set up birbs website

.sops.yaml

@@ -13,12 +13,13 @@ keys:
   - &nginx-netcup age1ypq3n3e7gnwqddq5dgkdsfm0wqagrm5pl5tkunzp44lcezsllumqsjz0hz
   - &wg-server    age15ydstgk0fmmgy2ugmqufyqhqsqypd2mvy89enzwczz0m8ar2kvzqlcdsm8
   - &nginx-cube   age1nh7nnp3rznfqkzudn7dzkkkxuz0ywjw8hacnftvgh60egtw79ejqam4n4p
+  - &farewellbird age1n7ltu5yh49l7f2pgn7nyp9xpfcp45hjs379yv2txa2t2w0yd2fqq2wt3t9
 
 creation_rules:
   - path_regex: secrets\/all\/*
     key_groups:
       - pgp: [*clara]
-        age: [*wireguard, *mcserver, *zammad, *forgejo, *mastodon, *paperless, *vikunja, *nginx-netcup, *wg-server, *nginx-cube]
+        age: [*wireguard, *mcserver, *zammad, *forgejo, *mastodon, *paperless, *vikunja, *nginx-netcup, *wg-server, *nginx-cube, *farewellbird]
   - path_regex: secrets\/wireguard\/cube.yaml
     key_groups:
       - pgp: [*clara]

configs/container_config.nix

@@ -20,6 +20,9 @@
     wget
     htop
     sudo
+    mtr
+    nettools
+    tcpdump
   ];
 
   # because getting a nix shell is super annoying otherwise

configs/containers/cube/farewellbird.nix

@@ -0,0 +1,24 @@
+{ lib, pkgs, config, ... }: {
+
+  deployment = {
+    targetHost = "10.10.0.5";
+    targetPort = 22;
+    targetUser = "root";
+    tags = [ "cube" ];
+  };
+  networking = {
+    hostName = "farewellbird";
+    interfaces.eth0 = {
+      ipAddress = "10.10.0.5";
+      prefixLength = 32;
+    };
+    defaultGateway = {
+      address = "10.10.0.254";
+      interface = "eth0";
+    };
+  };
+  imports = [
+    ../../container_config.nix
+    ../../services/farewellbird.nix
+  ];
+}

configs/containers/cube/wireguard_cube_container.nix

@@ -1,6 +1,6 @@
 { lib, pkgs, config, ... }: {
   deployment = {
-    targetHost = "192.168.178.123";
+    targetHost = "10.10.0.4";
     targetPort = 22;
     targetUser = "root";
     tags = [ "cube" ];
@@ -8,6 +8,6 @@
   networking.hostName = "wireguard";
   imports = [
     ../../container_config.nix
-    ../../services/wireguard.nix
+    ../../services/wireguard_cube.nix
   ];
 }

configs/containers/netcup_pve/wireguard_netcup_container.nix

@@ -10,6 +10,6 @@
 
   imports = [
     ../../container_config.nix
-    ../../services/wg_server.nix
+    ../../services/wireguard_netcup.nix
   ];
 }

configs/services/farewellbird.nix

@@ -0,0 +1,45 @@
+{ lib, pkgs, config, inputs, ... }:
+let
+  repoDir = "/var/www/site";
+in
+{
+
+  services.nginx =
+    {
+      enable = true;
+      virtualHosts =
+        {
+          "farewellbird.de" = {
+            locations."/" = {
+              root = repoDir;
+            };
+          };
+        };
+    };
+
+  systemd.timers."clone-repo" = {
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnBootSec = "10s";
+      OnUnitActiveSec = "5m";
+      Unit = "clone-repo.service";
+    };
+  };
+  systemd.services."clone-repo" = {
+    script = ''
+      set -eu
+      if test -d ${repoDir}; then
+        cd ${repoDir}
+        ${pkgs.git}/bin/git pull
+      else
+        mkdir mkdir -p $(dirname ${repoDir})
+        ${pkgs.git}/bin/git clone -b pages https://codeberg.org/YourLocalFops/farewellbird.git ${repoDir}
+      fi
+    '';
+    serviceConfig = {
+      Type = "oneshot";
+      User = "root";
+    };
+  };
+  networking.firewall.allowedTCPPorts = [ 80 ];
+}

