[
  {
    "path": ".github/CODEOWNERS",
    "content": "# Every directory containing configurations impacting the core infra needs a\n# review from a member of core infra.\n/.github/                  @NixOS/infra-build\n/build/                    @NixOS/infra-build\n/builders/                 @NixOS/infra-build\n/dns/                      @NixOS/infra-build\n/lib/                      @NixOS/infra-build\n/macs/                     @NixOS/infra-build\n/metrics/                  @NixOS/infra-build\n/modules/                  @NixOS/infra-build\n/terraform-iam/            @NixOS/infra-build\n/terraform/                @NixOS/infra-build\n/channels.nix              @NixOS/infra-build\n/ssh-keys.nix              @NixOS/infra-build\n"
  },
  {
    "path": ".github/ISSUE_TEMPLATE/feature_request.md",
    "content": "---\nname: Feature request\nabout: Suggest an improvement for this project\ntitle: \"\"\nlabels: enhancement\nassignees: \"\"\n---\n\n**Is your feature request related to a problem? Please describe.**\n\n<!--\nA clear and concise description of what the problem is. Ex. I'm always frustrated when [...]\n-->\n\n**Describe the solution you'd like**\n\n<!--\nA clear and concise description of what you want to happen.\n-->\n\n**Describe alternatives you've considered**\n\n<!--\nA clear and concise description of any alternative solutions or features you've considered.\n-->\n\n**Additional context**\n\n<!--\nAdd any other context or screenshots about the feature request here.\n-->\n"
  },
  {
    "path": ".github/ISSUE_TEMPLATE/service_disruption.md",
    "content": "---\nname: Service disruption report\nabout: Use this to report service instabilities\ntitle: \"<service-name>: \"\nlabels: bug\nassignees: \"\"\n---\n\n**Affected service**\n\n<!-- What service is affected? -->\n\n**Describe the issue**\n\n<!-- A clear and concise description of what the issue is. -->\n\n**System information**\n\n<!-- Relevant system versions. If it's a connectivity issue, `mtr` reports. -->\n"
  },
  {
    "path": ".github/scripts/format-and-absorb.sh",
    "content": "#!/usr/bin/env -S nix shell --inputs-from . nixpkgs#bash nixpkgs#git-absorb --command bash\n# shellcheck shell=bash\nset -euo pipefail\n\n# This script runs nix fmt and git absorb to update a pull request\n# It's designed to be run in a GitHub Actions workflow\n\necho \"::group::Running nix fmt\"\nnix fmt\necho \"::endgroup::\"\n\necho \"::group::Checking for changes\"\nif git diff --quiet; then\n  echo \"No formatting changes needed\"\n  exit 0\nfi\necho \"::endgroup::\"\n\necho \"::group::Running git absorb\"\n# Run git absorb with --force to automatically absorb changes\ngit add -A\n# Create fixup commits\n# Find the merge base to properly identify which commits can absorb changes\nMERGE_BASE=$(git merge-base origin/main HEAD)\ngit absorb --force --base \"$MERGE_BASE\"\n# Then do a non-interactive autosquash rebase with git identity set\nexport GIT_EDITOR=:\nexport GIT_SEQUENCE_EDITOR=:\nexport GIT_AUTHOR_NAME=\"github-actions[bot]\"\nexport GIT_AUTHOR_EMAIL=\"github-actions[bot]@users.noreply.github.com\"\nexport GIT_COMMITTER_NAME=\"github-actions[bot]\"\nexport GIT_COMMITTER_EMAIL=\"github-actions[bot]@users.noreply.github.com\"\ngit rebase -i --autosquash origin/main\necho \"::endgroup::\"\n\necho \"::group::Pushing changes\"\ngit push --force-with-lease\necho \"::endgroup::\"\n\necho \"Successfully formatted code and absorbed changes!\"\n"
  },
  {
    "path": ".github/workflows/ci.yml",
    "content": "name: CI\n\non:\n  push:\n    branches:\n      - main\n  pull_request:\n  merge_group:\n\npermissions:\n  contents: read\n\njobs:\n  checks:\n    runs-on: \"${{ matrix.os }}\"\n    strategy:\n      fail-fast: false\n      matrix:\n        os:\n          - ubuntu-latest\n          - ubuntu-22.04-arm\n          - macos-latest\n    steps:\n      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6\n        with:\n          persist-credentials: false\n      - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31\n      - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c # v17\n        with:\n          name: nixos-infra-dev\n          authToken: \"${{ secrets.CACHIX_AUTH_TOKEN }}\"\n      - run: nix run --inputs-from . nixpkgs#nix-fast-build -- --skip-cached --no-nom\n  nixos-x86_64:\n    runs-on: ubuntu-latest\n    strategy:\n      fail-fast: false\n      matrix:\n        machine:\n          - caliban\n          - elated-minsky\n          - sleepy-brown\n          - haumea\n          - pluto\n          - mimas\n    steps:\n      - name: Free disk space\n        if: matrix.machine == 'mimas'\n        run: |\n          sudo rm -rf /usr/share/dotnet /usr/local/lib/android /opt/ghc\n      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6\n        with:\n          persist-credentials: false\n      - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31\n      - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c # v17\n        with:\n          name: nixos-infra-dev\n          authToken: \"${{ secrets.CACHIX_AUTH_TOKEN }}\"\n      - run: nix run --inputs-from . 
nixpkgs#nix-fast-build -- --skip-cached --no-nom --flake '.#nixosConfigurations.\"${{ matrix.machine }}\".config.system.build.toplevel'\n  nixos-aarch64:\n    runs-on: ubuntu-22.04-arm\n    strategy:\n      fail-fast: false\n      matrix:\n        machine:\n          - umbriel\n          - goofy-hopcroft\n          - staging-hydra\n    steps:\n      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6\n        with:\n          persist-credentials: false\n      - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31\n      - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c # v17\n        with:\n          name: nixos-infra-dev\n          authToken: \"${{ secrets.CACHIX_AUTH_TOKEN }}\"\n      - run: nix run --inputs-from . nixpkgs#nix-fast-build -- --skip-cached --no-nom --flake '.#nixosConfigurations.\"${{ matrix.machine }}\".config.system.build.toplevel'\n  nix-darwin:\n    runs-on: macos-latest\n    strategy:\n      fail-fast: false\n      matrix:\n        machine:\n          - intense-heron # m1\n          - kind-lumiere # m2\n    steps:\n      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6\n        with:\n          persist-credentials: false\n      - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31\n      - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c # v17\n        with:\n          name: nixos-infra-dev\n          authToken: \"${{ secrets.CACHIX_AUTH_TOKEN }}\"\n      - run: nix run --inputs-from . nixpkgs#nix-fast-build -- --skip-cached --no-nom --flake '.#darwinConfigurations.\"${{ matrix.machine }}\".config.system.build.toplevel'\n"
  },
  {
    "path": ".github/workflows/dns-apply.yml",
    "content": "---\nname: Apply DNS changes\n\non:\n  push:\n    branches:\n      - main\n    paths:\n      - \"dns/**\"\n  workflow_dispatch:\n\npermissions: {}\n\njobs:\n  dnscontrol:\n    runs-on: ubuntu-latest\n    strategy:\n      fail-fast: true\n    steps:\n      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n        with:\n          persist-credentials: false\n      - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31\n      - name: dnscontrol push\n        env:\n          GANDI_TOKEN: \"${{ secrets.GANDI_TOKEN }}\" # Expires 2026-04-07\n        working-directory: ./dns/\n        run: |\n          nix run --inputs-from . nixpkgs#dnscontrol -- push\n"
  },
  {
    "path": ".github/workflows/dns-preview.yml",
    "content": "---\nname: Test/Preview DNS changes\n\non:\n  pull_request:\n    paths:\n      - \"dns/**\"\n\npermissions: {}\n\njobs:\n  dnscontrol:\n    # only run for local branches\n    if: github.event.pull_request.head.repo.full_name == github.repository\n    runs-on: ubuntu-latest\n    strategy:\n      fail-fast: false\n    steps:\n      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n        with:\n          persist-credentials: false\n      - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31\n      - name: dnscontrol preview\n        env:\n          GANDI_TOKEN: \"${{ secrets.GANDI_TOKEN }}\" # Expires 2026-04-07\n        working-directory: ./dns/\n        run: |\n          nix run --inputs-from . nixpkgs#dnscontrol -- preview\n"
  },
  {
    "path": ".github/workflows/format-pr.yml",
    "content": "name: Format PR\n\non:\n  issue_comment:\n    types: [created]\n  workflow_dispatch:\n    inputs:\n      pr_number:\n        description: \"PR number to format\"\n        required: true\n        type: number\n\npermissions:\n  contents: write\n  pull-requests: write\n\njobs:\n  format:\n    if: |\n      github.event.issue.pull_request &&\n      github.event.comment.body == '/format'\n    runs-on: ubuntu-latest\n    steps:\n      - name: Check if user has write access\n        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0\n        with:\n          script: |\n            const permission = await github.rest.repos.getCollaboratorPermissionLevel({\n              owner: context.repo.owner,\n              repo: context.repo.repo,\n              username: context.payload.comment.user.login,\n            });\n\n            if (!['admin', 'write'].includes(permission.data.permission)) {\n              await github.rest.issues.createComment({\n                owner: context.repo.owner,\n                repo: context.repo.repo,\n                issue_number: context.issue.number,\n                body: '❌ You need write access to run this command.'\n              });\n              core.setFailed('User lacks write permission');\n            }\n\n      - name: React to comment\n        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0\n        with:\n          script: |\n            await github.rest.reactions.createForIssueComment({\n              owner: context.repo.owner,\n              repo: context.repo.repo,\n              comment_id: context.payload.comment.id,\n              content: 'rocket'\n            });\n\n      - name: Get PR branch\n        id: pr\n        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0\n        with:\n          script: |\n            const pr = await github.rest.pulls.get({\n              owner: context.repo.owner,\n              repo: 
context.repo.repo,\n              pull_number: context.issue.number,\n            });\n            core.setOutput('head_ref', pr.data.head.ref);\n            core.setOutput('head_sha', pr.data.head.sha);\n\n      - name: Checkout PR\n        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n        with:\n          ref: ${{ steps.pr.outputs.head_ref }}\n          fetch-depth: 0\n\n      - name: Install Nix\n        uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31\n\n      - name: Setup Cachix\n        uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c # v17\n        with:\n          name: nixos-infra-dev\n          authToken: \"${{ secrets.CACHIX_AUTH_TOKEN }}\"\n\n      - name: Run format and absorb\n        run: ./.github/scripts/format-and-absorb.sh\n\n      - name: Comment on success\n        if: success()\n        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0\n        with:\n          script: |\n            await github.rest.issues.createComment({\n              owner: context.repo.owner,\n              repo: context.repo.repo,\n              issue_number: context.issue.number,\n              body: '✅ Successfully formatted and absorbed changes!'\n            });\n\n      - name: Comment on failure\n        if: failure()\n        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0\n        with:\n          script: |\n            await github.rest.issues.createComment({\n              owner: context.repo.owner,\n              repo: context.repo.repo,\n              issue_number: context.issue.number,\n              body: '❌ Failed to format and absorb changes. Check the workflow logs for details.'\n            });\n"
  },
  {
    "path": ".github/workflows/zizmor.yml",
    "content": "name: GitHub Actions Security Analysis with zizmor 🌈\n\non:\n  push:\n    branches:\n      - main\n    paths:\n      - \".github/**\"\n      - flake.lock\n  pull_request:\n    paths:\n      - \".github/**\"\n      - flake.lock\n\npermissions: {}\n\njobs:\n  zizmor:\n    name: Run zizmor against GitHub Action workflows\n    runs-on: ubuntu-latest\n    permissions:\n      security-events: write\n    steps:\n      - name: Clone repository\n        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6\n        with:\n          persist-credentials: false\n\n      - name: Install nix\n        uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31\n\n      - name: Run zizmor 🌈\n        env:\n          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n        run: |\n          nix run --inputs-from . nixpkgs-unstable#zizmor -- \\\n            --format sarif --pedantic . > results.sarif\n\n      - name: Upload SARIF file\n        uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4\n        with:\n          sarif_file: results.sarif\n          category: zizmor\n"
  },
  {
    "path": ".gitignore",
    "content": "*~\n\n# Terraform\n.terraform*\n\n# Direnv\n.direnv\n\n# Nix build outputs\nresult\n\n# Colmena --keep-result roots directory\n.gcroots\n"
  },
  {
    "path": "LICENSE",
    "content": "MIT License\n\nCopyright (c) 2024 NixOS Foundation and contributors\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "README.md",
    "content": "# The NixOS infrastructure configurations\n\nThis repository contains all the hardware configuration for the nixos project\ninfrastructure.\n\nAll the hosts are currently managed using NixOps. Some of the infrastructure is\nmanaged using Terraform. There are still a lot of things configured manually.\n\n## Docs\n\n- [Resources inventory](docs/inventory.md)\n\n## Team\n\nThere are two teams managing this repository. The responsibility of both teams\nis to provide infrastructure for the Nix and NixOS community.\n\n### [@NixOS/infra-build](https://github.com/orgs/NixOS/teams/infra-build)\n\nThis team has access to all the infrastructure, including the build\ninfrastructure. The members are a subset of the next team.\n\n### [@NixOS/infra](https://github.com/orgs/NixOS/teams/infra)\n\nFirst level responders. This team helps with the high-level infrastructure.\n\nAll the members should be watching this repository for changes.\n\n## Regular catch up\n\nWe meet regularly over [Lasuite Meet](https://github.com/suitenumerique/meet) to\ncatch up and make decisions. Sometimes it helps to have dedicated focus and\nhigher communication bandwidth.\n\nThere is an open team meeting **every other Thursday at\n[18:00 (Europe/Zurich)](https://dateful.com/convert/zurich?t=18)**. See the\n[google calendar](https://calendar.google.com/calendar/u/0/embed?src=b9o52fobqjak8oq8lfkhg3t0qg@group.calendar.google.com)\n(search for \"NixOS Infra\") to see the next date.\n\n- Location: <https://meet.cccda.de/nix-osin-fra>\n- Meeting notes: <https://pad.lassul.us/nixos-infra>\n\n## Reporting issues\n\nIf you experience any issues with the infrastructure, please\n[post a new issue to this repository][1].\n\n[1]: https://github.com/NixOS/infra/issues/new\n"
  },
  {
    "path": "build/.envrc",
    "content": "# shellcheck shell=bash\nuse flake .#build\n"
  },
  {
    "path": "build/colmena.nix",
    "content": "# heavily adapted from https://github.com/juspay/colmena-flake\n# Original license: GNU Affero General Public License v3.0\n{\n  config,\n  lib,\n  self,\n  inputs,\n  ...\n}:\n{\n  options.colmena = {\n    hosts = lib.mkOption {\n      type = lib.types.attrsOf (\n        lib.types.submodule (\n          { name, ... }:\n          {\n            options = {\n              targetHost = lib.mkOption {\n                type = lib.types.str;\n                default = \"${name}.nixos.org\";\n                description = ''\n                  The target host for colmena nodes\n                '';\n              };\n\n              targetUser = lib.mkOption {\n                type = lib.types.str;\n                default = \"root\";\n                description = ''\n                  The target user for colmena nodes\n                '';\n              };\n            };\n          }\n        )\n      );\n      description = ''\n        Deployment configuration for colmena nodes\n      '';\n      example = {\n        node1 = {\n          targetHost = \"node1.nixos.org\";\n          targetUser = \"foo\";\n        };\n      };\n    };\n\n    system = lib.mkOption {\n      type = lib.types.str;\n      description = ''\n        The system for colmena nodes\n      '';\n      default = \"x86_64-linux\";\n    };\n  };\n  config.flake.colmenaHive = inputs.colmena.lib.makeHive self.outputs.colmena;\n  config.flake.colmena = {\n    meta = {\n      nixpkgs = inputs.nixpkgs.legacyPackages.${config.colmena.system};\n      # https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861\n      nodeSpecialArgs = builtins.mapAttrs (_: value: value._module.specialArgs) self.nixosConfigurations;\n    };\n  }\n  // builtins.mapAttrs (name: _: {\n    imports = (self.nixosConfigurations.${name})._module.args.modules ++ [\n      {\n        deployment = config.colmena.hosts.${name};\n      }\n    ];\n  }) config.colmena.hosts;\n}\n"
  },
  {
    "path": "build/colmena.sh",
    "content": "#!/usr/bin/env bash\nset -euo pipefail\n\ncd \"$(dirname \"$0\")\"\ncolmena apply \"$@\"\n"
  },
  {
    "path": "build/common.nix",
    "content": "{\n  pkgs,\n  lib,\n  ...\n}:\n\n{\n  imports = [\n    ../modules/common.nix\n    ../modules/nftables.nix\n    ../modules/prometheus\n    ../modules/rasdaemon.nix\n  ];\n\n  nixpkgs.config.allowUnfree = true;\n\n  hardware.enableAllFirmware = true;\n  hardware.cpu.amd.updateMicrocode = true;\n  hardware.cpu.intel.updateMicrocode = true;\n\n  boot.kernel.sysctl = {\n    # reboot on kernel panic\n    \"kernel.panic\" = 60;\n    \"kernel.panic_on_oops\" = 1;\n  };\n\n  documentation.nixos.enable = false;\n\n  environment = {\n    enableDebugInfo = true;\n    systemPackages = with pkgs; [\n      # debugging\n      gdb\n      lsof\n      sqlite-interactive\n\n      # editors\n      helix\n      neovim\n\n      # utilities\n      ripgrep\n      fd\n\n      # system introspection\n      dmidecode\n      hdparm\n      htop\n      iotop\n      lm_sensors\n      nvme-cli\n      powerstat\n      smartmontools\n      sysstat\n      tcpdump\n      tmux\n    ];\n  };\n\n  services.openssh = {\n    enable = true;\n    authorizedKeysFiles = lib.mkForce [ \"/etc/ssh/authorized_keys.d/%u\" ];\n  };\n\n  nix.extraOptions = ''\n    allowed-impure-host-deps = /etc/protocols /etc/services /etc/nsswitch.conf\n    allowed-uris = https://github.com/ https://git.savannah.gnu.org/ github: https://releases.nixos.org/\n  '';\n\n  # we use networkd\n  networking.useDHCP = false;\n\n  services.resolved = {\n    enable = true;\n    fallbackDns = [\n      # https://docs.hetzner.com/de/dns-console/dns/general/recursive-name-servers/\n      \"185.12.64.1\"\n      \"185.12.64.2\"\n      \"2a01:4ff:ff00::add:1\"\n      \"2a01:4ff:ff00::add:2\"\n    ];\n  };\n\n  security.acme = {\n    acceptTerms = true;\n    defaults.email = \"infra@nixos.org\";\n  };\n\n  services.zfs.autoScrub.enable = true;\n}\n"
  },
  {
    "path": "build/datadog/hydra.nix",
    "content": "{ pkgs, ... }:\n{\n  systemd.services.dd-agent.environment.PYTHONPATH =\n    \"${pkgs.pythonPackages.requests}/lib/python2.7/site-packages\";\n  environment.etc =\n    let\n      hydra-config = pkgs.writeText \"hydra.yaml\" ''\n        init_config:\n\n        instances:\n          - check: 1\n      '';\n    in\n    [\n      {\n        source = hydra-config;\n        target = \"dd-agent/conf.d/hydra.yaml\";\n      }\n      {\n        source = ./hydra.py;\n        target = \"dd-agent/checks.d/hydra.py\";\n      }\n    ];\n}\n"
  },
  {
    "path": "build/datadog/hydra.py",
    "content": "import json\n\nimport requests\n\nimport checks\n\n\nclass HydraCheck(checks.AgentCheck):\n    def check(self, instance) -> None:\n        r = requests.get(\n            \"http://localhost:3000/status\", headers={\"Content-Type\": \"application/json\"}\n        )\n        self.gauge(\"hydra.active_buildsteps\", len(json.loads(r.text)))\n"
  },
  {
    "path": "build/flake-module.nix",
    "content": "{\n  inputs,\n  lib,\n  ...\n}:\nlet\n  flakesModule = {\n    imports = [\n      inputs.agenix.nixosModules.age\n      inputs.disko.nixosModules.disko\n    ];\n\n    nixpkgs.overlays = [\n      inputs.rfc39.overlays.default\n    ];\n  };\nin\n{\n  imports = [\n    ./colmena.nix\n  ];\n  colmena.hosts = {\n    haumea = { };\n    pluto = { };\n    mimas = { };\n    titan = { };\n  };\n\n  flake = {\n    nixosConfigurations.haumea = lib.nixosSystem {\n      system = \"x86_64-linux\";\n\n      specialArgs = { inherit inputs; };\n      modules = [\n        flakesModule\n        ./haumea\n      ];\n    };\n\n    nixosConfigurations.pluto = lib.nixosSystem {\n      system = \"x86_64-linux\";\n\n      specialArgs = { inherit inputs; };\n      modules = [\n        flakesModule\n        ./pluto\n      ];\n    };\n\n    nixosConfigurations.mimas = lib.nixosSystem {\n      system = \"x86_64-linux\";\n\n      specialArgs = { inherit inputs; };\n      modules = [\n        flakesModule\n        ./mimas\n      ];\n    };\n\n    nixosConfigurations.titan = lib.nixosSystem {\n      system = \"x86_64-linux\";\n\n      specialArgs = { inherit inputs; };\n      modules = [\n        flakesModule\n        ./titan\n      ];\n    };\n  };\n\n  perSystem =\n    { pkgs, inputs', ... }:\n    {\n      devShells.build = pkgs.mkShell {\n        buildInputs = [\n          inputs'.agenix.packages.agenix\n          inputs'.colmena.packages.colmena\n        ];\n      };\n    };\n}\n"
  },
  {
    "path": "build/haumea/boot.nix",
    "content": "{\n  boot.loader.grub = {\n    devices = [\n      \"/dev/nvme0n1\"\n      \"/dev/nvme1n1\"\n    ];\n    copyKernels = true;\n    configurationLimit = 5; # 230 MB /boot capacity\n  };\n  boot.initrd.availableKernelModules = [\n    \"ahci\"\n    \"nvme\"\n    \"usbhid\"\n  ];\n  boot.kernelModules = [ \"kvm-amd\" ];\n}\n"
  },
  {
    "path": "build/haumea/default.nix",
    "content": "{\n  lib,\n  modulesPath,\n  pkgs,\n  ...\n}:\n\n{\n  imports = [\n    \"${modulesPath}/installer/scan/not-detected.nix\"\n    ../common.nix\n    ./boot.nix\n    ./network.nix\n    ./postgresql.nix\n  ];\n\n  networking = {\n    hostId = \"83c81a23\";\n    hostName = \"haumea\";\n    domain = \"nixos.org\";\n  };\n\n  environment.systemPackages = [ pkgs.lz4 ];\n\n  fileSystems.\"/\" = {\n    device = \"rpool/safe/root\";\n    fsType = \"zfs\";\n  };\n\n  fileSystems.\"/boot\" = {\n    device = \"/dev/disk/by-label/boot0\";\n    fsType = \"ext4\";\n  };\n\n  fileSystems.\"/nix\" = {\n    device = \"rpool/local/nix\";\n    fsType = \"zfs\";\n  };\n\n  fileSystems.\"/var/db/postgresql\" = {\n    device = \"rpool/safe/postgres\";\n    fsType = \"zfs\";\n  };\n\n  services.zfs.autoScrub.enable = true;\n\n  nix.settings.max-jobs = lib.mkDefault 16;\n\n  powerManagement.cpuFreqGovernor = lib.mkDefault \"ondemand\";\n\n  system.stateVersion = \"14.12\";\n\n  users.users.root.openssh.authorizedKeys.keys =\n    with (import ../../ssh-keys.nix);\n    infra # maybe this isn't needed to add (again)?\n    ++ [\n      brianmcgee # experiments with the old Hydra's DB\n    ];\n}\n"
  },
  {
    "path": "build/haumea/network.nix",
    "content": "{\n  systemd.network = {\n    enable = true;\n    networks = {\n      \"30-enp35s0\" = {\n        matchConfig = {\n          MACAddress = \"a8:a1:59:04:71:f5\";\n          Type = \"ether\";\n        };\n        address = [\n          \"46.4.89.205/27\"\n          \"2a01:4f8:212:41c9::1/64\"\n        ];\n        routes = [\n          { Gateway = \"46.4.89.193\"; }\n          { Gateway = \"fe80::1\"; }\n        ];\n        vlan = [\n          \"vlan4000\"\n        ];\n        networkConfig.Description = \"WAN\";\n        linkConfig.RequiredForOnline = true;\n      };\n    };\n  };\n}\n"
  },
  {
    "path": "build/haumea/postgresql.nix",
    "content": "{\n  config,\n  pkgs,\n  ...\n}:\n\n{\n  services.prometheus.exporters.postgres = {\n    enable = true;\n    dataSourceName = \"user=root database=hydra host=/run/postgresql sslmode=disable\";\n    openFirewall = true;\n    firewallRules = ''\n      ip6 saddr $prometheus_inet6 tcp dport ${toString config.services.prometheus.exporters.postgres.port} accept\n      ip saddr $prometheus_inet4 tcp dport ${toString config.services.prometheus.exporters.postgres.port} accept\n    '';\n  };\n\n  services.postgresql = {\n    enable = true;\n    enableJIT = true;\n    package = pkgs.postgresql_16;\n    dataDir = \"/var/db/postgresql/16\";\n    # https://pgtune.leopard.in.ua/#/\n    settings = {\n      # https://vadosware.io/post/everything-ive-seen-on-optimizing-postgres-on-zfs-on-linux/#zfs-related-tunables-on-the-postgres-side\n      full_page_writes = \"off\";\n\n      checkpoint_completion_target = \"0.9\";\n      default_statistics_target = 100;\n\n      log_duration = \"off\";\n      log_statement = \"none\";\n\n      # pgbadger-compatible logging\n      log_transaction_sample_rate = 0.01;\n      log_min_duration_statement = 5000;\n      log_checkpoints = \"on\";\n      log_connections = \"on\";\n      log_disconnections = \"on\";\n      log_lock_waits = \"on\";\n      log_temp_files = 0;\n      log_autovacuum_min_duration = 0;\n      log_line_prefix = \"user=%u,db=%d,app=%a,client=%h \";\n\n      max_connections = 500;\n      work_mem = \"20MB\";\n      maintenance_work_mem = \"2GB\";\n\n      # 25% of memory\n      shared_buffers = \"16GB\";\n\n      # Checkpoint every 1GB. 
(default)\n      # increased after seeing many warnings about frequent checkpoints\n      min_wal_size = \"1GB\";\n      max_wal_size = \"2GB\";\n      wal_buffers = \"16MB\";\n\n      max_worker_processes = 16;\n      max_parallel_workers_per_gather = 8;\n      max_parallel_workers = 16;\n\n      # NVMe-related performance tuning\n      effective_io_concurrency = 200;\n      random_page_cost = \"1.1\";\n\n      # We can risk losing some transactions.\n      synchronous_commit = \"off\";\n\n      effective_cache_size = \"16GB\";\n\n      # Enable JIT compilation if possible.\n      jit = \"on\";\n\n      # autovacuum and autoanalyze much more frequently:\n      # at these values vacuum should run approximately\n      # every 2 mass rebuilds, or a couple times a day\n      # on the builds table. Some of those queries really\n      # benefit from frequent vacuums, so this should\n      # help. In particular, I'm thinking the jobsets\n      # pages.\n      autovacuum_vacuum_scale_factor = 0.02;\n      autovacuum_analyze_scale_factor = 0.01;\n\n      shared_preload_libraries = \"pg_stat_statements\";\n      compute_query_id = \"on\";\n    };\n\n    # FIXME: don't use 'trust'; it admits matching clients without any password check.\n    authentication = ''\n      host hydra all 10.0.40.0/32 trust\n      local all root peer map=prometheus\n    '';\n\n    identMap = ''\n      prometheus root root\n      prometheus postgres-exporter root\n    '';\n  };\n}\n"
  },
  {
    "path": "build/haumea/zrepl.yml",
    "content": "# root@zh4461b.rsync.net:/usr/local/etc/zrepl/zrepl.yml\n# zrepl main configuration file.\n# For documentation, refer to https://zrepl.github.io/\n#\nglobal:\n  logging:\n    - type: \"stdout\"\n      level: \"error\"\n      format: \"human\"\n    - type: \"syslog\"\n      level: \"info\"\n      format: \"logfmt\"\n\n# mostly from https://blog.lenny.ninja/zrepl-on-rsync-net.html\njobs:\n  - name: sink\n    type: sink\n    serve:\n      type: stdinserver\n      client_identities: [haumea]\n    recv:\n      placeholder:\n        encryption: off\n    root_fs: \"data1\"\n"
  },
  {
    "path": "build/hydra-proxy.nix",
    "content": "{\n  config,\n  pkgs,\n  ...\n}:\n\n{\n  networking.firewall.allowedTCPPorts = [\n    80\n    443\n  ];\n\n  services.anubis.instances.\"hydra-server\" = {\n    settings = {\n      TARGET = \"http://127.0.0.1:3000\";\n      BIND = \":3001\";\n      BIND_NETWORK = \"tcp\";\n      METRICS_BIND = \":9001\";\n      METRICS_BIND_NETWORK = \"tcp\";\n    };\n  };\n\n  networking.firewall.extraInputRules = ''\n    ip6 saddr $prometheus_inet6 tcp dport 9001 accept\n    ip saddr $prometheus_inet4 tcp dport 9001 accept\n  '';\n\n  services.nginx = {\n    enable = true;\n    enableReload = true;\n\n    recommendedBrotliSettings = true;\n    recommendedGzipSettings = true;\n    recommendedOptimisation = true;\n    recommendedProxySettings = true;\n    recommendedTlsSettings = true;\n\n    proxyTimeout = \"900s\";\n\n    appendConfig = ''\n      worker_processes auto;\n    '';\n\n    appendHttpConfig = ''\n      map $request_uri $backend {\n        default anubis;\n\n        # downloads (e.g. 
distrobuilder for lxc/incus images)\n        ~^/build/\\d+/download/ hydra-server;\n        ~^/build/\\d+/download-by-type/ hydra-server;\n        ~^/job/[^/]+/[^/]+/[^/]+/latest/download/ hydra-server;\n        ~^/job/[^/]+/[^/]+/[^/]+/latest/download-by-type/file/ hydra-server;\n      }\n\n      limit_req_zone $binary_remote_addr zone=hydra-server:8m rate=2r/s;\n      limit_req_status 429;\n    '';\n\n    eventsConfig = ''\n      worker_connections 1024;\n    '';\n\n    upstreams = {\n      anubis.servers.\"127.0.0.1:3001\" = { };\n      hydra-server.servers.\"127.0.0.1:3000\" = { };\n    };\n\n    virtualHosts.\"hydra.nixos.org\" = {\n      forceSSL = true;\n      enableACME = true;\n\n      extraConfig = ''\n        error_page 403 /403.html;\n        error_page 502 /502.html;\n        error_page 503 /503.html;\n        location ~ /(403|502|503).html {\n          root ${./nginx-error-pages};\n          internal;\n        }\n      '';\n\n      # Ask robots not to scrape hydra, it has various expensive endpoints\n      locations.\"=/robots.txt\".alias = pkgs.writeText \"hydra.nixos.org-robots.txt\" ''\n        User-agent: *\n        Disallow: /\n        Allow: /$\n      '';\n\n      locations.\"~ ^/job/[^/]+/[^/]+/metrics/metric/\" = {\n        proxyPass = \"http://hydra-server\";\n      };\n\n      locations.\"/\" = {\n        proxyPass = \"http://$backend\";\n        extraConfig = ''\n          limit_req zone=hydra-server burst=7;\n        '';\n      };\n\n      locations.\"/static/\" = {\n        alias = \"${config.services.hydra-dev.package}/libexec/hydra/root/static/\";\n      };\n    };\n  };\n}\n"
  },
  {
    "path": "build/hydra.nix",
    "content": "{\n  config,\n  lib,\n  pkgs,\n  inputs,\n  ...\n}:\n\nlet\n  narCache = \"/var/cache/hydra/nar-cache\";\nin\n\n{\n  imports = [\n    inputs.hydra.nixosModules.hydra\n  ];\n\n  # queue-runner and hydra-notify metrics\n  networking.firewall.extraInputRules = ''\n    ip6 saddr $prometheus_inet6 tcp dport { 9198, 9199 } accept\n    ip saddr $prometheus_inet4 tcp dport { 9198, 9199 } accept\n  '';\n\n  nix.package = config.services.hydra-dev.package.nix;\n\n  # garbage collection\n  nix.gc = {\n    automatic = true;\n    options = ''--max-freed \"$((400 * 1024**3 - 1024 * $(df -P -k /nix/store | tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))\"'';\n    dates = \"03,09,15,21:15\";\n  };\n\n  # gc outputs as well, since they are served from the cache\n  nix.settings.keep-outputs = lib.mkForce false;\n\n  systemd.services.hydra-prune-build-logs = {\n    description = \"Clean up old build logs\";\n    startAt = \"weekly\";\n    serviceConfig = {\n      User = \"hydra-queue-runner\";\n      Group = \"hydra\";\n      ExecStart = lib.concatStringsSep \" \" [\n        (lib.getExe pkgs.findutils)\n        \"/var/lib/hydra/build-logs/\"\n        \"-ignore_readdir_race\"\n        \"-type\"\n        \"f\"\n        \"-mtime\"\n        \"+213\" # days (~7 months, roughly one release cycle)\n        \"-delete\"\n      ];\n    };\n  };\n\n  # Don't rate-limit the journal.\n  services.journald.rateLimitBurst = 0;\n\n  age.secrets.hydra-aws-credentials = {\n    file = ./secrets/hydra-aws-credentials.age;\n    path = \"/var/lib/hydra/queue-runner/.aws/credentials\";\n    owner = \"hydra-queue-runner\";\n    group = \"hydra\";\n  };\n\n  age.secrets.hydra-github-client-secret = {\n    file = ./secrets/hydra-github-client-secret.age;\n    owner = \"hydra-www\";\n    group = \"hydra\";\n  };\n\n  services.hydra-dev.enable = true;\n  services.hydra-dev.buildMachinesFiles = [ \"/etc/nix/machines\" ];\n  services.hydra-dev.dbi = 
\"dbi:Pg:dbname=hydra;host=10.0.40.3;user=hydra;\";\n  services.hydra-dev.logo = ./hydra-logo.png;\n  services.hydra-dev.hydraURL = \"https://hydra.nixos.org\";\n  services.hydra-dev.notificationSender = \"edolstra@gmail.com\";\n  services.hydra-dev.smtpHost = \"localhost\";\n  services.hydra-dev.useSubstitutes = false;\n  services.hydra-dev.extraConfig = ''\n    max_servers 30\n\n    enable_google_login = 1\n    google_client_id = 816926039128-ia4s4rsqrq998rsevce7i09mo6a4nffg.apps.googleusercontent.com\n\n    github_client_id = b022c64ce4531ffc1031\n    github_client_secret_file = ${config.age.secrets.hydra-github-client-secret.path}\n\n    store_uri = s3://nix-cache?secret-key=/var/lib/hydra/queue-runner/keys/cache.nixos.org-1/secret&write-nar-listing=1&ls-compression=br&log-compression=br&index-debug-info=true\n    server_store_uri = https://cache.nixos.org?local-nar-cache=${narCache}\n    binary_cache_public_uri = https://cache.nixos.org\n\n    <Plugin::Session>\n      cache_size = 32m\n    </Plugin::Session>\n\n    # patchelf:master:3\n    xxx-jobset-repeats = nixos:reproducibility:1\n\n    upload_logs_to_binary_cache = true\n    compress_build_logs = false  # conflicts with upload_logs_to_binary_cache\n\n    log_prefix = https://cache.nixos.org/\n\n    evaluator_workers = 16\n    evaluator_max_memory_size = 8192\n\n    max_concurrent_evals = 1\n\n    # increase the number of active compress slots (CPU is 48*2 on mimas)\n    max_local_worker_threads = 144\n\n    max_unsupported_time = 86400\n\n    allow_import_from_derivation = false\n\n    max_output_size = 4294967295 # 4 GiB - 1 B\n    max_db_connections = 350\n\n    queue_runner_metrics_address = [::]:9198\n\n    <hydra_notify>\n      <prometheus>\n        listen_address = 0.0.0.0\n        port = 9199\n      </prometheus>\n    </hydra_notify>\n  '';\n\n  systemd.tmpfiles.rules = [\n    \"d /var/cache/hydra 0755 hydra hydra -  -\"\n    \"d ${narCache}      0775 hydra hydra 1d -\"\n  ];\n\n  # wait for the 
network before starting hydra, since we require a network\n  # connection to the remote postgresql database\n  systemd.services.hydra-init = {\n    wants = [\n      \"network-online.target\"\n    ];\n    after = [\n      \"network-online.target\"\n    ];\n  };\n\n  # eats memory as if it was free\n  systemd.services.hydra-notify.enable = false;\n\n  systemd.services.hydra-queue-runner = {\n    # restarting the scheduler is very expensive\n    restartIfChanged = false;\n    serviceConfig = {\n      ManagedOOMPreference = \"avoid\";\n      LimitNOFILE = 65535;\n    };\n  };\n\n  programs.ssh.hostKeyAlgorithms = [\n    \"rsa-sha2-512-cert-v01@openssh.com\"\n    \"ssh-ed25519\"\n    \"ssh-rsa\"\n    \"ecdsa-sha2-nistp256\"\n  ];\n  programs.ssh.extraConfig = lib.mkAfter ''\n    ServerAliveInterval 120\n    TCPKeepAlive yes\n  '';\n\n  # These IPs and SSH public keys are specifically provisioned for Hydra\n  services.openssh.knownHosts = {\n    # x86_64-linux at Hetzner\n    \"elated-minsky.builder.nixos.org\".publicKey =\n      \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIvrJpd3aynfPVGGG/s7MtRFz/S6M4dtqvqKI3Da7O7+\";\n    \"sleepy-brown.builder.nixos.org\".publicKey =\n      \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOh4/3m7o6H3J5QG711aJdlSUVvlC8yW6KoqAES3Fy6I\";\n    # aarch64-linux at Hetzner\n    \"goofy-hopcroft.builder.nixos.org\".publicKey =\n      \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICTJEi+nQNd7hzNYN3cLBK/0JCkmwmyC1I+b5nMI7+dd\";\n    \"hopeful-rivest.builder.nixos.org\".publicKey =\n      \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBgjwpQaNAWdEdnk1YG7JWThM4xQdKNJ3h3arhF7+iFm\";\n\n    # M1 Macs at Hetzner\n    \"intense-heron.mac.nixos.org\".publicKey =\n      \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICeSgOe/cr1yVAJOl30t3AZOLtvzeQa5rnrHGceKeBue\";\n    \"sweeping-filly.mac.nixos.org\".publicKey =\n      \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE6b/coXQEcFZW1eG4zFyCMCF0mZFahqmadz6Gk9DWMF\";\n    \"maximum-snail.mac.nixos.org\".publicKey =\n      \"ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIEs+fK4hH8UKo+Pa7u1VYltkMufBHHH5uC93RQ2S6Xy9\";\n    \"growing-jennet.mac.nixos.org\".publicKey =\n      \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAQGthkSSOnhxrIUCMlRQz8FOo5Y5Nk9f9WnVLNeRJpm\";\n    \"enormous-catfish.mac.nixos.org\".publicKey =\n      \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMlg7NXxeG5L3s0YqSQIsqVG0MTyvyWDHUyYEfFPazLe\";\n\n    # M1 Macs at Flying Circus\n    \"norwegian-blue.mac.nixos.org\".publicKey =\n      \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQ6Cjvoq5VBYfXl6ZV/ijQ1q4UxbWRYYfkXe0rzmJjf\";\n\n    # M2 Macs at Oakhost\n    \"kind-lumiere.mac.nixos.org\".publicKey =\n      \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFoqn1AAcOqtG65milpBtWVXP5VcBmTUSMGNfJzPwW8Q\";\n    \"eager-heisenberg.mac.nixos.org\".publicKey =\n      \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBp9NStfEPu7HdeK8f2KEnynyirjG9BUk+6w2SgJtQyS\";\n\n    # vcunat\n    \"t2a.cunat.cz\".publicKey =\n      \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIu3itg4hn5e4KrnyoreAUN3RIbAcvqc7yWx5i6EWqAu\";\n    \"t4b.cunat.cz\".publicKey =\n      \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/jE8c0lkc/DlK3R7A+zBr6j/lfEQrhqSD/YOEVs8za\";\n  };\n\n}\n"
  },
  {
    "path": "build/id_buildfarm.pub",
    "content": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyM48VC5fpjJssLI8uolFscP4/iEoMHfkPoT9R3iE3OEjadmwa1XCAiXUoa7HSshw79SgPKF2KbGBPEVCascdAcErZKGHeHUzxj7v3IsNjObouUOBbJfpN4DR7RQT28PZRsh3TvTWjWnA9vIrSY/BvAK1uezFRuObvatqAPMrw4c0DK+JuGuCNkKDGHLXNSxYBc5Pmr1oSU7/BDiHVjjyLIsAMIc20+q8SjWswKqL1mY193mN7FpUMBtZrd0Za9fMFRII9AofEIDTOayvOZM6+/1dwRWZXM6jhE6kaPPF++yromHvDPBnd6FfwODKLvSF9BkA3pO5CqrD8zs7ETmrV hydra-queue-runner@chef"
  },
  {
    "path": "build/mimas/boot.nix",
    "content": "{\n  boot = {\n    initrd.availableKernelModules = [\n      \"ahci\"\n      \"xhci_pci\"\n      \"nvme\"\n      \"usbhid\"\n    ];\n    supportedFilesystems.zfs = true;\n    loader = {\n      efi.canTouchEfiVariables = false;\n      grub = {\n        enable = true;\n        configurationLimit = 10;\n        efiSupport = true;\n        efiInstallAsRemovable = true;\n        mirroredBoots = [\n          {\n            devices = [ \"nodev\" ];\n            path = \"/efi/a\";\n          }\n          {\n            devices = [ \"nodev\" ];\n            path = \"/efi/b\";\n          }\n        ];\n      };\n    };\n  };\n}\n"
  },
  {
    "path": "build/mimas/default.nix",
    "content": "{\n  imports = [\n    ../common.nix\n    ../hydra.nix\n    ../hydra-proxy.nix\n    ./boot.nix\n    ./firewall.nix\n    ./network.nix\n  ];\n\n  disko.devices = import ./disko.nix;\n\n  networking = {\n    hostName = \"mimas\";\n    domain = \"nixos.org\";\n    hostId = \"aba92093\";\n  };\n\n  zramSwap = {\n    enable = true;\n    memoryPercent = 50;\n  };\n\n  nixpkgs.hostPlatform = \"x86_64-linux\";\n\n  system.stateVersion = \"24.11\";\n}\n"
  },
  {
    "path": "build/mimas/disko.nix",
    "content": "let\n  layout = id: {\n    type = \"gpt\";\n    partitions = {\n      esp = {\n        type = \"EF00\";\n        size = \"512M\";\n        content = {\n          type = \"filesystem\";\n          format = \"vfat\";\n          mountpoint = \"/efi/${id}\";\n        };\n      };\n      zfs = {\n        size = \"100%\";\n        content = {\n          type = \"zfs\";\n          pool = \"zroot\";\n        };\n      };\n    };\n  };\nin\n{\n  disk = {\n    nvme0n1 = {\n      type = \"disk\";\n      device = \"/dev/disk/by-id/nvme-SAMSUNG_MZQL21T9HCJR-00A07_S64GNNFX604905\";\n      content = layout \"a\";\n    };\n    nvme1n1 = {\n      type = \"disk\";\n      device = \"/dev/disk/by-id/nvme-SAMSUNG_MZQL21T9HCJR-00A07_S64GNNFX604919\";\n      content = layout \"b\";\n    };\n  };\n\n  zpool.zroot = {\n    type = \"zpool\";\n    mode = \"mirror\";\n    options.ashift = \"12\";\n\n    rootFsOptions = {\n      acltype = \"posixacl\";\n      atime = \"off\";\n      compression = \"on\";\n      mountpoint = \"none\";\n      xattr = \"sa\";\n    };\n\n    datasets = {\n      \"root\" = {\n        type = \"zfs_fs\";\n        mountpoint = \"/\";\n      };\n      \"nix/store\" = {\n        type = \"zfs_fs\";\n        mountpoint = \"/nix\";\n      };\n      \"nix/db\" = {\n        type = \"zfs_fs\";\n        mountpoint = \"/nix/var/nix/db\";\n      };\n      \"hydra/cache\" = {\n        type = \"zfs_fs\";\n        mountpoint = \"/var/cache/hydra\";\n      };\n      \"hydra/state\" = {\n        type = \"zfs_fs\";\n        mountpoint = \"/var/lib/hydra\";\n      };\n      \"reserved\" = {\n        type = \"zfs_fs\";\n        options = {\n          canmount = \"off\";\n          refreservation = \"16G\"; # roughly one system closure\n        };\n      };\n    };\n  };\n}\n"
  },
  {
    "path": "build/mimas/firewall.nix",
    "content": "{\n  pkgs,\n  lib,\n  inputs,\n  ...\n}:\n\nlet\n  blockedAutNums = [\n    45102 # ALIBABA-CN-NET\n    45899 # VNPT-AS-VN\n    132203 # TENCENT-NET-AP-CN\n  ];\nin\n\n{\n  networking.nftables = {\n    tables.\"abuse\" = {\n      family = \"inet\";\n      content = ''\n        set ipv4blocks {\n          type ipv4_addr;\n          flags interval;\n          auto-merge;\n        }\n        set ipv6blocks {\n          type ipv6_addr;\n          auto-merge;\n          flags interval;\n        }\n        chain input-abuse {\n          type filter hook input priority filter - 5;\n\n          ip saddr @ipv4blocks tcp dport 443 counter drop;\n          ip6 saddr @ipv6blocks tcp dport 443 counter drop;\n        }\n      '';\n    };\n  };\n\n  systemd.services.nft-prefix-import = {\n    wants = [ \"network-online.target\" ];\n    after = [ \"network-online.target\" ];\n    wantedBy = [ \"multi-user.target\" ];\n    path = with pkgs; [ nftables ];\n    environment.USER_AGENT = \"NixOS.org Infrastructure - infra@nixos.org\";\n    serviceConfig = {\n      Type = \"oneshot\";\n      AmbientCapabilities = [ \"CAP_NET_ADMIN\" ];\n      DynamicUser = true;\n      User = \"nft-asblock\";\n      Group = \"nft-asblock\";\n      ExecStart = toString (\n        [\n          (lib.getExe inputs.nft-prefix-import.packages.${pkgs.stdenv.hostPlatform.system}.default)\n          \"--table\"\n          \"abuse\"\n          \"--ipv4set\"\n          \"ipv4blocks\"\n          \"--ipv6set\"\n          \"ipv6blocks\"\n        ]\n        ++ blockedAutNums\n      );\n      RestrictAddressFamilies = [\n        \"AF_NETLINK\"\n        \"AF_INET\"\n        \"AF_INET6\"\n      ];\n      StateDirectory = \"nft-prefix-import\";\n      WorkingDirectory = \"/var/lib/nft-prefix-import\";\n    };\n  };\n\n  systemd.timers.nft-prefix-import = {\n    wantedBy = [ \"timers.target\" ];\n    timerConfig = {\n      OnCalendar = \"0/6:00\";\n      RandomizedDelaySec = 3600;\n    };\n  };\n}\n"
  },
  {
    "path": "build/mimas/network.nix",
    "content": "{\n  networking.useDHCP = false;\n\n  systemd.network = {\n    enable = true;\n    netdevs = {\n      \"20-vlan4000\" = {\n        netdevConfig = {\n          Kind = \"vlan\";\n          Name = \"vlan4000\";\n        };\n        vlanConfig.Id = 4000;\n      };\n    };\n    networks = {\n      \"30-enp5s0\" = {\n        matchConfig = {\n          MACAddress = \"9c:6b:00:70:d1:f8\";\n          Type = \"ether\";\n        };\n        linkConfig.RequiredForOnline = true;\n        networkConfig.Description = \"WAN\";\n        address = [\n          \"157.90.104.34/26\"\n          \"2a01:4f8:2220:11c8::1/64\"\n        ];\n        routes = [\n          { Gateway = \"157.90.104.1\"; }\n          { Gateway = \"fe80::1\"; }\n        ];\n        vlan = [\n          \"vlan4000\"\n        ];\n      };\n      \"30-vlan4000\" = {\n        matchConfig.Name = \"vlan4000\";\n        linkConfig = {\n          MTUBytes = \"1400\";\n          RequiredForOnline = \"routable\";\n        };\n        address = [\n          \"10.0.40.2/31\"\n        ];\n      };\n    };\n  };\n}\n"
  },
  {
    "path": "build/nginx-error-pages/403.html",
    "content": "<!DOCTYPE html>\n<html lang=\"en\">\n  <head>\n    <title>Error 403 - hydra.nixos.org</title>\n    <meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\n    <meta http-equiv=\"X-UA-Compatible\" content=\"IE=Edge\" />\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n    <link\n      rel=\"stylesheet\"\n      href=\"https://nixos.org/bootstrap/css/bootstrap.min.css\"\n    />\n    <link\n      rel=\"stylesheet\"\n      href=\"https://nixos.org/bootstrap/css/bootstrap-responsive.min.css\"\n    />\n    <style>\n      body {\n        padding-top: 0;\n        margin-top: 4em;\n        margin-bottom: 4em;\n      }\n      body > div {\n        max-width: 800px;\n        text-align: center;\n      }\n      h1 {\n        margin: 0 auto;\n        text-align: center;\n      }\n      p {\n        text-align: center;\n      }\n      ul {\n        display: inline-block;\n        text-align: left;\n      }\n    </style>\n  </head>\n  <body>\n    <div class=\"container jumbotron\">\n      <div class=\"jumbotron\">\n        <p class=\"lead\">\n          <a href=\"https://nixos.org/nixos\">\n            <img\n              src=\"https://brand.nixos.org/logos/nixos-logo-default-gradient-black-regular-horizontal-minimal.svg\"\n              width=\"500px\"\n              alt=\"logo\"\n            />\n          </a>\n        </p>\n\n        <h1>HTTP Error 403</h1>\n\n        <p class=\"lead\">Access to this resource has been denied!</p>\n        <p>\n          This could be caused by one of the following issues:\n        </p>\n        <ul>\n          <li>You are using an extension to spoof your user-agent</li>\n          <li>The browser you are running is out of date</li>\n        </ul>\n        <p>\n          Feel free to reach out, if you think this request was denied in error.\n        </p>\n      </div>\n      <hr>\n      <div class=\"help\">\n        <p>\n          You can check the following resources for 
further information:<br>\n          <a href=\"https://prometheus.nixos.org/alerts\">Alerts</a> |\n          <a href=\"https://grafana.nixos.org/\">Dashboards</a> |\n          <a href=\"https://github.com/NixOS/infra/issues\">Issues</a> |\n          <a href=\"https://matrix.to/#/#infra:nixos.org\">Chatroom</a>\n        </p>\n      </div>\n    </div>\n  </body>\n</html>\n"
  },
  {
    "path": "build/nginx-error-pages/502.html",
    "content": "<!DOCTYPE html>\n<html lang=\"en\">\n  <head>\n    <title>Error 502 - hydra.nixos.org</title>\n    <meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\n    <meta http-equiv=\"X-UA-Compatible\" content=\"IE=Edge\" />\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n    <link\n      rel=\"stylesheet\"\n      href=\"https://nixos.org/bootstrap/css/bootstrap.min.css\"\n    />\n    <link\n      rel=\"stylesheet\"\n      href=\"https://nixos.org/bootstrap/css/bootstrap-responsive.min.css\"\n    />\n    <style>\n      body {\n        padding-top: 0;\n        margin-top: 4em;\n        margin-bottom: 4em;\n      }\n      body > div {\n        max-width: 800px;\n      }\n      h1 {\n        margin: 0 auto;\n        text-align: center;\n      }\n      p {\n        text-align: center;\n      }\n    </style>\n  </head>\n  <body>\n    <div class=\"container jumbotron\">\n      <div class=\"jumbotron\">\n        <p class=\"lead\">\n          <a href=\"https://nixos.org/nixos\">\n            <img\n              src=\"https://brand.nixos.org/logos/nixos-logo-default-gradient-black-regular-horizontal-minimal.svg\"\n              width=\"500px\"\n              alt=\"logo\"\n            />\n          </a>\n        </p>\n\n        <h1>HTTP Error 502</h1>\n\n        <p class=\"lead\">This service is currently unavailable!</p>\n      </div>\n      <hr>\n      <div class=\"help\">\n        <p>\n          You can check the following resources for further informations:<br>\n          <a href=\"https://prometheus.nixos.org/alerts\">Alerts</a> |\n          <a href=\"https://grafana.nixos.org/\">Dashboards</a> |\n          <a href=\"https://github.com/NixOS/infra/issues\">Issues</a> |\n          <a href=\"https://matrix.to/#/#infra:nixos.org\">Chatroom</a>\n        </p>\n      </div>\n    </div>\n  </body>\n</html>\n"
  },
  {
    "path": "build/nginx-error-pages/503.html",
    "content": "<!DOCTYPE html>\n\n<html>\n  <head>\n    <meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\n    <title>Hydra is down</title>\n    <style type=\"text/css\" media=\"screen\">\n      body {\n        font-family: Helvetica, Arial, sans-serif;\n        color: rgba(0, 0, 0, 0.7);\n      }\n    </style>\n  </head>\n\n  <body>\n    <center>\n      <img src=\"/apache-errors/warning.png\" alt=\"Warning\" />\n      <p>Looks like Hydra is having some problems. Sorry about that!</p>\n      <p style=\"font-size: 90%\">\n        <a href=\"https://nixos.org/\">NixOS Homepage</a> |\n        <a href=\"https://monitoring.nixos.org/prometheus/alerts\"\n        >System Alerts</a> |\n        <a href=\"https://monitoring.nixos.org/grafana/\">Dashboards</a> |\n        <a href=\"https://github.com/NixOS/nixpkgs/labels/infrastructure\"\n        >Related Issues</a>\n      </p>\n    </center>\n  </body>\n</html>\n"
  },
  {
    "path": "build/pluto/boot.nix",
    "content": "{\n  boot = {\n    supportedFilesystems = [ \"zfs\" ];\n    loader = {\n      efi.canTouchEfiVariables = false;\n      grub = {\n        enable = true;\n        efiSupport = true;\n        efiInstallAsRemovable = true;\n        mirroredBoots = [\n          {\n            devices = [ \"nodev\" ];\n            path = \"/efi/a\";\n          }\n          {\n            devices = [ \"nodev\" ];\n            path = \"/efi/b\";\n          }\n        ];\n      };\n    };\n  };\n}\n"
  },
  {
    "path": "build/pluto/default.nix",
    "content": "{ config, ... }:\n\n{\n  imports = [\n    ../common.nix\n    ./boot.nix\n    ./disko.nix\n    ./network.nix\n\n    ./grafana.nix\n    ./nginx.nix\n    ./nixos-metrics.nix\n    ./prometheus\n\n    ../../modules/hydra-mirror.nix\n    ../../modules/rfc39.nix\n    ../../modules/tarball-mirror.nix\n  ];\n\n  networking = {\n    hostName = \"pluto\";\n    domain = \"nixos.org\";\n    hostId = \"e4c9bd10\";\n  };\n\n  age.secrets.pluto-backup-ssh-key.file = ../secrets/pluto-backup-ssh-key.age;\n  age.secrets.pluto-backup-secret.file = ../secrets/pluto-backup-secret.age;\n\n  services.backup = {\n    user = \"u391032-sub2\";\n    host = \"u391032.your-storagebox.de\";\n    hostPublicKey = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs\";\n    port = 23;\n    sshKey = config.age.secrets.pluto-backup-ssh-key.path;\n    secretPath = config.age.secrets.pluto-backup-secret.path;\n  };\n\n  nixpkgs.hostPlatform = \"x86_64-linux\";\n\n  system.stateVersion = \"23.11\";\n}\n"
  },
  {
    "path": "build/pluto/disko.nix",
    "content": "{\n  disko.devices = {\n    disk = {\n      nvme0n1 = {\n        type = \"disk\";\n        device = \"/dev/disk/by-id/nvme-SAMSUNG_MZVL2512HDJD-00B07_S782NE0W900172\";\n        content = {\n          type = \"gpt\";\n          partitions = {\n            esp = {\n              size = \"1G\";\n              type = \"EF00\";\n              content = {\n                type = \"filesystem\";\n                format = \"vfat\";\n                mountpoint = \"/efi/a\";\n              };\n            };\n            swap = {\n              size = \"16G\";\n              content = {\n                type = \"swap\";\n              };\n            };\n            zfs = {\n              size = \"100%\";\n              content = {\n                type = \"zfs\";\n                pool = \"zroot\";\n              };\n            };\n          };\n        };\n      };\n      nvme1n1 = {\n        type = \"disk\";\n        device = \"/dev/disk/by-id/nvme-SAMSUNG_MZVL2512HDJD-00B07_S782NF0YA37531\";\n        content = {\n          type = \"gpt\";\n          partitions = {\n            esp = {\n              size = \"1G\";\n              type = \"EF00\";\n              content = {\n                type = \"filesystem\";\n                format = \"vfat\";\n                mountpoint = \"/efi/b\";\n              };\n            };\n            swap = {\n              size = \"16G\";\n              content = {\n                type = \"swap\";\n              };\n            };\n            zfs = {\n              size = \"100%\";\n              content = {\n                type = \"zfs\";\n                pool = \"zroot\";\n              };\n            };\n          };\n        };\n      };\n    };\n    zpool = {\n      zroot = {\n        type = \"zpool\";\n        options = {\n          ashift = \"12\";\n          autotrim = \"on\";\n        };\n        mode = \"mirror\";\n        rootFsOptions = {\n          acltype = \"posixacl\";\n          compression = 
\"zstd\";\n          mountpoint = \"none\";\n        };\n\n        datasets = {\n          root = {\n            type = \"zfs_fs\";\n            mountpoint = \"/\";\n          };\n          \"root/prometheus\" = {\n            type = \"zfs_fs\";\n            mountpoint = \"/var/lib/prometheus2\";\n          };\n          \"root/victoriametrics\" = {\n            type = \"zfs_fs\";\n            mountpoint = \"/var/lib/victoriametrics\";\n          };\n        };\n      };\n    };\n  };\n}\n"
  },
  {
    "path": "build/pluto/grafana.nix",
    "content": "{\n  config,\n  ...\n}:\n{\n  services.backup.includes = [ \"/var/lib/grafana\" ];\n\n  age.secrets.\"grafana-secret-key\" = {\n    file = ../secrets/grafana-secret-key.age;\n    owner = \"grafana\";\n  };\n\n  services.grafana = {\n    enable = true;\n    settings = {\n      \"auth.anonymous\".enabled = true;\n      users = {\n        allow_sign_up = true;\n        viewers_can_edit = true;\n      };\n      server = {\n        domain = \"grafana.nixos.org\";\n        root_url = \"https://grafana.nixos.org\";\n        protocol = \"socket\";\n      };\n      security.secret_key = \"$__file{${config.age.secrets.grafana-secret-key.path}}\";\n    };\n  };\n\n  systemd.services.nginx.serviceConfig.SupplementaryGroups = [ \"grafana\" ];\n}\n"
  },
  {
    "path": "build/pluto/network.nix",
    "content": "{\n  systemd.network = {\n    enable = true;\n    networks = {\n      \"30-enp5s0\" = {\n        matchConfig = {\n          MACAddress = \"c8:7f:54:67:bd:31\";\n          Type = \"ether\";\n        };\n        linkConfig.RequiredForOnline = true;\n        networkConfig.Description = \"WAN\";\n        address = [\n          \"37.27.99.100/26\"\n          \"2a01:4f9:3070:15e0::1/64\"\n        ];\n        routes = [\n          { Gateway = \"37.27.99.65\"; }\n          { Gateway = \"fe80::1\"; }\n        ];\n      };\n    };\n  };\n}\n"
  },
  {
    "path": "build/pluto/nginx.nix",
    "content": "{ config, ... }:\n\n{\n  networking.firewall.allowedTCPPorts = [\n    80\n    443\n  ];\n\n  services.nginx = {\n    enable = true;\n    recommendedProxySettings = true;\n\n    eventsConfig = ''\n      worker_connections 4096;\n    '';\n\n    virtualHosts.\"monitoring.nixos.org\" = {\n      enableACME = true;\n      forceSSL = true;\n      default = true;\n      locations.\"/\".return = \"302 https://status.nixos.org\";\n      locations.\"~ ^/prometheus/?(?<action>[^\\\\s]+)\" = {\n        return = \"301 https://prometheus.nixos.org/$action$is_args$args\";\n        # TODO: Remove after https://github.com/NixOS/nixos-status/pull/21\n        extraConfig = ''\n          add_header Access-Control-Allow-Origin \"*\" always;\n        '';\n      };\n      locations.\"~ ^/grafana/?(?<action>[^\\\\s]+)\".return =\n        \"301 https://grafana.nixos.org/$action$is_args$args\";\n    };\n\n    virtualHosts.\"prometheus.nixos.org\" = {\n      enableACME = true;\n      forceSSL = true;\n      locations.\"/\" = {\n        proxyPass = \"http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}\";\n      };\n    };\n\n    virtualHosts.\"grafana.nixos.org\" = {\n      enableACME = true;\n      forceSSL = true;\n      locations.\"/\" = {\n        proxyPass = \"http://unix:${config.services.grafana.settings.server.socket}\";\n        proxyWebsockets = true;\n      };\n    };\n  };\n}\n"
  },
  {
    "path": "build/pluto/nixos-metrics.nix",
    "content": "{ config, pkgs, ... }:\n\n{\n  systemd.services.pull-nixos-metrics = {\n    description = \"Pull nixos metrics from github:NixOS/nixos-metrics and push to local VictoriaMetrics\";\n    script =\n      let\n        inherit (config.services.victoriametrics) listenAddress;\n        importURL = \"http://localhost${listenAddress}/api/v1/import\";\n        resetURL = \"http://localhost${listenAddress}/internal/resetRollupResultCache\";\n        dataURL = \"https://raw.githubusercontent.com/NixOS/nixos-metrics/data/victoriametrics.jsonl\";\n        curl = \"${pkgs.curl}/bin/curl\";\n      in\n      ''\n        ${curl} ${dataURL} | ${curl} -X POST --data-binary @- ${importURL}\n        ${curl} -G ${resetURL}\n      '';\n    serviceConfig = {\n      Type = \"oneshot\";\n      User = \"nobody\";\n    };\n  };\n\n  systemd.timers.pull-nixos-metrics = {\n    description = \"Pull nixos metrics, timed for after they're done updating each day.\";\n    wantedBy = [ \"timers.target\" ];\n    timerConfig.OnCalendar = \"12:00:00\";\n  };\n\n  services.backup.includesZfsDatasets = [ \"/var/lib/victoriametrics\" ];\n\n  services.victoriametrics = {\n    enable = true;\n    retentionPeriod = \"1200w\"; # 100 years\n  };\n}\n"
  },
  {
    "path": "build/pluto/prometheus/alertmanager.nix",
    "content": "{ config, ... }:\n\n{\n  services.prometheus = {\n    alertmanagers = [\n      {\n        scheme = \"http\";\n        static_configs = [\n          { targets = [ \"localhost:${toString config.services.prometheus.alertmanager.port}\" ]; }\n        ];\n      }\n    ];\n\n    alertmanager = {\n      enable = true;\n\n      # Allow alertmanager to start even if it doesn't find an RFC1918 IP on\n      # the machine's network interfaces.\n      extraFlags = [ \"--cluster.listen-address=''\" ];\n\n      webExternalUrl = \"http://alerts.nixos.org\";\n      configuration = {\n        global = { };\n        route = {\n          receiver = \"ignore\";\n          group_wait = \"30s\";\n          group_interval = \"5m\";\n          repeat_interval = \"24h\";\n          group_by = [ \"alertname\" ];\n\n          routes = [\n            {\n              receiver = \"go-neb\";\n              group_wait = \"30s\";\n              match.severity = \"warning\";\n            }\n          ];\n        };\n        receivers = [\n          {\n            # with no *_config, this will drop all alerts directed to it\n            name = \"ignore\";\n          }\n          {\n            name = \"go-neb\";\n            webhook_configs = [\n              {\n                url = \"${config.services.go-neb.baseUrl}:4050/services/hooks/YWxlcnRtYW5hZ2VyX3NlcnZpY2U\";\n                send_resolved = true;\n              }\n            ];\n          }\n        ];\n      };\n    };\n  };\n\n  services.nginx.virtualHosts.\"alerts.nixos.org\" = {\n    enableACME = true;\n    forceSSL = true;\n\n    locations.\"/\" = {\n      proxyPass = \"http://localhost:9093\";\n    };\n  };\n\n  age.secrets.\"alertmanager-oauth2-proxy-env\".file = ../../secrets/alertmanager-oauth2-proxy-env.age;\n\n  services.oauth2-proxy = {\n    enable = true;\n\n    # oidc provider\n    provider = \"github\";\n    clientID = \"Ov23liDt1q76okEJpVVE\";\n    keyFile = 
config.age.secrets.\"alertmanager-oauth2-proxy-env\".path;\n\n    # filter criteria\n    email.domains = [ \"*\" ];\n    github = {\n      org = \"NixOS\";\n      team = \"infra\";\n    };\n\n    # protected domains\n    nginx = {\n      domain = \"alerts.nixos.org\";\n      virtualHosts.\"alerts.nixos.org\" = { };\n    };\n  };\n\n  age.secrets.alertmanager-matrix-forwarder = {\n    file = ../../secrets/alertmanager-matrix-forwarder.age;\n    owner = config.systemd.services.go-neb.serviceConfig.User;\n  };\n\n  # Create user so that we can set the ownership of the key to\n  # it. DynamicUser will not take full effect as a result of this.\n  users.users.go-neb = {\n    isSystemUser = true;\n    group = \"go-neb\";\n  };\n  users.groups.go-neb = { };\n\n  systemd.services.go-neb.serviceConfig.SupplementaryGroups = [ \"keys\" ];\n\n  nixpkgs.config.permittedInsecurePackages = [ \"olm-3.2.16\" ];\n\n  services.go-neb = {\n    enable = true;\n    bindAddress = \"localhost:4050\";\n    baseUrl = \"http://localhost\";\n    secretFile = config.age.secrets.alertmanager-matrix-forwarder.path;\n    config = {\n      clients = [\n        {\n          UserId = \"@bot:nixos.org\";\n          AccessToken = \"$CHANGEME\";\n          HomeServerUrl = \"https://matrix.nixos.org\";\n          Sync = true;\n          AutoJoinRooms = true;\n          DisplayName = \"Bot\";\n        }\n      ];\n      services = [\n        {\n          ID = \"alertmanager_service\";\n          Type = \"alertmanager\";\n          UserId = \"@bot:nixos.org\";\n          Config = {\n            webhook_url = \"http://localhost:4050/services/hooks/YWxlcnRtYW5hZ2VyX3NlcnZpY2U\";\n            rooms = {\n              # infra-alerts:nixos.org\n              \"!QLQqibtFaVtDgurUAE:nixos.org\" = {\n                text_template = ''\n                  {{range .Alerts -}} [{{ .Status }}] {{index .Labels \"alertname\" }}: {{index .Annotations \"description\"}} {{ end -}}\n                '';\n\n                # 
$$severity otherwise envsubst replaces $severity with an empty string\n                html_template = ''\n                  {{range .Alerts -}}\n                    {{ $$severity := index .Labels \"severity\" }}\n                    {{ if eq .Status \"firing\" }}\n                      {{ if eq $$severity \"critical\"}}\n                        <font color='red'><b>[FIRING - CRITICAL]</b></font>\n                      {{ else if eq $$severity \"warning\"}}\n                        <font color='orange'><b>[FIRING - WARNING]</b></font>\n                      {{ else }}\n                        <b>[FIRING - {{ $$severity }}]</b>\n                      {{ end }}\n                    {{ else }}\n                      <font color='green'><b>[RESOLVED]</b></font>\n                    {{ end }}\n                    {{ index .Labels \"alertname\"}}: {{ index .Annotations \"summary\"}}\n                    (\n                      {{ if .Annotations.grafana }}\n                        <a href=\"{{ index .Annotations \"grafana\" }}\">📈 Grafana</a>,\n                      {{ end }}\n                      <a href=\"{{ .GeneratorURL }}\">🔥 Prometheus</a>,\n                      <a href=\"{{ .SilenceURL }}\">🔕 Silence</a>\n                    )<br/>\n                  {{end -}}'';\n                msg_type = \"m.text\"; # Must be either `m.text` or `m.notice`\n              };\n            };\n          };\n        }\n      ];\n    };\n  };\n}\n"
  },
  {
    "path": "build/pluto/prometheus/default.nix",
    "content": "{ pkgs, ... }:\n\n{\n  imports = [\n    ./alertmanager.nix\n    ./exporters/anubis.nix\n    ./exporters/blackbox.nix\n    ./exporters/channel.nix\n    ./exporters/domain.nix\n    ./exporters/fastly.nix\n    ./exporters/github.nix\n    ./exporters/hydra.nix\n    ./exporters/json.nix\n    ./exporters/matrix-synapse.nix\n    ./exporters/nixos.nix\n    ./exporters/node.nix\n    ./exporters/owncast.nix\n    ./exporters/postgresql.nix\n    ./exporters/rasdaemon.nix\n    ./exporters/storagebox.nix\n    ./exporters/sql.nix\n    ./exporters/up.nix\n    ./exporters/zfs.nix\n    ./exporters/zrepl.nix\n  ];\n\n  services.backup.includesZfsDatasets = [ \"/var/lib/prometheus2\" ];\n\n  services.prometheus = {\n    enable = true;\n    extraFlags = [\n      \"--storage.tsdb.retention.time=${toString (720 * 24)}h\"\n      \"--web.external-url=https://prometheus.nixos.org/\"\n    ];\n    globalConfig.scrape_interval = \"15s\";\n\n    ruleFiles = [\n      (pkgs.writeText \"up.rules\" (\n        builtins.toJSON {\n          groups = [\n            {\n              name = \"up\";\n              rules = [\n                {\n                  alert = \"NotUp\";\n                  expr = ''\n                    up == 0\n                  '';\n                  for = \"10m\";\n                  labels.severity = \"warning\";\n                  annotations.summary = \"scrape job {{ $labels.job }} is failing on {{ $labels.instance }}\";\n                }\n              ];\n            }\n          ];\n        }\n      ))\n    ];\n  };\n}\n"
  },
  {
    "path": "build/pluto/prometheus/exporters/anubis.nix",
    "content": "{\n  services.prometheus = {\n    scrapeConfigs = [\n      {\n        job_name = \"anubis\";\n        static_configs = [\n          {\n            targets = [\n              \"hydra.nixos.org:9001\"\n            ];\n          }\n        ];\n      }\n    ];\n  };\n}\n"
  },
  {
    "path": "build/pluto/prometheus/exporters/blackbox.nix",
    "content": "{ config, pkgs, ... }:\n\nlet\n  mkStaticProbe =\n    {\n      module,\n      targets,\n      job_suffix ? \"\",\n    }:\n    {\n      job_name = \"blackbox-${module}${job_suffix}\";\n      metrics_path = \"/probe\";\n      params = {\n        module = [ module ];\n      };\n      static_configs = [ { inherit targets; } ];\n      relabel_configs = [\n        {\n          source_labels = [ \"__address__\" ];\n          target_label = \"__param_target\";\n        }\n        {\n          source_labels = [ \"__param_target\" ];\n          target_label = \"instance\";\n        }\n        {\n          target_label = \"__address__\";\n          replacement = \"localhost:${toString config.services.prometheus.exporters.blackbox.port}\";\n        }\n      ];\n    };\n\n  mkDnsSdProbe = module: dns_sd_config: {\n    job_name = \"blackbox-${module}\";\n    metrics_path = \"/probe\";\n    params = {\n      module = [ module ];\n    };\n    dns_sd_configs = [\n      dns_sd_config\n    ];\n    relabel_configs = [\n      {\n        source_labels = [ \"__address__\" ];\n        target_label = \"__param_target\";\n      }\n      {\n        source_labels = [ \"__address__\" ];\n        target_label = \"host\";\n      }\n      {\n        source_labels = [ \"__meta_dns_name\" ];\n        target_label = \"instance\";\n      }\n      {\n        target_label = \"__address__\";\n        replacement = \"localhost:${toString config.services.prometheus.exporters.blackbox.port}\";\n      }\n    ];\n  };\nin\n{\n  services.prometheus = {\n    exporters.blackbox = {\n      enable = true;\n      listenAddress = \"127.0.0.1\";\n      configFile = pkgs.writeText \"probes.yml\" (\n        builtins.toJSON {\n          modules.https_success = {\n            prober = \"http\";\n            tcp.tls = true;\n            http.headers.User-Agent = \"blackbox-exporter\";\n          };\n\n          # From 
https://github.com/prometheus/blackbox_exporter/blob/53e78c2b3535ecedfd072327885eeba2e9e51ea2/example.yml#L120-L133\n          modules.smtp_starttls = {\n            prober = \"tcp\";\n            timeout = \"10s\";\n            tcp = {\n              query_response = [\n                { expect = \"^220\"; }\n                { send = \"EHLO prober\\r\"; }\n                { expect = \"^250-STARTTLS\"; }\n                { send = \"STARTTLS\\r\"; }\n                { expect = \"^220\"; }\n                { starttls = true; }\n                { send = \"EHLO prober\\r\"; }\n                { expect = \"^250-AUTH\"; }\n                { send = \"QUIT\\r\"; }\n              ];\n            };\n          };\n        }\n      );\n    };\n\n    scrapeConfigs = [\n      (mkStaticProbe {\n        module = \"https_success\";\n        targets = [\n          \"https://cache.nixos.org\"\n          \"https://channels.nixos.org\"\n          \"https://common-styles.nixos.org\"\n          \"https://discourse.nixos.org\"\n          \"https://hydra.nixos.org\"\n          \"https://mobile.nixos.org\"\n          \"https://monitoring.nixos.org\"\n          \"https://nixos.org\"\n          \"https://planet.nixos.org\"\n          \"https://releases.nixos.org\"\n          \"https://status.nixos.org\"\n          \"https://survey.nixos.org\"\n          \"https://tarballs.nixos.org\"\n          \"https://weekly.nixos.org\"\n          \"https://wiki.nixos.org\"\n          \"https://www.nixos.org\"\n          \"https://tracker.security.nixos.org\"\n        ];\n      })\n      (mkDnsSdProbe \"smtp_starttls\" {\n        names = [\n          \"nixos.org\"\n        ];\n        type = \"MX\";\n        port = 25;\n      })\n    ];\n\n    ruleFiles = [\n      (pkgs.writeText \"blackbox-exporter.rules\" (\n        builtins.toJSON {\n          groups = [\n            {\n              name = \"blackbox\";\n              rules = [\n                {\n                  alert = \"CertificateExpiry\";\n     
             expr = ''\n                    probe_ssl_earliest_cert_expiry - time() < 86400 * 14\n                  '';\n                  for = \"15m\";\n                  labels.severity = \"warning\";\n                  annotations.summary = \"Certificate for {{ $labels.instance }} is expiring soon.\";\n                }\n                {\n                  alert = \"HttpUnreachable\";\n                  expr = ''\n                    probe_success{job=\"blackbox-https_success\"} == 0\n                  '';\n                  for = \"15m\";\n                  labels.severity = \"warning\";\n                  annotations.summary = \"Endpoint {{ $labels.instance }} is unreachable\";\n                }\n                {\n                  alert = \"MxUnreachable\";\n                  expr = ''\n                    probe_success{job=~\"blackbox-smtp_starttls.*\"} == 0\n                  '';\n                  for = \"15m\";\n                  labels.severity = \"warning\";\n                  annotations.summary = \"Mail server {{ $labels.instance }} is unreachable\";\n                }\n              ];\n            }\n          ];\n        }\n      ))\n    ];\n  };\n}\n"
  },
  {
    "path": "build/pluto/prometheus/exporters/channel-exporter.py",
    "content": "#!/usr/bin/env python3\n\nimport json\nimport logging\nimport sys\nimport time\nfrom pprint import pprint\n\nimport requests\nfrom dateutil.parser import parse\nfrom prometheus_client import Counter, Gauge, Histogram, start_http_server\n\nCHANNEL_REVISION = Gauge(\n    \"channel_revision\",\n    \"Current revision, exported as a hack\",\n    [\"channel\", \"revision\", \"status\", \"variant\", \"current\"],\n)\n\n\nCHANNEL_REQUEST_TIME = Histogram(\n    \"channel_request_time\", \"Time spent requesting channel data\"\n)\nCHANNEL_UPDATE_TIME = Gauge(\n    \"channel_update_time\",\n    \"Total number of failures to fetch spot market prices\",\n    [\"channel\"],\n)\nCHANNEL_CURRENT = Gauge(\n    \"channel_current\",\n    \"If a channel is expected to be current\",\n    [\"channel\"],\n)\nCHANNEL_REQUEST_FAILURES = Counter(\n    \"channel_request_failures_total\",\n    \"Number of channel status requests which have failed\",\n)\n\n\n@CHANNEL_REQUEST_TIME.time()\ndef measure_channel(name):\n    try:\n        with CHANNEL_REQUEST_FAILURES.count_exceptions():\n            result = requests.get(\n                f\"https://nixos.org/channels/{name}/git-revision\", timeout=10\n            )\n\n            try:\n                return {\n                    \"timestamp\": parse(result.headers[\"last-modified\"]).timestamp(),\n                    \"revision\": result.text,\n                }\n            except KeyError as e:\n                print(f\"Got KeyError after getting our result for {name}:\")\n                pprint(e)\n                pprint(result)\n\n    except Exception as e:\n        print(f\"Got a mystery error for {name}:\")\n        pprint(e)\n\n\nif __name__ == \"__main__\":\n    logging.basicConfig(level=logging.DEBUG)\n    start_http_server(9402)\n\n    with open(sys.argv[1]) as channel_data:\n        channels = json.load(channel_data)\n\n    revisions = {}\n\n    while True:\n        for channel, about in channels.items():\n            
measurement = measure_channel(channel)\n            if measurement is not None:\n                revision = measurement[\"revision\"]\n                status = about.get(\"status\", \"\")\n                variant = about.get(\"variant\", \"\")\n                current = int(status != \"unmaintained\")\n                CHANNEL_UPDATE_TIME.labels(channel=channel).set(\n                    measurement[\"timestamp\"]\n                )\n                CHANNEL_REVISION.labels(\n                    channel=channel,\n                    revision=revision,\n                    status=status,\n                    variant=variant,\n                    current=current,\n                ).set(1)\n                CHANNEL_CURRENT.labels(channel=channel).set(current)\n                print(f\"updated {channel}\")\n                previous_revision = revisions.pop(channel, None)\n                revisions[channel] = revision\n                if previous_revision and previous_revision != revision:\n                    CHANNEL_REVISION.remove(\n                        channel, previous_revision, status, variant, current\n                    )\n        time.sleep(55)\n"
  },
  {
    "path": "build/pluto/prometheus/exporters/channel.nix",
    "content": "{ lib, pkgs, ... }:\n\nlet\n  channels = pkgs.writeText \"channels.json\" (\n    builtins.toJSON (import ../../../../channels.nix).channels\n  );\nin\n{\n  systemd.services.channel-update-exporter = {\n    description = \"Check all active channels' last-update times\";\n    path = [\n      (pkgs.python3.withPackages (\n        pypkgs: with pypkgs; [\n          requests\n          prometheus-client\n          python-dateutil\n        ]\n      ))\n    ];\n    wantedBy = [ \"multi-user.target\" ];\n    serviceConfig = {\n      DynamicUser = true;\n      ExecStart = \"${./channel-exporter.py} ${channels}\";\n    };\n  };\n\n  services.prometheus.scrapeConfigs = [\n    {\n      job_name = \"channel-updates\";\n      metrics_path = \"/\";\n      static_configs = [ { targets = [ \"127.0.0.1:9402\" ]; } ];\n    }\n  ]\n  ++ lib.mapAttrsToList (name: value: {\n    job_name = \"channel-job-${name}\";\n    scheme = \"https\";\n    scrape_interval = \"5m\";\n    metrics_path = \"/job/${value.job}/prometheus\";\n    static_configs = [\n      {\n        labels = {\n          current = if value.status != \"unmaintained\" then \"1\" else \"0\";\n          channel = name;\n        };\n        targets = [ \"hydra.nixos.org:443\" ];\n      }\n    ];\n  }) (import ../../../../channels.nix).channels;\n}\n"
  },
  {
    "path": "build/pluto/prometheus/exporters/domain.nix",
    "content": "{ pkgs, ... }:\n\n{\n  services.prometheus = {\n    exporters.domain = {\n      enable = true;\n      listenAddress = \"localhost\";\n    };\n\n    scrapeConfigs = [\n      {\n        # https://github.com/caarlos0/domain_exporter#configuration\n        job_name = \"domain\";\n        metrics_path = \"/probe\";\n        relabel_configs = [\n          {\n            source_labels = [ \"__address__\" ];\n            target_label = \"__param_target\";\n          }\n          {\n            target_label = \"__address__\";\n            replacement = \"localhost:9222\";\n          }\n        ];\n        static_configs = [\n          {\n            targets = [\n              \"nix.ci\"\n              \"nix.dev\"\n              \"nixos.org\"\n              \"ofborg.org\"\n            ];\n          }\n        ];\n      }\n    ];\n\n    ruleFiles = [\n      (pkgs.writeText \"domain-exporter.rules\" (\n        builtins.toJSON {\n          groups = [\n            {\n              name = \"domain\";\n              rules = [\n                {\n                  alert = \"DomainExpiry\";\n                  expr = \"domain_expiry_days != -1 and domain_expiry_days < 30\";\n                  for = \"1h\";\n                  labels.severity = \"warning\";\n                  annotations.summary = \"Domain {{ $labels.domain }} will expire in less than 30 days\";\n                }\n                {\n                  alert = \"DomainProbeFailure\";\n                  expr = \"domain_probe_success == 0\";\n                  for = \"1d\";\n                  labels.severity = \"warning\";\n                  annotations.summary = \"Domain {{ $labels.domain }} probe failing for more than 1 day.\";\n                }\n              ];\n            }\n          ];\n        }\n      ))\n    ];\n  };\n}\n"
  },
  {
    "path": "build/pluto/prometheus/exporters/fastly.nix",
    "content": "{ config, ... }:\n\n{\n  age.secrets.fastly-exporter-env.file = ../../../secrets/fastly-exporter-env.age;\n\n  services.prometheus = {\n    exporters.fastly = {\n      enable = true;\n      listenAddress = \"127.0.0.1\";\n      environmentFile = config.age.secrets.fastly-exporter-env.path;\n    };\n\n    scrapeConfigs = [\n      {\n        job_name = \"fastly\";\n        metrics_path = \"/metrics\";\n        static_configs = [ { targets = [ \"127.0.0.1:9118\" ]; } ];\n      }\n    ];\n  };\n}\n"
  },
  {
    "path": "build/pluto/prometheus/exporters/github.nix",
    "content": "{ pkgs, ... }:\n\nlet\n  exporter = pkgs.fetchFromGitHub {\n    owner = \"grahamc\";\n    repo = \"prometheus-github-exporter\";\n    rev = \"01b6f8ef06b694411baf10f49e7b05afb26ab307\";\n    sha256 = \"sha256-Sk/ynhPeXQVIgyZJ3Gj1VynJhPWmBHjrRnGYLjnJvio=\";\n  };\n\n  config = pkgs.writeText \"config.json\" (\n    builtins.toJSON {\n      port = 9401;\n      repos = [\n        \"NixOS/nixpkgs\"\n        \"NixOS/nix\"\n      ];\n    }\n  );\nin\n{\n  systemd.services.prometheus-github-exporter = {\n    wantedBy = [ \"multi-user.target\" ];\n    after = [ \"network.target\" ];\n    serviceConfig = {\n      DynamicUser = true;\n      User = \"github-exporter\";\n      Restart = \"always\";\n      RestartSec = \"60s\";\n      PrivateTmp = true;\n    };\n\n    path = [\n      (pkgs.python3.withPackages (\n        ps: with ps; [\n          prometheus-client\n          requests\n        ]\n      ))\n    ];\n\n    script = \"exec python3 ${exporter}/scrape.py ${config}\";\n  };\n\n  services.prometheus.scrapeConfigs = [\n    {\n      job_name = \"prometheus-github-exporter\";\n      metrics_path = \"/\";\n      static_configs = [ { targets = [ \"127.0.0.1:9401\" ]; } ];\n    }\n  ];\n}\n"
  },
  {
    "path": "build/pluto/prometheus/exporters/hydra-queue-runner-reexporter.py",
    "content": "#!/usr/bin/env nix-shell\n#!nix-shell -i python3 -p python3 -p python3Packages.requests -p python3Packages.prometheus_client\n\nimport contextlib\nimport json\nimport time\n\nimport requests\nfrom prometheus_client import CollectorRegistry, start_http_server\nfrom prometheus_client.core import CounterMetricFamily, GaugeMetricFamily\n\n\ndef debug_remaining_state(edict) -> None:\n    # pprint(edict.remaining_state())\n    pass\n\n\nclass EvaporatingDict:\n    def __init__(self, state) -> None:\n        self._state = state\n\n    def preserving_read(self, key):\n        val = self._state[key]\n\n        if isinstance(val, dict):\n            return EvaporatingDict(val)\n        return val\n\n    def preserving_read_default(self, key, default):\n        try:\n            return self.preserving_read(key)\n        except KeyError:\n            return default\n\n    def destructive_read(self, key):\n        val = self.preserving_read(key)\n        del self._state[key]\n        return val\n\n    def destructive_read_default(self, key, default):\n        try:\n            val = self.preserving_read(key)\n            del self._state[key]\n            return val\n        except KeyError:\n            # Not nice, but accounts for weird conditionals in Hydra\n            # todo: log bad reads?\n            return default\n\n    def unused_read(self, key) -> None:\n        self.destructive_read_default(key, default=None)\n\n    def remaining_state(self):\n        return self._state\n\n    def items(self):\n        keys = list(self._state.keys())\n        for key in keys:\n            yield (key, self.destructive_read(key))\n\n\nclass HydraScrapeImporter:\n    def __init__(self, status) -> None:\n        self._status = EvaporatingDict(status)\n\n    def collect(self):\n        # The metrics are consumed in the order presented by\n        # 
https://github.com/NixOS/hydra/blob/adf59a395993d5ed1d7a31108f7666195f789c99/src/hydra-queue-runner/hydra-queue-runner.cc#L536\n        yield self.trivial_gauge(\n            \"up\",\n            \"Is hydra running\",\n            1 if self.destructive_read(\"status\") == \"up\" else 0,\n        )\n        yield self.trivial_counter(\n            \"time\", \"Hydra's current time\", self.destructive_read(\"time\")\n        )\n        yield self.trivial_counter(\n            \"uptime\", \"Hydra's uptime\", self.destructive_read(\"uptime\")\n        )\n        self.unused_metric(\"pid\")\n        yield self.trivial_gauge(\n            \"builds_queued\",\n            \"Current build queue size\",\n            self.destructive_read(\"nrQueuedBuilds\"),\n        )\n        yield self.trivial_gauge(\n            \"steps_queued\",\n            \"Current number of steps for the build queue\",\n            self.destructive_read(\"nrUnfinishedSteps\"),\n        )\n        yield self.trivial_gauge(\n            \"steps_runnable\",\n            \"Current number of steps which can run immediately\",\n            self.destructive_read(\"nrRunnableSteps\"),\n        )\n        yield self.trivial_gauge(\n            \"steps_active\",\n            \"Current number of steps which are currently active\",\n            self.destructive_read(\"nrActiveSteps\"),\n        )\n        yield self.trivial_gauge(\n            \"steps_building\",\n            \"Current number of steps which are currently building\",\n            self.destructive_read(\"nrStepsBuilding\"),\n        )\n        yield self.trivial_gauge(\n            \"steps_copying_to\",\n            \"Current number of steps which are having build inputs copied to a builder\",\n            self.destructive_read(\"nrStepsCopyingTo\"),\n        )\n        yield self.trivial_gauge(\n            \"steps_copying_from\",\n            \"Current number of steps which are having build results copied from a builder\",\n            
self.destructive_read(\"nrStepsCopyingFrom\"),\n        )\n        yield self.trivial_gauge(\n            \"steps_waiting\",\n            \"Current number of steps which are waiting\",\n            self.destructive_read(\"nrStepsWaiting\"),\n        )\n        yield self.trivial_counter(\n            \"build_inputs_sent_bytes\",\n            \"Total count of bytes sent due to build inputs\",\n            self.destructive_read(\"bytesSent\"),\n        )\n        yield self.trivial_counter(\n            \"build_outputs_received_bytes\",\n            \"Total count of bytes received from build outputs\",\n            self.destructive_read(\"bytesReceived\"),\n        )\n        yield self.trivial_counter(\n            \"builds_read\",\n            \"Total count of builds whose outputs have been read\",\n            self.destructive_read(\"nrBuildsRead\"),\n        )\n        yield self.trivial_counter(\n            \"builds_read_seconds\",\n            \"Total number of seconds spent reading build outputs\",\n            self.destructive_read(\"buildReadTimeMs\") / 1000,\n        )\n        self.unused_metric(\"buildReadTimeAvgMs\")  # implementable in prometheus queries\n\n        yield self.trivial_counter(\n            \"builds_done\",\n            \"Total count of builds performed\",\n            self.destructive_read(\"nrBuildsDone\"),\n        )\n        yield self.trivial_counter(\n            \"steps_started\",\n            \"Total count of steps started\",\n            self.destructive_read(\"nrStepsStarted\"),\n        )\n        yield self.trivial_counter(\n            \"steps_done\",\n            \"Total count of steps completed\",\n            self.destructive_read(\"nrStepsDone\"),\n        )\n        yield self.trivial_counter(\n            \"retries\", \"Total count of retries\", self.destructive_read(\"nrRetries\")\n        )\n        yield self.trivial_counter(\n            \"max_retries\",\n            \"Maximum count of retries for any single 
job\",\n            self.destructive_read(\"maxNrRetries\"),\n        )\n        yield self.trivial_counter(\n            \"step_time\",\n            \"Total time spent executing steps\",\n            self.destructive_read_default(\"totalStepTime\", 0),\n        )\n        yield self.trivial_counter(\n            \"step_build_time\",\n            \"Total time spent executing builds steps (???)\",\n            self.destructive_read_default(\"totalStepBuildTime\", 0),\n        )\n        self.unused_metric(\"avgStepTime\")\n        self.unused_metric(\"avgStepBuildTime\")\n\n        yield self.trivial_counter(\n            \"queue_wakeup\",\n            \"Count of the times the queue runner has been notified of queue changes\",\n            self.destructive_read(\"nrQueueWakeups\"),\n        )\n        yield self.trivial_counter(\n            \"dispatcher_wakeup\",\n            \"Count of the times the queue runner work dispatcher woke up due to new runnable builds and completed builds.\",\n            self.destructive_read(\"nrDispatcherWakeups\"),\n        )\n        yield self.trivial_counter(\n            \"dispatch_execution_seconds\",\n            \"Number of seconds the dispatcher has spent working\",\n            self.destructive_read(\"dispatchTimeMs\") / 1000,\n        )\n        self.unused_metric(\"dispatchTimeAvgMs\")\n\n        yield self.trivial_gauge(\n            \"db_connections\",\n            \"Number of connections to the database\",\n            self.destructive_read(\"nrDbConnections\"),\n        )\n        yield self.trivial_gauge(\n            \"db_updates\",\n            \"Number of in-progress database updates\",\n            self.destructive_read(\"nrActiveDbUpdates\"),\n        )\n        yield self.trivial_counter(\n            \"notifications_total\",\n            \"Total number of notifications sent\",\n            self.preserving_read_default(\"nrNotificationsDone\", 0)\n            + 
self.preserving_read_default(\"nrNotificationsFailed\", 0),\n        )\n        yield self.trivial_counter(\n            \"notifications_done\",\n            \"Number of notifications completed\",\n            self.destructive_read_default(\"nrNotificationsDone\", 0),\n        )\n        yield self.trivial_counter(\n            \"notifications_failed\",\n            \"Number of notifications failed\",\n            self.destructive_read_default(\"nrNotificationsFailed\", 0),\n        )\n        yield self.trivial_counter(\n            \"notifications_in_progress\",\n            \"Number of notifications in_progress\",\n            self.destructive_read_default(\"nrNotificationsInProgress\", 0),\n        )\n        yield self.trivial_counter(\n            \"notifications_pending\",\n            \"Number of notifications pending\",\n            self.destructive_read_default(\"nrNotificationsPending\", 0),\n        )\n        yield self.trivial_counter(\n            \"notifications_seconds\",\n            \"Time spent delivering notifications\",\n            self.destructive_read_default(\"nrNotificationTimeMs\", 0) / 1000,\n        )\n        self.unused_metric(\"nrNotificationTimeAvgMs\")\n\n        machineCollector = MachineScrapeImporter()\n        for name, report in self.destructive_read(\"machines\").items():\n            machineCollector.load_machine(name, report)\n        for metric in machineCollector.metrics():\n            yield metric\n\n        jobsetCollector = JobsetScrapeImporter()\n        for name, report in self.destructive_read(\"jobsets\").items():\n            jobsetCollector.load_jobset(name, report)\n        for metric in jobsetCollector.metrics():\n            yield metric\n\n        machineTypesCollector = MachineTypeScrapeImporter()\n        for name, report in self.destructive_read(\"machineTypes\").items():\n            machineTypesCollector.load_machine_type(name, report)\n        for metric in machineTypesCollector.metrics():\n           
 yield metric\n\n        store = self.destructive_read(\"store\")\n        yield self.trivial_counter(\n            \"store_nar_info_read\",\n            \"Number of NarInfo files read from the binary cache\",\n            store.destructive_read(\"narInfoRead\"),\n        )\n        yield self.trivial_counter(\n            \"store_nar_info_read_averted\",\n            \"Number of NarInfo files reads which were avoided\",\n            store.destructive_read(\"narInfoReadAverted\"),\n        )\n        yield self.trivial_counter(\n            \"store_nar_info_missing\",\n            \"Number of NarInfo files read attempts which identified a missing narinfo file\",\n            store.destructive_read(\"narInfoMissing\"),\n        )\n        yield self.trivial_counter(\n            \"store_nar_info_write\",\n            \"Number of NarInfo files written to the binary cache\",\n            store.destructive_read(\"narInfoWrite\"),\n        )\n        yield self.trivial_gauge(\n            \"store_nar_info_cache_size\",\n            \"Size of the in-memory store path information cache\",\n            store.destructive_read(\"narInfoCacheSize\"),\n        )\n        yield self.trivial_counter(\n            \"store_nar_read\",\n            \"Number of NAR files read from the binary cache\",\n            store.destructive_read(\"narRead\"),\n        )\n        yield self.trivial_counter(\n            \"store_nar_read_bytes\",\n            \"Number of NAR file bytes read after decompression from the binary cache\",\n            store.destructive_read(\"narReadBytes\"),\n        )\n        yield self.trivial_counter(\n            \"store_nar_read_compressed_bytes\",\n            \"Number of NAR file bytes read before decompression from the binary cache\",\n            store.destructive_read(\"narReadCompressedBytes\"),\n        )\n        yield self.trivial_counter(\n            \"store_nar_write\",\n            \"Number of NAR files written to the binary cache\",\n           
 store.destructive_read(\"narWrite\"),\n        )\n        yield self.trivial_counter(\n            \"store_nar_write_averted\",\n            \"Number of NAR files writes skipped due to the NAR already being in the binary cache\",\n            store.destructive_read(\"narWriteAverted\"),\n        )\n        yield self.trivial_counter(\n            \"store_nar_write_bytes\",\n            \"Number of NAR file bytes written after decompression to the binary cache\",\n            store.destructive_read(\"narWriteBytes\"),\n        )\n        yield self.trivial_counter(\n            \"store_nar_write_compressed_bytes\",\n            \"Number of NAR file bytes written before decompression to the binary cache\",\n            store.destructive_read(\"narWriteCompressedBytes\"),\n        )\n        yield self.trivial_counter(\n            \"store_nar_write_compression_seconds\",\n            \"Number of seconds spent compressing data when writing NARs to the binary cache\",\n            store.destructive_read(\"narWriteCompressionTimeMs\") / 1000,\n        )\n        store.unused_read(\"narCompressionSavings\")\n        store.unused_read(\"narCompressionSpeed\")\n\n        try:\n            s3 = self.destructive_read(\"s3\")\n        except KeyError:\n            # no key, no metrics\n            s3 = None\n        if s3:\n            # Not in the above try to avoid the try catching mistakes\n            # in the following code\n            yield self.trivial_counter(\n                \"store_s3_put\", \"Number of PUTs to S3\", s3.destructive_read(\"put\")\n            )\n            yield self.trivial_counter(\n                \"store_s3_put_bytes\",\n                \"Number of bytes written to S3\",\n                s3.destructive_read(\"putBytes\"),\n            )\n            yield self.trivial_counter(\n                \"store_s3_put_seconds\",\n                \"Number of seconds spent writing to S3\",\n                s3.destructive_read(\"putTimeMs\") / 1000,\n     
       )\n            s3.unused_read(\"putSpeed\")\n            yield self.trivial_counter(\n                \"store_s3_get\", \"Number of GETs to S3\", s3.destructive_read(\"get\")\n            )\n            yield self.trivial_counter(\n                \"store_s3_get_bytes\",\n                \"Number of bytes read from S3\",\n                s3.destructive_read(\"getBytes\"),\n            )\n            yield self.trivial_counter(\n                \"store_s3_get_seconds\",\n                \"Number of seconds spent reading from S3\",\n                s3.destructive_read(\"getTimeMs\") / 1000,\n            )\n            s3.unused_read(\"getSpeed\")\n\n            yield self.trivial_counter(\n                \"store_s3_head\", \"Number of HEADs to S3\", s3.destructive_read(\"head\")\n            )\n            yield self.trivial_counter(\n                \"store_s3_cost_approximate_dollars\",\n                \"Estimated cost of the S3 bucket activity\",\n                s3.destructive_read(\"costDollarApprox\"),\n            )\n            debug_remaining_state(s3)\n        debug_remaining_state(store)\n\n    def trivial_gauge(self, name, help, value):\n        c = GaugeMetricFamily(f\"hydra_{name}\", help)\n        c.add_metric([], value)\n        return c\n\n    def trivial_counter(self, name, help, value):\n        c = CounterMetricFamily(f\"hydra_{name}_total\", help)\n        c.add_metric([], value)\n        return c\n\n    def unused_metric(self, key) -> None:\n        self._status.unused_read(key)\n\n    def preserving_read(self, key):\n        return self._status.preserving_read(key)\n\n    def preserving_read_default(self, key, default):\n        return self._status.preserving_read_default(key, default)\n\n    def destructive_read(self, key):\n        return self._status.destructive_read(key)\n\n    def destructive_read_default(self, key, default):\n        return self._status.destructive_read_default(key, default)\n\n    def uncollected_status(self):\n 
       return self._status.remaining_state()\n\n\ndef blackhole(*args, **kwargs) -> None:\n    return None\n\n\nclass MachineScrapeImporter:\n    def __init__(self) -> None:\n        labels = [\"host\"]\n        self.consective_failures = GaugeMetricFamily(\n            \"hydra_machine_consecutive_failures\",\n            \"Number of consecutive failed builds\",\n            labels=labels,\n        )\n        self.current_jobs = GaugeMetricFamily(\n            \"hydra_machine_current_jobs\", \"Number of current jobs\", labels=labels\n        )\n        self.idle_since = GaugeMetricFamily(\n            \"hydra_machine_idle_since\",\n            \"When the current idle period started\",\n            labels=labels,\n        )\n        self.disabled_until = GaugeMetricFamily(\n            \"hydra_machine_disabled_until\",\n            \"When the machine will be used again\",\n            labels=labels,\n        )\n        self.enabled = GaugeMetricFamily(\n            \"hydra_machine_enabled\",\n            \"If the machine is enabled (1) or not (0)\",\n            labels=labels,\n        )\n        self.last_failure = CounterMetricFamily(\n            \"hydra_machine_last_failure\", \"timestamp of the last failure\", labels=labels\n        )\n        self.number_steps_done = CounterMetricFamily(\n            \"hydra_machine_steps_done_total\",\n            \"Total count of the steps completed\",\n            labels=labels,\n        )\n        self.total_step_build_time = CounterMetricFamily(\n            \"hydra_machine_step_build_time_total\",\n            \"Number of seconds spent building steps\",\n            labels=labels,\n        )\n        self.total_step_time = CounterMetricFamily(\n            \"hydra_machine_step_time_total\",\n            \"Number of seconds spent on steps\",\n            labels=labels,\n        )\n\n    def load_machine(self, name, report) -> None:\n        report.unused_read(\"mandatoryFeatures\")\n        
report.unused_read(\"supportedFeatures\")\n        report.unused_read(\"systemTypes\")\n        report.unused_read(\"avgStepBuildTime\")\n        report.unused_read(\"avgStepTime\")\n        labels = [name]\n        self.consective_failures.add_metric(\n            labels, report.destructive_read(\"consecutiveFailures\")\n        )\n        self.current_jobs.add_metric(labels, report.destructive_read(\"currentJobs\"))\n        with contextlib.suppress(KeyError):\n            self.idle_since.add_metric(labels, report.destructive_read(\"idleSince\"))\n        self.disabled_until.add_metric(labels, report.destructive_read(\"disabledUntil\"))\n        self.enabled.add_metric(labels, 1 if report.destructive_read(\"enabled\") else 0)\n        self.last_failure.add_metric(labels, report.destructive_read(\"lastFailure\"))\n        self.number_steps_done.add_metric(\n            labels, report.destructive_read(\"nrStepsDone\")\n        )\n        self.total_step_build_time.add_metric(\n            labels, report.destructive_read_default(\"totalStepBuildTime\", default=0)\n        )\n        self.total_step_time.add_metric(\n            labels, report.destructive_read_default(\"totalStepTime\", default=0)\n        )\n        debug_remaining_state(report)\n\n    def metrics(self):\n        yield self.consective_failures\n        yield self.current_jobs\n        yield self.idle_since\n        yield self.disabled_until\n        yield self.enabled\n        yield self.last_failure\n        yield self.number_steps_done\n        yield self.total_step_build_time\n        yield self.total_step_time\n\n\nclass JobsetScrapeImporter:\n    def __init__(self) -> None:\n        self.seconds = CounterMetricFamily(\n            \"hydra_jobset_seconds_total\",\n            \"Total number of seconds the jobset has been building\",\n            labels=[\"name\"],\n        )\n        self.shares_used = CounterMetricFamily(\n            \"hydra_jobset_shares_used_total\",\n            \"Total 
shares the jobset has consumed\",\n            labels=[\"name\"],\n        )\n\n    def load_jobset(self, name, report) -> None:\n        self.seconds.add_metric([name], report.destructive_read(\"seconds\"))\n        self.shares_used.add_metric([name], report.destructive_read(\"shareUsed\"))\n        debug_remaining_state(report)\n\n    def metrics(self):\n        yield self.seconds\n        yield self.shares_used\n\n\nclass MachineTypeScrapeImporter:\n    def __init__(self) -> None:\n        self.runnable = GaugeMetricFamily(\n            \"hydra_machine_type_runnable\",\n            \"Number of currently runnable builds\",\n            labels=[\"machineType\"],\n        )\n        self.running = GaugeMetricFamily(\n            \"hydra_machine_type_running\",\n            \"Number of currently running builds\",\n            labels=[\"machineType\"],\n        )\n        self.wait_time = CounterMetricFamily(\n            \"hydra_machine_type_wait_time_total\",\n            \"Number of seconds spent waiting\",\n            labels=[\"machineType\"],\n        )\n        self.last_active = CounterMetricFamily(\n            \"hydra_machine_type_last_active_total\",\n            \"Last time this machine type was active\",\n            labels=[\"machineType\"],\n        )\n\n    def load_machine_type(self, name, report) -> None:\n        self.runnable.add_metric([name], report.destructive_read(\"runnable\"))\n        self.running.add_metric([name], report.destructive_read(\"running\"))\n        with contextlib.suppress(KeyError):\n            self.wait_time.add_metric([name], report.destructive_read(\"waitTime\"))\n        with contextlib.suppress(KeyError):\n            self.last_active.add_metric([name], report.destructive_read(\"lastActive\"))\n\n        debug_remaining_state(report)\n\n    def metrics(self):\n        yield self.runnable\n        yield self.running\n        yield self.wait_time\n        yield self.last_active\n\n\nclass ScrapeCollector:\n    def 
__init__(self) -> None:\n        pass\n\n    def collect(self):\n        return HydraScrapeImporter(scrape()).collect()\n\n\ndef scrape(cached=None):\n    if cached:\n        with open(cached) as f:\n            return json.load(f)\n    else:\n        print(\"Scraping\")\n        return requests.get(\n            \"https://hydra.nixos.org/queue-runner-status\",\n            headers={\"Content-Type\": \"application/json\"},\n        ).json()\n\n\nregistry = CollectorRegistry()\n\nregistry.register(ScrapeCollector())\n\nif __name__ == \"__main__\":\n    # Start up the server to expose the metrics.\n    start_http_server(9200, registry=registry)\n    # Generate some requests.\n    while True:\n        time.sleep(30)\n"
  },
  {
    "path": "build/pluto/prometheus/exporters/hydra.nix",
    "content": "{ pkgs, ... }:\n\n{\n  systemd.services.prometheus-hydra-queue-runner-exporter = {\n    wantedBy = [ \"multi-user.target\" ];\n    after = [ \"network.target\" ];\n    wants = [ \"network.target\" ];\n    serviceConfig = {\n      DynamicUser = true;\n      Restart = \"always\";\n      RestartSec = \"60s\";\n      PrivateTmp = true;\n      WorkingDirectory = \"/tmp\";\n      ExecStart =\n        let\n          python = pkgs.python3.withPackages (\n            ps: with ps; [\n              requests\n              prometheus-client\n            ]\n          );\n        in\n        ''\n          ${python.interpreter} ${./hydra-queue-runner-reexporter.py}\n        '';\n    };\n  };\n\n  services.prometheus = {\n    scrapeConfigs = [\n      {\n        job_name = \"hydra\";\n        metrics_path = \"/prometheus\";\n        scheme = \"https\";\n        static_configs = [ { targets = [ \"hydra.nixos.org:443\" ]; } ];\n      }\n      {\n        job_name = \"hydra_queue_runner\";\n        metrics_path = \"/metrics\";\n        scheme = \"http\";\n        static_configs = [ { targets = [ \"hydra.nixos.org:9198\" ]; } ];\n      }\n      {\n        job_name = \"hydra-webserver\";\n        metrics_path = \"/metrics\";\n        scheme = \"https\";\n        static_configs = [ { targets = [ \"hydra.nixos.org:443\" ]; } ];\n      }\n      {\n        job_name = \"hydra-reexport\";\n        metrics_path = \"/\";\n        static_configs = [ { targets = [ \"localhost:9200\" ]; } ];\n      }\n    ];\n\n    ruleFiles = [\n      (pkgs.writeText \"hydra-exporter.rules\" (\n        builtins.toJSON {\n          groups = [\n            {\n              name = \"hydra\";\n              rules = [\n                {\n                  alert = \"BuildsStuckOverTwoDays\";\n                  expr = ''hydra_machine_build_duration_bucket{le=\"+Inf\"} - ignoring(le) hydra_machine_build_duration_bucket{le=\"172800\"} > 0'';\n                  for = \"30m\";\n                  
labels.severity = \"warning\";\n                  annotations.summary = \"{{ $labels.machine }} has {{ $value }} over-age jobs.\";\n                  annotations.grafana = \"https://grafana.nixos.org/d/j0hJAY1Wk/in-progress-build-duration-heatmap\";\n                }\n              ];\n            }\n          ];\n        }\n      ))\n    ];\n  };\n}\n"
  },
  {
    "path": "build/pluto/prometheus/exporters/json.nix",
    "content": "{ config, pkgs, ... }:\n\n{\n  services.prometheus = {\n    exporters.json = {\n      enable = true;\n      listenAddress = \"localhost\";\n\n      configFile = (pkgs.formats.yaml { }).generate \"json-exporter-config.yml\" {\n        modules.matrix-federation-checker = {\n          metrics = [\n            {\n              name = \"matrix_homeserver_federation_ok\";\n              path = \"{.FederationOK}\";\n              help = \"False if there's any problem with federation reported.\";\n              type = \"value\";\n              value_type = \"gauge\";\n            }\n          ];\n        };\n      };\n    };\n\n    scrapeConfigs = [\n      {\n        job_name = \"matrix-federation-checker\";\n        metrics_path = \"/probe\";\n        params = {\n          module = [ \"matrix-federation-checker\" ];\n        };\n        relabel_configs = [\n          {\n            source_labels = [ \"__address__\" ];\n            target_label = \"__param_target\";\n          }\n          {\n            source_labels = [ \"__address__\" ];\n            target_label = \"instance\";\n          }\n          {\n            target_label = \"__address__\";\n            replacement = \"localhost:${toString config.services.prometheus.exporters.json.port}\";\n          }\n        ];\n\n        static_configs = [\n          {\n            targets = [ \"https://federationtester.matrix.org/api/report?server_name=nixos.org\" ];\n            labels.matrix_instance = \"nixos.org\";\n          }\n        ];\n      }\n    ];\n\n    ruleFiles = [\n      (pkgs.writeText \"matrix-federation.rules\" (\n        builtins.toJSON {\n          groups = [\n            {\n              name = \"matrix-federation\";\n              rules = [\n                {\n                  alert = \"MatrixFederationFailure\";\n                  expr = \"matrix_homeserver_federation_ok < 1\";\n                  for = \"30m\";\n                  labels.severity = \"warning\";\n                  
annotations.summary = \"Matrix federation for {{ $labels.matrix_instance }} appears to be failing.\";\n                }\n              ];\n            }\n          ];\n        }\n      ))\n    ];\n  };\n}\n"
  },
  {
    "path": "build/pluto/prometheus/exporters/matrix-synapse.nix",
    "content": "{\n  services.prometheus.scrapeConfigs = [\n    {\n      job_name = \"matrix_synapse\";\n      scheme = \"https\";\n      static_configs = [ { targets = [ \"matrix.nixos.org:443\" ]; } ];\n    }\n  ];\n}\n"
  },
  {
    "path": "build/pluto/prometheus/exporters/nixos.nix",
    "content": "{\n  services.prometheus.scrapeConfigs = [\n    {\n      job_name = \"nixos\";\n      static_configs = [\n        {\n          labels.role = \"hydra\";\n          targets = [\n            \"mimas.nixos.org:9300\"\n          ];\n        }\n        {\n          labels.role = \"monitoring\";\n          targets = [\n            \"pluto.nixos.org:9300\"\n          ];\n        }\n        {\n          labels.role = \"database\";\n          targets = [\n            \"haumea.nixos.org:9300\"\n            \"titan.nixos.org:9300\"\n          ];\n        }\n      ];\n    }\n  ];\n}\n"
  },
  {
    "path": "build/pluto/prometheus/exporters/node.nix",
    "content": "{ pkgs, ... }:\n\n{\n  services.prometheus = {\n    scrapeConfigs = [\n      {\n        job_name = \"node\";\n        static_configs = [\n          {\n            labels.role = \"hydra\";\n            targets = [\n              \"mimas.nixos.org:9100\"\n            ];\n          }\n          {\n            labels.role = \"database\";\n            targets = [\n              \"haumea.nixos.org:9100\"\n              \"titan.nixos.org:9100\"\n            ];\n          }\n          {\n            labels.role = \"monitoring\";\n            targets = [\n              \"pluto.nixos.org:9100\"\n            ];\n          }\n          {\n            labels.role = \"services\";\n            targets = [\n              \"caliban.nixos.org:9100\"\n              \"umbriel.nixos.org:9100\"\n              \"wiki.nixos.org:9100\"\n              \"tracker.security.nixos.org:9100\"\n              \"makemake.ngi.nixos.org:9100\"\n            ];\n          }\n          {\n            labels.role = \"mac\";\n            targets = [\n              # flying circus\n              \"norwegian-blue.mac.nixos.org:9100\"\n              # hetzner\n              \"intense-heron.mac.nixos.org:9100\"\n              \"sweeping-filly.mac.nixos.org:9100\"\n              \"maximum-snail.mac.nixos.org:9100\"\n              \"growing-jennet.mac.nixos.org:9100\"\n              \"enormous-catfish.mac.nixos.org:9100\"\n              # oakhost\n              \"kind-lumiere.mac.nixos.org:9100\"\n              \"eager-heisenberg.mac.nixos.org:9100\"\n              # macstadium\n              \"mac01.ofborg.org:9100\"\n              \"mac02.ofborg.org:9100\"\n              \"mac03.ofborg.org:9100\"\n              \"mac04.ofborg.org:9100\"\n              \"mac05.ofborg.org:9100\"\n            ];\n          }\n          {\n            labels.role = \"builders\";\n            targets = [\n              \"elated-minsky.builder.nixos.org:9100\"\n              \"sleepy-brown.builder.nixos.org:9100\"\n  
            \"goofy-hopcroft.builder.nixos.org:9100\"\n              \"hopeful-rivest.builder.nixos.org:9100\"\n            ];\n          }\n          {\n            labels.role = \"ofborg\";\n            targets = [\n              \"build01.ofborg.org:9100\"\n              \"build02.ofborg.org:9100\"\n              \"build03.ofborg.org:9100\"\n              \"build04.ofborg.org:9100\"\n              \"build05.ofborg.org:9100\"\n              \"core01.ofborg.org:9100\"\n              \"eval01.ofborg.org:9100\"\n              \"eval02.ofborg.org:9100\"\n              \"eval03.ofborg.org:9100\"\n              \"eval04.ofborg.org:9100\"\n            ];\n          }\n        ];\n      }\n    ];\n\n    ruleFiles =\n      let\n        diskSelector = ''mountpoint=\"/\"'';\n      in\n      [\n        (pkgs.writeText \"node-exporter.rules\" (\n          builtins.toJSON {\n            groups = [\n              {\n                name = \"node\";\n                rules = [\n                  {\n                    alert = \"PartitionLowInodes\";\n                    expr = ''\n                      node_filesystem_files_free{${diskSelector}} / node_filesystem_files{${diskSelector}} * 100 < 10\n                    '';\n                    for = \"60m\";\n                    labels.severity = \"warning\";\n                    annotations.summary = \"{{ $labels.device }} mounted to {{ $labels.mountpoint }} ({{ $labels.fstype }}) on {{ $labels.instance }} has only {{ $value }}% free inodes.\";\n                    annotations.grafana = \"https://grafana.nixos.org/d/rYdddlPWk/node-exporter-full?orgId=1&var-job=node&var-node={{ $labels.instance }}\";\n                  }\n                  {\n                    alert = \"PartitionLowDiskSpace\";\n                    expr = ''\n                      round((node_filesystem_free_bytes{${diskSelector}} * 100) / node_filesystem_size_bytes{${diskSelector}}) < 10 and ON (instance, device, mountpoint) node_filesystem_free_bytes < 100 * 
1024^3\n                    '';\n                    for = \"60m\";\n                    labels.severity = \"warning\";\n                    annotations.summary = \"{{ $labels.device }} mounted to {{ $labels.mountpoint }} ({{ $labels.fstype }}) on {{ $labels.instance }} has {{ $value }}% free.\";\n                    annotations.grafana = \"https://grafana.nixos.org/d/rYdddlPWk/node-exporter-full?orgId=1&var-job=node&var-node={{ $labels.instance }}\";\n                  }\n                  {\n                    alert = \"SystemdUnitFailed\";\n                    expr = ''\n                      node_systemd_unit_state{state=\"failed\"} == 1\n                    '';\n                    for = \"15m\";\n                    labels.severity = \"warning\";\n                    annotations.summary = \"systemd unit {{ $labels.name }} on {{ $labels.instance }} has been down for more than 15 minutes.\";\n                  }\n                ];\n              }\n              {\n                name = \"scheduled-jobs\";\n                rules = [\n                  {\n                    alert = \"ChannelUpdateStuck\";\n                    expr = ''max_over_time(node_systemd_unit_state{name=~\"^update-nix.*.service$\",state=~\"failed\"}[5m]) == 1'';\n                    for = \"30m\";\n                    labels.severity = \"warning\";\n                    annotations.summary = \"{{ $labels.name }} on {{ $labels.instance }}\";\n                    annotations.grafana = \"https://grafana.nixos.org/d/fBW4tL1Wz/scheduled-task-state-channels-website?orgId=1&refresh=10s\";\n                  }\n                ];\n              }\n            ];\n          }\n        ))\n      ];\n  };\n}\n"
  },
  {
    "path": "build/pluto/prometheus/exporters/owncast.nix",
    "content": "{ config, ... }:\n\n{\n  age.secrets.owncast-admin-password = {\n    file = ../../../secrets/owncast-admin-password.age;\n    owner = \"prometheus\";\n    group = \"prometheus\";\n  };\n\n  services.prometheus.scrapeConfigs = [\n    {\n      job_name = \"owncast\";\n      metrics_path = \"/api/admin/prometheus\";\n      basic_auth = {\n        username = \"admin\";\n        password_file = config.age.secrets.owncast-admin-password.path;\n      };\n      scheme = \"https\";\n      static_configs = [ { targets = [ \"live.nixos.org:443\" ]; } ];\n    }\n  ];\n}\n"
  },
  {
    "path": "build/pluto/prometheus/exporters/postgresql.nix",
    "content": "{\n  services.prometheus.scrapeConfigs = [\n    {\n      job_name = \"postgresql\";\n      metrics_path = \"/metrics\";\n      static_configs = [\n        {\n          targets = [\n            \"haumea.nixos.org:9187\"\n            \"titan.nixos.org:9187\"\n            \"tracker.security.nixos.org:9187\"\n          ];\n        }\n      ];\n    }\n  ];\n}\n"
  },
  {
    "path": "build/pluto/prometheus/exporters/rasdaemon.nix",
    "content": "{ pkgs, ... }:\n\n{\n  services.prometheus = {\n    scrapeConfigs = [\n      {\n        job_name = \"rasdaemon\";\n        static_configs = [\n          {\n            targets = [\n              # build\n              \"mimas.nixos.org:10029\"\n              \"haumea.nixos.org:10029\"\n              \"pluto.nixos.org:10029\"\n              \"titan.nixos.org:10029\"\n\n              # builders\n              \"elated-minsky.builder.nixos.org:10029\"\n              \"sleepy-brown.builder.nixos.org:10029\"\n              \"goofy-hopcroft.builder.nixos.org:10029\"\n              \"hopeful-rivest.builder.nixos.org:10029\"\n\n              # non-critical\n              \"caliban.nixos.org:10029\"\n            ];\n          }\n        ];\n      }\n    ];\n\n    ruleFiles = [\n      (pkgs.writeText \"rasdaemon.rules\" (\n        builtins.toJSON {\n          groups = [\n            {\n              name = \"rasdaemon\";\n              rules = [\n                {\n                  alert = \"MachineCheckError\";\n                  expr = ''\n                    increase(rasdaemon_mce_records_total{mce_msg!=\"Corrected error, no action required.\"}[1h]) > 0\n                  '';\n                  labels.severity = \"warning\";\n                  annotations.summary = \"Machine check detected an error on {{ $labels.instance }}: {{ $labels.mce_msg }}\";\n                }\n              ];\n            }\n          ];\n        }\n      ))\n    ];\n  };\n}\n"
  },
  {
    "path": "build/pluto/prometheus/exporters/sql.nix",
    "content": "{\n  services.prometheus.scrapeConfigs = [\n    {\n      job_name = \"sql\";\n      metrics_path = \"/metrics\";\n      static_configs = [ { targets = [ \"tracker.security.nixos.org:9237\" ]; } ];\n    }\n  ];\n}\n"
  },
  {
    "path": "build/pluto/prometheus/exporters/storagebox.nix",
    "content": "{\n  config,\n  pkgs,\n  ...\n}:\n{\n  age.secrets.\"storagebox-exporter-token\".file = ../../../secrets/storagebox-exporter-token.age;\n\n  services.prometheus = {\n    exporters.storagebox = {\n      enable = true;\n      listenAddress = \"localhost\";\n      tokenFile = config.age.secrets.\"storagebox-exporter-token\".path;\n    };\n\n    scrapeConfigs = [\n      {\n        job_name = \"storagebox\";\n        scheme = \"http\";\n        static_configs = [ { targets = [ \"localhost:9509\" ]; } ];\n      }\n    ];\n\n    ruleFiles = [\n      (pkgs.writeText \"storagebox-exporter.rules\" (\n        builtins.toJSON {\n          groups = [\n            {\n              name = \"storagebox\";\n              rules = [\n                {\n                  alert = \"StorageboxCapacity\";\n                  expr = \"round(100 * (1 - (storagebox_disk_usage / storagebox_disk_quota))) < 10\";\n                  for = \"30m\";\n                  labels.severity = \"warning\";\n                  annotations.summary = \"StorageBox {{ $labels.name }} ({ $labels.server }}) has less than {{ $value }}% free space.\";\n                }\n              ];\n            }\n          ];\n        }\n      ))\n    ];\n  };\n}\n"
  },
  {
    "path": "build/pluto/prometheus/exporters/up.nix",
    "content": "{ pkgs, ... }:\n\n{\n  services.prometheus.ruleFiles = [\n    (pkgs.writeText \"up.rules\" (\n      builtins.toJSON {\n        groups = [\n          {\n            name = \"up\";\n            rules = [\n              {\n                alert = \"NotUp\";\n                expr = ''\n                  up == 0\n                '';\n                for = \"10m\";\n                labels.severity = \"warning\";\n                annotations.summary = \"scrape job {{ $labels.job }} is failing on {{ $labels.instance }}\";\n              }\n            ];\n          }\n        ];\n      }\n    ))\n  ];\n}\n"
  },
  {
    "path": "build/pluto/prometheus/exporters/zfs.nix",
    "content": "{\n  pkgs,\n  ...\n}:\n{\n  services.prometheus = {\n    scrapeConfigs = [\n      {\n        job_name = \"zfs\";\n        static_configs = [\n          {\n            targets = [\n              \"haumea.nixos.org:9134\"\n              \"mimas.nixos.org:9134\"\n              \"pluto.nixos.org:9134\"\n              \"titan.nixos.org:9134\"\n            ];\n          }\n        ];\n      }\n    ];\n    ruleFiles = [\n      (pkgs.writeText \"node-exporter.rules\" (\n        builtins.toJSON {\n          groups = [\n            {\n              name = \"zfs\";\n              rules = [\n                {\n                  alert = \"ZfsPoolHealth\";\n                  expr = ''\n                    zfs_pool_health > 0\n                  '';\n                  for = \"5m\";\n                  labels.severity = \"WARNING\";\n                  annotations.summary = \"ZFS pool {{ $labels.pool }} on {{ $labels.instance }} is unhealthy.\";\n                }\n                {\n                  alert = \"ZfsPoolFull\";\n                  expr = ''\n                    round((zfs_pool_free_bytes / zfs_pool_size_bytes) * 100, 1) < 15\n                  '';\n                  for = \"30m\";\n                  labels.severity = \"warning\";\n                  annotations.summary = \"ZFS pool {{ $labels.pool }} on {{ $labels.instance }} has only {{ $value }}% free space.\";\n                  annotations.grafana = \"https://grafana.nixos.org/d/rYdddlPWk/node-exporter-full?orgId=1&var-job=node&var-node={{ $labels.instance }}\";\n                }\n              ];\n            }\n          ];\n        }\n      ))\n    ];\n  };\n}\n"
  },
  {
    "path": "build/pluto/prometheus/exporters/zrepl.nix",
    "content": "{ pkgs, ... }:\n\n{\n  services.prometheus = {\n    scrapeConfigs = [\n      {\n        job_name = \"zrepl\";\n        static_configs = [\n          {\n            labels.role = \"database\";\n            targets = [\n              \"titan.nixos.org:9811\"\n            ];\n          }\n        ];\n      }\n    ];\n\n    ruleFiles = [\n      (pkgs.writeText \"zrepl.rules\" (\n        builtins.toJSON {\n          groups = [\n            {\n              name = \"zrepl\";\n              rules = [\n                {\n                  alert = \"ZreplLongTimeNoSuccess\";\n                  expr = ''\n                    time() - zrepl_replication_last_successful > ${toString (6 * 60 * 60)}\n                  '';\n                  for = \"6h\";\n                  labels.severity = \"warning\";\n                  annotations.summary = \"zrepl job {{ $labels.zrepl_job }} has not succeeded recently.\";\n                }\n              ];\n            }\n          ];\n        }\n      ))\n    ];\n  };\n}\n"
  },
  {
    "path": "build/scripts/nix-mac-installer.sh",
    "content": "#! /usr/bin/env bash\n\nset -e\n\nif [[ $(id -u) != 0 ]]; then\n  echo \"$0: please run this script as root\"\n  exit 1\nfi\n\nexport HOME=/var/root\n\nif ! dscl . read /Groups/nixbld >/dev/null 2>&1; then\n  dseditgroup -o create nixbld -q\nfi\n\ngid=$(dscl . -read /Groups/nixbld | awk '($1 == \"PrimaryGroupID:\") {print $2 }')\n\necho \"created nixbld group with gid $gid\"\n\nfor i in $(seq 1 10); do\n  user=/Users/nixbld$i\n  uid=\"$((30000 + i))\"\n  dscl . -create \"$user\"\n  dscl . -create \"$user\" RealName \"Nix build user $i\"\n  dscl . -create \"$user\" PrimaryGroupID \"$gid\"\n  dscl . -create \"$user\" UserShell /usr/bin/false\n  dscl . -create \"$user\" NFSHomeDirectory /var/empty\n  dscl . -create \"$user\" UniqueID \"$uid\"\n  dseditgroup -o edit -a \"nixbld$i\" -t user nixbld\n  echo \"created nixbld$i user with uid $uid\"\ndone\n\ncurl https://nixos.org/nix/install | sh\n\nmkdir -p /var/root/.ssh\ntouch /var/root/.ssh/authorized_keys\ngrep -v \"hydra-queue-runner@chef\" /var/root/.ssh/authorized_keys >/var/root/.ssh/authorized_keys.tmp || true\necho 'command=\"/nix/var/nix/profiles/default/bin/nix-store --serve --write\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyM48VC5fpjJssLI8uolFscP4/iEoMHfkPoT9R3iE3OEjadmwa1XCAiXUoa7HSshw79SgPKF2KbGBPEVCascdAcErZKGHeHUzxj7v3IsNjObouUOBbJfpN4DR7RQT28PZRsh3TvTWjWnA9vIrSY/BvAK1uezFRuObvatqAPMrw4c0DK+JuGuCNkKDGHLXNSxYBc5Pmr1oSU7/BDiHVjjyLIsAMIc20+q8SjWswKqL1mY193mN7FpUMBtZrd0Za9fMFRII9AofEIDTOayvOZM6+/1dwRWZXM6jhE6kaPPF++yromHvDPBnd6FfwODKLvSF9BkA3pO5CqrD8zs7ETmrV hydra-queue-runner@chef' >>/var/root/.ssh/authorized_keys.tmp\nmv /var/root/.ssh/authorized_keys.tmp /var/root/.ssh/authorized_keys\n\nservice_plist=/Library/LaunchDaemons/org.nixos.nix-daemon.plist\n\nln -sfn /nix/var/nix/profiles/default$service_plist $service_plist\nlaunchctl unload $service_plist || true\nlaunchctl load $service_plist\nlaunchctl start $service_plist\n"
  },
  {
    "path": "build/scripts/nix-mac-nuke.sh",
    "content": "#! /usr/bin/env bash\n\nservice_plist=/Library/LaunchDaemons/org.nixos.nix-daemon.plist\n\nlaunchctl stop $service_plist\nlaunchctl unload $service_plist\n\ndscl . -delete /Groups/nixbld\n\nfor i in $(seq 1 20); do\n  dscl . -delete \"/Users/nixbld$i\"\ndone\n\nsudo rm -f $service_plist\n\nsudo rm -rf /nix /etc/nix/nix.conf\n\nrm -f \"$HOME/.nix-channels\" \"$HOME/.nix-profile\"\nrm -rf \"$HOME/.nix-defexpr\"\n"
  },
  {
    "path": "build/secrets/alertmanager-oauth2-proxy-env.age",
    "content": "age-encryption.org/v1\n-> ssh-ed25519 s9hT2g WEFWAkfO/QbTyYHtjbtFU819qNNwdEbxj43CAyoCth8\nqoaEcEMG3pioLP8DYEV7am6ARmo/1Fi6859geefy0TQ\n-> ssh-ed25519 Gr9EaQ GQAGFJXSwPlg9lh9Uq+gX5dYyEhFGFOgzmT/Ix9vHww\n322Zi2PWOPB8UXq+cLNBPCPxnUV+MikURA1SN947pRI\n-> ssh-ed25519 3ENwVg YGdKuSB26eLhJivsqJ9yZCtzjDWKCHuf2Az63RgZQhM\nBggPA13/FpAAGzOryNoIYZL3S60FFK5pTuB0+eGCrIY\n-> ssh-rsa MuWD+w\nf81kBsXTgGYsDimMkOrZAJagzqiycmLSxiSYdV+gconCZKrOLIfa9npjbOP26zIf\noWez1vf1d1O/Kzk4XYQXTBpDdX2SBncQTtaBOAaNxG9YakieGbBCV5nypAioq7RF\nwYB9R4XseanmgBdXeMIQ54NWX9zsHZkPEIFCvKyTGGV+uvoiILQDreuBMY5EHB2B\no5aqzW8FW1urgRSw9bQnXixuO0QjcAFWyhqCO95P50vnugJFqj7txQpM1vrFjZ78\nWCRtHYT3QufvmN0VhiaCTjWQjr1RPptvVoy7M+Q5T29+tnr5gn0DZOSyXNEQmGAU\nkiWx6IV1G9l1Mzp4SMr2sQ\n-> ssh-ed25519 92bXiA BiUs0UMX4R3F2boMComJcLLKfR4nnHXwtakjnqPz10M\nbf9ePOMfN/WSlG0Ef3cgFtcNzTiovZRPKEBzJS+pFww\n-> ssh-ed25519 Y121Gw 32ZtEmLRbyOcjtAp7Phdlmb18wHs92+kST1qh1giETw\noxfQmuhtrLplP6jeCXlawzF6wU+EPmHBUei8DIIgXgI\n--- GXbCejJoEBQ71qdNg5Wbb8liJVscqX4fHBlfSdvpjkE\nZ\t{ ӝ`\u000b\f\u001c\u0006jg\u001c~H\u0007\u0010<oܞ]U÷\u001c^ayU\u001cam\u001aw\u0005\u00161|>T_ң\r\u0011/\u000b[~Ȉ\u000f=xkd\u0001=\u0006.\f\"\fE\u0013΢T<О~\u001b\u0019ah$ؽ\u001d0449'*$\fjhccҵ"
  },
  {
    "path": "build/secrets/eager-heisenberg-queue-runner-token.age",
    "content": "age-encryption.org/v1\n-> ssh-ed25519 cKT5Kw d2hBbAiEI7iLoP1c7WgXkJXnqfsy3GWPy23NZcHrb3A\ndIEVrctp2Ryu92cSBILUE+qeeLz0raQ1nTLGAPaZec4\n-> ssh-ed25519 NJQh8Q nThSL+PZmkUrXssS5YXqS1x4InMJMJKBma7/UpZcb3E\nWIVRniPt17W/GkOySUO/tFk0wlecxIMMZtcgV4caG0M\n-> ssh-ed25519 Gr9EaQ MTnHof1JOu4d5vObVatnKyhi20Da0K0v5TSyxhk7gwI\nYXIYyvGWR2cf6GJb7VL4aiu0gxKLyK1PyGhgw2vLJz8\n-> ssh-ed25519 3ENwVg rIi+Y4H0U+wkaO4zmIEbDd2Bd7tQnesw4yW+klqqQBM\nvd1c2lP+A5cyk2bfUoO09oPo49SnGzlXf95FrxuxRlA\n-> ssh-rsa MuWD+w\nmoxeHv57SfIBrPVMvLiWZhh1qJHIii5maadnQZl8JUqjSDFpnPX4hXNIvwrqBau7\nXn2X3tncgQ2Vp33757YembRDSOU7X06QASaRitxFrbHJu4iRIYwcyWoHbYn6jhPc\n9yK39sMNliHgZXDq2c0+DThV/PpvZd8yuVlP2oI5FqjlITjiFnTnJf+3c+uquc6v\nmxEwWUnrA8dSJD7RzcshW7swHu3FeC+MValEuiIQJaDlMUa211DhTGgtpSebuFrg\nNlx+ZqS2k8LO2qAFyCemoMRMwod7VsCqtid6PxdEuwd8O0v7wfVafu0z+LCGMZoy\nSxKlCaVvDQJSzkAcj7EHvA\n-> ssh-ed25519 92bXiA bH6FYqVLVNbMBleHCALYbv7nykoIHcvaWlIvQnbyNRg\njoPDIXaqdMccBWdXvsvV9/ZlOVbE6pmrOFQ+WgUno68\n-> ssh-ed25519 Y121Gw kWm5O/sfXSAYRFsFWgKgWR3dUSKo2OFN5I0npz2x+TI\nwfbOq5meojODlRi3RZ+uFNokSPYLZNndB9nhp31wMTo\n--- /EhbVaVRVAyPOjTpmhTcRSh3kuyT/KoEkedwitZpTNk\nT,hv\t`HA\u0003e\rG_ j<O7\u0003{둍ˣ\n4h\u0005\u001cH1n\tQ\u001fQHu[YײN)UeC\"7Q\u000f1^vj]\u0011z^l.\u001c\"u\u0015+9Q"
  },
  {
    "path": "build/secrets/fastly-exporter-env.age",
    "content": "age-encryption.org/v1\n-> ssh-ed25519 s9hT2g RO6Blf+MB32dW1vWtwpsdutfPRDhXp6qMh+9K5mP/yI\naojG0tr0pQ172/Sgrcm4ltdGJH5uCdW6hpgvFE/gDFE\n-> ssh-ed25519 Gr9EaQ ByRH47STTrDIIyt8d/EitsWGW2zHs3XWE44A3AJVZy4\nfhT87Y7e7J41Cfrvldh152mVTz9dD4PuaxN3S6OkXfc\n-> ssh-ed25519 3ENwVg Wk0Tt67znuSj137ODLVZ+jmYD+QZ06pnEia24XJau20\n1n5AUDJ7G4BrD4jZ/bFtmehX5wqd5nmaIluzVd+bGeY\n-> ssh-rsa MuWD+w\nswfRBQIzsOuJe0NW1fjEPTNbCNdDCj/tvajEZQexxZV2koyXzCZMZu6WkUE7EWIQ\n9dg3dN+SgIBDsBCimVwDLdlKCv07Y4EYVJcUKWQyGrCnyKD0fNL+H/b0NFvkln5d\nxpWShnL/zTEa/Bz/1ftzTcDV4B6g75HyIrfXnc5yNQPsk7w4u+tvUIZFiPsUkwj9\n2raYpVSZG07xPxDDujADlNLuVNhTCw2MxN/cUS4u7iN9cMilFwND0clRVjQl4APe\nWnzb5iZ73sMi4wg2Qf8+O//zxe9221krnpjhdkyR3k8Oxk4SPACSxuLKKXn5PVcD\nGi8C3sxSSTLzpwAqySR94g\n-> ssh-ed25519 92bXiA TXBDrIkPKkagHD7cvWsD0BkE8p0pJYIK5LaCCxDvzF0\ngpkhwY7kVYK23ALcahfAucaOP2Tf6UJ9QuFCxbWND3k\n-> ssh-ed25519 Y121Gw IMc36vETqcH985olPop763Y/SIPl0GdRDecUFlmqU1A\npWOPIMjlWkKFMxZAhnBNu5nmTn0YA3/pss3vcr2uEvU\n--- 0bm0YdyW2rphnkhcSz3jjdUe5eyELylNp4MhcSmAkdU\n`\fNL\u0004S^ǩBbܲf\u001aEV[\u0013oI/JZ_^bY\u0012Q5CDўQg~4_aهdկl'$\u0011"
  },
  {
    "path": "build/secrets/goofy-hopcroft-queue-runner-token.age",
    "content": "age-encryption.org/v1\n-> ssh-ed25519 cKT5Kw hA/K9EJyGfAbGbokosZGVEJqasHjE2bgr2EpEN4O/iQ\n7GaeyhJHezMSytl+75UzkiLvbxMpWSKoYb7aEH/D1qU\n-> ssh-ed25519 h7xPTg oBM3m/s0x5ue87LfgCOpyTfs0R0N4dmKwa7oW/R+nCQ\nHTxdFwkGtkCficUjMSe1bE95fv5gwMEvIlaNPb+LJvM\n-> ssh-ed25519 Gr9EaQ GdbCzg5bOJlVsTebVEE+y6StuiH1kZRG07D/bt1zuww\nEZqucrVkaX6ZTGJT0aiHmp4o9Z3IUIk82Df1Z2YkU5s\n-> ssh-ed25519 3ENwVg Ky1YIXGrt+UX5y745wePV1pulUHrr1yXzFRd+MHEITc\nBmWr551rvrtWl2PxD/+qYodybA0xA6Z/1Noza0te+Vo\n-> ssh-rsa MuWD+w\nRjaIoseiPazdSz75+ly66RqY0IhyQPBtltWLgGEYzhTkmzpnQNcUVpwgiPSzbt5X\ny7o+o+QPaHeds5suS42ZzUPahhLp1v5ehVaMXvsmqxkOZfODLxF3GGoFj4SG/YjJ\naDd+bagUql7HX0cZRp51LpnitzOxayd8qeUZg51mqFi8uWV1DBSYrFdcVHBNeGuQ\nAbdUl9tqFtYilqcBJhCJOsKsiUsrX2bC6ZP8A6Pmt3gl8UR8nJLhD5TwQH6FCxDO\niKbY21BwiKH8CJhQTNix6uwmTOwlX9mp8N6UNmqWuXB/3F4NmpyubnUvG9t0QGVl\nEsS5dlQ04JG/WrWDQpOR/w\n-> ssh-ed25519 92bXiA 7EaMly7GPo9fPETY606UO9in6bhbkQhgRxsO2u5Bgws\nIzeyNKnkYt8lwTk1TRxLooJJJmPFxIYZJAoDHm1Oqtg\n-> ssh-ed25519 Y121Gw 3tlRc4oDBLx1/Dn/KwnyUzg/odwMGLaFDksNB5RTqCk\nTJhtG/2/0PL7k84hQyAFEvLAFyZYP1W8erUpCANG7Mw\n--- mKpJ626SlxFTL7kt2BJOna043kiReyoMA8hl604J2hc\nH\u0016&\u0006=LG*t2I\u0006\u0016S\u0015_X(k(4NYtr\u001eJ^K0b&\u0015?#՜\u001eS\u0005=1\u0001j\u0016ɰVQިFxQFHg4o\u0001s\t\u0016͇l~\u0010tg;!%O"
  },
  {
    "path": "build/secrets/grafana-secret-key.age",
    "content": "age-encryption.org/v1\n-> ssh-ed25519 s9hT2g Q71aJ0AH5YJng/IVw8l5lch8zdGP3Z0QJUIQ+DqYF3w\nKI+qnX5ShsgtdtC78UHGwiKjAgWNwahfSJ/nwblBovk\n-> ssh-ed25519 Gr9EaQ idUvootpliMS7P2N80vhIirTOz7oJ0o3GscsMu5W4B8\nkOiVYBBJhQmtqDBzX1rmGG10tM/oTrwuL0K55VMxh8I\n-> ssh-ed25519 3ENwVg d5iQiKR/D0I83d7UznzTQGNRhviceQNGl9ecQyfGlw8\nw4MthT7i0KjUSfV9Jh9LuhzAU+hPtr4UGO32UUn3l8M\n-> ssh-rsa MuWD+w\nmbVZ1olug6y9Hlf2k/NTx3DA9VTlMj/Q0jU1YSjHWvSCr2kiaeeLCm2TebKAsop5\nCQc7MCTFJKz9bzitnvLGjl40OVrXKoJzvqJPG0AP6hFvsLVfs0zoX3dpHNDkRFsH\nsHtqi/6DikujtsSLgZNYTnaRfMJHdRIkT1UB13TWqA962593NYK3bvuGHyih12SQ\naLxAZ2MzeXflt3V6tYsY66V4RNHCxf8hK2SfZr2sD83JiW3xtRss2UZUyp7geMQY\nv8sxbBv8ONzp4FPL+w+/3pX4TO6NmO9rk7S0/xsyfIZAI7xkPKhfMcVgT9Qj/7f1\nQwzCHIg9Y+Dt1lh3D0TnGA\n-> ssh-ed25519 92bXiA 4oR9LMqITwM+xuuzobwJji2lP/gLjwRtJHUNEZLSEG4\nwUYMpR71mFY7wskPXAk/buUZBhY2IQAVAPL61iM411g\n-> ssh-ed25519 Y121Gw gbhbUYbMsatS1kaXvl3RkVHB+j+wt/9W+hxK43QiRAs\nerkaoQzmzKUFZ5avT07KgS+MojylmrxuggwjOJspMy4\n--- rFRS/RCB4dRgJfJBWktxivASq9KSonyLE3h/vfp1Zj0\n=AC9#_[T+I>NL>\u0012*1>0xh{;m\u0018מ\u0006\u0019S|\"5"
  },
  {
    "path": "build/secrets/hopeful-rivest-queue-runner-token.age",
    "content": "age-encryption.org/v1\n-> ssh-ed25519 cKT5Kw jz7oaOXlftKuXEIeFcFXacn0gcDuQhGkZRLmf0QTPXQ\nBr67PR4rBrZaKbP/X8X4vFkPq8L5IiNicvfXBvuaVdw\n-> ssh-ed25519 BaUP3w 8o3MNSWRhtrCgaqdQsBfmmg3LCAD9khNCXNlTAgegzE\nc137Ep8omrJBRcnqbRMwVB87CyB66u07qj5Xjor8hSY\n-> ssh-ed25519 Gr9EaQ tEa19teKlX3ZXJBOmBnOLU9GwnkDlfSdUzxaAMsY+3Y\ngWS3dYhg6psO0WNCD+s0kjqzapOnU4hQgWrcKh0iDbk\n-> ssh-ed25519 3ENwVg LiSqdv8ukjIjACQwk6203kkNotG+oRgGTkqsITRNjiU\njOnUs9E5Tcu9eEnR8WXW277LZ+tRNyqM4b3Hg8EGu/8\n-> ssh-rsa MuWD+w\nenx5oiARoCPhm1D/MIdgIh2kjZFx4rxszCmW0j7RaS0SXDPu79c1QENwgemQdvLY\nuwX6teB+LkkWdcA6AFqY2FclopBRZq15OQuMoztBjwGPUIlk8H8OHrusViDJuGNm\nzdWsL4htncmTUWaX31V1ZX/v+KFl2Zp5Mmpn8x4C21wm5d42SOd5VRnw/OlziJGX\ngUG2DqLpoKzXDG9SAsKfk417Akfb8RtlVza6/tb57hThi9EsORK+BnTsUt6r6H84\nNvTuqnOJJFOEWqeRz1UjLij/gI10LQvcxCzhXC/SqkG7FaMXQ92WAZ5hH7AePSEE\nI/OlAU2wPj+GmPFePPODSA\n-> ssh-ed25519 92bXiA nYLjnIjeF+TmJbVdCtdqK042xnYDpF4naM1u7up31SI\nyVhUbve1xiySx+dqRcWdJQOYB2TRGdALa0l4hu1UnbM\n-> ssh-ed25519 Y121Gw kxYp6X5VV1QRwo1HrTUCbdBHgKMjkI2AUnUnqGe3dCE\nRl2LfKLy9BQi47ktXCm+T7G6sbkBsuYaoxt5oTH2uPI\n--- X3Fr2TVxWyEW1hm8h7eKwGJHJg3BjywJddTp5OLolF4\n0v\u001aOsm̈IK'}\"΃S*\u0005߲|\u001bOE$xWn\u0017;3tp%\\XG4lBYymǮ \u0002>\u0006\u000b\u000ek\u0003+\u0012ݲ\u0002Rom)\u001f\u0017`"
  },
  {
    "path": "build/secrets/hydra-github-client-secret.age",
    "content": "age-encryption.org/v1\n-> ssh-ed25519 cKT5Kw krCNPgqeLrULZyGtFdc2VwmEVaKC7uaDabi7tv3dHVw\nOOEZQ4o4xqFs42TEYwNNWkOQbSvVkq8nGA38CIpgx+k\n-> ssh-ed25519 Gr9EaQ /ciOg7Beq8wMwMlVlj+8qUfFkALaGuz4jV2DtG2HLB8\nMU0x/eqLEtUlygWfiBu41bZcPWRWXH40DeLkfTxmgMo\n-> ssh-ed25519 3ENwVg HxpXlptq9Zp6AIRo0+poqbuFTHPRi/f/VGbL8ZO5fm8\nbt6tn4OrjXV+U6eDKuFEU8/dW5MkqOYqVdqkqVfCrG8\n-> ssh-rsa MuWD+w\nqyi9QPAHw/dr845IdEOnyw6yu2M0b7nbX3ZCnClemJlmfFx1077RE0CWNEDR7LDt\n0g8241mMIr85MYHDZuVPqH1W7ZTv/DFa39MJBhVCyC0Gl62Gz2ayO9d4flrQsvCv\nNnaVKJPo0uxuvLTUlcX19WWVrt6v23sDMlChleUFdRJy84lMR8ouhtfZV1ipTqXq\n4wZCsXgi1vV0F9oZ37KjV0irGECHNN9ehrrS943357+bJIlZMdVbsYLOXXiI8drr\nmGzOwUFLvD5VRHTWgEZJz15oeanknTjpxrIt1AAJki+esPsKFRkEJ7eL6epXMclb\n5iHW/MpgBXH0j8ARyg6/jw\n-> ssh-ed25519 92bXiA qLAjwconq/2yxJnG91YE9UvpLe69rniXVAwHQYJS52E\nX/W4+1RGYG6qCYGPiUl+yUmwwiNwt+zmhYHQ40d6C4k\n-> ssh-ed25519 Y121Gw J21DUBHP2EpQPpOdUqNZ+deh/3DLjyYgT310v+EZAW8\na8b8zJgf7DUW03hzGeW8dzvRq+Vl2RbmaG17muHoyDA\n--- hAdUvRfRfdfakQXgM/QMbdpTBj+3vX0d0atqQVS6m4c\n\u0015x\u0017G\u0019+BK\u001eE\u0003 5m\u0006sMD{3,X9-gCks\u0005r:en"
  },
  {
    "path": "build/secrets/hydra-mirror-aws-credentials.age",
    "content": "age-encryption.org/v1\n-> ssh-ed25519 s9hT2g 3oyWmMcrRcr1Evv9+Srx3z3OyKajSPpJiC3APOYE0RU\nRCC/gmOyy0JRkWIRhzK37xckWnpQYQ74HVAKsRJdL+Y\n-> ssh-ed25519 Gr9EaQ SW4eNlIrULIh+T/IywhzHe8A6wCxoHBSrg9LmC2yOWM\nDbTv2Es+wHfOU6ylHfGi33BnZW9IhtmqawLBax1JPqE\n-> ssh-ed25519 3ENwVg SKaButhSVmBUl8IA+yJk/z+An+/JV9oUQ/lAGEI/VXQ\n6df01m0908K4WtxWoQZTwaETdm0liOz7U+hj4774rBQ\n-> ssh-rsa MuWD+w\nPc51cz+ZOpJ+bakeYitE0Es/gFPjBGMhnACiT7O7shcT7vYSJPNRM8IpTpOxfbf3\nHjzPBNjUihVjGshQ1JFaXbwfmnvF0yIImSlJtWDteyGX2x1yzt+/oA3zjj1KDfku\nqdrhUSRnnobMrSuSaPE4DSnUddXbaMAY/kzzoxzU+nK9FusvJhCgmZ3XYhN+ew79\naQs+7YXEgTH5J72monWgeYQkj4baTY32xFwqj9qPdx5JjMvtR4cX9xkC7R14EyBd\nHJeCU87uiR3Ibc27COMso1YSp2u/quc7TKmjOHyYfyi7mYZU/JC2ccDsEr/HCE4m\nx00f74TPjV2UY/raslCgYQ\n-> ssh-ed25519 92bXiA 4PM+2XEb8unFUvJXgNqErFmUOToBgF/x5DvCCxWazGM\nxn8PfNfujIkDXtbaH0RVtyzOCPCbDig8hnUOgqfsNGI\n-> ssh-ed25519 Y121Gw faO3WbLjVR26NrVIJfGO5eSrT5DI6fdTYyxPWxD+DDI\ne+WqhJj8EhpXU8nxfB4dDeZZqxvmR/xNfKXj4oT5U7s\n--- CJHN+xb4JfmgPyfZ5QoCGQTo2m6jqIqF4EW88S55Ymg\nj]}H܈vix\u001b:s{3r\u001bC#qeaW\\ȘFV0:hs+t\u0011$ÈsPr\\Ы]6\u001bQ2Nka؎\u0005M\r,xN1/;O\u0019`2lo\u0014sѹg&\u0011\u001c\u0014`\f&"
  },
  {
    "path": "build/secrets/hydra-mirror-git-credentials.age",
    "content": "age-encryption.org/v1\n-> ssh-ed25519 s9hT2g To6KM19p0hgH9n8iTV5uO0DU0lK94NWPiDV9UkUwwFc\nZc1aT0dmu/6zIYmBgpQjENZpmb5Ob4E8pZRO5zfXSvs\n-> ssh-ed25519 Gr9EaQ y2ta9yM3VvELEsvJgza8a/czoSb+kW/OX0QnxCr0PCQ\nTNgRqt/szVwTGF+vtCUYq2O9DhN0IhRFaqWAvuvDBRk\n-> ssh-ed25519 3ENwVg TtMilL9woCv5knN7L0ruW5KWZb+8M0OE9Q4wBKBwhW8\nBUQ5wxtj/GF3WzuP5W5sajrXUnyeenrAJa7uV2usjck\n-> ssh-rsa MuWD+w\no1dNC3qH2lvVqLOoEBgRJKcAqyqBYwvFsRAskmembVl9ho1+pEk+iTKaUYXOdA0f\nond7059ehqw7aiJofw0PCtch3IRZnOTMW4MW/aDHrW0iFJKmjsS6ZQ1nrp37awtW\nYb5HTjstJnKR01KgeHGaZVpTN2GCpiLWYAWf5Fg2HGmhhR5dxz0xI4TmnW7PtXiD\nhB0Y2m6TUzcTA/Sx0sdEefyBygsCnFXSf7y2/8L611ImGqW09XKAdYbkdvT95d+y\nX2fxeiNbJcZxKFH1wlq82WJ03o9UILalZrECYewIUzFqZ55DAjYgJ9F6bPpHeM51\nFa2JZHeeQY7RJ5MghTfQkg\n-> ssh-ed25519 92bXiA JRqguU0+6uD8V3LsQ8DzcTJPjlA2mJv5afERNX9delc\n8iVz80N/aWNpAhfXvM5UTqqVuPsp00Tai/+Vr9Pyx80\n-> ssh-ed25519 Y121Gw IBQ8+sLYJDXFkhFTl8XCT97jAKAt0c4urBWw4z52emg\ngT3Ur4zB7J0NJKHpJg5ws3WmCJbfnIrgEd2X4aldUSo\n--- NoDwDLL8cK2qb+gi5warllNIzCIu2Linyd+WEMoSx+4\n%ezo\u001b\u0004h[\u0006\u0003\u001dO(8\r\u001b\u0003\u000b\u0018/[ݑQx\u001aX.w\u0014]\u001aTO9\u0006j]eS,-xԭ`=\"|Kɰ\u0019w\n\u0006`2CKA5S\u000e"
  },
  {
    "path": "build/secrets/kind-lumiere-queue-runner-token.age",
    "content": "age-encryption.org/v1\n-> ssh-ed25519 cKT5Kw 8g2rqFnJ23pFpD4PniCDMPiueSroGH2yShkpHtPvZDc\nZyYcqRHGP4H4ElRs3rNAOzJ7In3MnVT8/2NcLHga8Ho\n-> ssh-ed25519 jPdm4A k+8PUnPBFILqbb0Ikf2DMJEYVsLPwDtjYgQ6dVyNenc\ne1mhAEQhzVsnznBJRsMEp3gYOO00Gmf4BCvHsXpFELU\n-> ssh-ed25519 Gr9EaQ P0yT0M8e8ihKqossmqnIJc6074NXZ8KJmVL03BN7eV0\nGHWdPlIDCMFf7Pca4GXfRnhZ2NJAmM0doPsMThY+iVQ\n-> ssh-ed25519 3ENwVg UzvZZ0rFG3KaPQ6G6Oq4U/EQ3RRmPxyo6xF0tgadDDs\nvPUm8mpqVeiBGpxGUTnYACn7tOQDcuFP3E2gWLToyXY\n-> ssh-rsa MuWD+w\nqSOhRpEjjuMyt+nRRC8Yd1fInXTReZqLCp6GZoRnYbO69a1AIQwU1HU5CtAHbVFe\n8dIerlh4deN/T6wW3EvxM5hAA5co7kV68t3fgHGyQBdVGJvPuQRWaduSv21O/wbv\nepmGODM9YwFfnPMDHXqTzt+NYEJIJoUVpH1YTTfeZDyoRza2gJ5hoSPFXtomVHL4\nlO1+wcldYuELgY8bCeZpFP0kPmK7STYTa7LZxEF/yjqM2ZXhS6qOTV2+yRZhSKEy\nRizOnW0ePWrCSIVvxIr4+sGlKW5cwAqeatxiPZz7/3RFSxHBG9RC/ZZEmaZUF9Er\ncjILgCnk3lZJDnmpU6/+JA\n-> ssh-ed25519 92bXiA 4jz8lFxCSjJBJKWZTtxYruYiuQuJytQ8utDYZccQwFY\nzdLlneAU2P7zjDCC6tWVjySgJctB4Y5VXwEkvzqjhoU\n-> ssh-ed25519 Y121Gw Bhy7yX2r7RWBeS/K0bMVwXbvzYVAW88pzOHVtTKKIVQ\nQ9wuHdoI4SRXmjSA7iUUljjcO6dzPublR79rvPSlTlg\n--- 2DnKmT2R9XL5DR6z7+amRi5Y/8GphgkifpngTogcU/A\n\u0018,nݔ\"%\u0019bKDʃWv\u0001\u0002\u00146#K4(Jf*|N\u0012(\b\u0006\u001b\u0017:gY}ZuR1\u0018.\u0003EtPkM\n\u0018;k詜s\u000f滁c\u0003~\u0006|ȶ"
  },
  {
    "path": "build/secrets/norwegian-blue-queue-runner-token.age",
    "content": "age-encryption.org/v1\n-> ssh-ed25519 cKT5Kw aMrFTLVt8LAofBa0xq3o4EjsxQjRAPtHm13zmSM+6VA\natGjWVSAl8O9I44eY3BO+QeQ6EDuAEsEBto5matic8s\n-> ssh-ed25519 SZ+mDA VmAYOI/l96zfrGL7UwFB1qVJGTGVGjqmjP4z2+0rIjI\nRKvi/BBAgHkq9Xvqr/sjCBaTFUg4nOTLpQOGejO2ZAU\n-> ssh-ed25519 Gr9EaQ +zszHiPND5T8ORnDZ/tLsOH5F/dtf5/sFMxi/fB4xj4\nkaiFkF95SpTTR8eIpuxnktNMBrIokcExYn4Um7AtG9s\n-> ssh-ed25519 3ENwVg 9CMlmCc3jammJrza2M22LNzzeASMk+nqH9muX9xkMQc\n0J5BDTOKo3HRWNdhVQdv2gzZNrPoqm4bX3zEm05Cwkc\n-> ssh-rsa MuWD+w\nbhIUyi/2y8zeWwYKJsBwqsG5JnPZ12aY9IuLkflKSLpJchAChTujKELFiCuzlGN4\nfvlbqa7mXadzs3pkjnYSz9MjGg/DyFjRsKXfc+jRD+QztNfodFQwJaKn8+9wG0v1\n+TmoQ0K5ecSkmzPvS/Ze3itLG2QfZQEIutND7I461ZJK24f4ORt3tANA4F0+INx9\ntVnBMimjp3fb7TI6i7cvUmOytNaoOiipnd0j4caPPkqa9fJ3m9aeeZ58uSkmzo7i\nXejZWHsE+LACMLk/hXS/h7JZQzPQGGqviATOp6a9s59Oq6eqT8V2CgjEwHIAITVp\nvWpuvsxCsxJQkZg4PjLJvA\n-> ssh-ed25519 92bXiA XKApXxi8qr82rvTIPYPbZ/ZFj3sadY7eAbN0DKxvLhM\nSw8RRumPRL3AaNcTAd7qJnDqxea9h7wMOEubpfU1wx4\n-> ssh-ed25519 Y121Gw bbz5648ZBs2l9WmnP6spocyLNGLx7EvRizuLCH7P4RU\nU0/KXGwVE7aUHeWcE+OANVTTfvQ8jVRqfKOzWCww5m0\n--- Cd10Opop86bxKKJPSCO9yYSY6oAghX0dllm+efexPCA\nr)P-i\fd|wMRs\"GXJ=\u001fVV9;uQmQMeyTL\u0018J`5\u0017&\u001djhW\u0002xgX\u0005w(F\u0007\t\u0011\n-;&j¬8=\u001cB\u001e"
  },
  {
    "path": "build/secrets/owncast-admin-password.age",
    "content": "age-encryption.org/v1\n-> ssh-ed25519 s9hT2g M/D2oe8ocLzBBe0VTEO6UZ0gZb+dL13/rfZ38N1KH1I\n1KmR71+57D0aBRlU7ZvPz6Prg3mNrYc7myq7JRdQQH8\n-> ssh-ed25519 Gr9EaQ iOVXjyLAa/RSGBefsQismPkx53f9OGU1qMzO2rrqhhQ\n8I6aGwAs7AFC/GWW7S+lv7vGyJW8T7Icv1bfHBtNdmE\n-> ssh-ed25519 3ENwVg 5rP46xlqZkRF7u37BxB5PG5utkRHmfpYFxYiCA++xBY\nK0/s0hGBIr88ZHocBrHrEuEUEefAnqH4Fe8dMlCcOHM\n-> ssh-rsa MuWD+w\nBeO4rjxRzb54rbpEglPIkhluPp2wRBKxL97Ta4utvUnG44IXRnWt6tuj016qVTXZ\nZ8OzrDVTwusXJZxmOehsgF/rogFAj1Ju+bf9s4fojv1nC8ITnsXLMQjzA0X/VcTA\nDgVWw8+Elrt7sJGiL3C9ws9ATt/suPSdkL+aNhOvJXRwb9NfQUn+XowvJRg1VnzS\nAQx9tTyGVB5GcI4LnxHnyqPj+6ZD/F9XqbHijTMrx60GqRlqeEu9JiUa0YtWnBgX\nFcIrvoRQ6b7G5QDivbqCQ4VuJDrSd7xqKddQVea1KglrQHQdY3KFNUHVlEs1n49z\nNia8ty+qWIwAEfwyt6c0Tw\n-> ssh-ed25519 92bXiA F7v+xOHVTL3wZ5KUHW+nAyrl93/awx5TXv4izicA0BM\nOD2ivZ1FQ696Wh+odAA4xiJElXEhqsgBok7AJ3ny10Y\n-> ssh-ed25519 Y121Gw YUG5YErjueT2gqqX1x34b6U35uhbdKZWgcTALMXTRXY\n0F9uoegrWXP3lzjRk3eJCtu/OGZO/QqafpVPYitUM2k\n--- M3nGs3hV2JaDDtPyuNeKpyh/OdpZAk/q39OTk8n9m7g\nJ\u0018!{-FF/\"TK\u0011#\u001dׅGGN|\u0010ZU\b DQ1d1Ԟş\u0015"
  },
  {
    "path": "build/secrets/pluto-backup-secret.age",
    "content": "age-encryption.org/v1\n-> ssh-ed25519 s9hT2g reYMr+USW2vh77665Ga/KtPbeu5OrdgrKgI4sYo8plo\n4eBoVfWTjRe4w6Vdl6OAXKJr7kaSJqVVm9se0rL7IEA\n-> ssh-ed25519 Gr9EaQ lNX/PDcE3MXI0q/o7tnA9AlloF6uncD51FYTqdZP3j4\notONyo6e5INW12x1Al5WqnTwfihRGL6dxdrH1/HYbe8\n-> ssh-ed25519 3ENwVg 2ZHD8vTCA+FPMRO1kSvUo937f9thS8IeTApGltFhjkQ\nbEN1eLyrqMtY0KuZ3IkRdIJzvX0t4bb73XzlDcuAgII\n-> ssh-rsa MuWD+w\nFPAZH3iUoF7It9uGw1DHksmbsYZcRqvZqGcjbnJLP/JiHmriUSyELQl7bH4n1+6H\nGWhqBiqNKPWJoCq0y3vXaCzN9iFXwGCVaAyNZk3+ox/Q0dBietO0ux4MzajAWl8b\nmr/UR3Mk2ybGkIBIfh1Wko8cdA+tWyCsl0CdSyqI2JY523xf/pOwcE0YLQ2kGhQc\nifu+AmIKqXbZiqhS0yj3+BM9rgJ5gVxZMKAp/CjpIBpEu/fmK64mRryAVsL0EEBF\nO2CwBsqyFyJvcW3yTBdHxfKhorZrMrGO18d7CGFHGswU/AXi/UxyzrkfpjVgFUfm\nb2qeI10f8PZAibqHYcQJBQ\n-> ssh-ed25519 92bXiA sXYrwOcZlNpPoGELwRTsjfSNldPr6CVtv9VcYK1flGY\naMhNq6L5M70bUFR/o+7M/KcQyv9/BfVkxgzvU/fD5gk\n-> ssh-ed25519 Y121Gw sGVkfMeghciO9g840KPsVsohEkEgC1Rb8mnQI0QZe2Y\nuDzza0+uGQRMzTiUkYz9n6Jyt18i7TTHWBrX0p8vHAQ\n--- rXFfiiTQ+BEa3Hvs0BTWxI+b1wPBwyTgWeq24QeqXVw\n)c\u0012aEuDW[c(8-_1\u0015n\u000fJ{6+\u001a\u001dK\u0013\u0011ߤmUf5M~C\u001f\u0013\u001biB2Y\u0017s΀hg#z\u0016?"
