fix(cup-dragon): compose; ACME; forgejo themed/runner

dr460nf1r3 · Nov 12, 2024 · 4ca33d5 · 4ca33d5
1 parent 68d944d
commit 4ca33d5
Show file tree

Hide file tree

Showing 7 changed files with 107 additions and 33 deletions.
diff --git a/docs/src/modules/compose-runner.md b/docs/src/modules/compose-runner.md
@@ -0,0 +1,5 @@
+# Compose runner
+
+```nix
+{{#include ../../../nixos/modules/compose-runner.nix}}
+```
diff --git a/docs/src/modules/docker-compose-runner.md b/docs/src/modules/docker-compose-runner.md
diff --git a/nixos/cup-dragon/forgejo.nix b/nixos/cup-dragon/forgejo.nix
@@ -1,19 +1,29 @@
 {
   lib,
   config,
+  pkgs,
   ...
 }: let
   cfg = config.services.forgejo;
   srv = cfg.settings.server;
+  theme = pkgs.fetchzip {
+    url = "https://github.com/catppuccin/gitea/releases/download/v1.0.1/catppuccin-gitea.tar.gz";
+    sha256 = "sha256-et5luA3SI7iOcEIQ3CVIu0+eiLs8C/8mOitYlWQa/uI=";
+    stripRoot = false;
+  };
 in {
   services.nginx = {
     virtualHosts.${cfg.settings.server.DOMAIN} = {
-      forceSSL = true;
-      enableACME = true;
       extraConfig = ''
         client_max_body_size 512M;
       '';
+      forceSSL = true;
+      http3 = true;
+      http3_hq = true;
+      kTLS = true;
       locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
+      quic = true;
+      useACMEHost = "dr460nf1r3.org";
     };
   };
 
@@ -22,45 +32,77 @@ in {
     database.type = "postgres";
     lfs.enable = true;
     settings = {
-      server = {
-        DOMAIN = "git.dr460nf1r3.org";
-        ROOT_URL = "https://${srv.DOMAIN}/";
-        HTTP_PORT = 3000;
-      };
-      session.COOKIE_SECURE = true;
-      service.DISABLE_REGISTRATION = true;
-      actions = {
-        ENABLED = true;
-        DEFAULT_ACTIONS_URL = "github";
+      actions.ENABLED = true;
+      DEFAULT = {
+        APP_NAME = "Dragon's Git forge";
+        APP_SLOGAN = "The place where dragons forge their code";
       };
       mailer = {
         ENABLED = true;
-        SMTP_ADDR = "mail.garudalinux.net";
         FROM = "noreply@${srv.DOMAIN}";
-        USER = "noreply@${srv.DOMAIN}";
         PASSWD = config.sops.secrets."mail/forgejo".path;
+        SMTP_ADDR = "mail.garudalinux.net";
+        USER = "noreply@${srv.DOMAIN}";
