVF5svordPCFSJRkv7byGMhBppCj1wlmXs5gBPFNxt1zhGexxncxU/HboCUp1+aSV41s9QuJAAsu+tUG01jtR0pS6i46aI63cG1ytnF1YLm4dSwqUmbK4qUtaJh875+ht4HlVCNqNFmoW7I9C0atxkP0jAFji1ue5neOw7fABej94zZA9SPGESTtwUIF+Vqyqizl1fdZh3794xvJ6hk4NblskgFIoc8boLbZ2nHxTf/phcda4Muwhcw8cTQmiipQkefw2MqbBRLgHw0RZgLYwPxMU6g0N9GEL2h3m/p86ordbaV0Srp6/CKIQYRnHHpc+YS7Wy4kOekg0aSKLFKseCFw859em2kW3A2iEno4OfyxxDo7e5lQfbTxClZWudA7mBFdIaRWDTuXzvyBKshySgZ/9K4CqdBSiX40w1hEhvzN3GFKa7PvCSBzGa6CLeekyG1ccQrSjuL89U3D2LwSRt12JZUSF+okjC9MBzy2TPPsxh1VV0mCax/UTttI+YayqSiiDaJmX6j9NXggzE/NZTTQLs3VB9/UwETf9n+VuKClseks+UJ9ekXyao+otkA51oII53GFkFghD3yDuFhWcko1+qqNr5yOWklTKO0LbuYIrIWqva9Or4KCmMHpP/WbCbBYhn1peCd9tUwcHtEHHABQyn0IW1Xg1YAXEDp3p9F0GFoHTlFex29C1bbPZm8ZEevo60jmhEL+CG6TkELEYAYugi6bUpwy6/VII0rGA7lJkEe20ogCGbS9ZUHOc1SWhwmuKpi/VNJj80pnXjN+7ashUBn50G+xNFOFHU7lBsVEYSw39Pg7OCz2N8IRj/nDVLC3QQLaxuebLciHQlv9kdCrES3FOw8N0v88F5FncszgQpbVH+cEgTictYUOASc4ZZxMLbNhgjXlBEvq+QGMI21e8rr4IRofz9eAuLotnzmxrMBNy666DxGkljMMNVHWnsMbjFHAV+tNAI1HzhFC05bROYyUfYizfnit0a2szuYllpd//EGh61ZZbM/FAfR1Pqf1yu7delefcBGFBaIK+r+lm6pTnvKhwUW/3wCB6AbcwOu0y/XZUjqFStmelNiKNdrsRaNrRtN06ewCx0nD+nj2kvFlzWLU2F6cHpmVaPv2QPM83GOcoGKnVW0CjTr7ZjFceQldfOyNSRXnJUQzEQ+SRQzihHguLsnTe08+t40lsbrGUve7ENMQNdO36rRxu5ot0yX05fiKWGx6xHaQsvXtjnxTfxIxbfNuhGOeDkSn1JGB/b0pi1HAbPUFq3brVvnV/Gemay98pQMlPybsVf4MrMVce6FnMFg/rx5vQ1DMWDBOOl4ni++iuORUEltmXb9T3kMxlSMefloSk2eUg3IjqmxG1AR7gdP9L7EXv1+avW+D0XAP00EoBLULg2SvNyUPH1lyRmjDXwyIXkKVViu3mOknxQUVgIFOHi+tcDTNvXytWcSFFsMsdDapgVlom7PVQRPwwFe+aGAmXE2HRGo7982WylmzzqtVJadUvqZK52FGZIbCFcPIHMa8KGylcw3rHDAXZKU6QqNz1KCC7oTV6hiS93QXd4aeCxBfAbNxNI8BHHwi+T8DyRor8ayaoRT9rmsE6Rh557TcolhCucPbl07TUcufT5KRLZP/XWx74zM77C5FuWu7wyEMaAeSDiSNRdzj+zNs8KeQsXWSEq9wGDOv5ikk1vr7b50Pmeg+3foEPZpi1sKkbEeIf2WoKzOWsDuOg35YXk/miePsEtEtVjcgc8+3+ZXzWox8gH+nHEeD6p3pY4QuxNLJ3GUMvpD1J6z82M0PqjyTGwgsnxma98gbYKJ79vlDqBENO/c/pcYAV7hJ69c5m/+I5igb+fCS3bzKuOcn5bUmp+/XufxePiScKfPAK3MAu3b9mbNwcLIhrtGyhJYj1F/cWGDXSoK4NSfy5OqCOjWW0yJbZexJFlQhPJxkKJfciq/kN3LNN7nkGxedDAwwL5A8hTMzb7A7XXlWuadvj71a7BTX6U5aSdPJh+jgwttieRAr4QpkFngOTRdNTzxa+FsH1xpNUmCTz3EhB74s6JumbP+9OdBdOE0uuSWhFamGyAm4M8hLDFLx3CqJsWeF4yu9iEQhtyS43B0S5SdfoA==,iv:LUwijmyKEEFYahQF5NoMuMTyd/TlVp95gjeziYDiYLM=,tag:eA6zmHDJirC1y1SwqaNuxQ==,type:str]
+coturn-static-secret: ENC[AES256_GCM,data:qz/yAU/mbIVpcaQF65aQiB6//b1tKkMd+QOfStovQhk3irWk06mdq6DSE7ldTIiWqO6VJZdSiXWUwC7MzQLz8Q==,iv:ooXtagWVAFK0x4J7OMar+z6MNRLO+WRgi797WQMnicQ=,tag:RKwGI0TZGmUUL15UhoWzYg==,type:str]
+ddclient: ENC[AES256_GCM,data:ax2sCugTU5jsWKklYgkvy9SAvDSYg9H644juJuTlS9k=,iv:0uz078nioyoFrKDznaxHwLHWYAg1/iiDw2NznrKo5wM=,tag:nPkCdvLgJrrQKXlqyxzELA==,type:str]
