Add authelia.

2025-06-04 16:08:13 -05:00 · 2025-06-04 16:08:13 -05:00 · 18611e2359
commit 18611e2359
parent 588fdbd9f2
12 changed files with 261 additions and 19 deletions
--- a/common/services/authelia.nix
+++ b/common/services/authelia.nix
@ -0,0 +1,158 @@
 {
  config,
  lib,
  ...
 }: let
  inherit (lib) mkIf types mkOption mkEnableOption;
  cfg = config.foehammer.services.authelia;
 in {
  options.foehammer.services.authelia = {
    enable = mkEnableOption "Enable authelia server component.";
    domain = mkOption {
      type = types.str;
      description = ''
        Authelia's domain.
      '';
    };
    userDbFile = mkOption {
      type = types.path;
    };
    jwtSecretFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        Path to your JWT secret used during identity verificaton.
      '';
    };
    oidcIssuerPrivateKeyFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        Path to your private key file used to encrypt OIDC JWTs.
      '';
    };
    oidcHmacSecretFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        Path to your HMAC secret used to sign OIDC JWTs.
      '';
    };
    sessionSecretFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        Path to your session secret. Only used when redis is used as session storage.
      '';
    };
    storageEncryptionKeyFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        Path to your storage encryption key.
      '';
    };
    port = mkOption {
      type = lib.types.port;
      default = 9001;
      description = ''
        What external port to serve over.
      '';
    };
    settingsFiles = mkOption {
      type = types.listOf types.path;
      default = [];
      example = [
        "/etc/authelia/config.yml"
        "/etc/authelia/access-control.yml"
        "/etc/authelia/config/"
      ];
      description = ''
        Here you can provide authelia with configuration files or directories.
        It is possible to give authelia multiple files and use the nix generated configuration
        file set via {option}`services.authelia.<instance>.settings`.
      '';
    };
    environmentVariables = mkOption {
      type = types.attrsOf types.str;
      description = ''
        Additional environment variables to provide to authelia.
        If you are providing secrets please consider the options under {option}`services.authelia.<instance>.secrets`
        or make sure you use the `_FILE` suffix.
        If you provide the raw secret rather than the location of a secret file that secret will be preserved in the nix store.
        For more details: https://www.authelia.com/configuration/methods/secrets/
      '';
      default = {};
    };
  };
  config = mkIf cfg.enable {
    services.authelia.instances.main = {
      inherit (cfg) settingsFiles environmentVariables;
      enable = true;
      settings = {