configs/services/nginx_cube.nix

@@ -17,6 +17,13 @@
           ";
         };
       };
+      "farewellbird.de" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://10.10.0.5";
+        };
+      };
     };
   };
 

configs/services/wireguard.nix

@@ -1,60 +0,0 @@
-{ lib, pkgs, config, ... }:
-let wg_port = 51820;
-in {
-  boot.kernel.sysctl = {
-    "net.ipv4.ip_forward" = lib.mkDefault true;
-    "net.ipv6.conf.all.forwarding" = lib.mkDefault true;
-  };
-
-  # set up secret key
-  sops = {
-    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-    secrets.wg_private_key = {
-      sopsFile = ../../secrets/wireguard/cube.yaml;
-    };
-  };
-
-  networking = {
-    firewall.allowedUDPPorts = [ wg_port ];
-    firewall.rejectPackets = true;
-    firewall.trustedInterfaces = [ "wgbr" "wg0" ];
-    interfaces.wgbr.ipv4 = {
-      routes = [ ];
-      addresses = [
-        {
-          address = "10.8.1.1";
-          prefixLength = 24;
-        }
-      ];
-    };
-
-    wg-quick.interfaces = {
-      wg0 = {
-        # Determines the IP address and subnet of the client's end of the tunnel interface.
-        address = [ "10.8.1.1/16" ];
-        listenPort = wg_port; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
-
-        # Path to the private key file (see sops).
-        privateKeyFile = "/run/secrets/wg_private_key";
-
-        peers = [
-          # For a client configuration, one peer entry for the server will suffice.
-
-          {
-            # Public key of the server (not a file path).
-            publicKey = "AJ1nr0/w8OvsNq5Ju//m4856u7yY0hlPGMEGeZtlhlY=";
-
-            # Forward all the traffic via VPN.
-            allowedIPs = [ "10.8.0.0/16" ];
-
-            # Set this to the server IP and port.
-            endpoint = "202.61.230.52:51820";
-
-            # Send keepalives every 25 seconds. Important to keep NAT tables alive.
-            persistentKeepalive = 25;
-          }
-        ];
-      };
-    };
-  };
-}

configs/services/wireguard_cube.nix

@@ -0,0 +1,99 @@
+{ lib, pkgs, config, ... }:
+let wg_port = 51820;
+in {
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = lib.mkDefault true;
+    "net.ipv6.conf.all.forwarding" = lib.mkDefault true;
+  };
+
+  # set up secret key
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    secrets.wg_private_key = {
+      sopsFile = ../../secrets/wireguard/cube.yaml;
+    };
+  };
+
+  networking = {
+    # Enable NAT
+    nat = {
+      enable = true;
+      enableIPv6 = true;
+      externalInterface = "eth0";
+      internalInterfaces = [ "wg0" ];
+    };
+
+    # Open ports in the firewall
+    firewall = {
+      rejectPackets = true;
+      trustedInterfaces = [ "wgbr" "wg0" ];
+      allowedTCPPorts = [ 53 ];
+      allowedUDPPorts = [ 53 wg_port ];
+    };
+
+    interfaces.wgbr.ipv4 = {
+      routes = [ ];
+      addresses = [
+        {
+          address = "10.8.2.1";
+          prefixLength = 24;
+        }
+      ];
+    };
+
+    defaultGateway = {
+      address = "10.10.0.254";
+      interface = "eth0";
+    };
+
+    interfaces.eth0.ipv4 = {
+      routes = [
+        {
+          address = "10.10.0.0";
+          prefixLength = 16;
+          via = "10.10.0.254";
+        }
+      ];
+      addresses = [
+        {
+          address = "10.10.0.4";
+          prefixLength = 24;
+        }
+      ];
+    };
+
+    wg-quick.interfaces = {
+      wg0 = {
+        # Determines the IP address and subnet of the client's end of the tunnel interface.
+        address = [ "10.8.0.1/24" ];
+        listenPort = wg_port; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+
+        # Path to the private key file (see sops).
+        privateKeyFile = "/run/secrets/wg_private_key";
+
+
+        # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+        postUp = ''
+          ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
+          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.8.1.1/24 -o wgbr -j MASQUERADE
+        '';
+
+        # Undo the above
+        preDown = ''
+          ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
+          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.8.1.1/24 -o wgbr -j MASQUERADE
+        '';
+
+        peers = [
+          # List of allowed peers.
+          {
+            # Laptop Psi
+            publicKey = "msJJwTPHuxLd1KddbNeLscGgiY7r9sQ3vkUnDtb2Fh4=";
+            # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+            allowedIPs = [ "10.8.0.2/32" ];
+          }
+        ];
+      };
+    };
+  };
+}