  },
  {
    "path": "build/secrets/sleepy-brown-queue-runner-token.age",
    "content": "age-encryption.org/v1\n-> ssh-ed25519 cKT5Kw r8aZ+OCr9AE4h0zattrGpFPwBcnb28/Mj7vNC5EEHDE\nSaN75cMS6o0bcuIzeKF8siNu0P7rvJN4DLnL0R07t3M\n-> ssh-ed25519 le38mA 0syXJIHthuMy1Y6LbrfQX1QcADyJMOfmFbwzf3cQlHM\nX9HHBlfYBG64Awu+TZaA463Om18A7kSu7pMYwIDkehk\n-> ssh-ed25519 Gr9EaQ Wqex4/CIJTL+sm5GAlb0Du8mIjDz3QmvO7veYAQ+nmo\no//67CmR5wPgSzLuF4exx4mW+FstyQunBqeDgs9HUk8\n-> ssh-ed25519 3ENwVg 5XF6k6rMk59p53Hw6nSak8iajZ7XzLJ5jOQ7aPwkdng\n+YUOjq/VopumkLhVshF4GdzkjqO1aNMrfkx3TZaPtaA\n-> ssh-rsa MuWD+w\ngsSEjSCIFzKTsOXvJay3Ij9OpefMoAGL7AjXW1mQ4TvCVWO5M7gqYLrlgANKwMGK\nsm9tpNtncFn7hC7G3YWBOU/InMIQ/qlgL5jhRBhZpou/DKMtDA+IDVZJYvSQMcT1\n9467zxSpFtnjrmzW/6cnX3jjLlTRCc4AupoS1pMIeJ2gwZBNiCklS+QGPQTQiG/O\noF1nA0h/08pCbrLHIwilhFmekDzg99EesiZ3Hbqc7+kz8kbaIV9iUqFsRvV1Dwzm\nK6wIQXf5nhcCkt/SAFSS/ZwwHOr19B0OR3t6L4dYMa+bl/LxW0yXYzvMo4rp07Mn\noXFd+BuBEwzHI1x8wrTmUQ\n-> ssh-ed25519 92bXiA +t2D5pUYWeTRPTT7vrNYZirRUWKQO0gw5RB3o+CV0yk\nb5DsQ3FUMO14U7NB7H4G9ngpw5gfPTrYXIKa7yy5Wq4\n-> ssh-ed25519 Y121Gw X0D49VhFJ2kZqJATUmuKhJfQ6TIAZCkWDl2u6dqnQSk\nO0JtjZWXrS/NY/FXYB14kM3MpuoAaTd2Bf1oWw7REc4\n--- a+IPhlc1ru44iR5eHXGVe0X2fqgcSj03Lk1lyB3sZZg\n*]HHX![(+F;\u00188\u000bi\u001aO\u0004U&J'\u001267=\u001aIa\u00191S6\n.ep!4duL*DWG<bG~`ޣڭ˃D]c\u0016m|#\\\u0011Ym\u000b;\u0017"
  },
  {
    "path": "build/secrets.nix",
    "content": "let\n  keys = import ../ssh-keys.nix;\n\n  secrets = with keys; {\n    alertmanager-matrix-forwarder = [ machines.pluto ];\n    alertmanager-oauth2-proxy-env = [ machines.pluto ];\n    fastly-exporter-env = [ machines.pluto ];\n    grafana-secret-key = [ machines.pluto ];\n    hydra-aws-credentials = [ machines.mimas ];\n    hydra-github-client-secret = [ machines.mimas ];\n    hydra-mirror-aws-credentials = [ machines.pluto ];\n    hydra-mirror-git-credentials = [ machines.pluto ];\n    owncast-admin-password = [ machines.pluto ];\n    pluto-backup-secret = [ machines.pluto ];\n    pluto-backup-ssh-key = [ machines.pluto ];\n    rfc39-credentials = [ machines.pluto ];\n    rfc39-github = [ machines.pluto ];\n    rfc39-record-push = [ machines.pluto ];\n    storagebox-exporter-token = [ machines.pluto ];\n    tarball-mirror-aws-credentials = [ machines.pluto ];\n    zrepl-ssh-key = [ machines.titan ];\n\n    # builders/\n    elated-minsky-queue-runner-token = with machines; [\n      mimas\n      elated-minsky\n    ];\n    goofy-hopcroft-queue-runner-token = with machines; [\n      mimas\n      goofy-hopcroft\n    ];\n    hopeful-rivest-queue-runner-token = with machines; [\n      mimas\n      hopeful-rivest\n    ];\n    sleepy-brown-queue-runner-token = with machines; [\n      mimas\n      sleepy-brown\n    ];\n\n    # macs/\n    eager-heisenberg-queue-runner-token = with machines; [\n      mimas\n      eager-heisenberg\n    ];\n    enormous-catfish-queue-runner-token = with machines; [\n      mimas\n      enormous-catfish\n    ];\n    growing-jennet-queue-runner-token = with machines; [\n      mimas\n      growing-jennet\n    ];\n    intense-heron-queue-runner-token = with machines; [\n      mimas\n      intense-heron\n    ];\n    kind-lumiere-queue-runner-token = with machines; [\n      mimas\n      kind-lumiere\n    ];\n    maximum-snail-queue-runner-token = with machines; [\n      mimas\n      maximum-snail\n    ];\n    
norwegian-blue-queue-runner-token = with machines; [\n      mimas\n      norwegian-blue\n    ];\n    sweeping-filly-queue-runner-token = with machines; [\n      mimas\n      sweeping-filly\n    ];\n  };\nin\nbuiltins.listToAttrs (\n  map (secretName: {\n    name = \"secrets/${secretName}.age\";\n    value.publicKeys = secrets.\"${secretName}\" ++ keys.infra-core;\n  }) (builtins.attrNames secrets)\n)\n"
  },
  {
    "path": "build/titan/boot.nix",
    "content": "{\n  boot = {\n    initrd.availableKernelModules = [\n      \"ahci\"\n      \"xhci_pci\"\n      \"nvme\"\n      \"usbhid\"\n    ];\n    kernelModules = [ \"kvm-amd\" ];\n    supportedFilesystems.zfs = true;\n    loader = {\n      efi.canTouchEfiVariables = false;\n      grub = {\n        enable = true;\n        efiSupport = true;\n        efiInstallAsRemovable = true;\n        mirroredBoots = [\n          {\n            devices = [ \"nodev\" ];\n            path = \"/efi/a\";\n          }\n          {\n            devices = [ \"nodev\" ];\n            path = \"/efi/b\";\n          }\n        ];\n      };\n    };\n  };\n}\n"
  },
  {
    "path": "build/titan/default.nix",
    "content": "{\n  imports = [\n    ../common.nix\n    ./boot.nix\n    ./network.nix\n    ./postgresql.nix\n    ./zrepl.nix\n  ];\n\n  disko.devices = import ./disko.nix;\n\n  networking = {\n    hostId = \"e1ce6466\";\n    hostName = \"titan\";\n    domain = \"nixos.org\";\n  };\n\n  services.zfs.autoScrub.enable = true;\n\n  system.stateVersion = \"25.11\";\n}\n"
  },
  {
    "path": "build/titan/disko.nix",
    "content": "let\n  layout = id: {\n    type = \"gpt\";\n    partitions = {\n      esp = {\n        type = \"EF00\";\n        size = \"1G\";\n        content = {\n          type = \"filesystem\";\n          format = \"vfat\";\n          mountpoint = \"/efi/${id}\";\n        };\n      };\n      zfs = {\n        size = \"100%\";\n        content = {\n          type = \"zfs\";\n          pool = \"zroot\";\n        };\n      };\n    };\n  };\nin\n{\n  disk = {\n    nvme0n1 = {\n      type = \"disk\";\n      device = \"/dev/disk/by-id/nvme-MTFDKCC1T9TGP-1BK1DABYY_0925109FB623\";\n      content = layout \"a\";\n    };\n    nvme1n1 = {\n      type = \"disk\";\n      device = \"/dev/disk/by-id/nvme-MTFDKCC1T9TGP-1BK1DABYY_0925109FB922\";\n      content = layout \"b\";\n    };\n  };\n\n  zpool.zroot = {\n    type = \"zpool\";\n    mode = \"mirror\";\n    options.ashift = \"12\";\n\n    rootFsOptions = {\n      acltype = \"posixacl\";\n      atime = \"off\";\n      compression = \"zstd-3\";\n      mountpoint = \"none\";\n      xattr = \"sa\";\n    };\n\n    datasets = {\n      \"root\" = {\n        type = \"zfs_fs\";\n        mountpoint = \"/\";\n      };\n      \"nix\" = {\n        type = \"zfs_fs\";\n        mountpoint = \"/nix\";\n      };\n      \"pg\" = {\n        type = \"zfs_fs\";\n        mountpoint = \"/var/lib/postgresql\";\n        options = {\n          logbias = \"latency\";\n          recordsize = \"16K\";\n          redundant_metadata = \"most\";\n        };\n      };\n      \"reserved\" = {\n        type = \"zfs_fs\";\n        options = {\n          canmount = \"off\";\n          refreservation = \"16G\"; # roughly one system closure\n        };\n      };\n    };\n  };\n}\n"
  },
  {
    "path": "build/titan/network.nix",
    "content": "{\n  systemd.network = {\n    enable = true;\n    netdevs = {\n      \"20-vlan4000\" = {\n        netdevConfig = {\n          Kind = \"vlan\";\n          Name = \"vlan4000\";\n        };\n        vlanConfig.Id = 4000;\n      };\n    };\n    networks = {\n      \"30-enp35s0\" = {\n        matchConfig = {\n          MACAddress = \"9c:6b:00:1f:aa:fd\";\n          Type = \"ether\";\n        };\n        address = [\n          \"159.69.62.224/26\"\n          \"2a01:4f8:231:e53::1/64\"\n        ];\n        routes = [\n          { Gateway = \"159.69.62.193\"; }\n          { Gateway = \"fe80::1\"; }\n        ];\n        vlan = [\n          \"vlan4000\"\n        ];\n        networkConfig.Description = \"WAN\";\n        linkConfig.RequiredForOnline = true;\n      };\n      \"30-vlan4000\" = {\n        matchConfig.Name = \"vlan4000\";\n        networkConfig = {\n          DHCP = false;\n          IPv6AcceptRA = false;\n        };\n        linkConfig = {\n          MTUBytes = \"1400\";\n          RequiredForOnline = \"routable\";\n        };\n        address = [\n          \"10.0.40.3/31\"\n        ];\n      };\n    };\n  };\n}\n"
  },
  {
    "path": "build/titan/postgresql.nix",
    "content": "{\n  config,\n  lib,\n  pkgs,\n  ...\n}:\n\n{\n  services.prometheus.exporters.postgres = {\n    enable = true;\n    dataSourceName = \"user=root database=hydra host=/run/postgresql sslmode=disable\";\n    openFirewall = true;\n    firewallRules = ''\n      ip6 saddr $prometheus_inet6 tcp dport ${toString config.services.prometheus.exporters.postgres.port} accept\n      ip saddr $prometheus_inet4 tcp dport ${toString config.services.prometheus.exporters.postgres.port} accept\n    '';\n  };\n\n  networking.firewall.interfaces.\"vlan4000\".allowedTCPPorts = [ 5432 ];\n\n  systemd.services.postgresql = {\n    wants = [ \"network-online.target\" ];\n    after = [ \"network-online.target\" ];\n  };\n\n  services.postgresql = {\n    enable = true;\n    enableJIT = true;\n    package = pkgs.postgresql_18;\n    # https://pgtune.leopard.in.ua/#/\n    settings = {\n      listen_addresses = lib.mkForce \"10.0.40.3\";\n\n      # https://vadosware.io/post/everything-ive-seen-on-optimizing-postgres-on-zfs-on-linux/#zfs-related-tunables-on-the-postgres-side\n      full_page_writes = \"off\";\n\n      wal_init_zero = \"off\";\n      wal_recycle = \"off\";\n\n      checkpoint_completion_target = \"0.9\";\n      default_statistics_target = 100;\n\n      log_duration = \"off\";\n      log_statement = \"none\";\n\n      # pgbadger-compatible logging\n      log_transaction_sample_rate = 0.01;\n      log_min_duration_statement = 5000;\n      log_checkpoints = \"on\";\n      log_connections = \"on\";\n      log_disconnections = \"on\";\n      log_lock_waits = \"on\";\n      log_temp_files = 0;\n      log_autovacuum_min_duration = 0;\n      log_line_prefix = \"user=%u,db=%d,app=%a,client=%h \";\n\n      max_connections = 500;\n      work_mem = \"20MB\";\n      maintenance_work_mem = \"2GB\";\n\n      # 25% of memory\n      shared_buffers = \"32GB\";\n\n      # Checkpoint every 1GB. 
(default)\n      # increased after seeing many warnings about frequent checkpoints\n      min_wal_size = \"1GB\";\n      max_wal_size = \"4GB\";\n      wal_buffers = \"16MB\";\n\n      max_worker_processes = 32;\n      max_parallel_workers_per_gather = 4;\n      max_parallel_workers = 32;\n\n      # NVMe related performance tuning\n      effective_io_concurrency = 200;\n      random_page_cost = \"1.1\";\n\n      # We can risk losing some transactions.\n      synchronous_commit = \"off\";\n\n      effective_cache_size = \"64GB\";\n\n      # try to allocate huge pages, if possible\n      huge_pages = \"try\";\n\n      # Enable JIT compilation if possible.\n      jit = \"on\";\n\n      # autovacuum and autoanalyze much more frequently:\n      # at these values vacuum should run approximately\n      # every 2 mass rebuilds, or a couple times a day\n      # on the builds table. Some of those queries really\n      # benefit from frequent vacuums, so this should\n      # help. In particular, I'm thinking the jobsets\n      # pages.\n      autovacuum_vacuum_scale_factor = 0.02;\n      autovacuum_analyze_scale_factor = 0.01;\n\n      shared_preload_libraries = \"pg_stat_statements\";\n      compute_query_id = \"on\";\n    };\n\n    # FIXME: don't use 'trust'; it accepts any connection from 10.0.40.2 to the\n    # hydra database as any role without credentials.\n    authentication = ''\n      host hydra all 10.0.40.2/32 trust\n      local all root peer map=prometheus\n    '';\n\n    identMap = ''\n      prometheus root root\n      prometheus postgres-exporter root\n    '';\n  };\n}\n"
  },
  {
    "path": "build/titan/zrepl.nix",
    "content": "{\n  config,\n  lib,\n  ...\n}:\n\nlet\n  metricsPort = 9811;\nin\n{\n  age.secrets.\"zrepl-ssh-key\" = {\n    file = ../secrets/zrepl-ssh-key.age;\n    mode = \"0400\";\n  };\n\n  programs.ssh = {\n    knownHosts = {\n      rsync-net = {\n        hostNames = [\n          \"zh4461b.rsync.net\"\n          \"2001:1620:2019::336\"\n        ];\n        publicKey = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILtF46LwRn+hC9vuw0vedXBKGNPMSIqrXdxl+EQOI/8J\";\n      };\n    };\n  };\n\n  services.zrepl =\n    let\n      defaultBackupJob = {\n        type = \"push\";\n        filesystems.\"zroot/pg<\" = true;\n        snapshotting = {\n          type = \"periodic\";\n          interval = \"30m\";\n          prefix = \"zrepl_snap_\";\n          hooks = [\n            {\n              # https://zrepl.github.io/configuration/snapshotting.html#postgres-checkpoint-hook\n              type = \"postgres-checkpoint\";\n              dsn = \"host=/run/postgresql dbname=hydra user=root sslmode=disable\";\n              filesystems.\"zroot/pg\" = true;\n            }\n          ];\n        };\n\n        # The current pruning setup is an exponentially growing scheme, at both sides.\n        pruning = {\n          keep_sender = [\n            { type = \"not_replicated\"; }\n            {\n              type = \"grid\";\n              regex = \"^zrepl_snap_.*\";\n              grid = lib.concatStringsSep \" | \" [\n                \"1x1h(keep=all)\"\n                \"1x1h\"\n                \"1x2h\"\n                \"1x4h\"\n                # \"grid\" acts weird if an interval isn't a whole-number multiple\n                # of the previous one, so we jump from 8h to 24h\n                \"2x8h\"\n                \"1x1d\"\n                \"1x2d\"\n                \"1x4d\"\n                \"1x8d\"\n                # At this point we keep ~10 snapshots spanning 8--16 days (depends on moment),\n                # with exponentially increasing spacing (almost).\n              
];\n            }\n          ];\n          keep_receiver = [\n            {\n              type = \"grid\";\n              regex = \"^zrepl_snap_.*\";\n              grid = lib.concatStringsSep \" | \" [\n                \"2x1h(keep=all)\"\n                \"2x1h\"\n                \"2x2h\"\n                \"2x4h\"\n                \"4x8h\"\n                # At this point the grid spans 2 days by ~13 snapshots.\n                # (See note above about 8h -> 24h.)\n                \"2x1d\"\n                \"2x2d\"\n                \"2x4d\"\n                \"2x8d\"\n                \"2x16d\"\n                \"2x32d\"\n                \"2x64d\"\n                \"2x128d\"\n                # At this point we keep ~29 snapshots spanning 384--512 days (depends on moment),\n                # with exponentially increasing spacing (almost).\n              ];\n            }\n          ];\n        };\n      };\n    in\n    {\n      enable = true;\n      settings = {\n        global = {\n          logging = [\n            {\n              type = \"syslog\";\n              level = \"info\";\n              format = \"human\";\n            }\n          ];\n\n          # https://zrepl.github.io/configuration/monitoring.html\n          monitoring = [\n            {\n              type = \"prometheus\";\n              listen = \":${toString metricsPort}\";\n            }\n          ];\n        };\n\n        jobs = [\n          # Covers 20240629+\n          (\n            defaultBackupJob\n            // {\n              name = \"rsyncnet\";\n              connect = {\n                identity_file = config.age.secrets.\"zrepl-ssh-key\".path;\n                type = \"ssh+stdinserver\";\n                host = \"zh4461b.rsync.net\";\n                user = \"root\";\n                port = 22;\n              };\n            }\n          )\n          /*\n            rsync.net provides a VM with FreeBSD\n            - almost nothing is preserved on upgrades except this \"data1\" 
zpool\n             $ scp ./zrepl.yml root@zh4461b.rsync.net:/usr/local/etc/zrepl/zrepl.yml\n             # pkg install zrepl\n             # service zrepl enable\n             # service zrepl start\n          */\n        ];\n      };\n    };\n\n  networking.firewall.extraInputRules = ''\n    ip6 saddr $prometheus_inet6 tcp dport ${toString metricsPort} accept\n    ip saddr $prometheus_inet4 tcp dport ${toString metricsPort} accept\n  '';\n}\n"
  },
  {
    "path": "build/titan/zrepl.yml",
    "content": "# root@zh4461b.rsync.net:/usr/local/etc/zrepl/zrepl.yml\n# zrepl main configuration file.\n# For documentation, refer to https://zrepl.github.io/\n#\nglobal:\n  logging:\n    - type: \"stdout\"\n      level: \"error\"\n      format: \"human\"\n    - type: \"syslog\"\n      level: \"info\"\n      format: \"logfmt\"\n\n# mostly from https://blog.lenny.ninja/zrepl-on-rsync-net.html\njobs:\n  - name: sink\n    type: sink\n    serve:\n      type: stdinserver\n      client_identities: [titan]\n    recv:\n      placeholder:\n        encryption: off\n    root_fs: \"data1\"\n"
  },
  {
    "path": "builders/boot/efi-grub.nix",
    "content": "{\n  boot.loader = {\n    efi.canTouchEfiVariables = false;\n    grub = {\n      enable = true;\n      configurationLimit = 5;\n      efiSupport = true;\n      efiInstallAsRemovable = true;\n      mirroredBoots = [\n        {\n          devices = [ \"nodev\" ];\n          path = \"/efi/a\";\n        }\n        {\n          devices = [ \"nodev\" ];\n          path = \"/efi/b\";\n        }\n      ];\n    };\n  };\n}\n"
  },
  {
    "path": "builders/common/hardening.nix",
    "content": "{\n  # no privilege escalation through sudo or polkit (sudo executable by wheel only, polkit off)\n  security.sudo.execWheelOnly = true;\n  security.polkit.enable = false;\n\n  # no password authentication\n  services.openssh.settings = {\n    KbdInteractiveAuthentication = false;\n    PasswordAuthentication = false;\n  };\n}\n"
  },
  {
    "path": "builders/common/hydra-queue-builder.nix",
    "content": "{\n  config,\n  inputs,\n  lib,\n  ...\n}:\n\n{\n  imports = [\n    inputs.hydra-staging.nixosModules.builder\n  ];\n\n  config = lib.mkIf false {\n    age.secrets.\"queue-runner-token\" = {\n      file = ../../build/secrets/${config.networking.hostName}-queue-runner-token.age;\n      owner = \"hydra-queue-builder\";\n    };\n\n    services.hydra-queue-builder-dev = {\n      enable = true;\n      queueRunnerAddr = \"https://queue-runner.hydra.nixos.org\";\n      authorizationFile = config.age.secrets.\"queue-runner-token\".path;\n    };\n  };\n}\n"
  },
  {
    "path": "builders/common/network.nix",
    "content": "{\n  networking = {\n    domain = \"builders.nixos.org\";\n\n    firewall = {\n      # too spammy, rotates dmesg too quickly\n      logRefusedConnections = false;\n    };\n\n    # we use networkd instead\n    useDHCP = false;\n  };\n}\n"
  },
  {
    "path": "builders/common/nix.nix",
    "content": "{\n  config,\n  lib,\n  pkgs,\n  ...\n}:\n\n{\n  nix = {\n    package = pkgs.nix;\n    nrBuildUsers = config.nix.settings.max-jobs + 32;\n\n    gc =\n      let\n        maxFreed = 500; # GB\n      in\n      {\n        automatic = true;\n        dates = \"hourly\";\n        options = \"--max-freed \\\"$((${toString maxFreed} * 1024**3 - 1024 * $(df --output=avail /nix/store | tail -n 1)))\\\"\";\n      };\n\n    settings = {\n      accept-flake-config = false;\n      builders-use-substitutes = true;\n      extra-experimental-features = [\n        \"nix-command\"\n        \"no-url-literals\"\n        \"flakes\"\n      ];\n      system-features = [\n        \"kvm\"\n        \"nixos-test\"\n        \"benchmark\" # we may restrict this in the central /etc/nix/machines anyway\n      ];\n      trusted-users = [\n        \"build\"\n        \"root\"\n      ];\n      max-silent-time = 10800; # 3h\n    };\n  };\n\n  systemd.services.prune-stale-nix-builds = {\n    description = \"Prune stale nix build roots\";\n    startAt = \"hourly\";\n    unitConfig.Documentation = \"https://github.com/NixOS/nix/issues/5207\";\n    serviceConfig = {\n      ExecStart = lib.concatStringsSep \" \" [\n        (lib.getExe pkgs.findutils)\n        \"/nix/var/nix/builds\"\n        \"-mindepth 1\"\n        \"-maxdepth 1\"\n        \"-type d\"\n        \"-mtime +1\" # days\n        \"-exec rm -rf {} +\"\n      ];\n    };\n  };\n}\n"
  },
  {
    "path": "builders/common/node-exporter.nix",
    "content": "{\n  config,\n  ...\n}:\n\n{\n  networking.firewall.allowedTCPPorts = [\n    config.services.prometheus.exporters.node.port\n  ];\n\n  services.prometheus.exporters.node = {\n    enable = true;\n    enabledCollectors = [ \"systemd\" ];\n  };\n}\n"
  },
  {
    "path": "builders/common/ssh.nix",
    "content": "{\n  lib,\n  ...\n}:\n\n{\n  services.openssh = {\n    enable = true;\n    authorizedKeysFiles = lib.mkForce [ \"/etc/ssh/authorized_keys.d/%u\" ];\n  };\n}\n"
  },
  {
    "path": "builders/common/system.nix",
    "content": "{\n  pkgs,\n  ...\n}:\n\n{\n  # apply microcode to fix functional and security issues\n  hardware.enableRedistributableFirmware = true;\n  hardware.cpu.amd.updateMicrocode = pkgs.stdenv.isx86_64;\n  hardware.cpu.intel.updateMicrocode = pkgs.stdenv.isx86_64;\n\n  # enable kernel same-page merging for improved vm test performance\n  hardware.ksm.enable = true;\n\n  # discard blocks weekly\n  services.fstrim.enable = true;\n\n  # use memory more efficiently at the cost of some compute\n  zramSwap.enable = true;\n}\n"
  },
  {
    "path": "builders/common/tools.nix",
    "content": "{\n  pkgs,\n  ...\n}:\n\n{\n  environment.systemPackages = with pkgs; [\n    atop\n    ethtool\n    htop\n    lm_sensors\n    nix-top\n    nvme-cli\n    pciutils\n    smartmontools\n    usbutils\n  ];\n}\n"
  },
  {
    "path": "builders/common/update.nix",
    "content": "{\n  system.autoUpgrade = {\n    enable = true;\n    dates = \"daily\";\n    flake = \"git+https://github.com/nixos/infra.git?ref=main\";\n    allowReboot = true;\n  };\n}\n"
  },
  {
    "path": "builders/common/users.nix",
    "content": "{\n  config,\n  lib,\n  pkgs,\n  ...\n}:\nlet\n  sshKeys = {\n    hydra-queue-runner-rhea = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOdxl6gDS7h3oeBBja2RSBxeS51Kp44av8OAJPPJwuU/ hydra-queue-runner@rhea\";\n  };\n\n  authorizedNixStoreKey =\n    key:\n    let\n      environment = lib.concatStringsSep \" \" [\n        \"NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt\"\n      ];\n    in\n    \"command=\\\"${environment} ${config.nix.package}/bin/nix-store --serve --write\\\" ${key}\";\nin\n\n{\n  users = {\n    mutableUsers = false;\n    users = {\n      build = {\n        isNormalUser = true;\n        uid = 2000;\n        openssh.authorizedKeys.keys = [\n          (authorizedNixStoreKey sshKeys.hydra-queue-runner-rhea)\n        ];\n      };\n\n      root.openssh.authorizedKeys.keys = (import ../../ssh-keys.nix).infra-core;\n    };\n  };\n}\n"
  },
  {
    "path": "builders/disk-layouts/efi-zfs-raid0.nix",
    "content": "{\n  disk1 ? \"/dev/nvme0n1\",\n  disk2 ? \"/dev/nvme1n1\",\n}:\nlet\n  mkDiskLayout = id: {\n    type = \"gpt\";\n    partitions = {\n      esp = {\n        type = \"EF00\";\n        size = \"512M\";\n        content = {\n          type = \"filesystem\";\n          format = \"vfat\";\n          mountpoint = \"/efi/${id}\";\n        };\n      };\n      zdev = {\n        size = \"100%\";\n        content = {\n          type = \"zfs\";\n          pool = \"zroot\";\n        };\n      };\n    };\n  };\nin\n{\n  disk = {\n    a = {\n      type = \"disk\";\n      device = disk1;\n      content = mkDiskLayout \"a\";\n    };\n\n    b = {\n      type = \"disk\";\n      device = disk2;\n      content = mkDiskLayout \"b\";\n    };\n  };\n\n  zpool.zroot = {\n    mode = \"\"; # RAID 0\n    options.ashift = \"12\"; # 4k blocks\n\n    rootFsOptions = {\n      acltype = \"posixacl\";\n      atime = \"off\";\n      compression = \"on\";\n      mountpoint = \"none\";\n      xattr = \"sa\";\n    };\n\n    datasets = {\n      root = {\n        type = \"zfs_fs\";\n        mountpoint = \"/\";\n      };\n      reserved = {\n        type = \"zfs_fs\";\n        options = {\n          canmount = \"off\";\n          refreservation = \"16G\"; # roughly one system closure\n        };\n      };\n    };\n  };\n}\n"
  },
  {
    "path": "builders/flake-module.nix",
    "content": "{ inputs, ... }:\n{\n  flake.nixosConfigurations =\n    let\n      mkNixOS =\n        system: config:\n        inputs.nixpkgs.lib.nixosSystem {\n          inherit system;\n\n          specialArgs = { inherit inputs; };\n\n          modules = [\n            inputs.agenix.nixosModules.age\n            inputs.disko.nixosModules.disko\n\n            ./common/hardening.nix\n            ./common/network.nix\n            ./common/nix.nix\n            ./common/node-exporter.nix\n            ./common/hydra-queue-builder.nix\n            ./common/system.nix\n            ./common/tools.nix\n            ./common/update.nix\n            ./common/users.nix\n            ./common/ssh.nix\n\n            ../modules/rasdaemon.nix\n\n            config\n          ];\n        };\n    in\n    {\n      # Epyc 9454P (48C/96T), 256 GB DDR4 RAM, 2x 1.92TB PCIe4 NVME\n      elated-minsky = mkNixOS \"x86_64-linux\" ./instances/elated-minsky.nix;\n      sleepy-brown = mkNixOS \"x86_64-linux\" ./instances/sleepy-brown.nix;\n\n      # Ampere Q80-30 (80C), 256 GB DDR4 RAM, 2x3.84TB PCIe4 NVME\n      goofy-hopcroft = mkNixOS \"aarch64-linux\" ./instances/goofy-hopcroft.nix;\n\n      # Ampere Q80-30 (80C), 128 GB DDR4 RAM, 2x960GB PCIe4 NVME\n      hopeful-rivest = mkNixOS \"aarch64-linux\" ./instances/hopeful-rivest.nix;\n    };\n\n  perSystem =\n    { pkgs, inputs', ... }:\n    {\n      devShells.builders = pkgs.mkShell {\n        buildInputs = [\n          inputs'.agenix.packages.agenix\n        ];\n      };\n    };\n}\n"
  },
  {
    "path": "builders/instances/elated-minsky.nix",
    "content": "{\n  imports = [\n    ../profiles/hetzner-ax101r.nix\n  ];\n\n  nix.settings = {\n    cores = 2;\n    max-jobs = 48;\n  };\n\n  networking = {\n    hostName = \"elated-minsky\";\n    domain = \"builders.nixos.org\";\n    useDHCP = false;\n  };\n\n  systemd.network = {\n    enable = true;\n    networks = {\n      \"30-enp193s0f0np0\" = {\n        matchConfig = {\n          MACAddress = \"9c:6b:00:4e:1a:6a\";\n          Type = \"ether\";\n        };\n        linkConfig.RequiredForOnline = true;\n        networkConfig.Description = \"WAN\";\n        address = [\n          \"167.235.95.99/26\"\n          \"2a01:4f8:2220:1b03::1/64\"\n        ];\n        routes = [\n          { Gateway = \"167.235.95.65\"; }\n          { Gateway = \"fe80::1\"; }\n        ];\n      };\n    };\n  };\n\n  system.stateVersion = \"24.11\";\n}\n"
  },
  {
    "path": "builders/instances/goofy-hopcroft.nix",
    "content": "{\n  imports = [\n    ../profiles/hetzner-rx220.nix\n  ];\n\n  nix.settings = {\n    cores = 2;\n    max-jobs = 40;\n  };\n\n  networking = {\n    hostName = \"goofy-hopcroft\";\n    domain = \"builders.nixos.org\";\n    useDHCP = false;\n  };\n\n  systemd.network = {\n    enable = true;\n    networks = {\n      \"30-enP3p2s0f0\" = {\n        matchConfig = {\n          MACAddress = \"74:56:3c:8c:01:a9\";\n          Type = \"ether\";\n        };\n        linkConfig.RequiredForOnline = true;\n        networkConfig.Description = \"WAN\";\n        address = [\n          \"135.181.225.104/26\"\n          \"2a01:4f9:3071:2d8b::1/64\"\n        ];\n        routes = [\n          { Gateway = \"135.181.225.65\"; }\n          { Gateway = \"fe80::1\"; }\n        ];\n      };\n    };\n  };\n\n  system.stateVersion = \"24.11\";\n}\n"
  },
  {
    "path": "builders/instances/hopeful-rivest.nix",
    "content": "{\n  imports = [\n    ../profiles/hetzner-rx170.nix\n  ];\n\n  nix.settings = {\n    cores = 20;\n    max-jobs = 10;\n    system-features = [ \"big-parallel\" ];\n  };\n\n  networking = {\n    hostName = \"hopeful-rivest\";\n    domain = \"builders.nixos.org\";\n    useDHCP = false;\n  };\n\n  systemd.network = {\n    enable = true;\n    networks = {\n      \"30-eno1\" = {\n        matchConfig = {\n          MACAddress = \"74:56:3c:4e:d9:af\";\n          Type = \"ether\";\n        };\n        linkConfig.RequiredForOnline = true;\n        networkConfig.Description = \"WAN\";\n        address = [\n          \"135.181.230.86/26\"\n          \"2a01:4f9:3080:388f::1/64\"\n        ];\n        routes = [\n          { Gateway = \"135.181.230.65\"; }\n          { Gateway = \"fe80::1\"; }\n        ];\n      };\n    };\n  };\n\n  system.stateVersion = \"24.11\";\n}\n"
  },
  {
    "path": "builders/instances/sleepy-brown.nix",
    "content": "{\n  imports = [\n    ../profiles/hetzner-ax101r.nix\n  ];\n\n  nix.settings = {\n    cores = 24;\n    max-jobs = 4;\n    system-features = [ \"big-parallel\" ];\n  };\n\n  networking = {\n    hostName = \"sleepy-brown\";\n    domain = \"builders.nixos.org\";\n    useDHCP = false;\n  };\n\n  systemd.network = {\n    enable = true;\n    networks = {\n      \"30-enp193s0f0np0\" = {\n        matchConfig = {\n          MACAddress = \"9c:6b:00:4e:fd:2d\";\n          Type = \"ether\";\n        };\n        linkConfig.RequiredForOnline = true;\n        networkConfig.Description = \"WAN\";\n        address = [\n          \"162.55.130.51/26\"\n          \"2a01:4f8:271:5c14::1/64\"\n        ];\n        routes = [\n          { Gateway = \"162.55.130.1\"; }\n          { Gateway = \"fe80::1\"; }\n        ];\n      };\n    };\n  };\n\n  system.stateVersion = \"24.11\";\n}\n"
  },
  {
    "path": "builders/network/autoconfig.nix",
    "content": "{\n  networking.useDHCP = false;\n\n  systemd.network = {\n    enable = true;\n    networks = {\n      \"99-autoconfig\" = {\n        matchConfig = {\n          Kind = \"!*\";\n          Type = \"ether\";\n        };\n        networkConfig = {\n          DHCP = \"yes\";\n          IPv6AcceptRA = true;\n        };\n      };\n    };\n  };\n}\n"
  },
  {
    "path": "builders/profiles/hetzner-ax101r.nix",
    "content": "{\n  config,\n  lib,\n  ...\n}:\n\n{\n  imports = [\n    ../boot/efi-grub.nix\n  ];\n\n  disko.devices = import ../disk-layouts/efi-zfs-raid0.nix { };\n  boot.supportedFilesystems.zfs = true;\n  networking.hostId = \"91312b0a\";\n\n  fileSystems.\"/nix/var/nix/builds\" = {\n    device = \"none\";\n    fsType = \"tmpfs\";\n    options = [\n      \"huge=within_size\"\n      \"mode=0700\"\n      \"nosuid\"\n      \"nodev\"\n    ]\n    # 128G tmpfs, 128G RAM (+zram swap) for standard builders\n    # 160GB tmpfs, 96 GB RAM (+zram swap) for big-parallel builders\n    ++ (\n      if lib.elem \"big-parallel\" config.nix.settings.system-features then\n        [ \"size=160G\" ]\n      else\n        [ \"size=128G\" ]\n    );\n  };\n\n  boot.initrd.availableKernelModules = [\n    \"nvme\"\n    \"usbhid\"\n  ];\n}\n"
  },
  {
    "path": "builders/profiles/hetzner-rx170.nix",
    "content": "{\n  imports = [\n    ../boot/efi-grub.nix\n  ];\n\n  disko.devices = import ../disk-layouts/efi-zfs-raid0.nix { };\n  boot.supportedFilesystems.zfs = true;\n  networking.hostId = \"91312b0a\";\n\n  boot.initrd.availableKernelModules = [\n    \"nvme\"\n    \"usbhid\"\n  ];\n}\n"
  },
  {
    "path": "builders/profiles/hetzner-rx220.nix",
    "content": "{\n  imports = [\n    ../boot/efi-grub.nix\n  ];\n\n  disko.devices = import ../disk-layouts/efi-zfs-raid0.nix { };\n  boot.supportedFilesystems.zfs = true;\n  networking.hostId = \"91312b0a\";\n\n  boot.initrd.availableKernelModules = [\n    \"nvme\"\n    \"usbhid\"\n  ];\n}\n"
  },
  {
    "path": "channels.nix",
    "content": "rec {\n  channels = {\n    # \"Channel name\" = {\n    #   # This should be the <value> part of\n    #   # https://hydra.nixos.org/job/<value>/latest-finished\n    #   job = \"project/jobset/jobname\";\n    #\n    #   # When adding a new version, determine if it needs to be tagged as a\n    #   # variant -- for example:\n    #   # nixos-xx.xx         => primary\n    #   # nixos-xx.xx-small   => small\n    #   # nixos-xx.xx-darwin  => darwin\n    #   # nixos-xx.xx-aarch64 => aarch64\n    #   variant = \"primary\";\n    #\n    #   # Channel Status:\n    #   # '*-unstable' channels are always \"rolling\"\n    #   # Otherwise a release generally progresses through the following phases:\n    #   #\n    #   #  - Directly after branch off                   => \"beta\"\n    #   #  - Once the channel is released                => \"stable\"\n    #   #  - Once the next channel is released           => \"deprecated\"\n    #   #  - N months after the next channel is released => \"unmaintained\"\n    #   #    (check the release notes for when this should happen)\n    #   status = \"beta\";\n    # };\n    \"nixos-unstable\" = {\n      job = \"nixos/unstable/tested\";\n      variant = \"primary\";\n      status = \"rolling\";\n    };\n    \"nixos-unstable-small\" = {\n      job = \"nixos/unstable-small/tested\";\n      variant = \"small\";\n      status = \"rolling\";\n    };\n    \"nixpkgs-unstable\" = {\n      job = \"nixpkgs/unstable/unstable\";\n      status = \"rolling\";\n    };\n\n    \"nixos-25.11\" = {\n      job = \"nixos/release-25.11/tested\";\n      variant = \"primary\";\n      status = \"stable\";\n    };\n    \"nixos-25.11-small\" = {\n      job = \"nixos/release-25.11-small/tested\";\n      variant = \"small\";\n      status = \"stable\";\n    };\n    \"nixpkgs-25.11-darwin\" = {\n      job = \"nixpkgs/nixpkgs-25.11-darwin/darwin-tested\";\n      variant = \"darwin\";\n      status = \"stable\";\n    };\n\n    \"nixos-25.05\" = {\n      job = 
\"nixos/release-25.05/tested\";\n      variant = \"primary\";\n      status = \"unmaintained\";\n    };\n    \"nixos-25.05-small\" = {\n      job = \"nixos/release-25.05-small/tested\";\n      variant = \"small\";\n      status = \"unmaintained\";\n    };\n    \"nixpkgs-25.05-darwin\" = {\n      job = \"nixpkgs/nixpkgs-25.05-darwin/darwin-tested\";\n      variant = \"darwin\";\n      status = \"unmaintained\";\n    };\n  };\n\n  channels-with-urls = builtins.mapAttrs (_name: about: about.job) channels;\n}\n"
  },
  {
    "path": "checks/flake-module.nix",
    "content": "{ ... }:\n{\n  perSystem =\n    { self', lib, ... }:\n    {\n      checks =\n        let\n          # TODO: our CI doesn't have enough space for these just now\n          #nixosMachines = lib.mapAttrs' (\n          #  name: config: lib.nameValuePair \"nixos-${name}\" config.config.system.build.toplevel\n          #) ((lib.filterAttrs (_: config: config.pkgs.system == system)) self.nixosConfigurations);\n          nixosMachines = { };\n\n          packages = lib.mapAttrs' (n: lib.nameValuePair \"package-${n}\") self'.packages;\n          devShells = lib.mapAttrs' (n: lib.nameValuePair \"devShell-${n}\") self'.devShells;\n        in\n        nixosMachines // packages // devShells;\n    };\n}\n"
  },
  {
    "path": "dns/.envrc",
    "content": "# shellcheck shell=bash\nuse flake .#dnscontrol\n"
  },
  {
    "path": "dns/creds.json",
    "content": "{\n  \"gandi\": {\n    \"TYPE\": \"GANDI_V5\",\n    \"token\": \"$GANDI_TOKEN\"\n  }\n}\n"
  },
  {
    "path": "dns/dnsconfig.js",
    "content": "DEFAULTS(\n\tDefaultTTL(\"1h\"),\n\tNAMESERVER_TTL(\"24h\")\n);\nvar REG_NONE = NewRegistrar(\"none\");\nvar DSP_GANDI = NewDnsProvider(\"gandi\");\n\nrequire(\"nixcon.org.js\");\nrequire(\"nix.dev.js\");\nrequire(\"nixos.org.js\");\nrequire(\"ofborg.org.js\");\n\n"
  },
  {
    "path": "dns/flake-module.nix",
    "content": "{\n  perSystem =\n    { pkgs, ... }:\n    {\n      devShells.dnscontrol = pkgs.mkShellNoCC {\n        packages = [\n          pkgs.dnscontrol\n        ];\n      };\n      checks.dnscontrol = pkgs.runCommand \"dnscontrol\" { } ''\n        cd ${./.}\n        ${pkgs.dnscontrol}/bin/dnscontrol check\n        touch $out\n      '';\n    };\n}\n"
  },
  {
    "path": "dns/nix.dev.js",
    "content": "D(\"nix.dev\",\n\tREG_NONE,\n\tDnsProvider(DSP_GANDI),\n\n\tCAA_BUILDER({\n\t\tlabel: \"@\",\n\t\tiodef: \"mailto:infra+caa@nixos.org\",\n\t\tiodef_critical: true,\n\t\tissue: [\"letsencrypt.org\"],\n\t\tissue_critical: true,\n\t\tissuewild: \"none\",\n\t\tissuewild_critical: true,\n\t}),\n\n\t// Domain is not used for mail\n\tSPF_BUILDER({\n\t\tlabel: \"@\",\n\t\tparts: [\n\t\t\t\"v=spf1\",\n\t\t\t\"-all\"\n\t\t]\n\t}),\n\tTXT(\"*._domainkey\", \"v=DKIM1; p=\"),\n\tDMARC_BUILDER({\n\t\tpolicy: \"reject\",\n\t\tsubdomainPolicy: \"reject\",\n\t\talignmentDKIM: \"strict\",\n\t\talignmentSPF: \"strict\"\n\t}),\n\n\tTXT(\"@\", \"google-site-verification=J55RGHyOPKpHAyIHVfBy1RdY_LuVIvLyuyR8deO62YE\"),\n\n\tALIAS(\"@\", \"nix-dev.netlify.app.\"),\n\tCNAME(\"www\", \"nix-dev.netlify.app.\")\n);\n\n"
  },
  {
    "path": "dns/nixcon.org.js",
    "content": "D(\"nixcon.org\",\n\tREG_NONE,\n\tDnsProvider(DSP_GANDI),\n\n\tCAA_BUILDER({\n\t\tlabel: \"@\",\n\t\tiodef: \"mailto:infra+caa@nixos.org\",\n\t\tiodef_critical: true,\n\t\tissue: [\"letsencrypt.org\"],\n\t\tissue_critical: true,\n\t\tissuewild: \"none\",\n\t\tissuewild_critical: true,\n\t}),\n\n\tMX(\"@\", 10, \"umbriel.nixos.org.\"),\n\tSPF_BUILDER({\n\t\tlabel: \"@\",\n\t\tparts: [\n\t\t\t\"v=spf1\",\n\t\t\t\"a:umbriel.nixos.org\",\n\t\t\t\"-all\"\n\t\t]\n\t}),\n\t// Matching private key in `non-critical-infra/secrets/nixcon.org.mail.key.umbriel`\n\tTXT(\"mail._domainkey\", \"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1wQ2uPZfdlGmjDDxeNVet7IEFxS55TpWuqQWNKmd4fX8HcKKw7kVHXU5+gjT37wMUI27ZZnIobYhumnl+BLiXZqbuzAt7s3dbJU2de2ZWxOqcDRbK6m2A3AwIAiMzzRUjx14EWgnw55KRi2enpLyS0pKGdvSquHnxaySkAF8YIwIDAQAB\"),\n\tDMARC_BUILDER({\n\t\tpolicy: \"none\",\n\t}),\n\n\t// Websites\n\tTXT(\"_github-pages-challenge-nixcon\", \"6608e513e09036ab8cadb7ca4eb71b\"),\n\n\t// https://docs.github.com/en/pages/configuring-a-custom-domain-for-your-github-pages-site/managing-a-custom-domain-for-your-github-pages-site#configuring-an-apex-domain\n\tA(\"@\", \"185.199.109.153\"),\n\tA(\"@\", \"185.199.111.153\"),\n\tAAAA(\"@\", \"2606:50c0:8001::153\"),\n\tAAAA(\"@\", \"2606:50c0:8003::153\"),\n\n\tCNAME(\"www\", \"nixcon.github.io.\"),\n\n\tCNAME(\"2015\", \"nixcon.github.io.\"),\n\tCNAME(\"2016\", \"nixcon.github.io.\"),\n\tCNAME(\"2017\", \"nixcon.github.io.\"),\n\tCNAME(\"2018\", \"nixcon.github.io.\"),\n\tCNAME(\"2019\", \"nixcon.github.io.\"),\n\tCNAME(\"2020\", \"nixcon.github.io.\"),\n\tCNAME(\"2022\", \"nixcon.github.io.\"),\n\tCNAME(\"2023\", \"nixcon.github.io.\"),\n\tCNAME(\"2024-na\", \"nixcon.github.io.\"),\n\tCNAME(\"2024\", \"nixcon.github.io.\"),\n\tCNAME(\"2025\", \"nixcon.github.io.\"),\n\tCNAME(\"2026\", \"nixcon.github.io.\"),\n\n\t// Scheduling\n\tCNAME(\"cfp\", \"pretalx.com.\"),\n\tCNAME(\"talks\", \"pretalx.com.\"),\n\n\t// Ticketing\n\tCNAME(\"tickets\", 
\"nixcon.cname.pretix.eu.\"),\n\n\t// 2025 ticket voucher eligibility check\n\tCNAME(\"vouchers\", \"cache.ners.ch.\"),\n\n\t// 2025 bee game\n\tCNAME(\"bee\", \"cache.ners.ch.\")\n);\n"
  },
  {
    "path": "dns/nixos.org.js",
    "content": "D(\"nixos.org\",\n\tREG_NONE,\n\tDnsProvider(DSP_GANDI),\n\n\tTXT(\"@\", \"apple-domain-verification=OvacO4lGB9A6dBFg\"),\n\tTXT(\"@\", \"brevo-code:f580a125e215ecb440363a15cdf47a17\"),\t\n\tTXT(\"@\", \"google-site-verification=Pm5opvmNjJOwdb7JnuVJ_eFBPaZYWNcAavY-08AJoGc\"),\n\t// bluesky account/domain binding\n\tTXT(\"_atproto\", \"did=did:plc:bf43o4nxudgubwt4iljpayb7\"),\n\n\tCAA_BUILDER({\n\t\tlabel: \"@\",\n\t\tiodef: \"mailto:infra+caa@nixos.org\",\n\t\tiodef_critical: true,\n\t\tissue: [\"letsencrypt.org\"],\n\t\tissue_critical: true,\n\t\tissuewild: \"none\",\n\t\tissuewild_critical: true,\n\t}),\n\n\t// nixos.org mailing\n\tMX(\"@\", 10, \"umbriel\"),\n\tSPF_BUILDER({\n\t\tlabel: \"@\",\n\t\tparts: [\n\t\t\t\"v=spf1\",\n\t\t\t\"a:umbriel.nixos.org\",\n\t\t\t\"-all\"\n\t\t]\n\t}),\n\tDMARC_BUILDER({\n\t\tpolicy: \"none\",\n\t}),\n\n\t// discourse\n\tA(\"discourse\", \"195.62.126.31\"),\n\tAAAA(\"discourse\", \"2a02:248:101:62::146f\"),\n\tMX(\"discourse\", 10, \"mail.nixosdiscourse.fcio.net.\"),\n\tDMARC_BUILDER({\n\t\tlabel: \"discourse\",\n\t\tpolicy: \"none\",\n\t}),\n\tSPF_BUILDER({\n\t\tlabel: \"discourse\",\n\t\tparts: [\n\t\t\t\"v=spf1\",\n\t\t\t\"ip4:185.105.252.151\",\n\t\t\t\"ip6:2a02:248:101:62::1479\",\n\t\t\t\"-all\"\n\t\t]\n\t}),\n\tTXT(\"mail._domainkey.discourse\", \"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDmxDhMfDl6lnueSRCjYiWIDeTAJXR9Yw0PfpBfG7GPUIkMyqy9jVGpb4ECVTt9S1zfpr4dbtCgir781oVwZiwGIWzC8y8XsD37wernQIPN4Yubnrnpw+6lill4uA/AuyU/ghbeZ5lW03pHD//2EW4YEu+Jw4aS4rF0Wtk+BlJRCwIDAQAB\"),\n\n\t// fastly\n\tCNAME(\"_acme-challenge.cache\", \"k2hql6g4rigivyu6nn.fastly-validations.com.\"),\n\tCNAME(\"_acme-challenge.cache-staging\", \"kqwx9cvuf7lvjo8u9b.fastly-validations.com.\"),\n\tCNAME(\"_acme-challenge.channels\", \"9u55qij5w2odiwqxfi.fastly-validations.com.\"),\n\tCNAME(\"_acme-challenge.artifacts\", \"bsk6mjvi6b1r6wekb0.fastly-validations.com.\"),\n\tCNAME(\"_acme-challenge.releases\", 
\"s731ezp9ameh5f349b.fastly-validations.com.\"),\n\tCNAME(\"_acme-challenge.tarballs\", \"vnqm62k5sjx9jogeqg.fastly-validations.com.\"),\n\tCNAME(\"cache\", \"dualstack.n.sni.global.fastly.net.\"),\n\tCNAME(\"cache-staging\", \"dualstack.n.sni.global.fastly.net.\"),\n\tCNAME(\"channels\", \"dualstack.n.sni.global.fastly.net.\"),\n\tCNAME(\"artifacts\", \"dualstack.n.sni.global.fastly.net.\"),\n\tCNAME(\"releases\", \"dualstack.n.sni.global.fastly.net.\"),\n\tCNAME(\"tarballs\", \"dualstack.n.sni.global.fastly.net.\"),\n\n\t// hydra.nixos.org\n\tA(\"haumea\", \"46.4.89.205\"),\n\tAAAA(\"haumea\", \"2a01:4f8:212:41c9::1\"),\n\n\tA(\"mimas\", \"157.90.104.34\"),\n\tAAAA(\"mimas\", \"2a01:4f8:2220:11c8::1\"),\n\tCNAME(\"hydra\", \"mimas\"),\n\tCNAME(\"queue-runner.hydra\", \"mimas\"),\n\n\tA(\"pluto\", \"37.27.99.100\"),\n\tAAAA(\"pluto\", \"2a01:4f9:3070:15e0::1\"),\n\tCNAME(\"alerts\", \"pluto\"),\n\tCNAME(\"grafana\", \"pluto\"),\n\tCNAME(\"monitoring\", \"pluto\"),\n\tCNAME(\"prometheus\", \"pluto\"),\n\n\tA(\"titan\", \"159.69.62.224\"),\n\tAAAA(\"titan\", \"2a01:4f8:231:e53::1\"),\n\n\t// hydra buildfarm\n\tAAAA(\"eager-heisenberg.mac\", \"2a01:4f8:d1:a027::2\"),\n\tA(\"elated-minsky.builder\", \"167.235.95.99\"),\n\n\tAAAA(\"elated-minsky.builder\", \"2a01:4f8:2220:1b03::1\"),\n\n\tA(\"enormous-catfish.mac\", \"142.132.140.199\"),\n\n\tA(\"goofy-hopcroft.builder\", \"135.181.225.104\"),\n\tAAAA(\"goofy-hopcroft.builder\", \"2a01:4f9:3071:2d8b::1\"),\n\n\tA(\"growing-jennet.mac\", \"23.88.76.75\"),\n\n\tA(\"hopeful-rivest.builder\", \"135.181.230.86\"),\n\tAAAA(\"hopeful-rivest.builder\", \"2a01:4f9:3080:388f::1\"),\n\n\tA(\"intense-heron.mac\", \"23.88.75.215\"),\n\n\tAAAA(\"kind-lumiere.mac\", \"2a09:9340:808:60a::1\"),\n\n\tA(\"maximum-snail.mac\", \"23.88.76.161\"),\n\n\tA(\"sleepy-brown.builder\", \"162.55.130.51\"),\n\tAAAA(\"sleepy-brown.builder\", \"2a01:4f8:271:5c14::1\"),\n\n\tA(\"sweeping-filly.mac\", 
\"142.132.141.35\"),\n\n\tAAAA(\"norwegian-blue.mac\", \"2a06:3a80:0:41:423:898a:1e16:3cf7\"),\n\n\t// hydra staging area\n\tA(\"staging-hydra\", \"130.236.254.207\"),\n\tAAAA(\"staging-hydra\", \"2001:6b0:17:f0a0::cf\"),\n\tCNAME(\"queue-runner.staging-hydra\", \"staging-hydra\"),\n\n\t// services infra\n\tA(\"caliban\", \"65.109.26.213\"),\n\tAAAA(\"caliban\", \"2a01:4f9:5a:186c::2\"),\n\tCNAME(\"chat\", \"caliban\"),\n\tCNAME(\"live\", \"caliban\"),\n\tCNAME(\"matrix\", \"caliban\"),\n\tCNAME(\"nixpkgs-swh\", \"caliban\"),\n\tCNAME(\"survey\", \"caliban\"),\n\tCNAME(\"vault\", \"caliban\"),\n\tDMARC_BUILDER({\n\t\tlabel: \"caliban\",\n\t\tpolicy: \"none\"\n\t}),\n\tSPF_BUILDER({\n\t\tlabel: \"caliban\",\n\t\tparts: [\n\t\t\t\"v=spf1\",\n\t\t\t\"ip4:65.109.26.213\",\n\t\t\t\"ip6:2a01:4f9:5a:186c::2\",\n\t\t\t\"-all\"\n\t\t]\n\t}),\n\tTXT(\"mail._domainkey.caliban\", \"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDCLtvNH4Ly+9COXf7InptMvoA7I5O347D7+j+saECt7RRe8yNz4TmhJTyJik+bg7e3+l7EJM0vE6k7xtpGBXACY6CCmg/8EgUi6YnDd126ttJHWpoqO96w4SWX93G+ZnoSC8O5rTPqdaTTkntYDTrw5u5n+7RA8GarZadgmaEzwIDAQAB\"),\n\n\tA(\"umbriel\", \"37.27.20.162\"),\n\tAAAA(\"umbriel\", \"2a01:4f9:c011:8fb5::1\"),\n\t// See `nixos.org.mail.key` in `non-critical-infra/modules/mailserver/default.nix`.\n\tTXT(\"mail._domainkey\", \"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcgNq4+Y23GxN8Mdza437tL5DuJJZU1y6VzTCwSi6cBNLyBDci2cmqXx/gm1sA3yv7+h+8/OyJpEgcbCIW/Ygs1XLuECqvXVX8MU6Djn4KY+d2sU1tlUdqvNM86puoneQtjEv9rDsjf3HGqaeOcjetFnQW7H+qcNcaEShxyKztzQIDAQAB\"),\n\tCNAME(\"freescout\", \"umbriel.nixos.org.\"),\n\n\t// ngi\n\tA(\"makemake.ngi\", \"116.202.113.248\"),\n\tAAAA(\"makemake.ngi\", \"2a01:4f8:231:4187::\"),\n\tCNAME(\"buildbot.ngi\", \"makemake.ngi.nixos.org.\"),\n\tCNAME(\"cryptpad.ngi\", \"makemake.ngi.nixos.org.\"),\n\tCNAME(\"cryptpad-sandbox.ngi\", \"makemake.ngi.nixos.org.\"),\n\tCNAME(\"summer\", \"makemake.ngi.nixos.org.\"),\n\n\tA(\"tracker-staging.security\", 
\"188.245.41.195\"),\n\tAAAA(\"tracker-staging.security\", \"2a01:4f8:1c1b:b87b::1\"),\n\n\tA(\"tracker.security\", \"91.99.31.214\"),\n\tAAAA(\"tracker.security\", \"2a01:4f8:1c1b:6921::1\"),\n\n\t// wiki\n\tA(\"wiki\", \"65.21.240.250\"),\n\tAAAA(\"wiki\", \"2a01:4f9:c012:8178::\"),\n\t// Direct access to wiki server in Helsinki (for deployments)\n\tA(\"he1.wiki\", \"65.21.240.250\"),\n\tAAAA(\"he1.wiki\", \"2a01:4f9:c012:8178::\"),\n\tDMARC_BUILDER({\n\t\tlabel: \"wiki\",\n\t\tpolicy: \"none\"\n\t}),\n\tSPF_BUILDER({\n\t\tlabel: \"wiki\",\n\t\tparts: [\n\t\t\t\"v=spf1\",\n\t\t\t\"ip4:65.21.240.250\",\n\t\t\t\"ip6:2a01:4f9:c012:8178::\",\n\t\t\t\"-all\"\n\t\t]\n\t}),\n\tTXT(\"mail._domainkey.wiki\", \"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDa+KjIljYr3q5MWWK7sEYzjR8OcA32zBh9BCPo6/HlY1q2ODTYsmE/FDZWpYMzM5z+ddnuGYdXia322XnZaNpZNoq1TbGYuQ5DsgAEK09CGoLuzONg3PSXTrkG7E2Sd6wstwHGJ5FHxSLKtNoWkknt9F5XAFZgXapO0w54p+BWvwIDAQAB\"),\n\n\t// test.wiki subdomain with Fastly\n\tCNAME(\"test.wiki\", \"dualstack.n.sni.global.fastly.net.\"),\n\tCNAME(\"_acme-challenge.test.wiki\", \"zsz0meyel8hxoy9dtb.fastly-validations.com.\"),\n\n\t// github org/domain binding\n\tTXT(\"_github-challenge-nixos\", \"9e10a04a4b\"),\n\n\t// github pages\n\tCNAME(\"mobile\", \"nixos.github.io.\"),\n\tCNAME(\"ngi\", \"ngi-nix.github.io.\"),\n\tCNAME(\"reproducible\", \"nixos.github.io.\"),\n\n\tTXT(\"_github-pages-challenge-ngi-nix.ngi\", \"4e8bffbb7ced2aec7be1f8cf3561d6\"),\n\tTXT(\"_github-pages-challenge-nixos\", \"f3a423ba6916e972cfb1e74f82f601\"),\n\n\t// netlify pages\n\tA(\"@\", \"75.2.60.5\"),\n\tA(\"@\", \"99.83.231.61\"),\n\tCNAME(\"brand\", \"nixos-brand.netlify.app.\"),\n\tCNAME(\"common-styles\", \"nixos-common-styles.netlify.app.\"),\n\tCNAME(\"planet\", \"nixos-planet.netlify.app.\"),\n\tCNAME(\"search\", \"nixos-search.netlify.app.\"),\n\tCNAME(\"status\", \"nixos-status.netlify.app.\"),\n\tCNAME(\"weekly\", \"nixos-weekly.netlify.com.\"),\n\tCNAME(\"www\", 
\"nixos-homepage.netlify.app.\"),\n);\n"
  },
  {
    "path": "dns/ofborg.org.js",
    "content": "D(\"ofborg.org\",\n\tREG_NONE,\n\tDnsProvider(DSP_GANDI),\n\n\tCAA_BUILDER({\n\t\tlabel: \"@\",\n\t\tiodef: \"mailto:infra+caa@nixos.org\",\n\t\tiodef_critical: true,\n\t\tissue: [\"letsencrypt.org\"],\n\t\tissue_critical: true,\n\t\tissuewild: \"none\",\n\t\tissuewild_critical: true,\n\t}),\n\n\t// Domain is not used for mail\n\tSPF_BUILDER({\n\t\tlabel: \"@\",\n\t\tparts: [\n\t\t\t\"v=spf1\",\n\t\t\t\"-all\"\n\t\t]\n\t}),\n\tTXT(\"*._domainkey\", \"v=DKIM1; p=\"),\n\tDMARC_BUILDER({\n\t\tpolicy: \"reject\",\n\t\tsubdomainPolicy: \"reject\",\n\t\talignmentDKIM: \"strict\",\n\t\talignmentSPF: \"strict\"\n\t}),\n\n\tA(\"core\", \"136.144.57.217\"),\n\tAAAA(\"core\", \"2604:1380:45f1:400::3\"),\n\tCNAME(\"events\", \"core\"),\n\tCNAME(\"monitoring\", \"core\"),\n\tCNAME(\"webhook\", \"core\"),\n\n\tA(\"core01\", \"138.199.148.47\"),\n\tAAAA(\"core01\", \"2a01:4f8:c012:cda4::1\"),\n\tCNAME(\"gh-webhook\", \"core01\"),\n\tCNAME(\"logs\", \"core01\"),\n\tCNAME(\"messages\", \"core01\"),\n\n\tA(\"build01\", \"185.119.168.10\"),\n\n\tA(\"build02\", \"185.119.168.11\"),\n\n\tA(\"build03\", \"185.119.168.12\"),\n\n\tA(\"build04\", \"185.119.168.13\"),\n\n\tA(\"build05\", \"142.132.171.106\"),\n\tAAAA(\"build05\", \"2a01:4f8:1c1b:6d41::\"),\n\n\tA(\"eval01\", \"95.217.15.9\"),\n\tAAAA(\"eval01\", \"2a01:4f9:c012:cf00::1\"),\n\n\tA(\"eval02\", \"95.216.209.162\"),\n\tAAAA(\"eval02\", \"2a01:4f9:c012:17c6::1\"),\n\n\tA(\"eval03\", \"37.27.189.4\"),\n\tAAAA(\"eval03\", \"2a01:4f9:c012:e37b::1\"),\n\n\tA(\"eval04\", \"95.217.18.12\"),\n\tAAAA(\"eval04\", \"2a01:4f9:c012:273b::\"),\n\n\t// nixos-foundation-macstadium-44911305\n\tA(\"mac01\", \"208.83.1.173\"),\n\n\t// nixos-foundation-macstadium-44911362\n\tA(\"mac02\", \"208.83.1.175\"),\n\n\t// nixos-foundation-macstadium-44911507\n\tA(\"mac03\", \"208.83.1.186\"),\n\n\t// nixos-foundation-macstadium-44911207\n\tA(\"mac04\", \"208.83.1.145\"),\n\n\t// nixos-foundation-macstadium-44911104\n\tA(\"mac05\", 
\"208.83.1.181\"),\n);\n\n"
  },
  {
    "path": "docs/inventory.md",
    "content": "# NixOS project resource inventory\n\nThis is the current list of hardware and services that everyone has access to.\n\n# Accounts\n\n## GitHub\n\nowner: @edolstra @domenkozar @garbas @grahamc @rbvermaa\n\n## Domains\n\n- owner: @edolstra\n- nixos.org - https://www.uniteddomains.com/\n\n## DNS\n\nowner: Foundation\n\nManaged by Netlify.\n\n## AWS account\n\n- owner: Infor\n- alias: lb-nixos\n- access: @rbvermaa and @edolstra\n\n## Packet.net\n\n- owner: @grahamc\n\n## Hetzner Cloud\n\n- owner: Graham\n- (for ofborg)\n\n## IRC logging bot\n\n- owner: @samueldr\n- url: https://logs.nix.samueldr.com/nixos/\n- nick: <code>{\\`-\\`}</code>\n- config: https://gitlab.com/samueldr.nix/overlays/irclogger\n\n## nix.ci\n\nowner: @grahamc\n\nofborg instance and logs\n\nhosted on Packet.\n\n## aarch64 community builder\n\n- owner: @grahamc\n- access: community members that have asked for access to it\n- host: Packet\n\nlots of cores to build for the aarch64 platform\n\n## survey.nixos.org\n\nowner: @davidak\n\n## nixcon2017.org\n\nowner: Christine?\n\n## nixcon2018.org\n\nowner: @zimbatm\n\n## NixOS Wiki\n\naccess: see https://wiki.nixos.org/wiki/Official_NixOS_Wiki:About\n\n## Twitter accounts\n\n**nixpkg** owner: Graham\n\n**nixos_org** owner: Rob Vermaas\n\n**nixcon2017** owner: Christine?\n\n**nixcon2018** owner: zimbatm\n\n## IRC\n\nGroup registration on FreeNode. Eelco and Graham can get OP on all channels\nabout NixOS.\n\nThe group owns:\n\n    #nix\n    #nix-*\n    #nixos-*\n\n`#nix` is invite only and is empty, it only redirects to `#nixos`\n\n**List of common channels:**\n\n`**#nixos-dev**`\n\n`#` **nixos**``\n\n- 1 niksnut +AFRefiorstv [modified ? 
ago]\n- 17:30 2 goodwill +o [modified 3y 36w 6d ago] -\n- 17:30 3 kmicu +o [modified 2y 32w 5d ago] long time member - left 4 months ago\n- 17:30 4 gchristensen +o [modified 1y 37w 1d ago]\n\n`**#nixos-borg**` `**#nixos-aarch64**` `**#nix-darwin**` `#nixos-chat`\n`**#nix-core**` `**#nixos-security**` `**#nixos-bots**` `**#nixos-docs**`\n`**#nixos-wiki**` `**#nixos-on-your-router**`\n\n## cachix.org\n\nowner: Domen\n\n# Hardware\n\n## On Packet.net\n\nowner: Graham\n\n2 builders: aarch64 packet type 2 : for hydra\n\n1 aarch64 for ofborg _and_ community use\n\n## Hetzner:\n\nowner: Eelco and Rob, owned by the NixOS Foundation\n\n“chef”: runs hydra.nixos.org, postgresql database, queue runner, hydra\nprovisioner. binary cache signing keys.\n\nmonitoring: **DataDog, accessible by Eelco (and Rob?) (Amine?) on the Infor\naccount**\n\n## Mac Minis at Hetzner Cloud\n\n- owner: the NixOS Foundation\n- access: Cole-h & Hexa\n- role: build machines\n\nCurrent machine names:\n\n- intense-heron.mac.nixos.org\n- sweeping-filly.mac.nixos.org\n- maximum-snail.mac.nixos.org\n- growing-jennet.mac.nixos.org\n- enormous-catfish.mac.nixos.org\n\n## Mac Minis at Graham's house\n\n- owner: the NixOS Foundation\n- access: Cole-h\n- role: build machines\n\n- arm64:\n  - cosmic-stud\n  - tight-bug\n  - quality-ram\n  - becoming-hyena\n\nThere are also x86_64 mac minis, but they are offline because they produce too\nmuch heat.\n\n## Mac Stadium\n\n- owner: MacStadium and rented to daniel peebles or the foundation?\n- role: build machines\n\nEelco had a root password\n\n## hydra-provisioner\n\n?\n\n## nixos-org\n\nowner: LogicBlox EC2 instance\n\ndeployed from Eelco’s laptop\n\nruns the website runs the channel mirror script, systemd services with timers,\nupdates /releases buckets and the nixpkgs-channels repository (repo:\nnixos-channel-scripts)\n\nThe tarball mirror script is running from that machine.\n"
  },
  {
    "path": "docs/meeting-notes/2024-01-11.md",
    "content": "# 2024-01-11\n\nFirst meeting of the (revamped) infra team.\n\nParticipants: delroth, hexa, raitobezarius, vcunat, zimbatm\n\n## [zimbatm] Presentation\n\n- At NixCon, we added new people to the team, but we were not able to give space\n  to those new people, with this in mind, I would like to dedicate one hour per\n  week or two weeks where I can unblock the infrastructure matters.\n- I don’t know what people are interested in, I believe this is a volunteer\n  ecosystem and you should work on what you would like to work on.\n- We have big challenges in front of us, e.g. the cache situation, with a new\n  team, maybe we can tackle those bigger challenges.\n\n## Round of intros\n\nSkipped in these edited notes.\n\n## [raito] Recommending hexa for infra-core\n\n- Consensus: yes please.\n- [zimbatm] Done.\n- delroth/vcunat to assist with onboarding, provision access, etc.\n\n## [delroth] Matrix Homeserver situation\n\n- EMS is dropping legacy plans after 2024-01-17\n  - https://github.com/NixOS/infra/issues/325\n- We are getting dropped.\n- We need to react but Graham, owner of the EMS account, is not reacting.\n- The problem is not the cost but access to the account.\n- delroth/hexa are in favor of self-hosting.\n  - But we need the database dump from EMS.\n  - hexa to prepare the config for this, delroth can act as backup/fallback.\n- Fallback: we can always pay the $1200 (excl. 
VAT) for renewing the 1 year\n  plan.\n\n## [hexa] Moving NGI out of nixos-org-configurations\n\n- Goals: unblock ngi0 maintainers, less consumption of our review bandwidth.\n- Should we move them to a new repo?\n  - Either in the nixos GitHub org or the ngi-nix org.\n- Action item: let's ask them!\n  - https://github.com/NixOS/infra/issues/326\n\n## Builders\n\n- Context: various cost reduction efforts need to happen on the Hydra/ofborg\n  builders infra.\n- There might be the possibility to get Hetzner to sponsor one more machine.\n- [delroth] Pretty sure we are not using our build resources efficiently as it\n  is (queue-runner bottleneck)\n- [vcunat] xz compression is the main problem\n- [zimbatm] We should properly analyze where the bottlenecks are.\n\n## Backups\n\n- We are not doing proper backups of the NixOS infra.\n- There is an rsync.net account where the Hydra database gets backed up to, at\n  least.\n- Julien's vaultwarden PR is currently blocked by this, we're getting backup\n  storage space from Hetzner (storage boxes).\n"
  },
  {
    "path": "docs/meeting-notes/2024-01-25.md",
    "content": "# 2024-01-25\n\n## [hexa, delroth] EMS Migration\n\n- Configuration hasn’t been written yet, hexa might get it done this week.\n- When will we get the data?\n  - Graham still holding it until it can get cleaned up (removing private user\n    data). Board set a deadline during the last meeting.\n  - We could talk to EMS directly, to get the account handed over\n  - We want ~10 days to do the migration (so: we want the data before Feb 7th)\n\n## NixOS 23.11 upgrades\n\n- Infra currently runs on NixOS 23.05\n- No blockers, need to be updated individually\n\n## Deployment setup\n\n- Blocked on secret management, will likely be sops\n- Machines use network configuration provided by NixOps\n\n## Bitwarden\n\n- Reason: Self-hosting, currently Jonas pays for the hosted plan.\n- PR pending needs to be moved forward: https://github.com/NixOS/infra/pull/287\n- delroth/hexa can hand out backup storage credentials.\n\n## Binary cache\n\n- Cost of S3 exceeds Foundation income…\n  - Garbage collection will be started\n    - Timeline: Start some time in 2024/02\n    - Advanced communication will be sent out\n    - Build list of store paths we want to keep and configure gc root for them\n      - Plan is to keep all FODs\n    - Make store paths that are about to get deleted unavailable prior to\n      deletion\n- Potentially move parts of the cache to Hetzner\n  - delroth has capacity to look into this in 2024/02\n  - Needs a service to decide, where (S3 or Hetzner) the request would need to\n    go\n    - Logic could be installed at fastly, to try hetzner first, fallback to s3\n  - Service is in the critical path, currently fastly/s3 solve availability for\n    us\n"
  },
  {
    "path": "docs/meeting-notes/2024-02-08.md",
    "content": "# 2024-02-08\n\nAttendees: delroth, hexa, JulienMalka, lheckemann, raitobezarius, vcunat,\nzimbatm\n\n## [hexa, delroth] EMS Migration\n\nContext: https://github.com/NixOS/infra/issues/325\n\n- PR for Synapse and its dependencies is up.\n  - https://github.com/NixOS/infra/pull/336\n- [Julien] What's the status of the backup module?\n  - Split off into its own PR and merged already:\n    https://github.com/NixOS/infra/pull/345\n- raito and Ron met with Matrix / EMS folks at FOSDEM 2024\n  - They have scripts for GDPR compliance (user data purge), but we need to ask\n    them by email.\n  - Then we can get a clean DB dump, presumably without user data.\n  - Not sure whether we sent an email or not. But Graham might be in contact\n    directly, and EMS folks made him an offer to do the data deletion.\n  - Worst case Graham/DetSys will pay for the extension of the EMS plan.\n  - Probably no hurry anymore from the infra side. Foundation board is\n    monitoring this to make sure we have a solution at some point.\n\n## [delroth] Should we publish these notes more widely?\n\n- There is a trend towards publishing notes on Discourse, etc. for visibility.\n- [delroth] My thoughts: we should archive (edited) notes in Git somewhere in\n  our docs/ folder, update a Discourse thread every 2 weeks.\n  - I of course volunteer to take care of this :)\n- Consensus: let’s do it.\n\n## [delroth] Packet/EQM access to infra-core\n\n- Our builders are very, very outdated. But risky to try and update stuff with 0\n  debugging capabilities.\n- Any reason why infra-core shouldn’t have full Packet/EQM access like we have\n  Hetzner access?\n  - Not entirely clear who currently has access?\n  - [zimbatm] Got access from eelco last weekend, will delegate.\n- [raito] Does nix-netboot-serve run on our infra?\n  - [hexa] Yes, on eris. The images are also built from our infra, it’s a Hydra\n    jobset. 
But the jobset has not successfully completed for a year.\n  - [hexa] We can update stuff, but we have no way to debug issues if we do so.\n- zimbatm took care of it live, woo!\n\n## [raito] Stay in the loop of infrastructure matters\n\n- How should work be split between zimbatm/raito?\n- Would like access to private infra stuff to act as secondary.\n- In general: who should have ownership to accounts?\n  - A bunch of GH org owners for example are inactive.\n  - Not really aligned with any subgroup e.g. foundation board.\n  - [zimbatm] I think the foundation should have access, but unfortunately the\n    foundation also doesn’t have the best personal security to hold those\n    credentials.\n  - [zimbatm] Maybe it should be the infra team instead? i.e.\n    delroth/hexa/vcunat/…\n  - [raito] That would work too, as long as it’s active folks who can take care\n    of day to day stuff. I don’t care that it’s specifically me, just that we\n    don’t get blocked due to not finding an owner.\n  - [zimbatm] I don’t feel like I can make that decision alone right now. Let’s\n    find some kind of organization which makes sense.\n- Raito got invited into the private infra matrix channel (at least, for now)\n\n## [Julien] NixOS wiki collaboration w/ infra team\n\n- We have a bunch of candidate sysadmins in mind. Do we want to merge this into\n  non-critical-infra?\n- [Julien] I’m a bit biased since I’m sitting on both sides of this discussion,\n  but I think this would be a good onramp to bring more people into\n  non-critical-infra.\n- [zimbatm] We can subdivide permissions on the Hetzner Cloud side of things,\n  but I’m not sure whether we should share stuff further.\n- [hexa] They have their setup mostly figured out already, including backups. We\n  can let them run with it for now, and we can always pick it up later.\n- [linus] What about inviting them to non-critical-infra and just giving them\n  access to all the non-critical-infra? 
Even if they just want to maintain the\n  wiki.\n  - [hexa] It’s about responsible for all of it. I don’t think we should grant\n    unneeded access.\n  - [Julien] +1.\n  - [delroth] I feel like if it’s official, we should treat it as such and\n    onboard it as part of non-critical infra. Doesn’t require giving them access\n    to everything.\n  - [linus] If it is official, then it should be maintained by the official\n    infra team\n  - [hexa] I think we’re mostly in agreement then.\n- [delroth] non-critical-infra should be restricted to the relevant directories\n  and go through PRs for touching other stuff\n  - [Julien] They probably want to iterate fast in the beginning\n  - [delroth] They should get a dedicated machine on Hetzner Cloud, that they\n    can play with\n  - [Julien] Too much shared code will increase reliance on core infra members.\n- [delroth] Action items\n  - Let’s give them SSH access to a Hetzner Cloud VM\n    - Or a separate project so they get direct access to machines. Might already\n      be done.\n  - Let’s make sure we agree on the idea of moving this to non-critical-infra in\n    the short/mid-term future\n  - Provision DNS etc.\n\n## External requests\n\n- Hydra DB access (raitobezarius)\n  - Hashing out details in https://github.com/NixOS/infra/issues/348\n- CA derivations for Hydra (Ericson2314)\n  - Nix 2.20 broke interop with the old Nix 2.13 we run on builders. Rolled back\n    to 2.19.\n    - https://github.com/NixOS/nix/issues/9961\n  - DB schema change applied.\n\n## Ongoing projects\n\n- [delroth] Hoping to complete the nixops deprecation this week. Then:\n  core/non-critical-infra alignment.\n"
  },
  {
    "path": "docs/meeting-notes/2024-02-22.md",
    "content": "# 2024-02-08\n\nAttendees: delroth, edolstra, hexa, JulienMalka, raitobezarius, vcunat, zimbatm\n\n## [delroth] FYI on availability next few weeks\n\n- Traveling until mid-April, low availability, will be on JST timezone (UTC+9)\n- Missing for the next 2 infra meetings\n\n## [delroth] Backups situation\n\n- How do we backup haumea, long term?\n  - borgbackup isn't really a good fit for a 500GB Postgres DB.\n  - Currently: zrepl to my personal infra and hexa's, but that's obviously not a\n    good long term solution.\n  - Used to have backups to graham's rsync.net account, but that's broken since\n    mid-Jan.\n  - [raito] Have you ever tried pg_dump's optimized dump format?\n    - [delroth] Is it fast enough to do a daily dump?\n    - [raito] unsure, but there are ways to do incremental backups:\n      - pg_basebackup + pg_dump compressed format\n\n## [hexa] Migration of Synapse from EMS\n\n- Apparently waiting for EMS to sort out removal of PII?\n- [raito] As long as there's discussion happening between Graham and EMS we\n  probably don't have to care about this, the legacy hosting plan is not getting\n  cancelled.\n- [raito] If anything goes wrong we'd likely get notified.\n\n## [eelco] Move fastly log aggregator to pluto\n\n- This is currently running on Eelco's local machine which is suboptimal.\n- Weekly script that takes Fastly logs and loads them into AWS Athena +\n  generates some aggregates.\n- https://github.com/NixOS/infra/tree/master/metrics/fastly\n- We will put that on the new Eris: Pluto\n- [eelco] I will need to create an AWS IAM to bestow the adequate permissions to\n  enable the script to run on Pluto.\n  - [eelco] I just need read/write access to Athena and some S3 bucket.\n- [delroth] Who is using this data?\n  - [eelco] You can see on that page that the reporting is generated via this\n    data\n- PII data regarding access logs of cache.nixos.org\n  - [everyone] What kind of policy do we want regarding PII and the non-critical\n 
   infrastructure? e.g. new wiki access logs are available to the non-critical\n    infrastructure\n    - Let's take note of this, think about it for the next weeks\n\n## [delroth, hexa] Machine changes\n\nOur spend on outdated AWS EC2 instances and EBS volumes is too high and we are\ncutting back on our use of EC2 and instead renew our infra at Hetzner.\n\n- Reduce AWS spending\n  - Started pruning old snapshots and EBS volumes (e.g. nixos-webserver, old\n    nixos versions)\n    - [eelco] I think it should be fine to delete them. There's a small risk\n      there could be some historical data, for instance, our subversion repo\n      used to be there as well and the nix-dev mailing list too. In theory, we\n      have copies of all of that.\n    - [delroth] I might start an instance and extract the data out there\n      otherwise I will just delete it.\n    - [eelco] There was a lot of scratch space for something… I don't remember\n      it.\n    - [delroth] I think it was bastion and is now paused.\n  - Bastion is now stopped/paused\n    - [hexa] Migrated to Eris and now to Pluto\n    - [hexa] Channel scripts are running way faster\n    - [raito] :tada:\n  - Pinged survey.nixos.org owners (@garbas), to get the limesurvey instance\n    migrated to something more reasonable\n    - [hexa] $ 150 USD/mo\n    - [hexa] Proposal: Migrate to Hetzner Cloud for a fraction of the costs\n    - [delroth] I asked Julien to look into it\n    - [delroth] In general, it's open to anyone who are looking to do\n      non-critical work\n  - Archeology machine from the cache team\n    - [delroth] Jonas, can you look into the cost? 
And can we make it start\n      on-demand?\n    - [jonas] asking edef whether they can accomodate these changes]\n- Hetzner machine renewal\n  - Phasing out eris.nixos.org (EX41S-SSD, Intel i7-6700, 64GB RAM, 2x 256GB\n    SATA)\n    - [hexa] Old hardware\n  - Created and deployed pluto.nixos.org (EX44, Intel i5-13500, 2x512GB NVME)\n    - [hexa] Slightly cheaper but modern hardware\n    - [hexa] Everything migrated except for monitoring\n    - [delroth] Some disentanglement required to migrate monitoring\n\nThere's a potential of around $700/month of savings in all those operations.\nThat is, we're offsetting our whole current Hetzner spend with those AWS\nsavings.\n\n- [delroth] Future savings (more involved):\n  - [delroth] Two layers of storage for cache.nixos.org: warm paths on Hetzner\n  - [delroth] It might be easier to do that stuff on NixOS releases S3 bucket\n    (much smaller bucket) and it's costing ~1000 USD per month in **bandwidth**\n\n## [julien] Opening non-critical to more members\n\n- [Julien] Idea of non-critical infra was to lower the barrier to entry, because\n  people could be trusted with less risky infra\n  - [Julien] I would like to post a Discourse post to look for new people who\n    might be interested to join the team\n  - [Julien] It seems like we have some issues open for non-critical infra and\n    let people to tackle them and could constitute a first project\n    - [delroth]\n      https://github.com/NixOS/infra/issues?q=is%3Aopen+is%3Aissue+label%3Anon-critical-infra\n  - [Julien] I think it's a good time to do such a post and reach out\n  - [Julien] I wanted to know with everyone if it was okay to invite new people\n  - [delroth/zimbatm] Yes\n  - [delroth] I think the most important thing is to know who will take care of\n    onboarding and leading the work\n  - [Julien] I am ready to handle the onboarding load and the lead, I would\n    prefer to manage newcomers rather than do all the stuff by myself\n\n## [delroth, hexa] 
Deployment changes\n\nWe removed nixops and deployment now happens from a `flake.nix`. The plan is to\ngo for colmena eventually.\n\n- Deployment via\n  `nixos-rebuild --flake .#<host> --target-host root@<host>.nixos.org\n  --use-substitutes switch`\n- NixOps generated configuration was imported and is being migrated, for example\n  we:\n  - started using agenix for secrets management and imported existing secrets\n  - and migrated Network configuration to systemd-networkd/resolved\n\n## [delroth, hexa] Infra Changelog\n\n- All machines are now running on NixOS 23.11\n- Migrated haumea's database to PostgreSQL 16\n- Align timezone across machines\n- Fix backup of haumea's database\n  - zrepl to delroth and hexa\n  - rsync.net stopped working due to zrepl API version mismatch\n- Enabled trimming and scrubbing on all ZFS pools\n\n- Fix the fastly-exporter deployment\n  - Migrated to nixpkgs module, which\n    [required its own fixes](https://github.com/NixOS/nixpkgs/pull/287348)\n  - Generated a new API token, the old one was invalid\n  - 📊\n    [Dashboard](https://monitoring.nixos.org/grafana/d/SHjM6e-ik/fastly?orgId=1)\n- Fixed\n  [race condition and world-writable state\n  file](https://github.com/packethost/prometheus-packet-sd/issues/15) upstream\n  in packet-sd\n- Added alerting for\n  - Failed systemd units\n  - [Domain expiry](https://github.com/NixOS/infra/pull/249) within the next 30\n    days\n- Lazy loading of eval errors on hydra (Patch by @ajs124)\n  - Reduces page sizes on the common jobsets/evals by 15-20MB to a few kBs\n  - More work needed, because error logs are still being fetched from the DB,\n    just not rendered\n- Services migrated to pluto.nixos.org\n  - channel-scripts/hydra-mirror\n  - netboot\n  - rfc39\n- Removed and refactored legacy code, e.g.\n  - hydra-provisioner\n  - delft/network.nix\n"
  },
  {
    "path": "docs/meeting-notes/2024-03-07.md",
    "content": "# 2024-03-07\n\nAttendees: hexa, vcunat, zimbatm (Jonas), Linus, Julien, Raito/Ryan, Jade (most\nof the time)\n\n## [hexa] arm64 hetzner machine config\n\n- Dump it into a new directory in the infra repo, allow infra-build to deploy\n  - vcunat: There's an issue containing the bits of the configuration\n  - vcunat: I assumed we wanted to migrate it directly to a new deployment\n    system\n  - hexa: delroth wanted to script out iPXE but this has not panned out yet, we\n    discovered we had DHCP available, which is promising\n\n## [zimbatm] Round table\n\nWhat is on everyone's mind? What are your plans?\n\n- Linus:\n  - Happy to help out with stuff, pairing on with anything\n  - zimbatm: Do you think we should do a better presentation?\n  - linus: I think that'd be good\n- hexa:\n  - Looking at iPXE, hold us back the most right now\n    - will coordinate with delroth, if he has already anything\n  - Open to discuss the Ceph scenario\n    - A lot of discussions ongoing with the self-hosted binary cache, that's\n      good\n    - We are running into questions that cannot be answered by anyone\n      - What should be the availability?\n      - What should be the durability?\n      - Discussion running in circles right now\n    - Form a tightr discussion group\n      - So that you can identify the main points\n      - And address them\n      - And not run into circles\n- vcunat:\n  - Continuously busy with staging iterations\n  - Unblocking difficult to access machines, e.g. 
aarch64 machine\n  - There's actually more of my machines in the infra and that also requires\n    update\n  - Small benchmarking machine that makes sense:\n    - t2a\n    - The point is to have consistent benchmarking data\n    - Linus: we definitely don't have cloud VMs for benchmarking, we probably\n      want dedicated hardware\n  - zimbatm: could you potentially create a ticket to make an inventory of your\n    machines?\n  - vcunat: there's two machines: t2a and t4b only really\n- Julien:\n  - _Short-term_: I would like to onboard more folks on non-critical\n    infrastructure\n    - I would like to give them tasks to do end to end\n    - Difficult to do with the current list of tasks atm\n  - The wiki is also something I also want to get out ASAP\n    - The technical issues are basically non-existent, just a little bit more\n      work to do\n    - Then announcements, onboard people to do editorial work, and that's it\n    - We are near ready to launch\n  - zimbatm: Bitwarden\n    - Julien: we need to move the data from old to new and inform the change to\n      the users\n    - zimbatm: OK, we need to organize that migration\n    - Julien: we can discuss this async\n  - Interested also in cache self-hosting discussions\n    - We have momentum and it'd be nice to have some sort of stance from infra\n      people\n    - Addressing the recent unrest regarding the public stance of infra on self\n      hosting\n    - zimbatm: we should/could do a proof of concept so we can get a feeling\n      about how easy is it to operate\n- Ryan:\n  - Recommend https://github.com/zhaofengli/colmena/pull/198\n\nThings to pick up for infra:\nhttps://github.com/NixOS/infra/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc+label%3Anew-service\n\n## [hexa] darwin access\n\n- hexa: We have an inventory problem\n  - What machines exist? 
What machines should we be able to access?\n  - Important so we can delegate access and unblock work\n\n- Braindump\n  - Apple M1 at Hetzner (hydra)\n  - Apple M1 in Graham's basement (???)\n  - Apple M1 at Macstadium (ofborg)\n  - Apple x86_64 at Macstadium (ofborg)\n\n## [hexa] ofBorg access\n\n- hexa: we have some folks who want to work on OfBorg but cannot because they\n  are not empowered to do so\n  - it also goes via the buildkite management mechanism from Graham\n\n## [raito] aarch64.nixos.community management\n\n- https://github.com/NixOS/aarch64-build-box/\n  - managed by community or infra?\n  - zimbatm: it used to be in the nix-community infra, but because the\n    nix-community does not have access to the Packet account\n  - hexa: in the past, the worst we had was debugging kernel issues, which is\n    difficult w/o packet access\n  - utilized by ofBorg, too, not a problem because we don't need to trust its\n    build results\n  - zimbatm: will talk with zowoq, who manages the nix-community day-to-day\n    operation\n\n## Changelog\n\n- Cancelled the contract for `eris.nixos.org` (ends after 2024-02-28)\n  - All services have been migrated to pluto.nixos.org\n- Set up backups for Prometheus, Grafana, VictoriaMetrics\n- The primary hostnames for Prometheus and Grafana have changed\n  - https://prometheus.nixos.org\n  - https://grafana.nixos.org\n  - Redirects for the old hostname/path are in place\n- Hydra changes\n  - Increased pipe size to improve queue-runner performance\n  - Increased retention interval of Prometheus to two years so we have more\n    history to evaluate these changes\n- Builders have received the fix for\n  https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37\n- GitHub App for wiki.nixos.org so users can log in.\n"
  },
  {
    "path": "docs/meeting-notes/2024-03-21.md",
    "content": "# 2024-03-21\n\nAttendees: hexa, vcunat, Linus, zimbatm, Eelco, Janik, raitobezarius, Alex\n\n## Round table\n\n- zimbatm\n  - had no spoons to think about cache\n- vcunat\n  - expensive nixos tests that could be improved\n  - noticed `nixos-disk-image.drv` steps taking a long time in send/receive\n    phase\n- hexa\n  - unhappy with the board decision to let Anduril sponsor, like delroth. At an\n    impasse. We need to find a way to work on this together.\n  - not sure if delroth is ultimately out.\n  - don't want to burn out if delroth is gone.\n  - I also don't want to invest time when the org agrees to military\n    sponsorship.\n  - Next step: get to the policy, connect with delroth to see if we can keep\n    working on it together or not.\n- Janik\n  - opened issue after the open board calls about meeting infrastructure.\n    https://github.com/NixOS/infra/issues/401\n  - PR with Jitsi probably soon.\n  - Do we have a database for the pads?\n    - hexa: should be colocated with the machine.\n  - Jonas: do we have hardware for this?\n  - hexa: we can try it on caliban. 
If it grows too big we can move it.\n- Linus\n  - happy to review what Janik is doing.\n  - happy to pair with anyone\n- Eelco\n  - what's the plan with the self-hosting?\n    - still in discussion, we intend to do some exploration with Ceph\n  - we still need to find a way to pay for the cache.\n- Alex Ou\n  - NixCon NA attendee.\n  - Interested in infrastructure; their main use of NixOS is managing a\n    bare-metal fleet of servers\n- Raitobezarius\n  - Concerned with the state of the infra, due to delroth ragequitting.\n  - Tigris Data: CDN+S3 built on top of fly.io that might be interested in\n    sponsoring us.\n  - Meeting with PCH.org: have hundreds of datacenters, they can offer\n    everything in terms of storage infra.\n    - Lots of POPs\n    - Storage\n    - ...\n    - Proposition in progress.\n  - Would like to update the set of people in infra core to account for\n    inactive people, so that we can reason about who has access and, from\n    that, about trust.\n    - Eelco?\n    - Graham?\n    - Amine?\n    - Proposal: remove access, and restore if needed\n    - Eelco agreed. (Actually Eelco needs to reconsider.)\n"
  },
  {
    "path": "docs/meeting-notes/2024-04-18.md",
    "content": "# 2024-04-18\n\nAttendees: delroth, Janik, dgrig, vcunat, raitobezarius, hexa, Linus, Weija\n\n## Topics\n\n- [delroth] Bringing up the topic of Keycloak / Kanidm again\n  - We'll probably want it for Jitsi? I'd also love to drop user management\n    stuff from Hydra.\n  - Other use cases:\n    - Wiki? (I'm guessing mediawiki can SAML)\n    - Pads? (for meeting notes that we'd rather not have vandalized)\n    - Calendar?\n    - Hydra? https://github.com/NixOS/hydra/pull/1298\n  - [hexa] Requirements:\n    - GitHub login, and being able to read organization membership info\n    - Maybe Dex can do what we want as well? Proxy to backend apps\n      - @raitobezarius in chat:\n        [oauth2-proxy](https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/github/)\n        as well exist\n      - @raitobezarius in chat:\n        [SATOSA Proxy](https://github.com/IdentityPython/SATOSA) can be used to\n        do SAML2<->Social Login\n\n- [delroth] releases.nixos.org S3 costs\n  - tl;dr discovered last week that the bandwidth costs rose significantly for\n    no known reason\n  - Shape of the growth looks organic but there shouldn't really be anything\n    causing it.\n  - Fastly logs analysis showed nothing interesting.\n    - Some access is blocked by\n      [eelco not sharing credentials](https://github.com/NixOS/infra/pull/388#discussion_r1545856527)\n  - Enabled S3 logging, haven't analyzed yet.\n  - Cost Explorer might be indicating that this isn't actually\n    releases.nixos.org but something else in eu-west-1 also using S3? But then\n    what? (or is Cost Explorer broken? 
wouldn't be too surprising)\n\n- [Janik] Jitsi on non-critical-infra\n  - nixpkgs+infra PRs were reviewed\n  - Still blocked on tracking down a bug\n  - Probably will land soon (if someone helps with debugging)\n\n- [delroth] What do we still not have access to?\n\n  | Hostname                       | System         | Location   | Purpose                     | Access <br>infra-build | Access <br>infra | Comment                                   |\n  | ------------------------------ | -------------- | ---------- | --------------------------- | ---------------------- | ---------------- | ----------------------------------------- |\n  | haumea.nixos.org               | x86_64-linux   | Hetzner    | Hydra database              | have                   | \\-               |                                           |\n  | makemake.nixos.org             | x86_64-linux   | Hetzner    | NGI Hydra                   | \\-                     | \\-               | via https://github.com/ngi-nix/ngi0-infra |\n  | intense-heron.mac.nixos.org    | aarch64-darwin | Hetzner    | Hydra builder               | want                   | \\-               |                                           |\n  | sweeping-filly.mac.nixos.org   | aarch64-darwin | Hetzner    | Hydra builder               | want                   | \\-               |                                           |\n  | maximum-snail.mac.nixos.org    | aarch64-darwin | Hetzner    | Hydra builder               | want                   | \\-               |                                           |\n  | growing-jennet.mac.nixos.org   | aarch64-darwin | Hetzner    | Hydra builder               | want                   | \\-               |                                           |\n  | enormous-catfish.mac.nixos.org | aarch64-darwin | Hetzner    | Hydra builder               | want                   | \\-               |                                           |\n  | rhea.nixos.org                 | x86_64-linux   
| Hetzner    | Hydra                       | have                   | \\-               |                                           |\n  | caliban.nixos.org              | x86-64-linux   | Hetzner    | NC-Infra                    | have                   | x                |                                           |\n  | aa-hetzner-1.nixos.org         | aarch64-linux  | Hetzner    | Hydra                       | have                   | \\-               | config import infra repo todo             |\n  | pluto.nixos.org                | x86_64-linux   | Hetzner    | Monitoring, Channel-Scripts | have                   | \\-               |                                           |\n  | aarch64.nixos.community        | aarch64-linux  | Equinix    | Community/ofborg builder    | \\-                     | \\-               | on demand                                 |\n  | 208.83.1.145                   | aarch64-darwin | Macstadium | OfBorg builder              | want                   | \\-               |                                           |\n  | 208.83.1.173                   | x86_64-darwin  | Macstadium | OfBorg builder              | want                   | \\-               |                                           |\n  | 208.83.1.175                   | x86_64-darwin  | Macstadium | OfBorg builder              | want                   | \\-               |                                           |\n  | 208.83.1.181                   | aarch64-darwin | Macstadium | OfBorg builder              | want                   | \\-               |                                           |\n  | 208.83.1.186                   | x86_64-darwin  | Macstadium | OfBorg builder              | want                   | \\-               |                                           |\n  | ofborg-core                    | x86_64-linux   | Equinix    | OfBorg controller           | want                   | \\-               | on demand                               
  |\n  | netboot-foundation             | x86_64-linux   | Equinix    | ?                           | \\-                     | \\-               | on demand                                 |\n  | ofborg-evaluator0              | x86_64-linux   | Equinix    | OfBorg evaluator/builder    | want                   |                  | on demand                                 |\n  | ofborg-evaluator1              | x86_64-linux   | Equinix    | OfBorg evaluator/builder    | want                   |                  | on demand                                 |\n  | ofborg-evaluator2              | x86_64-linux   | Equinix    | OfBorg evaluator/builder    | want                   |                  | on demand                                 |\n  | ofborg-evaluator3              | x86_64-linux   | Equinix    | OfBorg evaluator/builder    | want                   |                  | on demand                                 |\n  | ofborg-evaluator4              | x86_64-linux   | Equinix    | OfBorg evaluator/builder    | want                   |                  | on demand                                 |\n  | small-c3.large.arm64           | aarch64-linux  | Equinix    | Hydra builder               | have                   | \\-               | on demand                                 |\n  | big-parallel-c3.large.arm64    | aarch64-linux  | Equinix    | Hydra builder               | have                   | \\-               | on demand                                 |\n\n## Changelog:\n\n- Removed unused apps on the infra repo\n  - Slack (unused)\n- Removed apps from release-wiki repo\n  - HackMD (unused)\n- Removed unused apps on the org level\n  - Bors (discontinued)\n  - Marvin-MK2 (discontinued)\n  - Travis-CI (unused)\n- Hydra web UI is fast^W not as slow now (+ other improvements)\n  - https://github.com/NixOS/hydra/commit/6189ba9c5e5308e17a7d1fb7f38443272a70f072\n  - Queue runner CPU-heavy operations throttling:\n    
https://github.com/NixOS/hydra/commit/a51bd392a22fba5b0a0d90e2204a608b78c37ce1\n- Fastly shielding location fixed for releases.nixos.org and tarballs.nixos.org\n  (used to go transatlantic for no good reason)\n- http:// redirects to https:// for all our S3 buckets except cache.nixos.org\n  (broke nix-index, temporarily reverted)\n"
  },
  {
    "path": "docs/meeting-notes/2024-05-30.md",
    "content": "# 2024-05-30\n\nAttendees: hexa, vcunat, zimbatm, kenji, sterni\n\n## Round table\n\n- [hexa]\n  - Updating Hydra to Nix 2.20\n    - Ran into (known) regression\n      - https://github.com/NixOS/nix/issues/9961\n    - vcunat rolled us back to the previous config\n    - TODO: needs to persist rollback in git\n    - nixpkgs is stuck on 2.18\n    - next step: wait on the next stable Nix release (in nixpkgs)\n  - Did a round of rotating shared passwords: Hetzner, Netlify (set up 2FA), ...\n- [vcunat]\n  - Not anything else significant\n- [kenji]\n  - Curious visitor\n- [sterni]\n  - Nothing in particular\n\n## Topics\n\n- [hexa] Vaultwarden mail delivery\n  - prevents onboarding of new people\n  - https://github.com/NixOS/infra/issues/430\n  - solution:\n    https://github.com/NixOS/nixos-wiki-infra/blob/main/modules/postfix.nix\n  - talking to Julien about whether he can take it, with fallback to hexa\n\n- Netlify\n  - Need to talk to Marketing if GitHub pages would be sufficient\n    - Netlify provides preview environments\n  - Annoying because\n    - it's expensive,\n    - DNS is crap,\n    - cost is per-user, so we have to share a password.\n\n- [hexa] API modernization in sign-binary-cache script\n  - https://github.com/NixOS/nixos-channel-scripts/pull/72\n  - Not used for hydra.nixos.org\n  - Should close the PR and remove the script to not mislead more people\n\n- [zimbatm] Wants to transition out of the team\n  - Talked with hexa previously in private to take over team lead\n  - The person doing the things should be leading the team\n  - Transition out over the next month or so\n  - Maybe focus for the next month could be on making contributing to the infra\n    repo more comfortable, needs more people who contribute to infra feel\n    welcome\n"
  },
  {
    "path": "docs/meeting-notes/2024-06-13.md",
    "content": "# 2024-06-13\n\nAttendees: hexa, vcunat, Julien (partially), Eelco\n\n## Round table\n\n- Julien\n  - currently otherwise occupied\n  - wants to finish the Lime survey migration away from AWS EC2 to non-critical\n    infra\n- vcunat\n  - Full disk on Haumea\n  - Checking on tarball mirroring service\n    - wasn't working for the last two weeks, we failed to notice\n    - issue in nixpkgs caused breakdown\n    - tending to the script and will merge the fixed version back\n- hexa\n  - Haumea's backup location\n    - Super write-intensive\n    - Return to rsync.net\n  - tried updating delft/* to 24.05 but hydra wouldn't compile\n- Eelco\n  - Interested in the cost-increase on the release bucket\n    - March 6xxx USD\n    - April 9700 USD\n    - May 8200 USD\n    - Still increasing as of June\n  - Need to move forward with the S3 Bucket (Cache & Releases)\n    - Move data into Glacier, would be cheaper there, but not accessible from\n      cache.nixos.org anymore\n    - Moving things out of Glacier expensive, cheaper when we batch requests and\n      request them for the next day or so\n    - Plan to move to Tigris data, they would give us a discount, and egress is\n      currently free\n    - Need to get the relevant people in a room to make a final decision\n      - Eelco\n      - Edef\n      - Jonas\n      - Infra Build (hexa, vcunat)\n\n## Action items\n\n- Check Prometheus Alerting Pipeline, no Alerts since May 21\n- File issue about hydra/nix build failures\n- Schedule call about S3 bucket decision with Eelco, Jonas, Infra-Build\n\n## Full disk on haumea\n\n- The ZFS pool (1 TB) on Haumea has been running full in the last few days,\n  leading to the PostgreSQL database to be unavailable\n- Multiple options\n  - Reducing number and frequency of snapshots\n    - 3x5m, 4x15m, 24x1h, 4x1d, 3x1w\n      - [vcunat] 5 minutes probably excessive\n  - Replace haumea with a machine with bigger disks\n    - AX101 ~100 EUR/Mo\n  - Long-term maybe prune Hydras 
database\n    - or set up a new database and copy only the config over\n\n- Spend some more time debugging the situation, if it doesn't work out go for a\n  bigger machine\n\n## Acquire rsync.net account for database backups of haumea\n\n- Previously rsync.net, but Account was paid by Graham. He eventually deleted\n  that account\n- Currently only backup location is on hexa's NAS at home\n- Backup size is currently 1.7TiB\n- At 1.2 Cents per GB/Month that would cost ~24 USD/Month for 2TiB\n  - https://www.rsync.net/signup/order.html\n\n## E-Mail Alias Management\n\n- Rok would like access, so that he can switch around the alias on the\n  streamyard account that the Marketing team uses\n- Resource currently managed by Infra-Build\n- Not enough opinions, discuss in internal infra room instead\n\n### Changelog\n\n- Non-Critical-Infra updated to NixOS 24.05\n  - migrated to systemd initrd\n- Local Postfix setup for mail delivery from vault.nixos.org\n- Owncast instance at live.nixos.org was set up\n- Synapse Reverse-Proxying uses Unix Domain Sockets now\n"
  },
  {
    "path": "docs/meeting-notes/2024-06-27.md",
    "content": "# 2024-06-27\n\nAttendees: edef, hexa, vcunat, zimbatm\n\n## Round table\n\n- hexa\n  - Large PostgreSQL snapshot sizes caused by autovacuuming likely rewriting\n    Indices (https://github.com/NixOS/infra/issues/446)\n\n  - Actionables:\n    1. Setup rsync.net account, so we can have a proper backup, and help hexa's\n       pipe\n    2. Try lighter compression with lz4 because we are seeing CPU load\n       bottlenecking\n    3. https://github.com/NixOS/infra/pull/447\n  - Tried the limesurvey migration. Slightly cursed because NixOS 22.05. Upgrade\n    path not clear because of incompatible DB versions. Might need a fresh\n    instance after talking to the marketing team.\n\n- vcunat:\n  - Haumea zrepl snapshot frequency to accomodate the smol pipe of hexa's backup\n    target\n    - DB crashed due to full disk and would stop Hydra from working\n\n- edef:\n  - Discussed with tomberek and jonas with getting the Glacier copy started. For\n    only large objects to keep it simple.\n  - The release bucket traffic has grown again?\n    - edef: it doesn't seem that sizable based on the graphs I am watching\n    - hexa: did you see the chart Eelco posted? they looked worrying\n    - edef: to the fastly endpoint\n    - hexa: AWS\n    - edef: (looking the AWS Price explorer) looks like 1000 USD/month (30\n      USD/day), not exploded\n  - 2000/2010 style infra team\n    - We get this software thrown over and shall run it\n    - How can Hydra be made future-proof?\n    - Who maintains Hydra? 
