feat: Add brand recovery flow config and improve security

- Add brand default recovery flow configuration to Authentik setup - Update create_recovery_flow.py to set brand's recovery flow automatically - All 17 servers now have brand recovery flow configured Security improvements: - Remove secrets/clients/*.sops.yaml from git tracking - Remove ansible/host_vars/ from git tracking - Update .gitignore to exclude sensitive config files - Files remain encrypted and local, just not in repo Note: Files still exist in git history. Consider using BFG Repo Cleaner to remove them completely if needed. 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
feat: Configure Diun with Docker Hub auth and watchRepo control
2026-01-26 09:17:08 +01:00 · 2026-01-24 13:16:25 +01:00 · 2026-01-24 12:44:54 +01:00 · 2026-01-23 21:41:14 +01:00 · 2026-01-23 21:36:30 +01:00 · 2026-01-23 21:25:44 +01:00
70 changed files with 1370 additions and 1910 deletions
--- a/.gitignore
+++ b/.gitignore
@ -3,7 +3,9 @@ secrets/**/*.yaml
 secrets/**/*.yml
 !secrets/**/*.sops.yaml
 !secrets/.sops.yaml
 secrets/clients/*.sops.yaml
 keys/age-key.txt
 keys/ssh/
 *.key
 *.pem
@ -12,12 +14,16 @@ tofu/.terraform/
 tofu/.terraform.lock.hcl
 tofu/terraform.tfstate
 tofu/terraform.tfstate.backup
 tofu/terraform.tfstate.*.backup
 tofu/*.tfvars
 !tofu/terraform.tfvars.example
 tofu/*.tfplan
 tofu/tfplan
 # Ansible
 ansible/*.retry
 ansible/.vault_pass
 ansible/host_vars/
 # OS files
 .DS_Store
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@ -37,4 +37,4 @@ become_ask_pass = False
 [ssh_connection]
 pipelining = True
-ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
+ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentitiesOnly=yes
--- a/ansible/host_vars/das.yml
+++ b/ansible/host_vars/das.yml
@ -1,10 +0,0 @@
 ---
 # das server - direct public IP
 # SSH directly to public IP
 ansible_host: 49.13.49.246
 # Client identification
 client_name: das
 client_domain: das.vrije.cloud
 client_secrets_file: das.sops.yaml
--- a/ansible/host_vars/egel.yml
+++ b/ansible/host_vars/egel.yml
@ -1,11 +0,0 @@
 ---
 # egel server - behind edge proxy (private network only)
 # SSH via edge server as bastion/jump host
 ansible_host: 10.0.0.52
 ansible_ssh_common_args: '-o ProxyCommand="ssh -i ../keys/ssh/edge -W %h:%p -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@78.47.191.38" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
 # Client identification
 client_name: egel
 client_domain: egel.vrije.cloud
 client_secrets_file: egel.sops.yaml
--- a/ansible/host_vars/haas.yml
+++ b/ansible/host_vars/haas.yml
@ -1,11 +0,0 @@
 ---
 # haas server - public network
 # SSH directly via public IP
 ansible_host: 78.46.229.195
 ansible_ssh_private_key_file: ../keys/ssh/haas
 # Client identification
 client_name: haas
 client_domain: haas.vrije.cloud
 client_secrets_file: haas.sops.yaml
--- a/ansible/host_vars/kikker.yml
+++ b/ansible/host_vars/kikker.yml
@ -1,10 +0,0 @@
 ---
 # kikker server - direct public IP
 # SSH directly to public IP
 ansible_host: 23.88.124.67
 # Client identification
 client_name: kikker
 client_domain: kikker.vrije.cloud
 client_secrets_file: kikker.sops.yaml
--- a/ansible/host_vars/mees.yml
+++ b/ansible/host_vars/mees.yml
@ -1,11 +0,0 @@
 ---
 # mees server - public network
 # SSH directly via public IP
 ansible_host: 167.235.198.19
 ansible_ssh_private_key_file: ../keys/ssh/mees
 # Client identification
 client_name: mees
 client_domain: mees.vrije.cloud
 client_secrets_file: mees.sops.yaml
--- a/ansible/host_vars/mol.yml
+++ b/ansible/host_vars/mol.yml
@ -1,10 +0,0 @@
 ---
 # mol server - direct public IP
 # SSH directly to server
 ansible_host: 49.13.56.23
 # Client identification
 client_name: mol
 client_domain: mol.vrije.cloud
 client_secrets_file: mol.sops.yaml
--- a/ansible/host_vars/mus.yml
+++ b/ansible/host_vars/mus.yml
@ -1,10 +0,0 @@
 ---
 # mus server - direct public IP
 # SSH directly to server
 ansible_host: 91.107.217.126
 # Client identification
 client_name: mus
 client_domain: mus.vrije.cloud
 client_secrets_file: mus.sops.yaml
--- a/ansible/host_vars/ree.yml
+++ b/ansible/host_vars/ree.yml
@ -1,11 +0,0 @@
 ---
 # ree server - behind edge proxy (private network only)
 # SSH via edge server as bastion/jump host
 ansible_host: 10.0.0.49
 ansible_ssh_common_args: '-o ProxyCommand="ssh -i ../keys/ssh/edge -W %h:%p -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@78.47.191.38" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
 # Client identification
 client_name: ree
 client_domain: ree.vrije.cloud
 client_secrets_file: ree.sops.yaml
--- a/ansible/host_vars/specht.yml
+++ b/ansible/host_vars/specht.yml
@ -1,11 +0,0 @@
 ---
 # specht server - public network
 # SSH directly via public IP
 ansible_host: 188.245.122.208
 ansible_ssh_private_key_file: ../keys/ssh/specht
 # Client identification
 client_name: specht
 client_domain: specht.vrije.cloud
 client_secrets_file: specht.sops.yaml
--- a/ansible/host_vars/uil.yml
+++ b/ansible/host_vars/uil.yml
@ -1,10 +0,0 @@
 ---
 # uil server - direct public IP
 # SSH directly to server
 ansible_host: 91.99.208.20
 # Client identification
 client_name: uil
 client_domain: uil.vrije.cloud
 client_secrets_file: uil.sops.yaml
--- a/ansible/host_vars/valk.yml
+++ b/ansible/host_vars/valk.yml
@ -1,10 +0,0 @@
 ---
 # valk server - direct public IP
 # SSH directly to public IP
 ansible_host: 78.47.191.38
 # Client identification
 client_name: valk
 client_domain: valk.vrije.cloud
 client_secrets_file: valk.sops.yaml
--- a/ansible/host_vars/vos.yml
+++ b/ansible/host_vars/vos.yml
@ -1,10 +0,0 @@
 ---
 # vos server - direct public IP
 # SSH directly to server
 ansible_host: 128.140.91.174
 # Client identification
 client_name: vos
 client_domain: vos.vrije.cloud
 client_secrets_file: vos.sops.yaml
--- a/ansible/host_vars/white.yml
+++ b/ansible/host_vars/white.yml
@ -1,11 +0,0 @@
 ---
 # white server - behind edge proxy (private network only)
 # SSH via edge server as bastion/jump host
 ansible_host: 10.0.0.40
 ansible_ssh_common_args: '-o ProxyCommand="ssh -i ../keys/ssh/edge -W %h:%p -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@78.47.191.38" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
 # Client identification
 client_name: white
 client_domain: white.vrije.cloud
 client_secrets_file: white.sops.yaml
--- a/ansible/host_vars/wolf.yml
+++ b/ansible/host_vars/wolf.yml
@ -1,10 +0,0 @@
 ---
 # wolf server - direct public IP
 # SSH directly to server
 ansible_host: 159.69.189.177
 # Client identification
 client_name: wolf
 client_domain: wolf.vrije.cloud
 client_secrets_file: wolf.sops.yaml
--- a/ansible/host_vars/zwaan.yml
+++ b/ansible/host_vars/zwaan.yml
@ -1,11 +0,0 @@
 ---
 # zwaan server - behind edge proxy (private network only)
 # SSH via edge server as bastion/jump host
 ansible_host: 10.0.0.42
 ansible_ssh_common_args: '-o ProxyCommand="ssh -i ../keys/ssh/edge -W %h:%p -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@78.47.191.38" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
 # Client identification
 client_name: zwaan
 client_domain: zwaan.vrije.cloud
 client_secrets_file: zwaan.sops.yaml
--- a/ansible/playbooks/260123-configure-diun-webhook.yml
+++ b/ansible/playbooks/260123-configure-diun-webhook.yml
@ -0,0 +1,124 @@
 ---
 # Configure Diun to use webhook notifications instead of email
 # This playbook updates all servers to send container update notifications
 # to a Matrix room via webhook instead of individual emails per server
 #
 # Usage:
 #   ansible-playbook -i hcloud.yml playbooks/260123-configure-diun-webhook.yml
 #
 # Or for specific servers:
 #   ansible-playbook -i hcloud.yml playbooks/260123-configure-diun-webhook.yml --limit das,uil,vos
 - name: Configure Diun webhook notifications on all servers
  hosts: all
  become: yes
  vars:
    # Diun base configuration (from role defaults)
    diun_version: "latest"
    diun_log_level: "info"
    diun_watch_workers: 10
    diun_watch_all: true
    diun_exclude_containers: []
    diun_first_check_notif: false
    # Schedule: Daily at 6am UTC
    diun_schedule: "0 6 * * *"
    # Webhook configuration - sends to Matrix via custom webhook
    diun_notif_enabled: true
    diun_notif_type: webhook
    diun_webhook_endpoint: "https://diun-webhook.postxsociety.cloud"
    diun_webhook_method: POST
    diun_webhook_headers:
      Content-Type: application/json
    # Disable email notifications
    diun_email_enabled: false
    # SMTP defaults (not used when email disabled, but needed for template)
    diun_smtp_host: "smtp.eu.mailgun.org"
    diun_smtp_port: 587
    diun_smtp_from: "{{ client_name }}@mg.vrije.cloud"
    diun_smtp_to: "pieter@postxsociety.org"
    # Optional notification defaults (unused but needed for template)
    diun_slack_webhook_url: ""
    diun_matrix_enabled: false
    diun_matrix_homeserver_url: ""
    diun_matrix_user: ""
    diun_matrix_password: ""
    diun_matrix_room_id: ""
  pre_tasks:
    - name: Gather facts
      setup:
    - name: Determine client name from hostname
      set_fact:
        client_name: "{{ inventory_hostname }}"
    - name: Load client secrets
      community.sops.load_vars:
        file: "{{ playbook_dir }}/../../secrets/clients/{{ client_name }}.sops.yaml"
        name: client_secrets
        age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
      no_log: true
    - name: Load shared secrets
      community.sops.load_vars:
        file: "{{ playbook_dir }}/../../secrets/shared.sops.yaml"
        name: shared_secrets
        age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
      no_log: true
    - name: Merge shared secrets into client_secrets
      set_fact:
        client_secrets: "{{ client_secrets | combine(shared_secrets) }}"
      no_log: true
  tasks:
    - name: Set SMTP credentials (required by template even if unused)
      set_fact:
        diun_smtp_username_final: "{{ client_secrets.mailgun_smtp_user | default('') }}"
        diun_smtp_password_final: ""
      no_log: true
    - name: Display configuration summary
      debug:
        msg: |
          Configuring Diun on {{ inventory_hostname }}:
          - Webhook endpoint: {{ diun_webhook_endpoint }}
          - Email notifications: {{ 'enabled' if diun_email_enabled else 'disabled' }}
          - Schedule: {{ diun_schedule }} (Daily at 6am UTC)
    - name: Deploy Diun configuration with webhook
      template:
        src: "{{ playbook_dir }}/../roles/diun/templates/diun.yml.j2"
        dest: /opt/docker/diun/diun.yml
        mode: '0644'
      notify: Restart Diun
    - name: Restart Diun to apply new configuration
      community.docker.docker_compose_v2:
        project_src: /opt/docker/diun
        state: restarted
    - name: Wait for Diun to start
      pause:
        seconds: 5
    - name: Check Diun status
      shell: docker ps --filter name=diun --format "{{ '{{' }}.Status{{ '}}' }}"
      register: diun_status
      changed_when: false
    - name: Display Diun status
      debug:
        msg: "Diun status on {{ inventory_hostname }}: {{ diun_status.stdout }}"
  handlers:
    - name: Restart Diun
      community.docker.docker_compose_v2:
        project_src: /opt/docker/diun
        state: restarted
--- a/ansible/playbooks/260123-upgrade-nextcloud-stage-v2.yml
+++ b/ansible/playbooks/260123-upgrade-nextcloud-stage-v2.yml
@ -0,0 +1,123 @@
 ---
 # Nextcloud Upgrade Stage Task File (Fixed Version)
 # This file is included by 260123-upgrade-nextcloud-v2.yml for each upgrade stage
 # Do not run directly
 #
 # Improvements:
 # - Better version detection (actual running version)
 # - Proper error handling
 # - Clearer status messages
 # - Maintenance mode handling
 - name: "Stage {{ stage.stage }}: Starting v{{ stage.from }} → v{{ stage.to }}"
  debug:
    msg: |
      ============================================================
      Stage {{ stage.stage }}: Upgrading v{{ stage.from }} → v{{ stage.to }}
      ============================================================
 - name: "Stage {{ stage.stage }}: Get current running version"
  shell: docker exec -u www-data nextcloud php occ status --output=json
  register: stage_version_check
  changed_when: false
 - name: "Stage {{ stage.stage }}: Parse current version"
  set_fact:
    stage_current: "{{ (stage_version_check.stdout | from_json).versionstring }}"
 - name: "Stage {{ stage.stage }}: Display current version"
  debug:
    msg: "Currently running: v{{ stage_current }}"
 - name: "Stage {{ stage.stage }}: Check if already on target version"
  debug:
    msg: "✓ Already on v{{ stage_current }} - skipping this stage"
  when: stage_current is version(stage.to, '>=')
 - name: "Stage {{ stage.stage }}: Skip if already upgraded"
  meta: end_play
  when: stage_current is version(stage.to, '>=')
 - name: "Stage {{ stage.stage }}: Verify version is compatible"
  fail:
    msg: "Cannot upgrade from v{{ stage_current }} (expected v{{ stage.from }}.x)"
  when: stage_current is version(stage.from, '<') or (stage_current is version(stage.to, '>='))
 - name: "Stage {{ stage.stage }}: Update docker-compose.yml to v{{ stage.to }}"
  replace:
    path: "{{ nextcloud_base_dir }}/docker-compose.yml"
    regexp: 'image:\s*nextcloud:{{ stage.from }}'
    replace: 'image: nextcloud:{{ stage.to }}'
 - name: "Stage {{ stage.stage }}: Verify docker-compose.yml was updated"
  shell: grep "image{{ ':' }} nextcloud{{ ':' }}{{ stage.to }}" {{ nextcloud_base_dir }}/docker-compose.yml
  register: compose_verify
  changed_when: false
  failed_when: compose_verify.rc != 0
 - name: "Stage {{ stage.stage }}: Pull Nextcloud v{{ stage.to }} image"
  shell: docker pull nextcloud:{{ stage.to }}
  register: image_pull
  changed_when: "'Downloaded' in image_pull.stdout or 'Pulling' in image_pull.stdout or 'Downloaded newer' in image_pull.stderr"
 - name: "Stage {{ stage.stage }}: Stop containers before upgrade"
  community.docker.docker_compose_v2:
    project_src: "{{ nextcloud_base_dir }}"
    state: stopped
 - name: "Stage {{ stage.stage }}: Start containers with new version"
  community.docker.docker_compose_v2:
    project_src: "{{ nextcloud_base_dir }}"
    state: present
 - name: "Stage {{ stage.stage }}: Wait for Nextcloud container to be ready"
  shell: |
    count=0
    max_attempts=60
    while [ $count -lt $max_attempts ]; do
      if docker exec nextcloud curl -f http://localhost:80/status.php 2>/dev/null; then
        echo "Container ready after $count attempts"
        exit 0
      fi
      sleep 5
      count=$((count + 1))
    done
    echo "Timeout waiting for container after $max_attempts attempts"
    exit 1
  register: container_ready
  changed_when: false
 - name: "Stage {{ stage.stage }}: Run occ upgrade"
  shell: docker exec -u www-data nextcloud php occ upgrade --no-interaction
  register: occ_upgrade
  changed_when: "'Update successful' in occ_upgrade.stdout or 'upgraded' in occ_upgrade.stdout"
  failed_when:
    - occ_upgrade.rc != 0
    - "'already latest version' not in occ_upgrade.stdout"
    - "'No upgrade required' not in occ_upgrade.stdout"
 - name: "Stage {{ stage.stage }}: Display upgrade output"
  debug:
    msg: "{{ occ_upgrade.stdout_lines }}"
 - name: "Stage {{ stage.stage }}: Verify upgrade succeeded"
  shell: docker exec -u www-data nextcloud php occ status --output=json
  register: stage_verify
  changed_when: false
 - name: "Stage {{ stage.stage }}: Parse upgraded version"
  set_fact:
    stage_upgraded: "{{ (stage_verify.stdout | from_json).versionstring }}"
 - name: "Stage {{ stage.stage }}: Check upgrade was successful"
  fail:
    msg: "Upgrade to v{{ stage.to }} failed - still on v{{ stage_upgraded }}"
  when: stage_upgraded is version(stage.to, '<')
 - name: "Stage {{ stage.stage }}: Success"
  debug:
    msg: |
      ============================================================
      ✓ Stage {{ stage.stage }} completed successfully
      Upgraded from v{{ stage_current }} to v{{ stage_upgraded }}
      ============================================================
--- a/ansible/playbooks/260123-upgrade-nextcloud-v2.yml
+++ b/ansible/playbooks/260123-upgrade-nextcloud-v2.yml
@ -0,0 +1,378 @@
 ---
 # Nextcloud Major Version Upgrade Playbook (Fixed Version)
 # Created: 2026-01-23
 # Purpose: Safely upgrade Nextcloud from v30 to v32 via v31 (staged upgrade)
 #
 # Usage:
 #   cd ansible/
 #   HCLOUD_TOKEN="..." ansible-playbook -i hcloud.yml \
 #     playbooks/260123-upgrade-nextcloud-v2.yml --limit <server> \
 #     --private-key "../keys/ssh/<server>"
 #
 # Requirements:
 #   - HCLOUD_TOKEN environment variable set
 #   - SSH access to target server
 #   - Sufficient disk space for backups
 #
 # Improvements over v1:
 #   - Idempotent: can be re-run safely after failures
 #   - Better version state tracking (reads actual running version)
 #   - Proper maintenance mode handling
 #   - Stage skipping if already on target version
 #   - Better error messages and rollback instructions
 - name: Upgrade Nextcloud from v30 to v32 (staged)
  hosts: all
  become: true
  gather_facts: true
  vars:
    nextcloud_base_dir: "/opt/nextcloud"
    backup_dir: "/root/nextcloud-backup-{{ ansible_date_time.iso8601_basic_short }}"
    target_version: "32"
  tasks:
    # ============================================================
    # PRE-UPGRADE CHECKS
    # ============================================================
    - name: Display upgrade plan
      debug:
        msg: |
          ============================================================
          Nextcloud Upgrade Plan - {{ inventory_hostname }}
          ============================================================
          Target: Nextcloud v{{ target_version }}
          Backup: {{ backup_dir }}
          This playbook will:
          1. Detect current version
          2. Create backup if needed
          3. Upgrade through required stages (v30→v31→v32)
          4. Skip stages already completed
          5. Re-enable apps and disable maintenance mode
          Estimated time: 10-20 minutes
          ============================================================
    - name: Check if Nextcloud is installed
      shell: docker ps --filter "name=^nextcloud$" --format "{{ '{{' }}.Names{{ '}}' }}"
      register: nextcloud_running
      changed_when: false
      failed_when: false
    - name: Fail if Nextcloud is not running
      fail:
        msg: "Nextcloud container is not running on {{ inventory_hostname }}"
      when: "'nextcloud' not in nextcloud_running.stdout"
    - name: Get current Nextcloud version
      shell: docker exec -u www-data nextcloud php occ status --output=json
      register: nextcloud_status
      changed_when: false
      failed_when: false
    - name: Parse Nextcloud status
      set_fact:
        nc_status: "{{ nextcloud_status.stdout | from_json }}"
      when: nextcloud_status.rc == 0
    - name: Handle Nextcloud in maintenance mode
      block:
        - name: Display maintenance mode warning
          debug:
            msg: "⚠ Nextcloud is in maintenance mode. Attempting to disable it..."
        - name: Disable maintenance mode if enabled
          shell: docker exec -u www-data nextcloud php occ maintenance:mode --off
          register: maint_off
          changed_when: "'disabled' in maint_off.stdout"
        - name: Wait a moment for mode change
          pause:
            seconds: 2
        - name: Re-check status after disabling maintenance mode
          shell: docker exec -u www-data nextcloud php occ status --output=json
          register: nextcloud_status_retry
          changed_when: false
        - name: Update status
          set_fact:
            nc_status: "{{ nextcloud_status_retry.stdout | from_json }}"
      when: nextcloud_status.rc != 0 or (nc_status is defined and nc_status.maintenance | bool)
    - name: Display current version
      debug:
        msg: |
          Current: v{{ nc_status.versionstring }}
          Target: v{{ target_version }}
          Maintenance mode: {{ nc_status.maintenance }}
    - name: Check if already on target version
      debug:
        msg: "✓ Nextcloud is already on v{{ nc_status.versionstring }} - nothing to do"
      when: nc_status.versionstring is version(target_version, '>=')
    - name: End play if already upgraded
      meta: end_host
      when: nc_status.versionstring is version(target_version, '>=')
    - name: Check disk space
      shell: df -BG {{ nextcloud_base_dir }} | tail -1 | awk '{print $4}' | sed 's/G//'
      register: disk_space_gb
      changed_when: false
    - name: Verify sufficient disk space
      fail:
        msg: "Insufficient disk space: {{ disk_space_gb.stdout }}GB available, need at least 5GB"
      when: disk_space_gb.stdout | int < 5
    - name: Display available disk space
      debug:
        msg: "Available disk space: {{ disk_space_gb.stdout }}GB"
    # ============================================================
    # BACKUP PHASE (only if not already backed up)
    # ============================================================
    - name: Check if backup already exists
      stat:
        path: "{{ backup_dir }}"
      register: backup_exists
    - name: Skip backup if already exists
      debug:
        msg: "✓ Backup already exists at {{ backup_dir }} - skipping backup phase"
      when: backup_exists.stat.exists
    - name: Create backup
      block:
        - name: Create backup directory
          file:
            path: "{{ backup_dir }}"
            state: directory
            mode: '0700'
        - name: Enable maintenance mode for backup
          shell: docker exec -u www-data nextcloud php occ maintenance:mode --on
          register: maintenance_on
          changed_when: "'enabled' in maintenance_on.stdout"
        - name: Backup Nextcloud database
          shell: |
            docker exec nextcloud-db pg_dump -U nextcloud nextcloud | gzip > {{ backup_dir }}/database.sql.gz
          args:
            creates: "{{ backup_dir }}/database.sql.gz"
        - name: Get database backup size
          stat:
            path: "{{ backup_dir }}/database.sql.gz"
          register: db_backup
        - name: Display database backup info
          debug:
            msg: "Database backup: {{ (db_backup.stat.size / 1024 / 1024) | round(2) }} MB"
        - name: Stop Nextcloud containers for volume backup
          community.docker.docker_compose_v2:
            project_src: "{{ nextcloud_base_dir }}"
            state: stopped
        - name: Backup Nextcloud app volume
          shell: |
            tar -czf {{ backup_dir }}/nextcloud-app-volume.tar.gz -C /var/lib/docker/volumes/nextcloud-app/_data .
          args:
            creates: "{{ backup_dir }}/nextcloud-app-volume.tar.gz"
        - name: Backup Nextcloud database volume
          shell: |
            tar -czf {{ backup_dir }}/nextcloud-db-volume.tar.gz -C /var/lib/docker/volumes/nextcloud-db-data/_data .
          args:
            creates: "{{ backup_dir }}/nextcloud-db-volume.tar.gz"
        - name: Copy current docker-compose.yml to backup
          copy:
            src: "{{ nextcloud_base_dir }}/docker-compose.yml"
            dest: "{{ backup_dir }}/docker-compose.yml.backup"
            remote_src: true
        - name: Display backup summary
          debug:
            msg: |
              ============================================================
              ✓ Backup completed: {{ backup_dir }}
              ============================================================
              To restore from backup if needed:
              1. cd {{ nextcloud_base_dir }} && docker compose down
              2. tar -xzf {{ backup_dir }}/nextcloud-app-volume.tar.gz -C /var/lib/docker/volumes/nextcloud-app/_data
              3. tar -xzf {{ backup_dir }}/nextcloud-db-volume.tar.gz -C /var/lib/docker/volumes/nextcloud-db-data/_data
              4. cp {{ backup_dir }}/docker-compose.yml.backup {{ nextcloud_base_dir }}/docker-compose.yml
              5. cd {{ nextcloud_base_dir }} && docker compose up -d
              ============================================================
        - name: Restart containers after backup
          community.docker.docker_compose_v2:
            project_src: "{{ nextcloud_base_dir }}"
            state: present
        - name: Wait for Nextcloud to be ready
          shell: |
            count=0
            max_attempts=24
            while [ $count -lt $max_attempts ]; do
              if docker exec nextcloud curl -f http://localhost:80/status.php 2>/dev/null; then
                echo "Ready after $count attempts"
                exit 0
              fi
              sleep 5
              count=$((count + 1))
            done
            echo "Timeout after $max_attempts attempts"
            exit 1
          register: nextcloud_ready
          changed_when: false
        - name: Disable maintenance mode after backup
          shell: docker exec -u www-data nextcloud php occ maintenance:mode --off
          register: maint_off_backup
          changed_when: "'disabled' in maint_off_backup.stdout"
      when: not backup_exists.stat.exists
    # ============================================================
    # DETERMINE UPGRADE PATH
    # ============================================================
    - name: Initialize stage counter
      set_fact:
        stage_number: 0
    # ============================================================
    # STAGED UPGRADE LOOP - Dynamic version checking
    # ============================================================
    - name: Stage 1 - Upgrade v30→v31 if needed
      block:
        - name: Get current version
          shell: docker exec -u www-data nextcloud php occ status --output=json
          register: version_check
          changed_when: false
        - name: Parse version
          set_fact:
            current_version: "{{ (version_check.stdout | from_json).versionstring }}"
        - name: Check if v30→v31 upgrade needed
          set_fact:
            needs_v31_upgrade: "{{ current_version is version('30', '>=') and current_version is version('31', '<') }}"
        - name: Perform v30→v31 upgrade
          include_tasks: "{{ playbook_dir }}/260123-upgrade-nextcloud-stage-v2.yml"
          vars:
            stage:
              from: "30"
              to: "31"
              stage: 1
          when: needs_v31_upgrade
    - name: Stage 2 - Upgrade v31→v32 if needed
      block:
        - name: Get current version
          shell: docker exec -u www-data nextcloud php occ status --output=json
          register: version_check
          changed_when: false
        - name: Parse version
          set_fact:
            current_version: "{{ (version_check.stdout | from_json).versionstring }}"
        - name: Check if v31→v32 upgrade needed
          set_fact:
            needs_v32_upgrade: "{{ current_version is version('31', '>=') and current_version is version('32', '<') }}"
        - name: Perform v31→v32 upgrade
          include_tasks: "{{ playbook_dir }}/260123-upgrade-nextcloud-stage-v2.yml"
          vars:
            stage:
              from: "31"
              to: "32"
              stage: 2
          when: needs_v32_upgrade
    # ============================================================
    # POST-UPGRADE
    # ============================================================
    - name: Get final version
      shell: docker exec -u www-data nextcloud php occ status --output=json
      register: final_status
      changed_when: false
    - name: Parse final version
      set_fact:
        final_version: "{{ (final_status.stdout | from_json).versionstring }}"
    - name: Verify upgrade to target version
      fail:
        msg: "Upgrade incomplete - on v{{ final_version }}, expected v{{ target_version }}.x"
      when: final_version is version(target_version, '<')
    - name: Run database optimizations
      shell: docker exec -u www-data nextcloud php occ db:add-missing-indices
      register: db_indices
      changed_when: false
      failed_when: false
    - name: Run bigint conversion
      shell: docker exec -u www-data nextcloud php occ db:convert-filecache-bigint --no-interaction
      register: db_bigint
      changed_when: false
      failed_when: false
      timeout: 600
    - name: Re-enable critical apps
      shell: |
        docker exec -u www-data nextcloud php occ app:enable user_oidc || true
        docker exec -u www-data nextcloud php occ app:enable richdocuments || true
      register: apps_enabled
      changed_when: false
    - name: Ensure maintenance mode is disabled
      shell: docker exec -u www-data nextcloud php occ maintenance:mode --off
      register: final_maint_off
      changed_when: "'disabled' in final_maint_off.stdout"
      failed_when: false
    - name: Update docker-compose.yml to use latest tag
      replace:
        path: "{{ nextcloud_base_dir }}/docker-compose.yml"
        regexp: 'image:\s*nextcloud:\d+'
        replace: 'image: nextcloud:latest'
    - name: Display success message
      debug:
        msg: |
          ============================================================
          ✓ UPGRADE SUCCESSFUL!
          ============================================================
          Server: {{ inventory_hostname }}
          From: v30.x
          To: v{{ final_version }}
          Backup: {{ backup_dir }}
          Next steps:
          1. Test login: https://nextcloud.{{ client_domain }}
          2. Test OIDC: Click "Login with Authentik"
          3. Test file operations
          4. Test Collabora Office
          If all tests pass, remove backup:
            rm -rf {{ backup_dir }}
          docker-compose.yml now uses 'nextcloud:latest' tag
          ============================================================
--- a/ansible/playbooks/260124-configure-diun-watchrepo.yml
+++ b/ansible/playbooks/260124-configure-diun-watchrepo.yml
@ -0,0 +1,156 @@
 ---
 # Configure Diun to disable watchRepo and add Docker Hub authentication
 # This playbook updates all servers to:
 # - Only watch specific image tags (not entire repositories) to reduce API calls
 # - Add Docker Hub authentication for higher rate limits
 #
 # Background:
 # - watchRepo: true checks ALL tags in a repository (hundreds of API calls)
 # - watchRepo: false only checks the specific tag being used (1-2 API calls)
 # - Docker Hub auth increases rate limit from 100 to 5000 pulls per 6 hours
 #
 # Usage:
 #   cd ansible/
 #   SOPS_AGE_KEY_FILE="../keys/age-key.txt" HCLOUD_TOKEN="..." \
 #     ansible-playbook -i hcloud.yml playbooks/260124-configure-diun-watchrepo.yml
 #
 # Or for specific servers:
 #   SOPS_AGE_KEY_FILE="../keys/age-key.txt" HCLOUD_TOKEN="..." \
 #     ansible-playbook -i hcloud.yml playbooks/260124-configure-diun-watchrepo.yml \
 #     --limit das,uil,vos --private-key "../keys/ssh/das"
 - name: Configure Diun watchRepo and Docker Hub authentication
  hosts: all
  become: yes
  vars:
    # Diun base configuration
    diun_version: "latest"
    diun_log_level: "info"
    diun_watch_workers: 10
    diun_watch_all: true
    diun_exclude_containers: []
    diun_first_check_notif: false
    # Schedule: Weekly on Monday at 6am UTC (to reduce API calls)
    diun_schedule: "0 6 * * 1"
    # Disable watchRepo - only check the specific tags we're using
    diun_watch_repo: false
    # Webhook configuration - sends to Matrix via custom webhook
    diun_notif_enabled: true
    diun_notif_type: webhook
    diun_webhook_endpoint: "https://diun-webhook.postxsociety.cloud"
    diun_webhook_method: POST
    diun_webhook_headers:
      Content-Type: application/json
    # Disable email notifications
    diun_email_enabled: false
    # SMTP defaults (not used when email disabled, but needed for template)
    diun_smtp_host: "smtp.eu.mailgun.org"
    diun_smtp_port: 587
    diun_smtp_from: "{{ client_name }}@mg.vrije.cloud"
    diun_smtp_to: "pieter@postxsociety.org"
    # Optional notification defaults (unused but needed for template)
    diun_slack_webhook_url: ""
    diun_matrix_enabled: false
    diun_matrix_homeserver_url: ""
    diun_matrix_user: ""
    diun_matrix_password: ""
    diun_matrix_room_id: ""
  pre_tasks:
    - name: Gather facts
      setup:
    - name: Determine client name from hostname
      set_fact:
        client_name: "{{ inventory_hostname }}"
    - name: Load client secrets
      community.sops.load_vars:
        file: "{{ playbook_dir }}/../../secrets/clients/{{ client_name }}.sops.yaml"
        name: client_secrets
        age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
      no_log: true
    - name: Load shared secrets
      community.sops.load_vars:
        file: "{{ playbook_dir }}/../../secrets/shared.sops.yaml"
        name: shared_secrets
        age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
      no_log: true
    - name: Merge shared secrets into client_secrets
      set_fact:
        client_secrets: "{{ client_secrets | combine(shared_secrets) }}"
      no_log: true
  tasks:
    - name: Set SMTP credentials (required by template even if unused)
      set_fact:
        diun_smtp_username_final: "{{ client_secrets.mailgun_smtp_user | default('') }}"
        diun_smtp_password_final: ""
      no_log: true
    - name: Set Docker Hub credentials for higher rate limits
      set_fact:
        diun_docker_hub_username: "{{ client_secrets.docker_hub_username }}"
        diun_docker_hub_password: "{{ client_secrets.docker_hub_password }}"
      no_log: true
    - name: Display configuration summary
      debug:
        msg: |
          Configuring Diun on {{ inventory_hostname }}:
          - Webhook endpoint: {{ diun_webhook_endpoint }}
          - Email notifications: {{ 'enabled' if diun_email_enabled else 'disabled' }}
          - Schedule: {{ diun_schedule }} (Weekly on Monday at 6am UTC)
          - Watch entire repositories: {{ 'yes' if diun_watch_repo else 'no (only specific tags)' }}
          - Docker Hub auth: {{ 'enabled' if diun_docker_hub_username else 'disabled' }}
    - name: Deploy Diun configuration with watchRepo disabled and Docker Hub auth
      template:
        src: "{{ playbook_dir }}/../roles/diun/templates/diun.yml.j2"
        dest: /opt/docker/diun/diun.yml
        mode: '0644'
      notify: Restart Diun
    - name: Restart Diun to apply new configuration
      community.docker.docker_compose_v2:
        project_src: /opt/docker/diun
        state: restarted
    - name: Wait for Diun to start
      pause:
        seconds: 5
    - name: Check Diun status
      shell: docker ps --filter name=diun --format "{{ '{{' }}.Status{{ '}}' }}"
      register: diun_status
      changed_when: false
    - name: Display Diun status
      debug:
        msg: "Diun status on {{ inventory_hostname }}: {{ diun_status.stdout }}"
    - name: Verify Diun configuration
      shell: docker exec diun cat /diun.yml | grep -E "(watchRepo|regopts)" || echo "Config deployed"
      register: diun_config_check
      changed_when: false
    - name: Display configuration verification
      debug:
        msg: |
          Configuration applied on {{ inventory_hostname }}:
          {{ diun_config_check.stdout }}
  handlers:
    - name: Restart Diun
      community.docker.docker_compose_v2:
        project_src: /opt/docker/diun
        state: restarted
--- a/ansible/playbooks/260124-nextcloud-maintenance.yml
+++ b/ansible/playbooks/260124-nextcloud-maintenance.yml
@ -0,0 +1,151 @@
 ---
 # Nextcloud Maintenance Playbook
 # Created: 2026-01-24
 # Purpose: Run database and file maintenance tasks on Nextcloud instances
 #
 # This playbook performs:
 #   1. Add missing database indices (improves query performance)
 #   2. Update mimetypes database (ensures proper file type handling)
 #
 # Usage:
 #   cd ansible/
 #   HCLOUD_TOKEN="..." ansible-playbook -i hcloud.yml \
 #     playbooks/nextcloud-maintenance.yml --limit <server> \
 #     --private-key "../keys/ssh/<server>"
 #
 #   To run on all servers:
 #   HCLOUD_TOKEN="..." ansible-playbook -i hcloud.yml \
 #     playbooks/nextcloud-maintenance.yml \
 #     --private-key "../keys/ssh/<server>"
 #
 # Requirements:
 #   - HCLOUD_TOKEN environment variable set
 #   - SSH access to target server(s)
 #   - Nextcloud container must be running
 - name: Nextcloud Maintenance Tasks
  hosts: all
  become: true
  gather_facts: true
  vars:
    nextcloud_container: "nextcloud"
  tasks:
    # ============================================================
    # PRE-CHECK
    # ============================================================
    - name: Display maintenance plan
      debug:
        msg: |
          ============================================================
          Nextcloud Maintenance - {{ inventory_hostname }}
          ============================================================
          This playbook will:
          1. Add missing database indices
          2. Update mimetypes database
          3. Display results
          Estimated time: 1-3 minutes per server
          ============================================================
    - name: Check if Nextcloud container is running
      shell: docker ps --filter "name=^{{ nextcloud_container }}$" --format "{{ '{{' }}.Names{{ '}}' }}"
      register: nextcloud_running
      changed_when: false
      failed_when: false
    - name: Fail if Nextcloud is not running
      fail:
        msg: "Nextcloud container is not running on {{ inventory_hostname }}"
      when: "'nextcloud' not in nextcloud_running.stdout"
    - name: Get current Nextcloud version
      shell: docker exec -u www-data {{ nextcloud_container }} php occ --version
      register: nextcloud_version
      changed_when: false
    - name: Display Nextcloud version
      debug:
        msg: "{{ nextcloud_version.stdout }}"
    # ============================================================
    # TASK 1: ADD MISSING DATABASE INDICES
    # ============================================================
    - name: Check for missing database indices
      shell: docker exec -u www-data {{ nextcloud_container }} php occ db:add-missing-indices
      register: db_indices_result
      changed_when: "'updated successfully' in db_indices_result.stdout"
      failed_when: db_indices_result.rc != 0
    - name: Display database indices results
      debug:
        msg: |
          ============================================================
          Database Indices Results
          ============================================================
          {{ db_indices_result.stdout }}
          ============================================================
    # ============================================================
    # TASK 2: UPDATE MIMETYPES DATABASE
    # ============================================================
    - name: Update mimetypes database
      shell: docker exec -u www-data {{ nextcloud_container }} php occ maintenance:mimetype:update-db
      register: mimetype_result
      changed_when: "'Added' in mimetype_result.stdout"
      failed_when: mimetype_result.rc != 0
    - name: Parse mimetype results
      set_fact:
        mimetypes_added: "{{ mimetype_result.stdout | regex_search('Added (\\d+) new mimetypes', '\\1') | default(['0'], true) | first }}"
    - name: Display mimetype results
      debug:
        msg: |
          ============================================================
          Mimetype Update Results
          ============================================================
          Mimetypes added: {{ mimetypes_added }}
          {% if mimetypes_added | int > 0 %}
          ✓ Mimetype database updated successfully
          {% else %}
          ✓ All mimetypes already up to date
          {% endif %}
          ============================================================
    # ============================================================
    # SUMMARY
    # ============================================================
    - name: Display maintenance summary
      debug:
        msg: |
          ============================================================
          ✓ MAINTENANCE COMPLETED - {{ inventory_hostname }}
          ============================================================
          Server: {{ inventory_hostname }}
          Version: {{ nextcloud_version.stdout }}
          Tasks completed:
          {% if db_indices_result.changed %}
          ✓ Database indices: Updated
          {% else %}
          ✓ Database indices: Already optimized
          {% endif %}
          {% if mimetype_result.changed %}
          ✓ Mimetypes: Added {{ mimetypes_added }} new types
          {% else %}
          ✓ Mimetypes: Already up to date
          {% endif %}
          Next steps:
          - Check admin interface for any remaining warnings
          - Warnings may take a few minutes to clear from cache
          ============================================================
--- a/ansible/playbooks/deploy.yml
+++ b/ansible/playbooks/deploy.yml
@ -39,6 +39,7 @@
        name: client_secrets
        age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
      no_log: true
      tags: always
    - name: Load shared secrets (Mailgun API key, etc.)
      community.sops.load_vars:
@ -46,11 +47,13 @@
        name: shared_secrets
        age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
      no_log: true
      tags: always
    - name: Merge shared secrets into client_secrets
      set_fact:
        client_secrets: "{{ client_secrets | combine(shared_secrets) }}"
      no_log: true
      tags: always
    - name: Set client domain from secrets
      set_fact:
--- a/ansible/playbooks/fix-private-network.yml
+++ b/ansible/playbooks/fix-private-network.yml
@ -1,48 +0,0 @@
 ---
 # Playbook to fix private network configuration on servers
 # This fixes the netplan configuration to properly enable DHCP
 # on the private network interface (enp7s0)
 - name: Fix private network configuration
  hosts: all
  gather_facts: no
  become: yes
  tasks:
    - name: Check if server is reachable
      ansible.builtin.wait_for_connection:
        timeout: 5
      register: connection_test
      ignore_errors: yes
    - name: Create corrected netplan configuration for private network
      ansible.builtin.copy:
        dest: /etc/netplan/60-private-network.yaml
        mode: '0600'
        content: |
          network:
            version: 2
            ethernets:
              enp7s0:
                dhcp4: true
                dhcp4-overrides:
                  use-routes: false
                routes:
                  - to: default
                    via: 10.0.0.1
      when: connection_test is succeeded
    - name: Apply netplan configuration
      ansible.builtin.command: netplan apply
      when: connection_test is succeeded
      register: netplan_result
    - name: Show netplan result
      ansible.builtin.debug:
        msg: "Netplan applied successfully on {{ inventory_hostname }}"
      when: connection_test is succeeded and netplan_result is succeeded
    - name: Wait for network to stabilize
      ansible.builtin.wait_for_connection:
        timeout: 10
      when: connection_test is succeeded
--- a/ansible/playbooks/setup-edge.yml
+++ b/ansible/playbooks/setup-edge.yml
@ -1,20 +0,0 @@
 ---
 # Setup Edge Server
 # Configures the edge server with Traefik reverse proxy
 - name: Setup edge server
  hosts: edge
  become: yes
  roles:
    - role: common
      tags: [common, setup]
    - role: docker
      tags: [docker, setup]
    - role: nat-gateway
      tags: [nat, gateway]
    - role: edge-traefik
      tags: [traefik, edge]
--- a/ansible/roles/authentik/files/create_recovery_flow.py
+++ b/ansible/roles/authentik/files/create_recovery_flow.py
@ -8,6 +8,7 @@ This script creates a complete password recovery flow in Authentik with:
 - Recovery email stage (sends recovery token)
 - Password change stages (with validation)
 - Integration with default authentication flow
 - Brand default recovery flow configuration
 Usage:
    python3 create_recovery_flow.py <api_token> <authentik_domain>
@ -361,6 +362,45 @@ def update_authentication_identification_stage(base_url, token, stage_uuid, pass
        return False
 def update_brand_recovery_flow(base_url, token, recovery_flow_uuid):
    """Update the default brand to use the recovery flow"""
    print("Updating brand default recovery flow...")