flake.nix

@@ -7,14 +7,15 @@
     colmena = {
       meta = {
         nixpkgs = import nixpkgs {
+          stdenv.hostPlatform.system = "x86_64-linux";
           system = "x86_64-linux";
         };
         specialArgs = { inherit inputs; };
       };
 
-      zammad = import ./configs/containers/cube/zammad_container.nix;
+      #zammad = import ./configs/containers/cube/zammad_container.nix;
 
-      forgejo = import ./configs/containers/cube/forgejo_container.nix;
+      forgejo = import ./configs/containers/netcup_pve/forgejo_container.nix;
 
       mastodon = import ./configs/containers/netcup_pve/mastodon_container.nix;
 
@@ -23,6 +24,10 @@
       nginx-netcup = import ./configs/containers/netcup_pve/nginx_container.nix;
 
       nginx-cube = import ./configs/containers/cube/nginx_container.nix;
+
+      wireguard-cube = import ./configs/containers/cube/wireguard_cube_container.nix;
+
+      farewellbird = import ./configs/containers/cube/farewellbird.nix;
     };
   };
 }

secrets/all/secrets.yaml

@@ -4,114 +4,123 @@ sops:
         - recipient: age12d8mxwnt0a7gl4uu0uwdqaxuqdf5j7zm50qy5qrhj0kd4ny7luaqv7rj4e
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkbzViclZjWlBBT1dlcnph
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWcTMzNGxCK1VjTm5DWlA0
-            RVVLTG5tWHloa0ZEbmZNbUZBTCt2VWsvWGw4CitWSVlERDd5YnFpak1meDJkN01K
+            QlIxZ0pQejdDa0FTbEpvQnhUNEFsTkt6SVgwCjhyN05Ba0dNQzN1UVF4L2NjQllu
-            V25BQ2Q2elMrMVRpQ1pOMDZTSTJ4dDQKLS0tIDVvY0lscDN0T2xBMjdMUFFidm1j
+            UUhXeFgzNmlENjFtekszVTRiT29oZk0KLS0tIFNJTEw4a1dlR0MrT1d6WGY3VzBh
-            L2F2VC8zb0dSdkN0QVlnTUpyTkdJMFUKL6Gj+Yk/lleYB2iM1ph/OOuxVdwZCSVc
+            M1N1Um50VC83QnErK0VyQ2IzS1lXY0EKXaexvogS/+g+wEdsidqRAmkPBfvXp8cN
-            yE/yN0+5A1nsMcyNDv5/G+BPoeXCr/vzYl320llpAkinhcAl8HKFCQ==
+            K5r6WPKCXvDN6k72tIh7y081dAqJECkELhyOxBfwrsyuEBZXUQsL9w==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1jlt47gkctq7vfrykqlyg9um5mypy872pvtfql7kkpvhnemlex4mq89a3a8
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGYkJ4TW5vRUNobDZtQTd2
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzS3QwN0hEb3RQOTUwbHUv
