infrastructure/black-start
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: infrastructure:33f0e30229062a99386803721b63a396069a50ce
Branches Tags
infrastructure:main
...
compare: infrastructure:main
Branches Tags
infrastructure:main

3 Commits
33f0e30229 ... main

Author SHA1 Message Date
William P
3d60cb6706 add omni 2026-04-09 18:02:06 +00:00
William P
58bb6ffac4 add authentik 2026-04-08 11:20:06 -04:00
William P
8c5641e8eb use more sane k8s manifest management 2026-04-08 10:40:16 -04:00
17 changed files with 482 additions and 182 deletions
Expand all files Collapse all files

170
kubernetes/charts/authentik.nix Normal file
View File

@@ -0,0 +1,170 @@
{
services.k3s.autoDeployCharts = {
authentik = {
name = "authentik";
version = "2026.2.2";
repo = "https://charts.goauthentik.io";
createNamespace = true;
targetNamespace = "authentik";
hash = "sha256-zgoaiXnO2M410oRVnJpg4KCN81psLSjVqUpV6CYowOU=";
values = {
server = {
replicas = 1;
volumeMounts = [
{
name = "cert-dubyatp-xyz";
readOnly = true;
mountPath = "/certs/dubyatp-xyz";
}
];
volumes = [
{
name = "cert-dubyatp-xyz";
secret = {
defaultMode = 420; # octal 0644
secretName = "cert-dubyatp-xyz";
};
}
];
};
worker = {
replicas = 0;
};
global = {
env = [
{
name = "AUTHENTIK_SECRET_KEY";
valueFrom.secretKeyRef = {
name = "authentik-credentials";
key = "authentik-secret-key";
};
}
{
name = "AUTHENTIK_POSTGRESQL__DISABLE_SERVER_SIDE_CURSORS";
value = "true";
}
{
name = "AUTHENTIK_POSTGRESQL__HOST";
value = "weyma-bs-pgsql-rw.cloudnativepg.svc.cluster.local";
}
{
name = "AUTHENTIK_POSTGRESQL__NAME";
value = "authentik";
}
{
name = "AUTHENTIK_POSTGRESQL__USER";
value = "authentik";
}
{
name = "AUTHENTIK_POSTGRESQL__PASSWORD";
valueFrom.secretKeyRef = {
name = "authentik-db-auth";
key = "password";
};
}
{
name = "AUTHENTIK_EMAIL__FROM";
value = "authentik_dubyatp@em924671.dubyatp.xyz";
}
{
name = "AUTHENTIK_EMAIL__HOST";
value = "mail.smtp2go.com";
}
{
name = "AUTHENTIK_EMAIL__USE_TLS";
value = "true";
}
{
name = "AUTHENTIK_EMAIL__USERNAME";
value = "authentik_dubyatp";
}
{
name = "AUTHENTIK_EMAIL__PASSWORD";
valueFrom.secretKeyRef = {
name = "authentik-credentials";
key = "smtp-password";
};
}
{
name = "AUTHENTIK_EMAIL__TIMEOUT";
value = "30";
}
{
name = "AUTHENTIK_STORAGE__BACKEND";
value = "s3";
}
{
name = "AUTHENTIK_STORAGE__S3__ENDPOINT";
value = "https://weyma-s3.infra.dubyatp.xyz";
}
{
name = "AUTHENTIK_STORAGE__S3__BUCKET_NAME";
value = "authentik-files";
}
{
name = "AUTHENTIK_STORAGE__S3__ACCESS_KEY";
valueFrom.secretKeyRef = {
name = "authentik-files";
key = "AWS_ACCESS_KEY_ID";
};
}
{
name = "AUTHENTIK_STORAGE__S3__SECRET_KEY";
valueFrom.secretKeyRef = {
name = "authentik-files";
key = "AWS_SECRET_ACCESS_KEY";
};
}
];
};
additionalObjects = [
{
apiVersion = "networking.k8s.io/v1";
kind = "Ingress";
metadata.name = "authentik-ingress";
spec = {
ingressClassName = "traefik";
rules = [
{
host = "auth.dubyatp.xyz";
http.paths = [
{
backend.service = {
name = "authentik-server";
port.number = 80;
};
path = "/";
pathType = "Prefix";
}
];
}
{
host = "auth-bs.dubyatp.xyz";
http.paths = [
{
backend.service = {
name = "authentik-server";
port.number = 80;
};
path = "/";
pathType = "Prefix";
}
];
}
];
tls = [
{
hosts = [
"auth.dubyatp.xyz"
"auth-bs.dubyatp.xyz"
];
secretName = "cert-dubyatp-xyz";
}
];
};
}
];
};
};
};
}