    # Get the default brand (authentik has one brand by default)
    status, brands = api_request(base_url, token, '/api/v3/core/brands/')
    if status != 200:
        print(f"  ✗ Failed to get brands: {brands}")
        return False
    results = brands.get('results', [])
    if not results:
        print(f"  ✗ No brands found")
        return False
    # Use the first/default brand
    brand = results[0]
    brand_uuid = brand.get('brand_uuid')
    # Check if already configured
    if brand.get('flow_recovery') == recovery_flow_uuid:
        print(f"  ✓ Brand recovery flow already configured")
        return True
    # Update the brand with recovery flow
    update_data = {
        "domain": brand.get('domain'),
        "flow_recovery": recovery_flow_uuid
    }
    status, result = api_request(base_url, token, f'/api/v3/core/brands/{brand_uuid}/', 'PATCH', update_data)
    if status == 200:
        print(f"  ✓ Updated brand default recovery flow")
        return True
    else:
        print(f"  ✗ Failed to update brand: {result}")
        return False
 def main():
    if len(sys.argv) < 3:
        print("Usage: python3 create_recovery_flow.py <api_token> <authentik_domain>")
@ -445,6 +485,10 @@ def main():
    if not remove_separate_password_stage_from_auth_flow(base_url, token, auth_flow_uuid, auth_password_uuid):
        print("\n⚠ Warning: Failed to remove separate password stage (may not exist)")
    # Step 9: Update brand default recovery flow
    if not update_brand_recovery_flow(base_url, token, recovery_flow_uuid):
        print("\n⚠ Warning: Failed to update brand recovery flow (non-critical)")
    # Success!
    print("\n" + "=" * 80)
    print("✓ Recovery Flow Configuration Complete!")
@ -456,6 +500,7 @@ def main():
    print("  ✓ Recovery email with 30-minute token")
    print("  ✓ Password + username on same login page")
    print("  ✓ 'Forgot password?' link on login page")
    print("  ✓ Brand default recovery flow configured")
    print("\nTest the recovery flow:")
    print(f"  1. Visit: https://{authentik_domain}/if/flow/default-authentication-flow/")
    print("  2. Click 'Forgot password?' link")
--- a/ansible/roles/authentik/tasks/providers.yml
+++ b/ansible/roles/authentik/tasks/providers.yml
@ -23,7 +23,7 @@
      if not auth_flow or not key: print(json.dumps({'error': 'Config missing'}), file=sys.stderr); sys.exit(1)
      s, prov = req('/api/v3/providers/oauth2/', 'POST', {'name': 'Nextcloud', 'authorization_flow': auth_flow, 'invalidation_flow': inval_flow, 'client_type': 'confidential', 'redirect_uris': [{'matching_mode': 'strict', 'url': 'https://{{ nextcloud_domain }}/apps/user_oidc/code'}], 'signing_key': key, 'sub_mode': 'hashed_user_id', 'include_claims_in_id_token': True})
      if s != 201: print(json.dumps({'error': 'Provider failed', 'details': prov}), file=sys.stderr); sys.exit(1)
-      s, app = req('/api/v3/core/applications/', 'POST', {'name': 'Nextcloud', 'slug': 'nextcloud', 'provider': prov['pk'], 'meta_launch_url': 'https://{{ nextcloud_domain }}'})
+      s, app = req('/api/v3/core/applications/', 'POST', {'name': 'Nextcloud', 'slug': 'nextcloud', 'provider': prov['pk'], 'meta_launch_url': 'https://nextcloud.{{ client_domain }}'})
      if s != 201: print(json.dumps({'error': 'App failed', 'details': app}), file=sys.stderr); sys.exit(1)
      print(json.dumps({'success': True, 'provider_id': prov['pk'], 'application_id': app['pk'], 'client_id': prov['client_id'], 'client_secret': prov['client_secret'], 'discovery_uri': f"https://{{ authentik_domain }}/application/o/nextcloud/.well-known/openid-configuration", 'issuer': f"https://{{ authentik_domain }}/application/o/nextcloud/"}))
    dest: /tmp/create_oidc.py
--- a/ansible/roles/diun/defaults/main.yml
+++ b/ansible/roles/diun/defaults/main.yml
@ -1,7 +1,7 @@
 ---
 # Diun default configuration
 diun_version: "latest"
-diun_schedule: "0 6 * * 1"  # Weekly on Monday at 6am UTC (was daily)
+diun_schedule: "0 6 * * *"  # Daily at 6am UTC
 diun_log_level: "info"
 diun_watch_workers: 10
@ -27,5 +27,13 @@ diun_smtp_to: "pieter@postxsociety.org"
 diun_watch_all: true
 diun_exclude_containers: []
-# Reduce notification spam - only send ONE email per server per week
+# Don't send notifications on first check (prevents spam on initial run)
 diun_first_check_notif: false
 # Optional: Matrix notification
 diun_matrix_enabled: false
 diun_matrix_homeserver_url: ""  # e.g., https://matrix.postxsociety.cloud
 diun_matrix_user: ""            # e.g., @diun:matrix.postxsociety.cloud
 diun_matrix_password: ""        # Bot user password (if using password auth)
 diun_matrix_access_token: ""    # Bot access token (preferred over password)
 diun_matrix_room_id: ""         # e.g., !abc123:matrix.postxsociety.cloud
--- a/ansible/roles/diun/templates/diun.yml.j2
+++ b/ansible/roles/diun/templates/diun.yml.j2
@ -11,11 +11,18 @@ watch:
  firstCheckNotif: {{ diun_first_check_notif | lower }}
 defaults:
-  watchRepo: true
+  watchRepo: {{ diun_watch_repo | default(true) | lower }}
  notifyOn:
    - new
    - update
 {% if diun_docker_hub_username is defined and diun_docker_hub_password is defined %}
 regopts:
  - selector: image
    username: {{ diun_docker_hub_username }}
    password: {{ diun_docker_hub_password }}
 {% endif %}
 providers:
  docker:
    watchByDefault: {{ diun_watch_all | lower }}
@ -56,3 +63,15 @@ notif:
    from: {{ diun_smtp_from }}
    to: {{ diun_smtp_to }}
 {% endif %}
 {% if diun_matrix_enabled and diun_matrix_homeserver_url and diun_matrix_user and diun_matrix_room_id %}
  matrix:
    homeserverURL: {{ diun_matrix_homeserver_url }}
    user: "{{ diun_matrix_user }}"
 {% if diun_matrix_access_token %}
    accessToken: {{ diun_matrix_access_token }}
 {% elif diun_matrix_password %}
    password: "{{ diun_matrix_password }}"
 {% endif %}
    roomID: "{{ diun_matrix_room_id }}"
 {% endif %}
--- a/ansible/roles/edge-traefik/defaults/main.yml
+++ b/ansible/roles/edge-traefik/defaults/main.yml
@ -1,13 +0,0 @@
 ---
 # Edge Traefik Default Variables
 # This Traefik instance acts as a reverse proxy for private network clients
 traefik_version: "v3.3"
 traefik_network: "web"
 traefik_docker_socket: "/var/run/docker.sock"
 traefik_acme_email: "admin@vrije.cloud"
 traefik_acme_staging: false
 traefik_dashboard_enabled: false
 # Backend client servers (populated from inventory)
 backend_clients: []
--- a/ansible/roles/edge-traefik/handlers/main.yml
+++ b/ansible/roles/edge-traefik/handlers/main.yml
@ -1,7 +0,0 @@
 ---
 # Edge Traefik Handlers
 - name: Restart Traefik
  community.docker.docker_compose_v2:
    project_src: /opt/docker/traefik
    state: restarted
--- a/ansible/roles/edge-traefik/tasks/main.yml
+++ b/ansible/roles/edge-traefik/tasks/main.yml
@ -1,60 +0,0 @@
 ---
 # Edge Traefik Installation Tasks
 # Sets up Traefik as edge reverse proxy for private network clients
 - name: Ensure Traefik configuration directory exists
  file:
    path: /opt/docker/traefik
    state: directory
    mode: '0755'
  tags: [traefik, edge]
 - name: Create Let's Encrypt storage directory
  file:
    path: /opt/docker/traefik/letsencrypt
    state: directory
    mode: '0600'
  tags: [traefik, edge]
 - name: Create Traefik log directory
  file:
    path: /var/log/traefik
    state: directory
    mode: '0755'
  tags: [traefik, edge]
 - name: Deploy Traefik static configuration
  template:
    src: traefik.yml.j2
    dest: /opt/docker/traefik/traefik.yml
    mode: '0644'
  notify: Restart Traefik
  tags: [traefik, edge, config]
 - name: Deploy Traefik dynamic configuration (routing rules)
  template:
    src: dynamic.yml.j2
    dest: /opt/docker/traefik/dynamic.yml
    mode: '0644'
  notify: Restart Traefik
  tags: [traefik, edge, config]
 - name: Deploy Traefik Docker Compose file
  template:
    src: docker-compose.yml.j2
    dest: /opt/docker/traefik/docker-compose.yml
    mode: '0644'
  tags: [traefik, edge]
 - name: Start Traefik container
  community.docker.docker_compose_v2:
    project_src: /opt/docker/traefik
    state: present
  tags: [traefik, edge]
 - name: Wait for Traefik to be ready
  wait_for:
    port: 443
    delay: 5
    timeout: 60
  tags: [traefik, edge]
--- a/ansible/roles/edge-traefik/templates/docker-compose.yml.j2
+++ b/ansible/roles/edge-traefik/templates/docker-compose.yml.j2
@ -1,24 +0,0 @@
 # Edge Traefik Docker Compose
 # Managed by Ansible - do not edit manually
 services:
  traefik:
    image: traefik:{{ traefik_version }}
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - "80:80"
      - "443:443"
 {% if traefik_dashboard_enabled %}
      - "8080:8080"
 {% endif %}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - ./dynamic.yml:/etc/traefik/dynamic.yml:ro
      - ./letsencrypt:/letsencrypt
      - /var/log/traefik:/var/log/traefik
    labels:
      - "traefik.enable=false"
--- a/ansible/roles/edge-traefik/templates/dynamic.yml.j2
+++ b/ansible/roles/edge-traefik/templates/dynamic.yml.j2
@ -1,559 +0,0 @@
 # Edge Traefik Dynamic Configuration
 # Managed by Ansible - do not edit manually
 # Routes traffic to backend servers on private network
 http:
  # Routers for white client
  routers:
    white-auth:
      rule: "Host(`auth.white.vrije.cloud`)"
      service: white-auth
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    white-nextcloud:
      rule: "Host(`nextcloud.white.vrije.cloud`)"
      service: white-nextcloud
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    white-collabora:
      rule: "Host(`office.white.vrije.cloud`)"
      service: white-collabora
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    valk-auth:
      rule: "Host(`auth.valk.vrije.cloud`)"
      service: valk-auth
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    valk-nextcloud:
      rule: "Host(`nextcloud.valk.vrije.cloud`)"
      service: valk-nextcloud
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    valk-collabora:
      rule: "Host(`office.valk.vrije.cloud`)"
      service: valk-collabora
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    zwaan-auth:
      rule: "Host(`auth.zwaan.vrije.cloud`)"
      service: zwaan-auth
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    zwaan-nextcloud:
      rule: "Host(`nextcloud.zwaan.vrije.cloud`)"
      service: zwaan-nextcloud
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    zwaan-collabora:
      rule: "Host(`office.zwaan.vrije.cloud`)"
      service: zwaan-collabora
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    specht-auth:
      rule: "Host(`auth.specht.vrije.cloud`)"
      service: specht-auth
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    specht-nextcloud:
      rule: "Host(`nextcloud.specht.vrije.cloud`)"
      service: specht-nextcloud
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    specht-collabora:
      rule: "Host(`office.specht.vrije.cloud`)"
      service: specht-collabora
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    das-auth:
      rule: "Host(`auth.das.vrije.cloud`)"
      service: das-auth
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    das-nextcloud:
      rule: "Host(`nextcloud.das.vrije.cloud`)"
      service: das-nextcloud
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    das-collabora:
      rule: "Host(`office.das.vrije.cloud`)"
      service: das-collabora
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    uil-auth:
      rule: "Host(`auth.uil.vrije.cloud`)"
      service: uil-auth
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    uil-nextcloud:
      rule: "Host(`nextcloud.uil.vrije.cloud`)"
      service: uil-nextcloud
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    uil-collabora:
      rule: "Host(`office.uil.vrije.cloud`)"
      service: uil-collabora
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    vos-auth:
      rule: "Host(`auth.vos.vrije.cloud`)"
      service: vos-auth
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    vos-nextcloud:
      rule: "Host(`nextcloud.vos.vrije.cloud`)"
      service: vos-nextcloud
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    vos-collabora:
      rule: "Host(`office.vos.vrije.cloud`)"
      service: vos-collabora
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    haas-auth:
      rule: "Host(`auth.haas.vrije.cloud`)"
      service: haas-auth
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    haas-nextcloud:
      rule: "Host(`nextcloud.haas.vrije.cloud`)"
      service: haas-nextcloud
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    haas-collabora:
      rule: "Host(`office.haas.vrije.cloud`)"
      service: haas-collabora
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    wolf-auth:
      rule: "Host(`auth.wolf.vrije.cloud`)"
      service: wolf-auth
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    wolf-nextcloud:
      rule: "Host(`nextcloud.wolf.vrije.cloud`)"
      service: wolf-nextcloud
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    wolf-collabora:
      rule: "Host(`office.wolf.vrije.cloud`)"
      service: wolf-collabora
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    ree-auth:
      rule: "Host(`auth.ree.vrije.cloud`)"
      service: ree-auth
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    ree-nextcloud:
      rule: "Host(`nextcloud.ree.vrije.cloud`)"
      service: ree-nextcloud
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    ree-collabora:
      rule: "Host(`office.ree.vrije.cloud`)"
      service: ree-collabora
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    mees-auth:
      rule: "Host(`auth.mees.vrije.cloud`)"
      service: mees-auth
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    mees-nextcloud:
      rule: "Host(`nextcloud.mees.vrije.cloud`)"
      service: mees-nextcloud
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    mees-collabora:
      rule: "Host(`office.mees.vrije.cloud`)"
      service: mees-collabora
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    mus-auth:
      rule: "Host(`auth.mus.vrije.cloud`)"
      service: mus-auth
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    mus-nextcloud:
      rule: "Host(`nextcloud.mus.vrije.cloud`)"
      service: mus-nextcloud
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    mus-collabora:
      rule: "Host(`office.mus.vrije.cloud`)"
      service: mus-collabora
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    mol-auth:
      rule: "Host(`auth.mol.vrije.cloud`)"
      service: mol-auth
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    mol-nextcloud:
      rule: "Host(`nextcloud.mol.vrije.cloud`)"
      service: mol-nextcloud
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    mol-collabora:
      rule: "Host(`office.mol.vrije.cloud`)"
      service: mol-collabora
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
  # Services (backend servers)
  services:
    white-auth:
      loadBalancer:
        servers:
          - url: "https://10.0.0.40:443"
        serversTransport: insecureTransport
    white-nextcloud:
      loadBalancer:
        servers:
          - url: "https://10.0.0.40:443"
        serversTransport: insecureTransport
    white-collabora:
      loadBalancer:
        servers:
          - url: "https://10.0.0.40:443"
        serversTransport: insecureTransport
    valk-auth:
      loadBalancer:
        servers:
          - url: "https://10.0.0.41:443"
        serversTransport: insecureTransport
    valk-nextcloud:
      loadBalancer:
        servers:
          - url: "https://10.0.0.41:443"
        serversTransport: insecureTransport
    valk-collabora:
      loadBalancer:
        servers:
          - url: "https://10.0.0.41:443"
        serversTransport: insecureTransport
    zwaan-auth:
      loadBalancer:
        servers:
          - url: "https://10.0.0.42:443"
        serversTransport: insecureTransport
    zwaan-nextcloud:
      loadBalancer:
        servers:
          - url: "https://10.0.0.42:443"
        serversTransport: insecureTransport
    zwaan-collabora:
      loadBalancer:
        servers:
          - url: "https://10.0.0.42:443"
        serversTransport: insecureTransport
    specht-auth:
      loadBalancer:
        servers:
          - url: "https://10.0.0.43:443"
        serversTransport: insecureTransport
    specht-nextcloud:
      loadBalancer:
        servers:
          - url: "https://10.0.0.43:443"
        serversTransport: insecureTransport
    specht-collabora:
      loadBalancer:
        servers:
          - url: "https://10.0.0.43:443"
        serversTransport: insecureTransport
    das-auth:
      loadBalancer:
        servers:
          - url: "https://10.0.0.44:443"
        serversTransport: insecureTransport
    das-nextcloud:
      loadBalancer:
        servers:
          - url: "https://10.0.0.44:443"
        serversTransport: insecureTransport
    das-collabora:
      loadBalancer:
        servers:
          - url: "https://10.0.0.44:443"
        serversTransport: insecureTransport
    uil-auth:
      loadBalancer:
        servers:
          - url: "https://10.0.0.45:443"
        serversTransport: insecureTransport
    uil-nextcloud:
      loadBalancer:
        servers:
          - url: "https://10.0.0.45:443"
        serversTransport: insecureTransport
    uil-collabora:
      loadBalancer:
        servers:
          - url: "https://10.0.0.45:443"
        serversTransport: insecureTransport
    vos-auth:
      loadBalancer:
        servers:
          - url: "https://10.0.0.46:443"
        serversTransport: insecureTransport
    vos-nextcloud:
      loadBalancer:
        servers:
          - url: "https://10.0.0.46:443"
        serversTransport: insecureTransport
    vos-collabora:
      loadBalancer:
        servers:
          - url: "https://10.0.0.46:443"
        serversTransport: insecureTransport
    haas-auth:
      loadBalancer:
        servers:
          - url: "https://10.0.0.47:443"
        serversTransport: insecureTransport
    haas-nextcloud:
      loadBalancer:
        servers:
          - url: "https://10.0.0.47:443"
        serversTransport: insecureTransport
    haas-collabora:
      loadBalancer:
        servers:
          - url: "https://10.0.0.47:443"
        serversTransport: insecureTransport
    wolf-auth:
      loadBalancer:
        servers:
          - url: "https://10.0.0.48:443"
        serversTransport: insecureTransport
    wolf-nextcloud:
      loadBalancer:
        servers:
          - url: "https://10.0.0.48:443"
        serversTransport: insecureTransport
    wolf-collabora:
      loadBalancer:
        servers:
          - url: "https://10.0.0.48:443"
        serversTransport: insecureTransport
    ree-auth:
      loadBalancer:
        servers:
          - url: "https://10.0.0.49:443"
        serversTransport: insecureTransport
    ree-nextcloud:
      loadBalancer:
        servers:
          - url: "https://10.0.0.49:443"
        serversTransport: insecureTransport
    ree-collabora:
      loadBalancer:
        servers:
          - url: "https://10.0.0.49:443"
        serversTransport: insecureTransport
    mees-auth:
      loadBalancer:
        servers:
          - url: "https://10.0.0.50:443"
        serversTransport: insecureTransport
    mees-nextcloud:
      loadBalancer:
        servers:
          - url: "https://10.0.0.50:443"
        serversTransport: insecureTransport
    mees-collabora:
      loadBalancer:
        servers:
          - url: "https://10.0.0.50:443"
        serversTransport: insecureTransport
    mus-auth:
      loadBalancer:
        servers:
          - url: "https://10.0.0.51:443"
        serversTransport: insecureTransport
    mus-nextcloud:
      loadBalancer:
        servers:
          - url: "https://10.0.0.51:443"
        serversTransport: insecureTransport
    mus-collabora:
      loadBalancer:
        servers:
          - url: "https://10.0.0.51:443"
        serversTransport: insecureTransport
    mol-auth:
      loadBalancer:
        servers:
          - url: "https://10.0.0.53:443"
        serversTransport: insecureTransport
    mol-nextcloud:
      loadBalancer:
        servers:
          - url: "https://10.0.0.53:443"
        serversTransport: insecureTransport
    mol-collabora:
      loadBalancer:
        servers:
          - url: "https://10.0.0.53:443"
        serversTransport: insecureTransport
  # Server transport (allow self-signed certs from backends)
  serversTransports:
    insecureTransport:
      insecureSkipVerify: true
--- a/ansible/roles/edge-traefik/templates/traefik.yml.j2
+++ b/ansible/roles/edge-traefik/templates/traefik.yml.j2
@ -1,47 +0,0 @@
 # Edge Traefik Static Configuration
 # Managed by Ansible - do not edit manually
 # This configuration proxies to backend servers on private network
 api:
  dashboard: {{ traefik_dashboard_enabled | lower }}
 {% if traefik_dashboard_enabled %}
  insecure: false
 {% endif %}
 entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letsencrypt
 providers:
  # File provider for static backend configurations
  file:
    filename: /etc/traefik/dynamic.yml
    watch: true
 certificatesResolvers:
  letsencrypt:
    acme:
      email: {{ traefik_acme_email }}
      storage: /letsencrypt/acme.json
 {% if traefik_acme_staging %}
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
 {% endif %}
      httpChallenge:
        entryPoint: web
 log:
  level: INFO
 accessLog:
  filePath: /var/log/traefik/access.log
--- a/ansible/roles/nat-gateway/handlers/main.yml
+++ b/ansible/roles/nat-gateway/handlers/main.yml
@ -1,6 +0,0 @@
 ---
 # NAT Gateway Handlers
 - name: Save iptables rules
  shell: |
    iptables-save > /etc/iptables/rules.v4
--- a/ansible/roles/nat-gateway/tasks/main.yml
+++ b/ansible/roles/nat-gateway/tasks/main.yml
@ -1,66 +0,0 @@
 ---
 # NAT Gateway Configuration
 # Enables internet access for private network clients via edge server
 - name: Enable IP forwarding
  sysctl:
    name: net.ipv4.ip_forward
    value: '1'
    state: present
    reload: yes
  tags: [nat, gateway]
 - name: Install iptables-persistent
  apt:
    name: iptables-persistent
    state: present
    update_cache: yes
  tags: [nat, gateway]
 - name: Configure NAT (masquerading) for private network
  iptables:
    table: nat
    chain: POSTROUTING
    out_interface: eth0
    source: 10.0.0.0/16
    jump: MASQUERADE
    comment: NAT for private network clients
  notify: Save iptables rules
  tags: [nat, gateway]
 - name: Allow forwarding from private network (in DOCKER-USER chain)
  iptables:
    chain: DOCKER-USER
    in_interface: enp7s0
    out_interface: eth0
    source: 10.0.0.0/16
    jump: ACCEPT
    comment: Allow forwarding from private network
  notify: Save iptables rules
  tags: [nat, gateway]
 - name: Allow established connections back to private network (in DOCKER-USER chain)
  iptables:
    chain: DOCKER-USER
    in_interface: eth0
    out_interface: enp7s0
    ctstate: ESTABLISHED,RELATED
    jump: ACCEPT
    comment: Allow established connections to private network
  notify: Save iptables rules
  tags: [nat, gateway]
 - name: Return from DOCKER-USER chain for other traffic
  iptables:
    chain: DOCKER-USER
    jump: RETURN
    comment: Let Docker handle other traffic
  notify: Save iptables rules
  tags: [nat, gateway]
 - name: Save iptables rules
  shell: |
    iptables-save > /etc/iptables/rules.v4
  args:
    creates: /etc/iptables/rules.v4
  tags: [nat, gateway]
--- a/keys/ssh/black.pub
+++ b/keys/ssh/black.pub
@ -1 +0,0 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJU6ntTc5bYP4FslcLXjm9C+RsO+hygmlsIo8tGOC1Up client-black-deploy-key
--- a/keys/ssh/dev.pub
+++ b/keys/ssh/dev.pub
@ -1 +0,0 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvJSvafujjq5eojqH/A66mDLLr7/G9o202QCma0SmPt client-dev-deploy-key
--- a/keys/ssh/edge.pub
+++ b/keys/ssh/edge.pub
@ -1 +0,0 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICpzsMHVbAZMugslwn2mJnxg30zYrfU3t+zsZ7Lw3DDD edge-server-deploy-key
--- a/keys/ssh/purple.pub
+++ b/keys/ssh/purple.pub
@ -1 +0,0 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHuR1BR4JaATFwOmLauvvfKjhHarPz1SfnJ+j0caqISr client-purple-deploy-key
--- a/keys/ssh/white.pub
+++ b/keys/ssh/white.pub
@ -1 +0,0 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+BKRVBWUnS2NSPLvP3nxW7oxcv5wfu2DAY1YP0M+6m client-white-deploy-key
--- a/scripts/add-client-to-terraform.sh
+++ b/scripts/add-client-to-terraform.sh
@ -222,11 +222,9 @@ if [ ! -f "$HOST_VARS_FILE" ]; then
    cat > "$HOST_VARS_FILE" << EOF
 ---
-# ${CLIENT_NAME} server - behind edge proxy (private network only)
+# ${CLIENT_NAME} server configuration
 # SSH via edge server as bastion/jump host
 ansible_host: ${PRIVATE_IP}
 ansible_ssh_common_args: '-o ProxyCommand="ssh -i ../keys/ssh/edge -W %h:%p -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@78.47.191.38" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
 # Client identification
 client_name: ${CLIENT_NAME}
--- a/scripts/configure-diun-all-servers.sh
+++ b/scripts/configure-diun-all-servers.sh
@ -0,0 +1,170 @@
 #!/usr/bin/env bash
 #
 # Configure Diun on all servers (disable watchRepo, add Docker Hub auth)
 # Created: 2026-01-24
 #
 # This script runs the diun configuration playbook on each server
 # with its corresponding SSH key.
 #
 # Usage:
 #   cd infrastructure/
 #   SOPS_AGE_KEY_FILE="keys/age-key.txt" HCLOUD_TOKEN="..." ./scripts/configure-diun-all-servers.sh
 set -euo pipefail
 # Colors for output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 BLUE='\033[0;34m'
 NC='\033[0m' # No Color
 # Configuration
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
 ANSIBLE_DIR="$PROJECT_ROOT/ansible"
 KEYS_DIR="$PROJECT_ROOT/keys/ssh"
 PLAYBOOK="playbooks/260124-configure-diun-watchrepo.yml"
 # Check required environment variables
 if [ -z "${HCLOUD_TOKEN:-}" ]; then
    echo -e "${RED}Error: HCLOUD_TOKEN environment variable is required${NC}"
    exit 1
 fi
 if [ -z "${SOPS_AGE_KEY_FILE:-}" ]; then
    echo -e "${RED}Error: SOPS_AGE_KEY_FILE environment variable is required${NC}"
    exit 1
 fi
 # Convert SOPS_AGE_KEY_FILE to absolute path if it's relative
 if [[ ! "$SOPS_AGE_KEY_FILE" = /* ]]; then
    export SOPS_AGE_KEY_FILE="$PROJECT_ROOT/$SOPS_AGE_KEY_FILE"
 fi
 # Change to ansible directory
 cd "$ANSIBLE_DIR"
 echo -e "${BLUE}============================================================${NC}"
 echo -e "${BLUE}Diun Configuration - All Servers${NC}"
 echo -e "${BLUE}============================================================${NC}"
 echo ""
 echo "Playbook: $PLAYBOOK"
 echo "Ansible directory: $ANSIBLE_DIR"
 echo ""
 echo "Configuration changes:"
 echo "  - Disable watchRepo (only check specific tags, not entire repos)"
 echo "  - Add Docker Hub authentication (5000 pulls/6h limit)"
 echo "  - Schedule: Weekly on Monday at 6am UTC"
 echo ""
 # Get list of all servers with SSH keys
 SERVERS=()
 for keyfile in "$KEYS_DIR"/*.pub; do
    if [ -f "$keyfile" ]; then
        server=$(basename "$keyfile" .pub)
        # Skip special servers
        if [[ "$server" != "README" ]] && [[ "$server" != "edge" ]]; then
            SERVERS+=("$server")
        fi
    fi
 done
 echo -e "${BLUE}Found ${#SERVERS[@]} servers:${NC}"
 printf '%s\n' "${SERVERS[@]}" | sort
 echo ""
 # Counters
 SUCCESS_COUNT=0
 FAILED_COUNT=0
 SKIPPED_COUNT=0
 declare -a SUCCESS_SERVERS
 declare -a FAILED_SERVERS
 declare -a SKIPPED_SERVERS
 echo -e "${BLUE}============================================================${NC}"
 echo -e "${BLUE}Starting configuration run...${NC}"
 echo -e "${BLUE}============================================================${NC}"
 echo ""
 # Run playbook for each server
 for server in "${SERVERS[@]}"; do
    echo -e "${YELLOW}-----------------------------------------------------------${NC}"
    echo -e "${YELLOW}Processing: $server${NC}"
    echo -e "${YELLOW}-----------------------------------------------------------${NC}"
    SSH_KEY="$KEYS_DIR/$server"
    if [ ! -f "$SSH_KEY" ]; then
        echo -e "${RED}✗ SSH key not found: $SSH_KEY${NC}"
        SKIPPED_COUNT=$((SKIPPED_COUNT + 1))
        SKIPPED_SERVERS+=("$server")
        echo ""
        continue
    fi
    # Run the playbook (with SSH options to prevent agent key issues)
    if env HCLOUD_TOKEN="$HCLOUD_TOKEN" \
        SOPS_AGE_KEY_FILE="$SOPS_AGE_KEY_FILE" \
        ANSIBLE_SSH_ARGS="-o IdentitiesOnly=yes" \
        ~/.local/bin/ansible-playbook \
        -i hcloud.yml \
        "$PLAYBOOK" \
        --limit "$server" \
        --private-key "$SSH_KEY" 2>&1; then
        echo -e "${GREEN}✓ Success: $server${NC}"
        SUCCESS_COUNT=$((SUCCESS_COUNT + 1))
        SUCCESS_SERVERS+=("$server")
    else
        echo -e "${RED}✗ Failed: $server${NC}"
        FAILED_COUNT=$((FAILED_COUNT + 1))
        FAILED_SERVERS+=("$server")
    fi
    echo ""
 done
 # Summary
 echo -e "${BLUE}============================================================${NC}"
 echo -e "${BLUE}CONFIGURATION RUN SUMMARY${NC}"
 echo -e "${BLUE}============================================================${NC}"
 echo ""
 echo "Total servers: ${#SERVERS[@]}"
 echo -e "${GREEN}Successful: $SUCCESS_COUNT${NC}"
 echo -e "${RED}Failed: $FAILED_COUNT${NC}"
 echo -e "${YELLOW}Skipped: $SKIPPED_COUNT${NC}"
 echo ""
 if [ $SUCCESS_COUNT -gt 0 ]; then
    echo -e "${GREEN}Successful servers:${NC}"
    printf '  %s\n' "${SUCCESS_SERVERS[@]}"
    echo ""
 fi
 if [ $FAILED_COUNT -gt 0 ]; then
    echo -e "${RED}Failed servers:${NC}"
    printf '  %s\n' "${FAILED_SERVERS[@]}"
    echo ""
 fi
 if [ $SKIPPED_COUNT -gt 0 ]; then
    echo -e "${YELLOW}Skipped servers:${NC}"
    printf '  %s\n' "${SKIPPED_SERVERS[@]}"
    echo ""
 fi
 echo -e "${BLUE}============================================================${NC}"
 echo ""
 echo "Next steps:"
 echo "  1. Wait for next Monday at 6am UTC for scheduled run"
 echo "  2. Or manually trigger: docker exec diun diun once"
 echo "  3. Check logs: docker logs diun"
 echo ""