Who makes sure the software works for the infra stack\n      we can provide?\n    - hexa: Only Ericson updates Hydra to new Nix versions, probably for CA\n      derivations, not much else is happening\n    - vcunat: Scale has increased much over the years since Hydra was written,\n      and it hasn't kept up\n    - edef: too few people to commit and cover stuff\n    - biggest issues:\n      - queue-runner cannot compute runnables faster than they are getting\n        consumed\n      - hydra kept busy with expensive xz compression of all results it gets\n\n- jonas:\n  - requester pay on the release S3 bucket?\n    - last rollout resulted in 404 (silent 403s)\n    - we use the same code as for the cache\n    - edef: I tried the fastly code for the cache bucket. Tried it on a separate\n      deployment. It doesn't appear to experience the same issues. Doesn't\n      require a privileged token. Not sure how to further debug that.\n  - could talk about tigris data\n    - edef: let's get stuff in there\n    - edef: need to talk to AWS for free egress\n    - jonas: just the release bucket for now, because we have issues with it\n"
  },
  {
    "path": "docs/meeting-notes/2024-11-14.md",
    "content": "# 2024-11-14\n\nAttendees: jkarni, zimbatm, mic92, infinisil, kenji, drig/erethon, arian, sam ,\nhexa, jeremy, jeff\n\n## Round Table\n\n### Ofborg\n\n- Mic92: POC to evaluate nixpkgs on GitHub Actions. Results looked promising.\n  nixpkgs-review would run in 5 minutes. the ofborg-eval was heavily swapping\n  and taking 15min.\n- Infinisil: people might have to enable GHA in their fork, which is disabled by\n  default\n  - Mic92: I didn't see this behaviour?\n  - Kenji: I think Github changed some defaults\n    - ref:\n      https://github.blog/changelog/2024-11-05-notice-of-breaking-changes-for-github-actions/#changes-to-workflow-validation-for-pull-requests-originating-from-forked-repositories\n  - Mic92: I think this is true for periodic\n  - Infinisil: trying now for a new user\n- Mic92: if we want to pursue GHA, we would have to evaluate nixpkgs twice\n  because we need to get the store paths for master, and the changes of the PR,\n  and then we can compute all packages that have been changed, and append that\n  textfile as data. This can then be re-used by nixpkgs-review.\n- Arian: why are we not using the PR workflow?\n  - Mic92: concurrency issues (limit of 20 runners per org).\n  - TODO: check if we hit the limit\n- hexa: the idea to comment on the PR is to compensate for the visibility issue?\n  - Mic92: yes. 
it sucks a bit, but this could be mitigated by a small web\n    service.\n  - A thin wrapper that receives a webhook, checks back the PR status and\n    translates it as a comment.\n- Infinisil: wouldn't it be possible to have a workflow that polls on behalf of\n  the user?\n  - It's a workflow that tries to find the workflow on the user's push, in their\n    fork.\n  - It would be triggered every time you synchronize the PR.\n  - Mic92: can you set this up in a way that the workflow gets triggered once\n    the workflow is finished?\n  - Infinisil: I think you need to poll for this.\n  - Mic92: Is it a 1:1 mapping, or 1:N?\n  - infinisil: Something like\n    ```yaml\n    # .github/workflows/query-pr.yml\n    on: pull_request_target\n    jobs:\n      check:\n        runs-on: ubuntu-latest\n        steps:\n          - run: |\n            gh api /repos/BASE_REPO/commits/GITHUB_SHA/check-runs\n    ```\n  - Worry: Offloading OfBorg on to GH could give us trouble, because it might\n    not be insignificant compute.\n- Jeremy: is this confined to PRs, or running on all branches?\n  - Mic92: it would be on push, but checking if the branch is part of the PR.\n  - Mic92: actually, there might be some synchronicity issue, because the PR\n    happens after the push.\n  - Mic92: Because of that we might need a webservice that can trigger actions\n  - Mic92: can we get an event when we open a PR?\n\n- Arian: Team plan gives us 60 concurrent actions by the way. 
(And team plan is\n  free for non-profit orgs)\n\n- Pushes don't have a base branch, need a base branch to compare the out paths\n  - Mic92: only if not open as a PR\n  - infinisil: Can pre-compute the out paths on push, cache out paths on Nixpkgs\n    master, then comparing can be done in a PR action fairly easily\n\n- Jonas: who is going to make this happen?\n  - Infinisil, Alex Balsoft, Jeremy after early December, Mic92 can write some\n    scripts and don't want to lead (want to work on the binary cache).\n\n- Infinisil: not convinced if that's a good idea.\n\n- Jonas: What would it take to get to feature parity\n  - What is the minimal set?\n  - Mic92: Minimal - Evaluate Prs\n  - Mic92: 2nd Phase - We can build packages.\n  - Mic92: Labels for mass-rebuilds\n  - Silvan: Requests reviews from maintainers (maybe not needed?)\n  - Silvan: Don't need to build manual with OfBorg anymore (Is already built in\n    ci)\n  - Silvan: Evaluating without aliases\n  - Jonas: Discourage IFD's\n  - Silvan: Maybe it really is good to split this up in two parts:\n    - Evaluating\n    - Building\n\n- Arian: Average job queue time is currently 9s:\n  https://github.com/NixOS/nixpkgs/actions/metrics/performance\n- Arian: I would aim for: Lets just try with `pull_request:` and only do the\n  complicated `push:` abuse if that job queue time is gonna go up significantly\n- Jonas: Looking forward to having eval failures to block merges!\n\n- Silvan: Who can review pr's and help out:\n  - kenji: +1\n  - balsoft: +1\n  - Mic92: +1\n  - dgrig/erethon: +1\n- Silvan: Can add GH Team to ping for this issue\n- Silvan: TODO - Mention this effort on Discourse\n\n- Mic92: How do we coordinate?\n  - Main Evalation\n  - Figure out parts we can parallelize:\n    - most parts are fairly orthogonal\n\n- Silvan: Somebody could lead the Building part:\n  - Mic92: Find someone who can help out, maybe on discourse?\n  - Silvan: GH doesn't have all the architectures\n  - Mic92: Start with the ones we 
have currently\n  - Silvan: If we don't need ealuation anymore - this could save a lot of\n    resources, could optimize\n  - hexa: Yes, but it might not apply on top of staging for example\n  - Silvan: Yes, staging can probably be ignored\n  - hexa: Yes, it tries to build against the target branch, led to some\n    problems, for example always trying to build llvm on darwin -> continuuous\n    timeouts\n  - Mic92: A ton of stuff we could potentially optimize\n  - Silvan: Empower users to build on more architectures\n  - Mic92: Convenient to have logs in public\n  - Mic92: I would like to see a /build command, so that builds can be manually\n    triggered\n\n- Silvan: Optimization of the Eval part:\n  - look at path that actually changed\n  - mic92: Aware of nix script that gives names of paths that are actually\n    changed?\n  - Silvan: Yes\n  - Mic92: If heavy swapping, then it might speed up, else we might see a slow\n    down\n\n- Silvan: Where should we report?\n  - discourse?\n  - Mic92: Discussion would be nicer on GH, because we can link issues/pr's.\n\n## Topics\n\n- Transfer of the Macs located at Detsys to Flying Circus\n  - Scheduled for 2024-11-25\n  - Currently enrolled into Detsys MDM Account. 
Can we set something up to\n    migrate that to an infra team account?\n    - Report back the result to the Mac Mini Logistics room on Matrix\n    - MDM built into macs, but need to be enrolled into an mdm vendor\n    - Arian: Don't have to do it, but very convenient\n    - Mic92: if there are no major problems, should look into MDM as well.\n- Oakhost Macs are available\n  - Need the usual setup\n  - 3 new machines\n  - arian can set this up\n  - initial password\n  - Mic92: Mac enrollment not very automated yet, last time hexa wrote some\n    stuff down\n  - Arians keys needs to be added to the repository\n  - Arian:\n    - need access to oakhost\n    - ssh key to infra\n- Mac Issues:\n  - hexa: Forking issues on seqoia\n  - hexa: Running quite well atm\n  - hexa: Patched out chrooting of nix, applied patches on top of darwin\n    builders\n  - hexa: Not sure exactly why that works\n  - hexa: Upstreaming rosetta2-gc to nix-darwin currently\n  - hexa: darwin 15.1 had issues -> hetzner doesn't roll back (need rescue mode)\n  - hexa: Rollbacks likely possible with mdm\n  - arian: We can likely add hetzner darwin machines to be managed by mdm, but\n    not too sure\n  - arian: Looks into if we can add without physical access, look into what\n    detsys did\n- Equinix Metal Exit Plan\n  - https://md.darmstadt.ccc.de/eqm-exit-plan\n  - hexa: This is what we had, this is what we need, this is what it is going to\n    cost.\n  - mic92: Should we check out what we need for the arm64 builders?\n  - hexa: Basically choice between: 64GB, or 256GB of memory\n  - hexa: Likely want the bigger memory\n  - Mic92: Can try the same for arm64, for x86 we can look in to funding.\n  - Mic92: How long do we need for set up? - a day? Shouldn't take long to set\n    up.\n  - Mic92: I will set this in motion, unless someone else want's to reach out.\n  - Mic92: Ok, I will do it.\n  - hexa: Ideally we don't have 20 small machine, but 5 big machines. 
Which\n    would be good for maintenance reasons. Because we likely won't get a netboot\n    setup anymore.\n- Security Tracker\n  - dgrig: Jonas gave me access to a Hetzner Cloud project a couple of weeks\n    ago. A VM is up and running, I'm figuring out how to implement this in the\n    same way as nixos-infra.\n  - dgrig: Do we care about having this in Terraform? I used TF to spin this up,\n    but the state is on my computer currently, do we care to push it to S3?\n  - dgrig: Can I do `nixos-installer --flake nixos/nixos-infra`? How can I\n    install the nixos-infra?\n  - Mic92: Inputs :\"${inputs.nixos-infra}/keys\" can convert to string.\n  - Example:\n    ```nix\n    users.users.root.openssh.authorizedKeys.keys = [] ++ (builtins.filter (l: l != [ ]) (builtins.split \"\\n\" (builtins.readFile inputs.phaer-keys)));\n    ```\n  - dgrig: Do we care about the Terraform state yet?\n  - hexa: Do we need the state yet?\n  - dgrig: It is the tf state\n  - consensus: We don't care\n  - Jeremy: Nit - export the keys as a module\n"
  },
  {
    "path": "docs/meeting-notes/2025-04-03.md",
    "content": "# 2025-04-03\n\nAttendees: dgrig/erethon, mic92, vcunat\n\n- erethon:\n  - Tested umbriel email server -> works https://github.com/NixOS/infra/pull/600\n  - Security bug tracker: no news, still running and ingesting CVEs.\n  - Want to work on deprecating go-neb for matrix-alertmanager tomorrow (4/4)\n    https://github.com/NixOS/infra/issues/549#issuecomment-2764778573\n- mic92:\n  - Our Nixos infra hydra patches needs to be fixed or merged into master:\n    https://github.com/NixOS/hydra/pull/1456\n  - staging-hydra:\n    - Works and trial-migration worked.\n    - We still need to figure out how to copy old store path from old\n      evaluations to the new cache (worked with shivaraj and m1-s)\n      - maybe we can use\n        https://releases.nixos.org/nixpkgs/nixpkgs-17.03pre96825.497e6d2/store-paths.xz\n        instead\n    - Glacier can be actually also quite expensive or very slow access\n      - small objects need to be excluded through filters\n      - migration costs from s3\n- vcunat:\n  - Hydra:\n    - Runs stable\n    - No big issues, xz compression bottlenecks less worse because of more CPU\n      power\n    - Build-ingestions of queue-runner is the new bottleneck (maybe a large\n      latency between s3 and the server)\n- Jeremy:\n  - Mailserver:\n    - Everything prepared and we just need to update DNS and sunset the old\n      service\n    - Maybe need another dump of the user\n    - Saturday: 16:00 UTC / 18:00 Berlin Time\n- Arian:\n  - binary cache:\n    - looked into moving parts of the binary cache into instant access glacier\n      tier\n    - phased approach. E.g. start with `nars/a*` then `nars/b*` etc ...\n    - rule of thumb: access is twice as expensive but storage twice as cheap\n      compared to infrequent access. 
but same latency guarantees\n    - TODO: Please give Mic92 the s3 cost sheet\n    - current storage (not bandwidth cost):\n    - Want to enable object versioning on narinfos\n- edef:\n  - https://releases.nixos.org/nixpkgs/nixpkgs-17.03pre96825.497e6d2/store-paths.xz\n  - narinfos are always in standard tier, due to small size. (Except for some\n    pathologically large narinfos)\n  - rules\n    - recent retrieval\n    - recent upload\n    - or in releases.nixos.org\n"
  },
  {
    "path": "docs/meeting-notes/2025-04-17.md",
    "content": "# 2025-04-17\n\nAtttendees: zimbatm, arian, erethon, hexa, Mic92, jfly\n\n- zimbatm:\n  - Official leadership rotation to hexa\n  - Rotation permissions for zimbatm and eelco in various places\n    - Gandi\n    - GitHub\n    - others...\n\n- erethon:\n  - Security bug tracker: Development is restarting\n    - https://tracker.security.nixos.org/\n  - Want to restart makemake.ngi.nixos.org, who has access to the Hetzner Robot\n    account if things go south?\n    - Remote KVM via Infra\n    - Infra-Build holds Hetzner Accesss\n    - @Mic92 mentioned Hetzner supporting Subaccounts, let's investigate that\n  - Go-neb Deprecation\n    - Still WIP\n    - https://github.com/NixOS/infra/issues/549#issuecomment-2782452767\n    - Links to Grafana/Prometheus/Alertmanager would be useful\n\n- hexa:\n  - Onboarding US Macs (delegated to Arian)\n    - Winter has worked on getting Apple Business and Mosyle\n  - DNS migration\n    - Prompted by shared access with Marketing to Netlify\n  - Adopted hopeful-rivest (RX170)\n  - Mailserver\n    - Authenticated Receive Chain\n    - Will get Commit Access to nixos-mailserver\n    - nixcon.org Mail Migration\n\n- arian:\n  - AWS Account cleanup and audit\n    - Did an audit of all access to the Logicblox account\n\n    - Can somebody copy over the messages I sent in infra-internal about my\n      research there? I lost access to my Matrix history due to deleting it\n      because of the spam issue.\n    - Going to disable unused high-privilege IAM roles and users that are\n      probably from the Logicblox days\n    ```\n    I am going to disable the roles accessible by that account now.  And I suggest we delete them in a few weeks if nobody complains?\n\n    There is also some other external account ids that are in use:\n\n    * 297794765570 (has read only access. Seems to be from the same time as 33233536009 which has access to the same read only role).\n    * CrowdStrike (has access to audit logs. 
hasn't accessed our account on like 500 days. Delete?) \n    * CloudCheckr (accessed some metadata a few hours ago. Seems to be an AWS cost management tool)\n    * Fastly logs (this makes sense)\n    * Duckbill Group (makes sense but maybe we can delete now?)\n    ```\n\n  - Do we want to terraform the AWS management account?\n  - Want to enable CloudTrail audit logging for all our accounts in our\n    management account.\n  - Working on moving AMI builds out of Hydra to GHA. Almost done. Uses qemu\n    emulation for the aarch64 build as opposed to KVM but works fine.\n    https://github.com/NixOS/amis/pull/262\n    - Mic and I had the plan to do the same for ISOs at\n      https://github.com/NixOS/images - do we still want to work on that?\n  - Planning to meet up with edef semi-regularly regarding s3 stuff\n  - Wanted to look into the Glacier migration or Intelligent Tiering\n    - 60 EUR worth of access to \"old paths\"\n    - Intelligent Tiering Transitions might easily become more expensive than\n      that\n\n- Mic92\n  - Idea: Fastly Pull-Through Cache for GitHub Releases\n    - To have stable URLs and allowing us to move them in the backend as needed\n\n- jfly\n  - Does a cache hit by fastly prevent an access log entry at AWS S3?\n    - Cache at fastly can be hot, while things are in low priority tier at AWS\n      S3\n"
  },
  {
    "path": "docs/meeting-notes/2025-05-01.md",
    "content": "# 2025-05-01\n\nAttendees: hexa, mightyiam, mic92, jfly, picnoir, mightyiam\n\n- hexa:\n  - hydra-server abuse management\n    - loki for nginx analyzing the access logs\n    - internal grafana instance for access to sensitive data (e.g. PII)\n    - looking at whether go-away can better reflect our needs\n  - hydra-queue-runner work\n    - runnables are steps that can be sent to builder to realize\n    - we have far more linux capacity than darwin capacity and the queue runner\n      often stacks up darwin runnables, but cannot satisfy linux runnables\n      - effectively preventing us from increasing linux capacity\n    - Every two weeks meeting with Simon\n    - hydra is modular, components use the database to synchronize\n\n- jfly\n  - can we put our meetings on the nixos cal?\n    https://calendar.google.com/calendar/u/0/embed?src=b9o52fobqjak8oq8lfkhg3t0qg@group.calendar.google.com\n    - TODO: jeremy will add\n  - mailserver\n    - mxlogin.com (mxroute) Deliverability: unclear what's going on with\n      Valentin's email (https://github.com/NixOS/infra/issues/668)\n    - Bounces from GMail: does anyone have any ideas for this?\n      https://github.com/NixOS/infra/issues/650\n    - Leaking email: https://github.com/NixOS/infra/issues/649\n      - TODO: try BCC-ing the people we're forwarding to (`recipient_bcc_maps`\n        instead of virtual alias maps)\n    - ARC: are we OK to enable it? 
https://github.com/NixOS/infra/pull/634\n      - Test it on another mailserver first\n\n- Mic92:\n  - Get rid of nix/hydra overlay to make sure we are not mixing nix from\n    unstable with nixpkgs from stable\n  - Would like to reproduce cgroups build issues in NixOS infra\n\n- picnoir:\n  - Cache key rotation https://github.com/NixOS/rfcs/pull/149\n    - Minimal approach, no HSM etc.\n      - Generate new key on hydra machine\n      - Sign everything with two keys\n      - PR in Nix has been merged, not in a stable release yet, but\n        cherry-pickable\n      - Rollover is easy for NixOS, but not so for Nix users on other Distros\n        - Nix already hardcodes the current signing key for cache.nixos.org\n        - We could investigate if we can also ship the new one that way\n      - Set up and maintain public information about keys, the period in which\n        they were used to sign packages\n      - Blocked on social issue, needing to take charge\n      - Testing on staging hydra\n    - Remote-Signing (PR by Raito exists,\n      https://github.com/NixOS/nix/pull/9076) would be nice, not super trivial,\n      but also a new failure point\n      - Can fail in a lot of ways, since the channel between the signing infra\n        and the queue-runner/nix is undefined, and e.g. over the network is not\n        trivial\n  - Next steps:\n    - Staging Hydra setup to validate the setup/migration script.\n    - Investigate Nix upgrade path.\n\n- mightyiam/jfly:\n  - Code: https://github.com/molybdenumsoftware/pr-tracker\n  - Demo: https://pr-tracker.snow.jflei.com/\n  - Alternatives: Replicate the Github Webhooks via pub/sub for anyone\n  - Demonstrate the need for this, then we may consider making it an official\n    nixos.org deployment\n"
  },
  {
    "path": "docs/meeting-notes/2025-05-15.md",
    "content": "# 2025-05-15\n\nAttendees: erethon, hexa, Mic92\n\n- hexa:\n  - E-Mail dogfooding: No obvious issues with sender accounts\n\n- erethon:\n  - Will send 616 emails from ngi@nixos.org today unless we're afraid this will\n    break something. Testing I've done with a few personal gmail and other\n    provider emails worked fine.\n  - About replacing go-neb (https://github.com/NixOS/infra/issues/549), I've\n    opened two PRs upstream:\n    - One is a security fix\n      https://github.com/jaywink/matrix-alertmanager/pull/48\n    - The other extends matrix-alertmanager to allow us to have the messages in\n      the same format as we currently do with go-neb\n      https://github.com/jaywink/matrix-alertmanager/pull/49\n  - Security tracker: I'll spin up a second instance so that automatic\n    deployment don't break the production deployment.\n    - Valentin (fricklerhandwerk) is figuring out how this will be paid to the\n      foundation\n    - TODO: Investigate reusing evals from GitHub Actions or Hydra\n      - especially what information do you need from the evals\n\n- Mic92\n  - Will reach out to Picnoir to test Multi-Signer-Setup on staging hydra\n"
  },
  {
    "path": "docs/meeting-notes/2025-05-29.md",
    "content": "# 2025-05-29\n\nAttendees: erethon jfly edef infinisil\n\n- erethon:\n  - Sent ~600 emails on the 16th of May from ngi@nixos.org, everything worked\n    great.\n  - Security tracker:\n    - Sounds like reusing nix evals from a different host is still far away.\n    - Will spin up a staging instance next week (as discussed two weeks ago).\n  - No updates from upstream on the two matrix-alertmanager PRs from two weeks\n    ago.\n- edef\n  - Going to give moving a bunch of things to Glacier a try with Arian\n  - infinisil: AWS is sponsoring a lot per month\n  - edef: Get a little headroom, can use credits for other things\n  - Discussion between @infinisil and @edef about spending the money the\n    Foundation has set aside for long term cache issues\n    - Related conversation about companies donating hardware to the foundation.\n      We don't currently have a place to put that stuff.\n  - Good solution per @edef:\n    - Have a rack in each continent\n    - Own hardware to put in those racks\n    - ~500TB - 1 PB\n  - infinisil takes note and will consider developing a concrete action plan to\n    go ahead\n- Hydra queue runner improvements\n  - Some work is happening, but unclear status\n  - General status: Not building stuff yet\n  - @conni2461 (Simon hauser) working on this\n  - @Mic92, @hexa meeting with Simon every 2 weeks\n  - No repo yet afaik\n- infinisil: https://github.com/NixOS/infra/issues/700\n  - Asked hexa in the room\n  - Flake seems good (https://cyberchaos.dev/e1mo/freescout-nix-flake)\n  - @dgrig: consider looking at [Zammad](https://zammad.com/en)\n  - Can try out both\n  - @jfly will work with @infinisil to get this deployed\n  - @jfly: Backups?\n    - zrepl\n    - @infinisil foundation board is okay with trusting the infra team on\n      maintaining confidentiality\n    - maybe only keep 1 year of backups?\n"
  },
  {
    "path": "docs/meeting-notes/2025-06-12.md",
    "content": "# 2025-06-12\n\nAttendees: hexa, Mic92, tal\n\n- erethon:\n  - Can't attend today, but here's some updates\n  - Security tracker:\n    - Staging host is up on Hetzner, working on setting up the security tracker\n      software on it\n    - Work on https://github.com/Nix-Security-WG/nix-security-tracker/pull/451\n      and https://github.com/Nix-Security-WG/nix-security-tracker/issues/223\n      because with 25.05 the host is running out of inodes on ext4.\n    - Working on some proper architectural docs for the project\n\n- hexa:\n  - Anubis deployed\n    - Access to build results is not protected, fixes the nix.dev manual access\n    - Further work by Mic92: https://github.com/NixOS/nix.dev/pull/1154\n  - Tarball Mirror fixes merged/deployed\n    - https://github.com/NixOS/nixpkgs/pull/414869\n    - https://github.com/NixOS/nixpkgs/pull/361700\n\n- Mic92\n  - GitHub Fastly Proxying\n    - Naming question\n      - Suggestion: artifacts.nixos.org\n    - Merging with releases.nixos.org complicated\n    - Ratelimits unclear, given that one Shield Pop will always ask for the ISO\n      - https://docs.fastly.com/products/network-services-resource-limits\n      - Look into segmented caching for fastly\n  - Retire releases.nixos.org\n    - By moving everything relevant to GitHub releases\n    - Build and hosts ISOs on GitHub and proxy via Fastly test formatting\n"
  },
  {
    "path": "flake.nix",
    "content": "{\n  description = \"NixOS.org infra\";\n\n  nixConfig.extra-substituters = [ \"https://nixos-infra-dev.cachix.org\" ];\n  nixConfig.extra-trusted-public-keys = [\n    \"nixos-infra-dev.cachix.org-1:OvwhqPPs81cInrtRAX0K7dG6lw8wXcQEX4xyp4AnSXw=\"\n  ];\n\n  inputs = {\n    agenix = {\n      url = \"github:ryantm/agenix\";\n      inputs.nixpkgs.follows = \"nixpkgs\";\n    };\n\n    nix = {\n      url = \"github:NixOS/nix/2.34-maintenance\";\n      flake = false;\n    };\n\n    hydra = {\n      url = \"github:NixOS/hydra/a40d42862da88cce78a27dd594e1484a034aac4d\";\n      inputs.nixpkgs.follows = \"nixpkgs\";\n      inputs.nix.follows = \"nix\";\n    };\n\n    hydra-staging = {\n      url = \"github:NixOS/hydra\";\n      inputs.nixpkgs.follows = \"nixpkgs\";\n      # Can be kept in sync I suppose for now.\n      inputs.nix.follows = \"nix\";\n    };\n\n    nixos-channel-scripts = {\n      url = \"github:NixOS/nixos-channel-scripts\";\n      inputs.nixpkgs.follows = \"nixpkgs\";\n    };\n\n    rfc39 = {\n      url = \"github:NixOS/rfc39\";\n      inputs.nixpkgs.follows = \"nixpkgs\";\n    };\n\n    nixpkgs.url = \"github:NixOS/nixpkgs/nixos-25.11-small\";\n    nixpkgs-unstable.url = \"github:NixOS/nixpkgs/nixpkgs-unstable\";\n\n    flake-parts = {\n      url = \"github:hercules-ci/flake-parts\";\n      inputs.nixpkgs-lib.follows = \"nixpkgs\";\n    };\n\n    darwin = {\n      url = \"github:nix-darwin/nix-darwin/nix-darwin-25.11\";\n      inputs.nixpkgs.follows = \"nixpkgs\";\n    };\n\n    flake-utils.url = \"github:numtide/flake-utils\";\n\n    freescout = {\n      url = \"git+https://cyberchaos.dev/e1mo/freescout-nix-flake.git\";\n      inputs = {\n        flake-utils.follows = \"flake-utils\";\n        nixpkgs.follows = \"nixpkgs\";\n      };\n    };\n\n    treefmt-nix = {\n      url = \"github:numtide/treefmt-nix\";\n      inputs.nixpkgs.follows = \"nixpkgs-unstable\";\n    };\n\n    colmena = {\n      url = \"github:zhaofengli/colmena\";\n      
inputs = {\n        flake-utils.follows = \"flake-utils\";\n        nixpkgs.follows = \"nixpkgs\";\n        stable.follows = \"nixpkgs\";\n      };\n    };\n\n    disko = {\n      url = \"github:nix-community/disko\";\n      inputs.nixpkgs.follows = \"nixpkgs\";\n    };\n\n    nft-prefix-import = {\n      # https://github.com/mweinelt/nft-prefix-import/pull/2\n      url = \"github:Mic92/nft-prefix-import/nft-stdin\";\n      inputs.nixpkgs.follows = \"nixpkgs-unstable\";\n    };\n\n    srvos = {\n      url = \"github:numtide/srvos\";\n      inputs.nixpkgs.follows = \"nixpkgs\";\n    };\n\n    simple-nixos-mailserver = {\n      url = \"gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.11\";\n      inputs.nixpkgs.follows = \"nixpkgs\";\n    };\n\n    sops-nix = {\n      url = \"github:Mic92/sops-nix\";\n      inputs.nixpkgs.follows = \"nixpkgs\";\n    };\n\n    nixpkgs-swh = {\n      url = \"github:nix-community/nixpkgs-swh\";\n      inputs.nixpkgs.follows = \"nixpkgs\";\n    };\n  };\n  outputs =\n    inputs@{ flake-parts, ... }:\n    flake-parts.lib.mkFlake { inherit inputs; } {\n      systems = [\n        \"x86_64-linux\"\n        \"aarch64-linux\"\n        \"x86_64-darwin\"\n        \"aarch64-darwin\"\n      ];\n      imports = [\n        ./build/flake-module.nix\n        ./builders/flake-module.nix\n        ./dns/flake-module.nix\n        ./formatter/flake-module.nix\n        ./checks/flake-module.nix\n        ./terraform/flake-module.nix\n        ./non-critical-infra/flake-module.nix\n        ./macs/flake-module.nix\n      ];\n    };\n}\n"
  },
  {
    "path": "formatter/flake-module.nix",
    "content": "{ inputs, ... }:\n{\n  imports = [ inputs.treefmt-nix.flakeModule ];\n\n  perSystem =\n    { lib, pkgs, ... }:\n    {\n      treefmt = {\n        # Used to find the project root\n        projectRootFile = \".git/config\";\n\n        settings.global.excludes = [\n          \"*.age\"\n          \"non-critical-infra/secrets/*\"\n        ];\n\n        # older actionlint version don't recognize aarch64 builder\n        programs.actionlint.enable = lib.versionAtLeast pkgs.actionlint.version \"1.7.7\";\n        programs.deno = {\n          enable = true;\n          excludes = [\n            # makes these files *less* readable\n            \"dns/*.js\"\n          ];\n        };\n        programs.terraform.enable = true;\n        programs.deadnix.enable = true;\n        programs.nixfmt.enable = true;\n        programs.ruff-format.enable = true;\n        programs.ruff-check.enable = true;\n\n        programs.shellcheck.enable = true;\n\n        programs.shfmt.enable = true;\n        programs.rustfmt.enable = true;\n      };\n    };\n}\n"
  },
  {
    "path": "lib/service-order.nix",
    "content": "# Ordering Services\n#\n# Given a set of services, make them run one at a time in a specific\n# order, on a timer.\n{ }:\n{\n  # Given a list of systemd service, give each one an After\n  # attribute, so they start in a specific order. The returned\n  # list can be converted in to a systemd.services attrset with\n  # `lib.listToAttrs`.\n  #\n  # Example:\n  #\n  #  mkOrderedChain [\n  #    { name = \"foo\"; value = { script = \"true\"; }; }\n  #    { name = \"bar\"; value = { script = \"true\"; }; }\n  #  ]\n  #\n  # => [\n  #  {\n  #    name = \"foo\";\n  #    value = {\n  #      script = \"true\";\n  #      unitConfig = { After = []; };\n  #    };\n  #  }\n  #  {\n  #    name = \"bar\";\n  #    value = {\n  #      script = \"true\";\n  #      unitConfig = { After = [ \"bar\" ]; };\n  #    };\n  #  }\n  #\n  mkOrderedChain =\n    jobs:\n    let\n      unitConfigFrom = job: job.unitConfig or { };\n      afterFrom = job: (unitConfigFrom job).After or [ ];\n      previousFrom = collector: if collector ? previous then [ collector.previous ] else [ ];\n\n      ordered = builtins.foldl' (collector: item: {\n        services = collector.services ++ [\n          {\n            inherit (item) name;\n            value = item.value // {\n              unitConfig = (unitConfigFrom item.value) // {\n                After = (afterFrom item.value) ++ (previousFrom collector);\n              };\n            };\n          }\n        ];\n        previous = \"${item.name}.service\";\n      }) { services = [ ]; } jobs;\n    in\n    ordered.services;\n}\n"
  },
  {
    "path": "macs/README.md",
    "content": "# Deploying to darwin\n\nSee [inventory](../docs/inventory.md).\n\n## Inventory\n\n### Obisdian Systems (US Hosting)\n\nThey are hosting five Macs Minis for us in the United States.\n\nContact: [@ryantrinkle](https://github.com/ryantrinkle)\n\n- Mac Mini (M1 2020, 16 GB, 256 GB)\n- Mac Mini (M1 2020, 16 GB, 256 GB)\n- Mac Mini (M1 2020, 16 GB, 256 GB)\n- Mac Mini (M1 2020, 16 GB, 256 GB)\n- Mac Mini (i3-8100B, 8GB, 128 GB)\n\n### Flying Circus (DE Hosting)\n\nCurrently hosting two Mac Minis for us in Germany.\n\nContact: [@ctheune](https://github.com/ctheune)\n\n- Mac Mini (M1 2020, 16 GB, 256 GB)\n- Mac Mini (M1 2020, 16 GB, 256 GB)\n\n### Hetzner\n\nAdditional we rent five M1 (16 GB, 256 GB) builders at Hetzner online:\n\n- enormous-catfish.mac.nixos.org\n- growing-jennet.mac.nixos.org\n- intense-heron.mac.nixos.org\n- maximum-snail.mac.nixos.org\n- sweeping-filly.mac.nixos.org\n\nThese are maintained by the build infra team.\n\n### Oakhost\n\nTwo M2 Mac Mini with 24 GB RAM and 1 TB disk are sponsored by\n[Oakhost](https://www.oakhost.com/).\n\nIf you are looking for Mac Hosting in the EU, we can recommend Oakhost. 
They\noffer a great admin experience with ad-hoc KVM access in the browser.\n\n- eager-heisenberg.mac.nixos.org\n- kind-lumiere.mac.nixos.org\n\n## Install\n\n- Login to user hetzner with the given password\n- Set up SSH keys in the hetzner user\n- Elevate with `sudo su`\n- ~~Install latest system updates~~\n  - ~~softwareupdate --install --all --restart~~\n- Disable auto-updates:\n  - We are currently seeing performance regression in macOS Sequoia.\n  - So to not have the machines auto-upgrade, we use:\n    `sudo softwareupdate --schedule off`\n- Install rosetta2\n  - softwareupdate --install-rosetta2 --agree-to-license\n- Set up passwordless sudo\n  ```\n  # visudo /etc/sudoers.d/passwordless\n  %admin ALL = NOPASSWD: ALL\n  ```\n- Install nix\n  - `sh <(curl -L https://nixos.org/nix/install) --daemon`\n- Install nix-darwin\n  - `nix --extra-experimental-features 'flakes nix-command' run nix-darwin -- switch --flake github:nixos/infra#arm64`\n  - `darwin-rebuild` becomes available after restarting the shell\n\n## Update\n\n```\ndarwin-rebuild switch --flake github:nixos/infra#arm64\n```\n"
  },
  {
    "path": "macs/common.nix",
    "content": "# used with https://github.com/DeterminateSystems/macos-ephemeral\n{\n  config,\n  lib,\n  pkgs,\n  ...\n}:\n\nlet\n  sshKeys = {\n    hydra-queue-runner = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOdxl6gDS7h3oeBBja2RSBxeS51Kp44av8OAJPPJwuU/ hydra-queue-runner@rhea\";\n  };\n  environment = lib.concatStringsSep \" \" [\n    \"NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt\"\n  ];\n\n  authorizedNixStoreKey =\n    key:\n    \"command=\\\"${environment} ${config.nix.package}/bin/nix-store --serve --store daemon --write\\\" ${key}\";\nin\n\n{\n  imports = [\n    ./hydra-queue-builder.nix\n  ];\n\n  environment.darwinConfig = \"/nix/home/darwin-config/macs/nix-darwin.nix\";\n  environment.systemPackages = [\n    config.nix.package\n    pkgs.nix-top\n  ];\n\n  system.stateVersion = 5;\n\n  programs = {\n    zsh = {\n      enable = true;\n      enableCompletion = false;\n    };\n    bash = {\n      enable = true;\n      completion.enable = true;\n    };\n  };\n\n  nix = {\n    settings = {\n      extra-experimental-features = [\n        \"nix-command\"\n        \"flakes\"\n      ];\n      max-silent-time = 7200; # 2h\n      timeout = 43200; # 12h\n    };\n    gc = {\n      automatic = true;\n      interval = [\n        {\n          Minute = 15;\n        }\n        {\n          Minute = 45;\n        }\n      ];\n      # ensure up to 100G free space every half hour\n      options = \"--max-freed $(df -k /nix/store | awk 'NR==2 {available=$4; required=100*1024*1024; to_free=required-available; printf \\\"%.0d\\\", to_free*1024}')\";\n    };\n  };\n\n  users.users.root.openssh.authorizedKeys.keys = [\n    (authorizedNixStoreKey sshKeys.hydra-queue-runner)\n  ]\n  ++ (import ../ssh-keys.nix).infra-core;\n\n  system.activationScripts.postActivation.text = ''\n    printf \"disabling spotlight indexing... 
\"\n    mdutil -i off -d / &> /dev/null\n    mdutil -E / &> /dev/null\n    echo \"ok\"\n  '';\n\n  services.prometheus.exporters.node.enable = true;\n\n  # https://github.com/LnL7/nix-darwin/issues/1256\n  users.users._prometheus-node-exporter.home = lib.mkForce \"/private/var/lib/prometheus-node-exporter\";\n\n  launchd.daemons.rosetta2-gc = {\n    script = ''\n      date\n      exec /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -P -minsize 0 /System/Volumes/Data\n    '';\n    serviceConfig.StartInterval = 3600 * 2;\n    serviceConfig.RunAtLoad = true;\n    serviceConfig.StandardErrorPath = \"/var/log/rosetta2-gc.log\";\n    serviceConfig.StandardOutPath = \"/var/log/rosetta2-gc.log\";\n  };\n}\n"
  },
  {
    "path": "macs/flake-module.nix",
    "content": "{ inputs, ... }:\n{\n  flake.darwinConfigurations =\n    let\n      mkNixDarwin =\n        localHostName: entrypoint:\n        inputs.darwin.lib.darwinSystem {\n          system = \"aarch64-darwin\";\n\n          specialArgs = {\n            inherit inputs;\n          };\n\n          modules = [\n            {\n              networking = { inherit localHostName; };\n            }\n            ./common.nix\n            entrypoint\n          ];\n        };\n    in\n    {\n      # M1 8C, 16G, 256G (Hetzner)\n      enormous-catfish = mkNixDarwin \"enormous-catfish\" ./profiles/m1.nix;\n      growing-jennet = mkNixDarwin \"growing-jennet\" ./profiles/m1.nix;\n      intense-heron = mkNixDarwin \"intense-heron\" ./profiles/m1.nix;\n      maximum-snail = mkNixDarwin \"maximum-snail\" ./profiles/m1.nix;\n      sweeping-filly = mkNixDarwin \"sweeping-filly\" ./profiles/m1.nix;\n\n      # M1 8C, 16G, 256G (Hosted by Flying-Circus)\n      norwegian-blue = mkNixDarwin \"norwegian-blue\" ./profiles/m1.nix;\n\n      # M2 8C, 24G, 1TB (Oakhost)\n      eager-heisenberg = mkNixDarwin \"eager-heisenberg\" ./profiles/m2.large.nix;\n      kind-lumiere = mkNixDarwin \"kind-lumiere\" ./profiles/m2.large.nix;\n    };\n}\n"
  },
  {
    "path": "macs/hydra-queue-builder.nix",
    "content": "{\n  config,\n  inputs,\n  lib,\n  ...\n}:\n\n{\n  imports = [\n    inputs.agenix.darwinModules.age\n    inputs.hydra-staging.darwinModules.builder\n  ];\n\n  config = lib.mkIf false {\n    age.secrets.\"queue-runner-token\" = {\n      file = ../build/secrets/${config.networking.localHostName}-queue-runner-token.age;\n      owner = \"hydra-queue-builder\";\n    };\n\n    services.hydra-queue-builder-dev = {\n      enable = true;\n      queueRunnerAddr = \"https://queue-runner.hydra.nixos.org\";\n      authorizationFile = config.age.secrets.\"queue-runner-token\".path;\n      maxJobs = if lib.elem \"big-parallel\" (config.nix.settings.system-features or [ ]) then 2 else 4;\n    };\n  };\n}\n"
  },
  {
    "path": "macs/mac-exec",
    "content": "#!/usr/bin/env bash\n\nHOSTS=(\n\t\"hetzner@enormous-catfish.mac.nixos.org\"\n\t\"hetzner@growing-jennet.mac.nixos.org\"\n\t\"hetzner@intense-heron.mac.nixos.org\"\n\t\"hetzner@maximum-snail.mac.nixos.org\"\n\t\"hetzner@sweeping-filly.mac.nixos.org\"\n\t\"customer@eager-heisenberg.mac.nixos.org\"\n\t\"customer@kind-lumiere.mac.nixos.org\"\n\t\"root@norwegian-blue.mac.nixos.org\"\n)\nPIDS=()\n\nfor host in \"${HOSTS[@]}\"; do\n\t# shellcheck disable=SC2068\n\t(ssh \"${host}\" -- $@ 2>&1| sed -e \"s/^/${host} | /\") &\n\tPIDS+=($!)\ndone\n\nwait \"${PIDS[@]}\"\n"
  },
  {
    "path": "macs/mac-update",
    "content": "#!/usr/bin/env bash\n\nPIDS=()\n\nupdate() {\n\tlocal HOST=${1}\n\tlocal PROFILE=${2}\n\t(ssh \"$HOST\" -- sudo darwin-rebuild switch --flake \"github:nixos/infra\" 2>&1| sed -e \"s/^/${HOST} | /\") &\n\tPIDS+=($!)\n}\n\nupdate hetzner@enormous-catfish.mac.nixos.org\nupdate hetzner@growing-jennet.mac.nixos.org\nupdate hetzner@intense-heron.mac.nixos.org\nupdate hetzner@maximum-snail.mac.nixos.org\nupdate hetzner@sweeping-filly.mac.nixos.org\nupdate customer@eager-heisenberg.mac.nixos.org\nupdate customer@kind-lumiere.mac.nixos.org\nupdate root@norwegian-blue.mac.nixos.org\n\nwait \"${PIDS[@]}\"\n"
  },
  {
    "path": "macs/profiles/m1.nix",
    "content": "{\n  # 8 Cores, 16 GB RAM, 256 GB Disk\n  # split into 4 jobs with 2C/4G\n  nix.settings = {\n    cores = 2;\n    max-jobs = 4;\n  };\n}\n"
  },
  {
    "path": "macs/profiles/m2.large.nix",
    "content": "{\n  # 8 Cores, 24 GB RAM, 1 TB Disk\n  # split into 2 jobs with 4C/12G\n  nix.settings = {\n    cores = 4;\n    max-jobs = 2;\n    system-features = [ \"big-parallel\" ];\n  };\n}\n"
  },
  {
    "path": "metrics/fastly/README.md",
    "content": "# Fastly log processing\n\nThis flake provides a systemd timer (`./cron.sh`) that every week:\n\n- Ingests raw Fastly logs for {cache,channels,tarballs,releases}.nixos.org\n  (which are very big) and aggregates them into a smaller AWS Athena database.\n\n  This is performed by `./ingest-raw-logs.sh`.\n\n- Runs a number of SQL queries against the Athena database and stores them in\n  S3.\n\n  This is performed by `./run-queries.sh`.\n\n## AWS Athena database\n\nThe Athena database is stored in the NixOS Foundation AWS account. To get the\nschema, run\n\n```\n# aws athena list-table-metadata --region eu-west-1 --catalog-name AwsDataCatalog --database-name default\n```\n\nIt has the following external tables:\n\n- `requests`: An external table. These are the raw fastly logs stored in\n  s3://fastly-logs-20220622145016462800000001/ as compressed JSON records. Note\n  that this bucket has a lifecycle rule that moves logs to Glacier after a few\n  weeks. Logs in Glacier are not processed by Athena.\n\n- `asn_list`: A list of ASNs. This can be updated by running\n  `./update-asn-list.sh`.\n\n- `hosting-asns`: A list of ASNs belonging to hosting/cloud providers.\n\n- `all_paths`: The set of all store paths known in the hydra.nixos.org database.\n  This is used to expand the hash part of `.narinfo` requests (e.g.\n  `8kbx6s9nn7060zsdms3br0mk7bjrvbij`) to store paths (e.g.\n  `/nix/store/8kbx6s9nn7060zsdms3br0mk7bjrvbij-coreutils-full-9.0`).\n\n  FIXME: describe how to update.\n\n- `release_paths`: All the store paths belonging to NixOS evals in\n  hydra.nixos.org, as\n  `{project, jobset, eval, release_name, build,\n  output, path}` tuples.\n\n  FIXME: describe how to update.\n\nThe ingestion script populates the following tables stored in\ns3://nixos-athena/fastly-logs-processed/:\n\n- `urls`: For each host/day/url, the total number of requests, bytes and elapsed\n  microseconds. 
This only includes info about successful (2xx/3xx) requests.\n\n- `clients`: For each host/day/ASN/country/region, the total number of requests,\n  bytes and elapsed microseconds.\n\n- `nix_cache_info`: For each day/ASN/country/region/user-agent, the number of\n  requests for `nix-cache-info`.\n\n## Reports\n\nCurrently the following reports are created every week:\n\n- http://nixos-metrics.s3-website-eu-west-1.amazonaws.com/latest/traffic-per-day.csv\n\n  For each day and site, the number of requests and the number of bytes\n  transferred.\n\n- http://nixos-metrics.s3-website-eu-west-1.amazonaws.com/latest/traffic-per-country.csv\n\n  For each country, the number of requests and the number of bytes transferred.\n\n- http://nixos-metrics.s3-website-eu-west-1.amazonaws.com/latest/cache-info-requests-per-day.csv\n\n  For each day, the number of requests for\n  https://cache.nixos.org/nix-cache-info.\n\n- http://nixos-metrics.s3-website-eu-west-1.amazonaws.com/latest/cache-info-requests-per-day-not-hosted.csv\n\n  The same, but with requests from \"hosting\" ASNs (e.g. AWS and Hetzner)\n  filtered out. Note that Nix caches `nix-cache-info` file for a week, so the\n  intent of this report is to gauge the number of active weekly users.\n\n- http://nixos-metrics.s3-website-eu-west-1.amazonaws.com/latest/cache-info-requests-per-day-per-ua.csv\n\n  For each day and user agent (e.g. `Nix/2.12.0`), the number of requests for\n  https://cache.nixos.org/nix-cache-info. This is intended to track the adoption\n  of Nix releases.\n\n- http://nixos-metrics.s3-website-eu-west-1.amazonaws.com/latest/flake-registry-requests-per-day.csv\n\n  For each day, the number of requests for\n  https://channels.nixos.org/flake-registry.json. 
This is intended to track how\n  widely flakes are used.\n\n- http://nixos-metrics.s3-website-eu-west-1.amazonaws.com/latest/top-store-paths.csv\n\n  For each store path listed in `all_paths`, the number of requests for its\n  `.narinfo` file.\n\n- http://nixos-metrics.s3-website-eu-west-1.amazonaws.com/latest/narinfo-queries-per-release.csv\n\n  For each major NixOS release (e.g. `nixos-22.05`), the number of requests for\n  `.narinfo` files of store paths that are part of an eval of that release.\n\n- http://nixos-metrics.s3-website-eu-west-1.amazonaws.com/latest/nix-installer-downloads.csv\n\n  For each day, the number of downloads of the Nix installer (i.e.\n  `https://releases.nixos.org/nix/nix-[^/]+/install`).\n\n- http://nixos-metrics.s3-website-eu-west-1.amazonaws.com/latest/nix-installer-architectures.csv\n\n  For each architecture (e.g. `x86_64-linux`), the number of downloads of the\n  Nix binary tarball.\n"
  },
  {
    "path": "metrics/fastly/cron.sh",
    "content": "#!/usr/bin/env bash\n\nset -e\n\nexport AWS_PROFILE=nixos-org\n\nnow=$(date +%s)\n#now=$((now - 86400))\nprev_week=$((now / 86400 / 7))\n\nfrom_date_incl=$(date +%F --date=\"@$((prev_week * 86400 * 7 - 2 * 86400))\")\nto_date_incl=$(date +%F --date=\"@$((prev_week * 86400 * 7 + 5 * 86400))\")\n\necho \"Ingesting [$from_date_incl, $to_date_incl).\"\n\nmarker=\"$HOME/weeks-done/$prev_week\"\n\nif [[ -e $marker ]]; then\n  echo \"Already done!\"\n  exit 0\nfi\n\nmkdir -p \"$(dirname \"$marker\")\"\ntouch \"$marker\"\n\n./ingest-raw-logs.sh \"$from_date_incl\" \"$to_date_incl\"\n\n./run-queries.sh\n"
  },
  {
    "path": "metrics/fastly/flake.nix",
    "content": "{\n  outputs =\n    { }:\n    {\n      nixosModules.nix-metrics =\n        { pkgs, ... }:\n        {\n\n          users.users.nix-metrics = {\n            isNormalUser = true;\n            description = \"Nix Metrics Collection\";\n          };\n\n          systemd.services.process-raw-nix-logs = {\n            description = \"Process Raw nixos.org Logs\";\n            serviceConfig.Type = \"oneshot\";\n            serviceConfig.User = \"nix-metrics\";\n            path = [\n              pkgs.awscli\n              pkgs.jq\n            ];\n            script = ''\n              cd ${./.}\n              ./cron.sh\n            '';\n            startAt = \"Tue 07:30\";\n          };\n\n        };\n    };\n}\n"
  },
  {
    "path": "metrics/fastly/ingest-raw-logs.sh",
    "content": "#!/usr/bin/env bash\n\nset -e\n\nregion=eu-west-1\n\nfrom_date_incl=\"$1\"\nto_date_excl=\"$2\"\n\n[[ -n $from_date_incl ]]\n[[ -n $to_date_excl ]]\n\nrun_query() {\n  local name=\"$1\"\n  local query=\"$2\"\n\n  res=$(aws athena start-query-execution \\\n    --region $region \\\n    --result-configuration \"OutputLocation=s3://nixos-athena/ingestion/$name/\" \\\n    --query-string \"$query\")\n\n  execution_id=\"$(printf \"%s\" \"$res\" | jq -r -e .QueryExecutionId)\"\n  [[ -n $execution_id ]]\n\n  echo \"Started query $name as $execution_id.\"\n\n  printf \"Waiting...\"\n  while true; do\n    res=\"$(aws athena get-query-execution --region $region --query-execution-id \"$execution_id\")\"\n    status=\"$(printf %s \"$res\" | jq -r -e .QueryExecution.Status.State)\"\n    if [[ $status == RUNNING || $status == QUEUED ]]; then\n      printf \".\"\n      sleep 1\n      continue\n    fi\n    if [[ $status == SUCCEEDED ]]; then\n      printf \" done.\\n\"\n      break\n    fi\n    printf \"\\nFailed: %s (%s)\\n\" \"$status\" \"$res\"\n    exit 1\n  done\n}\n\nrun_query fill-urls \\\n  \"\n    insert into urls\n    with requests2 as (select *, date_format(date_parse(timestamp, '%Y-%m-%dT%T+0000'), '%Y-%m-%d') as day from requests)\n    select url, count(*) as nr, sum(response_body_size) as total_bytes, sum(elapsed_usec) as total_elapsed, host, day\n    from requests2\n    where (response_status >= '200' and response_status <= '399') and (day >= '$from_date_incl' and day < '$to_date_excl')\n    group by host, day, url;\n  \"\n\nrun_query fill-nix-cache-info \\\n  \"\n    insert into nix_cache_info\n    with requests2 as (select *, date_format(date_parse(timestamp, '%Y-%m-%dT%T+0000'), '%Y-%m-%d') as day from requests)\n    select count(*) as nr, asn, geo_country, geo_region, request_user_agent, day\n    from requests2\n    where host = 'cache.nixos.org' and url = '/nix-cache-info' and (day >= '$from_date_incl' and day < '$to_date_excl')\n    group by day, 
asn, geo_country, geo_region, request_user_agent;\n  \"\n\nrun_query fill-clients \\\n  \"\n    insert into clients\n    with requests2 as (select *, date_format(date_parse(timestamp, '%Y-%m-%dT%T+0000'), '%Y-%m-%d') as day from requests)\n    select asn, geo_country, geo_region, count(*) as nr, sum(response_body_size) as total_bytes, sum(elapsed_usec) as total_elapsed, host, day\n    from requests2\n    where (day >= '$from_date_incl' and day < '$to_date_excl')\n    group by host, day, asn, geo_country, geo_region;\n  \"\n"
  },
  {
    "path": "metrics/fastly/run-queries.sh",
    "content": "#!/usr/bin/env bash\n\nset -e\n\nregion=eu-west-1\n\nreport_date=\"$(date +%Y-%m-%d)\"\n\nrun_query() {\n  local name=\"$1\"\n  local query=\"$2\"\n\n  res=$(aws athena start-query-execution \\\n    --region $region \\\n    --result-configuration \"OutputLocation=s3://nixos-metrics/$report_date/$name/\" \\\n    --query-string \"$query\")\n\n  execution_id=\"$(printf \"%s\" \"$res\" | jq -r -e .QueryExecutionId)\"\n  [[ -n $execution_id ]]\n\n  echo \"Started query $name as $execution_id.\"\n\n  redirect=latest/$name.csv\n  aws s3api put-object \\\n    --bucket nixos-metrics \\\n    --key \"$redirect\" \\\n    --website-redirect-location \"/$report_date/$name/$execution_id.csv\" >/dev/null\n\n  echo \"Created redirect http://nixos-metrics.s3-website-eu-west-1.amazonaws.com/$redirect.\"\n}\n\nif true; then\n\n  run_query traffic-per-day \\\n    \"\n    select day, host, sum(nr) as nr_requests, sum(total_bytes) as total_bytes\n    from urls\n    group by day, host\n    order by day, host\n  \"\n\n  run_query traffic-per-country \\\n    \"\n    select geo_country, sum(nr) as nr_requests, sum(total_bytes) as total_bytes\n    from clients\n    group by geo_country\n    order by total_bytes desc\n  \"\n\n  run_query cache-info-requests-per-day \\\n    \"\n    select day, sum(nr) as cache_info_requests\n    from nix_cache_info\n    group by day\n    order by day\n  \"\n\n  run_query cache-info-requests-per-day-not-hosted \\\n    \"\n    select day, sum(nr) as cache_info_requests\n    from nix_cache_info\n    where asn not in (select asn_nr from hosting_asns)\n    group by day\n    order by day\n  \"\n\n  run_query cache-info-requests-per-day-per-ua \\\n    \"\n    with tmp as\n      (select *, regexp_replace(regexp_replace(request_user_agent, '.* Nix', 'Nix'), 'pre[^ ]*', 'pre*') as cleaned_ua from nix_cache_info)\n    select day, cleaned_ua, sum(nr) as cache_info_requests\n    from tmp\n    group by day, cleaned_ua\n    order by day, cache_info_requests 
desc\n  \"\n\n  run_query flake-registry-requests-per-day \\\n    \"\n    select day, sum(nr) as total_requests\n    from urls\n    where host = 'channels.nixos.org' and url like '%/flake-registry.json'\n    group by day\n    order by day\n  \"\n\n  run_query top-store-paths \\\n    \"\n    select path, sum(nr) as total_requests\n    from urls\n    join all_paths on regexp_replace(regexp_replace(url, '.narinfo', ''), '/', '') = regexp_replace(regexp_replace(path, '/nix/store/', ''), '-.*', '')\n    where\n      host = 'cache.nixos.org'\n      and url like '%.narinfo'\n    group by path\n    having sum(nr) > 100\n    order by total_requests desc\n  \"\n\n  run_query narinfo-queries-per-release \\\n    \"\n    with tmp as\n      (select distinct path, regexp_replace(regexp_replace(regexp_replace(regexp_replace(release_name, 'pre.*', 'pre'), 'alpha.*', ''), 'beta.*', 'beta'), '\\.[0-9]+\\.[0-9a-f][0-9a-f][0-9a-f][0-9a-f]+$', '') as release from release_paths)\n    select release, sum(nr) as total_requests\n    from urls\n    join tmp on regexp_replace(regexp_replace(url, '.narinfo', ''), '/', '') = regexp_replace(regexp_replace(path, '/nix/store/', ''), '-.*', '')\n    where\n      host = 'cache.nixos.org'\n      and url like '%.narinfo'\n    group by release\n    order by total_requests desc\n  \"\n\n  run_query nix-installer-downloads \\\n    \"\n    select day, sum(nr)\n    from urls\n    where\n      host = 'releases.nixos.org'\n      and regexp_like(url, '^/nix/nix-[^/]+/install$')\n    group by day\n    order by day\n  \"\n\n  run_query nix-installer-architectures \\\n    \"\n    select arch, sum(nr) as count from\n      (select url, nr, regexp_replace(regexp_replace(url, '/nix/nix-[^/]+/nix-[^-]+-(rc[^-]*-)?', ''), '.tar.xz', '') as arch\n       from urls\n       where\n         host = 'releases.nixos.org'\n         and regexp_like(url, '^/nix/nix-[^/]+/nix-[^-]+-.*tar.xz$'))\n    group by arch\n    order by count desc\n  \"\n\nfi\n"
  },
  {
    "path": "metrics/fastly/update-asn-list.sh",
    "content": "#! /bin/sh -e\n\ncurl --fail https://ftp.ripe.net/ripe/asnames/asn.txt >/tmp/asn.txt\n\nsed -e 's/^\\([0-9]\\+\\) \\(.\\+\\), \\([A-Z][A-Z]\\)$/\\1\\t\\2\\t\\3/; t; d' </tmp/asn.txt >/tmp/asn.tsv\n\naws s3 cp /tmp/asn.tsv s3://nixos-athena/all-asns/list.tsv\n"
  },
  {
    "path": "modules/backup.nix",
    "content": "{\n  lib,\n  config,\n  pkgs,\n  ...\n}:\n\nlet\n  cfg = config.services.backup;\n\n  mkZfsPreHook = mountpoint: ''\n    DATASET=\"$(findmnt -nr -o source \"${mountpoint}\")\"\n    zfs snapshot -r \"$DATASET@borg\"\n\n    # https://github.com/borgbackup/borg/issues/6652\n    ls ${mountpoint}/.zfs/snapshot/borg/ > /dev/null\n  '';\n\n  mkZfsPostHook = mountpoint: ''\n    DATASET=\"$(findmnt -nr -o source \"${mountpoint}\")\"\n    zfs destroy -r \"$DATASET@borg\"\n  '';\nin\n{\n  options.services.backup =\n    with lib;\n    with types;\n    {\n      user = mkOption {\n        type = str;\n        description = ''\n          Username for the SSH remote host.\n        '';\n      };\n\n      host = mkOption {\n        type = str;\n        description = ''\n          Hostname of the SSH remote host.\n        '';\n      };\n\n      hostPublicKey = mkOption {\n        type = str;\n        example = \"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==\";\n        description = ''\n          Public SSH host key of the remote host. Discoverable using e.g. 
`ssh-keyscan`.\n        '';\n      };\n\n      port = mkOption {\n        type = port;\n        default = 22;\n        description = ''\n          Port of the SSH remote host.\n        '';\n        apply = toString;\n      };\n\n      sshKey = mkOption {\n        type = path;\n        example = \"/var/keys/ssh-key\";\n        description = ''\n          Path to the SSH key required to access the remote host.\n        '';\n      };\n\n      secretPath = mkOption {\n        type = path;\n        example = \"/var/keys/borg-secret\";\n        description = ''\n          Path to the secret used to encrypt backups in the repository.\n        '';\n      };\n\n      quota = mkOption {\n        type = nullOr str;\n        default = null;\n        example = \"90G\";\n        description = ''\n          Quota for the borg repository. Useful to prevent the target disk from running full and ensuring borg keeps some space to work with.\n        '';\n      };\n\n      includes = mkOption {\n        type = listOf path;\n        default = [ ];\n        description = ''\n          Paths to include in the backup.\n        '';\n      };\n      includesZfsDatasets = mkOption {\n        type = listOf str;\n        default = [ ];\n        description = ''\n          ZFS datasets referenced by mountpoint to snapshot and include\n        '';\n      };\n\n      excludes = mkOption {\n        type = listOf path;\n        default = [ ];\n        description = ''\n          Paths to exclude in the backup.\n        '';\n      };\n\n      preHook = mkOption {\n        type = lines;\n        default = \"\";\n        description = ''\n          Shell commands to run before the backup.\n        '';\n      };\n\n      postHook = mkOption {\n        type = lines;\n        default = \"\";\n        description = ''\n          Shell commands to run after the backup.\n        '';\n      };\n\n      wantedUnits = mkOption {\n        type = listOf str;\n        default = [ ];\n        description = ''\n    
      List of units to require before starting the backup.\n        '';\n      };\n    };\n\n  config = lib.mkIf (cfg.includes != [ ] || cfg.includesZfsDatasets != [ ]) {\n    programs.ssh.knownHosts.\"${if cfg.port != 22 then \"[${cfg.host}]:${cfg.port}\" else cfg.host}\" = {\n      publicKey = \"${cfg.hostPublicKey}\";\n    };\n\n    systemd.services.borgbackup-job-state = {\n      wants = cfg.wantedUnits;\n      after = cfg.wantedUnits;\n\n      path = lib.optionals (cfg.includesZfsDatasets != [ ]) [\n        config.boot.zfs.package\n        pkgs.util-linux\n      ];\n    };\n\n    systemd.timers.borgbackup-job-state.timerConfig = {\n      # Spread all backups over the day\n      RandomizedDelaySec = \"24h\";\n      FixedRandomDelay = true;\n    };\n\n    services.borgbackup.jobs.state = {\n      preHook = lib.concatMapStringsSep \"\\n\" mkZfsPreHook cfg.includesZfsDatasets;\n      postHook = lib.concatMapStringsSep \"\\n\" mkZfsPostHook cfg.includesZfsDatasets;\n\n      # Create the repo\n      doInit = true;\n\n      # Create daily backups, but prune to a reasonable amount\n      startAt = \"daily\";\n      prune.keep = {\n        daily = 7;\n        weekly = 4;\n        monthly = 3;\n      };\n\n      # What to backup\n      paths = cfg.includes ++ (map (mp: \"${mp}/.zfs/snapshot/borg\") cfg.includesZfsDatasets);\n      exclude = cfg.excludes;\n\n      # Where to backup it to\n      repo = \"${cfg.user}@${cfg.host}:${config.networking.fqdn}\";\n      environment.BORG_RSH = \"ssh -p ${cfg.port} -i ${cfg.sshKey}\";\n\n      # Ensure we don't fill up the destination disk\n      extraInitArgs = lib.optionalString (cfg.quota != null) \"--storage-quota ${cfg.quota}\";\n\n      # Authenticated & encrypted, key resides in the repository\n      encryption = {\n        mode = \"repokey-blake2\";\n        passCommand = \"cat ${cfg.secretPath}\";\n      };\n\n      # Reduce the backup size\n      compression = \"auto,zstd\";\n\n      # Show summary detailing data usage 
once completed\n      extraCreateArgs = \"--stats\";\n    };\n  };\n}\n"
  },
  {
    "path": "modules/common.nix",
    "content": "{ pkgs, lib, ... }:\n\nwith lib;\n\n{\n  imports = [ ./backup.nix ];\n\n  time.timeZone = \"UTC\";\n\n  users.mutableUsers = false;\n\n  users.extraUsers.root.openssh.authorizedKeys.keys = with import ../ssh-keys.nix; infra-core;\n\n  nix = {\n    settings = {\n      cores = 0;\n      experimental-features = [\n        \"nix-command\"\n        \"flakes\"\n      ];\n    };\n  };\n\n  environment.systemPackages = [\n    pkgs.git\n    pkgs.gdb\n\n    # jq is required by numtide/terraform-deploy-nixos-flakes.\n    pkgs.jq\n  ];\n\n  services.openssh.enable = true;\n}\n"
  },
  {
    "path": "modules/hydra-mirror.nix",
    "content": "{\n  config,\n  lib,\n  pkgs,\n  inputs,\n  ...\n}:\n\nlet\n  channels = (import ../channels.nix).channels-with-urls;\n\n  orderLib = import ../lib/service-order.nix { };\n\n  makeUpdateChannel = channelName: mainJob: {\n    name = \"update-${channelName}\";\n    value = {\n      description = \"Update Channel ${channelName}\";\n      path = with pkgs; [\n        git\n        inputs.nixos-channel-scripts.packages.${pkgs.stdenv.hostPlatform.system}.default\n      ];\n      script = ''\n        # Hardcoded in channel scripts.\n        dir=/home/hydra-mirror/nixpkgs-channels\n        if ! [[ -e $dir ]]; then\n          git clone --bare https://github.com/NixOS/nixpkgs.git $dir\n        fi\n        GIT_DIR=$dir git config credential.helper 'store --file=${config.age.secrets.hydra-mirror-git-credentials.path}'\n        GIT_DIR=$dir git config remote.origin.fetch '+refs/heads/*:refs/remotes/origin/*'\n\n        # FIXME: use IAM role.\n        export AWS_ACCESS_KEY_ID=$(sed 's/aws_access_key_id=\\(.*\\)/\\1/ ; t; d' ${config.age.secrets.hydra-mirror-aws-credentials.path})\n        export AWS_SECRET_ACCESS_KEY=$(sed 's/aws_secret_access_key=\\(.*\\)/\\1/ ; t; d' ${config.age.secrets.hydra-mirror-aws-credentials.path})\n        exec mirror-nixos-branch ${channelName} https://hydra.nixos.org/job/${mainJob}/latest-finished\n      '';\n      serviceConfig = {\n        Type = \"oneshot\";\n        RemainAfterExit = false;\n        User = \"hydra-mirror\";\n        # Allow the unit to use 80% of the system's RAM and 100% of the system's swap\n        MemoryHigh = \"80%\";\n      };\n      unitConfig = {\n        After = [ \"networking.target\" ];\n      };\n      environment.TMPDIR = \"/home/hydra-mirror/scratch\";\n      environment.GC_INITIAL_HEAP_SIZE = \"4g\";\n    };\n  };\n\n  updateJobs = orderLib.mkOrderedChain (lib.mapAttrsToList makeUpdateChannel channels);\n\nin\n\n{\n  age.secrets.hydra-mirror-aws-credentials = {\n    file = 
../build/secrets/hydra-mirror-aws-credentials.age;\n    owner = \"hydra-mirror\";\n  };\n\n  age.secrets.hydra-mirror-git-credentials = {\n    file = ../build/secrets/hydra-mirror-git-credentials.age;\n    owner = \"hydra-mirror\";\n  };\n\n  users.users.hydra-mirror = {\n    description = \"Channel mirroring user\";\n    home = \"/home/hydra-mirror\";\n    createHome = true;\n    isSystemUser = true;\n    group = \"hydra-mirror\";\n  };\n\n  users.groups.hydra-mirror = { };\n\n  systemd.tmpfiles.rules = [\n    ''\n      d /home/hydra-mirror/scratch                    0755 hydra-mirror users 10d\n      F /home/hydra-mirror/scratch/nixos-files.sqlite - - - 8d\n      e /home/hydra-mirror/scratch/release-*/*        - - - 1d -\n    ''\n  ];\n\n  systemd.services = (lib.listToAttrs updateJobs) // {\n    \"update-all-channels\" = {\n      description = \"Start all channel updates.\";\n      unitConfig = {\n        After = builtins.map (service: \"${service.name}.service\") updateJobs;\n        Wants = builtins.map (service: \"${service.name}.service\") updateJobs;\n      };\n      script = \"true\";\n    };\n  };\n\n  systemd.timers.\"update-all-channels\" = {\n    description = \"Start all channel updates.\";\n    wantedBy = [ \"timers.target\" ];\n    timerConfig = {\n      OnUnitInactiveSec = 600;\n      OnBootSec = 900;\n      AccuracySec = 300;\n    };\n  };\n}\n"
  },
  {
    "path": "modules/nftables.nix",
    "content": "{\n  lib,\n  ...\n}:\n\n{\n  networking.nftables = {\n    enable = true;\n    tables.\"nixos-fw\".content = lib.mkBefore ''\n      define prometheus_inet6 = {\n        2a01:4f9:3070:15e0::1\n      }\n      define prometheus_inet4 = {\n        37.27.99.100\n      }\n    '';\n  };\n\n  networking.firewall = {\n    enable = true;\n\n    # be a good network citizen and allow some debugging interactions\n    rejectPackets = true;\n    allowPing = true;\n\n    # prevent firewall log spam from rotating the kernel ringbuffer\n    logRefusedConnections = false;\n  };\n}\n"
  },
  {
    "path": "modules/prometheus/default.nix",
    "content": "{\n  config,\n  pkgs,\n  ...\n}:\n\nlet\n  prometheus-nixos-exporter = pkgs.callPackage ./nixos-exporter { };\nin\n{\n  services.prometheus.exporters.node = {\n    enable = true;\n    enabledCollectors = [ \"systemd\" ];\n    extraFlags = [ \"--collector.textfile.directory=/var/lib/prometheus-node-exporter-text-files\" ];\n    openFirewall = true;\n    firewallRules = ''\n      ip6 saddr $prometheus_inet6 tcp dport ${toString config.services.prometheus.exporters.node.port} accept\n      ip saddr $prometheus_inet4 tcp dport ${toString config.services.prometheus.exporters.node.port} accept\n    '';\n  };\n\n  system.activationScripts.node-exporter-system-version = ''\n    mkdir -pm 0775 /var/lib/prometheus-node-exporter-text-files\n\n    cd /var/lib/prometheus-node-exporter-text-files\n    ${./system-version-exporter.sh} | ${pkgs.moreutils}/bin/sponge system-version.prom\n  '';\n\n  systemd.services.prometheus-nixos-exporter = {\n    wantedBy = [ \"multi-user.target\" ];\n    after = [ \"network.target\" ];\n    path = [\n      pkgs.nix\n      pkgs.bash\n    ];\n    serviceConfig = {\n      Restart = \"always\";\n      RestartSec = \"60s\";\n      ExecStart = \"${prometheus-nixos-exporter}/bin/prometheus-nixos-exporter\";\n    };\n  };\n\n  networking.firewall.extraInputRules = ''\n    # prometheus-nixos-exporter\n    ip6 saddr $prometheus_inet6 tcp dport 9300 accept\n    ip saddr $prometheus_inet4 tcp dport 9300 accept\n  '';\n\n  services.prometheus.exporters.zfs = {\n    enable = true;\n    listenAddress = \"[::]\";\n    openFirewall = true;\n    firewallRules = ''\n      ip6 saddr $prometheus_inet6 tcp dport ${toString config.services.prometheus.exporters.zfs.port} accept\n      ip saddr $prometheus_inet4 tcp dport ${toString config.services.prometheus.exporters.zfs.port} accept\n    '';\n  };\n}\n"
  },
  {
    "path": "modules/prometheus/nixos-exporter/default.nix",
    "content": "{ python3Packages }:\n\nwith python3Packages;\n\nbuildPythonApplication {\n  pname = \"prometheus-nixos-exporter\";\n  version = \"0.0\";\n  format = \"pyproject\";\n\n  src = ./.;\n\n  nativeBuildInputs = [ setuptools ];\n\n  propagatedBuildInputs = [\n    packaging\n    prometheus-client\n  ];\n}\n"
  },
  {
    "path": "modules/prometheus/nixos-exporter/prometheus_nixos_exporter/__main__.py",
    "content": "#!/usr/bin/env nix-shell\n#!nix-shell -i python3 -p \"python3.withPackages (ps: with ps; [ prometheus-client packaging ])\"\n\n\nimport json\nimport os\nimport subprocess\nimport sys\nimport time\nfrom collections.abc import Iterator\n\nfrom packaging.version import Version\nfrom prometheus_client import CollectorRegistry, start_http_server\nfrom prometheus_client.core import GaugeMetricFamily\n\n\nclass NixosSystemCollector:\n    def __init__(self) -> None:\n        nix_version = self.get_nix_version()\n\n        # https://github.com/NixOS/nix/pull/9242\n        self.nix_path_info_returns_object = nix_version >= Version(\"2.19.0\")\n\n    def get_nix_version(self) -> Version:\n        result = subprocess.run(\n            [\"nix\", \"--version\"], stdout=subprocess.PIPE, check=False\n        )\n\n        if result.returncode == 0:\n            response = result.stdout.decode().strip()\n            return Version(response.split()[-1])\n        print(\"Failed to determine nix version\", file=sys.stderr)\n        sys.exit(1)\n\n    def collect(self) -> Iterator[GaugeMetricFamily]:\n        # note: Gauges because of rollbacks.\n        current_system = GaugeMetricFamily(\n            \"nixos_current_system_time_seconds\",\n            \"The time the system's current generation was registered in the Nix database.\",\n            labels=[\"version_id\"],\n        )\n        current_system.add_metric(\n            [self.get_version_id(\"/run/current-system\")],\n            self.get_time(\"/run/current-system\"),\n        )\n        yield current_system\n\n        booted_system = GaugeMetricFamily(\n            \"nixos_booted_system_time_seconds\",\n            \"The time the system's booted generation was registered in the Nix database.\",\n            labels=[\"version_id\"],\n        )\n        booted_system.add_metric(\n            [self.get_version_id(\"/run/booted-system\")],\n            self.get_time(\"/run/booted-system\"),\n        )\n        
yield booted_system\n\n        current_system_kernel_booted = GaugeMetricFamily(\n            \"nixos_current_system_kernel_booted\",\n            \"Whether the currently booted kernel matches the one in the current generation.\",\n            labels=[],\n        )\n        booted_kernel = self.get_kernel_out(\"/run/booted-system\")\n        current_kernel = self.get_kernel_out(\"/run/current-system\")\n\n        current_system_kernel_booted.add_metric([], booted_kernel == current_kernel)\n        yield current_system_kernel_booted\n\n    def get_version_id(self, path: str) -> str:\n        result = subprocess.run(\n            [\"bash\", \"-c\", f\"source {path}/etc/os-release; echo $VERSION_ID\"],\n            stdout=subprocess.PIPE,\n            check=False,\n        )\n        if result.returncode == 0:\n            return result.stdout.decode(\"utf-8\").strip()\n\n        return None\n\n    def get_kernel_out(self, path: str) -> str:\n        return os.path.dirname(os.readlink(os.path.join(path, \"kernel\")))\n\n    def get_time(self, path: str) -> int:\n        result = subprocess.run(\n            [\"nix\", \"path-info\", \"--json\", path], stdout=subprocess.PIPE, check=False\n        )\n        if result.returncode == 0:\n            parsed = json.loads(result.stdout)\n\n            if self.nix_path_info_returns_object:\n                # nix path-info --json /run/booted-system | jq .[].registrationTime\n                for path_info in parsed.values():\n                    return path_info[\"registrationTime\"]\n            else:\n                # nix path-info --json /run/booted-system | jq .[0].registrationTime\n                return parsed[0][\"registrationTime\"]\n\n        return 0\n\n\ndef main() -> None:\n    registry = CollectorRegistry()\n    registry.register(NixosSystemCollector())\n\n    # Start up the server to expose the metrics.\n    start_http_server(9300, registry=registry)\n\n    while True:\n        time.sleep(100000)\n\n\nif __name__ 
== \"__main__\":\n    main()\n"
  },
  {
    "path": "modules/prometheus/nixos-exporter/pyproject.toml",
    "content": "[build-system]\nrequires = [\"setuptools\"]\nbuild-backend = \"setuptools.build_meta\"\n\n[project]\nname = \"prometheus-nixos-exporter\"\nversion = \"0.0.0\"\ndescription = \"Export informations about booted aund current NixOS generation\"\ndependencies = [\n  \"packaging\",\n  \"prometheus-client\",\n]\n\n[project.scripts]\nprometheus-nixos-exporter = \"prometheus_nixos_exporter.__main__:main\"\n"
  },
  {
    "path": "modules/prometheus/system-version-exporter.sh",
    "content": "#!/usr/bin/env bash\n\nset -euo pipefail\n\nreadonly VERSION\nVERSION=\"$(cat /run/current-system/nixos-version)\"\nreadonly CURRENT_SYSTEM_DRV\nCURRENT_SYSTEM_DRV=\"$(readlink /run/current-system)\"\nreadonly CURRENT_SYSTEM_PROFILE\nCURRENT_SYSTEM_PROFILE=\"$(find /nix/var/nix/profiles -ilname \"${CURRENT_SYSTEM_DRV}\")\"\nreadonly DEPLOY_TIMESTAMP\nDEPLOY_TIMESTAMP=\"$(stat -c '%y' \"${CURRENT_SYSTEM_PROFILE}\" | cut -c '-16')\"\nreadonly DEPLOY_SECONDS\nDEPLOY_SECONDS=\"$(stat -c '%Y' \"${CURRENT_SYSTEM_PROFILE}\")\"\n\necho \"node_deployed{version=\\\"${VERSION}\\\",date=\\\"${DEPLOY_TIMESTAMP}\\\"} ${DEPLOY_SECONDS}\"\n"
  },
  {
    "path": "modules/rasdaemon.nix",
    "content": "{\n  config,\n  ...\n}:\n\n{\n  hardware.rasdaemon = {\n    enable = true;\n    record = true;\n  };\n\n  services.prometheus.exporters.rasdaemon = {\n    enable = true;\n    enabledCollectors = [\n      \"aer\"\n      \"mce\"\n      \"mc\"\n      \"extlog\"\n      \"devlink\"\n      \"disk\"\n    ];\n    openFirewall = true;\n    firewallRules = ''\n      ip6 saddr $prometheus_inet6 tcp dport ${toString config.services.prometheus.exporters.rasdaemon.port} accept\n      ip saddr $prometheus_inet4 tcp dport ${toString config.services.prometheus.exporters.rasdaemon.port} accept\n    '';\n  };\n}\n"
  },
  {
    "path": "modules/rfc39.nix",
    "content": "# This module fetches nixpkgs master and syncs the GitHub maintainer team.\n{ config, pkgs, ... }:\nlet\n  rfc39Secret = f: {\n    file = f;\n    owner = \"rfc39\";\n  };\nin\n{\n  age.secrets.rfc39-credentials = rfc39Secret ../build/secrets/rfc39-credentials.age;\n  age.secrets.rfc39-github = rfc39Secret ../build/secrets/rfc39-github.age;\n  age.secrets.rfc39-record-push = rfc39Secret ../build/secrets/rfc39-record-push.age;\n\n  users.users.rfc39 = {\n    description = \"RFC39 Maintainer Team Sync\";\n    home = \"/var/lib/rfc39-sync\";\n    createHome = true;\n    isSystemUser = true;\n    group = \"rfc39\";\n  };\n  users.groups.rfc39 = { };\n\n  programs.ssh.knownHosts.\"github.com\".publicKey =\n    \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl\";\n\n  systemd.services.rfc39-sync = {\n    description = \"Sync the Maintainer Team \";\n    path = [\n      config.nix.package\n      pkgs.git\n      pkgs.openssh\n      pkgs.rfc39\n    ];\n    startAt = \"*:0/30\";\n    serviceConfig.User = \"rfc39\";\n    serviceConfig.Group = \"keys\";\n    serviceConfig.Type = \"oneshot\";\n    serviceConfig.PrivateTmp = true;\n    script = ''\n      set -eux\n\n      export GIT_SSH_COMMAND='ssh -i ${config.age.secrets.rfc39-record-push.path}'\n      export GIT_AUTHOR_NAME=\"rfc39\"\n      export GIT_AUTHOR_EMAIL=\"rfc39@eris\"\n      export GIT_COMMITTER_NAME=\"rfc39\"\n      export GIT_COMMITTER_EMAIL=\"rfc39@eris\"\n\n      recordsdir=$HOME/rfc39-record\n      if ! [[ -e \"$recordsdir\" ]]; then\n        git clone git@github.com:NixOS/rfc39-record.git \"$recordsdir\"\n      fi\n      cd \"$recordsdir\"\n      git fetch origin --no-auto-maintenance\n      git checkout main\n      git reset --hard origin/main\n      git maintenance run --auto\n\n      nixpkgsdir=$HOME/nixpkgs\n      if ! 
[[ -e $nixpkgsdir ]]; then\n        git clone https://github.com/NixOS/nixpkgs.git $nixpkgsdir\n      fi\n      cd $nixpkgsdir\n      git fetch origin --no-auto-maintenance\n      git checkout origin/master\n      git maintenance run --auto\n\n      rfc39 \\\n          --dump-metrics --metrics-delay=240 --metrics-addr=0.0.0.0:9190 \\\n          --credentials ${config.age.secrets.rfc39-credentials.path} \\\n          --maintainers ./maintainers/maintainer-list.nix \\\n          sync-team NixOS 3345117 --limit 50 \\\n          --invited-list \"$recordsdir/invitations\"\n\n      cd \"$recordsdir\"\n\n      if ! git diff --quiet; then\n        git add .\n        git commit -m \"Automated team sync results.\"\n        git push origin main\n      fi\n    '';\n  };\n\n}\n"
  },
  {
    "path": "modules/tarball-mirror.nix",
    "content": "# This module mirrors most tarballs reachable from Nixpkgs's\n# release.nix to the content-addressed tarball cache at\n# tarballs.nixos.org.\n\n{\n  config,\n  lib,\n  pkgs,\n  ...\n}:\n\nlet\n  # Determine the NixPkgs branch to mirror from.\n  # We take the current primary stable release.\n  branches = lib.filter (p: p != null) (\n    lib.mapAttrsToList (\n      name: v: if v.variant or null == \"primary\" && v.status or null == \"stable\" then name else null\n    ) (import ../channels.nix).channels\n  );\n  branch =\n    assert (lib.assertMsg (lib.length branches == 1) \"Multiple primary releases are marked as stable\");\n    lib.head branches;\nin\n\n{\n  age.secrets.tarball-mirror-aws-credentials = {\n    file = ../build/secrets/tarball-mirror-aws-credentials.age;\n    owner = \"tarball-mirror\";\n  };\n\n  users.users.tarball-mirror = {\n    description = \"Nixpkgs tarball mirroring user\";\n    home = \"/home/tarball-mirror\";\n    createHome = true;\n    isSystemUser = true;\n    group = \"tarball-mirror\";\n  };\n\n  users.groups.tarball-mirror = { };\n\n  systemd.services.mirror-tarballs = {\n    description = \"Mirror Nixpkgs Tarballs\";\n    path = [\n      config.nix.package\n      pkgs.git\n      pkgs.bash\n    ];\n    environment.NIX_REMOTE = \"daemon\";\n    serviceConfig.User = \"tarball-mirror\";\n    serviceConfig.Type = \"oneshot\";\n    serviceConfig.PrivateTmp = true;\n    script = ''\n      dir=/home/tarball-mirror/nixpkgs\n      if ! 
[[ -e $dir ]]; then\n        git clone https://github.com/NixOS/nixpkgs.git $dir\n      fi\n      cd $dir\n      git remote update origin\n      git checkout -f origin/${branch}\n      git apply ${./tarball-mirror.patch}\n      # FIXME: use IAM role.\n      export AWS_ACCESS_KEY_ID=$(sed 's/aws_access_key_id=\\(.*\\)/\\1/ ; t; d' ${config.age.secrets.tarball-mirror-aws-credentials.path})\n      export AWS_SECRET_ACCESS_KEY=$(sed 's/aws_secret_access_key=\\(.*\\)/\\1/ ; t; d' ${config.age.secrets.tarball-mirror-aws-credentials.path})\n      NIX_PATH=nixpkgs=. ./maintainers/scripts/copy-tarballs.pl \\\n        --expr 'import <nixpkgs/maintainers/scripts/all-tarballs.nix>' \\\n        --exclude 'registry.npmjs.org|mirror://kde|mirror://xorg|mirror://kernel|mirror://hackage|mirror://gnome|mirror://apache|mirror://mozilla|pypi.python.org'\n    '';\n    startAt = \"05:30\";\n  };\n\n}\n"
  },
  {
    "path": "modules/tarball-mirror.patch",
    "content": "From 89093ba05e6f9710aa0dcb500f6226f1be80cc86 Mon Sep 17 00:00:00 2001\nFrom: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>\nDate: Wed, 4 Dec 2024 09:39:04 +0100\nSubject: [PATCH] copy-tarballs: drop perl bindings\n\nThis hopefully makes it easier to re-write this script in a language\nthat people understand. Because it's shelling out, it's likely slower\nbut hopefully still fast enough for our purposes.\n---\n maintainers/scripts/copy-tarballs.pl | 78 +++++++++++++++++++++-------\n 1 file changed, 58 insertions(+), 20 deletions(-)\n\ndiff --git a/maintainers/scripts/copy-tarballs.pl b/maintainers/scripts/copy-tarballs.pl\nindex 30fbac6f002d90..cb117ad2be0762 100755\n--- a/maintainers/scripts/copy-tarballs.pl\n+++ b/maintainers/scripts/copy-tarballs.pl\n@@ -1,5 +1,5 @@\n #! /usr/bin/env nix-shell\n-#! nix-shell -i perl -p perl perlPackages.NetAmazonS3 perlPackages.FileSlurp perlPackages.JSON perlPackages.LWPProtocolHttps nix nix.perl-bindings\n+#! nix-shell -i perl -p perl perlPackages.NetAmazonS3 perlPackages.FileSlurp perlPackages.JSON perlPackages.LWPProtocolHttps nix\n \n # This command uploads tarballs to tarballs.nixos.org, the\n # content-addressed cache used by fetchurl as a fallback for when\n@@ -20,14 +20,51 @@\n use File::Slurp;\n use JSON;\n use Net::Amazon::S3;\n-use Nix::Store;\n-\n-isValidPath(\"/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo\"); # FIXME: forces Nix::Store initialisation\n \n sub usage {\n     die \"Syntax: $0 [--dry-run] [--exclude REGEXP] [--expr EXPR | --file FILES...]\\n\";\n }\n \n+sub computeFixedOutputPath {\n+    my ($name, $algo, $hash) = @_;\n+    my $expr = <<'EXPR';\n+{ name, outputHashAlgo, outputHash }:\n+builtins.toString (derivation {\n+  inherit name outputHashAlgo outputHash;\n+  builder = \"false\";\n+  system = \"dontcare\";\n+  outputHashMode = \"flat\";\n+})\n+EXPR\n+    open(my $fh, \"-|\",\n+        \"nix-instantiate\",\n+        \"--eval\",\n+        \"--strict\",\n+        \"-E\", 
$expr,\n+        \"--argstr\", \"name\", $name,\n+        \"--argstr\", \"outputHashAlgo\", $algo,\n+        \"--argstr\", \"outputHash\", $hash) or die \"Failed to run nix-instantiate: $!\";\n+\n+    my $storePathJson = <$fh>;\n+    chomp $storePathJson;\n+    my $storePath = decode_json($storePathJson);\n+    close $fh;\n+    return $storePath;\n+}\n+\n+sub nixHash {\n+    my ($algo, $base16, $path) = @_;\n+    open(my $fh, \"-|\",\n+        \"nix-hash\",\n+        \"--type\", $algo,\n+        \"--flat\",\n+        ($base16 ? \"--base16\" : ()),\n+        $path) or die \"Failed to run nix-hash: $!\";\n+    my $hash = <$fh>;\n+    chomp $hash;\n+    return $hash;\n+}\n+\n my $dryRun = 0;\n my $expr;\n my @fileNames;\n@@ -90,12 +127,12 @@ sub alreadyMirrored {\n sub uploadFile {\n     my ($fn, $name) = @_;\n \n-    my $md5_16 = hashFile(\"md5\", 0, $fn) or die;\n-    my $sha1_16 = hashFile(\"sha1\", 0, $fn) or die;\n-    my $sha256_32 = hashFile(\"sha256\", 1, $fn) or die;\n-    my $sha256_16 = hashFile(\"sha256\", 0, $fn) or die;\n-    my $sha512_32 = hashFile(\"sha512\", 1, $fn) or die;\n-    my $sha512_16 = hashFile(\"sha512\", 0, $fn) or die;\n+    my $md5_16 = nixHash(\"md5\", 0, $fn) or die;\n+    my $sha1_16 = nixHash(\"sha1\", 0, $fn) or die;\n+    my $sha256_32 = nixHash(\"sha256\", 1, $fn) or die;\n+    my $sha256_16 = nixHash(\"sha256\", 0, $fn) or die;\n+    my $sha512_32 = nixHash(\"sha512\", 1, $fn) or die;\n+    my $sha512_16 = nixHash(\"sha512\", 0, $fn) or die;\n \n     my $mainKey = \"sha512/$sha512_16\";\n \n@@ -130,7 +167,7 @@ sub uploadFile {\n     my $res = 0;\n     foreach my $fn (@fileNames) {\n         eval {\n-            if (alreadyMirrored(\"sha512\", hashFile(\"sha512\", 0, $fn))) {\n+            if (alreadyMirrored(\"sha512\", nixHash(\"sha512\", 0, $fn))) {\n                 print STDERR \"$fn is already mirrored\\n\";\n             } else {\n                 uploadFile($fn, basename $fn);\n@@ -176,7 +213,9 @@ sub uploadFile {\n \n    
     if ($hash =~ /^([a-z0-9]+)-([A-Za-z0-9+\\/=]+)$/) {\n             $algo = $1;\n-            $hash = `nix hash to-base16 $hash` or die;\n+            open(my $fh, \"-|\", \"nix\", \"--extra-experimental-features\", \"nix-command\", \"hash\", \"convert\", \"--to\", \"base16\", $hash) or die;\n+            $hash = <$fh>;\n+            close $fh;\n             chomp $hash;\n         }\n \n@@ -184,11 +223,13 @@ sub uploadFile {\n \n         # Convert non-SRI base-64 to base-16.\n         if ($hash =~ /^[A-Za-z0-9+\\/=]+$/) {\n-            $hash = `nix hash to-base16 --type '$algo' $hash` or die;\n+            open(my $fh, \"-|\", \"nix\", \"--extra-experimental-features\", \"nix-command\", \"hash\", \"convert\", \"--to\", \"base16\", \"--hash-algo\", $algo, $hash) or die;\n+            $hash = <$fh>;\n+            close $fh;\n             chomp $hash;\n         }\n \n-        my $storePath = makeFixedOutputPath(0, $algo, $hash, $name);\n+        my $storePath = computeFixedOutputPath($name, $algo, $hash);\n \n         for my $url (@$urls) {\n             if (defined $ENV{DEBUG}) {\n@@ -210,18 +251,15 @@ sub uploadFile {\n \n             print STDERR \"mirroring $url ($storePath, $algo, $hash)...\\n\";\n \n+\n             if ($dryRun) {\n                 $mirrored++;\n                 last;\n             }\n-\n-            # Substitute the output.\n-            if (!isValidPath($storePath)) {\n-                system(\"nix-store\", \"-r\", $storePath);\n-            }\n+            my $isValidPath = system(\"nix-store\", \"-r\", $storePath) == 0;\n \n             # Otherwise download the file using nix-prefetch-url.\n-            if (!isValidPath($storePath)) {\n+            if (!$isValidPath) {\n                 $ENV{QUIET} = 1;\n                 $ENV{PRINT_PATH} = 1;\n                 my $fh;\n"
  },
  {
    "path": "non-critical-infra/.envrc",
    "content": "# shellcheck shell=bash\nuse flake .#non-critical-infra\n"
  },
  {
    "path": "non-critical-infra/.sops.yaml",
    "content": "keys:\n  - &hexa age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\n  - &zimbatm age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\n  - &simon age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua\n  - &caliban age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq\n  - &umbriel age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\n  - &staging-hydra age1zxcssfw5j6dwvcw25tmxs79lq40xk70h2s234hen8pkpte2qe30q9e7cy8\n  - &mic92 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz\n  - &mic92-mac age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h\n  - &Ericson2314 age1fgzf77gyah4efemnrqg4e7j0vk8fpq0uzrucepmdpsd5z7l4lgpsfq54df\n\ncreation_rules:\n  - path_regex: secrets/[^/]+.caliban\n    key_groups:\n      - age:\n          - *caliban\n          - *hexa\n          - *zimbatm\n          - *mic92\n          - *mic92-mac\n\n  - path_regex: secrets/[^/]+.umbriel\n    key_groups:\n      - age:\n          - *umbriel\n          - *hexa\n          - *zimbatm\n          - *mic92\n          - *mic92-mac\n\n  # ssh keys used to bootstrap new machines\n  - path_regex: secrets/[^/]+-hostkeys.yaml\n    key_groups:\n      - age:\n          - *mic92\n          - *mic92-mac\n          - *hexa\n          - *zimbatm\n          - *staging-hydra\n\n  - path_regex: secrets/[^/]+.staging-hydra\n    key_groups:\n      - age:\n          - *staging-hydra\n          - *mic92\n          - *mic92-mac\n          - *hexa\n          - *zimbatm\n          - *simon\n          - *Ericson2314\n"
  },
  {
    "path": "non-critical-infra/README.md",
    "content": "# Non-critical-infra\n\nThis folder of the repository contains all files relative to the non-critical\ninfra team. Machines managed by that specific configuration are distinct from\nthe ones used in the rest of that repository and used to host services useful to\nthe general Nix/NixOS community.\n\n## For the users\n\n### I would like my project hosted by this infrastructure\n\nOpen a PR or an issue, and members of the infra team will tell you if this\ninfrastructure is suitable to the project!\n\n### I would like to join the team\n\nCome and talk to us on matrix: #infra:nixos.org\n\n## For the contributors\n\n### Secret access\n\nSecret access is on a \"need to have\" basis. If you think you need access to the\nsecrets, please add your key to the `.sops.yaml` file on a PR and ping people\nthat already have access for them to run the `updatekeys` command.\n"
  },
  {
    "path": "non-critical-infra/colmena.sh",
    "content": "#!/usr/bin/env bash\nset -euo pipefail\n\ncd \"$(dirname \"$0\")\"\ncolmena apply \"$@\"\n"
  },
  {
    "path": "non-critical-infra/flake-module.nix",
    "content": "{\n  inputs,\n  lib,\n  ...\n}:\n{\n  colmena.hosts = {\n    caliban = { };\n    umbriel = { };\n    staging-hydra = { };\n  };\n  flake =\n    let\n      importConfig =\n        path:\n        (lib.mapAttrs (name: _value: import (path + \"/${name}/default.nix\")) (\n          lib.filterAttrs (_: v: v == \"directory\") (builtins.readDir path)\n        ));\n    in\n    {\n      nixosConfigurations = builtins.mapAttrs (\n        _name: value:\n        inputs.nixpkgs.lib.nixosSystem {\n          inherit lib;\n          system = \"x86_64-linux\";\n          specialArgs = {\n            inherit inputs;\n          };\n          modules = [\n            value\n            inputs.disko.nixosModules.disko\n            inputs.sops-nix.nixosModules.sops\n          ];\n          extraModules = [ inputs.colmena.nixosModules.deploymentOptions ];\n\n        }\n      ) (importConfig ./hosts);\n\n    };\n\n  perSystem =\n    { inputs', pkgs, ... }:\n    {\n      packages.encrypt-email = pkgs.callPackage ./packages/encrypt-email { };\n\n      devShells.non-critical-infra = pkgs.mkShellNoCC {\n        packages = [\n          inputs'.colmena.packages.colmena\n          pkgs.sops\n          pkgs.ssh-to-age\n        ];\n      };\n    };\n}\n"
  },
  {
    "path": "non-critical-infra/hosts/caliban/default.nix",
    "content": "{\n  config,\n  inputs,\n  lib,\n  ...\n}:\n\n{\n  imports = [\n    ./hardware.nix\n    inputs.srvos.nixosModules.server\n    inputs.srvos.nixosModules.hardware-hetzner-online-amd\n    ../../../modules/rasdaemon.nix\n    ../../modules/common.nix\n    ../../modules/draupnir.nix\n    ../../modules/backup.nix\n    ../../modules/element-web.nix\n    ../../modules/limesurvey.nix\n    ../../modules/matrix-synapse.nix\n    ../../modules/owncast.nix\n    ../../modules/vaultwarden.nix\n    ./nixpkgs-swh.nix\n  ];\n\n  fileSystems.\"/boot-1\" = {\n    device = \"/dev/disk/by-uuid/9299-8E8E\";\n    fsType = \"vfat\";\n  };\n\n  fileSystems.\"/boot-2\" = {\n    device = \"/dev/disk/by-uuid/9297-573C\";\n    fsType = \"vfat\";\n  };\n\n  # Bootloader.\n  boot.loader.grub.enable = true;\n  boot.loader.grub.mirroredBoots = lib.mkForce [\n    {\n      path = \"/boot-1\";\n      devices = [ \"/dev/disk/by-id/nvme-SAMSUNG_MZQL23T8HCLS-00A07_S64HNJ0T508051\" ];\n    }\n    {\n      path = \"/boot-2\";\n      devices = [ \"/dev/disk/by-id/nvme-SAMSUNG_MZQL23T8HCLS-00A07_S64HNJ0T508053\" ];\n    }\n  ];\n\n  networking = {\n    hostName = \"caliban\";\n    domain = \"nixos.org\";\n    hostId = \"745b334a\";\n  };\n\n  disko.devices = import ./disko.nix;\n\n  networking.firewall.allowedTCPPorts = [\n    80\n    443\n  ];\n  networking.firewall.allowedUDPPorts = [ ];\n\n  systemd.network.networks.\"10-uplink\".networkConfig.Address = \"2a01:4f9:5a:186c::2\";\n\n  sops.secrets.storagebox-ssh-key = {\n    sopsFile = ../../secrets/storagebox-ssh-key.caliban;\n    format = \"binary\";\n    path = \"/var/keys/storagebox-ssh-key\";\n    mode = \"0600\";\n    owner = \"root\";\n    group = \"root\";\n  };\n\n  sops.secrets.backup-secret = {\n    sopsFile = ../../secrets/backup-secret.caliban;\n    format = \"binary\";\n    path = \"/var/keys/borg-secret\";\n    mode = \"0600\";\n    owner = \"root\";\n    group = \"root\";\n  };\n\n  services.backup = {\n    user = 
\"u391032-sub3\";\n    host = \"u391032-sub3.your-storagebox.de\";\n    hostPublicKey = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs\";\n    port = 23;\n    sshKey = config.sops.secrets.storagebox-ssh-key.path;\n    secretPath = config.sops.secrets.backup-secret.path;\n  };\n\n  system.stateVersion = \"23.05\";\n\n}\n"
  },
  {
    "path": "non-critical-infra/hosts/caliban/disko.nix",
    "content": "let\n  partitions = {\n    grub = {\n      priority = 1;\n      start = \"0\";\n      end = \"1M\";\n      type = \"EF02\";\n    };\n    boot = {\n      priority = 2;\n      name = \"boot\";\n      start = \"1M\";\n      end = \"1G\";\n      content = {\n        type = \"filesystem\";\n        format = \"vfat\";\n      };\n    };\n    root = {\n      priority = 3;\n      start = \"1G\";\n      end = \"100%\";\n      content = {\n        type = \"zfs\";\n        pool = \"zroot\";\n      };\n    };\n  };\nin\n{\n  disk = {\n    nvme0n1 = {\n      type = \"disk\";\n      device = \"/dev/nvme0n1\";\n      content = {\n        type = \"gpt\";\n        inherit partitions;\n      };\n    };\n    nvme1n1 = {\n      type = \"disk\";\n      device = \"/dev/nvme1n1\";\n      content = {\n        type = \"gpt\";\n        inherit partitions;\n      };\n    };\n  };\n\n  zpool = {\n    zroot = {\n      type = \"zpool\";\n      mode = \"mirror\";\n      rootFsOptions = {\n        compression = \"lz4\";\n        \"com.sun:auto-snapshot\" = \"true\";\n        mountpoint = \"none\";\n      };\n      datasets = {\n        \"root\" = {\n          type = \"zfs_fs\";\n          options.mountpoint = \"none\";\n          mountpoint = null;\n        };\n        \"root/nixos\" = {\n          type = \"zfs_fs\";\n          options.mountpoint = \"/\";\n          mountpoint = \"/\";\n        };\n      };\n    };\n  };\n}\n"
  },
  {
    "path": "non-critical-infra/hosts/caliban/hardware.nix",
    "content": "{ config, lib, ... }:\n\n{\n\n  boot.initrd.kernelModules = [ ];\n  boot.kernelModules = [ ];\n  boot.extraModulePackages = [ ];\n\n  swapDevices = [ ];\n\n  nixpkgs.hostPlatform = lib.mkDefault \"x86_64-linux\";\n  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;\n}\n"
  },
  {
    "path": "non-critical-infra/hosts/caliban/nixpkgs-swh.nix",
    "content": "{ inputs, config, ... }:\n{\n  imports = [\n    inputs.nixpkgs-swh.nixosModules.nixpkgs-swh\n  ];\n  services = {\n    nixpkgs-swh = {\n      enable = true;\n    };\n    nginx = {\n      enable = true;\n      virtualHosts = {\n        \"nixpkgs-swh.nixos.org\" = {\n          enableACME = true;\n          forceSSL = true;\n\n          locations.\"/\" = {\n            root = config.services.nixpkgs-swh.outputDir;\n            extraConfig = ''\n              autoindex on;\n            '';\n          };\n        };\n      };\n    };\n  };\n}\n"
  },
  {
    "path": "non-critical-infra/hosts/staging-hydra/bootstrap-staging-hydra.sh",
    "content": "#!/usr/bin/env bash\n\n# Bootstrap staging-hydra on nixos.lysator.liu.se (130.236.254.207).\n#\n# WARNING: nixos-anywhere will WIPE all disks. Only use this for a fresh\n# install. For regular deployments use colmena:\n#   colmena apply --on staging-hydra\n\nset -euo pipefail\ntmpDir=$(mktemp -d)\nsshDir=\"$tmpDir/etc/ssh\"\nmkdir -p \"$sshDir\"\ntrap 'rm -rf \"$tmpDir\"' EXIT\n\nSCRIPT_DIR=\"$(cd \"$(dirname \"${BASH_SOURCE[0]}\")\" >/dev/null 2>&1 && pwd)\"\n\nkeys=(\n  ssh_host_ed25519_key\n  ssh_host_ed25519_key_pub\n  ssh_host_rsa_key\n  ssh_host_rsa_key_pub\n)\nfor keyname in \"${keys[@]}\"; do\n  if [[ $keyname == *.pub ]]; then\n    umask 0133\n  else\n    umask 0177\n  fi\n  sops --extract '[\"'\"$keyname\"'\"]' --decrypt \"$SCRIPT_DIR/../../secrets/staging-hydra-hostkeys.yaml\" >\"$sshDir/$keyname\"\ndone\nnix run nixpkgs#nixos-anywhere -- --extra-files \"$tmpDir\" -f .#staging-hydra nixos@nixos.lysator.liu.se\n"
  },
  {
    "path": "non-critical-infra/hosts/staging-hydra/ca.crt",
    "content": "-----BEGIN CERTIFICATE-----\nMIIBnTCCAU+gAwIBAgIUQpxYsPwAyTY70yYO9fcCmCaZreIwBQYDK2VwMEMxCzAJ\nBgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt\ncXVldWUtcnVubmVyLWNhMCAXDTI1MDczMTEyMDQxN1oYDzIwNzUwNzE5MTIwNDE3\nWjBDMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExHjAcBgNVBAMM\nFWh5ZHJhLXF1ZXVlLXJ1bm5lci1jYTAqMAUGAytlcAMhAM+Mc/XSTXwJeWPxrpqo\nSPT5Xwi8/j85VO6TsfBlXFt4o1MwUTAdBgNVHQ4EFgQU0wQG6BxTKtYwlywuyD0a\nVr/1r4gwHwYDVR0jBBgwFoAU0wQG6BxTKtYwlywuyD0aVr/1r4gwDwYDVR0TAQH/\nBAUwAwEB/zAFBgMrZXADQQA3BRP2+TkkDQPnPy6MQyDCxqfEeV6OQjtspSvCO0UL\nGWmfvzrlUQytwTFTPfVzaErbyVPbeYU5y8rmRoGPNSoI\n-----END CERTIFICATE-----\n"
  },
  {
    "path": "non-critical-infra/hosts/staging-hydra/default.nix",
    "content": "{ inputs, ... }:\n{\n  imports = [\n    ./hardware.nix\n    inputs.srvos.nixosModules.server\n    ../../modules/common.nix\n    ./hydra-proxy.nix\n    ./hydra.nix\n  ];\n\n  nixpkgs.overlays = [\n    inputs.hydra-staging.overlays.default\n  ];\n\n  disko.devices = import ./disko.nix;\n\n  boot = {\n    loader.grub = {\n      enable = true;\n      efiSupport = true;\n      efiInstallAsRemovable = true;\n      mirroredBoots = [\n        {\n          devices = [ \"nodev\" ];\n          path = \"/boot\";\n        }\n        {\n          devices = [ \"nodev\" ];\n          path = \"/boot-fallback/1\";\n        }\n        {\n          devices = [ \"nodev\" ];\n          path = \"/boot-fallback/2\";\n        }\n      ];\n    };\n    kernelParams = [ \"console=tty\" ];\n  };\n\n  networking = {\n    hostName = \"nixos\";\n    domain = \"lysator.liu.se\";\n    hostId = \"44230408\"; # Needed for ZFS\n    useDHCP = false;\n  };\n\n  systemd.network = {\n    enable = true;\n    networks.\"10-wan\" = {\n      address = [\n        \"130.236.254.207/24\"\n        \"2001:6b0:17:f0a0::cf/64\"\n      ];\n\n      dns = [\n        \"130.236.254.4\"\n        \"130.236.254.225\"\n        \"2001:6b0:17:f0a0::e1\"\n      ];\n\n      linkConfig.RequiredForOnline = \"routable\";\n\n      routes = [\n        { Gateway = \"130.236.254.1\"; }\n        { Gateway = \"2001:6b0:17:f0a0::1\"; }\n      ];\n\n      matchConfig.Path = \"pci-0000:06:00.0\";\n    };\n  };\n\n  networking.firewall.allowedTCPPorts = [\n    80\n    443\n  ];\n  networking.firewall.allowedUDPPorts = [ ];\n\n  # Lysator admin account - DO NOT REMOVE\n  users.users.lysroot = {\n    isNormalUser = true;\n    extraGroups = [ \"wheel\" ];\n    openssh.authorizedKeys.keys = [\n      \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF8WX07Oj1Mv9dIY6FaCdDdVQudVKJK6OSCRK8b16yzJ\"\n    ];\n  };\n\n  security.sudo.wheelNeedsPassword = false;\n\n  # Lysator syslog forwarding\n  services.syslog-ng = {\n    enable = true;\n    
extraConfig = ''\n      source s_local {\n        system();\n        internal();\n      };\n\n      destination d_loghost {\n        tcp(\"loghost.lysator.liu.se\");\n      };\n\n      log {\n        source(s_local);\n        destination(d_loghost);\n      };\n    '';\n  };\n\n  services.fail2ban.enable = true;\n\n  system.stateVersion = \"25.11\";\n\n  users.users.root.openssh.authorizedKeys.keys = [\n    # John Ericson for working on Hydra\n    \"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdof+fSLyz3FV5t/yE9LBk/hgR8iNfdz/DRigvh4pP6+E4VPpPKSeA0a8r4CLMWvy9ZZ3Gqa04NdJnMmo8gBSIlo87JPq66GnC5QmeDJX2NLlliSeNQqUQKJ2VVcsVerz8O/RvVfvU2MIdW8VExx/DxeZbMnwRcWfUC0nby0NotWGNeS3NOcWWQq9z4E0sDSJ+QXSIMXWSeMda5sBadUK+YERTLYE/+ZVUPiXkXCmnwuRFHpZsqlRVad+kgXsZIwNEPUEqmEablg2C0NjvEbs75Yu9WUXXPJNhwaFbVXaWUM8UWO/n39jMM8aepalZbMhdFh129cAH35SjzIYjHxTP\"\n\n    # Conni2461 for hydra-queue-runner\n    \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPK/3rYhlIzoPCsPK38PMdK1ivqPaJgUqWwRtmxdKZrO\"\n    \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEltgDXy2aiHhkNeL4aF7P9mDcpMR9+v8zo8EKUQUNHP\"\n\n    # picnoir for multiple signing keys\n    \"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIPml1DaHG1i8WDEsbCCJwPRPf4wJWQAYQIYAyJh2zqMpAAAABHNzaDo=\"\n    \"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEPPocCK4JCbFWshVHMgICOm61LC6V2JAXThzKjXv7TSAAAABHNzaDo=\"\n    \"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEWWZ8LjNo41679gFI4Iv4YtjFxwhSbMZVsvvYYaTXdxAAAABHNzaDo= picnoir@framework\"\n  ];\n\n  zramSwap = {\n    enable = true;\n    memoryPercent = 150;\n  };\n}\n"
  },
  {
    "path": "non-critical-infra/hosts/staging-hydra/disko.nix",
    "content": "# Matches the existing disk layout on nixos.lysator.liu.se:\n# 3x 1.8T disks in raidz1 ZFS pool \"tank\", each with a 1G EFI partition\nlet\n  espPartition = mountpoint: {\n    type = \"EF00\";\n    size = \"1G\";\n    content = {\n      type = \"filesystem\";\n      format = \"vfat\";\n      inherit mountpoint;\n      mountOptions = [\n        \"fmask=0022\"\n        \"dmask=0022\"\n      ];\n    };\n  };\n\n  zfsPart = {\n    size = \"100%\";\n    content = {\n      type = \"zfs\";\n      pool = \"tank\";\n    };\n  };\n\n  makeDisk = device: espMountpoint: {\n    inherit device;\n    type = \"disk\";\n    content = {\n      type = \"gpt\";\n      partitions = {\n        esp = espPartition espMountpoint;\n        zfs = zfsPart;\n      };\n    };\n  };\nin\n{\n  disk = {\n    sda = makeDisk \"/dev/disk/by-id/wwn-0x5000cca222c595d2\" \"/boot\";\n    sdb = makeDisk \"/dev/disk/by-id/wwn-0x5000cca222c1c46e\" \"/boot-fallback/1\";\n    sdc = makeDisk \"/dev/disk/by-id/wwn-0x5000cca222c5c6d3\" \"/boot-fallback/2\";\n  };\n\n  zpool.tank = {\n    type = \"zpool\";\n    mode = \"raidz1\";\n    options = {\n      ashift = \"12\";\n    };\n    rootFsOptions = {\n      compression = \"on\";\n      mountpoint = \"none\";\n      acltype = \"posix\";\n      xattr = \"on\";\n    };\n    datasets = {\n      \"root\" = {\n        type = \"zfs_fs\";\n        mountpoint = \"/\";\n      };\n      \"nix\" = {\n        type = \"zfs_fs\";\n        mountpoint = \"/nix\";\n      };\n      \"var\" = {\n        type = \"zfs_fs\";\n        mountpoint = \"/var\";\n      };\n      \"home\" = {\n        type = \"zfs_fs\";\n        mountpoint = \"/home\";\n      };\n    };\n  };\n}\n"
  },
  {
    "path": "non-critical-infra/hosts/staging-hydra/genca.sh",
    "content": "#!/usr/bin/env bash\n\nset -x\n\nhosts=\"localhost ofborg-eval02 ofborg-eval03 ofborg-eval04 ofborg-build01 ofborg-build02 ofborg-build03 ofborg-build04 ofborg-build05\"\n\nC=\"DE\"\nO=\"NixOS Infra\"\n\nnewDir=\"$(date '+%Y-%m-%dT%H:%M')\"\nmkdir \"${newDir}\"\ncd \"${newDir}\" || exit\n\nopenssl genpkey -algorithm Ed25519 -out ca.key\nopenssl req -x509 -new -nodes -key ca.key -sha256 -days 18250 -out ca.crt \\\n  -subj \"/C=${C}/O=${O}/CN=hydra-queue-runner-ca\"\n\ncat <<EOF >server.cnf\n[req]\nprompt             = no\nx509_extensions    = v3_req\nreq_extensions     = v3_req\ndefault_md         = sha256\ndistinguished_name = req_distinguished_name\n\n[req_distinguished_name]\nC  = ${C}\nO  = ${O}\nCN = queue-runner.staging-hydra.nixos.org\n\n[v3_req]\nbasicConstraints = CA:FALSE\nkeyUsage         = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement\nextendedKeyUsage = critical, serverAuth\nsubjectAltName   = @alt_names\n\n[alt_names]\nDNS.1 = queue-runner.staging-hydra.nixos.org\nEOF\n\nopenssl genpkey -algorithm Ed25519 -out server.key\nopenssl req -new -key server.key -out server.csr -config server.cnf\nopenssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 18250 -sha256 -extfile server.cnf -extensions v3_req\n\nfor host in ${hosts}; do\n  openssl genpkey -algorithm Ed25519 -out \"client-${host}.key\"\n  openssl req -new -key \"client-${host}.key\" -out \"client-${host}.csr\" \\\n    -subj \"/C=${C}/O=${O}/CN=hydra-queue-builder-${host}\"\n  openssl x509 -req -in \"client-${host}.csr\" -CA ca.crt -CAkey ca.key -CAcreateserial -out \"client-${host}.crt\" -days 18250 -sha256\ndone\n\nrm -rf -- *.csr *.srl\nrm server.cnf\n\ncd - || exit\n"
  },
  {
    "path": "non-critical-infra/hosts/staging-hydra/hardware.nix",
    "content": "{\n  config,\n  lib,\n  modulesPath,\n  ...\n}:\n{\n  imports = [\n    (modulesPath + \"/installer/scan/not-detected.nix\")\n  ];\n\n  boot.initrd.availableKernelModules = [\n    \"xhci_pci\"\n    \"ehci_pci\"\n    \"ahci\"\n    \"usbhid\"\n    \"usb_storage\"\n    \"sd_mod\"\n    \"sr_mod\"\n  ];\n  boot.initrd.kernelModules = [ ];\n  boot.kernelModules = [ \"kvm-intel\" ];\n  boot.extraModulePackages = [ ];\n\n  swapDevices = [ ];\n\n  nixpkgs.hostPlatform = lib.mkDefault \"x86_64-linux\";\n  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;\n}\n"
  },
  {
    "path": "non-critical-infra/hosts/staging-hydra/hydra-proxy.nix",
    "content": "{\n  config,\n  lib,\n  pkgs,\n  ...\n}:\n\nlet\n  bannedUserAgentPatterns = [\n    \"Trident/\"\n    \"Android\\\\s[123456789]\\\\.\"\n    \"iPod\"\n    \"iPad\\\\sOS\\\\s\"\n    \"iPhone\\\\sOS\\\\s[23456789]\"\n    \"Opera/[89]\"\n    \"(Chrome|CriOS)/(\\\\d\\\\d?\\\\.|1[01]|12[4])\"\n    \"(Firefox|FxiOS)/(\\\\d\\\\d?\\\\.|1[01]|12[012345679]\\\\.)\"\n    \"PPC\\\\sMac\\\\sOS\"\n    \"Windows\\\\sCE\"\n    \"Windows\\\\s95\"\n    \"Windows\\\\s98\"\n    \"Windows\\\\sNT\\\\s[12345]\\\\.\"\n  ];\nin\n{\n  networking.firewall.allowedTCPPorts = [\n    80\n    443\n  ];\n\n  services.nginx = {\n    enable = true;\n    enableReload = true;\n\n    recommendedBrotliSettings = true;\n    recommendedGzipSettings = true;\n    recommendedOptimisation = true;\n    recommendedProxySettings = true;\n    recommendedTlsSettings = true;\n\n    proxyTimeout = \"900s\";\n\n    appendConfig = ''\n      worker_processes auto;\n    '';\n\n    eventsConfig = ''\n      worker_connections 1024;\n    '';\n\n    appendHttpConfig = ''\n      map $http_user_agent $badagent {\n        default 0;\n        ${lib.concatMapStringsSep \"\\n\" (pattern: ''\n          ~${pattern} 1;\n        '') bannedUserAgentPatterns}\n      }\n    '';\n\n    # Plain HTTP access via lysator hostname (no ACME since we don't control the domain)\n    virtualHosts.\"nixos.lysator.liu.se\" = {\n      locations.\"/\" = {\n        proxyPass = \"http://127.0.0.1:3000\";\n      };\n    };\n\n    virtualHosts.\"staging-hydra.nixos.org\" = {\n      forceSSL = true;\n      enableACME = true;\n\n      extraConfig = ''\n        error_page 502 /502.html;\n        error_page 503 /503.html;\n        location ~ /(502|503).html {\n          root ${../../../build/nginx-error-pages};\n          internal;\n        }\n      '';\n\n      # Ask robots not to scrape hydra, it has various expensive endpoints\n      locations.\"=/robots.txt\".alias = pkgs.writeText \"hydra.nixos.org-robots.txt\" ''\n        User-agent: *\n  
      Disallow: /\n        Allow: /$\n      '';\n\n      locations.\"/\" = {\n        proxyPass = \"http://127.0.0.1:3000\";\n        extraConfig = ''\n          if ($badagent) {\n            access_log /var/log/nginx/abuse.log;\n            return 403;\n          }\n        '';\n      };\n\n      locations.\"/static/\" = {\n        alias = \"${config.services.hydra-dev.package}/libexec/hydra/root/static/\";\n      };\n    };\n  };\n\n}\n"
  },
  {
    "path": "non-critical-infra/hosts/staging-hydra/hydra.nix",
    "content": "{\n  lib,\n  pkgs,\n  config,\n  inputs,\n  ...\n}:\nlet\n  narCache = \"/var/cache/hydra/nar-cache\";\n  localSystems = [\n    \"builtin\"\n    config.nixpkgs.hostPlatform.system\n  ];\nin\n{\n  imports = [\n    inputs.hydra-staging.nixosModules.web-app\n    inputs.hydra-staging.nixosModules.queue-runner\n  ];\n\n  networking.firewall.allowedTCPPorts = [\n    9198 # queue-runner metrics\n    9199 # hydra-notify metrics\n  ];\n\n  services.postgresql.settings = {\n    log_min_duration_statement = 5000;\n    log_duration = \"off\";\n    log_statement = \"none\";\n\n    max_connections = 500;\n    work_mem = \"20MB\";\n    maintenance_work_mem = \"2GB\";\n  };\n\n  # garbage collection\n  nix.gc = {\n    automatic = true;\n    options = ''--max-freed \"$((400 * 1024**3 - 1024 * $(df -P -k /nix/store | tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))\"'';\n    dates = \"03,09,15,21:15\";\n  };\n\n  nix.settings = {\n    # gc outputs as well, since they are served from the cache\n    gc-keep-outputs = lib.mkForce false;\n    allowed-users = [\n      \"hydra\"\n      \"hydra-www\"\n    ];\n  };\n\n  # Don't rate-limit the journal.\n  services.journald.rateLimitBurst = 0;\n\n  sops.secrets = {\n    signing-key = {\n      sopsFile = ../../secrets/signing-key.staging-hydra;\n      format = \"binary\";\n      owner = config.systemd.services.hydra-queue-runner-dev.serviceConfig.User;\n    };\n    hydra-aws-credentials = {\n      sopsFile = ../../secrets/hydra-aws-credentials.staging-hydra;\n      format = \"binary\";\n      owner = config.systemd.services.hydra-queue-runner-dev.serviceConfig.User;\n    };\n  };\n\n  services = {\n    hydra-dev = {\n      enable = true;\n      package = pkgs.hydra;\n      buildMachinesFiles = [\n        (pkgs.writeText \"local\" ''\n          localhost ${lib.concatStringsSep \",\" localSystems} - 3 1 ${lib.concatStringsSep \",\" config.nix.settings.system-features} - -\n        '')\n      ];\n      logo = 
../../../build/hydra-logo.png;\n      hydraURL = \"https://hydra.nixos.org\";\n      notificationSender = \"edolstra@gmail.com\";\n      smtpHost = \"localhost\";\n      useSubstitutes = true;\n      extraConfig = ''\n        max_servers 30\n\n        store_uri = s3://nix-cache-staging?secret-key=${config.sops.secrets.signing-key.path}&ls-compression=br&log-compression=br\n        server_store_uri = https://cache-staging.nixos.org?local-nar-cache=${narCache}\n        binary_cache_public_uri = https://cache-staging.nixos.org\n\n        <Plugin::Session>\n          cache_size = 32m\n        </Plugin::Session>\n\n        # patchelf:master:3\n        xxx-jobset-repeats = nixos:reproducibility:1\n\n        upload_logs_to_binary_cache = true\n        compress_build_logs = false  # conflicts with upload_logs_to_binary_cache\n\n        log_prefix = https://cache.nixos.org/\n\n        evaluator_workers = 4\n        evaluator_max_memory_size = 4096\n\n        queue_runner_endpoint = http://localhost:8080\n\n        max_concurrent_evals = 1\n\n        max_unsupported_time = 86400\n\n        allow_import_from_derivation = false\n\n        max_output_size = 3821225472 # 3 << 30 + 600000000 = 3 GiB + 0.6 GB\n        max_db_connections = 50\n\n        queue_runner_metrics_address = [::]:9198\n\n        <hydra_notify>\n          <prometheus>\n            listen_address = 0.0.0.0\n            port = 9199\n          </prometheus>\n        </hydra_notify>\n      '';\n    };\n\n    hydra-queue-runner-dev = {\n      enable = true;\n      awsCredentialsFile = config.sops.secrets.hydra-aws-credentials.path;\n      settings = {\n        queueTriggerTimerInS = 300;\n        concurrentUploadLimit = 2;\n        remoteStoreAddr = [\n          \"s3://nix-cache-staging?secret-key=${config.sops.secrets.signing-key.path}&ls-compression=br&log-compression=br\"\n        ];\n      };\n    };\n\n    nginx = {\n      enable = true;\n      virtualHosts.\"queue-runner.staging-hydra.nixos.org\" = {\n     
   extraConfig = ''\n          ssl_client_certificate ${./ca.crt};\n          ssl_verify_depth 2;\n          ssl_verify_client on;\n        '';\n\n        sslCertificate = ./server.crt;\n        sslCertificateKey = config.sops.secrets.\"queue-runner-server.key\".path;\n        onlySSL = true;\n\n        locations.\"/\".extraConfig = ''\n          # This is necessary so that grpc connections do not get closed early\n          # see https://stackoverflow.com/a/67805465\n          client_body_timeout 31536000s;\n          client_max_body_size 0;\n\n          grpc_pass grpc://[::1]:50051;\n\n          grpc_read_timeout 31536000s; # 1 year in seconds\n          grpc_send_timeout 31536000s; # 1 year in seconds\n          grpc_socket_keepalive on;\n\n          grpc_set_header Host $host;\n          grpc_set_header X-Real-IP $remote_addr;\n          grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n          grpc_set_header X-Forwarded-Proto $scheme;\n\n          grpc_set_header X-Client-DN $ssl_client_s_dn;\n          grpc_set_header X-Client-Cert $ssl_client_escaped_cert;\n        '';\n      };\n    };\n  };\n\n  sops.secrets = {\n    \"queue-runner-server.key\" = {\n      sopsFile = ../../secrets/queue-runner-server.key.staging-hydra;\n      format = \"binary\";\n      owner = config.systemd.services.nginx.serviceConfig.User;\n    };\n    hydra-users = {\n      sopsFile = ../../secrets/hydra-users.staging-hydra;\n      format = \"binary\";\n    };\n  };\n\n  systemd = {\n    tmpfiles.rules = [\n      \"d /var/cache/hydra 0755 hydra hydra -  -\"\n      \"d ${narCache}      0775 hydra hydra 1d -\"\n    ];\n\n    # eats memory as if it was free\n    services = {\n      hydra-notify.enable = false;\n      hydra-queue-runner = {\n        enable = false;\n\n        # restarting the scheduler is very expensive\n        restartIfChanged = false;\n        serviceConfig = {\n          ManagedOOMPreference = \"avoid\";\n          LimitNOFILE = 65535;\n        };\n      
};\n\n      hydra-prune-build-logs = {\n        description = \"Clean up old build logs\";\n        startAt = \"weekly\";\n        serviceConfig = {\n          User = \"hydra-queue-runner\";\n          Group = \"hydra\";\n          ExecStart = lib.concatStringsSep \" \" [\n            (lib.getExe pkgs.findutils)\n            \"/var/lib/hydra/build-logs/\"\n            \"-ignore_readdir_race\"\n            \"-type\"\n            \"f\"\n            \"-mtime\"\n            \"+${toString (3 * 365)}\" # days\n            \"-delete\"\n          ];\n        };\n      };\n      hydra-post-init = {\n        serviceConfig = {\n          Type = \"oneshot\";\n          TimeoutStartSec = \"60\";\n        };\n        wantedBy = [ config.systemd.targets.multi-user.name ];\n        after = [ config.systemd.services.hydra-server.name ];\n        requires = [ config.systemd.services.hydra-server.name ];\n        environment = {\n          inherit (config.systemd.services.hydra-init.environment) HYDRA_DBI;\n        };\n        path = [\n          config.services.hydra.package\n          pkgs.netcat\n        ];\n        script = ''\n          set -e\n          while IFS=';' read -r user role passwordhash email fullname; do\n            opts=(\"$user\" \"--role\" \"$role\" \"--password-hash\" \"$passwordhash\")\n            if [[ -n \"$email\" ]]; then\n              opts+=(\"--email-address\" \"$email\")\n            fi\n            if [[ -n \"$fullname\" ]]; then\n              opts+=(\"--full-name\" \"$fullname\")\n            fi\n            hydra-create-user \"''${opts[@]}\"\n          done < ${config.sops.secrets.hydra-users.path}\n        '';\n      };\n    };\n  };\n\n  programs.ssh = {\n    hostKeyAlgorithms = [\n      \"rsa-sha2-512-cert-v01@openssh.com\"\n      \"ssh-ed25519\"\n      \"ssh-rsa\"\n      \"ecdsa-sha2-nistp256\"\n    ];\n\n    extraConfig = lib.mkAfter ''\n      ServerAliveInterval 120\n      TCPKeepAlive yes\n    '';\n  };\n}\n"
  },
  {
    "path": "non-critical-infra/hosts/staging-hydra/server.crt",
    "content": "-----BEGIN CERTIFICATE-----\nMIIB/jCCAbCgAwIBAgIUfUYjDOaJML1lIMkAMvLjnSTscYswBQYDK2VwMEMxCzAJ\nBgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt\ncXVldWUtcnVubmVyLWNhMCAXDTI1MDczMTEyMDQxN1oYDzIwNzUwNzE5MTIwNDE3\nWjBSMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExLTArBgNVBAMM\nJHF1ZXVlLXJ1bm5lci5zdGFnaW5nLWh5ZHJhLm5peG9zLm9yZzAqMAUGAytlcAMh\nANVnDi5rY0Ar4hPbqRJqS+Nw7b5GTg0QxL2DM7l1xTqHo4GkMIGhMAkGA1UdEwQC\nMAAwCwYDVR0PBAQDAgPoMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMBMC8GA1UdEQQo\nMCaCJHF1ZXVlLXJ1bm5lci5zdGFnaW5nLWh5ZHJhLm5peG9zLm9yZzAdBgNVHQ4E\nFgQU4ArR8rzVAt6dFkSXiMUlYYAzbwUwHwYDVR0jBBgwFoAU0wQG6BxTKtYwlywu\nyD0aVr/1r4gwBQYDK2VwA0EAScS72oaQ8PcYpH26FuRGnKaWe4e7fQ5RmKBUyC+5\nCiYIWu4D7fNGYJ15szCfh4nJIuyB0eXBv1ddAGAQMVdhDw==\n-----END CERTIFICATE-----\n"
  },
  {
    "path": "non-critical-infra/hosts/umbriel/README.md",
    "content": "# `umbriel`\n"
  },
  {
    "path": "non-critical-infra/hosts/umbriel/default.nix",
    "content": "{\n  config,\n  inputs,\n  lib,\n  ...\n}:\n\n{\n  imports = [\n    ./hardware.nix\n    inputs.srvos.nixosModules.server\n    inputs.srvos.nixosModules.hardware-hetzner-cloud-arm\n    ../../modules/common.nix\n    ../../modules/backup.nix\n    ../../modules/mailserver\n  ];\n\n  # Bootloader.\n  boot.loader.systemd-boot.enable = true;\n  boot.loader.timeout = lib.mkForce 5;\n  boot.loader.efi.efiSysMountPoint = \"/efi\";\n\n  # workaround because the console defaults to serial\n  boot.kernelParams = [ \"console=tty\" ];\n\n  services.cloud-init.enable = false;\n\n  networking = {\n    hostName = \"umbriel\";\n    domain = \"nixos.org\";\n    hostId = \"36d29388\";\n  };\n\n  disko.devices = import ./disko.nix;\n\n  systemd.network.networks.\"10-uplink\" = {\n    matchConfig.MACAddress = \"96:00:02:b5:f8:99\";\n    address = [\n      \"37.27.20.162/32\"\n      \"2a01:4f9:c011:8fb5::1/64\"\n    ];\n    routes = [\n      { Gateway = \"fe80::1\"; }\n      {\n        Gateway = \"172.31.1.1\";\n        GatewayOnLink = true;\n      }\n    ];\n    linkConfig.RequiredForOnline = \"routable\";\n  };\n\n  # How to generate:\n  #\n  #   $ cd non-critical-infra\n  #   $ SECRET_PATH=secrets/storagebox-ssh-key.umbriel\n  #   $ ssh-keygen -t ed25519 -f \"$SECRET_PATH\" -P \"\" -C root@umbriel\n  #   $ sops encrypt --in-place \"$SECRET_PATH\"\n  #   $ rm \"$SECRET_PATH\".pub\n  #\n  # Next, deploy this secret, ssh to the machine and install the secret on the storagebox:\n  #\n  #   $ ssh-keygen -f /var/keys/storagebox-ssh-key -y | ssh -o \"UserKnownHostsFile=/dev/null\" -p23 u391032-sub4@u391032-sub4.your-storagebox.de install-ssh-key\n  sops.secrets.storagebox-ssh-key = {\n    sopsFile = ../../secrets/storagebox-ssh-key.umbriel;\n    format = \"binary\";\n    path = \"/var/keys/storagebox-ssh-key\";\n    mode = \"0600\";\n    owner = \"root\";\n    group = \"root\";\n  };\n\n  # How to generate:\n  #\n  #   $ cd non-critical-infra\n  #   $ 
SECRET_PATH=secrets/backup-secret.umbriel\n  #   $ pwgen -s 64 1 > \"$SECRET_PATH\"\n  #   $ sops encrypt --in-place \"$SECRET_PATH\"\n  sops.secrets.backup-secret = {\n    sopsFile = ../../secrets/backup-secret.umbriel;\n    format = \"binary\";\n    path = \"/var/keys/borg-secret\";\n    mode = \"0600\";\n    owner = \"root\";\n    group = \"root\";\n  };\n\n  services.backup = {\n    user = \"u391032-sub4\";\n    host = \"u391032-sub4.your-storagebox.de\";\n    hostPublicKey = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs\";\n    port = 23;\n    sshKey = config.sops.secrets.storagebox-ssh-key.path;\n    secretPath = config.sops.secrets.backup-secret.path;\n  };\n\n  system.stateVersion = \"23.05\";\n}\n"
  },
  {
    "path": "non-critical-infra/hosts/umbriel/disko.nix",
    "content": "{\n  disk = {\n    main = {\n      device = \"/dev/sda\";\n      type = \"disk\";\n      content = {\n        type = \"gpt\";\n        partitions = {\n          esp = {\n            type = \"EF00\";\n            size = \"1024M\";\n            content = {\n              type = \"filesystem\";\n              format = \"vfat\";\n              mountpoint = \"/efi\";\n            };\n          };\n          root = {\n            size = \"100%\";\n            content = {\n              type = \"zfs\";\n              pool = \"zroot\";\n            };\n          };\n        };\n      };\n    };\n  };\n\n  zpool.zroot = {\n    type = \"zpool\";\n    options = {\n      # smartctl --all /dev/sda\n      # Logical block size:   512 bytes\n      ashift = \"9\";\n    };\n    rootFsOptions = {\n      acltype = \"posixacl\";\n      compression = \"zstd\";\n      mountpoint = \"none\";\n      xattr = \"sa\";\n    };\n    datasets = {\n      \"root\" = {\n        type = \"zfs_fs\";\n        mountpoint = \"/\";\n      };\n      \"nix\" = {\n        type = \"zfs_fs\";\n        mountpoint = \"/nix\";\n      };\n      \"reserved\" = {\n        type = \"zfs_fs\";\n        options = {\n          canmount = \"off\";\n          refreservation = \"1G\";\n        };\n      };\n    };\n  };\n}\n"
  },
  {
    "path": "non-critical-infra/hosts/umbriel/hardware.nix",
    "content": "{ lib, ... }:\n\n{\n\n  boot.initrd.availableKernelModules = [\n    \"xhci_pci\"\n    \"virtio_pci\"\n    \"usbhid\"\n    \"sr_mod\"\n  ];\n  boot.initrd.kernelModules = [ \"virtio_gpu\" ];\n  boot.kernelModules = [ ];\n  boot.extraModulePackages = [ ];\n\n  swapDevices = [ ];\n\n  nixpkgs.hostPlatform = lib.mkDefault \"aarch64-linux\";\n}\n"
  },
  {
    "path": "non-critical-infra/modules/backup.nix",
    "content": "{\n  lib,\n  config,\n  pkgs,\n  ...\n}:\n\nlet\n  cfg = config.services.backup;\n\n  mkZfsPreHook = mountpoint: ''\n    DATASET=\"$(findmnt -nr -o source \"${mountpoint}\")\"\n    zfs snapshot -r \"$DATASET@borg\"\n\n    # https://github.com/borgbackup/borg/issues/6652\n    ls ${mountpoint}/.zfs/snapshot/borg/ > /dev/null\n  '';\n\n  mkZfsPostHook = mountpoint: ''\n    DATASET=\"$(findmnt -nr -o source \"${mountpoint}\")\"\n    zfs destroy -r \"$DATASET@borg\"\n  '';\nin\n{\n  options.services.backup =\n    with lib;\n    with types;\n    {\n      user = mkOption {\n        type = str;\n        description = ''\n          Username for the SSH remote host.\n        '';\n      };\n\n      host = mkOption {\n        type = str;\n        description = ''\n          Hostname of the SSH remote host.\n        '';\n      };\n\n      hostPublicKey = mkOption {\n        type = str;\n        example = \"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==\";\n        description = ''\n          Public SSH host key of the remote host. Discoverable using e.g. 