-            a0V0SzF4TktjWklMUDIyZ2REWWNVUnlqSWtvCkYwVjF3NDJYaFFwSzVrNUNuYmxD
+            S21sSXNOS2pmRVhBM3JVMmk5Yit5c1IvWkNFCjVoU0J5eW5wZ0RMTjVzdHp0NEhj
-            Wk9XVk1EdTFsN25XT2lqM0YzcFJpSGsKLS0tIHVZKzJvdUF4MzlENTFvek5admlK
+            S3VDT3EzSkV6aHNmZTRjN2N1Q2RwQjgKLS0tIDdMNHdUVGtyd1pMaDZ2MHU3eXZW
-            Q3NCVDlGOHh3Ylp6N25rZVByUEhEUHMKRxGmaE5lLhHlg++yKRG/TpoMhc5+7h5g
+            YkFHdGdJWnhLaENlU050WkZoNWRZeWMK50XHXXrfs5aZNG0tYFotayCFji6JXzak
-            uv0zN6q9g1ULgMDdbC5v5g4n6ssIHHb50cFkjEm7b7ee7PWiPJ3/xw==
+            Lsv/yBO6rK4wNfWuNU8ap7wjLpRxLVqNa1xJya/dYMe1eddUCxYD8Q==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age14ukkn4plvnjacvjux929qwpeynxk4cfxw285vlwddqakm43kfyysfdg02c
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzcDlValVTL1czVG4vaXQ0
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEZVk1TUV6VHN5Ym5MMkFL
-            NWUzR2lGTk84NnFrd051K2pwZ25lekdBdXd3CmpWWnVlZWswelNMUlVlazg1Wkxw
+            SXdyWndzTCtyRzBFV1hsV3M5a1FLZHdYZUI0ClNaUmhxUGMxd1cwNzBzczJUU2hR
-            VlhsNUVrckxzajhKQStzUGdBTG5Ea0UKLS0tIHRGc2FMV2VUeVFJWHdJUEJyYXUr
+            eXR5elV5T2htTHN1OUpwSlZpZ1NnZ0kKLS0tIElWN2pwSVpHOEM3Vm9JenRlUHdE
-            bGF6eDN0Y0F5cjdPSTJqdDl1M2lHTHcK6QwAWnajE5yBLd+Fp095TCVEurBaGAV8
+            bkRCR21DbFU3NFhaZ1hGdlRTMmVpZXMKV1EnC8KOE9HlYrtO5kJRi/Jxz4/bghwR
-            hWvLup7dztIxXVKCK7epHvKEamaM/dSahnY6Muvy9GK0Rkf2YDpE/Q==
+            njmfI3nStV7OR07AT7QGp35nXCEy0lJESiVARCTwWmzf4mtqhYg1yg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1vd33efsea2509hm0dwmhkuu7mm2kgw6tsss6lmzsqfg7gat06qyqys3qfh
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrajRUT1lteFg1cWlvVlhw
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrL0wrdmhmUGwyVWkyWnB4
-            RnQzcjM1S045YWJ5L0FiUnMwM0ZWVzRkRkhrCnVLRzVhSE9seXMzUVRFMGY3VlJn
+            STBwMFlTaHpwNVZLeCtBZU9NS05PeS9Md2x3ClVIdUp0UjZMN3VZZ0RaUGhrOXI5
-            UGpFZmtVenZNbWVxNWlFbFNvMURHWG8KLS0tIEthRGc2dHRGbDNjcDVMY2ZEK29q
+            Q2g3RHpFdFI5dWwrTmdCQzBycDNxSTQKLS0tIGVEZGMrZUZCK2tLSjh4MEZhTVlv
-            M1FHemlxcXV0VTEyZTlYeUF3dmlBZWMKzcuj0FXT2s+L7LVYcwigSMFb4jtOEhSz