 # Exit with error if any failures
 if [ $FAILED_COUNT -gt 0 ]; then
    exit 1
 fi
 exit 0
--- a/scripts/run-maintenance-all-servers.sh
+++ b/scripts/run-maintenance-all-servers.sh
@ -0,0 +1,151 @@
 #!/usr/bin/env bash
 #
 # Run Nextcloud maintenance playbook on all servers
 # Created: 2026-01-24
 #
 # This script runs the nextcloud maintenance playbook on each server
 # with its corresponding SSH key.
 #
 # Usage:
 #   cd infrastructure/
 #   HCLOUD_TOKEN="..." ./scripts/run-maintenance-all-servers.sh
 #
 # Or with SOPS_AGE_KEY_FILE if needed:
 #   SOPS_AGE_KEY_FILE="keys/age-key.txt" HCLOUD_TOKEN="..." ./scripts/run-maintenance-all-servers.sh
 set -euo pipefail
 # Colors for output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 BLUE='\033[0;34m'
 NC='\033[0m' # No Color
 # Configuration
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
 ANSIBLE_DIR="$PROJECT_ROOT/ansible"
 KEYS_DIR="$PROJECT_ROOT/keys/ssh"
 PLAYBOOK="playbooks/260124-nextcloud-maintenance.yml"
 # Check required environment variables
 if [ -z "${HCLOUD_TOKEN:-}" ]; then
    echo -e "${RED}Error: HCLOUD_TOKEN environment variable is required${NC}"
    exit 1
 fi
 # Change to ansible directory
 cd "$ANSIBLE_DIR"
 echo -e "${BLUE}============================================================${NC}"
 echo -e "${BLUE}Nextcloud Maintenance - All Servers${NC}"
 echo -e "${BLUE}============================================================${NC}"
 echo ""
 echo "Playbook: $PLAYBOOK"
 echo "Ansible directory: $ANSIBLE_DIR"
 echo ""
 # Get list of all servers with SSH keys
 SERVERS=()
 for keyfile in "$KEYS_DIR"/*.pub; do
    if [ -f "$keyfile" ]; then
        server=$(basename "$keyfile" .pub)
        # Skip special servers
        if [[ "$server" != "README" ]] && [[ "$server" != "edge" ]]; then
            SERVERS+=("$server")
        fi
    fi
 done
 echo -e "${BLUE}Found ${#SERVERS[@]} servers:${NC}"
 printf '%s\n' "${SERVERS[@]}" | sort
 echo ""
 # Counters
 SUCCESS_COUNT=0
 FAILED_COUNT=0
 SKIPPED_COUNT=0
 declare -a SUCCESS_SERVERS
 declare -a FAILED_SERVERS
 declare -a SKIPPED_SERVERS
 echo -e "${BLUE}============================================================${NC}"
 echo -e "${BLUE}Starting maintenance run...${NC}"
 echo -e "${BLUE}============================================================${NC}"
 echo ""
 # Run playbook for each server
 for server in "${SERVERS[@]}"; do
    echo -e "${YELLOW}-----------------------------------------------------------${NC}"
    echo -e "${YELLOW}Processing: $server${NC}"
    echo -e "${YELLOW}-----------------------------------------------------------${NC}"
    SSH_KEY="$KEYS_DIR/$server"
    if [ ! -f "$SSH_KEY" ]; then
        echo -e "${RED}✗ SSH key not found: $SSH_KEY${NC}"
        SKIPPED_COUNT=$((SKIPPED_COUNT + 1))
        SKIPPED_SERVERS+=("$server")
        echo ""
        continue
    fi
    # Run the playbook (with SSH options to prevent agent key issues)
    if env HCLOUD_TOKEN="$HCLOUD_TOKEN" \
        ANSIBLE_SSH_ARGS="-o IdentitiesOnly=yes" \
        ~/.local/bin/ansible-playbook \
        -i hcloud.yml \
        "$PLAYBOOK" \
        --limit "$server" \
        --private-key "$SSH_KEY" 2>&1; then
        echo -e "${GREEN}✓ Success: $server${NC}"
        SUCCESS_COUNT=$((SUCCESS_COUNT + 1))
        SUCCESS_SERVERS+=("$server")
    else
        echo -e "${RED}✗ Failed: $server${NC}"
        FAILED_COUNT=$((FAILED_COUNT + 1))
        FAILED_SERVERS+=("$server")
    fi
    echo ""
 done
 # Summary
 echo -e "${BLUE}============================================================${NC}"
 echo -e "${BLUE}MAINTENANCE RUN SUMMARY${NC}"
 echo -e "${BLUE}============================================================${NC}"
 echo ""
 echo "Total servers: ${#SERVERS[@]}"
 echo -e "${GREEN}Successful: $SUCCESS_COUNT${NC}"
 echo -e "${RED}Failed: $FAILED_COUNT${NC}"
 echo -e "${YELLOW}Skipped: $SKIPPED_COUNT${NC}"
 echo ""
 if [ $SUCCESS_COUNT -gt 0 ]; then
    echo -e "${GREEN}Successful servers:${NC}"
    printf '  %s\n' "${SUCCESS_SERVERS[@]}"
    echo ""
 fi
 if [ $FAILED_COUNT -gt 0 ]; then
    echo -e "${RED}Failed servers:${NC}"
    printf '  %s\n' "${FAILED_SERVERS[@]}"
    echo ""
 fi
 if [ $SKIPPED_COUNT -gt 0 ]; then
    echo -e "${YELLOW}Skipped servers:${NC}"
    printf '  %s\n' "${SKIPPED_SERVERS[@]}"
    echo ""
 fi
 echo -e "${BLUE}============================================================${NC}"
 # Exit with error if any failures
 if [ $FAILED_COUNT -gt 0 ]; then
    exit 1
 fi
 exit 0
--- a/secrets/clients/bever.sops.yaml
+++ b/secrets/clients/bever.sops.yaml
@ -1,38 +0,0 @@
 #ENC[AES256_GCM,data:7JUvIjolKk0K4LX1Ruum6SLciqyHyybfTQ4=,iv:MNU2x5ACjpm/QJlGjBD6a6LJFtD219uTWHFKmr9IfQk=,tag:CVItmHXurNofeg9w+haFog==,type:comment]
 #ENC[AES256_GCM,data:wWjTifXRNQ25dM+k4W8cMyolIMQ+zphKe2AYiMuEVyIBd2Evdv4=,iv:Q6/LgZNSv3tee2FcHXUZ1wIvSR25aoiqg7BAyWgWTKI=,tag:p5LuG2OMb3hoYPgK+ab7mQ==,type:comment]
 #ENC[AES256_GCM,data:RjmOnfVrJ/8xJZaTlN6OGobGGACNZQ==,iv:4FBY1WOfonv5WfKATTuZkEsqYPicM1zcX8qWu+lTk0Q=,tag:I025riqowW5FKUezBm0GZA==,type:comment]
 client_name: ENC[AES256_GCM,data:W0Bh0eE=,iv:VKQcOSHp5N9JH6eJoow3pXwcWU1eWGcbThQFocrayWQ=,tag:M4E+gRivJQbrjd0/bQNudw==,type:str]
 client_domain: ENC[AES256_GCM,data:Nqo8XlNOqHv8LkhRby06fUY=,iv:hfQYcKPm+btkwdenIPEX2TIXsPVGnWQiCY81aaduBks=,tag:GiHBboDci/99P8QHS7/PbA==,type:str]
 #ENC[AES256_GCM,data:icjtWREHoSAGN5rPbdL4j1XPeMZuzEoS,iv:sIuJcsE+rO0sZ5qhdNK6PGxtErrv2bm2HCi48P5FQKQ=,tag:P5plYgUPY9LNOQhpux6fSg==,type:comment]
 authentik_domain: ENC[AES256_GCM,data:W/R65b//HiDwPhxYXEKR4Fxi+rJtRw==,iv:mr9cs4LR/aA/7bJdO68WI+sKvzvy80RTCvmU66Cvzg8=,tag:DDKCjeyc2kC5Mval69f6OA==,type:str]
 authentik_db_password: ENC[AES256_GCM,data:/P3gQbozHLINd3KQJA/0u8MhUqhMcz6MOoLVH31X6cwmGv2q3y6KeBA8gg==,iv:stKEPGqH4EMc3h3afSX2pP3dEos3H8+mJ9o1LSF224k=,tag:7XtR6fRYfqJ4veuUlpK/vg==,type:str]
 authentik_secret_key: ENC[AES256_GCM,data:/1LY8xqI9A5Et20mkY3X2y4o6d+ka7/vqNSxQS2PJ5LAMTAEt9qbX2rr1g==,iv:v93bXYDwvXgifMLngG25qDaXPR690LWeQjkTf0fqNuw=,tag:0JYsyKSJFYWAHYawDybfGQ==,type:str]
 #ENC[AES256_GCM,data:Mw3fsLyDrw39Q2OWiyrtEdls8ub5fTWEqVmGeLTg0qkpvzsrgWRW/GiPW7SYbKU=,iv:qHqh5k1N/GaxbTJYRvPZm4RfYc0MVNDXdI7skEBBqvg=,tag:tQ3OQyNLoBymibw59GG+VA==,type:comment]
 authentik_bootstrap_password: ENC[AES256_GCM,data:RDvAMIvOYmxbwxSjb+kXqmh8GU1sSA6KHqSh8UecjB1k7F5auXN6O8ETfw==,iv:S6DC4/UTMRy/NwhnT641q+ary4638hdLPSJ2duivgZ0=,tag:8etXMMBlgVz8pM0trndyOg==,type:str]
 authentik_bootstrap_token: ENC[AES256_GCM,data:m467HmEab1OSqAzw8Yi9rcL3lRkJJW82k6nYlFiXj7UOgutJtT4BxUaSfMdUxA==,iv:8bi5CITxJK8Mgr0iSB3aD5I1Wm1+c/SL9GrBKKTIqdA=,tag:IhRleBBgg6C7ARgPwnZNcQ==,type:str]
 authentik_bootstrap_email: ENC[AES256_GCM,data:wsXyTCeS7jJQQ8vkAC7AKjDr6cna4ac=,iv:Jkq17JmmSIPcnLK0SuJ1ErUUGi5Z136GQmR9VfdFCi8=,tag:NjReOWjfRxSsIbWzrrltxA==,type:str]
 #ENC[AES256_GCM,data:klnql0MQeS1KXd/3VjVW4WRjSl5yg9Kf,iv:+v30PZBWQVnFEeeQI2InGf9kH5tvzgZnD5JCOyBnEHo=,tag:UHNaI7WU6PhzhkXkHTYtvA==,type:comment]
 nextcloud_domain: ENC[AES256_GCM,data:ZxuLrS+XqzdLVtnFRQNv/KgN5gZWAFHGqz0m,iv:isE7Bp945CPVgoeI0mKngpTlRUTItLX2HIxSCfJ5T6Q=,tag:6p26HFeNmKU/EzNpQd0yhA==,type:str]
 nextcloud_admin_user: ENC[AES256_GCM,data:uscegTQ=,iv:vK0tQIFNQZ1onK70GEy23VDfh7zcofxwyjJXEg8uY6I=,tag:wwna86Sx35Cc6QIMehfDPw==,type:str]
 nextcloud_admin_password: ENC[AES256_GCM,data:SC7jJfHvbaqynl30IdJ0wjy1Jf37eLab1VBJI6p0w1aT35EA+GCAA8HmzA==,iv:PwYkMhyHuZpiRqN53BOMFSBBUBM2mMfTVOOatNTWB1c=,tag:hnI9EUmZ9vI9w7bCT3bFyg==,type:str]
 nextcloud_db_password: ENC[AES256_GCM,data:CLpONcvumICrvxk39UK4ev7wneE70DPUoqx9Gl2N1/A1M3oOYexVbivFAA==,iv:hWgXELPBooRql5wp3O09OluTn2KBfTL98XNnNyiIfLE=,tag:2o80+vU71xtPm5MI6hlUaA==,type:str]
 nextcloud_db_root_password: ENC[AES256_GCM,data:UH4PKHcvfqbp55I8Ru2AtkQDXP+CJpaY156QjO24n6GbIXGT16G0aKN6bQ==,iv:3YKqu61Mdhy/Q2jfK+bItcRx0YFIB+HYpUgpNkXwlMY=,tag:GsQBfVfwJNufY/jY7oDPpA==,type:str]
 #ENC[AES256_GCM,data:zqxETKX7LgG6yCW8n/MUvBf80DeszYo+3TH0HVw=,iv:w+Ymv0DKrE/aPYmGsbCPIhrmauNAlDMTGQqQM7HZrVM=,tag:2wYvCPs5xeerRRpfc5f1UA==,type:comment]
 redis_password: ENC[AES256_GCM,data:9QjDXsOtQDylRyvzu+6KaWxV53BuPqUOIIF10YygBvaSvtTjc6MvROqltQ==,iv:DDPKUOwz0DLnE7tHHx51SV++Upmc7isgKNvx9fKBTIA=,tag:7ieGACSPG+FiiWqUB5UDXw==,type:str]
 #ENC[AES256_GCM,data:Dw9sxUT5diW1LvGQ/VRkPIfv2KMIoCjlsdYGtr1cU51FCRqx,iv:QDf/zXCB8qIvwRAQM9od6Ger8lyXZPDorZXb/Xg+8KY=,tag:dO/1SxL3fpLWnsEtA0xNYQ==,type:comment]
 collabora_admin_password: ENC[AES256_GCM,data:QfjXR22OLAcPewDSDKKRxYXiouzBJ3pTTB8usKq0mEOLOCkzrFR49eWvXw==,iv:BpYApcb6quYdUZ2BxIRJmY5lJK++tQ/PxSOgiIJSDjM=,tag:FQBc+HyTzOyVDYTFsvHVnQ==,type:str]
 sops:
    age:
        - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ekhQVmprdjlER1g3NGFU
            d3pZWk1XbTZXM051N2t5Z2RLem8yVVM3ZUhvCkFrYWF0cW9XbURpQ2VKaDhuelRh
            R28wNGVlTndzcGlHa211NWxFRnBVd2MKLS0tIGhRNmkxanBndjNxTWt1bGRIaHJr
            NFU1eU51MkNDOU5jbnFSbXVYU2cyQTQKxGGn9gHuxY+1L07Ouq22dvZMjF6uLUFI
            GxlyXcV9Eyrz7AI+tliNf8XWULsixcGQ4wAzvAYOoT8JZ8CiWFd7LA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-22T09:44:44Z"
    mac: ENC[AES256_GCM,data:iN71AD8G36b2VOTg5l2xyIwXqkPx7Mq5QoOtslug2OLzTSBz/h0RNZv3UtGXi+Au83IVLeAEJ0gPq/BA6sN155hFJPeh/VhIwffelHPzufwohZjhFdK3zB4QKlKAcKEEC6vI74GOBfQfUOMimeiuuS0IiLo4kEeADd1qk2GHcbw=,iv:LmCsgkvGcE9Jp6JO0nxsu/pqGPX48d8dmZJCEt9RHBs=,tag:fkpzKVv979jqyYUyWI0ucg==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/clients/black.sops.yaml
+++ b/secrets/clients/black.sops.yaml
@ -1,38 +0,0 @@
 #ENC[AES256_GCM,data:+pppKgjMX6IKHrEyE7WT+sVkrsKrC/S9N5s=,iv:aQcH3wCqnZ15ThzB9DRmkJhnw4xNNqVJToXsx3iwGFY=,tag:w3hEI/Nwb/GTCmwrFubQVQ==,type:comment]
 #ENC[AES256_GCM,data:InHpHdYbWF+YeElQmyml7H6wQ4y3lhHmifu4hNAfdrO9fNXh+IQ=,iv:0t4/ZHfFgEVVAWEFYAXuNaKYFYwoPUllyMfOp2UR+DQ=,tag:tfqtEioUhGj+oRjSJx3Psw==,type:comment]
 #ENC[AES256_GCM,data:Df/84YbfFeA/4eB3ERGLRrusmbjKRA==,iv:DDOY9P8TW54qmDQH/5jPQmFjyFjfPZ16ipOTGpotLyE=,tag:c+nwU9QFLBFZMcdTjbwCIQ==,type:comment]
 client_name: ENC[AES256_GCM,data:5c7mNQ4=,iv:tiSy41HLzjP3Bhs9XSn85ZAJJtYzTCTwCARlD0wqJtc=,tag:cmPx6IQs6Ocuy2xiqzIR4w==,type:str]
 client_domain: ENC[AES256_GCM,data:r/V0n6t7nOSqjXV/vYHv19M=,iv:EykIf151hcUDlDVcoGlKuOYzeRwspxajEIjnuadRQxw=,tag:KASAfQqdZg1RKQsBwuzd9A==,type:str]
 #ENC[AES256_GCM,data:Zoa/hQiGtXJbn0db06ZTBachkGsEBEOa,iv:vTyWshk5HDFCJxsnuVYL3+BOMifxmhjJ+gBKiNZ2Jg0=,tag:C2k4MfPwyZ4y/AoV4i+cDA==,type:comment]
 authentik_domain: ENC[AES256_GCM,data:qHPGPAh8Kc171vAsFaaD1IEMaPGwEQ==,iv:NvBP3kC7es518oXT7OT+ONnBI0o6GmfNCpGzvfdrQGM=,tag:YCCCivxJcZtI3qER4Im17A==,type:str]
 authentik_db_password: ENC[AES256_GCM,data:exJBbBV0PPaLfR7u0LoLmbQRuE73ZGpwdXQ09iPvntripOTM1aBkfuqqiQ==,iv:XmDhW8EB+yWdHLdWv0DhCU35rq03IP0Q8nQPxHQq/tQ=,tag:vVMFB7FN5Vi6e+d7SsqJXw==,type:str]
 authentik_secret_key: ENC[AES256_GCM,data:lfC6XAKFtaloBZmOq6hIZspxIcoRJPqMbYO5T/9LGZmz8fI9kDNMM9Skdg==,iv:Jqs1NXru9LWFnkiwQbnVz480UHzDLyw9lTz5KsJ0QTI=,tag:K5WERITMYtHN0Aa9zsG+dg==,type:str]
 #ENC[AES256_GCM,data:mvQfnGJnfGog3xEFfuX7/8qISPjhI1Jw1ljyRr2X82mFVHV1bS8Wgv1TN31k/QU=,iv:9JrDtyMhIo7D39+Vl/HBrh6R23k3E7NQSZXBqmQ1Ho4=,tag:fmIHEt03EnawuPqJsLW1Fg==,type:comment]
 authentik_bootstrap_password: ENC[AES256_GCM,data:AdMlkg6d2it1HzA3HG6m3yA1vSJQzfIWWJSvWbypdKH8eiqkr7D3XU5imw==,iv:lHvkemA8l3GxKUw/oSncKhUsTB0kM6q6q0qbEK8eLoU=,tag:gn3NYjrye7RmdYnTbj9qZQ==,type:str]
 authentik_bootstrap_token: ENC[AES256_GCM,data:F5e4pUyXkUDpgz99e3gqa8JYsDDCv6yfKCgG0E8Mn3CfbR3ty7TtlM/CvFcOTQ==,iv:rQFxh49ACncotu5JcQyLJHJjaIWHSi2MPaMECUtoUWg=,tag:8olrhhiXRYDM0oog4Nn2ag==,type:str]
 authentik_bootstrap_email: ENC[AES256_GCM,data:DfjaNz0/lxfkhBInGBiNgtyljSe/Ox8=,iv:v7HRWWbq1iGWGN8t4ckLEXanhksS+jyKvpHtWFLGJbc=,tag:CaYUvzC7DDfwbVzzCpuwkQ==,type:str]
 #ENC[AES256_GCM,data:8v7EAUTlRdWKoG2ji5qcJloBymG+ytAA,iv:8/UHfEHBMDA5NYmUwZSZHq1y7TOIHFIjEO6y0hwsdV0=,tag:tdsDXMuIOxHSXu0cnJq+Yw==,type:comment]
 nextcloud_domain: ENC[AES256_GCM,data:WzFgX42WIPRi5NtRWsUZAlwP3wUE6grJQE+y,iv:e/VkjDmxbQjv83g4ibg3DmXmujnYZqEytFSK4jT1uGo=,tag:gew/qFyCmtzd5LrB9MOkhA==,type:str]
 nextcloud_admin_user: ENC[AES256_GCM,data:VP4i484=,iv:x5/FODYkvGwLsypL0EEFK+aX1vomc1g2BRMjz7MVdN8=,tag:yeDjVIrPHMcGIHL55CNi3A==,type:str]
 nextcloud_admin_password: ENC[AES256_GCM,data:BHQxIcK37o0xyf3kN1g0RV5XO1RtH8g97nVGNjnYLJDd3+VUMKMNYL/iVg==,iv:3tTMTdLYHupHzr/YKC0gBuNRz60w9vUbGcB7INw4L+A=,tag:EWmtvDFzK239WsnseQZcLQ==,type:str]
 nextcloud_db_password: ENC[AES256_GCM,data:94yfQRPn5rMdtzKWPaBbS+dZUmUAI4xo4i1/hxfm0Z0623KaMs/jcBGqwA==,iv:JNXoHRaY91zJhtViRIfz+ihPI3JlKwy9xfO5KTlDwsA=,tag:nJvT7uNts3DXaBsbHfts7g==,type:str]
 nextcloud_db_root_password: ENC[AES256_GCM,data:SGw7KzCfOUVG60a099rMYI77CYoOTeoKkdQbKEYT2cSKJ2LTKtZCdbXCoA==,iv:57W+KwAPrKfB919TJDHPIdT09B5aT8ZKmkrLcz3um5M=,tag:Aq3mRmTvCsGSGLA4VK4RGg==,type:str]
 #ENC[AES256_GCM,data:2Ca94oWcPDsThITdONt2BwtCQtgo1T1/+QrL5No=,iv:YNoWLwci667/gN3ZX2sYCLkYB/phYFLvtgwUVp3h9I4=,tag:pPlgbwv/6fkTFE2WfSPfdg==,type:comment]
 redis_password: ENC[AES256_GCM,data:jpi8rEcRBaM2XNMLlDz0WkKosp1j6NLyGE933bZp2PieOWk2gNHFNwJ6Hg==,iv:1ynRlMYpBo2FRknD4AWosDtF6JBJnT+vuwy1HNPs2RM=,tag:gr/v/kfe5M1sHjYq1szOIA==,type:str]
 #ENC[AES256_GCM,data:7bmjCFZTqyGV3MmxtmEyY21L0AX0xg2xwQyNFvQld5F4p2uT,iv:Hu5k8+bEewx+J59IKwT0l202h9Sgofzuh7/++Nvvx8k=,tag:YuRPCf4cUN8GlModxkaJTg==,type:comment]
 collabora_admin_password: ENC[AES256_GCM,data:K6UAvUM90klSCqMCiWwE7VkAhvx5c/+QqSElEXjgpmDdoiNE35H1BgYNOg==,iv:v9j6cfmQUkM7IvQvh/pW0C73jOdvx8YEpYuulhKHVsg=,tag:T4bGJJfejMOCgHg9c2nrcg==,type:str]
 sops:
    age:
        - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0YkVJdG5Vd29zRXlEMTFk
            RVJjN3NSTFFHUm5DUkpQUi9ISHdiUEtZVVJBCnFTT252VGpUVWNzU3JCWGRBdXov
            YzFLSXU5UzJCN01nTTVRTU00VGtoTWMKLS0tIHMrQkRFT3hJM01vOExSR1ZoKzNp
            aTZOUDdNMzVUZ0lickNCT0dIaWFuS3MKWHNDkkJ4kJljn2Ull8VCksmnjuORLYtN
            ASfbOgiRJqXzQxwNgigUkvnvFuAEeaijIyG8/KazEP0YlhTWTkY5Sg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-19T10:56:00Z"
    mac: ENC[AES256_GCM,data:LhzvYjkGf0i5g1S1SPQqBKRFatsOKKjwch90KIITZJOZ5i6/5L5BPFeyI8EVl/3/jbN+/wIBOr206nWYkXz+G0i4fDzC0wuAxXc/o1KB+ovMRrQCg5Qw9QGEayViXlKgLOC3EzXzw3gDybxJ13yOw2YSxHgirRRdjVJr6G0/Rcs=,iv:YvE1KhDVAwtXYnjsMOAPnQoluEFMFOU4GByeiQB5W/4=,tag:HbyR29sNZXUhWyQKs5SC4A==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/clients/das.sops.yaml
+++ b/secrets/clients/das.sops.yaml
@ -1,38 +0,0 @@
 #ENC[AES256_GCM,data:0u28ehaNftLzef/Ge203EtpREQG4w5kU,iv:uowORCiPGmtOa56MNO5cKaQsmsom3foNlQnmwctgw0U=,tag:19iE53kteSZ9Q09PYh4ykw==,type:comment]
 #ENC[AES256_GCM,data:wWjTifXRNQ25dM+k4W8cMyolIMQ+zphKe2AYiMuEVyIBd2Evdv4=,iv:Q6/LgZNSv3tee2FcHXUZ1wIvSR25aoiqg7BAyWgWTKI=,tag:p5LuG2OMb3hoYPgK+ab7mQ==,type:comment]
 #ENC[AES256_GCM,data:RjmOnfVrJ/8xJZaTlN6OGobGGACNZQ==,iv:4FBY1WOfonv5WfKATTuZkEsqYPicM1zcX8qWu+lTk0Q=,tag:I025riqowW5FKUezBm0GZA==,type:comment]
 client_name: ENC[AES256_GCM,data:b03e,iv:In6iivcJ24tpfG9N34qsCOazY9H8Elg6QIou+om14CI=,tag:fplhvM7ExqVZCBHT1wcOKA==,type:str]
 client_domain: ENC[AES256_GCM,data:pDlhbKxvHqbSG9cwDXGk,iv:Yn62cKh+Xq2yCzLMS+FjsXjbzvGKMruY/vdmjlr5q/k=,tag:fsJ/jJF6NAvIXRzBLg0mvQ==,type:str]
 #ENC[AES256_GCM,data:icjtWREHoSAGN5rPbdL4j1XPeMZuzEoS,iv:sIuJcsE+rO0sZ5qhdNK6PGxtErrv2bm2HCi48P5FQKQ=,tag:P5plYgUPY9LNOQhpux6fSg==,type:comment]
 authentik_domain: ENC[AES256_GCM,data:QMwZmfUeW1nYDppRFWBu6JhJLDM=,iv:RlLkkWYK+AfwhfPScek67Ba+T0JF5cebPZbC1hNcrrk=,tag:3b45Z6WflSMtJw/wpcPPbw==,type:str]
 authentik_db_password: ENC[AES256_GCM,data:/P3gQbozHLINd3KQJA/0u8MhUqhMcz6MOoLVH31X6cwmGv2q3y6KeBA8gg==,iv:stKEPGqH4EMc3h3afSX2pP3dEos3H8+mJ9o1LSF224k=,tag:7XtR6fRYfqJ4veuUlpK/vg==,type:str]
 authentik_secret_key: ENC[AES256_GCM,data:/1LY8xqI9A5Et20mkY3X2y4o6d+ka7/vqNSxQS2PJ5LAMTAEt9qbX2rr1g==,iv:v93bXYDwvXgifMLngG25qDaXPR690LWeQjkTf0fqNuw=,tag:0JYsyKSJFYWAHYawDybfGQ==,type:str]
 #ENC[AES256_GCM,data:Mw3fsLyDrw39Q2OWiyrtEdls8ub5fTWEqVmGeLTg0qkpvzsrgWRW/GiPW7SYbKU=,iv:qHqh5k1N/GaxbTJYRvPZm4RfYc0MVNDXdI7skEBBqvg=,tag:tQ3OQyNLoBymibw59GG+VA==,type:comment]
 authentik_bootstrap_password: ENC[AES256_GCM,data:RDvAMIvOYmxbwxSjb+kXqmh8GU1sSA6KHqSh8UecjB1k7F5auXN6O8ETfw==,iv:S6DC4/UTMRy/NwhnT641q+ary4638hdLPSJ2duivgZ0=,tag:8etXMMBlgVz8pM0trndyOg==,type:str]
 authentik_bootstrap_token: ENC[AES256_GCM,data:m467HmEab1OSqAzw8Yi9rcL3lRkJJW82k6nYlFiXj7UOgutJtT4BxUaSfMdUxA==,iv:8bi5CITxJK8Mgr0iSB3aD5I1Wm1+c/SL9GrBKKTIqdA=,tag:IhRleBBgg6C7ARgPwnZNcQ==,type:str]
 authentik_bootstrap_email: ENC[AES256_GCM,data:m0sZisLNP774T6ytCwhO3c699wy7,iv:06/kldGACKC/DuSf6hO+r2IgCIJiP+qEKBiJcWCNC2Q=,tag:JRwxkhuDLOU2sMw1cT1c4w==,type:str]
 #ENC[AES256_GCM,data:klnql0MQeS1KXd/3VjVW4WRjSl5yg9Kf,iv:+v30PZBWQVnFEeeQI2InGf9kH5tvzgZnD5JCOyBnEHo=,tag:UHNaI7WU6PhzhkXkHTYtvA==,type:comment]
 nextcloud_domain: ENC[AES256_GCM,data:mN0xoqcpE6tH8UxKPmEaO8zw/qlJRBSpvA==,iv:myiAX/cbkEuyIUcOW2jOrIuO5E931bLi6orxUwUdwzY=,tag:Rd87OGiH0HBc/dFBvvXhOg==,type:str]
 nextcloud_admin_user: ENC[AES256_GCM,data:uscegTQ=,iv:vK0tQIFNQZ1onK70GEy23VDfh7zcofxwyjJXEg8uY6I=,tag:wwna86Sx35Cc6QIMehfDPw==,type:str]
 nextcloud_admin_password: ENC[AES256_GCM,data:SC7jJfHvbaqynl30IdJ0wjy1Jf37eLab1VBJI6p0w1aT35EA+GCAA8HmzA==,iv:PwYkMhyHuZpiRqN53BOMFSBBUBM2mMfTVOOatNTWB1c=,tag:hnI9EUmZ9vI9w7bCT3bFyg==,type:str]
 nextcloud_db_password: ENC[AES256_GCM,data:CLpONcvumICrvxk39UK4ev7wneE70DPUoqx9Gl2N1/A1M3oOYexVbivFAA==,iv:hWgXELPBooRql5wp3O09OluTn2KBfTL98XNnNyiIfLE=,tag:2o80+vU71xtPm5MI6hlUaA==,type:str]
 nextcloud_db_root_password: ENC[AES256_GCM,data:UH4PKHcvfqbp55I8Ru2AtkQDXP+CJpaY156QjO24n6GbIXGT16G0aKN6bQ==,iv:3YKqu61Mdhy/Q2jfK+bItcRx0YFIB+HYpUgpNkXwlMY=,tag:GsQBfVfwJNufY/jY7oDPpA==,type:str]
 #ENC[AES256_GCM,data:zqxETKX7LgG6yCW8n/MUvBf80DeszYo+3TH0HVw=,iv:w+Ymv0DKrE/aPYmGsbCPIhrmauNAlDMTGQqQM7HZrVM=,tag:2wYvCPs5xeerRRpfc5f1UA==,type:comment]
 redis_password: ENC[AES256_GCM,data:9QjDXsOtQDylRyvzu+6KaWxV53BuPqUOIIF10YygBvaSvtTjc6MvROqltQ==,iv:DDPKUOwz0DLnE7tHHx51SV++Upmc7isgKNvx9fKBTIA=,tag:7ieGACSPG+FiiWqUB5UDXw==,type:str]
 #ENC[AES256_GCM,data:Dw9sxUT5diW1LvGQ/VRkPIfv2KMIoCjlsdYGtr1cU51FCRqx,iv:QDf/zXCB8qIvwRAQM9od6Ger8lyXZPDorZXb/Xg+8KY=,tag:dO/1SxL3fpLWnsEtA0xNYQ==,type:comment]
 collabora_admin_password: ENC[AES256_GCM,data:QfjXR22OLAcPewDSDKKRxYXiouzBJ3pTTB8usKq0mEOLOCkzrFR49eWvXw==,iv:BpYApcb6quYdUZ2BxIRJmY5lJK++tQ/PxSOgiIJSDjM=,tag:FQBc+HyTzOyVDYTFsvHVnQ==,type:str]
 sops:
    age:
        - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ekhQVmprdjlER1g3NGFU
            d3pZWk1XbTZXM051N2t5Z2RLem8yVVM3ZUhvCkFrYWF0cW9XbURpQ2VKaDhuelRh
            R28wNGVlTndzcGlHa211NWxFRnBVd2MKLS0tIGhRNmkxanBndjNxTWt1bGRIaHJr
            NFU1eU51MkNDOU5jbnFSbXVYU2cyQTQKxGGn9gHuxY+1L07Ouq22dvZMjF6uLUFI
            GxlyXcV9Eyrz7AI+tliNf8XWULsixcGQ4wAzvAYOoT8JZ8CiWFd7LA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-20T19:27:02Z"
    mac: ENC[AES256_GCM,data:qwucrhsdG8HKhyDn9H788SVX376oAyLmViVSr9zL8ffCjDNH620JSkHhF7xzeN2O3/eDqwjSbCukABEiQNV91LZjSHD8fibWvzldPGqxaR2cm/zt7gM995Iu/HnGq2QVBnWfNHey3eGYTtxXZ5zvQ3EUjNw/rbEEFvSb/V2okSA=,iv:RFKkAIhLHyF2Nv643YT52vloT4erDkpXbuEwrPA/nPo=,tag:F5PQaOhz02WZoVJhf4Ryxg==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/clients/dev.sops.yaml
+++ b/secrets/clients/dev.sops.yaml
@ -1,38 +0,0 @@
 #ENC[AES256_GCM,data:ymRtlDUra9tSxlfNL9hsU/uVhrRXvOu4,iv:S4OfocN3cKcexGEHX54tsuXImzkGXen6U60gE0zpe/Y=,tag:sSmOzlH0HMe4PCsvzpyVAw==,type:comment]
 #ENC[AES256_GCM,data:Ih65jpW9OtppD+HkbCFa3g/MB4NNRUS3h5LmcKXCBgoyBIRaRzs=,iv:cXZoc3pBbwYJbs1BbwpygWGhGjEDLH2+RQbwaR9J4XE=,tag:4ipEocSRc6nXNSnMjbtVDA==,type:comment]
 #ENC[AES256_GCM,data:QCfMorbJDIKzrocCUxvCs71HpYVxbA==,iv:xc2A+AoixVaSKiKnfi2k9p9fvReY3LD9c9qbOktY3TU=,tag:f4DtSyiBqm11MEihfDUtuA==,type:comment]
 client_name: ENC[AES256_GCM,data:7jtx,iv:G34LmmUydqBMQERem3AEmFt3a7zW21y8qi8SFoNjqwY=,tag:ELYpWsD9meZV6AoJ6bfvWg==,type:str]
 client_domain: ENC[AES256_GCM,data:iuUtLyEEZ15/A5w9mIWG,iv:SjwyH2vUuwyUWMRd6dBLl/76u469uX3ZbFx6NTWwq20=,tag:xCfT40L3t873A/zjVkKQug==,type:str]
 #ENC[AES256_GCM,data:mV/niOOibBhl8XBtZtiX6/A9LIKTN/wE,iv:MQLRhzNeDS7G5SwCr7cnKCZuVxFWURf+cc93IjQg5Us=,tag:b8zmEGkniSt4sPqGXlXEjw==,type:comment]
 authentik_domain: ENC[AES256_GCM,data:Xla3sFvlQAR4KfTspgyFe5m1Wm4=,iv:NMWklBKP3NHGk4F9tR15W2UAWIbqa8sHJ9nPz1xHo7Y=,tag:gh0I/5QWpAAHTi3ocMVrwg==,type:str]
 authentik_db_password: ENC[AES256_GCM,data:aQmwQyjunCUMCf5zRg62K9n0TWNd3JwAIUcn+RdVW9M5DMwswGozHEqB6w==,iv:7dMnn8hhCzDoMo7f9+ue+b02KTEdR5Ql88UVaFC2RWg=,tag:fcxPOxowaCztEuZtbLKa5A==,type:str]
 authentik_secret_key: ENC[AES256_GCM,data:xy+Yiu7q36k7AmMHpcdv00sF0wd/XeUaiZajKHAXZe+/wSVyZfDJcE0svw==,iv:3AgFDCT3gPX9mc6yd2+grmMTvqpfsdYNAmq0UDPf4B8=,tag:Ih0//8cjXyQ7m379dzKAcQ==,type:str]
 #ENC[AES256_GCM,data:U5ImRCLi3J9l4h8C2+Yq3o3FWuRW3074OFcQhzUpElCpIupWJLU+wHuUtZAElHA=,iv:b7pr0W1JOivV8aGF4/uDgc0+TfLcsfRMyTvjvwPmDlE=,tag:l3s6Cnm9+ZRuVfMIDoDaxQ==,type:comment]
 authentik_bootstrap_password: ENC[AES256_GCM,data:id4NmApo2ywOVHVbSzgMAQGUMCt7yB6hm8vwXkNFT/KjFeZLcV2fyLafeA==,iv:y5LwHTCQh8dlbg0MLLz+jbylKGKXxfpqBN/oyqlLQYM=,tag:ZY1GgC27VVfCfNOtoWi9Hw==,type:str]
 authentik_bootstrap_token: ENC[AES256_GCM,data:C9Vb9ZgRWDSQ9OuTTfoq9Qcq54TvKsMghZ9xrKI0HYL0IPhnqe586Ic3rWp+JA==,iv:3ttEhHa9dZD+GYY0x/5pxdt+hT/jxMPayY8oimPyaBg=,tag:T93dy7elwfKt+36LOP93Iw==,type:str]
 authentik_bootstrap_email: ENC[AES256_GCM,data:kNv1+u/H18hR8ZkzaXxfnvwGaTL3,iv:qwZlG5j0w34EO8d9ACg72e/iWbVisTMXMBfWhRe1Rb8=,tag:nQHbejCw4+RtmeJk9Hjtgg==,type:str]
