From b6c9fa666dc4134258cb2c7a47683a452b6050dd Mon Sep 17 00:00:00 2001 From: Pieter Date: Fri, 23 Jan 2026 20:36:31 +0100 Subject: [PATCH] chore: Post-workshop state - January 23rd, 2026 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit captures the infrastructure state immediately following the "Post-Tyranny Tech" workshop on January 23rd, 2026. Infrastructure Status: - 13 client servers deployed (white, valk, zwaan, specht, das, uil, vos, haas, wolf, ree, mees, mus, mol, kikker) - Services: Authentik SSO, Nextcloud, Collabora Office, Traefik - Private network architecture with edge NAT gateway - OIDC integration between Authentik and Nextcloud - Automated recovery flows and invitation system - Container update monitoring with Diun - Uptime monitoring with Uptime Kuma Changes include: - Multiple new client host configurations - Network architecture improvements (private IPs + NAT) - DNS management automation - Container update notifications - Email configuration via Mailgun - SSH key generation for all clients - Encrypted secrets for all deployments - Health check and diagnostic scripts Known Issues to Address: - Nextcloud version pinned to v30 (should use 'latest' or v32) - Zitadel references in templates (migrated to Authentik but templates not updated) - Traefik dynamic config has obsolete static routes 🤖 Generated with Claude Code (https://claude.com/claude-code) Co-Authored-By: Claude --- ansible/ansible.cfg | 6 +- ansible/host_vars/das.yml | 10 + ansible/host_vars/egel.yml | 11 + ansible/host_vars/haas.yml | 11 + ansible/host_vars/kikker.yml | 10 + ansible/host_vars/mees.yml | 11 + ansible/host_vars/mol.yml | 10 + ansible/host_vars/mus.yml | 10 + ansible/host_vars/ree.yml | 11 + ansible/host_vars/specht.yml | 11 + ansible/host_vars/uil.yml | 10 + ansible/host_vars/valk.yml | 7 +- ansible/host_vars/vos.yml | 10 + ansible/host_vars/white.yml | 8 +- ansible/host_vars/wolf.yml | 10 + ansible/host_vars/zwaan.yml | 11 + ansible/inventory-temp.ini | 4 + ansible/inventory-temp.yml | 8 + ansible/playbooks/configure-email.yml | 53 ++ ansible/playbooks/fix-private-network.yml | 48 ++ ansible/playbooks/setup.yml | 7 + ansible/playbooks/update-containers.yml | 311 ++++++++++++ ansible/roles/diun/defaults/main.yml | 5 +- ansible/roles/diun/templates/diun.yml.j2 | 2 +- .../edge-traefik/templates/dynamic.yml.j2 | 462 ++++++++++++++++++ ansible/roles/nextcloud/defaults/main.yml | 2 +- ansible/roles/nextcloud/tasks/docker.yml | 14 +- ansible/roles/nextcloud/tasks/oidc.yml | 11 + .../templates/docker-compose.nextcloud.yml.j2 | 11 +- keys/ssh/bever.pub | 1 + keys/ssh/black.pub | 1 + keys/ssh/das.pub | 1 + keys/ssh/edge.pub | 1 + keys/ssh/egel.pub | 1 + keys/ssh/green.pub | 1 - keys/ssh/haas.pub | 1 + keys/ssh/kikker.pub | 1 + keys/ssh/kraai.pub | 1 + keys/ssh/mees.pub | 1 + keys/ssh/mol.pub | 1 + keys/ssh/mus.pub | 1 + keys/ssh/otter.pub | 1 + keys/ssh/purple.pub | 1 + keys/ssh/ree.pub | 1 + keys/ssh/specht.pub | 1 + keys/ssh/uil.pub | 1 + keys/ssh/valk.pub | 1 + keys/ssh/vos.pub | 1 + keys/ssh/white.pub | 1 + keys/ssh/wolf.pub | 1 + keys/ssh/zwaan.pub | 1 + scripts/add-client-to-terraform.sh | 27 + scripts/configure-oidc.sh | 156 ++++++ scripts/deploy-client.sh | 10 +- scripts/destroy-client.sh | 25 +- scripts/health-check.sh | 116 +++++ secrets/clients/bever.sops.yaml | 38 ++ secrets/clients/black.sops.yaml | 38 ++ secrets/clients/das.sops.yaml | 38 ++ secrets/clients/egel.sops.yaml | 38 ++ secrets/clients/green.sops.yaml | 38 -- secrets/clients/haas.sops.yaml | 38 ++ secrets/clients/kikker.sops.yaml | 38 ++ secrets/clients/kraai.sops.yaml | 38 ++ secrets/clients/mees.sops.yaml | 38 ++ secrets/clients/mol.sops.yaml | 38 ++ secrets/clients/mus.sops.yaml | 38 ++ secrets/clients/otter.sops.yaml | 38 ++ secrets/clients/purple.sops.yaml | 38 ++ secrets/clients/ree.sops.yaml | 38 ++ secrets/clients/specht.sops.yaml | 38 ++ secrets/clients/uil.sops.yaml | 38 ++ secrets/clients/valk.sops.yaml | 38 ++ secrets/clients/vos.sops.yaml | 38 ++ secrets/clients/white.sops.yaml | 38 ++ secrets/clients/wolf.sops.yaml | 38 ++ secrets/clients/zwaan.sops.yaml | 38 ++ secrets/shared.sops.yaml | 44 +- tofu/dns.tf | 33 +- tofu/main.tf | 19 +- tofu/network.tf | 89 +--- tofu/tfplan | Bin 0 -> 13139 bytes tofu/user-data-private.yml | 4 + tofu/variables.tf | 15 - 84 files changed, 2228 insertions(+), 225 deletions(-) create mode 100644 ansible/host_vars/das.yml create mode 100644 ansible/host_vars/egel.yml create mode 100644 ansible/host_vars/haas.yml create mode 100644 ansible/host_vars/kikker.yml create mode 100644 ansible/host_vars/mees.yml create mode 100644 ansible/host_vars/mol.yml create mode 100644 ansible/host_vars/mus.yml create mode 100644 ansible/host_vars/ree.yml create mode 100644 ansible/host_vars/specht.yml create mode 100644 ansible/host_vars/uil.yml create mode 100644 ansible/host_vars/vos.yml create mode 100644 ansible/host_vars/wolf.yml create mode 100644 ansible/host_vars/zwaan.yml create mode 100644 ansible/inventory-temp.ini create mode 100644 ansible/inventory-temp.yml create mode 100644 ansible/playbooks/configure-email.yml create mode 100644 ansible/playbooks/fix-private-network.yml create mode 100644 ansible/playbooks/update-containers.yml create mode 100644 keys/ssh/bever.pub create mode 100644 keys/ssh/black.pub create mode 100644 keys/ssh/das.pub create mode 100644 keys/ssh/edge.pub create mode 100644 keys/ssh/egel.pub delete mode 100644 keys/ssh/green.pub create mode 100644 keys/ssh/haas.pub create mode 100644 keys/ssh/kikker.pub create mode 100644 keys/ssh/kraai.pub create mode 100644 keys/ssh/mees.pub create mode 100644 keys/ssh/mol.pub create mode 100644 keys/ssh/mus.pub create mode 100644 keys/ssh/otter.pub create mode 100644 keys/ssh/purple.pub create mode 100644 keys/ssh/ree.pub create mode 100644 keys/ssh/specht.pub create mode 100644 keys/ssh/uil.pub create mode 100644 keys/ssh/valk.pub create mode 100644 keys/ssh/vos.pub create mode 100644 keys/ssh/white.pub create mode 100644 keys/ssh/wolf.pub create mode 100644 keys/ssh/zwaan.pub create mode 100755 scripts/configure-oidc.sh create mode 100755 scripts/health-check.sh create mode 100644 secrets/clients/bever.sops.yaml create mode 100644 secrets/clients/black.sops.yaml create mode 100644 secrets/clients/das.sops.yaml create mode 100644 secrets/clients/egel.sops.yaml delete mode 100644 secrets/clients/green.sops.yaml create mode 100644 secrets/clients/haas.sops.yaml create mode 100644 secrets/clients/kikker.sops.yaml create mode 100644 secrets/clients/kraai.sops.yaml create mode 100644 secrets/clients/mees.sops.yaml create mode 100644 secrets/clients/mol.sops.yaml create mode 100644 secrets/clients/mus.sops.yaml create mode 100644 secrets/clients/otter.sops.yaml create mode 100644 secrets/clients/purple.sops.yaml create mode 100644 secrets/clients/ree.sops.yaml create mode 100644 secrets/clients/specht.sops.yaml create mode 100644 secrets/clients/uil.sops.yaml create mode 100644 secrets/clients/valk.sops.yaml create mode 100644 secrets/clients/vos.sops.yaml create mode 100644 secrets/clients/white.sops.yaml create mode 100644 secrets/clients/wolf.sops.yaml create mode 100644 secrets/clients/zwaan.sops.yaml create mode 100644 tofu/tfplan diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg index cbb5ea8..c3b50be 100644 --- a/ansible/ansible.cfg +++ b/ansible/ansible.cfg @@ -1,6 +1,6 @@ [defaults] # Inventory configuration -inventory = hcloud.yml +# inventory = hcloud.yml # Disabled - use -i flag instead host_key_checking = False interpreter_python = auto_silent @@ -26,8 +26,8 @@ timeout = 30 roles_path = ./roles [inventory] -# Enable Hetzner Cloud dynamic inventory plugin -enable_plugins = hetzner.hcloud.hcloud +# Enable inventory plugins +enable_plugins = hetzner.hcloud.hcloud, ini, yaml, auto [privilege_escalation] become = True diff --git a/ansible/host_vars/das.yml b/ansible/host_vars/das.yml new file mode 100644 index 0000000..fba2125 --- /dev/null +++ b/ansible/host_vars/das.yml @@ -0,0 +1,10 @@ +--- +# das server - direct public IP + +# SSH directly to public IP +ansible_host: 49.13.49.246 + +# Client identification +client_name: das +client_domain: das.vrije.cloud +client_secrets_file: das.sops.yaml diff --git a/ansible/host_vars/egel.yml b/ansible/host_vars/egel.yml new file mode 100644 index 0000000..c38865e --- /dev/null +++ b/ansible/host_vars/egel.yml @@ -0,0 +1,11 @@ +--- +# egel server - behind edge proxy (private network only) + +# SSH via edge server as bastion/jump host +ansible_host: 10.0.0.52 +ansible_ssh_common_args: '-o ProxyCommand="ssh -i ../keys/ssh/edge -W %h:%p -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@78.47.191.38" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' + +# Client identification +client_name: egel +client_domain: egel.vrije.cloud +client_secrets_file: egel.sops.yaml diff --git a/ansible/host_vars/haas.yml b/ansible/host_vars/haas.yml new file mode 100644 index 0000000..6e5c12d --- /dev/null +++ b/ansible/host_vars/haas.yml @@ -0,0 +1,11 @@ +--- +# haas server - public network + +# SSH directly via public IP +ansible_host: 78.46.229.195 +ansible_ssh_private_key_file: ../keys/ssh/haas + +# Client identification +client_name: haas +client_domain: haas.vrije.cloud +client_secrets_file: haas.sops.yaml diff --git a/ansible/host_vars/kikker.yml b/ansible/host_vars/kikker.yml new file mode 100644 index 0000000..dd5b075 --- /dev/null +++ b/ansible/host_vars/kikker.yml @@ -0,0 +1,10 @@ +--- +# kikker server - direct public IP + +# SSH directly to public IP +ansible_host: 23.88.124.67 + +# Client identification +client_name: kikker +client_domain: kikker.vrije.cloud +client_secrets_file: kikker.sops.yaml diff --git a/ansible/host_vars/mees.yml b/ansible/host_vars/mees.yml new file mode 100644 index 0000000..e60df7b --- /dev/null +++ b/ansible/host_vars/mees.yml @@ -0,0 +1,11 @@ +--- +# mees server - public network + +# SSH directly via public IP +ansible_host: 167.235.198.19 +ansible_ssh_private_key_file: ../keys/ssh/mees + +# Client identification +client_name: mees +client_domain: mees.vrije.cloud +client_secrets_file: mees.sops.yaml diff --git a/ansible/host_vars/mol.yml b/ansible/host_vars/mol.yml new file mode 100644 index 0000000..4dcaa2e --- /dev/null +++ b/ansible/host_vars/mol.yml @@ -0,0 +1,10 @@ +--- +# mol server - direct public IP + +# SSH directly to server +ansible_host: 49.13.56.23 + +# Client identification +client_name: mol +client_domain: mol.vrije.cloud +client_secrets_file: mol.sops.yaml diff --git a/ansible/host_vars/mus.yml b/ansible/host_vars/mus.yml new file mode 100644 index 0000000..65144ab --- /dev/null +++ b/ansible/host_vars/mus.yml @@ -0,0 +1,10 @@ +--- +# mus server - direct public IP + +# SSH directly to server +ansible_host: 91.107.217.126 + +# Client identification +client_name: mus +client_domain: mus.vrije.cloud +client_secrets_file: mus.sops.yaml diff --git a/ansible/host_vars/ree.yml b/ansible/host_vars/ree.yml new file mode 100644 index 0000000..e3e8924 --- /dev/null +++ b/ansible/host_vars/ree.yml @@ -0,0 +1,11 @@ +--- +# ree server - behind edge proxy (private network only) + +# SSH via edge server as bastion/jump host +ansible_host: 10.0.0.49 +ansible_ssh_common_args: '-o ProxyCommand="ssh -i ../keys/ssh/edge -W %h:%p -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@78.47.191.38" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' + +# Client identification +client_name: ree +client_domain: ree.vrije.cloud +client_secrets_file: ree.sops.yaml diff --git a/ansible/host_vars/specht.yml b/ansible/host_vars/specht.yml new file mode 100644 index 0000000..7649fc6 --- /dev/null +++ b/ansible/host_vars/specht.yml @@ -0,0 +1,11 @@ +--- +# specht server - public network + +# SSH directly via public IP +ansible_host: 188.245.122.208 +ansible_ssh_private_key_file: ../keys/ssh/specht + +# Client identification +client_name: specht +client_domain: specht.vrije.cloud +client_secrets_file: specht.sops.yaml diff --git a/ansible/host_vars/uil.yml b/ansible/host_vars/uil.yml new file mode 100644 index 0000000..d9813a8 --- /dev/null +++ b/ansible/host_vars/uil.yml @@ -0,0 +1,10 @@ +--- +# uil server - direct public IP + +# SSH directly to server +ansible_host: 91.99.208.20 + +# Client identification +client_name: uil +client_domain: uil.vrije.cloud +client_secrets_file: uil.sops.yaml diff --git a/ansible/host_vars/valk.yml b/ansible/host_vars/valk.yml index df85c57..751f8bb 100644 --- a/ansible/host_vars/valk.yml +++ b/ansible/host_vars/valk.yml @@ -1,9 +1,8 @@ --- -# valk server - behind edge proxy (private network only) +# valk server - direct public IP -# SSH via edge server as bastion/jump host -ansible_host: 10.0.0.41 -ansible_ssh_common_args: '-o ProxyCommand="ssh -i ../keys/ssh/edge -W %h:%p -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@78.47.191.38" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' +# SSH directly to public IP +ansible_host: 78.47.191.38 # Client identification client_name: valk diff --git a/ansible/host_vars/vos.yml b/ansible/host_vars/vos.yml new file mode 100644 index 0000000..9f9d6e1 --- /dev/null +++ b/ansible/host_vars/vos.yml @@ -0,0 +1,10 @@ +--- +# vos server - direct public IP + +# SSH directly to server +ansible_host: 128.140.91.174 + +# Client identification +client_name: vos +client_domain: vos.vrije.cloud +client_secrets_file: vos.sops.yaml diff --git a/ansible/host_vars/white.yml b/ansible/host_vars/white.yml index 050ac16..4475f50 100644 --- a/ansible/host_vars/white.yml +++ b/ansible/host_vars/white.yml @@ -1,9 +1,9 @@ --- -# White server - behind edge proxy -# Note: Currently has public IP for initial setup +# white server - behind edge proxy (private network only) -# SSH directly via public IP (temporary) -ansible_host: 159.69.182.238 +# SSH via edge server as bastion/jump host +ansible_host: 10.0.0.40 +ansible_ssh_common_args: '-o ProxyCommand="ssh -i ../keys/ssh/edge -W %h:%p -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@78.47.191.38" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' # Client identification client_name: white diff --git a/ansible/host_vars/wolf.yml b/ansible/host_vars/wolf.yml new file mode 100644 index 0000000..55c0072 --- /dev/null +++ b/ansible/host_vars/wolf.yml @@ -0,0 +1,10 @@ +--- +# wolf server - direct public IP + +# SSH directly to server +ansible_host: 159.69.189.177 + +# Client identification +client_name: wolf +client_domain: wolf.vrije.cloud +client_secrets_file: wolf.sops.yaml diff --git a/ansible/host_vars/zwaan.yml b/ansible/host_vars/zwaan.yml new file mode 100644 index 0000000..110aa2a --- /dev/null +++ b/ansible/host_vars/zwaan.yml @@ -0,0 +1,11 @@ +--- +# zwaan server - behind edge proxy (private network only) + +# SSH via edge server as bastion/jump host +ansible_host: 10.0.0.42 +ansible_ssh_common_args: '-o ProxyCommand="ssh -i ../keys/ssh/edge -W %h:%p -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@78.47.191.38" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' + +# Client identification +client_name: zwaan +client_domain: zwaan.vrije.cloud +client_secrets_file: zwaan.sops.yaml diff --git a/ansible/inventory-temp.ini b/ansible/inventory-temp.ini new file mode 100644 index 0000000..3af2779 --- /dev/null +++ b/ansible/inventory-temp.ini @@ -0,0 +1,4 @@ +[clients] +valk ansible_host=78.47.191.38 ansible_user=root ansible_ssh_private_key_file=../keys/ssh/valk +kikker ansible_host=23.88.124.67 ansible_user=root ansible_ssh_private_key_file=../keys/ssh/kikker +das ansible_host=49.13.49.246 ansible_user=root ansible_ssh_private_key_file=../keys/ssh/das diff --git a/ansible/inventory-temp.yml b/ansible/inventory-temp.yml new file mode 100644 index 0000000..d4bb3df --- /dev/null +++ b/ansible/inventory-temp.yml @@ -0,0 +1,8 @@ +all: + children: + clients: + hosts: + valk: + ansible_host: 78.47.191.38 + ansible_user: root + ansible_ssh_private_key_file: ../keys/ssh/valk diff --git a/ansible/playbooks/configure-email.yml b/ansible/playbooks/configure-email.yml new file mode 100644 index 0000000..3d8326a --- /dev/null +++ b/ansible/playbooks/configure-email.yml @@ -0,0 +1,53 @@ +--- +# Configure email for a single server +- hosts: all + gather_facts: yes + tasks: + - name: Load client secrets + community.sops.load_vars: + file: "{{ playbook_dir }}/../../secrets/clients/{{ inventory_hostname }}.sops.yaml" + name: client_secrets + age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}" + no_log: true + + - name: Load shared secrets + community.sops.load_vars: + file: "{{ playbook_dir }}/../../secrets/shared.sops.yaml" + name: shared_secrets + age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}" + no_log: true + + - name: Merge secrets + set_fact: + client_secrets: "{{ client_secrets | combine(shared_secrets) }}" + no_log: true + + - name: Include mailgun role + include_role: + name: mailgun + + - name: Configure Nextcloud email if credentials available + shell: | + docker exec -u www-data nextcloud php occ config:system:set mail_smtpmode --value="smtp" + docker exec -u www-data nextcloud php occ config:system:set mail_smtpsecure --value="tls" + docker exec -u www-data nextcloud php occ config:system:set mail_smtphost --value="smtp.eu.mailgun.org" + docker exec -u www-data nextcloud php occ config:system:set mail_smtpport --value="587" + docker exec -u www-data nextcloud php occ config:system:set mail_smtpauth --value="1" + docker exec -u www-data nextcloud php occ config:system:set mail_smtpname --value="{{ mailgun_smtp_user }}" + docker exec -u www-data nextcloud php occ config:system:set mail_smtppassword --value="{{ mailgun_smtp_password }}" + docker exec -u www-data nextcloud php occ config:system:set mail_from_address --value="{{ inventory_hostname }}" + docker exec -u www-data nextcloud php occ config:system:set mail_domain --value="mg.vrije.cloud" + when: mailgun_smtp_user is defined + no_log: true + register: email_config + + - name: Display email configuration status + debug: + msg: | + ======================================== + Email Configuration + ======================================== + Status: {{ 'Configured' if email_config.changed | default(false) else 'Skipped (credentials not available)' }} + SMTP: smtp.eu.mailgun.org:587 (TLS) + From: {{ inventory_hostname }}@mg.vrije.cloud + ======================================== diff --git a/ansible/playbooks/fix-private-network.yml b/ansible/playbooks/fix-private-network.yml new file mode 100644 index 0000000..56aacd5 --- /dev/null +++ b/ansible/playbooks/fix-private-network.yml @@ -0,0 +1,48 @@ +--- +# Playbook to fix private network configuration on servers +# This fixes the netplan configuration to properly enable DHCP +# on the private network interface (enp7s0) + +- name: Fix private network configuration + hosts: all + gather_facts: no + become: yes + + tasks: + - name: Check if server is reachable + ansible.builtin.wait_for_connection: + timeout: 5 + register: connection_test + ignore_errors: yes + + - name: Create corrected netplan configuration for private network + ansible.builtin.copy: + dest: /etc/netplan/60-private-network.yaml + mode: '0600' + content: | + network: + version: 2 + ethernets: + enp7s0: + dhcp4: true + dhcp4-overrides: + use-routes: false + routes: + - to: default + via: 10.0.0.1 + when: connection_test is succeeded + + - name: Apply netplan configuration + ansible.builtin.command: netplan apply + when: connection_test is succeeded + register: netplan_result + + - name: Show netplan result + ansible.builtin.debug: + msg: "Netplan applied successfully on {{ inventory_hostname }}" + when: connection_test is succeeded and netplan_result is succeeded + + - name: Wait for network to stabilize + ansible.builtin.wait_for_connection: + timeout: 10 + when: connection_test is succeeded diff --git a/ansible/playbooks/setup.yml b/ansible/playbooks/setup.yml index 4f0f9bf..fca9f98 100644 --- a/ansible/playbooks/setup.yml +++ b/ansible/playbooks/setup.yml @@ -18,6 +18,13 @@ - name: Gather facts setup: + - name: Load shared secrets (Docker Hub, etc.) + community.sops.load_vars: + file: "{{ playbook_dir }}/../../secrets/shared.sops.yaml" + name: shared_secrets + age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}" + no_log: true + roles: - role: common tags: ['common', 'security'] diff --git a/ansible/playbooks/update-containers.yml b/ansible/playbooks/update-containers.yml new file mode 100644 index 0000000..9eb0d0c --- /dev/null +++ b/ansible/playbooks/update-containers.yml @@ -0,0 +1,311 @@ +--- +# Playbook: Update Docker containers across clients +# Usage: +# # Update single client +# ansible-playbook -i hcloud.yml playbooks/update-containers.yml --limit black +# +# # Update specific service only +# ansible-playbook -i hcloud.yml playbooks/update-containers.yml --limit black --tags authentik +# +# # Dry run (check mode) +# ansible-playbook -i hcloud.yml playbooks/update-containers.yml --limit black --check +# +# # Update multiple clients in sequence +# ansible-playbook -i hcloud.yml playbooks/update-containers.yml --limit "dev,test" + +- name: Update Docker containers + hosts: all + become: yes + serial: 1 # Process one host at a time for safety + + vars: + # Services to update (override with -e "services_to_update=['authentik']") + services_to_update: + - traefik + - authentik + - nextcloud + - diun + + # Backup before update + create_backup: true + + # Wait time between service updates (seconds) + update_delay: 30 + + pre_tasks: + - name: Display update plan + debug: + msg: | + Updating {{ inventory_hostname }} + Services: {{ services_to_update | join(', ') }} + Backup enabled: {{ create_backup }} + tags: always + + - name: Check if host is reachable + ping: + tags: always + + - name: Get current container status (before) + shell: docker ps --format 'table {{{{.Names}}}}\t{{{{.Status}}}}\t{{{{.Image}}}}' + register: containers_before + changed_when: false + tags: always + + - name: Display current containers + debug: + msg: "{{ containers_before.stdout_lines }}" + tags: always + + tasks: + # ========================================== + # Traefik Updates + # ========================================== + - name: Update Traefik + block: + - name: Create Traefik backup + shell: | + cd /opt/docker/traefik + tar -czf /tmp/traefik-backup-$(date +%Y%m%d-%H%M%S).tar.gz \ + acme.json docker-compose.yml traefik.yml 2>/dev/null || true + when: create_backup + + - name: Pull latest Traefik image + docker_image: + name: traefik:latest + source: pull + force_source: yes + + - name: Restart Traefik + docker_compose: + project_src: /opt/docker/traefik + restarted: yes + pull: yes + + - name: Wait for Traefik to be healthy + shell: docker inspect --format='{{{{.State.Status}}}}' traefik + register: traefik_status + until: traefik_status.stdout == "running" + retries: 10 + delay: 5 + changed_when: false + + - name: Verify Traefik SSL certificates + shell: docker exec traefik ls -la /acme.json + register: traefik_certs + changed_when: false + failed_when: traefik_certs.rc != 0 + + - name: Delay between services + pause: + seconds: "{{ update_delay }}" + when: "'traefik' in services_to_update" + tags: traefik + + # ========================================== + # Authentik Updates + # ========================================== + - name: Update Authentik + block: + - name: Create Authentik database backup + shell: | + docker exec authentik-db pg_dump -U authentik authentik | \ + gzip > /tmp/authentik-backup-$(date +%Y%m%d-%H%M%S).sql.gz + when: create_backup + + - name: Pull latest Authentik images + docker_image: + name: "{{ item }}" + source: pull + force_source: yes + loop: + - ghcr.io/goauthentik/server:latest + - postgres:16-alpine + - redis:alpine + + - name: Restart Authentik services + docker_compose: + project_src: /opt/docker/authentik + restarted: yes + pull: yes + + - name: Wait for Authentik server to be healthy + shell: docker inspect --format='{{{{.State.Health.Status}}}}' authentik-server + register: authentik_status + until: authentik_status.stdout == "healthy" + retries: 20 + delay: 10 + changed_when: false + + - name: Wait for Authentik worker to be healthy + shell: docker inspect --format='{{{{.State.Health.Status}}}}' authentik-worker + register: authentik_worker_status + until: authentik_worker_status.stdout == "healthy" + retries: 20 + delay: 10 + changed_when: false + + - name: Verify Authentik web interface + uri: + url: "https://auth.