Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: Post-X-Society:9a384863226598b8bd5172b769104ec9878dc117
Branches Tags
Post-X-Society:main
Post-X-Society:feature/authentik-identity
Post-X-Society:feature/nextcloud-deployment
Post-X-Society:v1.2-invitation-stage
Post-X-Society:v1.1-2fa-enforcement
Post-X-Society:v1.0-mailgun-oidc-fix
..
compare: Post-X-Society:e092931cb7884b89701812621258bc7a29dd31eb
Branches Tags
Post-X-Society:main
Post-X-Society:feature/authentik-identity
Post-X-Society:feature/nextcloud-deployment
Post-X-Society:v1.2-invitation-stage
Post-X-Society:v1.1-2fa-enforcement
Post-X-Society:v1.0-mailgun-oidc-fix

No commits in common. "9a384863226598b8bd5172b769104ec9878dc117" and "e092931cb7884b89701812621258bc7a29dd31eb" have entirely different histories.
9a38486322 ... e092931cb7

70 changed files with 1910 additions and 1370 deletions
Show stats Expand all files Collapse all files

6
.gitignore vendored
View file

@ -3,9 +3,7 @@ secrets/**/*.yaml
secrets/**/*.yml
!secrets/**/*.sops.yaml
!secrets/.sops.yaml
secrets/clients/*.sops.yaml
keys/age-key.txt
keys/ssh/
*.key
*.pem
@ -14,16 +12,12 @@ tofu/.terraform/
tofu/.terraform.lock.hcl
tofu/terraform.tfstate
tofu/terraform.tfstate.backup
tofu/terraform.tfstate.*.backup
tofu/*.tfvars
!tofu/terraform.tfvars.example
tofu/*.tfplan
tofu/tfplan
# Ansible
ansible/*.retry
ansible/.vault_pass
ansible/host_vars/
# OS files
.DS_Store

2
ansible/ansible.cfg
View file

@ -37,4 +37,4 @@ become_ask_pass = False
[ssh_connection]
pipelining = True
ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentitiesOnly=yes
ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no

10
ansible/host_vars/das.yml Normal file
View file

@ -0,0 +1,10 @@
---
# das server - direct public IP
# SSH directly to public IP
ansible_host: 49.13.49.246
# Client identification
client_name: das
client_domain: das.vrije.cloud
client_secrets_file: das.sops.yaml

11
ansible/host_vars/egel.yml Normal file
View file

@ -0,0 +1,11 @@
---
# egel server - behind edge proxy (private network only)
# SSH via edge server as bastion/jump host
ansible_host: 10.0.0.52
ansible_ssh_common_args: '-o ProxyCommand="ssh -i ../keys/ssh/edge -W %h:%p -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@78.47.191.38" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
# Client identification
client_name: egel
client_domain: egel.vrije.cloud
client_secrets_file: egel.sops.yaml

11
ansible/host_vars/haas.yml Normal file
View file

@ -0,0 +1,11 @@
---
# haas server - public network
# SSH directly via public IP
ansible_host: 78.46.229.195
ansible_ssh_private_key_file: ../keys/ssh/haas
# Client identification
client_name: haas
client_domain: haas.vrije.cloud
client_secrets_file: haas.sops.yaml

10
ansible/host_vars/kikker.yml Normal file
View file

@ -0,0 +1,10 @@
---
# kikker server - direct public IP
# SSH directly to public IP
ansible_host: 23.88.124.67
# Client identification
client_name: kikker
client_domain: kikker.vrije.cloud
client_secrets_file: kikker.sops.yaml

11
ansible/host_vars/mees.yml Normal file
View file

@ -0,0 +1,11 @@
---
# mees server - public network
# SSH directly via public IP
ansible_host: 167.235.198.19
ansible_ssh_private_key_file: ../keys/ssh/mees
# Client identification
client_name: mees
client_domain: mees.vrije.cloud
client_secrets_file: mees.sops.yaml

10
ansible/host_vars/mol.yml Normal file
View file

@ -0,0 +1,10 @@
---
# mol server - direct public IP
# SSH directly to server
ansible_host: 49.13.56.23
# Client identification
client_name: mol
client_domain: mol.vrije.cloud
client_secrets_file: mol.sops.yaml

10
ansible/host_vars/mus.yml Normal file
View file

@ -0,0 +1,10 @@
---
# mus server - direct public IP
# SSH directly to server
ansible_host: 91.107.217.126
# Client identification
client_name: mus
client_domain: mus.vrije.cloud
client_secrets_file: mus.sops.yaml

11
ansible/host_vars/ree.yml Normal file
View file

@ -0,0 +1,11 @@
---
# ree server - behind edge proxy (private network only)
# SSH via edge server as bastion/jump host
ansible_host: 10.0.0.49
ansible_ssh_common_args: '-o ProxyCommand="ssh -i ../keys/ssh/edge -W %h:%p -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@78.47.191.38" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
# Client identification
client_name: ree
client_domain: ree.vrije.cloud
client_secrets_file: ree.sops.yaml

11
ansible/host_vars/specht.yml Normal file
View file

@ -0,0 +1,11 @@
---
# specht server - public network
# SSH directly via public IP
ansible_host: 188.245.122.208
ansible_ssh_private_key_file: ../keys/ssh/specht
# Client identification
client_name: specht
client_domain: specht.vrije.cloud
client_secrets_file: specht.sops.yaml

10
ansible/host_vars/uil.yml Normal file
View file

@ -0,0 +1,10 @@
---
# uil server - direct public IP
# SSH directly to server
ansible_host: 91.99.208.20
# Client identification
client_name: uil
client_domain: uil.vrije.cloud
client_secrets_file: uil.sops.yaml

10
ansible/host_vars/valk.yml Normal file
View file

@ -0,0 +1,10 @@
---
# valk server - direct public IP
# SSH directly to public IP
ansible_host: 78.47.191.38
# Client identification
client_name: valk
client_domain: valk.vrije.cloud
client_secrets_file: valk.sops.yaml

10
ansible/host_vars/vos.yml Normal file
View file

@ -0,0 +1,10 @@
---
# vos server - direct public IP
# SSH directly to server
ansible_host: 128.140.91.174
# Client identification
client_name: vos
client_domain: vos.vrije.cloud
client_secrets_file: vos.sops.yaml

11
ansible/host_vars/white.yml Normal file
View file

@ -0,0 +1,11 @@
---
# white server - behind edge proxy (private network only)
# SSH via edge server as bastion/jump host
ansible_host: 10.0.0.40
ansible_ssh_common_args: '-o ProxyCommand="ssh -i ../keys/ssh/edge -W %h:%p -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@78.47.191.38" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
# Client identification
client_name: white
client_domain: white.vrije.cloud
client_secrets_file: white.sops.yaml

10
ansible/host_vars/wolf.yml Normal file
View file

@ -0,0 +1,10 @@
---
# wolf server - direct public IP
# SSH directly to server
ansible_host: 159.69.189.177
# Client identification
client_name: wolf
client_domain: wolf.vrije.cloud
client_secrets_file: wolf.sops.yaml

11
ansible/host_vars/zwaan.yml Normal file
View file

@ -0,0 +1,11 @@
---
# zwaan server - behind edge proxy (private network only)
# SSH via edge server as bastion/jump host
ansible_host: 10.0.0.42
ansible_ssh_common_args: '-o ProxyCommand="ssh -i ../keys/ssh/edge -W %h:%p -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@78.47.191.38" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
# Client identification
client_name: zwaan
client_domain: zwaan.vrije.cloud
client_secrets_file: zwaan.sops.yaml

124
ansible/playbooks/260123-configure-diun-webhook.yml
View file

@ -1,124 +0,0 @@
---
# Configure Diun to use webhook notifications instead of email
# This playbook updates all servers to send container update notifications
# to a Matrix room via webhook instead of individual emails per server
#
# Usage:
# ansible-playbook -i hcloud.yml playbooks/260123-configure-diun-webhook.yml
#
# Or for specific servers:
# ansible-playbook -i hcloud.yml playbooks/260123-configure-diun-webhook.yml --limit das,uil,vos
- name: Configure Diun webhook notifications on all servers
hosts: all
become: yes
vars:
# Diun base configuration (from role defaults)
diun_version: "latest"
diun_log_level: "info"
diun_watch_workers: 10
diun_watch_all: true
diun_exclude_containers: []
diun_first_check_notif: false
# Schedule: Daily at 6am UTC
diun_schedule: "0 6 * * *"
# Webhook configuration - sends to Matrix via custom webhook
diun_notif_enabled: true
diun_notif_type: webhook
diun_webhook_endpoint: "https://diun-webhook.postxsociety.cloud"
diun_webhook_method: POST
diun_webhook_headers:
Content-Type: application/json
# Disable email notifications
diun_email_enabled: false
# SMTP defaults (not used when email disabled, but needed for template)
diun_smtp_host: "smtp.eu.mailgun.org"
diun_smtp_port: 587
diun_smtp_from: "{{ client_name }}@mg.vrije.cloud"
diun_smtp_to: "pieter@postxsociety.org"
# Optional notification defaults (unused but needed for template)
diun_slack_webhook_url: ""
diun_matrix_enabled: false
diun_matrix_homeserver_url: ""
diun_matrix_user: ""
diun_matrix_password: ""
diun_matrix_room_id: ""
pre_tasks:
- name: Gather facts
setup:
- name: Determine client name from hostname
set_fact:
client_name: "{{ inventory_hostname }}"
- name: Load client secrets
community.sops.load_vars:
file: "{{ playbook_dir }}/../../secrets/clients/{{ client_name }}.sops.yaml"
name: client_secrets
age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
no_log: true
- name: Load shared secrets
community.sops.load_vars:
file: "{{ playbook_dir }}/../../secrets/shared.sops.yaml"
name: shared_secrets
age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
no_log: true
- name: Merge shared secrets into client_secrets
set_fact:
client_secrets: "{{ client_secrets | combine(shared_secrets) }}"
no_log: true
tasks:
- name: Set SMTP credentials (required by template even if unused)
set_fact:
diun_smtp_username_final: "{{ client_secrets.mailgun_smtp_user | default('') }}"
diun_smtp_password_final: ""
no_log: true
- name: Display configuration summary
debug:
msg: |
Configuring Diun on {{ inventory_hostname }}:
- Webhook endpoint: {{ diun_webhook_endpoint }}
- Email notifications: {{ 'enabled' if diun_email_enabled else 'disabled' }}
- Schedule: {{ diun_schedule }} (Daily at 6am UTC)
- name: Deploy Diun configuration with webhook
template:
src: "{{ playbook_dir }}/../roles/diun/templates/diun.yml.j2"
dest: /opt/docker/diun/diun.yml
mode: '0644'
notify: Restart Diun
- name: Restart Diun to apply new configuration
community.docker.docker_compose_v2:
project_src: /opt/docker/diun
state: restarted
- name: Wait for Diun to start
pause:
seconds: 5
- name: Check Diun status
shell: docker ps --filter name=diun --format "{{ '{{' }}.Status{{ '}}' }}"
register: diun_status
changed_when: false
- name: Display Diun status
debug:
msg: "Diun status on {{ inventory_hostname }}: {{ diun_status.stdout }}"
handlers:
- name: Restart Diun
community.docker.docker_compose_v2:
project_src: /opt/docker/diun
state: restarted

123
ansible/playbooks/260123-upgrade-nextcloud-stage-v2.yml
View file

@ -1,123 +0,0 @@
---
# Nextcloud Upgrade Stage Task File (Fixed Version)
# This file is included by 260123-upgrade-nextcloud-v2.yml for each upgrade stage
# Do not run directly
#
# Improvements:
# - Better version detection (actual running version)
# - Proper error handling
# - Clearer status messages
# - Maintenance mode handling
- name: "Stage {{ stage.stage }}: Starting v{{ stage.from }} → v{{ stage.to }}"
debug:
msg: |
============================================================
Stage {{ stage.stage }}: Upgrading v{{ stage.from }} → v{{ stage.to }}
============================================================
- name: "Stage {{ stage.stage }}: Get current running version"
shell: docker exec -u www-data nextcloud php occ status --output=json
register: stage_version_check
changed_when: false
- name: "Stage {{ stage.stage }}: Parse current version"
set_fact:
stage_current: "{{ (stage_version_check.stdout | from_json).versionstring }}"
- name: "Stage {{ stage.stage }}: Display current version"
debug:
msg: "Currently running: v{{ stage_current }}"
- name: "Stage {{ stage.stage }}: Check if already on target version"
debug:
msg: "✓ Already on v{{ stage_current }} - skipping this stage"
when: stage_current is version(stage.to, '>=')
- name: "Stage {{ stage.stage }}: Skip if already upgraded"
meta: end_play
when: stage_current is version(stage.to, '>=')
- name: "Stage {{ stage.stage }}: Verify version is compatible"
fail:
msg: "Cannot upgrade from v{{ stage_current }} (expected v{{ stage.from }}.x)"
when: stage_current is version(stage.from, '<') or (stage_current is version(stage.to, '>='))
- name: "Stage {{ stage.stage }}: Update docker-compose.yml to v{{ stage.to }}"
replace:
path: "{{ nextcloud_base_dir }}/docker-compose.yml"
regexp: 'image:\s*nextcloud:{{ stage.from }}'
replace: 'image: nextcloud:{{ stage.to }}'
- name: "Stage {{ stage.stage }}: Verify docker-compose.yml was updated"
shell: grep "image{{ ':' }} nextcloud{{ ':' }}{{ stage.to }}" {{ nextcloud_base_dir }}/docker-compose.yml
register: compose_verify
changed_when: false
failed_when: compose_verify.rc != 0
- name: "Stage {{ stage.stage }}: Pull Nextcloud v{{ stage.to }} image"
shell: docker pull nextcloud:{{ stage.to }}
register: image_pull
changed_when: "'Downloaded' in image_pull.stdout or 'Pulling' in image_pull.stdout or 'Downloaded newer' in image_pull.stderr"
- name: "Stage {{ stage.stage }}: Stop containers before upgrade"
community.docker.docker_compose_v2:
project_src: "{{ nextcloud_base_dir }}"
state: stopped
- name: "Stage {{ stage.stage }}: Start containers with new version"
community.docker.docker_compose_v2:
project_src: "{{ nextcloud_base_dir }}"
state: present
- name: "Stage {{ stage.stage }}: Wait for Nextcloud container to be ready"
shell: |
count=0
max_attempts=60
while [ $count -lt $max_attempts ]; do
if docker exec nextcloud curl -f http://localhost:80/status.php 2>/dev/null; then
echo "Container ready after $count attempts"
exit 0
fi
sleep 5
count=$((count + 1))
done
echo "Timeout waiting for container after $max_attempts attempts"
exit 1
register: container_ready
changed_when: false
- name: "Stage {{ stage.stage }}: Run occ upgrade"
shell: docker exec -u www-data nextcloud php occ upgrade --no-interaction
register: occ_upgrade
changed_when: "'Update successful' in occ_upgrade.stdout or 'upgraded' in occ_upgrade.stdout"
failed_when:
- occ_upgrade.rc != 0
- "'already latest version' not in occ_upgrade.stdout"
- "'No upgrade required' not in occ_upgrade.stdout"
- name: "Stage {{ stage.stage }}: Display upgrade output"
debug:
msg: "{{ occ_upgrade.stdout_lines }}"
- name: "Stage {{ stage.stage }}: Verify upgrade succeeded"
shell: docker exec -u www-data nextcloud php occ status --output=json
register: stage_verify
changed_when: false
- name: "Stage {{ stage.stage }}: Parse upgraded version"
set_fact:
stage_upgraded: "{{ (stage_verify.stdout | from_json).versionstring }}"
- name: "Stage {{ stage.stage }}: Check upgrade was successful"
fail:
msg: "Upgrade to v{{ stage.to }} failed - still on v{{ stage_upgraded }}"
when: stage_upgraded is version(stage.to, '<')
- name: "Stage {{ stage.stage }}: Success"
debug:
msg: |
============================================================
✓ Stage {{ stage.stage }} completed successfully
Upgraded from v{{ stage_current }} to v{{ stage_upgraded }}
============================================================

378
ansible/playbooks/260123-upgrade-nextcloud-v2.yml
View file

@ -1,378 +0,0 @@
---
# Nextcloud Major Version Upgrade Playbook (Fixed Version)
# Created: 2026-01-23
# Purpose: Safely upgrade Nextcloud from v30 to v32 via v31 (staged upgrade)
#
# Usage:
# cd ansible/
# HCLOUD_TOKEN="..." ansible-playbook -i hcloud.yml \
# playbooks/260123-upgrade-nextcloud-v2.yml --limit <server> \
# --private-key "../keys/ssh/<server>"
#
# Requirements:
# - HCLOUD_TOKEN environment variable set
# - SSH access to target server
# - Sufficient disk space for backups
#
# Improvements over v1:
# - Idempotent: can be re-run safely after failures
# - Better version state tracking (reads actual running version)
# - Proper maintenance mode handling
# - Stage skipping if already on target version
# - Better error messages and rollback instructions
- name: Upgrade Nextcloud from v30 to v32 (staged)
hosts: all
become: true
gather_facts: true
vars:
nextcloud_base_dir: "/opt/nextcloud"
backup_dir: "/root/nextcloud-backup-{{ ansible_date_time.iso8601_basic_short }}"
target_version: "32"
tasks:
# ============================================================
# PRE-UPGRADE CHECKS
# ============================================================
- name: Display upgrade plan
debug:
msg: |
============================================================
Nextcloud Upgrade Plan - {{ inventory_hostname }}
============================================================
Target: Nextcloud v{{ target_version }}
Backup: {{ backup_dir }}
This playbook will:
1. Detect current version
2. Create backup if needed
3. Upgrade through required stages (v30→v31→v32)
4. Skip stages already completed
5. Re-enable apps and disable maintenance mode
Estimated time: 10-20 minutes
============================================================
- name: Check if Nextcloud is installed
shell: docker ps --filter "name=^nextcloud$" --format "{{ '{{' }}.Names{{ '}}' }}"
register: nextcloud_running
changed_when: false
failed_when: false
- name: Fail if Nextcloud is not running
fail:
msg: "Nextcloud container is not running on {{ inventory_hostname }}"
when: "'nextcloud' not in nextcloud_running.stdout"
- name: Get current Nextcloud version
shell: docker exec -u www-data nextcloud php occ status --output=json
register: nextcloud_status
changed_when: false
failed_when: false
- name: Parse Nextcloud status
set_fact:
nc_status: "{{ nextcloud_status.stdout | from_json }}"
when: nextcloud_status.rc == 0
- name: Handle Nextcloud in maintenance mode
block:
- name: Display maintenance mode warning
debug:
msg: "⚠ Nextcloud is in maintenance mode. Attempting to disable it..."
- name: Disable maintenance mode if enabled
shell: docker exec -u www-data nextcloud php occ maintenance:mode --off
register: maint_off
changed_when: "'disabled' in maint_off.stdout"
- name: Wait a moment for mode change
pause:
seconds: 2
- name: Re-check status after disabling maintenance mode
shell: docker exec -u www-data nextcloud php occ status --output=json
register: nextcloud_status_retry
changed_when: false
- name: Update status
set_fact:
nc_status: "{{ nextcloud_status_retry.stdout | from_json }}"
when: nextcloud_status.rc != 0 or (nc_status is defined and nc_status.maintenance | bool)
- name: Display current version
debug:
msg: |
Current: v{{ nc_status.versionstring }}
Target: v{{ target_version }}
Maintenance mode: {{ nc_status.maintenance }}
- name: Check if already on target version
debug:
msg: "✓ Nextcloud is already on v{{ nc_status.versionstring }} - nothing to do"
when: nc_status.versionstring is version(target_version, '>=')
- name: End play if already upgraded
meta: end_host
when: nc_status.versionstring is version(target_version, '>=')
- name: Check disk space
shell: df -BG {{ nextcloud_base_dir }} | tail -1 | awk '{print $4}' | sed 's/G//'
register: disk_space_gb
changed_when: false
- name: Verify sufficient disk space
fail:
msg: "Insufficient disk space: {{ disk_space_gb.stdout }}GB available, need at least 5GB"
when: disk_space_gb.stdout | int < 5
- name: Display available disk space
debug:
msg: "Available disk space: {{ disk_space_gb.stdout }}GB"
# ============================================================
# BACKUP PHASE (only if not already backed up)
# ============================================================
- name: Check if backup already exists
stat:
path: "{{ backup_dir }}"
register: backup_exists
- name: Skip backup if already exists
debug:
msg: "✓ Backup already exists at {{ backup_dir }} - skipping backup phase"
when: backup_exists.stat.exists
- name: Create backup
block:
- name: Create backup directory
file:
path: "{{ backup_dir }}"
state: directory
mode: '0700'
- name: Enable maintenance mode for backup
shell: docker exec -u www-data nextcloud php occ maintenance:mode --on
register: maintenance_on
changed_when: "'enabled' in maintenance_on.stdout"
- name: Backup Nextcloud database
shell: |
docker exec nextcloud-db pg_dump -U nextcloud nextcloud | gzip > {{ backup_dir }}/database.sql.gz
args:
creates: "{{ backup_dir }}/database.sql.gz"
- name: Get database backup size
stat:
path: "{{ backup_dir }}/database.sql.gz"
register: db_backup
- name: Display database backup info
debug:
msg: "Database backup: {{ (db_backup.stat.size / 1024 / 1024) | round(2) }} MB"
- name: Stop Nextcloud containers for volume backup
community.docker.docker_compose_v2:
project_src: "{{ nextcloud_base_dir }}"
state: stopped
- name: Backup Nextcloud app volume
shell: |
tar -czf {{ backup_dir }}/nextcloud-app-volume.tar.gz -C /var/lib/docker/volumes/nextcloud-app/_data .
args:
creates: "{{ backup_dir }}/nextcloud-app-volume.tar.gz"
- name: Backup Nextcloud database volume
shell: |
tar -czf {{ backup_dir }}/nextcloud-db-volume.tar.gz -C /var/lib/docker/volumes/nextcloud-db-data/_data .
args:
creates: "{{ backup_dir }}/nextcloud-db-volume.tar.gz"
- name: Copy current docker-compose.yml to backup
copy:
src: "{{ nextcloud_base_dir }}/docker-compose.yml"
dest: "{{ backup_dir }}/docker-compose.yml.backup"
remote_src: true
- name: Display backup summary
debug:
msg: |
============================================================
✓ Backup completed: {{ backup_dir }}
============================================================
To restore from backup if needed:
1. cd {{ nextcloud_base_dir }} && docker compose down
2. tar -xzf {{ backup_dir }}/nextcloud-app-volume.tar.gz -C /var/lib/docker/volumes/nextcloud-app/_data
3. tar -xzf {{ backup_dir }}/nextcloud-db-volume.tar.gz -C /var/lib/docker/volumes/nextcloud-db-data/_data
4. cp {{ backup_dir }}/docker-compose.yml.backup {{ nextcloud_base_dir }}/docker-compose.yml
5. cd {{ nextcloud_base_dir }} && docker compose up -d
============================================================
- name: Restart containers after backup
community.docker.docker_compose_v2:
project_src: "{{ nextcloud_base_dir }}"
state: present
- name: Wait for Nextcloud to be ready
shell: |
count=0
max_attempts=24
while [ $count -lt $max_attempts ]; do
if docker exec nextcloud curl -f http://localhost:80/status.php 2>/dev/null; then
echo "Ready after $count attempts"
exit 0
fi
sleep 5
count=$((count + 1))
done
echo "Timeout after $max_attempts attempts"
exit 1
register: nextcloud_ready
changed_when: false
- name: Disable maintenance mode after backup
shell: docker exec -u www-data nextcloud php occ maintenance:mode --off
register: maint_off_backup
changed_when: "'disabled' in maint_off_backup.stdout"
when: not backup_exists.stat.exists
# ============================================================
# DETERMINE UPGRADE PATH
# ============================================================
- name: Initialize stage counter
set_fact:
stage_number: 0
# ============================================================
# STAGED UPGRADE LOOP - Dynamic version checking
# ============================================================
- name: Stage 1 - Upgrade v30→v31 if needed
block:
- name: Get current version
shell: docker exec -u www-data nextcloud php occ status --output=json
register: version_check
changed_when: false
- name: Parse version
set_fact:
current_version: "{{ (version_check.stdout | from_json).versionstring }}"
- name: Check if v30→v31 upgrade needed
set_fact:
needs_v31_upgrade: "{{ current_version is version('30', '>=') and current_version is version('31', '<') }}"
- name: Perform v30→v31 upgrade
include_tasks: "{{ playbook_dir }}/260123-upgrade-nextcloud-stage-v2.yml"
vars:
stage:
from: "30"
to: "31"
stage: 1
when: needs_v31_upgrade
- name: Stage 2 - Upgrade v31→v32 if needed
block:
- name: Get current version
shell: docker exec -u www-data nextcloud php occ status --output=json
register: version_check
changed_when: false
- name: Parse version
set_fact:
current_version: "{{ (version_check.stdout | from_json).versionstring }}"
- name: Check if v31→v32 upgrade needed
set_fact:
needs_v32_upgrade: "{{ current_version is version('31', '>=') and current_version is version('32', '<') }}"
- name: Perform v31→v32 upgrade
include_tasks: "{{ playbook_dir }}/260123-upgrade-nextcloud-stage-v2.yml"
vars:
stage:
from: "31"
to: "32"
stage: 2
when: needs_v32_upgrade
# ============================================================
# POST-UPGRADE
# ============================================================
- name: Get final version
shell: docker exec -u www-data nextcloud php occ status --output=json
register: final_status
changed_when: false
- name: Parse final version
set_fact:
final_version: "{{ (final_status.stdout | from_json).versionstring }}"
- name: Verify upgrade to target version
fail:
msg: "Upgrade incomplete - on v{{ final_version }}, expected v{{ target_version }}.x"
when: final_version is version(target_version, '<')
- name: Run database optimizations
shell: docker exec -u www-data nextcloud php occ db:add-missing-indices
register: db_indices
changed_when: false
failed_when: false
- name: Run bigint conversion
shell: docker exec -u www-data nextcloud php occ db:convert-filecache-bigint --no-interaction
register: db_bigint
changed_when: false
failed_when: false
timeout: 600
- name: Re-enable critical apps
shell: |
docker exec -u www-data nextcloud php occ app:enable user_oidc || true
docker exec -u www-data nextcloud php occ app:enable richdocuments || true
register: apps_enabled
changed_when: false
- name: Ensure maintenance mode is disabled
shell: docker exec -u www-data nextcloud php occ maintenance:mode --off
register: final_maint_off
changed_when: "'disabled' in final_maint_off.stdout"
failed_when: false
- name: Update docker-compose.yml to use latest tag
replace:
path: "{{ nextcloud_base_dir }}/docker-compose.yml"
regexp: 'image:\s*nextcloud:\d+'
replace: 'image: nextcloud:latest'
- name: Display success message
debug:
msg: |
============================================================
✓ UPGRADE SUCCESSFUL!
============================================================
Server: {{ inventory_hostname }}
From: v30.x
To: v{{ final_version }}
Backup: {{ backup_dir }}
Next steps:
1. Test login: https://nextcloud.{{ client_domain }}
2. Test OIDC: Click "Login with Authentik"
3. Test file operations
4. Test Collabora Office
If all tests pass, remove backup:
rm -rf {{ backup_dir }}
docker-compose.yml now uses 'nextcloud:latest' tag
============================================================

156
ansible/playbooks/260124-configure-diun-watchrepo.yml
View file

@ -1,156 +0,0 @@
---
# Configure Diun to disable watchRepo and add Docker Hub authentication
# This playbook updates all servers to:
# - Only watch specific image tags (not entire repositories) to reduce API calls
# - Add Docker Hub authentication for higher rate limits
#
# Background:
# - watchRepo: true checks ALL tags in a repository (hundreds of API calls)
# - watchRepo: false only checks the specific tag being used (1-2 API calls)
# - Docker Hub auth increases rate limit from 100 to 5000 pulls per 6 hours
#
# Usage:
# cd ansible/
# SOPS_AGE_KEY_FILE="../keys/age-key.txt" HCLOUD_TOKEN="..." \
# ansible-playbook -i hcloud.yml playbooks/260124-configure-diun-watchrepo.yml
#
# Or for specific servers:
# SOPS_AGE_KEY_FILE="../keys/age-key.txt" HCLOUD_TOKEN="..." \
# ansible-playbook -i hcloud.yml playbooks/260124-configure-diun-watchrepo.yml \
# --limit das,uil,vos --private-key "../keys/ssh/das"
- name: Configure Diun watchRepo and Docker Hub authentication
hosts: all
become: yes
vars:
# Diun base configuration
diun_version: "latest"
diun_log_level: "info"
diun_watch_workers: 10
diun_watch_all: true
diun_exclude_containers: []
diun_first_check_notif: false
# Schedule: Weekly on Monday at 6am UTC (to reduce API calls)
diun_schedule: "0 6 * * 1"
# Disable watchRepo - only check the specific tags we're using
diun_watch_repo: false
# Webhook configuration - sends to Matrix via custom webhook
diun_notif_enabled: true
diun_notif_type: webhook
diun_webhook_endpoint: "https://diun-webhook.postxsociety.cloud"
diun_webhook_method: POST
diun_webhook_headers:
Content-Type: application/json
# Disable email notifications
diun_email_enabled: false
# SMTP defaults (not used when email disabled, but needed for template)
diun_smtp_host: "smtp.eu.mailgun.org"
diun_smtp_port: 587
diun_smtp_from: "{{ client_name }}@mg.vrije.cloud"
diun_smtp_to: "pieter@postxsociety.org"
# Optional notification defaults (unused but needed for template)
diun_slack_webhook_url: ""
diun_matrix_enabled: false
diun_matrix_homeserver_url: ""
diun_matrix_user: ""
diun_matrix_password: ""
diun_matrix_room_id: ""
pre_tasks:
- name: Gather facts
setup:
- name: Determine client name from hostname
set_fact:
client_name: "{{ inventory_hostname }}"
- name: Load client secrets
community.sops.load_vars:
file: "{{ playbook_dir }}/../../secrets/clients/{{ client_name }}.sops.yaml"
name: client_secrets
age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
no_log: true
- name: Load shared secrets
community.sops.load_vars:
file: "{{ playbook_dir }}/../../secrets/shared.sops.yaml"
name: shared_secrets
age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
no_log: true
- name: Merge shared secrets into client_secrets
set_fact:
client_secrets: "{{ client_secrets | combine(shared_secrets) }}"
no_log: true
tasks:
- name: Set SMTP credentials (required by template even if unused)
set_fact:
diun_smtp_username_final: "{{ client_secrets.mailgun_smtp_user | default('') }}"
diun_smtp_password_final: ""
no_log: true
- name: Set Docker Hub credentials for higher rate limits
set_fact:
diun_docker_hub_username: "{{ client_secrets.docker_hub_username }}"
diun_docker_hub_password: "{{ client_secrets.docker_hub_password }}"
no_log: true
- name: Display configuration summary
debug:
msg: |
Configuring Diun on {{ inventory_hostname }}:
- Webhook endpoint: {{ diun_webhook_endpoint }}
- Email notifications: {{ 'enabled' if diun_email_enabled else 'disabled' }}
- Schedule: {{ diun_schedule }} (Weekly on Monday at 6am UTC)
- Watch entire repositories: {{ 'yes' if diun_watch_repo else 'no (only specific tags)' }}
- Docker Hub auth: {{ 'enabled' if diun_docker_hub_username else 'disabled' }}
- name: Deploy Diun configuration with watchRepo disabled and Docker Hub auth
template:
src: "{{ playbook_dir }}/../roles/diun/templates/diun.yml.j2"
dest: /opt/docker/diun/diun.yml
mode: '0644'
notify: Restart Diun
- name: Restart Diun to apply new configuration
community.docker.docker_compose_v2:
project_src: /opt/docker/diun
state: restarted
- name: Wait for Diun to start
pause:
seconds: 5
- name: Check Diun status
shell: docker ps --filter name=diun --format "{{ '{{' }}.Status{{ '}}' }}"
register: diun_status
changed_when: false
- name: Display Diun status
debug:
msg: "Diun status on {{ inventory_hostname }}: {{ diun_status.stdout }}"
- name: Verify Diun configuration
shell: docker exec diun cat /diun.yml | grep -E "(watchRepo|regopts)" || echo "Config deployed"
register: diun_config_check
changed_when: false
- name: Display configuration verification
debug:
msg: |
Configuration applied on {{ inventory_hostname }}:
{{ diun_config_check.stdout }}
handlers:
- name: Restart Diun
community.docker.docker_compose_v2:
project_src: /opt/docker/diun
state: restarted

151
ansible/playbooks/260124-nextcloud-maintenance.yml
View file

@ -1,151 +0,0 @@
---
# Nextcloud Maintenance Playbook
# Created: 2026-01-24
# Purpose: Run database and file maintenance tasks on Nextcloud instances
#
# This playbook performs:
# 1. Add missing database indices (improves query performance)
# 2. Update mimetypes database (ensures proper file type handling)
#
# Usage:
# cd ansible/
# HCLOUD_TOKEN="..." ansible-playbook -i hcloud.yml \
# playbooks/nextcloud-maintenance.yml --limit <server> \
# --private-key "../keys/ssh/<server>"
#
# To run on all servers:
# HCLOUD_TOKEN="..." ansible-playbook -i hcloud.yml \
# playbooks/nextcloud-maintenance.yml \
# --private-key "../keys/ssh/<server>"
#
# Requirements:
# - HCLOUD_TOKEN environment variable set
# - SSH access to target server(s)
# - Nextcloud container must be running
- name: Nextcloud Maintenance Tasks
hosts: all
become: true
gather_facts: true
vars:
nextcloud_container: "nextcloud"
tasks:
# ============================================================
# PRE-CHECK
# ============================================================
- name: Display maintenance plan
debug:
msg: |
============================================================
Nextcloud Maintenance - {{ inventory_hostname }}
============================================================
This playbook will:
1. Add missing database indices
2. Update mimetypes database
3. Display results
Estimated time: 1-3 minutes per server
============================================================
- name: Check if Nextcloud container is running
shell: docker ps --filter "name=^{{ nextcloud_container }}$" --format "{{ '{{' }}.Names{{ '}}' }}"
register: nextcloud_running
changed_when: false
failed_when: false
- name: Fail if Nextcloud is not running
fail:
msg: "Nextcloud container is not running on {{ inventory_hostname }}"
when: "'nextcloud' not in nextcloud_running.stdout"
- name: Get current Nextcloud version
shell: docker exec -u www-data {{ nextcloud_container }} php occ --version
register: nextcloud_version
changed_when: false
- name: Display Nextcloud version
debug:
msg: "{{ nextcloud_version.stdout }}"
# ============================================================
# TASK 1: ADD MISSING DATABASE INDICES
# ============================================================
- name: Check for missing database indices
shell: docker exec -u www-data {{ nextcloud_container }} php occ db:add-missing-indices
register: db_indices_result
changed_when: "'updated successfully' in db_indices_result.stdout"
failed_when: db_indices_result.rc != 0
- name: Display database indices results
debug:
msg: |
============================================================
Database Indices Results
============================================================
{{ db_indices_result.stdout }}
============================================================
# ============================================================
# TASK 2: UPDATE MIMETYPES DATABASE
# ============================================================
- name: Update mimetypes database
shell: docker exec -u www-data {{ nextcloud_container }} php occ maintenance:mimetype:update-db
register: mimetype_result
changed_when: "'Added' in mimetype_result.stdout"
failed_when: mimetype_result.rc != 0
- name: Parse mimetype results
set_fact:
mimetypes_added: "{{ mimetype_result.stdout | regex_search('Added (\\d+) new mimetypes', '\\1') | default(['0'], true) | first }}"
- name: Display mimetype results
debug:
msg: |
============================================================
Mimetype Update Results
============================================================
Mimetypes added: {{ mimetypes_added }}
{% if mimetypes_added | int > 0 %}
✓ Mimetype database updated successfully
{% else %}
✓ All mimetypes already up to date
{% endif %}
============================================================
# ============================================================
# SUMMARY
# ============================================================
- name: Display maintenance summary
debug:
msg: |
============================================================
✓ MAINTENANCE COMPLETED - {{ inventory_hostname }}
============================================================
Server: {{ inventory_hostname }}
Version: {{ nextcloud_version.stdout }}
Tasks completed:
{% if db_indices_result.changed %}
✓ Database indices: Updated
{% else %}
✓ Database indices: Already optimized
{% endif %}
{% if mimetype_result.changed %}
✓ Mimetypes: Added {{ mimetypes_added }} new types
{% else %}
✓ Mimetypes: Already up to date
{% endif %}
Next steps:
- Check admin interface for any remaining warnings
- Warnings may take a few minutes to clear from cache
============================================================

3
ansible/playbooks/deploy.yml
View file

@ -39,7 +39,6 @@
name: client_secrets
age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
no_log: true
tags: always
- name: Load shared secrets (Mailgun API key, etc.)
community.sops.load_vars:
@ -47,13 +46,11 @@
name: shared_secrets
age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
no_log: true
tags: always
- name: Merge shared secrets into client_secrets
set_fact:
client_secrets: "{{ client_secrets | combine(shared_secrets) }}"
no_log: true
tags: always
- name: Set client domain from secrets
set_fact:

48
ansible/playbooks/fix-private-network.yml Normal file
View file

@ -0,0 +1,48 @@
---
# Playbook to fix private network configuration on servers
# This fixes the netplan configuration to properly enable DHCP
# on the private network interface (enp7s0)
- name: Fix private network configuration
hosts: all
gather_facts: no
become: yes
tasks:
- name: Check if server is reachable
ansible.builtin.wait_for_connection:
timeout: 5
register: connection_test
ignore_errors: yes
- name: Create corrected netplan configuration for private network
ansible.builtin.copy:
dest: /etc/netplan/60-private-network.yaml
mode: '0600'
content: |
network:
version: 2
ethernets:
enp7s0:
dhcp4: true
dhcp4-overrides:
use-routes: false
routes:
- to: default
via: 10.0.0.1
when: connection_test is succeeded
- name: Apply netplan configuration
ansible.builtin.command: netplan apply
when: connection_test is succeeded
register: netplan_result
- name: Show netplan result
ansible.builtin.debug:
msg: "Netplan applied successfully on {{ inventory_hostname }}"
when: connection_test is succeeded and netplan_result is succeeded
- name: Wait for network to stabilize
ansible.builtin.wait_for_connection:
timeout: 10
when: connection_test is succeeded

20
ansible/playbooks/setup-edge.yml Normal file
View file

@ -0,0 +1,20 @@
---
# Setup Edge Server
# Configures the edge server with Traefik reverse proxy
- name: Setup edge server
hosts: edge
become: yes
roles:
- role: common
tags: [common, setup]
- role: docker
tags: [docker, setup]
- role: nat-gateway
tags: [nat, gateway]
- role: edge-traefik
tags: [traefik, edge]

45
ansible/roles/authentik/files/create_recovery_flow.py
View file

@ -8,7 +8,6 @@ This script creates a complete password recovery flow in Authentik with:
- Recovery email stage (sends recovery token)
- Password change stages (with validation)
- Integration with default authentication flow
- Brand default recovery flow configuration
Usage:
python3 create_recovery_flow.py <api_token> <authentik_domain>
@ -362,45 +361,6 @@ def update_authentication_identification_stage(base_url, token, stage_uuid, pass
return False
def update_brand_recovery_flow(base_url, token, recovery_flow_uuid):
"""Update the default brand to use the recovery flow"""
print("Updating brand default recovery flow...")
# Get the default brand (authentik has one brand by default)
status, brands = api_request(base_url, token, '/api/v3/core/brands/')
if status != 200:
print(f" ✗ Failed to get brands: {brands}")
return False
results = brands.get('results', [])
if not results:
print(f" ✗ No brands found")
return False
# Use the first/default brand
brand = results[0]
brand_uuid = brand.get('brand_uuid')
# Check if already configured
if brand.get('flow_recovery') == recovery_flow_uuid:
print(f" ✓ Brand recovery flow already configured")
return True
# Update the brand with recovery flow
update_data = {
"domain": brand.get('domain'),
"flow_recovery": recovery_flow_uuid
}
status, result = api_request(base_url, token, f'/api/v3/core/brands/{brand_uuid}/', 'PATCH', update_data)
if status == 200:
print(f" ✓ Updated brand default recovery flow")
return True
else:
print(f" ✗ Failed to update brand: {result}")
return False
def main():
if len(sys.argv) < 3:
print("Usage: python3 create_recovery_flow.py <api_token> <authentik_domain>")
@ -485,10 +445,6 @@ def main():
if not remove_separate_password_stage_from_auth_flow(base_url, token, auth_flow_uuid, auth_password_uuid):
print("\n⚠ Warning: Failed to remove separate password stage (may not exist)")
# Step 9: Update brand default recovery flow
if not update_brand_recovery_flow(base_url, token, recovery_flow_uuid):
print("\n⚠ Warning: Failed to update brand recovery flow (non-critical)")
# Success!
print("\n" + "=" * 80)
print("✓ Recovery Flow Configuration Complete!")
@ -500,7 +456,6 @@ def main():
print(" ✓ Recovery email with 30-minute token")
print(" ✓ Password + username on same login page")
print("'Forgot password?' link on login page")
print(" ✓ Brand default recovery flow configured")
print("\nTest the recovery flow:")
print(f" 1. Visit: https://{authentik_domain}/if/flow/default-authentication-flow/")
print(" 2. Click 'Forgot password?' link")

2
ansible/roles/authentik/tasks/providers.yml
View file

@ -23,7 +23,7 @@
if not auth_flow or not key: print(json.dumps({'error': 'Config missing'}), file=sys.stderr); sys.exit(1)
s, prov = req('/api/v3/providers/oauth2/', 'POST', {'name': 'Nextcloud', 'authorization_flow': auth_flow, 'invalidation_flow': inval_flow, 'client_type': 'confidential', 'redirect_uris': [{'matching_mode': 'strict', 'url': 'https://{{ nextcloud_domain }}/apps/user_oidc/code'}], 'signing_key': key, 'sub_mode': 'hashed_user_id', 'include_claims_in_id_token': True})
if s != 201: print(json.dumps({'error': 'Provider failed', 'details': prov}), file=sys.stderr); sys.exit(1)
s, app = req('/api/v3/core/applications/', 'POST', {'name': 'Nextcloud', 'slug': 'nextcloud', 'provider': prov['pk'], 'meta_launch_url': 'https://nextcloud.{{ client_domain }}'})
s, app = req('/api/v3/core/applications/', 'POST', {'name': 'Nextcloud', 'slug': 'nextcloud', 'provider': prov['pk'], 'meta_launch_url': 'https://{{ nextcloud_domain }}'})
if s != 201: print(json.dumps({'error': 'App failed', 'details': app}), file=sys.stderr); sys.exit(1)
print(json.dumps({'success': True, 'provider_id': prov['pk'], 'application_id': app['pk'], 'client_id': prov['client_id'], 'client_secret': prov['client_secret'], 'discovery_uri': f"https://{{ authentik_domain }}/application/o/nextcloud/.well-known/openid-configuration", 'issuer': f"https://{{ authentik_domain }}/application/o/nextcloud/"}))
dest: /tmp/create_oidc.py

12
ansible/roles/diun/defaults/main.yml
View file

@ -1,7 +1,7 @@
---
# Diun default configuration
diun_version: "latest"
diun_schedule: "0 6 * * *" # Daily at 6am UTC
diun_schedule: "0 6 * * 1" # Weekly on Monday at 6am UTC (was daily)
diun_log_level: "info"
diun_watch_workers: 10
@ -27,13 +27,5 @@ diun_smtp_to: "pieter@postxsociety.org"
diun_watch_all: true
diun_exclude_containers: []
# Don't send notifications on first check (prevents spam on initial run)
# Reduce notification spam - only send ONE email per server per week
diun_first_check_notif: false
# Optional: Matrix notification
diun_matrix_enabled: false
diun_matrix_homeserver_url: "" # e.g., https://matrix.postxsociety.cloud
diun_matrix_user: "" # e.g., @diun:matrix.postxsociety.cloud
diun_matrix_password: "" # Bot user password (if using password auth)
diun_matrix_access_token: "" # Bot access token (preferred over password)
diun_matrix_room_id: "" # e.g., !abc123:matrix.postxsociety.cloud

21
ansible/roles/diun/templates/diun.yml.j2
View file

@ -11,18 +11,11 @@ watch:
firstCheckNotif: {{ diun_first_check_notif | lower }}
defaults:
watchRepo: {{ diun_watch_repo | default(true) | lower }}
watchRepo: true
notifyOn:
- new
- update
{% if diun_docker_hub_username is defined and diun_docker_hub_password is defined %}
regopts:
- selector: image
username: {{ diun_docker_hub_username }}
password: {{ diun_docker_hub_password }}
{% endif %}
providers:
docker:
watchByDefault: {{ diun_watch_all | lower }}
@ -63,15 +56,3 @@ notif:
from: {{ diun_smtp_from }}
to: {{ diun_smtp_to }}
{% endif %}
{% if diun_matrix_enabled and diun_matrix_homeserver_url and diun_matrix_user and diun_matrix_room_id %}
matrix:
homeserverURL: {{ diun_matrix_homeserver_url }}
user: "{{ diun_matrix_user }}"
{% if diun_matrix_access_token %}
accessToken: {{ diun_matrix_access_token }}
{% elif diun_matrix_password %}
password: "{{ diun_matrix_password }}"
{% endif %}
roomID: "{{ diun_matrix_room_id }}"
{% endif %}

13
ansible/roles/edge-traefik/defaults/main.yml Normal file
View file

@ -0,0 +1,13 @@
---
# Edge Traefik Default Variables
# This Traefik instance acts as a reverse proxy for private network clients
traefik_version: "v3.3"
traefik_network: "web"
traefik_docker_socket: "/var/run/docker.sock"
traefik_acme_email: "admin@vrije.cloud"
traefik_acme_staging: false
traefik_dashboard_enabled: false
# Backend client servers (populated from inventory)
backend_clients: []

7
ansible/roles/edge-traefik/handlers/main.yml Normal file
View file

@ -0,0 +1,7 @@
---
# Edge Traefik Handlers
- name: Restart Traefik
community.docker.docker_compose_v2:
project_src: /opt/docker/traefik
state: restarted

60
ansible/roles/edge-traefik/tasks/main.yml Normal file
View file

@ -0,0 +1,60 @@
---
# Edge Traefik Installation Tasks
# Sets up Traefik as edge reverse proxy for private network clients
- name: Ensure Traefik configuration directory exists
file:
path: /opt/docker/traefik
state: directory
mode: '0755'
tags: [traefik, edge]
- name: Create Let's Encrypt storage directory
file:
path: /opt/docker/traefik/letsencrypt
state: directory
mode: '0600'
tags: [traefik, edge]
- name: Create Traefik log directory
file:
path: /var/log/traefik
state: directory
mode: '0755'
tags: [traefik, edge]
- name: Deploy Traefik static configuration
template:
src: traefik.yml.j2
dest: /opt/docker/traefik/traefik.yml
mode: '0644'
notify: Restart Traefik
tags: [traefik, edge, config]
- name: Deploy Traefik dynamic configuration (routing rules)
template:
src: dynamic.yml.j2
dest: /opt/docker/traefik/dynamic.yml
mode: '0644'
notify: Restart Traefik
tags: [traefik, edge, config]
- name: Deploy Traefik Docker Compose file
template:
src: docker-compose.yml.j2
dest: /opt/docker/traefik/docker-compose.yml
mode: '0644'
tags: [traefik, edge]
- name: Start Traefik container
community.docker.docker_compose_v2:
project_src: /opt/docker/traefik
state: present
tags: [traefik, edge]
- name: Wait for Traefik to be ready
wait_for:
port: 443
delay: 5
timeout: 60
tags: [traefik, edge]

24
ansible/roles/edge-traefik/templates/docker-compose.yml.j2 Normal file
View file

@ -0,0 +1,24 @@
# Edge Traefik Docker Compose
# Managed by Ansible - do not edit manually
services:
traefik:
image: traefik:{{ traefik_version }}
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
ports:
- "80:80"
- "443:443"
{% if traefik_dashboard_enabled %}
- "8080:8080"
{% endif %}
volumes:
- /etc/localtime:/etc/localtime:ro
- ./traefik.yml:/etc/traefik/traefik.yml:ro
- ./dynamic.yml:/etc/traefik/dynamic.yml:ro
- ./letsencrypt:/letsencrypt
- /var/log/traefik:/var/log/traefik
labels:
- "traefik.enable=false"

559
ansible/roles/edge-traefik/templates/dynamic.yml.j2 Normal file
View file

@ -0,0 +1,559 @@
# Edge Traefik Dynamic Configuration
# Managed by Ansible - do not edit manually
# Routes traffic to backend servers on private network
http:
# Routers for white client
routers:
white-auth:
rule: "Host(`auth.white.vrije.cloud`)"
service: white-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
white-nextcloud:
rule: "Host(`nextcloud.white.vrije.cloud`)"
service: white-nextcloud
entryPoints:
- websecure
tls:
certResolver: letsencrypt
white-collabora:
rule: "Host(`office.white.vrije.cloud`)"
service: white-collabora
entryPoints:
- websecure
tls:
certResolver: letsencrypt
valk-auth:
rule: "Host(`auth.valk.vrije.cloud`)"
service: valk-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
valk-nextcloud:
rule: "Host(`nextcloud.valk.vrije.cloud`)"
service: valk-nextcloud
entryPoints:
- websecure
tls:
certResolver: letsencrypt
valk-collabora:
rule: "Host(`office.valk.vrije.cloud`)"
service: valk-collabora
entryPoints:
- websecure
tls:
certResolver: letsencrypt
zwaan-auth:
rule: "Host(`auth.zwaan.vrije.cloud`)"
service: zwaan-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
zwaan-nextcloud:
rule: "Host(`nextcloud.zwaan.vrije.cloud`)"
service: zwaan-nextcloud
entryPoints:
- websecure
tls:
certResolver: letsencrypt
zwaan-collabora:
rule: "Host(`office.zwaan.vrije.cloud`)"
service: zwaan-collabora
entryPoints:
- websecure
tls:
certResolver: letsencrypt
specht-auth:
rule: "Host(`auth.specht.vrije.cloud`)"
service: specht-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
specht-nextcloud:
rule: "Host(`nextcloud.specht.vrije.cloud`)"
service: specht-nextcloud
entryPoints:
- websecure
tls:
certResolver: letsencrypt
specht-collabora:
rule: "Host(`office.specht.vrije.cloud`)"
service: specht-collabora
entryPoints:
- websecure
tls:
certResolver: letsencrypt
das-auth:
rule: "Host(`auth.das.vrije.cloud`)"
service: das-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
das-nextcloud:
rule: "Host(`nextcloud.das.vrije.cloud`)"
service: das-nextcloud
entryPoints:
- websecure
tls:
certResolver: letsencrypt
das-collabora:
rule: "Host(`office.das.vrije.cloud`)"
service: das-collabora
entryPoints:
- websecure
tls:
certResolver: letsencrypt
uil-auth:
rule: "Host(`auth.uil.vrije.cloud`)"
service: uil-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
uil-nextcloud:
rule: "Host(`nextcloud.uil.vrije.cloud`)"
service: uil-nextcloud
entryPoints:
- websecure
tls:
certResolver: letsencrypt
uil-collabora:
rule: "Host(`office.uil.vrije.cloud`)"
service: uil-collabora
entryPoints:
- websecure
tls:
certResolver: letsencrypt
vos-auth:
rule: "Host(`auth.vos.vrije.cloud`)"
service: vos-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
vos-nextcloud:
rule: "Host(`nextcloud.vos.vrije.cloud`)"
service: vos-nextcloud
entryPoints:
- websecure
tls:
certResolver: letsencrypt
vos-collabora:
rule: "Host(`office.vos.vrije.cloud`)"
service: vos-collabora
entryPoints:
- websecure
tls:
certResolver: letsencrypt
haas-auth:
rule: "Host(`auth.haas.vrije.cloud`)"
service: haas-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
haas-nextcloud:
rule: "Host(`nextcloud.haas.vrije.cloud`)"
service: haas-nextcloud
entryPoints:
- websecure
tls:
certResolver: letsencrypt
haas-collabora:
rule: "Host(`office.haas.vrije.cloud`)"
service: haas-collabora
entryPoints:
- websecure
tls:
certResolver: letsencrypt
wolf-auth:
rule: "Host(`auth.wolf.vrije.cloud`)"
service: wolf-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
wolf-nextcloud:
rule: "Host(`nextcloud.wolf.vrije.cloud`)"
service: wolf-nextcloud
entryPoints:
- websecure
tls:
certResolver: letsencrypt
wolf-collabora:
rule: "Host(`office.wolf.vrije.cloud`)"
service: wolf-collabora
entryPoints:
- websecure
tls:
certResolver: letsencrypt
ree-auth:
rule: "Host(`auth.ree.vrije.cloud`)"
service: ree-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
ree-nextcloud:
rule: "Host(`nextcloud.ree.vrije.cloud`)"
service: ree-nextcloud
entryPoints:
- websecure
tls:
certResolver: letsencrypt
ree-collabora:
rule: "Host(`office.ree.vrije.cloud`)"
service: ree-collabora
entryPoints:
- websecure
tls:
certResolver: letsencrypt
mees-auth:
rule: "Host(`auth.mees.vrije.cloud`)"
service: mees-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
mees-nextcloud:
rule: "Host(`nextcloud.mees.vrije.cloud`)"
service: mees-nextcloud
entryPoints:
- websecure
tls:
certResolver: letsencrypt
mees-collabora:
rule: "Host(`office.mees.vrije.cloud`)"
service: mees-collabora
entryPoints:
- websecure
tls:
certResolver: letsencrypt
mus-auth:
rule: "Host(`auth.mus.vrije.cloud`)"
service: mus-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
mus-nextcloud:
rule: "Host(`nextcloud.mus.vrije.cloud`)"
service: mus-nextcloud
entryPoints:
- websecure
tls:
certResolver: letsencrypt
mus-collabora:
rule: "Host(`office.mus.vrije.cloud`)"
service: mus-collabora
entryPoints:
- websecure
tls:
certResolver: letsencrypt
mol-auth:
rule: "Host(`auth.mol.vrije.cloud`)"
service: mol-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
mol-nextcloud:
rule: "Host(`nextcloud.mol.vrije.cloud`)"
service: mol-nextcloud
entryPoints:
- websecure
tls:
certResolver: letsencrypt
mol-collabora:
rule: "Host(`office.mol.vrije.cloud`)"
service: mol-collabora
entryPoints:
- websecure
tls:
certResolver: letsencrypt
# Services (backend servers)
services:
white-auth:
loadBalancer:
servers:
- url: "https://10.0.0.40:443"
serversTransport: insecureTransport
white-nextcloud:
loadBalancer:
servers:
- url: "https://10.0.0.40:443"
serversTransport: insecureTransport
white-collabora:
loadBalancer:
servers:
- url: "https://10.0.0.40:443"
serversTransport: insecureTransport
valk-auth:
loadBalancer:
servers:
- url: "https://10.0.0.41:443"
serversTransport: insecureTransport
valk-nextcloud:
loadBalancer:
servers:
- url: "https://10.0.0.41:443"
serversTransport: insecureTransport
valk-collabora:
loadBalancer:
servers:
- url: "https://10.0.0.41:443"
serversTransport: insecureTransport
zwaan-auth:
loadBalancer:
servers:
- url: "https://10.0.0.42:443"
serversTransport: insecureTransport
zwaan-nextcloud:
loadBalancer:
servers:
- url: "https://10.0.0.42:443"
serversTransport: insecureTransport
zwaan-collabora:
loadBalancer:
servers:
- url: "https://10.0.0.42:443"
serversTransport: insecureTransport
specht-auth:
loadBalancer:
servers:
- url: "https://10.0.0.43:443"
serversTransport: insecureTransport
specht-nextcloud:
loadBalancer:
servers:
- url: "https://10.0.0.43:443"
serversTransport: insecureTransport
specht-collabora:
loadBalancer:
servers:
- url: "https://10.0.0.43:443"
serversTransport: insecureTransport
das-auth:
loadBalancer:
servers:
- url: "https://10.0.0.44:443"
serversTransport: insecureTransport
das-nextcloud:
loadBalancer:
servers:
- url: "https://10.0.0.44:443"
serversTransport: insecureTransport
das-collabora:
loadBalancer:
servers:
- url: "https://10.0.0.44:443"
serversTransport: insecureTransport
uil-auth:
loadBalancer:
servers:
- url: "https://10.0.0.45:443"
serversTransport: insecureTransport
uil-nextcloud:
loadBalancer:
servers:
- url: "https://10.0.0.45:443"
serversTransport: insecureTransport
uil-collabora:
loadBalancer:
servers:
- url: "https://10.0.0.45:443"
serversTransport: insecureTransport
vos-auth:
loadBalancer:
servers:
- url: "https://10.0.0.46:443"
serversTransport: insecureTransport
vos-nextcloud:
loadBalancer:
servers:
- url: "https://10.0.0.46:443"
serversTransport: insecureTransport
vos-collabora:
loadBalancer:
servers:
- url: "https://10.0.0.46:443"
serversTransport: insecureTransport
haas-auth:
loadBalancer:
servers:
- url: "https://10.0.0.47:443"
serversTransport: insecureTransport
haas-nextcloud:
loadBalancer:
servers:
- url: "https://10.0.0.47:443"
serversTransport: insecureTransport
haas-collabora:
loadBalancer:
servers:
- url: "https://10.0.0.47:443"
serversTransport: insecureTransport
wolf-auth:
loadBalancer:
servers:
- url: "https://10.0.0.48:443"
serversTransport: insecureTransport
wolf-nextcloud:
loadBalancer:
servers:
- url: "https://10.0.0.48:443"
serversTransport: insecureTransport
wolf-collabora:
loadBalancer:
servers:
- url: "https://10.0.0.48:443"
serversTransport: insecureTransport
ree-auth:
loadBalancer:
servers:
- url: "https://10.0.0.49:443"
serversTransport: insecureTransport
ree-nextcloud:
loadBalancer:
servers:
- url: "https://10.0.0.49:443"
serversTransport: insecureTransport
ree-collabora:
loadBalancer:
servers:
- url: "https://10.0.0.49:443"
serversTransport: insecureTransport
mees-auth:
loadBalancer:
servers:
- url: "https://10.0.0.50:443"
serversTransport: insecureTransport
mees-nextcloud:
loadBalancer:
servers:
- url: "https://10.0.0.50:443"
serversTransport: insecureTransport
mees-collabora:
loadBalancer:
servers:
- url: "https://10.0.0.50:443"
serversTransport: insecureTransport
mus-auth:
loadBalancer:
servers:
- url: "https://10.0.0.51:443"
serversTransport: insecureTransport
mus-nextcloud:
loadBalancer:
servers:
- url: "https://10.0.0.51:443"
serversTransport: insecureTransport
mus-collabora:
loadBalancer:
servers:
- url: "https://10.0.0.51:443"
serversTransport: insecureTransport
mol-auth:
loadBalancer:
servers:
- url: "https://10.0.0.53:443"
serversTransport: insecureTransport
mol-nextcloud:
loadBalancer:
servers:
- url: "https://10.0.0.53:443"
serversTransport: insecureTransport
mol-collabora:
loadBalancer:
servers:
- url: "https://10.0.0.53:443"
serversTransport: insecureTransport
# Server transport (allow self-signed certs from backends)
serversTransports:
insecureTransport:
insecureSkipVerify: true

47
ansible/roles/edge-traefik/templates/traefik.yml.j2 Normal file
View file

@ -0,0 +1,47 @@
# Edge Traefik Static Configuration
# Managed by Ansible - do not edit manually
# This configuration proxies to backend servers on private network
api:
dashboard: {{ traefik_dashboard_enabled | lower }}
{% if traefik_dashboard_enabled %}
insecure: false
{% endif %}
entryPoints:
web:
address: ":80"
http:
redirections:
entryPoint:
to: websecure
scheme: https
websecure:
address: ":443"
http:
tls:
certResolver: letsencrypt
providers:
# File provider for static backend configurations
file:
filename: /etc/traefik/dynamic.yml
watch: true
certificatesResolvers:
letsencrypt:
acme:
email: {{ traefik_acme_email }}
storage: /letsencrypt/acme.json
{% if traefik_acme_staging %}
caServer: https://acme-staging-v02.api.letsencrypt.org/directory
{% endif %}
httpChallenge:
entryPoint: web
log:
level: INFO
accessLog:
filePath: /var/log/traefik/access.log

6
ansible/roles/nat-gateway/handlers/main.yml Normal file
View file

@ -0,0 +1,6 @@
---
# NAT Gateway Handlers
- name: Save iptables rules
shell: |
iptables-save > /etc/iptables/rules.v4

66
ansible/roles/nat-gateway/tasks/main.yml Normal file
View file

@ -0,0 +1,66 @@
---
# NAT Gateway Configuration
# Enables internet access for private network clients via edge server
- name: Enable IP forwarding
sysctl:
name: net.ipv4.ip_forward
value: '1'
state: present
reload: yes
tags: [nat, gateway]
- name: Install iptables-persistent
apt:
name: iptables-persistent
state: present
update_cache: yes
tags: [nat, gateway]
- name: Configure NAT (masquerading) for private network
iptables:
table: nat
chain: POSTROUTING
out_interface: eth0
source: 10.0.0.0/16
jump: MASQUERADE
comment: NAT for private network clients
notify: Save iptables rules
tags: [nat, gateway]
- name: Allow forwarding from private network (in DOCKER-USER chain)
iptables:
chain: DOCKER-USER
in_interface: enp7s0
out_interface: eth0
source: 10.0.0.0/16
jump: ACCEPT
comment: Allow forwarding from private network
notify: Save iptables rules
tags: [nat, gateway]
- name: Allow established connections back to private network (in DOCKER-USER chain)
iptables:
chain: DOCKER-USER
in_interface: eth0
out_interface: enp7s0
ctstate: ESTABLISHED,RELATED
jump: ACCEPT
comment: Allow established connections to private network
notify: Save iptables rules
tags: [nat, gateway]
- name: Return from DOCKER-USER chain for other traffic
iptables:
chain: DOCKER-USER
jump: RETURN
comment: Let Docker handle other traffic
notify: Save iptables rules
tags: [nat, gateway]
- name: Save iptables rules
shell: |
iptables-save > /etc/iptables/rules.v4
args:
creates: /etc/iptables/rules.v4
tags: [nat, gateway]

1
keys/ssh/black.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJU6ntTc5bYP4FslcLXjm9C+RsO+hygmlsIo8tGOC1Up client-black-deploy-key

1
keys/ssh/dev.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvJSvafujjq5eojqH/A66mDLLr7/G9o202QCma0SmPt client-dev-deploy-key

1
keys/ssh/edge.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICpzsMHVbAZMugslwn2mJnxg30zYrfU3t+zsZ7Lw3DDD edge-server-deploy-key

1
keys/ssh/purple.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHuR1BR4JaATFwOmLauvvfKjhHarPz1SfnJ+j0caqISr client-purple-deploy-key

1
keys/ssh/white.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+BKRVBWUnS2NSPLvP3nxW7oxcv5wfu2DAY1YP0M+6m client-white-deploy-key

4
scripts/add-client-to-terraform.sh
View file

@ -222,9 +222,11 @@ if [ ! -f "$HOST_VARS_FILE" ]; then
cat > "$HOST_VARS_FILE" << EOF
---
# ${CLIENT_NAME} server configuration
# ${CLIENT_NAME} server - behind edge proxy (private network only)
# SSH via edge server as bastion/jump host
ansible_host: ${PRIVATE_IP}
ansible_ssh_common_args: '-o ProxyCommand="ssh -i ../keys/ssh/edge -W %h:%p -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@78.47.191.38" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
# Client identification
client_name: ${CLIENT_NAME}

170
scripts/configure-diun-all-servers.sh
View file

@ -1,170 +0,0 @@
#!/usr/bin/env bash
#
# Configure Diun on all servers (disable watchRepo, add Docker Hub auth)
# Created: 2026-01-24
#
# This script runs the diun configuration playbook on each server
# with its corresponding SSH key.
#
# Usage:
# cd infrastructure/
# SOPS_AGE_KEY_FILE="keys/age-key.txt" HCLOUD_TOKEN="..." ./scripts/configure-diun-all-servers.sh
set -euo pipefail
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color
# Configuration
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
ANSIBLE_DIR="$PROJECT_ROOT/ansible"
KEYS_DIR="$PROJECT_ROOT/keys/ssh"
PLAYBOOK="playbooks/260124-configure-diun-watchrepo.yml"
# Check required environment variables
if [ -z "${HCLOUD_TOKEN:-}" ]; then
echo -e "${RED}Error: HCLOUD_TOKEN environment variable is required${NC}"
exit 1
fi
if [ -z "${SOPS_AGE_KEY_FILE:-}" ]; then
echo -e "${RED}Error: SOPS_AGE_KEY_FILE environment variable is required${NC}"
exit 1
fi
# Convert SOPS_AGE_KEY_FILE to absolute path if it's relative
if [[ ! "$SOPS_AGE_KEY_FILE" = /* ]]; then
export SOPS_AGE_KEY_FILE="$PROJECT_ROOT/$SOPS_AGE_KEY_FILE"
fi
# Change to ansible directory
cd "$ANSIBLE_DIR"
echo -e "${BLUE}============================================================${NC}"
echo -e "${BLUE}Diun Configuration - All Servers${NC}"
echo -e "${BLUE}============================================================${NC}"
echo ""
echo "Playbook: $PLAYBOOK"
echo "Ansible directory: $ANSIBLE_DIR"
echo ""
echo "Configuration changes:"
echo " - Disable watchRepo (only check specific tags, not entire repos)"
echo " - Add Docker Hub authentication (5000 pulls/6h limit)"
echo " - Schedule: Weekly on Monday at 6am UTC"
echo ""
# Get list of all servers with SSH keys
SERVERS=()
for keyfile in "$KEYS_DIR"/*.pub; do
if [ -f "$keyfile" ]; then
server=$(basename "$keyfile" .pub)
# Skip special servers
if [[ "$server" != "README" ]] && [[ "$server" != "edge" ]]; then
SERVERS+=("$server")
fi
fi
done
echo -e "${BLUE}Found ${#SERVERS[@]} servers:${NC}"
printf '%s\n' "${SERVERS[@]}" | sort
echo ""
# Counters
SUCCESS_COUNT=0
FAILED_COUNT=0
SKIPPED_COUNT=0
declare -a SUCCESS_SERVERS
declare -a FAILED_SERVERS
declare -a SKIPPED_SERVERS
echo -e "${BLUE}============================================================${NC}"
echo -e "${BLUE}Starting configuration run...${NC}"
echo -e "${BLUE}============================================================${NC}"
echo ""
# Run playbook for each server
for server in "${SERVERS[@]}"; do
echo -e "${YELLOW}-----------------------------------------------------------${NC}"
echo -e "${YELLOW}Processing: $server${NC}"
echo -e "${YELLOW}-----------------------------------------------------------${NC}"
SSH_KEY="$KEYS_DIR/$server"
if [ ! -f "$SSH_KEY" ]; then
echo -e "${RED}✗ SSH key not found: $SSH_KEY${NC}"
SKIPPED_COUNT=$((SKIPPED_COUNT + 1))
SKIPPED_SERVERS+=("$server")
echo ""
continue
fi
# Run the playbook (with SSH options to prevent agent key issues)
if env HCLOUD_TOKEN="$HCLOUD_TOKEN" \
SOPS_AGE_KEY_FILE="$SOPS_AGE_KEY_FILE" \
ANSIBLE_SSH_ARGS="-o IdentitiesOnly=yes" \
~/.local/bin/ansible-playbook \
-i hcloud.yml \
"$PLAYBOOK" \
--limit "$server" \
--private-key "$SSH_KEY" 2>&1; then
echo -e "${GREEN}✓ Success: $server${NC}"
SUCCESS_COUNT=$((SUCCESS_COUNT + 1))
SUCCESS_SERVERS+=("$server")
else
echo -e "${RED}✗ Failed: $server${NC}"
FAILED_COUNT=$((FAILED_COUNT + 1))
FAILED_SERVERS+=("$server")
fi
echo ""
done
# Summary
echo -e "${BLUE}============================================================${NC}"
echo -e "${BLUE}CONFIGURATION RUN SUMMARY${NC}"
echo -e "${BLUE}============================================================${NC}"
echo ""
echo "Total servers: ${#SERVERS[@]}"
echo -e "${GREEN}Successful: $SUCCESS_COUNT${NC}"
echo -e "${RED}Failed: $FAILED_COUNT${NC}"
echo -e "${YELLOW}Skipped: $SKIPPED_COUNT${NC}"
echo ""
if [ $SUCCESS_COUNT -gt 0 ]; then
echo -e "${GREEN}Successful servers:${NC}"
printf ' %s\n' "${SUCCESS_SERVERS[@]}"
echo ""
fi
if [ $FAILED_COUNT -gt 0 ]; then
echo -e "${RED}Failed servers:${NC}"
printf ' %s\n' "${FAILED_SERVERS[@]}"
echo ""
fi
if [ $SKIPPED_COUNT -gt 0 ]; then
echo -e "${YELLOW}Skipped servers:${NC}"
printf ' %s\n' "${SKIPPED_SERVERS[@]}"
echo ""
fi
echo -e "${BLUE}============================================================${NC}"
echo ""
echo "Next steps:"
echo " 1. Wait for next Monday at 6am UTC for scheduled run"
echo " 2. Or manually trigger: docker exec diun diun once"
echo " 3. Check logs: docker logs diun"
echo ""
# Exit with error if any failures
if [ $FAILED_COUNT -gt 0 ]; then
exit 1
fi
exit 0

151
scripts/run-maintenance-all-servers.sh
View file

@ -1,151 +0,0 @@
#!/usr/bin/env bash
#
# Run Nextcloud maintenance playbook on all servers
# Created: 2026-01-24
#
# This script runs the nextcloud maintenance playbook on each server
# with its corresponding SSH key.
#
# Usage:
# cd infrastructure/
# HCLOUD_TOKEN="..." ./scripts/run-maintenance-all-servers.sh
#
# Or with SOPS_AGE_KEY_FILE if needed:
# SOPS_AGE_KEY_FILE="keys/age-key.txt" HCLOUD_TOKEN="..." ./scripts/run-maintenance-all-servers.sh
set -euo pipefail
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color
# Configuration
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
ANSIBLE_DIR="$PROJECT_ROOT/ansible"
KEYS_DIR="$PROJECT_ROOT/keys/ssh"
PLAYBOOK="playbooks/260124-nextcloud-maintenance.yml"
# Check required environment variables
if [ -z "${HCLOUD_TOKEN:-}" ]; then
echo -e "${RED}Error: HCLOUD_TOKEN environment variable is required${NC}"
exit 1
fi
# Change to ansible directory
cd "$ANSIBLE_DIR"
echo -e "${BLUE}============================================================${NC}"
echo -e "${BLUE}Nextcloud Maintenance - All Servers${NC}"
echo -e "${BLUE}============================================================${NC}"
echo ""
echo "Playbook: $PLAYBOOK"
echo "Ansible directory: $ANSIBLE_DIR"
echo ""
# Get list of all servers with SSH keys
SERVERS=()
for keyfile in "$KEYS_DIR"/*.pub; do
if [ -f "$keyfile" ]; then
server=$(basename "$keyfile" .pub)
# Skip special servers
if [[ "$server" != "README" ]] && [[ "$server" != "edge" ]]; then
SERVERS+=("$server")
fi
fi
done
echo -e "${BLUE}Found ${#SERVERS[@]} servers:${NC}"
printf '%s\n' "${SERVERS[@]}" | sort
echo ""
# Counters
SUCCESS_COUNT=0
FAILED_COUNT=0
SKIPPED_COUNT=0
declare -a SUCCESS_SERVERS
declare -a FAILED_SERVERS
declare -a SKIPPED_SERVERS
echo -e "${BLUE}============================================================${NC}"
echo -e "${BLUE}Starting maintenance run...${NC}"
echo -e "${BLUE}============================================================${NC}"
echo ""
# Run playbook for each server
for server in "${SERVERS[@]}"; do
echo -e "${YELLOW}-----------------------------------------------------------${NC}"
echo -e "${YELLOW}Processing: $server${NC}"
echo -e "${YELLOW}-----------------------------------------------------------${NC}"
SSH_KEY="$KEYS_DIR/$server"
if [ ! -f "$SSH_KEY" ]; then
echo -e "${RED}✗ SSH key not found: $SSH_KEY${NC}"
SKIPPED_COUNT=$((SKIPPED_COUNT + 1))
SKIPPED_SERVERS+=("$server")
echo ""
continue
fi
# Run the playbook (with SSH options to prevent agent key issues)
if env HCLOUD_TOKEN="$HCLOUD_TOKEN" \
ANSIBLE_SSH_ARGS="-o IdentitiesOnly=yes" \
~/.local/bin/ansible-playbook \
-i hcloud.yml \
"$PLAYBOOK" \
--limit "$server" \
--private-key "$SSH_KEY" 2>&1; then
echo -e "${GREEN}✓ Success: $server${NC}"
SUCCESS_COUNT=$((SUCCESS_COUNT + 1))
SUCCESS_SERVERS+=("$server")
else
echo -e "${RED}✗ Failed: $server${NC}"
FAILED_COUNT=$((FAILED_COUNT + 1))
FAILED_SERVERS+=("$server")
fi
echo ""
done
# Summary
echo -e "${BLUE}============================================================${NC}"
echo -e "${BLUE}MAINTENANCE RUN SUMMARY${NC}"
echo -e "${BLUE}============================================================${NC}"
echo ""
echo "Total servers: ${#SERVERS[@]}"
echo -e "${GREEN}Successful: $SUCCESS_COUNT${NC}"
echo -e "${RED}Failed: $FAILED_COUNT${NC}"
echo -e "${YELLOW}Skipped: $SKIPPED_COUNT${NC}"
echo ""
if [ $SUCCESS_COUNT -gt 0 ]; then
echo -e "${GREEN}Successful servers:${NC}"
printf ' %s\n' "${SUCCESS_SERVERS[@]}"
echo ""
fi
if [ $FAILED_COUNT -gt 0 ]; then
echo -e "${RED}Failed servers:${NC}"
printf ' %s\n' "${FAILED_SERVERS[@]}"
echo ""
fi
if [ $SKIPPED_COUNT -gt 0 ]; then
echo -e "${YELLOW}Skipped servers:${NC}"
printf ' %s\n' "${SKIPPED_SERVERS[@]}"
echo ""
fi
echo -e "${BLUE}============================================================${NC}"
# Exit with error if any failures
if [ $FAILED_COUNT -gt 0 ]; then
exit 1
fi
exit 0