+filebot-license: ENC[AES256_GCM,data:7OYdiunxlRQYUQkumAshiQ1VVLXde5U0WVnsKxeNuStPJHClbZjrtywwh5VRDm2G1Dnm+dgDDL7OqAW1JG8ufD0ipmO1SKH0zmxoizJ+KCWP/8Ym+V2kORz1TCWvZPsaZxAQxNa1ZO0tOalhmjOd9ylcJ83dFWkT1KIXuHKOEArKOG460WD0zPCmKM+kWfSRMIJXIP+qZNG1Lr2u22jRmhV/qBvzTPAFIZMQfCY75unposmaD2nILozXgzILQqUZ8f7orOlRrNQOwkoHuhFgCLOZ/4YvRlPFJygKLjvH7iFn160+j7QOS5sLo1Ro3UAiJI0adiQzPB+FPOtbkjFxPSpykIe6aoX04rWtoM3y2LwBg7nBuon7EPjHMXn05+u2doAerhSxnPb2MYcsA5BkgwLO5nEZo+Gn5YnBFYWuT/Bx7ICje4xOwDM0zOKkcidx4Wbm2yPDMGa9Xd6wGT6JV3qRBXWoSmRzDfYL+Y0z9Pu9WftE4Cgbe0S+IO2+c2hbQKUFrix/Vbak+FGvDDiyj7mbt8f56uBWPmp28yRTP914uWcPWf0WYCcwqSg7jyDo9xEMlJxqjgEIssaHoxwMWJyTqZKrgPZMwKJgRULwYKxveHpcIucOxXsTIPBaBBqrevUs+plXGBtlpHxFCfT1dwiJkkLztxLKZxsabufUz5VEA3FiSr/mUQMa5eofPJjcClrb1IFugcKtwVmDP6NQPIsurV7Nab9BIYk7uS8RE3kXK+xLDBWTqK7BfQIdcTQg20UjzlougZdhGI9ZL67WsNokT/20Cc6s1ZHYG5a1Liny355YR+H51CMozMmDkU9FHvtUDvB0colnocpE1/9+cQ3DdA2eYXX42MGYahA7eRsPjec3KVzwX6vIt8duxwg=,iv:WpsYHgKeZg6EOO5JF4y/4FSoa/6GWEHTSRF494xLsuI=,tag:Oe8VKL3ADkAMm0vqTglyOg==,type:str]
+forgejo-mailer-password: ENC[AES256_GCM,data:r2i3qMJlHDkftGYYiDSkWAlInM0VsqlbDQQXeAP/mxi52eLeS+slxquGig6uVvt72qd4YDZMPN38xpcIqG7C2p87,iv:QzIYOzrAuRRvuEkyZnaH4IXuPGSqKZD55WTv5ml/8u0=,tag:D67hgVPZpkDk31PTM2+S9g==,type:str]
+forgejo-runner-token: ENC[AES256_GCM,data:KWyspWfB1GUMsGtyLXFe5ygqdTtTby0pSzAOOZwAZdfa9zrVq2j1lRwoUplazSE=,iv:EYENBh6AFnDQSeXS+CXH8CztGzKPgIdQYF9gIJbzaDQ=,tag:M4dQxmcAuAVFoe8NuDbrxA==,type:str]
+gitea-mailer-password: ENC[AES256_GCM,data:iMkrvzo5pTdD8SYPHzCXFcMPTuk47XTtSAqAiy8+8Z01lkdZcZ0vKQs+/Isr67u18lDvAnl/O2YVkpIFB1TiWtxI,iv:Z28fAaAClNl9lKulKwpqeVQ6vn3OFSOtIhGoriA5Y7g=,tag:CSp6x2FNzks9nNqzMQUE7w==,type:str]
+gitea-runner: ENC[AES256_GCM,data:7EPcUqFquC9ms1uNzrIKXKhBWX2d6JfCORUOv9doMqEUoh2AtpEQ6O2ZcmoxuqZyYNucxGzN/dmvQDo92EGyB/vcqW2NnRVLsGt2crlufoSmtHW7TALwptSwjITEK/bWrqiI9/oIhy+TSDSyfpqVuaa2KR3fbiWqMF8n6ixv0s21b9/fZ/cnuoF6kWRVX69IVm/ndENI9wgpx8jzMBuGkr340oD2rxIQ3/RTWiFKtH2HHf2njy3PjJhiSif1uA/mzFikBuopu14xGPFu6tGvQho=,iv:uNjOJZgtcnkj1tjuhL6dku5GGbCljc3rtMa5RQ+UsS0=,tag:ER5aq95QCoCBxIaWKP+Vtg==,type:str]
+gitea-runner-token: ENC[AES256_GCM,data:qmw9T9h30k/TY1cuPA+PjwoVrf2L47ljwXaprledR+ysHstEG94QnWp58T+gMBk=,iv:nggVb4gXC35ZtY0RBwZeHYuOU44z8fS5cemYvZqygTE=,tag:KvDL/F8WQhaO4yQkJKEgbQ==,type:str]
+home-assistant-ldap: ENC[AES256_GCM,data:gkYWKzed0yIcHiPkXE685Bo/f0KVvyK1guOcr2DzM8ma22WI1w2kOel2KUjO0RnjCdyacgCX4df3144pfG2pRw==,iv:SGFt+eG3M5cOmiuQxhaOHfRlesd0aEi0p7tm+97HlO4=,tag:B+zbk9pO4X27LfK1/I4jTQ==,type:str]
+home-assistant-secrets.yaml: ENC[AES256_GCM,data:iyTYy+sexe8RJfNTeE2HKnAJkZ98qSy/jNODETXQHhEcqV+HKLmhKIbCTDXXRPU0tyFJvUZ4iWmLRSHy0crJdiJ9MiQUXuD8rll5lbaIjjRcX9C4Y9e+qsHXEd1tIcnk93r6xV6r/XkgEqpMBesa/S5BOoMy8hbr4bywuD4vDR+0KIImONKnQ/jPlIdgHre/qNmsV+NK9B0hu6oRfq+V9N03yKKk7x3h2fgMo3dSCaC5EvI1pRa+1kqAKyQUZnrZgSlV06MPn1uvR6xVEJDQlXp44kZ9fb2YsIo2oj8pu4BikTtOh7sMKnGHFIMzHlUNl1aw4yWz1BSlp96ctAXV16TX,iv:jda1a1XYbZ/j395woQK04eeACnn0jv/HJ5pMBHYYw1U=,tag:dmBVIux0ADdGaHg7WWNwPw==,type:str]
+moltbot-gateway-token: ENC[AES256_GCM,data:Xm7XxZ3uon7Ehm9wuN6WZtSBYrAw3aBwtEFC2ZQcztG5RkkgpBjfraRaIIUEryCNCz8tFRsR50mPtKTwwlqptw==,iv:T2leY58vQtz+5WyqMBEX0D1lLpuVOPWshuW18VOIS4g=,tag:JOtjOUEoacAtCJkg0VD9CQ==,type:str]
+piped-db-password: ENC[AES256_GCM,data:7y+cT6uHyToP6meSba78WuPE6++SPm1JY2OFSlIWS4f87XdGiCvopheLgvk=,iv:WgG7I+HzLXihPxOzcevmDjay/j79FTZjoGYZEEoIVZI=,tag:paKcWlu8W7dhNbsX0A6e+g==,type:str]