{{ client_name }}.vrije.cloud/if/flow/default-authentication-flow/" + validate_certs: yes + status_code: 200 + register: authentik_health + retries: 5 + delay: 10 + + - name: Delay between services + pause: + seconds: "{{ update_delay }}" + when: "'authentik' in services_to_update" + tags: authentik + + # ========================================== + # Nextcloud Updates + # ========================================== + - name: Update Nextcloud + block: + - name: Create Nextcloud database backup + shell: | + docker exec nextcloud-db mysqldump -u nextcloud -p$(docker exec nextcloud-db cat /run/secrets/db_password 2>/dev/null || echo 'password') nextcloud | \ + gzip > /tmp/nextcloud-backup-$(date +%Y%m%d-%H%M%S).sql.gz + when: create_backup + ignore_errors: yes + + - name: Enable Nextcloud maintenance mode + shell: docker exec -u www-data nextcloud php occ maintenance:mode --on + register: maintenance_mode + changed_when: "'Maintenance mode enabled' in maintenance_mode.stdout" + + - name: Pull latest Nextcloud images + docker_image: + name: "{{ item }}" + source: pull + force_source: yes + loop: + - nextcloud:latest + - mariadb:11 + - redis:alpine + - collabora/code:latest + + - name: Restart Nextcloud services + docker_compose: + project_src: /opt/docker/nextcloud + restarted: yes + pull: yes + + - name: Wait for Nextcloud to be ready + shell: docker exec nextcloud-db mysqladmin ping -h localhost -u root --silent + register: nc_db_status + until: nc_db_status.rc == 0 + retries: 20 + delay: 5 + changed_when: false + + - name: Run Nextcloud upgrade (if needed) + shell: docker exec -u www-data nextcloud php occ upgrade + register: nc_upgrade + changed_when: "'Updated database' in nc_upgrade.stdout" + failed_when: nc_upgrade.rc != 0 and 'already latest version' not in nc_upgrade.stdout + + - name: Disable Nextcloud maintenance mode + shell: docker exec -u www-data nextcloud php occ maintenance:mode --off + register: maintenance_off + changed_when: "'Maintenance mode disabled' in maintenance_off.stdout" + + - name: Verify Nextcloud web interface + uri: + url: "https://nextcloud.{{ client_name }}.vrije.cloud/status.php" + validate_certs: yes + status_code: 200 + register: nc_health + retries: 10 + delay: 10 + + - name: Verify Nextcloud installed status + uri: + url: "https://nextcloud.{{ client_name }}.vrije.cloud/status.php" + validate_certs: yes + return_content: yes + register: nc_status_check + failed_when: "'\"installed\":true' not in nc_status_check.content" + + - name: Delay between services + pause: + seconds: "{{ update_delay }}" + when: "'nextcloud' in services_to_update" + tags: nextcloud + + # ========================================== + # Diun Updates + # ========================================== + - name: Update Diun + block: + - name: Pull latest Diun image + docker_image: + name: crazymax/diun:latest + source: pull + force_source: yes + + - name: Restart Diun + docker_compose: + project_src: /opt/docker/diun + restarted: yes + pull: yes + + - name: Wait for Diun to be running + shell: docker inspect --format='{{{{.State.Status}}}}' diun + register: diun_status + until: diun_status.stdout == "running" + retries: 5 + delay: 3 + changed_when: false + when: "'diun' in services_to_update" + tags: diun + + post_tasks: + - name: Get final container status + shell: docker ps --format 'table {{{{.Names}}}}\t{{{{.Status}}}}\t{{{{.Image}}}}' + register: containers_after + changed_when: false + tags: always + + - name: Display final container status + debug: + msg: "{{ containers_after.stdout_lines }}" + tags: always + + - name: Verify all expected containers are running + shell: docker ps --filter "status=running" --format '{{{{.Names}}}}' | wc -l + register: running_count + changed_when: false + tags: always + + - name: Check for unhealthy containers + shell: docker ps --filter "health=unhealthy" --format '{{{{.Names}}}}' + register: unhealthy_containers + changed_when: false + failed_when: unhealthy_containers.stdout != "" + tags: always + + - name: Update summary + debug: + msg: | + ======================================== + Update Summary for {{ inventory_hostname }} + ======================================== + Running containers: {{ running_count.stdout }} + Unhealthy containers: {{ unhealthy_containers.stdout or 'None' }} + + Services updated: {{ services_to_update | join(', ') }} + Status: SUCCESS + tags: always + +- name: Post-update validation + hosts: all + become: yes + gather_facts: no + + tasks: + - name: Final health check + debug: + msg: "All updates completed successfully on {{ inventory_hostname }}" diff --git a/ansible/roles/diun/defaults/main.yml b/ansible/roles/diun/defaults/main.yml index 1313d5b..bfd6da5 100644 --- a/ansible/roles/diun/defaults/main.yml +++ b/ansible/roles/diun/defaults/main.yml @@ -1,7 +1,7 @@ --- # Diun default configuration diun_version: "latest" -diun_schedule: "0 6 * * *" # Daily at 6am UTC +diun_schedule: "0 6 * * 1" # Weekly on Monday at 6am UTC (was daily) diun_log_level: "info" diun_watch_workers: 10 @@ -26,3 +26,6 @@ diun_smtp_to: "pieter@postxsociety.org" # Which containers to watch diun_watch_all: true diun_exclude_containers: [] + +# Reduce notification spam - only send ONE email per server per week +diun_first_check_notif: false diff --git a/ansible/roles/diun/templates/diun.yml.j2 b/ansible/roles/diun/templates/diun.yml.j2 index a973ae2..2336001 100644 --- a/ansible/roles/diun/templates/diun.yml.j2 +++ b/ansible/roles/diun/templates/diun.yml.j2 @@ -8,7 +8,7 @@ db: watch: workers: {{ diun_watch_workers }} schedule: "{{ diun_schedule }}" - firstCheckNotif: false + firstCheckNotif: {{ diun_first_check_notif | lower }} defaults: watchRepo: true diff --git a/ansible/roles/edge-traefik/templates/dynamic.yml.j2 b/ansible/roles/edge-traefik/templates/dynamic.yml.j2 index 1f542aa..8d56294 100644 --- a/ansible/roles/edge-traefik/templates/dynamic.yml.j2 +++ b/ansible/roles/edge-traefik/templates/dynamic.yml.j2 @@ -53,6 +53,270 @@ http: tls: certResolver: letsencrypt + zwaan-auth: + rule: "Host(`auth.zwaan.vrije.cloud`)" + service: zwaan-auth + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + zwaan-nextcloud: + rule: "Host(`nextcloud.zwaan.vrije.cloud`)" + service: zwaan-nextcloud + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + zwaan-collabora: + rule: "Host(`office.zwaan.vrije.cloud`)" + service: zwaan-collabora + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + specht-auth: + rule: "Host(`auth.specht.vrije.cloud`)" + service: specht-auth + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + specht-nextcloud: + rule: "Host(`nextcloud.specht.vrije.cloud`)" + service: specht-nextcloud + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + specht-collabora: + rule: "Host(`office.specht.vrije.cloud`)" + service: specht-collabora + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + das-auth: + rule: "Host(`auth.das.vrije.cloud`)" + service: das-auth + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + das-nextcloud: + rule: "Host(`nextcloud.das.vrije.cloud`)" + service: das-nextcloud + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + das-collabora: + rule: "Host(`office.das.vrije.cloud`)" + service: das-collabora + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + uil-auth: + rule: "Host(`auth.uil.vrije.cloud`)" + service: uil-auth + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + uil-nextcloud: + rule: "Host(`nextcloud.uil.vrije.cloud`)" + service: uil-nextcloud + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + uil-collabora: + rule: "Host(`office.uil.vrije.cloud`)" + service: uil-collabora + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + vos-auth: + rule: "Host(`auth.vos.vrije.cloud`)" + service: vos-auth + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + vos-nextcloud: + rule: "Host(`nextcloud.vos.vrije.cloud`)" + service: vos-nextcloud + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + vos-collabora: + rule: "Host(`office.vos.vrije.cloud`)" + service: vos-collabora + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + haas-auth: + rule: "Host(`auth.haas.vrije.cloud`)" + service: haas-auth + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + haas-nextcloud: + rule: "Host(`nextcloud.haas.vrije.cloud`)" + service: haas-nextcloud + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + haas-collabora: + rule: "Host(`office.haas.vrije.cloud`)" + service: haas-collabora + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + wolf-auth: + rule: "Host(`auth.wolf.vrije.cloud`)" + service: wolf-auth + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + wolf-nextcloud: + rule: "Host(`nextcloud.wolf.vrije.cloud`)" + service: wolf-nextcloud + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + wolf-collabora: + rule: "Host(`office.wolf.vrije.cloud`)" + service: wolf-collabora + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + ree-auth: + rule: "Host(`auth.ree.vrije.cloud`)" + service: ree-auth + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + ree-nextcloud: + rule: "Host(`nextcloud.ree.vrije.cloud`)" + service: ree-nextcloud + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + ree-collabora: + rule: "Host(`office.ree.vrije.cloud`)" + service: ree-collabora + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + mees-auth: + rule: "Host(`auth.mees.vrije.cloud`)" + service: mees-auth + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + mees-nextcloud: + rule: "Host(`nextcloud.mees.vrije.cloud`)" + service: mees-nextcloud + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + mees-collabora: + rule: "Host(`office.mees.vrije.cloud`)" + service: mees-collabora + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + mus-auth: + rule: "Host(`auth.mus.vrije.cloud`)" + service: mus-auth + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + mus-nextcloud: + rule: "Host(`nextcloud.mus.vrije.cloud`)" + service: mus-nextcloud + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + mus-collabora: + rule: "Host(`office.mus.vrije.cloud`)" + service: mus-collabora + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + mol-auth: + rule: "Host(`auth.mol.vrije.cloud`)" + service: mol-auth + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + mol-nextcloud: + rule: "Host(`nextcloud.mol.vrije.cloud`)" + service: mol-nextcloud + entryPoints: + - websecure + tls: + certResolver: letsencrypt + + mol-collabora: + rule: "Host(`office.mol.vrije.cloud`)" + service: mol-collabora + entryPoints: + - websecure + tls: + certResolver: letsencrypt + # Services (backend servers) services: white-auth: @@ -91,6 +355,204 @@ http: - url: "https://10.0.0.41:443" serversTransport: insecureTransport + zwaan-auth: + loadBalancer: + servers: + - url: "https://10.0.0.42:443" + serversTransport: insecureTransport + + zwaan-nextcloud: + loadBalancer: + servers: + - url: "https://10.0.0.42:443" + serversTransport: insecureTransport + + zwaan-collabora: + loadBalancer: + servers: + - url: "https://10.0.0.42:443" + serversTransport: insecureTransport + + specht-auth: + loadBalancer: + servers: + - url: "https://10.0.0.43:443" + serversTransport: insecureTransport + + specht-nextcloud: + loadBalancer: + servers: + - url: "https://10.0.0.43:443" + serversTransport: insecureTransport + + specht-collabora: + loadBalancer: + servers: + - url: "https://10.0.0.43:443" + serversTransport: insecureTransport + + das-auth: + loadBalancer: + servers: + - url: "https://10.0.0.44:443" + serversTransport: insecureTransport + + das-nextcloud: + loadBalancer: + servers: + - url: "https://10.0.0.44:443" + serversTransport: insecureTransport + + das-collabora: + loadBalancer: + servers: + - url: "https://10.0.0.44:443" + serversTransport: insecureTransport + + uil-auth: + loadBalancer: + servers: + - url: "https://10.0.0.45:443" + serversTransport: insecureTransport + + uil-nextcloud: + loadBalancer: + servers: + - url: "https://10.0.0.45:443" + serversTransport: insecureTransport + + uil-collabora: + loadBalancer: + servers: + - url: "https://10.0.0.45:443" + serversTransport: insecureTransport + + vos-auth: + loadBalancer: + servers: + - url: "https://10.0.0.46:443" + serversTransport: insecureTransport + + vos-nextcloud: + loadBalancer: + servers: + - url: "https://10.0.0.46:443" + serversTransport: insecureTransport + + vos-collabora: + loadBalancer: + servers: + - url: "https://10.0.0.46:443" + serversTransport: insecureTransport + + haas-auth: + loadBalancer: + servers: + - url: "https://10.0.0.47:443" + serversTransport: insecureTransport + + haas-nextcloud: + loadBalancer: + servers: + - url: "https://10.0.0.47:443" + serversTransport: insecureTransport + + haas-collabora: + loadBalancer: + servers: + - url: "https://10.0.0.47:443" + serversTransport: insecureTransport + + wolf-auth: + loadBalancer: + servers: + - url: "https://10.0.0.48:443" + serversTransport: insecureTransport + + wolf-nextcloud: + loadBalancer: + servers: + - url: "https://10.0.0.48:443" + serversTransport: insecureTransport + + wolf-collabora: + loadBalancer: + servers: + - url: "https://10.0.0.48:443" + serversTransport: insecureTransport + + ree-auth: + loadBalancer: + servers: + - url: "https://10.0.0.49:443" + serversTransport: insecureTransport + + ree-nextcloud: + loadBalancer: + servers: + - url: "https://10.0.0.49:443" + serversTransport: insecureTransport + + ree-collabora: + loadBalancer: + servers: + - url: "https://10.0.0.49:443" + serversTransport: insecureTransport + + mees-auth: + loadBalancer: + servers: + - url: "https://10.0.0.50:443" + serversTransport: insecureTransport + + mees-nextcloud: + loadBalancer: + servers: + - url: "https://10.0.0.50:443" + serversTransport: insecureTransport + + mees-collabora: + loadBalancer: + servers: + - url: "https://10.0.0.50:443" + serversTransport: insecureTransport + + mus-auth: + loadBalancer: + servers: + - url: "https://10.0.0.51:443" + serversTransport: insecureTransport + + mus-nextcloud: + loadBalancer: + servers: + - url: "https://10.0.0.51:443" + serversTransport: insecureTransport + + mus-collabora: + loadBalancer: + servers: + - url: "https://10.0.0.51:443" + serversTransport: insecureTransport + + mol-auth: + loadBalancer: + servers: + - url: "https://10.0.0.53:443" + serversTransport: insecureTransport + + mol-nextcloud: + loadBalancer: + servers: + - url: "https://10.0.0.53:443" + serversTransport: insecureTransport + + mol-collabora: + loadBalancer: + servers: + - url: "https://10.0.0.53:443" + serversTransport: insecureTransport + # Server transport (allow self-signed certs from backends) serversTransports: insecureTransport: diff --git a/ansible/roles/nextcloud/defaults/main.yml b/ansible/roles/nextcloud/defaults/main.yml index 37f44a6..d584d48 100644 --- a/ansible/roles/nextcloud/defaults/main.yml +++ b/ansible/roles/nextcloud/defaults/main.yml @@ -2,7 +2,7 @@ # Default variables for nextcloud role # Nextcloud version -nextcloud_version: "30" # Latest stable version (uses major version tag) +nextcloud_version: "latest" # Always use latest stable version # Database configuration nextcloud_db_type: "pgsql" diff --git a/ansible/roles/nextcloud/tasks/docker.yml b/ansible/roles/nextcloud/tasks/docker.yml index d690f91..5a46214 100644 --- a/ansible/roles/nextcloud/tasks/docker.yml +++ b/ansible/roles/nextcloud/tasks/docker.yml @@ -20,10 +20,12 @@ state: present register: nextcloud_deploy -- name: Wait for Nextcloud to be ready - wait_for: - host: localhost - port: 80 - delay: 10 - timeout: 300 +- name: Wait for Nextcloud container to be ready + shell: docker exec nextcloud sh -c 'until curl -f http://localhost:80 >/dev/null 2>&1; do sleep 2; done' + args: + executable: /bin/bash + register: nextcloud_ready + changed_when: false + failed_when: false + timeout: 300 when: nextcloud_deploy.changed diff --git a/ansible/roles/nextcloud/tasks/oidc.yml b/ansible/roles/nextcloud/tasks/oidc.yml index 55f7df2..f466b23 100644 --- a/ansible/roles/nextcloud/tasks/oidc.yml +++ b/ansible/roles/nextcloud/tasks/oidc.yml @@ -56,6 +56,17 @@ register: oidc_config changed_when: oidc_config.rc == 0 +- name: Configure OIDC settings (allow native login + OIDC) + shell: | + docker exec -u www-data nextcloud php occ config:app:set user_oidc allow_multiple_user_backends --value=1 + docker exec -u www-data nextcloud php occ config:app:set user_oidc auto_provision --value=1 + docker exec -u www-data nextcloud php occ config:app:set user_oidc single_logout --value=0 + when: + - authentik_oidc is defined + - authentik_oidc.success | default(false) + register: oidc_settings + changed_when: oidc_settings.rc == 0 + - name: Cleanup OIDC credentials file file: path: /tmp/authentik_oidc_credentials.json diff --git a/ansible/roles/nextcloud/templates/docker-compose.nextcloud.yml.j2 b/ansible/roles/nextcloud/templates/docker-compose.nextcloud.yml.j2 index 8ddd42e..4825508 100644 --- a/ansible/roles/nextcloud/templates/docker-compose.nextcloud.yml.j2 +++ b/ansible/roles/nextcloud/templates/docker-compose.nextcloud.yml.j2 @@ -10,8 +10,17 @@ services: POSTGRES_DB: {{ nextcloud_db_name }} POSTGRES_USER: {{ nextcloud_db_user }} POSTGRES_PASSWORD: {{ client_secrets.nextcloud_db_password }} - # Grant full privileges to the user POSTGRES_INITDB_ARGS: "--auth-host=scram-sha-256" + command: > + postgres + -c shared_buffers=256MB + -c max_connections=200 + -c shared_preload_libraries='' + healthcheck: + test: ["CMD-SHELL", "pg_isready -U {{ nextcloud_db_user }} -d {{ nextcloud_db_name }}"] + interval: 10s + timeout: 5s + retries: 5 networks: - nextcloud-internal diff --git a/keys/ssh/bever.pub b/keys/ssh/bever.pub new file mode 100644 index 0000000..804b8e9 --- /dev/null +++ b/keys/ssh/bever.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILKuSYRVVWCYqjNvJ5pHZTErkmVbEb1g3ac8olXUcXy7 client-bever-deploy-key diff --git a/keys/ssh/black.pub b/keys/ssh/black.pub new file mode 100644 index 0000000..0150323 --- /dev/null +++ b/keys/ssh/black.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJU6ntTc5bYP4FslcLXjm9C+RsO+hygmlsIo8tGOC1Up client-black-deploy-key diff --git a/keys/ssh/das.pub b/keys/ssh/das.pub new file mode 100644 index 0000000..df8f314 --- /dev/null +++ b/keys/ssh/das.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsGfzhrcVtYEn2YHzxVGibBDXPd571unltfOaVo5JlR client-das-deploy-key diff --git a/keys/ssh/edge.pub b/keys/ssh/edge.pub new file mode 100644 index 0000000..cff58b5 --- /dev/null +++ b/keys/ssh/edge.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICpzsMHVbAZMugslwn2mJnxg30zYrfU3t+zsZ7Lw3DDD edge-server-deploy-key diff --git a/keys/ssh/egel.pub b/keys/ssh/egel.pub new file mode 100644 index 0000000..58ab33e --- /dev/null +++ b/keys/ssh/egel.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE75mnMfKHTIeq5Hp8LKaKYHGbzdFke1a9N7e0UEMNBu client-egel-deploy-key diff --git a/keys/ssh/green.pub b/keys/ssh/green.pub deleted file mode 100644 index 657492d..0000000 --- a/keys/ssh/green.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBELJtdA3jK2LirX+DSQmGaeiI8U3A6aslNP+JpZlo7q green-client-deploy diff --git a/keys/ssh/haas.pub b/keys/ssh/haas.pub new file mode 100644 index 0000000..5a6de91 --- /dev/null +++ b/keys/ssh/haas.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAa4QHMVKnTSS/q5kptQYzas7ln2MbgE5Db47GM2DjRI client-haas-deploy-key diff --git a/keys/ssh/kikker.pub b/keys/ssh/kikker.pub new file mode 100644 index 0000000..a708dbf --- /dev/null +++ b/keys/ssh/kikker.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICtZzQTzNWLcFi4NNqg6l53kqPVDsgau1O7GWWKwZh9l client-kikker-deploy-key diff --git a/keys/ssh/kraai.pub b/keys/ssh/kraai.pub new file mode 100644 index 0000000..162b08e --- /dev/null +++ b/keys/ssh/kraai.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXF5COMplFqwxCRymXN7y4b+RWiBbVQpIMmFoK10qgh client-kraai-deploy-key diff --git a/keys/ssh/mees.pub b/keys/ssh/mees.pub new file mode 100644 index 0000000..cc9525b --- /dev/null +++ b/keys/ssh/mees.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDGPPukFDhM4eIolsowRsD6jYrNYoM3/B9yLi2KNqmPi client-mees-deploy-key diff --git a/keys/ssh/mol.pub b/keys/ssh/mol.pub new file mode 100644 index 0000000..95aefd6 --- /dev/null +++ b/keys/ssh/mol.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHAsLbdkl0peC15KnxhSsCI45Z2FwQu2Hy1LArzHoXu5 client-mol-deploy-key diff --git a/keys/ssh/mus.pub b/keys/ssh/mus.pub new file mode 100644 index 0000000..2d11411 --- /dev/null +++ b/keys/ssh/mus.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAoeg3LDX5zRuw5Yt5WwbYNRXo70H7e5OYE3oMbJRyL client-mus-deploy-key diff --git a/keys/ssh/otter.pub b/keys/ssh/otter.pub new file mode 100644 index 0000000..df70953 --- /dev/null +++ b/keys/ssh/otter.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG3edQhsIBD9Ers7wuFWSww8r3ROkKNJF8YcxgRtQdov client-otter-deploy-key diff --git a/keys/ssh/purple.pub b/keys/ssh/purple.pub new file mode 100644 index 0000000..01b855a --- /dev/null +++ b/keys/ssh/purple.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHuR1BR4JaATFwOmLauvvfKjhHarPz1SfnJ+j0caqISr client-purple-deploy-key diff --git a/keys/ssh/ree.pub b/keys/ssh/ree.pub new file mode 100644 index 0000000..594743c --- /dev/null +++ b/keys/ssh/ree.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB4QOkx75M28l7JAkQPl8bLjGuV/kKDFQINkUGRVRgIk client-ree-deploy-key diff --git a/keys/ssh/specht.pub b/keys/ssh/specht.pub new file mode 100644 index 0000000..212bc3e --- /dev/null +++ b/keys/ssh/specht.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAXFskaLenHy4FJHUZL2gpehFUAYaUdNfwP0BTMqp4La client-specht-deploy-key diff --git a/keys/ssh/uil.pub b/keys/ssh/uil.pub new file mode 100644 index 0000000..abac874 --- /dev/null +++ b/keys/ssh/uil.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEhDcLx3ZaBXSHbhOoAgb5sI5xUVJwZEXl2HYq5+eRID client-uil-deploy-key diff --git a/keys/ssh/valk.pub b/keys/ssh/valk.pub new file mode 100644 index 0000000..bf0114f --- /dev/null +++ b/keys/ssh/valk.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLDJCSNj3OZDDwGgoWSxy17K8DmJ8eqUXQ4Wmu/vRtG client-valk-deploy-key diff --git a/keys/ssh/vos.pub b/keys/ssh/vos.pub new file mode 100644 index 0000000..d63c142 --- /dev/null +++ b/keys/ssh/vos.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDg8F6LIVfdBdhD/CiNavs+xfFSiu9jxMmZcyigskuIQ client-vos-deploy-key diff --git a/keys/ssh/white.pub b/keys/ssh/white.pub new file mode 100644 index 0000000..d014501 --- /dev/null +++ b/keys/ssh/white.