        theme = "dark";
        default_2fa_method = "totp";
        server.address = "tcp://:${toString cfg.port}";
        log = {
          level = "info";
          format = "json";
          # file_path = "/var/log/authelia/authelia.log";
        };
        totp = {
          disable = false;
          issuer = cfg.domain;
        };
        duo_api.disable = true;
        access_control.default_policy = "two_factor";
        session.cookies = [
          {
            domain = cfg.domain;
            authelia_url = "https://${cfg.domain}";
          }
        ];
        notifier = {
          filesystem.filename = "/var/lib/authelia-main/notifications.txt";
        };
        authentication_backend = {
          password_change.disable = true;
          password_reset.disable = true;
          file = {
            path = cfg.userDbFile;
          };
        };
        storage.local = {
          path = "/var/lib/authelia-main/db.sqlite3";
        };
      };
      secrets = {
        inherit
          (cfg)
          jwtSecretFile
          oidcIssuerPrivateKeyFile
          oidcHmacSecretFile
          sessionSecretFile
          storageEncryptionKeyFile
          ;
      };
    };
  };
 }
--- a/flake.lock
+++ b/flake.lock
@ -20,16 +20,16 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1738843498,
+        "lastModified": 1749024892,
-        "narHash": "sha256-7x+Q4xgFj9UxZZO9aUDCR8h4vyYut4zPUvfj3i+jBHE=",
+        "narHash": "sha256-OGcDEz60TXQC+gVz5sdtgGJdKVYr6rwdzQKuZAJQpCA=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "f5a32fa27df91dfc4b762671a0e0a859a8a0058f",
+        "rev": "8f1b52b04f2cb6e5ead50bd28d76528a2f0380ef",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-24.11",
+        "ref": "nixos-25.05",
        "repo": "nixpkgs",
        "type": "github"
      }
--- a/flake.nix
+++ b/flake.nix
@ -23,7 +23,7 @@
            allowUnfree = true;
            allowAliases = true;
          };
-          overlays = [self.overlays.default];
+          # overlays = [self.overlays.default];
        };
        # packages = import ./lib/packages.nix pkgs;
@ -31,7 +31,7 @@
      flake = {
        lib = import ./lib inputs.nixpkgs withSystem;
-        overlays.default = final: prev: (import ./lib/packages.nix prev);
+        # overlays.default = final: prev: (import ./lib/packages.nix prev);
        nixosModules.default = {...}: {
          imports = self.lib.utils.findNixFiles ./common;
--- a/machines/lebesgue/.sops.yaml
+++ b/machines/lebesgue/.sops.yaml
@ -2,7 +2,7 @@ keys:
  - &admin_foehammer A972C2063F4F2554
  - &server age1kjy9wym6cmz6wqmewws4ledsne47c0e4sr0ksmm66rff3u2f6u3qxvnyg9
 creation_rules:
-  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+  - path_regex: secrets/.*\.(yaml|json|env|ini|bin)$
    key_groups:
    - pgp:
      - *admin_foehammer
--- a/machines/lebesgue/config/configuration.nix