38
secrets/clients/bever.sops.yaml Normal file
View file

@ -0,0 +1,38 @@
#ENC[AES256_GCM,data:7JUvIjolKk0K4LX1Ruum6SLciqyHyybfTQ4=,iv:MNU2x5ACjpm/QJlGjBD6a6LJFtD219uTWHFKmr9IfQk=,tag:CVItmHXurNofeg9w+haFog==,type:comment]
#ENC[AES256_GCM,data:wWjTifXRNQ25dM+k4W8cMyolIMQ+zphKe2AYiMuEVyIBd2Evdv4=,iv:Q6/LgZNSv3tee2FcHXUZ1wIvSR25aoiqg7BAyWgWTKI=,tag:p5LuG2OMb3hoYPgK+ab7mQ==,type:comment]
#ENC[AES256_GCM,data:RjmOnfVrJ/8xJZaTlN6OGobGGACNZQ==,iv:4FBY1WOfonv5WfKATTuZkEsqYPicM1zcX8qWu+lTk0Q=,tag:I025riqowW5FKUezBm0GZA==,type:comment]
client_name: ENC[AES256_GCM,data:W0Bh0eE=,iv:VKQcOSHp5N9JH6eJoow3pXwcWU1eWGcbThQFocrayWQ=,tag:M4E+gRivJQbrjd0/bQNudw==,type:str]
client_domain: ENC[AES256_GCM,data:Nqo8XlNOqHv8LkhRby06fUY=,iv:hfQYcKPm+btkwdenIPEX2TIXsPVGnWQiCY81aaduBks=,tag:GiHBboDci/99P8QHS7/PbA==,type:str]
#ENC[AES256_GCM,data:icjtWREHoSAGN5rPbdL4j1XPeMZuzEoS,iv:sIuJcsE+rO0sZ5qhdNK6PGxtErrv2bm2HCi48P5FQKQ=,tag:P5plYgUPY9LNOQhpux6fSg==,type:comment]
authentik_domain: ENC[AES256_GCM,data:W/R65b//HiDwPhxYXEKR4Fxi+rJtRw==,iv:mr9cs4LR/aA/7bJdO68WI+sKvzvy80RTCvmU66Cvzg8=,tag:DDKCjeyc2kC5Mval69f6OA==,type:str]
authentik_db_password: ENC[AES256_GCM,data:/P3gQbozHLINd3KQJA/0u8MhUqhMcz6MOoLVH31X6cwmGv2q3y6KeBA8gg==,iv:stKEPGqH4EMc3h3afSX2pP3dEos3H8+mJ9o1LSF224k=,tag:7XtR6fRYfqJ4veuUlpK/vg==,type:str]
authentik_secret_key: ENC[AES256_GCM,data:/1LY8xqI9A5Et20mkY3X2y4o6d+ka7/vqNSxQS2PJ5LAMTAEt9qbX2rr1g==,iv:v93bXYDwvXgifMLngG25qDaXPR690LWeQjkTf0fqNuw=,tag:0JYsyKSJFYWAHYawDybfGQ==,type:str]
#ENC[AES256_GCM,data:Mw3fsLyDrw39Q2OWiyrtEdls8ub5fTWEqVmGeLTg0qkpvzsrgWRW/GiPW7SYbKU=,iv:qHqh5k1N/GaxbTJYRvPZm4RfYc0MVNDXdI7skEBBqvg=,tag:tQ3OQyNLoBymibw59GG+VA==,type:comment]
authentik_bootstrap_password: ENC[AES256_GCM,data:RDvAMIvOYmxbwxSjb+kXqmh8GU1sSA6KHqSh8UecjB1k7F5auXN6O8ETfw==,iv:S6DC4/UTMRy/NwhnT641q+ary4638hdLPSJ2duivgZ0=,tag:8etXMMBlgVz8pM0trndyOg==,type:str]
authentik_bootstrap_token: ENC[AES256_GCM,data:m467HmEab1OSqAzw8Yi9rcL3lRkJJW82k6nYlFiXj7UOgutJtT4BxUaSfMdUxA==,iv:8bi5CITxJK8Mgr0iSB3aD5I1Wm1+c/SL9GrBKKTIqdA=,tag:IhRleBBgg6C7ARgPwnZNcQ==,type:str]
authentik_bootstrap_email: ENC[AES256_GCM,data:wsXyTCeS7jJQQ8vkAC7AKjDr6cna4ac=,iv:Jkq17JmmSIPcnLK0SuJ1ErUUGi5Z136GQmR9VfdFCi8=,tag:NjReOWjfRxSsIbWzrrltxA==,type:str]
#ENC[AES256_GCM,data:klnql0MQeS1KXd/3VjVW4WRjSl5yg9Kf,iv:+v30PZBWQVnFEeeQI2InGf9kH5tvzgZnD5JCOyBnEHo=,tag:UHNaI7WU6PhzhkXkHTYtvA==,type:comment]
nextcloud_domain: ENC[AES256_GCM,data:ZxuLrS+XqzdLVtnFRQNv/KgN5gZWAFHGqz0m,iv:isE7Bp945CPVgoeI0mKngpTlRUTItLX2HIxSCfJ5T6Q=,tag:6p26HFeNmKU/EzNpQd0yhA==,type:str]
nextcloud_admin_user: ENC[AES256_GCM,data:uscegTQ=,iv:vK0tQIFNQZ1onK70GEy23VDfh7zcofxwyjJXEg8uY6I=,tag:wwna86Sx35Cc6QIMehfDPw==,type:str]
nextcloud_admin_password: ENC[AES256_GCM,data:SC7jJfHvbaqynl30IdJ0wjy1Jf37eLab1VBJI6p0w1aT35EA+GCAA8HmzA==,iv:PwYkMhyHuZpiRqN53BOMFSBBUBM2mMfTVOOatNTWB1c=,tag:hnI9EUmZ9vI9w7bCT3bFyg==,type:str]
nextcloud_db_password: ENC[AES256_GCM,data:CLpONcvumICrvxk39UK4ev7wneE70DPUoqx9Gl2N1/A1M3oOYexVbivFAA==,iv:hWgXELPBooRql5wp3O09OluTn2KBfTL98XNnNyiIfLE=,tag:2o80+vU71xtPm5MI6hlUaA==,type:str]
nextcloud_db_root_password: ENC[AES256_GCM,data:UH4PKHcvfqbp55I8Ru2AtkQDXP+CJpaY156QjO24n6GbIXGT16G0aKN6bQ==,iv:3YKqu61Mdhy/Q2jfK+bItcRx0YFIB+HYpUgpNkXwlMY=,tag:GsQBfVfwJNufY/jY7oDPpA==,type:str]
#ENC[AES256_GCM,data:zqxETKX7LgG6yCW8n/MUvBf80DeszYo+3TH0HVw=,iv:w+Ymv0DKrE/aPYmGsbCPIhrmauNAlDMTGQqQM7HZrVM=,tag:2wYvCPs5xeerRRpfc5f1UA==,type:comment]
redis_password: ENC[AES256_GCM,data:9QjDXsOtQDylRyvzu+6KaWxV53BuPqUOIIF10YygBvaSvtTjc6MvROqltQ==,iv:DDPKUOwz0DLnE7tHHx51SV++Upmc7isgKNvx9fKBTIA=,tag:7ieGACSPG+FiiWqUB5UDXw==,type:str]
#ENC[AES256_GCM,data:Dw9sxUT5diW1LvGQ/VRkPIfv2KMIoCjlsdYGtr1cU51FCRqx,iv:QDf/zXCB8qIvwRAQM9od6Ger8lyXZPDorZXb/Xg+8KY=,tag:dO/1SxL3fpLWnsEtA0xNYQ==,type:comment]
collabora_admin_password: ENC[AES256_GCM,data:QfjXR22OLAcPewDSDKKRxYXiouzBJ3pTTB8usKq0mEOLOCkzrFR49eWvXw==,iv:BpYApcb6quYdUZ2BxIRJmY5lJK++tQ/PxSOgiIJSDjM=,tag:FQBc+HyTzOyVDYTFsvHVnQ==,type:str]
sops:
age:
- recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ekhQVmprdjlER1g3NGFU
d3pZWk1XbTZXM051N2t5Z2RLem8yVVM3ZUhvCkFrYWF0cW9XbURpQ2VKaDhuelRh
R28wNGVlTndzcGlHa211NWxFRnBVd2MKLS0tIGhRNmkxanBndjNxTWt1bGRIaHJr
NFU1eU51MkNDOU5jbnFSbXVYU2cyQTQKxGGn9gHuxY+1L07Ouq22dvZMjF6uLUFI
GxlyXcV9Eyrz7AI+tliNf8XWULsixcGQ4wAzvAYOoT8JZ8CiWFd7LA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-22T09:44:44Z"
mac: ENC[AES256_GCM,data:iN71AD8G36b2VOTg5l2xyIwXqkPx7Mq5QoOtslug2OLzTSBz/h0RNZv3UtGXi+Au83IVLeAEJ0gPq/BA6sN155hFJPeh/VhIwffelHPzufwohZjhFdK3zB4QKlKAcKEEC6vI74GOBfQfUOMimeiuuS0IiLo4kEeADd1qk2GHcbw=,iv:LmCsgkvGcE9Jp6JO0nxsu/pqGPX48d8dmZJCEt9RHBs=,tag:fkpzKVv979jqyYUyWI0ucg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

38
secrets/clients/black.sops.yaml Normal file
View file

@ -0,0 +1,38 @@
#ENC[AES256_GCM,data:+pppKgjMX6IKHrEyE7WT+sVkrsKrC/S9N5s=,iv:aQcH3wCqnZ15ThzB9DRmkJhnw4xNNqVJToXsx3iwGFY=,tag:w3hEI/Nwb/GTCmwrFubQVQ==,type:comment]
#ENC[AES256_GCM,data:InHpHdYbWF+YeElQmyml7H6wQ4y3lhHmifu4hNAfdrO9fNXh+IQ=,iv:0t4/ZHfFgEVVAWEFYAXuNaKYFYwoPUllyMfOp2UR+DQ=,tag:tfqtEioUhGj+oRjSJx3Psw==,type:comment]
#ENC[AES256_GCM,data:Df/84YbfFeA/4eB3ERGLRrusmbjKRA==,iv:DDOY9P8TW54qmDQH/5jPQmFjyFjfPZ16ipOTGpotLyE=,tag:c+nwU9QFLBFZMcdTjbwCIQ==,type:comment]
client_name: ENC[AES256_GCM,data:5c7mNQ4=,iv:tiSy41HLzjP3Bhs9XSn85ZAJJtYzTCTwCARlD0wqJtc=,tag:cmPx6IQs6Ocuy2xiqzIR4w==,type:str]
client_domain: ENC[AES256_GCM,data:r/V0n6t7nOSqjXV/vYHv19M=,iv:EykIf151hcUDlDVcoGlKuOYzeRwspxajEIjnuadRQxw=,tag:KASAfQqdZg1RKQsBwuzd9A==,type:str]
#ENC[AES256_GCM,data:Zoa/hQiGtXJbn0db06ZTBachkGsEBEOa,iv:vTyWshk5HDFCJxsnuVYL3+BOMifxmhjJ+gBKiNZ2Jg0=,tag:C2k4MfPwyZ4y/AoV4i+cDA==,type:comment]
authentik_domain: ENC[AES256_GCM,data:qHPGPAh8Kc171vAsFaaD1IEMaPGwEQ==,iv:NvBP3kC7es518oXT7OT+ONnBI0o6GmfNCpGzvfdrQGM=,tag:YCCCivxJcZtI3qER4Im17A==,type:str]
authentik_db_password: ENC[AES256_GCM,data:exJBbBV0PPaLfR7u0LoLmbQRuE73ZGpwdXQ09iPvntripOTM1aBkfuqqiQ==,iv:XmDhW8EB+yWdHLdWv0DhCU35rq03IP0Q8nQPxHQq/tQ=,tag:vVMFB7FN5Vi6e+d7SsqJXw==,type:str]
authentik_secret_key: ENC[AES256_GCM,data:lfC6XAKFtaloBZmOq6hIZspxIcoRJPqMbYO5T/9LGZmz8fI9kDNMM9Skdg==,iv:Jqs1NXru9LWFnkiwQbnVz480UHzDLyw9lTz5KsJ0QTI=,tag:K5WERITMYtHN0Aa9zsG+dg==,type:str]
#ENC[AES256_GCM,data:mvQfnGJnfGog3xEFfuX7/8qISPjhI1Jw1ljyRr2X82mFVHV1bS8Wgv1TN31k/QU=,iv:9JrDtyMhIo7D39+Vl/HBrh6R23k3E7NQSZXBqmQ1Ho4=,tag:fmIHEt03EnawuPqJsLW1Fg==,type:comment]
authentik_bootstrap_password: ENC[AES256_GCM,data:AdMlkg6d2it1HzA3HG6m3yA1vSJQzfIWWJSvWbypdKH8eiqkr7D3XU5imw==,iv:lHvkemA8l3GxKUw/oSncKhUsTB0kM6q6q0qbEK8eLoU=,tag:gn3NYjrye7RmdYnTbj9qZQ==,type:str]
authentik_bootstrap_token: ENC[AES256_GCM,data:F5e4pUyXkUDpgz99e3gqa8JYsDDCv6yfKCgG0E8Mn3CfbR3ty7TtlM/CvFcOTQ==,iv:rQFxh49ACncotu5JcQyLJHJjaIWHSi2MPaMECUtoUWg=,tag:8olrhhiXRYDM0oog4Nn2ag==,type:str]
authentik_bootstrap_email: ENC[AES256_GCM,data:DfjaNz0/lxfkhBInGBiNgtyljSe/Ox8=,iv:v7HRWWbq1iGWGN8t4ckLEXanhksS+jyKvpHtWFLGJbc=,tag:CaYUvzC7DDfwbVzzCpuwkQ==,type:str]
#ENC[AES256_GCM,data:8v7EAUTlRdWKoG2ji5qcJloBymG+ytAA,iv:8/UHfEHBMDA5NYmUwZSZHq1y7TOIHFIjEO6y0hwsdV0=,tag:tdsDXMuIOxHSXu0cnJq+Yw==,type:comment]
nextcloud_domain: ENC[AES256_GCM,data:WzFgX42WIPRi5NtRWsUZAlwP3wUE6grJQE+y,iv:e/VkjDmxbQjv83g4ibg3DmXmujnYZqEytFSK4jT1uGo=,tag:gew/qFyCmtzd5LrB9MOkhA==,type:str]
nextcloud_admin_user: ENC[AES256_GCM,data:VP4i484=,iv:x5/FODYkvGwLsypL0EEFK+aX1vomc1g2BRMjz7MVdN8=,tag:yeDjVIrPHMcGIHL55CNi3A==,type:str]
nextcloud_admin_password: ENC[AES256_GCM,data:BHQxIcK37o0xyf3kN1g0RV5XO1RtH8g97nVGNjnYLJDd3+VUMKMNYL/iVg==,iv:3tTMTdLYHupHzr/YKC0gBuNRz60w9vUbGcB7INw4L+A=,tag:EWmtvDFzK239WsnseQZcLQ==,type:str]
nextcloud_db_password: ENC[AES256_GCM,data:94yfQRPn5rMdtzKWPaBbS+dZUmUAI4xo4i1/hxfm0Z0623KaMs/jcBGqwA==,iv:JNXoHRaY91zJhtViRIfz+ihPI3JlKwy9xfO5KTlDwsA=,tag:nJvT7uNts3DXaBsbHfts7g==,type:str]
nextcloud_db_root_password: ENC[AES256_GCM,data:SGw7KzCfOUVG60a099rMYI77CYoOTeoKkdQbKEYT2cSKJ2LTKtZCdbXCoA==,iv:57W+KwAPrKfB919TJDHPIdT09B5aT8ZKmkrLcz3um5M=,tag:Aq3mRmTvCsGSGLA4VK4RGg==,type:str]
#ENC[AES256_GCM,data:2Ca94oWcPDsThITdONt2BwtCQtgo1T1/+QrL5No=,iv:YNoWLwci667/gN3ZX2sYCLkYB/phYFLvtgwUVp3h9I4=,tag:pPlgbwv/6fkTFE2WfSPfdg==,type:comment]
redis_password: ENC[AES256_GCM,data:jpi8rEcRBaM2XNMLlDz0WkKosp1j6NLyGE933bZp2PieOWk2gNHFNwJ6Hg==,iv:1ynRlMYpBo2FRknD4AWosDtF6JBJnT+vuwy1HNPs2RM=,tag:gr/v/kfe5M1sHjYq1szOIA==,type:str]
#ENC[AES256_GCM,data:7bmjCFZTqyGV3MmxtmEyY21L0AX0xg2xwQyNFvQld5F4p2uT,iv:Hu5k8+bEewx+J59IKwT0l202h9Sgofzuh7/++Nvvx8k=,tag:YuRPCf4cUN8GlModxkaJTg==,type:comment]
collabora_admin_password: ENC[AES256_GCM,data:K6UAvUM90klSCqMCiWwE7VkAhvx5c/+QqSElEXjgpmDdoiNE35H1BgYNOg==,iv:v9j6cfmQUkM7IvQvh/pW0C73jOdvx8YEpYuulhKHVsg=,tag:T4bGJJfejMOCgHg9c2nrcg==,type:str]
sops:
age:
- recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0YkVJdG5Vd29zRXlEMTFk
RVJjN3NSTFFHUm5DUkpQUi9ISHdiUEtZVVJBCnFTT252VGpUVWNzU3JCWGRBdXov
YzFLSXU5UzJCN01nTTVRTU00VGtoTWMKLS0tIHMrQkRFT3hJM01vOExSR1ZoKzNp
aTZOUDdNMzVUZ0lickNCT0dIaWFuS3MKWHNDkkJ4kJljn2Ull8VCksmnjuORLYtN
ASfbOgiRJqXzQxwNgigUkvnvFuAEeaijIyG8/KazEP0YlhTWTkY5Sg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-19T10:56:00Z"
mac: ENC[AES256_GCM,data:LhzvYjkGf0i5g1S1SPQqBKRFatsOKKjwch90KIITZJOZ5i6/5L5BPFeyI8EVl/3/jbN+/wIBOr206nWYkXz+G0i4fDzC0wuAxXc/o1KB+ovMRrQCg5Qw9QGEayViXlKgLOC3EzXzw3gDybxJ13yOw2YSxHgirRRdjVJr6G0/Rcs=,iv:YvE1KhDVAwtXYnjsMOAPnQoluEFMFOU4GByeiQB5W/4=,tag:HbyR29sNZXUhWyQKs5SC4A==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

38
secrets/clients/das.sops.yaml Normal file
View file

@ -0,0 +1,38 @@
#ENC[AES256_GCM,data:0u28ehaNftLzef/Ge203EtpREQG4w5kU,iv:uowORCiPGmtOa56MNO5cKaQsmsom3foNlQnmwctgw0U=,tag:19iE53kteSZ9Q09PYh4ykw==,type:comment]
#ENC[AES256_GCM,data:wWjTifXRNQ25dM+k4W8cMyolIMQ+zphKe2AYiMuEVyIBd2Evdv4=,iv:Q6/LgZNSv3tee2FcHXUZ1wIvSR25aoiqg7BAyWgWTKI=,tag:p5LuG2OMb3hoYPgK+ab7mQ==,type:comment]
#ENC[AES256_GCM,data:RjmOnfVrJ/8xJZaTlN6OGobGGACNZQ==,iv:4FBY1WOfonv5WfKATTuZkEsqYPicM1zcX8qWu+lTk0Q=,tag:I025riqowW5FKUezBm0GZA==,type:comment]
client_name: ENC[AES256_GCM,data:b03e,iv:In6iivcJ24tpfG9N34qsCOazY9H8Elg6QIou+om14CI=,tag:fplhvM7ExqVZCBHT1wcOKA==,type:str]
client_domain: ENC[AES256_GCM,data:pDlhbKxvHqbSG9cwDXGk,iv:Yn62cKh+Xq2yCzLMS+FjsXjbzvGKMruY/vdmjlr5q/k=,tag:fsJ/jJF6NAvIXRzBLg0mvQ==,type:str]
#ENC[AES256_GCM,data:icjtWREHoSAGN5rPbdL4j1XPeMZuzEoS,iv:sIuJcsE+rO0sZ5qhdNK6PGxtErrv2bm2HCi48P5FQKQ=,tag:P5plYgUPY9LNOQhpux6fSg==,type:comment]
authentik_domain: ENC[AES256_GCM,data:QMwZmfUeW1nYDppRFWBu6JhJLDM=,iv:RlLkkWYK+AfwhfPScek67Ba+T0JF5cebPZbC1hNcrrk=,tag:3b45Z6WflSMtJw/wpcPPbw==,type:str]
authentik_db_password: ENC[AES256_GCM,data:/P3gQbozHLINd3KQJA/0u8MhUqhMcz6MOoLVH31X6cwmGv2q3y6KeBA8gg==,iv:stKEPGqH4EMc3h3afSX2pP3dEos3H8+mJ9o1LSF224k=,tag:7XtR6fRYfqJ4veuUlpK/vg==,type:str]
authentik_secret_key: ENC[AES256_GCM,data:/1LY8xqI9A5Et20mkY3X2y4o6d+ka7/vqNSxQS2PJ5LAMTAEt9qbX2rr1g==,iv:v93bXYDwvXgifMLngG25qDaXPR690LWeQjkTf0fqNuw=,tag:0JYsyKSJFYWAHYawDybfGQ==,type:str]
#ENC[AES256_GCM,data:Mw3fsLyDrw39Q2OWiyrtEdls8ub5fTWEqVmGeLTg0qkpvzsrgWRW/GiPW7SYbKU=,iv:qHqh5k1N/GaxbTJYRvPZm4RfYc0MVNDXdI7skEBBqvg=,tag:tQ3OQyNLoBymibw59GG+VA==,type:comment]
authentik_bootstrap_password: ENC[AES256_GCM,data:RDvAMIvOYmxbwxSjb+kXqmh8GU1sSA6KHqSh8UecjB1k7F5auXN6O8ETfw==,iv:S6DC4/UTMRy/NwhnT641q+ary4638hdLPSJ2duivgZ0=,tag:8etXMMBlgVz8pM0trndyOg==,type:str]
authentik_bootstrap_token: ENC[AES256_GCM,data:m467HmEab1OSqAzw8Yi9rcL3lRkJJW82k6nYlFiXj7UOgutJtT4BxUaSfMdUxA==,iv:8bi5CITxJK8Mgr0iSB3aD5I1Wm1+c/SL9GrBKKTIqdA=,tag:IhRleBBgg6C7ARgPwnZNcQ==,type:str]
authentik_bootstrap_email: ENC[AES256_GCM,data:m0sZisLNP774T6ytCwhO3c699wy7,iv:06/kldGACKC/DuSf6hO+r2IgCIJiP+qEKBiJcWCNC2Q=,tag:JRwxkhuDLOU2sMw1cT1c4w==,type:str]
#ENC[AES256_GCM,data:klnql0MQeS1KXd/3VjVW4WRjSl5yg9Kf,iv:+v30PZBWQVnFEeeQI2InGf9kH5tvzgZnD5JCOyBnEHo=,tag:UHNaI7WU6PhzhkXkHTYtvA==,type:comment]
nextcloud_domain: ENC[AES256_GCM,data:mN0xoqcpE6tH8UxKPmEaO8zw/qlJRBSpvA==,iv:myiAX/cbkEuyIUcOW2jOrIuO5E931bLi6orxUwUdwzY=,tag:Rd87OGiH0HBc/dFBvvXhOg==,type:str]
nextcloud_admin_user: ENC[AES256_GCM,data:uscegTQ=,iv:vK0tQIFNQZ1onK70GEy23VDfh7zcofxwyjJXEg8uY6I=,tag:wwna86Sx35Cc6QIMehfDPw==,type:str]
nextcloud_admin_password: ENC[AES256_GCM,data:SC7jJfHvbaqynl30IdJ0wjy1Jf37eLab1VBJI6p0w1aT35EA+GCAA8HmzA==,iv:PwYkMhyHuZpiRqN53BOMFSBBUBM2mMfTVOOatNTWB1c=,tag:hnI9EUmZ9vI9w7bCT3bFyg==,type:str]
nextcloud_db_password: ENC[AES256_GCM,data:CLpONcvumICrvxk39UK4ev7wneE70DPUoqx9Gl2N1/A1M3oOYexVbivFAA==,iv:hWgXELPBooRql5wp3O09OluTn2KBfTL98XNnNyiIfLE=,tag:2o80+vU71xtPm5MI6hlUaA==,type:str]
nextcloud_db_root_password: ENC[AES256_GCM,data:UH4PKHcvfqbp55I8Ru2AtkQDXP+CJpaY156QjO24n6GbIXGT16G0aKN6bQ==,iv:3YKqu61Mdhy/Q2jfK+bItcRx0YFIB+HYpUgpNkXwlMY=,tag:GsQBfVfwJNufY/jY7oDPpA==,type:str]
#ENC[AES256_GCM,data:zqxETKX7LgG6yCW8n/MUvBf80DeszYo+3TH0HVw=,iv:w+Ymv0DKrE/aPYmGsbCPIhrmauNAlDMTGQqQM7HZrVM=,tag:2wYvCPs5xeerRRpfc5f1UA==,type:comment]
redis_password: ENC[AES256_GCM,data:9QjDXsOtQDylRyvzu+6KaWxV53BuPqUOIIF10YygBvaSvtTjc6MvROqltQ==,iv:DDPKUOwz0DLnE7tHHx51SV++Upmc7isgKNvx9fKBTIA=,tag:7ieGACSPG+FiiWqUB5UDXw==,type:str]
#ENC[AES256_GCM,data:Dw9sxUT5diW1LvGQ/VRkPIfv2KMIoCjlsdYGtr1cU51FCRqx,iv:QDf/zXCB8qIvwRAQM9od6Ger8lyXZPDorZXb/Xg+8KY=,tag:dO/1SxL3fpLWnsEtA0xNYQ==,type:comment]
collabora_admin_password: ENC[AES256_GCM,data:QfjXR22OLAcPewDSDKKRxYXiouzBJ3pTTB8usKq0mEOLOCkzrFR49eWvXw==,iv:BpYApcb6quYdUZ2BxIRJmY5lJK++tQ/PxSOgiIJSDjM=,tag:FQBc+HyTzOyVDYTFsvHVnQ==,type:str]
sops:
age:
- recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ekhQVmprdjlER1g3NGFU
d3pZWk1XbTZXM051N2t5Z2RLem8yVVM3ZUhvCkFrYWF0cW9XbURpQ2VKaDhuelRh
R28wNGVlTndzcGlHa211NWxFRnBVd2MKLS0tIGhRNmkxanBndjNxTWt1bGRIaHJr
NFU1eU51MkNDOU5jbnFSbXVYU2cyQTQKxGGn9gHuxY+1L07Ouq22dvZMjF6uLUFI
GxlyXcV9Eyrz7AI+tliNf8XWULsixcGQ4wAzvAYOoT8JZ8CiWFd7LA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-20T19:27:02Z"
mac: ENC[AES256_GCM,data:qwucrhsdG8HKhyDn9H788SVX376oAyLmViVSr9zL8ffCjDNH620JSkHhF7xzeN2O3/eDqwjSbCukABEiQNV91LZjSHD8fibWvzldPGqxaR2cm/zt7gM995Iu/HnGq2QVBnWfNHey3eGYTtxXZ5zvQ3EUjNw/rbEEFvSb/V2okSA=,iv:RFKkAIhLHyF2Nv643YT52vloT4erDkpXbuEwrPA/nPo=,tag:F5PQaOhz02WZoVJhf4Ryxg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

38
secrets/clients/dev.sops.yaml Normal file
View file

@ -0,0 +1,38 @@
#ENC[AES256_GCM,data:ymRtlDUra9tSxlfNL9hsU/uVhrRXvOu4,iv:S4OfocN3cKcexGEHX54tsuXImzkGXen6U60gE0zpe/Y=,tag:sSmOzlH0HMe4PCsvzpyVAw==,type:comment]
#ENC[AES256_GCM,data:Ih65jpW9OtppD+HkbCFa3g/MB4NNRUS3h5LmcKXCBgoyBIRaRzs=,iv:cXZoc3pBbwYJbs1BbwpygWGhGjEDLH2+RQbwaR9J4XE=,tag:4ipEocSRc6nXNSnMjbtVDA==,type:comment]
#ENC[AES256_GCM,data:QCfMorbJDIKzrocCUxvCs71HpYVxbA==,iv:xc2A+AoixVaSKiKnfi2k9p9fvReY3LD9c9qbOktY3TU=,tag:f4DtSyiBqm11MEihfDUtuA==,type:comment]
client_name: ENC[AES256_GCM,data:7jtx,iv:G34LmmUydqBMQERem3AEmFt3a7zW21y8qi8SFoNjqwY=,tag:ELYpWsD9meZV6AoJ6bfvWg==,type:str]
client_domain: ENC[AES256_GCM,data:iuUtLyEEZ15/A5w9mIWG,iv:SjwyH2vUuwyUWMRd6dBLl/76u469uX3ZbFx6NTWwq20=,tag:xCfT40L3t873A/zjVkKQug==,type:str]
#ENC[AES256_GCM,data:mV/niOOibBhl8XBtZtiX6/A9LIKTN/wE,iv:MQLRhzNeDS7G5SwCr7cnKCZuVxFWURf+cc93IjQg5Us=,tag:b8zmEGkniSt4sPqGXlXEjw==,type:comment]
authentik_domain: ENC[AES256_GCM,data:Xla3sFvlQAR4KfTspgyFe5m1Wm4=,iv:NMWklBKP3NHGk4F9tR15W2UAWIbqa8sHJ9nPz1xHo7Y=,tag:gh0I/5QWpAAHTi3ocMVrwg==,type:str]
authentik_db_password: ENC[AES256_GCM,data:aQmwQyjunCUMCf5zRg62K9n0TWNd3JwAIUcn+RdVW9M5DMwswGozHEqB6w==,iv:7dMnn8hhCzDoMo7f9+ue+b02KTEdR5Ql88UVaFC2RWg=,tag:fcxPOxowaCztEuZtbLKa5A==,type:str]
authentik_secret_key: ENC[AES256_GCM,data:xy+Yiu7q36k7AmMHpcdv00sF0wd/XeUaiZajKHAXZe+/wSVyZfDJcE0svw==,iv:3AgFDCT3gPX9mc6yd2+grmMTvqpfsdYNAmq0UDPf4B8=,tag:Ih0//8cjXyQ7m379dzKAcQ==,type:str]
#ENC[AES256_GCM,data:U5ImRCLi3J9l4h8C2+Yq3o3FWuRW3074OFcQhzUpElCpIupWJLU+wHuUtZAElHA=,iv:b7pr0W1JOivV8aGF4/uDgc0+TfLcsfRMyTvjvwPmDlE=,tag:l3s6Cnm9+ZRuVfMIDoDaxQ==,type:comment]
authentik_bootstrap_password: ENC[AES256_GCM,data:id4NmApo2ywOVHVbSzgMAQGUMCt7yB6hm8vwXkNFT/KjFeZLcV2fyLafeA==,iv:y5LwHTCQh8dlbg0MLLz+jbylKGKXxfpqBN/oyqlLQYM=,tag:ZY1GgC27VVfCfNOtoWi9Hw==,type:str]
authentik_bootstrap_token: ENC[AES256_GCM,data:C9Vb9ZgRWDSQ9OuTTfoq9Qcq54TvKsMghZ9xrKI0HYL0IPhnqe586Ic3rWp+JA==,iv:3ttEhHa9dZD+GYY0x/5pxdt+hT/jxMPayY8oimPyaBg=,tag:T93dy7elwfKt+36LOP93Iw==,type:str]
authentik_bootstrap_email: ENC[AES256_GCM,data:kNv1+u/H18hR8ZkzaXxfnvwGaTL3,iv:qwZlG5j0w34EO8d9ACg72e/iWbVisTMXMBfWhRe1Rb8=,tag:nQHbejCw4+RtmeJk9Hjtgg==,type:str]
#ENC[AES256_GCM,data:WpMiRkwY6pSztpimEWjxDBfyQ1n04vv1,iv:KI3xu+1k6xIgJsfitegukBW5dWeXQikW2lvzb/cbijU=,tag:vvSq1qXuDBZs+7BRgNOniw==,type:comment]
nextcloud_domain: ENC[AES256_GCM,data:gCt/f+oSrVTnJQJ/sHkYDbdyunRrEWxd5Q==,iv:2bgsF0PpqdvqU+7ly2ioYJhoL0nlsObszrwyyZUezZk=,tag:Fiv9qLKnDyvQyu0CCwM8ug==,type:str]
nextcloud_admin_user: ENC[AES256_GCM,data:2QihoZk=,iv:9m6AyYhHjTd1fhogzPCfDUeyGHBVToWZRD8AC87MQTU=,tag:0eWyTlYUEMlE5aqQ/8yFMA==,type:str]
nextcloud_admin_password: ENC[AES256_GCM,data:20ByyEeJBOjz/qCHRo35mLRRG7mnIVEYIMbM1Ngil9ez8lqiwvYlhuuM6g==,iv:KsRB+u6N3+Ts/A9lqIlV6KJGgs0taDwer0u9ZgLicis=,tag:ffitP/5sxtXkRwseaDlfcg==,type:str]
nextcloud_db_password: ENC[AES256_GCM,data:WaQgJt0TVB4ITGJfcMUzrdKIa+BUDSP/m8NL/WM/DMk4SqzGOBbIUOR4QA==,iv:F/+qSV5YjQLlFnEo4xM9dcqZ16/TpzOxKxpV2CLtT4U=,tag:cUKG0VhwUSV2/unYRhUAFQ==,type:str]
nextcloud_db_root_password: ENC[AES256_GCM,data:sj1OjHb12e/Win3eA9CQgK0DSzQC0Q+axZfQ+kFx01y/kqAPxBJom5EvvQ==,iv:ngLUsxQ58YxkyELNh/Kz24Nw398B0qSeBJHxzsnuXmI=,tag:7LxrfnAgFGAMzqGi1IpgrQ==,type:str]
#ENC[AES256_GCM,data:HpCu3pN8ViTgEP4AwNAcZ9pLjOyTW+sGDIpYdMc=,iv:uZCxNQ04KiXn7q4LvEKLr1/b+/ubk8WJYePKY9g0ncg=,tag:I4J8R9DmFiAAysmfWGzLtg==,type:comment]
redis_password: ENC[AES256_GCM,data:t2bYWu5jJ6JdTrOzjBqvbVJJSlv4qkFxpSg4eRhRZMyhiq6f+HGff2fsjw==,iv:/7Nbh8acsmoQskdcN8kY3fXRe6jcwK/vC9JLpA18ziY=,tag:bdffnRdvZ7I6heh6DF5qNA==,type:str]
#ENC[AES256_GCM,data:ut++04KnSSYlD3iRzNFhOFaEvZPArHVbSlikhC2VT5jDlfzJ,iv:QVsOoWjr2vFhERCyMs6W/bGWLlj3UJlBCnQ661MG138=,tag:+WvL/AHwqz/0xJoWJHvK9w==,type:comment]
collabora_admin_password: ENC[AES256_GCM,data:E+BD7F6q9PyvU2g+c/66aCw5YR5G5U3BzMCzcBnseWEZt1Sw8W//ka4YMw==,iv:dLW1jkvgD8Ius5p1SFy51Nb7SURvGXF9AuNy6hnd+XM=,tag:WRkpA4PsuYanb2+1Zc2RlA==,type:str]
sops:
age:
- recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFY01lRTJxS0RzcG5ZQTEr
RERPamdvb1pCNlg3cWpRSWpFUHhCUXdrWVJFCmpVN3h6ZXRjdmo0Q3pvRmJzRWxL
Qlc0dUVTWTNuR1JDSUNFMDRaaXljMTgKLS0tIGg1NHVodm9sWkpFL3JacmplZ2p0
WmhQUnFzSW9HeEh2MWx1NWVKRzFDVWcKVviSyHfzQt7iu3cGp1VExGBVi0zfJ/p1
YddPTbtm3uzFqHwFRPNDcNwJkZXOY2LO1ouKFFr6W5UubRHaHppeBw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-18T16:02:15Z"
mac: ENC[AES256_GCM,data:7cPJP+ELChBnSiTiio6KkajcF7UrrIrUSrkWtg/AfL7DhN2pLNFxkvvBsuYrYMz4myZ6X2u1YiDl61sEGVMgRu+b9qcqQcQvO35tfXSN1j04Tnvl+T9oKAG+bpBJaAkJrbDTRuIp2OjSdXNPl+KCiZ1ross7QImTNXVeosequdQ=,iv:j20TFApriRHirC5CIY332I8RVq4khRnTcKgJVptx4gI=,tag:80VFem7Dl6gNE/rAEqyKzw==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