 #ENC[AES256_GCM,data:WpMiRkwY6pSztpimEWjxDBfyQ1n04vv1,iv:KI3xu+1k6xIgJsfitegukBW5dWeXQikW2lvzb/cbijU=,tag:vvSq1qXuDBZs+7BRgNOniw==,type:comment]
 nextcloud_domain: ENC[AES256_GCM,data:gCt/f+oSrVTnJQJ/sHkYDbdyunRrEWxd5Q==,iv:2bgsF0PpqdvqU+7ly2ioYJhoL0nlsObszrwyyZUezZk=,tag:Fiv9qLKnDyvQyu0CCwM8ug==,type:str]
 nextcloud_admin_user: ENC[AES256_GCM,data:2QihoZk=,iv:9m6AyYhHjTd1fhogzPCfDUeyGHBVToWZRD8AC87MQTU=,tag:0eWyTlYUEMlE5aqQ/8yFMA==,type:str]
 nextcloud_admin_password: ENC[AES256_GCM,data:20ByyEeJBOjz/qCHRo35mLRRG7mnIVEYIMbM1Ngil9ez8lqiwvYlhuuM6g==,iv:KsRB+u6N3+Ts/A9lqIlV6KJGgs0taDwer0u9ZgLicis=,tag:ffitP/5sxtXkRwseaDlfcg==,type:str]
 nextcloud_db_password: ENC[AES256_GCM,data:WaQgJt0TVB4ITGJfcMUzrdKIa+BUDSP/m8NL/WM/DMk4SqzGOBbIUOR4QA==,iv:F/+qSV5YjQLlFnEo4xM9dcqZ16/TpzOxKxpV2CLtT4U=,tag:cUKG0VhwUSV2/unYRhUAFQ==,type:str]
 nextcloud_db_root_password: ENC[AES256_GCM,data:sj1OjHb12e/Win3eA9CQgK0DSzQC0Q+axZfQ+kFx01y/kqAPxBJom5EvvQ==,iv:ngLUsxQ58YxkyELNh/Kz24Nw398B0qSeBJHxzsnuXmI=,tag:7LxrfnAgFGAMzqGi1IpgrQ==,type:str]
 #ENC[AES256_GCM,data:HpCu3pN8ViTgEP4AwNAcZ9pLjOyTW+sGDIpYdMc=,iv:uZCxNQ04KiXn7q4LvEKLr1/b+/ubk8WJYePKY9g0ncg=,tag:I4J8R9DmFiAAysmfWGzLtg==,type:comment]
 redis_password: ENC[AES256_GCM,data:t2bYWu5jJ6JdTrOzjBqvbVJJSlv4qkFxpSg4eRhRZMyhiq6f+HGff2fsjw==,iv:/7Nbh8acsmoQskdcN8kY3fXRe6jcwK/vC9JLpA18ziY=,tag:bdffnRdvZ7I6heh6DF5qNA==,type:str]
 #ENC[AES256_GCM,data:ut++04KnSSYlD3iRzNFhOFaEvZPArHVbSlikhC2VT5jDlfzJ,iv:QVsOoWjr2vFhERCyMs6W/bGWLlj3UJlBCnQ661MG138=,tag:+WvL/AHwqz/0xJoWJHvK9w==,type:comment]
 collabora_admin_password: ENC[AES256_GCM,data:E+BD7F6q9PyvU2g+c/66aCw5YR5G5U3BzMCzcBnseWEZt1Sw8W//ka4YMw==,iv:dLW1jkvgD8Ius5p1SFy51Nb7SURvGXF9AuNy6hnd+XM=,tag:WRkpA4PsuYanb2+1Zc2RlA==,type:str]
 sops:
    age:
        - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFY01lRTJxS0RzcG5ZQTEr
            RERPamdvb1pCNlg3cWpRSWpFUHhCUXdrWVJFCmpVN3h6ZXRjdmo0Q3pvRmJzRWxL
            Qlc0dUVTWTNuR1JDSUNFMDRaaXljMTgKLS0tIGg1NHVodm9sWkpFL3JacmplZ2p0
            WmhQUnFzSW9HeEh2MWx1NWVKRzFDVWcKVviSyHfzQt7iu3cGp1VExGBVi0zfJ/p1
            YddPTbtm3uzFqHwFRPNDcNwJkZXOY2LO1ouKFFr6W5UubRHaHppeBw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-18T16:02:15Z"
    mac: ENC[AES256_GCM,data:7cPJP+ELChBnSiTiio6KkajcF7UrrIrUSrkWtg/AfL7DhN2pLNFxkvvBsuYrYMz4myZ6X2u1YiDl61sEGVMgRu+b9qcqQcQvO35tfXSN1j04Tnvl+T9oKAG+bpBJaAkJrbDTRuIp2OjSdXNPl+KCiZ1ross7QImTNXVeosequdQ=,iv:j20TFApriRHirC5CIY332I8RVq4khRnTcKgJVptx4gI=,tag:80VFem7Dl6gNE/rAEqyKzw==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/clients/egel.sops.yaml
+++ b/secrets/clients/egel.sops.yaml
@ -1,38 +0,0 @@
 #ENC[AES256_GCM,data:0GANpiSe/t/8nNVeEeF3xhbPLbswHZk+1g==,iv:2Q+TbLECTqw8LOF12qlCpTCJVAiiONafgtqOxOy6jvg=,tag:H5m1lytoOFuWReEnQrN8KA==,type:comment]
 #ENC[AES256_GCM,data:As3OROMNLTL+e2EUAZFv7RrJ3p+EQvkOdNjvFNuUSI5iq0xhYNg=,iv:23QHhD4A0VW8ccjMW3ivRsKlW2mNaQ0AwgqTg3LQUnc=,tag:zlFt8r6m+FNvD0Y9d48FeA==,type:comment]
 #ENC[AES256_GCM,data:vbx3SU+Yc5p9FaaaTX+lzNScNsmEBQ==,iv:3goZ/7+7erCc186ZPJjnS+01KFbun327rQ2u/ia9NLc=,tag:V01ZFE1y0/Yhp8t/O+X6pA==,type:comment]
 client_name: ENC[AES256_GCM,data:mhCH2w==,iv:4oRhdfLMY/IJv+DXiFVLXZ4vBxKk+zoYlDThq7ARfOA=,tag:DojfBjqyXAMgk1cDs8FWmw==,type:str]
 client_domain: ENC[AES256_GCM,data:vCltXbTBfuJqj4jk8Uf/Ow==,iv:6hsza3t7nQDNHYEIrYvopSt8os+o1fz7Enc0cJFxbYY=,tag:rwoAEHdsCSWGOKniue8xOQ==,type:str]
 #ENC[AES256_GCM,data:36WknJsToqr6KDZgMvm9VsCZwC+BOyIq,iv:lIV3CJXv80WQkTvud7KlPj058xY+AcIg+ti9B+tqRmk=,tag:0Ho8XR14HxO9nrGlqw84Bw==,type:comment]
 authentik_domain: ENC[AES256_GCM,data:xRr/HCyiscbPJUIzLbl5muzX4lPl,iv:DzDCwXEgaI65ViKOgeydbQ1XBPBVk8Vr3IPX2HsrTC0=,tag:FzUcBnT84QLjUELO/NepcQ==,type:str]
 authentik_db_password: ENC[AES256_GCM,data:EKxxfM01KdXFXZkIe3Odpl2n8I4nbdQzUC6ryN7aM52MHQDzv4Y+z3pANg==,iv:zaG2VcR+x8fqkMyL2vQTonKK9u/KmObyBiE3oFYgwTM=,tag:eS2cQmNoUbet5gBB/EoAzg==,type:str]
 authentik_secret_key: ENC[AES256_GCM,data:vojKY09CrpwNdcJR3GHv6Z3HfR8n7EB+qNZs4fXXQOVgk3eqVMSz3Qx8mQ==,iv:RG9f1hHUEHlqRiHXXODJV0HIsIFHib6837p68p1746c=,tag:YqIueX3A07hRAjJmsI6r6Q==,type:str]
 #ENC[AES256_GCM,data:VsLPKpx3W6YN6QXhRx+YTAxKNu9IQzGiZG32H4Rwvg8wxje5BMhmuSTR5UJorMU=,iv:QswzckRT9Q51N7vSRQrm13kxECRhfBJpsFooFYHKb0s=,tag:oEC4Hc6AVALzVqiOG/09DA==,type:comment]
 authentik_bootstrap_password: ENC[AES256_GCM,data:dz0+NGAa5D154vbjuKpuRnIEXVQfTgUsIOPjIzdxYMLxbbNTBP2z4whElg==,iv:hWR7E+hPMQ6zSgZIaIvaGHPRuW8md/uYfRQ/xeb8DeE=,tag:CRgtDtN9UEk/6DUCFMwoYw==,type:str]
 authentik_bootstrap_token: ENC[AES256_GCM,data:e8O+c7DAwwYV91ATgEOi0Hf/i0IfnQoxAQRK+KIZ/Tdo4O0t3Al/6SHl+BFGZw==,iv:9f+tfa9tRhn/yuBSqFaLJndnRDx150zBd3Wxc38onRw=,tag:KOeZnWr/uig4KI5g8BE6VA==,type:str]
 authentik_bootstrap_email: ENC[AES256_GCM,data:MlQJIrG2a7f8jRVjRm3pFBTwz+SMCw==,iv:c5MSTtscFb5qFWghRilJqscrqdriju/AU3H4bE5zYfQ=,tag:msz63u6YpGoAI7ulT880TQ==,type:str]
 #ENC[AES256_GCM,data:p0JREYAvVu02Qqoz0HoEufCL287NwNDH,iv:2oJm8p5m+KyEv/MedtBjurQcLDer+QMcxjVxfjkljZk=,tag:k87CX+v7zGZbcbjT8s8JGQ==,type:comment]
 nextcloud_domain: ENC[AES256_GCM,data:gPyjwlPhAh1B56O2Ua7+hgVYbr3girvNgn0=,iv:jWGVFWDxXuYFqQtWIMlrBn0bYkYzB2vrH46sFvrX7lM=,tag:5/jQQTEtsWoy2i59sR58jw==,type:str]
 nextcloud_admin_user: ENC[AES256_GCM,data:v7wuCG8=,iv:YG6aNYwV0RPJ/sfHcSleqvBvkdq+zE2nBjMyN4QDir4=,tag:n987hO4NlJvdgvUqjf8ZVQ==,type:str]
 nextcloud_admin_password: ENC[AES256_GCM,data:B5mp8NCWgQclAERE4QXoROeV6nlxwiYP5+hsizIfHctk+iMZldEt9YCJ3A==,iv:xLg6G5lYc1fBVXCy8PnCIpO+t3K3kZ5iYMfBFfZ5llE=,tag:xIi1A1nuwlN4TyrEeN7Zag==,type:str]
 nextcloud_db_password: ENC[AES256_GCM,data:vLx15cJfiToYaaAR4eIqWAo1wBLDSCIYznC3SBsngMBKssVkQcQpnpO7Zw==,iv:DNDNz19jU3nATAzJw6/FXyq8QUcsUIv3xVWG02CZKJQ=,tag:mEkQIJgpcQdKlxTey6Zqjg==,type:str]
 nextcloud_db_root_password: ENC[AES256_GCM,data:BVHmAhREJQ9U91YiQoLp8trQR1A6hpMrXGUCVLGKSV3xgxloWCcPvF5Fmw==,iv:kcJrzZlvmwAUQRbKe6cFu7BTr5Eg/s7frfTAoGrk6HA=,tag:Z6kUpUx3GeIf073mYHE5Lg==,type:str]
 #ENC[AES256_GCM,data:FuFmCCQIoLt38f3rp/f21F2SUEmUe5mew7mafIs=,iv:/epTrJv3iq3Apu82EXzv4cLL6678wDvtEL10xnKN8lg=,tag:dTSwYH1+TWZ3uTAn+8e5Pg==,type:comment]
 redis_password: ENC[AES256_GCM,data:2ZRr7+7Nnq09Ozal4FWU/vb+qdBX3njZE5KdzyXPdtZQZ3lkB8p5mgXkUw==,iv:4YXUPxFubIQyIoSYMWc059zGAUPI9dk+YF3V7kn5j6Q=,tag:+0Gi1qZ6HFgjnzah7pGBUQ==,type:str]
 #ENC[AES256_GCM,data:uw9XOlYDr7zZK8dx51LFiHzPjKgBlmwWoyPqREd3cQHzwo5U,iv:9luZspimHV61i9oTgpePLJur78Km17lyhrOWjVledXA=,tag:pSezIsLxWvcEZ6rklfJ4Mg==,type:comment]
 collabora_admin_password: ENC[AES256_GCM,data:NpAz49/Nu/SAVa9gpfnkdZKuRXqbawVutx/YuGA4V+KL6/mXSJn30EtBdA==,iv:lzDFtpF+3AZ7SQiKwN1ewY6jeWAI0GKO6M6QbxjGGUM=,tag:lPc7ubFRLIOBT0G7fZRhCQ==,type:str]
 sops:
    age:
        - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3K2Q1VUdWcG5LVmxEVzdl
            SXNjZ0swWTdJNmlQV3pudkV3QlZ3cStHL2lrCjVCMHY4a1lTK2V3cHo1UHN0Qit0
            aU5BYy81dERuZGhpNzlQbkxnU3BncTQKLS0tIFNGS1NFRk5LamhMc2dOZXBQalVP
            UktCNEQ2MGxLM2R0Y3cxRU9WV2hvUkUK3q4VetTBIM/xB5rdALtaNkhVr14XcOvv
            Od35KPTjMKjTycae9K/9UAaW/GyqYUhna+S10iMKiVImaNyP+Yve+g==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-21T19:27:39Z"
    mac: ENC[AES256_GCM,data:hv6CBUEhuu8sdqAjSjbB6fS559RY8nCssdejS1L55/PY6KtLvh/lPhmlc9eIiXwt4gVCO3S5eSguK9FDGN6AcPbCR4oV6abO2HsjoXnkAq2twlY+vvQ9WHnt3yR9ndSu4+8T17WqlQkib7p1Akzns8g3GL8W6wt4A7hW/YcnZqE=,iv:m7neOUmZ9Ou9MCtfGElDMUrOiffX+ROafOTaMK2XfiU=,tag:70Veha2fvdobCEKhLVn3iw==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/clients/haas.sops.yaml
+++ b/secrets/clients/haas.sops.yaml
@ -1,38 +0,0 @@
 #ENC[AES256_GCM,data:263AsaFnsT/v03J3dTnRU9reOdPrqBK+Eg==,iv:ihmZCQ8KnKc/qwa34pr/JOj42tceourqSkirLVOlg+U=,tag:1otLg1EwXYv7/EcE197WDA==,type:comment]
 #ENC[AES256_GCM,data:6NozW8S6KxeV87FehIpl1qNRpKsdl/lg36chh3egDk2sWn4iNhY=,iv:QwVCpWyFTUpPXf57OdcCqajRmLdXOlNbCoPgEU+7EH4=,tag:yFyiWe5/OI5m/AI5rs6yLw==,type:comment]
 #ENC[AES256_GCM,data:jlKWnfCv+u//hfMa/8L3YlUCoyBjwg==,iv:NxvrTJ/lVlJK/JnWXTY/4OhQ9rzjZmQWTWoMDUy9kPA=,tag:T5rIeC1ZmBDxNiA3SG6jdw==,type:comment]
 client_name: ENC[AES256_GCM,data:Go1JEQ==,iv:3P3tHtfLbc+DspwK1SVrNyHExioefaVbfA7yXATHHpI=,tag:KY+W2M+pi/xYc7i/5Hb3Cg==,type:str]
 client_domain: ENC[AES256_GCM,data:/0tEausGEs9gdL+ZOkRsFg==,iv:iCqkzpRmxzq1O7J8k2GWxocCsJmpkF/lgHHFBS42Evw=,tag:E/Z8URfOFNLx2NGVkbTcEQ==,type:str]
 #ENC[AES256_GCM,data:Q4cIm4NebGcflGee+HZZgEX7/OyuwtAp,iv:Gb92l3hzk7e5GQscDwoDBi9YBdhZvOtmrTaRErScYqA=,tag:IEqwdyE6j4u0uGK26hei5g==,type:comment]
 authentik_domain: ENC[AES256_GCM,data:jEkOfeF+FQn14QdYfprDFO3FyL5N,iv:LZ7knjGqqBGyKBTRqzSlFI3da2nRujGY/+B9Uyw+ga8=,tag:hx98SqLo3oz/V5BQ220YKg==,type:str]
 authentik_db_password: ENC[AES256_GCM,data:jBQTmw7unol2VNI5HHPm6ac8zEaN4gFJpof00JMOr2hg/BKGErnWNYRlNg==,iv:kF/L2gqncz/yHK6v0Mz1/SsiyG1upMG8DeIKWYj0o1w=,tag:WBvL687LuSsdhnkDCCEonQ==,type:str]
 authentik_secret_key: ENC[AES256_GCM,data:pY5wvfM8dMYRzNSlwU4vfMSKOxEqJm2IEXsfCHjFtA47/7Ltj31NApee8Q==,iv:XWUacJqrDgutuT6hTtgxEvfhWucQnP5vdce9puzhb64=,tag:y7Hey6dwt/9+VcgMbNxvew==,type:str]
 #ENC[AES256_GCM,data:5ucGhUZv2qjbYwI5o8rG1/8gqOX5x0Scip3+/T2EVyH87J+lxYKn4vK6jhCDJY8=,iv:Fff+f7SlljApCvryzqS/9aAQoKCyA5AbWqBNZ01MAls=,tag:rjK2ivHO3u1OVXRwoZOwBw==,type:comment]
 authentik_bootstrap_password: ENC[AES256_GCM,data:VwxTylvuPqL/H4ad+Nr85NxCCgvEhAeC3/xa4RZt0vZ/7RMcSkXECIusng==,iv:3a5cvPXP+4wVKsRuOUxepv9idK03qknHPoiGYT4JYNc=,tag:DWacaePwtEiBlcARzXXGbA==,type:str]
 authentik_bootstrap_token: ENC[AES256_GCM,data:WRwF8eAyMFaHbCIC7us8KfDZ8FUErkj+OUsyAJziIETC0YPIFOyG8v4nM7MFRg==,iv:RtfGnGWhXDUHWc77tyEbpini6wlD4Zr/FuMfB/Exf3Q=,tag:GZQunFQynvG49FC979FNng==,type:str]
 authentik_bootstrap_email: ENC[AES256_GCM,data:a5opY+7AVaGZ7DJR3jhxdGk3hODH6w==,iv:Ea1CRC45PEStquXv7W2M/WgQPnBNlTq5qh1K5ZwG9CI=,tag:VBNh/xVnIYY98Z53CvU7VQ==,type:str]
 #ENC[AES256_GCM,data:uJ4wPND6Cg+f0gOnx+a8K88RNrvGxszl,iv:s5NEVK+9buT2607GdGE7hO2EQnEFEGhMABtBC6QVuLg=,tag:DPDxu0IKwxJzUqsr3w8zag==,type:comment]
 nextcloud_domain: ENC[AES256_GCM,data:Qit+lD3CB8NrM1JsQtqdC8XBMwS1dsQD7Hk=,iv:p0WFFJpgXeIkBB19o7jJvONEuF8C9i0Q5L+sF+vKu8Y=,tag:8SmnbpSF3euICD55M01bdQ==,type:str]
 nextcloud_admin_user: ENC[AES256_GCM,data:EbRJDQQ=,iv:t077WeC7X88/XnoMP+xKSiCG6a3KWftjcwS3lKDxFfc=,tag:ZhFL5eJ7iH1Ka8lawa5tPg==,type:str]
 nextcloud_admin_password: ENC[AES256_GCM,data:D1lsP/cOUC13sps8kmRlvazq7lkOMzHv/AvxKRmdlUsEOUC+vaHjl7HKjA==,iv:DHqxqin2dw2OJ5KAWNcCThPJanZd2S+cDNJhfw/trCs=,tag:X0BBH2arW2nsWxHdT9F33g==,type:str]
 nextcloud_db_password: ENC[AES256_GCM,data:USgbbNviB76dpGdKfrlT5FJo8NJWs6TDZ1V3HtvBajlaHOVHrg7HZ/ciBw==,iv:5jg7hiZsEtu7D3eoNzzeOEX8/ISMDlIosquh/cnfh/M=,tag:t8yv/jPMtIePgQ6guklE1g==,type:str]
 nextcloud_db_root_password: ENC[AES256_GCM,data:pliuG8kF3nhvUfTuXBnTZ8SEn+NcdiMMFYaicCpeSL5b664YWsYA6b9O2w==,iv:8C2ecJUZg4a0Va08cDvelptN3RObL7qpwqunwkFt7As=,tag:1fBz3hrP0wAVtjuq/I2fAw==,type:str]
 #ENC[AES256_GCM,data:FDhOFTZd5ODvp/k/7LwJEbSTgmQB4y0C3Dh0UQw=,iv:kryzQXpKS38QCrxVThG3IHV+96+5q2twNRn4NGipSdo=,tag:ZxByg7mBnHlJ0naR/6ZVAA==,type:comment]
 redis_password: ENC[AES256_GCM,data:ShoUwNalboMrmEvmnthtCHjUZerRzzS5L2tVkW35S9jEExZaSZSUwfcPLw==,iv:TwDLqrgzRDhuwos3wnyNXA3PmJeEAfquwj3Z+F9qM40=,tag:St6MUoT7tymgjkefx6mB6A==,type:str]
 #ENC[AES256_GCM,data:PIlcwi0CYHxJ+2gWR3h8ZeE4LaKUUtAk1E8ERu9b3mq7/jZa,iv:HKO5hKbieTF2P2w3BFYx4WLJ/81stbLYwj/sSa2UvX4=,tag:YFxA45XUC3+zrvgwUFg4kw==,type:comment]
 collabora_admin_password: ENC[AES256_GCM,data:DFpT4PXQeQXZzTygONz5Sbi8Qfj+yBkvTf9cnje1EbLwizITA4mnyyXaFw==,iv:PvA3FhLoJEwQrC5jr0koqkcxlYpjBBLINjiIKgf05MY=,tag:b0kfuU077mOwlRb98YSoFA==,type:str]
 sops:
    age:
        - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2SFZxckxOL0JMRzhFYVZV
            bmRiV0dmeU9XUHdtYVlObHJKRjRZaGs3K3lFCmZ6NEFSTlRSTmRCUkJSTFFEZllj
            WjBlMGxWZzhLazFRczdkMnhHZ1l6SEkKLS0tIDljaWZnaGxzYXU2NVM2U2lpU1dH
            VVZXNVhkTW1xRFgvTmJQM09oRDRJV3cK7ZO0tK0+KTovKYqW5AW0hhk7NxNVi9o8
            UAqmY2X1vAV1ekHryLRZtdQ9CpQh6Pc/8D6aGg79ZbHxPMeUBdPf/g==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-21T06:50:20Z"
    mac: ENC[AES256_GCM,data:iTRh6UXx/EeR/2ZrcUoIvujPt8cVlKEEuSO3x9miMEquZsNTnp8RIXoDETSmNpheXx7gG2jXOvgBbo/Bj52p45/Wo42TgmJGEo7tMExAfDKrx4JZAQqNO7SOGt3Vo8xQ05M6edfsbzAnke7Iz7T41065RYgl8L5qqFdGASAb8Po=,iv:JwIxfaG2nzWy8uRxsz5/b8bdv5HyUCkB9FsVep8EUjU=,tag:FapmKA3FwOOxNe0Diet56Q==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/clients/kikker.sops.yaml
+++ b/secrets/clients/kikker.sops.yaml
@ -1,38 +0,0 @@
 #ENC[AES256_GCM,data:+OGneTnZcnOaOPgw4zJDfO9lhon2bn72N3km,iv:/nZQnMlDMbofcxjJom4Tm4vXc7wQJCTRbZvzm3wEk2w=,tag:0HA3xkq9oRCwahio+48QFQ==,type:comment]
 #ENC[AES256_GCM,data:DzVdDsbfKUPhrR3RfDtNcz5t0eai/DIe9ip30YDHqP1Cy25Bock=,iv:p+B0zs9MJqBY5pskUPraGLBzolkp6mJgfuBt9hNuDB0=,tag:Z6xCRTWDFlQFS2rq5Wcu9A==,type:comment]
 #ENC[AES256_GCM,data:UwzF6CrMrTa7w2x1WZkeeu4XlCO3KQ==,iv:515JLeVFc99aDjhZm46YBiHP6XU2054t/JlAMJP8ATc=,tag:tbWqRRIjVVBN/CW2q2tP4g==,type:comment]
 client_name: ENC[AES256_GCM,data:OW87HSgM,iv:l9hVz5O9kIpIU8coHFEAi7USAT9szRd/yWEPUJ/cy+c=,tag:nkmXbsXgRFdfLxlXEK3Cvg==,type:str]
 client_domain: ENC[AES256_GCM,data:T96fwpdymgEzpWk1AHCuyPk6,iv:hxyUMZRUptennahYciQN5SvaFKNY5L9vbSkod3sJ/18=,tag:1H2qxINQe6+bahDqwg/+kQ==,type:str]
 #ENC[AES256_GCM,data:yt18Q2bAXbVqlh1YYhITEi0sqA3ysADl,iv:Ps2WPtuOTYrH4eBAijAxvr6iVwPy7UE4pCVxck+qTRk=,tag:y5yQxqKR55R594815o4ivw==,type:comment]
 authentik_domain: ENC[AES256_GCM,data:EGcA/dwACmdF4BxHBniaTw5VbBwcFLM=,iv:a7Br9mBBbRCLrBLtXOVlhyaNMl9KojCky2DnnAorzaM=,tag:J7BY5gGrWtq4K/Fi4vPrGg==,type:str]
 authentik_db_password: ENC[AES256_GCM,data:z3hJ1S58N2+e2JSLZDFk4EfZdQnWOHXYXQLpRlq79xMOICfkdNOPk4Xy+Q==,iv:PbJMxOVvnCzx9NTZ7TmuzjjCnAPRfnAhEtgNUndkP24=,tag:iNeufIP3cexO//3HXX1l5w==,type:str]
 authentik_secret_key: ENC[AES256_GCM,data:p7XuDZJpX1TB729fnwWSjw8xOiq89n9RuUInbz59yQwj1WZnMbOGFWtKhA==,iv:lCVIG22DPaq3zlWdhTNKkTxoZhHYDSUi/X5HCgd3RxA=,tag:8rb5pgQFSFPqbPb6CyN2Jg==,type:str]
 #ENC[AES256_GCM,data:+GpzYBHrXCH8MLp9hNnTq8KQGE21woqupYuhdFsgtXIYNgcDJF7vYpvgMe3Svgg=,iv:9co1ZnzMW6JP0CTF4Y/MpOBSxJJIAHUlrcLV7zqmiZk=,tag:cIMlwU6C4cOCYc2ECGkczw==,type:comment]
 authentik_bootstrap_password: ENC[AES256_GCM,data:96NFk4/+nQ3tFX2lWZwWj6G8JbxLVMwYrDghHEC+UebE/QGgV0XpWbmzFw==,iv:Vvqpr3dbxROLEQBe1Qu//8ZcnWeJPH2XBel/4kDn+Os=,tag:yO1ofUIr5fDwiaMJ5Gye4A==,type:str]
 authentik_bootstrap_token: ENC[AES256_GCM,data:St6ECyiagUCW4MaBnD8YxUb/BMHEUqeIpvbkokMnWN5SVkBp3RjbsfcHTJyGDA==,iv:osYqlia0kbscK2o7L4tX0BsOXM+RyBGrvnHzBTMoVqg=,tag:xclsy5A/sAECV2OdAzPakw==,type:str]
 authentik_bootstrap_email: ENC[AES256_GCM,data:aM5/55cmtD+KpcPuLG8o7Xk8Y53wtiQM,iv:xJl0XP3BROi7Cd5xsoyTJD1WG0sFXV8DYu+utM/Gr0E=,tag:Zng3mRgJlZodmzm1vYAfYA==,type:str]
 #ENC[AES256_GCM,data:ewwEAuc2sMr7/JymX/unIrWbPLiYmFCp,iv:RCTjyRNDpbb1KASMaQLivmzPTUqhIj87xBf0sPkAo7A=,tag:DhpjJbmdz4LptfkiK4tuFg==,type:comment]
 nextcloud_domain: ENC[AES256_GCM,data:m8wSqeV2KINu4jDEZzJLHWCXCf+2mkD2qW4GfA==,iv:VjDqoqslB2m6iiEwiqFYmSWs3FzFGMs4L27Scd0W1jU=,tag:ZUEyoijAdOttmCPA3jYqSw==,type:str]
 nextcloud_admin_user: ENC[AES256_GCM,data:2wJAtW0=,iv:2M24KF/VVNYW4SuQpzRimujh1U4iUnTdXmdvMoDgDIk=,tag:ZwlovzOtGyBItAG2UbVhBA==,type:str]
 nextcloud_admin_password: ENC[AES256_GCM,data:aU28NwDezrkeyLQzGqs/P955uyICfPH+Tiqw1MyReERBl3/iAhXzPf7STg==,iv:PCPovUjxW1FIM47bTCuaimkMHY+3W3WdOtj/Utyu55k=,tag:Meg3UOwbNsMHWttSp9VVEA==,type:str]
 nextcloud_db_password: ENC[AES256_GCM,data:9KIlpdOY4PrmjqFX8xv5qj4Vi0wcrcKWOAzRVxnFst8YDKaOEwRLvOxT6A==,iv:lpUiKPb2A266p9NLM7rm3zWz5axXp/HM1/E9WhSj4zI=,tag:i7hts7cQCVidJ3Z1drpuEA==,type:str]
 nextcloud_db_root_password: ENC[AES256_GCM,data:yDmM51PHybSGy0t5349w0cXOBvb9/ow0a8PooPr80PAYg9IIik3kyDcZrA==,iv:FgbqiKS+ilhmlqkZ7O8UdnvFYeAwjlpkQYO+yTMuODI=,tag:AxHEn1qPSlAEdSyBY8UvSg==,type:str]
 #ENC[AES256_GCM,data:WWVZIdIMEoxOQOwJWUgPho2tSHpHtkFtzdiHzl4=,iv:m37ibZwqNOuyVZwo5ImwP4Nct52tAUGPJ9ATC2wRsFo=,tag:eovZH2v4k5Vh726L9WNpHg==,type:comment]
 redis_password: ENC[AES256_GCM,data:/BwaUhH4nAKeTkzdOZYksHapMbhiR7BqhB8JTBxvcZUycRKpz4IHjrHKHQ==,iv:bE/6biVZ/EY2CGU3JM0R7MxASM5zd6Bky/1qv5MFzUk=,tag:0XFoF4AvgIgy0zJS5nEMyA==,type:str]
 #ENC[AES256_GCM,data:SUh/lkNFWNxcqprX+qpLUp7T05d8m/X33lEiP6e63oqntICG,iv:itrjKHbXWc9MmCcT39JDpWXgBpd/j2j17t4Gi+BT4sI=,tag:W6u02s+tuyE4KADgwzN8/A==,type:comment]
 collabora_admin_password: ENC[AES256_GCM,data:kEYIiowJqq8+rPynVbKz7f8J92XoFnZAlK4I1135gIRzpH9QFFaZl+OdsQ==,iv:gPWECbawEkAQ8gvr6qXbmji3RnrFRJyiUmD9B46kebs=,tag:X6vDF0zNj+relaveRZJm/A==,type:str]
 sops:
    age:
        - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVUVEbFBaZVBoM3U2dDFa
            clhaSjNob1VwT3ZMYTViSHd1enptZkZxcjFZCmVxR3RZaVU0NjB4QWNrNm94aEs4
            WVZ3OFBBM0pjZVpUblQ5Wi9wZlF0RTQKLS0tIE5nQ0ZPaWJVSHlxbHIzcHc3UTE4
            U3dnS2YwRVdvd1JWUU41WGVrcVZDYUUKHCxEWjcs3tSh0M7r58O2lrAlgL8qSum4
            Wt+TzqCGv0u3mMTsilTSTtaWqLeMHu9jXvPgbD118KtHrSy3tr2imw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-22T09:15:08Z"
    mac: ENC[AES256_GCM,data:kx3z9ok704JFFv6f4ffkLPrf0EifQKoW2HsZ+ff1mWUxAm9seFpE1OhmyU3SpSrndmbKSANVMOI88eXne/2w1plqxVYUp75nS2f2fAKTlssTEVrH3vvWS0a7O9McGKgGIQUhzjSiavsrReye7ok50WeiQSlgnzYreM9FBk46c2A=,iv:0ekt8pMJCF9hhRh3CahbKb44Pq/+wordmoe3he78Kg4=,tag:AReHlK8VvGQHy4m8uqK+lg==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/clients/kraai.sops.yaml
+++ b/secrets/clients/kraai.sops.yaml
@ -1,38 +0,0 @@
 #ENC[AES256_GCM,data:tFeRrhiv0poNJKknFOXi/jTCauHB3FI7HHE=,iv:vBPdvel/tDeZbsgy9ThwBAnLfn3/W+atKXrhWaDnWYc=,tag:1FIw+vHdpnEi9PWaCL7nvQ==,type:comment]
 #ENC[AES256_GCM,data:wWjTifXRNQ25dM+k4W8cMyolIMQ+zphKe2AYiMuEVyIBd2Evdv4=,iv:Q6/LgZNSv3tee2FcHXUZ1wIvSR25aoiqg7BAyWgWTKI=,tag:p5LuG2OMb3hoYPgK+ab7mQ==,type:comment]
 #ENC[AES256_GCM,data:RjmOnfVrJ/8xJZaTlN6OGobGGACNZQ==,iv:4FBY1WOfonv5WfKATTuZkEsqYPicM1zcX8qWu+lTk0Q=,tag:I025riqowW5FKUezBm0GZA==,type:comment]
 client_name: ENC[AES256_GCM,data:E38tnNk=,iv:1ilhr+3A7QALq/WELOwxoJG+dJ71u83xmZUEQELzGCw=,tag:LbfHCLGHzMMUQavS/UP6Lw==,type:str]
 client_domain: ENC[AES256_GCM,data:ddZVeXV+lbYKVZzeJ1Z94ME=,iv:AeWmpKnQD3+72NnygSh58mH/GLd7eQtdBHx7yW1iUWM=,tag:6KIdfvmcrmbFL1bfeXtetQ==,type:str]
 #ENC[AES256_GCM,data:icjtWREHoSAGN5rPbdL4j1XPeMZuzEoS,iv:sIuJcsE+rO0sZ5qhdNK6PGxtErrv2bm2HCi48P5FQKQ=,tag:P5plYgUPY9LNOQhpux6fSg==,type:comment]
 authentik_domain: ENC[AES256_GCM,data:sxx8OXgDXRueC6s1yBuM6lgxK46beA==,iv:3hTgWXPRkSaNn4juhC8YnHu6WzydErGHlIAnOKTdARg=,tag:1iHZhBfwChYV99fvl7bAcw==,type:str]
 authentik_db_password: ENC[AES256_GCM,data:/P3gQbozHLINd3KQJA/0u8MhUqhMcz6MOoLVH31X6cwmGv2q3y6KeBA8gg==,iv:stKEPGqH4EMc3h3afSX2pP3dEos3H8+mJ9o1LSF224k=,tag:7XtR6fRYfqJ4veuUlpK/vg==,type:str]
 authentik_secret_key: ENC[AES256_GCM,data:/1LY8xqI9A5Et20mkY3X2y4o6d+ka7/vqNSxQS2PJ5LAMTAEt9qbX2rr1g==,iv:v93bXYDwvXgifMLngG25qDaXPR690LWeQjkTf0fqNuw=,tag:0JYsyKSJFYWAHYawDybfGQ==,type:str]
 #ENC[AES256_GCM,data:Mw3fsLyDrw39Q2OWiyrtEdls8ub5fTWEqVmGeLTg0qkpvzsrgWRW/GiPW7SYbKU=,iv:qHqh5k1N/GaxbTJYRvPZm4RfYc0MVNDXdI7skEBBqvg=,tag:tQ3OQyNLoBymibw59GG+VA==,type:comment]
 authentik_bootstrap_password: ENC[AES256_GCM,data:RDvAMIvOYmxbwxSjb+kXqmh8GU1sSA6KHqSh8UecjB1k7F5auXN6O8ETfw==,iv:S6DC4/UTMRy/NwhnT641q+ary4638hdLPSJ2duivgZ0=,tag:8etXMMBlgVz8pM0trndyOg==,type:str]
 authentik_bootstrap_token: ENC[AES256_GCM,data:m467HmEab1OSqAzw8Yi9rcL3lRkJJW82k6nYlFiXj7UOgutJtT4BxUaSfMdUxA==,iv:8bi5CITxJK8Mgr0iSB3aD5I1Wm1+c/SL9GrBKKTIqdA=,tag:IhRleBBgg6C7ARgPwnZNcQ==,type:str]
 authentik_bootstrap_email: ENC[AES256_GCM,data:ncj8km/6ocTdl9OuTQDjT+bL/z/P0lw=,iv:LYBhp/J6jdl+WbaG4kmRqLaqrYfqNkWaHkqC2QAIUcc=,tag:lgay80kux5aV/Ed7WTB1zg==,type:str]
 #ENC[AES256_GCM,data:klnql0MQeS1KXd/3VjVW4WRjSl5yg9Kf,iv:+v30PZBWQVnFEeeQI2InGf9kH5tvzgZnD5JCOyBnEHo=,tag:UHNaI7WU6PhzhkXkHTYtvA==,type:comment]
 nextcloud_domain: ENC[AES256_GCM,data:RPe7IOqz8pL6ZZRxTyHnHNhGDMc4ZhJ3zBNu,iv:yltqNWZA9JrLz5ZoMPj7NtQ9JU5EC3cRWG9U3hz+Js4=,tag:bcC78v08TVv+hpzD5p/mmQ==,type:str]
 nextcloud_admin_user: ENC[AES256_GCM,data:uscegTQ=,iv:vK0tQIFNQZ1onK70GEy23VDfh7zcofxwyjJXEg8uY6I=,tag:wwna86Sx35Cc6QIMehfDPw==,type:str]
 nextcloud_admin_password: ENC[AES256_GCM,data:SC7jJfHvbaqynl30IdJ0wjy1Jf37eLab1VBJI6p0w1aT35EA+GCAA8HmzA==,iv:PwYkMhyHuZpiRqN53BOMFSBBUBM2mMfTVOOatNTWB1c=,tag:hnI9EUmZ9vI9w7bCT3bFyg==,type:str]
 nextcloud_db_password: ENC[AES256_GCM,data:CLpONcvumICrvxk39UK4ev7wneE70DPUoqx9Gl2N1/A1M3oOYexVbivFAA==,iv:hWgXELPBooRql5wp3O09OluTn2KBfTL98XNnNyiIfLE=,tag:2o80+vU71xtPm5MI6hlUaA==,type:str]
 nextcloud_db_root_password: ENC[AES256_GCM,data:UH4PKHcvfqbp55I8Ru2AtkQDXP+CJpaY156QjO24n6GbIXGT16G0aKN6bQ==,iv:3YKqu61Mdhy/Q2jfK+bItcRx0YFIB+HYpUgpNkXwlMY=,tag:GsQBfVfwJNufY/jY7oDPpA==,type:str]
 #ENC[AES256_GCM,data:zqxETKX7LgG6yCW8n/MUvBf80DeszYo+3TH0HVw=,iv:w+Ymv0DKrE/aPYmGsbCPIhrmauNAlDMTGQqQM7HZrVM=,tag:2wYvCPs5xeerRRpfc5f1UA==,type:comment]
 redis_password: ENC[AES256_GCM,data:9QjDXsOtQDylRyvzu+6KaWxV53BuPqUOIIF10YygBvaSvtTjc6MvROqltQ==,iv:DDPKUOwz0DLnE7tHHx51SV++Upmc7isgKNvx9fKBTIA=,tag:7ieGACSPG+FiiWqUB5UDXw==,type:str]
 #ENC[AES256_GCM,data:Dw9sxUT5diW1LvGQ/VRkPIfv2KMIoCjlsdYGtr1cU51FCRqx,iv:QDf/zXCB8qIvwRAQM9od6Ger8lyXZPDorZXb/Xg+8KY=,tag:dO/1SxL3fpLWnsEtA0xNYQ==,type:comment]
 collabora_admin_password: ENC[AES256_GCM,data:QfjXR22OLAcPewDSDKKRxYXiouzBJ3pTTB8usKq0mEOLOCkzrFR49eWvXw==,iv:BpYApcb6quYdUZ2BxIRJmY5lJK++tQ/PxSOgiIJSDjM=,tag:FQBc+HyTzOyVDYTFsvHVnQ==,type:str]
 sops:
    age:
        - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ekhQVmprdjlER1g3NGFU
            d3pZWk1XbTZXM051N2t5Z2RLem8yVVM3ZUhvCkFrYWF0cW9XbURpQ2VKaDhuelRh
            R28wNGVlTndzcGlHa211NWxFRnBVd2MKLS0tIGhRNmkxanBndjNxTWt1bGRIaHJr
            NFU1eU51MkNDOU5jbnFSbXVYU2cyQTQKxGGn9gHuxY+1L07Ouq22dvZMjF6uLUFI