+pushover-api-token: ENC[AES256_GCM,data:0isXPtR/hHBSh7FCbaJN8hkcT02U9h1yvL+fPu6w,iv:5pluAxqyMcAO9mkd+/w9dWM+NWwdazhKOVXjR0lADgc=,tag:jOxllkR22aGtIJp6mOuSrA==,type:str]
+pushover-user-key: ENC[AES256_GCM,data:epxLO93mFXsHTeaFQSmjjZx5n2m4K13DmLNBnTY1,iv:DGhtSwrYU97iu4Q4z/cs8HuBFQl4H+mE5h9baorcPQI=,tag:JSwjy4MIdXUXaiFS7YvgiA==,type:str]
+wrwks_vpn_key: ENC[AES256_GCM,data:m3gxj5mAxTzz1Muy1PB8lwantBz4COZRvwnforZqI4+T2KwSFGB0T+t0OH8RkJYMxsig5AZOiKh8N4NvXZIEiQ==,iv:OSL1bI8SMgOEkLmb4rV1iXDED5Ze7ZZPpgmI9+l4xmg=,tag:5n7f9R0qdfk3YqvK+HkpYA==,type:str]
+wg_cloonar_key: ENC[AES256_GCM,data:hJ9K0nkH4r7E9CjhAFQ8t1kqN4T4a7fKphXrVoHppBhwhbW4Y4sKc7Tqw4s=,iv:gLGP7JKLmcLjVjtOP3TXKalf8lKV+vI6ckvdXdo7a0o=,tag:XA1NJV26xf0p/c2BgBgd9Q==,type:str]
+wg_epicenter_works_key: ENC[AES256_GCM,data:z46JOWF+hPl6KqIqZcesSTmUwZiF28vBxFxQ6mScR93ezPScNgVNOHL2IS4=,iv:QlIReHFxoH9V/ag6oPdVAMbjvoJEhC6SKLGU8bHBc08=,tag:hU3Uu75fBcX0GN6Ya7xe7g==,type:str]
+wg_epicenter_works_psk: ENC[AES256_GCM,data:l7O47wWDFD6dtfcE46Fa/qURLwgHeX5KUTMJDbqfqBwyJlmIp0F9x5p1oA8=,iv:kBvRSWq42sRTtXdxQ9V1NdphLpPTZXSDKRtiLdiTwP0=,tag:QBWKiCbXIGzwYoMTP3Odag==,type:str]
+wg_ghetto_at_key: ENC[AES256_GCM,data:WoC26cprF7OjszHWrPvuA2NIKLeNt+82EUWeRFIHVF73JSPYi/Zm1XIkmYk=,iv:65JXvrZYScE+wWz1MJw9FL579nEl+iyLJquVL5uD0hI=,tag:KviWIasayjy1KufO+3a+Jw==,type:str]
+matrix-shared-secret: ENC[AES256_GCM,data:RjPwmMc6/FPCzYvGUofHlTSlqgaiZqUQVGs4NWejYMsDy3YrhZ/i01ccvaW5UO6B74G2yXlAtUzJsSnxpQ==,iv:SmucxFuU39EH6PbYPDm185bmNarL6V0GsWXDOMiOzss=,tag:evDrxic4o69GYFBQa4grIw==,type:str]
+phpldapadmin: ENC[AES256_GCM,data:xOzNaprhV8DWPUUuRtoMiG695R1ZI4CbWepi6le2OKPy1M1c1h8ZSlbX4D4Oo2IZn4mavLKn4FKFJIUmIRcXLdTjxnvuYQWx7/3IS98eRBjSeKBf0JKq4kYHrQaSHx4hy4D/rrMHPIeQsW/t97pk7JHyPvncqtTtPXdcCdY/MoRhgd8zkEyFHQWCzLt2UHZ0DvmIuBPiYaDLqCSVKLD3tK33KbsiQ66CC5KvsTjAGtg3YAzuVZLRQKueku/mFBIpSj1uai7VcM2SEhuDLN5CS0IQIx3E2DpBNLICjz7jhV7PE8XkhpAhP6fe2EGLnyD4zzAPT0NiJNdI9AnW6TAmltPjveSLhUcx,iv:4nUVSV1UaYRyxhCuCzyegbgFBsO693+a1RZO0h8xdo8=,tag:zTHqLvScy9TrxsL4Y4hU9A==,type:str]
+firefox-sync: ENC[AES256_GCM,data:Yzm7sy9UYD1sYXp3QWY21Y6i+vL1Rt+wdVP9paExuZIsEqPF4dsrmwjEMJXjTVqONChKIJ4d6uWqwq1loY0uFjGGDxv1soV/fjdcvwIfs0hSCpST9aFehh360TknnhPlKjSJ++mYHTALlaRwxIXQeRayv5ib49TdvGN3jjY9NZs/raZKf1W8wdxSSdMo0+4=,iv:8A2unC2B1cUILiL7u8rzl9Sca5MoK5USu1Fo5CfCvWU=,tag:4Nmi1oHBesLx9BeYsMBS7A==,type:str]
+knot-tsig-key: ENC[AES256_GCM,data:VuHmS3O75japDrqw5JiPVqd2t70mZXtJdYfwDWV/F25bqHzvsH7+ZPXQGQ4=,iv:bmSl0khY00It9Ja50THH/1fWWDWy+Wba9VdddFRpeqo=,tag:Fjz9aP4UzcVT4eMejFaa7g==,type:str]
+mopidy-spotify: ENC[AES256_GCM,data:ite73VZ/e5t3TTqjFNwc9ZMRcMvCXA38UIIjCCHF0i98mhXn5tz2azlG5sfJa9lV8ZAL+rrqBLuik1BieF9+ISFa7xJyQE75NnJAyxBjwP3Ua1PIWLoK42vupRLuIFkQNY12ysvvI9bdpqN/IDhhr3hkdbp65XM7,iv:gLSM9XVLD+Qdab/zm4G2SoAvccoPSrc7WVYXD99Nkpk=,tag:zrv8dMwNENZbMcZyTA2eag==,type:str]
+lms-spotify: ENC[AES256_GCM,data:Ey400XMe1MbeIiKfZUHiDDVfvjz+NW5NLoJbxzgPRT3XwmhC9BlcgGhFe6AXFEP1HQPjo/MxkJma9LiAGsQGOfYvmWgxWWSl++yiSNaljjUXb77u99ZQakNeEKoe/mtCcvbdJWICoPfBtN5DMf0I0Y47O4YD32bkCIEaMvJqpjIsxWQWHkjt016vwGa50gC5em1wnFCdtOWuxwF4HytQxGonwsY75lYwLrBjKa6cyucFkz1XnuG3tret3dgMv7q7EBJZD4pTIw==,iv:m6p/5nmuzTfkAPxCr1NW8bK+DhTxHTqXNQjs3r6T20s=,tag:ihPwj10fLweX/Ffpcljx4A==,type:str]