38
secrets/clients/egel.sops.yaml Normal file
View file

@ -0,0 +1,38 @@
#ENC[AES256_GCM,data:0GANpiSe/t/8nNVeEeF3xhbPLbswHZk+1g==,iv:2Q+TbLECTqw8LOF12qlCpTCJVAiiONafgtqOxOy6jvg=,tag:H5m1lytoOFuWReEnQrN8KA==,type:comment]
#ENC[AES256_GCM,data:As3OROMNLTL+e2EUAZFv7RrJ3p+EQvkOdNjvFNuUSI5iq0xhYNg=,iv:23QHhD4A0VW8ccjMW3ivRsKlW2mNaQ0AwgqTg3LQUnc=,tag:zlFt8r6m+FNvD0Y9d48FeA==,type:comment]
#ENC[AES256_GCM,data:vbx3SU+Yc5p9FaaaTX+lzNScNsmEBQ==,iv:3goZ/7+7erCc186ZPJjnS+01KFbun327rQ2u/ia9NLc=,tag:V01ZFE1y0/Yhp8t/O+X6pA==,type:comment]
client_name: ENC[AES256_GCM,data:mhCH2w==,iv:4oRhdfLMY/IJv+DXiFVLXZ4vBxKk+zoYlDThq7ARfOA=,tag:DojfBjqyXAMgk1cDs8FWmw==,type:str]
client_domain: ENC[AES256_GCM,data:vCltXbTBfuJqj4jk8Uf/Ow==,iv:6hsza3t7nQDNHYEIrYvopSt8os+o1fz7Enc0cJFxbYY=,tag:rwoAEHdsCSWGOKniue8xOQ==,type:str]
#ENC[AES256_GCM,data:36WknJsToqr6KDZgMvm9VsCZwC+BOyIq,iv:lIV3CJXv80WQkTvud7KlPj058xY+AcIg+ti9B+tqRmk=,tag:0Ho8XR14HxO9nrGlqw84Bw==,type:comment]
authentik_domain: ENC[AES256_GCM,data:xRr/HCyiscbPJUIzLbl5muzX4lPl,iv:DzDCwXEgaI65ViKOgeydbQ1XBPBVk8Vr3IPX2HsrTC0=,tag:FzUcBnT84QLjUELO/NepcQ==,type:str]
authentik_db_password: ENC[AES256_GCM,data:EKxxfM01KdXFXZkIe3Odpl2n8I4nbdQzUC6ryN7aM52MHQDzv4Y+z3pANg==,iv:zaG2VcR+x8fqkMyL2vQTonKK9u/KmObyBiE3oFYgwTM=,tag:eS2cQmNoUbet5gBB/EoAzg==,type:str]
authentik_secret_key: ENC[AES256_GCM,data:vojKY09CrpwNdcJR3GHv6Z3HfR8n7EB+qNZs4fXXQOVgk3eqVMSz3Qx8mQ==,iv:RG9f1hHUEHlqRiHXXODJV0HIsIFHib6837p68p1746c=,tag:YqIueX3A07hRAjJmsI6r6Q==,type:str]
#ENC[AES256_GCM,data:VsLPKpx3W6YN6QXhRx+YTAxKNu9IQzGiZG32H4Rwvg8wxje5BMhmuSTR5UJorMU=,iv:QswzckRT9Q51N7vSRQrm13kxECRhfBJpsFooFYHKb0s=,tag:oEC4Hc6AVALzVqiOG/09DA==,type:comment]
authentik_bootstrap_password: ENC[AES256_GCM,data:dz0+NGAa5D154vbjuKpuRnIEXVQfTgUsIOPjIzdxYMLxbbNTBP2z4whElg==,iv:hWR7E+hPMQ6zSgZIaIvaGHPRuW8md/uYfRQ/xeb8DeE=,tag:CRgtDtN9UEk/6DUCFMwoYw==,type:str]
authentik_bootstrap_token: ENC[AES256_GCM,data:e8O+c7DAwwYV91ATgEOi0Hf/i0IfnQoxAQRK+KIZ/Tdo4O0t3Al/6SHl+BFGZw==,iv:9f+tfa9tRhn/yuBSqFaLJndnRDx150zBd3Wxc38onRw=,tag:KOeZnWr/uig4KI5g8BE6VA==,type:str]
authentik_bootstrap_email: ENC[AES256_GCM,data:MlQJIrG2a7f8jRVjRm3pFBTwz+SMCw==,iv:c5MSTtscFb5qFWghRilJqscrqdriju/AU3H4bE5zYfQ=,tag:msz63u6YpGoAI7ulT880TQ==,type:str]
#ENC[AES256_GCM,data:p0JREYAvVu02Qqoz0HoEufCL287NwNDH,iv:2oJm8p5m+KyEv/MedtBjurQcLDer+QMcxjVxfjkljZk=,tag:k87CX+v7zGZbcbjT8s8JGQ==,type:comment]
nextcloud_domain: ENC[AES256_GCM,data:gPyjwlPhAh1B56O2Ua7+hgVYbr3girvNgn0=,iv:jWGVFWDxXuYFqQtWIMlrBn0bYkYzB2vrH46sFvrX7lM=,tag:5/jQQTEtsWoy2i59sR58jw==,type:str]
nextcloud_admin_user: ENC[AES256_GCM,data:v7wuCG8=,iv:YG6aNYwV0RPJ/sfHcSleqvBvkdq+zE2nBjMyN4QDir4=,tag:n987hO4NlJvdgvUqjf8ZVQ==,type:str]
nextcloud_admin_password: ENC[AES256_GCM,data:B5mp8NCWgQclAERE4QXoROeV6nlxwiYP5+hsizIfHctk+iMZldEt9YCJ3A==,iv:xLg6G5lYc1fBVXCy8PnCIpO+t3K3kZ5iYMfBFfZ5llE=,tag:xIi1A1nuwlN4TyrEeN7Zag==,type:str]
nextcloud_db_password: ENC[AES256_GCM,data:vLx15cJfiToYaaAR4eIqWAo1wBLDSCIYznC3SBsngMBKssVkQcQpnpO7Zw==,iv:DNDNz19jU3nATAzJw6/FXyq8QUcsUIv3xVWG02CZKJQ=,tag:mEkQIJgpcQdKlxTey6Zqjg==,type:str]
nextcloud_db_root_password: ENC[AES256_GCM,data:BVHmAhREJQ9U91YiQoLp8trQR1A6hpMrXGUCVLGKSV3xgxloWCcPvF5Fmw==,iv:kcJrzZlvmwAUQRbKe6cFu7BTr5Eg/s7frfTAoGrk6HA=,tag:Z6kUpUx3GeIf073mYHE5Lg==,type:str]
#ENC[AES256_GCM,data:FuFmCCQIoLt38f3rp/f21F2SUEmUe5mew7mafIs=,iv:/epTrJv3iq3Apu82EXzv4cLL6678wDvtEL10xnKN8lg=,tag:dTSwYH1+TWZ3uTAn+8e5Pg==,type:comment]
redis_password: ENC[AES256_GCM,data:2ZRr7+7Nnq09Ozal4FWU/vb+qdBX3njZE5KdzyXPdtZQZ3lkB8p5mgXkUw==,iv:4YXUPxFubIQyIoSYMWc059zGAUPI9dk+YF3V7kn5j6Q=,tag:+0Gi1qZ6HFgjnzah7pGBUQ==,type:str]
#ENC[AES256_GCM,data:uw9XOlYDr7zZK8dx51LFiHzPjKgBlmwWoyPqREd3cQHzwo5U,iv:9luZspimHV61i9oTgpePLJur78Km17lyhrOWjVledXA=,tag:pSezIsLxWvcEZ6rklfJ4Mg==,type:comment]
collabora_admin_password: ENC[AES256_GCM,data:NpAz49/Nu/SAVa9gpfnkdZKuRXqbawVutx/YuGA4V+KL6/mXSJn30EtBdA==,iv:lzDFtpF+3AZ7SQiKwN1ewY6jeWAI0GKO6M6QbxjGGUM=,tag:lPc7ubFRLIOBT0G7fZRhCQ==,type:str]
sops:
age:
- recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3K2Q1VUdWcG5LVmxEVzdl
SXNjZ0swWTdJNmlQV3pudkV3QlZ3cStHL2lrCjVCMHY4a1lTK2V3cHo1UHN0Qit0
aU5BYy81dERuZGhpNzlQbkxnU3BncTQKLS0tIFNGS1NFRk5LamhMc2dOZXBQalVP
UktCNEQ2MGxLM2R0Y3cxRU9WV2hvUkUK3q4VetTBIM/xB5rdALtaNkhVr14XcOvv
Od35KPTjMKjTycae9K/9UAaW/GyqYUhna+S10iMKiVImaNyP+Yve+g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-21T19:27:39Z"
mac: ENC[AES256_GCM,data:hv6CBUEhuu8sdqAjSjbB6fS559RY8nCssdejS1L55/PY6KtLvh/lPhmlc9eIiXwt4gVCO3S5eSguK9FDGN6AcPbCR4oV6abO2HsjoXnkAq2twlY+vvQ9WHnt3yR9ndSu4+8T17WqlQkib7p1Akzns8g3GL8W6wt4A7hW/YcnZqE=,iv:m7neOUmZ9Ou9MCtfGElDMUrOiffX+ROafOTaMK2XfiU=,tag:70Veha2fvdobCEKhLVn3iw==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

38
secrets/clients/haas.sops.yaml Normal file
View file

@ -0,0 +1,38 @@
#ENC[AES256_GCM,data:263AsaFnsT/v03J3dTnRU9reOdPrqBK+Eg==,iv:ihmZCQ8KnKc/qwa34pr/JOj42tceourqSkirLVOlg+U=,tag:1otLg1EwXYv7/EcE197WDA==,type:comment]
#ENC[AES256_GCM,data:6NozW8S6KxeV87FehIpl1qNRpKsdl/lg36chh3egDk2sWn4iNhY=,iv:QwVCpWyFTUpPXf57OdcCqajRmLdXOlNbCoPgEU+7EH4=,tag:yFyiWe5/OI5m/AI5rs6yLw==,type:comment]
#ENC[AES256_GCM,data:jlKWnfCv+u//hfMa/8L3YlUCoyBjwg==,iv:NxvrTJ/lVlJK/JnWXTY/4OhQ9rzjZmQWTWoMDUy9kPA=,tag:T5rIeC1ZmBDxNiA3SG6jdw==,type:comment]
client_name: ENC[AES256_GCM,data:Go1JEQ==,iv:3P3tHtfLbc+DspwK1SVrNyHExioefaVbfA7yXATHHpI=,tag:KY+W2M+pi/xYc7i/5Hb3Cg==,type:str]
client_domain: ENC[AES256_GCM,data:/0tEausGEs9gdL+ZOkRsFg==,iv:iCqkzpRmxzq1O7J8k2GWxocCsJmpkF/lgHHFBS42Evw=,tag:E/Z8URfOFNLx2NGVkbTcEQ==,type:str]
#ENC[AES256_GCM,data:Q4cIm4NebGcflGee+HZZgEX7/OyuwtAp,iv:Gb92l3hzk7e5GQscDwoDBi9YBdhZvOtmrTaRErScYqA=,tag:IEqwdyE6j4u0uGK26hei5g==,type:comment]
authentik_domain: ENC[AES256_GCM,data:jEkOfeF+FQn14QdYfprDFO3FyL5N,iv:LZ7knjGqqBGyKBTRqzSlFI3da2nRujGY/+B9Uyw+ga8=,tag:hx98SqLo3oz/V5BQ220YKg==,type:str]
authentik_db_password: ENC[AES256_GCM,data:jBQTmw7unol2VNI5HHPm6ac8zEaN4gFJpof00JMOr2hg/BKGErnWNYRlNg==,iv:kF/L2gqncz/yHK6v0Mz1/SsiyG1upMG8DeIKWYj0o1w=,tag:WBvL687LuSsdhnkDCCEonQ==,type:str]
authentik_secret_key: ENC[AES256_GCM,data:pY5wvfM8dMYRzNSlwU4vfMSKOxEqJm2IEXsfCHjFtA47/7Ltj31NApee8Q==,iv:XWUacJqrDgutuT6hTtgxEvfhWucQnP5vdce9puzhb64=,tag:y7Hey6dwt/9+VcgMbNxvew==,type:str]
#ENC[AES256_GCM,data:5ucGhUZv2qjbYwI5o8rG1/8gqOX5x0Scip3+/T2EVyH87J+lxYKn4vK6jhCDJY8=,iv:Fff+f7SlljApCvryzqS/9aAQoKCyA5AbWqBNZ01MAls=,tag:rjK2ivHO3u1OVXRwoZOwBw==,type:comment]
authentik_bootstrap_password: ENC[AES256_GCM,data:VwxTylvuPqL/H4ad+Nr85NxCCgvEhAeC3/xa4RZt0vZ/7RMcSkXECIusng==,iv:3a5cvPXP+4wVKsRuOUxepv9idK03qknHPoiGYT4JYNc=,tag:DWacaePwtEiBlcARzXXGbA==,type:str]
authentik_bootstrap_token: ENC[AES256_GCM,data:WRwF8eAyMFaHbCIC7us8KfDZ8FUErkj+OUsyAJziIETC0YPIFOyG8v4nM7MFRg==,iv:RtfGnGWhXDUHWc77tyEbpini6wlD4Zr/FuMfB/Exf3Q=,tag:GZQunFQynvG49FC979FNng==,type:str]
authentik_bootstrap_email: ENC[AES256_GCM,data:a5opY+7AVaGZ7DJR3jhxdGk3hODH6w==,iv:Ea1CRC45PEStquXv7W2M/WgQPnBNlTq5qh1K5ZwG9CI=,tag:VBNh/xVnIYY98Z53CvU7VQ==,type:str]
#ENC[AES256_GCM,data:uJ4wPND6Cg+f0gOnx+a8K88RNrvGxszl,iv:s5NEVK+9buT2607GdGE7hO2EQnEFEGhMABtBC6QVuLg=,tag:DPDxu0IKwxJzUqsr3w8zag==,type:comment]
nextcloud_domain: ENC[AES256_GCM,data:Qit+lD3CB8NrM1JsQtqdC8XBMwS1dsQD7Hk=,iv:p0WFFJpgXeIkBB19o7jJvONEuF8C9i0Q5L+sF+vKu8Y=,tag:8SmnbpSF3euICD55M01bdQ==,type:str]
nextcloud_admin_user: ENC[AES256_GCM,data:EbRJDQQ=,iv:t077WeC7X88/XnoMP+xKSiCG6a3KWftjcwS3lKDxFfc=,tag:ZhFL5eJ7iH1Ka8lawa5tPg==,type:str]
nextcloud_admin_password: ENC[AES256_GCM,data:D1lsP/cOUC13sps8kmRlvazq7lkOMzHv/AvxKRmdlUsEOUC+vaHjl7HKjA==,iv:DHqxqin2dw2OJ5KAWNcCThPJanZd2S+cDNJhfw/trCs=,tag:X0BBH2arW2nsWxHdT9F33g==,type:str]
nextcloud_db_password: ENC[AES256_GCM,data:USgbbNviB76dpGdKfrlT5FJo8NJWs6TDZ1V3HtvBajlaHOVHrg7HZ/ciBw==,iv:5jg7hiZsEtu7D3eoNzzeOEX8/ISMDlIosquh/cnfh/M=,tag:t8yv/jPMtIePgQ6guklE1g==,type:str]
nextcloud_db_root_password: ENC[AES256_GCM,data:pliuG8kF3nhvUfTuXBnTZ8SEn+NcdiMMFYaicCpeSL5b664YWsYA6b9O2w==,iv:8C2ecJUZg4a0Va08cDvelptN3RObL7qpwqunwkFt7As=,tag:1fBz3hrP0wAVtjuq/I2fAw==,type:str]
#ENC[AES256_GCM,data:FDhOFTZd5ODvp/k/7LwJEbSTgmQB4y0C3Dh0UQw=,iv:kryzQXpKS38QCrxVThG3IHV+96+5q2twNRn4NGipSdo=,tag:ZxByg7mBnHlJ0naR/6ZVAA==,type:comment]
redis_password: ENC[AES256_GCM,data:ShoUwNalboMrmEvmnthtCHjUZerRzzS5L2tVkW35S9jEExZaSZSUwfcPLw==,iv:TwDLqrgzRDhuwos3wnyNXA3PmJeEAfquwj3Z+F9qM40=,tag:St6MUoT7tymgjkefx6mB6A==,type:str]
#ENC[AES256_GCM,data:PIlcwi0CYHxJ+2gWR3h8ZeE4LaKUUtAk1E8ERu9b3mq7/jZa,iv:HKO5hKbieTF2P2w3BFYx4WLJ/81stbLYwj/sSa2UvX4=,tag:YFxA45XUC3+zrvgwUFg4kw==,type:comment]
collabora_admin_password: ENC[AES256_GCM,data:DFpT4PXQeQXZzTygONz5Sbi8Qfj+yBkvTf9cnje1EbLwizITA4mnyyXaFw==,iv:PvA3FhLoJEwQrC5jr0koqkcxlYpjBBLINjiIKgf05MY=,tag:b0kfuU077mOwlRb98YSoFA==,type:str]
sops:
age:
- recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2SFZxckxOL0JMRzhFYVZV
bmRiV0dmeU9XUHdtYVlObHJKRjRZaGs3K3lFCmZ6NEFSTlRSTmRCUkJSTFFEZllj
WjBlMGxWZzhLazFRczdkMnhHZ1l6SEkKLS0tIDljaWZnaGxzYXU2NVM2U2lpU1dH
VVZXNVhkTW1xRFgvTmJQM09oRDRJV3cK7ZO0tK0+KTovKYqW5AW0hhk7NxNVi9o8
UAqmY2X1vAV1ekHryLRZtdQ9CpQh6Pc/8D6aGg79ZbHxPMeUBdPf/g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-21T06:50:20Z"
mac: ENC[AES256_GCM,data:iTRh6UXx/EeR/2ZrcUoIvujPt8cVlKEEuSO3x9miMEquZsNTnp8RIXoDETSmNpheXx7gG2jXOvgBbo/Bj52p45/Wo42TgmJGEo7tMExAfDKrx4JZAQqNO7SOGt3Vo8xQ05M6edfsbzAnke7Iz7T41065RYgl8L5qqFdGASAb8Po=,iv:JwIxfaG2nzWy8uRxsz5/b8bdv5HyUCkB9FsVep8EUjU=,tag:FapmKA3FwOOxNe0Diet56Q==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

38
secrets/clients/kikker.sops.yaml Normal file
View file

@ -0,0 +1,38 @@
#ENC[AES256_GCM,data:+OGneTnZcnOaOPgw4zJDfO9lhon2bn72N3km,iv:/nZQnMlDMbofcxjJom4Tm4vXc7wQJCTRbZvzm3wEk2w=,tag:0HA3xkq9oRCwahio+48QFQ==,type:comment]
#ENC[AES256_GCM,data:DzVdDsbfKUPhrR3RfDtNcz5t0eai/DIe9ip30YDHqP1Cy25Bock=,iv:p+B0zs9MJqBY5pskUPraGLBzolkp6mJgfuBt9hNuDB0=,tag:Z6xCRTWDFlQFS2rq5Wcu9A==,type:comment]
#ENC[AES256_GCM,data:UwzF6CrMrTa7w2x1WZkeeu4XlCO3KQ==,iv:515JLeVFc99aDjhZm46YBiHP6XU2054t/JlAMJP8ATc=,tag:tbWqRRIjVVBN/CW2q2tP4g==,type:comment]
client_name: ENC[AES256_GCM,data:OW87HSgM,iv:l9hVz5O9kIpIU8coHFEAi7USAT9szRd/yWEPUJ/cy+c=,tag:nkmXbsXgRFdfLxlXEK3Cvg==,type:str]
client_domain: ENC[AES256_GCM,data:T96fwpdymgEzpWk1AHCuyPk6,iv:hxyUMZRUptennahYciQN5SvaFKNY5L9vbSkod3sJ/18=,tag:1H2qxINQe6+bahDqwg/+kQ==,type:str]
#ENC[AES256_GCM,data:yt18Q2bAXbVqlh1YYhITEi0sqA3ysADl,iv:Ps2WPtuOTYrH4eBAijAxvr6iVwPy7UE4pCVxck+qTRk=,tag:y5yQxqKR55R594815o4ivw==,type:comment]
authentik_domain: ENC[AES256_GCM,data:EGcA/dwACmdF4BxHBniaTw5VbBwcFLM=,iv:a7Br9mBBbRCLrBLtXOVlhyaNMl9KojCky2DnnAorzaM=,tag:J7BY5gGrWtq4K/Fi4vPrGg==,type:str]
authentik_db_password: ENC[AES256_GCM,data:z3hJ1S58N2+e2JSLZDFk4EfZdQnWOHXYXQLpRlq79xMOICfkdNOPk4Xy+Q==,iv:PbJMxOVvnCzx9NTZ7TmuzjjCnAPRfnAhEtgNUndkP24=,tag:iNeufIP3cexO//3HXX1l5w==,type:str]
authentik_secret_key: ENC[AES256_GCM,data:p7XuDZJpX1TB729fnwWSjw8xOiq89n9RuUInbz59yQwj1WZnMbOGFWtKhA==,iv:lCVIG22DPaq3zlWdhTNKkTxoZhHYDSUi/X5HCgd3RxA=,tag:8rb5pgQFSFPqbPb6CyN2Jg==,type:str]
#ENC[AES256_GCM,data:+GpzYBHrXCH8MLp9hNnTq8KQGE21woqupYuhdFsgtXIYNgcDJF7vYpvgMe3Svgg=,iv:9co1ZnzMW6JP0CTF4Y/MpOBSxJJIAHUlrcLV7zqmiZk=,tag:cIMlwU6C4cOCYc2ECGkczw==,type:comment]
authentik_bootstrap_password: ENC[AES256_GCM,data:96NFk4/+nQ3tFX2lWZwWj6G8JbxLVMwYrDghHEC+UebE/QGgV0XpWbmzFw==,iv:Vvqpr3dbxROLEQBe1Qu//8ZcnWeJPH2XBel/4kDn+Os=,tag:yO1ofUIr5fDwiaMJ5Gye4A==,type:str]
authentik_bootstrap_token: ENC[AES256_GCM,data:St6ECyiagUCW4MaBnD8YxUb/BMHEUqeIpvbkokMnWN5SVkBp3RjbsfcHTJyGDA==,iv:osYqlia0kbscK2o7L4tX0BsOXM+RyBGrvnHzBTMoVqg=,tag:xclsy5A/sAECV2OdAzPakw==,type:str]
authentik_bootstrap_email: ENC[AES256_GCM,data:aM5/55cmtD+KpcPuLG8o7Xk8Y53wtiQM,iv:xJl0XP3BROi7Cd5xsoyTJD1WG0sFXV8DYu+utM/Gr0E=,tag:Zng3mRgJlZodmzm1vYAfYA==,type:str]
#ENC[AES256_GCM,data:ewwEAuc2sMr7/JymX/unIrWbPLiYmFCp,iv:RCTjyRNDpbb1KASMaQLivmzPTUqhIj87xBf0sPkAo7A=,tag:DhpjJbmdz4LptfkiK4tuFg==,type:comment]
nextcloud_domain: ENC[AES256_GCM,data:m8wSqeV2KINu4jDEZzJLHWCXCf+2mkD2qW4GfA==,iv:VjDqoqslB2m6iiEwiqFYmSWs3FzFGMs4L27Scd0W1jU=,tag:ZUEyoijAdOttmCPA3jYqSw==,type:str]
nextcloud_admin_user: ENC[AES256_GCM,data:2wJAtW0=,iv:2M24KF/VVNYW4SuQpzRimujh1U4iUnTdXmdvMoDgDIk=,tag:ZwlovzOtGyBItAG2UbVhBA==,type:str]
nextcloud_admin_password: ENC[AES256_GCM,data:aU28NwDezrkeyLQzGqs/P955uyICfPH+Tiqw1MyReERBl3/iAhXzPf7STg==,iv:PCPovUjxW1FIM47bTCuaimkMHY+3W3WdOtj/Utyu55k=,tag:Meg3UOwbNsMHWttSp9VVEA==,type:str]
nextcloud_db_password: ENC[AES256_GCM,data:9KIlpdOY4PrmjqFX8xv5qj4Vi0wcrcKWOAzRVxnFst8YDKaOEwRLvOxT6A==,iv:lpUiKPb2A266p9NLM7rm3zWz5axXp/HM1/E9WhSj4zI=,tag:i7hts7cQCVidJ3Z1drpuEA==,type:str]
nextcloud_db_root_password: ENC[AES256_GCM,data:yDmM51PHybSGy0t5349w0cXOBvb9/ow0a8PooPr80PAYg9IIik3kyDcZrA==,iv:FgbqiKS+ilhmlqkZ7O8UdnvFYeAwjlpkQYO+yTMuODI=,tag:AxHEn1qPSlAEdSyBY8UvSg==,type:str]
#ENC[AES256_GCM,data:WWVZIdIMEoxOQOwJWUgPho2tSHpHtkFtzdiHzl4=,iv:m37ibZwqNOuyVZwo5ImwP4Nct52tAUGPJ9ATC2wRsFo=,tag:eovZH2v4k5Vh726L9WNpHg==,type:comment]
redis_password: ENC[AES256_GCM,data:/BwaUhH4nAKeTkzdOZYksHapMbhiR7BqhB8JTBxvcZUycRKpz4IHjrHKHQ==,iv:bE/6biVZ/EY2CGU3JM0R7MxASM5zd6Bky/1qv5MFzUk=,tag:0XFoF4AvgIgy0zJS5nEMyA==,type:str]
#ENC[AES256_GCM,data:SUh/lkNFWNxcqprX+qpLUp7T05d8m/X33lEiP6e63oqntICG,iv:itrjKHbXWc9MmCcT39JDpWXgBpd/j2j17t4Gi+BT4sI=,tag:W6u02s+tuyE4KADgwzN8/A==,type:comment]
collabora_admin_password: ENC[AES256_GCM,data:kEYIiowJqq8+rPynVbKz7f8J92XoFnZAlK4I1135gIRzpH9QFFaZl+OdsQ==,iv:gPWECbawEkAQ8gvr6qXbmji3RnrFRJyiUmD9B46kebs=,tag:X6vDF0zNj+relaveRZJm/A==,type:str]
sops:
age:
- recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVUVEbFBaZVBoM3U2dDFa
clhaSjNob1VwT3ZMYTViSHd1enptZkZxcjFZCmVxR3RZaVU0NjB4QWNrNm94aEs4
WVZ3OFBBM0pjZVpUblQ5Wi9wZlF0RTQKLS0tIE5nQ0ZPaWJVSHlxbHIzcHc3UTE4
U3dnS2YwRVdvd1JWUU41WGVrcVZDYUUKHCxEWjcs3tSh0M7r58O2lrAlgL8qSum4
Wt+TzqCGv0u3mMTsilTSTtaWqLeMHu9jXvPgbD118KtHrSy3tr2imw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-22T09:15:08Z"
mac: ENC[AES256_GCM,data:kx3z9ok704JFFv6f4ffkLPrf0EifQKoW2HsZ+ff1mWUxAm9seFpE1OhmyU3SpSrndmbKSANVMOI88eXne/2w1plqxVYUp75nS2f2fAKTlssTEVrH3vvWS0a7O9McGKgGIQUhzjSiavsrReye7ok50WeiQSlgnzYreM9FBk46c2A=,iv:0ekt8pMJCF9hhRh3CahbKb44Pq/+wordmoe3he78Kg4=,tag:AReHlK8VvGQHy4m8uqK+lg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

38
secrets/clients/kraai.sops.yaml Normal file
View file

@ -0,0 +1,38 @@
#ENC[AES256_GCM,data:tFeRrhiv0poNJKknFOXi/jTCauHB3FI7HHE=,iv:vBPdvel/tDeZbsgy9ThwBAnLfn3/W+atKXrhWaDnWYc=,tag:1FIw+vHdpnEi9PWaCL7nvQ==,type:comment]
#ENC[AES256_GCM,data:wWjTifXRNQ25dM+k4W8cMyolIMQ+zphKe2AYiMuEVyIBd2Evdv4=,iv:Q6/LgZNSv3tee2FcHXUZ1wIvSR25aoiqg7BAyWgWTKI=,tag:p5LuG2OMb3hoYPgK+ab7mQ==,type:comment]
#ENC[AES256_GCM,data:RjmOnfVrJ/8xJZaTlN6OGobGGACNZQ==,iv:4FBY1WOfonv5WfKATTuZkEsqYPicM1zcX8qWu+lTk0Q=,tag:I025riqowW5FKUezBm0GZA==,type:comment]
client_name: ENC[AES256_GCM,data:E38tnNk=,iv:1ilhr+3A7QALq/WELOwxoJG+dJ71u83xmZUEQELzGCw=,tag:LbfHCLGHzMMUQavS/UP6Lw==,type:str]
client_domain: ENC[AES256_GCM,data:ddZVeXV+lbYKVZzeJ1Z94ME=,iv:AeWmpKnQD3+72NnygSh58mH/GLd7eQtdBHx7yW1iUWM=,tag:6KIdfvmcrmbFL1bfeXtetQ==,type:str]
#ENC[AES256_GCM,data:icjtWREHoSAGN5rPbdL4j1XPeMZuzEoS,iv:sIuJcsE+rO0sZ5qhdNK6PGxtErrv2bm2HCi48P5FQKQ=,tag:P5plYgUPY9LNOQhpux6fSg==,type:comment]
authentik_domain: ENC[AES256_GCM,data:sxx8OXgDXRueC6s1yBuM6lgxK46beA==,iv:3hTgWXPRkSaNn4juhC8YnHu6WzydErGHlIAnOKTdARg=,tag:1iHZhBfwChYV99fvl7bAcw==,type:str]
authentik_db_password: ENC[AES256_GCM,data:/P3gQbozHLINd3KQJA/0u8MhUqhMcz6MOoLVH31X6cwmGv2q3y6KeBA8gg==,iv:stKEPGqH4EMc3h3afSX2pP3dEos3H8+mJ9o1LSF224k=,tag:7XtR6fRYfqJ4veuUlpK/vg==,type:str]
authentik_secret_key: ENC[AES256_GCM,data:/1LY8xqI9A5Et20mkY3X2y4o6d+ka7/vqNSxQS2PJ5LAMTAEt9qbX2rr1g==,iv:v93bXYDwvXgifMLngG25qDaXPR690LWeQjkTf0fqNuw=,tag:0JYsyKSJFYWAHYawDybfGQ==,type:str]
#ENC[AES256_GCM,data:Mw3fsLyDrw39Q2OWiyrtEdls8ub5fTWEqVmGeLTg0qkpvzsrgWRW/GiPW7SYbKU=,iv:qHqh5k1N/GaxbTJYRvPZm4RfYc0MVNDXdI7skEBBqvg=,tag:tQ3OQyNLoBymibw59GG+VA==,type:comment]
authentik_bootstrap_password: ENC[AES256_GCM,data:RDvAMIvOYmxbwxSjb+kXqmh8GU1sSA6KHqSh8UecjB1k7F5auXN6O8ETfw==,iv:S6DC4/UTMRy/NwhnT641q+ary4638hdLPSJ2duivgZ0=,tag:8etXMMBlgVz8pM0trndyOg==,type:str]
authentik_bootstrap_token: ENC[AES256_GCM,data:m467HmEab1OSqAzw8Yi9rcL3lRkJJW82k6nYlFiXj7UOgutJtT4BxUaSfMdUxA==,iv:8bi5CITxJK8Mgr0iSB3aD5I1Wm1+c/SL9GrBKKTIqdA=,tag:IhRleBBgg6C7ARgPwnZNcQ==,type:str]
authentik_bootstrap_email: ENC[AES256_GCM,data:ncj8km/6ocTdl9OuTQDjT+bL/z/P0lw=,iv:LYBhp/J6jdl+WbaG4kmRqLaqrYfqNkWaHkqC2QAIUcc=,tag:lgay80kux5aV/Ed7WTB1zg==,type:str]
#ENC[AES256_GCM,data:klnql0MQeS1KXd/3VjVW4WRjSl5yg9Kf,iv:+v30PZBWQVnFEeeQI2InGf9kH5tvzgZnD5JCOyBnEHo=,tag:UHNaI7WU6PhzhkXkHTYtvA==,type:comment]
nextcloud_domain: ENC[AES256_GCM,data:RPe7IOqz8pL6ZZRxTyHnHNhGDMc4ZhJ3zBNu,iv:yltqNWZA9JrLz5ZoMPj7NtQ9JU5EC3cRWG9U3hz+Js4=,tag:bcC78v08TVv+hpzD5p/mmQ==,type:str]
nextcloud_admin_user: ENC[AES256_GCM,data:uscegTQ=,iv:vK0tQIFNQZ1onK70GEy23VDfh7zcofxwyjJXEg8uY6I=,tag:wwna86Sx35Cc6QIMehfDPw==,type:str]
nextcloud_admin_password: ENC[AES256_GCM,data:SC7jJfHvbaqynl30IdJ0wjy1Jf37eLab1VBJI6p0w1aT35EA+GCAA8HmzA==,iv:PwYkMhyHuZpiRqN53BOMFSBBUBM2mMfTVOOatNTWB1c=,tag:hnI9EUmZ9vI9w7bCT3bFyg==,type:str]
nextcloud_db_password: ENC[AES256_GCM,data:CLpONcvumICrvxk39UK4ev7wneE70DPUoqx9Gl2N1/A1M3oOYexVbivFAA==,iv:hWgXELPBooRql5wp3O09OluTn2KBfTL98XNnNyiIfLE=,tag:2o80+vU71xtPm5MI6hlUaA==,type:str]
nextcloud_db_root_password: ENC[AES256_GCM,data:UH4PKHcvfqbp55I8Ru2AtkQDXP+CJpaY156QjO24n6GbIXGT16G0aKN6bQ==,iv:3YKqu61Mdhy/Q2jfK+bItcRx0YFIB+HYpUgpNkXwlMY=,tag:GsQBfVfwJNufY/jY7oDPpA==,type:str]
#ENC[AES256_GCM,data:zqxETKX7LgG6yCW8n/MUvBf80DeszYo+3TH0HVw=,iv:w+Ymv0DKrE/aPYmGsbCPIhrmauNAlDMTGQqQM7HZrVM=,tag:2wYvCPs5xeerRRpfc5f1UA==,type:comment]
redis_password: ENC[AES256_GCM,data:9QjDXsOtQDylRyvzu+6KaWxV53BuPqUOIIF10YygBvaSvtTjc6MvROqltQ==,iv:DDPKUOwz0DLnE7tHHx51SV++Upmc7isgKNvx9fKBTIA=,tag:7ieGACSPG+FiiWqUB5UDXw==,type:str]
#ENC[AES256_GCM,data:Dw9sxUT5diW1LvGQ/VRkPIfv2KMIoCjlsdYGtr1cU51FCRqx,iv:QDf/zXCB8qIvwRAQM9od6Ger8lyXZPDorZXb/Xg+8KY=,tag:dO/1SxL3fpLWnsEtA0xNYQ==,type:comment]
collabora_admin_password: ENC[AES256_GCM,data:QfjXR22OLAcPewDSDKKRxYXiouzBJ3pTTB8usKq0mEOLOCkzrFR49eWvXw==,iv:BpYApcb6quYdUZ2BxIRJmY5lJK++tQ/PxSOgiIJSDjM=,tag:FQBc+HyTzOyVDYTFsvHVnQ==,type:str]
sops:
age:
- recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ekhQVmprdjlER1g3NGFU
d3pZWk1XbTZXM051N2t5Z2RLem8yVVM3ZUhvCkFrYWF0cW9XbURpQ2VKaDhuelRh
R28wNGVlTndzcGlHa211NWxFRnBVd2MKLS0tIGhRNmkxanBndjNxTWt1bGRIaHJr
NFU1eU51MkNDOU5jbnFSbXVYU2cyQTQKxGGn9gHuxY+1L07Ouq22dvZMjF6uLUFI
GxlyXcV9Eyrz7AI+tliNf8XWULsixcGQ4wAzvAYOoT8JZ8CiWFd7LA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-22T11:05:15Z"
mac: ENC[AES256_GCM,data:6WsLQi7a3YNlx/1YnvnBpt/6VpweZNvIEh77GsScWkSs4PqmIw8mDoMelcCfk8tBNJyeYwlGC2OGIcosu2j6YzQ5R4EWXdPE1P/yyAn+ISB90XalkSTI4ENInrDObZvcDsI5YnnOoKlE/SAVwW0kKCLgEwd+KPeWzmPFGg/1R/A=,iv:veISYuAHivnC3KdMqJ84zUeC04mhlwSsIn2X55bSLL4=,tag:CUYKa6KgmDnw6y0dCNk4oQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