+++ b/machines/lebesgue/config/configuration.nix
@ -17,6 +17,18 @@
      envPath = config.sops.secrets.vaultwarden-env.path;
    };
    services.authelia = {
      enable = true;
      domain = "auth.foehammer.me";
      jwtSecretFile = config.sops.secrets.authelia-jwtsecret.path;
      userDbFile = config.sops.secrets.authelia-users.path;
      # oidcIssuerPrivateKeyFile = config.sops.secrets.authelia-oidc-privkey.path;
      # oidcHmacSecretFile = config.sops.secrets.authelia-oidc-hmac.path;
      sessionSecretFile = config.sops.secrets.authelia-session-secret.path;
      storageEncryptionKeyFile = config.sops.secrets.authelia-storage-encryption.path;
    };
    backups.restic = {
      enable = true;
@ -24,7 +36,7 @@
      environmentFile = config.sops.secrets.restic-env.path;
      passwordFile = config.sops.secrets.restic-password.path;
-      paths = ["/var/lib/vaultwarden"];
+      paths = ["/var/lib/vaultwarden" "/var/lib/authelia"];
    };
    tailscale = {
--- a/machines/lebesgue/config/routing.nix
+++ b/machines/lebesgue/config/routing.nix
@ -8,6 +8,11 @@
          reverse_proxy :${toString config.foehammer.services.vaultwarden.port}
        '';
      };
      "auth.foehammer.me" = {
        extraConfig = ''
          reverse_proxy :${toString config.foehammer.services.authelia.port}
        '';
      };
    };
  };
 }
--- a/machines/lebesgue/config/secrets.nix
+++ b/machines/lebesgue/config/secrets.nix
@ -2,13 +2,29 @@
  sops = {
    defaultSopsFile = ../secrets/main.yaml;
-    secrets = {
+    secrets = let
      autheliaSecret = {
        owner = "authelia-main";
        sopsFile = ../secrets/authelia/secrets.yaml;
      };
    in {
      admin-password.neededForUsers = true;
      tskey = {};
      vaultwarden-env = {};
      restic-env = {owner = "restic";};
      restic-password = {owner = "restic";};
      restic-repository = {owner = "restic";};
      authelia-jwtsecret = autheliaSecret;
      authelia-oidc-privkey = autheliaSecret;
      authelia-oidc-hmac = autheliaSecret;
      authelia-session-secret = autheliaSecret;
      authelia-storage-encryption = autheliaSecret;
      authelia-users = {
        owner = "authelia-main";
        sopsFile = ../secrets/authelia/users.yaml.bin;
        format = "binary";
      };
    };
  };
 }
--- a/machines/lebesgue/config/state.nix
+++ b/machines/lebesgue/config/state.nix
@ -8,6 +8,7 @@
      "/var/log"
      "/var/lib/nixos"
      "/var/lib/docker"
      "/var/lib/authelia-main"
      "/var/lib/caddy/.local/share/caddy"
      "/var/lib/vaultwarden"
    ];
--- a/machines/lebesgue/flake.lock
+++ b/machines/lebesgue/flake.lock
@ -50,11 +50,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1748889542,
+        "lastModified": 1749024892,
-        "narHash": "sha256-Hb4iMhIbjX45GcrgOp3b8xnyli+ysRPqAgZ/LZgyT5k=",