+            NHBySGdjVlVtZFpMaUdqN3dlWklsVWcKMhLmsGRJcmwJEgK8KvHDgYKONPrpFUzt
-            OZYZVl3NzyfoU2Y0PeyIiv5g2CI+EYPUrTPf/HJLeYLQftW9FBUhGA==
+            uXIV9KV4HnDnWVk0d9kAAmNP/9m0JkuqArp8Gv0n5fZyv02mROANKg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age19efecaur72d92g452zpe4uxjtwev2ktjtaezascxg9l2p8544s8s05d93r
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQQWxyUG0zNlFEcmNhRzhE
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBN1lpWnhNbUViUmRlME9Q
-            cVZ2ODBBWmZNYk0vWS9qSmpvSkUyQmcyZ3dBCjBXTWxEdk9RbWdHQ2thOVZtamVh
+            V3lMN3JtNTNHSHZhcnk3Snp3cS9WcGxGdTF3CmV6QkNNWVg5VVdrY1dtbWtJaWFP
-            NXIwdlRmZE9hWXpvUlZWRFgwRGFqZncKLS0tIDNSQmlmSzJmOGl1aHhnQ3o0VmR2
+            SFU5aXM0bWNBWnZaTVVCaUN6Z085UFEKLS0tIFVFV1AveUZiZW9xMVVVVmh6SWph
-            Z2tpUDUxWWlmczdiVmUyUTBaUnlIZncKIVv0fUmv1w0OjI4Fg7Xj4XSeXMAJurJN
+            TXR5R0lMek1lOXkxTm1aZXZ3SWxZUzgK18VJbvxSpEBqLTh8wRWtly3oPu+mfxEl
-            Hs9Ydo8FLd6jKJbj75oGqhwFIM5t+9GkH2dvk92mhDmW3Yxx4Y08KA==
+            pVRHhPUnm+yBIY7Io8G9Z5MQ6KI1n15Yi735882LYuI6ErW3Utnb8w==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1zj3tzzcpyq5s66phlrf2g203am7vl6vxg2jlpr8vy6u385xljapqt0d2fr
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjM2xJMEk5R0ZhZjAvQ3Zm
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWMmtEN3Z4bTZSOFBNcUl4
-            b0FyY2xXWnVZa3k0ZWRUVHphejV6d0lBWnpBCjNVbmY0bWhJV1RXSm8zUzY0TFo0
+            UlJEVWNuSTFDRXV5NmxDcERzTHdWYXl4QVM4Cmd0L3FJUVphMkR4SXFBY1UrekM5
-            a3k0dGFxSGhRMzYzekM0Nk9yK3lIVWMKLS0tIGY2TEQ5S0J0UnI4RjZ3a3JNSWc1
+            OVRFd1N6Q1JJbUhaOWFoc3h4OTRvNkkKLS0tIHFHN00vblVHY1dlOFVsY1dhWWU5
-            eEVOSTc2YkpSWGtnN0FaYVZRTnZoR3cKf6LLS80KXUr9EzPkPrZRIUgt4JDmDLzT
+            MDFmeDBRMTFld2xHZEo0dkozN3hCWlEKJMSa6v8kbtHboVE6j6+a+TptU2j3EtwX
-            kflBMSaUsg1QJ3dSw3jAIJfVaOXm5Mo2fyBZmp9CtmqJ1VELXB/WSw==
+            gfmAmLjEMhgQKOuK0uSWxR1CnmI53R0u+FibcGziOCp258y7LvUfFw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1h7yq7n8gcw35apr7jn8r66dwss4hfcdv0sf4ankfxquyavlrqukqhr0lrc
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVWUxXck9ENWladlpoZlgx
