From ebf15f5582113d5494a63c7de8019330f95051e4 Mon Sep 17 00:00:00 2001 From: mjallen18 Date: Thu, 24 Apr 2025 14:44:47 -0500 Subject: [PATCH] gitea container, traefik cleanup and sops --- hosts/nas/apps/actual/default.nix | 14 +--- hosts/nas/apps/gitea/default.nix | 120 +++++++++++++++++++++++------ hosts/nas/apps/traefik/default.nix | 105 +++++++++++++++++-------- hosts/nas/sops.nix | 14 ++-- secrets/secrets.yaml | 17 ++-- 5 files changed, 190 insertions(+), 80 deletions(-) diff --git a/hosts/nas/apps/actual/default.nix b/hosts/nas/apps/actual/default.nix index 6d5c2ba..8c28bcf 100644 --- a/hosts/nas/apps/actual/default.nix +++ b/hosts/nas/apps/actual/default.nix @@ -36,7 +36,7 @@ in config = { dataDir = dataDir; openId = { - issuer = "https://authentik.mjallen.dev/application/o/actual-budget/"; + issuer = "https://authentik.mjallen.dev/application/o/actual-budget/"; # TODO client_id = "1PGCrRdndq7SoOSLuNMnXFmHpgd1NKRMOa5LSia2"; client_secret = "1PGCrRdndq7SoOSLuNMnXFmHpgd1NKRMOa5LSia2"; server_hostname = "https://actual.mjallen.dev"; @@ -56,18 +56,6 @@ in useHostResolvConf = lib.mkForce false; }; - # Create and set permissions for required directories - # system.activationScripts.actual-dirs = '' - # mkdir -p /var/lib/private/actual-data - - # chown -R nobody:nogroup /var/lib/private/actual-data - - # chmod -R 775 /var/lib/private/actual-data - - # ln -sf /var/lib/private/actual /var/lib/actual-data - - # ''; - services.resolved.enable = true; system.stateVersion = "23.11"; }; diff --git a/hosts/nas/apps/gitea/default.nix b/hosts/nas/apps/gitea/default.nix index 3fd31b8..3f76ee8 100644 --- a/hosts/nas/apps/gitea/default.nix +++ b/hosts/nas/apps/gitea/default.nix 
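Review bot: `client_secret` in the `openId` block of the first actual/default.nix hunk is still a string literal, so it ends up in git and in the world-readable Nix store while the rest of this commit moves credentials into sops. It is also byte-identical to `client_id`, which looks like a copy-paste or a placeholder and is worth confirming. The added `# TODO` sits on the `issuer` line, which is not the sensitive field; moving it to `client_secret` as `# TODO: move to sops` would mark the right line. The longer-term fix is a sops secret handed to the container by path, as the gitea hunk does for `mailerPasswordFile`, plus a rotation of the client secret in Authentik because the current value is already in history. The `config` block continues outside the hunk, so I can't see whether the module accepts a file-based secret.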
@@ -1,30 +1,104 @@ { config, ... }: +let + hostAddress = "10.0.1.18"; + localAddress = "10.0.4.18"; + httpPort = 3000; + sshPort = 2222; + rootUrl = "https://gitea.mjallen.dev/"; + stateDir = "/media/nas/ssd/nix-app-data/gitea"; + dataDir = "/var/lib/gitea"; + secretsDir = "/run/secrets/jallen-nas/gitea"; + mailerPasswordFile = config.sops.secrets."jallen-nas/gitea/mail-key".path; + metricsTokenFile = config.sops.secrets."jallen-nas/gitea/metrics-key".path; +in { - services.gitea = { - enable = true; - stateDir = "/media/nas/ssd/nix-app-data/gitea"; - useWizard = false; - mailerPasswordFile = config.sops.secrets."jallen-nas/gitea/mail-key".path; - metricsTokenFile = config.sops.secrets."jallen-nas/gitea/metrics-key".path; - settings = { - server = { - DOMAIN = "jallen-nas"; - HTTP_ADDR = "0.0.0.0"; - HTTP_PORT = 3000; - PROTOCOL = "http"; - ROOT_URL = "https://gitea.mjallen.dev/"; - SSH_PORT = 2222; + containers.gitea = { + autoStart = true; + privateNetwork = true; + hostAddress = hostAddress; + localAddress = localAddress; + + bindMounts = { + ${dataDir} = { + hostPath = stateDir; + isReadOnly = false; }; - service = { - REGISTER_EMAIL_CONFIRM = false; - ENABLE_CAPTCHA = false; - DISABLE_REGISTRATION = true; - ENABLE_OPENID_SIGNIN = false; - ENABLE_LDAP_SIGNIN = false; - ENABLE_SSH_SIGNIN = true; - ENABLE_BUILTIN_SSH_SERVER = true; - ENABLE_REVERSE_PROXY_AUTHENTICATION = true; + secrets = { + hostPath = secretsDir; + isReadOnly = true; + mountPoint = secretsDir; }; }; + + config = { lib, ... 
}: + { + services.gitea = { + enable = true; + stateDir = dataDir; + useWizard = false; + mailerPasswordFile = mailerPasswordFile; + metricsTokenFile = metricsTokenFile; + settings = { + server = { + DOMAIN = "jallen-nas"; + HTTP_ADDR = "0.0.0.0"; + HTTP_PORT = httpPort; + PROTOCOL = "http"; + ROOT_URL = rootUrl; + SSH_PORT = sshPort; + }; + service = { + REGISTER_EMAIL_CONFIRM = false; + ENABLE_CAPTCHA = false; + DISABLE_REGISTRATION = true; + ENABLE_OPENID_SIGNIN = false; + ENABLE_LDAP_SIGNIN = false; + ENABLE_SSH_SIGNIN = true; + ENABLE_BUILTIN_SSH_SERVER = true; + ENABLE_REVERSE_PROXY_AUTHENTICATION = true; + }; + }; + }; + + users.users.gitea = { + extraGroups = [ "keys" ]; + }; + + networking = { + firewall = { + enable = true; + allowedTCPPorts = [ httpPort sshPort 22 ]; + }; + # Use systemd-resolved inside the container + # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 + useHostResolvConf = lib.mkForce false; + }; + + # Create and set permissions for required directories + system.activationScripts.gitea-dirs = '' + mkdir -p /var/lib/gitea + chown -R gitea:gitea /var/lib/gitea + chmod -R 775 /var/lib/gitea + mkdir -p /run/secrets/jallen-nas + chown -R gitea:gitea /run/secrets/jallen-nas + chmod -R 775 /run/secrets/jallen-nas + ''; + + services.resolved.enable = true; + system.stateVersion = "23.11"; + }; + }; + + networking.nat = { + forwardPorts = [ + { + destination = "${localAddress}:${toString httpPort}"; + sourcePort = httpPort; + } + { + destination = "${localAddress}:${toString sshPort}"; + sourcePort = sshPort; + } + ]; }; } \ No newline at end of file diff --git a/hosts/nas/apps/traefik/default.nix b/hosts/nas/apps/traefik/default.nix index 007882f..3bb6355 100755 --- a/hosts/nas/apps/traefik/default.nix +++ b/hosts/nas/apps/traefik/default.nix 
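Review bot: `networking.nat.forwardPorts` at the end of the gitea hunk publishes `httpPort` (3000) from the host straight into the container, while `ENABLE_REVERSE_PROXY_AUTHENTICATION = true` and `HTTP_ADDR = "0.0.0.0"` mean Gitea will accept the proxy's identity header from anything that can reach that port. Traefik is pointed at the container address directly in this same commit (`giteaUrl = "http://10.0.4.18:3000"`), so the HTTP forward looks unnecessary. I would keep only the `sshPort` entry and, if the deployed Gitea version supports it, pin `security.REVERSE_PROXY_TRUSTED_PROXIES` to the address Traefik connects from (presumably `hostAddress`). In `gitea-dirs`, the `chown -R gitea:gitea` and `chmod -R 775` on `/run/secrets/jallen-nas` work against the `0440` `root:keys` modes set in sops.nix and recurse into a bind mount declared `isReadOnly = true`; dropping both and using `chmod -R 750 /var/lib/gitea` would be tighter. Port 22 in `allowedTCPPorts` has no visible listener in this container and could be removed as well.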
@@ -2,6 +2,7 @@ let domain = "mjallen.dev"; + # Forward services authUrl = "http://10.0.1.18:9000/outpost.goauthentik.io"; authentikUrl = "http://10.0.1.18:9000"; onlyofficeUrl = "http://10.0.2.18:9980"; 
@@ -12,34 +13,87 @@ let openWebUIUrl = "http://10.0.1.18:8888"; paperlessUrl = "http://10.0.1.20:28981"; cacheUrl = "http://10.0.1.18:5000"; - giteaUrl = "http://10.0.1.18:3000"; + giteaUrl = "http://10.0.4.18:3000"; actualUrl = "http://10.0.3.18:3333"; lubeloggerUrl = "http://10.0.1.18:6754"; + + # Plugins + traefikPlugins = { + bouncer = { + moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"; + version = "v1.4.2"; + }; + geoblock = { + moduleName = "github.com/PascalMinder/geoblock"; + version = "v0.2.5"; + }; + }; + + crowdsecAppsecHost = "10.0.1.18:7422"; + crowdsecLapiKeyFile = config.sops.secrets."jallen-nas/traefik/crowdsec-lapi-key".path; + + # Ports + httpPort = 80; + httpsPort = 443; + traefikPort = 8080; + metricsPort = 8082; + + forwardPorts = [ + httpPort + httpsPort + traefikPort + metricsPort + ]; + + # misc + letsEncryptEmail = "jalle008@proton.me"; + dataDir = "/media/nas/ssd/nix-app-data/traefik"; + authentikAddress = "http://10.0.1.18:9000/outpost.goauthentik.io/auth/traefik"; + group = [ config.users.users.nix-apps.group.name ]; in { + sops = { + secrets = { + "jallen-nas/traefik/crowdsec-lapi-key" = { + owner = config.users.users.traefik.name; + group = config.users.users.traefik.group; + restartUnits = [ "traefik.service" ]; + }; + "jallen-nas/traefik/cloudflare-dns-api-token" = { }; + "jallen-nas/traefik/cloudflare-zone-api-token" = { }; + "jallen-nas/traefik/cloudflare-api-key" = { }; + "jallen-nas/traefik/cloudflare-email" = { }; + }; + templates = { + "traefik.env" = { + content = '' + CLOUDFLARE_DNS_API_TOKEN = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-dns-api-token"} + CLOUDFLARE_ZONE_API_TOKEN = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-zone-api-token"} + CLOUDFLARE_API_KEY = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-api-key"} + CLOUDFLARE_EMAIL = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-email"} + ''; + owner = config.users.users.traefik.name; + group = 
config.users.users.traefik.group; + restartUnits = [ "traefik.service" ]; + }; + }; + }; + networking.firewall = { - allowedTCPPorts = [ - 80 - 443 - 8080 - ]; - allowedUDPPorts = [ - 80 - 443 - 8080 - ]; + allowedTCPPorts = forwardPorts; + allowedUDPPorts = forwardPorts; }; services.traefik = { enable = true; - dataDir = "/media/nas/ssd/nix-app-data/traefik"; - group = "jallen-nas"; + dataDir = dataDir; + group = "jallen-nas";#group; environmentFiles = [ "${config.services.traefik.dataDir}/traefik.env" ]; # todo: sops staticConfigOptions = { entryPoints = { web = { - address = ":80"; + address = ":${toString httpPort}"; asDefault = true; http.redirections.entrypoint = { to = "websecure"; @@ -48,13 +102,13 @@ in }; websecure = { - address = ":443"; + address = ":${toString httpsPort}"; asDefault = true; http.tls.certResolver = "letsencrypt"; }; metrics = { - address = ":8082"; # Port for metrics + address = ":${toString metricsPort}"; # Port for metrics }; }; @@ -72,7 +126,7 @@ in }; certificatesResolvers.letsencrypt.acme = { - email = "jalle008@proton.me"; + email = letsEncryptEmail; storage = "${config.services.traefik.dataDir}/acme.json"; dnsChallenge = { provider = "cloudflare"; @@ -88,16 +142,7 @@ in api.insecure = true; experimental = { - plugins = { - bouncer = { - moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"; - version = "v1.4.2"; - }; - geoblock = { - moduleName = "github.com/PascalMinder/geoblock"; - version = "v0.2.5"; - }; - }; + plugins = traefikPlugins; }; }; @@ -107,7 +152,7 @@ in authentik = { forwardAuth = { tls.insecureSkipVerify = true; - address = "http://10.0.1.18:9000/outpost.goauthentik.io/auth/traefik"; + address = authentikAddress; trustForwardHeader = true; authResponseHeaders = [ "X-authentik-username" 
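Review bot: The new `forwardPorts` list feeds both `allowedTCPPorts` and `allowedUDPPorts`, so the `@@ -12,34 +13,87 @@` hunk newly opens `metricsPort` (8082) on the host firewall and keeps `traefikPort` (8080) open, on both protocols. With `api.insecure = true` visible further down the file, 8080 serves the dashboard and API without authentication. I would set `allowedTCPPorts = [ httpPort httpsPort ];`, drop `allowedUDPPorts` unless HTTP/3 is actually enabled, and expose 8080/8082 only on a trusted interface or behind an authenticated router. Separately, the `"traefik.env"` sops template is declared here but `environmentFiles` still reads `"${config.services.traefik.dataDir}/traefik.env"` (the `# todo: sops` line), so the template is not consumed yet; `environmentFiles = [ config.sops.templates."traefik.env".path ];` would wire it up. The `group` binding in the `let` block is unused, since the service still sets `group = "jallen-nas";#group;`.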
@@ -133,10 +178,10 @@ in plugin = { bouncer = { crowdsecAppsecEnabled = true; - crowdsecAppsecHost = "10.0.1.18:7422"; + crowdsecAppsecHost = crowdsecAppsecHost; crowdsecAppsecFailureBlock = true; crowdsecAppsecUnreachableBlock = true; - crowdsecLapiKey = "1daH89qmJ41r2Lpd9hvDw4sxtOAtBzaj3aKFOFqE"; + crowdsecLapiKeyFile = crowdsecLapiKeyFile; }; }; }; diff --git a/hosts/nas/sops.nix b/hosts/nas/sops.nix index d9e5356..2d5faf8 100755 --- a/hosts/nas/sops.nix +++ b/hosts/nas/sops.nix @@ -114,14 +114,16 @@ in restartUnits = [ "container@paperless.service" ]; }; "jallen-nas/gitea/mail-key" = { - owner = "gitea"; - group = "gitea"; - restartUnits = [ "gitea.service" ]; + owner = "root"; + group = "keys"; + mode = "0440"; + restartUnits = [ "container@gitea.service" ]; }; "jallen-nas/gitea/metrics-key" = { - owner = "gitea"; - group = "gitea"; - restartUnits = [ "gitea.service" ]; + owner = "root"; + group = "keys"; + mode = "0440"; + restartUnits = [ "container@gitea.service" ]; }; "jallen-nas/free-games/eg-email" = { }; "jallen-nas/free-games/eg-pass" = { }; diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index f36b3ea..b57fffb 100755 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml 
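Review bot: The literal `crowdsecLapiKey` removed from the `bouncer` plugin block in the `@@ -133,10 +178,10 @@` hunk remains readable in the repository history, so switching to `crowdsecLapiKeyFile` only protects the key once the bouncer credential has been revoked and re-issued in CrowdSec. If the value now encrypted under `jallen-nas/traefik/crowdsec-lapi-key` is the same string, it should be replaced too; I can't tell from the diff whether that rotation happened. A one-line comment on the `crowdsecLapiKeyFile` binding, for example `# bouncer key lives in sops; rotated after removal from this file`, would record the intent for the next reader. The enclosing middleware definition starts and ends outside the hunk.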
@@ -4,6 +4,12 @@ jallen-nas: admin_password: ENC[AES256_GCM,data:RGb0UQkLhqfBWflIc5r8yWgYvc0EZuM49uhnXH1r6o9d7Ya7eAoTn2DHdWmYnd9/LpTXPmLF07Nf8s1+/odYx8RBmaji56yWbQ==,iv:dGlvZtZFB8jsI33Qkmmb3iHTXqpVWfbd0EfNK0uX3i4=,tag:z6THeY0UmG64VwOdwnL/AA==,type:str] ups_password: ENC[AES256_GCM,data:yHCwM7XbbhQZwxE=,iv:m4dD6VlrplHbZB5hnV1fk5N8IOsc+fA5qhTcrqiTxDM=,tag:41EaB9z2jlNTfPw5wlWQ3g==,type:str] authentik-env: ENC[AES256_GCM,data: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,iv:u9e/8M5LuUxq9guYAotWiq5sUQvIFwHifHTyRvMqhoE=,tag:woEsW51e7LDQImLnQPjqAw==,type:str] + traefik: + crowdsec-lapi-key: ENC[AES256_GCM,data:DetevvLkjVSeJqH9+zObMXzsHd4l+jS73m7CLPKney16Px7geslxKg==,iv:DPdA7wxqxATonlR98lLUXilJFW3/2zIirdv1BNX9olE=,tag:o2Z2VfmzqWFdKY4VOlyphw==,type:str] + cloudflare-dns-api-token: ENC[AES256_GCM,data:Hi1dN4EZLxdgpePEeBLmlWmN3eM3DLppErefP44SLfWfzNtdO6jtAQ==,iv:SDY/xuShxMuy4Orr4WWLztc6qhb+NATg3ZjlygatHkU=,tag:Z8gqmaLwsmdGgAzXd9Lb9A==,type:str] + cloudflare-zone-api-token: ENC[AES256_GCM,data:1vW4IlUUhvpCpkeIHPehDbffkyiIopZRg4v6kXBtjreI70kHiEp2mQ==,iv:tGHpVDsvijhU3/GY2k1blPStYVD4NbnL2qnRTkaOZXg=,tag:kl5Quk8HiGnPc25deT5S9w==,type:str] + cloudflare-api-key: ENC[AES256_GCM,data:NiOHyY+yDUUU2xOMk4bKfnU+OTBjEdbviB1F0zte2oTVTzeRTg==,iv:JF1pMXSPkTixSPsWxcnW54Mw5Y7CQdjRxOtBgaQc2o8=,tag:IQm2kr0SQyXeEeHJi1xnFA==,type:str] + cloudflare-email: ENC[AES256_GCM,data:D7JTtOVHHiP67U0QJfe9ufNs,iv:P///GXV+DlLzbhnQdo2Szd3ABEna7qmg4i7EKZES78s=,tag:6Y6F5HKqgW86xDVbItghlg==,type:str] collabora: ENC[AES256_GCM,data:A01H7FzgSplAEn0dsENgllyWza4=,iv:L9bPHKdeIHn7caYn78XOkdmuSk1RIuSVcIW5HFQL8PY=,tag:h0kiClGAwGB6iP327flWew==,type:str] mariadb: root_pass: ENC[AES256_GCM,data:YLPfEG4/6FeCnrKdfXv9z4hHwtpM/KtBCYqlm4IUvA==,iv:pc9Ljasy76bfkmFRJ4M+wfEtjXBUD7Kb0S0WQZhCmOs=,tag:Wk/7gpKidirhRqw4+Pu96g==,type:str] 
@@ -89,10 +95,6 @@ secureboot: PK-key: ENC[AES256_GCM,data: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,iv:NpO32iyBdzKGLt7oS86WT7IJrpZeuHcxO0BF4ZoMI1U=,tag:INU0SbXFmQzrAA8TxKqBfA==,type:str] PK-pem: ENC[AES256_GCM,data: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,iv:l9hEcYU+9qzjYzGJ0Wag3GT+lzXE8JDQNmY+RoxEFls=,tag:QzrJ6ykAX6tXQMf19kB68A==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age157jemphjzg6zmk373vpccuguyw6e75qnkqmz8pcnn2yue85p939swqqhy0 enc: | @@ -148,8 +150,7 @@ sops: TWRvYVZ5eklJQU81SzBVZ1BBbENuTkEKwMTa1cAH3sNm2npVhQ/dDl5M7Q8T3vOx 9slEt5EVUgqaJVhVr9AM9aAhghWJa5i5+Eh628C6p53XFxrO+6zUYA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-04-17T23:22:06Z" - mac: ENC[AES256_GCM,data:jF1j6evEZsdvYkOLIXtdeEX8I7i+Exv6bwZeL0hZGJOap/RiMAitm54BFSrovwRS5/5Y1ZlEBQvlB91KltlZqOA1iq8mANN48U02p5O6ow3Piu04DrLkRGBbOaxri+3zWAzLf+g6qkJF9PzTaQkxOF0a44MZVxMqK69GdaZrqxw=,iv:0ngj011CKZAJFaBVDASp35h+OwYDXgreUNrQNr5OI24=,tag:Aqtv27sj7zTsJh7O1MseVw==,type:str] - pgp: [] + lastmodified: "2025-04-24T19:31:51Z" + mac: ENC[AES256_GCM,data:uUlq9fHcjs1UsPBYSnpRq2OOH3AH24bq7QnIjaS1HsIoqxqJiUD6vmljQYUHUQoFV7w8yq8tD6z2yhzfrTUiZ18EOcW5GUC+k1eYXaJhUSPPm94TnkjWs7b5B9ldk2LM9CISWSo2hwBLJAhuI1Cw7Pr1TwMePqf5AhQYeZQiIFg=,iv:vTDGkvL/cJ4gMY4Cz3P/xLwhx3+C1lPUesX1KzXIXnc=,tag:sJE3+O3Et9JH0E3Zkoyc4w==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.4 + version: 3.10.1