 sops:
     age:
         - recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4L3JKSFFlWHZTdUNINXJj
-            UjJUTWhiT2VqLzlSMjZzYzlwdjdQaTg4c0RzCnE4ZVFOWWNobjU0WC9ucE05TVhP
-            blZDTW5xR2ZqMzQ5S29FZm1zb2tia3cKLS0tIGVFajVnaGpJNFVmMjEwVEcvbDlu
-            dkdTeHBObDlmVUJRTWhsOWRtSXJJdWMKBTEmvlsjuhIHLeDV8wi6vPC2dnYlrB9b
-            DyXJ2Yux3nJojXUyctdsVoEnLyULEr0faJwhEY6wM8o7q2kulJsZdQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnakM5dGd4TlBVZVpQOVh5
+            WjBFajV1OU1YR1RBeGRoeEFpc1VvaFFUdmxFClpCL0dvaERLcTlKdllIVDJHR25G
+            cGNRc25lUk1lcEdiV1NOb2ZuNGVoNDgKLS0tIHE0bmFQdlVxZGJMdGN6S2oxQ200
+            bnlEcWs2MnRKQlhOcmJWcGZIOW9IckUKkdBuRzZq5hu7Mgz5wIeFt+Y9tX8r6fgT
+            NoEGLHxlv1BYWyqwFHUr9vyrJjeHFbUxLJ9tnex/ub8R8fwRnHDq6g==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1exny8unxynaw03yu8ppahu5z28uermghr8ag34e7kdqnaduq9stsyettzz
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2RGFNL2twNWNpL29PQ0Za
-            T2g3UWNOeEFmL0E5Ykg3SFAvTnZySmlleTB3CkhJT1lncThiVmI4WmpUbm9mTzNM
-            T0xEMlRXQzNzckJUVnpNM2JlaW9UaDAKLS0tICt4YlFCaStnMzRLMGhOM2NHTUZl
-            d2FmMlNuVWZZeFo4ampidy9PbDZGam8KADSGf3e66eJShjahca6ce1re8PJVtBT7
-            qfuIoYUW4y70qJ+8C57y2HamN228NqO3FJ1h0H4pM5G7JGWLk7lGaQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzbmlhTmZVdDZnRTVJY1E2
+            OURCN3VMcTNZZkVnYk82ckY0RFZYeFZISUdnCnljcm5JcFBubnpGdnB4QWRENFI4
+            dFh4SWZYVjVlMEx1TkVURHVoUHRoM00KLS0tIHpXcG1LRGxDeWY0VGg3ZngrMXE4
+            TTN6aFVWZ2JUSjZQNyt4TmczQ3VtT0UKyzo4hyw1zO96kioh9JyiTxRruTg+hDAy
+            N8mH1PMPJGZeOK7o2rpTFRNjR+jYquoT1jkxzI1dpK4WGAtCjlx9Xw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1UzJYeTM1VzEycXkxak14
-            YzNNWm8rSU5FVVZxUE02OHNqVndoYmcrRzBjCjJoY3dFeThHNjdqTGd2TG9hU2Zp
-            b3Q5NkpxWWluYlBIbnIyMU9pWUZTc28KLS0tIG9UN0xBUElhQTgrOUtFWGI5TXhk
-            cFU1QnI5SDBPQkhqWkdmUnh2WEhONE0K0Qii/MSgwBJaF1M6XaXpezk8kfV2GyBI
-            yodlsrl/F4PUBGWOOy5YYp/6CS+5KN4ZkwWg/tSkgxQmU472/LZL4g==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByNzRjdVZHQVBhZU5wTVZQ
+            YXBiSjdqcnFBUTBFVkhPNWx6KzhGblZHd1RZCmZEV1BuTElJUlF4MG8wK1BSM0li
+            aU1DZWpHZTJZY2M1Y3U4K2pUbnd5QUUKLS0tIEtMZHdDZkZBcjdqOFY3WlJSQ2o2
+            ajhxNzZMRjlkbkhTOHZQK3Q1MEVLOGcKbk36Q6Jllru7J+dP7cB5RaPbVyczgWDE
+            xIQ9o90PthVJnwIPTlFl/PDq+YbCEVyVD6xIXlBcEeFr6yQziIjNug==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1wq82xjyj80htz33x7agxddjfumr3wkwh3r24tasagepxw7ka893sau68df
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVmtZb2xzMU1lTkVQQXY1
-            WUxTTTJzZHdyczJ5VEdMNWhYcS9uVTZPeFRVClNNUEhRdExobVJ4ZnpJbE5iTGpK
-            Y08zTnVyU0dQL0dKN0Y0RVMxdGIwZXMKLS0tIG9xVzVsWnFOVng3RjBDb1NDSjZt
-            cHNTMWhiamRISFJRc3piRCt4YmhqMjAKCGJQIwxYHRw1yh27Q4ZBQANEYxuliuDA
-            dzEEA/xHu7AIXHFUlXNpHFpK2RCVKoDGWOrTK1kGOgJ8fghaFypkmA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUMStUcUxJZmcwbnhYRG9S
+            M2UxT3FFYkZkczZDMS96QXVobkxHaXdHSWdJCjJQNU1oczZDeHdrVFg2K0JQNWls
+            WDZ0YXhZaVJnVWY2cmdqdHhOeTVoVjAKLS0tIDQ1djRRNW1CVXdqSmtUM1JFblZL
+            MlZrRjdaZWI2MUlVeUx1NXJKOW9FRXMKCtRT1KpD94A2yk0qNViJWEndKGmIn9xG
+            MEuTggOzLzfT8IEB78bHw9tdaIOvZwAOgnhlccP/OfiQF6JBbCf54g==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-01T11:43:30Z"
-    mac: ENC[AES256_GCM,data:FKnbwWlgjKbXbqUCuLgL3q3eZDTOI6U6WXmo4U433eaFydDtl0ALos/SVxNExUiY7JAB/ZncZKX8qrYTX3/ZhC9iiLnhzi3euc+qelj+SLuGy84FDmLrqzoSDHoFonYMLotl9Bkta7OFRMq2N+wzu4iD72qkgFrGgfBk1bbi1Is=,iv:gQ7EgzM6zMWwrkO+L/rUA6EcDpVprUM6Vqv/AYV5FtM=,tag:6VDDIZLg1L9tUv86GkqgRw==,type:str]
+    lastmodified: "2026-03-03T08:49:07Z"
+    mac: ENC[AES256_GCM,data:qShxHi0PA5pl2+dvuGE329WPeIkdF1MjLSLiWlo9zMcppljWPBNGyTMr/X7BRq3WPVTkLJRulPcJ9hfZqie5Iq2hftFQ6TaQFuPPIWLhWGFLwP0N4EmlyTkvWbc9UnM7NRFcPAguCs+1cjIfaXfoggI1dDqe555/0YhZ73jFDl4=,iv:xjXkmPGMwAoHCRB6LTheMFf/c2euPwTciwjr6uGtvV0=,tag:eBTtPMOec7z41Q9yfmrQuA==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.12.1
diff --git a/hosts/web-arm/sites/cloonar.com.nix b/hosts/web-arm/sites/cloonar.com.nix
index e11af1a..5aac37c 100644
--- a/hosts/web-arm/sites/cloonar.com.nix
+++ b/hosts/web-arm/sites/cloonar.com.nix
@@ -2,6 +2,15 @@
 let
   domain = config.networking.domain;
   dataDir = "/var/www/${domain}";
+  # Matrix well-known for homeserver and auth issuer discovery
+  matrixClientConfig = {
+    "m.homeserver".base_url = "https://matrix.cloonar.com";
+    "org.matrix.msc2965.authentication" = {
+      issuer = "https://matrix.cloonar.com/";
+      account = "https://matrix.cloonar.com/account";
+    };
+  };
+  matrixServerConfig."m.server" = "matrix.cloonar.com:443";
 in {
 
   services.webstack.instances."${domain}" = {
@@ -15,6 +24,18 @@ in {
       index index.html;
     '';
 
+    # Matrix well-known endpoints for server/client discovery
+    locations."= /.well-known/matrix/server".extraConfig = ''
+      default_type application/json;
+      add_header Access-Control-Allow-Origin *;
+      return 200 '${builtins.toJSON matrixServerConfig}';
+    '';
+    locations."= /.well-known/matrix/client".extraConfig = ''
+      default_type application/json;
+      add_header Access-Control-Allow-Origin *;
+      return 200 '${builtins.toJSON matrixClientConfig}';
+    '';
+
     locations."~* \.(jpe?g|png)$".extraConfig = ''
       set $img_format Z;
 
diff --git a/utils/modules/mautrix-mattermost.nix b/utils/modules/mautrix-mattermost.nix
new file mode 100644
index 0000000..ecc19cc
--- /dev/null
+++ b/utils/modules/mautrix-mattermost.nix
@@ -0,0 +1,400 @@
+# Mautrix-Mattermost bridge module (bridgev2 format)
+#
+# Key differences from legacy mautrix bridges (discord, whatsapp, signal):
+# - database is a top-level config key, NOT under appservice
+# - network section required for bridge-specific settings
+# - bridge section has different fields (no username_template, etc.)