38
secrets/clients/mees.sops.yaml Normal file
View file

@ -0,0 +1,38 @@
#ENC[AES256_GCM,data:nDHmEIQrxX1Pu11WWGfMyNo3gyhtySV0vQ==,iv:gTJ1bYCQ2DZtqSOTy4T3za5/O+tnHxcAuya9UOIcf7Q=,tag:e4fwliLES/Bv5DeACcjAAA==,type:comment]
#ENC[AES256_GCM,data:ck1Dp40dTIZ84ehfBqIEZd242WMzBjmjqOgXMyfdf84gn1Is1xY=,iv:j9sbhYriH6qWWI5G3gw0tTS2NtjQX3wU40A99FflcGA=,tag:hU6UPt1n7QsB4ziLx+7Zog==,type:comment]
#ENC[AES256_GCM,data:lx5ejDrTXucx+hg5tqhUvpqxT59avA==,iv:xG3VE978h/itkDTnQdb6eFFkiTx/hCHHpa3FY2wU+Og=,tag:pnX5T91NgzYXKOmph0gMcA==,type:comment]
client_name: ENC[AES256_GCM,data:wQt0Xw==,iv:geKwR+D090w3Z9cYz/CXtkPxl63/TbYgNMoQw874Y7k=,tag:0JaDBDVHtdVO+SrO5uEMCg==,type:str]
client_domain: ENC[AES256_GCM,data:zvmzOyldRRKq5iLqQvl5Vw==,iv:P6/bTwdkOkjYNCsutAVo0EReIepDo/hL+XiTFaoHeV4=,tag:cyTr7kIJ7wQa4HV3rToO3A==,type:str]
#ENC[AES256_GCM,data:DtFzZfzpBcTQTDC3TI1T4auritGFQIUE,iv:EuoaqcZX8jWn5X1bIsnmMaNX64QexVkLw2rY3EdIJ20=,tag:20bcj0D4UCQzj86ysDg54Q==,type:comment]
authentik_domain: ENC[AES256_GCM,data:xg5NwpJJvKgjWChjRbhb1JQUEAHf,iv:ewb05t2dHqgVcQxQXpsjYemWWq5mY5XiyP6HtCnq1I8=,tag:PD3wNOw3HYHWwy0epmRDlw==,type:str]
authentik_db_password: ENC[AES256_GCM,data:J0SfjEIAThTHoch4r33Tpd+EE9gcTagzIE/RfQ2jm2UUweg47/QH1u6RyQ==,iv:WC6aapw+m/jX0sjhNtSfi6Kd75Fr5YUduj+G4+4STDE=,tag:Mkl99nCwb57SI71E62g2HA==,type:str]
authentik_secret_key: ENC[AES256_GCM,data:5Ru4q8mccdW06CXzPcSSqMcKhE+CAczwytt3Exb5WL+fub6472dl8zTQNQ==,iv:2eKh3o8sfG/eCgnDQslCMLL0RTQPDG4HQJgsihqkhSs=,tag:8sdP1BDJMQ5P7cixm4iyBg==,type:str]
#ENC[AES256_GCM,data:Ga3iv15rbcUYFnPAZFZha37LM6jBJSAwUC69TjG7K4pHQDRHh/zd1dO0ajiDACY=,iv:Pbbqlfdtts7e9QmX9kG7XT706pmUJ3tj8zWsUWSJrgk=,tag:vxGsVR5AY1wg1beRGGry2Q==,type:comment]
authentik_bootstrap_password: ENC[AES256_GCM,data:h/HeW1PwVSJtMhbL+ty2b34E+9sfAN7smcMFsfF1kC15rUcQ4/940Owr6g==,iv:WU4tqoArtyftsy/uAdYs8hfYpb73YXLGm3yu8wOMc/c=,tag:rvYAUsdBWZYwb2Cbg1huLQ==,type:str]
authentik_bootstrap_token: ENC[AES256_GCM,data:8wp7ZsxJK8fpyMd0iCw27FdTd54t9eDWF35O6oQ8pCz78uDO3MJbgolRdqlBEA==,iv:O5d5P5epsLdP6wxf8cP7TXqNGhbJnZwxWEZ976TxNj0=,tag:HraY3oocXLyLaOkBjqeQ7A==,type:str]
authentik_bootstrap_email: ENC[AES256_GCM,data:Myu8GgKcO53boxzzhmV2E6QY3MgCYA==,iv:c7rPSZuCAbHtRwV9y3UhcR7AP67WcKHSVMVybsBdRi0=,tag:rCT68PXIGdi7EueTKyEG/Q==,type:str]
#ENC[AES256_GCM,data:WJqMdpKOg+zsX1ASUeoqspYKJxHMeCFW,iv:IfIZCIDcx65BY6wXp2FN2E9l9viW4vTWreLnuUJ3Zs8=,tag:VExM0tQg34RqAzLgGiLXYA==,type:comment]
nextcloud_domain: ENC[AES256_GCM,data:dxYUrXI+eJZQTxr5h9QYWs6feN7iWeeF95w=,iv:H7C8wi46eERpI57k5vAyC4AJDsyyp/R+TAoDT/DGXpY=,tag:sHGb8/WUAiO0o4Krrp1K2Q==,type:str]
nextcloud_admin_user: ENC[AES256_GCM,data:c62OMlM=,iv:tg0Ij2+GNLMwCvqSDkxbdhHbmFPtMb0ZzRMwJUIxFsQ=,tag:20qJfwFGy+G4bhJdYU3WLQ==,type:str]
nextcloud_admin_password: ENC[AES256_GCM,data:i+ysZEftt7iueQGMk8vROi4iwkfb926Xj5q1O0N7AlDVfyKS6wt1+9hMyQ==,iv:JG8cGdRFUKE2qEuy8QS5U4ZzZuZ7ie6iE1XYn/Kbar8=,tag:wpPi1qCPcQXtrBbkSVZ31w==,type:str]
nextcloud_db_password: ENC[AES256_GCM,data:cB0dHH5fsDLylnjB24XERpCnXZ//ailF9REEobhyHsaJRzA6LXUtfpO/Yg==,iv:QdKCF/RFJLbwYIeztkT++y/1EPA1HYZwplxqf9u2ST8=,tag:ckIBUQ2oWDUy92QqlETuHg==,type:str]
nextcloud_db_root_password: ENC[AES256_GCM,data:yYDL0RHzwAM408tUyreIu5vGQcs58pLbReUqFY0MQ1fKBgOVNlBpF6tWPw==,iv:kG/B56x/Gh2leopPgIFdfvJQ0XFWlMrNQPmvzhTfDnM=,tag:HPpsoQGv9ApVGcDKQ3JPjg==,type:str]
#ENC[AES256_GCM,data:eHzQOLm/jWa6QhUi1zhZCf+s/D3sABuVbMmPzXw=,iv:jyTY6YppOMyZbbKzLcE/fxCaFV8Ua0Pr6xj9WnIsNTY=,tag:0jk4nmcIBziBPb43+7YskQ==,type:comment]
redis_password: ENC[AES256_GCM,data:zPswVPsKFMl5FlOzSof1Jn6qDCA77WIBCeXFrm+mR/x6sDDInfp1jTWnsQ==,iv:I02hJFCuLkFYwBWgkP3lQBkVxX49BYYVPzCMBi9QxCM=,tag:1rc5zrmm8SErEhiORVXjag==,type:str]
#ENC[AES256_GCM,data:jpXkEZB0CrHeFNNBbEjzyn1hXPpnIqoTPEtkyjaukBc5F5A/,iv:dh5h4H4ZkjcBbO4BX1M04uNn64V30szSPMBvY3Yx3IM=,tag:bDyIybKZajGd84xM3AHFrQ==,type:comment]
collabora_admin_password: ENC[AES256_GCM,data:QCGMIFOM9w3ZdfHLOEl4+WQU455bk5ln6C1Bs3P7lZ/mIVp4ltZQUY9UfQ==,iv:8773AVMUj+SxLCqQmP25onnlTBSCjsHMqQUAnopNpIc=,tag:hOaCO0pGzu538WA+lB1sEg==,type:str]
sops:
age:
- recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5bThsRTRXVUJpM1l1eGlT
YXdLankycGlpTWdTMXJsYUVHdFE1K0tBc1NFCitLUnVjdlVBK3poYzd6L0trcDZi
TmtCOXdHWG9DSTdYTmFOVjRvTUpWYnMKLS0tIC91aWgvZVIzaEhCb0Z5TkFsa1pI
UmRwMjhqZTZUSDFKZloycnUrbGdHTVEK0+u+Y3FRNT8My2+xRY9Lnjv/GHamgx5y
/mzWgXUaqbAwgSbHBKMjh8pIHoaAwDY97k6jvRUZ2Js7im21Aq+qmA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-21T11:38:58Z"
mac: ENC[AES256_GCM,data:AgPn2dJmYDIKji1NEmQxbCxWnUwnS5/h/+k7uB7QqGwfwP+jRO3Mr9UW532Pn0UxxjiVHFByXMmiaf+QiFjE5+OVgmMOh2OwltbIC87f4NVeGb4SusFIDFMAPMBWIHremeMwIAztGhtM7dwi2EaxyyHsiaaJYtVkbmzrnFhH3l4=,iv:oKOvax++BObkUX8E6ZIlRpYpKirnqy0DQx+qrceT/eE=,tag:NEvnbyltfaY333rzF1zGTg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

38
secrets/clients/mol.sops.yaml Normal file
View file

@ -0,0 +1,38 @@
#ENC[AES256_GCM,data:RdqH+wYWCgAVstaIUfbRv96cH+RrxFHh,iv:0Q5HV6Q/bg/oS6KtUBGjIyQMw8Zgty6osDh0oc8ipMA=,tag:6CzBxe9kN7Bf0yCdQefALA==,type:comment]
#ENC[AES256_GCM,data:CqCuxZQYtcjnI6gptclKrAAeRUctw4NtHLydoyDdrqYuXTKwHZs=,iv:+EJcbrL4sW2u22VZ3jsetOnCimPpftQ07OLf19z6++8=,tag:+3Dprdl79C1BZtOEF0Ii1g==,type:comment]
#ENC[AES256_GCM,data:fDeInmn8uIqJlBMUEzM0jBHh3so25g==,iv:jHekZqvM7G/93Bg3+0SAURNVh1pTbLmjMvOh0CXmTFo=,tag:HnRSv6MYdfa1Pqbf9ywGTA==,type:comment]
client_name: ENC[AES256_GCM,data:W5+k,iv:fq1/jwCzgkqPPdBb0ZD8mKAtOGCSkfTb2H9xJaRpc8g=,tag:uL9WCnsfybaT9nUCZRWAGg==,type:str]
client_domain: ENC[AES256_GCM,data:1FlFZwI9RcCM5yNN8lKz,iv:j2+yQ/ipOHXv5a0mPeoXOYqZYpew3/cxyL6i2x3EtDQ=,tag:HdoJ19j+Tg9gGrGdi83GZA==,type:str]
#ENC[AES256_GCM,data:Qp0bKgcF/I3fmkzQLYVgmNFZGo7K4na8,iv:LLNsKjHmTnTvwVp8PRsWGx+kgVlP+KMX+1kUF+BEWWY=,tag:L/ON6Xd+2LwXxQ4N2rd0iQ==,type:comment]
authentik_domain: ENC[AES256_GCM,data:dxG+fMJkp6DWw0YyFcwy2ybrmg4=,iv:y/n6oXUwddMfrh9GelEfcpvz0w/L0oLS3OEDlurxkyk=,tag:FPn4NGstNO+/zxKIRujW+A==,type:str]
authentik_db_password: ENC[AES256_GCM,data:qZenOCjcUeZezRD5KbwMFgGd6Bp0pJs85NwUcZKr9ZCVIVz0sK6IBthR7w==,iv:IBe2wdaEa+5rBpV5tnViviPJnlSKn7WaAoPe7/y+xpE=,tag:dO1PV5Ipb61RITiyq54jxA==,type:str]
authentik_secret_key: ENC[AES256_GCM,data:2K0ZNdyI8SQ0xeEHOe5Rgmtko+bQwd46pYdxTD798r/ngtT+m536PMzuGw==,iv:ZlvopRCOjx+dQu7faD+qYhKqkT1zFcdPSD1c+CNQMoU=,tag:jF0KgAXwsdHZ3m2TQRt3SQ==,type:str]
#ENC[AES256_GCM,data:O0Mvr5fB5iJMxjr2HxRYEFN+ErzvHYH/t9OPmasX0uoH8zC8bdrn85q3S2QkuGE=,iv:bmut3zKKAMl01hHNj6bY3X6CtzeDjKxx9AquLOaZA88=,tag:KN3VH2f1Ndtq4MRqhFCGzw==,type:comment]
authentik_bootstrap_password: ENC[AES256_GCM,data:+hkED2QPS4DI9WrXICe05unKFa7t/vfwgWW7LZFU/qt4g6Td+JyIRiXMXQ==,iv:d7y1w4Znh5dqL5jDREd0HSoMBYjaCkpkjpUu2yMtVJU=,tag:cXK+yC+6sDWAmJrSiH4JKg==,type:str]
authentik_bootstrap_token: ENC[AES256_GCM,data:qKcmlg4yGocun5azL3psNUGvgdTSCY9qI4qcJAoRkbZiUoM4qtQ9sYLZNmFkew==,iv:Vq77p4d0Ts57McXm5T9hPt3INBRAToxNpT4jbv8ORzE=,tag:OzpbZvmwws7wyWXf/91W1g==,type:str]
authentik_bootstrap_email: ENC[AES256_GCM,data:tLFpuy2pC4QBPmLOo7HTep7YPi3t,iv:6Jz7ORj12kw24e3RvTZEQI6h4Fqj7cN7e5ucNvbMtvI=,tag:t6UI4RdNTtsfIdArzoZ5bg==,type:str]
#ENC[AES256_GCM,data:6GO38RYO9CeicXN+AqbMUNUAU+cxOdTF,iv:WuhMYR74Lk+V28wIKJVXigeH9kuu4IWAWXtsacLGDv0=,tag:1Ec6KJq5G2tzqzWwSrzLGA==,type:comment]
nextcloud_domain: ENC[AES256_GCM,data:0t9HBZO0c1Q5996vhRpcKOgaW99RXY0OBA==,iv:5UgZu2r3ng/wRmv0pQWom7C/2Yp0KsIdE2m6h8asIIU=,tag:QtmCdmmkS8ZkUPjEbkeXdw==,type:str]
nextcloud_admin_user: ENC[AES256_GCM,data:qavi4rQ=,iv:4vZNZSyPrKfgiEmhAvmS0g6+mkQhhXB7cIVu1UHYDWM=,tag:k7PcSi+cIV+OUrfQJ2zXGw==,type:str]
nextcloud_admin_password: ENC[AES256_GCM,data:ijbkHPbCFNKQzcKb5pKNhNwi3loqap4+hNCJXryQHvQp+ANLjDKgpJEmWQ==,iv:cK3hVTvzDIektLJGvZcG28pv/j1STWcHjZDW+2WDeXQ=,tag:yNeK7k/oWjp5n9c1SVXB7w==,type:str]
nextcloud_db_password: ENC[AES256_GCM,data:Z6d5EatnFo274B5p+Nvm6RJ+ZrFPXb4hcIa1w3Sds7KiruBUTO5gOaS6LQ==,iv:XfzBxp3Vx41imjj7r2b0qlp7bsNd8xzfMcFpTj+vhIM=,tag:b5ZYfiNnEiyMNHA7PKN9fA==,type:str]
nextcloud_db_root_password: ENC[AES256_GCM,data:f/XTZ2Qi1436d7sAlxTwblI7C+RDCXci2rEpOtjFkQ6AvzJh/Glnfah+6Q==,iv:VIvUU/Xg7hdHM2EL28L5J6dMNq4Ja3aAqz4AqYj5coA=,tag:S1wlmhruRnMeK1CcU3d1UA==,type:str]
#ENC[AES256_GCM,data:6nio7dp/aucjQ90gvMB2vtp3gaT0fGlpHo43JF4=,iv:X/J0/GVAc6r6iibkeF75+rUNho+QNrogCf8Z1ytZmVg=,tag:l2Z3qJHpa57uaH19Qam7aw==,type:comment]
redis_password: ENC[AES256_GCM,data:7Y5aJUlLRAflGnwfAvVmuRsMSFf1BuX4wqttSUBH2pd2Xo3ni/sUzwFwcw==,iv:0LAtF5Ok6DMXQs/OdPNClkX6KoKmgHBgDITzLJ/x8i8=,tag:AC4IdGdXQKtjj/TNXJk4Pw==,type:str]
#ENC[AES256_GCM,data:hmPRuxO2AUuutHtQFzCVIwZa89QefbPwoy8J2BCvyMcqwdnk,iv:ttxTseQfYHpC5HAnRbQ49kOXLrAURsB0S85+AK/sSWs=,tag:Bay5IyyPbc52Ei/Yt874Mg==,type:comment]
collabora_admin_password: ENC[AES256_GCM,data:/YRfkl8HNjzaWGsjKr8X4j6kQqQ4BisuvcSiCWkI0M4FnlrrS7mjsIfwmg==,iv:wRY623bkVdilZl1KO0NpNrW+1WVOGCQmFPuHKHQWUok=,tag:x1bIVqiiKNgbUbWnsTcSbg==,type:str]
sops:
age:
- recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSMWVIajJsR1Y2amY1aEhk
S2hzMXZxU1p3bXlSdmkrazlKU3ZMM1dGSVhBCnJST2QxaWhHOG4wV0NVVnp1VXNL
Q1RpWTUzWVFmOUdEcjVPcUFxa3hPcFkKLS0tIG0wRGVuVldoL09oMStnMWhnZ1gz
SHNhUjQxUkFUdVA4dGVvRHlKWFprSE0Ki4fdUq6+Qo94Agl/3/+BQC+Nv+TTNhzv
mZhzHk0eNJBbnbMpF7iGgupmSFb/i84KuE5G2d37d2WLAoyGXfvong==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-22T07:17:12Z"
mac: ENC[AES256_GCM,data:JplSf3ioj3e7c/cSItAH3celI47WChGs4f+VyEPPoka5aYoBfFghg9pLAK/G4Kfp9xle7ePQiskf9kdQtchmT7AdO7KhzI6/5A4Sqd7nuErASE6WXFQNzUT6cepeUO8/bmkUajkiJLkNM27taVgL1JaK/yf85jU/NJa7q1DoUbo=,iv:oOQR85sm+7ZbXW6h7jhHtP3COYOH2HAVP0aauVualeY=,tag:p8ov1f+F5O3dhysrsjipBQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

38
secrets/clients/mus.sops.yaml Normal file
View file

@ -0,0 +1,38 @@
#ENC[AES256_GCM,data:YZA9R4wwAXnkrXNFaaT0omEYVCB7kk9H,iv:QsxsOjBOFrmpYJK/2kcV2LSA8ceYoepiSnKIHem/rQE=,tag:bRtBKlFBhpTMKN4AB3eZ5A==,type:comment]
#ENC[AES256_GCM,data:un9/ID4C+fJ6nzFLT0ycrrcdZlHi32eC/NUasU82WtJUTIA03FE=,iv:ryjN1H8tMmkG9BZf2Y27LpF4SzqiUjYlMmLyvX0zTNg=,tag:0j9cG9Y8MRbQVMLJlyR8RA==,type:comment]
#ENC[AES256_GCM,data:aAWxqRPPzOaiuvEsoZAqrzAzA3eeTg==,iv:yPjRlrXRWJsefXaWUEmaAvRXL96qKKAX2iSLVojzyzE=,tag:K9hJsHIsE3SvNEPqb+VnBw==,type:comment]
client_name: ENC[AES256_GCM,data:FQJ6,iv:S2SrrdpkQKbN3D8a16U5dfiyu9hh51vsfonBYrHjM3c=,tag:xKTiG+Xgw5YRfmYKU9U/KA==,type:str]
client_domain: ENC[AES256_GCM,data:8QS0uin4ACeo0FE7P/u8,iv:7rle27f1LTWhwjL2M2yj/0L9HGae5nl72YaAQqJrVi4=,tag:W1VNH4kcsoaWiFVPrCzcDw==,type:str]
#ENC[AES256_GCM,data:KMngZdLTSg/jkX4gKZVIUoDavjj2sl7e,iv:93G1744rfbEm0yrD7IezXZM/dHSN8M7Txzj9rO5OVoU=,tag:1M/dOckZVIN6Pr2ZXxmWCA==,type:comment]
authentik_domain: ENC[AES256_GCM,data:7kY3IQuzvK3qz2IQv40TkpL5na0=,iv:jZZRvz/Z1pAUHFmBjuTN8Um31ikwF5po8Wxi+iDAuMc=,tag:NsDoCYO2FPWqE9hD2oJ00g==,type:str]
authentik_db_password: ENC[AES256_GCM,data:se7eQ0H5ZeLWFpWKxxIiLcfjdkoeP4zGoRlvmK9/u2V097LOq1qd4tCEAQ==,iv:5Sx3wFmOZjPi086GtGz1+OGz6NHV6qI28+HeeI3YBeQ=,tag:51dNJyRSwsHsz5ioY9bmCQ==,type:str]
authentik_secret_key: ENC[AES256_GCM,data:BvC7iQvyQYAeUnF8+bcvULMn0WobUl4E8ITU82ih7LbiwIKvEEIWai6GPg==,iv:GCWiwaCU9WNZY/m1DuIKGvTBPud5MwskGKTAZWh9VSk=,tag:dbdqFg17NgjU3S2vNIYPEA==,type:str]
#ENC[AES256_GCM,data:ExyBmA/Ulbw/LqJ6PZVPgKZfoqkz+dv3wuOQF5vkWn0dh9skvO9soei2xzcMmdo=,iv:/ILkjORzZrbbPIIHQ6Tc5RUqv6CELpt1N58TTH1Njrk=,tag:el/HVmO6olMDdGnOBn6TaA==,type:comment]
authentik_bootstrap_password: ENC[AES256_GCM,data:GuIxtvuktBkr/oUJxXN0RM+qk+3FcfrcOGZ/ewZh5n8wfzIN0Y7K5FwW6Q==,iv:3JZz9nRPcgZxwIJItx5vR0BUDrOhBegp8YluUhaA7fY=,tag:TFuXV4WSYFQgHkwpYAYbRg==,type:str]
authentik_bootstrap_token: ENC[AES256_GCM,data:+qdNWwFFuv0DvTUDFkTQ6H4VzZdyxZajMuahT4C9CVIw6ozsNaR5hqLnr2yMAQ==,iv:2OPzFT8a8X7thPx+UghHN5AyG+7YTaBCs7JsNab8L4M=,tag:YgyidHgea5csHjsnF0IoyA==,type:str]
authentik_bootstrap_email: ENC[AES256_GCM,data:4oppBPW3/0IVczASXStlZ5pkAhuh,iv:fq1x29fkVHLAD/A0jObrajfvW5SJdkn1plWuoT15uAU=,tag:4p1GCwoeUm5YTBV5h5vdKQ==,type:str]
#ENC[AES256_GCM,data:J8pXk2AS/DjJITzESevYk5bwmOFk7aSk,iv:MT3TjZJimnMREBUc06awyRo6MBTLg48AP9FZ9kX0+oM=,tag:+aLEod6hYLYpxF67i3hCJg==,type:comment]
nextcloud_domain: ENC[AES256_GCM,data:SzcFMO0GtLbOwY5FDxRNYHHwLKnJj0+Nqg==,iv:hgfdMbpGbETRHxfHqZibXvJvJduSbT4TR54gWrjpIfI=,tag:cTIO+DvAJKcMtKLT/ik3Jw==,type:str]
nextcloud_admin_user: ENC[AES256_GCM,data:5LAWcsM=,iv:BnPPE/MpwZaRLKbdjrzelFN/Zy8kVwg2IcXNH/TN1rQ=,tag:wKHdKhK1d+anvDJwT/28yw==,type:str]
nextcloud_admin_password: ENC[AES256_GCM,data:TVKosO9LqXW4DPxEdRQh13b2BDWAdclZXEvQ/dRBmCGIEcAlXIrjK4weyw==,iv:OrTQHZUrlyYHl/JBsaeK1Z3oOuuD5gfUlIEvYmU2KkI=,tag:KmA+hO48igHoGmaPAOGHrg==,type:str]
nextcloud_db_password: ENC[AES256_GCM,data:VupWHMWaROOv1j7lhNZQVSSuTub78Yug+C3RPYcaGAS4Fhik4NPRQihbGw==,iv:OoSG9L7i6inI89l0d/JnItIP9laIwvfaj+9tIEM+wZY=,tag:xijIIdvKQ+nQbzbSaD2ggg==,type:str]
nextcloud_db_root_password: ENC[AES256_GCM,data:TgLuo/AU9tKl2m5MH3AmhAUjjeG99DXuQdUpEdWPEBb4HJe3J6RhJRNsfQ==,iv:XyQuePKBDIiGsfzkqC3UgLC0/4C7nL2jtvVYKBt/quE=,tag:Y3jxROi15R0N4hsoeqHAlQ==,type:str]
#ENC[AES256_GCM,data:+7Cq3d03lCXJMyNaNGpI3U6AkcSFAXc+Z9nsQ+Q=,iv:jRoTC7rMhlKJl6GqTYkvXEO2QWAOCudETcDziesKns0=,tag:BImFAcuYvcLFPyiiMmN/sw==,type:comment]
redis_password: ENC[AES256_GCM,data:q2jKUkaVg5iMbVeTe8rRWui+A0GIoHOEk+E+FpKy8u3R1qrrr5EEOfuDdw==,iv:alZjGn3kTbcpNs6PMyVZGwRTM6L/TIUQZRDIAz2uWog=,tag:OZpSrEECmJfl8UDklNWd0g==,type:str]
#ENC[AES256_GCM,data:DZwggOPEAOWxDa/8qzlW8BVk6SHCWHucZG/v0FbTdX8/9Apl,iv:EeXq0gfuF3esJZeosA6RL2TnYdS2zqCVFooJwal07JQ=,tag:vIwTJ3v3aRSxvpu7Yo2ucQ==,type:comment]
collabora_admin_password: ENC[AES256_GCM,data:AUIUtwM7H4SYEEX0rSisIKNIDCNFlg8ePuLLWBXoXoMcgy2dW4TPCBfLTg==,iv:um3LiQ8uhFtjvbyP6YD4/z/7+9qVt9XG37BVJNEZaAE=,tag:9XA6CfXCCTDUxjznEuRO6w==,type:str]
sops:
age:
- recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQ1ZWRzErY29jM3pFMTc4
MkxoQ3dHNUVSN21jOTZsbHNmajZnRnVKWVFRCjdwMzEyTi9hZzkrMWl4ZTJ4RUNR
c3JtOEIvOEZITzRDT3RTT01ERWpJbW8KLS0tIDVQVGN4RTZ2WDBWaWVhTVl1Qk0y
QXhMWlRQRTh6azhSMk1LaE1UQ2llZTQKM8ldB0EFiYxPAQLGnTVxo+MDdoDiqYIx
S05IJoSZuPbBA8XnQHbzndkpJjF9GI3sfpZLqaSoqotuBFJeATsymw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-21T14:00:17Z"
mac: ENC[AES256_GCM,data:OhwwkRU4Of5jVQ52ttIQcRAPPvsIU35VOZOoL4tuOPTgtCWtJTCT1ZRXpL3QTDK+YoZaggktGxisQBbv8QD9ymXBT46EEf9GZHkW499fpJlCAmPwNBYdAgBStOJU4PYewPRsrAWwCqBUkKln+MlIhQWXk94hqzd+i3NnEa5IXUc=,iv:rH9Lf/BeMa3ZoUfkKCxY5wCoI+ThuhdgWX1QdP2ZNMo=,tag:7Bhifb2RldBUetttNphtrQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

38
secrets/clients/otter.sops.yaml Normal file
View file

@ -0,0 +1,38 @@
#ENC[AES256_GCM,data:RGF9yorvXzWMSWdhscxtn5C964XA+/IkfgE=,iv:yAjY3CrAjNS/JlZbrDdK4OMjfh3uyO0+DPYRW8l7GYY=,tag:xU94y+pyC3/fSF5b5vWMuA==,type:comment]
#ENC[AES256_GCM,data:yknOZn2UtlVcGsIKrLvRbQlHSbr0alQUrhCgPmR+97NV8D2cm9c=,iv:KYJWVBfNHj2KtSNP0e5eOx2hhakZwfspcP5LUuayQDc=,tag:J3gL8A3HDFOLjmdBpS5DbA==,type:comment]
#ENC[AES256_GCM,data:fxDy2AK9zP+igk1rxc7GcbxOkE5Zzw==,iv:FUMvH9VwQGLBKB68Wg24bwBYc8dY04hJc6P293Ma31w=,tag:e1GxGh3XW7UPbaUVssxCrw==,type:comment]
client_name: ENC[AES256_GCM,data:tv1fhY8=,iv:cAMyIDjZsel44lfZip/JlfnKzkbATxYuwW+ByYkG658=,tag:5Pl4Rls+9TrFAYswPPkXRQ==,type:str]
client_domain: ENC[AES256_GCM,data:p4f90ADNdeycGby7rCcpWCU=,iv:jfRw9oG5Lz0sY5QzXAVdNTnlQOPw/Em4mBviva8nA+M=,tag:L60czr0DNFrHP/K3uDvTuA==,type:str]
#ENC[AES256_GCM,data:PETVydzmEI8h5wmrpCijpL6DYXM4cIGz,iv:05CjqutrdhemcRwjVUxrXIG1aGYZ0wGvP9bJxPGsZkQ=,tag:coJXV1wr48V87QzfBkvsHw==,type:comment]
authentik_domain: ENC[AES256_GCM,data:8gQAjxcBeXUOIgY/dWZ7Nl4xXs/IJQ==,iv:0VhKsC3YT/6d6iaX7qag4YWZrnJn2M+eNmAozKo9Ry4=,tag:YNGgRsEIA4wjSCXUPa7iVw==,type:str]
authentik_db_password: ENC[AES256_GCM,data:lSfuOczTbKp7dGgoxlLR258SNeNMUiYUD3ousLDeC3pTg9bpck6v1E+eBg==,iv:F1/5dRRVwPJ4NrwA3IPDsJtH09Xri1iBUqCCO9xpUs8=,tag:7I5K6FEUgj3XqwX3R8ukaA==,type:str]
authentik_secret_key: ENC[AES256_GCM,data:+PSgNbtKleEUazMzt5PlhqolZbIntLj5GMGVYkvHoKsDzQ9YuGkN4eelMg==,iv:aHyQUjzEpmBEyGhjfcI/V3lPyVCvAk6R2V6Rig+rVgo=,tag:wobcHSmepivNf7giByLA2A==,type:str]
#ENC[AES256_GCM,data:cH3ULQzHGDeYR+aa02YI26EaPMag9UfuzK20Y19p44SuVNwhVfXpOdI3Ea/hLck=,iv:iR2lvbQAmwwraZir+7T6uzduWIaI3+2frvg+Rwe0bU4=,tag:v/OSZKMkczloL/++NfCLmA==,type:comment]
authentik_bootstrap_password: ENC[AES256_GCM,data:V0ua8jW/+jFiwu+VOvPYs4Pu+w1KknfMDdRboNZqDhT6juzvsyvKoM3vhQ==,iv:UZw8o7s0luFTtYkbPfUXPzEoeDcJqb16Atx/TprTT/E=,tag:irl+tNh3DDTyL1PTCCSzkA==,type:str]
authentik_bootstrap_token: ENC[AES256_GCM,data:otHKwk1LhsMH0gBo69VYwYBB4Oqkp3ZJcWHt54iuQvF2OV1O9a5R8kpLJgSlqw==,iv:OaVW9c2XQJUNUIZTceUQXlA/+RnQbDEHIkAiPzNl+ss=,tag:V9pwQKQkSMOReGHJVrqV0Q==,type:str]
authentik_bootstrap_email: ENC[AES256_GCM,data:CWlZIVwBxqE2RBTiGcIG1dujQgTCCis=,iv:lYb6yppkFGK/PANeCXY9+4ZLQ6cU9zL6YYMYza9SKeg=,tag:NAssJMYH+ErEIlHxKnBaog==,type:str]
#ENC[AES256_GCM,data:0tDLV9dubxl47Q1YVkxpkCHI6Lw7xp7T,iv:GJutMJoIbN5aLo5kDSo68gPdGumBHPugXbdmNGSXgU0=,tag:/75Whr9APJ4b+f7L/iOAbA==,type:comment]
nextcloud_domain: ENC[AES256_GCM,data:BG34MrxgOWpIrMZf23nTpN9DumSJ0hsUYFRZ,iv:NX8oFSOnUwB4Z8bTDgNnkFnoDW+QpOuvb6ytysgiZmA=,tag:a6JxQD1p2VqR1NMATXFanw==,type:str]
nextcloud_admin_user: ENC[AES256_GCM,data:p6HrBkc=,iv:xWDx2c3w4Jbd68ZoR6coAefZUT4PVxiRMJ8Csr645H8=,tag:SAcYI4Nzs0Uo9HVRdwYeEw==,type:str]
nextcloud_admin_password: ENC[AES256_GCM,data:lpn91mx/I4IU9pdQ7Vn+m9z3YZIMW0h5DcY1+z5xXG87wpa0mukNQxrm/A==,iv:GQLesAS3xUMkYkPt3OpLsLxXbvcU4FMwVWbK4vmKlCg=,tag:PhTVeiQY2jKiVVjzVcEpSg==,type:str]
nextcloud_db_password: ENC[AES256_GCM,data:wienpLg+QkUbqazEfhosFqFH32eVSecef+NkBSJ/Xk8JbKxw9eU45S9IfA==,iv:74DE8BD01YaFj7MytjpCdfcks6iFvBIqm3hXZSHYBME=,tag:A7D6nbnG6ReT8sK8mS33Ug==,type:str]
nextcloud_db_root_password: ENC[AES256_GCM,data:f4xjVOiU/wdNifENTGDQeCBFY43056ktFzOvzicT3YbUdUl0tgnwUcM1BQ==,iv:Ch1b1JbvI0plSV1mB9To21pWgwAD8E1Wyicra47GGWs=,tag:/yQ21BTxhTRnhsyK5euUSg==,type:str]
#ENC[AES256_GCM,data:2AQKUKlnbjUXv7aCvvGoEYy5+xRiVhB6POOh+pE=,iv:jLo1cdid+6JU5+/XDb1EnrUIWMjs9+Fp/Gwn5Iq45e4=,tag:JMdlj6PbOnO6Q3UJgCGMiA==,type:comment]
redis_password: ENC[AES256_GCM,data:oUlYFaptttsMM3rpfVveXuahz1ygBcKx1IV+uaCmcqPD34BiINVnC9E3xA==,iv:0nC/b42Oub2Qj7bHQRbOUy3oRsptAnVxaf7l9Q4ZOsk=,tag:PPF2LqXuVyYpkn09sMTRMw==,type:str]
#ENC[AES256_GCM,data:7tSQD98CIC203QnJG5fG6ukCwuvIwQ4Pn3hocW2DA/d3hyck,iv:kGXiuxJ3WczmmGqw2MM4BUnP6wzYXJJlUqVt3hA81Mo=,tag:9tNp35S/A7J+y5wy2k4ykQ==,type:comment]
collabora_admin_password: ENC[AES256_GCM,data:Wf/fuet2JGCv9Ise7lT8c/i+VVyUp1jJcy1PEafuDcJ6+usuHJeEr+Is3Q==,iv:8B5LOtypt3Q+KDjIBhAnbBa73VKOsJLjbvyUorZZPH4=,tag:YNeOP5USNDe1fW6/DIKUOQ==,type:str]
sops:
age:
- recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyQkJGRWJnVi9aMmZhWjFX
ODBrcWVweUJ4NjA2S2dHQkgvWnk4NUZvOFFBCjlPUkY1VnJnT1NnTEoxRTZZVmky
dXR0QjFsY2MwQVJoZnoxRytZTmpxejgKLS0tIGJKRk40dUNjRmlrMHg0eWw2VkZa
WFNzNjZIRzBIQVdBZnVzcnowVkFLc2cK2FMHZPwcaEopR/wTqbhToPABRGNAr5qI
KA5rlTPAeLWmZtr/3LtvlR4IcMwdJY9guwkjWwV6elp5lZ6SE/sKnQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-22T10:05:00Z"
mac: ENC[AES256_GCM,data:p02A5wX3cvycCJiFLjPPnhMMTPHp6Ceo6NJwTjSNkIbEPKTZ494dFILRuD3jU5mmmplQ+uKosIgd0SBPXwvog6Wca7Ftfl1s98feodxunLtz0+A47AemmVxrCqKxdBa+OG26PRLj5j5K9eWHu6nzSiHA4tnWeyx/Lose3J70g30=,iv:ygy4Fjo4GPnZMQ6rVDLyeGE03hYq6n2U6zKamDTlnD0=,tag:IR2xLsR/KxxwC8kUEAfZZA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