+      };
+      other = {
+        SHOW_FOOTER_VERSION = false;
+      };
+      server = {
+        DOMAIN = "git.dr460nf1r3.org";
+        HTTP_PORT = 3050;
+        ROOT_URL = "https://${srv.DOMAIN}/";
+      };
+      service.DISABLE_REGISTRATION = true;
+      session.COOKIE_SECURE = true;
+      ui = {
+        DEFAULT_THEME = "catppuccin-maroon-auto";
+        THEMES = "catppuccin-rosewater-auto,catppuccin-flamingo-auto,catppuccin-pink-auto,catppuccin-mauve-auto,catppuccin-red-auto,catppuccin-maroon-auto,catppuccin-peach-auto,catppuccin-yellow-auto,catppuccin-green-auto,catppuccin-teal-auto,catppuccin-sky-auto,catppuccin-sapphire-auto,catppuccin-blue-auto,catppuccin-lavender-auto";
       };
     };
   };
 
   sops.secrets."mail/forgejo" = {
     mode = "0400";
     owner = config.users.users.forgejo.name;
-    path = "/var/lib/forgejo/mail";
+    path = "/var/lib/forgejo/.mail";
   };
   sops.secrets."passwords/forgejo" = {
     mode = "0400";
     owner = config.users.users.forgejo.name;
     path = "/var/lib/forgejo/.password";
   };
 
+  # Link Catppuccin themes and ensure admin user
   systemd.services.forgejo.preStart = let
     adminCmd = "${lib.getExe cfg.package} admin user";
     pwd = config.sops.secrets."passwords/forgejo";
     user = "root";
   in ''
     ${adminCmd} create --admin --email "root@localhost" --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
-    ## uncomment this line to change an admin user which was already created
     # ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
+
+    rm -rf ${config.services.forgejo.stateDir}/custom/public/assets
+    mkdir -p ${config.services.forgejo.stateDir}/custom/public/assets
+    ln -sf ${theme} ${config.services.forgejo.stateDir}/custom/public/assets/css
   '';
+
+  # Runner for Forgejo Actions
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-actions-runner;
+    instances.default = {
+      enable = true;
+      name = "cup-dragon-1";
+      url = "https://git.dr460nf1r3.org";
+      tokenFile = config.sops.secrets."api_keys/forgejo_runner".path;
+      labels = [
+        "ubuntu-latest:docker://node:16-bullseye"
+        "ubuntu-22.04:docker://node:16-bullseye"
+        "native:host"
+      ];
+    };
+  };