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.services.mautrix-mattermost;
+  dataDir = cfg.dataDir;
+  format = pkgs.formats.yaml { };
+
+  registrationFile = "${dataDir}/mattermost-registration.yaml";
+
+  settingsFile = "${dataDir}/config.yaml";
+  settingsFileUnformatted = format.generate "mattermost-config-unsubstituted.yaml" cfg.settings;
+in
+{
+  options = {
+    services.mautrix-mattermost = {
+      enable = lib.mkEnableOption "Mautrix-Mattermost, a Matrix-Mattermost puppeting/relay-bot bridge";
+
+      package = lib.mkOption {
+        type = lib.types.package;
+        default = pkgs.mautrix-mattermost;
+        defaultText = lib.literalExpression "pkgs.mautrix-mattermost";
+        description = "The mautrix-mattermost package to use.";
+      };
+
+      settings = lib.mkOption {
+        type = lib.types.submodule {
+          freeformType = format.type;
+
+          config = {
+            _module.args = { inherit cfg lib; };
+          };
+
+          options = {
+            homeserver = lib.mkOption {
+              type = lib.types.attrs;
+              default = {
+                software = "standard";
+                status_endpoint = null;
+                message_send_checkpoint_endpoint = null;
+                async_media = false;
+                websocket = false;
+                ping_interval_seconds = 0;
+              };
+              description = "Homeserver configuration.";
+            };
+
+            appservice = lib.mkOption {
+              type = lib.types.attrs;
+              default = {
+                address = "http://localhost:29335";
+                hostname = "0.0.0.0";
+                port = 29335;
+                id = "mattermost";
+                bot = {
+                  username = "mattermostbot";
+                  displayname = "Mattermost bridge bot";
+                  avatar = "";
+                };
+                ephemeral_events = true;
+                async_transactions = false;
+                username_template = "mattermost_{{.}}";
+                as_token = "This value is generated when generating the registration";
+                hs_token = "This value is generated when generating the registration";
+              };
+              description = "Appservice configuration.";
+            };
+
+            database = lib.mkOption {
+              type = lib.types.attrs;
+              default = {
+                type = "sqlite3-fk-wal";
+                uri = "file:${dataDir}/mautrix-mattermost.db?_txlock=immediate";
+                max_open_conns = 5;
+                max_idle_conns = 1;
+                max_conn_idle_time = null;
+                max_conn_lifetime = null;
+              };
+              description = "Database configuration (top-level in bridgev2).";
+            };
+
+            bridge = lib.mkOption {
+              type = lib.types.attrs;
+              default = {
+                command_prefix = "!mm";
+                personal_filtering_spaces = true;
+                private_chat_portal_meta = true;
+                relay = {
+                  enabled = false;
+                  admin_only = true;
+                  default_relays = [ ];
+                };
+                permissions = {
+                  "*" = "relay";
+                };
+              };
+              description = "Bridge configuration (bridgev2 format).";
+            };
+
+            encryption = lib.mkOption {
+              type = lib.types.attrs;
+              default = {
+                allow = false;
+                default = false;
+                require = false;
+                appservice = false;
+                msc4190 = false;
+                allow_key_sharing = false;
+                plaintext_mentions = false;
+                delete_keys = {
+                  delete_outbound_on_ack = false;
+                  dont_store_outbound = false;
+                  ratchet_on_decrypt = false;
+                  delete_fully_used_on_decrypt = false;
+                  delete_prev_on_new_session = false;
+                  delete_on_device_delete = false;
+                  periodically_delete_expired = false;
+                  delete_outdated_inbound = false;
+                };
+                verification_levels = {
+                  receive = "unverified";
+                  send = "unverified";
+                  share = "cross-signed-tofu";
+                };
+                rotation = {
+                  enable_custom = false;
+                  milliseconds = 604800000;
+                  messages = 100;
+                  disable_device_change_key_rotation = false;
+                };
+              };
+              description = "End-to-bridge encryption configuration.";
+            };
+
+            network = lib.mkOption {
+              type = lib.types.attrs;
+              default = { };
+              description = "Mattermost-specific network configuration.";
+            };
+
+            logging = lib.mkOption {
+              type = lib.types.attrs;
+              default = {
+                min_level = "info";
+                writers = lib.singleton {
+                  type = "stdout";
+                  format = "pretty-colored";
+                  time_format = " ";
+                };
+              };
+              description = "Logging configuration.";
+            };
+          };
+        };
+        default = { };
+        description = ''
+          {file}`config.yaml` configuration as a Nix attribute set.
+        '';
+      };
+
+      registerToSynapse = lib.mkOption {
+        type = lib.types.bool;
+        default = config.services.matrix-synapse.enable;
+        defaultText = lib.literalExpression "config.services.matrix-synapse.enable";
+        description = ''
+          Whether to add the bridge's app service registration file to
+          `services.matrix-synapse.settings.app_service_config_files`.
+        '';
+      };
+
+      dataDir = lib.mkOption {
+        type = lib.types.path;
+        default = "/var/lib/mautrix-mattermost";
+        description = "Directory to store the bridge's configuration and database files.";
+      };
+
+      environmentFile = lib.mkOption {
+        type = lib.types.nullOr lib.types.path;
+        default = null;
+        description = ''
+          File containing environment variables to substitute when copying the configuration
+          out of Nix store to the `services.mautrix-mattermost.dataDir`.
+        '';
+      };
+
+      serviceUnit = lib.mkOption {
+        type = lib.types.str;
+        readOnly = true;
+        default = "mautrix-mattermost.service";
+        description = "The systemd unit for the bridge service.";
+      };
+
+      registrationServiceUnit = lib.mkOption {
+        type = lib.types.str;
+        readOnly = true;
+        default = "mautrix-mattermost-registration.service";
+        description = "The registration service that generates the registration file.";
+      };
+
+      serviceDependencies = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        default = [
+          cfg.registrationServiceUnit
+        ]
+        ++ (lib.lists.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit)
+        ++ (lib.lists.optional (config.services ? matrix-conduit && config.services.matrix-conduit.enable) "matrix-conduit.service")
+        ++ (lib.lists.optional (config.services ? dendrite && config.services.dendrite.enable) "dendrite.service");
+        description = "List of Systemd services to require and wait for when starting the application service.";
+      };
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        assertion =
+          cfg.settings.homeserver.domain or "" != "" && cfg.settings.homeserver.address or "" != "";
+        message = ''
+          The options with information about the homeserver:
+          `services.mautrix-mattermost.settings.homeserver.domain` and
+          `services.mautrix-mattermost.settings.homeserver.address` have to be set.
+        '';
+      }
+      {
+        assertion = (cfg.settings.bridge.permissions or { }) != { };
+        message = ''
+          The option `services.mautrix-mattermost.settings.bridge.permissions` has to be set.