            GxlyXcV9Eyrz7AI+tliNf8XWULsixcGQ4wAzvAYOoT8JZ8CiWFd7LA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-22T11:05:15Z"
    mac: ENC[AES256_GCM,data:6WsLQi7a3YNlx/1YnvnBpt/6VpweZNvIEh77GsScWkSs4PqmIw8mDoMelcCfk8tBNJyeYwlGC2OGIcosu2j6YzQ5R4EWXdPE1P/yyAn+ISB90XalkSTI4ENInrDObZvcDsI5YnnOoKlE/SAVwW0kKCLgEwd+KPeWzmPFGg/1R/A=,iv:veISYuAHivnC3KdMqJ84zUeC04mhlwSsIn2X55bSLL4=,tag:CUYKa6KgmDnw6y0dCNk4oQ==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/clients/mees.sops.yaml
+++ b/secrets/clients/mees.sops.yaml
@ -1,38 +0,0 @@
 #ENC[AES256_GCM,data:nDHmEIQrxX1Pu11WWGfMyNo3gyhtySV0vQ==,iv:gTJ1bYCQ2DZtqSOTy4T3za5/O+tnHxcAuya9UOIcf7Q=,tag:e4fwliLES/Bv5DeACcjAAA==,type:comment]
 #ENC[AES256_GCM,data:ck1Dp40dTIZ84ehfBqIEZd242WMzBjmjqOgXMyfdf84gn1Is1xY=,iv:j9sbhYriH6qWWI5G3gw0tTS2NtjQX3wU40A99FflcGA=,tag:hU6UPt1n7QsB4ziLx+7Zog==,type:comment]
 #ENC[AES256_GCM,data:lx5ejDrTXucx+hg5tqhUvpqxT59avA==,iv:xG3VE978h/itkDTnQdb6eFFkiTx/hCHHpa3FY2wU+Og=,tag:pnX5T91NgzYXKOmph0gMcA==,type:comment]
 client_name: ENC[AES256_GCM,data:wQt0Xw==,iv:geKwR+D090w3Z9cYz/CXtkPxl63/TbYgNMoQw874Y7k=,tag:0JaDBDVHtdVO+SrO5uEMCg==,type:str]
 client_domain: ENC[AES256_GCM,data:zvmzOyldRRKq5iLqQvl5Vw==,iv:P6/bTwdkOkjYNCsutAVo0EReIepDo/hL+XiTFaoHeV4=,tag:cyTr7kIJ7wQa4HV3rToO3A==,type:str]
 #ENC[AES256_GCM,data:DtFzZfzpBcTQTDC3TI1T4auritGFQIUE,iv:EuoaqcZX8jWn5X1bIsnmMaNX64QexVkLw2rY3EdIJ20=,tag:20bcj0D4UCQzj86ysDg54Q==,type:comment]
 authentik_domain: ENC[AES256_GCM,data:xg5NwpJJvKgjWChjRbhb1JQUEAHf,iv:ewb05t2dHqgVcQxQXpsjYemWWq5mY5XiyP6HtCnq1I8=,tag:PD3wNOw3HYHWwy0epmRDlw==,type:str]
 authentik_db_password: ENC[AES256_GCM,data:J0SfjEIAThTHoch4r33Tpd+EE9gcTagzIE/RfQ2jm2UUweg47/QH1u6RyQ==,iv:WC6aapw+m/jX0sjhNtSfi6Kd75Fr5YUduj+G4+4STDE=,tag:Mkl99nCwb57SI71E62g2HA==,type:str]
 authentik_secret_key: ENC[AES256_GCM,data:5Ru4q8mccdW06CXzPcSSqMcKhE+CAczwytt3Exb5WL+fub6472dl8zTQNQ==,iv:2eKh3o8sfG/eCgnDQslCMLL0RTQPDG4HQJgsihqkhSs=,tag:8sdP1BDJMQ5P7cixm4iyBg==,type:str]
 #ENC[AES256_GCM,data:Ga3iv15rbcUYFnPAZFZha37LM6jBJSAwUC69TjG7K4pHQDRHh/zd1dO0ajiDACY=,iv:Pbbqlfdtts7e9QmX9kG7XT706pmUJ3tj8zWsUWSJrgk=,tag:vxGsVR5AY1wg1beRGGry2Q==,type:comment]
 authentik_bootstrap_password: ENC[AES256_GCM,data:h/HeW1PwVSJtMhbL+ty2b34E+9sfAN7smcMFsfF1kC15rUcQ4/940Owr6g==,iv:WU4tqoArtyftsy/uAdYs8hfYpb73YXLGm3yu8wOMc/c=,tag:rvYAUsdBWZYwb2Cbg1huLQ==,type:str]
 authentik_bootstrap_token: ENC[AES256_GCM,data:8wp7ZsxJK8fpyMd0iCw27FdTd54t9eDWF35O6oQ8pCz78uDO3MJbgolRdqlBEA==,iv:O5d5P5epsLdP6wxf8cP7TXqNGhbJnZwxWEZ976TxNj0=,tag:HraY3oocXLyLaOkBjqeQ7A==,type:str]
 authentik_bootstrap_email: ENC[AES256_GCM,data:Myu8GgKcO53boxzzhmV2E6QY3MgCYA==,iv:c7rPSZuCAbHtRwV9y3UhcR7AP67WcKHSVMVybsBdRi0=,tag:rCT68PXIGdi7EueTKyEG/Q==,type:str]
 #ENC[AES256_GCM,data:WJqMdpKOg+zsX1ASUeoqspYKJxHMeCFW,iv:IfIZCIDcx65BY6wXp2FN2E9l9viW4vTWreLnuUJ3Zs8=,tag:VExM0tQg34RqAzLgGiLXYA==,type:comment]
 nextcloud_domain: ENC[AES256_GCM,data:dxYUrXI+eJZQTxr5h9QYWs6feN7iWeeF95w=,iv:H7C8wi46eERpI57k5vAyC4AJDsyyp/R+TAoDT/DGXpY=,tag:sHGb8/WUAiO0o4Krrp1K2Q==,type:str]
 nextcloud_admin_user: ENC[AES256_GCM,data:c62OMlM=,iv:tg0Ij2+GNLMwCvqSDkxbdhHbmFPtMb0ZzRMwJUIxFsQ=,tag:20qJfwFGy+G4bhJdYU3WLQ==,type:str]
 nextcloud_admin_password: ENC[AES256_GCM,data:i+ysZEftt7iueQGMk8vROi4iwkfb926Xj5q1O0N7AlDVfyKS6wt1+9hMyQ==,iv:JG8cGdRFUKE2qEuy8QS5U4ZzZuZ7ie6iE1XYn/Kbar8=,tag:wpPi1qCPcQXtrBbkSVZ31w==,type:str]
 nextcloud_db_password: ENC[AES256_GCM,data:cB0dHH5fsDLylnjB24XERpCnXZ//ailF9REEobhyHsaJRzA6LXUtfpO/Yg==,iv:QdKCF/RFJLbwYIeztkT++y/1EPA1HYZwplxqf9u2ST8=,tag:ckIBUQ2oWDUy92QqlETuHg==,type:str]
 nextcloud_db_root_password: ENC[AES256_GCM,data:yYDL0RHzwAM408tUyreIu5vGQcs58pLbReUqFY0MQ1fKBgOVNlBpF6tWPw==,iv:kG/B56x/Gh2leopPgIFdfvJQ0XFWlMrNQPmvzhTfDnM=,tag:HPpsoQGv9ApVGcDKQ3JPjg==,type:str]
 #ENC[AES256_GCM,data:eHzQOLm/jWa6QhUi1zhZCf+s/D3sABuVbMmPzXw=,iv:jyTY6YppOMyZbbKzLcE/fxCaFV8Ua0Pr6xj9WnIsNTY=,tag:0jk4nmcIBziBPb43+7YskQ==,type:comment]
 redis_password: ENC[AES256_GCM,data:zPswVPsKFMl5FlOzSof1Jn6qDCA77WIBCeXFrm+mR/x6sDDInfp1jTWnsQ==,iv:I02hJFCuLkFYwBWgkP3lQBkVxX49BYYVPzCMBi9QxCM=,tag:1rc5zrmm8SErEhiORVXjag==,type:str]
 #ENC[AES256_GCM,data:jpXkEZB0CrHeFNNBbEjzyn1hXPpnIqoTPEtkyjaukBc5F5A/,iv:dh5h4H4ZkjcBbO4BX1M04uNn64V30szSPMBvY3Yx3IM=,tag:bDyIybKZajGd84xM3AHFrQ==,type:comment]
 collabora_admin_password: ENC[AES256_GCM,data:QCGMIFOM9w3ZdfHLOEl4+WQU455bk5ln6C1Bs3P7lZ/mIVp4ltZQUY9UfQ==,iv:8773AVMUj+SxLCqQmP25onnlTBSCjsHMqQUAnopNpIc=,tag:hOaCO0pGzu538WA+lB1sEg==,type:str]
 sops:
    age:
        - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5bThsRTRXVUJpM1l1eGlT
            YXdLankycGlpTWdTMXJsYUVHdFE1K0tBc1NFCitLUnVjdlVBK3poYzd6L0trcDZi
            TmtCOXdHWG9DSTdYTmFOVjRvTUpWYnMKLS0tIC91aWgvZVIzaEhCb0Z5TkFsa1pI
            UmRwMjhqZTZUSDFKZloycnUrbGdHTVEK0+u+Y3FRNT8My2+xRY9Lnjv/GHamgx5y
            /mzWgXUaqbAwgSbHBKMjh8pIHoaAwDY97k6jvRUZ2Js7im21Aq+qmA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-21T11:38:58Z"
    mac: ENC[AES256_GCM,data:AgPn2dJmYDIKji1NEmQxbCxWnUwnS5/h/+k7uB7QqGwfwP+jRO3Mr9UW532Pn0UxxjiVHFByXMmiaf+QiFjE5+OVgmMOh2OwltbIC87f4NVeGb4SusFIDFMAPMBWIHremeMwIAztGhtM7dwi2EaxyyHsiaaJYtVkbmzrnFhH3l4=,iv:oKOvax++BObkUX8E6ZIlRpYpKirnqy0DQx+qrceT/eE=,tag:NEvnbyltfaY333rzF1zGTg==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/clients/mol.sops.yaml
+++ b/secrets/clients/mol.sops.yaml
@ -1,38 +0,0 @@
 #ENC[AES256_GCM,data:RdqH+wYWCgAVstaIUfbRv96cH+RrxFHh,iv:0Q5HV6Q/bg/oS6KtUBGjIyQMw8Zgty6osDh0oc8ipMA=,tag:6CzBxe9kN7Bf0yCdQefALA==,type:comment]
 #ENC[AES256_GCM,data:CqCuxZQYtcjnI6gptclKrAAeRUctw4NtHLydoyDdrqYuXTKwHZs=,iv:+EJcbrL4sW2u22VZ3jsetOnCimPpftQ07OLf19z6++8=,tag:+3Dprdl79C1BZtOEF0Ii1g==,type:comment]
 #ENC[AES256_GCM,data:fDeInmn8uIqJlBMUEzM0jBHh3so25g==,iv:jHekZqvM7G/93Bg3+0SAURNVh1pTbLmjMvOh0CXmTFo=,tag:HnRSv6MYdfa1Pqbf9ywGTA==,type:comment]
 client_name: ENC[AES256_GCM,data:W5+k,iv:fq1/jwCzgkqPPdBb0ZD8mKAtOGCSkfTb2H9xJaRpc8g=,tag:uL9WCnsfybaT9nUCZRWAGg==,type:str]
 client_domain: ENC[AES256_GCM,data:1FlFZwI9RcCM5yNN8lKz,iv:j2+yQ/ipOHXv5a0mPeoXOYqZYpew3/cxyL6i2x3EtDQ=,tag:HdoJ19j+Tg9gGrGdi83GZA==,type:str]
 #ENC[AES256_GCM,data:Qp0bKgcF/I3fmkzQLYVgmNFZGo7K4na8,iv:LLNsKjHmTnTvwVp8PRsWGx+kgVlP+KMX+1kUF+BEWWY=,tag:L/ON6Xd+2LwXxQ4N2rd0iQ==,type:comment]
 authentik_domain: ENC[AES256_GCM,data:dxG+fMJkp6DWw0YyFcwy2ybrmg4=,iv:y/n6oXUwddMfrh9GelEfcpvz0w/L0oLS3OEDlurxkyk=,tag:FPn4NGstNO+/zxKIRujW+A==,type:str]
 authentik_db_password: ENC[AES256_GCM,data:qZenOCjcUeZezRD5KbwMFgGd6Bp0pJs85NwUcZKr9ZCVIVz0sK6IBthR7w==,iv:IBe2wdaEa+5rBpV5tnViviPJnlSKn7WaAoPe7/y+xpE=,tag:dO1PV5Ipb61RITiyq54jxA==,type:str]
 authentik_secret_key: ENC[AES256_GCM,data:2K0ZNdyI8SQ0xeEHOe5Rgmtko+bQwd46pYdxTD798r/ngtT+m536PMzuGw==,iv:ZlvopRCOjx+dQu7faD+qYhKqkT1zFcdPSD1c+CNQMoU=,tag:jF0KgAXwsdHZ3m2TQRt3SQ==,type:str]
 #ENC[AES256_GCM,data:O0Mvr5fB5iJMxjr2HxRYEFN+ErzvHYH/t9OPmasX0uoH8zC8bdrn85q3S2QkuGE=,iv:bmut3zKKAMl01hHNj6bY3X6CtzeDjKxx9AquLOaZA88=,tag:KN3VH2f1Ndtq4MRqhFCGzw==,type:comment]
 authentik_bootstrap_password: ENC[AES256_GCM,data:+hkED2QPS4DI9WrXICe05unKFa7t/vfwgWW7LZFU/qt4g6Td+JyIRiXMXQ==,iv:d7y1w4Znh5dqL5jDREd0HSoMBYjaCkpkjpUu2yMtVJU=,tag:cXK+yC+6sDWAmJrSiH4JKg==,type:str]
 authentik_bootstrap_token: ENC[AES256_GCM,data:qKcmlg4yGocun5azL3psNUGvgdTSCY9qI4qcJAoRkbZiUoM4qtQ9sYLZNmFkew==,iv:Vq77p4d0Ts57McXm5T9hPt3INBRAToxNpT4jbv8ORzE=,tag:OzpbZvmwws7wyWXf/91W1g==,type:str]
 authentik_bootstrap_email: ENC[AES256_GCM,data:tLFpuy2pC4QBPmLOo7HTep7YPi3t,iv:6Jz7ORj12kw24e3RvTZEQI6h4Fqj7cN7e5ucNvbMtvI=,tag:t6UI4RdNTtsfIdArzoZ5bg==,type:str]
 #ENC[AES256_GCM,data:6GO38RYO9CeicXN+AqbMUNUAU+cxOdTF,iv:WuhMYR74Lk+V28wIKJVXigeH9kuu4IWAWXtsacLGDv0=,tag:1Ec6KJq5G2tzqzWwSrzLGA==,type:comment]
 nextcloud_domain: ENC[AES256_GCM,data:0t9HBZO0c1Q5996vhRpcKOgaW99RXY0OBA==,iv:5UgZu2r3ng/wRmv0pQWom7C/2Yp0KsIdE2m6h8asIIU=,tag:QtmCdmmkS8ZkUPjEbkeXdw==,type:str]
 nextcloud_admin_user: ENC[AES256_GCM,data:qavi4rQ=,iv:4vZNZSyPrKfgiEmhAvmS0g6+mkQhhXB7cIVu1UHYDWM=,tag:k7PcSi+cIV+OUrfQJ2zXGw==,type:str]
 nextcloud_admin_password: ENC[AES256_GCM,data:ijbkHPbCFNKQzcKb5pKNhNwi3loqap4+hNCJXryQHvQp+ANLjDKgpJEmWQ==,iv:cK3hVTvzDIektLJGvZcG28pv/j1STWcHjZDW+2WDeXQ=,tag:yNeK7k/oWjp5n9c1SVXB7w==,type:str]
 nextcloud_db_password: ENC[AES256_GCM,data:Z6d5EatnFo274B5p+Nvm6RJ+ZrFPXb4hcIa1w3Sds7KiruBUTO5gOaS6LQ==,iv:XfzBxp3Vx41imjj7r2b0qlp7bsNd8xzfMcFpTj+vhIM=,tag:b5ZYfiNnEiyMNHA7PKN9fA==,type:str]
 nextcloud_db_root_password: ENC[AES256_GCM,data:f/XTZ2Qi1436d7sAlxTwblI7C+RDCXci2rEpOtjFkQ6AvzJh/Glnfah+6Q==,iv:VIvUU/Xg7hdHM2EL28L5J6dMNq4Ja3aAqz4AqYj5coA=,tag:S1wlmhruRnMeK1CcU3d1UA==,type:str]
 #ENC[AES256_GCM,data:6nio7dp/aucjQ90gvMB2vtp3gaT0fGlpHo43JF4=,iv:X/J0/GVAc6r6iibkeF75+rUNho+QNrogCf8Z1ytZmVg=,tag:l2Z3qJHpa57uaH19Qam7aw==,type:comment]
 redis_password: ENC[AES256_GCM,data:7Y5aJUlLRAflGnwfAvVmuRsMSFf1BuX4wqttSUBH2pd2Xo3ni/sUzwFwcw==,iv:0LAtF5Ok6DMXQs/OdPNClkX6KoKmgHBgDITzLJ/x8i8=,tag:AC4IdGdXQKtjj/TNXJk4Pw==,type:str]
 #ENC[AES256_GCM,data:hmPRuxO2AUuutHtQFzCVIwZa89QefbPwoy8J2BCvyMcqwdnk,iv:ttxTseQfYHpC5HAnRbQ49kOXLrAURsB0S85+AK/sSWs=,tag:Bay5IyyPbc52Ei/Yt874Mg==,type:comment]
 collabora_admin_password: ENC[AES256_GCM,data:/YRfkl8HNjzaWGsjKr8X4j6kQqQ4BisuvcSiCWkI0M4FnlrrS7mjsIfwmg==,iv:wRY623bkVdilZl1KO0NpNrW+1WVOGCQmFPuHKHQWUok=,tag:x1bIVqiiKNgbUbWnsTcSbg==,type:str]
 sops:
    age:
        - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSMWVIajJsR1Y2amY1aEhk
            S2hzMXZxU1p3bXlSdmkrazlKU3ZMM1dGSVhBCnJST2QxaWhHOG4wV0NVVnp1VXNL
            Q1RpWTUzWVFmOUdEcjVPcUFxa3hPcFkKLS0tIG0wRGVuVldoL09oMStnMWhnZ1gz
            SHNhUjQxUkFUdVA4dGVvRHlKWFprSE0Ki4fdUq6+Qo94Agl/3/+BQC+Nv+TTNhzv
            mZhzHk0eNJBbnbMpF7iGgupmSFb/i84KuE5G2d37d2WLAoyGXfvong==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-22T07:17:12Z"
    mac: ENC[AES256_GCM,data:JplSf3ioj3e7c/cSItAH3celI47WChGs4f+VyEPPoka5aYoBfFghg9pLAK/G4Kfp9xle7ePQiskf9kdQtchmT7AdO7KhzI6/5A4Sqd7nuErASE6WXFQNzUT6cepeUO8/bmkUajkiJLkNM27taVgL1JaK/yf85jU/NJa7q1DoUbo=,iv:oOQR85sm+7ZbXW6h7jhHtP3COYOH2HAVP0aauVualeY=,tag:p8ov1f+F5O3dhysrsjipBQ==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/clients/mus.sops.yaml
+++ b/secrets/clients/mus.sops.yaml
@ -1,38 +0,0 @@
 #ENC[AES256_GCM,data:YZA9R4wwAXnkrXNFaaT0omEYVCB7kk9H,iv:QsxsOjBOFrmpYJK/2kcV2LSA8ceYoepiSnKIHem/rQE=,tag:bRtBKlFBhpTMKN4AB3eZ5A==,type:comment]
 #ENC[AES256_GCM,data:un9/ID4C+fJ6nzFLT0ycrrcdZlHi32eC/NUasU82WtJUTIA03FE=,iv:ryjN1H8tMmkG9BZf2Y27LpF4SzqiUjYlMmLyvX0zTNg=,tag:0j9cG9Y8MRbQVMLJlyR8RA==,type:comment]
 #ENC[AES256_GCM,data:aAWxqRPPzOaiuvEsoZAqrzAzA3eeTg==,iv:yPjRlrXRWJsefXaWUEmaAvRXL96qKKAX2iSLVojzyzE=,tag:K9hJsHIsE3SvNEPqb+VnBw==,type:comment]
 client_name: ENC[AES256_GCM,data:FQJ6,iv:S2SrrdpkQKbN3D8a16U5dfiyu9hh51vsfonBYrHjM3c=,tag:xKTiG+Xgw5YRfmYKU9U/KA==,type:str]
 client_domain: ENC[AES256_GCM,data:8QS0uin4ACeo0FE7P/u8,iv:7rle27f1LTWhwjL2M2yj/0L9HGae5nl72YaAQqJrVi4=,tag:W1VNH4kcsoaWiFVPrCzcDw==,type:str]
 #ENC[AES256_GCM,data:KMngZdLTSg/jkX4gKZVIUoDavjj2sl7e,iv:93G1744rfbEm0yrD7IezXZM/dHSN8M7Txzj9rO5OVoU=,tag:1M/dOckZVIN6Pr2ZXxmWCA==,type:comment]
 authentik_domain: ENC[AES256_GCM,data:7kY3IQuzvK3qz2IQv40TkpL5na0=,iv:jZZRvz/Z1pAUHFmBjuTN8Um31ikwF5po8Wxi+iDAuMc=,tag:NsDoCYO2FPWqE9hD2oJ00g==,type:str]
 authentik_db_password: ENC[AES256_GCM,data:se7eQ0H5ZeLWFpWKxxIiLcfjdkoeP4zGoRlvmK9/u2V097LOq1qd4tCEAQ==,iv:5Sx3wFmOZjPi086GtGz1+OGz6NHV6qI28+HeeI3YBeQ=,tag:51dNJyRSwsHsz5ioY9bmCQ==,type:str]
 authentik_secret_key: ENC[AES256_GCM,data:BvC7iQvyQYAeUnF8+bcvULMn0WobUl4E8ITU82ih7LbiwIKvEEIWai6GPg==,iv:GCWiwaCU9WNZY/m1DuIKGvTBPud5MwskGKTAZWh9VSk=,tag:dbdqFg17NgjU3S2vNIYPEA==,type:str]
 #ENC[AES256_GCM,data:ExyBmA/Ulbw/LqJ6PZVPgKZfoqkz+dv3wuOQF5vkWn0dh9skvO9soei2xzcMmdo=,iv:/ILkjORzZrbbPIIHQ6Tc5RUqv6CELpt1N58TTH1Njrk=,tag:el/HVmO6olMDdGnOBn6TaA==,type:comment]
 authentik_bootstrap_password: ENC[AES256_GCM,data:GuIxtvuktBkr/oUJxXN0RM+qk+3FcfrcOGZ/ewZh5n8wfzIN0Y7K5FwW6Q==,iv:3JZz9nRPcgZxwIJItx5vR0BUDrOhBegp8YluUhaA7fY=,tag:TFuXV4WSYFQgHkwpYAYbRg==,type:str]
 authentik_bootstrap_token: ENC[AES256_GCM,data:+qdNWwFFuv0DvTUDFkTQ6H4VzZdyxZajMuahT4C9CVIw6ozsNaR5hqLnr2yMAQ==,iv:2OPzFT8a8X7thPx+UghHN5AyG+7YTaBCs7JsNab8L4M=,tag:YgyidHgea5csHjsnF0IoyA==,type:str]
 authentik_bootstrap_email: ENC[AES256_GCM,data:4oppBPW3/0IVczASXStlZ5pkAhuh,iv:fq1x29fkVHLAD/A0jObrajfvW5SJdkn1plWuoT15uAU=,tag:4p1GCwoeUm5YTBV5h5vdKQ==,type:str]
 #ENC[AES256_GCM,data:J8pXk2AS/DjJITzESevYk5bwmOFk7aSk,iv:MT3TjZJimnMREBUc06awyRo6MBTLg48AP9FZ9kX0+oM=,tag:+aLEod6hYLYpxF67i3hCJg==,type:comment]
 nextcloud_domain: ENC[AES256_GCM,data:SzcFMO0GtLbOwY5FDxRNYHHwLKnJj0+Nqg==,iv:hgfdMbpGbETRHxfHqZibXvJvJduSbT4TR54gWrjpIfI=,tag:cTIO+DvAJKcMtKLT/ik3Jw==,type:str]
 nextcloud_admin_user: ENC[AES256_GCM,data:5LAWcsM=,iv:BnPPE/MpwZaRLKbdjrzelFN/Zy8kVwg2IcXNH/TN1rQ=,tag:wKHdKhK1d+anvDJwT/28yw==,type:str]
 nextcloud_admin_password: ENC[AES256_GCM,data:TVKosO9LqXW4DPxEdRQh13b2BDWAdclZXEvQ/dRBmCGIEcAlXIrjK4weyw==,iv:OrTQHZUrlyYHl/JBsaeK1Z3oOuuD5gfUlIEvYmU2KkI=,tag:KmA+hO48igHoGmaPAOGHrg==,type:str]
 nextcloud_db_password: ENC[AES256_GCM,data:VupWHMWaROOv1j7lhNZQVSSuTub78Yug+C3RPYcaGAS4Fhik4NPRQihbGw==,iv:OoSG9L7i6inI89l0d/JnItIP9laIwvfaj+9tIEM+wZY=,tag:xijIIdvKQ+nQbzbSaD2ggg==,type:str]
 nextcloud_db_root_password: ENC[AES256_GCM,data:TgLuo/AU9tKl2m5MH3AmhAUjjeG99DXuQdUpEdWPEBb4HJe3J6RhJRNsfQ==,iv:XyQuePKBDIiGsfzkqC3UgLC0/4C7nL2jtvVYKBt/quE=,tag:Y3jxROi15R0N4hsoeqHAlQ==,type:str]
 #ENC[AES256_GCM,data:+7Cq3d03lCXJMyNaNGpI3U6AkcSFAXc+Z9nsQ+Q=,iv:jRoTC7rMhlKJl6GqTYkvXEO2QWAOCudETcDziesKns0=,tag:BImFAcuYvcLFPyiiMmN/sw==,type:comment]
 redis_password: ENC[AES256_GCM,data:q2jKUkaVg5iMbVeTe8rRWui+A0GIoHOEk+E+FpKy8u3R1qrrr5EEOfuDdw==,iv:alZjGn3kTbcpNs6PMyVZGwRTM6L/TIUQZRDIAz2uWog=,tag:OZpSrEECmJfl8UDklNWd0g==,type:str]
 #ENC[AES256_GCM,data:DZwggOPEAOWxDa/8qzlW8BVk6SHCWHucZG/v0FbTdX8/9Apl,iv:EeXq0gfuF3esJZeosA6RL2TnYdS2zqCVFooJwal07JQ=,tag:vIwTJ3v3aRSxvpu7Yo2ucQ==,type:comment]
 collabora_admin_password: ENC[AES256_GCM,data:AUIUtwM7H4SYEEX0rSisIKNIDCNFlg8ePuLLWBXoXoMcgy2dW4TPCBfLTg==,iv:um3LiQ8uhFtjvbyP6YD4/z/7+9qVt9XG37BVJNEZaAE=,tag:9XA6CfXCCTDUxjznEuRO6w==,type:str]
 sops:
    age:
        - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQ1ZWRzErY29jM3pFMTc4
            MkxoQ3dHNUVSN21jOTZsbHNmajZnRnVKWVFRCjdwMzEyTi9hZzkrMWl4ZTJ4RUNR
            c3JtOEIvOEZITzRDT3RTT01ERWpJbW8KLS0tIDVQVGN4RTZ2WDBWaWVhTVl1Qk0y
            QXhMWlRQRTh6azhSMk1LaE1UQ2llZTQKM8ldB0EFiYxPAQLGnTVxo+MDdoDiqYIx
            S05IJoSZuPbBA8XnQHbzndkpJjF9GI3sfpZLqaSoqotuBFJeATsymw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-21T14:00:17Z"
    mac: ENC[AES256_GCM,data:OhwwkRU4Of5jVQ52ttIQcRAPPvsIU35VOZOoL4tuOPTgtCWtJTCT1ZRXpL3QTDK+YoZaggktGxisQBbv8QD9ymXBT46EEf9GZHkW499fpJlCAmPwNBYdAgBStOJU4PYewPRsrAWwCqBUkKln+MlIhQWXk94hqzd+i3NnEa5IXUc=,iv:rH9Lf/BeMa3ZoUfkKCxY5wCoI+ThuhdgWX1QdP2ZNMo=,tag:7Bhifb2RldBUetttNphtrQ==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/clients/otter.sops.yaml
+++ b/secrets/clients/otter.sops.yaml
@ -1,38 +0,0 @@
 #ENC[AES256_GCM,data:RGF9yorvXzWMSWdhscxtn5C964XA+/IkfgE=,iv:yAjY3CrAjNS/JlZbrDdK4OMjfh3uyO0+DPYRW8l7GYY=,tag:xU94y+pyC3/fSF5b5vWMuA==,type:comment]
 #ENC[AES256_GCM,data:yknOZn2UtlVcGsIKrLvRbQlHSbr0alQUrhCgPmR+97NV8D2cm9c=,iv:KYJWVBfNHj2KtSNP0e5eOx2hhakZwfspcP5LUuayQDc=,tag:J3gL8A3HDFOLjmdBpS5DbA==,type:comment]
 #ENC[AES256_GCM,data:fxDy2AK9zP+igk1rxc7GcbxOkE5Zzw==,iv:FUMvH9VwQGLBKB68Wg24bwBYc8dY04hJc6P293Ma31w=,tag:e1GxGh3XW7UPbaUVssxCrw==,type:comment]
 client_name: ENC[AES256_GCM,data:tv1fhY8=,iv:cAMyIDjZsel44lfZip/JlfnKzkbATxYuwW+ByYkG658=,tag:5Pl4Rls+9TrFAYswPPkXRQ==,type:str]
 client_domain: ENC[AES256_GCM,data:p4f90ADNdeycGby7rCcpWCU=,iv:jfRw9oG5Lz0sY5QzXAVdNTnlQOPw/Em4mBviva8nA+M=,tag:L60czr0DNFrHP/K3uDvTuA==,type:str]
 #ENC[AES256_GCM,data:PETVydzmEI8h5wmrpCijpL6DYXM4cIGz,iv:05CjqutrdhemcRwjVUxrXIG1aGYZ0wGvP9bJxPGsZkQ=,tag:coJXV1wr48V87QzfBkvsHw==,type:comment]
 authentik_domain: ENC[AES256_GCM,data:8gQAjxcBeXUOIgY/dWZ7Nl4xXs/IJQ==,iv:0VhKsC3YT/6d6iaX7qag4YWZrnJn2M+eNmAozKo9Ry4=,tag:YNGgRsEIA4wjSCXUPa7iVw==,type:str]
 authentik_db_password: ENC[AES256_GCM,data:lSfuOczTbKp7dGgoxlLR258SNeNMUiYUD3ousLDeC3pTg9bpck6v1E+eBg==,iv:F1/5dRRVwPJ4NrwA3IPDsJtH09Xri1iBUqCCO9xpUs8=,tag:7I5K6FEUgj3XqwX3R8ukaA==,type:str]
 authentik_secret_key: ENC[AES256_GCM,data:+PSgNbtKleEUazMzt5PlhqolZbIntLj5GMGVYkvHoKsDzQ9YuGkN4eelMg==,iv:aHyQUjzEpmBEyGhjfcI/V3lPyVCvAk6R2V6Rig+rVgo=,tag:wobcHSmepivNf7giByLA2A==,type:str]
 #ENC[AES256_GCM,data:cH3ULQzHGDeYR+aa02YI26EaPMag9UfuzK20Y19p44SuVNwhVfXpOdI3Ea/hLck=,iv:iR2lvbQAmwwraZir+7T6uzduWIaI3+2frvg+Rwe0bU4=,tag:v/OSZKMkczloL/++NfCLmA==,type:comment]
 authentik_bootstrap_password: ENC[AES256_GCM,data:V0ua8jW/+jFiwu+VOvPYs4Pu+w1KknfMDdRboNZqDhT6juzvsyvKoM3vhQ==,iv:UZw8o7s0luFTtYkbPfUXPzEoeDcJqb16Atx/TprTT/E=,tag:irl+tNh3DDTyL1PTCCSzkA==,type:str]
 authentik_bootstrap_token: ENC[AES256_GCM,data:otHKwk1LhsMH0gBo69VYwYBB4Oqkp3ZJcWHt54iuQvF2OV1O9a5R8kpLJgSlqw==,iv:OaVW9c2XQJUNUIZTceUQXlA/+RnQbDEHIkAiPzNl+ss=,tag:V9pwQKQkSMOReGHJVrqV0Q==,type:str]
 authentik_bootstrap_email: ENC[AES256_GCM,data:CWlZIVwBxqE2RBTiGcIG1dujQgTCCis=,iv:lYb6yppkFGK/PANeCXY9+4ZLQ6cU9zL6YYMYza9SKeg=,tag:NAssJMYH+ErEIlHxKnBaog==,type:str]
 #ENC[AES256_GCM,data:0tDLV9dubxl47Q1YVkxpkCHI6Lw7xp7T,iv:GJutMJoIbN5aLo5kDSo68gPdGumBHPugXbdmNGSXgU0=,tag:/75Whr9APJ4b+f7L/iOAbA==,type:comment]
 nextcloud_domain: ENC[AES256_GCM,data:BG34MrxgOWpIrMZf23nTpN9DumSJ0hsUYFRZ,iv:NX8oFSOnUwB4Z8bTDgNnkFnoDW+QpOuvb6ytysgiZmA=,tag:a6JxQD1p2VqR1NMATXFanw==,type:str]
 nextcloud_admin_user: ENC[AES256_GCM,data:p6HrBkc=,iv:xWDx2c3w4Jbd68ZoR6coAefZUT4PVxiRMJ8Csr645H8=,tag:SAcYI4Nzs0Uo9HVRdwYeEw==,type:str]
 nextcloud_admin_password: ENC[AES256_GCM,data:lpn91mx/I4IU9pdQ7Vn+m9z3YZIMW0h5DcY1+z5xXG87wpa0mukNQxrm/A==,iv:GQLesAS3xUMkYkPt3OpLsLxXbvcU4FMwVWbK4vmKlCg=,tag:PhTVeiQY2jKiVVjzVcEpSg==,type:str]
 nextcloud_db_password: ENC[AES256_GCM,data:wienpLg+QkUbqazEfhosFqFH32eVSecef+NkBSJ/Xk8JbKxw9eU45S9IfA==,iv:74DE8BD01YaFj7MytjpCdfcks6iFvBIqm3hXZSHYBME=,tag:A7D6nbnG6ReT8sK8mS33Ug==,type:str]
 nextcloud_db_root_password: ENC[AES256_GCM,data:f4xjVOiU/wdNifENTGDQeCBFY43056ktFzOvzicT3YbUdUl0tgnwUcM1BQ==,iv:Ch1b1JbvI0plSV1mB9To21pWgwAD8E1Wyicra47GGWs=,tag:/yQ21BTxhTRnhsyK5euUSg==,type:str]
 #ENC[AES256_GCM,data:2AQKUKlnbjUXv7aCvvGoEYy5+xRiVhB6POOh+pE=,iv:jLo1cdid+6JU5+/XDb1EnrUIWMjs9+Fp/Gwn5Iq45e4=,tag:JMdlj6PbOnO6Q3UJgCGMiA==,type:comment]
 redis_password: ENC[AES256_GCM,data:oUlYFaptttsMM3rpfVveXuahz1ygBcKx1IV+uaCmcqPD34BiINVnC9E3xA==,iv:0nC/b42Oub2Qj7bHQRbOUy3oRsptAnVxaf7l9Q4ZOsk=,tag:PPF2LqXuVyYpkn09sMTRMw==,type:str]
 #ENC[AES256_GCM,data:7tSQD98CIC203QnJG5fG6ukCwuvIwQ4Pn3hocW2DA/d3hyck,iv:kGXiuxJ3WczmmGqw2MM4BUnP6wzYXJJlUqVt3hA81Mo=,tag:9tNp35S/A7J+y5wy2k4ykQ==,type:comment]
 collabora_admin_password: ENC[AES256_GCM,data:Wf/fuet2JGCv9Ise7lT8c/i+VVyUp1jJcy1PEafuDcJ6+usuHJeEr+Is3Q==,iv:8B5LOtypt3Q+KDjIBhAnbBa73VKOsJLjbvyUorZZPH4=,tag:YNeOP5USNDe1fW6/DIKUOQ==,type:str]
 sops:
    age:
        - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyQkJGRWJnVi9aMmZhWjFX
            ODBrcWVweUJ4NjA2S2dHQkgvWnk4NUZvOFFBCjlPUkY1VnJnT1NnTEoxRTZZVmky
            dXR0QjFsY2MwQVJoZnoxRytZTmpxejgKLS0tIGJKRk40dUNjRmlrMHg0eWw2VkZa
            WFNzNjZIRzBIQVdBZnVzcnowVkFLc2cK2FMHZPwcaEopR/wTqbhToPABRGNAr5qI
            KA5rlTPAeLWmZtr/3LtvlR4IcMwdJY9guwkjWwV6elp5lZ6SE/sKnQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-22T10:05:00Z"
    mac: ENC[AES256_GCM,data:p02A5wX3cvycCJiFLjPPnhMMTPHp6Ceo6NJwTjSNkIbEPKTZ494dFILRuD3jU5mmmplQ+uKosIgd0SBPXwvog6Wca7Ftfl1s98feodxunLtz0+A47AemmVxrCqKxdBa+OG26PRLj5j5K9eWHu6nzSiHA4tnWeyx/Lose3J70g30=,iv:ygy4Fjo4GPnZMQ6rVDLyeGE03hYq6n2U6zKamDTlnD0=,tag:IR2xLsR/KxxwC8kUEAfZZA==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/clients/purple.sops.yaml
+++ b/secrets/clients/purple.sops.yaml
@ -1,38 +0,0 @@
 #ENC[AES256_GCM,data:38aUbCWeuHrSJ4UMuLkuGj/eMnL4foaEdsnM,iv:WRv5ed/FGlkozCKw9f83fDYTCaXYfZKlA3ZlNiuaO9Y=,tag:DAvZ6c14PpfHtMbdzrH80g==,type:comment]
 #ENC[AES256_GCM,data:dZ/jzcuXlLT29Vb6U0eLmNIKO1EIwfrQoBh6kHQRkMEYouCupjA=,iv:C6azAP0KfX7OQGKasg0eq/GAhQtht8NeO9HTWicaX5E=,tag:xTXdUrImAAk4D5BWwYo2OA==,type:comment]
 #ENC[AES256_GCM,data:dRVGRH3SGAdzyG+Y/wGhWq0Dx4QqVQ==,iv:KiZmQKRW0STGHhxQh233fCfnJtmuImmNYk/wU8gOxCs=,tag:scGhi/prlmwwLikf1IYKBA==,type:comment]
 client_name: ENC[AES256_GCM,data:3zPrF0pB,iv:BOomPNbfc1x0KtrDWsCWfb2QUABq2FRRVi0gba1k6xE=,tag:zoVJLIYHM+VQaTwhKJ54RQ==,type:str]
 client_domain: ENC[AES256_GCM,data:Cr7GhZ1o7XdR/PB4HTvpNjFm,iv:7VmHONNTWfqJFI8A2r361xZgV0ecIopcrwuFPr/tM2Q=,tag:dT+JB+ebUtwwx168dctH6Q==,type:str]
 #ENC[AES256_GCM,data:nYF9G09Uzj7ivZOU/Mf/tlkid5meHz/P,iv:NTP6Rzy9Rx2ToBX60IhVf77EcJwQsCr4u/Yi+8IAiec=,tag:vxJFXANyTVKAnZTG9DzJMg==,type:comment]
 authentik_domain: ENC[AES256_GCM,data:oFBo59xd15xFmN7dAocZQGYn+qTn8bM=,iv:wTXbudWvFcEa8zsgsQJIzIAdutrFlHGPdVq2LXGN2U0=,tag:7T0F3fhba/eW4L6qSODbzA==,type:str]
 authentik_db_password: ENC[AES256_GCM,data:QKv114mUTyBVYzK3TQqp+7wCKizEEmnU7X+CMcMcsw/f2IR+Ob3qVEU+Eg==,iv:hiTHPIy7tosh16pesLjPl//bbNgkXcYGRS9TQ1fwlaY=,tag:fZQYu4Ctwp5zhxQC5uxlPg==,type:str]
 authentik_secret_key: ENC[AES256_GCM,data:DfuHQVIPDiczdsZYqa4Wn3HxjNSzvuL5vRojGaVBgSHCKwUlFRqOcYeUwA==,iv:8DMzp9kdndphH2lbEegkQedknDYHGX/YqJQV4LmIFf0=,tag:uXPb2qdO6UcY4r2tpHB9qQ==,type:str]
 #ENC[AES256_GCM,data:tUfzVHkvxXiQCUBRXyyXaVjZB1OUeMmSFS0RxgOQ4oRA4oW1fLZFOBYKq7SyeCE=,iv:lKOgWtb0ihbzxCedDKWVqsSEPA0g1fE7+jm2P5WGgRw=,tag:LKPP+3rlY91QtgCELERBfA==,type:comment]