+  sops.secrets."api_keys/forgejo_runner" = {
+    mode = "0400";
+    path = "/var/lib/gitea-runner/.token";
+  };
 }
diff --git a/nixos/cup-dragon/matrix.nix b/nixos/cup-dragon/matrix.nix
@@ -34,6 +34,13 @@ in {
   };
   services.nginx = {
     virtualHosts."${matrix_hostname}" = {
+      extraConfig = ''
+        merge_slashes off;
+      '';
+      forceSSL = true;
+      http3 = true;
+      http3_hq = true;
+      kTLS = true;
       listen = [
         {
           addr = "0.0.0.0";
@@ -56,7 +63,6 @@ in {
           ssl = true;
         }
       ];
-
       locations."/_matrix/" = {
         proxyPass = "http://backend_conduit$request_uri";
         proxyWebsockets = true;
@@ -80,10 +86,8 @@ in {
           add_header Access-Control-Allow-Origin "*";
         '';
       };
-
-      extraConfig = ''
-        merge_slashes off;
-      '';
+      quic = true;
+      useACMEHost = "dr460nf1r3.org";
     };
 
     upstreams = {

diff --git a/nixos/modules/compose-runner.nix b/nixos/modules/compose-runner.nix
@@ -56,12 +56,12 @@ in {
                   chmod 600 "${statepath}/.env"
                 ''}
                 cd "${statepath}"
-                docker compose up
+                docker-compose up
               '';
               ExecStopPost = pkgs.writeShellScript ("execstop-compose-runner-" + name) ''
                 set -e
                 cd "${statepath}"
-                docker compose down
+                docker-compose down
               '';
             };
             unitConfig = {

diff --git a/nixos/modules/servers.nix b/nixos/modules/servers.nix
@@ -49,7 +49,7 @@ in {
       hardware.enable = false;
       networking.enable = false;
     };
-    boot.plymouth.enable = true;
+    boot.plymouth.enable = false;
 
     # Enable the Netdata daemon
     services.netdata.enable = lib.mkIf cfg.monitoring true;
@@ -148,6 +148,18 @@ in {
     };
     services.nginx.sslDhparam = config.security.dhparams.params.nginx.path;
 
+    # Default catch-all for unknown domains
+    services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
+      addSSL = true;
+      extraConfig = ''
+        log_not_found off;
+        return 404;
+      '';
+      http3 = true;
+      quic = true;
+      useACMEHost = "dr460nf1r3.org";
+    };