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwM0VJSlpqZHROa2tmL3RC
-            TEFObE5QVGlVKzltaXcwY1hicVhOYnlPSmkwCnhzVHRTdmo2YnY0NEI1dHZhR0hS
+            NVZlMTMvSk02TDdVdXBadytzVU9LSHRkNHpNCm1SMlJoY3NQWUF0QmZ6MGtUdEhZ
-            VW9LYzUzbUZZMEpsRHIwYnNXeFRBcGsKLS0tIDhaUzVZQTRLS1pJaWhpSVhGaXZL
+            ZjZKdTRVUXptWDdXQ3BhODJEVkFsK1kKLS0tIGtOZnZleURBcjNTMGpMQnoyYnh0
-            S2w4UnFwUFJjUlBUYzR3MjFBVFF0cjgKCmNXjm0yJdZGO7kKPQGv2qaYEZQkbF9a
+            c25LQXZ6d2ROV1BzQ2lvbE15TVhkdmcKIK0iCAItEau9ZPxc14uKXnLP49bPIxFW
-            Jijh75gl0ypHXoIkDDFzqtf9/ss6eUmTOTEs4rKeYkKl7Ze7TNiatA==
+            xTbkllqzUHWsUN0EpY1WhClTl4T582n59RStvKDGvEsJty5tMl4PUg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ypq3n3e7gnwqddq5dgkdsfm0wqagrm5pl5tkunzp44lcezsllumqsjz0hz
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNaS9aTWNqYU1qMlZkdW5G
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXQWpSaVNvaEY2UTVOVXN3
-            d3h1b0hZSDkycnhtRDlYTkF6SUxtVitWM0NzCm5uVzJua0dheE80QW5sN1FqUlJG
+            enM4Rkt3T2VjdmhreFpRd3JsSFNBK040N0hZCkhycndyQi9hbnZ6dFN4WC9iM1N2
-            UnV0WEh6SzE3UjhaeGpUY0prSnhOZEUKLS0tIHZhNWx3V0tFNzJrSVJBaUdoczN0
+            YUFiQjVWSXFNMURrczRWYjg5QUJucVUKLS0tIDg2aHVhSm5tNHlSRk1XdUVna3Fw
-            bnJLODQ2NVd4VDkyNHRHbUNpam1mRVkKc/bMfj6h/KerTkr+Fgyv1y5mwPm/jJ/z
+            bUl6bGZDaC8xZUpjVkQ1ajRFWFA0bHMK4hvw9uQyJprR5kpaVD7S/XRdlde66KB4
-            jrtIy7Kz+JtlE3p/TkkazHBie9A/RxBUEPTsa/SS2vT+RViB2AhBbA==
+            DqHP50q0KT6BIqWgbO163ppwzHzLhqkAYCHEz0V7lbekv1JHuj+RRg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age15ydstgk0fmmgy2ugmqufyqhqsqypd2mvy89enzwczz0m8ar2kvzqlcdsm8
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtM1FqZG9WL1EyNDVZWlJw
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBONkdtNWw3Y0xGaElmWkZ3
-            djBFbUQwNEkyTDU0Z2psY2FLdTVKRU82VldZCkR4WkJMQjJWU3VsZ1NEL1RGQk5V
+            QjRkMmhxVUs3Mk81bWNyKzlZblF4VmJhN1ZRCmJzZ2FtdTNmMytINUJ0c3hKSDU1
-            VU84M081VVFqOXc0bGQwdThEcWthNjQKLS0tIHVFUU5YeHFBOXA0dGR0aXhCQmFa
+            a00vV09JTkhHb2c3Vm44MlgvOVozaXMKLS0tIDFiK1h6Rnd2LzhHOWI4djd1SzB2
-            VSthN3l3cm5ISC9rR0tLMDBmRHkyWkUKhflWL3W72KLrglJCCykaTcrHSyMeGS+s