38
secrets/clients/purple.sops.yaml Normal file
View file

@ -0,0 +1,38 @@
#ENC[AES256_GCM,data:38aUbCWeuHrSJ4UMuLkuGj/eMnL4foaEdsnM,iv:WRv5ed/FGlkozCKw9f83fDYTCaXYfZKlA3ZlNiuaO9Y=,tag:DAvZ6c14PpfHtMbdzrH80g==,type:comment]
#ENC[AES256_GCM,data:dZ/jzcuXlLT29Vb6U0eLmNIKO1EIwfrQoBh6kHQRkMEYouCupjA=,iv:C6azAP0KfX7OQGKasg0eq/GAhQtht8NeO9HTWicaX5E=,tag:xTXdUrImAAk4D5BWwYo2OA==,type:comment]
#ENC[AES256_GCM,data:dRVGRH3SGAdzyG+Y/wGhWq0Dx4QqVQ==,iv:KiZmQKRW0STGHhxQh233fCfnJtmuImmNYk/wU8gOxCs=,tag:scGhi/prlmwwLikf1IYKBA==,type:comment]
client_name: ENC[AES256_GCM,data:3zPrF0pB,iv:BOomPNbfc1x0KtrDWsCWfb2QUABq2FRRVi0gba1k6xE=,tag:zoVJLIYHM+VQaTwhKJ54RQ==,type:str]
client_domain: ENC[AES256_GCM,data:Cr7GhZ1o7XdR/PB4HTvpNjFm,iv:7VmHONNTWfqJFI8A2r361xZgV0ecIopcrwuFPr/tM2Q=,tag:dT+JB+ebUtwwx168dctH6Q==,type:str]
#ENC[AES256_GCM,data:nYF9G09Uzj7ivZOU/Mf/tlkid5meHz/P,iv:NTP6Rzy9Rx2ToBX60IhVf77EcJwQsCr4u/Yi+8IAiec=,tag:vxJFXANyTVKAnZTG9DzJMg==,type:comment]
authentik_domain: ENC[AES256_GCM,data:oFBo59xd15xFmN7dAocZQGYn+qTn8bM=,iv:wTXbudWvFcEa8zsgsQJIzIAdutrFlHGPdVq2LXGN2U0=,tag:7T0F3fhba/eW4L6qSODbzA==,type:str]
authentik_db_password: ENC[AES256_GCM,data:QKv114mUTyBVYzK3TQqp+7wCKizEEmnU7X+CMcMcsw/f2IR+Ob3qVEU+Eg==,iv:hiTHPIy7tosh16pesLjPl//bbNgkXcYGRS9TQ1fwlaY=,tag:fZQYu4Ctwp5zhxQC5uxlPg==,type:str]
authentik_secret_key: ENC[AES256_GCM,data:DfuHQVIPDiczdsZYqa4Wn3HxjNSzvuL5vRojGaVBgSHCKwUlFRqOcYeUwA==,iv:8DMzp9kdndphH2lbEegkQedknDYHGX/YqJQV4LmIFf0=,tag:uXPb2qdO6UcY4r2tpHB9qQ==,type:str]
#ENC[AES256_GCM,data:tUfzVHkvxXiQCUBRXyyXaVjZB1OUeMmSFS0RxgOQ4oRA4oW1fLZFOBYKq7SyeCE=,iv:lKOgWtb0ihbzxCedDKWVqsSEPA0g1fE7+jm2P5WGgRw=,tag:LKPP+3rlY91QtgCELERBfA==,type:comment]
authentik_bootstrap_password: ENC[AES256_GCM,data:21yEgNsIvkXhM8BWYaajgUw1d+NkQbQyxB3DQTAjGjvwv27g9mvT5nlmaQ==,iv:iEqeWliuHa2QSsKDgeeincsimAb/kVwoTIbXcj9vAtY=,tag:OWW7xQMbeTUSsdXuCIqBZw==,type:str]
authentik_bootstrap_token: ENC[AES256_GCM,data:wlht8BfP+N2NP+fU2NlKMQOOV0/ryWWbg6hBqBvXUYeAsUtmON7HKi+Jp4pSAA==,iv:kOuILM+Ax4YCrzFItI7z3MYXTK1G/YeCegRglhME9f4=,tag:OrmUvqPCB/8yLqk4IzgsHQ==,type:str]
authentik_bootstrap_email: ENC[AES256_GCM,data:N9Z/UuMuKyz4ARYs1HfbAbWwA0the+74,iv:JpTmfqPlq9vO9otZ3BeTk8OHLHgW2bd6hpcy8kGGlW4=,tag:MVlDKPZkX3FIkmxANvNSvg==,type:str]
#ENC[AES256_GCM,data:BQYe87BZnR8xhfWAaK7hdegjjWpwBEK6,iv:F5s3BrUOK0t0bH1VXt1GOQOEbfoKtGo/AsB52DsO+Mg=,tag:cew2DUJsdokcV7Gb+Apppg==,type:comment]
nextcloud_domain: ENC[AES256_GCM,data:eRL9eRLVkPqvr80wI4O+FklLdJaq6ItjgEjDpg==,iv:sPDZw6JA0NyVF+QuoswagPdlbIiPmxAhi8Hes80UMrA=,tag:RCE2rARy055L+16nVdYcLQ==,type:str]
nextcloud_admin_user: ENC[AES256_GCM,data:URnEwfk=,iv:DxGJh6Ja54SuKe0RktQHo+MblaUqpSjZVQ8WExTkvVQ=,tag:YQCpxxWzuQzF5phVMQBkhA==,type:str]
nextcloud_admin_password: ENC[AES256_GCM,data:Vyfr0UHAcwgCcghBetom74cVUt5BknCdFFicAo8eSrnSpmkFJNLWzWXmzQ==,iv:dsvsJabbqz7Q5v1fhInHykZmQ9A+Z8nOTvKoQYCko0c=,tag:2/P2BOppuAPf/ouYlSnu+Q==,type:str]
nextcloud_db_password: ENC[AES256_GCM,data:mhCb13Clcd7gPMi4eVHP9gBYVcoIQwt6ZrtbPYCWAscTWB9jai+Wafa3Nw==,iv:lfU8/bivrTknJhMpch6wvcIgiEVSin4LM6xwJCxMxIM=,tag:+RImMT1bWV3lHkHRj6ju1g==,type:str]
nextcloud_db_root_password: ENC[AES256_GCM,data:m44Qx3K895lKRRUH0uY/lejQpscf+dE8OjaSt0kl2cc+7zFvLSrzsnZ5HQ==,iv:OOn8Olejw/PSSklz61fGPANF1HD5UfyJRUUx1C+LN/0=,tag:6nYNfYqX9GipaKeVt313Cg==,type:str]
#ENC[AES256_GCM,data:6CaSumSa+TKM9GdSAbnIpqMHIahqsQuZJoK43Vs=,iv:EfBYYv9ua1GdVkU/+7bgWQUELtsROVBTeyUKoDr67kQ=,tag:dgWCqA9o4WJPZJolO4viUw==,type:comment]
redis_password: ENC[AES256_GCM,data:BRIEt2oU1grSkfFTEQzYvg8dK3OXrL7DdswpIU4SeTvh/7fGRS+pnJokNA==,iv:IJCFcFj2N/NHuJm4CTBnOa8YGoNNa4KrAbdRatil20k=,tag:e3SFXDpyX5uo69fisF2aRA==,type:str]
#ENC[AES256_GCM,data:C66DApdfqVNaYdrjKft+SG+hImN1AGEZvO9wIFygVQ6mqODU,iv:FLWB7Az7/As1POoMNmzOyk3vLJqDOrlM65OgOB//wnk=,tag:pBGTeOOvp7fBRMKr+hB7jw==,type:comment]
collabora_admin_password: ENC[AES256_GCM,data:mlyj/bdmwdJ6aaXQ57JqgJEWwbfdVWEVudlM0XTlBrOjYdVSXvJhiUH+qw==,iv:lJHeJ+F3mCA4B2ZdCRAZdO9foYHWJAta776lqvL5CDE=,tag:9P1RMpfIcmzb7O2wAD0iYA==,type:str]
sops:
age:
- recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqbFBEd2ZCVjNMZDR5NFp1
KzYzeDVhYUdMS1F0SzNoVXU4ZGc1bzBmMVZjCnFVRUxuUENmWWlmNVJtSjc1cDdF
QjFCVHpsTzhBUmFrSXlQamtsQ2lNRm8KLS0tIEJxRktXTitkcG9wNnJOT0N0d3Qw
YXRyZkw2ZEgrKzBQOU4rQWRjWWdZOWcKusRHznYQu8aNxA/UkA7mI96qVGN9B3Es
wf28XieHbXJ6DXrr1ZB2C4FqE2VbQsahV7ugw+mHppK1va1x0bJB/A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-18T19:25:09Z"
mac: ENC[AES256_GCM,data:aUf/1f3LRTc3009K5WW5et2A4vnkigKfG3sYDRv5Tg4gRjwvxh4cuyKNpGfzKZ2UT99gAIt6ruCRD93BKVX8rG2gzK9lM77Z6vkuY9vC5HzVOtUA9fJauIWCib/rzczsHIykcoA/xwSBhAZjQmiWe4tpbffSI+GIUtAhfxaAZ2s=,iv:JCZFBc1nfMR1XK/WBJOKfOAiqG4xVJ1VXbZifdxWUUI=,tag:DmJ9SFboiXKpSVkA235qEg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

38
secrets/clients/ree.sops.yaml Normal file
View file

@ -0,0 +1,38 @@
#ENC[AES256_GCM,data:gIRcxOP/qg8MIiSV4WmwUbIznmR2KSka,iv:2FO2bbQdWBGdtOAZtWHsTPszAi19KNmujnE9mQpb9N4=,tag:oOzj/o3y1mIfxwWDKsVB2A==,type:comment]
#ENC[AES256_GCM,data:mnCm9JupBAPcHEvjXQktt+fsFZkfzOx3oWvlpeTBCmKn+cuXydg=,iv:MCKQ92FI193TreKAVMCqq2dGl/oufjnQyWHFoCZHZSc=,tag:/NH/6q83gxUGM2Ro+hmG4Q==,type:comment]
#ENC[AES256_GCM,data:sq5tiGyFmL9cmNk9miQAxpKpK3NI2Q==,iv:PYBW97pBri5xj05c6aDhVtdGJC3FqpsDjX3Et97sZxM=,tag:l0gxPcWHJeF6SbO0eACaGg==,type:comment]
client_name: ENC[AES256_GCM,data:iFTs,iv:iPYuRIKUNwi0Etn9XQ9T20O4rMDepUcy9gNZyusDUxY=,tag:m2Agx4o6UlIc6drkW0TI8Q==,type:str]
client_domain: ENC[AES256_GCM,data:vYs5ulzRjbqWObShWSGC,iv:IM7s2D7LG81lFszYA5rAHheWnknU9ZWGfoxYNe8i2VU=,tag:pfnioq+O8jS04dhOF4N1wA==,type:str]
#ENC[AES256_GCM,data:nH/J0Kg+BsCFQNEH3KrDemRg84Jw23r8,iv:Kh5u4cFXsaWgeiCQeQFYo2fKBFjkSkmiMHklJl3hRYA=,tag:W7OQVAgzIXIcrP+Ps1STmg==,type:comment]
authentik_domain: ENC[AES256_GCM,data:qTpXb4dNmicZpGsU8N7f5B/ieI0=,iv:LTtaNrZAbt+iyXQaJ4uJpkhe3kUhwcrF33n9/g0HTio=,tag:AyON8B2RPMbICUK9Rqc06A==,type:str]
authentik_db_password: ENC[AES256_GCM,data:kGZyqzuEu9ydvTCjeu/CW4eIBLdcB7lnJBhsSs8a2M01gF0GlcXRnHwi6Q==,iv:7k6ERzAzGhJmQZQCVoxwR0weGJq/ZLScUw/1ElBEvzE=,tag:dNfWD+hCTumZoXOvzXboXQ==,type:str]
authentik_secret_key: ENC[AES256_GCM,data:61IkssoMNXlcGmfSxGEQhdzZxTJMRVf5AL6Ouv67UYrBhzag9zoHZmEBkw==,iv:5PcjNIetF7PXfzc8MU4yJwF4SYjqARq/sU3uEbQ3dQk=,tag:SNj/CgxvpVe5KWdQc4Md8g==,type:str]
#ENC[AES256_GCM,data:sDc+3Qkq07eMjpxs5fRhKsB+2j2JMY/FI2ys/gXOGviSs/4h5RBDchD1qvgX0TE=,iv:Rh8ie43ecz2xPi5lkPa18OZI+J79IKmcaCtkGwPtDa8=,tag:dY2kgzjTOk7XkKZd4baZLw==,type:comment]
authentik_bootstrap_password: ENC[AES256_GCM,data:qVtBERKUxq9EW/wmYMg4U+cs7WWwVd+D5/2PMfvCeOX7KPgrlhtfr0AaYw==,iv:X6Ov1oZUZ91bFHtii/M03zSknYTnSDWFepbDoMzeWIQ=,tag:nXqzbdh02E2NBPXE9y8AGw==,type:str]
authentik_bootstrap_token: ENC[AES256_GCM,data:pi3AZJhKRagxYcp8JLtGt5oMmcFuj8cp0YM//9EEWz0fF/nySOgtrigl2a8ytQ==,iv:cjMjta6NGJOZgzlfvSwlsaurQ0iaczyIyYkVsYpsvhg=,tag:BltF5PfT1augEZmKmTxNYA==,type:str]
authentik_bootstrap_email: ENC[AES256_GCM,data:0BA5EbwSH9/P0D7b8R1d7VaDY6Ir,iv:mLLpINemevgjhwuTMm+e7o1mfKrb6Pv9ZQEZ65/2+4k=,tag:p2DthqoyMqBJGze7wvogCA==,type:str]
#ENC[AES256_GCM,data:ezJ7YXDbCcLDkYDc9dzji/vD5YRMD2wt,iv:MkkO4Ozv4Byrf1/yqeizpa1DC7I2iIIJTSyo0IRTR/k=,tag:tyNZ0owm/x5cXKD8i7IbUg==,type:comment]
nextcloud_domain: ENC[AES256_GCM,data:OGHapzRRctsMsUHBlzO0ykv19VqlGttmpQ==,iv:RFLEh9lBv/hwpHp98bu3ur/KNo6QXKuxiuYKKUcHU9Q=,tag:PWXAqp4Mc9JxOQ0+wfgQmw==,type:str]
nextcloud_admin_user: ENC[AES256_GCM,data:RVv10zk=,iv:Qa66fpmihV5p1qyB7W6C2IjKLCGzHLjqdEXKhSQZVGY=,tag:BkwrvymFvNSUIH5jkMhjaQ==,type:str]
nextcloud_admin_password: ENC[AES256_GCM,data:vxiueQKP8Tl6pXgSRDaGvg2Jp1BUi1I0L71e2kYFXO07bZmI7gVnYrdjpA==,iv:2cD/3kFDuWkU+C/bUuL0V/iiZwMqd5wxUdYMdM7Usu0=,tag:uWmzcCj/JkshmyOh4OntMA==,type:str]
nextcloud_db_password: ENC[AES256_GCM,data:XRdj3bJS3o/0lda5yFlxlaTg5KDbPI1fyOCmNJ4dHSIyJZ+hmaPJzDRUnA==,iv:IAifzoc157vsW3GJ2tXo26T+iG9hAq/jgeatM9sJTD0=,tag:49CcMLTYFYiMXBxkHJ8B6g==,type:str]
nextcloud_db_root_password: ENC[AES256_GCM,data:LCMpRhQ07WuJiNJ2fg9CgmqG860odDeFD1Swsf7DzI3rRGAGlqWn2VMqtg==,iv:Ob2hMfwea6tXvyKyybE2wP7OYvLV3z/3hSAS6DPhxjc=,tag:XQ8beEw4p6EgF75qaUeGIw==,type:str]
#ENC[AES256_GCM,data:ksmM7Fo7/QxVNblIW5uftrn6bKCCG2ZI0K3jaiE=,iv:3mEb4dMNCKenAszZSA2nuf678jMkuYBw0fJ3XvW/vJk=,tag:n+bBuTB+RqqYFEB9+4ISTA==,type:comment]
redis_password: ENC[AES256_GCM,data:PpU+fCCUIZCtqH5KR+s9eDRRORMIoREmpJN4ze28IaIWikbmJzPwt3I5TA==,iv:E0610SCYnDJam8poJo8qIhGSEJvv81Lt+pCq4Dz3umk=,tag:+qsUYX6NOQ9uCGl+Bml/ag==,type:str]
#ENC[AES256_GCM,data:Yas6EOkfe6rs/quv2zRCLsJvc83b0yf+LOLjYnL7r2NccrJ1,iv:nO3yFyopSAXWZnvtSq3kb5CWP7PvwDgek2/IaQM3TY4=,tag:sb0bX1yilniBCcyL7kpJAw==,type:comment]
collabora_admin_password: ENC[AES256_GCM,data:rIrBM/5mKsnGLPuGAlpXii61LciD3bgzss+lIt1XEwXolzd5zvml8tM6Yw==,iv:+cjc6kjXAZDbWiOBGGo4PX9AhXpFydJJdZTMU8MvT6E=,tag:EEdqubCkUBdy9Xh5i+E9RA==,type:str]
sops:
age:
- recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoOWtPYU5TYnNvei9aZ1NM
Y25zUDQ2c3YvZnFja1RpYkxkam1ybGl3aHdVCjdrZnhPd1NEV0tHL3ZXL3BEZm8r
aFBPckgxcUtUM091NS83aU84RWViQmMKLS0tIHFOakwvb2lzTHo1Z3ZZTUg4cXBD
N0tyUmpCdFY3TjJTcWJiVEVyQ2c1TG8KXD75O122N77kGjUl0WL6dugwtRwRVsgN
GOylW/g3Kl4ePkcb/psTBijvBksA+J8RN5d/LaOJB/DXu9FgaruwYw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-21T11:11:40Z"
mac: ENC[AES256_GCM,data:Ipf7iHWpgSpaPHYRMw1n3sbWzKsvwTv+WkQhQGCnTwCfWxxgWVWM7RVND+D+ecOXf8BAxJ153ogROfhVvz5P9VRkjX+nvYb71HkEqCQLg+1HmPwNRVcGbWdqph3ocE4B42rjQfwVJjuP2x0GD1rOU0y7wA+sMxm78pRKhqToC+4=,iv:HQVooZSG+CjnbtXB7X1KOq9nrUQICw603c9fDxD0k6g=,tag:2BDv/GngqC89XeohV4PjoA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

38
secrets/clients/specht.sops.yaml Normal file
View file

@ -0,0 +1,38 @@
#ENC[AES256_GCM,data:yfNUU9guJh/zf4LqdGrRtSB5cZpZLsyMIxzk,iv:bJ9Sqjche9AB2CGdHu3Z5mQwy1n+7aFWllm3fbr5xO8=,tag:Mh2KgNDjoefVsF77HAvyfg==,type:comment]
#ENC[AES256_GCM,data:EhKZmmMpBg0rA4I0ITQ6/++Mxm7ekjRKdefMyAxWUvWownuGA3U=,iv:oAtFWzW+QVcMnnQfE1bKXM1nlMSwA+JXL/LB8Es2arE=,tag:O7t8iUDS2sat0UMhDgjo8Q==,type:comment]
#ENC[AES256_GCM,data:i0/1o1cdM4HfoSZzuQpdnQICHIqISQ==,iv:tAVlGFWLNdAeKVmhW24PkTiaa9DCGddprv8N1ydz+js=,tag:uwso4BMb8xt/5smIhLvNnQ==,type:comment]
client_name: ENC[AES256_GCM,data:7LGt6kOx,iv:tmK/A+ORo2HbS50n4k1tg46c3M6UMse/8IqXP4w+xN0=,tag:VpThKw/7anBM2+eBVOahxA==,type:str]
client_domain: ENC[AES256_GCM,data:GImwXpRaS9ed33w4jLYfLn4x,iv:RjVaH0J8ksbE1q8fIrWqmWaNV05O2psyjoUle5yIXUE=,tag:dkUQEBUnxZRuYQmY3YBu+Q==,type:str]
#ENC[AES256_GCM,data:TF3jf19wRMCnkc3z9r1ir7aGUoIFSlu9,iv:5x/aNiPnC/Pgy6PQy2HJwJHUUB0PW7PVNjsgpqlIobA=,tag:eDrlKlJOuNHeeMt3E3MEKA==,type:comment]
authentik_domain: ENC[AES256_GCM,data:cJhD9W6H1wJ79YEumtBDa6/m/MSAAAM=,iv:ONSg7gzo4KK2FCWZZwOSUO6YnIaZe/7HzX3f7W6/r74=,tag:GS9tBZx7PWvpQXVWbP/Djw==,type:str]
authentik_db_password: ENC[AES256_GCM,data:zQCYMkbiRW+ln/SQNIlOBXCoLJbaIIp6xPMq2fc1xdXFcyOFT1RPQaVj5g==,iv:MQn4F0EqXsXCwpamSmjsZF69545XKgp89jzq46Am14s=,tag:dOWvSu9A/1kRbp6rERH5OQ==,type:str]
authentik_secret_key: ENC[AES256_GCM,data:9+n0VmAG/M/GTalJqO66FfREsKsj+KswbAAG+BHNtxkH0jVK/FRhq8RPqw==,iv:WLGwnq3L4tBJWwy9Vgzp52g9hBBdT5AP3+p4lxoQBkI=,tag:u18Eyd1Gky4EPUGV+JXchA==,type:str]
#ENC[AES256_GCM,data:+rK3LgVl3xCBymHyY7K9xFzfq1lt5EcIIAg5v4Tj444ahEnbFXKnPJE8uteML/w=,iv:fDFPTtCtFG+UD/gvFJYCCC79FfZ2cWUT8poaGXGnh6Y=,tag:VhHitpPxfMXQcFF9VZp9ng==,type:comment]
authentik_bootstrap_password: ENC[AES256_GCM,data:w5/V9qXHVhSB5TCLSJoCg5KffqoI5lH89jrHDddOWzWwa47cUYHSQJJa0Q==,iv:b3Hn6ap8iVkh5RH9WjENvkPNyuiV1AK+Y9BAomIkoa4=,tag:p2xwubn3bTYJaa7oyrmLRQ==,type:str]
authentik_bootstrap_token: ENC[AES256_GCM,data:zAgkAnfG2ImKpse/kLB5iEu5wUb3Bvx4vTg43hX/G1SXX3NLzrJFQL2BX5v6oQ==,iv:yO0j/CGUS9Y6zcUNtGC8fK9RFeWTGRFDnRtm3SBPwkM=,tag:1gEd0N+d426eTqdPTD2D7Q==,type:str]
authentik_bootstrap_email: ENC[AES256_GCM,data:ICmbTdh0B3x3wNJJg8pArmU1NlxfZzm3,iv:KfQSIxkp4w0DJK1LecSl1hWHzylu+A+E4lYRxwC65os=,tag:+BlTf3FlEeU5U3o/FX4P/g==,type:str]
#ENC[AES256_GCM,data:IW+obg/eKos2YxkvK/HMtnqC7LKrUWDX,iv:4wCDyj6KF6+tn6+DFz3muduSNxaHm78eO62F0AhZZ60=,tag:R3OumyZ3USxLh2MONH801A==,type:comment]
nextcloud_domain: ENC[AES256_GCM,data:aBGUCiicsnBAN/7OtRc0C8tXwkpfb+7R5sj8uA==,iv:rWI9uhy6CFp/Noqj8EXAx5yEIilOpnsGUTEK8JvBz7E=,tag:hTanLu9fp8NlrcRxbbFwzg==,type:str]
nextcloud_admin_user: ENC[AES256_GCM,data:4t+WgPo=,iv:H1IhMrN77ZcjzlqNDuVZ63yBlkjodSSu9Hwi1ZifRJk=,tag:y0M6PGWubZsfd2SHbY7KPg==,type:str]
nextcloud_admin_password: ENC[AES256_GCM,data:1LJZ5CsgzqYT+G0h2Cu3a8DCe356F3DIUV5JjjWPOVYaT4oJBF7J5Oeu3Q==,iv:kSV+nBwHuceFgNVulLNuVDOCVenUzTvarDGeGK4ytuA=,tag:um5H6op+iALOV1+rVPFWHQ==,type:str]
nextcloud_db_password: ENC[AES256_GCM,data:e1d5g7F3QPG0BlrKn0AFZ/NSp2Z8SQMMgh2gFKM2jNqrHwm/zDcaYrco+g==,iv:eFZ0+Ov9L7Gcs7L9NTdi1DL0QivnDPkXJPORDhpHXpA=,tag:8jTISi03Q3AjDGAHQgPs6Q==,type:str]
nextcloud_db_root_password: ENC[AES256_GCM,data:XEQgU00hWtnx8ep+qrEV9f1pNgFRz0B6efXQUyjsEni4MNlRqGKAA5OjOg==,iv:BEIuj5KdLMRj8T3nVALgT6KKhziwgh4nysuD2deBpuM=,tag:b/xQkzgKOxRSi/BZIHoLHQ==,type:str]
#ENC[AES256_GCM,data:pvjfJfG28QhQsvlxJxLblcd3Ll81M83Zpzqka+g=,iv:hmeLvxKeLDYiv/Xaf9AsrqzXBS/RBTArkCtvQKzmFl8=,tag:ijHSgmcDcNlF/MYGix2zAQ==,type:comment]
redis_password: ENC[AES256_GCM,data:tZuCECj3T0E3zoqixHUsxdln3BRAxXlo4GAWihM7KZXGeWJ3glU/jAuFEA==,iv:zrZZ5g+CS7eFDIhd0+h5k9DGQzAopx5QOsI6tVSpOJo=,tag:7853sKzHvvN2H+rnqBEzpg==,type:str]
#ENC[AES256_GCM,data:HI1jEKCKuYWgsxap5TW05q7wbnfMvdetgokhr77maHrQRf1z,iv:JpBwK0vaUpS8GxqdsX1fJyYVvtw2Us0tvImWYp2M084=,tag:5UcerSe9nRRKUA7FDKNo0A==,type:comment]
collabora_admin_password: ENC[AES256_GCM,data:7aLfKiQf9wOSG4UHmTwysPqro5jm1bY3tQaSa7i1BpibbDrv7OKlGBBqsg==,iv:ImalKNXzZE4OQC8LrAGlu+myzfLw76G0JDWf5zxhB1c=,tag:EraNIQNbl5f8DWScXBhgLA==,type:str]
sops:
age:
- recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIWGVPRVZwbkIzK3FlRXdO
cFZncVBGRTVnOGtDV3hFdm1HVEg4YzdLS1FnCmY1VVhRK1R5V0s1TG9VRk9uZGFt
VFo0TmY2QWxBQzc1Z1NaNllDY2JrdDgKLS0tIFAxeGxEMmd3K3psK0dWRzFVZ3RN
VkZqYWxGdUVLUEFWREY0Q0tWM1M1dEUK7KMmTAQXTG9qgbt9pWjUDRL3hshMRU1x
sgGtQUDmSmVCq/IPKW59g7ccHjGzjgxC9pVzHvTTg4Iz5JgY0carig==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-20T18:45:10Z"
mac: ENC[AES256_GCM,data:01NJofx7BUaXZCajoWs298HZEjJft48vkzDlZ2H/LuSAq7DGvakJhd6YGN9WGX7fkPukCGmsw9rlIauZwvjeE+FRd7BokeKJlrUZgqgmzLI2kA5eaS+hClZuKaQdzois+zx4g9Mjtu9WpBlWz6/bYL5iA0xG+xpdgXXrKFiVIFY=,iv:G2XKel9G/lnpL1yqsTT/P/FcKKPfsfNk0rS7Pr71n8w=,tag:ooFZ92XZdMmbfz5Q4Fs9Lw==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

38
secrets/clients/template.sops.yaml Normal file
View file

@ -0,0 +1,38 @@
#ENC[AES256_GCM,data:eZqiMbgZ970iP9xR1lP1Mf4//4y3l76kTg==,iv:cYffSE0jP5zrezKl/UBoNFc2gxb6El1hhripoXC6Uck=,tag:bnZZjLPH2zyObXU0QT9i+Q==,type:comment]
#ENC[AES256_GCM,data:3lAY7IxFpSbgBS9Jfte4tqBi6/jv1d4rqpXvFIzwaBi8kbIRZWc=,iv:Hx+Jd4xVRwzU7yjm962I5xU2NFX5njx43u8ibBKe/fk=,tag:EEDSENvFr/PhRu0PIY0K2g==,type:comment]
#ENC[AES256_GCM,data:QWGb4941FGgKU/iMUHEyK+eJoIxrig==,iv:GhFhT6jSQZ076/5yfDzEvsxoxCx9O6ueTbRePGxEdD8=,tag:w/psPqZ98Dn9BZFjL4X8pw==,type:comment]
client_name: ENC[AES256_GCM,data:RgV0RQ==,iv:uCKSI8QpjTlkTg6/wpbTcnjFxB77pjSaCnCeG0tZ4g0=,tag:vWI6wakgwwCAv6HW82q8oA==,type:str]
client_domain: ENC[AES256_GCM,data:66fMimASNHXHjY62altJkg==,iv:q4umVB66CiqGwAp7IHcVd6txXE9Wv/Ge0AhUfb4Wyrc=,tag:3IsOGtI91VzlnHFqAzmzkg==,type:str]
#ENC[AES256_GCM,data:2JdPa35b7MsjQ8OR3zxQF5ssn+js8AQo,iv:kDwIUJ/35Y7MJVts0DH1x3kuKWSxawrfBStDA+BbRO0=,tag:rNgsObk+N1gss5C+IzMi5A==,type:comment]
authentik_domain: ENC[AES256_GCM,data:Mw6zdhoC5ENTsYWGx4VqgUtTNPwM,iv:xOVUdfvqpj0feDHA8s6aSTqgCWEJJhlgVKF34GW2Hm0=,tag:eZyTNJEWkSPiVexXW8zy9A==,type:str]
authentik_db_password: ENC[AES256_GCM,data:HsyTlbM8pewD6ZUndnPQzBzlNECdlOqEWt6AgIMURU4U85NmhoRaAIwcVw==,iv:x2hHZVGnbCDggRRyW7BFfhmUT8WpAwua0tonwF2UDSI=,tag:Bbboc0vKGcrIvjIAsC2eVA==,type:str]
authentik_secret_key: ENC[AES256_GCM,data:cl1U+PGeaQNu2OW3t4QzfWIyMtvkQdYk8Adb7EmLrSHceeHxfXgKwgxvp2Fn7C8RDpuCsztkxEz1D2vePO2xSpIo3Q==,iv:trlB7PJd4os21wOK+CyfymE+oopdksydS+z3VHBT1wU=,tag:BwQ2FygYOaX22YKOTgY0mw==,type:str]
#ENC[AES256_GCM,data:3AF1/xf9DULcTEhTfxSr9ls8U0cr0ToG88783V10OAmsOclhq5h3ncFoLM3GZXY=,iv:Ji7447QFwRn0MKoXakAoe7ZDeJrT0fYAVHwYBWr/hjQ=,tag:+CQyj9pZxzKualOV/hlrkg==,type:comment]
authentik_bootstrap_password: ENC[AES256_GCM,data:K0nR2CCA+mZLwt1eKY3NU0iB3aXRbze+aX089cmAfTXunBsRZgXWirC3Pg==,iv:Ki4G/iMoL8rqIR/E5YWWNa60TEFEJlpmjfSO17ccjms=,tag:c91a6Dlu2cDeAbtH0VMynw==,type:str]
authentik_bootstrap_token: ENC[AES256_GCM,data:wzToXlHEEo4hqbTpYaj8VcjIzl9JIBYelb6csfSXB3gsecyOOriUsvpBua2By0l6c2DMpUVipRR1fEo6CZLc,iv:3U7eseITVM6LTzlc7tEPV44qYTdiLbKpOcDR+S0y9ME=,tag:UFxakIe4ZhgJy8K8caF16A==,type:str]
authentik_bootstrap_email: ENC[AES256_GCM,data:3H2b7nl+i5AnXVSWCWkpzfCe7lk8ow==,iv:KlpRA6aP1/sSG5PSs8Q3aRshn1ZgHQwW4AtTYwCgd+0=,tag:SpD7K4Xme/QUTxLEL7Xi3A==,type:str]
#ENC[AES256_GCM,data:ZXsSQkRtXNF5DMUPAAaLBWkAgh/hJMUX,iv:+r+WtRYebnFEkw3qmIkXRPUUYSep53qzgy2FvpGhSfw=,tag:S+w04XduCSLRntLJiEDFUQ==,type:comment]
nextcloud_domain: ENC[AES256_GCM,data:i0hWB89Lxjn+s9NOrFsYZr/zsQ2/BzZKIk0=,iv:AU1LLm04+4Ekjm9Q3Gqe3MpqdIdGAGK7EaClJMO2bz0=,tag:8AEN6jdruVUzFEZe0sVBrg==,type:str]
nextcloud_admin_user: ENC[AES256_GCM,data:EkGgPFQ=,iv:69EdTYC3xMzp5g9RQ+C5hjBw+gLBghaKQArOc+77nR4=,tag:17oRhQUMD1yHj06gS3ODAA==,type:str]
nextcloud_admin_password: ENC[AES256_GCM,data:aRbg8hmK5QMOS0xqEkgq2j96ajhtG+gYnriHrT5lrZynbpNt0tXGh2SIuQ==,iv:WWnoi9si/o/9Qsj68sR3XFKba2UUWiVrjx1XLsvuhcI=,tag:AUr9WFNGyedvc1woGMFeMw==,type:str]
nextcloud_db_password: ENC[AES256_GCM,data:xygLEUi1doSFzG8JANguzGxyP8vXm9GDhDqmRAAsj2VfIEbzANsa5iWbtQ==,iv:UgKufxyqi2LwJ8/QIT4mssHxSGvixW7dWXRTURaoI0k=,tag:yr8ZiR3DphX+mzJ63qRbRw==,type:str]
nextcloud_db_root_password: ENC[AES256_GCM,data:IuKUtIDDJOmFHbG6dZFOC+WDrEg2vBTemWVjbapwRmYRIwQg47+38dOQjg==,iv:CISRoJZtV4JI0AB5erHNZLPRE+oeo4jxd446GUfSkWo=,tag:juEZ+gV82kfgrny2lC6Qow==,type:str]
#ENC[AES256_GCM,data:fh5zP6W0szyikkvHfNIs98J2Vl9C8xhHnWrmFZM=,iv:Di1DjQ8Nxrb1KnvtRKJIOMfO1CmbNpweVj7Ijsx79dA=,tag:YL/eJn+uG5qLP4TW4KyPdg==,type:comment]
redis_password: ENC[AES256_GCM,data:EgNqS7asbH0PHlad43D3kgEJqb5qpZVHI1XuWdu8uqm0H6pJu6M435s3Pg==,iv:dsiEU9Ik12CFT+6PATLA40MMgN/kgoHfOc7Lfkih/Ug=,tag:2fSPKLZgd8Ebc/j3xeb2bA==,type:str]
#ENC[AES256_GCM,data:OxFZyktOkNHq32ixDlpaHRmlu10we9rHb+YKOG4BNig6cdzh,iv:tyh/ozm0ooidGCSEKzZ0jqX0x7Z3v+/rtV4q5+vYpjQ=,tag:zQ0KKB5U9+4T8dKhBD7ZdQ==,type:comment]
collabora_admin_password: ENC[AES256_GCM,data:jxrOdFLAeIRp7lVBz4WiqYFNdCn+FqHJsPSfRyD3uqQWUwWhXuG2LlQmOw==,iv:j8KWGx4392q6IllfTMjL9JitkHL9XVuShdOM+6ZtP/4=,tag:D3nqs03YwmjmT4A3W1uumA==,type:str]
sops:
age:
- recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNVzNUaC94SnBRU2lNQjdu
Q05BMzF6VWlBckd1VjlXOVNSMTdFR2Z3ZEhvCmdsU2tJOTNCMkhjNlVJK3FOeUFl
VnhxT1ZObkZMdXNoSkE1UWVXUVY4d0EKLS0tIDllbVJCMGZDaXJWb2oxbHJ6Y05F
NnN0SE4rZ0lFWUlaNjBIc293UzlxakkKYOxxyTtwEEo3j6iMGeHyArYSquT+2ieB
cPA1QayU4OBucKo34WuZTh41TxIg2hr1GG3Ews5QDEiTJlAQuAzldw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-09T07:31:15Z"
mac: ENC[AES256_GCM,data:MSnPPzLLCZIIK/RmhlpMaNGEeZCHVzY2PK4A4PhC4nXuw9AwGjYDrHn3FQ9aJywi7NlXxLqFWo9nSnFswNlIUpea/3MTsa5LNimX6a22c9YRut+yImwrBU3abcgzxVJsHk7DUGIA1TY/AElC5ZLNROrw/X+sVf5L2pq7P2/oous=,iv:cOxocMqLgzzzT89RdfJdfvOfZ3Ph4tWbE6bV21WZgZI=,tag:zrthLaXOrdx3IU4I5G+zBQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