+
     # Need to explicitly open our web server ports
     networking.firewall = lib.mkIf config.services.nginx.enable {
       allowedTCPPorts = [80 443];
@@ -160,10 +172,24 @@ in {
       "net.core.wmem_max" = 7500000;
     };
 
-    # Enable this so we don't get annoyed by the ACME TOS
+    # SSL certs for the server
     security.acme = {
       acceptTerms = true;
-      defaults.email = "[email protected]";
+      defaults = {
+        group = "nginx";
+        email = "[email protected]";
+      };
+      certs."dr460nf1r3.org" = {
+        extraDomainNames = ["*.dr460nf1r3.org"];
+        dnsProvider = "cloudflare";
+        dnsPropagationCheck = true;
+        credentialsFile = config.sops.secrets."api_keys/cloudflare".path;
+      };
+    };
+    sops.secrets."api_keys/cloudflare" = {
+      mode = "0400";
+      owner = "acme";
+      path = "/run/secrets/api_keys/cloudflare";
     };
   };
 }
diff --git a/secrets/global.yaml b/secrets/global.yaml
@@ -7,10 +7,12 @@ api_keys:
     cachix: ENC[AES256_GCM,data:gud98GQH6vSDW8dcTEJSb/gRcNd6VDB9mNWQh+6/OK4rpYzdONRdM2lkcTI4E3AKwwYeVgIJjYXDLbtyQIAO8ZwnQGlixKFDP0bkLErWwlS/7LSlq25s3QploHPp8wggt3qJIdj3bk2lS+lopFflCWyNh36r3aUy+0qgqgw2rK9sG9rCVqbfbmHXv2d3WzyhUuFJAqlsjLbiK/Lga9FMK0QzJDz+c3cjZ3hVhmAR6J3sZ6x85NVZjKSkwIk4VI1ZUfaWZ68c7FUOlchkt7UIJ58swiFXJ8pCcGGXG0z2EAkx2yHybaSues/Q8kciXy20XUv1zQ4D3L8sFAsYBrBIfI9r9IU8zgGJ0Eaf5nlbRLqWgxlT7WgWMakpC0JcpBbP0iNGOmvTNQW1C80CcyCpkeGj6SQNth9D47HOYG3vGXiq2zFaGAT3GmbR+6LxD/PNX9T2O8Kk/7CviF4=,iv:YzOz8pblH5H/eDX/nvm+F+H7+1u/dfIcHPm0YOHiMoU=,tag:FvmZo1vWhEzIhgkjNxpihw==,type:str]
     duo: ENC[AES256_GCM,data:GshVmN1da0b8A1Yjm6Kl8qvFwq4tMgb+AX7EwIhXzHlt1PC7usw8/A==,iv:9J0kNqoyV+xWrxtCpxOA1bu9PLjWowGriGWe+FH6gnY=,tag:KZ759xigI65g1N4Lf8jbRA==,type:str]
     github_runner: ENC[AES256_GCM,data:foEXBPWQI+wKVfPLStX/nWYgW1dyleBENhw/L68=,iv:wz8KEWisOLFtZRCpuIDYW5EOdxTYxzWDUgeXQGcXVlg=,tag:1MOpirig2XO7ecn/o+JAdg==,type:str]
+    forgejo_runner: ENC[AES256_GCM,data:6J7HbSfxc1Aiob5Yqwe1klwVtMPe8HC3d+36peeVqVJV1CLGLLuEWc1nC3bhmw==,iv:lWQB/F7wog0CRxqlf4cHearc3/4Lp7jAPj/XcC01WtI=,tag:NB8+5YSR3kkc90IPve/PPQ==,type:str]