+        "narHash": "sha256-OGcDEz60TXQC+gVz5sdtgGJdKVYr6rwdzQKuZAJQpCA=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "10d7f8d34e5eb9c0f9a0485186c1ca691d2c5922",
+        "rev": "8f1b52b04f2cb6e5ead50bd28d76528a2f0380ef",
        "type": "github"
      },
      "original": {
--- a/machines/lebesgue/secrets/authelia/secrets.yaml
+++ b/machines/lebesgue/secrets/authelia/secrets.yaml
@ -0,0 +1,32 @@
 authelia-jwtsecret: ENC[AES256_GCM,data:Vn9K88LdQ6wDgah3SGWOeQM9cjb3iSXUhuIKngpf/ZApKaVXattV4/6l5yo=,iv:zczOCShgBblAOwNH/ulgpfYuyKUQcq+UiRnY/wl07nM=,tag:0S/Pc0VyElQgZsFTgIJKyw==,type:str]
 authelia-session-secret: ENC[AES256_GCM,data:itOZeg3V11RJqsuSQ/GQzO1+bjnPqrvzGa26NCnRwN+I/OTLZV4HhWW7Lqw=,iv:wb9kIkK2OYZo4pAxSVHk4+L53j07/a8SFsItvGlzxk8=,tag:fzrPRhGmy3HZ9zwtWG/5Tw==,type:str]
 authelia-storage-encryption: ENC[AES256_GCM,data:ZOY2p7qM0gaTGnvopppH76uZ/5Gi5ussK9PxS62HJYNY6lqDT39IKTfS6Y4=,iv:Kba9RHQT8wiRjpJLdM0Ww6HRbENAXqmVSiDITe4Bql8=,tag:FPcHEfQlMwbHkeF7vhjiqg==,type:str]
 authelia-oidc-hmac: ENC[AES256_GCM,data:raPEk+m3zg8pz8U3KYHmcxMUIkExPvxtKThngdhiolBt0jA+YGyxd1lOfBU=,iv:3j+bJnoc7rCUou691LCzyEoUL7Ve8jSaIpkoVvBthVM=,tag:rWIX9eEI8+h2+jozqYT4Gw==,type:str]
 authelia-oidc-privkey: ENC[AES256_GCM,data:7vIxoENRK4XwUW3vjVzd2e71rXiAv7R9QYovG6DZuDZwvo3YyNrGX1VlFNdcfqgvafF9GYfKlj0vGlKioVnNJF6QYxdHcBTsrLvKpK0RO/gGc4hdgR6tSxMqv3izPIR0demwJRPlT3nJT9v+kk76bNf5wHnv/DzfPW9a7g66XRrsKEgrxpnrzao6u3xyJYFz7ndyzYvhHMzxm9ITVbAvZIR39ze8foBlghQakgUDDV5yU3nJ4WmGq519t6d0FJeehi3RsEFS6mjPcCfylWnOug012P5DOIrxNZLpmCdoypu+4W0OIF4xf0wSglAKRK/jzz1QD1ytJCip5cFhRYrnAW5EaDFwpBQoG+a6Uar2uLmOk9qyyb8mpsRcRN4o5F/zF6fo8MkAxI0c9c3odOtWIXJ3zSU8TIw5UZvk5+jEMq4UZik9y3JyfWqaFlmVgCHEP67ORVN0R4uELWZe6chssZbfNdK/XmNX5xjSvOk5URtCmGNW+ehuB3JQ/idvNHDsG5Obi/VdULI6jtvjlsMmPh/VTdfND/4nDdokGXg/F7U0byIEEIun4bT55UWWfldVKS95zSC65jFRXUGWSe7kijnM1HpfXBFxzpX9h3w+Zkqu8+lCNfkZPM5d/YQ0so/VJFj0/JX4OBW4rb0kcR5RzX/0eIYCMiQ+0cvb1hBJgtGtWbDWboiCuMmjsDyqWW9biHLyRCii5gozuquY/tPMz7mCq1V1iMMcCn/oTsLFsWMGlj2ds6n/e+/f3HAzsm8Mk0ctHJrbgM2TifQ4uF8zAKfxjhpv7oeid7qQtEEGG+ewSfYEPvlw4H2rtyn1uemst3B2QOcMy9P03wtQwPlp3mikr/zAm9t5222XtXsoeqSvL5xtiUOjwy69wjQAEP4eoFpifIi12gPff8+AefI2c6u/pShTj8hPEMyR6yEsKPNuLjIyJY5T3erX64vBiaSySkm/TNXcsRQetQiJKO1/Ud457kadZxa98mNS9DH/jyxNLjtyO9JBzCKNKZsgS+FVv3nz1Z3o7lAl8ZtHtXJV78swdIEc2xuuOfi3tCwd1FlDfQiu1EMZNGnHypoZU4Ff698/jAHtZt7j5lBKvEYFmIk5cvlTuPD1peXY8YQ3K4ZW4dYKb1dBzlwkvOjnmApyzA9aInT7hmdcwyVC8GOijxqkEbMWe8tjOoXEpy4o5VNOBJEB4HIOkWbDUHUdOKnE/84F99wtOq/b9qU0/GDhSOeMvTG276UxVSUDG6TxkS897QS2hUBJqfu/3ZJVybkPoekG7dS0rV2g6IhVx/NBY4U9LbH9JIRj4m9thrvMPiewyKLPAswUECvmbAot87onhIm1sC+AaUGEbrsnqudMpKKdnRpTS0bg59cAnb2C5WRpmb8NT28KnsNPgqLRE6S909CbPoA64HkovsDt7igPx3hLaN7elv+L87wIbkM6SbtrluRiWbPFyJ5GgpSoNwupEB+wSQMYEZ5MGEhq06NWVYK3L4HOCN04OHZhn9Th/a6B4rUN6tkRqsETI/NZemBuUgu9vimruAG9QiN/XsnDUjPGbRrEIWv7hcrHNdg0bxItaku7VRb+ne6aA+dbhyXZGVYiiVKX7282QJl/s2LHNvFv1ckh1nf+wIbArQdKrzowU8doDrRmMf1rQ7kHc78XxAaFWBSOc