`ssh-keyscan`.\n        '';\n      };\n\n      port = mkOption {\n        type = port;\n        default = 22;\n        description = ''\n          Port of the SSH remote host.\n        '';\n        apply = toString;\n      };\n\n      sshKey = mkOption {\n        type = path;\n        example = \"/var/keys/ssh-key\";\n        description = ''\n          Path to the SSH key required to access the remote host.\n        '';\n      };\n\n      secretPath = mkOption {\n        type = path;\n        example = \"/var/keys/borg-secret\";\n        description = ''\n          Path to the secret used to encrypt backups in the repository.\n        '';\n      };\n\n      quota = mkOption {\n        type = nullOr str;\n        default = null;\n        example = \"90G\";\n        description = ''\n          Quota for the borg repository. Useful to prevent the target disk from running full and ensuring borg keeps some space to work with.\n        '';\n      };\n\n      includes = mkOption {\n        type = listOf path;\n        default = [ ];\n        description = ''\n          Paths to include in the backup.\n        '';\n      };\n      includesZfsDatasets = mkOption {\n        type = listOf str;\n        default = [ ];\n        description = ''\n          ZFS datasets referenced by mountpoint to snapshot and include\n        '';\n      };\n\n      excludes = mkOption {\n        type = listOf path;\n        default = [ ];\n        description = ''\n          Paths to exclude in the backup.\n        '';\n      };\n\n      preHook = mkOption {\n        type = lines;\n        default = \"\";\n        description = ''\n          Shell commands to run before the backup.\n        '';\n      };\n\n      postHook = mkOption {\n        type = lines;\n        default = \"\";\n        description = ''\n          Shell commands to run after the backup.\n        '';\n      };\n\n      wantedUnits = mkOption {\n        type = listOf str;\n        default = [ ];\n        description = ''\n    
      List of units to require before starting the backup.\n        '';\n      };\n    };\n\n  config = lib.mkIf (cfg.includes != [ ] || cfg.includesZfsDatasets != [ ]) {\n    programs.ssh.knownHosts.\"${if cfg.port != 22 then \"[${cfg.host}]:${cfg.port}\" else cfg.host}\" = {\n      publicKey = \"${cfg.hostPublicKey}\";\n    };\n\n    systemd.services.borgbackup-job-state = {\n      wants = cfg.wantedUnits;\n      after = cfg.wantedUnits;\n\n      path = lib.optionals (cfg.includesZfsDatasets != [ ]) [\n        config.boot.zfs.package\n        pkgs.util-linux\n      ];\n    };\n\n    systemd.timers.borgbackup-job-state.timerConfig = {\n      # Spread all backups over the day\n      RandomizedDelaySec = \"24h\";\n      FixedRandomDelay = true;\n    };\n\n    services.borgbackup.jobs.state = {\n      preHook = lib.concatMapStringsSep \"\\n\" mkZfsPreHook cfg.includesZfsDatasets;\n      postHook = lib.concatMapStringsSep \"\\n\" mkZfsPostHook cfg.includesZfsDatasets;\n\n      # Create the repo\n      doInit = true;\n\n      # Create daily backups, but prune to a reasonable amount\n      startAt = \"daily\";\n      prune.keep = {\n        daily = 7;\n        weekly = 4;\n        monthly = 3;\n      };\n\n      # What to backup\n      paths = cfg.includes ++ (map (mp: \"${mp}/.zfs/snapshot/borg\") cfg.includesZfsDatasets);\n      exclude = cfg.excludes;\n\n      # Where to backup it to\n      repo = \"${cfg.user}@${cfg.host}:${config.networking.fqdn}\";\n      environment.BORG_RSH = \"ssh -p ${cfg.port} -i ${cfg.sshKey}\";\n\n      # Ensure we don't fill up the destination disk\n      extraInitArgs = lib.optionalString (cfg.quota != null) \"--storage-quota ${cfg.quota}\";\n\n      # Authenticated & encrypted, key resides in the repository\n      encryption = {\n        mode = \"repokey-blake2\";\n        passCommand = \"cat ${cfg.secretPath}\";\n      };\n\n      # Reduce the backup size\n      compression = \"auto,zstd\";\n\n      # Show summary detailing data usage 
once completed\n      extraCreateArgs = \"--stats\";\n    };\n  };\n}\n"
  },
  {
    "path": "non-critical-infra/modules/common.nix",
    "content": "{ pkgs, ... }:\n\n{\n  imports = [\n    ../../modules/nftables.nix\n    ../../modules/prometheus\n  ];\n\n  boot.initrd.systemd.enable = true;\n\n  time.timeZone = \"UTC\";\n\n  systemd.services.openssh.enable = true;\n  users.users.root.openssh.authorizedKeys.keys = (import ../../ssh-keys.nix).infra;\n\n  environment.systemPackages = with pkgs; [ neovim ];\n\n  security.acme.acceptTerms = true;\n  security.acme.defaults.email = \"infra@nixos.org\";\n}\n"
  },
  {
    "path": "non-critical-infra/modules/draupnir.nix",
    "content": "{\n  config,\n  ...\n}:\n{\n  sops.secrets.mjolnir-access-token = {\n    sopsFile = ../secrets/mjolnir-access-token.caliban;\n    format = \"binary\";\n    restartUnits = [ \"draupnir.service\" ];\n  };\n\n  services.draupnir = {\n    enable = true;\n    secrets = {\n      accessToken = config.sops.secrets.mjolnir-access-token.path;\n    };\n    settings = {\n      # https://github.com/the-draupnir-project/Draupnir/blob/main/config/default.yaml\n      homeserverUrl = \"https://matrix.nixos.org\";\n      managementRoom = \"#draupnir:nixos.org\";\n      backgroundDelayMS = \"10\"; # snappy reactions, we don't mind the performance hit\n      protectAllJoinedRooms = true;\n      automaticallyRedactForReasons = [\n        \"spam\"\n      ];\n      web = {\n        enabled = true;\n        address = \"127.0.0.1\";\n        port = 8082;\n        abuseReporting.enabled = true;\n      };\n      displayReports = true;\n    };\n  };\n\n  services.nginx.virtualHosts.\"matrix.nixos.org\" = {\n    # https://github.com/the-draupnir-project/Draupnir/blob/main/test/nginx.conf\n    locations = {\n      \"~ ^/_matrix/client/(r0|v3)/rooms/([^/\\\\s]+)/report/(.*)$\" = {\n        extraConfig = ''\n          mirror /report_mirror;\n\n          # Abuse reports should be sent to Draupnir.\n          # The r0 endpoint is deprecated but still used by many clients.\n          # As of this writing, the v3 endpoint is the up-to-date version.\n\n          # Alias the regexps, to ensure that they're not rewritten.\n          set $room_id $2;\n          set $event_id $3;\n        '';\n        proxyPass =\n          with config.services.draupnir.settings.web;\n          \"http://${address}:${toString port}/api/1/report/$room_id/$event_id\";\n      };\n      \"/report_mirror\" = {\n        proxyPass = \"http://matrix-synapse$request_uri\";\n        extraConfig = ''\n          internal;\n        '';\n      };\n    };\n  };\n}\n"
  },
  {
    "path": "non-critical-infra/modules/element-web.nix",
    "content": "{ pkgs, ... }:\nlet\n  domainName = \"chat.nixos.org\";\n\n  # https://github.com/element-hq/element-web/blob/develop/config.sample.json\n  elementWebConfig = {\n    default_server_config = {\n      \"m.homeserver\" = {\n        base_url = \"https://matrix.nixos.org\";\n        server_name = \"nixos.org\";\n      };\n      \"m.identity_server\" = {\n        base_url = \"https://vector.im\";\n      };\n    };\n    disable_custom_urls = false;\n    disable_guests = false;\n    disable_login_language_selector = false;\n    disable_3pid_login = false;\n    brand = \"Element\";\n    integrations_ui_url = \"https://scalar.vector.im/\";\n    integrations_rest_url = \"https://scalar.vector.im/api\";\n    integrations_widgets_urls = [\n      \"https://scalar.vector.im/_matrix/integrations/v1\"\n      \"https://scalar.vector.im/api\"\n      \"https://scalar-staging.vector.im/_matrix/integrations/v1\"\n      \"https://scalar-staging.vector.im/api\"\n      \"https://scalar-staging.riot.im/scalar/api\"\n    ];\n    integrations_jitsi_widget_url = \"https://scalar.vector.im/api/widgets/jitsi.html\";\n    bug_report_endpoint_url = \"https://riot.im/bugreports/submit\";\n    default_country_code = \"GB\";\n    show_labs_settings = true;\n    features = { };\n    default_federate = true;\n    default_theme = \"light\";\n    roomDirectory = {\n      servers = [ ];\n    };\n    settingDefaults = {\n      breadcrumbs = true;\n    };\n    jitsi = {\n      preferred_domain = \"meet.element.io\";\n    };\n    element_call = {\n      url = \"https://call.element.io\";\n      participant_limit = 8;\n      brand = \"Element Call\";\n    };\n    map_style_url = \"https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx\";\n  };\nin\n{\n  security.acme.certs.\"${domainName}\".reloadServices = [ \"nginx.service\" ];\n\n  services.nginx.virtualHosts.\"${domainName}\" = {\n    enableACME = true;\n    forceSSL = true;\n\n    root = pkgs.element-web.override (_old: 
{\n      conf = elementWebConfig;\n    });\n  };\n}\n"
  },
  {
    "path": "non-critical-infra/modules/limesurvey.nix",
    "content": "{\n  config,\n  ...\n}:\n{\n  services.limesurvey = {\n    enable = true;\n    encryptionKeyFile = config.sops.secrets.limesurvey-encryption-key.path;\n    encryptionNonceFile = config.sops.secrets.limesurvey-encryption-nonce.path;\n    webserver = \"nginx\";\n    nginx.virtualHost = {\n      serverName = \"survey.nixos.org\";\n      enableACME = true;\n      forceSSL = true;\n    };\n  };\n\n  sops.secrets.limesurvey-encryption-key = {\n    format = \"binary\";\n    sopsFile = ../secrets/limesurvey-encryption-key.caliban;\n  };\n\n  sops.secrets.limesurvey-encryption-nonce = {\n    format = \"binary\";\n    sopsFile = ../secrets/limesurvey-encryption-nonce.caliban;\n  };\n\n}\n"
  },
  {
    "path": "non-critical-infra/modules/mailserver/README.md",
    "content": "# NixOS mailserver\n\nThis module provides mail services for `nixos.org`.\n\n## Mailing lists\n\nTo create a new mailing list, or change membership of a mailing list, see the\ninstructions at the top of [`mailing-lists.nix`](./mailing-lists.nix).\n\nSome mailing lists allow login and sending email via `SMTP`. Search for\n`loginAccount` to find examples of this.\n"
  },
  {
    "path": "non-critical-infra/modules/mailserver/default.nix",
    "content": "{\n  inputs,\n  config,\n  pkgs,\n  ...\n}:\n\n{\n  imports = [\n    inputs.simple-nixos-mailserver.nixosModule\n    ./mailing-lists.nix\n    ./freescout.nix\n  ];\n\n  # enabled through systemd.network.enable\n  services.resolved.enable = false;\n\n  mailserver = {\n    enable = true;\n    enableImap = false;\n    stateVersion = 3;\n    certificateScheme = \"acme-nginx\";\n\n    fqdn = config.networking.fqdn;\n\n    domains = [\n      \"nixcon.org\"\n      \"nixos.org\"\n    ];\n\n    srs.enable = true;\n  };\n\n  # https://nixos-mailserver.readthedocs.io/en/latest/backup-guide.html\n  services.backup.includes = [ config.mailserver.mailDirectory ];\n\n  sops.secrets.\"nixos.org.mail.key\" = {\n    format = \"binary\";\n    owner = \"rspamd\";\n    group = \"rspamd\";\n    mode = \"0600\";\n\n    # How to generate:\n    #\n    # ```console\n    # cd non-critical-infra\n    # DOMAIN=nixos.org\n    # SELECTOR=mail\n    # PRIVATE_KEY_PATH=secrets/$DOMAIN.$SELECTOR.key.umbriel\n    # nix shell nixpkgs#opendkim --command opendkim-genkey --selector=\"$SELECTOR\" --domain=\"$DOMAIN\" --bits=1024\n    # mv mail.private \"$PRIVATE_KEY_PATH\"\n    # sops encrypt --in-place \"$PRIVATE_KEY_PATH\"\n    # ```\n    #\n    # Next, look at `mail.txt` and update DNS accordingly.\n    #\n    # NOTE(review): 1024-bit RSA is the minimum RFC 8301 permits for DKIM signing;\n    # it recommends at least 2048 bits, so prefer `--bits=2048` at the next rotation.\n    sopsFile = ../../secrets/nixos.org.mail.key.umbriel;\n\n    # Ensure the file gets symlinked to where Simple NixOS Mailserver expects\n    # to find it.\n    path = \"${config.mailserver.dkimKeyDirectory}/nixos.org.mail.key\";\n  };\n\n  sops.secrets.\"nixcon.org.mail.key\" = {\n    format = \"binary\";\n    owner = \"rspamd\";\n    group = \"rspamd\";\n    mode = \"0600\";\n    sopsFile = ../../secrets/nixcon.org.mail.key.umbriel;\n    path = \"${config.mailserver.dkimKeyDirectory}/nixcon.org.mail.key\";\n  };\n\n  services.postfix.settings.main.bounce_template_file = \"${pkgs.writeText \"bounce-template.cf\" ''\n    failure_template = <<EOF\n    Charset: us-ascii\n    From: 
MAILER-DAEMON (Mail Delivery System)\n    Subject: Undelivered Mail Returned to Sender\n    Postmaster-Subject: Postmaster Copy: Undelivered Mail\n\n    This is the mail system at host $myhostname.\n\n    I'm sorry to have to inform you that your message could not\n    be delivered to one or more recipients. It's attached below.\n\n    For further assistance, please file an issue at\n    https://github.com/NixOS/infra/issues/new. Please anonymize any personal\n    email addresses in your report.\n\n    If you do so, please include this problem report. You can\n    delete your own text from the attached returned message.\n\n                  The mail system\n    EOF\n\n    delay_template = <<EOF\n    Charset: us-ascii\n    From: MAILER-DAEMON (Mail Delivery System)\n    Subject: Delayed Mail (still being retried)\n    Postmaster-Subject: Postmaster Warning: Delayed Mail\n\n    This is the mail system at host $myhostname.\n\n    ####################################################################\n    # THIS IS A WARNING ONLY.  YOU DO NOT NEED TO RESEND YOUR MESSAGE. #\n    ####################################################################\n\n    Your message could not be delivered for more than $delay_warning_time_hours hour(s).\n    It will be retried until it is $maximal_queue_lifetime_days day(s) old.\n\n    For further assistance, please file an issue at\n    https://github.com/NixOS/infra/issues/new. Please anonymize any personal\n    email addresses in your report.\n\n    If you do so, please include this problem report. 
You can\n    delete your own text from the attached returned message.\n\n                       The mail system\n    EOF\n  ''}\";\n\n  services.postsrsd.secretsFile = config.sops.secrets.postsrsd-secret.path;\n\n  # How to generate:\n  #\n  # ```console\n  # cd non-critical-infra\n  # SECRET_PATH=secrets/postsrsd-secret.umbriel\n  # dd if=/dev/random bs=18 count=1 status=none | base64 > \"$SECRET_PATH\"\n  # sops encrypt --in-place \"$SECRET_PATH\"\n  # ```\n  sops.secrets.postsrsd-secret = {\n    format = \"binary\";\n    owner = config.services.postsrsd.user;\n    group = config.services.postsrsd.group;\n    sopsFile = ../../secrets/postsrsd-secret.umbriel;\n    restartUnits = [ \"postsrsd.service\" ];\n  };\n}\n"
  },
  {
    "path": "non-critical-infra/modules/mailserver/freescout.nix",
    "content": "{\n  inputs,\n  config,\n  pkgs,\n  ...\n}:\n\n{\n  imports = [\n    inputs.freescout.nixosModules.freescout\n    ../nginx.nix\n  ];\n\n  services.freescout = {\n    enable = true;\n    package = inputs.freescout.packages.${pkgs.stdenv.hostPlatform.system}.default.overrideAttrs rec {\n      version = \"1.8.218\";\n      src = pkgs.fetchFromGitHub {\n        owner = \"freescout-helpdesk\";\n        repo = \"freescout\";\n        tag = version;\n        hash = \"sha256-oLbsrlvsBkZ8oa2EuByJafItuG1n2MXPrt/noAXTt94=\";\n      };\n    };\n    domain = \"freescout.nixos.org\";\n\n    settings.APP_KEY._secret = config.sops.secrets.freescout-app-key.path;\n\n    databaseSetup = {\n      enable = true;\n      kind = \"pgsql\";\n    };\n\n    nginx = {\n      forceSSL = true;\n      enableACME = true;\n    };\n  };\n\n  services.postgresqlBackup = {\n    enable = true;\n    databases = [ \"freescout\" ];\n  };\n\n  services.backup.includes = [\n    \"/var/lib/freescout\"\n    config.services.postgresqlBackup.location\n  ];\n\n  # How to generate:\n  #\n  #   $ cd non-critical-infra\n  #   $ SECRET_PATH=secrets/freescout-app-key.umbriel\n  #   $ echo \"base64:$(nix run nixpkgs#openssl -- rand -base64 32)\" > \"$SECRET_PATH\"\n  #   $ sops encrypt --in-place \"$SECRET_PATH\"\n  sops.secrets.freescout-app-key = {\n    format = \"binary\";\n    owner = config.services.postsrsd.user;\n    group = config.services.postsrsd.group;\n    sopsFile = ../../secrets/freescout-app-key.umbriel;\n    restartUnits = [ \"postsrsd.service\" ];\n  };\n}\n"
  },
  {
    "path": "non-critical-infra/modules/mailserver/mailing-lists-options.nix",
    "content": "# This module makes it easy to define mailing lists in `simple-nixos-mailserver`\n# with a couple of features:\n#\n#  1. We can (optionally) encrypt the forward addresses for increased privacy.\n#  2. We can set up a login account for mailing addresses to allow sending\n#     email via `SMTP` from those addresses.\n\n{ config, lib, ... }:\n\nlet\n  inherit (lib) types;\n\n  fileToSecretId = file: builtins.baseNameOf file;\n\n  listsWithSecretPlaceholders = lib.mapAttrs' (name: mailingList: {\n    name = name;\n    value =\n      (lib.optional (mailingList.loginAccount != null && mailingList.loginAccount.storeEmail) name)\n      ++ map (\n        member:\n        if builtins.isString member then member else config.sops.placeholder.${fileToSecretId member}\n      ) mailingList.forwardTo;\n  }) config.mailing-lists;\n\n  secretAddressFiles = lib.pipe config.mailing-lists [\n    (lib.mapAttrsToList (_name: mailingList: mailingList.forwardTo))\n    lib.flatten\n    (builtins.filter (member: !builtins.isString member))\n  ];\n\n  secretPasswordFiles = lib.pipe config.mailing-lists [\n    (lib.filterAttrs (_name: mailingList: mailingList.loginAccount != null))\n    (lib.mapAttrsToList (_name: mailingList: mailingList.loginAccount.encryptedHashedPassword))\n  ];\nin\n\n{\n  options = {\n    mailing-lists = lib.mkOption {\n      type = types.attrsOf (\n        types.submodule {\n          options = {\n            forwardTo = lib.mkOption {\n              type = types.listOf (types.either types.str types.path);\n              default = [ ];\n              description = ''\n                Either a plaintext email address, or a path to an email address\n                encrypted with `nix run .#encrypt-email address`\n              '';\n            };\n            loginAccount = lib.mkOption {\n              type = types.nullOr (\n                types.submodule {\n                  options = {\n                    encryptedHashedPassword = lib.mkOption {\n    
                  type = types.path;\n                      description = ''\n                        If specified, this enables sending emails from this address via SMTP.\n                        Must be a path to encrypted file generated with `nix run .#encrypt-email login`\n                      '';\n                    };\n                    storeEmail = lib.mkOption {\n                      type = types.bool;\n                      description = ''\n                        Whether to store emails sent to this mailing list in a\n                        mailbox accessible via IMAP.\n                      '';\n                    };\n                  };\n                }\n              );\n              default = null;\n            };\n          };\n        }\n      );\n      description = ''\n        Mailing lists. Supports both forward-only mailing lists, as well as mailing\n        lists that allow sending via SMTP.\n      '';\n    };\n  };\n\n  config = {\n    assertions = lib.mapAttrsToList (name: mailingList: {\n      assertion = mailingList.forwardTo != [ ] || mailingList.loginAccount != null;\n      message = \"Mailing list '${name}' must have either forwardTo addresses or a loginAccount configured\";\n    }) config.mailing-lists;\n\n    mailserver.loginAccounts = lib.pipe config.mailing-lists [\n      (lib.filterAttrs (_name: mailingList: mailingList.loginAccount != null))\n      (lib.mapAttrs (\n        _name: mailingList: {\n          hashedPasswordFile =\n            config.sops.secrets.${fileToSecretId mailingList.loginAccount.encryptedHashedPassword}.path;\n        }\n      ))\n    ];\n\n    # Declare secrets for every secret file.\n    sops.secrets = builtins.listToAttrs (\n      (map (file: {\n        name = fileToSecretId file;\n        value = {\n          format = \"binary\";\n          sopsFile = file;\n        };\n      }) secretAddressFiles)\n      ++ (map (file: {\n        name = fileToSecretId file;\n        value = {\n          format 
= \"binary\";\n          sopsFile = file;\n          # Need to restart `dovecot2.service` to trigger `genPasswdScript` in\n          # `nixos-mailserver`:\n          # https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/blob/af7d3bf5daeba3fc28089b015c0dd43f06b176f2/mail-server/dovecot.nix#L369\n          # This could go away if sops-nix gets support for \"input addressed secret\n          # paths\": https://github.com/Mic92/sops-nix/issues/648\n          restartUnits = [ \"dovecot2.service\" ];\n        };\n      }) secretPasswordFiles)\n    );\n\n    sops.templates.\"postfix-virtual-mailing-lists\" = {\n      content = lib.concatStringsSep \"\\n\" (\n        lib.mapAttrsToList (\n          name: members: \"${name} ${lib.concatStringsSep \", \" members}\"\n        ) listsWithSecretPlaceholders\n      );\n\n      # Need to restart postfix-setup to rerun `postmap` and generate updated `.db`\n      # files whenever mailing list membership changes.\n      # This could go away if sops-nix gets support for \"input addressed secret\n      # paths\": https://github.com/Mic92/sops-nix/issues/648\n      restartUnits = [ \"postfix-setup.service\" ];\n    };\n\n    services.postfix.mapFiles.virtual-mailing-lists =\n      config.sops.templates.\"postfix-virtual-mailing-lists\".path;\n\n    services.postfix.settings.main.virtual_alias_maps = [ \"hash:/etc/postfix/virtual-mailing-lists\" ];\n  };\n}\n"
  },
  {
    "path": "non-critical-infra/modules/mailserver/mailing-lists.nix",
    "content": "{\n  imports = [ ./mailing-lists-options.nix ];\n\n  # If you wish to hide your email address, you can encrypt it with SOPS. Just\n  # run `nix run .#encrypt-email address -- --help` and follow the instructions.\n  #\n  # If you wish to set up a login account for sending/storing email, you must generate\n  # an encrypted password. Run `nix run .#encrypt-email login -- --help` and\n  # follow the instructions.\n  mailing-lists = {\n    # nixcon.org\n    \"orgateam@nixcon.org\" = {\n      forwardTo = [\n        \"nixcon@nixos.org\"\n      ];\n    };\n\n    # nixos.org\n    \"abuse@nixos.org\" = {\n      forwardTo = [\n        \"infra@nixos.org\"\n      ];\n    };\n\n    \"finance@nixos.org\" = {\n      loginAccount = {\n        encryptedHashedPassword = ../../secrets/finance-email-login.umbriel;\n        storeEmail = true;\n      };\n    };\n\n    \"hardware@nixos.org\" = {\n      forwardTo = [\n        \"joerg.hardware@thalheim.io\"\n        ../../secrets/0x4A6F-hardware-email-address.umbriel # https://github.com/0x4A6F\n        ../../secrets/ra33it0-email-address.umbriel # https://github.com/Ra33it0\n        ../../secrets/rosscomputerguy-email-address.umbriel # https://github.com/rosscomputerguy\n      ];\n      loginAccount = {\n        encryptedHashedPassword = ../../secrets/hardware-email-login.umbriel;\n        storeEmail = true;\n      };\n    };\n\n    \"foundation@nixos.org\" = {\n      loginAccount = {\n        encryptedHashedPassword = ../../secrets/foundation-email-login.umbriel;\n        storeEmail = true;\n      };\n    };\n\n    \"fundraising@nixos.org\" = {\n      forwardTo = [\n        \"foundation@nixos.org\"\n      ];\n    };\n\n    \"hexa@nixos.org\" = {\n      forwardTo = [\n        ../../secrets/mweinelt-email-address.umbriel # https://github.com/mweinelt\n      ];\n      loginAccount = {\n        encryptedHashedPassword = ../../secrets/hexa-email-login.umbriel;\n        storeEmail = false;\n      };\n    };\n\n    
\"hostmaster@nixos.org\" = {\n      forwardTo = [\n        \"infra@nixos.org\"\n      ];\n    };\n\n    \"infra@nixos.org\" = {\n      forwardTo = [\n        ../../secrets/mweinelt-email-address.umbriel # https://github.com/mweinelt\n        ../../secrets/zimbatm-email-address.umbriel # https://github.com/zimbatm\n        ../../secrets/vcunat-email-address.umbriel # https://github.com/vcunat\n        ../../secrets/edef1c-email-address.umbriel # https://github.com/edef1c\n        ../../secrets/Mic92-email-address.umbriel # https://github.com/Mic92\n      ];\n    };\n\n    \"marketing@nixos.org\" = {\n      forwardTo = [\n        ../../secrets/idabzo-email-address.umbriel # https://github.com/idabzo\n        ../../secrets/avocadoom-email-address.umbriel # https://discourse.nixos.org/u/avocadoom\n        ../../secrets/djacu-email-address.umbriel # https://discourse.nixos.org/u/djacu\n        ../../secrets/flyfloh-email-address.umbriel # https://discourse.nixos.org/u/flyfloh\n      ];\n    };\n\n    \"moderation@nixos.org\" = {\n      forwardTo = [\n        ../../secrets/lassulus-email-address.umbriel # https://github.com/lassulus\n        ../../secrets/uep-email-address.umbriel # https://discourse.nixos.org/u/uep\n        ../../secrets/0x4A6F-moderation-email-address.umbriel # https://github.com/0x4A6F\n        ../../secrets/aleksana-email-address.umbriel # https://github.com/aleksanaa\n      ];\n      loginAccount = {\n        encryptedHashedPassword = ../../secrets/moderation-email-login.umbriel;\n        storeEmail = true;\n      };\n    };\n\n    \"elections@nixos.org\" = {\n      loginAccount = {\n        encryptedHashedPassword = ../../secrets/elections-email-login.umbriel;\n        storeEmail = true;\n      };\n    };\n\n    \"ngi@nixos.org\" = {\n      loginAccount = {\n        encryptedHashedPassword = ../../secrets/ngi-nixos-org-email-login.umbriel;\n        storeEmail = true;\n      };\n    };\n\n    \"nixpkgs-core@nixos.org\" = {\n      loginAccount = {\n  
      encryptedHashedPassword = ../../secrets/nixpkgs-core-email-login.umbriel;\n        storeEmail = true;\n      };\n    };\n\n    \"nixcon@nixos.org\" = {\n      loginAccount = {\n        encryptedHashedPassword = ../../secrets/nixcon-email-login.umbriel;\n        storeEmail = true;\n      };\n    };\n\n    \"cfp@nixcon.org\" = {\n      forwardTo = [\n        \"nixcon@nixos.org\"\n      ];\n    };\n\n    \"partnerships@nixos.org\" = {\n      forwardTo = [\n        \"foundation@nixos.org\"\n      ];\n    };\n\n    \"postmaster@nixos.org\" = {\n      forwardTo = [\n        \"infra@nixos.org\"\n      ];\n    };\n\n    \"rob@nixos.org\" = {\n      forwardTo = [\n        ../../secrets/rbvermaa-email-address.umbriel # https://github.com/rbvermaa\n      ];\n    };\n\n    \"ron@nixos.org\" = {\n      forwardTo = [\n        ../../secrets/refroni-email-address.umbriel # https://github.com/refroni\n      ];\n    };\n\n    \"security@nixos.org\" = {\n      forwardTo = [\n        ../../secrets/mweinelt-email-address.umbriel # https://github.com/mweinelt\n        ../../secrets/risicle-email-address.umbriel # https://github.com/risicle\n        ../../secrets/LeSuisse-email-address.umbriel # https://github.com/LeSuisse\n      ];\n    };\n\n    \"noreply-securitytracker@nixos.org\" = {\n      loginAccount = {\n        encryptedHashedPassword = ../../secrets/securitytracker-noreply-email-login.umbriel;\n        storeEmail = false;\n      };\n    };\n\n    \"sponsor@nixos.org\" = {\n      forwardTo = [\n        \"steering@nixos.org\"\n        \"foundation@nixos.org\"\n      ];\n    };\n\n    \"steering@nixos.org\" = {\n      loginAccount = {\n        encryptedHashedPassword = ../../secrets/steering-email-login.umbriel;\n        storeEmail = true;\n      };\n    };\n\n    \"summer@nixos.org\" = {\n      forwardTo = [\n        ../../secrets/edolstra-summer-email-address.umbriel # https://github.com/edolstra\n        ../../secrets/MMesch-email-address.umbriel # 
https://github.com/MMesch\n        ../../secrets/bryanhonof-email-address.umbriel # https://github.com/bryanhonof\n        ../../secrets/tomberek-email-address.umbriel # https://github.com/tomberek\n        ../../secrets/gytis-ivaskevicius-email-address.umbriel # https://github.com/gytis-ivaskevicius\n        ../../secrets/ysndr-email-address.umbriel # https://github.com/ysndr\n        ../../secrets/DieracDelta-email-address.umbriel # https://github.com/DieracDelta\n      ];\n    };\n\n    \"sysadmin@nixos.org\" = {\n      forwardTo = [\n        ../../secrets/edolstra-admin-email-address.umbriel # https://github.com/edolstra\n        ../../secrets/zimbatm-admin-email-address.umbriel # https://github.com/zimbatm\n      ];\n    };\n\n    \"webmaster@nixos.org\" = {\n      forwardTo = [\n        \"infra@nixos.org\"\n      ];\n    };\n\n    \"wiki@nixos.org\" = {\n      forwardTo = [\n        ../../secrets/lassulus-wiki-email-address.umbriel # https://github.com/lassulus\n        ../../secrets/Mic92-wiki-email-address.umbriel # https://github.com/Mic92\n      ];\n    };\n\n    \"winter@nixos.org\" = {\n      forwardTo = [\n        ../../secrets/winterqt-email-address.umbriel # https://github.com/winterqt\n      ];\n    };\n\n    \"xsa@nixos.org\" = {\n      forwardTo = [\n        ../../secrets/lach-xsa-email-address.umbriel # https://github.com/CertainLach\n        ../../secrets/hehongbo-xsa-email-address.umbriel # https://github.com/hehongbo\n        ../../secrets/sigmasquadron-xsa-email-address.umbriel # https://github.com/SigmaSquadron\n      ];\n    };\n  };\n}\n"
  },
  {
    "path": "non-critical-infra/modules/matrix-synapse.nix",
    "content": "{ config, pkgs, ... }:\n\n{\n  imports = [\n    ./nginx.nix\n    ./postgresql.nix\n  ];\n\n  fileSystems.\"/var/lib/matrix-synapse\" = {\n    device = \"zroot/root/matrix-synapse\";\n    fsType = \"zfs\";\n    options = [ \"zfsutil\" ];\n  };\n\n  services.postgresql = {\n    ensureUsers = [\n      {\n        name = \"matrix-synapse\";\n        ensureDBOwnership = true;\n      }\n    ];\n    # Insufficient to create the database with the correct collation\n    # https://github.com/element-hq/synapse/blob/develop/docs/postgres.md#set-up-database\n    ensureDatabases = [ \"matrix-synapse\" ];\n  };\n\n  services.postgresqlBackup.databases = [ \"matrix-synapse\" ];\n\n  services.redis.servers.matrix-synapse = {\n    enable = true;\n  };\n\n  environment.systemPackages = with pkgs; [ synadm ];\n\n  services.backup.includesZfsDatasets = [ \"/var/lib/matrix-synapse\" ];\n\n  sops.secrets.matrix-synapse-signing-key = {\n    sopsFile = ../secrets/matrix-synapse-signing-key.caliban;\n    format = \"binary\";\n    path = \"/var/lib/matrix-synapse/nixos.org.signing.key\";\n    mode = \"0600\";\n    owner = \"matrix-synapse\";\n    group = \"matrix-synapse\";\n  };\n\n  sops.secrets.matrix-synapse-secrets = {\n    sopsFile = ../secrets/matrix-synapse-secrets.caliban;\n    format = \"binary\";\n    path = \"/var/keys/matrix-synapse-secrets.conf\";\n    mode = \"0600\";\n    owner = \"matrix-synapse\";\n    group = \"matrix-synapse\";\n  };\n\n  systemd.services.matrix-synapse.serviceConfig.SupplementaryGroups = [ \"redis-matrix-synapse\" ];\n\n  services.matrix-synapse = {\n    enable = true;\n    enableRegistrationScript = false; # not compatible with unix sockets\n    withJemalloc = true;\n\n    extraConfigFiles = [ config.sops.secrets.matrix-synapse-secrets.path ];\n\n    # https://github.com/element-hq/synapse/blob/master/docs/usage/configuration/config_documentation.md\n    settings = {\n      enable_metrics = true;\n\n      server_name = \"nixos.org\";\n   
   signing_key_path = config.sops.secrets.matrix-synapse-signing-key.path;\n      public_baseurl = \"https://matrix.nixos.org\";\n      admin_contact = \"infra@nixos.org\";\n      web_client_location = \"https://matrix.to/#/#community:nixos.org\";\n\n      allow_public_rooms_over_federation = true;\n      allow_public_rooms_without_auth = true;\n\n      max_upload_size = \"50M\";\n\n      media_retention = {\n        local_media_lifetime = \"90d\";\n        remote_media_lifetime = \"14d\";\n      };\n\n      database = {\n        name = \"psycopg2\";\n        args = {\n          host = \"/run/postgresql\";\n        };\n      };\n\n      redis = {\n        enabled = true;\n        path = config.services.redis.servers.matrix-synapse.unixSocket;\n      };\n\n      listeners = [\n        {\n          type = \"http\";\n          path = \"/run/matrix-synapse/matrix-synapse.sock\";\n          mode = \"0660\";\n          resources = [\n            {\n              compress = true;\n              names = [ \"client\" ];\n            }\n            {\n              compress = false;\n              names = [ \"federation\" ];\n            }\n          ];\n        }\n        {\n          type = \"http\";\n          bind_addresses = [\n            \"127.0.0.1\"\n            \"::1\"\n          ];\n          port = 8090;\n          tls = false;\n          resources = [ { names = [ \"metrics\" ]; } ];\n        }\n      ];\n    };\n  };\n\n  systemd.services.nginx.serviceConfig.SupplementaryGroups = [ \"matrix-synapse\" ];\n\n  services.nginx = {\n    clientMaxBodySize = config.services.matrix-synapse.settings.max_upload_size;\n    upstreams.\"matrix-synapse\".servers = {\n      \"unix:/run/matrix-synapse/matrix-synapse.sock\" = { };\n    };\n    virtualHosts.\"matrix.nixos.org\" = {\n      forceSSL = true;\n      enableACME = true;\n\n      locations.\"~* ^(/_matrix|/_synapse)\" = {\n        proxyPass = \"http://matrix-synapse\";\n      };\n      locations.\"= /metrics\" = {\n     
   proxyPass = \"http://localhost:8090/_synapse/metrics\";\n      };\n      locations.\"= /\" = {\n        return = \"301 https://matrix.to/#/#community:nixos.org\";\n      };\n    };\n  };\n}\n"
  },
  {
    "path": "non-critical-infra/modules/nginx.nix",
    "content": "{\n  networking.firewall = {\n    allowedTCPPorts = [\n      80\n      443\n    ];\n  };\n\n  # Grant nginx access to certificates\n  systemd.services.nginx.serviceConfig.SupplementaryGroups = [ \"acme\" ];\n\n  # Reload nginx after certificate renewal\n  security.acme.defaults.reloadServices = [ \"nginx.service\" ];\n\n  services.nginx = {\n    enable = true;\n    enableReload = true;\n\n    recommendedBrotliSettings = true;\n    recommendedGzipSettings = true;\n    recommendedOptimisation = true;\n    recommendedProxySettings = true;\n    recommendedTlsSettings = true;\n  };\n}\n"
  },
  {
    "path": "non-critical-infra/modules/owncast.nix",
    "content": "{ config, ... }:\n\n{\n  imports = [ ./nginx.nix ];\n\n  fileSystems.\"/var/lib/owncast\" = {\n    device = \"zroot/root/owncast\";\n    fsType = \"zfs\";\n    options = [ \"zfsutil\" ];\n  };\n\n  services.backup.includesZfsDatasets = [ \"/var/lib/owncast\" ];\n\n  services.owncast = {\n    enable = true;\n    openFirewall = true;\n  };\n\n  services.nginx.virtualHosts.\"live.nixos.org\" = {\n    forceSSL = true;\n    enableACME = true;\n\n    locations.\"/\" = {\n      proxyPass = with config.services.owncast; \"http://${listen}:${toString port}\";\n      proxyWebsockets = true;\n    };\n  };\n}\n"
  },
  {
    "path": "non-critical-infra/modules/postfix.nix",
    "content": "{ config, pkgs, ... }:\n\n{\n  sops.secrets.opendkim-private-key = {\n    sopsFile = ../secrets/opendkim-private-key.caliban;\n    format = \"binary\";\n    owner = config.services.postfix.user;\n  };\n  services.opendkim = {\n    enable = true;\n    domains = config.networking.fqdn;\n    selector = \"mail\";\n    inherit (config.services.postfix) user group;\n    keyPath = \"/run/opendkim-keys\";\n  };\n\n  systemd.services.opendkim.serviceConfig = {\n    ExecStartPre = [\n      \"+${pkgs.writeShellScript \"opendkim-keys\" ''\n        install -o ${config.services.postfix.user} -g ${config.services.postfix.group} -D -m0700 ${config.sops.secrets.opendkim-private-key.path} /run/opendkim-keys/${config.services.opendkim.selector}.private\n      ''}\"\n    ];\n  };\n\n  services.postfix = {\n    enable = true;\n    settings.main = {\n      myhostname = config.networking.fqdn;\n      mydomain = config.networking.fqdn;\n      smtp_tls_note_starttls_offer = \"yes\";\n      smtp_tls_security_level = \"may\";\n      tls_medium_cipherlist = \"AES128+EECDH:AES128+EDH\";\n      smtpd_relay_restrictions = \"permit_mynetworks permit_sasl_authenticated defer_unauth_destination\";\n      mydestination = \"localhost.$mydomain, localhost, $myhostname\";\n      myorigin = \"$mydomain\";\n      milter_default_action = \"accept\";\n      milter_protocol = \"6\";\n      smtpd_milters = \"unix:/run/opendkim/opendkim.sock\";\n      non_smtpd_milters = \"unix:/run/opendkim/opendkim.sock\";\n      inet_interfaces = \"loopback-only\";\n      inet_protocols = \"all\";\n    };\n  };\n\n}\n"
  },
  {
    "path": "non-critical-infra/modules/postgresql.nix",
    "content": "{ config, pkgs, ... }:\n\n{\n  fileSystems.\"/var/lib/postgresql\" = {\n    device = \"zroot/root/postgresql\";\n    fsType = \"zfs\";\n    options = [ \"zfsutil\" ];\n  };\n\n  services.postgresql = {\n    enable = true;\n    enableJIT = true;\n    package = pkgs.postgresql_16_jit;\n  };\n\n  # create database dumps\n  services.postgresqlBackup = {\n    enable = true;\n    compression = \"zstd\";\n    # pulled in through the backup job\n    startAt = [ ];\n  };\n\n  # include postgres dumps in the backup\n  services.backup = {\n    includes = [ \"/var/backup/postgresql\" ];\n    wantedUnits =\n      if config.services.postgresqlBackup.databases == [ ] then\n        [ \"postgresqlBackup.service\" ]\n      else\n        map (db: \"postgresqlBackup-${db}.service\") config.services.postgresqlBackup.databases;\n  };\n}\n"
  },
  {
    "path": "non-critical-infra/modules/vaultwarden.nix",
    "content": "{ config, ... }:\n{\n  imports = [\n    ./backup.nix\n    ./postfix.nix\n  ];\n\n  services.vaultwarden = {\n    enable = true;\n    backupDir = \"/var/backup/vaultwarden/\";\n    environmentFile = \"/var/lib/bitwarden_rs/vaultwarden.env\";\n    config = {\n      DOMAIN = \"https://vault.nixos.org\";\n      SIGNUPS_ALLOWED = false;\n      SHOW_PASSWORD_HINT = false;\n      ROCKET_ADDRESS = \"127.0.0.1\";\n      ROCKET_PORT = 8222;\n      ROCKET_LOG = \"critical\";\n      SMTP_HOST = \"localhost\";\n      SMTP_PORT = 25;\n      SMTP_SSL = false;\n      SMTP_FROM = \"vaultwarden@caliban.nixos.org\";\n      SMTP_FROM_NAME = \"NixOS Vaultwarden\";\n      ORG_EVENTS_ENABLED = true;\n    };\n  };\n\n  services.nginx = {\n    enable = true;\n    recommendedGzipSettings = true;\n    recommendedOptimisation = true;\n    recommendedProxySettings = true;\n    recommendedTlsSettings = true;\n    virtualHosts.\"vault.nixos.org\" = {\n      forceSSL = true;\n      enableACME = true;\n      locations.\"/\" = {\n        proxyPass = \"http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}\";\n      };\n    };\n  };\n\n  sops.secrets = {\n    vaultwarden-env = {\n      sopsFile = ../secrets/vaultwarden-env.caliban;\n      format = \"binary\";\n      path = \"/var/lib/bitwarden_rs/vaultwarden.env\";\n    };\n\n  };\n\n  services.backup.includes = [ config.services.vaultwarden.backupDir ];\n\n  services.fail2ban = {\n    enable = true;\n    jails = {\n      vaultwarden-web = {\n        filter = {\n          INCLUDES.before = \"common.conf\";\n          Definition = {\n            failregex = \"^.*Username or password is incorrect. Try again. IP: <ADDR>. 
Username:.*$\";\n            ignoreregex = \"\";\n          };\n        };\n        settings = {\n          backend = \"systemd\";\n          port = \"80,443\";\n          filter = \"vaultwarden-web[journalmatch='_SYSTEMD_UNIT=vaultwarden.service']\";\n          banaction = \"%(banaction_allports)s\";\n          maxretry = 3;\n          bantime = 14400;\n          findtime = 14400;\n        };\n      };\n      vaultwarden-admin = {\n        filter = {\n          INCLUDES.before = \"common.conf\";\n          Definition = {\n            failregex = \"^.*Invalid admin token. IP: <ADDR>.*$\";\n            ignoreregex = \"\";\n          };\n        };\n        settings = {\n          backend = \"systemd\";\n          port = \"80,443\";\n          filter = \"vaultwarden-admin[journalmatch='_SYSTEMD_UNIT=vaultwarden.service']\";\n          banaction = \"%(banaction_allports)s\";\n          maxretry = 3;\n          bantime = 14400;\n          findtime = 14400;\n        };\n      };\n    };\n\n  };\n\n}\n"
  },
  {
    "path": "non-critical-infra/packages/encrypt-email/default.nix",
    "content": "{\n  lib,\n  mkpasswd,\n  python3,\n  sops,\n}:\n\npython3.pkgs.buildPythonApplication {\n  name = \"encrypt-email\";\n  src = ./.;\n\n  format = \"other\";\n\n  propagatedBuildInputs = [ python3.pkgs.click ];\n\n  installPhase = ''\n    mkdir -p $out/bin\n    mv ./encrypt-email.py $out/bin/encrypt-email\n    wrapProgram $out/bin/encrypt-email --prefix PATH : ${\n      lib.makeBinPath [\n        sops\n        mkpasswd\n      ]\n    }\n  '';\n}\n"
  },
  {
    "path": "non-critical-infra/packages/encrypt-email/encrypt-email.py",
    "content": "#!/usr/bin/env python3\n\nimport re\nimport subprocess\nimport sys\nfrom pathlib import Path\nfrom textwrap import dedent, indent\n\nimport click\n\n\ndef find_project_root(start: Path) -> Path:\n    # Can't search for `flake.nix` because there are multiple in this project.\n    root_indicator = start / \".git/config\"\n    if root_indicator.exists():\n        return start\n\n    return find_project_root(start.parent)\n\n\ndef find_relative_project_root() -> Path:\n    return find_project_root(Path.cwd()).relative_to(Path.cwd(), walk_up=True)\n\n\nPROJECT_ROOT = find_relative_project_root()\nNON_CRITICAL_INFRA_DIR = PROJECT_ROOT / \"non-critical-infra\"\nMAILING_LISTS_NIX = NON_CRITICAL_INFRA_DIR / \"modules/mailserver/mailing-lists.nix\"\nassert MAILING_LISTS_NIX.exists()\n\n\ndef encrypt_to_file(plaintext: str, secret_path: Path, force: bool) -> None:\n    if secret_path.exists():\n        if not force:\n            msg = f\"Refusing to clobber existing {secret_path}. Use `--force` to override.\"\n            raise click.ClickException(msg)\n        click.secho(f\"Clobbering existing {secret_path}\", fg=\"yellow\")\n\n    cp = subprocess.run(\n        [\n            \"sops\",\n            \"--encrypt\",\n            \"--filename-override\",\n            secret_path,\n            \"/dev/stdin\",\n        ],\n        cwd=secret_path.parent,\n        text=True,\n        check=True,\n        stdout=subprocess.PIPE,\n        input=plaintext,\n    )\n\n    secret_path.write_text(cp.stdout)\n    subprocess.run(\n        [\"git\", \"add\", \"--intent-to-add\", \"--force\", \"--\", secret_path], check=True\n    )\n\n    click.secho(f\"Successfully generated {secret_path}\", fg=\"green\")\n\n\ndef hash_password(plaintext: str) -> str:\n    cp = subprocess.run(\n        [\"mkpasswd\", \"--stdin\", \"--method=bcrypt\"],\n        stdout=subprocess.PIPE,\n        input=plaintext,\n        text=True,\n        check=True,\n    )\n    return 
cp.stdout\n\n\n@click.group()\ndef main() -> None:\n    pass\n\n\n@main.command()\n@click.argument(\"address_id\")\n@click.argument(\"email\")\n@click.option(\"--force/--no-force\", \"-f/ \", default=False)\ndef address(address_id: str, email: str, force: bool) -> None:\n    \"\"\"\n    Encrypt an email address (or email addresses) for inclusion in a mailing list.\n\n    Example:\n\n        \\bencrypt-email address some-token 'me@example.com,you@example.com'\n\n    Then follow the instructions for what to do next.\n    \"\"\"\n    # Feel free to make the regex less restrictive if you need to, but keep path\n    # separators out of it: the ID is interpolated into the secret's file name below.\n    id_re = re.compile(\"[A-Za-z0-9-]+\")\n    if not id_re.fullmatch(address_id):\n        msg = f\"Given ID: {address_id!r} is invalid. Must match regex: {id_re.pattern}\"\n        raise click.ClickException(msg)\n\n    # Make sure we aren't being given a text file that happens to have a newline at the end.\n    clean_email = email.strip()\n    if clean_email != email:\n        click.secho(\"Removed whitespace surrounding given email address\", fg=\"yellow\")\n    email = clean_email\n\n    secret_path = NON_CRITICAL_INFRA_DIR / f\"secrets/{address_id}-email-address.umbriel\"\n    encrypt_to_file(email, secret_path, force)\n\n    click.secho()\n    click.secho(\"Now add `\", nl=False)\n    click.secho(\n        secret_path.relative_to(MAILING_LISTS_NIX.parent, walk_up=True),\n        fg=\"blue\",\n        nl=False,\n    )\n    click.secho(\"` to the relevant mailing list in '\", nl=False)\n    click.secho(MAILING_LISTS_NIX, fg=\"blue\")\n\n\n@main.command()\n@click.argument(\"address_id\")\n@click.option(\"--force/--no-force\", \"-f/ \", default=False)\ndef login(address_id: str, force: bool) -> None:\n    \"\"\"\n    Encrypt a password to set up a login account for a mailing list. 
The password must be given via stdin.\n\n    Example:\n\n        \\bencrypt-email login test-sender < file-with-password\n\n    Then follow the instructions for what to do next.\n    \"\"\"\n    # Make sure we aren't being given a text file that happens to have a newline at the end.\n    password = sys.stdin.read()\n    clean_password = password.strip()\n    if clean_password != password:\n        click.secho(\"Removed whitespace surrounding given password\", fg=\"yellow\")\n    password = clean_password\n\n    hashed_password = hash_password(password)\n\n    secret_path = NON_CRITICAL_INFRA_DIR / f\"secrets/{address_id}-email-login.umbriel\"\n    encrypt_to_file(hashed_password, secret_path, force)\n\n    nix_code = dedent(\n        f\"\"\"\\\n        \"{address_id}@nixos.org\" = {{\n          forwardTo = [\n            # Add emails here\n          ];\n          loginAccount = {{\n            encryptedHashedPassword = ../../secrets/{address_id}-email-login.umbriel;\n            storeEmail = false;  # Set to `true` if you want to store email in a mailbox accessible via IMAP.\n          }};\n        }};\n        \"\"\"\n    )\n    click.secho()\n    click.secho(\"Now add this login account to \", nl=False)\n    click.secho(MAILING_LISTS_NIX, fg=\"blue\", nl=False)\n    click.secho(\"'. Add or edit an entry that looks like this:\")\n    click.secho()\n    click.secho(indent(nix_code, prefix=\" \" * 4), fg=\"blue\")\n\n\nif __name__ == \"__main__\":\n    main()\n"
  },
  {
    "path": "non-critical-infra/secrets/0x4A6F-hardware-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:T1DGBnN180XRCkkYYXsspXPcYOH6p4y39FW4xiI3,iv:zZ8gb0sXJ6nFnibFWToQqYbZqe9JT45fauWeH5by/NI=,tag:gmavcl3rCjHqfsZ0HBg9rw==,type:str]\",\n\t\"sops\": {\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZbUlzR3AxV3lxSjNTQS9p\\nSURKaFFrb1BSWCtEc1krc2ZnK01oWjRLQkJFCm56WXFRVHBxT3BpZlczSk1HaFB0\\nbjlkbnpoWUtHN3JmNmxJOVlsdS9QRzgKLS0tIGFoOU9PSm1LRjlRelVMOHhTR3dl\\nb01vYXhvWjNqTGVwdk90bGltQXdmb1UKiZEINoSdBjeNCivlsuXgIbFkKUGO8AX+\\nzVhtVihIlNesJ2L3qrfYp48DAtLgHGOKoCLLI+lVtXRTBYx9KL+gtQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBSGJJRWRraWlQb1YvVXNv\\ndk1YUllDaDBlbWpwaWw3Mkc2c0dTOHhma2hrCjNaSkpKTWh1QmYveCt3aldwcktF\\nSVVwbkNmbEpMSzc1MjVTeEswYTErUEEKLS0tIHBJa2V0cFExUXFoUjIzckZZNWJz\\nMkxPRFljRWFRWVh2RzRxbUh2MTM4WDAKfmGLWEiH5FRQE8wNtPdQRrw9g7FtLQVw\\nqW1dJmwxT/RrKt7Cj6bfdMQMdbdaCOD2dLntrjzPWewzTUZQe7m4ng==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxUGFOWmxadkN6M3NSTW1W\\nTzBJN2VGK0c3UUVxbVplYmZ5MkFpL3hGVjNnCmFnZUNoWVZnenZneEx4SjkyR1gx\\nRVFEclJVMUwwUW9CN2lkckRjVEQvZWMKLS0tIHUzM3JIMVlTR21IT1Q1S3RHSTJG\\na1hqUWJmbTJDYWpWOWlpRDFQNTYzMzAKNptbBbk6PmxNUvHM2WQ+5Q5LItnyGJY8\\nrM+O8XQLNT/o8c7bk2a+jE67cVDrnZMVR8nZtncbZZSDw23hQ4MWJg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED 
FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4STJ4aGdoRGxZVDQzVjFD\\nSjE0VnY2WEZBcS96czFoOHJ5YVBHRm1jV2g0CjJGNGg2WHJoU1FtOEFiRVIzTHVx\\nTXZrY3dnZlBVNnFRK1J2SXU0emRFdGsKLS0tIElzWnljeERzcTZmV3lpMytLRVZC\\nV2Y5cm9XSndjVDZ4bnl5MUYzUnZCbFUKN3kCadQzJyN2n2NuvuKyU5qxCPgIFUBA\\nlrrFoltqzVH0xBLcbz22yJ3zhH8AJrbKswfmA11c8xs0lppWy2eQ0Q==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFckwxUmJNaXdMRXBTSVdK\\nK1RWOHFBc2VRRDZ4dU4wRHNNb2ZQOHhobG1nCmIzQnBVUzY4ZkdIcmRUTU9SYlVr\\nL0l2dC9Xd3ZraGJWKzNJcFY2REJMYlEKLS0tIGVSTUJNUjhzTmlKd1NNN2pIVFVv\\nNzUweGtoYVhGUzhFRzRHZFU1ZlNnUVEKdNo9CNt9gmPqJ0Q8YnQJEkR6a6350cD5\\nnCp0FKTqI5wVP1aITcV6KEemfK3A/fYwNThUmvAgHAnEPhFDKlq63w==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-09-03T18:13:12Z\",\n\t\t\"mac\": \"ENC[AES256_GCM,data:qK62+alw9neFyFERDBfjenwJQfGm+d0w0H/G9Z+6DktjaHqGObMoIy48BpUNqmWwU4J3HAiU9sRJNGt3w6kGYy69rVnVF8xHHvmyhJ9skE6L5BghOK37ZimDcbk1KYDzPE5tbAK9DBPGuyKS2Otd8incaSc3AqQ36Z4tEDkIkgg=,iv:2iC6A0qEgcqQtCBn49p75cbjwhpshFvM1gAeAQmXh8A=,tag:WI6suEwv16G0nuRhdIgxvw==,type:str]\",\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.10.2\"\n\t}\n}\n"
  },
  {
    "path": "non-critical-infra/secrets/0x4A6F-moderation-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:jmy9KJWK16fq8Ba+N8FD4XdCPEH8hQJN36+XRmJgxXM=,iv:i6XZniBSITisyXUPA3FB8kKTgySz8YWcdK0zfWLbDC8=,tag:qH/lOwsGNeVG8G45TiFISw==,type:str]\",\n\t\"sops\": {\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJd2FXYkhXS3lQTnlDRy8y\\nNEE5d0NKaHR5QXBDYzZIeThCalkyOHJ5VUFrCnhxUWhMeEdWTzZScytSZUhMRzY2\\nZXFKUkRSTUFKbzc2cXhNazVZUDZpb1EKLS0tIHR3alY1TkZCa1dsV29XYTVSZ1Av\\nSklza0EzNDZjWXFXVW5rSGNIcnByWXMKrf1FG1gLW/mluifSq3RPjqEn9UfL98iS\\nv/Ddm0nZgWCDle0CTtKWQHSOXOVXeKZWYdp3++9Nrz6ryuIzCpJryA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNYXd6QTRYVFJCQWNJWklz\\nRnFacUliMUF3SlFuYVA0aEg0UktuZHBFSVdFCjVlZ0F4bW15SkJFZzF2cWpXWWcx\\nd3lnUjlFSVlwT1dCWDJxQnhhb2VoakUKLS0tIGFCSC9CTXliQ3BBQ2ZNczFaMWp5\\nZWFkb0cyZjZPcVNvaEZndEl3S3UwK28KlFMnhFeMTrACM+21KVtMpEdR88sG3BE5\\nzksspDSnwHIfr5cmoyivY1ZQpGjDOjCwo2zWfWeRuYf0It/i3zRUhg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2a3drOHh5M2dMWlVWR3F6\\nZ2lJY0hqVW9rTGhyaVp4cWs0SGdlL29wcWhvCmYwTHVuTnQ2ajZlN3A3K2lFdVAv\\nVWJiU3dTanZxSHVzcitNSzlwNnZZLzgKLS0tIFAyN3kwdyt4eFBiMnkvOG9SVmF6\\nM2NSemo3NEFBcG5zS2lYbnlRN0FyK2MKsNGibLDF1x4t7zKsbcxc5O5u08LD7abR\\nFSCyU0a6oGAgGrePNIlB0XQlhrMvCLPsz2lmT3fwPcvHyX9Rln1vxQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-06-02T21:05:16Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:+vd/4QvumYVYoim+2voBNCNGSYBCSxlEaWKUTu3Z3+iVUPuPqQyPwmUu7lR6NmPcLdAaWDS/VFTTnXWgvMsIMqhAObZzoLPKClKiZJhCfLm7pn96bz9+jGm2fFH9U9DLaPHX9K7gDgJZ8qkyFZ0vtmHvm5FzcPJorFa5wTFVFH8=,iv:EL4Tip6v/pf5kHy56HsTUpjo8hACFaKci5VEQYdWAfs=,tag:fWZJIrn5jHBTtW4pKoa5Ww==,type:str]\",\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.10.2\"\n\t}\n}\n"
  },
  {
    "path": "non-critical-infra/secrets/DieracDelta-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:X3yYaojL6gq9TRvAd8OMMnU=,iv:ULH7wpkAHPQLGuYudsoNb0uPmzm4K7qDFWYYcMR8u48=,tag:vgFnwkPkXS/QeJvE+XZ2UQ==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZeENFdXpQNFA5aDNvUURZ\\nYXprcVY4SjByNEE1eVF3RjBrRlQ3aXd0eFZBCnNvU3hpNml6OGtxN2RQcGJ5bjRI\\nSlF6UWJEUmo3UE12d3pNRU9qVWFtQkkKLS0tIG00bVB3dEFwNnJnZWV2eElscVlV\\naGZIWHVCbEZJMDAreFY0VU1UMUVkaG8KJ9bSidOMy2MVuQALIRrCzZI1HL0aQ1zu\\nrogntkr9eKlqN6orMXsYEewHJ4cXrvR2A2OrWZHWUIS9OC/xh9qHMA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSVVA3NDFjd0hLMlhjZ0xW\\ndFh4M01XaGgvaWlONk5MYjJNOStpOWoyNTE0CnVVM3FKbmYzSkJRaWtCMDRoMk9z\\nSm00eStNUHhKTVEzU3VDTm9peHNZYkUKLS0tIEZYN1RnV1R1SnBhckhHd2Y0RFE0\\nYTJqUGsyWXVwRWg2MjI5bGhYYkJwRU0KRZD1QazLtJzDNd4LS43z347pPxjBv3GQ\\nw75Vzz99G85Wne1W882k+8ACVhF0OXCfmPYhZg/uq0f4HQGRKEVwsg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrV2xlUXh5b1pOSStoWjRS\\neXdVSDZxUTZLNVJ2cm03K0NqZC94YUZmcmdNCktoRFJPaXZHdGR6WUhjaUpDb1Yr\\nZVM0b2VicldNWE1PekFJRU1wS3NRaUUKLS0tIHN1MlprK2RnaFBJUnZMWkE4emFq\\nWXhqa0lQeWlYYXdIN3IwNm52ZkdKU0EKQjJnpZY2hEtXgEAlVpoEsz75fv6xP/Ls\\nonNqppZHawRrCMEonQ0st71/bXiPLfvlTydWd8Gm2sh9x8Q6iCIXjw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:32Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:EeeJ9xKUEbNAPk6dIEoTkZfmzuhSXv6o4aMDrlAMtyM74FZFd4+UgFMWX9jDenMLOwuABf+V8n7uwRG1F69irMElOUHnRFWddVyNd99xJ8qNCmcOWTozDIoWEPC7gSUJklioPe/H52oa4x9MB3mo0tQco5OX8cCIHhMFfdZsetE=,iv:YsY+UdizldTnAf1NYvW9lA5D+GLiwN4AJiDWHIsUikE=,tag:VSo6ceJDowM3s9etW92DAQ==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/Ericson2314-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:u/wikuNZRqFUN80sb4aOKF7A,iv:06zg9gnBY5X3nJTh1pYAkj8LbaojO6FXn48JAfsMojs=,tag:ZMfs9E2X7VGP1C8O6X6YtA==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSWndNejZpQ01GcmFzRmky\\nMVNmaTdBd2FaVTE3MnFncHZzVnIzekQxa0FvCmdTZjVzQjlMNndNY2Y2VUlEKy9D\\nNUtpeFI3Zm1zUzVIUzFiNmE0cm9ScHcKLS0tIEF5bmx1L0M3TzNUTkpUUXVnanli\\nVDFsakR0eCsyaWxoUFNvYkRLV2VsRk0KuJwyIOPDB5e9dDDWW6FNbDqmuyY/OBuG\\n+g0Y6h/jtoRmgm1As+RK3GE5ZIO7wgIziiliW7lq7+wDo+ywttfvcA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTYkd1aUN3SWFrc3RvdXU1\\nWHRQTk5Tamw0eXpiaU53UXhwM3cwOS9wTUVFCkVxNWordzFTUGg4L2ZpTFFWSnY1\\nd2dqWVM1dXFpSVZwVldDa00yZm5MKzQKLS0tIDZ4b1RqK1RJdHd5R2lzbDB3cFlC\\nNzROY0JVN0lCemtNQUR2emNzRVZ3bVEK1PXujfeLj7VXtmJV0SSRp387WRjxq/l/\\neTIoDw1GiwIesPcer/+a22XV5iPkOMGcgxUFZG9QmzhWQO1G1FTOdw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLRDFmMHFNYW9NdnJndGtL\\nWmlRUUI5MEtIekMvVHphdVlHK1FxeVBraEMwClVOQ2JOYklPYWhrOGRSdEJwcjJj\\nN1dUalVibGtTZmxFK2I2ejVXYVJoS1kKLS0tIDRpaCtKdnpBOFZHd2pWQ2JUNG9l\\nWVBjeGJUN21EQmt1MzZjNUV6UHRPcjAKEv10tHiU1chCx4XA12DRXcBrL5Gu8uze\\n6ZiUoKhihO7bSBpw4Qbl9klCkZyKQ+yHOXBCrfr8XGGyYO/GLO8bQA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:24Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:3/oy9v0leIbu+MBH9+mH+qhiiWYzmQkWAAT0HHPutRLG7/RQGIklmuVCYNAvmknWogpI3lBrz0g1eyjZVdyylQGefWG/7mxcbYI7UoyAgmfUdfy7N5LnagD/Yca6EERekrK8hzpKDHeQeR7TVvUfXoVn1eDYJCs4QpARC4gZwTk=,iv:r+AOzfsRgyetuwDu9vNrqr5NtiGMShrGhh5Lo3Vcx9U=,tag:2UAgw0kjQOz8wa/D2y0jbg==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/ForsakenHarmony-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:/q3jAh5Gbh4t2rcwhA==,iv:C9hFbszs+fOJjvi4TAVnrXf5zKnmmtUZt8W79GIkpXQ=,tag:6KGQdgeidkplMbh5glqr0A==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2c3RJVENPLzFQUnBQWmYr\\nMDlUSlJOZU9DQmtKZXF1K3V2bUF0UE1nclhzCmRVQWVhV0pNVjlHM2FXcDBEZ0RS\\nTG9JcFc2VHl5Y3ZlRVdlWm8xVkozdm8KLS0tIFZteG10L0pVSGJoSCtWQ0dSVm5r\\ndllWb3lNZzhRRTZualF1a29DODI4QmsK/QsoEBBDbcozYwxH0KXlULWt4ZDk35T5\\nEGnaTTmLZt2HWouAzIAhWAIP4r/1ITBV6Sp1PpsurzEzAmXG7DF8Gg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCVVJWYlpSMjcxVFJjem4r\\nVW1kQzdLcExNZk9ySklaM21Jc1N2djk1ZlRFCkxCWkhlREFCZUE1YStUL21ETGd4\\nV1UzUGRUUVpYMVZJcURDMEs0Q2dWMG8KLS0tIDhkZ0RpQlphanNmUkFaRUU0TTBW\\nbUZzeDdBd2cxcThIbm5zOE9rN1NsdDQKRBNqF/GmLdmuGEaakXA/RyOe8ExIxhRR\\neivwaB2/pFVE3SwMaAGvx/fyzG0Ul0mD352jyn7a4/XKPTeWqPVwng==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmQXdudit5QXhJYjFlSHc2\\nQjByT2lwbmYyWUVxdktVNjFyYkZuUTBPL1hNClpVQXY1ZThXSjliRi91M0JGOGs1\\nOVdKOU1pUmZPTTBjajJIb2lCY2tzMTQKLS0tIE44TURVR3RRVWY5QTR0MEdieXF3\\nbWt0SXNzOGRVdjc1akxoRWV6QzVYL3cKit7meiKwcYw77fi3F6U0whUcyGpkXAQO\\nBoZqs6pr4iDCsWAFVpGV4hfqXNLhrzBKSmUxVxCpSfbmUb4ZwZEVWA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:18Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:Qo6ddwfmbMbBfv4ScDvhv5Ol68hc3Wm3KviWxO4iCjKjidHVMAmJPr0TDJtMR8e7e6ywBHcIPsGOCh0GJ7P53os0Pz2S79o4iXDx5hykvoFmOqWGr9INSFwAe8VwDYE1bt80Um6W8twCR5Y4Z5FC6n+2hWQA/3iM+KngctI2pJ4=,iv:1PR/uwLBXps+TzAjwef6g1aSkcAdyO/EYdZrRRFH6Jc=,tag:DoqtX9yPh9KeQA4Ysrv83A==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/Gabriella439-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:C0rILZtiz2wxslQbHqXo0kG0UQLc3BOFkhI=,iv:1l9l2IbznCKZGtfmqj/SLwS4f3r6uC3DRdgcohhEh54=,tag:ndMxeQNCDd/DN3ysVdqgpw==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6OHgza3dYcTYxUURjTHhi\\nUWJwVjV1ZVRVV2orNzBXank1K2pqUDVjYWhZCjNTelc5ampmOXlpcElNWVhxNXln\\nSktBdkhJblRpTGlHT1U0QU1raEhEc3MKLS0tIHdGczB1bmM1NzQ4Nkl5YUlqU0Jo\\nU1Nkd29XWHdXL25ZYlJzdjRiUHVqcncKBDFKH31IKCsEvGRw2x/zO+1LyE6nWsyq\\nxlMWmRnJJbu9pYNs3qzIUbGlD0pAaLZigBIMEMiHEDUeSeVHKupQkQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQU0Z0MTRtdThxWjhianJz\\ndEJQZUxXWEluU2xLZlQxaDBOQnlBNW1Bc1VvCis2QkhZNHR4Z0lIMUJEMTY3cUFI\\ndVU2VGZhL2RKWkozZzlwbzl6VE9iMGsKLS0tIDd4eEdqVzFuaVoydlFwVEdlR0I2\\nZFBWZVgzaXVPTFpDeDk1ZU5tcld1TGcK/c7c8HsbTrGeG+92pWmMn3YPpNvUFx1Z\\n2Xfm5Zr3/VdTA18BN30uBva5oYOCiDIiXgaQrT//DDZNQDPhJKlWQg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2dFRYbEhqcC9xTWpncU5y\\nOGVTR0RHZXZJSFFtaDVnN3F2R2g2WTJ1YkNNCmhPTkVTdEFrRFlnN0Nmc0lOeDcv\\nZzdwUlVwaFBKRUNYYWRjeUVDUU9aa0kKLS0tIDJtWGRmdUxSMlA4a3VDOEtmM2hp\\nMDNiUEdYRms2VTRteHdtRlBTQ3NHcmcKB/ACXZhqxS9yghBBwuTmkR5cgsakv1I4\\nzPC09vPIS1q7amMHQ4zhnl00tykl3AwfSOGO9wTUBSpGu6byRPUOWg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:25Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:41DiT3lGEreAgFAid7nukcr4cPHIwbmMwp+97dyc8e2vcuB4hi4DCMH3HF5G6TXMF8k0WE2fxFc6+lN7TyP2cbz06YrrrZaz+oDcMh43rvRmwBmrsXSkh5B1dlYlMHYQ8qQrq4wqa9JN0gYuA22vuoEV/fao4VhNpnJm5CubTxE=,iv:IF03wTAIfmRNym6yCR7fMraYra8QVHhpCiXRFiaev+Y=,tag:CDnRSoBgRJWHdNr86cc9ng==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/Kranzes-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:Rbt40fvOkd12tUOrdattVlc23zCEHZkDjhFN,iv:9tKOblb08ZdyIBYzfSNGIPZWQLgiGy8QLaRTVBzUk5U=,tag:69JCHM3Q+d8sPbS8QrtOFA==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOUWswZVEwbkZhOXFRUE1K\\nYm5reW9UdTZaZ2IyOWxub3pXOVBDSWIzUEZVCjB1aElrb1JXUmtMcUxPaHZYQ3lW\\namFuY056SGpuRTlDRVlHOTJudjd6c2sKLS0tIGpjMDYvazE0MTBjQlhHUnVTQ0kx\\nci9Kb0piSGtzU1VFWEZ3Um54R1k1VjQKPqMA8/TCkOyoCXj4IBSmE8IrEGLK7xRk\\nwCA5ZAQrpCdx98H4yxJv9V5q3sozrKafmluu+9MuvFlV9GR9Sl7PDA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpRnRGaWo3YmlFUFQ4Vld2\\nRm9jaVQ4aVk5N3REQ09yOUF1K0FXNSs1dHkwClZwUjM2dVhRMkNCa3JVamU3bGdh\\ncDA4ZnhzNldyQ0pDVXlFaWN6RHJmd2MKLS0tIFBJSHhsWVNsajBlWXZkRk9hbGw1\\nalR6cFBjc1RPRGFTNFVlbkhaK0Z2QzgKaTyBrdj9pxrW8v6MuYVNFj+fwseHD5JR\\nMNbOAsS8J07znV5hHstn3j5ESaLd4DwyZgSAPlryEIQhG+NPVthBgQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGT3dIcXI0RXBUOFUyRk4v\\ndkdUY0F2aExHRGlHdTBoUlNCaTRLeFFha1JZCmM1d1F4NTlicGgzWG1BaWRZOGZS\\nNkJhbzg4eUpIRStZYiszZGpHZnN1OG8KLS0tIHJnTUJZWkJ0QXRJZnlhT3NqL3JR\\nVmYvZUdUa01wNlBRUkcyckdvR3NIQ28KvUhddXSOLOIdD2xSACfka/IgdTN9db2W\\nMNlkhumZmZYwFoCwyFi3WlYpxUHgwywLW627rDKsK6lEWGHMHgiing==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:02Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:HQRWdn/UHk0sRhCQF57nTY3AGODVCsq/yUXs1g9B7RD1qTAH+CBFq/861xn40Q76tKE03qil2ucZJ1dPSNBGwk9fuIfXHytumg6Lr2Fmq7m0ri1X5vxGs09Nw7AcQ1dJcnL3H3F4wDa0C4jojSBnh5JSD3Q9w8CI1EbEj8xuyYs=,iv:cny74YHIlI6AYrwfDtPTizd64LJc/1K0HmfwNKWD0FY=,tag:RuhZ+zbr5B0ZZgOChJGdlQ==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/LeSuisse-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:h78IdHjkj0APVFZdq8oFzw==,iv:6QB2mRaGYvQjCjO6QKcnuvfO2QaLMd9twdeF97uyccU=,tag:udGErtYAJX2wlumAThxpuQ==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlczgva1Q1bUZpMmtuYTdM\\nd3gvMUZLM0VhY1hoamN3WVM3OGMvZGpaa2xVCmtyaURwbVMwYk5nU0pTOUN4bndY\\nakFFLy83WGtTM0FqRXR5ajBHQU9EZFUKLS0tIDBFWHBVbzRzRi8xZVp3MXh1MGlK\\nNTB0alRIUG5xRlZLcFVwMCt1UEdWZ0EKdRFNMI7yxSAfsLnwQw9M+0XdILgWifZu\\nw4Wm7zjSWgoV9rHEm9tZWidXbJ8gfEFsqP0Gc3vrs3b8O1n8RvBTbQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaREZqeVduL2JBNTJ4Ui91\\nRWJpUnBIR0MvQS80MkQzUkVjdDc0aW40anhVCkFPZ2hjYWJzSUdXUDlqMVlyUXIv\\naHk4ZHJrNXNZMDZVdXJHbytnY2FWUHcKLS0tIDNPeXVuVFlTQXpSRHpKVVEyVFYz\\nNExDL2x0OCtxTkJxaCtMUUU2N3ZFOUEKjX/bLagzQUoOsQ0zXPkx2/G8TpucsVEc\\niP7lOnnqefIF9YBZfWrLjdFjlAKBlZW1sokDNiFfeNlVXLv3nXhmQw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzSUwxakk4aGRQT2FyQ0FG\\nSnNGODlrcFY1YXlpbHNJUkJSZ2ZjeW56bmdnCjhCQTBDWE1oWTlkY2V1bmc2Y2pR\\nT1ZvUDZjSlVMVStuckV1QnUvS0wxQWsKLS0tIE9saEh1S2Rza3Q0RDJOcDF1cE9U\\nUjdnaGFHd3ZVb1pMaXlWZllJcXVVMFkKhSZ+mABcFxPsrbtxhnRv69m65IJFNIAD\\nA5Ovz9AVu1KZiWCe3obDI7ImvGK/P1kYxgtcxOZAmPqYj+8AWN94vw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:23Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:V/Qs+xRtrcBYzDDANHueSrNIsHq4wT1ZOrQDJff+k8Si3Uaw9D7yGsZHrdFj+wuAt8u45WHlDZ4C+4zyNWJU9PiengAgQdRWl3z92LrFWfBFsvbCwZhcB/C/Z/HtpnNxV4eCnENnhEiQbXClYpndFiq9JRKv2eWTRbLzf6jwSeM=,iv:eC++s4t3iEcREtREiacb393DcN8IQhgU7rbdKXQMSwQ=,tag:/1+oiZAmYHY488iPPGkwYQ==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/MMesch-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:/MyKjCi/ikz9u8TCJ0c7yhieWtF1Pq4osnE=,iv:TuY8UnNiROVHbrah0DdOs1FP8nCEwPlaZro+y1c1XiU=,tag:QJ8AmBoVI0mPL6WMt++UZw==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJRncrOCtDSzNMRFBjcEZF\\nK3ZpSDVlUFFBVDhXcGJDV3ZFT1JoZkhWQ2tvCmxXK2ZqcG40eUtqU09DcWV5ckJz\\ndlVvdHJzYU5RRkN4QVFaYnVPc3BPdGsKLS0tIFJoSEJCRDBRL1dmYTc2Ry80cTFx\\nYXJIZkJGZHkzcmc3OGUrUklzY0t6dk0Kat3DEijf/XA0ixOAr3cwPlh2Zbu2EeDj\\nmXB9fH79JY2sh8+JQ4x6sQJMQnnvG7rPK+8x6H3565HudUpOvVSP3g==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZWYxM00zald4TTVhNHgz\\nTEFkd3pGcHcyOTZGRmhxWjQzVENLdFoxem5ZCkJhVFZoK0xHRTNRWGh6Y3BGbG5k\\nVEVaeVc3dDNnRm1oZXFKTEREWGQ1VEkKLS0tIGpwRkNUaGgvc0V0K3k0N04zK0hB\\nSERwd2NsWDE5THZ3NkJGR1hpVUIvaVEKgcM7kURq8DiYpZ1bLfdTfeqSlCgope2h\\nJbzdw7pvgyLr6hsa6+sudj13qVy6rEplqC6dBsZ7shMqtmqRQLauOg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRbGg3RHZtdUVsK1pVb1N6\\nM0l1US9UQ0tadVBObEVMN3NpZWRMaCtKWFRjCno3dHpuK2liNzBKL1lESFozSnpV\\nUFBscE00SXdBN3JlL2FMR0tmMExHU2MKLS0tIFBKZ0ZGeE1oNVlPRW1OTWJRb0FN\\nZ0VCR09WWVhydStqbTdrQXJBOG1sb2cK6MqLXg540RT2LwfTRyrZbbqMKemtLo+x\\nYffXEJIq8aRedMCV6a2MAyi2+OXGTNJGJsRddwP9vCkG0W6qOVRdzA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:29Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:lCKzgeTe0ySL/llOVXjybNMQ4SaAZfxx9q+UQFBQJeWeSWx5VpBAj3D0OjJA8URrIBJEvLublcM756yiN5uuOBmFUILrx2x4hc1FrFjcwlap7w2/yCkhl/e8LVXJnXlE2Bxc1hkkF7NBpFRy4BTuHM2HCFmDSG6tnBrqeWOizAQ=,iv:a9B+wZ+f0XvLcjbYnMkKulUBKaJhBA13tmVyMwTcVHU=,tag:ApPc5CmMlU53iXCkBhFJSw==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/Mic92-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:TvG6EEUzxziXHkm9Io4pqXg=,iv:vcS7p6p7q+v/NPT9Noj+DzSVQHaVQSqEtUx4ZIeq5kU=,tag:BqcA/NkWJee1MADjHoj3qg==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmQUdtS09CbEEwSEtrOUYv\\naE54MjJPWUVoVkFzQ1BzaG1oTmdlcDRLTDFBCktMK2NRY3ZaejRKTWRUNStOTC8z\\neDFTS1VrTjhWekl5K1V1NlcrWjZXMTAKLS0tICtnS2tLY012VFR2LzB2QXlBT25n\\nR2JFZSswTysxNXJlbFhaMHZ0T3BlUHMKiPRqvaTAfyCOQRcp4t4VhxXIQ3ULzfPS\\nTDv1bnUy6TKHl2ax5KZus0VJos0Lei/nOT5aN0sujG9PV3atq0hI+A==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4RGhRZy96VDhCZTlHWENR\\nZWFPY2s3RUFUbnZYbTRkVmJtOG5oU3ZuWEVRCmVaZlcrZlduR202U3ZPMDNnZTVa\\nd2Z0R3UxT2E2aGh2QjdLK3VGYitwbmcKLS0tIHVaUFhtTW5nZ0tJM2NHZHcvRHdV\\ncHZFc3NSL0tiN0RGU3RsRGZRM1ZsSEkKSZDmFRP/LtNMZ2hxCLDBh+m+BKzCKdXE\\nlSL6Vy1o+aMH+wgM1mQQ0LgDRvPBdIuFkCFG7yVw+B7+sicJZy4CWg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBub0FkYTBwUkZkM0RDMDRm\\nZTI2WGtyWkRrc3VEMTdIOWl0WXRmenp4aXpnCmZVdW5YY0xJTWtDUFBobUIyMjh2\\nZ00zNWlrZ3lOVlJGY3NTOFZEMlc4N3cKLS0tIFRETmpydGVFK2NkaUV6VGplN0U0\\nQjRyb2ZVTi9tTmNCN0hwbE0zbzAzZ2cK3C1glQ5B/M117NTebH7CsG8e8qgH+h/k\\nm+TuuuR6PDYD7nYGNttLRB9X3UTTbzkyqqD8Rxc3IQqGr9abAMaZ/Q==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:00Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:/86wMc+s3MNBI7Vg+e6FcJMxd5ifn7Zgu+AksxtikdmsC6zttkx307W1MFAVZvdWLuUO886NV0pKfsPnDNVWNK1tsujN1Y5PRbJP3PUa/utTC1aCA7cQGL9Enu9/q252OB7YEqS8BXUMFQrKL4x3Atr2om8uf1gTgzBM4aLXN+c=,iv:LAWUu09guUq0QWY7yi/LB75tVuJRwl4DCXK9X/mlBRk=,tag:A//45Ms1Dx8fQ3JzOfoaWg==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/Mic92-wiki-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:JF/vFN9c1mUt11NAF05GmbU=,iv:v9++RDL6/iJ9+l5a0lZa6/Q8/YwjDQQcaRqoIu/rDqY=,tag:aWZGnleR8KsWquOu8NXWsA==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZYlhNM0dXdU0zRm1LUGVF\\nazlUNWlIL0V0OGZVbSs4OTBsNGtoNTdSZGtjCk5zS1Z4L1FsL3A3QUtkak5GaURS\\nNUJMWnFieXhLcWZjdTJpdmg2Y1YxaHcKLS0tIEtiT05wbDVNWXRGaG44VVRKTWVz\\nTkQvVmp5MUd6OWp3d1RhcVJVOGVYb0kKe0JunA19oPyTWjh3f+hCjdbukZZexkkC\\nH9hAQ0ZANglvgpzddqZ0Zk62Dlg4eiWUV71LOAnG8sxYlxkNmfwoJg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2Z2JpSTFzKzFTU2lsSjQw\\nbUZ2dWI3QnlYOHgvcWtEekYrcURiSEt2Wm1VCks3UTZ5dlRXNm9mZmozT1M4dXY3\\nODVhc3lkUktaNThTTFVZRTRjaWVsR3MKLS0tIHVqTGFKNHlrOVlyU2xKbDErbVl5\\nYmhLenREOGdJcFVTdi9sRnBrb2dZMTgKTi+dLUexJLeIP3mjv9IcWRLjJgMdo/ZS\\n1b1tOqeT1kwB562jmkJ91MgRebQvOTr1tUqF72B9tUoiksyK3UgLNw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2bHd3NUhhS05aTGZpZ3Bx\\nMTd6S2JERWlsalhrcFczSWFqZEhrY0FOcEdjCmQveGhwUDh1R21jQzFJcnNISXdL\\nTlJKMWRMaFpDU21pRHhtTU16b3lwQncKLS0tIHZoZ2FIOFFkOW9VWXFVZk1zQVR6\\nME01V2VkUm9YVk9pWHJGdFFtL0pnaTgKSLX4TjbjDs2uIRziomy8tH4sLhDleeWm\\nLI8deM0wDWmq/oJDPHr4a35Ho5qt9Kvm9e6l9zosyockoSlANkRn7g==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-04-05T23:02:43Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:TOcCqULV7Fpd2x5tnaFR1ooKWLFPWWdogf8EYeWfJSc1CFcNKHNwZf9TdDKo3oVmWEUqhf6alOxBI3Xx2gcbStV89BkIbmv3FnYPgn3TlmkD1bCeJ4ACx+eYYUVFN02DZZSmZ8TTrl5pvqFzxyUNgfLizJDttNZ3wQiTSgDO/OA=,iv:ypUbsY32/IQhPpuBZhmDbw/ji9WcByGN5meuKmb98ac=,tag:+/ezgSOWXnu2RDMXbMOI2g==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/Nebucatnetzer-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:+AibStUNqlK15znxZ3+wCK8p2paf4Vm8K2NOqA==,iv:4grF9oXAfvUxUUoKzs3dFHgnk4P1mYqX3RNzSRHNmxs=,tag:pd6G1ocabxwUgGTdABHExQ==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmb3RtTTlUV2FZWnlUKzQv\\nUTVPdnZPYjBwK0FHYm95cjBLeGd0UUZobVc4Cm1qNWc2MVdKMUhJakpIbzdJcEtS\\nU2xFUmFnSUlwSXJUaWxCZGZ2dUN2cXMKLS0tIDdrbytXaFRhUWp4VkZodUgyRm9L\\nVHJ2djZWTVFtcHNKa3NleWowZE9MbmcKotJzRU02eep6AmhHmynqYqbjJj6kDZU4\\n1G/jp6r/y2mFFyO3JjPcWhzEdjhiUn959RSQPQWvCnPMXqP6vCdlLw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaU0RVN0RydWF5UDNYTFJy\\nUHB2RXVKZUlBU3A0WlpDcGQyRG0rMmYrZ2hBCk1xeEw5MmxESVhxZFNSMjRsR0JX\\nVlJHS0lkRlBIdGJBM2NrUEU0NjhFbGsKLS0tIExYNlVmMXcvTkVLYnNlRjdTUUhu\\nakhBd1ZDWXVpSFBSUFJXK2ZOeVFXbWMKkvtfrZb+HeuaysRJtViS9Rsh4hrdYARv\\nHH8xe1QJ6N9V5f92v3K1VOvUHi3dV6q8QC/hWWsIVzwK1XzKDKxmrg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAreUJZWE1yOWxPN2plNWsw\\nVXYwYzNWSXhOcE9KWnhCOXlnbjU1K0NEWVZjCktqcUNQdkx1cjl3cndKeWV3UlU5\\ndFJNRXFMeFJZSGpBL0xza0IxZjc0VjQKLS0tIDhJZWRyMFcwemNaeEY3NjBOdFk5\\nWldRUlVCcy9TQnd5NU1pL2ZONW13bzAKoWgEKqexTLE8sx92qajrmLFyvmrcRs7R\\nbXvwzMchw5ijc7x4B+tXbs98ooPjhQiU4X3F5TU1Preg7O5gdTvdvA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:15Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:MutcAk/0+yZW1xqBFRPRFgxIJRLZq74WQejccmADhj3B16qKSvbYtMoRhHEeBFW6/8XdG+DWGXaHglyjWtyTWcWaTaEMBDkEiF0aQ5m6EiVocsUUxTacVwBfDzqRBK7Hj2bjPQ6MJqEg51m4OqQ4ENiRd5txcDip3TrrZsnHhEk=,iv:4AFRY+3PfNsDqNgWitLNGdk+ApICZqj1WunbImbbByw=,tag:6tOYpHXjx2rNRu36GWgTfg==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/a-kenji-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:5k202eaaTleSbcK4+COHEsaICQGoNXb4,iv:nsMrI/YhjJkvP9NtHEm3bgZiZVRxmCiHo9WncdrKPa8=,tag:RLkMixG7JcLF/Wgjj4+N8g==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBMmxlRFhEV0dBK2VrRng3\\nbHFSZ1duajZPa3pEaTNReTFQYmVLZXZsTlZFCnY2aFpNdzVaSFFqV08vZVNKQ092\\nRlRWWmJMVEZZYXIzNkdURFFFMVFYdVkKLS0tIG1iUUg4YW1aVEQvd01Gckw2TG53\\nYUUwTkRHa1V2aExIdzcrckRucEVCcWsKpeLfSDvPzfvoWI+NUYnYgwebISzKTXgU\\n4046ER4XCfbTHaB2tnP4xHuVlCS95wP4IsYanyyP8BcPSnrbXwQQuQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPc29UVGxSaU1KUTFSRGY1\\nNjJOMzJBMFcrVHJ5QWdtaERUTmlnR2VkSWhNCjJXem9KTUJtV3VjdXZRc2dUU3Qy\\nczNIZlBYRFA0bFJXK0Vobi96WVEyUzAKLS0tIGlaZDBlZ0NNaXBJdHVrTktCT241\\nSjdZamE2ejFNaWlPMFpKRmlPVVpFY3MKlH3c3qw4xOSNS+CiCezUkKEgB19zVo3G\\nzVuZSm0eFzeuBxOCquqJqBQchgegoKdeNFs+75Z3otbZr7iIjch5KA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAveEZXYmFWNm50ZGoyc1hM\\nbUd5TllwT2lwVHlsVlJDcU1YMDJRNGtMWGxjCkRuanJHNTZJN1dCWkNsRDVrdmkz\\nRWxzUEhmTDNXMWxRa3VpaVJ3RHR2N00KLS0tIERId21QUSt6RHlnTEtSTERqclF4\\nWW9mUi91ZjFVSXlveFZRamUwT0lRMmMK1ikxhLbVSFji2LNspHPlWKDjbbhQArSE\\nf9O7sWh8BD2v/gGokpAh9XczDMvOGteYOHb5plAZ5AFZHYa1xfv5eQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:16Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:4nGSwf0fv2sdne/F5XW7Nv8PAR/9/uHfFaik6y/2MgyCThR9+md/s05JTkoX7NjKwFZa4ylNetBfCDHe7c6PD+cwpLYtQIKtXZjrrz3ejM5KhzSCk2ldszXZZT4RN0OL1f+hhuclWcy6CDsN46vGtwwQtI9ywSp2m11F1sBXbmc=,iv:eZE1Y1xlwhaK3ECSen6eXtN42A4y6frxGA0oWOeJoG8=,tag:SQ39eKn1RdN/OqtQUL8VdQ==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/aleksana-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:Cln9T5ynj5zXOicAoj1n,iv:zlC/JWbVGyq1VXN+RA4RVGD6lHyjJk5QZY6q+72WwhE=,tag:0VA365nlsqS7oMR95CuR2Q==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2UUNtd1VRZU1aYUhoVkxl\\nRmZzbjNrekZHYnllV1VqVVU5cDdxclo3UGtJCk0zTHNlWFpWeDhvMTZLL2JSUTVK\\nampEV3Q0OHZkbmNUYjd4eWYwNkkrMW8KLS0tIDh1YU92OEkrZ0d4Zm5tVnR1NVR3\\nT25TeitPSjlsT2N1VG8vSWVoMldTZ1UKq36ucMw2dWTPFtWXzqbzoTru3QQqpX3/\\ngwcQVykoyZ0vB1A69Bsd6l35CEHM3VPQogoORsk4oA0Vfu+7ECp4JA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnMWpBKzFBNkhvejllVnFJ\\nQncvVS95VTZDeThzL2ZLWXUrYnBDVVNvZWhvClhkalJQcXQ4a1JSeENmYWJTY1Zm\\nK2JPamNuZXVTQ3FNK29TVzVIaDd1RG8KLS0tIGZOelE1SlFDVTNnUDQreU5mcXNI\\nUW9zMnZ4L0NVZVhmMXVEKzA5UTF5UUEKAcOKdOYYGuWMDqFWsAAWjTyM3Is7gMd4\\nyvvGZUOChbhv5bim5W+Pj0bRFiq925OpfuBQOGtU9L7YTZCPjHl7yw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAycnphT3lIYkkwSUE5a29z\\nclJPL3VSRWlKdDhDRWtZeEdoK3pseUNsd0M0CnBFMkVUSm9JQ3BQUmtqamlJTjZK\\nUktncXlnRHhBUk9NY0Nlb0JNLy9iY3cKLS0tICtDQkY3SU9mYWdRcURWRnpqUjY4\\ncmJvQTA1cklnRnhFYTBkLzR3YXIyNXMKU316One60SXFG2qmSZNhByPwXKmoeA82\\nFUdJIfReLcBWM4/4rC3KLGfh+CrVnT2uNUWBC+suosaF4oKs+yQzww==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-07-21T15:21:46Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:hU4wMBofItjQ+VlkmP/Ud75k2Hy4TWg8irwm0fhy5vyymHS/vDpe4Zu9IIaGFdsNgxpThmlQvwW4iQk5QVjYS/ATBznuB0QXsFNBdr3mf16pT1P164uGyR++xOWg8reKTQKz1Nyxrw34JMxnKyM0nPkCtboAFITKtTlDH2C6DUU=,iv:iEwffVlvqJtax71otGbMQBsDUpyO69QewT2zzFF8hAE=,tag:okHYyouWtbi0dRnb/1Njqg==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/andir-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:jfoMFBsk/LrrFBuOTWWJf8HnUQ==,iv:EjLtt6TnZNBWk3bNFBegZy7tERMF1iSp4Uyx9P/TK8I=,tag:3iPZHTzExMO14Ez6G5C+sA==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxaGtURXcyVGRYT3lGb0g0\\nZ3NSZHo1d2RZSWU3OEFQUWNHZ3hyRksyWmxFCnRQb3VWajY2ajBmcFlJaFp0ZGJW\\nK1ZGOWVRUmFhbmkxVUhXWmZiVUZ4bzQKLS0tIDJZajdIWDBpNUFmMWlZTEdjSWYy\\nK2ZWVy9CTXNvZVo3cXMrRVp3K0tTcmsKjuJ4jmR8wesvPnmigcF6F1oLDQzxV51T\\nDRGwFVgFbrlNuHCnG0KeB4vQkGdbRV7kleeGjhbj4DOzZSuKrCOqLQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxeEVHaVhOZWIwd3FFNmVk\\nUkc5bitBbGZESHkzaGpOZlBkQkxDODZtQjJNCmRrMHJWQkYyVy9SaExXUk1aRWVl\\nb0NjUDcwbmh0UlNITVRmUUt1OFNKTk0KLS0tIGFTMzcxZUZjYVBtMFAzVGV4aERF\\nL1ZhMEh3bUsxTlpQQkd4VVpkSjVsaEkKHaBO79rCdaFPvTuOyrzhGIMsSmVZ8HEY\\nUNIx2ZnH0Msxwq49DYaXwYHa1eJsrujVe7SZz8xRSx94mxKjLvd2RA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2QTJ5YlFiRjg2SkR6cis2\\nYVZZS0IyRTNTVXprRlFqOTVKV0lycmp3aFdJCjdnaE51dlU0SkxJQ3hXTUtlVzNK\\nRGExcFIrM21lVFY4RmVZcGFOVzNHUU0KLS0tIC9md2ZVaVBETk5PNjhVN2h2cWZN\\nWFV0QXIwTjk2V1VVUGc5QWxmaHFxRVkKCYHAKhJgvVP3xYeXMZ5qpKn78OkRlSx5\\ny703es/fJtRkV+U2TZUM/33gKlgJd9vfZRPC5NsSCFry7Q0BwctQUQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:15Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:wneBlpjjTzeUQwK6YdWx1+b9OcGB3d38p0Dh2SUzeFOX6oYBCHkiPr85maMmR+WlKGP/YS8aXavUgodXPMsDkQuOejiwt91fU808LRcW3E3wKVJJwaSlMfyfrDIThVJvpSCLo/KX7GUWF14ycYr0cQTseeQfeFDAdJmwRrID6Yo=,iv:cXMaAXygnDUcXnhel0WrZHTHLygCt34M9vK8a/zKqw0=,tag:iYFrtIgPGkcMW9fTpwZm4Q==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/avocadoom-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:6ubFaZHxHfwFu9GSTwWdtetcoc47hIcQ2w==,iv:Muih5HPkX59lMJnyH72CyaAerSMdgt7yqpkrnh6wtDg=,tag:01df0hT6KJphUJb17RNBOw==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPR1NpTXc3c3RhcFJFd3Y4\\nZXlIcmdIdWVlVGpxaWU0YUs4YzY4VUR6ajBnCitMTTZuUW9PTkxIWnpSeWhmTEFO\\nYS9LZFNxYi9vQjFYWnVoNGFMRkFhYU0KLS0tIHpHUFA3NDY4VHRqdlRDMjlGbHFr\\nSnBWVmdRbmNzN0NRVUFISWJrVS9WdUUKMKsLI/r8NL66jtDphJNWZV95uGuekO1W\\nMbS3yOl9BZRBRIQzObZepgWUwlb2xEA076IaPvdqcKgPBTox+fOc0A==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzL0RKeHZVMHNhNkRibEpZ\\nS0dSRzdXZ3NnSGRDSysydTdtUlJ5clU4R1JRClQ0Yml0VVFIRWlncmhsWFNjTGF5\\nM3ZJeFlIaXFpSzJVdVVCNXcxVTc4SUEKLS0tIGtSYkNmV0szZFZTeTV5RmRwQUNy\\naE5Qdm5tR3VnRzhJTXU3dGZKNTFmdlkKyMRASS6nKZ/b3ZhXh7dUwCoRrK0eaCvw\\nUBGP4HP+zaXnHxvQAFNFZ/M5Du4koTdxaqATpe++EMoT5PHLorR1oQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoZkF6WWVnSlAyemNqaEZT\\nL1J6ZE51ay9HMEsxZWxIUVBjd1dydnY5NURNCitZRXJ3N3QrNmFjRWdtdWNpNmsx\\nSGJ2T3dYQXBiMlNYbEZhZ0s0aTZYN0EKLS0tIENyeU90cFMvM2c3N0Q2anRndEZZ\\nWVZ0dXI2SDRTNzRzSDhrbFVlczIzcncKr+MLrlba26U53Mll2kz51FxrXH0Q9JCb\\n7P5ZKIHJCJCqzAnngrkf/a6YPHH1IygQ7YvzG0OF4iMR/xiV+K+j1Q==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-04-05T14:28:22Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:TsqI4NHTO2oFSMDaXU3iduQCvaM4O2QBDhkyC9QwdyCU1zM8rT5Eljh2unm7Av4lZBR1QzxkdWQepYtoVc3QGPQ8mEp53sBdV5yd8GhSRlECcSQSKVkvknW797mc8s6xXpE8OnCOSQkKfiq7bTVNiDdmKxVkkpa9a+48Tb1TXts=,iv:h10XPeT5av862+BJrZRJhHZ+3Dfs+JhQtotL7AytPAY=,tag:SDxNk2HT2I6qT6AFu5L4Pw==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/backup-secret.caliban",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:X4VUnWfPTrCzfc16/+korcEI0sExkevl6vqHXm8E+WwbmIRJu4gITwM2278swsp/wzq5zrRHNewzZpFtXp85HCY=,iv:S4KPDjH5SW4hh5X9NVjrz9Dvd/Fpnd/b8pLlDYiHzzI=,tag:Ls1aJtXfP8wW4w8F/DGsOQ==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBycEh4OTM4d0J5N0pyOTA4\\neDliTjFYL1lzNUc2M0NBRDVIcnFKNEJla1RZCmg4M2lKWnArWGNjNzk5cFBHV1h3\\naTNNWHhMbXFtNWNzRXhRM0Q1YzlSOTQKLS0tIE8walJxY2k3TW9oRVVZbEZPS0V3\\nTWo2Q3RVV0N2VGVjQUxNTUpsQi9qVUEKfAgRqP2RBWDB42Ut/At9bRfhBmMYsUXR\\nsYtyP1waOU65FKNmL6Im24OWYa9tLi39V5fTadi3e5MV3OmE6WRYWQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlZWJ3M0thdzFYUTMvcWc5\\nL1hUenMrdHU2RVRLcS9KU3V5SHlJSlZub0hvCjZ2b2E0N0xLOXdUbElQa2huM21v\\nNG5DblZJeXpadExtUjBpRWV1eHV1N1kKLS0tIGdjRTBLSk95NlNpVElFVmVRQnpQ\\nbzhmREgwK3ZHN2JwVWZJbjBqSklMRUEKIozBlvYMxb4v3DnUARAL9UBvr/Mbhgq2\\nzYkont0oNowlns4pHeC2/rN6ES/oK4PyXmdrEMwcLSo5Y9KNuBWE0g==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1qlwzeg37fwwn2l6fm3quvkn787nn0m89xrjtrhgf9uedtfv2kqlqnec976\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1MVFsbnB3eURLWk9yWnBJ\\nWUtlOVlBUzFIMjBMUXNIZWRQeDQvNFVJSVRjCjhvU1R5TnNUWFJwRkxsYXZBRlRP\\nL2pXTjc4QUxMVzNQaVhRRVNPbUw1MzAKLS0tIEY2dTloc3Q5dTFDUXI2UGtDNjBv\\nNEhDTXpVaDZwNXJKMmVGN3ZGbmlYKzgK268c0T2MNlrU1r/dwdwr9Per+VLWxb+m\\n6VL/etWMx4jL4JfYbi6Bk35PwGM/WfdZErnUvIQv+56qGZ9eMIETXg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": 
\"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1YlQwWmU3SDFVM0ZBZzBK\\nNkFraVkvOG9lNHF5QjNqYzRXWGQ4ai92eFYwCnhBNlhUc2Z0TTdsUmlYWmFSTzFM\\nODJ4QUZPbnhmODN5c2JMT2hPUWFnZ28KLS0tIFZKbVRPUHdJL3hqKzlwRGptR2M4\\nTjE1b21xWFVFR3J1azdtUjlXTDVLbjAKfc2/NhPiecmp3wRoFOE8iIAihNvOdQ++\\n4m0HLOlTU6b5N0myCutbj1Uug7cVY6L6Vivxe7Zp25W0v1z0m5didQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2024-01-29T15:17:00Z\",\n\t\t\"mac\": \"ENC[AES256_GCM,data:i/EHL4LBLixq3dhsIIdO0yMMBY19v7/4ttLd+cfB1ZIAyvsfbUepFNW6yPzv0bC3OLEVVIePXXqc2m6lqsItYUJ/Z9kiH8+fg38rpQz5kp5RukWDNP3+ql2xbt1/yU/geyPTxI08+2KTJprbyXRfvUBER8ukP/hLmsBrR/53dbY=,iv:zSW+bj7WeYlh+0cTkZSBg4JF9olY7RcyxqF23LOb1tc=,tag:Xu0jR8QDvrM/S0b0d/R+aw==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.8.1\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/backup-secret.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:ceXkGoUn9mid9uVMyxnNonGfkqodqPQ6iPShWT1qjwqq47sXpE5GP6UurneL1blzo1MooaeAOsI9zsxFDyXLfU0=,iv:QXPiFRM/MNcAD+i7mIRjZ7Zqym7aoO/2ZNzbSdayPj8=,tag:JBnSAvFJOG2kBzEw2Arjvg==,type:str]\",\n\t\"sops\": {\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzd1poSURwWFFUcWlqZEdz\\nTSttUjFzZHRJemJHZys4cWpES0IxL0lhQkJrCmpvYXl2UGhwbnorbDJ0UktJYnh0\\nSWdvYnNRQTVSRElMcVpReXdpZEVWTWMKLS0tIG9tQWtBODhUWVBFc1VzTmJ2dml2\\nOCs3QXNJQngyODVORGVUelBPeHJHbXMKqPYMtVEfxGupyajiFv+yTDLL5r5O/gx/\\n/631GB9yCv6idwRcoUAV99dj0Gsr1IQwbBJTWb6d2o/ik0JkkeNJfw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoY1JvTkZEZlp4a3Fwcnph\\nU1hrUXpPd0FRQmtwN3VMdldYUmh6SmtzMlc4Cjc4ZU14WVJaYVFabVhhR05DVHov\\nMEVmV245RlM5ODFMQUJoQXNrd0VrZDQKLS0tIEdCTlh6SVNyUWhQbytKenROMVRp\\nUjZteHF3Nlg2T0gyZTY2VU5GR0pSbXMK5uUemFhCQNv6YmcWVC0CZ+WDWWDkKuYd\\nTDHuT3ltMEn376yKTnHxqoi1fMh1rM/nSVtYiPqDdKJSiuH/HoBd+w==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMUTdUZ09jenBJUHprb3ZB\\ndThWY2NtZDZTTzdRd21Hd3ZVY3JxdGY1WlhnCnlSWVFUSk4wQVhRUHQ1QmhxV1F0\\nanpXS2crWG5UVGtRcXJsWkZhV2E0RlUKLS0tIHNzTWRnS2VyUERGY0pmZ2FDdGZL\\nbkRWc2lKV2NRMHlYM0tISEcvY0VWeTQKR7m9WyBPE+9mgBGMItrbbH9ii2Y9zAI2\\njJ52i2UvTbDxg64rXOc5nkYgM9rIiResRW/xK/uZHbLY7nFiOdZTTw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE 
ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkVkN0YXRySHhOTmpTTHdV\\nMm8zRzFDYXVRLy9qZlR4Y1NlZ3NHOHprL3ljCm1lbEFNdkxKODBKUEkrSFN1STdG\\naTVGNTdFc0ZzSUg2MkFmYVNnYVJKdHMKLS0tIDRES1BuYkFJNWJuQ1p0UjFoTkY0\\nSXU5dTlYbEtYOVdhMmFGL0tJTVR2OU0K59/Y4gYtO8k0W9tHG7N3bJE/xFEszfER\\nDSyE1qkLxNDsVpzuBEbS3SDqBS1sPMLSXoi0DMv+SCtDJXWemEzhJA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYbEJuTURFRllSLytQZVly\\nZE1lUEdPMVd3cFhKbEowcEVwSjdkbkFKWUEwCmVmM0dXTE5adkZWLzRNUmFOWnRv\\nZ1lSSHRaMExQYVhydXBZSW1DYVlKZEEKLS0tIE56dEloWk5WQ05vVVZQTUIvYUxi\\nR25Wa2l6ZjFaUW5aN2R1YmY0N05zd0EK+ogRcMHGDI5I13c/DkeHOVmG2w1dFIrm\\nDPjHWLAaK45VLdD1qCyXKze3zm3pYdMcox0ss9tIwiZY+eqg0zlPHQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-09-22T21:03:07Z\",\n\t\t\"mac\": \"ENC[AES256_GCM,data:PrInJ5kvru2aeoSxipXjRdOppUNe+SFVNaDlAnSlyxHrKWDIztMs5S68AL1sAI9Sx/UMlIvcn8AUPCiMRIPrSQODAkr3OsUOz9poGMJiH4lVg0e+S+UgpH2+WLtE+F6xnCAI2i0Oc1ug67/JlHpKaKTYwalUFpIIekdtFoiOavo=,iv:cWh0NBE49n9RtXcMqlIUXFEeI8mAksNKpXpDxub4DlA=,tag:LBqRYbpoWTo1Uc6ekeCpNQ==,type:str]\",\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.10.2\"\n\t}\n}\n"
  },
  {
    "path": "non-critical-infra/secrets/bryanhonof-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:oUF4X6GHD5SJJvxc6BIUIK4yAGc=,iv:m3FFgV0mhIvh+J4KaiZ0Mlr3T1DZqV41bz+6Uq7jzgQ=,tag:l5gjpNOe5O3Qmov2wX5VQQ==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpKzRYM3ZVMU5PbW13dmFj\\nSHMrV1MvZzVKd1RsOUxqQlYrcjl4N0JUUlZvCi83WnRvVWZHdjNlWFVUU0pmRmw0\\nNkZ1RytUN0g1Y216WnRHZFQ3QmpXQU0KLS0tIGVFZ0hzR0I3MHVqNnIzL0hLTDN0\\nQUllQUJRYW1KVlVsQmlDVnF1bFMrYlEKydk1t2eMK7/CjFSYOvq1Hy3kB7J4HfZ4\\nGLw71kh3fjeFQQJtL0Ozy8haLfrYrRo7tqZxz+475fbyfLQoHBLQgg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzdUJlRTFNNEJhV204dEVU\\nNitwWVowZG1aSE1aTy8xSXpXQjNtVVJ1aDJRCkVhZFJNWUZMRUZtS2hmV2h3UHlK\\nMm5sSFptWGIveEpMN1VuYVFtb1BXNmcKLS0tIGNBN3ZTTUVmQWIzTDF6M1IxTjdl\\nRzc3TnErdXZ5aFUyczZyTURWL2xyWjAKdUV8zkD4BiO57G3DJ/K98YUprtl+FZRi\\nD2la8idltKl7K5zWbCQ5ywqJiI4dDNY/Q9XmPjoM5Ej0RMWo+n2XlA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZU2dPbm1PVENuOW51WEo3\\nTTBXRTBhMllSeTBxYVVBR1Z5YW9PM2dEclZZCjlKZEFXV2o3dHN4S0w0bmVKWDMv\\nS3dobzd3a3ovM2RCOHRNZlJwaXEvK1EKLS0tIHg1Smoxdm5DUDRWR0RLTFV6T1ly\\nUEhMbmh2ZjhUOExjNFJ1UG9PVkRvS1EKWYIumny7HOXcr63byGgiMZXsLrMhtBpQ\\nHi/n//KeejwIQVUxDfOTENmEZN+ShwQ8rzFTIYB4145m/+PcA74mMQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:30Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:bdGxTwvyMeUmomVjvPwqZdIiBFJXq0XcC6RzlhLsK5qv2EhGel6T97zDt/At6uNJwB5YScymxZuu4vpNVGdXFCAarxeDZ0+2WitMZLnSrj5Aqfx6refj6j+AgsvcAO3DuP1T7wdtvtBO0bCvorYAmBE8CsUpjxPgin2X+bFt3rc=,iv:1yZg8d0yMVPoZNlQY6W7F0pGI4j9WsUpfrFimPCOPnU=,tag:zH6AZJIlNoQxxvAIYoFO/g==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/das-g-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:NXChftwP/orYMVTkcb6QwVec4AYi0U3lFM9L2tvSfCo9MzY=,iv:XtVrvSW2cs+yGraNNjWHrUXhixa/tzGij19E7jiHiM4=,tag:sAszvSOVCVbE3CIpCNZJrQ==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmendNMVo2dkpOSGY2cHNx\\nWUxzTHptZmExT0krVU1NUFZLRFlUMU5pZEJJCktxZmVuSytQby9OMlE1U2I2dko5\\nOUVQY0E4cUdXNWE1Tm9wSElPZkF2MFkKLS0tIGRGOEg0S0cxeFdXcDh1NWxGRkt3\\nUEF2VFlmaVlaMHVrVDVmY3NUTnY5VE0KE7tc0n0RNuTkCVIKcz5usIEY57z5Or7n\\ndcrA6n7F2s2rvVEU38Gij7PNThL7QQ02TLDp7h8oV2XZHgSPTgxeJQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYT2pEaWlMMjA4eWswVk5u\\nNG9qdFFuMEx4YThWeFdIc0krazVNSnhJQmlJCnlnMGFsUmtPdThiYVZYMU8wdnVy\\nY2hPd3ZMSlZML0M3Nm0vRlBGTkMrZGcKLS0tIGF3ZzFPSzlEcWdReXY1a1ZKclk1\\nRlVIeWtNNEU1UVA0MHU5ckU3THl2YTQKUIZLZ4jmBmJkGbN1hJCzmrNiC0RjrsNE\\nqhOTzMKiYo3gFm3DZ4NyQteNFLNo8UOjsPH70Ig4dcTqD+UheAwEMw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTlpzMlBGb1BOZEJlcVNl\\nRXluN2wrYU1CWjFHeDBzdkxrWnhibGs0b1J3CmMzeXVxUnlMVXhjRkxSNzVpZVV0\\na0NBMjZjMjBNcUorS3pSNWRpNHhjdjgKLS0tIEFrMlhMVzg3SDNhUkNCakRWUjlS\\ncmptVjAyVDFTbnBVUkFMdXIwbFhiUFkKlwPN/fIioTNdruLy4qk4tBLH9GepPodd\\nKLvCkjVdTy/dAk5vi4f0dg2rlqiVXSvwHp9qyTaekfrhs/gbP2cXlQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:12Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:GSuOKKl0u8eujxA0UKQI5M70Eo1KBmI2KyHM2g8OQXsUWqVStjekUn4DKoyTi25Z57Dp+bsxVnhK+s4Em2dZy9U0uPxisbUU94bV5wt3AYXP/UnqWb6of7EVBoSCsdc159qpmp2oPVTWCASbAUlUWF6GBCY9KAKvm/uVa4e0MW4=,iv:AjYMAlKF5vy8t/YizA26f0IvSXvsv5K8VtVwmUHH6GU=,tag:dZ25LTnpEa8AoXLiDeVEsA==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/djacu-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:eAxQaE4Z0GGJgvsSdg==,iv:0eUNb7In+x7/YSocUInNBaYcYrI7xWtDAfIyT7/COzQ=,tag:e2L1pkeyViEHH8CnwQM3og==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlY0NRenBUWFJ0ZFBMbTB4\\nQ3l2NEo1ZHJXeWRFbnNlSDhvZ1ZrazI1ZlFvCjJLUEREaGJmQS9hQWhkVFdCZmNx\\nb3JmTElFcnEvbnNiaEdMU0VoUHMyM1UKLS0tIG5OdlFCVFd0KyswT2Jna2ZzcHFR\\nNUZ0Qnk0TWhhUkMxeWZiRUZCZmNnMWsKaSyDpJ4SiKd+do/KAksA31n4IihjcL6r\\nhnZ6LLwkIirFSDvgxnM998tWWpGYrRCaGry+ZpWTkmfwf/j+NynSOQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzeFh0UTlNTGRUU0lHU1pM\\ndVR5SzU2V1JmK2NaR01lQ285NStHNW51Rmx3CmdCYis1WmZxTEhwR05nMWRTR2pV\\nODVCbk9lWGpTVi9FbG14blNhdG5NQmcKLS0tIEhNZUR5bmFXcHNDditLMFJDaEFy\\nU1dQU3Z3NHkwZ0U4WDZUbE5IY2JxUVUKC5x+Kra9bzOjX9m2m4zP9xD+gBAHbntk\\nuUj7BiAhE1syvMAZo0w15smwrMwAL3n+1yUb1cUOseAtPnmHmyxbow==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2cFlFbjJUV3UvWS80TzZr\\nUzl5Q0dwWnU3Z1Y0NlNmWGdkeDhJeTlZeWdRClFRSG45OXdJQ2E2bHFnczZhbC9R\\nYkJ1cVZCSnNCRmJ4VmZSYnAxWlJ0T00KLS0tIGUzREQ2dGFMODBHNnFkNE1oWUtj\\nc2xBaEFFWmkyMjJxd3VnVHRxNUFtNE0Kx1oOwbdd0vkH/KSWu1cNFED1BDWceZbx\\n0j3ZIltZ0e+JzEvz2ofJwASZJBBROWFYGWk+C8KGD5CtUHOOr2UKKQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-04-05T14:28:23Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:ljYU1gtZDtOdWQLP3aaKCWjK0fx9wT7pTv2sPUvJt7ZQG39bz5cE+Ij+pe8AWt1h/vTZv2gTyowuSIxMHeuZ/u8Ws5JkGTHASui1+VgSF/ptn/KgQLWZqtd+1n5C61jTthooUTdPSAk3gVt/8o4K5lx8CEqPr6W0lvZdqtp0jos=,iv:+G1OsRWIiDtvuREDtG0+W5cPa/yLuWMu7fjTUpiVAUY=,tag:2MdJVCiqG5TkMJH4ed3Nmw==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/edef1c-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:olK8g+ZfUzQioDE2,iv:ar2uCtJq8TsHG5wwtav1bqeFdOpsnPTOvPQ8Gmxso5c=,tag:qqNpfWcM799dDM2wIKEosQ==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWSXg1MlNzLzBTK1NxcGZF\\nY2pSTWoxVHZlcVRyUm9FTGtwUWNjeFFMeFRBCjBQcnFpRjk2OGE1b0pzL1VoS1M1\\nTmVENlRXMnhCK0VERDBQQVpnQlVqNWsKLS0tIDBKSlpSek1YdlI1K3JBeGFHUmMw\\nbmNHcm9LRE5IT1lOODk1TDliTUxtMEUKQ7joZh+ltgsWfpfzMgpOHm9CcVcKxj7f\\naHZbpwEPd6qCQ+9Z+FFdr9wenHTFJ5D1tXrIoJTo2qzk+VfaQYKUUw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1RXJnSGtiRjhRcFNLS05R\\nSFJTUUs4enlaNldTVlY1SGlOSmkrVnVBUFVjCmxkWWIvTk5HRkw5aXZaTzBxOHJp\\na2p1bktDUUlSbUsvT0dqN3V4RU1qa1EKLS0tIDhlaXZWcTlrNWUzeGRNMHBUeXhu\\nS2FSZGZ6UC9oZDgvV2xyYUlPSklOdEkKZtXolHiy8mMpiXN3fYVGf8LePUPCpZvZ\\nbT+FG79LvD41bsz9SrH+o/FmmMOjwcAbZxdw4e1h6ftbxPCmNrrNtA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3RG9vdHJqUW1jdk9SdDFP\\ndHBDZ0dwTVB0ZGFxb0c2bU9GZUJLL0M4TmhJCk1sNWVsSnc1RFRSeXhzOHZ1ZVpa\\naTY3cUlWNGhWRHUxOHhZMUVoaC9tY3cKLS0tIElad3k3Rks5YWRTdllVQTJDaFJH\\nWHFZSGtjV2lDNHY2QWVwcnJGMFhuWFkKC5dcccogfUd1oY/iafRzGdSS5PpKdzZV\\nBwOBN89fshSPGEU29AySd+qXOC0WXZ/iY3tpH86M69sDrrUYOrGInw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:53:59Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:bOfnrINsRSacHJe2sdGge4JseZIkKoBr4uDbYMo+gRpXUPsEXr8G4ilYN8PTV21nBhl64w1hdwlcCTz3Ret0ZS73HVlDq7dzMqRftdePam5QJxrL9kn9tqIezvhiNoulzcPQ5LFta6RbcCY405IiIfDNNv8XFy4yLnq+fJpnCSM=,iv:xqAzo7L50+8XMTVoT5r9Lu3A9tfjQ1/hoB5Qv2FGXwU=,tag:NdHPOykcvNGvSSwGCwJoCA==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/edolstra-admin-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:BfqImaH+VSFNxZ6VEe+ZDiTYcB/WKTD3,iv:dQB5Wh8KB/txZjQGkE+8JaN/DXk3XX05VIBYwd/kXys=,tag:EFfGz1JiiA6AN8kku7m1iA==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5Q3FaMjhvNWdFcHhaQWlS\\nMng2TngwSjZOTm50QWJEZVZqV21WRUR6VmhZCitPVWgrVURwZ1hLMm5QVGtjbzZ0\\nSWM4eDJDemx1Q3BKajZEMnN2UkZraU0KLS0tIGQwOUxxTFIyTHVZNzlLSlRZblJF\\nYlFVSWt0S3RabkdHYVMxNFM2VjRGaFEK/ITaVlCVUVLeNooHFvmdffVlVn5Mm2Vc\\n6gH90kMH2XRPaojpMN0hHOLSYgD0HYqyOTAlhmqaVE8/OltAlORD9A==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzcTZJeDB4aXB2WHZOQmQ0\\neU1oblpDVUFIK2ZLN1ZvTXloMUcySVhhZUFFCngrekw4T0dtTnlRczN5eG1vWmkr\\nSVA2QWk5WDUwaVRLekkxVFhEZHUyTTgKLS0tIExUaVZqY0hBZ1o0Z3ZYQk9PQk9u\\neWZYamNXVWFFYmxsZDNDKzRqSmt0QlUKzRivObwIkjf5TgZ3sbX6btEVVSP0g+rN\\nRPP/Jmt4GC89YhSEzfDstod+m4wfeDJTiu1Oj401f77suDisZEazoA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwdHJNL3hHNElaUSsvamVn\\nVitQclZsNzRLY2RsYWtoS0krVHo0R1dleFJ3CjVIaFZWVEYveDU3cUhyNEt1Rk14\\ndmxRV3U1WUR4Rzh5NUNQakRMaVpJVVkKLS0tIGxlSm9HWU5DT2VGK0FzcmVwd2h1\\nQTFZckN1Yng5Q3hIbkU1RUlnQ1NJWUEKS2a2qdZQ550diz9f3TuHjxhf57wkuWJ7\\naSJ0nq8wfuubmYoZmdhf/YcuLdEnz/XYO33tPqyLef9yn+vJpU/Tbg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:33Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:z91Y3V3j3cGwssk+VBW7gCCUfZ6p93ef1TFTaDtch7uCgtOXXmMcD9UxF0NNT94hCih46kWtbwYvPU/7LgDKbjmV2C+ILHrD7z7RHRU3qteoybIR2Uk+ORtaec1vfjt9Qeqf/PKBckx3/uXvufKP5cpMaIrsLKNROTHvLgaXjcE=,iv:ML/pctW6YQQTkAYBZhT4D7h6VoHLL1AFwUE/3BSi7Vo=,tag:FgUigE6ph6389ajItAglqw==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/edolstra-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:P/ICBtclLOI2y/G0z0d7cfUW,iv:WM401Rq0v5spCCCaRZCdX3/3qJ/w6PM+rsJ/NyrLJ6A=,tag:+Xie8cztUsp6OmQ6uDneBA==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5UUdLa05kRVZXazZQRWsv\\ndmtBa1EzUEpicXRZMGtaeWg3VzNBalFGT1NFCjc2WHhkcSt1b2hRaHNsZE53YUVj\\nOWZqZlNSdXJrREYxUlNSQmcyc1VOT0kKLS0tIEdFRlJPVWh4R3BXSGVNQXBLTFdZ\\nb3VqR203UzJDdVkrZllVMnZxKzR1VnMKMO9pZh/ukJslEBGIYioJH8DJV4i2O0BF\\n7D64/8ETSaOAIVzt8yZOpXvRjIwxbsEkNoQSf7GGm5ynmCzfJ7V6aw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2N0VncXpkejZGTjV3Vmxs\\nZVdBaERCeERaK1VtTHFObk9RMlYxaXpUV3owClcyelZ5cURmUmNUaHZtU2NhN0lZ\\nRjFWZTRIdHdQNDU5ektHbTl1L0s2eUUKLS0tIGJnUU9mL2lQa0R4eXg2UkpYK09x\\nTXorMUZSakJPVGFSVXNlQTRGZlV2dk0KZ/qJoRpK16fjbG2wNQ89UU7Jz4AiX5cT\\nOFKZ1pQTaUu4BLVkXebnPpkrjmpSwxxOQ5cCEbq0AQkzSX54UbkUHw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNOUQwcDE1VVltc0VYMkVs\\nU01vaWg0VUxhNnBiVmRoUUpVaVcvZlNsWVdVCjZRekthWjJ1MDU0UGNXd2hheXBn\\nSXpTU3RUOXY2V3F6UnA3OW1SMTFobDgKLS0tIGJXWUhyTm1kMGsvN0lpdkRSUmR6\\nTUsyK0NQS0QxYzQ1clg2MTdKVjhTeW8K+QgNV6Iy1BOq5SABcYOVq06hNpW+k4mB\\n/WIcvefIjDDg2QAYZkW2LjWnBLjBi72U4VKFmj5UF8zEUFZeRClLGA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:53:51Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:dZeSkgRXajdTJuSNst1TTUXBabgcaoL5AwhMsRQVyasVyjpVXU3RRmqdHU4/EZEIpLs3pAFBx05mX668h98tIudZkheNAhoWhG1FIpzrA4AacGUGYCbDmCQ8z2sM1UKTJFv6/lM2VMYGGGsADqXL4u9omAOIQ2AdLElNp9r2prA=,iv:tfifFZ8n6o/ZkNFCFeEHaBoqM613xNaYXVfyeyoHKsQ=,tag:wZygpKvhVGyqaF8l8f7UZg==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/edolstra-foundation-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:jXei86Qti7mGFUbtSN+2bGkj30JgLajEMYkOQhI=,iv:b5+lzos1RJEWNH36xCwQS/W1LHPsrGd33zh8vuLw0w4=,tag:D4fGtRAeP5SaYtbtB5XE/w==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBbzJ6U3ZudWJpNzAxUEVZ\\naFgwR0FjWG1jVEVvMG5ab3p4WUx5bjBzNUZvCjhDcUpWQnNKRDRoR1cvZkNrOXYr\\nOFdsUUtFcWhwMi9IVSt5MG5wVjY2cVEKLS0tIFBsZzYxNTJmV0hBRUdYZTU3RmNv\\nUkx4cnp5U2MzS015QTRSTkpxT1NMdzgKgbfgW0kFAMf2QlwSpdvLJiSmg6040DYb\\nZvcgVXkNizcYvn2czXwFpMEOPptiA+OFUeVXYYmx6Sgo+BgUbjKDvg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWbndxelFoUkFHVmFpVmJ6\\ndXNvOWxXSE9QaEgvMk41ekRwc3VsQitrcmg4CkVHME9PQUM0My9ZRGc4OGVIb2Nx\\nWU1EL0xpNytNRXdUSXpEUjFlc0dYV2MKLS0tIGd0L2VRS2ZmWjVZQmpEYVRyQWtX\\ndytzVlpMWHZHWkh3cWhhRzFkb3VYclUKFT9ISZNBJ/0hu70M3Zz1A6fl7bTmRZOo\\nVNsz9ydtnZMjsOOhaQi6zI2HdTCLEC0HoI4IqXza/6fCXbJ00IDsGg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBONVdZTmwzRFd2Ym5DUS9Y\\nZUp3ZFA2VTZYdlhUZnE0dmNDdnRIYnVyODA0CkFSWFE3dFdQZUNFUExnb3BYVHJ0\\nS2NkeDM4dlp1dlkrVFRhcHJpdjNEZWsKLS0tIC9oVFhHQ2ZsY2R1RHhoeUtISjVP\\nS2RqbEFVWHJrcG1LUzFXUWdGVUV3V0UKGQPDl1K4IWysN4ZFfx19ibgMUw/Fuu08\\nshhbKqTHwjDwwTzwoaMkgh+2AjmqP0rwFr8hd+rZcN5fPimdIEhsFg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:53:52Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:Q7CCyy17DXioU1i/1EZH4xfxlvW+mLJq29BvH2WfNeR/7/dvp0wu78+YJXohbRzaMkW7wqIKCBwvaH6OG0xVA+nGunlLoLdyUjePNuxr+UG7T0G3AqbAvOPkqKDkmFnVWeR2kqOdxlaVKeyF0IpRfaHUo40alKN1/ArMNGNUfls=,iv:WkJD7WjBcGOt7aDeCD3fv4eXiJGcbMOfKvH6WqG1lu0=,tag:MRSLaG6y6/mokYSBSIbVBA==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/edolstra-summer-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:1If0PoaPxK+sJtOAuf6PQb36OmqfZEP5GQ==,iv:riQ8eyLgDqncfveonjbtYA1/1LZP4vbnS5NOUc/kEAw=,tag:QKMOE2Ys+AHB2E3cZDfnGg==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2WDJ2SzRWNDV3R1hjQjVj\\ndVFnc3dVRVFlUFZNZkFmdThkZ1QxRTFEOXg0ClptcGJHdHhHQS9wMncrdDZZcDZn\\naGF6RlNoWEFrc1ovT2tYY0I0Nit4NDgKLS0tIGkrMmloYmt2OHByMWxocXdPSytj\\nLzBNL1dnQUpDOWhMSHIvZDh1Z2xVNkUK5tzxrjBCTTBPGqUxGKeQY+FSseKLens9\\nJvIXDhWAFkC8xJLr8D+/BGZRFZIQEbk/5hOLv0bsjc/no7Wrs6Zlzw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvRlpvSWc2OHNJWE85RStN\\nUHFGazNnd0wxZWN5c2hRL3lJSFdDNENBSlRvCi8xRk8yOGE1WHdwM0VsdG0yOUhk\\nMVRSK2tQZXFYRGtibHd2NGNIZkVsd0UKLS0tIEpWb3BNNDQrV3RJNzNlY0Q2Q21I\\nZHlvdUptRzk3c3FnNmFEVnFSdVc3bG8KmncYZ8jB9sPR0pC+OXoBo3j/1bitzQjH\\n3fAe5a0yru/LJxWloaCgD1ipY/QAePRWrL4B3PjDp4J9Wzzy1KfMRw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1SWk2d0VDb3gzakFBS1Q3\\ndWpGK2RDS1RuejM4VXNlTDZSWXYrWGxhZHk4CjI1UzBXcE5KenV3dWNTOGZTMEtt\\nMUwvZEUvc0JET05QRVNzMC9FQkVEWVkKLS0tIFRNaHlKdWF2ZE1XcHJQY2JFOHlF\\nZXcxbXJTNllITTNkbkFpVVBBc1JTd1EKB/3xLQcgdBejEQWI0YwdoYhCUsh5HiYd\\nd1bn6Y15kOHGbhjNH8pwhuRN0sJZSfd5PqWoMdF8X8d0oMUcLH4PCw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:28Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:iCF8Wh4FcWtAl26fNUFQn7cduq1R+AAzfOV4SjXC3MC281h1Q9PxIcyXkw7gGydTpriLn2GDyN6mFFayqhfygGN98on7DcfUMEWwULOTa/6NhlYU5+q8jVgHtWXuNzc9yfVYssfkb8rM44rVnDzIfevlJ+3yB8s5MifgiOHz6Wc=,iv:Ge2YkGE+YBIKDK/mhW6fnvMY/GPZQHv/lpw+nbpK/HQ=,tag:3uJ0+aBvOhjyH8IL8XfgBA==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/elections-email-login.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:7tM+BCtXDNpk1YUziJAViGflNHSdVDuktlaU6XwGONxMwspUKiLv4m1sBHH7U0AW+QJBbRtEQssBl/7bCQ==,iv:FGICEI+5TP/+a4Cz9yWpIraPTZ1AUt2dKp4F7ZJI4fk=,tag:NrIhcCAiASj1njHn39HVSg==,type:str]\",\n\t\"sops\": {\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjdkJlV1Q0NmZEcVVnQVpI\\nVWsxdWd1RVZMT3ZMVWhBQzlyaEttdFpFZjFVCi8rQzkybHJ5eTgvU21PTzZyYkhN\\nNEM3enJRY3dnSXF2Zzkvb1pscGJDWmMKLS0tIDRoaHZheGVjc2ZZdUo4SzczRWlC\\nZEh0N3BsVlNicDk5OHhaVU55ZlJ5azQKHWQhNSoeM09Kd2Btl5xhFg1rbbvnJIik\\nuNCO7rYCfiCJcEhv5OaXMc7EKHdBRmxxLz5TAnaqN4/pCnIBhc08Jw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUVWlFbFRpZFhNQSt0Y2wr\\ncUdsV3ZzNUp1M2xpenVjdk51MEpoQnB2aVZnCjAxek5qNFpGeEYwcXVpSjRiUCs1\\ndVlaR1NJaUx5L1ErdUZ5Y2pCekU4L3MKLS0tIDcyYmtmc1o2SXF1bXFldnUzZmU2\\nMnhRR3p5T1dkY1gvSjlKbDRKVEFQTWsKS/EB2i8sDp6FANEUrVKnShcIzTslnogm\\n0HCWSIorOkqTFHawAyE/oUk5VOyU4JdkSo4ZFlzLdosLq0zWwCRHpw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmcnY4U0hWSTNYVERxUkg2\\nVFpISVJBSFovcjNFUjNTempHZFRNNHM4S0JnCncyWE9hQTlZQzVWbHQ5dm9oeUNm\\nWHAyRTJUK01oY0JqcWdQMUllbWovOW8KLS0tIGdhNFhYK01xSnoxd0hUVWFkMnNM\\nMEtYT3ZJS0VFRWsxakdSUFFKejdReUEKgmZC+EQAvQEsOvfD3hiyVaFtvC2PWVlH\\nqE4RIThK0CJ32zBq6wJGYgBC/4IDQlszlZiClbZ+LBbVIDerAtvL1g==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE 
ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdXhkRThjNFk4ZGgyYlUy\\nRjhnVXYyNXZIekhUSzdhVXlxNTRvcjZpSEJzCkM5d3U5Q1ExMDFnaFVlVkNTY2to\\nYiszbXlQdytMd2Q0UXJFVzJxZjBlemsKLS0tIHBOcllXZi90NkpJbDJVMFJ3NWU3\\nVlkyampzMEsraXJRWSt3RDZ2Qm9IMkkK9slGDyDWQHJFU+no8i9AjrriDDTypuzW\\n8xFqF8dHVZRlHDe1JldwI78W+90oqRkwD9UPqhB5vNC48xSd77Pq6Q==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTYkZLWWxKT3N0US95aTJ3\\nc0VEWlJ0bkljUU5KRFNtdFdDdGxBbVlPU2pFCnZLVW8vZVpLU1E2NHY0eGRqSUp1\\nNXg1eVMyeG0wVVN3b3dPN0gySzR5eUkKLS0tIEt6Zm5pOXUzdzk4L1hHMm5EeVYv\\naVdkdmdVd04zUGpLck9TSmc4UEJoTXMKh+8YyhlQHRmshlecrFX/7CladcbrWVeQ\\nLurJ0L29X8CDGF1SwWbQ5ZyBQbGLuqYc7h1Co05cKaUSNcLTxoAvWg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-09-09T15:40:03Z\",\n\t\t\"mac\": \"ENC[AES256_GCM,data:haLAj3NRhlAzo03vNUKT+Jm7RGj7AP3CNfC38PYTFeuI+V6UNFbQwXOaEcwnYDOpSJWXsGgmtYDCLaRBbAN1HpgvFIhviv54yQU5NW/tEmd1EwuSQQMyeVIPkwwQOdfDgL2YvoB3LIEmX46KKH1iO+lL72jxEB3aFYz5ktmo0yY=,iv:M5YIOM45DamFiyCLGiC3GrdKf74lazYnhleErQnTbfg=,tag:AAlVoGY1nSJu2FwdlC+xHQ==,type:str]\",\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.10.2\"\n\t}\n}\n"
  },
  {
    "path": "non-critical-infra/secrets/escherlies-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:GNknC/aCGlRcAl4JlkKLkyaluU4optI=,iv:BFn+TyosPAB/DR+ymWKR+iI40DF5PrrIi03e5OZjItA=,tag:AJkzPZ9tefszOES1yhx1HA==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJN3U1eDUxTVJvb2I3b3V6\\nVTNHKzg1WHp5QVQyem5kT2pmajVlM2VmdUcwCkJMcnNQQnErQndCR0M1dVNjRkJ0\\na3hETG54YnlrV2gzWHpINHNjdTFibkUKLS0tIGZBcSt3ZVJzdWVFa2ppTllzUnVD\\nWW1jeG9hajUxTTJsY0VmTVBEaEpWQW8Kzq1LeBHMldkfo9bcmtVXaHnQDx0wOxUE\\nPyLnc6tlS4yzylUJ2Whd+EnmNCF0iIbOtLPKzv0niVtbgQONCrXkFQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpNW5RN3A3WDg2b3lUeHdH\\nR0dudVQ3WmErOXhMRWJFT2IrQit5cmlGY244CnROa3BOaWRoSmsrUGVKZmhKa0g5\\namF0M1F3YkJBWmhSYS95UWJvbEZpTTgKLS0tIFJLOGdBdmE0UnpBQ2lZRnlONE1k\\nOUxIOVVlb0RDVlVPYjZMOHllUzRmMVUKYbeLKzwIfgjBsyFPuFppwd+mrmQJl+Uc\\nM6Kc8LcuH6knJzhUZWeuOlybQdvGyXISDN3azLosGLVadpx+4xAwxA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiajJkMEZxM0N3aUU2cy90\\nOURBQW5uRmk4bzNFYkh2SjFMK0FQdllON1g0CmJTSElrT3pLazdBYm00UnlpbCtD\\nbi91dFFqZy9jeHhRUTdXeHRFaTI3dzAKLS0tIEFjOXNWU0p5LzVESWdIanNMTmZn\\nNk9iRnJXeXZhMnladkwvKyt6Qnl1VjgKuWsRsAftEeoWIeWChTTC7Uook9RpQ3hu\\nfOFVNK3+EzMfwHrtUbSoVKhZcszYrFQHCKkW5rt5GkzR4Vfy7ijO8Q==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-04-10T19:22:57Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:ozpkoaEU90s7mdxHy2LPnYuWdG/Dkm0YyCeMA3mNthvfbiiZDLKn0Q/mUxoRkCG9/T+U2ulmYLFNj73rAzuotYa6qhQiIeGI+7lsduWAxfNQ5SpK8+mfHV9B0lpKLQQQ0oZ0TuxvzjA5262WfGAvmq4g/ArV6/AD+xiVK3bJ0bw=,iv:dYJUwrv0wyKFiaWU5lWQ3sObMkm8Fk+KrboQ/28QWoU=,tag:BxUwwh1VC8dkhTyz70c6hQ==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/finance-email-login.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:iZoRESxys4WFqUm/zDAGo13MTHAPjEK+WFemjhDPPtCj7MyY8h4hIJXFtByLiR7Wszpjx+dcATgiIdLHwA==,iv:OlR2jr2wX7pOLgKQzsFQWIYC+wkLDrfrhjqaOwHmk44=,tag:/y6s6RxYmNkyYFi2LA3XwQ==,type:str]\",\n\t\"sops\": {\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGRy8xN1RoTmFielo4WGh5\\nVFowU2gzMi9Oa3hlR0N4Uis1VW5NcXRhK3dBCjNhdExjb2NwdkwyZXlNWXVJMTJV\\nR2pCVUt0Q1R2UytKaHROdzByNDltZkEKLS0tIFZoMUlvZlJWdzg3Q2M2a2RHY081\\nZmtDT3Q0TkVUc3RWZnF3cGp2OXJoeGMK8cD5kslSNjPH1FQzyLqsdvrZr5yTAynz\\nrLczLT68ofsA2ZEmiMA+Ee/xjukBRvm4UmiVAvT6iSljw1pJ/sbrTQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldFVnNUFUWFp3NCt1WE1I\\nU2t0NXIvOE5zZVJLdDlCOEdKeThURGRrMHc0CnpvRkg1ZE0vWk1lYmxxRmkyMUNq\\nQWliOEptR2JrTHh6RDU5eUhuandzamsKLS0tIE9MWTl5MHhSR1pWeThQWStTRG9s\\nc2JEdWw5eTlTQ3Qvd2txMzV3WjlWOFEKSuQsIYSksdx1oyRWcQR2VfHKx7SLUPPM\\nuVtRjul0nKE4WN7Sdp3pU+YyDJulUdHHShbKpaEAv4CEM3f4F/xOyA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSWNJc3dkTlVZU2hGcUtO\\nQlVlNXBBZlRXRWdaUmRKUWRWWUtMbDg1dWpFClI2NTc4eCt1ZnZCc01Ud3VicGdo\\nMm53SDBhVnVPZkdrZ0dtaUIwNHdVcFkKLS0tIE00NzNzbVJvYjF4SXNnblFTRFNS\\nV0JlN3Q5aWdtQzNncFFkSm9xUFBxUk0KZfE9BmwUN2kJVFthkIKSocCekZa/+r+Q\\nfXDJFS0n09WmJLhrk0DdsJJHDKg4thkC6HcmNg03PA0FU6PGdIq6ng==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-06-13T16:16:06Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:YG+3AQ1nDKdQ9lGkiKorybdHKDA8wbx5kJkB0RT3MAB3grazK43ZGB75022BZG5bdMafXCznQJ1eDcDwhDDK+MPKtWUfQwVIhsbQ26IRxA+cf7aR8+RQ7rFKIJHounc4gRVdfj89oI29SFteLFwtQHqO9BJiFK5wI+JR2FbgcfM=,iv:HaQjQ0fp/F/Yg87mFi8B7oeFwhv3hYEk/9q2ODvC4ds=,tag:Io1oYOfpN1lE0xwsY5SObA==,type:str]\",\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.10.2\"\n\t}\n}\n"
  },
  {
    "path": "non-critical-infra/secrets/flyfloh-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:l9rFe7HXxOeoSBSWIC/UZ0qF2J9KrkDrf+fLmu8hk0AbjvN4,iv:uqsn+2R3ItVPqaYlSeKGurdpSLDMOwwxAYa+sL5/nck=,tag:w4y+zofICiPFMIzRGJsW9g==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5Z0REY2lpWHlibStKSndn\\nbWlzU3hHNHliRnBXZmIyREZySGZhSmtCb2pzCm9ZT0dhcGhmdEtFcHM5TlhYbStL\\nRjRwcml2a3NGQTd1c0ltSzU2Z29XYXcKLS0tIHhIdm5pNFZaUlBwbHRGcFJ2SC9v\\nU3MyUWRYOTVtWjc3RTdlVHZpcVlSTEkKmbtkuQvlisrQcsvGy7CE67mwxOBC7xkd\\n/wpdqaoXkQ5X6iHhbJYASPEjLxxyl0f1Wr2G3nlabcmvTSUitVeBmg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPbWpxdUhMTmRwcU5Eazht\\nVnhhQm9uRE9MRXdqb0psTnBwZ2dHclI3MERvCm01RE9QbUFFTzYwUWhvRjVsZjJw\\nK1ZmSUZtdFVLSUVLVWJtVmI5dTJiaUEKLS0tIEZld2UyMldHTERsZmIzOFJYYzVH\\nRlRDOE81RUl5ek4zZURWOEdWRjdPVVUKRtMstBmmndsfmell9apWh/VMHNwZLpFI\\niUH4bOD6Kag8QddVqpNIJ3vPVn54mVLmfUslDv2d0sjHiyMozyGsLg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsUjVxRzZqekZjWGpEL1RV\\nMXJrU1k4VzUxL2dmYk9RbzNZcXFKeDBoUG5NCjRRdUFBT1lMWHp1STRyUFU3QnQr\\nanI4ZDNaN25pMmJoL1dNU09wekJ5YXMKLS0tIFZMb2VvUW5BdnZBdzMwbXdiOURM\\nSkI1Y0FHc2NrOEpWYTVtU0JYTlprM3cKFHlRoWU6J4nBcVc7IUHNlzkFh1l96Rl6\\nigN0HFfCniijU46lSQll9J6/M5TkbsUnAGuSYiddGAUlCUmD64gnWw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-04-05T14:28:24Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:sCLqN4YsIiMQVI968FEIFOcqYAYJP198OSbEFosGq5CHfIsSWAZEDw25hWF6/3j5jvoPld++poexBx4i/8XJ7pXZY2O42ezDgATU1tQehUSJxuJdcQTV7Ujk5Z+ZWQl67jk+6YP3XJYn/O4zQiMP7xpO7+eB69iyFP+XQmMRN6I=,iv:wn2m+MV3Tv6w5FDmFoGxq78y01yiFUdddLGdNeqye3U=,tag:hRCRImNqUlmOK6TxUjzuCA==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/fmehta-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:rl1p4ISh6x7O4wPC7besr63fXQ==,iv:9JvxdbtKo3LU2Z+NItRpfazXlOlQe1D21RWKJFnHJ0g=,tag:W8AOd0kIggnUKVFXRd7K6w==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6VVVVZ3g0NWlzRUxnRytV\\nUC92dXQxSFpWWTY4a2FHU2FFRmZ6TWlUc1dZCjJiTERVQTd2NDI1WnNJekpNRnhr\\nSGRWMVJrdTlJdG1pcTB2WFBJYkMrNmMKLS0tIE5vaEF1RUt5aXVURW1WTURRNkdx\\ncG9JR0cxaW5XZDZhWTFRM2dEb2k5QkkKNVcQXYikIpnTyGyhoH5G86Te+WBJIBp6\\nBoH1qq1VVk1O9MioNtCS0B8LjIJBgKt2soS6fT3hrTEPaomRScVJfA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhS1dxYWg5WDlscllSTllL\\nSjdCc0tmT2s1WDVJQkt2dEk5YjdTVENNckE4Cmt1ZnNsbEVuUzRkcXN1d2hGQkZ1\\nQXhCSXZWbDZ4Q0N2UTBJTkNQUXpzaFEKLS0tIDBHTE9tY2tsMkFXSSs0S1R6UWdQ\\nK2lLUDAyRGZtaEpmSWpoYWN6ckVaMkkKKziG0lLoHtQOTakMpUxtuG5TdkhGFtFR\\n0ZhwirHwkCUMDfEUHczwuREEEypsTXAWwnnBZ3mtFa017x9prbcKCg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3L3ptaHAzbVNsc05ySWxz\\nODZCaHpWSTFuNERWVDdHMlZtZEplamNybUR3ClVHaXZaV0tVNlk4SlF4cGVweTRU\\ncmpVd2FmcXdBZjYzRnVJajBiRnFqYlUKLS0tIEcvWklqZThJVGxXYWp6a045NjQ4\\nTG5oeFpvR3pVazdoZW8yeDJOWDJXTWcK8zSRfzjgP7EvizlA2gjmhqcblWH1O3aH\\nJjmNGr0o6uQDWEaBtxpLlPOhIJZvcP1mP8eNMCfLiHdEcGakg8edEA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-05-09T11:09:08Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:LXiwdWODDzSwifZXpyU352EkbVoxcEwWD0aabY56BpmKeU2exUJwg+CJHD1VIKNesJZ8oF6q5yqah3+KNg2yohh9iqb8Z1clqI+laUjmvPs48juYGaoPR0iOsoqV99+c2ETHs7pk/2Iyes5tXdU+VwB1s2QY/QRSzYx97EEWNdU=,iv:ALdtZUZH9+G+jfoFB+2anpad15eLDaOUH5T3Yu64hcI=,tag:r3N38OGg1NOenuF2xF5Pnw==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/foundation-email-login.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:SjwOmC28ufjZFodhZ2RGaW2k1jWNgi8984PekMr3QjhTKjCIWmBSao85PihY0WEvwSZeGOH4X7as3FpjgA==,iv:cZcNnNOVTwDWnjIy9K3p9ZPxzxLoleOn3jM8G62A0wM=,tag:PsbNd0yI9U/SwFGlSXVqhw==,type:str]\",\n\t\"sops\": {\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxQ0E5SmhEM1hrckdvN3pk\\nWGxLTGdTZWZ3Si9YdEVoWTM3c1RTTHRLdHdVCnNEZVcrd09RdDcyWFVLUzZXMGp2\\ncTV4Y1NJOHNrUEdKYmFnbEFzZmpwV28KLS0tIGM2eEdWR2RranhTdGs5Vmw5Mjkr\\nNFVra3dOOTB2RzFMVHUwdU1vcEx5T1kKmCTc3zw8lLUYNKA1ne6SnSlQiBHfvILL\\nU6GtEMN6cJfCIgLbc60Mo9xNbeP7/kn4D4YJugT4wWAGdbrivV6DxA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhYUV3TmpnWlFLNFZRellT\\nT29xM01VbUJQNnArRWNoeTJ6dkJFazB0QzBZCkdxa1ROcWFOSGE4VlJnclNIU25S\\nSHlQemNJSk1UNGNoVUh1aWhqTHk5bDAKLS0tIGhxTFNHbGNjVFlhbEU0K1JTZUpP\\nUVIwL3lUczNCWExha0I3VmU3TytqUEUK/MvrNcGSd5Mn1PisOO1RuJQRVlZrKHJw\\n6hdWNUuIqJnPh7TVN3Q8CJxiw/r4GpQliArSLKvYMP4bv5W1yPw+AQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvOTdCTUhnODFtVjBWS3JE\\nV2hrUFFJZkwxcWFWdmY0TENVSUpzbUFmaDJzCmNKZUxNWEUwVFNudXAzT2NndU9w\\naGJ3c1BqZ3hLdkhkK3QxMGNIdzdCQVkKLS0tIExkeS90SndQQ2lxTGtHOFpuUlNK\\nRGxIUnliUFVrN2FSRDh6ZGFBQVdsajAKJ/LFLirrrtaLo5h9BdWqytvBsxvAVnU6\\n9dNw57jrmxjHZTPKx06xdp7Q6jB6d7WBu5UCHOWyya5NrtbDiA9CCA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-06-03T21:08:15Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:f6GNT+abhZzFgdeMML40ea0DBS58uGOBPuMfEEcLEk7oiIK60/xue/MhwS91hAQFQJrhl7x19lvVqJW1IDQUKKNW3b9Bx/bFOrT3q2SlleeuqeVHrpgL/Qi+8bMLnL5nOXP6wx70CBbC5uSiJILwNfl+5mHBRk5La0AYMKxxlVI=,iv:xfa4oa6N5v3+t5vIoWW2863/JBIM4JcDERije//aV8M=,tag:hiunqHRxxJP1AgiIj3oyEg==,type:str]\",\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.10.2\"\n\t}\n}\n"
  },
  {
    "path": "non-critical-infra/secrets/freescout-app-key.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:jYgs3IlDta15hr1OIFMtT4HU9u96nvN0GRPDa1+TPuC+gcMbCBRWtFrFYM+/O03mDtJV2w==,iv:M6yUMvnHHe4DUDMCvjL3uQViMxbZzz0NOYlx2J8Mz8c=,tag:qm+/x0TWQwrZbh+pxpto6w==,type:str]\",\n\t\"sops\": {\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnb3N4UitvYUg2NHNVVFR5\\nVmNydmUrOXE1bG9mVFh5NkZZdENENmNZcG1vCjV6RExtL3MxUVZHTk1xVzZBSmFk\\nTE1yeFRxMnpYYXJjekNNejN4SWc5M2cKLS0tIG9IMm05bVRwSGV2bjJoK1Fjenht\\nU2xWVWx6TXJHQWg1TnBFM3JWSXo1MWcKnNfOufmvt90kpjiB0GZ8yWTv8UIXaQAs\\nba2Ew4Ca68s3zUCgsaQOstkbh8Dszia6HyoYZ7yj1sjzaUI2AMqknw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUMlZheitoajRtWWhpRG5n\\nS3dFY1NsaFlYRVR5cFZvYStjQ1JoREh0cjBzCnNGZUlEV2RsdHpBcWxCRVhCZURi\\nTlROK0NJMDQrdE53OWNKdkhaVmNWdncKLS0tIDFoNXZEY1B2bXI5blQ0SVlxN0Zi\\nUUpDUjYvWWM0ZE5OL1FpK3JIY1RScUUKLTur/VK1HukuFybYVep78VKQGJFAc8bC\\n6XjsFe2xhr6mwfWpRW62LbxzQkjPqdWpNAilH+oQWh6EnDcjBOUCPg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBibEp5MDk0ZzQyeExuVzhR\\nQmY1NnNYTzh2c2VhWFNFc285dVB5MEdBNWxvCnVnTU9oaGJlNVdOSS8rMUFiQnU3\\nOWN2aVdPeFU0WWFYNGplM3hNYmRFdncKLS0tIEZyeUFMMVpYUXhBakN3TTRNOGxO\\nVXJXa0tRcVgwWGx6Y0RmdmpkOTRuSk0KyAxdvgekHTatCurFIQlg74BoDwjVrw+y\\n3xtTubPw6M3qW5/k1b4ClQwHVpppbIG1hQg8OG/QD+nARqSKMCoH3g==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-06-03T19:23:12Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:oZOR73ZapeN5Eir+Z0BXAqLzoRdtrCbuNAsrCGh9wyCDuL1Xv478jLhVvYhe3O0+errwnAnY8/SiAv5+dSu7sJDHL0RDtY9OWjQhxdv0iTTXZUn+gci1i383pkgLccQzlDZzhtVj33HBY968KOhavD9yNhN8nSy9ow8cLzhcYio=,iv:Xq9Dwsez/HjcHr+hSQNN97ZuoUGbOVrlBTl5JigMJEs=,tag:wkPDY1lYU6vOZ6uED6lalQ==,type:str]\",\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.10.2\"\n\t}\n}\n"
  },
  {
    "path": "non-critical-infra/secrets/fricklerhandwerk-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:7r98ncQCdw7hejCciMFOGpdxDRhntRAQtV8=,iv:OgXU1bplAt2zyC6FB8n01bF4MM36rafB2khrzluiKZg=,tag:eVpTEDazQBtDrDw5vJ8gEw==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnalpsT211YWs3R2U4VlRz\\nTTNDblhScnVKRU9rMjhJaW8xbmFtVDg0Tm1rCmhiNTl3QzlzdW5GUnFUcmZQYXY4\\nM2Y5T09PRUVheHNReVV0MXJ3enJoVmsKLS0tIHFRc1hSWDllSys2TTVubzJGVlFM\\nMzBaenJoeGp2OEZJZEZJb25oOUdMam8KtVT2FgXxOiu1jbH055OgXadtH96Cf8RS\\noF9jjKKt0eohvtPtpWwPUlXt98wg7g5P6IXmhE/bwwqYIhyEPKX9sA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2UnNXU3ppUDhTYzFzWS9s\\nUys3K3FkYyt0RzIxTkxQZzJSUC9wS3VTK3c4CmhYM1JaaCsvczNpdXV4dDkrNmpV\\nQmVkeVU1c0NaOGJpUGI1cldHMnZZTGMKLS0tIGI0ZUVQRWJLbWxKdHEyWmFzZVAr\\nN083eElocHFGM0ZMTnNHTHBqVlk1eFkKMl/1OXKbYZ120s4+RGzNQRC0xGgd4XQS\\nqbj3rzYXGL7WdzW2GtMGxb78sIpIaF6pCqvfyWnCJwIkA1zOWXXNXQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3UU1PQ08zc094aHdUNTNm\\nbE9odzBUU0lpV1lOSi9PU2xyazBjNUc2cDJzCmFqcndId0EwTlhmVmZkWWk2QXA2\\nWStWa003Zm16a3p4OTk0dTlZckNndm8KLS0tIHVZdS9oWFR2UFlNaWR2VEkza1No\\nWGI0N05uSVhDdEprQWdOZm9zN1E3cDAKUxUC0QPV9J1Gx/dgdbXlrHjjTx5k2o4S\\nddpBzzYNeoCYbmkG3v1Hq+FtEaK2CSSZCEiW6H1cBXPVLlRrusKxcw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-04-30T06:19:20Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:g6SzTL9thSqvPKJ7cIAsC1g5/by541c9xUjwyK+dhUOR9zbulMZsB1hcKomls762Im3CChzSGGxcbNM3SDd5M3J9hozIk20fzsngBtepkad/jV0i8+IW/PsPcCRW8Oaka3oLBrRtpGYElpzYGjBAcvd+DEIQ3vu2XxNT/Til9G4=,iv:bg655aPWGrLLG0082AhI2AoB7DgbYtETOoWD5uo4w1A=,tag:hGcD7/eHrTT+iAEhYSLwXg==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/gefla-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:5l8pOjBYBkTXeZh4aluOIsnYhP4Z3golFdUY,iv:xOu1OnuMRmOdyLkthmik9TsOOSKCm86Pu9LDMxEU+QQ=,tag:8yMSlxv0Jc5X5Jj9FiN0bg==,type:str]\",\n\t\"sops\": {\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5TUNVcDBBdUZFelZMeWtq\\nb1JEVXdUMVQ4N2NKb01uRURzWUhyVmliQkZvCmJJdklrU1FDM0NhK0hTTDZmV3Z6\\nRTI5TGNiQWRyYUk1YUswNWYvbFlMSFEKLS0tIEJNV1AyNmhwSlh3c2hMZVpiTzBP\\nSjN2R0tiWllJN0I2MHBPL2tFRTZob1UKj4ocuKoJJVEsGPccQad3FpKlgULP4MET\\nxyd/3CcVoilLckrUfVdXZqsqgDLlflCc+XUWLtTKa4Kf7NKpT0zq8g==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXVnlwZkdSVUQ1Vk9qd0hq\\nNXJuaHhDMWVQekJxY1RvMVprUlc1RUdvWDNJCjRMWFFCYWZLNHJLcElOQ3pid0FC\\nSTg2Q2ZXL2VIVzhNUmhNejJHaWJRVE0KLS0tIG1NbnpHUWJCeU1Ham9sdXF4ZThU\\nTytWTmNSMU5QaHBPc2FRN3pwMVVQRkkK4EtcXJM5nFtgeT37S1qBCoLJp+mmhUjz\\nq8xY1Yx7jQqpVfqo4poVbPOIwqxlLE0E9E4ycDTDSb1cs6v0k0UnuA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwVmFwaTNPL0FVMXlIbm42\\nRUxvVzVmeXdVRTRnS2N4dElrU1JrUjRoUVJFCmVaOWdDbktFNW9FNTIyUURkWjlz\\nUDRlRmR4azl4U09kMm9KTVRRVlpmMGsKLS0tIDZxZUFXSUpLUWlna1c5T2RSZXlt\\nOEE5eC9YTlZvTzJHRXNSVE9iUi8vLzAK9vafynlaUMK8HIEg1G5cGHipd7/KLIAd\\nVI1J5QcdwWFUsBEfEeWGeSFj5Ov6Hbj6TxIshwJYTZ+uo5qoFtz/Bg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-07-09T20:20:40Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:y3jZg8rNwDib2KfEV9DHRWjsXZ/T+2ely4v22a5lKVAvy04D/tVVEyASPbPJAv5WQzO4+553LApXZtjcg1EbOnh351W+Fm7AcMTfOThxRxQDsOGIVpiuGco5Q4cKxtAuDDbn/2p3WKYJ4zC4WNs3kzXxmuJPKzRhyVlsNGHH4cQ=,iv:dgvNcNUWL3ayIaCTQWkR5HZePNzSmiQvQuZ9SigDI2o=,tag:J3ZKac8rnmauG0JXTaxg9g==,type:str]\",\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.10.2\"\n\t}\n}\n"
  },
  {
    "path": "non-critical-infra/secrets/gytis-ivaskevicius-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:KPLaBfNvjztzL5U=,iv:0cZyK7BFf+nqzoRQtXxc4ku7Iv26BJku3NOLJpZSzf8=,tag:uNJOGgGStxEuFH2RrEc7Kg==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIUHFQNTI3NnExUmRydnNC\\nNVNjMi9hczZ3U0RKa05ySGtTWDBoOU15blY0CkY2L1BJak5BZzBvNTJhbDVFTjRX\\nb2NVY0YxVVhEbTBjSC9vQjIxWnlELzQKLS0tIFF2TlJKWXAvek41Nlo3RnAvWlNL\\nanYxM0Fld1ZjYVhwU3VnUGZ3ZmNnSEUKOZHShXrCREAIb17qr+W/MAWAvuRmsEBR\\n70hr+QKKMXZPGb6+565d3MulUvPRgaDOOZuO9rXGjVwT/Q1Y8g6ndQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBWVo0VlVsQzBTTENJUmZN\\nMWszSHlrdWVGc2U5YTZzSnVROHp2UHBDMkF3CndKbUhWTnZ2RC9rZ3lydmFYVmM4\\nQlQ3RFlrbDZ6czR2dHc5cERhVzZtejQKLS0tIG5VTkNGR0ZBYkhCUVcwUlRIaW1V\\nSmx1aFI0TmY5MWorMGJUOE5lTHdpdzQKdUEcUdjpU8lWYFaFmQyGFzFct1/x3rki\\nBh5MYqQVpmMDdLWq8V4eRQjnooDga7UbfwH3AxyiU3FYDCWXQvl4cw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtbW0xUVl5QXJ2bmdueTNN\\ndHFZUGdjU1RPMkVBeVYyeWdrY3NHdVZwZ21zClNaaWRmYWkxcWllQXlnYlFlcndx\\nQ2FGTzRBcG02KzVvbHlVZDYvN29mNm8KLS0tIHkrYkxOblFkQ2o5S1BwV1NxOFZ6\\nR3dDNWVVREtZeG9KRm9VN0kzQlpmeDAKl4xEYJ7Bkt2fURIqle0KlOaRtGca8ViH\\nAx0MUFgBlJswXjpaKg0+Y3xMOq2+uivDFGpj6ozK3es3rT8XIf4LLw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:31Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:AXzPMxNGZmFIf7nMaGQVjGsvO1HZkDvRmh8KTssz28vVxJ//K+wa7iK+dTREFANqKM6JBoakBk3HDdcNnzuMCeYx4SVcto1iVqYnuhWElOlIJC70cb0rrjR8RIY9xriHUuoqijPUyHCI21M+qo5+70jLXOgslG3bxqxMcg85dk4=,iv:wlwGI0afog+x0M8DlwrE3sfngOCKwQq0Qz0g7LOxR94=,tag:LwSJIBu6SW7pLWSSBRdGTw==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/hardware-email-login.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:SxYO0yuvUe0njmckkMQsxKaqi5oT+ts58dK/2lyAqhsKFe9R72NA+24xePUQmwwXaX/kUu7SNLLiiied9g==,iv:dE4JDxcBFp62U37snFTqMeWnDNNL+kV+WJgCUHkpnuU=,tag:ncmIp93A0X+sZNcWcQmEDw==,type:str]\",\n\t\"sops\": {\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCQUtsZzRtSGZOcUxJSVEz\\namZ6d2ZpUXlaOXVJcFlxOUtDVzQvRjMwM1d3CmJ1MStIQmlKcFYyeWhtT05yQyto\\nVzJlU0JvV0RBZ1kxRWd0MklRUUt2NUEKLS0tIElDbDE4dS9hbzJnaFRhbXBoVlJZ\\nZHlZOFEzL05BYmYzWVBwTTRYYWhSMTgKpd5mmV3XY0N1mZIt/hgwAorqqL7BnVvx\\nPHrgOQHPplf5XaswqquW+FHi9Hha16onNVpJNjwO3VjAONzTKK3Z4w==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1U1J6eTVDZjNzSjZRRGVE\\nQk5FSXZLbUNvaWRtd1cyNkg4Q3JNZ3k3ZFYwCnJ5M2o2N3ZodEZzOUQ1NTcwQy9s\\nRmpFNlVxci9iZlJ1TXhiV2JWbnRJR2sKLS0tIFlyUk9PcDU0Q3JvUVh6d0tpeFFN\\nYU5zc0NnOXdvL2N2VW1JRWJteUhnQnMKn/6OQaRBN4WG1gcWW6OtxeX85kvJi9KN\\nQgvzsvcz7SWAmkGxeh5psZWbNPyoSAOq5mvRxdknuV3qJljB6+ggPA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3S28vaVdMM0FBUkhZeHFR\\nRkthRnQzM1FEbE1YYkxZak9YcStSZ0ZSbzNnClBGVVExWnV3dU5HK2pScHRRRUQv\\ndk8relJEQXZsUWFZWDhIZHIwcGc3Z1kKLS0tIGtoeitsdldyUzd6TXYwcjlqMU1V\\nUFZIKzdLWjd6ZHVHVWs3V1RueDdxSmcKYysCePlz96DgL+Zu1dWkUry7CN+dYQwY\\nNSoI6SSeGdK31ZXcwtftiz/lSUQLBZhWcRW/8OIIyem6Ju2xY6IQlA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-06-26T16:08:22Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:zVT702RrFBAsSQKJb//xbC1HPQv6k4QicjG14y9z+VgTyWrKt5DVQcjMF9AxM68OUkieOo3PKoDJKyiL44zdbq/RCEgnRxwUD0suCEQD79cw8fvY8iXafKXMHWZCxphEK1LEpFPXHxcex1LddixN2rcW9CZb0Q8iunGy0SaNftg=,iv:bAsnWQXyx6vwVBbUlGGjiKEZG/M0AjL4CYMoI3wWjN0=,tag:09j3LaQHDL/viYUcqzx30w==,type:str]\",\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.10.2\"\n\t}\n}\n"
  },
  {
    "path": "non-critical-infra/secrets/hehongbo-xsa-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:YpgV18YDBjaMUdCttBDMgCY=,iv:UomDrbsro6aC51lvzdJyFLI3OZ42exlzrEsOfcckK0k=,tag:w4Wg8MDmv8hcaQrjj6AYDg==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6UUZNN2pPTGFvZ1hzTlNu\\nQ0hJR2VOR0ZaRnM5bEFCUDRxUVlkQXBTYW0wCmJocjhVL29VdnFoU0NPVnY1NVNy\\nbmJCTmFHeDNFMTQ3dW54SU1NTDI0bDAKLS0tIGhPdzhWK3VNc1gxVko4L0Z2a1ZO\\nRWNxanN2OFdHdHRQYjFXejdEOEY2bUEKgdc0xZWxNAEBIVHM1Ocx0YdhXOD5kjCa\\nrg01nZXNoAZMh+6H5+V7uNu0xb4X3cLRGGBq2nMpbmojS8oJRva8SA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPNUkvR2Y1djF6OG5obDZW\\nOXFZWCs5RE9BWW5sbjFTOWVScEp4RHFHRUhBCldLWFZEbjR5QUhNOU40U0diSytv\\ndmFIeU1SajRLVk9iaE41Y3lESDhRK1kKLS0tIENlUWVtNWNYdWJFdGVJb2VJWlZz\\naU9LSlcwZHBqVjlvZFlRZGdZOGduU00Kk8g7+att3GfZ6SnGrOuekB6I+/scmtl9\\niTYiwcZWMnHA/2ZXvbxyD6+jvrdjQmFSlHHz74JVGVLHrfXZa2U0Kw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGN1IrOVpHODU4KzdQNTJB\\nNTViVGxTVG8rdmFuakxhT0hhQnc3MkpDVkhBCnFMK1k4UkZGQ2dLaU43ejJpaDVv\\nS3FzYTNWWjkvWjJ1bjAzdmYwWS91MkEKLS0tIFhtS1paOEVGQytheXRCNkc5WWRW\\nQmdoeTF5cHYvWUFYNHJLV1BXVXI5TUUK2HkrZb++aQtzF2zA63kJFfvxIrHIHo+o\\n40xd2X9d1Q1WCqGLvamfYa+Iuu8C6U8FAzlx7avbbY0hSWAs5Ft2pA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-04-05T23:07:20Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:GBHZAp9QBGMuhQYA/h4H1yTvWRMSEMObQQfByJ6rh9K830vi6ERgjVvIYpgW5mhmhDWlPxf2KxuCGWpKy6c222VVdUEJWjq6QXMN1iazUQx0c+M3Cu/+8dndCxc9/qt+VISjvDCnbKu4bwddvRpTgA0LD4WoJ2HNBjZEvcpGAUs=,iv:yv6+/JKFZmQC1M1AwbEooIb2JFC0dOlw8zNx4pc3qcQ=,tag:EOydRmYowwGmMQUrWp7CYg==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/hexa-email-login.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:daufNxv3XCpzvIS4xUMa1Kq31gMwW0R9sJQAg6EMgso6PTDKcxHL0+HweH5j6gjOIIRp/iM66bYpxGeK6w==,iv:RNZQMIXlkeynRvxjIzrCAeZRBWd2jFYDLHNH3MEuY+4=,tag:IoeFP+alT0/72dSWLhu7Sw==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3NnBuV1R1S0lycjlpWDk3\\nR3pScU10NmNZbHFvOFZkcDdDY012NHpzOVY0ClVnck9uQisvcFRKZkZIWjNjKzhi\\nM2hwWVFkbWJIYjNFNWFSdjExWmk1WFUKLS0tIGlvVHRuZ09ubnVmTzJFcXB5R1VC\\nTjMxNVQrQUxlRTFDODRmUGFLbFc0OW8KaYsxgxpaJkVrkKfwFzIrEJUqOI3wNegj\\nGTBzi1RM5scYnokKRy3MLMAAueMoYMXdFeAHBWL0TXuZHQOJe3PK0Q==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4K0R1amVUWUhSOUJnRFZu\\nNWllU3A0NThWVVh5R0FUSUFJdXBBUUpjaEUwCkRNdUJ0Q3N5TzJ2MG9zeUljK3dW\\nSGZkK1gwT044WldmM2ZwVXdBQnRvL2cKLS0tIHVDcm5XVEp4eDFoM2xQem1lOWNm\\nYStqWmEycnVLdi9vNEEzN0hmaXZ4ZXMKk9jT9kmsZKe/ogZpCMVeCEK+u+L4HsXw\\n8dsyjbokqKUZ9XDC4swELgUs9w1Hu5Fd6Yl61XyvgST+LY10eajD8Q==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoM0VEUUtaaGRycmZLdE1a\\nWCtCTUhsc0ZOODFUbnVUcjNpUmNaT1AvNEhJCkQwSG1kMU03bThpakszR3loWStV\\nVXVYTHFWOXdzU2NGQkpRM1ZRbEwrbjQKLS0tIHIyU2hMbEtjTjJHRXoxUkx2by9x\\nbDRYTEp4ZStqK2lJekNHU0FrRnZvbjAK8PTNbkr3Yv2YKUzkFs6zcIOV9dLNDUtN\\nc0GbDj59O4kCdse77B3nZdPmN1I9auHlpknghByseRBAiAW9+zo0vA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": 
\"2025-05-03T03:36:51Z\",\n\t\t\"mac\": \"ENC[AES256_GCM,data:vddWBmA5+haGKLSn8zBIUqNCqmsH8UXnjoBaOKZJn3N4oVxFuZ4FWchoYzUjxwWZ9aWGSkqPk7C5i8AqjCv4D64ZNwiTVecw+UTadi8ZBbyQIkGVKaShtWs2OAy7bJCAc+FojmPDPp7Gf2vTjAJog/44ezN/zQi8mamTOiWVYGQ=,iv:K5kbdThrKG7VRq7gxj3oeUvjIp28zztV7Z+o+nXezp0=,tag:uRe8Ah5wfMxr1Ci06QgrNQ==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/hydra-aws-credentials.staging-hydra",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:AIuYk16eYyTEyBpz0yyjFUbrYj7Auh53/gK+3RwBO2IuSajlrDKqahpF9IkHOOSjkzjgNH9SJejcKLvZQKiHyopZW9FuTCxkB+IhXvqjSy0vrZGyTUI8CesghqPKScxeRzEGJEM7FcSP8yk50N6m68My4f0=,iv:mdgnYTLbwvGIokCqYaNdky3kTse4Keizti5SDM8BkRo=,tag:3O0SE0aqjnhUsLHysN1Y4w==,type:str]\",\n\t\"sops\": {\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1zxcssfw5j6dwvcw25tmxs79lq40xk70h2s234hen8pkpte2qe30q9e7cy8\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLOVcwVUd4Vlpac2U3cnpL\\nWXlud1RxRzd2Z3hidEVxUUs2OVBsRDdhZXpvCk9DRzhNeGFXb2NQazF4RlE0bzZk\\nMndzdUx5d3lxdHRBaE5JT2tWZ2VNNTAKLS0tIGExeTVzc0hXakthaDFGdXhKSisz\\nb0hHY3JwcVFiaUtLZ25WSWR5dTYxVnMKNZyZPomy4fuHDOR6bypwTzEIU/jZlFqq\\n7E2z4a3kbRy/idJn+YcBd6QzeJMWmUFwJ+jpe0t29GbI4xZ2XMxT1Q==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOMWFpQUxQU2lGbWpMakln\\nNVZ2YzIrVE1nK1pjRjRPbjJOUlQzb1dGVUc0CmVrMzZpOE5PSlVIWE4zbEgyQ3lC\\nNlBzK0p4c1NKWk5LUkVSbHpsYms1MEkKLS0tIHkrYVhPOVdyWnBQcG9DMUMxcDhR\\nVkl0czRHK29vOU1sbGh2RzY0a0t4ZEEKw+tOcLMM9szkC+/3FHhVLf1zyPK8k37E\\nSHGKgxoLlhuRAbf1omydAsRox3Pn4KVGmRMr7kRtEPLOSmc5Cw5AVw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeWZrUmlieDFsd1RTNmd4\\ndit4ZTVjQldhL2dJWDB4WXhadThYZUUvUWdrClljd21WQjd4cW1aMVVQMTFaUjR0\\nbVhsbk5ldTIyTEo4bHJMeERhbUdKT1EKLS0tIG13ZGhPUjZrejR4V1RlRGNleVdU\\nbWJia3Vtb3ArT3FVSy84TU40N0JFaTQK2mq5MZSaVYwvATu+nsOyJPKyDp0tS6qH\\nQjMc0BBH8a1MGDZt9qm1uP+JpaUghnI7HyhCAh7jS7fmnAoar7JVdQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": 
\"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1Y1hXRFp4VStKTy85QXlt\\naCtwMDdBajlURy9GaXY0Qm9qUGJuREU4cURVCnVSQUhSWEpaMndLN1dxVHBQM2Jm\\nZjVwOTNBZTNwNFJXTGZNOXpaZ3VLS00KLS0tIHpKTlJBeWlTOTVLZyswa3hWMVp4\\nVDB6RithK1lWVjVWVjBkeGp3MDhFT1kK4tonrK39j9wsNZHzfCkbBa8XyYrh5ylG\\nhQzuWq9wRuDzV8aQbHe+Gc3GFTERxIQxQZiKzkcWnu3eqni+mCjYRQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPWjNPRS9oT1owQytRV0lp\\nellPQUFBMXprU3dTb3kvc2dvZi9ObnA0YlRRCktDRDBJL2ZJMkFBajFqYkpYZ2d1\\nczgvRldGUkJ0TGhSLytYWm9NbUdubzAKLS0tIEpUUEQwOW9oeWNLdnB1L0cweThQ\\nUUpFTllidmtJU20rTmdzTXZWU0NkRDgK5VCOA601eKek6JijUV0IUiiRq+5f1mh/\\n2OD+rqTIay3EqiHYbFaekBfvDn2QL9ShcOp7W751JdZKacFgIEz/rA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2bERHYXo2SlJzWHE1TGZQ\\najBiY0FaQUFsYTY0T2JRQ1lRMnZYdzROZkhJCjBFV1RZb3lSclpscDcwblJrYWVY\\ndllBT3hXOUthWEpDakdOUVNRZkovaWsKLS0tIHJqdURXUEIxa1VtR01uN3J4aUI4\\nSGQ1aEJTZllrRW1VZ1FON2YxM1JlU0EKAYkBV9beeAOVEXwYDsMqYHklJMrE9i3z\\nk9FLPmNF6uW6hSFn+V2/nPqDP84BrxXsVFyB6Zu4hPQcR1ehWUwVlw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1fgzf77gyah4efemnrqg4e7j0vk8fpq0uzrucepmdpsd5z7l4lgpsfq54df\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED 
FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxc3dwOW53QmVIUkZLZnNM\\nSDBJUjgyMEVTWXg0UnFPdlhhdy9wOXNLU1g4CkhaN1NEeEVwSVNtT0JVWjRLeWJW\\neFBPRXpwSyt6bzIvdkNSdDE4M3VyUTAKLS0tIFFmVHBBcUEvZjk1Qnh3MWpOZjha\\nSjdVdUNycFRQdFU5VmNQbmpEVTVhNUUKDrgrHJk9RFPJvbu4QshlRflKzgwQhMfI\\nvC7601ID4QozqwW61cXOjn1tMQ8Qa5mG6UFyyBGC6mO/WbyyDHa+fA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-07-10T16:17:16Z\",\n\t\t\"mac\": \"ENC[AES256_GCM,data:yiPrDAmt2KuboeB8dvk/kKmvwK1N5qaZomWhf/x3wwfXpPgMFK14odLRIGpNom+XVyOusDqudGFp/NCgfSwOrid+b3IFo01D9LQvugVO5ia8/pli+tifQkrmrqbXL/8vLWw6fpl2OvX58+5a46cajVFRGPjhug0yYyRNKKkHm7Q=,iv:Jip+jwly5yS8WafCQF9cstG2RGCdqcZ7pPeLYuVGNpc=,tag:LkWbxeZvt5fZVBNt2Q4+DQ==,type:str]\",\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.10.2\"\n\t}\n}\n"
  },
  {
    "path": "non-critical-infra/secrets/hydra-password.staging-hydra",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:fXgdw2btD3Pp0dapsgfLvOmMVGoaEdnosJvDrGwk37l/uWNX+4SSsJ5pai6XC5GHGg==,iv:t4QTb7cPNb+hBNSL3mpzZnKZR59Sxz6FddQTE5d/pFk=,tag:XpPg9/6eOq6JKF5CxA2Txg==,type:str]\",\n\t\"sops\": {\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1zxcssfw5j6dwvcw25tmxs79lq40xk70h2s234hen8pkpte2qe30q9e7cy8\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYQ2VXMU0rR3I4cjAwaHdC\\nNVI0NW9xK0ZGTGptc29lbk1Bc2pjMlhhaXhrCnZwSkpWdXlQT0t3WDdRb0dVay81\\nYW12K1RhMG9VL0hvYWFNZ3VJcUg3YncKLS0tIEJqdFhxUmJWRHJpSUJGeG1sZnB1\\nUzR1bDFMRjd2VnhXMW80QlFrbGRhemMK99AYn0X/112SWPZHDmpDJPFZWFktsPO+\\nZ4qCIrxQIl4UHYwcxMgGI5gbDV7JQ98IpPjE9m3l4b0JkzAqqqW+vA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAreEJCem1ncGgxdVJVdSth\\nMzZvWHo0dk5TbDhySXM1eThLZWZlWEJXSVZnCnd1amNGRHA5NmRoekowSHZBekY0\\nWDRlMm1HWmdaWFYrZU5nZm0vU1JsOWcKLS0tIFgyb2hPYmVFS1hzOGlUdExlbUM3\\nbHFmT055SkpteklCWGd3cW1ML3F5dmcKgPUd79ijIfnSGImfPLMpw1bMTh6rplrf\\nL2kSduDUNF2de59pKlNMDtQb/sp/En2YA3jVFoD61/DLnQgYJ3Z4qg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvZEtHQlhPa1FWVy9Dbi9j\\nNGRxdW9VbEh1emQ5WFluU3BEb3pzbmw2d3cwCmI4bHVKbWJnSjhUVnBCbk9uRStH\\nK1daN3JOTjhoVE13emZpSjdwVXZyVW8KLS0tIFlNSEgwckZudjlkQUxJNmhQTFQx\\nVUt6eDBoL0x2KzdxNGZDS1E2QVFTZ1EKo1ecwaOg+4I9HWtPPrI8d0G+sFCCIieI\\nFRjElyLqij8vzrYjf1jS7Rbwil5hRRaL7SBxlOjVnCwSV4PnIn+YXQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED 
FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ZUlSQkQzM1pFNktCTHM0\\nc0owdUI1a1BwZFgreTlxbElDOHZGaEpzTHlNCjR3VlNDQ3JSb21pamlTSmhaaFhI\\neTIzdGZ0TUltYmdOVFBYWHNWWjdwOTgKLS0tIGVKditYYmp5aWNMTE8xSHNINUls\\nTVpYSmtTVnFkNjRQOS96am11bjQrK2sK8te5JKv1DaYbluHOmemyWWkkqTxqNx51\\nNrnk6UbrugiSTcDe3NmbasIi+CgAG95pnzVfKCtXctiHYiJl0IeS0A==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrUGZrc21iUEp3cE1xWjFM\\nK1MzUVA4S1MvRzQzTVFsMFF6dStYeDg1YVM4CnF5MmhSR0hHNUJURkRTeUhTUERy\\nQ0NabkpFOExDNUVDYkt2N1pSTG9ZTXMKLS0tIFF0VnR0VjYreWRUMVl0bUFURlZ6\\nYnNhbUNyeDdNZjhKZkE0MkRlNmtHL28KhsEh1ngE5WFs7hMR3ATn37Kn60MqOwbp\\ndxBpBUCIrJMrpkLolhtr5KAeXhK2d7wxaOrCtVhKKkB9agPd86XK4A==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFVjgvRGJCck5vV0dZT29w\\ncGdvT0pxaFNOUWFBTVNtQ2hzOVJ4TDBQbFdvCnhXTjVoOHVvYXpYYm9kYzZqZXgz\\naWtBQlRXRXpjQUZieG4ySnpwSi9JNjAKLS0tIEt6cEp6eGFTUGlHbzk3c29tRXFO\\na2g3NFNrd0liM3VZdmFSY0dtNDFoelEK5VqWOJGOLI0esy8XGynqZfDmeA72zAzX\\nWvyShCc3hup8IgqyNY3Y8m2GCx/K+8W/pgs0V7pHGjNAO0UxWEtgvw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1fgzf77gyah4efemnrqg4e7j0vk8fpq0uzrucepmdpsd5z7l4lgpsfq54df\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpQkVkOTV6S3hjOGZVUnhJ\\nZkR2VDRGT21XMW1mRVk0QjdBb05sS0pqV1RNCnNuQndVU3k1eUw4SFpNUk1IUlcy\\neTF0RmZ6UXhNVWlLRzYyMDUwclVRb1EKLS0tIG5nUXk4cThxMUtCRWppaTVCTnlw\\nL3kwQ0hzQjRvM3UvaFY4RGU0RzVtaEUK3NV2GwtLYLJdiEqBCTThCQL20aqaUFBN\\nosjL9907hxbZIVlBZyBUpnIQ9Vb7pykwOpHtEVi74sI9jq2wW4TOGQ==\\n-----END AGE ENCRYPTED 
FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-07-10T16:27:45Z\",\n\t\t\"mac\": \"ENC[AES256_GCM,data:mFxPSk+9zIZYdJ1Vd70mPMOEqNln0SQTAPFeQD3c66ylM8/mSXwJcsKiPFCqeOzokpcy87lzikAVJLLABfz8Ni3J5XSViWnZCiA28GJCWtreRxt81LjZ2+bChGN1L2PQytQmV8iTWDzdGhV514D+VEZ/d6CzH6Xw9MXExmp/BbU=,iv:d8c7r5mUWwcL4+TygVBDZVkusBOo0xvRgkCOUG3UPGI=,tag:oZkkbMRWoDl5XUiMwMoxWw==,type:str]\",\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.10.2\"\n\t}\n}\n"
  },
  {
    "path": "non-critical-infra/secrets/hydra-users.staging-hydra",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:yeQiWMQRmxLAlxUqlw99ZclxfNTpjZJMltZEdxYXgbcoj0vi/pt5vcJsgfsXnUtPqn3MKY/NBrzflQGMflebrQbMa3O1Frd6kYOkCYndubFF2Np1Bdo7+CPLborRVWJvVg+Y39YG4NCSYsqrrkclt2SCKJyJnwLvjETm6uray22d+Ddf,iv:vXGbY+oJPHufacS1Nfb3CiIMY2zvEZyRHAH5ECkpyz4=,tag:sufkNRVw+Rzqluxv1PvQMw==,type:str]\",\n\t\"sops\": {\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1zxcssfw5j6dwvcw25tmxs79lq40xk70h2s234hen8pkpte2qe30q9e7cy8\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUMXJBYmpUSG8rdGlGSVpW\\nNktoSUFxWG9rbGYrUzlOSDc4TjErNmdtY3hBCnE5RnpoNHFGM0RTN3lqK2xLVUxm\\na0NZaGtMS3pIblBRMWk4Yi9sVGtGclkKLS0tIE9OVFpzM3hwcU5NRFZJc0ltUG9X\\nSXBHV3NYM3RiT3RRVWEyZlZMb0RXdUEKWZPzmGIyIP8GTGc60gWuez6j2Vco/DH9\\n0HRygJt9qMiRm8ULMnhIlvwl3S61/GePLekEQon56Dzi/xGH6zXV7A==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpRHR2TGxUblJmRUNhM1Jl\\ndlNTMUdDQm5qb3pzYXZlUFlFZ3BSUGZ6cEhZCmdHRWJUYlhOY1dkZGtrZS9DR29w\\nWThab1JOWUpvSlhCaW82dkwyZklocFEKLS0tICtoazZmalI4SUNuM1QvckxlaDVH\\nSS9OcGZCS2RNUWZETzBxWXVlOFQxY0kKdHJDN4OAyhmEpsNld/R8AN/7Ph/WWYzG\\nmfTH7JuQLmyyH+oYm4UfJflcNNY+xo57AONswpffxixMt/5c+YxTFA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzYndRMUZnSWNNb3o3OG15\\nU0ZtUjdoMTBvamU4WDRoSHo3dnNoclFtdFNZCmpzeGxtRWF1dVkvc3lRdFpQb0RL\\naG5kOExNTUZ5eEFXT0tldDNzUjRDZ3MKLS0tIDJpKy85cUNWZG5QLzY3SGFwMGZ1\\nL0lwNlh0RFNtU29PbzlTbkdFQzd6OHcKeFNQZAQx4eJdIr5chZmOsF02Q9OkshPv\\nFEXaruIMSMmKIEsYfCryTalEKUx9TsY89EoPEgGGt0L8GarqnBE/hQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": 
\"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5b0JqMHh3RXUyVStpeHli\\nT3p3RE5COGwwLy9QblliQ1FxeFprbklMU0RjCjUvQUMvUjFjVzdKdyt4UXd2ZCto\\nUHpjbmxlQzNMK0xFSHRSZ3NrNzdTTzAKLS0tIENPZXlzT21kenFqTGFCbE90Q3pO\\ndENtVFpRN2ZPV3ZZejZrTXpVVXlHdzQKmWWQlIYtot4ot2zSLN+YjtK/DfYlOBW3\\net9ojaeoh6jpcZ169P8g+NYAHtkrRmkZwLEmA6aUO17NpsO4QmCOag==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIR3VaQUQ4Nlg3WFdQQ3pW\\nMXk5TUZCYXp3RGFjdVVCbDdidjJxaTRNazEwClJ5cEZQWFZqSTFERW5vcUVzNmts\\nZWlhNzBXcU5hTDkrRVNwcjRGZ2dCZE0KLS0tIHV5Q0piSEJkZnJ3Rkg4NU9abFZr\\nN0lvdmY1SmJrZlpNTVNZVWFMZGpRL2sKtOF/6nhVSC6UAzXlICr8bUpxqUs1aoTx\\npXbDm8yYznsnB9NGrf1fxh4pebAjPKVg+OsSx1/83sBPwyEcbtgSyA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYZmFsOWFXQms4ajJ2d2JP\\na2g2N1h3S3lTNndNTEZHajcvMkRldjAwK1dVCnhxV1F6dTkxRGdkZFNsVjBWRGVW\\nbWdISERIU2s3SHVDaUpnWkV6YVFNQUEKLS0tIE1pZFRjeldjcVFkTXZ4bUFiRWo3\\nakdma1RrczcxUFNtenZMZzdzR3lLbGMKLJOJbGSzzg3JFWu5S8loCv6sWZHiDolp\\nuFcJntM7h/N72jh+MVihnYqYpBwy1CMmAIoa2+NB3u7tVz9o3Nh4ag==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1fgzf77gyah4efemnrqg4e7j0vk8fpq0uzrucepmdpsd5z7l4lgpsfq54df\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED 
FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBISlJsbnZpRlpQVTR1MVJB\\nNXJ3cmluck8zcU5WRnl6eFMreDZoZmE1OGlvCnBTbVpQSGlERWZZWGVBWklFV3Fu\\nUkNNeGthQ1JiODh2MUJGa08wTE9BTzAKLS0tIE1McjlnOUM3OW9panpNd1doVGZl\\nUFhzU1IxN2tZV3o5eDV3N2JFamZMNWMKCi2+5V7su8juiDGLjTOI9QcCLp/JrXnC\\n5x0lzs7fe/tRKuoqk3DWPeY+XghHm11Fps4FaQmkGKqB5hsrn3IAug==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-07-10T17:08:19Z\",\n\t\t\"mac\": \"ENC[AES256_GCM,data:yRTdwwPguqk8A3KpiUJjdRIV/9mA3/tkUpusHL6dtDFE6CS2WZLp7CYpGFzd6CqM/r5Nt9QwA82ZZZ58OSqLfqQhO/cxrsX3AiwqnKiqL4pgXDcxmQTtnUljOFM1YvupEsErkJFnaEH3QAQMieyS01A5brrFIaY/1D4Ex8luZps=,iv:12VkDMZVUvE78CWjveEKn2+IMcV6+LCVdLPUNg3qSDk=,tag:u71y+bPlDquBDruNqpOE7A==,type:str]\",\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.10.2\"\n\t}\n}\n"
  },
  {
    "path": "non-critical-infra/secrets/idabzo-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:xfTE8CfwS0rZGBIlxcIONwPprL2h,iv:vtJ+uWpxDUMKw7wFK4h/zKEJNBVa2xgh8Qrq5zswrAA=,tag:xVnZhyEWGixss4FCJvSrRQ==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTaWxvNFFhSnN6MlBQUkJR\\nTVlXRkthcCtaWUh3MU9ncVFydWJzMTlxOW53CjB6UmdsS1FUc2xDaDZwbUdSWjFr\\nTFU0YUtEWG1mVVViem4vMHJiVVY1MzQKLS0tIGduOGlhbHFGL29McTdsSkp0bWox\\nU1NvcVNkVlo5UWdGdm1UakFZZWFRSmMKwBJXmyrOaIC1dGHsR2swAJ6sDhHjh8Hx\\n+hkJrHmTTekx/7agIzevNVVY+QES47dz5k3aE9y+sZM3zhnAEkm9mg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGTkVDNk9Ob3dPbG9kQ1Rn\\nbVZZcmE5VXl1SVdOY2M2R3E1T0VoeDZRVFRnCjZMWjZGZVJ4MEhjUGhmSVhOOHpn\\nbE92b3R3VllESVlLTm15Mktub29YTHMKLS0tIHE1MWs1SUhtSGxpcXRkYmgvS2Fp\\nR1JBZCszcEptZTh2dEVTU01sTTloUVEKt5loGLT7+q473yYllnV+gBEFqXBdUkPG\\ntlTjDCd9a40MbucGIwJ2ZxfoaYSURAcQcBSn0IM6BpLuQb2XrGpZzQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTZlppVVliSXZVMXhqZ2xk\\nQWRPcmk1K1J3cjR3RnYzaVhBRzNWSGJDajNFCi9sTnJ0VC8veTE3cTZ5QllaSWh1\\na0IxejA1T1BxTkJDR2IxQUJXZ2YyOHMKLS0tIHJEQlAvaHJYQU5nSGE3cmxsTXZh\\nT0xjWWc1OE5qM0wyUkwvbkxCQmdmREUKu8R3NB6Lyy74Rx3KNfYbHlR0rO4SR69K\\ngmOId0yCornVzNH+wn81w5Vo+ENRFtL7k2kwzpSo27BmX80ZtQRPlA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:19Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:7rr2FFpYf5Um9gDAd1X+4S3EbL6Bl8vHPEsjbfyw3mp8KAt4bSi5DTGdZSri7HMcIsk6ZFbnWkRqMRFyMCzgxfwb/09JO44eOIYfgPPv1Br8srlXLzf30EzYucUEDch/0Iu2tbq3NZ4z5OfGiXphipOEhV8jjOxtKe8aSjylzP4=,iv:gi55gN0plG/1u04ukPqn+HR3zyvlF3nWzQoSaez7tq0=,tag:JJKjm1hbTE24hLWp98syrg==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/infinisil-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:g/NztGMiw6S5VlGl8R/v2puyS0WY,iv:RUcw9ErUfyg/IrfmFsCjRiqCqYIPhAPitzvzJ09MG+c=,tag:RNUJATI6hnkOHSyFNtFNSw==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSckxRblVLVmc5OGx3ajFl\\nZ3V2bjM5LzRhTDVDVEx1U0VyUnlzd2xyZEEwCjFTMDFtdzU1aittbkZyYnQwQ1FC\\nWnpJL1N6NUN4UTlrMWZPQktDdFBJbUEKLS0tIENHa2E5NFZsdzlxU1hkT0dKUmI2\\nRDAwVWp2Vlo4d2FUVjVWamtjV1c3QncK9zjkHKvFm9z+fxBrMa8H/L8pFoYoICgs\\nTPRK3wxwZZEhINnbFYAffxcTSEuvKSy3yVnxa0Q/rOZJuJcpsuBa6A==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGbTNUR1NrMDBPdCtLS3RQ\\nb0VBajRBVzJWWWRYRGkxdzhWNDZrRXN0QlZNClBUczBZL1A0ZnR1RytnRWw0RUpQ\\nS000RHhxQ29BUTFrczJkSHA1WnJwZGsKLS0tIFNBWVFHSGE0NEJTWXJOdUVtekhT\\nb1p5UmVZbnFDeEZHRXA2MGsxc0xYUGsKvFOtn4zjnQwQnQU8xFVvuc0srnTHZ1zJ\\nZClsCTZi6GB/KnSGDoH0uEG3GW6pN2XeTyVpkbWM7imcslR7HNi8nQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKMXYzMXRsdVI5aktwdkNn\\nL3NySHFiWkpSTmxCUDVYeXc2RzdCOG4rQ0NrCjFPSDFsWFBlcTlSM3ZIS3J5K1hF\\nVm5yYjNyNW14R1JpNFUvd1RSZHVTM1kKLS0tIDU4MnpCcUFSbzlVb0owbWdURERR\\naTFDaERxRDhQd2c0VDlsTWlrMkJSWTgKZbIRxrhupxHpremBum8hVr7nbP2vVGS9\\nw92f+43HDANvrc+nN+WwRSVS6YXybPDrnWhfBeZhcofa5pyB29L0DA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:53:54Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:DDpX70GDNDHHYgRRP6GtKwvE+1TEA7sXuupQO+uHQ4DtWSI4yyeDCaRduXZUDX6W4OXkz45cfPkFJKw0plckEsqCHgaO3hX6ub13bfCFHVsxXXXhFKV+Hd++3JBqCbbwQL2S1VLhuZXAua47bPGIt3f5ov5gcxmCzYniEtXan9I=,iv:9jwrG92UNxNdhIkW9PfbLX4rnL/kd5R6MaE+l0Z8ago=,tag:ZO1pJKO6YaUzwE3cn4r5+w==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/infinisil-nixcon-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:bwvfsHzw7jgReKI8uRvAdUusxIs=,iv:o9QOwug8Ewlv2K4uiO1NxzTWJUenlgaZD3TIe0rc6To=,tag:B4vRwFbEWZzTNHRT6L12dQ==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDZUE4WURrL3NMdzBNNndM\\ndVcyamEwblRuV1hXV3RGSlpxdWJFYlk4aEZZCjI1S3pOazVSeE91aTZwNGF5a1VQ\\nVHp4YnVaOGFXTWpQNkFPMUVZdTBPSUEKLS0tIDFUenlNNDlQQXNiL2ZNVkR4VWxs\\neUMrai90d3dLL1JjNXZtZ2Q3R1B5TzAKgtRotcPxCYnLchw9rD57droCcmP3mQDJ\\nsVDaJ3gP54NgccmMjQ4ggFdd6BVvDq4PFNSNyGxo5E/mMUQKMDfWtA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzTTFIcUIyd3crbXkrOWF3\\nMGpGbVpHcW5LMkhPbHhqdXBsRmk3VWNZZHpNCnl1SFZnV0xINmh5N29tdUFVTi94\\nSmhGZjNIbCtsSjVhTjNyWGtseFo1VFEKLS0tIElnWGIvcGkwYzFwUkpQNVVvQlRJ\\nQjhlRjNIMTBtblRRaWJuNU9kL1JtS1UKDHKn0DOUNGxeYWTWMko8vlbZ9Xf6ozJ7\\nNt7fMt99FPDbqRV5OEESUIjD4/x0CV2sDG6vp5dOBAu59B6WMmE5RQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYaFAvUFErQzlZRHIxNlVR\\nbW5JeHpaNkdlQVBoOXpYNWJqTW5TYzU1d1djCm1SYjZOVDJSZWVuWmNoQm5JOW9O\\nT0dxdTE5d1ZYZ2d5QUxBYjErNEQ5VmcKLS0tIHMzbDdrQ2dRL21veFFTY3BWbE0z\\nWWhMdnFMbEgvSitnVHNrb3k4U2JDNmcKXnNto4P0cZV8ovGP/QP24OSZkY7IL3/O\\n9+U+zcIGs8e3kca0ELA7j1E5nCEGNUyTFKOB9B2zOu46HGkJ6YTR2Q==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:14Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:SRevXkFgRtpHtRmzqpT8+4a6WvbR4H6/gmImJ4LTmNi0Vm65Nb0Z8k2QAZpzyl2DWyhLDxZ4cDD6w+OMSdZ16ERweyIucP0Wm1U+GlwsEq5KdkR6UuQqqnX/lONUh7rUuJ++4k1EUTbTTQdkRg/npJPanRzS0Am/0Jd66B3WL4M=,iv:KD1QTsGZvSzoh+u+1tifLu34E2S8FQhno7C74p7cxtI=,tag:Lxid7jtazSTT8OFkNzcA9w==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/jfly-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:6IohqSwaIUjML5GP886SZ3OQ2NbeuRI1ysrp1wwLe5gP/g==,iv:zPe5s1z8JmoBPP5QgCAEFDptYm+5hJxP1sP+edXW+Bg=,tag:5E9Zg3Mq5CyUqZ/pdvmMDw==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUdEFkTk96emFXTStBRHZ1\\ndi91RE90Vkk0Z0lFZEdTS0xNdHpGc0lacEZRCnFEWFFKWEtoRWhuZjlldnh3bUhj\\nTDZDL1RwMlB6OVZkU1d4dnJjMTNjNDAKLS0tIFB4WjFSWEpCYUdxMkttTTdRakVJ\\ndWU5dmVrcnczQTNxRVFrT1l0Ny9hbkUKUyUn7QvmjLAjqAqD8iYAx8ciR8UFhI63\\nl8mWy6jmJh2ryMd64+H0B6I+YMBPDHByvG42tlNaO48A2Pe8q0Srug==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvNFdxdGlhYzV3WlFLcVJ5\\nUWFaNUs3bDFWa3pWOE15VS9abWpvaU80a1VNCmRhemxPanZ1UTdZSDEwU3czU0Fq\\nVlM2Y3lOTHQyMFduS2FPMlJ4a1p3OWsKLS0tIEwrbmtNOTRzam0xVndER2ZoQ1N6\\nUzM4Qk1BeHBSQVV0dmlKZEhDaC9pbVkKpHjAfJMddyGzo7U7aAl/lqajm8mCwzAq\\nPZ/k6MgjER/YAIlDHelvEhPsI8W9VRUYTECRIYMFXkPQaLeQB02OIw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKWVF4S3dPanFzbUpWNGtD\\ndnJmTUROY2tTWnVCOHdXSXpObUVIbFBMUjJNCjFGRnpTQXJ4eWM0bm9oUVVlaEty\\ncXhxUlRXMlVXU3J6dDJpdWlVS2tYcmcKLS0tIGc0N0RmNUtUTHRWMzZVZE5mUklZ\\nTmYrbU5yTVo2cTJaOTRKT2pUZzlhUlEKNdlKt3s/fxqKT1V0HwbUf3draDodeBsq\\nXnLPalfN2jGHHcMiNj7nweNPy9Nu5l1WvRZ390DkVZlDJ7kkD4lYvg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2024-10-29T18:30:30Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:q6lEknFLs1MX4gBtPH8M89lNsAcQR9rWEaG0EobzP0AgUIxUyn9TYvFURD3xMKAp4KcoPfFq7kUO50z11WtC6iw/dAidLhemWOTVT8Vv0SHtc2UKF38MnIDDjmrc05+Hg+X4NFjki76A4NPvIUiIMk+0oL1FK7IMPYBSIBzJqrc=,iv:xl/s2Ah0ccWBDAxHBTXat6hX0yYtYoVbp6gAN2WmZqo=,tag:fXzdg7JaXJdHho4vH0c33Q==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.1\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/john-rodewald-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:Vc7XQ+0U85wa6J10lcVDMbLabmmTiQ==,iv:fzXxoy/ZohNY5pR4Y2qYWa3WVLo18BNOLjE1w+dAAGI=,tag:DM3n88oe7QW0tZJXtEx4/A==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRRkRDc2c5Uzk2cytmVE1I\\nd2FNU1M3QmR1VVlEa3FSWlMrd3I5dExsMzE0CldtWHkvNTNvL1NSeEhhWkVPakQz\\nVUFjTllxUkhFVnpTejhGay9MWmcvcmMKLS0tIHlNbFJBTDNlblhBbCtncnJpVmVQ\\nZzRqa2JyRHY0WVhVcTZIaE5QTU01VlUK6TL0Byz4UJeHEvoHXWb6U/y57J+o4p7C\\nHPFxM/R6Ib1QUOPxukYojNcWOFV/BiMxLUp64CMibHkksHYg3bDGJg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOT1BXVE1nc3JZcld4NEo5\\nRFJHQkhhVFRjVThMMFl2d29hMFlvT0xSQ2s0ClBEL1VsLzkxOENGRnIzZVRJYTFy\\nWHhBOTNPMmJKNHYwMXdGV0NMZjN3WDQKLS0tIExDUElrYS9mK3o3Wmpicis2Zkdi\\nQmcrbzdRQ1pBM1BmQXRycEdRWEVTNEkKX5u4At0LukCBUZQOxvBXiVMw4dn2whVc\\ne0eFDkGvi8my4yUCyYoUFaAq2orygIhv++Ih+mYRorK5RyaCBpwEXg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2RVRRMWNWODJnakZSZVpS\\naHBhczhkaEkzN01QSEIzOFVueEozak04N1FrCjhDTlBrbHNyQjhqRCtua05vRHRn\\nMHY0SVFpMFQ0bTFKY0lqdzB3djdwWEEKLS0tIHZVUldueGdLUG80cWoyeHB6KzRZ\\nMnpEYkFyUWxQNlNJWk00bGFKck53REUKUBVnYeidyG/0NLOS4XrSiSfFtz6UHvk9\\nInBHRCjsWCuyPKSvURKj1+XS01F/+mAPId98GHb75RPkqXhcu9bAcQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:11Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:ABgTUQLGRyjG/lq88CJG/f1liPvL6cUqJNaYmqxTmv+EffJR/1EWl19O41ZyFCFW3/eSPckaB9MXn/oRqUfd6pY5GZ9tqCVDoK82YZ1cMqnHU5b+2n9lEH+Kn7uqvVh604j0Bx4lCpSUZX6/pC4NgpKbZB28EOVo8ptnMUSn6KQ=,iv:UHgEnD8VUyOW0vUuVTKR61wHvdXXdQHeChDgq/MZxmM=,tag:IuO4AUtGk4FiXEcnQJs+3g==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/jtojnar-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:cAqOtDZSzehegRTVGpB6uT0=,iv:tk35P3Wpw2ikNBrjCiz1GYtzY+M+te2dxWpGpnJJNuM=,tag:aG7J4/pt7YcvYWRoizfUqw==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6WDZJbGdmYXZRcTR6S2dW\\nZWdpNXF5VUJBZjRlZTVHZGpoQWZER1VObGlrCnBud3BrWUF0ZC9tV003L0NCZjNz\\nYnJGMHlEbzZraVBtb3FNWkxZNktYaEEKLS0tIHhBVyt3K1ZoeGNySzYxN3NCRElq\\nTmtyZGxOM3NCVmFJa0JYd1BsYmFTODgKl4x/bqTTMNQaT/GLp5gD7B0a/orkCBva\\nocYoYtouwdlcdseu7jPaXgIb2ooomziPLMwqbORicVOAitFRnvNbTA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvZlVjek0wOGdFT0NuaWM2\\nRWVXSlFRdkU5N0RNVWYvK2hsYVRrMWt5OGhJCnlyd1FLd0t5MzdjVTg3RG83Z0dQ\\ncXBPR2szdkFPalBBTHFaN1FRU3BtN0EKLS0tIHFxZkZBNFpZMXdYVk5lZENRYlg2\\nTEJqcHJNM2dDNGtMYVozd0F3MmFZSUUKGZY9yHf3aKBK/+/jEsofhKNN4ypIy0C8\\nOAGUiEQ0Hk/yw2B8kuBAARHQSK6vNIMTqMqMtW3OMQzZ3hMrnGk3Rw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoZHhTTlRXZ0JWTENoeVRV\\nZGRGSzVBYTQ4am40NzZQakI3YlVWWXhiMGdJCnYvYUg0QlNka0lmaDZXc2VqTDNN\\nRTB5dXV5Z21hdUdtY2JXalhwa0pYTmMKLS0tIGJBRmRNRnlLck42ZTNieHMxcjRq\\nY29YbmZFZU5PUlJHc3lOYTdyVkVhYkkKTWI4dUPYbpmQY/PYPHVWIA1io6VPZObr\\naN0hyzy+3STWnGkd7z9zLVvJ9uUBAyGxSUmDQ8qKyYo+J8Fi7BaEow==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:28Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:6Jh1Xo6KHU8JWDXU9lkJHmYOuJkndvJ7bL8YFZbBNmctv+O0nLTsaxl74FHhxVqdDDS/5ujtldUnWs1syl/TZO5dKCuNOvOfyOM9CeVpX1jKb1qNVRf8SRlZ0HYHngGMo5b1/BM92hy9Y8OkOB4Vas9NamKr0XYopGrnlt9jEpQ=,iv:FXrTqftMdKZFPfc2jDduEgWlFz5KbRUgDgIBuZlqghg=,tag:GL3hxPdu0JS2DbwmoVqq9w==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/kate-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:fmyrFIpAvRHBeAyQaewlt7331qUrqg==,iv:Dh0soNrOhU4ZP2lmNp2DJZl88yqvOK4Ivu/4dLjFYUg=,tag:KbVXL0E7wZ4Ezs+W2ObZYQ==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDeEZNSGlybjNtQ2hZajNy\\ncURLQklBSlJoWWw1d3NDRmxFYjl0MUZvdlZBCnR3QnNmSG5qZEw1ak1ad0FUdEVS\\nelE4NTBLV3JjS1pjWUhBVUEveC8rSE0KLS0tICt4MlpvQVlmMVM1bytNbkRRYmNV\\ndjJhTC92ZHJmcG9ZdUxMNUlsMUtkaXMK1fzlUh1F23trAcSWIYop3k0jTS5zIXMn\\nT+rlzjZeTvSCwR5whpGLkKcW9IxEvvk0YQ4WkF/rgRxgqdOVDGqcPA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYNmRFNE81aGFGSG1OTVFJ\\nbEFBOUpYWCtLbmQvZDV3dEQ0YlRRdXNIclZvCnI3K3ZKOXd1K1JYcCtLT2x6cmNJ\\nSEF5dmlhRHB4OXFWbjF5QVNyNWpNc0kKLS0tIFFYOEloV3g2ZFExOVo4MVF6cDQz\\naDNRSHZrNXl6MVBmc0lOMmJnREd4azAKB5Cus+7lhFVRLUn3QXQNMBh2m2gnbqk0\\nDtuQtNEv1BHxut2GQ/W7dmRYlCLFwF3RPfEdvNwHIsgVcDOx4TZZDA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4QS90ZFNHUHZUeVZKdUV3\\nZXNBTnAxWUY5RHFSUnlEQVBxSWRoc09VNUhjClZmTEFUV01iV0hFREZGUVc1eGw5\\nbXNpREpGU2N3a2cxUUZGSlFNaGI0N1UKLS0tIHZNTXF6VTl0VTIxa2l3RFFudTBB\\nMTB1d1ljQklGWXZTMWFXR0MvZVVTRncKmRI3OFYu/ALq57TacfVYls8LyscsdVLx\\nROMkqvRNOhDWh776s+hp9uJQgNK7pXhBX5Ee2EAo7a6NZ1uLrh2O9Q==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:53:53Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:Hu54zQTTitSQr84kOAHQn7KeixF1lvtDHXKFqra9hFDEVTNSvf8zUfDa39WzeEB/aBCRjBND0RzCMEtFMpWVRIcxhYi/nW0L6Yfv9pjVgI0iYuo0W7qregRh9ipem1HH14JgLQxI19ZE4AFDNicMQWsAezNt17/JzVKrFFf/MMI=,iv:u1FhZiTxmMJXAxRyFdY3Wq0wzpyiq7RoUd2HtAab6pU=,tag:iRhYv+hggZd/4eQZIWu8bw==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/lach-xsa-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:v6aURkXCDOHJ+Eok,iv:pHaZ9UwYc+CsqO53qwaYykECc5AIcpxvUo2/1LbqfAA=,tag:UyI3V1Za/yiuSP93tc4Pvg==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQQXY5VWZVT3duTElUNlNN\\nSzZua3VjRmNxai9xS1ppV0pjVDU4REo4UWw0CldhT0JueXZtQXNNaHJNNjE5Ny9P\\nVktvQTBxdlhyN2hYVThDWFVhaERtUzAKLS0tIElCMjkrYWhMZ2piQkNyTXlGYlp6\\nYWZNWWN0ZWMrd040Y3gxTHRmNmRFaDgKz1RTdNandXWT5WWyF54xUmHciG0BoMe9\\nyfnL1Cb5UvoDL1cSrgOyeUrfHSo1WFy/o5+cslXcM7o9B052IgBbNg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEcXhQeHpCUGxmaHBWSW81\\nZHh5MjhKSzMrNUF2ZGp5c3JON1dHMmZnMFVzClkzaUZCNlhXTU5EaWp3UnZzakMw\\nQW5DajRFUDBtUXZvbndldDE0Q3dNU28KLS0tIG5BRTRRSUtLOVRPSlc2NGhybTYv\\nelRZbm5yc1l4bnlZRUJkRzNaU0RSeVUKH0p7CnEm812zaUP4V9xIEJrMzD1xpyxz\\nrQhbGaDyZokMmuDf9UnYeeJzKGB6tkVnBga5e7t+xvVgFjhQP2Qz+Q==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4SHJJaWdZOFBXUDdPMkR6\\nbGs4dUxPbTVEVUNsalY0RFV6NTZ0dmh2MWdZCkZVVmFJN3BxeW1UWnM0ZThPeFp6\\neWNablFCWFlPckZTRG1JdVhGUk9IQzAKLS0tIGZ3cU1EaWNRazRVRnJSekhaWEdu\\nQldUcndZSHdvTjVIZy82SzRhb3hhbm8KfJAhPaS/I2sfhcWlW+3+fmhyTNPhW6Cy\\ncB075ydLsk+RvysKuU9h8PSFuomxjJPqQ9LZB5EY5+rYBgYxXTfIbQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-04-05T23:08:21Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:l/bQwqSBoY25SkEn1A2OeTy3n9ceZLeGzUz5MspURr6a/Lu/KaUbMtUc1bkwvYF9KmS9DSnum0YOImxgJByhgGk+jLw5DefzWQixcirc/8tdPe21DU+Fgv9i0TsPC+rbo+dIwlVOVvN1IDN70Gir+bvhb1bVznif1Xd0vo04hcY=,iv:s8EdvuAap3K9B6HmvJazuNJ8c7bFMtWgKBMLAU63ZAQ=,tag:2vhlXmhYaSKOcPrT1W1suQ==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/lassulus-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:nDMmn0o4dqZWIcSDhw==,iv:Fb1Sog/1Hzk7IpIYmq79a2Hi8xpgkX0ViU47aYLO/+c=,tag:TyHkRHWO/Ijtg1SdkWzKqg==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVazl0NEFCZE5uTC9YS2lZ\\nSjJSNzRUWG9heWNQTU96MTlSQ21zekI1T0cwClJ5VkFFb2tzUDJKVGozTnFUTGlS\\nK0hKdmZkT3ZtVUorUXJ0L2MvYTMzVUUKLS0tIGd0WkZyUit0bWRzNDB5bWRUWE5E\\ncmxYYW1OVHR4Y1QrOWpTSy9vc1pzcFkK5+qTmQSg0FO2WW/gP9EqAUQdZT9iFYEh\\nX8IWMWnMlfE7eOI0PMax1AtBvISusyvbwTXfsmhRROcvyODKhQLvig==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYMGhHTWVwQ201OUpPVnVt\\naVhVUmV5Q0FGNklLSGR5Sk5aL0JjYW9GMlZjClZ0cno3VlBIQnBkaWJTeGJMZVFP\\nN3lTMUJGWnJwRlU0M3hrV1RwcUNaMlkKLS0tIGZPSlkwc0F6NEs5NXFvQUZGZHh2\\naVBXK0F0YUprTHdhVDBNb05za0x1LzgKl/weC/O3ms3ccJH0aRwoxdmIRuTcmmki\\nTr5/MLlRBegDwbU6jJVHUT+KEj9tBRpbduD7NjKGCYwdx3XHdHXDTg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhbE54Rk1mZTFBRFZxaFky\\nNjZicnRCaVNSdjNKOFQzMENYRkJTdDNiTEhjCk9UVTNYZVh4aVdmNEtzMXZKcXY2\\nbzhPak1FZWJ5NHlwUFpYSWNSZ085VmcKLS0tIFBUdlVzWllIQkl3Ukhpc0d5OEJ0\\nMDRmRjNoK2FEZ2R2UHZMMERnSytWenMKyS+pjGWmtguHNDhMyTMVm/HIhw5aatIZ\\nNX/csiQRAlO2UUsmimMiIfm932UStmbaePyF2X7uotNNUDUumhSEIA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:03Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:wYFTO9E99YKsZbAkSNIkvt7uNgPtUUuJGZBjvUOys6rQwk7hdn0YxaThkU+giGT9vJnwBQ2r8vHVOohORjP8/gA/osnImb8RZK8tjBWp0ydB3yltn3sU4U75luv8xWRF2AxMSsFCdZde0hzRsDmnbtNalRaP7TC6jmqhteA1cW0=,iv:nsWGyAxDWN1jmMdz/VdWGZbYGVIGMRudh2RhNr5Na24=,tag:1qcKYreDOeFw0lVEtdZN7w==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/lassulus-nixcon-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:OecTZiJ863XBta1AVhrjBiW7,iv:B6jUYLlVLEpi5EHqr7cQHqiWK3hLvD3JmxQfh34EWBI=,tag:HrK4trEOhhtgPFpmDU9Rew==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWbXhCMi8weVdPYzR3T0VV\\nUUhRQ1R4em56bmZRUFZ1NFRta3k4Z3pBS1hRClN3MThaeUFjaUJYSU9ISU5qcXBH\\ndmx0Z3FJK0pTdXlhZ2ZObUdnbjMzcHcKLS0tIEdCSkRwb1ZySEo0dW0vWjFHY3BW\\nUVFmejhSbjBSVWhLWk90TVllT0NZNjQKyBB0dqepE2s+v9Jg5epPYpAESV7Pa8St\\nILY8LYa6mlvy5k8470iriR62u1WKwz4sID0IeMcWa1WDhNEOCTJGhw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXTUlOWDU0WXl4Skl5VW1Q\\nS09JK1pqWEFmT1pEYXhicWlXTWRSL2VobUY4ClZqaUtlVWNkNWNTanlUVSszMWkx\\nMHVyN2F2Yk5nN3lkdXcrTTlyWXVnaFEKLS0tIEhaM1hLYlJvS2ZHQUM0TEt5d2xT\\nZ3ZVa0hiUnpyZ1lVc0oxOUVvdWNaUm8Kzn+ElRU/laE0YzvE2zc6pOAekZzTj9h/\\n7OR15ozi0ulc1BM8VklWIG+xMgSXN9iWnPNVSL59d0g7bU/VSrffhA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTSXR2MkFaNDNnM1JrN2xL\\ndGF4SnY0YXgvSHZnUjN0cWF6ZEhSVmV4L2tBCnlhUVFRcnlSdVNKTS9oRVRBUTVC\\nY0pWN21sdzBoVE5weGJuZWlnL1JkZ2MKLS0tIFZJTmk4QnN3aDA5eHNrN0ZPNk1m\\nenZrWGNMRnZvTjFPOUZaTi9yT2crNUkK4+Nw/Juomv9D0imAXFMuD+7M7lZ/w+J9\\nYCcvdTdrdWQ4DF5DBRGaHmJ90h8gG+WQgn7lmYwFAYnn/oJXE0Ss7g==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:17Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:00WmF64EulPqhVxJ8gJrSc19Wgu1L+9KcRwxLWq8mR+hIYddABuPWCGRVr8eo57bT3rD6s2onEI6I9ttsGHVuG6fmFPKYrhGxG5VHSgP8VQcQjXIU14qUgpD+nhI+IJDUe196NK6WDCe0y79Fve4gyjf/YxluC21eeKC22pt/7I=,iv:dWvHXS6XwGf0vcW6tbI9gdDVUfORqCR3HXFI2GzXVFw=,tag:H5rWsVf+utGEjTbKMJtBrw==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/lassulus-wiki-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:0lA/vz9bTxRvUneZvQ==,iv:D+C4LNaAClbX3T3uMOv1EpPY5IhOV8abTMjiREwwEw0=,tag:gGLFWwOXuiyyWzGWLXtEag==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBra2lqSXhLTEVobXY0NHl5\\nbE5ZNnBrNlEwTE1vR1NHZlA5Y2ZPc2tDeFdBCi9UNDhKM0svNnB1amZFYzdHUExv\\nVEN6UGFtcm9pUFFTRVMreHhkLzhRZ1UKLS0tIG9uZmU1SHJOSm8zREVWSVlieHdO\\ndnVJZEUvUUhtQkQ0OEtjQm40ZmNONEUKI2INfuctFxpt4XgP2QBYf9DxZNFtBJc5\\nvD4L9P0tShqL4XQRcvfSLM86rZ71ycJbF0GIxVltSZk6efRUtCbI6g==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFZXdENS84REIwL0YrU1Yy\\nNFNpL1RPNDN2QkQvNFpIWk5hanRab2U4TzBZCkM3dWtSMUcrb3F3cS9Gdlc2MExH\\nMmZqYTMvVFRKVDduSTYwTDFWY3RDOTgKLS0tIDFrQ0NVMGhlZTNWSGZZdVdIcW9v\\nUzR6VWZqQ2VJcTBsQytKaStkM0VXcmcKnMMIyyBxGrFYqLv4GeLCWhdOdmtO3awV\\ndxNpQ2xWeLM1X/frO4iuor82tsdhq4A4eA2mvm5SnOuTBSkVeAEBHw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGc0hobG56dkc5QWdSUGpa\\nbmpMMG5LUlFubk8zQ3E2d0RCQnM1VU5IMEMwCjRFVnBDRUJYSVhTc1NuZEdQanRy\\nV1NqNGNYOEQ3dmlCTlJuenhNU2tPN00KLS0tIGMxSTBURXdSUXZDL1dVMHduR0xB\\ndkhpVkhHRkNFRzVpT1I3N3FMSzZXemcKdSV/jZ0eEEjvFxYGVl71/yx6xoKO7Jgl\\nPL83lJg4YNv3RLC2gdcRLbXIUpkkUC3oV6HIsr/U+fWBleyN2ZiC0A==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-04-05T23:02:30Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:6qZJgoF9V1/yXlxMYQNo6QMVjsQtvTvA+6R5zu0odehUZu73ogrFoBWke7WeXbOGmRPAnr9ZsYTqoOJFM41cZaWZL6xy2R/sBIYg3ZwodFi/jk+3BjCVmXiBZIvGSziDjkwaqPkW/lLW6ummTB5drT1eeu/nRbqB156NcB372OI=,iv:UTA4U+Juyt9y4eA/a6BuUWuaWY37t0FrOpJi1WV67kg=,tag:1o8ibuii76BMrc1RC0z78w==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/limesurvey-encryption-key.caliban",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:dV2y0TNxJ4prwwmKI9U1V+gVuO4AInOW4rRNl55jg4X+FyI81K6xGWFnmTwgvPornrGslw7KXnX03LNsA8HAyWE=,iv:arEPrkNSzi1lUUc0Lutfa1pDFrEKe6GQdhm2bHsZ8AE=,tag:n2Q9TQS8/b7Lbun4qK3pjA==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0WmxKM2wvS29WMitIUGdP\\ncFNGU1l4QllmNXM4d01GV1dOQ09ZY0pIaUZNCkExV1NKMDRtN2dlZUx3Q3Vab013\\ncTB2VHBUci8vckNFbzV5RWl6K1lHNWsKLS0tIHZQMlRjczBtWDB1N3cvSkZWeS9m\\nczI4aEdRQzJlcGpEelBhWTJYQnVLL2cK852vurEJeIV31PthknDZT9FAOf7mnu4n\\nW596ge/xVlNVcXqQaoLZzt/Ndm8ZaRg6xz/CztOZZiQ8MzHYqSILrA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzd05xa0hjVXRPTEtIbU9F\\nbXRWTFBlUkxYNW1lN0t0a1ppN3BvUTFwVTBzCmdRRVN2K00xOVJ1aDZobG1NUC9X\\nTVluZVJmaXg0SnNUaUJUV0dzQmx3RU0KLS0tIFBnVlcrOEd5SnczSlFXYkxTR21C\\nSFpQVkhqdUt1ZW0vNkduYTBBVHpQN2MKUVpKaUE0+ZYmT0TKdbvsKEWn/KnJhX6I\\nJcigMBkg+l6u83s64Uz7sBMrh48Ab4rdfnMv0G3bTjEBqGAG2SFHNw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1qlwzeg37fwwn2l6fm3quvkn787nn0m89xrjtrhgf9uedtfv2kqlqnec976\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJL1BGMWZZakRIT2lkb2hT\\nc3dBL2VTQ0xWcEVCWXBUaU1LdlRQUHg3ZWg4CkhaS2YvMzRiRWVwd3RwYTBFRnJT\\nbVNaR0lNRG0zWjlWMUprQ2x2cU1nVU0KLS0tIG52MmRkQkFVYTdnQ1BTVG1TaTU1\\naEN5YWw1QktoWnc4YlRvWGh4T1BMbU0KFKc/frIPVeTELKXawQz0P8PhtW67NF1z\\n5+d2XKxL/VQIUNGx4551Ofx+V5FqJejjvtkZixdzWGh+Izez/nqhUQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": 
\"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjS1JSbHJaRU5YQzVZLzJS\\ndGJ3R1ZUamRtZUxVMjV5VERLeGN5ZW9paHg0ClJMZUhTaytPWkpQdUZ4WUdiMjZT\\nc0F5UVJqb01IRlY0aHJwWCt1VG52N1kKLS0tIEVPRmc1ZlVrUmdCb0I4dllnNzND\\nRHpqbXNYU1Qza0NweWJnMEJVRGhqSzAKuqXPT4CK8WEQ+vVrH6qpvqZsMHbuNf+b\\n6ra4xetfIo+gczDBlXpYi5d0W+UWFjfi32h6y9daVP8MabBb2R1tHw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2024-07-15T11:56:59Z\",\n\t\t\"mac\": \"ENC[AES256_GCM,data:k8dCiufWeCKrgj+fTGRphr832bGlXza03F4PgaWkfI7IAZQ97iWRD6wO6fko9GKlKBeEy7e/n6Hm8k4F74l9giKTdXq4lhQ3GqdV7h9JzJATxnKs9JYtjd44ihNIiLwBofHDOGq1BEIY/BTn2Z6EqGlwyaK/2EJIXXm56y7UpoI=,iv:zt0itYzXcTVlfGr8l4kL/fBeTjE7r9+fdv5BiBx3lf0=,tag:9dhatpgwMLmTz5XNu9uaag==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.8.1\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/limesurvey-encryption-nonce.caliban",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:oimvox9BzWi6Ho5F8itxFWKEr2xfL2gKTlQUpvNJmbhm3qo8YN3FFmoowJVFwMYlcg==,iv:LLSZ9m/aMOQkqd16K0p2xjWBL/EKyn8RE7VZmHAhkcU=,tag:wFOZfp5NQUNpP8NmRWGRxg==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4V1daYkxVWlBmcEN0V25r\\nVzVDb3c1UnB0RlkxQ0owRFF4MWgrdGN2VmxBCjNZMTkvV0xkQ1pLaHdyOXl5KzM2\\nQ3RYY2Y0OXY2aGU5ckxCb3pNNzF6UUUKLS0tIEcvUDNSTm9sbDVwQkVyemIzaFd1\\ncVhGOE9ET1BqcHdKMk5QdzFVOTdnblUKv6HaoDUXBSK8kGXMdD5jG4Z5/0ata06d\\nF3peMh6Eskfo+x6iS+goqsaZQS+QuCTkecEUqvgtwa586H4BjzBHaw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtdStmZWk4RG00WGtLdnRx\\nQ1o3M0d0Mi9XNldoSkFsVTZoTU1MRmFhYlUwCk1GdnZTeHlsVVlaNDg4SGJ3Rk5B\\ndnVOTVBWd1Z1dy94c3lyVlpub1Y3TkUKLS0tIElkWlRaSzVvWjhLR2VsRHVObm54\\nSmhMZHdOVkpJNE5VdGdmdVIyMW5JWFkKmiNeh3bRixVDzl6UbsU/250RckJJA/Ki\\nl7V3C2YnsndU4N/0nedy2Zsy9hjVWNonO3eDnNKzW1ayRYnmXShzjQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1qlwzeg37fwwn2l6fm3quvkn787nn0m89xrjtrhgf9uedtfv2kqlqnec976\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHbUtWbHg4U2NzL2NQUmdT\\nUlR5RUdFWEZBWk1jdGpNa2ZYSGdoeXR0blZBCkF4SVQvQ0tTdFR6aHgzdWdKZmxC\\nSkVGbS84dkExVyszSm1ocVdScVJjck0KLS0tIGRodm5sTjRsZ2lmRmhzV05OekFH\\nQ2dYNThzUU1kU3ZBTDV0ZmU5T1RpUzgK+Y+Ka+t/Zh3lO6xCvctZXNKuW+NDKnBL\\nOTzZ6ZpAjY2X6JcJqVQJOU/3NXnTvOiTWKrIRao316O1mysYe0rbWw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": 
\"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvc2FXMkN0SGRBZUFwaW1E\\nL1p1NmV2cjhmN3BTMHptUURLRHN6TFV1Q0VNCmcyNGo3bXFKblFzc2hROFVmNE5a\\nR0pFenY4YXljZkVNUEhvYisyUXVuMDgKLS0tIHZVK2V2T24rU1RRby9SL1VpT3du\\nUmxObExlVWdMNFNvOElVU3BkSFlNQlEKp9hrLKiu72qRniD4i7oU+zOujUY5CiN4\\nyajcqJmq31LOVOHHv2/kcozS4smqlidGU/PwqK03GhSWkBXoG+E81g==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2024-07-15T11:56:30Z\",\n\t\t\"mac\": \"ENC[AES256_GCM,data:j+Wql6qwEKcZOgOWAYs5MhtbsvUNzjXjst7ge5hxdvqS13iFTfKsiUSpmG/K1Nrxz4swCI9N4VVov9Brg7LuDIP4v4b5r5BEhGDMkSvJKarSfVddEkwcw/HYYpILQUKc+cogLZ2CqctiMB4ViD0+XX1Nl/1+IO5JvMLSjHkqPMo=,iv:7WQ6kw10TrgJdZjaTFHnzzFRzHhS5i1O97vw3md4fKI=,tag:iq5Wx4SYpoDXWe7Wq3M9ww==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.8.1\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/matrix-synapse-secrets.caliban",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:DR4VtLpBFM90uasJLqEdu7LQ0x3rof4qxuSlBtAfPVSVfKOYFx/NBYGdHIt/A45mhKIq/Rp14GK6pFX4mxt+9LhZHdaPUoiJ3OzW2Iwn0faevevvH1t9bA/rw2+UB9iGW9NtK6IsSdKzqsazlLCrM9nYlvkpMQCaWw==,iv:otJmMFZ5HvjKK4JyBbYizw0ZW2D4TWhKebY1F2Im+Bk=,tag:fcehpFiM6HMgS6bjbLRx4Q==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1MW1WZ1VWWWwxbnAwcHdt\\nM041MCtWMm5LbDdFVEd3alVaV2tSeEErRzFRCkRzOXRCOE1jRTIvcUhXWXozS1h5\\nTlEyL2E3NmFUSkhTZCszYyt0a3JVUm8KLS0tIGxUUDBYaXk2NnF2alJaaFNGWTFH\\nYXloZFNIVFZET0RZTndvM1VtMGpDTGsKK5HIxpvdy1HGOlp0MGd83u0A9KPbSK+4\\n15023XKE/5zuFOzWOtxyxA/A8O6MnGIrw8tOVzXp5bFRwRWa/g/a0A==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSbk1ORTNCVzhPWWZJcHAy\\nUlFYcmwrUlE0OXJ5TDNIbTdXWm1SdHJYalZjClQvNjJQSGp1ZTlzU2htL1N5QS81\\nUzRjc3NjVGovVXhaRkNVbEhhMGJLdUkKLS0tIHdibjNrRDV1UW5Qdlp6UVE1RGNv\\nd1lESFZDUmVYSmd4dC8zWHU4TU1PY3MKGkdm8io6SP0oAJeOFEjB/lbZB9XI4UMa\\nnfmiA9NbwovvBATiYhNpEcpQ+lxhcR59a7ZyTWexWxtMfDvhJ1HrQw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1qlwzeg37fwwn2l6fm3quvkn787nn0m89xrjtrhgf9uedtfv2kqlqnec976\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMYVhGc1F0SlN3SnpWamFF\\nYkFuSUxPWmxTM3E0R0R4RlBIYVJBKzhNMEFnCkVTbW1VRWpUYUJYSHRoWTBIWFc3\\nd2xxWEViNHlza1o3cEtwSUVYcDl2TW8KLS0tIGdxSmRxd2YzY0Q1b2V3aGtzMHRo\\nRFNmYUVvTDljVTJnQjZsamVjSUt5QW8KZGntSWX35XlLeKkuw/BmBuWKKEasCyyP\\nn+/2rokVu/DTKiTaTMJXUd2CWj7qNc7HwCMV8ibOGjkIi7KQNYwNuQ==\\n-----END AGE 
ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXUkdjK04wOEJZQ3hTYzI1\\ncU9MTCtpT2RPSmhWOHd1emNGakorR2RPVEVnCmI3Y3ZEYkZMNEQ0QTloM2VaMXVF\\nSGZvK25rV1N0R3h0Vy9VV3BUd2QxbGMKLS0tIE90YkpqQTFPVVpISC9jYzU0SHNV\\nQ0JmMWx1cEp0cjRsaVk4WUEwWVJSbDgKKJGl6cv+IAz1h3XZyL/W1Q2l6nZXmEyQ\\nB5nCzVY/Yr2g45eIjfTZKCo2ORxG6HvDkK8MnVpMr3dfCv7XbRi7qA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2024-05-20T18:18:09Z\",\n\t\t\"mac\": \"ENC[AES256_GCM,data:/GTwJwCXHqE/iOpcPCU69W1nV8SUBr3rauQ7aZP8N777yQzieka8/trJuMvuaJBg0cotm7Vr5krwrZC8kOqoZcf2jIK3E4p7/Y8Eos30VZIGnkF64FFjBACbxjwox+xUsOGxV9mGF1qQcZFx4L/S98qWzeReZV60HqGWshh6+pc=,iv:C0GN3+dRiguHA5YFhw/AFWfYItVKiy7Sqz0rR+07GM8=,tag:lyGhs+8Abb1Rp+qaQ9MFSg==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.8.1\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/matrix-synapse-signing-key.caliban",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:FcqlB9tJ2ZfjhoYfvC82Ik8F120my/ZfRDg9eqEdwNkI51QaqjIhAzlAcyHmO+b2G/c9U5cy2bvMUgU=,iv:5ZsY473w3kQP4qK8CPdXCR90GTnn60I3LqGm/HMhuL4=,tag:0s/qx94SeE+580724rSgGA==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQRHU0d3VjN0loVlpZTjF0\\nUS9BSUF2ZHFIcHBIRTNFYkFrbkYyUDFKaGlvCld2RWpTK0ZucGk4ak1Mdk1LOGNF\\nTm5zUVduaVNINUJyTzl5KzNTSEY3MmcKLS0tIEgyWjZZYVVSK2VkRlNxM29keXpz\\nSTIza1lCdUhVdUFFSU9sRFJzVXQ1NzQKyN8JSEWuGxibgdozgcoEEfXTjlHV0Lro\\n9LysFUn88RjHDvYX7c5V41NOQUESJcPK3DI78yxHWzsHpmWMjNtsBA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpM2dEcnJ2MG81bkdtbGFk\\nNXZaSTdGZUNOVXQ0dWNvMXFFSGlZcTBwN1JNCm5YOVpjU3dOY3pGNG5XdUhxcFhN\\nMzJjK1JOSExmeW5nL001WHhyYmhzUkkKLS0tIDEyR1VrcjdOa01IbEhBZ3lSTUdn\\nZlRXRjFUVTMyNmN0eFBJaXdKVTVOVzQKvcpNDONcstOtRzu++3Odt9F0IhG/FB0t\\nmPHw6zfYSjmpSv+nVXSOUpNnk9pcGWWtQojHukhXLMIAXssGH0hggg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1qlwzeg37fwwn2l6fm3quvkn787nn0m89xrjtrhgf9uedtfv2kqlqnec976\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVcFN1OUJvbXFKNHVIRk8r\\nNTFkK3BaYUpmaGxIRWROaW1WQjQyN1FXZm1VCkh5YVVocExJYjQ4eUNuSVNvY0ww\\nZlVnWlJJQUQwSHlGeUJDQ1ducEE0Qm8KLS0tIHdSdTRjRFMvZkN6VSszTlk4ZjN5\\nUHdQRjh5NG84eDRzMkxqaWd4OGRDZTAKc01sHFNXUbi29RtvdKe4AOsVagqj7GDT\\nfeiKgMhn5kEz3Rex75gDKa7nZf4bfWOlQrKrnC6L5t4G684qoChf6A==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": 
\"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSbWZTTnJ6V0hMZEIvWWRY\\nMDJZTFJtVnJqTEJrVGZhUGRyRThZRUVlblNJCmRMUTFhMEZmY2xOTzgwdkZqRVht\\naUVWd2IxY0M1YU11TEhCQnhJQzVRQm8KLS0tIGFxNnp0S0dobVJiL1pxMlFSTkNQ\\na3JvN0xEUFROcUVXUDVKSndhSjQ1cXcKNHzS6W8Kbvo67rICS0w5HSTcEgztBpzP\\nvL8yeNh1iAcWs3YtVnmitl5dwDMxNQFiWsbOxPr/vhHN64bS4J+MHA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2024-05-20T19:05:40Z\",\n\t\t\"mac\": \"ENC[AES256_GCM,data:tM0GE88qNSKpy/QUJDl4okf5eMbJKSiiCZrAfbJtz8V+nqiwqSTx0PYUjLcd2TIXHIicNg8bGovAp21Pm4YtOXMgLygFfNxWnGVXe2w9RcinUDOtXE1MwhJrDV3dvGWQg8C58LgzDWiq+kqgrR4m5YOk3mZUPU4dvj8HQcQ8C4s=,iv:w3nI1jPi+ObeHz32qhiXR/Zf9cRvYXJCMixkPTE+JBw=,tag:lGVfIjwKUgtez//4Uh94hg==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.8.1\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/mjolnir-access-token.caliban",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:WuqhzFzf9bNkLGljc87P4SJcTLFFjzgfF1AwKTb7ecIW6GgiVp1X8y5ARw==,iv:htfPbSknGVotYObu7FOQhNHPzPttlTAYHeFZragGmsg=,tag:qP4l+RZPywXrupsLr8Vd/g==,type:str]\",\n\t\"sops\": {\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkODRUSmNnTVcrUjl1bklF\\nSHZaS3NMTmxoK3daQ0FqTXNQaUFPaGpHeVZjCk1ieXdUV0NpbU4rbUhIQlk5N1dS\\nZFBtQ05yMHpqOFhKM2dXaU5qL3VXdWMKLS0tIGJFUlc2ell3cTEvQkhFVEg4bVND\\nL2ljY3c0ZHVGWVo2MFRGeXZBOWlEWEkKQF46cGAKEXuI1ODorYHHrSeg+slLPPtu\\nQ0vOqeK0yJwarsZWaWKCc4+O2cHQP3RNFp4OUcpk/szRo/htM3ZAhw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdVJiekRvejhRUnNuTHhy\\nZmZ1b1YyenY4d2FNY2lBT0hYWGx0KzVHYVdZCnBueEphS2dTMC9YY0FBQUlwYWNj\\ncUFYNERScDlQZDkrQ0ZNb08vNTNGUGMKLS0tIERTelJDZFF5b25FWStRWk5uWkda\\nVm1tVGoyNm0rZm5teEt4VEdhL2RmZk0KwamvCxl8D1q8Koet4KIa4laMieqfk4xc\\nx+M3xQg/A+OdBRbYhbMvNn3p6PooQljbi1MtTOystOLQEbG+MK6yNg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBONzZIeGI0dDF1ajBWVEtu\\nWUVRWG5kUHg0YlpDYm9nNVdraXJ6ZnpiaEY0Ck9UOEgwNWtCMVRDWjJmOEQzbUxH\\nVDdvby9YUW5USzk5OExZMzRESEVuWlUKLS0tIG9leGZwMG1qb3lCVkJPUm13cGJz\\nY1Z5aFVrWWt3aFpXUXkyRmhjV1JJNjQKa3OZQQIQLba4Lto6yaSZtVIxr+rpsO85\\nwz1EOKTYvwjDPzLpDbdqUfwDlLkIQ1KAimN2XEqfq1iI87RY7botjw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-06-06T21:23:25Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:WrlVzDeD17VtFJLO2sdGDeG8JL536WTl2SDid6jnHSsUZsTqoYCRirzE5ZEKc4aN6DcBPNkuFGVSMVYcmvKq7v5khmW5Oyi0NjT+7hqcewrUAh5loDWzAZd7VOkCsD8GxjtBWtUbADIE2hJ9L8hWoATL9Yh07zwSjWvFg6pW5Bs=,iv:wTOdsNFfdqRluHAFOR1ZcOczYArurlsneqzr8se7SU4=,tag:iiYLrzEuyuuYerNPd9afBA==,type:str]\",\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.10.2\"\n\t}\n}\n"
  },
  {
    "path": "non-critical-infra/secrets/mjolnir-password.caliban",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:grIvbuQ4QLcsMq+vJ2L3HR8wG4axM9WmEgHjbO/fvHcu,iv:Vyd1335Pg1i11fP2X2G2cyKMyM2/0uFuXO3T28Ml228=,tag:NA2nLx864A7SJAwvkVfj6w==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBteXZkeEt6WE1KdkZDUXhM\\nOUtOVUFIMzgxUDFSWnpkTFVCM3BQZHY2aEVjCjYrRjZpaGxvZ1E5Ly9vazlINFp6\\nNG4vMnlwZE04Q1JWa2pzcFZ5WXJDcjQKLS0tIElZU0JGZnlkTUs4QXU0UmpienFR\\nVk1ESzROMURCalBSNWRaODYzVHN6ekUKMSc1M5L603f+Onx9japy2rgmVKgTcqzD\\ni5CIX4LCCbB5YEWk6TqkXSGtEiShYwFNs7DcthmZyAFT/z+1k62TiA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWUVZsR1kyVEtyd2VrZG5K\\nRVhnV2kvTVVrV1F0d0VUUm1FaDJvZ3B3U1dVClJLY254RFcrSUhPWkQxMHk2UUV3\\nR21HMkMyQ0hzWmI1MnhLUU5KeGlZTDQKLS0tIENVRWlpcFlRaHNDNFpibldaMmFF\\naXRzYmVuZXZGTisycVF2NjA5RDFuQjAKs3zhqJKX0YNaD++eWNLgNh+dGAxPc3Cp\\nS1g1LkZQE46ceiQRdz7h+lSoEyPfKDbV8510glHnqWSaEKd8WYY49g==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXTG9qeW56WjlCczZyUy9h\\nR09kTjZNbE1TQXBtYjZSdTZlSCtkbklVT2dnCkt4cEpSQ2l6WUg1TVVpK2VvdWNa\\nYjFEeFRIWDJCekRxYk4wQmlSSlNQQk0KLS0tIGUyeS9GZUhnU2cvb21qMGp4OVVa\\nRHNKWEpRbUt0V0JDbTNlN0EySlZUaGMK9grWJ8pZ8IRfCBOQsfFmKeL3/++KT3D1\\nBApdOOOYZLc4rHeMHWHwH2J0AP+YYyVHsxQo2yknf2CS8imNI1figg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-13T17:36:44Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:f63uKmOODv1uI3r9flamhtcX+mM8O0B3LAbnhOD/XECrmRo/4iQT+eFmDXuwqBo4dVf0ITgKOnCTIviA6V7nMSUK5o5irOgqm+/rHarCn46zPaLMS+D6Pb8qtnuX4jF27+f4tqEcA1ux6Pjx817XjDnyv00wEGd+7dYbq7bTgNM=,iv:XNgzYq4ALDp+cIBHAzFMgJD+X2/XI6Y7b6IYIgaAB4Y=,tag:+Y/MUccCguCzKj6kpIoU6Q==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/moderation-email-login.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:fZezCd6vfJZQj4v4d9ceewi1wtVUs0EimfgYEpPFHj8Jf1gObsPHcYe3nj4ljpddoJEV4zZ6x8tohU1O9g==,iv:VtNWlp1j3G+NSQlYHRjZeC7SujbPc4JXaSDwHJ+rWF4=,tag:oRTl5YdRNQeLKaSZOSjv8A==,type:str]\",\n\t\"sops\": {\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtQ1h2SWpRaFd0aTdOcnpF\\neVkvZ2UwVmJhYmh6ZnR6TjlKbDFGVStwL2c4CkV3Tlg3ZjQya3J0cDlCN25mUzhk\\nQTg1RFRtU3hrZ2NCaGNYbElxN002RlUKLS0tIGh5bHNYdy90VGpSb045V0J3OE5F\\na1orbTc4LzdpOTlxa25YM2t6R01NcDAKsZEGCihccjnr/7kF24B5xKmdjTwkYDh4\\nRYaHfrrRFh3q1V0KS/O2OmEZXc5fNjP/WEhKSmHTntRS5uebdjRoUQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1Z1I2MGNseWYwemw5NFZZ\\nMUIxcm8vaW5iWXZFUFdQQzNZT3hHeFBJSjBnCmh5czUwd01qaGFsSGFSeWJxSXBR\\nRW1XdTNuZ2pVWEhSNGJ4S1BOM1RUd0UKLS0tIE9XNnd4bUFvNG1EbFNteWYrRWhJ\\nbFVLSmdyZzBNZWZJTkhvRWw0QUd6MzgK75i7wJC2pqzVnoYZO5KzBqFAKZtuVMAq\\n8opaHxMtzAp692H0Y7/ne01H5/WZBQSL6wQOyNpzB8eVazI+ojZ+eg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3dkxsU1ZJVWpWL2JleDZ4\\nK1RKcTM2VU40Q1VDeU42eGdnUmlRdjFiTlQ0ClNrR2c0eHUzQUtYb2t5U0lPSFJV\\nMytQU3RuTUptMzlpbThjZWszU21QNWcKLS0tIDBRODgrWmlCdlNJcjVDbWpmZHhQ\\nM211Z3djRjJWYkJvMzZXY05XanA1V0UKf86eQtCDgIad7JioaVMRjpsI9NUqReig\\nwJZjbFF2hLzjSKZ1UCeNrrNp324lyiWn3vfZStUUPz8eX8SAvvSJLg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-06-18T09:55:16Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:J6h2iEyOWLXiglrhF2+fSuGWog6BubSj5f1aW710BCK8Exc2/NwHUpUz7IuacCwt6XwwDtoudjRBgzILClUWdiM7PKpdgNGBDLJy1R0GAZUmCVfMndlF2r9bPQVyxeOoKUw3ADeZKrMppfP+zZIU0Zseu6TixJbva2DJHtac+sM=,iv:XrrwJa9a3xtx1J4cRu4JdDQQ13oteABCVcS+mcTXbug=,tag:Oqvn8VtFsqnIXUSBOkJAHw==,type:str]\",\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.10.2\"\n\t}\n}\n"
  },
  {
    "path": "non-critical-infra/secrets/mweinelt-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:h9DkkRIR3GNh5ZKMGC28SjWod0m1,iv:1tSssLzQ88q9FYg1HM+y4iv9kEldZBvqNBfM2YSpG/E=,tag:bpWxmLj0kX+jW4sq/X6YXw==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqVjUya24rSStHdCtMbVkw\\nSGdxVVRTWnMvd2VyTU04WGkvNEpaaUhYblg0Cnd1MWRINC80bEhiaEVreTRLdDNB\\nMkpOYWMzS0ZoWEU4TTdITm05RXFVcGMKLS0tIEowblp6eVdHeFNPaFhDTnVJUXpw\\nQlR5NERWTnk3eDVXZmVaR1pKTThLSE0Kbf5RBNWt5M9PYlqojAJN1I4s/msoK6EM\\negGyoxdPheoKrCVqfOiAPjRCPfXVSNrWjT8SGVxjqMy7C67ZpaS/Og==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpRkp3TkZZdFpQZ3d4NHNB\\nbXBKR0Q5ck5jdVJLazhSV09ReEZKYlRpVXdzCmNkNkNLSWhNWWRHdHdrdzdMV2cz\\nTUU4RklKUGY4bDZKZENDdHhpbldIMWMKLS0tIEVjYWQzclNJZWJsTnBYUVU3SXRi\\nR2k3bjZ1LzV2V0Y5cS9MOXhWYmpENDQK6VSazO993LrsQ1pRyyqM8tLL9sx6BiXa\\nd+8JirT3MNYn+tFkcwtA3hR3h9KiOqy43MQIIhqCstI74EXvFoDjHw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxN0szaE9tL3d6dzdjV2Fv\\nd25sS2E5QzVwUDRYMEZyL1BsSVdXTmY4bW1JCm1XQjU5WUs2ajNoeEIwdlZxcHhx\\nNVNDYlNJbXQxdzRvRXRKbGh5YW1FWU0KLS0tIFUxYXc2TGlQaFh5TnNnN2JvSnQ2\\nMXFINUd6cGhqSDBsVFlaQ2JvNVpFYlEKtEBikxgWvbxFw0z5DWgvQIEbWLEuPSoZ\\nfylD+F7SIFFygyTWkj71gIuolu0/3F6HeU8WBe8a4av7vsIJkw91Gg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:22Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:pgrUk1zEKDapi19EESjQWx/JMkcWydh4stNhf6ALk60QxhwsyNPHWhrtJHl/VsP2q0KX5oRVuh5EjIRKOjrK3WeZlpRj4xCxw5sDNcsmxYQZkl215FLqmR2xBOt7dT+0qjbducmMJk0ba8L8a/SFGzn/WWTpT8fNGmh6gKVKq8E=,iv:10TOxOAGbCOtYVRilm6Scut/R9gHG5gMqnaSc1h5B/I=,tag:CE5OGlEHBO88fZJCzqTArA==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/ners-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:MaAii21TW3gwSdI=,iv:SpXn8gy12CQsC5ymt1N+uCcnDoG/kEcoP4S9rMkh+9k=,tag:Y/M0+LAEcRYMlOZ35sgdVw==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVWdBSkpuVGZ1dk43SGdP\\nekcyOHFXMEIrMEx3L1N0RVNhRWVwZ1pYeFRzCk9qNFduV1FKK0ZEc0xVdENsRFli\\nWGlSYnNCTHM2QVRMd2xNTnliZ1kyUGsKLS0tIEk0VlZqZjd2YXkydEVZaHl2bG5m\\nOUZ4WFYyOW1uaDRrRmE0anQvN2dRaEkKmcflbtYPx2vdsR6OnF9g9xYsIyhSm59z\\nVgk7C62THzU3YJmklPxOgLeUYZWuGAkPZ4WNzbT6V4dOz3wwXQqZLQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMQzFiK2RSVFVKMFFjaFor\\nZUZOL3U3VTBrdzVoV1JMVlU0d2xKSEVjS0VBCnJjcSt5SmRULzVvR09pVnVra0JT\\nRzNaaGFaRmVtMmJEc1hNVVY5NThaSkkKLS0tIGZ3bFoya1lvdXhDUXJWTDdZR0tB\\nSklXZ1JnR2V2dmhrZW0xWWEwN2Y1dWMKc2RP1og2xEhI4j7qjHmNyzPXx3qHF/G+\\nTix/T26LKy75hgEl4jez++pX3b7yHX1+fbohTXWAqYpNlNCv9BM/JA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxZDE5WlR2UUdROGdWTEZD\\nTXZsN3lrc3g1RVVxTGFjY1RkRysrZzNQV0hvCnZiai82Nk12MjRTTmtBYkU4TjVq\\nOUYrV3gxTjlGcHFzdVdSbXR5aVNPSFUKLS0tIFZ6NjlHNE5NQUlhWExqREFEQ3BQ\\nRDROcTZCbFlRMWJNWFZUWGdReEdoNWMKV8c9PTqc4wQWNLrO87Gknh0xT4EnyJU/\\nPzfnhtcD2svCxGsS23fYKqktthlgSubIMTLyAVjxa+Bhwo7XFGD8jw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:11Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:guJ+30EF8fCCdZAE1q//fhs8stSWHuwKIXITiCa7vahZ3w628M4pbYMEhftxjXobo6m8LZEQU7eBo7DnP7vBz9yx50XJLoRuRqtGRRRxrZqIphIOId7Emrip4gfu6/wK/fPfD7abcJXnmrn43unYB6kLqOhdcsKsPZRQxwEjKxU=,iv:cTQ7JpgN9TPyRM0sOJJMNcS+C/BkJO7dyHthrcRR43s=,tag:s9TIIBaw4GFNGX2d5Vt/vQ==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/ngi-nixos-org-email-login.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:UP0vY74lmT1mKadLp+Kiw/Q2ZCjc/Y7Cc/yQ17AumruBHXGqmDOm5H9JjlcdE8DU7k43kspBHqpnxBchUA==,iv:LMaEH59zz8jZ2GfkweAGM7/2LdgQ9HQDpkaUGTZ/SOU=,tag:tIu2rBrCsaFzQsRXJyRNSA==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTNE9Bc0FxOFIzU01kekt4\\ndlJZYnBGeFpBMTNvTDUybHNlRFFGd0xZQmdvCjhLR09xWnM1c3R3MEoxMmZKZTFT\\nZ2V1ZHFQQ0dlUHpIZVNreExRdG5Ja0kKLS0tIFdrcmExODhTVzh1cXo3REcxZEVi\\nNmw5Sm5jcU9BVm14ZVR2djdwejhUd2cKaq53IBfwqonP+nOYQImFSrxUQ9KaejL5\\n4ee8QUn+4fcZLF/rOma6Ydx3LN2K0akk96T7XzF7JT/f1cZO8uU3+Q==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhTGdCWldkOGRYdk9TSDlu\\nejMwaFpDb3BkcUNENVBkSmc1azlBNjZrbmlNCkNnZ295VDJPUmZSU0dpM2RYNjhH\\nWmdZZ2pZWlJGcmtMN0tEK1RsbW01NjAKLS0tIEVlekdvT0xldFdiSEw3MjVjUWVP\\nZFBUdmc0V0I3SjE5RExUQ2tLMjcvT2sKEMvMayOBvWl3w+ryflSgcNaS830PyqX1\\nMol+pupToqIFxXWIz8CCc6q3Xx0iJTfHXMfRp1bjfK8igN+fgPtNng==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNQTVLSThGMHlMc1hBQVFB\\nZXB4Y01rdFNscEJsSDVaOWpvVVFBVFVOUENRCkF4RmFSYXR4dTd4b1o0VGpjZXJS\\neCtUcit3Z0I2dUZNWjRvb3RPc2d4bjQKLS0tICsxZ281NE5OVWg5dG9mYjFDOElI\\nSWFsV3c0azhISyt0RDNZU1NlRGpmSlUKFe6LRnCY1j20PQGZwbFAjfMStGupbBUN\\ntNzo1xi8EK6lyxjEgrzepdTP8nF6p8pHoQuU/V9QQ0Swa6anx73GiQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": 
\"2025-03-28T22:18:06Z\",\n\t\t\"mac\": \"ENC[AES256_GCM,data:DDt0A8oyegeK2LA8eVmvxpSTsii322vpwBqBwcivnLuu/12St1Rnw7lYtHsgNv24mp5L+GhS79USWR8H/tN7ArW198qpWZ1jAs2R9XkK8wSD0W3aZInwTgnwPFxjrpDzmWZ0WC9UXERgG367P/s5aFFN/LTl7zAyfTcLLu08Vbk=,iv:Eqo1xnW6Q5G/84cA04tK6HwOUA5Wh9VL3ZTtkkmovsQ=,tag:qcof1IsOYt7LxEWznmpxsw==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/nixcon-email-login.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:v6AgrbN+ofutr+lo+o4BkC0yPop81rU7QMoC0Z7LGWHctGwL/Zc8BkHsCHEPyGJtAA4S2D8nFPLsil4n0A==,iv:EmHzvLI8WKS3ONtRYRMnC8RQvGsZQaYJWs70ZXzk6rE=,tag:84HVihatpSQmvSq1m+CoKw==,type:str]\",\n\t\"sops\": {\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGT014UGN3djZGaGYxdUVJ\\nYUs0dis4eDlDSVYraWhEMnhJWktiUEFWVUdNCndleVNJNUdneUtabjI2cmFoNEpm\\neXBSZEhiUis5OFM4clI2d2t3alNMOEUKLS0tIE1ZOUxuNjBieDVGLzMwb0hlWHdv\\nTEhBNktmZ0c5a1N4TEprdEduVXpPSFUKX6Q4WJoHT0q/pyYeQqboKN1PCv8YufH3\\nM7fTK/lyWHanPv0liDxwXF/23zfDUqQZWhWKTq1ddAxJaToTDJVA/Q==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvS0kzWHRrbnhmdCtNQ3Yw\\nUHdlNHFhbHdKQ1lUM0xzTGZtSkNKVkVGVjM0Ck1GUExrNlZhL1drbjVBUnhjZDlh\\nL3hrZFFrWDhUdTFPSzBXNDdkUFI3bUUKLS0tIEFLLzNHWWlDd2dRdytaazN6Tkpk\\naHFFcEEwbFl0QzdxbWYyWlBKYUxkajQKwDmyfolWyuGuf3Qn4hYMWTY1aZ7AQl3H\\nTn9iW+rRRIkrQP30/uqJ29Le7ct/gD/VDUXGgl2Dqvo94luz4XjO5g==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsR0l3WU1Rd013cDNYbE1O\\nK3lBYjFId2hEdTdrbVplVlV5bElKa1ozaGxFCjJoT0o3U0t2WXJFOFFrckpEZE1U\\nM202OGtCenJtS2FGUjVud1BwN0hUdHMKLS0tIGZRS21Qd3RjK3NyUTZKeG5Sa2xQ\\nRkpGdXNidzVFbEVuc0QrdkNFc0lVQmcKQtl8Q1T3vrsnQjsTgZ9kWRGfVDgufEP9\\ntz+qZ69lqa1GhpO+cYqcZ7J9i1+70mh49gcRiOg5391eu3BZTkpElA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE 
ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLYzI0b2FjMmM5MGN2Z2JM\\nbjhxZDJsdHdjMnlieDJuRmVCUy9ycG1tSkdNClAxRWpFSnI0YXRFMTE3Y2NDblZp\\nV2VFdWRHbnUvU3N3OE54SlJYZVVoNTgKLS0tIEpVMUQ1YTI1dkRLTUNDSEduWW1I\\nVHYwVFA1cVIvQ2VsVHcwVENCWW02WDAKL2OvMBbbDlv5XyplFer9i39cpR6fDEGy\\nYooSzLS39RjkIBTPLpPSwcJPfKOzmwKuRxmPJCO8a6IIMOJTbNruyA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoa1c5SS95aHkxT0hLbGto\\neURZWkxOVDVvbGVIY3BRL0F4YXBGK3lINFNZCi9KeGlUMDBSVyttbEtONGNNZVVw\\nM09BRENjQ1hYbjZEMEE2eGxRSkxXTFEKLS0tIDE4anBmSGZKcU8zOGZEZXFNQ2lQ\\ncXErMGY4NjcyRkt1ZFdZMkp6QnBvUTgKZZG9hA0C4uxpiXFO58fsT1Tjg797qTMo\\nans/sZjIEV8QtSojDJWWLhJos1U2KuHg0R5phKqPvYwRpl38FnH1dA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-08-11T13:44:41Z\",\n\t\t\"mac\": \"ENC[AES256_GCM,data:hsUlG+s3uIdP6MpAL7HQSu2X54AzREgpjgl3omgoMgfXjjBjwDQbNUONHg8osAQxZbQCE0XDL//x2apqCgDR+znAi0UhZvwEFIg3ia4wd3xtLWkKuHTh2QgvjlQJag7FnoeS/TkptjgqNIzr8R6u4Fsrv8+Xuc0+MSVQZgboQjM=,iv:fSlfVoAg/FKQ/Q7cQVobVpxUwKZtVjD1CPDZUk6NM2Y=,tag:w4iCYHVTW8+IjUgG13Bxgg==,type:str]\",\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.10.2\"\n\t}\n}\n"
  },
  {
    "path": "non-critical-infra/secrets/nixcon.org.mail.key.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:KhPGql8CE3DDErIq575LdsThvTOo3XQWgenGXrD5Z5nZESpHLHa67itlrXDTIyWs01Qa8aDYlL7FHBaVJk3IhlTl8+uRuD1IQTvi8qerWCN7/4yr8QueGjZDMHoVzFcKoDeFO1azC1UDX9JX2Y9bl4B5RX8ye7G4WbUw4Vlp25gya/xwMxS2/CE5k/+Sx257XxVtAXQpWQh9t4QObf2C7u6uQm33M/eISdsSzcM9NA3BTSjmu3iRgv3UrnDwimPp41mBdCb/x0G4baHOSY9Oe/3iOhsoqM6r2acWOLKqJqEIRoNBUdzo2cLMYn78FzHGDJcrxWQOO3ffP1983IbeSIEZqNVHlqY+us2N0T+hzXxc+k3fnJQjBGNwFYTLCFoN8tazs8v2a2I7nbo+4SScmtRY/xG1Egni2ssBpntypLsEq8EiEr0bELWHEvYVk43sHSKAmA2F2gipX1/YIkPIJ3JGXDLt/abd3sD98gSQoc745itRLVVp5Z4QMqN7JZxuhiBCvrN8XbpqmjIduFqPwl4FXVojhYKsOBkAhrtdYHuThfP4vKiaPN5xLKgENBO20SzDSyYtO6Y/thZRfw1fvkFWldfvMlMmsTe5qnTTdCcMQfIDJ2CVjYE9TJirasu5uBFboBIQR6Sv1bwfxivtf6Pscpw95kX42EoXjDAJwwajItz7y0l2XGpfiGPJiMNEmSHx95HItDaBlhtkObt8t/2/ymp+8BRldj+5bf2LR+I+Tb66QoDQAeiIuO7LvZc8ucZ5JWZqyLP8BuUdsb8u4WP/cJJCopUxatN1GVH5blMFRNy4imVQ020tOpc7ICkbjaYiVawhzM5B/WfbrZMCsNfSs6XQN+aS+sf5F7g7WYoKwqZV+UJaK8ZJoH5RWDMfhosCu/Q/UHmlBT/2L2fQshUgqpow06lIvcedK2vbRZ2hbO2p5bz9PfBkl1p2XH1wO+gQgx4d2qF0jg6c5+sbBnivYkMXKkxMQ83Lt4k1wbrzzS++qSN42d2dWgntZIUusBI3jPuBsTtGO05RuJF/GCjPGCsEegqlKUNphLCv5DF1nkgCMUw+4kkrcfqed+cGdY10EU2HbgnY+y+f/7f8J+93YYWy50sMK+TYaBnlVLJ42csI/gUMnah9zGC9FyV4JnkEabT1OwMuuEokvHIFz2HSkaJWqqklNld/1ImGPzBn2Dx/cwstDGIsaItiwzwCRKLWQQ==,iv:DeGWzsY9gt6xjfRws5EborbBwWVFGGlKTsfLlUemYAU=,tag:UiyvsVd7Y3KVq2fMZhMs9Q==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLQ3VQS2ovUUxOR2RGVmI2\\ncGhvR0lzVS8wQWdldU1hNkVrbFVabHE2V1YwCkt6MG92ZnMyN1Q1dldwMHZCN2x5\\nVzV1ZTYvYUpkWUJPK2RhYTBNVVU0Yk0KLS0tIFg2K3dmYVQ3TmIrNFA1ZllPYURJ\\nYVJKRjdPNHRkVkU4ZWtzSEI0bEZZMlUKTcwSbuX3BvSON7YtJwr8bD9626oDwyB6\\nzI8rpuiVcr+r2Ppb93tqGJAUHKaOPyNIeRYMGXwiDDwBPeeMqAq81g==\\n-----END AGE 
ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDYll3R2ZYRGdUT0EvZS8y\\naDhKeENVR3JNRUFJWmoyM0M1QUFoUVNQMG1JCmlrWGxTYkJoZ2YzaFVZOXpERHRR\\nd1ZzQ2drR2VTZW1uZ09ZUWZ5cmpOR0kKLS0tIHlnRElKYktYc2hwZSt3ek1QLzV2\\ndzViNFhOTlNPVUhObXl4aUpkMGpZdDAKQSfKR5YlBwYKtgaOKZivzEYUyoeRur25\\ngPNWPmGJWrmvORQtuglEdECbm4HOsEUT8UnNwU73/08qYhc8ACFgFw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4UzIvMXRMQ2I4QnEzRGd3\\nVGtoL0lyUzAvOU5aNG50TFBsYWphelEyOEVnCkN3ZTV3aklXU1dEQklxd2dzSGNi\\nRTRZWGlKS0pCd2hEU2FScEJCTkhFa0EKLS0tIGNUdUNsTGhuQ3JKSFBoalRmazUv\\neGRTdVNpbmVKVGNlWEhUQnYxTEhHY2MKVFZODyZoZJ1ZiZUITIiUkjy6FDJQWbA7\\nyeFlTCu62YNrd+ja1gOFC0Tz4RA1GQmjh1zWVnmQ+QMzeHHwT5c1Ww==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-04-17T00:38:26Z\",\n\t\t\"mac\": \"ENC[AES256_GCM,data:r65s/Rw9Ip/bmCOmqd9NScRuD9pdFsgjCB9YP7jAM4Yyc9kTJfEo7bxOQAIAe4mzLRkRdURn3H6n152DYG8JVhGvEs0rgQKwGk4nO6WsGxeONPjBjwI3di2aZRUa5HNfPcUSU2d9xHXv10bMGWTUOjwTh0yR7wpkqu4Es84FkaY=,iv:mXBSvWPPncVvztSAQigND9wY6GuNXvLwOQgLgsa/ELU=,tag:dCd6cWZveFMjzknXRXM6SA==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/nixos.org.mail.key.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data: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,iv:lYv/cuI7dQnBq/UAOh0tP1e+GOPgMKzHc66+cmyjZXY=,tag:mEYrazYwd93xOV5Fw5vqHg==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBalpYcW9xYUZsTi9ZUDJV\\nWEV0ZEZKWnMyNXdXUHBmRkkyS1gzaU81bGt3CkZoZVp4OUhmKzU0dkNmOHRFb1I5\\nQjBacWVYYWdjSHh4NHFGQlhyNENmb2sKLS0tIGNmZFZjQ2dMYTQ1OFJnNFBLejNo\\ndDJ0SUgwVHcvNjRTVVZ5Wis0NDZ1dWcKi2RTUzwVVg2x+9L+96QNwpA32IupkzV7\\nmTfRtizJXHbzfUBSCUiuVis92bsk05PBRB9Zw5hQMY7K7ZAkctLprQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoWFdCSWd4Z1VwOEU5L3or\\nelpPcm9JcDE0eXB1L1hrcVFuaGxQRDN5b1V3CnlyZzhnbkNlVUswWUFLclBqOHdv\\nSEwvbTN6R3oyMTc4aS8xSDhkcVFpNVUKLS0tIGh0ZWRuUkFMSEhvRjZuV05zbTNR\\ncytkaXlIOG1vQ2RWVnZLaGtJOFQ2dDQK04Fq2wcKRINC9iTCWuDMbJY8QPQAknQk\\nTOEvgZ4DRQa/MnG5WGZkoA0PygirZNQTJFge2RRa0YMY+wypQvQNgg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMWUtZd2RzOEhKbnE4THZL\\nOXRsMHhJVk9XancrTi9XbGF2SWl4SjU3bm1ZCjlDWlZ3WlU3bDZma0gvbUIwdk5P\\nMGt6YVZjOVBGRkFnQ3ZVakl0Z2xjTTgKLS0tIFFzbWlDNi9rNloxUzJHbFd6Qlgr\\neVVudjJFSThLeWMvVFozTUg1Yy9JSVkKH4gAq3XTuWVlylHxIOU5l4pbrsU0cFAA\\nSAZUQk3TsBw427B02uocjjpTQByuxFxAf3hoV5WgFfEZf04gMlEUUQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-11T08:24:47Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:NpYf1LwINXQyuiN4jCkp95Q1UUnp+7M++k28GfGM1oWquOYtUH0wbRKEk1ooIABGSj8uz6qx5KBBGRh8eU6ldh7qwYqqTLDey2qeJ/5kt1ZTC5aOm9qtDWYWYzzb+lznOegSL25ny16d6ipOiKJeCdfcrgJBSr+Y6MCE+GxqGEg=,iv:pzx0e4ySgKmer/zF3wsrN4vVAzPMWE8RPPbkIkx0W5o=,tag:Smm0vqPToCcy2XHyHyVkUw==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/nixpkgs-core-email-login.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:aFnXR7/h3EEvIK1+A/8wThve2ywqQWVzLXnVEggyGB/VjDciDNmFRgSKCiONtsm54c/G6YhafH42FrLs7A==,iv:rI59EJbLNet5dizFhn2cqkbCZbo9ThRctswcBQmxn+g=,tag:n9LS2WUm6Q44RnXEE4rxcg==,type:str]\",\n\t\"sops\": {\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVWkU0V3BRRjUyeWp6dzZQ\\nWVBHVVVEK0FjVzdlL2VQb002NDVGVjV2M1YwCk1rZ0RmMjFYTXpITEtOTzk5UURE\\nUVZ6clo0T2F4VzhQLzdGTG5WTVI5SG8KLS0tIGl1bDNTMjNQcHBmWFdYY01JekNy\\nQjJDY0l3UEE0YTZGTWhEbTQ3UjRQSDAKClD5h48vtJfMPd+0bELowPOY6wWy9SMS\\nsBNHlFOzNOxKG8LYqLTHZ2xIu0W/rd2UzXcklFL9zNOIxL7uGzDCIQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1Vm9KZk16N1VmZDBYdnNn\\nTUVZWTQ0Z0t0azlYVGlIWTJCaFBHUHBpZjJnCmIrU0JGNFcyMktuYTMza0d3U2VP\\nYmVvQkJmL3JnODFXWlQrUHdFL1RoTTQKLS0tIEMyK3I1Z2pVRE45NUw2Tm9Tbkdh\\nc2tGOWM1WGgzaENWU21kWFJacGx4RjAKDRPaTnR7qYsZFXi25fjAxfSGzw+pQNgv\\nUFiKKJlIMyueTeXMozvax1Tmap4CNDE/h7hxbFZO2pdWGM38CtGNqA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjV1p4bCtUcVpxOVVUbUZv\\nNE1TK3FEM0dmbERUQ3FBWnpDcEY0aWh1UWlRCmNkb3dmTjVvRmlFVmVxVnk1NWlo\\ndWpaRzlwajBLQWlWRUtEL21TMEk0TlUKLS0tICtsRVhDMkVDR005Q2oxK1luV05h\\nRGtNUytJQlIrenhSVlBRTXlxWFBkRlUKexKk7NrCoI5vNZfdDIlnvO8tyePqsevC\\nkHbcEK2CGSRKcKlnHE0EXreuLkmeC1fsdW09J+z0PPC+k9dGRu/mYA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE 
ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvSFhqbVZUOHp4T0JrUXUx\\nc29ydU5ERVhDaE56ZGVZdUhXcFVNYmYyQUFjCkhheVZ1NXV2WEo2bDNsN1NhQmEy\\nYzFkdVhqamNKRHFiMzFLQTk5N2N2U2cKLS0tIFkxU1Y0Tk1vQmFjbUNab1Q3b3ZF\\nYUxTRStWRVdwWmhiUDIzUWY1andROGMKAc9/h7mB3UY82VX0WDp5BEjgDPpFrXJ8\\nHgCBcI4azJUeKxw3qhZIAbKiuMu70UdCLp0Nby51xFyCKskOz90wSQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsUS82T0tOb1QzV3lCV1pu\\nUDdrUU04OG8rR0Vza2NDRmlOUkhFckVwQ2dBCmlCbDJpK2xwZ3RwY3h2S2xrdkE2\\nU3BFdmltbzFTWTlqekNxanIvNjFzcnMKLS0tIHFXdnBkUytDbmQ0K1lUamV0MjBD\\nMTBoRUdVQUhiZlFnRkZqdEJhdmpDeXcK8yBkXJbk76wdtMM260FMkTPK9P7G/40/\\n1UOHLbIPmhpX5AfKsx2CW8JaqseOVO5v/O+5LFWgqzJCu/c7NdkPzg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-09-24T18:44:02Z\",\n\t\t\"mac\": \"ENC[AES256_GCM,data:n5UpATwsy/uHUyWmxE7RAt8EzmCR+TA5fZRQP/YRxcC1vVtOi+iZf4b86thZ3x/Bx/siXEHzmyzU5+qnUOPUNPGHO72Kjz+kTUmr+/OBJjjqvZ+TrSGU/s595LqbNzWn0TfvYZtaZbmzU5BJeN0mZx8cHTBY8djNAFS98q0Y/Yo=,iv:iB0FobYcLQSJJNc0H41CMM877sP7jZCpdcLg8KDVZEI=,tag:9c3ttQFg4lEbzkl44frU1Q==,type:str]\",\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.10.2\"\n\t}\n}\n"
  },
  {
    "path": "non-critical-infra/secrets/opendkim-private-key.caliban",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data: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,iv:zqzOFTzWS4XSfOf+Di3EtBZctQrsvd3SnY0iT3tvOmU=,tag:1xC5T6WOiEUhjAD64Q34Ug==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhTkRXQ3hFdGpEWEg3RG9C\\nb3BDOE5taWNvU0dUSmJBUDltTlBENW84aTE0CjU5M3A3VXJlSUo3RHRJdms0WjNR\\nbXFwWUU1MkZaU1BSOW1QOXFYVmN0V2MKLS0tIHJOUFNiWmJYVk56R0NhTHhpR3lw\\nK3JnVG9nanpPY0VpT2xpN2FzWmlpSm8KIXVYhkAKOSVcZmPjtG6dKtpr7PxjdRa0\\nwSMJ2dacHIglbgDk1jc7EyrAjn2B/ARC82R1xw/7GKzDuL/h49Mwmw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzUWJxTjZTMStURmk0WmE3\\nYXM0NjA0eFpkdnZ2RTVRdytyU0hrZ2s4MDJZCnNsVklEL0twaE83dklnM1c2Mjc4\\nNTFHYXUrUm5ybzRqNkNZMjRLTWxRN2MKLS0tIGVTNVltc0p1bEt0elUyeG9TYnZq\\nSUd4T0RQTDZtc2U3US96L2dXYzFwYWsKizu8FCGL8x9iNIAyc9vEoeVE2v8RD+mh\\nejIHfNKd9Sgqy1du/vqbcKlwrecD7/lTf3f8fsDpnBC0qghfs83+1A==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1qlwzeg37fwwn2l6fm3quvkn787nn0m89xrjtrhgf9uedtfv2kqlqnec976\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLaTNqdjhiOWp1aTZzZzk4\\nL0tRRXhtSVJZQkdtOHNNU2V5SWdYK2tMRkFZCnBqNklyZjczT0YzUjJEb2NjY1FP\\nSFg3aGhSZE10bnNCWGxtMGwwT0dxWVEKLS0tIEVDbTBvOHN3UE42bGVySGppQ3pr\\nOW0xUDNUc0NrbWZXTnZRZE5POVZtYzAKzNkH6mxOsXpWv+r0bYhbCVJ6z2k0PkBC\\n+oRdYpolMLNj2pb4KAgQbdRSlWTcz51JYTMAYJmth5ZT9WQeIsMs8g==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": 