2
kubernetes/charts/default.nix
View File

@@ -2,5 +2,7 @@
imports = [
./cloudnativepg.nix
./cert-manager.nix
./authentik.nix
./omni.nix
];
}

88
kubernetes/charts/omni.nix Normal file
View File

@@ -0,0 +1,88 @@
{ pkgs, ... }:
let
omniSrc = pkgs.fetchFromGitHub {
owner = "siderolabs";
repo = "omni";
rev = "v1.6.5";
hash = "sha256-FV0aPZaEejNBY/ajjdo3dURwDFu+8RInKOmeV5SVMXw=";
};
omniChartTarball = pkgs.runCommand "omni-chart.tgz" {
nativeBuildInputs = [ pkgs.gnutar ];
} ''
tar czf "$out" -C "${omniSrc}/deploy/helm" omni
'';
omniManifest = pkgs.runCommand "omni-manifest.yaml" {
nativeBuildInputs = [ pkgs.coreutils ];
} ''
chart_content=$(base64 -w 0 < "${omniChartTarball}")
cat > "$out" <<EOF
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: omni
namespace: kube-system
spec:
targetNamespace: omni
createNamespace: true
chartContent: $chart_content
valuesContent: |-
etcdEncryptionKey:
existingSecret: omni-etcd-key
ingress:
main:
enabled: true
host: weyma-omni.infra.dubyatp.xyz
tls:
- hosts:
- weyma-omni.infra.dubyatp.xyz
secretName: cert-dubyatp-xyz
kubernetesProxy:
enabled: true
host: weyma-omni-k8s.infra.dubyatp.xyz
tls:
- hosts:
- weyma-omni-k8s.infra.dubyatp.xyz
secretName: cert-dubyatp-xyz
siderolinkApi:
enabled: true
host: weyma-omni-siderolink.infra.dubyatp.xyz
tls:
- hosts:
- weyma-omni-siderolink.infra.dubyatp.xyz
secretName: cert-dubyatp-xyz
service:
wireguard:
type: LoadBalancer
config:
account:
name: weyma-omni
id: a0a43f2a-d838-4fe0-96fb-ab9e60695e0b
auth:
auth0:
enabled: false
saml:
enabled: true
url: https://auth.dubyatp.xyz/application/saml/omni/metadata/
initialUsers:
- me@williamtpeebles.com
services:
api:
advertisedURL: https://weyma-omni.infra.dubyatp.xyz
kubernetesProxy:
advertisedURL: https://weyma-omni-k8s.infra.dubyatp.xyz
machineAPI:
advertisedURL: https://weyma-omni-siderolink.infra.dubyatp.xyz
siderolink:
wireGuard:
advertisedEndpoint: 10.105.6.198:50180
EOF
'';
in
{
services.k3s.manifests."omni-chart.yaml".source = omniManifest;
}