+            NHFYTWlEeTdFSjR6WUtjKzM5bnRDUUkKDcUdTggzv3l4GI4iR24YqZNztrSVKWYm
-            EMDQck7nY0n5JMEybq1F14EFTv7jGDseLlss3f18Jeseov47JIao8w==
+            rPCDaDtA4UVTm04H2G8jG4m0wAVaAtnpVN4nm18B9pObFUHVVh/+VQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1nh7nnp3rznfqkzudn7dzkkkxuz0ywjw8hacnftvgh60egtw79ejqam4n4p
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzNDhwenphZGUxK3lSbEYv
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBERmY4TUlIK0liWlVlTS9v
-            d3lvN29VSzNVcFpZN2NHU3VUdnhsWjltQkVBCitHL3RzdmswdWltUU9LNGE4Zy9N
+            OWRRRVc5bkt0ajRpdVpZc2E3bm5OWTNzaVZNCnc0RkV0enFLN3ZJZ1J5a1FKSlQ3
-            dHBpYkV5Z2FTaE4zRThXS1RMbFdiRWsKLS0tIE9pdjI1YWw2b2hoSzF0QUtmbmJN
+            aWNGeTlaOHc0SjcrSkRINW1iWEhGR2cKLS0tIGhNeW9NZ20rNGtXSENodE1BNHlj
-            cE9PZXdBcTY3WVZlSW55dE1hcFp4eXcKXMAWZ2lfYhsJrKSaWeRIByeop6A92vxd
+            NndsN3Zja1hQRkxNNDBYZnorTFpTOGsKvMY9ajPmibz1s7AU+yN8lWHdmh0gu0II
-            f4lKX5/y5lu9EIH3j16laswfrOYLGpvopbrj2rOp4vWQ0axWVg04Jw==
+            N+bjKnq4i2KeBpYAP8C7w5otHRIVcq+RAmW7R0q3z0wNrHuZVWexFA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1n7ltu5yh49l7f2pgn7nyp9xpfcp45hjs379yv2txa2t2w0yd2fqq2wt3t9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLNEJkdVB5bEJmNlY1OWQ0
+            N2dSRDRTZThHTFN1bFNQMnptNWFZYUVEVFJFCnJCWXFUcVdFT1p6L08vMVIzdHVv
+            V0RjZ1ljaW5DanVjY25rWXBubkNnYTgKLS0tIDQyOSt4UmhjcFoyWTRYT29sQlQ5
+            OXlLNHlpdHBvQzJVd2FOSGhBTVhJQUUK551YtRFBxVmmWuKulnBSps3Z8Y2k4YFF
+            Gf1JZc4Y8ggyLdEtr2ArmCVC/u02+6B+p7T1Ja76f8dp8mqUSppjHg==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-08-08T15:38:19Z"
     mac: ENC[AES256_GCM,data:IoqrJyCNad4/OFH6y24kYMwnkF3OWfsw77POg00btvw7FoPoaSJ76RySMs6hgWs202bDYSDi44OvbgCVeNPkhe9eyM0gwF0Gf0cE3wirc+qj2qfL9/lMOTZm02WymMglJf6xTcPo3BH00XryR7ptid9+WrB0S2aBVNlcXSBwpzY=,iv:aLI2SyUzWqp/4XFPhogq2vq/u47bs6Gmgc/PRMe+GmM=,tag:jVnW7EkqDRfQluGTiw0olA==,type:str]
     pgp:
-        - created_at: "2025-11-18T15:06:30Z"
+        - created_at: "2025-11-24T13:25:53Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMAzwtBoBqH5ZOARAAiUhe3cBmpiJrkNinVIqUw+52Q1GC20LmQVfounrLxegY