+lEVT+Z+hHiDJuKtRo6I3D6aWNpYRO9B0O2WjzYH37H4H15XzSadl1EdJi0zxqN7ABKpwxrao44izgBru949JKSzHYetTNxiyoH0oVuS/89bjY4aGb6qSI6TGEZVDjzIdF2ydSjMp2RncdU5ZU7JCcMA1w6g5qozr+6gn2XE+fOLSzggWBy11slWKEODsps9t5Xxt0pD5j+aXV+EoJxDjejPyRSDd1iyPRBlAdvVXt6kdgel6+qpRTS+Sc1R5p6QKpucUbIvPWdndEh5ZG+n7w762l0lkxqCpObm/q2Mzlke1SELpjl5PP5V1X/Rn5rJcmO5zI0/8eV3qqKsHmVchh4QNNLYDokQHHblaSIvwhZWYjvEYJizYz0U4ryKQN6SXMCSh9++tKaZGbK2KOzB24qE3As40GE+xqyeAaozisQHtVmIgXIdXdFRFhdVZ8Evteo0VnTfm39BDxxqcdast8lOnYhpCF0mcq/gex7n7MVfKEroI66nly8xy6zmgur7nrTOvAcXtbkRhMR94iCROHgPoDRB8Wb6XVig43M0iVu8ahtPGmF7PLCuVth3SQCArpz9teRiF/dV2r2cXsDSAF6,iv:sm6m1pgilv2rM/7IK3ARoDLjoAr6MjIFL6R9hgYAQjY=,tag:ngQjStO7oSAcXbLOTrK9sg==,type:str]
 sops:
    age:
        - recipient: age1kjy9wym6cmz6wqmewws4ledsne47c0e4sr0ksmm66rff3u2f6u3qxvnyg9
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiRG1QRDdJMFBkN01reUZm
            d1VtUTV1WjdFODhUL3d1NWVGV2QxTkYwSURrCm91RnRrRkNNclNjcDkyaldoZWR2
            ekE1NnIwWVNBQVhCUDY5ZnE2SEZ1c0UKLS0tIEhVMjZVNEpqbjJyM0ZBd3JJOXB1
            cmJMTWdHTlVPUU52dXYrelM4aDlKbE0KaKvTldyLmJPTLq3p8136ZV0692KaANSp
            8tH0wFq8HUaAvB+oRgAPZxd6BmnAU6wlkpFw9mka8nY4U37yna6yOg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-06-04T21:04:51Z"
    mac: ENC[AES256_GCM,data:HvL9IPa7pZ9X6hEPrknzjvS9u3l28iChfnfCcY+KNX/WyvlhoLBU0jR148ATyy1e/gbyFNYY00Qa1MbwM9j+kun8awZQ6WdxCrIU7XE5dnH6RnsEtvfErSERnCE4byIBeCCADjdYRb7RQsVaD+UKSj9hERCwvFEaLCy4lbod2Gk=,iv:sWCOMB7ibpKveZIUyhj4MteQgYfOgESGADpXJiwHQL4=,tag:Npn1zIVRgBs50EN3g8MgcQ==,type:str]
    pgp:
        - created_at: "2025-06-04T21:04:24Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hF4DAAAAAAAAAAASAQdAyr8AYkg9I7SqOqPGpZ+HMPyq1fyetVAOcI38r1C1QF4w
            bvaY5tLOZcNQzcl+Qo+u4X0/hrAKpBmeDwSfxjw/C5TQccopTrk3hd7GSjXOWeEq
            0l4B7al7wUlgU1C7kH5hjVHcgN2sjsqwDfhivUg58yKQOZhmww5pdu4jSNS9+kR0
            9+nsTNrZZ9xfQHyR0frlqEClFWo8+nkJghK+bCZ+obnBsyGL3HF84A5Y10G3l/EC
            =utfQ
            -----END PGP MESSAGE-----
          fp: A972C2063F4F2554
    unencrypted_suffix: _unencrypted
    version: 3.10.2
--- a/machines/lebesgue/secrets/authelia/users.yaml.bin
+++ b/machines/lebesgue/secrets/authelia/users.yaml.bin
@ -0,0 +1,22 @@
 {
 	"data": "ENC[AES256_GCM,data:ZYbiTO7AoIprolgZB5DPElxqvmpXOMveL5wpR1q5pPHBsLypWmE+5Cyv7ltH+KCwdGjPQK+qScMKAgFi23OaQwulp8VGcG8FMsyLKWQKb6+VPwGk41fha1ymfxnJ/JxQwTVjz74ugd4RMDvnSydwxLEyKpkoRexibdJ0JB/46Od63+KxoCKDzfXrerO7iMJ/BsFxqJOjpY+3voyR27oRIm9p5tL6eVVKdeTmgZ0rZMp9Rr55eVvLOhRIGsghGYr+miCVV8jOHdEy/ktfoHZG0A==,iv:gbkYffA/+wH7VefKbbh1qpdu2fu4D9os9zoQlUYW3JQ=,tag:GwvsyEv1fjBDnEptdHkmvQ==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age1kjy9wym6cmz6wqmewws4ledsne47c0e4sr0ksmm66rff3u2f6u3qxvnyg9",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOZVdLbzVjcSsyU3Mvdkdp\nYU43bXREbTVwNnZqVXhTZnZnY2UyeGkrMWhzCnN4WkF2T3l5Zk5OTzFTUzMvdkhU\nS0lmMjFHbEE4VlJjU0xPR2V3ZDdnN0UKLS0tIGRMWkROWVdiS1piRTZFZ1ZXVUFo\nMFkvNzdsL24yVlRRRnNuK0MvMjFDUWMKio15sHTVTCzoW6xDZ8xW1R1f3FZWJ70c\nAxVlwdhZHFsfXK++vsU+PT42ejqodEMpZiHvIjQzg6EulopdKUYU/g==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-06-04T20:14:57Z",