\"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHSS8zdnZOR3R4VlJ5YzhF\\nTkhhQ2FmOEdBaEMvTnFvVkN5eVN1dUdoQ2dBCnlpVXpYSXk3MitmYUt2YTBQZGQ1\\nMXlaSGNxL25aNlgyWFV4d2pzTG1aUncKLS0tIEFodXdxdFFjczduSXZXbXNGTGsz\\nRWsybFl0aXA3VG1VUnpSclZwOFpxSU0KmoVMzE8magbq/Ox1LpgNte3nKy10IaDB\\nbNRyjSev8IGgUXclq6XIVFf2sznBdBvcXnA2SIEHulv1OgxzkaPDyw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2024-06-04T10:10:56Z\",\n\t\t\"mac\": \"ENC[AES256_GCM,data:CenZP4kiDARE/mK2lOsFBZVI7f+Vz8tlRFdi5+eipFWiUnyghZx022K7t/TjuNjHxK7DJqn29VURAjj6+4flIQbJLEb6Dmu+eY40EbtFXEvKZrxEvCTN7e8yp6ds5dg+Nuj9tRE0pp8o7Wg6wNQWr6wIxqgjGYHrBJ2fYg6Mogs=,iv:+lxJwYB9wbs+tfF75NLu8EcIhd3k3q2VR9AqyRX2pR0=,tag:2W0YXbdFq5zOOs70nxzwrQ==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.8.1\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/picnoir-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:nyb8CLW2mX2wsKPFOx5TgNOD9Jnu7K+x8g==,iv:G6hcbILjJzQVgVfy7vxU806M/dTJg4AwKLxlBUAlJh8=,tag:zjQXyfH7+aoT/qy+IaeCLA==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNVm1kSzhaMFdERjhFY25q\\nL00rbHB6Qm1IdzJRK3Z0ZU9JNm94bFJ5SHdRCnFTTkdURGlkU0M3WWFWR2hpanRO\\nbUdKdkoranhrL1B4dHhNUURDTWY1WG8KLS0tIE1pbllTejdRKzY4Vk1WQWp2RFZE\\nWWVXZHpCOGp4TUEyaVpheEJTWWhqcjgKpYHtYq5RmJ1Fl5bQb6dQSPWBUj2eiPUH\\n+w50zvGKefeUuFo2wjfnxgxfr7WmfHCQAVZ/a2JrqgY9mYkJJpCyHA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCQVorMlkySE41clJwQU82\\nb3hjbmxETDNaaWhhcUV4OTNIUU0rR1JpQ2hnCitsVy9oSWdnUVBzekdUU2xlaGJF\\nTzJnR3g4SmtaTjI3TWd6dE5uVktYWjgKLS0tIDdOMXo4K05kUnhxSHYyT0hRTkVZ\\nUVF0T2dLZThVb2ptT3Bkeko3Q2djbkUKI70oETq5q2pl1+fjiR/GjHcSfLi0F6KP\\nZvug8/S/NifH/BbO+6EuUqLrFEGBxv0RTC+vnQ1y0MpvKXlXG0K4ow==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyLzgvQU1udzhDcys3UWZI\\nelFWbjFOR29wM0x1VzA1Wm9BTDNoM2V4ampNCmFwM09URHVFSVE5c2h1UmxtT1hE\\nM1Mwd1JqMHkrcEc4WjhFYms3WVFKeDAKLS0tIEV5cDFIZGZnTWM2QlhXUmJFdk5P\\nYkI1cXNxdi9ORGhmWjlpS1Z5VWFFWncKi8KkI51plxvpeeTOHZ9kC0Xcd/vE31+v\\np2XBcU3NrKhs8bAZN9xYKVag4lM23G1myfnrwB4RCXHKGnF1VJyAtw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:20Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:A5YAwuWo8pm/Hw3NxX3StvW8kT9wk2dUXLVQwJZ/inV0YpsbejhOlHIfca8iqMAb9Lu5o4V0bbdgAw9S5ThHKyatzQZtnIT2uRZM0Ietqes4yXjoL5mEjbEEgCVpbcdRd93fTNt/G4BLWEcpMU7xMNIxiT+KVk+eN0UO6tw38d0=,iv:2a4YRCi2If9VMSqRHciargwDJ9AHCbGBrRKsQxsFDTk=,tag:ejM7sV9JrR2A1EPdnz9OmQ==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/postsrsd-secret.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:Oy/Lqq1DTXVX0SK0pJOa6fJhf9H3Qi2G3w==,iv:JG2o4C9EjBbt4PqrE3kHPNabFbk2Ar3IHseQyrQxnP0=,tag:IRG+EYLebBDf99svFmcHWw==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArTmVPZGo0aXlsbklBZlEy\\naXZ3SmcxNlN1WkowQUFuSkdSVGo0Q3BneGhZClliMnIvbUVnb1FyMWJEcXFxOTh5\\neDNHMFN3NUw5bGMxcm5EUWpncnkxNnMKLS0tIDNVaXFJOGxQa2FUVUhYbVkrQ0Rp\\nS3RmbElCUlUxdkNXblY1S2VSQnkrc2sKusUip4Vnr56lfiEAHRPqQiZjb91rovLA\\nQhPCz/LwTyxDDMTsq1dNbasniqeErmUfUfK792HqigBo2qXbsk4bjw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBY3gzUU1WSk92QTBFNlFU\\nbVhLamEybkZUYWs4U3FPYWJFSTQybXlkK2pRCjhBdUlOVEVsMkhlbUJFbEVnbS9u\\nN1VuV0xpTzdQVk1zMURyb0VQTHVMWVUKLS0tIFkzdmNtMmgxajVRQlNiTTFzTnY4\\nMGdZcVpGRkRLQVVSMHJ1QlZjUm9halkKnTU4dXWpYOj4GLuyoNvz90uarPbn5CBR\\nfiIXd7QPQl2+3SstC8KrxXSvRx2DmxR+imtPRvqGEf7EaspXpfy1UQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSRUY3M0haTkV1RTlUbnpi\\nNk9WNU5OTkR6dVozUTJKbzhmVXJRSlJxMG1FCmUwWTJmbm12UDNmSG0rdThVekRw\\nWk1sOUFLUFlzMW0vKy9IWW5HNmtDd2cKLS0tIFc3cjVLTEF3QVdaeG1Kck9KMm13\\nS2pWZEpkUU5OaTJIYmNpZzIrRHdReGsKN15CghVCZmL5irAOuhewFIR1hL8YkT27\\nwahQun20ahRiIkQRZxGWi1C9HJ/v4IVjwsTRYbM9BwIuopDQkofosw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-04-09T10:20:42Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:QhBJD/BaFKX16orijmxl/Oi/50d8iqBKR90QPOHgWSp+MYXfzArS/OLu8ZtZ/xwucW7pNh1oC+CGmMHTW1xrBpuMg6MQ5qyhedKjlINptYG/IIcqIkakulppOxw9LMuUWznXcDApd3w5SkMux63tO7vti0kWQ3Zv4A9XpmOXRCM=,iv:85o1/ucnYoKBc/2cCCr+TgrXCQinzX3vGYv5xzEaJmQ=,tag:dokOTNpd0aQMsvVX4MOxFg==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/queue-runner-ca.key.staging-hydra",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:pe1lPpTo2O6CjOwyW3Go673wo4kJJ8O7XGk3M89pcdaoHPr0gdvvsSg8tG98qng4E5vfYnQpzXNFPBjmv9DvFkm3LDqOSmJsNw6Vp4LAIpkxQmuehGjDnsu2WxWC/JlG2Qm+2FS2saxZrfaeHEiZDvPEm1rN3oA=,iv:rrKEmM0PLIS+ur+cjW5tBR3UqOftOi6FTaqrymr6OIg=,tag:zGZtHCxldMKeWoNICBe3+A==,type:str]\",\n\t\"sops\": {\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1zxcssfw5j6dwvcw25tmxs79lq40xk70h2s234hen8pkpte2qe30q9e7cy8\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1NHg5VUZWSHV1K3dRa3I3\\nVy9HNkJzQW16dWNreE1ESTRkb1dkdUFmL1JjCkxxek1GYjJudThRK3VxWHZpS0tB\\nc2lYcktIeWVIZ3lQaXVJK0h0WmVzOWMKLS0tIGRaZVg1NEJGdjViWGJYL3VrZVNN\\ncFgrNXFSQjd2eFVxMjlESndwYXcxZlEKjXv0rWJFQcgsV6PKzvu3CUTtdvzH93wq\\nQdGaszVmstbPrTnht1ty8Rt4SnsXUxg+vFwxGUrWf1f4F3D1doC1eg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJc3RWK1ZocVRMaG13US85\\najJKNTVWMGVXa1hiQlY4UG9DSjRuRDFTT1VFCi9UU3ZMRUtUdWdybWVyWFhuN0ZL\\ndnM5TDQxTzE5Y0xYcGJ5OHhPV2V4elEKLS0tIFUyYzhOYWRDcEg5SFhJVW5KMmdG\\nVTZSZDFlRTY5QXduVXpJZ1BUVEVjNWsK5JkQ10w2r83BJDZDLp093hBUeRun98oZ\\n1cexIVKHrq0TtCF7kweNrOi9nMyitwcwyxc+iiJz1wZa6ZUYpZiZCQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJcjRnTjF2WEdLMURobVQ1\\nUnhoWXZVd2VvZG9WZS9NTGJMNVF3Rlg0OEFnClF2Zkk5NWtoSU4vSWRsbUlzckYz\\nd1h6TVhhakpQdGl5SjNTOXVlRjBkaFkKLS0tIDY3dmJXZjlrMGo5WlM1dzNFc1dQ\\nMkJJelZJUVQxZnBSbzV4VnN0cWptN0kKLnqhWJ4fPdFNuHfkJr+PmQywS3L69kIY\\n2v12scbgry5aCX5ChRfy0Hmy1PMHx4x6qLhicvzHn1zhLhUiB112EQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": 
\"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqeEZHL2ozc216K0Y3cE9v\\naU1GaUN0dmh5NlM5Um5BN3lCb1dLeXJqOVZjClZFbDI3dnJ2MGkyMUV3dGUreEVZ\\ncUFTbFVQSGJWRnhHdWhOSXpIZFpHam8KLS0tIGV2YVRPWEFRdWY4TDhqSWwzUEhJ\\nK053am85SFlPWHdqTUpMcDN1eFdSR00KSMBXHDQXVtLudlp5BxGTchm6niro7Ver\\nQ+2HCXKIOEVBbkp/qI2Poh707+LxOh49O/kFp/ThBCE3QzzET0/ePw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0MHI0Mi81YkhhNzhDN2x3\\nOFNua3VHdHZ5RklybTNaV0lxdEFWUm5TSXprCmpMdWRSaWFNWWdCUm51Q0RlMTJj\\nUStHdTgzZVZFR0UvcHFCOEVmaVZiaUkKLS0tIDhoYldvdjVDcDlOUm1NRk9Celoy\\nQlkwN2JHRzlpZTRBRmZ2cTUzVlI2Q0EKE584Lc/9WhP54Qcn9QHweKX7OJc+EkdY\\ncFunUkMZbamRyFnISJDcI76B0exJaA4kEUv3XQzW2YHhfL/sdsmndQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOU2NzcFlrdnZPbDZiOHRs\\nN1lmcmdDOVhGaSs2Y05GcnpkajI2a0JvTEVNClp6dDFuOXVGZVl2NnVicWRRaUpn\\ndnM0c1FHanJvaWR5Y1E0QmNGMGJBQTAKLS0tIG1MaXlZTzd0bW5aRTV5d2NyUkNh\\nczBhQVI3cjBoMlpsNlg3VXVJSWthYU0Kcco8nmBuBO7G05Pepe1EfznQ6/qIXjdM\\nthm+90r1LRNec6rUqPH+3B8jJiw4EUz2L+IzBREHqqCdr6QDH+cwZQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1fgzf77gyah4efemnrqg4e7j0vk8fpq0uzrucepmdpsd5z7l4lgpsfq54df\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED 
FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyQnJWMVp6NGNJc21ibGcw\\nejVhaWx4cDFremY2M2V4ak5MZUJ2TEowcVJBCnZ6eGFrTzd4dTIxRUExcWVVZ0lu\\nTDRodnl2cDFsRzNTTmRzekdxUEpZTWcKLS0tIEVjNWJSdEdINUUyajR2MTRZOHQ5\\nWG5wanNhWVhPbTZrR2Ftb3BxdHNyNzgKbhSTOqWwNH7l4Uttv9n2dJSqDKtxShj3\\nswqtKnfOB2pxu/Md7o8LEi/p1G5pe4VlloUNUYRxBaJSFI4ARoC77w==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-07-31T12:09:59Z\",\n\t\t\"mac\": \"ENC[AES256_GCM,data:EdssbCd38+X5Sr/qPSewtFgGyT0WFvR+0/ZkzpKGtj/7yS/Q9w0BoyZXbwuMF4R+n2aJ+NTmxPjCz9Ald0ENnXKXJcEHlKtTf9z2h+ft6rrFsBVBlrp3KfHY16EwcfBprvbbCkU6Bvxv5UGFGfJsw5l3jpL45LQQ7z528HiQz6c=,iv:02k7g9Fck1XFBor/TAHZGpgIiH2zPRDHsdRt4rjApeU=,tag:uJJ4J6znugGBQtARL6vwRg==,type:str]\",\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.10.2\"\n\t}\n}\n"
  },
  {
    "path": "non-critical-infra/secrets/queue-runner-server.key.staging-hydra",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:forqylxAxHHWDqqTG8nxgqnbuyCTtRiEZ+0VA6qYRhlRY7KAYmTM4GK3wDa8dZPBi0e+LXG5aaigyc9FFsl7hHKdtQo84OPHyJOSCZyBYjMg9qlBsy/USqxftzfMjMAxVk/ibAi5LDrNl9Jh/7w74BBtbdF3qiE=,iv:5YbKjIdd+EfVpMGzTzP0VDy0Wev22bRc9IO5e3StpA4=,tag:/jsQItUIschI6B0rs7dwQg==,type:str]\",\n\t\"sops\": {\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1zxcssfw5j6dwvcw25tmxs79lq40xk70h2s234hen8pkpte2qe30q9e7cy8\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBS0pOSEE3MUpVbEY2cEVa\\nV200UG4xSjVJNmpCbVd6clBoK0dGVFlpZkg4CjJZRXV6YnJub0RlWjZtbUFwbEo0\\nbUFuMlhjM1ZoLzZRV0JTQzIvWUJHT0kKLS0tIFNCTnFxQVF5Ky9IOHFYeDRrM1F3\\nbWQyZCtIbnMySnQ4M0M1cVFpaVJJNmcK6sszqfYP3gGr7xEQUXqi+8sjowkRFmN1\\nB5LBdjUwwE8BAQCoGn8rFV9msQyixxOyotAfY59VzzUvU7BB/f7f6w==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBURHJNalpQbW9Oa2tjdjVO\\nZFRpc25RZlcrdEhGSkNwTDRUVjNzTzJWSTNFCmpzcWUxMXJGZnZrODMwVTI4a1ZB\\neldVbHFYNFNKeStzQTg4Nmh6ZjV3a2cKLS0tIGdQU3J4a2c5L1dqUzZ6RkFKVGZh\\naWpJN0J1dUNVWnFQRm93UFB5UWN0SE0Khf1USIw8KJ64xCpvIxQ6+aU0INYz4O3i\\n1ABBcYp9yQv8jLS8JBXcVV+I29e9g7ZmE7jdVOCAtS/mbtn+jwhL/A==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmOVVJSDZVdWpJYWJVbkxs\\nVEZuS2NwYlowQ2UvUGN4dmx0eEpPZVdoRGtjCkt4V0wyRE9OQmhGY3YvTFZLeDA4\\neWZicjVhR3RzUWtPUlBjY3RKYkVxTVUKLS0tIEdjTkxXK3JpZCtmM3ZvRElQWWVz\\nTHNnZ2FiTlh3eHVOOWlPOWtXVmZ1enMKIjC9mYrzV9sFnQW5ApRTv/Gd/gugDEqo\\nPKQ+4AtL9EgVZ9ZY25CbUHLnxqiBK1eWCBcz1R3SUIWf+/ypt1rMMg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": 
\"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyVlZuTHdpcDRqb3RSWTN6\\nSzJwUlBkWnlCYjB6OU4yWUV2WmFiTWw4RjBJCnBQbUNMbUVENklYcGJoRzRiZGlO\\nNGhTZmhmUFoxNjlmVEM4RnZ5bGpTN2sKLS0tIDFNUWp4OHpJN0RkOWpDN2QzTGMx\\nUUhkNWNETUNrWGJYNS9wRk1UdVd5K1UKIT9Jihb1hrWfzWWGUIspSp7oKlmM0G4+\\nbLgoYb1ZLSoC4i0lzd2/XhN08JXicBy/pq1VFEsgUm7+fSAy0x+Qxw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0ZkU4eGFGR1FlNklZS2ox\\nWTBiNnR2NTJBQXRpQ0tzMlJRNERIYkdUS0N3CkRjYUNMMlk4bWxDM0pWMmxjU2ts\\ndytYb1dIVUJFeHJvVGFoQVRNbXc5VE0KLS0tIDdMdTFValBHMG5TNnArN2xFZG91\\nS0ZvWGVzNkM3V1dGVm14MGpkN2tKWEkKLqjCQZL2/+WDIGFxB3EdwuQVInfUzYpd\\nlt6PlV8EGp2kkkavwdtfx4yg1qx86TDw1zGCCYJHu778Dz7djhSvBg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxdzQ3MC95d2tCSWl2eXlw\\nSzhndDRnWEI3OE8rN1hWblI3NXFGS2JJeHg0CkFVWUIxR3JHTVVYSkkrSHJNaXpX\\nZlE4MTNiVTYxMmJIWEg2K212V1pqZHcKLS0tIHpNWUJSQk5GbFplTzB6a09tTW55\\nS0RBRFV3WU9OcmJKM0l3dUhyRkpmcEEKKC4u5QaWk+gx5fEgW2MKlUl63UkWfRJX\\nWOexmG8MJABZOngU6zZQbXXHPZkgBTwLbub3yO+C5bTMWHKEBq1+mQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1fgzf77gyah4efemnrqg4e7j0vk8fpq0uzrucepmdpsd5z7l4lgpsfq54df\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED 
FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBTjEwYmg0MkhHRUFJNnF1\\nM0N1bm1QV21xZmVrM2UzWTNKYy9FaWcxMVdBCkl5TzFPOTl6SlNqTmpFNEp3TnRL\\nc1FsYzhHUy9EK1RMeTBIYWxQVDB6K1kKLS0tIDI1VWxQSDljODhjL2ZxNkJqRFkz\\nc0JlZWFhVWhOb3FuNnk3cXBGb0JacGsK/OqKk1+PHIKi2dozYjJDOeUcQF1/U4QJ\\nIz5FhKY5fL5LzusQNgJUUJH7x2flB7RIvhAzstBUfI/pRrQPxSAC0w==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-07-31T12:10:09Z\",\n\t\t\"mac\": \"ENC[AES256_GCM,data:QRLZ7S6CoHaYQ+m0npUo2ISRkke4JvYe/cN5nBM7ngIdKQ+yyLK1d8ucG3YwB6HaVZXDM4F0BAKkwl3VXTDujKk24BQhb4G50EL91UTcaQQ4kIOdaSVh17/D6cXV1Han8hSrxrsXQ9vvyR9EmCVbjZMIP+TyyTbdAkFfHDch2Fk=,iv:Wm7rVVZRUjUeb/SU2GF5TnOcNawf8rsndlReEUtrGeg=,tag:PsL1RufQyx+7wayK0IOSlg==,type:str]\",\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.10.2\"\n\t}\n}\n"
  },
  {
    "path": "non-critical-infra/secrets/ra33it0-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:opUFn6E5u6E7tqqsHp5tb6s=,iv:KtLuT2eClZRii+RDWGU/LyanhsQp4HALs7MamLUbkao=,tag:RKzUm7KfH5ddVBiCOB0AbQ==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3bDlKbWx3MFBBYkM4OGhR\\ndDM4RDIraDNxZVdHRnU1ek5POTUybGRIREJVClJCMUR3NDN4bWVLSXRyR0VIVEFN\\nOGlWTHcvOTkxNVJ3a1Y1V3pNTkxPT3cKLS0tIDc0Zm9QZ1E0dXRQNHAzVnRXU0Vo\\nUkd6N3lvQU53KzRwUmJPd2M0RldIR2cKggpci+A1nPPLOYH7Pagx9/eWNvv7KPYJ\\nDA2YO5yeFOnhl0F9FV5ERt+P6oyl+UUQ07LJW2Xacf/nqokVogKuZQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdDc5OFZWOHd4Z29EL0tP\\nTlhCR0w0bG41WXNKSlU2Ni9TUXYzaTFQSlhBCmRRaWZLQTY4WC9vNVlFWWg3bHBs\\nT2FiWGxCZ0FVN25VSmMwcS82cGZ6dEkKLS0tIEJqQWhza0FSY2hYSmJzclkvNkF5\\nRDBWdjA3K2lPY0R6WTg1SWEwQWY1VWsKF1lFM9OxyJ1Vy/9eoEm1eDepnkaxo4Dx\\nfVhSNJjsNsoZ2PX5hIGPHupz+6gEOWYPjQWhTIr6spS7JPM2rzOxVQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkU0FpMmlpbHcyVHRrRzIy\\nKzZSWUxEcm1jWnl1a2FXS1NqK1pjK1lpaTBvCnRsTit2aXNzSm1xK0pjNlZxS2px\\ndTh0Sk1pb0RzUDhlT3pWZmMxeHU5UXcKLS0tIFJpTlZWZUtUOGNNL0hhckR5bmwx\\naEFIYnVlaisxNXA1Mmg1eDN1OE1DSmMKR+aO5zRqL22lEe+DexKjwajaYL0ftaMx\\nIOufdQ4vUvx2cetD9wn7cSwNM+uwfGrr3v5rADhfAmZkfnrwxNNIYw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:13Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:AVc8Y8l3hYaCUfgm444IV7MJD9BK9NMA0jLtmckMwe1L2yMl6ECc/Hrw7fxj6GvVCmdwzczaFEE5gw07/29zUPqv+uIvxKvIlINI8M09pTS7wjU+1B2mvTvjuI/+7rP83rzpA+su3SzgqUXcnxHmlNtwJlX6AfCF7VYnPu2BDUg=,iv:8AUBBJslDzt/bhORPFgDJPQl7rhSA6m2gSqapyclUG8=,tag:TmBmi0HE/YXYgkm71y5LSA==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/ra33ito-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:aXQxJjHlGPyz6hxtsZmoOlQEec8=,iv:gtkcvcVpqkX2nCyZVhZyhIsWFQtxxu0+H7cNV1wNRSE=,tag:6rcFigiH/+En7fVN7GHJ6w==,type:str]\",\n\t\"sops\": {\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiNXJUMHd6NWlKYjY2YnA0\\nUWJscjlxTC9PbTU5VzBHSHpwNTIySzdvNlRjClVzRU5SY2lHYW96Y1BYSzBpUlps\\nTnE4QTRkQWlkQlpFMjQyYmkreHdhY1EKLS0tIGt0L1A1M3Vkcjg0N2VLYUg1cjha\\nMnJ3MytOSWZmeTVTVmJSaU5GMmVUczQKdBPk3f1GHqOxdhnvajWDuOtRb9DDSl4t\\nyPG1S8qdBgxW1+M28Zjiz1to8nSIZcdeR9dhvT40aKhIs3Y/4VMqrQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCQU95OFQzcG9MdDQvZXdZ\\nYjM3YlJ5dms1ek53QlRDZC9TRFdyR0RVRTBFCnltMGpsd1MvZTluYWNuaXJnaVEv\\nUEtrZ210dmQxbGNHd0tIenhjMXh3WVUKLS0tIFpvSEZ0aHQ2ZVRvMGdrbksyYVdw\\nYmV1UFl2bklxbEdySnhlOUFKWmVKRFUKN/XTfYf3n4i39NGZAir1NDmG9laeJ8hI\\naoZybJPImLpkHjjsa1svKqIJfP03u8gWC9W4Clme5Wfq24P5u/aSEg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQa01lYlVuTm5TWHh0YlpI\\nT01JYnI3WXE3NU5mOXpkTXV3M0hMMFlpTGlRCnYwZVppYjRXV0VNNm9GQmtmdCtR\\nYzl3WFpiV2Fva1ZlUUtuSW5NMnlWRWMKLS0tIHFZSTRCN2lXQVJhaUFLN1REeXlv\\nZGFFOUUxMFFGeUNuSUxaMCtZTW15TlEK/8KcQe/ZCfpdVXUvq8V3NBarT8eNgUIC\\n+/oYQq12Z1yTY1jlrf2pQeCPbocKebeJo/7U+hiZPmd4Y+262Ym+sg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-05-30T14:12:29Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:edUl5tqglGjt/Ys05ArT58byNKOkmr15GQDrQumr+n0N5v3BZeqVBSD+OC4UwZk69jQy0FKglZitg4jcX8fJY2n5zTmA7wVk5chveKekn+pHSd+5B5Nd1r0+f+V017N9RqzJMzlKd+dKvarcHeXz1TBwVGDmL6SdO4zH00wTUXM=,iv:HSG2ulMNV9iuewEsJ3SV5ASKgYh/85gBnSU7/qBEDFU=,tag:xZOT3ex21csZDcGbYCPOrQ==,type:str]\",\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.10.2\"\n\t}\n}\n"
  },
  {
    "path": "non-critical-infra/secrets/ral-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:PZfHNe6AmAjoYCoXdarcDMm3yusCRYrVWTDIDg==,iv:9aXh9tDKDVi4kNhBGpZZ/bPhxkWl6qbG2Zvs2v+hWWM=,tag:ENV9I3tHYld4cCAg5TpRAw==,type:str]\",\n\t\"sops\": {\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnL3FDWVNaNSt2OHNjODJE\\nb1liSjJnRmIrcGE4azU3Yk5EL21qYXVSNGd3ClNtb3BXQisveUVXbXgzVW9wZzdx\\nOTlvRzRWZGdraHFFYlk5RnBWSGdlY1EKLS0tIGhBZEtTbVdYRWgzVVNIVjdMRTQ0\\nUzBRc0NCcW9xNWJETXFNTFUzMEV0TTAKZq3GGrdiVlvL+YQ/mZnnTdi86wLM8eX4\\npgo93OVS6dn9/rMyvIt1cCtQhSOpZpUUwIk21LksNXwAVUUP8rRGPg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOejQ4T0lsOW5McWJhV1N4\\nUytYOVBPbkIvSXNyZUNIU3ErL3FRYzNtSEVJCmVORk9nT1VSQXh2MWJlWlp3VHlv\\nNDI0b1RDUjl6cklMZTJCUS9BUE1DcjQKLS0tIHJVNGwxbDJJRm13RXdHWWdrNGt6\\nN3VxM0ZhRU1jZ1psalpNZXJNdmcxcVUKHNLade9JgL6Fs/XWvmD4keKj7zQPBNXI\\n3Y7iP/NddtKZuDzFknns4kaDEsnSAeiLYdz4Du8NLyQHrI5vs+Iqtw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhN0hvUUoxWVQxL1NSemo5\\nZjdqaTZ1c2xNQTJ1WVd6MVRYWkhmWlY1MGtrCkllM2R6TGtVeEtkY3lPY01RNHJn\\nRm1kdGE0ODdSbmRObnNpakI2U2NlalUKLS0tIDBRdjhoRmkzLzB3MmpIbElrZ3hB\\nVURFaVdjZk1RejkwVndQTUVXOEo4Rm8KYl4knjBOwaQwYrow5OMiyMhGIl3UXLs6\\nWfTdZO3lgiNLIMINC+9RRqxfFp+LdEULZr2SugptiPt0aPiGNw8KSA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-06-06T17:32:08Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:33h+jFsD63OG2Zi+ApUPaLKZXGuIX5yCpd5AGPxgh/C5L+TT0SABH4g2FcdvVR5LOJjxm2f63cH1wznnK8EVkYtDHQyRtEKHStTu5rlmBJudA74r8eaqv2FC+TnfypqRQrRtY+OTrVq4bE9cmuEh78ZwR4pCZHLD4vsRmerTVKM=,iv:H2UqED5k35l1xFLCvdH6ATnTZOLGZnUmVfecnI2lGY0=,tag:lHi2AZAQAI2Dn1Ouh/IZPA==,type:str]\",\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.10.2\"\n\t}\n}\n"
  },
  {
    "path": "non-critical-infra/secrets/rbvermaa-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:n4ESZDFSyxX6BcGZgxqe5FMyBTc8GAk8lef1,iv:+YIWHaElfL1LzEbIW41VPHm5ezI0CtkrpguKEN9r95o=,tag:I3XzG/R4aF99468AXSDwVA==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0cHBZblZoQXFwYXV2eVN4\\nMHZEemd4NUxFRVJlOGwraFd2RmlXMG1wbFJ3Ck1yZ3hMd0N1UG1vQVRLOENJTVZ1\\nVElqUi8zS2U4UFhNODk1bjduMGFpZ1kKLS0tIExCS1U5blhNZ2N2NTNMSHdKNUdo\\nR2NQTDZsY1ZSOERtOFN0VTFHWk9ybEkKZSjnPzcU+AT/ok5CPlAt2i633ditZivw\\nMFaMmX7MnKbxQ8cc9n+PzykhRi1rkK13MSE+7EHURHGiKF7Mhi+FuA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWeUhPTTZKVVQ0aWxmUUF6\\nZFRzMGFpUWx1UzZZNllyeHFsdkhtVEd3SERVCnBCd0tWbzI1MkdmZjcxaFhEZXAw\\nVWlHL3Bza2NyZjdad2dmTldYdVNNMWsKLS0tIFAxMVl2a0N2RTJmbS9DV01DckVK\\nSldCT1dHMEtBMDRWNW5KaFBaaWZnWW8KyhH9q+BYjeXB92PTNF7Z9XnVzfZeZj08\\n3UlUKDaJqNF8HDV1h1BidSwkff/CQZak3/TChRyGnMchC+reejT6fg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKUFdudEhYTVEvd1lHVTht\\nMWtCbGFCZGtBaVhyRG1pMTRIN1NMUEVoeFVVCnFEU2xrdkNzRkJRWGduV29XUW5i\\nWHN3VzFHbHdNSTRMc3dLL3Y1VTlQVjgKLS0tIE1xYStVdHZXbGZWMWU2Y3Y2QWFo\\nc0lOSlNmVi9qKzIzZUFFVnA4TXVHNlkKCcrrJRcQ3DN2uNe3eonpJDAcO/lT86yk\\ncffD/NPtB6HdyIFNV8a4kSHpuVx8ew9/Bssh2GDT5QBdIqs2y+hpmg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:21Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:l/1zLRWOiD6hirIJ3etFBgXSTTxvMz5I8RE9TEp18/lLskzpAOXf1azYftXFCvCoz6u/6WSqUIinvGmIFcGGYv3x8ZLnJ7ABDtNGPcTIvr362H+Wq5vd+sr/6OKqNCD5CsYEXx4m2KVUl5qDwSImVZB93Nw64RBukRBgCumWWm8=,iv:II4peq9wUeA7aX71KL7KHVlwsw4OhDdUN39uK9QKWpA=,tag:Q9L1VNwf5yYsfQHonK9tSg==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/refroni-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:3G/sSkcB8glDRc+ZyXOC,iv:aRKD0w7CIs7JfdjPQ8vLKSgmFmwUNWjwBvSYSbZsnhI=,tag:QLiHiRukS7Y5VdCNwmB3gQ==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNcFlHYU9nU3RkNSt3ckhU\\na0NGT2E3QnV2L3FaeEIySXNzajdyY2M5UXhFCmJheGZUbENPV3F5Q2lrOHVYbFRD\\nTVphTmlsa2NBekZGUUZQNXhwOWxNOUUKLS0tIEVyTmd1amlOM1hrNDFLc1RHKzVH\\nS25PVG94S0oxOUkzQmlrVk9EcmF3NmsKWnp3FVHN/xV9zs4Ip/k7ZJFsitC9W3vL\\nVi8QUcdSkAWeezZvdUYVg/U858KuLSUOq/tVw2l4f4kb9Z8KhFPVcQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxTkdPTURGR0dQU1RraVRR\\naU16NHdvbnk3STMvNHBGRXBsVUluRDhsVTF3CjdDS041SmpoeGlKT3loVkN3aTk3\\nRTNjcEhqeTM4Zm01OCthelFRUU5DNmMKLS0tIDAyYk1PbXQwZUpWQXpwWlJmZG5P\\ncU9seEQ4T2g3VTRhalFKcFJlTTNLOU0KZp3aRIiFi8E48fyRecX0kpng/Ct2oQoU\\noqnCHIG9Ad3UMSfcSvh/vy84I3+Ru8fTcKXSOpOLe2qSwjqA7VQweA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnNmpQSkh2OVo5QXR2Mkow\\nVjNVeHhoTHNQVHRObGtmU3JXdEtJNVRPUlMwCmZSS0ZpVUpFamhnN0ZJTHdqYUgz\\nYUdIZnV3N2ZWUUtKb3I2YVBDQjVpVlkKLS0tIGxDL1B4RVpBMlhqQUZNSWVVQlNB\\nUnExYmpFTmR4T21MWEhjVDA0dkpHSEUKnMGqCRyghepYNGIz0ChFgp9ctkvTmBFX\\nrolI+X12gguePHA4smuhXXn4qa0KuVkEEP0Uu9DdCAzJJ8CWgi2g0A==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:21Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:C1NGCV2Le1GkvnKNmM/6t5yDmMLyPa2nnoNhtScwb9rlzaQxjtWPSsJRRTMLgGgh/XTIhKjNO8+5PefLzQWfEqBZA0s1Y8n/0Qm1D4n18OXEajgYxPWOWpCTjR8aZfLTn6hXA+gx6IirCyYrfj05UspXcoo2mk06U4XTss669+0=,iv:kKhjEXpgdvTjSM8pfYkGhkWm3JtJOokMUvORqGLTb/o=,tag:SxuoieruxNkpqvcebrW9vw==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/refroni-nixcon-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:jFJNBd+T4CFxN6N4,iv:jzoyiMOmkN50O0Pj+J5U50nCY9zO72/AyZCAiA/vnKM=,tag:UVSK+zWYIgkVxpIxIQTP0Q==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJMHVNNWwyZGx5aUQwNzhH\\nWG15TlBLelFBcGlEWmF2ay9IaHFWNDRLL1VrCmRxbkNNSkxMN1M0MVNwaTRzc1ND\\naVg5czJQakJmU2NXd0o1a2RId1pLRFkKLS0tIGxaWUJ3RXJjSzJKcHk1bzN2UnZq\\nT3RZckF4ZHB0UFNCUWxvdi9DMVU3VjAKePztDIswMCRgwWDVlNVlBXf1QnZtUmVo\\nOQP6TQ2b71vshmupe991xoiVYh0p3XxlcVrSzlHL1cxpzOCVVrZbtw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaDdyVGJrcnJjY0cxbHEv\\ndVVOWll3WitNTVYzcWVURitiY3hrYS9oekZBClNDdlpyUG0xR1Z2aUViaCtQS0Ns\\nbmRYTEc3ZjVadWVKdGpxVllXdjNNOEkKLS0tIFVodkpVQlRvWEI2dHYzYThFSGhH\\nU0JNRm12VHZidTRQZFd5ZitVaXZBdDAKaF7XODevO7DPL9gWb0dTwEvLbe2Cr22r\\nmfnjQAPKh8WX6fX6W1i2KksF2iU9Ny5Z1i6K7bTkIPWRBRMBjYTxEw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIcVQzWk5ucms1Q21WREJP\\ncjBPcHdSVXlUMnErWHpNS2tMZWlmSDJtRXdjCnFFUkxtTTErb3RvcGtCTEtxQmZj\\nVk4vS2J2M2dBYVpPMnZUMnMxOTI0NFUKLS0tIE1LSlNLeUdCRjRuUGVFSXUyQmZK\\nWkJoOHo5bDg4cXJnTldZa0pVdkwzOGcKudKXzT6UD5/5eILbV3XBXgiTL4giNQJg\\nKiFbcyW42IjXgGpIHYW2TGmM6kBa3aIYp+9FsavJvQoGxshxpy65Dg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:13Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:7Ul5t22GJMfOpZ/94QfLK+Kl/qd1EyDUDXUi2IsGpvGUTxfTP/It8lzTKF0STfzVT8JmGcm8WCy2a8i5kB+E1+gFWk6RShe3Q+IIW62UN5PxVcKQZEMThydbQG+R2JJmuQGmwZw93dFz1WWgUTY47EpXw4imIwNgk20B2S3pd3I=,iv:AMvByk17M5eGqVlS15GsmpIW/5Cx4s3Q3F7NEKsItys=,tag:PHHn6RcDD98tx0sOVK4JDw==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/risicle-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:7fe9HOXmQMbKZvq0OuNEDiwX+YHgpw==,iv:S7dcT4b9ffl7wVZ+P8Pi7E2XX1gLqo8//DhiNweUFCY=,tag:kIK6xbo2uiGcLPedC5S/2g==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4YXhFWFo2cndkQXVsa083\\nNlg3aEhOWXdERlVHdElRTUpGck5QVDNPUlU4CnF5SDFaZFhPa0o1ektkb0lVT3o3\\nWFlleGY4WmZXZlpWWjcwdUhsQjh4OVUKLS0tIDZCekhOOGU5VGdDdzA0S3lhbzJN\\nZ2tPWUJOV1dYK2VxQjdTQW5nM1NkR0UKWA3fPHXjPG0hc/ZQnhX9HZLEF1iP3xJ9\\n+7uISRPlwy65nSch4hngfu41xdTAPLhkjJJUlcS5AE4Rp/dDc9eNkQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiREpoSHJyVE8ySjdIZlU4\\nRjZWcTRFbnltaXpZU0V5N3VTSGlVYXdNc1J3CngwTlRZM1pUWExITnJ3NFZoeHBM\\nUzVQSDNRakhicVJLUmcvNG93WW9DeDQKLS0tIDVNbTMxM0JYeGxkbjZjUTh4QkRo\\ndWIwV3ozNmZGRVRMSTlzYVYrNmFCd2sKCWNELX+V6rhLKI5QRo713bq0QQBKtEwK\\nl1Yr/N8tsT8LFyR38dXAee3Bi2WVFNGVOxtQvUeQwqQRlnPuCL/oUA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNamJHRGF2VlplcXk0M0Nv\\nbiszVUJtcE5iazZpNklubUF0TGxCNDJ3WkJJCm41OEVyOFMvK0JGbW4vVUpOZDU2\\nYnN1UHVDMWlQRUsvMjZFSDdRQkZBazQKLS0tIEpKb2R6TnpNSExLQjJCQzY1Yjds\\nK3A4TU9GZXJsRVhKYllHMGQ4OU1VOW8KasD+UNmcjx4ZrPzYpVbetlwTaIbJGni4\\n0Fr12kJbt6ZjcHV13UMIr9F9wZaV8aIlTZHfszEVbk02k9sFr5WnvQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:23Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:VYTsg8ys36szFJGXSM6S7bdbKXPq3bxE0SPBgfXzoQmZN1IJD5Z0foHXqRHfG9A8YvyAMvUVlnFNAtQaUGGNUibY0MFNKFmb8YsI6hXrlQSZFB2JsHqxDD4OyoJUHG0iBTucxJhHfv0HefnvpqttCW5s2VuEMFCLDkqcT00aHJc=,iv:tQSJLFOnWvzXYpxRURYArC2B81FUiX9tJu3GW7DR+FU=,tag:kW9cE8wNiCkGXfCPM+U8Jw==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/roberth-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:BKx7sPjvcVJ6yxQCZs4dkSfM9pIxOX4=,iv:M7ImDURQWnmAIUWgc2TWU77R07i6T9ySyhKf4xmrIv8=,tag:6Ev8KHJ/i61YAZ4egUypUw==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhc2JJa1ZmNEhubG5qRDhI\\nNWFPd0Ura2xrbDRpSnlOVExQTDduU21kVTJjCmtGeWtER2Y0Z2NlMDZKOXlxRTFD\\ndm92cDg3d09ZKzhsREJoblN0Y012TjAKLS0tIDh2amdFS3Y3WE0rNVhIVGUxOG1L\\nN1FyQit6RzhUZk0vYkRLamUyNThxZlkKEJdDAjdh627PTMTjBY1qd0xdZRIuS3Fj\\nZSj3uhKkGeQmTk4srYjTEd0IjsqdW8YhimGVX71WR7Yq9mQPTK3DWg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQY0o2V0FQbUgzaXV2M3V0\\nTTlhNHA0LzE2TWRJUE1EZTEyR3NoTjVuNmdZClBCUk1zNUdnUEJmZGN5L2RPYXRG\\nN2dBRE9UcW1mQmtRc2xuWnhPN0xpOEkKLS0tIEhNSHRpZG1VandmOG11VW8rcVI0\\ndG9KNzg3NlJmWGhrYTA0ME4vazBxak0KnRGxMy9fLba0qamlS3dFObUkFmZx0eLp\\nM9o8aVkBBpcqELG6X/Fy7WFLPc0ZV4jJ80wBZmiCcWLhhqjs+/ZqRQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3a2R0NVlIYmJ5QnlON0hB\\nMXlibG1XWnRKRmRTNG12SDAxR3VQRy9UTG5JCjZ2NWhZNGFjRC9rNi9lNkYxcFJt\\nNEg1NlNBemN0eWd5REpCMVE5MjB6eWMKLS0tIEtOQzlPWjZDL2dVU3htTzRJNkU0\\nT0NCR1FlZ04yYW50NGNyUkdRTjFpTncKTjhufMAUSSXre7/6fBRmLR5VE67iDazd\\nG/tTgikrm8XT6cpp6ujsv7Odm/sxMOUM9ceaYaNarJyYG7qfa21dlA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:26Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:ZulvYVb+MDCHnV65GS/cO+3hh65I05DFJpctsiVw1+oNk6sdK5zJ7N0vN4h2zcJXsWq2DDC+YItxiMuXKwZBCasbbs+KbRmO1fwyfXOjbTPbJzP2FlvZzYfA3MeS7DTJH+egVCH3OL0Kuui40jxlSY1BAvqi5YNMtE2VOmNQsaI=,iv:0gIl0i0zY1lrIFvHsQ/P6HdkHWnbUQETiNcX8x7ASDo=,tag:706cPF842rHxBg8m8f+hOA==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/rosscomputerguy-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:GazKVNo0LeiIQFVDtg41ZcqRDFbRA8xyij6Kj60N,iv:9e3TyrpTJxpbFghnhyNthycdU6BF1FtdYvrSMM8ky+E=,tag:kKYwly/7Jz7MO5b3gOrhoA==,type:str]\",\n\t\"sops\": {\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuTWlvbktLL2dRWjRWcWU3\\nWTBuRHR0bHBOZ2FRcy95U3VOWGdNSkpmOHpVCmE1c2pyaXFYeGxxemFaRHI0WERk\\nTTQxaVpVMjJiWllLYWtWZXhKclJHSGMKLS0tIDFvWmdNQkU2bUNKMlFQeHRndFRk\\ncUlSaW1WRHZFZ0QyOTN3NkRUSjhYencK/QM+MTTOLbMZHyW1HACPMv3X1FtzOc6g\\nQSgN00BTrU3fvYRGXpH2Qd6MPVEpaYFU3+C1rD9fzL/cXLKFP/d4PQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1aXlkM1A2dDVTZEV2YjJw\\nTFdzWWdwSFFpN3o4Sk5COTh1Qm9RQnFvR1FVCjNySk1ZcHJmQ01SNFg0anRhUzAr\\nTTlmVXF4bWxiU2tWS0cyZVlzdHh3NmMKLS0tIHJ1c0ZkeG1PT3dKb0dYaE9wUjhQ\\nL1VId0hLSG8zaUF3anAvTkpmZFpZQlEKqts7ZK9+93BarS5LV/eyQ08qzMWVsAUw\\n02REN/UFKwF73EYp7xCoKAnO06awB5X9njX5EjzfRyF+suiXQAXKkQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSNm5jQWhnMkM1ZHY3RDhT\\nT2IyTkRQREtVVFNSUUk4SXY5KzVtZnpBWENrClJzeXZEU2FzN2VxTWhVOUtLUkpJ\\nbDBBQzVIVjJnUTNpZU9nOHB5OW0xT3MKLS0tIGcwbG9nbTIwWExXUUxjVUVMZG1P\\nRkM4SnBiNnkyRGNyQnQ4QzhnSmt4RUUKHQv5QVwOxNzFbL8rQh9i22yqF1T7CKEN\\nCSsOTdO/5Iw6G9JKs1bnNJRYtT6CW2hrFQ3oGwofjLKko+4z0GQLbQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-05-30T15:22:20Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:S+xQqRk+lrhyxCemO/AAT3yTSzzhlRA1WQbq7Dy0YaCjGAUcx0tRUuLXq8uhAyCs+rW7skcbP4sgqRc6agunEowSaVNGxp7PeQiT7D6Wy2zFwnPbbbzwJ1mv20Z/cFgwdiR00vsAP8/Bn6uEFOZ0PQryBfZ6CxxePBzqIvFlwVk=,iv:U1Tatbb+56+df+omnIdCYl4oPXAYBIsCG8pEXwND3uM=,tag:Z2/Q+VMLZlSdwbkuK4nAXg==,type:str]\",\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.10.2\"\n\t}\n}\n"
  },
  {
    "path": "non-critical-infra/secrets/securitytracker-noreply-email-login.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:OP19/y+JFoVll1jUX+KFYUoFSUVDvBrlu49j7TT0y/++c32Slkn0a9LxIB298NrNERWu6n/wgVG+bcN7IA==,iv:yGnpgTxiqtTIVjFLoWkn4FhC7LsCB9SA3wYbIw9ZpfA=,tag:F12grj5CzJZofLCZqFkafg==,type:str]\",\n\t\"sops\": {\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQcmRuWHNLNm1iQWJ5R0FU\\nY3o4V1lRM2hvODhycU1GTU0rSXFNajM0ZlFnCmtIbnlsbmM2bkxZYnRBVkVLNVRa\\nQWhOTmZubWNyYlRueTV3SUY5Nmo3M1UKLS0tIGdGVndWSWNaMVQramRjTjdOYmF4\\nS3ArUGdFU3RYOXo4QmdoeHFmN2trVmMKSJVxIKSKmL2AQf1AcMUO+ppZxpZwQDFb\\nIIKUW85aS8FAFX+14ivbodD7oh2UtH9BRCnhVuv1ZamDiq+/huiWVw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpem45bG1IOFovdTJLM2pP\\na1BQczY2eWppWVZHRWJZeWJidWpSNjFQSGpzCk9sS2RLVk5wL2dxWkQwT0QzOVlE\\nYWYxaVVmYUxsQzhqekwxOGJtckx6UWcKLS0tIG5XZkN1bTlqZmI1UTBDNFk3SDAy\\nbXdqcDk1bXdaTnVkVTByR0t6TmJYcW8K2NqioqDn13UuBKrI/tDEnM+zSfipCsMq\\nNH9IYKsfYG48kL9yj6WrtMVQNV4P2ZLSc9IBpdZvEaQay4o99EswjA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDZzZmUE9oRmp5VVpOYis5\\nSzFTS0s0SVp5WDRDaWJZWmN4dFBMak5HZzM4ClZNYmw2V0tOUEpNRmhzaTBlQy9s\\nYjR2bTg3UkhJdEc1TTdteDdNTWIrOEUKLS0tIEdFcEZjNGh0anZoODJreGJGWVNr\\ndDIwZWhZTzk4WWsrajArSjFMMmdEdzgKDgWzB4U0qYeYdx4G4M04DPSuqUBj5XCG\\nLurSEOpBmjxSVIkUzUVEUYAq3IsLxMiDf5iqLs1/d4TeD7Djg0oi1g==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE 
ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEY3RsMGk0d2J1SW9neEFa\\nS0ZnWVJSM3ZDbTdEYko1VjlSWVJpSks4MWtnCnozSmVjdU95Yk9jNm9EeFpvaUU0\\nMW5zUnU0amFtRkhPZEdmcldXWW5JaGMKLS0tIDJyK1B6ZStxdkFTMUJ2OHJncndP\\nRU81cG1hOXU2akRITkphSUVxaHdPMG8KtQ0B+bH7YRCO36ocidtGWhqCs36LayDc\\nm8xiPLIGSJuYyHpPSkcbQcxOP/wx2yRRloRkV/LjnSt2d7DtBcFddg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvRXRCQmpZS0JrK3RqaENh\\nSitqdVZhMlltVFArTFdIL3QxZVEwcTNDQmtnCmZjVk5vQkhYRVdHZmp2TFBRT1R0\\nSWY0WWFYVHFoQ21hWStScS9qQkVRRGsKLS0tIFRHU3UyRzVuZGR3NlJnaFlXNDBQ\\nTVlVZFhpSFhsYjhnN3o2KzR5OTFBVkEKwkO++MNLjrd8nYXUyWtFnZu4PhDjyLki\\n5Tw+XQW9zzHKZTvpFep3TZCMvvMUzCnNTcB7u81fG0fe8kHq78NTww==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-12-18T15:28:21Z\",\n\t\t\"mac\": \"ENC[AES256_GCM,data:jHBjHm/ow2YuMspsrZd2zjTTovmuHiBkcHj4fwlH+Pchbc3DtoXlSuDxY8HO2b1nio+svYFc0Hn709gbWlZN1GGjO2pDBdddAnrl+Hqhj7prL5hTAcrnlLT4XUR8mNoGC9sVzBt+XHMopti7Dk14BUqkWfXNaFi/NrfS7JB7y60=,iv:6HG5/KdqkzzIttQ/lPoMwV+KuZjmDBVQuy8l0ueMVlQ=,tag:eD9eKdmpIVVx1n9rfB0oew==,type:str]\",\n\t\t\"version\": \"3.11.0\"\n\t}\n}\n"
  },
  {
    "path": "non-critical-infra/secrets/sigmasquadron-xsa-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:FeeTYcuqHqv4A+rzuRd/pvOnzrjq,iv:tiAzlAYJwD/GsjmwIF+TD/v72riKGIHgaDN6QFKAKb8=,tag:BXEq8GNbJ25gvQZd5sGl5g==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1cFlYR244WkdFdWU0UXh5\\nYTRNVGorZStBbjdsYlJ2cnpqOVhWUzVmY0E0ClNLT2J3dTZZdW41Q1NqTzc4WmxY\\nME1Db3BocGNyYWtvKzNIcVl6SE5OcUkKLS0tIDFuTm9kM0NRS2lLei9WNmxEblNM\\ncU9TM2VDcHRGQlhSZkdlQTdFTElVb0UKKUiqN2TNsJmJHGA49XxLuzorzRq6WWl/\\nS1CP3X/xZDZyWLnLEAux7hpwrQDFq4zM2uwPERGsayes5RgGO4OxzA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1U1U2bWRCVlpCQUtYdEds\\nTDJ2M1lHaEdLRHZCakNzQ2FSaXIxZHB1VkNJCncxMnhtNU1kMi9SeEJMazFvUVg2\\nTXE1UHhCTWxoUXpwRWtwYzQvRGFRYU0KLS0tIDcwdVZya3ozbXk0aU5hWHBjbjc1\\nMllGV2syWVRFU2E0ZmxVejlQd0dyY1EKPU61+iPunJIOeEVqAjrGTxnsZQT8iScv\\n70VFITXumYrHzC9+3eiXyxMgI+1OTKTCrgV/W25mHCmC6i+OxqB1kw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJcmdSTHhoYklyT0tLTkE2\\nL0tiY0g4VkZXNWZWWmlMUG1jQnFTeDF2OEhzClFRa1R6UHJOZ3UwdERDNDdybHNk\\naVl3WWhUOHQvUDgzM1QzQTNsbDh2NzAKLS0tIGRjVTBydkFPTjFhSnppWXprQTkx\\nU1hCNTRSTTN1c3pCcnhBZTJCM1dhcFEKu2QGK/8dQJuiAdzBLTOfBHyMhtmBUCn8\\nl35Sm+24NdIMpKDITDdzFnu5Gese2dWZQTAPBn3dzzmbX3/ozBbv+A==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-04-05T23:07:36Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:J/p5R51oiqFrNU44h8d/e6nJw+zfmq2gjkLPikxdEc6ZIG3P/l7pq40sdnIjFsEj4fqWPJZxoR0U1i4HRVRx1dYL17laIXgm0NgXTdHu/rfy8IcIom6T2wJYcxpl3Z/W4Wcch0W78huujIFFDeeeT2IZy96tMuAb0LG62DaDI2Y=,iv:69UxnbyCysMljwDWnthRoCGODV12U8T/N0leuJDLFUE=,tag:npfl3GXi1xseduJqGOcdKA==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/signing-key.staging-hydra",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:o+1PzKfNCuqAO8ayS17XToTq1xVj4qaL/ZcovtzaWXwu8PH85qggjalA5hWxM90B3IioJlySgp+Iw9Tzyopjfc+XnFT0T30Jx29PCQkQhi1CHjH3QcJq8rVNMzQIZ39+PHyH2b1RBOh/5pz58+/H7g==,iv:7stmWfbTZ55slCozcag87MdxZEhuJquR0uf8WTE4rOw=,tag:gMTAPLSw3AYn7nrdQX7D0A==,type:str]\",\n\t\"sops\": {\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1zxcssfw5j6dwvcw25tmxs79lq40xk70h2s234hen8pkpte2qe30q9e7cy8\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQjNIYldTc25ZVUpjRDJV\\nekF2dXZaMzI5emdpUjA4cnVlK0FJSkhzVG44Cm1HNzJ1YmM4cWcrVmV3M0pPaXpC\\nMUZqOWtDNFNEQWwwTnBzc3UwMWJRR1kKLS0tIEx6MzlrRmRsMndiNW9HT0dBdmF0\\nekVDOWJjci95TkRKUVI3b2YwWWM5bEUKWOZNrjqPZVwjNQ53IW0SC/0wSmfwBicc\\n9eQ/iq1n2RXV4fB+8FRXGu75STydXN85WRpwKEzFtBlHJxEmSSuprw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeUZENTN4QWxUeGdwL0xu\\neWtDMmsyeVROVkJKbWhYc3ZINUJzVUQvTkJRCjJaRmZhUGRpaWVWaHpPNGQzaU5C\\naExlVWJlV1BxT1lOM2loNjFnSlVFSDgKLS0tIGZYMGRXQm9RRXpqU1dYZ201Y0lv\\nUlhSR0p4T0VuREJ3VFBySmQ3WVJnc3MK8qbBkGQzGMv/Q5oD1M5LjKMrjPLN2BMZ\\nr8PaeWygqVUI9PNPJ9eI0RSe7St9u8hJDuZwQaN8832ysGjPwpsM3A==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqUFpvV3JPZ0NiVngzWTFq\\nWVZSSkIzZjUxTDZIRVJYckphNGNZZWxob25RCkJFWVU5TGZnc2sxR2txS1loRW1S\\nVElHck8xc1g4ZmZHWUt0Ykg2dldBUjQKLS0tIHhRNlNzTWs4U2lPdDR2ejJIQ3Ri\\nS1cvWVBYdTM0OW1PSjkrZEhrYXNZNDgK4Zz/uHXMm7554nakLYBmtzQoK8E+eFFC\\n/mT+rEZiX+MZW3nE8PDhXAa1YUAo7y/icD7XQf5GnXW4C7T1paYVyQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": 
\"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5YmVKNDBsendmV0cwOUly\\nQXNldGdvcXBqQU9Ic3pPV1hCWmY5d0hqSW1nCk1qTVdEdjZ0cEgrdW4yRmtYYnlH\\ndGFURms3djZzOXZ2OWdPV0JObGViRnMKLS0tIE9SZnRnRGFMaXZYUmRJY3o3cEtm\\nV002c0h6UHpYdXZQYkh4R0E0MDU2a0kKv2m8fsHpsRxSzXG+PpnPRivU1obzdN2E\\nDZukxQX7jkjPcE4Q0WucPsHkLdqo55zWmbvvOhgdZka/4DUNbb7O1Q==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmNURmdWhRYmhKVnR0bWx1\\nbURvMjNicVpXTjNjamU4b0ZPQXNUMWl0UURnCmxGbnhBY3hJMUkvUUVqVlB3TFNk\\nTE42TC8vcnE4RU9xOVkxTFJyaWprblUKLS0tIElHT0tUOTlKbmxOM2xkL1Z0OVhJ\\nZzNYeWNTbnZmWEtuMUwwY0sxZ0RHUUkKwVVP8g5r4YHPOxm/72v54srpJ7EE/U4G\\nCakniy44a7sTn3m8hmH4FfJuc4x/xbun2vrSYBW2gAPpu2h2Ad1H3A==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAveTZPeVVaWDNUT1F5M2pL\\nY0hnRW04NFpiM0VrazVuOWN4UTVXRFRWc0NFCjNpaWwxOFlMc3VKTG1sRE53eUdU\\nSDQxOThCYTJmblJUQzFaTkJ5Y01DUGcKLS0tIDRrVkdheTBtclRqN0hvWThQN0xs\\ncjVlVGlrT2RaK1VGLzdFOU54NzhZOGMKPPEtsz62T+QiMrtkyShdYNzCXDPbauVx\\n/mEfLetx3EAgluZNGUAIQnoxJTHbwX08kR557YcOTAHfHNi9xdDuiw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1fgzf77gyah4efemnrqg4e7j0vk8fpq0uzrucepmdpsd5z7l4lgpsfq54df\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED 
FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMYW1oZUMyYVVKTUxmUm5L\\nNUpIeStsMXE5WVVackNTTXhzRnNYMUQ5Z1UwCjlZWHU3SU9JUy9SZks0dW55VnZS\\nNHJhemVkUUlkeTQrOStPalJ4SWErUWcKLS0tIFJDTEJQOVA4dFlJTDdqQWo1dEE3\\nWGdrK3hxWjVrZytrQmhlOXJ6UXFNcWsKYt7yy43dw0aJ6Z/jTBKFIkuRcgBLqhLh\\nXE3vGENBNs8KcrngQwy+oyyPmZlvY9J8mspoxGZIvIAYK5vX+yeNbw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-07-10T15:50:01Z\",\n\t\t\"mac\": \"ENC[AES256_GCM,data:x4Ze9rBUQus/TvnUsLEKPKoB26zVpdeNAE5AiFX0yYWy+IeFVxmsUxcrkvNMALKoRbM//zYZEbB9jNtf+1napt0J4+vNbOq/I8JjinA/kYdakeRKTlj4Ge5CEQU7Ix2LGM92b7vkyktT5O8aRh4bSTKv+HJDhKuEBgug75gkK9c=,iv:6o0CfZzCvz8pRbSD0rw/U3hCxx2RzTbuP3RncNgcU08=,tag:b8eXcjEhJJo9avwHQ0BZJw==,type:str]\",\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.10.2\"\n\t}\n}\n"
  },
  {
    "path": "non-critical-infra/secrets/staging-hydra-hostkeys.yaml",
    "content": "ssh_host_ed25519_key: ENC[AES256_GCM,data:WdQWf3FMtgp3xBgwLOnq9xMeZ0fpGjxHkqlIoE717tk18L03x4VTiiQanHK5dxvn0KG8piM0rHO5EFNueevGx7SS6Ad26nT4Y9EjnN9vq607OJZnwLysBPwfTK/iCKr/+pa+8k332I+ZSqENMf0WhSjh1z55QteCZdNdWAa9hzuovDz5dHKBUR1n8DshC7mbPklDqDNc4tYn1G5DylHIWFzLTIeQKBo2tNRy2d8nfH+m9S5cFI9kITV+ovPXIBNAZ6WONf/iHZ0gt9gZsGnLVcjuz7gVlq756ho4GvARz6BYMyILOUVlIkpAfgQQm+Zq96Tj73U5ingtrfisMYbtdZY2IY2BXwuxCTOc1sZAkzzNT4QfByVe2zeY/CCaZnBZ9OjjG1DDxSkyXZmumyh3EHtOH7r2ZGPkvjFtA9CaTK0qwoMZ1+sz0MLSzaaQSeKLjxmlS4LbIIOfuQ6NFSgHU9H8lRqgADUEBU3nlSUg+C1r7mhHToKL9K6oplTII/q/mJ2d,iv:UBFtqCUupy10B6OBmjYJA/iWpN9oDrl2GfwyYHsd9NU=,tag:n+naTz5m18k0/6lkTWzMaA==,type:str]\nssh_host_ed25519_key_pub: ENC[AES256_GCM,data:dG7zyTqjq5FkeIACK5r7wk4SSk7F+Y5r0Wf0DtD7yw1Hes0tW+MY7Ggf+qyflnTood7gQBMzKCEHIjbSNiK5oJk2aLuG/DRqiEowDvjr9jI=,iv:zoSMX/vALQPXEfVr9wCkyuWZNiRY20QmwpdgQ6RcNm0=,tag:1T7yeYFVnz5EVNzX2xqIlw==,type:str]\nssh_host_rsa_key: ENC[AES256_GCM,data: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,iv:P2cvv5rYpU0Lw/t7vWNFt69BfrqSynq+HIWBPStTDVg=,tag:yLFsFeUuAS4skiyxq6iY6Q==,type:str]\nssh_host_rsa_key_pub: ENC[AES256_GCM,data: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,iv:8sTcuMhrL1vYoOtUo0evChQvRibXP13dr+wzmXdYT5Q=,tag:R9BMCVc2Jzlbe/eh99oG9w==,type:str]\nsops:\n    age:\n        - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz\n          enc: |\n            -----BEGIN AGE ENCRYPTED FILE-----\n            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZd1MvMDRXWEx2RjhIN0kx\n            dkppMkNkcFJINmsxVHRpT2U5c280bkR4REQ0CkwzWjJweUVlVGJ5c29HaU5uaE5y\n            MWtzT3NMR282d0E2UGp4amhTY3pSdmcKLS0tIGYyaCtOSjRTQSt0VHdvVzFOR28z\n            YmV2Ymg0RVdRN1ovMzhZVWdhTXdkRGsKYtfVZ4vLFNDUb5lzzQT19IAEVpn2P8RR\n            /cfxNIQInQltIHb27ViHhvQD7qa00a2Rxk51rsITqY6GuNzzW8H6YA==\n            -----END AGE ENCRYPTED FILE-----\n        - recipient: age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h\n          enc: |\n            -----BEGIN AGE 
ENCRYPTED FILE-----\n            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYcFJiTUhPbTNnUGRwQ3ht\n            Q2FPeWh3SWR1c1VoNlpuTTBFR3RaNzEwS2k0CkpUT0twZjU4RUpkNU1IREpHMVJk\n            eEZYb1BpTUI4cTRmVVVNakpXV1dVNWsKLS0tIHBCeFY2eVIwdmJPSW81Q1VOTGZF\n            dnF2NDQzbFprVHJvZm9iRTY2VW1aazAKwcJBRgNDLbATp00hEoKAibC3yAOoNGqR\n            0ZYcCMbUq39iJ6zcWlMSZeC7dSa/njFky9s+NBJhBiUG/QMtMj9I0Q==\n            -----END AGE ENCRYPTED FILE-----\n        - recipient: age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\n          enc: |\n            -----BEGIN AGE ENCRYPTED FILE-----\n            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxWmo5LzFIbVF6VG4wM0VK\n            eTJIdHZKODNBby9oWWphRVV0NXlYZW5TM0Y0Ck9KdDIxRU5uZXFPbXVQMXBZWC95\n            S1duY2prOWtZYVZuOW1UT3NTN0lTc1EKLS0tIHF2R0RZbUkzVEdobkFYdVQxMW5o\n            TENSdTNVZFVVaTk5bHF0UFVONThaZVUKu3ljnmnNQPzG4riF/AoxUvLD5WggeuJ4\n            +l2VpDK3mJ6kgqeGJEReejWbNrK5+8xy4JIpnCLVOz8Xw+aQYIqbDQ==\n            -----END AGE ENCRYPTED FILE-----\n        - recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\n          enc: |\n            -----BEGIN AGE ENCRYPTED FILE-----\n            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByV25FY2I5NTRFMnRwZlF5\n            azVvRVg0K01GL3RsUGlTNW5yTC94SGNJQXpNCjRTaUx5azN2dDVheHVyejM0UldO\n            YWFVWVA2RFNJc2haSlVKWTNWTThwalUKLS0tIExXblhackpzQ2tFVjNaZnQ0b3ZI\n            WnI4RVI4U2VieVk2L0hmTlFVU1JpeEEKWoiPuEqy98Dt8Zfm6x3OFZsDLahKu8lZ\n            wZT6setbTrJvNxse9JHdX+2dFJtuvgSXB6nKJEKtSoZ66VoOSxumoA==\n            -----END AGE ENCRYPTED FILE-----\n        - recipient: age1zxcssfw5j6dwvcw25tmxs79lq40xk70h2s234hen8pkpte2qe30q9e7cy8\n          enc: |\n            -----BEGIN AGE ENCRYPTED FILE-----\n            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqRitWS1NuZzR4cTVZdWlR\n            WHpKeUM2bDc5QzJWeVp3SFVqZ3dqQzIvU3pnCmpFMHZkZVRabG5DdVFpVWVHOUVO\n            aGtNdS9yVXBNZXNhaXRXSGYvcEMyRmsKLS0tIHpWaGI3RlJ2ejNtZ2ZWODFyTU1i\n        
    Q2QwYkR5UTM1R1VRb3Bkd25YR0JaN1EKIo8ZYsima/nn/KySKoM5YW4K6tU343gu\n            qMT1NWhA314AA6VKJPqTDI8KcEpXlMYGDUYE3FEDskEtVvrW9TkfZQ==\n            -----END AGE ENCRYPTED FILE-----\n    lastmodified: \"2025-07-10T15:57:32Z\"\n    mac: ENC[AES256_GCM,data:MaNK5I+LpbEa+Qzb1VDAOnji6Bq0s/h/iUdQVh+DkjJRy6pxDazPfhRBIBcJni15yXP/ZnIiMDAge45On4BnlYCatCz8iq3oPiEZUHjEAIk4gRzR5v/C3obv7zW/bU8+TqlgXARXxvsmufnxhCNGl3OjDp9/JMLbjJS85kkZTPU=,iv:ymHmDCmcwh0PxdrnqhiUBefo6cF7x/hEvHvutT6cUVY=,tag:QOv3c43CEdZwyEay9vRc5g==,type:str]\n    unencrypted_suffix: _unencrypted\n    version: 3.10.2\n"
  },
  {
    "path": "non-critical-infra/secrets/steering-email-login.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:6HuH7cd9L5HukedZjqtG01fUZ2T0Y12dL0aA4rrArn0v7wgXRAsckPIy3Eir6lM1+W/I67IzuTr80/EbXw==,iv:Ou9+VW2QDDsbIv++W2I+optMU4sFXLlFrMKI2mp97GI=,tag:9Wv3Ja34Xq96seyJCDYPeQ==,type:str]\",\n\t\"sops\": {\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtQmgrUlI0QTFuS2lQTUJ4\\nUUNsWWVDaWVqV2tDUnc1WlROZndKM0UxUUNZClcxNFlESzZKL2dXNGhEemsvaUF2\\nZkxKMkRhdzcwOFRaaHBJQ0FWUXBHSTQKLS0tIHJJdlFYV3pJbjV1K0xncWRFZHlM\\nd29kL01ERzR1U0hNVDNMd0lyRUJ1blEKu5rOOmicxE8mSNOuASU6EsNN/PZt2t6r\\nAI0ZopuicQMz0rAt97BfAI/eDChy4LYgQwbSaKCvrMuqtKrMHJn4QQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByVGF4TGFiam1tTXphQ21Z\\nTGpZR3lpQUx6QmE1bmp3bU1ycEJWYVhNUlJvCmRrSS90a3U0L3ZNMUJZbW1FUG1M\\nY0FPcnJsWWFXOEs3b2RERHp2Vk1sWGsKLS0tIHAvZGwxSUJtNnloMUdwbHhCSE5o\\nZldUL2owcmd6R1ZneGwybFJ6YldLQVUKVZt7nX8dv7u8PC104LhNOVpD2ENgfxJD\\nKnHM6jYjEiUgiBlI6OkzqGjd3JfBy+ZSq4MCVxy043ioEiuix7tPAw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvL21teExhTWs4ZzNtN2V3\\nemlZa0E0VFRSWVVMMWV4RG9NNkcxY1N0MUQ4CmN2a1ovdEROUHh1YnJDdDFuaXN1\\nVlVKMExnWTBQQ1lWSXJLaGhhaFRJTWcKLS0tIFZtYW5zVnh0MFpXUWdHYkVIcG40\\nK0RPYmJiNUNGREZBbzVBbFN5ZnNaVWsKj1S/JK4U46X+8tStyynKU0RCWVBOpT0H\\nOkrYrjR7vGlEtBInwyaGqAiD4kTP8AwQH+l/gIYj9J4xt1XXycbe+g==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE 
ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxVldVSjZBbjVySG5SWStI\\nMUlDY0RWd2dYeTVuZXdKZ2Q3RHBmM2t6SFFvCjBnK28vbzR1NGhldWRYSkpUV0lq\\nZ0xpWG9ZcWJLUmUzZVlrOUIwREp5b3cKLS0tIENIRUFHclh4SHJRZU5RN3VoYzJB\\nbThuNzZiZEkyazNHR2NlTWh0c25sdEkKdVgajd2/UIiZ3bjD6AdbVwFDryU47E1Y\\ni6p/v3ofRZyS8pRBO4sQ4azVne3T8dCAX9QFryKO3/tVVCDn3au8Sg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0a1VzOE5IT004Z1BzK3RH\\nM201c24wU09LbEx5dUZ0alRLRGt6c0VZbkFJCm1sOVJMSHpXbWhsay9WbUhsMEhY\\nMjJBNU9WNGQyZFpLOFExNGFuS0E0eHcKLS0tIHpCVk01U01tOTBnQ1J2Nml3UmRn\\nU1BmYjBtMWhYMkpLUjNtUVlqVGI0OFEKk5hflv7MwXVlrakVxB2HCgKgzG0m61T8\\nxdMYn0rOKvRCbgHOFiQYHzdH2arP7m5NmX5Ud5arOB7SsoqVFpRpCw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-08-15T17:27:12Z\",\n\t\t\"mac\": \"ENC[AES256_GCM,data:j/erCdDU7QEHuUSQZHEmvtR9FX2ULZqs9RKoJCcEdt7OofhkJz7a9SWJJzlnOWIUSI6DaI47qeseBmspB4hsXtuDjOpDZQdEOt8Kwb9vJl9bJceWeb1nK9LsQifWklbIkEWbw1UOvVQMa+3c8ZBIlsAE/Omdjc3JnK7cL0ue4ls=,iv:TOMSbsfDVzFY0kKVN4YiCA3jBNv+cowrL2XXUtaspKk=,tag:bIKYmakg3MQc6Pk6On50zw==,type:str]\",\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.10.2\"\n\t}\n}\n"
  },
  {
    "path": "non-critical-infra/secrets/storagebox-ssh-key.caliban",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data: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,iv:6vxychlAMRy65WUacdiuSrjmqytK71E5qDgBrUSQvvE=,tag:jqFAPHjjmN5UOWROSWhUkQ==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnTkhLN2YrWi84SW5SanNw\\nMWxsdGNPT3kwWnFWUDE2WkQ2Y1VXSXdGbkdNCjBndEExZWEyTmhaQUY1YTdOcm90\\naHp3ZjVGRmxCNkN2aUpwMi9jdkJhb00KLS0tIGFNRVhrdWd4M2tITHE4ckc2S214\\naW1HTE9sOGVndllSc1JmNFU0dlhTUWMKWWAnfNKuEZAZVm8XLNwsTD8BYIduft/T\\niE6iAEImAYAhh6ta3noy4SBRDDULtjrHWWe/cnBANSairr7/mURb5w==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTUU1Ib3pIbFZxaVNQbzdO\\neTlidUg3djhSMVYrVnNYWW40WjlZUjFISW1ZCkluQmtCTStUNklFZUd3S2JraXl0\\nYUtUYlRBTCtIbFAyS09KK1VSU1RUOEUKLS0tIEVFVGM4azZvMHhHMWl2N0cyMktp\\nVkorcFZZQSt4V3k2M2gzM25NRWVjVVkKaqOmksXnveU7Sqa90X9RQtHzBAZCYC5Y\\nJXfhmmIb/kNu62gvgErM+uel6ptg7uA4STSy+uD9Hr1C+v+sLOiCAg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1qlwzeg37fwwn2l6fm3quvkn787nn0m89xrjtrhgf9uedtfv2kqlqnec976\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArR0toVUJRclJJUG4yNUE0\\nb2YxdHorTnpHT2UrQVhkbkEyc3AvU1JJdlRFCk9xcEltUFlVTllRb0Ivc3c0b1Rp\\naGsrQkI5V2NYRndaVDFGYzdqWG9Pc2cKLS0tIFlrWmd4NWlMV2NkRFo4aERyY05t\\nbHd6QVg1ZElyRHIrYk1XaHl5VmxERzQKDT+Xsh7CTmSkQnanpFC2XwE1V1FmOHKy\\nmPWh5hDQ3MZSK1x4WSsR+e0D1n6Amc20sa8xdrJ8k29qpN/1cm5PQA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": 
\"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6Mm94bk92azhCQjk4NWhH\\nNHNnblk1WDkxbzFMRDR3QkVOSjEzcHo4T2h3Cm53eVlmZGNXQVJUQU42SWtxeGZ1\\nK1oxdXdYUmhRNTJjM3d4N3lTazJTSGsKLS0tIFh2aitRZlc2ZW44TEY3NnMycHFI\\nWU5TTEFIMFBuaktnWHNOSzlINjlBbGMKXmeO3Uinr4BElDXUJ7wI6Ac7ZF6lTWxQ\\nHb5byJRcd0pki/o/SZNV668eENUWKTRp7/PrY6p11cAHbrG0WmDggg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2024-01-29T14:55:03Z\",\n\t\t\"mac\": \"ENC[AES256_GCM,data:qU7d9PVk0MYn94O6r+7dJmtvzezW3Acj31hCErf/9qiqXHtsOPlX9ubzSXWTrctVtSmty6IUUjLzPTz1a/vppTKCupaeEhHNZlGkBDXE5d/xJKymM5cE9g067xDI6dwXorYZzKK+SAemJtkzTDIpQNxt9R/pyJVXiNDfG7OqEbc=,iv:EwWx1spY/tAgVuLdSjVhq+x7d3gSslAzXFtcEEhGUgo=,tag:l8gwt+wXZY6fFdraZb/sJQ==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.8.1\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/storagebox-ssh-key.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:ck7zFaw/7DdelananEIJkocwS3r9k8OiI8jRUPChCdTzLW+5MJcxfCmx3nT++y/Av1S5bf+nMNKJ77Q0XtegQ1eESKoIrf0EPb4Cbvg4/zVxkqcRptaXmCSuDgLq0bj7rtREvmmJ4ZhOaLTDf4mxgHof/11iOL4SvrjEbVuNvpF0k+F7wZyF5sOmsMxFzC3rGsKhwQ2VOffxmrwYqhQAi97/Crmq8pDexjNPBc+ilJws5IRZqZPucQF95EdwUhsZvd5jY+9ls7otYvjqCpkHLzMrIU08Ur4jq2VFXvffbbMtfumDk29lOomFFMj40gpIliMtc1Z9RQDRXHHDhKoHU1Ui5Z/5iobftyiBytAYNgxbJpD7F2xMeYl+DlmEK9kaSKIjyiuBQVgKbDdn7fDIVGMNbLbsDU9+WhAptO+qUkHxfHX4rJn+t1imxcMp+vilxcexbmAJ6FjwMe5qhLb+bAhhH+hxHQNLLVfR+C6rqH7ni4k2DeUislGEndhmA2j1eZDnebyV3asRkmZFr7o3,iv:jfFUCPTgzdTGV0AmPAqLMtGpGXG2fnfWNadWw9h/ELk=,tag:tNEdNvxOY3JGq158TFj+og==,type:str]\",\n\t\"sops\": {\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRazJhYjZlT3ExTGhSTWJM\\nUlA0dW8zcjg4QXMwTEtKa3BOS1RTdE02R1ZFCjg2dEk2SFJhd3liV0tIYWRZREFH\\nZmd1T2Y5UVpzc1JrNUt4ZFpROE00OG8KLS0tIEdBamllNkIrUm0ybzh3djZWL1NI\\nZGRvWmNsQW02dENmMmVKVzVQNTl3bzQK4x7OmWlU4jYYEwaERYZm/D9WXYo7BfJi\\nKxXPOYiMnU+OVD8Vc1jyR/E1GYmudJIZGnuvhS9SgzeNHcsaRaW4Pg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvMldDTnI2QTZ4YWs1dlY0\\nMTJnSlBjUGNIMllzelhkZmlMZnc1V1k3N3k4Cm5qeUExdFQ5WDFYYVBRY3ZwcjBi\\nV3JwT0Z3SjVheDFicWk5VXpmV0F2bGsKLS0tIHRxSndYZ0YxWDdGczBwKzMzQ1pU\\nWWxYZDNwQ0ZNZ0hRa1FWY21LdWxuejAKXrmbpP+Kkud7QH/tre7909mtAkI1hR/b\\nzdHIim18Qx3eETs2rk3qic0p9jPTWW9XWaN623NBjpwezpXOFK1B2A==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED 
FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvTXQ3N0hPWE1BckdVWmN0\\nd3V0a2JBZTdCMXdwbDlYZnc1OVZ2c1VkeUZJCjVrVU5kWUEvU3FWQ0hjMThQVTM3\\nVE15Q0FPdWhhSUVVa3MxU05OTFlaZm8KLS0tIENnekZKSm0weEhqK01IQ2dRY2Vm\\nNXFLbUxrREs1WGZ0L3VSSnExNEh5aFkKQLhS7k/3LoJhcUucaVwrn4lhTYKcRdM2\\nw1nQOvn7YhLY1km2ycazgQVWMq2+/fz4YQJmSKmiUuRblIv7f/w6Nw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHUTA2ZjNXK2RacTU3d05Q\\nb1NuRXNWMTBZd3FaWUlHNTE1d1Y4YzJnS2hJCjQ1K0ZMTVhoYVFlYU12YVliTG0w\\ncXdzM3lVWklSZlp2RStIZU10SUJsbHcKLS0tIFZaSHFHc1FBanlKa3FvbTk3cFNN\\nVTMzYlpsR2l1YTB6QThuaFZFUFVPMDgKvVHujnT/NnkHd81DRP7ZQjFpsvZPtDUm\\nI2xzyRM8WleLIE7prYvRSo2+KKepep3GS4UnIQD5mEeX+scPCZW6Xw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoZmtldmJwZDVjVEdkOWdq\\nTUFaKzBDR0lURnM1am5qMDFnYXNoU2FLYTBBCk90aUlPem9Ra2VYWVVUelQ5THd0\\nWjRKUzQ2NXpmMng1Sm92YzlQVzV0bjgKLS0tIHZrRVZROFltVEVjVWJHT2M4S2p5\\nYnVBbGM3OS81U1o2UnN1MmxaRzFaSE0KAljGmWJR/KG4HcDSMmtEWEUpebvC0+vI\\nk288ScTJ/zZqZ3IztpInPmHYdzqVJxnp9OnHxvb/ShCvVgRKOUoXkA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-09-18T18:58:36Z\",\n\t\t\"mac\": \"ENC[AES256_GCM,data:M9jAOuPxEL3X+WIUeZoXuDXIFF+ftkNg6FN2u+HhEV+dbOVR1WFsYe7zxIvjvPq2GwGpzj1lKwZ6pJjmafta9dIMemHhkDdUqHZSexpUqx0p6ML9XUJEzcC8euu88wGlq2gxfj24QXAkhd+mHBRqJxdJKIRYDZCSll0DtrvDSSM=,iv:DbhKGx5MU3R7SmIrGEo+/fg8F2sjWI+kk0bShsyH2TQ=,tag:2VQA7/OddGGRcROXDGzenQ==,type:str]\",\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.10.2\"\n\t}\n}\n"
  },
  {
    "path": "non-critical-infra/secrets/test-sender-email-login.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:QrqhPVcJL1Q0VttVaPQ0fNuHdYyDXnSRy2EgWm/P1YRjBGLaSviwOCscYCyQw8Q8CqtPyFt2p4ddhpqueQ==,iv:ydnF/JhFy5mNDHdm/GJeS2PoRpQvAgRfFoumhCLNKsg=,tag:3zSqTVXmf2cl4G97lcF8og==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTaTlvMm5iR0RlMHFDMEQw\\nU0ZhRUVwOVlXWVhWSnJmNUN6d1lsL1lOUjNBCjNoWFI3L2R2dnFvMm96QzU2cENJ\\nY2RoQVcwQkRYOVk1UFNqZTdTV2pCS0kKLS0tIC9EZFZISWFJQWdTSnpzQ2xFYkxq\\nS1cveHJuOVE4ZmVsUUEzRGRKYWtYZncKccTmgBe1sdnpMYnTOV4gAUEBg93Blg18\\n2gfJl1NUszoOGVnUq0HIVi0PHCFb4imMNhbF6INv0eQG5OPB0ElOig==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5U3RDTnlBWk04RVFLV2xZ\\ndU5qWmJiT3lPMW1UK3I1TDljWCs2dldDcFdrCmRDRDM5ZnlrTm1NS05YQU1PUTJS\\nNjlWYitnWjgxMzI2YituMzJmK2w0VUkKLS0tIHhPc3lYR1c2TWkzS3NFcms5OGQ1\\nMHpZVmFmZ0owYmR1OFB5LzJqZGx5UUUKB2j2Pa25K4rJ0PX961R3KBA3UZyOXPJw\\nBtuyuKUo7Ro9oOVaIiezU1Z6ii8CY/WVrEpTRHkHbYSTOAZcLKY/qw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvK2REWTQ0eU9OMHZ2aWZM\\nUTVQSFJOMHJrT2dwWSsyd2lsWVprMFFWdlY0ClZHc1dFYmJmY1dVcUJ0R2pKU0F0\\nRlViQlZDMnpVQWMwZlg5aFEzS055U2sKLS0tIDhYenRPZkpVOWcrREYvUllrQnI5\\nQ0U1a3R5R0dhTHhvYWRLbU5GaXh4UmsKJ23a/61odibLmp7UnbmiSkEwTErMlur2\\nP1AZgvI1YZGaRo0211s5ffcV2fvmEuY3HxvIHIhby9HRC4B8wFIVUA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": 
\"2024-11-10T00:44:29Z\",\n\t\t\"mac\": \"ENC[AES256_GCM,data:VNo6aIkTOxKJFq5xxIo0IJV5bzY+Za9IZP0xuGqSJNj+/TwIV5VTVjMGmQiLB+hPX8ixXcpqAflO9KlWAwxId63dtnPNlGUtOp9ys03zV+QSv0ejmAQrGg4t4FkHxIowT8YLXAw0an0jQU1AdTU4kyoL8jY6Vz2y76FDqw+YRyc=,iv:XEILC5jtuegGkMm3dyMeaZ3RBixB9MWst3ncTENvMDI=,tag:8+FDT7M0MVie+dBGLB0S8A==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.1\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/therealpxc-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:g5501h94jFz34M1mx3QxZ2CXCRrPRg==,iv:cq7/f+RIDwwtWpKWBNBLGR0kWPpl6yRMo7Uq/wOMy2w=,tag:k9U+P6JLijjrBIXDB81rtw==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoUUluT3JIRGRmQ1NhZW40\\nOW54Z2E5MWhLeWVFeXkrTVRJMjRJWE45cTBNCmZQMUpQZkF5MDEvY243OUlITFcy\\nU1NaZmdxRUk0c0xGUTV1UXlmMTZ6UkUKLS0tIE5LNGxHeTczb2Q4cXdiR28wbnIr\\nTkZuWElyZkFsUFkwd0ExNGc0QTF6Q0UKItz54baQWvLEl2TWmAoiKInbQvW1VRjT\\nNZfuFHF+GvfsM7SikMK/RW/gl8s1CDvW8XUh9/dDPnTiNW7cQ2WVAw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDK1ZQcjFJUGIzM0dpSE9M\\naU5QR0FnQXVJMU1sa0dpZlRqc3c3VEhISlgwCnBYeE04ZUVSQ1hTdVFOSzBvaE8r\\nNXd3eUlQUnZzLzFxalZPNjdSWWhkWjAKLS0tIEFmTS9vMW45THFMelJBQm91eUNR\\nWkJwdDZ0Mk8zay9Ib3RVV0lHMmNneWsKCnsQZ83M/7Neu/LfXxX9wftpL18gbM26\\nzBqMBlzCNtjseTVxPFJfFPEhlN+8yi7xyJHyo4sZYfcbDdtLliAtvQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqVDBmTmRqaHlaNHRRZUpX\\nakp0M3E3YWh1ZE9iQ2R6OVdVTTdFN0Y2RVRJCk8wQnBTL3IvS3QvbkxuODc5R3VJ\\nOEJUQlI4UkNuWjlBNXNkYTRlVE9TcW8KLS0tIElZZ0lzd2IxOCtuM2Nla2MxeitT\\ncEllUmsvM3JyWnFIVzJoZHY0dHVTRm8Kw2RSXeiU7qVS3cAeuC7GHhXG2REbCdgn\\nrKfVGY8z5/yCNE0bLmErRRNIy1SU0ozTNriatLUOWZwD7KcK3TnZ7Q==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:01Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:Wqg3N9V/YDERV4zNWoSqBTLC8Ice/W2UARHx+dOxVWGhBRUMdKNNatdsHVaBOYonJX/+Vnj7uNW3LbKMwzCDZdDyJuOXe+xNJ4Icqc9M4JCaVS9l47JSxiXhahQymZg3Xxq0Gbb1sd49I27Y84QgtWIzwnkWT6COF9NmJSL9kqo=,iv:AAmTF/0+wws3mimFwi7ZOqZd5fBxg585/hCkVnvQRUo=,tag:/Si62TyNF3pttks2sWPtQw==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/tomberek-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:mFYiVP1zOpwrmVB6jpahJszs,iv:EjgsCBuO67MOjF5DuoqO85n9nC6Su3yj3T264eMpPBc=,tag:1uxwCx0Y8BwrlZU+paxAmg==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0MTR1Um5jTzdWWDF3RS9n\\nWUc1YzBSKzRFVFNCOXRpL25PR096L2FjVUNzCmo0dFVKbmRIT0ZER2R4TGRKWXRL\\ndTRPaWRvbk5TTHRONTFNZXZTWFo3UDgKLS0tIGFBNVNtUUppVVJWN21QbUo5VzVn\\nb3RjTFZkM3FZYXRWRTBPVUZ6aVNFWk0K5ypbBy0SdPeRxYDtfrgFfGFUp03et7kr\\nxZxLvtaqjJqbNHKS2e81ztRaITLORo/WJ2XswK8wb95EbhO/1wRVRA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsNnNncUhneDc4MlRpRnBt\\nUGQ0eEt4cGdYM3BhcFFvd1ptNUZ5V1BwWUhNCmZNOWZZUWVyeDJlcmVDUTlOY0I2\\nWHFrU1FwODdSRVZIbzUxaHk5WGRuelUKLS0tIC9MaEpyeG9hTGRCR1ZyN1VDUlh2\\nS1pUMVRCSEkrUk1GRkRYaHlkSnRRMUUKuOhXQwxO2kJSmT9RL6QeY+zwpsppgNkz\\nF1nyO1t7/mz3eXg8ZSLAUqBonGwQhfzttiMZcQg3hpnMXL9ZHhnGhg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArN1BsY05LZCtCc1VrQlpH\\nbHBiTExHTEU1SlYxTlQ3VHdWaTN3NXQ2OUFZCm10bVBUejlvMWFoWTZrREJyMzVT\\nV3lYVWxsQVFqdmpxTHRtcDJrYzJHU0UKLS0tIDkrcVhyZUhFbDEzT09uWmxWV3l1\\nbG1uUDhGOWVOeXVZVGNObDB3VkdSazQKwMv653rlOTE/kXayVKTc388mTdZXyscU\\nXdI2fVCAldknvMErvCFFDp+8BTxvvqihKrHLkrvK6SYzbIyM2fuM6w==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:30Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:92X7qT7ya4E24T22eETGZ8++S6f0bEJ14oyTHb1Q0ukaNLu0a0HCPrfQBw3KQFT+Y1SvrFDOot8PQIEpeijKMsDvzh1OqqhVVqSUHh98osLJwW0yMA7E3k/Wa9LKtup5/ZNIrstd0fKYhS/QVZXVxzkjddRYk8dhy7UdjVwZns8=,iv:D+/vMYfvCYIP5mcu6VLtTMm7bwZ+1lyQ8G8OC+Vo1xo=,tag:C2cassN2PStNeXf0xNxVUQ==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/uep-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:iQM6Fk2XZdQww6MLaMzd1+NlzXerV8Qv1w==,iv:HqTeo3Ad5eW62H3j5Ej9v1WzB5dMiC9OOGEQATO7OGc=,tag:1hzAv7jQ+crr2swvSbfXtg==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzQjhBd0dibGNhbG9hQnFB\\neFBwUUhoNUhEV2hGQ2s5aXRoTUNyczEwZlFzCld1L2lkM3k1bWVGOUZGekt1WDZB\\nYk1FbFF2aDA2NjA5Sk9tOFFOS2VZNmMKLS0tIFFGUWJXakx2bitKWUU4QXRPNEJ4\\nMUN3ZXl3WTEyMTRGZE9VN1dqeWF5N0EK1OVsikT8NJkEgzivoNZVeSehYgg7LxH0\\nBR+qt5HztP8wh7181BQniHHsYrmW/NG9hAE/lWaWVMdEXJp7Af/otA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKMTdOaHVvVENpNUJQOHNh\\naUwva04zaE1HSUZDWXZyWDU2R1c5d3U4TzFJCkMybVkyd1hsc0tKQjFCZnBaS2Zv\\ncUNtN1ludkhBSzFLbVl5N2FBdXkvMmMKLS0tIEtJZzFKb3l1enZkOTIvbUJ2ZVps\\nZmtuV1JXaUhJL3dGWjBIYnprY2JZT1EKmr6klqS9VHCQ176Fu8+W+13eWEhi/fJy\\n3GV3Ayj7na4LLrKVVbzC6zzVzKhBu3KAs+yb38VHybJm/dXByPcE9Q==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5dVhrQTJ1ampCVHU0dUU4\\nSnozSitZSFVTYmxvMzJDWWZtakdWQVdoOW44CmFncmxONHdvb25XNitWZDFKa3RI\\ndEJIeUpsT1FGTnJZRGQ4NTV5TVJ0OG8KLS0tIGg0cHM5cUtSRUlQbFVnZjNlUFho\\nTk5pYUdwSUsvb3h5MnNyVDRqU2xvbVkKsIgJCvvqZMRjZw0Z+CERcuGfpib2IKOM\\nba9//ju0Lxdc3diVBakFzXWaZVDP6ww11P7Z18Ciol5gHh+J8EnhlQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:04Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:hKITtyGY+mQS5Qr3D5x77GOew9OXw4C+ha5EIjJJZqq+v/oUdp0ao4KxgRevbqqXqjSovKLt3qF+KFrB1+HmP/WN8FBJzN6L+K8LP+DVmyjB+9tkQib4jXwp0sYDhH7eOTmgnRyzWcBSBOwApmscuvt9lvQlD4oUK9BNMQArB2E=,iv:wT9DNjqySCKuXfDPNu8c8i7Q88XGr0t0njDQPQunKE4=,tag:Rpb7zDHM06FXFJasexzLVg==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/vaultwarden-env.caliban",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:5PPXJqE8FM9QqqqnbBM9UbQMWMJFs7/iJ55RTTD8Byl2++h84UdzuOcG/9X6nWeZPcdi5YalrDJIhcRgSQ16x1oSV4Y2YGif62NzfCCZHNfkOO0tLhx4wlHD9QtZHDxIYoLZ/5TMvg+usFq6Y1s51x0ofigZpruK5sVhlnFAotK00FbOov98JHO+MJKZtF+E7Gtj,iv:KvhTmOSb4+A/7p4WrkEf3vzRm7xrIHUnMQACD07yPtM=,tag:uU8IBYdIlLXBAEVvx2DKBA==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1K1BOVU40RHQ5TjVTOEs4\\nRmIvZW9ZWnJmN1BrUDZxQmpzMUpabzV0Zkd3CktFcFcxdkJOcWRPL2FBKzRmb1ph\\nbHJwL1hHbFpTNXFnMUplc2ZPcUd5RHcKLS0tIEJyUUhSVlBPZGlUcFZPUW1RS2Qx\\nRnEzckR1N1JZOWN0bUVNWkFQajhVUEkKI8jb+DCqnxr+6AfzXBte4xFOdscOyBz0\\n1a5fS0FQ8+Can/MGGrpL4q/xPbhzKy1lUom2/kehYWHmJ8sHwJAGcA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1qlwzeg37fwwn2l6fm3quvkn787nn0m89xrjtrhgf9uedtfv2kqlqnec976\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHaDZaVi8zZ2I1N0FpblJr\\nV1B4R2pEbHlKWml5eE5Va2kzRUV3TVBnMVIwCmJQbThKc05xTkR0UEM1Qjkvd05O\\nQTh4WmFRUXJMS0M4TEhMTDNUUkdNOVkKLS0tIE9FaCt1eXNVZExJTTQ2STY1aVhF\\nOTZ2R2hsdWwrUUpadzlqM055UHozTVEKntJdbft7gNl6W9OrJOpHfe1By7CFvzc5\\nyWvaYknU3j7nhvxarF6f9rt8upPUueGxyDW8HZXrR305dYNLafH48g==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED 
FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQMm51ZnFFSE42Q3pyQ1J4\\nNEt1S3NRczZTU1AwSDJUNFZxaGV3d3p2VlQ4Ci8wZ2R0cWFnK0NwTUJwem9YQ2ZC\\nYy9lSDRTNGRPcVpwbHhBemtGV0ttSGMKLS0tIEk0YTBUS0UvazdxbFhxd0FtdmIw\\nRFU4ZWFJZGd3dXArMHlVRzd6aXpzTzgKzQjjkmUsVJkeLAgZQ4/1OD2bgPTt9RRx\\nwnTsJ7+0KI5NYMmxgrvcw5Wcrj6aVsIJGZUB/pDK+xfjmkZXI1RgYw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFUTBvTWY4VFFsSkdsWGlD\\nSjBLRGVoWXBMbDRRRWVuYnVpaW05ZDRvR25RCjBTNmFkM3ptZTQrTWcvczJQWUlT\\nbFMrRlZjSUlFVDlsWVRiZzZEK203QlkKLS0tIHE5Si9mYkpSRFNQa0J1ZXhvZ2dk\\nSHpNYldXMjNHMDMwV3JqdUQ1Z3VZWTgKK8pb/aVyhvX5xPlcz211NZX3/sxGO3ff\\nL9uC++BcZntVyZiY7mDn1bqXFjdqKa4sLAbSqcZLOPaY5DA9skdpsg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2024-06-01T18:35:49Z\",\n\t\t\"mac\": \"ENC[AES256_GCM,data:xw0+obDWdG//sTEDpF857DCVkisLUI4k088C3dbjpHgl8O7IpnUqk1yLivjM4jPcNqhW5Wrc5h8QJuy7PkXyXETz83+DbjPXiOUnuMHZQNgVqg08VnYzvwQ5FLRm9Bn51mrHLOYMaXLJMbKQWlxS3lNreLDycJGrxm+KTE6VskA=,iv:B/ArtyQffyoyaAZe9zE/p4B/gFGnesCa+lXRhxjd/Js=,tag:U32JBzTvWpfZ6zibtnuTYg==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.8.1\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/vcunat-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:+aa6Bj/eDk/Zx6FTU2Rh3w==,iv:fWUXCuTb52bfW45l9pZRIkpg1K4yUYjYmk3ezhbVcTs=,tag:PDR3bkCZNgLwrbibj6iVmA==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPV0dqUS9NQmFYWmFZYjFL\\ncEc5b2ZROEswbzVkdXVEOWJ3V1Avb3FzN3dZCkNiUDlia1B4NE1EV052QjM1MGQy\\nUFhsSUFaYjV0NlBCc1BycUt1TDhHZE0KLS0tIDNNSEVybW5vQllTSDgvaHJiSjAx\\nK0NCa0hHSFJXd25wREgxejVEakt2aFEKhagkza49dDn1LXlg4fUfmdPGOVO1wB2v\\n9wV+OHFQOdbWl1QKPhE2TLRZt84Hbv4uuQaXl/aJ4sU7eFOhNlcJDA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqU0VIakZjSmkzUHV6MS9B\\nK25RMUdqZkREb2MreUFZSTUwdFhiRjB1NVFzCk54NGY2VHZJM1gwSEpUM2l6QjNZ\\nRkwxYWRWTnR1ejlkcTZOUUQ5bWZlZmsKLS0tIGFJck1ZczFrSUJ2aFZIR0dSems5\\nY21UdTl5bXJSSEU1MzJOai9icXd5cU0KNaPF4uhJfLBQMyxaC6/VVXZuzj7ySTr2\\nkxXkT2rQcQIXkd4KyBPwCPieY52n4lmNQYwKiO9ycf5vq70nZOHGVw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKc2VBQllmZzdCTE12VE5s\\nNks5cFpxSm14R2Y1Vzc2SUR2RGJpWjRsWW1NCitpUjFXUm11RFlNdDB3dmhHN05H\\nNUJia3NXM291ZHAweGNPM2pydk41a0UKLS0tIHZKTUF3ckpuSktaSUxqWGdsWi9k\\nWlpNSlEzbHJUUkV1YmJFUGFhcCtYTG8KFkJKmF8R40yfLuBwgWLXVRY9lVBVYU9I\\nR+nj+9xNLb4I8PYqE+qeQ/Rqm8p5UQuEaeXC7VoPHFZwJ5G6KWyhAg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:53:58Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:ycBM+SZZmzjmVxY9ODYApiVz/7TvDvf+8KioA6TbfIhdsjfupG7w70W7NrBaqIhBKtL2F44fwHQa6hQ0umwqF6H9ALHZetXQp3WFFTcN7IIp2tUEOoNe6DQ6wWFT/wqPoPB1pNBcPZjiWeAn3+yGzOXVg8RXbpCXugCxEm/WCxM=,iv:cKm4T3Syse1SUGu+IpmcepxMC8ETxWZZKdDYYorsPio=,tag:pBjx5C4AKqzT9IWQpeO/7A==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/winterqt-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:GaqqJ535lfLVj+gQth9zpo0=,iv:QNau6T2abPBkd02Q+xg0HMP8HF1hA1HI6I3HuSJ5GHk=,tag:0W/RMZmkn7uMiJZCmJ+mQg==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5N2hZb2dXbk1zTEYrOUda\\nSXZzMkxqaC9wRFNGZzBzbnk3M3J1TVhNV3hNClpPalduWldsSlNoa2xxUGk3RVUz\\nVEZxUkV1NFQ1eU1wd1lLM0hQc0dubVEKLS0tIGxBdHF0TGxxVFExUmw1dXIyN2ZM\\nQVFkeE5LTEtoMmx3SFkwSU10bi9YRTgKtBAtzERSghfG081LWDen3g2asRCOqki9\\na9pIdnn7nPUCA1d0JYd/+ydKENZqi7MmRrqRVe7ahKP7gTEJYPBVmw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqaSs0aWcvTW1oTWh5Misz\\nUzR0bWdCV0RLMGZobnlDY3JmZS81OWpscXdRCjcyaU1lUmdQeHVjL3JsdDcvd3Yx\\ncGs1RVBvTDF4K3JSWWhMSUNEZzh0ZGMKLS0tIHVMclkvUkR2L3lpQm10MkZkNUJy\\nVXV2TzRMZ280ZUtPNlRjVTdRc0ZJKzQK6DCNcmVHESA8C55fSuv4LzfSBOILbyqH\\noIIoGO+J86K9/jZxS1rAQUcm9vabnIdQPMVip/5uFG7NPiykN/6QVA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhRzBMUzc4d244aHRhaGQy\\nbEVwcU5QLzNIMlgvd2JGUjVsRklDY2dmdWgwCjlzeE4wbEo5Q1BjYWwvR3ZYVFlY\\naDZVd290bDRFZUlXTDRNY2FqTzFNamsKLS0tIFM3Zzh1SVExSW9TZ2d6dUNlWm5a\\nVW1VaGU1Y29iWmFoSUVZbldtOU1uRG8KVPqRlzOCYGhiNqJG098shKR5Vfz5PxXL\\nKSe/DteGWCtKTTaDf+vQxnMZYn27ZQ1thnYBdCVkDTZHcZJh8XiATQ==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:27Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:p8KIUyM7slHxJI5b/78KrGymcTkuV4puIYvTTllK5F1A+DiyU3D88NHEUAmMxuRovNgBtyuDFnTa03ozHD93s6PVP12FT5nUNI53UysQptcx6Pz/5UCKXx0Shzok2RGr8IfvxuV+Z03YUCoHEc6+rROzQmYamZDBRCi0ipLpNzg=,iv:+79HhdlGWJaERzk58+JI1YEezUNrVI1Hv+OT6yfpPCM=,tag:sbyc7SDrVZLb6qUL6A9vaw==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/ysndr-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:Y4YOmEBOaGquqDY=,iv:A8TPjKU97NEW4q2bGWMZcXZTkrm0eQCdwUgtxOMTyVo=,tag:Q/u0rcCpxEX4w/qwPjCWCA==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5cjJjWmpkT3NGdURUL3c2\\nOU10VFJVckVLNGNYdGNaaVZxUFRtUVJkQ1FJCnBOMHhjL24wUER3bk1heitXQ29O\\nTGRURXBlYkFiWEtXM1FoYTQwQ1RtOUkKLS0tIFRWcEs0cmJ5OGlxZDhGaSt4akNh\\nSEpSSTV4Ui95d1pJUHZVUDhWYmxxdUkKr+pfm60iiA/KPvGC+8/FG+k66VrWUe55\\n5wJWY9kaAiryufCOJ6MxusmA7wukEyG11fL2/pbVnyuTjyVQQJBncg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJM1NRVlZPbWZpYmdoaUc3\\nM1lxN1NvamJNci8wWWs2TlpTTWx6N1UzQmpjCkJaYXVRdWpFYks3RWNhcjE4WGxl\\nV0g0TnpPTllnR3FsandBMkIzT2c1cDQKLS0tIDc5VktJaVdoSWNGRmwyZCsrWnBw\\nUG04MEpWNXQ4YUMveHdybjZoZ0VoYkEKRyHiuLYrnkDhyBvatsGhojZJY5Zw93Ul\\nUZUnSP9VHEKUUeRden8t0GbDB5yaE07Ct38dutZBiKdwq5Ndd+Dstw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3SFRpdWxFV2s2M0xxNUNT\\nczlLRUtmOEE4cUpDSjcyNjQrbzlFeDJxRHg4CkZiWTlReUF2clRWbFhNcExkdjRz\\nQzYxcEZ3Tk1KYzdJK3Qza1lqZXlFelkKLS0tIGpRb1Fnc1NzaE9sMlN5Mk5ic05P\\nUlJxVGpybDVqNzJHOXhrdE1McWo3ZnMKI6TIXqZmjgTP6n6aIYqVsNRpDWveivk9\\nC1QHKDfSBzVd/T2GABTV6Z9eMsudYFyBte6cZOCRl2BKRLDKJii3cA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:32Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:srReKGtO+y3gEbo8QV7Mn+rlELqjGO5FBSCicBOdvZqhNMrhi2pjA7lcf2AOA/QADczF3wDIHb/sLfSK0jorHV6UxnnLsz9xiIja/I3PFykKa1UBVtT9rEoLB3B1J7tTdXmZbr13TC/FnoaDs5XqQ+HESp08GYCB1KPUUpJqhks=,iv:7QvEVhTXwy3cPBu1zTVYqHThxmP0Rq9Gfz4M4arbjQo=,tag:BN512LFyrlYGuW2ZNoVD8Q==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/zimbatm-admin-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:/B9q0aK0T58QAWuDM432j67GOn97P9Q0cQ==,iv:CmoZAWxAwhVICYChnnv+KJKbBVNBDsIsd46O7xbW09M=,tag:9M91PSeVYqjFLBwU29B1Lw==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvNS84ZGhEejJCT096OG9o\\nbmt0V204aS9ndHNoYUJQWFRXd3B2RXlWQUZzCk0yai92c09icUJrU0pZNlpXTzho\\nY3Q4QkRqTVdVdlkxOVJMVHpyNERYSTgKLS0tIFVoZDd2VWwremR0NzVvNmRxWkg0\\ndHk3ZjZWVlpMZWs2ZG82d3BsbFVuelEKzfSkYRqQfanMZNHQ6wjHr54a2VR3jRfF\\n71VVbbLLDNoZ0kkwv/mjdH/Dn0iQyVDUMRn9uQqmlirT3DH74Jsh1w==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0TENhT2QvWit4UjBkcy85\\nRVlxL3ozRnBUNlVZVW1UcWVFams5dmhiVm1nCm05ZlVrT0hVSmlKQmozNUU5MHFU\\nb1VUV25mK2hocXhnNGJOVWxuMVJ5UVEKLS0tIHBRZEluTnVHMFo3VGVIN2VkNDc3\\ncUZOTExwMTMxNW96S1h5SlhHNXVqWjQKdYoZxT9IDjtLcmUHClyuTqnpWHa3zX9e\\n/afTEsArLfJ00n2O1hThP3puJmSEe1mDvz7CF57Cwf7iu51nLhitpg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjTzBFdnNGV0FaYVd0aUp0\\nczJoNmQ0Y0p2a3VxSTBrT0V2QjNWdTlaZVM0CjQvSENGMmlrWWIzVEhEL1h4QnBx\\nR1RISHQzK21Rb2hpS2hzK0czWmZFbVkKLS0tIG85b1VXVVlpRXRENU1ScEUrd1BL\\nQlpDWXVKeHpsbktQT2dnNDR1RGY2cncKB5611errmeH6HkZ563J0tweRl2kY3/85\\neIqp8yuADpdxOW8EpTtGBFLXc3XpWErK4KLz1i9XiPUl3NEF7r9nIg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:33Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:y9bVOXG1I8zmQWo/MX1QTcCsoSkJXMCERUaeRKiAbOlDUOsjmrUhmGyz51XRNXmYNELLF7uYjTV6xy3ZKc64fxaxt90R8YAftElFAYk9wZIBGrA27pkXD91+pTk9Y9gFqQ3CXHVp7VNrabuGDQsNfG9AVIiUZKzp5qUOMBfH6vw=,iv:RAg3UaPFKb3a9SYWLkwZtolwqMQhhfYWaStlTMj61RY=,tag:DbOWDc7M3hRCeSN7VlnBVw==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/zimbatm-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:hWrx45+MS4e2v2YPpWbpZ6nKpw==,iv:YSbUsRMeyCKs1gt5ScnE/seG3LC7YcylLE8tegRo208=,tag:CjcOuODmVt5HPsD6Dl3/OA==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWN1Q4bFY4aHRQdlNZa2RJ\\nRmJDdWdyMGZnUTBQcHlacVdkK2h1eWgwWnhVCkk1OGRlSCtpZWR1dEg4OTVocEor\\nT1UzRm9BZmFEbXZyaXdTb3ZmR082cTQKLS0tIDRYRUhMY1hIYSswcENkenZJNUh3\\nQ2VtVlFsdmxRcDBYTll6ZVJCN2NRWDQKT0/VwpK38hNStcRcnQE6L34tcTS+0JEK\\nGxlsdm9uQ5XLtmLF3UabrGkGee80mQ1XkhPYte9CPnNZRlIJoxHA1g==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxcXZNd2ZIOXhDTnFzNFNN\\nSWpSRHFyZHA4bUZRNzBhS1pkVWNlcGRWaUdjCjZVSFczUGdrK2swNy9sdzVhTk5j\\nbjlDQko1bklXU0UwU2E4Y3IvTTZnd28KLS0tIFl0NVR4ZzZHZk9reEl4dDRMdDZi\\nZG9pRVJYU3JWK016d1BWMzRueXZJL3MKCR3NxNuASwNrMwa8DmyV1T46kJWEc3ZF\\nO/apjWFxxmLDui3AN5hLWVF70a9kEjk62g12XKvVTZ+cZT695si/Pw==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvcCtZeVBaaVNiQ3RLN25k\\nUVZuRUNrS1psZ2oydFdzYldORWxrWXF3Y2pjCnVPaERFMjk5VUNlbGp0dmI2REpE\\nOUdhV2dLV0N5bWxWRVhmRDRzbzFzdE0KLS0tIE9CZGJQSEFPeFdQL3dKbFlBU1dK\\nUEhkdThKdkNsU2NEb0JRUUZLRVE2cVkKqIPmBE2+dpWLGwiOlVvWxleJUZ85gscR\\nn8DeAxHkj91yYvKTVRFI7IHXodKm5Tv36Do20FEYActXU7O04x5gKA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:53:58Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:4ArDpnWg+fOyx3GXmKutr5/NT4PvoeUDT5W/r7D4vtbQG/dwlnBZ4PV7tZte03lnCWfRRxWsV9Uo3gkfcbs9PXU5jcWiUjsZF6fwHaOo7icD2szA/gyWka66SC1Bxx5Ob0DQBhe3FuzLTq7ZPYxp1vXRdqTT8CSxe+ImzPGHank=,iv:t7ogDMdhVG6BX7hxRH3G2ov2LPH5DBZ0j6enx5YmobQ=,tag:TVKzrERdsJo0ARzxk1TsWQ==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "non-critical-infra/secrets/zmberber-email-address.umbriel",
    "content": "{\n\t\"data\": \"ENC[AES256_GCM,data:2k7CE3eP/tkjWrDsVD5VHj5MMw==,iv:W9ojzlwPejmI801En8WyXkJ2Mbon5VD8CdBevDdn8SQ=,tag:Qzlgqp3jRYiMjofENRok1A==,type:str]\",\n\t\"sops\": {\n\t\t\"kms\": null,\n\t\t\"gcp_kms\": null,\n\t\t\"azure_kv\": null,\n\t\t\"hc_vault\": null,\n\t\t\"age\": [\n\t\t\t{\n\t\t\t\t\"recipient\": \"age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSNTI3bHYxNml0WVRZZkxn\\nRG03eDJha0p0TmI3ZXZsRkpXSm9sMEpwT2tRCmszSWxicnZGa2EyL2RoUDF4ZWZN\\nazIrMmJydkRvUlFTb0VNTVNuQTBwMUEKLS0tIElVSVN3T0hNdkdoTnJUUlFJenQ1\\nMEd4ZW5aemtQcm15ZVozK3hOSW5YbG8KGOpwQmdk0CNUTI8CaUjXg4HqHuwn0Fcx\\nNKJRYbRLsawTgWu7Cpg72uM0TaiYhU9+HOIP+XRgrXWDBrTos3qPjA==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKTEpBMnVnNzVPcmdZd0F3\\nR3R0aFpxUVdXNGpiQ3BRU1dNT202akFuMHcwCnJKUFZ6UnV3d2c4WDkrdFdpUFdJ\\nSFF1UmczZHlYQ0NEaDRYWkhXTHF1TWsKLS0tIFB6SDQ3VFJPK3B3aFQrOVVYYnlv\\nclQrT2Q0NklDS2Y1Mm9Kd3BBVmV0VHMK12RhOd3Y/+RqqzVLi7iSx1MJ0ZwgMRqB\\nNa6hQ26E5VvrrpD2DWez3B4tFcvPnqs0E8H+XSmepAZDkKwaCEk9gg==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"recipient\": \"age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h\",\n\t\t\t\t\"enc\": \"-----BEGIN AGE ENCRYPTED FILE-----\\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCQy9qZ1ZPTU0reXNxSHJ0\\nVDRHeTZud0JibGF4SGlhMDBYYW42SVR6SGdnClk0VG81MFdXVDRBU0VkK3VKN2gw\\ncXAwamlXanlUTDlGMU5kMDI2QVU2R2cKLS0tIG1tc3RtMW1ZMkhFekMvcHc4NUxS\\nL1FIL1l2Rlo2NkdqZXVYV3hySDloYTAKHR3ylAvNTCgcqYBT5fqtAekzsFfhyAlG\\nML9owA1as6L2gz0Q0mNs+hQ7bVTJcX79IvGJO3XGRzzKiV0mDg9+6w==\\n-----END AGE ENCRYPTED FILE-----\\n\"\n\t\t\t}\n\t\t],\n\t\t\"lastmodified\": \"2025-03-22T15:54:16Z\",\n\t\t\"mac\": 
\"ENC[AES256_GCM,data:pdfPTfLuchk8RPTYJn5+zF2SyJVVr85gSbwQVHZ8ntViyGLUpvnlhLDay33CYV/6bnwQZIF9S5xo13/eQeemTa+p++tZKz4A8g6vWh5NuHgN4PBz63W25tmfPQGLk/sy6wm9wMmatDncJ9RjGtRfkDxqhjpNXM8eW9rvUezFBOA=,iv:pw92c307xRw8iZABrzeKycsv54TJWlzJBgl+itBb5vU=,tag:0LglVHSUgHi+CgA6US9vWQ==,type:str]\",\n\t\t\"pgp\": null,\n\t\t\"unencrypted_suffix\": \"_unencrypted\",\n\t\t\"version\": \"3.9.4\"\n\t}\n}"
  },
  {
    "path": "pyproject.toml",
    "content": "[tool.ruff]\nline-length = 88\ntarget-version = \"py312\"\n\nlint.select = [\"ALL\"]\n\nlint.ignore = [\n  # pydocstyle\n  \"D\",\n  # todo comments\n  \"TD\",\n  # fixmes\n  \"FIX\",\n\n  # Unused function argument\n  \"ARG001\",\n\n  ## breaks with nix-shell\n  # Shebang should be at the beginning of the file\n  \"EXE005\",\n  \"EXE003\",\n  \"EXE001\",\n\n  # Missing type annotation for `self` in method\n  \"ANN101\",\n  # Dynamically typed expressions (typing.Any)\n  \"ANN401\",\n  # Trailing comma missing\n  \"COM812\",\n  # Unnecessary `dict` call (rewrite as a literal)\n  \"C408\",\n  # Found commented-out code\n  \"ERA001\",\n  # Boolean-typed positional argument in function definition\n  \"FBT001\",\n  # Logging statement uses f-string\n  \"G004\",\n  # disabled on ruff's recommendation as causes problems with the formatter\n  \"ISC001\",\n  # Use of `assert` detected\n  \"S101\",\n  # `subprocess` call: check for execution of untrusted input\n  \"S603\",\n  # Starting a process with a partial executable path\n  \"S607\",\n  # Boolean default positional argument in function definition\n  \"FBT002\",\n\n  # Too many statements\n  \"PLR0915\",\n  # Too many arguments in function definition\n  \"PLR0913\",\n  \"PLR0912\", # Too many branches\n  # $X is too complex\n  \"C901\",\n\n  \"E501\",    # line too long\n  \"T201\",    # `print` found\n  \"T203\",    # `pprint` found\n  \"PLR2004\", # Magic value used in comparison\n]\n\n# TODO fixes\n[tool.ruff.lint.per-file-ignores]\n\"modules/prometheus/nixos-exporter/prometheus_nixos_exporter/__main__.py\" = [\n  \"PTH115\",\n  \"PTH118\",\n  \"PTH120\"\n]\n\"build/pluto/prometheus/exporters/**.py\" = [\n  \"ANN\"\n]\n\"build/datadog/hydra.py\" = [\n  \"ANN001\",\n  \"ARG002\",\n  \"INP001\",\n  \"S113\",\n]\n\"build/pluto/prometheus/exporters/channel-exporter.py\" = [\n  \"BLE001\",\n  \"PTH123\"\n]\n\"build/pluto/prometheus/exporters/hydra-queue-runner-reexporter.py\" = [\n  \"TRY300\",\n  
\"N806\",\n  \"A002\",\n  \"PTH123\",\n  \"S113\"\n]\n\n[[tool.mypy.overrides]]\nignore_missing_imports = true\n\n"
  },
  {
    "path": "renovate.json",
    "content": "{\n  \"$schema\": \"https://docs.renovatebot.com/renovate-schema.json\",\n  \"extends\": [\n    \"config:recommended\",\n    \":dependencyDashboard\",\n    \"helpers:pinGitHubActionDigests\"\n  ],\n  \"nix\": {\n    \"enabled\": true\n  },\n  \"lockFileMaintenance\": {\n    \"enabled\": true\n  },\n  \"semanticCommits\": \"disabled\"\n}\n"
  },
  {
    "path": "ssh-keys.nix",
    "content": "rec {\n  arianvp-mac = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdERauixCGEk0oxLB+725k2M3McKHM0hjOjOWS+Dxdf arian@Mac\";\n\n  eelco = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnI5L6oCgFyvEesL04LnbnH1TBhegq1Yery6TNlIRAA edolstra@gmail.com\";\n\n  hydra-queue-runner = \"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyM48VC5fpjJssLI8uolFscP4/iEoMHfkPoT9R3iE3OEjadmwa1XCAiXUoa7HSshw79SgPKF2KbGBPEVCascdAcErZKGHeHUzxj7v3IsNjObouUOBbJfpN4DR7RQT28PZRsh3TvTWjWnA9vIrSY/BvAK1uezFRuObvatqAPMrw4c0DK+JuGuCNkKDGHLXNSxYBc5Pmr1oSU7/BDiHVjjyLIsAMIc20+q8SjWswKqL1mY193mN7FpUMBtZrd0Za9fMFRII9AofEIDTOayvOZM6+/1dwRWZXM6jhE6kaPPF++yromHvDPBnd6FfwODKLvSF9BkA3pO5CqrD8zs7ETmrV hydra-queue-runner@chef\";\n\n  zimbatm = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOuiDoBOxgyer8vGcfAIbE6TC4n4jo8lhG9l01iJ0bZz zimbatm\";\n\n  vcunat = \"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4IJkFIVyImkfD4fM89ya+hy2ig8kUg09PCdjB5rS82akFoucYZSYMG41ZrlMT5LAikIgWusBzpO5bBkqxqcYqaYK/VF06zVBk3kF1pAIoitst9z0PLXY8/N+bFJg6oT7p6EWGRvFggUviSTTvJFMNUdDgEpsLqLp8+IYXjfM3Cz6+TQmyWQSockobRqgdILTjc1p2uxmNSzy2fElpZ0sKRPLNYG4SVPBPnOavs1KPOtyC1pIHOuz5A605gPLFXoWpX2lIK6atmGheiHxURDAX3pANVm+iMmnjteP0jEGU26/SPqgVP3OxdcryHxL3WnSJGtTnycoa30qP/Edmy9vB\";\n\n  hexa-gaia = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAWQRR7dspgQ6kCwyFnoVlgmmPR4iWL1+nvq6a5ad2Ug hexa@gaia\";\n  hexa-helix = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFSpdtIxIBFtd7TLrmIPmIu5uemAFJx4sNslRsJXfFxr hexa@helix\";\n\n  mic92-turingmachine = \"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEVSsc5mlP8aWiUVwWWM3gKlB5LHVpmKSifnDyox/BnVAAAABHNzaDo= yubikey1\";\n  mic92-evo = \"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCsjXKHCkpQT4LhWIdT0vDM/E/3tw/4KHTQcdJhyqPSH0FnwC8mfP2N9oHYFa2isw538kArd5ZMo5DD1ujL5dLk= ssh@secretive.Joerg’s-Laptop.local\";\n\n  jfly = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIImw0Xc1buEQ9WOskyGGeg3QwdbU7DTUQBiu02fObDlm jfly\";\n\n  brianmcgee = \"ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKHHl5kgMDNQA/zqK+AzT4SO09rfAp+y/EeUC+Ow5XqyNid5lm6sgLGM+AqZDx0jOrMKWhd5lhzGDdtsSf0Y8g4= brian@saturn\";\n\n  infra-core = [\n    hexa-gaia\n    hexa-helix\n    vcunat\n    zimbatm\n    mic92-turingmachine\n    mic92-evo\n    arianvp-mac\n  ];\n\n  infra = infra-core ++ [ jfly ];\n\n  machines = {\n    # build/\n    haumea = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBamzRwZmoLjBFoNruGSVJEahk02Ku7NrBOmqcRWxcPm\";\n    pluto = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPzc6B1S4mp3T3oWZnqQDkDVWFBIzLtkgkdgstfYZ5d/\";\n    mimas = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICzfTNppOS5b5IvZl1wqjGTUZE0D/o/MY8d7uKPWDvIp\";\n    titan = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDgz6s5Yho6/bjvrRDuJ2IewAZQaevAMOeMjVjMaw5e+\";\n\n    # builders/\n    elated-minsky = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIvrJpd3aynfPVGGG/s7MtRFz/S6M4dtqvqKI3Da7O7+\";\n    goofy-hopcroft = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICTJEi+nQNd7hzNYN3cLBK/0JCkmwmyC1I+b5nMI7+dd\";\n    hopeful-rivest = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBgjwpQaNAWdEdnk1YG7JWThM4xQdKNJ3h3arhF7+iFm\";\n    sleepy-brown = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOh4/3m7o6H3J5QG711aJdlSUVvlC8yW6KoqAES3Fy6I\";\n\n    # macs/\n    eager-heisenberg = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBp9NStfEPu7HdeK8f2KEnynyirjG9BUk+6w2SgJtQyS\";\n    enormous-catfish = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMlg7NXxeG5L3s0YqSQIsqVG0MTyvyWDHUyYEfFPazLe\";\n    growing-jennet = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAQGthkSSOnhxrIUCMlRQz8FOo5Y5Nk9f9WnVLNeRJpm\";\n    intense-heron = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICeSgOe/cr1yVAJOl30t3AZOLtvzeQa5rnrHGceKeBue\";\n    kind-lumiere = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFoqn1AAcOqtG65milpBtWVXP5VcBmTUSMGNfJzPwW8Q\";\n    maximum-snail = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEs+fK4hH8UKo+Pa7u1VYltkMufBHHH5uC93RQ2S6Xy9\";\n    norwegian-blue = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQ6Cjvoq5VBYfXl6ZV/ijQ1q4UxbWRYYfkXe0rzmJjf\";\n    
sweeping-filly = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE6b/coXQEcFZW1eG4zFyCMCF0mZFahqmadz6Gk9DWMF\";\n  };\n}\n"
  },
  {
    "path": "terraform/.envrc",
    "content": "# shellcheck shell=bash\nuse flake .#terraform\n\nexport AWS_CONFIG_FILE=$PWD/aws-config\nexport AWS_PROFILE=nixos-prod\n\nsource_env_if_exists .envrc.local\n"
  },
  {
    "path": "terraform/.envrc.local.template",
    "content": "#!/bin/sh\n\n# Get this one from https://manage.fastly.com/account/personal/tokens and set a global scope.\nexport FASTLY_API_KEY=...\n"
  },
  {
    "path": "terraform/.gitignore",
    "content": "/.envrc.local\n"
  },
  {
    "path": "terraform/README.md",
    "content": "# For the bits that are not nixops-able\n\nThis terraform root module manages:\n\n- the resource in the AWS main account (S3 buckets)\n- Fastly\n- Netlify DNS\n\n## Setup\n\nIn order to use this, make sure to install direnv and Nix with flakes enabled.\n\nThen copy the `.envrc.local.template` to `.envrc.local`, and fill in the related\nkeys.\n\n> FIXME: Unset the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY env vars if they\n> are already set. Those have been replaced by AWS SSO.\n\nThen run `direnv allow` to load the environment with the runtime dependencies.\n\nRun `aws sso login` to acquire a temporary token.\n\n## Usage\n\nWe use opentofu, which is a fork of https://www.terraform.io/ maintained by the\nLinux foundation.\n\nThen run the following command to diff the changes and then apply if approved:\n\n```sh\n./tf.sh apply\n```\n\n## Terraform workflow\n\nWrite the Tofu code and test the changes using `./tf.sh validate`.\n\nBefore committing run `nix fmt`.\n\nOnce the code is ready to be deployed, create a new PR with the attached output\nof `./tf.sh plan`.\n\nOnce the PR is merged, run `./tf.sh apply` to apply the changes.\n\n## Upgrade from terraform to opentofu\n\nIf you have used terraform, you may have to delete .terraform in this directory\nonce to fixup provider registry addresses.\n"
  },
  {
    "path": "terraform/artifacts.tf",
    "content": "# Artifacts Proxy Service\n#\n# This service provides IPv6-enabled access to GitHub releases through Fastly CDN.\n# It transparently follows GitHub's S3 redirects to provide direct file access.\n#\n# Supported URL patterns:\n# - /nix-installer/tag/* -> /NixOS/nix-installer/releases/download/*\n# - /nix-installer -> /NixOS/nix-installer/releases/latest/download/nix-installer.sh\n# - /nix-installer/* -> /NixOS/nix-installer/releases/latest/download/*\n# - /experimental-installer/tag/* -> /NixOS/experimental-nix-installer/releases/download/* (legacy)\n# - /experimental-installer -> /NixOS/experimental-nix-installer/releases/latest/download/nix-installer.sh (legacy)\n# - /experimental-installer/* -> /NixOS/experimental-nix-installer/releases/latest/download/* (legacy)\n# - /patchelf/* -> /NixOS/patchelf/releases/download/*\n#\n# Testing commands:\n#\n# Basic functionality tests:\n# curl -I https://artifacts.nixos.org/nix/0.27.0/nix-installer.sh\n# curl -s https://artifacts.nixos.org/nix/0.27.0/nix-installer.sh | head -n 5\n#\n# IPv6 connectivity test:\n# curl -6 -I https://artifacts.nixos.org/nix/0.27.0/nix-installer.sh\n#\n# Performance comparison (should show redirect following):\n# time curl -s https://artifacts.nixos.org/nix/0.27.0/nix-installer-x86_64-linux > /dev/null\n# time curl -s https://github.com/NixOS/experimental-nix-installer/releases/download/0.27.0/nix-installer-x86_64-linux > /dev/null\n#\n# Error cases (should return 404):\n# curl -I https://artifacts.nixos.org/invalid/path\n# curl -I https://artifacts.nixos.org/patchelf/999.999.999/nonexistent-file\n\nlocals {\n  artifacts_domain = \"artifacts.nixos.org\"\n}\n\nresource \"fastly_service_vcl\" \"artifacts\" {\n  name        = local.artifacts_domain\n  default_ttl = 3600\n\n  backend {\n    address               = \"github.com\"\n    auto_loadbalance      = false\n    between_bytes_timeout = 10000\n    connect_timeout       = 1000\n    error_threshold       = 0\n    first_byte_timeout  
  = 15000\n    max_conn              = 200\n    name                  = \"github.com\"\n    override_host         = \"github.com\"\n    port                  = 443\n    ssl_cert_hostname     = \"github.com\"\n    ssl_check_cert        = true\n    use_ssl               = true\n    weight                = 100\n    request_condition     = \"Use GitHub backend\"\n  }\n\n  backend {\n    address               = \"objects.githubusercontent.com\"\n    auto_loadbalance      = false\n    between_bytes_timeout = 10000\n    connect_timeout       = 1000\n    error_threshold       = 0\n    first_byte_timeout    = 15000\n    max_conn              = 200\n    name                  = \"objects_githubusercontent_com\"\n    override_host         = \"objects.githubusercontent.com\"\n    port                  = 443\n    ssl_cert_hostname     = \"objects.githubusercontent.com\"\n    ssl_check_cert        = true\n    use_ssl               = true\n    weight                = 100\n    request_condition     = \"Use Objects backend\"\n  }\n\n  condition {\n    name      = \"Use GitHub backend\"\n    priority  = 10\n    statement = \"!req.http.X-Use-Objects-Backend\"\n    type      = \"REQUEST\"\n  }\n\n  condition {\n    name      = \"Use Objects backend\"\n    priority  = 10\n    statement = \"req.http.X-Use-Objects-Backend\"\n    type      = \"REQUEST\"\n  }\n\n\n  request_setting {\n    name      = \"Redirect HTTP to HTTPS\"\n    force_ssl = true\n  }\n\n  domain {\n    name = local.artifacts_domain\n  }\n\n  # Main VCL snippet to handle the redirect logic\n  snippet {\n    content  = <<-EOT\n      # Only rewrite if this is the first request (not a restart)\n      if (!req.http.X-Rewritten) {\n        # New nix-installer routes (NixOS/nix-installer)\n        if (req.url ~ \"^/nix-installer/tag/\") {\n          set req.url = regsub(req.url.path, \"^/nix-installer/tag/\", \"/NixOS/nix-installer/releases/download/\");\n          set req.http.X-Rewritten = \"true\";\n        } else if 
(req.url ~ \"^(/nix-installer|/nix-installer/)$\") {\n          set req.url = regsub(req.url.path, \"^(/nix-installer|/nix-installer/)$\", \"/NixOS/nix-installer/releases/latest/download/nix-installer.sh\");\n          set req.http.X-Rewritten = \"true\";\n        } else if (req.url ~ \"^/nix-installer/\") {\n          set req.url = regsub(req.url.path, \"^/nix-installer\", \"/NixOS/nix-installer/releases/latest/download/\");\n          set req.http.X-Rewritten = \"true\";\n        # Legacy experimental-installer routes (NixOS/experimental-nix-installer)\n        } else if (req.url ~ \"^/experimental-installer/tag/\") {\n          set req.url = regsub(req.url.path, \"^/experimental-installer/tag/\", \"/NixOS/experimental-nix-installer/releases/download/\");\n          set req.http.X-Rewritten = \"true\";\n        } else if (req.url ~ \"^(/experimental-installer|/experimental-installer/)$\") {\n          set req.url = regsub(req.url.path, \"^(/experimental-installer|/experimental-installer/)$\", \"/NixOS/experimental-nix-installer/releases/latest/download/nix-installer.sh\");\n          set req.http.X-Rewritten = \"true\";\n        } else if (req.url ~ \"^/experimental-installer/\") {\n          set req.url = regsub(req.url.path, \"^/experimental-installer\", \"/NixOS/experimental-nix-installer/releases/latest/download/\");\n          set req.http.X-Rewritten = \"true\";\n        } else if (req.url ~ \"^/patchelf/\") {\n          set req.url = regsub(req.url.path, \"^/patchelf/\", \"/NixOS/patchelf/releases/download/\");\n          set req.http.X-Rewritten = \"true\";\n        } else {\n          error 600;\n        }\n      }\n    EOT\n    name     = \"GitHub releases redirect\"\n    priority = 100\n    type     = \"recv\"\n  }\n\n  # Handle redirects from GitHub to S3\n  snippet {\n    content  = <<-EOT\n      if (beresp.status == 302 && beresp.http.Location ~ \"^https://objects\\.githubusercontent\\.com/\") {\n        # Extract the full path including query 
parameters\n        set req.url = regsub(beresp.http.Location, \"^https://objects\\.githubusercontent\\.com\", \"\");\n        set req.http.X-Use-Objects-Backend = \"true\";\n        # Set correct host header for S3\n        set req.http.Host = \"objects.githubusercontent.com\";\n        # Clear GitHub-specific headers that might interfere\n        unset req.http.Authorization;\n        unset req.http.Cookie;\n        restart;\n      }\n    EOT\n    name     = \"Follow GitHub redirects\"\n    priority = 100\n    type     = \"fetch\"\n  }\n\n\n\n\n  # Handle 404 errors\n  snippet {\n    content  = <<-EOT\n      if (obj.status == 600) {\n        set obj.status = 404;\n        set obj.http.Content-Type = \"text/html\";\n        synthetic {\"<h1>Not Found</h1>\"};\n        return(deliver);\n      }\n    EOT\n    name     = \"Handle 404 errors\"\n    priority = 100\n    type     = \"error\"\n  }\n\n  # Add HSTS header for security\n  header {\n    destination = \"http.Strict-Transport-Security\"\n    type        = \"response\"\n    action      = \"set\"\n    name        = \"Add HSTS\"\n    source      = \"\\\"max-age=300\\\"\"\n  }\n\n  logging_s3 {\n    name              = \"${local.artifacts_domain}-to-s3\"\n    bucket_name       = local.fastlylogs[\"bucket_name\"]\n    compression_codec = \"zstd\"\n    domain            = local.fastlylogs[\"s3_domain\"]\n    format            = local.fastlylogs[\"format\"]\n    format_version    = 2\n    path              = \"${local.artifacts_domain}/\"\n    period            = local.fastlylogs[\"period\"]\n    message_type      = \"blank\"\n    s3_iam_role       = local.fastlylogs[\"iam_role_arn\"]\n  }\n}\n\nresource \"fastly_tls_subscription\" \"artifacts\" {\n  domains               = [for domain in fastly_service_vcl.artifacts.domain : domain.name]\n  configuration_id      = local.fastly_tls13_quic_configuration_id\n  certificate_authority = \"lets-encrypt\"\n}\n\noutput \"artifacts-managed_dns_challenge\" {\n  value = 
fastly_tls_subscription.artifacts.managed_dns_challenges\n}\n"
  },
  {
    "path": "terraform/aws-config",
    "content": "[profile nixos-prod]\nsso_start_url = https://nixos.awsapps.com/start\nsso_region = eu-north-1\nsso_account_id = 080433136561\nsso_role_name = AWSPowerUserAccess\nregion = eu-north-1\n"
  },
  {
    "path": "terraform/cache/diagnostic.sh",
    "content": "#!/usr/bin/env nix-shell\n#!nix-shell -i bash -p bind.dnsutils -p mtr -p curl -p netcat\n# shellcheck shell=bash\n# impure: needs ping\n#\n# Run this script if you are having issues with cache.nixos.org and paste the\n# output URL in a new issue in the same repo.\n#\n\ndomain=${1:-cache.nixos.org}\n\nrun() {\n  echo \"> $*\"\n  \"$@\" |& sed -e \"s/^/    /\"\n  printf \"Exit: %s\\n\\n\\n\" \"$?\"\n}\n\ncurl_w=\"\ntime_namelookup:    %{time_namelookup}\ntime_connect:       %{time_connect}\ntime_appconnect:    %{time_appconnect}\ntime_pretransfer:   %{time_pretransfer}\ntime_redirect:      %{time_redirect}\ntime_starttransfer: %{time_starttransfer}\ntime_total:         %{time_total}\n\"\n\ncurl_test() {\n  curl -w \"$curl_w\" -v -o /dev/null \"$@\"\n}\n\ntermbin() {\n  url=$(cat | nc termbin.com 9999)\n  echo \"Pasted at: $url\"\n}\n\n(\n  echo \"domain=$domain\"\n  run dig -t A \"$domain\"\n  run ping -c1 \"$domain\"\n  run ping -4 -c1 \"$domain\"\n  run ping -6 -c1 \"$domain\"\n  run mtr -c 20 -w -r \"$domain\"\n  run curl_test -4 \"http://$domain/\"\n  run curl_test -6 \"http://$domain/\"\n  run curl_test -4 \"https://$domain/\"\n  run curl_test -6 \"https://$domain/\"\n  run curl -I -4 \"https://$domain/\"\n  run curl -I -4 \"https://$domain/\"\n  run curl -I -4 \"https://$domain/\"\n  run curl -I -6 \"https://$domain/\"\n  run curl -I -6 \"https://$domain/\"\n  run curl -I -6 \"https://$domain/\"\n) | tee /dev/stderr | termbin\n"
  },
  {
    "path": "terraform/cache/index.html",
    "content": "<!DOCTYPE html>\n<html lang=\"en\">\n  <head>\n    <title>cache.nixos.org is up</title>\n    <meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\n    <meta http-equiv=\"X-UA-Compatible\" content=\"IE=Edge\" />\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n    <link\n      rel=\"stylesheet\"\n      href=\"https://nixos.org/bootstrap/css/bootstrap.min.css\"\n    />\n    <link\n      rel=\"stylesheet\"\n      href=\"https://nixos.org/bootstrap/css/bootstrap-responsive.min.css\"\n    />\n    <style>\n      body {\n        padding-top: 0;\n        margin-top: 4em;\n        margin-bottom: 4em;\n      }\n      body > div {\n        max-width: 800px;\n      }\n      p {\n        text-align: center;\n      }\n      .cache {\n        font-style: italic;\n      }\n    </style>\n  </head>\n  <body>\n    <div class=\"container jumbotron\">\n      <div class=\"jumbotron\">\n        <p class=\"lead\">\n          <a href=\"https://nixos.org/nixos\">\n            <img\n              src=\"https://brand.nixos.org/logos/nixos-logo-default-gradient-black-regular-horizontal-minimal.svg\"\n              width=\"500px\"\n              alt=\"logo\"\n            />\n          </a>\n        </p>\n\n        <p class=\"lead\">\n          <code>https://cache.nixos.org/</code> provides prebuilt binaries for\n          Nixpkgs and NixOS. 