109
kubernetes/manifests/cnpg.nix
View File

@@ -1,108 +1,7 @@
{
services.k3s.manifests = {
"objectstore.yaml".content = {
apiVersion = "barmancloud.cnpg.io/v1";
kind = "ObjectStore";
metadata.name = "truenas-s3";
metadata.namespace = "cloudnativepg";
spec = {
configuration = {
destinationPath = "s3://weyma-talos-shared-pgsql-new/";
endpointURL = "http://10.105.15.20:9000";
s3Credentials = {
accessKeyId = {
key = "s3AccessKey";
name = "s3-backup-creds";
};
secretAccessKey = {
key = "s3SecretKey";
name = "s3-backup-creds";
};
};
};
};
};
"pg-cluster.yaml".content = {
apiVersion = "postgresql.cnpg.io/v1";
kind = "Cluster";
metadata.name = "weyma-bs-pgsql";
metadata.namespace = "cloudnativepg";
spec = {
instances = 1;
imageName = "ghcr.io/cloudnative-pg/postgresql:16.9-5-bullseye";
storage = {
size = "50Gi";
storageClass = "local-path";
};
plugins = [
{
name = "barman-cloud.cloudnative-pg.io";
parameters.barmanObjectName = "truenas-s3";
}
];
bootstrap.recovery.source = "weyma-pgsql";
externalClusters = [
{
name = "weyma-bs-pgsql";
plugin = {
name = "barman-cloud.cloudnative-pg.io";
parameters = {
barmanObjectName = "truenas-s3";
serverName = "weyma-bs-pgsql";
};
};
}
{
name = "weyma-pgsql";
connectionParameters = {
host = "10.105.10.24";
user = "streaming_replica";
dbname = "postgres";
sslmode = "require";
};
plugin = {
name = "barman-cloud.cloudnative-pg.io";
parameters = {
barmanObjectName = "truenas-s3";
serverName = "weyma-pgsql";
};
};
sslKey = {
name = "weyma-pgsql-replication";
key = "tls.key";
};
sslCert = {
name = "weyma-pgsql-replication";
key = "tls.crt";
};
sslRootCert = {
name = "weyma-pgsql-ca";
key = "ca.crt";
};
}
];
replica = {
primary = "weyma-pgsql";
source = "weyma-pgsql";
};
managed.services.additional = [
{
selectorType = "rw";
serviceTemplate = {
metadata.name = "weyma-bs-pgsql-ext";
spec.type = "LoadBalancer";
};
}
];
};
};
"weyma-pgsql-ca.yaml".content = {
apiVersion = "v1";
kind = "Secret";
metadata.name = "weyma-pgsql-ca";
metadata.namespace = "cloudnativepg";
# this is fine to be in plaintext since it's just a cert and contains no key
data."ca.crt" = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJtekNDQVVLZ0F3SUJBZ0lRUjMzT3F3OTJKbDlmeXFzMkZyREd0akFLQmdncWhrak9QUVFEQWpBdU1SWXcKRkFZRFZRUUxFdzFqYkc5MVpHNWhkR2wyWlhCbk1SUXdFZ1lEVlFRREV3dDNaWGx0WVMxd1ozTnhiREFlRncweQpOVEV5TWpnd01URTROVEZhRncweU5qQXpNamd3TVRFNE5URmFNQzR4RmpBVUJnTlZCQXNURFdOc2IzVmtibUYwCmFYWmxjR2N4RkRBU0JnTlZCQU1UQzNkbGVXMWhMWEJuYzNGc01Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMEQKQVFjRFFnQUU5c1R4R0tLNWdRVnhmZzNkZWtlbHpFSGlMbG5GaHBZa1hTMzJSYlphV0llZ3ZWWk11cC9TRmU4YQoyai92TWdETldpZVJWcHBTVElBeml0YUxQYXdvSktOQ01FQXdEZ1lEVlIwUEFRSC9CQVFEQWdJRU1BOEdBMVVkCkV3RUIvd1FGTUFNQkFmOHdIUVlEVlIwT0JCWUVGRysxclg2aUgwaG50bE0yaEpXdnpGaW9peTZGTUFvR0NDcUcKU000OUJBTUNBMGNBTUVRQ0lBeXhPS3VGVFhhQUJwaGhJZDI0VXZkU0FLTytPanpIZStvbVJYeDdqbTJOQWlCbAo1TVc0MDZzU3haTDgydTFtL2J3V0JXQWZPTWhLNXVlYmIyemR3QzE0Vmc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==";
};
"objectstore.yaml".source = ./cnpg/objectstore.yaml;
"pg-cluster.yaml".source = ./cnpg/pg-cluster.yaml;
"weyma-pgsql-ca.yaml".source = ./cnpg/weyma-pgsql-ca.yaml;
};
}
}