     heroku: ENC[AES256_GCM,data:jcGxknX/12J2XypnnDSYi7jhz8rCXY6gtyUsPITl0Aj1ADAbtDAQcLTq56ZlnqlK5JO6e2kV7uhu/TmtpRIu7Uo9UjBTemklONHjpjtDRnAQEYxkgByfhqS0fF+967E+2qUKP6iBCUJELW2sMZ1aj3rGTKXIWbmScy556BKV3wBuM4lwcIl0AORnoCR5hlVZyM9fZuGnSz9EA5csQvR7N0GMrKfgHEB4lmD1W6ba6435z6ntLDGAtiRMY8V4NwSbXE/Qat/xw1QrQKpmASElvUOUcXyXmNBROyCitDxlAEop7aVkSyMGZ1wBfRwW,iv:/JkkOfC9/FJa+9obFUf94qgL87+ZrWLaoqZ3RQbXXJg=,tag:erUYHN2B19YLnoQwbpg2Yg==,type:str]
     sops: ENC[AES256_GCM,data:XK1QW0QdpZVUOrYFrGMZzL1c/MiANtKSbB1fJ0LVuh/UF9SxYHPC8jAXUXAY+6HtY/UHYERToyY9I2K8PgpZT2UHsLNXwDVnEUc=,iv:RQXCDSULJdZxZmom8/CpGstnegj/XCT5lOKWii4DZIg=,tag:3RcZhgsVKy1wlFqakIFEnQ==,type:str]
     netdata: ENC[AES256_GCM,data:+gkJn18ztLBXSJ8DSFlHtaTHJKJFXGLw1/0PfzKt3ptJJGucZxHcQz5MmpDTeOypSO1iQ41Un9mD1ul+UxJCfjvqUXvbmYX11Nq4Tgheme4ciPNra5EYGx1i+Oc5dpMyp3v1nwPw/4Jbkl66dqUXL0k9xu6Glniwpi2JRQD/x3Hl7AzwI0n4,iv:MsoIpaJx6VEZiLd+It9xq6E3nCr5OWRhlxqQd0W2opM=,tag:iK+xo9Dq3P6NsT9+pyd63w==,type:str]
     cloudflared: ENC[AES256_GCM,data:78Ig5nIGpwg2PbkffMMH4PCQlW6oUYVjpYI1Dudq2SMBaUyYuMewB5N6xRq90OQREWKLZ1MK64LF4kjAw++Of4yJ3BtCmDJ/KcmwPyVruDe8H0zKEWy90ZxuqLBRTCJWBnM8vQxXQZbpRRkQhNRMOP1FwKTmcerIAB9asJP3DsTXa6bGn+zXZqce1xCRURwZ1DXqsDuOsVT5JQI8Jrq2CK3Pf+/T2GaeCGaFx0L9foEJB2zRD3pOYfP5SfalMSKWXHx+49aXrrRzyB5BXZDsBm9aCfCIer2Z/rHRbcy1V7GbctXQI+2Zc2i8gqqn5/iufx0SjZ0KBzloGN4ObwymGGSUVd8TRZVZIerAMDZ2ilBmnrZolZFfy3sRRB+zu54b0Rt9kOmBXQ08qvJZNfnVqa8GSluHbEU4I5lGoOLSPGSfcGrKflkXu1ADpEyVV02uNEf+lLc1igtQJmofV0bSbVry4LALECu2iykam5QXmapTFG1/hYDHuZXcABfQU8zQlPsEnNS04kQUdBFbthX4KGvyv8zJu84yV6FMnH+20Ea2XoNPbT7VnGexlN5GOMpb408RM/Ee6YtqaxEvdyq1i52/sFi6xjH1qtcocIZD0vHlGo1yXq+4ZKAk+Y+85s4g++vLiA3Iw7cNpo0UESgawAle4gXWmk6Q8anuUkpMwfhfGflRbCSEegt9U4bfqDc3qZMc1KyzSIvWDvzJQ23AMcFKBVD6IQ5DRVsxRXGFnBHvFhUmgN2AqClsSvxBT4HenmPuGrAYyD9mtBTzcZhOxxdfkfJ+uiRHOxCbapRL1emCPvtKHgyQ3YzBkb6qCqs7q1X3NAg1xuU9lSVN6QL7pUpzGdCKl8TKL4Bs04XQb7uY+kPqjxvIYOj4bK28z3FL8mr0wuLdrpQ6N9UwmUQfB65SLdYmcB4JcUDfycr+d7fcAuBkh4fY80J1uA+MUeanAVVIh7EkYeQSskOBvhsbHLWf3UZm7bIbS02/lBMj1RG1r+6GWuPNt69ZQg/Vpbo+QpIky9zEV91b9QIqMOzcGsRVfdj46BskQWk1uunKqbuIuUtTz1DpAHiFIBMFTH5p1tYgV/y9UHAY0srBmQjNSVsyDijuKaE0I1C1PBzp1HceB2R5nY58RXMnKwkKfqQm2M/Q8URJDrH3Fd6CpAI5Gq0Xs08rUfeZCMQ8NMHg2SLy/eR3tZqTTZHt3EEQWLWBA8RxAlVDVg6ISSfJO1/DeQzX7Yte9sw991xmAa+tRwKtmatgvp1tOHTvn02pbAk8VWHqqz4K6UuqBf7m7gRsj4AEvyyvntLHHFHPlRWDdRu++7kvgkIyohCmEg8FV1fKhmZ8sQEh8361s2286YG0zMmd8mXx7xNSyF0MQNB+uiyDZQEeHljx4FcfhhARL8c/lqx+RGJJ34nHtZDcYD4GeESfFan0OpJ6ZIoH7CfeJWdZNdE0lNNVqq99B7ZuZlZPhZPUw8Sww/gZ1pqZixY13cUI0k1ZROfIiEnTSJoOPJv6VgpoyzuaQ5Ni/hsUZ02O2OjTHMy6NvJ41j1JBrX83pbHlhsReB4ftAZkr/kynUdYIJldfXrgfDTu0Y43RFxEhaoTxdCKIGhhtvJKXm2UY9Y3gU3yfWapGnDP/EE+GVDs2xpReMwta3QL7l7YC9ql0znEoP/Ix0+RV2PwVF+7EcjgM8H6lEM1ScDJrt0Ji9sA9Ut5xh2iFm7N+9W/Inzx60KpvmpluRtYrAXz+zKDXKnVY1M3kaBAZ0r6wqkXCg+vLfKhXJXOrnQ/1mMS11RKvP8vn5K04RwcZJPm8N4ndARjbptRdSX8Ryp2yBsWNaFVqjeEaSrw0SBvUcZNWBF6vzy5yq/A7tqfXtLK809cS9IeuLFfrPf0WH21jnMEhY7h4R0NZekURjgD1oA/S65h6/o0GLYYWwHaYoe62WMBiwUbUUWJ3L0zT3iGctaJ9QTxWHpqukbNM5J570bvoBAqGl7D4paV0r2pUgN9lTQF0zB/6gQrisZq7htcAjjqUhBzNCzVgl7x26/wI/2RvVxGK+g/8RGOt2KBn6UokeY2/2l7Ongf6N0f/fRnVzUrDvdxX2+VWfKEHOyHMRqA+u08AJmthCWe3j0cO/FteRE3qch81dILcVFhrLCeOvN+WPj+8tJ+95OuuK8baG4Gu8gu8bybJBSm46FJtFRCbypqEUq1nw+dC9Nzk61DXfnEpzXTf1/iXGA4245eUMF22KbUxFTSZ9Fw/M0huLGB2XYZreGh53M34t+a17Jry+mMkjmPDOaIrrzO5NnyX4gLzGk/S+1VooopPR/DVJqy40BMHdeLAUAXge4saRcOq6EHcpl8TKUWX1MYtFU4HiULB0r+C+b48HOUrrcZ7/xV9KNNQ1AYuCRFQ62BUlO7MtP9z4PWnlI9d5pEwGLotz4Hpt5BWh/PONPft2/S1Iffh2C6Vcy6RttvWpLqT4rfKHbsk+Eby0N8HNYh9YTn5+rxioAXQa3kzwcdjASusv3ypVACmMBeOGfLeYD3CsqeeAVIhDz7/1jGW+dYtlwLiqVL2V39pCUupP4USbJi4nAVlARDlWaD,iv:ryBxLu4M+BcOlj4p+IRmrz+7IJRoo43EVd6enDsJoxk=,tag:1Evrd4w5LjDdOUvWVwclCA==,type:str]
+    cloudflare: ENC[AES256_GCM,data:pxg/tO/o89zuwCEE03sHRsb1vLs0EwIQRGubEB6mrzJQXvXsoWzmxTbgcexySdkmM3Se/TYS0AthKmk1qVsIbAcF5Gm/sMw5hSJzy+ZBF8YhUI/mqCx2l6J4yCQJ73bRW4G3FrrkisXoNDFpiMg/g+K7TPedyri0peIDr0ePqiQ4+wMczj38phyBMI8ylgg3jtlm3Qf1fsMIgJsk3Ag8SL/PYhZ9MronWHPMqGfO8W5bg1r5pRSBl+02c3hiPSLogWNj8tvquLXd9q/Rr8khEG/cXwufc+C0aEHAYm7SUl6/TGWUveOtAw/5,iv:Gz3uoFlvaHrFVobXNych9orO4QzneMxdd8zYmcCi7wQ=,tag:+X3JnhMO4ADSI0FXbIAKDw==,type:str]
 ssh_keys:
     id_rsa: ENC[AES256_GCM,data:8gymCNAeefZHAOl1LvB9mtnsRs3IIb1uEkPVkS4zYSlDqtQjFOPhQxSklO2DseHSWwN3IkuFa2XBZvJlygFtx/dNHJhboc/KoyigZcPc/3MI42tRxnuxBQDQ8Bu6HTfEXj46dzdM6ghp0Ukq1T+9a+ERM1mpQE6oQRk6gjzHHdKMhdTHLS3oReYKPwkSdABgmb5PRtOHf/iQIBKU7XJjLA6q6Jvg7PCQwXsh/9PA8nak0BxjUAz0bcTASa9yJPKJcq/67X2LggG2J6Sil+ZFpusGbVz+o/c9lhCLed8dCcRw6F6RCFBgPu0f4HRvy8vbYd7e+O/2qZN7Yf8tWJqJrD/ZnuIaq4QvDHGNdeNeBYqwioMox9jV3CXl4EU48RZalPA/aAoPtCqayRXzftjKplMiJbirvSPUuqlUUyYOiiGq+lht4MRVkKv4rQEAVlJU1R+kjr6YTofQX9i2to0m6BFRFwVChwYszs/n/a6umwPFmrcSJ2z7Zz2/jeFejlsPtuEHQT20zpaqbkudmWErnZkfaT6JakG5m+wTVCE4OQeQCOXvknB5w710dsUq5tlclBG+uz8LoJ8MA8iqR0Ey8y944qWyQLWTTxol3OmGFkUNQUwpq76zG2RuToAOucApE+UtOEFkwFGOPYSaC7V+XllQvZvPNG8sklGS3gs7W/iNZZ172o4QXF2577FtVjD8uSv3ObaBusk6cAoZBHccKeod8ft3RQZzQFfoOadaUabYW8Fgrva2phByoz8NGOVGnY0siwamzCDZmYAvpvR0BMlitiBiysUiGIwJRgH30Jg5Io7JFzQicRyZXQqCd/ZvfgDJSzavmQyzOJlm1AqHzqFfCSI2KmKTy9WaZm2gRaVTa2nCAE1nMibex+rneMwqitVwDAhIKqJSQFefWj8blpvhGO99QCtsIZ1z6zUt4H1Bsv8s35XP037sqAgIHlrExR+5TV3fyQy36Vps90PXBXEILcBDxtJ5sH5uobVVJ7H8Ex+/ze+2PlQF125q1EejWedEtmOmRfNJTQ8Cba/nCgpxzvHdaweMlPvzbfgsZKbNl1fgoq/MOv+f9IcXVZxMU76auDBzfBqYVOUHGpzcZ/FkkROsn5bxC7us8SE3w2U1HX4PX5eO9aY10FdOFLako8Vyj0UXXNEkPhY5JVvMJbRhZtBQQI22F5EXuvM5WjOXeLQAih1Dm2JwygkB0ZMp+4FPK5dA3fsemjPDBIH2FEyzrGf0C/Iiy9VGg8fnZgnwb+CGk0H79e302MyNKVz3DEKaenTEmbXM3FrEs0RdwBIHUbrRwm4WPesL/2LJ7e19fsKvG41b7WUafQgr7IAn4mHstwj6xNbXisezGN2sxt09kIv/2UHdwiwIlYRLe7Lmjh2LzWL6dF+KaFkTdIuKHpvEIW5mzYwtSFbkqgy/Ztj+DM/BqQ7GMLCSg74o/98ueN5KWRiR8Aw64Rzyc5COvkNvArNtE32d6U3HrBmiOwo5FumKXVHqySAOlATYazRgXGfAZ0azh2+HSCnT4CTtTpdO1ag5mt3VdeTfnjgZxTCLMJ5k9Ix5SzTdnYz3VPQxhr+OgSs7Jd1rKAmK1pdBDi5A6OUwe/Vkb1Gkw6ertV2BG3FyIVfjlLE3qId13ErItkYltEM9O9ixRunWnOheFk76QGLLjknEDf7EGVGqxKxUT81tL9u5h/kOK2WGNPlpWXi/0eZ0CvRMpGSKRLfcJccXkvBAdzKApIUx1zrCpjn0bWvBq32hlhJloCK4OKlbC9Qk2CbclciCB+9J9iyKnwPtDKyfQJ7aJ+7qn4FTtHV+goDUroS0y9NjblapUupzxsdKcwMQzkyQTkI/4Qu6r9lKjnj0NynfGNEX31i18ope9Oe2iVICNeLyvmgdR4WoWM2MAKJi4MF5RZvSJwaxmm6ezwuE68+X2BVwexXT97GVRowxkG68+3YBbRGXcGj4jREWEalg+Fr17OAXmAge1UNGmZeCCF6XmzGe8++YV/dXQQIlbmZPDs4dbkTMPUQsk1rDZM/iU3qK1m/t7Bgmog756jGLJYXZC7AHARw9GdfoOwR8JRgpP5PyH/IxHFNaZvuZJ3dB1Avq9ulIs8TurBr0wgn5OknLvMFX0YZkKCub5R9wN3FrjKacr5JEOcnciYF3xfFJbgOZ6FJMs7i06XiDnjG/0SL5hHT3fjF4ntvomO3A7LnAu75y7gx0ZGNfKQRtOy9/6gFgKzrI/dNCZOAa3njQ4Z6xCIE2n5CUEYAdO1XPXJbjAvB/pvFX7zp15SpocEorIqZPeX+Gi8z/a8rPjM6xbKTgTWB14ykDiWcOWlq8cZ2hHrKBc9/oC4Sj40+Mckw2RsoHbEi4LYLLiSf6pTxYDHcmp+qcq6dxr3ASyRAkIAlrHbigeLcxmoArZ/eokkdnrfJuqrmf1JLQDUWaftOlK2KxeNa+MG5te7yFpH/Z1omSgoUmek5+R2Izu/uWHAqyMgfTjXsceY4Tin3RxFEmegAMovuDZvy4hxMRtt3rXP1UKdx9vddwv9rZ9IzL3GkUrgnFptkbXzvQayKGNY073Axg276tjsJrouOJlBItzkrbMXtSNSc9pnoBmHW+NYWfzdAEMkMJNa4Ac+iFLWBi4GGVE4TejmqTMqdekWXSUw2bP10zzTOBuolmdumMEhoR/Im1llOe0q9ZxHWiviga218s1M+iL/INs6mIEpVXDgWEMUqPYfrLmGXgJOjLVEZFEQRZEN1tdQC8EoItMqB119g2secb5+