+            hQIMAzwtBoBqH5ZOAQ/+PPG+DkWHyr1BWMsxmOmxk47TMjVvU9y1XPjTfgXgoE/2
-            5hEWzKUKs3qBF54oVnLITUJfgYAxYMW9Zn0nlASSPc5QHUGNv013KgOaPQjwaoXS
+            kRLgnUd57rOzjbHuYW6ipctdBsu/o3kJwRdqXySVoLckaHoqoErejG7msypuDaKj
-            8Z3wYMh3qFObbJVmiPI7FtoGfBh6WXfPgPwTjzMfsOJg1zr4WWJzuBJbhMtiI3zJ
+            0lCFE8KAwqN5QJwYZOFeJ/WN+kbsVTWY2tUgN3kPLTrF/mQwKY1b5gAOvNRjaPLw
-            rrJiK0IYzQkoha34oT1VJaHBH+xQha2JWVIZ4pBKZLkTJFQYKckAxeKmlEn8nQTT
+            rYeR29fJge1PNH6PeaY9ODGG4NU0YctUz0AO0RSVEpO5rxTdxHMzpK6xtviQKhwA
-            SJwtBKKlc80fZCe/s7hwKPm0GTTV+wwv1jvCsaf/GIFqKoMOBmqEAz8GcETQNaFC
+            9MaHJWZmL8F0ccCLM60QO4NHPFe/cw/qhYqAXcc1IJDwOU4uslNwnZY7x0V7dwWt
-            sNkDWWFlxlsioG6Zi+Ok7tvFhyxEoF4sABuYx8LoBbL12UgZJRbhM7HIakxnORBu
+            I9RS73cz4fgaFDLmBl45GOnii5D8Nz4AXfkOyv7hXTbsV86LErudHwV3ARObU9LN
-            a3QomZKAxfZ4zMRKaOYjUVGFdoJWgxb3wqa5WiHM5GeOQJzRzdpPwdTJPrxQSsx4
+            VCln1hu9bbGZXNbxzQceaHFgnnGj+2AC/+T+jZntayMeIKFVEWhKLWl6z47PqEpO
-            /p5+MOFoia9GdBbwcdkVEopX+m5TvY+i3Gs/GnHSWZaXQBjhSW/O5UE29dHas3ai
+            wJRuXnDfuWyg14qVXZ/w43NVvFPAiPBEMZCLSOZXgn2SUD1rbvFuyXo1ZPTi8b4I
-            tY+1FVnUpVyCnqF/BXRhgXydpVzZEAHoYF/hz2ah7AI2CnmeQ3ypO1DsfoADkgm+
+            yPeYUmSRsrw4ZVgT/loS4Y7JTRe7P1x05csIMsrEHrXsAS3oWxEg52/FufChvwaz
-            iinHFmU+ZpZJndpPsjoarJHBySoK4N34JsiJcv4DGv+4XbtEySb/r7rgZzrRNuj5
+            SYdg48lPK1lPpehmAwVNmtugMXIP9GVEa/BZO8Pj4cJQoF780q4TknwkWyFqTWEh
-            tMtmQs82Ii+836NDImvJs8vg2H40bPLsVMtJ7xAYSGLXDDueXHPmCFOuJZ0KsR/S
+            E8wgEzyUB14g8CCxzteOWsv/1WtuXylp4/yEQe2/pSGAR4r4KLf2ZRL1Nj3GsMnS
-            XgFe91sDNTG/6j0PEilYTMyp04qMaxwT4teouMRlLr/rACJj5jpt5BVO4K8nDaYf
+            XgEtYhgBHg4mmUd8T/uo63ZRKGtlLNLLdKkSLkzm0wgTY//r1iEhqwOMQjbRPuM7
-            uq0wX2mXYJqoWZU1DBYO0vRRTpcpenLMV5M+ZrUy2LQINmLCUAuFB73cGUlQNac=
+            osITmHr5VPhQYLKkEMeg4IweXsN6Zkb79un32hcFGlBGJcMpI22m0svDmGhB5oc=
-            =8FwO
+            =USV4
             -----END PGP MESSAGE-----
           fp: 58EF8D71114EF548DEE3320DE6F04916B6EEBD83
     unencrypted_suffix: _unencrypted