16
kubernetes/manifests/cnpg/objectstore.yaml Normal file
View File

@@ -0,0 +1,16 @@
apiVersion: barmancloud.cnpg.io/v1
kind: ObjectStore
metadata:
name: truenas-s3
namespace: cloudnativepg
spec:
configuration:
destinationPath: s3://weyma-talos-shared-pgsql-new/
endpointURL: http://10.105.15.20:9000
s3Credentials:
accessKeyId:
key: s3AccessKey
name: s3-backup-creds
secretAccessKey:
key: s3SecretKey
name: s3-backup-creds

57
kubernetes/manifests/cnpg/pg-cluster.yaml Normal file
View File

@@ -0,0 +1,57 @@
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: weyma-bs-pgsql
namespace: cloudnativepg
spec:
instances: 1
imageName: ghcr.io/cloudnative-pg/postgresql:16.9-5-bullseye
storage:
size: 50Gi
storageClass: local-path
plugins:
- name: barman-cloud.cloudnative-pg.io
parameters:
barmanObjectName: truenas-s3
bootstrap:
recovery:
source: weyma-pgsql
externalClusters:
- name: weyma-bs-pgsql
plugin:
name: barman-cloud.cloudnative-pg.io
parameters:
barmanObjectName: truenas-s3
serverName: weyma-bs-pgsql
- name: weyma-pgsql
connectionParameters:
host: "10.105.10.24"
user: streaming_replica
dbname: postgres
sslmode: require
plugin:
name: barman-cloud.cloudnative-pg.io
parameters:
barmanObjectName: truenas-s3
serverName: weyma-pgsql
sslKey:
name: weyma-pgsql-replication
key: tls.key
sslCert:
name: weyma-pgsql-replication
key: tls.crt
sslRootCert:
name: weyma-pgsql-ca
key: ca.crt
replica:
primary: weyma-pgsql
source: weyma-pgsql
managed:
services:
additional:
- selectorType: rw
serviceTemplate:
metadata:
name: weyma-bs-pgsql-ext
spec:
type: LoadBalancer

8
kubernetes/manifests/cnpg/weyma-pgsql-ca.yaml Normal file
View File

@@ -0,0 +1,8 @@
apiVersion: v1
kind: Secret
metadata:
name: weyma-pgsql-ca
namespace: cloudnativepg
# This is fine to be in plaintext since it's just a cert and contains no key
data:
ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJtekNDQVVLZ0F3SUJBZ0lRUjMzT3F3OTJKbDlmeXFzMkZyREd0akFLQmdncWhrak9QUVFEQWpBdU1SWXcKRkFZRFZRUUxFdzFqYkc5MVpHNWhkR2wyWlhCbk1SUXdFZ1lEVlFRREV3dDNaWGx0WVMxd1ozTnhiREFlRncweQpOVEV5TWpnd01URTROVEZhRncweU5qQXpNamd3TVRFNE5URmFNQzR4RmpBVUJnTlZCQXNURFdOc2IzVmtibUYwCmFYWmxjR2N4RkRBU0JnTlZCQU1UQzNkbGVXMWhMWEJuYzNGc01Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMEQKQVFjRFFnQUU5c1R4R0tLNWdRVnhmZzNkZWtlbHpFSGlMbG5GaHBZa1hTMzJSYlphV0llZ3ZWWk11cC9TRmU4YQoyai92TWdETldpZVJWcHBTVElBeml0YUxQYXdvSktOQ01FQXdEZ1lEVlIwUEFRSC9CQVFEQWdJRU1BOEdBMVVkCkV3RUIvd1FGTUFNQkFmOHdIUVlEVlIwT0JCWUVGRysxclg2aUgwaG50bE0yaEpXdnpGaW9peTZGTUFvR0NDcUcKU000OUJBTUNBMGNBTUVRQ0lBeXhPS3VGVFhhQUJwaGhJZDI0VXZkU0FLTytPanpIZStvbVJYeDdqbTJOQWlCbAo1TVc0MDZzU3haTDgydTFtL2J3V0JXQWZPTWhLNXVlYmIyemR3QzE0Vmc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==