38
secrets/clients/uil.sops.yaml Normal file
View file

@ -0,0 +1,38 @@
#ENC[AES256_GCM,data:aIS/uQvfOiJ1pUuPer9qRQjggq8ZjEk9,iv:TBR9WbgvQgw9ERpnmQuIkhAyVTQZ8NABs5YaxD8KvZs=,tag:DFd/j8ZMzCHt6EvMbxVZ/Q==,type:comment]
#ENC[AES256_GCM,data:mTI1k+swvBYRx6qN2z5rwxHAxVOCdJxHm/o9TcBDej08mONlLi4=,iv:uY/dmgLaZEcZdzUiNe/y8sa35Qkqbt0iptpi7MGIMQY=,tag:ybdNuVlTSc1kCA8qxmOnuQ==,type:comment]
#ENC[AES256_GCM,data:uhpDxNUwH8HqvN8e9wf+QFYVGZ3EaA==,iv:Sx1aTvMKHEKzlcWO5jT8htjFloDteBVPnaov7+dQmD8=,tag:NxNZrOvJYtLVEeTFgyjX/A==,type:comment]
client_name: ENC[AES256_GCM,data:SP5V,iv:A7ghCYqbAupSF0VDQ/SXKlPrnk8yzQqKvSdvBZzHyn0=,tag:Ljs49J7GuSStPoGs0xSk3g==,type:str]
client_domain: ENC[AES256_GCM,data:rPUIOAv8XnUrF/8M5LHM,iv:gEIxCJo3jji3bH+9JBi0CJPhCGEMPG/lTr4wp5TBWhY=,tag:/xx02ZX32wa8HTFqw7WVxg==,type:str]
#ENC[AES256_GCM,data:8JSPPlRnTFLhY0cZ/agat0XYeyycrk61,iv:amCrQ7D3H8Dyl6sZmLjFsZbfagxpcz5Z9aFvEKba1sE=,tag:CSMX3zbM3sAzkDzIIKz0TQ==,type:comment]
authentik_domain: ENC[AES256_GCM,data:HTLCzAuXr7cRh2hbgF8duh5ayYw=,iv:4jl9drpkK3KGVq9ezvdtyAkOk+9kpLuughtLiyeskgs=,tag:iU0dQdwnbi5+Y3+OPm2Jlg==,type:str]
authentik_db_password: ENC[AES256_GCM,data:XGGOiJSw/GRQXig+/mxIrpBjF0ZGEMIQ5APl1KxQ/KzxwmjF68E5XbXvjA==,iv:WtfhFP/zYQ8FJcFeISuNMVABCGJts9krmH/ycodvAGY=,tag:ka9hwaHzpKanC3q6TfXaPg==,type:str]
authentik_secret_key: ENC[AES256_GCM,data:y35EQNMKW4/8JL54et6y0WZ8FKAgp0VWflsR6UV+j2SlCrvXFnRgQG8QyQ==,iv:TZwNiZ9Excgk89XPuig30dbuOKu2CHT0CyFKLPrfEfI=,tag:NmWN2LSsPf7tPnuhVdH82Q==,type:str]
#ENC[AES256_GCM,data:LgTHbIXSN/afDn9wSO30d/aIBy8b2DvyxYX+OpDt7uAV6d66O90jCGx/H7uo+AQ=,iv:1Jc/rzIbQnYep7ro1GMKnau56xHdZx0ZxMthwisFYtE=,tag:8C8D1zzy5lZ5AQe0V8Fn4g==,type:comment]
authentik_bootstrap_password: ENC[AES256_GCM,data:WnE/dn2xHwxFe2CbQmy0WC6xz/Q5UpkWW8m+a/dVi5h6O6tGfW32EmECBg==,iv:rw0XCc0N03TRkrR7DbHPjRiG2o6tkd069sJGrozU2Yc=,tag:QFmKEzJBGbXUewCLUnlXfw==,type:str]
authentik_bootstrap_token: ENC[AES256_GCM,data:a+uoCFgICssuPKQJFoGO+emJCvVwacIKW3emysbNni7o4uIGVn98yMb+HYjt2w==,iv:zLe1hiM7zhVXwSFx2znO9WjmokRLfluPCD/UdB6oRGc=,tag:zuWocn/zAW3/VALE381Cdw==,type:str]
authentik_bootstrap_email: ENC[AES256_GCM,data:R9kP7F4pPkSuBzJ+LsnWKDPwyg0t,iv:z6midY2wjfmBomDnjLJFFfiKySTdEvHE2Q+r+2Wi83M=,tag:lJ7kP8XhHprCftYqDiHuHA==,type:str]
#ENC[AES256_GCM,data:1MjHrZivYjxKpxn61BHLyB3xSfivQX4L,iv:dBh7oc8U6esyi2LBNWY9ss2HuoHJpDu82Y1wJc/ex/4=,tag:E/H1sih2b284lgFxur5zbQ==,type:comment]
nextcloud_domain: ENC[AES256_GCM,data:IYjDmAom25nyV5DeNifZKLdRPdPVpLaS6A==,iv:y5Q/qtqHCoLld4Q32mTIPP3JHQHPgJdOcA2urBVSjZo=,tag:2XUnipCDAIkSUVLBUydxig==,type:str]
nextcloud_admin_user: ENC[AES256_GCM,data:VKNEOCs=,iv:rd2De98bIx7uIpIXr/RSCP71Kj7xlbIdaM5CL+qbHik=,tag:Kq2BD+0oJbFti6Wc9C5BCQ==,type:str]
nextcloud_admin_password: ENC[AES256_GCM,data:dt3fpOlwn0WHxx9TCuWX1WK31VJeqCW+K69xVZ8SFNNgiQPEIzsk3A8Kww==,iv:w82gtKGyLDQPrydQo5xOKa6AsLYyG6iFStyXyKcmbNc=,tag:ci5MnasJYU+SgbcWOeTdgQ==,type:str]
nextcloud_db_password: ENC[AES256_GCM,data:OXmim7k3E6M+T9Z+teFJPjvRn6fg8BtSeWKTHOsxmBfsiBOsz7VglVyjJw==,iv:/srFcTbjlx/ZaY5XVKxhz3T8ji+MXNmcX67SFmG0WEU=,tag:/Ohc6pzNpYQF1lBpoK2KAQ==,type:str]
nextcloud_db_root_password: ENC[AES256_GCM,data:contgx7/DtqsXpkUo3Xa+1OjbPZkrorKM43ws5XFphte3/wIpfihqPJX5Q==,iv:vcm5KllCto5EldfwNA7HTuDUhwNjs6Q2+DgFp7NkR7M=,tag:8ncnZeR/knFR+1d7s8cUjg==,type:str]
#ENC[AES256_GCM,data:aYbteuod8ZITWjAF6pEpGYNfDlz+RfDITn0sWuY=,iv:DQfCWGkmpVQgHBu6luSRhJNOqFQxCQiOI7cAvFP+8xA=,tag:f+YkqCeBYGdbgmUW4hLOUQ==,type:comment]
redis_password: ENC[AES256_GCM,data:5IpSxmVIktvHboth7UMlaukibZ/GHibNO106TjTqwOjfBH5MBhrbG5h8sg==,iv:zFuIdKFPDJlZRfmKB09cTx1A6e4p9vNAmFOoQRGSwx4=,tag:6Riu4Us4gCuGI4FA7ht5jw==,type:str]
#ENC[AES256_GCM,data:+4PS5fjQRjw2L0JB6WpwmHXDDOUKo8xmy9v5r5ez5Bx2jZUE,iv:W0Oj7k1h2fj0+HnGcvLKq+qhKeEiN2jUUO8kaq8YuXs=,tag:hcu2QnexLU9esa9uwDo+Pw==,type:comment]
collabora_admin_password: ENC[AES256_GCM,data:FGi/ZA+E4ZbODB1jD+Vj5SegQD73bqmTgKi53MXV2tmmQMW0dETE/DrYsA==,iv:9kVU+qQT2cmkiqVi458leNly5X8AHGwjfViFtOtvkX4=,tag:JzpDO0ORO0NVpgz7zaaXrw==,type:str]
sops:
age:
- recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBteGJtRy9UR3MxTjNzMjAx
aVFjZURNUkhlRkFDRTc3RHNnM0cwY2NmRGtRCkhvbm9kT0UxdmJPSldMS1dscXI4
Ymhpdlo4S25yWmpVc2RiSExkcjRVYWsKLS0tIEUzWnZqTkRidm5ia3JpaHVlbmRF
MzZ4OENaazhBME50ZjdZWEFhSEhuNU0KSWxQZmSVFM55ji8TvzOepMCkNmsXonGZ
k7Y7+Ih2KAZqcT0ieTE6YEe05H6uE+LdaftMW2wEVsOZ2wjFaT8OUA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-20T19:57:06Z"
mac: ENC[AES256_GCM,data:XBtXjJM69CpGSjyCHnerLkxpfLOsifGAuUv38Leuli2/E7D9pWLomjMrhraRpyFuoPtqZdGbnFNm8Be3trMw0MmVk9uzzihwdVvKVTUucSygb2sRbkGFkl4Qqszja9Lx9wblDalbrmjKLWPQJ34QJVlba1nQns3Y3vJUX+e8Cjc=,iv:XFFp5cOTwvisVEAfS6Q538Jda4UJKzkHAbNHia7/Xy4=,tag:G+91bclflLIWToui7YMvgQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

38
secrets/clients/valk.sops.yaml Normal file
View file

@ -0,0 +1,38 @@
#ENC[AES256_GCM,data:ctaMv8OIHMLCU5j+G5V3F5xgLKOvhfc8Ug==,iv:TR4wnQ5gpLP0SZnQNIeS9fKeiyserHYCF+yp7IIgTP0=,tag:CQI5ap5b/YIaOysRN14Jxw==,type:comment]
#ENC[AES256_GCM,data:UCU6+XlbzC8We6nZeW0xNIW+L1z6dMagNqWQCeTTR2AG2CHIolg=,iv:b05l4X34Tm5Ev9JXHYCmXARfR/dOzy+lRh74LK+L8Ks=,tag:W3pkQhlD/YP+AYbXXDX/ig==,type:comment]
#ENC[AES256_GCM,data:pBDl74SnuiQlDRI/KNNMWMUJaFm4rg==,iv:+pziL+Om3+bSdOlFD7M89zBgpn/i9PutHOlWqGpXaDM=,tag:2MipxkvrtoX7FYjI0PjCdQ==,type:comment]
client_name: ENC[AES256_GCM,data:Fz5vgg==,iv:BsrNtdLTEXLkSXc0+PVeeQ4SCF7eKlF68XNlaMPtqJE=,tag:/kqw7DtQ2aVy0joAfDRRCQ==,type:str]
client_domain: ENC[AES256_GCM,data:fIrfaOb3Mf+5DqKoBEgBpw==,iv:XE4O0SyardgdtMWbkHOtMNgZ1rAKnCKVSswmMmACyNU=,tag:HjAfuLZI/Js801eJ47UIRg==,type:str]
#ENC[AES256_GCM,data:2kKajhbBS00eZe4HBlMc3HUF/Wveab9u,iv:RaRi8O8gfn5jlmNynfrxYICgsOBFVG+V0dqaSF4udOc=,tag:yqQ0ZMpito7UBvm+PJ/dxw==,type:comment]
authentik_domain: ENC[AES256_GCM,data:jaVgyFT/H+c/H0pOxCcOsfb8lGxw,iv:PHomA4L6r/1z7oY6Qn0OTqhzegd7JJC8RYf+B4zMcN4=,tag:ZOYSTcGkO3xE9mP1U2BaVw==,type:str]
authentik_db_password: ENC[AES256_GCM,data:nxTnYT028qadNScwjijxuBAvP44PsXc9SJaMjM1WwfrqXt7/DDftadVrSQ==,iv:DAdwFZ3Q1lTLmbciN3VX0p2zXq4+dORColJWXJ1HuH8=,tag:jfpyU/XuSpomQnjqDvLquA==,type:str]
authentik_secret_key: ENC[AES256_GCM,data:WST/7Ujv33URBy9VMvolqRwz33RcIuD4QxGT62uPjBRr6h0nI4ahtD8htA==,iv:Gi3rjVIqemkT/ITYkxC33JvfvVX5SFYQ5U+Rr3+HlxM=,tag:PlMMJ7g7fYhG85hm6zUScg==,type:str]
#ENC[AES256_GCM,data:xAaEFhScafyci3tP/EV5Zjl/zbasVITvV0DrNDX2ZtXB7a13PFzKWFIsGh88iCU=,iv:2+vamLWnFZHBQ2PW8/HQW6Dklrb8xWkd8oZczX3Kp8A=,tag:oiOZc+3iK/h7vlyCbiRtcA==,type:comment]
authentik_bootstrap_password: ENC[AES256_GCM,data:IUlXIwhoQvlRnn8keYYUddnPavZsvmk5AqNkyR8c3O52+5omEeutZLQ7sg==,iv:vXKiJZeaXP9i5CIP0ymDEhAwwRLMk18r3oM/JnhemnU=,tag:vVIWoB+woXeOAeWcq+bZtw==,type:str]
authentik_bootstrap_token: ENC[AES256_GCM,data:/jjShYMON1S9I6kxNJhb/XAyn6PJoUS6oI7tdSPjA7CuH13X9ffx+w33p6Q4Kw==,iv:7jzUOEWSHy2nU9gSnhKlZwZRT6jF2pXau4aVV/9J0UU=,tag:68rWsUL4skab85BefPKseg==,type:str]
authentik_bootstrap_email: ENC[AES256_GCM,data:GJipLh2OzDaux7OyhKQgAuaPM7L+pA==,iv:NTnulTaFvqU4tyy2y1YV8Sh0D2mS9HGTVBaqvbMLBKc=,tag:9eAJORhYXQoIjJa/xIHvzw==,type:str]
#ENC[AES256_GCM,data:CbNmNpHunmOKStzY06My8x4fuEyNl+GI,iv:t2utqHryCaa4PwvKSlGwQnD/Hj+RDeHxd9GgF1SuOuI=,tag:jYDNoyd70xWXnJJ4v3IRDw==,type:comment]
nextcloud_domain: ENC[AES256_GCM,data:WJ9S+9n7grhX0RSE0HyG10qtHZjKp9Cm1sg=,iv:R2WW+bOYys60aD4Kl7jMT2jIdofSos7YrLjOgiv/4uw=,tag:o++NQPKdYdjf3HYDouyn+Q==,type:str]
nextcloud_admin_user: ENC[AES256_GCM,data:L/kkIRw=,iv:A83rGPhtp/qeNKERxUnhq4nkfXAS9cQuhviUU8lrtEc=,tag:XO9trjEr/pBU9yJsSVmlLQ==,type:str]
nextcloud_admin_password: ENC[AES256_GCM,data:I1xvJ4ZhZuh0QzDZGWDXvF08yRcmJnII9dG9Y7kkHwjeiNXkCDGLxG1asA==,iv:jLTzg2VdJNUAuFbW+Ss+W/NmYG85E/2EFKhQflW3p0o=,tag:DncWEiTS8oGpGkXYQEw1Zw==,type:str]
nextcloud_db_password: ENC[AES256_GCM,data:z0okVTDnFxX4qNyJHRq0/4kDHCj0ZzPU/BoB9kFd0WxY+jr+h35MfR4FGw==,iv:70UReQQ9oMTlv01FsTagiy6XlKf4CaFeyaFNNTNKXsk=,tag:4N/i0+LdA2vGy5pBKIjo6w==,type:str]
nextcloud_db_root_password: ENC[AES256_GCM,data:Q5fqrc2iBClAKOYHiAlAZ0BsfzqJSO2Bz1oou41ypEGUZaorwoZ+wK5Geg==,iv:dNiHhl/WWsPwChBerIaH/yOnfKqkLwEK8ryDE0yESHs=,tag:D9zVqLpk6iLoOSn7rbdUgw==,type:str]
#ENC[AES256_GCM,data:XCt5Oe2WMK4lgtPb5VhPOfRMYN1sXLIrxZt+DD8=,iv:eFZGEA/ATyABVH4rgeL3MvH6pCtWXNCx0Vl37nIy1nw=,tag:NGcGtHE6eF4pZ18BL9Q9og==,type:comment]
redis_password: ENC[AES256_GCM,data:zSAgrY+4wCQ2qaIyu9f+wXxRovD6L9155gsAywlQBQIMrXJvfLIL5nipZw==,iv:k6jQU0TkuX0cfFNC+1Il2c+T41+X9joQGcSyPCIFs8Y=,tag:UhYBc+Y0BHay1Nx/XUG/Eg==,type:str]
#ENC[AES256_GCM,data:4g65bXzewEhFu/AULV0n0liscrk0uuAlLCb9DAa9AdjbzlY9,iv:mAWIWh36RDL0HBDTsWpDErDQD4poFPVc0UoPGr9hcdk=,tag:xHjpCvm94RCyMolq0BUQtg==,type:comment]
collabora_admin_password: ENC[AES256_GCM,data:kEXWAXwlzDUhLSOHfftSsgy8Tp1qxboi0OhFP+xpYYCOulPmF8/y9PFlTA==,iv:s5Pbfa+zgnp+GzlbvNWbYG9hvLogNXpnVEYupFLJ9Rk=,tag:odQjPoDrElTx5PaPMO8D6Q==,type:str]
sops:
age:
- recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIbzEvdE9KVUlWYitnMlZC
bVNPMHV3NmR0VEIydmM5UHVuWHFwc2pkUUFjClROT0E0MjBjUmxWMnBoRHFtUHlQ
OTZOeHg5bXc3c0IwWWRtOWJTdWlUZXcKLS0tIEF5UENBTm9xaWlqVzNBWDlEMnpE
N0xvZG9JOGZzdHpKOGcrSDlJYzBVaFUK75rT9dmmKOjZYDdEfc7+QXLL2GMYgjoB
I1j0EGUhhScpktXnHcWB35cgTFyFvKKDc0Jdjo3JgzxkfVKzp++dRg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-20T13:11:27Z"
mac: ENC[AES256_GCM,data:uBqOnX+8CwpSMjGrIYQ/JnieZ7kKFhPtD8W2SWQhl9fSp1lylJb4c4V8UanX9pcgjelFwU2aw2RUwcOUUC1AkhzkV8OHN+Id1Sc1PV6eJzVsyHetuax6snSpgnzJDsZApiQ2ephyv4KlqxTgm5n77b8S+CdTeE8kHFxWCbANKy4=,iv:dz/HU119lValHmoq4GXC5E/NmsgOehNmDFRaDmc9uHE=,tag:2mqbs72ZIXe2f7drs6fYLw==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

38
secrets/clients/vos.sops.yaml Normal file
View file

@ -0,0 +1,38 @@
#ENC[AES256_GCM,data:cFXXRzZN0YJo3753ddtm6Vmwd7dohnNB,iv:5wcry5rmrnt6T/XvWyur+9OjtldCG5Uh2TzsrkCrrUw=,tag:hCJyYykGD022Ma8Tgg5DEQ==,type:comment]
#ENC[AES256_GCM,data:tYAvFjb9UaNfUHna2TUSbToTWoCWeSMqRsOg/BKVXsYGXHsw26c=,iv:/Zq4X+tLG5JUW0lKKgKGG8LGIZyUm41qNBt0z+rlLkM=,tag:xp6hu1SP5XcvywbBiSUNBA==,type:comment]
#ENC[AES256_GCM,data:C9PD0hxLSYziPKFtMF0iPBwKmRvRaA==,iv:SXZM73Ji58Elofp3VZaQn8M4UtJwP/tKWwIrz7gC9d0=,tag:jmi/H++J8k1Ye+MoiaZiIg==,type:comment]
client_name: ENC[AES256_GCM,data:J2hy,iv:4NLXMybg9pLYE0FdmY2rA95HHqp0hQpzTKQamVU/iGI=,tag:zvWyNEYWLawkofC/6LkwLQ==,type:str]
client_domain: ENC[AES256_GCM,data:llq6A/+Ec2U+wfNlIbwo,iv:c3Adz8n/zZyRjI5hvfvna03O9jows90nLIUachXlYRg=,tag:rTVpYHnfcJ3KVbXhhjZ0lg==,type:str]
#ENC[AES256_GCM,data:UdcsUJJ6sp6mgH/jKLpOMYzGbFT98Iup,iv:AB5gxNZA9XZMXMb4xIdgIuYtrP8ofHe2LS/9XLtR/Ns=,tag:N7AAMIQSC0R5vUaA57eJWg==,type:comment]
authentik_domain: ENC[AES256_GCM,data:ZY6Da25kkibJknyKWZ8ZdxAwWKM=,iv:s8eHMs03B9vaJVCAdwmjxI0QVCAu6i+T+EhjfrNnzSk=,tag:dn69p7W+8vSiZjQLWgV1bg==,type:str]
authentik_db_password: ENC[AES256_GCM,data:pwmuizt3MYFA73LBJt1Wbdf+HP9EFf0aEtn50Dlq2JSFOiZ8Qv9nVqxwCw==,iv:CyrBEcwmzEl8e+YuA+mn0APr92vmOB98/26lA0/IHcw=,tag:3GkNlrId9oO6BqZfOvwqrg==,type:str]
authentik_secret_key: ENC[AES256_GCM,data:Yx4GJ/hxR0gmCWJ81gocm16bJ0/fXjAvohTFiDgEa7jvC1ljdyMoQqLrhA==,iv:B+OX3CRwnrLwJyz5aiavAyPtJ16E6q6yxEd799SMd2A=,tag:9uz6r4GIkzenhKNR3FQErg==,type:str]
#ENC[AES256_GCM,data:B0WMvhOYmRksSGi1OepBzSB4mqtMLMlct8Vyvw8qRBCPEfpEt2W5VCZiH+jeZMM=,iv:gkAPY6y/3elb9sy9mRDSHrmTheUzpJyX1rmoiPxewMo=,tag:VYQLsobXMAJEW0gXIXkhXg==,type:comment]
authentik_bootstrap_password: ENC[AES256_GCM,data:coX1Hnrc+F+3T3Sy1B51KHP4k4SMW3ZkgZf1SpNtZ+dIc15Q71zot37oMw==,iv:3JM+zkLPw/6KAF6tc7i4m56DceoEdARNHUr6yC/WENk=,tag:t+MDE/MMQaW4NO9QR5OQiA==,type:str]
authentik_bootstrap_token: ENC[AES256_GCM,data:fhu1YN6m/uEzfG3o7BOKsT9VTaBtCeKuyNuXM0PeSoHyU6k0qNuSYw/6WR5d0g==,iv:xCYycjjcHP3twPXl4XhKW1bHTCXPftequJVKCFsCiKA=,tag:aZO2Z6vE5sk/gEHzgCUlbQ==,type:str]
authentik_bootstrap_email: ENC[AES256_GCM,data:pg62YN9Cxonx2CKqIW5NcGg0KBeY,iv:cjJEvktvIxK3/JWIag6bjvwRrjNhDPdyNiPVeX3VSBM=,tag:XVi1D580alFObJ6BFV9RPQ==,type:str]
#ENC[AES256_GCM,data:8UpgvcLkQVNgswP5iWwXcQcW9HwZu2Z3,iv:12Cw/oFng9axBRbIRFaM42GD/A1P6AclpTgIBPzcl/Y=,tag:en697guyZFldZksLUJIJHA==,type:comment]
nextcloud_domain: ENC[AES256_GCM,data:Qa19+SbFFhsoDNIYU/ACbjDRRNgy+6FOVQ==,iv:Q1HNTN5ZH3ONVutQOd/hyD6atygWQHuY5/koBBLOXuc=,tag:YunsxVm/xzzyQ5rx7Txzdw==,type:str]
nextcloud_admin_user: ENC[AES256_GCM,data:VPYQtRs=,iv:YispewRIBRrK6YhcZaHZTwFdhxKttSH3DAK+hgN2A6s=,tag:ixvRfNGyp4Y9cSQGzFn46g==,type:str]
nextcloud_admin_password: ENC[AES256_GCM,data:ODbwiXHjY0hmsXntw5vJij+nbRermqzpa6JpGnWj/UoVKAUQ4du775B6lw==,iv:ekg7/uatEVVeNHKhHOO7oHyEcCNUFKlq6rI/McS4p2Q=,tag:x9K7k/p26OFlsviAz4ry7Q==,type:str]
nextcloud_db_password: ENC[AES256_GCM,data:eJ1F04RtCyvUiQCvTieO4vw2z9NfOM6xu1S+0PgiYiWlXs64dQTApmUffw==,iv:Zyd34+tO/fTxGvh3KSooJnRdRjiphWpEvq1rKbFWX9g=,tag:Cg1sAq4MEkdsmdPnVjtmdg==,type:str]
nextcloud_db_root_password: ENC[AES256_GCM,data:z8pwAs1zAiXMzRhPLBKN3A7+f3gjUE/r81RibYHjURW19a1wojCDRTWzsA==,iv:cTSBi/GQfdNelrMdx9Kk/1fHw6hAYkbHwr7d+RxeP6g=,tag:P0gEvkLPD2dgsQ4WeChIoQ==,type:str]
#ENC[AES256_GCM,data:bYmqsHYv0hR6QiitGEvco8hdJucVswww4k99bzM=,iv:v4wc2jKZX2AkBGtrJt+U/qO4se6ofywEtMaK31KoolI=,tag:bD+m6Zq6+tMzdsT2F2hUNQ==,type:comment]
redis_password: ENC[AES256_GCM,data:5Z0VjXCe3xuj+e3BJYF8CbTtIhzmR9xg8KzH8ex5YgBdCybeaOnChHTZDA==,iv:L32kh4eRibIwfXVUKKSGrDp3pRU1SqTijdCPptE1zdo=,tag:lih8faQbuU+s0vRlDr0Jvg==,type:str]
#ENC[AES256_GCM,data:wqtWuZbTZK8R2J6ZwpjtTm9t6qS94CXs6jaeCsKRE4xZHYyH,iv:fqmSzKH6FZExCTXcAeUI3Tm6bGi4YIHTPf4xudiXQkc=,tag:M/2xo3pg0H88qH/1KrdOGA==,type:comment]
collabora_admin_password: ENC[AES256_GCM,data:5qyQ6XynQuq+v5u8FPXf06BsktISFYU8KNiXFmzQDJVmFFVDXkvzDGV4Ww==,iv:UJoESZc44w86WXmBjBn7H/s4hIIyH82uxVglzyS2QaE=,tag:uGxoDrQm4Svoa16qcb36FA==,type:str]
sops:
age:
- recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvMVZLbGMrU0tQYXlDWGVl
QTRCK24xeUVBSDdCbngzVnBZWDRwNHM4dlRFCnJGWHZVdVhvaDNsK2RnbWllSE83
QkZiQ1JNZDdTN01CdkptSEVQZXp3cDgKLS0tIHJYZHJDNE1RM2tMUkNNQzZkM0d4
NlRmUTJqeTZ1WXh3YjlpdjNtUUh1SE0KJiBOBEpS9fCSKfVCBm67SEKXXdB28MYR
muE/oTBKiF29OvrqcqnLadYcUOH25E3x8OhAdUmrTBWXjvx7dpU9Vg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-20T20:37:31Z"
mac: ENC[AES256_GCM,data:9HyYYcQ3TqiI/CH156jGSmby1edRy92Jj2Uq6aLzAP9hpX7SIo5GGN2wnxg4s2+r+W5lNSnq1EC2UZU9fwwr+y1qGu9ObwCAuQ/W88/Jb2hyXcgvpaIhnhH7DmVVV43gMjaypWgBe511lK7lI/C4Tn4nlYf3ui4denK6HYzUCX8=,iv:mtIiYTSA9DjEwfEfLYznmMJ+1wugx2UmcVuwOtQ2XLk=,tag:6R+u0GVGbm0T0bt9TqVo6A==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

38
secrets/clients/white.sops.yaml Normal file
View file

@ -0,0 +1,38 @@
#ENC[AES256_GCM,data:i4EtCJJ9LDXVp5+pwbFqCxKk5sATX9xgYWE=,iv:75UxTUorjqd5pTD/ouZG8Y8ynpVLgDi6gLJYwSISh1k=,tag:Rrg9UuduWx6GbyTBHfcA6w==,type:comment]
#ENC[AES256_GCM,data:9rMEAZ2cpwdGWvwuOg4wOLxiRjczA7+a5MM3o0I1EYMu+tCCliU=,iv:zgTWSeYw1dAuX+rENcds3k20anccXztVmIigs+wxDGA=,tag:RDiJ5iP5RYqk+885+d/lbQ==,type:comment]
#ENC[AES256_GCM,data:eoRGcjK6M00IDrPJ+QnlmGZGO0QDgw==,iv:75Z9MridJallLerHR+/bT1OkIDkwu31oCvKnVOumvnw=,tag:2jQ3PR1cM7PO20l1VZWQhw==,type:comment]
client_name: ENC[AES256_GCM,data:F5GLzcE=,iv:zN0y2yUTADfCbEcBlWKaWtSljyp96i24Yt78rS3GpF4=,tag:9rqZQFnsOQsdDkeY4HrAJQ==,type:str]
client_domain: ENC[AES256_GCM,data:oKKwC+CdXROiuxzdToQX2Ms=,iv:fTtqRfFbeQ00lACBcuxfBuXTjY0NgYAuP1brIQjtDqc=,tag:VcZWP4qfFYY0Nl/sqQd+CA==,type:str]
#ENC[AES256_GCM,data:W4qJvSl58xpFcgbB5/ZTL627vLIqxYnZ,iv:a8ILcV80NIh7rgqZWKsCWu3sjt41I6e37fz7T/fWWj8=,tag:wAGIu961MRc8H0fzCAcqrQ==,type:comment]
authentik_domain: ENC[AES256_GCM,data:F6oeCx/wbMPXG8AJq7bKF+mSq6hBoA==,iv:vG34k0jpH5I8e2k3ERWjTiC5+G2ilemodS1EZ9QBzjI=,tag:hO3iJ/YJ7MlirqWcG5vUEQ==,type:str]
authentik_db_password: ENC[AES256_GCM,data:2ftX7AoL6LANYH4SqpLuvcvv5lFrkobzlbuzRJBzJ2fsA1Kq3KhLXXSPVQ==,iv:FL5+imjl1pnzl+YIR2D6kb/OhrSdnyVxQ+uyxEuL8Bo=,tag:Ggu+MpjiLdLY7m3NYSughg==,type:str]
authentik_secret_key: ENC[AES256_GCM,data:8JXEIr4sMDVTcaZLu+gH09q41JGHEKdtZV2GtfTYZnRoDPg05rVf5zt6lWZife5SBGHxc58FTbxC6dgjwNiGc/5h0A==,iv:TYd+GALSvMrATlsWgOfTl70i5NTHcm//KPbyn5EK8SE=,tag:R87waW1ROqQkmK9ner3W4A==,type:str]
#ENC[AES256_GCM,data:N87wpR+zOLubwiRyvm20htEYi9H0JL9vgHeXuE85xmAUBS7Pm+i1Yt+J4//Ps5s=,iv:3aX5HMyft+nmuBs/efFj2jZ9yzAkVsJtCcV+HE/Caio=,tag:vH+GpVF/6eYJ9b7npmsmXg==,type:comment]
authentik_bootstrap_password: ENC[AES256_GCM,data:I2VUG5p/Ybst4uQ/vKBPGW/hZgXFrleUgQTAg/O8owBuAGRUkc1EuDu6lA==,iv:ECiQj1urctQ/PRQfSbT27yrZGiUTbOBwnFyJiO4Z+FM=,tag:ODGLuFnH3uzs+ofwQXExig==,type:str]
authentik_bootstrap_token: ENC[AES256_GCM,data:mtUVl4AY2jIAkg0LolFSH+9J7MJL65L0twZtOM47HR+n9heOxRngYoAwuTWUYmH04jE92gRUd+zm/l35oEoE,iv:ha/2zpj4vdXkswreacYvFq+H2F4IuOqkCiDxz+nhNH4=,tag:5nAcXUnvCePuFrmH4GpEcA==,type:str]
authentik_bootstrap_email: ENC[AES256_GCM,data:aGb1ynlrNc/xi59GImvbwJ6JxIE=,iv:R+TYraLAujChXfn4m7VbE0apPYo8Ie+4NCwgYLh49hs=,tag:78vwn+sCFlEvk7h5Zk1miA==,type:str]
#ENC[AES256_GCM,data:xcWDxDrT52U2bZhed7TpJ2UWodkxbAz9,iv:+dJRUMBuUs3egZT0AiufC/ynS6TqB9CiFxJPEfmRdK4=,tag:rziNZIYKgK9I4ip+zjD/sw==,type:comment]
nextcloud_domain: ENC[AES256_GCM,data:wZFqmG1jh8PuO8y0kVbnVXBKJsSm3hOlwg5k,iv:B+o+Oq+VM7MvApjNnHES/Fn8RWt74mabiG0/QPeV+o8=,tag:GWS258HH+1ypTD92GJv3tw==,type:str]
nextcloud_admin_user: ENC[AES256_GCM,data:4U3nP3A=,iv:AMXFbrY2OijoL6k3ruMG1bmLyf9Mau7xNnt5yb9zpac=,tag:I+oxW4XVyr7v9MX1C4KQkg==,type:str]
nextcloud_admin_password: ENC[AES256_GCM,data:4nA9pSVCGeMSm6NsrIC1nSriPUztHGhI+gV0bkbQFFSbpuAuQtRGp49OVw==,iv:oLWU/XIs+XUUyKQ21eELMmAI39jqONOQk7nfyWOT8dc=,tag:ctrjeWqP5wGf8suFh2zOIg==,type:str]
nextcloud_db_password: ENC[AES256_GCM,data:HTwCdlXhbscS51dlg0wqv+Vi+I5SIgYlH2R0yf/H541WT/qNHPdynGi/AA==,iv:Q5VwH/97Qt01du6o+U5NnJU+iJj7pO7mXDmGEdbrEdc=,tag:Vn6E7+xep4WdArqDMhNeZQ==,type:str]
nextcloud_db_root_password: ENC[AES256_GCM,data:swjuwwWT0ktSwOtyt1VqqLUZ1ix2DnsSXZv8fCX/Yh1G30rVFFGyC/aqyA==,iv:/mEPTWcJIEmKMab3FEntiQwF7Lt1Jb9H2bqNoZHC7v0=,tag:7jJkshLNIgT8VyAh1OjsJw==,type:str]
#ENC[AES256_GCM,data:h54x0ZvOU2bN6EB8tVk+tBj1P7Kwfad1rx+6wpI=,iv:rJJO2EXzK2nH83OjCivCQX+8PGJlO++vOy54pn9KOi8=,tag:cMxWBdA+M9Y0mVsd5DAlkw==,type:comment]
redis_password: ENC[AES256_GCM,data:2/VPbr+cvIrrYRKWVl9q5kABx2xB7HJbcBwg66FKtcNpp5wfZInF2sV2Qg==,iv:35hTPuR5Lf00768K1sKQ2AfZDYYiFm/r/imLfGBHYe8=,tag:04Pyr84ji6oagwYD0cMGaA==,type:str]
#ENC[AES256_GCM,data:OTQvs/J1M2MNMBCdfsX4QeWPvMBJ54Rys40UrZujQUMM1xzl,iv:TaobP0sbel8W/fikk4BQqnrWALLjoaB1DgbvtM0PPBE=,tag:J5xVfVbCpSwjSQLXt1pzYA==,type:comment]
collabora_admin_password: ENC[AES256_GCM,data:Dii+n/1cbYTOHJ8ENkvrIquw+uCb9Xrqq2nqLP9YsKhKxP9J5JfPoYPImA==,iv:7q6h9TXBBAynVnVgAemWbfDBco8NuOV+XyAj4TW5k/E=,tag:nxhEH6WqMrsZUsCr//dz4w==,type:str]
sops:
age:
- recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmMVhQQWlzRlg5dGhDM28w
RUYwdHFaSlBYd01hRjdLTjNjU3luZUt0SVJnCkVENmVqbG50aTlZZURXUVhaMUFk
SzUyN002bDhnWHVYQXgwMm5VaEMzNHMKLS0tIGRaK3RETlZyNDlMZFdVOEJkeHhm
TDFqdjJ0bWxiUFJtajJoNmt0ZzFOYm8KqbRJ3XHLWoszx0FSOmH7KqITASISvqft
c2K2g+h3qvY23TmhabZtEObi3n6/jb6kuUBzXBM8Dt8DIKKpaKM/1g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-20T09:25:02Z"
mac: ENC[AES256_GCM,data:Ewc47PbiJ+pz+rVl2jtLQ8Jwopi2HZqNxg0Lns/2toCCTUtViBrk36fzFV17QAwnskE4pGLBitMz9rzu6YEJuoxAZoAUlBz74hnYkHFq7fsrDudQQt6KVP6hh8l6DhK/DGv5VWR8Q7PO91WmaVHx+kupdJ/6ak63IXJwlzGM+1s=,iv:Hg/0d6YceGN4rjpeSJUxwhpFoKLRXVVqZVQuSAs+eNw=,tag:8D+V2IHqR0nMfEExuI8gQQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