+        '';
+      }
+    ];
+
+    users.users.mautrix-mattermost = {
+      isSystemUser = true;
+      group = "mautrix-mattermost";
+      extraGroups = [ "mautrix-mattermost-registration" ];
+      home = dataDir;
+      description = "Mautrix-Mattermost bridge user";
+    };
+
+    users.groups.mautrix-mattermost = { };
+    users.groups.mautrix-mattermost-registration = {
+      members = lib.lists.optional config.services.matrix-synapse.enable "matrix-synapse";
+    };
+
+    services.matrix-synapse = lib.mkIf cfg.registerToSynapse {
+      settings.app_service_config_files = [ registrationFile ];
+    };
+
+    systemd.tmpfiles.rules = [
+      "d ${cfg.dataDir} 770 mautrix-mattermost mautrix-mattermost -"
+    ];
+
+    systemd.services = {
+      matrix-synapse = lib.mkIf cfg.registerToSynapse {
+        serviceConfig.SupplementaryGroups = [ "mautrix-mattermost-registration" ];
+        wants = [ "mautrix-mattermost-registration.service" ];
+        after = [ "mautrix-mattermost-registration.service" ];
+      };
+
+      mautrix-mattermost-registration = {
+        description = "Mautrix-Mattermost registration generation service";
+
+        wantedBy = lib.mkIf cfg.registerToSynapse [ "multi-user.target" ];
+        before = lib.mkIf cfg.registerToSynapse [ "matrix-synapse.service" ];
+
+        path = [
+          pkgs.yq
+          pkgs.envsubst
+          cfg.package
+        ];
+
+        script = ''
+          # substitute the settings file by environment variables
+          # in this case read from EnvironmentFile
+          rm -f '${settingsFile}'
+          old_umask=$(umask)
+          umask 0177
+          envsubst \
+            -o '${settingsFile}' \
+            -i '${settingsFileUnformatted}'
+          config_has_tokens=$(yq '.appservice | has("as_token") and has("hs_token")' '${settingsFile}')
+          registration_already_exists=$([[ -f '${registrationFile}' ]] && echo "true" || echo "false")
+          echo "There are tokens in the config: $config_has_tokens"
+          echo "Registration already existed: $registration_already_exists"
+          # tokens not configured from config/environment file, and registration file
+          # is already generated, override tokens in config to make sure they are not lost
+          if [[ $config_has_tokens == "false" && $registration_already_exists == "true" ]]; then
+            echo "Copying as_token, hs_token from registration into configuration"
+            yq -sY '.[0].appservice.as_token = .[1].as_token
+              | .[0].appservice.hs_token = .[1].hs_token
+              | .[0]' '${settingsFile}' '${registrationFile}' \
+              > '${settingsFile}.tmp'
+            mv '${settingsFile}.tmp' '${settingsFile}'
+          fi
+          # make sure --generate-registration does not affect config.yaml
+          cp '${settingsFile}' '${settingsFile}.tmp'
+          echo "Generating registration file"
+          mautrix-mattermost \
+            --generate-registration \
+            --config='${settingsFile}.tmp' \
+            --registration='${registrationFile}'
+          rm '${settingsFile}.tmp'
+          # no tokens configured, and new were just generated by generate registration for first time
+          if [[ $config_has_tokens == "false" && $registration_already_exists == "false" ]]; then
+            echo "Copying newly generated as_token, hs_token from registration into configuration"
+            yq -sY '.[0].appservice.as_token = .[1].as_token
+              | .[0].appservice.hs_token = .[1].hs_token
+              | .[0]' '${settingsFile}' '${registrationFile}' \
+              > '${settingsFile}.tmp'
+            mv '${settingsFile}.tmp' '${settingsFile}'
+          fi
+          # Make sure correct tokens are in the registration file
+          if [[ $config_has_tokens == "true" || $registration_already_exists == "true" ]]; then
+            echo "Copying as_token, hs_token from configuration to the registration file"
+            yq -sY '.[1].as_token = .[0].appservice.as_token
+              | .[1].hs_token = .[0].appservice.hs_token
+              | .[1]' '${settingsFile}' '${registrationFile}' \
+              > '${registrationFile}.tmp'
+            mv '${registrationFile}.tmp' '${registrationFile}'
+          fi
+          umask $old_umask
+          chown :mautrix-mattermost-registration '${registrationFile}'
+          chmod 640 '${registrationFile}'
+        '';
+
+        serviceConfig = {
+          Type = "oneshot";
+          RemainAfterExit = true;
+          UMask = 27;
+
+          User = "mautrix-mattermost";
+          Group = "mautrix-mattermost";
+
+          SystemCallFilter = [ "@system-service" ];
+
+          ProtectSystem = "strict";
+          ProtectHome = true;
+
+          ReadWritePaths = [ dataDir ];
+          StateDirectory = "mautrix-mattermost";
+          EnvironmentFile = cfg.environmentFile;
+        };
+
+        restartTriggers = [ settingsFileUnformatted ];
+      };
+
+      mautrix-mattermost = {
+        description = "Mautrix-Mattermost, a Matrix-Mattermost puppeting/relaybot bridge";
+
+        wantedBy = [ "multi-user.target" ];
+        wants = [ "network-online.target" ] ++ cfg.serviceDependencies;
+        after = [ "network-online.target" ] ++ cfg.serviceDependencies;
+
+        serviceConfig = {
+          Type = "simple";
+          User = "mautrix-mattermost";