17
kubernetes/manifests/test-color/deploy.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: test-color
namespace: test-color
spec:
selector:
matchLabels:
app: test-color
template:
metadata:
labels:
app: test-color
spec:
containers:
- name: test-color
image: kodekloud/webapp-color:latest

17
kubernetes/manifests/test-color/ingress.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: test-color-ingress
namespace: test-color
spec:
rules:
- host: test-color.weyma-bs.infra.dubyatp.xyz
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: test-color
port:
number: 8080

4
kubernetes/manifests/test-color/ns.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: test-color

11
kubernetes/manifests/test-color/svc.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v1
kind: Service
metadata:
name: test-color
namespace: test-color
spec:
selector:
app: test-color
ports:
- port: 8080
targetPort: 8080

82
kubernetes/manifests/test.nix
View File

@@ -1,76 +1,8 @@
{
services.k3s.manifests = {
test-color-ns.content = {
apiVersion = "v1";
kind = "Namespace";
metadata = {
name = "test-color";
};
};
test-color-deploy.content = {
apiVersion = "apps/v1";
kind = "Deployment";
metadata = {
name = "test-color";
namespace = "test-color";
};
spec = {
selector = {
matchLabels = {
app = "test-color";
};
};
template = {
metadata = {
labels = {
app = "test-color";
};
};
spec = {
containers = [
{
name = "test-color";
image = "kodekloud/webapp-color:latest";
}
];
};
};
};
};
test-color-svc.content = {
apiVersion = "v1";
kind = "Service";
metadata = {
name = "test-color";
namespace = "test-color";
};
spec = {
selector.app = "test-color";
ports = [{port = 8080; targetPort = 8080;}];
};
};
test-color-ingress.content = {
apiVersion = "networking.k8s.io/v1";
kind = "Ingress";
metadata = {
name = "test-color-ingress";
namespace = "test-color";
};
spec = {
rules = [
{
host = "test-color.weyma-bs.infra.dubyatp.xyz";
http.paths = [{
pathType = "Prefix";
path = "/";
backend.service = {
name = "test-color";
port.number = 8080;
};
}];
}
];
};
};
};
}
services.k3s.manifests = {
"test-color-ns.yaml".source = ./test-color/ns.yaml;
"test-color-deploy.yaml".source = ./test-color/deploy.yaml;
"test-color-svc.yaml".source = ./test-color/svc.yaml;
"test-color-ingress.yaml".source = ./test-color/ingress.yaml;
};
}

40
kubernetes/secrets/authentik/authentik-credentials.nix Normal file
View File

@@ -0,0 +1,40 @@
{ config, ... }:
{
sops.templates."authentik-credentials.yaml" = {
mode = "0444";
content = ''
apiVersion: v1
kind: Secret
metadata:
name: authentik-credentials
namespace: authentik
type: Opaque
stringData:
admin-password: ${config.sops.placeholder.authentik_admin_password}
authentik-secret-key: ${config.sops.placeholder.authentik_secret_key}
replication-password: ${config.sops.placeholder.authentik_replication_password}
smtp-password: ${config.sops.placeholder.authentik_smtp_password}
user-password: ${config.sops.placeholder.authentik_user_password}
---
apiVersion: v1
kind: Secret
metadata:
name: authentik-db-auth
namespace: authentik
type: Opaque
stringData:
password: ${config.sops.placeholder.authentik_db_password}
---
apiVersion: v1
kind: Secret
metadata:
name: authentik-files
namespace: authentik
type: Opaque
stringData:
AWS_ACCESS_KEY_ID: ${config.sops.placeholder.authentik_files_keyid}
AWS_SECRET_ACCESS_KEY: ${config.sops.placeholder.authentik_files_keysecret}
'';
path = "/var/lib/rancher/k3s/server/manifests/secrets/authentik-credentials.yaml";
};
}