 authentik_bootstrap_password: ENC[AES256_GCM,data:21yEgNsIvkXhM8BWYaajgUw1d+NkQbQyxB3DQTAjGjvwv27g9mvT5nlmaQ==,iv:iEqeWliuHa2QSsKDgeeincsimAb/kVwoTIbXcj9vAtY=,tag:OWW7xQMbeTUSsdXuCIqBZw==,type:str]
 authentik_bootstrap_token: ENC[AES256_GCM,data:wlht8BfP+N2NP+fU2NlKMQOOV0/ryWWbg6hBqBvXUYeAsUtmON7HKi+Jp4pSAA==,iv:kOuILM+Ax4YCrzFItI7z3MYXTK1G/YeCegRglhME9f4=,tag:OrmUvqPCB/8yLqk4IzgsHQ==,type:str]
 authentik_bootstrap_email: ENC[AES256_GCM,data:N9Z/UuMuKyz4ARYs1HfbAbWwA0the+74,iv:JpTmfqPlq9vO9otZ3BeTk8OHLHgW2bd6hpcy8kGGlW4=,tag:MVlDKPZkX3FIkmxANvNSvg==,type:str]
 #ENC[AES256_GCM,data:BQYe87BZnR8xhfWAaK7hdegjjWpwBEK6,iv:F5s3BrUOK0t0bH1VXt1GOQOEbfoKtGo/AsB52DsO+Mg=,tag:cew2DUJsdokcV7Gb+Apppg==,type:comment]
 nextcloud_domain: ENC[AES256_GCM,data:eRL9eRLVkPqvr80wI4O+FklLdJaq6ItjgEjDpg==,iv:sPDZw6JA0NyVF+QuoswagPdlbIiPmxAhi8Hes80UMrA=,tag:RCE2rARy055L+16nVdYcLQ==,type:str]
 nextcloud_admin_user: ENC[AES256_GCM,data:URnEwfk=,iv:DxGJh6Ja54SuKe0RktQHo+MblaUqpSjZVQ8WExTkvVQ=,tag:YQCpxxWzuQzF5phVMQBkhA==,type:str]
 nextcloud_admin_password: ENC[AES256_GCM,data:Vyfr0UHAcwgCcghBetom74cVUt5BknCdFFicAo8eSrnSpmkFJNLWzWXmzQ==,iv:dsvsJabbqz7Q5v1fhInHykZmQ9A+Z8nOTvKoQYCko0c=,tag:2/P2BOppuAPf/ouYlSnu+Q==,type:str]
 nextcloud_db_password: ENC[AES256_GCM,data:mhCb13Clcd7gPMi4eVHP9gBYVcoIQwt6ZrtbPYCWAscTWB9jai+Wafa3Nw==,iv:lfU8/bivrTknJhMpch6wvcIgiEVSin4LM6xwJCxMxIM=,tag:+RImMT1bWV3lHkHRj6ju1g==,type:str]
 nextcloud_db_root_password: ENC[AES256_GCM,data:m44Qx3K895lKRRUH0uY/lejQpscf+dE8OjaSt0kl2cc+7zFvLSrzsnZ5HQ==,iv:OOn8Olejw/PSSklz61fGPANF1HD5UfyJRUUx1C+LN/0=,tag:6nYNfYqX9GipaKeVt313Cg==,type:str]
 #ENC[AES256_GCM,data:6CaSumSa+TKM9GdSAbnIpqMHIahqsQuZJoK43Vs=,iv:EfBYYv9ua1GdVkU/+7bgWQUELtsROVBTeyUKoDr67kQ=,tag:dgWCqA9o4WJPZJolO4viUw==,type:comment]
 redis_password: ENC[AES256_GCM,data:BRIEt2oU1grSkfFTEQzYvg8dK3OXrL7DdswpIU4SeTvh/7fGRS+pnJokNA==,iv:IJCFcFj2N/NHuJm4CTBnOa8YGoNNa4KrAbdRatil20k=,tag:e3SFXDpyX5uo69fisF2aRA==,type:str]
 #ENC[AES256_GCM,data:C66DApdfqVNaYdrjKft+SG+hImN1AGEZvO9wIFygVQ6mqODU,iv:FLWB7Az7/As1POoMNmzOyk3vLJqDOrlM65OgOB//wnk=,tag:pBGTeOOvp7fBRMKr+hB7jw==,type:comment]
 collabora_admin_password: ENC[AES256_GCM,data:mlyj/bdmwdJ6aaXQ57JqgJEWwbfdVWEVudlM0XTlBrOjYdVSXvJhiUH+qw==,iv:lJHeJ+F3mCA4B2ZdCRAZdO9foYHWJAta776lqvL5CDE=,tag:9P1RMpfIcmzb7O2wAD0iYA==,type:str]
 sops:
    age:
        - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqbFBEd2ZCVjNMZDR5NFp1
            KzYzeDVhYUdMS1F0SzNoVXU4ZGc1bzBmMVZjCnFVRUxuUENmWWlmNVJtSjc1cDdF
            QjFCVHpsTzhBUmFrSXlQamtsQ2lNRm8KLS0tIEJxRktXTitkcG9wNnJOT0N0d3Qw
            YXRyZkw2ZEgrKzBQOU4rQWRjWWdZOWcKusRHznYQu8aNxA/UkA7mI96qVGN9B3Es
            wf28XieHbXJ6DXrr1ZB2C4FqE2VbQsahV7ugw+mHppK1va1x0bJB/A==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-18T19:25:09Z"
    mac: ENC[AES256_GCM,data:aUf/1f3LRTc3009K5WW5et2A4vnkigKfG3sYDRv5Tg4gRjwvxh4cuyKNpGfzKZ2UT99gAIt6ruCRD93BKVX8rG2gzK9lM77Z6vkuY9vC5HzVOtUA9fJauIWCib/rzczsHIykcoA/xwSBhAZjQmiWe4tpbffSI+GIUtAhfxaAZ2s=,iv:JCZFBc1nfMR1XK/WBJOKfOAiqG4xVJ1VXbZifdxWUUI=,tag:DmJ9SFboiXKpSVkA235qEg==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/clients/ree.sops.yaml
+++ b/secrets/clients/ree.sops.yaml
@ -1,38 +0,0 @@
 #ENC[AES256_GCM,data:gIRcxOP/qg8MIiSV4WmwUbIznmR2KSka,iv:2FO2bbQdWBGdtOAZtWHsTPszAi19KNmujnE9mQpb9N4=,tag:oOzj/o3y1mIfxwWDKsVB2A==,type:comment]
 #ENC[AES256_GCM,data:mnCm9JupBAPcHEvjXQktt+fsFZkfzOx3oWvlpeTBCmKn+cuXydg=,iv:MCKQ92FI193TreKAVMCqq2dGl/oufjnQyWHFoCZHZSc=,tag:/NH/6q83gxUGM2Ro+hmG4Q==,type:comment]
 #ENC[AES256_GCM,data:sq5tiGyFmL9cmNk9miQAxpKpK3NI2Q==,iv:PYBW97pBri5xj05c6aDhVtdGJC3FqpsDjX3Et97sZxM=,tag:l0gxPcWHJeF6SbO0eACaGg==,type:comment]
 client_name: ENC[AES256_GCM,data:iFTs,iv:iPYuRIKUNwi0Etn9XQ9T20O4rMDepUcy9gNZyusDUxY=,tag:m2Agx4o6UlIc6drkW0TI8Q==,type:str]
 client_domain: ENC[AES256_GCM,data:vYs5ulzRjbqWObShWSGC,iv:IM7s2D7LG81lFszYA5rAHheWnknU9ZWGfoxYNe8i2VU=,tag:pfnioq+O8jS04dhOF4N1wA==,type:str]
 #ENC[AES256_GCM,data:nH/J0Kg+BsCFQNEH3KrDemRg84Jw23r8,iv:Kh5u4cFXsaWgeiCQeQFYo2fKBFjkSkmiMHklJl3hRYA=,tag:W7OQVAgzIXIcrP+Ps1STmg==,type:comment]
 authentik_domain: ENC[AES256_GCM,data:qTpXb4dNmicZpGsU8N7f5B/ieI0=,iv:LTtaNrZAbt+iyXQaJ4uJpkhe3kUhwcrF33n9/g0HTio=,tag:AyON8B2RPMbICUK9Rqc06A==,type:str]
 authentik_db_password: ENC[AES256_GCM,data:kGZyqzuEu9ydvTCjeu/CW4eIBLdcB7lnJBhsSs8a2M01gF0GlcXRnHwi6Q==,iv:7k6ERzAzGhJmQZQCVoxwR0weGJq/ZLScUw/1ElBEvzE=,tag:dNfWD+hCTumZoXOvzXboXQ==,type:str]
 authentik_secret_key: ENC[AES256_GCM,data:61IkssoMNXlcGmfSxGEQhdzZxTJMRVf5AL6Ouv67UYrBhzag9zoHZmEBkw==,iv:5PcjNIetF7PXfzc8MU4yJwF4SYjqARq/sU3uEbQ3dQk=,tag:SNj/CgxvpVe5KWdQc4Md8g==,type:str]
 #ENC[AES256_GCM,data:sDc+3Qkq07eMjpxs5fRhKsB+2j2JMY/FI2ys/gXOGviSs/4h5RBDchD1qvgX0TE=,iv:Rh8ie43ecz2xPi5lkPa18OZI+J79IKmcaCtkGwPtDa8=,tag:dY2kgzjTOk7XkKZd4baZLw==,type:comment]
 authentik_bootstrap_password: ENC[AES256_GCM,data:qVtBERKUxq9EW/wmYMg4U+cs7WWwVd+D5/2PMfvCeOX7KPgrlhtfr0AaYw==,iv:X6Ov1oZUZ91bFHtii/M03zSknYTnSDWFepbDoMzeWIQ=,tag:nXqzbdh02E2NBPXE9y8AGw==,type:str]
 authentik_bootstrap_token: ENC[AES256_GCM,data:pi3AZJhKRagxYcp8JLtGt5oMmcFuj8cp0YM//9EEWz0fF/nySOgtrigl2a8ytQ==,iv:cjMjta6NGJOZgzlfvSwlsaurQ0iaczyIyYkVsYpsvhg=,tag:BltF5PfT1augEZmKmTxNYA==,type:str]
 authentik_bootstrap_email: ENC[AES256_GCM,data:0BA5EbwSH9/P0D7b8R1d7VaDY6Ir,iv:mLLpINemevgjhwuTMm+e7o1mfKrb6Pv9ZQEZ65/2+4k=,tag:p2DthqoyMqBJGze7wvogCA==,type:str]
 #ENC[AES256_GCM,data:ezJ7YXDbCcLDkYDc9dzji/vD5YRMD2wt,iv:MkkO4Ozv4Byrf1/yqeizpa1DC7I2iIIJTSyo0IRTR/k=,tag:tyNZ0owm/x5cXKD8i7IbUg==,type:comment]
 nextcloud_domain: ENC[AES256_GCM,data:OGHapzRRctsMsUHBlzO0ykv19VqlGttmpQ==,iv:RFLEh9lBv/hwpHp98bu3ur/KNo6QXKuxiuYKKUcHU9Q=,tag:PWXAqp4Mc9JxOQ0+wfgQmw==,type:str]
 nextcloud_admin_user: ENC[AES256_GCM,data:RVv10zk=,iv:Qa66fpmihV5p1qyB7W6C2IjKLCGzHLjqdEXKhSQZVGY=,tag:BkwrvymFvNSUIH5jkMhjaQ==,type:str]
 nextcloud_admin_password: ENC[AES256_GCM,data:vxiueQKP8Tl6pXgSRDaGvg2Jp1BUi1I0L71e2kYFXO07bZmI7gVnYrdjpA==,iv:2cD/3kFDuWkU+C/bUuL0V/iiZwMqd5wxUdYMdM7Usu0=,tag:uWmzcCj/JkshmyOh4OntMA==,type:str]
 nextcloud_db_password: ENC[AES256_GCM,data:XRdj3bJS3o/0lda5yFlxlaTg5KDbPI1fyOCmNJ4dHSIyJZ+hmaPJzDRUnA==,iv:IAifzoc157vsW3GJ2tXo26T+iG9hAq/jgeatM9sJTD0=,tag:49CcMLTYFYiMXBxkHJ8B6g==,type:str]
 nextcloud_db_root_password: ENC[AES256_GCM,data:LCMpRhQ07WuJiNJ2fg9CgmqG860odDeFD1Swsf7DzI3rRGAGlqWn2VMqtg==,iv:Ob2hMfwea6tXvyKyybE2wP7OYvLV3z/3hSAS6DPhxjc=,tag:XQ8beEw4p6EgF75qaUeGIw==,type:str]
 #ENC[AES256_GCM,data:ksmM7Fo7/QxVNblIW5uftrn6bKCCG2ZI0K3jaiE=,iv:3mEb4dMNCKenAszZSA2nuf678jMkuYBw0fJ3XvW/vJk=,tag:n+bBuTB+RqqYFEB9+4ISTA==,type:comment]
 redis_password: ENC[AES256_GCM,data:PpU+fCCUIZCtqH5KR+s9eDRRORMIoREmpJN4ze28IaIWikbmJzPwt3I5TA==,iv:E0610SCYnDJam8poJo8qIhGSEJvv81Lt+pCq4Dz3umk=,tag:+qsUYX6NOQ9uCGl+Bml/ag==,type:str]
 #ENC[AES256_GCM,data:Yas6EOkfe6rs/quv2zRCLsJvc83b0yf+LOLjYnL7r2NccrJ1,iv:nO3yFyopSAXWZnvtSq3kb5CWP7PvwDgek2/IaQM3TY4=,tag:sb0bX1yilniBCcyL7kpJAw==,type:comment]
 collabora_admin_password: ENC[AES256_GCM,data:rIrBM/5mKsnGLPuGAlpXii61LciD3bgzss+lIt1XEwXolzd5zvml8tM6Yw==,iv:+cjc6kjXAZDbWiOBGGo4PX9AhXpFydJJdZTMU8MvT6E=,tag:EEdqubCkUBdy9Xh5i+E9RA==,type:str]
 sops:
    age:
        - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoOWtPYU5TYnNvei9aZ1NM
            Y25zUDQ2c3YvZnFja1RpYkxkam1ybGl3aHdVCjdrZnhPd1NEV0tHL3ZXL3BEZm8r
            aFBPckgxcUtUM091NS83aU84RWViQmMKLS0tIHFOakwvb2lzTHo1Z3ZZTUg4cXBD
            N0tyUmpCdFY3TjJTcWJiVEVyQ2c1TG8KXD75O122N77kGjUl0WL6dugwtRwRVsgN
            GOylW/g3Kl4ePkcb/psTBijvBksA+J8RN5d/LaOJB/DXu9FgaruwYw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-21T11:11:40Z"
    mac: ENC[AES256_GCM,data:Ipf7iHWpgSpaPHYRMw1n3sbWzKsvwTv+WkQhQGCnTwCfWxxgWVWM7RVND+D+ecOXf8BAxJ153ogROfhVvz5P9VRkjX+nvYb71HkEqCQLg+1HmPwNRVcGbWdqph3ocE4B42rjQfwVJjuP2x0GD1rOU0y7wA+sMxm78pRKhqToC+4=,iv:HQVooZSG+CjnbtXB7X1KOq9nrUQICw603c9fDxD0k6g=,tag:2BDv/GngqC89XeohV4PjoA==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/clients/specht.sops.yaml
+++ b/secrets/clients/specht.sops.yaml
@ -1,38 +0,0 @@
 #ENC[AES256_GCM,data:yfNUU9guJh/zf4LqdGrRtSB5cZpZLsyMIxzk,iv:bJ9Sqjche9AB2CGdHu3Z5mQwy1n+7aFWllm3fbr5xO8=,tag:Mh2KgNDjoefVsF77HAvyfg==,type:comment]
 #ENC[AES256_GCM,data:EhKZmmMpBg0rA4I0ITQ6/++Mxm7ekjRKdefMyAxWUvWownuGA3U=,iv:oAtFWzW+QVcMnnQfE1bKXM1nlMSwA+JXL/LB8Es2arE=,tag:O7t8iUDS2sat0UMhDgjo8Q==,type:comment]
 #ENC[AES256_GCM,data:i0/1o1cdM4HfoSZzuQpdnQICHIqISQ==,iv:tAVlGFWLNdAeKVmhW24PkTiaa9DCGddprv8N1ydz+js=,tag:uwso4BMb8xt/5smIhLvNnQ==,type:comment]
 client_name: ENC[AES256_GCM,data:7LGt6kOx,iv:tmK/A+ORo2HbS50n4k1tg46c3M6UMse/8IqXP4w+xN0=,tag:VpThKw/7anBM2+eBVOahxA==,type:str]
 client_domain: ENC[AES256_GCM,data:GImwXpRaS9ed33w4jLYfLn4x,iv:RjVaH0J8ksbE1q8fIrWqmWaNV05O2psyjoUle5yIXUE=,tag:dkUQEBUnxZRuYQmY3YBu+Q==,type:str]
 #ENC[AES256_GCM,data:TF3jf19wRMCnkc3z9r1ir7aGUoIFSlu9,iv:5x/aNiPnC/Pgy6PQy2HJwJHUUB0PW7PVNjsgpqlIobA=,tag:eDrlKlJOuNHeeMt3E3MEKA==,type:comment]
 authentik_domain: ENC[AES256_GCM,data:cJhD9W6H1wJ79YEumtBDa6/m/MSAAAM=,iv:ONSg7gzo4KK2FCWZZwOSUO6YnIaZe/7HzX3f7W6/r74=,tag:GS9tBZx7PWvpQXVWbP/Djw==,type:str]
 authentik_db_password: ENC[AES256_GCM,data:zQCYMkbiRW+ln/SQNIlOBXCoLJbaIIp6xPMq2fc1xdXFcyOFT1RPQaVj5g==,iv:MQn4F0EqXsXCwpamSmjsZF69545XKgp89jzq46Am14s=,tag:dOWvSu9A/1kRbp6rERH5OQ==,type:str]
 authentik_secret_key: ENC[AES256_GCM,data:9+n0VmAG/M/GTalJqO66FfREsKsj+KswbAAG+BHNtxkH0jVK/FRhq8RPqw==,iv:WLGwnq3L4tBJWwy9Vgzp52g9hBBdT5AP3+p4lxoQBkI=,tag:u18Eyd1Gky4EPUGV+JXchA==,type:str]
 #ENC[AES256_GCM,data:+rK3LgVl3xCBymHyY7K9xFzfq1lt5EcIIAg5v4Tj444ahEnbFXKnPJE8uteML/w=,iv:fDFPTtCtFG+UD/gvFJYCCC79FfZ2cWUT8poaGXGnh6Y=,tag:VhHitpPxfMXQcFF9VZp9ng==,type:comment]
 authentik_bootstrap_password: ENC[AES256_GCM,data:w5/V9qXHVhSB5TCLSJoCg5KffqoI5lH89jrHDddOWzWwa47cUYHSQJJa0Q==,iv:b3Hn6ap8iVkh5RH9WjENvkPNyuiV1AK+Y9BAomIkoa4=,tag:p2xwubn3bTYJaa7oyrmLRQ==,type:str]
 authentik_bootstrap_token: ENC[AES256_GCM,data:zAgkAnfG2ImKpse/kLB5iEu5wUb3Bvx4vTg43hX/G1SXX3NLzrJFQL2BX5v6oQ==,iv:yO0j/CGUS9Y6zcUNtGC8fK9RFeWTGRFDnRtm3SBPwkM=,tag:1gEd0N+d426eTqdPTD2D7Q==,type:str]
 authentik_bootstrap_email: ENC[AES256_GCM,data:ICmbTdh0B3x3wNJJg8pArmU1NlxfZzm3,iv:KfQSIxkp4w0DJK1LecSl1hWHzylu+A+E4lYRxwC65os=,tag:+BlTf3FlEeU5U3o/FX4P/g==,type:str]
 #ENC[AES256_GCM,data:IW+obg/eKos2YxkvK/HMtnqC7LKrUWDX,iv:4wCDyj6KF6+tn6+DFz3muduSNxaHm78eO62F0AhZZ60=,tag:R3OumyZ3USxLh2MONH801A==,type:comment]
 nextcloud_domain: ENC[AES256_GCM,data:aBGUCiicsnBAN/7OtRc0C8tXwkpfb+7R5sj8uA==,iv:rWI9uhy6CFp/Noqj8EXAx5yEIilOpnsGUTEK8JvBz7E=,tag:hTanLu9fp8NlrcRxbbFwzg==,type:str]
 nextcloud_admin_user: ENC[AES256_GCM,data:4t+WgPo=,iv:H1IhMrN77ZcjzlqNDuVZ63yBlkjodSSu9Hwi1ZifRJk=,tag:y0M6PGWubZsfd2SHbY7KPg==,type:str]
 nextcloud_admin_password: ENC[AES256_GCM,data:1LJZ5CsgzqYT+G0h2Cu3a8DCe356F3DIUV5JjjWPOVYaT4oJBF7J5Oeu3Q==,iv:kSV+nBwHuceFgNVulLNuVDOCVenUzTvarDGeGK4ytuA=,tag:um5H6op+iALOV1+rVPFWHQ==,type:str]
 nextcloud_db_password: ENC[AES256_GCM,data:e1d5g7F3QPG0BlrKn0AFZ/NSp2Z8SQMMgh2gFKM2jNqrHwm/zDcaYrco+g==,iv:eFZ0+Ov9L7Gcs7L9NTdi1DL0QivnDPkXJPORDhpHXpA=,tag:8jTISi03Q3AjDGAHQgPs6Q==,type:str]
 nextcloud_db_root_password: ENC[AES256_GCM,data:XEQgU00hWtnx8ep+qrEV9f1pNgFRz0B6efXQUyjsEni4MNlRqGKAA5OjOg==,iv:BEIuj5KdLMRj8T3nVALgT6KKhziwgh4nysuD2deBpuM=,tag:b/xQkzgKOxRSi/BZIHoLHQ==,type:str]
 #ENC[AES256_GCM,data:pvjfJfG28QhQsvlxJxLblcd3Ll81M83Zpzqka+g=,iv:hmeLvxKeLDYiv/Xaf9AsrqzXBS/RBTArkCtvQKzmFl8=,tag:ijHSgmcDcNlF/MYGix2zAQ==,type:comment]
 redis_password: ENC[AES256_GCM,data:tZuCECj3T0E3zoqixHUsxdln3BRAxXlo4GAWihM7KZXGeWJ3glU/jAuFEA==,iv:zrZZ5g+CS7eFDIhd0+h5k9DGQzAopx5QOsI6tVSpOJo=,tag:7853sKzHvvN2H+rnqBEzpg==,type:str]
 #ENC[AES256_GCM,data:HI1jEKCKuYWgsxap5TW05q7wbnfMvdetgokhr77maHrQRf1z,iv:JpBwK0vaUpS8GxqdsX1fJyYVvtw2Us0tvImWYp2M084=,tag:5UcerSe9nRRKUA7FDKNo0A==,type:comment]
 collabora_admin_password: ENC[AES256_GCM,data:7aLfKiQf9wOSG4UHmTwysPqro5jm1bY3tQaSa7i1BpibbDrv7OKlGBBqsg==,iv:ImalKNXzZE4OQC8LrAGlu+myzfLw76G0JDWf5zxhB1c=,tag:EraNIQNbl5f8DWScXBhgLA==,type:str]
 sops:
    age:
        - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIWGVPRVZwbkIzK3FlRXdO
            cFZncVBGRTVnOGtDV3hFdm1HVEg4YzdLS1FnCmY1VVhRK1R5V0s1TG9VRk9uZGFt
            VFo0TmY2QWxBQzc1Z1NaNllDY2JrdDgKLS0tIFAxeGxEMmd3K3psK0dWRzFVZ3RN
            VkZqYWxGdUVLUEFWREY0Q0tWM1M1dEUK7KMmTAQXTG9qgbt9pWjUDRL3hshMRU1x
            sgGtQUDmSmVCq/IPKW59g7ccHjGzjgxC9pVzHvTTg4Iz5JgY0carig==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-20T18:45:10Z"
    mac: ENC[AES256_GCM,data:01NJofx7BUaXZCajoWs298HZEjJft48vkzDlZ2H/LuSAq7DGvakJhd6YGN9WGX7fkPukCGmsw9rlIauZwvjeE+FRd7BokeKJlrUZgqgmzLI2kA5eaS+hClZuKaQdzois+zx4g9Mjtu9WpBlWz6/bYL5iA0xG+xpdgXXrKFiVIFY=,iv:G2XKel9G/lnpL1yqsTT/P/FcKKPfsfNk0rS7Pr71n8w=,tag:ooFZ92XZdMmbfz5Q4Fs9Lw==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/clients/template.sops.yaml
+++ b/secrets/clients/template.sops.yaml
@ -1,38 +0,0 @@
 #ENC[AES256_GCM,data:eZqiMbgZ970iP9xR1lP1Mf4//4y3l76kTg==,iv:cYffSE0jP5zrezKl/UBoNFc2gxb6El1hhripoXC6Uck=,tag:bnZZjLPH2zyObXU0QT9i+Q==,type:comment]
 #ENC[AES256_GCM,data:3lAY7IxFpSbgBS9Jfte4tqBi6/jv1d4rqpXvFIzwaBi8kbIRZWc=,iv:Hx+Jd4xVRwzU7yjm962I5xU2NFX5njx43u8ibBKe/fk=,tag:EEDSENvFr/PhRu0PIY0K2g==,type:comment]
 #ENC[AES256_GCM,data:QWGb4941FGgKU/iMUHEyK+eJoIxrig==,iv:GhFhT6jSQZ076/5yfDzEvsxoxCx9O6ueTbRePGxEdD8=,tag:w/psPqZ98Dn9BZFjL4X8pw==,type:comment]
 client_name: ENC[AES256_GCM,data:RgV0RQ==,iv:uCKSI8QpjTlkTg6/wpbTcnjFxB77pjSaCnCeG0tZ4g0=,tag:vWI6wakgwwCAv6HW82q8oA==,type:str]
 client_domain: ENC[AES256_GCM,data:66fMimASNHXHjY62altJkg==,iv:q4umVB66CiqGwAp7IHcVd6txXE9Wv/Ge0AhUfb4Wyrc=,tag:3IsOGtI91VzlnHFqAzmzkg==,type:str]
 #ENC[AES256_GCM,data:2JdPa35b7MsjQ8OR3zxQF5ssn+js8AQo,iv:kDwIUJ/35Y7MJVts0DH1x3kuKWSxawrfBStDA+BbRO0=,tag:rNgsObk+N1gss5C+IzMi5A==,type:comment]
 authentik_domain: ENC[AES256_GCM,data:Mw6zdhoC5ENTsYWGx4VqgUtTNPwM,iv:xOVUdfvqpj0feDHA8s6aSTqgCWEJJhlgVKF34GW2Hm0=,tag:eZyTNJEWkSPiVexXW8zy9A==,type:str]
 authentik_db_password: ENC[AES256_GCM,data:HsyTlbM8pewD6ZUndnPQzBzlNECdlOqEWt6AgIMURU4U85NmhoRaAIwcVw==,iv:x2hHZVGnbCDggRRyW7BFfhmUT8WpAwua0tonwF2UDSI=,tag:Bbboc0vKGcrIvjIAsC2eVA==,type:str]
 authentik_secret_key: ENC[AES256_GCM,data:cl1U+PGeaQNu2OW3t4QzfWIyMtvkQdYk8Adb7EmLrSHceeHxfXgKwgxvp2Fn7C8RDpuCsztkxEz1D2vePO2xSpIo3Q==,iv:trlB7PJd4os21wOK+CyfymE+oopdksydS+z3VHBT1wU=,tag:BwQ2FygYOaX22YKOTgY0mw==,type:str]
 #ENC[AES256_GCM,data:3AF1/xf9DULcTEhTfxSr9ls8U0cr0ToG88783V10OAmsOclhq5h3ncFoLM3GZXY=,iv:Ji7447QFwRn0MKoXakAoe7ZDeJrT0fYAVHwYBWr/hjQ=,tag:+CQyj9pZxzKualOV/hlrkg==,type:comment]
 authentik_bootstrap_password: ENC[AES256_GCM,data:K0nR2CCA+mZLwt1eKY3NU0iB3aXRbze+aX089cmAfTXunBsRZgXWirC3Pg==,iv:Ki4G/iMoL8rqIR/E5YWWNa60TEFEJlpmjfSO17ccjms=,tag:c91a6Dlu2cDeAbtH0VMynw==,type:str]
 authentik_bootstrap_token: ENC[AES256_GCM,data:wzToXlHEEo4hqbTpYaj8VcjIzl9JIBYelb6csfSXB3gsecyOOriUsvpBua2By0l6c2DMpUVipRR1fEo6CZLc,iv:3U7eseITVM6LTzlc7tEPV44qYTdiLbKpOcDR+S0y9ME=,tag:UFxakIe4ZhgJy8K8caF16A==,type:str]
 authentik_bootstrap_email: ENC[AES256_GCM,data:3H2b7nl+i5AnXVSWCWkpzfCe7lk8ow==,iv:KlpRA6aP1/sSG5PSs8Q3aRshn1ZgHQwW4AtTYwCgd+0=,tag:SpD7K4Xme/QUTxLEL7Xi3A==,type:str]
 #ENC[AES256_GCM,data:ZXsSQkRtXNF5DMUPAAaLBWkAgh/hJMUX,iv:+r+WtRYebnFEkw3qmIkXRPUUYSep53qzgy2FvpGhSfw=,tag:S+w04XduCSLRntLJiEDFUQ==,type:comment]
 nextcloud_domain: ENC[AES256_GCM,data:i0hWB89Lxjn+s9NOrFsYZr/zsQ2/BzZKIk0=,iv:AU1LLm04+4Ekjm9Q3Gqe3MpqdIdGAGK7EaClJMO2bz0=,tag:8AEN6jdruVUzFEZe0sVBrg==,type:str]
 nextcloud_admin_user: ENC[AES256_GCM,data:EkGgPFQ=,iv:69EdTYC3xMzp5g9RQ+C5hjBw+gLBghaKQArOc+77nR4=,tag:17oRhQUMD1yHj06gS3ODAA==,type:str]
 nextcloud_admin_password: ENC[AES256_GCM,data:aRbg8hmK5QMOS0xqEkgq2j96ajhtG+gYnriHrT5lrZynbpNt0tXGh2SIuQ==,iv:WWnoi9si/o/9Qsj68sR3XFKba2UUWiVrjx1XLsvuhcI=,tag:AUr9WFNGyedvc1woGMFeMw==,type:str]
 nextcloud_db_password: ENC[AES256_GCM,data:xygLEUi1doSFzG8JANguzGxyP8vXm9GDhDqmRAAsj2VfIEbzANsa5iWbtQ==,iv:UgKufxyqi2LwJ8/QIT4mssHxSGvixW7dWXRTURaoI0k=,tag:yr8ZiR3DphX+mzJ63qRbRw==,type:str]
 nextcloud_db_root_password: ENC[AES256_GCM,data:IuKUtIDDJOmFHbG6dZFOC+WDrEg2vBTemWVjbapwRmYRIwQg47+38dOQjg==,iv:CISRoJZtV4JI0AB5erHNZLPRE+oeo4jxd446GUfSkWo=,tag:juEZ+gV82kfgrny2lC6Qow==,type:str]
 #ENC[AES256_GCM,data:fh5zP6W0szyikkvHfNIs98J2Vl9C8xhHnWrmFZM=,iv:Di1DjQ8Nxrb1KnvtRKJIOMfO1CmbNpweVj7Ijsx79dA=,tag:YL/eJn+uG5qLP4TW4KyPdg==,type:comment]
 redis_password: ENC[AES256_GCM,data:EgNqS7asbH0PHlad43D3kgEJqb5qpZVHI1XuWdu8uqm0H6pJu6M435s3Pg==,iv:dsiEU9Ik12CFT+6PATLA40MMgN/kgoHfOc7Lfkih/Ug=,tag:2fSPKLZgd8Ebc/j3xeb2bA==,type:str]
 #ENC[AES256_GCM,data:OxFZyktOkNHq32ixDlpaHRmlu10we9rHb+YKOG4BNig6cdzh,iv:tyh/ozm0ooidGCSEKzZ0jqX0x7Z3v+/rtV4q5+vYpjQ=,tag:zQ0KKB5U9+4T8dKhBD7ZdQ==,type:comment]
 collabora_admin_password: ENC[AES256_GCM,data:jxrOdFLAeIRp7lVBz4WiqYFNdCn+FqHJsPSfRyD3uqQWUwWhXuG2LlQmOw==,iv:j8KWGx4392q6IllfTMjL9JitkHL9XVuShdOM+6ZtP/4=,tag:D3nqs03YwmjmT4A3W1uumA==,type:str]
 sops:
    age:
        - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNVzNUaC94SnBRU2lNQjdu
            Q05BMzF6VWlBckd1VjlXOVNSMTdFR2Z3ZEhvCmdsU2tJOTNCMkhjNlVJK3FOeUFl
            VnhxT1ZObkZMdXNoSkE1UWVXUVY4d0EKLS0tIDllbVJCMGZDaXJWb2oxbHJ6Y05F
            NnN0SE4rZ0lFWUlaNjBIc293UzlxakkKYOxxyTtwEEo3j6iMGeHyArYSquT+2ieB
            cPA1QayU4OBucKo34WuZTh41TxIg2hr1GG3Ews5QDEiTJlAQuAzldw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-09T07:31:15Z"
    mac: ENC[AES256_GCM,data:MSnPPzLLCZIIK/RmhlpMaNGEeZCHVzY2PK4A4PhC4nXuw9AwGjYDrHn3FQ9aJywi7NlXxLqFWo9nSnFswNlIUpea/3MTsa5LNimX6a22c9YRut+yImwrBU3abcgzxVJsHk7DUGIA1TY/AElC5ZLNROrw/X+sVf5L2pq7P2/oous=,iv:cOxocMqLgzzzT89RdfJdfvOfZ3Ph4tWbE6bV21WZgZI=,tag:zrthLaXOrdx3IU4I5G+zBQ==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/clients/uil.sops.yaml
+++ b/secrets/clients/uil.sops.yaml
@ -1,38 +0,0 @@
 #ENC[AES256_GCM,data:aIS/uQvfOiJ1pUuPer9qRQjggq8ZjEk9,iv:TBR9WbgvQgw9ERpnmQuIkhAyVTQZ8NABs5YaxD8KvZs=,tag:DFd/j8ZMzCHt6EvMbxVZ/Q==,type:comment]
 #ENC[AES256_GCM,data:mTI1k+swvBYRx6qN2z5rwxHAxVOCdJxHm/o9TcBDej08mONlLi4=,iv:uY/dmgLaZEcZdzUiNe/y8sa35Qkqbt0iptpi7MGIMQY=,tag:ybdNuVlTSc1kCA8qxmOnuQ==,type:comment]
 #ENC[AES256_GCM,data:uhpDxNUwH8HqvN8e9wf+QFYVGZ3EaA==,iv:Sx1aTvMKHEKzlcWO5jT8htjFloDteBVPnaov7+dQmD8=,tag:NxNZrOvJYtLVEeTFgyjX/A==,type:comment]
 client_name: ENC[AES256_GCM,data:SP5V,iv:A7ghCYqbAupSF0VDQ/SXKlPrnk8yzQqKvSdvBZzHyn0=,tag:Ljs49J7GuSStPoGs0xSk3g==,type:str]
 client_domain: ENC[AES256_GCM,data:rPUIOAv8XnUrF/8M5LHM,iv:gEIxCJo3jji3bH+9JBi0CJPhCGEMPG/lTr4wp5TBWhY=,tag:/xx02ZX32wa8HTFqw7WVxg==,type:str]
 #ENC[AES256_GCM,data:8JSPPlRnTFLhY0cZ/agat0XYeyycrk61,iv:amCrQ7D3H8Dyl6sZmLjFsZbfagxpcz5Z9aFvEKba1sE=,tag:CSMX3zbM3sAzkDzIIKz0TQ==,type:comment]
 authentik_domain: ENC[AES256_GCM,data:HTLCzAuXr7cRh2hbgF8duh5ayYw=,iv:4jl9drpkK3KGVq9ezvdtyAkOk+9kpLuughtLiyeskgs=,tag:iU0dQdwnbi5+Y3+OPm2Jlg==,type:str]
 authentik_db_password: ENC[AES256_GCM,data:XGGOiJSw/GRQXig+/mxIrpBjF0ZGEMIQ5APl1KxQ/KzxwmjF68E5XbXvjA==,iv:WtfhFP/zYQ8FJcFeISuNMVABCGJts9krmH/ycodvAGY=,tag:ka9hwaHzpKanC3q6TfXaPg==,type:str]
 authentik_secret_key: ENC[AES256_GCM,data:y35EQNMKW4/8JL54et6y0WZ8FKAgp0VWflsR6UV+j2SlCrvXFnRgQG8QyQ==,iv:TZwNiZ9Excgk89XPuig30dbuOKu2CHT0CyFKLPrfEfI=,tag:NmWN2LSsPf7tPnuhVdH82Q==,type:str]
 #ENC[AES256_GCM,data:LgTHbIXSN/afDn9wSO30d/aIBy8b2DvyxYX+OpDt7uAV6d66O90jCGx/H7uo+AQ=,iv:1Jc/rzIbQnYep7ro1GMKnau56xHdZx0ZxMthwisFYtE=,tag:8C8D1zzy5lZ5AQe0V8Fn4g==,type:comment]
 authentik_bootstrap_password: ENC[AES256_GCM,data:WnE/dn2xHwxFe2CbQmy0WC6xz/Q5UpkWW8m+a/dVi5h6O6tGfW32EmECBg==,iv:rw0XCc0N03TRkrR7DbHPjRiG2o6tkd069sJGrozU2Yc=,tag:QFmKEzJBGbXUewCLUnlXfw==,type:str]
 authentik_bootstrap_token: ENC[AES256_GCM,data:a+uoCFgICssuPKQJFoGO+emJCvVwacIKW3emysbNni7o4uIGVn98yMb+HYjt2w==,iv:zLe1hiM7zhVXwSFx2znO9WjmokRLfluPCD/UdB6oRGc=,tag:zuWocn/zAW3/VALE381Cdw==,type:str]
 authentik_bootstrap_email: ENC[AES256_GCM,data:R9kP7F4pPkSuBzJ+LsnWKDPwyg0t,iv:z6midY2wjfmBomDnjLJFFfiKySTdEvHE2Q+r+2Wi83M=,tag:lJ7kP8XhHprCftYqDiHuHA==,type:str]
 #ENC[AES256_GCM,data:1MjHrZivYjxKpxn61BHLyB3xSfivQX4L,iv:dBh7oc8U6esyi2LBNWY9ss2HuoHJpDu82Y1wJc/ex/4=,tag:E/H1sih2b284lgFxur5zbQ==,type:comment]
 nextcloud_domain: ENC[AES256_GCM,data:IYjDmAom25nyV5DeNifZKLdRPdPVpLaS6A==,iv:y5Q/qtqHCoLld4Q32mTIPP3JHQHPgJdOcA2urBVSjZo=,tag:2XUnipCDAIkSUVLBUydxig==,type:str]
 nextcloud_admin_user: ENC[AES256_GCM,data:VKNEOCs=,iv:rd2De98bIx7uIpIXr/RSCP71Kj7xlbIdaM5CL+qbHik=,tag:Kq2BD+0oJbFti6Wc9C5BCQ==,type:str]
 nextcloud_admin_password: ENC[AES256_GCM,data:dt3fpOlwn0WHxx9TCuWX1WK31VJeqCW+K69xVZ8SFNNgiQPEIzsk3A8Kww==,iv:w82gtKGyLDQPrydQo5xOKa6AsLYyG6iFStyXyKcmbNc=,tag:ci5MnasJYU+SgbcWOeTdgQ==,type:str]
 nextcloud_db_password: ENC[AES256_GCM,data:OXmim7k3E6M+T9Z+teFJPjvRn6fg8BtSeWKTHOsxmBfsiBOsz7VglVyjJw==,iv:/srFcTbjlx/ZaY5XVKxhz3T8ji+MXNmcX67SFmG0WEU=,tag:/Ohc6pzNpYQF1lBpoK2KAQ==,type:str]
 nextcloud_db_root_password: ENC[AES256_GCM,data:contgx7/DtqsXpkUo3Xa+1OjbPZkrorKM43ws5XFphte3/wIpfihqPJX5Q==,iv:vcm5KllCto5EldfwNA7HTuDUhwNjs6Q2+DgFp7NkR7M=,tag:8ncnZeR/knFR+1d7s8cUjg==,type:str]
 #ENC[AES256_GCM,data:aYbteuod8ZITWjAF6pEpGYNfDlz+RfDITn0sWuY=,iv:DQfCWGkmpVQgHBu6luSRhJNOqFQxCQiOI7cAvFP+8xA=,tag:f+YkqCeBYGdbgmUW4hLOUQ==,type:comment]
 redis_password: ENC[AES256_GCM,data:5IpSxmVIktvHboth7UMlaukibZ/GHibNO106TjTqwOjfBH5MBhrbG5h8sg==,iv:zFuIdKFPDJlZRfmKB09cTx1A6e4p9vNAmFOoQRGSwx4=,tag:6Riu4Us4gCuGI4FA7ht5jw==,type:str]