+          Group = "mautrix-mattermost";
+          PrivateUsers = true;
+          Restart = "on-failure";
+          RestartSec = 30;
+          WorkingDirectory = dataDir;
+          ExecStart = ''
+            ${lib.getExe cfg.package} \
+              --config='${settingsFile}'
+          '';
+          EnvironmentFile = cfg.environmentFile;
+
+          ProtectSystem = "strict";
+          ProtectHome = true;
+          ProtectKernelTunables = true;
+          ProtectKernelModules = true;
+          ProtectControlGroups = true;
+          PrivateDevices = true;
+          PrivateTmp = true;
+          RestrictSUIDSGID = true;
+          RestrictRealtime = true;
+          LockPersonality = true;
+          ProtectKernelLogs = true;
+          ProtectHostname = true;
+          ProtectClock = true;
+
+          SystemCallArchitectures = "native";
+          SystemCallErrorNumber = "EPERM";
+          SystemCallFilter = "@system-service";
+          ReadWritePaths = [ cfg.dataDir ];
+        };
+
+        restartTriggers = [ settingsFileUnformatted ];
+      };
+    };
+  };
+}
diff --git a/utils/overlays/packages.nix b/utils/overlays/packages.nix
index 25a59b8..719929a 100644
--- a/utils/overlays/packages.nix
+++ b/utils/overlays/packages.nix
@@ -5,6 +5,7 @@ self: super: {
   openaudible = (super.callPackage ../pkgs/openaudible.nix { });
   openmanus = (super.callPackage ../pkgs/openmanus.nix { });
   ai-mailer = self.callPackage ../pkgs/ai-mailer.nix { };
+  mautrix-mattermost = self.callPackage ../pkgs/mautrix-mattermost { };
   claude-code = self.callPackage ../pkgs/claude-code { claude-code = super.claude-code; };
 
   # Python packages
diff --git a/utils/pkgs/mautrix-mattermost/default.nix b/utils/pkgs/mautrix-mattermost/default.nix
new file mode 100644
index 0000000..ee7c3ad
--- /dev/null
+++ b/utils/pkgs/mautrix-mattermost/default.nix
@@ -0,0 +1,30 @@
+{ lib, buildGo126Module, fetchFromGitHub, olm }:
+
+buildGo126Module rec {
+  pname = "mautrix-mattermost";
+  version = "0-unstable-2026-03-01";
+
+  src = fetchFromGitHub {
+    owner = "bostrot";
+    repo = "mautrix-mattermost";
+    rev = "f7996f0e4acd68b24f2a1a88961712682b6017a5";
+    hash = "sha256-J8CJd0tsTLHJRyRVP8fVnzsCS5VV9iXr1epA6P2Qec4=";
+  };
+
+  vendorHash = "sha256-r4mmSEzx/oSv0OutLuXe7LwODUJaSwuQ/CNFZNqw5+c=";
+
+  buildInputs = [ olm ];
+
+  # Disable CGO except for olm
+  env.CGO_ENABLED = 1;
+
+  doCheck = false;
+
+  meta = with lib; {
+    description = "A Matrix-Mattermost puppeting bridge based on mautrix-go";
+    homepage = "https://github.com/bostrot/mautrix-mattermost";
+    license = licenses.agpl3Plus;
+    maintainers = [ ];
+    mainProgram = "mautrix-mattermost";
+  };
+}
diff --git a/utils/pkgs/mautrix-mattermost/update.sh b/utils/pkgs/mautrix-mattermost/update.sh
new file mode 100755
index 0000000..2cb220e
--- /dev/null
+++ b/utils/pkgs/mautrix-mattermost/update.sh
@@ -0,0 +1,64 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p nix-prefetch-github jq cacert
+
+set -euo pipefail
+
+cd "$(dirname "${BASH_SOURCE[0]}")"
+repo_root="$(cd ../../.. && pwd)"
+
+owner="bostrot"
+repo="mautrix-mattermost"
+
+# Get latest commit from GitHub
+echo "Fetching latest commit from $owner/$repo..."
+commit_info=$(curl -s "https://api.github.com/repos/$owner/$repo/commits?per_page=1")
+rev=$(echo "$commit_info" | jq -r '.[0].sha')
+date=$(echo "$commit_info" | jq -r '.[0].commit.committer.date' | cut -dT -f1)
+echo "Latest commit: $rev ($date)"
+
+# Update rev in default.nix
+sed -i "s|rev = \".*\";|rev = \"$rev\";|" default.nix
+sed -i "s|version = \".*\";|version = \"0-unstable-$date\";|" default.nix
+
+# Fetch source hash
+echo "Fetching source hash..."
+prefetch_output=$(nix-prefetch-github "$owner" "$repo" --rev "$rev" --json 2>/dev/null)
+src_hash=$(echo "$prefetch_output" | jq -r '.hash')
+echo "Source hash: $src_hash"
+sed -i "s|hash = \"sha256-.*\";|hash = \"$src_hash\";|" default.nix
+
+# Set placeholder vendorHash to trigger build failure
+sed -i "s|vendorHash = \"sha256-.*\";|vendorHash = \"sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\";|" default.nix
+
+# Build to get the correct vendorHash
+echo "Building to determine vendorHash..."
+cd "$repo_root"
+build_output=$(nix build --impure --no-link --expr 'with import <nixpkgs> { config.permittedInsecurePackages = ["olm-3.2.16"]; }; callPackage ./utils/pkgs/mautrix-mattermost {}' 2>&1 || true)
+
+vendor_hash=$(echo "$build_output" | grep -oP "got:\s+sha256-[A-Za-z0-9+/=]+" | tail -1 | awk '{print $2}')
+
+if [ -z "$vendor_hash" ]; then
+  echo "Error: Could not determine vendorHash from build output"
+  echo "Build output:"
+  echo "$build_output"
+  exit 1
+fi
+
+echo "vendorHash: $vendor_hash"
+cd "$repo_root/utils/pkgs/mautrix-mattermost"
+sed -i "s|vendorHash = \"sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\";|vendorHash = \"$vendor_hash\";|" default.nix
+
+# Verify the build works
+echo ""
+echo "Verifying build..."
+cd "$repo_root"
+if nix build --impure --no-link --expr 'with import <nixpkgs> { config.permittedInsecurePackages = ["olm-3.2.16"]; }; callPackage ./utils/pkgs/mautrix-mattermost {}'; then
+  echo ""
+  echo "Successfully updated mautrix-mattermost to $rev ($date)"
+  echo "  Source hash: $src_hash"
+  echo "  vendorHash: $vendor_hash"
+else
+  echo ""
+  echo "Build failed after updating hashes"
+  exit 1
+fi