From 81b553c8b00845dd33a6095d4cb6ce8fdf277e7a Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Mon, 10 Feb 2025 22:51:18 +0100
Subject: [PATCH] Replace Authelia with Authentik
---
 deployments.nix | 6 +-
 flake.lock | 23 +---
 flake.nix | 1 -
 modules/authelia.nix | 227 -------------------------------
 modules/authentik.nix | 78 +++++++++++
 modules/bootstrap-default.nix | 5 +-
 modules/cyberchef.nix | 2 -
 modules/default.nix | 2 +-
 modules/freshrss.nix | 13 +-
 modules/hedgedoc.nix | 16 +--
 modules/traefik.nix | 18 ---
 nixng-configurations/default.nix | 5 +-
 secrets.yml | 34 ++---
 13 files changed, 117 insertions(+), 313 deletions(-)
 delete mode 100644 modules/authelia.nix
 create mode 100644 modules/authentik.nix
diff --git a/deployments.nix b/deployments.nix
index a2bce23..f99a14b 100644
--- a/deployments.nix
+++ b/deployments.nix
@@ -124,8 +124,8 @@
 namespace = "ntfy";
 };
- authelia = {
- module.authelia.enable = true;
- namespace = "authelia";
+ authentik = {
+ module.authentik.enable = true;
+ namespace = "authentik";
 };
 }
diff --git a/flake.lock b/flake.lock
index fb4e805..5cc2453 100644
--- a/flake.lock
+++ b/flake.lock
@@ -666,11 +666,11 @@
 "poetry2nix": "poetry2nix"
 },
 "locked": {
- "lastModified": 1738631908,
- "narHash": "sha256-ndQgb/SAeOcgbsG7b+7qhrVn+XSTjs/Vk5m7eEb/HZY=",
+ "lastModified": 1739200411,
+ "narHash": "sha256-9Vil9l0+QIPhEh/97Ehu3yoqaR+5d820F/tMY6rtbYs=",
 "owner": "farcaller",
 "repo": "nixhelm",
- "rev": "e105a8264cc981d47a0f6fbfcdcc87681487aa0c",
+ "rev": "5b365cdeae7077e6c06524d5317f82a593546b50",
 "type": "github"
 },
 "original": {
@@ -786,22 +786,6 @@
 "type": "github"
 }
 },
- "nixpkgs-prowlarr": {
- "locked": {
- "lastModified": 1737932785,
- "narHash": "sha256-0OW0c742vfXyJflQGWhwMSxk/nbivBOibHei8P2ADRA=",
- "owner": "rhoriguchi",
- "repo": "nixpkgs",
- "rev": "67ead92f4a53625a8afbead0107a6139c4f668b6",
- "type": "github"
- },
- "original": {
- "owner": "rhoriguchi",
- "ref": "prowlarr",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
 "nixpkgs-stable": {
 "locked": {
 "lastModified": 1720386169,
@@ -968,7 +952,6 @@
 "nixng": "nixng",
 "nixpkgs": "nixpkgs_3",
 "nixpkgs-master": "nixpkgs-master",
- "nixpkgs-prowlarr": "nixpkgs-prowlarr",
 "servers": "servers",
 "treefmt-nix": "treefmt-nix_4"
 }
diff --git a/flake.nix b/flake.nix
index 817bea0..0a2c12d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -7,7 +7,6 @@
 flake-utils.url = "github:numtide/flake-utils";
 treefmt-nix.url = "github:numtide/treefmt-nix";
 blog.url = "git+https://git.kun.is/pim/blog";
- nixpkgs-prowlarr.url = "github:rhoriguchi/nixpkgs/prowlarr";
 git-hooks = {
 url = "github:cachix/git-hooks.nix";
diff --git a/modules/authelia.nix b/modules/authelia.nix
deleted file mode 100644
index 517c4a7..0000000
--- a/modules/authelia.nix
+++ /dev/null
@@ -1,227 +0,0 @@ -{ - nixhelm, - system, - config, - lib, - ... -}: { - options.authelia.enable = lib.mkEnableOption "authelia"; - - config = lib.mkIf config.authelia.enable { - kubernetes = { - helm.releases.authelia = { - chart = nixhelm.chartsDerivations.${system}.authelia.authelia; - includeCRDs = true; - namespace = "authelia"; - - values = { - pod = { - kind = "Deployment"; - replicas = 1; - - extraVolumes = [ - { - name = "data"; - persistentVolumeClaim.claimName = "data"; - } - ]; - - extraVolumeMounts = [ - { - name = "data"; - mountPath = "/storage"; - } - ]; - }; - - secret.additionalSecrets.authelia.items = [ - { - key = "storage"; - path = "storage"; - } - { - key = "session"; - path = "session"; - } - { - key = "users"; - path = "users"; - } - { - key = "smtpPassword"; - path = "smtpPassword"; - } - { - key = "oidc_hmac_secret"; - path = "oidc_hmac_secret"; - } - { - key = "oidc_jwk_rs256_private"; - path = "oidc.jwk.RS256.pem"; - } - { - key = "freshrss_client_secret"; - path = "freshrss_client_secret"; - } - { - key = "hedgedoc_client_secret"; - path = "hedgedoc_client_secret"; - } - ]; - - configMap = { - identity_providers.oidc = { - enabled = true; - - hmac_secret = { - secret_name = "authelia"; - path = "oidc_hmac_secret"; - }; - - jwks = [ - { - algorithm = "RS256"; - key.path = "/secrets/authelia/oidc.jwk.RS256.pem"; - } - ]; - - clients = [ - { - client_id = "HDp48U5TaX-3gWKNEfHx5ea2C7gfaQm-OsSWREq4WTzln56IBGy.rT61lq9rF-LTZFlWOd44"; - client_name = "FreshRSS"; - client_secret.path = "/secrets/authelia/freshrss_client_secret"; - public = false; - authorization_policy = "two_factor"; - redirect_uris = ["https://freshrss.griffin-mermaid.ts.net/i/oidc/"]; - scopes = ["openid" "groups" "email" "profile"]; - userinfo_signed_response_alg = "none"; - token_endpoint_auth_method = "client_secret_basic"; - consent_mode = "implicit"; - } - { - client_id = "ZZI33JnLIuGk58HPkN_YEfETxNTz-1Mq--YPu9Sa6Y39BwykY0GDmxBVn1w9X70fIHT09xHq"; - client_name = 
"HedgeDoc"; - client_secret.path = "/secrets/authelia/hedgedoc_client_secret"; - public = false; - authorization_policy = "two_factor"; - redirect_uris = ["https://md.kun.is/auth/oauth2/callback"]; - scopes = ["openid" "profile" "email" "groups"]; - userinfo_signed_response_alg = "none"; - token_endpoint_auth_method = "client_secret_post"; - consent_mode = "implicit"; - } - ]; - }; - - access_control = { - default_policy = "one_factor"; - - rules = [ - { - domain = "cyberchef.kun.is"; - policy = "two_factor"; - } - ]; - }; - - authentication_backend = { - password_reset.disable = true; - ldap.enabled = false; - - file = { - enabled = true; - path = "/secrets/authelia/users"; - search.email = true; - password.algorithm = "argon2"; - }; - }; - - storage = { - encryption_key = { - secret_name = "authelia"; - path = "storage"; - }; - - local = { - enabled = true; - path = "/storage/database.sqlite"; - }; - }; - - session = { - encryption_key = { - secret_name = "authelia"; - path = "session"; - }; - - cookies = [ - { - domain = "kun.is"; - subdomain = "auth"; - } - ]; - }; - - notifier = { - filesystem.enabled = false; - - smtp = { - enabled = true; - address = "submission://mail.smtp2go.com:2525"; - identifier = "auth.kun.is"; - sender = "Authelia "; - username = "uxY88HYzbBTAoWYm4PUxpT76u"; - - password = { - secret_name = "authelia"; - path = "smtpPassword"; - }; - }; - }; - }; - }; - }; - - resources = { - deployments.authelia.spec = { - strategy = { - type = "RollingUpdate"; - - rollingUpdate = { - maxSurge = lib.mkForce 0; - maxUnavailable = lib.mkForce 1; - }; - }; - }; - - secrets.authelia.stringData = { - storage = "ref+sops://secrets.yml#/authelia/encryption_keys/storage"; - session = "ref+sops://secrets.yml#/authelia/encryption_keys/session"; - smtpPassword = "ref+sops://secrets.yml#/authelia/smtpPassword"; - users = "ref+sops://secrets.yml#/authelia/users"; - oidc_hmac_secret = "ref+sops://secrets.yml#/authelia/oidc/hmac_secret"; - oidc_jwk_rs256_private = 
"ref+sops://secrets.yml#/authelia/oidc/jwk_rs256/private"; - oidc_jwk_rs256_public = "ref+sops://secrets.yml#/authelia/oidc/jwk_rs256/public"; - freshrss_client_secret = "ref+sops://secrets.yml#/freshrss/oidc/client_secret/digest"; - hedgedoc_client_secret = "ref+sops://secrets.yml#/hedgedoc/oidc/client_secret/digest"; - }; - }; - }; - - lab = { - ingresses.authelia = { - host = "auth.kun.is"; - - service = { - name = "authelia"; - portName = "http"; - }; - }; - - longhorn.persistentVolumeClaim.data = { - volumeName = "authelia"; - storage = "100Mi"; - }; - }; - }; -} diff --git a/modules/authentik.nix b/modules/authentik.nix new file mode 100644 index 0000000..d29c715 --- /dev/null +++ b/modules/authentik.nix 
@@ -0,0 +1,78 @@
+{
+ nixhelm,
+ system,
+ config,
+ lib,
+ ...
+}: {
+ options.authentik.enable = lib.mkEnableOption "authentik";
+
+ config = lib.mkIf config.authentik.enable {
+ kubernetes = {
+ helm.releases.authentik = {
+ chart = nixhelm.chartsDerivations.${system}.authentik.authentik;
+ includeCRDs = true;
+ namespace = "authentik";
+
+ values = {
+ authentik = {
+ secret_key = "ref+sops://secrets.yml#/authentik/secret_key";
+ postgresql.password = "ref+sops://secrets.yml#/authentik/postgresql_password";
+ };
+
+ postgresql = {
+ enabled = true;
+ auth.password = "ref+sops://secrets.yml#/authentik/postgresql_password";
+ primary.persistence.existingClaim = "db";
+ };
+
+ redis = {
+ enabled = true;
+ master.persistence.existingClaim = "redis";
+ };
+
+ email = {
+ host = "mail.smtp2go.com";
+ port = 2525;
+ username = "ref+sops://secrets.yml#/smtp2go/username";
+ password = "ref+sops://secrets.yml#/smtp2go/password";
+ from = "Authentik ";
+ };
+ };
+ };
+ };
+
+ lab = {
+ longhorn.persistentVolumeClaim = {
+ db = {
+ volumeName = "authentik-db";
+ storage = "10Gi";
+ };
+
+ redis = {
+ volumeName = "authentik-redis";
+ storage = "5Gi";
+ };
+ };
+
+ ingresses.authentik = {
+ host = "authentik.kun.is";
+
+ service = {
+ name = "authentik-server";
+ portName = "http";
+ };
+ };
+
+ tailscaleIngresses = {
+ tailscale-authentik = {
+ host = "authentik";
+ service = {
+ name = "authentik-server";
+ portName = "http";
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/modules/bootstrap-default.nix b/modules/bootstrap-default.nix
index 59e51a1..9a0fbb7 100644
--- a/modules/bootstrap-default.nix
+++ b/modules/bootstrap-default.nix
@@ -62,7 +62,7 @@
 minecraft = {};
 tailscale = {};
 ntfy = {};
- authelia = {};
+ authentik = {};
 };
 nodes =
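Review bot: In modules/authentik.nix the `email` block sits directly under `values`, but the authentik Helm chart, as far as I know it, reads SMTP settings from `authentik.email`, so the host and the SMTP2GO credentials given here would be ignored and recovery or notification mail would not go out. Move the block under `authentik` and add `use_tls = true;` to it: the removed Authelia config reached the same port 2525 through `submission://`, which negotiates STARTTLS, whereas authentik's `use_tls` defaults to false and would present the credentials without it. Separately, the commit removes the `forwardauth-authelia` middleware and its annotation on the cyberchef ingress, and nothing in this module (for example a proxy provider or outpost) replaces it, so cyberchef.kun.is appears to be served without the former two-factor gate; a comment stating that this is intended would help.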
@@ -126,8 +126,9 @@
 minecraft.storage = "1Gi";
 ntfy.storage = "300Mi";
 deluge.storage = "500Mi";
- authelia.storage = "100Mi";
 keepassxc.storage = "100Mi";
+ authentik-db.storage = "10Gi";
+ authentik-redis.storage = "5Gi";
 };
 tailscaleIngresses.tailscale-longhorn = {
diff --git a/modules/cyberchef.nix b/modules/cyberchef.nix
index 3a5529a..d2dabbc 100644
--- a/modules/cyberchef.nix
+++ b/modules/cyberchef.nix
@@ -31,8 +31,6 @@
 targetPort = "web";
 };
 };
-
- ingresses.cyberchef.metadata.annotations."traefik.ingress.kubernetes.io/router.middlewares" = "kube-system-forwardauth-authelia@kubernetescrd";
 };
 lab.ingresses.cyberchef = {
diff --git a/modules/default.nix b/modules/default.nix
index 0958257..ef212e2 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -29,6 +29,6 @@
 ./tailscale.nix
 ./ntfy.nix
 ./minecraft.nix
- ./authelia.nix
+ ./authentik.nix
 ];
 }
diff --git a/modules/freshrss.nix b/modules/freshrss.nix
index 347bb9e..614fb78 100644
--- a/modules/freshrss.nix
+++ b/modules/freshrss.nix
@@ -37,13 +37,12 @@
 ADMIN_EMAIL.value = "pim@kunis.nl";
 PUBLISHED_PORT.value = "443";
 OIDC_ENABLED.value = "1";
- OIDC_PROVIDER_METADATA_URL.value = "https://auth.kun.is/.well-known/openid-configuration";
- OIDC_CLIENT_ID.value = "HDp48U5TaX-3gWKNEfHx5ea2C7gfaQm-OsSWREq4WTzln56IBGy.rT61lq9rF-LTZFlWOd44";
- OIDC_CLIENT_SECRET.value = "ref+sops://secrets.yml#/freshrss/oidc/client_secret/password";
- OIDC_CLIENT_CRYPTO_KEY.value = "ref+sops://secrets.yml#/freshrss/oidc/crypto_key";
- OIDC_REMOTE_USER_CLAIM.value = "preferred_username";
- OIDC_SCOPES.value = "openid groups email profile";
- OIDC_X_FORWARDED_HEADERS.value = "X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto";
+ OIDC_PROVIDER_METADATA_URL.value = "https://authentik.kun.is/application/o/freshrss/.well-known/openid-configuration";
+ OIDC_CLIENT_ID.value = "5J2L7Ufq4KMayQ8qrqxHCslxHWL2SXNMKJmsbbiQ";
+ OIDC_CLIENT_SECRET.value = "ref+sops://secrets.yml#/authentik/oauth2/freshrss/client_secret";
+ OIDC_CLIENT_CRYPTO_KEY.value = "ref+sops://secrets.yml#/freshrss/oidc_crypto_key";
+ OIDC_SCOPES.value = "openid email profile";
+ OIDC_X_FORWARDED_HEADERS.value = "X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host";
 ADMIN_PASSWORD.valueFrom.secretKeyRef = {
 name = "server";
diff --git a/modules/hedgedoc.nix b/modules/hedgedoc.nix
index 868c684..b9471b4 100644
--- a/modules/hedgedoc.nix
+++ b/modules/hedgedoc.nix
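Review bot: The modules/freshrss.nix hunk drops `OIDC_REMOTE_USER_CLAIM`, so the FreshRSS account a login maps to now depends on the image's default claim (`preferred_username`, as far as I know) instead of on anything stated in this file. Authentik lets users edit their own username unless that setting is switched off, so a mutable claim is acting as the account key; keep the line explicit, `OIDC_REMOTE_USER_CLAIM.value = "preferred_username";`, and disable username changes in Authentik, or map a stable claim instead. The removed Authelia client also carried `authorization_policy = "two_factor"`, and nothing visible in this commit enforces MFA or limits who may use the FreshRSS application, so that decision now lives only in Authentik's database and deserves a comment next to these variables. The environment block begins and ends outside the hunk.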
@@ -54,18 +54,16 @@
 CMD_PROTOCOL_USESSL.value = "true";
 CMD_CSP_ENABLE.value = "false";
- CMD_OAUTH2_PROVIDERNAME.value = "Authelia";
- CMD_OAUTH2_AUTHORIZATION_URL.value = "https://auth.kun.is/api/oidc/authorization";
- CMD_OAUTH2_TOKEN_URL.value = "https://auth.kun.is/api/oidc/token";
- CMD_OAUTH2_USER_PROFILE_URL.value = "https://auth.kun.is/api/oidc/userinfo";
- CMD_OAUTH2_CLIENT_ID.value = "ZZI33JnLIuGk58HPkN_YEfETxNTz-1Mq--YPu9Sa6Y39BwykY0GDmxBVn1w9X70fIHT09xHq";
- CMD_OAUTH2_CLIENT_SECRET.value = "ref+sops://secrets.yml#/hedgedoc/oidc/client_secret/password";
- CMD_OAUTH2_SCOPE.value = "openid email profile groups";
+ CMD_OAUTH2_PROVIDERNAME.value = "Authentik";
+ CMD_OAUTH2_CLIENT_ID.value = "ZF56062l4BPnq2INv2zaO9cEiE6sAj7CrxbWhExj";
+ CMD_OAUTH2_CLIENT_SECRET.value = "ref+sops://secrets.yml#/authentik/oauth2/hedgedoc/client_secret";
+ CMD_OAUTH2_SCOPE.value = "openid email profile";
+ CMD_OAUTH2_USER_PROFILE_URL.value = "https://authentik.kun.is/application/o/userinfo/";
+ CMD_OAUTH2_TOKEN_URL.value = "https://authentik.kun.is/application/o/token/";
+ CMD_OAUTH2_AUTHORIZATION_URL.value = "https://authentik.kun.is/application/o/authorize/";
 CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR.value = "preferred_username";
 CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR.value = "name";
 CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR.value = "email";
- CMD_OAUTH2_ROLES_CLAIM.value = "groups";
- CMD_OAUTH2_ACCESS_ROLE.value = "hedgedoc";
 CMD_DB_URL.valueFrom.secretKeyRef = {
 name = "hedgedoc";
diff --git a/modules/traefik.nix b/modules/traefik.nix
index 48a8899..b59253d 100644
--- a/modules/traefik.nix
+++ b/modules/traefik.nix
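Review bot: Dropping `CMD_OAUTH2_ROLES_CLAIM` and `CMD_OAUTH2_ACCESS_ROLE` at the end of the modules/hedgedoc.nix hunk removes the only restriction visible in this repository on who may sign in to HedgeDoc: membership of the `hedgedoc` group was required before, and now any account that completes the Authentik authorization gets a session. If that is not intended, keep `CMD_OAUTH2_ROLES_CLAIM.value = "groups";` and `CMD_OAUTH2_ACCESS_ROLE.value = "hedgedoc";` (authentik's default `profile` scope mapping carries a `groups` claim, as far as I know; verify against the provider's scope mappings), or bind a group policy to the HedgeDoc application in Authentik and record that in a comment here. The `two_factor` policy that the Authelia client definition carried likewise has no counterpart in this commit. The environment block begins and ends outside the hunk.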
@@ -61,24 +61,6 @@ }; }; }; - - middlewares.forwardauth-authelia = { - metadata.labels = { - "app.kubernetes.io/instance" = "authelia"; - "app.kubernetes.io/name" = "authelia"; - }; - - spec.forwardAuth = { - address = "http://authelia.authelia.svc.cluster.local/api/authz/forward-auth"; - - authResponseHeaders = [ - "Remote-User" - "Remote-Groups" - "Remote-Email" - "Remote-Name" - ]; - }; - }; }; lab = { diff --git a/nixng-configurations/default.nix b/nixng-configurations/default.nix index f4664ed..5a9c943 100644 --- a/nixng-configurations/default.nix +++ b/nixng-configurations/default.nix @@ -6,7 +6,6 @@ blog, nixpkgs, nixpkgs-master, - nixpkgs-prowlarr, ... }: flake-utils.lib.eachDefaultSystem (system: let @@ -47,10 +46,8 @@ in { { nixpkgs.overlays = [ (_final: _prev: { - inherit (nixpkgs-prowlarr.legacyPackages.${system}) prowlarr; - # From master branch - inherit (nixpkgs-master.legacyPackages.${system}) jellyseerr radicale bazarr; + inherit (nixpkgs-master.legacyPackages.${system}) jellyseerr radicale bazarr prowlarr; }) ]; } diff --git a/secrets.yml b/secrets.yml index 4208f96..c3bca77 100644 --- a/secrets.yml +++ b/secrets.yml 
@@ -1,10 +1,6 @@ freshrss: password: ENC[AES256_GCM,data:ECDPrW+VgO8PY9p2fLIreRETNiRL5ZGnu/PMC7aNj8KaWfyNYL+l3w==,iv:srR/r1EtOpC/CKKrCDKcTLVdMFPAYIJIB1CCg8mS0UU=,tag:YN4PqR5uvPkVskpJWD+91g==,type:str] - oidc: - client_secret: - password: ENC[AES256_GCM,data:wlMJwiqCxUFqSVRGZvVkMtcRHW+r74EwpMtIAD499qnmJADsK1jPFsLuAODZ4QsklxWdWDqfNsk7T5FMZ+e61947fEp+QzGC,iv:qDEjlk5sywrMEIXQr8daVntYdTQ5M3KrtCpIHIgLy4U=,tag:QWGI0zISqE6kDR5n3IxQDg==,type:str] - digest: ENC[AES256_GCM,data:8uw5mg6VIERkb96FiJ7CuutUqWfcFk9qDA8w+8e8DBWRlegrfmvHKyg6tfUP6JKc6I1OkzuPMiSHweNJghMY5oH0eJWxU9F9YCtxjW3iJINUYF3tq2phO1kk3LEbjdnmglFMajHz2c8d4NkQ6iAfWziOaTieCN88yvnAACYnBBiU/yA=,iv:rQMDRDavPSHA8rcfJ/iijsMhGFYfcrQfOv6JF4iPbMA=,tag:tDM3+NquRN0Y6Kq9yyTSYA==,type:str] - crypto_key: ENC[AES256_GCM,data:AKEX6F1rAwapjvzz5JSyBbvDxSl4vjeOIKzH13/CMK1QGT5AzhEawpYb1j95/QVREt1M8bKulFpHHZIn8WuFZbdChgA/PMXssd5yznEMVY/qmymGqDOLe0CFv75zRG4c6RTuc0/U33Ez2tSi+DgKtLHpU9MZlgLFXIS4aCb0p0A=,iv:VhWgEzq8gqNDJPP/akmv6c/kuKHH4cv6yT9Mz47bTf4=,tag:b8DviZh9I5ZOFXpEFCU6GQ==,type:str] + oidc_crypto_key: ENC[AES256_GCM,data:dFQKZtFVd5l8W2go6WcK76o7O7hpQWnQKXCGTf9EhSVURvWigv6zzBULie7Y4lkJCsItG8oKmIiCYSy3MhFnU3DJTUJcenm4I7NHyINjvzHOBgUVPXbYQjQhouJwOlPkdqlSKv1f38ItZKNPJebMObZj+kACKbjdik6e6yM40RM=,iv:g6Ygval2qTQwKnrliI+n/r9OxJFePT9MKYyBLU6b3UQ=,tag:kWXTbm2JIR5aL/s4OX2Tqg==,type:str] pihole: password: ENC[AES256_GCM,data:MA60825Tl6aYEFVoPgo8k5Vjb9zmIxtPLJriQV1B3P1bOKu1KK7vxQ==,iv:RGZHox8CbJiEEEjMo2k/tNbtjCPy/QY7vOuMN/YNZcg=,tag:yphrq03IKpXM/tSDBLeSgA==,type:str] hedgedoc: 
@@ -38,17 +34,17 @@ immich: tailscale: clientID: ENC[AES256_GCM,data:O8tTyy55xP85JkbJNR5daB4=,iv:SMj83Sxh7BvPRG3l5TnnpmclO5N2treUQCCJuMy8cO8=,tag:UUSN3bsZvb09cyYN65RQDg==,type:str] clientSecret: ENC[AES256_GCM,data:c8E/a7McI+wGN9TFJ/yzTSkrhUlISmrNJdjDDMqAQrZ8s5wFEZ+4+h+dtwcjF9Ykj198glgny7cP3HubHVDw,iv:ifaP4NmLRQbYQtJQaMMCMaehosapZ2R3im9ew5h6f9E=,tag:XF+xB94nua8RZlkGxFDFFQ==,type:str] -authelia: - encryption_keys: - storage: ENC[AES256_GCM,data:RbD5StdFItHooBt/ESeAqnBRWV8USKedplz9cnZTA5K9k2EIE99yDdwkL+UNpRjN5oTImqQtWo3ESuBiq439ftSMeMyWT++qkV3ImbPOEYInLPdwHTxb28CC5zbY3FGH+GdB5q9V3zK+Pofslw6BMCsoL++tV8EWjX2isCfkWSk=,iv:e83TCcMW2qEc+R2E8209dhRUJvLZw2MPu4IWMSQVMy8=,tag:opewKZtNr4VT5Gj9l9B71Q==,type:str] - session: ENC[AES256_GCM,data:N50TuHkiOvjxbhTzwy7cjYSyMM9txYCas8x+zEhC2vshWi4pD0dHNDVz90jS0waDYAKLxTMYUT9v9zpkXoQ+X2VWa+tzDU3IWixclHktew/ufWN7nXCRBCW/ZEw8Tm4bB61GTalXfpra3q8Z88bMhGcEfaCiHwfnMbhVn5jjQtM=,iv:QPTVCPzuLAZI06rRPCLYiyW/hd3P/r/nxocI4u3qRtk=,tag:1oqJoQedqGsln48jQphENw==,type:str] - smtpPassword: ENC[AES256_GCM,data:Zd2F237gWaL555lf022zjr7VHVcAFUyFxg==,iv:ka8YuGFclNrWV1U0g2ERypiKy6rN5ppPIVlsjBqkFrI=,tag:e+5fO6VR1z1cqYTXJ6Yo+Q==,type:str] - oidc: - hmac_secret: ENC[AES256_GCM,data:4SDX5lopMeomhkMpkei6Qu6S+BBhFGCZswBfOtfWNSzv3qAEme9h3wQeIQ2W18J84RwprTpDZdkk++bbAYoch2iZF1yEV+8XBcmVcg4q+s5isn0lAaTDhHHCZ6Cci8KuyYy5/tcMDgF61oM5H0g7nGv7rhPD8clDubZwAvEDf7g=,iv:S7cCKyWbB4QaqGYsrp9JavKBAMxnfzhnl5bMRyq4TT4=,tag:S2+NglxgDsi4ivvR2FYjsQ==,type:str] - jwk_rs256: - private: 
ENC[AES256_GCM,data:WaTdMntWZF40pBOsHpKlQAcsVoceQDKkPlNbkwlPjY231cZSgHYw2u3V89BHx1p3LT4OUAEQvBcQ3c8sJbRYHTo7wXVYTwMrWL+KIu5AOp1pqHWESJrxO/12tgITcM5xJx+zwAoc/85l0LK3EIXYayEYe6ISNjx13K3YaSuD74iEXrNtWuvqwvbT9zNtYg8gb+l1FEW+TwS6wdzWyglfZl4erOQXb1a373qRdTz5m71MEPY8nJPS948nxO5M1DgJ8eqyztVdHY+z3X40vsDv3anSApeBNe/jexUVGBmuRtOhoAbirbNo7F8tjbI1qVy1lw0YNiaXAyH/BY2EtcSb9bU/VqCRdLteZnSed4LFrCIFt9mYoAWPX4GjXanfshNUaqM0IEFVjH7cXzf4rKql9VnxvCufupIGKhcOkAuxFtuOPL9q3RVT4CkarhmgDpKKjUlyAHRAvLH2F2l+K6zwEengiYDXkyBzd393Gsee6ML30X/MRSwd1TBqKZ1VInpk3bn/GwVMipywiYsviLE6JW+IcRJiHCI3bbch2aRsq9MP8AE9qornqC9nt6DQKnOr2HvEAjTHGvmiJN2nKaRU/B6T5xmH9nsdZ3CTsmTIkWBi/Fa8th9DvT8UrQe4LiQ8t6/6TrhgZ+QCjgwp59B2dwrPnT7oY8B0o5O0k/06HnsaG0YxyEM2JgVBer0K4BzUAoap4S8YGj88oPVlSHV3ks7qjx8J+pytNmyND3O1CzKUuluTjCLoowyDx9OA8AcfxVCva6BI6EqJEVU0eqlo146kdgERPR4U6TgCAU6uk4rb+SQgwN6brd15AezRKUW9iDbr4hoxCA0XNTzcDLJKKFFU2ZlHdvs9WTif7gmVwAsogy31xWyKdTdSCoUME4mAKeHM2o763UICjL4HO6drMn16G5yA0anxkctVJqWKcpLrD9rVCC30bbFy8u3H1Icfzf2dZxbTLCbJVn5i39I9AqehIOapD7SwN3pyXwicfnr6h1prGKdHQ0cXjlwCiiP7lSBLP+Q4DwjoSVF/Iei4DcFQoHqSpGreGeP5yRNiRe8HEp63yQXFM/l6PMIVZw+0q/VDb5sEUZ6XItAi/UL3CqY1WI5SVvbeuxbKivuxRcspiFRHB9aXS2eG8hx/Oq9OFvPq3eAQ7xtZLw5oMAFgED4epZl3mAaYz8n5m2i2J8QujxP1POqotkeA1uQFelQL1xMUdpIg41mRNch0M3H50fcgR5dJ3k41NAJTCi5B+X9lFVoo/ByLvX4hkmx4YeZ5VPW6hVLiZMcdA+RluBWVAShYXBBg5rV3ak/G8Lj9P/cc1Tg32Qr1m9h3Tl4Q8AEmWBABRXYcZ526fMFdTQa0SkdvO3jp6Zt/6TObygSyOrOjBIgXye4BAT3zuyNK07Z1gOP1X0rE23T50S5A4KCI59QCs+szugk9umUbqeZF3DKj1oiVq1f5I1m2zbBuWq6vi6kH7eD7eSnTqpIuYeOsuWlREvsNHfXOA7lrURy+yLheKYuIRqx+5TKJaapgMkagw5nQ74RAvEJgAPHJaKYt5YJklMSxTkUR6FlvZNq2salMpM+mGrtH9l1tEVUbKh6QAyG4EkUbnFmT3orCgBJJFh+HXMpb6pwVL06+/0sSvgBI1ZBfbGYWk//RKSHbVzOi1UXyW1izeLgSwKNc/ZUCDnZ0hrBafQn3S8Ap+5j9h++fdH9NwfQyGV7GuTMYBkCtG3+l9+iitFWPUnZ2PvNypi4kJX31XlSyR/JoQfvFNm3nWw1pdLJRF7shqYxbSuGx/Fz02zocEvNNu5NBp5+0nPXIWp5PoRHqWHXI6TvNduji0/ycKjLhtpnFV3NhhWq0no5fKo+t4seoQ88oFzbH0wVXnLRALPq6yZ1kzbWhGp5RLmtixEMXcAwuw2Ewol2BhIf2+5o7d7ndgmZ6lOM4LzApumzS0m3z91XQ1keqHZUWA0XdCekIucNrhw4u
VIWg228G5IWjI1QuL6c9zeIHl8NvSCzC7lJLXR6NiCzFvVH92krQ91yiEsSvg3+8MkU+6mlLiCvbl98WVMcQ6Ig9Hh+p1ALSuUDDqOK8k4ja3sblwjDE1vQhacm9gaCjYfID+UFpbJ1FLwdOiBrcUu3jSnN2zBViWjH48xnM7kvxliDRbAElyMPylD2wE6Gce/nyueSAktsfPzt3GnHzspfuoDokJ2pss+8u/x/5whe+xkMMEhExWJWTe4WiwYxyM7dIX8JLJBqQ+T3pUQLMYwECHvPstLiQjpWy,iv:cZQEw3E1Kq+Qg1ZB0gwMW87NG1z/tGDnQOpRiCsdpUs=,tag:N/JqLdXIwCerHynMhmvhug==,type:str] - public: ENC[AES256_GCM,data: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,iv:o8F7qgHLWhWXEOOSzum+Qore2tGSraqmC1VMWtpaj0I=,tag:Kn5myis0OwoCMa+8yhssPg==,type:str] - users: ENC[AES256_GCM,data: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,iv:qbp7+yepBIPsmpuEGTeHLPENrvfEGoL9u+smf7jqHzo=,tag:u3bkLxICTMm/EEjGjt5ENA==,type:str] +authentik: + secret_key: ENC[AES256_GCM,data:bbEEpymADAGY/fDNMU7FfzveyK2SBUBCitQLN85tB5C5u32PRsRnOa2MDjKGU4kArnyV/WtJQXT4HJ//nMLVh53Q8BYclWYYVFourEjaajTixkZ2gkAfcMJ1mMaQG09ylrwMhLsZWbeaLFzW6dfPSQOCchvj3VhgvJSXuhNmr90=,iv:aE/DGt/yd9wL5qlWfdyT/9SIsCj7U3GcljArcGIdh9k=,tag:CVeiZITOJ71/jdLzjZjteA==,type:str] + postgresql_password: ENC[AES256_GCM,data:4okPqDzPDnx7ZBFQV2Jtk6SEHTskRd2GVG4XLdpMQrgivKsuhQJf1QAnCWHrjmtg74xdlUy2TdPwTWGd5UiM1G90GwHSzLPSJt6X0IFMxCuq/eyYYbD9w8Wk1pVuvqoluPcjN6WoRJdCzap1QITih8B+oSkTJ/rk84xczsjah4U=,iv:r0dYWcsIqdH8FGuBd2dxAJ1AjRmk6k4QYKq0cnZITk4=,tag:errORaXgO7yJW7ERbmdtRg==,type:str] + oauth2: + freshrss: + client_secret: ENC[AES256_GCM,data:e7wdwWRS8KivGkcWaMgSrUEEuOTHzj1oim+qUcLD35/DA/V6itM2XqVPhqIOXHrf6pOyYgprEv14bEx8zUvtT6iXV4fsEUEWeWTgt4NI3YULtx/t0yVDq9Zc8fN9cIqGxGeig1mcQwmm7vByq58mNJEpcfz46swjN2ATf/CPJQs=,iv:xeNgSKd+g4ne8NLw/2KQjTXSvNkqezOhMn5niuWpD38=,tag:ElOUMg0oZ+q15hCgh/Mzug==,type:str] + hedgedoc: + client_secret: ENC[AES256_GCM,data:hdNQzatO6Pf6mxvfO4h1XrhycKMBUHElEwacGttzByi4JDbIndAwYc2GXdwUmytPMYs/s+lVjcdHhspUFWS01DETWQfnWm/GN73GzW18uj3XyRXqt62HhMf18GvRlOWkGX+jYpUTGGoonYes2xijhD/mNCjxKk5Q+6FVFT2mdJ4=,iv:pScEX6YnoU7HelxmCes8A9vJjPdvFbqbclHYMme8OOE=,tag:FURxphI8IDMvOwB4ahD8hg==,type:str] +smtp2go: + username: 
ENC[AES256_GCM,data:BEr7Rq7rlGvfYEpY/ZXnhM2eClnHdqU81A==,iv:dwYD5h+C5bzS9ikUgxQ51+jRQ32TtDy2PhDbd1tpS8Q=,tag:CjjLDz5n4H28qi8jWf9S4w==,type:str] + password: ENC[AES256_GCM,data:Yys6qy6DRYo16+X+Uj9oa9otjaKBnHOtIQ==,iv:G7H9mxsODShFoVlNMwuV8O18NBG/7LTFDFdqnH83YkE=,tag:hSlYp27QMoPZwiKBqyOpKA==,type:str] sops: kms: [] gcp_kms: [] @@ -73,8 +69,8 @@ sops: azR0UkJyL0RwUVk4ZzdkSWptcDlWVjAK5FU9B5TBSnV3azO4eCv13T6i3dGGuI68 UgBrVEb1/Fv+4XTjeSEhpiOaH8sNWYoNa3Aa7uTZYlHDRWga2GC7zw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-02-09T12:24:21Z" - mac: ENC[AES256_GCM,data:oXJ06eJS12T0T2i0XxQ2wsyLAojIa7X2lJgb4JWY11If7BOtl8wK/FFKh6ukRdM/pM5nARS2ZUgYPmIQxRX+0dfo85AcqAuFzIb8VMhLdLCIuOVciQMMWyrNmyuMzNgYq2lmk8xQarVk2A1DNBfxCiKVc07J/Uz3tVhnXOXkmGA=,iv:4MObZijkp5TDacLRLYVctEhsvDtkY/soYZ3a4WpC/+I=,tag:KUvalf5sLEouIxMDcA4acw==,type:str] + lastmodified: "2025-02-10T21:46:28Z" + mac: ENC[AES256_GCM,data:NMQNgNKgms8fyK0gLSjvLxVprk5k/zSVdJL07+dnXjbbYA7IjsktQF4Nljg641NVU12F4IHr6vLvihDfCI78Qm9c66osp+vdmsYvGwLdploWwjOLONJL8WNiJI6AJjgnbUP9puca+AeKgl8o3ymNfhro+K8GsbRb5+mk8frasGM=,iv:KUSyiojnjbY3e59Ci40+Vk6+6bAyyuhQ5rUlUmVIDBs=,tag:Cr3eQfO8AIiBihTR1T4jxw==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.9.4