38
secrets/clients/wolf.sops.yaml Normal file
View file

@ -0,0 +1,38 @@
#ENC[AES256_GCM,data:X8JxD4BECdQWMJOyftwbTW7pBJEHehWH7Q==,iv:VK4F7UbVeopcguqEwLI7cBdICcytulUoxKEqECHcZ54=,tag:WQ8SQL0xqH2+eJGUz+1lDQ==,type:comment]
#ENC[AES256_GCM,data:WAzAQ435o5E0Fj+lgpo5gAkheXyzK3Omp0EMFVR8RZZhQm0GwZw=,iv:HzcAidUAkkUJP5EIS0O2YeKgqOG+R154VgsLp1dNsdY=,tag:+FZcAlcn/QT7+aIn7zUitA==,type:comment]
#ENC[AES256_GCM,data:616IuQI+u1ctI0ZjZGXkBConJChApA==,iv:hY4NIGMVPYcbK0/vydVUOU/1bZVnS9aHlRQJie9Kz6U=,tag:/ZzPoERMGTn2IlnX9BTClw==,type:comment]
client_name: ENC[AES256_GCM,data:V8A2Gw==,iv:v5bJbo5ysVSQsAtvfb8fDcAYfH3agvcDgRp0DvZOS38=,tag:BG1XTCTa4Y6l2GlTuz5skg==,type:str]
client_domain: ENC[AES256_GCM,data:MUdO7f/2ztG2dIGtATQLHQ==,iv:IQ1xqLjWNnLQYvGi/+TfPkfQREasTiRQQVigouXXCVs=,tag:YwH+/6OMHTGu2ahEPlax4A==,type:str]
#ENC[AES256_GCM,data:ZUq99t7RcJlDCdpTYhb4K+wHndvNW1H3,iv:J2e5O2MJELpBpCc2bpYZ+HsEhcntAUadzXnyWq/UX9k=,tag:Us+MGcPbKnnCs75INrSU4A==,type:comment]
authentik_domain: ENC[AES256_GCM,data:Sx7o6OyxPnG1v7Icj19nwGdpVsWO,iv:jqV5WvIMzPxr3AcSOuxAa42pfAzmopNTxBh7jRKwHRI=,tag:QTwm1CXFAbXeuwR10HMO7A==,type:str]
authentik_db_password: ENC[AES256_GCM,data:o5rhEeBS5+Ek+QvGjOOgFJDQ7Yfucrt/JmZzXlgVX3FIjfwO3Skxlievmg==,iv:JXkgThh+ZxRJBSy4YOEj4DjwiyqBrhQvt3ZFUEaDKCU=,tag:cZ1zpLEE8/6dXFOVvEnHmg==,type:str]
authentik_secret_key: ENC[AES256_GCM,data:ssWAhp/pg4XfABAJL1gPMgyE9+Mo71zoPXRx7YmoPJ/aEdFNi1TrIB0Bzg==,iv:goQh+6G4hdnUpEKSbNtjP+XObhPNfG2traUCQsiJH04=,tag:ShvaYphpi4AIBJJOPzPWww==,type:str]
#ENC[AES256_GCM,data:SKCv5gSPF1ysKfQ+QGzjQ2NO1GZKfDMleKjqIg0u4SlaXWtT+E+sLcy2PVu6diU=,iv:81vttO11NXLK2y8puLbCUsJ0xIpdHF9+lj6A13gaQMU=,tag:TywoZTCgTXXRcRLQk4DB1A==,type:comment]
authentik_bootstrap_password: ENC[AES256_GCM,data:fvX2aNQJBdOWvE4QQyga8mxyrcu4OZu1c89+50SUZVzmYDLdBcfyQwkxFw==,iv:3CFgyMuJ2RFAHQ6dmtrNXWer0H3E9zN1p09JvxKpc54=,tag:W/zOxs3vApM+ZRfub6t0Vg==,type:str]
authentik_bootstrap_token: ENC[AES256_GCM,data:8tLCJ6Z+2qMUlRNg+AWw+VzRDHu87zughBoGhlTBKfRou4uidVytuj1isdkDig==,iv:y5kxepewo/2ztPwqlZkXsswG/8vGUR6MGaor9RT2nQw=,tag:hKQVnH7yHpHfkKwmHa7ISA==,type:str]
authentik_bootstrap_email: ENC[AES256_GCM,data:UQNBlZx7C3nu100NetfILGF3IBxg+Q==,iv:Xal8Bt4uRo+SIVbnJVEcB8etzfb1iu1D+84hrxzgRU0=,tag:v2EdR2odSljwEQ8e8zLo+g==,type:str]
#ENC[AES256_GCM,data:g4pOBP6xgObrVV1k0raT09Nhj2JeTWOY,iv:Qg3gUFdStMo8f9td6wtCMeB0Fv8Ubnn89qpxxKhCgBs=,tag:aEnb089WYAVlFR5y5Klwgg==,type:comment]
nextcloud_domain: ENC[AES256_GCM,data:lkPMXA/txIq0gsqxpzvD7ludBrEN54FZ3+o=,iv:YwrMdtFwRvzyutZNZxsjQHUxE8Sutgf9wmkXTDVIr4U=,tag:9xn11iq36DNzx9+h/6rwrg==,type:str]
nextcloud_admin_user: ENC[AES256_GCM,data:rp89lXA=,iv:6aAgoa64CMZ6vH5t/b6Szq4v6tZezwi4GptozGOsVQg=,tag:4Ju7uFSkSGWHzEUE0dPqxQ==,type:str]
nextcloud_admin_password: ENC[AES256_GCM,data:jGsQKNfActchwAMWWIBBLIW/c4k2WOr4IYWbnojOrbWJQdl19KKLrll0pg==,iv:zjfQc5Q6aDY2nwNVMbsVQWy4avKYM8CcY/13PN+XCZA=,tag:piJV2/Zd023MdS0/fYD31w==,type:str]
nextcloud_db_password: ENC[AES256_GCM,data:EBc95vFsEjz/HliVhMqM1U1KTKgUisbeq+95lv+Dr2rpD566+d4awJ75jA==,iv:/n9IzxphJ2Aa1N+nGEjVeEPdFHyIRyonqHokkDILxcc=,tag:UzWYPqZxx7uGc+PaDHje1A==,type:str]
nextcloud_db_root_password: ENC[AES256_GCM,data:QVHxkAfqgPDumApqaHxq4yyiH2XPRKcb///mgze/h5z9AGxTuiBK3IH9BA==,iv:UBzZQkq76BjmEGJYOV4qwEI8k2RDp8MMPDtQflsRUg4=,tag:iIBaM2JTf7GNene07YSGoA==,type:str]
#ENC[AES256_GCM,data:o9j52wW0iZ7JeaI3JIk2/fSVSvZfuROHdINsnCY=,iv:VErcoWYwmZmMj+3SYoaxt5+Rh5IY2SQoely7CgQDQ/E=,tag:/2wit+v7QN3UIJlcyhvLqw==,type:comment]
redis_password: ENC[AES256_GCM,data:hmk0W2v4NkaWtBeX7UyoCB2jybvCMELG43YVQkfhV3p56RrDZN8l8R903w==,iv:tAPVgNHCyium1zpd+SmZLjwv5a2X4yCPI9tS3dNUcXA=,tag:ddwibQhE+srBNz5WXS1jZg==,type:str]
#ENC[AES256_GCM,data:gSdSguHeDnzgAN0RqsgA4XYgSrrdFHAtZRSTdOucoxJOPFjW,iv:POe4KMzLrzHMeeX5lk6mrMUQNc41MqbVjw9iIetnFqg=,tag:L6yj9NpMbEYWzK4x38aLKQ==,type:comment]
collabora_admin_password: ENC[AES256_GCM,data:TkZZxjmLtKK1pdjq4KYIDbDv4zVhubi3NDDESzn6UY9jmcoGee6Jn0PgBw==,iv:nYtxWCejET8PvjiFIXgaPkt2CKgwRMekDI3zFH6Qpnk=,tag:NLKQqtIhjYcthIqt+unGaQ==,type:str]
sops:
age:
- recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpN2hTWS9pVVJtOVB5Q0hy
cTZnOWxMcXkxZ3A3S0VxTDd4WkVJNXZ6eGlFCnFqem5MRWlsWnowTEI1amJUU1Rw
Mm9XcVo0WHZQQmVVYTV0Z0lNc0l4c1UKLS0tIGJjNldSd2xhcWxpL3ptb2MxbGky
bnRCZ0JncVNQUlgra2k4aU5OODlidTgKZzrZKcXDtkz60fkDdSqWLc4/Amp715Lt
jWlD4nBRPP4EE9lx2k6Nzasms3Kd7jY6XSxM9kdyYMJnw079FhO7oQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-21T10:19:33Z"
mac: ENC[AES256_GCM,data:Gx+21yPz2TVWBGtn8kAI9pqPU/90o/E/PTSqGJD3aUx+vdmPP2rflV1HBX6Nz8zr3A9a7UDMpzLejGb98B72pOnU31xAKlq22b0MaIlQdg33TL3OKxwwEewPtvhDQDWCf2IrTQtC2SW+Hn1DaV0CxSb58GZWj/NXtVAyq1Fd/zk=,iv:PI18voGa40uB4pJt1PHGBTHAcTfFXLIqzO/z2tHjiPY=,tag:szewwRMLvC05K7fXKbOxrg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

38
secrets/clients/zwaan.sops.yaml Normal file
View file

@ -0,0 +1,38 @@
#ENC[AES256_GCM,data:grMUWAptTTKARjOLuIU5ebl+z9443cYJq6I=,iv:XQUqmLqDULEaNMbMLQxMHARxuFqWtbCfBawiMprpTbs=,tag:KZCOtofgOKtpuzNuySaJ3Q==,type:comment]
#ENC[AES256_GCM,data:5jaeagHg9g+wliZySGR8LSv64yL42X3/a2HpGA9Q/Nb5YKaHbuw=,iv:mETlzOquOv3XvFolHznZsL9JtH3jH6bOc0tqZcQ15s4=,tag:LXRyVlxzgkDWjxxWFlw3Pw==,type:comment]
#ENC[AES256_GCM,data:uU8xSvIXCBoZ7XjCSfs5Qj6F9FCZng==,iv:l9Bk/vQUORlNr6UvQyayOgTn91k5jVGa3f6c5551cYE=,tag:stANmYwcjqI7fiEWUc/KxQ==,type:comment]
client_name: ENC[AES256_GCM,data:/O1WCS0=,iv:h5c47JPzk1XDAC4PYa0aUoBn/2Ce1985Mwy28CV2b/g=,tag:QyCFX8PEkKnO95CIhJU1FQ==,type:str]
client_domain: ENC[AES256_GCM,data:fA2w0n4NWUZvd8YtBh/yONQ=,iv:iRlazuwjk7VTRB/pPSzJbNCLblny5sOTV05xvMCaacY=,tag:53J+3212xm9164y+zPbRCw==,type:str]
#ENC[AES256_GCM,data:+37qvOZXoDc5kc0YJV8fwGxIY9PJUZh6,iv:Pvjicolk7OnE6ugsKVbr9HdTcgwLi1bj7j885xLluxY=,tag:8CqMSrVqkAcXXG4xODEmjw==,type:comment]
authentik_domain: ENC[AES256_GCM,data:7o4yatWlTgJqYV9WNc7qcNmLanLgJw==,iv:Tx9xJLJUmtps76UWYazjJlhhb5jDMOWH9jQSSzVFI2o=,tag:BkbImmwMq4Yu5eONAAapHA==,type:str]
authentik_db_password: ENC[AES256_GCM,data:2zbpT5WrC2lDB4U5O0w4LYOVIhSf8zCbIWvRrc/Aqim8H/JXUMyd0kwSuw==,iv:8y1eVLeY4O+jaUFr1uz2/OB5jA0MVenjxV1xknR9VfU=,tag:wL0lDaun8AiUW59fAGiCZA==,type:str]
authentik_secret_key: ENC[AES256_GCM,data:BCWmzgt7Mm61CVdjmlmgmDHpRL+K9ezooPlYwE0WyNpcObq7xz+dzFG/Iw==,iv:3AG7T9jg0GxLUOQUg96lcnURFjFYPcwtAdbMg9i5JUM=,tag:wdXmSAj8eEjD9mbSuzsPgQ==,type:str]
#ENC[AES256_GCM,data:CDts7Jm8JDCiOD8ncxHpNVuHt8xOY9Gat4BkkXfA1w1wzibWoSkPdorcxCvIATQ=,iv:/WZqkCy/k3nWosSjqAyMqyjb+BuHX6gaesEbKuL3fR8=,tag:OwrcTDfLdJIqqvGiN2S6AQ==,type:comment]
authentik_bootstrap_password: ENC[AES256_GCM,data:U95Apb8YvMoE3X9lYmwEK1jVpSOLEIzjpFKO19MLolPF1/MxkQlq3qGZ+A==,iv:/HKFSJc72x8gxL2hIlC/G4BBIkODpM7VZ2RchBo9++E=,tag:amPHnFa1Gl1qYAhs0eSjGQ==,type:str]
authentik_bootstrap_token: ENC[AES256_GCM,data:nbpEsV1WHV1615BIqsELzzRBYKS1047fOsleQiu1ACAVJ9ak892bbr86WuYC4Q==,iv:UmEja7XaET5j+gd6T9whI6/eSsE586iJf30ugRKu9PM=,tag:hNQe0SddKnUjEI7VaV2pIQ==,type:str]
authentik_bootstrap_email: ENC[AES256_GCM,data:FVM50ieG/Cngq3jPhMup6oVdRfCaJcI=,iv:dwXJy+6OZONKc06rnfr3ltHgmCoRbpOsgncjWErZewY=,tag:EbjBl/IUXoc9nwhqgoUJlw==,type:str]
#ENC[AES256_GCM,data:EmSyiq/0LxJCtJ7RT1FPFDuFKPOzOjhI,iv:zl4iKXIAxjmtioJuW2feoxLi+fSD5+G/FWWWnydKZnM=,tag:uQIzJVHDsjiGklmazzqJ/A==,type:comment]
nextcloud_domain: ENC[AES256_GCM,data:fD6e+FhhTpJwLlfTPx3yCQSaq1CObyN96j3s,iv:NF9zK6qPtONaLsS+yJqODd5nEiOI5pt7Jo5tHXLIOb4=,tag:HHFpqMFhtmT7IKo4woeIBw==,type:str]
nextcloud_admin_user: ENC[AES256_GCM,data:qP/XelI=,iv:bQUPebAzH/UOX7gs1aRRKfNYcYyhkTVZEcOEFvPGmXs=,tag:JIVcrAWPEQyLSCP6lNkYrw==,type:str]
nextcloud_admin_password: ENC[AES256_GCM,data:i6sUi+25ls+5bu9pbwxMuyUVLAGwCENjVNOYVwYQlbZDfyiYM82pCcvtnA==,iv:OhOefaqn79U6URjuKwFxrdCE7ECaf2HeUHstrrXftX4=,tag:RQGZE9B5/eDzTP8FIlal0g==,type:str]
nextcloud_db_password: ENC[AES256_GCM,data:4iQtSJq1vLLzOSCYPCjbvXiUokt2l7PAr0volEffOvxaUWatSyN+5ffI8g==,iv:FG2Pp/aNiNn/8JLj6mGzB/aAxaonGjCN8bZ5cwtEvW8=,tag:MWrlCAv4Ns/0ZymMRpHAMg==,type:str]
nextcloud_db_root_password: ENC[AES256_GCM,data:AUlBerIg5to+wqvGe4XrV6qyLv7qN5CvBLE/Mh76fwutlkcap7LGnopPJA==,iv:q/UHrYVUOX3IEcVICzEKKUwZSb8xC3GOWyfXsZcrxj4=,tag:M0G55DaVyVSapnZVKvOdHw==,type:str]
#ENC[AES256_GCM,data:/lkuwDB+t4izxgk8z7srKzVGIUV1ddVuggecZzQ=,iv:5Ew7A1CMl7loBS5Ihwn81ZQIuKxg7svrWRSfjF+Joic=,tag:QJxXoMmIjqv58eUGYVHIJA==,type:comment]
redis_password: ENC[AES256_GCM,data:Dsb/AdHGNguC+eJAwTkikEJkXDak+U5DwRinANlvu/g9H7oOVu9netXzqQ==,iv:/RDnk/Nq6RrKZhBtJxDdYSBb8NvvlnfpUZQmqsCG46o=,tag:Kc/uL312sB5ZFBVEGjh5Pg==,type:str]
#ENC[AES256_GCM,data:vHxc31U98vS/+twbwssWGtWWm/2/M9oSiSNW03A41gSDqMyA,iv:vgWYcaaxGcyhNTn/Oox04b9Kd8jWZyGWL/79/Xb06ew=,tag:uX61Pf6boE26XriX+jIJEg==,type:comment]
collabora_admin_password: ENC[AES256_GCM,data:M+JbmS5WtUl1d2GCoUl72F3NOcaslFGjaz4NwQYYXF+CKEb5DMF0EkaIHg==,iv:X3gdn4NE2O1FyBBRwdDqyYLoEqlmnXqiJ0FlhOd9DyE=,tag:POjkQqrvmB31kRFRspRcDw==,type:str]
sops:
age:
- recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRWmdObzRmdWNCWlliaS94
WWRqUnB3YU84c09mMXZGSGpEclptZHA2Q2tzCnJQdkNiaGlLS0ZmSVlxQTNzaDZO
SERZZjhaVTZXTzE4N25FVnNybmp0R00KLS0tIGJtV0ZJZEREOHNPVDg3cmRQbDVO
ZUg3UEJxUFlaWUhTWjh5dXMvbVhVQVUKeSgbz+rYkfLbhNCF/Lgx+vauPCdcaxXC
hpsERVWHHTu3+XOQbDZ60QCXelUu9kyejlYow0fLP9jMPm7Ifkujnw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-22T10:22:33Z"
mac: ENC[AES256_GCM,data:H2v+rflUC3HQJD/h2B7N2JGq5A/xUkVFhoCSROOVDm/K+u6UdyPTSf8FBWoDZirXrcCxOUMZjDLz1bhGM02BmHYH5cd53oRlBjK4DHKFniEiaa7JmxB1QVqn8NxsmtU3fS7Noy0tTq8vhnL8RXHQdgO8emUQ43NXoXOh1nPoEas=,iv:Oab+s7v4VtAp8MxN1VUZIDr7v/pFL1JKkTuZ5Kzm6to=,tag:pzNHtuD/TR4K+oJbiS3sbw==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

55
secrets/shared.sops.yaml
View file

@ -1,38 +1,33 @@
#ENC[AES256_GCM,data:04ALB+Pn3US4027Oh487+ZrAQfoLWwVh7J04BH5bLVk1odSadMrG+sg=,iv:kXjuTiE22hgz7FYcBkDw8ANCbmKBPgNvbLdx85p4kn0=,tag:Y987uVwfd4z2WG3+EsbRTQ==,type:comment]
#ENC[AES256_GCM,data:JR39Jk+yo+4xal384o+cWnxxsgZJhrf6JNCtHvl0iyx8Ukb3R4c=,iv:hY5s0YYbw0aO0958NuHeT0rPicvNoMatdzNfBwMl6/k=,tag:dGP2YmLcU9inq4LR1gFQIQ==,type:comment]
#ENC[AES256_GCM,data:MwHqTG0q+8qzCl1fbug581WIH/fAdgCuVvjew9ckw9kaXMFdjLwacKMsAAkttGrsHs60jNyOi9YP//p7dqCpDxNT+7be,iv:EAEf4ULn4YdGQSgml3S9SzWtYNPWaAp8xJm/sTrFNRc=,tag:dgEqhUTpI4KSf+jpA0tR6Q==,type:comment]
hcloud_token: ENC[AES256_GCM,data:cEBVeTBeZaoJ9zNUGeGiqG6svMY9We5Bo+xUxqyP553F/3SGhVNnIoPTQNnhoi33av9SL0TK9XUPshFnB/wAJQ==,iv:e5kv7GQZQqtResfLyWX35T4Bdh9IwoErIOAcUmtr4UM=,tag:uqYqBQYlzOE/2uN3s9lRYg==,type:str]
#ENC[AES256_GCM,data:ypfNO7kd/SLrsz2jRIykmbGWJB5Vp8SNUwh6UEE8qhttVf6bECk6a/wBVj4XzA==,iv:379fklcd9rJaq3zvJcAb/IfsFYPxPKX+ZcMmyFQ+ak0=,tag:E6IlkeneMLx2SHibs4pVrw==,type:comment]
storage_box_host: ENC[AES256_GCM,data:AZAlPKfIAjvqc6YkpIKHutny6ubJLgcpASY=,iv:MYsq9lmFVc4Yq5Dj6dF1sWrHUpcAHmXgsGozT2M2URI=,tag:R1UYUQVZH5UVqrWtBjsBpw==,type:str]
storage_box_user: ENC[AES256_GCM,data:mb3F22aIcQ==,iv:BeOYQV4ZharXF1NlPUC/G3IF98eBbZ0W3XxgMkCuR4o=,tag:stLdytx0n/EvCOta/3Cn/g==,type:str]
storage_box_password: ENC[AES256_GCM,data:2VSgTly3rNozgfU4lg4Un+K1vmNf5XEq8NTYH1ekcI9a,iv:7uDxpspTVyirGlzaHDZwSE4c/c+4TaMaH7gGCd1X1JY=,tag:njzoKPDLa5mz5RMp2gYOtQ==,type:str]
#ENC[AES256_GCM,data:qCDYq8QCwrJZu0AiE+d4ePbbBgBQAwZ1knv4,iv:Yx4aEyRVMxQlirfdYyvUXCmukOzaL/XTypB+mRaFwv4=,tag:6DHV8r33jLsVGYNHLNUE+A==,type:comment]
acme_email: ENC[AES256_GCM,data:7S0SVt/wIV6MexKntpxiioiS62dQ3JNX,iv:xCx4aXuCwDtUzUy4cEhy6Y5G221UtHiUgPBLab14Ti8=,tag:bc4cRIV663cjroTZ9B8Z5g==,type:str]
#ENC[AES256_GCM,data:QjXYPryU+RWEpbfh0Iicu6tTog73i7HVzHH3UD5HqyPMs/wSM6q2s9Ap9fw=,iv:sClGgcS7gGKptbJx+UtPn6wfYg/s8kf6GXltFsbpXyE=,tag:9ZygWXObDSCKZjGtZSPIQQ==,type:comment]
mailgun_api_key: ENC[AES256_GCM,data:+KEwwt3g24KbplG705tOab/AIXOSnpmBvQtscpB0m/UTYHQv9d3h45n1Hplw3kIvEMk=,iv:g1XC1/HqsKeysOWPDk8ArMIvYuw8mRRyjmOtn38oxFI=,tag:MQI//J1Uxw43x/n9baymdA==,type:str]
#ENC[AES256_GCM,data:+76iTnTb2ER/8LaZMwnOFe65mqD+01h3WLCtJeiFinaQ9NitTfK/+J6OI+12IIGvFzdDW4Eo1kj1ETxekg==,iv:Y4tAG2TYmMbHpZcq44WzTno4pd5JW9dF1gOvEJw7kjc=,tag:QyXsSR1gd0hI6JYzT1E4uA==,type:comment]
kuma_username: ENC[AES256_GCM,data:zmar2ok=,iv:rdMU87CaPx2SvhIBrTaMI8TzQNMy7mme6LfPwaU0B2g=,tag:GaRPVvNBwt0SEvfT5UR39A==,type:str]
kuma_password: ENC[AES256_GCM,data:GI6fLItkyjmv5yU5EBXIFeHDuQg=,iv:nnc9DfhfsZPKK66Ivme5xSrLaR+onIgEmnrND0gsYvA=,tag:LHIZUTYakGie/UgZdb0wng==,type:str]
#ENC[AES256_GCM,data:09+nWhVzHUIsLzvn6vkhv7thV2QbDJtv0dEWR+eygYSX7B+n5UhKVFhUyzgan2CA,iv:0Fs9R7cwJErJfC4o7yBpP+uSgxSjRNIZJH7ZMMAtEhs=,tag:w5WZZQrYKh+DdCxmDzbIJQ==,type:comment]
docker_hub_username: ENC[AES256_GCM,data:GJ3X6f0HnRhNTVES,iv:HS2SE/9XAScGl3tCjbvYj8rSeFbyuXsBh4+P5adRo+g=,tag:Deo5k281WG3kQnGDUiFnSA==,type:str]
docker_hub_password: ENC[AES256_GCM,data:Uj3lLaBitHiEK4Z8ki/EfomWDi35eDtrRDMehTqsi7OtMqDY,iv:tVXbAumOn8NlrBBKzUqL6G+W6VZ4hSm0UZO4+ymqqas=,tag:hznzHSJpCwfpaPdJ0fVzVQ==,type:str]
#ENC[AES256_GCM,data:JR8oUMSIpn1beUD+bLl+3Q1QTJ+fLBrgOb4aZgQJf2A5MnfmYyuz/qgn24eekfuRxV0aPua4RjaUjl77YtWtXwDhcQ6y8pUjhUniW2R5ZnnCyecJ9zs=,iv:NGrXYBj6pVvIGmN8RI8abGrtjPPtkdHRZxahgH087cw=,tag:4gBgYddoK3Nd6pVOLxBcGQ==,type:comment]
matrix_homeserver_url: ENC[AES256_GCM,data:BEgOaA/kYbT0UU20QPJp+/QR2agNiR6OygG6gyrG8lqV,iv:CVwnqhuEV/VTbcUBliFgp1rLMGNWDyBEyt1xR87O9g4=,tag:azocD23lo9riGtCLBuSIcA==,type:str]
matrix_diun_user: ENC[AES256_GCM,data:JtO2Zpt2eSPTWcGlgOHtGfMPLUmpKjHK,iv:LMnqHgrybjaTJvMdOs1TsYW4lRdQK1qtiHjVd5tygeY=,tag:tMcNM5pcrpg90BhP1akwxw==,type:str]
matrix_diun_access_token: ENC[AES256_GCM,data:13118eQvzxkI8AJAXlOfaVn0QyQm3bys5SMxXBRT/9ZlgAFHJpY=,iv:S71vHz5VAucmNUQ2Ttj+QB6Fgo+1kx7fpmwZtDDM04U=,tag:C/Fk4CTu5BkGe0X1pB++8Q==,type:str]
matrix_diun_room_id: ENC[AES256_GCM,data:uz+tkB+lArVm9XMB/vy3LfwG7YW0JSmpmI/g0hgtecKRorGSAkAD1/PFrWgv,iv:FHgFQ/w4GT/xrQHawEIi1jicri8+WACJcKHKXugImBM=,tag:2M0zFYDE0vQUGxW7YpTT3w==,type:str]
#ENC[AES256_GCM,data:2YMIFNKq+JsSJeC9Qjm5RwtyC3xK7kUoEcfZDvDl7UrMtSqKr8COUgs=,iv:iNYbG7vJdnxmQEKvKrbKT6DKpXRJasKP+sEl9n8u9kY=,tag:hWIJ51MZDWPKavBcPtfjAA==,type:comment]
#ENC[AES256_GCM,data:7hJjDYJ9YaF6I6b5Dvt+/dvgWIQjjj2AjYrmR0Kno+KKgcg1yEE=,iv:QzwxWutd8vEhusj6IL7xeLxG27PcmKigHnCwZRKEulE=,tag:Q1vlJzRxX7dj8wNrhi+Kfw==,type:comment]
#ENC[AES256_GCM,data:xtOU9wOXNJEMnPuJN0pxLxP4709/IRV0JhRFyf8BeA/QDlSt9jtyaumsuBuA9aui31+0MyhqvLeBbtE+acnTp9W0RzEo,iv:nUdN95nWS9w/UHTxos3ho58/s/dWBuFc14gWcKxPmbU=,tag:GPgBIAk9+/uNBU+9qbYhhg==,type:comment]
hcloud_token: ENC[AES256_GCM,data:8FN2vXof6ud4VolI+uPMWikqOKwTL0Lua4JJgGfGu2F8eFJAKNznNCS47X1HoDCu6ky0tl5jmZvx/RcZU6Ly5g==,iv:Sq4G5gDvoP5HpcsaZFL5bRma3iQdA9shcVjc9NgkUxA=,tag:ww1P2NFJvLyIi1Sbbf0PTg==,type:str]
#ENC[AES256_GCM,data:dV5m3Mtqq/apW8NLlEpy3KFVyQaKZS8uH4WPD3j0k2pnN3hxIc74p+/GS0V7Ew==,iv:etSVHDonOo9l7AGWt9uQCd9ye6u5yVDlM7BRLJd6keM=,tag:QCNmm+IuuaJZuai2CVBYbw==,type:comment]
storage_box_host: ENC[AES256_GCM,data:J1YKyjZ9X2x8mapgzhr57K1vZuQ2lCkrWdk=,iv:awswwnWl/ADhsG6flTgUAZGoA+e+A410hCOUQ1cvDZE=,tag:4J4oo0CKNCCNb3LrdNFh3w==,type:str]
storage_box_user: ENC[AES256_GCM,data:JIWh720v/g==,iv:HJp+Bx8kS+QnFXlqdiITPuKFOQRgpg08QPxMqEI3AXs=,tag:bDYryqzAgeuESbqCNJlY+Q==,type:str]
storage_box_password: ENC[AES256_GCM,data:/9eyEsS+sHuWfi2zzLawYwURHryZQ0ug+BP36SqSXgiX,iv:i1VaWheORGkrCZZiCpGqXsxE+lx4a/zEMczJ9hLRsmc=,tag:5OVE90R+e4H0xkI1TP8QjA==,type:str]
#ENC[AES256_GCM,data:AcDfSbReb+Fq5yDcIxTDVN1foKsKKs1eMTCc,iv:m1LZMR4uaLCHH73MrRG3qpv65JSkDFzvF7nIxMNJOWE=,tag:d2hzFSYNO01UEOeCMUJ/bQ==,type:comment]
acme_email: ENC[AES256_GCM,data:by2DuXwa5TmwKuoYB9rQWC7JQ6aJNgwJ,iv:nA/WnVsscIF8n955TOEJ4N6+bTIBesu8VBlk8GjWheo=,tag:RpxSJUt8XG3hrQ8yvSU8vQ==,type:str]
#ENC[AES256_GCM,data:oIGUDVmm09wiD9ftBozwyy8I2liAR+SvHOwD2CfePQ7y5aaXs3iCjTQGN4g=,iv:B68aM+QBRx8vDGKunDxUWSCtjWKNtoZojyHu/tAIy70=,tag:qg6uQjRcWuWQhU0u+FUZxw==,type:comment]
mailgun_api_key: ENC[AES256_GCM,data:xj31QEnmS8z4qGqXuWK1ZJUNXWk2uPOKV4dVtDFxGcsnq/grQTPUY7ZDsp02x441Wfk=,iv:Cdeyk4wSZ9T5tfq45VGE6fNI+PqqDTFf5uf9x0yxIw4=,tag:Qd3WGPtrg7ZNT2J/U4XxDw==,type:str]
#ENC[AES256_GCM,data:XGCm1nYG9utFEgZ08hY+mDzl6KUh0WzlwztGPn/ivn04BA9CXE27uwSFmQZIwtDDUm4r8SvHNmytvd4Jwg==,iv:fGx0xsCmVrRKKQn4YwGeXqk09zGiu421eSpjVlP7yaY=,tag:0dBzVVsASKgzok0wkT9F1w==,type:comment]
kuma_username: ENC[AES256_GCM,data:pvaYOaQ=,iv:LEEaIy1d9zeo/0J53G10SrCMWu+decEOJvQKQANpwMk=,tag:6B5uXYIGW9fg0nO7T3MIrQ==,type:str]
kuma_password: ENC[AES256_GCM,data:zE2zI+mrQ92I7P/zykqbx4jEACI=,iv:WQ5y/N+WI45fHolYZleoH5/N9ITlNzMTn6xtpGfPFlg=,tag:Jwh8CBShb0Nu8b6ksN5DrQ==,type:str]
#ENC[AES256_GCM,data:h5PCiXOXU3wcEAv1d5hT+ft9rDETCcDr83LBGwTeiF/PBEEVMHesSsv8Bkn1Icuj,iv:HSk5jzuX233Z6mBIwxcwBLW4Dcw+IEObUkrmkg2wfBw=,tag:473GFIBMhrI07tIBQnFZJw==,type:comment]
docker_hub_username: ENC[AES256_GCM,data:4UQe5HoWd0azh1BN,iv:KVAFe4HYtQrzpRVLhVOeVxtrg/VrX0tdh8BW+lCGqZ8=,tag:31NlEomOynhd61qiVwuMlA==,type:str]
docker_hub_password: ENC[AES256_GCM,data:qo7aespQMFAPhfXaKA9q8A07HAwwyoRKBuJy5Qm6zK+HEKiU,iv:l3vx7CIkL4fZOVnQ0CxYuWI1UWl+eIcuqfa55JTOHZU=,tag:jn7izsloBxoZ51Rj+vBdSw==,type:str]
sops:
age:
- recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuU2JYVlA5bEMrZitEUk95
VHltbXgyZUtVTVVicEd3bklPQlRtMURTYTNVCkRXZTJTSkV3aG51emFsQVh2QTBi
QnZ5RmpWN3F6RmFnWTlnWUZZcXBqVW8KLS0tIGR4VTh4M3huNGFORU9CcVlMUllx
cWhVaU9sN3dYNER5ZXhRbVpOWHZBS2cKHc0pIQno9sUGsfBxRlHxLQ5BPLerb4qd
abbxYhLJ4roN+9dw3d26fEPYESg/lLts1nyZNxNGtTIz1oJG2MwJVg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsZDdlWk4vRFZQYTFTU0RW
NDh3a3RZalFiQjhYd2NESjZsTlJKa0RvdkVRCnZLdHc1VlhYVHB1bWRmQ0lzRlNM
eitYMG5oc2wrdUw0bVJ2cXlpVW52bEEKLS0tIEtTV2s2eVN3bjljYVduZS9vMW1U
a1ZFY1NBNW5odFNZaXJSQWxFNjIzVUkKIs0FCN7RRaQBAFp4tBb09C+7c5iSlyLU
ZFNIXfMeTHtziiyB3eUtFbZHS0Mec6YijCR90WGm2Vk17dNVTu1Nlg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-23T20:07:21Z"
mac: ENC[AES256_GCM,data:huCxiz8tOLyrn2yIcIi2YRMf3TuMPNr9YAsaQJI6aho/4ZqZ7IF3Jm/qrtRsr0tyn3en0UWrQAUnWG+9RQ3AC3fM80T6TghANV4xLXJqNk0WJ5EZ7p4ILDRuuEDqeVcvDYEzawGfCGt6tKL4JVk2BW2PHQz52FaQnJCc4/3Q+ZE=,iv:7pV2UvOz56R+WljGYJl1HeVjXdOqELFvBLE9SKnEzmg=,tag:8Yw7lolyQ2oxTW10o1AdIQ==,type:str]
lastmodified: "2026-01-20T10:38:25Z"
mac: ENC[AES256_GCM,data:4aL5GwxjNYoXaLBdDYtpQ2FiWz6fVPjNvlB4wMX7PedzSPb0+Eix7BK7vG6MHrRZVJzRbWQZb9xmnVzl+Bm8gdyS9ctPBfcZsv94nUFHMW9KLyavvsaf1F7asT0OuyNsHc3A7vfxjO3FT2oNOGOmulpPXKFQK2+87elL52bg80A=,iv:gQU//Hz9+Ku6X31S0ocLr2oQKvw8+Bagx9LEAqelT9s=,tag:f6P5OtH8bAyWt+BuEsdgWA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

BIN
tofu/tfplan Normal file
View file

Binary file not shown.

29
tofu/user-data-private.yml Normal file
View file

@ -0,0 +1,29 @@
#cloud-config
package_update: true
package_upgrade: true
packages:
- curl
- wget
- git
- python3
- python3-pip
runcmd:
- hostnamectl set-hostname ${hostname}
- |
# Configure default route for private-only server
# Hetzner network route forwards traffic to edge gateway (10.0.0.2)
# Enable DHCP to get IP from Hetzner Cloud private network
cat > /etc/netplan/60-private-network.yaml <<'NETPLAN'
network:
version: 2
ethernets:
enp7s0:
dhcp4: true
dhcp4-overrides:
use-routes: false
routes:
- to: default
via: 10.0.0.1
NETPLAN
chmod 600 /etc/netplan/60-private-network.yaml
netplan apply