 		"mac": "ENC[AES256_GCM,data:VAKNR4y9UxN0PpaMRFu9xYDKLINoyd54zPPKSP61Bnp/HTMjAWPK6fOJt1ihJGFAN/MUDyVbklFYO8m56FzxxdszNN4+CAhsdIL2J5um4OEFZf70XW3m9mSUCP28d+n0U2hTZ17IfHhHe7pwmiTX0wMAsERM+PQ70/TplorNJ0E=,iv:27TmA6ge3OjWfjezNOBrnThsmbxregmPb55+WWJlPW0=,tag:B/kQoVKL0SDmbd3qWw5/5Q==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-06-04T20:14:12Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdARkN3yYHRUH/nfobwd2YF4ePWpbruXUNCZkNQubo/EV4w\n/1ybFvY9O+p6X/U//a6WuiQoli12nNUYegEHDJc8CzH6Q+9BwqKqYfMoa+Ahy2hi\n0l4BOQfnONeflgF9bctA7BJB1lvF4pbhbxTf2bImf6HDAajFyaYfvML0ad4MMRBU\nqmBCXG9WAf6VQb99uUj8wwbxunny4pLF1Q4YhMdC/hbkG9unN4slsQUr7jM8N9Dz\n=C1Sa\n-----END PGP MESSAGE-----",
 				"fp": "A972C2063F4F2554"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.10.2"
 	}
 }
--- a/machines/lebesgue/secrets/main.yaml
+++ b/machines/lebesgue/secrets/main.yaml
@ -5,10 +5,6 @@ restic-password: ENC[AES256_GCM,data:Ympe5/hJxOzJp7IeJy5mZy0fMIrnV+3cWJo1uKwbHHD
 restic-repository: ENC[AES256_GCM,data:KkFaam8iltY9nz89sVxk4u0xZ46Sq+7UsOY/9wieASD5A2FRruou7BiudX9X4hRA2RMTctO8aqYkrg==,iv:mIZ9z7BJV9s+wSiVMnzYAWM1/zsa6C+RCK1UhSiJVxI=,tag:S7tedxcfd/UaQ5hMEYfBVQ==,type:str]
 restic-env: ENC[AES256_GCM,data:KW9ma36zmHJF3xBStpoStDRQqg34wlMJMVSYfbLSnWq26R6e6eGf3+kTVkobhn/bqL6ZYi8ctlyvDS8IOz8VveYogsqxZ7/LK62mA0d9I3xEZMG7eNQ8M1PdeZ9RqAUgFJU=,iv:RxwvZ2vNuwmUc3haK2Ub8vHk9UQhjepLCwsfIcSJg9s=,tag:Tvq2RDh8mJ3jGhmpL1uuCA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1kjy9wym6cmz6wqmewws4ledsne47c0e4sr0ksmm66rff3u2f6u3qxvnyg9
          enc: |
@ -19,8 +15,8 @@ sops:
            L2VhMXV4WityYUFDZytxVTJHOXZGVVkKgbKR56dsru6U7I4KpnxfxQsswFwJsTM7
            8dzAaFl30mdRwFIH9kzdY3XxyYsJ0Yr0x3xwJ8mI4rjgpI8S9ihJFw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-02-06T23:41:49Z"
+    lastmodified: "2025-06-04T21:04:47Z"
-    mac: ENC[AES256_GCM,data:r8T1Yn5UjKy9zBbFUf9fMVQxy7iyAu1LZINeDQtHuU/tCpn2cqs8FHqhSbtKdFTSPeq3KUe3RTMcbWV17iIoo2CPX+Q9PGQMiN6Wai1CJY5ybr43op7U/WntC3ui/5BGODGbL8EWCc4SHuedqfXTtt8tWIN+qbONzQltP1spVbk=,iv:g9kdAU7bNUdLE+Cr3OhO9IFL2EKKAT2ty05OOoLMOdU=,tag:6JhgR8vqjOBA/VPV9TEK1A==,type:str]
+    mac: ENC[AES256_GCM,data:fGTVTDhqVNLQJaZyBFhBEauW/Cnb/V57aHOcaeODNeA9g1oZiC3IzUkpRVnEC+gPx4KLDrBwuCk7Au/TarVpFVK+nyqcwrDgr2RsWtVDP0UQH/+8G8PkASxnMnTp/oQnvEKGAbySfGelqEQkDhbMiR7GaP99lJcIoIQ/wG87peA=,iv:+NJnPQmh6VYzDu/UoGv1YHVGfMocKMdX5XxZG6FmS90=,tag:vnHzhvOQOw0U7BwNJKA0kw==,type:str]
    pgp:
        - created_at: "2025-02-03T18:58:54Z"
          enc: |-
@ -34,4 +30,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: A972C2063F4F2554
    unencrypted_suffix: _unencrypted
-    version: 3.9.4
+    version: 3.10.2