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+BKRVBWUnS2NSPLvP3nxW7oxcv5wfu2DAY1YP0M+6m client-white-deploy-key diff --git a/keys/ssh/wolf.pub b/keys/ssh/wolf.pub new file mode 100644 index 0000000..6166f8f --- /dev/null +++ b/keys/ssh/wolf.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUcrgfG+JWtieySkcSZNyBehf/rB0YEQ35IQ93L+HHP client-wolf-deploy-key diff --git a/keys/ssh/zwaan.pub b/keys/ssh/zwaan.pub new file mode 100644 index 0000000..a176b9c --- /dev/null +++ b/keys/ssh/zwaan.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG76TbSdY1o5T7PlzGkbfu0HNGOKsiW5vtbAKLDz0BGv client-zwaan-deploy-key diff --git a/scripts/add-client-to-terraform.sh b/scripts/add-client-to-terraform.sh index cfef3f3..6c3c261 100755 --- a/scripts/add-client-to-terraform.sh +++ b/scripts/add-client-to-terraform.sh @@ -212,10 +212,37 @@ mv "$TMP_FILE" "$TFVARS_FILE" echo "" echo -e "${GREEN}✓ Client '${CLIENT_NAME}' added to terraform.tfvars${NC}" echo "" + +# Create Ansible host_vars file +HOST_VARS_FILE="$PROJECT_ROOT/ansible/host_vars/${CLIENT_NAME}.yml" +if [ ! -f "$HOST_VARS_FILE" ]; then + echo -e "${BLUE}Creating Ansible host_vars file...${NC}" + + mkdir -p "$(dirname "$HOST_VARS_FILE")" + + cat > "$HOST_VARS_FILE" << EOF +--- +# ${CLIENT_NAME} server - behind edge proxy (private network only) + +# SSH via edge server as bastion/jump host +ansible_host: ${PRIVATE_IP} +ansible_ssh_common_args: '-o ProxyCommand="ssh -i ../keys/ssh/edge -W %h:%p -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@78.47.191.38" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' + +# Client identification +client_name: ${CLIENT_NAME} +client_domain: ${CLIENT_NAME}.vrije.cloud +client_secrets_file: ${CLIENT_NAME}.sops.yaml +EOF + + echo -e "${GREEN}✓ Created host_vars file: $HOST_VARS_FILE${NC}" + echo "" +fi + echo "Configuration added:" echo " Server: $SERVER_TYPE in $LOCATION" echo " Volume: $VOLUME_SIZE GB" echo " Apps: $APPS" +echo " Private IP: $PRIVATE_IP" echo "" echo -e "${CYAN}Next steps:${NC}" echo "1. Review changes: cat tofu/terraform.tfvars" diff --git a/scripts/configure-oidc.sh b/scripts/configure-oidc.sh new file mode 100755 index 0000000..a3e1728 --- /dev/null +++ b/scripts/configure-oidc.sh @@ -0,0 +1,156 @@ +#!/usr/bin/env bash +# +# Configure OIDC for a single client +# +# Usage: ./scripts/configure-oidc.sh +# +# This script: +# 1. Creates OIDC provider in Authentik +# 2. Installs user_oidc app in Nextcloud +# 3. Configures OIDC connection +# 4. Enables multiple user backends + +set -euo pipefail + +# Colors +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[1;33m' +BLUE='\033[0;34m' +NC='\033[0m' + +# Script directory +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +PROJECT_ROOT="$(dirname "$SCRIPT_DIR")" + +# Check arguments +if [ $# -ne 1 ]; then + echo -e "${RED}Error: Client name required${NC}" + echo "Usage: $0 " + exit 1 +fi + +CLIENT_NAME="$1" + +# Check environment variables +if [ -z "${SOPS_AGE_KEY_FILE:-}" ]; then + export SOPS_AGE_KEY_FILE="$PROJECT_ROOT/keys/age-key.txt" +fi + +if [ -z "${HCLOUD_TOKEN:-}" ]; then + echo -e "${RED}Error: HCLOUD_TOKEN not set${NC}" + exit 1 +fi + +echo -e "${BLUE}Configuring OIDC for ${CLIENT_NAME}...${NC}" + +cd "$PROJECT_ROOT" + +# Step 1: Get credentials from secrets +echo "Getting credentials from secrets..." +TOKEN=$(sops -d "secrets/clients/${CLIENT_NAME}.sops.yaml" | grep authentik_bootstrap_token | awk '{print $2}') + +if [ -z "$TOKEN" ]; then + echo -e "${RED}Error: Could not get Authentik token${NC}" + exit 1 +fi + +# Step 2: Create OIDC provider in Authentik +echo "Creating OIDC provider in Authentik..." + +# Create Python script +cat > /tmp/create_oidc_${CLIENT_NAME}.py << EOFPYTHON +import sys, json, urllib.request +base_url, token = "http://localhost:9000", "${TOKEN}" +def req(p, m='GET', d=None): + r = urllib.request.Request(f"{base_url}{p}", json.dumps(d).encode() if d else None, {'Authorization': f'Bearer {token}', 'Content-Type': 'application/json'}, method=m) + try: + with urllib.request.urlopen(r, timeout=30) as resp: return resp.status, json.loads(resp.read()) + except urllib.error.HTTPError as e: return e.code, json.loads(e.read()) if e.headers.get('Content-Type', '').startswith('application/json') else {'error': e.read().decode()} +s, d = req('/api/v3/flows/instances/') +auth_flow = next((f['pk'] for f in d.get('results', []) if f.get('slug') == 'default-authorization-flow' or f.get('designation') == 'authorization'), None) +inval_flow = next((f['pk'] for f in d.get('results', []) if f.get('slug') == 'default-invalidation-flow' or f.get('designation') == 'invalidation'), None) +s, d = req('/api/v3/crypto/certificatekeypairs/') +key = d.get('results', [{}])[0].get('pk') if d.get('results') else None +if not auth_flow or not key: print(json.dumps({'error': 'Config missing', 'auth_flow': auth_flow, 'key': key}), file=sys.stderr); sys.exit(1) +s, prov = req('/api/v3/providers/oauth2/', 'POST', {'name': 'Nextcloud', 'authorization_flow': auth_flow, 'invalidation_flow': inval_flow, 'client_type': 'confidential', 'redirect_uris': [{'matching_mode': 'strict', 'url': 'https://nextcloud.${CLIENT_NAME}.vrije.cloud/apps/user_oidc/code'}], 'signing_key': key, 'sub_mode': 'hashed_user_id', 'include_claims_in_id_token': True}) +if s != 201: print(json.dumps({'error': 'Provider failed', 'status': s, 'details': prov}), file=sys.stderr); sys.exit(1) +s, app = req('/api/v3/core/applications/', 'POST', {'name': 'Nextcloud', 'slug': 'nextcloud', 'provider': prov['pk'], 'meta_launch_url': 'https://nextcloud.${CLIENT_NAME}.vrije.cloud'}) +if s != 201: print(json.dumps({'error': 'App failed', 'status': s, 'details': app}), file=sys.stderr); sys.exit(1) +print(json.dumps({'success': True, 'provider_id': prov['pk'], 'application_id': app['pk'], 'client_id': prov['client_id'], 'client_secret': prov['client_secret'], 'discovery_uri': f"https://auth.${CLIENT_NAME}.vrije.cloud/application/o/nextcloud/.well-known/openid-configuration", 'issuer': f"https://auth.${CLIENT_NAME}.vrije.cloud/application/o/nextcloud/"})) +EOFPYTHON + +# Copy script to server and execute +cd ansible +env HCLOUD_TOKEN="$HCLOUD_TOKEN" \ + ansible "${CLIENT_NAME}" \ + -i hcloud.yml \ + -m copy \ + -a "src=/tmp/create_oidc_${CLIENT_NAME}.py dest=/tmp/create_oidc.py mode=0755" \ + --private-key "../keys/ssh/${CLIENT_NAME}" > /dev/null 2>&1 + +# Execute the script +OIDC_RESULT=$(env HCLOUD_TOKEN="$HCLOUD_TOKEN" \ + ansible "${CLIENT_NAME}" \ + -i hcloud.yml \ + -m shell \ + -a "docker exec -i authentik-server python3 < /tmp/create_oidc.py" \ + --private-key "../keys/ssh/${CLIENT_NAME}" 2>/dev/null | grep -A1 "CHANGED" | tail -1) + +if [ -z "$OIDC_RESULT" ]; then + echo -e "${RED}Error: Failed to create OIDC provider${NC}" + exit 1 +fi + +# Parse credentials +CLIENT_ID=$(echo "$OIDC_RESULT" | python3 -c "import sys, json; d=json.load(sys.stdin); print(d['client_id'])") +CLIENT_SECRET=$(echo "$OIDC_RESULT" | python3 -c "import sys, json; d=json.load(sys.stdin); print(d['client_secret'])") +DISCOVERY_URI=$(echo "$OIDC_RESULT" | python3 -c "import sys, json; d=json.load(sys.stdin); print(d['discovery_uri'])") + +if [ -z "$CLIENT_ID" ] || [ -z "$CLIENT_SECRET" ] || [ -z "$DISCOVERY_URI" ]; then + echo -e "${RED}Error: Failed to parse OIDC credentials${NC}" + exit 1 +fi + +echo -e "${GREEN}✓ OIDC provider created${NC}" + +# Step 3: Install user_oidc app in Nextcloud +echo "Installing user_oidc app..." + +env HCLOUD_TOKEN="$HCLOUD_TOKEN" \ + ansible "${CLIENT_NAME}" \ + -i hcloud.yml \ + -m shell \ + -a "docker exec -u www-data nextcloud php occ app:install user_oidc" \ + --private-key "../keys/ssh/${CLIENT_NAME}" > /dev/null 2>&1 || true + +echo -e "${GREEN}✓ user_oidc app installed${NC}" + +# Step 4: Configure OIDC provider in Nextcloud +echo "Configuring OIDC provider..." + +env HCLOUD_TOKEN="$HCLOUD_TOKEN" \ + ansible "${CLIENT_NAME}" \ + -i hcloud.yml \ + -m shell \ + -a "docker exec -u www-data nextcloud php occ user_oidc:provider --clientid=\"${CLIENT_ID}\" --clientsecret=\"${CLIENT_SECRET}\" --discoveryuri=\"${DISCOVERY_URI}\" \"Authentik\"" \ + --private-key "../keys/ssh/${CLIENT_NAME}" > /dev/null 2>&1 + +echo -e "${GREEN}✓ OIDC provider configured${NC}" + +# Step 5: Configure OIDC settings +echo "Configuring OIDC settings..." + +env HCLOUD_TOKEN="$HCLOUD_TOKEN" \ + ansible "${CLIENT_NAME}" \ + -i hcloud.yml \ + -m shell \ + -a "docker exec -u www-data nextcloud php occ config:app:set user_oidc allow_multiple_user_backends --value=1 && docker exec -u www-data nextcloud php occ config:app:set user_oidc auto_provision --value=1 && docker exec -u www-data nextcloud php occ config:app:set user_oidc single_logout --value=0" \ + --private-key "../keys/ssh/${CLIENT_NAME}" > /dev/null 2>&1 + +echo -e "${GREEN}✓ OIDC settings configured${NC}" + +# Cleanup +rm -f /tmp/create_oidc_${CLIENT_NAME}.py + +echo -e "${GREEN}✓ OIDC configuration complete for ${CLIENT_NAME}${NC}" diff --git a/scripts/deploy-client.sh b/scripts/deploy-client.sh index 66d8b2e..47fbd54 100755 --- a/scripts/deploy-client.sh +++ b/scripts/deploy-client.sh @@ -179,6 +179,12 @@ echo -e "${YELLOW}[1/5] Provisioning infrastructure with OpenTofu...${NC}" cd "$PROJECT_ROOT/tofu" +# Export TF_VAR environment variables if HCLOUD_TOKEN is set +if [ -n "${HCLOUD_TOKEN:-}" ]; then + export TF_VAR_hcloud_token="$HCLOUD_TOKEN" + export TF_VAR_hetznerdns_token="$HCLOUD_TOKEN" +fi + # Check if already exists if tofu state list 2>/dev/null | grep -q "hcloud_server.client\[\"$CLIENT_NAME\"\]"; then echo -e "${YELLOW}⚠ Server already exists, applying any missing DNS records...${NC}" @@ -203,7 +209,7 @@ echo -e "${YELLOW}[2/5] Setting up base system (Docker, Traefik)...${NC}" cd "$PROJECT_ROOT/ansible" -~/.local/bin/ansible-playbook -i hcloud.yml playbooks/setup.yml --limit "$CLIENT_NAME" +~/.local/bin/ansible-playbook -i hcloud.yml playbooks/setup.yml --limit "$CLIENT_NAME" --private-key "../keys/ssh/$CLIENT_NAME" echo "" echo -e "${GREEN}✓ Base system configured${NC}" @@ -212,7 +218,7 @@ echo "" # Step 3: Deploy applications echo -e "${YELLOW}[3/5] Deploying applications (Authentik, Nextcloud, SSO)...${NC}" -~/.local/bin/ansible-playbook -i hcloud.yml playbooks/deploy.yml --limit "$CLIENT_NAME" +~/.local/bin/ansible-playbook -i hcloud.yml playbooks/deploy.yml --limit "$CLIENT_NAME" --private-key "../keys/ssh/$CLIENT_NAME" echo "" echo -e "${GREEN}✓ Applications deployed${NC}" diff --git a/scripts/destroy-client.sh b/scripts/destroy-client.sh index 2b89e98..7ef2c34 100755 --- a/scripts/destroy-client.sh +++ b/scripts/destroy-client.sh @@ -142,14 +142,31 @@ tofu plan -destroy -var-file="terraform.tfvars" \ -target="hcloud_server.client[\"$CLIENT_NAME\"]" \ -target="hcloud_volume.nextcloud_data[\"$CLIENT_NAME\"]" \ -target="hcloud_volume_attachment.nextcloud_data[\"$CLIENT_NAME\"]" \ - -target="hcloud_ssh_key.client_keys[\"$CLIENT_NAME\"]" \ - -target="hetznerdns_record.client_domain[\"$CLIENT_NAME\"]" \ - -target="hetznerdns_record.client_wildcard[\"$CLIENT_NAME\"]" \ + -target="hcloud_ssh_key.client[\"$CLIENT_NAME\"]" \ + -target="hcloud_zone_rrset.client_a[\"$CLIENT_NAME\"]" \ + -target="hcloud_zone_rrset.client_wildcard[\"$CLIENT_NAME\"]" \ -out=destroy.tfplan +echo "" +echo "Verifying plan only targets $CLIENT_NAME resources..." + +# Verify the plan only contains the client's resources +PLAN_OUTPUT=$(tofu show destroy.tfplan 2>&1) +if echo "$PLAN_OUTPUT" | grep -E "will be destroyed" | grep -v "\"$CLIENT_NAME\"" | grep -q .; then + echo -e "${RED}ERROR: Plan contains resources NOT belonging to $CLIENT_NAME!${NC}" + echo "" + echo "Resources in plan:" + echo "$PLAN_OUTPUT" | grep -E "# .* will be destroyed" | head -20 + echo "" + echo "Aborting to prevent accidental destruction of other clients." + rm -f destroy.tfplan + exit 1 +fi + +echo -e "${GREEN}✓ Plan verified - only $CLIENT_NAME resources will be destroyed${NC}" echo "" echo "Applying destruction..." -tofu apply destroy.tfplan +tofu apply -auto-approve destroy.tfplan # Cleanup plan file rm -f destroy.tfplan diff --git a/scripts/health-check.sh b/scripts/health-check.sh new file mode 100755 index 0000000..3e0bf82 --- /dev/null +++ b/scripts/health-check.sh @@ -0,0 +1,116 @@ +#!/bin/bash +# Health check script for client servers +# Usage: ./health-check.sh + +set -euo pipefail + +CLIENT="${1:-}" + +if [ -z "$CLIENT" ]; then + echo "Usage: $0 " + echo "Example: $0 black" + exit 1 +fi + +# Colors +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[1;33m' +NC='\033[0m' # No Color + +# Get client IP +cd "$(dirname "$0")/../tofu" +IP=$(tofu output -json client_ips 2>/dev/null | jq -r ".$CLIENT" 2>/dev/null) + +if [ -z "$IP" ] || [ "$IP" = "null" ]; then + echo -e "${RED}✗ ERROR: Client '$CLIENT' not found${NC}" + exit 1 +fi + +echo "========================================" +echo "Health Check: $CLIENT ($IP)" +echo "========================================" +echo "" + +# Container Status +echo "Container Status:" +echo "----------------" +ssh -i "../keys/ssh/$CLIENT" -o StrictHostKeyChecking=no root@$IP \ + "docker ps --format 'table {{.Names}}\t{{.Status}}' | grep -E 'NAME|traefik|authentik|nextcloud|collabora|diun|redis|db'" 2>/dev/null || { + echo -e "${RED}✗ Cannot connect to server${NC}" + exit 1 +} +echo "" + +# Service URLs +echo "Service Accessibility:" +echo "---------------------" + +# Authentik +AUTH_STATUS=$(curl -sI "https://auth.$CLIENT.vrije.cloud" 2>/dev/null | grep HTTP | awk '{print $2}') +if [ "$AUTH_STATUS" = "200" ] || [ "$AUTH_STATUS" = "302" ]; then + echo -e "Authentik: ${GREEN}✓ OK${NC} (HTTP $AUTH_STATUS)" +else + echo -e "Authentik: ${RED}✗ FAIL${NC} (HTTP ${AUTH_STATUS:-timeout})" +fi + +# Nextcloud +NC_STATUS=$(curl -sI "https://nextcloud.$CLIENT.vrije.cloud" 2>/dev/null | grep HTTP | awk '{print $2}') +if [ "$NC_STATUS" = "200" ] || [ "$NC_STATUS" = "302" ]; then + echo -e "Nextcloud: ${GREEN}✓ OK${NC} (HTTP $NC_STATUS)" +else + echo -e "Nextcloud: ${RED}✗ FAIL${NC} (HTTP ${NC_STATUS:-timeout})" +fi + +# Collabora +COLLAB_STATUS=$(curl -sI "https://office.$CLIENT.vrije.cloud" 2>/dev/null | grep HTTP | awk '{print $2}') +if [ "$COLLAB_STATUS" = "200" ]; then + echo -e "Collabora: ${GREEN}✓ OK${NC} (HTTP $COLLAB_STATUS)" +else + echo -e "Collabora: ${YELLOW}⚠ WARNING${NC} (HTTP ${COLLAB_STATUS:-timeout})" +fi +echo "" + +# Disk Usage +echo "Disk Usage:" +echo "-----------" +DISK_USAGE=$(ssh -i "../keys/ssh/$CLIENT" -o StrictHostKeyChecking=no root@$IP \ + "df -h /mnt/nextcloud-data 2>/dev/null | tail -1" || echo "N/A") +echo "$DISK_USAGE" +echo "" + +# fail2ban +echo "Security (fail2ban):" +echo "--------------------" +BANNED=$(ssh -i "../keys/ssh/$CLIENT" -o StrictHostKeyChecking=no root@$IP \ + "fail2ban-client status sshd 2>/dev/null | grep 'Currently banned'" || echo "N/A") +echo "$BANNED" +echo "" + +# SSL Certificate Expiry +echo "SSL Certificate:" +echo "----------------" +CERT_EXPIRY=$(echo | openssl s_client -connect "auth.$CLIENT.vrije.cloud:443" 2>/dev/null | \ + openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2) +if [ -n "$CERT_EXPIRY" ]; then + echo -e "Expires: ${GREEN}$CERT_EXPIRY${NC}" +else + echo -e "${RED}✗ Cannot retrieve certificate${NC}" +fi +echo "" + +# Diun Status (if installed) +echo "Monitoring (Diun):" +echo "------------------" +DIUN_STATUS=$(ssh -i "../keys/ssh/$CLIENT" -o StrictHostKeyChecking=no root@$IP \ + "docker ps --filter 'name=diun' --format '{{.Status}}' 2>/dev/null" || echo "Not installed") +if [ "$DIUN_STATUS" = "Not installed" ]; then + echo -e "${YELLOW}⚠ Diun not installed${NC}" +else + echo -e "${GREEN}✓ Diun: $DIUN_STATUS${NC}" +fi +echo "" + +echo "========================================" +echo -e "${GREEN}Health check complete!${NC}" +echo "========================================" diff --git a/secrets/clients/bever.sops.yaml b/secrets/clients/bever.sops.yaml new file mode 100644 index 0000000..52893af --- /dev/null +++ b/secrets/clients/bever.sops.yaml @@ -0,0 +1,38 @@ +#ENC[AES256_GCM,data:7JUvIjolKk0K4LX1Ruum6SLciqyHyybfTQ4=,iv:MNU2x5ACjpm/QJlGjBD6a6LJFtD219uTWHFKmr9IfQk=,tag:CVItmHXurNofeg9w+haFog==,type:comment] +#ENC[AES256_GCM,data:wWjTifXRNQ25dM+k4W8cMyolIMQ+zphKe2AYiMuEVyIBd2Evdv4=,iv:Q6/LgZNSv3tee2FcHXUZ1wIvSR25aoiqg7BAyWgWTKI=,tag:p5LuG2OMb3hoYPgK+ab7mQ==,type:comment] +#ENC[AES256_GCM,data:RjmOnfVrJ/8xJZaTlN6OGobGGACNZQ==,iv:4FBY1WOfonv5WfKATTuZkEsqYPicM1zcX8qWu+lTk0Q=,tag:I025riqowW5FKUezBm0GZA==,type:comment] +client_name: ENC[AES256_GCM,data:W0Bh0eE=,iv:VKQcOSHp5N9JH6eJoow3pXwcWU1eWGcbThQFocrayWQ=,tag:M4E+gRivJQbrjd0/bQNudw==,type:str] +client_domain: ENC[AES256_GCM,data:Nqo8XlNOqHv8LkhRby06fUY=,iv:hfQYcKPm+btkwdenIPEX2TIXsPVGnWQiCY81aaduBks=,tag:GiHBboDci/99P8QHS7/PbA==,type:str] +#ENC[AES256_GCM,data:icjtWREHoSAGN5rPbdL4j1XPeMZuzEoS,iv:sIuJcsE+rO0sZ5qhdNK6PGxtErrv2bm2HCi48P5FQKQ=,tag:P5plYgUPY9LNOQhpux6fSg==,type:comment] +authentik_domain: ENC[AES256_GCM,data:W/R65b//HiDwPhxYXEKR4Fxi+rJtRw==,iv:mr9cs4LR/aA/7bJdO68WI+sKvzvy80RTCvmU66Cvzg8=,tag:DDKCjeyc2kC5Mval69f6OA==,type:str] +authentik_db_password: ENC[AES256_GCM,data:/P3gQbozHLINd3KQJA/0u8MhUqhMcz6MOoLVH31X6cwmGv2q3y6KeBA8gg==,iv:stKEPGqH4EMc3h3afSX2pP3dEos3H8+mJ9o1LSF224k=,tag:7XtR6fRYfqJ4veuUlpK/vg==,type:str] +authentik_secret_key: ENC[AES256_GCM,data:/1LY8xqI9A5Et20mkY3X2y4o6d+ka7/vqNSxQS2PJ5LAMTAEt9qbX2rr1g==,iv:v93bXYDwvXgifMLngG25qDaXPR690LWeQjkTf0fqNuw=,tag:0JYsyKSJFYWAHYawDybfGQ==,type:str] +#ENC[AES256_GCM,data:Mw3fsLyDrw39Q2OWiyrtEdls8ub5fTWEqVmGeLTg0qkpvzsrgWRW/GiPW7SYbKU=,iv:qHqh5k1N/GaxbTJYRvPZm4RfYc0MVNDXdI7skEBBqvg=,tag:tQ3OQyNLoBymibw59GG+VA==,type:comment] +authentik_bootstrap_password: ENC[AES256_GCM,data:RDvAMIvOYmxbwxSjb+kXqmh8GU1sSA6KHqSh8UecjB1k7F5auXN6O8ETfw==,iv:S6DC4/UTMRy/NwhnT641q+ary4638hdLPSJ2duivgZ0=,tag:8etXMMBlgVz8pM0trndyOg==,type:str] +authentik_bootstrap_token: ENC[AES256_GCM,data:m467HmEab1OSqAzw8Yi9rcL3lRkJJW82k6nYlFiXj7UOgutJtT4BxUaSfMdUxA==,iv:8bi5CITxJK8Mgr0iSB3aD5I1Wm1+c/SL9GrBKKTIqdA=,tag:IhRleBBgg6C7ARgPwnZNcQ==,type:str] +authentik_bootstrap_email: ENC[AES256_GCM,data:wsXyTCeS7jJQQ8vkAC7AKjDr6cna4ac=,iv:Jkq17JmmSIPcnLK0SuJ1ErUUGi5Z136GQmR9VfdFCi8=,tag:NjReOWjfRxSsIbWzrrltxA==,type:str] +#ENC[AES256_GCM,data:klnql0MQeS1KXd/3VjVW4WRjSl5yg9Kf,iv:+v30PZBWQVnFEeeQI2InGf9kH5tvzgZnD5JCOyBnEHo=,tag:UHNaI7WU6PhzhkXkHTYtvA==,type:comment] +nextcloud_domain: ENC[AES256_GCM,data:ZxuLrS+XqzdLVtnFRQNv/KgN5gZWAFHGqz0m,iv:isE7Bp945CPVgoeI0mKngpTlRUTItLX2HIxSCfJ5T6Q=,tag:6p26HFeNmKU/EzNpQd0yhA==,type:str] +nextcloud_admin_user: ENC[AES256_GCM,data:uscegTQ=,iv:vK0tQIFNQZ1onK70GEy23VDfh7zcofxwyjJXEg8uY6I=,tag:wwna86Sx35Cc6QIMehfDPw==,type:str] +nextcloud_admin_password: ENC[AES256_GCM,data:SC7jJfHvbaqynl30IdJ0wjy1Jf37eLab1VBJI6p0w1aT35EA+GCAA8HmzA==,iv:PwYkMhyHuZpiRqN53BOMFSBBUBM2mMfTVOOatNTWB1c=,tag:hnI9EUmZ9vI9w7bCT3bFyg==,type:str] +nextcloud_db_password: ENC[AES256_GCM,data:CLpONcvumICrvxk39UK4ev7wneE70DPUoqx9Gl2N1/A1M3oOYexVbivFAA==,iv:hWgXELPBooRql5wp3O09OluTn2KBfTL98XNnNyiIfLE=,tag:2o80+vU71xtPm5MI6hlUaA==,type:str] +nextcloud_db_root_password: ENC[AES256_GCM,data:UH4PKHcvfqbp55I8Ru2AtkQDXP+CJpaY156QjO24n6GbIXGT16G0aKN6bQ==,iv:3YKqu61Mdhy/Q2jfK+bItcRx0YFIB+HYpUgpNkXwlMY=,tag:GsQBfVfwJNufY/jY7oDPpA==,type:str] +#ENC[AES256_GCM,data:zqxETKX7LgG6yCW8n/MUvBf80DeszYo+3TH0HVw=,iv:w+Ymv0DKrE/aPYmGsbCPIhrmauNAlDMTGQqQM7HZrVM=,tag:2wYvCPs5xeerRRpfc5f1UA==,type:comment] +redis_password: ENC[AES256_GCM,data:9QjDXsOtQDylRyvzu+6KaWxV53BuPqUOIIF10YygBvaSvtTjc6MvROqltQ==,iv:DDPKUOwz0DLnE7tHHx51SV++Upmc7isgKNvx9fKBTIA=,tag:7ieGACSPG+FiiWqUB5UDXw==,type:str] +#ENC[AES256_GCM,data:Dw9sxUT5diW1LvGQ/VRkPIfv2KMIoCjlsdYGtr1cU51FCRqx,iv:QDf/zXCB8qIvwRAQM9od6Ger8lyXZPDorZXb/Xg+8KY=,tag:dO/1SxL3fpLWnsEtA0xNYQ==,type:comment] +collabora_admin_password: ENC[AES256_GCM,data:QfjXR22OLAcPewDSDKKRxYXiouzBJ3pTTB8usKq0mEOLOCkzrFR49eWvXw==,iv:BpYApcb6quYdUZ2BxIRJmY5lJK++tQ/PxSOgiIJSDjM=,tag:FQBc+HyTzOyVDYTFsvHVnQ==,type:str] +sops: + age: + - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ekhQVmprdjlER1g3NGFU + d3pZWk1XbTZXM051N2t5Z2RLem8yVVM3ZUhvCkFrYWF0cW9XbURpQ2VKaDhuelRh + R28wNGVlTndzcGlHa211NWxFRnBVd2MKLS0tIGhRNmkxanBndjNxTWt1bGRIaHJr + NFU1eU51MkNDOU5jbnFSbXVYU2cyQTQKxGGn9gHuxY+1L07Ouq22dvZMjF6uLUFI + GxlyXcV9Eyrz7AI+tliNf8XWULsixcGQ4wAzvAYOoT8JZ8CiWFd7LA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-22T09:44:44Z" + mac: ENC[AES256_GCM,data:iN71AD8G36b2VOTg5l2xyIwXqkPx7Mq5QoOtslug2OLzTSBz/h0RNZv3UtGXi+Au83IVLeAEJ0gPq/BA6sN155hFJPeh/VhIwffelHPzufwohZjhFdK3zB4QKlKAcKEEC6vI74GOBfQfUOMimeiuuS0IiLo4kEeADd1qk2GHcbw=,iv:LmCsgkvGcE9Jp6JO0nxsu/pqGPX48d8dmZJCEt9RHBs=,tag:fkpzKVv979jqyYUyWI0ucg==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/secrets/clients/black.sops.yaml b/secrets/clients/black.sops.yaml new file mode 100644 index 0000000..31f4f07 --- /dev/null +++ b/secrets/clients/black.sops.yaml @@ -0,0 +1,38 @@ +#ENC[AES256_GCM,data:+pppKgjMX6IKHrEyE7WT+sVkrsKrC/S9N5s=,iv:aQcH3wCqnZ15ThzB9DRmkJhnw4xNNqVJToXsx3iwGFY=,tag:w3hEI/Nwb/GTCmwrFubQVQ==,type:comment] +#ENC[AES256_GCM,data:InHpHdYbWF+YeElQmyml7H6wQ4y3lhHmifu4hNAfdrO9fNXh+IQ=,iv:0t4/ZHfFgEVVAWEFYAXuNaKYFYwoPUllyMfOp2UR+DQ=,tag:tfqtEioUhGj+oRjSJx3Psw==,type:comment] +#ENC[AES256_GCM,data:Df/84YbfFeA/4eB3ERGLRrusmbjKRA==,iv:DDOY9P8TW54qmDQH/5jPQmFjyFjfPZ16ipOTGpotLyE=,tag:c+nwU9QFLBFZMcdTjbwCIQ==,type:comment] +client_name: ENC[AES256_GCM,data:5c7mNQ4=,iv:tiSy41HLzjP3Bhs9XSn85ZAJJtYzTCTwCARlD0wqJtc=,tag:cmPx6IQs6Ocuy2xiqzIR4w==,type:str] +client_domain: ENC[AES256_GCM,data:r/V0n6t7nOSqjXV/vYHv19M=,iv:EykIf151hcUDlDVcoGlKuOYzeRwspxajEIjnuadRQxw=,tag:KASAfQqdZg1RKQsBwuzd9A==,type:str] +#ENC[AES256_GCM,data:Zoa/hQiGtXJbn0db06ZTBachkGsEBEOa,iv:vTyWshk5HDFCJxsnuVYL3+BOMifxmhjJ+gBKiNZ2Jg0=,tag:C2k4MfPwyZ4y/AoV4i+cDA==,type:comment] +authentik_domain: ENC[AES256_GCM,data:qHPGPAh8Kc171vAsFaaD1IEMaPGwEQ==,iv:NvBP3kC7es518oXT7OT+ONnBI0o6GmfNCpGzvfdrQGM=,tag:YCCCivxJcZtI3qER4Im17A==,type:str] +authentik_db_password: ENC[AES256_GCM,data:exJBbBV0PPaLfR7u0LoLmbQRuE73ZGpwdXQ09iPvntripOTM1aBkfuqqiQ==,iv:XmDhW8EB+yWdHLdWv0DhCU35rq03IP0Q8nQPxHQq/tQ=,tag:vVMFB7FN5Vi6e+d7SsqJXw==,type:str] +authentik_secret_key: ENC[AES256_GCM,data:lfC6XAKFtaloBZmOq6hIZspxIcoRJPqMbYO5T/9LGZmz8fI9kDNMM9Skdg==,iv:Jqs1NXru9LWFnkiwQbnVz480UHzDLyw9lTz5KsJ0QTI=,tag:K5WERITMYtHN0Aa9zsG+dg==,type:str] +#ENC[AES256_GCM,data:mvQfnGJnfGog3xEFfuX7/8qISPjhI1Jw1ljyRr2X82mFVHV1bS8Wgv1TN31k/QU=,iv:9JrDtyMhIo7D39+Vl/HBrh6R23k3E7NQSZXBqmQ1Ho4=,tag:fmIHEt03EnawuPqJsLW1Fg==,type:comment] +authentik_bootstrap_password: ENC[AES256_GCM,data:AdMlkg6d2it1HzA3HG6m3yA1vSJQzfIWWJSvWbypdKH8eiqkr7D3XU5imw==,iv:lHvkemA8l3GxKUw/oSncKhUsTB0kM6q6q0qbEK8eLoU=,tag:gn3NYjrye7RmdYnTbj9qZQ==,type:str] +authentik_bootstrap_token: ENC[AES256_GCM,data:F5e4pUyXkUDpgz99e3gqa8JYsDDCv6yfKCgG0E8Mn3CfbR3ty7TtlM/CvFcOTQ==,iv:rQFxh49ACncotu5JcQyLJHJjaIWHSi2MPaMECUtoUWg=,tag:8olrhhiXRYDM0oog4Nn2ag==,type:str] +authentik_bootstrap_email: ENC[AES256_GCM,data:DfjaNz0/lxfkhBInGBiNgtyljSe/Ox8=,iv:v7HRWWbq1iGWGN8t4ckLEXanhksS+jyKvpHtWFLGJbc=,tag:CaYUvzC7DDfwbVzzCpuwkQ==,type:str] +#ENC[AES256_GCM,data:8v7EAUTlRdWKoG2ji5qcJloBymG+ytAA,iv:8/UHfEHBMDA5NYmUwZSZHq1y7TOIHFIjEO6y0hwsdV0=,tag:tdsDXMuIOxHSXu0cnJq+Yw==,type:comment] +nextcloud_domain: ENC[AES256_GCM,data:WzFgX42WIPRi5NtRWsUZAlwP3wUE6grJQE+y,iv:e/VkjDmxbQjv83g4ibg3DmXmujnYZqEytFSK4jT1uGo=,tag:gew/qFyCmtzd5LrB9MOkhA==,type:str] +nextcloud_admin_user: ENC[AES256_GCM,data:VP4i484=,iv:x5/FODYkvGwLsypL0EEFK+aX1vomc1g2BRMjz7MVdN8=,tag:yeDjVIrPHMcGIHL55CNi3A==,type:str] +nextcloud_admin_password: ENC[AES256_GCM,data:BHQxIcK37o0xyf3kN1g0RV5XO1RtH8g97nVGNjnYLJDd3+VUMKMNYL/iVg==,iv:3tTMTdLYHupHzr/YKC0gBuNRz60w9vUbGcB7INw4L+A=,tag:EWmtvDFzK239WsnseQZcLQ==,type:str] +nextcloud_db_password: ENC[AES256_GCM,data:94yfQRPn5rMdtzKWPaBbS+dZUmUAI4xo4i1/hxfm0Z0623KaMs/jcBGqwA==,iv:JNXoHRaY91zJhtViRIfz+ihPI3JlKwy9xfO5KTlDwsA=,tag:nJvT7uNts3DXaBsbHfts7g==,type:str] +nextcloud_db_root_password: ENC[AES256_GCM,data:SGw7KzCfOUVG60a099rMYI77CYoOTeoKkdQbKEYT2cSKJ2LTKtZCdbXCoA==,iv:57W+KwAPrKfB919TJDHPIdT09B5aT8ZKmkrLcz3um5M=,tag:Aq3mRmTvCsGSGLA4VK4RGg==,type:str] +#ENC[AES256_GCM,data:2Ca94oWcPDsThITdONt2BwtCQtgo1T1/+QrL5No=,iv:YNoWLwci667/gN3ZX2sYCLkYB/phYFLvtgwUVp3h9I4=,tag:pPlgbwv/6fkTFE2WfSPfdg==,type:comment] +redis_password: ENC[AES256_GCM,data:jpi8rEcRBaM2XNMLlDz0WkKosp1j6NLyGE933bZp2PieOWk2gNHFNwJ6Hg==,iv:1ynRlMYpBo2FRknD4AWosDtF6JBJnT+vuwy1HNPs2RM=,tag:gr/v/kfe5M1sHjYq1szOIA==,type:str] +#ENC[AES256_GCM,data:7bmjCFZTqyGV3MmxtmEyY21L0AX0xg2xwQyNFvQld5F4p2uT,iv:Hu5k8+bEewx+J59IKwT0l202h9Sgofzuh7/++Nvvx8k=,tag:YuRPCf4cUN8GlModxkaJTg==,type:comment] +collabora_admin_password: ENC[AES256_GCM,data:K6UAvUM90klSCqMCiWwE7VkAhvx5c/+QqSElEXjgpmDdoiNE35H1BgYNOg==,iv:v9j6cfmQUkM7IvQvh/pW0C73jOdvx8YEpYuulhKHVsg=,tag:T4bGJJfejMOCgHg9c2nrcg==,type:str] +sops: + age: + - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0YkVJdG5Vd29zRXlEMTFk + RVJjN3NSTFFHUm5DUkpQUi9ISHdiUEtZVVJBCnFTT252VGpUVWNzU3JCWGRBdXov + YzFLSXU5UzJCN01nTTVRTU00VGtoTWMKLS0tIHMrQkRFT3hJM01vOExSR1ZoKzNp + aTZOUDdNMzVUZ0lickNCT0dIaWFuS3MKWHNDkkJ4kJljn2Ull8VCksmnjuORLYtN + ASfbOgiRJqXzQxwNgigUkvnvFuAEeaijIyG8/KazEP0YlhTWTkY5Sg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-19T10:56:00Z" + mac: ENC[AES256_GCM,data:LhzvYjkGf0i5g1S1SPQqBKRFatsOKKjwch90KIITZJOZ5i6/5L5BPFeyI8EVl/3/jbN+/wIBOr206nWYkXz+G0i4fDzC0wuAxXc/o1KB+ovMRrQCg5Qw9QGEayViXlKgLOC3EzXzw3gDybxJ13yOw2YSxHgirRRdjVJr6G0/Rcs=,iv:YvE1KhDVAwtXYnjsMOAPnQoluEFMFOU4GByeiQB5W/4=,tag:HbyR29sNZXUhWyQKs5SC4A==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/secrets/clients/das.sops.yaml b/secrets/clients/das.sops.yaml new file mode 100644 index 0000000..0c6dc2e --- /dev/null +++ b/secrets/clients/das.sops.yaml @@ -0,0 +1,38 @@ +#ENC[AES256_GCM,data:0u28ehaNftLzef/Ge203EtpREQG4w5kU,iv:uowORCiPGmtOa56MNO5cKaQsmsom3foNlQnmwctgw0U=,tag:19iE53kteSZ9Q09PYh4ykw==,type:comment] +#ENC[AES256_GCM,data:wWjTifXRNQ25dM+k4W8cMyolIMQ+zphKe2AYiMuEVyIBd2Evdv4=,iv:Q6/LgZNSv3tee2FcHXUZ1wIvSR25aoiqg7BAyWgWTKI=,tag:p5LuG2OMb3hoYPgK+ab7mQ==,type:comment] +#ENC[AES256_GCM,data:RjmOnfVrJ/8xJZaTlN6OGobGGACNZQ==,iv:4FBY1WOfonv5WfKATTuZkEsqYPicM1zcX8qWu+lTk0Q=,tag:I025riqowW5FKUezBm0GZA==,type:comment] +client_name: ENC[AES256_GCM,data:b03e,iv:In6iivcJ24tpfG9N34qsCOazY9H8Elg6QIou+om14CI=,tag:fplhvM7ExqVZCBHT1wcOKA==,type:str] +client_domain: ENC[AES256_GCM,data:pDlhbKxvHqbSG9cwDXGk,iv:Yn62cKh+Xq2yCzLMS+FjsXjbzvGKMruY/vdmjlr5q/k=,tag:fsJ/jJF6NAvIXRzBLg0mvQ==,type:str] +#ENC[AES256_GCM,data:icjtWREHoSAGN5rPbdL4j1XPeMZuzEoS,iv:sIuJcsE+rO0sZ5qhdNK6PGxtErrv2bm2HCi48P5FQKQ=,tag:P5plYgUPY9LNOQhpux6fSg==,type:comment] +authentik_domain: ENC[AES256_GCM,data:QMwZmfUeW1nYDppRFWBu6JhJLDM=,iv:RlLkkWYK+AfwhfPScek67Ba+T0JF5cebPZbC1hNcrrk=,tag:3b45Z6WflSMtJw/wpcPPbw==,type:str] +authentik_db_password: ENC[AES256_GCM,data:/P3gQbozHLINd3KQJA/0u8MhUqhMcz6MOoLVH31X6cwmGv2q3y6KeBA8gg==,iv:stKEPGqH4EMc3h3afSX2pP3dEos3H8+mJ9o1LSF224k=,tag:7XtR6fRYfqJ4veuUlpK/vg==,type:str] +authentik_secret_key: ENC[AES256_GCM,data:/1LY8xqI9A5Et20mkY3X2y4o6d+ka7/vqNSxQS2PJ5LAMTAEt9qbX2rr1g==,iv:v93bXYDwvXgifMLngG25qDaXPR690LWeQjkTf0fqNuw=,tag:0JYsyKSJFYWAHYawDybfGQ==,type:str] +#ENC[AES256_GCM,data:Mw3fsLyDrw39Q2OWiyrtEdls8ub5fTWEqVmGeLTg0qkpvzsrgWRW/GiPW7SYbKU=,iv:qHqh5k1N/GaxbTJYRvPZm4RfYc0MVNDXdI7skEBBqvg=,tag:tQ3OQyNLoBymibw59GG+VA==,type:comment] +authentik_bootstrap_password: ENC[AES256_GCM,data:RDvAMIvOYmxbwxSjb+kXqmh8GU1sSA6KHqSh8UecjB1k7F5auXN6O8ETfw==,iv:S6DC4/UTMRy/NwhnT641q+ary4638hdLPSJ2duivgZ0=,tag:8etXMMBlgVz8pM0trndyOg==,type:str] +authentik_bootstrap_token: ENC[AES256_GCM,data:m467HmEab1OSqAzw8Yi9rcL3lRkJJW82k6nYlFiXj7UOgutJtT4BxUaSfMdUxA==,iv:8bi5CITxJK8Mgr0iSB3aD5I1Wm1+c/SL9GrBKKTIqdA=,tag:IhRleBBgg6C7ARgPwnZNcQ==,type:str] +authentik_bootstrap_email: ENC[AES256_GCM,data:m0sZisLNP774T6ytCwhO3c699wy7,iv:06/kldGACKC/DuSf6hO+r2IgCIJiP+qEKBiJcWCNC2Q=,tag:JRwxkhuDLOU2sMw1cT1c4w==,type:str] +#ENC[AES256_GCM,data:klnql0MQeS1KXd/3VjVW4WRjSl5yg9Kf,iv:+v30PZBWQVnFEeeQI2InGf9kH5tvzgZnD5JCOyBnEHo=,tag:UHNaI7WU6PhzhkXkHTYtvA==,type:comment] +nextcloud_domain: ENC[AES256_GCM,data:mN0xoqcpE6tH8UxKPmEaO8zw/qlJRBSpvA==,iv:myiAX/cbkEuyIUcOW2jOrIuO5E931bLi6orxUwUdwzY=,tag:Rd87OGiH0HBc/dFBvvXhOg==,type:str] +nextcloud_admin_user: ENC[AES256_GCM,data:uscegTQ=,iv:vK0tQIFNQZ1onK70GEy23VDfh7zcofxwyjJXEg8uY6I=,tag:wwna86Sx35Cc6QIMehfDPw==,type:str] +nextcloud_admin_password: ENC[AES256_GCM,data:SC7jJfHvbaqynl30IdJ0wjy1Jf37eLab1VBJI6p0w1aT35EA+GCAA8HmzA==,iv:PwYkMhyHuZpiRqN53BOMFSBBUBM2mMfTVOOatNTWB1c=,tag:hnI9EUmZ9vI9w7bCT3bFyg==,type:str] +nextcloud_db_password: ENC[AES256_GCM,data:CLpONcvumICrvxk39UK4ev7wneE70DPUoqx9Gl2N1/A1M3oOYexVbivFAA==,iv:hWgXELPBooRql5wp3O09OluTn2KBfTL98XNnNyiIfLE=,tag:2o80+vU71xtPm5MI6hlUaA==,type:str] +nextcloud_db_root_password: ENC[AES256_GCM,data:UH4PKHcvfqbp55I8Ru2AtkQDXP+CJpaY156QjO24n6GbIXGT16G0aKN6bQ==,iv:3YKqu61Mdhy/Q2jfK+bItcRx0YFIB+HYpUgpNkXwlMY=,tag:GsQBfVfwJNufY/jY7oDPpA==,type:str] +#ENC[AES256_GCM,data:zqxETKX7LgG6yCW8n/MUvBf80DeszYo+3TH0HVw=,iv:w+Ymv0DKrE/aPYmGsbCPIhrmauNAlDMTGQqQM7HZrVM=,tag:2wYvCPs5xeerRRpfc5f1UA==,type:comment] +redis_password: ENC[AES256_GCM,data:9QjDXsOtQDylRyvzu+6KaWxV53BuPqUOIIF10YygBvaSvtTjc6MvROqltQ==,iv:DDPKUOwz0DLnE7tHHx51SV++Upmc7isgKNvx9fKBTIA=,tag:7ieGACSPG+FiiWqUB5UDXw==,type:str] +#ENC[AES256_GCM,data:Dw9sxUT5diW1LvGQ/VRkPIfv2KMIoCjlsdYGtr1cU51FCRqx,iv:QDf/zXCB8qIvwRAQM9od6Ger8lyXZPDorZXb/Xg+8KY=,tag:dO/1SxL3fpLWnsEtA0xNYQ==,type:comment] +collabora_admin_password: ENC[AES256_GCM,data:QfjXR22OLAcPewDSDKKRxYXiouzBJ3pTTB8usKq0mEOLOCkzrFR49eWvXw==,iv:BpYApcb6quYdUZ2BxIRJmY5lJK++tQ/PxSOgiIJSDjM=,tag:FQBc+HyTzOyVDYTFsvHVnQ==,type:str] +sops: + age: + - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ekhQVmprdjlER1g3NGFU + d3pZWk1XbTZXM051N2t5Z2RLem8yVVM3ZUhvCkFrYWF0cW9XbURpQ2VKaDhuelRh + R28wNGVlTndzcGlHa211NWxFRnBVd2MKLS0tIGhRNmkxanBndjNxTWt1bGRIaHJr + NFU1eU51MkNDOU5jbnFSbXVYU2cyQTQKxGGn9gHuxY+1L07Ouq22dvZMjF6uLUFI + GxlyXcV9Eyrz7AI+tliNf8XWULsixcGQ4wAzvAYOoT8JZ8CiWFd7LA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-20T19:27:02Z" + mac: ENC[AES256_GCM,data:qwucrhsdG8HKhyDn9H788SVX376oAyLmViVSr9zL8ffCjDNH620JSkHhF7xzeN2O3/eDqwjSbCukABEiQNV91LZjSHD8fibWvzldPGqxaR2cm/zt7gM995Iu/HnGq2QVBnWfNHey3eGYTtxXZ5zvQ3EUjNw/rbEEFvSb/V2okSA=,iv:RFKkAIhLHyF2Nv643YT52vloT4erDkpXbuEwrPA/nPo=,tag:F5PQaOhz02WZoVJhf4Ryxg==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/secrets/clients/egel.sops.yaml b/secrets/clients/egel.sops.yaml new file mode 100644 index 0000000..98ea401 --- /dev/null +++ b/secrets/clients/egel.sops.yaml @@ -0,0 +1,38 @@ +#ENC[AES256_GCM,data:0GANpiSe/t/8nNVeEeF3xhbPLbswHZk+1g==,iv:2Q+TbLECTqw8LOF12qlCpTCJVAiiONafgtqOxOy6jvg=,tag:H5m1lytoOFuWReEnQrN8KA==,type:comment] +#ENC[AES256_GCM,data:As3OROMNLTL+e2EUAZFv7RrJ3p+EQvkOdNjvFNuUSI5iq0xhYNg=,iv:23QHhD4A0VW8ccjMW3ivRsKlW2mNaQ0AwgqTg3LQUnc=,tag:zlFt8r6m+FNvD0Y9d48FeA==,type:comment] +#ENC[AES256_GCM,data:vbx3SU+Yc5p9FaaaTX+lzNScNsmEBQ==,iv:3goZ/7+7erCc186ZPJjnS+01KFbun327rQ2u/ia9NLc=,tag:V01ZFE1y0/Yhp8t/O+X6pA==,type:comment] +client_name: ENC[AES256_GCM,data:mhCH2w==,iv:4oRhdfLMY/IJv+DXiFVLXZ4vBxKk+zoYlDThq7ARfOA=,tag:DojfBjqyXAMgk1cDs8FWmw==,type:str] +client_domain: ENC[AES256_GCM,data:vCltXbTBfuJqj4jk8Uf/Ow==,iv:6hsza3t7nQDNHYEIrYvopSt8os+o1fz7Enc0cJFxbYY=,tag:rwoAEHdsCSWGOKniue8xOQ==,type:str] +#ENC[AES256_GCM,data:36WknJsToqr6KDZgMvm9VsCZwC+BOyIq,iv:lIV3CJXv80WQkTvud7KlPj058xY+AcIg+ti9B+tqRmk=,tag:0Ho8XR14HxO9nrGlqw84Bw==,type:comment] +authentik_domain: ENC[AES256_GCM,data:xRr/HCyiscbPJUIzLbl5muzX4lPl,iv:DzDCwXEgaI65ViKOgeydbQ1XBPBVk8Vr3IPX2HsrTC0=,tag:FzUcBnT84QLjUELO/NepcQ==,type:str] +authentik_db_password: ENC[AES256_GCM,data:EKxxfM01KdXFXZkIe3Odpl2n8I4nbdQzUC6ryN7aM52MHQDzv4Y+z3pANg==,iv:zaG2VcR+x8fqkMyL2vQTonKK9u/KmObyBiE3oFYgwTM=,tag:eS2cQmNoUbet5gBB/EoAzg==,type:str] +authentik_secret_key: ENC[AES256_GCM,data:vojKY09CrpwNdcJR3GHv6Z3HfR8n7EB+qNZs4fXXQOVgk3eqVMSz3Qx8mQ==,iv:RG9f1hHUEHlqRiHXXODJV0HIsIFHib6837p68p1746c=,tag:YqIueX3A07hRAjJmsI6r6Q==,type:str] +#ENC[AES256_GCM,data:VsLPKpx3W6YN6QXhRx+YTAxKNu9IQzGiZG32H4Rwvg8wxje5BMhmuSTR5UJorMU=,iv:QswzckRT9Q51N7vSRQrm13kxECRhfBJpsFooFYHKb0s=,tag:oEC4Hc6AVALzVqiOG/09DA==,type:comment] +authentik_bootstrap_password: ENC[AES256_GCM,data:dz0+NGAa5D154vbjuKpuRnIEXVQfTgUsIOPjIzdxYMLxbbNTBP2z4whElg==,iv:hWR7E+hPMQ6zSgZIaIvaGHPRuW8md/uYfRQ/xeb8DeE=,tag:CRgtDtN9UEk/6DUCFMwoYw==,type:str] +authentik_bootstrap_token: ENC[AES256_GCM,data:e8O+c7DAwwYV91ATgEOi0Hf/i0IfnQoxAQRK+KIZ/Tdo4O0t3Al/6SHl+BFGZw==,iv:9f+tfa9tRhn/yuBSqFaLJndnRDx150zBd3Wxc38onRw=,tag:KOeZnWr/uig4KI5g8BE6VA==,type:str] +authentik_bootstrap_email: ENC[AES256_GCM,data:MlQJIrG2a7f8jRVjRm3pFBTwz+SMCw==,iv:c5MSTtscFb5qFWghRilJqscrqdriju/AU3H4bE5zYfQ=,tag:msz63u6YpGoAI7ulT880TQ==,type:str] +#ENC[AES256_GCM,data:p0JREYAvVu02Qqoz0HoEufCL287NwNDH,iv:2oJm8p5m+KyEv/MedtBjurQcLDer+QMcxjVxfjkljZk=,tag:k87CX+v7zGZbcbjT8s8JGQ==,type:comment] +nextcloud_domain: ENC[AES256_GCM,data:gPyjwlPhAh1B56O2Ua7+hgVYbr3girvNgn0=,iv:jWGVFWDxXuYFqQtWIMlrBn0bYkYzB2vrH46sFvrX7lM=,tag:5/jQQTEtsWoy2i59sR58jw==,type:str] +nextcloud_admin_user: ENC[AES256_GCM,data:v7wuCG8=,iv:YG6aNYwV0RPJ/sfHcSleqvBvkdq+zE2nBjMyN4QDir4=,tag:n987hO4NlJvdgvUqjf8ZVQ==,type:str] +nextcloud_admin_password: ENC[AES256_GCM,data:B5mp8NCWgQclAERE4QXoROeV6nlxwiYP5+hsizIfHctk+iMZldEt9YCJ3A==,iv:xLg6G5lYc1fBVXCy8PnCIpO+t3K3kZ5iYMfBFfZ5llE=,tag:xIi1A1nuwlN4TyrEeN7Zag==,type:str] +nextcloud_db_password: ENC[AES256_GCM,data:vLx15cJfiToYaaAR4eIqWAo1wBLDSCIYznC3SBsngMBKssVkQcQpnpO7Zw==,iv:DNDNz19jU3nATAzJw6/FXyq8QUcsUIv3xVWG02CZKJQ=,tag:mEkQIJgpcQdKlxTey6Zqjg==,type:str] +nextcloud_db_root_password: ENC[AES256_GCM,data:BVHmAhREJQ9U91YiQoLp8trQR1A6hpMrXGUCVLGKSV3xgxloWCcPvF5Fmw==,iv:kcJrzZlvmwAUQRbKe6cFu7BTr5Eg/s7frfTAoGrk6HA=,tag:Z6kUpUx3GeIf073mYHE5Lg==,type:str] +#ENC[AES256_GCM,data:FuFmCCQIoLt38f3rp/f21F2SUEmUe5mew7mafIs=,iv:/epTrJv3iq3Apu82EXzv4cLL6678wDvtEL10xnKN8lg=,tag:dTSwYH1+TWZ3uTAn+8e5Pg==,type:comment] +redis_password: ENC[AES256_GCM,data:2ZRr7+7Nnq09Ozal4FWU/vb+qdBX3njZE5KdzyXPdtZQZ3lkB8p5mgXkUw==,iv:4YXUPxFubIQyIoSYMWc059zGAUPI9dk+YF3V7kn5j6Q=,tag:+0Gi1qZ6HFgjnzah7pGBUQ==,type:str] +#ENC[AES256_GCM,data:uw9XOlYDr7zZK8dx51LFiHzPjKgBlmwWoyPqREd3cQHzwo5U,iv:9luZspimHV61i9oTgpePLJur78Km17lyhrOWjVledXA=,tag:pSezIsLxWvcEZ6rklfJ4Mg==,type:comment] +collabora_admin_password: ENC[AES256_GCM,data:NpAz49/Nu/SAVa9gpfnkdZKuRXqbawVutx/YuGA4V+KL6/mXSJn30EtBdA==,iv:lzDFtpF+3AZ7SQiKwN1ewY6jeWAI0GKO6M6QbxjGGUM=,tag:lPc7ubFRLIOBT0G7fZRhCQ==,type:str] +sops: + age: + - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3K2Q1VUdWcG5LVmxEVzdl + SXNjZ0swWTdJNmlQV3pudkV3QlZ3cStHL2lrCjVCMHY4a1lTK2V3cHo1UHN0Qit0 + aU5BYy81dERuZGhpNzlQbkxnU3BncTQKLS0tIFNGS1NFRk5LamhMc2dOZXBQalVP + UktCNEQ2MGxLM2R0Y3cxRU9WV2hvUkUK3q4VetTBIM/xB5rdALtaNkhVr14XcOvv + Od35KPTjMKjTycae9K/9UAaW/GyqYUhna+S10iMKiVImaNyP+Yve+g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-21T19:27:39Z" + mac: ENC[AES256_GCM,data:hv6CBUEhuu8sdqAjSjbB6fS559RY8nCssdejS1L55/PY6KtLvh/lPhmlc9eIiXwt4gVCO3S5eSguK9FDGN6AcPbCR4oV6abO2HsjoXnkAq2twlY+vvQ9WHnt3yR9ndSu4+8T17WqlQkib7p1Akzns8g3GL8W6wt4A7hW/YcnZqE=,iv:m7neOUmZ9Ou9MCtfGElDMUrOiffX+ROafOTaMK2XfiU=,tag:70Veha2fvdobCEKhLVn3iw==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/secrets/clients/green.sops.yaml b/secrets/clients/green.sops.yaml deleted file mode 100644 index 2d99527..0000000 --- a/secrets/clients/green.sops.yaml +++ /dev/null @@ -1,38 +0,0 @@ -#ENC[AES256_GCM,data:SoOe8N8L0Y8Hs6eTkOj4VuImtGdlj+hjCzE=,iv:/X3YVaoaw2Z7C4/54WIgtzeFMrfJfqEoZBGg04FZDoU=,tag:wPgCo8RaPgm/JdcSYo9hug==,type:comment] -#ENC[AES256_GCM,data:AhZkYvipCltGJR01C5imkY/LH2TrVoI/rFQYdGGGqdde6WT5rDo=,iv:ZjFc9moNOtZsYtUBGb1PVVQ25ozflguIYFBF64N073s=,tag:3EcnIRkLo3NMqkzSPXx0zw==,type:comment] -#ENC[AES256_GCM,data:c4qTyE4koVokaohPlnUA0erZyo7Jwg==,iv:GkyGUhDK5vNFD7BB7e3tXTmWS2ydnU+cquwkuCyKD9M=,tag:x7begk8wA2DGRtpcPaIqyw==,type:comment] -client_name: ENC[AES256_GCM,data:/gE8Drw=,iv:Dhich+2Wf+HdfQ5KSWP7kr1e9LYSYCdHRSMwW7fKacI=,tag:8eBTT8al3cwlphaCB0TsJA==,type:str] -client_domain: ENC[AES256_GCM,data:0ZVh+LZFp8V8ZdI3NPxcYdY=,iv:OGyI0i/x9tdXzlA55VcPtNsfBWR/vM6PS0NohWXIUz0=,tag:sN6leHQjyZkFEt0StTDUUA==,type:str] -#ENC[AES256_GCM,data:NSbqmgsxWPxXjMJ5yg1ZErVwkpeU2CA8,iv:bS9eu+DxVOTuADqIunFi8aLeRMy2sB1y+o8i8LF1Ne8=,tag:Bo1LwtqUOSwb3fbhR3o7oA==,type:comment] -authentik_domain: ENC[AES256_GCM,data:sxZ/AT0Vix7+8FVE720041E6bnL76g==,iv:WqTrmrQblmWrKluPKZKQwZ/6AyBmnpGmOdSV6nLYbrk=,tag:Bf1+1Qwe0o31WS0kE0sG0w==,type:str] -authentik_db_password: ENC[AES256_GCM,data:CH1mLJ1U1Wqrc8/Jrl4FJuzSv+yl45fnaYNIOajiFlaBMUsV4c6diQHICg==,iv:Goq3JaDP54Ctzy1gx6ipEk/K4pfZnPKIk8WA+eANSFg=,tag:ocUN4UMCHSgfAvon/DTUOQ==,type:str] -authentik_secret_key: ENC[AES256_GCM,data:9DLYWG5nRg5L1gEv5C7OTDG8LrqnI9PmaRRbkuLsn1Hn+XSjb8MUIpAW2w==,iv:liZ/IuafnT/9mKrmJdDvoZp79lQApoRqxjDXa0i6/9A=,tag:iAqCJ1Ud48Y4fsZuK1EWXQ==,type:str] -#ENC[AES256_GCM,data:uT/yL6SAhzRUIviCCUTvpwxVFk7troc2gvkPyTLU82t48QjNWdDh2uKw8JqzI9w=,iv:T5xSsQRnaSn8eG3t7/dyIxQM8RkX8ja9c/KPltXJuzY=,tag:nz9+AvdMSR6D2r6uPlLsPQ==,type:comment] -authentik_bootstrap_password: ENC[AES256_GCM,data:B1k92cCaF2RBVq5vWRKLBrfnHG0ZXIOPR88YBcAVCT0INfo8wmmsIoHFAQ==,iv:GhFnhbjDieOlzj8O7p84JB+xIDK0iAE5X23TRbxsTLQ=,tag:pma6cPybG1gE+/qAeRihGQ==,type:str] -authentik_bootstrap_token: ENC[AES256_GCM,data:ml4JFuE6B67hCPTBgqHyPwPF5FOXEE9g11EeDyRghtmSFC32M3CjUDckqh/5dg==,iv:K+Cj+u0FrYMWCpH3bpap4ZUdc709hvpuFghSXlYeOTc=,tag:DtXk9bpA5Ksx4MdE1cSWgg==,type:str] -authentik_bootstrap_email: ENC[AES256_GCM,data:k+hDXJzb3i29kg/ceKrLGYWi263n/3A=,iv:t2Ew5E69McmmYmhZfenFwcfhAylGieuS0XCACHQY8QQ=,tag:9HONIHr8apYNMc2HyE/wyQ==,type:str] -#ENC[AES256_GCM,data:QDv++JHvUjsVlHCg5caxbfBkaz63D6WN,iv:9C3gJeOBn/ywu21l5PZYKvSif4CGDl1Vf/kFWoaROXY=,tag:+3iodypQ/Id4V4EdX8TxhA==,type:comment] -nextcloud_domain: ENC[AES256_GCM,data:KeuKtUz/KJKx4pp0ah2o95YlxDKwQlfip1g/,iv:UnLxLMlFvfX7VvIq5h8RizqAxzMF/fSXJ6BESuYsUfw=,tag:sSp93F16f4w9lOL4GxklNQ==,type:str] -nextcloud_admin_user: ENC[AES256_GCM,data:SIqiQHs=,iv:43K1si1+BMNFkkfdGxqnldfE+J9V6IdurUKyyyqqKDI=,tag:tl57gv/5Bit4sw0wLAPcRg==,type:str] -nextcloud_admin_password: ENC[AES256_GCM,data:Nh0+REGEhscg2lnK+SCk9zI/xsX4i9vvkm8/L0bRHZd5ANGPZ3iaOYYDZA==,iv:1iW6iq1OxkeEKELYIC6CX5pEaMvX0/zunnX+JGYmMiQ=,tag:UE85K4QdQ3hVt4IH/C8NnQ==,type:str] -nextcloud_db_password: ENC[AES256_GCM,data:18VDj1nIr3LKYvrTmU/PdsbVURDhZL0+pnT81Lc00ZH36teVABMESrij/Q==,iv:yTtV2GevUvQt/7JcoR46YY10dhiGhD1h9EMBaoBkoUU=,tag:eGh/ytnuPgRw2EKvhPq2Mw==,type:str] -nextcloud_db_root_password: ENC[AES256_GCM,data:TAd9P0Bu5Jj61X1B9FzZVeTEjXcYEhDoTtEcpLLGK0p9L/qy73kyZHgmrQ==,iv:U7j84V3wE+PyT2dDr3Q60iaW5WzzkuuDU1C0z8Sdx/s=,tag:bUJZnkXDDVKIYWiEWKdLgg==,type:str] -#ENC[AES256_GCM,data:CN8A9tXAAkyZs0XcN6YHc2HQv1VfFplr437yC9M=,iv:UT30ox1DXNx18C198/rGekH9fSIUADvAJLbvQhunzng=,tag:GvU3xsudPkskOGlVlzTGyA==,type:comment] -redis_password: ENC[AES256_GCM,data:oy+AjfkYymVjMPtPHAb8nWQ+ck5sWt2S9yWJ0MUp5AUFKzkzpPxVtBf+MA==,iv:x9iu1p8ECtzw/mMS2kHbX9YgIJdOdF+uZIwsWwfNX0A=,tag:VXTQdnKukH6phaCQk2qQWA==,type:str] -#ENC[AES256_GCM,data:YAlGJFpMQBQxOSbp07EnKdNaoZDqzzAppjo4BXtAZbb4mTCx,iv:i8qk8eGR9d8398dTiyTw5eNI3IRk0nGc+hwBEBAuBZQ=,tag:DCSVid0nZij4MkQoII4xyw==,type:comment] -collabora_admin_password: ENC[AES256_GCM,data:rf80B5GB4uOUeYVxQNGpxAYG2ItDVFZyH4/ifmt+F+zdYItYgEiTKHOd+w==,iv:LsNYLtawJjoQr/lqG8Jl+suL6aL3b5TZK+2EmV3uP1Y=,tag:ZIjPtpKekDiKUuh1sKtDog==,type:str] -sops: - age: - - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhQTBXVVQ1elJaZUhOSU5Z - Y0ZmZG1ZN1I1RG9icHhpWDFKdkFPNnAvb0I0CkpmRVRiSndHYXhzengwY3UxZlZ6 - K2M3K0ZUUzY1TFhvTk1MY241SFhzVkkKLS0tIFViZ2oxeDA5QkgyeGFuK0VaVXYy - Z0dLa3RlSkdPMHQ3NkZXYnY3VEFDMzAKUcPDUoRcHkrn8C7chtc2ARk5sOkF3Gm+ - wmKA4RPvrGtrgp80MVt346H1iA39bDDGCAymZuTTA/81HYCrZ2xUjA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-01-18T16:02:23Z" - mac: ENC[AES256_GCM,data:hGJPwiCKhqn/MS76rn6Z/yptYTkOj45yqEjKuoRhZquwm0Vmooxu2BS6EI9THdkdPQV2gNFqklneV9assEiCc73st6koI2lL0OJdhgD80TVfz6kY2f/3Xg06LkQbcbhglhzwzHfo+VLoR/1ZT6JkEj/EJerr2xrEkooc4/y84pI=,iv:b/kcsbNl/cOTvQ9usY71+Lge7rIBoBJx3I7xyulfJ0s=,tag:C1Qz9UFVEAVLmqtyXi8izA==,type:str] - unencrypted_suffix: _unencrypted - version: 3.11.0 diff --git a/secrets/clients/haas.sops.yaml b/secrets/clients/haas.sops.yaml new file mode 100644 index 0000000..95636f5 --- /dev/null +++ b/secrets/clients/haas.sops.yaml @@ -0,0 +1,38 @@ +#ENC[AES256_GCM,data:263AsaFnsT/v03J3dTnRU9reOdPrqBK+Eg==,iv:ihmZCQ8KnKc/qwa34pr/JOj42tceourqSkirLVOlg+U=,tag:1otLg1EwXYv7/EcE197WDA==,type:comment] +#ENC[AES256_GCM,data:6NozW8S6KxeV87FehIpl1qNRpKsdl/lg36chh3egDk2sWn4iNhY=,iv:QwVCpWyFTUpPXf57OdcCqajRmLdXOlNbCoPgEU+7EH4=,tag:yFyiWe5/OI5m/AI5rs6yLw==,type:comment] +#ENC[AES256_GCM,data:jlKWnfCv+u//hfMa/8L3YlUCoyBjwg==,iv:NxvrTJ/lVlJK/JnWXTY/4OhQ9rzjZmQWTWoMDUy9kPA=,tag:T5rIeC1ZmBDxNiA3SG6jdw==,type:comment] +client_name: ENC[AES256_GCM,data:Go1JEQ==,iv:3P3tHtfLbc+DspwK1SVrNyHExioefaVbfA7yXATHHpI=,tag:KY+W2M+pi/xYc7i/5Hb3Cg==,type:str] +client_domain: ENC[AES256_GCM,data:/0tEausGEs9gdL+ZOkRsFg==,iv:iCqkzpRmxzq1O7J8k2GWxocCsJmpkF/lgHHFBS42Evw=,tag:E/Z8URfOFNLx2NGVkbTcEQ==,type:str] +#ENC[AES256_GCM,data:Q4cIm4NebGcflGee+HZZgEX7/OyuwtAp,iv:Gb92l3hzk7e5GQscDwoDBi9YBdhZvOtmrTaRErScYqA=,tag:IEqwdyE6j4u0uGK26hei5g==,type:comment] +authentik_domain: ENC[AES256_GCM,data:jEkOfeF+FQn14QdYfprDFO3FyL5N,iv:LZ7knjGqqBGyKBTRqzSlFI3da2nRujGY/+B9Uyw+ga8=,tag:hx98SqLo3oz/V5BQ220YKg==,type:str] +authentik_db_password: ENC[AES256_GCM,data:jBQTmw7unol2VNI5HHPm6ac8zEaN4gFJpof00JMOr2hg/BKGErnWNYRlNg==,iv:kF/L2gqncz/yHK6v0Mz1/SsiyG1upMG8DeIKWYj0o1w=,tag:WBvL687LuSsdhnkDCCEonQ==,type:str] +authentik_secret_key: ENC[AES256_GCM,data:pY5wvfM8dMYRzNSlwU4vfMSKOxEqJm2IEXsfCHjFtA47/7Ltj31NApee8Q==,iv:XWUacJqrDgutuT6hTtgxEvfhWucQnP5vdce9puzhb64=,tag:y7Hey6dwt/9+VcgMbNxvew==,type:str] +#ENC[AES256_GCM,data:5ucGhUZv2qjbYwI5o8rG1/8gqOX5x0Scip3+/T2EVyH87J+lxYKn4vK6jhCDJY8=,iv:Fff+f7SlljApCvryzqS/9aAQoKCyA5AbWqBNZ01MAls=,tag:rjK2ivHO3u1OVXRwoZOwBw==,type:comment] +authentik_bootstrap_password: ENC[AES256_GCM,data:VwxTylvuPqL/H4ad+Nr85NxCCgvEhAeC3/xa4RZt0vZ/7RMcSkXECIusng==,iv:3a5cvPXP+4wVKsRuOUxepv9idK03qknHPoiGYT4JYNc=,tag:DWacaePwtEiBlcARzXXGbA==,type:str] +authentik_bootstrap_token: ENC[AES256_GCM,data:WRwF8eAyMFaHbCIC7us8KfDZ8FUErkj+OUsyAJziIETC0YPIFOyG8v4nM7MFRg==,iv:RtfGnGWhXDUHWc77tyEbpini6wlD4Zr/FuMfB/Exf3Q=,tag:GZQunFQynvG49FC979FNng==,type:str] +authentik_bootstrap_email: ENC[AES256_GCM,data:a5opY+7AVaGZ7DJR3jhxdGk3hODH6w==,iv:Ea1CRC45PEStquXv7W2M/WgQPnBNlTq5qh1K5ZwG9CI=,tag:VBNh/xVnIYY98Z53CvU7VQ==,type:str] +#ENC[AES256_GCM,data:uJ4wPND6Cg+f0gOnx+a8K88RNrvGxszl,iv:s5NEVK+9buT2607GdGE7hO2EQnEFEGhMABtBC6QVuLg=,tag:DPDxu0IKwxJzUqsr3w8zag==,type:comment] +nextcloud_domain: ENC[AES256_GCM,data:Qit+lD3CB8NrM1JsQtqdC8XBMwS1dsQD7Hk=,iv:p0WFFJpgXeIkBB19o7jJvONEuF8C9i0Q5L+sF+vKu8Y=,tag:8SmnbpSF3euICD55M01bdQ==,type:str] +nextcloud_admin_user: ENC[AES256_GCM,data:EbRJDQQ=,iv:t077WeC7X88/XnoMP+xKSiCG6a3KWftjcwS3lKDxFfc=,tag:ZhFL5eJ7iH1Ka8lawa5tPg==,type:str] +nextcloud_admin_password: ENC[AES256_GCM,data:D1lsP/cOUC13sps8kmRlvazq7lkOMzHv/AvxKRmdlUsEOUC+vaHjl7HKjA==,iv:DHqxqin2dw2OJ5KAWNcCThPJanZd2S+cDNJhfw/trCs=,tag:X0BBH2arW2nsWxHdT9F33g==,type:str] +nextcloud_db_password: ENC[AES256_GCM,data:USgbbNviB76dpGdKfrlT5FJo8NJWs6TDZ1V3HtvBajlaHOVHrg7HZ/ciBw==,iv:5jg7hiZsEtu7D3eoNzzeOEX8/ISMDlIosquh/cnfh/M=,tag:t8yv/jPMtIePgQ6guklE1g==,type:str] +nextcloud_db_root_password: ENC[AES256_GCM,data:pliuG8kF3nhvUfTuXBnTZ8SEn+NcdiMMFYaicCpeSL5b664YWsYA6b9O2w==,iv:8C2ecJUZg4a0Va08cDvelptN3RObL7qpwqunwkFt7As=,tag:1fBz3hrP0wAVtjuq/I2fAw==,type:str] +#ENC[AES256_GCM,data:FDhOFTZd5ODvp/k/7LwJEbSTgmQB4y0C3Dh0UQw=,iv:kryzQXpKS38QCrxVThG3IHV+96+5q2twNRn4NGipSdo=,tag:ZxByg7mBnHlJ0naR/6ZVAA==,type:comment] +redis_password: ENC[AES256_GCM,data:ShoUwNalboMrmEvmnthtCHjUZerRzzS5L2tVkW35S9jEExZaSZSUwfcPLw==,iv:TwDLqrgzRDhuwos3wnyNXA3PmJeEAfquwj3Z+F9qM40=,tag:St6MUoT7tymgjkefx6mB6A==,type:str] +#ENC[AES256_GCM,data:PIlcwi0CYHxJ+2gWR3h8ZeE4LaKUUtAk1E8ERu9b3mq7/jZa,iv:HKO5hKbieTF2P2w3BFYx4WLJ/81stbLYwj/sSa2UvX4=,tag:YFxA45XUC3+zrvgwUFg4kw==,type:comment] +collabora_admin_password: ENC[AES256_GCM,data:DFpT4PXQeQXZzTygONz5Sbi8Qfj+yBkvTf9cnje1EbLwizITA4mnyyXaFw==,iv:PvA3FhLoJEwQrC5jr0koqkcxlYpjBBLINjiIKgf05MY=,tag:b0kfuU077mOwlRb98YSoFA==,type:str] +sops: + age: + - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2SFZxckxOL0JMRzhFYVZV + bmRiV0dmeU9XUHdtYVlObHJKRjRZaGs3K3lFCmZ6NEFSTlRSTmRCUkJSTFFEZllj + WjBlMGxWZzhLazFRczdkMnhHZ1l6SEkKLS0tIDljaWZnaGxzYXU2NVM2U2lpU1dH + VVZXNVhkTW1xRFgvTmJQM09oRDRJV3cK7ZO0tK0+KTovKYqW5AW0hhk7NxNVi9o8 + UAqmY2X1vAV1ekHryLRZtdQ9CpQh6Pc/8D6aGg79ZbHxPMeUBdPf/g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-21T06:50:20Z" + mac: ENC[AES256_GCM,data:iTRh6UXx/EeR/2ZrcUoIvujPt8cVlKEEuSO3x9miMEquZsNTnp8RIXoDETSmNpheXx7gG2jXOvgBbo/Bj52p45/Wo42TgmJGEo7tMExAfDKrx4JZAQqNO7SOGt3Vo8xQ05M6edfsbzAnke7Iz7T41065RYgl8L5qqFdGASAb8Po=,iv:JwIxfaG2nzWy8uRxsz5/b8bdv5HyUCkB9FsVep8EUjU=,tag:FapmKA3FwOOxNe0Diet56Q==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/secrets/clients/kikker.sops.yaml b/secrets/clients/kikker.sops.yaml new file mode 100644 index 0000000..ecaff9f --- /dev/null +++ b/secrets/clients/kikker.sops.yaml @@ -0,0 +1,38 @@ +#ENC[AES256_GCM,data:+OGneTnZcnOaOPgw4zJDfO9lhon2bn72N3km,iv:/nZQnMlDMbofcxjJom4Tm4vXc7wQJCTRbZvzm3wEk2w=,tag:0HA3xkq9oRCwahio+48QFQ==,type:comment] +#ENC[AES256_GCM,data:DzVdDsbfKUPhrR3RfDtNcz5t0eai/DIe9ip30YDHqP1Cy25Bock=,iv:p+B0zs9MJqBY5pskUPraGLBzolkp6mJgfuBt9hNuDB0=,tag:Z6xCRTWDFlQFS2rq5Wcu9A==,type:comment] +#ENC[AES256_GCM,data:UwzF6CrMrTa7w2x1WZkeeu4XlCO3KQ==,iv:515JLeVFc99aDjhZm46YBiHP6XU2054t/JlAMJP8ATc=,tag:tbWqRRIjVVBN/CW2q2tP4g==,type:comment] +client_name: ENC[AES256_GCM,data:OW87HSgM,iv:l9hVz5O9kIpIU8coHFEAi7USAT9szRd/yWEPUJ/cy+c=,tag:nkmXbsXgRFdfLxlXEK3Cvg==,type:str] +client_domain: ENC[AES256_GCM,data:T96fwpdymgEzpWk1AHCuyPk6,iv:hxyUMZRUptennahYciQN5SvaFKNY5L9vbSkod3sJ/18=,tag:1H2qxINQe6+bahDqwg/+kQ==,type:str] +#ENC[AES256_GCM,data:yt18Q2bAXbVqlh1YYhITEi0sqA3ysADl,iv:Ps2WPtuOTYrH4eBAijAxvr6iVwPy7UE4pCVxck+qTRk=,tag:y5yQxqKR55R594815o4ivw==,type:comment] +authentik_domain: ENC[AES256_GCM,data:EGcA/dwACmdF4BxHBniaTw5VbBwcFLM=,iv:a7Br9mBBbRCLrBLtXOVlhyaNMl9KojCky2DnnAorzaM=,tag:J7BY5gGrWtq4K/Fi4vPrGg==,type:str] +authentik_db_password: ENC[AES256_GCM,data:z3hJ1S58N2+e2JSLZDFk4EfZdQnWOHXYXQLpRlq79xMOICfkdNOPk4Xy+Q==,iv:PbJMxOVvnCzx9NTZ7TmuzjjCnAPRfnAhEtgNUndkP24=,tag:iNeufIP3cexO//3HXX1l5w==,type:str] +authentik_secret_key: ENC[AES256_GCM,data:p7XuDZJpX1TB729fnwWSjw8xOiq89n9RuUInbz59yQwj1WZnMbOGFWtKhA==,iv:lCVIG22DPaq3zlWdhTNKkTxoZhHYDSUi/X5HCgd3RxA=,tag:8rb5pgQFSFPqbPb6CyN2Jg==,type:str] +#ENC[AES256_GCM,data:+GpzYBHrXCH8MLp9hNnTq8KQGE21woqupYuhdFsgtXIYNgcDJF7vYpvgMe3Svgg=,iv:9co1ZnzMW6JP0CTF4Y/MpOBSxJJIAHUlrcLV7zqmiZk=,tag:cIMlwU6C4cOCYc2ECGkczw==,type:comment] +authentik_bootstrap_password: ENC[AES256_GCM,data:96NFk4/+nQ3tFX2lWZwWj6G8JbxLVMwYrDghHEC+UebE/QGgV0XpWbmzFw==,iv:Vvqpr3dbxROLEQBe1Qu//8ZcnWeJPH2XBel/4kDn+Os=,tag:yO1ofUIr5fDwiaMJ5Gye4A==,type:str] +authentik_bootstrap_token: ENC[AES256_GCM,data:St6ECyiagUCW4MaBnD8YxUb/BMHEUqeIpvbkokMnWN5SVkBp3RjbsfcHTJyGDA==,iv:osYqlia0kbscK2o7L4tX0BsOXM+RyBGrvnHzBTMoVqg=,tag:xclsy5A/sAECV2OdAzPakw==,type:str] +authentik_bootstrap_email: ENC[AES256_GCM,data:aM5/55cmtD+KpcPuLG8o7Xk8Y53wtiQM,iv:xJl0XP3BROi7Cd5xsoyTJD1WG0sFXV8DYu+utM/Gr0E=,tag:Zng3mRgJlZodmzm1vYAfYA==,type:str] +#ENC[AES256_GCM,data:ewwEAuc2sMr7/JymX/unIrWbPLiYmFCp,iv:RCTjyRNDpbb1KASMaQLivmzPTUqhIj87xBf0sPkAo7A=,tag:DhpjJbmdz4LptfkiK4tuFg==,type:comment] +nextcloud_domain: ENC[AES256_GCM,data:m8wSqeV2KINu4jDEZzJLHWCXCf+2mkD2qW4GfA==,iv:VjDqoqslB2m6iiEwiqFYmSWs3FzFGMs4L27Scd0W1jU=,tag:ZUEyoijAdOttmCPA3jYqSw==,type:str] +nextcloud_admin_user: ENC[AES256_GCM,data:2wJAtW0=,iv:2M24KF/VVNYW4SuQpzRimujh1U4iUnTdXmdvMoDgDIk=,tag:ZwlovzOtGyBItAG2UbVhBA==,type:str] +nextcloud_admin_password: ENC[AES256_GCM,data:aU28NwDezrkeyLQzGqs/P955uyICfPH+Tiqw1MyReERBl3/iAhXzPf7STg==,iv:PCPovUjxW1FIM47bTCuaimkMHY+3W3WdOtj/Utyu55k=,tag:Meg3UOwbNsMHWttSp9VVEA==,type:str] +nextcloud_db_password: ENC[AES256_GCM,data:9KIlpdOY4PrmjqFX8xv5qj4Vi0wcrcKWOAzRVxnFst8YDKaOEwRLvOxT6A==,iv:lpUiKPb2A266p9NLM7rm3zWz5axXp/HM1/E9WhSj4zI=,tag:i7hts7cQCVidJ3Z1drpuEA==,type:str] +nextcloud_db_root_password: ENC[AES256_GCM,data:yDmM51PHybSGy0t5349w0cXOBvb9/ow0a8PooPr80PAYg9IIik3kyDcZrA==,iv:FgbqiKS+ilhmlqkZ7O8UdnvFYeAwjlpkQYO+yTMuODI=,tag:AxHEn1qPSlAEdSyBY8UvSg==,type:str] +#ENC[AES256_GCM,data:WWVZIdIMEoxOQOwJWUgPho2tSHpHtkFtzdiHzl4=,iv:m37ibZwqNOuyVZwo5ImwP4Nct52tAUGPJ9ATC2wRsFo=,tag:eovZH2v4k5Vh726L9WNpHg==,type:comment] +redis_password: ENC[AES256_GCM,data:/BwaUhH4nAKeTkzdOZYksHapMbhiR7BqhB8JTBxvcZUycRKpz4IHjrHKHQ==,iv:bE/6biVZ/EY2CGU3JM0R7MxASM5zd6Bky/1qv5MFzUk=,tag:0XFoF4AvgIgy0zJS5nEMyA==,type:str] +#ENC[AES256_GCM,data:SUh/lkNFWNxcqprX+qpLUp7T05d8m/X33lEiP6e63oqntICG,iv:itrjKHbXWc9MmCcT39JDpWXgBpd/j2j17t4Gi+BT4sI=,tag:W6u02s+tuyE4KADgwzN8/A==,type:comment] +collabora_admin_password: ENC[AES256_GCM,data:kEYIiowJqq8+rPynVbKz7f8J92XoFnZAlK4I1135gIRzpH9QFFaZl+OdsQ==,iv:gPWECbawEkAQ8gvr6qXbmji3RnrFRJyiUmD9B46kebs=,tag:X6vDF0zNj+relaveRZJm/A==,type:str] +sops: + age: + - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVUVEbFBaZVBoM3U2dDFa + clhaSjNob1VwT3ZMYTViSHd1enptZkZxcjFZCmVxR3RZaVU0NjB4QWNrNm94aEs4 + WVZ3OFBBM0pjZVpUblQ5Wi9wZlF0RTQKLS0tIE5nQ0ZPaWJVSHlxbHIzcHc3UTE4 + U3dnS2YwRVdvd1JWUU41WGVrcVZDYUUKHCxEWjcs3tSh0M7r58O2lrAlgL8qSum4 + Wt+TzqCGv0u3mMTsilTSTtaWqLeMHu9jXvPgbD118KtHrSy3tr2imw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-22T09:15:08Z" + mac: ENC[AES256_GCM,data:kx3z9ok704JFFv6f4ffkLPrf0EifQKoW2HsZ+ff1mWUxAm9seFpE1OhmyU3SpSrndmbKSANVMOI88eXne/2w1plqxVYUp75nS2f2fAKTlssTEVrH3vvWS0a7O9McGKgGIQUhzjSiavsrReye7ok50WeiQSlgnzYreM9FBk46c2A=,iv:0ekt8pMJCF9hhRh3CahbKb44Pq/+wordmoe3he78Kg4=,tag:AReHlK8VvGQHy4m8uqK+lg==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/secrets/clients/kraai.sops.yaml b/secrets/clients/kraai.sops.yaml new file mode 100644 index 0000000..5e3d9d8 --- /dev/null +++ b/secrets/clients/kraai.sops.yaml @@ -0,0 +1,38 @@ +#ENC[AES256_GCM,data:tFeRrhiv0poNJKknFOXi/jTCauHB3FI7HHE=,iv:vBPdvel/tDeZbsgy9ThwBAnLfn3/W+atKXrhWaDnWYc=,tag:1FIw+vHdpnEi9PWaCL7nvQ==,type:comment] +#ENC[AES256_GCM,data:wWjTifXRNQ25dM+k4W8cMyolIMQ+zphKe2AYiMuEVyIBd2Evdv4=,iv:Q6/LgZNSv3tee2FcHXUZ1wIvSR25aoiqg7BAyWgWTKI=,tag:p5LuG2OMb3hoYPgK+ab7mQ==,type:comment] +#ENC[AES256_GCM,data:RjmOnfVrJ/8xJZaTlN6OGobGGACNZQ==,iv:4FBY1WOfonv5WfKATTuZkEsqYPicM1zcX8qWu+lTk0Q=,tag:I025riqowW5FKUezBm0GZA==,type:comment] +client_name: ENC[AES256_GCM,data:E38tnNk=,iv:1ilhr+3A7QALq/WELOwxoJG+dJ71u83xmZUEQELzGCw=,tag:LbfHCLGHzMMUQavS/UP6Lw==,type:str] +client_domain: ENC[AES256_GCM,data:ddZVeXV+lbYKVZzeJ1Z94ME=,iv:AeWmpKnQD3+72NnygSh58mH/GLd7eQtdBHx7yW1iUWM=,tag:6KIdfvmcrmbFL1bfeXtetQ==,type:str] +#ENC[AES256_GCM,data:icjtWREHoSAGN5rPbdL4j1XPeMZuzEoS,iv:sIuJcsE+rO0sZ5qhdNK6PGxtErrv2bm2HCi48P5FQKQ=,tag:P5plYgUPY9LNOQhpux6fSg==,type:comment] +authentik_domain: ENC[AES256_GCM,data:sxx8OXgDXRueC6s1yBuM6lgxK46beA==,iv:3hTgWXPRkSaNn4juhC8YnHu6WzydErGHlIAnOKTdARg=,tag:1iHZhBfwChYV99fvl7bAcw==,type:str] +authentik_db_password: ENC[AES256_GCM,data:/P3gQbozHLINd3KQJA/0u8MhUqhMcz6MOoLVH31X6cwmGv2q3y6KeBA8gg==,iv:stKEPGqH4EMc3h3afSX2pP3dEos3H8+mJ9o1LSF224k=,tag:7XtR6fRYfqJ4veuUlpK/vg==,type:str] +authentik_secret_key: ENC[AES256_GCM,data:/1LY8xqI9A5Et20mkY3X2y4o6d+ka7/vqNSxQS2PJ5LAMTAEt9qbX2rr1g==,iv:v93bXYDwvXgifMLngG25qDaXPR690LWeQjkTf0fqNuw=,tag:0JYsyKSJFYWAHYawDybfGQ==,type:str] +#ENC[AES256_GCM,data:Mw3fsLyDrw39Q2OWiyrtEdls8ub5fTWEqVmGeLTg0qkpvzsrgWRW/GiPW7SYbKU=,iv:qHqh5k1N/GaxbTJYRvPZm4RfYc0MVNDXdI7skEBBqvg=,tag:tQ3OQyNLoBymibw59GG+VA==,type:comment] +authentik_bootstrap_password: ENC[AES256_GCM,data:RDvAMIvOYmxbwxSjb+kXqmh8GU1sSA6KHqSh8UecjB1k7F5auXN6O8ETfw==,iv:S6DC4/UTMRy/NwhnT641q+ary4638hdLPSJ2duivgZ0=,tag:8etXMMBlgVz8pM0trndyOg==,type:str] +authentik_bootstrap_token: ENC[AES256_GCM,data:m467HmEab1OSqAzw8Yi9rcL3lRkJJW82k6nYlFiXj7UOgutJtT4BxUaSfMdUxA==,iv:8bi5CITxJK8Mgr0iSB3aD5I1Wm1+c/SL9GrBKKTIqdA=,tag:IhRleBBgg6C7ARgPwnZNcQ==,type:str] +authentik_bootstrap_email: ENC[AES256_GCM,data:ncj8km/6ocTdl9OuTQDjT+bL/z/P0lw=,iv:LYBhp/J6jdl+WbaG4kmRqLaqrYfqNkWaHkqC2QAIUcc=,tag:lgay80kux5aV/Ed7WTB1zg==,type:str] +#ENC[AES256_GCM,data:klnql0MQeS1KXd/3VjVW4WRjSl5yg9Kf,iv:+v30PZBWQVnFEeeQI2InGf9kH5tvzgZnD5JCOyBnEHo=,tag:UHNaI7WU6PhzhkXkHTYtvA==,type:comment] +nextcloud_domain: ENC[AES256_GCM,data:RPe7IOqz8pL6ZZRxTyHnHNhGDMc4ZhJ3zBNu,iv:yltqNWZA9JrLz5ZoMPj7NtQ9JU5EC3cRWG9U3hz+Js4=,tag:bcC78v08TVv+hpzD5p/mmQ==,type:str] +nextcloud_admin_user: ENC[AES256_GCM,data:uscegTQ=,iv:vK0tQIFNQZ1onK70GEy23VDfh7zcofxwyjJXEg8uY6I=,tag:wwna86Sx35Cc6QIMehfDPw==,type:str] +nextcloud_admin_password: ENC[AES256_GCM,data:SC7jJfHvbaqynl30IdJ0wjy1Jf37eLab1VBJI6p0w1aT35EA+GCAA8HmzA==,iv:PwYkMhyHuZpiRqN53BOMFSBBUBM2mMfTVOOatNTWB1c=,tag:hnI9EUmZ9vI9w7bCT3bFyg==,type:str] +nextcloud_db_password: ENC[AES256_GCM,data:CLpONcvumICrvxk39UK4ev7wneE70DPUoqx9Gl2N1/A1M3oOYexVbivFAA==,iv:hWgXELPBooRql5wp3O09OluTn2KBfTL98XNnNyiIfLE=,tag:2o80+vU71xtPm5MI6hlUaA==,type:str] +nextcloud_db_root_password: ENC[AES256_GCM,data:UH4PKHcvfqbp55I8Ru2AtkQDXP+CJpaY156QjO24n6GbIXGT16G0aKN6bQ==,iv:3YKqu61Mdhy/Q2jfK+bItcRx0YFIB+HYpUgpNkXwlMY=,tag:GsQBfVfwJNufY/jY7oDPpA==,type:str] +#ENC[AES256_GCM,data:zqxETKX7LgG6yCW8n/MUvBf80DeszYo+3TH0HVw=,iv:w+Ymv0DKrE/aPYmGsbCPIhrmauNAlDMTGQqQM7HZrVM=,tag:2wYvCPs5xeerRRpfc5f1UA==,type:comment] +redis_password: ENC[AES256_GCM,data:9QjDXsOtQDylRyvzu+6KaWxV53BuPqUOIIF10YygBvaSvtTjc6MvROqltQ==,iv:DDPKUOwz0DLnE7tHHx51SV++Upmc7isgKNvx9fKBTIA=,tag:7ieGACSPG+FiiWqUB5UDXw==,type:str] +#ENC[AES256_GCM,data:Dw9sxUT5diW1LvGQ/VRkPIfv2KMIoCjlsdYGtr1cU51FCRqx,iv:QDf/zXCB8qIvwRAQM9od6Ger8lyXZPDorZXb/Xg+8KY=,tag:dO/1SxL3fpLWnsEtA0xNYQ==,type:comment] +collabora_admin_password: ENC[AES256_GCM,data:QfjXR22OLAcPewDSDKKRxYXiouzBJ3pTTB8usKq0mEOLOCkzrFR49eWvXw==,iv:BpYApcb6quYdUZ2BxIRJmY5lJK++tQ/PxSOgiIJSDjM=,tag:FQBc+HyTzOyVDYTFsvHVnQ==,type:str] +sops: + age: + - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ekhQVmprdjlER1g3NGFU + d3pZWk1XbTZXM051N2t5Z2RLem8yVVM3ZUhvCkFrYWF0cW9XbURpQ2VKaDhuelRh + R28wNGVlTndzcGlHa211NWxFRnBVd2MKLS0tIGhRNmkxanBndjNxTWt1bGRIaHJr + NFU1eU51MkNDOU5jbnFSbXVYU2cyQTQKxGGn9gHuxY+1L07Ouq22dvZMjF6uLUFI + GxlyXcV9Eyrz7AI+tliNf8XWULsixcGQ4wAzvAYOoT8JZ8CiWFd7LA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-22T11:05:15Z" + mac: ENC[AES256_GCM,data:6WsLQi7a3YNlx/1YnvnBpt/6VpweZNvIEh77GsScWkSs4PqmIw8mDoMelcCfk8tBNJyeYwlGC2OGIcosu2j6YzQ5R4EWXdPE1P/yyAn+ISB90XalkSTI4ENInrDObZvcDsI5YnnOoKlE/SAVwW0kKCLgEwd+KPeWzmPFGg/1R/A=,iv:veISYuAHivnC3KdMqJ84zUeC04mhlwSsIn2X55bSLL4=,tag:CUYKa6KgmDnw6y0dCNk4oQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/secrets/clients/mees.sops.yaml b/secrets/clients/mees.sops.yaml new file mode 100644 index 0000000..ecf1395 --- /dev/null +++ b/secrets/clients/mees.sops.yaml @@ -0,0 +1,38 @@ +#ENC[AES256_GCM,data:nDHmEIQrxX1Pu11WWGfMyNo3gyhtySV0vQ==,iv:gTJ1bYCQ2DZtqSOTy4T3za5/O+tnHxcAuya9UOIcf7Q=,tag:e4fwliLES/Bv5DeACcjAAA==,type:comment] +#ENC[AES256_GCM,data:ck1Dp40dTIZ84ehfBqIEZd242WMzBjmjqOgXMyfdf84gn1Is1xY=,iv:j9sbhYriH6qWWI5G3gw0tTS2NtjQX3wU40A99FflcGA=,tag:hU6UPt1n7QsB4ziLx+7Zog==,type:comment] +#ENC[AES256_GCM,data:lx5ejDrTXucx+hg5tqhUvpqxT59avA==,iv:xG3VE978h/itkDTnQdb6eFFkiTx/hCHHpa3FY2wU+Og=,tag:pnX5T91NgzYXKOmph0gMcA==,type:comment] +client_name: ENC[AES256_GCM,data:wQt0Xw==,iv:geKwR+D090w3Z9cYz/CXtkPxl63/TbYgNMoQw874Y7k=,tag:0JaDBDVHtdVO+SrO5uEMCg==,type:str] +client_domain: ENC[AES256_GCM,data:zvmzOyldRRKq5iLqQvl5Vw==,iv:P6/bTwdkOkjYNCsutAVo0EReIepDo/hL+XiTFaoHeV4=,tag:cyTr7kIJ7wQa4HV3rToO3A==,type:str] +#ENC[AES256_GCM,data:DtFzZfzpBcTQTDC3TI1T4auritGFQIUE,iv:EuoaqcZX8jWn5X1bIsnmMaNX64QexVkLw2rY3EdIJ20=,tag:20bcj0D4UCQzj86ysDg54Q==,type:comment] +authentik_domain: ENC[AES256_GCM,data:xg5NwpJJvKgjWChjRbhb1JQUEAHf,iv:ewb05t2dHqgVcQxQXpsjYemWWq5mY5XiyP6HtCnq1I8=,tag:PD3wNOw3HYHWwy0epmRDlw==,type:str] +authentik_db_password: ENC[AES256_GCM,data:J0SfjEIAThTHoch4r33Tpd+EE9gcTagzIE/RfQ2jm2UUweg47/QH1u6RyQ==,iv:WC6aapw+m/jX0sjhNtSfi6Kd75Fr5YUduj+G4+4STDE=,tag:Mkl99nCwb57SI71E62g2HA==,type:str] +authentik_secret_key: ENC[AES256_GCM,data:5Ru4q8mccdW06CXzPcSSqMcKhE+CAczwytt3Exb5WL+fub6472dl8zTQNQ==,iv:2eKh3o8sfG/eCgnDQslCMLL0RTQPDG4HQJgsihqkhSs=,tag:8sdP1BDJMQ5P7cixm4iyBg==,type:str] +#ENC[AES256_GCM,data:Ga3iv15rbcUYFnPAZFZha37LM6jBJSAwUC69TjG7K4pHQDRHh/zd1dO0ajiDACY=,iv:Pbbqlfdtts7e9QmX9kG7XT706pmUJ3tj8zWsUWSJrgk=,tag:vxGsVR5AY1wg1beRGGry2Q==,type:comment] +authentik_bootstrap_password: ENC[AES256_GCM,data:h/HeW1PwVSJtMhbL+ty2b34E+9sfAN7smcMFsfF1kC15rUcQ4/940Owr6g==,iv:WU4tqoArtyftsy/uAdYs8hfYpb73YXLGm3yu8wOMc/c=,tag:rvYAUsdBWZYwb2Cbg1huLQ==,type:str] +authentik_bootstrap_token: ENC[AES256_GCM,data:8wp7ZsxJK8fpyMd0iCw27FdTd54t9eDWF35O6oQ8pCz78uDO3MJbgolRdqlBEA==,iv:O5d5P5epsLdP6wxf8cP7TXqNGhbJnZwxWEZ976TxNj0=,tag:HraY3oocXLyLaOkBjqeQ7A==,type:str] +authentik_bootstrap_email: ENC[AES256_GCM,data:Myu8GgKcO53boxzzhmV2E6QY3MgCYA==,iv:c7rPSZuCAbHtRwV9y3UhcR7AP67WcKHSVMVybsBdRi0=,tag:rCT68PXIGdi7EueTKyEG/Q==,type:str] +#ENC[AES256_GCM,data:WJqMdpKOg+zsX1ASUeoqspYKJxHMeCFW,iv:IfIZCIDcx65BY6wXp2FN2E9l9viW4vTWreLnuUJ3Zs8=,tag:VExM0tQg34RqAzLgGiLXYA==,type:comment] +nextcloud_domain: ENC[AES256_GCM,data:dxYUrXI+eJZQTxr5h9QYWs6feN7iWeeF95w=,iv:H7C8wi46eERpI57k5vAyC4AJDsyyp/R+TAoDT/DGXpY=,tag:sHGb8/WUAiO0o4Krrp1K2Q==,type:str] +nextcloud_admin_user: ENC[AES256_GCM,data:c62OMlM=,iv:tg0Ij2+GNLMwCvqSDkxbdhHbmFPtMb0ZzRMwJUIxFsQ=,tag:20qJfwFGy+G4bhJdYU3WLQ==,type:str] +nextcloud_admin_password: ENC[AES256_GCM,data:i+ysZEftt7iueQGMk8vROi4iwkfb926Xj5q1O0N7AlDVfyKS6wt1+9hMyQ==,iv:JG8cGdRFUKE2qEuy8QS5U4ZzZuZ7ie6iE1XYn/Kbar8=,tag:wpPi1qCPcQXtrBbkSVZ31w==,type:str] +nextcloud_db_password: ENC[AES256_GCM,data:cB0dHH5fsDLylnjB24XERpCnXZ//ailF9REEobhyHsaJRzA6LXUtfpO/Yg==,iv:QdKCF/RFJLbwYIeztkT++y/1EPA1HYZwplxqf9u2ST8=,tag:ckIBUQ2oWDUy92QqlETuHg==,type:str] +nextcloud_db_root_password: ENC[AES256_GCM,data:yYDL0RHzwAM408tUyreIu5vGQcs58pLbReUqFY0MQ1fKBgOVNlBpF6tWPw==,iv:kG/B56x/Gh2leopPgIFdfvJQ0XFWlMrNQPmvzhTfDnM=,tag:HPpsoQGv9ApVGcDKQ3JPjg==,type:str] +#ENC[AES256_GCM,data:eHzQOLm/jWa6QhUi1zhZCf+s/D3sABuVbMmPzXw=,iv:jyTY6YppOMyZbbKzLcE/fxCaFV8Ua0Pr6xj9WnIsNTY=,tag:0jk4nmcIBziBPb43+7YskQ==,type:comment] +redis_password: ENC[AES256_GCM,data:zPswVPsKFMl5FlOzSof1Jn6qDCA77WIBCeXFrm+mR/x6sDDInfp1jTWnsQ==,iv:I02hJFCuLkFYwBWgkP3lQBkVxX49BYYVPzCMBi9QxCM=,tag:1rc5zrmm8SErEhiORVXjag==,type:str] +#ENC[AES256_GCM,data:jpXkEZB0CrHeFNNBbEjzyn1hXPpnIqoTPEtkyjaukBc5F5A/,iv:dh5h4H4ZkjcBbO4BX1M04uNn64V30szSPMBvY3Yx3IM=,tag:bDyIybKZajGd84xM3AHFrQ==,type:comment] +collabora_admin_password: ENC[AES256_GCM,data:QCGMIFOM9w3ZdfHLOEl4+WQU455bk5ln6C1Bs3P7lZ/mIVp4ltZQUY9UfQ==,iv:8773AVMUj+SxLCqQmP25onnlTBSCjsHMqQUAnopNpIc=,tag:hOaCO0pGzu538WA+lB1sEg==,type:str] +sops: + age: + - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5bThsRTRXVUJpM1l1eGlT + YXdLankycGlpTWdTMXJsYUVHdFE1K0tBc1NFCitLUnVjdlVBK3poYzd6L0trcDZi + TmtCOXdHWG9DSTdYTmFOVjRvTUpWYnMKLS0tIC91aWgvZVIzaEhCb0Z5TkFsa1pI + UmRwMjhqZTZUSDFKZloycnUrbGdHTVEK0+u+Y3FRNT8My2+xRY9Lnjv/GHamgx5y + /mzWgXUaqbAwgSbHBKMjh8pIHoaAwDY97k6jvRUZ2Js7im21Aq+qmA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-21T11:38:58Z" + mac: ENC[AES256_GCM,data:AgPn2dJmYDIKji1NEmQxbCxWnUwnS5/h/+k7uB7QqGwfwP+jRO3Mr9UW532Pn0UxxjiVHFByXMmiaf+QiFjE5+OVgmMOh2OwltbIC87f4NVeGb4SusFIDFMAPMBWIHremeMwIAztGhtM7dwi2EaxyyHsiaaJYtVkbmzrnFhH3l4=,iv:oKOvax++BObkUX8E6ZIlRpYpKirnqy0DQx+qrceT/eE=,tag:NEvnbyltfaY333rzF1zGTg==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/secrets/clients/mol.sops.yaml b/secrets/clients/mol.sops.yaml new file mode 100644 index 0000000..c1477e9 --- /dev/null +++ b/secrets/clients/mol.sops.yaml @@ -0,0 +1,38 @@ +#ENC[AES256_GCM,data:RdqH+wYWCgAVstaIUfbRv96cH+RrxFHh,iv:0Q5HV6Q/bg/oS6KtUBGjIyQMw8Zgty6osDh0oc8ipMA=,tag:6CzBxe9kN7Bf0yCdQefALA==,type:comment] +#ENC[AES256_GCM,data:CqCuxZQYtcjnI6gptclKrAAeRUctw4NtHLydoyDdrqYuXTKwHZs=,iv:+EJcbrL4sW2u22VZ3jsetOnCimPpftQ07OLf19z6++8=,tag:+3Dprdl79C1BZtOEF0Ii1g==,type:comment] +#ENC[AES256_GCM,data:fDeInmn8uIqJlBMUEzM0jBHh3so25g==,iv:jHekZqvM7G/93Bg3+0SAURNVh1pTbLmjMvOh0CXmTFo=,tag:HnRSv6MYdfa1Pqbf9ywGTA==,type:comment] +client_name: ENC[AES256_GCM,data:W5+k,iv:fq1/jwCzgkqPPdBb0ZD8mKAtOGCSkfTb2H9xJaRpc8g=,tag:uL9WCnsfybaT9nUCZRWAGg==,type:str] +client_domain: ENC[AES256_GCM,data:1FlFZwI9RcCM5yNN8lKz,iv:j2+yQ/ipOHXv5a0mPeoXOYqZYpew3/cxyL6i2x3EtDQ=,tag:HdoJ19j+Tg9gGrGdi83GZA==,type:str] +#ENC[AES256_GCM,data:Qp0bKgcF/I3fmkzQLYVgmNFZGo7K4na8,iv:LLNsKjHmTnTvwVp8PRsWGx+kgVlP+KMX+1kUF+BEWWY=,tag:L/ON6Xd+2LwXxQ4N2rd0iQ==,type:comment] +authentik_domain: ENC[AES256_GCM,data:dxG+fMJkp6DWw0YyFcwy2ybrmg4=,iv:y/n6oXUwddMfrh9GelEfcpvz0w/L0oLS3OEDlurxkyk=,tag:FPn4NGstNO+/zxKIRujW+A==,type:str] +authentik_db_password: ENC[AES256_GCM,data:qZenOCjcUeZezRD5KbwMFgGd6Bp0pJs85NwUcZKr9ZCVIVz0sK6IBthR7w==,iv:IBe2wdaEa+5rBpV5tnViviPJnlSKn7WaAoPe7/y+xpE=,tag:dO1PV5Ipb61RITiyq54jxA==,type:str] +authentik_secret_key: ENC[AES256_GCM,data:2K0ZNdyI8SQ0xeEHOe5Rgmtko+bQwd46pYdxTD798r/ngtT+m536PMzuGw==,iv:ZlvopRCOjx+dQu7faD+qYhKqkT1zFcdPSD1c+CNQMoU=,tag:jF0KgAXwsdHZ3m2TQRt3SQ==,type:str] +#ENC[AES256_GCM,data:O0Mvr5fB5iJMxjr2HxRYEFN+ErzvHYH/t9OPmasX0uoH8zC8bdrn85q3S2QkuGE=,iv:bmut3zKKAMl01hHNj6bY3X6CtzeDjKxx9AquLOaZA88=,tag:KN3VH2f1Ndtq4MRqhFCGzw==,type:comment] +authentik_bootstrap_password: ENC[AES256_GCM,data:+hkED2QPS4DI9WrXICe05unKFa7t/vfwgWW7LZFU/qt4g6Td+JyIRiXMXQ==,iv:d7y1w4Znh5dqL5jDREd0HSoMBYjaCkpkjpUu2yMtVJU=,tag:cXK+yC+6sDWAmJrSiH4JKg==,type:str] +authentik_bootstrap_token: ENC[AES256_GCM,data:qKcmlg4yGocun5azL3psNUGvgdTSCY9qI4qcJAoRkbZiUoM4qtQ9sYLZNmFkew==,iv:Vq77p4d0Ts57McXm5T9hPt3INBRAToxNpT4jbv8ORzE=,tag:OzpbZvmwws7wyWXf/91W1g==,type:str] +authentik_bootstrap_email: ENC[AES256_GCM,data:tLFpuy2pC4QBPmLOo7HTep7YPi3t,iv:6Jz7ORj12kw24e3RvTZEQI6h4Fqj7cN7e5ucNvbMtvI=,tag:t6UI4RdNTtsfIdArzoZ5bg==,type:str] +#ENC[AES256_GCM,data:6GO38RYO9CeicXN+AqbMUNUAU+cxOdTF,iv:WuhMYR74Lk+V28wIKJVXigeH9kuu4IWAWXtsacLGDv0=,tag:1Ec6KJq5G2tzqzWwSrzLGA==,type:comment] +nextcloud_domain: ENC[AES256_GCM,data:0t9HBZO0c1Q5996vhRpcKOgaW99RXY0OBA==,iv:5UgZu2r3ng/wRmv0pQWom7C/2Yp0KsIdE2m6h8asIIU=,tag:QtmCdmmkS8ZkUPjEbkeXdw==,type:str] +nextcloud_admin_user: ENC[AES256_GCM,data:qavi4rQ=,iv:4vZNZSyPrKfgiEmhAvmS0g6+mkQhhXB7cIVu1UHYDWM=,tag:k7PcSi+cIV+OUrfQJ2zXGw==,type:str] +nextcloud_admin_password: ENC[AES256_GCM,data:ijbkHPbCFNKQzcKb5pKNhNwi3loqap4+hNCJXryQHvQp+ANLjDKgpJEmWQ==,iv:cK3hVTvzDIektLJGvZcG28pv/j1STWcHjZDW+2WDeXQ=,tag:yNeK7k/oWjp5n9c1SVXB7w==,type:str] +nextcloud_db_password: ENC[AES256_GCM,data:Z6d5EatnFo274B5p+Nvm6RJ+ZrFPXb4hcIa1w3Sds7KiruBUTO5gOaS6LQ==,iv:XfzBxp3Vx41imjj7r2b0qlp7bsNd8xzfMcFpTj+vhIM=,tag:b5ZYfiNnEiyMNHA7PKN9fA==,type:str] +nextcloud_db_root_password: ENC[AES256_GCM,data:f/XTZ2Qi1436d7sAlxTwblI7C+RDCXci2rEpOtjFkQ6AvzJh/Glnfah+6Q==,iv:VIvUU/Xg7hdHM2EL28L5J6dMNq4Ja3aAqz4AqYj5coA=,tag:S1wlmhruRnMeK1CcU3d1UA==,type:str] +#ENC[AES256_GCM,data:6nio7dp/aucjQ90gvMB2vtp3gaT0fGlpHo43JF4=,iv:X/J0/GVAc6r6iibkeF75+rUNho+QNrogCf8Z1ytZmVg=,tag:l2Z3qJHpa57uaH19Qam7aw==,type:comment] +redis_password: ENC[AES256_GCM,data:7Y5aJUlLRAflGnwfAvVmuRsMSFf1BuX4wqttSUBH2pd2Xo3ni/sUzwFwcw==,iv:0LAtF5Ok6DMXQs/OdPNClkX6KoKmgHBgDITzLJ/x8i8=,tag:AC4IdGdXQKtjj/TNXJk4Pw==,type:str] +#ENC[AES256_GCM,data:hmPRuxO2AUuutHtQFzCVIwZa89QefbPwoy8J2BCvyMcqwdnk,iv:ttxTseQfYHpC5HAnRbQ49kOXLrAURsB0S85+AK/sSWs=,tag:Bay5IyyPbc52Ei/Yt874Mg==,type:comment] +collabora_admin_password: ENC[AES256_GCM,data:/YRfkl8HNjzaWGsjKr8X4j6kQqQ4BisuvcSiCWkI0M4FnlrrS7mjsIfwmg==,iv:wRY623bkVdilZl1KO0NpNrW+1WVOGCQmFPuHKHQWUok=,tag:x1bIVqiiKNgbUbWnsTcSbg==,type:str] +sops: + age: + - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSMWVIajJsR1Y2amY1aEhk + S2hzMXZxU1p3bXlSdmkrazlKU3ZMM1dGSVhBCnJST2QxaWhHOG4wV0NVVnp1VXNL + Q1RpWTUzWVFmOUdEcjVPcUFxa3hPcFkKLS0tIG0wRGVuVldoL09oMStnMWhnZ1gz + SHNhUjQxUkFUdVA4dGVvRHlKWFprSE0Ki4fdUq6+Qo94Agl/3/+BQC+Nv+TTNhzv + mZhzHk0eNJBbnbMpF7iGgupmSFb/i84KuE5G2d37d2WLAoyGXfvong== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-22T07:17:12Z" + mac: ENC[AES256_GCM,data:JplSf3ioj3e7c/cSItAH3celI47WChGs4f+VyEPPoka5aYoBfFghg9pLAK/G4Kfp9xle7ePQiskf9kdQtchmT7AdO7KhzI6/5A4Sqd7nuErASE6WXFQNzUT6cepeUO8/bmkUajkiJLkNM27taVgL1JaK/yf85jU/NJa7q1DoUbo=,iv:oOQR85sm+7ZbXW6h7jhHtP3COYOH2HAVP0aauVualeY=,tag:p8ov1f+F5O3dhysrsjipBQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/secrets/clients/mus.sops.yaml b/secrets/clients/mus.sops.yaml new file mode 100644 index 0000000..eaf970a --- /dev/null +++ b/secrets/clients/mus.sops.yaml @@ -0,0 +1,38 @@ +#ENC[AES256_GCM,data:YZA9R4wwAXnkrXNFaaT0omEYVCB7kk9H,iv:QsxsOjBOFrmpYJK/2kcV2LSA8ceYoepiSnKIHem/rQE=,tag:bRtBKlFBhpTMKN4AB3eZ5A==,type:comment] +#ENC[AES256_GCM,data:un9/ID4C+fJ6nzFLT0ycrrcdZlHi32eC/NUasU82WtJUTIA03FE=,iv:ryjN1H8tMmkG9BZf2Y27LpF4SzqiUjYlMmLyvX0zTNg=,tag:0j9cG9Y8MRbQVMLJlyR8RA==,type:comment] +#ENC[AES256_GCM,data:aAWxqRPPzOaiuvEsoZAqrzAzA3eeTg==,iv:yPjRlrXRWJsefXaWUEmaAvRXL96qKKAX2iSLVojzyzE=,tag:K9hJsHIsE3SvNEPqb+VnBw==,type:comment] +client_name: ENC[AES256_GCM,data:FQJ6,iv:S2SrrdpkQKbN3D8a16U5dfiyu9hh51vsfonBYrHjM3c=,tag:xKTiG+Xgw5YRfmYKU9U/KA==,type:str] +client_domain: ENC[AES256_GCM,data:8QS0uin4ACeo0FE7P/u8,iv:7rle27f1LTWhwjL2M2yj/0L9HGae5nl72YaAQqJrVi4=,tag:W1VNH4kcsoaWiFVPrCzcDw==,type:str] +#ENC[AES256_GCM,data:KMngZdLTSg/jkX4gKZVIUoDavjj2sl7e,iv:93G1744rfbEm0yrD7IezXZM/dHSN8M7Txzj9rO5OVoU=,tag:1M/dOckZVIN6Pr2ZXxmWCA==,type:comment] +authentik_domain: ENC[AES256_GCM,data:7kY3IQuzvK3qz2IQv40TkpL5na0=,iv:jZZRvz/Z1pAUHFmBjuTN8Um31ikwF5po8Wxi+iDAuMc=,tag:NsDoCYO2FPWqE9hD2oJ00g==,type:str] +authentik_db_password: ENC[AES256_GCM,data:se7eQ0H5ZeLWFpWKxxIiLcfjdkoeP4zGoRlvmK9/u2V097LOq1qd4tCEAQ==,iv:5Sx3wFmOZjPi086GtGz1+OGz6NHV6qI28+HeeI3YBeQ=,tag:51dNJyRSwsHsz5ioY9bmCQ==,type:str] +authentik_secret_key: ENC[AES256_GCM,data:BvC7iQvyQYAeUnF8+bcvULMn0WobUl4E8ITU82ih7LbiwIKvEEIWai6GPg==,iv:GCWiwaCU9WNZY/m1DuIKGvTBPud5MwskGKTAZWh9VSk=,tag:dbdqFg17NgjU3S2vNIYPEA==,type:str] +#ENC[AES256_GCM,data:ExyBmA/Ulbw/LqJ6PZVPgKZfoqkz+dv3wuOQF5vkWn0dh9skvO9soei2xzcMmdo=,iv:/ILkjORzZrbbPIIHQ6Tc5RUqv6CELpt1N58TTH1Njrk=,tag:el/HVmO6olMDdGnOBn6TaA==,type:comment] +authentik_bootstrap_password: ENC[AES256_GCM,data:GuIxtvuktBkr/oUJxXN0RM+qk+3FcfrcOGZ/ewZh5n8wfzIN0Y7K5FwW6Q==,iv:3JZz9nRPcgZxwIJItx5vR0BUDrOhBegp8YluUhaA7fY=,tag:TFuXV4WSYFQgHkwpYAYbRg==,type:str] +authentik_bootstrap_token: ENC[AES256_GCM,data:+qdNWwFFuv0DvTUDFkTQ6H4VzZdyxZajMuahT4C9CVIw6ozsNaR5hqLnr2yMAQ==,iv:2OPzFT8a8X7thPx+UghHN5AyG+7YTaBCs7JsNab8L4M=,tag:YgyidHgea5csHjsnF0IoyA==,type:str] +authentik_bootstrap_email: ENC[AES256_GCM,data:4oppBPW3/0IVczASXStlZ5pkAhuh,iv:fq1x29fkVHLAD/A0jObrajfvW5SJdkn1plWuoT15uAU=,tag:4p1GCwoeUm5YTBV5h5vdKQ==,type:str] +#ENC[AES256_GCM,data:J8pXk2AS/DjJITzESevYk5bwmOFk7aSk,iv:MT3TjZJimnMREBUc06awyRo6MBTLg48AP9FZ9kX0+oM=,tag:+aLEod6hYLYpxF67i3hCJg==,type:comment] +nextcloud_domain: ENC[AES256_GCM,data:SzcFMO0GtLbOwY5FDxRNYHHwLKnJj0+Nqg==,iv:hgfdMbpGbETRHxfHqZibXvJvJduSbT4TR54gWrjpIfI=,tag:cTIO+DvAJKcMtKLT/ik3Jw==,type:str] +nextcloud_admin_user: ENC[AES256_GCM,data:5LAWcsM=,iv:BnPPE/MpwZaRLKbdjrzelFN/Zy8kVwg2IcXNH/TN1rQ=,tag:wKHdKhK1d+anvDJwT/28yw==,type:str] +nextcloud_admin_password: ENC[AES256_GCM,data:TVKosO9LqXW4DPxEdRQh13b2BDWAdclZXEvQ/dRBmCGIEcAlXIrjK4weyw==,iv:OrTQHZUrlyYHl/JBsaeK1Z3oOuuD5gfUlIEvYmU2KkI=,tag:KmA+hO48igHoGmaPAOGHrg==,type:str] +nextcloud_db_password: ENC[AES256_GCM,data:VupWHMWaROOv1j7lhNZQVSSuTub78Yug+C3RPYcaGAS4Fhik4NPRQihbGw==,iv:OoSG9L7i6inI89l0d/JnItIP9laIwvfaj+9tIEM+wZY=,tag:xijIIdvKQ+nQbzbSaD2ggg==,type:str] +nextcloud_db_root_password: ENC[AES256_GCM,data:TgLuo/AU9tKl2m5MH3AmhAUjjeG99DXuQdUpEdWPEBb4HJe3J6RhJRNsfQ==,iv:XyQuePKBDIiGsfzkqC3UgLC0/4C7nL2jtvVYKBt/quE=,tag:Y3jxROi15R0N4hsoeqHAlQ==,type:str] +#ENC[AES256_GCM,data:+7Cq3d03lCXJMyNaNGpI3U6AkcSFAXc+Z9nsQ+Q=,iv:jRoTC7rMhlKJl6GqTYkvXEO2QWAOCudETcDziesKns0=,tag:BImFAcuYvcLFPyiiMmN/sw==,type:comment] +redis_password: ENC[AES256_GCM,data:q2jKUkaVg5iMbVeTe8rRWui+A0GIoHOEk+E+FpKy8u3R1qrrr5EEOfuDdw==,iv:alZjGn3kTbcpNs6PMyVZGwRTM6L/TIUQZRDIAz2uWog=,tag:OZpSrEECmJfl8UDklNWd0g==,type:str] +#ENC[AES256_GCM,data:DZwggOPEAOWxDa/8qzlW8BVk6SHCWHucZG/v0FbTdX8/9Apl,iv:EeXq0gfuF3esJZeosA6RL2TnYdS2zqCVFooJwal07JQ=,tag:vIwTJ3v3aRSxvpu7Yo2ucQ==,type:comment] +collabora_admin_password: ENC[AES256_GCM,data:AUIUtwM7H4SYEEX0rSisIKNIDCNFlg8ePuLLWBXoXoMcgy2dW4TPCBfLTg==,iv:um3LiQ8uhFtjvbyP6YD4/z/7+9qVt9XG37BVJNEZaAE=,tag:9XA6CfXCCTDUxjznEuRO6w==,type:str] +sops: + age: + - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQ1ZWRzErY29jM3pFMTc4 + MkxoQ3dHNUVSN21jOTZsbHNmajZnRnVKWVFRCjdwMzEyTi9hZzkrMWl4ZTJ4RUNR + c3JtOEIvOEZITzRDT3RTT01ERWpJbW8KLS0tIDVQVGN4RTZ2WDBWaWVhTVl1Qk0y + QXhMWlRQRTh6azhSMk1LaE1UQ2llZTQKM8ldB0EFiYxPAQLGnTVxo+MDdoDiqYIx + S05IJoSZuPbBA8XnQHbzndkpJjF9GI3sfpZLqaSoqotuBFJeATsymw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-21T14:00:17Z" + mac: ENC[AES256_GCM,data:OhwwkRU4Of5jVQ52ttIQcRAPPvsIU35VOZOoL4tuOPTgtCWtJTCT1ZRXpL3QTDK+YoZaggktGxisQBbv8QD9ymXBT46EEf9GZHkW499fpJlCAmPwNBYdAgBStOJU4PYewPRsrAWwCqBUkKln+MlIhQWXk94hqzd+i3NnEa5IXUc=,iv:rH9Lf/BeMa3ZoUfkKCxY5wCoI+ThuhdgWX1QdP2ZNMo=,tag:7Bhifb2RldBUetttNphtrQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/secrets/clients/otter.sops.yaml b/secrets/clients/otter.sops.yaml new file mode 100644 index 0000000..1e737a3 --- /dev/null +++ b/secrets/clients/otter.sops.yaml @@ -0,0 +1,38 @@ +#ENC[AES256_GCM,data:RGF9yorvXzWMSWdhscxtn5C964XA+/IkfgE=,iv:yAjY3CrAjNS/JlZbrDdK4OMjfh3uyO0+DPYRW8l7GYY=,tag:xU94y+pyC3/fSF5b5vWMuA==,type:comment] +#ENC[AES256_GCM,data:yknOZn2UtlVcGsIKrLvRbQlHSbr0alQUrhCgPmR+97NV8D2cm9c=,iv:KYJWVBfNHj2KtSNP0e5eOx2hhakZwfspcP5LUuayQDc=,tag:J3gL8A3HDFOLjmdBpS5DbA==,type:comment] +#ENC[AES256_GCM,data:fxDy2AK9zP+igk1rxc7GcbxOkE5Zzw==,iv:FUMvH9VwQGLBKB68Wg24bwBYc8dY04hJc6P293Ma31w=,tag:e1GxGh3XW7UPbaUVssxCrw==,type:comment] +client_name: ENC[AES256_GCM,data:tv1fhY8=,iv:cAMyIDjZsel44lfZip/JlfnKzkbATxYuwW+ByYkG658=,tag:5Pl4Rls+9TrFAYswPPkXRQ==,type:str] +client_domain: ENC[AES256_GCM,data:p4f90ADNdeycGby7rCcpWCU=,iv:jfRw9oG5Lz0sY5QzXAVdNTnlQOPw/Em4mBviva8nA+M=,tag:L60czr0DNFrHP/K3uDvTuA==,type:str] +#ENC[AES256_GCM,data:PETVydzmEI8h5wmrpCijpL6DYXM4cIGz,iv:05CjqutrdhemcRwjVUxrXIG1aGYZ0wGvP9bJxPGsZkQ=,tag:coJXV1wr48V87QzfBkvsHw==,type:comment] +authentik_domain: ENC[AES256_GCM,data:8gQAjxcBeXUOIgY/dWZ7Nl4xXs/IJQ==,iv:0VhKsC3YT/6d6iaX7qag4YWZrnJn2M+eNmAozKo9Ry4=,tag:YNGgRsEIA4wjSCXUPa7iVw==,type:str] +authentik_db_password: ENC[AES256_GCM,data:lSfuOczTbKp7dGgoxlLR258SNeNMUiYUD3ousLDeC3pTg9bpck6v1E+eBg==,iv:F1/5dRRVwPJ4NrwA3IPDsJtH09Xri1iBUqCCO9xpUs8=,tag:7I5K6FEUgj3XqwX3R8ukaA==,type:str] +authentik_secret_key: ENC[AES256_GCM,data:+PSgNbtKleEUazMzt5PlhqolZbIntLj5GMGVYkvHoKsDzQ9YuGkN4eelMg==,iv:aHyQUjzEpmBEyGhjfcI/V3lPyVCvAk6R2V6Rig+rVgo=,tag:wobcHSmepivNf7giByLA2A==,type:str] +#ENC[AES256_GCM,data:cH3ULQzHGDeYR+aa02YI26EaPMag9UfuzK20Y19p44SuVNwhVfXpOdI3Ea/hLck=,iv:iR2lvbQAmwwraZir+7T6uzduWIaI3+2frvg+Rwe0bU4=,tag:v/OSZKMkczloL/++NfCLmA==,type:comment] +authentik_bootstrap_password: ENC[AES256_GCM,data:V0ua8jW/+jFiwu+VOvPYs4Pu+w1KknfMDdRboNZqDhT6juzvsyvKoM3vhQ==,iv:UZw8o7s0luFTtYkbPfUXPzEoeDcJqb16Atx/TprTT/E=,tag:irl+tNh3DDTyL1PTCCSzkA==,type:str] +authentik_bootstrap_token: ENC[AES256_GCM,data:otHKwk1LhsMH0gBo69VYwYBB4Oqkp3ZJcWHt54iuQvF2OV1O9a5R8kpLJgSlqw==,iv:OaVW9c2XQJUNUIZTceUQXlA/+RnQbDEHIkAiPzNl+ss=,tag:V9pwQKQkSMOReGHJVrqV0Q==,type:str] +authentik_bootstrap_email: ENC[AES256_GCM,data:CWlZIVwBxqE2RBTiGcIG1dujQgTCCis=,iv:lYb6yppkFGK/PANeCXY9+4ZLQ6cU9zL6YYMYza9SKeg=,tag:NAssJMYH+ErEIlHxKnBaog==,type:str] +#ENC[AES256_GCM,data:0tDLV9dubxl47Q1YVkxpkCHI6Lw7xp7T,iv:GJutMJoIbN5aLo5kDSo68gPdGumBHPugXbdmNGSXgU0=,tag:/75Whr9APJ4b+f7L/iOAbA==,type:comment] +nextcloud_domain: ENC[AES256_GCM,data:BG34MrxgOWpIrMZf23nTpN9DumSJ0hsUYFRZ,iv:NX8oFSOnUwB4Z8bTDgNnkFnoDW+QpOuvb6ytysgiZmA=,tag:a6JxQD1p2VqR1NMATXFanw==,type:str] +nextcloud_admin_user: ENC[AES256_GCM,data:p6HrBkc=,iv:xWDx2c3w4Jbd68ZoR6coAefZUT4PVxiRMJ8Csr645H8=,tag:SAcYI4Nzs0Uo9HVRdwYeEw==,type:str] +nextcloud_admin_password: ENC[AES256_GCM,data:lpn91mx/I4IU9pdQ7Vn+m9z3YZIMW0h5DcY1+z5xXG87wpa0mukNQxrm/A==,iv:GQLesAS3xUMkYkPt3OpLsLxXbvcU4FMwVWbK4vmKlCg=,tag:PhTVeiQY2jKiVVjzVcEpSg==,type:str] +nextcloud_db_password: ENC[AES256_GCM,data:wienpLg+QkUbqazEfhosFqFH32eVSecef+NkBSJ/Xk8JbKxw9eU45S9IfA==,iv:74DE8BD01YaFj7MytjpCdfcks6iFvBIqm3hXZSHYBME=,tag:A7D6nbnG6ReT8sK8mS33Ug==,type:str] +nextcloud_db_root_password: ENC[AES256_GCM,data:f4xjVOiU/wdNifENTGDQeCBFY43056ktFzOvzicT3YbUdUl0tgnwUcM1BQ==,iv:Ch1b1JbvI0plSV1mB9To21pWgwAD8E1Wyicra47GGWs=,tag:/yQ21BTxhTRnhsyK5euUSg==,type:str] +#ENC[AES256_GCM,data:2AQKUKlnbjUXv7aCvvGoEYy5+xRiVhB6POOh+pE=,iv:jLo1cdid+6JU5+/XDb1EnrUIWMjs9+Fp/Gwn5Iq45e4=,tag:JMdlj6PbOnO6Q3UJgCGMiA==,type:comment] +redis_password: ENC[AES256_GCM,data:oUlYFaptttsMM3rpfVveXuahz1ygBcKx1IV+uaCmcqPD34BiINVnC9E3xA==,iv:0nC/b42Oub2Qj7bHQRbOUy3oRsptAnVxaf7l9Q4ZOsk=,tag:PPF2LqXuVyYpkn09sMTRMw==,type:str] +#ENC[AES256_GCM,data:7tSQD98CIC203QnJG5fG6ukCwuvIwQ4Pn3hocW2DA/d3hyck,iv:kGXiuxJ3WczmmGqw2MM4BUnP6wzYXJJlUqVt3hA81Mo=,tag:9tNp35S/A7J+y5wy2k4ykQ==,type:comment] +collabora_admin_password: ENC[AES256_GCM,data:Wf/fuet2JGCv9Ise7lT8c/i+VVyUp1jJcy1PEafuDcJ6+usuHJeEr+Is3Q==,iv:8B5LOtypt3Q+KDjIBhAnbBa73VKOsJLjbvyUorZZPH4=,tag:YNeOP5USNDe1fW6/DIKUOQ==,type:str] +sops: + age: + - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyQkJGRWJnVi9aMmZhWjFX + ODBrcWVweUJ4NjA2S2dHQkgvWnk4NUZvOFFBCjlPUkY1VnJnT1NnTEoxRTZZVmky + dXR0QjFsY2MwQVJoZnoxRytZTmpxejgKLS0tIGJKRk40dUNjRmlrMHg0eWw2VkZa + WFNzNjZIRzBIQVdBZnVzcnowVkFLc2cK2FMHZPwcaEopR/wTqbhToPABRGNAr5qI + KA5rlTPAeLWmZtr/3LtvlR4IcMwdJY9guwkjWwV6elp5lZ6SE/sKnQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-22T10:05:00Z" + mac: ENC[AES256_GCM,data:p02A5wX3cvycCJiFLjPPnhMMTPHp6Ceo6NJwTjSNkIbEPKTZ494dFILRuD3jU5mmmplQ+uKosIgd0SBPXwvog6Wca7Ftfl1s98feodxunLtz0+A47AemmVxrCqKxdBa+OG26PRLj5j5K9eWHu6nzSiHA4tnWeyx/Lose3J70g30=,iv:ygy4Fjo4GPnZMQ6rVDLyeGE03hYq6n2U6zKamDTlnD0=,tag:IR2xLsR/KxxwC8kUEAfZZA==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/secrets/clients/purple.sops.yaml b/secrets/clients/purple.sops.yaml new file mode 100644 index 0000000..d1d7ba4 --- /dev/null +++ b/secrets/clients/purple.sops.yaml @@ -0,0 +1,38 @@ +#ENC[AES256_GCM,data:38aUbCWeuHrSJ4UMuLkuGj/eMnL4foaEdsnM,iv:WRv5ed/FGlkozCKw9f83fDYTCaXYfZKlA3ZlNiuaO9Y=,tag:DAvZ6c14PpfHtMbdzrH80g==,type:comment] +#ENC[AES256_GCM,data:dZ/jzcuXlLT29Vb6U0eLmNIKO1EIwfrQoBh6kHQRkMEYouCupjA=,iv:C6azAP0KfX7OQGKasg0eq/GAhQtht8NeO9HTWicaX5E=,tag:xTXdUrImAAk4D5BWwYo2OA==,type:comment] +#ENC[AES256_GCM,data:dRVGRH3SGAdzyG+Y/wGhWq0Dx4QqVQ==,iv:KiZmQKRW0STGHhxQh233fCfnJtmuImmNYk/wU8gOxCs=,tag:scGhi/prlmwwLikf1IYKBA==,type:comment] +client_name: ENC[AES256_GCM,data:3zPrF0pB,iv:BOomPNbfc1x0KtrDWsCWfb2QUABq2FRRVi0gba1k6xE=,tag:zoVJLIYHM+VQaTwhKJ54RQ==,type:str] +client_domain: ENC[AES256_GCM,data:Cr7GhZ1o7XdR/PB4HTvpNjFm,iv:7VmHONNTWfqJFI8A2r361xZgV0ecIopcrwuFPr/tM2Q=,tag:dT+JB+ebUtwwx168dctH6Q==,type:str] +#ENC[AES256_GCM,data:nYF9G09Uzj7ivZOU/Mf/tlkid5meHz/P,iv:NTP6Rzy9Rx2ToBX60IhVf77EcJwQsCr4u/Yi+8IAiec=,tag:vxJFXANyTVKAnZTG9DzJMg==,type:comment] +authentik_domain: ENC[AES256_GCM,data:oFBo59xd15xFmN7dAocZQGYn+qTn8bM=,iv:wTXbudWvFcEa8zsgsQJIzIAdutrFlHGPdVq2LXGN2U0=,tag:7T0F3fhba/eW4L6qSODbzA==,type:str] +authentik_db_password: ENC[AES256_GCM,data:QKv114mUTyBVYzK3TQqp+7wCKizEEmnU7X+CMcMcsw/f2IR+Ob3qVEU+Eg==,iv:hiTHPIy7tosh16pesLjPl//bbNgkXcYGRS9TQ1fwlaY=,tag:fZQYu4Ctwp5zhxQC5uxlPg==,type:str] +authentik_secret_key: ENC[AES256_GCM,data:DfuHQVIPDiczdsZYqa4Wn3HxjNSzvuL5vRojGaVBgSHCKwUlFRqOcYeUwA==,iv:8DMzp9kdndphH2lbEegkQedknDYHGX/YqJQV4LmIFf0=,tag:uXPb2qdO6UcY4r2tpHB9qQ==,type:str] +#ENC[AES256_GCM,data:tUfzVHkvxXiQCUBRXyyXaVjZB1OUeMmSFS0RxgOQ4oRA4oW1fLZFOBYKq7SyeCE=,iv:lKOgWtb0ihbzxCedDKWVqsSEPA0g1fE7+jm2P5WGgRw=,tag:LKPP+3rlY91QtgCELERBfA==,type:comment] +authentik_bootstrap_password: ENC[AES256_GCM,data:21yEgNsIvkXhM8BWYaajgUw1d+NkQbQyxB3DQTAjGjvwv27g9mvT5nlmaQ==,iv:iEqeWliuHa2QSsKDgeeincsimAb/kVwoTIbXcj9vAtY=,tag:OWW7xQMbeTUSsdXuCIqBZw==,type:str] +authentik_bootstrap_token: ENC[AES256_GCM,data:wlht8BfP+N2NP+fU2NlKMQOOV0/ryWWbg6hBqBvXUYeAsUtmON7HKi+Jp4pSAA==,iv:kOuILM+Ax4YCrzFItI7z3MYXTK1G/YeCegRglhME9f4=,tag:OrmUvqPCB/8yLqk4IzgsHQ==,type:str] +authentik_bootstrap_email: ENC[AES256_GCM,data:N9Z/UuMuKyz4ARYs1HfbAbWwA0the+74,iv:JpTmfqPlq9vO9otZ3BeTk8OHLHgW2bd6hpcy8kGGlW4=,tag:MVlDKPZkX3FIkmxANvNSvg==,type:str] +#ENC[AES256_GCM,data:BQYe87BZnR8xhfWAaK7hdegjjWpwBEK6,iv:F5s3BrUOK0t0bH1VXt1GOQOEbfoKtGo/AsB52DsO+Mg=,tag:cew2DUJsdokcV7Gb+Apppg==,type:comment] +nextcloud_domain: ENC[AES256_GCM,data:eRL9eRLVkPqvr80wI4O+FklLdJaq6ItjgEjDpg==,iv:sPDZw6JA0NyVF+QuoswagPdlbIiPmxAhi8Hes80UMrA=,tag:RCE2rARy055L+16nVdYcLQ==,type:str] +nextcloud_admin_user: ENC[AES256_GCM,data:URnEwfk=,iv:DxGJh6Ja54SuKe0RktQHo+MblaUqpSjZVQ8WExTkvVQ=,tag:YQCpxxWzuQzF5phVMQBkhA==,type:str] +nextcloud_admin_password: ENC[AES256_GCM,data:Vyfr0UHAcwgCcghBetom74cVUt5BknCdFFicAo8eSrnSpmkFJNLWzWXmzQ==,iv:dsvsJabbqz7Q5v1fhInHykZmQ9A+Z8nOTvKoQYCko0c=,tag:2/P2BOppuAPf/ouYlSnu+Q==,type:str] +nextcloud_db_password: ENC[AES256_GCM,data:mhCb13Clcd7gPMi4eVHP9gBYVcoIQwt6ZrtbPYCWAscTWB9jai+Wafa3Nw==,iv:lfU8/bivrTknJhMpch6wvcIgiEVSin4LM6xwJCxMxIM=,tag:+RImMT1bWV3lHkHRj6ju1g==,type:str] +nextcloud_db_root_password: ENC[AES256_GCM,data:m44Qx3K895lKRRUH0uY/lejQpscf+dE8OjaSt0kl2cc+7zFvLSrzsnZ5HQ==,iv:OOn8Olejw/PSSklz61fGPANF1HD5UfyJRUUx1C+LN/0=,tag:6nYNfYqX9GipaKeVt313Cg==,type:str] +#ENC[AES256_GCM,data:6CaSumSa+TKM9GdSAbnIpqMHIahqsQuZJoK43Vs=,iv:EfBYYv9ua1GdVkU/+7bgWQUELtsROVBTeyUKoDr67kQ=,tag:dgWCqA9o4WJPZJolO4viUw==,type:comment] +redis_password: ENC[AES256_GCM,data:BRIEt2oU1grSkfFTEQzYvg8dK3OXrL7DdswpIU4SeTvh/7fGRS+pnJokNA==,iv:IJCFcFj2N/NHuJm4CTBnOa8YGoNNa4KrAbdRatil20k=,tag:e3SFXDpyX5uo69fisF2aRA==,type:str] +#ENC[AES256_GCM,data:C66DApdfqVNaYdrjKft+SG+hImN1AGEZvO9wIFygVQ6mqODU,iv:FLWB7Az7/As1POoMNmzOyk3vLJqDOrlM65OgOB//wnk=,tag:pBGTeOOvp7fBRMKr+hB7jw==,type:comment] +collabora_admin_password: ENC[AES256_GCM,data:mlyj/bdmwdJ6aaXQ57JqgJEWwbfdVWEVudlM0XTlBrOjYdVSXvJhiUH+qw==,iv:lJHeJ+F3mCA4B2ZdCRAZdO9foYHWJAta776lqvL5CDE=,tag:9P1RMpfIcmzb7O2wAD0iYA==,type:str] +sops: + age: + - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqbFBEd2ZCVjNMZDR5NFp1 + KzYzeDVhYUdMS1F0SzNoVXU4ZGc1bzBmMVZjCnFVRUxuUENmWWlmNVJtSjc1cDdF + QjFCVHpsTzhBUmFrSXlQamtsQ2lNRm8KLS0tIEJxRktXTitkcG9wNnJOT0N0d3Qw + YXRyZkw2ZEgrKzBQOU4rQWRjWWdZOWcKusRHznYQu8aNxA/UkA7mI96qVGN9B3Es + wf28XieHbXJ6DXrr1ZB2C4FqE2VbQsahV7ugw+mHppK1va1x0bJB/A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-18T19:25:09Z" + mac: ENC[AES256_GCM,data:aUf/1f3LRTc3009K5WW5et2A4vnkigKfG3sYDRv5Tg4gRjwvxh4cuyKNpGfzKZ2UT99gAIt6ruCRD93BKVX8rG2gzK9lM77Z6vkuY9vC5HzVOtUA9fJauIWCib/rzczsHIykcoA/xwSBhAZjQmiWe4tpbffSI+GIUtAhfxaAZ2s=,iv:JCZFBc1nfMR1XK/WBJOKfOAiqG4xVJ1VXbZifdxWUUI=,tag:DmJ9SFboiXKpSVkA235qEg==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/secrets/clients/ree.sops.yaml b/secrets/clients/ree.sops.yaml new file mode 100644 index 0000000..6c5c2f7 --- /dev/null +++ b/secrets/clients/ree.sops.yaml @@ -0,0 +1,38 @@ +#ENC[AES256_GCM,data:gIRcxOP/qg8MIiSV4WmwUbIznmR2KSka,iv:2FO2bbQdWBGdtOAZtWHsTPszAi19KNmujnE9mQpb9N4=,tag:oOzj/o3y1mIfxwWDKsVB2A==,type:comment] +#ENC[AES256_GCM,data:mnCm9JupBAPcHEvjXQktt+fsFZkfzOx3oWvlpeTBCmKn+cuXydg=,iv:MCKQ92FI193TreKAVMCqq2dGl/oufjnQyWHFoCZHZSc=,tag:/NH/6q83gxUGM2Ro+hmG4Q==,type:comment] +#ENC[AES256_GCM,data:sq5tiGyFmL9cmNk9miQAxpKpK3NI2Q==,iv:PYBW97pBri5xj05c6aDhVtdGJC3FqpsDjX3Et97sZxM=,tag:l0gxPcWHJeF6SbO0eACaGg==,type:comment] +client_name: ENC[AES256_GCM,data:iFTs,iv:iPYuRIKUNwi0Etn9XQ9T20O4rMDepUcy9gNZyusDUxY=,tag:m2Agx4o6UlIc6drkW0TI8Q==,type:str] +client_domain: ENC[AES256_GCM,data:vYs5ulzRjbqWObShWSGC,iv:IM7s2D7LG81lFszYA5rAHheWnknU9ZWGfoxYNe8i2VU=,tag:pfnioq+O8jS04dhOF4N1wA==,type:str] +#ENC[AES256_GCM,data:nH/J0Kg+BsCFQNEH3KrDemRg84Jw23r8,iv:Kh5u4cFXsaWgeiCQeQFYo2fKBFjkSkmiMHklJl3hRYA=,tag:W7OQVAgzIXIcrP+Ps1STmg==,type:comment] +authentik_domain: ENC[AES256_GCM,data:qTpXb4dNmicZpGsU8N7f5B/ieI0=,iv:LTtaNrZAbt+iyXQaJ4uJpkhe3kUhwcrF33n9/g0HTio=,tag:AyON8B2RPMbICUK9Rqc06A==,type:str] +authentik_db_password: ENC[AES256_GCM,data:kGZyqzuEu9ydvTCjeu/CW4eIBLdcB7lnJBhsSs8a2M01gF0GlcXRnHwi6Q==,iv:7k6ERzAzGhJmQZQCVoxwR0weGJq/ZLScUw/1ElBEvzE=,tag:dNfWD+hCTumZoXOvzXboXQ==,type:str] +authentik_secret_key: ENC[AES256_GCM,data:61IkssoMNXlcGmfSxGEQhdzZxTJMRVf5AL6Ouv67UYrBhzag9zoHZmEBkw==,iv:5PcjNIetF7PXfzc8MU4yJwF4SYjqARq/sU3uEbQ3dQk=,tag:SNj/CgxvpVe5KWdQc4Md8g==,type:str] +#ENC[AES256_GCM,data:sDc+3Qkq07eMjpxs5fRhKsB+2j2JMY/FI2ys/gXOGviSs/4h5RBDchD1qvgX0TE=,iv:Rh8ie43ecz2xPi5lkPa18OZI+J79IKmcaCtkGwPtDa8=,tag:dY2kgzjTOk7XkKZd4baZLw==,type:comment] +authentik_bootstrap_password: ENC[AES256_GCM,data:qVtBERKUxq9EW/wmYMg4U+cs7WWwVd+D5/2PMfvCeOX7KPgrlhtfr0AaYw==,iv:X6Ov1oZUZ91bFHtii/M03zSknYTnSDWFepbDoMzeWIQ=,tag:nXqzbdh02E2NBPXE9y8AGw==,type:str] +authentik_bootstrap_token: ENC[AES256_GCM,data:pi3AZJhKRagxYcp8JLtGt5oMmcFuj8cp0YM//9EEWz0fF/nySOgtrigl2a8ytQ==,iv:cjMjta6NGJOZgzlfvSwlsaurQ0iaczyIyYkVsYpsvhg=,tag:BltF5PfT1augEZmKmTxNYA==,type:str] +authentik_bootstrap_email: ENC[AES256_GCM,data:0BA5EbwSH9/P0D7b8R1d7VaDY6Ir,iv:mLLpINemevgjhwuTMm+e7o1mfKrb6Pv9ZQEZ65/2+4k=,tag:p2DthqoyMqBJGze7wvogCA==,type:str] +#ENC[AES256_GCM,data:ezJ7YXDbCcLDkYDc9dzji/vD5YRMD2wt,iv:MkkO4Ozv4Byrf1/yqeizpa1DC7I2iIIJTSyo0IRTR/k=,tag:tyNZ0owm/x5cXKD8i7IbUg==,type:comment] +nextcloud_domain: ENC[AES256_GCM,data:OGHapzRRctsMsUHBlzO0ykv19VqlGttmpQ==,iv:RFLEh9lBv/hwpHp98bu3ur/KNo6QXKuxiuYKKUcHU9Q=,tag:PWXAqp4Mc9JxOQ0+wfgQmw==,type:str] +nextcloud_admin_user: ENC[AES256_GCM,data:RVv10zk=,iv:Qa66fpmihV5p1qyB7W6C2IjKLCGzHLjqdEXKhSQZVGY=,tag:BkwrvymFvNSUIH5jkMhjaQ==,type:str] +nextcloud_admin_password: ENC[AES256_GCM,data:vxiueQKP8Tl6pXgSRDaGvg2Jp1BUi1I0L71e2kYFXO07bZmI7gVnYrdjpA==,iv:2cD/3kFDuWkU+C/bUuL0V/iiZwMqd5wxUdYMdM7Usu0=,tag:uWmzcCj/JkshmyOh4OntMA==,type:str] +nextcloud_db_password: ENC[AES256_GCM,data:XRdj3bJS3o/0lda5yFlxlaTg5KDbPI1fyOCmNJ4dHSIyJZ+hmaPJzDRUnA==,iv:IAifzoc157vsW3GJ2tXo26T+iG9hAq/jgeatM9sJTD0=,tag:49CcMLTYFYiMXBxkHJ8B6g==,type:str] +nextcloud_db_root_password: ENC[AES256_GCM,data:LCMpRhQ07WuJiNJ2fg9CgmqG860odDeFD1Swsf7DzI3rRGAGlqWn2VMqtg==,iv:Ob2hMfwea6tXvyKyybE2wP7OYvLV3z/3hSAS6DPhxjc=,tag:XQ8beEw4p6EgF75qaUeGIw==,type:str] +#ENC[AES256_GCM,data:ksmM7Fo7/QxVNblIW5uftrn6bKCCG2ZI0K3jaiE=,iv:3mEb4dMNCKenAszZSA2nuf678jMkuYBw0fJ3XvW/vJk=,tag:n+bBuTB+RqqYFEB9+4ISTA==,type:comment] +redis_password: ENC[AES256_GCM,data:PpU+fCCUIZCtqH5KR+s9eDRRORMIoREmpJN4ze28IaIWikbmJzPwt3I5TA==,iv:E0610SCYnDJam8poJo8qIhGSEJvv81Lt+pCq4Dz3umk=,tag:+qsUYX6NOQ9uCGl+Bml/ag==,type:str] +#ENC[AES256_GCM,data:Yas6EOkfe6rs/quv2zRCLsJvc83b0yf+LOLjYnL7r2NccrJ1,iv:nO3yFyopSAXWZnvtSq3kb5CWP7PvwDgek2/IaQM3TY4=,tag:sb0bX1yilniBCcyL7kpJAw==,type:comment] +collabora_admin_password: ENC[AES256_GCM,data:rIrBM/5mKsnGLPuGAlpXii61LciD3bgzss+lIt1XEwXolzd5zvml8tM6Yw==,iv:+cjc6kjXAZDbWiOBGGo4PX9AhXpFydJJdZTMU8MvT6E=,tag:EEdqubCkUBdy9Xh5i+E9RA==,type:str] +sops: + age: + - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoOWtPYU5TYnNvei9aZ1NM + Y25zUDQ2c3YvZnFja1RpYkxkam1ybGl3aHdVCjdrZnhPd1NEV0tHL3ZXL3BEZm8r + aFBPckgxcUtUM091NS83aU84RWViQmMKLS0tIHFOakwvb2lzTHo1Z3ZZTUg4cXBD + N0tyUmpCdFY3TjJTcWJiVEVyQ2c1TG8KXD75O122N77kGjUl0WL6dugwtRwRVsgN + GOylW/g3Kl4ePkcb/psTBijvBksA+J8RN5d/LaOJB/DXu9FgaruwYw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-21T11:11:40Z" + mac: ENC[AES256_GCM,data:Ipf7iHWpgSpaPHYRMw1n3sbWzKsvwTv+WkQhQGCnTwCfWxxgWVWM7RVND+D+ecOXf8BAxJ153ogROfhVvz5P9VRkjX+nvYb71HkEqCQLg+1HmPwNRVcGbWdqph3ocE4B42rjQfwVJjuP2x0GD1rOU0y7wA+sMxm78pRKhqToC+4=,iv:HQVooZSG+CjnbtXB7X1KOq9nrUQICw603c9fDxD0k6g=,tag:2BDv/GngqC89XeohV4PjoA==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/secrets/clients/specht.sops.yaml b/secrets/clients/specht.sops.yaml new file mode 100644 index 0000000..7c3a050 --- /dev/null +++ b/secrets/clients/specht.sops.yaml @@ -0,0 +1,38 @@ +#ENC[AES256_GCM,data:yfNUU9guJh/zf4LqdGrRtSB5cZpZLsyMIxzk,iv:bJ9Sqjche9AB2CGdHu3Z5mQwy1n+7aFWllm3fbr5xO8=,tag:Mh2KgNDjoefVsF77HAvyfg==,type:comment] +#ENC[AES256_GCM,data:EhKZmmMpBg0rA4I0ITQ6/++Mxm7ekjRKdefMyAxWUvWownuGA3U=,iv:oAtFWzW+QVcMnnQfE1bKXM1nlMSwA+JXL/LB8Es2arE=,tag:O7t8iUDS2sat0UMhDgjo8Q==,type:comment] +#ENC[AES256_GCM,data:i0/1o1cdM4HfoSZzuQpdnQICHIqISQ==,iv:tAVlGFWLNdAeKVmhW24PkTiaa9DCGddprv8N1ydz+js=,tag:uwso4BMb8xt/5smIhLvNnQ==,type:comment] +client_name: ENC[AES256_GCM,data:7LGt6kOx,iv:tmK/A+ORo2HbS50n4k1tg46c3M6UMse/8IqXP4w+xN0=,tag:VpThKw/7anBM2+eBVOahxA==,type:str] +client_domain: ENC[AES256_GCM,data:GImwXpRaS9ed33w4jLYfLn4x,iv:RjVaH0J8ksbE1q8fIrWqmWaNV05O2psyjoUle5yIXUE=,tag:dkUQEBUnxZRuYQmY3YBu+Q==,type:str] +#ENC[AES256_GCM,data:TF3jf19wRMCnkc3z9r1ir7aGUoIFSlu9,iv:5x/aNiPnC/Pgy6PQy2HJwJHUUB0PW7PVNjsgpqlIobA=,tag:eDrlKlJOuNHeeMt3E3MEKA==,type:comment] +authentik_domain: ENC[AES256_GCM,data:cJhD9W6H1wJ79YEumtBDa6/m/MSAAAM=,iv:ONSg7gzo4KK2FCWZZwOSUO6YnIaZe/7HzX3f7W6/r74=,tag:GS9tBZx7PWvpQXVWbP/Djw==,type:str] +authentik_db_password: ENC[AES256_GCM,data:zQCYMkbiRW+ln/SQNIlOBXCoLJbaIIp6xPMq2fc1xdXFcyOFT1RPQaVj5g==,iv:MQn4F0EqXsXCwpamSmjsZF69545XKgp89jzq46Am14s=,tag:dOWvSu9A/1kRbp6rERH5OQ==,type:str] +authentik_secret_key: ENC[AES256_GCM,data:9+n0VmAG/M/GTalJqO66FfREsKsj+KswbAAG+BHNtxkH0jVK/FRhq8RPqw==,iv:WLGwnq3L4tBJWwy9Vgzp52g9hBBdT5AP3+p4lxoQBkI=,tag:u18Eyd1Gky4EPUGV+JXchA==,type:str] +#ENC[AES256_GCM,data:+rK3LgVl3xCBymHyY7K9xFzfq1lt5EcIIAg5v4Tj444ahEnbFXKnPJE8uteML/w=,iv:fDFPTtCtFG+UD/gvFJYCCC79FfZ2cWUT8poaGXGnh6Y=,tag:VhHitpPxfMXQcFF9VZp9ng==,type:comment] +authentik_bootstrap_password: ENC[AES256_GCM,data:w5/V9qXHVhSB5TCLSJoCg5KffqoI5lH89jrHDddOWzWwa47cUYHSQJJa0Q==,iv:b3Hn6ap8iVkh5RH9WjENvkPNyuiV1AK+Y9BAomIkoa4=,tag:p2xwubn3bTYJaa7oyrmLRQ==,type:str] +authentik_bootstrap_token: ENC[AES256_GCM,data:zAgkAnfG2ImKpse/kLB5iEu5wUb3Bvx4vTg43hX/G1SXX3NLzrJFQL2BX5v6oQ==,iv:yO0j/CGUS9Y6zcUNtGC8fK9RFeWTGRFDnRtm3SBPwkM=,tag:1gEd0N+d426eTqdPTD2D7Q==,type:str] +authentik_bootstrap_email: ENC[AES256_GCM,data:ICmbTdh0B3x3wNJJg8pArmU1NlxfZzm3,iv:KfQSIxkp4w0DJK1LecSl1hWHzylu+A+E4lYRxwC65os=,tag:+BlTf3FlEeU5U3o/FX4P/g==,type:str] +#ENC[AES256_GCM,data:IW+obg/eKos2YxkvK/HMtnqC7LKrUWDX,iv:4wCDyj6KF6+tn6+DFz3muduSNxaHm78eO62F0AhZZ60=,tag:R3OumyZ3USxLh2MONH801A==,type:comment] +nextcloud_domain: ENC[AES256_GCM,data:aBGUCiicsnBAN/7OtRc0C8tXwkpfb+7R5sj8uA==,iv:rWI9uhy6CFp/Noqj8EXAx5yEIilOpnsGUTEK8JvBz7E=,tag:hTanLu9fp8NlrcRxbbFwzg==,type:str] +nextcloud_admin_user: ENC[AES256_GCM,data:4t+WgPo=,iv:H1IhMrN77ZcjzlqNDuVZ63yBlkjodSSu9Hwi1ZifRJk=,tag:y0M6PGWubZsfd2SHbY7KPg==,type:str] +nextcloud_admin_password: ENC[AES256_GCM,data:1LJZ5CsgzqYT+G0h2Cu3a8DCe356F3DIUV5JjjWPOVYaT4oJBF7J5Oeu3Q==,iv:kSV+nBwHuceFgNVulLNuVDOCVenUzTvarDGeGK4ytuA=,tag:um5H6op+iALOV1+rVPFWHQ==,type:str] +nextcloud_db_password: ENC[AES256_GCM,data:e1d5g7F3QPG0BlrKn0AFZ/NSp2Z8SQMMgh2gFKM2jNqrHwm/zDcaYrco+g==,iv:eFZ0+Ov9L7Gcs7L9NTdi1DL0QivnDPkXJPORDhpHXpA=,tag:8jTISi03Q3AjDGAHQgPs6Q==,type:str] +nextcloud_db_root_password: ENC[AES256_GCM,data:XEQgU00hWtnx8ep+qrEV9f1pNgFRz0B6efXQUyjsEni4MNlRqGKAA5OjOg==,iv:BEIuj5KdLMRj8T3nVALgT6KKhziwgh4nysuD2deBpuM=,tag:b/xQkzgKOxRSi/BZIHoLHQ==,type:str] +#ENC[AES256_GCM,data:pvjfJfG28QhQsvlxJxLblcd3Ll81M83Zpzqka+g=,iv:hmeLvxKeLDYiv/Xaf9AsrqzXBS/RBTArkCtvQKzmFl8=,tag:ijHSgmcDcNlF/MYGix2zAQ==,type:comment] +redis_password: ENC[AES256_GCM,data:tZuCECj3T0E3zoqixHUsxdln3BRAxXlo4GAWihM7KZXGeWJ3glU/jAuFEA==,iv:zrZZ5g+CS7eFDIhd0+h5k9DGQzAopx5QOsI6tVSpOJo=,tag:7853sKzHvvN2H+rnqBEzpg==,type:str] +#ENC[AES256_GCM,data:HI1jEKCKuYWgsxap5TW05q7wbnfMvdetgokhr77maHrQRf1z,iv:JpBwK0vaUpS8GxqdsX1fJyYVvtw2Us0tvImWYp2M084=,tag:5UcerSe9nRRKUA7FDKNo0A==,type:comment] +collabora_admin_password: ENC[AES256_GCM,data:7aLfKiQf9wOSG4UHmTwysPqro5jm1bY3tQaSa7i1BpibbDrv7OKlGBBqsg==,iv:ImalKNXzZE4OQC8LrAGlu+myzfLw76G0JDWf5zxhB1c=,tag:EraNIQNbl5f8DWScXBhgLA==,type:str] +sops: + age: + - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIWGVPRVZwbkIzK3FlRXdO + cFZncVBGRTVnOGtDV3hFdm1HVEg4YzdLS1FnCmY1VVhRK1R5V0s1TG9VRk9uZGFt + VFo0TmY2QWxBQzc1Z1NaNllDY2JrdDgKLS0tIFAxeGxEMmd3K3psK0dWRzFVZ3RN + VkZqYWxGdUVLUEFWREY0Q0tWM1M1dEUK7KMmTAQXTG9qgbt9pWjUDRL3hshMRU1x + sgGtQUDmSmVCq/IPKW59g7ccHjGzjgxC9pVzHvTTg4Iz5JgY0carig== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-20T18:45:10Z" + mac: ENC[AES256_GCM,data:01NJofx7BUaXZCajoWs298HZEjJft48vkzDlZ2H/LuSAq7DGvakJhd6YGN9WGX7fkPukCGmsw9rlIauZwvjeE+FRd7BokeKJlrUZgqgmzLI2kA5eaS+hClZuKaQdzois+zx4g9Mjtu9WpBlWz6/bYL5iA0xG+xpdgXXrKFiVIFY=,iv:G2XKel9G/lnpL1yqsTT/P/FcKKPfsfNk0rS7Pr71n8w=,tag:ooFZ92XZdMmbfz5Q4Fs9Lw==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/secrets/clients/uil.sops.yaml b/secrets/clients/uil.sops.yaml new file mode 100644 index 0000000..58b89bc --- /dev/null +++ b/secrets/clients/uil.sops.yaml @@ -0,0 +1,38 @@ +#ENC[AES256_GCM,data:aIS/uQvfOiJ1pUuPer9qRQjggq8ZjEk9,iv:TBR9WbgvQgw9ERpnmQuIkhAyVTQZ8NABs5YaxD8KvZs=,tag:DFd/j8ZMzCHt6EvMbxVZ/Q==,type:comment] +#ENC[AES256_GCM,data:mTI1k+swvBYRx6qN2z5rwxHAxVOCdJxHm/o9TcBDej08mONlLi4=,iv:uY/dmgLaZEcZdzUiNe/y8sa35Qkqbt0iptpi7MGIMQY=,tag:ybdNuVlTSc1kCA8qxmOnuQ==,type:comment] +#ENC[AES256_GCM,data:uhpDxNUwH8HqvN8e9wf+QFYVGZ3EaA==,iv:Sx1aTvMKHEKzlcWO5jT8htjFloDteBVPnaov7+dQmD8=,tag:NxNZrOvJYtLVEeTFgyjX/A==,type:comment] +client_name: ENC[AES256_GCM,data:SP5V,iv:A7ghCYqbAupSF0VDQ/SXKlPrnk8yzQqKvSdvBZzHyn0=,tag:Ljs49J7GuSStPoGs0xSk3g==,type:str] +client_domain: ENC[AES256_GCM,data:rPUIOAv8XnUrF/8M5LHM,iv:gEIxCJo3jji3bH+9JBi0CJPhCGEMPG/lTr4wp5TBWhY=,tag:/xx02ZX32wa8HTFqw7WVxg==,type:str] +#ENC[AES256_GCM,data:8JSPPlRnTFLhY0cZ/agat0XYeyycrk61,iv:amCrQ7D3H8Dyl6sZmLjFsZbfagxpcz5Z9aFvEKba1sE=,tag:CSMX3zbM3sAzkDzIIKz0TQ==,type:comment] +authentik_domain: ENC[AES256_GCM,data:HTLCzAuXr7cRh2hbgF8duh5ayYw=,iv:4jl9drpkK3KGVq9ezvdtyAkOk+9kpLuughtLiyeskgs=,tag:iU0dQdwnbi5+Y3+OPm2Jlg==,type:str] +authentik_db_password: ENC[AES256_GCM,data:XGGOiJSw/GRQXig+/mxIrpBjF0ZGEMIQ5APl1KxQ/KzxwmjF68E5XbXvjA==,iv:WtfhFP/zYQ8FJcFeISuNMVABCGJts9krmH/ycodvAGY=,tag:ka9hwaHzpKanC3q6TfXaPg==,type:str] +authentik_secret_key: ENC[AES256_GCM,data:y35EQNMKW4/8JL54et6y0WZ8FKAgp0VWflsR6UV+j2SlCrvXFnRgQG8QyQ==,iv:TZwNiZ9Excgk89XPuig30dbuOKu2CHT0CyFKLPrfEfI=,tag:NmWN2LSsPf7tPnuhVdH82Q==,type:str] +#ENC[AES256_GCM,data:LgTHbIXSN/afDn9wSO30d/aIBy8b2DvyxYX+OpDt7uAV6d66O90jCGx/H7uo+AQ=,iv:1Jc/rzIbQnYep7ro1GMKnau56xHdZx0ZxMthwisFYtE=,tag:8C8D1zzy5lZ5AQe0V8Fn4g==,type:comment] +authentik_bootstrap_password: ENC[AES256_GCM,data:WnE/dn2xHwxFe2CbQmy0WC6xz/Q5UpkWW8m+a/dVi5h6O6tGfW32EmECBg==,iv:rw0XCc0N03TRkrR7DbHPjRiG2o6tkd069sJGrozU2Yc=,tag:QFmKEzJBGbXUewCLUnlXfw==,type:str] +authentik_bootstrap_token: ENC[AES256_GCM,data:a+uoCFgICssuPKQJFoGO+emJCvVwacIKW3emysbNni7o4uIGVn98yMb+HYjt2w==,iv:zLe1hiM7zhVXwSFx2znO9WjmokRLfluPCD/UdB6oRGc=,tag:zuWocn/zAW3/VALE381Cdw==,type:str] +authentik_bootstrap_email: ENC[AES256_GCM,data:R9kP7F4pPkSuBzJ+LsnWKDPwyg0t,iv:z6midY2wjfmBomDnjLJFFfiKySTdEvHE2Q+r+2Wi83M=,tag:lJ7kP8XhHprCftYqDiHuHA==,type:str] +#ENC[AES256_GCM,data:1MjHrZivYjxKpxn61BHLyB3xSfivQX4L,iv:dBh7oc8U6esyi2LBNWY9ss2HuoHJpDu82Y1wJc/ex/4=,tag:E/H1sih2b284lgFxur5zbQ==,type:comment] +nextcloud_domain: ENC[AES256_GCM,data:IYjDmAom25nyV5DeNifZKLdRPdPVpLaS6A==,iv:y5Q/qtqHCoLld4Q32mTIPP3JHQHPgJdOcA2urBVSjZo=,tag:2XUnipCDAIkSUVLBUydxig==,type:str] +nextcloud_admin_user: ENC[AES256_GCM,data:VKNEOCs=,iv:rd2De98bIx7uIpIXr/RSCP71Kj7xlbIdaM5CL+qbHik=,tag:Kq2BD+0oJbFti6Wc9C5BCQ==,type:str] +nextcloud_admin_password: ENC[AES256_GCM,data:dt3fpOlwn0WHxx9TCuWX1WK31VJeqCW+K69xVZ8SFNNgiQPEIzsk3A8Kww==,iv:w82gtKGyLDQPrydQo5xOKa6AsLYyG6iFStyXyKcmbNc=,tag:ci5MnasJYU+SgbcWOeTdgQ==,type:str] +nextcloud_db_password: ENC[AES256_GCM,data:OXmim7k3E6M+T9Z+teFJPjvRn6fg8BtSeWKTHOsxmBfsiBOsz7VglVyjJw==,iv:/srFcTbjlx/ZaY5XVKxhz3T8ji+MXNmcX67SFmG0WEU=,tag:/Ohc6pzNpYQF1lBpoK2KAQ==,type:str] +nextcloud_db_root_password: ENC[AES256_GCM,data:contgx7/DtqsXpkUo3Xa+1OjbPZkrorKM43ws5XFphte3/wIpfihqPJX5Q==,iv:vcm5KllCto5EldfwNA7HTuDUhwNjs6Q2+DgFp7NkR7M=,tag:8ncnZeR/knFR+1d7s8cUjg==,type:str] +#ENC[AES256_GCM,data:aYbteuod8ZITWjAF6pEpGYNfDlz+RfDITn0sWuY=,iv:DQfCWGkmpVQgHBu6luSRhJNOqFQxCQiOI7cAvFP+8xA=,tag:f+YkqCeBYGdbgmUW4hLOUQ==,type:comment] +redis_password: ENC[AES256_GCM,data:5IpSxmVIktvHboth7UMlaukibZ/GHibNO106TjTqwOjfBH5MBhrbG5h8sg==,iv:zFuIdKFPDJlZRfmKB09cTx1A6e4p9vNAmFOoQRGSwx4=,tag:6Riu4Us4gCuGI4FA7ht5jw==,type:str] +#ENC[AES256_GCM,data:+4PS5fjQRjw2L0JB6WpwmHXDDOUKo8xmy9v5r5ez5Bx2jZUE,iv:W0Oj7k1h2fj0+HnGcvLKq+qhKeEiN2jUUO8kaq8YuXs=,tag:hcu2QnexLU9esa9uwDo+Pw==,type:comment] +collabora_admin_password: ENC[AES256_GCM,data:FGi/ZA+E4ZbODB1jD+Vj5SegQD73bqmTgKi53MXV2tmmQMW0dETE/DrYsA==,iv:9kVU+qQT2cmkiqVi458leNly5X8AHGwjfViFtOtvkX4=,tag:JzpDO0ORO0NVpgz7zaaXrw==,type:str] +sops: + age: + - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBteGJtRy9UR3MxTjNzMjAx + aVFjZURNUkhlRkFDRTc3RHNnM0cwY2NmRGtRCkhvbm9kT0UxdmJPSldMS1dscXI4 + Ymhpdlo4S25yWmpVc2RiSExkcjRVYWsKLS0tIEUzWnZqTkRidm5ia3JpaHVlbmRF + MzZ4OENaazhBME50ZjdZWEFhSEhuNU0KSWxQZmSVFM55ji8TvzOepMCkNmsXonGZ + k7Y7+Ih2KAZqcT0ieTE6YEe05H6uE+LdaftMW2wEVsOZ2wjFaT8OUA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-20T19:57:06Z" + mac: ENC[AES256_GCM,data:XBtXjJM69CpGSjyCHnerLkxpfLOsifGAuUv38Leuli2/E7D9pWLomjMrhraRpyFuoPtqZdGbnFNm8Be3trMw0MmVk9uzzihwdVvKVTUucSygb2sRbkGFkl4Qqszja9Lx9wblDalbrmjKLWPQJ34QJVlba1nQns3Y3vJUX+e8Cjc=,iv:XFFp5cOTwvisVEAfS6Q538Jda4UJKzkHAbNHia7/Xy4=,tag:G+91bclflLIWToui7YMvgQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/secrets/clients/valk.sops.yaml b/secrets/clients/valk.sops.yaml new file mode 100644 index 0000000..84d9f08 --- /dev/null +++ b/secrets/clients/valk.sops.yaml @@ -0,0 +1,38 @@ +#ENC[AES256_GCM,data:ctaMv8OIHMLCU5j+G5V3F5xgLKOvhfc8Ug==,iv:TR4wnQ5gpLP0SZnQNIeS9fKeiyserHYCF+yp7IIgTP0=,tag:CQI5ap5b/YIaOysRN14Jxw==,type:comment] +#ENC[AES256_GCM,data:UCU6+XlbzC8We6nZeW0xNIW+L1z6dMagNqWQCeTTR2AG2CHIolg=,iv:b05l4X34Tm5Ev9JXHYCmXARfR/dOzy+lRh74LK+L8Ks=,tag:W3pkQhlD/YP+AYbXXDX/ig==,type:comment] +#ENC[AES256_GCM,data:pBDl74SnuiQlDRI/KNNMWMUJaFm4rg==,iv:+pziL+Om3+bSdOlFD7M89zBgpn/i9PutHOlWqGpXaDM=,tag:2MipxkvrtoX7FYjI0PjCdQ==,type:comment] +client_name: ENC[AES256_GCM,data:Fz5vgg==,iv:BsrNtdLTEXLkSXc0+PVeeQ4SCF7eKlF68XNlaMPtqJE=,tag:/kqw7DtQ2aVy0joAfDRRCQ==,type:str] +client_domain: ENC[AES256_GCM,data:fIrfaOb3Mf+5DqKoBEgBpw==,iv:XE4O0SyardgdtMWbkHOtMNgZ1rAKnCKVSswmMmACyNU=,tag:HjAfuLZI/Js801eJ47UIRg==,type:str] +#ENC[AES256_GCM,data:2kKajhbBS00eZe4HBlMc3HUF/Wveab9u,iv:RaRi8O8gfn5jlmNynfrxYICgsOBFVG+V0dqaSF4udOc=,tag:yqQ0ZMpito7UBvm+PJ/dxw==,type:comment] +authentik_domain: ENC[AES256_GCM,data:jaVgyFT/H+c/H0pOxCcOsfb8lGxw,iv:PHomA4L6r/1z7oY6Qn0OTqhzegd7JJC8RYf+B4zMcN4=,tag:ZOYSTcGkO3xE9mP1U2BaVw==,type:str] +authentik_db_password: ENC[AES256_GCM,data:nxTnYT028qadNScwjijxuBAvP44PsXc9SJaMjM1WwfrqXt7/DDftadVrSQ==,iv:DAdwFZ3Q1lTLmbciN3VX0p2zXq4+dORColJWXJ1HuH8=,tag:jfpyU/XuSpomQnjqDvLquA==,type:str] +authentik_secret_key: ENC[AES256_GCM,data:WST/7Ujv33URBy9VMvolqRwz33RcIuD4QxGT62uPjBRr6h0nI4ahtD8htA==,iv:Gi3rjVIqemkT/ITYkxC33JvfvVX5SFYQ5U+Rr3+HlxM=,tag:PlMMJ7g7fYhG85hm6zUScg==,type:str] +#ENC[AES256_GCM,data:xAaEFhScafyci3tP/EV5Zjl/zbasVITvV0DrNDX2ZtXB7a13PFzKWFIsGh88iCU=,iv:2+vamLWnFZHBQ2PW8/HQW6Dklrb8xWkd8oZczX3Kp8A=,tag:oiOZc+3iK/h7vlyCbiRtcA==,type:comment] +authentik_bootstrap_password: ENC[AES256_GCM,data:IUlXIwhoQvlRnn8keYYUddnPavZsvmk5AqNkyR8c3O52+5omEeutZLQ7sg==,iv:vXKiJZeaXP9i5CIP0ymDEhAwwRLMk18r3oM/JnhemnU=,tag:vVIWoB+woXeOAeWcq+bZtw==,type:str] +authentik_bootstrap_token: ENC[AES256_GCM,data:/jjShYMON1S9I6kxNJhb/XAyn6PJoUS6oI7tdSPjA7CuH13X9ffx+w33p6Q4Kw==,iv:7jzUOEWSHy2nU9gSnhKlZwZRT6jF2pXau4aVV/9J0UU=,tag:68rWsUL4skab85BefPKseg==,type:str] +authentik_bootstrap_email: ENC[AES256_GCM,data:GJipLh2OzDaux7OyhKQgAuaPM7L+pA==,iv:NTnulTaFvqU4tyy2y1YV8Sh0D2mS9HGTVBaqvbMLBKc=,tag:9eAJORhYXQoIjJa/xIHvzw==,type:str] +#ENC[AES256_GCM,data:CbNmNpHunmOKStzY06My8x4fuEyNl+GI,iv:t2utqHryCaa4PwvKSlGwQnD/Hj+RDeHxd9GgF1SuOuI=,tag:jYDNoyd70xWXnJJ4v3IRDw==,type:comment] +nextcloud_domain: ENC[AES256_GCM,data:WJ9S+9n7grhX0RSE0HyG10qtHZjKp9Cm1sg=,iv:R2WW+bOYys60aD4Kl7jMT2jIdofSos7YrLjOgiv/4uw=,tag:o++NQPKdYdjf3HYDouyn+Q==,type:str] +nextcloud_admin_user: ENC[AES256_GCM,data:L/kkIRw=,iv:A83rGPhtp/qeNKERxUnhq4nkfXAS9cQuhviUU8lrtEc=,tag:XO9trjEr/pBU9yJsSVmlLQ==,type:str] +nextcloud_admin_password: ENC[AES256_GCM,data:I1xvJ4ZhZuh0QzDZGWDXvF08yRcmJnII9dG9Y7kkHwjeiNXkCDGLxG1asA==,iv:jLTzg2VdJNUAuFbW+Ss+W/NmYG85E/2EFKhQflW3p0o=,tag:DncWEiTS8oGpGkXYQEw1Zw==,type:str] +nextcloud_db_password: ENC[AES256_GCM,data:z0okVTDnFxX4qNyJHRq0/4kDHCj0ZzPU/BoB9kFd0WxY+jr+h35MfR4FGw==,iv:70UReQQ9oMTlv01FsTagiy6XlKf4CaFeyaFNNTNKXsk=,tag:4N/i0+LdA2vGy5pBKIjo6w==,type:str] +nextcloud_db_root_password: ENC[AES256_GCM,data:Q5fqrc2iBClAKOYHiAlAZ0BsfzqJSO2Bz1oou41ypEGUZaorwoZ+wK5Geg==,iv:dNiHhl/WWsPwChBerIaH/yOnfKqkLwEK8ryDE0yESHs=,tag:D9zVqLpk6iLoOSn7rbdUgw==,type:str] +#ENC[AES256_GCM,data:XCt5Oe2WMK4lgtPb5VhPOfRMYN1sXLIrxZt+DD8=,iv:eFZGEA/ATyABVH4rgeL3MvH6pCtWXNCx0Vl37nIy1nw=,tag:NGcGtHE6eF4pZ18BL9Q9og==,type:comment] +redis_password: ENC[AES256_GCM,data:zSAgrY+4wCQ2qaIyu9f+wXxRovD6L9155gsAywlQBQIMrXJvfLIL5nipZw==,iv:k6jQU0TkuX0cfFNC+1Il2c+T41+X9joQGcSyPCIFs8Y=,tag:UhYBc+Y0BHay1Nx/XUG/Eg==,type:str] +#ENC[AES256_GCM,data:4g65bXzewEhFu/AULV0n0liscrk0uuAlLCb9DAa9AdjbzlY9,iv:mAWIWh36RDL0HBDTsWpDErDQD4poFPVc0UoPGr9hcdk=,tag:xHjpCvm94RCyMolq0BUQtg==,type:comment] +collabora_admin_password: ENC[AES256_GCM,data:kEXWAXwlzDUhLSOHfftSsgy8Tp1qxboi0OhFP+xpYYCOulPmF8/y9PFlTA==,iv:s5Pbfa+zgnp+GzlbvNWbYG9hvLogNXpnVEYupFLJ9Rk=,tag:odQjPoDrElTx5PaPMO8D6Q==,type:str] +sops: + age: + - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIbzEvdE9KVUlWYitnMlZC + bVNPMHV3NmR0VEIydmM5UHVuWHFwc2pkUUFjClROT0E0MjBjUmxWMnBoRHFtUHlQ + OTZOeHg5bXc3c0IwWWRtOWJTdWlUZXcKLS0tIEF5UENBTm9xaWlqVzNBWDlEMnpE + N0xvZG9JOGZzdHpKOGcrSDlJYzBVaFUK75rT9dmmKOjZYDdEfc7+QXLL2GMYgjoB + I1j0EGUhhScpktXnHcWB35cgTFyFvKKDc0Jdjo3JgzxkfVKzp++dRg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-20T13:11:27Z" + mac: ENC[AES256_GCM,data:uBqOnX+8CwpSMjGrIYQ/JnieZ7kKFhPtD8W2SWQhl9fSp1lylJb4c4V8UanX9pcgjelFwU2aw2RUwcOUUC1AkhzkV8OHN+Id1Sc1PV6eJzVsyHetuax6snSpgnzJDsZApiQ2ephyv4KlqxTgm5n77b8S+CdTeE8kHFxWCbANKy4=,iv:dz/HU119lValHmoq4GXC5E/NmsgOehNmDFRaDmc9uHE=,tag:2mqbs72ZIXe2f7drs6fYLw==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/secrets/clients/vos.sops.yaml b/secrets/clients/vos.sops.yaml new file mode 100644 index 0000000..64e89ec --- /dev/null +++ b/secrets/clients/vos.sops.yaml @@ -0,0 +1,38 @@ +#ENC[AES256_GCM,data:cFXXRzZN0YJo3753ddtm6Vmwd7dohnNB,iv:5wcry5rmrnt6T/XvWyur+9OjtldCG5Uh2TzsrkCrrUw=,tag:hCJyYykGD022Ma8Tgg5DEQ==,type:comment] +#ENC[AES256_GCM,data:tYAvFjb9UaNfUHna2TUSbToTWoCWeSMqRsOg/BKVXsYGXHsw26c=,iv:/Zq4X+tLG5JUW0lKKgKGG8LGIZyUm41qNBt0z+rlLkM=,tag:xp6hu1SP5XcvywbBiSUNBA==,type:comment] +#ENC[AES256_GCM,data:C9PD0hxLSYziPKFtMF0iPBwKmRvRaA==,iv:SXZM73Ji58Elofp3VZaQn8M4UtJwP/tKWwIrz7gC9d0=,tag:jmi/H++J8k1Ye+MoiaZiIg==,type:comment] +client_name: ENC[AES256_GCM,data:J2hy,iv:4NLXMybg9pLYE0FdmY2rA95HHqp0hQpzTKQamVU/iGI=,tag:zvWyNEYWLawkofC/6LkwLQ==,type:str] +client_domain: ENC[AES256_GCM,data:llq6A/+Ec2U+wfNlIbwo,iv:c3Adz8n/zZyRjI5hvfvna03O9jows90nLIUachXlYRg=,tag:rTVpYHnfcJ3KVbXhhjZ0lg==,type:str] +#ENC[AES256_GCM,data:UdcsUJJ6sp6mgH/jKLpOMYzGbFT98Iup,iv:AB5gxNZA9XZMXMb4xIdgIuYtrP8ofHe2LS/9XLtR/Ns=,tag:N7AAMIQSC0R5vUaA57eJWg==,type:comment] +authentik_domain: ENC[AES256_GCM,data:ZY6Da25kkibJknyKWZ8ZdxAwWKM=,iv:s8eHMs03B9vaJVCAdwmjxI0QVCAu6i+T+EhjfrNnzSk=,tag:dn69p7W+8vSiZjQLWgV1bg==,type:str] +authentik_db_password: ENC[AES256_GCM,data:pwmuizt3MYFA73LBJt1Wbdf+HP9EFf0aEtn50Dlq2JSFOiZ8Qv9nVqxwCw==,iv:CyrBEcwmzEl8e+YuA+mn0APr92vmOB98/26lA0/IHcw=,tag:3GkNlrId9oO6BqZfOvwqrg==,type:str] +authentik_secret_key: ENC[AES256_GCM,data:Yx4GJ/hxR0gmCWJ81gocm16bJ0/fXjAvohTFiDgEa7jvC1ljdyMoQqLrhA==,iv:B+OX3CRwnrLwJyz5aiavAyPtJ16E6q6yxEd799SMd2A=,tag:9uz6r4GIkzenhKNR3FQErg==,type:str] +#ENC[AES256_GCM,data:B0WMvhOYmRksSGi1OepBzSB4mqtMLMlct8Vyvw8qRBCPEfpEt2W5VCZiH+jeZMM=,iv:gkAPY6y/3elb9sy9mRDSHrmTheUzpJyX1rmoiPxewMo=,tag:VYQLsobXMAJEW0gXIXkhXg==,type:comment] +authentik_bootstrap_password: ENC[AES256_GCM,data:coX1Hnrc+F+3T3Sy1B51KHP4k4SMW3ZkgZf1SpNtZ+dIc15Q71zot37oMw==,iv:3JM+zkLPw/6KAF6tc7i4m56DceoEdARNHUr6yC/WENk=,tag:t+MDE/MMQaW4NO9QR5OQiA==,type:str] +authentik_bootstrap_token: ENC[AES256_GCM,data:fhu1YN6m/uEzfG3o7BOKsT9VTaBtCeKuyNuXM0PeSoHyU6k0qNuSYw/6WR5d0g==,iv:xCYycjjcHP3twPXl4XhKW1bHTCXPftequJVKCFsCiKA=,tag:aZO2Z6vE5sk/gEHzgCUlbQ==,type:str] +authentik_bootstrap_email: ENC[AES256_GCM,data:pg62YN9Cxonx2CKqIW5NcGg0KBeY,iv:cjJEvktvIxK3/JWIag6bjvwRrjNhDPdyNiPVeX3VSBM=,tag:XVi1D580alFObJ6BFV9RPQ==,type:str] +#ENC[AES256_GCM,data:8UpgvcLkQVNgswP5iWwXcQcW9HwZu2Z3,iv:12Cw/oFng9axBRbIRFaM42GD/A1P6AclpTgIBPzcl/Y=,tag:en697guyZFldZksLUJIJHA==,type:comment] +nextcloud_domain: ENC[AES256_GCM,data:Qa19+SbFFhsoDNIYU/ACbjDRRNgy+6FOVQ==,iv:Q1HNTN5ZH3ONVutQOd/hyD6atygWQHuY5/koBBLOXuc=,tag:YunsxVm/xzzyQ5rx7Txzdw==,type:str] +nextcloud_admin_user: ENC[AES256_GCM,data:VPYQtRs=,iv:YispewRIBRrK6YhcZaHZTwFdhxKttSH3DAK+hgN2A6s=,tag:ixvRfNGyp4Y9cSQGzFn46g==,type:str] +nextcloud_admin_password: ENC[AES256_GCM,data:ODbwiXHjY0hmsXntw5vJij+nbRermqzpa6JpGnWj/UoVKAUQ4du775B6lw==,iv:ekg7/uatEVVeNHKhHOO7oHyEcCNUFKlq6rI/McS4p2Q=,tag:x9K7k/p26OFlsviAz4ry7Q==,type:str] +nextcloud_db_password: ENC[AES256_GCM,data:eJ1F04RtCyvUiQCvTieO4vw2z9NfOM6xu1S+0PgiYiWlXs64dQTApmUffw==,iv:Zyd34+tO/fTxGvh3KSooJnRdRjiphWpEvq1rKbFWX9g=,tag:Cg1sAq4MEkdsmdPnVjtmdg==,type:str] +nextcloud_db_root_password: ENC[AES256_GCM,data:z8pwAs1zAiXMzRhPLBKN3A7+f3gjUE/r81RibYHjURW19a1wojCDRTWzsA==,iv:cTSBi/GQfdNelrMdx9Kk/1fHw6hAYkbHwr7d+RxeP6g=,tag:P0gEvkLPD2dgsQ4WeChIoQ==,type:str] +#ENC[AES256_GCM,data:bYmqsHYv0hR6QiitGEvco8hdJucVswww4k99bzM=,iv:v4wc2jKZX2AkBGtrJt+U/qO4se6ofywEtMaK31KoolI=,tag:bD+m6Zq6+tMzdsT2F2hUNQ==,type:comment] +redis_password: ENC[AES256_GCM,data:5Z0VjXCe3xuj+e3BJYF8CbTtIhzmR9xg8KzH8ex5YgBdCybeaOnChHTZDA==,iv:L32kh4eRibIwfXVUKKSGrDp3pRU1SqTijdCPptE1zdo=,tag:lih8faQbuU+s0vRlDr0Jvg==,type:str] +#ENC[AES256_GCM,data:wqtWuZbTZK8R2J6ZwpjtTm9t6qS94CXs6jaeCsKRE4xZHYyH,iv:fqmSzKH6FZExCTXcAeUI3Tm6bGi4YIHTPf4xudiXQkc=,tag:M/2xo3pg0H88qH/1KrdOGA==,type:comment] +collabora_admin_password: ENC[AES256_GCM,data:5qyQ6XynQuq+v5u8FPXf06BsktISFYU8KNiXFmzQDJVmFFVDXkvzDGV4Ww==,iv:UJoESZc44w86WXmBjBn7H/s4hIIyH82uxVglzyS2QaE=,tag:uGxoDrQm4Svoa16qcb36FA==,type:str] +sops: + age: + - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvMVZLbGMrU0tQYXlDWGVl + QTRCK24xeUVBSDdCbngzVnBZWDRwNHM4dlRFCnJGWHZVdVhvaDNsK2RnbWllSE83 + QkZiQ1JNZDdTN01CdkptSEVQZXp3cDgKLS0tIHJYZHJDNE1RM2tMUkNNQzZkM0d4 + NlRmUTJqeTZ1WXh3YjlpdjNtUUh1SE0KJiBOBEpS9fCSKfVCBm67SEKXXdB28MYR + muE/oTBKiF29OvrqcqnLadYcUOH25E3x8OhAdUmrTBWXjvx7dpU9Vg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-20T20:37:31Z" + mac: ENC[AES256_GCM,data:9HyYYcQ3TqiI/CH156jGSmby1edRy92Jj2Uq6aLzAP9hpX7SIo5GGN2wnxg4s2+r+W5lNSnq1EC2UZU9fwwr+y1qGu9ObwCAuQ/W88/Jb2hyXcgvpaIhnhH7DmVVV43gMjaypWgBe511lK7lI/C4Tn4nlYf3ui4denK6HYzUCX8=,iv:mtIiYTSA9DjEwfEfLYznmMJ+1wugx2UmcVuwOtQ2XLk=,tag:6R+u0GVGbm0T0bt9TqVo6A==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/secrets/clients/white.sops.yaml b/secrets/clients/white.sops.yaml new file mode 100644 index 0000000..7ea30e0 --- /dev/null +++ b/secrets/clients/white.sops.yaml @@ -0,0 +1,38 @@ +#ENC[AES256_GCM,data:i4EtCJJ9LDXVp5+pwbFqCxKk5sATX9xgYWE=,iv:75UxTUorjqd5pTD/ouZG8Y8ynpVLgDi6gLJYwSISh1k=,tag:Rrg9UuduWx6GbyTBHfcA6w==,type:comment] +#ENC[AES256_GCM,data:9rMEAZ2cpwdGWvwuOg4wOLxiRjczA7+a5MM3o0I1EYMu+tCCliU=,iv:zgTWSeYw1dAuX+rENcds3k20anccXztVmIigs+wxDGA=,tag:RDiJ5iP5RYqk+885+d/lbQ==,type:comment] +#ENC[AES256_GCM,data:eoRGcjK6M00IDrPJ+QnlmGZGO0QDgw==,iv:75Z9MridJallLerHR+/bT1OkIDkwu31oCvKnVOumvnw=,tag:2jQ3PR1cM7PO20l1VZWQhw==,type:comment] +client_name: ENC[AES256_GCM,data:F5GLzcE=,iv:zN0y2yUTADfCbEcBlWKaWtSljyp96i24Yt78rS3GpF4=,tag:9rqZQFnsOQsdDkeY4HrAJQ==,type:str] +client_domain: ENC[AES256_GCM,data:oKKwC+CdXROiuxzdToQX2Ms=,iv:fTtqRfFbeQ00lACBcuxfBuXTjY0NgYAuP1brIQjtDqc=,tag:VcZWP4qfFYY0Nl/sqQd+CA==,type:str] +#ENC[AES256_GCM,data:W4qJvSl58xpFcgbB5/ZTL627vLIqxYnZ,iv:a8ILcV80NIh7rgqZWKsCWu3sjt41I6e37fz7T/fWWj8=,tag:wAGIu961MRc8H0fzCAcqrQ==,type:comment] +authentik_domain: ENC[AES256_GCM,data:F6oeCx/wbMPXG8AJq7bKF+mSq6hBoA==,iv:vG34k0jpH5I8e2k3ERWjTiC5+G2ilemodS1EZ9QBzjI=,tag:hO3iJ/YJ7MlirqWcG5vUEQ==,type:str] +authentik_db_password: ENC[AES256_GCM,data:2ftX7AoL6LANYH4SqpLuvcvv5lFrkobzlbuzRJBzJ2fsA1Kq3KhLXXSPVQ==,iv:FL5+imjl1pnzl+YIR2D6kb/OhrSdnyVxQ+uyxEuL8Bo=,tag:Ggu+MpjiLdLY7m3NYSughg==,type:str] +authentik_secret_key: ENC[AES256_GCM,data:8JXEIr4sMDVTcaZLu+gH09q41JGHEKdtZV2GtfTYZnRoDPg05rVf5zt6lWZife5SBGHxc58FTbxC6dgjwNiGc/5h0A==,iv:TYd+GALSvMrATlsWgOfTl70i5NTHcm//KPbyn5EK8SE=,tag:R87waW1ROqQkmK9ner3W4A==,type:str] +#ENC[AES256_GCM,data:N87wpR+zOLubwiRyvm20htEYi9H0JL9vgHeXuE85xmAUBS7Pm+i1Yt+J4//Ps5s=,iv:3aX5HMyft+nmuBs/efFj2jZ9yzAkVsJtCcV+HE/Caio=,tag:vH+GpVF/6eYJ9b7npmsmXg==,type:comment] +authentik_bootstrap_password: ENC[AES256_GCM,data:I2VUG5p/Ybst4uQ/vKBPGW/hZgXFrleUgQTAg/O8owBuAGRUkc1EuDu6lA==,iv:ECiQj1urctQ/PRQfSbT27yrZGiUTbOBwnFyJiO4Z+FM=,tag:ODGLuFnH3uzs+ofwQXExig==,type:str] +authentik_bootstrap_token: ENC[AES256_GCM,data:mtUVl4AY2jIAkg0LolFSH+9J7MJL65L0twZtOM47HR+n9heOxRngYoAwuTWUYmH04jE92gRUd+zm/l35oEoE,iv:ha/2zpj4vdXkswreacYvFq+H2F4IuOqkCiDxz+nhNH4=,tag:5nAcXUnvCePuFrmH4GpEcA==,type:str] +authentik_bootstrap_email: ENC[AES256_GCM,data:aGb1ynlrNc/xi59GImvbwJ6JxIE=,iv:R+TYraLAujChXfn4m7VbE0apPYo8Ie+4NCwgYLh49hs=,tag:78vwn+sCFlEvk7h5Zk1miA==,type:str] +#ENC[AES256_GCM,data:xcWDxDrT52U2bZhed7TpJ2UWodkxbAz9,iv:+dJRUMBuUs3egZT0AiufC/ynS6TqB9CiFxJPEfmRdK4=,tag:rziNZIYKgK9I4ip+zjD/sw==,type:comment] +nextcloud_domain: ENC[AES256_GCM,data:wZFqmG1jh8PuO8y0kVbnVXBKJsSm3hOlwg5k,iv:B+o+Oq+VM7MvApjNnHES/Fn8RWt74mabiG0/QPeV+o8=,tag:GWS258HH+1ypTD92GJv3tw==,type:str] +nextcloud_admin_user: ENC[AES256_GCM,data:4U3nP3A=,iv:AMXFbrY2OijoL6k3ruMG1bmLyf9Mau7xNnt5yb9zpac=,tag:I+oxW4XVyr7v9MX1C4KQkg==,type:str] +nextcloud_admin_password: ENC[AES256_GCM,data:4nA9pSVCGeMSm6NsrIC1nSriPUztHGhI+gV0bkbQFFSbpuAuQtRGp49OVw==,iv:oLWU/XIs+XUUyKQ21eELMmAI39jqONOQk7nfyWOT8dc=,tag:ctrjeWqP5wGf8suFh2zOIg==,type:str] +nextcloud_db_password: ENC[AES256_GCM,data:HTwCdlXhbscS51dlg0wqv+Vi+I5SIgYlH2R0yf/H541WT/qNHPdynGi/AA==,iv:Q5VwH/97Qt01du6o+U5NnJU+iJj7pO7mXDmGEdbrEdc=,tag:Vn6E7+xep4WdArqDMhNeZQ==,type:str] +nextcloud_db_root_password: ENC[AES256_GCM,data:swjuwwWT0ktSwOtyt1VqqLUZ1ix2DnsSXZv8fCX/Yh1G30rVFFGyC/aqyA==,iv:/mEPTWcJIEmKMab3FEntiQwF7Lt1Jb9H2bqNoZHC7v0=,tag:7jJkshLNIgT8VyAh1OjsJw==,type:str] +#ENC[AES256_GCM,data:h54x0ZvOU2bN6EB8tVk+tBj1P7Kwfad1rx+6wpI=,iv:rJJO2EXzK2nH83OjCivCQX+8PGJlO++vOy54pn9KOi8=,tag:cMxWBdA+M9Y0mVsd5DAlkw==,type:comment] +redis_password: ENC[AES256_GCM,data:2/VPbr+cvIrrYRKWVl9q5kABx2xB7HJbcBwg66FKtcNpp5wfZInF2sV2Qg==,iv:35hTPuR5Lf00768K1sKQ2AfZDYYiFm/r/imLfGBHYe8=,tag:04Pyr84ji6oagwYD0cMGaA==,type:str] +#ENC[AES256_GCM,data:OTQvs/J1M2MNMBCdfsX4QeWPvMBJ54Rys40UrZujQUMM1xzl,iv:TaobP0sbel8W/fikk4BQqnrWALLjoaB1DgbvtM0PPBE=,tag:J5xVfVbCpSwjSQLXt1pzYA==,type:comment] +collabora_admin_password: ENC[AES256_GCM,data:Dii+n/1cbYTOHJ8ENkvrIquw+uCb9Xrqq2nqLP9YsKhKxP9J5JfPoYPImA==,iv:7q6h9TXBBAynVnVgAemWbfDBco8NuOV+XyAj4TW5k/E=,tag:nxhEH6WqMrsZUsCr//dz4w==,type:str] +sops: + age: + - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmMVhQQWlzRlg5dGhDM28w + RUYwdHFaSlBYd01hRjdLTjNjU3luZUt0SVJnCkVENmVqbG50aTlZZURXUVhaMUFk + SzUyN002bDhnWHVYQXgwMm5VaEMzNHMKLS0tIGRaK3RETlZyNDlMZFdVOEJkeHhm + TDFqdjJ0bWxiUFJtajJoNmt0ZzFOYm8KqbRJ3XHLWoszx0FSOmH7KqITASISvqft + c2K2g+h3qvY23TmhabZtEObi3n6/jb6kuUBzXBM8Dt8DIKKpaKM/1g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-20T09:25:02Z" + mac: ENC[AES256_GCM,data:Ewc47PbiJ+pz+rVl2jtLQ8Jwopi2HZqNxg0Lns/2toCCTUtViBrk36fzFV17QAwnskE4pGLBitMz9rzu6YEJuoxAZoAUlBz74hnYkHFq7fsrDudQQt6KVP6hh8l6DhK/DGv5VWR8Q7PO91WmaVHx+kupdJ/6ak63IXJwlzGM+1s=,iv:Hg/0d6YceGN4rjpeSJUxwhpFoKLRXVVqZVQuSAs+eNw=,tag:8D+V2IHqR0nMfEExuI8gQQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/secrets/clients/wolf.sops.yaml b/secrets/clients/wolf.sops.yaml new file mode 100644 index 0000000..a64f19c --- /dev/null +++ b/secrets/clients/wolf.sops.yaml @@ -0,0 +1,38 @@ +#ENC[AES256_GCM,data:X8JxD4BECdQWMJOyftwbTW7pBJEHehWH7Q==,iv:VK4F7UbVeopcguqEwLI7cBdICcytulUoxKEqECHcZ54=,tag:WQ8SQL0xqH2+eJGUz+1lDQ==,type:comment] +#ENC[AES256_GCM,data:WAzAQ435o5E0Fj+lgpo5gAkheXyzK3Omp0EMFVR8RZZhQm0GwZw=,iv:HzcAidUAkkUJP5EIS0O2YeKgqOG+R154VgsLp1dNsdY=,tag:+FZcAlcn/QT7+aIn7zUitA==,type:comment] +#ENC[AES256_GCM,data:616IuQI+u1ctI0ZjZGXkBConJChApA==,iv:hY4NIGMVPYcbK0/vydVUOU/1bZVnS9aHlRQJie9Kz6U=,tag:/ZzPoERMGTn2IlnX9BTClw==,type:comment] +client_name: ENC[AES256_GCM,data:V8A2Gw==,iv:v5bJbo5ysVSQsAtvfb8fDcAYfH3agvcDgRp0DvZOS38=,tag:BG1XTCTa4Y6l2GlTuz5skg==,type:str] +client_domain: ENC[AES256_GCM,data:MUdO7f/2ztG2dIGtATQLHQ==,iv:IQ1xqLjWNnLQYvGi/+TfPkfQREasTiRQQVigouXXCVs=,tag:YwH+/6OMHTGu2ahEPlax4A==,type:str] +#ENC[AES256_GCM,data:ZUq99t7RcJlDCdpTYhb4K+wHndvNW1H3,iv:J2e5O2MJELpBpCc2bpYZ+HsEhcntAUadzXnyWq/UX9k=,tag:Us+MGcPbKnnCs75INrSU4A==,type:comment] +authentik_domain: ENC[AES256_GCM,data:Sx7o6OyxPnG1v7Icj19nwGdpVsWO,iv:jqV5WvIMzPxr3AcSOuxAa42pfAzmopNTxBh7jRKwHRI=,tag:QTwm1CXFAbXeuwR10HMO7A==,type:str] +authentik_db_password: ENC[AES256_GCM,data:o5rhEeBS5+Ek+QvGjOOgFJDQ7Yfucrt/JmZzXlgVX3FIjfwO3Skxlievmg==,iv:JXkgThh+ZxRJBSy4YOEj4DjwiyqBrhQvt3ZFUEaDKCU=,tag:cZ1zpLEE8/6dXFOVvEnHmg==,type:str] +authentik_secret_key: ENC[AES256_GCM,data:ssWAhp/pg4XfABAJL1gPMgyE9+Mo71zoPXRx7YmoPJ/aEdFNi1TrIB0Bzg==,iv:goQh+6G4hdnUpEKSbNtjP+XObhPNfG2traUCQsiJH04=,tag:ShvaYphpi4AIBJJOPzPWww==,type:str] +#ENC[AES256_GCM,data:SKCv5gSPF1ysKfQ+QGzjQ2NO1GZKfDMleKjqIg0u4SlaXWtT+E+sLcy2PVu6diU=,iv:81vttO11NXLK2y8puLbCUsJ0xIpdHF9+lj6A13gaQMU=,tag:TywoZTCgTXXRcRLQk4DB1A==,type:comment] +authentik_bootstrap_password: ENC[AES256_GCM,data:fvX2aNQJBdOWvE4QQyga8mxyrcu4OZu1c89+50SUZVzmYDLdBcfyQwkxFw==,iv:3CFgyMuJ2RFAHQ6dmtrNXWer0H3E9zN1p09JvxKpc54=,tag:W/zOxs3vApM+ZRfub6t0Vg==,type:str] +authentik_bootstrap_token: ENC[AES256_GCM,data:8tLCJ6Z+2qMUlRNg+AWw+VzRDHu87zughBoGhlTBKfRou4uidVytuj1isdkDig==,iv:y5kxepewo/2ztPwqlZkXsswG/8vGUR6MGaor9RT2nQw=,tag:hKQVnH7yHpHfkKwmHa7ISA==,type:str] +authentik_bootstrap_email: ENC[AES256_GCM,data:UQNBlZx7C3nu100NetfILGF3IBxg+Q==,iv:Xal8Bt4uRo+SIVbnJVEcB8etzfb1iu1D+84hrxzgRU0=,tag:v2EdR2odSljwEQ8e8zLo+g==,type:str] +#ENC[AES256_GCM,data:g4pOBP6xgObrVV1k0raT09Nhj2JeTWOY,iv:Qg3gUFdStMo8f9td6wtCMeB0Fv8Ubnn89qpxxKhCgBs=,tag:aEnb089WYAVlFR5y5Klwgg==,type:comment] +nextcloud_domain: ENC[AES256_GCM,data:lkPMXA/txIq0gsqxpzvD7ludBrEN54FZ3+o=,iv:YwrMdtFwRvzyutZNZxsjQHUxE8Sutgf9wmkXTDVIr4U=,tag:9xn11iq36DNzx9+h/6rwrg==,type:str] +nextcloud_admin_user: ENC[AES256_GCM,data:rp89lXA=,iv:6aAgoa64CMZ6vH5t/b6Szq4v6tZezwi4GptozGOsVQg=,tag:4Ju7uFSkSGWHzEUE0dPqxQ==,type:str] +nextcloud_admin_password: ENC[AES256_GCM,data:jGsQKNfActchwAMWWIBBLIW/c4k2WOr4IYWbnojOrbWJQdl19KKLrll0pg==,iv:zjfQc5Q6aDY2nwNVMbsVQWy4avKYM8CcY/13PN+XCZA=,tag:piJV2/Zd023MdS0/fYD31w==,type:str] +nextcloud_db_password: ENC[AES256_GCM,data:EBc95vFsEjz/HliVhMqM1U1KTKgUisbeq+95lv+Dr2rpD566+d4awJ75jA==,iv:/n9IzxphJ2Aa1N+nGEjVeEPdFHyIRyonqHokkDILxcc=,tag:UzWYPqZxx7uGc+PaDHje1A==,type:str] +nextcloud_db_root_password: ENC[AES256_GCM,data:QVHxkAfqgPDumApqaHxq4yyiH2XPRKcb///mgze/h5z9AGxTuiBK3IH9BA==,iv:UBzZQkq76BjmEGJYOV4qwEI8k2RDp8MMPDtQflsRUg4=,tag:iIBaM2JTf7GNene07YSGoA==,type:str] +#ENC[AES256_GCM,data:o9j52wW0iZ7JeaI3JIk2/fSVSvZfuROHdINsnCY=,iv:VErcoWYwmZmMj+3SYoaxt5+Rh5IY2SQoely7CgQDQ/E=,tag:/2wit+v7QN3UIJlcyhvLqw==,type:comment] +redis_password: ENC[AES256_GCM,data:hmk0W2v4NkaWtBeX7UyoCB2jybvCMELG43YVQkfhV3p56RrDZN8l8R903w==,iv:tAPVgNHCyium1zpd+SmZLjwv5a2X4yCPI9tS3dNUcXA=,tag:ddwibQhE+srBNz5WXS1jZg==,type:str] +#ENC[AES256_GCM,data:gSdSguHeDnzgAN0RqsgA4XYgSrrdFHAtZRSTdOucoxJOPFjW,iv:POe4KMzLrzHMeeX5lk6mrMUQNc41MqbVjw9iIetnFqg=,tag:L6yj9NpMbEYWzK4x38aLKQ==,type:comment] +collabora_admin_password: ENC[AES256_GCM,data:TkZZxjmLtKK1pdjq4KYIDbDv4zVhubi3NDDESzn6UY9jmcoGee6Jn0PgBw==,iv:nYtxWCejET8PvjiFIXgaPkt2CKgwRMekDI3zFH6Qpnk=,tag:NLKQqtIhjYcthIqt+unGaQ==,type:str] +sops: + age: + - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpN2hTWS9pVVJtOVB5Q0hy + cTZnOWxMcXkxZ3A3S0VxTDd4WkVJNXZ6eGlFCnFqem5MRWlsWnowTEI1amJUU1Rw + Mm9XcVo0WHZQQmVVYTV0Z0lNc0l4c1UKLS0tIGJjNldSd2xhcWxpL3ptb2MxbGky + bnRCZ0JncVNQUlgra2k4aU5OODlidTgKZzrZKcXDtkz60fkDdSqWLc4/Amp715Lt + jWlD4nBRPP4EE9lx2k6Nzasms3Kd7jY6XSxM9kdyYMJnw079FhO7oQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-21T10:19:33Z" + mac: ENC[AES256_GCM,data:Gx+21yPz2TVWBGtn8kAI9pqPU/90o/E/PTSqGJD3aUx+vdmPP2rflV1HBX6Nz8zr3A9a7UDMpzLejGb98B72pOnU31xAKlq22b0MaIlQdg33TL3OKxwwEewPtvhDQDWCf2IrTQtC2SW+Hn1DaV0CxSb58GZWj/NXtVAyq1Fd/zk=,iv:PI18voGa40uB4pJt1PHGBTHAcTfFXLIqzO/z2tHjiPY=,tag:szewwRMLvC05K7fXKbOxrg==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/secrets/clients/zwaan.sops.yaml b/secrets/clients/zwaan.sops.yaml new file mode 100644 index 0000000..79ff263 --- /dev/null +++ b/secrets/clients/zwaan.sops.yaml @@ -0,0 +1,38 @@ +#ENC[AES256_GCM,data:grMUWAptTTKARjOLuIU5ebl+z9443cYJq6I=,iv:XQUqmLqDULEaNMbMLQxMHARxuFqWtbCfBawiMprpTbs=,tag:KZCOtofgOKtpuzNuySaJ3Q==,type:comment] +#ENC[AES256_GCM,data:5jaeagHg9g+wliZySGR8LSv64yL42X3/a2HpGA9Q/Nb5YKaHbuw=,iv:mETlzOquOv3XvFolHznZsL9JtH3jH6bOc0tqZcQ15s4=,tag:LXRyVlxzgkDWjxxWFlw3Pw==,type:comment] +#ENC[AES256_GCM,data:uU8xSvIXCBoZ7XjCSfs5Qj6F9FCZng==,iv:l9Bk/vQUORlNr6UvQyayOgTn91k5jVGa3f6c5551cYE=,tag:stANmYwcjqI7fiEWUc/KxQ==,type:comment] +client_name: ENC[AES256_GCM,data:/O1WCS0=,iv:h5c47JPzk1XDAC4PYa0aUoBn/2Ce1985Mwy28CV2b/g=,tag:QyCFX8PEkKnO95CIhJU1FQ==,type:str] +client_domain: ENC[AES256_GCM,data:fA2w0n4NWUZvd8YtBh/yONQ=,iv:iRlazuwjk7VTRB/pPSzJbNCLblny5sOTV05xvMCaacY=,tag:53J+3212xm9164y+zPbRCw==,type:str] +#ENC[AES256_GCM,data:+37qvOZXoDc5kc0YJV8fwGxIY9PJUZh6,iv:Pvjicolk7OnE6ugsKVbr9HdTcgwLi1bj7j885xLluxY=,tag:8CqMSrVqkAcXXG4xODEmjw==,type:comment] +authentik_domain: ENC[AES256_GCM,data:7o4yatWlTgJqYV9WNc7qcNmLanLgJw==,iv:Tx9xJLJUmtps76UWYazjJlhhb5jDMOWH9jQSSzVFI2o=,tag:BkbImmwMq4Yu5eONAAapHA==,type:str] +authentik_db_password: ENC[AES256_GCM,data:2zbpT5WrC2lDB4U5O0w4LYOVIhSf8zCbIWvRrc/Aqim8H/JXUMyd0kwSuw==,iv:8y1eVLeY4O+jaUFr1uz2/OB5jA0MVenjxV1xknR9VfU=,tag:wL0lDaun8AiUW59fAGiCZA==,type:str] +authentik_secret_key: ENC[AES256_GCM,data:BCWmzgt7Mm61CVdjmlmgmDHpRL+K9ezooPlYwE0WyNpcObq7xz+dzFG/Iw==,iv:3AG7T9jg0GxLUOQUg96lcnURFjFYPcwtAdbMg9i5JUM=,tag:wdXmSAj8eEjD9mbSuzsPgQ==,type:str] +#ENC[AES256_GCM,data:CDts7Jm8JDCiOD8ncxHpNVuHt8xOY9Gat4BkkXfA1w1wzibWoSkPdorcxCvIATQ=,iv:/WZqkCy/k3nWosSjqAyMqyjb+BuHX6gaesEbKuL3fR8=,tag:OwrcTDfLdJIqqvGiN2S6AQ==,type:comment] +authentik_bootstrap_password: ENC[AES256_GCM,data:U95Apb8YvMoE3X9lYmwEK1jVpSOLEIzjpFKO19MLolPF1/MxkQlq3qGZ+A==,iv:/HKFSJc72x8gxL2hIlC/G4BBIkODpM7VZ2RchBo9++E=,tag:amPHnFa1Gl1qYAhs0eSjGQ==,type:str] +authentik_bootstrap_token: ENC[AES256_GCM,data:nbpEsV1WHV1615BIqsELzzRBYKS1047fOsleQiu1ACAVJ9ak892bbr86WuYC4Q==,iv:UmEja7XaET5j+gd6T9whI6/eSsE586iJf30ugRKu9PM=,tag:hNQe0SddKnUjEI7VaV2pIQ==,type:str] +authentik_bootstrap_email: ENC[AES256_GCM,data:FVM50ieG/Cngq3jPhMup6oVdRfCaJcI=,iv:dwXJy+6OZONKc06rnfr3ltHgmCoRbpOsgncjWErZewY=,tag:EbjBl/IUXoc9nwhqgoUJlw==,type:str] +#ENC[AES256_GCM,data:EmSyiq/0LxJCtJ7RT1FPFDuFKPOzOjhI,iv:zl4iKXIAxjmtioJuW2feoxLi+fSD5+G/FWWWnydKZnM=,tag:uQIzJVHDsjiGklmazzqJ/A==,type:comment] +nextcloud_domain: ENC[AES256_GCM,data:fD6e+FhhTpJwLlfTPx3yCQSaq1CObyN96j3s,iv:NF9zK6qPtONaLsS+yJqODd5nEiOI5pt7Jo5tHXLIOb4=,tag:HHFpqMFhtmT7IKo4woeIBw==,type:str] +nextcloud_admin_user: ENC[AES256_GCM,data:qP/XelI=,iv:bQUPebAzH/UOX7gs1aRRKfNYcYyhkTVZEcOEFvPGmXs=,tag:JIVcrAWPEQyLSCP6lNkYrw==,type:str] +nextcloud_admin_password: ENC[AES256_GCM,data:i6sUi+25ls+5bu9pbwxMuyUVLAGwCENjVNOYVwYQlbZDfyiYM82pCcvtnA==,iv:OhOefaqn79U6URjuKwFxrdCE7ECaf2HeUHstrrXftX4=,tag:RQGZE9B5/eDzTP8FIlal0g==,type:str] +nextcloud_db_password: ENC[AES256_GCM,data:4iQtSJq1vLLzOSCYPCjbvXiUokt2l7PAr0volEffOvxaUWatSyN+5ffI8g==,iv:FG2Pp/aNiNn/8JLj6mGzB/aAxaonGjCN8bZ5cwtEvW8=,tag:MWrlCAv4Ns/0ZymMRpHAMg==,type:str] +nextcloud_db_root_password: ENC[AES256_GCM,data:AUlBerIg5to+wqvGe4XrV6qyLv7qN5CvBLE/Mh76fwutlkcap7LGnopPJA==,iv:q/UHrYVUOX3IEcVICzEKKUwZSb8xC3GOWyfXsZcrxj4=,tag:M0G55DaVyVSapnZVKvOdHw==,type:str] +#ENC[AES256_GCM,data:/lkuwDB+t4izxgk8z7srKzVGIUV1ddVuggecZzQ=,iv:5Ew7A1CMl7loBS5Ihwn81ZQIuKxg7svrWRSfjF+Joic=,tag:QJxXoMmIjqv58eUGYVHIJA==,type:comment] +redis_password: ENC[AES256_GCM,data:Dsb/AdHGNguC+eJAwTkikEJkXDak+U5DwRinANlvu/g9H7oOVu9netXzqQ==,iv:/RDnk/Nq6RrKZhBtJxDdYSBb8NvvlnfpUZQmqsCG46o=,tag:Kc/uL312sB5ZFBVEGjh5Pg==,type:str] +#ENC[AES256_GCM,data:vHxc31U98vS/+twbwssWGtWWm/2/M9oSiSNW03A41gSDqMyA,iv:vgWYcaaxGcyhNTn/Oox04b9Kd8jWZyGWL/79/Xb06ew=,tag:uX61Pf6boE26XriX+jIJEg==,type:comment] +collabora_admin_password: ENC[AES256_GCM,data:M+JbmS5WtUl1d2GCoUl72F3NOcaslFGjaz4NwQYYXF+CKEb5DMF0EkaIHg==,iv:X3gdn4NE2O1FyBBRwdDqyYLoEqlmnXqiJ0FlhOd9DyE=,tag:POjkQqrvmB31kRFRspRcDw==,type:str] +sops: + age: + - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRWmdObzRmdWNCWlliaS94 + WWRqUnB3YU84c09mMXZGSGpEclptZHA2Q2tzCnJQdkNiaGlLS0ZmSVlxQTNzaDZO + SERZZjhaVTZXTzE4N25FVnNybmp0R00KLS0tIGJtV0ZJZEREOHNPVDg3cmRQbDVO + ZUg3UEJxUFlaWUhTWjh5dXMvbVhVQVUKeSgbz+rYkfLbhNCF/Lgx+vauPCdcaxXC + hpsERVWHHTu3+XOQbDZ60QCXelUu9kyejlYow0fLP9jMPm7Ifkujnw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-22T10:22:33Z" + mac: ENC[AES256_GCM,data:H2v+rflUC3HQJD/h2B7N2JGq5A/xUkVFhoCSROOVDm/K+u6UdyPTSf8FBWoDZirXrcCxOUMZjDLz1bhGM02BmHYH5cd53oRlBjK4DHKFniEiaa7JmxB1QVqn8NxsmtU3fS7Noy0tTq8vhnL8RXHQdgO8emUQ43NXoXOh1nPoEas=,iv:Oab+s7v4VtAp8MxN1VUZIDr7v/pFL1JKkTuZ5Kzm6to=,tag:pzNHtuD/TR4K+oJbiS3sbw==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/secrets/shared.sops.yaml b/secrets/shared.sops.yaml index d93654a..48c5e52 100644 --- a/secrets/shared.sops.yaml +++ b/secrets/shared.sops.yaml @@ -1,27 +1,33 @@ -#ENC[AES256_GCM,data:/eh4zz6uEw7qlElFH0QH6C78W+bwRwzUfrVw1w0+5poZOQl136b+6e4=,iv:t/wsXLGjDe+Lf3Cvp5R4VATw3olGLVJ1H2RUSFlOMF8=,tag:D7kzKpDHGtCY+E67LJeKkQ==,type:comment] -#ENC[AES256_GCM,data:VM0dHs+tOx/1Z6oamSlAa21A4M2He4KuNLXsPdM6/leqvus5M+k=,iv:61HeqUFJBEVw2Ge5jWps/hv4uuvPxz6iZaJrBONwySs=,tag:zi4V00IRiudBZujrs67bdQ==,type:comment] -#ENC[AES256_GCM,data:1ptTqfjwMAOzAv9T62FDHVJo+qrseQ+XHLEerh0Sux0eelsmSpxHK/lkEkclR4SctM9j+FZgEc/1fw/LgW37aoqIWFLo,iv:LPZxbeFd0oMTDDgUvswNGbkU1BO4Jmo9+zT/qVQij9g=,tag:KbNUGlGaEzjtCHPJytK4tQ==,type:comment] -hcloud_token: ENC[AES256_GCM,data:gn0NL2Wlnh44RFtACu/DfLO1Cot1hBqbPI9S8DhG58jYuutmVefiuYo5GT4AVn4cDMYjL0sthQ3gX6uGvbCh7g==,iv:PUvbYQvwez4BASvgOiIdST549HAfYJ+g/y0JsFfeQqg=,tag:2VTRTUT1hftOf1nYprjQbg==,type:str] -#ENC[AES256_GCM,data:KpCylAL5gOarG+cNdmcL5cgmJI/6YT4mdIA7GlSqSJRfgNBVYe/xBgL1Hpiq+Q==,iv:+O4/ADo/OoYvMx50+g/sAqyjy+O7DmwURGMqBdDhLZM=,tag:PI42CwChPU6MVF/8/mT6Pg==,type:comment] -storage_box_host: ENC[AES256_GCM,data:rO/FEQp1Ksd824TToUh3q0WOVFY4cRk3W64=,iv:61Jor26LvSTKoXo3A9S5NTfgwuVcP8afUneKxSmyT/c=,tag:MrWsp91eygd2YvOnNNyanA==,type:str] -storage_box_user: ENC[AES256_GCM,data:KXUlMAixCQ==,iv:8o84GdNHZXKtBJwYop31YwqUL4HqhBNeKbEnhVLPl9A=,tag:hW5O9zSZ9dSLq0FORKqx3g==,type:str] -storage_box_password: ENC[AES256_GCM,data:SyzHuEXRbLru+wflZGkxauZpZtUDmo1vMuHmbJlh0yhS,iv:PgqmRC85bQqSreMaL2ibnmOL9+nkg07i0lDNJSEQoDU=,tag:+TVM11wz89TirKBesjKwfQ==,type:str] -#ENC[AES256_GCM,data:y+MWRmWUdPVOdaHk8vyZrc3HPD44NIWDZ4mr,iv:P6wh9kz8XcE2i/OVIOfvKRj49qizcQoYh0NZqpJk3bE=,tag:ZYgRx8zsILKp06ZQDn/4/A==,type:comment] -acme_email: ENC[AES256_GCM,data:cu9ReaF3xouE0eKZEx4PkiNmMfKOPyix,iv:fqgM8f3tMz7D8HAGCJ5ziwQ/Swsu3K8ZNkQ+p6Qc0Hs=,tag:pO+8wVnAMHSMMfeZ1dEKNA==,type:str] -#ENC[AES256_GCM,data:SX03vdRrckyWY15r//Y5pJZWXFGfaQSnNnJvA6k+AsutO1Vl9reVQMexQEU=,iv:p1LbT0qxIFfoiJPUerjGqlHD+fK0o0lLnFUvPhIyHdk=,tag:1zURmS+50zRThvHpOWJ0HA==,type:comment] -mailgun_api_key: ENC[AES256_GCM,data:WxrIeq1odexHduN4YTJSIX9+CaiLaGnkPNkEQpUwTou8PU7aMqJtclxliGl6YrYjncM=,iv:RzHQO1URtLPeAFRRjR3YF9+z//5WostpuwPtf7wxCZI=,tag:mi+mVIGGJqJaHu6cM3HcfA==,type:str] +#ENC[AES256_GCM,data:2YMIFNKq+JsSJeC9Qjm5RwtyC3xK7kUoEcfZDvDl7UrMtSqKr8COUgs=,iv:iNYbG7vJdnxmQEKvKrbKT6DKpXRJasKP+sEl9n8u9kY=,tag:hWIJ51MZDWPKavBcPtfjAA==,type:comment] +#ENC[AES256_GCM,data:7hJjDYJ9YaF6I6b5Dvt+/dvgWIQjjj2AjYrmR0Kno+KKgcg1yEE=,iv:QzwxWutd8vEhusj6IL7xeLxG27PcmKigHnCwZRKEulE=,tag:Q1vlJzRxX7dj8wNrhi+Kfw==,type:comment] +#ENC[AES256_GCM,data:xtOU9wOXNJEMnPuJN0pxLxP4709/IRV0JhRFyf8BeA/QDlSt9jtyaumsuBuA9aui31+0MyhqvLeBbtE+acnTp9W0RzEo,iv:nUdN95nWS9w/UHTxos3ho58/s/dWBuFc14gWcKxPmbU=,tag:GPgBIAk9+/uNBU+9qbYhhg==,type:comment] +hcloud_token: ENC[AES256_GCM,data:8FN2vXof6ud4VolI+uPMWikqOKwTL0Lua4JJgGfGu2F8eFJAKNznNCS47X1HoDCu6ky0tl5jmZvx/RcZU6Ly5g==,iv:Sq4G5gDvoP5HpcsaZFL5bRma3iQdA9shcVjc9NgkUxA=,tag:ww1P2NFJvLyIi1Sbbf0PTg==,type:str] +#ENC[AES256_GCM,data:dV5m3Mtqq/apW8NLlEpy3KFVyQaKZS8uH4WPD3j0k2pnN3hxIc74p+/GS0V7Ew==,iv:etSVHDonOo9l7AGWt9uQCd9ye6u5yVDlM7BRLJd6keM=,tag:QCNmm+IuuaJZuai2CVBYbw==,type:comment] +storage_box_host: ENC[AES256_GCM,data:J1YKyjZ9X2x8mapgzhr57K1vZuQ2lCkrWdk=,iv:awswwnWl/ADhsG6flTgUAZGoA+e+A410hCOUQ1cvDZE=,tag:4J4oo0CKNCCNb3LrdNFh3w==,type:str] +storage_box_user: ENC[AES256_GCM,data:JIWh720v/g==,iv:HJp+Bx8kS+QnFXlqdiITPuKFOQRgpg08QPxMqEI3AXs=,tag:bDYryqzAgeuESbqCNJlY+Q==,type:str] +storage_box_password: ENC[AES256_GCM,data:/9eyEsS+sHuWfi2zzLawYwURHryZQ0ug+BP36SqSXgiX,iv:i1VaWheORGkrCZZiCpGqXsxE+lx4a/zEMczJ9hLRsmc=,tag:5OVE90R+e4H0xkI1TP8QjA==,type:str] +#ENC[AES256_GCM,data:AcDfSbReb+Fq5yDcIxTDVN1foKsKKs1eMTCc,iv:m1LZMR4uaLCHH73MrRG3qpv65JSkDFzvF7nIxMNJOWE=,tag:d2hzFSYNO01UEOeCMUJ/bQ==,type:comment] +acme_email: ENC[AES256_GCM,data:by2DuXwa5TmwKuoYB9rQWC7JQ6aJNgwJ,iv:nA/WnVsscIF8n955TOEJ4N6+bTIBesu8VBlk8GjWheo=,tag:RpxSJUt8XG3hrQ8yvSU8vQ==,type:str] +#ENC[AES256_GCM,data:oIGUDVmm09wiD9ftBozwyy8I2liAR+SvHOwD2CfePQ7y5aaXs3iCjTQGN4g=,iv:B68aM+QBRx8vDGKunDxUWSCtjWKNtoZojyHu/tAIy70=,tag:qg6uQjRcWuWQhU0u+FUZxw==,type:comment] +mailgun_api_key: ENC[AES256_GCM,data:xj31QEnmS8z4qGqXuWK1ZJUNXWk2uPOKV4dVtDFxGcsnq/grQTPUY7ZDsp02x441Wfk=,iv:Cdeyk4wSZ9T5tfq45VGE6fNI+PqqDTFf5uf9x0yxIw4=,tag:Qd3WGPtrg7ZNT2J/U4XxDw==,type:str] +#ENC[AES256_GCM,data:XGCm1nYG9utFEgZ08hY+mDzl6KUh0WzlwztGPn/ivn04BA9CXE27uwSFmQZIwtDDUm4r8SvHNmytvd4Jwg==,iv:fGx0xsCmVrRKKQn4YwGeXqk09zGiu421eSpjVlP7yaY=,tag:0dBzVVsASKgzok0wkT9F1w==,type:comment] +kuma_username: ENC[AES256_GCM,data:pvaYOaQ=,iv:LEEaIy1d9zeo/0J53G10SrCMWu+decEOJvQKQANpwMk=,tag:6B5uXYIGW9fg0nO7T3MIrQ==,type:str] +kuma_password: ENC[AES256_GCM,data:zE2zI+mrQ92I7P/zykqbx4jEACI=,iv:WQ5y/N+WI45fHolYZleoH5/N9ITlNzMTn6xtpGfPFlg=,tag:Jwh8CBShb0Nu8b6ksN5DrQ==,type:str] +#ENC[AES256_GCM,data:h5PCiXOXU3wcEAv1d5hT+ft9rDETCcDr83LBGwTeiF/PBEEVMHesSsv8Bkn1Icuj,iv:HSk5jzuX233Z6mBIwxcwBLW4Dcw+IEObUkrmkg2wfBw=,tag:473GFIBMhrI07tIBQnFZJw==,type:comment] +docker_hub_username: ENC[AES256_GCM,data:4UQe5HoWd0azh1BN,iv:KVAFe4HYtQrzpRVLhVOeVxtrg/VrX0tdh8BW+lCGqZ8=,tag:31NlEomOynhd61qiVwuMlA==,type:str] +docker_hub_password: ENC[AES256_GCM,data:qo7aespQMFAPhfXaKA9q8A07HAwwyoRKBuJy5Qm6zK+HEKiU,iv:l3vx7CIkL4fZOVnQ0CxYuWI1UWl+eIcuqfa55JTOHZU=,tag:jn7izsloBxoZ51Rj+vBdSw==,type:str] sops: age: - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4cGhtWTREWTA1NWZ1SE9u - UGwvNWM3Z2pjdmsxMXRFK2UwcHQ1MkgySVE0CmJsVDBZUWhnVlJjdnhLWkwwOE83 - b3dsMDhKamJNLzFaYnZ4V2ZnS0VydzgKLS0tIE10MmZuc3U5bFFmeDFGNXhwbytG - eXNRencwRmM5ZEdqbks2NTZ5UloxOTgK3NE24DZp7QaDUIUQOQjENm3zKorckrmt - JEk2oRXoH6PGJHrZMh2AkmoG3/enh24U8PNQBpmYX6U2ZA7zfnjZXg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsZDdlWk4vRFZQYTFTU0RW + NDh3a3RZalFiQjhYd2NESjZsTlJKa0RvdkVRCnZLdHc1VlhYVHB1bWRmQ0lzRlNM + eitYMG5oc2wrdUw0bVJ2cXlpVW52bEEKLS0tIEtTV2s2eVN3bjljYVduZS9vMW1U + a1ZFY1NBNW5odFNZaXJSQWxFNjIzVUkKIs0FCN7RRaQBAFp4tBb09C+7c5iSlyLU + ZFNIXfMeTHtziiyB3eUtFbZHS0Mec6YijCR90WGm2Vk17dNVTu1Nlg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-01-18T17:12:08Z" - mac: ENC[AES256_GCM,data:uNDFf6KeSbLmbmjkSlSOKJEP0R4CjsUVHdCN6Xhx5JNvFutnBpI7k0Fy6SUQgO+Glyw0fJgo7vyxixPoFRT460xAePPNRo+uGXrbtkR+gXX0nOZKaDnu1AcnW2pTXR3450abHlfBRfoYKpJ/yY5AaitIUiRk2H3Lj7H6Q4tj/oE=,iv:citqKI31p2fiifMW2QL8E43BmQYRO3/grR3nOEL3hJo=,tag:sNjW5j0Wl10nBxOiqYBCCA==,type:str] + lastmodified: "2026-01-20T10:38:25Z" + mac: ENC[AES256_GCM,data:4aL5GwxjNYoXaLBdDYtpQ2FiWz6fVPjNvlB4wMX7PedzSPb0+Eix7BK7vG6MHrRZVJzRbWQZb9xmnVzl+Bm8gdyS9ctPBfcZsv94nUFHMW9KLyavvsaf1F7asT0OuyNsHc3A7vfxjO3FT2oNOGOmulpPXKFQK2+87elL52bg80A=,iv:gQU//Hz9+Ku6X31S0ocLr2oQKvw8+Bagx9LEAqelT9s=,tag:f6P5OtH8bAyWt+BuEsdgWA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 diff --git a/tofu/dns.tf b/tofu/dns.tf index b191b09..ac1cc81 100644 --- a/tofu/dns.tf +++ b/tofu/dns.tf @@ -6,8 +6,7 @@ data "hcloud_zone" "main" { name = var.base_domain } -# A Records for client servers with public IPs (e.g., test.vrije.cloud -> 78.47.191.38) -# Clients without public IPs (behind edge proxy) point to edge server instead +# A Records for client servers - all now have direct public IPs resource "hcloud_zone_rrset" "client_a" { for_each = var.clients @@ -17,8 +16,8 @@ resource "hcloud_zone_rrset" "client_a" { ttl = 300 records = [ { - value = lookup(each.value, "public_ip_enabled", true) ? hcloud_server.client[each.key].ipv4_address : hcloud_server.edge.ipv4_address - comment = lookup(each.value, "public_ip_enabled", true) ? "Client ${each.key} server" : "Client ${each.key} via edge proxy" + value = hcloud_server.client[each.key].ipv4_address + comment = "Client ${each.key} server" } ] } @@ -33,18 +32,15 @@ resource "hcloud_zone_rrset" "client_wildcard" { ttl = 300 records = [ { - value = lookup(each.value, "public_ip_enabled", true) ? hcloud_server.client[each.key].ipv4_address : hcloud_server.edge.ipv4_address - comment = lookup(each.value, "public_ip_enabled", true) ? "Wildcard for ${each.key} subdomains" : "Wildcard for ${each.key} via edge proxy" + value = hcloud_server.client[each.key].ipv4_address + comment = "Wildcard for ${each.key} subdomains" } ] } -# AAAA Records for IPv6 (only for servers with public IPs) +# AAAA Records for IPv6 - all clients now have IPv6 resource "hcloud_zone_rrset" "client_aaaa" { - for_each = { - for k, v in var.clients : k => v - if lookup(v, "public_ip_enabled", true) - } + for_each = var.clients zone = data.hcloud_zone.main.name name = each.value.subdomain @@ -58,16 +54,5 @@ resource "hcloud_zone_rrset" "client_aaaa" { ] } -# Static A record for monitoring server (status.vrije.cloud -> external monitoring server) -resource "hcloud_zone_rrset" "monitoring" { - zone = data.hcloud_zone.main.name - name = "status" - type = "A" - ttl = 300 - records = [ - { - value = "94.130.231.155" - comment = "Uptime Kuma monitoring server" - } - ] -} +# Static A record for monitoring server removed - managed manually +# (status.vrije.cloud -> external monitoring server) diff --git a/tofu/main.tf b/tofu/main.tf index 726e7f2..c8b46e9 100644 --- a/tofu/main.tf +++ b/tofu/main.tf @@ -70,25 +70,14 @@ resource "hcloud_server" "client" { # Enable backups if requested backups = var.enable_snapshots - # Public network configuration (can be disabled for private-only servers) + # Public network configuration - all servers now have public IPs public_net { - ipv4_enabled = lookup(each.value, "public_ip_enabled", true) - ipv6_enabled = lookup(each.value, "public_ip_enabled", true) - } - - # Private network (required for servers without public IP) - dynamic "network" { - for_each = lookup(each.value, "private_ip", null) != null ? [1] : [] - content { - network_id = hcloud_network.private.id - ip = each.value.private_ip - } + ipv4_enabled = true + ipv6_enabled = true } # User data for initial setup - user_data = lookup(each.value, "public_ip_enabled", true) == false ? templatefile("${path.module}/user-data-private.yml", { - hostname = each.key - }) : templatefile("${path.module}/user-data-public.yml", { + user_data = templatefile("${path.module}/user-data-public.yml", { hostname = each.key }) } diff --git a/tofu/network.tf b/tofu/network.tf index 104b865..7a12f45 100644 --- a/tofu/network.tf +++ b/tofu/network.tf @@ -1,86 +1,3 @@ -# Private Network Configuration -# Enables client servers to communicate without public IPs - -# Private Network -resource "hcloud_network" "private" { - name = "client-private-network" - ip_range = "10.0.0.0/16" - - labels = { - managed = "terraform" - purpose = "client-internal" - } -} - -# Subnet for client servers -resource "hcloud_network_subnet" "clients" { - network_id = hcloud_network.private.id - type = "cloud" - network_zone = "eu-central" - ip_range = "10.0.0.0/24" -} - -# Note: Client servers attach to private network via main.tf dynamic block - -# Edge Server Configuration -# Single public-facing reverse proxy for all clients - -# SSH key for edge server -resource "hcloud_ssh_key" "edge" { - name = "edge-server-deploy-key" - public_key = file("${path.module}/../keys/ssh/edge.pub") -} - -# Edge server (public IP + private network) -resource "hcloud_server" "edge" { - name = "edge" - server_type = var.edge_server_type - image = "ubuntu-24.04" - location = var.edge_location - ssh_keys = [hcloud_ssh_key.edge.id] - firewall_ids = [hcloud_firewall.client_firewall.id] - - labels = { - role = "edge-proxy" - managed = "terraform" - } - - # Enable backups - backups = var.enable_snapshots - - # User data for initial setup - user_data = <<-EOF - #cloud-config - package_update: true - package_upgrade: true - packages: - - curl - - wget - - git - - python3 - - python3-pip - runcmd: - - hostnamectl set-hostname edge - EOF - - # Ensure public network is enabled - public_net { - ipv4_enabled = true - ipv6_enabled = true - } -} - -# Attach edge server to private network -resource "hcloud_server_network" "edge" { - server_id = hcloud_server.edge.id - network_id = hcloud_network.private.id - ip = "10.0.0.2" # Fixed IP for edge server (10.0.0.1 is gateway) -} - -# NAT Gateway Route -# Routes all internet-bound traffic from private network through edge server -resource "hcloud_network_route" "nat_gateway" { - network_id = hcloud_network.private.id - destination = "0.0.0.0/0" - gateway = "10.0.0.2" # Edge server acts as NAT gateway -} +# Network configuration removed +# All client servers now use public IPs directly +# No edge server or private network needed diff --git a/tofu/tfplan b/tofu/tfplan new file mode 100644 index 0000000000000000000000000000000000000000..181ab0008295a2384f16c1123d28b29cee5e80a2 GIT binary patch literal 13139 zcmaL818`;A_Vyjywr$&X$F^-d>DcHP9b?CK(y`r1I_`9ATVKxq)_YH%{_eeF)!tRJ zcCBaEnrnr8;;sWJ$jHDF){p>q@dW_qVu?mo@v6MW8GveIKpr4-xcfxUr-6(F zg)GS<_dffYcmL(A%|pQlR?iZYGde0p)p%yQIf$@XzFYj&JzPW9G(oBpzoQEpJc?Am z`wHc|TYtNVoSyJT9KQZ%LoInP-YCfaetdm#RN_STh4D0p3d=7MQRXrt3MvzHC~#hQ zUS2iU=BQ9Q=cL)9nnWf%0N-gQ)TGo<=Rrf%kNco^?d1ktQFUO}0^8-`&U5Pd+iMJ| z*|y+f$!5NlGo!9{D8 z;x~Jg8@DczG5;hhB@715vj~Mk|5cAC^SdKP5(o}?et$jN{w1E8Aqe%*Mj?V3cMwNT zD2*JkRTxoB{_RxbF8ibqV=CTRGEopEx)!@6IP|V5@}w8v!mN^_5k^jxf4>E6x)bPt zdcNVX+g zn~_D8B}j{Pl}X(3r7#8OD|^`Xp^6#Jsox~yqo2)s>a5JX=~C2U z^ywuQ?T_{#+)CmU6WXT1hneP5EqksFu~Q7#W5*=XUWvgsdd4C$w|*#6Aw^33x&|3H zPTT7{8tczN8FQ1VXP(Qzx*k<7CB~_bKRv`~=FV10(jtACnt&CA-W}_`zniT3isSwu z{aOVmr^?319EIA9 zzxsqNvM5~2qH&hNolVQ~PrB*A&btNZlVwZhkYw_2Oy%$JfA z2+KX^(c27H#DT2gwxFVRd$Ta~t?CWniSNlUEbj)C&$60R9I?BQXs?toot%WS)KkNK zzC=@!Bz!T~B*VkTzEq>pP69Z;lA#3%T4qxEe7X7{3&rW$q}Wi(`>wKWQbL^F0_E7j zb~4x6gYe`sGbXB;=2$wsc{)fEPXO?^j*TvMy0EoD^y^w92&SBMuu&s8+V;h9L3@Q@P$I*=3LcTg$csg*f@n9{{zgcDiuS4m`%t^9H{G?LUtsAaEW#r}LMDZ>LnlYPJy#BfCMl;k zG7c!(-RH}-+7G_mbBab4FG30VXyULAj20vX(_uqy-tpZ}u#{@HQI)E~lL8l3N+c*g z{wSu_Ig@5J0u0=Mi}-W6DlfVa1IwUDgfZ`5YVIe3@6(WY!N*T{@kyGBX60ZDOJP<< zZYSYJ`2fa-K^Ds`%IPH(FVFL&HXy|>2cNhN zW)G{7L7^vtS}@6^*ORDCW@BL&M4Dq(3o&3>B}-}RqoYt+5u1Lt?sA!s_Z{CTga{gF zjEh6&j%G{7YG5r1s^ypM+JFT$nK_ZSa1=VyT3X^vkb<-2zK*{k)K;$uzD?b@ zyV`)v##Z_My(oL7{74Zmh?*?D9Sr&xcCfsv7kg+v+k1WQxhnS1a0G>VcA+l}@;()L z2jml$w2gJ`(Lm|=lLC4cAU$P`c`j3!&LKj~2u{p*&}HauN@0O_c1t`+j0G9KUVu#G zV4Dl=axkebo$({-1Vb~^go!P(s0=`%?CkavH@`R-lejn}>e+?UQ7H-*XHM4bQ$0zd zd8T?_HKvDI18Df^nqB#pm(>PSs{=}zQP@A;&b?f;_F_~ACxqMh)`T}JY({0tm{`N2 zTTJ1dDgq6KH#5PNi|`^Ll(Rnro`6Wi6)d38aPSALUZ|72cuK|GT&M9m5)%i~Wg4Wu zfQL#$n1OBabW3nURjkT58t$c&Exmh29m^bLq;8o}QpQ%RB^ydySi#qD8-*e60KPNC zTIPVjD&rg%;1OqED(r3XRM^Xi*g>z{3X+2BCW6D5kW@oT8~8aO&SlvY@$}J#gbWS? z4SgO>B~kS4B~>*o`2{lSHpaOYv%h-U@h3_@) z61=-}=a~q{%j!?D>W-JzeVNgZAVD@bi%JYA&$>qVv5%rkf|&a+y_&DJ2p9R5Os$rh zn1ot9mFsGTpox0Aj2oW4r*zFYP-l}ikl`TP%P)I|1czI1_V%*pN8bU$jqcIz^1;vD zE4_N!N;x*(-7t+RjfAdzO8QR*&N9t_$y#g=!Uciy4$2|*s$y^{D75)h!eje*d5$g= zKIxC)iwzv6$$Vuc%XFUhMZvGdFtZB3DM5uu8B9jyMP!U zj^tPW6r8PEp6oH9J}jv4VmX%WsR2 zM=RP}k3H;mJM*cDpOg&^wsUJN_Cj&YS-P@Z5;L1IDvMu5TnH;27(&o70_GYA!>OKt zz;mm0RCw5!dP-ci+=6B;^a^vH)uyU4DN~)VmoQvhA~QA|R*p)kyamB?%Pelcgg9Tz zHOm%(-{rcWrYKgg{20@Apf))-n9wX8diXS-%Ftw9OMiM~J@7*V14{>ay2<7TgorP) z#wzg{(1qN*=^Kmqdpbzz5inC%U(d|4%H1H2ETg!`H@bA z*&5}aDc&P^23s{5FT+twHa}4-`btMYVntoq@#^YZKt6NoCfWySd@ip)}G&J}MQ zs4i>(SENtV?WZ}+sH7$1UeUxjCO8p?PISga%;@H3iPZ2zpx+)dfW^{t&)~BlG@x}j zs|?nMiP$MkxSwYzL;ng^Wl-Uza zJ=!#M`KXL_WcAa}7`wHp^=qfBGW-)Nper;?D82Kf!q&Ks*M5wiVo)H>Ibf8)=E+N1 zggZdowd2rr=&`(0G~g@9C*|a{9<{>lGCFhVa{Eu?R?iN*4;rPh_xET(3~=@KGd+z$ zo^ZA{Fd+cy{uHgjL^g=0rusF26mH@nzpHH9y3ITNDgDi^`bF~MXiHfNEM4V7XVC~m z`GMxqh4!p+c|M(5&SBe3=e5+X*Q7gTx_GRIiXSjc+uOQ9O;fpHIg{W4z?}p(6-TYR zzFN#W&B(3!Mfd!yX7kzfSc!D3!aW{OjYiZopQhNW@{IugRU5Z;hT{?AR{L|+XM?~^ zj6=*9k;b;IzLnjiVi9ZNaUNP5-Y;vLQm1DCXOo{A%PNWd8R$PLj!Q%~!OzxIW{9Py zbH{8v2WIjkz@#vR;y(ziLLrk&otJ-q%zsBpd1K#TM5xUR)-3{tnbxeV`BCX7Ag zn1M+hoqJgS8TU)wSj_Bg z+Y7m+V5XaPe0RvYdhDH+yfPu@`i5g!)yJ<(EEm&eyBn#Wqwku17rN`e{EBU<@m)}J z6>T>g^)J}|ehU1NRqL|jqaAiN1@QJoPww6!fPmiL6=flz5>Ys7ui=1zSXqF86#r|z z1o?mUl8dX6tJ!Y_lakAP`=Z~wf2icA&8{UU+hHe^$%}+l5W9SO#WC(scfP2u#tBwp0@Os-~q4UYVXe5HSgE(I2ddV8kQo(PWx@;&HoN zsnK#@g7U~DTKChbO5jGokR%RPj7ff#Q4&z z7+6Dki27J~qKNY2Gv1cg#|GcaFasA z#}1-AWaqFBvnUAR`0&=mfAaWzKU|Ybi2V(QhD$b3x{xS1NeOO$qA6w`E(S*02WN;c zzS0YYlNQGaJXmUMnfq9Cs3UvpiNDI+IJ#P=Y#|dWNnskBB{947NHYWNi~LMgWM4W+ za_@u7Kz;G&0O7*)5Dlo~_bQPY+1fGo#7GhN8+e0voU;Shd4w_PG7j{2a8q;y2!uhIw#HUt_@yI(&4qWYYG&Xmj@( zECsmm72#A(f-*KGfml-h`r0QJ^|L8^R!Y2i{`he{cS!|tuJ8GYh>hMiBvIBD(q~%$ z!EU(U@E#KDqYs%8#}9clNCv*WI1(1nOJ|Q3OB~-t3rP|i zg7WZP<(Q2bvq}(#%ijSpN*%te0=Uo>k~5DN`6*jx!TO>0jer%@kP)Z=v!V>cf9F}^ z1PzG%WrZ^hIy$~g-Y*L&+1`!`Ge<%V==XOikdYco=Mi7d5iZ?+v{dUyC(uTYktP^l zL?I+$EJ+p`fPqE2E7^VJ|3%BPhZj2vv=oURaYMxWY0b>sRfi@6zhR zT~>cAtxDn@vcpZu6tFj#K7L`xy+1u)xi^-LNz5F&c>nzm`#gWxOb3_Hp3m{v4Pi|1( zaiI0x-O1#2)N0rK3qzIpl|xJ5CeuUmcpeQ&JaZwU1Up9GV8jz#Z0_1x$LOhGdGAFLuT2Z2=m7HM0PTXCpg+Zan~HU)d$9^T{#dibv6JWjF-*G2DV_*?m$5l3*I z!tyQu^RwSctP|Hae#Cf5Po{53zsjOJ1kP?S2p2IQ1AJ(88%d;01RSg+06p+T9l*@1pr71HHB`e;>Lb?K=A4L) zT}t5mE0oFn&?eEfz#WxmHl=JDShQ?GUc1r*zpjY$C~7XPlUw(yGHaVu1Pn-Ps(xYR zew+U^VIDoa$t1G1??f^Q9bq+yPv@rm;n0 zbUjd!M@v>ja{&`pkV}zZE6;(c26IKs|2oJ8_uYGO38m5>^l^vWvl1KHOWPk0As~c2 z_LVcV2Mz6*QD{jrT;jqMWXHnCwUB7jXx^@#%|j~yR*T?p6+5;tA>yFi^L}$N)mj_D z9`1`Epb*D|p)vGYX&{9m~e0lS2f6-GZ z$MGiUR*a1PJIMF=mU|OX@lAIJm@h{RzAEY2B}o*9onxrRY>;~MG(M^Gb@VOUnhGt? z6@|i)9!3R@Fk5OwMC02}6z_NMZ8JEcAmzNe(*!nkXhA(vx9c*BmN9 zIK<2qO;kt=Sk9RlvE++1yGjC=#__*tr|JJsI~c#wjzioB?H~^Kbn&qSqN_Tl0wqfb zgOL|vO=Z|%mtte3ke^y%UGvrNNw1w)hNK{iDNjvl4YO?Q!!1oWW`@$Y+ZU?akVx_H zTa1V~=hC#WP*Y{)>7a%(gHwFI+>bDmjSCP)MuVyd_!sNECPdEZ7S*kYzSpt%=n!5& zU(S+;pk&-iEJVsqFLCIysn59Pz=ICsz|k$8=~Q=h3fDMz@sDG3sh7TgFI>ug22WI7 zzJ^{`lqQKtjKtEFJv|DIL^HP`E=Y_LEnT|q;IAo#nCt5}hmwaSG}=K~?cHdN7hSz% z`tb@pgutRS(VyfPGRtLR9g+xk6EwEIk~O4|G)~PVUBjW-9#&^&;uE*&5ThsTQB}uq z=bba95mQy!xjr#{C3Gq+$68KS>1EBQsi>vB?mI`p7;u*+$f(tVRdJ#dA_98AXgqTo z3L-BwdwX$>1Cz6)7+m{RK8Clw_RDxK z_vnlInfh+Li)((RMFv@AGcjywLITD13I&NW49^((L1pGRHKriNgD7vB$JYhJLU{y!xdscCh+OsAStYp5_DsoP7eHpdg1UfXfs_!AHc&179 z%KGhjRMjLjM|ncpSh`Xv)4K2(JH+wG5-f5lZN)o)(nPzI_a?Qep;o)XBtU7-u~$yd z-p}q=`F(v`=yhch@WiNE16$Uzr$43C31W??xku%%w~i3%8N0iw$7^yy$I zWnkh&BycujRCcx96lCa{E4Fkcj7#jkkvpBZKDl@cDA~l%TIR<{>2&K#3w7wBapBEo zl{_<`IMl~BiMo}?^b|3$P+(-bBDGJ3IqxXzFMEaAqn*3nsi$hXELW7D=A9$MTC6BgU{&iU!(XgKWHnhD>&W+r8!dfqzruRGcDm0{x7{Lhc?iiQ?Nh zCZ?ZhZV=R%0uZV94q+Fs+_e5=RKM{1HneX@&gk&eZTWGR5aJhx3B+IhJ4DAPiV4CHXej_m?rjPH^nW}tNt5iV3`Dz_B6)-MRt=&wRXI8pNL;b?7U9EF| zUi`6i@(e-G$a$&LsLS}wLC|V_V2nVhciouBuTDeCAQd`>i{E6et|w?7oh3Xbb3`kB?xh z7f3Xskm2m9bzZ0QGvn3!oqDUKc*2nH#$1FdaP{eAy%j7;%c>j1kRun~nQNT=NF3^W zTgN$`pXaig$#YHA=j7m+>+$hvy`O1c?^i@OKe=yqB6r;#1AExruPcb0B=1zQE#`Vp zHH-gj**{Rjk`y5DxC}IGiMRV!T_tqv?nHQz7k)}`C*gUrrH{z#w|1Fk^u1seqLAaL zTx79|XvEM<@o*W%gMigjs$Ufnndwl-_yfVkMh_$un+}i%Q zy$r)qg_5;;<;>NCKtg3%hS5k$wE~D}l)T1>UC~OPP3>wy^`%onP_O)<+NS==N)6~R zs=!x^?Sf*ic&zRelHzs`{y59+jz8j{wfnS&(%5L^)7HlqXq%;>^+6ep|ESpgr5K-X zp*1gx0;*nTZme$F*{r&1t3Uy*#`vuFr3tg2Ot=z`8NGJMZESd(OpIH22&HNred|J< zHzw!8+h%{2?#qj#PXv}d*Jq&!xSg)72?NTverluS*!xlIv^z(?cqKhOp%L+-cto$H zgPm5D_W$FW)taaAp%mP|xQ63{YaYr$$9>)wWRI$poH>cmJ}sgktKX{idLVqEq&lD- zIgaHB+U&Hk?>DGv|I~Zr5jC9~TpE>_uwOj9b>Sm5_ai{(K~}i#?aal`)e<&WKJdjd z)}Cw!*R(x0br0v*L3kY1jknMV4F#DW^Ym?XMOl7)G&bnUXBWV{CnC#5D6V^%g#G?r z`nDBjg}0y=Wfchbe*09!k+(~Dc4#{Fb)u4-SB1xX`y=cL@B>%u<;2V-EX#w zS`lD#A#dcIDU%s^sgsLT=;SJ2aiXO#+`JZN!o7Yr9S0%45gOS?9ikBwNEd%B`?C7} zZ1Azt{jb@b)7I(Uln<^cp!#22gZh75W8z?MZe_t}N6%~B# z`)c4+i^&1YYmz)E%6uH2WS%vXlFRJJSl6$d>@aZm3a3ZuyrS1=WYc@IN#{rs>+(b! zsw&nd@)CiomL{(TXwp68Dg!a?$m7#!$Fg!y4Y-!s6AyS55Uz&I)fW(#%Ho2C*$&Ea zk)@NEh^V{dk__AOd(`ueQR(cVp@jp{@^6@j2Z_|7HA=I%B#V$QWxocl*c|=MX)PxU zU~Xs20f9~oa~Y(B**igC)=b1RSqHTynRb?GGF}ZA2P3oLFpf$}3P4bY5v3TVe9H0l zvplG9oHS`Pjy|I6`kU+Yj?EkhJu05(PQ`78KSdJbA{k%&@F zHj34zei^OmUF*~y^`*TuqE$W=Ikdd=rp9xWP)h8ttU?5z9KmX#n6ZWG&+sSw7K7 zre^thGz9u9UF`PhtnC~N=_ZSTRPbWecN&SCM(SDR$e?!(Lk~lHpQkzIgTgyua+0*O zOmcvAe~c*}OVP$81{l-3#zq7i$JRRH*i(-j-(VVM;~G`fdO_UCxr1!yg)k+Tc48q= zgqo4N4UcP5C7r1S`cMryptj~UfAps}gl+v~T(XCO{dv6H_fNX7pJUsTokL6Gqyf^7 zj_XXy$hVX#DeCO>o#nak>L)>IFTVIjp{ILFo+{Zj{6Em ze2sCD89VK==~k}Hx0d8NQ@221k;r^_@^3db}!;3aB3wi*2 zoqHNf<2d;>*`^TfU{*JQu)V1-=F0x{rq zW1o?j{(+n`hZBnt)-(=xamKM+^KajARj4RB2L=Ly0RLaUgY}2+xEncJ85!G}{lj~* zRSiC^3ZVH-mvX^8y?&7@{$d?}Oh&c(0~Ea=>yAl&R^EBl+wEjz>5wYoT!5RJJc1?v zk-DvU`m0a8Z;0%jM;Ly|3J3XAbi78zk{hD-7n>0=B{s+@fX1 z2`831URDO~9&Kz_5Qo!PZ^DPZ{*mks;5%4DZxWMdtus-vghHKex*{2OBatIVJAN(q zMw*;nt|1wN%B$IIV(MD!JKE^WnJqt7nJ388f{wC7oIbJ&M5J9#!Vq)i?CLsm890uT zIkxYuPg1g@db0;&bK&6GU0p3gj*L{Yhq!QG|E^=8cCvw{27Ii76WnB@k)ztP-A|51 z!OQpJEON%OS$~bV?dr7oI9KaQ5qexn;p`hZ*MgnAAXZ`wc){2Pdrj=6V|Rbj&Hoa0>hKbYAeQ8I*lQo-TM975!|tf zz9e1dq`4{5kP-6Ta0^=7tz*mdqIQEk-x;)`S!@>SPA#rEIOcAnez~`v?$>gTV#FV5 zUpUL>r92dY%HMkm{^H#&H^qmX^gUi}A$eOCIel-4U63ElDC0#?EP>9wo7>B;l(RIR zVfX0_OXAD#h%QowC@lo0X&*eaWWxb}N3>cQp9Q-|)C&{HfTsgt;mVqBJ*a{Ef; z9l6fE>;fq|L|G4Nq&SrCOGh)>!qG!z##a6)Lk$lu}Y-E@Qm`1irlEPZP$hR$jKMgD8)A||(!LClt`9lVLc6h# zfNi=Ouemdcb3wj*gnFk8d%Z5#Ybokr=CLVEPuSg4ndGZ6=wN7uEFIxj?Hl=~4gc_zfUq{Ud-ddZ0IzUtcVP$u4Z+PqyDU!@55U-kPt?*(` zP@37<7UR3Evmca)UE*A%UOaZHt0}Ks4OJHVn3bJqvMSo&8d~rp69g1ac6(@b(QKVM zk@4-_x@*E8m^D>ks_wVLmL#GdWckdXRYvq{2Xl3eZyts$3nP6g_8GWz`h32g9IO~H zH}e*MPQ%J>2N--L*?)PjC^Ilk%||N`^nbm3ls~-J^q-D9psHi@T?oy8y5=GMX(rX} zpuJ0=66xqO37QppuX3N2b2D$IX=;YFx5<0QL~+w9k$U+PN;-GTc@nFQr;BT_==#)m zaf=b^b>k9v@51hSI-7O1gGy^grugvC*)G5jQ=11ai?xGP;U*(Mb+5)45A4D(`i`vB z*bf(+B-MHaVZ)Lv+Y7sgA|WaM+e&wWtCciH6Q@DTj&7wYHqDeIM@Tn+;97s zwH)KsU0BWR$BL@XQORY!JTXFHAfx>`OscdTvU3`?BSz?ZF}R*v&a6`Sg1#aYsNct#EbFFUq)V8jYpm*(&FihZd%k zY8}byhWM|v-Oje!fN=Dl`dvw3*ImvgOyp^om)Bp0I&qXbR|}?e!@Ru4We269D)8HW zOEU=vfV|BQ*ZP;UwL!2tl6|Dgt&i38|DI^j|KV&7rfz=??ba?1e{VgG+EZ36`}lm= zl|q$jy|SY6T#%z4OSF(KKRE+Wf`h%wskr=m#Nf(OD`+be9jCXF?A5JqxBevKe=nI-#wR_@zJl2 zJL#w0*6KGSW?78$^6J|4m{z9goLOPFoy6~t*At|Ab?JU;(@mCa+MAEA<$Sk(Fnop3 zutN(&kYFlpzH0rt>S8l~yvn`eTJ^@BJOtTigUB3BT{6a`I)q&S{pib(=vrCJry{yZou4)4f;mB4dq z`l=g68!US>i~%hfbVFOw0VH7?R~0+G!Y@2--^hlIRX!{ZW92+PeE>_CyG<`VEl*RoIuO_h_(%l{zB zw75U?P_581BD>BOwMH*1mKQ@`6jQE_I-{3~QNRHK!~lbvvW24QRM~MRDoISdHuf93ZGL;?dUERnk1ivu($#miZfF- zD~_YszGvG0H7}M}I%#DuLFy<^yV#`&CZc)PPxbDwsSoT5#!6kPh>fQICJx8M8JaW7 zHd1k&N0^wz)>JW2L|G-4jJbY_dt!tb$Bn7%{!5|NkmcBHdY`15`{b8jD~aU7bH;1# zMA87|sj}dPNbcJ2yfkz}V)iWb*yD20gaB@5gmYyf%1_~@z?X_L6*=Li6z#G!hbFG~8`6iNQ6^dHLHKgE8>$-gR{ zzb%IBpJM;9?)g*hceeYBLH{;k%0J}(1Cjoz_B$>7^GQKJCd_{Cv;RPce~SG+8vF$q zf7?6tKgIsQjX#Bc&+vZ@9)FuH-S0yGX(;(q>vw@~ literal 0 HcmV?d00001 diff --git a/tofu/user-data-private.yml b/tofu/user-data-private.yml index d13590b..830bfdd 100644 --- a/tofu/user-data-private.yml +++ b/tofu/user-data-private.yml @@ -12,11 +12,15 @@ runcmd: - | # Configure default route for private-only server # Hetzner network route forwards traffic to edge gateway (10.0.0.2) + # Enable DHCP to get IP from Hetzner Cloud private network cat > /etc/netplan/60-private-network.yaml <<'NETPLAN' network: version: 2 ethernets: enp7s0: + dhcp4: true + dhcp4-overrides: + use-routes: false routes: - to: default via: 10.0.0.1 diff --git a/tofu/variables.tf b/tofu/variables.tf index cf2b1da..6c4d85c 100644 --- a/tofu/variables.tf +++ b/tofu/variables.tf @@ -31,25 +31,10 @@ variable "clients" { subdomain = string # e.g., "alpha" for alpha.platform.nl apps = list(string) # e.g., ["zitadel", "nextcloud"] nextcloud_volume_size = number # Size in GB for Nextcloud data volume (min 10, max 10000) - private_ip = optional(string) # Private IP in 10.0.0.0/24 range (e.g., "10.0.0.10") - public_ip_enabled = optional(bool, true) # Whether to enable public IP (default: true for backward compatibility) })) default = {} } -# Edge Server Configuration -variable "edge_server_type" { - description = "Server type for edge proxy server" - type = string - default = "cpx22" # 3 vCPU, 4 GB RAM - CPX11/21 unavailable in fsn1 -} - -variable "edge_location" { - description = "Location for edge proxy server" - type = string - default = "fsn1" # Falkenstein, Germany -} - # Enable automated snapshots variable "enable_snapshots" { description = "Enable automated daily snapshots (20% of server cost)"