 #ENC[AES256_GCM,data:+4PS5fjQRjw2L0JB6WpwmHXDDOUKo8xmy9v5r5ez5Bx2jZUE,iv:W0Oj7k1h2fj0+HnGcvLKq+qhKeEiN2jUUO8kaq8YuXs=,tag:hcu2QnexLU9esa9uwDo+Pw==,type:comment]
 collabora_admin_password: ENC[AES256_GCM,data:FGi/ZA+E4ZbODB1jD+Vj5SegQD73bqmTgKi53MXV2tmmQMW0dETE/DrYsA==,iv:9kVU+qQT2cmkiqVi458leNly5X8AHGwjfViFtOtvkX4=,tag:JzpDO0ORO0NVpgz7zaaXrw==,type:str]
 sops:
    age:
        - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBteGJtRy9UR3MxTjNzMjAx
            aVFjZURNUkhlRkFDRTc3RHNnM0cwY2NmRGtRCkhvbm9kT0UxdmJPSldMS1dscXI4
            Ymhpdlo4S25yWmpVc2RiSExkcjRVYWsKLS0tIEUzWnZqTkRidm5ia3JpaHVlbmRF
            MzZ4OENaazhBME50ZjdZWEFhSEhuNU0KSWxQZmSVFM55ji8TvzOepMCkNmsXonGZ
            k7Y7+Ih2KAZqcT0ieTE6YEe05H6uE+LdaftMW2wEVsOZ2wjFaT8OUA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-20T19:57:06Z"
    mac: ENC[AES256_GCM,data:XBtXjJM69CpGSjyCHnerLkxpfLOsifGAuUv38Leuli2/E7D9pWLomjMrhraRpyFuoPtqZdGbnFNm8Be3trMw0MmVk9uzzihwdVvKVTUucSygb2sRbkGFkl4Qqszja9Lx9wblDalbrmjKLWPQJ34QJVlba1nQns3Y3vJUX+e8Cjc=,iv:XFFp5cOTwvisVEAfS6Q538Jda4UJKzkHAbNHia7/Xy4=,tag:G+91bclflLIWToui7YMvgQ==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/clients/valk.sops.yaml
+++ b/secrets/clients/valk.sops.yaml
@ -1,38 +0,0 @@
 #ENC[AES256_GCM,data:ctaMv8OIHMLCU5j+G5V3F5xgLKOvhfc8Ug==,iv:TR4wnQ5gpLP0SZnQNIeS9fKeiyserHYCF+yp7IIgTP0=,tag:CQI5ap5b/YIaOysRN14Jxw==,type:comment]
 #ENC[AES256_GCM,data:UCU6+XlbzC8We6nZeW0xNIW+L1z6dMagNqWQCeTTR2AG2CHIolg=,iv:b05l4X34Tm5Ev9JXHYCmXARfR/dOzy+lRh74LK+L8Ks=,tag:W3pkQhlD/YP+AYbXXDX/ig==,type:comment]
 #ENC[AES256_GCM,data:pBDl74SnuiQlDRI/KNNMWMUJaFm4rg==,iv:+pziL+Om3+bSdOlFD7M89zBgpn/i9PutHOlWqGpXaDM=,tag:2MipxkvrtoX7FYjI0PjCdQ==,type:comment]
 client_name: ENC[AES256_GCM,data:Fz5vgg==,iv:BsrNtdLTEXLkSXc0+PVeeQ4SCF7eKlF68XNlaMPtqJE=,tag:/kqw7DtQ2aVy0joAfDRRCQ==,type:str]
 client_domain: ENC[AES256_GCM,data:fIrfaOb3Mf+5DqKoBEgBpw==,iv:XE4O0SyardgdtMWbkHOtMNgZ1rAKnCKVSswmMmACyNU=,tag:HjAfuLZI/Js801eJ47UIRg==,type:str]
 #ENC[AES256_GCM,data:2kKajhbBS00eZe4HBlMc3HUF/Wveab9u,iv:RaRi8O8gfn5jlmNynfrxYICgsOBFVG+V0dqaSF4udOc=,tag:yqQ0ZMpito7UBvm+PJ/dxw==,type:comment]
 authentik_domain: ENC[AES256_GCM,data:jaVgyFT/H+c/H0pOxCcOsfb8lGxw,iv:PHomA4L6r/1z7oY6Qn0OTqhzegd7JJC8RYf+B4zMcN4=,tag:ZOYSTcGkO3xE9mP1U2BaVw==,type:str]
 authentik_db_password: ENC[AES256_GCM,data:nxTnYT028qadNScwjijxuBAvP44PsXc9SJaMjM1WwfrqXt7/DDftadVrSQ==,iv:DAdwFZ3Q1lTLmbciN3VX0p2zXq4+dORColJWXJ1HuH8=,tag:jfpyU/XuSpomQnjqDvLquA==,type:str]
 authentik_secret_key: ENC[AES256_GCM,data:WST/7Ujv33URBy9VMvolqRwz33RcIuD4QxGT62uPjBRr6h0nI4ahtD8htA==,iv:Gi3rjVIqemkT/ITYkxC33JvfvVX5SFYQ5U+Rr3+HlxM=,tag:PlMMJ7g7fYhG85hm6zUScg==,type:str]
 #ENC[AES256_GCM,data:xAaEFhScafyci3tP/EV5Zjl/zbasVITvV0DrNDX2ZtXB7a13PFzKWFIsGh88iCU=,iv:2+vamLWnFZHBQ2PW8/HQW6Dklrb8xWkd8oZczX3Kp8A=,tag:oiOZc+3iK/h7vlyCbiRtcA==,type:comment]
 authentik_bootstrap_password: ENC[AES256_GCM,data:IUlXIwhoQvlRnn8keYYUddnPavZsvmk5AqNkyR8c3O52+5omEeutZLQ7sg==,iv:vXKiJZeaXP9i5CIP0ymDEhAwwRLMk18r3oM/JnhemnU=,tag:vVIWoB+woXeOAeWcq+bZtw==,type:str]
 authentik_bootstrap_token: ENC[AES256_GCM,data:/jjShYMON1S9I6kxNJhb/XAyn6PJoUS6oI7tdSPjA7CuH13X9ffx+w33p6Q4Kw==,iv:7jzUOEWSHy2nU9gSnhKlZwZRT6jF2pXau4aVV/9J0UU=,tag:68rWsUL4skab85BefPKseg==,type:str]
 authentik_bootstrap_email: ENC[AES256_GCM,data:GJipLh2OzDaux7OyhKQgAuaPM7L+pA==,iv:NTnulTaFvqU4tyy2y1YV8Sh0D2mS9HGTVBaqvbMLBKc=,tag:9eAJORhYXQoIjJa/xIHvzw==,type:str]
 #ENC[AES256_GCM,data:CbNmNpHunmOKStzY06My8x4fuEyNl+GI,iv:t2utqHryCaa4PwvKSlGwQnD/Hj+RDeHxd9GgF1SuOuI=,tag:jYDNoyd70xWXnJJ4v3IRDw==,type:comment]
 nextcloud_domain: ENC[AES256_GCM,data:WJ9S+9n7grhX0RSE0HyG10qtHZjKp9Cm1sg=,iv:R2WW+bOYys60aD4Kl7jMT2jIdofSos7YrLjOgiv/4uw=,tag:o++NQPKdYdjf3HYDouyn+Q==,type:str]
 nextcloud_admin_user: ENC[AES256_GCM,data:L/kkIRw=,iv:A83rGPhtp/qeNKERxUnhq4nkfXAS9cQuhviUU8lrtEc=,tag:XO9trjEr/pBU9yJsSVmlLQ==,type:str]
 nextcloud_admin_password: ENC[AES256_GCM,data:I1xvJ4ZhZuh0QzDZGWDXvF08yRcmJnII9dG9Y7kkHwjeiNXkCDGLxG1asA==,iv:jLTzg2VdJNUAuFbW+Ss+W/NmYG85E/2EFKhQflW3p0o=,tag:DncWEiTS8oGpGkXYQEw1Zw==,type:str]
 nextcloud_db_password: ENC[AES256_GCM,data:z0okVTDnFxX4qNyJHRq0/4kDHCj0ZzPU/BoB9kFd0WxY+jr+h35MfR4FGw==,iv:70UReQQ9oMTlv01FsTagiy6XlKf4CaFeyaFNNTNKXsk=,tag:4N/i0+LdA2vGy5pBKIjo6w==,type:str]
 nextcloud_db_root_password: ENC[AES256_GCM,data:Q5fqrc2iBClAKOYHiAlAZ0BsfzqJSO2Bz1oou41ypEGUZaorwoZ+wK5Geg==,iv:dNiHhl/WWsPwChBerIaH/yOnfKqkLwEK8ryDE0yESHs=,tag:D9zVqLpk6iLoOSn7rbdUgw==,type:str]
 #ENC[AES256_GCM,data:XCt5Oe2WMK4lgtPb5VhPOfRMYN1sXLIrxZt+DD8=,iv:eFZGEA/ATyABVH4rgeL3MvH6pCtWXNCx0Vl37nIy1nw=,tag:NGcGtHE6eF4pZ18BL9Q9og==,type:comment]
 redis_password: ENC[AES256_GCM,data:zSAgrY+4wCQ2qaIyu9f+wXxRovD6L9155gsAywlQBQIMrXJvfLIL5nipZw==,iv:k6jQU0TkuX0cfFNC+1Il2c+T41+X9joQGcSyPCIFs8Y=,tag:UhYBc+Y0BHay1Nx/XUG/Eg==,type:str]
 #ENC[AES256_GCM,data:4g65bXzewEhFu/AULV0n0liscrk0uuAlLCb9DAa9AdjbzlY9,iv:mAWIWh36RDL0HBDTsWpDErDQD4poFPVc0UoPGr9hcdk=,tag:xHjpCvm94RCyMolq0BUQtg==,type:comment]
 collabora_admin_password: ENC[AES256_GCM,data:kEXWAXwlzDUhLSOHfftSsgy8Tp1qxboi0OhFP+xpYYCOulPmF8/y9PFlTA==,iv:s5Pbfa+zgnp+GzlbvNWbYG9hvLogNXpnVEYupFLJ9Rk=,tag:odQjPoDrElTx5PaPMO8D6Q==,type:str]
 sops:
    age:
        - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIbzEvdE9KVUlWYitnMlZC
            bVNPMHV3NmR0VEIydmM5UHVuWHFwc2pkUUFjClROT0E0MjBjUmxWMnBoRHFtUHlQ
            OTZOeHg5bXc3c0IwWWRtOWJTdWlUZXcKLS0tIEF5UENBTm9xaWlqVzNBWDlEMnpE
            N0xvZG9JOGZzdHpKOGcrSDlJYzBVaFUK75rT9dmmKOjZYDdEfc7+QXLL2GMYgjoB
            I1j0EGUhhScpktXnHcWB35cgTFyFvKKDc0Jdjo3JgzxkfVKzp++dRg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-20T13:11:27Z"
    mac: ENC[AES256_GCM,data:uBqOnX+8CwpSMjGrIYQ/JnieZ7kKFhPtD8W2SWQhl9fSp1lylJb4c4V8UanX9pcgjelFwU2aw2RUwcOUUC1AkhzkV8OHN+Id1Sc1PV6eJzVsyHetuax6snSpgnzJDsZApiQ2ephyv4KlqxTgm5n77b8S+CdTeE8kHFxWCbANKy4=,iv:dz/HU119lValHmoq4GXC5E/NmsgOehNmDFRaDmc9uHE=,tag:2mqbs72ZIXe2f7drs6fYLw==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/clients/vos.sops.yaml
+++ b/secrets/clients/vos.sops.yaml
@ -1,38 +0,0 @@
 #ENC[AES256_GCM,data:cFXXRzZN0YJo3753ddtm6Vmwd7dohnNB,iv:5wcry5rmrnt6T/XvWyur+9OjtldCG5Uh2TzsrkCrrUw=,tag:hCJyYykGD022Ma8Tgg5DEQ==,type:comment]
 #ENC[AES256_GCM,data:tYAvFjb9UaNfUHna2TUSbToTWoCWeSMqRsOg/BKVXsYGXHsw26c=,iv:/Zq4X+tLG5JUW0lKKgKGG8LGIZyUm41qNBt0z+rlLkM=,tag:xp6hu1SP5XcvywbBiSUNBA==,type:comment]
 #ENC[AES256_GCM,data:C9PD0hxLSYziPKFtMF0iPBwKmRvRaA==,iv:SXZM73Ji58Elofp3VZaQn8M4UtJwP/tKWwIrz7gC9d0=,tag:jmi/H++J8k1Ye+MoiaZiIg==,type:comment]
 client_name: ENC[AES256_GCM,data:J2hy,iv:4NLXMybg9pLYE0FdmY2rA95HHqp0hQpzTKQamVU/iGI=,tag:zvWyNEYWLawkofC/6LkwLQ==,type:str]
 client_domain: ENC[AES256_GCM,data:llq6A/+Ec2U+wfNlIbwo,iv:c3Adz8n/zZyRjI5hvfvna03O9jows90nLIUachXlYRg=,tag:rTVpYHnfcJ3KVbXhhjZ0lg==,type:str]
 #ENC[AES256_GCM,data:UdcsUJJ6sp6mgH/jKLpOMYzGbFT98Iup,iv:AB5gxNZA9XZMXMb4xIdgIuYtrP8ofHe2LS/9XLtR/Ns=,tag:N7AAMIQSC0R5vUaA57eJWg==,type:comment]
 authentik_domain: ENC[AES256_GCM,data:ZY6Da25kkibJknyKWZ8ZdxAwWKM=,iv:s8eHMs03B9vaJVCAdwmjxI0QVCAu6i+T+EhjfrNnzSk=,tag:dn69p7W+8vSiZjQLWgV1bg==,type:str]
 authentik_db_password: ENC[AES256_GCM,data:pwmuizt3MYFA73LBJt1Wbdf+HP9EFf0aEtn50Dlq2JSFOiZ8Qv9nVqxwCw==,iv:CyrBEcwmzEl8e+YuA+mn0APr92vmOB98/26lA0/IHcw=,tag:3GkNlrId9oO6BqZfOvwqrg==,type:str]
 authentik_secret_key: ENC[AES256_GCM,data:Yx4GJ/hxR0gmCWJ81gocm16bJ0/fXjAvohTFiDgEa7jvC1ljdyMoQqLrhA==,iv:B+OX3CRwnrLwJyz5aiavAyPtJ16E6q6yxEd799SMd2A=,tag:9uz6r4GIkzenhKNR3FQErg==,type:str]
 #ENC[AES256_GCM,data:B0WMvhOYmRksSGi1OepBzSB4mqtMLMlct8Vyvw8qRBCPEfpEt2W5VCZiH+jeZMM=,iv:gkAPY6y/3elb9sy9mRDSHrmTheUzpJyX1rmoiPxewMo=,tag:VYQLsobXMAJEW0gXIXkhXg==,type:comment]
 authentik_bootstrap_password: ENC[AES256_GCM,data:coX1Hnrc+F+3T3Sy1B51KHP4k4SMW3ZkgZf1SpNtZ+dIc15Q71zot37oMw==,iv:3JM+zkLPw/6KAF6tc7i4m56DceoEdARNHUr6yC/WENk=,tag:t+MDE/MMQaW4NO9QR5OQiA==,type:str]
 authentik_bootstrap_token: ENC[AES256_GCM,data:fhu1YN6m/uEzfG3o7BOKsT9VTaBtCeKuyNuXM0PeSoHyU6k0qNuSYw/6WR5d0g==,iv:xCYycjjcHP3twPXl4XhKW1bHTCXPftequJVKCFsCiKA=,tag:aZO2Z6vE5sk/gEHzgCUlbQ==,type:str]
 authentik_bootstrap_email: ENC[AES256_GCM,data:pg62YN9Cxonx2CKqIW5NcGg0KBeY,iv:cjJEvktvIxK3/JWIag6bjvwRrjNhDPdyNiPVeX3VSBM=,tag:XVi1D580alFObJ6BFV9RPQ==,type:str]
 #ENC[AES256_GCM,data:8UpgvcLkQVNgswP5iWwXcQcW9HwZu2Z3,iv:12Cw/oFng9axBRbIRFaM42GD/A1P6AclpTgIBPzcl/Y=,tag:en697guyZFldZksLUJIJHA==,type:comment]
 nextcloud_domain: ENC[AES256_GCM,data:Qa19+SbFFhsoDNIYU/ACbjDRRNgy+6FOVQ==,iv:Q1HNTN5ZH3ONVutQOd/hyD6atygWQHuY5/koBBLOXuc=,tag:YunsxVm/xzzyQ5rx7Txzdw==,type:str]
 nextcloud_admin_user: ENC[AES256_GCM,data:VPYQtRs=,iv:YispewRIBRrK6YhcZaHZTwFdhxKttSH3DAK+hgN2A6s=,tag:ixvRfNGyp4Y9cSQGzFn46g==,type:str]
 nextcloud_admin_password: ENC[AES256_GCM,data:ODbwiXHjY0hmsXntw5vJij+nbRermqzpa6JpGnWj/UoVKAUQ4du775B6lw==,iv:ekg7/uatEVVeNHKhHOO7oHyEcCNUFKlq6rI/McS4p2Q=,tag:x9K7k/p26OFlsviAz4ry7Q==,type:str]
 nextcloud_db_password: ENC[AES256_GCM,data:eJ1F04RtCyvUiQCvTieO4vw2z9NfOM6xu1S+0PgiYiWlXs64dQTApmUffw==,iv:Zyd34+tO/fTxGvh3KSooJnRdRjiphWpEvq1rKbFWX9g=,tag:Cg1sAq4MEkdsmdPnVjtmdg==,type:str]
 nextcloud_db_root_password: ENC[AES256_GCM,data:z8pwAs1zAiXMzRhPLBKN3A7+f3gjUE/r81RibYHjURW19a1wojCDRTWzsA==,iv:cTSBi/GQfdNelrMdx9Kk/1fHw6hAYkbHwr7d+RxeP6g=,tag:P0gEvkLPD2dgsQ4WeChIoQ==,type:str]
 #ENC[AES256_GCM,data:bYmqsHYv0hR6QiitGEvco8hdJucVswww4k99bzM=,iv:v4wc2jKZX2AkBGtrJt+U/qO4se6ofywEtMaK31KoolI=,tag:bD+m6Zq6+tMzdsT2F2hUNQ==,type:comment]
 redis_password: ENC[AES256_GCM,data:5Z0VjXCe3xuj+e3BJYF8CbTtIhzmR9xg8KzH8ex5YgBdCybeaOnChHTZDA==,iv:L32kh4eRibIwfXVUKKSGrDp3pRU1SqTijdCPptE1zdo=,tag:lih8faQbuU+s0vRlDr0Jvg==,type:str]
 #ENC[AES256_GCM,data:wqtWuZbTZK8R2J6ZwpjtTm9t6qS94CXs6jaeCsKRE4xZHYyH,iv:fqmSzKH6FZExCTXcAeUI3Tm6bGi4YIHTPf4xudiXQkc=,tag:M/2xo3pg0H88qH/1KrdOGA==,type:comment]
 collabora_admin_password: ENC[AES256_GCM,data:5qyQ6XynQuq+v5u8FPXf06BsktISFYU8KNiXFmzQDJVmFFVDXkvzDGV4Ww==,iv:UJoESZc44w86WXmBjBn7H/s4hIIyH82uxVglzyS2QaE=,tag:uGxoDrQm4Svoa16qcb36FA==,type:str]
 sops:
    age:
        - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvMVZLbGMrU0tQYXlDWGVl
            QTRCK24xeUVBSDdCbngzVnBZWDRwNHM4dlRFCnJGWHZVdVhvaDNsK2RnbWllSE83
            QkZiQ1JNZDdTN01CdkptSEVQZXp3cDgKLS0tIHJYZHJDNE1RM2tMUkNNQzZkM0d4
            NlRmUTJqeTZ1WXh3YjlpdjNtUUh1SE0KJiBOBEpS9fCSKfVCBm67SEKXXdB28MYR
            muE/oTBKiF29OvrqcqnLadYcUOH25E3x8OhAdUmrTBWXjvx7dpU9Vg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-20T20:37:31Z"
    mac: ENC[AES256_GCM,data:9HyYYcQ3TqiI/CH156jGSmby1edRy92Jj2Uq6aLzAP9hpX7SIo5GGN2wnxg4s2+r+W5lNSnq1EC2UZU9fwwr+y1qGu9ObwCAuQ/W88/Jb2hyXcgvpaIhnhH7DmVVV43gMjaypWgBe511lK7lI/C4Tn4nlYf3ui4denK6HYzUCX8=,iv:mtIiYTSA9DjEwfEfLYznmMJ+1wugx2UmcVuwOtQ2XLk=,tag:6R+u0GVGbm0T0bt9TqVo6A==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/clients/white.sops.yaml
+++ b/secrets/clients/white.sops.yaml
@ -1,38 +0,0 @@
 #ENC[AES256_GCM,data:i4EtCJJ9LDXVp5+pwbFqCxKk5sATX9xgYWE=,iv:75UxTUorjqd5pTD/ouZG8Y8ynpVLgDi6gLJYwSISh1k=,tag:Rrg9UuduWx6GbyTBHfcA6w==,type:comment]
 #ENC[AES256_GCM,data:9rMEAZ2cpwdGWvwuOg4wOLxiRjczA7+a5MM3o0I1EYMu+tCCliU=,iv:zgTWSeYw1dAuX+rENcds3k20anccXztVmIigs+wxDGA=,tag:RDiJ5iP5RYqk+885+d/lbQ==,type:comment]
 #ENC[AES256_GCM,data:eoRGcjK6M00IDrPJ+QnlmGZGO0QDgw==,iv:75Z9MridJallLerHR+/bT1OkIDkwu31oCvKnVOumvnw=,tag:2jQ3PR1cM7PO20l1VZWQhw==,type:comment]
 client_name: ENC[AES256_GCM,data:F5GLzcE=,iv:zN0y2yUTADfCbEcBlWKaWtSljyp96i24Yt78rS3GpF4=,tag:9rqZQFnsOQsdDkeY4HrAJQ==,type:str]
 client_domain: ENC[AES256_GCM,data:oKKwC+CdXROiuxzdToQX2Ms=,iv:fTtqRfFbeQ00lACBcuxfBuXTjY0NgYAuP1brIQjtDqc=,tag:VcZWP4qfFYY0Nl/sqQd+CA==,type:str]
 #ENC[AES256_GCM,data:W4qJvSl58xpFcgbB5/ZTL627vLIqxYnZ,iv:a8ILcV80NIh7rgqZWKsCWu3sjt41I6e37fz7T/fWWj8=,tag:wAGIu961MRc8H0fzCAcqrQ==,type:comment]
 authentik_domain: ENC[AES256_GCM,data:F6oeCx/wbMPXG8AJq7bKF+mSq6hBoA==,iv:vG34k0jpH5I8e2k3ERWjTiC5+G2ilemodS1EZ9QBzjI=,tag:hO3iJ/YJ7MlirqWcG5vUEQ==,type:str]
 authentik_db_password: ENC[AES256_GCM,data:2ftX7AoL6LANYH4SqpLuvcvv5lFrkobzlbuzRJBzJ2fsA1Kq3KhLXXSPVQ==,iv:FL5+imjl1pnzl+YIR2D6kb/OhrSdnyVxQ+uyxEuL8Bo=,tag:Ggu+MpjiLdLY7m3NYSughg==,type:str]
 authentik_secret_key: ENC[AES256_GCM,data:8JXEIr4sMDVTcaZLu+gH09q41JGHEKdtZV2GtfTYZnRoDPg05rVf5zt6lWZife5SBGHxc58FTbxC6dgjwNiGc/5h0A==,iv:TYd+GALSvMrATlsWgOfTl70i5NTHcm//KPbyn5EK8SE=,tag:R87waW1ROqQkmK9ner3W4A==,type:str]
 #ENC[AES256_GCM,data:N87wpR+zOLubwiRyvm20htEYi9H0JL9vgHeXuE85xmAUBS7Pm+i1Yt+J4//Ps5s=,iv:3aX5HMyft+nmuBs/efFj2jZ9yzAkVsJtCcV+HE/Caio=,tag:vH+GpVF/6eYJ9b7npmsmXg==,type:comment]
 authentik_bootstrap_password: ENC[AES256_GCM,data:I2VUG5p/Ybst4uQ/vKBPGW/hZgXFrleUgQTAg/O8owBuAGRUkc1EuDu6lA==,iv:ECiQj1urctQ/PRQfSbT27yrZGiUTbOBwnFyJiO4Z+FM=,tag:ODGLuFnH3uzs+ofwQXExig==,type:str]
 authentik_bootstrap_token: ENC[AES256_GCM,data:mtUVl4AY2jIAkg0LolFSH+9J7MJL65L0twZtOM47HR+n9heOxRngYoAwuTWUYmH04jE92gRUd+zm/l35oEoE,iv:ha/2zpj4vdXkswreacYvFq+H2F4IuOqkCiDxz+nhNH4=,tag:5nAcXUnvCePuFrmH4GpEcA==,type:str]
 authentik_bootstrap_email: ENC[AES256_GCM,data:aGb1ynlrNc/xi59GImvbwJ6JxIE=,iv:R+TYraLAujChXfn4m7VbE0apPYo8Ie+4NCwgYLh49hs=,tag:78vwn+sCFlEvk7h5Zk1miA==,type:str]
 #ENC[AES256_GCM,data:xcWDxDrT52U2bZhed7TpJ2UWodkxbAz9,iv:+dJRUMBuUs3egZT0AiufC/ynS6TqB9CiFxJPEfmRdK4=,tag:rziNZIYKgK9I4ip+zjD/sw==,type:comment]
 nextcloud_domain: ENC[AES256_GCM,data:wZFqmG1jh8PuO8y0kVbnVXBKJsSm3hOlwg5k,iv:B+o+Oq+VM7MvApjNnHES/Fn8RWt74mabiG0/QPeV+o8=,tag:GWS258HH+1ypTD92GJv3tw==,type:str]
 nextcloud_admin_user: ENC[AES256_GCM,data:4U3nP3A=,iv:AMXFbrY2OijoL6k3ruMG1bmLyf9Mau7xNnt5yb9zpac=,tag:I+oxW4XVyr7v9MX1C4KQkg==,type:str]
 nextcloud_admin_password: ENC[AES256_GCM,data:4nA9pSVCGeMSm6NsrIC1nSriPUztHGhI+gV0bkbQFFSbpuAuQtRGp49OVw==,iv:oLWU/XIs+XUUyKQ21eELMmAI39jqONOQk7nfyWOT8dc=,tag:ctrjeWqP5wGf8suFh2zOIg==,type:str]
 nextcloud_db_password: ENC[AES256_GCM,data:HTwCdlXhbscS51dlg0wqv+Vi+I5SIgYlH2R0yf/H541WT/qNHPdynGi/AA==,iv:Q5VwH/97Qt01du6o+U5NnJU+iJj7pO7mXDmGEdbrEdc=,tag:Vn6E7+xep4WdArqDMhNeZQ==,type:str]
 nextcloud_db_root_password: ENC[AES256_GCM,data:swjuwwWT0ktSwOtyt1VqqLUZ1ix2DnsSXZv8fCX/Yh1G30rVFFGyC/aqyA==,iv:/mEPTWcJIEmKMab3FEntiQwF7Lt1Jb9H2bqNoZHC7v0=,tag:7jJkshLNIgT8VyAh1OjsJw==,type:str]
 #ENC[AES256_GCM,data:h54x0ZvOU2bN6EB8tVk+tBj1P7Kwfad1rx+6wpI=,iv:rJJO2EXzK2nH83OjCivCQX+8PGJlO++vOy54pn9KOi8=,tag:cMxWBdA+M9Y0mVsd5DAlkw==,type:comment]
 redis_password: ENC[AES256_GCM,data:2/VPbr+cvIrrYRKWVl9q5kABx2xB7HJbcBwg66FKtcNpp5wfZInF2sV2Qg==,iv:35hTPuR5Lf00768K1sKQ2AfZDYYiFm/r/imLfGBHYe8=,tag:04Pyr84ji6oagwYD0cMGaA==,type:str]
 #ENC[AES256_GCM,data:OTQvs/J1M2MNMBCdfsX4QeWPvMBJ54Rys40UrZujQUMM1xzl,iv:TaobP0sbel8W/fikk4BQqnrWALLjoaB1DgbvtM0PPBE=,tag:J5xVfVbCpSwjSQLXt1pzYA==,type:comment]
 collabora_admin_password: ENC[AES256_GCM,data:Dii+n/1cbYTOHJ8ENkvrIquw+uCb9Xrqq2nqLP9YsKhKxP9J5JfPoYPImA==,iv:7q6h9TXBBAynVnVgAemWbfDBco8NuOV+XyAj4TW5k/E=,tag:nxhEH6WqMrsZUsCr//dz4w==,type:str]
 sops:
    age:
        - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmMVhQQWlzRlg5dGhDM28w
            RUYwdHFaSlBYd01hRjdLTjNjU3luZUt0SVJnCkVENmVqbG50aTlZZURXUVhaMUFk
            SzUyN002bDhnWHVYQXgwMm5VaEMzNHMKLS0tIGRaK3RETlZyNDlMZFdVOEJkeHhm
            TDFqdjJ0bWxiUFJtajJoNmt0ZzFOYm8KqbRJ3XHLWoszx0FSOmH7KqITASISvqft
            c2K2g+h3qvY23TmhabZtEObi3n6/jb6kuUBzXBM8Dt8DIKKpaKM/1g==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-20T09:25:02Z"
    mac: ENC[AES256_GCM,data:Ewc47PbiJ+pz+rVl2jtLQ8Jwopi2HZqNxg0Lns/2toCCTUtViBrk36fzFV17QAwnskE4pGLBitMz9rzu6YEJuoxAZoAUlBz74hnYkHFq7fsrDudQQt6KVP6hh8l6DhK/DGv5VWR8Q7PO91WmaVHx+kupdJ/6ak63IXJwlzGM+1s=,iv:Hg/0d6YceGN4rjpeSJUxwhpFoKLRXVVqZVQuSAs+eNw=,tag:8D+V2IHqR0nMfEExuI8gQQ==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/clients/wolf.sops.yaml
+++ b/secrets/clients/wolf.sops.yaml
@ -1,38 +0,0 @@
 #ENC[AES256_GCM,data:X8JxD4BECdQWMJOyftwbTW7pBJEHehWH7Q==,iv:VK4F7UbVeopcguqEwLI7cBdICcytulUoxKEqECHcZ54=,tag:WQ8SQL0xqH2+eJGUz+1lDQ==,type:comment]
 #ENC[AES256_GCM,data:WAzAQ435o5E0Fj+lgpo5gAkheXyzK3Omp0EMFVR8RZZhQm0GwZw=,iv:HzcAidUAkkUJP5EIS0O2YeKgqOG+R154VgsLp1dNsdY=,tag:+FZcAlcn/QT7+aIn7zUitA==,type:comment]
 #ENC[AES256_GCM,data:616IuQI+u1ctI0ZjZGXkBConJChApA==,iv:hY4NIGMVPYcbK0/vydVUOU/1bZVnS9aHlRQJie9Kz6U=,tag:/ZzPoERMGTn2IlnX9BTClw==,type:comment]
 client_name: ENC[AES256_GCM,data:V8A2Gw==,iv:v5bJbo5ysVSQsAtvfb8fDcAYfH3agvcDgRp0DvZOS38=,tag:BG1XTCTa4Y6l2GlTuz5skg==,type:str]
 client_domain: ENC[AES256_GCM,data:MUdO7f/2ztG2dIGtATQLHQ==,iv:IQ1xqLjWNnLQYvGi/+TfPkfQREasTiRQQVigouXXCVs=,tag:YwH+/6OMHTGu2ahEPlax4A==,type:str]
 #ENC[AES256_GCM,data:ZUq99t7RcJlDCdpTYhb4K+wHndvNW1H3,iv:J2e5O2MJELpBpCc2bpYZ+HsEhcntAUadzXnyWq/UX9k=,tag:Us+MGcPbKnnCs75INrSU4A==,type:comment]
 authentik_domain: ENC[AES256_GCM,data:Sx7o6OyxPnG1v7Icj19nwGdpVsWO,iv:jqV5WvIMzPxr3AcSOuxAa42pfAzmopNTxBh7jRKwHRI=,tag:QTwm1CXFAbXeuwR10HMO7A==,type:str]
 authentik_db_password: ENC[AES256_GCM,data:o5rhEeBS5+Ek+QvGjOOgFJDQ7Yfucrt/JmZzXlgVX3FIjfwO3Skxlievmg==,iv:JXkgThh+ZxRJBSy4YOEj4DjwiyqBrhQvt3ZFUEaDKCU=,tag:cZ1zpLEE8/6dXFOVvEnHmg==,type:str]
 authentik_secret_key: ENC[AES256_GCM,data:ssWAhp/pg4XfABAJL1gPMgyE9+Mo71zoPXRx7YmoPJ/aEdFNi1TrIB0Bzg==,iv:goQh+6G4hdnUpEKSbNtjP+XObhPNfG2traUCQsiJH04=,tag:ShvaYphpi4AIBJJOPzPWww==,type:str]
 #ENC[AES256_GCM,data:SKCv5gSPF1ysKfQ+QGzjQ2NO1GZKfDMleKjqIg0u4SlaXWtT+E+sLcy2PVu6diU=,iv:81vttO11NXLK2y8puLbCUsJ0xIpdHF9+lj6A13gaQMU=,tag:TywoZTCgTXXRcRLQk4DB1A==,type:comment]
 authentik_bootstrap_password: ENC[AES256_GCM,data:fvX2aNQJBdOWvE4QQyga8mxyrcu4OZu1c89+50SUZVzmYDLdBcfyQwkxFw==,iv:3CFgyMuJ2RFAHQ6dmtrNXWer0H3E9zN1p09JvxKpc54=,tag:W/zOxs3vApM+ZRfub6t0Vg==,type:str]
 authentik_bootstrap_token: ENC[AES256_GCM,data:8tLCJ6Z+2qMUlRNg+AWw+VzRDHu87zughBoGhlTBKfRou4uidVytuj1isdkDig==,iv:y5kxepewo/2ztPwqlZkXsswG/8vGUR6MGaor9RT2nQw=,tag:hKQVnH7yHpHfkKwmHa7ISA==,type:str]
 authentik_bootstrap_email: ENC[AES256_GCM,data:UQNBlZx7C3nu100NetfILGF3IBxg+Q==,iv:Xal8Bt4uRo+SIVbnJVEcB8etzfb1iu1D+84hrxzgRU0=,tag:v2EdR2odSljwEQ8e8zLo+g==,type:str]
 #ENC[AES256_GCM,data:g4pOBP6xgObrVV1k0raT09Nhj2JeTWOY,iv:Qg3gUFdStMo8f9td6wtCMeB0Fv8Ubnn89qpxxKhCgBs=,tag:aEnb089WYAVlFR5y5Klwgg==,type:comment]
 nextcloud_domain: ENC[AES256_GCM,data:lkPMXA/txIq0gsqxpzvD7ludBrEN54FZ3+o=,iv:YwrMdtFwRvzyutZNZxsjQHUxE8Sutgf9wmkXTDVIr4U=,tag:9xn11iq36DNzx9+h/6rwrg==,type:str]
 nextcloud_admin_user: ENC[AES256_GCM,data:rp89lXA=,iv:6aAgoa64CMZ6vH5t/b6Szq4v6tZezwi4GptozGOsVQg=,tag:4Ju7uFSkSGWHzEUE0dPqxQ==,type:str]
 nextcloud_admin_password: ENC[AES256_GCM,data:jGsQKNfActchwAMWWIBBLIW/c4k2WOr4IYWbnojOrbWJQdl19KKLrll0pg==,iv:zjfQc5Q6aDY2nwNVMbsVQWy4avKYM8CcY/13PN+XCZA=,tag:piJV2/Zd023MdS0/fYD31w==,type:str]
 nextcloud_db_password: ENC[AES256_GCM,data:EBc95vFsEjz/HliVhMqM1U1KTKgUisbeq+95lv+Dr2rpD566+d4awJ75jA==,iv:/n9IzxphJ2Aa1N+nGEjVeEPdFHyIRyonqHokkDILxcc=,tag:UzWYPqZxx7uGc+PaDHje1A==,type:str]
 nextcloud_db_root_password: ENC[AES256_GCM,data:QVHxkAfqgPDumApqaHxq4yyiH2XPRKcb///mgze/h5z9AGxTuiBK3IH9BA==,iv:UBzZQkq76BjmEGJYOV4qwEI8k2RDp8MMPDtQflsRUg4=,tag:iIBaM2JTf7GNene07YSGoA==,type:str]
 #ENC[AES256_GCM,data:o9j52wW0iZ7JeaI3JIk2/fSVSvZfuROHdINsnCY=,iv:VErcoWYwmZmMj+3SYoaxt5+Rh5IY2SQoely7CgQDQ/E=,tag:/2wit+v7QN3UIJlcyhvLqw==,type:comment]
 redis_password: ENC[AES256_GCM,data:hmk0W2v4NkaWtBeX7UyoCB2jybvCMELG43YVQkfhV3p56RrDZN8l8R903w==,iv:tAPVgNHCyium1zpd+SmZLjwv5a2X4yCPI9tS3dNUcXA=,tag:ddwibQhE+srBNz5WXS1jZg==,type:str]
 #ENC[AES256_GCM,data:gSdSguHeDnzgAN0RqsgA4XYgSrrdFHAtZRSTdOucoxJOPFjW,iv:POe4KMzLrzHMeeX5lk6mrMUQNc41MqbVjw9iIetnFqg=,tag:L6yj9NpMbEYWzK4x38aLKQ==,type:comment]
 collabora_admin_password: ENC[AES256_GCM,data:TkZZxjmLtKK1pdjq4KYIDbDv4zVhubi3NDDESzn6UY9jmcoGee6Jn0PgBw==,iv:nYtxWCejET8PvjiFIXgaPkt2CKgwRMekDI3zFH6Qpnk=,tag:NLKQqtIhjYcthIqt+unGaQ==,type:str]
 sops:
    age:
        - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpN2hTWS9pVVJtOVB5Q0hy
            cTZnOWxMcXkxZ3A3S0VxTDd4WkVJNXZ6eGlFCnFqem5MRWlsWnowTEI1amJUU1Rw
            Mm9XcVo0WHZQQmVVYTV0Z0lNc0l4c1UKLS0tIGJjNldSd2xhcWxpL3ptb2MxbGky
            bnRCZ0JncVNQUlgra2k4aU5OODlidTgKZzrZKcXDtkz60fkDdSqWLc4/Amp715Lt
            jWlD4nBRPP4EE9lx2k6Nzasms3Kd7jY6XSxM9kdyYMJnw079FhO7oQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-21T10:19:33Z"
    mac: ENC[AES256_GCM,data:Gx+21yPz2TVWBGtn8kAI9pqPU/90o/E/PTSqGJD3aUx+vdmPP2rflV1HBX6Nz8zr3A9a7UDMpzLejGb98B72pOnU31xAKlq22b0MaIlQdg33TL3OKxwwEewPtvhDQDWCf2IrTQtC2SW+Hn1DaV0CxSb58GZWj/NXtVAyq1Fd/zk=,iv:PI18voGa40uB4pJt1PHGBTHAcTfFXLIqzO/z2tHjiPY=,tag:szewwRMLvC05K7fXKbOxrg==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/clients/zwaan.sops.yaml
+++ b/secrets/clients/zwaan.sops.yaml
@ -1,38 +0,0 @@
 #ENC[AES256_GCM,data:grMUWAptTTKARjOLuIU5ebl+z9443cYJq6I=,iv:XQUqmLqDULEaNMbMLQxMHARxuFqWtbCfBawiMprpTbs=,tag:KZCOtofgOKtpuzNuySaJ3Q==,type:comment]
 #ENC[AES256_GCM,data:5jaeagHg9g+wliZySGR8LSv64yL42X3/a2HpGA9Q/Nb5YKaHbuw=,iv:mETlzOquOv3XvFolHznZsL9JtH3jH6bOc0tqZcQ15s4=,tag:LXRyVlxzgkDWjxxWFlw3Pw==,type:comment]
 #ENC[AES256_GCM,data:uU8xSvIXCBoZ7XjCSfs5Qj6F9FCZng==,iv:l9Bk/vQUORlNr6UvQyayOgTn91k5jVGa3f6c5551cYE=,tag:stANmYwcjqI7fiEWUc/KxQ==,type:comment]
 client_name: ENC[AES256_GCM,data:/O1WCS0=,iv:h5c47JPzk1XDAC4PYa0aUoBn/2Ce1985Mwy28CV2b/g=,tag:QyCFX8PEkKnO95CIhJU1FQ==,type:str]
 client_domain: ENC[AES256_GCM,data:fA2w0n4NWUZvd8YtBh/yONQ=,iv:iRlazuwjk7VTRB/pPSzJbNCLblny5sOTV05xvMCaacY=,tag:53J+3212xm9164y+zPbRCw==,type:str]