2
kubernetes/secrets/default.nix
View File

@@ -3,5 +3,7 @@
./cloudnativepg/s3-backup-creds.nix
./cloudnativepg/weyma-pgsql-replication.nix
./cert-manager/cloudflare-api-token.nix
./authentik/authentik-credentials.nix
./omni/omni-etcd-key.nix
];
}

17
kubernetes/secrets/omni/omni-etcd-key.nix Normal file
View File

@@ -0,0 +1,17 @@
{ config, ... }:
{
sops.templates."omni-etcd-key.yaml" = {
mode = "0444";
content = ''
apiVersion: v1
kind: Secret
metadata:
name: omni-etcd-key
namespace: omni
type: Opaque
data:
omni.asc: ${config.sops.placeholder.omni_asc_base64}
'';
path = "/var/lib/rancher/k3s/server/manifests/secrets/omni-etcd-key.yaml";
};
}

11
security/sops.nix
View File

@@ -23,6 +23,17 @@
weyma_pgsql_replication_tls_key = {};
cloudflare_api_token = {};
authentik_admin_password = {};
authentik_secret_key = {};
authentik_replication_password = {};
authentik_smtp_password = {};
authentik_user_password = {};
authentik_db_password = {};
authentik_files_keyid = {};
authentik_files_keysecret = {};
omni_asc_base64 = {};
};
};
}

