All my system configs and packages in one repo

focaccia: add bluesky PDS + sops-nix secrets mgmt

Sovereign infrastructure baby

pluie.me 302babe7 20de562e

verified
+264 -53
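--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,11 @@
+# NOTE: Additions/deletions _MUST_ be synchronized with age_from_1password.nu!
+keys:
+- &leah "age1lh4sn2s9gxj2s3naqdl4wpmz3uhpd3p8l0jfy6k5hu6cu34uyygsdwadd5"
+- &focaccia "age1wtr58sze4sxjjzq9jmsq7ztkvkjakvnfzuqzn025p92htz7zsdesjpc2c8"
+
+creation_rules:
+- path_regex: systems/focaccia/secrets/[^/]+\.(yaml|json|env|ini)$
+key_groups:
+- age:
+- *leah
+- *focaccia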
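Review bot: The sync NOTE on line 1 is ambiguous about which entries it covers: `keys` lists two recipients, while the `items` list in age_from_1password.nu holds a single 1Password entry. `&focaccia` is presumably the server's own recipient, derived from the SSH host key that pds.nix passes to `sops.age.sshKeyPaths`, so it has no 1Password counterpart. A comment on that entry, e.g. `# host key of focaccia (from /etc/ssh/ssh_host_ed25519_key); not in 1Password`, would stop a later edit from dropping it or hunting for a missing item.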
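--- a/age_from_1password.nu
+++ b/age_from_1password.nu
@@ -0,0 +1,43 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -p nushell ssh-to-age -i nu
+
+#==============================================================================
+# SOPS w/ Age helper for retrieving my 1Password secret keys on the fly
+#
+# Because I am a very lazy person and don't like to watch out for the
+# implications of storing my SSH keys on mobile devices that may hypothetically
+# be seized at any second, I'm storing all my private keys with 1Password.
+#
+# Now, should you do this? For convenience, *maybe*? For maximum security?
+# Definitely not. Go use a Yubikey or something. I'm just not a fan of
+# keeping a metal dongle on my person this entire time. I'll probably just
+# write out my master passphrase in my last will or something so people
+# I trust can actually regain access to all my stuff in case something goes
+# awry. Just in case.
+#==============================================================================
+
+# 1Password UUIDs of my private keys.
+#
+# I feel *somewhat* safe to make this globally visible since you do
+# need to sign in with my 1Password account to actually access them,
+# and if you ever get to that point, my security has already been defeated.
+#
+# All of these should be Ed25519.
+#
+# NOTE: Additions/deletions _MUST_ be synchronized with .sops.yaml!
+let items = [
+# Main SSH key
+"bkk3jg6qjnwyymb6gjiopczlba"
+]
+
+# Make sure to sign in first.
+# Does nothing if already signed in
+^op signin
+
+$items
+| par-each { |item|
+^op read $"op://Development/($item)/private key?ssh-format=openssh"
+| ^ssh-to-age -private-key
+}
+| str join "\n"
+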
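Review bot: The script prints the derived age private keys on stdout (the final `str join "\n"`), but the header never says how that output is meant to be consumed. Run bare in a terminal, the keys end up in scrollback, and a careless redirect puts them in a file. A usage line in the header would make the safe path explicit, for example `# Usage: SOPS_AGE_KEY=$(./age_from_1password.nu) sops <file>  (output is secret key material; never write it to disk)`. The intended invocation is an assumption, since no caller is visible in this commit.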
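--- a/flake.lock
+++ b/flake.lock
@@ -22,21 +22,6 @@
 "type": "github"
 }
 },
-"empty": {
-"locked": {
-"lastModified": 1759502707,
-"narHash": "sha256-ML60zVlqK+R0R6EH2aWhWJh9CYPj2XuaRya9AuMl/GY=",
-"owner": "MidAutumnMoon",
-"repo": "empty-flake",
-"rev": "3b830d637cf569096d7442e57fd221ecb887feda",
-"type": "github"
-},
-"original": {
-"owner": "MidAutumnMoon",
-"repo": "empty-flake",
-"type": "github"
-}
-},
 "flake-compat": {
 "flake": false,
 "locked": {
@@ -456,7 +441,6 @@
 "root": {
 "inputs": {
 "deploy-rs": "deploy-rs",
-"empty": "empty",
 "flake-parts": "flake-parts",
 "ghostty": "ghostty",
 "hjem": "hjem",
@@ -465,7 +449,9 @@
 "nixos-generators": "nixos-generators",
 "nixos-hardware": "nixos-hardware",
 "nixpkgs": "nixpkgs_2",
-"tangled": "tangled"
+"sops-nix": "sops-nix",
+"tangled": "tangled",
+"tranquil-pds": "tranquil-pds"
 }
 },
 "rust-overlay": {
@@ -560,6 +546,26 @@
 "type": "github"
 }
 },
+"sops-nix": {
+"inputs": {
+"nixpkgs": [
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1768481291,
+"narHash": "sha256-NjKtkJraCZEnLHAJxLTI+BfdU//9coAz9p5TqveZwPU=",
+"owner": "Mic92",
+"repo": "sops-nix",
+"rev": "e085e303dfcce21adcb5fec535d65aacb066f101",
+"type": "github"
+},
+"original": {
+"owner": "Mic92",
+"repo": "sops-nix",
+"type": "github"
+}
+},
 "sqlite-lib-src": {
 "flake": false,
 "locked": {
@@ -650,31 +656,15 @@
 },
 "tangled": {
 "inputs": {
-"actor-typeahead-src": [
-"empty"
-],
-"flake-compat": [
-"empty"
-],
+"actor-typeahead-src": [],
+"flake-compat": [],
 "gomod2nix": "gomod2nix",
-"htmx-src": [
-"empty"
-],
-"htmx-ws-src": [
-"empty"
-],
-"ibm-plex-mono-src": [
-"empty"
-],
-"indigo": [
-"empty"
-],
-"inter-fonts-src": [
-"empty"
-],
-"lucide-src": [
-"empty"
-],
+"htmx-src": [],
+"htmx-ws-src": [],
+"ibm-plex-mono-src": [],
+"indigo": [],
+"inter-fonts-src": [],
+"lucide-src": [],
 "nixpkgs": [
 "nixpkgs"
 ],
@@ -693,6 +683,27 @@
 "shallow": true,
 "type": "git",
 "url": "https://tangled.org/tangled.org/core"
+}
+},
+"tranquil-pds": {
+"inputs": {
+"nixpkgs": [
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1768063083,
+"narHash": "sha256-n4wojr8uD3FgNRUfvUZzLw8w3K5UA7zq/T13c7h7ANs=",
+"ref": "refs/heads/main",
+"rev": "32fee7a7fff8493b78ca078a840b5819718f297d",
+"revCount": 133,
+"type": "git",
+"url": "https://tangled.org/lewis.moe/bspds-sandbox"
+},
+"original": {
+"rev": "32fee7a7fff8493b78ca078a840b5819718f297d",
+"type": "git",
+"url": "https://tangled.org/lewis.moe/bspds-sandbox"
 }
 },
 "treefmt-nix": {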
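--- a/flake.nix
+++ b/flake.nix
@@ -12,7 +12,6 @@
 
 inputs = {
 nixpkgs.url = "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz";
-empty.url = "github:MidAutumnMoon/empty-flake";
 
 # NOTE: please keep this in alphabetical order.
 
@@ -53,21 +52,31 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 
+sops-nix = {
+url = "github:Mic92/sops-nix";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+
 tangled = {
 url = "git+https://tangled.org/tangled.org/core?shallow=1";
 inputs = {
 nixpkgs.follows = "nixpkgs";
 
 # We don't need any of these
-flake-compat.follows = "empty";
-indigo.follows = "empty";
-htmx-src.follows = "empty";
-htmx-ws-src.follows = "empty";
-lucide-src.follows = "empty";
-inter-fonts-src.follows = "empty";
-actor-typeahead-src.follows = "empty";
-ibm-plex-mono-src.follows = "empty";
+flake-compat.follows = "";
+indigo.follows = "";
+htmx-src.follows = "";
+htmx-ws-src.follows = "";
+lucide-src.follows = "";
+inter-fonts-src.follows = "";
+actor-typeahead-src.follows = "";
+ibm-plex-mono-src.follows = "";
 };
+};
+
+tranquil-pds = {
+url = "git+https://tangled.org/lewis.moe/bspds-sandbox?rev=32fee7a7fff8493b78ca078a840b5819718f297d";
+inputs.nixpkgs.follows = "nixpkgs";
 };
 };
 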
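Review bot: The new `tranquil-pds` input is added and locked, but nothing in the live configuration consumes it. Its only reference in this commit is inside the commented-out unit in pds.nix, where the `inputs` argument is commented out as well. Pinning `?rev=` in the URL is a sensible guard for a third-party source, though it also means `nix flake update` will not advance it, and that is not stated anywhere. A comment on the input would record both facts, e.g. `# pinned by rev on purpose; unused until the tranquil-pds unit in pds.nix is enabled`. Alternatively the input could land in the commit that enables the service.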
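--- a/systems/focaccia/configuration.nix
+++ b/systems/focaccia/configuration.nix
@@ -9,6 +9,8 @@
 ./networking.nix
 ../../modules/nixos/hysteria.nix
 inputs.tangled.nixosModules.knot
+inputs.sops-nix.nixosModules.sops
+./pds.nix
 ];
 
 networking = {
@@ -33,7 +35,7 @@
 home = "/home/leah";
 
 openssh.authorizedKeys.keys = [
-"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbsavGX9rGRx5R+7ovLn+r7D/w3zkbqCik4bS31moSz"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINcpWY17MNJBx56APRSvLOfUjHllXn9gY/cV51JaLoh6"
 ];
 };
 
@@ -83,7 +85,12 @@
 services.caddy = {
 enable = true;
 email = "srv@acc.pluie.me";
-virtualHosts."focaccia.pluie.me" = {
+virtualHosts."pds.pluie.me" = {
+extraConfig = ''
+reverse_proxy :11037
+'';
+};
+virtualHosts."knot.pluie.me" = {
 extraConfig = ''
 reverse_proxy :8964
 '';
@@ -99,7 +106,8 @@
 listenAddr = "0.0.0.0:8964";
 internalListenAddr = "127.0.0.1:4698";
 owner = "did:plc:e4f33w5yt2m54tq6vsagpwiu";
 -hostname = "focaccia.pluie.me";
+hostname = "knot.pluie.me";
 };
 };
+
 }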
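Review bot: The knot still binds `listenAddr = "0.0.0.0:8964"` (a context line in the last hunk) even though the new `knot.pluie.me` vhost makes Caddy the intended front door. That leaves the plain-HTTP port reachable on every interface unless the firewall closes it, and the firewall configuration is not visible in these hunks. If nothing needs direct access, `listenAddr = "127.0.0.1:8964";` keeps Caddy's TLS termination as the only path in. The same check applies to whichever address the PDS binds for port 11037, which this file does not show. The enclosing attribute sets begin and end outside the hunks.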
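--- a/systems/focaccia/pds.nix
+++ b/systems/focaccia/pds.nix
@@ -0,0 +1,99 @@
+{
+# inputs,
+config,
+# lib,
+# pkgs,
+...
+}:
+{
+sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+sops.secrets.bluesky-pds = {
+sopsFile = ./secrets/bluesky-pds.env;
+format = "dotenv";
+};
+
+# TODO: replace with tranquil PDS once i had more time
+services.bluesky-pds = {
+enable = true;
+environmentFiles = [ config.sops.secrets.bluesky-pds.path ];
+settings = {
+PDS_HOSTNAME = "pds.pluie.me";
+PDS_PORT = 11037;
+};
+};
+
+# services.postgresql = {
+# enable = true;
+# authentication = ''
+# host all postgres samehost trust
+# '';
+# ensureDatabases = [ "pds" ];
+# };
+
+# users.users.pds = {
+# group = "pds";
+# isSystemUser = true;
+# };
+
+# users.groups.pds = { };
+
+# systemd.services.tranquil-pds = {
+# description = "Tranquil PDS";
+
+# after = [ "network-online.target" ];
+# wants = [ "network-online.target" ];
+# wantedBy = [ "multi-user.target" ];
+
+# serviceConfig = {
+# ExecStart =
+# lib.getExe' inputs.tranquil-pds.packages.${pkgs.stdenv.hostPlatform.system}.default
+# "tranquil-pds";
+
+# Environment = lib.mapAttrsToList (k: v: "${k}=${toString v}") {
+# PDS_HOSTNAME = "pds.pluie.me";
+# SERVER_HOST = "127.0.0.1";
+# SERVER_PORT = 11037;
+# DATABASE_URL = "postgres://postgres:postgres@localhost:5432/pds";
+# };
+
+# EnvironmentFile = [ config.sops.secrets.tranquil-pds.path ];
+# User = "pds";
+# Group = "pds";
+# StateDirectory = "pds";
+# StateDirectoryMode = "0755";
+# Restart = "always";
+
+# # Hardening
+# RemoveIPC = true;
+# # CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+# NoNewPrivileges = true;
+# PrivateDevices = true;
+# ProtectClock = true;
+# ProtectKernelLogs = true;
+# ProtectControlGroups = true;
+# ProtectKernelModules = true;
+# PrivateMounts = true;
+# SystemCallArchitectures = [ "native" ];
+# MemoryDenyWriteExecute = false; # required by V8 JIT
+# RestrictNamespaces = true;
+# RestrictSUIDSGID = true;
+# ProtectHostname = true;
+# LockPersonality = true;
+# ProtectKernelTunables = true;
+# RestrictAddressFamilies = [
+# "AF_UNIX"
+# "AF_INET"
+# "AF_INET6"
+# ];
+# RestrictRealtime = true;
+# DeviceAllow = [ "" ];
+# ProtectSystem = "strict";
+# ProtectProc = "invisible";
+# ProcSubset = "pid";
+# ProtectHome = true;
+# PrivateUsers = true;
+# PrivateTmp = true;
+# UMask = "0077";
+# };
+# };
+}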
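Review bot: The commented-out tranquil-pds draft would weaken the database boundary if enabled as written. `host all postgres samehost trust` accepts password-less connections as the `postgres` superuser from the host's own addresses. The `DATABASE_URL = "postgres://postgres:postgres@localhost:5432/pds"` entry sits in `Environment`, so it would be written into the unit file in the Nix store rather than come from the sops-managed env file. Before un-commenting, a dedicated `pds` role with peer authentication over the unix socket and the URL moved into tranquil-pds.env would close both gaps. Until then a marker above the block such as `# DRAFT, do not enable as-is: DB auth is trust and DATABASE_URL is not secret-managed` would make the state clear.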
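--- a/systems/focaccia/secrets/bluesky-pds.env
+++ b/systems/focaccia/secrets/bluesky-pds.env
@@ -0,0 +1,11 @@
+PDS_JWT_SECRET=ENC[AES256_GCM,data:j+fIFm9mTzZmGYmqFl5WG8SEP9G2t9VGivd7Xr/CsBY=,iv:Nc3F7PMbDp1AaQ3Y21SVwSI2MKaDE6hy99BGgZVLjGA=,tag:7198yKpl3iWLwQOlb/BNkQ==,type:str]
+PDS_ADMIN_PASSWORD=ENC[AES256_GCM,data:zxaNpbCXkyYOT6rnxdXK7NBJ//tAR4ZBes7L607MaW8=,iv:j8J59JH879HVls01qXenprrSica4jLR4xW5r1dEy654=,tag:4PwaijN6/aTiFingb8ykFw==,type:str]
+PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX=ENC[AES256_GCM,data:iD/cSlJGPkpYaUlkzcl5rdAmF36YyIo8gvFVngTb2UANZFUg/pq9qhWoh4U0EbHnjbrQVQw7Mv6ltoFq61oVBw==,iv:k/LSB1/G+QbgBDuM4M3InzvZfI4U8YGxrZm0SBnGHkk=,tag:mQOtL2ZiOI4vKke9pv/sRw==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEeFVIRm1lckRhKzkzZ0Rs\nUmNpMDh3ditkL3o3cTAzUi9RcW1TaEdoTlVnCmpZamMyb1Irc0dYRWdVem84YWRk\nN0R5cnh6WXhvd3dOdmgxb1A5NDZ4alkKLS0tIHd5bGFPUEtCUDdUNUsrMVl0allS\nL2FOOWRYeEkrTWc5MklLY3BRVGwzYzAKDbCFUNiw7qlmI21NiCYHqf3q2BjKUOuV\nKXO8ccEkPmmOwP/b2mqlsWsQNo8iGRqpoAgz1GJ5TQop/u9QP3rRkA==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1lh4sn2s9gxj2s3naqdl4wpmz3uhpd3p8l0jfy6k5hu6cu34uyygsdwadd5
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArcklib1I1eWZvT3UyeFR1\nN05DeHorUHdhRnhMdlFSUEw2TTF3UGVEZFFNCmcyZWI5Z2RVYlJnSkxHNnhDdENP\nVDVqTGlMNGowN2pMUjNjVTN1RENFU1EKLS0tIGw2U0EzckRnYjRTS0JoaVpvN05x\nWnc2UURmZExtemJYL2RjTm0rZkRBZWsKut1/Aeay31L4D1pUm/k7rWOWGFlJL+zz\nt/qqRbDQhvBaUBSal1xM7hELJbcZwAwH2x4xHcy1rMFyWVurMc/Rnw==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1wtr58sze4sxjjzq9jmsq7ztkvkjakvnfzuqzn025p92htz7zsdesjpc2c8
+sops_lastmodified=2026-01-16T21:28:17Z
+sops_mac=ENC[AES256_GCM,data:GBGmWfc8Vf6cDNX3C1+CWs5VOquwyOqDgfG5l2ciGYXwcNcwyjmWmHyhb7e3MkaxZespb7vn2FjOxFmDBZAJX7PoFe5XTDDvTpDPc02KN5cbilcdkbj7tppIYTaoa+QTX3/Vy43mTsFnD0DrZgi4niJc3IKJwRTDpmeigw+otp0=,iv:7LgaTaLBLM/I8sfHjWm6ve6ZB+oA1Xnxe/m22hV+uLQ=,tag:hb13g+eXLjYpx440S4Jv/A==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.11.0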
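Review bot: Both `sops_age__list_*__map_enc` stanzas in this file are byte-identical to the ones in systems/focaccia/secrets/tranquil-pds.env. Since age wrapping is randomized, that suggests one file was created by copying the other and both share a single sops data key. The recipients are the same, so nobody gains access they lacked, but the live PDS secrets (including the PLC rotation key) are tied to a file that nothing in the active configuration consumes, and rotating the data key on one file leaves the other on the old key. Creating each secrets file fresh, or running sops's rotate operation on both, gives each its own data key. It would also be worth deferring tranquil-pds.env until a `sops.secrets.tranquil-pds` entry actually exists.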
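--- a/systems/focaccia/secrets/tranquil-pds.env
+++ b/systems/focaccia/secrets/tranquil-pds.env
@@ -0,0 +1,19 @@
+JWT_SECRET=ENC[AES256_GCM,data:541+zhzilGnokp4FPa2sgAQf69pYTsvrCJzO7YA7IrI=,iv:2efoLLQ3Y4voEHRcIv42MWb9X6yVccpo4AVqOKiQ1eg=,tag:n88PqhcoMvc3TBNYsT2vOg==,type:str]
+DPOP_SECRET=ENC[AES256_GCM,data:9PXTgjJIDdYl5WKuVl/iC7vbOUUiXMzB3qfcB/baeHI=,iv:19ZkOeGA9dknU6OlmD58K8iaUjDY1MlAGOKuyop6RQ8=,tag:WEClGenSAUk6UMmJsrbFsg==,type:str]
+MASTER_KEY=ENC[AES256_GCM,data:4mG75YaQOsE2jIN2jjeM2e6EYZNymNNyrSxiTp+BGUabcpIJY8gqR8SJfAJhMAsVE5vuwRMafiEX3o1iX+T/Ug==,iv:7TnjnPBrI2dtDvVioM8fRqgBIWYc9SnVnGXkNc4mYjI=,tag:GFzVZ9vs87sFvCq4t5bU8Q==,type:str]
+S3_ENDPOINT=ENC[AES256_GCM,data:kYgUqN41tt5cyYXPGMYqbDcsdybULR6TO6TqactUsM27z2I=,iv:os++rHvHDan/nWg5WB7liZUKyWRs9PqQ/0WOgCG2qYU=,tag:S/bDXvG/Kd/5tnnThGJVBw==,type:str]
+S3_BUCKET=ENC[AES256_GCM,data:XPwx,iv:m9AaTv7Y67zXHBuKvFVPZO6XjfAie7qLQi3ZMVq/JN0=,tag:4MV5sMLoL4Jips6oIF6LSw==,type:str]
+AWS_ACCESS_KEY_ID=ENC[AES256_GCM,data:wb4VbEwWZOWNn/nO0sMwu6jUD9c=,iv:HDn6qMEjQ3qjRsVMBnIqXfZ6R+u6tvQAtPs02QSAXGg=,tag:7rrmmYBXDOE/GiY+SRSOyw==,type:str]
+AWS_SECRET_ACCESS_KEY=ENC[AES256_GCM,data:za1WkqB3ONCZRlJvcD/Javro0oGSpBa/7E9g4GtcFrL5Ef9wIDdf5w==,iv:+pOS+5VBUevUT87D1gIkwMHTiafFoTDA0Esip2D135s=,tag:pJ56v/BikKpRw+D0iNT9Uw==,type:str]
+#ENC[AES256_GCM,data:ijngQOCRL/Z1TNU3+d1GhepidIbO08sY2ZbPWV94G/9f2qEyElC89XrD4U7jMd1Y/O/e,iv:UKQxnqSoUQuJ5frQj9TS/+w4AVdLAs/Za7/e2gCOjTU=,tag:BkwmSxONocjl7jcZD4siEQ==,type:comment]
+INVITE_CODE_REQUIRED=ENC[AES256_GCM,data:WmTt3A==,iv:MxsP7j6JW+be92byD4TKujnIDVZ1cfb3f2WJj55+oyw=,tag:ZTXKQ5P37BkkdRWSV5FIDg==,type:str]
+#ENC[AES256_GCM,data:PIWNrLzuxx18+HP7h6hyf/g6DfXEfp7iH8IXmA==,iv:bfevAkO62VxGkdgiP2d7ATX7/Eqz7e7jCCQ/7C1H9dA=,tag:DjrrPzkVmiaMWrwDXc+TXA==,type:comment]
+PDS_AGE_ASSURANCE_OVERRIDE=ENC[AES256_GCM,data:Pg==,iv:oErlmO6hnM8qxaKckKEIOfu2Qd+D5xqqRUk9/LSbk94=,tag:Z9YGhBQTEVwKV6ftqVuN8A==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEeFVIRm1lckRhKzkzZ0Rs\nUmNpMDh3ditkL3o3cTAzUi9RcW1TaEdoTlVnCmpZamMyb1Irc0dYRWdVem84YWRk\nN0R5cnh6WXhvd3dOdmgxb1A5NDZ4alkKLS0tIHd5bGFPUEtCUDdUNUsrMVl0allS\nL2FOOWRYeEkrTWc5MklLY3BRVGwzYzAKDbCFUNiw7qlmI21NiCYHqf3q2BjKUOuV\nKXO8ccEkPmmOwP/b2mqlsWsQNo8iGRqpoAgz1GJ5TQop/u9QP3rRkA==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1lh4sn2s9gxj2s3naqdl4wpmz3uhpd3p8l0jfy6k5hu6cu34uyygsdwadd5
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArcklib1I1eWZvT3UyeFR1\nN05DeHorUHdhRnhMdlFSUEw2TTF3UGVEZFFNCmcyZWI5Z2RVYlJnSkxHNnhDdENP\nVDVqTGlMNGowN2pMUjNjVTN1RENFU1EKLS0tIGw2U0EzckRnYjRTS0JoaVpvN05x\nWnc2UURmZExtemJYL2RjTm0rZkRBZWsKut1/Aeay31L4D1pUm/k7rWOWGFlJL+zz\nt/qqRbDQhvBaUBSal1xM7hELJbcZwAwH2x4xHcy1rMFyWVurMc/Rnw==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1wtr58sze4sxjjzq9jmsq7ztkvkjakvnfzuqzn025p92htz7zsdesjpc2c8
+sops_lastmodified=2026-01-16T21:28:02Z
+sops_mac=ENC[AES256_GCM,data:jL4Mn2igySD+fQ3ugrlcc2NUY/EN9vdukkWMM7pkpKb/hPY9CMpOoAMu62ZYwcOkJq2lGhW+80ZUxshNPPvpUn+LRgQXz64XpDjn6sXrRXJgPb+CnbM6egRQsAeFI/M1L4d3/3nSKslVQCqYrt4MBF5X/FDGeFV4MReuYtytDK8=,iv:iqSynPjysmQQGfSF8IfGvqPR0YNI6qKfOv8qwyHJoz4=,tag:fJyRHaQ5vOZWXRc59fx6Yw==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.11.0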