refactor: add hosting-01 to colmena

Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>
Lander Van den Bulcke 2025-10-21 13:34:45 +02:00
parent f1f8662e98
commit 440e1a6541
Signed by: lander
GPG key ID: 0142722B4B0C536F
11 changed files with 155 additions and 223 deletions


@ -0,0 +1,188 @@
{ config, lib, ... }:
{
services = {
authelia.instances.escapeangle = {
enable = true;
settings = {
theme = "auto";
authentication_backend.ldap = {
address = "ldap://localhost:3890";
base_dn = "dc=escapeangle,dc=com";
users_filter = "(&({username_attribute}={input})(objectClass=person))";
groups_filter = "(&(member={dn})(objectClass=groupOfUniqueNames))";
user = "uid=authelia,ou=people,dc=escapeangle,dc=com";
};
access_control = {
default_policy = "deny";
rules = lib.mkAfter [
{
domain = "*.escapeangle.com";
policy = "one_factor";
}
];
};
storage.postgres = {
address = "db-01.tailnet.escapeangle.com";
database = "authelia";
username = "authelia";
password = "authelia"; # using peer auth
};
session = {
cookies = [
{
domain = "escapeangle.com";
authelia_url = "https://auth.escapeangle.com";
inactivity = "1M";
expiration = "3M";
remember_me = "1y";
}
];
};
notifier.smtp = {
address = "smtp://mail.escapeangle.com:587";
username = "authelia@escapeangle.com";
sender = "authelia@escapeangle.com";
};
log.level = "info";
identity_providers.oidc = {
cors = {
endpoints = [ "token" ];
allowed_origins_from_client_redirect_uris = true;
};
authorization_policies.default = {
default_policy = "one_factor";
rules = [
{
policy = "deny";
subject = "group:lldap_strict_readonly";
}
];
};
clients = [
{
client_id = "forgejo";
client_name = "Forgejo";
client_secret = "$pbkdf2-sha512$310000$C696AL9dgf0.yv6VF.jLvA$iNAWSUckoX/6y6yQcfo5FMjICl6D8iAeElIG5AZD5vC8Z8unBcLFR9LcqdMQgsYK3S9DNekQtJpNbbRzXrliDQ";
public = false;
authorization_policy = "two_factor";
require_pkce = true;
pkce_challenge_method = "S256";
redirect_uris = [ "https://git.escapeangle.com/user/oauth2/Authelia/callback" ];
scopes = [
"openid"
"email"
"profile"
];
response_types = [ "code" ];
grant_types = [ "authorization_code" ];
access_token_signed_response_alg = "none";
userinfo_signed_response_alg = "none";
token_endpoint_auth_method = "client_secret_basic";
}
{
client_id = "headscale";
client_name = "Headscale";
client_secret = "$pbkdf2-sha512$310000$fvaPyF69vBFs3oG1h4Qa1w$ezdJFynGV6bSA8UzGNangyOcaST7a3.LZ6WkVYeI.Ag5znxPsjmm9U23BL7OBMQWAY75CsvftYJWK5eE8nxi9A";
public = false;
authorization_policy = "two_factor";
require_pkce = true;
redirect_uris = [ "https://headscale.escapeangle.com/oidc/callback" ];
scopes = [
"openid"
"email"
"profile"
"groups"
];
response_types = [ "code" ];
grant_types = [ "authorization_code" ];
access_token_signed_response_alg = "none";
userinfo_signed_response_alg = "none";
token_endpoint_auth_method = "client_secret_basic";
}
{
client_id = "mealie";
client_name = "Mealie";
client_secret = "$pbkdf2-sha512$310000$Bi3.Z5ewisL.INFbSquvHQ$.Dicey0nFqoqGtmwoncmoNCARnK32twdVUcveWaO9OMKz5f8neIOEFTXSmIL7hf1erO20A08khv9W2I7aReZMw";
public = false;
authorization_policy = "two_factor";
require_pkce = true;
pkce_challenge_method = "S256";
redirect_uris = [ "https://recipes.escapeangle.com/login" ];
scopes = [
"openid"
"email"
"profile"
"groups"
];
response_types = [ "code" ];
grant_types = [ "authorization_code" ];
access_token_signed_response_alg = "none";
userinfo_signed_response_alg = "none";
token_endpoint_auth_method = "client_secret_basic";
}
];
};
};
secrets = with config.sops; {
jwtSecretFile = secrets."authelia/jwt_secret".path;
oidcIssuerPrivateKeyFile = secrets."authelia/jwks".path;
oidcHmacSecretFile = secrets."authelia/hmac_secret".path;
sessionSecretFile = secrets."authelia/session_secret".path;
storageEncryptionKeyFile = secrets."authelia/storage_encryption_key".path;
};
environmentVariables = with config.sops; {
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
secrets."authelia/lldap_authelia_password".path;
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = secrets."authelia/smtp_password".path;
};
};
};
services.nginx.virtualHosts."auth.escapeangle.com" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:9091";
};
};
sops = {
defaultSopsFile = ../hosting-01.yaml;
secrets = {
"authelia/hmac_secret" = {
owner = "authelia-escapeangle";
};
"authelia/jwks" = {
owner = "authelia-escapeangle";
};
"authelia/jwt_secret" = {
owner = "authelia-escapeangle";
};
"authelia/session_secret" = {
owner = "authelia-escapeangle";
};
"authelia/storage_encryption_key" = {
owner = "authelia-escapeangle";
};
"authelia/lldap_authelia_password" = {
owner = "authelia-escapeangle";
};
"authelia/smtp_password" = {
owner = "authelia-escapeangle";
};
};
};
}
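Review bot: `password = "authelia"; # using peer auth` under `storage.postgres` puts a literal credential into a file that ends up in the world-readable Nix store, and the comment cannot hold as written: peer authentication only applies to local Unix-socket connections, while `address` points at `db-01.tailnet.escapeangle.com`. Either the database accepts this role over the tailnet without a real password (not visible here), or `authelia` is the actual password; the comment should say what really protects the connection. If a password is in use, supply it the way the LDAP and SMTP passwords already are in this section, instead of the literal: `AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = secrets."authelia/<postgres-password-secret>".path;` (the secret name is a placeholder). Separately, `inactivity = "1M"` and `expiration = "3M"` are months in Authelia's duration notation (`m` is minutes), which is a long session lifetime for the identity provider in front of every other service here; confirm that is intended.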


@ -0,0 +1,7 @@
{ ... }:
{
imports = [
./authelia.nix
./lldap.nix
];
}


@ -0,0 +1,49 @@
{ config, ... }:
{
services = {
lldap = {
enable = true;
settings = {
ldap_base_dn = "dc=escapeangle,dc=com";
ldap_user_email = "lander@escapeangle.com";
database_url = "postgresql://lldap@db-01.tailnet.escapeangle.com/lldap";
};
environment = {
LLDAP_JWT_SECRET_FILE = config.sops.secrets."lldap/jwt_secret".path;
LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/key_seed".path;
LLDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin_password".path;
};
};
};
services.nginx.virtualHosts."users.escapeangle.com" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.lldap.settings.http_port}";
};
};
users = {
users.lldap = {
group = "lldap";
isSystemUser = true;
};
groups.lldap = { };
};
sops = {
defaultSopsFile = ../hosting-01.yaml;
secrets = {
"lldap/jwt_secret" = {
owner = "lldap";
};
"lldap/key_seed" = {
owner = "lldap";
};
"lldap/admin_password" = {
owner = "lldap";
};
};
};
}
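Review bot: The `users.escapeangle.com` virtual host publishes the LLDAP administration UI through nginx with nothing in front of it but LLDAP's own login, and the host configuration opens ports 80 and 443, so the directory admin login appears to be reachable from outside the tailnet. If administration only happens from trusted machines, restrict the location, e.g. `extraConfig = "allow <tailnet-cidr>; deny all;";` inside `locations."/"` (the CIDR is a placeholder). `database_url = "postgresql://lldap@db-01.tailnet.escapeangle.com/lldap"` carries no password, so the connection presumably relies on the database trusting tailnet peers; a comment stating that assumption would help the next reader. Authelia reaches LDAP at `ldap://localhost:3890`, so it is also worth confirming that the LDAP listener is bound to loopback only, which `settings` here does not set.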


@ -0,0 +1,6 @@
{ ... }:
{
imports = [
./forgejo.nix
];
}


@ -0,0 +1,131 @@
{ config, lib, ... }:
let
cfg = config.services.forgejo;
srv = cfg.settings.server;
in
{
services.forgejo = {
enable = true;
database = {
type = "postgres";
host = "db-01.tailnet.escapeangle.com";
createDatabase = false;
};
lfs.enable = true;
settings = {
server = {
DOMAIN = "git.escapeangle.com";
ROOT_URL = "https://${srv.DOMAIN}";
HTTP_PORT = 3000;
LANDING_PAGE = "explore";
};
ui.DEFAULT_THEME = "gitea-auto";
service = {
DISABLE_REGISTRATION = false;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
SHOW_REGISTRATION_BUTTON = false;
};
openid = {
ENABLE_OPENID_SIGNIN = false;
ENABLE_OPENID_SIGNUP = true;
WHITELISTED_URIS = "auth.escapeangle.com";
};
storage = {
STORAGE_TYPE = "minio";
MINIO_ENDPOINT = "daf6ae2391d4d68ecf3c5af2f1540f5c.r2.cloudflarestorage.com";
MINIO_BUCKET = "forgejo";
MINIO_LOCATION = "auto";
MINIO_USE_SSL = true;
MINIO_CHECKSUM_ALGORITHM = "md5";
};
mailer = {
ENABLED = true;
SMTP_ADDR = "mail.escapeangle.com";
FROM = "forgejo@escapeangle.com";
USER = "forgejo@escapeangle.com";
};
};
secrets = {
storage = {
MINIO_ACCESS_KEY_ID = config.sops.secrets."forgejo/access-key-id".path;
MINIO_SECRET_ACCESS_KEY = config.sops.secrets."forgejo/secret-access-key".path;
};
mailer = {
PASSWD = config.sops.secrets."forgejo/mailer-password".path;
};
};
};
systemd.services.forgejo = {
requires = [ "tailscaled.service" ];
preStart = # bash
''
auth="${lib.getExe config.services.forgejo.package} admin auth"
echo "Trying to find existing sso configuration for Authelia"...
set +e -o pipefail
id="$($auth list | grep "Authelia.*OAuth2" | cut -d' ' -f1)"
found=$?
set -e +o pipefail
if [[ $found = 0 ]]; then
echo Found sso configuration at id=$id, updating it if needed.
$auth update-oauth \
--id $id \
--name "Authelia" \
--provider openidConnect \
--key forgejo \
--secret $(tr -d '\n' < ${config.sops.secrets."forgejo/oidc-secret".path}) \
--auto-discover-url https://auth.escapeangle.com/.well-known/openid-configuration
else
echo Did not find any sso configuration, creating one with name Authelia.
$auth add-oauth \
--name Authelia \
--provider openidConnect \
--key forgejo \
--secret $(tr -d '\n' < ${config.sops.secrets."forgejo/oidc-secret".path}) \
--auto-discover-url https://auth.escapeangle.com/.well-known/openid-configuration
fi
'';
};
services.nginx.virtualHosts."git.escapeangle.com" = {
forceSSL = true;
enableACME = true;
extraConfig = ''
client_max_body_size 512M;
'';
locations."/" = {
proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
};
};
sops = {
defaultSopsFile = ../hosting-01.yaml;
secrets = {
"forgejo/mailer-password" = {
owner = "forgejo";
};
"forgejo/oidc-secret" = {
owner = "forgejo";
};
"forgejo/access-key-id" = {
owner = "forgejo";
};
"forgejo/secret-access-key" = {
owner = "forgejo";
};
};
};
}
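Review bot: In `preStart`, both the `update-oauth` and `add-oauth` branches pass the OIDC client secret as `--secret $(tr -d '\n' < …)`, which places it on the process command line for the duration of the call and leaves the substitution unquoted, so a secret containing whitespace or glob characters would be split or expanded. Quote it at least, `--secret "$(tr -d '\n' < ${config.sops.secrets."forgejo/oidc-secret".path})"`, and likewise `--id "$id"`, which otherwise breaks into several arguments if `grep` matches more than one auth source. A short comment above the script saying that the argv exposure is accepted, or how it is limited on this host, would document the trade-off. `requires = [ "tailscaled.service" ];` sets no ordering by itself; add `after = [ "tailscaled.service" ];` if the unit must only start once tailscale is up.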


@ -0,0 +1,172 @@
{
config,
lib,
pkgs,
...
}:
let
format = pkgs.formats.yaml { };
settings = lib.recursiveUpdate config.services.headscale.settings {
acme_email = "/dev/null";
tls_cert_path = "/dev/null";
tls_key_path = "/dev/null";
policy.path = "/dev/null";
oidc.client_secret_path = "/dev/null";
};
headscaleConfig = format.generate "headscale.yml" settings;
in
{
imports = [
./auth
./git
];
networking.firewall = {
enable = true;
allowedTCPPorts = [
80
443
];
};
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
};
services.headscale = {
enable = true;
address = "0.0.0.0";
port = 8080;
settings = {
server_url = "https://headscale.escapeangle.com";
dns = {
base_domain = "tailnet.escapeangle.com";
};
};
};
services.headplane = {
enable = true;
agent.enable = false;
settings = {
server = {
host = "127.0.0.1";
port = 8081;
cookie_secret = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; # replaced in env
cookie_secure = true;
};
headscale = {
url = "https://headscale.escapeangle.com";
config_path = "${headscaleConfig}";
config_strict = true;
};
integration.proc.enabled = true;
};
};
services.nginx.virtualHosts."headscale.escapeangle.com" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.headscale.port}";
proxyWebsockets = true;
};
locations."/admin" = {
proxyPass = "http://127.0.0.1:${toString config.services.headplane.settings.server.port}";
proxyWebsockets = true;
};
};
users.users.mealie = {
enable = true;
group = "mealie";
isSystemUser = true;
};
users.groups.mealie = { };
services.mealie = {
enable = true;
settings = {
BASE_URL = "https://recipes.escapeangle.com/";
DB_ENGINE = "postgres";
POSTGRES_SERVER = "db-01.tailnet.escapeangle.com";
ALLOW_SIGNUP = "false";
ALLOW_PASSWORD_LOGIN = "false";
OIDC_AUTH_ENABLED = "true";
OIDC_SIGNUP_ENABLED = "true";
OIDC_CONFIGURATION_URL = "https://auth.escapeangle.com/.well-known/openid-configuration";
OIDC_CLIENT_ID = "mealie";
OIDC_AUTO_REDIRECT = "false";
OIDC_ADMIN_GROUP = "mealie-admins";
OIDC_USER_GROUP = "mealie-users";
};
credentialsFile = config.sops.secrets.mealie-env.path;
};
services.nginx.virtualHosts."recipes.escapeangle.com" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.mealie.port}";
};
};
services.atuin = {
enable = true;
openRegistration = false;
database = {
uri = "postgresql://atuin@db-01.tailnet.escapeangle.com:5432/atuin";
createLocally = false;
};
};
services.nginx.virtualHosts."atuin.escapeangle.com" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.atuin.port}";
};
};
services.vaultwarden = {
enable = true;
dbBackend = "postgresql";
config = {
DOMAIN = "https://bitwarden.kinkystar.com";
ROCKET_PORT = 8222;
};
environmentFile = config.sops.secrets.vaultwarden.path;
};
services.nginx.virtualHosts."bitwarden.kinkystar.com" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}";
};
};
sops = {
defaultSopsFile = ./hosting-01.yaml;
validateSopsFiles = false;
secrets = {
mealie-env = {
owner = "mealie";
};
vaultwarden = {
owner = "root";
};
};
};
system.stateVersion = "25.05";
}
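Review bot: `cookie_secret = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; # replaced in env` depends on an override that this file never sets up: no environment file or secret for headplane appears in the `sops.secrets` block, so if the override is absent or fails to load, the admin UI proxied at `/admin` would sign its cookies with a value published in the repository. Declare the real value as a sops-managed secret next to `mealie-env` and `vaultwarden`, and extend the comment to name its source, e.g. `# placeholder only; real value comes from <headplane env secret>`. `validateSopsFiles = false` drops the build-time check that would catch a missing or misspelled key, so such a mistake only surfaces at activation; a comment explaining why it is disabled would help. `services.headscale.address = "0.0.0.0"` could be `"127.0.0.1"`, since nginx reaches headscale through localhost and only 80/443 are meant to be exposed.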


@ -0,0 +1,50 @@
authelia:
hmac_secret: ENC[AES256_GCM,data:DbU0RE1cM3W2nW0qSZWFH8NCmd9qkjOuhTfGMXn+q6+UoKzh4Gf5bma8iXha4Y4ZZjpAHsj0csStGkrdayzjdQ==,iv:Q3Usgu6GXR3n5p9E9r1tUeM8CELl1WJ2gUhbOF2vzlE=,tag:8dLj1PFA/+LU2ToC44mtyA==,type:str]
jwt_secret: ENC[AES256_GCM,data:jIUeEUlv2ghFieuiTgfY7EoirOial0ZVWzUIEhvAL71GVKtYC+YfHMERiQ8l3d4FHH5gGR4VwvfX2Qo0M8JYPQ==,iv:ZbyQeoXWQHm5ql1L14XtdKYELpmEgoc3o3uldZCJsaQ=,tag:6U5xPh4tRUcox3LvFyzYwg==,type:str]
jwks: ENC[AES256_GCM,data:r3P9NWIxhcrTWKEM5paz3J/41d9LPcwSLaw/u0yNtVU6s/B1UROHnRFJSev/ed215s1YzzR5ouiIChLKyLLO9EAiz+yZKdM2l9JH3d2LxxHqZMtL3tTfKjei1uqvpr9+zuw9T0U7y/IZOm81of/vOZa7JS5IzGuRj8w9zXZey0L8CWbq7dA1WMWYmT506VlxjcktCeZCNO0vndNLxhOzQl2334OtKrVFs0LNohLu1JgvsXA3qPPX/c7t2LbttlcNni+dIZlTWWKgtg7F1FuPxfi4j6qNVbgITf253P1h1u9UsG+TPdC9x6SDVDMNbz6zzMpR1kr4tv2euDV99SYYDAzpy7W1aaiqxew+rCPqYUSTEU2zymZrLGzP3RrNWKbaZPLD2eaT0hymIdoEVQOsNYgKM/pIUF7KKFg4BYm7WqEUIfoTcFe5p2+hYHop5tHivEAgyBMFU8SkcIUGMfZFmyjTeryUK8MG9VgG2ll8Y90BRp+VRqS9D3Y0YgKGP+UfkgISsjDwo+tu9oJ3duJgzYUrOPD6ongm+u2S0hPt8SUOBdbFRnF1MwYfehShrg8Jca6y55hvNe1InQwV/oDldkOFwmWNb0nzXNIeatjKsuAmOEXWniEk44GWGk5OumgL71pfqWW8S6djp7DeWoLfTFCLZwjD8i6IfvzgsaGYUcjfj4KeHCRcjL6fplfw12cCbymCMxmAWw8w43Nz56t+9nPRC0+neI9WX8PzLONB+m+p08KGLY+6jEcy+MCIEbTmN2+leqSsB0uk2ToCRzd0FmIGImVSaKgYCOaUoT2NYBGsjIN/31num6Im/gKnN39qO4hIvIz+h6QfJyKCdzcbZ2lggvxWau48PmoDKIjy0mzfa1g3ah0GBgqWbg4pOlaNCumQ6NyRH/oBS8xVKSMLp2D4LubDcbFsTTbiXfljwwrfMQz7Ne5GFeWBIN+5pjVUtbqDM+7HlFwrTuAUWLBDbeJUe2vJMWzqeSbBihKzYHrPFX8Ic4G1HJh68wHssGnWGXQ6pWU9C0w3zCOIXBzPr8q7fd9kcjr5hWwteydIAakvKPNTGFnsw3kHL9d4TmKftCRwitFOH2YaGs7olArMAWAGL7/n8YT60A+K3vGwgMRW3X8sbLOs7kirjYMm4i5PPSfg7e3acME5Cr58UmKO7nqu8MXgU6KaR7axA1ypRrjIY0dhIiUiTMW7WaiiPXMbgV5LzWVhzb3YzEczL9c9nQUkpLWh8YGufuifaaKJpopgZoSDfu7A8u8g4yweHtFtg+fMU2ayrTUyfgtHlJ/ULIrKad3bDrvOJDRODwkUNS7NrqWVbAMP6EBRVBj65WXgqhWgsKYw6p2x9sD+Cy4Q1w5YpczcnlUu+qiV/LyZZJ0SrsoEe6UUKC0fQS7T03DHur+htvcBGwCftHqYCvf1YVDDW/sSWkdGUW8vAl3ajZuD8jGuK4faKzPCZRiwqDWiINXy3v3MC4lPUBwO1uCKeu7rnzd00xvT/C66BIKVs7R3eq1UVhVsAEEQljOb1ch2v8qMSYRKJAEICLlWWdoQazUJDoG9O3IZukva9BQU1vC07Jq3qI7EtbJM3+M1p+otwOgfZD7QOOjw08D3LtOPBn450ydDI6cl8v0ZW09Esog9nCJcyt8DfDJ/Y+5FJZ7MgQsXKWJTjIzQ8mvu888BGWeYtgDOY2wEUpk3VwzBQQR3i/qyvQm5b6w4H2AFNIxakK0Y+WX58E1AYeO+kPgXqWhxSeY9+zbj14MOV5+00ExPIZtw/rYiZhlDyu/PQ8tGzUB8MiT+8QMYWVsFKJ8l+v6uB7mhnPSo+m1rOwZQs4CxW4HDC8No+8GFNmbBXxzbmZ9E6DonCaftYEBluAAGM1ONGUSkxnb+a0PTgbDSrQ2K03LJxrkdJwvK9mMrJJ3mCNKGePTEN9PwDhY3/uMD6KLvsWAkX7/8krK8LkuPIIk3JT4p01ZYWt
BVY6WH7eOnC+5FaUbDxrpVNL5hS7DrAN4fSuHtYE7R4fYslImzTILvR3Zg7Z0gkbm+SDWjvnqHcXJv3yDM1LCLgJ7OUFL8oEG+PYtUVildEPW56Ng6uww+LfsV7hJ3BR6iINIyU79zsXtL1w+UJ641ORfdy1pikKlhDflXhbYqxDLzUbAKUjyFcwSNTFSJD7LE2Gc1HdKWM8sWiHWR2OP7S2ftVpeGj5KKQ2+5Y8/W15Di/QaaZAcicED4lYmrxOTYLdxR0CaAvGd5TmKfmjQ8ePsJN8xGJMRjiLwJ7p/AlQ==,iv:H32i8uJWcvMjL8HJcYfIrGcGINBDqasIXsRgITjMmxk=,tag:Jfn82j50QAljozvvqySlug==,type:str]
lldap_authelia_password: ENC[AES256_GCM,data:zc9TIslPGg6evzinIsuAJKjt2IADOQMjQjiRq88t8eM=,iv:6EvE9yS4e2fSuo06n2ARoOpcTXzjlwpMwgg4xrJVwcQ=,tag:5wWcJJotUlEV0umKjeMLQA==,type:str]
session_secret: ENC[AES256_GCM,data:pJ/DEcH9dydXQRPBW9bfmnTfRhCBK9uV0wtLFH7aTpj5i3Fa0UzrdsgPLvSPiG3XlQwHeALszzAkj+JpYI+dIQ==,iv:g5GFeOxrxYJU0B2o/eLfSmgbOPop0duuX5WhKJkttMg=,tag:Y7hsRtopuYmXWZly1DnOQA==,type:str]
smtp_password: ENC[AES256_GCM,data:Hca+LzID58tde/TXJuTaFj82kcWY3eGcc4ndvw7L7JE=,iv:Os/+7BSLHLwUHdeRkt1T/sLX/DCaNZGa9g/e9Fftfjk=,tag:fLYJ2ybRHV56m0BSzwfUxQ==,type:str]
storage_encryption_key: ENC[AES256_GCM,data:7tbBpgE48g4LvcE7KQUFQ18ejfOMEfxKRGMLe9dpu7sLftQbTVW9dGWcSiwW1NSomMefaflqISOV077y9/EqnQ==,iv:KtSQGFB4P8i9VphgNPHgqYytSeYA/kFnL4n6N87vqPI=,tag:bYR//XM8JhQDFiPK+pfPkw==,type:str]
lldap:
jwt_secret: ENC[AES256_GCM,data:T32xPJpMno8u1w1NJ+kar4yb3IKW+hQAfuxxBJ7uv8+tLAVi6YytTKwDz7dS3KCA1H7kxHmINEqbXng5qGP+Yg==,iv:EK3cVN7kpZnxldqSLd2OxyrGd1uCeEXpNcyIDUNxUI0=,tag:UZzrwhJ6isMNHLlFGFVvSg==,type:str]
key_seed: ENC[AES256_GCM,data:1y2snXLHVAnuwBSQ3ksvsMg9g3sozTkC5P0IgbJIg328RL8dZK3K9+mMe71W5a970NwP8agvEHaq4y/pQbbtIg==,iv:6sKjiaHPexmYjyzf+w1wU/rZk20cMawKXnsQ0PSbB2Y=,tag:kVi+s90LiLTgiYICjTNTUA==,type:str]
admin_password: ENC[AES256_GCM,data:08Wgc0iZGnd5MZm3BCiFY9VRGw==,iv:4RsV1KSfXk70zpMp589c5p8HOh6ybLULVXjevIdco2o=,tag:7ylVDQ9shfXUYWutzprP8g==,type:str]
oidc_clients:
headscale:
hashed: ENC[AES256_GCM,data:R1ePOxO+TBeM9oGjIayq34H3EBS7InGfbWtWc1+4GtQpUUDlk2elxPqzZf2fKcUcxJm5ToavRfJzkfv9G9RX1xm+YcP6J25anWUrjp4fkAL092CdYY4YxCti/nNqxm2IyeytyE9iS3p/fBGLdzQilXzsT2iW4tfW7mDtyh+ikp3I/po=,iv:E1+1K3oXYTv1xyFsyq9jHIjgHdrcRtSkv0WP2xePRm0=,tag:OlYBl3IJwSarpZDwfxKrmQ==,type:str]
unhashed: ENC[AES256_GCM,data:1+WcSLyYJofKz5VFgfPuAzreVOSTNiqLsavsL6fo0C0VW3tgINdvYeAqncr44ugrN3ZYkyo9KB/uN882/Vex/TAfUL4WSgkJ,iv:bXlqtcLFQv1cCravGYKuwImFKtYzjk39mFKAMy2PUKY=,tag:+vHaGjtldPvWlEpO86Ct1Q==,type:str]
forgejo:
access-key-id: ENC[AES256_GCM,data:RTNN8jVGLM1gLdLL8LIn8ntBBrrCevHTAweydc4cpLo=,iv:gU0vCbqgWAANBP/WsZwnoKpFeLgRlJhEWS7pxma2b8I=,tag:NSzRIQvS6A47bwUq+kRlrA==,type:str]
secret-access-key: ENC[AES256_GCM,data:sIubWLP6XT5rETypmHduKKdJmTGTsr0K9litkBqmLSNppqzaCNzK6XuTwn+3Ge22Pjk8hgk+cWbCGYID9gtYGg==,iv:3iZgxvXYkOppMTXZxpWWmgtd2gYnNXlg+WaUnlkxMhA=,tag:P7fZyHvUOaaFuzcOOQPrNw==,type:str]
mailer-password: ENC[AES256_GCM,data:smIdxI/OiqjDmatCV5nh2qkY4/2J9Vmi1lP5sEezduqpUp2Lsd7DkYJIpI5927Bf5Nb/rUlnYMipz9nd/KjfkA==,iv:rfMOGk2/bP1MxQVYQBgmR/Z6z2p1yWhejvz66OjqvH4=,tag:XvZfHh5ndpGQIN2cubYVHg==,type:str]
oidc-secret: ENC[AES256_GCM,data:CC78bq7nFYXAV0MLIshBkB1s7kQOgn0bkk21olNf9xT10KjJBB4KkbIZ6WI45T88MsK9Lv3FB6C9tRaPo3TLzcuz7D2Yk6O7,iv:ouUIoQY03DRlKpbEy8LTFnuClmYADa38Tp9EN932XSU=,tag:ieVnmE1A6g91qw9p1ek49Q==,type:str]
mealie-env: ENC[AES256_GCM,data:E9z2K/HJNs3MrYMG+WjxUjxl5vslVskQOyHSs2qwDWbL6Dzjqd3ifvwuT6vSufEce0QaU9d+lIC/EAwi3LIxl9M77eBaUq3QXLeTdJ87DObJOpsxhbelaV5rKec=,iv:w1cdMEIaHFES8oHvMGcGp4jHhMPMje3SVepbaMJcEe4=,tag:wl5+xDtjM8rd9ecq2ws/Xw==,type:str]
vaultwarden: ENC[AES256_GCM,data:YTGRVjajeSSRnjqaZHTa9HiV1c0kQj6+3m3BMirMH4Pu6NNlTYJgGOdz44jEmx4plbZkyM+ZkFVK3sL9rDryaxKGeDxZyM/2zPTlcosPVgA4ObzmmyT0XUoNRjOPYiE3CibmG9ZAEKp8hkGJGJATFOaQrphDS0Zczq/zc8+vUpVSJi8ycB1y1fxNAvfrftyETUsGYdKrD5+5s4fl422L6G12xdcy3TQNdfPz+SeXfhcTXSnORCglyYVzYlbUFQF9N6rpyZROv0dsN+s+c1d6Fsg6ROL3NrfQ0DkUy2rdmzAxrMNlRa89ZAybkDNeW/Wm24E/P+S5gqysRKA9ZJ6H/F9JZWJOazESgzcBLsWvSRO7U0O4Nou8uWAVuvQ/lmgwbepjUKG1EWRXJdNkZtL4EQiWR5G7NnhXjiLb22do7w5O8qiCXOHtQek/wfT57loLCn8oQfz6,iv:Sq7Mom6PwmmjU9t+qZM3I+Ybb416eEzqwAFeCHaeB8M=,tag:8mb+YC6zq22V/qgjMKHbPw==,type:str]
sops:
age:
- recipient: age18g4z53ykxzq35dsjq3a2np4f88xwat0kwtax229l3zn0ykhlpvqqy8fgtv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5Y3JKMVB6Mkw1QVRFTmtm
NnRBV2k0WDhoZ0pKUzJGS2JWbzFBb3RvNnlvCkVrT200bExhc3hxMTJ4N1NFdWlH
SDBmVzRGZXJaWWtsNEU3WDlXQ0NnV2sKLS0tIEQ5bldJNlUyVUlsdW5qUWtFaGdV
RWRCYlk1RkM1Z0ZiS25mYnRuWjYybzAKcZgEfGBifKHkEowQxe+1xQJhk6JuhJXQ
LLdL9jBdfMrqXz48653XRKf3h4Nn4K70E65Ek8sPyZ5qSJYJHOwjYw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-10-21T11:33:52Z"
mac: ENC[AES256_GCM,data:6N0F+M2EyTiuXQokdVLGn3dZ5AG6Oq+uvrVoEvKPatyy8ynO0X7fS4GbvmHXmrzXcZwEIz16Y8M3Mk8S+PsVR0Zpc08HRwcIKtXCS7y00Y1iokAL83MoqG4m0kZbuvyY4nOvYAfH1VEJXsD5wSCYL2rMcer5oZ9zQagrNSjTUzw=,iv:+0990xD6258PwlWsggOLeXjSTqPSiN/qF6/xS9gRfXI=,tag:fZg+cQZncU0VV1maNSPOgg==,type:str]
pgp:
- created_at: "2025-10-21T11:33:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DARdpY4woM6wSAQdAnTJPigLMOtu+U77zU4a4lLCbOQXQEHA4nfTpE08zbB0w
84QM/lVMfCa0T6Gng3tmJoyrwzoQyuSlo78NQcHFziFKKgKHpMfm1iAVEh27UFz9
0lwB/J66BejarAaPZYV6Wfht0T4KAzT+3UE97YfTT8PqR4UP4oleZXB8GCEYcO7y
ioHi4s0HbdB452J1pmTe3MwkalmCWLr9dPLWk9KNNqn/k6c/L8F5YjtAdU775A==
=/Qvi
-----END PGP MESSAGE-----
fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92
unencrypted_suffix: _unencrypted
version: 3.11.0