It is used automatically by the Nix package manager\n          to speed up builds.\n        </p>\n      </div>\n      <hr />\n      <div class=\"help\">\n        <p>\n          If you are having trouble, please reach out through one of the\n          <a href=\"https://nixos.org/nixos/support.html\">support channels</a>\n          with the results of\n          <a\n            href=\"https://github.com/NixOS/infra/blob/main/terraform/cache/diagnostic.sh\"\n          >this diagnostics script</a>\n          which will help us figure out where the issue lies.\n        </p>\n        <p>\n          For questions, or support, <a\n            href=\"https://nixos.org/nixos/support.html\"\n          >\n            the support page</a> from the NixOS website describes how to get in\n          touch.\n        </p>\n      </div>\n    </div>\n  </body>\n</html>\n"
  },
  {
    "path": "terraform/cache/nix-cache-info",
    "content": "StoreDir: /nix/store\nWantMassQuery: 1\nPriority: 40\n"
  },
  {
    "path": "terraform/cache/s3-authn.vcl",
    "content": "# VCL snippet to authenticate Fastly<->S3 requests.\n#\n# https://docs.fastly.com/en/guides/amazon-s3#using-an-amazon-s3-private-bucket\n\ndeclare local var.canonicalHeaders STRING;\ndeclare local var.signedHeaders STRING;\ndeclare local var.canonicalRequest STRING;\ndeclare local var.canonicalQuery STRING;\ndeclare local var.stringToSign STRING;\ndeclare local var.dateStamp STRING;\ndeclare local var.signature STRING;\ndeclare local var.scope STRING;\n\nif (req.method == \"GET\" && !req.backend.is_shield) {\n  set bereq.http.x-amz-content-sha256 = digest.hash_sha256(\"\");\n  set bereq.http.x-amz-date = strftime({\"%Y%m%dT%H%M%SZ\"}, now);\n  set bereq.http.x-amz-request-payer = \"requester\";\n  set bereq.http.host = \"${backend_domain}\";\n  set bereq.url = querystring.remove(bereq.url);\n  set bereq.url = regsuball(urlencode(urldecode(bereq.url.path)), {\"%2F\"}, \"/\");\n  set var.dateStamp = strftime({\"%Y%m%d\"}, now);\n  set var.canonicalHeaders = \"\"\n    \"host:\" bereq.http.host LF\n    \"x-amz-content-sha256:\" bereq.http.x-amz-content-sha256 LF\n    \"x-amz-date:\" bereq.http.x-amz-date LF\n    \"x-amz-request-payer:\" bereq.http.x-amz-request-payer LF\n  ;\n  set var.canonicalQuery = \"\";\n  set var.signedHeaders = \"host;x-amz-content-sha256;x-amz-date;x-amz-request-payer\";\n  set var.canonicalRequest = \"\"\n    \"GET\" LF\n    bereq.url.path LF\n    var.canonicalQuery LF\n    var.canonicalHeaders LF\n    var.signedHeaders LF\n    digest.hash_sha256(\"\")\n  ;\n\n  set var.scope = var.dateStamp \"/${aws_region}/s3/aws4_request\";\n\n  set var.stringToSign = \"\"\n    \"AWS4-HMAC-SHA256\" LF\n    bereq.http.x-amz-date LF\n    var.scope LF\n    regsub(digest.hash_sha256(var.canonicalRequest),\"^0x\", \"\")\n  ;\n\n  set var.signature = digest.awsv4_hmac(\n    \"${secret_key}\",\n    var.dateStamp,\n    \"${aws_region}\",\n    \"s3\",\n    var.stringToSign\n  );\n\n  set bereq.http.Authorization = \"AWS4-HMAC-SHA256 \"\n    
\"Credential=${access_key}/\" var.scope \", \"\n    \"SignedHeaders=\" var.signedHeaders \", \"\n    \"Signature=\" + regsub(var.signature,\"^0x\", \"\")\n  ;\n  unset bereq.http.Accept;\n  unset bereq.http.Accept-Language;\n  unset bereq.http.User-Agent;\n  unset bereq.http.Fastly-Client-IP;\n}\n"
  },
  {
    "path": "terraform/cache-bucket/main.tf",
    "content": "variable \"bucket_name\" {\n  type = string\n}\n\nresource \"aws_s3_bucket\" \"cache\" {\n  provider = aws\n  bucket   = var.bucket_name\n}\n\nresource \"aws_s3_bucket_lifecycle_configuration\" \"cache\" {\n  provider = aws\n  bucket   = aws_s3_bucket.cache.id\n\n  rule {\n    id     = \"Infrequent Access\"\n    status = \"Enabled\"\n\n    filter {\n      prefix = \"\"\n    }\n\n    transition {\n      days          = 365\n      storage_class = \"STANDARD_IA\"\n    }\n  }\n}\n\nresource \"aws_s3_bucket_cors_configuration\" \"cache\" {\n  provider = aws\n  bucket   = aws_s3_bucket.cache.bucket\n\n  cors_rule {\n    allowed_headers = [\"Authorization\"]\n    allowed_methods = [\"GET\"]\n    allowed_origins = [\"*\"]\n    max_age_seconds = 3000\n  }\n}\n\n\nresource \"aws_s3_bucket_public_access_block\" \"cache\" {\n  bucket = aws_s3_bucket.cache.bucket\n\n  block_public_acls   = false\n  block_public_policy = false\n}\n\nresource \"aws_s3_bucket_object\" \"cache-nix-cache-info\" {\n  provider   = aws\n  depends_on = [aws_s3_bucket_public_access_block.cache]\n\n  bucket       = aws_s3_bucket.cache.bucket\n  content_type = \"text/x-nix-cache-info\"\n  etag         = filemd5(\"${path.module}/../cache-staging/nix-cache-info\")\n  key          = \"nix-cache-info\"\n  source       = \"${path.module}/../cache-staging/nix-cache-info\"\n}\n\nresource \"aws_s3_bucket_object\" \"cache-index-html\" {\n  provider   = aws\n  depends_on = [aws_s3_bucket_public_access_block.cache]\n\n  bucket       = aws_s3_bucket.cache.bucket\n  content_type = \"text/html\"\n  etag         = filemd5(\"${path.module}/../cache-staging/index.html\")\n  key          = \"index.html\"\n  source       = \"${path.module}/../cache-staging/index.html\"\n}\n\nresource \"aws_s3_bucket_policy\" \"cache\" {\n  provider   = aws\n  bucket     = aws_s3_bucket.cache.id\n  depends_on = [aws_s3_bucket_public_access_block.cache]\n\n  # imported from existing\n  policy = <<EOF\n{\n  \"Version\": 
\"2008-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"AllowPublicRead\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"*\"\n      },\n      \"Action\": \"s3:GetObject\",\n      \"Resource\": \"arn:aws:s3:::${var.bucket_name}/*\"\n    },\n    {\n      \"Sid\": \"AllowUploadDebuginfoWrite\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::080433136561:user/s3-upload-releases\"\n      },\n      \"Action\": [\n        \"s3:PutObject\",\n        \"s3:PutObjectAcl\"\n      ],\n      \"Resource\": \"arn:aws:s3:::${var.bucket_name}/debuginfo/*\"\n    },\n    {\n      \"Sid\": \"AllowUploadDebuginfoRead\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::080433136561:user/s3-upload-releases\"\n      },\n      \"Action\": \"s3:GetObject\",\n      \"Resource\": \"arn:aws:s3:::${var.bucket_name}/*\"\n    },\n    {\n      \"Sid\": \"AllowUploadDebuginfoRead2\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::080433136561:user/s3-upload-releases\"\n      },\n      \"Action\": [\n        \"s3:ListBucket\",\n        \"s3:GetBucketLocation\"\n      ],\n      \"Resource\": \"arn:aws:s3:::${var.bucket_name}\"\n    }\n  ]\n}\nEOF\n}\n\nresource \"aws_s3_bucket_request_payment_configuration\" \"cache\" {\n  provider = aws\n  bucket   = aws_s3_bucket.cache.id\n  payer    = \"Requester\"\n}\n\noutput \"bucket\" {\n  value = aws_s3_bucket.cache.bucket\n}\n\noutput \"bucket_domain_name\" {\n  value = aws_s3_bucket.cache.bucket_domain_name\n}\n\noutput \"bucket_regional_domain_name\" {\n  value = aws_s3_bucket.cache.bucket_regional_domain_name\n}\n\noutput \"region\" {\n  value = aws_s3_bucket.cache.region\n}\n"
  },
  {
    "path": "terraform/cache-bucket/providers.tf",
    "content": "terraform {\n  required_providers {\n    aws = {\n      source = \"registry.opentofu.org/hashicorp/aws\"\n    }\n  }\n}\n"
  },
  {
    "path": "terraform/cache-staging/diagnostic.sh",
    "content": "#!/usr/bin/env nix-shell\n#!nix-shell -i bash -p bind.dnsutils -p mtr -p curl -p netcat\n# shellcheck shell=bash\n# impure: needs ping\n#\n# Run this script if you are having issues with cache.nixos.org and paste the\n# output URL in a new issue in the same repo.\n#\n\ndomain=${1:-cache-staging.nixos.org}\n\nrun() {\n  echo \"> $*\"\n  \"$@\" |& sed -e \"s/^/    /\"\n  printf \"Exit: %s\\n\\n\\n\" \"$?\"\n}\n\ncurl_w=\"\ntime_namelookup:    %{time_namelookup}\ntime_connect:       %{time_connect}\ntime_appconnect:    %{time_appconnect}\ntime_pretransfer:   %{time_pretransfer}\ntime_redirect:      %{time_redirect}\ntime_starttransfer: %{time_starttransfer}\ntime_total:         %{time_total}\n\"\n\ncurl_test() {\n  curl -w \"$curl_w\" -v -o /dev/null \"$@\"\n}\n\ntermbin() {\n  url=$(cat | nc termbin.com 9999)\n  echo \"Pasted at: $url\"\n}\n\n(\n  echo \"domain=$domain\"\n  run dig -t A \"$domain\"\n  run ping -c1 \"$domain\"\n  run ping -4 -c1 \"$domain\"\n  run ping -6 -c1 \"$domain\"\n  run mtr -c 20 -w -r \"$domain\"\n  run curl_test -4 \"http://$domain/\"\n  run curl_test -6 \"http://$domain/\"\n  run curl_test -4 \"https://$domain/\"\n  run curl_test -6 \"https://$domain/\"\n  run curl -I -4 \"https://$domain/\"\n  run curl -I -4 \"https://$domain/\"\n  run curl -I -4 \"https://$domain/\"\n  run curl -I -6 \"https://$domain/\"\n  run curl -I -6 \"https://$domain/\"\n  run curl -I -6 \"https://$domain/\"\n) | tee /dev/stderr | termbin\n"
  },
  {
    "path": "terraform/cache-staging/index.html",
    "content": "<!DOCTYPE html>\n<html lang=\"en\">\n  <head>\n    <title>cache-staging.nixos.org is up</title>\n    <meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\n    <meta http-equiv=\"X-UA-Compatible\" content=\"IE=Edge\" />\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n    <link\n      rel=\"stylesheet\"\n      href=\"https://nixos.org/bootstrap/css/bootstrap.min.css\"\n    />\n    <link\n      rel=\"stylesheet\"\n      href=\"https://nixos.org/bootstrap/css/bootstrap-responsive.min.css\"\n    />\n    <style>\n      body {\n        padding-top: 0;\n        margin-top: 4em;\n        margin-bottom: 4em;\n      }\n      body > div {\n        max-width: 800px;\n      }\n      p {\n        text-align: center;\n      }\n      .cache {\n        font-style: italic;\n      }\n    </style>\n  </head>\n  <body>\n    <div class=\"container jumbotron\">\n      <div class=\"jumbotron\">\n        <p class=\"lead\">\n          <a href=\"https://nixos.org/nixos\">\n            <img\n              src=\"https://brand.nixos.org/logos/nixos-logo-default-gradient-black-regular-horizontal-minimal.svg\"\n              width=\"500px\"\n              alt=\"logo\"\n            />\n          </a>\n        </p>\n\n        <p class=\"lead\">\n          <code>https://cache.nixos.org/</code> provides prebuilt binaries for\n          Nixpkgs and NixOS. 
It is used automatically by the Nix package manager\n          to speed up builds.\n        </p>\n      </div>\n      <hr />\n      <div class=\"help\">\n        <p>\n          If you are having trouble, please reach out through one of the\n          <a href=\"https://nixos.org/nixos/support.html\">support channels</a>\n          with the results of\n          <a\n            href=\"https://github.com/NixOS/infra/blob/main/terraform/cache/diagnostic.sh\"\n          >this diagnostics script</a>\n          which will help us figure out where the issue lies.\n        </p>\n        <p>\n          For questions, or support, <a\n            href=\"https://nixos.org/nixos/support.html\"\n          >\n            the support page</a> from the NixOS website describes how to get in\n          touch.\n        </p>\n      </div>\n    </div>\n  </body>\n</html>\n"
  },
  {
    "path": "terraform/cache-staging/new-cache-test-file",
    "content": "new\n"
  },
  {
    "path": "terraform/cache-staging/nix-cache-info",
    "content": "StoreDir: /nix/store\nWantMassQuery: 1\nPriority: 40\n"
  },
  {
    "path": "terraform/cache-staging/old-cache-test-file",
    "content": "old\n"
  },
  {
    "path": "terraform/cache-staging/s3-authn.vcl",
    "content": "# VCL snippet to authenticate Fastly<->S3 requests.\n#\n# https://docs.fastly.com/en/guides/amazon-s3#using-an-amazon-s3-private-bucket\n\nif (req.method == \"GET\" && !req.backend.is_shield && req.backend == ${backend_name}) {\n  set var.awsAccessKey = \"${access_key}\";\n  set var.awsSecretKey = \"${secret_key}\";\n  set var.awsS3Bucket = \"${bucket}\";\n  set var.awsRegion = \"${aws_region}\";   # Change this value to your own data\n  set var.awsS3Host = var.awsS3Bucket \".s3.\" var.awsRegion \".amazonaws.com\";\n\n  set bereq.http.x-amz-content-sha256 = digest.hash_sha256(\"\");\n  set bereq.http.x-amz-date = strftime({\"%Y%m%dT%H%M%SZ\"}, now);\n  set bereq.http.x-amz-request-payer = \"requester\";\n  set bereq.http.host = var.awsS3Host;\n\n  set bereq.url = querystring.remove(bereq.url);\n  set bereq.url = regsuball(urlencode(urldecode(bereq.url.path)), {\"%2F\"}, \"/\");\n  set var.dateStamp = strftime({\"%Y%m%d\"}, now);\n  set var.canonicalHeaders = \"\"\n    \"host:\" bereq.http.host LF\n    \"x-amz-content-sha256:\" bereq.http.x-amz-content-sha256 LF\n    \"x-amz-date:\" bereq.http.x-amz-date LF\n    \"x-amz-request-payer:\" bereq.http.x-amz-request-payer LF\n  ;\n  set var.canonicalQuery = \"\";\n  set var.signedHeaders = \"host;x-amz-content-sha256;x-amz-date;x-amz-request-payer\";\n  set var.canonicalRequest = \"\"\n    \"GET\" LF\n    bereq.url.path LF\n    var.canonicalQuery LF\n    var.canonicalHeaders LF\n    var.signedHeaders LF\n    digest.hash_sha256(\"\")\n  ;\n\n  set var.scope = var.dateStamp \"/\" var.awsRegion \"/s3/aws4_request\";\n\n  set var.stringToSign = \"\"\n    \"AWS4-HMAC-SHA256\" LF\n    bereq.http.x-amz-date LF\n    var.scope LF\n    regsub(digest.hash_sha256(var.canonicalRequest),\"^0x\", \"\")\n  ;\n\n  set var.signature = digest.awsv4_hmac(\n    var.awsSecretKey,\n    var.dateStamp,\n    var.awsRegion,\n    \"s3\",\n    var.stringToSign\n  );\n\n  set bereq.http.Authorization = \"AWS4-HMAC-SHA256 \"\n    
\"Credential=${access_key}/\" var.scope \", \"\n    \"SignedHeaders=\" var.signedHeaders \", \"\n    \"Signature=\" + regsub(var.signature,\"^0x\", \"\")\n  ;\n\n  unset bereq.http.Accept;\n  unset bereq.http.Accept-Language;\n  unset bereq.http.User-Agent;\n  unset bereq.http.Fastly-Client-IP;\n}\n"
  },
  {
    "path": "terraform/cache-staging.tf",
    "content": "locals {\n  cache_staging_domain = \"cache-staging.nixos.org\"\n}\n\n# This is the old bucket we want to archive.\nmodule \"cache-staging-202010\" {\n  source      = \"./cache-bucket\"\n  bucket_name = \"nix-cache-staging\"\n  providers = {\n    aws = aws.us\n  }\n}\n\nimport {\n  to = module.cache-staging-202010.aws_s3_bucket_lifecycle_configuration.cache\n  id = \"nix-cache-staging\"\n}\n\nimport {\n  to = module.cache-staging-202010.aws_s3_bucket_cors_configuration.cache\n  id = \"nix-cache-staging\"\n}\n\n\n# This is the new bucket we want to use in future.\nmodule \"cache-staging-202410\" {\n  source      = \"./cache-bucket\"\n  bucket_name = \"nix-cache-staging-202410\"\n  providers = {\n    # move the new bucket to EU\n    aws = aws\n  }\n}\n\nimport {\n  to = module.cache-staging-202410.aws_s3_bucket_lifecycle_configuration.cache\n  id = \"nix-cache-staging-202410\"\n}\n\nimport {\n  to = module.cache-staging-202410.aws_s3_bucket_cors_configuration.cache\n  id = \"nix-cache-staging-202410\"\n}\n\n# The fastly configuration below will first try the new bucket and than the old bucket.\n# As demonstation we have two files in the buckets:\n# $ curl https://cache-staging.nixos.org/new-cache                                                                                                                                                               │\n# new\n# $ curl https://cache-staging.nixos.org/old-cache\n# old\n\nresource \"aws_s3_object\" \"old-cache-test-file\" {\n  provider   = aws.us\n  depends_on = [module.cache-staging-202010]\n\n  bucket       = module.cache-staging-202010.bucket\n  content_type = \"text/plain\"\n  etag         = filemd5(\"${path.module}/cache-staging/old-cache-test-file\")\n  key          = \"old-cache\"\n  source       = \"${path.module}/cache-staging/old-cache-test-file\"\n}\nresource \"aws_s3_object\" \"new-cache-test-file\" {\n  provider   = aws\n  depends_on = [module.cache-staging-202410]\n\n  bucket       = 
module.cache-staging-202410.bucket\n  content_type = \"text/plain\"\n  etag         = filemd5(\"${path.module}/cache-staging/new-cache-test-file\")\n  key          = \"new-cache\"\n  source       = \"${path.module}/cache-staging/new-cache-test-file\"\n}\n\nresource \"fastly_service_vcl\" \"cache-staging\" {\n  name        = local.cache_staging_domain\n  default_ttl = 86400\n\n  backend {\n    address               = module.cache-staging-202010.bucket_regional_domain_name\n    auto_loadbalance      = false\n    between_bytes_timeout = 10000\n    connect_timeout       = 5000\n    error_threshold       = 0\n    first_byte_timeout    = 15000\n    max_conn              = 200\n    name                  = \"old_bucket\"\n    port                  = 443\n    # For the old bucket we want to use Ashburn as our bucket is in us-east-1\n    shield            = \"iad-va-us\"\n    ssl_cert_hostname = module.cache-staging-202010.bucket_regional_domain_name\n    ssl_check_cert    = true\n    use_ssl           = true\n    weight            = 100\n  }\n\n  backend {\n    address               = module.cache-staging-202410.bucket_regional_domain_name\n    auto_loadbalance      = false\n    between_bytes_timeout = 10000\n    connect_timeout       = 5000\n    error_threshold       = 0\n    first_byte_timeout    = 15000\n    max_conn              = 200\n    name                  = \"new_bucket\"\n    port                  = 443\n    # The new bucket is in EU (eu-west-1)\n    shield            = \"dub-dublin-ie\"\n    ssl_cert_hostname = module.cache-staging-202410.bucket_regional_domain_name\n    ssl_check_cert    = true\n    use_ssl           = true\n\n    # newer bucket has higher priority\n    weight = 200\n  }\n\n  # Temporarily disabled due to nix-index bugs: see https://github.com/nix-community/nix-index/issues/249\n  #request_setting {\n  #  name      = \"Redirect HTTP to HTTPS\"\n  #  force_ssl = true\n  #}\n\n  condition {\n    name      = \"is-404\"\n    priority  = 0\n    
statement = \"beresp.status == 404\"\n    type      = \"CACHE\"\n  }\n\n  condition {\n    name      = \"Match /\"\n    priority  = 10\n    statement = \"req.url ~ \\\"^/$\\\"\"\n    type      = \"REQUEST\"\n  }\n\n  condition {\n    name      = \"Restarts > 0\"\n    type      = \"REQUEST\"\n    priority  = 20\n    statement = \"req.restarts > 0\"\n  }\n\n  domain {\n    name = \"cache-staging.nixos.org\"\n  }\n\n  header {\n    name              = \"Landing page\"\n    request_condition = \"Match /\"\n    ignore_if_set     = false\n    priority          = 10\n    type              = \"request\"\n\n    action      = \"set\"\n    destination = \"url\"\n    source      = \"\\\"/index.html\\\"\"\n\n  }\n\n  header {\n    name              = \"Use old bucket\"\n    request_condition = \"Restarts > 0\"\n    ignore_if_set     = false\n    priority          = 20\n    type              = \"request\"\n\n    action      = \"set\"\n    destination = \"backend\"\n    source      = \"F_old_bucket\"\n  }\n\n  # Clean headers for caching\n  header {\n    destination = \"http.x-amz-request-id\"\n    type        = \"cache\"\n    action      = \"delete\"\n    name        = \"remove x-amz-request-id\"\n  }\n  header {\n    destination = \"http.x-amz-version-id\"\n    type        = \"cache\"\n    action      = \"delete\"\n    name        = \"remove x-amz-version-id\"\n  }\n  header {\n    destination = \"http.x-amz-id-2\"\n    type        = \"cache\"\n    action      = \"delete\"\n    name        = \"remove x-amz-id-2\"\n  }\n\n  # Enable Streaming Miss.\n  # https://docs.fastly.com/en/guides/streaming-miss\n  # https://github.com/NixOS/infra/issues/212#issuecomment-1187568233\n  header {\n    priority    = 20\n    destination = \"do_stream\"\n    type        = \"cache\"\n    action      = \"set\"\n    name        = \"Enabling Streaming Miss\"\n    source      = \"true\"\n  }\n\n  # Allow CORS GET requests.\n  header {\n    destination = \"http.access-control-allow-origin\"\n    type  
      = \"response\"\n    action      = \"set\"\n    name        = \"CORS Allow\"\n    source      = \"\\\"*\\\"\"\n  }\n\n  response_object {\n    name            = \"404-page\"\n    cache_condition = \"is-404\"\n    content         = \"404\"\n    content_type    = \"text/plain\"\n    response        = \"Not Found\"\n    status          = 404\n  }\n\n  snippet {\n    name     = \"Variables for aws s3 auth\"\n    type     = \"miss\"\n    priority = 90\n    content  = <<-EOT\ndeclare local var.awsAccessKey STRING;\ndeclare local var.awsSecretKey STRING;\ndeclare local var.awsS3Bucket STRING;\ndeclare local var.awsRegion STRING;\ndeclare local var.awsS3Host STRING;\n\ndeclare local var.canonicalHeaders STRING;\ndeclare local var.signedHeaders STRING;\ndeclare local var.canonicalRequest STRING;\ndeclare local var.canonicalQuery STRING;\ndeclare local var.stringToSign STRING;\ndeclare local var.dateStamp STRING;\ndeclare local var.signature STRING;\ndeclare local var.scope STRING;\nEOT\n  }\n\n  # Authenticate Fastly<->S3 requests. 
See Fastly documentation:\n  # https://docs.fastly.com/en/guides/amazon-s3#using-an-amazon-s3-private-bucket\n  snippet {\n    name     = \"Authenticate S3 requests for new bucket\"\n    type     = \"miss\"\n    priority = 100\n    content = templatefile(\"${path.module}/cache-staging/s3-authn.vcl\", {\n      backend_name   = \"F_new_bucket\"\n      aws_region     = module.cache-staging-202410.region\n      bucket         = module.cache-staging-202410.bucket\n      backend_domain = module.cache-staging-202410.bucket_domain_name\n      access_key     = local.cache-iam.key\n      secret_key     = local.cache-iam.secret\n    })\n  }\n\n  snippet {\n    name     = \"Authenticate S3 requests for old bucket\"\n    type     = \"miss\"\n    priority = 100\n    content = templatefile(\"${path.module}/cache-staging/s3-authn.vcl\", {\n      backend_name   = \"F_old_bucket\"\n      aws_region     = module.cache-staging-202010.region\n      bucket         = module.cache-staging-202010.bucket\n      backend_domain = module.cache-staging-202010.bucket_domain_name\n      access_key     = local.cache-iam.key\n      secret_key     = local.cache-iam.secret\n    })\n  }\n\n  snippet {\n    content  = \"set req.url = querystring.remove(req.url);\"\n    name     = \"Remove all query strings\"\n    priority = 50\n    type     = \"recv\"\n  }\n\n\n  # Work around the 2GB size limit for large files\n  #\n  # See https://docs.fastly.com/en/guides/segmented-caching\n  snippet {\n    content  = <<-EOT\n      if (req.url.path ~ \"^/nar/\") {\n        set req.enable_segmented_caching = true;\n      }\n    EOT\n    name     = \"Enable segment caching for NAR files\"\n    priority = 60\n    type     = \"recv\"\n  }\n\n  snippet {\n    name     = \"Fallback to old bucket on 403 or return 404\"\n    type     = \"fetch\"\n    priority = 90\n    content  = <<-EOT\n      if (beresp.status == 403) {\n         if (req.backend == F_new_bucket) {\n           restart;\n         } else {\n           set 
beresp.status = 404;\n         }\n      }\n    EOT\n  }\n\n  # We will switch to this snippet once we retire the old bucket instead of the fallback above\n  #snippet {\n  #  name     = \"Return 404 on 403\"\n  #  type     = \"fetch\"\n  #  priority = 90\n  #  content  = <<-EOT\n  #    if (beresp.status == 403) {\n  #      set beresp.status = 404;\n  #    }\n  #  EOT\n  #}\n\n  # Add a snippet to set a custom header based on the backend used\n  snippet {\n    name     = \"Set-Backend-Header\"\n    type     = \"deliver\"\n    priority = 70\n    content  = <<-EOT\n      if (req.backend == F_old_bucket) {\n        set resp.http.X-Bucket = \"${module.cache-staging-202010.bucket}\";\n      } else if (req.backend == F_new_bucket) {\n        set resp.http.X-Bucket = \"${module.cache-staging-202410.bucket}\";\n      }\n    EOT\n  }\n\n  logging_s3 {\n    name              = \"${local.cache_staging_domain}-to-s3\"\n    bucket_name       = local.fastlylogs[\"bucket_name\"]\n    compression_codec = \"zstd\"\n    domain            = local.fastlylogs[\"s3_domain\"]\n    format            = local.fastlylogs[\"format\"]\n    format_version    = 2\n    path              = \"${local.cache_staging_domain}/\"\n    period            = local.fastlylogs[\"period\"]\n    message_type      = \"blank\"\n    s3_iam_role       = local.fastlylogs[\"iam_role_arn\"]\n  }\n}\n\nresource \"fastly_tls_subscription\" \"cache-staging-2025-11\" {\n  domains               = [for domain in fastly_service_vcl.cache-staging.domain : domain.name]\n  configuration_id      = local.fastly_tls13_quic_configuration_id\n  certificate_authority = \"lets-encrypt\"\n}\n"
  },
  {
    "path": "terraform/cache.tf",
    "content": "locals {\n  cache_domain = \"cache.nixos.org\"\n}\n\nresource \"aws_s3_bucket\" \"cache\" {\n  provider = aws.us\n  bucket   = \"nix-cache\"\n}\n\nresource \"aws_s3_bucket_versioning\" \"cache\" {\n  provider = aws.us\n  bucket   = aws_s3_bucket.cache.id\n  versioning_configuration {\n    status = \"Enabled\"\n  }\n}\n\nresource \"aws_s3_bucket_lifecycle_configuration\" \"cache\" {\n  provider = aws.us\n  bucket   = aws_s3_bucket.cache.id\n\n  depends_on = [aws_s3_bucket_versioning.cache]\n\n  transition_default_minimum_object_size = \"varies_by_storage_class\"\n\n  rule {\n    id     = \"Infrequent Access\"\n    status = \"Enabled\"\n\n    filter {\n      prefix = \"\"\n    }\n\n    transition {\n      days          = 365\n      storage_class = \"STANDARD_IA\"\n    }\n  }\n\n  # We delete no-current versions after 30 days\n  rule {\n    id     = \"Non-current Versions\"\n    status = \"Enabled\"\n\n    noncurrent_version_expiration {\n      noncurrent_days = 30\n    }\n  }\n}\n\nimport {\n  to = aws_s3_bucket_lifecycle_configuration.cache\n  id = aws_s3_bucket.cache.id\n}\n\nresource \"aws_s3_bucket_cors_configuration\" \"cache\" {\n  provider = aws.us\n  bucket   = aws_s3_bucket.cache.id\n  cors_rule {\n    allowed_headers = [\"Authorization\"]\n    allowed_methods = [\"GET\"]\n    allowed_origins = [\"*\"]\n    max_age_seconds = 3000\n  }\n}\n\nimport {\n  to = aws_s3_bucket_cors_configuration.cache\n  id = aws_s3_bucket.cache.id\n}\n\nresource \"aws_s3_bucket_object\" \"cache-nix-cache-info\" {\n  provider = aws.us\n\n  acl          = \"public-read\"\n  bucket       = aws_s3_bucket.cache.bucket\n  content_type = \"text/x-nix-cache-info\"\n  etag         = filemd5(\"${path.module}/cache/nix-cache-info\")\n  key          = \"nix-cache-info\"\n  source       = \"${path.module}/cache/nix-cache-info\"\n}\n\nresource \"aws_s3_bucket_object\" \"cache-index-html\" {\n  provider = aws.us\n\n  acl          = \"public-read\"\n  bucket       = 
aws_s3_bucket.cache.bucket\n  content_type = \"text/html\"\n  etag         = filemd5(\"${path.module}/cache/index.html\")\n  key          = \"index.html\"\n  source       = \"${path.module}/cache/index.html\"\n}\n\nresource \"aws_s3_bucket_policy\" \"cache\" {\n  provider = aws.us\n  bucket   = aws_s3_bucket.cache.id\n\n  # imported from existing\n  policy = <<EOF\n{\n  \"Version\": \"2008-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"AllowPublicRead\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"*\"\n      },\n      \"Action\": \"s3:GetObject\",\n      \"Resource\": \"arn:aws:s3:::nix-cache/*\"\n    },\n    {\n      \"Sid\": \"AllowUploadDebuginfoWrite\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::080433136561:user/s3-upload-releases\"\n      },\n      \"Action\": [\n        \"s3:PutObject\",\n        \"s3:PutObjectAcl\"\n      ],\n      \"Resource\": \"arn:aws:s3:::nix-cache/debuginfo/*\"\n    },\n    {\n      \"Sid\": \"AllowUploadDebuginfoRead\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::080433136561:user/s3-upload-releases\"\n      },\n      \"Action\": \"s3:GetObject\",\n      \"Resource\": \"arn:aws:s3:::nix-cache/*\"\n    },\n    {\n      \"Sid\": \"AllowUploadDebuginfoRead2\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::080433136561:user/s3-upload-releases\"\n      },\n      \"Action\": [\n        \"s3:ListBucket\",\n        \"s3:GetBucketLocation\"\n      ],\n      \"Resource\": \"arn:aws:s3:::nix-cache\"\n    }\n  ]\n}\nEOF\n}\n\nresource \"aws_s3_bucket_request_payment_configuration\" \"cache\" {\n  provider = aws.us\n  bucket   = aws_s3_bucket.cache.id\n  payer    = \"Requester\"\n}\n\nresource \"fastly_service_vcl\" \"cache\" {\n  name        = local.cache_domain\n  default_ttl = 86400\n\n  backend {\n    address               = \"s3.amazonaws.com\"\n    auto_loadbalance      = 
false\n    between_bytes_timeout = 10000\n    connect_timeout       = 5000\n    error_threshold       = 0\n    first_byte_timeout    = 15000\n    max_conn              = 200\n    name                  = \"s3.amazonaws.com\"\n    override_host         = aws_s3_bucket.cache.bucket_domain_name\n    port                  = 443\n    shield                = \"iad-va-us\"\n    ssl_cert_hostname     = \"s3.amazonaws.com\"\n    ssl_check_cert        = true\n    use_ssl               = true\n    weight                = 100\n  }\n\n  request_setting {\n    name      = \"Redirect HTTP to HTTPS\"\n    force_ssl = true\n  }\n\n  condition {\n    name      = \"is-404\"\n    priority  = 0\n    statement = \"beresp.status == 404\"\n    type      = \"CACHE\"\n  }\n\n  condition {\n    name      = \"Match /\"\n    priority  = 10\n    statement = \"req.url ~ \\\"^/$\\\"\"\n    type      = \"REQUEST\"\n  }\n\n  domain {\n    name = \"cache.nixos.org\"\n  }\n\n  header {\n    action            = \"set\"\n    destination       = \"url\"\n    ignore_if_set     = false\n    name              = \"Landing page\"\n    priority          = 10\n    request_condition = \"Match /\"\n    source            = \"\\\"/index.html\\\"\"\n    type              = \"request\"\n  }\n\n  # Clean headers for caching\n  header {\n    destination = \"http.x-amz-request-id\"\n    type        = \"cache\"\n    action      = \"delete\"\n    name        = \"remove x-amz-request-id\"\n  }\n  header {\n    destination = \"http.x-amz-version-id\"\n    type        = \"cache\"\n    action      = \"delete\"\n    name        = \"remove x-amz-version-id\"\n  }\n  header {\n    destination = \"http.x-amz-id-2\"\n    type        = \"cache\"\n    action      = \"delete\"\n    name        = \"remove x-amz-id-2\"\n  }\n\n  # Enable Streaming Miss.\n  # https://docs.fastly.com/en/guides/streaming-miss\n  # https://github.com/NixOS/infra/issues/212#issuecomment-1187568233\n  header {\n    priority    = 20\n    destination = 
\"do_stream\"\n    type        = \"cache\"\n    action      = \"set\"\n    name        = \"Enabling Streaming Miss\"\n    source      = \"true\"\n  }\n\n  # Allow CORS GET requests.\n  header {\n    destination = \"http.access-control-allow-origin\"\n    type        = \"response\"\n    action      = \"set\"\n    name        = \"CORS Allow\"\n    source      = \"\\\"*\\\"\"\n  }\n\n  response_object {\n    name            = \"404-page\"\n    cache_condition = \"is-404\"\n    content         = \"404\"\n    content_type    = \"text/plain\"\n    response        = \"Not Found\"\n    status          = 404\n  }\n\n  # Authenticate Fastly<->S3 requests. See Fastly documentation:\n  # https://docs.fastly.com/en/guides/amazon-s3#using-an-amazon-s3-private-bucket\n  snippet {\n    name     = \"Authenticate S3 requests\"\n    type     = \"miss\"\n    priority = 100\n    content = templatefile(\"${path.module}/cache/s3-authn.vcl\", {\n      aws_region     = aws_s3_bucket.cache.region\n      backend_domain = aws_s3_bucket.cache.bucket_domain_name\n      access_key     = local.cache-iam.key\n      secret_key     = local.cache-iam.secret\n    })\n  }\n\n  snippet {\n    content  = \"set req.url = querystring.remove(req.url);\"\n    name     = \"Remove all query strings\"\n    priority = 50\n    type     = \"recv\"\n  }\n\n  # Work around the 2GB size limit for large files\n  #\n  # See https://docs.fastly.com/en/guides/segmented-caching\n  snippet {\n    content  = <<-EOT\n      if (req.url.path ~ \"^/nar/\") {\n        set req.enable_segmented_caching = true;\n      }\n    EOT\n    name     = \"Enable segment caching for NAR files\"\n    priority = 60\n    type     = \"recv\"\n  }\n\n  snippet {\n    name     = \"cache-errors\"\n    content  = <<-EOT\n      if (beresp.status == 403) {\n        set beresp.status = 404;\n      }\n    EOT\n    priority = 100\n    type     = \"fetch\"\n  }\n\n  logging_s3 {\n    name              = \"${local.cache_domain}-to-s3\"\n    bucket_name     
  = local.fastlylogs[\"bucket_name\"]\n    compression_codec = \"zstd\"\n    domain            = local.fastlylogs[\"s3_domain\"]\n    format            = local.fastlylogs[\"format\"]\n    format_version    = 2\n    path              = \"${local.cache_domain}/\"\n    period            = local.fastlylogs[\"period\"]\n    message_type      = \"blank\"\n    s3_iam_role       = local.fastlylogs[\"iam_role_arn\"]\n  }\n}\n\nresource \"fastly_tls_subscription\" \"cache-2025-11\" {\n  domains               = [for domain in fastly_service_vcl.cache.domain : domain.name]\n  configuration_id      = local.fastly_tls13_quic_configuration_id\n  certificate_authority = \"lets-encrypt\"\n}\n\noutput \"cache-managed_dns_challenge\" {\n  value = fastly_tls_subscription.cache-2025-11.managed_dns_challenges\n}\n"
  },
  {
    "path": "terraform/cache_inventory.tf",
    "content": "# Get the list of files from the cache\nresource \"aws_s3_bucket\" \"cache_inventory\" {\n  provider = aws.us\n  bucket   = \"nix-cache-inventory\"\n}\n\nresource \"aws_s3_bucket_lifecycle_configuration\" \"cache_inventory\" {\n  provider = aws.us\n  bucket   = aws_s3_bucket.cache_inventory.id\n\n  transition_default_minimum_object_size = \"varies_by_storage_class\"\n\n  rule {\n    id     = \"tf-s3-lifecycle-20231017200421961900000001\"\n    status = \"Enabled\"\n\n    filter {\n      prefix = \"\"\n    }\n\n    # Only keep the last 30 days\n    expiration {\n      days = 30\n    }\n  }\n}\n\nimport {\n  to = aws_s3_bucket_lifecycle_configuration.cache_inventory\n  id = aws_s3_bucket.cache_inventory.id\n}\n\nresource \"aws_s3_bucket_inventory\" \"cache_inventory\" {\n  provider = aws.us\n\n  bucket = aws_s3_bucket.cache.id\n  name   = \"nix-cache-inventory\"\n\n  included_object_versions = \"Current\"\n\n  optional_fields = [\n    \"ETag\",\n    \"LastModifiedDate\",\n    \"Size\",\n    \"StorageClass\",\n  ]\n\n  schedule {\n    frequency = \"Daily\"\n  }\n\n  destination {\n    bucket {\n      account_id = \"080433136561\"\n      format     = \"Parquet\"\n      bucket_arn = aws_s3_bucket.cache_inventory.arn\n    }\n  }\n}\n"
  },
  {
    "path": "terraform/cache_log.tf",
    "content": "resource \"aws_s3_bucket\" \"cache_log\" {\n  provider = aws.us\n\n  bucket = \"nix-cache-log\"\n}\n\nresource \"aws_s3_bucket_logging\" \"cache_log\" {\n  provider = aws.us\n\n  bucket = aws_s3_bucket.cache.id\n\n  target_bucket = aws_s3_bucket.cache_log.id\n  target_prefix = \"log/\"\n}\n\nresource \"aws_s3_bucket_lifecycle_configuration\" \"cache_log\" {\n  provider = aws.us\n\n  bucket = aws_s3_bucket.cache_log.id\n\n  rule {\n    id     = \"rule-1\"\n    status = \"Enabled\"\n\n    filter {\n      prefix = \"\"\n    }\n\n    expiration {\n      days = \"30\"\n    }\n  }\n}\n\ndata \"aws_iam_policy_document\" \"cache_log\" {\n  statement {\n    sid = \"AWSLogDeliveryWrite\"\n\n    principals {\n      type        = \"Service\"\n      identifiers = [\"delivery.logs.amazonaws.com\"]\n    }\n\n    effect = \"Allow\"\n\n    actions = [\n      \"s3:PutObject\",\n    ]\n\n    resources = [\n      \"${aws_s3_bucket.cache_log.arn}/*\",\n    ]\n\n    condition {\n      test     = \"StringEquals\"\n      variable = \"s3:x-amz-acl\"\n      values   = [\"bucket-owner-full-control\"]\n    }\n  }\n\n  statement {\n    sid = \"AWSLogDeliveryAclCheck\"\n\n    effect = \"Allow\"\n\n    principals {\n      type        = \"Service\"\n      identifiers = [\"delivery.logs.amazonaws.com\"]\n    }\n\n    actions = [\n      \"s3:GetBucketAcl\",\n    ]\n\n    resources = [\n      aws_s3_bucket.cache_log.arn,\n    ]\n  }\n\n  statement {\n    sid    = \"S3PolicyStmt-DO-NOT-MODIFY-1699369618664\"\n    effect = \"Allow\"\n\n    principals {\n      type        = \"Service\"\n      identifiers = [\"logging.s3.amazonaws.com\"]\n    }\n\n    actions = [\"s3:PutObject\"]\n\n    resources = [\n      \"${aws_s3_bucket.cache_log.arn}/*\",\n    ]\n  }\n}\n\nresource \"aws_s3_bucket_policy\" \"cache_log\" {\n  provider = aws.us\n\n  bucket = aws_s3_bucket.cache_log.id\n  policy = data.aws_iam_policy_document.cache_log.json\n}\n"
  },
  {
    "path": "terraform/channels.tf",
    "content": "locals {\n  channels_domain = \"channels.nixos.org\"\n\n  channels_index = templatefile(\"${path.module}/s3_listing.html.tpl\", {\n    bucket_name    = aws_s3_bucket.channels.bucket\n    bucket_url     = \"https://${aws_s3_bucket.channels.bucket_domain_name}\"\n    bucket_website = \"https://${local.channels_domain}\"\n  })\n\n  # Use the website endpoint because the bucket is configured with website\n  # enabled. This also means we can't use TLS between Fastly and AWS because\n  # the website endpoint only has port 80 open.\n  channels_backend = \"nix-channels.s3-website-us-east-1.amazonaws.com\"\n  # TODO: Uncomment this once has been applied once. This is to work around fastly bug https://github.com/fastly/terraform-provider-fastly/issues/884\n  # channels_backend = aws_s3_bucket_website_configuration.channels.website_endpoint\n}\n\nresource \"aws_s3_bucket\" \"channels\" {\n  provider = aws.us\n  bucket   = \"nix-channels\"\n}\n\nresource \"aws_s3_bucket_website_configuration\" \"channels\" {\n  provider = aws.us\n  bucket   = aws_s3_bucket.channels.id\n\n  index_document {\n    suffix = \"index.html\"\n  }\n}\n\nimport {\n  to = aws_s3_bucket_website_configuration.channels\n  id = aws_s3_bucket.channels.id\n}\n\nresource \"aws_s3_bucket_cors_configuration\" \"channels\" {\n  provider = aws.us\n  bucket   = aws_s3_bucket.channels.id\n\n  cors_rule {\n    allowed_headers = [\"*\"]\n    allowed_methods = [\"HEAD\", \"GET\"]\n    allowed_origins = [\"*\"]\n    expose_headers  = [\"ETag\"]\n    max_age_seconds = 3600\n  }\n}\n\nimport {\n  to = aws_s3_bucket_cors_configuration.channels\n  id = aws_s3_bucket.channels.id\n\n}\n\nresource \"aws_s3_bucket_object\" \"channels-index-html\" {\n  provider = aws.us\n\n  acl          = \"public-read\"\n  bucket       = aws_s3_bucket.channels.bucket\n  content_type = \"text/html\"\n  etag         = md5(local.channels_index)\n  key          = \"index.html\"\n  content      = local.channels_index\n}\n\nresource 
\"aws_s3_bucket_policy\" \"channels\" {\n  provider = aws.us\n  bucket   = aws_s3_bucket.channels.id\n  policy   = <<EOF\n{\n  \"Version\": \"2008-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"AllowPublicRead\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"*\"\n      },\n      \"Action\": \"s3:GetObject\",\n      \"Resource\": \"arn:aws:s3:::nix-channels/*\"\n    },\n    {\n      \"Sid\": \"AllowPublicList\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"*\"\n      },\n      \"Action\": [\n        \"s3:ListBucket\",\n        \"s3:GetBucketLocation\"\n      ],\n      \"Resource\": \"arn:aws:s3:::nix-channels\"\n    },\n    {\n      \"Sid\": \"AllowUpload\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": [\n          \"arn:aws:iam::080433136561:user/s3-upload-releases\",\n          \"arn:aws:iam::065343343465:user/nixos-s3-upload-releases\"\n        ]\n      },\n      \"Action\": [\n        \"s3:PutObject\",\n        \"s3:PutObjectAcl\"\n      ],\n      \"Resource\": \"arn:aws:s3:::nix-channels/*\"\n    }\n  ]\n}\nEOF\n}\n\nresource \"fastly_service_vcl\" \"channels\" {\n  name        = local.channels_domain\n  default_ttl = 3600\n\n  backend {\n    address           = local.channels_backend\n    auto_loadbalance  = false\n    connect_timeout   = 5000\n    name              = local.channels_backend\n    override_host     = local.channels_backend\n    request_condition = \"not-flake-registry\"\n    shield            = \"iad-va-us\"\n  }\n\n  backend {\n    # https://github.com/NixOS/flake-registry/raw/master/flake-registry.json\n    name              = \"flake-registry\"\n    address           = \"raw.githubusercontent.com\"\n    auto_loadbalance  = false\n    override_host     = \"raw.githubusercontent.com\"\n    port              = 443\n    use_ssl           = true\n    ssl_check_cert    = false\n    request_condition = \"flake-registry\"\n  }\n\n  request_setting {\n    name   
   = \"Redirect HTTP to HTTPS\"\n    force_ssl = true\n  }\n\n  condition {\n    name      = \"Match /\"\n    priority  = 10\n    statement = \"req.url ~ \\\"^/$\\\"\"\n    type      = \"REQUEST\"\n  }\n\n  condition {\n    name      = \"not-flake-registry\"\n    statement = \"req.url != \\\"/NixOS/flake-registry/master/flake-registry.json\\\"\"\n    type      = \"REQUEST\"\n  }\n\n  condition {\n    name      = \"flake-registry\"\n    statement = \"req.url == \\\"/NixOS/flake-registry/master/flake-registry.json\\\"\"\n    type      = \"REQUEST\"\n  }\n\n  domain {\n    name = local.channels_domain\n  }\n\n  header {\n    action            = \"set\"\n    destination       = \"url\"\n    ignore_if_set     = false\n    name              = \"Landing page\"\n    priority          = 10\n    request_condition = \"Match /\"\n    source            = \"\\\"/index.html\\\"\"\n    type              = \"request\"\n  }\n\n  # Clean headers for caching\n  header {\n    destination = \"http.x-amz-request-id\"\n    type        = \"cache\"\n    action      = \"delete\"\n    name        = \"remove x-amz-request-id\"\n  }\n  header {\n    destination = \"http.x-amz-version-id\"\n    type        = \"cache\"\n    action      = \"delete\"\n    name        = \"remove x-amz-version-id\"\n  }\n  header {\n    destination = \"http.x-amz-id-2\"\n    type        = \"cache\"\n    action      = \"delete\"\n    name        = \"remove x-amz-id-2\"\n  }\n\n  # Allow CORS GET requests.\n  header {\n    destination = \"http.access-control-allow-origin\"\n    type        = \"cache\"\n    action      = \"set\"\n    name        = \"CORS Allow\"\n    source      = \"\\\"*\\\"\"\n  }\n\n  snippet {\n    content  = \"set req.url = querystring.remove(req.url);\"\n    name     = \"Remove all query strings\"\n    priority = 50\n    type     = \"recv\"\n  }\n\n  snippet {\n    content  = <<-EOT\n      if (beresp.status == 403) {\n        set beresp.status = 404;\n        set beresp.ttl = 86400s;\n        set 
beresp.grace = 0s;\n        set beresp.cacheable = true;\n      }\n      if (req.url ~ \"/flake-registry.json\") {\n        set beresp.stale_if_error = 1000000s;\n      }\n    EOT\n    name     = \"Change 403 from S3 to 404\"\n    priority = 100\n    type     = \"fetch\"\n  }\n\n  snippet {\n    name    = \"flake-registry\"\n    content = <<-EOT\n      if (req.url == \"/flake-registry.json\") {\n        set req.url = \"/NixOS/flake-registry/master/flake-registry.json\";\n      }\n    EOT\n    type    = \"recv\"\n  }\n\n  snippet {\n    content = <<-EOT\n      # S3 object-level redirects can only be 301s. We use them to point\n      # \"latest\" versions of various channel/release artifacts to the correct\n      # location. First, mark these redirects as temporary. Second, disable\n      # caching, since some of the artifacts need to have matching versions\n      # (e.g. a .iso and its checksum), which is near-impossible to guarantee\n      # with caching unless we explicitly perform invalidations.\n      #\n      # Note: we need to match on 301s and 302s here, since Fastly has multiple\n      # layers, and otherwise a redirect might still get cached at the second\n      # layer after the first layer turned a 301 into a 302.\n      #\n      # Additionally, this also implements the \"Lockable HTTP Tarball Protocol\"\n      # to use nixexprs.tar.xz with Flakes and have it locked properly.\n      if (beresp.status == 301 || beresp.status == 302) {\n        set beresp.status = 302;\n        set beresp.ttl = 0s;\n        set beresp.grace = 0s;\n        set beresp.cacheable = false;\n        if (req.backend.is_origin && std.suffixof(bereq.url, \"/nixexprs.tar.xz\")) {\n          # pass redirect location into special flake \"immutable tarball\" header\n          set beresp.http.link = \"<\" + beresp.http.location + {\">; rel=\"immutable\"\"};\n          # clear query string from redirect destination as precaution in case\n          # legacy consumers can't handle flake 
attributes like \"?rev=\" in it\n          set beresp.http.location = querystring.remove(beresp.http.location);\n        }\n        return (pass);\n      }\n    EOT\n    name    = \"Change 301 from S3 to 302\"\n    # Keep close to last, since it conditionally returns.\n    priority = 999\n    type     = \"fetch\"\n  }\n\n  logging_s3 {\n    name              = \"${local.channels_domain}-to-s3\"\n    bucket_name       = local.fastlylogs[\"bucket_name\"]\n    compression_codec = \"zstd\"\n    domain            = local.fastlylogs[\"s3_domain\"]\n    format            = local.fastlylogs[\"format\"]\n    format_version    = 2\n    path              = \"${local.channels_domain}/\"\n    period            = local.fastlylogs[\"period\"]\n    message_type      = \"blank\"\n    s3_iam_role       = local.fastlylogs[\"iam_role_arn\"]\n  }\n}\n\nresource \"fastly_tls_subscription\" \"channels-2025-11\" {\n  domains               = [for domain in fastly_service_vcl.channels.domain : domain.name]\n  configuration_id      = local.fastly_tls13_quic_configuration_id\n  certificate_authority = \"lets-encrypt\"\n}\n\noutput \"channels-managed_dns_challenge\" {\n  value = fastly_tls_subscription.channels-2025-11.managed_dns_challenges\n}\n"
  },
  {
    "path": "terraform/flake-module.nix",
    "content": "{\n  perSystem =\n    { pkgs, ... }:\n    {\n      devShells.terraform = pkgs.mkShellNoCC {\n        packages = [\n          pkgs.awscli2\n          (pkgs.opentofu.withPlugins (\n            plugin: with plugin; [\n              hashicorp_aws\n              fastly_fastly\n              aegirhealth_netlify\n              numtide_secret\n            ]\n          ))\n        ];\n      };\n    };\n}\n"
  },
  {
    "path": "terraform/locals.tf",
    "content": "locals {\n  fastly_customer_id = \"1RhOVUmKLBjCFTU4i9Cekx\"\n\n  # TLS v1.2, protocols HTTP/1.1 and HTTP/2\n  fastly_tls12_sni_configuration_id = \"5PXBTa6c01Xoh54ylNwmVA\"\n\n  # TLS1.2 and 1.3+0RTT, HTTP/1.1, HTTP/2 and HTTP/3\n  fastly_tls13_quic_configuration_id = \"oZPSgSiY0PM8sNTAAyOZHw\"\n\n  cache-iam  = data.terraform_remote_state.terraform-iam.outputs.cache\n  fastlylogs = data.terraform_remote_state.terraform-iam.outputs.fastlylogs\n\n  # fastlylogs = {\n  #   bucket_name = \"fastly-logs-20220622145016462800000001\"\n  #   iam_role_arn = \"arn:aws:iam::080433136561:role/system/FastlyLogForwarder\"\n  #   period = 3600\n  #   format = \"{\\\"asn\\\": %%{client.as.number}V,\\\"elapsed_usec\\\": %%{json.escape(time.elapsed.usec)}V,\\\"fastly_is_edge\\\": %%{if(fastly.ff.visits_this_service == 0, \\\"true\\\", \\\"false\\\")}V,\\\"fastly_server\\\": \\\"%%{json.escape(server.identity)}V\\\",\\\"geo_country\\\": \\\"%%{json.escape(client.geo.country_name)}V\\\",\\\"geo_region\\\": \\\"%%{json.escape(client.geo.region.utf8)}V\\\",\\\"geo_speed\\\": \\\"%%{json.escape(client.geo.conn_speed)}V\\\",\\\"host\\\": \\\"%%{json.escape(if(req.http.Fastly-Orig-Host, req.http.Fastly-Orig-Host, req.http.Host))}V\\\",\\\"request_method\\\": \\\"%%{json.escape(req.method)}V\\\",\\\"request_protocol\\\": \\\"%%{json.escape(req.proto)}V\\\",\\\"request_referer\\\": \\\"%%{json.escape(req.http.referer)}V\\\",\\\"request_size\\\": %%{json.escape(req.bytes_read)}V,\\\"request_user_agent\\\": \\\"%%{json.escape(req.http.User-Agent)}V\\\",\\\"response_body_size\\\": %%{resp.body_bytes_written}V,\\\"response_reason\\\": %%{if(resp.response, \\\"%22\\\"+json.escape(resp.response)+\\\"%22\\\", \\\"null\\\")}V,\\\"response_state\\\": \\\"%%{json.escape(fastly_info.state)}V\\\",\\\"response_status\\\": \\\"%%{resp.status}V\\\",\\\"timestamp\\\": \\\"%%{strftime(\\\\{\\\"%Y-%m-%dT%H:%M:%S%z\\\"\\\\}, time.start)}V\\\",\\\"tls_client_cipher\\\": 
\\\"%%{json.escape(if(tls.client.cipher, tls.client.cipher, \\\"null\\\"))}V\\\",\\\"tls_client_protocol\\\": \\\"%%{json.escape(if(tls.client.protocol, tls.client.protocol, \\\"null\\\"))}V\\\",\\\"url\\\": \\\"%%{json.escape(req.url)}V\\\"}\"\n  #   s3_domain = \"s3.eu-west-1.amazonaws.com\"\n  # }\n}\n"
  },
  {
    "path": "terraform/netlify_sites.tf",
    "content": "# This file contains all of the websites that we host using Netlify.\n\nresource \"netlify_deploy_key\" \"key\" {}\n\nresource \"netlify_site\" \"nix-dev\" {\n  name          = \"nix-dev\"\n  custom_domain = \"nix.dev\"\n\n  repo {\n    provider    = \"github\"\n    repo_path   = \"NixOS/nix.dev\"\n    repo_branch = \"master\"\n  }\n}\n\nresource \"netlify_site\" \"nixos-common-styles\" {\n  name          = \"nixos-common-styles\"\n  custom_domain = \"common-styles.nixos.org\"\n\n  repo {\n    provider    = \"github\"\n    repo_path   = \"NixOS/nixos-common-styles\"\n    repo_branch = \"main\"\n  }\n}\n\nresource \"netlify_site\" \"nixos-status\" {\n  name          = \"nixos-status\"\n  custom_domain = \"status.nixos.org\"\n\n  repo {\n    provider    = \"github\"\n    repo_path   = \"NixOS/nixos-status\"\n    repo_branch = \"main\"\n  }\n}\n\nresource \"netlify_site\" \"nixos-planet\" {\n  name          = \"nixos-planet\"\n  custom_domain = \"planet.nixos.org\"\n\n  repo {\n    provider    = \"github\"\n    repo_path   = \"NixOS/nixos-planet\"\n    repo_branch = \"master\"\n  }\n}\n\nresource \"netlify_site\" \"nixos-search\" {\n  name          = \"nixos-search\"\n  custom_domain = \"search.nixos.org\"\n\n  repo {\n    provider    = \"github\"\n    repo_path   = \"NixOS/nixos-search\"\n    repo_branch = \"master\"\n  }\n}\n\nresource \"netlify_site\" \"nixos-homepage\" {\n  name          = \"nixos-homepage\"\n  custom_domain = \"nixos.org\"\n\n  repo {\n    deploy_key_id = netlify_deploy_key.key.id\n    provider      = \"github\"\n    repo_path     = \"NixOS/nixos-homepage\"\n    repo_branch   = \"master\"\n  }\n}\n"
  },
  {
    "path": "terraform/nixpkgs-tarballs/index.html",
    "content": "<!DOCTYPE html>\n<html lang=\"en\">\n  <head>\n    <title>tarballs.nixos.org is up</title>\n    <meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\n    <meta http-equiv=\"X-UA-Compatible\" content=\"IE=Edge\" />\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n    <link\n      rel=\"stylesheet\"\n      href=\"https://nixos.org/bootstrap/css/bootstrap.min.css\"\n    />\n    <link\n      rel=\"stylesheet\"\n      href=\"https://nixos.org/bootstrap/css/bootstrap-responsive.min.css\"\n    />\n    <style>\n      body {\n        padding-top: 0;\n        margin-top: 4em;\n        margin-bottom: 4em;\n      }\n      body > div {\n        max-width: 800px;\n      }\n      p {\n        text-align: center;\n      }\n      .cache {\n        font-style: italic;\n      }\n    </style>\n  </head>\n  <body>\n    <div class=\"container jumbotron\">\n      <div class=\"jumbotron\">\n        <p class=\"lead\">\n          <a href=\"https://nixos.org/nixos\">\n            <img\n              src=\"https://brand.nixos.org/logos/nixos-logo-default-gradient-black-regular-horizontal-minimal.svg\"\n              width=\"500px\"\n              alt=\"logo\"\n            />\n          </a>\n        </p>\n\n        <p class=\"lead\">\n          <code>https://tarballs.nixos.org/</code> provides content-addressable\n          binaries for Nixpkgs and NixOS. 
These are mainly used to bootstrap the\n          various stdenvs.\n        </p>\n      </div>\n      <hr />\n      <div class=\"help\">\n        <p>\n          If you are having trouble, please reach out through one of the <a\n            href=\"https://nixos.org/nixos/support.html\"\n          >support channels</a>\n          with the results of <a\n            href=\"https://github.com/NixOS/infra/blob/main/terraform/cache/diagnostic.sh\"\n          >this diagnostics script</a>\n          which will help us figure out where the issue lies.\n        </p>\n        <p>\n          For questions or support, <a\n            href=\"https://nixos.org/nixos/support.html\"\n          >\n            the support page</a> from the NixOS website describes how to get in\n          touch.\n        </p>\n      </div>\n    </div>\n  </body>\n</html>\n"
  },
  {
    "path": "terraform/nixpkgs-tarballs.tf",
    "content": "locals {\n  tarballs_domain = \"tarballs.nixos.org\"\n  # Use the website endpoint because the bucket is configured with website\n  # enabled. This also means we can't use TLS between Fastly and AWS because\n  # the website endpoint only has port 80 open.\n  tarballs_backend = \"nixpkgs-tarballs.s3-website-eu-west-1.amazonaws.com\"\n  # TODO: Uncomment this once has been applied once. This is to work around fastly bug https://github.com/fastly/terraform-provider-fastly/issues/884\n  # tarballs_backend = aws_s3_bucket_website_configuration.nixpkgs-tarballs.website_endpoint\n}\n\nresource \"aws_s3_bucket\" \"nixpkgs-tarballs\" {\n  bucket = \"nixpkgs-tarballs\"\n}\n\nresource \"aws_s3_bucket_website_configuration\" \"nixpkgs-tarballs\" {\n  bucket = aws_s3_bucket.nixpkgs-tarballs.id\n  index_document {\n    suffix = \"index.html\"\n  }\n}\n\nimport {\n  to = aws_s3_bucket_website_configuration.nixpkgs-tarballs\n  id = aws_s3_bucket.nixpkgs-tarballs.id\n}\n\nresource \"aws_s3_bucket_policy\" \"nixpkgs-tarballs\" {\n  bucket = aws_s3_bucket.nixpkgs-tarballs.id\n\n  # imported from existing\n  policy = <<EOF\n{\n  \"Version\": \"2008-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"AllowPublicRead\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"*\"\n      },\n      \"Action\": \"s3:GetObject\",\n      \"Resource\": \"arn:aws:s3:::nixpkgs-tarballs/*\"\n    },\n    {\n      \"Sid\": \"AllowUpload\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::080433136561:user/s3-upload-tarballs\"\n      },\n      \"Action\": [\n        \"s3:PutObject\",\n        \"s3:PutObjectAcl\"\n      ],\n      \"Resource\": \"arn:aws:s3:::nixpkgs-tarballs/*\"\n    },\n    {\n      \"Sid\": \"AllowUpload2\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::080433136561:user/s3-upload-tarballs\"\n      },\n      \"Action\": \"s3:ListBucket\",\n      \"Resource\": 
\"arn:aws:s3:::nixpkgs-tarballs\"\n    },\n    {\n      \"Sid\": \"CopumpkinAllowUpload\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::390897850978:root\"\n      },\n      \"Action\": [\n        \"s3:PutObject\",\n        \"s3:PutObjectAcl\"\n      ],\n      \"Resource\": \"arn:aws:s3:::nixpkgs-tarballs/*\"\n    },\n    {\n      \"Sid\": \"CopumpkinAllowUpload2\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::390897850978:root\"\n      },\n      \"Action\": \"s3:ListBucket\",\n      \"Resource\": \"arn:aws:s3:::nixpkgs-tarballs\"\n    },\n    {\n      \"Sid\": \"ShlevyAllowUpload\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::976576280863:user/shlevy\"\n      },\n      \"Action\": [\n        \"s3:PutObject\",\n        \"s3:PutObjectAcl\"\n      ],\n      \"Resource\": \"arn:aws:s3:::nixpkgs-tarballs/*\"\n    },\n    {\n      \"Sid\": \"ShlevyAllowUpload2\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::976576280863:user/shlevy\"\n      },\n      \"Action\": \"s3:ListBucket\",\n      \"Resource\": \"arn:aws:s3:::nixpkgs-tarballs\"\n    },\n    {\n      \"Sid\": \"DaiderdAllowUpload\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::014292808257:user/lnl7\"\n      },\n      \"Action\": [\n        \"s3:PutObject\",\n        \"s3:PutObjectAcl\"\n      ],\n      \"Resource\": \"arn:aws:s3:::nixpkgs-tarballs/*\"\n    },\n    {\n      \"Sid\": \"DaiderdAllowUpload2\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::014292808257:user/lnl7\"\n      },\n      \"Action\": \"s3:ListBucket\",\n      \"Resource\": \"arn:aws:s3:::nixpkgs-tarballs\"\n    },\n    {\n      \"Sid\": \"LovesegfaultAllowUpload\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::839273551904:root\"\n      },\n      
\"Action\": [\n        \"s3:PutObject\",\n        \"s3:PutObjectAcl\"\n      ],\n      \"Resource\": \"arn:aws:s3:::nixpkgs-tarballs/*\"\n    },\n    {\n      \"Sid\": \"LovesegfaultAllowUpload2\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::839273551904:root\"\n      },\n      \"Action\": \"s3:ListBucket\",\n      \"Resource\": \"arn:aws:s3:::nixpkgs-tarballs\"\n    }\n  ]\n}\nEOF\n}\n\nresource \"aws_s3_bucket_object\" \"nixpkgs-tarballs-index\" {\n  bucket       = aws_s3_bucket.nixpkgs-tarballs.id\n  content_type = \"text/html\"\n  etag         = filemd5(\"${path.module}/nixpkgs-tarballs/index.html\")\n  key          = \"index.html\"\n  source       = \"${path.module}/nixpkgs-tarballs/index.html\"\n}\n\nresource \"fastly_service_vcl\" \"nixpkgs-tarballs\" {\n  name        = local.tarballs_domain\n  default_ttl = 86400\n\n  backend {\n    address               = local.tarballs_backend\n    auto_loadbalance      = false\n    between_bytes_timeout = 10000\n    connect_timeout       = 5000\n    error_threshold       = 0\n    first_byte_timeout    = 15000\n    max_conn              = 200\n    name                  = local.tarballs_backend\n    override_host         = local.tarballs_backend\n    port                  = 80\n    shield                = \"dub-dublin-ie\"\n    use_ssl               = false\n    weight                = 100\n  }\n\n  request_setting {\n    name      = \"Redirect HTTP to HTTPS\"\n    force_ssl = true\n  }\n\n  condition {\n    name      = \"Generated by synthetic response for 404 page\"\n    priority  = 0\n    statement = \"beresp.status == 404\"\n    type      = \"CACHE\"\n  }\n\n  condition {\n    name      = \"Match /\"\n    priority  = 10\n    statement = \"req.url ~ \\\"^/$\\\"\"\n    type      = \"REQUEST\"\n  }\n\n  domain {\n    name = local.tarballs_domain\n  }\n\n  header {\n    action            = \"set\"\n    destination       = \"url\"\n    ignore_if_set     = false\n    name            
  = \"Landing page\"\n    priority          = 10\n    request_condition = \"Match /\"\n    source            = \"\\\"/index.html\\\"\"\n    type              = \"request\"\n  }\n\n  # Clean headers for caching\n  header {\n    destination = \"http.x-amz-request-id\"\n    type        = \"cache\"\n    action      = \"delete\"\n    name        = \"remove x-amz-request-id\"\n  }\n  header {\n    destination = \"http.x-amz-version-id\"\n    type        = \"cache\"\n    action      = \"delete\"\n    name        = \"remove x-amz-version-id\"\n  }\n  header {\n    destination = \"http.x-amz-id-2\"\n    type        = \"cache\"\n    action      = \"delete\"\n    name        = \"remove x-amz-id-2\"\n  }\n\n  # Allow CORS GET requests.\n  header {\n    destination = \"http.access-control-allow-origin\"\n    type        = \"cache\"\n    action      = \"set\"\n    name        = \"CORS Allow\"\n    source      = \"\\\"*\\\"\"\n  }\n\n  response_object {\n    cache_condition = \"Generated by synthetic response for 404 page\"\n    content         = \"404\"\n    content_type    = \"text/html\"\n    name            = \"Generated by synthetic response for 404 page\"\n    response        = \"Not Found\"\n    status          = 404\n  }\n\n  snippet {\n    content  = \"set req.url = querystring.remove(req.url);\"\n    name     = \"Remove all query strings\"\n    priority = 50\n    type     = \"recv\"\n  }\n\n  snippet {\n    content  = <<-EOT\n      if (beresp.status == 403) {\n        set beresp.status = 404;\n        set beresp.ttl = 86400s;\n        set beresp.grace = 0s;\n        set beresp.cacheable = true;\n      }\n    EOT\n    name     = \"Change 403 from S3 to 404\"\n    priority = 100\n    type     = \"fetch\"\n  }\n\n  logging_s3 {\n    name              = \"${local.tarballs_domain}-to-s3\"\n    bucket_name       = local.fastlylogs[\"bucket_name\"]\n    compression_codec = \"zstd\"\n    domain            = local.fastlylogs[\"s3_domain\"]\n    format            = 
local.fastlylogs[\"format\"]\n    format_version    = 2\n    path              = \"${local.tarballs_domain}/\"\n    period            = local.fastlylogs[\"period\"]\n    message_type      = \"blank\"\n    s3_iam_role       = local.fastlylogs[\"iam_role_arn\"]\n  }\n}\n\nresource \"fastly_tls_subscription\" \"nixpkgs-tarballs-2025-11\" {\n  domains               = [for domain in fastly_service_vcl.nixpkgs-tarballs.domain : domain.name]\n  configuration_id      = local.fastly_tls13_quic_configuration_id\n  certificate_authority = \"lets-encrypt\"\n}\n\noutput \"nixpkgs-tarballs-managed_dns_challenge\" {\n  value = fastly_tls_subscription.nixpkgs-tarballs-2025-11.managed_dns_challenges\n}\n\n# Create an S3 bucket for CloudTrail logs\nresource \"aws_s3_bucket\" \"nixpkgs-tarballs-cloudtrail-logs\" {\n  bucket = \"nixpkgs-tarballs-cloudtrail-logs\"\n  # We can potentially make this public for transparency?\n  # But first I want to see what the logs look like.\n  acl = \"private\"\n}\n\nresource \"aws_s3_bucket_versioning\" \"nixpkgs-tarballs-cloudtrail-logs\" {\n  bucket = aws_s3_bucket.nixpkgs-tarballs-cloudtrail-logs.id\n  versioning_configuration {\n    status = \"Enabled\"\n  }\n}\n\n\nimport {\n  to = aws_s3_bucket_versioning.nixpkgs-tarballs-cloudtrail-logs\n  id = aws_s3_bucket.nixpkgs-tarballs-cloudtrail-logs.id\n}\n\n# Attach a policy to the CloudTrail logs S3 bucket\ndata \"aws_iam_policy_document\" \"nixpkgs-tarballs-cloudtrail-logs-policy\" {\n  statement {\n    sid    = \"AWSCloudTrailAclCheck\"\n    effect = \"Allow\"\n\n    principals {\n      type        = \"Service\"\n      identifiers = [\"cloudtrail.amazonaws.com\"]\n    }\n\n    actions   = [\"s3:GetBucketAcl\"]\n    resources = [aws_s3_bucket.nixpkgs-tarballs-cloudtrail-logs.arn]\n    condition {\n      test     = \"StringEquals\"\n      variable = \"aws:SourceArn\"\n      values   = 
[\"arn:${data.aws_partition.current.partition}:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/nixpkgs-tarballs\"]\n    }\n  }\n\n  statement {\n    sid    = \"AWSCloudTrailWrite\"\n    effect = \"Allow\"\n\n    principals {\n      type        = \"Service\"\n      identifiers = [\"cloudtrail.amazonaws.com\"]\n    }\n\n    actions   = [\"s3:PutObject\"]\n    resources = [\"${aws_s3_bucket.nixpkgs-tarballs-cloudtrail-logs.arn}/*\"]\n\n    condition {\n      test     = \"StringEquals\"\n      variable = \"s3:x-amz-acl\"\n      values   = [\"bucket-owner-full-control\"]\n    }\n    condition {\n      test     = \"StringEquals\"\n      variable = \"aws:SourceArn\"\n      values   = [\"arn:${data.aws_partition.current.partition}:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/nixpkgs-tarballs\"]\n    }\n  }\n}\n\ndata \"aws_caller_identity\" \"current\" {}\ndata \"aws_partition\" \"current\" {}\ndata \"aws_region\" \"current\" {}\n\nresource \"aws_s3_bucket_policy\" \"nixpkgs-tarballs-cloudtrail-logs-policy\" {\n  bucket = aws_s3_bucket.nixpkgs-tarballs-cloudtrail-logs.id\n  policy = data.aws_iam_policy_document.nixpkgs-tarballs-cloudtrail-logs-policy.json\n}\n\n# Create a CloudTrail\nresource \"aws_cloudtrail\" \"nixpkgs-tarballs\" {\n  name                       = \"nixpkgs-tarballs\"\n  s3_bucket_name             = aws_s3_bucket.nixpkgs-tarballs-cloudtrail-logs.bucket\n  enable_log_file_validation = true\n  depends_on = [\n    aws_s3_bucket_policy.nixpkgs-tarballs-cloudtrail-logs-policy\n  ]\n  # You must specify a log group and a role ARN.\n\n  event_selector {\n    read_write_type           = \"WriteOnly\"\n    include_management_events = false\n\n    data_resource {\n      type   = \"AWS::S3::Object\"\n      values = [\"arn:aws:s3:::${aws_s3_bucket.nixpkgs-tarballs.bucket}/\"]\n    }\n  }\n}\n"
  },
  {
    "path": "terraform/providers.tf",
    "content": "provider \"aws\" {\n  region  = \"eu-west-1\"\n  profile = \"nixos-prod\"\n\n  ignore_tags {\n    keys = [\"nixos-cost-tag\"]\n  }\n}\n\nprovider \"aws\" {\n  alias   = \"us\"\n  region  = \"us-east-1\"\n  profile = \"nixos-prod\"\n\n  ignore_tags {\n    keys = [\"nixos-cost-tag\"]\n  }\n}\n\nprovider \"fastly\" {}\n\n# Create a token at https://app.netlify.com/user/applications/personal\n# and then import it with:\n# - terraform state rm secret_resource.netlify_token\n# - terraform import secret_resource.netlify_token <TOKEN>\n# The token is passed on the command line and is kept in the Terraform state,\n# so keep it out of shell history and restrict who can read the state.\nresource \"secret_resource\" \"netlify_token\" {\n  lifecycle { prevent_destroy = true }\n}\n\nprovider \"netlify\" {\n  token = secret_resource.netlify_token.value\n}\n"
  },
  {
    "path": "terraform/releases.tf",
    "content": "locals {\n  releases_domain = \"releases.nixos.org\"\n\n  releases_index = templatefile(\"${path.module}/s3_listing.html.tpl\", {\n    bucket_name    = aws_s3_bucket.releases.bucket\n    bucket_url     = \"https://${aws_s3_bucket.releases.bucket_domain_name}\"\n    bucket_website = \"https://${local.releases_domain}\"\n  })\n\n  releases_backend = \"nix-releases.s3-eu-west-1.amazonaws.com\"\n}\n\nresource \"aws_s3_bucket\" \"releases\" {\n  bucket = \"nix-releases\"\n}\n\nresource \"aws_s3_bucket_lifecycle_configuration\" \"releases\" {\n  bucket = aws_s3_bucket.releases.id\n\n\n  transition_default_minimum_object_size = \"varies_by_storage_class\"\n  rule {\n    id     = \"tf-s3-lifecycle-20230907091915137900000001\"\n    status = \"Enabled\"\n\n    filter {\n      prefix = \"\"\n    }\n\n    transition {\n      days          = 365\n      storage_class = \"STANDARD_IA\"\n    }\n  }\n}\n\nimport {\n  id = aws_s3_bucket.releases.id\n  to = aws_s3_bucket_lifecycle_configuration.releases\n}\n\nresource \"aws_s3_bucket_cors_configuration\" \"releases\" {\n  bucket = aws_s3_bucket.releases.id\n\n  cors_rule {\n    allowed_headers = [\"*\"]\n    allowed_methods = [\"HEAD\", \"GET\"]\n    allowed_origins = [\"*\"]\n    expose_headers  = [\"ETag\"]\n    max_age_seconds = 3600\n  }\n}\n\nimport {\n  to = aws_s3_bucket_cors_configuration.releases\n  id = aws_s3_bucket.releases.id\n}\n\nresource \"aws_s3_bucket_object\" \"releases-index-html\" {\n  acl          = \"public-read\"\n  bucket       = aws_s3_bucket.releases.bucket\n  content_type = \"text/html\"\n  etag         = md5(local.releases_index)\n  key          = \"index.html\"\n  content      = local.releases_index\n}\n\nresource \"aws_s3_bucket_policy\" \"releases\" {\n  bucket = aws_s3_bucket.releases.id\n  policy = <<EOF\n{\n  \"Version\": \"2008-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"AllowPublicRead\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"*\"\n      
},\n      \"Action\": \"s3:GetObject\",\n      \"Resource\": \"arn:aws:s3:::nix-releases/*\"\n    },\n    {\n      \"Sid\": \"AllowPublicList\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"*\"\n      },\n      \"Action\": [\n        \"s3:ListBucket\",\n        \"s3:GetBucketLocation\"\n      ],\n      \"Resource\": \"arn:aws:s3:::nix-releases\"\n    },\n    {\n      \"Sid\": \"AllowUpload\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": [\n          \"arn:aws:iam::080433136561:user/s3-upload-releases\",\n          \"arn:aws:iam::065343343465:user/nixos-s3-upload-releases\"\n        ]\n      },\n      \"Action\": [\n        \"s3:PutObject\",\n        \"s3:PutObjectAcl\"\n      ],\n      \"Resource\": \"arn:aws:s3:::nix-releases/*\"\n    }\n  ]\n}\nEOF\n}\n\nresource \"fastly_service_vcl\" \"releases\" {\n  name        = local.releases_domain\n  default_ttl = 86400\n\n  backend {\n    address               = local.releases_backend\n    auto_loadbalance      = false\n    between_bytes_timeout = 10000\n    connect_timeout       = 5000\n    error_threshold       = 0\n    first_byte_timeout    = 15000\n    max_conn              = 200\n    name                  = local.releases_backend\n    override_host         = local.releases_backend\n    port                  = 443\n    shield                = \"dub-dublin-ie\"\n    ssl_cert_hostname     = local.releases_backend\n    ssl_check_cert        = true\n    use_ssl               = true\n    weight                = 100\n  }\n\n  request_setting {\n    name      = \"Redirect HTTP to HTTPS\"\n    force_ssl = true\n  }\n\n  condition {\n    name      = \"Generated by synthetic response for 404 page\"\n    priority  = 0\n    statement = \"beresp.status == 404\"\n    type      = \"CACHE\"\n  }\n\n  condition {\n    name      = \"Match /\"\n    priority  = 10\n    statement = \"req.url ~ \\\"^/$\\\"\"\n    type      = \"REQUEST\"\n  }\n\n  domain {\n    name = 
local.releases_domain\n  }\n\n  header {\n    action            = \"set\"\n    destination       = \"url\"\n    ignore_if_set     = false\n    name              = \"Landing page\"\n    priority          = 10\n    request_condition = \"Match /\"\n    source            = \"\\\"/index.html\\\"\"\n    type              = \"request\"\n  }\n\n  # Clean headers for caching\n  header {\n    destination = \"http.x-amz-request-id\"\n    type        = \"cache\"\n    action      = \"delete\"\n    name        = \"remove x-amz-request-id\"\n  }\n  header {\n    destination = \"http.x-amz-version-id\"\n    type        = \"cache\"\n    action      = \"delete\"\n    name        = \"remove x-amz-version-id\"\n  }\n  header {\n    destination = \"http.x-amz-id-2\"\n    type        = \"cache\"\n    action      = \"delete\"\n    name        = \"remove x-amz-id-2\"\n  }\n\n  # Allow CORS GET requests.\n  header {\n    destination = \"http.access-control-allow-origin\"\n    type        = \"cache\"\n    action      = \"set\"\n    name        = \"CORS Allow\"\n    source      = \"\\\"*\\\"\"\n  }\n\n  response_object {\n    cache_condition = \"Generated by synthetic response for 404 page\"\n    content         = \"404\"\n    content_type    = \"text/html\"\n    name            = \"Generated by synthetic response for 404 page\"\n    response        = \"Not Found\"\n    status          = 404\n  }\n\n  snippet {\n    content  = \"set req.url = querystring.remove(req.url);\"\n    name     = \"Remove all query strings\"\n    priority = 50\n    type     = \"recv\"\n  }\n\n  # Work around the 2GB size limit for large files\n  #\n  # See https://docs.fastly.com/en/guides/segmented-caching\n  snippet {\n    content  = <<-EOT\n      if (req.url.path ~ \"^/nixos/\") {\n        set req.enable_segmented_caching = true;\n      }\n    EOT\n    name     = \"Enable segment caching for ISOs and friends\"\n    priority = 60\n    type     = \"recv\"\n  }\n\n  snippet {\n    content  = <<-EOT\n      if 
(beresp.status == 403) {\n        set beresp.status = 404;\n        set beresp.ttl = 86400s;\n        set beresp.grace = 0s;\n        set beresp.cacheable = true;\n      }\n    EOT\n    name     = \"Change 403 from S3 to 404\"\n    priority = 100\n    type     = \"fetch\"\n  }\n\n  logging_s3 {\n    name              = \"${local.releases_domain}-to-s3\"\n    bucket_name       = local.fastlylogs[\"bucket_name\"]\n    compression_codec = \"zstd\"\n    domain            = local.fastlylogs[\"s3_domain\"]\n    format            = local.fastlylogs[\"format\"]\n    format_version    = 2\n    path              = \"${local.releases_domain}/\"\n    period            = local.fastlylogs[\"period\"]\n    message_type      = \"blank\"\n    s3_iam_role       = local.fastlylogs[\"iam_role_arn\"]\n  }\n}\n\nresource \"fastly_tls_subscription\" \"releases-2025-11\" {\n  domains               = [for domain in fastly_service_vcl.releases.domain : domain.name]\n  configuration_id      = local.fastly_tls13_quic_configuration_id\n  certificate_authority = \"lets-encrypt\"\n}\n\noutput \"releases-managed_dns_challenge\" {\n  value = fastly_tls_subscription.releases-2025-11.managed_dns_challenges\n}\n"
  },
  {
    "path": "terraform/releases_inventory.tf",
    "content": "# Get the list of files from the releases bucket: this bucket receives the\n# daily S3 inventory reports configured below.\nresource \"aws_s3_bucket\" \"releases_inventory\" {\n  bucket_prefix = \"nix-releases-inventory2\"\n}\n\nresource \"aws_s3_bucket_lifecycle_configuration\" \"releases_inventory\" {\n  bucket = aws_s3_bucket.releases_inventory.id\n\n  transition_default_minimum_object_size = \"varies_by_storage_class\"\n\n  rule {\n    id     = \"tf-s3-lifecycle-20231029182032300100000002\"\n    status = \"Enabled\"\n\n    filter {\n      prefix = \"\"\n    }\n\n    expiration {\n      days = 30\n    }\n  }\n}\n\nimport {\n  to = aws_s3_bucket_lifecycle_configuration.releases_inventory\n  id = aws_s3_bucket.releases_inventory.id\n}\n\nresource \"aws_s3_bucket_inventory\" \"releases_inventory\" {\n  bucket = aws_s3_bucket.releases.id\n  name   = \"nix-releases-inventory\"\n\n  included_object_versions = \"Current\"\n\n  optional_fields = [\n    \"ETag\",\n    \"LastModifiedDate\",\n    \"Size\",\n    \"StorageClass\",\n  ]\n\n  schedule {\n    frequency = \"Daily\"\n  }\n\n  destination {\n    bucket {\n      account_id = \"080433136561\"\n      format     = \"Parquet\"\n      bucket_arn = aws_s3_bucket.releases_inventory.arn\n    }\n  }\n}\n"
  },
  {
    "path": "terraform/s3_listing.html.tpl",
    "content": "<!DOCTYPE html>\n<html>\n<head>\n  <title>Channels for NixOS project(s)</title>\n</head>\n<body>\n  <div id=\"navigation\"></div>\n  <div id=\"listing\"></div>\n\n  <!-- jQuery v3.1.1 | (c) jQuery Foundation | jquery.org/license -->\n  <script type=\"text/javascript\">!function(a,b){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error(\"jQuery requires a window with a document\");return b(a)}:b(a)}(\"undefined\"!=typeof window?window:this,function(a,b){\"use strict\";var c=[],d=a.document,e=Object.getPrototypeOf,f=c.slice,g=c.concat,h=c.push,i=c.indexOf,j={},k=j.toString,l=j.hasOwnProperty,m=l.toString,n=m.call(Object),o={};function p(a,b){b=b||d;var c=b.createElement(\"script\");c.text=a,b.head.appendChild(c).parentNode.removeChild(c)}var q=\"3.1.1\",r=function(a,b){return new r.fn.init(a,b)},s=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g,t=/^-ms-/,u=/-([a-z])/g,v=function(a,b){return b.toUpperCase()};r.fn=r.prototype={jquery:q,constructor:r,length:0,toArray:function(){return f.call(this)},get:function(a){return null==a?f.call(this):a<0?this[a+this.length]:this[a]},pushStack:function(a){var b=r.merge(this.constructor(),a);return b.prevObject=this,b},each:function(a){return r.each(this,a)},map:function(a){return this.pushStack(r.map(this,function(b,c){return a.call(b,c,b)}))},slice:function(){return this.pushStack(f.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(a){var b=this.length,c=+a+(a<0?b:0);return this.pushStack(c>=0&&c<b?[this[c]]:[])},end:function(){return this.prevObject||this.constructor()},push:h,sort:c.sort,splice:c.splice},r.extend=r.fn.extend=function(){var a,b,c,d,e,f,g=arguments[0]||{},h=1,i=arguments.length,j=!1;for(\"boolean\"==typeof g&&(j=g,g=arguments[h]||{},h++),\"object\"==typeof g||r.isFunction(g)||(g={}),h===i&&(g=this,h--);h<i;h++)if(null!=(a=arguments[h]))for(b in 
a)c=g[b],d=a[b],g!==d&&(j&&d&&(r.isPlainObject(d)||(e=r.isArray(d)))?(e?(e=!1,f=c&&r.isArray(c)?c:[]):f=c&&r.isPlainObject(c)?c:{},g[b]=r.extend(j,f,d)):void 0!==d&&(g[b]=d));return g},r.extend({expando:\"jQuery\"+(q+Math.random()).replace(/\\D/g,\"\"),isReady:!0,error:function(a){throw new Error(a)},noop:function(){},isFunction:function(a){return\"function\"===r.type(a)},isArray:Array.isArray,isWindow:function(a){return null!=a&&a===a.window},isNumeric:function(a){var b=r.type(a);return(\"number\"===b||\"string\"===b)&&!isNaN(a-parseFloat(a))},isPlainObject:function(a){var b,c;return!(!a||\"[object Object]\"!==k.call(a))&&(!(b=e(a))||(c=l.call(b,\"constructor\")&&b.constructor,\"function\"==typeof c&&m.call(c)===n))},isEmptyObject:function(a){var b;for(b in a)return!1;return!0},type:function(a){return null==a?a+\"\":\"object\"==typeof a||\"function\"==typeof a?j[k.call(a)]||\"object\":typeof a},globalEval:function(a){p(a)},camelCase:function(a){return a.replace(t,\"ms-\").replace(u,v)},nodeName:function(a,b){return a.nodeName&&a.nodeName.toLowerCase()===b.toLowerCase()},each:function(a,b){var c,d=0;if(w(a)){for(c=a.length;d<c;d++)if(b.call(a[d],d,a[d])===!1)break}else for(d in a)if(b.call(a[d],d,a[d])===!1)break;return a},trim:function(a){return null==a?\"\":(a+\"\").replace(s,\"\")},makeArray:function(a,b){var c=b||[];return null!=a&&(w(Object(a))?r.merge(c,\"string\"==typeof a?[a]:a):h.call(c,a)),c},inArray:function(a,b,c){return null==b?-1:i.call(b,a,c)},merge:function(a,b){for(var c=+b.length,d=0,e=a.length;d<c;d++)a[e++]=b[d];return a.length=e,a},grep:function(a,b,c){for(var d,e=[],f=0,g=a.length,h=!c;f<g;f++)d=!b(a[f],f),d!==h&&e.push(a[f]);return e},map:function(a,b,c){var d,e,f=0,h=[];if(w(a))for(d=a.length;f<d;f++)e=b(a[f],f,c),null!=e&&h.push(e);else for(f in a)e=b(a[f],f,c),null!=e&&h.push(e);return g.apply([],h)},guid:1,proxy:function(a,b){var c,d,e;if(\"string\"==typeof b&&(c=a[b],b=a,a=c),r.isFunction(a))return 
d=f.call(arguments,2),e=function(){return a.apply(b||this,d.concat(f.call(arguments)))},e.guid=a.guid=a.guid||r.guid++,e},now:Date.now,support:o}),\"function\"==typeof Symbol&&(r.fn[Symbol.iterator]=c[Symbol.iterator]),r.each(\"Boolean Number String Function Array Date RegExp Object Error Symbol\".split(\" \"),function(a,b){j[\"[object \"+b+\"]\"]=b.toLowerCase()});function w(a){var b=!!a&&\"length\"in a&&a.length,c=r.type(a);return\"function\"!==c&&!r.isWindow(a)&&(\"array\"===c||0===b||\"number\"==typeof b&&b>0&&b-1 in a)}var x=function(a){var b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u=\"sizzle\"+1*new Date,v=a.document,w=0,x=0,y=ha(),z=ha(),A=ha(),B=function(a,b){return a===b&&(l=!0),0},C={}.hasOwnProperty,D=[],E=D.pop,F=D.push,G=D.push,H=D.slice,I=function(a,b){for(var c=0,d=a.length;c<d;c++)if(a[c]===b)return c;return-1},J=\"checked|selected|async|autofocus|autoplay|controls|defer|disabled|hidden|ismap|loop|multiple|open|readonly|required|scoped\",K=\"[\\\\x20\\\\t\\\\r\\\\n\\\\f]\",L=\"(?:\\\\\\\\.|[\\\\w-]|[^\\0-\\\\xa0])+\",M=\"\\\\[\"+K+\"*(\"+L+\")(?:\"+K+\"*([*^$|!~]?=)\"+K+\"*(?:'((?:\\\\\\\\.|[^\\\\\\\\'])*)'|\\\"((?:\\\\\\\\.|[^\\\\\\\\\\\"])*)\\\"|(\"+L+\"))|)\"+K+\"*\\\\]\",N=\":(\"+L+\")(?:\\\\((('((?:\\\\\\\\.|[^\\\\\\\\'])*)'|\\\"((?:\\\\\\\\.|[^\\\\\\\\\\\"])*)\\\")|((?:\\\\\\\\.|[^\\\\\\\\()[\\\\]]|\"+M+\")*)|.*)\\\\)|)\",O=new RegExp(K+\"+\",\"g\"),P=new RegExp(\"^\"+K+\"+|((?:^|[^\\\\\\\\])(?:\\\\\\\\.)*)\"+K+\"+$\",\"g\"),Q=new RegExp(\"^\"+K+\"*,\"+K+\"*\"),R=new RegExp(\"^\"+K+\"*([>+~]|\"+K+\")\"+K+\"*\"),S=new RegExp(\"=\"+K+\"*([^\\\\]'\\\"]*?)\"+K+\"*\\\\]\",\"g\"),T=new RegExp(N),U=new RegExp(\"^\"+L+\"$\"),V={ID:new RegExp(\"^#(\"+L+\")\"),CLASS:new RegExp(\"^\\\\.(\"+L+\")\"),TAG:new RegExp(\"^(\"+L+\"|[*])\"),ATTR:new RegExp(\"^\"+M),PSEUDO:new RegExp(\"^\"+N),CHILD:new 
RegExp(\"^:(only|first|last|nth|nth-last)-(child|of-type)(?:\\\\(\"+K+\"*(even|odd|(([+-]|)(\\\\d*)n|)\"+K+\"*(?:([+-]|)\"+K+\"*(\\\\d+)|))\"+K+\"*\\\\)|)\",\"i\"),bool:new RegExp(\"^(?:\"+J+\")$\",\"i\"),needsContext:new RegExp(\"^\"+K+\"*[>+~]|:(even|odd|eq|gt|lt|nth|first|last)(?:\\\\(\"+K+\"*((?:-\\\\d)?\\\\d*)\"+K+\"*\\\\)|)(?=[^-]|$)\",\"i\")},W=/^(?:input|select|textarea|button)$/i,X=/^h\\d$/i,Y=/^[^{]+\\{\\s*\\[native \\w/,Z=/^(?:#([\\w-]+)|(\\w+)|\\.([\\w-]+))$/,$=/[+~]/,_=new RegExp(\"\\\\\\\\([\\\\da-f]{1,6}\"+K+\"?|(\"+K+\")|.)\",\"ig\"),aa=function(a,b,c){var d=\"0x\"+b-65536;return d!==d||c?b:d<0?String.fromCharCode(d+65536):String.fromCharCode(d>>10|55296,1023&d|56320)},ba=/([\\0-\\x1f\\x7f]|^-?\\d)|^-$|[^\\0-\\x1f\\x7f-\\uFFFF\\w-]/g,ca=function(a,b){return b?\"\\0\"===a?\"\\ufffd\":a.slice(0,-1)+\"\\\\\"+a.charCodeAt(a.length-1).toString(16)+\" \":\"\\\\\"+a},da=function(){m()},ea=ta(function(a){return a.disabled===!0&&(\"form\"in a||\"label\"in a)},{dir:\"parentNode\",next:\"legend\"});try{G.apply(D=H.call(v.childNodes),v.childNodes),D[v.childNodes.length].nodeType}catch(fa){G={apply:D.length?function(a,b){F.apply(a,H.call(b))}:function(a,b){var c=a.length,d=0;while(a[c++]=b[d++]);a.length=c-1}}}function ga(a,b,d,e){var f,h,j,k,l,o,r,s=b&&b.ownerDocument,w=b?b.nodeType:9;if(d=d||[],\"string\"!=typeof a||!a||1!==w&&9!==w&&11!==w)return d;if(!e&&((b?b.ownerDocument||b:v)!==n&&m(b),b=b||n,p)){if(11!==w&&(l=Z.exec(a)))if(f=l[1]){if(9===w){if(!(j=b.getElementById(f)))return d;if(j.id===f)return d.push(j),d}else if(s&&(j=s.getElementById(f))&&t(b,j)&&j.id===f)return d.push(j),d}else{if(l[2])return G.apply(d,b.getElementsByTagName(a)),d;if((f=l[3])&&c.getElementsByClassName&&b.getElementsByClassName)return G.apply(d,b.getElementsByClassName(f)),d}if(c.qsa&&!A[a+\" \"]&&(!q||!q.test(a))){if(1!==w)s=b,r=a;else 
if(\"object\"!==b.nodeName.toLowerCase()){(k=b.getAttribute(\"id\"))?k=k.replace(ba,ca):b.setAttribute(\"id\",k=u),o=g(a),h=o.length;while(h--)o[h]=\"#\"+k+\" \"+sa(o[h]);r=o.join(\",\"),s=$.test(a)&&qa(b.parentNode)||b}if(r)try{return G.apply(d,s.querySelectorAll(r)),d}catch(x){}finally{k===u&&b.removeAttribute(\"id\")}}}return i(a.replace(P,\"$1\"),b,d,e)}function ha(){var a=[];function b(c,e){return a.push(c+\" \")>d.cacheLength&&delete b[a.shift()],b[c+\" \"]=e}return b}function ia(a){return a[u]=!0,a}function ja(a){var b=n.createElement(\"fieldset\");try{return!!a(b)}catch(c){return!1}finally{b.parentNode&&b.parentNode.removeChild(b),b=null}}function ka(a,b){var c=a.split(\"|\"),e=c.length;while(e--)d.attrHandle[c[e]]=b}function la(a,b){var c=b&&a,d=c&&1===a.nodeType&&1===b.nodeType&&a.sourceIndex-b.sourceIndex;if(d)return d;if(c)while(c=c.nextSibling)if(c===b)return-1;return a?1:-1}function ma(a){return function(b){var c=b.nodeName.toLowerCase();return\"input\"===c&&b.type===a}}function na(a){return function(b){var c=b.nodeName.toLowerCase();return(\"input\"===c||\"button\"===c)&&b.type===a}}function oa(a){return function(b){return\"form\"in b?b.parentNode&&b.disabled===!1?\"label\"in b?\"label\"in b.parentNode?b.parentNode.disabled===a:b.disabled===a:b.isDisabled===a||b.isDisabled!==!a&&ea(b)===a:b.disabled===a:\"label\"in b&&b.disabled===a}}function pa(a){return ia(function(b){return b=+b,ia(function(c,d){var e,f=a([],c.length,b),g=f.length;while(g--)c[e=f[g]]&&(c[e]=!(d[e]=c[e]))})})}function qa(a){return a&&\"undefined\"!=typeof a.getElementsByTagName&&a}c=ga.support={},f=ga.isXML=function(a){var b=a&&(a.ownerDocument||a).documentElement;return!!b&&\"HTML\"!==b.nodeName},m=ga.setDocument=function(a){var b,e,g=a?a.ownerDocument||a:v;return 
g!==n&&9===g.nodeType&&g.documentElement?(n=g,o=n.documentElement,p=!f(n),v!==n&&(e=n.defaultView)&&e.top!==e&&(e.addEventListener?e.addEventListener(\"unload\",da,!1):e.attachEvent&&e.attachEvent(\"onunload\",da)),c.attributes=ja(function(a){return a.className=\"i\",!a.getAttribute(\"className\")}),c.getElementsByTagName=ja(function(a){return a.appendChild(n.createComment(\"\")),!a.getElementsByTagName(\"*\").length}),c.getElementsByClassName=Y.test(n.getElementsByClassName),c.getById=ja(function(a){return o.appendChild(a).id=u,!n.getElementsByName||!n.getElementsByName(u).length}),c.getById?(d.filter.ID=function(a){var b=a.replace(_,aa);return function(a){return a.getAttribute(\"id\")===b}},d.find.ID=function(a,b){if(\"undefined\"!=typeof b.getElementById&&p){var c=b.getElementById(a);return c?[c]:[]}}):(d.filter.ID=function(a){var b=a.replace(_,aa);return function(a){var c=\"undefined\"!=typeof a.getAttributeNode&&a.getAttributeNode(\"id\");return c&&c.value===b}},d.find.ID=function(a,b){if(\"undefined\"!=typeof b.getElementById&&p){var c,d,e,f=b.getElementById(a);if(f){if(c=f.getAttributeNode(\"id\"),c&&c.value===a)return[f];e=b.getElementsByName(a),d=0;while(f=e[d++])if(c=f.getAttributeNode(\"id\"),c&&c.value===a)return[f]}return[]}}),d.find.TAG=c.getElementsByTagName?function(a,b){return\"undefined\"!=typeof b.getElementsByTagName?b.getElementsByTagName(a):c.qsa?b.querySelectorAll(a):void 0}:function(a,b){var c,d=[],e=0,f=b.getElementsByTagName(a);if(\"*\"===a){while(c=f[e++])1===c.nodeType&&d.push(c);return d}return f},d.find.CLASS=c.getElementsByClassName&&function(a,b){if(\"undefined\"!=typeof b.getElementsByClassName&&p)return b.getElementsByClassName(a)},r=[],q=[],(c.qsa=Y.test(n.querySelectorAll))&&(ja(function(a){o.appendChild(a).innerHTML=\"<a id='\"+u+\"'></a><select id='\"+u+\"-\\r\\\\' msallowcapture=''><option 
selected=''></option></select>\",a.querySelectorAll(\"[msallowcapture^='']\").length&&q.push(\"[*^$]=\"+K+\"*(?:''|\\\"\\\")\"),a.querySelectorAll(\"[selected]\").length||q.push(\"\\\\[\"+K+\"*(?:value|\"+J+\")\"),a.querySelectorAll(\"[id~=\"+u+\"-]\").length||q.push(\"~=\"),a.querySelectorAll(\":checked\").length||q.push(\":checked\"),a.querySelectorAll(\"a#\"+u+\"+*\").length||q.push(\".#.+[+~]\")}),ja(function(a){a.innerHTML=\"<a href='' disabled='disabled'></a><select disabled='disabled'><option/></select>\";var b=n.createElement(\"input\");b.setAttribute(\"type\",\"hidden\"),a.appendChild(b).setAttribute(\"name\",\"D\"),a.querySelectorAll(\"[name=d]\").length&&q.push(\"name\"+K+\"*[*^$|!~]?=\"),2!==a.querySelectorAll(\":enabled\").length&&q.push(\":enabled\",\":disabled\"),o.appendChild(a).disabled=!0,2!==a.querySelectorAll(\":disabled\").length&&q.push(\":enabled\",\":disabled\"),a.querySelectorAll(\"*,:x\"),q.push(\",.*:\")})),(c.matchesSelector=Y.test(s=o.matches||o.webkitMatchesSelector||o.mozMatchesSelector||o.oMatchesSelector||o.msMatchesSelector))&&ja(function(a){c.disconnectedMatch=s.call(a,\"*\"),s.call(a,\"[s!='']:x\"),r.push(\"!=\",N)}),q=q.length&&new RegExp(q.join(\"|\")),r=r.length&&new RegExp(r.join(\"|\")),b=Y.test(o.compareDocumentPosition),t=b||Y.test(o.contains)?function(a,b){var c=9===a.nodeType?a.documentElement:a,d=b&&b.parentNode;return a===d||!(!d||1!==d.nodeType||!(c.contains?c.contains(d):a.compareDocumentPosition&&16&a.compareDocumentPosition(d)))}:function(a,b){if(b)while(b=b.parentNode)if(b===a)return!0;return!1},B=b?function(a,b){if(a===b)return l=!0,0;var d=!a.compareDocumentPosition-!b.compareDocumentPosition;return d?d:(d=(a.ownerDocument||a)===(b.ownerDocument||b)?a.compareDocumentPosition(b):1,1&d||!c.sortDetached&&b.compareDocumentPosition(a)===d?a===n||a.ownerDocument===v&&t(v,a)?-1:b===n||b.ownerDocument===v&&t(v,b)?1:k?I(k,a)-I(k,b):0:4&d?-1:1)}:function(a,b){if(a===b)return l=!0,0;var 
c,d=0,e=a.parentNode,f=b.parentNode,g=[a],h=[b];if(!e||!f)return a===n?-1:b===n?1:e?-1:f?1:k?I(k,a)-I(k,b):0;if(e===f)return la(a,b);c=a;while(c=c.parentNode)g.unshift(c);c=b;while(c=c.parentNode)h.unshift(c);while(g[d]===h[d])d++;return d?la(g[d],h[d]):g[d]===v?-1:h[d]===v?1:0},n):n},ga.matches=function(a,b){return ga(a,null,null,b)},ga.matchesSelector=function(a,b){if((a.ownerDocument||a)!==n&&m(a),b=b.replace(S,\"='$1']\"),c.matchesSelector&&p&&!A[b+\" \"]&&(!r||!r.test(b))&&(!q||!q.test(b)))try{var d=s.call(a,b);if(d||c.disconnectedMatch||a.document&&11!==a.document.nodeType)return d}catch(e){}return ga(b,n,null,[a]).length>0},ga.contains=function(a,b){return(a.ownerDocument||a)!==n&&m(a),t(a,b)},ga.attr=function(a,b){(a.ownerDocument||a)!==n&&m(a);var e=d.attrHandle[b.toLowerCase()],f=e&&C.call(d.attrHandle,b.toLowerCase())?e(a,b,!p):void 0;return void 0!==f?f:c.attributes||!p?a.getAttribute(b):(f=a.getAttributeNode(b))&&f.specified?f.value:null},ga.escape=function(a){return(a+\"\").replace(ba,ca)},ga.error=function(a){throw new Error(\"Syntax error, unrecognized expression: \"+a)},ga.uniqueSort=function(a){var b,d=[],e=0,f=0;if(l=!c.detectDuplicates,k=!c.sortStable&&a.slice(0),a.sort(B),l){while(b=a[f++])b===a[f]&&(e=d.push(f));while(e--)a.splice(d[e],1)}return k=null,a},e=ga.getText=function(a){var b,c=\"\",d=0,f=a.nodeType;if(f){if(1===f||9===f||11===f){if(\"string\"==typeof a.textContent)return a.textContent;for(a=a.firstChild;a;a=a.nextSibling)c+=e(a)}else if(3===f||4===f)return a.nodeValue}else while(b=a[d++])c+=e(b);return c},d=ga.selectors={cacheLength:50,createPseudo:ia,match:V,attrHandle:{},find:{},relative:{\">\":{dir:\"parentNode\",first:!0},\" \":{dir:\"parentNode\"},\"+\":{dir:\"previousSibling\",first:!0},\"~\":{dir:\"previousSibling\"}},preFilter:{ATTR:function(a){return a[1]=a[1].replace(_,aa),a[3]=(a[3]||a[4]||a[5]||\"\").replace(_,aa),\"~=\"===a[2]&&(a[3]=\" \"+a[3]+\" \"),a.slice(0,4)},CHILD:function(a){return 
a[1]=a[1].toLowerCase(),\"nth\"===a[1].slice(0,3)?(a[3]||ga.error(a[0]),a[4]=+(a[4]?a[5]+(a[6]||1):2*(\"even\"===a[3]||\"odd\"===a[3])),a[5]=+(a[7]+a[8]||\"odd\"===a[3])):a[3]&&ga.error(a[0]),a},PSEUDO:function(a){var b,c=!a[6]&&a[2];return V.CHILD.test(a[0])?null:(a[3]?a[2]=a[4]||a[5]||\"\":c&&T.test(c)&&(b=g(c,!0))&&(b=c.indexOf(\")\",c.length-b)-c.length)&&(a[0]=a[0].slice(0,b),a[2]=c.slice(0,b)),a.slice(0,3))}},filter:{TAG:function(a){var b=a.replace(_,aa).toLowerCase();return\"*\"===a?function(){return!0}:function(a){return a.nodeName&&a.nodeName.toLowerCase()===b}},CLASS:function(a){var b=y[a+\" \"];return b||(b=new RegExp(\"(^|\"+K+\")\"+a+\"(\"+K+\"|$)\"))&&y(a,function(a){return b.test(\"string\"==typeof a.className&&a.className||\"undefined\"!=typeof a.getAttribute&&a.getAttribute(\"class\")||\"\")})},ATTR:function(a,b,c){return function(d){var e=ga.attr(d,a);return null==e?\"!=\"===b:!b||(e+=\"\",\"=\"===b?e===c:\"!=\"===b?e!==c:\"^=\"===b?c&&0===e.indexOf(c):\"*=\"===b?c&&e.indexOf(c)>-1:\"$=\"===b?c&&e.slice(-c.length)===c:\"~=\"===b?(\" \"+e.replace(O,\" \")+\" \").indexOf(c)>-1:\"|=\"===b&&(e===c||e.slice(0,c.length+1)===c+\"-\"))}},CHILD:function(a,b,c,d,e){var f=\"nth\"!==a.slice(0,3),g=\"last\"!==a.slice(-4),h=\"of-type\"===b;return 1===d&&0===e?function(a){return!!a.parentNode}:function(b,c,i){var j,k,l,m,n,o,p=f!==g?\"nextSibling\":\"previousSibling\",q=b.parentNode,r=h&&b.nodeName.toLowerCase(),s=!i&&!h,t=!1;if(q){if(f){while(p){m=b;while(m=m[p])if(h?m.nodeName.toLowerCase()===r:1===m.nodeType)return!1;o=p=\"only\"===a&&!o&&\"nextSibling\"}return!0}if(o=[g?q.firstChild:q.lastChild],g&&s){m=q,l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),j=k[a]||[],n=j[0]===w&&j[1],t=n&&j[2],m=n&&q.childNodes[n];while(m=++n&&m&&m[p]||(t=n=0)||o.pop())if(1===m.nodeType&&++t&&m===b){k[a]=[w,n,t];break}}else 
if(s&&(m=b,l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),j=k[a]||[],n=j[0]===w&&j[1],t=n),t===!1)while(m=++n&&m&&m[p]||(t=n=0)||o.pop())if((h?m.nodeName.toLowerCase()===r:1===m.nodeType)&&++t&&(s&&(l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),k[a]=[w,t]),m===b))break;return t-=e,t===d||t%d===0&&t/d>=0}}},PSEUDO:function(a,b){var c,e=d.pseudos[a]||d.setFilters[a.toLowerCase()]||ga.error(\"unsupported pseudo: \"+a);return e[u]?e(b):e.length>1?(c=[a,a,\"\",b],d.setFilters.hasOwnProperty(a.toLowerCase())?ia(function(a,c){var d,f=e(a,b),g=f.length;while(g--)d=I(a,f[g]),a[d]=!(c[d]=f[g])}):function(a){return e(a,0,c)}):e}},pseudos:{not:ia(function(a){var b=[],c=[],d=h(a.replace(P,\"$1\"));return d[u]?ia(function(a,b,c,e){var f,g=d(a,null,e,[]),h=a.length;while(h--)(f=g[h])&&(a[h]=!(b[h]=f))}):function(a,e,f){return b[0]=a,d(b,null,f,c),b[0]=null,!c.pop()}}),has:ia(function(a){return function(b){return ga(a,b).length>0}}),contains:ia(function(a){return a=a.replace(_,aa),function(b){return(b.textContent||b.innerText||e(b)).indexOf(a)>-1}}),lang:ia(function(a){return U.test(a||\"\")||ga.error(\"unsupported lang: \"+a),a=a.replace(_,aa).toLowerCase(),function(b){var c;do if(c=p?b.lang:b.getAttribute(\"xml:lang\")||b.getAttribute(\"lang\"))return c=c.toLowerCase(),c===a||0===c.indexOf(a+\"-\");while((b=b.parentNode)&&1===b.nodeType);return!1}}),target:function(b){var c=a.location&&a.location.hash;return c&&c.slice(1)===b.id},root:function(a){return a===o},focus:function(a){return a===n.activeElement&&(!n.hasFocus||n.hasFocus())&&!!(a.type||a.href||~a.tabIndex)},enabled:oa(!1),disabled:oa(!0),checked:function(a){var b=a.nodeName.toLowerCase();return\"input\"===b&&!!a.checked||\"option\"===b&&!!a.selected},selected:function(a){return a.parentNode&&a.parentNode.selectedIndex,a.selected===!0},empty:function(a){for(a=a.firstChild;a;a=a.nextSibling)if(a.nodeType<6)return!1;return!0},parent:function(a){return!d.pseudos.empty(a)},header:function(a){return 
X.test(a.nodeName)},input:function(a){return W.test(a.nodeName)},button:function(a){var b=a.nodeName.toLowerCase();return\"input\"===b&&\"button\"===a.type||\"button\"===b},text:function(a){var b;return\"input\"===a.nodeName.toLowerCase()&&\"text\"===a.type&&(null==(b=a.getAttribute(\"type\"))||\"text\"===b.toLowerCase())},first:pa(function(){return[0]}),last:pa(function(a,b){return[b-1]}),eq:pa(function(a,b,c){return[c<0?c+b:c]}),even:pa(function(a,b){for(var c=0;c<b;c+=2)a.push(c);return a}),odd:pa(function(a,b){for(var c=1;c<b;c+=2)a.push(c);return a}),lt:pa(function(a,b,c){for(var d=c<0?c+b:c;--d>=0;)a.push(d);return a}),gt:pa(function(a,b,c){for(var d=c<0?c+b:c;++d<b;)a.push(d);return a})}},d.pseudos.nth=d.pseudos.eq;for(b in{radio:!0,checkbox:!0,file:!0,password:!0,image:!0})d.pseudos[b]=ma(b);for(b in{submit:!0,reset:!0})d.pseudos[b]=na(b);function ra(){}ra.prototype=d.filters=d.pseudos,d.setFilters=new ra,g=ga.tokenize=function(a,b){var c,e,f,g,h,i,j,k=z[a+\" \"];if(k)return b?0:k.slice(0);h=a,i=[],j=d.preFilter;while(h){c&&!(e=Q.exec(h))||(e&&(h=h.slice(e[0].length)||h),i.push(f=[])),c=!1,(e=R.exec(h))&&(c=e.shift(),f.push({value:c,type:e[0].replace(P,\" \")}),h=h.slice(c.length));for(g in d.filter)!(e=V[g].exec(h))||j[g]&&!(e=j[g](e))||(c=e.shift(),f.push({value:c,type:g,matches:e}),h=h.slice(c.length));if(!c)break}return b?h.length:h?ga.error(a):z(a,i).slice(0)};function sa(a){for(var b=0,c=a.length,d=\"\";b<c;b++)d+=a[b].value;return d}function ta(a,b,c){var d=b.dir,e=b.next,f=e||d,g=c&&\"parentNode\"===f,h=x++;return b.first?function(b,c,e){while(b=b[d])if(1===b.nodeType||g)return a(b,c,e);return!1}:function(b,c,i){var j,k,l,m=[w,h];if(i){while(b=b[d])if((1===b.nodeType||g)&&a(b,c,i))return!0}else while(b=b[d])if(1===b.nodeType||g)if(l=b[u]||(b[u]={}),k=l[b.uniqueID]||(l[b.uniqueID]={}),e&&e===b.nodeName.toLowerCase())b=b[d]||b;else{if((j=k[f])&&j[0]===w&&j[1]===h)return m[2]=j[2];if(k[f]=m,m[2]=a(b,c,i))return!0}return!1}}function ua(a){return 
a.length>1?function(b,c,d){var e=a.length;while(e--)if(!a[e](b,c,d))return!1;return!0}:a[0]}function va(a,b,c){for(var d=0,e=b.length;d<e;d++)ga(a,b[d],c);return c}function wa(a,b,c,d,e){for(var f,g=[],h=0,i=a.length,j=null!=b;h<i;h++)(f=a[h])&&(c&&!c(f,d,e)||(g.push(f),j&&b.push(h)));return g}function xa(a,b,c,d,e,f){return d&&!d[u]&&(d=xa(d)),e&&!e[u]&&(e=xa(e,f)),ia(function(f,g,h,i){var j,k,l,m=[],n=[],o=g.length,p=f||va(b||\"*\",h.nodeType?[h]:h,[]),q=!a||!f&&b?p:wa(p,m,a,h,i),r=c?e||(f?a:o||d)?[]:g:q;if(c&&c(q,r,h,i),d){j=wa(r,n),d(j,[],h,i),k=j.length;while(k--)(l=j[k])&&(r[n[k]]=!(q[n[k]]=l))}if(f){if(e||a){if(e){j=[],k=r.length;while(k--)(l=r[k])&&j.push(q[k]=l);e(null,r=[],j,i)}k=r.length;while(k--)(l=r[k])&&(j=e?I(f,l):m[k])>-1&&(f[j]=!(g[j]=l))}}else r=wa(r===g?r.splice(o,r.length):r),e?e(null,g,r,i):G.apply(g,r)})}function ya(a){for(var b,c,e,f=a.length,g=d.relative[a[0].type],h=g||d.relative[\" \"],i=g?1:0,k=ta(function(a){return a===b},h,!0),l=ta(function(a){return I(b,a)>-1},h,!0),m=[function(a,c,d){var e=!g&&(d||c!==j)||((b=c).nodeType?k(a,c,d):l(a,c,d));return b=null,e}];i<f;i++)if(c=d.relative[a[i].type])m=[ta(ua(m),c)];else{if(c=d.filter[a[i].type].apply(null,a[i].matches),c[u]){for(e=++i;e<f;e++)if(d.relative[a[e].type])break;return xa(i>1&&ua(m),i>1&&sa(a.slice(0,i-1).concat({value:\" \"===a[i-2].type?\"*\":\"\"})).replace(P,\"$1\"),c,i<e&&ya(a.slice(i,e)),e<f&&ya(a=a.slice(e)),e<f&&sa(a))}m.push(c)}return ua(m)}function za(a,b){var c=b.length>0,e=a.length>0,f=function(f,g,h,i,k){var 
l,o,q,r=0,s=\"0\",t=f&&[],u=[],v=j,x=f||e&&d.find.TAG(\"*\",k),y=w+=null==v?1:Math.random()||.1,z=x.length;for(k&&(j=g===n||g||k);s!==z&&null!=(l=x[s]);s++){if(e&&l){o=0,g||l.ownerDocument===n||(m(l),h=!p);while(q=a[o++])if(q(l,g||n,h)){i.push(l);break}k&&(w=y)}c&&((l=!q&&l)&&r--,f&&t.push(l))}if(r+=s,c&&s!==r){o=0;while(q=b[o++])q(t,u,g,h);if(f){if(r>0)while(s--)t[s]||u[s]||(u[s]=E.call(i));u=wa(u)}G.apply(i,u),k&&!f&&u.length>0&&r+b.length>1&&ga.uniqueSort(i)}return k&&(w=y,j=v),t};return c?ia(f):f}return h=ga.compile=function(a,b){var c,d=[],e=[],f=A[a+\" \"];if(!f){b||(b=g(a)),c=b.length;while(c--)f=ya(b[c]),f[u]?d.push(f):e.push(f);f=A(a,za(e,d)),f.selector=a}return f},i=ga.select=function(a,b,c,e){var f,i,j,k,l,m=\"function\"==typeof a&&a,n=!e&&g(a=m.selector||a);if(c=c||[],1===n.length){if(i=n[0]=n[0].slice(0),i.length>2&&\"ID\"===(j=i[0]).type&&9===b.nodeType&&p&&d.relative[i[1].type]){if(b=(d.find.ID(j.matches[0].replace(_,aa),b)||[])[0],!b)return c;m&&(b=b.parentNode),a=a.slice(i.shift().value.length)}f=V.needsContext.test(a)?0:i.length;while(f--){if(j=i[f],d.relative[k=j.type])break;if((l=d.find[k])&&(e=l(j.matches[0].replace(_,aa),$.test(i[0].type)&&qa(b.parentNode)||b))){if(i.splice(f,1),a=e.length&&sa(i),!a)return G.apply(c,e),c;break}}}return(m||h(a,n))(e,b,!p,c,!b||$.test(a)&&qa(b.parentNode)||b),c},c.sortStable=u.split(\"\").sort(B).join(\"\")===u,c.detectDuplicates=!!l,m(),c.sortDetached=ja(function(a){return 1&a.compareDocumentPosition(n.createElement(\"fieldset\"))}),ja(function(a){return a.innerHTML=\"<a href='#'></a>\",\"#\"===a.firstChild.getAttribute(\"href\")})||ka(\"type|href|height|width\",function(a,b,c){if(!c)return a.getAttribute(b,\"type\"===b.toLowerCase()?1:2)}),c.attributes&&ja(function(a){return a.innerHTML=\"<input/>\",a.firstChild.setAttribute(\"value\",\"\"),\"\"===a.firstChild.getAttribute(\"value\")})||ka(\"value\",function(a,b,c){if(!c&&\"input\"===a.nodeName.toLowerCase())return a.defaultValue}),ja(function(a){return 
null==a.getAttribute(\"disabled\")})||ka(J,function(a,b,c){var d;if(!c)return a[b]===!0?b.toLowerCase():(d=a.getAttributeNode(b))&&d.specified?d.value:null}),ga}(a);r.find=x,r.expr=x.selectors,r.expr[\":\"]=r.expr.pseudos,r.uniqueSort=r.unique=x.uniqueSort,r.text=x.getText,r.isXMLDoc=x.isXML,r.contains=x.contains,r.escapeSelector=x.escape;var y=function(a,b,c){var d=[],e=void 0!==c;while((a=a[b])&&9!==a.nodeType)if(1===a.nodeType){if(e&&r(a).is(c))break;d.push(a)}return d},z=function(a,b){for(var c=[];a;a=a.nextSibling)1===a.nodeType&&a!==b&&c.push(a);return c},A=r.expr.match.needsContext,B=/^<([a-z][^\\/\\0>:\\x20\\t\\r\\n\\f]*)[\\x20\\t\\r\\n\\f]*\\/?>(?:<\\/\\1>|)$/i,C=/^.[^:#\\[\\.,]*$/;function D(a,b,c){return r.isFunction(b)?r.grep(a,function(a,d){return!!b.call(a,d,a)!==c}):b.nodeType?r.grep(a,function(a){return a===b!==c}):\"string\"!=typeof b?r.grep(a,function(a){return i.call(b,a)>-1!==c}):C.test(b)?r.filter(b,a,c):(b=r.filter(b,a),r.grep(a,function(a){return i.call(b,a)>-1!==c&&1===a.nodeType}))}r.filter=function(a,b,c){var d=b[0];return c&&(a=\":not(\"+a+\")\"),1===b.length&&1===d.nodeType?r.find.matchesSelector(d,a)?[d]:[]:r.find.matches(a,r.grep(b,function(a){return 1===a.nodeType}))},r.fn.extend({find:function(a){var b,c,d=this.length,e=this;if(\"string\"!=typeof a)return this.pushStack(r(a).filter(function(){for(b=0;b<d;b++)if(r.contains(e[b],this))return!0}));for(c=this.pushStack([]),b=0;b<d;b++)r.find(a,e[b],c);return d>1?r.uniqueSort(c):c},filter:function(a){return this.pushStack(D(this,a||[],!1))},not:function(a){return this.pushStack(D(this,a||[],!0))},is:function(a){return!!D(this,\"string\"==typeof a&&A.test(a)?r(a):a||[],!1).length}});var E,F=/^(?:\\s*(<[\\w\\W]+>)[^>]*|#([\\w-]+))$/,G=r.fn.init=function(a,b,c){var e,f;if(!a)return this;if(c=c||E,\"string\"==typeof a){if(e=\"<\"===a[0]&&\">\"===a[a.length-1]&&a.length>=3?[null,a,null]:F.exec(a),!e||!e[1]&&b)return!b||b.jquery?(b||c).find(a):this.constructor(b).find(a);if(e[1]){if(b=b 