13
security/sops_nix.yaml
View File

@@ -3,6 +3,15 @@ pw_root: ENC[AES256_GCM,data:hbPcqxEFhdH4Y6KOFFCMfujL0B9uHzmNAwNNK4qLEVE=,iv:Xrw
cnpg_s3_backup_key: ENC[AES256_GCM,data:zaMuxcu2XwgkmhkYnYKeZQQwRzSEJGPT2662B7k5JHzCH4e1TEEd+A==,iv:Na2iAuqgx8UNnDvXvP3N+csqVZFTsDwqR6OKeO/b/GY=,tag:jHeFVdRdTwk83XG6T1TwGA==,type:str]
weyma_pgsql_replication_tls_key: ENC[AES256_GCM,data:WHCH9DJMa5/L9BCNAyfYUmgptCLu+NVtEIDjjPeb7adDUfz/fDwAUB7TOXBf19AyXaCD4NTw4IVm6UVp9/8azpAVyQ5uR5R0X3eVYAEdIHUQdOPVQsCmIQTAMwih2G41QedM3Q+gA/JRIqxX+DwtH44Celb069VmiGmlzwLbvPt9d9ZREs3KKr7p/GvVoa2atMk74/qLAKSmkAP9yZJ3q5azmmQ5/skECWmvRJ4prr/uUpIzzMIIQ6kyaafE3sKf8s/+rlsb+zT+6T527OX54xmp0QCDPQuqhEiuFvLXnqxiDwcgZ+QWbFQwj5ubCU++F3GtasCec5/wTSKa26MgNd7DvSwpQH0vdxszOoxStxNAXSouIevwFdKsvAZP60x3jWs+BcFry+cFlVrAMp5NmQ==,iv:JN+9SeyIx4kJfTiuFucLp8cKCEGeWvd3DbNeMsfeVms=,tag:GSkGD1kRmzruG0bWmxa+xA==,type:str]
cloudflare_api_token: ENC[AES256_GCM,data:luEm0zRdyUgOe4VxJ6IrTlKSf5tk4ayQn7MwbImvn2Eswzq4tXdCsQ==,iv:BoI/p2n5+RIfL6KsiOViv5RlhpCkP5ylEOf7eRBjxcw=,tag:dxN1qRoaYnCoBepWSmBRBQ==,type:str]
authentik_admin_password: ENC[AES256_GCM,data:TiuxIguDfhI3e+6GdqTLfqNUZ7ZigV8E4gj6Goqozgg=,iv:uVzCa6VQucQY5as3S+75r+0IGBqoFmPxUPqkjRr2KpA=,tag:pEYGLzIu8Dg4/XB3JXfn7w==,type:str]
authentik_secret_key: ENC[AES256_GCM,data:A3GKlCYuTW3nVezQ5TuI/eBbaBQLy43tqbgibTkrZiU=,iv:z4sBa9EESqYIv1IWx63dHvKSpQ7RVejsFhXFW45dTU8=,tag:PikzndBzaEmUBTcy0O+lnQ==,type:str]
authentik_replication_password: ENC[AES256_GCM,data:CXPdevPPexbK2BCCpa50EHrL3g8bQCBW/8AAMd3XppA=,iv:9L7J3NJ5b9ZDczYHTZ3LFHfURhogxCAKyIPneTuKjuw=,tag:m0BY8rYVrVF3NGsjzsOW+A==,type:str]
authentik_smtp_password: ENC[AES256_GCM,data:l0vfN1QxHWlu321XQvccpw==,iv:1nT8d+xDTZE3UOnXdAC2O72SOImeE8WRQlzM58do+9g=,tag:B9u/96C7fNbYNjIpTYLSAA==,type:str]
authentik_user_password: ENC[AES256_GCM,data:BJdiJouByTIoXYL3xn7zn6czVuXHheDdRKXKrM22PlE=,iv:0qvfgfHxUzFJGpDViMOzIDLjBwONvgUePNTE1lOKoQ8=,tag:K+8dgVwTZ+JA7yY07xoNdg==,type:str]
authentik_db_password: ENC[AES256_GCM,data:mAYOax2eC3E4lPsseD/bjPlOnL7pFavXbfArETKy,iv:hb/VBLKNc8yU6viSWm1ds4v24kpbndbKjwf4xN5/Ha8=,tag:T22wPtEvJXWfohP/lyU9YQ==,type:str]
authentik_files_keyid: ENC[AES256_GCM,data:342mVrO6ezaKAxDBWpnoFV2K5ZI=,iv:hCdivaMnEKl1zTC8BO+3EjdEPUDF0SHlev4N1tjprRo=,tag:zhiP0fZCW061HCyn6y8blw==,type:str]
authentik_files_keysecret: ENC[AES256_GCM,data:KlYmsEsvINbyzoHRuru7asAysw5c9XJPdTb+YF/hb256AifG7zfp0Q==,iv:AXV6xolmQZtHzE1FmGAuLwgg3i/mMqiTWNwnXKCUNE0=,tag:frd3kvOu91hjRljUeXViNQ==,type:str]