hImq0lY3Yl07ibsVrfT95ka9ShtNndXneA6WUiKH6s8qED7BNjewLB/I4O3/GKI9yBIMEdV5JumRDjC8C69yqE7rbFZc71e/1KXVMTmRCNzGEr59C27pqgFyV6mzKx1uzlTzEo5KpsKtsX7UsbVtaZepEWqVTc0kX3/gfm5zHg4gG6eCgaOcWrm2m+yv9ryTMCAS/fBgnFRV4+P0H+GEwbOHGKSO9z1KQDiGorarBmt/G4QAXOo7tL5UNwDUZsDT65jLfFivahLJuVwbSA8VLY2Pk2Zu/NlgjXP4qFTmVN93TLg3vtoSp/1oOos/b17TBwgLkfPX4bRg3UW9+hykiVQbOp9z7sM/md8+953I4v10sAQESUAh4sWwSK8K5yMzqSfOPk6u05FJEOK/8dgcswGUMNYtL2Oiourb+zk5UcVwMhUDE08Ac0SR9E5yHDWq6UTZKmhwAw9W0jjogXTNcn/KpFmwPeAdwnE0sDTAryR9AT/3d9C7eLJYFxRIOk3tWQsqaXLQA0XZsRg4iMyN1FWuJIPC3G3E9hwLT4ZJ4p254w5KoLB4UVTjnlsUEOCSdw6QZ0779FjVoday+iCyNRWBZlOuXJZGHKaSsPFL8/6hIJq7Bk/souLHZX+A2LzN+WbEfDgD7GERCqV2d8JljIJnJjYqTdhRUA73eqGUUPsb2kMo6xlJ1NgEBXVA==,iv:c27aL7cSRwZo4PFRxVgJe/oydVTNr6ajGV0cOfHZK2U=,tag:Wb82drZzl4hDJoAmlKLsXA==,type:str]
     id_ed25519: ENC[AES256_GCM,data:5zZ/JqPx2BYcNZRwvaD9P39TVbsvs4s/eacuX0JqNFmEt42Q62953FTpRqoNxvJGhHroZ8WSXpaqTvazclAvCfuCykNEWXbz8yqL6U/pzdD4FoGg6EcN9Rd4sgEQolsmNJwqNUB9hJD/QHJoUBzpAu6KuqwMoT10lkicFw5PvQkgwOUDO9L900+qG1M8XyZ5kAItpabzQJSdi87pefOmVJwL3ttFp+7tXmOvTnfmx8iFpYDsB09OZ2vCScaA302tUoyJL67c6aFg69Pb7WE/G0MZA+os51bXC92trisrgg3JCd0djlCwy/ZgKLfAQfw7JbQwR7PtwLsxi7gyNP9i+504HEwLbZAU7mV8vyt0x2RnIT6KTt8kuTZlfBqId+w9QArpoLQjxUObj+xmr8OjGyihoYwyeEmGNDaepaoC+IyLK6iv2A+5XOaKjw==,iv:sz+COZA5+FkQdA9TpCSWrrbDAKMJnG3dWGgimCE5yrA=,tag:1oaYTSWqN2Hm2IcO0Yk2Xw==,type:str]
@@ -66,8 +68,8 @@ sops:
             RXBDTUFBMGxCRjFZYjNQTjAyZEp2djAKcLU+XtcpgRhDceOm13skVyfJyWXUa09t
             dDW6UW9/GcPW6DtOkM1vlGnQ1Wh+i3E/9R05uXp9QXfbuA0rW5Zcrw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-11T17:34:41Z"
-    mac: ENC[AES256_GCM,data:ehpUSw2b7MEGHPI+f9K9sxrxYN7tTC5y/oa5huxvtGg+6IJt3owbjotoSQH9KcXvx0ZFH+0e5SIhL5jbma58bkoXk0e368tN3LFec2Qs0dQkHjbRSgQufNoeKGuy8IJlH1y5RVV57x66u6TvrlQh5L7oqIrih8H0hBUsG9KJn5A=,iv:qnMPcNK6Hhoy0Go42hUffsulzjwChAgljzhxp8MbmHs=,tag:mRY9xUx8QXmO5PGg27Ip+g==,type:str]
+    lastmodified: "2024-11-12T09:23:41Z"
+    mac: ENC[AES256_GCM,data:U0HhaB0JycUFUuQNCzpdrMAvHKYXZop9/DnzMQJ6KpXtLSR4ge/HLYD/M+JH47LziHBo1XLxNnXXhK76HuArRXknkJ8aWuXGpZHoNGTP+ndFjjv2P11WPP/zl0JYNR/aDaVd6rIWup/DNX8tMcVwbpXNDIOTgM62X16zLdYcby0=,iv:kNLFUClayCe9NMtzADaGMLQIr1FjnTZ7PzTkquF08ps=,tag:CrarSNJ/DsdYqAOf9GptUA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.1