instanceof r?b[0]:b,r.merge(this,r.parseHTML(e[1],b&&b.nodeType?b.ownerDocument||b:d,!0)),B.test(e[1])&&r.isPlainObject(b))for(e in b)r.isFunction(this[e])?this[e](b[e]):this.attr(e,b[e]);return this}return f=d.getElementById(e[2]),f&&(this[0]=f,this.length=1),this}return a.nodeType?(this[0]=a,this.length=1,this):r.isFunction(a)?void 0!==c.ready?c.ready(a):a(r):r.makeArray(a,this)};G.prototype=r.fn,E=r(d);var H=/^(?:parents|prev(?:Until|All))/,I={children:!0,contents:!0,next:!0,prev:!0};r.fn.extend({has:function(a){var b=r(a,this),c=b.length;return this.filter(function(){for(var a=0;a<c;a++)if(r.contains(this,b[a]))return!0})},closest:function(a,b){var c,d=0,e=this.length,f=[],g=\"string\"!=typeof a&&r(a);if(!A.test(a))for(;d<e;d++)for(c=this[d];c&&c!==b;c=c.parentNode)if(c.nodeType<11&&(g?g.index(c)>-1:1===c.nodeType&&r.find.matchesSelector(c,a))){f.push(c);break}return this.pushStack(f.length>1?r.uniqueSort(f):f)},index:function(a){return a?\"string\"==typeof a?i.call(r(a),this[0]):i.call(this,a.jquery?a[0]:a):this[0]&&this[0].parentNode?this.first().prevAll().length:-1},add:function(a,b){return this.pushStack(r.uniqueSort(r.merge(this.get(),r(a,b))))},addBack:function(a){return this.add(null==a?this.prevObject:this.prevObject.filter(a))}});function J(a,b){while((a=a[b])&&1!==a.nodeType);return a}r.each({parent:function(a){var b=a.parentNode;return b&&11!==b.nodeType?b:null},parents:function(a){return y(a,\"parentNode\")},parentsUntil:function(a,b,c){return y(a,\"parentNode\",c)},next:function(a){return J(a,\"nextSibling\")},prev:function(a){return J(a,\"previousSibling\")},nextAll:function(a){return y(a,\"nextSibling\")},prevAll:function(a){return y(a,\"previousSibling\")},nextUntil:function(a,b,c){return y(a,\"nextSibling\",c)},prevUntil:function(a,b,c){return y(a,\"previousSibling\",c)},siblings:function(a){return z((a.parentNode||{}).firstChild,a)},children:function(a){return z(a.firstChild)},contents:function(a){return 
a.contentDocument||r.merge([],a.childNodes)}},function(a,b){r.fn[a]=function(c,d){var e=r.map(this,b,c);return\"Until\"!==a.slice(-5)&&(d=c),d&&\"string\"==typeof d&&(e=r.filter(d,e)),this.length>1&&(I[a]||r.uniqueSort(e),H.test(a)&&e.reverse()),this.pushStack(e)}});var K=/[^\\x20\\t\\r\\n\\f]+/g;function L(a){var b={};return r.each(a.match(K)||[],function(a,c){b[c]=!0}),b}r.Callbacks=function(a){a=\"string\"==typeof a?L(a):r.extend({},a);var b,c,d,e,f=[],g=[],h=-1,i=function(){for(e=a.once,d=b=!0;g.length;h=-1){c=g.shift();while(++h<f.length)f[h].apply(c[0],c[1])===!1&&a.stopOnFalse&&(h=f.length,c=!1)}a.memory||(c=!1),b=!1,e&&(f=c?[]:\"\")},j={add:function(){return f&&(c&&!b&&(h=f.length-1,g.push(c)),function d(b){r.each(b,function(b,c){r.isFunction(c)?a.unique&&j.has(c)||f.push(c):c&&c.length&&\"string\"!==r.type(c)&&d(c)})}(arguments),c&&!b&&i()),this},remove:function(){return r.each(arguments,function(a,b){var c;while((c=r.inArray(b,f,c))>-1)f.splice(c,1),c<=h&&h--}),this},has:function(a){return a?r.inArray(a,f)>-1:f.length>0},empty:function(){return f&&(f=[]),this},disable:function(){return e=g=[],f=c=\"\",this},disabled:function(){return!f},lock:function(){return e=g=[],c||b||(f=c=\"\"),this},locked:function(){return!!e},fireWith:function(a,c){return e||(c=c||[],c=[a,c.slice?c.slice():c],g.push(c),b||i()),this},fire:function(){return j.fireWith(this,arguments),this},fired:function(){return!!d}};return j};function M(a){return a}function N(a){throw a}function O(a,b,c){var d;try{a&&r.isFunction(d=a.promise)?d.call(a).done(b).fail(c):a&&r.isFunction(d=a.then)?d.call(a,b,c):b.call(void 0,a)}catch(a){c.call(void 0,a)}}r.extend({Deferred:function(b){var c=[[\"notify\",\"progress\",r.Callbacks(\"memory\"),r.Callbacks(\"memory\"),2],[\"resolve\",\"done\",r.Callbacks(\"once memory\"),r.Callbacks(\"once memory\"),0,\"resolved\"],[\"reject\",\"fail\",r.Callbacks(\"once memory\"),r.Callbacks(\"once memory\"),1,\"rejected\"]],d=\"pending\",e={state:function(){return 
d},always:function(){return f.done(arguments).fail(arguments),this},\"catch\":function(a){return e.then(null,a)},pipe:function(){var a=arguments;return r.Deferred(function(b){r.each(c,function(c,d){var e=r.isFunction(a[d[4]])&&a[d[4]];f[d[1]](function(){var a=e&&e.apply(this,arguments);a&&r.isFunction(a.promise)?a.promise().progress(b.notify).done(b.resolve).fail(b.reject):b[d[0]+\"With\"](this,e?[a]:arguments)})}),a=null}).promise()},then:function(b,d,e){var f=0;function g(b,c,d,e){return function(){var h=this,i=arguments,j=function(){var a,j;if(!(b<f)){if(a=d.apply(h,i),a===c.promise())throw new TypeError(\"Thenable self-resolution\");j=a&&(\"object\"==typeof a||\"function\"==typeof a)&&a.then,r.isFunction(j)?e?j.call(a,g(f,c,M,e),g(f,c,N,e)):(f++,j.call(a,g(f,c,M,e),g(f,c,N,e),g(f,c,M,c.notifyWith))):(d!==M&&(h=void 0,i=[a]),(e||c.resolveWith)(h,i))}},k=e?j:function(){try{j()}catch(a){r.Deferred.exceptionHook&&r.Deferred.exceptionHook(a,k.stackTrace),b+1>=f&&(d!==N&&(h=void 0,i=[a]),c.rejectWith(h,i))}};b?k():(r.Deferred.getStackHook&&(k.stackTrace=r.Deferred.getStackHook()),a.setTimeout(k))}}return r.Deferred(function(a){c[0][3].add(g(0,a,r.isFunction(e)?e:M,a.notifyWith)),c[1][3].add(g(0,a,r.isFunction(b)?b:M)),c[2][3].add(g(0,a,r.isFunction(d)?d:N))}).promise()},promise:function(a){return null!=a?r.extend(a,e):e}},f={};return r.each(c,function(a,b){var g=b[2],h=b[5];e[b[1]]=g.add,h&&g.add(function(){d=h},c[3-a][2].disable,c[0][2].lock),g.add(b[3].fire),f[b[0]]=function(){return f[b[0]+\"With\"](this===f?void 0:this,arguments),this},f[b[0]+\"With\"]=g.fireWith}),e.promise(f),b&&b.call(f,f),f},when:function(a){var b=arguments.length,c=b,d=Array(c),e=f.call(arguments),g=r.Deferred(),h=function(a){return function(c){d[a]=this,e[a]=arguments.length>1?f.call(arguments):c,--b||g.resolveWith(d,e)}};if(b<=1&&(O(a,g.done(h(c)).resolve,g.reject),\"pending\"===g.state()||r.isFunction(e[c]&&e[c].then)))return g.then();while(c--)O(e[c],h(c),g.reject);return 
g.promise()}});var P=/^(Eval|Internal|Range|Reference|Syntax|Type|URI)Error$/;r.Deferred.exceptionHook=function(b,c){a.console&&a.console.warn&&b&&P.test(b.name)&&a.console.warn(\"jQuery.Deferred exception: \"+b.message,b.stack,c)},r.readyException=function(b){a.setTimeout(function(){throw b})};var Q=r.Deferred();r.fn.ready=function(a){return Q.then(a)[\"catch\"](function(a){r.readyException(a)}),this},r.extend({isReady:!1,readyWait:1,holdReady:function(a){a?r.readyWait++:r.ready(!0)},ready:function(a){(a===!0?--r.readyWait:r.isReady)||(r.isReady=!0,a!==!0&&--r.readyWait>0||Q.resolveWith(d,[r]))}}),r.ready.then=Q.then;function R(){d.removeEventListener(\"DOMContentLoaded\",R),a.removeEventListener(\"load\",R),r.ready()}\"complete\"===d.readyState||\"loading\"!==d.readyState&&!d.documentElement.doScroll?a.setTimeout(r.ready):(d.addEventListener(\"DOMContentLoaded\",R),a.addEventListener(\"load\",R));var S=function(a,b,c,d,e,f,g){var h=0,i=a.length,j=null==c;if(\"object\"===r.type(c)){e=!0;for(h in c)S(a,b,h,c[h],!0,f,g)}else if(void 0!==d&&(e=!0,r.isFunction(d)||(g=!0),j&&(g?(b.call(a,d),b=null):(j=b,b=function(a,b,c){return j.call(r(a),c)})),b))for(;h<i;h++)b(a[h],c,g?d:d.call(a[h],h,b(a[h],c)));return e?a:j?b.call(a):i?b(a[0],c):f},T=function(a){return 1===a.nodeType||9===a.nodeType||!+a.nodeType};function U(){this.expando=r.expando+U.uid++}U.uid=1,U.prototype={cache:function(a){var b=a[this.expando];return b||(b={},T(a)&&(a.nodeType?a[this.expando]=b:Object.defineProperty(a,this.expando,{value:b,configurable:!0}))),b},set:function(a,b,c){var d,e=this.cache(a);if(\"string\"==typeof b)e[r.camelCase(b)]=c;else for(d in b)e[r.camelCase(d)]=b[d];return e},get:function(a,b){return void 0===b?this.cache(a):a[this.expando]&&a[this.expando][r.camelCase(b)]},access:function(a,b,c){return void 0===b||b&&\"string\"==typeof b&&void 0===c?this.get(a,b):(this.set(a,b,c),void 0!==c?c:b)},remove:function(a,b){var c,d=a[this.expando];if(void 0!==d){if(void 
0!==b){r.isArray(b)?b=b.map(r.camelCase):(b=r.camelCase(b),b=b in d?[b]:b.match(K)||[]),c=b.length;while(c--)delete d[b[c]]}(void 0===b||r.isEmptyObject(d))&&(a.nodeType?a[this.expando]=void 0:delete a[this.expando])}},hasData:function(a){var b=a[this.expando];return void 0!==b&&!r.isEmptyObject(b)}};var V=new U,W=new U,X=/^(?:\\{[\\w\\W]*\\}|\\[[\\w\\W]*\\])$/,Y=/[A-Z]/g;function Z(a){return\"true\"===a||\"false\"!==a&&(\"null\"===a?null:a===+a+\"\"?+a:X.test(a)?JSON.parse(a):a)}function $(a,b,c){var d;if(void 0===c&&1===a.nodeType)if(d=\"data-\"+b.replace(Y,\"-$&\").toLowerCase(),c=a.getAttribute(d),\"string\"==typeof c){try{c=Z(c)}catch(e){}W.set(a,b,c)}else c=void 0;return c}r.extend({hasData:function(a){return W.hasData(a)||V.hasData(a)},data:function(a,b,c){return W.access(a,b,c)},removeData:function(a,b){W.remove(a,b)},_data:function(a,b,c){return V.access(a,b,c)},_removeData:function(a,b){V.remove(a,b)}}),r.fn.extend({data:function(a,b){var c,d,e,f=this[0],g=f&&f.attributes;if(void 0===a){if(this.length&&(e=W.get(f),1===f.nodeType&&!V.get(f,\"hasDataAttrs\"))){c=g.length;while(c--)g[c]&&(d=g[c].name,0===d.indexOf(\"data-\")&&(d=r.camelCase(d.slice(5)),$(f,d,e[d])));V.set(f,\"hasDataAttrs\",!0)}return e}return\"object\"==typeof a?this.each(function(){W.set(this,a)}):S(this,function(b){var c;if(f&&void 0===b){if(c=W.get(f,a),void 0!==c)return c;if(c=$(f,a),void 0!==c)return c}else this.each(function(){W.set(this,a,b)})},null,b,arguments.length>1,null,!0)},removeData:function(a){return this.each(function(){W.remove(this,a)})}}),r.extend({queue:function(a,b,c){var d;if(a)return b=(b||\"fx\")+\"queue\",d=V.get(a,b),c&&(!d||r.isArray(c)?d=V.access(a,b,r.makeArray(c)):d.push(c)),d||[]},dequeue:function(a,b){b=b||\"fx\";var c=r.queue(a,b),d=c.length,e=c.shift(),f=r._queueHooks(a,b),g=function(){r.dequeue(a,b)};\"inprogress\"===e&&(e=c.shift(),d--),e&&(\"fx\"===b&&c.unshift(\"inprogress\"),delete 
f.stop,e.call(a,g,f)),!d&&f&&f.empty.fire()},_queueHooks:function(a,b){var c=b+\"queueHooks\";return V.get(a,c)||V.access(a,c,{empty:r.Callbacks(\"once memory\").add(function(){V.remove(a,[b+\"queue\",c])})})}}),r.fn.extend({queue:function(a,b){var c=2;return\"string\"!=typeof a&&(b=a,a=\"fx\",c--),arguments.length<c?r.queue(this[0],a):void 0===b?this:this.each(function(){var c=r.queue(this,a,b);r._queueHooks(this,a),\"fx\"===a&&\"inprogress\"!==c[0]&&r.dequeue(this,a)})},dequeue:function(a){return this.each(function(){r.dequeue(this,a)})},clearQueue:function(a){return this.queue(a||\"fx\",[])},promise:function(a,b){var c,d=1,e=r.Deferred(),f=this,g=this.length,h=function(){--d||e.resolveWith(f,[f])};\"string\"!=typeof a&&(b=a,a=void 0),a=a||\"fx\";while(g--)c=V.get(f[g],a+\"queueHooks\"),c&&c.empty&&(d++,c.empty.add(h));return h(),e.promise(b)}});var _=/[+-]?(?:\\d*\\.|)\\d+(?:[eE][+-]?\\d+|)/.source,aa=new RegExp(\"^(?:([+-])=|)(\"+_+\")([a-z%]*)$\",\"i\"),ba=[\"Top\",\"Right\",\"Bottom\",\"Left\"],ca=function(a,b){return a=b||a,\"none\"===a.style.display||\"\"===a.style.display&&r.contains(a.ownerDocument,a)&&\"none\"===r.css(a,\"display\")},da=function(a,b,c,d){var e,f,g={};for(f in b)g[f]=a.style[f],a.style[f]=b[f];e=c.apply(a,d||[]);for(f in b)a.style[f]=g[f];return e};function ea(a,b,c,d){var e,f=1,g=20,h=d?function(){return d.cur()}:function(){return r.css(a,b,\"\")},i=h(),j=c&&c[3]||(r.cssNumber[b]?\"\":\"px\"),k=(r.cssNumber[b]||\"px\"!==j&&+i)&&aa.exec(r.css(a,b));if(k&&k[3]!==j){j=j||k[3],c=c||[],k=+i||1;do f=f||\".5\",k/=f,r.style(a,b,k+j);while(f!==(f=h()/i)&&1!==f&&--g)}return c&&(k=+k||+i||0,e=c[1]?k+(c[1]+1)*c[2]:+c[2],d&&(d.unit=j,d.start=k,d.end=e)),e}var fa={};function ga(a){var b,c=a.ownerDocument,d=a.nodeName,e=fa[d];return e?e:(b=c.body.appendChild(c.createElement(d)),e=r.css(b,\"display\"),b.parentNode.removeChild(b),\"none\"===e&&(e=\"block\"),fa[d]=e,e)}function ha(a,b){for(var 
c,d,e=[],f=0,g=a.length;f<g;f++)d=a[f],d.style&&(c=d.style.display,b?(\"none\"===c&&(e[f]=V.get(d,\"display\")||null,e[f]||(d.style.display=\"\")),\"\"===d.style.display&&ca(d)&&(e[f]=ga(d))):\"none\"!==c&&(e[f]=\"none\",V.set(d,\"display\",c)));for(f=0;f<g;f++)null!=e[f]&&(a[f].style.display=e[f]);return a}r.fn.extend({show:function(){return ha(this,!0)},hide:function(){return ha(this)},toggle:function(a){return\"boolean\"==typeof a?a?this.show():this.hide():this.each(function(){ca(this)?r(this).show():r(this).hide()})}});var ia=/^(?:checkbox|radio)$/i,ja=/<([a-z][^\\/\\0>\\x20\\t\\r\\n\\f]+)/i,ka=/^$|\\/(?:java|ecma)script/i,la={option:[1,\"<select multiple='multiple'>\",\"</select>\"],thead:[1,\"<table>\",\"</table>\"],col:[2,\"<table><colgroup>\",\"</colgroup></table>\"],tr:[2,\"<table><tbody>\",\"</tbody></table>\"],td:[3,\"<table><tbody><tr>\",\"</tr></tbody></table>\"],_default:[0,\"\",\"\"]};la.optgroup=la.option,la.tbody=la.tfoot=la.colgroup=la.caption=la.thead,la.th=la.td;function ma(a,b){var c;return c=\"undefined\"!=typeof a.getElementsByTagName?a.getElementsByTagName(b||\"*\"):\"undefined\"!=typeof a.querySelectorAll?a.querySelectorAll(b||\"*\"):[],void 0===b||b&&r.nodeName(a,b)?r.merge([a],c):c}function na(a,b){for(var c=0,d=a.length;c<d;c++)V.set(a[c],\"globalEval\",!b||V.get(b[c],\"globalEval\"))}var oa=/<|&#?\\w+;/;function pa(a,b,c,d,e){for(var f,g,h,i,j,k,l=b.createDocumentFragment(),m=[],n=0,o=a.length;n<o;n++)if(f=a[n],f||0===f)if(\"object\"===r.type(f))r.merge(m,f.nodeType?[f]:f);else if(oa.test(f)){g=g||l.appendChild(b.createElement(\"div\")),h=(ja.exec(f)||[\"\",\"\"])[1].toLowerCase(),i=la[h]||la._default,g.innerHTML=i[1]+r.htmlPrefilter(f)+i[2],k=i[0];while(k--)g=g.lastChild;r.merge(m,g.childNodes),g=l.firstChild,g.textContent=\"\"}else m.push(b.createTextNode(f));l.textContent=\"\",n=0;while(f=m[n++])if(d&&r.inArray(f,d)>-1)e&&e.push(f);else 
if(j=r.contains(f.ownerDocument,f),g=ma(l.appendChild(f),\"script\"),j&&na(g),c){k=0;while(f=g[k++])ka.test(f.type||\"\")&&c.push(f)}return l}!function(){var a=d.createDocumentFragment(),b=a.appendChild(d.createElement(\"div\")),c=d.createElement(\"input\");c.setAttribute(\"type\",\"radio\"),c.setAttribute(\"checked\",\"checked\"),c.setAttribute(\"name\",\"t\"),b.appendChild(c),o.checkClone=b.cloneNode(!0).cloneNode(!0).lastChild.checked,b.innerHTML=\"<textarea>x</textarea>\",o.noCloneChecked=!!b.cloneNode(!0).lastChild.defaultValue}();var qa=d.documentElement,ra=/^key/,sa=/^(?:mouse|pointer|contextmenu|drag|drop)|click/,ta=/^([^.]*)(?:\\.(.+)|)/;function ua(){return!0}function va(){return!1}function wa(){try{return d.activeElement}catch(a){}}function xa(a,b,c,d,e,f){var g,h;if(\"object\"==typeof b){\"string\"!=typeof c&&(d=d||c,c=void 0);for(h in b)xa(a,h,c,d,b[h],f);return a}if(null==d&&null==e?(e=c,d=c=void 0):null==e&&(\"string\"==typeof c?(e=d,d=void 0):(e=d,d=c,c=void 0)),e===!1)e=va;else if(!e)return a;return 1===f&&(g=e,e=function(a){return r().off(a),g.apply(this,arguments)},e.guid=g.guid||(g.guid=r.guid++)),a.each(function(){r.event.add(this,b,e,d,c)})}r.event={global:{},add:function(a,b,c,d,e){var f,g,h,i,j,k,l,m,n,o,p,q=V.get(a);if(q){c.handler&&(f=c,c=f.handler,e=f.selector),e&&r.find.matchesSelector(qa,e),c.guid||(c.guid=r.guid++),(i=q.events)||(i=q.events={}),(g=q.handle)||(g=q.handle=function(b){return\"undefined\"!=typeof r&&r.event.triggered!==b.type?r.event.dispatch.apply(a,arguments):void 
0}),b=(b||\"\").match(K)||[\"\"],j=b.length;while(j--)h=ta.exec(b[j])||[],n=p=h[1],o=(h[2]||\"\").split(\".\").sort(),n&&(l=r.event.special[n]||{},n=(e?l.delegateType:l.bindType)||n,l=r.event.special[n]||{},k=r.extend({type:n,origType:p,data:d,handler:c,guid:c.guid,selector:e,needsContext:e&&r.expr.match.needsContext.test(e),namespace:o.join(\".\")},f),(m=i[n])||(m=i[n]=[],m.delegateCount=0,l.setup&&l.setup.call(a,d,o,g)!==!1||a.addEventListener&&a.addEventListener(n,g)),l.add&&(l.add.call(a,k),k.handler.guid||(k.handler.guid=c.guid)),e?m.splice(m.delegateCount++,0,k):m.push(k),r.event.global[n]=!0)}},remove:function(a,b,c,d,e){var f,g,h,i,j,k,l,m,n,o,p,q=V.hasData(a)&&V.get(a);if(q&&(i=q.events)){b=(b||\"\").match(K)||[\"\"],j=b.length;while(j--)if(h=ta.exec(b[j])||[],n=p=h[1],o=(h[2]||\"\").split(\".\").sort(),n){l=r.event.special[n]||{},n=(d?l.delegateType:l.bindType)||n,m=i[n]||[],h=h[2]&&new RegExp(\"(^|\\\\.)\"+o.join(\"\\\\.(?:.*\\\\.|)\")+\"(\\\\.|$)\"),g=f=m.length;while(f--)k=m[f],!e&&p!==k.origType||c&&c.guid!==k.guid||h&&!h.test(k.namespace)||d&&d!==k.selector&&(\"**\"!==d||!k.selector)||(m.splice(f,1),k.selector&&m.delegateCount--,l.remove&&l.remove.call(a,k));g&&!m.length&&(l.teardown&&l.teardown.call(a,o,q.handle)!==!1||r.removeEvent(a,n,q.handle),delete i[n])}else for(n in i)r.event.remove(a,n+b[j],c,d,!0);r.isEmptyObject(i)&&V.remove(a,\"handle events\")}},dispatch:function(a){var b=r.event.fix(a),c,d,e,f,g,h,i=new 
Array(arguments.length),j=(V.get(this,\"events\")||{})[b.type]||[],k=r.event.special[b.type]||{};for(i[0]=b,c=1;c<arguments.length;c++)i[c]=arguments[c];if(b.delegateTarget=this,!k.preDispatch||k.preDispatch.call(this,b)!==!1){h=r.event.handlers.call(this,b,j),c=0;while((f=h[c++])&&!b.isPropagationStopped()){b.currentTarget=f.elem,d=0;while((g=f.handlers[d++])&&!b.isImmediatePropagationStopped())b.rnamespace&&!b.rnamespace.test(g.namespace)||(b.handleObj=g,b.data=g.data,e=((r.event.special[g.origType]||{}).handle||g.handler).apply(f.elem,i),void 0!==e&&(b.result=e)===!1&&(b.preventDefault(),b.stopPropagation()))}return k.postDispatch&&k.postDispatch.call(this,b),b.result}},handlers:function(a,b){var c,d,e,f,g,h=[],i=b.delegateCount,j=a.target;if(i&&j.nodeType&&!(\"click\"===a.type&&a.button>=1))for(;j!==this;j=j.parentNode||this)if(1===j.nodeType&&(\"click\"!==a.type||j.disabled!==!0)){for(f=[],g={},c=0;c<i;c++)d=b[c],e=d.selector+\" \",void 0===g[e]&&(g[e]=d.needsContext?r(e,this).index(j)>-1:r.find(e,this,null,[j]).length),g[e]&&f.push(d);f.length&&h.push({elem:j,handlers:f})}return j=this,i<b.length&&h.push({elem:j,handlers:b.slice(i)}),h},addProp:function(a,b){Object.defineProperty(r.Event.prototype,a,{enumerable:!0,configurable:!0,get:r.isFunction(b)?function(){if(this.originalEvent)return b(this.originalEvent)}:function(){if(this.originalEvent)return this.originalEvent[a]},set:function(b){Object.defineProperty(this,a,{enumerable:!0,configurable:!0,writable:!0,value:b})}})},fix:function(a){return a[r.expando]?a:new r.Event(a)},special:{load:{noBubble:!0},focus:{trigger:function(){if(this!==wa()&&this.focus)return this.focus(),!1},delegateType:\"focusin\"},blur:{trigger:function(){if(this===wa()&&this.blur)return this.blur(),!1},delegateType:\"focusout\"},click:{trigger:function(){if(\"checkbox\"===this.type&&this.click&&r.nodeName(this,\"input\"))return this.click(),!1},_default:function(a){return 
r.nodeName(a.target,\"a\")}},beforeunload:{postDispatch:function(a){void 0!==a.result&&a.originalEvent&&(a.originalEvent.returnValue=a.result)}}}},r.removeEvent=function(a,b,c){a.removeEventListener&&a.removeEventListener(b,c)},r.Event=function(a,b){return this instanceof r.Event?(a&&a.type?(this.originalEvent=a,this.type=a.type,this.isDefaultPrevented=a.defaultPrevented||void 0===a.defaultPrevented&&a.returnValue===!1?ua:va,this.target=a.target&&3===a.target.nodeType?a.target.parentNode:a.target,this.currentTarget=a.currentTarget,this.relatedTarget=a.relatedTarget):this.type=a,b&&r.extend(this,b),this.timeStamp=a&&a.timeStamp||r.now(),void(this[r.expando]=!0)):new r.Event(a,b)},r.Event.prototype={constructor:r.Event,isDefaultPrevented:va,isPropagationStopped:va,isImmediatePropagationStopped:va,isSimulated:!1,preventDefault:function(){var a=this.originalEvent;this.isDefaultPrevented=ua,a&&!this.isSimulated&&a.preventDefault()},stopPropagation:function(){var a=this.originalEvent;this.isPropagationStopped=ua,a&&!this.isSimulated&&a.stopPropagation()},stopImmediatePropagation:function(){var a=this.originalEvent;this.isImmediatePropagationStopped=ua,a&&!this.isSimulated&&a.stopImmediatePropagation(),this.stopPropagation()}},r.each({altKey:!0,bubbles:!0,cancelable:!0,changedTouches:!0,ctrlKey:!0,detail:!0,eventPhase:!0,metaKey:!0,pageX:!0,pageY:!0,shiftKey:!0,view:!0,\"char\":!0,charCode:!0,key:!0,keyCode:!0,button:!0,buttons:!0,clientX:!0,clientY:!0,offsetX:!0,offsetY:!0,pointerId:!0,pointerType:!0,screenX:!0,screenY:!0,targetTouches:!0,toElement:!0,touches:!0,which:function(a){var b=a.button;return null==a.which&&ra.test(a.type)?null!=a.charCode?a.charCode:a.keyCode:!a.which&&void 0!==b&&sa.test(a.type)?1&b?1:2&b?3:4&b?2:0:a.which}},r.event.addProp),r.each({mouseenter:\"mouseover\",mouseleave:\"mouseout\",pointerenter:\"pointerover\",pointerleave:\"pointerout\"},function(a,b){r.event.special[a]={delegateType:b,bindType:b,handle:function(a){var 
c,d=this,e=a.relatedTarget,f=a.handleObj;return e&&(e===d||r.contains(d,e))||(a.type=f.origType,c=f.handler.apply(this,arguments),a.type=b),c}}}),r.fn.extend({on:function(a,b,c,d){return xa(this,a,b,c,d)},one:function(a,b,c,d){return xa(this,a,b,c,d,1)},off:function(a,b,c){var d,e;if(a&&a.preventDefault&&a.handleObj)return d=a.handleObj,r(a.delegateTarget).off(d.namespace?d.origType+\".\"+d.namespace:d.origType,d.selector,d.handler),this;if(\"object\"==typeof a){for(e in a)this.off(e,b,a[e]);return this}return b!==!1&&\"function\"!=typeof b||(c=b,b=void 0),c===!1&&(c=va),this.each(function(){r.event.remove(this,a,c,b)})}});var ya=/<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\\/\\0>\\x20\\t\\r\\n\\f]*)[^>]*)\\/>/gi,za=/<script|<style|<link/i,Aa=/checked\\s*(?:[^=]|=\\s*.checked.)/i,Ba=/^true\\/(.*)/,Ca=/^\\s*<!(?:\\[CDATA\\[|--)|(?:\\]\\]|--)>\\s*$/g;function Da(a,b){return r.nodeName(a,\"table\")&&r.nodeName(11!==b.nodeType?b:b.firstChild,\"tr\")?a.getElementsByTagName(\"tbody\")[0]||a:a}function Ea(a){return a.type=(null!==a.getAttribute(\"type\"))+\"/\"+a.type,a}function Fa(a){var b=Ba.exec(a.type);return b?a.type=b[1]:a.removeAttribute(\"type\"),a}function Ga(a,b){var c,d,e,f,g,h,i,j;if(1===b.nodeType){if(V.hasData(a)&&(f=V.access(a),g=V.set(b,f),j=f.events)){delete g.handle,g.events={};for(e in j)for(c=0,d=j[e].length;c<d;c++)r.event.add(b,e,j[e][c])}W.hasData(a)&&(h=W.access(a),i=r.extend({},h),W.set(b,i))}}function Ha(a,b){var c=b.nodeName.toLowerCase();\"input\"===c&&ia.test(a.type)?b.checked=a.checked:\"input\"!==c&&\"textarea\"!==c||(b.defaultValue=a.defaultValue)}function Ia(a,b,c,d){b=g.apply([],b);var e,f,h,i,j,k,l=0,m=a.length,n=m-1,q=b[0],s=r.isFunction(q);if(s||m>1&&\"string\"==typeof q&&!o.checkClone&&Aa.test(q))return a.each(function(e){var 
f=a.eq(e);s&&(b[0]=q.call(this,e,f.html())),Ia(f,b,c,d)});if(m&&(e=pa(b,a[0].ownerDocument,!1,a,d),f=e.firstChild,1===e.childNodes.length&&(e=f),f||d)){for(h=r.map(ma(e,\"script\"),Ea),i=h.length;l<m;l++)j=e,l!==n&&(j=r.clone(j,!0,!0),i&&r.merge(h,ma(j,\"script\"))),c.call(a[l],j,l);if(i)for(k=h[h.length-1].ownerDocument,r.map(h,Fa),l=0;l<i;l++)j=h[l],ka.test(j.type||\"\")&&!V.access(j,\"globalEval\")&&r.contains(k,j)&&(j.src?r._evalUrl&&r._evalUrl(j.src):p(j.textContent.replace(Ca,\"\"),k))}return a}function Ja(a,b,c){for(var d,e=b?r.filter(b,a):a,f=0;null!=(d=e[f]);f++)c||1!==d.nodeType||r.cleanData(ma(d)),d.parentNode&&(c&&r.contains(d.ownerDocument,d)&&na(ma(d,\"script\")),d.parentNode.removeChild(d));return a}r.extend({htmlPrefilter:function(a){return a.replace(ya,\"<$1></$2>\")},clone:function(a,b,c){var d,e,f,g,h=a.cloneNode(!0),i=r.contains(a.ownerDocument,a);if(!(o.noCloneChecked||1!==a.nodeType&&11!==a.nodeType||r.isXMLDoc(a)))for(g=ma(h),f=ma(a),d=0,e=f.length;d<e;d++)Ha(f[d],g[d]);if(b)if(c)for(f=f||ma(a),g=g||ma(h),d=0,e=f.length;d<e;d++)Ga(f[d],g[d]);else Ga(a,h);return g=ma(h,\"script\"),g.length>0&&na(g,!i&&ma(a,\"script\")),h},cleanData:function(a){for(var b,c,d,e=r.event.special,f=0;void 0!==(c=a[f]);f++)if(T(c)){if(b=c[V.expando]){if(b.events)for(d in b.events)e[d]?r.event.remove(c,d):r.removeEvent(c,d,b.handle);c[V.expando]=void 0}c[W.expando]&&(c[W.expando]=void 0)}}}),r.fn.extend({detach:function(a){return Ja(this,a,!0)},remove:function(a){return Ja(this,a)},text:function(a){return S(this,function(a){return void 0===a?r.text(this):this.empty().each(function(){1!==this.nodeType&&11!==this.nodeType&&9!==this.nodeType||(this.textContent=a)})},null,a,arguments.length)},append:function(){return Ia(this,arguments,function(a){if(1===this.nodeType||11===this.nodeType||9===this.nodeType){var b=Da(this,a);b.appendChild(a)}})},prepend:function(){return Ia(this,arguments,function(a){if(1===this.nodeType||11===this.nodeType||9===this.nodeType){var 
b=Da(this,a);b.insertBefore(a,b.firstChild)}})},before:function(){return Ia(this,arguments,function(a){this.parentNode&&this.parentNode.insertBefore(a,this)})},after:function(){return Ia(this,arguments,function(a){this.parentNode&&this.parentNode.insertBefore(a,this.nextSibling)})},empty:function(){for(var a,b=0;null!=(a=this[b]);b++)1===a.nodeType&&(r.cleanData(ma(a,!1)),a.textContent=\"\");return this},clone:function(a,b){return a=null!=a&&a,b=null==b?a:b,this.map(function(){return r.clone(this,a,b)})},html:function(a){return S(this,function(a){var b=this[0]||{},c=0,d=this.length;if(void 0===a&&1===b.nodeType)return b.innerHTML;if(\"string\"==typeof a&&!za.test(a)&&!la[(ja.exec(a)||[\"\",\"\"])[1].toLowerCase()]){a=r.htmlPrefilter(a);try{for(;c<d;c++)b=this[c]||{},1===b.nodeType&&(r.cleanData(ma(b,!1)),b.innerHTML=a);b=0}catch(e){}}b&&this.empty().append(a)},null,a,arguments.length)},replaceWith:function(){var a=[];return Ia(this,arguments,function(b){var c=this.parentNode;r.inArray(this,a)<0&&(r.cleanData(ma(this)),c&&c.replaceChild(b,this))},a)}}),r.each({appendTo:\"append\",prependTo:\"prepend\",insertBefore:\"before\",insertAfter:\"after\",replaceAll:\"replaceWith\"},function(a,b){r.fn[a]=function(a){for(var c,d=[],e=r(a),f=e.length-1,g=0;g<=f;g++)c=g===f?this:this.clone(!0),r(e[g])[b](c),h.apply(d,c.get());return this.pushStack(d)}});var Ka=/^margin/,La=new RegExp(\"^(\"+_+\")(?!px)[a-z%]+$\",\"i\"),Ma=function(b){var c=b.ownerDocument.defaultView;return c&&c.opener||(c=a),c.getComputedStyle(b)};!function(){function b(){if(i){i.style.cssText=\"box-sizing:border-box;position:relative;display:block;margin:auto;border:1px;padding:1px;top:1%;width:50%\",i.innerHTML=\"\",qa.appendChild(h);var b=a.getComputedStyle(i);c=\"1%\"!==b.top,g=\"2px\"===b.marginLeft,e=\"4px\"===b.width,i.style.marginRight=\"50%\",f=\"4px\"===b.marginRight,qa.removeChild(h),i=null}}var 
c,e,f,g,h=d.createElement(\"div\"),i=d.createElement(\"div\");i.style&&(i.style.backgroundClip=\"content-box\",i.cloneNode(!0).style.backgroundClip=\"\",o.clearCloneStyle=\"content-box\"===i.style.backgroundClip,h.style.cssText=\"border:0;width:8px;height:0;top:0;left:-9999px;padding:0;margin-top:1px;position:absolute\",h.appendChild(i),r.extend(o,{pixelPosition:function(){return b(),c},boxSizingReliable:function(){return b(),e},pixelMarginRight:function(){return b(),f},reliableMarginLeft:function(){return b(),g}}))}();function Na(a,b,c){var d,e,f,g,h=a.style;return c=c||Ma(a),c&&(g=c.getPropertyValue(b)||c[b],\"\"!==g||r.contains(a.ownerDocument,a)||(g=r.style(a,b)),!o.pixelMarginRight()&&La.test(g)&&Ka.test(b)&&(d=h.width,e=h.minWidth,f=h.maxWidth,h.minWidth=h.maxWidth=h.width=g,g=c.width,h.width=d,h.minWidth=e,h.maxWidth=f)),void 0!==g?g+\"\":g}function Oa(a,b){return{get:function(){return a()?void delete this.get:(this.get=b).apply(this,arguments)}}}var Pa=/^(none|table(?!-c[ea]).+)/,Qa={position:\"absolute\",visibility:\"hidden\",display:\"block\"},Ra={letterSpacing:\"0\",fontWeight:\"400\"},Sa=[\"Webkit\",\"Moz\",\"ms\"],Ta=d.createElement(\"div\").style;function Ua(a){if(a in Ta)return a;var b=a[0].toUpperCase()+a.slice(1),c=Sa.length;while(c--)if(a=Sa[c]+b,a in Ta)return a}function Va(a,b,c){var d=aa.exec(b);return d?Math.max(0,d[2]-(c||0))+(d[3]||\"px\"):b}function Wa(a,b,c,d,e){var f,g=0;for(f=c===(d?\"border\":\"content\")?4:\"width\"===b?1:0;f<4;f+=2)\"margin\"===c&&(g+=r.css(a,c+ba[f],!0,e)),d?(\"content\"===c&&(g-=r.css(a,\"padding\"+ba[f],!0,e)),\"margin\"!==c&&(g-=r.css(a,\"border\"+ba[f]+\"Width\",!0,e))):(g+=r.css(a,\"padding\"+ba[f],!0,e),\"padding\"!==c&&(g+=r.css(a,\"border\"+ba[f]+\"Width\",!0,e)));return g}function Xa(a,b,c){var d,e=!0,f=Ma(a),g=\"border-box\"===r.css(a,\"boxSizing\",!1,f);if(a.getClientRects().length&&(d=a.getBoundingClientRect()[b]),d<=0||null==d){if(d=Na(a,b,f),(d<0||null==d)&&(d=a.style[b]),La.test(d))return 
d;e=g&&(o.boxSizingReliable()||d===a.style[b]),d=parseFloat(d)||0}return d+Wa(a,b,c||(g?\"border\":\"content\"),e,f)+\"px\"}r.extend({cssHooks:{opacity:{get:function(a,b){if(b){var c=Na(a,\"opacity\");return\"\"===c?\"1\":c}}}},cssNumber:{animationIterationCount:!0,columnCount:!0,fillOpacity:!0,flexGrow:!0,flexShrink:!0,fontWeight:!0,lineHeight:!0,opacity:!0,order:!0,orphans:!0,widows:!0,zIndex:!0,zoom:!0},cssProps:{\"float\":\"cssFloat\"},style:function(a,b,c,d){if(a&&3!==a.nodeType&&8!==a.nodeType&&a.style){var e,f,g,h=r.camelCase(b),i=a.style;return b=r.cssProps[h]||(r.cssProps[h]=Ua(h)||h),g=r.cssHooks[b]||r.cssHooks[h],void 0===c?g&&\"get\"in g&&void 0!==(e=g.get(a,!1,d))?e:i[b]:(f=typeof c,\"string\"===f&&(e=aa.exec(c))&&e[1]&&(c=ea(a,b,e),f=\"number\"),null!=c&&c===c&&(\"number\"===f&&(c+=e&&e[3]||(r.cssNumber[h]?\"\":\"px\")),o.clearCloneStyle||\"\"!==c||0!==b.indexOf(\"background\")||(i[b]=\"inherit\"),g&&\"set\"in g&&void 0===(c=g.set(a,c,d))||(i[b]=c)),void 0)}},css:function(a,b,c,d){var e,f,g,h=r.camelCase(b);return b=r.cssProps[h]||(r.cssProps[h]=Ua(h)||h),g=r.cssHooks[b]||r.cssHooks[h],g&&\"get\"in g&&(e=g.get(a,!0,c)),void 0===e&&(e=Na(a,b,d)),\"normal\"===e&&b in Ra&&(e=Ra[b]),\"\"===c||c?(f=parseFloat(e),c===!0||isFinite(f)?f||0:e):e}}),r.each([\"height\",\"width\"],function(a,b){r.cssHooks[b]={get:function(a,c,d){if(c)return!Pa.test(r.css(a,\"display\"))||a.getClientRects().length&&a.getBoundingClientRect().width?Xa(a,b,d):da(a,Qa,function(){return Xa(a,b,d)})},set:function(a,c,d){var e,f=d&&Ma(a),g=d&&Wa(a,b,d,\"border-box\"===r.css(a,\"boxSizing\",!1,f),f);return g&&(e=aa.exec(c))&&\"px\"!==(e[3]||\"px\")&&(a.style[b]=c,c=r.css(a,b)),Va(a,c,g)}}}),r.cssHooks.marginLeft=Oa(o.reliableMarginLeft,function(a,b){if(b)return(parseFloat(Na(a,\"marginLeft\"))||a.getBoundingClientRect().left-da(a,{marginLeft:0},function(){return 
a.getBoundingClientRect().left}))+\"px\"}),r.each({margin:\"\",padding:\"\",border:\"Width\"},function(a,b){r.cssHooks[a+b]={expand:function(c){for(var d=0,e={},f=\"string\"==typeof c?c.split(\" \"):[c];d<4;d++)e[a+ba[d]+b]=f[d]||f[d-2]||f[0];return e}},Ka.test(a)||(r.cssHooks[a+b].set=Va)}),r.fn.extend({css:function(a,b){return S(this,function(a,b,c){var d,e,f={},g=0;if(r.isArray(b)){for(d=Ma(a),e=b.length;g<e;g++)f[b[g]]=r.css(a,b[g],!1,d);return f}return void 0!==c?r.style(a,b,c):r.css(a,b)},a,b,arguments.length>1)}});function Ya(a,b,c,d,e){return new Ya.prototype.init(a,b,c,d,e)}r.Tween=Ya,Ya.prototype={constructor:Ya,init:function(a,b,c,d,e,f){this.elem=a,this.prop=c,this.easing=e||r.easing._default,this.options=b,this.start=this.now=this.cur(),this.end=d,this.unit=f||(r.cssNumber[c]?\"\":\"px\")},cur:function(){var a=Ya.propHooks[this.prop];return a&&a.get?a.get(this):Ya.propHooks._default.get(this)},run:function(a){var b,c=Ya.propHooks[this.prop];return this.options.duration?this.pos=b=r.easing[this.easing](a,this.options.duration*a,0,1,this.options.duration):this.pos=b=a,this.now=(this.end-this.start)*b+this.start,this.options.step&&this.options.step.call(this.elem,this.now,this),c&&c.set?c.set(this):Ya.propHooks._default.set(this),this}},Ya.prototype.init.prototype=Ya.prototype,Ya.propHooks={_default:{get:function(a){var b;return 1!==a.elem.nodeType||null!=a.elem[a.prop]&&null==a.elem.style[a.prop]?a.elem[a.prop]:(b=r.css(a.elem,a.prop,\"\"),b&&\"auto\"!==b?b:0)},set:function(a){r.fx.step[a.prop]?r.fx.step[a.prop](a):1!==a.elem.nodeType||null==a.elem.style[r.cssProps[a.prop]]&&!r.cssHooks[a.prop]?a.elem[a.prop]=a.now:r.style(a.elem,a.prop,a.now+a.unit)}}},Ya.propHooks.scrollTop=Ya.propHooks.scrollLeft={set:function(a){a.elem.nodeType&&a.elem.parentNode&&(a.elem[a.prop]=a.now)}},r.easing={linear:function(a){return a},swing:function(a){return.5-Math.cos(a*Math.PI)/2},_default:\"swing\"},r.fx=Ya.prototype.init,r.fx.step={};var 
Za,$a,_a=/^(?:toggle|show|hide)$/,ab=/queueHooks$/;function bb(){$a&&(a.requestAnimationFrame(bb),r.fx.tick())}function cb(){return a.setTimeout(function(){Za=void 0}),Za=r.now()}function db(a,b){var c,d=0,e={height:a};for(b=b?1:0;d<4;d+=2-b)c=ba[d],e[\"margin\"+c]=e[\"padding\"+c]=a;return b&&(e.opacity=e.width=a),e}function eb(a,b,c){for(var d,e=(hb.tweeners[b]||[]).concat(hb.tweeners[\"*\"]),f=0,g=e.length;f<g;f++)if(d=e[f].call(c,b,a))return d}function fb(a,b,c){var d,e,f,g,h,i,j,k,l=\"width\"in b||\"height\"in b,m=this,n={},o=a.style,p=a.nodeType&&ca(a),q=V.get(a,\"fxshow\");c.queue||(g=r._queueHooks(a,\"fx\"),null==g.unqueued&&(g.unqueued=0,h=g.empty.fire,g.empty.fire=function(){g.unqueued||h()}),g.unqueued++,m.always(function(){m.always(function(){g.unqueued--,r.queue(a,\"fx\").length||g.empty.fire()})}));for(d in b)if(e=b[d],_a.test(e)){if(delete b[d],f=f||\"toggle\"===e,e===(p?\"hide\":\"show\")){if(\"show\"!==e||!q||void 0===q[d])continue;p=!0}n[d]=q&&q[d]||r.style(a,d)}if(i=!r.isEmptyObject(b),i||!r.isEmptyObject(n)){l&&1===a.nodeType&&(c.overflow=[o.overflow,o.overflowX,o.overflowY],j=q&&q.display,null==j&&(j=V.get(a,\"display\")),k=r.css(a,\"display\"),\"none\"===k&&(j?k=j:(ha([a],!0),j=a.style.display||j,k=r.css(a,\"display\"),ha([a]))),(\"inline\"===k||\"inline-block\"===k&&null!=j)&&\"none\"===r.css(a,\"float\")&&(i||(m.done(function(){o.display=j}),null==j&&(k=o.display,j=\"none\"===k?\"\":k)),o.display=\"inline-block\")),c.overflow&&(o.overflow=\"hidden\",m.always(function(){o.overflow=c.overflow[0],o.overflowX=c.overflow[1],o.overflowY=c.overflow[2]})),i=!1;for(d in n)i||(q?\"hidden\"in q&&(p=q.hidden):q=V.access(a,\"fxshow\",{display:j}),f&&(q.hidden=!p),p&&ha([a],!0),m.done(function(){p||ha([a]),V.remove(a,\"fxshow\");for(d in n)r.style(a,d,n[d])})),i=eb(p?q[d]:0,d,m),d in q||(q[d]=i.start,p&&(i.end=i.start,i.start=0))}}function gb(a,b){var c,d,e,f,g;for(c in 
a)if(d=r.camelCase(c),e=b[d],f=a[c],r.isArray(f)&&(e=f[1],f=a[c]=f[0]),c!==d&&(a[d]=f,delete a[c]),g=r.cssHooks[d],g&&\"expand\"in g){f=g.expand(f),delete a[d];for(c in f)c in a||(a[c]=f[c],b[c]=e)}else b[d]=e}function hb(a,b,c){var d,e,f=0,g=hb.prefilters.length,h=r.Deferred().always(function(){delete i.elem}),i=function(){if(e)return!1;for(var b=Za||cb(),c=Math.max(0,j.startTime+j.duration-b),d=c/j.duration||0,f=1-d,g=0,i=j.tweens.length;g<i;g++)j.tweens[g].run(f);return h.notifyWith(a,[j,f,c]),f<1&&i?c:(h.resolveWith(a,[j]),!1)},j=h.promise({elem:a,props:r.extend({},b),opts:r.extend(!0,{specialEasing:{},easing:r.easing._default},c),originalProperties:b,originalOptions:c,startTime:Za||cb(),duration:c.duration,tweens:[],createTween:function(b,c){var d=r.Tween(a,j.opts,b,c,j.opts.specialEasing[b]||j.opts.easing);return j.tweens.push(d),d},stop:function(b){var c=0,d=b?j.tweens.length:0;if(e)return this;for(e=!0;c<d;c++)j.tweens[c].run(1);return b?(h.notifyWith(a,[j,1,0]),h.resolveWith(a,[j,b])):h.rejectWith(a,[j,b]),this}}),k=j.props;for(gb(k,j.opts.specialEasing);f<g;f++)if(d=hb.prefilters[f].call(j,a,k,j.opts))return r.isFunction(d.stop)&&(r._queueHooks(j.elem,j.opts.queue).stop=r.proxy(d.stop,d)),d;return r.map(k,eb,j),r.isFunction(j.opts.start)&&j.opts.start.call(a,j),r.fx.timer(r.extend(i,{elem:a,anim:j,queue:j.opts.queue})),j.progress(j.opts.progress).done(j.opts.done,j.opts.complete).fail(j.opts.fail).always(j.opts.always)}r.Animation=r.extend(hb,{tweeners:{\"*\":[function(a,b){var c=this.createTween(a,b);return ea(c.elem,a,aa.exec(b),c),c}]},tweener:function(a,b){r.isFunction(a)?(b=a,a=[\"*\"]):a=a.match(K);for(var c,d=0,e=a.length;d<e;d++)c=a[d],hb.tweeners[c]=hb.tweeners[c]||[],hb.tweeners[c].unshift(b)},prefilters:[fb],prefilter:function(a,b){b?hb.prefilters.unshift(a):hb.prefilters.push(a)}}),r.speed=function(a,b,c){var e=a&&\"object\"==typeof a?r.extend({},a):{complete:c||!c&&b||r.isFunction(a)&&a,duration:a,easing:c&&b||b&&!r.isFunction(b)&&b};return 
r.fx.off||d.hidden?e.duration=0:\"number\"!=typeof e.duration&&(e.duration in r.fx.speeds?e.duration=r.fx.speeds[e.duration]:e.duration=r.fx.speeds._default),null!=e.queue&&e.queue!==!0||(e.queue=\"fx\"),e.old=e.complete,e.complete=function(){r.isFunction(e.old)&&e.old.call(this),e.queue&&r.dequeue(this,e.queue)},e},r.fn.extend({fadeTo:function(a,b,c,d){return this.filter(ca).css(\"opacity\",0).show().end().animate({opacity:b},a,c,d)},animate:function(a,b,c,d){var e=r.isEmptyObject(a),f=r.speed(b,c,d),g=function(){var b=hb(this,r.extend({},a),f);(e||V.get(this,\"finish\"))&&b.stop(!0)};return g.finish=g,e||f.queue===!1?this.each(g):this.queue(f.queue,g)},stop:function(a,b,c){var d=function(a){var b=a.stop;delete a.stop,b(c)};return\"string\"!=typeof a&&(c=b,b=a,a=void 0),b&&a!==!1&&this.queue(a||\"fx\",[]),this.each(function(){var b=!0,e=null!=a&&a+\"queueHooks\",f=r.timers,g=V.get(this);if(e)g[e]&&g[e].stop&&d(g[e]);else for(e in g)g[e]&&g[e].stop&&ab.test(e)&&d(g[e]);for(e=f.length;e--;)f[e].elem!==this||null!=a&&f[e].queue!==a||(f[e].anim.stop(c),b=!1,f.splice(e,1));!b&&c||r.dequeue(this,a)})},finish:function(a){return a!==!1&&(a=a||\"fx\"),this.each(function(){var b,c=V.get(this),d=c[a+\"queue\"],e=c[a+\"queueHooks\"],f=r.timers,g=d?d.length:0;for(c.finish=!0,r.queue(this,a,[]),e&&e.stop&&e.stop.call(this,!0),b=f.length;b--;)f[b].elem===this&&f[b].queue===a&&(f[b].anim.stop(!0),f.splice(b,1));for(b=0;b<g;b++)d[b]&&d[b].finish&&d[b].finish.call(this);delete c.finish})}}),r.each([\"toggle\",\"show\",\"hide\"],function(a,b){var c=r.fn[b];r.fn[b]=function(a,d,e){return null==a||\"boolean\"==typeof a?c.apply(this,arguments):this.animate(db(b,!0),a,d,e)}}),r.each({slideDown:db(\"show\"),slideUp:db(\"hide\"),slideToggle:db(\"toggle\"),fadeIn:{opacity:\"show\"},fadeOut:{opacity:\"hide\"},fadeToggle:{opacity:\"toggle\"}},function(a,b){r.fn[a]=function(a,c,d){return this.animate(b,a,c,d)}}),r.timers=[],r.fx.tick=function(){var 
a,b=0,c=r.timers;for(Za=r.now();b<c.length;b++)a=c[b],a()||c[b]!==a||c.splice(b--,1);c.length||r.fx.stop(),Za=void 0},r.fx.timer=function(a){r.timers.push(a),a()?r.fx.start():r.timers.pop()},r.fx.interval=13,r.fx.start=function(){$a||($a=a.requestAnimationFrame?a.requestAnimationFrame(bb):a.setInterval(r.fx.tick,r.fx.interval))},r.fx.stop=function(){a.cancelAnimationFrame?a.cancelAnimationFrame($a):a.clearInterval($a),$a=null},r.fx.speeds={slow:600,fast:200,_default:400},r.fn.delay=function(b,c){return b=r.fx?r.fx.speeds[b]||b:b,c=c||\"fx\",this.queue(c,function(c,d){var e=a.setTimeout(c,b);d.stop=function(){a.clearTimeout(e)}})},function(){var a=d.createElement(\"input\"),b=d.createElement(\"select\"),c=b.appendChild(d.createElement(\"option\"));a.type=\"checkbox\",o.checkOn=\"\"!==a.value,o.optSelected=c.selected,a=d.createElement(\"input\"),a.value=\"t\",a.type=\"radio\",o.radioValue=\"t\"===a.value}();var ib,jb=r.expr.attrHandle;r.fn.extend({attr:function(a,b){return S(this,r.attr,a,b,arguments.length>1)},removeAttr:function(a){return this.each(function(){r.removeAttr(this,a)})}}),r.extend({attr:function(a,b,c){var d,e,f=a.nodeType;if(3!==f&&8!==f&&2!==f)return\"undefined\"==typeof a.getAttribute?r.prop(a,b,c):(1===f&&r.isXMLDoc(a)||(e=r.attrHooks[b.toLowerCase()]||(r.expr.match.bool.test(b)?ib:void 0)),void 0!==c?null===c?void r.removeAttr(a,b):e&&\"set\"in e&&void 0!==(d=e.set(a,c,b))?d:(a.setAttribute(b,c+\"\"),c):e&&\"get\"in e&&null!==(d=e.get(a,b))?d:(d=r.find.attr(a,b),null==d?void 0:d))},attrHooks:{type:{set:function(a,b){if(!o.radioValue&&\"radio\"===b&&r.nodeName(a,\"input\")){var c=a.value;return a.setAttribute(\"type\",b),c&&(a.value=c),b}}}},removeAttr:function(a,b){var c,d=0,e=b&&b.match(K);if(e&&1===a.nodeType)while(c=e[d++])a.removeAttribute(c)}}),ib={set:function(a,b,c){return b===!1?r.removeAttr(a,c):a.setAttribute(c,c),c}},r.each(r.expr.match.bool.source.match(/\\w+/g),function(a,b){var c=jb[b]||r.find.attr;jb[b]=function(a,b,d){var 
e,f,g=b.toLowerCase();return d||(f=jb[g],jb[g]=e,e=null!=c(a,b,d)?g:null,jb[g]=f),e}});var kb=/^(?:input|select|textarea|button)$/i,lb=/^(?:a|area)$/i;r.fn.extend({prop:function(a,b){return S(this,r.prop,a,b,arguments.length>1)},removeProp:function(a){return this.each(function(){delete this[r.propFix[a]||a]})}}),r.extend({prop:function(a,b,c){var d,e,f=a.nodeType;if(3!==f&&8!==f&&2!==f)return 1===f&&r.isXMLDoc(a)||(b=r.propFix[b]||b,e=r.propHooks[b]),void 0!==c?e&&\"set\"in e&&void 0!==(d=e.set(a,c,b))?d:a[b]=c:e&&\"get\"in e&&null!==(d=e.get(a,b))?d:a[b]},propHooks:{tabIndex:{get:function(a){var b=r.find.attr(a,\"tabindex\");return b?parseInt(b,10):kb.test(a.nodeName)||lb.test(a.nodeName)&&a.href?0:-1}}},propFix:{\"for\":\"htmlFor\",\"class\":\"className\"}}),o.optSelected||(r.propHooks.selected={get:function(a){var b=a.parentNode;return b&&b.parentNode&&b.parentNode.selectedIndex,null},set:function(a){var b=a.parentNode;b&&(b.selectedIndex,b.parentNode&&b.parentNode.selectedIndex)}}),r.each([\"tabIndex\",\"readOnly\",\"maxLength\",\"cellSpacing\",\"cellPadding\",\"rowSpan\",\"colSpan\",\"useMap\",\"frameBorder\",\"contentEditable\"],function(){r.propFix[this.toLowerCase()]=this});function mb(a){var b=a.match(K)||[];return b.join(\" \")}function nb(a){return a.getAttribute&&a.getAttribute(\"class\")||\"\"}r.fn.extend({addClass:function(a){var b,c,d,e,f,g,h,i=0;if(r.isFunction(a))return this.each(function(b){r(this).addClass(a.call(this,b,nb(this)))});if(\"string\"==typeof a&&a){b=a.match(K)||[];while(c=this[i++])if(e=nb(c),d=1===c.nodeType&&\" \"+mb(e)+\" \"){g=0;while(f=b[g++])d.indexOf(\" \"+f+\" \")<0&&(d+=f+\" \");h=mb(d),e!==h&&c.setAttribute(\"class\",h)}}return this},removeClass:function(a){var b,c,d,e,f,g,h,i=0;if(r.isFunction(a))return this.each(function(b){r(this).removeClass(a.call(this,b,nb(this)))});if(!arguments.length)return this.attr(\"class\",\"\");if(\"string\"==typeof a&&a){b=a.match(K)||[];while(c=this[i++])if(e=nb(c),d=1===c.nodeType&&\" 
\"+mb(e)+\" \"){g=0;while(f=b[g++])while(d.indexOf(\" \"+f+\" \")>-1)d=d.replace(\" \"+f+\" \",\" \");h=mb(d),e!==h&&c.setAttribute(\"class\",h)}}return this},toggleClass:function(a,b){var c=typeof a;return\"boolean\"==typeof b&&\"string\"===c?b?this.addClass(a):this.removeClass(a):r.isFunction(a)?this.each(function(c){r(this).toggleClass(a.call(this,c,nb(this),b),b)}):this.each(function(){var b,d,e,f;if(\"string\"===c){d=0,e=r(this),f=a.match(K)||[];while(b=f[d++])e.hasClass(b)?e.removeClass(b):e.addClass(b)}else void 0!==a&&\"boolean\"!==c||(b=nb(this),b&&V.set(this,\"__className__\",b),this.setAttribute&&this.setAttribute(\"class\",b||a===!1?\"\":V.get(this,\"__className__\")||\"\"))})},hasClass:function(a){var b,c,d=0;b=\" \"+a+\" \";while(c=this[d++])if(1===c.nodeType&&(\" \"+mb(nb(c))+\" \").indexOf(b)>-1)return!0;return!1}});var ob=/\\r/g;r.fn.extend({val:function(a){var b,c,d,e=this[0];{if(arguments.length)return d=r.isFunction(a),this.each(function(c){var e;1===this.nodeType&&(e=d?a.call(this,c,r(this).val()):a,null==e?e=\"\":\"number\"==typeof e?e+=\"\":r.isArray(e)&&(e=r.map(e,function(a){return null==a?\"\":a+\"\"})),b=r.valHooks[this.type]||r.valHooks[this.nodeName.toLowerCase()],b&&\"set\"in b&&void 0!==b.set(this,e,\"value\")||(this.value=e))});if(e)return b=r.valHooks[e.type]||r.valHooks[e.nodeName.toLowerCase()],b&&\"get\"in b&&void 0!==(c=b.get(e,\"value\"))?c:(c=e.value,\"string\"==typeof c?c.replace(ob,\"\"):null==c?\"\":c)}}}),r.extend({valHooks:{option:{get:function(a){var b=r.find.attr(a,\"value\");return null!=b?b:mb(r.text(a))}},select:{get:function(a){var b,c,d,e=a.options,f=a.selectedIndex,g=\"select-one\"===a.type,h=g?null:[],i=g?f+1:e.length;for(d=f<0?i:g?f:0;d<i;d++)if(c=e[d],(c.selected||d===f)&&!c.disabled&&(!c.parentNode.disabled||!r.nodeName(c.parentNode,\"optgroup\"))){if(b=r(c).val(),g)return b;h.push(b)}return h},set:function(a,b){var 
c,d,e=a.options,f=r.makeArray(b),g=e.length;while(g--)d=e[g],(d.selected=r.inArray(r.valHooks.option.get(d),f)>-1)&&(c=!0);return c||(a.selectedIndex=-1),f}}}}),r.each([\"radio\",\"checkbox\"],function(){r.valHooks[this]={set:function(a,b){if(r.isArray(b))return a.checked=r.inArray(r(a).val(),b)>-1}},o.checkOn||(r.valHooks[this].get=function(a){return null===a.getAttribute(\"value\")?\"on\":a.value})});var pb=/^(?:focusinfocus|focusoutblur)$/;r.extend(r.event,{trigger:function(b,c,e,f){var g,h,i,j,k,m,n,o=[e||d],p=l.call(b,\"type\")?b.type:b,q=l.call(b,\"namespace\")?b.namespace.split(\".\"):[];if(h=i=e=e||d,3!==e.nodeType&&8!==e.nodeType&&!pb.test(p+r.event.triggered)&&(p.indexOf(\".\")>-1&&(q=p.split(\".\"),p=q.shift(),q.sort()),k=p.indexOf(\":\")<0&&\"on\"+p,b=b[r.expando]?b:new r.Event(p,\"object\"==typeof b&&b),b.isTrigger=f?2:3,b.namespace=q.join(\".\"),b.rnamespace=b.namespace?new RegExp(\"(^|\\\\.)\"+q.join(\"\\\\.(?:.*\\\\.|)\")+\"(\\\\.|$)\"):null,b.result=void 0,b.target||(b.target=e),c=null==c?[b]:r.makeArray(c,[b]),n=r.event.special[p]||{},f||!n.trigger||n.trigger.apply(e,c)!==!1)){if(!f&&!n.noBubble&&!r.isWindow(e)){for(j=n.delegateType||p,pb.test(j+p)||(h=h.parentNode);h;h=h.parentNode)o.push(h),i=h;i===(e.ownerDocument||d)&&o.push(i.defaultView||i.parentWindow||a)}g=0;while((h=o[g++])&&!b.isPropagationStopped())b.type=g>1?j:n.bindType||p,m=(V.get(h,\"events\")||{})[b.type]&&V.get(h,\"handle\"),m&&m.apply(h,c),m=k&&h[k],m&&m.apply&&T(h)&&(b.result=m.apply(h,c),b.result===!1&&b.preventDefault());return b.type=p,f||b.isDefaultPrevented()||n._default&&n._default.apply(o.pop(),c)!==!1||!T(e)||k&&r.isFunction(e[p])&&!r.isWindow(e)&&(i=e[k],i&&(e[k]=null),r.event.triggered=p,e[p](),r.event.triggered=void 0,i&&(e[k]=i)),b.result}},simulate:function(a,b,c){var d=r.extend(new r.Event,c,{type:a,isSimulated:!0});r.event.trigger(d,null,b)}}),r.fn.extend({trigger:function(a,b){return 
this.each(function(){r.event.trigger(a,b,this)})},triggerHandler:function(a,b){var c=this[0];if(c)return r.event.trigger(a,b,c,!0)}}),r.each(\"blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu\".split(\" \"),function(a,b){r.fn[b]=function(a,c){return arguments.length>0?this.on(b,null,a,c):this.trigger(b)}}),r.fn.extend({hover:function(a,b){return this.mouseenter(a).mouseleave(b||a)}}),o.focusin=\"onfocusin\"in a,o.focusin||r.each({focus:\"focusin\",blur:\"focusout\"},function(a,b){var c=function(a){r.event.simulate(b,a.target,r.event.fix(a))};r.event.special[b]={setup:function(){var d=this.ownerDocument||this,e=V.access(d,b);e||d.addEventListener(a,c,!0),V.access(d,b,(e||0)+1)},teardown:function(){var d=this.ownerDocument||this,e=V.access(d,b)-1;e?V.access(d,b,e):(d.removeEventListener(a,c,!0),V.remove(d,b))}}});var qb=a.location,rb=r.now(),sb=/\\?/;r.parseXML=function(b){var c;if(!b||\"string\"!=typeof b)return null;try{c=(new a.DOMParser).parseFromString(b,\"text/xml\")}catch(d){c=void 0}return c&&!c.getElementsByTagName(\"parsererror\").length||r.error(\"Invalid XML: \"+b),c};var tb=/\\[\\]$/,ub=/\\r?\\n/g,vb=/^(?:submit|button|image|reset|file)$/i,wb=/^(?:input|select|textarea|keygen)/i;function xb(a,b,c,d){var e;if(r.isArray(b))r.each(b,function(b,e){c||tb.test(a)?d(a,e):xb(a+\"[\"+(\"object\"==typeof e&&null!=e?b:\"\")+\"]\",e,c,d)});else if(c||\"object\"!==r.type(b))d(a,b);else for(e in b)xb(a+\"[\"+e+\"]\",b[e],c,d)}r.param=function(a,b){var c,d=[],e=function(a,b){var c=r.isFunction(b)?b():b;d[d.length]=encodeURIComponent(a)+\"=\"+encodeURIComponent(null==c?\"\":c)};if(r.isArray(a)||a.jquery&&!r.isPlainObject(a))r.each(a,function(){e(this.name,this.value)});else for(c in a)xb(c,a[c],b,e);return d.join(\"&\")},r.fn.extend({serialize:function(){return r.param(this.serializeArray())},serializeArray:function(){return 
this.map(function(){var a=r.prop(this,\"elements\");return a?r.makeArray(a):this}).filter(function(){var a=this.type;return this.name&&!r(this).is(\":disabled\")&&wb.test(this.nodeName)&&!vb.test(a)&&(this.checked||!ia.test(a))}).map(function(a,b){var c=r(this).val();return null==c?null:r.isArray(c)?r.map(c,function(a){return{name:b.name,value:a.replace(ub,\"\\r\\n\")}}):{name:b.name,value:c.replace(ub,\"\\r\\n\")}}).get()}});var yb=/%20/g,zb=/#.*$/,Ab=/([?&])_=[^&]*/,Bb=/^(.*?):[ \\t]*([^\\r\\n]*)$/gm,Cb=/^(?:about|app|app-storage|.+-extension|file|res|widget):$/,Db=/^(?:GET|HEAD)$/,Eb=/^\\/\\//,Fb={},Gb={},Hb=\"*/\".concat(\"*\"),Ib=d.createElement(\"a\");Ib.href=qb.href;function Jb(a){return function(b,c){\"string\"!=typeof b&&(c=b,b=\"*\");var d,e=0,f=b.toLowerCase().match(K)||[];if(r.isFunction(c))while(d=f[e++])\"+\"===d[0]?(d=d.slice(1)||\"*\",(a[d]=a[d]||[]).unshift(c)):(a[d]=a[d]||[]).push(c)}}function Kb(a,b,c,d){var e={},f=a===Gb;function g(h){var i;return e[h]=!0,r.each(a[h]||[],function(a,h){var j=h(b,c,d);return\"string\"!=typeof j||f||e[j]?f?!(i=j):void 0:(b.dataTypes.unshift(j),g(j),!1)}),i}return g(b.dataTypes[0])||!e[\"*\"]&&g(\"*\")}function Lb(a,b){var c,d,e=r.ajaxSettings.flatOptions||{};for(c in b)void 0!==b[c]&&((e[c]?a:d||(d={}))[c]=b[c]);return d&&r.extend(!0,a,d),a}function Mb(a,b,c){var d,e,f,g,h=a.contents,i=a.dataTypes;while(\"*\"===i[0])i.shift(),void 0===d&&(d=a.mimeType||b.getResponseHeader(\"Content-Type\"));if(d)for(e in h)if(h[e]&&h[e].test(d)){i.unshift(e);break}if(i[0]in c)f=i[0];else{for(e in c){if(!i[0]||a.converters[e+\" \"+i[0]]){f=e;break}g||(g=e)}f=f||g}if(f)return f!==i[0]&&i.unshift(f),c[f]}function Nb(a,b,c,d){var e,f,g,h,i,j={},k=a.dataTypes.slice();if(k[1])for(g in a.converters)j[g.toLowerCase()]=a.converters[g];f=k.shift();while(f)if(a.responseFields[f]&&(c[a.responseFields[f]]=b),!i&&d&&a.dataFilter&&(b=a.dataFilter(b,a.dataType)),i=f,f=k.shift())if(\"*\"===f)f=i;else if(\"*\"!==i&&i!==f){if(g=j[i+\" \"+f]||j[\"* 
\"+f],!g)for(e in j)if(h=e.split(\" \"),h[1]===f&&(g=j[i+\" \"+h[0]]||j[\"* \"+h[0]])){g===!0?g=j[e]:j[e]!==!0&&(f=h[0],k.unshift(h[1]));break}if(g!==!0)if(g&&a[\"throws\"])b=g(b);else try{b=g(b)}catch(l){return{state:\"parsererror\",error:g?l:\"No conversion from \"+i+\" to \"+f}}}return{state:\"success\",data:b}}r.extend({active:0,lastModified:{},etag:{},ajaxSettings:{url:qb.href,type:\"GET\",isLocal:Cb.test(qb.protocol),global:!0,processData:!0,async:!0,contentType:\"application/x-www-form-urlencoded; charset=UTF-8\",accepts:{\"*\":Hb,text:\"text/plain\",html:\"text/html\",xml:\"application/xml, text/xml\",json:\"application/json, text/javascript\"},contents:{xml:/\\bxml\\b/,html:/\\bhtml/,json:/\\bjson\\b/},responseFields:{xml:\"responseXML\",text:\"responseText\",json:\"responseJSON\"},converters:{\"* text\":String,\"text html\":!0,\"text json\":JSON.parse,\"text xml\":r.parseXML},flatOptions:{url:!0,context:!0}},ajaxSetup:function(a,b){return b?Lb(Lb(a,r.ajaxSettings),b):Lb(r.ajaxSettings,a)},ajaxPrefilter:Jb(Fb),ajaxTransport:Jb(Gb),ajax:function(b,c){\"object\"==typeof b&&(c=b,b=void 0),c=c||{};var e,f,g,h,i,j,k,l,m,n,o=r.ajaxSetup({},c),p=o.context||o,q=o.context&&(p.nodeType||p.jquery)?r(p):r.event,s=r.Deferred(),t=r.Callbacks(\"once memory\"),u=o.statusCode||{},v={},w={},x=\"canceled\",y={readyState:0,getResponseHeader:function(a){var b;if(k){if(!h){h={};while(b=Bb.exec(g))h[b[1].toLowerCase()]=b[2]}b=h[a.toLowerCase()]}return null==b?null:b},getAllResponseHeaders:function(){return k?g:null},setRequestHeader:function(a,b){return null==k&&(a=w[a.toLowerCase()]=w[a.toLowerCase()]||a,v[a]=b),this},overrideMimeType:function(a){return null==k&&(o.mimeType=a),this},statusCode:function(a){var b;if(a)if(k)y.always(a[y.status]);else for(b in a)u[b]=[u[b],a[b]];return this},abort:function(a){var b=a||x;return 
e&&e.abort(b),A(0,b),this}};if(s.promise(y),o.url=((b||o.url||qb.href)+\"\").replace(Eb,qb.protocol+\"//\"),o.type=c.method||c.type||o.method||o.type,o.dataTypes=(o.dataType||\"*\").toLowerCase().match(K)||[\"\"],null==o.crossDomain){j=d.createElement(\"a\");try{j.href=o.url,j.href=j.href,o.crossDomain=Ib.protocol+\"//\"+Ib.host!=j.protocol+\"//\"+j.host}catch(z){o.crossDomain=!0}}if(o.data&&o.processData&&\"string\"!=typeof o.data&&(o.data=r.param(o.data,o.traditional)),Kb(Fb,o,c,y),k)return y;l=r.event&&o.global,l&&0===r.active++&&r.event.trigger(\"ajaxStart\"),o.type=o.type.toUpperCase(),o.hasContent=!Db.test(o.type),f=o.url.replace(zb,\"\"),o.hasContent?o.data&&o.processData&&0===(o.contentType||\"\").indexOf(\"application/x-www-form-urlencoded\")&&(o.data=o.data.replace(yb,\"+\")):(n=o.url.slice(f.length),o.data&&(f+=(sb.test(f)?\"&\":\"?\")+o.data,delete o.data),o.cache===!1&&(f=f.replace(Ab,\"$1\"),n=(sb.test(f)?\"&\":\"?\")+\"_=\"+rb++ +n),o.url=f+n),o.ifModified&&(r.lastModified[f]&&y.setRequestHeader(\"If-Modified-Since\",r.lastModified[f]),r.etag[f]&&y.setRequestHeader(\"If-None-Match\",r.etag[f])),(o.data&&o.hasContent&&o.contentType!==!1||c.contentType)&&y.setRequestHeader(\"Content-Type\",o.contentType),y.setRequestHeader(\"Accept\",o.dataTypes[0]&&o.accepts[o.dataTypes[0]]?o.accepts[o.dataTypes[0]]+(\"*\"!==o.dataTypes[0]?\", \"+Hb+\"; q=0.01\":\"\"):o.accepts[\"*\"]);for(m in o.headers)y.setRequestHeader(m,o.headers[m]);if(o.beforeSend&&(o.beforeSend.call(p,y,o)===!1||k))return y.abort();if(x=\"abort\",t.add(o.complete),y.done(o.success),y.fail(o.error),e=Kb(Gb,o,c,y)){if(y.readyState=1,l&&q.trigger(\"ajaxSend\",[y,o]),k)return y;o.async&&o.timeout>0&&(i=a.setTimeout(function(){y.abort(\"timeout\")},o.timeout));try{k=!1,e.send(v,A)}catch(z){if(k)throw z;A(-1,z)}}else A(-1,\"No Transport\");function A(b,c,d,h){var j,m,n,v,w,x=c;k||(k=!0,i&&a.clearTimeout(i),e=void 
0,g=h||\"\",y.readyState=b>0?4:0,j=b>=200&&b<300||304===b,d&&(v=Mb(o,y,d)),v=Nb(o,v,y,j),j?(o.ifModified&&(w=y.getResponseHeader(\"Last-Modified\"),w&&(r.lastModified[f]=w),w=y.getResponseHeader(\"etag\"),w&&(r.etag[f]=w)),204===b||\"HEAD\"===o.type?x=\"nocontent\":304===b?x=\"notmodified\":(x=v.state,m=v.data,n=v.error,j=!n)):(n=x,!b&&x||(x=\"error\",b<0&&(b=0))),y.status=b,y.statusText=(c||x)+\"\",j?s.resolveWith(p,[m,x,y]):s.rejectWith(p,[y,x,n]),y.statusCode(u),u=void 0,l&&q.trigger(j?\"ajaxSuccess\":\"ajaxError\",[y,o,j?m:n]),t.fireWith(p,[y,x]),l&&(q.trigger(\"ajaxComplete\",[y,o]),--r.active||r.event.trigger(\"ajaxStop\")))}return y},getJSON:function(a,b,c){return r.get(a,b,c,\"json\")},getScript:function(a,b){return r.get(a,void 0,b,\"script\")}}),r.each([\"get\",\"post\"],function(a,b){r[b]=function(a,c,d,e){return r.isFunction(c)&&(e=e||d,d=c,c=void 0),r.ajax(r.extend({url:a,type:b,dataType:e,data:c,success:d},r.isPlainObject(a)&&a))}}),r._evalUrl=function(a){return r.ajax({url:a,type:\"GET\",dataType:\"script\",cache:!0,async:!1,global:!1,\"throws\":!0})},r.fn.extend({wrapAll:function(a){var b;return this[0]&&(r.isFunction(a)&&(a=a.call(this[0])),b=r(a,this[0].ownerDocument).eq(0).clone(!0),this[0].parentNode&&b.insertBefore(this[0]),b.map(function(){var a=this;while(a.firstElementChild)a=a.firstElementChild;return a}).append(this)),this},wrapInner:function(a){return r.isFunction(a)?this.each(function(b){r(this).wrapInner(a.call(this,b))}):this.each(function(){var b=r(this),c=b.contents();c.length?c.wrapAll(a):b.append(a)})},wrap:function(a){var b=r.isFunction(a);return this.each(function(c){r(this).wrapAll(b?a.call(this,c):a)})},unwrap:function(a){return this.parent(a).not(\"body\").each(function(){r(this).replaceWith(this.childNodes)}),this}}),r.expr.pseudos.hidden=function(a){return!r.expr.pseudos.visible(a)},r.expr.pseudos.visible=function(a){return!!(a.offsetWidth||a.offsetHeight||a.getClientRects().length)},r.ajaxSettings.xhr=function(){try{return 
new a.XMLHttpRequest}catch(b){}};var Ob={0:200,1223:204},Pb=r.ajaxSettings.xhr();o.cors=!!Pb&&\"withCredentials\"in Pb,o.ajax=Pb=!!Pb,r.ajaxTransport(function(b){var c,d;if(o.cors||Pb&&!b.crossDomain)return{send:function(e,f){var g,h=b.xhr();if(h.open(b.type,b.url,b.async,b.username,b.password),b.xhrFields)for(g in b.xhrFields)h[g]=b.xhrFields[g];b.mimeType&&h.overrideMimeType&&h.overrideMimeType(b.mimeType),b.crossDomain||e[\"X-Requested-With\"]||(e[\"X-Requested-With\"]=\"XMLHttpRequest\");for(g in e)h.setRequestHeader(g,e[g]);c=function(a){return function(){c&&(c=d=h.onload=h.onerror=h.onabort=h.onreadystatechange=null,\"abort\"===a?h.abort():\"error\"===a?\"number\"!=typeof h.status?f(0,\"error\"):f(h.status,h.statusText):f(Ob[h.status]||h.status,h.statusText,\"text\"!==(h.responseType||\"text\")||\"string\"!=typeof h.responseText?{binary:h.response}:{text:h.responseText},h.getAllResponseHeaders()))}},h.onload=c(),d=h.onerror=c(\"error\"),void 0!==h.onabort?h.onabort=d:h.onreadystatechange=function(){4===h.readyState&&a.setTimeout(function(){c&&d()})},c=c(\"abort\");try{h.send(b.hasContent&&b.data||null)}catch(i){if(c)throw i}},abort:function(){c&&c()}}}),r.ajaxPrefilter(function(a){a.crossDomain&&(a.contents.script=!1)}),r.ajaxSetup({accepts:{script:\"text/javascript, application/javascript, application/ecmascript, application/x-ecmascript\"},contents:{script:/\\b(?:java|ecma)script\\b/},converters:{\"text script\":function(a){return r.globalEval(a),a}}}),r.ajaxPrefilter(\"script\",function(a){void 0===a.cache&&(a.cache=!1),a.crossDomain&&(a.type=\"GET\")}),r.ajaxTransport(\"script\",function(a){if(a.crossDomain){var b,c;return{send:function(e,f){b=r(\"<script>\").prop({charset:a.scriptCharset,src:a.url}).on(\"load error\",c=function(a){b.remove(),c=null,a&&f(\"error\"===a.type?404:200,a.type)}),d.head.appendChild(b[0])},abort:function(){c&&c()}}}});var Qb=[],Rb=/(=)\\?(?=&|$)|\\?\\?/;r.ajaxSetup({jsonp:\"callback\",jsonpCallback:function(){var 
a=Qb.pop()||r.expando+\"_\"+rb++;return this[a]=!0,a}}),r.ajaxPrefilter(\"json jsonp\",function(b,c,d){var e,f,g,h=b.jsonp!==!1&&(Rb.test(b.url)?\"url\":\"string\"==typeof b.data&&0===(b.contentType||\"\").indexOf(\"application/x-www-form-urlencoded\")&&Rb.test(b.data)&&\"data\");if(h||\"jsonp\"===b.dataTypes[0])return e=b.jsonpCallback=r.isFunction(b.jsonpCallback)?b.jsonpCallback():b.jsonpCallback,h?b[h]=b[h].replace(Rb,\"$1\"+e):b.jsonp!==!1&&(b.url+=(sb.test(b.url)?\"&\":\"?\")+b.jsonp+\"=\"+e),b.converters[\"script json\"]=function(){return g||r.error(e+\" was not called\"),g[0]},b.dataTypes[0]=\"json\",f=a[e],a[e]=function(){g=arguments},d.always(function(){void 0===f?r(a).removeProp(e):a[e]=f,b[e]&&(b.jsonpCallback=c.jsonpCallback,Qb.push(e)),g&&r.isFunction(f)&&f(g[0]),g=f=void 0}),\"script\"}),o.createHTMLDocument=function(){var a=d.implementation.createHTMLDocument(\"\").body;return a.innerHTML=\"<form></form><form></form>\",2===a.childNodes.length}(),r.parseHTML=function(a,b,c){if(\"string\"!=typeof a)return[];\"boolean\"==typeof b&&(c=b,b=!1);var e,f,g;return b||(o.createHTMLDocument?(b=d.implementation.createHTMLDocument(\"\"),e=b.createElement(\"base\"),e.href=d.location.href,b.head.appendChild(e)):b=d),f=B.exec(a),g=!c&&[],f?[b.createElement(f[1])]:(f=pa([a],b,g),g&&g.length&&r(g).remove(),r.merge([],f.childNodes))},r.fn.load=function(a,b,c){var d,e,f,g=this,h=a.indexOf(\" \");return h>-1&&(d=mb(a.slice(h)),a=a.slice(0,h)),r.isFunction(b)?(c=b,b=void 0):b&&\"object\"==typeof b&&(e=\"POST\"),g.length>0&&r.ajax({url:a,type:e||\"GET\",dataType:\"html\",data:b}).done(function(a){f=arguments,g.html(d?r(\"<div>\").append(r.parseHTML(a)).find(d):a)}).always(c&&function(a,b){g.each(function(){c.apply(this,f||[a.responseText,b,a])})}),this},r.each([\"ajaxStart\",\"ajaxStop\",\"ajaxComplete\",\"ajaxError\",\"ajaxSuccess\",\"ajaxSend\"],function(a,b){r.fn[b]=function(a){return this.on(b,a)}}),r.expr.pseudos.animated=function(a){return 
r.grep(r.timers,function(b){return a===b.elem}).length};function Sb(a){return r.isWindow(a)?a:9===a.nodeType&&a.defaultView}r.offset={setOffset:function(a,b,c){var d,e,f,g,h,i,j,k=r.css(a,\"position\"),l=r(a),m={};\"static\"===k&&(a.style.position=\"relative\"),h=l.offset(),f=r.css(a,\"top\"),i=r.css(a,\"left\"),j=(\"absolute\"===k||\"fixed\"===k)&&(f+i).indexOf(\"auto\")>-1,j?(d=l.position(),g=d.top,e=d.left):(g=parseFloat(f)||0,e=parseFloat(i)||0),r.isFunction(b)&&(b=b.call(a,c,r.extend({},h))),null!=b.top&&(m.top=b.top-h.top+g),null!=b.left&&(m.left=b.left-h.left+e),\"using\"in b?b.using.call(a,m):l.css(m)}},r.fn.extend({offset:function(a){if(arguments.length)return void 0===a?this:this.each(function(b){r.offset.setOffset(this,a,b)});var b,c,d,e,f=this[0];if(f)return f.getClientRects().length?(d=f.getBoundingClientRect(),d.width||d.height?(e=f.ownerDocument,c=Sb(e),b=e.documentElement,{top:d.top+c.pageYOffset-b.clientTop,left:d.left+c.pageXOffset-b.clientLeft}):d):{top:0,left:0}},position:function(){if(this[0]){var a,b,c=this[0],d={top:0,left:0};return\"fixed\"===r.css(c,\"position\")?b=c.getBoundingClientRect():(a=this.offsetParent(),b=this.offset(),r.nodeName(a[0],\"html\")||(d=a.offset()),d={top:d.top+r.css(a[0],\"borderTopWidth\",!0),left:d.left+r.css(a[0],\"borderLeftWidth\",!0)}),{top:b.top-d.top-r.css(c,\"marginTop\",!0),left:b.left-d.left-r.css(c,\"marginLeft\",!0)}}},offsetParent:function(){return this.map(function(){var a=this.offsetParent;while(a&&\"static\"===r.css(a,\"position\"))a=a.offsetParent;return a||qa})}}),r.each({scrollLeft:\"pageXOffset\",scrollTop:\"pageYOffset\"},function(a,b){var c=\"pageYOffset\"===b;r.fn[a]=function(d){return S(this,function(a,d,e){var f=Sb(a);return void 0===e?f?f[b]:a[d]:void(f?f.scrollTo(c?f.pageXOffset:e,c?e:f.pageYOffset):a[d]=e)},a,d,arguments.length)}}),r.each([\"top\",\"left\"],function(a,b){r.cssHooks[b]=Oa(o.pixelPosition,function(a,c){if(c)return 
c=Na(a,b),La.test(c)?r(a).position()[b]+\"px\":c})}),r.each({Height:\"height\",Width:\"width\"},function(a,b){r.each({padding:\"inner\"+a,content:b,\"\":\"outer\"+a},function(c,d){r.fn[d]=function(e,f){var g=arguments.length&&(c||\"boolean\"!=typeof e),h=c||(e===!0||f===!0?\"margin\":\"border\");return S(this,function(b,c,e){var f;return r.isWindow(b)?0===d.indexOf(\"outer\")?b[\"inner\"+a]:b.document.documentElement[\"client\"+a]:9===b.nodeType?(f=b.documentElement,Math.max(b.body[\"scroll\"+a],f[\"scroll\"+a],b.body[\"offset\"+a],f[\"offset\"+a],f[\"client\"+a])):void 0===e?r.css(b,c,h):r.style(b,c,e,h)},b,g?e:void 0,g)}})}),r.fn.extend({bind:function(a,b,c){return this.on(a,null,b,c)},unbind:function(a,b){return this.off(a,null,b)},delegate:function(a,b,c,d){return this.on(b,a,c,d)},undelegate:function(a,b,c){return 1===arguments.length?this.off(a,\"**\"):this.off(b,a||\"**\",c)}}),r.parseJSON=JSON.parse,\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return r});var Tb=a.jQuery,Ub=a.$;return r.noConflict=function(b){return a.$===r&&(a.$=Ub),b&&a.jQuery===r&&(a.jQuery=Tb),r},b||(a.jQuery=a.$=r),r});</script>\n\n  <script type=\"text/javascript\">\n    var S3BL_IGNORE_PATH = true;\n    var BUCKET_NAME = '${ bucket_name }';\n    var BUCKET_URL = '${ bucket_url }';\n    var BUCKET_WEBSITE_URL = '${ bucket_website }';\n    var S3B_SORT = 'DEFAULT';\n    var EXCLUDE_FILE = 'index.html';  // change to array to exclude multiple files\n    var AUTO_TITLE = true;\n    //var S3_REGION = 's3'; // for us-east-1\n\n    if (typeof AUTO_TITLE != 'undefined' && AUTO_TITLE == true) {\n      document.title = location.hostname;\n    }\n\n    if (typeof S3_REGION != 'undefined') {\n      var BUCKET_URL = 'http://' + location.hostname + '.' + S3_REGION + '.amazonaws.com'; // e.g. 
just 's3' for us-east-1 region\n      var BUCKET_WEBSITE_URL = location.protocol + '//' + location.hostname;\n    }\n\n    if (typeof S3BL_IGNORE_PATH == 'undefined' || S3BL_IGNORE_PATH != true) {\n      var S3BL_IGNORE_PATH = false;\n    }\n\n    if (typeof BUCKET_URL == 'undefined') {\n      var BUCKET_URL = location.protocol + '//' + location.hostname;\n    }\n\n    if (typeof BUCKET_WEBSITE_URL == 'undefined') {\n      var BUCKET_WEBSITE_URL = BUCKET_URL;\n    }\n\n    if (typeof S3B_ROOT_DIR == 'undefined') {\n      var S3B_ROOT_DIR = '';\n    }\n\n    if (typeof S3B_SORT == 'undefined') {\n      var S3B_SORT = 'DEFAULT';\n    }\n\n    if (typeof EXCLUDE_FILE == 'undefined') {\n      var EXCLUDE_FILE = [];\n    } else if (typeof EXCLUDE_FILE == 'string') {\n      var EXCLUDE_FILE = [EXCLUDE_FILE];\n    }\n\n    // https://tc39.github.io/ecma262/#sec-array.prototype.includes\n    if (!Array.prototype.includes) {\n      Object.defineProperty(Array.prototype, 'includes', {\n        value: function(searchElement, fromIndex) {\n\n          if (this == null) {\n            throw new TypeError('\"this\" is null or not defined');\n          }\n\n          // 1. Let O be ? ToObject(this value).\n          var o = Object(this);\n\n          // 2. Let len be ? ToLength(? Get(O, \"length\")).\n          var len = o.length >>> 0;\n\n          // 3. If len is 0, return false.\n          if (len === 0) {\n            return false;\n          }\n\n          // 4. Let n be ? ToInteger(fromIndex).\n          //    (If fromIndex is undefined, this step produces the value 0.)\n          var n = fromIndex | 0;\n\n          // 5. If n ≥ 0, then\n          //  a. Let k be n.\n          // 6. Else n < 0,\n          //  a. Let k be len + n.\n          //  b. If k < 0, let k be 0.\n          var k = Math.max(n >= 0 ? 
n : len - Math.abs(n), 0);\n\n          function sameValueZero(x, y) {\n            return x === y || (typeof x === 'number' && typeof y === 'number' && isNaN(x) && isNaN(y));\n          }\n\n          // 7. Repeat, while k < len\n          while (k < len) {\n            // a. Let elementK be the result of ? Get(O, ! ToString(k)).\n            // b. If SameValueZero(searchElement, elementK) is true, return true.\n            if (sameValueZero(o[k], searchElement)) {\n              return true;\n            }\n            // c. Increase k by 1. \n            k++;\n          }\n\n          // 8. Return false\n          return false;\n        }\n      });\n    }\n\n    jQuery(function($) { getS3Data(); });\n\n    // This will sort your file listing by most recently modified.\n    // Flip the comparator to '>' if you want oldest files first.\n    function sortFunction(a, b) {\n      switch (S3B_SORT) {\n        case \"OLD2NEW\":\n          return a.LastModified > b.LastModified ? 1 : -1;\n        case \"NEW2OLD\":\n          return a.LastModified < b.LastModified ? 1 : -1;\n        case \"A2Z\":\n          return a.Key < b.Key ? 1 : -1;\n        case \"Z2A\":\n          return a.Key > b.Key ? 1 : -1;\n        case \"BIG2SMALL\":\n          return a.Size < b.Size ? 1 : -1;\n        case \"SMALL2BIG\":\n          return a.Size > b.Size ? 
1 : -1;\n      }\n    }\n\n    function getS3Data(marker, html) {\n      var s3_rest_url = createS3QueryUrl(marker);\n      // set loading notice\n      $('#listing')\n          .html('<img src=\"//assets.okfn.org/images/icons/ajaxload-circle.gif\" />');\n      $.get(s3_rest_url)\n          .done(function(data) {\n            // clear loading notice\n            $('#listing').html('');\n            var xml = $(data);\n            var info = getInfoFromS3Data(xml);\n\n            // Slight modification by FuzzBall03\n            // This will sort your file listing based on var S3B_SORT\n            // See url for example:\n            // http://esp-link.s3-website-us-east-1.amazonaws.com/\n            if (S3B_SORT != 'DEFAULT') {\n              var sortedFiles = info.files;\n              sortedFiles.sort(sortFunction);\n              info.files = sortedFiles;\n            }\n\n            buildNavigation(info);\n\n            html = typeof html !== 'undefined' ? html + prepareTable(info) :\n                                                 prepareTable(info);\n            if (info.nextMarker !== null) {\n              getS3Data(info.nextMarker, html);\n            } else {\n              document.getElementById('listing').innerHTML =\n                  '<pre>' + html + '</pre>';\n            }\n          })\n          .fail(function(error) {\n            console.error(error);\n            $('#listing').html('<strong>Error: ' + error + '</strong>');\n          });\n    }\n\n    function buildNavigation(info) {\n      var root = 's3:// <a href=\"?prefix=\">' + BUCKET_NAME + '</a> / ';\n      if (info.prefix) {\n        var processedPathSegments = '';\n        var content = $.map(info.prefix.split('/'), function(pathSegment) {\n          processedPathSegments =\n              processedPathSegments + encodeURIComponent(pathSegment) + '/';\n          var link = document.createElement('a');\n          link.setAttribute('href', processedPathSegments.replace(/\"/g, 
'&quot;'));\n          link.innerText = pathSegment;\n          return link.outerHTML;\n        });\n        $('#navigation').html(root + content.join(' / '));\n      } else {\n        $('#navigation').html(root);\n      }\n    }\n\n    function createS3QueryUrl(marker) {\n      var s3_rest_url = BUCKET_URL;\n      s3_rest_url += '?delimiter=/';\n\n      //\n      // Handling paths and prefixes:\n      //\n      // 1. S3BL_IGNORE_PATH = false\n      // Uses the pathname\n      // {bucket}/{path} => prefix = {path}\n      //\n      // 2. S3BL_IGNORE_PATH = true\n      // Uses ?prefix={prefix}\n      //\n      // Why both? Because we want classic directory style listing in normal\n      // buckets but also allow deploying to non-buckets\n      //\n\n      var rx = '.*[?&]prefix=' + S3B_ROOT_DIR + '([^&]+)(&.*)?$';\n      var prefix = '';\n      if (S3BL_IGNORE_PATH == false) {\n        var prefix = location.pathname.replace(/^\\//, S3B_ROOT_DIR);\n      }\n      var match = location.search.match(rx);\n      if (match) {\n        prefix = S3B_ROOT_DIR + match[1];\n      } else {\n        if (S3BL_IGNORE_PATH) {\n          var prefix = S3B_ROOT_DIR;\n        }\n      }\n      if (prefix) {\n        // make sure we end in /\n        var prefix = prefix.replace(/\\/$/, '') + '/';\n        s3_rest_url += '&prefix=' + encodePath(prefix);\n      }\n      if (marker) {\n        s3_rest_url += '&marker=' + encodePath(marker);\n      }\n      return s3_rest_url;\n    }\n\n    function getInfoFromS3Data(xml) {\n      var files = $.map(xml.find('Contents'), function(item) {\n        item = $(item);\n        // clang-format off\n        return {\n          Key: item.find('Key').text(),\n              LastModified: item.find('LastModified').text(),\n              Size: bytesToHumanReadable(item.find('Size').text()),\n              Type: 'file'\n        }\n        // clang-format on\n      });\n      var directories = $.map(xml.find('CommonPrefixes'), function(item) {\n        item 
= $(item);\n        // clang-format off\n        return {\n          Key: item.find('Prefix').text(),\n            LastModified: '',\n            Size: '0',\n            Type: 'directory'\n        }\n        // clang-format on\n      });\n      console.log($(xml.find('IsTruncated')[0]).text());\n      if ($(xml.find('IsTruncated')[0]).text() == 'true') {\n        var nextMarker = xml.find('NextMarker').text();\n      } else {\n        var nextMarker = null;\n      }\n      // clang-format off\n      return {\n        files: files,\n        directories: directories,\n        prefix: $(xml.find('Prefix')[0]).text(),\n        nextMarker: nextMarker\n      }\n      // clang-format on\n    }\n\n    // info is object like:\n    // {\n    //    files: ..\n    //    directories: ..\n    //    prefix: ...\n    // }\n    function prepareTable(info) {\n      var files = info.directories.concat(info.files), prefix = info.prefix;\n      var cols = [45, 30, 15];\n      var content = [];\n      content.push(padRight('Last Modified', cols[1]) + '  ' +\n                   padRight('Size', cols[2]) + 'Key \\n');\n      content.push(new Array(cols[0] + cols[1] + cols[2] + 4).join('-') + '\\n');\n\n      // add ../ at the start of the dir listing, unless we are already at root dir\n      if (prefix && prefix !== S3B_ROOT_DIR) {\n        var up = prefix.replace(/\\/$/, '').split('/').slice(0, -1).concat('').join(\n                '/'),  // one directory up\n            item =\n                {\n                  Key: up,\n                  LastModified: '',\n                  Size: '',\n                  keyText: '../',\n                  href: S3BL_IGNORE_PATH ? 
'?prefix=' + encodePath(up) : '../'\n                },\n            row = renderRow(item, cols);\n        content.push(row + '\\n');\n      }\n\n      jQuery.each(files, function(idx, item) {\n        // strip off the prefix\n        item.keyText = item.Key.substring(prefix.length);\n        if (item.Type === 'directory') {\n          if (S3BL_IGNORE_PATH) {\n            item.href = location.protocol + '//' + location.hostname +\n                        location.pathname + '?prefix=' + encodePath(item.Key);\n          } else {\n            item.href = encodePath(item.keyText);\n          }\n        } else {\n          item.href = BUCKET_WEBSITE_URL + '/' + encodePath(item.Key);\n        }\n        var row = renderRow(item, cols);\n        if (!EXCLUDE_FILE.includes(item.Key))\n          content.push(row + '\\n');\n      });\n\n      return content.join('');\n    }\n\n    // Encode everything but \"/\" which are significant in paths and to S3\n    function encodePath(path) {\n      return encodeURIComponent(path).replace(/%2F/g, '/')\n    }\n\n    function prettyDate(date) {\n      if (date === '') return '';\n      var date_obj = new Date(date);\n      return date_obj.toLocaleDateString() + ' ' + date_obj.toLocaleTimeString()\n    }\n    function renderRow(item, cols) {\n      var row = '';\n      row += padRight(prettyDate(item.LastModified), cols[1]) + '  ';\n      row += padRight(item.Size, cols[2]);\n      row += '<a href=\"' + item.href + '\">' + item.keyText + '</a>';\n      return row;\n    }\n\n    function padRight(padString, length) {\n      var str = padString.slice(0, length - 3);\n      if (padString.length > str.length) {\n        str += '...';\n      }\n      while (str.length < length) {\n        str = str + ' ';\n      }\n      return str;\n    }\n\n    function bytesToHumanReadable(sizeInBytes) {\n      var i = -1;\n      var units = [' kB', ' MB', ' GB'];\n      do {\n        sizeInBytes = sizeInBytes / 1024;\n        i++;\n      } while 
(sizeInBytes > 1024);\n      return Math.max(sizeInBytes, 0.1).toFixed(1) + units[i];\n    }\n\n  </script>\n</body>\n</html>\n"
  },
  {
    "path": "terraform/terraform.tf",
    "content": "terraform {\n  backend \"s3\" {\n    bucket  = \"nixos-terraform-state\"\n    encrypt = true\n    key     = \"targets/terraform\"\n    region  = \"eu-west-1\"\n    profile = \"nixos-prod\"\n  }\n\n  required_providers {\n    aws = {\n      source = \"registry.opentofu.org/hashicorp/aws\"\n    }\n    fastly = {\n      source = \"registry.opentofu.org/fastly/fastly\"\n    }\n    netlify = {\n      source = \"registry.opentofu.org/AegirHealth/netlify\"\n    }\n    secret = {\n      source = \"registry.opentofu.org/numtide/secret\"\n    }\n  }\n}\n\ndata \"terraform_remote_state\" \"terraform-iam\" {\n  backend = \"s3\"\n  config = {\n    bucket  = \"nixos-terraform-state\"\n    encrypt = true\n    key     = \"targets/terraform-iam\"\n    region  = \"eu-west-1\"\n    profile = \"nixos-prod\"\n  }\n}\n"
  },
  {
    "path": "terraform/tf.sh",
    "content": "#!/usr/bin/env bash\nset -euo pipefail\n\ncd \"$(dirname \"$0\")\"\nrm -f .terraform.lock.hcl\ntofu init\ntofu \"$@\"\n"
  },
  {
    "path": "terraform/wiki-test.tf",
    "content": "locals {\n  wiki_test_domain = \"test.wiki.nixos.org\"\n}\n\nresource \"fastly_service_vcl\" \"wiki-test\" {\n  name        = local.wiki_test_domain\n  default_ttl = 86400\n\n  backend {\n    address               = \"he1.wiki.nixos.org\"\n    auto_loadbalance      = false\n    between_bytes_timeout = 10000\n    connect_timeout       = 5000\n    error_threshold       = 0\n    first_byte_timeout    = 15000\n    max_conn              = 200\n    name                  = \"wiki_backend\"\n    port                  = 443\n    # Shield location for Helsinki backend\n    shield            = \"hel-helsinki-fi\"\n    ssl_cert_hostname = \"he1.wiki.nixos.org\"\n    ssl_check_cert    = true\n    use_ssl           = true\n    weight            = 100\n  }\n\n  domain {\n    name = local.wiki_test_domain\n  }\n\n  # Pass through the original Host header\n  header {\n    destination = \"http.Host\"\n    type        = \"request\"\n    action      = \"set\"\n    name        = \"Set Host Header\"\n    source      = \"\\\"wiki.nixos.org\\\"\"\n  }\n\n  logging_s3 {\n    name              = \"${local.wiki_test_domain}-to-s3\"\n    bucket_name       = local.fastlylogs[\"bucket_name\"]\n    compression_codec = \"zstd\"\n    domain            = local.fastlylogs[\"s3_domain\"]\n    format            = local.fastlylogs[\"format\"]\n    format_version    = 2\n    path              = \"${local.wiki_test_domain}/\"\n    period            = local.fastlylogs[\"period\"]\n    message_type      = \"blank\"\n    s3_iam_role       = local.fastlylogs[\"iam_role_arn\"]\n  }\n}\n\nresource \"fastly_tls_subscription\" \"wiki-test\" {\n  domains               = [for domain in fastly_service_vcl.wiki-test.domain : domain.name]\n  configuration_id      = local.fastly_tls13_quic_configuration_id\n  certificate_authority = \"lets-encrypt\"\n}\n\noutput \"wiki_test_acme_challenge\" {\n  value       = fastly_tls_subscription.wiki-test.managed_dns_challenges\n  description = \"ACME challenge 
records for test.wiki.nixos.org - add these to DNS\"\n}\n"
  },
  {
    "path": "terraform-iam/.envrc",
    "content": "# shellcheck shell=bash\nuse flake .#terraform\n\nexport AWS_CONFIG_FILE=$PWD/aws-config\nexport AWS_PROFILE=nixos-prod\n\nsource_env_if_exists .envrc.local\n"
  },
  {
    "path": "terraform-iam/.gitignore",
    "content": "/.envrc.local\n"
  },
  {
    "path": "terraform-iam/README.md",
    "content": "# User & permission management\n\nThis module is for superadmins in the team.\n\nThis terraform root module manages:\n\n- IAM roles\n- fastly log module\n- infrastructure for archeologist team\n- Webhooks for the Cache bucket as our terraform code is awkwardly split and it\n  requires iam:PassRole\n\n## Setup\n\nIn order to use this, make sure to install direnv and Nix with flakes enabled.\n\nThen run `direnv allow` to load the environment with the runtime dependencies.\n\nRun `aws sso login` to acquire a temporary token.\n\n## Usage\n\nWe use opentofu, which is a fork of https://www.terraform.io/ maintained by the\nLinux foundation.\n\nThen run the following command to diff the changes and then apply if approved:\n\n```sh\n./tf.sh apply\n```\n\n## Terraform workflow\n\nWrite the Tofu code and test the changes using `./tf.sh validate`.\n\nBefore committing run `nix fmt`.\n\nOnce the code is ready to be deployed, create a new PR with the attached output\nof `./tf.sh plan`.\n\nOnce the PR is merged, run `./tf.sh apply` to apply the changes.\n"
  },
  {
    "path": "terraform-iam/archeologist.tf",
    "content": "# Workspace to dump analysis data extracted from the cache and other places.\nresource \"aws_s3_bucket\" \"archeologist\" {\n  # Keep it in the same region as the cache\n  provider = aws.us\n\n  bucket = \"nix-archeologist\"\n}\n\ndata \"aws_iam_policy_document\" \"archaeologist\" {\n  statement {\n    # Read-only access and listing permissions\n    # To the cache and releases inventories,\n    # as well as the bucket where cache bucket logs end up in.\n    sid = \"NixCacheReadOnly\"\n\n    actions = [\n      \"s3:List*\",\n      \"s3:Get*\"\n    ]\n\n    resources = [\n      \"arn:aws:s3:::nix-cache\",\n      \"arn:aws:s3:::nix-cache/*\",\n      \"arn:aws:s3:::nix-cache-inventory\",\n      \"arn:aws:s3:::nix-cache-inventory/*\",\n      \"arn:aws:s3:::nix-cache-log\",\n      \"arn:aws:s3:::nix-cache-log/*\",\n      \"arn:aws:s3:::nix-releases-inventory220231029182031496800000001\",\n      \"arn:aws:s3:::nix-releases-inventory220231029182031496800000001/*\"\n    ]\n  }\n\n  statement {\n    # Allows fetching information on the bucket\n    sid = \"ListMetrics\"\n\n    actions = [\n      \"cloudwatch:ListMetrics\",\n      \"cloudwatch:GetMetricStatistics\"\n    ]\n\n    # We don't have any private metrics, KISS\n    resources = [\"*\"]\n  }\n\n  statement {\n    # Full access to the Archaeologist bucket\n    sid = \"NixArchaeologistReadWrite\"\n\n    actions = [\n      \"s3:*\"\n    ]\n\n    resources = [\n      aws_s3_bucket.archeologist.arn,\n      \"${aws_s3_bucket.archeologist.arn}/*\"\n    ]\n  }\n}\n\n# This is the role that is given to the AWS Identity Center users\nresource \"aws_iam_policy\" \"archologist\" {\n  provider = aws.us\n\n  name        = \"archeologist\"\n  description = \"used by the S3 archeologists\"\n\n  policy = data.aws_iam_policy_document.archaeologist.json\n}\n\n# Prepare this role to be attached to the EC2 instance\nresource \"aws_iam_role\" \"archeologist-worker\" {\n  provider = aws.us\n\n  name = 
\"archeologist-worker\"\n\n  assume_role_policy = <<EOF\n  {\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n      {\n        \"Action\": \"sts:AssumeRole\",\n        \"Principal\": {\n          \"Service\": \"ec2.amazonaws.com\"\n        },\n        \"Effect\": \"Allow\",\n        \"Sid\": \"\"\n      }\n    ]\n  }\n  EOF\n}\n\nresource \"aws_iam_role_policy\" \"archeologist-worker\" {\n  provider = aws.us\n\n  name = \"archeologist-worker\"\n  role = aws_iam_role.archeologist-worker.id\n\n  # The EC2 instance gets the same policy as the users\n  policy = aws_iam_policy.archologist.policy\n}\n\nresource \"aws_iam_instance_profile\" \"archeologist\" {\n  provider = aws.us\n\n  name = \"archeologist-worker\"\n  role = aws_iam_role.archeologist-worker.name\n  # Make sure the role is attached before continuing\n  depends_on = [aws_iam_role_policy.archeologist-worker]\n}\n\nresource \"aws_key_pair\" \"edef\" {\n  provider = aws.us\n\n  key_name   = \"edef-key\"\n  public_key = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGu/CiEnmhIthp0XaGhU1cB18t6Ta/51k1/7EeIzKFwm\"\n}\n\nresource \"aws_instance\" \"archeologist\" {\n  provider = aws.us\n\n  ami                         = \"ami-07df5833f04703a2a\" # \"23.05\".us-east-1.x86_64-linux.hvm-ebs\n  associate_public_ip_address = true\n  iam_instance_profile        = aws_iam_instance_profile.archeologist.id\n  instance_type               = \"r5a.2xlarge\"\n  key_name                    = aws_key_pair.edef.key_name\n  subnet_id                   = \"subnet-1eb22868\" # default subnet us-east-1c\n\n  root_block_device {\n    volume_size = \"1024\" # GB\n  }\n\n  vpc_security_group_ids = [\n    \"sg-51d35d29\", # default\n    \"sg-b2ee60ca\", # public-ssh\n  ]\n\n  tags = {\n    Name = \"archeologist-workspace\"\n  }\n}\n"
  },
  {
    "path": "terraform-iam/assume_github_actions_policy_document/main.tf",
    "content": "terraform {\n  required_providers {\n    aws = {\n      source = \"hashicorp/aws\"\n    }\n  }\n}\n\nvariable \"subject_filter\" {\n  type = list(string)\n}\n\ndata \"aws_caller_identity\" \"current\" {}\n\ndata \"aws_iam_openid_connect_provider\" \"github_actions\" {\n  url = \"https://token.actions.githubusercontent.com\"\n}\n\ndata \"aws_iam_policy_document\" \"assume_github_actions\" {\n\n  statement {\n    effect  = \"Allow\"\n    actions = [\"sts:AssumeRoleWithWebIdentity\"]\n\n    principals {\n      type        = \"Federated\"\n      identifiers = [data.aws_iam_openid_connect_provider.github_actions.arn]\n    }\n\n    condition {\n      test     = \"StringLike\"\n      variable = \"token.actions.githubusercontent.com:sub\"\n      values   = var.subject_filter\n    }\n  }\n}\n\noutput \"json\" {\n  value = data.aws_iam_policy_document.assume_github_actions.json\n}\n"
  },
  {
    "path": "terraform-iam/assume_identity_center_permission_policy/main.tf",
    "content": "terraform {\n  required_providers {\n    aws = {\n      source = \"hashicorp/aws\"\n    }\n  }\n}\n\nvariable \"target_account_id\" {\n  description = \"AWS account ID where the reserved SSO roles exist (the target account).\"\n  type        = string\n}\n\nvariable \"sso_region\" {\n  description = \"Region of the AWS IAM Identity Center instance.\"\n  type        = string\n  default     = \"eu-north-1\"\n}\n\nvariable \"permission_set_name\" {\n  description = \"Name of the IAM Identity Center permission set (without the AWSReservedSSO_ prefix).\"\n  type        = string\n}\n\nlocals {\n  reserved_role_pattern = format(\n    \"arn:aws:iam::%s:role/aws-reserved/sso.amazonaws.com/%s/AWSReservedSSO_%s_*\",\n    var.target_account_id,\n    var.sso_region,\n    var.permission_set_name,\n  )\n}\n\ndata \"aws_iam_policy_document\" \"this\" {\n  statement {\n    effect  = \"Allow\"\n    actions = [\"sts:AssumeRole\"]\n    principals {\n      type        = \"AWS\"\n      identifiers = [format(\"arn:aws:iam::%s:root\", var.target_account_id)]\n    }\n    condition {\n      test     = \"ArnLike\"\n      variable = \"aws:PrincipalArn\"\n      values   = [local.reserved_role_pattern]\n    }\n  }\n}\n\noutput \"json\" {\n  value = data.aws_iam_policy_document.this.json\n}\n"
  },
  {
    "path": "terraform-iam/aws-config",
    "content": "[profile nixos-prod]\nsso_start_url = https://nixos.awsapps.com/start\nsso_region = eu-north-1\nsso_account_id = 080433136561\nsso_role_name = AWSAdministratorAccess\nregion = eu-north-1\n"
  },
  {
    "path": "terraform-iam/cache-staging.tf",
    "content": "resource \"aws_iam_user\" \"s3-upload-cache-staging\" {\n  name = \"s3-upload-cache-staging\"\n}\n\nresource \"aws_iam_access_key\" \"s3-upload-cache-staging\" {\n  user = aws_iam_user.s3-upload-cache-staging.name\n}\n\ndata \"aws_iam_policy_document\" \"s3-upload-cache-staging\" {\n  statement {\n    # Read-only access and listing permissions\n    # To the cache and releases inventories,\n    # as well as the bucket where cache bucket logs end up in.\n    sid = \"NixCacheStagingBucket\"\n\n    actions = [\n      \"s3:*\"\n    ]\n\n    resources = [\n      \"arn:aws:s3:::nix-cache-staging\",\n      \"arn:aws:s3:::nix-cache-staging/*\",\n      \"arn:aws:s3:::nix-cache-staging-202410\",\n      \"arn:aws:s3:::nix-cache-staging-202410/*\",\n    ]\n  }\n}\n\n# This is the role that is given to the AWS Identity Center users\nresource \"aws_iam_policy\" \"s3-upload-cache-staging\" {\n  provider = aws.us\n\n  name        = \"s3-upload-cache-staging\"\n  description = \"used by staging hydra\"\n\n  policy = data.aws_iam_policy_document.s3-upload-cache-staging.json\n}\n\nresource \"aws_iam_user_policy_attachment\" \"s3-upload-cache-staging-attachment\" {\n  user       = aws_iam_user.s3-upload-cache-staging.name\n  policy_arn = aws_iam_policy.s3-upload-cache-staging.arn\n}\n\noutput \"s3-upload-key-staging\" {\n  value = {\n    key    = aws_iam_access_key.s3-upload-cache-staging.id\n    secret = aws_iam_access_key.s3-upload-cache-staging.secret\n  }\n  sensitive = true\n}\n\n"
  },
  {
    "path": "terraform-iam/cache.tf",
    "content": "resource \"aws_iam_user\" \"fastly-cache-access\" {\n  name = \"fastly-cache-access\"\n}\n\nresource \"aws_iam_access_key\" \"fastly-cache-access\" {\n  user = aws_iam_user.fastly-cache-access.name\n}\n"
  },
  {
    "path": "terraform-iam/cache_eventbridge.tf",
    "content": "# Forward S3 Object Created events on the nix-cache bucket to the\n# https://cache-updates.snix.store webhook via an EventBridge API destination.\n#\n# Lives in terraform-iam (rather than terraform/) because creating the\n# EventBridge target requires iam:PassRole on the IAM role below, which the\n# AWSPowerUserAccess SSO role used by terraform/ does not have.\n\nlocals {\n  cache_webhook_url        = \"https://cache-updates.snix.store\"\n  cache_webhook_header_key = \"X-API-Key\"\n  cache_bucket_name        = \"nix-cache\"\n}\n\nresource \"secret_resource\" \"cache_webhook_api_key\" {}\n\n# Cost: $1.00 per million events ingested. S3 EventBridge events are opt-in\n# data plane events, billed as custom events on the default bus.\n# https://aws.amazon.com/eventbridge/pricing/\nresource \"aws_s3_bucket_notification\" \"cache\" {\n  provider    = aws.us\n  bucket      = local.cache_bucket_name\n  eventbridge = true\n}\n\nresource \"aws_cloudwatch_event_connection\" \"cache_webhook\" {\n  provider           = aws.us\n  name               = \"cache-updates-snix-store\"\n  authorization_type = \"API_KEY\"\n\n  auth_parameters {\n    api_key {\n      key   = local.cache_webhook_header_key\n      value = secret_resource.cache_webhook_api_key.value\n    }\n  }\n}\n\n# Cost: $0.20 per million invocations.\n# https://aws.amazon.com/eventbridge/pricing/\nresource \"aws_cloudwatch_event_api_destination\" \"cache_webhook\" {\n  provider            = aws.us\n  name                = \"cache-updates-snix-store\"\n  invocation_endpoint = local.cache_webhook_url\n  http_method         = \"POST\"\n  # Tweak this based on the amount of uploads per 24 hours?\n  invocation_rate_limit_per_second = 300\n  connection_arn                   = aws_cloudwatch_event_connection.cache_webhook.arn\n}\n\nresource \"aws_cloudwatch_event_rule\" \"cache_object_created\" {\n  provider    = aws.us\n  name        = \"nix-cache-object-created\"\n  description = \"S3 Object Created events on 
nix-cache forwarded to cache-updates.snix.store\"\n\n  event_pattern = jsonencode({\n    source        = [\"aws.s3\"]\n    \"detail-type\" = [\"Object Created\"]\n    detail = {\n      bucket = {\n        name = [local.cache_bucket_name]\n      }\n    }\n  })\n}\n\ndata \"aws_iam_policy_document\" \"cache_webhook_assume\" {\n  statement {\n    effect  = \"Allow\"\n    actions = [\"sts:AssumeRole\"]\n    principals {\n      type        = \"Service\"\n      identifiers = [\"events.amazonaws.com\"]\n    }\n  }\n}\n\ndata \"aws_iam_policy_document\" \"cache_webhook_invoke\" {\n  statement {\n    effect    = \"Allow\"\n    actions   = [\"events:InvokeApiDestination\"]\n    resources = [aws_cloudwatch_event_api_destination.cache_webhook.arn]\n  }\n}\n\nresource \"aws_iam_role\" \"cache_webhook\" {\n  provider           = aws.us\n  name               = \"EventBridgeInvokeCacheWebhook\"\n  assume_role_policy = data.aws_iam_policy_document.cache_webhook_assume.json\n}\n\nresource \"aws_iam_role_policy\" \"cache_webhook\" {\n  provider = aws.us\n  name     = \"InvokeCacheWebhook\"\n  role     = aws_iam_role.cache_webhook.id\n  policy   = data.aws_iam_policy_document.cache_webhook_invoke.json\n}\n\nresource \"aws_cloudwatch_event_target\" \"cache_webhook\" {\n  provider  = aws.us\n  rule      = aws_cloudwatch_event_rule.cache_object_created.name\n  target_id = \"cache-updates-snix-store\"\n  arn       = aws_cloudwatch_event_api_destination.cache_webhook.arn\n  role_arn  = aws_iam_role.cache_webhook.arn\n\n  # https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rule-retry-policy.html\n  retry_policy {\n    maximum_event_age_in_seconds = 86400\n    maximum_retry_attempts       = 185\n  }\n}\n"
  },
  {
    "path": "terraform-iam/fastlylog/main.tf",
    "content": "resource \"aws_s3_bucket\" \"logs\" {\n  bucket_prefix = \"fastly-logs-\"\n\n  lifecycle_rule {\n    enabled = true\n\n    expiration {\n      days = 365\n    }\n  }\n\n  lifecycle_rule {\n    id = \"move-to-glacier\"\n\n    enabled = true\n\n    transition {\n      days          = 120\n      storage_class = \"DEEP_ARCHIVE\"\n    }\n  }\n}\n\nresource \"aws_s3_bucket_policy\" \"logs\" {\n  bucket = aws_s3_bucket.logs.id\n  policy = <<EOF\n{\n  \"Version\": \"2008-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"AllowNixOSOrgRead\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::008826681144:user/fastly-log-processor\"\n      },\n      \"Action\": [\n        \"s3:GetObject\",\n        \"s3:ListBucket\"\n      ],\n      \"Resource\": [\n        \"arn:aws:s3:::${aws_s3_bucket.logs.id}/*\",\n        \"arn:aws:s3:::${aws_s3_bucket.logs.id}\"\n      ]\n    }\n  ]\n}\nEOF\n}\n\n\nresource \"aws_iam_role\" \"fastly_log_forwarder\" {\n  name = \"FastlyLogForwarder\"\n  path = \"/system/\"\n\n  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json\n}\n\nresource \"aws_iam_policy\" \"policy\" {\n  name_prefix = \"FastlyLogForwarder\"\n  path        = \"/system/\"\n  description = \"Allow Fastly to write logs to ${aws_s3_bucket.logs.bucket}.\"\n\n  policy = data.aws_iam_policy_document.fastly_write.json\n}\n\nresource \"aws_iam_role_policy_attachment\" \"attachment\" {\n  role       = aws_iam_role.fastly_log_forwarder.name\n  policy_arn = aws_iam_policy.policy.arn\n}\n\ndata \"aws_iam_policy_document\" \"assume_role_policy\" {\n  statement {\n    actions = [\"sts:AssumeRole\"]\n\n    condition {\n      test     = \"StringEquals\"\n      variable = \"sts:ExternalId\"\n\n      # this is our Fastly customer ID\n      values = [var.fastly_customer_id]\n    }\n\n    principals {\n      type = \"AWS\"\n\n      # This is the ID of the Fastly AWS account\n      identifiers = [\"717331877981\"]\n    }\n  
}\n}\n\ndata \"aws_iam_policy_document\" \"fastly_write\" {\n  statement {\n    actions   = [\"s3:PutObject\"]\n    resources = [\"${aws_s3_bucket.logs.arn}/*\"]\n  }\n}\n"
  },
  {
    "path": "terraform-iam/fastlylog/outputs.tf",
    "content": "output \"bucket_name\" {\n  value = aws_s3_bucket.logs.bucket\n}\n\noutput \"s3_domain\" {\n  # I don't kno whow to get this from the S3 bucket resource :/.\n  value = \"s3.eu-west-1.amazonaws.com\"\n}\n\noutput \"iam_role_arn\" {\n  value = aws_iam_role.fastly_log_forwarder.arn\n}\n\n\n\noutput \"period\" {\n  # Frequency that Fastly servers will push a file to S3, in seconds\n  value = 3600\n}\n\noutput \"format\" {\n  value = \"{${join(\",\", [for k, v in {\n    asn                 = \"%%{client.as.number}V\",\n    elapsed_usec        = \"%%{json.escape(time.elapsed.usec)}V\",\n    fastly_is_edge      = \"%%{if(fastly.ff.visits_this_service == 0, \\\"true\\\", \\\"false\\\")}V\",\n    fastly_server       = \"\\\"%%{json.escape(server.identity)}V\\\"\",\n    geo_country         = \"\\\"%%{json.escape(client.geo.country_name)}V\\\"\",\n    geo_region          = \"\\\"%%{json.escape(client.geo.region.utf8)}V\\\"\",\n    geo_speed           = \"\\\"%%{json.escape(client.geo.conn_speed)}V\\\"\",\n    host                = \"\\\"%%{json.escape(if(req.http.Fastly-Orig-Host, req.http.Fastly-Orig-Host, req.http.Host))}V\\\"\",\n    request_method      = \"\\\"%%{json.escape(req.method)}V\\\"\",\n    request_protocol    = \"\\\"%%{json.escape(req.proto)}V\\\"\",\n    request_referer     = \"\\\"%%{json.escape(req.http.referer)}V\\\"\",\n    request_size        = \"%%{json.escape(req.bytes_read)}V\",\n    request_user_agent  = \"\\\"%%{json.escape(req.http.User-Agent)}V\\\"\",\n    response_body_size  = \"%%{resp.body_bytes_written}V\",\n    response_reason     = \"%%{if(resp.response, \\\"%22\\\"+json.escape(resp.response)+\\\"%22\\\", \\\"null\\\")}V\",\n    response_state      = \"\\\"%%{json.escape(fastly_info.state)}V\\\"\",\n    response_status     = \"\\\"%%{resp.status}V\\\"\",\n    timestamp           = \"\\\"%%{strftime(\\\\{\\\"%Y-%m-%dT%H:%M:%S%z\\\"\\\\}, time.start)}V\\\"\",\n    tls_client_cipher   = \"\\\"%%{json.escape(if(tls.client.cipher, 
tls.client.cipher, \\\"null\\\"))}V\\\"\",\n    tls_client_protocol = \"\\\"%%{json.escape(if(tls.client.protocol, tls.client.protocol, \\\"null\\\"))}V\\\"\",\n    url                 = \"\\\"%%{json.escape(req.url)}V\\\"\",\n  } : \"\\\"${k}\\\": ${v}\"])}}\"\n}"
  },
  {
    "path": "terraform-iam/fastlylog/variables.tf",
    "content": "variable \"fastly_customer_id\" {\n  type = string\n}\n"
  },
  {
    "path": "terraform-iam/fastlylog.tf",
    "content": "module \"fastlylogs\" {\n  source             = \"./fastlylog\"\n  fastly_customer_id = local.fastly_customer_id\n}\n"
  },
  {
    "path": "terraform-iam/iam_users.tf",
    "content": "resource \"aws_iam_user\" \"s3-upload-cache\" {\n  name = \"s3-upload-cache\"\n}\n\nresource \"aws_iam_user\" \"s3-upload-releases\" {\n  name = \"s3-upload-releases\"\n}\n\nresource \"aws_iam_user\" \"s3-upload-tarballs\" {\n  name = \"s3-upload-tarballs\"\n}\n"
  },
  {
    "path": "terraform-iam/locals.tf",
    "content": "locals {\n  fastly_customer_id = \"1RhOVUmKLBjCFTU4i9Cekx\"\n}\n"
  },
  {
    "path": "terraform-iam/nix_repo_oidc.tf",
    "content": "# In this document we configure OIDC from GitHub to allow automatically\n# publishing NixOS/nix releases using GitHub Actions.\n#\n# This means that everyone with merge rights in the Nix repo can publish\n# releases (with a public trail).\n\nresource \"aws_iam_openid_connect_provider\" \"github_actions\" {\n  url = \"https://token.actions.githubusercontent.com\"\n\n  client_id_list = [\"sts.amazonaws.com\"]\n  thumbprint_list = [\n    # https://github.com/aws-actions/configure-aws-credentials/issues/357#issuecomment-1626357333\n    \"6938fd4d98bab03faadb97b34396831e3780aea1\",\n  ]\n}\n\nimport {\n  to = aws_iam_openid_connect_provider.github_actions\n  id = format(\n    \"arn:aws:iam::%s:oidc-provider/token.actions.githubusercontent.com\",\n    data.aws_caller_identity.current.account_id,\n  )\n}\n\ndata \"aws_iam_policy_document\" \"nix_release\" {\n  statement {\n    effect = \"Allow\"\n    actions = [\n      \"s3:GetObject\",\n      \"s3:PutObject\"\n    ]\n    # Only allow uploading in the /nix/ prefix in the bucket\n    resources = [\"arn:aws:s3:::nix-releases/nix/*\"]\n  }\n\n  statement {\n    effect = \"Allow\"\n    actions = [\n      \"s3:ListBucket\",\n      \"s3:ListBucketMultipartUploads\"\n    ]\n    resources = [\"arn:aws:s3:::nix-releases\"]\n    condition {\n      test     = \"StringLike\"\n      variable = \"s3:prefix\"\n      values   = [\"nix/*\"]\n    }\n  }\n\n  statement {\n    effect = \"Allow\"\n    actions = [\n      \"s3:PutObject\"\n    ]\n    # The release also publishes the install script when it's the latest\n    # release.\n    resources = [\"arn:aws:s3:::nix-channels/nix-latest/install\"]\n  }\n\n  statement {\n    effect = \"Allow\"\n    actions = [\n      \"s3:ListBucket\"\n    ]\n    resources = [\"arn:aws:s3:::nix-channels\"]\n    condition {\n      test     = \"StringLike\"\n      variable = \"s3:prefix\"\n      values   = [\"nix-latest/*\"]\n    }\n  }\n}\n\nresource \"aws_iam_policy\" \"nix_release\" {\n  name 
  = \"nix-release\"\n  policy = data.aws_iam_policy_document.nix_release.json\n}\n\ndata \"aws_caller_identity\" \"current\" {}\n\nmodule \"assume_nix_releases_permission\" {\n  source              = \"./assume_identity_center_permission_policy\"\n  target_account_id   = data.aws_caller_identity.current.account_id\n  permission_set_name = \"NixReleases\"\n  sso_region          = \"eu-north-1\"\n}\n\nmodule \"assume_nix_release\" {\n  source = \"./assume_github_actions_policy_document\"\n\n  # Only allow this role to be assumed from the NixOS/nix repo, and only while\n  # running in the \"releases\" environment.\n  subject_filter = [\"repo:NixOS/nix:environment:releases\"]\n}\n\ndata \"aws_iam_policy_document\" \"assume_nix_release\" {\n  source_policy_documents = [\n    module.assume_nix_releases_permission.json,\n    module.assume_nix_release.json,\n  ]\n}\n\nresource \"aws_iam_role\" \"nix_release\" {\n  name               = \"nix-release\"\n  assume_role_policy = data.aws_iam_policy_document.assume_nix_release.json\n}\n\nresource \"aws_iam_role_policy_attachment\" \"nix_release_managed_policy\" {\n  role       = aws_iam_role.nix_release.name\n  policy_arn = aws_iam_policy.nix_release.arn\n}\n\noutput \"nix_release_role_arn\" {\n  value = aws_iam_role.nix_release.arn\n}\n"
  },
  {
    "path": "terraform-iam/outputs.tf",
    "content": "output \"cache\" {\n  value = {\n    key    = aws_iam_access_key.fastly-cache-access.id\n    secret = aws_iam_access_key.fastly-cache-access.secret\n  }\n  sensitive = true\n}\n\noutput \"fastlylogs\" {\n  value = module.fastlylogs\n}\n"
  },
  {
    "path": "terraform-iam/providers.tf",
    "content": "provider \"aws\" {\n  region  = \"eu-west-1\"\n  profile = \"nixos-prod\"\n}\n\nprovider \"aws\" {\n  alias   = \"us\"\n  region  = \"us-east-1\"\n  profile = \"nixos-prod\"\n}\n\nprovider \"fastly\" {}\n"
  },
  {
    "path": "terraform-iam/terraform.tf",
    "content": "terraform {\n  backend \"s3\" {\n    bucket  = \"nixos-terraform-state\"\n    encrypt = true\n    key     = \"targets/terraform-iam\"\n    region  = \"eu-west-1\"\n    profile = \"nixos-prod\"\n  }\n\n  required_providers {\n    aws = {\n      source = \"hashicorp/aws\"\n    }\n    fastly = {\n      source = \"fastly/fastly\"\n    }\n    netlify = {\n      source = \"AegirHealth/netlify\"\n    }\n    secret = {\n      source = \"numtide/secret\"\n    }\n  }\n}\n"
  },
  {
    "path": "terraform-iam/tf.sh",
    "content": "#!/usr/bin/env bash\nset -euo pipefail\n\ncd \"$(dirname \"$0\")\"\nrm -f .terraform.lock.hcl\ntofu init\ntofu \"$@\"\n"
  }
]