 #ENC[AES256_GCM,data:+37qvOZXoDc5kc0YJV8fwGxIY9PJUZh6,iv:Pvjicolk7OnE6ugsKVbr9HdTcgwLi1bj7j885xLluxY=,tag:8CqMSrVqkAcXXG4xODEmjw==,type:comment]
 authentik_domain: ENC[AES256_GCM,data:7o4yatWlTgJqYV9WNc7qcNmLanLgJw==,iv:Tx9xJLJUmtps76UWYazjJlhhb5jDMOWH9jQSSzVFI2o=,tag:BkbImmwMq4Yu5eONAAapHA==,type:str]
 authentik_db_password: ENC[AES256_GCM,data:2zbpT5WrC2lDB4U5O0w4LYOVIhSf8zCbIWvRrc/Aqim8H/JXUMyd0kwSuw==,iv:8y1eVLeY4O+jaUFr1uz2/OB5jA0MVenjxV1xknR9VfU=,tag:wL0lDaun8AiUW59fAGiCZA==,type:str]
 authentik_secret_key: ENC[AES256_GCM,data:BCWmzgt7Mm61CVdjmlmgmDHpRL+K9ezooPlYwE0WyNpcObq7xz+dzFG/Iw==,iv:3AG7T9jg0GxLUOQUg96lcnURFjFYPcwtAdbMg9i5JUM=,tag:wdXmSAj8eEjD9mbSuzsPgQ==,type:str]
 #ENC[AES256_GCM,data:CDts7Jm8JDCiOD8ncxHpNVuHt8xOY9Gat4BkkXfA1w1wzibWoSkPdorcxCvIATQ=,iv:/WZqkCy/k3nWosSjqAyMqyjb+BuHX6gaesEbKuL3fR8=,tag:OwrcTDfLdJIqqvGiN2S6AQ==,type:comment]
 authentik_bootstrap_password: ENC[AES256_GCM,data:U95Apb8YvMoE3X9lYmwEK1jVpSOLEIzjpFKO19MLolPF1/MxkQlq3qGZ+A==,iv:/HKFSJc72x8gxL2hIlC/G4BBIkODpM7VZ2RchBo9++E=,tag:amPHnFa1Gl1qYAhs0eSjGQ==,type:str]
 authentik_bootstrap_token: ENC[AES256_GCM,data:nbpEsV1WHV1615BIqsELzzRBYKS1047fOsleQiu1ACAVJ9ak892bbr86WuYC4Q==,iv:UmEja7XaET5j+gd6T9whI6/eSsE586iJf30ugRKu9PM=,tag:hNQe0SddKnUjEI7VaV2pIQ==,type:str]
 authentik_bootstrap_email: ENC[AES256_GCM,data:FVM50ieG/Cngq3jPhMup6oVdRfCaJcI=,iv:dwXJy+6OZONKc06rnfr3ltHgmCoRbpOsgncjWErZewY=,tag:EbjBl/IUXoc9nwhqgoUJlw==,type:str]
 #ENC[AES256_GCM,data:EmSyiq/0LxJCtJ7RT1FPFDuFKPOzOjhI,iv:zl4iKXIAxjmtioJuW2feoxLi+fSD5+G/FWWWnydKZnM=,tag:uQIzJVHDsjiGklmazzqJ/A==,type:comment]
 nextcloud_domain: ENC[AES256_GCM,data:fD6e+FhhTpJwLlfTPx3yCQSaq1CObyN96j3s,iv:NF9zK6qPtONaLsS+yJqODd5nEiOI5pt7Jo5tHXLIOb4=,tag:HHFpqMFhtmT7IKo4woeIBw==,type:str]
 nextcloud_admin_user: ENC[AES256_GCM,data:qP/XelI=,iv:bQUPebAzH/UOX7gs1aRRKfNYcYyhkTVZEcOEFvPGmXs=,tag:JIVcrAWPEQyLSCP6lNkYrw==,type:str]
 nextcloud_admin_password: ENC[AES256_GCM,data:i6sUi+25ls+5bu9pbwxMuyUVLAGwCENjVNOYVwYQlbZDfyiYM82pCcvtnA==,iv:OhOefaqn79U6URjuKwFxrdCE7ECaf2HeUHstrrXftX4=,tag:RQGZE9B5/eDzTP8FIlal0g==,type:str]
 nextcloud_db_password: ENC[AES256_GCM,data:4iQtSJq1vLLzOSCYPCjbvXiUokt2l7PAr0volEffOvxaUWatSyN+5ffI8g==,iv:FG2Pp/aNiNn/8JLj6mGzB/aAxaonGjCN8bZ5cwtEvW8=,tag:MWrlCAv4Ns/0ZymMRpHAMg==,type:str]
 nextcloud_db_root_password: ENC[AES256_GCM,data:AUlBerIg5to+wqvGe4XrV6qyLv7qN5CvBLE/Mh76fwutlkcap7LGnopPJA==,iv:q/UHrYVUOX3IEcVICzEKKUwZSb8xC3GOWyfXsZcrxj4=,tag:M0G55DaVyVSapnZVKvOdHw==,type:str]
 #ENC[AES256_GCM,data:/lkuwDB+t4izxgk8z7srKzVGIUV1ddVuggecZzQ=,iv:5Ew7A1CMl7loBS5Ihwn81ZQIuKxg7svrWRSfjF+Joic=,tag:QJxXoMmIjqv58eUGYVHIJA==,type:comment]
 redis_password: ENC[AES256_GCM,data:Dsb/AdHGNguC+eJAwTkikEJkXDak+U5DwRinANlvu/g9H7oOVu9netXzqQ==,iv:/RDnk/Nq6RrKZhBtJxDdYSBb8NvvlnfpUZQmqsCG46o=,tag:Kc/uL312sB5ZFBVEGjh5Pg==,type:str]
 #ENC[AES256_GCM,data:vHxc31U98vS/+twbwssWGtWWm/2/M9oSiSNW03A41gSDqMyA,iv:vgWYcaaxGcyhNTn/Oox04b9Kd8jWZyGWL/79/Xb06ew=,tag:uX61Pf6boE26XriX+jIJEg==,type:comment]
 collabora_admin_password: ENC[AES256_GCM,data:M+JbmS5WtUl1d2GCoUl72F3NOcaslFGjaz4NwQYYXF+CKEb5DMF0EkaIHg==,iv:X3gdn4NE2O1FyBBRwdDqyYLoEqlmnXqiJ0FlhOd9DyE=,tag:POjkQqrvmB31kRFRspRcDw==,type:str]
 sops:
    age:
        - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRWmdObzRmdWNCWlliaS94
            WWRqUnB3YU84c09mMXZGSGpEclptZHA2Q2tzCnJQdkNiaGlLS0ZmSVlxQTNzaDZO
            SERZZjhaVTZXTzE4N25FVnNybmp0R00KLS0tIGJtV0ZJZEREOHNPVDg3cmRQbDVO
            ZUg3UEJxUFlaWUhTWjh5dXMvbVhVQVUKeSgbz+rYkfLbhNCF/Lgx+vauPCdcaxXC
            hpsERVWHHTu3+XOQbDZ60QCXelUu9kyejlYow0fLP9jMPm7Ifkujnw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-22T10:22:33Z"
    mac: ENC[AES256_GCM,data:H2v+rflUC3HQJD/h2B7N2JGq5A/xUkVFhoCSROOVDm/K+u6UdyPTSf8FBWoDZirXrcCxOUMZjDLz1bhGM02BmHYH5cd53oRlBjK4DHKFniEiaa7JmxB1QVqn8NxsmtU3fS7Noy0tTq8vhnL8RXHQdgO8emUQ43NXoXOh1nPoEas=,iv:Oab+s7v4VtAp8MxN1VUZIDr7v/pFL1JKkTuZ5Kzm6to=,tag:pzNHtuD/TR4K+oJbiS3sbw==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/shared.sops.yaml
+++ b/secrets/shared.sops.yaml
@ -1,33 +1,38 @@
-#ENC[AES256_GCM,data:2YMIFNKq+JsSJeC9Qjm5RwtyC3xK7kUoEcfZDvDl7UrMtSqKr8COUgs=,iv:iNYbG7vJdnxmQEKvKrbKT6DKpXRJasKP+sEl9n8u9kY=,tag:hWIJ51MZDWPKavBcPtfjAA==,type:comment]
+#ENC[AES256_GCM,data:04ALB+Pn3US4027Oh487+ZrAQfoLWwVh7J04BH5bLVk1odSadMrG+sg=,iv:kXjuTiE22hgz7FYcBkDw8ANCbmKBPgNvbLdx85p4kn0=,tag:Y987uVwfd4z2WG3+EsbRTQ==,type:comment]
-#ENC[AES256_GCM,data:7hJjDYJ9YaF6I6b5Dvt+/dvgWIQjjj2AjYrmR0Kno+KKgcg1yEE=,iv:QzwxWutd8vEhusj6IL7xeLxG27PcmKigHnCwZRKEulE=,tag:Q1vlJzRxX7dj8wNrhi+Kfw==,type:comment]
+#ENC[AES256_GCM,data:JR39Jk+yo+4xal384o+cWnxxsgZJhrf6JNCtHvl0iyx8Ukb3R4c=,iv:hY5s0YYbw0aO0958NuHeT0rPicvNoMatdzNfBwMl6/k=,tag:dGP2YmLcU9inq4LR1gFQIQ==,type:comment]
-#ENC[AES256_GCM,data:xtOU9wOXNJEMnPuJN0pxLxP4709/IRV0JhRFyf8BeA/QDlSt9jtyaumsuBuA9aui31+0MyhqvLeBbtE+acnTp9W0RzEo,iv:nUdN95nWS9w/UHTxos3ho58/s/dWBuFc14gWcKxPmbU=,tag:GPgBIAk9+/uNBU+9qbYhhg==,type:comment]
+#ENC[AES256_GCM,data:MwHqTG0q+8qzCl1fbug581WIH/fAdgCuVvjew9ckw9kaXMFdjLwacKMsAAkttGrsHs60jNyOi9YP//p7dqCpDxNT+7be,iv:EAEf4ULn4YdGQSgml3S9SzWtYNPWaAp8xJm/sTrFNRc=,tag:dgEqhUTpI4KSf+jpA0tR6Q==,type:comment]
-hcloud_token: ENC[AES256_GCM,data:8FN2vXof6ud4VolI+uPMWikqOKwTL0Lua4JJgGfGu2F8eFJAKNznNCS47X1HoDCu6ky0tl5jmZvx/RcZU6Ly5g==,iv:Sq4G5gDvoP5HpcsaZFL5bRma3iQdA9shcVjc9NgkUxA=,tag:ww1P2NFJvLyIi1Sbbf0PTg==,type:str]
+hcloud_token: ENC[AES256_GCM,data:cEBVeTBeZaoJ9zNUGeGiqG6svMY9We5Bo+xUxqyP553F/3SGhVNnIoPTQNnhoi33av9SL0TK9XUPshFnB/wAJQ==,iv:e5kv7GQZQqtResfLyWX35T4Bdh9IwoErIOAcUmtr4UM=,tag:uqYqBQYlzOE/2uN3s9lRYg==,type:str]
-#ENC[AES256_GCM,data:dV5m3Mtqq/apW8NLlEpy3KFVyQaKZS8uH4WPD3j0k2pnN3hxIc74p+/GS0V7Ew==,iv:etSVHDonOo9l7AGWt9uQCd9ye6u5yVDlM7BRLJd6keM=,tag:QCNmm+IuuaJZuai2CVBYbw==,type:comment]
+#ENC[AES256_GCM,data:ypfNO7kd/SLrsz2jRIykmbGWJB5Vp8SNUwh6UEE8qhttVf6bECk6a/wBVj4XzA==,iv:379fklcd9rJaq3zvJcAb/IfsFYPxPKX+ZcMmyFQ+ak0=,tag:E6IlkeneMLx2SHibs4pVrw==,type:comment]
-storage_box_host: ENC[AES256_GCM,data:J1YKyjZ9X2x8mapgzhr57K1vZuQ2lCkrWdk=,iv:awswwnWl/ADhsG6flTgUAZGoA+e+A410hCOUQ1cvDZE=,tag:4J4oo0CKNCCNb3LrdNFh3w==,type:str]
+storage_box_host: ENC[AES256_GCM,data:AZAlPKfIAjvqc6YkpIKHutny6ubJLgcpASY=,iv:MYsq9lmFVc4Yq5Dj6dF1sWrHUpcAHmXgsGozT2M2URI=,tag:R1UYUQVZH5UVqrWtBjsBpw==,type:str]
-storage_box_user: ENC[AES256_GCM,data:JIWh720v/g==,iv:HJp+Bx8kS+QnFXlqdiITPuKFOQRgpg08QPxMqEI3AXs=,tag:bDYryqzAgeuESbqCNJlY+Q==,type:str]
+storage_box_user: ENC[AES256_GCM,data:mb3F22aIcQ==,iv:BeOYQV4ZharXF1NlPUC/G3IF98eBbZ0W3XxgMkCuR4o=,tag:stLdytx0n/EvCOta/3Cn/g==,type:str]
-storage_box_password: ENC[AES256_GCM,data:/9eyEsS+sHuWfi2zzLawYwURHryZQ0ug+BP36SqSXgiX,iv:i1VaWheORGkrCZZiCpGqXsxE+lx4a/zEMczJ9hLRsmc=,tag:5OVE90R+e4H0xkI1TP8QjA==,type:str]
+storage_box_password: ENC[AES256_GCM,data:2VSgTly3rNozgfU4lg4Un+K1vmNf5XEq8NTYH1ekcI9a,iv:7uDxpspTVyirGlzaHDZwSE4c/c+4TaMaH7gGCd1X1JY=,tag:njzoKPDLa5mz5RMp2gYOtQ==,type:str]
-#ENC[AES256_GCM,data:AcDfSbReb+Fq5yDcIxTDVN1foKsKKs1eMTCc,iv:m1LZMR4uaLCHH73MrRG3qpv65JSkDFzvF7nIxMNJOWE=,tag:d2hzFSYNO01UEOeCMUJ/bQ==,type:comment]
+#ENC[AES256_GCM,data:qCDYq8QCwrJZu0AiE+d4ePbbBgBQAwZ1knv4,iv:Yx4aEyRVMxQlirfdYyvUXCmukOzaL/XTypB+mRaFwv4=,tag:6DHV8r33jLsVGYNHLNUE+A==,type:comment]
-acme_email: ENC[AES256_GCM,data:by2DuXwa5TmwKuoYB9rQWC7JQ6aJNgwJ,iv:nA/WnVsscIF8n955TOEJ4N6+bTIBesu8VBlk8GjWheo=,tag:RpxSJUt8XG3hrQ8yvSU8vQ==,type:str]
+acme_email: ENC[AES256_GCM,data:7S0SVt/wIV6MexKntpxiioiS62dQ3JNX,iv:xCx4aXuCwDtUzUy4cEhy6Y5G221UtHiUgPBLab14Ti8=,tag:bc4cRIV663cjroTZ9B8Z5g==,type:str]
-#ENC[AES256_GCM,data:oIGUDVmm09wiD9ftBozwyy8I2liAR+SvHOwD2CfePQ7y5aaXs3iCjTQGN4g=,iv:B68aM+QBRx8vDGKunDxUWSCtjWKNtoZojyHu/tAIy70=,tag:qg6uQjRcWuWQhU0u+FUZxw==,type:comment]
+#ENC[AES256_GCM,data:QjXYPryU+RWEpbfh0Iicu6tTog73i7HVzHH3UD5HqyPMs/wSM6q2s9Ap9fw=,iv:sClGgcS7gGKptbJx+UtPn6wfYg/s8kf6GXltFsbpXyE=,tag:9ZygWXObDSCKZjGtZSPIQQ==,type:comment]
-mailgun_api_key: ENC[AES256_GCM,data:xj31QEnmS8z4qGqXuWK1ZJUNXWk2uPOKV4dVtDFxGcsnq/grQTPUY7ZDsp02x441Wfk=,iv:Cdeyk4wSZ9T5tfq45VGE6fNI+PqqDTFf5uf9x0yxIw4=,tag:Qd3WGPtrg7ZNT2J/U4XxDw==,type:str]
+mailgun_api_key: ENC[AES256_GCM,data:+KEwwt3g24KbplG705tOab/AIXOSnpmBvQtscpB0m/UTYHQv9d3h45n1Hplw3kIvEMk=,iv:g1XC1/HqsKeysOWPDk8ArMIvYuw8mRRyjmOtn38oxFI=,tag:MQI//J1Uxw43x/n9baymdA==,type:str]
-#ENC[AES256_GCM,data:XGCm1nYG9utFEgZ08hY+mDzl6KUh0WzlwztGPn/ivn04BA9CXE27uwSFmQZIwtDDUm4r8SvHNmytvd4Jwg==,iv:fGx0xsCmVrRKKQn4YwGeXqk09zGiu421eSpjVlP7yaY=,tag:0dBzVVsASKgzok0wkT9F1w==,type:comment]
+#ENC[AES256_GCM,data:+76iTnTb2ER/8LaZMwnOFe65mqD+01h3WLCtJeiFinaQ9NitTfK/+J6OI+12IIGvFzdDW4Eo1kj1ETxekg==,iv:Y4tAG2TYmMbHpZcq44WzTno4pd5JW9dF1gOvEJw7kjc=,tag:QyXsSR1gd0hI6JYzT1E4uA==,type:comment]
-kuma_username: ENC[AES256_GCM,data:pvaYOaQ=,iv:LEEaIy1d9zeo/0J53G10SrCMWu+decEOJvQKQANpwMk=,tag:6B5uXYIGW9fg0nO7T3MIrQ==,type:str]
+kuma_username: ENC[AES256_GCM,data:zmar2ok=,iv:rdMU87CaPx2SvhIBrTaMI8TzQNMy7mme6LfPwaU0B2g=,tag:GaRPVvNBwt0SEvfT5UR39A==,type:str]
-kuma_password: ENC[AES256_GCM,data:zE2zI+mrQ92I7P/zykqbx4jEACI=,iv:WQ5y/N+WI45fHolYZleoH5/N9ITlNzMTn6xtpGfPFlg=,tag:Jwh8CBShb0Nu8b6ksN5DrQ==,type:str]
+kuma_password: ENC[AES256_GCM,data:GI6fLItkyjmv5yU5EBXIFeHDuQg=,iv:nnc9DfhfsZPKK66Ivme5xSrLaR+onIgEmnrND0gsYvA=,tag:LHIZUTYakGie/UgZdb0wng==,type:str]
-#ENC[AES256_GCM,data:h5PCiXOXU3wcEAv1d5hT+ft9rDETCcDr83LBGwTeiF/PBEEVMHesSsv8Bkn1Icuj,iv:HSk5jzuX233Z6mBIwxcwBLW4Dcw+IEObUkrmkg2wfBw=,tag:473GFIBMhrI07tIBQnFZJw==,type:comment]
+#ENC[AES256_GCM,data:09+nWhVzHUIsLzvn6vkhv7thV2QbDJtv0dEWR+eygYSX7B+n5UhKVFhUyzgan2CA,iv:0Fs9R7cwJErJfC4o7yBpP+uSgxSjRNIZJH7ZMMAtEhs=,tag:w5WZZQrYKh+DdCxmDzbIJQ==,type:comment]
-docker_hub_username: ENC[AES256_GCM,data:4UQe5HoWd0azh1BN,iv:KVAFe4HYtQrzpRVLhVOeVxtrg/VrX0tdh8BW+lCGqZ8=,tag:31NlEomOynhd61qiVwuMlA==,type:str]
+docker_hub_username: ENC[AES256_GCM,data:GJ3X6f0HnRhNTVES,iv:HS2SE/9XAScGl3tCjbvYj8rSeFbyuXsBh4+P5adRo+g=,tag:Deo5k281WG3kQnGDUiFnSA==,type:str]
-docker_hub_password: ENC[AES256_GCM,data:qo7aespQMFAPhfXaKA9q8A07HAwwyoRKBuJy5Qm6zK+HEKiU,iv:l3vx7CIkL4fZOVnQ0CxYuWI1UWl+eIcuqfa55JTOHZU=,tag:jn7izsloBxoZ51Rj+vBdSw==,type:str]
+docker_hub_password: ENC[AES256_GCM,data:Uj3lLaBitHiEK4Z8ki/EfomWDi35eDtrRDMehTqsi7OtMqDY,iv:tVXbAumOn8NlrBBKzUqL6G+W6VZ4hSm0UZO4+ymqqas=,tag:hznzHSJpCwfpaPdJ0fVzVQ==,type:str]
 #ENC[AES256_GCM,data:JR8oUMSIpn1beUD+bLl+3Q1QTJ+fLBrgOb4aZgQJf2A5MnfmYyuz/qgn24eekfuRxV0aPua4RjaUjl77YtWtXwDhcQ6y8pUjhUniW2R5ZnnCyecJ9zs=,iv:NGrXYBj6pVvIGmN8RI8abGrtjPPtkdHRZxahgH087cw=,tag:4gBgYddoK3Nd6pVOLxBcGQ==,type:comment]
 matrix_homeserver_url: ENC[AES256_GCM,data:BEgOaA/kYbT0UU20QPJp+/QR2agNiR6OygG6gyrG8lqV,iv:CVwnqhuEV/VTbcUBliFgp1rLMGNWDyBEyt1xR87O9g4=,tag:azocD23lo9riGtCLBuSIcA==,type:str]
 matrix_diun_user: ENC[AES256_GCM,data:JtO2Zpt2eSPTWcGlgOHtGfMPLUmpKjHK,iv:LMnqHgrybjaTJvMdOs1TsYW4lRdQK1qtiHjVd5tygeY=,tag:tMcNM5pcrpg90BhP1akwxw==,type:str]
 matrix_diun_access_token: ENC[AES256_GCM,data:13118eQvzxkI8AJAXlOfaVn0QyQm3bys5SMxXBRT/9ZlgAFHJpY=,iv:S71vHz5VAucmNUQ2Ttj+QB6Fgo+1kx7fpmwZtDDM04U=,tag:C/Fk4CTu5BkGe0X1pB++8Q==,type:str]
 matrix_diun_room_id: ENC[AES256_GCM,data:uz+tkB+lArVm9XMB/vy3LfwG7YW0JSmpmI/g0hgtecKRorGSAkAD1/PFrWgv,iv:FHgFQ/w4GT/xrQHawEIi1jicri8+WACJcKHKXugImBM=,tag:2M0zFYDE0vQUGxW7YpTT3w==,type:str]
 sops:
    age:
        - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsZDdlWk4vRFZQYTFTU0RW
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuU2JYVlA5bEMrZitEUk95
-            NDh3a3RZalFiQjhYd2NESjZsTlJKa0RvdkVRCnZLdHc1VlhYVHB1bWRmQ0lzRlNM
+            VHltbXgyZUtVTVVicEd3bklPQlRtMURTYTNVCkRXZTJTSkV3aG51emFsQVh2QTBi
-            eitYMG5oc2wrdUw0bVJ2cXlpVW52bEEKLS0tIEtTV2s2eVN3bjljYVduZS9vMW1U
+            QnZ5RmpWN3F6RmFnWTlnWUZZcXBqVW8KLS0tIGR4VTh4M3huNGFORU9CcVlMUllx
-            a1ZFY1NBNW5odFNZaXJSQWxFNjIzVUkKIs0FCN7RRaQBAFp4tBb09C+7c5iSlyLU
+            cWhVaU9sN3dYNER5ZXhRbVpOWHZBS2cKHc0pIQno9sUGsfBxRlHxLQ5BPLerb4qd
-            ZFNIXfMeTHtziiyB3eUtFbZHS0Mec6YijCR90WGm2Vk17dNVTu1Nlg==
+            abbxYhLJ4roN+9dw3d26fEPYESg/lLts1nyZNxNGtTIz1oJG2MwJVg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-01-20T10:38:25Z"
+    lastmodified: "2026-01-23T20:07:21Z"
-    mac: ENC[AES256_GCM,data:4aL5GwxjNYoXaLBdDYtpQ2FiWz6fVPjNvlB4wMX7PedzSPb0+Eix7BK7vG6MHrRZVJzRbWQZb9xmnVzl+Bm8gdyS9ctPBfcZsv94nUFHMW9KLyavvsaf1F7asT0OuyNsHc3A7vfxjO3FT2oNOGOmulpPXKFQK2+87elL52bg80A=,iv:gQU//Hz9+Ku6X31S0ocLr2oQKvw8+Bagx9LEAqelT9s=,tag:f6P5OtH8bAyWt+BuEsdgWA==,type:str]
+    mac: ENC[AES256_GCM,data:huCxiz8tOLyrn2yIcIi2YRMf3TuMPNr9YAsaQJI6aho/4ZqZ7IF3Jm/qrtRsr0tyn3en0UWrQAUnWG+9RQ3AC3fM80T6TghANV4xLXJqNk0WJ5EZ7p4ILDRuuEDqeVcvDYEzawGfCGt6tKL4JVk2BW2PHQz52FaQnJCc4/3Q+ZE=,iv:7pV2UvOz56R+WljGYJl1HeVjXdOqELFvBLE9SKnEzmg=,tag:8Yw7lolyQ2oxTW10o1AdIQ==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/tofu/tfplan
+++ b/tofu/tfplan
--- a/tofu/user-data-private.yml
+++ b/tofu/user-data-private.yml
@ -1,29 +0,0 @@
 #cloud-config
 package_update: true
 package_upgrade: true
 packages:
  - curl
  - wget
  - git
  - python3
  - python3-pip
 runcmd:
  - hostnamectl set-hostname ${hostname}
  - |
    # Configure default route for private-only server
    # Hetzner network route forwards traffic to edge gateway (10.0.0.2)
    # Enable DHCP to get IP from Hetzner Cloud private network
    cat > /etc/netplan/60-private-network.yaml <<'NETPLAN'
    network:
      version: 2
      ethernets:
        enp7s0:
          dhcp4: true
          dhcp4-overrides:
            use-routes: false
          routes:
            - to: default
              via: 10.0.0.1
    NETPLAN
    chmod 600 /etc/netplan/60-private-network.yaml
    netplan apply
Author	SHA1	Message	Date
Pieter	9a38486322	feat: Add brand recovery flow config and improve security - Add brand default recovery flow configuration to Authentik setup - Update create_recovery_flow.py to set brand's recovery flow automatically - All 17 servers now have brand recovery flow configured Security improvements: - Remove secrets/clients/*.sops.yaml from git tracking - Remove ansible/host_vars/ from git tracking - Update .gitignore to exclude sensitive config files - Files remain encrypted and local, just not in repo Note: Files still exist in git history. Consider using BFG Repo Cleaner to remove them completely if needed. 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>	2026-01-26 09:17:08 +01:00
Pieter	12d9fc06e5	feat: Configure Diun with Docker Hub auth and watchRepo control This commit resolves Docker Hub rate limiting issues on all servers by: 1. Adding Docker Hub authentication support to Diun configuration 2. Making watchRepo configurable (disabled to reduce API calls) 3. Creating automation to deploy changes across all 17 servers Changes: - Enhanced diun.yml.j2 template to support: - Configurable watchRepo setting (defaults to true for compatibility) - Docker Hub authentication via regopts when credentials provided - Created 260124-configure-diun-watchrepo.yml playbook to: - Disable watchRepo (only checks specific tags vs entire repo) - Enable Docker Hub authentication (5000 pulls/6h vs 100/6h) - Change schedule to weekly (Monday 6am UTC) - Created configure-diun-all-servers.sh automation script with: - Proper SOPS age key file path handling - Per-server SSH key management - Sequential deployment across all servers - Fixed Authentik OIDC provider meta_launch_url to use client_domain Successfully deployed to all 17 servers (bever, das, egel, haas, kikker, kraai, mees, mol, mus, otter, ree, specht, uil, valk, vos, wolf, zwaan). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2026-01-24 13:16:25 +01:00
Pieter	39c57d583a	feat: Add Nextcloud maintenance automation and cleanup - Add 260124-nextcloud-maintenance.yml playbook for database indices and mimetypes - Add run-maintenance-all-servers.sh script to run maintenance on all servers - Update ansible.cfg with IdentitiesOnly SSH option to prevent auth failures - Remove orphaned SSH keys for deleted servers (black, dev, purple, white, edge) - Remove obsolete edge-traefik and nat-gateway roles - Remove old upgrade playbooks and fix-private-network playbook - Update host_vars for egel, ree, zwaan - Update diun webhook configuration Successfully ran maintenance on all 17 active servers: - Database indices optimized - Mimetypes updated (145-157 new types on most servers) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2026-01-24 12:44:54 +01:00
Pieter	60513601d4	fix: Improve container wait loop to actually wait 5 minutes	2026-01-23 21:41:14 +01:00
Pieter	6af727f665	fix: YAML syntax error in stage verification task	2026-01-23 21:36:30 +01:00
Pieter	fb90d77dbc	feat: Add improved Nextcloud upgrade playbook (v2) Complete rewrite of the upgrade playbook based on lessons learned from the kikker upgrade. The v2 playbook is fully idempotent and handles all edge cases properly. Key improvements over v1: 1. Idempotency - Can be safely re-run after failures 2. Smart version detection - Reads actual running version, not just docker-compose.yml 3. Stage skipping - Automatically skips completed upgrade stages 4. Better maintenance mode handling - Properly enables/disables at right times 5. Backup reuse - Skips backup if already exists from previous run 6. Dynamic upgrade path - Only runs needed stages based on current version 7. Clear status messages - Shows what's happening at each step 8. Proper error handling - Fails gracefully with helpful messages Files: - playbooks/260123-upgrade-nextcloud-v2.yml (main playbook) - playbooks/260123-upgrade-nextcloud-stage-v2.yml (stage tasks) Testing: - v1 playbook partially tested on kikker (manual intervention required) - v2 playbook ready for full end-to-end testing Usage: cd ansible/ HCLOUD_TOKEN="..." ansible-playbook -i hcloud.yml \ playbooks/260123-upgrade-nextcloud-v2.yml --limit <server> \ --private-key "../keys/ssh/<server>" The playbook will: - Detect current version (v30/v31/v32) - Skip stages already completed - Create backup only if needed - Upgrade through required stages - Re-enable critical apps - Update to 'latest' tag 🤖 Generated with Claude Code (https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2026-01-23 21:25:44 +01:00
Pieter	7e91e0e9de	fix: Correct docker_compose_v2 pull parameter syntax	2026-01-23 21:13:49 +01:00
Pieter	c56ba5d567	fix: Restart containers after backup before upgrade stages	2026-01-23 21:03:13 +01:00
Pieter	14256bcbce	feat: Add Nextcloud major version upgrade playbook (v30→v32) Created: 2026-01-23 Add automated playbook to safely upgrade Nextcloud from v30 (EOL) to v32 through staged upgrades, respecting Nextcloud's no-version-skip policy. Features: - Pre-upgrade validation (version, disk space, maintenance mode) - Automatic full backup (database + volumes) - Staged upgrades: v30 → v31 → v32 - Per-stage app disabling/enabling - Database migrations (indices, bigint conversion) - Post-upgrade validation and system checks - Rollback instructions in case of failure - Updates docker-compose.yml to 'latest' tag after success Files: - playbooks/260123-upgrade-nextcloud.yml (main playbook) - playbooks/260123-upgrade-nextcloud-stage.yml (stage tasks) Usage: cd ansible/ HCLOUD_TOKEN="..." ansible-playbook -i hcloud.yml \ playbooks/260123-upgrade-nextcloud.yml --limit kikker Safety: - Creates timestamped backup before any changes - Stops containers during volume backup - Verifies version after each stage - Provides rollback commands in output Ready to upgrade kikker from v30.0.17 to v32.x 🤖 Generated with Claude Code (https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2026-01-23 20:58:25 +01:00
Pieter	27d59e4cd3	chore: Clean up Terraform/Tofu artifacts and improve .gitignore Remove accidentally committed tfplan file and obsolete backup files from the tofu/ directory. Changes: - Remove tofu/tfplan from repository (binary plan file, should not be tracked) - Delete terraform.tfvars.bak (old private network config, no longer needed) - Delete terraform.tfstate.1768302414.backup (outdated state from Jan 13) - Update .gitignore to prevent future commits of: - tfplan files (tofu/tfplan, tofu/.tfplan) - Numbered state backups (tofu/terraform.tfstate..backup) Security Assessment: - tfplan contained infrastructure state (server IPs) but no credentials - No sensitive tokens or passwords were exposed - All actual secrets remain in SOPS-encrypted files only The tfplan was only in commit `b6c9fa6` (post-workshop state) and is now removed going forward. 🤖 Generated with Claude Code (https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2026-01-23 20:45:48 +01:00
		`@ -1 +0,0 @@`
			`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJU6ntTc5bYP4FslcLXjm9C+RsO+hygmlsIo8tGOC1Up client-black-deploy-key`
		`@ -1 +0,0 @@`
			`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvJSvafujjq5eojqH/A66mDLLr7/G9o202QCma0SmPt client-dev-deploy-key`
		`@ -1 +0,0 @@`
			`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICpzsMHVbAZMugslwn2mJnxg30zYrfU3t+zsZ7Lw3DDD edge-server-deploy-key`
		`@ -1 +0,0 @@`
			`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHuR1BR4JaATFwOmLauvvfKjhHarPz1SfnJ+j0caqISr client-purple-deploy-key`
		`@ -1 +0,0 @@`
			`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+BKRVBWUnS2NSPLvP3nxW7oxcv5wfu2DAY1YP0M+6m client-white-deploy-key`