omni_asc_base64: ENC[AES256_GCM,data:+hZDcjfOLxyUrLC+M0tb47s71OQyJB7PzLzPwzamhooP3QZe9SOpYswHVhLeZELt1pUgm2ntIoqz9JMvoABDZZDXSob8uBsk4hLH3QJccNRxba1+laDzH3ni3OAVHZq6eSczDfX+aD+Z7JRaqp+cf4fwrb1scxE3kNL+bKcFXy0pOlqo36Ltcgr0sR5Jywf/zt8wvDGZ8GoiAMxBRIdgZL5W2/5MNqMtu1yllAPh4YU2qhrCxqKqmIKFROV/aMY3D34eW8VKOFG+3kfovNvXAA6bf9QZhkYEb1tO4ln8ULEtGmxQNyzbxnvDGmALcVgSXRCvuXK/QumxYyTGCkLrXHgC7xsqPHMU90jrLE7UVLiGsYfwuBsUVq8vmQpsQablNxzmbTSAHc+cTxBPj7ssgzJTwB4d/d2K7AJfpG4YEhv5PtyA5hYKXVunBM4N4mUiM+jqEJaJa3a9cmVxrdGfuCx3hj8sy0D2oTx6YsbX8+wg2bF+sQn+L6COH0Uw28NAFS7YBnbavLzt8PCAmi8CFgb24lYZoHwcMlbmK25etkEbEYGB6fYawqlKqhG248Ji6ACke0aylGHudX3ENfKvhOztjMQ9e5oDOetntNj3ITrjz+oMWUDlKeG8vqnZxss8aru17Mdo4/YIIVirUnO3GmqG88P1d6csJZXrglJcVHxV++CFL36a83ccGXmYFrCEmmZzxvbVCvr01L32qCEvWppw0B5jX+N2uL8gnn58PNiG+JKRMZct3ygq8Le0HI+XqxmbKRsES35KwFjeBFdEAdJ9ecFBWmUOVnGi/m6uPjgiPIrSCBBRkSFw/LdqmFPeHWAGJK6CgtLwhGfXznsy+PY1V6UkrVRoYKpX8hKVTaxPfWrSMfcWvnqw1bkPWaeicOMYRbl4Sj/hDr7UOCGnMse8LYmPcecsLYdjqsRbcDrPucgoW75EdFCIj3UXYIMcOtHa8rySItOdHnDNaf29OvWxblqd4RqTNGTwNZgkjFoMrLEwKFDQbmSjgq0PrwuZ7Lxgr4pHjYWlnAVAHLDrPaLyuY9LR+Y0jCsFcNWBtfV6E1kaiznJ2zXntlJgA5z7+KgOG1F/mJGUp4ciFqPl9FBD9XrFFgOQ4RvzMs4t8e2jUl6UJ83UlSQmGdUklmn1B+S9mF2kdHA7J3+Fh/AqYttt07ujMU/BbkUPKGIUnG7wjmG6L1bfnvj2pob5bJyi79UTma+iSH/HdoNXVt55RbkDJ5nUMxcTFCYVML3LA/w=,iv:C50Ad6hRMKKma6Ar/lS0tItjaKDQKSx1b8nS/GIUsik=,tag:w8YAfIuQHF9aPqPUAMAB1g==,type:str]
sops:
age:
- recipient: age1usxppyy4nfqtlvlvj5fgcwze6yy3yyvuqadrcmwwtt5dtctfkfrqzuk5w3
@@ -14,7 +23,7 @@ sops:
Q1VUZnpnOUh2SVQ2RC9XOG5qUTVzeWMKd4nZfXETJi1tbRrUDb938mk+OOnIru9t
F66KTiCc7akLC165G1ywBMShMPi5K+X9vRzGfmzUmwOHh2f4tZLBHA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-19T22:11:05Z"
mac: ENC[AES256_GCM,data:E5PsFbu3XLpqAX3x3EFEkFd9XgUeaZraSmYhjItCoAmIZE7qy1/10j2B72tGtDC0GQ5o/0cC0mkjkHqUJZjdmGUTQ2+dKC1rSBDpOsrLEMPqKgxsfxXYRRWK1zqK0tlIhDcGECWAvcq9oIArZ5yMQB88dYIZ+u/AX5PHOLvDH6Y=,iv:KP8BAqyrNzk7VwZrtJBXtpQ79ySBwQzMs3hd8S42yLc=,tag:i0USZC6KkZuoHoNjHY2rGg==,type:str]
lastmodified: "2026-04-08T15:30:13Z"
mac: ENC[AES256_GCM,data:ftM+7yM6SA96iALU6O6AqdzMsAftZeeHeajTU7fhQnU11Z9cSzBEbdrgg4jIJ9nVgoV+voHoeA3OX3NEvlC3dlnCVN+Re1xcBR8RRIptyVJxw1pEANPLUzMh3eBxtnLL/c6PFbvHogm5AOw65IwpfYLlAzSlg8agTGmHKoRVnuE=,iv:gJKXt5viHq01S28/gBaAzz3GleLz6JgNJd7vyvgWGvc=,tag:+9a2dcn3EmUhqbl7ISwuwg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.2