Repository: NixOS/nixos-org-configurations Branch: main Commit: f7fcb33b303e Files: 381 Total size: 799.2 KB Directory structure: gitextract_0_mr47ix/ ├── .github/ │ ├── CODEOWNERS │ ├── ISSUE_TEMPLATE/ │ │ ├── feature_request.md │ │ └── service_disruption.md │ ├── scripts/ │ │ └── format-and-absorb.sh │ └── workflows/ │ ├── ci.yml │ ├── dns-apply.yml │ ├── dns-preview.yml │ ├── format-pr.yml │ └── zizmor.yml ├── .gitignore ├── LICENSE ├── README.md ├── build/ │ ├── .envrc │ ├── colmena.nix │ ├── colmena.sh │ ├── common.nix │ ├── datadog/ │ │ ├── hydra.nix │ │ └── hydra.py │ ├── flake-module.nix │ ├── haumea/ │ │ ├── boot.nix │ │ ├── default.nix │ │ ├── network.nix │ │ ├── postgresql.nix │ │ └── zrepl.yml │ ├── hydra-proxy.nix │ ├── hydra.nix │ ├── id_buildfarm.pub │ ├── mimas/ │ │ ├── boot.nix │ │ ├── default.nix │ │ ├── disko.nix │ │ ├── firewall.nix │ │ └── network.nix │ ├── nginx-error-pages/ │ │ ├── 403.html │ │ ├── 502.html │ │ └── 503.html │ ├── pluto/ │ │ ├── boot.nix │ │ ├── default.nix │ │ ├── disko.nix │ │ ├── grafana.nix │ │ ├── network.nix │ │ ├── nginx.nix │ │ ├── nixos-metrics.nix │ │ └── prometheus/ │ │ ├── alertmanager.nix │ │ ├── default.nix │ │ └── exporters/ │ │ ├── anubis.nix │ │ ├── blackbox.nix │ │ ├── channel-exporter.py │ │ ├── channel.nix │ │ ├── domain.nix │ │ ├── fastly.nix │ │ ├── github.nix │ │ ├── hydra-queue-runner-reexporter.py │ │ ├── hydra.nix │ │ ├── json.nix │ │ ├── matrix-synapse.nix │ │ ├── nixos.nix │ │ ├── node.nix │ │ ├── owncast.nix │ │ ├── postgresql.nix │ │ ├── rasdaemon.nix │ │ ├── sql.nix │ │ ├── storagebox.nix │ │ ├── up.nix │ │ ├── zfs.nix │ │ └── zrepl.nix │ ├── scripts/ │ │ ├── nix-mac-installer.sh │ │ └── nix-mac-nuke.sh │ ├── secrets/ │ │ ├── alertmanager-matrix-forwarder.age │ │ ├── alertmanager-oauth2-proxy-env.age │ │ ├── eager-heisenberg-queue-runner-token.age │ │ ├── elated-minsky-queue-runner-token.age │ │ ├── enormous-catfish-queue-runner-token.age │ │ ├── fastly-exporter-env.age │ │ ├── 
goofy-hopcroft-queue-runner-token.age │ │ ├── grafana-secret-key.age │ │ ├── growing-jennet-queue-runner-token.age │ │ ├── hopeful-rivest-queue-runner-token.age │ │ ├── hydra-aws-credentials.age │ │ ├── hydra-github-client-secret.age │ │ ├── hydra-mirror-aws-credentials.age │ │ ├── hydra-mirror-git-credentials.age │ │ ├── intense-heron-queue-runner-token.age │ │ ├── kind-lumiere-queue-runner-token.age │ │ ├── maximum-snail-queue-runner-token.age │ │ ├── norwegian-blue-queue-runner-token.age │ │ ├── owncast-admin-password.age │ │ ├── pluto-backup-secret.age │ │ ├── pluto-backup-ssh-key.age │ │ ├── rfc39-credentials.age │ │ ├── rfc39-github.age │ │ ├── rfc39-record-push.age │ │ ├── sleepy-brown-queue-runner-token.age │ │ ├── storagebox-exporter-token.age │ │ ├── sweeping-filly-queue-runner-token.age │ │ ├── tarball-mirror-aws-credentials.age │ │ └── zrepl-ssh-key.age │ ├── secrets.nix │ └── titan/ │ ├── boot.nix │ ├── default.nix │ ├── disko.nix │ ├── network.nix │ ├── postgresql.nix │ ├── zrepl.nix │ └── zrepl.yml ├── builders/ │ ├── boot/ │ │ └── efi-grub.nix │ ├── common/ │ │ ├── hardening.nix │ │ ├── hydra-queue-builder.nix │ │ ├── network.nix │ │ ├── nix.nix │ │ ├── node-exporter.nix │ │ ├── ssh.nix │ │ ├── system.nix │ │ ├── tools.nix │ │ ├── update.nix │ │ └── users.nix │ ├── disk-layouts/ │ │ └── efi-zfs-raid0.nix │ ├── flake-module.nix │ ├── instances/ │ │ ├── elated-minsky.nix │ │ ├── goofy-hopcroft.nix │ │ ├── hopeful-rivest.nix │ │ └── sleepy-brown.nix │ ├── network/ │ │ └── autoconfig.nix │ └── profiles/ │ ├── hetzner-ax101r.nix │ ├── hetzner-rx170.nix │ └── hetzner-rx220.nix ├── channels.nix ├── checks/ │ └── flake-module.nix ├── dns/ │ ├── .envrc │ ├── creds.json │ ├── dnsconfig.js │ ├── flake-module.nix │ ├── nix.dev.js │ ├── nixcon.org.js │ ├── nixos.org.js │ └── ofborg.org.js ├── docs/ │ ├── inventory.md │ └── meeting-notes/ │ ├── 2024-01-11.md │ ├── 2024-01-25.md │ ├── 2024-02-08.md │ ├── 2024-02-22.md │ ├── 2024-03-07.md │ ├── 2024-03-21.md │ ├── 
2024-04-18.md │ ├── 2024-05-30.md │ ├── 2024-06-13.md │ ├── 2024-06-27.md │ ├── 2024-11-14.md │ ├── 2025-04-03.md │ ├── 2025-04-17.md │ ├── 2025-05-01.md │ ├── 2025-05-15.md │ ├── 2025-05-29.md │ └── 2025-06-12.md ├── flake.nix ├── formatter/ │ └── flake-module.nix ├── lib/ │ └── service-order.nix ├── macs/ │ ├── README.md │ ├── common.nix │ ├── flake-module.nix │ ├── hydra-queue-builder.nix │ ├── mac-exec │ ├── mac-update │ └── profiles/ │ ├── m1.nix │ └── m2.large.nix ├── metrics/ │ └── fastly/ │ ├── README.md │ ├── cron.sh │ ├── flake.nix │ ├── ingest-raw-logs.sh │ ├── run-queries.sh │ └── update-asn-list.sh ├── modules/ │ ├── backup.nix │ ├── common.nix │ ├── hydra-mirror.nix │ ├── nftables.nix │ ├── prometheus/ │ │ ├── default.nix │ │ ├── nixos-exporter/ │ │ │ ├── default.nix │ │ │ ├── prometheus_nixos_exporter/ │ │ │ │ └── __main__.py │ │ │ └── pyproject.toml │ │ └── system-version-exporter.sh │ ├── rasdaemon.nix │ ├── rfc39.nix │ ├── tarball-mirror.nix │ └── tarball-mirror.patch ├── non-critical-infra/ │ ├── .envrc │ ├── .sops.yaml │ ├── README.md │ ├── colmena.sh │ ├── flake-module.nix │ ├── hosts/ │ │ ├── caliban/ │ │ │ ├── default.nix │ │ │ ├── disko.nix │ │ │ ├── hardware.nix │ │ │ └── nixpkgs-swh.nix │ │ ├── staging-hydra/ │ │ │ ├── bootstrap-staging-hydra.sh │ │ │ ├── ca.crt │ │ │ ├── default.nix │ │ │ ├── disko.nix │ │ │ ├── genca.sh │ │ │ ├── hardware.nix │ │ │ ├── hydra-proxy.nix │ │ │ ├── hydra.nix │ │ │ └── server.crt │ │ └── umbriel/ │ │ ├── README.md │ │ ├── default.nix │ │ ├── disko.nix │ │ └── hardware.nix │ ├── modules/ │ │ ├── backup.nix │ │ ├── common.nix │ │ ├── draupnir.nix │ │ ├── element-web.nix │ │ ├── limesurvey.nix │ │ ├── mailserver/ │ │ │ ├── README.md │ │ │ ├── default.nix │ │ │ ├── freescout.nix │ │ │ ├── mailing-lists-options.nix │ │ │ └── mailing-lists.nix │ │ ├── matrix-synapse.nix │ │ ├── nginx.nix │ │ ├── owncast.nix │ │ ├── postfix.nix │ │ ├── postgresql.nix │ │ └── vaultwarden.nix │ ├── packages/ │ │ └── encrypt-email/ │ │ 
├── default.nix │ │ └── encrypt-email.py │ └── secrets/ │ ├── 0x4A6F-hardware-email-address.umbriel │ ├── 0x4A6F-moderation-email-address.umbriel │ ├── DieracDelta-email-address.umbriel │ ├── Ericson2314-email-address.umbriel │ ├── ForsakenHarmony-email-address.umbriel │ ├── Gabriella439-email-address.umbriel │ ├── Kranzes-email-address.umbriel │ ├── LeSuisse-email-address.umbriel │ ├── MMesch-email-address.umbriel │ ├── Mic92-email-address.umbriel │ ├── Mic92-wiki-email-address.umbriel │ ├── Nebucatnetzer-email-address.umbriel │ ├── a-kenji-email-address.umbriel │ ├── aleksana-email-address.umbriel │ ├── andir-email-address.umbriel │ ├── avocadoom-email-address.umbriel │ ├── backup-secret.caliban │ ├── backup-secret.umbriel │ ├── bryanhonof-email-address.umbriel │ ├── das-g-email-address.umbriel │ ├── djacu-email-address.umbriel │ ├── edef1c-email-address.umbriel │ ├── edolstra-admin-email-address.umbriel │ ├── edolstra-email-address.umbriel │ ├── edolstra-foundation-email-address.umbriel │ ├── edolstra-summer-email-address.umbriel │ ├── elections-email-login.umbriel │ ├── escherlies-email-address.umbriel │ ├── finance-email-login.umbriel │ ├── flyfloh-email-address.umbriel │ ├── fmehta-email-address.umbriel │ ├── foundation-email-login.umbriel │ ├── freescout-app-key.umbriel │ ├── fricklerhandwerk-email-address.umbriel │ ├── gefla-email-address.umbriel │ ├── gytis-ivaskevicius-email-address.umbriel │ ├── hardware-email-login.umbriel │ ├── hehongbo-xsa-email-address.umbriel │ ├── hexa-email-login.umbriel │ ├── hydra-aws-credentials.staging-hydra │ ├── hydra-password.staging-hydra │ ├── hydra-users.staging-hydra │ ├── idabzo-email-address.umbriel │ ├── infinisil-email-address.umbriel │ ├── infinisil-nixcon-email-address.umbriel │ ├── jfly-email-address.umbriel │ ├── john-rodewald-email-address.umbriel │ ├── jtojnar-email-address.umbriel │ ├── kate-email-address.umbriel │ ├── lach-xsa-email-address.umbriel │ ├── lassulus-email-address.umbriel │ ├── 
lassulus-nixcon-email-address.umbriel │ ├── lassulus-wiki-email-address.umbriel │ ├── limesurvey-encryption-key.caliban │ ├── limesurvey-encryption-nonce.caliban │ ├── matrix-synapse-secrets.caliban │ ├── matrix-synapse-signing-key.caliban │ ├── mjolnir-access-token.caliban │ ├── mjolnir-password.caliban │ ├── moderation-email-login.umbriel │ ├── mweinelt-email-address.umbriel │ ├── ners-email-address.umbriel │ ├── ngi-nixos-org-email-login.umbriel │ ├── nixcon-email-login.umbriel │ ├── nixcon.org.mail.key.umbriel │ ├── nixos.org.mail.key.umbriel │ ├── nixpkgs-core-email-login.umbriel │ ├── opendkim-private-key.caliban │ ├── picnoir-email-address.umbriel │ ├── postsrsd-secret.umbriel │ ├── queue-runner-ca.key.staging-hydra │ ├── queue-runner-server.key.staging-hydra │ ├── ra33it0-email-address.umbriel │ ├── ra33ito-email-address.umbriel │ ├── ral-email-address.umbriel │ ├── rbvermaa-email-address.umbriel │ ├── refroni-email-address.umbriel │ ├── refroni-nixcon-email-address.umbriel │ ├── risicle-email-address.umbriel │ ├── roberth-email-address.umbriel │ ├── rosscomputerguy-email-address.umbriel │ ├── securitytracker-noreply-email-login.umbriel │ ├── sigmasquadron-xsa-email-address.umbriel │ ├── signing-key.staging-hydra │ ├── staging-hydra-hostkeys.yaml │ ├── steering-email-login.umbriel │ ├── storagebox-ssh-key.caliban │ ├── storagebox-ssh-key.umbriel │ ├── test-sender-email-login.umbriel │ ├── therealpxc-email-address.umbriel │ ├── tomberek-email-address.umbriel │ ├── uep-email-address.umbriel │ ├── vaultwarden-env.caliban │ ├── vcunat-email-address.umbriel │ ├── winterqt-email-address.umbriel │ ├── ysndr-email-address.umbriel │ ├── zimbatm-admin-email-address.umbriel │ ├── zimbatm-email-address.umbriel │ └── zmberber-email-address.umbriel ├── pyproject.toml ├── renovate.json ├── ssh-keys.nix ├── terraform/ │ ├── .envrc │ ├── .envrc.local.template │ ├── .gitignore │ ├── README.md │ ├── artifacts.tf │ ├── aws-config │ ├── cache/ │ │ ├── diagnostic.sh │ │ ├── 
index.html │ │ ├── nix-cache-info │ │ └── s3-authn.vcl │ ├── cache-bucket/ │ │ ├── main.tf │ │ └── providers.tf │ ├── cache-staging/ │ │ ├── diagnostic.sh │ │ ├── index.html │ │ ├── new-cache-test-file │ │ ├── nix-cache-info │ │ ├── old-cache-test-file │ │ └── s3-authn.vcl │ ├── cache-staging.tf │ ├── cache.tf │ ├── cache_inventory.tf │ ├── cache_log.tf │ ├── channels.tf │ ├── flake-module.nix │ ├── locals.tf │ ├── netlify_sites.tf │ ├── nixpkgs-tarballs/ │ │ └── index.html │ ├── nixpkgs-tarballs.tf │ ├── providers.tf │ ├── releases.tf │ ├── releases_inventory.tf │ ├── s3_listing.html.tpl │ ├── terraform.tf │ ├── tf.sh │ └── wiki-test.tf └── terraform-iam/ ├── .envrc ├── .gitignore ├── README.md ├── archeologist.tf ├── assume_github_actions_policy_document/ │ └── main.tf ├── assume_identity_center_permission_policy/ │ └── main.tf ├── aws-config ├── cache-staging.tf ├── cache.tf ├── cache_eventbridge.tf ├── fastlylog/ │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── fastlylog.tf ├── iam_users.tf ├── locals.tf ├── nix_repo_oidc.tf ├── outputs.tf ├── providers.tf ├── terraform.tf └── tf.sh ================================================ FILE CONTENTS ================================================ ================================================ FILE: .github/CODEOWNERS ================================================ # Every directory containing configurations impacting the core infra needs a # review from a member of core infra. 
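/.github/ @NixOS/infra-build /build/ @NixOS/infra-build /builders/ @NixOS/infra-build /dns/ @NixOS/infra-build /lib/ @NixOS/infra-build /macs/ @NixOS/infra-build /metrics/ @NixOS/infra-build /modules/ @NixOS/infra-build /terraform-iam/ @NixOS/infra-build /terraform/ @NixOS/infra-build /channels.nix @NixOS/infra-build /ssh-keys.nix @NixOS/infra-build ================================================ FILE: .github/ISSUE_TEMPLATE/feature_request.md ================================================ --- name: Feature request about: Suggest an improvement for this project title: "" labels: enhancement assignees: "" --- **Is your feature request related to a problem? Please describe.** **Describe the solution you'd like** **Describe alternatives you've considered** **Additional context** ================================================ FILE: .github/ISSUE_TEMPLATE/service_disruption.md ================================================ --- name: Service disruption report about: Use this to report service instabilities title: ": " labels: bug assignees: "" --- **Affected service** **Describe the issue** **System information** ================================================ FILE: .github/scripts/format-and-absorb.sh ================================================
#!/usr/bin/env -S nix shell --inputs-from . nixpkgs#bash nixpkgs#git-absorb --command bash
# shellcheck shell=bash
set -euo pipefail

# Formats the current branch with `nix fmt`, folds the result into the
# branch's existing commits with `git absorb`, and force-pushes the rewritten
# branch. It's designed to be run in a GitHub Actions workflow.
#
# The script rewrites history and pushes with whatever git credentials the
# caller has configured; it performs no authorization check of its own, so the
# calling workflow decides who may trigger it.

echo "::group::Running nix fmt"
nix fmt
echo "::endgroup::"

echo "::group::Checking for changes"
if git diff --quiet; then
  echo "No formatting changes needed"
  # Close the log group before leaving, so the early exit does not end the
  # step with an unterminated ::group::.
  echo "::endgroup::"
  exit 0
fi
echo "::endgroup::"

echo "::group::Running git absorb"
# Stage every change in the work tree (untracked files included) so that
# git absorb can pick it up.
git add -A

# Create fixup commits.
# Find the merge base to properly identify which commits can absorb changes.
MERGE_BASE=$(git merge-base origin/main HEAD)
# --force lets git absorb run automatically, without stopping to ask.
git absorb --force --base "$MERGE_BASE"

# Then do a non-interactive autosquash rebase with git identity set.
# The no-op editors (":") accept the generated todo list and the commit
# messages unchanged.
export GIT_EDITOR=:
export GIT_SEQUENCE_EDITOR=:
export GIT_AUTHOR_NAME="github-actions[bot]"
export GIT_AUTHOR_EMAIL="github-actions[bot]@users.noreply.github.com"
export GIT_COMMITTER_NAME="github-actions[bot]"
export GIT_COMMITTER_EMAIL="github-actions[bot]@users.noreply.github.com"
# The rebase target is origin/main itself rather than $MERGE_BASE, so the
# branch is also replayed onto the current tip of main.
git rebase -i --autosquash origin/main
echo "::endgroup::"

echo "::group::Pushing changes"
# --force-with-lease refuses to overwrite the remote branch if it has moved
# since it was last fetched.
git push --force-with-lease
echo "::endgroup::"

echo "Successfully formatted code and absorbed changes!"
================================================ FILE: .github/workflows/ci.yml ================================================ name: CI on: push: branches: - main pull_request: merge_group: permissions: contents: read jobs: checks: runs-on: "${{ matrix.os }}" strategy: fail-fast: false matrix: os: - ubuntu-latest - ubuntu-22.04-arm - macos-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31 - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c # v17 with: name: nixos-infra-dev authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" - run: nix run --inputs-from .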
nixpkgs#nix-fast-build -- --skip-cached --no-nom nixos-x86_64: runs-on: ubuntu-latest strategy: fail-fast: false matrix: machine: - caliban - elated-minsky - sleepy-brown - haumea - pluto - mimas steps: - name: Free disk space if: matrix.machine == 'mimas' run: | sudo rm -rf /usr/share/dotnet /usr/local/lib/android /opt/ghc - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31 - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c # v17 with: name: nixos-infra-dev authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" - run: nix run --inputs-from . nixpkgs#nix-fast-build -- --skip-cached --no-nom --flake '.#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel' nixos-aarch64: runs-on: ubuntu-22.04-arm strategy: fail-fast: false matrix: machine: - umbriel - goofy-hopcroft - staging-hydra steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31 - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c # v17 with: name: nixos-infra-dev authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" - run: nix run --inputs-from . nixpkgs#nix-fast-build -- --skip-cached --no-nom --flake '.#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel' nix-darwin: runs-on: macos-latest strategy: fail-fast: false matrix: machine: - intense-heron # m1 - kind-lumiere # m2 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31 - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c # v17 with: name: nixos-infra-dev authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" - run: nix run --inputs-from . 
nixpkgs#nix-fast-build -- --skip-cached --no-nom --flake '.#darwinConfigurations."${{ matrix.machine }}".config.system.build.toplevel' ================================================ FILE: .github/workflows/dns-apply.yml ================================================ --- name: Apply DNS changes on: push: branches: - main paths: - "dns/**" workflow_dispatch: permissions: {} jobs: dnscontrol: runs-on: ubuntu-latest strategy: fail-fast: true steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31 - name: dnscontrol push env: GANDI_TOKEN: "${{ secrets.GANDI_TOKEN }}" # Expires 2026-04-07 working-directory: ./dns/ run: | nix run --inputs-from . nixpkgs#dnscontrol -- push ================================================ FILE: .github/workflows/dns-preview.yml ================================================ --- name: Test/Preview DNS changes on: pull_request: paths: - "dns/**" permissions: {} jobs: dnscontrol: # only run for local branches if: github.event.pull_request.head.repo.full_name == github.repository runs-on: ubuntu-latest strategy: fail-fast: false steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31 - name: dnscontrol preview env: GANDI_TOKEN: "${{ secrets.GANDI_TOKEN }}" # Expires 2026-04-07 working-directory: ./dns/ run: | nix run --inputs-from . 
nixpkgs#dnscontrol -- preview ================================================ FILE: .github/workflows/format-pr.yml ================================================
# Runs .github/scripts/format-and-absorb.sh on a pull request's branch when a
# comment whose body is exactly `/format` is posted on that pull request, then
# reports the outcome back as a comment.
name: Format PR
on:
  issue_comment:
    types: [created]
  # NOTE(review): `pr_number` is not referenced by any step in this file, and
  # the job condition below only matches issue_comment payloads, so a manual
  # dispatch appears to skip the job entirely — confirm and either wire the
  # input up or drop the trigger.
  workflow_dispatch:
    inputs:
      pr_number:
        description: "PR number to format"
        required: true
        type: number
# Workflow-wide token scopes: the job pushes to the PR branch (contents) and
# comments on the PR (pull-requests).
permissions:
  contents: write
  pull-requests: write
jobs:
  format:
    # Only comments on pull requests, and only an exact `/format` body.
    if: |
      github.event.issue.pull_request &&
      github.event.comment.body == '/format'
    runs-on: ubuntu-latest
    steps:
      # Authorization gate: the commenter must hold admin or write permission
      # on this repository. On refusal the step posts a comment and fails; the
      # later steps without an `if:` are then skipped, while "Comment on
      # failure" (if: failure()) still runs and posts a second comment.
      - name: Check if user has write access
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            const permission = await github.rest.repos.getCollaboratorPermissionLevel({
              owner: context.repo.owner,
              repo: context.repo.repo,
              username: context.payload.comment.user.login,
            });
            if (!['admin', 'write'].includes(permission.data.permission)) {
              await github.rest.issues.createComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: context.issue.number,
                body: '❌ You need write access to run this command.'
              });
              core.setFailed('User lacks write permission');
            }
      # Acknowledge the command with a reaction on the triggering comment.
      - name: React to comment
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            await github.rest.reactions.createForIssueComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              comment_id: context.payload.comment.id,
              content: 'rocket'
            });
      # Looks up the PR to learn its head branch name and head commit.
      # `head_sha` is exported but not read by any later step in this file.
      - name: Get PR branch
        id: pr
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            const pr = await github.rest.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.issue.number,
            });
            core.setOutput('head_ref', pr.data.head.ref);
            core.setOutput('head_sha', pr.data.head.sha);
      # Checks out the head branch by name with full history. No `repository:`
      # is given, so the name is resolved in this repository, and
      # persist-credentials is left at its default (unlike the other workflows
      # here) because the script pushes.
      # NOTE(review): for a pull request whose head lives in a fork, the branch
      # name would be looked up here rather than in the fork; dns-preview.yml
      # guards against that case with
      # `github.event.pull_request.head.repo.full_name == github.repository` —
      # consider an equivalent check on `pr.data.head.repo` in this job.
      # NOTE(review): the ref is a branch name, not `head_sha`, so the content
      # that runs is whatever the branch tip is when the job starts, not what
      # the commenter saw — confirm this is acceptable.
      - name: Checkout PR
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ steps.pr.outputs.head_ref }}
          fetch-depth: 0
      - name: Install Nix
        uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31
      - name: Setup Cachix
        uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c # v17
        with:
          name: nixos-infra-dev
          authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
      # The script is taken from the checked-out branch, not from main, and it
      # runs in a job that holds the write-scoped token and has already passed
      # CACHIX_AUTH_TOKEN to the Cachix step. The permission check on the
      # commenter above is the only gate in front of it.
      - name: Run format and absorb
        run: ./.github/scripts/format-and-absorb.sh
      - name: Comment on success
        if: success()
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: '✅ Successfully formatted and absorbed changes!'
            });
      # Runs after any failed step, including a refused permission check.
      - name: Comment on failure
        if: failure()
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: '❌ Failed to format and absorb changes. Check the workflow logs for details.'
            });
================================================ FILE: .github/workflows/zizmor.yml ================================================ name: GitHub Actions Security Analysis with zizmor 🌈 on: push: branches: - main paths: - ".github/**" - flake.lock pull_request: paths: - ".github/**" - flake.lock permissions: {} jobs: zizmor: name: Run zizmor against GitHub Action workflows runs-on: ubuntu-latest permissions: security-events: write steps: - name: Clone repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - name: Install nix uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31 - name: Run zizmor 🌈 env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | nix run --inputs-from . nixpkgs-unstable#zizmor -- \ --format sarif --pedantic . > results.sarif - name: Upload SARIF file uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4 with: sarif_file: results.sarif category: zizmor ================================================ FILE: .gitignore ================================================ *~ # Terraform .terraform* # Direnv .direnv # Nix build outputs result # Colmena --keep-result roots directory .gcroots ================================================ FILE: LICENSE ================================================ MIT License Copyright (c) 2024 NixOS Foundation and contributors Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ================================================ FILE: README.md ================================================ # The NixOS infrastructure configurations This repository contains all the hardware configuration for the nixos project infrastructure. All the hosts are currently managed using NixOps. Some of the infrastructure is managed using Terraform. There are still a lot of things configured manually. ## Docs - [Resources inventory](docs/inventory.md) ## Team There are two teams managing this repository. The responsibility of both teams is to provide infrastructure for the Nix and NixOS community. ### [@NixOS/infra-build](https://github.com/orgs/NixOS/teams/infra-build) This team has access to all the infrastructure, including the build infrastructure. The members are a subset of the next team. ### [@NixOS/infra](https://github.com/orgs/NixOS/teams/infra) First level responders. This team helps with the high-level infrastructure. All the members should be watching this repository for changes. ## Regular catch up We meet regularly over [Lasuite Meet](https://github.com/suitenumerique/meet) to catch up and make decisions. Sometimes it helps to have dedicated focus and higher communication bandwidth. There is an open team meeting **every other Thursday at [18:00 (Europe/Zurich)](https://dateful.com/convert/zurich?t=18)**. See the [google calendar](https://calendar.google.com/calendar/u/0/embed?src=b9o52fobqjak8oq8lfkhg3t0qg@group.calendar.google.com) (search for "NixOS Infra") to see the next date. 
- Location: - Meeting notes: ## Reporting issues If you experience any issues with the infrastructure, please [post a new issue to this repository][1]. [1]: https://github.com/NixOS/infra/issues/new ================================================ FILE: build/.envrc ================================================ # shellcheck shell=bash use flake .#build ================================================ FILE: build/colmena.nix ================================================ # heavily adapted from https://github.com/juspay/colmena-flake # Original license: GNU Affero General Public License v3.0 { config, lib, self, inputs, ... }: { options.colmena = { hosts = lib.mkOption { type = lib.types.attrsOf ( lib.types.submodule ( { name, ... }: { options = { targetHost = lib.mkOption { type = lib.types.str; default = "${name}.nixos.org"; description = '' The target host for colmena nodes ''; }; targetUser = lib.mkOption { type = lib.types.str; default = "root"; description = '' The target user for colmena nodes ''; }; }; } ) ); description = '' Deployment configuration for colmena nodes ''; example = { node1 = { targetHost = "node1.nixos.org"; targetUser = "foo"; }; }; }; system = lib.mkOption { type = lib.types.str; description = '' The system for colmena nodes ''; default = "x86_64-linux"; }; }; config.flake.colmenaHive = inputs.colmena.lib.makeHive self.outputs.colmena; config.flake.colmena = { meta = { nixpkgs = inputs.nixpkgs.legacyPackages.${config.colmena.system}; # https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861 nodeSpecialArgs = builtins.mapAttrs (_: value: value._module.specialArgs) self.nixosConfigurations; }; } // builtins.mapAttrs (name: _: { imports = (self.nixosConfigurations.${name})._module.args.modules ++ [ { deployment = config.colmena.hosts.${name}; } ]; }) config.colmena.hosts; } ================================================ FILE: build/colmena.sh ================================================ #!/usr/bin/env bash set -euo 
pipefail cd "$(dirname "$0")" colmena apply "$@" ================================================ FILE: build/common.nix ================================================
# Shared NixOS configuration for hosts under build/ (for example,
# build/haumea/default.nix imports it as ../common.nix).
{ pkgs, lib, ... }:
{
  imports = [
    ../modules/common.nix
    ../modules/nftables.nix
    ../modules/prometheus
    ../modules/rasdaemon.nix
  ];

  nixpkgs.config.allowUnfree = true;

  # Firmware and CPU microcode updates are enabled for both vendors, so the
  # same module can be used on AMD and Intel machines.
  hardware.enableAllFirmware = true;
  hardware.cpu.amd.updateMicrocode = true;
  hardware.cpu.intel.updateMicrocode = true;

  boot.kernel.sysctl = {
    # reboot on kernel panic
    # (kernel.panic is the delay in seconds before the reboot;
    # panic_on_oops makes an oops count as a panic)
    "kernel.panic" = 60;
    "kernel.panic_on_oops" = 1;
  };

  documentation.nixos.enable = false;

  environment = {
    enableDebugInfo = true;
    systemPackages = with pkgs; [
      # debugging
      gdb
      lsof
      sqlite-interactive

      # editors
      helix
      neovim

      # utilities
      ripgrep
      fd

      # system introspection
      dmidecode
      hdparm
      htop
      iotop
      lm_sensors
      nvme-cli
      powerstat
      smartmontools
      sysstat
      tcpdump
      tmux
    ];
  };

  services.openssh = {
    enable = true;
    # mkForce replaces whatever other modules contribute to this list, leaving
    # /etc/ssh/authorized_keys.d/%u as the only key file sshd consults.
    # NOTE(review): presumably this is meant to keep per-user
    # ~/.ssh/authorized_keys files out of play so that access is defined only
    # by this repository — confirm against the sshd module defaults.
    authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ];
  };

  # allowed-impure-host-deps lists host paths builds may depend on;
  # allowed-uris lists the URI prefixes that may be fetched when evaluation
  # runs in restricted mode.
  nix.extraOptions = ''
    allowed-impure-host-deps = /etc/protocols /etc/services /etc/nsswitch.conf
    allowed-uris = https://github.com/ https://git.savannah.gnu.org/ github: https://releases.nixos.org/
  '';

  # we use networkd
  networking.useDHCP = false;

  services.resolved = {
    enable = true;
    # Resolver addresses taken from the Hetzner page linked below.
    fallbackDns = [
      # https://docs.hetzner.com/de/dns-console/dns/general/recursive-name-servers/
      "185.12.64.1"
      "185.12.64.2"
      "2a01:4ff:ff00::add:1"
      "2a01:4ff:ff00::add:2"
    ];
  };

  # ACME account defaults shared by every certificate requested on the host.
  security.acme = {
    acceptTerms = true;
    defaults.email = "infra@nixos.org";
  };

  services.zfs.autoScrub.enable = true;
}
================================================ FILE: build/datadog/hydra.nix ================================================ { pkgs, ...
}: { systemd.services.dd-agent.environment.PYTHONPATH = "${pkgs.pythonPackages.requests}/lib/python2.7/site-packages"; environment.etc = let hydra-config = pkgs.writeText "hydra.yaml" '' init_config: instances: - check: 1 ''; in [ { source = hydra-config; target = "dd-agent/conf.d/hydra.yaml"; } { source = ./hydra.py; target = "dd-agent/checks.d/hydra.py"; } ]; } ================================================ FILE: build/datadog/hydra.py ================================================ import json import requests import checks class HydraCheck(checks.AgentCheck): def check(self, instance) -> None: r = requests.get( "http://localhost:3000/status", headers={"Content-Type": "application/json"} ) self.gauge("hydra.active_buildsteps", len(json.loads(r.text))) ================================================ FILE: build/flake-module.nix ================================================ { inputs, lib, ... }: let flakesModule = { imports = [ inputs.agenix.nixosModules.age inputs.disko.nixosModules.disko ]; nixpkgs.overlays = [ inputs.rfc39.overlays.default ]; }; in { imports = [ ./colmena.nix ]; colmena.hosts = { haumea = { }; pluto = { }; mimas = { }; titan = { }; }; flake = { nixosConfigurations.haumea = lib.nixosSystem { system = "x86_64-linux"; specialArgs = { inherit inputs; }; modules = [ flakesModule ./haumea ]; }; nixosConfigurations.pluto = lib.nixosSystem { system = "x86_64-linux"; specialArgs = { inherit inputs; }; modules = [ flakesModule ./pluto ]; }; nixosConfigurations.mimas = lib.nixosSystem { system = "x86_64-linux"; specialArgs = { inherit inputs; }; modules = [ flakesModule ./mimas ]; }; nixosConfigurations.titan = lib.nixosSystem { system = "x86_64-linux"; specialArgs = { inherit inputs; }; modules = [ flakesModule ./titan ]; }; }; perSystem = { pkgs, inputs', ... 
}: { devShells.build = pkgs.mkShell { buildInputs = [ inputs'.agenix.packages.agenix inputs'.colmena.packages.colmena ]; }; }; } ================================================ FILE: build/haumea/boot.nix ================================================ { boot.loader.grub = { devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ]; copyKernels = true; configurationLimit = 5; # 230 MB /boot capacity }; boot.initrd.availableKernelModules = [ "ahci" "nvme" "usbhid" ]; boot.kernelModules = [ "kvm-amd" ]; } ================================================ FILE: build/haumea/default.nix ================================================ { lib, modulesPath, pkgs, ... }: { imports = [ "${modulesPath}/installer/scan/not-detected.nix" ../common.nix ./boot.nix ./network.nix ./postgresql.nix ]; networking = { hostId = "83c81a23"; hostName = "haumea"; domain = "nixos.org"; }; environment.systemPackages = [ pkgs.lz4 ]; fileSystems."/" = { device = "rpool/safe/root"; fsType = "zfs"; }; fileSystems."/boot" = { device = "/dev/disk/by-label/boot0"; fsType = "ext4"; }; fileSystems."/nix" = { device = "rpool/local/nix"; fsType = "zfs"; }; fileSystems."/var/db/postgresql" = { device = "rpool/safe/postgres"; fsType = "zfs"; }; services.zfs.autoScrub.enable = true; nix.settings.max-jobs = lib.mkDefault 16; powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; system.stateVersion = "14.12"; users.users.root.openssh.authorizedKeys.keys = with (import ../../ssh-keys.nix); infra # maybe this isn't needed to add (again)? 
++ [
      # NOTE(review): an individual key with root access, added for a stated
      # temporary purpose; confirm it is still needed and drop it afterwards.
      brianmcgee # experiments with the old Hydra's DB
    ];
}

================================================
FILE: build/haumea/network.nix
================================================
{
  systemd.network = {
    enable = true;
    networks = {
      "30-enp35s0" = {
        matchConfig = {
          MACAddress = "a8:a1:59:04:71:f5";
          Type = "ether";
        };
        address = [
          "46.4.89.205/27"
          "2a01:4f8:212:41c9::1/64"
        ];
        routes = [
          { Gateway = "46.4.89.193"; }
          { Gateway = "fe80::1"; }
        ];
        vlan = [ "vlan4000" ];
        networkConfig.Description = "WAN";
        linkConfig.RequiredForOnline = true;
      };
    };
  };
}

================================================
FILE: build/haumea/postgresql.nix
================================================
{ config, pkgs, ... }:
{
  services.prometheus.exporters.postgres = {
    enable = true;
    # Connects over the local Unix socket directory, so sslmode=disable does
    # not put traffic on the network.
    dataSourceName = "user=root database=hydra host=/run/postgresql sslmode=disable";
    openFirewall = true;
    # Only the Prometheus source addresses may reach the exporter port.
    firewallRules = ''
      ip6 saddr $prometheus_inet6 tcp dport ${toString config.services.prometheus.exporters.postgres.port} accept
      ip saddr $prometheus_inet4 tcp dport ${toString config.services.prometheus.exporters.postgres.port} accept
    '';
  };

  services.postgresql = {
    enable = true;
    enableJIT = true;
    package = pkgs.postgresql_16;
    dataDir = "/var/db/postgresql/16";
    # https://pgtune.leopard.in.ua/#/
    settings = {
      # https://vadosware.io/post/everything-ive-seen-on-optimizing-postgres-on-zfs-on-linux/#zfs-related-tunables-on-the-postgres-side
      full_page_writes = "off";

      checkpoint_completion_target = "0.9";
      default_statistics_target = 100;

      log_duration = "off";
      log_statement = "none";

      # pgbadger-compatible logging
      log_transaction_sample_rate = 0.01;
      log_min_duration_statement = 5000;
      log_checkpoints = "on";
      log_connections = "on";
      log_disconnections = "on";
      log_lock_waits = "on";
      log_temp_files = 0;
      log_autovacuum_min_duration = 0;
      log_line_prefix = "user=%u,db=%d,app=%a,client=%h ";

      max_connections = 500;
      work_mem = "20MB";
      maintenance_work_mem = "2GB";

      # 25% of memory
      shared_buffers = "16GB";

      # Checkpoint every 1GB. (default)
      # increased after seeing many warnings about frequent checkpoints
      min_wal_size = "1GB";
      max_wal_size = "2GB";
      wal_buffers = "16MB";

      max_worker_processes = 16;
      max_parallel_workers_per_gather = 8;
      max_parallel_workers = 16;

      # NVMe related performance tuning
      effective_io_concurrency = 200;
      random_page_cost = "1.1";

      # We can risk losing some transactions.
      synchronous_commit = "off";

      effective_cache_size = "16GB";

      # Enable JIT compilation if possible.
      jit = "on";

      # autovacuum and autoanalyze much more frequently:
      # at these values vacuum should run approximately
      # every 2 mass rebuilds, or a couple times a day
      # on the builds table. Some of those queries really
      # benefit from frequent vacuums, so this should
      # help. In particular, I'm thinking the jobsets
      # pages.
      autovacuum_vacuum_scale_factor = 0.02;
      autovacuum_analyze_scale_factor = 0.01;

      shared_preload_libraries = "pg_stat_statements";
      compute_query_id = "on";
    };

    # FIXME: don't use 'trust'.
    # NOTE(review): with 'trust', a TCP connection from the listed address
    # may log in to the hydra database as any role without a credential; the
    # network path is the only control. A password method such as
    # scram-sha-256 would close that, once the client has a secret to present.
    authentication = ''
      host hydra all 10.0.40.0/32 trust
      local all root peer map=prometheus
    '';

    # Lets the local OS users root and postgres-exporter connect as the
    # database role root through the 'prometheus' peer map above.
    identMap = ''
      prometheus root root
      prometheus postgres-exporter root
    '';
  };
}

================================================
FILE: build/haumea/zrepl.yml
================================================
# root@zh4461b.rsync.net:/usr/local/etc/zrepl/zrepl.yml
# zrepl main configuration file.
# For documentation, refer to https://zrepl.github.io/
#
global:
  logging:
    - type: "stdout"
      level: "error"
      format: "human"
    - type: "syslog"
      level: "info"
      format: "logfmt"

# mostly from https://blog.lenny.ninja/zrepl-on-rsync-net.html
jobs:
  - name: sink
    type: sink
    serve:
      type: stdinserver
      client_identities: [haumea]
    recv:
      placeholder:
        encryption: off
    root_fs: "data1"

================================================
FILE: build/hydra-proxy.nix
================================================
{ config, pkgs, ...
}:
{
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  # Anubis sits between nginx and the Hydra web server for ordinary page
  # requests (see the $backend map below).
  services.anubis.instances."hydra-server" = {
    settings = {
      TARGET = "http://127.0.0.1:3000";
      # NOTE(review): ":3001" carries no host part, while nginx only talks to
      # 127.0.0.1:3001; confirm whether this needs to listen beyond loopback
      # or whether the firewall is the intended control.
      BIND = ":3001";
      BIND_NETWORK = "tcp";
      METRICS_BIND = ":9001";
      METRICS_BIND_NETWORK = "tcp";
    };
  };

  # Anubis metrics are reachable from the Prometheus source addresses only.
  networking.firewall.extraInputRules = ''
    ip6 saddr $prometheus_inet6 tcp dport 9001 accept
    ip saddr $prometheus_inet4 tcp dport 9001 accept
  '';

  services.nginx = {
    enable = true;
    enableReload = true;

    recommendedBrotliSettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    proxyTimeout = "900s";

    appendConfig = ''
      worker_processes auto;
    '';

    # $backend selects the upstream per request: everything goes through
    # anubis except the download paths listed here, which reach Hydra
    # directly. Requests are rate-limited per client address.
    appendHttpConfig = ''
      map $request_uri $backend {
        default anubis;

        # downloads (e.g. distrobuilder for lxc/incus images)
        ~^/build/\d+/download/ hydra-server;
        ~^/build/\d+/download-by-type/ hydra-server;
        ~^/job/[^/]+/[^/]+/[^/]+/latest/download/ hydra-server;
        ~^/job/[^/]+/[^/]+/[^/]+/latest/download-by-type/file/ hydra-server;
      }

      limit_req_zone $binary_remote_addr zone=hydra-server:8m rate=2r/s;
      limit_req_status 429;
    '';

    eventsConfig = ''
      worker_connections 1024;
    '';

    upstreams = {
      anubis.servers."127.0.0.1:3001" = { };
      hydra-server.servers."127.0.0.1:3000" = { };
    };

    virtualHosts."hydra.nixos.org" = {
      forceSSL = true;
      enableACME = true;

      extraConfig = ''
        error_page 403 /403.html;
        error_page 502 /502.html;
        error_page 503 /503.html;
        location ~ /(403|502|503).html {
          root ${./nginx-error-pages};
          internal;
        }
      '';

      # Ask robots not to scrape hydra, it has various expensive endpoints
      locations."=/robots.txt".alias = pkgs.writeText "hydra.nixos.org-robots.txt" ''
        User-agent: *
        Disallow: /
        Allow: /$
      '';

      # Per-job metric pages bypass anubis; they are not covered by the
      # limit_req directive on "/" below.
      locations."~ ^/job/[^/]+/[^/]+/metrics/metric/" = {
        proxyPass = "http://hydra-server";
      };

      locations."/" = {
        proxyPass = "http://$backend";
        extraConfig = ''
          limit_req zone=hydra-server burst=7;
        '';
      };

      locations."/static/" = {
        alias = "${config.services.hydra-dev.package}/libexec/hydra/root/static/";
      };
    };
  };
}
================================================
FILE: build/hydra.nix
================================================
{
  config,
  lib,
  pkgs,
  inputs,
  ...
}:
let
  # Local cache directory used by server_store_uri in the Hydra config.
  narCache = "/var/cache/hydra/nar-cache";
in
{
  imports = [ inputs.hydra.nixosModules.hydra ];

  # queue-runner and hydra-notify metrics
  networking.firewall.extraInputRules = ''
    ip6 saddr $prometheus_inet6 tcp dport { 9198, 9199 } accept
    ip saddr $prometheus_inet4 tcp dport { 9198, 9199 } accept
  '';

  nix.package = config.services.hydra-dev.package.nix;

  # garbage collection
  nix.gc = {
    automatic = true;
    options = ''--max-freed "$((400 * 1024**3 - 1024 * $(df -P -k /nix/store | tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))"'';
    dates = "03,09,15,21:15";
  };

  # gc outputs as well, since they are served from the cache
  nix.settings.keep-outputs = lib.mkForce false;

  # Weekly job that deletes regular files under the build-log directory once
  # they are older than the -mtime threshold.
  systemd.services.hydra-prune-build-logs = {
    description = "Clean up old build logs";
    startAt = "weekly";
    serviceConfig = {
      User = "hydra-queue-runner";
      Group = "hydra";
      ExecStart = lib.concatStringsSep " " [
        (lib.getExe pkgs.findutils)
        "/var/lib/hydra/build-logs/"
        "-ignore_readdir_race"
        "-type"
        "f"
        "-mtime"
        "+213" # days (~7 months, roughly one release cycle)
        "-delete"
      ];
    };
  };

  # Don't rate-limit the journal.
services.journald.rateLimitBurst = 0;

  # Secrets are decrypted by agenix at activation; owner and group restrict
  # who can read the decrypted file.
  age.secrets.hydra-aws-credentials = {
    file = ./secrets/hydra-aws-credentials.age;
    path = "/var/lib/hydra/queue-runner/.aws/credentials";
    owner = "hydra-queue-runner";
    group = "hydra";
  };

  age.secrets.hydra-github-client-secret = {
    file = ./secrets/hydra-github-client-secret.age;
    owner = "hydra-www";
    group = "hydra";
  };

  services.hydra-dev.enable = true;
  services.hydra-dev.buildMachinesFiles = [ "/etc/nix/machines" ];
  services.hydra-dev.dbi = "dbi:Pg:dbname=hydra;host=10.0.40.3;user=hydra;";
  services.hydra-dev.logo = ./hydra-logo.png;
  services.hydra-dev.hydraURL = "https://hydra.nixos.org";
  services.hydra-dev.notificationSender = "edolstra@gmail.com";
  services.hydra-dev.smtpHost = "localhost";
  services.hydra-dev.useSubstitutes = false;
  # The OAuth client secret is referenced by file path, so it stays out of
  # the rendered configuration; the client ids are not secrets.
  # NOTE(review): the final listen_address/port pair appears here without an
  # enclosing section; section markup may have been lost in this listing, so
  # verify against the repository which component listens on 0.0.0.0:9199.
  services.hydra-dev.extraConfig = ''
    max_servers 30

    enable_google_login = 1
    google_client_id = 816926039128-ia4s4rsqrq998rsevce7i09mo6a4nffg.apps.googleusercontent.com

    github_client_id = b022c64ce4531ffc1031
    github_client_secret_file = ${config.age.secrets.hydra-github-client-secret.path}

    store_uri = s3://nix-cache?secret-key=/var/lib/hydra/queue-runner/keys/cache.nixos.org-1/secret&write-nar-listing=1&ls-compression=br&log-compression=br&index-debug-info=true
    server_store_uri = https://cache.nixos.org?local-nar-cache=${narCache}
    binary_cache_public_uri = https://cache.nixos.org

    cache_size = 32m

    # patchelf:master:3
    xxx-jobset-repeats = nixos:reproducibility:1

    upload_logs_to_binary_cache = true
    compress_build_logs = false  # conflicts with upload_logs_to_binary_cache

    log_prefix = https://cache.nixos.org/

    evaluator_workers = 16
    evaluator_max_memory_size = 8192
    max_concurrent_evals = 1

    # increase the number of active compress slots (CPU is 48*2 on mimas)
    max_local_worker_threads = 144

    max_unsupported_time = 86400

    allow_import_from_derivation = false

    max_output_size = 4294967295 # 4 GiB - 1 B
    max_db_connections = 350

    queue_runner_metrics_address = [::]:9198

    listen_address = 0.0.0.0
    port = 9199
  '';
systemd.tmpfiles.rules = [
    "d /var/cache/hydra 0755 hydra hydra -  -"
    "d ${narCache}      0775 hydra hydra 1d -"
  ];

  # wait for the network before starting hydra, since we require a network
  # connection to the remote postgresql database
  systemd.services.hydra-init = {
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
  };

  # eats memory as if it was free
  systemd.services.hydra-notify.enable = false;

  systemd.services.hydra-queue-runner = {
    # restarting the scheduler is very expensive
    restartIfChanged = false;
    serviceConfig = {
      ManagedOOMPreference = "avoid";
      LimitNOFILE = 65535;
    };
  };

  # NOTE(review): "ssh-rsa" accepts RSA host-key signatures made with SHA-1.
  # Every host key pinned in knownHosts below is ed25519, so the entry looks
  # droppable; confirm no builder outside this list still depends on it.
  programs.ssh.hostKeyAlgorithms = [
    "rsa-sha2-512-cert-v01@openssh.com"
    "ssh-ed25519"
    "ssh-rsa"
    "ecdsa-sha2-nistp256"
  ];

  programs.ssh.extraConfig = lib.mkAfter ''
    ServerAliveInterval 120
    TCPKeepAlive yes
  '';

  # These IPs and SSH public keys are specifically provisioned for Hydra
  # Pinning the builders' host keys here means a builder presenting a
  # different key is rejected rather than trusted on first use.
  services.openssh.knownHosts = {
    # x86_64-linux at Hetzner
    "elated-minsky.builder.nixos.org".publicKey =
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIvrJpd3aynfPVGGG/s7MtRFz/S6M4dtqvqKI3Da7O7+";
    "sleepy-brown.builder.nixos.org".publicKey =
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOh4/3m7o6H3J5QG711aJdlSUVvlC8yW6KoqAES3Fy6I";

    # aarch64-linux at Hetzner
    "goofy-hopcroft.builder.nixos.org".publicKey =
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICTJEi+nQNd7hzNYN3cLBK/0JCkmwmyC1I+b5nMI7+dd";
    "hopeful-rivest.builder.nixos.org".publicKey =
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBgjwpQaNAWdEdnk1YG7JWThM4xQdKNJ3h3arhF7+iFm";

    # M1 Macs at Hetzner
    "intense-heron.mac.nixos.org".publicKey =
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICeSgOe/cr1yVAJOl30t3AZOLtvzeQa5rnrHGceKeBue";
    "sweeping-filly.mac.nixos.org".publicKey =
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE6b/coXQEcFZW1eG4zFyCMCF0mZFahqmadz6Gk9DWMF";
    "maximum-snail.mac.nixos.org".publicKey =
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEs+fK4hH8UKo+Pa7u1VYltkMufBHHH5uC93RQ2S6Xy9";
    "growing-jennet.mac.nixos.org".publicKey =
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAQGthkSSOnhxrIUCMlRQz8FOo5Y5Nk9f9WnVLNeRJpm";
    "enormous-catfish.mac.nixos.org".publicKey =
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMlg7NXxeG5L3s0YqSQIsqVG0MTyvyWDHUyYEfFPazLe";

    # M1 Macs at Flying Circus
    "norwegian-blue.mac.nixos.org".publicKey =
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQ6Cjvoq5VBYfXl6ZV/ijQ1q4UxbWRYYfkXe0rzmJjf";

    # M2 Macs at Oakhost
    "kind-lumiere.mac.nixos.org".publicKey =
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFoqn1AAcOqtG65milpBtWVXP5VcBmTUSMGNfJzPwW8Q";
    "eager-heisenberg.mac.nixos.org".publicKey =
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBp9NStfEPu7HdeK8f2KEnynyirjG9BUk+6w2SgJtQyS";

    # vcunat
    "t2a.cunat.cz".publicKey =
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIu3itg4hn5e4KrnyoreAUN3RIbAcvqc7yWx5i6EWqAu";
    "t4b.cunat.cz".publicKey =
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/jE8c0lkc/DlK3R7A+zBr6j/lfEQrhqSD/YOEVs8za";
  };
}

================================================
FILE: build/id_buildfarm.pub
================================================
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyM48VC5fpjJssLI8uolFscP4/iEoMHfkPoT9R3iE3OEjadmwa1XCAiXUoa7HSshw79SgPKF2KbGBPEVCascdAcErZKGHeHUzxj7v3IsNjObouUOBbJfpN4DR7RQT28PZRsh3TvTWjWnA9vIrSY/BvAK1uezFRuObvatqAPMrw4c0DK+JuGuCNkKDGHLXNSxYBc5Pmr1oSU7/BDiHVjjyLIsAMIc20+q8SjWswKqL1mY193mN7FpUMBtZrd0Za9fMFRII9AofEIDTOayvOZM6+/1dwRWZXM6jhE6kaPPF++yromHvDPBnd6FfwODKLvSF9BkA3pO5CqrD8zs7ETmrV hydra-queue-runner@chef

================================================
FILE: build/mimas/boot.nix
================================================
{
  boot = {
    initrd.availableKernelModules = [
      "ahci"
      "xhci_pci"
      "nvme"
      "usbhid"
    ];

    supportedFilesystems.zfs = true;

    loader = {
      efi.canTouchEfiVariables = false;
      grub = {
        enable = true;
        configurationLimit = 10;
        efiSupport = true;
        efiInstallAsRemovable = true;
        # One ESP per disk, matching the two mount points in disko.nix.
        mirroredBoots = [
          {
            devices = [ "nodev" ];
            path = "/efi/a";
          }
          {
            devices = [ "nodev" ];
            path = "/efi/b";
          }
        ];
      };
    };
  };
}

================================================
FILE: build/mimas/default.nix
================================================
{
  imports = [
    ../common.nix
    ../hydra.nix
    ../hydra-proxy.nix
    ./boot.nix
    ./firewall.nix
    ./network.nix
  ];

  disko.devices = import ./disko.nix;

  networking = {
    hostName = "mimas";
    domain = "nixos.org";
    hostId = "aba92093";
  };

  zramSwap = {
    enable = true;
    memoryPercent = 50;
  };

  nixpkgs.hostPlatform = "x86_64-linux";

  system.stateVersion = "24.11";
}

================================================
FILE: build/mimas/disko.nix
================================================
let
  # Partition table shared by both disks; `id` only selects the ESP mount
  # point (/efi/a or /efi/b).
  layout = id: {
    type = "gpt";
    partitions = {
      esp = {
        type = "EF00";
        size = "512M";
        content = {
          type = "filesystem";
          format = "vfat";
          mountpoint = "/efi/${id}";
        };
      };
      zfs = {
        size = "100%";
        content = {
          type = "zfs";
          pool = "zroot";
        };
      };
    };
  };
in
{
  disk = {
    nvme0n1 = {
      type = "disk";
      device = "/dev/disk/by-id/nvme-SAMSUNG_MZQL21T9HCJR-00A07_S64GNNFX604905";
      content = layout "a";
    };
    nvme1n1 = {
      type = "disk";
      device = "/dev/disk/by-id/nvme-SAMSUNG_MZQL21T9HCJR-00A07_S64GNNFX604919";
      content = layout "b";
    };
  };

  zpool.zroot = {
    type = "zpool";
    mode = "mirror";
    options.ashift = "12";

    rootFsOptions = {
      acltype = "posixacl";
      atime = "off";
      compression = "on";
      mountpoint = "none";
      xattr = "sa";
    };

    datasets = {
      "root" = {
        type = "zfs_fs";
        mountpoint = "/";
      };
      "nix/store" = {
        type = "zfs_fs";
        mountpoint = "/nix";
      };
      "nix/db" = {
        type = "zfs_fs";
        mountpoint = "/nix/var/nix/db";
      };
      "hydra/cache" = {
        type = "zfs_fs";
        mountpoint = "/var/cache/hydra";
      };
      "hydra/state" = {
        type = "zfs_fs";
        mountpoint = "/var/lib/hydra";
      };
      "reserved" = {
        type = "zfs_fs";
        options = {
          canmount = "off";
          refreservation = "16G"; # roughly one system closure
        };
      };
    };
  };
}

================================================
FILE: build/mimas/firewall.nix
================================================
{ pkgs, lib, inputs, ...
}:
let
  # Autonomous system numbers whose announced prefixes are loaded into the
  # block sets below.
  blockedAutNums = [
    45102 # ALIBABA-CN-NET
    45899 # VNPT-AS-VN
    132203 # TENCENT-NET-AP-CN
  ];
in
{
  networking.nftables = {
    # The sets start empty and are filled at runtime by nft-prefix-import;
    # matching sources are dropped on TCP 443 only.
    tables."abuse" = {
      family = "inet";
      content = ''
        set ipv4blocks {
          type ipv4_addr;
          flags interval;
          auto-merge;
        }
        set ipv6blocks {
          type ipv6_addr;
          auto-merge;
          flags interval;
        }
        chain input-abuse {
          type filter hook input priority filter - 5;

          ip saddr @ipv4blocks tcp dport 443 counter drop;
          ip6 saddr @ipv6blocks tcp dport 443 counter drop;
        }
      '';
    };
  };

  systemd.services.nft-prefix-import = {
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    path = with pkgs; [ nftables ];
    environment.USER_AGENT = "NixOS.org Infrastructure - infra@nixos.org";
    serviceConfig = {
      Type = "oneshot";
      # Runs as an unprivileged dynamic user; CAP_NET_ADMIN is the only
      # capability granted.
      # NOTE(review): the set contents come from data fetched over the
      # network, so whoever controls that data decides which sources are
      # dropped on 443; confirm how the importer authenticates its source.
      AmbientCapabilities = [ "CAP_NET_ADMIN" ];
      DynamicUser = true;
      User = "nft-asblock";
      Group = "nft-asblock";
      ExecStart = toString (
        [
          (lib.getExe inputs.nft-prefix-import.packages.${pkgs.stdenv.hostPlatform.system}.default)
          "--table"
          "abuse"
          "--ipv4set"
          "ipv4blocks"
          "--ipv6set"
          "ipv6blocks"
        ]
        ++ blockedAutNums
      );
      RestrictAddressFamilies = [
        "AF_NETLINK"
        "AF_INET"
        "AF_INET6"
      ];
      StateDirectory = "nft-prefix-import";
      WorkingDirectory = "/var/lib/nft-prefix-import";
    };
  };

  systemd.timers.nft-prefix-import = {
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnCalendar = "0/6:00";
      RandomizedDelaySec = 3600;
    };
  };
}

================================================
FILE: build/mimas/network.nix
================================================
{
  networking.useDHCP = false;

  systemd.network = {
    enable = true;
    netdevs = {
      "20-vlan4000" = {
        netdevConfig = {
          Kind = "vlan";
          Name = "vlan4000";
        };
        vlanConfig.Id = 4000;
      };
    };
    networks = {
      "30-enp5s0" = {
        matchConfig = {
          MACAddress = "9c:6b:00:70:d1:f8";
          Type = "ether";
        };
        linkConfig.RequiredForOnline = true;
        networkConfig.Description = "WAN";
        address = [
          "157.90.104.34/26"
          "2a01:4f8:2220:11c8::1/64"
        ];
        routes = [
          { Gateway = "157.90.104.1"; }
          { Gateway = "fe80::1"; }
        ];
        vlan = [
"vlan4000"
        ];
      };
      # Private VLAN link; the address is a /31 point-to-point pair.
      "30-vlan4000" = {
        matchConfig.Name = "vlan4000";
        linkConfig = {
          MTUBytes = "1400";
          RequiredForOnline = "routable";
        };
        address = [
          "10.0.40.2/31"
        ];
      };
    };
  };
}

================================================
FILE: build/nginx-error-pages/403.html
================================================
Error 403 - hydra.nixos.org

logo

HTTP Error 403

Access to this resource has been denied!

This could be caused by one of the following issues:

  • You are using an extension to spoof your user-agent
  • The browser you are running is out of date

Feel free to reach out if you think this request was denied in error.


You can check the following resources for further information:
Alerts | Dashboards | Issues | Chatroom

================================================ FILE: build/nginx-error-pages/502.html ================================================ Error 502 - hydra.nixos.org

logo

HTTP Error 502

This service is currently unavailable!


You can check the following resources for further information:
Alerts | Dashboards | Issues | Chatroom

================================================ FILE: build/nginx-error-pages/503.html ================================================ Hydra is down
Warning

Looks like Hydra is having some problems. Sorry about that!

NixOS Homepage | System Alerts | Dashboards | Related Issues

================================================
FILE: build/pluto/boot.nix
================================================
{
  boot = {
    supportedFilesystems = [ "zfs" ];
    loader = {
      efi.canTouchEfiVariables = false;
      grub = {
        enable = true;
        efiSupport = true;
        efiInstallAsRemovable = true;
        # One ESP per disk, matching the mount points in disko.nix.
        mirroredBoots = [
          {
            devices = [ "nodev" ];
            path = "/efi/a";
          }
          {
            devices = [ "nodev" ];
            path = "/efi/b";
          }
        ];
      };
    };
  };
}

================================================
FILE: build/pluto/default.nix
================================================
{ config, ... }:
{
  imports = [
    ../common.nix
    ./boot.nix
    ./disko.nix
    ./network.nix
    ./grafana.nix
    ./nginx.nix
    ./nixos-metrics.nix
    ./prometheus
    ../../modules/hydra-mirror.nix
    ../../modules/rfc39.nix
    ../../modules/tarball-mirror.nix
  ];

  networking = {
    hostName = "pluto";
    domain = "nixos.org";
    hostId = "e4c9bd10";
  };

  age.secrets.pluto-backup-ssh-key.file = ../secrets/pluto-backup-ssh-key.age;
  age.secrets.pluto-backup-secret.file = ../secrets/pluto-backup-secret.age;

  # Backup target. The storage host's public key is pinned here and both
  # credentials are passed as paths to agenix-decrypted files.
  services.backup = {
    user = "u391032-sub2";
    host = "u391032.your-storagebox.de";
    hostPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
    port = 23;
    sshKey = config.age.secrets.pluto-backup-ssh-key.path;
    secretPath = config.age.secrets.pluto-backup-secret.path;
  };

  nixpkgs.hostPlatform = "x86_64-linux";

  system.stateVersion = "23.11";
}

================================================
FILE: build/pluto/disko.nix
================================================
{
  disko.devices = {
    disk = {
      nvme0n1 = {
        type = "disk";
        device = "/dev/disk/by-id/nvme-SAMSUNG_MZVL2512HDJD-00B07_S782NE0W900172";
        content = {
          type = "gpt";
          partitions = {
            esp = {
              size = "1G";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/efi/a";
              };
            };
            swap = {
              size = "16G";
              content = {
                type = "swap";
              };
            };
            zfs = {
              size = "100%";
              content = {
                type = "zfs";
                pool = "zroot";
              };
            };
          };
        };
      };
      nvme1n1 = {
        type = "disk";
        device =
"/dev/disk/by-id/nvme-SAMSUNG_MZVL2512HDJD-00B07_S782NF0YA37531";
        content = {
          type = "gpt";
          partitions = {
            esp = {
              size = "1G";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/efi/b";
              };
            };
            swap = {
              size = "16G";
              content = {
                type = "swap";
              };
            };
            zfs = {
              size = "100%";
              content = {
                type = "zfs";
                pool = "zroot";
              };
            };
          };
        };
      };
    };
    zpool = {
      zroot = {
        type = "zpool";
        options = {
          ashift = "12";
          autotrim = "on";
        };
        mode = "mirror";
        rootFsOptions = {
          acltype = "posixacl";
          compression = "zstd";
          mountpoint = "none";
        };
        datasets = {
          root = {
            type = "zfs_fs";
            mountpoint = "/";
          };
          "root/prometheus" = {
            type = "zfs_fs";
            mountpoint = "/var/lib/prometheus2";
          };
          "root/victoriametrics" = {
            type = "zfs_fs";
            mountpoint = "/var/lib/victoriametrics";
          };
        };
      };
    };
  };
}

================================================
FILE: build/pluto/grafana.nix
================================================
{ config, ... }:
{
  services.backup.includes = [ "/var/lib/grafana" ];

  age.secrets."grafana-secret-key" = {
    file = ../secrets/grafana-secret-key.age;
    owner = "grafana";
  };

  services.grafana = {
    enable = true;
    settings = {
      # NOTE(review): anonymous access, open sign-up and viewers_can_edit are
      # all on for an instance served at a public hostname. Presumably
      # intentional for public dashboards; confirm that no data source or
      # dashboard exposes more than is meant to be public, and that
      # self-registered accounts get no more than the viewer role.
      "auth.anonymous".enabled = true;

      users = {
        allow_sign_up = true;
        viewers_can_edit = true;
      };

      server = {
        domain = "grafana.nixos.org";
        root_url = "https://grafana.nixos.org";
        # Served over a Unix socket; nginx is given the grafana group below
        # so it can connect.
        protocol = "socket";
      };

      # Read from the decrypted secret file at runtime, so the key itself is
      # not written into the Nix store.
      security.secret_key = "$__file{${config.age.secrets.grafana-secret-key.path}}";
    };
  };

  systemd.services.nginx.serviceConfig.SupplementaryGroups = [ "grafana" ];
}

================================================
FILE: build/pluto/network.nix
================================================
{
  systemd.network = {
    enable = true;
    networks = {
      "30-enp5s0" = {
        matchConfig = {
          MACAddress = "c8:7f:54:67:bd:31";
          Type = "ether";
        };
        linkConfig.RequiredForOnline = true;
        networkConfig.Description = "WAN";
        address = [
          "37.27.99.100/26"
          "2a01:4f9:3070:15e0::1/64"
        ];
        routes = [
          { Gateway = "37.27.99.65"; }
          { Gateway = "fe80::1"; }
        ];
      };
    };
  };
}
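================================================
FILE: build/pluto/nginx.nix
================================================
{ config, ... }:
{
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  services.nginx = {
    enable = true;

    recommendedProxySettings = true;

    eventsConfig = ''
      worker_connections 4096;
    '';

    # Legacy hostname: everything redirects to the dedicated hosts below.
    virtualHosts."monitoring.nixos.org" = {
      enableACME = true;
      forceSSL = true;
      default = true;
      locations."/".return = "302 https://status.nixos.org";
      # The redirect target uses $action, which nginx only defines through a
      # named capture, so the group must be written as (?<action>...).
      locations."~ ^/prometheus/?(?<action>[^\\s]+)" = {
        return = "301 https://prometheus.nixos.org/$action$is_args$args";
        # TODO: Remove after https://github.com/NixOS/nixos-status/pull/21
        # Applies a wildcard CORS origin to the redirect responses only.
        extraConfig = ''
          add_header Access-Control-Allow-Origin "*" always;
        '';
      };
      locations."~ ^/grafana/?(?<action>[^\\s]+)".return =
        "301 https://grafana.nixos.org/$action$is_args$args";
    };

    # NOTE(review): Prometheus is proxied here with no access control visible
    # in this file; confirm that public read access to its UI and API is
    # intended.
    virtualHosts."prometheus.nixos.org" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}";
      };
    };

    virtualHosts."grafana.nixos.org" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://unix:${config.services.grafana.settings.server.socket}";
        proxyWebsockets = true;
      };
    };
  };
}

================================================
FILE: build/pluto/nixos-metrics.nix
================================================
{ config, pkgs, ...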
}:
{
  systemd.services.pull-nixos-metrics = {
    description = "Pull nixos metrics from github:NixOS/nixos-metrics and push to local VictoriaMetrics";
    # Downloads the published JSONL export and streams it into the local
    # VictoriaMetrics import endpoint, then resets the rollup result cache.
    # NOTE(review): the first curl has no --fail and the pipeline's status is
    # that of the second curl, so an HTTP error body from the download would
    # still be posted to the import endpoint; consider --fail together with
    # `set -o pipefail`.
    script =
      let
        inherit (config.services.victoriametrics) listenAddress;
        importURL = "http://localhost${listenAddress}/api/v1/import";
        resetURL = "http://localhost${listenAddress}/internal/resetRollupResultCache";
        dataURL = "https://raw.githubusercontent.com/NixOS/nixos-metrics/data/victoriametrics.jsonl";
        curl = "${pkgs.curl}/bin/curl";
      in
      ''
        ${curl} ${dataURL} | ${curl} -X POST --data-binary @- ${importURL}
        ${curl} -G ${resetURL}
      '';
    serviceConfig = {
      Type = "oneshot";
      # NOTE(review): "nobody" is shared by anything else running under that
      # account; a DynamicUser would give this job an identity of its own.
      User = "nobody";
    };
  };

  systemd.timers.pull-nixos-metrics = {
    description = "Pull nixos metrics, timed for after they're done updating each day.";
    wantedBy = [ "timers.target" ];
    timerConfig.OnCalendar = "12:00:00";
  };

  services.backup.includesZfsDatasets = [ "/var/lib/victoriametrics" ];

  services.victoriametrics = {
    enable = true;
    retentionPeriod = "1200w"; # 100 years
  };
}

================================================
FILE: build/pluto/prometheus/alertmanager.nix
================================================
{ config, ... }:
{
  services.prometheus = {
    # Prometheus sends alerts to the Alertmanager on this host.
    alertmanagers = [
      {
        scheme = "http";
        static_configs = [
          {
            targets = [
              "localhost:${toString config.services.prometheus.alertmanager.port}"
            ];
          }
        ];
      }
    ];

    alertmanager = {
      enable = true;
      # Allow alertmanager to start even if it doesn't find an RFC1918 IP on
      # the machine's network interfaces.
extraFlags = [ "--cluster.listen-address=''" ];
      # NOTE(review): the scheme is http while the alerts.nixos.org virtual
      # host below forces TLS; confirm whether links generated from this URL
      # should be https.
      webExternalUrl = "http://alerts.nixos.org";
      configuration = {
        global = { };
        route = {
          # Default receiver discards alerts; only the sub-route matching
          # severity "warning" is forwarded.
          receiver = "ignore";
          group_wait = "30s";
          group_interval = "5m";
          repeat_interval = "24h";
          group_by = [ "alertname" ];

          routes = [
            {
              receiver = "go-neb";
              group_wait = "30s";
              match.severity = "warning";
            }
          ];
        };
        receivers = [
          {
            # with no *_config, this will drop all alerts directed to it
            name = "ignore";
          }
          {
            name = "go-neb";
            webhook_configs = [
              {
                url = "${config.services.go-neb.baseUrl}:4050/services/hooks/YWxlcnRtYW5hZ2VyX3NlcnZpY2U";
                send_resolved = true;
              }
            ];
          }
        ];
      };
    };
  };

  services.nginx.virtualHosts."alerts.nixos.org" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://localhost:9093";
    };
  };

  age.secrets."alertmanager-oauth2-proxy-env".file = ../../secrets/alertmanager-oauth2-proxy-env.age;

  # GitHub login in front of the Alertmanager UI. Any e-mail domain is
  # accepted, so the org/team pair below is the setting that restricts access.
  services.oauth2-proxy = {
    enable = true;

    # oidc provider
    provider = "github";
    clientID = "Ov23liDt1q76okEJpVVE";
    keyFile = config.age.secrets."alertmanager-oauth2-proxy-env".path;

    # filter criteria
    email.domains = [ "*" ];
    github = {
      org = "NixOS";
      team = "infra";
    };

    # protected domains
    nginx = {
      domain = "alerts.nixos.org";
      virtualHosts."alerts.nixos.org" = { };
    };
  };

  age.secrets.alertmanager-matrix-forwarder = {
    file = ../../secrets/alertmanager-matrix-forwarder.age;
    owner = config.systemd.services.go-neb.serviceConfig.User;
  };

  # Create user so that we can set the ownership of the key to
  # it. DynamicUser will not take full effect as a result of this.
users.users.go-neb = {
    isSystemUser = true;
    group = "go-neb";
  };
  users.groups.go-neb = { };

  systemd.services.go-neb.serviceConfig.SupplementaryGroups = [ "keys" ];

  # NOTE(review): this allowlists a package that nixpkgs refuses to build by
  # default because it is marked insecure; presumably needed by go-neb.
  # Confirm the exposure is acceptable for a bot that only forwards alerts,
  # and track a replacement.
  nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];

  services.go-neb = {
    enable = true;
    bindAddress = "localhost:4050";
    baseUrl = "http://localhost";
    secretFile = config.age.secrets.alertmanager-matrix-forwarder.path;
    config = {
      clients = [
        {
          UserId = "@bot:nixos.org";
          # Placeholder; presumably substituted from secretFile at start-up
          # (see the envsubst remark further down), so the real token is not
          # written into this file.
          AccessToken = "$CHANGEME";
          HomeServerUrl = "https://matrix.nixos.org";
          Sync = true;
          AutoJoinRooms = true;
          DisplayName = "Bot";
        }
      ];
      services = [
        {
          ID = "alertmanager_service";
          Type = "alertmanager";
          UserId = "@bot:nixos.org";
          Config = {
            webhook_url = "http://localhost:4050/services/hooks/YWxlcnRtYW5hZ2VyX3NlcnZpY2U";
            rooms = {
              # infra-alerts:nixos.org
              "!QLQqibtFaVtDgurUAE:nixos.org" = {
                text_template = ''
                  {{range .Alerts -}}
                    [{{ .Status }}] {{index .Labels "alertname" }}: {{index .Annotations "description"}}
                  {{ end -}}
                '';
                # $$severity otherwise envsubst replaces $severity with an empty string
                # NOTE(review): as listed here the template has no HTML tags
                # or link targets; they may have been lost in this listing,
                # so verify against the repository before reusing it.
                html_template = ''
                  {{range .Alerts -}}
                    {{ $$severity := index .Labels "severity" }}
                    {{ if eq .Status "firing" }}
                      {{ if eq $$severity "critical"}}
                        [FIRING - CRITICAL]
                      {{ else if eq $$severity "warning"}}
                        [FIRING - WARNING]
                      {{ else }}
                        [FIRING - {{ $$severity }}]
                      {{ end }}
                    {{ else }}
                      [RESOLVED]
                    {{ end }}
                    {{ index .Labels "alertname"}}: {{ index .Annotations "summary"}}
                    (
                      {{ if .Annotations.grafana }}
                        📈 Grafana,
                      {{ end }}
                      🔥 Prometheus,
                      🔕 Silence
                    )
                  {{end -}}'';
                msg_type = "m.text"; # Must be either `m.text` or `m.notice`
              };
            };
          };
        }
      ];
    };
  };
}

================================================
FILE: build/pluto/prometheus/default.nix
================================================
{ pkgs, ... }:
{
  imports = [
    ./alertmanager.nix
    ./exporters/anubis.nix
    ./exporters/blackbox.nix
    ./exporters/channel.nix
    ./exporters/domain.nix
    ./exporters/fastly.nix
    ./exporters/github.nix
    ./exporters/hydra.nix
    ./exporters/json.nix
    ./exporters/matrix-synapse.nix
    ./exporters/nixos.nix
    ./exporters/node.nix
    ./exporters/owncast.nix
    ./exporters/postgresql.nix
    ./exporters/rasdaemon.nix
    ./exporters/storagebox.nix
    ./exporters/sql.nix
    ./exporters/up.nix
    ./exporters/zfs.nix
    ./exporters/zrepl.nix
  ];

  services.backup.includesZfsDatasets = [ "/var/lib/prometheus2" ];

  services.prometheus = {
    enable = true;
    extraFlags = [
      "--storage.tsdb.retention.time=${toString (720 * 24)}h"
      "--web.external-url=https://prometheus.nixos.org/"
    ];

    globalConfig.scrape_interval = "15s";

    # Alert when any scrape target has been down for ten minutes.
    ruleFiles = [
      (pkgs.writeText "up.rules" (
        builtins.toJSON {
          groups = [
            {
              name = "up";
              rules = [
                {
                  alert = "NotUp";
                  expr = ''
                    up == 0
                  '';
                  for = "10m";
                  labels.severity = "warning";
                  annotations.summary = "scrape job {{ $labels.job }} is failing on {{ $labels.instance }}";
                }
              ];
            }
          ];
        }
      ))
    ];
  };
}

================================================
FILE: build/pluto/prometheus/exporters/anubis.nix
================================================
{
  services.prometheus = {
    scrapeConfigs = [
      {
        job_name = "anubis";
        static_configs = [
          {
            targets = [
              "hydra.nixos.org:9001"
            ];
          }
        ];
      }
    ];
  };
}

================================================
FILE: build/pluto/prometheus/exporters/blackbox.nix
================================================
{ config, pkgs, ... }:
let
  # Builds a scrape job that probes a fixed target list through the local
  # blackbox exporter using the given module.
  mkStaticProbe =
    {
      module,
      targets,
      job_suffix ?
"",
    }:
    {
      job_name = "blackbox-${module}${job_suffix}";
      metrics_path = "/probe";
      params = {
        module = [ module ];
      };
      static_configs = [ { inherit targets; } ];
      # Move the listed target into the ?target= parameter, keep it as the
      # instance label, and send the scrape itself to the local exporter.
      relabel_configs = [
        {
          source_labels = [ "__address__" ];
          target_label = "__param_target";
        }
        {
          source_labels = [ "__param_target" ];
          target_label = "instance";
        }
        {
          target_label = "__address__";
          replacement = "localhost:${toString config.services.prometheus.exporters.blackbox.port}";
        }
      ];
    };

  # Same as mkStaticProbe, but the targets come from DNS service discovery;
  # the queried DNS name becomes the instance label and the resolved address
  # is kept in the host label.
  mkDnsSdProbe = module: dns_sd_config: {
    job_name = "blackbox-${module}";
    metrics_path = "/probe";
    params = {
      module = [ module ];
    };
    dns_sd_configs = [
      dns_sd_config
    ];
    relabel_configs = [
      {
        source_labels = [ "__address__" ];
        target_label = "__param_target";
      }
      {
        source_labels = [ "__address__" ];
        target_label = "host";
      }
      {
        source_labels = [ "__meta_dns_name" ];
        target_label = "instance";
      }
      {
        target_label = "__address__";
        replacement = "localhost:${toString config.services.prometheus.exporters.blackbox.port}";
      }
    ];
  };
in
{
  services.prometheus = {
    exporters.blackbox = {
      enable = true;
      # Loopback only: the exporter makes outbound probes to whatever target
      # a request names, so it is kept unreachable from other hosts.
      listenAddress = "127.0.0.1";
      configFile = pkgs.writeText "probes.yml" (
        builtins.toJSON {
          modules.https_success = {
            prober = "http";
            tcp.tls = true;
            http.headers.User-Agent = "blackbox-exporter";
          };
          # From https://github.com/prometheus/blackbox_exporter/blob/53e78c2b3535ecedfd072327885eeba2e9e51ea2/example.yml#L120-L133
          modules.smtp_starttls = {
            prober = "tcp";
            timeout = "10s";
            tcp = {
              query_response = [
                { expect = "^220"; }
                { send = "EHLO prober\r"; }
                { expect = "^250-STARTTLS"; }
                { send = "STARTTLS\r"; }
                { expect = "^220"; }
                { starttls = true; }
                { send = "EHLO prober\r"; }
                { expect = "^250-AUTH"; }
                { send = "QUIT\r"; }
              ];
            };
          };
        }
      );
    };

    scrapeConfigs = [
      (mkStaticProbe {
        module = "https_success";
        targets = [
          "https://cache.nixos.org"
          "https://channels.nixos.org"
          "https://common-styles.nixos.org"
          "https://discourse.nixos.org"
          "https://hydra.nixos.org"
          "https://mobile.nixos.org"
          "https://monitoring.nixos.org"
          "https://nixos.org"
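"https://planet.nixos.org"
          "https://releases.nixos.org"
          "https://status.nixos.org"
          "https://survey.nixos.org"
          "https://tarballs.nixos.org"
          "https://weekly.nixos.org"
          "https://wiki.nixos.org"
          "https://www.nixos.org"
          "https://tracker.security.nixos.org"
        ];
      })
      (mkDnsSdProbe "smtp_starttls" {
        names = [
          "nixos.org"
        ];
        type = "MX";
        port = 25;
      })
    ];

    ruleFiles = [
      (pkgs.writeText "blackbox-exporter.rules" (
        builtins.toJSON {
          groups = [
            {
              name = "blackbox";
              rules = [
                {
                  alert = "CertificateExpiry";
                  expr = ''
                    probe_ssl_earliest_cert_expiry - time() < 86400 * 14
                  '';
                  for = "15m";
                  labels.severity = "warning";
                  annotations.summary = "Certificate for {{ $labels.instance }} is expiring soon.";
                }
                {
                  alert = "HttpUnreachable";
                  expr = ''
                    probe_success{job="blackbox-https_success"} == 0
                  '';
                  for = "15m";
                  labels.severity = "warning";
                  annotations.summary = "Endpoint {{ $labels.instance }} is unreachable";
                }
                {
                  alert = "MxUnreachable";
                  expr = ''
                    probe_success{job=~"blackbox-smtp_starttls.*"} == 0
                  '';
                  for = "15m";
                  labels.severity = "warning";
                  annotations.summary = "Mail server {{ $labels.instance }} is unreachable";
                }
              ];
            }
          ];
        }
      ))
    ];
  };
}

================================================
FILE: build/pluto/prometheus/exporters/channel-exporter.py
================================================
#!/usr/bin/env python3
"""Prometheus exporter for the revision and update time of NixOS channels.

Reads a JSON map of channels from the path given as the first argument,
polls each channel's ``git-revision`` file in a loop and serves the
resulting metrics over HTTP.
"""
import json
import logging
import sys
import time
from pprint import pprint

import requests
from dateutil.parser import parse
from prometheus_client import Counter, Gauge, Histogram, start_http_server

CHANNEL_REVISION = Gauge(
    "channel_revision",
    "Current revision, exported as a hack",
    ["channel", "revision", "status", "variant", "current"],
)
CHANNEL_REQUEST_TIME = Histogram(
    "channel_request_time", "Time spent requesting channel data"
)
# The previous help text described a different metric; this gauge is set to
# the timestamp parsed from the response's Last-Modified header.
CHANNEL_UPDATE_TIME = Gauge(
    "channel_update_time",
    "Unix timestamp of the channel's last update (Last-Modified header)",
    ["channel"],
)
CHANNEL_CURRENT = Gauge(
    "channel_current",
    "If a channel is expected to be current",
    ["channel"],
)
CHANNEL_REQUEST_FAILURES = Counter(
    "channel_request_failures_total",
    "Number of channel status requests which have failed",
)


@CHANNEL_REQUEST_TIME.time()
def measure_channel(name):
    """Fetch the current revision and last-update time of one channel.

    Returns a dict with ``timestamp`` (float, parsed from the response's
    ``last-modified`` header) and ``revision`` (the response body), or
    ``None`` when the request fails, the server answers with an HTTP error,
    or the header is missing. Failures are printed, never raised.
    """
    try:
        with CHANNEL_REQUEST_FAILURES.count_exceptions():
            result = requests.get(
                f"https://nixos.org/channels/{name}/git-revision", timeout=10
            )
            # Count HTTP errors as failures too; otherwise the body of an
            # error page would be exported as the "revision" label value.
            result.raise_for_status()

        try:
            return {
                "timestamp": parse(result.headers["last-modified"]).timestamp(),
                "revision": result.text,
            }
        except KeyError as e:
            print(f"Got KeyError after getting our result for {name}:")
            pprint(e)
            pprint(result)
    except Exception as e:
        print(f"Got a mystery error for {name}:")
        pprint(e)


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    # NOTE(review): no address is passed, so the metrics server is not bound
    # to loopback explicitly, while the scrape job targets 127.0.0.1:9402;
    # an explicit addr="127.0.0.1" would match it. Confirm nothing else
    # scrapes this port first.
    start_http_server(9402)

    with open(sys.argv[1]) as channel_data:
        channels = json.load(channel_data)

    # Last revision exported per channel, used to drop the stale series when
    # a channel advances.
    revisions = {}

    while True:
        for channel, about in channels.items():
            measurement = measure_channel(channel)
            if measurement is not None:
                revision = measurement["revision"]
                status = about.get("status", "")
                variant = about.get("variant", "")
                current = int(status != "unmaintained")

                CHANNEL_UPDATE_TIME.labels(channel=channel).set(
                    measurement["timestamp"]
                )

                CHANNEL_REVISION.labels(
                    channel=channel,
                    revision=revision,
                    status=status,
                    variant=variant,
                    current=current,
                ).set(1)
                CHANNEL_CURRENT.labels(channel=channel).set(current)
                print(f"updated {channel}")

                previous_revision = revisions.pop(channel, None)
                revisions[channel] = revision
                if previous_revision and previous_revision != revision:
                    CHANNEL_REVISION.remove(
                        channel, previous_revision, status, variant, current
                    )

        time.sleep(55)

================================================
FILE: build/pluto/prometheus/exporters/channel.nix
================================================
{ lib, pkgs, ...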
}: let channels = pkgs.writeText "channels.json" ( builtins.toJSON (import ../../../../channels.nix).channels ); in { systemd.services.channel-update-exporter = { description = "Check all active channels' last-update times"; path = [ (pkgs.python3.withPackages ( pypkgs: with pypkgs; [ requests prometheus-client python-dateutil ] )) ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { DynamicUser = true; ExecStart = "${./channel-exporter.py} ${channels}"; }; }; services.prometheus.scrapeConfigs = [ { job_name = "channel-updates"; metrics_path = "/"; static_configs = [ { targets = [ "127.0.0.1:9402" ]; } ]; } ] ++ lib.mapAttrsToList (name: value: { job_name = "channel-job-${name}"; scheme = "https"; scrape_interval = "5m"; metrics_path = "/job/${value.job}/prometheus"; static_configs = [ { labels = { current = if value.status != "unmaintained" then "1" else "0"; channel = name; }; targets = [ "hydra.nixos.org:443" ]; } ]; }) (import ../../../../channels.nix).channels; } ================================================ FILE: build/pluto/prometheus/exporters/domain.nix ================================================ { pkgs, ... 
}: { services.prometheus = { exporters.domain = { enable = true; listenAddress = "localhost"; }; scrapeConfigs = [ { # https://github.com/caarlos0/domain_exporter#configuration job_name = "domain"; metrics_path = "/probe"; relabel_configs = [ { source_labels = [ "__address__" ]; target_label = "__param_target"; } { target_label = "__address__"; replacement = "localhost:9222"; } ]; static_configs = [ { targets = [ "nix.ci" "nix.dev" "nixos.org" "ofborg.org" ]; } ]; } ]; ruleFiles = [ (pkgs.writeText "domain-exporter.rules" ( builtins.toJSON { groups = [ { name = "domain"; rules = [ { alert = "DomainExpiry"; expr = "domain_expiry_days != -1 and domain_expiry_days < 30"; for = "1h"; labels.severity = "warning"; annotations.summary = "Domain {{ $labels.domain }} will expire in less than 30 days"; } { alert = "DomainProbeFailure"; expr = "domain_probe_success == 0"; for = "1d"; labels.severity = "warning"; annotations.summary = "Domain {{ $labels.domain }} probe failing for more than 1 day."; } ]; } ]; } )) ]; }; } ================================================ FILE: build/pluto/prometheus/exporters/fastly.nix ================================================ { config, ... }: { age.secrets.fastly-exporter-env.file = ../../../secrets/fastly-exporter-env.age; services.prometheus = { exporters.fastly = { enable = true; listenAddress = "127.0.0.1"; environmentFile = config.age.secrets.fastly-exporter-env.path; }; scrapeConfigs = [ { job_name = "fastly"; metrics_path = "/metrics"; static_configs = [ { targets = [ "127.0.0.1:9118" ]; } ]; } ]; }; } ================================================ FILE: build/pluto/prometheus/exporters/github.nix ================================================ { pkgs, ... 
}: let exporter = pkgs.fetchFromGitHub { owner = "grahamc"; repo = "prometheus-github-exporter"; rev = "01b6f8ef06b694411baf10f49e7b05afb26ab307"; sha256 = "sha256-Sk/ynhPeXQVIgyZJ3Gj1VynJhPWmBHjrRnGYLjnJvio="; }; config = pkgs.writeText "config.json" ( builtins.toJSON { port = 9401; repos = [ "NixOS/nixpkgs" "NixOS/nix" ]; } ); in { systemd.services.prometheus-github-exporter = { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; serviceConfig = { DynamicUser = true; User = "github-exporter"; Restart = "always"; RestartSec = "60s"; PrivateTmp = true; }; path = [ (pkgs.python3.withPackages ( ps: with ps; [ prometheus-client requests ] )) ]; script = "exec python3 ${exporter}/scrape.py ${config}"; }; services.prometheus.scrapeConfigs = [ { job_name = "prometheus-github-exporter"; metrics_path = "/"; static_configs = [ { targets = [ "127.0.0.1:9401" ]; } ]; } ]; } ================================================ FILE: build/pluto/prometheus/exporters/hydra-queue-runner-reexporter.py ================================================ #!/usr/bin/env nix-shell #!nix-shell -i python3 -p python3 -p python3Packages.requests -p python3Packages.prometheus_client import contextlib import json import time import requests from prometheus_client import CollectorRegistry, start_http_server from prometheus_client.core import CounterMetricFamily, GaugeMetricFamily def debug_remaining_state(edict) -> None: # pprint(edict.remaining_state()) pass class EvaporatingDict: def __init__(self, state) -> None: self._state = state def preserving_read(self, key): val = self._state[key] if isinstance(val, dict): return EvaporatingDict(val) return val def preserving_read_default(self, key, default): try: return self.preserving_read(key) except KeyError: return default def destructive_read(self, key): val = self.preserving_read(key) del self._state[key] return val def destructive_read_default(self, key, default): try: val = self.preserving_read(key) del self._state[key] return val 
except KeyError: # Not nice, but accounts for weird conditionals in Hydra # todo: log bad reads? return default def unused_read(self, key) -> None: self.destructive_read_default(key, default=None) def remaining_state(self): return self._state def items(self): keys = list(self._state.keys()) for key in keys: yield (key, self.destructive_read(key)) class HydraScrapeImporter: def __init__(self, status) -> None: self._status = EvaporatingDict(status) def collect(self): # The metrics are consumed in the order presented by # https://github.com/NixOS/hydra/blob/adf59a395993d5ed1d7a31108f7666195f789c99/src/hydra-queue-runner/hydra-queue-runner.cc#L536 yield self.trivial_gauge( "up", "Is hydra running", 1 if self.destructive_read("status") == "up" else 0, ) yield self.trivial_counter( "time", "Hydra's current time", self.destructive_read("time") ) yield self.trivial_counter( "uptime", "Hydra's uptime", self.destructive_read("uptime") ) self.unused_metric("pid") yield self.trivial_gauge( "builds_queued", "Current build queue size", self.destructive_read("nrQueuedBuilds"), ) yield self.trivial_gauge( "steps_queued", "Current number of steps for the build queue", self.destructive_read("nrUnfinishedSteps"), ) yield self.trivial_gauge( "steps_runnable", "Current number of steps which can run immediately", self.destructive_read("nrRunnableSteps"), ) yield self.trivial_gauge( "steps_active", "Current number of steps which are currently active", self.destructive_read("nrActiveSteps"), ) yield self.trivial_gauge( "steps_building", "Current number of steps which are currently building", self.destructive_read("nrStepsBuilding"), ) yield self.trivial_gauge( "steps_copying_to", "Current number of steps which are having build inputs copied to a builder", self.destructive_read("nrStepsCopyingTo"), ) yield self.trivial_gauge( "steps_copying_from", "Current number of steps which are having build results copied from a builder", self.destructive_read("nrStepsCopyingFrom"), ) yield 
self.trivial_gauge( "steps_waiting", "Current number of steps which are waiting", self.destructive_read("nrStepsWaiting"), ) yield self.trivial_counter( "build_inputs_sent_bytes", "Total count of bytes sent due to build inputs", self.destructive_read("bytesSent"), ) yield self.trivial_counter( "build_outputs_received_bytes", "Total count of bytes received from build outputs", self.destructive_read("bytesReceived"), ) yield self.trivial_counter( "builds_read", "Total count of builds whose outputs have been read", self.destructive_read("nrBuildsRead"), ) yield self.trivial_counter( "builds_read_seconds", "Total number of seconds spent reading build outputs", self.destructive_read("buildReadTimeMs") / 1000, ) self.unused_metric("buildReadTimeAvgMs") # implementable in prometheus queries yield self.trivial_counter( "builds_done", "Total count of builds performed", self.destructive_read("nrBuildsDone"), ) yield self.trivial_counter( "steps_started", "Total count of steps started", self.destructive_read("nrStepsStarted"), ) yield self.trivial_counter( "steps_done", "Total count of steps completed", self.destructive_read("nrStepsDone"), ) yield self.trivial_counter( "retries", "Total count of retries", self.destructive_read("nrRetries") ) yield self.trivial_counter( "max_retries", "Maximum count of retries for any single job", self.destructive_read("maxNrRetries"), ) yield self.trivial_counter( "step_time", "Total time spent executing steps", self.destructive_read_default("totalStepTime", 0), ) yield self.trivial_counter( "step_build_time", "Total time spent executing builds steps (???)", self.destructive_read_default("totalStepBuildTime", 0), ) self.unused_metric("avgStepTime") self.unused_metric("avgStepBuildTime") yield self.trivial_counter( "queue_wakeup", "Count of the times the queue runner has been notified of queue changes", self.destructive_read("nrQueueWakeups"), ) yield self.trivial_counter( "dispatcher_wakeup", "Count of the times the queue runner work 
dispatcher woke up due to new runnable builds and completed builds.", self.destructive_read("nrDispatcherWakeups"), ) yield self.trivial_counter( "dispatch_execution_seconds", "Number of seconds the dispatcher has spent working", self.destructive_read("dispatchTimeMs") / 1000, ) self.unused_metric("dispatchTimeAvgMs") yield self.trivial_gauge( "db_connections", "Number of connections to the database", self.destructive_read("nrDbConnections"), ) yield self.trivial_gauge( "db_updates", "Number of in-progress database updates", self.destructive_read("nrActiveDbUpdates"), ) yield self.trivial_counter( "notifications_total", "Total number of notifications sent", self.preserving_read_default("nrNotificationsDone", 0) + self.preserving_read_default("nrNotificationsFailed", 0), ) yield self.trivial_counter( "notifications_done", "Number of notifications completed", self.destructive_read_default("nrNotificationsDone", 0), ) yield self.trivial_counter( "notifications_failed", "Number of notifications failed", self.destructive_read_default("nrNotificationsFailed", 0), ) yield self.trivial_counter( "notifications_in_progress", "Number of notifications in_progress", self.destructive_read_default("nrNotificationsInProgress", 0), ) yield self.trivial_counter( "notifications_pending", "Number of notifications pending", self.destructive_read_default("nrNotificationsPending", 0), ) yield self.trivial_counter( "notifications_seconds", "Time spent delivering notifications", self.destructive_read_default("nrNotificationTimeMs", 0) / 1000, ) self.unused_metric("nrNotificationTimeAvgMs") machineCollector = MachineScrapeImporter() for name, report in self.destructive_read("machines").items(): machineCollector.load_machine(name, report) for metric in machineCollector.metrics(): yield metric jobsetCollector = JobsetScrapeImporter() for name, report in self.destructive_read("jobsets").items(): jobsetCollector.load_jobset(name, report) for metric in jobsetCollector.metrics(): yield metric 
machineTypesCollector = MachineTypeScrapeImporter() for name, report in self.destructive_read("machineTypes").items(): machineTypesCollector.load_machine_type(name, report) for metric in machineTypesCollector.metrics(): yield metric store = self.destructive_read("store") yield self.trivial_counter( "store_nar_info_read", "Number of NarInfo files read from the binary cache", store.destructive_read("narInfoRead"), ) yield self.trivial_counter( "store_nar_info_read_averted", "Number of NarInfo files reads which were avoided", store.destructive_read("narInfoReadAverted"), ) yield self.trivial_counter( "store_nar_info_missing", "Number of NarInfo files read attempts which identified a missing narinfo file", store.destructive_read("narInfoMissing"), ) yield self.trivial_counter( "store_nar_info_write", "Number of NarInfo files written to the binary cache", store.destructive_read("narInfoWrite"), ) yield self.trivial_gauge( "store_nar_info_cache_size", "Size of the in-memory store path information cache", store.destructive_read("narInfoCacheSize"), ) yield self.trivial_counter( "store_nar_read", "Number of NAR files read from the binary cache", store.destructive_read("narRead"), ) yield self.trivial_counter( "store_nar_read_bytes", "Number of NAR file bytes read after decompression from the binary cache", store.destructive_read("narReadBytes"), ) yield self.trivial_counter( "store_nar_read_compressed_bytes", "Number of NAR file bytes read before decompression from the binary cache", store.destructive_read("narReadCompressedBytes"), ) yield self.trivial_counter( "store_nar_write", "Number of NAR files written to the binary cache", store.destructive_read("narWrite"), ) yield self.trivial_counter( "store_nar_write_averted", "Number of NAR files writes skipped due to the NAR already being in the binary cache", store.destructive_read("narWriteAverted"), ) yield self.trivial_counter( "store_nar_write_bytes", "Number of NAR file bytes written after decompression to the binary 
cache", store.destructive_read("narWriteBytes"), ) yield self.trivial_counter( "store_nar_write_compressed_bytes", "Number of NAR file bytes written before decompression to the binary cache", store.destructive_read("narWriteCompressedBytes"), ) yield self.trivial_counter( "store_nar_write_compression_seconds", "Number of seconds spent compressing data when writing NARs to the binary cache", store.destructive_read("narWriteCompressionTimeMs") / 1000, ) store.unused_read("narCompressionSavings") store.unused_read("narCompressionSpeed") try: s3 = self.destructive_read("s3") except KeyError: # no key, no metrics s3 = None if s3: # Not in the above try to avoid the try catching mistakes # in the following code yield self.trivial_counter( "store_s3_put", "Number of PUTs to S3", s3.destructive_read("put") ) yield self.trivial_counter( "store_s3_put_bytes", "Number of bytes written to S3", s3.destructive_read("putBytes"), ) yield self.trivial_counter( "store_s3_put_seconds", "Number of seconds spent writing to S3", s3.destructive_read("putTimeMs") / 1000, ) s3.unused_read("putSpeed") yield self.trivial_counter( "store_s3_get", "Number of GETs to S3", s3.destructive_read("get") ) yield self.trivial_counter( "store_s3_get_bytes", "Number of bytes read from S3", s3.destructive_read("getBytes"), ) yield self.trivial_counter( "store_s3_get_seconds", "Number of seconds spent reading from S3", s3.destructive_read("getTimeMs") / 1000, ) s3.unused_read("getSpeed") yield self.trivial_counter( "store_s3_head", "Number of HEADs to S3", s3.destructive_read("head") ) yield self.trivial_counter( "store_s3_cost_approximate_dollars", "Estimated cost of the S3 bucket activity", s3.destructive_read("costDollarApprox"), ) debug_remaining_state(s3) debug_remaining_state(store) def trivial_gauge(self, name, help, value): c = GaugeMetricFamily(f"hydra_{name}", help) c.add_metric([], value) return c def trivial_counter(self, name, help, value): c = CounterMetricFamily(f"hydra_{name}_total", help) 
c.add_metric([], value) return c def unused_metric(self, key) -> None: self._status.unused_read(key) def preserving_read(self, key): return self._status.preserving_read(key) def preserving_read_default(self, key, default): return self._status.preserving_read_default(key, default) def destructive_read(self, key): return self._status.destructive_read(key) def destructive_read_default(self, key, default): return self._status.destructive_read_default(key, default) def uncollected_status(self): return self._status.remaining_state() def blackhole(*args, **kwargs) -> None: return None class MachineScrapeImporter: def __init__(self) -> None: labels = ["host"] self.consective_failures = GaugeMetricFamily( "hydra_machine_consecutive_failures", "Number of consecutive failed builds", labels=labels, ) self.current_jobs = GaugeMetricFamily( "hydra_machine_current_jobs", "Number of current jobs", labels=labels ) self.idle_since = GaugeMetricFamily( "hydra_machine_idle_since", "When the current idle period started", labels=labels, ) self.disabled_until = GaugeMetricFamily( "hydra_machine_disabled_until", "When the machine will be used again", labels=labels, ) self.enabled = GaugeMetricFamily( "hydra_machine_enabled", "If the machine is enabled (1) or not (0)", labels=labels, ) self.last_failure = CounterMetricFamily( "hydra_machine_last_failure", "timestamp of the last failure", labels=labels ) self.number_steps_done = CounterMetricFamily( "hydra_machine_steps_done_total", "Total count of the steps completed", labels=labels, ) self.total_step_build_time = CounterMetricFamily( "hydra_machine_step_build_time_total", "Number of seconds spent building steps", labels=labels, ) self.total_step_time = CounterMetricFamily( "hydra_machine_step_time_total", "Number of seconds spent on steps", labels=labels, ) def load_machine(self, name, report) -> None: report.unused_read("mandatoryFeatures") report.unused_read("supportedFeatures") report.unused_read("systemTypes") 
report.unused_read("avgStepBuildTime") report.unused_read("avgStepTime") labels = [name] self.consective_failures.add_metric( labels, report.destructive_read("consecutiveFailures") ) self.current_jobs.add_metric(labels, report.destructive_read("currentJobs")) with contextlib.suppress(KeyError): self.idle_since.add_metric(labels, report.destructive_read("idleSince")) self.disabled_until.add_metric(labels, report.destructive_read("disabledUntil")) self.enabled.add_metric(labels, 1 if report.destructive_read("enabled") else 0) self.last_failure.add_metric(labels, report.destructive_read("lastFailure")) self.number_steps_done.add_metric( labels, report.destructive_read("nrStepsDone") ) self.total_step_build_time.add_metric( labels, report.destructive_read_default("totalStepBuildTime", default=0) ) self.total_step_time.add_metric( labels, report.destructive_read_default("totalStepTime", default=0) ) debug_remaining_state(report) def metrics(self): yield self.consective_failures yield self.current_jobs yield self.idle_since yield self.disabled_until yield self.enabled yield self.last_failure yield self.number_steps_done yield self.total_step_build_time yield self.total_step_time class JobsetScrapeImporter: def __init__(self) -> None: self.seconds = CounterMetricFamily( "hydra_jobset_seconds_total", "Total number of seconds the jobset has been building", labels=["name"], ) self.shares_used = CounterMetricFamily( "hydra_jobset_shares_used_total", "Total shares the jobset has consumed", labels=["name"], ) def load_jobset(self, name, report) -> None: self.seconds.add_metric([name], report.destructive_read("seconds")) self.shares_used.add_metric([name], report.destructive_read("shareUsed")) debug_remaining_state(report) def metrics(self): yield self.seconds yield self.shares_used class MachineTypeScrapeImporter: def __init__(self) -> None: self.runnable = GaugeMetricFamily( "hydra_machine_type_runnable", "Number of currently runnable builds", labels=["machineType"], ) 
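self.running = GaugeMetricFamily( "hydra_machine_type_running", "Number of currently running builds", labels=["machineType"], ) self.wait_time = CounterMetricFamily( "hydra_machine_type_wait_time_total", "Number of seconds spent waiting", labels=["machineType"], ) self.last_active = CounterMetricFamily( "hydra_machine_type_last_active_total", "Last time this machine type was active", labels=["machineType"], )

    def load_machine_type(self, name, report) -> None:
        """Add one machine type's values to the metric families.

        Args:
            name: machine type name, used as the "machineType" label value.
            report: object offering destructive_read(key); "runnable" and
                "running" must be present, "waitTime" and "lastActive" are
                skipped when the key is missing.
        """
        self.runnable.add_metric([name], report.destructive_read("runnable"))
        self.running.add_metric([name], report.destructive_read("running"))
        with contextlib.suppress(KeyError):
            self.wait_time.add_metric([name], report.destructive_read("waitTime"))
        with contextlib.suppress(KeyError):
            self.last_active.add_metric([name], report.destructive_read("lastActive"))
        debug_remaining_state(report)

    def metrics(self):
        """Yield the four machine-type metric families."""
        yield self.runnable
        yield self.running
        yield self.wait_time
        yield self.last_active


class ScrapeCollector:
    """Collector that performs a fresh scrape every time collect() is called."""

    def __init__(self) -> None:
        pass

    def collect(self):
        """Return the metrics generator built from a new scrape() result."""
        return HydraScrapeImporter(scrape()).collect()


def scrape(cached=None):
    """Return the queue-runner status as parsed JSON.

    Args:
        cached: optional path to a JSON file; when given, the file is read
            instead of contacting the server.

    Returns:
        The decoded JSON document.

    Raises:
        requests.RequestException: on timeout, connection failure or an HTTP
            error status.
    """
    if cached:
        with open(cached) as f:
            return json.load(f)
    else:
        print("Scraping")
        # requests applies no timeout by default, so a stalled connection
        # would block the collector indefinitely. 10s matches the timeout
        # channel-exporter.py uses.
        response = requests.get(
            "https://hydra.nixos.org/queue-runner-status",
            headers={"Content-Type": "application/json"},
            timeout=10,
        )
        # Fail with the HTTP status rather than a JSON decode error on an
        # error page.
        response.raise_for_status()
        return response.json()


registry = CollectorRegistry()
registry.register(ScrapeCollector())

if __name__ == "__main__":
    # Start up the server to expose the metrics.
    # NOTE(review): no addr is passed, so prometheus_client listens on its
    # default address (all interfaces). The "hydra-reexport" scrape job in
    # hydra.nix targets localhost:9200, so addr="127.0.0.1" would likely be
    # enough; confirm that nothing else scrapes this port before narrowing it.
    start_http_server(9200, registry=registry)
    # The loop only keeps the process alive; the work happens in collect().
    while True:
        time.sleep(30)
================================================
FILE: build/pluto/prometheus/exporters/hydra.nix
================================================
{ pkgs, ...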
}: { systemd.services.prometheus-hydra-queue-runner-exporter = { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; wants = [ "network.target" ]; serviceConfig = { DynamicUser = true; Restart = "always"; RestartSec = "60s"; PrivateTmp = true; WorkingDirectory = "/tmp"; ExecStart = let python = pkgs.python3.withPackages ( ps: with ps; [ requests prometheus-client ] ); in '' ${python.interpreter} ${./hydra-queue-runner-reexporter.py} ''; }; }; services.prometheus = { scrapeConfigs = [ { job_name = "hydra"; metrics_path = "/prometheus"; scheme = "https"; static_configs = [ { targets = [ "hydra.nixos.org:443" ]; } ]; } { job_name = "hydra_queue_runner"; metrics_path = "/metrics"; scheme = "http"; static_configs = [ { targets = [ "hydra.nixos.org:9198" ]; } ]; } { job_name = "hydra-webserver"; metrics_path = "/metrics"; scheme = "https"; static_configs = [ { targets = [ "hydra.nixos.org:443" ]; } ]; } { job_name = "hydra-reexport"; metrics_path = "/"; static_configs = [ { targets = [ "localhost:9200" ]; } ]; } ]; ruleFiles = [ (pkgs.writeText "hydra-exporter.rules" ( builtins.toJSON { groups = [ { name = "hydra"; rules = [ { alert = "BuildsStuckOverTwoDays"; expr = ''hydra_machine_build_duration_bucket{le="+Inf"} - ignoring(le) hydra_machine_build_duration_bucket{le="172800"} > 0''; for = "30m"; labels.severity = "warning"; annotations.summary = "{{ $labels.machine }} has {{ $value }} over-age jobs."; annotations.grafana = "https://grafana.nixos.org/d/j0hJAY1Wk/in-progress-build-duration-heatmap"; } ]; } ]; } )) ]; }; } ================================================ FILE: build/pluto/prometheus/exporters/json.nix ================================================ { config, pkgs, ... 
}: { services.prometheus = { exporters.json = { enable = true; listenAddress = "localhost"; configFile = (pkgs.formats.yaml { }).generate "json-exporter-config.yml" { modules.matrix-federation-checker = { metrics = [ { name = "matrix_homeserver_federation_ok"; path = "{.FederationOK}"; help = "False if there's any problem with federation reported."; type = "value"; value_type = "gauge"; } ]; }; }; }; scrapeConfigs = [ { job_name = "matrix-federation-checker"; metrics_path = "/probe"; params = { module = [ "matrix-federation-checker" ]; }; relabel_configs = [ { source_labels = [ "__address__" ]; target_label = "__param_target"; } { source_labels = [ "__address__" ]; target_label = "instance"; } { target_label = "__address__"; replacement = "localhost:${toString config.services.prometheus.exporters.json.port}"; } ]; static_configs = [ { targets = [ "https://federationtester.matrix.org/api/report?server_name=nixos.org" ]; labels.matrix_instance = "nixos.org"; } ]; } ]; ruleFiles = [ (pkgs.writeText "matrix-federation.rules" ( builtins.toJSON { groups = [ { name = "matrix-federation"; rules = [ { alert = "MatrixFederationFailure"; expr = "matrix_homeserver_federation_ok < 1"; for = "30m"; labels.severity = "warning"; annotations.summary = "Matrix federation for {{ $labels.matrix_instance }} appears to be failing."; } ]; } ]; } )) ]; }; } ================================================ FILE: build/pluto/prometheus/exporters/matrix-synapse.nix ================================================ { services.prometheus.scrapeConfigs = [ { job_name = "matrix_synapse"; scheme = "https"; static_configs = [ { targets = [ "matrix.nixos.org:443" ]; } ]; } ]; } ================================================ FILE: build/pluto/prometheus/exporters/nixos.nix ================================================ { services.prometheus.scrapeConfigs = [ { job_name = "nixos"; static_configs = [ { labels.role = "hydra"; targets = [ "mimas.nixos.org:9300" ]; } { labels.role = "monitoring"; 
targets = [ "pluto.nixos.org:9300" ]; } { labels.role = "database"; targets = [ "haumea.nixos.org:9300" "titan.nixos.org:9300" ]; } ]; } ]; } ================================================ FILE: build/pluto/prometheus/exporters/node.nix ================================================ { pkgs, ... }: { services.prometheus = { scrapeConfigs = [ { job_name = "node"; static_configs = [ { labels.role = "hydra"; targets = [ "mimas.nixos.org:9100" ]; } { labels.role = "database"; targets = [ "haumea.nixos.org:9100" "titan.nixos.org:9100" ]; } { labels.role = "monitoring"; targets = [ "pluto.nixos.org:9100" ]; } { labels.role = "services"; targets = [ "caliban.nixos.org:9100" "umbriel.nixos.org:9100" "wiki.nixos.org:9100" "tracker.security.nixos.org:9100" "makemake.ngi.nixos.org:9100" ]; } { labels.role = "mac"; targets = [ # flying circus "norwegian-blue.mac.nixos.org:9100" # hetzner "intense-heron.mac.nixos.org:9100" "sweeping-filly.mac.nixos.org:9100" "maximum-snail.mac.nixos.org:9100" "growing-jennet.mac.nixos.org:9100" "enormous-catfish.mac.nixos.org:9100" # oakhost "kind-lumiere.mac.nixos.org:9100" "eager-heisenberg.mac.nixos.org:9100" # macstadium "mac01.ofborg.org:9100" "mac02.ofborg.org:9100" "mac03.ofborg.org:9100" "mac04.ofborg.org:9100" "mac05.ofborg.org:9100" ]; } { labels.role = "builders"; targets = [ "elated-minsky.builder.nixos.org:9100" "sleepy-brown.builder.nixos.org:9100" "goofy-hopcroft.builder.nixos.org:9100" "hopeful-rivest.builder.nixos.org:9100" ]; } { labels.role = "ofborg"; targets = [ "build01.ofborg.org:9100" "build02.ofborg.org:9100" "build03.ofborg.org:9100" "build04.ofborg.org:9100" "build05.ofborg.org:9100" "core01.ofborg.org:9100" "eval01.ofborg.org:9100" "eval02.ofborg.org:9100" "eval03.ofborg.org:9100" "eval04.ofborg.org:9100" ]; } ]; } ]; ruleFiles = let diskSelector = ''mountpoint="/"''; in [ (pkgs.writeText "node-exporter.rules" ( builtins.toJSON { groups = [ { name = "node"; rules = [ { alert = "PartitionLowInodes"; expr = '' 
node_filesystem_files_free{${diskSelector}} / node_filesystem_files{${diskSelector}} * 100 < 10 ''; for = "60m"; labels.severity = "warning"; annotations.summary = "{{ $labels.device }} mounted to {{ $labels.mountpoint }} ({{ $labels.fstype }}) on {{ $labels.instance }} has only {{ $value }}% free inodes."; annotations.grafana = "https://grafana.nixos.org/d/rYdddlPWk/node-exporter-full?orgId=1&var-job=node&var-node={{ $labels.instance }}"; } { alert = "PartitionLowDiskSpace"; expr = '' round((node_filesystem_free_bytes{${diskSelector}} * 100) / node_filesystem_size_bytes{${diskSelector}}) < 10 and ON (instance, device, mountpoint) node_filesystem_free_bytes < 100 * 1024^3 ''; for = "60m"; labels.severity = "warning"; annotations.summary = "{{ $labels.device }} mounted to {{ $labels.mountpoint }} ({{ $labels.fstype }}) on {{ $labels.instance }} has {{ $value }}% free."; annotations.grafana = "https://grafana.nixos.org/d/rYdddlPWk/node-exporter-full?orgId=1&var-job=node&var-node={{ $labels.instance }}"; } { alert = "SystemdUnitFailed"; expr = '' node_systemd_unit_state{state="failed"} == 1 ''; for = "15m"; labels.severity = "warning"; annotations.summary = "systemd unit {{ $labels.name }} on {{ $labels.instance }} has been down for more than 15 minutes."; } ]; } { name = "scheduled-jobs"; rules = [ { alert = "ChannelUpdateStuck"; expr = ''max_over_time(node_systemd_unit_state{name=~"^update-nix.*.service$",state=~"failed"}[5m]) == 1''; for = "30m"; labels.severity = "warning"; annotations.summary = "{{ $labels.name }} on {{ $labels.instance }}"; annotations.grafana = "https://grafana.nixos.org/d/fBW4tL1Wz/scheduled-task-state-channels-website?orgId=1&refresh=10s"; } ]; } ]; } )) ]; }; } ================================================ FILE: build/pluto/prometheus/exporters/owncast.nix ================================================ { config, ... 
}: { age.secrets.owncast-admin-password = { file = ../../../secrets/owncast-admin-password.age; owner = "prometheus"; group = "prometheus"; }; services.prometheus.scrapeConfigs = [ { job_name = "owncast"; metrics_path = "/api/admin/prometheus"; basic_auth = { username = "admin"; password_file = config.age.secrets.owncast-admin-password.path; }; scheme = "https"; static_configs = [ { targets = [ "live.nixos.org:443" ]; } ]; } ]; } ================================================ FILE: build/pluto/prometheus/exporters/postgresql.nix ================================================ { services.prometheus.scrapeConfigs = [ { job_name = "postgresql"; metrics_path = "/metrics"; static_configs = [ { targets = [ "haumea.nixos.org:9187" "titan.nixos.org:9187" "tracker.security.nixos.org:9187" ]; } ]; } ]; } ================================================ FILE: build/pluto/prometheus/exporters/rasdaemon.nix ================================================ { pkgs, ... }: { services.prometheus = { scrapeConfigs = [ { job_name = "rasdaemon"; static_configs = [ { targets = [ # build "mimas.nixos.org:10029" "haumea.nixos.org:10029" "pluto.nixos.org:10029" "titan.nixos.org:10029" # builders "elated-minsky.builder.nixos.org:10029" "sleepy-brown.builder.nixos.org:10029" "goofy-hopcroft.builder.nixos.org:10029" "hopeful-rivest.builder.nixos.org:10029" # non-critical "caliban.nixos.org:10029" ]; } ]; } ]; ruleFiles = [ (pkgs.writeText "rasdaemon.rules" ( builtins.toJSON { groups = [ { name = "rasdaemon"; rules = [ { alert = "MachineCheckError"; expr = '' increase(rasdaemon_mce_records_total{mce_msg!="Corrected error, no action required."}[1h]) > 0 ''; labels.severity = "warning"; annotations.summary = "Machine check detected an error on {{ $labels.instance }}: {{ $labels.mce_msg }}"; } ]; } ]; } )) ]; }; } ================================================ FILE: build/pluto/prometheus/exporters/sql.nix ================================================ { services.prometheus.scrapeConfigs 
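= [ { job_name = "sql"; metrics_path = "/metrics"; static_configs = [ { targets = [ "tracker.security.nixos.org:9237" ]; } ]; } ]; }
================================================
FILE: build/pluto/prometheus/exporters/storagebox.nix
================================================
{ config, pkgs, ... }:
{
  # Encrypted secret; its decrypted path is handed to the exporter as tokenFile.
  age.secrets."storagebox-exporter-token".file = ../../../secrets/storagebox-exporter-token.age;

  services.prometheus = {
    exporters.storagebox = {
      enable = true;
      listenAddress = "localhost";
      tokenFile = config.age.secrets."storagebox-exporter-token".path;
    };

    scrapeConfigs = [
      {
        job_name = "storagebox";
        scheme = "http";
        static_configs = [ { targets = [ "localhost:9509" ]; } ];
      }
    ];

    ruleFiles = [
      (pkgs.writeText "storagebox-exporter.rules" (
        builtins.toJSON {
          groups = [
            {
              name = "storagebox";
              rules = [
                {
                  alert = "StorageboxCapacity";
                  # Fires when the rounded percentage of free quota is below 10.
                  expr = "round(100 * (1 - (storagebox_disk_usage / storagebox_disk_quota))) < 10";
                  for = "30m";
                  labels.severity = "warning";
                  # The server label was written with a single opening brace,
                  # so the template text was emitted instead of the label value.
                  annotations.summary = "StorageBox {{ $labels.name }} ({{ $labels.server }}) has less than {{ $value }}% free space.";
                }
              ];
            }
          ];
        }
      ))
    ];
  };
}
================================================
FILE: build/pluto/prometheus/exporters/up.nix
================================================
{ pkgs, ... }:
{
  services.prometheus.ruleFiles = [
    (pkgs.writeText "up.rules" (
      builtins.toJSON {
        groups = [
          {
            name = "up";
            rules = [
              {
                # Applies to every scrape job: alert when a target has
                # failed to scrape for 10 minutes.
                alert = "NotUp";
                expr = '' up == 0 '';
                for = "10m";
                labels.severity = "warning";
                annotations.summary = "scrape job {{ $labels.job }} is failing on {{ $labels.instance }}";
              }
            ];
          }
        ];
      }
    ))
  ];
}
================================================
FILE: build/pluto/prometheus/exporters/zfs.nix
================================================
{ pkgs, ...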
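}:
{
  services.prometheus = {
    # Scrape the ZFS exporter (port 9134) on the hosts listed below.
    scrapeConfigs = [
      {
        job_name = "zfs";
        static_configs = [
          {
            targets = [
              "haumea.nixos.org:9134"
              "mimas.nixos.org:9134"
              "pluto.nixos.org:9134"
              "titan.nixos.org:9134"
            ];
          }
        ];
      }
    ];

    ruleFiles = [
      # NOTE(review): the store file is named "node-exporter.rules" although it
      # holds the "zfs" group — presumably a copy-paste leftover; only the file
      # name is affected.
      (pkgs.writeText "node-exporter.rules" (
        builtins.toJSON {
          groups = [
            {
              name = "zfs";
              rules = [
                {
                  alert = "ZfsPoolHealth";
                  expr = ''
                    zfs_pool_health > 0
                  '';
                  for = "5m";
                  # Lowercase, like ZfsPoolFull below and the other rule files
                  # in this directory: label values are matched
                  # case-sensitively, so "WARNING" would not match routes,
                  # silences or inhibitions written for severity="warning".
                  labels.severity = "warning";
                  annotations.summary = "ZFS pool {{ $labels.pool }} on {{ $labels.instance }} is unhealthy.";
                }
                {
                  alert = "ZfsPoolFull";
                  # Free space in percent, alerting below 15 %.
                  expr = ''
                    round((zfs_pool_free_bytes / zfs_pool_size_bytes) * 100, 1) < 15
                  '';
                  for = "30m";
                  labels.severity = "warning";
                  annotations.summary = "ZFS pool {{ $labels.pool }} on {{ $labels.instance }} has only {{ $value }}% free space.";
                  annotations.grafana = "https://grafana.nixos.org/d/rYdddlPWk/node-exporter-full?orgId=1&var-job=node&var-node={{ $labels.instance }}";
                }
              ];
            }
          ];
        }
      ))
    ];
  };
}
================================================
FILE: build/pluto/prometheus/exporters/zrepl.nix
================================================
{ pkgs, ... }:
{
  services.prometheus = {
    # Scrape zrepl's Prometheus endpoint on titan (port 9811).
    scrapeConfigs = [
      {
        job_name = "zrepl";
        static_configs = [
          {
            labels.role = "database";
            targets = [ "titan.nixos.org:9811" ];
          }
        ];
      }
    ];

    ruleFiles = [
      (pkgs.writeText "zrepl.rules" (
        builtins.toJSON {
          groups = [
            {
              name = "zrepl";
              rules = [
                {
                  alert = "ZreplLongTimeNoSuccess";
                  # Last successful replication is more than 6 h old (the
                  # threshold is interpolated in seconds) and has stayed so
                  # for another 6 h. A stale backup is only reported through
                  # this rule, so keep it routed somewhere that is watched.
                  expr = ''
                    time() - zrepl_replication_last_successful > ${toString (6 * 60 * 60)}
                  '';
                  for = "6h";
                  labels.severity = "warning";
                  annotations.summary = "zrepl job {{ $labels.zrepl_job }} has not succeeded recently.";
                }
              ];
            }
          ];
        }
      ))
    ];
  };
}
================================================
FILE: build/scripts/nix-mac-installer.sh
================================================
#! /usr/bin/env bash

# Abort on the first failing command.
set -e

# Everything below edits directory services and root's files.
if [[ $(id -u) != 0 ]]; then
  echo "$0: please run this script as root"
  exit 1
fi

export HOME=/var/root

# Create the nixbld group only if it does not exist yet.
if ! dscl . read /Groups/nixbld >/dev/null 2>&1; then
  dseditgroup -o create nixbld -q
fi

gid=$(dscl . 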
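-read /Groups/nixbld | awk '($1 == "PrimaryGroupID:") {print $2 }')
echo "created nixbld group with gid $gid"

# Create ten unprivileged build users (uids 30001-30010): no login shell,
# home directory /var/empty, primary group nixbld.
for i in $(seq 1 10); do
  user=/Users/nixbld$i
  uid="$((30000 + i))"
  dscl . -create "$user"
  dscl . -create "$user" RealName "Nix build user $i"
  dscl . -create "$user" PrimaryGroupID "$gid"
  dscl . -create "$user" UserShell /usr/bin/false
  dscl . -create "$user" NFSHomeDirectory /var/empty
  dscl . -create "$user" UniqueID "$uid"
  dseditgroup -o edit -a "nixbld$i" -t user nixbld
  echo "created nixbld$i user with uid $uid"
done

# Download the installer completely before running it. With `curl | sh` a
# transfer that fails part-way still gets its received prefix executed, and an
# HTTP error page would be run as a script. -f makes curl fail on HTTP errors,
# and `set -e` at the top of this script then aborts before anything runs.
# --proto '=https' and --tlsv1.2 refuse anything but HTTPS with TLS >= 1.2,
# including on redirects followed by -L.
# NOTE(review): the installer is trusted on the strength of TLS to nixos.org
# alone; no checksum or signature is verified, and it runs as root.
installer=$(mktemp)
curl --proto '=https' --tlsv1.2 -fsSL -o "$installer" https://nixos.org/nix/install
# Feed the script on stdin, as the original pipe did.
sh <"$installer"
rm -f "$installer"

# Install the Hydra queue runner's key for root. The command="..." prefix pins
# the key to `nix-store --serve --write`, whatever command the client requests.
# NOTE(review): the entry carries no further authorized_keys options; adding
# `restrict` would also turn off forwarding and pty allocation — confirm the
# target sshd supports it.
mkdir -p /var/root/.ssh
chmod 700 /var/root/.ssh
touch /var/root/.ssh/authorized_keys
# Drop any previous entry for this key so reruns do not duplicate it; grep
# exits non-zero when nothing is left to print, hence `|| true` under `set -e`.
grep -v "hydra-queue-runner@chef" /var/root/.ssh/authorized_keys >/var/root/.ssh/authorized_keys.tmp || true
echo 'command="/nix/var/nix/profiles/default/bin/nix-store --serve --write" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyM48VC5fpjJssLI8uolFscP4/iEoMHfkPoT9R3iE3OEjadmwa1XCAiXUoa7HSshw79SgPKF2KbGBPEVCascdAcErZKGHeHUzxj7v3IsNjObouUOBbJfpN4DR7RQT28PZRsh3TvTWjWnA9vIrSY/BvAK1uezFRuObvatqAPMrw4c0DK+JuGuCNkKDGHLXNSxYBc5Pmr1oSU7/BDiHVjjyLIsAMIc20+q8SjWswKqL1mY193mN7FpUMBtZrd0Za9fMFRII9AofEIDTOayvOZM6+/1dwRWZXM6jhE6kaPPF++yromHvDPBnd6FfwODKLvSF9BkA3pO5CqrD8zs7ETmrV hydra-queue-runner@chef' >>/var/root/.ssh/authorized_keys.tmp
# Set the final mode before the rename, so the file is never group- or
# world-accessible once it is in place.
chmod 600 /var/root/.ssh/authorized_keys.tmp
mv /var/root/.ssh/authorized_keys.tmp /var/root/.ssh/authorized_keys

# (Re)load the nix-daemon launchd service from the default profile.
service_plist=/Library/LaunchDaemons/org.nixos.nix-daemon.plist
ln -sfn "/nix/var/nix/profiles/default$service_plist" "$service_plist"
launchctl unload "$service_plist" || true
launchctl load "$service_plist"
launchctl start "$service_plist"
================================================
FILE: build/scripts/nix-mac-nuke.sh
================================================
#! /usr/bin/env bash

# Undo nix-mac-installer.sh: stop the daemon, then delete the nixbld group and
# build users.
service_plist=/Library/LaunchDaemons/org.nixos.nix-daemon.plist
launchctl stop $service_plist
launchctl unload $service_plist

dscl . -delete /Groups/nixbld

# Covers nixbld1..nixbld20, a superset of the ten users the installer creates.
for i in $(seq 1 20); do
  dscl . 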
-delete "/Users/nixbld$i" done sudo rm -f $service_plist sudo rm -rf /nix /etc/nix/nix.conf rm -f "$HOME/.nix-channels" "$HOME/.nix-profile" rm -rf "$HOME/.nix-defexpr" ================================================ FILE: build/secrets/alertmanager-oauth2-proxy-env.age ================================================ age-encryption.org/v1 -> ssh-ed25519 s9hT2g WEFWAkfO/QbTyYHtjbtFU819qNNwdEbxj43CAyoCth8 qoaEcEMG3pioLP8DYEV7am6ARmo/1Fi6859geefy0TQ -> ssh-ed25519 Gr9EaQ GQAGFJXSwPlg9lh9Uq+gX5dYyEhFGFOgzmT/Ix9vHww 322Zi2PWOPB8UXq+cLNBPCPxnUV+MikURA1SN947pRI -> ssh-ed25519 3ENwVg YGdKuSB26eLhJivsqJ9yZCtzjDWKCHuf2Az63RgZQhM BggPA13/FpAAGzOryNoIYZL3S60FFK5pTuB0+eGCrIY -> ssh-rsa MuWD+w f81kBsXTgGYsDimMkOrZAJagzqiycmLSxiSYdV+gconCZKrOLIfa9npjbOP26zIf oWez1vf1d1O/Kzk4XYQXTBpDdX2SBncQTtaBOAaNxG9YakieGbBCV5nypAioq7RF wYB9R4XseanmgBdXeMIQ54NWX9zsHZkPEIFCvKyTGGV+uvoiILQDreuBMY5EHB2B o5aqzW8FW1urgRSw9bQnXixuO0QjcAFWyhqCO95P50vnugJFqj7txQpM1vrFjZ78 WCRtHYT3QufvmN0VhiaCTjWQjr1RPptvVoy7M+Q5T29+tnr5gn0DZOSyXNEQmGAU kiWx6IV1G9l1Mzp4SMr2sQ -> ssh-ed25519 92bXiA BiUs0UMX4R3F2boMComJcLLKfR4nnHXwtakjnqPz10M bf9ePOMfN/WSlG0Ef3cgFtcNzTiovZRPKEBzJS+pFww -> ssh-ed25519 Y121Gw 32ZtEmLRbyOcjtAp7Phdlmb18wHs92+kST1qh1giETw oxfQmuhtrLplP6jeCXlawzF6wU+EPmHBUei8DIIgXgI --- GXbCejJoEBQ71qdNg5Wbb8liJVscqX4fHBlfSdvpjkE Z { ӝ` jg~HT_ң / [~Ȉ=xkd=. 
" E΢T<О~ah$ؽ0449'*$ jhccҵ ================================================ FILE: build/secrets/eager-heisenberg-queue-runner-token.age ================================================ age-encryption.org/v1 -> ssh-ed25519 cKT5Kw d2hBbAiEI7iLoP1c7WgXkJXnqfsy3GWPy23NZcHrb3A dIEVrctp2Ryu92cSBILUE+qeeLz0raQ1nTLGAPaZec4 -> ssh-ed25519 NJQh8Q nThSL+PZmkUrXssS5YXqS1x4InMJMJKBma7/UpZcb3E WIVRniPt17W/GkOySUO/tFk0wlecxIMMZtcgV4caG0M -> ssh-ed25519 Gr9EaQ MTnHof1JOu4d5vObVatnKyhi20Da0K0v5TSyxhk7gwI YXIYyvGWR2cf6GJb7VL4aiu0gxKLyK1PyGhgw2vLJz8 -> ssh-ed25519 3ENwVg rIi+Y4H0U+wkaO4zmIEbDd2Bd7tQnesw4yW+klqqQBM vd1c2lP+A5cyk2bfUoO09oPo49SnGzlXf95FrxuxRlA -> ssh-rsa MuWD+w moxeHv57SfIBrPVMvLiWZhh1qJHIii5maadnQZl8JUqjSDFpnPX4hXNIvwrqBau7 Xn2X3tncgQ2Vp33757YembRDSOU7X06QASaRitxFrbHJu4iRIYwcyWoHbYn6jhPc 9yK39sMNliHgZXDq2c0+DThV/PpvZd8yuVlP2oI5FqjlITjiFnTnJf+3c+uquc6v mxEwWUnrA8dSJD7RzcshW7swHu3FeC+MValEuiIQJaDlMUa211DhTGgtpSebuFrg Nlx+ZqS2k8LO2qAFyCemoMRMwod7VsCqtid6PxdEuwd8O0v7wfVafu0z+LCGMZoy SxKlCaVvDQJSzkAcj7EHvA -> ssh-ed25519 92bXiA bH6FYqVLVNbMBleHCALYbv7nykoIHcvaWlIvQnbyNRg joPDIXaqdMccBWdXvsvV9/ZlOVbE6pmrOFQ+WgUno68 -> ssh-ed25519 Y121Gw kWm5O/sfXSAYRFsFWgKgWR3dUSKo2OFN5I0npz2x+TI wfbOq5meojODlRi3RZ+uFNokSPYLZNndB9nhp31wMTo --- /EhbVaVRVAyPOjTpmhTcRSh3kuyT/KoEkedwitZpTNk T,hv `HAe G_ j ssh-ed25519 s9hT2g RO6Blf+MB32dW1vWtwpsdutfPRDhXp6qMh+9K5mP/yI aojG0tr0pQ172/Sgrcm4ltdGJH5uCdW6hpgvFE/gDFE -> ssh-ed25519 Gr9EaQ ByRH47STTrDIIyt8d/EitsWGW2zHs3XWE44A3AJVZy4 fhT87Y7e7J41Cfrvldh152mVTz9dD4PuaxN3S6OkXfc -> ssh-ed25519 3ENwVg Wk0Tt67znuSj137ODLVZ+jmYD+QZ06pnEia24XJau20 1n5AUDJ7G4BrD4jZ/bFtmehX5wqd5nmaIluzVd+bGeY -> ssh-rsa MuWD+w swfRBQIzsOuJe0NW1fjEPTNbCNdDCj/tvajEZQexxZV2koyXzCZMZu6WkUE7EWIQ 9dg3dN+SgIBDsBCimVwDLdlKCv07Y4EYVJcUKWQyGrCnyKD0fNL+H/b0NFvkln5d xpWShnL/zTEa/Bz/1ftzTcDV4B6g75HyIrfXnc5yNQPsk7w4u+tvUIZFiPsUkwj9 2raYpVSZG07xPxDDujADlNLuVNhTCw2MxN/cUS4u7iN9cMilFwND0clRVjQl4APe Wnzb5iZ73sMi4wg2Qf8+O//zxe9221krnpjhdkyR3k8Oxk4SPACSxuLKKXn5PVcD Gi8C3sxSSTLzpwAqySR94g -> 
ssh-ed25519 92bXiA TXBDrIkPKkagHD7cvWsD0BkE8p0pJYIK5LaCCxDvzF0 gpkhwY7kVYK23ALcahfAucaOP2Tf6UJ9QuFCxbWND3k -> ssh-ed25519 Y121Gw IMc36vETqcH985olPop763Y/SIPl0GdRDecUFlmqU1A pWOPIMjlWkKFMxZAhnBNu5nmTn0YA3/pss3vcr2uEvU --- 0bm0YdyW2rphnkhcSz3jjdUe5eyELylNp4MhcSmAkdU ` NLS^ǩBbܲfEV[oI/JZ_^bYQ5CDўQg~4_aهdկl'$ ================================================ FILE: build/secrets/goofy-hopcroft-queue-runner-token.age ================================================ age-encryption.org/v1 -> ssh-ed25519 cKT5Kw hA/K9EJyGfAbGbokosZGVEJqasHjE2bgr2EpEN4O/iQ 7GaeyhJHezMSytl+75UzkiLvbxMpWSKoYb7aEH/D1qU -> ssh-ed25519 h7xPTg oBM3m/s0x5ue87LfgCOpyTfs0R0N4dmKwa7oW/R+nCQ HTxdFwkGtkCficUjMSe1bE95fv5gwMEvIlaNPb+LJvM -> ssh-ed25519 Gr9EaQ GdbCzg5bOJlVsTebVEE+y6StuiH1kZRG07D/bt1zuww EZqucrVkaX6ZTGJT0aiHmp4o9Z3IUIk82Df1Z2YkU5s -> ssh-ed25519 3ENwVg Ky1YIXGrt+UX5y745wePV1pulUHrr1yXzFRd+MHEITc BmWr551rvrtWl2PxD/+qYodybA0xA6Z/1Noza0te+Vo -> ssh-rsa MuWD+w RjaIoseiPazdSz75+ly66RqY0IhyQPBtltWLgGEYzhTkmzpnQNcUVpwgiPSzbt5X y7o+o+QPaHeds5suS42ZzUPahhLp1v5ehVaMXvsmqxkOZfODLxF3GGoFj4SG/YjJ aDd+bagUql7HX0cZRp51LpnitzOxayd8qeUZg51mqFi8uWV1DBSYrFdcVHBNeGuQ AbdUl9tqFtYilqcBJhCJOsKsiUsrX2bC6ZP8A6Pmt3gl8UR8nJLhD5TwQH6FCxDO iKbY21BwiKH8CJhQTNix6uwmTOwlX9mp8N6UNmqWuXB/3F4NmpyubnUvG9t0QGVl EsS5dlQ04JG/WrWDQpOR/w -> ssh-ed25519 92bXiA 7EaMly7GPo9fPETY606UO9in6bhbkQhgRxsO2u5Bgws IzeyNKnkYt8lwTk1TRxLooJJJmPFxIYZJAoDHm1Oqtg -> ssh-ed25519 Y121Gw 3tlRc4oDBLx1/Dn/KwnyUzg/odwMGLaFDksNB5RTqCk TJhtG/2/0PL7k84hQyAFEvLAFyZYP1W8erUpCANG7Mw --- mKpJ626SlxFTL7kt2BJOna043kiReyoMA8hl604J2hc H&=LG*t2I˜S_X(k(4NYtrJ^K0b&?#՜S=1jɰVQިFxQFHg4os ͇l~tg;!%O ================================================ FILE: build/secrets/grafana-secret-key.age ================================================ age-encryption.org/v1 -> ssh-ed25519 s9hT2g Q71aJ0AH5YJng/IVw8l5lch8zdGP3Z0QJUIQ+DqYF3w KI+qnX5ShsgtdtC78UHGwiKjAgWNwahfSJ/nwblBovk -> ssh-ed25519 Gr9EaQ idUvootpliMS7P2N80vhIirTOz7oJ0o3GscsMu5W4B8 kOiVYBBJhQmtqDBzX1rmGG10tM/oTrwuL0K55VMxh8I 
-> ssh-ed25519 3ENwVg d5iQiKR/D0I83d7UznzTQGNRhviceQNGl9ecQyfGlw8 w4MthT7i0KjUSfV9Jh9LuhzAU+hPtr4UGO32UUn3l8M -> ssh-rsa MuWD+w mbVZ1olug6y9Hlf2k/NTx3DA9VTlMj/Q0jU1YSjHWvSCr2kiaeeLCm2TebKAsop5 CQc7MCTFJKz9bzitnvLGjl40OVrXKoJzvqJPG0AP6hFvsLVfs0zoX3dpHNDkRFsH sHtqi/6DikujtsSLgZNYTnaRfMJHdRIkT1UB13TWqA962593NYK3bvuGHyih12SQ aLxAZ2MzeXflt3V6tYsY66V4RNHCxf8hK2SfZr2sD83JiW3xtRss2UZUyp7geMQY v8sxbBv8ONzp4FPL+w+/3pX4TO6NmO9rk7S0/xsyfIZAI7xkPKhfMcVgT9Qj/7f1 QwzCHIg9Y+Dt1lh3D0TnGA -> ssh-ed25519 92bXiA 4oR9LMqITwM+xuuzobwJji2lP/gLjwRtJHUNEZLSEG4 wUYMpR71mFY7wskPXAk/buUZBhY2IQAVAPL61iM411g -> ssh-ed25519 Y121Gw gbhbUYbMsatS1kaXvl3RkVHB+j+wt/9W+hxK43QiRAs erkaoQzmzKUFZ5avT07KgS+MojylmrxuggwjOJspMy4 --- rFRS/RCB4dRgJfJBWktxivASq9KSonyLE3h/vfp1Zj0 =AC9#_[T+I>NL>*1>0xh{;mמS|"5 ================================================ FILE: build/secrets/hopeful-rivest-queue-runner-token.age ================================================ age-encryption.org/v1 -> ssh-ed25519 cKT5Kw jz7oaOXlftKuXEIeFcFXacn0gcDuQhGkZRLmf0QTPXQ Br67PR4rBrZaKbP/X8X4vFkPq8L5IiNicvfXBvuaVdw -> ssh-ed25519 BaUP3w 8o3MNSWRhtrCgaqdQsBfmmg3LCAD9khNCXNlTAgegzE c137Ep8omrJBRcnqbRMwVB87CyB66u07qj5Xjor8hSY -> ssh-ed25519 Gr9EaQ tEa19teKlX3ZXJBOmBnOLU9GwnkDlfSdUzxaAMsY+3Y gWS3dYhg6psO0WNCD+s0kjqzapOnU4hQgWrcKh0iDbk -> ssh-ed25519 3ENwVg LiSqdv8ukjIjACQwk6203kkNotG+oRgGTkqsITRNjiU jOnUs9E5Tcu9eEnR8WXW277LZ+tRNyqM4b3Hg8EGu/8 -> ssh-rsa MuWD+w enx5oiARoCPhm1D/MIdgIh2kjZFx4rxszCmW0j7RaS0SXDPu79c1QENwgemQdvLY uwX6teB+LkkWdcA6AFqY2FclopBRZq15OQuMoztBjwGPUIlk8H8OHrusViDJuGNm zdWsL4htncmTUWaX31V1ZX/v+KFl2Zp5Mmpn8x4C21wm5d42SOd5VRnw/OlziJGX gUG2DqLpoKzXDG9SAsKfk417Akfb8RtlVza6/tb57hThi9EsORK+BnTsUt6r6H84 NvTuqnOJJFOEWqeRz1UjLij/gI10LQvcxCzhXC/SqkG7FaMXQ92WAZ5hH7AePSEE I/OlAU2wPj+GmPFePPODSA -> ssh-ed25519 92bXiA nYLjnIjeF+TmJbVdCtdqK042xnYDpF4naM1u7up31SI yVhUbve1xiySx+dqRcWdJQOYB2TRGdALa0l4hu1UnbM -> ssh-ed25519 Y121Gw kxYp6X5VV1QRwo1HrTUCbdBHgKMjkI2AUnUnqGe3dCE Rl2LfKLy9BQi47ktXCm+T7G6sbkBsuYaoxt5oTH2uPI --- 
X3Fr2TVxWyEW1hm8h7eKwGJHJg3BjywJddTp5OLolF4 0vOsm̈IK'}"΃S*߲|OE$xWn;3tp%\XG4lBYymǮ > k+ݲRom)` ================================================ FILE: build/secrets/hydra-github-client-secret.age ================================================ age-encryption.org/v1 -> ssh-ed25519 cKT5Kw krCNPgqeLrULZyGtFdc2VwmEVaKC7uaDabi7tv3dHVw OOEZQ4o4xqFs42TEYwNNWkOQbSvVkq8nGA38CIpgx+k -> ssh-ed25519 Gr9EaQ /ciOg7Beq8wMwMlVlj+8qUfFkALaGuz4jV2DtG2HLB8 MU0x/eqLEtUlygWfiBu41bZcPWRWXH40DeLkfTxmgMo -> ssh-ed25519 3ENwVg HxpXlptq9Zp6AIRo0+poqbuFTHPRi/f/VGbL8ZO5fm8 bt6tn4OrjXV+U6eDKuFEU8/dW5MkqOYqVdqkqVfCrG8 -> ssh-rsa MuWD+w qyi9QPAHw/dr845IdEOnyw6yu2M0b7nbX3ZCnClemJlmfFx1077RE0CWNEDR7LDt 0g8241mMIr85MYHDZuVPqH1W7ZTv/DFa39MJBhVCyC0Gl62Gz2ayO9d4flrQsvCv NnaVKJPo0uxuvLTUlcX19WWVrt6v23sDMlChleUFdRJy84lMR8ouhtfZV1ipTqXq 4wZCsXgi1vV0F9oZ37KjV0irGECHNN9ehrrS943357+bJIlZMdVbsYLOXXiI8drr mGzOwUFLvD5VRHTWgEZJz15oeanknTjpxrIt1AAJki+esPsKFRkEJ7eL6epXMclb 5iHW/MpgBXH0j8ARyg6/jw -> ssh-ed25519 92bXiA qLAjwconq/2yxJnG91YE9UvpLe69rniXVAwHQYJS52E X/W4+1RGYG6qCYGPiUl+yUmwwiNwt+zmhYHQ40d6C4k -> ssh-ed25519 Y121Gw J21DUBHP2EpQPpOdUqNZ+deh/3DLjyYgT310v+EZAW8 a8b8zJgf7DUW03hzGeW8dzvRq+Vl2RbmaG17muHoyDA --- hAdUvRfRfdfakQXgM/QMbdpTBj+3vX0d0atqQVS6m4c xG+BKE 5msMD{3,X9-gCksr:en ================================================ FILE: build/secrets/hydra-mirror-aws-credentials.age ================================================ age-encryption.org/v1 -> ssh-ed25519 s9hT2g 3oyWmMcrRcr1Evv9+Srx3z3OyKajSPpJiC3APOYE0RU RCC/gmOyy0JRkWIRhzK37xckWnpQYQ74HVAKsRJdL+Y -> ssh-ed25519 Gr9EaQ SW4eNlIrULIh+T/IywhzHe8A6wCxoHBSrg9LmC2yOWM DbTv2Es+wHfOU6ylHfGi33BnZW9IhtmqawLBax1JPqE -> ssh-ed25519 3ENwVg SKaButhSVmBUl8IA+yJk/z+An+/JV9oUQ/lAGEI/VXQ 6df01m0908K4WtxWoQZTwaETdm0liOz7U+hj4774rBQ -> ssh-rsa MuWD+w Pc51cz+ZOpJ+bakeYitE0Es/gFPjBGMhnACiT7O7shcT7vYSJPNRM8IpTpOxfbf3 HjzPBNjUihVjGshQ1JFaXbwfmnvF0yIImSlJtWDteyGX2x1yzt+/oA3zjj1KDfku qdrhUSRnnobMrSuSaPE4DSnUddXbaMAY/kzzoxzU+nK9FusvJhCgmZ3XYhN+ew79 
aQs+7YXEgTH5J72monWgeYQkj4baTY32xFwqj9qPdx5JjMvtR4cX9xkC7R14EyBd HJeCU87uiR3Ibc27COMso1YSp2u/quc7TKmjOHyYfyi7mYZU/JC2ccDsEr/HCE4m x00f74TPjV2UY/raslCgYQ -> ssh-ed25519 92bXiA 4PM+2XEb8unFUvJXgNqErFmUOToBgF/x5DvCCxWazGM xn8PfNfujIkDXtbaH0RVtyzOCPCbDig8hnUOgqfsNGI -> ssh-ed25519 Y121Gw faO3WbLjVR26NrVIJfGO5eSrT5DI6fdTYyxPWxD+DDI e+WqhJj8EhpXU8nxfB4dDeZZqxvmR/xNfKXj4oT5U7s --- CJHN+xb4JfmgPyfZ5QoCGQTo2m6jqIqF4EW88S55Ymg j]}H܈vix:s{3rC#qeaW\ȘFV0:hs+t$ÈsPr\Ы]6Q2Nka؎M ,xN1/;O`2losѹg&` & ================================================ FILE: build/secrets/hydra-mirror-git-credentials.age ================================================ age-encryption.org/v1 -> ssh-ed25519 s9hT2g To6KM19p0hgH9n8iTV5uO0DU0lK94NWPiDV9UkUwwFc Zc1aT0dmu/6zIYmBgpQjENZpmb5Ob4E8pZRO5zfXSvs -> ssh-ed25519 Gr9EaQ y2ta9yM3VvELEsvJgza8a/czoSb+kW/OX0QnxCr0PCQ TNgRqt/szVwTGF+vtCUYq2O9DhN0IhRFaqWAvuvDBRk -> ssh-ed25519 3ENwVg TtMilL9woCv5knN7L0ruW5KWZb+8M0OE9Q4wBKBwhW8 BUQ5wxtj/GF3WzuP5W5sajrXUnyeenrAJa7uV2usjck -> ssh-rsa MuWD+w o1dNC3qH2lvVqLOoEBgRJKcAqyqBYwvFsRAskmembVl9ho1+pEk+iTKaUYXOdA0f ond7059ehqw7aiJofw0PCtch3IRZnOTMW4MW/aDHrW0iFJKmjsS6ZQ1nrp37awtW Yb5HTjstJnKR01KgeHGaZVpTN2GCpiLWYAWf5Fg2HGmhhR5dxz0xI4TmnW7PtXiD hB0Y2m6TUzcTA/Sx0sdEefyBygsCnFXSf7y2/8L611ImGqW09XKAdYbkdvT95d+y X2fxeiNbJcZxKFH1wlq82WJ03o9UILalZrECYewIUzFqZ55DAjYgJ9F6bPpHeM51 Fa2JZHeeQY7RJ5MghTfQkg -> ssh-ed25519 92bXiA JRqguU0+6uD8V3LsQ8DzcTJPjlA2mJv5afERNX9delc 8iVz80N/aWNpAhfXvM5UTqqVuPsp00Tai/+Vr9Pyx80 -> ssh-ed25519 Y121Gw IBQ8+sLYJDXFkhFTl8XCT97jAKAt0c4urBWw4z52emg gT3Ur4zB7J0NJKHpJg5ws3WmCJbfnIrgEd2X4aldUSo --- NoDwDLL8cK2qb+gi5warllNIzCIu2Linyd+WEMoSx+4 %ezoh[O(8  /[ݑQxX.w]TO9j]eS,-xԭ`="|Kɰw `2CKA5S ================================================ FILE: build/secrets/kind-lumiere-queue-runner-token.age ================================================ age-encryption.org/v1 -> ssh-ed25519 cKT5Kw 8g2rqFnJ23pFpD4PniCDMPiueSroGH2yShkpHtPvZDc ZyYcqRHGP4H4ElRs3rNAOzJ7In3MnVT8/2NcLHga8Ho -> ssh-ed25519 jPdm4A 
k+8PUnPBFILqbb0Ikf2DMJEYVsLPwDtjYgQ6dVyNenc e1mhAEQhzVsnznBJRsMEp3gYOO00Gmf4BCvHsXpFELU -> ssh-ed25519 Gr9EaQ P0yT0M8e8ihKqossmqnIJc6074NXZ8KJmVL03BN7eV0 GHWdPlIDCMFf7Pca4GXfRnhZ2NJAmM0doPsMThY+iVQ -> ssh-ed25519 3ENwVg UzvZZ0rFG3KaPQ6G6Oq4U/EQ3RRmPxyo6xF0tgadDDs vPUm8mpqVeiBGpxGUTnYACn7tOQDcuFP3E2gWLToyXY -> ssh-rsa MuWD+w qSOhRpEjjuMyt+nRRC8Yd1fInXTReZqLCp6GZoRnYbO69a1AIQwU1HU5CtAHbVFe 8dIerlh4deN/T6wW3EvxM5hAA5co7kV68t3fgHGyQBdVGJvPuQRWaduSv21O/wbv epmGODM9YwFfnPMDHXqTzt+NYEJIJoUVpH1YTTfeZDyoRza2gJ5hoSPFXtomVHL4 lO1+wcldYuELgY8bCeZpFP0kPmK7STYTa7LZxEF/yjqM2ZXhS6qOTV2+yRZhSKEy RizOnW0ePWrCSIVvxIr4+sGlKW5cwAqeatxiPZz7/3RFSxHBG9RC/ZZEmaZUF9Er cjILgCnk3lZJDnmpU6/+JA -> ssh-ed25519 92bXiA 4jz8lFxCSjJBJKWZTtxYruYiuQuJytQ8utDYZccQwFY zdLlneAU2P7zjDCC6tWVjySgJctB4Y5VXwEkvzqjhoU -> ssh-ed25519 Y121Gw Bhy7yX2r7RWBeS/K0bMVwXbvzYVAW88pzOHVtTKKIVQ Q9wuHdoI4SRXmjSA7iUUljjcO6dzPublR79rvPSlTlg --- 2DnKmT2R9XL5DR6z7+amRi5Y/8GphgkifpngTogcU/A ,nݔ"%bKDʃWv6#K4(Jf*|N(:gY}ZuR1.EtPkM ;k詜s滁c~|ȶ ================================================ FILE: build/secrets/norwegian-blue-queue-runner-token.age ================================================ age-encryption.org/v1 -> ssh-ed25519 cKT5Kw aMrFTLVt8LAofBa0xq3o4EjsxQjRAPtHm13zmSM+6VA atGjWVSAl8O9I44eY3BO+QeQ6EDuAEsEBto5matic8s -> ssh-ed25519 SZ+mDA VmAYOI/l96zfrGL7UwFB1qVJGTGVGjqmjP4z2+0rIjI RKvi/BBAgHkq9Xvqr/sjCBaTFUg4nOTLpQOGejO2ZAU -> ssh-ed25519 Gr9EaQ +zszHiPND5T8ORnDZ/tLsOH5F/dtf5/sFMxi/fB4xj4 kaiFkF95SpTTR8eIpuxnktNMBrIokcExYn4Um7AtG9s -> ssh-ed25519 3ENwVg 9CMlmCc3jammJrza2M22LNzzeASMk+nqH9muX9xkMQc 0J5BDTOKo3HRWNdhVQdv2gzZNrPoqm4bX3zEm05Cwkc -> ssh-rsa MuWD+w bhIUyi/2y8zeWwYKJsBwqsG5JnPZ12aY9IuLkflKSLpJchAChTujKELFiCuzlGN4 fvlbqa7mXadzs3pkjnYSz9MjGg/DyFjRsKXfc+jRD+QztNfodFQwJaKn8+9wG0v1 +TmoQ0K5ecSkmzPvS/Ze3itLG2QfZQEIutND7I461ZJK24f4ORt3tANA4F0+INx9 tVnBMimjp3fb7TI6i7cvUmOytNaoOiipnd0j4caPPkqa9fJ3m9aeeZ58uSkmzo7i XejZWHsE+LACMLk/hXS/h7JZQzPQGGqviATOp6a9s59Oq6eqT8V2CgjEwHIAITVp vWpuvsxCsxJQkZg4PjLJvA -> ssh-ed25519 92bXiA 
XKApXxi8qr82rvTIPYPbZ/ZFj3sadY7eAbN0DKxvLhM Sw8RRumPRL3AaNcTAd7qJnDqxea9h7wMOEubpfU1wx4 -> ssh-ed25519 Y121Gw bbz5648ZBs2l9WmnP6spocyLNGLx7EvRizuLCH7P4RU U0/KXGwVE7aUHeWcE+OANVTTfvQ8jVRqfKOzWCww5m0 --- Cd10Opop86bxKKJPSCO9yYSY6oAghX0dllm+efexPCA r)P-i d|wMRs"GXJ=VV9;uQmQMeyTLJ`5&jhWxgXw(F  -;&j¬8=B ================================================ FILE: build/secrets/owncast-admin-password.age ================================================ age-encryption.org/v1 -> ssh-ed25519 s9hT2g M/D2oe8ocLzBBe0VTEO6UZ0gZb+dL13/rfZ38N1KH1I 1KmR71+57D0aBRlU7ZvPz6Prg3mNrYc7myq7JRdQQH8 -> ssh-ed25519 Gr9EaQ iOVXjyLAa/RSGBefsQismPkx53f9OGU1qMzO2rrqhhQ 8I6aGwAs7AFC/GWW7S+lv7vGyJW8T7Icv1bfHBtNdmE -> ssh-ed25519 3ENwVg 5rP46xlqZkRF7u37BxB5PG5utkRHmfpYFxYiCA++xBY K0/s0hGBIr88ZHocBrHrEuEUEefAnqH4Fe8dMlCcOHM -> ssh-rsa MuWD+w BeO4rjxRzb54rbpEglPIkhluPp2wRBKxL97Ta4utvUnG44IXRnWt6tuj016qVTXZ Z8OzrDVTwusXJZxmOehsgF/rogFAj1Ju+bf9s4fojv1nC8ITnsXLMQjzA0X/VcTA DgVWw8+Elrt7sJGiL3C9ws9ATt/suPSdkL+aNhOvJXRwb9NfQUn+XowvJRg1VnzS AQx9tTyGVB5GcI4LnxHnyqPj+6ZD/F9XqbHijTMrx60GqRlqeEu9JiUa0YtWnBgX FcIrvoRQ6b7G5QDivbqCQ4VuJDrSd7xqKddQVea1KglrQHQdY3KFNUHVlEs1n49z Nia8ty+qWIwAEfwyt6c0Tw -> ssh-ed25519 92bXiA F7v+xOHVTL3wZ5KUHW+nAyrl93/awx5TXv4izicA0BM OD2ivZ1FQ696Wh+odAA4xiJElXEhqsgBok7AJ3ny10Y -> ssh-ed25519 Y121Gw YUG5YErjueT2gqqX1x34b6U35uhbdKZWgcTALMXTRXY 0F9uoegrWXP3lzjRk3eJCtu/OGZO/QqafpVPYitUM2k --- M3nGs3hV2JaDDtPyuNeKpyh/OdpZAk/q39OTk8n9m7g J!{-FF/"TK#ׅGGN|ZU DQ1d1Ԟş ================================================ FILE: build/secrets/pluto-backup-secret.age ================================================ age-encryption.org/v1 -> ssh-ed25519 s9hT2g reYMr+USW2vh77665Ga/KtPbeu5OrdgrKgI4sYo8plo 4eBoVfWTjRe4w6Vdl6OAXKJr7kaSJqVVm9se0rL7IEA -> ssh-ed25519 Gr9EaQ lNX/PDcE3MXI0q/o7tnA9AlloF6uncD51FYTqdZP3j4 otONyo6e5INW12x1Al5WqnTwfihRGL6dxdrH1/HYbe8 -> ssh-ed25519 3ENwVg 2ZHD8vTCA+FPMRO1kSvUo937f9thS8IeTApGltFhjkQ bEN1eLyrqMtY0KuZ3IkRdIJzvX0t4bb73XzlDcuAgII -> ssh-rsa MuWD+w 
FPAZH3iUoF7It9uGw1DHksmbsYZcRqvZqGcjbnJLP/JiHmriUSyELQl7bH4n1+6H GWhqBiqNKPWJoCq0y3vXaCzN9iFXwGCVaAyNZk3+ox/Q0dBietO0ux4MzajAWl8b mr/UR3Mk2ybGkIBIfh1Wko8cdA+tWyCsl0CdSyqI2JY523xf/pOwcE0YLQ2kGhQc ifu+AmIKqXbZiqhS0yj3+BM9rgJ5gVxZMKAp/CjpIBpEu/fmK64mRryAVsL0EEBF O2CwBsqyFyJvcW3yTBdHxfKhorZrMrGO18d7CGFHGswU/AXi/UxyzrkfpjVgFUfm b2qeI10f8PZAibqHYcQJBQ -> ssh-ed25519 92bXiA sXYrwOcZlNpPoGELwRTsjfSNldPr6CVtv9VcYK1flGY aMhNq6L5M70bUFR/o+7M/KcQyv9/BfVkxgzvU/fD5gk -> ssh-ed25519 Y121Gw sGVkfMeghciO9g840KPsVsohEkEgC1Rb8mnQI0QZe2Y uDzza0+uGQRMzTiUkYz9n6Jyt18i7TTHWBrX0p8vHAQ --- rXFfiiTQ+BEa3Hvs0BTWxI+b1wPBwyTgWeq24QeqXVw )caEuDW[c(8-_1nJ{6+KߤmUf5M~CiB2Ys΀hg#z? ================================================ FILE: build/secrets/sleepy-brown-queue-runner-token.age ================================================ age-encryption.org/v1 -> ssh-ed25519 cKT5Kw r8aZ+OCr9AE4h0zattrGpFPwBcnb28/Mj7vNC5EEHDE SaN75cMS6o0bcuIzeKF8siNu0P7rvJN4DLnL0R07t3M -> ssh-ed25519 le38mA 0syXJIHthuMy1Y6LbrfQX1QcADyJMOfmFbwzf3cQlHM X9HHBlfYBG64Awu+TZaA463Om18A7kSu7pMYwIDkehk -> ssh-ed25519 Gr9EaQ Wqex4/CIJTL+sm5GAlb0Du8mIjDz3QmvO7veYAQ+nmo o//67CmR5wPgSzLuF4exx4mW+FstyQunBqeDgs9HUk8 -> ssh-ed25519 3ENwVg 5XF6k6rMk59p53Hw6nSak8iajZ7XzLJ5jOQ7aPwkdng +YUOjq/VopumkLhVshF4GdzkjqO1aNMrfkx3TZaPtaA -> ssh-rsa MuWD+w gsSEjSCIFzKTsOXvJay3Ij9OpefMoAGL7AjXW1mQ4TvCVWO5M7gqYLrlgANKwMGK sm9tpNtncFn7hC7G3YWBOU/InMIQ/qlgL5jhRBhZpou/DKMtDA+IDVZJYvSQMcT1 9467zxSpFtnjrmzW/6cnX3jjLlTRCc4AupoS1pMIeJ2gwZBNiCklS+QGPQTQiG/O oF1nA0h/08pCbrLHIwilhFmekDzg99EesiZ3Hbqc7+kz8kbaIV9iUqFsRvV1Dwzm K6wIQXf5nhcCkt/SAFSS/ZwwHOr19B0OR3t6L4dYMa+bl/LxW0yXYzvMo4rp07Mn oXFd+BuBEwzHI1x8wrTmUQ -> ssh-ed25519 92bXiA +t2D5pUYWeTRPTT7vrNYZirRUWKQO0gw5RB3o+CV0yk b5DsQ3FUMO14U7NB7H4G9ngpw5gfPTrYXIKa7yy5Wq4 -> ssh-ed25519 Y121Gw X0D49VhFJ2kZqJATUmuKhJfQ6TIAZCkWDl2u6dqnQSk O0JtjZWXrS/NY/FXYB14kM3MpuoAaTd2Bf1oWw7REc4 --- a+IPhlc1ru44iR5eHXGVe0X2fqgcSj03Lk1lyB3sZZg *]HHX![(+F;8 iOU&J'67=Ia1S6 .ep!4‚duL*DWG 24h.) 
"2x1d" "2x2d" "2x4d" "2x8d" "2x16d" "2x32d" "2x64d" "2x128d" # At this point we keep ~29 snapshots spanning 384--512 days (depends on moment), # with exponentially increasing spacing (almost). ]; } ]; }; }; in { enable = true; settings = { global = { logging = [ { type = "syslog"; level = "info"; format = "human"; } ]; # https://zrepl.github.io/configuration/monitoring.html monitoring = [ { type = "prometheus"; listen = ":${toString metricsPort}"; } ]; }; jobs = [ # Covers 20240629+ ( defaultBackupJob // { name = "rsyncnet"; connect = { identity_file = config.age.secrets."zrepl-ssh-key".path; type = "ssh+stdinserver"; host = "zh4461b.rsync.net"; user = "root"; port = 22; }; } ) /* rsync.net provides a VM with FreeBSD - almost nothing is preserved on upgrades except this "data1" zpool $ scp ./zrepl.yml root@zh4461b.rsync.net:/usr/local/etc/zrepl/zrepl.yml # pkg install zrepl # service zrepl enable # service zrepl start */ ]; }; }; networking.firewall.extraInputRules = '' ip6 saddr $prometheus_inet6 tcp dport ${toString metricsPort} accept ip saddr $prometheus_inet4 tcp dport ${toString metricsPort} accept ''; } ================================================ FILE: build/titan/zrepl.yml ================================================ # root@zh4461b.rsync.net:/usr/local/etc/zrepl/zrepl.yml # zrepl main configuration file. 
# For documentation, refer to https://zrepl.github.io/
#
global:
  logging:
    - type: "stdout"
      level: "error"
      format: "human"
    - type: "syslog"
      level: "info"
      format: "logfmt"

# mostly from https://blog.lenny.ninja/zrepl-on-rsync-net.html
jobs:
  - name: sink
    type: sink
    serve:
      # Replication arrives over SSH stdin; only the client identity "titan" is
      # accepted.
      # NOTE(review): presumably that identity is bound to titan's key by a
      # forced command in authorized_keys on this host — confirm.
      type: stdinserver
      client_identities: [titan]
    recv:
      placeholder:
        # Applies to placeholder datasets created on this sink.
        # NOTE(review): whether the replicated data itself is encrypted at rest
        # depends on the sending side, which this file does not show — confirm.
        encryption: off
    root_fs: "data1"
================================================
FILE: builders/boot/efi-grub.nix
================================================
{
  boot.loader = {
    # Install GRUB as the removable-media fallback loader instead of writing
    # EFI variables.
    efi.canTouchEfiVariables = false;
    grub = {
      enable = true;
      # Keep at most five generations in the boot menu.
      configurationLimit = 5;
      efiSupport = true;
      efiInstallAsRemovable = true;
      # One copy per ESP; /efi/a and /efi/b are the mountpoints that
      # builders/disk-layouts/efi-zfs-raid0.nix gives the two disks.
      mirroredBoots = [
        {
          devices = [ "nodev" ];
          path = "/efi/a";
        }
        {
          devices = [ "nodev" ];
          path = "/efi/b";
        }
      ];
    };
  };
}
================================================
FILE: builders/common/hardening.nix
================================================
{
  # no privilege escalation through sudo or polkit
  # execWheelOnly: accounts outside the wheel group cannot execute the sudo
  # binary at all, so a bug in sudo itself is out of their reach.
  security.sudo.execWheelOnly = true;
  security.polkit.enable = false;

  # no password authentication
  # Both settings are needed: keyboard-interactive is a separate path that can
  # still prompt for a password when only PasswordAuthentication is off.
  services.openssh.settings = {
    KbdInteractiveAuthentication = false;
    PasswordAuthentication = false;
  };
}
================================================
FILE: builders/common/hydra-queue-builder.nix
================================================
{
  config,
  inputs,
  lib,
  ...
}:
{
  imports = [ inputs.hydra-staging.nixosModules.builder ];

  # `lib.mkIf false`: this whole block is currently switched off; only the
  # import above takes effect.
  config = lib.mkIf false {
    # Per-host token, selected by hostname and readable only by the builder's
    # service user.
    age.secrets."queue-runner-token" = {
      file = ../../build/secrets/${config.networking.hostName}-queue-runner-token.age;
      owner = "hydra-queue-builder";
    };

    services.hydra-queue-builder-dev = {
      enable = true;
      queueRunnerAddr = "https://queue-runner.hydra.nixos.org";
      # The token is passed by file path, not by value.
      authorizationFile = config.age.secrets."queue-runner-token".path;
    };
  };
}
================================================
FILE: builders/common/network.nix
================================================
{
  networking = {
    domain = "builders.nixos.org";
    firewall = {
      # too spammy, rotates dmesg too quickly
      # Trade-off: refused connections leave no trace in the kernel log.
      logRefusedConnections = false;
    };
    # we use networkd instead
    useDHCP = false;
  };
}
================================================
FILE: builders/common/nix.nix
================================================
{
  config,
  lib,
  pkgs,
  ...
}:
{
  nix = {
    package = pkgs.nix;
    # 32 build users more than the configured number of parallel jobs.
    nrBuildUsers = config.nix.settings.max-jobs + 32;

    gc =
      let
        maxFreed = 500; # GB
      in
      {
        automatic = true;
        dates = "hourly";
        # `$((...))` and `$(df ...)` are not Nix interpolation; they are left
        # in the string for the shell that runs the collector. The expression
        # is maxFreed GiB minus the space df reports as available on
        # /nix/store, i.e. how much to free to get back to maxFreed available.
        # NOTE(review): assumes df reports 1 KiB blocks — confirm.
        options = "--max-freed \"$((${toString maxFreed} * 1024**3 - 1024 * $(df --output=avail /nix/store | tail -n 1)))\"";
      };

    settings = {
      # Do not apply settings shipped inside a flake's nixConfig.
      accept-flake-config = false;
      builders-use-substitutes = true;
      extra-experimental-features = [
        "nix-command"
        "no-url-literals"
        "flakes"
      ];
      system-features = [
        "kvm"
        "nixos-test"
        "benchmark" # we may restrict this in the central /etc/nix/machines anyway
      ];
      # Trusted users may override daemon settings and import store paths that
      # are not signed by a trusted key, which is close to root on this
      # machine. "build" is the account the Hydra queue runner connects as
      # (builders/common/users.nix); keep this list minimal.
      trusted-users = [
        "build"
        "root"
      ];
      max-silent-time = 10800; # 3h
    };
  };

  # Hourly cleanup of build directories left behind under /nix/var/nix/builds.
  systemd.services.prune-stale-nix-builds = {
    description = "Prune stale nix build roots";
    startAt = "hourly";
    unitConfig.Documentation = "https://github.com/NixOS/nix/issues/5207";
    serviceConfig = {
      # find /nix/var/nix/builds, direct child directories only, older than
      # the -mtime threshold, removed recursively.
      ExecStart = lib.concatStringsSep " " [
        (lib.getExe pkgs.findutils)
        "/nix/var/nix/builds"
        "-mindepth 1"
        "-maxdepth 1"
        "-type d"
        "-mtime +1" # days
        "-exec rm -rf {} +"
      ];
    };
  };
}
================================================
FILE: builders/common/node-exporter.nix
================================================
{ config, ... }:
{
  # allowedTCPPorts opens the exporter port to every source address.
  # NOTE(review): build/titan/zrepl.nix limits its metrics port to the
  # Prometheus addresses with firewall.extraInputRules; consider the same here
  # — confirm whether an upstream filter already covers it.
  networking.firewall.allowedTCPPorts = [ config.services.prometheus.exporters.node.port ];

  services.prometheus.exporters.node = {
    enable = true;
    enabledCollectors = [ "systemd" ];
  };
}
================================================
FILE: builders/common/ssh.nix
================================================
{ lib, ... }:
{
  services.openssh = {
    enable = true;
    # mkForce replaces the default list: sshd reads keys only from
    # /etc/ssh/authorized_keys.d/<user>, so a key dropped into a home
    # directory is not honoured.
    authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ];
  };
}
================================================
FILE: builders/common/system.nix
================================================
{ pkgs, ... }:
{
  # apply microcode to fix functional and security issues
  hardware.enableRedistributableFirmware = true;
  hardware.cpu.amd.updateMicrocode = pkgs.stdenv.isx86_64;
  hardware.cpu.intel.updateMicrocode = pkgs.stdenv.isx86_64;

  # enable kernel same-page merging for improved vm test performance
  # NOTE(review): page deduplication between workloads is a known timing side
  # channel; confirm that is acceptable for the builds run on these machines.
  hardware.ksm.enable = true;

  # discard blocks weekly
  services.fstrim.enable = true;

  # use memory more efficiently at the cost of some compute
  zramSwap.enable = true;
}
================================================
FILE: builders/common/tools.nix
================================================
{ pkgs, ... }:
{
  # Diagnostic tools installed system-wide on every builder.
  environment.systemPackages = with pkgs; [
    atop
    ethtool
    htop
    lm_sensors
    nix-top
    nvme-cli
    pciutils
    smartmontools
    usbutils
  ];
}
================================================
FILE: builders/common/update.nix
================================================
{
  # Builders rebuild themselves daily from the tip of `main` and may reboot
  # without an operator. No revision is pinned, so whatever lands on that
  # branch is deployed: branch protection and review on the repository are
  # part of these machines' trust boundary.
  system.autoUpgrade = {
    enable = true;
    dates = "daily";
    flake = "git+https://github.com/nixos/infra.git?ref=main";
    allowReboot = true;
  };
}
================================================
FILE: builders/common/users.nix
================================================
{
  config,
  lib,
  pkgs,
  ...
}:
let
  sshKeys = {
    hydra-queue-runner-rhea = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOdxl6gDS7h3oeBBja2RSBxeS51Kp44av8OAJPPJwuU/ hydra-queue-runner@rhea";
  };

  # Wrap a public key in an authorized_keys entry with a forced command: the
  # key can only run `nix-store --serve --write` (with NIX_SSL_CERT_FILE set),
  # whatever command the client asks for.
  # NOTE(review): no further key options are set; adding `restrict` would also
  # disable forwarding and pty allocation for this key — confirm before adding.
  authorizedNixStoreKey =
    key:
    let
      environment = lib.concatStringsSep " " [
        "NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
      ];
    in
    "command=\"${environment} ${config.nix.package}/bin/nix-store --serve --write\" ${key}";
in
{
  users = {
    # Accounts come from this configuration only.
    mutableUsers = false;
    users = {
      # Account the Hydra queue runner connects as; it is also listed in
      # nix.settings.trusted-users (builders/common/nix.nix).
      build = {
        isNormalUser = true;
        uid = 2000;
        openssh.authorizedKeys.keys = [
          (authorizedNixStoreKey sshKeys.hydra-queue-runner-rhea)
        ];
      };
      # Root login keys come from the shared infra-core list.
      root.openssh.authorizedKeys.keys = (import ../../ssh-keys.nix).infra-core;
    };
  };
}
================================================
FILE: builders/disk-layouts/efi-zfs-raid0.nix
================================================
{
  disk1 ? "/dev/nvme0n1",
  disk2 ? "/dev/nvme1n1",
}:
let
  # GPT layout used for both disks: a 512M ESP mounted at /efi/<id>, the rest
  # given to the zroot pool.
  mkDiskLayout = id: {
    type = "gpt";
    partitions = {
      esp = {
        type = "EF00";
        size = "512M";
        content = {
          type = "filesystem";
          format = "vfat";
          mountpoint = "/efi/${id}";
        };
      };
      zdev = {
        size = "100%";
        content = {
          type = "zfs";
          pool = "zroot";
        };
      };
    };
  };
in
{
  disk = {
    a = {
      type = "disk";
      device = disk1;
      content = mkDiskLayout "a";
    };
    b = {
      type = "disk";
      device = disk2;
      content = mkDiskLayout "b";
    };
  };

  zpool.zroot = {
    # Striped pool: no redundancy, losing either disk loses the pool.
    mode = ""; # RAID 0
    options.ashift = "12"; # 4k blocks

    rootFsOptions = {
      acltype = "posixacl";
      atime = "off";
      compression = "on";
      mountpoint = "none";
      xattr = "sa";
    };

    datasets = {
      root = {
        type = "zfs_fs";
        mountpoint = "/";
      };
      # Never mounted; it only reserves space in the pool.
      reserved = {
        type = "zfs_fs";
        options = {
          canmount = "off";
          refreservation = "16G"; # roughly one system closure
        };
      };
    };
  };
}
================================================
FILE: builders/flake-module.nix
================================================
{
  inputs,
  ...
}:
{
  flake.nixosConfigurations =
    let
      # Build one builder system: the shared module set (secrets, disk layout,
      # hardening, network, nix, monitoring, updates, users, ssh) plus the
      # host-specific module passed as `config`.
      mkNixOS =
        system: config:
        inputs.nixpkgs.lib.nixosSystem {
          inherit system;
          specialArgs = {
            inherit inputs;
          };
          modules = [
            inputs.agenix.nixosModules.age
            inputs.disko.nixosModules.disko
            ./common/hardening.nix
            ./common/network.nix
            ./common/nix.nix
            ./common/node-exporter.nix
            ./common/hydra-queue-builder.nix
            ./common/system.nix
            ./common/tools.nix
            ./common/update.nix
            ./common/users.nix
            ./common/ssh.nix
            ../modules/rasdaemon.nix
            config
          ];
        };
    in
    {
      # Epyc 9454P (48C/96T), 256 GB DDR4 RAM, 2x 1.92TB PCIe4 NVME
      elated-minsky = mkNixOS "x86_64-linux" ./instances/elated-minsky.nix;
      sleepy-brown = mkNixOS "x86_64-linux" ./instances/sleepy-brown.nix;

      # Ampere Q80-30 (80C), 256 GB DDR4 RAM, 2x3.84TB PCIe4 NVME
      goofy-hopcroft = mkNixOS "aarch64-linux" ./instances/goofy-hopcroft.nix;

      # Ampere Q80-30 (80C), 128 GB DDR4 RAM, 2x960GB PCIe4 NVME
      hopeful-rivest = mkNixOS "aarch64-linux" ./instances/hopeful-rivest.nix;
    };

  perSystem =
    { pkgs, inputs', ... }:
    {
      # Development shell that provides the agenix CLI.
      devShells.builders = pkgs.mkShell {
        buildInputs = [
          inputs'.agenix.packages.agenix
        ];
      };
    };
}
================================================
FILE: builders/instances/elated-minsky.nix
================================================
{
  imports = [ ../profiles/hetzner-ax101r.nix ];

  # Many small jobs: 48 parallel builds with 2 cores each.
  nix.settings = {
    cores = 2;
    max-jobs = 48;
  };

  networking = {
    hostName = "elated-minsky";
    domain = "builders.nixos.org";
    useDHCP = false;
  };

  # Static addressing; the interface is matched by MAC address, not by name.
  systemd.network = {
    enable = true;
    networks = {
      "30-enp193s0f0np0" = {
        matchConfig = {
          MACAddress = "9c:6b:00:4e:1a:6a";
          Type = "ether";
        };
        linkConfig.RequiredForOnline = true;
        networkConfig.Description = "WAN";
        address = [
          "167.235.95.99/26"
          "2a01:4f8:2220:1b03::1/64"
        ];
        routes = [
          { Gateway = "167.235.95.65"; }
          { Gateway = "fe80::1"; }
        ];
      };
    };
  };

  system.stateVersion = "24.11";
}
================================================
FILE: builders/instances/goofy-hopcroft.nix
================================================
{
  imports = [ ../profiles/hetzner-rx220.nix ];

  nix.settings =
{
    # Many small jobs: 40 parallel builds with 2 cores each.
    cores = 2;
    max-jobs = 40;
  };

  networking = {
    hostName = "goofy-hopcroft";
    domain = "builders.nixos.org";
    useDHCP = false;
  };

  # Static addressing; the interface is matched by MAC address, not by name.
  systemd.network = {
    enable = true;
    networks = {
      "30-enP3p2s0f0" = {
        matchConfig = {
          MACAddress = "74:56:3c:8c:01:a9";
          Type = "ether";
        };
        linkConfig.RequiredForOnline = true;
        networkConfig.Description = "WAN";
        address = [
          "135.181.225.104/26"
          "2a01:4f9:3071:2d8b::1/64"
        ];
        routes = [
          { Gateway = "135.181.225.65"; }
          { Gateway = "fe80::1"; }
        ];
      };
    };
  };

  system.stateVersion = "24.11";
}
================================================
FILE: builders/instances/hopeful-rivest.nix
================================================
{
  imports = [ ../profiles/hetzner-rx170.nix ];

  # Few large jobs: 10 parallel builds with 20 cores each, advertised as
  # "big-parallel".
  nix.settings = {
    cores = 20;
    max-jobs = 10;
    system-features = [ "big-parallel" ];
  };

  networking = {
    hostName = "hopeful-rivest";
    domain = "builders.nixos.org";
    useDHCP = false;
  };

  # Static addressing; the interface is matched by MAC address, not by name.
  systemd.network = {
    enable = true;
    networks = {
      "30-eno1" = {
        matchConfig = {
          MACAddress = "74:56:3c:4e:d9:af";
          Type = "ether";
        };
        linkConfig.RequiredForOnline = true;
        networkConfig.Description = "WAN";
        address = [
          "135.181.230.86/26"
          "2a01:4f9:3080:388f::1/64"
        ];
        routes = [
          { Gateway = "135.181.230.65"; }
          { Gateway = "fe80::1"; }
        ];
      };
    };
  };

  system.stateVersion = "24.11";
}
================================================
FILE: builders/instances/sleepy-brown.nix
================================================
{
  imports = [ ../profiles/hetzner-ax101r.nix ];

  # Few large jobs: 4 parallel builds with 24 cores each, advertised as
  # "big-parallel".
  nix.settings = {
    cores = 24;
    max-jobs = 4;
    system-features = [ "big-parallel" ];
  };

  networking = {
    hostName = "sleepy-brown";
    domain = "builders.nixos.org";
    useDHCP = false;
  };

  # Static addressing; the interface is matched by MAC address, not by name.
  systemd.network = {
    enable = true;
    networks = {
      "30-enp193s0f0np0" = {
        matchConfig = {
          MACAddress = "9c:6b:00:4e:fd:2d";
          Type = "ether";
        };
        linkConfig.RequiredForOnline = true;
        networkConfig.Description = "WAN";
        address = [
          "162.55.130.51/26"
          "2a01:4f8:271:5c14::1/64"
        ];
        routes = [
          { Gateway = "162.55.130.1"; }
          { Gateway = "fe80::1"; }
        ];
      };
    };
  };

  system.stateVersion =
    "24.11";
}
================================================
FILE: builders/network/autoconfig.nix
================================================
{
  networking.useDHCP = false;

  # Fallback network (ordered last by its "99-" prefix): DHCP and IPv6 router
  # advertisements on Ethernet links matching the Kind pattern below.
  # NOTE(review): a machine using this profile takes its addresses and routes
  # from whatever answers on the link — confirm that is only used where the
  # network segment is trusted.
  systemd.network = {
    enable = true;
    networks = {
      "99-autoconfig" = {
        matchConfig = {
          Kind = "!*";
          Type = "ether";
        };
        networkConfig = {
          DHCP = "yes";
          IPv6AcceptRA = true;
        };
      };
    };
  };
}
================================================
FILE: builders/profiles/hetzner-ax101r.nix
================================================
{ config, lib, ... }:
{
  imports = [ ../boot/efi-grub.nix ];

  disko.devices = import ../disk-layouts/efi-zfs-raid0.nix { };

  boot.supportedFilesystems.zfs = true;
  # NOTE(review): the same hostId is set in all three hetzner-* profiles;
  # confirm that sharing it between machines is intended.
  networking.hostId = "91312b0a";

  # Builds run on a tmpfs. mode=0700 keeps the directory private to its owner;
  # nosuid and nodev stop set-uid binaries and device nodes created there from
  # taking effect.
  fileSystems."/nix/var/nix/builds" = {
    device = "none";
    fsType = "tmpfs";
    options = [
      "huge=within_size"
      "mode=0700"
      "nosuid"
      "nodev"
    ]
    # 128G tmpfs, 128G RAM (+zram swap) for standard builders
    # 160GB tmpfs, 96 GB RAM (+zram swap) for big-parallel builders
    ++ (
      if lib.elem "big-parallel" config.nix.settings.system-features then
        [ "size=160G" ]
      else
        [ "size=128G" ]
    );
  };

  boot.initrd.availableKernelModules = [
    "nvme"
    "usbhid"
  ];
}
================================================
FILE: builders/profiles/hetzner-rx170.nix
================================================
{
  imports = [ ../boot/efi-grub.nix ];

  disko.devices = import ../disk-layouts/efi-zfs-raid0.nix { };

  boot.supportedFilesystems.zfs = true;
  # NOTE(review): same hostId as the other hetzner-* profiles — confirm intended.
  networking.hostId = "91312b0a";

  boot.initrd.availableKernelModules = [
    "nvme"
    "usbhid"
  ];
}
================================================
FILE: builders/profiles/hetzner-rx220.nix
================================================
{
  imports = [ ../boot/efi-grub.nix ];

  disko.devices = import ../disk-layouts/efi-zfs-raid0.nix { };

  boot.supportedFilesystems.zfs = true;
  # NOTE(review): same hostId as the other hetzner-* profiles — confirm intended.
  networking.hostId = "91312b0a";

  boot.initrd.availableKernelModules = [
    "nvme"
    "usbhid"
  ];
}
================================================
FILE: channels.nix
================================================
rec {
  channels =
{ # "Channel name" = { # # This should be the <job> part of # # https://hydra.nixos.org/job/<job>/latest-finished # job = "project/jobset/jobname"; # # # When adding a new version, determine if it needs to be tagged as a # # variant -- for example: # # nixos-xx.xx => primary # # nixos-xx.xx-small => small # # nixos-xx.xx-darwin => darwin # # nixos-xx.xx-aarch64 => aarch64 # variant = "primary"; # # # Channel Status: # # '*-unstable' channels are always "rolling" # # Otherwise a release generally progresses through the following phases: # # # # - Directly after branch off => "beta" # # - Once the channel is released => "stable" # # - Once the next channel is released => "deprecated" # # - N months after the next channel is released => "unmaintained" # # (check the release notes for when this should happen) # status = "beta"; # }; "nixos-unstable" = { job = "nixos/unstable/tested"; variant = "primary"; status = "rolling"; }; "nixos-unstable-small" = { job = "nixos/unstable-small/tested"; variant = "small"; status = "rolling"; }; "nixpkgs-unstable" = { job = "nixpkgs/unstable/unstable"; status = "rolling"; }; "nixos-25.11" = { job = "nixos/release-25.11/tested"; variant = "primary"; status = "stable"; }; "nixos-25.11-small" = { job = "nixos/release-25.11-small/tested"; variant = "small"; status = "stable"; }; "nixpkgs-25.11-darwin" = { job = "nixpkgs/nixpkgs-25.11-darwin/darwin-tested"; variant = "darwin"; status = "stable"; }; "nixos-25.05" = { job = "nixos/release-25.05/tested"; variant = "primary"; status = "unmaintained"; }; "nixos-25.05-small" = { job = "nixos/release-25.05-small/tested"; variant = "small"; status = "unmaintained"; }; "nixpkgs-25.05-darwin" = { job = "nixpkgs/nixpkgs-25.05-darwin/darwin-tested"; variant = "darwin"; status = "unmaintained"; }; }; channels-with-urls = builtins.mapAttrs (_name: about: about.job) channels; } ================================================ FILE: checks/flake-module.nix ================================================ { ... 
}: { perSystem = { self', lib, ... }: { checks = let # TODO: our CI doesn't have a enough space for these just now #nixosMachines = lib.mapAttrs' ( # name: config: lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel #) ((lib.filterAttrs (_: config: config.pkgs.system == system)) self.nixosConfigurations); nixosMachines = { }; packages = lib.mapAttrs' (n: lib.nameValuePair "package-${n}") self'.packages; devShells = lib.mapAttrs' (n: lib.nameValuePair "devShell-${n}") self'.devShells; in nixosMachines // packages // devShells; }; } ================================================ FILE: dns/.envrc ================================================ # shellcheck shell=bash use flake .#dnscontrol ================================================ FILE: dns/creds.json ================================================ { "gandi": { "TYPE": "GANDI_V5", "token": "$GANDI_TOKEN" } } ================================================ FILE: dns/dnsconfig.js ================================================ DEFAULTS( DefaultTTL("1h"), NAMESERVER_TTL("24h") ); var REG_NONE = NewRegistrar("none"); var DSP_GANDI = NewDnsProvider("gandi"); require("nixcon.org.js"); require("nix.dev.js"); require("nixos.org.js"); require("ofborg.org.js"); ================================================ FILE: dns/flake-module.nix ================================================ { perSystem = { pkgs, ... 
}: { devShells.dnscontrol = pkgs.mkShellNoCC { packages = [ pkgs.dnscontrol ]; }; checks.dnscontrol = pkgs.runCommand "dnscontrol" { } '' cd ${./.} ${pkgs.dnscontrol}/bin/dnscontrol check touch $out ''; }; } ================================================ FILE: dns/nix.dev.js ================================================ D("nix.dev", REG_NONE, DnsProvider(DSP_GANDI), CAA_BUILDER({ label: "@", iodef: "mailto:infra+caa@nixos.org", iodef_critical: true, issue: ["letsencrypt.org"], issue_critical: true, issuewild: "none", issuewild_critical: true, }), // Domain is not used for mail SPF_BUILDER({ label: "@", parts: [ "v=spf1", "-all" ] }), TXT("*._domainkey", "v=DKIM1; p="), DMARC_BUILDER({ policy: "reject", subdomainPolicy: "reject", alignmentDKIM: "strict", alignmentSPF: "strict" }), TXT("@", "google-site-verification=J55RGHyOPKpHAyIHVfBy1RdY_LuVIvLyuyR8deO62YE"), ALIAS("@", "nix-dev.netlify.app."), CNAME("www", "nix-dev.netlify.app.") ); ================================================ FILE: dns/nixcon.org.js ================================================ D("nixcon.org", REG_NONE, DnsProvider(DSP_GANDI), CAA_BUILDER({ label: "@", iodef: "mailto:infra+caa@nixos.org", iodef_critical: true, issue: ["letsencrypt.org"], issue_critical: true, issuewild: "none", issuewild_critical: true, }), MX("@", 10, "umbriel.nixos.org."), SPF_BUILDER({ label: "@", parts: [ "v=spf1", "a:umbriel.nixos.org", "-all" ] }), // Matching private key in `non-critical-infra/secrets/nixcon.org.mail.key.umbriel` TXT("mail._domainkey", "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1wQ2uPZfdlGmjDDxeNVet7IEFxS55TpWuqQWNKmd4fX8HcKKw7kVHXU5+gjT37wMUI27ZZnIobYhumnl+BLiXZqbuzAt7s3dbJU2de2ZWxOqcDRbK6m2A3AwIAiMzzRUjx14EWgnw55KRi2enpLyS0pKGdvSquHnxaySkAF8YIwIDAQAB"), DMARC_BUILDER({ policy: "none", }), // Websites TXT("_github-pages-challenge-nixcon", "6608e513e09036ab8cadb7ca4eb71b"), // 
https://docs.github.com/en/pages/configuring-a-custom-domain-for-your-github-pages-site/managing-a-custom-domain-for-your-github-pages-site#configuring-an-apex-domain A("@", "185.199.109.153"), A("@", "185.199.111.153"), AAAA("@", "2606:50c0:8001::153"), AAAA("@", "2606:50c0:8003::153"), CNAME("www", "nixcon.github.io."), CNAME("2015", "nixcon.github.io."), CNAME("2016", "nixcon.github.io."), CNAME("2017", "nixcon.github.io."), CNAME("2018", "nixcon.github.io."), CNAME("2019", "nixcon.github.io."), CNAME("2020", "nixcon.github.io."), CNAME("2022", "nixcon.github.io."), CNAME("2023", "nixcon.github.io."), CNAME("2024-na", "nixcon.github.io."), CNAME("2024", "nixcon.github.io."), CNAME("2025", "nixcon.github.io."), CNAME("2026", "nixcon.github.io."), // Scheduling CNAME("cfp", "pretalx.com."), CNAME("talks", "pretalx.com."), // Ticketing CNAME("tickets", "nixcon.cname.pretix.eu."), // 2025 ticket voucher eligibility check CNAME("vouchers", "cache.ners.ch."), // 2025 bee game CNAME("bee", "cache.ners.ch.") ); ================================================ FILE: dns/nixos.org.js ================================================ D("nixos.org", REG_NONE, DnsProvider(DSP_GANDI), TXT("@", "apple-domain-verification=OvacO4lGB9A6dBFg"), TXT("@", "brevo-code:f580a125e215ecb440363a15cdf47a17"), TXT("@", "google-site-verification=Pm5opvmNjJOwdb7JnuVJ_eFBPaZYWNcAavY-08AJoGc"), // bluesky account/domain binding TXT("_atproto", "did=did:plc:bf43o4nxudgubwt4iljpayb7"), CAA_BUILDER({ label: "@", iodef: "mailto:infra+caa@nixos.org", iodef_critical: true, issue: ["letsencrypt.org"], issue_critical: true, issuewild: "none", issuewild_critical: true, }), // nixos.org mailing MX("@", 10, "umbriel"), SPF_BUILDER({ label: "@", parts: [ "v=spf1", "a:umbriel.nixos.org", "-all" ] }), DMARC_BUILDER({ policy: "none", }), // discourse A("discourse", "195.62.126.31"), AAAA("discourse", "2a02:248:101:62::146f"), MX("discourse", 10, "mail.nixosdiscourse.fcio.net."), DMARC_BUILDER({ label: 
"discourse", policy: "none", }), SPF_BUILDER({ label: "discourse", parts: [ "v=spf1", "ip4:185.105.252.151", "ip6:2a02:248:101:62::1479", "-all" ] }), TXT("mail._domainkey.discourse", "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDmxDhMfDl6lnueSRCjYiWIDeTAJXR9Yw0PfpBfG7GPUIkMyqy9jVGpb4ECVTt9S1zfpr4dbtCgir781oVwZiwGIWzC8y8XsD37wernQIPN4Yubnrnpw+6lill4uA/AuyU/ghbeZ5lW03pHD//2EW4YEu+Jw4aS4rF0Wtk+BlJRCwIDAQAB"), // fastly CNAME("_acme-challenge.cache", "k2hql6g4rigivyu6nn.fastly-validations.com."), CNAME("_acme-challenge.cache-staging", "kqwx9cvuf7lvjo8u9b.fastly-validations.com."), CNAME("_acme-challenge.channels", "9u55qij5w2odiwqxfi.fastly-validations.com."), CNAME("_acme-challenge.artifacts", "bsk6mjvi6b1r6wekb0.fastly-validations.com."), CNAME("_acme-challenge.releases", "s731ezp9ameh5f349b.fastly-validations.com."), CNAME("_acme-challenge.tarballs", "vnqm62k5sjx9jogeqg.fastly-validations.com."), CNAME("cache", "dualstack.n.sni.global.fastly.net."), CNAME("cache-staging", "dualstack.n.sni.global.fastly.net."), CNAME("channels", "dualstack.n.sni.global.fastly.net."), CNAME("artifacts", "dualstack.n.sni.global.fastly.net."), CNAME("releases", "dualstack.n.sni.global.fastly.net."), CNAME("tarballs", "dualstack.n.sni.global.fastly.net."), // hydra.nixos.org A("haumea", "46.4.89.205"), AAAA("haumea", "2a01:4f8:212:41c9::1"), A("mimas", "157.90.104.34"), AAAA("mimas", "2a01:4f8:2220:11c8::1"), CNAME("hydra", "mimas"), CNAME("queue-runner.hydra", "mimas"), A("pluto", "37.27.99.100"), AAAA("pluto", "2a01:4f9:3070:15e0::1"), CNAME("alerts", "pluto"), CNAME("grafana", "pluto"), CNAME("monitoring", "pluto"), CNAME("prometheus", "pluto"), A("titan", "159.69.62.224"), AAAA("titan", "2a01:4f8:231:e53::1"), // hydra builfarm AAAA("eager-heisenberg.mac", "2a01:4f8:d1:a027::2"), A("elated-minsky.builder", "167.235.95.99"), AAAA("elated-minsky.builder", "2a01:4f8:2220:1b03::1"), A("enormous-catfish.mac", "142.132.140.199"), A("goofy-hopcroft.builder", "135.181.225.104"), 
AAAA("goofy-hopcroft.builder", "2a01:4f9:3071:2d8b::1"), A("growing-jennet.mac", "23.88.76.75"), A("hopeful-rivest.builder", "135.181.230.86"), AAAA("hopeful-rivest.builder", "2a01:4f9:3080:388f::1"), A("intense-heron.mac", "23.88.75.215"), AAAA("kind-lumiere.mac", "2a09:9340:808:60a::1"), A("maximum-snail.mac", "23.88.76.161"), A("sleepy-brown.builder", "162.55.130.51"), AAAA("sleepy-brown.builder", "2a01:4f8:271:5c14::1"), A("sweeping-filly.mac", "142.132.141.35"), AAAA("norwegian-blue.mac", "2a06:3a80:0:41:423:898a:1e16:3cf7"), // hydra staging area A("staging-hydra", "130.236.254.207"), AAAA("staging-hydra", "2001:6b0:17:f0a0::cf"), CNAME("queue-runner.staging-hydra", "staging-hydra"), // services infra A("caliban", "65.109.26.213"), AAAA("caliban", "2a01:4f9:5a:186c::2"), CNAME("chat", "caliban"), CNAME("live", "caliban"), CNAME("matrix", "caliban"), CNAME("nixpkgs-swh", "caliban"), CNAME("survey", "caliban"), CNAME("vault", "caliban"), DMARC_BUILDER({ label: "caliban", policy: "none" }), SPF_BUILDER({ label: "caliban", parts: [ "v=spf1", "ip4:65.109.26.213", "ip6:2a01:4f9:5a:186c::2", "-all" ] }), TXT("mail._domainkey.caliban", "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDCLtvNH4Ly+9COXf7InptMvoA7I5O347D7+j+saECt7RRe8yNz4TmhJTyJik+bg7e3+l7EJM0vE6k7xtpGBXACY6CCmg/8EgUi6YnDd126ttJHWpoqO96w4SWX93G+ZnoSC8O5rTPqdaTTkntYDTrw5u5n+7RA8GarZadgmaEzwIDAQAB"), A("umbriel", "37.27.20.162"), AAAA("umbriel", "2a01:4f9:c011:8fb5::1"), // See `nixos.org.mail.key` in `non-critical-infra/modules/mailserver/default.nix`. 
TXT("mail._domainkey", "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcgNq4+Y23GxN8Mdza437tL5DuJJZU1y6VzTCwSi6cBNLyBDci2cmqXx/gm1sA3yv7+h+8/OyJpEgcbCIW/Ygs1XLuECqvXVX8MU6Djn4KY+d2sU1tlUdqvNM86puoneQtjEv9rDsjf3HGqaeOcjetFnQW7H+qcNcaEShxyKztzQIDAQAB"), CNAME("freescout", "umbriel.nixos.org."), // ngi A("makemake.ngi", "116.202.113.248"), AAAA("makemake.ngi", "2a01:4f8:231:4187::"), CNAME("buildbot.ngi", "makemake.ngi.nixos.org."), CNAME("cryptpad.ngi", "makemake.ngi.nixos.org."), CNAME("cryptpad-sandbox.ngi", "makemake.ngi.nixos.org."), CNAME("summer", "makemake.ngi.nixos.org."), A("tracker-staging.security", "188.245.41.195"), AAAA("tracker-staging.security", "2a01:4f8:1c1b:b87b::1"), A("tracker.security", "91.99.31.214"), AAAA("tracker.security", "2a01:4f8:1c1b:6921::1"), // wiki A("wiki", "65.21.240.250"), AAAA("wiki", "2a01:4f9:c012:8178::"), // Direct access to wiki server in Helsinki (for deployments) A("he1.wiki", "65.21.240.250"), AAAA("he1.wiki", "2a01:4f9:c012:8178::"), DMARC_BUILDER({ label: "wiki", policy: "none" }), SPF_BUILDER({ label: "wiki", parts: [ "v=spf1", "ip4:65.21.240.250", "ip6:2a01:4f9:c012:8178::", "-all" ] }), TXT("mail._domainkey.wiki", "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDa+KjIljYr3q5MWWK7sEYzjR8OcA32zBh9BCPo6/HlY1q2ODTYsmE/FDZWpYMzM5z+ddnuGYdXia322XnZaNpZNoq1TbGYuQ5DsgAEK09CGoLuzONg3PSXTrkG7E2Sd6wstwHGJ5FHxSLKtNoWkknt9F5XAFZgXapO0w54p+BWvwIDAQAB"), // test.wiki subdomain with Fastly CNAME("test.wiki", "dualstack.n.sni.global.fastly.net."), CNAME("_acme-challenge.test.wiki", "zsz0meyel8hxoy9dtb.fastly-validations.com."), // github org/domain binding TXT("_github-challenge-nixos", "9e10a04a4b"), // github pages CNAME("mobile", "nixos.github.io."), CNAME("ngi", "ngi-nix.github.io."), CNAME("reproducible", "nixos.github.io."), TXT("_github-pages-challenge-ngi-nix.ngi", "4e8bffbb7ced2aec7be1f8cf3561d6"), TXT("_github-pages-challenge-nixos", "f3a423ba6916e972cfb1e74f82f601"), // netlify pages A("@", 
"75.2.60.5"), A("@", "99.83.231.61"), CNAME("brand", "nixos-brand.netlify.app."), CNAME("common-styles", "nixos-common-styles.netlify.app."), CNAME("planet", "nixos-planet.netlify.app."), CNAME("search", "nixos-search.netlify.app."), CNAME("status", "nixos-status.netlify.app."), CNAME("weekly", "nixos-weekly.netlify.com."), CNAME("www", "nixos-homepage.netlify.app."), ); ================================================ FILE: dns/ofborg.org.js ================================================ D("ofborg.org", REG_NONE, DnsProvider(DSP_GANDI), CAA_BUILDER({ label: "@", iodef: "mailto:infra+caa@nixos.org", iodef_critical: true, issue: ["letsencrypt.org"], issue_critical: true, issuewild: "none", issuewild_critical: true, }), // Domain is not used for mail SPF_BUILDER({ label: "@", parts: [ "v=spf1", "-all" ] }), TXT("*._domainkey", "v=DKIM1; p="), DMARC_BUILDER({ policy: "reject", subdomainPolicy: "reject", alignmentDKIM: "strict", alignmentSPF: "strict" }), A("core", "136.144.57.217"), AAAA("core", "2604:1380:45f1:400::3"), CNAME("events", "core"), CNAME("monitoring", "core"), CNAME("webhook", "core"), A("core01", "138.199.148.47"), AAAA("core01", "2a01:4f8:c012:cda4::1"), CNAME("gh-webhook", "core01"), CNAME("logs", "core01"), CNAME("messages", "core01"), A("build01", "185.119.168.10"), A("build02", "185.119.168.11"), A("build03", "185.119.168.12"), A("build04", "185.119.168.13"), A("build05", "142.132.171.106"), AAAA("build05", "2a01:4f8:1c1b:6d41::"), A("eval01", "95.217.15.9"), AAAA("eval01", "2a01:4f9:c012:cf00::1"), A("eval02", "95.216.209.162"), AAAA("eval02", "2a01:4f9:c012:17c6::1"), A("eval03", "37.27.189.4"), AAAA("eval03", "2a01:4f9:c012:e37b::1"), A("eval04", "95.217.18.12"), AAAA("eval04", "2a01:4f9:c012:273b::"), // nixos-foundation-macstadium-44911305 A("mac01", "208.83.1.173"), // nixos-foundation-macstadium-44911362 A("mac02", "208.83.1.175"), // nixos-foundation-macstadium-44911507 A("mac03", "208.83.1.186"), // nixos-foundation-macstadium-44911207 
A("mac04", "208.83.1.145"), // nixos-foundation-macstadium-44911104 A("mac05", "208.83.1.181"), ); ================================================ FILE: docs/inventory.md ================================================ # NixOS project resource inventory This is the current list of hardware and services that everyone has access to. # Accounts ## GitHub owner: @edolstra @domenkozar @garbas @grahamc @rbvermaa ## Domains - owner: @edolstra - nixos.org - https://www.uniteddomains.com/ ## DNS owner: Foundation Managed by Netlify. ## AWS account - owner: Infor - alias: lb-nixos - access: @rbvermaa and @edolstra ## Packet.net - owner: @grahamc ## Hetzner Cloud - owner: Graham - (for ofborg) ## IRC logging bot - owner: @samueldr - url: https://logs.nix.samueldr.com/nixos/ - nick: {\`-\`} - config: https://gitlab.com/samueldr.nix/overlays/irclogger ## nix.ci owner: @grahamc ofborg instance and logs hosted on Packet. ## arch64 community builder - owner: @grahamc - access: community members that have asked access to it - host: Packet lots of cores to build for the aarch64 platform ## survey.nixos.org owner: @davidak ## nixcon2017.org owner: Christine? ## nixcon2018.org owner: @zimbatm ## NixOS Wiki access: see https://wiki.nixos.org/wiki/Official_NixOS_Wiki:About ## Twitter accounts **nixpkg** owner: Graham **nixos_org** owner: Rob Vermaas **nixcon2017** owner: Christine? **nixcon2018** owner: zimbatm ## IRC Group registration on FreeNode. Eelco and Graham can get OP on all channels about NixOS. The group owns: #nix #nix-* #nixos-* `#nix` is invite only and is empty, it only redirects to `#nixos` **List of common channels:** `**#nixos-dev**` `#` **nixos**`` - 1 niksnut +AFRefiorstv [modified ? 
ago] - 17:30 2 goodwill +o [modified 3y 36w 6d ago] - - 17:30 3 kmicu +o [modified 2y 32w 5d ago] long time member - left 4 months ago - 17:30 4 gchristensen +o [modified 1y 37w 1d ago] `**#nixos-borg**` `**#nixos-aarch64**` `**#nix-darwin**` `#nixos-chat` `**#nix-core**` `**#nixos-security**` `**#nixos-bots**` `**#nixos-docs**` `**#nixos-wiki**` `**#nixos-on-your-router**` ## cachix.org owner: Domen # Hardware ## On Packet.net owner: Graham 2 builders: aarch64 packet type 2 : for hydra 1 aarch64 for ofborg _and_ community use ## Hetzner: owner: Eelco and Rob, owned by the NixOS Foundation “chef”: runs hydra.nixos.org, postgresql database, queue runner, hydra provisioner. binary cache signing keys. monitoring: **DataDog, accessible by Eelco (and Rob?) (Amine?) on the Infor account** ## Mac Minis at Hetzner Cloud - owner: the NixOS Foundation - access: Cole-h & Hexa - role: build machines Current machine names: - intense-heron.mac.nixos.org - sweeping-filly.mac.nixos.org - maximum-snail.mac.nixos.org - growing-jennet.mac.nixos.org - enormous-catfish.mac.nixos.org ## Mac Minis at Graham's house - owner: the NixOS Foundation - access: Cole-h - role: build machines - arm64: - cosmic-stud - tight-bug - quality-ram - becoming-hyena There are also x86_64 mac minis, but they are offline because they produce too much heat. ## Mac Stadium - owner: MacStadium and rented to daniel peebles or the foundation? - role: build machines Eelco had a root password ## hydra-provisioner ? ## nixos-org owner: LogicBlox EC2 instance deployed from Eelco’s laptop runs the website runs the channel mirror script, systemd services with timers, updates /releases buckets and the nixpkgs-channels repository (repo: nixos-channel-scripts) The tarball mirror script is running from that machine. ================================================ FILE: docs/meeting-notes/2024-01-11.md ================================================ # 2024-01-11 First meeting of the (revamped) infra team. 
Participants: delroth, hexa, raitobezarius, vcunat, zimbatm ## [zimbatm] Presentation - At NixCon, we added new people to the team, but we were not able to give space to those new people, with this in mind, I would like to dedicate one hour per week or two weeks where I can unblock the infrastructure matters. - I don’t know what people are interested in, I believe this is a volunteer ecosystem and you should work on what you would like to work on. - We have big challenges in front of us, e.g. the cache situation, with a new team, maybe we can tackle those bigger challenges. ## Round of intros Skipped in these edited notes. ## [raito] Recommending hexa for infra-core - Consensus: yes please. - [zimbatm] Done. - delroth/vcunat to assist with onboarding, provision access, etc. ## [delroth] Matrix Homeserver situation - EMS is dropping legacy plans after 2024-01-17 - https://github.com/NixOS/infra/issues/325 - We are getting dropped. - We need to react but Graham, owner of the EMS account, is not reacting. - The problem is not the cost but access to the account. - delroth/hexa are in favor of self-hosting. - But we need the database dump from EMS. - hexa to prepare the config for this, delroth can act as backup/fallback. - Fallback: we can always pay the $1200 (excl. VAT) for renewing the 1 year plan. ## [hexa] Moving NGI out of nixos-org-configurations - Goals: unblock ngi0 maintainers, less consumption of our review bandwidth. - Should we move them to a new repo? - Either in the nixos GitHub org or the ngi-nix org. - Action item: let's ask them! - https://github.com/NixOS/infra/issues/326 ## Builders - Context: various cost reduction efforts need to happen on the Hydra/ofborg builders infra. - There might be the possibility to get Hetzner to sponsor one more machine. 
- [delroth] Pretty sure we are not using our build resources efficiently as it is (queue-runner bottleneck) - [vcunat] xz compression is the main problem - [zimbatm] We should properly analyze where the bottlenecks are. ## Backups - We are not doing proper backups of the NixOS infra. - There is an rsync.net account where the Hydra database gets backed up to, at least. - Julien's vaultwarden PR is currently blocked by this, we're getting backup storage space from Hetzner (storage boxes). ================================================ FILE: docs/meeting-notes/2024-01-25.md ================================================ # 2024-01-25 ## [hexa, delroth] EMS Migration - Configuration hasn’t been written yet, hexa might get it done this week. - When will we get the data? - Graham still holding it until it can get cleaned up (removing private user data). Board set a deadline during the last meeting. - We could talk to EMS directly, to get the account handed over - We want ~10 days to do the migration (so: we want the data before Feb 7th) ## NixOS 23.11 upgrades - Infra currently runs on NixOS 23.05 - No blockers, need to be updated individually ## Deployment setup - Blocked on secret management, will likely be sops - Machines use network configuration provided by NixOps ## Bitwarden - Reason: Self-hosting, currently Jonas pays for the hosted plan. - PR pending needs to be moved forward: https://github.com/NixOS/infra/pull/287 - delroth/hexa can hand out backup storage credentials. 
## Binary cache - Cost of S3 exceeds Foundation income… - Garbage collection will be started - Timeline: Start some time in 2024/02 - Advanced communication will be sent out - Build list of store paths we want to keep and configure gc root for them - Plan is to keep all FODs - Make store paths that are about to get deleted unavailable prior to deletion - Potentially move parts of the cache to Hetzner - delroth has capacity to look into this in 2024/02 - Needs a service to decide, where (S3 or Hetzner) the request would need to go - Logic could be installed at fastly, to try hetzner first, fallback to s3 - Service is in the critical path, currently fastly/s3 solve availability for us ================================================ FILE: docs/meeting-notes/2024-02-08.md ================================================ # 2024-02-08 Attendees: delroth, hexa, JulienMalka, lheckemann, raitobezarius, vcunat, zimbatm ## [hexa, delroth] EMS Migration Context: https://github.com/NixOS/infra/issues/325 - PR for Synapse and its dependencies is up. - https://github.com/NixOS/infra/pull/336 - [Julien] What's the status of the backup module? - Split off into its own PR and merged already: https://github.com/NixOS/infra/pull/345 - raito and Ron met with Matrix / EMS folks at FOSDEM 2024 - They have scripts for GDPR compliance (user data purge), but we need to ask them by email. - Then we can get a clean DB dump, presumably without user data. - Not sure whether we sent an email or not. But Graham might be in contact directly, and EMS folks made him an offer to do the data deletion. - Worst case Graham/DetSys will pay for the extension of the EMS plan. - Probably no hurry anymore from the infra side. Foundation board is monitoring this to make sure we have a solution at some point. ## [delroth] Should we publish these notes more widely? - There is a trend towards publishing notes on Discourse, etc. for visibility. 
- [delroth] My thoughts: we should archive (edited) notes in Git somewhere in our docs/ folder, update a Discourse thread every 2 weeks. - I of course volunteer to take care of this :) - Consensus: let’s do it. ## [delroth] Packet/EQM access to infra-core - Our builders are very, very outdated. But risky to try and update stuff with 0 debugging capabilities. - Any reason why infra-core shouldn’t have full Packet/EQM access like we have Hetzner access? - Not entirely clear who currently has access? - [zimbatm] Got access from eelco last weekend, will delegate. - [raito] Does nix-netboot-serve run on our infra? - [hexa] Yes, on eris. The images are also built from our infra, it’s a Hydra jobset. But the jobset has not successfully completed for a year. - [hexa] We can update stuff, but we have no way to debug issues if we do so. - zimbatm took care of it live, woo! ## [raito] Stay in the loop of infrastructure matters - How should work be split between zimbatm/raito? - Would like access to private infra stuff to act as secondary. - In general: who should have ownership to accounts? - A bunch of GH org owners for example are inactive. - Not really aligned with any subgroup e.g. foundation board. - [zimbatm] I think the foundation should have access, but unfortunately the foundation also doesn’t have the best personal security to hold those credentials. - [zimbatm] Maybe it should be the infra team instead? i.e. delroth/hexa/vcunat/… - [raito] That would work too, as long as it’s active folks who can take care of day to day stuff. I don’t care that it’s specifically me, just that we don’t get blocked due to not finding an owner. - [zimbatm] I don’t feel like I can make that decision alone right now. Let’s find some kind of organization which makes sense. - Raito got invited into the private infra matrix channel (at least, for now) ## [Julien] NixOS wiki collaboration w/ infra team - We have a bunch of candidate sysadmins in mind. 
Do we want to merge this into non-critical-infra? - [Julien] I’m a bit biased since I’m sitting on both sides of this discussion, but I think this would be a good onramp to bring more people into non-critical-infra. - [zimbatm] We can subdivide permissions on the Hetzner Cloud side of things, but I’m not sure whether we should share stuff further. - [hexa] They have their setup mostly figured out already, including backups. We can let them run with it for now, and we can always pick it up later. - [linus] What about inviting them to non-critical-infra and just giving them access to all the non-critical-infra? Even if they just want to maintain the wiki. - [hexa] It’s about being responsible for all of it. I don’t think we should grant unneeded access. - [Julien] +1. - [delroth] I feel like if it’s official, we should treat it as such and onboard it as part of non-critical infra. Doesn’t require giving them access to everything. - [linus] If it is official, then it should be maintained by the official infra team - [hexa] I think we’re mostly in agreement then. - [delroth] non-critical-infra should be restricted to the relevant directories and go through PRs for touching other stuff - [Julien] They probably want to iterate fast in the beginning - [delroth] They should get a dedicated machine on Hetzner Cloud, that they can play with - [Julien] Too much shared code will increase reliance on core infra members. - [delroth] Action items - Let’s give them SSH access to a Hetzner Cloud VM - Or a separate project so they get direct access to machines. Might already be done. - Let’s make sure we agree on the idea of moving this to non-critical-infra in the short/mid-term future - Provision DNS etc. ## External requests - Hydra DB access (raitobezarius) - Hashing out details in https://github.com/NixOS/infra/issues/348 - CA derivations for Hydra (Ericson2314) - Nix 2.20 broke interop with the old Nix 2.13 we run on builders. Rolled back to 2.19. 
- https://github.com/NixOS/nix/issues/9961 - DB schema change applied. ## Ongoing projects - [delroth] Hoping to complete the nixops deprecation this week. Then: core/non-critical-infra alignment. ================================================ FILE: docs/meeting-notes/2024-02-22.md ================================================ # 2024-02-08 Attendees: delroth, edolstra, hexa, JulienMalka, raitobezarius, vcunat, zimbatm ## [delroth] FYI on availability next few weeks - Traveling until mid-April, low availability, will be on JST timezone (UTC+9) - Missing for the next 2 infra meetings ## [delroth] Backups situation - How do we backup haumea, long term? - borgbackup isn't really a good fit for a 500GB Postgres DB. - Currently: zrepl to my personal infra and hexa's, but that's obviously not a good long term solution. - Used to have backups to graham's rsync.net account, but that's broken since mid-Jan. - [raito] Have you ever tried pg_dump's optimized dump format? - [delroth] Is it fast enough to do a daily dump? - [raito] unsure, but there are ways to do incremental backups: - pg_basebackup + pg_dump compressed format ## [hexa] Migration of Synapse from EMS - Apparently waiting for EMS to sort out removal of PII? - [raito] As long as there's discussion happening between Graham and EMS we probably don't have to care about this, the legacy hosting plan is not getting cancelled. - [raito] If anything goes wrong we'd likely get notified. ## [eelco] Move fastly log aggregator to pluto - This is currently running on Eelco's local machine which is suboptimal. - Weekly script that takes Fastly logs and loads them into AWS Athena + generates some aggregates. - https://github.com/NixOS/infra/tree/master/metrics/fastly - We will put that on the new Eris: Pluto - [eelco] I will need to create an AWS IAM to bestow the adequate permissions to enable the script to run on Pluto. - [eelco] I just need read/write access to Athena and some S3 bucket. 
- [delroth] Who is using this data? - [eelco] You can see on that page that the reporting is generated via this data - PII data regarding access logs of cache.nixos.org - [everyone] What kind of policy do we want regarding PII and the non-critical infrastructure? e.g. new wiki access logs are available to the non-critical infrastructure - Let's take note of this, think about it for the next weeks ## [delroth, hexa] Machine changes Our spend on outdated AWS EC2 instances and EBS volumes is too high and we are cutting back on our use of EC2 and instead renewing our infra at Hetzner. - Reduce AWS spending - Started pruning old snapshots and EBS volumes (e.g. nixos-webserver, old nixos versions) - [eelco] I think it should be fine to delete them. There's a small risk there could be some historical data, for instance, our subversion repo used to be there as well and the nix-dev mailing list too. In theory, we have copies of all of that. - [delroth] I might start an instance and extract the data from there; otherwise I will just delete it. - [eelco] There was a lot of scratch space for something… I don't remember it. - [delroth] I think it was bastion and is now paused. - Bastion is now stopped/paused - [hexa] Migrated to Eris and now to Pluto - [hexa] Channel scripts are running way faster - [raito] :tada: - Pinged survey.nixos.org owners (@garbas), to get the limesurvey instance migrated to something more reasonable - [hexa] $ 150 USD/mo - [hexa] Proposal: Migrate to Hetzner Cloud for a fraction of the costs - [delroth] I asked Julien to look into it - [delroth] In general, it's open to anyone who is looking to do non-critical work - Archeology machine from the cache team - [delroth] Jonas, can you look into the cost? And can we make it start on-demand? 
- [jonas] asking edef whether they can accommodate these changes - Hetzner machine renewal - Phasing out eris.nixos.org (EX41S-SSD, Intel i7-6700, 64GB RAM, 2x 256GB SATA) - [hexa] Old hardware - Created and deployed pluto.nixos.org (EX44, Intel i5-13500, 2x512GB NVME) - [hexa] Slightly cheaper but modern hardware - [hexa] Everything migrated except for monitoring - [delroth] Some disentanglement required to migrate monitoring There's a potential of around $700/month of savings in all those operations. That is, we're offsetting our whole current Hetzner spend with those AWS savings. - [delroth] Future savings (more involved): - [delroth] Two layers of storage for cache.nixos.org: warm paths on Hetzner - [delroth] It might be easier to do that stuff on NixOS releases S3 bucket (much smaller bucket) and it's costing ~1000 USD per month in **bandwidth** ## [julien] Opening non-critical to more members - [Julien] Idea of non-critical infra was to lower the barrier to entry, because people could be trusted with less risky infra - [Julien] I would like to post a Discourse post to look for new people who might be interested to join the team - [Julien] It seems like we have some issues open for non-critical infra that we could let people tackle, and they could constitute a first project - [delroth] https://github.com/NixOS/infra/issues?q=is%3Aopen+is%3Aissue+label%3Anon-critical-infra - [Julien] I think it's a good time to do such a post and reach out - [Julien] I wanted to check with everyone whether it was okay to invite new people - [delroth/zimbatm] Yes - [delroth] I think the most important thing is to know who will take care of onboarding and leading the work - [Julien] I am ready to handle the onboarding load and the lead, I would prefer to manage newcomers rather than do all the stuff by myself ## [delroth, hexa] Deployment changes We removed nixops and deployment now happens from a `flake.nix`. The plan is to go for colmena eventually.
- Deployment via `nixos-rebuild --flake .# --target-host root@.nixos.org --use-substitutes switch` - NixOps generated configuration was imported and is being migrated, for example we: - started using agenix for secrets management and imported existing secrets - and migrated Network configuration to systemd-networkd/resolved ## [delroth, hexa] Infra Changelog - All machines are now running on NixOS 23.11 - Migrated haumea's database to PostgreSQL 16 - Align timezone across machines - Fix backup of haumea's database - zrepl to delroth and hexa - rsync.net stopped working due to zrepl API version mismatch - Enabled trimming and scrubbing on all ZFS pools - Fix the fastly-exporter deployment - Migrated to nixpkgs module, which [required its own fixes](https://github.com/NixOS/nixpkgs/pull/287348) - Generated a new API token, the old one was invalid - 📊 [Dashboard](https://monitoring.nixos.org/grafana/d/SHjM6e-ik/fastly?orgId=1) - Fixed [race condition and world-writable state file](https://github.com/packethost/prometheus-packet-sd/issues/15) upstream in packet-sd - Added alerting for - Failed systemd units - [Domain expiry](https://github.com/NixOS/infra/pull/249) within the next 30 days - Lazy loading of eval errors on hydra (Patch by @ajs124) - Reduces page sizes on the common jobsets/evals by 15-20MB to a few kBs - More work needed, because error logs are still being fetched from the DB, just not rendered - Services migrated to pluto.nixos.org - channel-scripts/hydra-mirror - netboot - rfc39 - Removed and refactored legacy code, e.g. 
- hydra-provisioner - delft/network.nix ================================================ FILE: docs/meeting-notes/2024-03-07.md ================================================ # 2024-03-07 Attendees: hexa, vcunat, zimbatm (Jonas), Linus, Julien, Raito/Ryan, Jade (most of the time) ## [hexa] arm64 hetzner machine config - Dump it into a new directory in the infra repo, allow infra-build to deploy - vcunat: There's an issue containing the bits of the configuration - vcunat: I assumed we wanted to migrate it directly to a new deployment system - hexa: delroth wanted to script out iPXE but this has not panned out yet, we discovered we had DHCP available, which is promising ## [zimbatm] Round table What is on everyone's mind? What are your plans? - Linus: - Happy to help out with stuff, pairing on anything - zimbatm: Do you think we should do a better presentation? - linus: I think that'd be good - hexa: - Looking at iPXE, which holds us back the most right now - will coordinate with delroth, if he already has anything - Open to discuss the Ceph scenario - A lot of discussions ongoing with the self-hosted binary cache, that's good - We are running into questions that cannot be answered by anyone - What should be the availability? - What should be the durability? - Discussion running in circles right now - Form a tighter discussion group - So that you can identify the main points - And address them - And not run in circles - vcunat: - Continuously busy with staging iterations - Unblocking difficult to access machines, e.g. aarch64 machine - There's actually more of my machines in the infra and that also requires update - Small benchmarking machine that makes sense: - t2a - The point is to have consistent benchmarking data - Linus: we definitely don't have cloud VMs for benchmarking, we probably want dedicated hardware - zimbatm: could you potentially create a ticket to make an inventory of your machines?
- vcunat: there's two machines: t2a and t4b only really - Julien: - _Short-term_: I would like to onboard more folks on non-critical infrastructure - I would like to give them tasks to do end to end - Difficult to do with the current list of tasks atm - The wiki is also something I also want to get out ASAP - The technical issues are basically non-existent, just a little bit more work to do - Then announcements, onboard people to do editorial work, and that's it - We are near ready to launch - zimbatm: Bitwarden - Julien: we need to move the data from old to new and inform the change to the users - zimbatm: OK, we need to organize that migration - Julien: we can discuss this async - Interested also in cache self-hosting discussions - We have momentum and it'd be nice to have some sort of stance from infra people - Addressing the recent unrest regarding the public stance of infra on self hosting - zimbatm: we should/could do a proof of concept so we can get a feeling about how easy is it to operate - Ryan: - Recommend https://github.com/zhaofengli/colmena/pull/198 Things to pick up for infra: https://github.com/NixOS/infra/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc+label%3Anew-service ## [hexa] darwin access - hexa: We have an inventory problem - What machines exist? What machines should we be able to access? - Important so we can delegate access and unblock work - - Braindump - Apple M1 at Hetzner (hydra) - Apple M1 in Grahams basement (???) - Apple M1 at Macstadium (ofborg) - Apple x86_64 at Macstadium (ofborg) ## [hexa] ofBorg access - hexa: we have some folks who want to work on OfBorg but cannot do because they are not empowered on to do so - it is also go via buildkite management mechanism from Graham ## [raito] aarch64.nixos.community management - https://github.com/NixOS/aarch64-build-box/ - managed by community or infra? 
- zimbatm: it used to be in the nix-community infra, but because the nix-community does not have access to the Packet account - hexa: in the past, the worst we had is to debug the kernel issues, which is difficult w/o packet access - utilized by ofBorg, too, not a problem because we don't need to trust its build results - zimbatm: will talk with zowoq, who manages the nix-community day-to-day operation ## Changelog - Cancelled the contract for `eris.nixos.org` (ends after 2024-02-28) - All services have been migrated to pluto.nixos.org - Set up backups for Prometheus, Grafana, VictoriaMetrics - The primary hostnames for Prometheus and Grafana have changed - https://prometheus.nixos.org - https://grafana.nixos.org - Redirects for the old hostname/path are in place - Hydra changes - Increase pipe size to improve queue-runner performance - Increased retention interval of Prometheus to two years so we have more history to evaluate these changes - Builders have received the fix for https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37 - GitHub App for wiki.nixos.org so users can log in. ================================================ FILE: docs/meeting-notes/2024-03-21.md ================================================ # 2024-03-21 Attendees: hexa, vcunat, Linus, zimbatm, Eelco, Janik, raitobezarius, Alex ## Round table - zimbatm - had no spoons to think about cache - vcunat - expensive nixos tests that could be improved - noticed `nixos-disk-image.drv` steps taking a long time in send/receive phase - hexa - unhappy with the board decision to let Anduril sponsor, like delroth. At an impasse. We need to find a way to work on this together. - not sure if delroth is ultimately out. - don't want to burn out if delroth is gone. - I also don't want to invest time, when the org agrees to military sponsorship. - Next step: get to the policy, connect with delroth to see if we can keep working on it together or not.
- Janik - opened issue after the open board calls about meeting infrastructure. https://github.com/NixOS/infra/issues/401 - PR with Jitsi probably soon. - Do we have a database for the pads? - hexa: should be colocated with the machine. - Jonas: do we have hardware for this? - hexa: we can try it on caliban. If it grows too big we can move it. - Linus - happy to review what Janik is doing. - happy to pair with anyone - Eelco - what's the plan with the self-hosting? - still in discussion, we intend to do some exploration with Ceph - we still need to find a way to pay for the cache. - Alex Ou - NixCon NA attendee. - Interested in infrastructure, their main use of NixOS, managing bare-metal fleet of servers - Raitobezarius - Concerned with the state of the infra, due to delroth ragequitting. - Tigris Data: CDN+S3 built on top of fly.io that might be interested in sponsoring us. - Meeting with PCH.org: have hundreds of datacenters, they can offer everything in terms of storage infra. - Lots of POPs - Storage - ... - Proposition in progress. - Would like to review the set of people in the infra core for inactive members, so that we know exactly who has access and can reason about trust. - Eelco? - Graham? - Amine? - Proposal: remove access, and restore if needed - Eelco agreed. (Actually Eelco needs to reconsider.) ================================================ FILE: docs/meeting-notes/2024-04-18.md ================================================ # 2024-04-18 Attendees: delroth, Janik, dgrig, vcunat, raitobezarius, hexa, Linus, Weija ## Topics - [delroth] Bringing up the topic of Keycloak / Kanidm again - We'll probably want it for Jitsi? I'd also love to drop user management stuff from Hydra. - Other use cases: - Wiki? (I'm guessing mediawiki can SAML) - Pads? (for meeting notes that we'd rather not have vandalized) - Calendar? - Hydra?
https://github.com/NixOS/hydra/pull/1298 - [hexa] Requirements: - GitHub login, and being able to read organization membership info - Maybe Dex can do what we want as well? Proxy to backend apps - @raitobezarius in chat: [oauth2-proxy](https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/github/) as well exist - @raitobezarius in chat: [SATOSA Proxy](https://github.com/IdentityPython/SATOSA) can be used to do SAML2<->Social Login - [delroth] releases.nixos.org S3 costs - tl;dr discovered last week that the bandwidth costs rose significantly for no known reason - Shape of the growth looks organic but there shouldn't really be anything causing it. - Fastly logs analysis showed nothing interesting. - Some access is blocked by [eelco not sharing credentials](https://github.com/NixOS/infra/pull/388#discussion_r1545856527) - Enabled S3 logging, haven't analyzed yet. - Cost Explorer might be indicating that this isn't actually releases.nixos.org but something else in eu-west-1 also using S3? But then what? (or is Cost Explorer broken? wouldn't be too surprising) - [Janik] Jitsi on non-critical-infra - nixpkgs+infra PRs were reviewed - Still blocked on tracking down a bug - Probably will land soon (if someone helps with debugging) - [delroth] What do we still not have access to? | Hostname | System | Location | Purpose | Access
infra-build | Access
infra | Comment | | ------------------------------ | -------------- | ---------- | --------------------------- | ---------------------- | ---------------- | ----------------------------------------- | | haumea.nixos.org | x86_64-linux | Hetzner | Hydra database | have | \- | | | makemake.nixos.org | x86_64-linux | Hetzner | NGI Hydra | \- | \- | via https://github.com/ngi-nix/ngi0-infra | | intense-heron.mac.nixos.org | aarch64-darwin | Hetzner | Hydra builder | want | \- | | | sweeping-filly.mac.nixos.org | aarch64-darwin | Hetzner | Hydra builder | want | \- | | | maximum-snail.mac.nixos.org | aarch64-darwin | Hetzner | Hydra builder | want | \- | | | growing-jennet.mac.nixos.org | aarch64-darwin | Hetzner | Hydra builder | want | \- | | | enormous-catfish.mac.nixos.org | aarch64-darwin | Hetzner | Hydra builder | want | \- | | | rhea.nixos.org | x86_64-linux | Hetzner | Hydra | have | \- | | | caliban.nixos.org | x86-64-linux | Hetzner | NC-Infra | have | x | | | aa-hetzner-1.nixos.org | aarch64-linux | Hetzner | Hydra | have | \- | config import infra repo todo | | pluto.nixos.org | x86_64-linux | Hetzner | Monitoring, Channel-Scripts | have | \- | | | aarch64.nixos.community | aarch64-linux | Equinix | Community/ofborg builder | \- | \- | on demand | | 208.83.1.145 | aarch64-darwin | Macstadium | OfBorg builder | want | \- | | | 208.83.1.173 | x86_64-darwin | Macstadium | OfBorg builder | want | \- | | | 208.83.1.175 | x86_64-darwin | Macstadium | OfBorg builder | want | \- | | | 208.83.1.181 | aarch64-darwin | Macstadium | OfBorg builder | want | \- | | | 208.83.1.186 | x86_64-darwin | Macstadium | OfBorg builder | want | \- | | | ofborg-core | x86_64-linux | Equinix | OfBorg controller | want | \- | on demand | | netboot-foundation | x86_64-linux | Equinix | ? 
| \- | \- | on demand | | ofborg-evaluator0 | x86_64-linux | Equinix | OfBorg evaluator/builder | want | | on demand | | ofborg-evaluator1 | x86_64-linux | Equinix | OfBorg evaluator/builder | want | | on demand | | ofborg-evaluator2 | x86_64-linux | Equinix | OfBorg evaluator/builder | want | | on demand | | ofborg-evaluator3 | x86_64-linux | Equinix | OfBorg evaluator/builder | want | | on demand | | ofborg-evaluator4 | x86_64-linux | Equinix | OfBorg evaluator/builder | want | | on demand | | small-c3.large.arm64 | aarch64-linux | Equinix | Hydra builder | have | \- | on demand | | big-parallel-c3.large.arm64 | aarch64-linux | Equinix | Hydra builder | have | \- | on demand | ## Changelog: - Removed unused apps on the infra repo - Slack (unused) - Removed apps from release-wiki repo - HackMD (unused) - Removed unused apps on the org level - Bors (discontinued) - Marvin-MK2 (discontinued) - Travis-CI (unused) - Hydra web UI is fast^W not as slow now (+ other improvements) - https://github.com/NixOS/hydra/commit/6189ba9c5e5308e17a7d1fb7f38443272a70f072 - Queue runner CPU-heavy operations throttling: https://github.com/NixOS/hydra/commit/a51bd392a22fba5b0a0d90e2204a608b78c37ce1 - Fastly shielding location fixed for releases.nixos.org and tarballs.nixos.org (used to go transatlantic for no good reason) - http:// redirects to https:// for all our S3 buckets except cache.nixos.org (broke nix-index, temporarily reverted) ================================================ FILE: docs/meeting-notes/2024-05-30.md ================================================ # 2024-05-30 Attendees: hexa, vcunat, zimbatm, kenji, sterni ## Round table - [hexa] - Updating Hydra to Nix 2.20 - Ran into (known) regression - https://github.com/NixOS/nix/issues/9961 - vcunat rolled us back to the previous config - TODO: needs to persist rollback in git - nixpkgs is stuck on 2.18 - next step: wait on the next stable Nix release (in nixpkgs) - Did a round of rotating shared passwords: Hetzner, 
Netlify (setup 2FA), ... - [vcunat] - Not anything else significant - [kenji] - Curious visitor - [sterni] - Nothing in particular ## Topics - [hexa] Vaultwarden mail delivery - prevents onboarding of new people - https://github.com/NixOS/infra/issues/430 - solution: https://github.com/NixOS/nixos-wiki-infra/blob/main/modules/postfix.nix - talking to Julian if he can take it, with fallback to hexa - Netlify - Need to talk to Marketing if GitHub pages would be sufficient - Netlify provides preview environments - Annoying because - it's expensive, - DNS is crap, - cost is per-user - so we have to share a password. - [hexa] API modernization in sign-binary-cache script - https://github.com/NixOS/nixos-channel-scripts/pull/72 - Not used for hydra.nixos.org - Should close the PR and remove the script to not mislead more people - [zimbatm] Wants to transition out of the team - Talked with hexa previously in private to take over team lead - The person doing the things should be leading the team - Transition out over the next month or so - Maybe focus for the next month could be on making contributing to the infra repo more comfortable, needs more people who contribute to infra feel welcome ================================================ FILE: docs/meeting-notes/2024-06-13.md ================================================ # 2024-06-13 Attendees: hexa, vcunat, Julien (partially), Eelco ## Round table - Julien - currently otherwise occupied - wants to finish the Lime survey migration away from AWS EC2 to non-critical infra - vcunat - Full disk on Haumea - Checking on tarball mirroring service - wasn't working for the last two weeks, we failed to notice - issue in nixpkgs caused breakdown - tending to the script and will merge the fixed version back - hexa - Haumea's backup location - Super write-intensive - Return to rsync.net - tried updating delft/* to 24.05 but hydra wouldn't compile - Eelco - Interested in the cost-increase on the release bucket - March 6xxx USD - 
April 9700 USD - May 8200 USD - Still increasing as of June - Need to move forward with the S3 Bucket (Cache & Releases) - Move data into Glacier, would be cheaper there, but not accessible from cache.nixos.org anymore - Moving things out of Glacier expensive, cheaper when we batch requests and request them for the next day or so - Plan to move to Tigris data, they would give us a discount, and egress is currently free - Need to get the relevant people in a room to make a final decision - Eelco - Edef - Jonas - Infra Build (hexa, vcunat) ## Action items - Check Prometheus Alerting Pipeline, no Alerts since May 21 - File issue about hydra/nix build failures - Schedule call about S3 bucket decision with Eelco, Jonas, Infra-Build ## Full disk on haumea - The ZFS pool (1 TB) on Haumea has been running full in the last few days, leading to the PostgreSQL database to be unavailable - Multiple options - Reducing number and frequency of snapshots - 3x5m, 4x15m, 24x1h, 4x1d, 3x1w - [vcunat] 5 minutes probably excessive - Replace haumea with a machine with bigger disks - AX101 ~100 EUR/Mo - Long-term maybe prune Hydras database - or set up a new database and copy only the config over - Spend some more time debugging the situation, if it doesn't work out go for a bigger machine ## Acquire rsync.net account for database backups of haumea - Previously rsync.net, but Account was paid by Graham. 
He eventually deleted that account - Currently only backup location is on hexa's NAS at home - Backup size is currently 1.7TiB - At 1.2 Cents per GB/Month that would cost ~24 USD/Month for 2TiB - https://www.rsync.net/signup/order.html ## E-Mail Alias Management - Rok would like access, so that he can switch around the alias on the streamyard account that the Marketing team uses - Resource currently managed by Infra-Build - Not enough opinions, discuss in internal infra room instead ### Changelog - Non-Critical-Infra updated to NixOS 24.05 - migrated to systemd initrd - Local Postfix setup for mail delivery from vault.nixos.org - Owncast instance at live.nixos.org was set up - Synapse Reverse-Proxying uses Unix Domain Sockets now ================================================ FILE: docs/meeting-notes/2024-06-27.md ================================================ # 2024-06-27 Attendees: edef, hexa, vcunat, zimbatm ## Round table - hexa - Large PostgreSQL snapshot sizes caused by autovacuuming likely rewriting Indices (https://github.com/NixOS/infra/issues/446) - Actionables: 1. Setup rsync.net account, so we can have a proper backup, and help hexa's pipe 2. Try lighter compression with lz4 because we are seeing CPU load bottlenecking 3. https://github.com/NixOS/infra/pull/447 - Tried the limesurvey migration. Slightly cursed because NixOS 22.05. Upgrade path not clear because of incompatible DB versions. Might need a fresh instance after talking to the marketing team. - vcunat: - Haumea zrepl snapshot frequency to accomodate the smol pipe of hexa's backup target - DB crashed due to full disk and would stop Hydra from working - edef: - Discussed with tomberek and jonas with getting the Glacier copy started. For only large objects to keep it simple. - The release bucket traffic has grown again? - edef: it doesn't seem that sizable based on the graphs I am watching - hexa: did you see the chart Eelco posted? 
they looked worrying - edef: to the fastly endpoint - hexa: AWS - edef: (looking the AWS Price explorer) looks like 1000 USD/month (30 USD/day), not exploded - 2000/2010 style infra team - We get this software thrown over and shall run it - How can Hydra be made future-proof? - Who maintains Hydra? Who makes sure the software works for the infra stack we can provide? - hexa: Only Ericson updates Hydra to new Nix versions, probably for CA derivations, not much else is happening - vcunat: Scale has increased much over the years since Hydra was written, and it hasn't kept up - edef: too few people to commit and cover stuff - biggest issues: - queue-runner cannot compute runnables faster than they are getting consumed - hydra kept busy with expensive xz compression of all results it gets - jonas: - requester pay on the release S3 bucket? - last rollout resulted in 404 (silent 403s) - we use the same code as for the cache - edef: I tried the fastly code for the cache bucket. Tried it on a separate deployment. It doesn't appear to experience the same issues. Doesn't require a privileged token. Not sure how to further debug that. - could talk about tigris data - edef: let's get stuff in there - edef: need to talk to AWS for free egress - jonas: just the release bucket for now, because we have issues with it ================================================ FILE: docs/meeting-notes/2024-11-14.md ================================================ # 2024-11-14 Attendees: jkarni, zimbatm, mic92, infinisil, kenji, drig/erethon, arian, sam , hexa, jeremy, jeff ## Round Table ### Ofborg - Mic92: POC to evaluate nixpkgs on GitHub Actions. Results looked promising. nixpkgs-review would run in 5 minutes. the ofborg-eval was heavily swapping and taking 15min. - Infinisil: people might have to enable GHA in their fork, which is disabled by default - Mic92: I didn't see this behaviour? 
- Kenji: I think Github changed some defaults - ref: https://github.blog/changelog/2024-11-05-notice-of-breaking-changes-for-github-actions/#changes-to-workflow-validation-for-pull-requests-originating-from-forked-repositories - Mic92: I think this is true for periodic - Infinisil: trying now for a new user - Mic92: if we want to pursue GHA, we would have to evaluate nixpkgs twice because we need to get the store paths for master, and the changes of the PR, and then we can compute all packages that have been changed, and append that textfile as data. This can then be re-used by nixpkgs-review. - Arian: why are we not using the PR workflow? - Mic92: concurrency issues (limit of 20 runners per org). - TODO: check if we hit the limit - hexa: the idea to comment on the PR is to compensate for the visibility issue? - Mic92: yes. it sucks a bit, but this could be mitigated by a small web service. - A thin wrapper that receives a webhook, checks back the PR status and translates it as a comment. - Infinisil: wouldn't it be possible to have a workflow that polls on behalf of the user? - It's a workflow that tries to find the workflow on the user's push, in their fork. - It would be triggered every time you synchronize the PR. - Mic92: can you set this up in a way that the workflow gets triggered once the workflow is finished? - Infinisil: I think you need to poll for this. - Mic92: Is it a 1:1 mapping, or 1:N? - infinisil: Something like ```yaml # .github/workflows/query-pr.yml on: pull_request_target jobs: check: runs-on: ubuntu-latest steps: - run: | gh api /repos/BASE_REPO/commits/GITHUB_SHA/check-runs ``` - Worry: Offloading OfBorg on to GH could give us trouble, because it might not be insignificant compute. - Jeremy: is this confined to PRs, or running on all branches? - Mic92: it would be on push, but checking if the branch is part of the PR. - Mic92: actually, there might be some synchronicity issue, because the PR happens after the push. 
- Mic92: Because of that we might need a webservice that can trigger actions - Mic92: can we get an event when we open a PR? - Arian: Team plan gives us 60 concurrent actions by the way. (And team plan is free for non-profit orgs) - Pushes don't have a base branch, need a base branch to compare the out paths - Mic92: only if not open as a PR - infinisil: Can pre-compute the out paths on push, cache out paths on Nixpkgs master, then comparing can be done in a PR action fairly easily - Jonas: who is going to make this happen? - Infinisil, Alex Balsoft, Jeremy after early December, Mic92 can write some scripts and don't want to lead (want to work on the binary cache). - Infinisil: not convinced if that's a good idea. - Jonas: What would it take to get to feature parity - What is the minimal set? - Mic92: Minimal - Evaluate Prs - Mic92: 2nd Phase - We can build packages. - Mic92: Labels for mass-rebuilds - Silvan: Requests reviews from maintainers (maybe not needed?) - Silvan: Don't need to build manual with OfBorg anymore (Is already built in ci) - Silvan: Evaluating without aliases - Jonas: Discourage IFD's - Silvan: Maybe it really is good to split this up in two parts: - Evaluating - Building - Arian: Average job queue time is currently 9s: https://github.com/NixOS/nixpkgs/actions/metrics/performance - Arian: I would aim for: Lets just try with `pull_request:` and only do the complicated `push:` abuse if that job queue time is gonna go up significantly - Jonas: Looking forward to having eval failures to block merges! - Silvan: Who can review pr's and help out: - kenji: +1 - balsoft: +1 - Mic92: +1 - dgrig/erethon: +1 - Silvan: Can add GH Team to ping for this issue - Silvan: TODO - Mention this effort on Discourse - Mic92: How do we coordinate? - Main Evalation - Figure out parts we can parallelize: - most parts are fairly orthogonal - Silvan: Somebody could lead the Building part: - Mic92: Find someone who can help out, maybe on discourse? 
- Silvan: GH doesn't have all the architectures - Mic92: Start with the ones we have currently - Silvan: If we don't need evaluation anymore - this could save a lot of resources, could optimize - hexa: Yes, but it might not apply on top of staging for example - Silvan: Yes, staging can probably be ignored - hexa: Yes, it tries to build against the target branch, led to some problems, for example always trying to build llvm on darwin -> continuous timeouts - Mic92: A ton of stuff we could potentially optimize - Silvan: Empower users to build on more architectures - Mic92: Convenient to have logs in public - Mic92: I would like to see a /build command, so that builds can be manually triggered - Silvan: Optimization of the Eval part: - look at paths that actually changed - mic92: Aware of nix script that gives names of paths that are actually changed? - Silvan: Yes - Mic92: If heavy swapping, then it might speed up, else we might see a slow down - Silvan: Where should we report? - discourse? - Mic92: Discussion would be nicer on GH, because we can link issues/PRs. ## Topics - Transfer of the Macs located at Detsys to Flying Circus - Scheduled for 2024-11-25 - Currently enrolled into Detsys MDM Account. Can we set something up to migrate that to an infra team account? - Report back the result to the Mac Mini Logistics room on Matrix - MDM built into macs, but need to be enrolled into an mdm vendor - Arian: Don't have to do it, but very convenient - Mic92: if there are no major problems, should look into MDM as well.
- Oakhost Macs are available - Need the usual setup - 3 new machines - arian can set this up - initial password - Mic92: Mac enrollment not very automated yet, last time hexa wrote some stuff down - Arian's keys need to be added to the repository - Arian: - need access to oakhost - ssh key to infra - Mac Issues: - hexa: Forking issues on Sequoia - hexa: Running quite well atm - hexa: Patched out chrooting of nix, applied patches on top of darwin builders - hexa: Not sure exactly why that works - hexa: Upstreaming rosetta2-gc to nix-darwin currently - hexa: darwin 15.1 had issues -> hetzner doesn't roll back (need rescue mode) - hexa: Rollbacks likely possible with mdm - arian: We can likely add hetzner darwin machines to be managed by mdm, but not too sure - arian: Will look into whether we can add them without physical access, look into what detsys did - Equinix Metal Exit Plan - https://md.darmstadt.ccc.de/eqm-exit-plan - hexa: This is what we had, this is what we need, this is what it is going to cost. - mic92: Should we check out what we need for the arm64 builders? - hexa: Basically choice between: 64GB, or 256GB of memory - hexa: Likely want the bigger memory - Mic92: Can try the same for arm64, for x86 we can look into funding. - Mic92: How long do we need for set up? - a day? Shouldn't take long to set up. - Mic92: I will set this in motion, unless someone else wants to reach out. - Mic92: Ok, I will do it. - hexa: Ideally we don't have 20 small machines, but 5 big machines. Which would be good for maintenance reasons. Because we likely won't get a netboot setup anymore. - Security Tracker - dgrig: Jonas gave me access to a Hetzner Cloud project a couple of weeks ago. A VM is up and running, I'm figuring out how to implement this in the same way as nixos-infra. - dgrig: Do we care about having this in Terraform? I used TF to spin this up, but the state is on my computer currently, do we care to push it to S3?
- dgrig: Can I do `nixos-installer --flake nixos/nixos-infra`? How can I install the nixos-infra - Mic92: Inputs: "${inputs.nixos-infra}/keys" can convert to string. - Example: ```nix users.users.root.openssh.authorizedKeys.keys = [] ++ (builtins.filter (l: l != [ ]) (builtins.split "\n" (builtins.readFile inputs.phaer-keys))); ``` - dgrig: Do we care about the Terraform state yet? - hexa: Do we need the state yet? - dgrig: It is the tf state - consensus: We don't care - Jeremy: Nit - export the keys as a module ================================================ FILE: docs/meeting-notes/2025-04-03.md ================================================ # 2025-04-03 Attendees: dgrig/erethon, mic92, vcunat - erethon: - Tested umbriel email server -> works https://github.com/NixOS/infra/pull/600 - Security bug tracker: no news, still running and ingesting CVEs. - Want to work on deprecating go-neb for matrix-alertmanager tomorrow (4/4) https://github.com/NixOS/infra/issues/549#issuecomment-2764778573 - mic92: - Our Nixos infra hydra patches need to be fixed or merged into master: https://github.com/NixOS/hydra/pull/1456 - staging-hydra: - Works and trial-migration worked.
- We still need to figure out how to copy old store path from old evaluations to the new cache (worked with shivaraj and m1-s) - maybe we can use https://releases.nixos.org/nixpkgs/nixpkgs-17.03pre96825.497e6d2/store-paths.xz instead - Glacier can be actually also quite expensive or very slow access - small objects need to be excluded through filters - migration costs from s3 - vcunat: - Hydra: - Runs stable - No big issues, xz compression bottlenecks less worse because of more CPU power - Build-ingestions of queue-runner is the new bottleneck (maybe a large latency between s3 and the server) - Jeremy: - Mailserver: - Everything prepared and we just need to update DNS and sunset the old service - Maybe need another dump of the user - Saturday: 16:00 UTC / 18:00 Berlin Time - Arian: - binary cache: - looked into moving parts of the binary cache into instant access glacier tier - phased approach. E.g. start with `nars/a*` then `nars/b*` etc ... - rule of thumb: access is twice as expensive but storage twice as cheap compared to infrequent access. but same latency guarantees - TODO: Please give Mic92 the s3 cost sheet - current storage (not bandwidth cost): - Want to enable object versioning on narinfos - edef: - https://releases.nixos.org/nixpkgs/nixpkgs-17.03pre96825.497e6d2/store-paths.xz - narinfos are always in standard tier. due to small size. (Except for some pathalogically large narinfos) - rules - recent retrieval - recent upload - or in releases.nixos.org ================================================ FILE: docs/meeting-notes/2025-04-17.md ================================================ # 2025-04-17 Atttendees: zimbatm, arian, erethon, hexa, Mic92, jfly - zimbatm: - Official leadership rotation to hexa - Rotation permissions for zimbatm and eelco in various places - Gandi - GitHub - others... 
- erethon: - Security bug tracker: Development is restarting - https://tracker.security.nixos.org/ - Want to restart makemake.ngi.nixos.org, who has access to the Hetzner Robot account if things go south? - Remote KVM via Infra - Infra-Build holds Hetzner Accesss - @Mic92 mentioned Hetzner supporting Subaccounts, let's investigate that - Go-neb Deprecation - Still WIP - https://github.com/NixOS/infra/issues/549#issuecomment-2782452767 - Links to Grafana/Prometheus/Alertmanager would be useful - hexa: - Onboarding US Macs (delegated to Arian) - Winter has worked on getting Apple Business and Mosyle - DNS migration - Prompted by shared access with Marketing to Netlify - Adopted hopeful-rivest (RX170) - Mailserver - Authenticated Receive Chain - Will get Commit Access to nixos-mailserver - nixcon.org Mail Migration - arian: - AWS Account cleanup and audit - Did an audit of all access to the Logicblox account - Can somebody copy over the messages I sent in infra-internal about my research there? I lost access to my Matrix history due to deleting it because of the spam issue. - Going to disable unused high-privilege IAM roles and users that are probably from the Logicblox days ``` I am going to disable the roles accessible by that account now. And I suggest we delete them in a few weeks if nobody complains? There is also some other external account ids that are in use: * 297794765570 (has read only access. Seems to be from the same time as 33233536009 which has access to the same read only role). * CrowdStrike (has access to audit logs. hasn't accessed our account on like 500 days. Delete?) * CloudCheckr (accessed some metadata a few hours ago. Seems to be an AWS cost management tool) * Fastly logs (this makes sense) * Duckbill Group (makes sense but maybe we can delete now?) ``` - Do we want to terraform the AWS management account? - Want to enable CloudTrail audit logging for all our accounts in our management account. 
- Working on moving AMI builds out of Hydra to GHA. Almost done. Uses qemu emulation for the aarch64 build as opposed to KVM but works fine. https://github.com/NixOS/amis/pull/262 - Mic and I had the plan to do the same for ISOs at https://github.com/NixOS/images - do we still want to work on that? - Planning to meet up with edef semi-regularly regarding s3 stuff - Wanted to look into the Glacier migration or Intelligent Tiering - 60 EUR worth of access to "old paths" - Intelligent Tiering Transitions might easily become more expensive than that - Mic92 - Idea: Fastly Pull-Through Cache for GitHub Releases - To have stable URLs and allowing us to move them in the backend as needed - jfly - Does a cache hit by fastly prevent an access log entry at AWS S3? - Cache at fastly can be hot, while things are in low priority tier at AWS S3 ================================================ FILE: docs/meeting-notes/2025-05-01.md ================================================ # 2025-05-01 Attendees: hexa, mightyiam, mic92, jfly, picnoir, mightyiam - hexa: - hydra-server abuse management - loki for nginx analyzing the access logs - internal grafana instance for access to sensitive data (e.g. PII) - looking at whether go-away can better reflect our needs - hydra-queue-runner work - runnables are steps that can be sent to builder to realize - we have far more linux capacity than darwin capacity and the queue runner often stacks up darwin runnables, but cannot satisfy linux runnables - effectively preventing us from increasing linux capacity - Every two weeks meeting with Simon - hydra is modular, components use the database to synchronize - jfly - can we put our meetings on the nixos cal? 
https://calendar.google.com/calendar/u/0/embed?src=b9o52fobqjak8oq8lfkhg3t0qg@group.calendar.google.com - TODO: jeremy will add - mailserver - mxlogin.com (mxroute) Deliverability: unclear what's going on with Valentin's email (https://github.com/NixOS/infra/issues/668) - Bounces from GMail: does anyone have any ideas for this? https://github.com/NixOS/infra/issues/650 - Leaking email: https://github.com/NixOS/infra/issues/649 - TODO: try BCC-ing the people we're forwarding to (`recipient_bcc_maps` instead of virtual alias maps) - ARC: are we OK to enable it? https://github.com/NixOS/infra/pull/634 - Test it on another mailserver first - Mic92: - Get rid of nix/hydra overlay to make sure we are not mixing nix from unstable with nixpkgs from stable - Would likes to reproduce cgroups build issues in NixOS infra - picnoir: - Cache key rotation https://github.com/NixOS/rfcs/pull/149 - Minimal approach, no HSM etc. - Generate new key on hydra machine - Sign everything with two keys - PR in Nix has been merged, not in a stable release yet, but cherry-pickable - Rollover is easy for NixOS, but not so for Nix users on other Distros - Nix already hardcodes the current signing key for cache.nixos.org - We could investigate if we can also ship the new one that way - Set up and maintain public information about keys, the period in which they were used to sign packages - Blocked on social issue, needing to take charge - Testing on staging hydra - Remote-Signing (PR by Raito exists, https://github.com/NixOS/nix/pull/9076) would be nice, not super trivial, but also new failure point - Can fail in a lot of ways, since the channel between the signing infra and the queue-runner/nix is undefined, and e.g. over the network is not trivial - Next steps: - Staging Hydra setup to validate the setup/migration script. - Investigate Nix upgrade path. 
- mightyiam/jfly: - Code: https://github.com/molybdenumsoftware/pr-tracker - Demo: https://pr-tracker.snow.jflei.com/ - Alternatives: Replicate the Github Webhooks via pub/sub for anyone - Demonstrate the need for this, then we may consider making it an official nixos.org deployment ================================================ FILE: docs/meeting-notes/2025-05-15.md ================================================ # 2025-05-15 Attendees: erethon, hexa, Mic92 - hexa: - E-Mail dogfooding: No obvious issues with sender accounts - erethon: - Will send 616 emails from ngi@nixos.org today unless we're afraid this will break something. Testing I've done with a few personal gmail and other provider emails worked fine. - About replacing go-neb (https://github.com/NixOS/infra/issues/549), I've opened two PRs upstream: - One is a security fix https://github.com/jaywink/matrix-alertmanager/pull/48 - The other extends matrix-alertmanager to allow us to have the messages in the same format as we currently do with go-neb https://github.com/jaywink/matrix-alertmanager/pull/49 - Security tracker: I'll spin up a second instance so that automatic deployment don't break the production deployment. - Valentin (fricklerhandwerk) is figuring out how this will be paid to the foundation - TODO: Investigate reusing evals from GitHub Actions or Hydra - especially what information do you need from the evals - Mic92 - Will reach out to Picnoir to test Multi-Signer-Setup on staging hydra ================================================ FILE: docs/meeting-notes/2025-05-29.md ================================================ # 2025-05-29 Attendees: erethon jfly edef infinisil - erethon: - Sent ~600 emails on the 16th of May from ngi@nixos.org, everything worked great. - Security tracker: - Sounds like reusing nix evals from a different host is still far away. - Will spin up a staging instance next week (as discussed two weeks ago). 
- No updates from upstream on the two matrix-alertmanager PRs from two weeks ago. - edef - Going to give moving a bunch of things to Glacier a try with Arian - infinisil: AWS is sponsoring a lot per month - edef: Get a little headroom, can use credits for other things - Discussion between @infinisil and @edef about spending the money the Foundation has set aside for long term cache issues - Related conversation about companies donating hardware to the foundation. We don't currently have a place to put that stuff. - Good solution per @edef: - Have a rack in each continent - Own hardware to put in those racks - ~500TB - 1 PB - infinisil takes note and will consider developing a concrete action plan to go ahead - Hydra queue runner improvements - Some work is happening, but unclear status - General status: Not building stuff yet - @conni2461 (Simon hauser) working on this - @Mic92, @hexa meeting with Simon every 2 weeks - No repo yet afaik - infinisil: https://github.com/NixOS/infra/issues/700 - Asked hexa in the room - Flake seems good (https://cyberchaos.dev/e1mo/freescout-nix-flake) - @dgrig: consider looking at [Zammad](https://zammad.com/en) - Can try out both - @jfly will work with @infinisil to get this deployed - @jfly: Backups? - zrepl - @infinisil foundation board is okay with trusting the infra team on maintaining confidentiality - maybe only keep 1 year of backups? ================================================ FILE: docs/meeting-notes/2025-06-12.md ================================================ # 2025-06-12 Attendees: hexa, Mic92, tal - erethon: - Can't attend today, but here's some updates - Security tracker: - Staging host is up on Hetzner, working on setting up the security tracker software on it - Work on https://github.com/Nix-Security-WG/nix-security-tracker/pull/451 and https://github.com/Nix-Security-WG/nix-security-tracker/issues/223 because with 25.05 the host is running out of inodes on ext4. 
- Working on some proper architectural docs for the project - hexa: - Anubis deployed - Access to build results is not protected, fixes the nix.dev manual access - Further work by Mic92: https://github.com/NixOS/nix.dev/pull/1154 - Tarball Mirror fixes merged/deployed - https://github.com/NixOS/nixpkgs/pull/414869 - https://github.com/NixOS/nixpkgs/pull/361700 - Mic92 - GitHub Fastly Proxying - Naming question - Suggestion: artifacts.nixos.org - Merging with releases.nixos.org complicated - Ratelimits unclear, given that one Shield Pop will always ask for the ISO - https://docs.fastly.com/products/network-services-resource-limits - Look into segmented caching for fastly - Retire releases.nixos.org - By moving everything relevant to GitHub releases - Build and hosts ISOs on GitHub and proxy via Fastly test formatting ================================================ FILE: flake.nix ================================================ { description = "NixOS.org infra"; nixConfig.extra-substituters = [ "https://nixos-infra-dev.cachix.org" ]; nixConfig.extra-trusted-public-keys = [ "nixos-infra-dev.cachix.org-1:OvwhqPPs81cInrtRAX0K7dG6lw8wXcQEX4xyp4AnSXw=" ]; inputs = { agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; }; nix = { url = "github:NixOS/nix/2.34-maintenance"; flake = false; }; hydra = { url = "github:NixOS/hydra/a40d42862da88cce78a27dd594e1484a034aac4d"; inputs.nixpkgs.follows = "nixpkgs"; inputs.nix.follows = "nix"; }; hydra-staging = { url = "github:NixOS/hydra"; inputs.nixpkgs.follows = "nixpkgs"; # Can be kept in sync I suppose for now. 
inputs.nix.follows = "nix"; }; nixos-channel-scripts = { url = "github:NixOS/nixos-channel-scripts"; inputs.nixpkgs.follows = "nixpkgs"; }; rfc39 = { url = "github:NixOS/rfc39"; inputs.nixpkgs.follows = "nixpkgs"; }; nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11-small"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; flake-parts = { url = "github:hercules-ci/flake-parts"; inputs.nixpkgs-lib.follows = "nixpkgs"; }; darwin = { url = "github:nix-darwin/nix-darwin/nix-darwin-25.11"; inputs.nixpkgs.follows = "nixpkgs"; }; flake-utils.url = "github:numtide/flake-utils"; freescout = { url = "git+https://cyberchaos.dev/e1mo/freescout-nix-flake.git"; inputs = { flake-utils.follows = "flake-utils"; nixpkgs.follows = "nixpkgs"; }; }; treefmt-nix = { url = "github:numtide/treefmt-nix"; inputs.nixpkgs.follows = "nixpkgs-unstable"; }; colmena = { url = "github:zhaofengli/colmena"; inputs = { flake-utils.follows = "flake-utils"; nixpkgs.follows = "nixpkgs"; stable.follows = "nixpkgs"; }; }; disko = { url = "github:nix-community/disko"; inputs.nixpkgs.follows = "nixpkgs"; }; nft-prefix-import = { # https://github.com/mweinelt/nft-prefix-import/pull/2 url = "github:Mic92/nft-prefix-import/nft-stdin"; inputs.nixpkgs.follows = "nixpkgs-unstable"; }; srvos = { url = "github:numtide/srvos"; inputs.nixpkgs.follows = "nixpkgs"; }; simple-nixos-mailserver = { url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.11"; inputs.nixpkgs.follows = "nixpkgs"; }; sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; }; nixpkgs-swh = { url = "github:nix-community/nixpkgs-swh"; inputs.nixpkgs.follows = "nixpkgs"; }; }; outputs = inputs@{ flake-parts, ... 
}: flake-parts.lib.mkFlake { inherit inputs; } { systems = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ]; imports = [ ./build/flake-module.nix ./builders/flake-module.nix ./dns/flake-module.nix ./formatter/flake-module.nix ./checks/flake-module.nix ./terraform/flake-module.nix ./non-critical-infra/flake-module.nix ./macs/flake-module.nix ]; }; } ================================================ FILE: formatter/flake-module.nix ================================================ { inputs, ... }: { imports = [ inputs.treefmt-nix.flakeModule ]; perSystem = { lib, pkgs, ... }: { treefmt = { # Used to find the project root projectRootFile = ".git/config"; settings.global.excludes = [ "*.age" "non-critical-infra/secrets/*" ]; # older actionlint version don't recognize aarch64 builder programs.actionlint.enable = lib.versionAtLeast pkgs.actionlint.version "1.7.7"; programs.deno = { enable = true; excludes = [ # makes these files *less* readable "dns/*.js" ]; }; programs.terraform.enable = true; programs.deadnix.enable = true; programs.nixfmt.enable = true; programs.ruff-format.enable = true; programs.ruff-check.enable = true; programs.shellcheck.enable = true; programs.shfmt.enable = true; programs.rustfmt.enable = true; }; }; } ================================================ FILE: lib/service-order.nix ================================================ # Ordering Services # # Given a set of services, make them run one at a time in a specific # order, on a timer. { }: { # Given a list of systemd service, give each one an After # attribute, so they start in a specific order. The returned # list can be converted in to a systemd.services attrset with # `lib.listToAttrs`. 
# # Example: # # mkOrderedChain [ # { name = "foo"; value = { script = "true"; }; } # { name = "bar"; value = { script = "true"; }; } # ] # # => [ # { # name = "foo"; # value = { # script = "true"; # unitConfig = { After = []; }; # }; # } # { # name = "bar"; # value = { # script = "true"; # unitConfig = { After = [ "foo.service" ]; }; # }; # } # ] # mkOrderedChain = jobs: let unitConfigFrom = job: job.unitConfig or { }; afterFrom = job: (unitConfigFrom job).After or [ ]; previousFrom = collector: if collector ? previous then [ collector.previous ] else [ ]; ordered = builtins.foldl' (collector: item: { services = collector.services ++ [ { inherit (item) name; value = item.value // { unitConfig = (unitConfigFrom item.value) // { After = (afterFrom item.value) ++ (previousFrom collector); }; }; } ]; previous = "${item.name}.service"; }) { services = [ ]; } jobs; in ordered.services; } ================================================ FILE: macs/README.md ================================================ # Deploying to darwin See [inventory](../docs/inventory.md). ## Inventory ### Obsidian Systems (US Hosting) They are hosting five Mac Minis for us in the United States. Contact: [@ryantrinkle](https://github.com/ryantrinkle) - Mac Mini (M1 2020, 16 GB, 256 GB) - Mac Mini (M1 2020, 16 GB, 256 GB) - Mac Mini (M1 2020, 16 GB, 256 GB) - Mac Mini (M1 2020, 16 GB, 256 GB) - Mac Mini (i3-8100B, 8GB, 128 GB) ### Flying Circus (DE Hosting) Currently hosting two Mac Minis for us in Germany. Contact: [@ctheune](https://github.com/ctheune) - Mac Mini (M1 2020, 16 GB, 256 GB) - Mac Mini (M1 2020, 16 GB, 256 GB) ### Hetzner Additionally, we rent five M1 (16 GB, 256 GB) builders at Hetzner online: - enormous-catfish.mac.nixos.org - growing-jennet.mac.nixos.org - intense-heron.mac.nixos.org - maximum-snail.mac.nixos.org - sweeping-filly.mac.nixos.org These are maintained by the build infra team.
### Oakhost Two M2 Mac Minis with 24 GB RAM and 1 TB disk are sponsored by [Oakhost](https://www.oakhost.com/). If you are looking for Mac Hosting in the EU, we can recommend Oakhost. They offer a great admin experience with ad-hoc KVM access in the browser. - eager-heisenberg.mac.nixos.org - kind-lumiere.mac.nixos.org ## Install - Log in as user hetzner with the given password - Set up SSH keys in the hetzner user - Elevate with `sudo su` - ~~Install latest system updates~~ - ~~softwareupdate --install --all --restart~~ - Disable auto-updates: - We are currently seeing a performance regression in macOS Sequoia. - So to not have the machines auto-upgrade, we use: `sudo softwareupdate --schedule off` - Install rosetta2 - `softwareupdate --install-rosetta --agree-to-license` - Set up passwordless sudo ``` # visudo /etc/sudoers.d/passwordless %admin ALL = NOPASSWD: ALL ``` - Install nix - `sh <(curl -L https://nixos.org/nix/install) --daemon` - Install nix-darwin - `nix --extra-experimental-features 'flakes nix-command' run nix-darwin -- switch --flake github:nixos/infra#arm64` - `darwin-rebuild` becomes available after restarting the shell ## Update ``` darwin-rebuild switch --flake github:nixos/infra#arm64 ``` ================================================ FILE: macs/common.nix ================================================ # used with https://github.com/DeterminateSystems/macos-ephemeral { config, lib, pkgs, ...
}: let sshKeys = { hydra-queue-runner = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOdxl6gDS7h3oeBBja2RSBxeS51Kp44av8OAJPPJwuU/ hydra-queue-runner@rhea"; }; environment = lib.concatStringsSep " " [ "NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; authorizedNixStoreKey = key: "command=\"${environment} ${config.nix.package}/bin/nix-store --serve --store daemon --write\" ${key}"; in { imports = [ ./hydra-queue-builder.nix ]; environment.darwinConfig = "/nix/home/darwin-config/macs/nix-darwin.nix"; environment.systemPackages = [ config.nix.package pkgs.nix-top ]; system.stateVersion = 5; programs = { zsh = { enable = true; enableCompletion = false; }; bash = { enable = true; completion.enable = true; }; }; nix = { settings = { extra-experimental-features = [ "nix-command" "flakes" ]; max-silent-time = 7200; # 2h timeout = 43200; # 12h }; gc = { automatic = true; interval = [ { Minute = 15; } { Minute = 45; } ]; # ensure up to 100G free space every half hour options = "--max-freed $(df -k /nix/store | awk 'NR==2 {available=$4; required=100*1024*1024; to_free=required-available; printf \"%.0d\", to_free*1024}')"; }; }; users.users.root.openssh.authorizedKeys.keys = [ (authorizedNixStoreKey sshKeys.hydra-queue-runner) ] ++ (import ../ssh-keys.nix).infra-core; system.activationScripts.postActivation.text = '' printf "disabling spotlight indexing... 
" mdutil -i off -d / &> /dev/null mdutil -E / &> /dev/null echo "ok" ''; services.prometheus.exporters.node.enable = true; # https://github.com/LnL7/nix-darwin/issues/1256 users.users._prometheus-node-exporter.home = lib.mkForce "/private/var/lib/prometheus-node-exporter"; launchd.daemons.rosetta2-gc = { script = '' date exec /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -P -minsize 0 /System/Volumes/Data ''; serviceConfig.StartInterval = 3600 * 2; serviceConfig.RunAtLoad = true; serviceConfig.StandardErrorPath = "/var/log/rosetta2-gc.log"; serviceConfig.StandardOutPath = "/var/log/rosetta2-gc.log"; }; } ================================================ FILE: macs/flake-module.nix ================================================ { inputs, ... }: { flake.darwinConfigurations = let mkNixDarwin = localHostName: entrypoint: inputs.darwin.lib.darwinSystem { system = "aarch64-darwin"; specialArgs = { inherit inputs; }; modules = [ { networking = { inherit localHostName; }; } ./common.nix entrypoint ]; }; in { # M1 8C, 16G, 256G (Hetzner) enormous-catfish = mkNixDarwin "enormous-catfish" ./profiles/m1.nix; growing-jennet = mkNixDarwin "growing-jennet" ./profiles/m1.nix; intense-heron = mkNixDarwin "intense-heron" ./profiles/m1.nix; maximum-snail = mkNixDarwin "maximum-snail" ./profiles/m1.nix; sweeping-filly = mkNixDarwin "sweeping-filly" ./profiles/m1.nix; # M1 8C, 16G, 256G (Hosted by Flying-Circus) norwegian-blue = mkNixDarwin "norwegian-blue" ./profiles/m1.nix; # M2 8C, 24G, 1TB (Oakhost) eager-heisenberg = mkNixDarwin "eager-heisenberg" ./profiles/m2.large.nix; kind-lumiere = mkNixDarwin "kind-lumiere" ./profiles/m2.large.nix; }; } ================================================ FILE: macs/hydra-queue-builder.nix ================================================ { config, inputs, lib, ... 
}: { imports = [ inputs.agenix.darwinModules.age inputs.hydra-staging.darwinModules.builder ]; config = lib.mkIf false { age.secrets."queue-runner-token" = { file = ../build/secrets/${config.networking.localHostName}-queue-runner-token.age; owner = "hydra-queue-builder"; }; services.hydra-queue-builder-dev = { enable = true; queueRunnerAddr = "https://queue-runner.hydra.nixos.org"; authorizationFile = config.age.secrets."queue-runner-token".path; maxJobs = if lib.elem "big-parallel" (config.nix.settings.system-features or [ ]) then 2 else 4; }; }; } ================================================ FILE: macs/mac-exec ================================================ #!/usr/bin/env bash HOSTS=( "hetzner@enormous-catfish.mac.nixos.org" "hetzner@growing-jennet.mac.nixos.org" "hetzner@intense-heron.mac.nixos.org" "hetzner@maximum-snail.mac.nixos.org" "hetzner@sweeping-filly.mac.nixos.org" "customer@eager-heisenberg.mac.nixos.org" "customer@kind-lumiere.mac.nixos.org" "root@norwegian-blue.mac.nixos.org" ) PIDS=() for host in "${HOSTS[@]}"; do # shellcheck disable=SC2068 (ssh "${host}" -- $@ 2>&1| sed -e "s/^/${host} | /") & PIDS+=($!) done wait "${PIDS[@]}" ================================================ FILE: macs/mac-update ================================================ #!/usr/bin/env bash PIDS=() update() { local HOST=${1} local PROFILE=${2} (ssh "$HOST" -- sudo darwin-rebuild switch --flake "github:nixos/infra" 2>&1| sed -e "s/^/${HOST} | /") & PIDS+=($!) 
} update hetzner@enormous-catfish.mac.nixos.org update hetzner@growing-jennet.mac.nixos.org update hetzner@intense-heron.mac.nixos.org update hetzner@maximum-snail.mac.nixos.org update hetzner@sweeping-filly.mac.nixos.org update customer@eager-heisenberg.mac.nixos.org update customer@kind-lumiere.mac.nixos.org update root@norwegian-blue.mac.nixos.org wait "${PIDS[@]}" ================================================ FILE: macs/profiles/m1.nix ================================================ { # 8 Cores, 16 GB RAM, 256 GB Disk # split into 4 jobs with 2C/4G nix.settings = { cores = 2; max-jobs = 4; }; } ================================================ FILE: macs/profiles/m2.large.nix ================================================ { # 8 Cores, 24 GB RAM, 1 TB Disk # split into 2 jobs with 4C/12G nix.settings = { cores = 4; max-jobs = 2; system-features = [ "big-parallel" ]; }; } ================================================ FILE: metrics/fastly/README.md ================================================ # Fastly log processing This flake provides a systemd timer (`./cron.sh`) that every week: - Ingests raw Fastly logs for {cache,channels,tarballs,releases}.nixos.org (which are very big) and aggregates them into a smaller AWS Athena database. This is performed by `./ingest-raw-logs.sh`. - Runs a number of SQL queries against the Athena database and stores them in S3. This is performed by `./run-queries.sh`. ## AWS Athena database The Athena database is stored in the NixOS Foundation AWS account. To get the schema, run ``` # aws athena list-table-metadata --region eu-west-1 --catalog-name AwsDataCatalog --database-name default ``` It has the following external tables: - `requests`: An external table. These are the raw fastly logs stored in s3://fastly-logs-20220622145016462800000001/ as compressed JSON records. Note that this bucket has a lifecycle rule that moves logs to Glacier after a few weeks. Logs in Glacier are not processed by Athena. 
- `asn_list`: A list of ASNs. This can be updated by running `./update-asn-list.sh`. - `hosting_asns`: A list of ASNs belonging to hosting/cloud providers. - `all_paths`: The set of all store paths known in the hydra.nixos.org database. This is used to expand the hash part of `.narinfo` requests (e.g. `8kbx6s9nn7060zsdms3br0mk7bjrvbij`) to store paths (e.g. `/nix/store/8kbx6s9nn7060zsdms3br0mk7bjrvbij-coreutils-full-9.0`). FIXME: describe how to update. - `release_paths`: All the store paths belonging to NixOS evals in hydra.nixos.org, as `{project, jobset, eval, release_name, build, output, path}` tuples. FIXME: describe how to update. The ingestion script populates the following tables stored in s3://nixos-athena/fastly-logs-processed/: - `urls`: For each host/day/url, the total number of requests, bytes and elapsed microseconds. This only includes info about successful (2xx/3xx) requests. - `clients`: For each host/day/ASN/country/region, the total number of requests, bytes and elapsed microseconds. - `nix_cache_info`: For each day/ASN/country/region/user-agent, the number of requests for `nix-cache-info`. ## Reports Currently the following reports are created every week: - http://nixos-metrics.s3-website-eu-west-1.amazonaws.com/latest/traffic-per-day.csv For each day and site, the number of requests and the number of bytes transferred. - http://nixos-metrics.s3-website-eu-west-1.amazonaws.com/latest/traffic-per-country.csv For each country, the number of requests and the number of bytes transferred. - http://nixos-metrics.s3-website-eu-west-1.amazonaws.com/latest/cache-info-requests-per-day.csv For each day, the number of requests for https://cache.nixos.org/nix-cache-info. - http://nixos-metrics.s3-website-eu-west-1.amazonaws.com/latest/cache-info-requests-per-day-not-hosted.csv The same, but with requests from "hosting" ASNs (e.g. AWS and Hetzner) filtered out.
Note that Nix caches `nix-cache-info` file for a week, so the intent of this report is to gauge the number of active weekly users. - http://nixos-metrics.s3-website-eu-west-1.amazonaws.com/latest/cache-info-requests-per-day-per-ua.csv For each day and user agent (e.g. `Nix/2.12.0`), the number of requests for https://cache.nixos.org/nix-cache-info. This is intended to track the adoption of Nix releases. - http://nixos-metrics.s3-website-eu-west-1.amazonaws.com/latest/flake-registry-requests-per-day.csv For each day, the number of requests for https://channels.nixos.org/flake-registry.json. This is intended to track how widely flakes are used. - http://nixos-metrics.s3-website-eu-west-1.amazonaws.com/latest/top-store-paths.csv For each store path listed in `all_paths`, the number of requests for its `.narinfo` file. - http://nixos-metrics.s3-website-eu-west-1.amazonaws.com/latest/narinfo-queries-per-release.csv For each major NixOS release (e.g. `nixos-22.05`), the number of requests for `.narinfo` files of store paths that are part of an eval of that release. - http://nixos-metrics.s3-website-eu-west-1.amazonaws.com/latest/nix-installer-downloads.csv For each day, the number of downloads of the Nix installer (i.e. `https://releases.nixos.org/nix/nix-[^/]+/install`). - http://nixos-metrics.s3-website-eu-west-1.amazonaws.com/latest/nix-installer-architectures.csv For each architecture (e.g. `x86_64-linux`), the number of downloads of the Nix binary tarball. ================================================ FILE: metrics/fastly/cron.sh ================================================ #!/usr/bin/env bash set -e export AWS_PROFILE=nixos-org now=$(date +%s) #now=$((now - 86400)) prev_week=$((now / 86400 / 7)) from_date_incl=$(date +%F --date="@$((prev_week * 86400 * 7 - 2 * 86400))") to_date_incl=$(date +%F --date="@$((prev_week * 86400 * 7 + 5 * 86400))") echo "Ingesting [$from_date_incl, $to_date_incl)." 
marker="$HOME/weeks-done/$prev_week" if [[ -e $marker ]]; then echo "Already done!" exit 0 fi mkdir -p "$(dirname "$marker")" touch "$marker" ./ingest-raw-logs.sh "$from_date_incl" "$to_date_incl" ./run-queries.sh ================================================ FILE: metrics/fastly/flake.nix ================================================ { outputs = { }: { nixosModules.nix-metrics = { pkgs, ... }: { users.users.nix-metrics = { isNormalUser = true; description = "Nix Metrics Collection"; }; systemd.services.process-raw-nix-logs = { description = "Process Raw nixos.org Logs"; serviceConfig.Type = "oneshot"; serviceConfig.User = "nix-metrics"; path = [ pkgs.awscli pkgs.jq ]; script = '' cd ${./.} ./cron.sh ''; startAt = "Tue 07:30"; }; }; }; } ================================================ FILE: metrics/fastly/ingest-raw-logs.sh ================================================ #!/usr/bin/env bash set -e region=eu-west-1 from_date_incl="$1" to_date_excl="$2" [[ -n $from_date_incl ]] [[ -n $to_date_excl ]] run_query() { local name="$1" local query="$2" res=$(aws athena start-query-execution \ --region $region \ --result-configuration "OutputLocation=s3://nixos-athena/ingestion/$name/" \ --query-string "$query") execution_id="$(printf "%s" "$res" | jq -r -e .QueryExecutionId)" [[ -n $execution_id ]] echo "Started query $name as $execution_id." printf "Waiting..." while true; do res="$(aws athena get-query-execution --region $region --query-execution-id "$execution_id")" status="$(printf %s "$res" | jq -r -e .QueryExecution.Status.State)" if [[ $status == RUNNING || $status == QUEUED ]]; then printf "." 
sleep 1 continue fi if [[ $status == SUCCEEDED ]]; then printf " done.\n" break fi printf "\nFailed: %s (%s)\n" "$status" "$res" exit 1 done } run_query fill-urls \ " insert into urls with requests2 as (select *, date_format(date_parse(timestamp, '%Y-%m-%dT%T+0000'), '%Y-%m-%d') as day from requests) select url, count(*) as nr, sum(response_body_size) as total_bytes, sum(elapsed_usec) as total_elapsed, host, day from requests2 where (response_status >= '200' and response_status <= '399') and (day >= '$from_date_incl' and day < '$to_date_excl') group by host, day, url; " run_query fill-nix-cache-info \ " insert into nix_cache_info with requests2 as (select *, date_format(date_parse(timestamp, '%Y-%m-%dT%T+0000'), '%Y-%m-%d') as day from requests) select count(*) as nr, asn, geo_country, geo_region, request_user_agent, day from requests2 where host = 'cache.nixos.org' and url = '/nix-cache-info' and (day >= '$from_date_incl' and day < '$to_date_excl') group by day, asn, geo_country, geo_region, request_user_agent; " run_query fill-clients \ " insert into clients with requests2 as (select *, date_format(date_parse(timestamp, '%Y-%m-%dT%T+0000'), '%Y-%m-%d') as day from requests) select asn, geo_country, geo_region, count(*) as nr, sum(response_body_size) as total_bytes, sum(elapsed_usec) as total_elapsed, host, day from requests2 where (day >= '$from_date_incl' and day < '$to_date_excl') group by host, day, asn, geo_country, geo_region; " ================================================ FILE: metrics/fastly/run-queries.sh ================================================ #!/usr/bin/env bash set -e region=eu-west-1 report_date="$(date +%Y-%m-%d)" run_query() { local name="$1" local query="$2" res=$(aws athena start-query-execution \ --region $region \ --result-configuration "OutputLocation=s3://nixos-metrics/$report_date/$name/" \ --query-string "$query") execution_id="$(printf "%s" "$res" | jq -r -e .QueryExecutionId)" [[ -n $execution_id ]] echo "Started query $name 
as $execution_id." redirect=latest/$name.csv aws s3api put-object \ --bucket nixos-metrics \ --key "$redirect" \ --website-redirect-location "/$report_date/$name/$execution_id.csv" >/dev/null echo "Created redirect http://nixos-metrics.s3-website-eu-west-1.amazonaws.com/$redirect." } if true; then run_query traffic-per-day \ " select day, host, sum(nr) as nr_requests, sum(total_bytes) as total_bytes from urls group by day, host order by day, host " run_query traffic-per-country \ " select geo_country, sum(nr) as nr_requests, sum(total_bytes) as total_bytes from clients group by geo_country order by total_bytes desc " run_query cache-info-requests-per-day \ " select day, sum(nr) as cache_info_requests from nix_cache_info group by day order by day " run_query cache-info-requests-per-day-not-hosted \ " select day, sum(nr) as cache_info_requests from nix_cache_info where asn not in (select asn_nr from hosting_asns) group by day order by day " run_query cache-info-requests-per-day-per-ua \ " with tmp as (select *, regexp_replace(regexp_replace(request_user_agent, '.* Nix', 'Nix'), 'pre[^ ]*', 'pre*') as cleaned_ua from nix_cache_info) select day, cleaned_ua, sum(nr) as cache_info_requests from tmp group by day, cleaned_ua order by day, cache_info_requests desc " run_query flake-registry-requests-per-day \ " select day, sum(nr) as total_requests from urls where host = 'channels.nixos.org' and url like '%/flake-registry.json' group by day order by day " run_query top-store-paths \ " select path, sum(nr) as total_requests from urls join all_paths on regexp_replace(regexp_replace(url, '.narinfo', ''), '/', '') = regexp_replace(regexp_replace(path, '/nix/store/', ''), '-.*', '') where host = 'cache.nixos.org' and url like '%.narinfo' group by path having sum(nr) > 100 order by total_requests desc " run_query narinfo-queries-per-release \ " with tmp as (select distinct path, regexp_replace(regexp_replace(regexp_replace(regexp_replace(release_name, 'pre.*', 'pre'), 'alpha.*', 
''), 'beta.*', 'beta'), '\.[0-9]+\.[0-9a-f][0-9a-f][0-9a-f][0-9a-f]+$', '') as release from release_paths) select release, sum(nr) as total_requests from urls join tmp on regexp_replace(regexp_replace(url, '.narinfo', ''), '/', '') = regexp_replace(regexp_replace(path, '/nix/store/', ''), '-.*', '') where host = 'cache.nixos.org' and url like '%.narinfo' group by release order by total_requests desc " run_query nix-installer-downloads \ " select day, sum(nr) from urls where host = 'releases.nixos.org' and regexp_like(url, '^/nix/nix-[^/]+/install$') group by day order by day " run_query nix-installer-architectures \ " select arch, sum(nr) as count from (select url, nr, regexp_replace(regexp_replace(url, '/nix/nix-[^/]+/nix-[^-]+-(rc[^-]*-)?', ''), '.tar.xz', '') as arch from urls where host = 'releases.nixos.org' and regexp_like(url, '^/nix/nix-[^/]+/nix-[^-]+-.*tar.xz$')) group by arch order by count desc " fi ================================================ FILE: metrics/fastly/update-asn-list.sh ================================================ #! /bin/sh -e curl --fail https://ftp.ripe.net/ripe/asnames/asn.txt >/tmp/asn.txt sed -e 's/^\([0-9]\+\) \(.\+\), \([A-Z][A-Z]\)$/\1\t\2\t\3/; t; d' /tmp/asn.tsv aws s3 cp /tmp/asn.tsv s3://nixos-athena/all-asns/list.tsv ================================================ FILE: modules/backup.nix ================================================ { lib, config, pkgs, ... }: let cfg = config.services.backup; mkZfsPreHook = mountpoint: '' DATASET="$(findmnt -nr -o source "${mountpoint}")" zfs snapshot -r "$DATASET@borg" # https://github.com/borgbackup/borg/issues/6652 ls ${mountpoint}/.zfs/snapshot/borg/ > /dev/null ''; mkZfsPostHook = mountpoint: '' DATASET="$(findmnt -nr -o source "${mountpoint}")" zfs destroy -r "$DATASET@borg" ''; in { options.services.backup = with lib; with types; { user = mkOption { type = str; description = '' Username for the SSH remote host. 
''; }; host = mkOption { type = str; description = '' Hostname of the SSH remote host. ''; }; hostPublicKey = mkOption { type = str; example = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw=="; description = '' Public SSH host key of the remote host. Discoverable using e.g. `ssh-keyscan`. ''; }; port = mkOption { type = port; default = 22; description = '' Port of the SSH remote host. ''; apply = toString; }; sshKey = mkOption { type = path; example = "/var/keys/ssh-key"; description = '' Path to the SSH key required to access the remote host. ''; }; secretPath = mkOption { type = path; example = "/var/keys/borg-secret"; description = '' Path to the secret used to encrypt backups in the repository. ''; }; quota = mkOption { type = nullOr str; default = null; example = "90G"; description = '' Quota for the borg repository. Useful to prevent the target disk from running full and ensuring borg keeps some space to work with. ''; }; includes = mkOption { type = listOf path; default = [ ]; description = '' Paths to include in the backup. ''; }; includesZfsDatasets = mkOption { type = listOf str; default = [ ]; description = '' ZFS datasets referenced by mountpoint to snapshot and include ''; }; excludes = mkOption { type = listOf path; default = [ ]; description = '' Paths to exclude in the backup. ''; }; preHook = mkOption { type = lines; default = ""; description = '' Shell commands to run before the backup. ''; }; postHook = mkOption { type = lines; default = ""; description = '' Shell commands to run after the backup. 
''; }; wantedUnits = mkOption { type = listOf str; default = [ ]; description = '' List of units to require before starting the backup. ''; }; }; config = lib.mkIf (cfg.includes != [ ] || cfg.includesZfsDatasets != [ ]) { programs.ssh.knownHosts."${if cfg.port != 22 then "[${cfg.host}]:${cfg.port}" else cfg.host}" = { publicKey = "${cfg.hostPublicKey}"; }; systemd.services.borgbackup-job-state = { wants = cfg.wantedUnits; after = cfg.wantedUnits; path = lib.optionals (cfg.includesZfsDatasets != [ ]) [ config.boot.zfs.package pkgs.util-linux ]; }; systemd.timers.borgbackup-job-state.timerConfig = { # Spread all backups over the day RandomizedDelaySec = "24h"; FixedRandomDelay = true; }; services.borgbackup.jobs.state = { preHook = lib.concatMapStringsSep "\n" mkZfsPreHook cfg.includesZfsDatasets; postHook = lib.concatMapStringsSep "\n" mkZfsPostHook cfg.includesZfsDatasets; # Create the repo doInit = true; # Create daily backups, but prune to a reasonable amount startAt = "daily"; prune.keep = { daily = 7; weekly = 4; monthly = 3; }; # What to backup paths = cfg.includes ++ (map (mp: "${mp}/.zfs/snapshot/borg") cfg.includesZfsDatasets); exclude = cfg.excludes; # Where to backup it to repo = "${cfg.user}@${cfg.host}:${config.networking.fqdn}"; environment.BORG_RSH = "ssh -p ${cfg.port} -i ${cfg.sshKey}"; # Ensure we don't fill up the destination disk extraInitArgs = lib.optionalString (cfg.quota != null) "--storage-quota ${cfg.quota}"; # Authenticated & encrypted, key resides in the repository encryption = { mode = "repokey-blake2"; passCommand = "cat ${cfg.secretPath}"; }; # Reduce the backup size compression = "auto,zstd"; # Show summary detailing data usage once completed extraCreateArgs = "--stats"; }; }; } ================================================ FILE: modules/common.nix ================================================ { pkgs, lib, ... 
}: with lib; { imports = [ ./backup.nix ]; time.timeZone = "UTC"; users.mutableUsers = false; users.extraUsers.root.openssh.authorizedKeys.keys = with import ../ssh-keys.nix; infra-core; nix = { settings = { cores = 0; experimental-features = [ "nix-command" "flakes" ]; }; }; environment.systemPackages = [ pkgs.git pkgs.gdb # jq is required by numtide/terraform-deploy-nixos-flakes. pkgs.jq ]; services.openssh.enable = true; } ================================================ FILE: modules/hydra-mirror.nix ================================================ { config, lib, pkgs, inputs, ... }: let channels = (import ../channels.nix).channels-with-urls; orderLib = import ../lib/service-order.nix { }; makeUpdateChannel = channelName: mainJob: { name = "update-${channelName}"; value = { description = "Update Channel ${channelName}"; path = with pkgs; [ git inputs.nixos-channel-scripts.packages.${pkgs.stdenv.hostPlatform.system}.default ]; script = '' # Hardcoded in channel scripts. dir=/home/hydra-mirror/nixpkgs-channels if ! [[ -e $dir ]]; then git clone --bare https://github.com/NixOS/nixpkgs.git $dir fi GIT_DIR=$dir git config credential.helper 'store --file=${config.age.secrets.hydra-mirror-git-credentials.path}' GIT_DIR=$dir git config remote.origin.fetch '+refs/heads/*:refs/remotes/origin/*' # FIXME: use IAM role. 
export AWS_ACCESS_KEY_ID=$(sed 's/aws_access_key_id=\(.*\)/\1/ ; t; d' ${config.age.secrets.hydra-mirror-aws-credentials.path}) export AWS_SECRET_ACCESS_KEY=$(sed 's/aws_secret_access_key=\(.*\)/\1/ ; t; d' ${config.age.secrets.hydra-mirror-aws-credentials.path}) exec mirror-nixos-branch ${channelName} https://hydra.nixos.org/job/${mainJob}/latest-finished ''; serviceConfig = { Type = "oneshot"; RemainAfterExit = false; User = "hydra-mirror"; # Allow the unit to use 80% of the system's RAM and 100% of the system's swap MemoryHigh = "80%"; }; unitConfig = { After = [ "networking.target" ]; }; environment.TMPDIR = "/home/hydra-mirror/scratch"; environment.GC_INITIAL_HEAP_SIZE = "4g"; }; }; updateJobs = orderLib.mkOrderedChain (lib.mapAttrsToList makeUpdateChannel channels); in { age.secrets.hydra-mirror-aws-credentials = { file = ../build/secrets/hydra-mirror-aws-credentials.age; owner = "hydra-mirror"; }; age.secrets.hydra-mirror-git-credentials = { file = ../build/secrets/hydra-mirror-git-credentials.age; owner = "hydra-mirror"; }; users.users.hydra-mirror = { description = "Channel mirroring user"; home = "/home/hydra-mirror"; createHome = true; isSystemUser = true; group = "hydra-mirror"; }; users.groups.hydra-mirror = { }; systemd.tmpfiles.rules = [ '' d /home/hydra-mirror/scratch 0755 hydra-mirror users 10d F /home/hydra-mirror/scratch/nixos-files.sqlite - - - 8d e /home/hydra-mirror/scratch/release-*/* - - - 1d - '' ]; systemd.services = (lib.listToAttrs updateJobs) // { "update-all-channels" = { description = "Start all channel updates."; unitConfig = { After = builtins.map (service: "${service.name}.service") updateJobs; Wants = builtins.map (service: "${service.name}.service") updateJobs; }; script = "true"; }; }; systemd.timers."update-all-channels" = { description = "Start all channel updates."; wantedBy = [ "timers.target" ]; timerConfig = { OnUnitInactiveSec = 600; OnBootSec = 900; AccuracySec = 300; }; }; } 
================================================ FILE: modules/nftables.nix ================================================ { lib, ... }: { networking.nftables = { enable = true; tables."nixos-fw".content = lib.mkBefore '' define prometheus_inet6 = { 2a01:4f9:3070:15e0::1 } define prometheus_inet4 = { 37.27.99.100 } ''; }; networking.firewall = { enable = true; # be a good network citizen and allow some debugging interactions rejectPackets = true; allowPing = true; # prevent firewall log spam from rotating the kernel ringbuffer logRefusedConnections = false; }; } ================================================ FILE: modules/prometheus/default.nix ================================================ { config, pkgs, ... }: let prometheus-nixos-exporter = pkgs.callPackage ./nixos-exporter { }; in { services.prometheus.exporters.node = { enable = true; enabledCollectors = [ "systemd" ]; extraFlags = [ "--collector.textfile.directory=/var/lib/prometheus-node-exporter-text-files" ]; openFirewall = true; firewallRules = '' ip6 saddr $prometheus_inet6 tcp dport ${toString config.services.prometheus.exporters.node.port} accept ip saddr $prometheus_inet4 tcp dport ${toString config.services.prometheus.exporters.node.port} accept ''; }; system.activationScripts.node-exporter-system-version = '' mkdir -pm 0775 /var/lib/prometheus-node-exporter-text-files cd /var/lib/prometheus-node-exporter-text-files ${./system-version-exporter.sh} | ${pkgs.moreutils}/bin/sponge system-version.prom ''; systemd.services.prometheus-nixos-exporter = { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; path = [ pkgs.nix pkgs.bash ]; serviceConfig = { Restart = "always"; RestartSec = "60s"; ExecStart = "${prometheus-nixos-exporter}/bin/prometheus-nixos-exporter"; }; }; networking.firewall.extraInputRules = '' # prometheus-nixos-exporter ip6 saddr $prometheus_inet6 tcp dport 9300 accept ip saddr $prometheus_inet4 tcp dport 9300 accept ''; services.prometheus.exporters.zfs = { enable = 
true; listenAddress = "[::]"; openFirewall = true; firewallRules = '' ip6 saddr $prometheus_inet6 tcp dport ${toString config.services.prometheus.exporters.zfs.port} accept ip saddr $prometheus_inet4 tcp dport ${toString config.services.prometheus.exporters.zfs.port} accept ''; }; } ================================================ FILE: modules/prometheus/nixos-exporter/default.nix ================================================ { python3Packages }: with python3Packages; buildPythonApplication { pname = "prometheus-nixos-exporter"; version = "0.0"; format = "pyproject"; src = ./.; nativeBuildInputs = [ setuptools ]; propagatedBuildInputs = [ packaging prometheus-client ]; } ================================================ FILE: modules/prometheus/nixos-exporter/prometheus_nixos_exporter/__main__.py ================================================ #!/usr/bin/env nix-shell #!nix-shell -i python3 -p "python3.withPackages (ps: with ps; [ prometheus-client packaging ])" import json import os import subprocess import sys import time from collections.abc import Iterator from packaging.version import Version from prometheus_client import CollectorRegistry, start_http_server from prometheus_client.core import GaugeMetricFamily class NixosSystemCollector: def __init__(self) -> None: nix_version = self.get_nix_version() # https://github.com/NixOS/nix/pull/9242 self.nix_path_info_returns_object = nix_version >= Version("2.19.0") def get_nix_version(self) -> Version: result = subprocess.run( ["nix", "--version"], stdout=subprocess.PIPE, check=False ) if result.returncode == 0: response = result.stdout.decode().strip() return Version(response.split()[-1]) print("Failed to determine nix version", file=sys.stderr) sys.exit(1) def collect(self) -> Iterator[GaugeMetricFamily]: # note: Gauges because of rollbacks. 
current_system = GaugeMetricFamily( "nixos_current_system_time_seconds", "The time the system's current generation was registered in the Nix database.", labels=["version_id"], ) current_system.add_metric( [self.get_version_id("/run/current-system")], self.get_time("/run/current-system"), ) yield current_system booted_system = GaugeMetricFamily( "nixos_booted_system_time_seconds", "The time the system's booted generation was registered in the Nix database.", labels=["version_id"], ) booted_system.add_metric( [self.get_version_id("/run/booted-system")], self.get_time("/run/booted-system"), ) yield booted_system current_system_kernel_booted = GaugeMetricFamily( "nixos_current_system_kernel_booted", "Whether the currently booted kernel matches the one in the current generation.", labels=[], ) booted_kernel = self.get_kernel_out("/run/booted-system") current_kernel = self.get_kernel_out("/run/current-system") current_system_kernel_booted.add_metric([], booted_kernel == current_kernel) yield current_system_kernel_booted def get_version_id(self, path: str) -> str: result = subprocess.run( ["bash", "-c", f"source {path}/etc/os-release; echo $VERSION_ID"], stdout=subprocess.PIPE, check=False, ) if result.returncode == 0: return result.stdout.decode("utf-8").strip() return None def get_kernel_out(self, path: str) -> str: return os.path.dirname(os.readlink(os.path.join(path, "kernel"))) def get_time(self, path: str) -> int: result = subprocess.run( ["nix", "path-info", "--json", path], stdout=subprocess.PIPE, check=False ) if result.returncode == 0: parsed = json.loads(result.stdout) if self.nix_path_info_returns_object: # nix path-info --json /run/booted-system | jq .[].registrationTime for path_info in parsed.values(): return path_info["registrationTime"] else: # nix path-info --json /run/booted-system | jq .[0].registrationTime return parsed[0]["registrationTime"] return 0 def main() -> None: registry = CollectorRegistry() registry.register(NixosSystemCollector()) # Start 
up the server to expose the metrics. start_http_server(9300, registry=registry) while True: time.sleep(100000) if __name__ == "__main__": main() ================================================ FILE: modules/prometheus/nixos-exporter/pyproject.toml ================================================ [build-system] requires = ["setuptools"] build-backend = "setuptools.build_meta" [project] name = "prometheus-nixos-exporter" version = "0.0.0" description = "Export informations about booted aund current NixOS generation" dependencies = [ "packaging", "prometheus-client", ] [project.scripts] prometheus-nixos-exporter = "prometheus_nixos_exporter.__main__:main" ================================================ FILE: modules/prometheus/system-version-exporter.sh ================================================ #!/usr/bin/env bash set -euo pipefail readonly VERSION VERSION="$(cat /run/current-system/nixos-version)" readonly CURRENT_SYSTEM_DRV CURRENT_SYSTEM_DRV="$(readlink /run/current-system)" readonly CURRENT_SYSTEM_PROFILE CURRENT_SYSTEM_PROFILE="$(find /nix/var/nix/profiles -ilname "${CURRENT_SYSTEM_DRV}")" readonly DEPLOY_TIMESTAMP DEPLOY_TIMESTAMP="$(stat -c '%y' "${CURRENT_SYSTEM_PROFILE}" | cut -c '-16')" readonly DEPLOY_SECONDS DEPLOY_SECONDS="$(stat -c '%Y' "${CURRENT_SYSTEM_PROFILE}")" echo "node_deployed{version=\"${VERSION}\",date=\"${DEPLOY_TIMESTAMP}\"} ${DEPLOY_SECONDS}" ================================================ FILE: modules/rasdaemon.nix ================================================ { config, ... 
}: { hardware.rasdaemon = { enable = true; record = true; }; services.prometheus.exporters.rasdaemon = { enable = true; enabledCollectors = [ "aer" "mce" "mc" "extlog" "devlink" "disk" ]; openFirewall = true; firewallRules = '' ip6 saddr $prometheus_inet6 tcp dport ${toString config.services.prometheus.exporters.rasdaemon.port} accept ip saddr $prometheus_inet4 tcp dport ${toString config.services.prometheus.exporters.rasdaemon.port} accept ''; }; } ================================================ FILE: modules/rfc39.nix ================================================ # This module fetches nixpkgs master and syncs the GitHub maintainer team. { config, pkgs, ... }: let rfc39Secret = f: { file = f; owner = "rfc39"; }; in { age.secrets.rfc39-credentials = rfc39Secret ../build/secrets/rfc39-credentials.age; age.secrets.rfc39-github = rfc39Secret ../build/secrets/rfc39-github.age; age.secrets.rfc39-record-push = rfc39Secret ../build/secrets/rfc39-record-push.age; users.users.rfc39 = { description = "RFC39 Maintainer Team Sync"; home = "/var/lib/rfc39-sync"; createHome = true; isSystemUser = true; group = "rfc39"; }; users.groups.rfc39 = { }; programs.ssh.knownHosts."github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl"; systemd.services.rfc39-sync = { description = "Sync the Maintainer Team "; path = [ config.nix.package pkgs.git pkgs.openssh pkgs.rfc39 ]; startAt = "*:0/30"; serviceConfig.User = "rfc39"; serviceConfig.Group = "keys"; serviceConfig.Type = "oneshot"; serviceConfig.PrivateTmp = true; script = '' set -eux export GIT_SSH_COMMAND='ssh -i ${config.age.secrets.rfc39-record-push.path}' export GIT_AUTHOR_NAME="rfc39" export GIT_AUTHOR_EMAIL="rfc39@eris" export GIT_COMMITTER_NAME="rfc39" export GIT_COMMITTER_EMAIL="rfc39@eris" recordsdir=$HOME/rfc39-record if ! 
[[ -e "$recordsdir" ]]; then git clone git@github.com:NixOS/rfc39-record.git "$recordsdir" fi cd "$recordsdir" git fetch origin --no-auto-maintenance git checkout main git reset --hard origin/main git maintenance run --auto nixpkgsdir=$HOME/nixpkgs if ! [[ -e $nixpkgsdir ]]; then git clone https://github.com/NixOS/nixpkgs.git $nixpkgsdir fi cd $nixpkgsdir git fetch origin --no-auto-maintenance git checkout origin/master git maintenance run --auto rfc39 \ --dump-metrics --metrics-delay=240 --metrics-addr=0.0.0.0:9190 \ --credentials ${config.age.secrets.rfc39-credentials.path} \ --maintainers ./maintainers/maintainer-list.nix \ sync-team NixOS 3345117 --limit 50 \ --invited-list "$recordsdir/invitations" cd "$recordsdir" if ! git diff --quiet; then git add . git commit -m "Automated team sync results." git push origin main fi ''; }; } ================================================ FILE: modules/tarball-mirror.nix ================================================ # This module mirrors most tarballs reachable from Nixpkgs's # release.nix to the content-addressed tarball cache at # tarballs.nixos.org. { config, lib, pkgs, ... }: let # Determine the NixPkgs branch to mirror from. # We take the current primary stable release. 
branches = lib.filter (p: p != null) ( lib.mapAttrsToList ( name: v: if v.variant or null == "primary" && v.status or null == "stable" then name else null ) (import ../channels.nix).channels ); branch = assert (lib.assertMsg (lib.length branches == 1) "Multiple primary releases are marked as stable"); lib.head branches; in { age.secrets.tarball-mirror-aws-credentials = { file = ../build/secrets/tarball-mirror-aws-credentials.age; owner = "tarball-mirror"; }; users.users.tarball-mirror = { description = "Nixpkgs tarball mirroring user"; home = "/home/tarball-mirror"; createHome = true; isSystemUser = true; group = "tarball-mirror"; }; users.groups.tarball-mirror = { }; systemd.services.mirror-tarballs = { description = "Mirror Nixpkgs Tarballs"; path = [ config.nix.package pkgs.git pkgs.bash ]; environment.NIX_REMOTE = "daemon"; serviceConfig.User = "tarball-mirror"; serviceConfig.Type = "oneshot"; serviceConfig.PrivateTmp = true; script = '' dir=/home/tarball-mirror/nixpkgs if ! [[ -e $dir ]]; then git clone https://github.com/NixOS/nixpkgs.git $dir fi cd $dir git remote update origin git checkout -f origin/${branch} git apply ${./tarball-mirror.patch} # FIXME: use IAM role. export AWS_ACCESS_KEY_ID=$(sed 's/aws_access_key_id=\(.*\)/\1/ ; t; d' ${config.age.secrets.tarball-mirror-aws-credentials.path}) export AWS_SECRET_ACCESS_KEY=$(sed 's/aws_secret_access_key=\(.*\)/\1/ ; t; d' ${config.age.secrets.tarball-mirror-aws-credentials.path}) NIX_PATH=nixpkgs=. ./maintainers/scripts/copy-tarballs.pl \ --expr 'import ' \ --exclude 'registry.npmjs.org|mirror://kde|mirror://xorg|mirror://kernel|mirror://hackage|mirror://gnome|mirror://apache|mirror://mozilla|pypi.python.org' ''; startAt = "05:30"; }; } ================================================ FILE: modules/tarball-mirror.patch ================================================ From 89093ba05e6f9710aa0dcb500f6226f1be80cc86 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Wed, 4 Dec 2024 09:39:04 +0100 Subject: [PATCH] copy-tarballs: drop perl bindings This hopefully makes it easier to re-write this script in a language that people understand. Because it's shelling out, it's likely slower but hopefully still fast enough for our purposes. --- maintainers/scripts/copy-tarballs.pl | 78 +++++++++++++++++++++------- 1 file changed, 58 insertions(+), 20 deletions(-) diff --git a/maintainers/scripts/copy-tarballs.pl b/maintainers/scripts/copy-tarballs.pl index 30fbac6f002d90..cb117ad2be0762 100755 --- a/maintainers/scripts/copy-tarballs.pl +++ b/maintainers/scripts/copy-tarballs.pl @@ -1,5 +1,5 @@ #! /usr/bin/env nix-shell -#! nix-shell -i perl -p perl perlPackages.NetAmazonS3 perlPackages.FileSlurp perlPackages.JSON perlPackages.LWPProtocolHttps nix nix.perl-bindings +#! nix-shell -i perl -p perl perlPackages.NetAmazonS3 perlPackages.FileSlurp perlPackages.JSON perlPackages.LWPProtocolHttps nix # This command uploads tarballs to tarballs.nixos.org, the # content-addressed cache used by fetchurl as a fallback for when 
@@ -20,14 +20,51 @@ use File::Slurp; use JSON; use Net::Amazon::S3; -use Nix::Store; - -isValidPath("/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo"); # FIXME: forces Nix::Store initialisation sub usage { die "Syntax: $0 [--dry-run] [--exclude REGEXP] [--expr EXPR | --file FILES...]\n"; } +sub computeFixedOutputPath { + my ($name, $algo, $hash) = @_; + my $expr = <<'EXPR'; +{ name, outputHashAlgo, outputHash }: +builtins.toString (derivation { + inherit name outputHashAlgo outputHash; + builder = "false"; + system = "dontcare"; + outputHashMode = "flat"; +}) +EXPR + open(my $fh, "-|", + "nix-instantiate", + "--eval", + "--strict", + "-E", $expr, + "--argstr", "name", $name, + "--argstr", "outputHashAlgo", $algo, + "--argstr", "outputHash", $hash) or die "Failed to run nix-instantiate: $!"; + + my $storePathJson = <$fh>; + chomp $storePathJson; + my $storePath = decode_json($storePathJson); + close $fh; + return $storePath; +} + +sub nixHash { + my ($algo, $base16, $path) = @_; + open(my $fh, "-|", + "nix-hash", + "--type", $algo, + "--flat", + ($base16 ? "--base16" : ()), + $path) or die "Failed to run nix-hash: $!"; + my $hash = <$fh>; + chomp $hash; + return $hash; +} + my $dryRun = 0; my $expr; my @fileNames; @@ -90,12 +127,12 @@ sub alreadyMirrored { sub uploadFile { my ($fn, $name) = @_; - my $md5_16 = hashFile("md5", 0, $fn) or die; - my $sha1_16 = hashFile("sha1", 0, $fn) or die; - my $sha256_32 = hashFile("sha256", 1, $fn) or die; - my $sha256_16 = hashFile("sha256", 0, $fn) or die; - my $sha512_32 = hashFile("sha512", 1, $fn) or die; - my $sha512_16 = hashFile("sha512", 0, $fn) or die; + my $md5_16 = nixHash("md5", 0, $fn) or die; + my $sha1_16 = nixHash("sha1", 0, $fn) or die; + my $sha256_32 = nixHash("sha256", 1, $fn) or die; + my $sha256_16 = nixHash("sha256", 0, $fn) or die; + my $sha512_32 = nixHash("sha512", 1, $fn) or die; + my $sha512_16 = nixHash("sha512", 0, $fn) or die; my $mainKey = "sha512/$sha512_16"; 
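Review bot: `nixHash` reads one line from the `nix-hash` pipe and returns without closing `$fh`, so a non-zero exit from the child is never observed. `computeFixedOutputPath` does call `close $fh`, but ignores its result. The two `nix hash convert` pipes in the later hunks at `-176,7` and `-184,11` have the same gap, and there the old backtick form at least died on empty output, whereas now an undefined `$hash` continues on to `computeFixedOutputPath`. These values become store paths and the `sha512/…` key that the file appears to be mirrored under, so a failed helper should stop the run. After each read, add `close($fh) or die "nix-hash failed (status $?)\n";` with the matching command name per call site, and in the convert blocks also `die "empty hash\n" unless defined $hash && length $hash;`.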
@@ -130,7 +167,7 @@ sub uploadFile { my $res = 0; foreach my $fn (@fileNames) { eval { - if (alreadyMirrored("sha512", hashFile("sha512", 0, $fn))) { + if (alreadyMirrored("sha512", nixHash("sha512", 0, $fn))) { print STDERR "$fn is already mirrored\n"; } else { uploadFile($fn, basename $fn); @@ -176,7 +213,9 @@ sub uploadFile { if ($hash =~ /^([a-z0-9]+)-([A-Za-z0-9+\/=]+)$/) { $algo = $1; - $hash = `nix hash to-base16 $hash` or die; + open(my $fh, "-|", "nix", "--extra-experimental-features", "nix-command", "hash", "convert", "--to", "base16", $hash) or die; + $hash = <$fh>; + close $fh; chomp $hash; } @@ -184,11 +223,13 @@ sub uploadFile { # Convert non-SRI base-64 to base-16. if ($hash =~ /^[A-Za-z0-9+\/=]+$/) { - $hash = `nix hash to-base16 --type '$algo' $hash` or die; + open(my $fh, "-|", "nix", "--extra-experimental-features", "nix-command", "hash", "convert", "--to", "base16", "--hash-algo", $algo, $hash) or die; + $hash = <$fh>; + close $fh; chomp $hash; } - my $storePath = makeFixedOutputPath(0, $algo, $hash, $name); + my $storePath = computeFixedOutputPath($name, $algo, $hash); for my $url (@$urls) { if (defined $ENV{DEBUG}) { 
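Review bot: The two conversion blocks in the hunks at `-176,7` and `-184,11` repeat the same four lines and carry no comment on why the backticks were replaced. The list-form `open` passes `$algo` and `$hash` as separate arguments rather than interpolating them into a shell command line, which the old `--type '$algo'` form depended on quoting for; where those values come from is outside the hunk, presumably the evaluated fetch attributes. A comment such as `# list-form open: arguments never reach a shell; do not fold back into backticks` above each call would keep a later rewrite from undoing that, and a small helper taking an optional algorithm would remove the duplication. The enclosing loop begins outside both hunks.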
@@ -210,18 +251,15 @@ sub uploadFile { print STDERR "mirroring $url ($storePath, $algo, $hash)...\n"; + if ($dryRun) { $mirrored++; last; } - - # Substitute the output. - if (!isValidPath($storePath)) { - system("nix-store", "-r", $storePath); - } + my $isValidPath = system("nix-store", "-r", $storePath) == 0; # Otherwise download the file using nix-prefetch-url. - if (!isValidPath($storePath)) { + if (!$isValidPath) { $ENV{QUIET} = 1; $ENV{PRINT_PATH} = 1; my $fh; ================================================ FILE: non-critical-infra/.envrc ================================================ # shellcheck shell=bash use flake .#non-critical-infra ================================================ FILE: non-critical-infra/.sops.yaml ================================================ keys: - &hexa age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x - &zimbatm age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h - &simon age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua - &caliban age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq - &umbriel age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6 - &staging-hydra age1zxcssfw5j6dwvcw25tmxs79lq40xk70h2s234hen8pkpte2qe30q9e7cy8 - &mic92 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz - &mic92-mac age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h - &Ericson2314 age1fgzf77gyah4efemnrqg4e7j0vk8fpq0uzrucepmdpsd5z7l4lgpsfq54df creation_rules: - path_regex: secrets/[^/]+.caliban key_groups: - age: - *caliban - *hexa - *zimbatm - *mic92 - *mic92-mac - path_regex: secrets/[^/]+.umbriel key_groups: - age: - *umbriel - *hexa - *zimbatm - *mic92 - *mic92-mac # ssh keys used to bootstrap new machines - path_regex: secrets/[^/]+-hostkeys.yaml key_groups: - age: - *mic92 - *mic92-mac - *hexa - *zimbatm - *staging-hydra - path_regex: secrets/[^/]+.staging-hydra key_groups: - age: - *staging-hydra - *mic92 - *mic92-mac - *hexa - *zimbatm - *simon - *Ericson2314 
================================================ FILE: non-critical-infra/README.md ================================================ # Non-critical-infra This folder of the repository contains all files related to the non-critical infra team. Machines managed by this configuration are distinct from the ones used in the rest of this repository and are used to host services useful to the general Nix/NixOS community. ## For the users ### I would like my project hosted by this infrastructure Open a PR or an issue, and members of the infra team will tell you if this infrastructure is suitable for the project! ### I would like to join the team Come and talk to us on Matrix: #infra:nixos.org ## For the contributors ### Secret access Secret access is on a "need to have" basis. If you think you need access to the secrets, please add your key to the `.sops.yaml` file in a PR and ping people who already have access so that they can run the `updatekeys` command; until they do, the existing secrets remain encrypted only for the previous set of keys. ================================================ FILE: non-critical-infra/colmena.sh ================================================ #!/usr/bin/env bash set -euo pipefail cd "$(dirname "$0")" colmena apply "$@" ================================================ FILE: non-critical-infra/flake-module.nix ================================================ { inputs, lib, ... }: { colmena.hosts = { caliban = { }; umbriel = { }; staging-hydra = { }; }; flake = let importConfig = path: (lib.mapAttrs (name: _value: import (path + "/${name}/default.nix")) ( lib.filterAttrs (_: v: v == "directory") (builtins.readDir path) )); in { nixosConfigurations = builtins.mapAttrs ( _name: value: inputs.nixpkgs.lib.nixosSystem { inherit lib; system = "x86_64-linux"; specialArgs = { inherit inputs; }; modules = [ value inputs.disko.nixosModules.disko inputs.sops-nix.nixosModules.sops ]; extraModules = [ inputs.colmena.nixosModules.deploymentOptions ]; } ) (importConfig ./hosts); }; perSystem = { inputs', pkgs, ...
}: { packages.encrypt-email = pkgs.callPackage ./packages/encrypt-email { }; devShells.non-critical-infra = pkgs.mkShellNoCC { packages = [ inputs'.colmena.packages.colmena pkgs.sops pkgs.ssh-to-age ]; }; }; } ================================================ FILE: non-critical-infra/hosts/caliban/default.nix ================================================ { config, inputs, lib, ... }: { imports = [ ./hardware.nix inputs.srvos.nixosModules.server inputs.srvos.nixosModules.hardware-hetzner-online-amd ../../../modules/rasdaemon.nix ../../modules/common.nix ../../modules/draupnir.nix ../../modules/backup.nix ../../modules/element-web.nix ../../modules/limesurvey.nix ../../modules/matrix-synapse.nix ../../modules/owncast.nix ../../modules/vaultwarden.nix ./nixpkgs-swh.nix ]; fileSystems."/boot-1" = { device = "/dev/disk/by-uuid/9299-8E8E"; fsType = "vfat"; }; fileSystems."/boot-2" = { device = "/dev/disk/by-uuid/9297-573C"; fsType = "vfat"; }; # Bootloader. boot.loader.grub.enable = true; boot.loader.grub.mirroredBoots = lib.mkForce [ { path = "/boot-1"; devices = [ "/dev/disk/by-id/nvme-SAMSUNG_MZQL23T8HCLS-00A07_S64HNJ0T508051" ]; } { path = "/boot-2"; devices = [ "/dev/disk/by-id/nvme-SAMSUNG_MZQL23T8HCLS-00A07_S64HNJ0T508053" ]; } ]; networking = { hostName = "caliban"; domain = "nixos.org"; hostId = "745b334a"; }; disko.devices = import ./disko.nix; networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedUDPPorts = [ ]; systemd.network.networks."10-uplink".networkConfig.Address = "2a01:4f9:5a:186c::2"; sops.secrets.storagebox-ssh-key = { sopsFile = ../../secrets/storagebox-ssh-key.caliban; format = "binary"; path = "/var/keys/storagebox-ssh-key"; mode = "0600"; owner = "root"; group = "root"; }; sops.secrets.backup-secret = { sopsFile = ../../secrets/backup-secret.caliban; format = "binary"; path = "/var/keys/borg-secret"; mode = "0600"; owner = "root"; group = "root"; }; services.backup = { user = "u391032-sub3"; host = 
"u391032-sub3.your-storagebox.de"; hostPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs"; port = 23; sshKey = config.sops.secrets.storagebox-ssh-key.path; secretPath = config.sops.secrets.backup-secret.path; }; system.stateVersion = "23.05"; } ================================================ FILE: non-critical-infra/hosts/caliban/disko.nix ================================================ let partitions = { grub = { priority = 1; start = "0"; end = "1M"; type = "EF02"; }; boot = { priority = 2; name = "boot"; start = "1M"; end = "1G"; content = { type = "filesystem"; format = "vfat"; }; }; root = { priority = 3; start = "1G"; end = "100%"; content = { type = "zfs"; pool = "zroot"; }; }; }; in { disk = { nvme0n1 = { type = "disk"; device = "/dev/nvme0n1"; content = { type = "gpt"; inherit partitions; }; }; nvme1n1 = { type = "disk"; device = "/dev/nvme1n1"; content = { type = "gpt"; inherit partitions; }; }; }; zpool = { zroot = { type = "zpool"; mode = "mirror"; rootFsOptions = { compression = "lz4"; "com.sun:auto-snapshot" = "true"; mountpoint = "none"; }; datasets = { "root" = { type = "zfs_fs"; options.mountpoint = "none"; mountpoint = null; }; "root/nixos" = { type = "zfs_fs"; options.mountpoint = "/"; mountpoint = "/"; }; }; }; }; } ================================================ FILE: non-critical-infra/hosts/caliban/hardware.nix ================================================ { config, lib, ... }: { boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; swapDevices = [ ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } ================================================ FILE: non-critical-infra/hosts/caliban/nixpkgs-swh.nix ================================================ { inputs, config, ... 
}: { imports = [ inputs.nixpkgs-swh.nixosModules.nixpkgs-swh ]; services = { nixpkgs-swh = { enable = true; }; nginx = { enable = true; virtualHosts = { "nixpkgs-swh.nixos.org" = { enableACME = true; forceSSL = true; locations."/" = { root = config.services.nixpkgs-swh.outputDir; extraConfig = '' autoindex on; ''; }; }; }; }; }; } ================================================ FILE: non-critical-infra/hosts/staging-hydra/bootstrap-staging-hydra.sh ================================================ #!/usr/bin/env bash # Bootstrap staging-hydra on nixos.lysator.liu.se (130.236.254.207). # # WARNING: nixos-anywhere will WIPE all disks. Only use this for a fresh # install. For regular deployments use colmena: # colmena apply --on staging-hydra set -euo pipefail tmpDir=$(mktemp -d) sshDir="$tmpDir/etc/ssh" mkdir -p "$sshDir" trap 'rm -rf "$tmpDir"' EXIT SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)" keys=( ssh_host_ed25519_key ssh_host_ed25519_key_pub ssh_host_rsa_key ssh_host_rsa_key_pub ) for keyname in "${keys[@]}"; do if [[ $keyname == *.pub ]]; then umask 0133 else umask 0177 fi sops --extract '["'"$keyname"'"]' --decrypt "$SCRIPT_DIR/../../secrets/staging-hydra-hostkeys.yaml" >"$sshDir/$keyname" done nix run nixpkgs#nixos-anywhere -- --extra-files "$tmpDir" -f .#staging-hydra nixos@nixos.lysator.liu.se ================================================ FILE: non-critical-infra/hosts/staging-hydra/ca.crt ================================================ -----BEGIN CERTIFICATE----- MIIBnTCCAU+gAwIBAgIUQpxYsPwAyTY70yYO9fcCmCaZreIwBQYDK2VwMEMxCzAJ BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt cXVldWUtcnVubmVyLWNhMCAXDTI1MDczMTEyMDQxN1oYDzIwNzUwNzE5MTIwNDE3 WjBDMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExHjAcBgNVBAMM FWh5ZHJhLXF1ZXVlLXJ1bm5lci1jYTAqMAUGAytlcAMhAM+Mc/XSTXwJeWPxrpqo SPT5Xwi8/j85VO6TsfBlXFt4o1MwUTAdBgNVHQ4EFgQU0wQG6BxTKtYwlywuyD0a Vr/1r4gwHwYDVR0jBBgwFoAU0wQG6BxTKtYwlywuyD0aVr/1r4gwDwYDVR0TAQH/ 
BAUwAwEB/zAFBgMrZXADQQA3BRP2+TkkDQPnPy6MQyDCxqfEeV6OQjtspSvCO0UL GWmfvzrlUQytwTFTPfVzaErbyVPbeYU5y8rmRoGPNSoI -----END CERTIFICATE----- ================================================ FILE: non-critical-infra/hosts/staging-hydra/default.nix ================================================ { inputs, ... }: { imports = [ ./hardware.nix inputs.srvos.nixosModules.server ../../modules/common.nix ./hydra-proxy.nix ./hydra.nix ]; nixpkgs.overlays = [ inputs.hydra-staging.overlays.default ]; disko.devices = import ./disko.nix; boot = { loader.grub = { enable = true; efiSupport = true; efiInstallAsRemovable = true; mirroredBoots = [ { devices = [ "nodev" ]; path = "/boot"; } { devices = [ "nodev" ]; path = "/boot-fallback/1"; } { devices = [ "nodev" ]; path = "/boot-fallback/2"; } ]; }; kernelParams = [ "console=tty" ]; }; networking = { hostName = "nixos"; domain = "lysator.liu.se"; hostId = "44230408"; # Needed for ZFS useDHCP = false; }; systemd.network = { enable = true; networks."10-wan" = { address = [ "130.236.254.207/24" "2001:6b0:17:f0a0::cf/64" ]; dns = [ "130.236.254.4" "130.236.254.225" "2001:6b0:17:f0a0::e1" ]; linkConfig.RequiredForOnline = "routable"; routes = [ { Gateway = "130.236.254.1"; } { Gateway = "2001:6b0:17:f0a0::1"; } ]; matchConfig.Path = "pci-0000:06:00.0"; }; }; networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedUDPPorts = [ ]; # Lysator admin account - DO NOT REMOVE users.users.lysroot = { isNormalUser = true; extraGroups = [ "wheel" ]; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF8WX07Oj1Mv9dIY6FaCdDdVQudVKJK6OSCRK8b16yzJ" ]; }; security.sudo.wheelNeedsPassword = false; # Lysator syslog forwarding services.syslog-ng = { enable = true; extraConfig = '' source s_local { system(); internal(); }; destination d_loghost { tcp("loghost.lysator.liu.se"); }; log { source(s_local); destination(d_loghost); }; ''; }; services.fail2ban.enable = true; system.stateVersion = "25.11"; 
users.users.root.openssh.authorizedKeys.keys = [ # John Ericson for working on Hydra "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdof+fSLyz3FV5t/yE9LBk/hgR8iNfdz/DRigvh4pP6+E4VPpPKSeA0a8r4CLMWvy9ZZ3Gqa04NdJnMmo8gBSIlo87JPq66GnC5QmeDJX2NLlliSeNQqUQKJ2VVcsVerz8O/RvVfvU2MIdW8VExx/DxeZbMnwRcWfUC0nby0NotWGNeS3NOcWWQq9z4E0sDSJ+QXSIMXWSeMda5sBadUK+YERTLYE/+ZVUPiXkXCmnwuRFHpZsqlRVad+kgXsZIwNEPUEqmEablg2C0NjvEbs75Yu9WUXXPJNhwaFbVXaWUM8UWO/n39jMM8aepalZbMhdFh129cAH35SjzIYjHxTP" # Conni2461 for hydra-queue-runner "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPK/3rYhlIzoPCsPK38PMdK1ivqPaJgUqWwRtmxdKZrO" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEltgDXy2aiHhkNeL4aF7P9mDcpMR9+v8zo8EKUQUNHP" # picnoir for multiple signing keys "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIPml1DaHG1i8WDEsbCCJwPRPf4wJWQAYQIYAyJh2zqMpAAAABHNzaDo=" "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEPPocCK4JCbFWshVHMgICOm61LC6V2JAXThzKjXv7TSAAAABHNzaDo=" "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEWWZ8LjNo41679gFI4Iv4YtjFxwhSbMZVsvvYYaTXdxAAAABHNzaDo= picnoir@framework" ]; zramSwap = { enable = true; memoryPercent = 150; }; } ================================================ FILE: non-critical-infra/hosts/staging-hydra/disko.nix ================================================ # Matches the existing disk layout on nixos.lysator.liu.se: # 3x 1.8T disks in raidz1 ZFS pool "tank", each with a 1G EFI partition let espPartition = mountpoint: { type = "EF00"; size = "1G"; content = { type = "filesystem"; format = "vfat"; inherit mountpoint; mountOptions = [ "fmask=0022" "dmask=0022" ]; }; }; zfsPart = { size = "100%"; content = { type = "zfs"; pool = "tank"; }; }; makeDisk = device: espMountpoint: { inherit device; type = "disk"; content = { type = "gpt"; partitions = { esp = espPartition espMountpoint; zfs = zfsPart; }; }; }; in { disk = { sda = makeDisk "/dev/disk/by-id/wwn-0x5000cca222c595d2" "/boot"; sdb = makeDisk 
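"/dev/disk/by-id/wwn-0x5000cca222c1c46e" "/boot-fallback/1"; sdc = makeDisk "/dev/disk/by-id/wwn-0x5000cca222c5c6d3" "/boot-fallback/2"; }; zpool.tank = { type = "zpool"; mode = "raidz1"; options = { ashift = "12"; }; rootFsOptions = { compression = "on"; mountpoint = "none"; acltype = "posix"; xattr = "on"; }; datasets = { "root" = { type = "zfs_fs"; mountpoint = "/"; }; "nix" = { type = "zfs_fs"; mountpoint = "/nix"; }; "var" = { type = "zfs_fs"; mountpoint = "/var"; }; "home" = { type = "zfs_fs"; mountpoint = "/home"; }; }; }; } ================================================ FILE: non-critical-infra/hosts/staging-hydra/genca.sh ================================================
#!/usr/bin/env bash
# Generate a private CA (CN hydra-queue-runner-ca), one server certificate for
# queue-runner.staging-hydra.nixos.org, and one client certificate per entry in
# $hosts (CN hydra-queue-builder-<host>). All output goes into a new
# timestamped directory below the current working directory.

# Stop at the first failing command. Without this a failed openssl step leaves
# a directory that looks complete, and a failed mkdir (directory left over from
# a run in the same minute) would let the script cd into the old directory and
# overwrite the ca.key stored there.
set -euo pipefail
set -x

# ca.key, server.key and client-*.key are private keys; keep the output
# directory and every file in it accessible to the invoking user only.
umask 077

hosts="localhost ofborg-eval02 ofborg-eval03 ofborg-eval04 ofborg-build01 ofborg-build02 ofborg-build03 ofborg-build04 ofborg-build05"
C="DE"
O="NixOS Infra"

newDir="$(date '+%Y-%m-%dT%H:%M')"
mkdir "${newDir}"
cd "${newDir}" || exit

# Self-signed CA. -days 18250 is roughly 50 years, and the same lifetime is
# used for every certificate issued below.
# NOTE(review): no revocation mechanism is visible in this script; confirm how
# a leaked client key would be invalidated short of rotating the CA.
openssl genpkey -algorithm Ed25519 -out ca.key
openssl req -x509 -new -nodes -key ca.key -sha256 -days 18250 -out ca.crt \
  -subj "/C=${C}/O=${O}/CN=hydra-queue-runner-ca"

# Request/extension config for the server certificate. The heredoc is
# unquoted on purpose so that ${C} and ${O} are expanded.
cat <<EOF >server.cnf
[req]
prompt = no
x509_extensions = v3_req
req_extensions = v3_req
default_md = sha256
distinguished_name = req_distinguished_name

[req_distinguished_name]
C = ${C}
O = ${O}
CN = queue-runner.staging-hydra.nixos.org

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = critical, serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = queue-runner.staging-hydra.nixos.org
EOF

openssl genpkey -algorithm Ed25519 -out server.key
openssl req -new -key server.key -out server.csr -config server.cnf
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 18250 -sha256 -extfile server.cnf -extensions v3_req

# One key pair and certificate per builder host.
# NOTE(review): the client certificates are signed without -extfile/-extensions,
# so they carry no extendedKeyUsage restriction; confirm that is intended.
for host in ${hosts}; do
  openssl genpkey -algorithm Ed25519 -out "client-${host}.key"
  openssl req -new -key "client-${host}.key" -out "client-${host}.csr" \
    -subj "/C=${C}/O=${O}/CN=hydra-queue-builder-${host}"
  openssl x509 -req -in "client-${host}.csr" -CA ca.crt -CAkey ca.key -CAcreateserial -out "client-${host}.crt" -days 18250 -sha256
done

# Remove intermediate files; only keys and certificates are kept.
rm -rf -- *.csr *.srl
rm server.cnf
cd - || exit
================================================ FILE: non-critical-infra/hosts/staging-hydra/hardware.nix ================================================ { config, lib, modulesPath, ... }: { imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; swapDevices = [ ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } ================================================ FILE: non-critical-infra/hosts/staging-hydra/hydra-proxy.nix ================================================ { config, lib, pkgs, ... }: let bannedUserAgentPatterns = [ "Trident/" "Android\\s[123456789]\\." "iPod" "iPad\\sOS\\s" "iPhone\\sOS\\s[23456789]" "Opera/[89]" "(Chrome|CriOS)/(\\d\\d?\\.|1[01]|12[4])" "(Firefox|FxiOS)/(\\d\\d?\\.|1[01]|12[012345679]\\.)" "PPC\\sMac\\sOS" "Windows\\sCE" "Windows\\s95" "Windows\\s98" "Windows\\sNT\\s[12345]\\."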
]; in { networking.firewall.allowedTCPPorts = [ 80 443 ]; services.nginx = { enable = true; enableReload = true; recommendedBrotliSettings = true; recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; proxyTimeout = "900s"; appendConfig = '' worker_processes auto; ''; eventsConfig = '' worker_connections 1024; ''; appendHttpConfig = '' map $http_user_agent $badagent { default 0; ${lib.concatMapStringsSep "\n" (pattern: '' ~${pattern} 1; '') bannedUserAgentPatterns} } ''; # Plain HTTP access via lysator hostname (no ACME since we don't control the domain) virtualHosts."nixos.lysator.liu.se" = { locations."/" = { proxyPass = "http://127.0.0.1:3000"; }; }; virtualHosts."staging-hydra.nixos.org" = { forceSSL = true; enableACME = true; extraConfig = '' error_page 502 /502.html; error_page 503 /503.html; location ~ /(502|503).html { root ${../../../build/nginx-error-pages}; internal; } ''; # Ask robots not to scrape hydra, it has various expensive endpoints locations."=/robots.txt".alias = pkgs.writeText "hydra.nixos.org-robots.txt" '' User-agent: * Disallow: / Allow: /$ ''; locations."/" = { proxyPass = "http://127.0.0.1:3000"; extraConfig = '' if ($badagent) { access_log /var/log/nginx/abuse.log; return 403; } ''; }; locations."/static/" = { alias = "${config.services.hydra-dev.package}/libexec/hydra/root/static/"; }; }; }; } ================================================ FILE: non-critical-infra/hosts/staging-hydra/hydra.nix ================================================ { lib, pkgs, config, inputs, ... 
}: let narCache = "/var/cache/hydra/nar-cache"; localSystems = [ "builtin" config.nixpkgs.hostPlatform.system ]; in { imports = [ inputs.hydra-staging.nixosModules.web-app inputs.hydra-staging.nixosModules.queue-runner ]; networking.firewall.allowedTCPPorts = [ 9198 # queue-runnner metrics 9199 # hydra-notify metrics ]; services.postgresql.settings = { log_min_duration_statement = 5000; log_duration = "off"; log_statement = "none"; max_connections = 500; work_mem = "20MB"; maintenance_work_mem = "2GB"; }; # garbage collection nix.gc = { automatic = true; options = ''--max-freed "$((400 * 1024**3 - 1024 * $(df -P -k /nix/store | tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))"''; dates = "03,09,15,21:15"; }; nix.settings = { # gc outputs as well, since they are served from the cache gc-keep-outputs = lib.mkForce false; allowed-users = [ "hydra" "hydra-www" ]; }; # Don't rate-limit the journal. services.journald.rateLimitBurst = 0; sops.secrets = { signing-key = { sopsFile = ../../secrets/signing-key.staging-hydra; format = "binary"; owner = config.systemd.services.hydra-queue-runner-dev.serviceConfig.User; }; hydra-aws-credentials = { sopsFile = ../../secrets/hydra-aws-credentials.staging-hydra; format = "binary"; owner = config.systemd.services.hydra-queue-runner-dev.serviceConfig.User; }; }; services = { hydra-dev = { enable = true; package = pkgs.hydra; buildMachinesFiles = [ (pkgs.writeText "local" '' localhost ${lib.concatStringsSep "," localSystems} - 3 1 ${lib.concatStringsSep "," config.nix.settings.system-features} - - '') ]; logo = ../../../build/hydra-logo.png; hydraURL = "https://hydra.nixos.org"; notificationSender = "edolstra@gmail.com"; smtpHost = "localhost"; useSubstitutes = true; extraConfig = '' max_servers 30 store_uri = s3://nix-cache-staging?secret-key=${config.sops.secrets.signing-key.path}&ls-compression=br&log-compression=br server_store_uri = https://cache-staging.nixos.org?local-nar-cache=${narCache} binary_cache_public_uri = 
https://cache-staging.nixos.org cache_size = 32m # patchelf:master:3 xxx-jobset-repeats = nixos:reproducibility:1 upload_logs_to_binary_cache = true compress_build_logs = false # conflicts with upload_logs_to_binary_cache log_prefix = https://cache.nixos.org/ evaluator_workers = 4 evaluator_max_memory_size = 4096 queue_runner_endpoint = http://localhost:8080 max_concurrent_evals = 1 max_unsupported_time = 86400 allow_import_from_derivation = false max_output_size = 3821225472 # 3 << 30 + 600000000 = 3 GiB + 0.6 GB max_db_connections = 50 queue_runner_metrics_address = [::]:9198 listen_address = 0.0.0.0 port = 9199 ''; }; hydra-queue-runner-dev = { enable = true; awsCredentialsFile = config.sops.secrets.hydra-aws-credentials.path; settings = { queueTriggerTimerInS = 300; concurrentUploadLimit = 2; remoteStoreAddr = [ "s3://nix-cache-staging?secret-key=${config.sops.secrets.signing-key.path}&ls-compression=br&log-compression=br" ]; }; }; nginx = { enable = true; virtualHosts."queue-runner.staging-hydra.nixos.org" = { extraConfig = '' ssl_client_certificate ${./ca.crt}; ssl_verify_depth 2; ssl_verify_client on; ''; sslCertificate = ./server.crt; sslCertificateKey = config.sops.secrets."queue-runner-server.key".path; onlySSL = true; locations."/".extraConfig = '' # This is necessary so that grpc connections do not get closed early # see https://stackoverflow.com/a/67805465 client_body_timeout 31536000s; client_max_body_size 0; grpc_pass grpc://[::1]:50051; grpc_read_timeout 31536000s; # 1 year in seconds grpc_send_timeout 31536000s; # 1 year in seconds grpc_socket_keepalive on; grpc_set_header Host $host; grpc_set_header X-Real-IP $remote_addr; grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; grpc_set_header X-Forwarded-Proto $scheme; grpc_set_header X-Client-DN $ssl_client_s_dn; grpc_set_header X-Client-Cert $ssl_client_escaped_cert; ''; }; }; }; sops.secrets = { "queue-runner-server.key" = { sopsFile = ../../secrets/queue-runner-server.key.staging-hydra; 
format = "binary"; owner = config.systemd.services.nginx.serviceConfig.User; }; hydra-users = { sopsFile = ../../secrets/hydra-users.staging-hydra; format = "binary"; }; }; systemd = { tmpfiles.rules = [ "d /var/cache/hydra 0755 hydra hydra - -" "d ${narCache} 0775 hydra hydra 1d -" ]; # eats memory as if it was free services = { hydra-notify.enable = false; hydra-queue-runner = { enable = false; # restarting the scheduler is very expensive restartIfChanged = false; serviceConfig = { ManagedOOMPreference = "avoid"; LimitNOFILE = 65535; }; }; hydra-prune-build-logs = { description = "Clean up old build logs"; startAt = "weekly"; serviceConfig = { User = "hydra-queue-runner"; Group = "hydra"; ExecStart = lib.concatStringsSep " " [ (lib.getExe pkgs.findutils) "/var/lib/hydra/build-logs/" "-ignore_readdir_race" "-type" "f" "-mtime" "+${toString (3 * 365)}" # days "-delete" ]; }; }; hydra-post-init = { serviceConfig = { Type = "oneshot"; TimeoutStartSec = "60"; }; wantedBy = [ config.systemd.targets.multi-user.name ]; after = [ config.systemd.services.hydra-server.name ]; requires = [ config.systemd.services.hydra-server.name ]; environment = { inherit (config.systemd.services.hydra-init.environment) HYDRA_DBI; }; path = [ config.services.hydra.package pkgs.netcat ]; script = '' set -e while IFS=';' read -r user role passwordhash email fullname; do opts=("$user" "--role" "$role" "--password-hash" "$passwordhash") if [[ -n "$email" ]]; then opts+=("--email-address" "$email") fi if [[ -n "$fullname" ]]; then opts+=("--full-name" "$fullname") fi hydra-create-user "''${opts[@]}" done < ${config.sops.secrets.hydra-users.path} ''; }; }; }; programs.ssh = { hostKeyAlgorithms = [ "rsa-sha2-512-cert-v01@openssh.com" "ssh-ed25519" "ssh-rsa" "ecdsa-sha2-nistp256" ]; extraConfig = lib.mkAfter '' ServerAliveInterval 120 TCPKeepAlive yes ''; }; } ================================================ FILE: non-critical-infra/hosts/staging-hydra/server.crt 
================================================ -----BEGIN CERTIFICATE----- MIIB/jCCAbCgAwIBAgIUfUYjDOaJML1lIMkAMvLjnSTscYswBQYDK2VwMEMxCzAJ BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt cXVldWUtcnVubmVyLWNhMCAXDTI1MDczMTEyMDQxN1oYDzIwNzUwNzE5MTIwNDE3 WjBSMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExLTArBgNVBAMM JHF1ZXVlLXJ1bm5lci5zdGFnaW5nLWh5ZHJhLm5peG9zLm9yZzAqMAUGAytlcAMh ANVnDi5rY0Ar4hPbqRJqS+Nw7b5GTg0QxL2DM7l1xTqHo4GkMIGhMAkGA1UdEwQC MAAwCwYDVR0PBAQDAgPoMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMBMC8GA1UdEQQo MCaCJHF1ZXVlLXJ1bm5lci5zdGFnaW5nLWh5ZHJhLm5peG9zLm9yZzAdBgNVHQ4E FgQU4ArR8rzVAt6dFkSXiMUlYYAzbwUwHwYDVR0jBBgwFoAU0wQG6BxTKtYwlywu yD0aVr/1r4gwBQYDK2VwA0EAScS72oaQ8PcYpH26FuRGnKaWe4e7fQ5RmKBUyC+5 CiYIWu4D7fNGYJ15szCfh4nJIuyB0eXBv1ddAGAQMVdhDw== -----END CERTIFICATE----- ================================================ FILE: non-critical-infra/hosts/umbriel/README.md ================================================ # `umbriel` ================================================ FILE: non-critical-infra/hosts/umbriel/default.nix ================================================ { config, inputs, lib, ... }: { imports = [ ./hardware.nix inputs.srvos.nixosModules.server inputs.srvos.nixosModules.hardware-hetzner-cloud-arm ../../modules/common.nix ../../modules/backup.nix ../../modules/mailserver ]; # Bootloader. 
boot.loader.systemd-boot.enable = true; boot.loader.timeout = lib.mkForce 5; boot.loader.efi.efiSysMountPoint = "/efi"; # workaround because the console defaults to serial boot.kernelParams = [ "console=tty" ]; services.cloud-init.enable = false; networking = { hostName = "umbriel"; domain = "nixos.org"; hostId = "36d29388"; }; disko.devices = import ./disko.nix; systemd.network.networks."10-uplink" = { matchConfig.MACAddress = "96:00:02:b5:f8:99"; address = [ "37.27.20.162/32" "2a01:4f9:c011:8fb5::1/64" ]; routes = [ { Gateway = "fe80::1"; } { Gateway = "172.31.1.1"; GatewayOnLink = true; } ]; linkConfig.RequiredForOnline = "routable"; }; # How to generate: # # $ cd non-critical-infra # $ SECRET_PATH=secrets/storagebox-ssh-key.umbriel # $ ssh-keygen -t ed25519 -f "$SECRET_PATH" -P "" -C root@umbriel # $ sops encrypt --in-place "$SECRET_PATH" # $ rm "$SECRET_PATH".pub # # Next, deploy this secret, ssh to the machine and install the secret on the storagebox: # # $ ssh-keygen -f /var/keys/storagebox-ssh-key -y | ssh -o "UserKnownHostsFile=/dev/null" -p23 u391032-sub4@u391032-sub4.your-storagebox.de install-ssh-key sops.secrets.storagebox-ssh-key = { sopsFile = ../../secrets/storagebox-ssh-key.umbriel; format = "binary"; path = "/var/keys/storagebox-ssh-key"; mode = "0600"; owner = "root"; group = "root"; }; # How to generate: # # $ cd non-critical-infra # $ SECRET_PATH=secrets/backup-secret.umbriel # $ pwgen -s 64 1 > "$SECRET_PATH" # $ sops encrypt --in-place "$SECRET_PATH" sops.secrets.backup-secret = { sopsFile = ../../secrets/backup-secret.umbriel; format = "binary"; path = "/var/keys/borg-secret"; mode = "0600"; owner = "root"; group = "root"; }; services.backup = { user = "u391032-sub4"; host = "u391032-sub4.your-storagebox.de"; hostPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs"; port = 23; sshKey = config.sops.secrets.storagebox-ssh-key.path; secretPath = config.sops.secrets.backup-secret.path; }; 
system.stateVersion = "23.05"; } ================================================ FILE: non-critical-infra/hosts/umbriel/disko.nix ================================================ { disk = { main = { device = "/dev/sda"; type = "disk"; content = { type = "gpt"; partitions = { esp = { type = "EF00"; size = "1024M"; content = { type = "filesystem"; format = "vfat"; mountpoint = "/efi"; }; }; root = { size = "100%"; content = { type = "zfs"; pool = "zroot"; }; }; }; }; }; }; zpool.zroot = { type = "zpool"; options = { # smartctl --all /dev/sda # Logical block size: 512 bytes ashift = "9"; }; rootFsOptions = { acltype = "posixacl"; compression = "zstd"; mountpoint = "none"; xattr = "sa"; }; datasets = { "root" = { type = "zfs_fs"; mountpoint = "/"; }; "nix" = { type = "zfs_fs"; mountpoint = "/nix"; }; "reserved" = { type = "zfs_fs"; options = { canmount = "off"; refreservation = "1G"; }; }; }; }; } ================================================ FILE: non-critical-infra/hosts/umbriel/hardware.nix ================================================ { lib, ... }: { boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "usbhid" "sr_mod" ]; boot.initrd.kernelModules = [ "virtio_gpu" ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; swapDevices = [ ]; nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; } ================================================ FILE: non-critical-infra/modules/backup.nix ================================================ { lib, config, pkgs, ... 
}: let cfg = config.services.backup; mkZfsPreHook = mountpoint: '' DATASET="$(findmnt -nr -o source "${mountpoint}")" zfs snapshot -r "$DATASET@borg" # https://github.com/borgbackup/borg/issues/6652 ls ${mountpoint}/.zfs/snapshot/borg/ > /dev/null ''; mkZfsPostHook = mountpoint: '' DATASET="$(findmnt -nr -o source "${mountpoint}")" zfs destroy -r "$DATASET@borg" ''; in { options.services.backup = with lib; with types; { user = mkOption { type = str; description = '' Username for the SSH remote host. ''; }; host = mkOption { type = str; description = '' Hostname of the SSH remote host. ''; }; hostPublicKey = mkOption { type = str; example = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw=="; description = '' Public SSH host key of the remote host. Discoverable using e.g. `ssh-keyscan`. ''; }; port = mkOption { type = port; default = 22; description = '' Port of the SSH remote host. ''; apply = toString; }; sshKey = mkOption { type = path; example = "/var/keys/ssh-key"; description = '' Path to the SSH key required to access the remote host. ''; }; secretPath = mkOption { type = path; example = "/var/keys/borg-secret"; description = '' Path to the secret used to encrypt backups in the repository. ''; }; quota = mkOption { type = nullOr str; default = null; example = "90G"; description = '' Quota for the borg repository. Useful to prevent the target disk from running full and ensuring borg keeps some space to work with. ''; }; includes = mkOption { type = listOf path; default = [ ]; description = '' Paths to include in the backup. 
''; }; includesZfsDatasets = mkOption { type = listOf str; default = [ ]; description = '' ZFS datasets referenced by mountpoint to snapshot and include ''; }; excludes = mkOption { type = listOf path; default = [ ]; description = '' Paths to exclude in the backup. ''; }; preHook = mkOption { type = lines; default = ""; description = '' Shell commands to run before the backup. ''; }; postHook = mkOption { type = lines; default = ""; description = '' Shell commands to run after the backup. ''; }; wantedUnits = mkOption { type = listOf str; default = [ ]; description = '' List of units to require before starting the backup. ''; }; }; config = lib.mkIf (cfg.includes != [ ] || cfg.includesZfsDatasets != [ ]) { programs.ssh.knownHosts."${if cfg.port != 22 then "[${cfg.host}]:${cfg.port}" else cfg.host}" = { publicKey = "${cfg.hostPublicKey}"; }; systemd.services.borgbackup-job-state = { wants = cfg.wantedUnits; after = cfg.wantedUnits; path = lib.optionals (cfg.includesZfsDatasets != [ ]) [ config.boot.zfs.package pkgs.util-linux ]; }; systemd.timers.borgbackup-job-state.timerConfig = { # Spread all backups over the day RandomizedDelaySec = "24h"; FixedRandomDelay = true; }; services.borgbackup.jobs.state = { preHook = lib.concatMapStringsSep "\n" mkZfsPreHook cfg.includesZfsDatasets; postHook = lib.concatMapStringsSep "\n" mkZfsPostHook cfg.includesZfsDatasets; # Create the repo doInit = true; # Create daily backups, but prune to a reasonable amount startAt = "daily"; prune.keep = { daily = 7; weekly = 4; monthly = 3; }; # What to backup paths = cfg.includes ++ (map (mp: "${mp}/.zfs/snapshot/borg") cfg.includesZfsDatasets); exclude = cfg.excludes; # Where to backup it to repo = "${cfg.user}@${cfg.host}:${config.networking.fqdn}"; environment.BORG_RSH = "ssh -p ${cfg.port} -i ${cfg.sshKey}"; # Ensure we don't fill up the destination disk extraInitArgs = lib.optionalString (cfg.quota != null) "--storage-quota ${cfg.quota}"; # Authenticated & encrypted, key resides in the 
# repository
      encryption = {
        mode = "repokey-blake2";
        # The passphrase is read from a file at run time rather than being
        # embedded in this configuration.
        passCommand = "cat ${cfg.secretPath}";
      };

      # Reduce the backup size
      compression = "auto,zstd";

      # Show summary detailing data usage once completed
      extraCreateArgs = "--stats";
    };
  };
}

================================================
FILE: non-critical-infra/modules/common.nix
================================================
{ pkgs, ... }:

{
  imports = [
    ../../modules/nftables.nix
    ../../modules/prometheus
  ];

  boot.initrd.systemd.enable = true;

  time.timeZone = "UTC";

  # NOTE(review): this sets `enable` on a systemd unit named `openssh`. The
  # NixOS option that turns on the SSH daemon is `services.openssh.enable`;
  # confirm sshd is enabled elsewhere or that this line is intended.
  systemd.services.openssh.enable = true;

  # Root's authorized SSH keys are the `infra` attribute of ../../ssh-keys.nix,
  # so membership of that list is what grants root on every host importing
  # this module.
  users.users.root.openssh.authorizedKeys.keys = (import ../../ssh-keys.nix).infra;

  environment.systemPackages = with pkgs; [
    neovim
  ];

  security.acme.acceptTerms = true;
  security.acme.defaults.email = "infra@nixos.org";
}

================================================
FILE: non-critical-infra/modules/draupnir.nix
================================================
{ config, ... }:

{
  # Access token for the moderation bot, decrypted by sops; draupnir is
  # restarted when the secret changes.
  sops.secrets.mjolnir-access-token = {
    sopsFile = ../secrets/mjolnir-access-token.caliban;
    format = "binary";
    restartUnits = [ "draupnir.service" ];
  };

  services.draupnir = {
    enable = true;
    secrets = {
      # Passed as a file path, so the token itself is not part of the settings.
      accessToken = config.sops.secrets.mjolnir-access-token.path;
    };
    settings = {
      # https://github.com/the-draupnir-project/Draupnir/blob/main/config/default.yaml
      homeserverUrl = "https://matrix.nixos.org";
      managementRoom = "#draupnir:nixos.org";
      backgroundDelayMS = "10"; # snappy reactions, we don't mind the performance hit
      protectAllJoinedRooms = true;
      automaticallyRedactForReasons = [ "spam" ];
      # The report API listens on loopback only; the nginx location below
      # proxies abuse reports to it.
      web = {
        enabled = true;
        address = "127.0.0.1";
        port = 8082;
        abuseReporting.enabled = true;
      };
      displayReports = true;
    };
  };

  services.nginx.virtualHosts."matrix.nixos.org" = {
    # https://github.com/the-draupnir-project/Draupnir/blob/main/test/nginx.conf
    locations = {
      "~ ^/_matrix/client/(r0|v3)/rooms/([^/\\s]+)/report/(.*)$" = {
        extraConfig = ''
          mirror /report_mirror;
          # Abuse reports should be sent to Draupnir.
# The r0 endpoint is deprecated but still used by many clients. # As of this writing, the v3 endpoint is the up-to-date version. # Alias the regexps, to ensure that they're not rewritten. set $room_id $2; set $event_id $3; ''; proxyPass = with config.services.draupnir.settings.web; "http://${address}:${toString port}/api/1/report/$room_id/$event_id"; }; "/report_mirror" = { proxyPass = "http://matrix-synapse$request_uri"; extraConfig = '' internal; ''; }; }; }; } ================================================ FILE: non-critical-infra/modules/element-web.nix ================================================ { pkgs, ... }: let domainName = "chat.nixos.org"; # https://github.com/element-hq/element-web/blob/develop/config.sample.json elementWebConfig = { default_server_config = { "m.homeserver" = { base_url = "https://matrix.nixos.org"; server_name = "nixos.org"; }; "m.identity_server" = { base_url = "https://vector.im"; }; }; disable_custom_urls = false; disable_guests = false; disable_login_language_selector = false; disable_3pid_login = false; brand = "Element"; integrations_ui_url = "https://scalar.vector.im/"; integrations_rest_url = "https://scalar.vector.im/api"; integrations_widgets_urls = [ "https://scalar.vector.im/_matrix/integrations/v1" "https://scalar.vector.im/api" "https://scalar-staging.vector.im/_matrix/integrations/v1" "https://scalar-staging.vector.im/api" "https://scalar-staging.riot.im/scalar/api" ]; integrations_jitsi_widget_url = "https://scalar.vector.im/api/widgets/jitsi.html"; bug_report_endpoint_url = "https://riot.im/bugreports/submit"; default_country_code = "GB"; show_labs_settings = true; features = { }; default_federate = true; default_theme = "light"; roomDirectory = { servers = [ ]; }; settingDefaults = { breadcrumbs = true; }; jitsi = { preferred_domain = "meet.element.io"; }; element_call = { url = "https://call.element.io"; participant_limit = 8; brand = "Element Call"; }; map_style_url = 
"https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx"; }; in { security.acme.certs."${domainName}".reloadServices = [ "nginx.service" ]; services.nginx.virtualHosts."${domainName}" = { enableACME = true; forceSSL = true; root = pkgs.element-web.override (_old: { conf = elementWebConfig; }); }; } ================================================ FILE: non-critical-infra/modules/limesurvey.nix ================================================ { config, ... }: { services.limesurvey = { enable = true; encryptionKeyFile = config.sops.secrets.limesurvey-encryption-key.path; encryptionNonceFile = config.sops.secrets.limesurvey-encryption-nonce.path; webserver = "nginx"; nginx.virtualHost = { serverName = "survey.nixos.org"; enableACME = true; forceSSL = true; }; }; sops.secrets.limesurvey-encryption-key = { format = "binary"; sopsFile = ../secrets/limesurvey-encryption-key.caliban; }; sops.secrets.limesurvey-encryption-nonce = { format = "binary"; sopsFile = ../secrets/limesurvey-encryption-nonce.caliban; }; } ================================================ FILE: non-critical-infra/modules/mailserver/README.md ================================================ # NixOS mailserver This module provides mail services for `nixos.org`. ## Mailing lists To create a new mailing list, or change membership of a mailing list, see the instructions at the top of [`mailing-lists.nix`](./mailing-lists.nix). Some mailing lists allow login and sending email via `SMTP`. Search for `loginAccount` to find examples of this. ================================================ FILE: non-critical-infra/modules/mailserver/default.nix ================================================ { inputs, config, pkgs, ... 
}:

{
  imports = [
    inputs.simple-nixos-mailserver.nixosModule
    ./mailing-lists.nix
    ./freescout.nix
  ];

  # enabled through systemd.network.enable
  services.resolved.enable = false;

  mailserver = {
    enable = true;
    enableImap = false;
    stateVersion = 3;
    certificateScheme = "acme-nginx";

    fqdn = config.networking.fqdn;
    domains = [
      "nixcon.org"
      "nixos.org"
    ];

    srs.enable = true;
  };

  # https://nixos-mailserver.readthedocs.io/en/latest/backup-guide.html
  services.backup.includes = [ config.mailserver.mailDirectory ];

  # DKIM signing key for nixos.org; owned by rspamd with mode 0600, so no other
  # account can read it.
  sops.secrets."nixos.org.mail.key" = {
    format = "binary";
    owner = "rspamd";
    group = "rspamd";
    mode = "0600";
    # How to generate:
    #
    # ```console
    # cd non-critical-infra
    # DOMAIN=nixos.org
    # SELECTOR=mail
    # PRIVATE_KEY_PATH=secrets/$DOMAIN.$SELECTOR.key.umbriel
    # nix shell nixpkgs#opendkim --command opendkim-genkey --selector="$SELECTOR" --domain="$DOMAIN" --bits=1024
    # mv mail.private "$PRIVATE_KEY_PATH"
    # sops encrypt --in-place "$PRIVATE_KEY_PATH"
    # ```
    #
    # Next, look at `mail.txt` and update DNS accordingly.
    #
    # NOTE(review): RFC 8301 permits 1024-bit RSA only as the minimum and says
    # signers SHOULD use at least 2048 bits; consider `--bits=2048` at the next
    # key rotation (confirm the DNS provider accepts the longer TXT record).
    # Between `opendkim-genkey` and `sops encrypt` the private key sits
    # unencrypted inside the checkout, so do not stage or commit it in that
    # window.
    sopsFile = ../../secrets/nixos.org.mail.key.umbriel;
    # Ensure the file gets symlinked to where Simple NixOS Mailserver expects
    # to find it.
path = "${config.mailserver.dkimKeyDirectory}/nixos.org.mail.key"; }; sops.secrets."nixcon.org.mail.key" = { format = "binary"; owner = "rspamd"; group = "rspamd"; mode = "0600"; sopsFile = ../../secrets/nixcon.org.mail.key.umbriel; path = "${config.mailserver.dkimKeyDirectory}/nixcon.org.mail.key"; }; services.postfix.settings.main.bounce_template_file = "${pkgs.writeText "bounce-template.cf" '' failure_template = < "$SECRET_PATH" # sops encrypt --in-place "$SECRET_PATH" # ``` sops.secrets.postsrsd-secret = { format = "binary"; owner = config.services.postsrsd.user; group = config.services.postsrsd.group; sopsFile = ../../secrets/postsrsd-secret.umbriel; restartUnits = [ "postsrsd.service" ]; }; } ================================================ FILE: non-critical-infra/modules/mailserver/freescout.nix ================================================ { inputs, config, pkgs, ... }: { imports = [ inputs.freescout.nixosModules.freescout ../nginx.nix ]; services.freescout = { enable = true; package = inputs.freescout.packages.${pkgs.stdenv.hostPlatform.system}.default.overrideAttrs rec { version = "1.8.218"; src = pkgs.fetchFromGitHub { owner = "freescout-helpdesk"; repo = "freescout"; tag = version; hash = "sha256-oLbsrlvsBkZ8oa2EuByJafItuG1n2MXPrt/noAXTt94="; }; }; domain = "freescout.nixos.org"; settings.APP_KEY._secret = config.sops.secrets.freescout-app-key.path; databaseSetup = { enable = true; kind = "pgsql"; }; nginx = { forceSSL = true; enableACME = true; }; }; services.postgresqlBackup = { enable = true; databases = [ "freescout" ]; }; services.backup.includes = [ "/var/lib/freescout" config.services.postgresqlBackup.location ]; # How to generate: # # $ cd non-critical-infra # $ SECRET_PATH=secrets/freescout-app-key.umbriel # $ echo "base64:$(nix run nixpkgs#openssl -- rand -base64 32)" > "$SECRET_PATH" # $ sops encrypt --in-place "$SECRET_PATH" sops.secrets.freescout-app-key = { format = "binary"; owner = config.services.postsrsd.user; group = 
config.services.postsrsd.group;
    sopsFile = ../../secrets/freescout-app-key.umbriel;
    # NOTE(review): owner, group and restartUnits of this secret name postsrsd,
    # the same values as the `postsrsd-secret` entry in default.nix, yet the
    # key is consumed by `services.freescout.settings.APP_KEY._secret`. This
    # looks like a copy-paste; confirm which account actually needs to read
    # the key and which unit should restart when it changes.
    restartUnits = [ "postsrsd.service" ];
  };
}

================================================
FILE: non-critical-infra/modules/mailserver/mailing-lists-options.nix
================================================
# This module makes it easy to define mailing lists in `simple-nixos-mailserver`
# with a couple of features:
#
#  1. We can (optionally) encrypt the forward addresses for increased privacy.
#  2. We can set up a login account for mailing addresses to allow sending
#     email via `SMTP` from those addresses.

{ config, lib, ... }:

let
  inherit (lib) types;

  # A secret is identified by the basename of its file, so two secret files
  # with the same name in different directories would map to the same sops
  # secret.
  fileToSecretId = file: builtins.baseNameOf file;

  # Per list: the members of the alias. Plaintext addresses are used as given;
  # encrypted ones become `config.sops.placeholder.<id>` entries, so this value
  # holds placeholders rather than the addresses themselves. A list with
  # `storeEmail` set also gets its own address as a member.
  listsWithSecretPlaceholders = lib.mapAttrs' (name: mailingList: {
    name = name;
    value =
      (lib.optional (mailingList.loginAccount != null && mailingList.loginAccount.storeEmail) name)
      ++ map (
        member:
        if builtins.isString member then member else config.sops.placeholder.${fileToSecretId member}
      ) mailingList.forwardTo;
  }) config.mailing-lists;

  # Every `forwardTo` member that is a path, i.e. an encrypted address file.
  secretAddressFiles = lib.pipe config.mailing-lists [
    (lib.mapAttrsToList (_name: mailingList: mailingList.forwardTo))
    lib.flatten
    (builtins.filter (member: !builtins.isString member))
  ];

  # The encrypted password-hash file of every list that has a login account.
  secretPasswordFiles = lib.pipe config.mailing-lists [
    (lib.filterAttrs (_name: mailingList: mailingList.loginAccount != null))
    (lib.mapAttrsToList (_name: mailingList: mailingList.loginAccount.encryptedHashedPassword))
  ];
in
{
  options = {
    mailing-lists = lib.mkOption {
      type = types.attrsOf (
        types.submodule {
          options = {
            forwardTo = lib.mkOption {
              type = types.listOf (types.either types.str types.path);
              default = [ ];
              description = ''
                Either a plaintext email address, or a path to an email address
                encrypted with `nix run .#encrypt-email address`
              '';
            };
            loginAccount = lib.mkOption {
              type = types.nullOr (
                types.submodule {
                  options = {
                    encryptedHashedPassword = lib.mkOption {
                      type = types.path;
                      description = ''
                        If specified, this enables sending emails from this
address via SMTP. Must be a path to encrypted file generated with `nix run .#encrypt-email login` ''; }; storeEmail = lib.mkOption { type = types.bool; description = '' Whether to store emails sent to this mailing list in a mailbox accessible via IMAP. ''; }; }; } ); default = null; }; }; } ); description = '' Mailing lists. Supports both forward-only mailing lists, as well as mailing lists that allow sending via SMTP. ''; }; }; config = { assertions = lib.mapAttrsToList (name: mailingList: { assertion = mailingList.forwardTo != [ ] || mailingList.loginAccount != null; message = "Mailing list '${name}' must have either forwardTo addresses or a loginAccount configured"; }) config.mailing-lists; mailserver.loginAccounts = lib.pipe config.mailing-lists [ (lib.filterAttrs (_name: mailingList: mailingList.loginAccount != null)) (lib.mapAttrs ( _name: mailingList: { hashedPasswordFile = config.sops.secrets.${fileToSecretId mailingList.loginAccount.encryptedHashedPassword}.path; } )) ]; # Declare secrets for every secret file. 
sops.secrets = builtins.listToAttrs ( (map (file: { name = fileToSecretId file; value = { format = "binary"; sopsFile = file; }; }) secretAddressFiles) ++ (map (file: { name = fileToSecretId file; value = { format = "binary"; sopsFile = file; # Need to restart `dovecot2.service` to trigger `genPasswdScript` in # `nixos-mailserver`: # https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/blob/af7d3bf5daeba3fc28089b015c0dd43f06b176f2/mail-server/dovecot.nix#L369 # This could go away if sops-nix gets support for "input addressed secret # paths": https://github.com/Mic92/sops-nix/issues/648 restartUnits = [ "dovecot2.service" ]; }; }) secretPasswordFiles) ); sops.templates."postfix-virtual-mailing-lists" = { content = lib.concatStringsSep "\n" ( lib.mapAttrsToList ( name: members: "${name} ${lib.concatStringsSep ", " members}" ) listsWithSecretPlaceholders ); # Need to restart postfix-setup to rerun `postmap` and generate updated `.db` # files whenever mailing list membership changes. # This could go away if sops-nix gets support for "input addressed secret # paths": https://github.com/Mic92/sops-nix/issues/648 restartUnits = [ "postfix-setup.service" ]; }; services.postfix.mapFiles.virtual-mailing-lists = config.sops.templates."postfix-virtual-mailing-lists".path; services.postfix.settings.main.virtual_alias_maps = [ "hash:/etc/postfix/virtual-mailing-lists" ]; }; } ================================================ FILE: non-critical-infra/modules/mailserver/mailing-lists.nix ================================================ { imports = [ ./mailing-lists-options.nix ]; # If you wish to hide your email address, you can encrypt it with SOPS. Just # run `nix run .#encrypt-email address -- --help` and follow the instructions. # # If you wish to set up a login account for sending/storing email, you must generate # an encrypted password. Run `nix run .#encrypt-email login -- --help` and # follow the instructions. 
mailing-lists = { # nixcon.org "orgateam@nixcon.org" = { forwardTo = [ "nixcon@nixos.org" ]; }; # nixos.org "abuse@nixos.org" = { forwardTo = [ "infra@nixos.org" ]; }; "finance@nixos.org" = { loginAccount = { encryptedHashedPassword = ../../secrets/finance-email-login.umbriel; storeEmail = true; }; }; "hardware@nixos.org" = { forwardTo = [ "joerg.hardware@thalheim.io" ../../secrets/0x4A6F-hardware-email-address.umbriel # https://github.com/0x4A6F ../../secrets/ra33it0-email-address.umbriel # https://github.com/Ra33it0 ../../secrets/rosscomputerguy-email-address.umbriel # https://github.com/rosscomputerguy ]; loginAccount = { encryptedHashedPassword = ../../secrets/hardware-email-login.umbriel; storeEmail = true; }; }; "foundation@nixos.org" = { loginAccount = { encryptedHashedPassword = ../../secrets/foundation-email-login.umbriel; storeEmail = true; }; }; "fundraising@nixos.org" = { forwardTo = [ "foundation@nixos.org" ]; }; "hexa@nixos.org" = { forwardTo = [ ../../secrets/mweinelt-email-address.umbriel # https://github.com/mweinelt ]; loginAccount = { encryptedHashedPassword = ../../secrets/hexa-email-login.umbriel; storeEmail = false; }; }; "hostmaster@nixos.org" = { forwardTo = [ "infra@nixos.org" ]; }; "infra@nixos.org" = { forwardTo = [ ../../secrets/mweinelt-email-address.umbriel # https://github.com/mweinelt ../../secrets/zimbatm-email-address.umbriel # https://github.com/zimbatm ../../secrets/vcunat-email-address.umbriel # https://github.com/vcunat ../../secrets/edef1c-email-address.umbriel # https://github.com/edef1c ../../secrets/Mic92-email-address.umbriel # https://github.com/Mic92 ]; }; "marketing@nixos.org" = { forwardTo = [ ../../secrets/idabzo-email-address.umbriel # https://github.com/idabzo ../../secrets/avocadoom-email-address.umbriel # https://discourse.nixos.org/u/avocadoom ../../secrets/djacu-email-address.umbriel # https://discourse.nixos.org/u/djacu ../../secrets/flyfloh-email-address.umbriel # https://discourse.nixos.org/u/flyfloh ]; }; 
"moderation@nixos.org" = { forwardTo = [ ../../secrets/lassulus-email-address.umbriel # https://github.com/lassulus ../../secrets/uep-email-address.umbriel # https://discourse.nixos.org/u/uep ../../secrets/0x4A6F-moderation-email-address.umbriel # https://github.com/0x4A6F ../../secrets/aleksana-email-address.umbriel # https://github.com/aleksanaa ]; loginAccount = { encryptedHashedPassword = ../../secrets/moderation-email-login.umbriel; storeEmail = true; }; }; "elections@nixos.org" = { loginAccount = { encryptedHashedPassword = ../../secrets/elections-email-login.umbriel; storeEmail = true; }; }; "ngi@nixos.org" = { loginAccount = { encryptedHashedPassword = ../../secrets/ngi-nixos-org-email-login.umbriel; storeEmail = true; }; }; "nixpkgs-core@nixos.org" = { loginAccount = { encryptedHashedPassword = ../../secrets/nixpkgs-core-email-login.umbriel; storeEmail = true; }; }; "nixcon@nixos.org" = { loginAccount = { encryptedHashedPassword = ../../secrets/nixcon-email-login.umbriel; storeEmail = true; }; }; "cfp@nixcon.org" = { forwardTo = [ "nixcon@nixos.org" ]; }; "partnerships@nixos.org" = { forwardTo = [ "foundation@nixos.org" ]; }; "postmaster@nixos.org" = { forwardTo = [ "infra@nixos.org" ]; }; "rob@nixos.org" = { forwardTo = [ ../../secrets/rbvermaa-email-address.umbriel # https://github.com/rbvermaa ]; }; "ron@nixos.org" = { forwardTo = [ ../../secrets/refroni-email-address.umbriel # https://github.com/refroni ]; }; "security@nixos.org" = { forwardTo = [ ../../secrets/mweinelt-email-address.umbriel # https://github.com/mweinelt ../../secrets/risicle-email-address.umbriel # https://github.com/risicle ../../secrets/LeSuisse-email-address.umbriel # https://github.com/LeSuisse ]; }; "noreply-securitytracker@nixos.org" = { loginAccount = { encryptedHashedPassword = ../../secrets/securitytracker-noreply-email-login.umbriel; storeEmail = false; }; }; "sponsor@nixos.org" = { forwardTo = [ "steering@nixos.org" "foundation@nixos.org" ]; }; "steering@nixos.org" = { 
loginAccount = { encryptedHashedPassword = ../../secrets/steering-email-login.umbriel; storeEmail = true; }; }; "summer@nixos.org" = { forwardTo = [ ../../secrets/edolstra-summer-email-address.umbriel # https://github.com/edolstra ../../secrets/MMesch-email-address.umbriel # https://github.com/MMesch ../../secrets/bryanhonof-email-address.umbriel # https://github.com/bryanhonof ../../secrets/tomberek-email-address.umbriel # https://github.com/tomberek ../../secrets/gytis-ivaskevicius-email-address.umbriel # https://github.com/gytis-ivaskevicius ../../secrets/ysndr-email-address.umbriel # https://github.com/ysndr ../../secrets/DieracDelta-email-address.umbriel # https://github.com/DieracDelta ]; }; "sysadmin@nixos.org" = { forwardTo = [ ../../secrets/edolstra-admin-email-address.umbriel # https://github.com/edolstra ../../secrets/zimbatm-admin-email-address.umbriel # https://github.com/zimbatm ]; }; "webmaster@nixos.org" = { forwardTo = [ "infra@nixos.org" ]; }; "wiki@nixos.org" = { forwardTo = [ ../../secrets/lassulus-wiki-email-address.umbriel # https://github.com/lassulus ../../secrets/Mic92-wiki-email-address.umbriel # https://github.com/Mic92 ]; }; "winter@nixos.org" = { forwardTo = [ ../../secrets/winterqt-email-address.umbriel # https://github.com/winterqt ]; }; "xsa@nixos.org" = { forwardTo = [ ../../secrets/lach-xsa-email-address.umbriel # https://github.com/CertainLach ../../secrets/hehongbo-xsa-email-address.umbriel # https://github.com/hehongbo ../../secrets/sigmasquadron-xsa-email-address.umbriel # https://github.com/SigmaSquadron ]; }; }; } ================================================ FILE: non-critical-infra/modules/matrix-synapse.nix ================================================ { config, pkgs, ... 
}: { imports = [ ./nginx.nix ./postgresql.nix ]; fileSystems."/var/lib/matrix-synapse" = { device = "zroot/root/matrix-synapse"; fsType = "zfs"; options = [ "zfsutil" ]; }; services.postgresql = { ensureUsers = [ { name = "matrix-synapse"; ensureDBOwnership = true; } ]; # Insufficient to create the database with the correct collation # https://github.com/element-hq/synapse/blob/develop/docs/postgres.md#set-up-database ensureDatabases = [ "matrix-synapse" ]; }; services.postgresqlBackup.databases = [ "matrix-synapse" ]; services.redis.servers.matrix-synapse = { enable = true; }; environment.systemPackages = with pkgs; [ synadm ]; services.backup.includesZfsDatasets = [ "/var/lib/matrix-synapse" ]; sops.secrets.matrix-synapse-signing-key = { sopsFile = ../secrets/matrix-synapse-signing-key.caliban; format = "binary"; path = "/var/lib/matrix-synapse/nixos.org.signing.key"; mode = "0600"; owner = "matrix-synapse"; group = "matrix-synapse"; }; sops.secrets.matrix-synapse-secrets = { sopsFile = ../secrets/matrix-synapse-secrets.caliban; format = "binary"; path = "/var/keys/matrix-synapse-secrets.conf"; mode = "0600"; owner = "matrix-synapse"; group = "matrix-synapse"; }; systemd.services.matrix-synapse.serviceConfig.SupplementaryGroups = [ "redis-matrix-synapse" ]; services.matrix-synapse = { enable = true; enableRegistrationScript = false; # not compatible with unix sockets withJemalloc = true; extraConfigFiles = [ config.sops.secrets.matrix-synapse-secrets.path ]; # https://github.com/element-hq/synapse/blob/master/docs/usage/configuration/config_documentation.md settings = { enable_metrics = true; server_name = "nixos.org"; signing_key_path = config.sops.secrets.matrix-synapse-signing-key.path; public_baseurl = "https://matrix.nixos.org"; admin_contact = "infra@nixos.org"; web_client_location = "https://matrix.to/#/#community:nixos.org"; allow_public_rooms_over_federation = true; allow_public_rooms_without_auth = true; max_upload_size = "50M"; media_retention = { 
local_media_lifetime = "90d";
        remote_media_lifetime = "14d";
      };
      # PostgreSQL is reached over its unix socket directory, not TCP.
      database = {
        name = "psycopg2";
        args = {
          host = "/run/postgresql";
        };
      };
      redis = {
        enabled = true;
        path = config.services.redis.servers.matrix-synapse.unixSocket;
      };
      listeners = [
        # Client and federation traffic: a unix socket with mode 0660, which
        # nginx proxies to (see the upstream definition below).
        {
          type = "http";
          path = "/run/matrix-synapse/matrix-synapse.sock";
          mode = "0660";
          resources = [
            {
              compress = true;
              names = [ "client" ];
            }
            {
              compress = false;
              names = [ "federation" ];
            }
          ];
        }
        # Metrics: plain HTTP on loopback only.
        {
          type = "http";
          bind_addresses = [
            "127.0.0.1"
            "::1"
          ];
          port = 8090;
          tls = false;
          resources = [
            { names = [ "metrics" ]; }
          ];
        }
      ];
    };
  };

  # Presumably so that nginx can open the 0660 synapse socket above.
  systemd.services.nginx.serviceConfig.SupplementaryGroups = [ "matrix-synapse" ];

  services.nginx = {
    # Keep nginx's body limit equal to Synapse's upload limit.
    clientMaxBodySize = config.services.matrix-synapse.settings.max_upload_size;

    upstreams."matrix-synapse".servers = {
      "unix:/run/matrix-synapse/matrix-synapse.sock" = { };
    };

    virtualHosts."matrix.nixos.org" = {
      forceSSL = true;
      enableACME = true;

      # NOTE(review): this regex also forwards `/_synapse/admin` from the
      # public vhost. Synapse's reverse-proxy documentation advises against
      # exposing the admin API to the internet without good reason; confirm
      # this is intended.
      locations."~* ^(/_matrix|/_synapse)" = {
        proxyPass = "http://matrix-synapse";
      };

      # NOTE(review): the metrics listener binds to loopback, but this
      # location republishes it on the public vhost with no allow/deny or
      # authentication visible here; confirm access is limited elsewhere.
      locations."= /metrics" = {
        proxyPass = "http://localhost:8090/_synapse/metrics";
      };

      locations."= /" = {
        return = "301 https://matrix.to/#/#community:nixos.org";
      };
    };
  };
}

================================================
FILE: non-critical-infra/modules/nginx.nix
================================================
{
  # HTTP and HTTPS are reachable from anywhere; per-vhost settings decide what
  # is served.
  networking.firewall = {
    allowedTCPPorts = [
      80
      443
    ];
  };

  # Grant nginx access to certificates
  systemd.services.nginx.serviceConfig.SupplementaryGroups = [ "acme" ];

  # Reload nginx after certificate renewal
  security.acme.defaults.reloadServices = [ "nginx.service" ];

  services.nginx = {
    enable = true;
    enableReload = true;

    recommendedBrotliSettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
  };
}

================================================
FILE: non-critical-infra/modules/owncast.nix
================================================
{
  config,
  ...
}:

{
  imports = [ ./nginx.nix ];

  fileSystems."/var/lib/owncast" = {
    device = "zroot/root/owncast";
    fsType = "zfs";
    options = [ "zfsutil" ];
  };

  services.backup.includesZfsDatasets = [ "/var/lib/owncast" ];

  services.owncast = {
    enable = true;
    # NOTE(review): this opens ports on the host firewall in addition to the
    # nginx vhost below; confirm which ports the module exposes.
    openFirewall = true;
  };

  services.nginx.virtualHosts."live.nixos.org" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = with config.services.owncast; "http://${listen}:${toString port}";
      proxyWebsockets = true;
    };
  };
}

================================================
FILE: non-critical-infra/modules/postfix.nix
================================================
{ config, pkgs, ... }:

{
  # DKIM private key, decrypted by sops and owned by the postfix user.
  sops.secrets.opendkim-private-key = {
    sopsFile = ../secrets/opendkim-private-key.caliban;
    format = "binary";
    owner = config.services.postfix.user;
  };

  services.opendkim = {
    enable = true;
    domains = config.networking.fqdn;
    selector = "mail";
    # opendkim runs under postfix's user and group.
    inherit (config.services.postfix) user group;
    keyPath = "/run/opendkim-keys";
  };

  systemd.services.opendkim.serviceConfig = {
    # Copies the decrypted key to `<keyPath>/<selector>.private` before
    # opendkim starts. The leading `+` makes systemd run the script with full
    # privileges, which `install -o/-g` needs.
    # NOTE(review): `-m0700` gives the key file execute bits it has no use
    # for; `-m0600` would be the tighter mode.
    ExecStartPre = [
      "+${pkgs.writeShellScript "opendkim-keys" ''
        install -o ${config.services.postfix.user} -g ${config.services.postfix.group} -D -m0700 ${config.sops.secrets.opendkim-private-key.path} /run/opendkim-keys/${config.services.opendkim.selector}.private
      ''}"
    ];
  };

  services.postfix = {
    enable = true;
    settings.main = {
      myhostname = config.networking.fqdn;
      mydomain = config.networking.fqdn;
      smtp_tls_note_starttls_offer = "yes";

      # Opportunistic TLS for outgoing mail: used when the peer offers
      # STARTTLS, otherwise delivery falls back to cleartext.
      smtp_tls_security_level = "may";
      tls_medium_cipherlist = "AES128+EECDH:AES128+EDH";

      smtpd_relay_restrictions = "permit_mynetworks permit_sasl_authenticated defer_unauth_destination";
      mydestination = "localhost.$mydomain, localhost, $myhostname";
      myorigin = "$mydomain";
      # Fail-open: if the opendkim milter is unavailable, Postfix proceeds as
      # if no filter were configured, so mail can leave unsigned.
      milter_default_action = "accept";
      milter_protocol = "6";
      smtpd_milters = "unix:/run/opendkim/opendkim.sock";
      non_smtpd_milters = "unix:/run/opendkim/opendkim.sock";
      # Postfix listens on loopback only; this host submits mail locally and
      # does not accept it from the network.
      inet_interfaces = "loopback-only";
      inet_protocols = "all";
    };
  };
}
================================================ FILE: non-critical-infra/modules/postgresql.nix ================================================ { config, pkgs, ... }: { fileSystems."/var/lib/postgresql" = { device = "zroot/root/postgresql"; fsType = "zfs"; options = [ "zfsutil" ]; }; services.postgresql = { enable = true; enableJIT = true; package = pkgs.postgresql_16_jit; }; # create database dumps services.postgresqlBackup = { enable = true; compression = "zstd"; # pulled in through the backup job startAt = [ ]; }; # include postgres dumps in the backup services.backup = { includes = [ "/var/backup/postgresql" ]; wantedUnits = if config.services.postgresqlBackup.databases == [ ] then [ "postgresqlBackup.service" ] else map (db: "postgresqlBackup-${db}.service") config.services.postgresqlBackup.databases; }; } ================================================ FILE: non-critical-infra/modules/vaultwarden.nix ================================================ { config, ... }: { imports = [ ./backup.nix ./postfix.nix ]; services.vaultwarden = { enable = true; backupDir = "/var/backup/vaultwarden/"; environmentFile = "/var/lib/bitwarden_rs/vaultwarden.env"; config = { DOMAIN = "https://vault.nixos.org"; SIGNUPS_ALLOWED = false; SHOW_PASSWORD_HINT = false; ROCKET_ADDRESS = "127.0.0.1"; ROCKET_PORT = 8222; ROCKET_LOG = "critical"; SMTP_HOST = "localhost"; SMTP_PORT = 25; SMTP_SSL = false; SMTP_FROM = "vaultwarden@caliban.nixos.org"; SMTP_FROM_NAME = "NixOS Vaultwarden"; ORG_EVENTS_ENABLED = true; }; }; services.nginx = { enable = true; recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; virtualHosts."vault.nixos.org" = { forceSSL = true; enableACME = true; locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}"; }; }; }; sops.secrets = { vaultwarden-env = { sopsFile = ../secrets/vaultwarden-env.caliban; format = "binary"; path = 
"/var/lib/bitwarden_rs/vaultwarden.env"; }; }; services.backup.includes = [ config.services.vaultwarden.backupDir ]; services.fail2ban = { enable = true; jails = { vaultwarden-web = { filter = { INCLUDES.before = "common.conf"; Definition = { failregex = "^.*Username or password is incorrect. Try again. IP: . Username:.*$"; ignoreregex = ""; }; }; settings = { backend = "systemd"; port = "80,443"; filter = "vaultwarden-web[journalmatch='_SYSTEMD_UNIT=vaultwarden.service']"; banaction = "%(banaction_allports)s"; maxretry = 3; bantime = 14400; findtime = 14400; }; }; vaultwarden-admin = { filter = { INCLUDES.before = "common.conf"; Definition = { failregex = "^.*Invalid admin token. IP: .*$"; ignoreregex = ""; }; }; settings = { backend = "systemd"; port = "80,443"; filter = "vaultwarden-admin[journalmatch='_SYSTEMD_UNIT=vaultwarden.service']"; banaction = "%(banaction_allports)s"; maxretry = 3; bantime = 14400; findtime = 14400; }; }; }; }; } ================================================ FILE: non-critical-infra/packages/encrypt-email/default.nix ================================================ { lib, mkpasswd, python3, sops, }: python3.pkgs.buildPythonApplication { name = "encrypt-email"; src = ./.; format = "other"; propagatedBuildInputs = [ python3.pkgs.click ]; installPhase = '' mkdir -p $out/bin mv ./encrypt-email.py $out/bin/encrypt-email wrapProgram $out/bin/encrypt-email --prefix PATH : ${ lib.makeBinPath [ sops mkpasswd ] } ''; } ================================================ FILE: non-critical-infra/packages/encrypt-email/encrypt-email.py ================================================ #!/usr/bin/env python3 import re import subprocess import sys from pathlib import Path from textwrap import dedent, indent import click def find_project_root(start: Path) -> Path: # Can search for `flake.nix` because there are multiple in this project. 
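root_indicator = start / ".git/config" if root_indicator.exists(): return start return find_project_root(start.parent)


def find_relative_project_root() -> Path:
    """Return the project root as a path relative to the current working directory."""
    # walk_up=True lets the result contain ".." components when the current
    # directory is somewhere below the project root.
    return find_project_root(Path.cwd()).relative_to(Path.cwd(), walk_up=True)


PROJECT_ROOT = find_relative_project_root()
NON_CRITICAL_INFRA_DIR = PROJECT_ROOT / "non-critical-infra"
MAILING_LISTS_NIX = NON_CRITICAL_INFRA_DIR / "modules/mailserver/mailing-lists.nix"
# Fail at import time if the repository layout is not the one this tool expects.
assert MAILING_LISTS_NIX.exists()

# The ID is interpolated into a secret's file name and into generated Nix code,
# so it is restricted to characters that cannot form a path separator, a ".."
# component, or Nix syntax.
# Feel free to make the regex less restrictive if you need to, but keep "/",
# "." and quote characters out of it.
ADDRESS_ID_RE = re.compile("[A-Za-z0-9-]+")


def _validate_address_id(address_id: str) -> None:
    """Raise `click.ClickException` unless `address_id` fully matches `ADDRESS_ID_RE`."""
    if not ADDRESS_ID_RE.fullmatch(address_id):
        msg = f"Given ID: {address_id!r} is invalid. Must match regex: {ADDRESS_ID_RE.pattern}"
        raise click.ClickException(msg)


def encrypt_to_file(plaintext: str, secret_path: Path, force: bool) -> None:
    """
    Encrypt `plaintext` with sops and write the ciphertext to `secret_path`.

    The plaintext is handed to sops on stdin, so it is neither written to disk
    nor placed on a command line. The new file is then registered with git.

    Args:
        plaintext: The secret value to encrypt.
        secret_path: Where the encrypted file is written.
        force: Overwrite `secret_path` if it already exists.

    Raises:
        click.ClickException: `secret_path` exists and `force` is false.
        subprocess.CalledProcessError: `sops` or `git` exited non-zero.
    """
    if secret_path.exists():
        if not force:
            msg = f"Refusing to clobber existing {secret_path}. Use `--force` to override."
            raise click.ClickException(msg)
        click.secho(f"Clobbering existing {secret_path}", fg="yellow")

    # sops reads the secret from /dev/stdin; --filename-override tells it which
    # path to treat the input as.
    # check=True means a failed encryption raises before anything is written,
    # so an existing secret is not replaced by partial output.
    cp = subprocess.run(
        [
            "sops",
            "--encrypt",
            "--filename-override",
            secret_path,
            "/dev/stdin",
        ],
        cwd=secret_path.parent,
        text=True,
        check=True,
        stdout=subprocess.PIPE,
        input=plaintext,
    )
    secret_path.write_text(cp.stdout)

    # --intent-to-add records only the path, not the content; --force applies
    # even when the path matches an ignore rule.
    subprocess.run(
        ["git", "add", "--intent-to-add", "--force", "--", secret_path], check=True
    )
    click.secho(f"Successfully generated {secret_path}", fg="green")


def hash_password(plaintext: str) -> str:
    """
    Return the bcrypt hash of `plaintext` as printed by `mkpasswd`.

    The password is sent on stdin (`--stdin`), so it does not appear in the
    process arguments.

    Raises:
        subprocess.CalledProcessError: `mkpasswd` exited non-zero.
    """
    cp = subprocess.run(
        ["mkpasswd", "--stdin", "--method=bcrypt"],
        stdout=subprocess.PIPE,
        input=plaintext,
        text=True,
        check=True,
    )
    # NOTE(review): stdout is returned unmodified, so any trailing newline that
    # mkpasswd prints becomes part of the encrypted value. Confirm the consumer
    # of the secret tolerates that.
    return cp.stdout


# Entry point of the command group. Deliberately has no docstring: click would
# use it as the group's help text.
@click.group()
def main() -> None:
    pass


@main.command()
@click.argument("address_id")
@click.argument("email")
@click.option("--force/--no-force", "-f/ ", default=False)
def address(address_id: str, email: str, force: bool) -> None:
    """
    Encrypt an email address (or email addresses) for inclusion in a mailing list.

    Example:

    \b
        encrypt-email address some-token 'me@example.com,you@example.com'

    Then follow the instructions for what to do next.
    """
    _validate_address_id(address_id)

    # Make sure we aren't being given a text file that happens to have a newline at the end.
    clean_email = email.strip()
    if clean_email != email:
        click.secho("Removed whitespace surrounding given email address", fg="yellow")
        email = clean_email

    secret_path = NON_CRITICAL_INFRA_DIR / f"secrets/{address_id}-email-address.umbriel"
    encrypt_to_file(email, secret_path, force)

    # Tell the operator which path to reference, relative to the Nix module
    # that lists the mailing lists.
    click.secho()
    click.secho("Now add `", nl=False)
    click.secho(
        secret_path.relative_to(MAILING_LISTS_NIX.parent, walk_up=True),
        fg="blue",
        nl=False,
    )
    click.secho("` to the relevant mailing list in '", nl=False)
    click.secho(MAILING_LISTS_NIX, fg="blue")


@main.command()
@click.argument("address_id")
@click.option("--force/--no-force", "-f/ ", default=False)
def login(address_id: str, force: bool) -> None:
    """
    Encrypt a password to set up a login account for a mailing list.

    The password must be given via stdin.

    Example:

    \b
        encrypt-email login test-sender < file-with-password

    Then follow the instructions for what to do next.
    """
    # Same check as the `address` command: the ID becomes part of the secret's
    # file name and of the Nix snippet printed below.
    _validate_address_id(address_id)

    # Make sure we aren't being given a text file that happens to have a newline at the end.
    password = sys.stdin.read()
    clean_password = password.strip()
    if clean_password != password:
        click.secho("Removed whitespace surrounding given password", fg="yellow")
        password = clean_password

    # An empty or whitespace-only stdin would otherwise produce a valid hash of
    # the empty string and silently create a login with no password.
    if not password:
        msg = "No password was given on stdin. Refusing to create a login with an empty password."
        raise click.ClickException(msg)

    hashed_password = hash_password(password)

    secret_path = NON_CRITICAL_INFRA_DIR / f"secrets/{address_id}-email-login.umbriel"
    encrypt_to_file(hashed_password, secret_path, force)

    # Only the hash is stored, and only in sops-encrypted form; the snippet
    # below references the encrypted file by path.
    nix_code = dedent(
        f"""\
        "{address_id}@nixos.org" = {{
          forwardTo = [
            # Add emails here
          ];
          loginAccount = {{
            encryptedHashedPassword = ../../secrets/{address_id}-email-login.umbriel;
            storeEmail = false; # Set to `true` if you want to store email in a mailbox accessible via IMAP.
          }};
        }};
        """
    )

    click.secho()
    click.secho("Now add this login account to ", nl=False)
    click.secho(MAILING_LISTS_NIX, fg="blue", nl=False)
    click.secho("'. Add or edit an entry that looks like this:")
    click.secho()
    click.secho(indent(nix_code, prefix=" " * 4), fg="blue")


if __name__ == "__main__":
    main()
================================================ FILE: non-critical-infra/secrets/0x4A6F-hardware-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:T1DGBnN180XRCkkYYXsspXPcYOH6p4y39FW4xiI3,iv:zZ8gb0sXJ6nFnibFWToQqYbZqe9JT45fauWeH5by/NI=,tag:gmavcl3rCjHqfsZ0HBg9rw==,type:str]", "sops": { "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZbUlzR3AxV3lxSjNTQS9p\nSURKaFFrb1BSWCtEc1krc2ZnK01oWjRLQkJFCm56WXFRVHBxT3BpZlczSk1HaFB0\nbjlkbnpoWUtHN3JmNmxJOVlsdS9QRzgKLS0tIGFoOU9PSm1LRjlRelVMOHhTR3dl\nb01vYXhvWjNqTGVwdk90bGltQXdmb1UKiZEINoSdBjeNCivlsuXgIbFkKUGO8AX+\nzVhtVihIlNesJ2L3qrfYp48DAtLgHGOKoCLLI+lVtXRTBYx9KL+gtQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBSGJJRWRraWlQb1YvVXNv\ndk1YUllDaDBlbWpwaWw3Mkc2c0dTOHhma2hrCjNaSkpKTWh1QmYveCt3aldwcktF\nSVVwbkNmbEpMSzc1MjVTeEswYTErUEEKLS0tIHBJa2V0cFExUXFoUjIzckZZNWJz\nMkxPRFljRWFRWVh2RzRxbUh2MTM4WDAKfmGLWEiH5FRQE8wNtPdQRrw9g7FtLQVw\nqW1dJmwxT/RrKt7Cj6bfdMQMdbdaCOD2dLntrjzPWewzTUZQe7m4ng==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxUGFOWmxadkN6M3NSTW1W\nTzBJN2VGK0c3UUVxbVplYmZ5MkFpL3hGVjNnCmFnZUNoWVZnenZneEx4SjkyR1gx\nRVFEclJVMUwwUW9CN2lkckRjVEQvZWMKLS0tIHUzM3JIMVlTR21IT1Q1S3RHSTJG\na1hqUWJmbTJDYWpWOWlpRDFQNTYzMzAKNptbBbk6PmxNUvHM2WQ+5Q5LItnyGJY8\nrM+O8XQLNT/o8c7bk2a+jE67cVDrnZMVR8nZtncbZZSDw23hQ4MWJg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient":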
"age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4STJ4aGdoRGxZVDQzVjFD\nSjE0VnY2WEZBcS96czFoOHJ5YVBHRm1jV2g0CjJGNGg2WHJoU1FtOEFiRVIzTHVx\nTXZrY3dnZlBVNnFRK1J2SXU0emRFdGsKLS0tIElzWnljeERzcTZmV3lpMytLRVZC\nV2Y5cm9XSndjVDZ4bnl5MUYzUnZCbFUKN3kCadQzJyN2n2NuvuKyU5qxCPgIFUBA\nlrrFoltqzVH0xBLcbz22yJ3zhH8AJrbKswfmA11c8xs0lppWy2eQ0Q==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFckwxUmJNaXdMRXBTSVdK\nK1RWOHFBc2VRRDZ4dU4wRHNNb2ZQOHhobG1nCmIzQnBVUzY4ZkdIcmRUTU9SYlVr\nL0l2dC9Xd3ZraGJWKzNJcFY2REJMYlEKLS0tIGVSTUJNUjhzTmlKd1NNN2pIVFVv\nNzUweGtoYVhGUzhFRzRHZFU1ZlNnUVEKdNo9CNt9gmPqJ0Q8YnQJEkR6a6350cD5\nnCp0FKTqI5wVP1aITcV6KEemfK3A/fYwNThUmvAgHAnEPhFDKlq63w==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-09-03T18:13:12Z", "mac": "ENC[AES256_GCM,data:qK62+alw9neFyFERDBfjenwJQfGm+d0w0H/G9Z+6DktjaHqGObMoIy48BpUNqmWwU4J3HAiU9sRJNGt3w6kGYy69rVnVF8xHHvmyhJ9skE6L5BghOK37ZimDcbk1KYDzPE5tbAK9DBPGuyKS2Otd8incaSc3AqQ36Z4tEDkIkgg=,iv:2iC6A0qEgcqQtCBn49p75cbjwhpshFvM1gAeAQmXh8A=,tag:WI6suEwv16G0nuRhdIgxvw==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.2" } } ================================================ FILE: non-critical-infra/secrets/0x4A6F-moderation-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:jmy9KJWK16fq8Ba+N8FD4XdCPEH8hQJN36+XRmJgxXM=,iv:i6XZniBSITisyXUPA3FB8kKTgySz8YWcdK0zfWLbDC8=,tag:qH/lOwsGNeVG8G45TiFISw==,type:str]", "sops": { "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJd2FXYkhXS3lQTnlDRy8y\nNEE5d0NKaHR5QXBDYzZIeThCalkyOHJ5VUFrCnhxUWhMeEdWTzZScytSZUhMRzY2\nZXFKUkRSTUFKbzc2cXhNazVZUDZpb1EKLS0tIHR3alY1TkZCa1dsV29XYTVSZ1Av\nSklza0EzNDZjWXFXVW5rSGNIcnByWXMKrf1FG1gLW/mluifSq3RPjqEn9UfL98iS\nv/Ddm0nZgWCDle0CTtKWQHSOXOVXeKZWYdp3++9Nrz6ryuIzCpJryA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNYXd6QTRYVFJCQWNJWklz\nRnFacUliMUF3SlFuYVA0aEg0UktuZHBFSVdFCjVlZ0F4bW15SkJFZzF2cWpXWWcx\nd3lnUjlFSVlwT1dCWDJxQnhhb2VoakUKLS0tIGFCSC9CTXliQ3BBQ2ZNczFaMWp5\nZWFkb0cyZjZPcVNvaEZndEl3S3UwK28KlFMnhFeMTrACM+21KVtMpEdR88sG3BE5\nzksspDSnwHIfr5cmoyivY1ZQpGjDOjCwo2zWfWeRuYf0It/i3zRUhg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2a3drOHh5M2dMWlVWR3F6\nZ2lJY0hqVW9rTGhyaVp4cWs0SGdlL29wcWhvCmYwTHVuTnQ2ajZlN3A3K2lFdVAv\nVWJiU3dTanZxSHVzcitNSzlwNnZZLzgKLS0tIFAyN3kwdyt4eFBiMnkvOG9SVmF6\nM2NSemo3NEFBcG5zS2lYbnlRN0FyK2MKsNGibLDF1x4t7zKsbcxc5O5u08LD7abR\nFSCyU0a6oGAgGrePNIlB0XQlhrMvCLPsz2lmT3fwPcvHyX9Rln1vxQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-06-02T21:05:16Z", "mac": "ENC[AES256_GCM,data:+vd/4QvumYVYoim+2voBNCNGSYBCSxlEaWKUTu3Z3+iVUPuPqQyPwmUu7lR6NmPcLdAaWDS/VFTTnXWgvMsIMqhAObZzoLPKClKiZJhCfLm7pn96bz9+jGm2fFH9U9DLaPHX9K7gDgJZ8qkyFZ0vtmHvm5FzcPJorFa5wTFVFH8=,iv:EL4Tip6v/pf5kHy56HsTUpjo8hACFaKci5VEQYdWAfs=,tag:fWZJIrn5jHBTtW4pKoa5Ww==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.2" } } ================================================ FILE: non-critical-infra/secrets/DieracDelta-email-address.umbriel ================================================ { "data": 
"ENC[AES256_GCM,data:X3yYaojL6gq9TRvAd8OMMnU=,iv:ULH7wpkAHPQLGuYudsoNb0uPmzm4K7qDFWYYcMR8u48=,tag:vgFnwkPkXS/QeJvE+XZ2UQ==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZeENFdXpQNFA5aDNvUURZ\nYXprcVY4SjByNEE1eVF3RjBrRlQ3aXd0eFZBCnNvU3hpNml6OGtxN2RQcGJ5bjRI\nSlF6UWJEUmo3UE12d3pNRU9qVWFtQkkKLS0tIG00bVB3dEFwNnJnZWV2eElscVlV\naGZIWHVCbEZJMDAreFY0VU1UMUVkaG8KJ9bSidOMy2MVuQALIRrCzZI1HL0aQ1zu\nrogntkr9eKlqN6orMXsYEewHJ4cXrvR2A2OrWZHWUIS9OC/xh9qHMA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSVVA3NDFjd0hLMlhjZ0xW\ndFh4M01XaGgvaWlONk5MYjJNOStpOWoyNTE0CnVVM3FKbmYzSkJRaWtCMDRoMk9z\nSm00eStNUHhKTVEzU3VDTm9peHNZYkUKLS0tIEZYN1RnV1R1SnBhckhHd2Y0RFE0\nYTJqUGsyWXVwRWg2MjI5bGhYYkJwRU0KRZD1QazLtJzDNd4LS43z347pPxjBv3GQ\nw75Vzz99G85Wne1W882k+8ACVhF0OXCfmPYhZg/uq0f4HQGRKEVwsg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrV2xlUXh5b1pOSStoWjRS\neXdVSDZxUTZLNVJ2cm03K0NqZC94YUZmcmdNCktoRFJPaXZHdGR6WUhjaUpDb1Yr\nZVM0b2VicldNWE1PekFJRU1wS3NRaUUKLS0tIHN1MlprK2RnaFBJUnZMWkE4emFq\nWXhqa0lQeWlYYXdIN3IwNm52ZkdKU0EKQjJnpZY2hEtXgEAlVpoEsz75fv6xP/Ls\nonNqppZHawRrCMEonQ0st71/bXiPLfvlTydWd8Gm2sh9x8Q6iCIXjw==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:32Z", "mac": 
"ENC[AES256_GCM,data:EeeJ9xKUEbNAPk6dIEoTkZfmzuhSXv6o4aMDrlAMtyM74FZFd4+UgFMWX9jDenMLOwuABf+V8n7uwRG1F69irMElOUHnRFWddVyNd99xJ8qNCmcOWTozDIoWEPC7gSUJklioPe/H52oa4x9MB3mo0tQco5OX8cCIHhMFfdZsetE=,iv:YsY+UdizldTnAf1NYvW9lA5D+GLiwN4AJiDWHIsUikE=,tag:VSo6ceJDowM3s9etW92DAQ==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/Ericson2314-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:u/wikuNZRqFUN80sb4aOKF7A,iv:06zg9gnBY5X3nJTh1pYAkj8LbaojO6FXn48JAfsMojs=,tag:ZMfs9E2X7VGP1C8O6X6YtA==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSWndNejZpQ01GcmFzRmky\nMVNmaTdBd2FaVTE3MnFncHZzVnIzekQxa0FvCmdTZjVzQjlMNndNY2Y2VUlEKy9D\nNUtpeFI3Zm1zUzVIUzFiNmE0cm9ScHcKLS0tIEF5bmx1L0M3TzNUTkpUUXVnanli\nVDFsakR0eCsyaWxoUFNvYkRLV2VsRk0KuJwyIOPDB5e9dDDWW6FNbDqmuyY/OBuG\n+g0Y6h/jtoRmgm1As+RK3GE5ZIO7wgIziiliW7lq7+wDo+ywttfvcA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTYkd1aUN3SWFrc3RvdXU1\nWHRQTk5Tamw0eXpiaU53UXhwM3cwOS9wTUVFCkVxNWordzFTUGg4L2ZpTFFWSnY1\nd2dqWVM1dXFpSVZwVldDa00yZm5MKzQKLS0tIDZ4b1RqK1RJdHd5R2lzbDB3cFlC\nNzROY0JVN0lCemtNQUR2emNzRVZ3bVEK1PXujfeLj7VXtmJV0SSRp387WRjxq/l/\neTIoDw1GiwIesPcer/+a22XV5iPkOMGcgxUFZG9QmzhWQO1G1FTOdw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLRDFmMHFNYW9NdnJndGtL\nWmlRUUI5MEtIekMvVHphdVlHK1FxeVBraEMwClVOQ2JOYklPYWhrOGRSdEJwcjJj\nN1dUalVibGtTZmxFK2I2ejVXYVJoS1kKLS0tIDRpaCtKdnpBOFZHd2pWQ2JUNG9l\nWVBjeGJUN21EQmt1MzZjNUV6UHRPcjAKEv10tHiU1chCx4XA12DRXcBrL5Gu8uze\n6ZiUoKhihO7bSBpw4Qbl9klCkZyKQ+yHOXBCrfr8XGGyYO/GLO8bQA==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:24Z", "mac": "ENC[AES256_GCM,data:3/oy9v0leIbu+MBH9+mH+qhiiWYzmQkWAAT0HHPutRLG7/RQGIklmuVCYNAvmknWogpI3lBrz0g1eyjZVdyylQGefWG/7mxcbYI7UoyAgmfUdfy7N5LnagD/Yca6EERekrK8hzpKDHeQeR7TVvUfXoVn1eDYJCs4QpARC4gZwTk=,iv:r+AOzfsRgyetuwDu9vNrqr5NtiGMShrGhh5Lo3Vcx9U=,tag:2UAgw0kjQOz8wa/D2y0jbg==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/ForsakenHarmony-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:/q3jAh5Gbh4t2rcwhA==,iv:C9hFbszs+fOJjvi4TAVnrXf5zKnmmtUZt8W79GIkpXQ=,tag:6KGQdgeidkplMbh5glqr0A==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2c3RJVENPLzFQUnBQWmYr\nMDlUSlJOZU9DQmtKZXF1K3V2bUF0UE1nclhzCmRVQWVhV0pNVjlHM2FXcDBEZ0RS\nTG9JcFc2VHl5Y3ZlRVdlWm8xVkozdm8KLS0tIFZteG10L0pVSGJoSCtWQ0dSVm5r\ndllWb3lNZzhRRTZualF1a29DODI4QmsK/QsoEBBDbcozYwxH0KXlULWt4ZDk35T5\nEGnaTTmLZt2HWouAzIAhWAIP4r/1ITBV6Sp1PpsurzEzAmXG7DF8Gg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCVVJWYlpSMjcxVFJjem4r\nVW1kQzdLcExNZk9ySklaM21Jc1N2djk1ZlRFCkxCWkhlREFCZUE1YStUL21ETGd4\nV1UzUGRUUVpYMVZJcURDMEs0Q2dWMG8KLS0tIDhkZ0RpQlphanNmUkFaRUU0TTBW\nbUZzeDdBd2cxcThIbm5zOE9rN1NsdDQKRBNqF/GmLdmuGEaakXA/RyOe8ExIxhRR\neivwaB2/pFVE3SwMaAGvx/fyzG0Ul0mD352jyn7a4/XKPTeWqPVwng==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmQXdudit5QXhJYjFlSHc2\nQjByT2lwbmYyWUVxdktVNjFyYkZuUTBPL1hNClpVQXY1ZThXSjliRi91M0JGOGs1\nOVdKOU1pUmZPTTBjajJIb2lCY2tzMTQKLS0tIE44TURVR3RRVWY5QTR0MEdieXF3\nbWt0SXNzOGRVdjc1akxoRWV6QzVYL3cKit7meiKwcYw77fi3F6U0whUcyGpkXAQO\nBoZqs6pr4iDCsWAFVpGV4hfqXNLhrzBKSmUxVxCpSfbmUb4ZwZEVWA==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:18Z", "mac": "ENC[AES256_GCM,data:Qo6ddwfmbMbBfv4ScDvhv5Ol68hc3Wm3KviWxO4iCjKjidHVMAmJPr0TDJtMR8e7e6ywBHcIPsGOCh0GJ7P53os0Pz2S79o4iXDx5hykvoFmOqWGr9INSFwAe8VwDYE1bt80Um6W8twCR5Y4Z5FC6n+2hWQA/3iM+KngctI2pJ4=,iv:1PR/uwLBXps+TzAjwef6g1aSkcAdyO/EYdZrRRFH6Jc=,tag:DoqtX9yPh9KeQA4Ysrv83A==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/Gabriella439-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:C0rILZtiz2wxslQbHqXo0kG0UQLc3BOFkhI=,iv:1l9l2IbznCKZGtfmqj/SLwS4f3r6uC3DRdgcohhEh54=,tag:ndMxeQNCDd/DN3ysVdqgpw==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6OHgza3dYcTYxUURjTHhi\nUWJwVjV1ZVRVV2orNzBXank1K2pqUDVjYWhZCjNTelc5ampmOXlpcElNWVhxNXln\nSktBdkhJblRpTGlHT1U0QU1raEhEc3MKLS0tIHdGczB1bmM1NzQ4Nkl5YUlqU0Jo\nU1Nkd29XWHdXL25ZYlJzdjRiUHVqcncKBDFKH31IKCsEvGRw2x/zO+1LyE6nWsyq\nxlMWmRnJJbu9pYNs3qzIUbGlD0pAaLZigBIMEMiHEDUeSeVHKupQkQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQU0Z0MTRtdThxWjhianJz\ndEJQZUxXWEluU2xLZlQxaDBOQnlBNW1Bc1VvCis2QkhZNHR4Z0lIMUJEMTY3cUFI\ndVU2VGZhL2RKWkozZzlwbzl6VE9iMGsKLS0tIDd4eEdqVzFuaVoydlFwVEdlR0I2\nZFBWZVgzaXVPTFpDeDk1ZU5tcld1TGcK/c7c8HsbTrGeG+92pWmMn3YPpNvUFx1Z\n2Xfm5Zr3/VdTA18BN30uBva5oYOCiDIiXgaQrT//DDZNQDPhJKlWQg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2dFRYbEhqcC9xTWpncU5y\nOGVTR0RHZXZJSFFtaDVnN3F2R2g2WTJ1YkNNCmhPTkVTdEFrRFlnN0Nmc0lOeDcv\nZzdwUlVwaFBKRUNYYWRjeUVDUU9aa0kKLS0tIDJtWGRmdUxSMlA4a3VDOEtmM2hp\nMDNiUEdYRms2VTRteHdtRlBTQ3NHcmcKB/ACXZhqxS9yghBBwuTmkR5cgsakv1I4\nzPC09vPIS1q7amMHQ4zhnl00tykl3AwfSOGO9wTUBSpGu6byRPUOWg==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:25Z", "mac": "ENC[AES256_GCM,data:41DiT3lGEreAgFAid7nukcr4cPHIwbmMwp+97dyc8e2vcuB4hi4DCMH3HF5G6TXMF8k0WE2fxFc6+lN7TyP2cbz06YrrrZaz+oDcMh43rvRmwBmrsXSkh5B1dlYlMHYQ8qQrq4wqa9JN0gYuA22vuoEV/fao4VhNpnJm5CubTxE=,iv:IF03wTAIfmRNym6yCR7fMraYra8QVHhpCiXRFiaev+Y=,tag:CDnRSoBgRJWHdNr86cc9ng==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/Kranzes-email-address.umbriel ================================================ { "data": 
"ENC[AES256_GCM,data:Rbt40fvOkd12tUOrdattVlc23zCEHZkDjhFN,iv:9tKOblb08ZdyIBYzfSNGIPZWQLgiGy8QLaRTVBzUk5U=,tag:69JCHM3Q+d8sPbS8QrtOFA==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOUWswZVEwbkZhOXFRUE1K\nYm5reW9UdTZaZ2IyOWxub3pXOVBDSWIzUEZVCjB1aElrb1JXUmtMcUxPaHZYQ3lW\namFuY056SGpuRTlDRVlHOTJudjd6c2sKLS0tIGpjMDYvazE0MTBjQlhHUnVTQ0kx\nci9Kb0piSGtzU1VFWEZ3Um54R1k1VjQKPqMA8/TCkOyoCXj4IBSmE8IrEGLK7xRk\nwCA5ZAQrpCdx98H4yxJv9V5q3sozrKafmluu+9MuvFlV9GR9Sl7PDA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpRnRGaWo3YmlFUFQ4Vld2\nRm9jaVQ4aVk5N3REQ09yOUF1K0FXNSs1dHkwClZwUjM2dVhRMkNCa3JVamU3bGdh\ncDA4ZnhzNldyQ0pDVXlFaWN6RHJmd2MKLS0tIFBJSHhsWVNsajBlWXZkRk9hbGw1\nalR6cFBjc1RPRGFTNFVlbkhaK0Z2QzgKaTyBrdj9pxrW8v6MuYVNFj+fwseHD5JR\nMNbOAsS8J07znV5hHstn3j5ESaLd4DwyZgSAPlryEIQhG+NPVthBgQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGT3dIcXI0RXBUOFUyRk4v\ndkdUY0F2aExHRGlHdTBoUlNCaTRLeFFha1JZCmM1d1F4NTlicGgzWG1BaWRZOGZS\nNkJhbzg4eUpIRStZYiszZGpHZnN1OG8KLS0tIHJnTUJZWkJ0QXRJZnlhT3NqL3JR\nVmYvZUdUa01wNlBRUkcyckdvR3NIQ28KvUhddXSOLOIdD2xSACfka/IgdTN9db2W\nMNlkhumZmZYwFoCwyFi3WlYpxUHgwywLW627rDKsK6lEWGHMHgiing==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:02Z", "mac": 
"ENC[AES256_GCM,data:HQRWdn/UHk0sRhCQF57nTY3AGODVCsq/yUXs1g9B7RD1qTAH+CBFq/861xn40Q76tKE03qil2ucZJ1dPSNBGwk9fuIfXHytumg6Lr2Fmq7m0ri1X5vxGs09Nw7AcQ1dJcnL3H3F4wDa0C4jojSBnh5JSD3Q9w8CI1EbEj8xuyYs=,iv:cny74YHIlI6AYrwfDtPTizd64LJc/1K0HmfwNKWD0FY=,tag:RuhZ+zbr5B0ZZgOChJGdlQ==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/LeSuisse-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:h78IdHjkj0APVFZdq8oFzw==,iv:6QB2mRaGYvQjCjO6QKcnuvfO2QaLMd9twdeF97uyccU=,tag:udGErtYAJX2wlumAThxpuQ==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlczgva1Q1bUZpMmtuYTdM\nd3gvMUZLM0VhY1hoamN3WVM3OGMvZGpaa2xVCmtyaURwbVMwYk5nU0pTOUN4bndY\nakFFLy83WGtTM0FqRXR5ajBHQU9EZFUKLS0tIDBFWHBVbzRzRi8xZVp3MXh1MGlK\nNTB0alRIUG5xRlZLcFVwMCt1UEdWZ0EKdRFNMI7yxSAfsLnwQw9M+0XdILgWifZu\nw4Wm7zjSWgoV9rHEm9tZWidXbJ8gfEFsqP0Gc3vrs3b8O1n8RvBTbQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaREZqeVduL2JBNTJ4Ui91\nRWJpUnBIR0MvQS80MkQzUkVjdDc0aW40anhVCkFPZ2hjYWJzSUdXUDlqMVlyUXIv\naHk4ZHJrNXNZMDZVdXJHbytnY2FWUHcKLS0tIDNPeXVuVFlTQXpSRHpKVVEyVFYz\nNExDL2x0OCtxTkJxaCtMUUU2N3ZFOUEKjX/bLagzQUoOsQ0zXPkx2/G8TpucsVEc\niP7lOnnqefIF9YBZfWrLjdFjlAKBlZW1sokDNiFfeNlVXLv3nXhmQw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzSUwxakk4aGRQT2FyQ0FG\nSnNGODlrcFY1YXlpbHNJUkJSZ2ZjeW56bmdnCjhCQTBDWE1oWTlkY2V1bmc2Y2pR\nT1ZvUDZjSlVMVStuckV1QnUvS0wxQWsKLS0tIE9saEh1S2Rza3Q0RDJOcDF1cE9U\nUjdnaGFHd3ZVb1pMaXlWZllJcXVVMFkKhSZ+mABcFxPsrbtxhnRv69m65IJFNIAD\nA5Ovz9AVu1KZiWCe3obDI7ImvGK/P1kYxgtcxOZAmPqYj+8AWN94vw==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:23Z", "mac": "ENC[AES256_GCM,data:V/Qs+xRtrcBYzDDANHueSrNIsHq4wT1ZOrQDJff+k8Si3Uaw9D7yGsZHrdFj+wuAt8u45WHlDZ4C+4zyNWJU9PiengAgQdRWl3z92LrFWfBFsvbCwZhcB/C/Z/HtpnNxV4eCnENnhEiQbXClYpndFiq9JRKv2eWTRbLzf6jwSeM=,iv:eC++s4t3iEcREtREiacb393DcN8IQhgU7rbdKXQMSwQ=,tag:/1+oiZAmYHY488iPPGkwYQ==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/MMesch-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:/MyKjCi/ikz9u8TCJ0c7yhieWtF1Pq4osnE=,iv:TuY8UnNiROVHbrah0DdOs1FP8nCEwPlaZro+y1c1XiU=,tag:QJ8AmBoVI0mPL6WMt++UZw==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJRncrOCtDSzNMRFBjcEZF\nK3ZpSDVlUFFBVDhXcGJDV3ZFT1JoZkhWQ2tvCmxXK2ZqcG40eUtqU09DcWV5ckJz\ndlVvdHJzYU5RRkN4QVFaYnVPc3BPdGsKLS0tIFJoSEJCRDBRL1dmYTc2Ry80cTFx\nYXJIZkJGZHkzcmc3OGUrUklzY0t6dk0Kat3DEijf/XA0ixOAr3cwPlh2Zbu2EeDj\nmXB9fH79JY2sh8+JQ4x6sQJMQnnvG7rPK+8x6H3565HudUpOvVSP3g==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZWYxM00zald4TTVhNHgz\nTEFkd3pGcHcyOTZGRmhxWjQzVENLdFoxem5ZCkJhVFZoK0xHRTNRWGh6Y3BGbG5k\nVEVaeVc3dDNnRm1oZXFKTEREWGQ1VEkKLS0tIGpwRkNUaGgvc0V0K3k0N04zK0hB\nSERwd2NsWDE5THZ3NkJGR1hpVUIvaVEKgcM7kURq8DiYpZ1bLfdTfeqSlCgope2h\nJbzdw7pvgyLr6hsa6+sudj13qVy6rEplqC6dBsZ7shMqtmqRQLauOg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRbGg3RHZtdUVsK1pVb1N6\nM0l1US9UQ0tadVBObEVMN3NpZWRMaCtKWFRjCno3dHpuK2liNzBKL1lESFozSnpV\nUFBscE00SXdBN3JlL2FMR0tmMExHU2MKLS0tIFBKZ0ZGeE1oNVlPRW1OTWJRb0FN\nZ0VCR09WWVhydStqbTdrQXJBOG1sb2cK6MqLXg540RT2LwfTRyrZbbqMKemtLo+x\nYffXEJIq8aRedMCV6a2MAyi2+OXGTNJGJsRddwP9vCkG0W6qOVRdzA==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:29Z", "mac": "ENC[AES256_GCM,data:lCKzgeTe0ySL/llOVXjybNMQ4SaAZfxx9q+UQFBQJeWeSWx5VpBAj3D0OjJA8URrIBJEvLublcM756yiN5uuOBmFUILrx2x4hc1FrFjcwlap7w2/yCkhl/e8LVXJnXlE2Bxc1hkkF7NBpFRy4BTuHM2HCFmDSG6tnBrqeWOizAQ=,iv:a9B+wZ+f0XvLcjbYnMkKulUBKaJhBA13tmVyMwTcVHU=,tag:ApPc5CmMlU53iXCkBhFJSw==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/Mic92-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:TvG6EEUzxziXHkm9Io4pqXg=,iv:vcS7p6p7q+v/NPT9Noj+DzSVQHaVQSqEtUx4ZIeq5kU=,tag:BqcA/NkWJee1MADjHoj3qg==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmQUdtS09CbEEwSEtrOUYv\naE54MjJPWUVoVkFzQ1BzaG1oTmdlcDRLTDFBCktMK2NRY3ZaejRKTWRUNStOTC8z\neDFTS1VrTjhWekl5K1V1NlcrWjZXMTAKLS0tICtnS2tLY012VFR2LzB2QXlBT25n\nR2JFZSswTysxNXJlbFhaMHZ0T3BlUHMKiPRqvaTAfyCOQRcp4t4VhxXIQ3ULzfPS\nTDv1bnUy6TKHl2ax5KZus0VJos0Lei/nOT5aN0sujG9PV3atq0hI+A==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4RGhRZy96VDhCZTlHWENR\nZWFPY2s3RUFUbnZYbTRkVmJtOG5oU3ZuWEVRCmVaZlcrZlduR202U3ZPMDNnZTVa\nd2Z0R3UxT2E2aGh2QjdLK3VGYitwbmcKLS0tIHVaUFhtTW5nZ0tJM2NHZHcvRHdV\ncHZFc3NSL0tiN0RGU3RsRGZRM1ZsSEkKSZDmFRP/LtNMZ2hxCLDBh+m+BKzCKdXE\nlSL6Vy1o+aMH+wgM1mQQ0LgDRvPBdIuFkCFG7yVw+B7+sicJZy4CWg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBub0FkYTBwUkZkM0RDMDRm\nZTI2WGtyWkRrc3VEMTdIOWl0WXRmenp4aXpnCmZVdW5YY0xJTWtDUFBobUIyMjh2\nZ00zNWlrZ3lOVlJGY3NTOFZEMlc4N3cKLS0tIFRETmpydGVFK2NkaUV6VGplN0U0\nQjRyb2ZVTi9tTmNCN0hwbE0zbzAzZ2cK3C1glQ5B/M117NTebH7CsG8e8qgH+h/k\nm+TuuuR6PDYD7nYGNttLRB9X3UTTbzkyqqD8Rxc3IQqGr9abAMaZ/Q==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:00Z", "mac": "ENC[AES256_GCM,data:/86wMc+s3MNBI7Vg+e6FcJMxd5ifn7Zgu+AksxtikdmsC6zttkx307W1MFAVZvdWLuUO886NV0pKfsPnDNVWNK1tsujN1Y5PRbJP3PUa/utTC1aCA7cQGL9Enu9/q252OB7YEqS8BXUMFQrKL4x3Atr2om8uf1gTgzBM4aLXN+c=,iv:LAWUu09guUq0QWY7yi/LB75tVuJRwl4DCXK9X/mlBRk=,tag:A//45Ms1Dx8fQ3JzOfoaWg==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/Mic92-wiki-email-address.umbriel ================================================ { "data": 
"ENC[AES256_GCM,data:JF/vFN9c1mUt11NAF05GmbU=,iv:v9++RDL6/iJ9+l5a0lZa6/Q8/YwjDQQcaRqoIu/rDqY=,tag:aWZGnleR8KsWquOu8NXWsA==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZYlhNM0dXdU0zRm1LUGVF\nazlUNWlIL0V0OGZVbSs4OTBsNGtoNTdSZGtjCk5zS1Z4L1FsL3A3QUtkak5GaURS\nNUJMWnFieXhLcWZjdTJpdmg2Y1YxaHcKLS0tIEtiT05wbDVNWXRGaG44VVRKTWVz\nTkQvVmp5MUd6OWp3d1RhcVJVOGVYb0kKe0JunA19oPyTWjh3f+hCjdbukZZexkkC\nH9hAQ0ZANglvgpzddqZ0Zk62Dlg4eiWUV71LOAnG8sxYlxkNmfwoJg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2Z2JpSTFzKzFTU2lsSjQw\nbUZ2dWI3QnlYOHgvcWtEekYrcURiSEt2Wm1VCks3UTZ5dlRXNm9mZmozT1M4dXY3\nODVhc3lkUktaNThTTFVZRTRjaWVsR3MKLS0tIHVqTGFKNHlrOVlyU2xKbDErbVl5\nYmhLenREOGdJcFVTdi9sRnBrb2dZMTgKTi+dLUexJLeIP3mjv9IcWRLjJgMdo/ZS\n1b1tOqeT1kwB562jmkJ91MgRebQvOTr1tUqF72B9tUoiksyK3UgLNw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2bHd3NUhhS05aTGZpZ3Bx\nMTd6S2JERWlsalhrcFczSWFqZEhrY0FOcEdjCmQveGhwUDh1R21jQzFJcnNISXdL\nTlJKMWRMaFpDU21pRHhtTU16b3lwQncKLS0tIHZoZ2FIOFFkOW9VWXFVZk1zQVR6\nME01V2VkUm9YVk9pWHJGdFFtL0pnaTgKSLX4TjbjDs2uIRziomy8tH4sLhDleeWm\nLI8deM0wDWmq/oJDPHr4a35Ho5qt9Kvm9e6l9zosyockoSlANkRn7g==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-04-05T23:02:43Z", "mac": 
"ENC[AES256_GCM,data:TOcCqULV7Fpd2x5tnaFR1ooKWLFPWWdogf8EYeWfJSc1CFcNKHNwZf9TdDKo3oVmWEUqhf6alOxBI3Xx2gcbStV89BkIbmv3FnYPgn3TlmkD1bCeJ4ACx+eYYUVFN02DZZSmZ8TTrl5pvqFzxyUNgfLizJDttNZ3wQiTSgDO/OA=,iv:ypUbsY32/IQhPpuBZhmDbw/ji9WcByGN5meuKmb98ac=,tag:+/ezgSOWXnu2RDMXbMOI2g==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/Nebucatnetzer-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:+AibStUNqlK15znxZ3+wCK8p2paf4Vm8K2NOqA==,iv:4grF9oXAfvUxUUoKzs3dFHgnk4P1mYqX3RNzSRHNmxs=,tag:pd6G1ocabxwUgGTdABHExQ==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmb3RtTTlUV2FZWnlUKzQv\nUTVPdnZPYjBwK0FHYm95cjBLeGd0UUZobVc4Cm1qNWc2MVdKMUhJakpIbzdJcEtS\nU2xFUmFnSUlwSXJUaWxCZGZ2dUN2cXMKLS0tIDdrbytXaFRhUWp4VkZodUgyRm9L\nVHJ2djZWTVFtcHNKa3NleWowZE9MbmcKotJzRU02eep6AmhHmynqYqbjJj6kDZU4\n1G/jp6r/y2mFFyO3JjPcWhzEdjhiUn959RSQPQWvCnPMXqP6vCdlLw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaU0RVN0RydWF5UDNYTFJy\nUHB2RXVKZUlBU3A0WlpDcGQyRG0rMmYrZ2hBCk1xeEw5MmxESVhxZFNSMjRsR0JX\nVlJHS0lkRlBIdGJBM2NrUEU0NjhFbGsKLS0tIExYNlVmMXcvTkVLYnNlRjdTUUhu\nakhBd1ZDWXVpSFBSUFJXK2ZOeVFXbWMKkvtfrZb+HeuaysRJtViS9Rsh4hrdYARv\nHH8xe1QJ6N9V5f92v3K1VOvUHi3dV6q8QC/hWWsIVzwK1XzKDKxmrg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAreUJZWE1yOWxPN2plNWsw\nVXYwYzNWSXhOcE9KWnhCOXlnbjU1K0NEWVZjCktqcUNQdkx1cjl3cndKeWV3UlU5\ndFJNRXFMeFJZSGpBL0xza0IxZjc0VjQKLS0tIDhJZWRyMFcwemNaeEY3NjBOdFk5\nWldRUlVCcy9TQnd5NU1pL2ZONW13bzAKoWgEKqexTLE8sx92qajrmLFyvmrcRs7R\nbXvwzMchw5ijc7x4B+tXbs98ooPjhQiU4X3F5TU1Preg7O5gdTvdvA==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:15Z", "mac": "ENC[AES256_GCM,data:MutcAk/0+yZW1xqBFRPRFgxIJRLZq74WQejccmADhj3B16qKSvbYtMoRhHEeBFW6/8XdG+DWGXaHglyjWtyTWcWaTaEMBDkEiF0aQ5m6EiVocsUUxTacVwBfDzqRBK7Hj2bjPQ6MJqEg51m4OqQ4ENiRd5txcDip3TrrZsnHhEk=,iv:4AFRY+3PfNsDqNgWitLNGdk+ApICZqj1WunbImbbByw=,tag:6tOYpHXjx2rNRu36GWgTfg==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/a-kenji-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:5k202eaaTleSbcK4+COHEsaICQGoNXb4,iv:nsMrI/YhjJkvP9NtHEm3bgZiZVRxmCiHo9WncdrKPa8=,tag:RLkMixG7JcLF/Wgjj4+N8g==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBMmxlRFhEV0dBK2VrRng3\nbHFSZ1duajZPa3pEaTNReTFQYmVLZXZsTlZFCnY2aFpNdzVaSFFqV08vZVNKQ092\nRlRWWmJMVEZZYXIzNkdURFFFMVFYdVkKLS0tIG1iUUg4YW1aVEQvd01Gckw2TG53\nYUUwTkRHa1V2aExIdzcrckRucEVCcWsKpeLfSDvPzfvoWI+NUYnYgwebISzKTXgU\n4046ER4XCfbTHaB2tnP4xHuVlCS95wP4IsYanyyP8BcPSnrbXwQQuQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPc29UVGxSaU1KUTFSRGY1\nNjJOMzJBMFcrVHJ5QWdtaERUTmlnR2VkSWhNCjJXem9KTUJtV3VjdXZRc2dUU3Qy\nczNIZlBYRFA0bFJXK0Vobi96WVEyUzAKLS0tIGlaZDBlZ0NNaXBJdHVrTktCT241\nSjdZamE2ejFNaWlPMFpKRmlPVVpFY3MKlH3c3qw4xOSNS+CiCezUkKEgB19zVo3G\nzVuZSm0eFzeuBxOCquqJqBQchgegoKdeNFs+75Z3otbZr7iIjch5KA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAveEZXYmFWNm50ZGoyc1hM\nbUd5TllwT2lwVHlsVlJDcU1YMDJRNGtMWGxjCkRuanJHNTZJN1dCWkNsRDVrdmkz\nRWxzUEhmTDNXMWxRa3VpaVJ3RHR2N00KLS0tIERId21QUSt6RHlnTEtSTERqclF4\nWW9mUi91ZjFVSXlveFZRamUwT0lRMmMK1ikxhLbVSFji2LNspHPlWKDjbbhQArSE\nf9O7sWh8BD2v/gGokpAh9XczDMvOGteYOHb5plAZ5AFZHYa1xfv5eQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:16Z", "mac": "ENC[AES256_GCM,data:4nGSwf0fv2sdne/F5XW7Nv8PAR/9/uHfFaik6y/2MgyCThR9+md/s05JTkoX7NjKwFZa4ylNetBfCDHe7c6PD+cwpLYtQIKtXZjrrz3ejM5KhzSCk2ldszXZZT4RN0OL1f+hhuclWcy6CDsN46vGtwwQtI9ywSp2m11F1sBXbmc=,iv:eZE1Y1xlwhaK3ECSen6eXtN42A4y6frxGA0oWOeJoG8=,tag:SQ39eKn1RdN/OqtQUL8VdQ==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/aleksana-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:Cln9T5ynj5zXOicAoj1n,iv:zlC/JWbVGyq1VXN+RA4RVGD6lHyjJk5QZY6q+72WwhE=,tag:0VA365nlsqS7oMR95CuR2Q==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2UUNtd1VRZU1aYUhoVkxl\nRmZzbjNrekZHYnllV1VqVVU5cDdxclo3UGtJCk0zTHNlWFpWeDhvMTZLL2JSUTVK\nampEV3Q0OHZkbmNUYjd4eWYwNkkrMW8KLS0tIDh1YU92OEkrZ0d4Zm5tVnR1NVR3\nT25TeitPSjlsT2N1VG8vSWVoMldTZ1UKq36ucMw2dWTPFtWXzqbzoTru3QQqpX3/\ngwcQVykoyZ0vB1A69Bsd6l35CEHM3VPQogoORsk4oA0Vfu+7ECp4JA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnMWpBKzFBNkhvejllVnFJ\nQncvVS95VTZDeThzL2ZLWXUrYnBDVVNvZWhvClhkalJQcXQ4a1JSeENmYWJTY1Zm\nK2JPamNuZXVTQ3FNK29TVzVIaDd1RG8KLS0tIGZOelE1SlFDVTNnUDQreU5mcXNI\nUW9zMnZ4L0NVZVhmMXVEKzA5UTF5UUEKAcOKdOYYGuWMDqFWsAAWjTyM3Is7gMd4\nyvvGZUOChbhv5bim5W+Pj0bRFiq925OpfuBQOGtU9L7YTZCPjHl7yw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAycnphT3lIYkkwSUE5a29z\nclJPL3VSRWlKdDhDRWtZeEdoK3pseUNsd0M0CnBFMkVUSm9JQ3BQUmtqamlJTjZK\nUktncXlnRHhBUk9NY0Nlb0JNLy9iY3cKLS0tICtDQkY3SU9mYWdRcURWRnpqUjY4\ncmJvQTA1cklnRnhFYTBkLzR3YXIyNXMKU316One60SXFG2qmSZNhByPwXKmoeA82\nFUdJIfReLcBWM4/4rC3KLGfh+CrVnT2uNUWBC+suosaF4oKs+yQzww==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-07-21T15:21:46Z", "mac": "ENC[AES256_GCM,data:hU4wMBofItjQ+VlkmP/Ud75k2Hy4TWg8irwm0fhy5vyymHS/vDpe4Zu9IIaGFdsNgxpThmlQvwW4iQk5QVjYS/ATBznuB0QXsFNBdr3mf16pT1P164uGyR++xOWg8reKTQKz1Nyxrw34JMxnKyM0nPkCtboAFITKtTlDH2C6DUU=,iv:iEwffVlvqJtax71otGbMQBsDUpyO69QewT2zzFF8hAE=,tag:okHYyouWtbi0dRnb/1Njqg==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/andir-email-address.umbriel ================================================ { "data": 
"ENC[AES256_GCM,data:jfoMFBsk/LrrFBuOTWWJf8HnUQ==,iv:EjLtt6TnZNBWk3bNFBegZy7tERMF1iSp4Uyx9P/TK8I=,tag:3iPZHTzExMO14Ez6G5C+sA==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxaGtURXcyVGRYT3lGb0g0\nZ3NSZHo1d2RZSWU3OEFQUWNHZ3hyRksyWmxFCnRQb3VWajY2ajBmcFlJaFp0ZGJW\nK1ZGOWVRUmFhbmkxVUhXWmZiVUZ4bzQKLS0tIDJZajdIWDBpNUFmMWlZTEdjSWYy\nK2ZWVy9CTXNvZVo3cXMrRVp3K0tTcmsKjuJ4jmR8wesvPnmigcF6F1oLDQzxV51T\nDRGwFVgFbrlNuHCnG0KeB4vQkGdbRV7kleeGjhbj4DOzZSuKrCOqLQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxeEVHaVhOZWIwd3FFNmVk\nUkc5bitBbGZESHkzaGpOZlBkQkxDODZtQjJNCmRrMHJWQkYyVy9SaExXUk1aRWVl\nb0NjUDcwbmh0UlNITVRmUUt1OFNKTk0KLS0tIGFTMzcxZUZjYVBtMFAzVGV4aERF\nL1ZhMEh3bUsxTlpQQkd4VVpkSjVsaEkKHaBO79rCdaFPvTuOyrzhGIMsSmVZ8HEY\nUNIx2ZnH0Msxwq49DYaXwYHa1eJsrujVe7SZz8xRSx94mxKjLvd2RA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2QTJ5YlFiRjg2SkR6cis2\nYVZZS0IyRTNTVXprRlFqOTVKV0lycmp3aFdJCjdnaE51dlU0SkxJQ3hXTUtlVzNK\nRGExcFIrM21lVFY4RmVZcGFOVzNHUU0KLS0tIC9md2ZVaVBETk5PNjhVN2h2cWZN\nWFV0QXIwTjk2V1VVUGc5QWxmaHFxRVkKCYHAKhJgvVP3xYeXMZ5qpKn78OkRlSx5\ny703es/fJtRkV+U2TZUM/33gKlgJd9vfZRPC5NsSCFry7Q0BwctQUQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:15Z", "mac": 
"ENC[AES256_GCM,data:wneBlpjjTzeUQwK6YdWx1+b9OcGB3d38p0Dh2SUzeFOX6oYBCHkiPr85maMmR+WlKGP/YS8aXavUgodXPMsDkQuOejiwt91fU808LRcW3E3wKVJJwaSlMfyfrDIThVJvpSCLo/KX7GUWF14ycYr0cQTseeQfeFDAdJmwRrID6Yo=,iv:cXMaAXygnDUcXnhel0WrZHTHLygCt34M9vK8a/zKqw0=,tag:iYFrtIgPGkcMW9fTpwZm4Q==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/avocadoom-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:6ubFaZHxHfwFu9GSTwWdtetcoc47hIcQ2w==,iv:Muih5HPkX59lMJnyH72CyaAerSMdgt7yqpkrnh6wtDg=,tag:01df0hT6KJphUJb17RNBOw==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPR1NpTXc3c3RhcFJFd3Y4\nZXlIcmdIdWVlVGpxaWU0YUs4YzY4VUR6ajBnCitMTTZuUW9PTkxIWnpSeWhmTEFO\nYS9LZFNxYi9vQjFYWnVoNGFMRkFhYU0KLS0tIHpHUFA3NDY4VHRqdlRDMjlGbHFr\nSnBWVmdRbmNzN0NRVUFISWJrVS9WdUUKMKsLI/r8NL66jtDphJNWZV95uGuekO1W\nMbS3yOl9BZRBRIQzObZepgWUwlb2xEA076IaPvdqcKgPBTox+fOc0A==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzL0RKeHZVMHNhNkRibEpZ\nS0dSRzdXZ3NnSGRDSysydTdtUlJ5clU4R1JRClQ0Yml0VVFIRWlncmhsWFNjTGF5\nM3ZJeFlIaXFpSzJVdVVCNXcxVTc4SUEKLS0tIGtSYkNmV0szZFZTeTV5RmRwQUNy\naE5Qdm5tR3VnRzhJTXU3dGZKNTFmdlkKyMRASS6nKZ/b3ZhXh7dUwCoRrK0eaCvw\nUBGP4HP+zaXnHxvQAFNFZ/M5Du4koTdxaqATpe++EMoT5PHLorR1oQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoZkF6WWVnSlAyemNqaEZT\nL1J6ZE51ay9HMEsxZWxIUVBjd1dydnY5NURNCitZRXJ3N3QrNmFjRWdtdWNpNmsx\nSGJ2T3dYQXBiMlNYbEZhZ0s0aTZYN0EKLS0tIENyeU90cFMvM2c3N0Q2anRndEZZ\nWVZ0dXI2SDRTNzRzSDhrbFVlczIzcncKr+MLrlba26U53Mll2kz51FxrXH0Q9JCb\n7P5ZKIHJCJCqzAnngrkf/a6YPHH1IygQ7YvzG0OF4iMR/xiV+K+j1Q==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-04-05T14:28:22Z", "mac": "ENC[AES256_GCM,data:TsqI4NHTO2oFSMDaXU3iduQCvaM4O2QBDhkyC9QwdyCU1zM8rT5Eljh2unm7Av4lZBR1QzxkdWQepYtoVc3QGPQ8mEp53sBdV5yd8GhSRlECcSQSKVkvknW797mc8s6xXpE8OnCOSQkKfiq7bTVNiDdmKxVkkpa9a+48Tb1TXts=,iv:h10XPeT5av862+BJrZRJhHZ+3Dfs+JhQtotL7AytPAY=,tag:SDxNk2HT2I6qT6AFu5L4Pw==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/backup-secret.caliban ================================================ { "data": "ENC[AES256_GCM,data:X4VUnWfPTrCzfc16/+korcEI0sExkevl6vqHXm8E+WwbmIRJu4gITwM2278swsp/wzq5zrRHNewzZpFtXp85HCY=,iv:S4KPDjH5SW4hh5X9NVjrz9Dvd/Fpnd/b8pLlDYiHzzI=,tag:Ls1aJtXfP8wW4w8F/DGsOQ==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBycEh4OTM4d0J5N0pyOTA4\neDliTjFYL1lzNUc2M0NBRDVIcnFKNEJla1RZCmg4M2lKWnArWGNjNzk5cFBHV1h3\naTNNWHhMbXFtNWNzRXhRM0Q1YzlSOTQKLS0tIE8walJxY2k3TW9oRVVZbEZPS0V3\nTWo2Q3RVV0N2VGVjQUxNTUpsQi9qVUEKfAgRqP2RBWDB42Ut/At9bRfhBmMYsUXR\nsYtyP1waOU65FKNmL6Im24OWYa9tLi39V5fTadi3e5MV3OmE6WRYWQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlZWJ3M0thdzFYUTMvcWc5\nL1hUenMrdHU2RVRLcS9KU3V5SHlJSlZub0hvCjZ2b2E0N0xLOXdUbElQa2huM21v\nNG5DblZJeXpadExtUjBpRWV1eHV1N1kKLS0tIGdjRTBLSk95NlNpVElFVmVRQnpQ\nbzhmREgwK3ZHN2JwVWZJbjBqSklMRUEKIozBlvYMxb4v3DnUARAL9UBvr/Mbhgq2\nzYkont0oNowlns4pHeC2/rN6ES/oK4PyXmdrEMwcLSo5Y9KNuBWE0g==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1qlwzeg37fwwn2l6fm3quvkn787nn0m89xrjtrhgf9uedtfv2kqlqnec976", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1MVFsbnB3eURLWk9yWnBJ\nWUtlOVlBUzFIMjBMUXNIZWRQeDQvNFVJSVRjCjhvU1R5TnNUWFJwRkxsYXZBRlRP\nL2pXTjc4QUxMVzNQaVhRRVNPbUw1MzAKLS0tIEY2dTloc3Q5dTFDUXI2UGtDNjBv\nNEhDTXpVaDZwNXJKMmVGN3ZGbmlYKzgK268c0T2MNlrU1r/dwdwr9Per+VLWxb+m\n6VL/etWMx4jL4JfYbi6Bk35PwGM/WfdZErnUvIQv+56qGZ9eMIETXg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1YlQwWmU3SDFVM0ZBZzBK\nNkFraVkvOG9lNHF5QjNqYzRXWGQ4ai92eFYwCnhBNlhUc2Z0TTdsUmlYWmFSTzFM\nODJ4QUZPbnhmODN5c2JMT2hPUWFnZ28KLS0tIFZKbVRPUHdJL3hqKzlwRGptR2M4\nTjE1b21xWFVFR3J1azdtUjlXTDVLbjAKfc2/NhPiecmp3wRoFOE8iIAihNvOdQ++\n4m0HLOlTU6b5N0myCutbj1Uug7cVY6L6Vivxe7Zp25W0v1z0m5didQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2024-01-29T15:17:00Z", "mac": "ENC[AES256_GCM,data:i/EHL4LBLixq3dhsIIdO0yMMBY19v7/4ttLd+cfB1ZIAyvsfbUepFNW6yPzv0bC3OLEVVIePXXqc2m6lqsItYUJ/Z9kiH8+fg38rpQz5kp5RukWDNP3+ql2xbt1/yU/geyPTxI08+2KTJprbyXRfvUBER8ukP/hLmsBrR/53dbY=,iv:zSW+bj7WeYlh+0cTkZSBg4JF9olY7RcyxqF23LOb1tc=,tag:Xu0jR8QDvrM/S0b0d/R+aw==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.8.1" } } ================================================ FILE: non-critical-infra/secrets/backup-secret.umbriel ================================================ { "data": 
"ENC[AES256_GCM,data:ceXkGoUn9mid9uVMyxnNonGfkqodqPQ6iPShWT1qjwqq47sXpE5GP6UurneL1blzo1MooaeAOsI9zsxFDyXLfU0=,iv:QXPiFRM/MNcAD+i7mIRjZ7Zqym7aoO/2ZNzbSdayPj8=,tag:JBnSAvFJOG2kBzEw2Arjvg==,type:str]", "sops": { "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzd1poSURwWFFUcWlqZEdz\nTSttUjFzZHRJemJHZys4cWpES0IxL0lhQkJrCmpvYXl2UGhwbnorbDJ0UktJYnh0\nSWdvYnNRQTVSRElMcVpReXdpZEVWTWMKLS0tIG9tQWtBODhUWVBFc1VzTmJ2dml2\nOCs3QXNJQngyODVORGVUelBPeHJHbXMKqPYMtVEfxGupyajiFv+yTDLL5r5O/gx/\n/631GB9yCv6idwRcoUAV99dj0Gsr1IQwbBJTWb6d2o/ik0JkkeNJfw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoY1JvTkZEZlp4a3Fwcnph\nU1hrUXpPd0FRQmtwN3VMdldYUmh6SmtzMlc4Cjc4ZU14WVJaYVFabVhhR05DVHov\nMEVmV245RlM5ODFMQUJoQXNrd0VrZDQKLS0tIEdCTlh6SVNyUWhQbytKenROMVRp\nUjZteHF3Nlg2T0gyZTY2VU5GR0pSbXMK5uUemFhCQNv6YmcWVC0CZ+WDWWDkKuYd\nTDHuT3ltMEn376yKTnHxqoi1fMh1rM/nSVtYiPqDdKJSiuH/HoBd+w==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMUTdUZ09jenBJUHprb3ZB\ndThWY2NtZDZTTzdRd21Hd3ZVY3JxdGY1WlhnCnlSWVFUSk4wQVhRUHQ1QmhxV1F0\nanpXS2crWG5UVGtRcXJsWkZhV2E0RlUKLS0tIHNzTWRnS2VyUERGY0pmZ2FDdGZL\nbkRWc2lKV2NRMHlYM0tISEcvY0VWeTQKR7m9WyBPE+9mgBGMItrbbH9ii2Y9zAI2\njJ52i2UvTbDxg64rXOc5nkYgM9rIiResRW/xK/uZHbLY7nFiOdZTTw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkVkN0YXRySHhOTmpTTHdV\nMm8zRzFDYXVRLy9qZlR4Y1NlZ3NHOHprL3ljCm1lbEFNdkxKODBKUEkrSFN1STdG\naTVGNTdFc0ZzSUg2MkFmYVNnYVJKdHMKLS0tIDRES1BuYkFJNWJuQ1p0UjFoTkY0\nSXU5dTlYbEtYOVdhMmFGL0tJTVR2OU0K59/Y4gYtO8k0W9tHG7N3bJE/xFEszfER\nDSyE1qkLxNDsVpzuBEbS3SDqBS1sPMLSXoi0DMv+SCtDJXWemEzhJA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYbEJuTURFRllSLytQZVly\nZE1lUEdPMVd3cFhKbEowcEVwSjdkbkFKWUEwCmVmM0dXTE5adkZWLzRNUmFOWnRv\nZ1lSSHRaMExQYVhydXBZSW1DYVlKZEEKLS0tIE56dEloWk5WQ05vVVZQTUIvYUxi\nR25Wa2l6ZjFaUW5aN2R1YmY0N05zd0EK+ogRcMHGDI5I13c/DkeHOVmG2w1dFIrm\nDPjHWLAaK45VLdD1qCyXKze3zm3pYdMcox0ss9tIwiZY+eqg0zlPHQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-09-22T21:03:07Z", "mac": "ENC[AES256_GCM,data:PrInJ5kvru2aeoSxipXjRdOppUNe+SFVNaDlAnSlyxHrKWDIztMs5S68AL1sAI9Sx/UMlIvcn8AUPCiMRIPrSQODAkr3OsUOz9poGMJiH4lVg0e+S+UgpH2+WLtE+F6xnCAI2i0Oc1ug67/JlHpKaKTYwalUFpIIekdtFoiOavo=,iv:cWh0NBE49n9RtXcMqlIUXFEeI8mAksNKpXpDxub4DlA=,tag:LBqRYbpoWTo1Uc6ekeCpNQ==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.2" } } ================================================ FILE: non-critical-infra/secrets/bryanhonof-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:oUF4X6GHD5SJJvxc6BIUIK4yAGc=,iv:m3FFgV0mhIvh+J4KaiZ0Mlr3T1DZqV41bz+6Uq7jzgQ=,tag:l5gjpNOe5O3Qmov2wX5VQQ==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpKzRYM3ZVMU5PbW13dmFj\nSHMrV1MvZzVKd1RsOUxqQlYrcjl4N0JUUlZvCi83WnRvVWZHdjNlWFVUU0pmRmw0\nNkZ1RytUN0g1Y216WnRHZFQ3QmpXQU0KLS0tIGVFZ0hzR0I3MHVqNnIzL0hLTDN0\nQUllQUJRYW1KVlVsQmlDVnF1bFMrYlEKydk1t2eMK7/CjFSYOvq1Hy3kB7J4HfZ4\nGLw71kh3fjeFQQJtL0Ozy8haLfrYrRo7tqZxz+475fbyfLQoHBLQgg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzdUJlRTFNNEJhV204dEVU\nNitwWVowZG1aSE1aTy8xSXpXQjNtVVJ1aDJRCkVhZFJNWUZMRUZtS2hmV2h3UHlK\nMm5sSFptWGIveEpMN1VuYVFtb1BXNmcKLS0tIGNBN3ZTTUVmQWIzTDF6M1IxTjdl\nRzc3TnErdXZ5aFUyczZyTURWL2xyWjAKdUV8zkD4BiO57G3DJ/K98YUprtl+FZRi\nD2la8idltKl7K5zWbCQ5ywqJiI4dDNY/Q9XmPjoM5Ej0RMWo+n2XlA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZU2dPbm1PVENuOW51WEo3\nTTBXRTBhMllSeTBxYVVBR1Z5YW9PM2dEclZZCjlKZEFXV2o3dHN4S0w0bmVKWDMv\nS3dobzd3a3ovM2RCOHRNZlJwaXEvK1EKLS0tIHg1Smoxdm5DUDRWR0RLTFV6T1ly\nUEhMbmh2ZjhUOExjNFJ1UG9PVkRvS1EKWYIumny7HOXcr63byGgiMZXsLrMhtBpQ\nHi/n//KeejwIQVUxDfOTENmEZN+ShwQ8rzFTIYB4145m/+PcA74mMQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:30Z", "mac": "ENC[AES256_GCM,data:bdGxTwvyMeUmomVjvPwqZdIiBFJXq0XcC6RzlhLsK5qv2EhGel6T97zDt/At6uNJwB5YScymxZuu4vpNVGdXFCAarxeDZ0+2WitMZLnSrj5Aqfx6refj6j+AgsvcAO3DuP1T7wdtvtBO0bCvorYAmBE8CsUpjxPgin2X+bFt3rc=,iv:1yZg8d0yMVPoZNlQY6W7F0pGI4j9WsUpfrFimPCOPnU=,tag:zH6AZJIlNoQxxvAIYoFO/g==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/das-g-email-address.umbriel ================================================ { "data": 
"ENC[AES256_GCM,data:NXChftwP/orYMVTkcb6QwVec4AYi0U3lFM9L2tvSfCo9MzY=,iv:XtVrvSW2cs+yGraNNjWHrUXhixa/tzGij19E7jiHiM4=,tag:sAszvSOVCVbE3CIpCNZJrQ==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmendNMVo2dkpOSGY2cHNx\nWUxzTHptZmExT0krVU1NUFZLRFlUMU5pZEJJCktxZmVuSytQby9OMlE1U2I2dko5\nOUVQY0E4cUdXNWE1Tm9wSElPZkF2MFkKLS0tIGRGOEg0S0cxeFdXcDh1NWxGRkt3\nUEF2VFlmaVlaMHVrVDVmY3NUTnY5VE0KE7tc0n0RNuTkCVIKcz5usIEY57z5Or7n\ndcrA6n7F2s2rvVEU38Gij7PNThL7QQ02TLDp7h8oV2XZHgSPTgxeJQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYT2pEaWlMMjA4eWswVk5u\nNG9qdFFuMEx4YThWeFdIc0krazVNSnhJQmlJCnlnMGFsUmtPdThiYVZYMU8wdnVy\nY2hPd3ZMSlZML0M3Nm0vRlBGTkMrZGcKLS0tIGF3ZzFPSzlEcWdReXY1a1ZKclk1\nRlVIeWtNNEU1UVA0MHU5ckU3THl2YTQKUIZLZ4jmBmJkGbN1hJCzmrNiC0RjrsNE\nqhOTzMKiYo3gFm3DZ4NyQteNFLNo8UOjsPH70Ig4dcTqD+UheAwEMw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTlpzMlBGb1BOZEJlcVNl\nRXluN2wrYU1CWjFHeDBzdkxrWnhibGs0b1J3CmMzeXVxUnlMVXhjRkxSNzVpZVV0\na0NBMjZjMjBNcUorS3pSNWRpNHhjdjgKLS0tIEFrMlhMVzg3SDNhUkNCakRWUjlS\ncmptVjAyVDFTbnBVUkFMdXIwbFhiUFkKlwPN/fIioTNdruLy4qk4tBLH9GepPodd\nKLvCkjVdTy/dAk5vi4f0dg2rlqiVXSvwHp9qyTaekfrhs/gbP2cXlQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:12Z", "mac": 
"ENC[AES256_GCM,data:GSuOKKl0u8eujxA0UKQI5M70Eo1KBmI2KyHM2g8OQXsUWqVStjekUn4DKoyTi25Z57Dp+bsxVnhK+s4Em2dZy9U0uPxisbUU94bV5wt3AYXP/UnqWb6of7EVBoSCsdc159qpmp2oPVTWCASbAUlUWF6GBCY9KAKvm/uVa4e0MW4=,iv:AjYMAlKF5vy8t/YizA26f0IvSXvsv5K8VtVwmUHH6GU=,tag:dZ25LTnpEa8AoXLiDeVEsA==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/djacu-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:eAxQaE4Z0GGJgvsSdg==,iv:0eUNb7In+x7/YSocUInNBaYcYrI7xWtDAfIyT7/COzQ=,tag:e2L1pkeyViEHH8CnwQM3og==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlY0NRenBUWFJ0ZFBMbTB4\nQ3l2NEo1ZHJXeWRFbnNlSDhvZ1ZrazI1ZlFvCjJLUEREaGJmQS9hQWhkVFdCZmNx\nb3JmTElFcnEvbnNiaEdMU0VoUHMyM1UKLS0tIG5OdlFCVFd0KyswT2Jna2ZzcHFR\nNUZ0Qnk0TWhhUkMxeWZiRUZCZmNnMWsKaSyDpJ4SiKd+do/KAksA31n4IihjcL6r\nhnZ6LLwkIirFSDvgxnM998tWWpGYrRCaGry+ZpWTkmfwf/j+NynSOQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzeFh0UTlNTGRUU0lHU1pM\ndVR5SzU2V1JmK2NaR01lQ285NStHNW51Rmx3CmdCYis1WmZxTEhwR05nMWRTR2pV\nODVCbk9lWGpTVi9FbG14blNhdG5NQmcKLS0tIEhNZUR5bmFXcHNDditLMFJDaEFy\nU1dQU3Z3NHkwZ0U4WDZUbE5IY2JxUVUKC5x+Kra9bzOjX9m2m4zP9xD+gBAHbntk\nuUj7BiAhE1syvMAZo0w15smwrMwAL3n+1yUb1cUOseAtPnmHmyxbow==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2cFlFbjJUV3UvWS80TzZr\nUzl5Q0dwWnU3Z1Y0NlNmWGdkeDhJeTlZeWdRClFRSG45OXdJQ2E2bHFnczZhbC9R\nYkJ1cVZCSnNCRmJ4VmZSYnAxWlJ0T00KLS0tIGUzREQ2dGFMODBHNnFkNE1oWUtj\nc2xBaEFFWmkyMjJxd3VnVHRxNUFtNE0Kx1oOwbdd0vkH/KSWu1cNFED1BDWceZbx\n0j3ZIltZ0e+JzEvz2ofJwASZJBBROWFYGWk+C8KGD5CtUHOOr2UKKQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-04-05T14:28:23Z", "mac": "ENC[AES256_GCM,data:ljYU1gtZDtOdWQLP3aaKCWjK0fx9wT7pTv2sPUvJt7ZQG39bz5cE+Ij+pe8AWt1h/vTZv2gTyowuSIxMHeuZ/u8Ws5JkGTHASui1+VgSF/ptn/KgQLWZqtd+1n5C61jTthooUTdPSAk3gVt/8o4K5lx8CEqPr6W0lvZdqtp0jos=,iv:+G1OsRWIiDtvuREDtG0+W5cPa/yLuWMu7fjTUpiVAUY=,tag:2MdJVCiqG5TkMJH4ed3Nmw==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/edef1c-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:olK8g+ZfUzQioDE2,iv:ar2uCtJq8TsHG5wwtav1bqeFdOpsnPTOvPQ8Gmxso5c=,tag:qqNpfWcM799dDM2wIKEosQ==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWSXg1MlNzLzBTK1NxcGZF\nY2pSTWoxVHZlcVRyUm9FTGtwUWNjeFFMeFRBCjBQcnFpRjk2OGE1b0pzL1VoS1M1\nTmVENlRXMnhCK0VERDBQQVpnQlVqNWsKLS0tIDBKSlpSek1YdlI1K3JBeGFHUmMw\nbmNHcm9LRE5IT1lOODk1TDliTUxtMEUKQ7joZh+ltgsWfpfzMgpOHm9CcVcKxj7f\naHZbpwEPd6qCQ+9Z+FFdr9wenHTFJ5D1tXrIoJTo2qzk+VfaQYKUUw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1RXJnSGtiRjhRcFNLS05R\nSFJTUUs4enlaNldTVlY1SGlOSmkrVnVBUFVjCmxkWWIvTk5HRkw5aXZaTzBxOHJp\na2p1bktDUUlSbUsvT0dqN3V4RU1qa1EKLS0tIDhlaXZWcTlrNWUzeGRNMHBUeXhu\nS2FSZGZ6UC9oZDgvV2xyYUlPSklOdEkKZtXolHiy8mMpiXN3fYVGf8LePUPCpZvZ\nbT+FG79LvD41bsz9SrH+o/FmmMOjwcAbZxdw4e1h6ftbxPCmNrrNtA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3RG9vdHJqUW1jdk9SdDFP\ndHBDZ0dwTVB0ZGFxb0c2bU9GZUJLL0M4TmhJCk1sNWVsSnc1RFRSeXhzOHZ1ZVpa\naTY3cUlWNGhWRHUxOHhZMUVoaC9tY3cKLS0tIElad3k3Rks5YWRTdllVQTJDaFJH\nWHFZSGtjV2lDNHY2QWVwcnJGMFhuWFkKC5dcccogfUd1oY/iafRzGdSS5PpKdzZV\nBwOBN89fshSPGEU29AySd+qXOC0WXZ/iY3tpH86M69sDrrUYOrGInw==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:53:59Z", "mac": "ENC[AES256_GCM,data:bOfnrINsRSacHJe2sdGge4JseZIkKoBr4uDbYMo+gRpXUPsEXr8G4ilYN8PTV21nBhl64w1hdwlcCTz3Ret0ZS73HVlDq7dzMqRftdePam5QJxrL9kn9tqIezvhiNoulzcPQ5LFta6RbcCY405IiIfDNNv8XFy4yLnq+fJpnCSM=,iv:xqAzo7L50+8XMTVoT5r9Lu3A9tfjQ1/hoB5Qv2FGXwU=,tag:NdHPOykcvNGvSSwGCwJoCA==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/edolstra-admin-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:BfqImaH+VSFNxZ6VEe+ZDiTYcB/WKTD3,iv:dQB5Wh8KB/txZjQGkE+8JaN/DXk3XX05VIBYwd/kXys=,tag:EFfGz1JiiA6AN8kku7m1iA==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5Q3FaMjhvNWdFcHhaQWlS\nMng2TngwSjZOTm50QWJEZVZqV21WRUR6VmhZCitPVWgrVURwZ1hLMm5QVGtjbzZ0\nSWM4eDJDemx1Q3BKajZEMnN2UkZraU0KLS0tIGQwOUxxTFIyTHVZNzlLSlRZblJF\nYlFVSWt0S3RabkdHYVMxNFM2VjRGaFEK/ITaVlCVUVLeNooHFvmdffVlVn5Mm2Vc\n6gH90kMH2XRPaojpMN0hHOLSYgD0HYqyOTAlhmqaVE8/OltAlORD9A==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzcTZJeDB4aXB2WHZOQmQ0\neU1oblpDVUFIK2ZLN1ZvTXloMUcySVhhZUFFCngrekw4T0dtTnlRczN5eG1vWmkr\nSVA2QWk5WDUwaVRLekkxVFhEZHUyTTgKLS0tIExUaVZqY0hBZ1o0Z3ZYQk9PQk9u\neWZYamNXVWFFYmxsZDNDKzRqSmt0QlUKzRivObwIkjf5TgZ3sbX6btEVVSP0g+rN\nRPP/Jmt4GC89YhSEzfDstod+m4wfeDJTiu1Oj401f77suDisZEazoA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwdHJNL3hHNElaUSsvamVn\nVitQclZsNzRLY2RsYWtoS0krVHo0R1dleFJ3CjVIaFZWVEYveDU3cUhyNEt1Rk14\ndmxRV3U1WUR4Rzh5NUNQakRMaVpJVVkKLS0tIGxlSm9HWU5DT2VGK0FzcmVwd2h1\nQTFZckN1Yng5Q3hIbkU1RUlnQ1NJWUEKS2a2qdZQ550diz9f3TuHjxhf57wkuWJ7\naSJ0nq8wfuubmYoZmdhf/YcuLdEnz/XYO33tPqyLef9yn+vJpU/Tbg==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:33Z", "mac": "ENC[AES256_GCM,data:z91Y3V3j3cGwssk+VBW7gCCUfZ6p93ef1TFTaDtch7uCgtOXXmMcD9UxF0NNT94hCih46kWtbwYvPU/7LgDKbjmV2C+ILHrD7z7RHRU3qteoybIR2Uk+ORtaec1vfjt9Qeqf/PKBckx3/uXvufKP5cpMaIrsLKNROTHvLgaXjcE=,iv:ML/pctW6YQQTkAYBZhT4D7h6VoHLL1AFwUE/3BSi7Vo=,tag:FgUigE6ph6389ajItAglqw==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/edolstra-email-address.umbriel ================================================ { "data": 
"ENC[AES256_GCM,data:P/ICBtclLOI2y/G0z0d7cfUW,iv:WM401Rq0v5spCCCaRZCdX3/3qJ/w6PM+rsJ/NyrLJ6A=,tag:+Xie8cztUsp6OmQ6uDneBA==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5UUdLa05kRVZXazZQRWsv\ndmtBa1EzUEpicXRZMGtaeWg3VzNBalFGT1NFCjc2WHhkcSt1b2hRaHNsZE53YUVj\nOWZqZlNSdXJrREYxUlNSQmcyc1VOT0kKLS0tIEdFRlJPVWh4R3BXSGVNQXBLTFdZ\nb3VqR203UzJDdVkrZllVMnZxKzR1VnMKMO9pZh/ukJslEBGIYioJH8DJV4i2O0BF\n7D64/8ETSaOAIVzt8yZOpXvRjIwxbsEkNoQSf7GGm5ynmCzfJ7V6aw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2N0VncXpkejZGTjV3Vmxs\nZVdBaERCeERaK1VtTHFObk9RMlYxaXpUV3owClcyelZ5cURmUmNUaHZtU2NhN0lZ\nRjFWZTRIdHdQNDU5ektHbTl1L0s2eUUKLS0tIGJnUU9mL2lQa0R4eXg2UkpYK09x\nTXorMUZSakJPVGFSVXNlQTRGZlV2dk0KZ/qJoRpK16fjbG2wNQ89UU7Jz4AiX5cT\nOFKZ1pQTaUu4BLVkXebnPpkrjmpSwxxOQ5cCEbq0AQkzSX54UbkUHw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNOUQwcDE1VVltc0VYMkVs\nU01vaWg0VUxhNnBiVmRoUUpVaVcvZlNsWVdVCjZRekthWjJ1MDU0UGNXd2hheXBn\nSXpTU3RUOXY2V3F6UnA3OW1SMTFobDgKLS0tIGJXWUhyTm1kMGsvN0lpdkRSUmR6\nTUsyK0NQS0QxYzQ1clg2MTdKVjhTeW8K+QgNV6Iy1BOq5SABcYOVq06hNpW+k4mB\n/WIcvefIjDDg2QAYZkW2LjWnBLjBi72U4VKFmj5UF8zEUFZeRClLGA==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:53:51Z", "mac": 
"ENC[AES256_GCM,data:dZeSkgRXajdTJuSNst1TTUXBabgcaoL5AwhMsRQVyasVyjpVXU3RRmqdHU4/EZEIpLs3pAFBx05mX668h98tIudZkheNAhoWhG1FIpzrA4AacGUGYCbDmCQ8z2sM1UKTJFv6/lM2VMYGGGsADqXL4u9omAOIQ2AdLElNp9r2prA=,iv:tfifFZ8n6o/ZkNFCFeEHaBoqM613xNaYXVfyeyoHKsQ=,tag:wZygpKvhVGyqaF8l8f7UZg==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/edolstra-foundation-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:jXei86Qti7mGFUbtSN+2bGkj30JgLajEMYkOQhI=,iv:b5+lzos1RJEWNH36xCwQS/W1LHPsrGd33zh8vuLw0w4=,tag:D4fGtRAeP5SaYtbtB5XE/w==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBbzJ6U3ZudWJpNzAxUEVZ\naFgwR0FjWG1jVEVvMG5ab3p4WUx5bjBzNUZvCjhDcUpWQnNKRDRoR1cvZkNrOXYr\nOFdsUUtFcWhwMi9IVSt5MG5wVjY2cVEKLS0tIFBsZzYxNTJmV0hBRUdYZTU3RmNv\nUkx4cnp5U2MzS015QTRSTkpxT1NMdzgKgbfgW0kFAMf2QlwSpdvLJiSmg6040DYb\nZvcgVXkNizcYvn2czXwFpMEOPptiA+OFUeVXYYmx6Sgo+BgUbjKDvg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWbndxelFoUkFHVmFpVmJ6\ndXNvOWxXSE9QaEgvMk41ekRwc3VsQitrcmg4CkVHME9PQUM0My9ZRGc4OGVIb2Nx\nWU1EL0xpNytNRXdUSXpEUjFlc0dYV2MKLS0tIGd0L2VRS2ZmWjVZQmpEYVRyQWtX\ndytzVlpMWHZHWkh3cWhhRzFkb3VYclUKFT9ISZNBJ/0hu70M3Zz1A6fl7bTmRZOo\nVNsz9ydtnZMjsOOhaQi6zI2HdTCLEC0HoI4IqXza/6fCXbJ00IDsGg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBONVdZTmwzRFd2Ym5DUS9Y\nZUp3ZFA2VTZYdlhUZnE0dmNDdnRIYnVyODA0CkFSWFE3dFdQZUNFUExnb3BYVHJ0\nS2NkeDM4dlp1dlkrVFRhcHJpdjNEZWsKLS0tIC9oVFhHQ2ZsY2R1RHhoeUtISjVP\nS2RqbEFVWHJrcG1LUzFXUWdGVUV3V0UKGQPDl1K4IWysN4ZFfx19ibgMUw/Fuu08\nshhbKqTHwjDwwTzwoaMkgh+2AjmqP0rwFr8hd+rZcN5fPimdIEhsFg==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:53:52Z", "mac": "ENC[AES256_GCM,data:Q7CCyy17DXioU1i/1EZH4xfxlvW+mLJq29BvH2WfNeR/7/dvp0wu78+YJXohbRzaMkW7wqIKCBwvaH6OG0xVA+nGunlLoLdyUjePNuxr+UG7T0G3AqbAvOPkqKDkmFnVWeR2kqOdxlaVKeyF0IpRfaHUo40alKN1/ArMNGNUfls=,iv:WkJD7WjBcGOt7aDeCD3fv4eXiJGcbMOfKvH6WqG1lu0=,tag:MRSLaG6y6/mokYSBSIbVBA==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/edolstra-summer-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:1If0PoaPxK+sJtOAuf6PQb36OmqfZEP5GQ==,iv:riQ8eyLgDqncfveonjbtYA1/1LZP4vbnS5NOUc/kEAw=,tag:QKMOE2Ys+AHB2E3cZDfnGg==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2WDJ2SzRWNDV3R1hjQjVj\ndVFnc3dVRVFlUFZNZkFmdThkZ1QxRTFEOXg0ClptcGJHdHhHQS9wMncrdDZZcDZn\naGF6RlNoWEFrc1ovT2tYY0I0Nit4NDgKLS0tIGkrMmloYmt2OHByMWxocXdPSytj\nLzBNL1dnQUpDOWhMSHIvZDh1Z2xVNkUK5tzxrjBCTTBPGqUxGKeQY+FSseKLens9\nJvIXDhWAFkC8xJLr8D+/BGZRFZIQEbk/5hOLv0bsjc/no7Wrs6Zlzw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvRlpvSWc2OHNJWE85RStN\nUHFGazNnd0wxZWN5c2hRL3lJSFdDNENBSlRvCi8xRk8yOGE1WHdwM0VsdG0yOUhk\nMVRSK2tQZXFYRGtibHd2NGNIZkVsd0UKLS0tIEpWb3BNNDQrV3RJNzNlY0Q2Q21I\nZHlvdUptRzk3c3FnNmFEVnFSdVc3bG8KmncYZ8jB9sPR0pC+OXoBo3j/1bitzQjH\n3fAe5a0yru/LJxWloaCgD1ipY/QAePRWrL4B3PjDp4J9Wzzy1KfMRw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1SWk2d0VDb3gzakFBS1Q3\ndWpGK2RDS1RuejM4VXNlTDZSWXYrWGxhZHk4CjI1UzBXcE5KenV3dWNTOGZTMEtt\nMUwvZEUvc0JET05QRVNzMC9FQkVEWVkKLS0tIFRNaHlKdWF2ZE1XcHJQY2JFOHlF\nZXcxbXJTNllITTNkbkFpVVBBc1JTd1EKB/3xLQcgdBejEQWI0YwdoYhCUsh5HiYd\nd1bn6Y15kOHGbhjNH8pwhuRN0sJZSfd5PqWoMdF8X8d0oMUcLH4PCw==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:28Z", "mac": "ENC[AES256_GCM,data:iCF8Wh4FcWtAl26fNUFQn7cduq1R+AAzfOV4SjXC3MC281h1Q9PxIcyXkw7gGydTpriLn2GDyN6mFFayqhfygGN98on7DcfUMEWwULOTa/6NhlYU5+q8jVgHtWXuNzc9yfVYssfkb8rM44rVnDzIfevlJ+3yB8s5MifgiOHz6Wc=,iv:Ge2YkGE+YBIKDK/mhW6fnvMY/GPZQHv/lpw+nbpK/HQ=,tag:3uJ0+aBvOhjyH8IL8XfgBA==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/elections-email-login.umbriel ================================================ { "data": "ENC[AES256_GCM,data:7tM+BCtXDNpk1YUziJAViGflNHSdVDuktlaU6XwGONxMwspUKiLv4m1sBHH7U0AW+QJBbRtEQssBl/7bCQ==,iv:FGICEI+5TP/+a4Cz9yWpIraPTZ1AUt2dKp4F7ZJI4fk=,tag:NrIhcCAiASj1njHn39HVSg==,type:str]", "sops": { "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjdkJlV1Q0NmZEcVVnQVpI\nVWsxdWd1RVZMT3ZMVWhBQzlyaEttdFpFZjFVCi8rQzkybHJ5eTgvU21PTzZyYkhN\nNEM3enJRY3dnSXF2Zzkvb1pscGJDWmMKLS0tIDRoaHZheGVjc2ZZdUo4SzczRWlC\nZEh0N3BsVlNicDk5OHhaVU55ZlJ5azQKHWQhNSoeM09Kd2Btl5xhFg1rbbvnJIik\nuNCO7rYCfiCJcEhv5OaXMc7EKHdBRmxxLz5TAnaqN4/pCnIBhc08Jw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUVWlFbFRpZFhNQSt0Y2wr\ncUdsV3ZzNUp1M2xpenVjdk51MEpoQnB2aVZnCjAxek5qNFpGeEYwcXVpSjRiUCs1\ndVlaR1NJaUx5L1ErdUZ5Y2pCekU4L3MKLS0tIDcyYmtmc1o2SXF1bXFldnUzZmU2\nMnhRR3p5T1dkY1gvSjlKbDRKVEFQTWsKS/EB2i8sDp6FANEUrVKnShcIzTslnogm\n0HCWSIorOkqTFHawAyE/oUk5VOyU4JdkSo4ZFlzLdosLq0zWwCRHpw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmcnY4U0hWSTNYVERxUkg2\nVFpISVJBSFovcjNFUjNTempHZFRNNHM4S0JnCncyWE9hQTlZQzVWbHQ5dm9oeUNm\nWHAyRTJUK01oY0JqcWdQMUllbWovOW8KLS0tIGdhNFhYK01xSnoxd0hUVWFkMnNM\nMEtYT3ZJS0VFRWsxakdSUFFKejdReUEKgmZC+EQAvQEsOvfD3hiyVaFtvC2PWVlH\nqE4RIThK0CJ32zBq6wJGYgBC/4IDQlszlZiClbZ+LBbVIDerAtvL1g==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdXhkRThjNFk4ZGgyYlUy\nRjhnVXYyNXZIekhUSzdhVXlxNTRvcjZpSEJzCkM5d3U5Q1ExMDFnaFVlVkNTY2to\nYiszbXlQdytMd2Q0UXJFVzJxZjBlemsKLS0tIHBOcllXZi90NkpJbDJVMFJ3NWU3\nVlkyampzMEsraXJRWSt3RDZ2Qm9IMkkK9slGDyDWQHJFU+no8i9AjrriDDTypuzW\n8xFqF8dHVZRlHDe1JldwI78W+90oqRkwD9UPqhB5vNC48xSd77Pq6Q==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTYkZLWWxKT3N0US95aTJ3\nc0VEWlJ0bkljUU5KRFNtdFdDdGxBbVlPU2pFCnZLVW8vZVpLU1E2NHY0eGRqSUp1\nNXg1eVMyeG0wVVN3b3dPN0gySzR5eUkKLS0tIEt6Zm5pOXUzdzk4L1hHMm5EeVYv\naVdkdmdVd04zUGpLck9TSmc4UEJoTXMKh+8YyhlQHRmshlecrFX/7CladcbrWVeQ\nLurJ0L29X8CDGF1SwWbQ5ZyBQbGLuqYc7h1Co05cKaUSNcLTxoAvWg==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-09-09T15:40:03Z", "mac": "ENC[AES256_GCM,data:haLAj3NRhlAzo03vNUKT+Jm7RGj7AP3CNfC38PYTFeuI+V6UNFbQwXOaEcwnYDOpSJWXsGgmtYDCLaRBbAN1HpgvFIhviv54yQU5NW/tEmd1EwuSQQMyeVIPkwwQOdfDgL2YvoB3LIEmX46KKH1iO+lL72jxEB3aFYz5ktmo0yY=,iv:M5YIOM45DamFiyCLGiC3GrdKf74lazYnhleErQnTbfg=,tag:AAlVoGY1nSJu2FwdlC+xHQ==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.2" } } ================================================ FILE: non-critical-infra/secrets/escherlies-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:GNknC/aCGlRcAl4JlkKLkyaluU4optI=,iv:BFn+TyosPAB/DR+ymWKR+iI40DF5PrrIi03e5OZjItA=,tag:AJkzPZ9tefszOES1yhx1HA==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJN3U1eDUxTVJvb2I3b3V6\nVTNHKzg1WHp5QVQyem5kT2pmajVlM2VmdUcwCkJMcnNQQnErQndCR0M1dVNjRkJ0\na3hETG54YnlrV2gzWHpINHNjdTFibkUKLS0tIGZBcSt3ZVJzdWVFa2ppTllzUnVD\nWW1jeG9hajUxTTJsY0VmTVBEaEpWQW8Kzq1LeBHMldkfo9bcmtVXaHnQDx0wOxUE\nPyLnc6tlS4yzylUJ2Whd+EnmNCF0iIbOtLPKzv0niVtbgQONCrXkFQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpNW5RN3A3WDg2b3lUeHdH\nR0dudVQ3WmErOXhMRWJFT2IrQit5cmlGY244CnROa3BOaWRoSmsrUGVKZmhKa0g5\namF0M1F3YkJBWmhSYS95UWJvbEZpTTgKLS0tIFJLOGdBdmE0UnpBQ2lZRnlONE1k\nOUxIOVVlb0RDVlVPYjZMOHllUzRmMVUKYbeLKzwIfgjBsyFPuFppwd+mrmQJl+Uc\nM6Kc8LcuH6knJzhUZWeuOlybQdvGyXISDN3azLosGLVadpx+4xAwxA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiajJkMEZxM0N3aUU2cy90\nOURBQW5uRmk4bzNFYkh2SjFMK0FQdllON1g0CmJTSElrT3pLazdBYm00UnlpbCtD\nbi91dFFqZy9jeHhRUTdXeHRFaTI3dzAKLS0tIEFjOXNWU0p5LzVESWdIanNMTmZn\nNk9iRnJXeXZhMnladkwvKyt6Qnl1VjgKuWsRsAftEeoWIeWChTTC7Uook9RpQ3hu\nfOFVNK3+EzMfwHrtUbSoVKhZcszYrFQHCKkW5rt5GkzR4Vfy7ijO8Q==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-04-10T19:22:57Z", "mac": "ENC[AES256_GCM,data:ozpkoaEU90s7mdxHy2LPnYuWdG/Dkm0YyCeMA3mNthvfbiiZDLKn0Q/mUxoRkCG9/T+U2ulmYLFNj73rAzuotYa6qhQiIeGI+7lsduWAxfNQ5SpK8+mfHV9B0lpKLQQQ0oZ0TuxvzjA5262WfGAvmq4g/ArV6/AD+xiVK3bJ0bw=,iv:dYJUwrv0wyKFiaWU5lWQ3sObMkm8Fk+KrboQ/28QWoU=,tag:BxUwwh1VC8dkhTyz70c6hQ==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/finance-email-login.umbriel ================================================ { "data": "ENC[AES256_GCM,data:iZoRESxys4WFqUm/zDAGo13MTHAPjEK+WFemjhDPPtCj7MyY8h4hIJXFtByLiR7Wszpjx+dcATgiIdLHwA==,iv:OlR2jr2wX7pOLgKQzsFQWIYC+wkLDrfrhjqaOwHmk44=,tag:/y6s6RxYmNkyYFi2LA3XwQ==,type:str]", "sops": { "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGRy8xN1RoTmFielo4WGh5\nVFowU2gzMi9Oa3hlR0N4Uis1VW5NcXRhK3dBCjNhdExjb2NwdkwyZXlNWXVJMTJV\nR2pCVUt0Q1R2UytKaHROdzByNDltZkEKLS0tIFZoMUlvZlJWdzg3Q2M2a2RHY081\nZmtDT3Q0TkVUc3RWZnF3cGp2OXJoeGMK8cD5kslSNjPH1FQzyLqsdvrZr5yTAynz\nrLczLT68ofsA2ZEmiMA+Ee/xjukBRvm4UmiVAvT6iSljw1pJ/sbrTQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldFVnNUFUWFp3NCt1WE1I\nU2t0NXIvOE5zZVJLdDlCOEdKeThURGRrMHc0CnpvRkg1ZE0vWk1lYmxxRmkyMUNq\nQWliOEptR2JrTHh6RDU5eUhuandzamsKLS0tIE9MWTl5MHhSR1pWeThQWStTRG9s\nc2JEdWw5eTlTQ3Qvd2txMzV3WjlWOFEKSuQsIYSksdx1oyRWcQR2VfHKx7SLUPPM\nuVtRjul0nKE4WN7Sdp3pU+YyDJulUdHHShbKpaEAv4CEM3f4F/xOyA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSWNJc3dkTlVZU2hGcUtO\nQlVlNXBBZlRXRWdaUmRKUWRWWUtMbDg1dWpFClI2NTc4eCt1ZnZCc01Ud3VicGdo\nMm53SDBhVnVPZkdrZ0dtaUIwNHdVcFkKLS0tIE00NzNzbVJvYjF4SXNnblFTRFNS\nV0JlN3Q5aWdtQzNncFFkSm9xUFBxUk0KZfE9BmwUN2kJVFthkIKSocCekZa/+r+Q\nfXDJFS0n09WmJLhrk0DdsJJHDKg4thkC6HcmNg03PA0FU6PGdIq6ng==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-06-13T16:16:06Z", "mac": "ENC[AES256_GCM,data:YG+3AQ1nDKdQ9lGkiKorybdHKDA8wbx5kJkB0RT3MAB3grazK43ZGB75022BZG5bdMafXCznQJ1eDcDwhDDK+MPKtWUfQwVIhsbQ26IRxA+cf7aR8+RQ7rFKIJHounc4gRVdfj89oI29SFteLFwtQHqO9BJiFK5wI+JR2FbgcfM=,iv:HaQjQ0fp/F/Yg87mFi8B7oeFwhv3hYEk/9q2ODvC4ds=,tag:Io1oYOfpN1lE0xwsY5SObA==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.2" } } ================================================ FILE: non-critical-infra/secrets/flyfloh-email-address.umbriel ================================================ { "data": 
"ENC[AES256_GCM,data:l9rFe7HXxOeoSBSWIC/UZ0qF2J9KrkDrf+fLmu8hk0AbjvN4,iv:uqsn+2R3ItVPqaYlSeKGurdpSLDMOwwxAYa+sL5/nck=,tag:w4y+zofICiPFMIzRGJsW9g==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5Z0REY2lpWHlibStKSndn\nbWlzU3hHNHliRnBXZmIyREZySGZhSmtCb2pzCm9ZT0dhcGhmdEtFcHM5TlhYbStL\nRjRwcml2a3NGQTd1c0ltSzU2Z29XYXcKLS0tIHhIdm5pNFZaUlBwbHRGcFJ2SC9v\nU3MyUWRYOTVtWjc3RTdlVHZpcVlSTEkKmbtkuQvlisrQcsvGy7CE67mwxOBC7xkd\n/wpdqaoXkQ5X6iHhbJYASPEjLxxyl0f1Wr2G3nlabcmvTSUitVeBmg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPbWpxdUhMTmRwcU5Eazht\nVnhhQm9uRE9MRXdqb0psTnBwZ2dHclI3MERvCm01RE9QbUFFTzYwUWhvRjVsZjJw\nK1ZmSUZtdFVLSUVLVWJtVmI5dTJiaUEKLS0tIEZld2UyMldHTERsZmIzOFJYYzVH\nRlRDOE81RUl5ek4zZURWOEdWRjdPVVUKRtMstBmmndsfmell9apWh/VMHNwZLpFI\niUH4bOD6Kag8QddVqpNIJ3vPVn54mVLmfUslDv2d0sjHiyMozyGsLg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsUjVxRzZqekZjWGpEL1RV\nMXJrU1k4VzUxL2dmYk9RbzNZcXFKeDBoUG5NCjRRdUFBT1lMWHp1STRyUFU3QnQr\nanI4ZDNaN25pMmJoL1dNU09wekJ5YXMKLS0tIFZMb2VvUW5BdnZBdzMwbXdiOURM\nSkI1Y0FHc2NrOEpWYTVtU0JYTlprM3cKFHlRoWU6J4nBcVc7IUHNlzkFh1l96Rl6\nigN0HFfCniijU46lSQll9J6/M5TkbsUnAGuSYiddGAUlCUmD64gnWw==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-04-05T14:28:24Z", "mac": 
"ENC[AES256_GCM,data:sCLqN4YsIiMQVI968FEIFOcqYAYJP198OSbEFosGq5CHfIsSWAZEDw25hWF6/3j5jvoPld++poexBx4i/8XJ7pXZY2O42ezDgATU1tQehUSJxuJdcQTV7Ujk5Z+ZWQl67jk+6YP3XJYn/O4zQiMP7xpO7+eB69iyFP+XQmMRN6I=,iv:wn2m+MV3Tv6w5FDmFoGxq78y01yiFUdddLGdNeqye3U=,tag:hRCRImNqUlmOK6TxUjzuCA==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/fmehta-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:rl1p4ISh6x7O4wPC7besr63fXQ==,iv:9JvxdbtKo3LU2Z+NItRpfazXlOlQe1D21RWKJFnHJ0g=,tag:W8AOd0kIggnUKVFXRd7K6w==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6VVVVZ3g0NWlzRUxnRytV\nUC92dXQxSFpWWTY4a2FHU2FFRmZ6TWlUc1dZCjJiTERVQTd2NDI1WnNJekpNRnhr\nSGRWMVJrdTlJdG1pcTB2WFBJYkMrNmMKLS0tIE5vaEF1RUt5aXVURW1WTURRNkdx\ncG9JR0cxaW5XZDZhWTFRM2dEb2k5QkkKNVcQXYikIpnTyGyhoH5G86Te+WBJIBp6\nBoH1qq1VVk1O9MioNtCS0B8LjIJBgKt2soS6fT3hrTEPaomRScVJfA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhS1dxYWg5WDlscllSTllL\nSjdCc0tmT2s1WDVJQkt2dEk5YjdTVENNckE4Cmt1ZnNsbEVuUzRkcXN1d2hGQkZ1\nQXhCSXZWbDZ4Q0N2UTBJTkNQUXpzaFEKLS0tIDBHTE9tY2tsMkFXSSs0S1R6UWdQ\nK2lLUDAyRGZtaEpmSWpoYWN6ckVaMkkKKziG0lLoHtQOTakMpUxtuG5TdkhGFtFR\n0ZhwirHwkCUMDfEUHczwuREEEypsTXAWwnnBZ3mtFa017x9prbcKCg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3L3ptaHAzbVNsc05ySWxz\nODZCaHpWSTFuNERWVDdHMlZtZEplamNybUR3ClVHaXZaV0tVNlk4SlF4cGVweTRU\ncmpVd2FmcXdBZjYzRnVJajBiRnFqYlUKLS0tIEcvWklqZThJVGxXYWp6a045NjQ4\nTG5oeFpvR3pVazdoZW8yeDJOWDJXTWcK8zSRfzjgP7EvizlA2gjmhqcblWH1O3aH\nJjmNGr0o6uQDWEaBtxpLlPOhIJZvcP1mP8eNMCfLiHdEcGakg8edEA==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-05-09T11:09:08Z", "mac": "ENC[AES256_GCM,data:LXiwdWODDzSwifZXpyU352EkbVoxcEwWD0aabY56BpmKeU2exUJwg+CJHD1VIKNesJZ8oF6q5yqah3+KNg2yohh9iqb8Z1clqI+laUjmvPs48juYGaoPR0iOsoqV99+c2ETHs7pk/2Iyes5tXdU+VwB1s2QY/QRSzYx97EEWNdU=,iv:ALdtZUZH9+G+jfoFB+2anpad15eLDaOUH5T3Yu64hcI=,tag:r3N38OGg1NOenuF2xF5Pnw==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/foundation-email-login.umbriel ================================================ { "data": "ENC[AES256_GCM,data:SjwOmC28ufjZFodhZ2RGaW2k1jWNgi8984PekMr3QjhTKjCIWmBSao85PihY0WEvwSZeGOH4X7as3FpjgA==,iv:cZcNnNOVTwDWnjIy9K3p9ZPxzxLoleOn3jM8G62A0wM=,tag:PsbNd0yI9U/SwFGlSXVqhw==,type:str]", "sops": { "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxQ0E5SmhEM1hrckdvN3pk\nWGxLTGdTZWZ3Si9YdEVoWTM3c1RTTHRLdHdVCnNEZVcrd09RdDcyWFVLUzZXMGp2\ncTV4Y1NJOHNrUEdKYmFnbEFzZmpwV28KLS0tIGM2eEdWR2RranhTdGs5Vmw5Mjkr\nNFVra3dOOTB2RzFMVHUwdU1vcEx5T1kKmCTc3zw8lLUYNKA1ne6SnSlQiBHfvILL\nU6GtEMN6cJfCIgLbc60Mo9xNbeP7/kn4D4YJugT4wWAGdbrivV6DxA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhYUV3TmpnWlFLNFZRellT\nT29xM01VbUJQNnArRWNoeTJ6dkJFazB0QzBZCkdxa1ROcWFOSGE4VlJnclNIU25S\nSHlQemNJSk1UNGNoVUh1aWhqTHk5bDAKLS0tIGhxTFNHbGNjVFlhbEU0K1JTZUpP\nUVIwL3lUczNCWExha0I3VmU3TytqUEUK/MvrNcGSd5Mn1PisOO1RuJQRVlZrKHJw\n6hdWNUuIqJnPh7TVN3Q8CJxiw/r4GpQliArSLKvYMP4bv5W1yPw+AQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvOTdCTUhnODFtVjBWS3JE\nV2hrUFFJZkwxcWFWdmY0TENVSUpzbUFmaDJzCmNKZUxNWEUwVFNudXAzT2NndU9w\naGJ3c1BqZ3hLdkhkK3QxMGNIdzdCQVkKLS0tIExkeS90SndQQ2lxTGtHOFpuUlNK\nRGxIUnliUFVrN2FSRDh6ZGFBQVdsajAKJ/LFLirrrtaLo5h9BdWqytvBsxvAVnU6\n9dNw57jrmxjHZTPKx06xdp7Q6jB6d7WBu5UCHOWyya5NrtbDiA9CCA==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-06-03T21:08:15Z", "mac": "ENC[AES256_GCM,data:f6GNT+abhZzFgdeMML40ea0DBS58uGOBPuMfEEcLEk7oiIK60/xue/MhwS91hAQFQJrhl7x19lvVqJW1IDQUKKNW3b9Bx/bFOrT3q2SlleeuqeVHrpgL/Qi+8bMLnL5nOXP6wx70CBbC5uSiJILwNfl+5mHBRk5La0AYMKxxlVI=,iv:xfa4oa6N5v3+t5vIoWW2863/JBIM4JcDERije//aV8M=,tag:hiunqHRxxJP1AgiIj3oyEg==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.2" } } ================================================ FILE: non-critical-infra/secrets/freescout-app-key.umbriel ================================================ { "data": "ENC[AES256_GCM,data:jYgs3IlDta15hr1OIFMtT4HU9u96nvN0GRPDa1+TPuC+gcMbCBRWtFrFYM+/O03mDtJV2w==,iv:M6yUMvnHHe4DUDMCvjL3uQViMxbZzz0NOYlx2J8Mz8c=,tag:qm+/x0TWQwrZbh+pxpto6w==,type:str]", "sops": { "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnb3N4UitvYUg2NHNVVFR5\nVmNydmUrOXE1bG9mVFh5NkZZdENENmNZcG1vCjV6RExtL3MxUVZHTk1xVzZBSmFk\nTE1yeFRxMnpYYXJjekNNejN4SWc5M2cKLS0tIG9IMm05bVRwSGV2bjJoK1Fjenht\nU2xWVWx6TXJHQWg1TnBFM3JWSXo1MWcKnNfOufmvt90kpjiB0GZ8yWTv8UIXaQAs\nba2Ew4Ca68s3zUCgsaQOstkbh8Dszia6HyoYZ7yj1sjzaUI2AMqknw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUMlZheitoajRtWWhpRG5n\nS3dFY1NsaFlYRVR5cFZvYStjQ1JoREh0cjBzCnNGZUlEV2RsdHpBcWxCRVhCZURi\nTlROK0NJMDQrdE53OWNKdkhaVmNWdncKLS0tIDFoNXZEY1B2bXI5blQ0SVlxN0Zi\nUUpDUjYvWWM0ZE5OL1FpK3JIY1RScUUKLTur/VK1HukuFybYVep78VKQGJFAc8bC\n6XjsFe2xhr6mwfWpRW62LbxzQkjPqdWpNAilH+oQWh6EnDcjBOUCPg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBibEp5MDk0ZzQyeExuVzhR\nQmY1NnNYTzh2c2VhWFNFc285dVB5MEdBNWxvCnVnTU9oaGJlNVdOSS8rMUFiQnU3\nOWN2aVdPeFU0WWFYNGplM3hNYmRFdncKLS0tIEZyeUFMMVpYUXhBakN3TTRNOGxO\nVXJXa0tRcVgwWGx6Y0RmdmpkOTRuSk0KyAxdvgekHTatCurFIQlg74BoDwjVrw+y\n3xtTubPw6M3qW5/k1b4ClQwHVpppbIG1hQg8OG/QD+nARqSKMCoH3g==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-06-03T19:23:12Z", "mac": "ENC[AES256_GCM,data:oZOR73ZapeN5Eir+Z0BXAqLzoRdtrCbuNAsrCGh9wyCDuL1Xv478jLhVvYhe3O0+errwnAnY8/SiAv5+dSu7sJDHL0RDtY9OWjQhxdv0iTTXZUn+gci1i383pkgLccQzlDZzhtVj33HBY968KOhavD9yNhN8nSy9ow8cLzhcYio=,iv:Xq9Dwsez/HjcHr+hSQNN97ZuoUGbOVrlBTl5JigMJEs=,tag:wkPDY1lYU6vOZ6uED6lalQ==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.2" } } ================================================ FILE: non-critical-infra/secrets/fricklerhandwerk-email-address.umbriel ================================================ { "data": 
"ENC[AES256_GCM,data:7r98ncQCdw7hejCciMFOGpdxDRhntRAQtV8=,iv:OgXU1bplAt2zyC6FB8n01bF4MM36rafB2khrzluiKZg=,tag:eVpTEDazQBtDrDw5vJ8gEw==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnalpsT211YWs3R2U4VlRz\nTTNDblhScnVKRU9rMjhJaW8xbmFtVDg0Tm1rCmhiNTl3QzlzdW5GUnFUcmZQYXY4\nM2Y5T09PRUVheHNReVV0MXJ3enJoVmsKLS0tIHFRc1hSWDllSys2TTVubzJGVlFM\nMzBaenJoeGp2OEZJZEZJb25oOUdMam8KtVT2FgXxOiu1jbH055OgXadtH96Cf8RS\noF9jjKKt0eohvtPtpWwPUlXt98wg7g5P6IXmhE/bwwqYIhyEPKX9sA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2UnNXU3ppUDhTYzFzWS9s\nUys3K3FkYyt0RzIxTkxQZzJSUC9wS3VTK3c4CmhYM1JaaCsvczNpdXV4dDkrNmpV\nQmVkeVU1c0NaOGJpUGI1cldHMnZZTGMKLS0tIGI0ZUVQRWJLbWxKdHEyWmFzZVAr\nN083eElocHFGM0ZMTnNHTHBqVlk1eFkKMl/1OXKbYZ120s4+RGzNQRC0xGgd4XQS\nqbj3rzYXGL7WdzW2GtMGxb78sIpIaF6pCqvfyWnCJwIkA1zOWXXNXQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3UU1PQ08zc094aHdUNTNm\nbE9odzBUU0lpV1lOSi9PU2xyazBjNUc2cDJzCmFqcndId0EwTlhmVmZkWWk2QXA2\nWStWa003Zm16a3p4OTk0dTlZckNndm8KLS0tIHVZdS9oWFR2UFlNaWR2VEkza1No\nWGI0N05uSVhDdEprQWdOZm9zN1E3cDAKUxUC0QPV9J1Gx/dgdbXlrHjjTx5k2o4S\nddpBzzYNeoCYbmkG3v1Hq+FtEaK2CSSZCEiW6H1cBXPVLlRrusKxcw==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-04-30T06:19:20Z", "mac": 
"ENC[AES256_GCM,data:g6SzTL9thSqvPKJ7cIAsC1g5/by541c9xUjwyK+dhUOR9zbulMZsB1hcKomls762Im3CChzSGGxcbNM3SDd5M3J9hozIk20fzsngBtepkad/jV0i8+IW/PsPcCRW8Oaka3oLBrRtpGYElpzYGjBAcvd+DEIQ3vu2XxNT/Til9G4=,iv:bg655aPWGrLLG0082AhI2AoB7DgbYtETOoWD5uo4w1A=,tag:hGcD7/eHrTT+iAEhYSLwXg==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/gefla-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:5l8pOjBYBkTXeZh4aluOIsnYhP4Z3golFdUY,iv:xOu1OnuMRmOdyLkthmik9TsOOSKCm86Pu9LDMxEU+QQ=,tag:8yMSlxv0Jc5X5Jj9FiN0bg==,type:str]", "sops": { "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5TUNVcDBBdUZFelZMeWtq\nb1JEVXdUMVQ4N2NKb01uRURzWUhyVmliQkZvCmJJdklrU1FDM0NhK0hTTDZmV3Z6\nRTI5TGNiQWRyYUk1YUswNWYvbFlMSFEKLS0tIEJNV1AyNmhwSlh3c2hMZVpiTzBP\nSjN2R0tiWllJN0I2MHBPL2tFRTZob1UKj4ocuKoJJVEsGPccQad3FpKlgULP4MET\nxyd/3CcVoilLckrUfVdXZqsqgDLlflCc+XUWLtTKa4Kf7NKpT0zq8g==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXVnlwZkdSVUQ1Vk9qd0hq\nNXJuaHhDMWVQekJxY1RvMVprUlc1RUdvWDNJCjRMWFFCYWZLNHJLcElOQ3pid0FC\nSTg2Q2ZXL2VIVzhNUmhNejJHaWJRVE0KLS0tIG1NbnpHUWJCeU1Ham9sdXF4ZThU\nTytWTmNSMU5QaHBPc2FRN3pwMVVQRkkK4EtcXJM5nFtgeT37S1qBCoLJp+mmhUjz\nq8xY1Yx7jQqpVfqo4poVbPOIwqxlLE0E9E4ycDTDSb1cs6v0k0UnuA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwVmFwaTNPL0FVMXlIbm42\nRUxvVzVmeXdVRTRnS2N4dElrU1JrUjRoUVJFCmVaOWdDbktFNW9FNTIyUURkWjlz\nUDRlRmR4azl4U09kMm9KTVRRVlpmMGsKLS0tIDZxZUFXSUpLUWlna1c5T2RSZXlt\nOEE5eC9YTlZvTzJHRXNSVE9iUi8vLzAK9vafynlaUMK8HIEg1G5cGHipd7/KLIAd\nVI1J5QcdwWFUsBEfEeWGeSFj5Ov6Hbj6TxIshwJYTZ+uo5qoFtz/Bg==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-07-09T20:20:40Z", "mac": "ENC[AES256_GCM,data:y3jZg8rNwDib2KfEV9DHRWjsXZ/T+2ely4v22a5lKVAvy04D/tVVEyASPbPJAv5WQzO4+553LApXZtjcg1EbOnh351W+Fm7AcMTfOThxRxQDsOGIVpiuGco5Q4cKxtAuDDbn/2p3WKYJ4zC4WNs3kzXxmuJPKzRhyVlsNGHH4cQ=,iv:dgvNcNUWL3ayIaCTQWkR5HZePNzSmiQvQuZ9SigDI2o=,tag:J3ZKac8rnmauG0JXTaxg9g==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.2" } } ================================================ FILE: non-critical-infra/secrets/gytis-ivaskevicius-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:KPLaBfNvjztzL5U=,iv:0cZyK7BFf+nqzoRQtXxc4ku7Iv26BJku3NOLJpZSzf8=,tag:uNJOGgGStxEuFH2RrEc7Kg==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIUHFQNTI3NnExUmRydnNC\nNVNjMi9hczZ3U0RKa05ySGtTWDBoOU15blY0CkY2L1BJak5BZzBvNTJhbDVFTjRX\nb2NVY0YxVVhEbTBjSC9vQjIxWnlELzQKLS0tIFF2TlJKWXAvek41Nlo3RnAvWlNL\nanYxM0Fld1ZjYVhwU3VnUGZ3ZmNnSEUKOZHShXrCREAIb17qr+W/MAWAvuRmsEBR\n70hr+QKKMXZPGb6+565d3MulUvPRgaDOOZuO9rXGjVwT/Q1Y8g6ndQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBWVo0VlVsQzBTTENJUmZN\nMWszSHlrdWVGc2U5YTZzSnVROHp2UHBDMkF3CndKbUhWTnZ2RC9rZ3lydmFYVmM4\nQlQ3RFlrbDZ6czR2dHc5cERhVzZtejQKLS0tIG5VTkNGR0ZBYkhCUVcwUlRIaW1V\nSmx1aFI0TmY5MWorMGJUOE5lTHdpdzQKdUEcUdjpU8lWYFaFmQyGFzFct1/x3rki\nBh5MYqQVpmMDdLWq8V4eRQjnooDga7UbfwH3AxyiU3FYDCWXQvl4cw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtbW0xUVl5QXJ2bmdueTNN\ndHFZUGdjU1RPMkVBeVYyeWdrY3NHdVZwZ21zClNaaWRmYWkxcWllQXlnYlFlcndx\nQ2FGTzRBcG02KzVvbHlVZDYvN29mNm8KLS0tIHkrYkxOblFkQ2o5S1BwV1NxOFZ6\nR3dDNWVVREtZeG9KRm9VN0kzQlpmeDAKl4xEYJ7Bkt2fURIqle0KlOaRtGca8ViH\nAx0MUFgBlJswXjpaKg0+Y3xMOq2+uivDFGpj6ozK3es3rT8XIf4LLw==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:31Z", "mac": "ENC[AES256_GCM,data:AXzPMxNGZmFIf7nMaGQVjGsvO1HZkDvRmh8KTssz28vVxJ//K+wa7iK+dTREFANqKM6JBoakBk3HDdcNnzuMCeYx4SVcto1iVqYnuhWElOlIJC70cb0rrjR8RIY9xriHUuoqijPUyHCI21M+qo5+70jLXOgslG3bxqxMcg85dk4=,iv:wlwGI0afog+x0M8DlwrE3sfngOCKwQq0Qz0g7LOxR94=,tag:LwSJIBu6SW7pLWSSBRdGTw==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/hardware-email-login.umbriel ================================================ { "data": "ENC[AES256_GCM,data:SxYO0yuvUe0njmckkMQsxKaqi5oT+ts58dK/2lyAqhsKFe9R72NA+24xePUQmwwXaX/kUu7SNLLiiied9g==,iv:dE4JDxcBFp62U37snFTqMeWnDNNL+kV+WJgCUHkpnuU=,tag:ncmIp93A0X+sZNcWcQmEDw==,type:str]", "sops": { "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCQUtsZzRtSGZOcUxJSVEz\namZ6d2ZpUXlaOXVJcFlxOUtDVzQvRjMwM1d3CmJ1MStIQmlKcFYyeWhtT05yQyto\nVzJlU0JvV0RBZ1kxRWd0MklRUUt2NUEKLS0tIElDbDE4dS9hbzJnaFRhbXBoVlJZ\nZHlZOFEzL05BYmYzWVBwTTRYYWhSMTgKpd5mmV3XY0N1mZIt/hgwAorqqL7BnVvx\nPHrgOQHPplf5XaswqquW+FHi9Hha16onNVpJNjwO3VjAONzTKK3Z4w==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1U1J6eTVDZjNzSjZRRGVE\nQk5FSXZLbUNvaWRtd1cyNkg4Q3JNZ3k3ZFYwCnJ5M2o2N3ZodEZzOUQ1NTcwQy9s\nRmpFNlVxci9iZlJ1TXhiV2JWbnRJR2sKLS0tIFlyUk9PcDU0Q3JvUVh6d0tpeFFN\nYU5zc0NnOXdvL2N2VW1JRWJteUhnQnMKn/6OQaRBN4WG1gcWW6OtxeX85kvJi9KN\nQgvzsvcz7SWAmkGxeh5psZWbNPyoSAOq5mvRxdknuV3qJljB6+ggPA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3S28vaVdMM0FBUkhZeHFR\nRkthRnQzM1FEbE1YYkxZak9YcStSZ0ZSbzNnClBGVVExWnV3dU5HK2pScHRRRUQv\ndk8relJEQXZsUWFZWDhIZHIwcGc3Z1kKLS0tIGtoeitsdldyUzd6TXYwcjlqMU1V\nUFZIKzdLWjd6ZHVHVWs3V1RueDdxSmcKYysCePlz96DgL+Zu1dWkUry7CN+dYQwY\nNSoI6SSeGdK31ZXcwtftiz/lSUQLBZhWcRW/8OIIyem6Ju2xY6IQlA==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-06-26T16:08:22Z", "mac": "ENC[AES256_GCM,data:zVT702RrFBAsSQKJb//xbC1HPQv6k4QicjG14y9z+VgTyWrKt5DVQcjMF9AxM68OUkieOo3PKoDJKyiL44zdbq/RCEgnRxwUD0suCEQD79cw8fvY8iXafKXMHWZCxphEK1LEpFPXHxcex1LddixN2rcW9CZb0Q8iunGy0SaNftg=,iv:bAsnWQXyx6vwVBbUlGGjiKEZG/M0AjL4CYMoI3wWjN0=,tag:09j3LaQHDL/viYUcqzx30w==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.2" } } ================================================ FILE: non-critical-infra/secrets/hehongbo-xsa-email-address.umbriel ================================================ { "data": 
"ENC[AES256_GCM,data:YpgV18YDBjaMUdCttBDMgCY=,iv:UomDrbsro6aC51lvzdJyFLI3OZ42exlzrEsOfcckK0k=,tag:w4Wg8MDmv8hcaQrjj6AYDg==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6UUZNN2pPTGFvZ1hzTlNu\nQ0hJR2VOR0ZaRnM5bEFCUDRxUVlkQXBTYW0wCmJocjhVL29VdnFoU0NPVnY1NVNy\nbmJCTmFHeDNFMTQ3dW54SU1NTDI0bDAKLS0tIGhPdzhWK3VNc1gxVko4L0Z2a1ZO\nRWNxanN2OFdHdHRQYjFXejdEOEY2bUEKgdc0xZWxNAEBIVHM1Ocx0YdhXOD5kjCa\nrg01nZXNoAZMh+6H5+V7uNu0xb4X3cLRGGBq2nMpbmojS8oJRva8SA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPNUkvR2Y1djF6OG5obDZW\nOXFZWCs5RE9BWW5sbjFTOWVScEp4RHFHRUhBCldLWFZEbjR5QUhNOU40U0diSytv\ndmFIeU1SajRLVk9iaE41Y3lESDhRK1kKLS0tIENlUWVtNWNYdWJFdGVJb2VJWlZz\naU9LSlcwZHBqVjlvZFlRZGdZOGduU00Kk8g7+att3GfZ6SnGrOuekB6I+/scmtl9\niTYiwcZWMnHA/2ZXvbxyD6+jvrdjQmFSlHHz74JVGVLHrfXZa2U0Kw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGN1IrOVpHODU4KzdQNTJB\nNTViVGxTVG8rdmFuakxhT0hhQnc3MkpDVkhBCnFMK1k4UkZGQ2dLaU43ejJpaDVv\nS3FzYTNWWjkvWjJ1bjAzdmYwWS91MkEKLS0tIFhtS1paOEVGQytheXRCNkc5WWRW\nQmdoeTF5cHYvWUFYNHJLV1BXVXI5TUUK2HkrZb++aQtzF2zA63kJFfvxIrHIHo+o\n40xd2X9d1Q1WCqGLvamfYa+Iuu8C6U8FAzlx7avbbY0hSWAs5Ft2pA==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-04-05T23:07:20Z", "mac": 
"ENC[AES256_GCM,data:GBHZAp9QBGMuhQYA/h4H1yTvWRMSEMObQQfByJ6rh9K830vi6ERgjVvIYpgW5mhmhDWlPxf2KxuCGWpKy6c222VVdUEJWjq6QXMN1iazUQx0c+M3Cu/+8dndCxc9/qt+VISjvDCnbKu4bwddvRpTgA0LD4WoJ2HNBjZEvcpGAUs=,iv:yv6+/JKFZmQC1M1AwbEooIb2JFC0dOlw8zNx4pc3qcQ=,tag:EOydRmYowwGmMQUrWp7CYg==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/hexa-email-login.umbriel ================================================ { "data": "ENC[AES256_GCM,data:daufNxv3XCpzvIS4xUMa1Kq31gMwW0R9sJQAg6EMgso6PTDKcxHL0+HweH5j6gjOIIRp/iM66bYpxGeK6w==,iv:RNZQMIXlkeynRvxjIzrCAeZRBWd2jFYDLHNH3MEuY+4=,tag:IoeFP+alT0/72dSWLhu7Sw==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3NnBuV1R1S0lycjlpWDk3\nR3pScU10NmNZbHFvOFZkcDdDY012NHpzOVY0ClVnck9uQisvcFRKZkZIWjNjKzhi\nM2hwWVFkbWJIYjNFNWFSdjExWmk1WFUKLS0tIGlvVHRuZ09ubnVmTzJFcXB5R1VC\nTjMxNVQrQUxlRTFDODRmUGFLbFc0OW8KaYsxgxpaJkVrkKfwFzIrEJUqOI3wNegj\nGTBzi1RM5scYnokKRy3MLMAAueMoYMXdFeAHBWL0TXuZHQOJe3PK0Q==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4K0R1amVUWUhSOUJnRFZu\nNWllU3A0NThWVVh5R0FUSUFJdXBBUUpjaEUwCkRNdUJ0Q3N5TzJ2MG9zeUljK3dW\nSGZkK1gwT044WldmM2ZwVXdBQnRvL2cKLS0tIHVDcm5XVEp4eDFoM2xQem1lOWNm\nYStqWmEycnVLdi9vNEEzN0hmaXZ4ZXMKk9jT9kmsZKe/ogZpCMVeCEK+u+L4HsXw\n8dsyjbokqKUZ9XDC4swELgUs9w1Hu5Fd6Yl61XyvgST+LY10eajD8Q==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoM0VEUUtaaGRycmZLdE1a\nWCtCTUhsc0ZOODFUbnVUcjNpUmNaT1AvNEhJCkQwSG1kMU03bThpakszR3loWStV\nVXVYTHFWOXdzU2NGQkpRM1ZRbEwrbjQKLS0tIHIyU2hMbEtjTjJHRXoxUkx2by9x\nbDRYTEp4ZStqK2lJekNHU0FrRnZvbjAK8PTNbkr3Yv2YKUzkFs6zcIOV9dLNDUtN\nc0GbDj59O4kCdse77B3nZdPmN1I9auHlpknghByseRBAiAW9+zo0vA==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-05-03T03:36:51Z", "mac": "ENC[AES256_GCM,data:vddWBmA5+haGKLSn8zBIUqNCqmsH8UXnjoBaOKZJn3N4oVxFuZ4FWchoYzUjxwWZ9aWGSkqPk7C5i8AqjCv4D64ZNwiTVecw+UTadi8ZBbyQIkGVKaShtWs2OAy7bJCAc+FojmPDPp7Gf2vTjAJog/44ezN/zQi8mamTOiWVYGQ=,iv:K5kbdThrKG7VRq7gxj3oeUvjIp28zztV7Z+o+nXezp0=,tag:uRe8Ah5wfMxr1Ci06QgrNQ==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/hydra-aws-credentials.staging-hydra ================================================ { "data": "ENC[AES256_GCM,data:AIuYk16eYyTEyBpz0yyjFUbrYj7Auh53/gK+3RwBO2IuSajlrDKqahpF9IkHOOSjkzjgNH9SJejcKLvZQKiHyopZW9FuTCxkB+IhXvqjSy0vrZGyTUI8CesghqPKScxeRzEGJEM7FcSP8yk50N6m68My4f0=,iv:mdgnYTLbwvGIokCqYaNdky3kTse4Keizti5SDM8BkRo=,tag:3O0SE0aqjnhUsLHysN1Y4w==,type:str]", "sops": { "age": [ { "recipient": "age1zxcssfw5j6dwvcw25tmxs79lq40xk70h2s234hen8pkpte2qe30q9e7cy8", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLOVcwVUd4Vlpac2U3cnpL\nWXlud1RxRzd2Z3hidEVxUUs2OVBsRDdhZXpvCk9DRzhNeGFXb2NQazF4RlE0bzZk\nMndzdUx5d3lxdHRBaE5JT2tWZ2VNNTAKLS0tIGExeTVzc0hXakthaDFGdXhKSisz\nb0hHY3JwcVFiaUtLZ25WSWR5dTYxVnMKNZyZPomy4fuHDOR6bypwTzEIU/jZlFqq\n7E2z4a3kbRy/idJn+YcBd6QzeJMWmUFwJ+jpe0t29GbI4xZ2XMxT1Q==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOMWFpQUxQU2lGbWpMakln\nNVZ2YzIrVE1nK1pjRjRPbjJOUlQzb1dGVUc0CmVrMzZpOE5PSlVIWE4zbEgyQ3lC\nNlBzK0p4c1NKWk5LUkVSbHpsYms1MEkKLS0tIHkrYVhPOVdyWnBQcG9DMUMxcDhR\nVkl0czRHK29vOU1sbGh2RzY0a0t4ZEEKw+tOcLMM9szkC+/3FHhVLf1zyPK8k37E\nSHGKgxoLlhuRAbf1omydAsRox3Pn4KVGmRMr7kRtEPLOSmc5Cw5AVw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeWZrUmlieDFsd1RTNmd4\ndit4ZTVjQldhL2dJWDB4WXhadThYZUUvUWdrClljd21WQjd4cW1aMVVQMTFaUjR0\nbVhsbk5ldTIyTEo4bHJMeERhbUdKT1EKLS0tIG13ZGhPUjZrejR4V1RlRGNleVdU\nbWJia3Vtb3ArT3FVSy84TU40N0JFaTQK2mq5MZSaVYwvATu+nsOyJPKyDp0tS6qH\nQjMc0BBH8a1MGDZt9qm1uP+JpaUghnI7HyhCAh7jS7fmnAoar7JVdQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1Y1hXRFp4VStKTy85QXlt\naCtwMDdBajlURy9GaXY0Qm9qUGJuREU4cURVCnVSQUhSWEpaMndLN1dxVHBQM2Jm\nZjVwOTNBZTNwNFJXTGZNOXpaZ3VLS00KLS0tIHpKTlJBeWlTOTVLZyswa3hWMVp4\nVDB6RithK1lWVjVWVjBkeGp3MDhFT1kK4tonrK39j9wsNZHzfCkbBa8XyYrh5ylG\nhQzuWq9wRuDzV8aQbHe+Gc3GFTERxIQxQZiKzkcWnu3eqni+mCjYRQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPWjNPRS9oT1owQytRV0lp\nellPQUFBMXprU3dTb3kvc2dvZi9ObnA0YlRRCktDRDBJL2ZJMkFBajFqYkpYZ2d1\nczgvRldGUkJ0TGhSLytYWm9NbUdubzAKLS0tIEpUUEQwOW9oeWNLdnB1L0cweThQ\nUUpFTllidmtJU20rTmdzTXZWU0NkRDgK5VCOA601eKek6JijUV0IUiiRq+5f1mh/\n2OD+rqTIay3EqiHYbFaekBfvDn2QL9ShcOp7W751JdZKacFgIEz/rA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2bERHYXo2SlJzWHE1TGZQ\najBiY0FaQUFsYTY0T2JRQ1lRMnZYdzROZkhJCjBFV1RZb3lSclpscDcwblJrYWVY\ndllBT3hXOUthWEpDakdOUVNRZkovaWsKLS0tIHJqdURXUEIxa1VtR01uN3J4aUI4\nSGQ1aEJTZllrRW1VZ1FON2YxM1JlU0EKAYkBV9beeAOVEXwYDsMqYHklJMrE9i3z\nk9FLPmNF6uW6hSFn+V2/nPqDP84BrxXsVFyB6Zu4hPQcR1ehWUwVlw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1fgzf77gyah4efemnrqg4e7j0vk8fpq0uzrucepmdpsd5z7l4lgpsfq54df", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxc3dwOW53QmVIUkZLZnNM\nSDBJUjgyMEVTWXg0UnFPdlhhdy9wOXNLU1g4CkhaN1NEeEVwSVNtT0JVWjRLeWJW\neFBPRXpwSyt6bzIvdkNSdDE4M3VyUTAKLS0tIFFmVHBBcUEvZjk1Qnh3MWpOZjha\nSjdVdUNycFRQdFU5VmNQbmpEVTVhNUUKDrgrHJk9RFPJvbu4QshlRflKzgwQhMfI\nvC7601ID4QozqwW61cXOjn1tMQ8Qa5mG6UFyyBGC6mO/WbyyDHa+fA==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-07-10T16:17:16Z", "mac": "ENC[AES256_GCM,data:yiPrDAmt2KuboeB8dvk/kKmvwK1N5qaZomWhf/x3wwfXpPgMFK14odLRIGpNom+XVyOusDqudGFp/NCgfSwOrid+b3IFo01D9LQvugVO5ia8/pli+tifQkrmrqbXL/8vLWw6fpl2OvX58+5a46cajVFRGPjhug0yYyRNKKkHm7Q=,iv:Jip+jwly5yS8WafCQF9cstG2RGCdqcZ7pPeLYuVGNpc=,tag:LkWbxeZvt5fZVBNt2Q4+DQ==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.2" } } ================================================ FILE: non-critical-infra/secrets/hydra-password.staging-hydra ================================================ { "data": "ENC[AES256_GCM,data:fXgdw2btD3Pp0dapsgfLvOmMVGoaEdnosJvDrGwk37l/uWNX+4SSsJ5pai6XC5GHGg==,iv:t4QTb7cPNb+hBNSL3mpzZnKZR59Sxz6FddQTE5d/pFk=,tag:XpPg9/6eOq6JKF5CxA2Txg==,type:str]", "sops": { "age": [ { "recipient": "age1zxcssfw5j6dwvcw25tmxs79lq40xk70h2s234hen8pkpte2qe30q9e7cy8", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYQ2VXMU0rR3I4cjAwaHdC\nNVI0NW9xK0ZGTGptc29lbk1Bc2pjMlhhaXhrCnZwSkpWdXlQT0t3WDdRb0dVay81\nYW12K1RhMG9VL0hvYWFNZ3VJcUg3YncKLS0tIEJqdFhxUmJWRHJpSUJGeG1sZnB1\nUzR1bDFMRjd2VnhXMW80QlFrbGRhemMK99AYn0X/112SWPZHDmpDJPFZWFktsPO+\nZ4qCIrxQIl4UHYwcxMgGI5gbDV7JQ98IpPjE9m3l4b0JkzAqqqW+vA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAreEJCem1ncGgxdVJVdSth\nMzZvWHo0dk5TbDhySXM1eThLZWZlWEJXSVZnCnd1amNGRHA5NmRoekowSHZBekY0\nWDRlMm1HWmdaWFYrZU5nZm0vU1JsOWcKLS0tIFgyb2hPYmVFS1hzOGlUdExlbUM3\nbHFmT055SkpteklCWGd3cW1ML3F5dmcKgPUd79ijIfnSGImfPLMpw1bMTh6rplrf\nL2kSduDUNF2de59pKlNMDtQb/sp/En2YA3jVFoD61/DLnQgYJ3Z4qg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvZEtHQlhPa1FWVy9Dbi9j\nNGRxdW9VbEh1emQ5WFluU3BEb3pzbmw2d3cwCmI4bHVKbWJnSjhUVnBCbk9uRStH\nK1daN3JOTjhoVE13emZpSjdwVXZyVW8KLS0tIFlNSEgwckZudjlkQUxJNmhQTFQx\nVUt6eDBoL0x2KzdxNGZDS1E2QVFTZ1EKo1ecwaOg+4I9HWtPPrI8d0G+sFCCIieI\nFRjElyLqij8vzrYjf1jS7Rbwil5hRRaL7SBxlOjVnCwSV4PnIn+YXQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ZUlSQkQzM1pFNktCTHM0\nc0owdUI1a1BwZFgreTlxbElDOHZGaEpzTHlNCjR3VlNDQ3JSb21pamlTSmhaaFhI\neTIzdGZ0TUltYmdOVFBYWHNWWjdwOTgKLS0tIGVKditYYmp5aWNMTE8xSHNINUls\nTVpYSmtTVnFkNjRQOS96am11bjQrK2sK8te5JKv1DaYbluHOmemyWWkkqTxqNx51\nNrnk6UbrugiSTcDe3NmbasIi+CgAG95pnzVfKCtXctiHYiJl0IeS0A==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrUGZrc21iUEp3cE1xWjFM\nK1MzUVA4S1MvRzQzTVFsMFF6dStYeDg1YVM4CnF5MmhSR0hHNUJURkRTeUhTUERy\nQ0NabkpFOExDNUVDYkt2N1pSTG9ZTXMKLS0tIFF0VnR0VjYreWRUMVl0bUFURlZ6\nYnNhbUNyeDdNZjhKZkE0MkRlNmtHL28KhsEh1ngE5WFs7hMR3ATn37Kn60MqOwbp\ndxBpBUCIrJMrpkLolhtr5KAeXhK2d7wxaOrCtVhKKkB9agPd86XK4A==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFVjgvRGJCck5vV0dZT29w\ncGdvT0pxaFNOUWFBTVNtQ2hzOVJ4TDBQbFdvCnhXTjVoOHVvYXpYYm9kYzZqZXgz\naWtBQlRXRXpjQUZieG4ySnpwSi9JNjAKLS0tIEt6cEp6eGFTUGlHbzk3c29tRXFO\na2g3NFNrd0liM3VZdmFSY0dtNDFoelEK5VqWOJGOLI0esy8XGynqZfDmeA72zAzX\nWvyShCc3hup8IgqyNY3Y8m2GCx/K+8W/pgs0V7pHGjNAO0UxWEtgvw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1fgzf77gyah4efemnrqg4e7j0vk8fpq0uzrucepmdpsd5z7l4lgpsfq54df", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpQkVkOTV6S3hjOGZVUnhJ\nZkR2VDRGT21XMW1mRVk0QjdBb05sS0pqV1RNCnNuQndVU3k1eUw4SFpNUk1IUlcy\neTF0RmZ6UXhNVWlLRzYyMDUwclVRb1EKLS0tIG5nUXk4cThxMUtCRWppaTVCTnlw\nL3kwQ0hzQjRvM3UvaFY4RGU0RzVtaEUK3NV2GwtLYLJdiEqBCTThCQL20aqaUFBN\nosjL9907hxbZIVlBZyBUpnIQ9Vb7pykwOpHtEVi74sI9jq2wW4TOGQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-07-10T16:27:45Z", "mac": "ENC[AES256_GCM,data:mFxPSk+9zIZYdJ1Vd70mPMOEqNln0SQTAPFeQD3c66ylM8/mSXwJcsKiPFCqeOzokpcy87lzikAVJLLABfz8Ni3J5XSViWnZCiA28GJCWtreRxt81LjZ2+bChGN1L2PQytQmV8iTWDzdGhV514D+VEZ/d6CzH6Xw9MXExmp/BbU=,iv:d8c7r5mUWwcL4+TygVBDZVkusBOo0xvRgkCOUG3UPGI=,tag:oZkkbMRWoDl5XUiMwMoxWw==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.2" } } ================================================ FILE: non-critical-infra/secrets/hydra-users.staging-hydra ================================================ { "data": 
"ENC[AES256_GCM,data:yeQiWMQRmxLAlxUqlw99ZclxfNTpjZJMltZEdxYXgbcoj0vi/pt5vcJsgfsXnUtPqn3MKY/NBrzflQGMflebrQbMa3O1Frd6kYOkCYndubFF2Np1Bdo7+CPLborRVWJvVg+Y39YG4NCSYsqrrkclt2SCKJyJnwLvjETm6uray22d+Ddf,iv:vXGbY+oJPHufacS1Nfb3CiIMY2zvEZyRHAH5ECkpyz4=,tag:sufkNRVw+Rzqluxv1PvQMw==,type:str]", "sops": { "age": [ { "recipient": "age1zxcssfw5j6dwvcw25tmxs79lq40xk70h2s234hen8pkpte2qe30q9e7cy8", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUMXJBYmpUSG8rdGlGSVpW\nNktoSUFxWG9rbGYrUzlOSDc4TjErNmdtY3hBCnE5RnpoNHFGM0RTN3lqK2xLVUxm\na0NZaGtMS3pIblBRMWk4Yi9sVGtGclkKLS0tIE9OVFpzM3hwcU5NRFZJc0ltUG9X\nSXBHV3NYM3RiT3RRVWEyZlZMb0RXdUEKWZPzmGIyIP8GTGc60gWuez6j2Vco/DH9\n0HRygJt9qMiRm8ULMnhIlvwl3S61/GePLekEQon56Dzi/xGH6zXV7A==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpRHR2TGxUblJmRUNhM1Jl\ndlNTMUdDQm5qb3pzYXZlUFlFZ3BSUGZ6cEhZCmdHRWJUYlhOY1dkZGtrZS9DR29w\nWThab1JOWUpvSlhCaW82dkwyZklocFEKLS0tICtoazZmalI4SUNuM1QvckxlaDVH\nSS9OcGZCS2RNUWZETzBxWXVlOFQxY0kKdHJDN4OAyhmEpsNld/R8AN/7Ph/WWYzG\nmfTH7JuQLmyyH+oYm4UfJflcNNY+xo57AONswpffxixMt/5c+YxTFA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzYndRMUZnSWNNb3o3OG15\nU0ZtUjdoMTBvamU4WDRoSHo3dnNoclFtdFNZCmpzeGxtRWF1dVkvc3lRdFpQb0RL\naG5kOExNTUZ5eEFXT0tldDNzUjRDZ3MKLS0tIDJpKy85cUNWZG5QLzY3SGFwMGZ1\nL0lwNlh0RFNtU29PbzlTbkdFQzd6OHcKeFNQZAQx4eJdIr5chZmOsF02Q9OkshPv\nFEXaruIMSMmKIEsYfCryTalEKUx9TsY89EoPEgGGt0L8GarqnBE/hQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5b0JqMHh3RXUyVStpeHli\nT3p3RE5COGwwLy9QblliQ1FxeFprbklMU0RjCjUvQUMvUjFjVzdKdyt4UXd2ZCto\nUHpjbmxlQzNMK0xFSHRSZ3NrNzdTTzAKLS0tIENPZXlzT21kenFqTGFCbE90Q3pO\ndENtVFpRN2ZPV3ZZejZrTXpVVXlHdzQKmWWQlIYtot4ot2zSLN+YjtK/DfYlOBW3\net9ojaeoh6jpcZ169P8g+NYAHtkrRmkZwLEmA6aUO17NpsO4QmCOag==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIR3VaQUQ4Nlg3WFdQQ3pW\nMXk5TUZCYXp3RGFjdVVCbDdidjJxaTRNazEwClJ5cEZQWFZqSTFERW5vcUVzNmts\nZWlhNzBXcU5hTDkrRVNwcjRGZ2dCZE0KLS0tIHV5Q0piSEJkZnJ3Rkg4NU9abFZr\nN0lvdmY1SmJrZlpNTVNZVWFMZGpRL2sKtOF/6nhVSC6UAzXlICr8bUpxqUs1aoTx\npXbDm8yYznsnB9NGrf1fxh4pebAjPKVg+OsSx1/83sBPwyEcbtgSyA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYZmFsOWFXQms4ajJ2d2JP\na2g2N1h3S3lTNndNTEZHajcvMkRldjAwK1dVCnhxV1F6dTkxRGdkZFNsVjBWRGVW\nbWdISERIU2s3SHVDaUpnWkV6YVFNQUEKLS0tIE1pZFRjeldjcVFkTXZ4bUFiRWo3\nakdma1RrczcxUFNtenZMZzdzR3lLbGMKLJOJbGSzzg3JFWu5S8loCv6sWZHiDolp\nuFcJntM7h/N72jh+MVihnYqYpBwy1CMmAIoa2+NB3u7tVz9o3Nh4ag==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1fgzf77gyah4efemnrqg4e7j0vk8fpq0uzrucepmdpsd5z7l4lgpsfq54df", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBISlJsbnZpRlpQVTR1MVJB\nNXJ3cmluck8zcU5WRnl6eFMreDZoZmE1OGlvCnBTbVpQSGlERWZZWGVBWklFV3Fu\nUkNNeGthQ1JiODh2MUJGa08wTE9BTzAKLS0tIE1McjlnOUM3OW9panpNd1doVGZl\nUFhzU1IxN2tZV3o5eDV3N2JFamZMNWMKCi2+5V7su8juiDGLjTOI9QcCLp/JrXnC\n5x0lzs7fe/tRKuoqk3DWPeY+XghHm11Fps4FaQmkGKqB5hsrn3IAug==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-07-10T17:08:19Z", "mac": 
"ENC[AES256_GCM,data:yRTdwwPguqk8A3KpiUJjdRIV/9mA3/tkUpusHL6dtDFE6CS2WZLp7CYpGFzd6CqM/r5Nt9QwA82ZZZ58OSqLfqQhO/cxrsX3AiwqnKiqL4pgXDcxmQTtnUljOFM1YvupEsErkJFnaEH3QAQMieyS01A5brrFIaY/1D4Ex8luZps=,iv:12VkDMZVUvE78CWjveEKn2+IMcV6+LCVdLPUNg3qSDk=,tag:u71y+bPlDquBDruNqpOE7A==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.2" } } ================================================ FILE: non-critical-infra/secrets/idabzo-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:xfTE8CfwS0rZGBIlxcIONwPprL2h,iv:vtJ+uWpxDUMKw7wFK4h/zKEJNBVa2xgh8Qrq5zswrAA=,tag:xVnZhyEWGixss4FCJvSrRQ==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTaWxvNFFhSnN6MlBQUkJR\nTVlXRkthcCtaWUh3MU9ncVFydWJzMTlxOW53CjB6UmdsS1FUc2xDaDZwbUdSWjFr\nTFU0YUtEWG1mVVViem4vMHJiVVY1MzQKLS0tIGduOGlhbHFGL29McTdsSkp0bWox\nU1NvcVNkVlo5UWdGdm1UakFZZWFRSmMKwBJXmyrOaIC1dGHsR2swAJ6sDhHjh8Hx\n+hkJrHmTTekx/7agIzevNVVY+QES47dz5k3aE9y+sZM3zhnAEkm9mg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGTkVDNk9Ob3dPbG9kQ1Rn\nbVZZcmE5VXl1SVdOY2M2R3E1T0VoeDZRVFRnCjZMWjZGZVJ4MEhjUGhmSVhOOHpn\nbE92b3R3VllESVlLTm15Mktub29YTHMKLS0tIHE1MWs1SUhtSGxpcXRkYmgvS2Fp\nR1JBZCszcEptZTh2dEVTU01sTTloUVEKt5loGLT7+q473yYllnV+gBEFqXBdUkPG\ntlTjDCd9a40MbucGIwJ2ZxfoaYSURAcQcBSn0IM6BpLuQb2XrGpZzQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTZlppVVliSXZVMXhqZ2xk\nQWRPcmk1K1J3cjR3RnYzaVhBRzNWSGJDajNFCi9sTnJ0VC8veTE3cTZ5QllaSWh1\na0IxejA1T1BxTkJDR2IxQUJXZ2YyOHMKLS0tIHJEQlAvaHJYQU5nSGE3cmxsTXZh\nT0xjWWc1OE5qM0wyUkwvbkxCQmdmREUKu8R3NB6Lyy74Rx3KNfYbHlR0rO4SR69K\ngmOId0yCornVzNH+wn81w5Vo+ENRFtL7k2kwzpSo27BmX80ZtQRPlA==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:19Z", "mac": "ENC[AES256_GCM,data:7rr2FFpYf5Um9gDAd1X+4S3EbL6Bl8vHPEsjbfyw3mp8KAt4bSi5DTGdZSri7HMcIsk6ZFbnWkRqMRFyMCzgxfwb/09JO44eOIYfgPPv1Br8srlXLzf30EzYucUEDch/0Iu2tbq3NZ4z5OfGiXphipOEhV8jjOxtKe8aSjylzP4=,iv:gi55gN0plG/1u04ukPqn+HR3zyvlF3nWzQoSaez7tq0=,tag:JJKjm1hbTE24hLWp98syrg==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/infinisil-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:g/NztGMiw6S5VlGl8R/v2puyS0WY,iv:RUcw9ErUfyg/IrfmFsCjRiqCqYIPhAPitzvzJ09MG+c=,tag:RNUJATI6hnkOHSyFNtFNSw==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSckxRblVLVmc5OGx3ajFl\nZ3V2bjM5LzRhTDVDVEx1U0VyUnlzd2xyZEEwCjFTMDFtdzU1aittbkZyYnQwQ1FC\nWnpJL1N6NUN4UTlrMWZPQktDdFBJbUEKLS0tIENHa2E5NFZsdzlxU1hkT0dKUmI2\nRDAwVWp2Vlo4d2FUVjVWamtjV1c3QncK9zjkHKvFm9z+fxBrMa8H/L8pFoYoICgs\nTPRK3wxwZZEhINnbFYAffxcTSEuvKSy3yVnxa0Q/rOZJuJcpsuBa6A==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGbTNUR1NrMDBPdCtLS3RQ\nb0VBajRBVzJWWWRYRGkxdzhWNDZrRXN0QlZNClBUczBZL1A0ZnR1RytnRWw0RUpQ\nS000RHhxQ29BUTFrczJkSHA1WnJwZGsKLS0tIFNBWVFHSGE0NEJTWXJOdUVtekhT\nb1p5UmVZbnFDeEZHRXA2MGsxc0xYUGsKvFOtn4zjnQwQnQU8xFVvuc0srnTHZ1zJ\nZClsCTZi6GB/KnSGDoH0uEG3GW6pN2XeTyVpkbWM7imcslR7HNi8nQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKMXYzMXRsdVI5aktwdkNn\nL3NySHFiWkpSTmxCUDVYeXc2RzdCOG4rQ0NrCjFPSDFsWFBlcTlSM3ZIS3J5K1hF\nVm5yYjNyNW14R1JpNFUvd1RSZHVTM1kKLS0tIDU4MnpCcUFSbzlVb0owbWdURERR\naTFDaERxRDhQd2c0VDlsTWlrMkJSWTgKZbIRxrhupxHpremBum8hVr7nbP2vVGS9\nw92f+43HDANvrc+nN+WwRSVS6YXybPDrnWhfBeZhcofa5pyB29L0DA==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:53:54Z", "mac": "ENC[AES256_GCM,data:DDpX70GDNDHHYgRRP6GtKwvE+1TEA7sXuupQO+uHQ4DtWSI4yyeDCaRduXZUDX6W4OXkz45cfPkFJKw0plckEsqCHgaO3hX6ub13bfCFHVsxXXXhFKV+Hd++3JBqCbbwQL2S1VLhuZXAua47bPGIt3f5ov5gcxmCzYniEtXan9I=,iv:9jwrG92UNxNdhIkW9PfbLX4rnL/kd5R6MaE+l0Z8ago=,tag:ZO1pJKO6YaUzwE3cn4r5+w==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/infinisil-nixcon-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:bwvfsHzw7jgReKI8uRvAdUusxIs=,iv:o9QOwug8Ewlv2K4uiO1NxzTWJUenlgaZD3TIe0rc6To=,tag:B4vRwFbEWZzTNHRT6L12dQ==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDZUE4WURrL3NMdzBNNndM\ndVcyamEwblRuV1hXV3RGSlpxdWJFYlk4aEZZCjI1S3pOazVSeE91aTZwNGF5a1VQ\nVHp4YnVaOGFXTWpQNkFPMUVZdTBPSUEKLS0tIDFUenlNNDlQQXNiL2ZNVkR4VWxs\neUMrai90d3dLL1JjNXZtZ2Q3R1B5TzAKgtRotcPxCYnLchw9rD57droCcmP3mQDJ\nsVDaJ3gP54NgccmMjQ4ggFdd6BVvDq4PFNSNyGxo5E/mMUQKMDfWtA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzTTFIcUIyd3crbXkrOWF3\nMGpGbVpHcW5LMkhPbHhqdXBsRmk3VWNZZHpNCnl1SFZnV0xINmh5N29tdUFVTi94\nSmhGZjNIbCtsSjVhTjNyWGtseFo1VFEKLS0tIElnWGIvcGkwYzFwUkpQNVVvQlRJ\nQjhlRjNIMTBtblRRaWJuNU9kL1JtS1UKDHKn0DOUNGxeYWTWMko8vlbZ9Xf6ozJ7\nNt7fMt99FPDbqRV5OEESUIjD4/x0CV2sDG6vp5dOBAu59B6WMmE5RQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYaFAvUFErQzlZRHIxNlVR\nbW5JeHpaNkdlQVBoOXpYNWJqTW5TYzU1d1djCm1SYjZOVDJSZWVuWmNoQm5JOW9O\nT0dxdTE5d1ZYZ2d5QUxBYjErNEQ5VmcKLS0tIHMzbDdrQ2dRL21veFFTY3BWbE0z\nWWhMdnFMbEgvSitnVHNrb3k4U2JDNmcKXnNto4P0cZV8ovGP/QP24OSZkY7IL3/O\n9+U+zcIGs8e3kca0ELA7j1E5nCEGNUyTFKOB9B2zOu46HGkJ6YTR2Q==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:14Z", "mac": "ENC[AES256_GCM,data:SRevXkFgRtpHtRmzqpT8+4a6WvbR4H6/gmImJ4LTmNi0Vm65Nb0Z8k2QAZpzyl2DWyhLDxZ4cDD6w+OMSdZ16ERweyIucP0Wm1U+GlwsEq5KdkR6UuQqqnX/lONUh7rUuJ++4k1EUTbTTQdkRg/npJPanRzS0Am/0Jd66B3WL4M=,iv:KD1QTsGZvSzoh+u+1tifLu34E2S8FQhno7C74p7cxtI=,tag:Lxid7jtazSTT8OFkNzcA9w==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/jfly-email-address.umbriel ================================================ { "data": 
"ENC[AES256_GCM,data:6IohqSwaIUjML5GP886SZ3OQ2NbeuRI1ysrp1wwLe5gP/g==,iv:zPe5s1z8JmoBPP5QgCAEFDptYm+5hJxP1sP+edXW+Bg=,tag:5E9Zg3Mq5CyUqZ/pdvmMDw==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUdEFkTk96emFXTStBRHZ1\ndi91RE90Vkk0Z0lFZEdTS0xNdHpGc0lacEZRCnFEWFFKWEtoRWhuZjlldnh3bUhj\nTDZDL1RwMlB6OVZkU1d4dnJjMTNjNDAKLS0tIFB4WjFSWEpCYUdxMkttTTdRakVJ\ndWU5dmVrcnczQTNxRVFrT1l0Ny9hbkUKUyUn7QvmjLAjqAqD8iYAx8ciR8UFhI63\nl8mWy6jmJh2ryMd64+H0B6I+YMBPDHByvG42tlNaO48A2Pe8q0Srug==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvNFdxdGlhYzV3WlFLcVJ5\nUWFaNUs3bDFWa3pWOE15VS9abWpvaU80a1VNCmRhemxPanZ1UTdZSDEwU3czU0Fq\nVlM2Y3lOTHQyMFduS2FPMlJ4a1p3OWsKLS0tIEwrbmtNOTRzam0xVndER2ZoQ1N6\nUzM4Qk1BeHBSQVV0dmlKZEhDaC9pbVkKpHjAfJMddyGzo7U7aAl/lqajm8mCwzAq\nPZ/k6MgjER/YAIlDHelvEhPsI8W9VRUYTECRIYMFXkPQaLeQB02OIw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKWVF4S3dPanFzbUpWNGtD\ndnJmTUROY2tTWnVCOHdXSXpObUVIbFBMUjJNCjFGRnpTQXJ4eWM0bm9oUVVlaEty\ncXhxUlRXMlVXU3J6dDJpdWlVS2tYcmcKLS0tIGc0N0RmNUtUTHRWMzZVZE5mUklZ\nTmYrbU5yTVo2cTJaOTRKT2pUZzlhUlEKNdlKt3s/fxqKT1V0HwbUf3draDodeBsq\nXnLPalfN2jGHHcMiNj7nweNPy9Nu5l1WvRZ390DkVZlDJ7kkD4lYvg==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2024-10-29T18:30:30Z", "mac": 
"ENC[AES256_GCM,data:q6lEknFLs1MX4gBtPH8M89lNsAcQR9rWEaG0EobzP0AgUIxUyn9TYvFURD3xMKAp4KcoPfFq7kUO50z11WtC6iw/dAidLhemWOTVT8Vv0SHtc2UKF38MnIDDjmrc05+Hg+X4NFjki76A4NPvIUiIMk+0oL1FK7IMPYBSIBzJqrc=,iv:xl/s2Ah0ccWBDAxHBTXat6hX0yYtYoVbp6gAN2WmZqo=,tag:fXzdg7JaXJdHho4vH0c33Q==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.1" } } ================================================ FILE: non-critical-infra/secrets/john-rodewald-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:Vc7XQ+0U85wa6J10lcVDMbLabmmTiQ==,iv:fzXxoy/ZohNY5pR4Y2qYWa3WVLo18BNOLjE1w+dAAGI=,tag:DM3n88oe7QW0tZJXtEx4/A==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRRkRDc2c5Uzk2cytmVE1I\nd2FNU1M3QmR1VVlEa3FSWlMrd3I5dExsMzE0CldtWHkvNTNvL1NSeEhhWkVPakQz\nVUFjTllxUkhFVnpTejhGay9MWmcvcmMKLS0tIHlNbFJBTDNlblhBbCtncnJpVmVQ\nZzRqa2JyRHY0WVhVcTZIaE5QTU01VlUK6TL0Byz4UJeHEvoHXWb6U/y57J+o4p7C\nHPFxM/R6Ib1QUOPxukYojNcWOFV/BiMxLUp64CMibHkksHYg3bDGJg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOT1BXVE1nc3JZcld4NEo5\nRFJHQkhhVFRjVThMMFl2d29hMFlvT0xSQ2s0ClBEL1VsLzkxOENGRnIzZVRJYTFy\nWHhBOTNPMmJKNHYwMXdGV0NMZjN3WDQKLS0tIExDUElrYS9mK3o3Wmpicis2Zkdi\nQmcrbzdRQ1pBM1BmQXRycEdRWEVTNEkKX5u4At0LukCBUZQOxvBXiVMw4dn2whVc\ne0eFDkGvi8my4yUCyYoUFaAq2orygIhv++Ih+mYRorK5RyaCBpwEXg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2RVRRMWNWODJnakZSZVpS\naHBhczhkaEkzN01QSEIzOFVueEozak04N1FrCjhDTlBrbHNyQjhqRCtua05vRHRn\nMHY0SVFpMFQ0bTFKY0lqdzB3djdwWEEKLS0tIHZVUldueGdLUG80cWoyeHB6KzRZ\nMnpEYkFyUWxQNlNJWk00bGFKck53REUKUBVnYeidyG/0NLOS4XrSiSfFtz6UHvk9\nInBHRCjsWCuyPKSvURKj1+XS01F/+mAPId98GHb75RPkqXhcu9bAcQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:11Z", "mac": "ENC[AES256_GCM,data:ABgTUQLGRyjG/lq88CJG/f1liPvL6cUqJNaYmqxTmv+EffJR/1EWl19O41ZyFCFW3/eSPckaB9MXn/oRqUfd6pY5GZ9tqCVDoK82YZ1cMqnHU5b+2n9lEH+Kn7uqvVh604j0Bx4lCpSUZX6/pC4NgpKbZB28EOVo8ptnMUSn6KQ=,iv:UHgEnD8VUyOW0vUuVTKR61wHvdXXdQHeChDgq/MZxmM=,tag:IuO4AUtGk4FiXEcnQJs+3g==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/jtojnar-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:cAqOtDZSzehegRTVGpB6uT0=,iv:tk35P3Wpw2ikNBrjCiz1GYtzY+M+te2dxWpGpnJJNuM=,tag:aG7J4/pt7YcvYWRoizfUqw==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6WDZJbGdmYXZRcTR6S2dW\nZWdpNXF5VUJBZjRlZTVHZGpoQWZER1VObGlrCnBud3BrWUF0ZC9tV003L0NCZjNz\nYnJGMHlEbzZraVBtb3FNWkxZNktYaEEKLS0tIHhBVyt3K1ZoeGNySzYxN3NCRElq\nTmtyZGxOM3NCVmFJa0JYd1BsYmFTODgKl4x/bqTTMNQaT/GLp5gD7B0a/orkCBva\nocYoYtouwdlcdseu7jPaXgIb2ooomziPLMwqbORicVOAitFRnvNbTA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvZlVjek0wOGdFT0NuaWM2\nRWVXSlFRdkU5N0RNVWYvK2hsYVRrMWt5OGhJCnlyd1FLd0t5MzdjVTg3RG83Z0dQ\ncXBPR2szdkFPalBBTHFaN1FRU3BtN0EKLS0tIHFxZkZBNFpZMXdYVk5lZENRYlg2\nTEJqcHJNM2dDNGtMYVozd0F3MmFZSUUKGZY9yHf3aKBK/+/jEsofhKNN4ypIy0C8\nOAGUiEQ0Hk/yw2B8kuBAARHQSK6vNIMTqMqMtW3OMQzZ3hMrnGk3Rw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoZHhTTlRXZ0JWTENoeVRV\nZGRGSzVBYTQ4am40NzZQakI3YlVWWXhiMGdJCnYvYUg0QlNka0lmaDZXc2VqTDNN\nRTB5dXV5Z21hdUdtY2JXalhwa0pYTmMKLS0tIGJBRmRNRnlLck42ZTNieHMxcjRq\nY29YbmZFZU5PUlJHc3lOYTdyVkVhYkkKTWI4dUPYbpmQY/PYPHVWIA1io6VPZObr\naN0hyzy+3STWnGkd7z9zLVvJ9uUBAyGxSUmDQ8qKyYo+J8Fi7BaEow==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:28Z", "mac": "ENC[AES256_GCM,data:6Jh1Xo6KHU8JWDXU9lkJHmYOuJkndvJ7bL8YFZbBNmctv+O0nLTsaxl74FHhxVqdDDS/5ujtldUnWs1syl/TZO5dKCuNOvOfyOM9CeVpX1jKb1qNVRf8SRlZ0HYHngGMo5b1/BM92hy9Y8OkOB4Vas9NamKr0XYopGrnlt9jEpQ=,iv:FXrTqftMdKZFPfc2jDduEgWlFz5KbRUgDgIBuZlqghg=,tag:GL3hxPdu0JS2DbwmoVqq9w==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/kate-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:fmyrFIpAvRHBeAyQaewlt7331qUrqg==,iv:Dh0soNrOhU4ZP2lmNp2DJZl88yqvOK4Ivu/4dLjFYUg=,tag:KbVXL0E7wZ4Ezs+W2ObZYQ==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDeEZNSGlybjNtQ2hZajNy\ncURLQklBSlJoWWw1d3NDRmxFYjl0MUZvdlZBCnR3QnNmSG5qZEw1ak1ad0FUdEVS\nelE4NTBLV3JjS1pjWUhBVUEveC8rSE0KLS0tICt4MlpvQVlmMVM1bytNbkRRYmNV\ndjJhTC92ZHJmcG9ZdUxMNUlsMUtkaXMK1fzlUh1F23trAcSWIYop3k0jTS5zIXMn\nT+rlzjZeTvSCwR5whpGLkKcW9IxEvvk0YQ4WkF/rgRxgqdOVDGqcPA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYNmRFNE81aGFGSG1OTVFJ\nbEFBOUpYWCtLbmQvZDV3dEQ0YlRRdXNIclZvCnI3K3ZKOXd1K1JYcCtLT2x6cmNJ\nSEF5dmlhRHB4OXFWbjF5QVNyNWpNc0kKLS0tIFFYOEloV3g2ZFExOVo4MVF6cDQz\naDNRSHZrNXl6MVBmc0lOMmJnREd4azAKB5Cus+7lhFVRLUn3QXQNMBh2m2gnbqk0\nDtuQtNEv1BHxut2GQ/W7dmRYlCLFwF3RPfEdvNwHIsgVcDOx4TZZDA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4QS90ZFNHUHZUeVZKdUV3\nZXNBTnAxWUY5RHFSUnlEQVBxSWRoc09VNUhjClZmTEFUV01iV0hFREZGUVc1eGw5\nbXNpREpGU2N3a2cxUUZGSlFNaGI0N1UKLS0tIHZNTXF6VTl0VTIxa2l3RFFudTBB\nMTB1d1ljQklGWXZTMWFXR0MvZVVTRncKmRI3OFYu/ALq57TacfVYls8LyscsdVLx\nROMkqvRNOhDWh776s+hp9uJQgNK7pXhBX5Ee2EAo7a6NZ1uLrh2O9Q==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:53:53Z", "mac": "ENC[AES256_GCM,data:Hu54zQTTitSQr84kOAHQn7KeixF1lvtDHXKFqra9hFDEVTNSvf8zUfDa39WzeEB/aBCRjBND0RzCMEtFMpWVRIcxhYi/nW0L6Yfv9pjVgI0iYuo0W7qregRh9ipem1HH14JgLQxI19ZE4AFDNicMQWsAezNt17/JzVKrFFf/MMI=,iv:u1FhZiTxmMJXAxRyFdY3Wq0wzpyiq7RoUd2HtAab6pU=,tag:iRhYv+hggZd/4eQZIWu8bw==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/lach-xsa-email-address.umbriel ================================================ { "data": 
"ENC[AES256_GCM,data:v6aURkXCDOHJ+Eok,iv:pHaZ9UwYc+CsqO53qwaYykECc5AIcpxvUo2/1LbqfAA=,tag:UyI3V1Za/yiuSP93tc4Pvg==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQQXY5VWZVT3duTElUNlNN\nSzZua3VjRmNxai9xS1ppV0pjVDU4REo4UWw0CldhT0JueXZtQXNNaHJNNjE5Ny9P\nVktvQTBxdlhyN2hYVThDWFVhaERtUzAKLS0tIElCMjkrYWhMZ2piQkNyTXlGYlp6\nYWZNWWN0ZWMrd040Y3gxTHRmNmRFaDgKz1RTdNandXWT5WWyF54xUmHciG0BoMe9\nyfnL1Cb5UvoDL1cSrgOyeUrfHSo1WFy/o5+cslXcM7o9B052IgBbNg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEcXhQeHpCUGxmaHBWSW81\nZHh5MjhKSzMrNUF2ZGp5c3JON1dHMmZnMFVzClkzaUZCNlhXTU5EaWp3UnZzakMw\nQW5DajRFUDBtUXZvbndldDE0Q3dNU28KLS0tIG5BRTRRSUtLOVRPSlc2NGhybTYv\nelRZbm5yc1l4bnlZRUJkRzNaU0RSeVUKH0p7CnEm812zaUP4V9xIEJrMzD1xpyxz\nrQhbGaDyZokMmuDf9UnYeeJzKGB6tkVnBga5e7t+xvVgFjhQP2Qz+Q==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4SHJJaWdZOFBXUDdPMkR6\nbGs4dUxPbTVEVUNsalY0RFV6NTZ0dmh2MWdZCkZVVmFJN3BxeW1UWnM0ZThPeFp6\neWNablFCWFlPckZTRG1JdVhGUk9IQzAKLS0tIGZ3cU1EaWNRazRVRnJSekhaWEdu\nQldUcndZSHdvTjVIZy82SzRhb3hhbm8KfJAhPaS/I2sfhcWlW+3+fmhyTNPhW6Cy\ncB075ydLsk+RvysKuU9h8PSFuomxjJPqQ9LZB5EY5+rYBgYxXTfIbQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-04-05T23:08:21Z", "mac": 
"ENC[AES256_GCM,data:l/bQwqSBoY25SkEn1A2OeTy3n9ceZLeGzUz5MspURr6a/Lu/KaUbMtUc1bkwvYF9KmS9DSnum0YOImxgJByhgGk+jLw5DefzWQixcirc/8tdPe21DU+Fgv9i0TsPC+rbo+dIwlVOVvN1IDN70Gir+bvhb1bVznif1Xd0vo04hcY=,iv:s8EdvuAap3K9B6HmvJazuNJ8c7bFMtWgKBMLAU63ZAQ=,tag:2vhlXmhYaSKOcPrT1W1suQ==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/lassulus-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:nDMmn0o4dqZWIcSDhw==,iv:Fb1Sog/1Hzk7IpIYmq79a2Hi8xpgkX0ViU47aYLO/+c=,tag:TyHkRHWO/Ijtg1SdkWzKqg==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVazl0NEFCZE5uTC9YS2lZ\nSjJSNzRUWG9heWNQTU96MTlSQ21zekI1T0cwClJ5VkFFb2tzUDJKVGozTnFUTGlS\nK0hKdmZkT3ZtVUorUXJ0L2MvYTMzVUUKLS0tIGd0WkZyUit0bWRzNDB5bWRUWE5E\ncmxYYW1OVHR4Y1QrOWpTSy9vc1pzcFkK5+qTmQSg0FO2WW/gP9EqAUQdZT9iFYEh\nX8IWMWnMlfE7eOI0PMax1AtBvISusyvbwTXfsmhRROcvyODKhQLvig==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYMGhHTWVwQ201OUpPVnVt\naVhVUmV5Q0FGNklLSGR5Sk5aL0JjYW9GMlZjClZ0cno3VlBIQnBkaWJTeGJMZVFP\nN3lTMUJGWnJwRlU0M3hrV1RwcUNaMlkKLS0tIGZPSlkwc0F6NEs5NXFvQUZGZHh2\naVBXK0F0YUprTHdhVDBNb05za0x1LzgKl/weC/O3ms3ccJH0aRwoxdmIRuTcmmki\nTr5/MLlRBegDwbU6jJVHUT+KEj9tBRpbduD7NjKGCYwdx3XHdHXDTg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhbE54Rk1mZTFBRFZxaFky\nNjZicnRCaVNSdjNKOFQzMENYRkJTdDNiTEhjCk9UVTNYZVh4aVdmNEtzMXZKcXY2\nbzhPak1FZWJ5NHlwUFpYSWNSZ085VmcKLS0tIFBUdlVzWllIQkl3Ukhpc0d5OEJ0\nMDRmRjNoK2FEZ2R2UHZMMERnSytWenMKyS+pjGWmtguHNDhMyTMVm/HIhw5aatIZ\nNX/csiQRAlO2UUsmimMiIfm932UStmbaePyF2X7uotNNUDUumhSEIA==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:03Z", "mac": "ENC[AES256_GCM,data:wYFTO9E99YKsZbAkSNIkvt7uNgPtUUuJGZBjvUOys6rQwk7hdn0YxaThkU+giGT9vJnwBQ2r8vHVOohORjP8/gA/osnImb8RZK8tjBWp0ydB3yltn3sU4U75luv8xWRF2AxMSsFCdZde0hzRsDmnbtNalRaP7TC6jmqhteA1cW0=,iv:nsWGyAxDWN1jmMdz/VdWGZbYGVIGMRudh2RhNr5Na24=,tag:1qcKYreDOeFw0lVEtdZN7w==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/lassulus-nixcon-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:OecTZiJ863XBta1AVhrjBiW7,iv:B6jUYLlVLEpi5EHqr7cQHqiWK3hLvD3JmxQfh34EWBI=,tag:HrK4trEOhhtgPFpmDU9Rew==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWbXhCMi8weVdPYzR3T0VV\nUUhRQ1R4em56bmZRUFZ1NFRta3k4Z3pBS1hRClN3MThaeUFjaUJYSU9ISU5qcXBH\ndmx0Z3FJK0pTdXlhZ2ZObUdnbjMzcHcKLS0tIEdCSkRwb1ZySEo0dW0vWjFHY3BW\nUVFmejhSbjBSVWhLWk90TVllT0NZNjQKyBB0dqepE2s+v9Jg5epPYpAESV7Pa8St\nILY8LYa6mlvy5k8470iriR62u1WKwz4sID0IeMcWa1WDhNEOCTJGhw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXTUlOWDU0WXl4Skl5VW1Q\nS09JK1pqWEFmT1pEYXhicWlXTWRSL2VobUY4ClZqaUtlVWNkNWNTanlUVSszMWkx\nMHVyN2F2Yk5nN3lkdXcrTTlyWXVnaFEKLS0tIEhaM1hLYlJvS2ZHQUM0TEt5d2xT\nZ3ZVa0hiUnpyZ1lVc0oxOUVvdWNaUm8Kzn+ElRU/laE0YzvE2zc6pOAekZzTj9h/\n7OR15ozi0ulc1BM8VklWIG+xMgSXN9iWnPNVSL59d0g7bU/VSrffhA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTSXR2MkFaNDNnM1JrN2xL\ndGF4SnY0YXgvSHZnUjN0cWF6ZEhSVmV4L2tBCnlhUVFRcnlSdVNKTS9oRVRBUTVC\nY0pWN21sdzBoVE5weGJuZWlnL1JkZ2MKLS0tIFZJTmk4QnN3aDA5eHNrN0ZPNk1m\nenZrWGNMRnZvTjFPOUZaTi9yT2crNUkK4+Nw/Juomv9D0imAXFMuD+7M7lZ/w+J9\nYCcvdTdrdWQ4DF5DBRGaHmJ90h8gG+WQgn7lmYwFAYnn/oJXE0Ss7g==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:17Z", "mac": "ENC[AES256_GCM,data:00WmF64EulPqhVxJ8gJrSc19Wgu1L+9KcRwxLWq8mR+hIYddABuPWCGRVr8eo57bT3rD6s2onEI6I9ttsGHVuG6fmFPKYrhGxG5VHSgP8VQcQjXIU14qUgpD+nhI+IJDUe196NK6WDCe0y79Fve4gyjf/YxluC21eeKC22pt/7I=,iv:dWvHXS6XwGf0vcW6tbI9gdDVUfORqCR3HXFI2GzXVFw=,tag:H5rWsVf+utGEjTbKMJtBrw==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/lassulus-wiki-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:0lA/vz9bTxRvUneZvQ==,iv:D+C4LNaAClbX3T3uMOv1EpPY5IhOV8abTMjiREwwEw0=,tag:gGLFWwOXuiyyWzGWLXtEag==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBra2lqSXhLTEVobXY0NHl5\nbE5ZNnBrNlEwTE1vR1NHZlA5Y2ZPc2tDeFdBCi9UNDhKM0svNnB1amZFYzdHUExv\nVEN6UGFtcm9pUFFTRVMreHhkLzhRZ1UKLS0tIG9uZmU1SHJOSm8zREVWSVlieHdO\ndnVJZEUvUUhtQkQ0OEtjQm40ZmNONEUKI2INfuctFxpt4XgP2QBYf9DxZNFtBJc5\nvD4L9P0tShqL4XQRcvfSLM86rZ71ycJbF0GIxVltSZk6efRUtCbI6g==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFZXdENS84REIwL0YrU1Yy\nNFNpL1RPNDN2QkQvNFpIWk5hanRab2U4TzBZCkM3dWtSMUcrb3F3cS9Gdlc2MExH\nMmZqYTMvVFRKVDduSTYwTDFWY3RDOTgKLS0tIDFrQ0NVMGhlZTNWSGZZdVdIcW9v\nUzR6VWZqQ2VJcTBsQytKaStkM0VXcmcKnMMIyyBxGrFYqLv4GeLCWhdOdmtO3awV\ndxNpQ2xWeLM1X/frO4iuor82tsdhq4A4eA2mvm5SnOuTBSkVeAEBHw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGc0hobG56dkc5QWdSUGpa\nbmpMMG5LUlFubk8zQ3E2d0RCQnM1VU5IMEMwCjRFVnBDRUJYSVhTc1NuZEdQanRy\nV1NqNGNYOEQ3dmlCTlJuenhNU2tPN00KLS0tIGMxSTBURXdSUXZDL1dVMHduR0xB\ndkhpVkhHRkNFRzVpT1I3N3FMSzZXemcKdSV/jZ0eEEjvFxYGVl71/yx6xoKO7Jgl\nPL83lJg4YNv3RLC2gdcRLbXIUpkkUC3oV6HIsr/U+fWBleyN2ZiC0A==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-04-05T23:02:30Z", "mac": "ENC[AES256_GCM,data:6qZJgoF9V1/yXlxMYQNo6QMVjsQtvTvA+6R5zu0odehUZu73ogrFoBWke7WeXbOGmRPAnr9ZsYTqoOJFM41cZaWZL6xy2R/sBIYg3ZwodFi/jk+3BjCVmXiBZIvGSziDjkwaqPkW/lLW6ummTB5drT1eeu/nRbqB156NcB372OI=,iv:UTA4U+Juyt9y4eA/a6BuUWuaWY37t0FrOpJi1WV67kg=,tag:1o8ibuii76BMrc1RC0z78w==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/limesurvey-encryption-key.caliban ================================================ { "data": 
"ENC[AES256_GCM,data:dV2y0TNxJ4prwwmKI9U1V+gVuO4AInOW4rRNl55jg4X+FyI81K6xGWFnmTwgvPornrGslw7KXnX03LNsA8HAyWE=,iv:arEPrkNSzi1lUUc0Lutfa1pDFrEKe6GQdhm2bHsZ8AE=,tag:n2Q9TQS8/b7Lbun4qK3pjA==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0WmxKM2wvS29WMitIUGdP\ncFNGU1l4QllmNXM4d01GV1dOQ09ZY0pIaUZNCkExV1NKMDRtN2dlZUx3Q3Vab013\ncTB2VHBUci8vckNFbzV5RWl6K1lHNWsKLS0tIHZQMlRjczBtWDB1N3cvSkZWeS9m\nczI4aEdRQzJlcGpEelBhWTJYQnVLL2cK852vurEJeIV31PthknDZT9FAOf7mnu4n\nW596ge/xVlNVcXqQaoLZzt/Ndm8ZaRg6xz/CztOZZiQ8MzHYqSILrA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzd05xa0hjVXRPTEtIbU9F\nbXRWTFBlUkxYNW1lN0t0a1ppN3BvUTFwVTBzCmdRRVN2K00xOVJ1aDZobG1NUC9X\nTVluZVJmaXg0SnNUaUJUV0dzQmx3RU0KLS0tIFBnVlcrOEd5SnczSlFXYkxTR21C\nSFpQVkhqdUt1ZW0vNkduYTBBVHpQN2MKUVpKaUE0+ZYmT0TKdbvsKEWn/KnJhX6I\nJcigMBkg+l6u83s64Uz7sBMrh48Ab4rdfnMv0G3bTjEBqGAG2SFHNw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1qlwzeg37fwwn2l6fm3quvkn787nn0m89xrjtrhgf9uedtfv2kqlqnec976", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJL1BGMWZZakRIT2lkb2hT\nc3dBL2VTQ0xWcEVCWXBUaU1LdlRQUHg3ZWg4CkhaS2YvMzRiRWVwd3RwYTBFRnJT\nbVNaR0lNRG0zWjlWMUprQ2x2cU1nVU0KLS0tIG52MmRkQkFVYTdnQ1BTVG1TaTU1\naEN5YWw1QktoWnc4YlRvWGh4T1BMbU0KFKc/frIPVeTELKXawQz0P8PhtW67NF1z\n5+d2XKxL/VQIUNGx4551Ofx+V5FqJejjvtkZixdzWGh+Izez/nqhUQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjS1JSbHJaRU5YQzVZLzJS\ndGJ3R1ZUamRtZUxVMjV5VERLeGN5ZW9paHg0ClJMZUhTaytPWkpQdUZ4WUdiMjZT\nc0F5UVJqb01IRlY0aHJwWCt1VG52N1kKLS0tIEVPRmc1ZlVrUmdCb0I4dllnNzND\nRHpqbXNYU1Qza0NweWJnMEJVRGhqSzAKuqXPT4CK8WEQ+vVrH6qpvqZsMHbuNf+b\n6ra4xetfIo+gczDBlXpYi5d0W+UWFjfi32h6y9daVP8MabBb2R1tHw==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2024-07-15T11:56:59Z", "mac": "ENC[AES256_GCM,data:k8dCiufWeCKrgj+fTGRphr832bGlXza03F4PgaWkfI7IAZQ97iWRD6wO6fko9GKlKBeEy7e/n6Hm8k4F74l9giKTdXq4lhQ3GqdV7h9JzJATxnKs9JYtjd44ihNIiLwBofHDOGq1BEIY/BTn2Z6EqGlwyaK/2EJIXXm56y7UpoI=,iv:zt0itYzXcTVlfGr8l4kL/fBeTjE7r9+fdv5BiBx3lf0=,tag:9dhatpgwMLmTz5XNu9uaag==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.8.1" } } ================================================ FILE: non-critical-infra/secrets/limesurvey-encryption-nonce.caliban ================================================ { "data": "ENC[AES256_GCM,data:oimvox9BzWi6Ho5F8itxFWKEr2xfL2gKTlQUpvNJmbhm3qo8YN3FFmoowJVFwMYlcg==,iv:LLSZ9m/aMOQkqd16K0p2xjWBL/EKyn8RE7VZmHAhkcU=,tag:wFOZfp5NQUNpP8NmRWGRxg==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4V1daYkxVWlBmcEN0V25r\nVzVDb3c1UnB0RlkxQ0owRFF4MWgrdGN2VmxBCjNZMTkvV0xkQ1pLaHdyOXl5KzM2\nQ3RYY2Y0OXY2aGU5ckxCb3pNNzF6UUUKLS0tIEcvUDNSTm9sbDVwQkVyemIzaFd1\ncVhGOE9ET1BqcHdKMk5QdzFVOTdnblUKv6HaoDUXBSK8kGXMdD5jG4Z5/0ata06d\nF3peMh6Eskfo+x6iS+goqsaZQS+QuCTkecEUqvgtwa586H4BjzBHaw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtdStmZWk4RG00WGtLdnRx\nQ1o3M0d0Mi9XNldoSkFsVTZoTU1MRmFhYlUwCk1GdnZTeHlsVVlaNDg4SGJ3Rk5B\ndnVOTVBWd1Z1dy94c3lyVlpub1Y3TkUKLS0tIElkWlRaSzVvWjhLR2VsRHVObm54\nSmhMZHdOVkpJNE5VdGdmdVIyMW5JWFkKmiNeh3bRixVDzl6UbsU/250RckJJA/Ki\nl7V3C2YnsndU4N/0nedy2Zsy9hjVWNonO3eDnNKzW1ayRYnmXShzjQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1qlwzeg37fwwn2l6fm3quvkn787nn0m89xrjtrhgf9uedtfv2kqlqnec976", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHbUtWbHg4U2NzL2NQUmdT\nUlR5RUdFWEZBWk1jdGpNa2ZYSGdoeXR0blZBCkF4SVQvQ0tTdFR6aHgzdWdKZmxC\nSkVGbS84dkExVyszSm1ocVdScVJjck0KLS0tIGRodm5sTjRsZ2lmRmhzV05OekFH\nQ2dYNThzUU1kU3ZBTDV0ZmU5T1RpUzgK+Y+Ka+t/Zh3lO6xCvctZXNKuW+NDKnBL\nOTzZ6ZpAjY2X6JcJqVQJOU/3NXnTvOiTWKrIRao316O1mysYe0rbWw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvc2FXMkN0SGRBZUFwaW1E\nL1p1NmV2cjhmN3BTMHptUURLRHN6TFV1Q0VNCmcyNGo3bXFKblFzc2hROFVmNE5a\nR0pFenY4YXljZkVNUEhvYisyUXVuMDgKLS0tIHZVK2V2T24rU1RRby9SL1VpT3du\nUmxObExlVWdMNFNvOElVU3BkSFlNQlEKp9hrLKiu72qRniD4i7oU+zOujUY5CiN4\nyajcqJmq31LOVOHHv2/kcozS4smqlidGU/PwqK03GhSWkBXoG+E81g==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2024-07-15T11:56:30Z", "mac": "ENC[AES256_GCM,data:j+Wql6qwEKcZOgOWAYs5MhtbsvUNzjXjst7ge5hxdvqS13iFTfKsiUSpmG/K1Nrxz4swCI9N4VVov9Brg7LuDIP4v4b5r5BEhGDMkSvJKarSfVddEkwcw/HYYpILQUKc+cogLZ2CqctiMB4ViD0+XX1Nl/1+IO5JvMLSjHkqPMo=,iv:7WQ6kw10TrgJdZjaTFHnzzFRzHhS5i1O97vw3md4fKI=,tag:iq5Wx4SYpoDXWe7Wq3M9ww==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.8.1" } } ================================================ FILE: non-critical-infra/secrets/matrix-synapse-secrets.caliban ================================================ { "data": 
"ENC[AES256_GCM,data:DR4VtLpBFM90uasJLqEdu7LQ0x3rof4qxuSlBtAfPVSVfKOYFx/NBYGdHIt/A45mhKIq/Rp14GK6pFX4mxt+9LhZHdaPUoiJ3OzW2Iwn0faevevvH1t9bA/rw2+UB9iGW9NtK6IsSdKzqsazlLCrM9nYlvkpMQCaWw==,iv:otJmMFZ5HvjKK4JyBbYizw0ZW2D4TWhKebY1F2Im+Bk=,tag:fcehpFiM6HMgS6bjbLRx4Q==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1MW1WZ1VWWWwxbnAwcHdt\nM041MCtWMm5LbDdFVEd3alVaV2tSeEErRzFRCkRzOXRCOE1jRTIvcUhXWXozS1h5\nTlEyL2E3NmFUSkhTZCszYyt0a3JVUm8KLS0tIGxUUDBYaXk2NnF2alJaaFNGWTFH\nYXloZFNIVFZET0RZTndvM1VtMGpDTGsKK5HIxpvdy1HGOlp0MGd83u0A9KPbSK+4\n15023XKE/5zuFOzWOtxyxA/A8O6MnGIrw8tOVzXp5bFRwRWa/g/a0A==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSbk1ORTNCVzhPWWZJcHAy\nUlFYcmwrUlE0OXJ5TDNIbTdXWm1SdHJYalZjClQvNjJQSGp1ZTlzU2htL1N5QS81\nUzRjc3NjVGovVXhaRkNVbEhhMGJLdUkKLS0tIHdibjNrRDV1UW5Qdlp6UVE1RGNv\nd1lESFZDUmVYSmd4dC8zWHU4TU1PY3MKGkdm8io6SP0oAJeOFEjB/lbZB9XI4UMa\nnfmiA9NbwovvBATiYhNpEcpQ+lxhcR59a7ZyTWexWxtMfDvhJ1HrQw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1qlwzeg37fwwn2l6fm3quvkn787nn0m89xrjtrhgf9uedtfv2kqlqnec976", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMYVhGc1F0SlN3SnpWamFF\nYkFuSUxPWmxTM3E0R0R4RlBIYVJBKzhNMEFnCkVTbW1VRWpUYUJYSHRoWTBIWFc3\nd2xxWEViNHlza1o3cEtwSUVYcDl2TW8KLS0tIGdxSmRxd2YzY0Q1b2V3aGtzMHRo\nRFNmYUVvTDljVTJnQjZsamVjSUt5QW8KZGntSWX35XlLeKkuw/BmBuWKKEasCyyP\nn+/2rokVu/DTKiTaTMJXUd2CWj7qNc7HwCMV8ibOGjkIi7KQNYwNuQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXUkdjK04wOEJZQ3hTYzI1\ncU9MTCtpT2RPSmhWOHd1emNGakorR2RPVEVnCmI3Y3ZEYkZMNEQ0QTloM2VaMXVF\nSGZvK25rV1N0R3h0Vy9VV3BUd2QxbGMKLS0tIE90YkpqQTFPVVpISC9jYzU0SHNV\nQ0JmMWx1cEp0cjRsaVk4WUEwWVJSbDgKKJGl6cv+IAz1h3XZyL/W1Q2l6nZXmEyQ\nB5nCzVY/Yr2g45eIjfTZKCo2ORxG6HvDkK8MnVpMr3dfCv7XbRi7qA==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2024-05-20T18:18:09Z", "mac": "ENC[AES256_GCM,data:/GTwJwCXHqE/iOpcPCU69W1nV8SUBr3rauQ7aZP8N777yQzieka8/trJuMvuaJBg0cotm7Vr5krwrZC8kOqoZcf2jIK3E4p7/Y8Eos30VZIGnkF64FFjBACbxjwox+xUsOGxV9mGF1qQcZFx4L/S98qWzeReZV60HqGWshh6+pc=,iv:C0GN3+dRiguHA5YFhw/AFWfYItVKiy7Sqz0rR+07GM8=,tag:lyGhs+8Abb1Rp+qaQ9MFSg==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.8.1" } } ================================================ FILE: non-critical-infra/secrets/matrix-synapse-signing-key.caliban ================================================ { "data": "ENC[AES256_GCM,data:FcqlB9tJ2ZfjhoYfvC82Ik8F120my/ZfRDg9eqEdwNkI51QaqjIhAzlAcyHmO+b2G/c9U5cy2bvMUgU=,iv:5ZsY473w3kQP4qK8CPdXCR90GTnn60I3LqGm/HMhuL4=,tag:0s/qx94SeE+580724rSgGA==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQRHU0d3VjN0loVlpZTjF0\nUS9BSUF2ZHFIcHBIRTNFYkFrbkYyUDFKaGlvCld2RWpTK0ZucGk4ak1Mdk1LOGNF\nTm5zUVduaVNINUJyTzl5KzNTSEY3MmcKLS0tIEgyWjZZYVVSK2VkRlNxM29keXpz\nSTIza1lCdUhVdUFFSU9sRFJzVXQ1NzQKyN8JSEWuGxibgdozgcoEEfXTjlHV0Lro\n9LysFUn88RjHDvYX7c5V41NOQUESJcPK3DI78yxHWzsHpmWMjNtsBA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpM2dEcnJ2MG81bkdtbGFk\nNXZaSTdGZUNOVXQ0dWNvMXFFSGlZcTBwN1JNCm5YOVpjU3dOY3pGNG5XdUhxcFhN\nMzJjK1JOSExmeW5nL001WHhyYmhzUkkKLS0tIDEyR1VrcjdOa01IbEhBZ3lSTUdn\nZlRXRjFUVTMyNmN0eFBJaXdKVTVOVzQKvcpNDONcstOtRzu++3Odt9F0IhG/FB0t\nmPHw6zfYSjmpSv+nVXSOUpNnk9pcGWWtQojHukhXLMIAXssGH0hggg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1qlwzeg37fwwn2l6fm3quvkn787nn0m89xrjtrhgf9uedtfv2kqlqnec976", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVcFN1OUJvbXFKNHVIRk8r\nNTFkK3BaYUpmaGxIRWROaW1WQjQyN1FXZm1VCkh5YVVocExJYjQ4eUNuSVNvY0ww\nZlVnWlJJQUQwSHlGeUJDQ1ducEE0Qm8KLS0tIHdSdTRjRFMvZkN6VSszTlk4ZjN5\nUHdQRjh5NG84eDRzMkxqaWd4OGRDZTAKc01sHFNXUbi29RtvdKe4AOsVagqj7GDT\nfeiKgMhn5kEz3Rex75gDKa7nZf4bfWOlQrKrnC6L5t4G684qoChf6A==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSbWZTTnJ6V0hMZEIvWWRY\nMDJZTFJtVnJqTEJrVGZhUGRyRThZRUVlblNJCmRMUTFhMEZmY2xOTzgwdkZqRVht\naUVWd2IxY0M1YU11TEhCQnhJQzVRQm8KLS0tIGFxNnp0S0dobVJiL1pxMlFSTkNQ\na3JvN0xEUFROcUVXUDVKSndhSjQ1cXcKNHzS6W8Kbvo67rICS0w5HSTcEgztBpzP\nvL8yeNh1iAcWs3YtVnmitl5dwDMxNQFiWsbOxPr/vhHN64bS4J+MHA==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2024-05-20T19:05:40Z", "mac": "ENC[AES256_GCM,data:tM0GE88qNSKpy/QUJDl4okf5eMbJKSiiCZrAfbJtz8V+nqiwqSTx0PYUjLcd2TIXHIicNg8bGovAp21Pm4YtOXMgLygFfNxWnGVXe2w9RcinUDOtXE1MwhJrDV3dvGWQg8C58LgzDWiq+kqgrR4m5YOk3mZUPU4dvj8HQcQ8C4s=,iv:w3nI1jPi+ObeHz32qhiXR/Zf9cRvYXJCMixkPTE+JBw=,tag:lGVfIjwKUgtez//4Uh94hg==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.8.1" } } ================================================ FILE: non-critical-infra/secrets/mjolnir-access-token.caliban ================================================ { "data": 
"ENC[AES256_GCM,data:WuqhzFzf9bNkLGljc87P4SJcTLFFjzgfF1AwKTb7ecIW6GgiVp1X8y5ARw==,iv:htfPbSknGVotYObu7FOQhNHPzPttlTAYHeFZragGmsg=,tag:qP4l+RZPywXrupsLr8Vd/g==,type:str]", "sops": { "age": [ { "recipient": "age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkODRUSmNnTVcrUjl1bklF\nSHZaS3NMTmxoK3daQ0FqTXNQaUFPaGpHeVZjCk1ieXdUV0NpbU4rbUhIQlk5N1dS\nZFBtQ05yMHpqOFhKM2dXaU5qL3VXdWMKLS0tIGJFUlc2ell3cTEvQkhFVEg4bVND\nL2ljY3c0ZHVGWVo2MFRGeXZBOWlEWEkKQF46cGAKEXuI1ODorYHHrSeg+slLPPtu\nQ0vOqeK0yJwarsZWaWKCc4+O2cHQP3RNFp4OUcpk/szRo/htM3ZAhw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdVJiekRvejhRUnNuTHhy\nZmZ1b1YyenY4d2FNY2lBT0hYWGx0KzVHYVdZCnBueEphS2dTMC9YY0FBQUlwYWNj\ncUFYNERScDlQZDkrQ0ZNb08vNTNGUGMKLS0tIERTelJDZFF5b25FWStRWk5uWkda\nVm1tVGoyNm0rZm5teEt4VEdhL2RmZk0KwamvCxl8D1q8Koet4KIa4laMieqfk4xc\nx+M3xQg/A+OdBRbYhbMvNn3p6PooQljbi1MtTOystOLQEbG+MK6yNg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBONzZIeGI0dDF1ajBWVEtu\nWUVRWG5kUHg0YlpDYm9nNVdraXJ6ZnpiaEY0Ck9UOEgwNWtCMVRDWjJmOEQzbUxH\nVDdvby9YUW5USzk5OExZMzRESEVuWlUKLS0tIG9leGZwMG1qb3lCVkJPUm13cGJz\nY1Z5aFVrWWt3aFpXUXkyRmhjV1JJNjQKa3OZQQIQLba4Lto6yaSZtVIxr+rpsO85\nwz1EOKTYvwjDPzLpDbdqUfwDlLkIQ1KAimN2XEqfq1iI87RY7botjw==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-06-06T21:23:25Z", "mac": "ENC[AES256_GCM,data:WrlVzDeD17VtFJLO2sdGDeG8JL536WTl2SDid6jnHSsUZsTqoYCRirzE5ZEKc4aN6DcBPNkuFGVSMVYcmvKq7v5khmW5Oyi0NjT+7hqcewrUAh5loDWzAZd7VOkCsD8GxjtBWtUbADIE2hJ9L8hWoATL9Yh07zwSjWvFg6pW5Bs=,iv:wTOdsNFfdqRluHAFOR1ZcOczYArurlsneqzr8se7SU4=,tag:iiYLrzEuyuuYerNPd9afBA==,type:str]", 
"unencrypted_suffix": "_unencrypted", "version": "3.10.2" } } ================================================ FILE: non-critical-infra/secrets/mjolnir-password.caliban ================================================ { "data": "ENC[AES256_GCM,data:grIvbuQ4QLcsMq+vJ2L3HR8wG4axM9WmEgHjbO/fvHcu,iv:Vyd1335Pg1i11fP2X2G2cyKMyM2/0uFuXO3T28Ml228=,tag:NA2nLx864A7SJAwvkVfj6w==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBteXZkeEt6WE1KdkZDUXhM\nOUtOVUFIMzgxUDFSWnpkTFVCM3BQZHY2aEVjCjYrRjZpaGxvZ1E5Ly9vazlINFp6\nNG4vMnlwZE04Q1JWa2pzcFZ5WXJDcjQKLS0tIElZU0JGZnlkTUs4QXU0UmpienFR\nVk1ESzROMURCalBSNWRaODYzVHN6ekUKMSc1M5L603f+Onx9japy2rgmVKgTcqzD\ni5CIX4LCCbB5YEWk6TqkXSGtEiShYwFNs7DcthmZyAFT/z+1k62TiA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWUVZsR1kyVEtyd2VrZG5K\nRVhnV2kvTVVrV1F0d0VUUm1FaDJvZ3B3U1dVClJLY254RFcrSUhPWkQxMHk2UUV3\nR21HMkMyQ0hzWmI1MnhLUU5KeGlZTDQKLS0tIENVRWlpcFlRaHNDNFpibldaMmFF\naXRzYmVuZXZGTisycVF2NjA5RDFuQjAKs3zhqJKX0YNaD++eWNLgNh+dGAxPc3Cp\nS1g1LkZQE46ceiQRdz7h+lSoEyPfKDbV8510glHnqWSaEKd8WYY49g==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXTG9qeW56WjlCczZyUy9h\nR09kTjZNbE1TQXBtYjZSdTZlSCtkbklVT2dnCkt4cEpSQ2l6WUg1TVVpK2VvdWNa\nYjFEeFRIWDJCekRxYk4wQmlSSlNQQk0KLS0tIGUyeS9GZUhnU2cvb21qMGp4OVVa\nRHNKWEpRbUt0V0JDbTNlN0EySlZUaGMK9grWJ8pZ8IRfCBOQsfFmKeL3/++KT3D1\nBApdOOOYZLc4rHeMHWHwH2J0AP+YYyVHsxQo2yknf2CS8imNI1figg==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-13T17:36:44Z", "mac": 
"ENC[AES256_GCM,data:f63uKmOODv1uI3r9flamhtcX+mM8O0B3LAbnhOD/XECrmRo/4iQT+eFmDXuwqBo4dVf0ITgKOnCTIviA6V7nMSUK5o5irOgqm+/rHarCn46zPaLMS+D6Pb8qtnuX4jF27+f4tqEcA1ux6Pjx817XjDnyv00wEGd+7dYbq7bTgNM=,iv:XNgzYq4ALDp+cIBHAzFMgJD+X2/XI6Y7b6IYIgaAB4Y=,tag:+Y/MUccCguCzKj6kpIoU6Q==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/moderation-email-login.umbriel ================================================ { "data": "ENC[AES256_GCM,data:fZezCd6vfJZQj4v4d9ceewi1wtVUs0EimfgYEpPFHj8Jf1gObsPHcYe3nj4ljpddoJEV4zZ6x8tohU1O9g==,iv:VtNWlp1j3G+NSQlYHRjZeC7SujbPc4JXaSDwHJ+rWF4=,tag:oRTl5YdRNQeLKaSZOSjv8A==,type:str]", "sops": { "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtQ1h2SWpRaFd0aTdOcnpF\neVkvZ2UwVmJhYmh6ZnR6TjlKbDFGVStwL2c4CkV3Tlg3ZjQya3J0cDlCN25mUzhk\nQTg1RFRtU3hrZ2NCaGNYbElxN002RlUKLS0tIGh5bHNYdy90VGpSb045V0J3OE5F\na1orbTc4LzdpOTlxa25YM2t6R01NcDAKsZEGCihccjnr/7kF24B5xKmdjTwkYDh4\nRYaHfrrRFh3q1V0KS/O2OmEZXc5fNjP/WEhKSmHTntRS5uebdjRoUQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1Z1I2MGNseWYwemw5NFZZ\nMUIxcm8vaW5iWXZFUFdQQzNZT3hHeFBJSjBnCmh5czUwd01qaGFsSGFSeWJxSXBR\nRW1XdTNuZ2pVWEhSNGJ4S1BOM1RUd0UKLS0tIE9XNnd4bUFvNG1EbFNteWYrRWhJ\nbFVLSmdyZzBNZWZJTkhvRWw0QUd6MzgK75i7wJC2pqzVnoYZO5KzBqFAKZtuVMAq\n8opaHxMtzAp692H0Y7/ne01H5/WZBQSL6wQOyNpzB8eVazI+ojZ+eg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3dkxsU1ZJVWpWL2JleDZ4\nK1RKcTM2VU40Q1VDeU42eGdnUmlRdjFiTlQ0ClNrR2c0eHUzQUtYb2t5U0lPSFJV\nMytQU3RuTUptMzlpbThjZWszU21QNWcKLS0tIDBRODgrWmlCdlNJcjVDbWpmZHhQ\nM211Z3djRjJWYkJvMzZXY05XanA1V0UKf86eQtCDgIad7JioaVMRjpsI9NUqReig\nwJZjbFF2hLzjSKZ1UCeNrrNp324lyiWn3vfZStUUPz8eX8SAvvSJLg==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-06-18T09:55:16Z", "mac": "ENC[AES256_GCM,data:J6h2iEyOWLXiglrhF2+fSuGWog6BubSj5f1aW710BCK8Exc2/NwHUpUz7IuacCwt6XwwDtoudjRBgzILClUWdiM7PKpdgNGBDLJy1R0GAZUmCVfMndlF2r9bPQVyxeOoKUw3ADeZKrMppfP+zZIU0Zseu6TixJbva2DJHtac+sM=,iv:XrrwJa9a3xtx1J4cRu4JdDQQ13oteABCVcS+mcTXbug=,tag:Oqvn8VtFsqnIXUSBOkJAHw==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.2" } } ================================================ FILE: non-critical-infra/secrets/mweinelt-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:h9DkkRIR3GNh5ZKMGC28SjWod0m1,iv:1tSssLzQ88q9FYg1HM+y4iv9kEldZBvqNBfM2YSpG/E=,tag:bpWxmLj0kX+jW4sq/X6YXw==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqVjUya24rSStHdCtMbVkw\nSGdxVVRTWnMvd2VyTU04WGkvNEpaaUhYblg0Cnd1MWRINC80bEhiaEVreTRLdDNB\nMkpOYWMzS0ZoWEU4TTdITm05RXFVcGMKLS0tIEowblp6eVdHeFNPaFhDTnVJUXpw\nQlR5NERWTnk3eDVXZmVaR1pKTThLSE0Kbf5RBNWt5M9PYlqojAJN1I4s/msoK6EM\negGyoxdPheoKrCVqfOiAPjRCPfXVSNrWjT8SGVxjqMy7C67ZpaS/Og==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpRkp3TkZZdFpQZ3d4NHNB\nbXBKR0Q5ck5jdVJLazhSV09ReEZKYlRpVXdzCmNkNkNLSWhNWWRHdHdrdzdMV2cz\nTUU4RklKUGY4bDZKZENDdHhpbldIMWMKLS0tIEVjYWQzclNJZWJsTnBYUVU3SXRi\nR2k3bjZ1LzV2V0Y5cS9MOXhWYmpENDQK6VSazO993LrsQ1pRyyqM8tLL9sx6BiXa\nd+8JirT3MNYn+tFkcwtA3hR3h9KiOqy43MQIIhqCstI74EXvFoDjHw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxN0szaE9tL3d6dzdjV2Fv\nd25sS2E5QzVwUDRYMEZyL1BsSVdXTmY4bW1JCm1XQjU5WUs2ajNoeEIwdlZxcHhx\nNVNDYlNJbXQxdzRvRXRKbGh5YW1FWU0KLS0tIFUxYXc2TGlQaFh5TnNnN2JvSnQ2\nMXFINUd6cGhqSDBsVFlaQ2JvNVpFYlEKtEBikxgWvbxFw0z5DWgvQIEbWLEuPSoZ\nfylD+F7SIFFygyTWkj71gIuolu0/3F6HeU8WBe8a4av7vsIJkw91Gg==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:22Z", "mac": "ENC[AES256_GCM,data:pgrUk1zEKDapi19EESjQWx/JMkcWydh4stNhf6ALk60QxhwsyNPHWhrtJHl/VsP2q0KX5oRVuh5EjIRKOjrK3WeZlpRj4xCxw5sDNcsmxYQZkl215FLqmR2xBOt7dT+0qjbducmMJk0ba8L8a/SFGzn/WWTpT8fNGmh6gKVKq8E=,iv:10TOxOAGbCOtYVRilm6Scut/R9gHG5gMqnaSc1h5B/I=,tag:CE5OGlEHBO88fZJCzqTArA==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/ners-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:MaAii21TW3gwSdI=,iv:SpXn8gy12CQsC5ymt1N+uCcnDoG/kEcoP4S9rMkh+9k=,tag:Y/M0+LAEcRYMlOZ35sgdVw==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVWdBSkpuVGZ1dk43SGdP\nekcyOHFXMEIrMEx3L1N0RVNhRWVwZ1pYeFRzCk9qNFduV1FKK0ZEc0xVdENsRFli\nWGlSYnNCTHM2QVRMd2xNTnliZ1kyUGsKLS0tIEk0VlZqZjd2YXkydEVZaHl2bG5m\nOUZ4WFYyOW1uaDRrRmE0anQvN2dRaEkKmcflbtYPx2vdsR6OnF9g9xYsIyhSm59z\nVgk7C62THzU3YJmklPxOgLeUYZWuGAkPZ4WNzbT6V4dOz3wwXQqZLQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMQzFiK2RSVFVKMFFjaFor\nZUZOL3U3VTBrdzVoV1JMVlU0d2xKSEVjS0VBCnJjcSt5SmRULzVvR09pVnVra0JT\nRzNaaGFaRmVtMmJEc1hNVVY5NThaSkkKLS0tIGZ3bFoya1lvdXhDUXJWTDdZR0tB\nSklXZ1JnR2V2dmhrZW0xWWEwN2Y1dWMKc2RP1og2xEhI4j7qjHmNyzPXx3qHF/G+\nTix/T26LKy75hgEl4jez++pX3b7yHX1+fbohTXWAqYpNlNCv9BM/JA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxZDE5WlR2UUdROGdWTEZD\nTXZsN3lrc3g1RVVxTGFjY1RkRysrZzNQV0hvCnZiai82Nk12MjRTTmtBYkU4TjVq\nOUYrV3gxTjlGcHFzdVdSbXR5aVNPSFUKLS0tIFZ6NjlHNE5NQUlhWExqREFEQ3BQ\nRDROcTZCbFlRMWJNWFZUWGdReEdoNWMKV8c9PTqc4wQWNLrO87Gknh0xT4EnyJU/\nPzfnhtcD2svCxGsS23fYKqktthlgSubIMTLyAVjxa+Bhwo7XFGD8jw==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:11Z", "mac": "ENC[AES256_GCM,data:guJ+30EF8fCCdZAE1q//fhs8stSWHuwKIXITiCa7vahZ3w628M4pbYMEhftxjXobo6m8LZEQU7eBo7DnP7vBz9yx50XJLoRuRqtGRRRxrZqIphIOId7Emrip4gfu6/wK/fPfD7abcJXnmrn43unYB6kLqOhdcsKsPZRQxwEjKxU=,iv:cTQ7JpgN9TPyRM0sOJJMNcS+C/BkJO7dyHthrcRR43s=,tag:s9TIIBaw4GFNGX2d5Vt/vQ==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/ngi-nixos-org-email-login.umbriel ================================================ { "data": 
"ENC[AES256_GCM,data:UP0vY74lmT1mKadLp+Kiw/Q2ZCjc/Y7Cc/yQ17AumruBHXGqmDOm5H9JjlcdE8DU7k43kspBHqpnxBchUA==,iv:LMaEH59zz8jZ2GfkweAGM7/2LdgQ9HQDpkaUGTZ/SOU=,tag:tIu2rBrCsaFzQsRXJyRNSA==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTNE9Bc0FxOFIzU01kekt4\ndlJZYnBGeFpBMTNvTDUybHNlRFFGd0xZQmdvCjhLR09xWnM1c3R3MEoxMmZKZTFT\nZ2V1ZHFQQ0dlUHpIZVNreExRdG5Ja0kKLS0tIFdrcmExODhTVzh1cXo3REcxZEVi\nNmw5Sm5jcU9BVm14ZVR2djdwejhUd2cKaq53IBfwqonP+nOYQImFSrxUQ9KaejL5\n4ee8QUn+4fcZLF/rOma6Ydx3LN2K0akk96T7XzF7JT/f1cZO8uU3+Q==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhTGdCWldkOGRYdk9TSDlu\nejMwaFpDb3BkcUNENVBkSmc1azlBNjZrbmlNCkNnZ295VDJPUmZSU0dpM2RYNjhH\nWmdZZ2pZWlJGcmtMN0tEK1RsbW01NjAKLS0tIEVlekdvT0xldFdiSEw3MjVjUWVP\nZFBUdmc0V0I3SjE5RExUQ2tLMjcvT2sKEMvMayOBvWl3w+ryflSgcNaS830PyqX1\nMol+pupToqIFxXWIz8CCc6q3Xx0iJTfHXMfRp1bjfK8igN+fgPtNng==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNQTVLSThGMHlMc1hBQVFB\nZXB4Y01rdFNscEJsSDVaOWpvVVFBVFVOUENRCkF4RmFSYXR4dTd4b1o0VGpjZXJS\neCtUcit3Z0I2dUZNWjRvb3RPc2d4bjQKLS0tICsxZ281NE5OVWg5dG9mYjFDOElI\nSWFsV3c0azhISyt0RDNZU1NlRGpmSlUKFe6LRnCY1j20PQGZwbFAjfMStGupbBUN\ntNzo1xi8EK6lyxjEgrzepdTP8nF6p8pHoQuU/V9QQ0Swa6anx73GiQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-28T22:18:06Z", "mac": 
"ENC[AES256_GCM,data:DDt0A8oyegeK2LA8eVmvxpSTsii322vpwBqBwcivnLuu/12St1Rnw7lYtHsgNv24mp5L+GhS79USWR8H/tN7ArW198qpWZ1jAs2R9XkK8wSD0W3aZInwTgnwPFxjrpDzmWZ0WC9UXERgG367P/s5aFFN/LTl7zAyfTcLLu08Vbk=,iv:Eqo1xnW6Q5G/84cA04tK6HwOUA5Wh9VL3ZTtkkmovsQ=,tag:qcof1IsOYt7LxEWznmpxsw==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/nixcon-email-login.umbriel ================================================ { "data": "ENC[AES256_GCM,data:v6AgrbN+ofutr+lo+o4BkC0yPop81rU7QMoC0Z7LGWHctGwL/Zc8BkHsCHEPyGJtAA4S2D8nFPLsil4n0A==,iv:EmHzvLI8WKS3ONtRYRMnC8RQvGsZQaYJWs70ZXzk6rE=,tag:84HVihatpSQmvSq1m+CoKw==,type:str]", "sops": { "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGT014UGN3djZGaGYxdUVJ\nYUs0dis4eDlDSVYraWhEMnhJWktiUEFWVUdNCndleVNJNUdneUtabjI2cmFoNEpm\neXBSZEhiUis5OFM4clI2d2t3alNMOEUKLS0tIE1ZOUxuNjBieDVGLzMwb0hlWHdv\nTEhBNktmZ0c5a1N4TEprdEduVXpPSFUKX6Q4WJoHT0q/pyYeQqboKN1PCv8YufH3\nM7fTK/lyWHanPv0liDxwXF/23zfDUqQZWhWKTq1ddAxJaToTDJVA/Q==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvS0kzWHRrbnhmdCtNQ3Yw\nUHdlNHFhbHdKQ1lUM0xzTGZtSkNKVkVGVjM0Ck1GUExrNlZhL1drbjVBUnhjZDlh\nL3hrZFFrWDhUdTFPSzBXNDdkUFI3bUUKLS0tIEFLLzNHWWlDd2dRdytaazN6Tkpk\naHFFcEEwbFl0QzdxbWYyWlBKYUxkajQKwDmyfolWyuGuf3Qn4hYMWTY1aZ7AQl3H\nTn9iW+rRRIkrQP30/uqJ29Le7ct/gD/VDUXGgl2Dqvo94luz4XjO5g==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsR0l3WU1Rd013cDNYbE1O\nK3lBYjFId2hEdTdrbVplVlV5bElKa1ozaGxFCjJoT0o3U0t2WXJFOFFrckpEZE1U\nM202OGtCenJtS2FGUjVud1BwN0hUdHMKLS0tIGZRS21Qd3RjK3NyUTZKeG5Sa2xQ\nRkpGdXNidzVFbEVuc0QrdkNFc0lVQmcKQtl8Q1T3vrsnQjsTgZ9kWRGfVDgufEP9\ntz+qZ69lqa1GhpO+cYqcZ7J9i1+70mh49gcRiOg5391eu3BZTkpElA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLYzI0b2FjMmM5MGN2Z2JM\nbjhxZDJsdHdjMnlieDJuRmVCUy9ycG1tSkdNClAxRWpFSnI0YXRFMTE3Y2NDblZp\nV2VFdWRHbnUvU3N3OE54SlJYZVVoNTgKLS0tIEpVMUQ1YTI1dkRLTUNDSEduWW1I\nVHYwVFA1cVIvQ2VsVHcwVENCWW02WDAKL2OvMBbbDlv5XyplFer9i39cpR6fDEGy\nYooSzLS39RjkIBTPLpPSwcJPfKOzmwKuRxmPJCO8a6IIMOJTbNruyA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoa1c5SS95aHkxT0hLbGto\neURZWkxOVDVvbGVIY3BRL0F4YXBGK3lINFNZCi9KeGlUMDBSVyttbEtONGNNZVVw\nM09BRENjQ1hYbjZEMEE2eGxRSkxXTFEKLS0tIDE4anBmSGZKcU8zOGZEZXFNQ2lQ\ncXErMGY4NjcyRkt1ZFdZMkp6QnBvUTgKZZG9hA0C4uxpiXFO58fsT1Tjg797qTMo\nans/sZjIEV8QtSojDJWWLhJos1U2KuHg0R5phKqPvYwRpl38FnH1dA==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-08-11T13:44:41Z", "mac": "ENC[AES256_GCM,data:hsUlG+s3uIdP6MpAL7HQSu2X54AzREgpjgl3omgoMgfXjjBjwDQbNUONHg8osAQxZbQCE0XDL//x2apqCgDR+znAi0UhZvwEFIg3ia4wd3xtLWkKuHTh2QgvjlQJag7FnoeS/TkptjgqNIzr8R6u4Fsrv8+Xuc0+MSVQZgboQjM=,iv:fSlfVoAg/FKQ/Q7cQVobVpxUwKZtVjD1CPDZUk6NM2Y=,tag:w4iCYHVTW8+IjUgG13Bxgg==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.2" } } ================================================ FILE: non-critical-infra/secrets/nixcon.org.mail.key.umbriel ================================================ { "data": 
"ENC[AES256_GCM,data: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,iv:DeGWzsY9gt6xjfRws5EborbBwWVFGGlKTsfLlUemYAU=,tag:UiyvsVd7Y3KVq2fMZhMs9Q==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLQ3VQS2ovUUxOR2RGVmI2\ncGhvR0lzVS8wQWdldU1hNkVrbFVabHE2V1YwCkt6MG92ZnMyN1Q1dldwMHZCN2x5\nVzV1ZTYvYUpkWUJPK2RhYTBNVVU0Yk0KLS0tIFg2K3dmYVQ3TmIrNFA1ZllPYURJ\nYVJKRjdPNHRkVkU4ZWtzSEI0bEZZMlUKTcwSbuX3BvSON7YtJwr8bD9626oDwyB6\nzI8rpuiVcr+r2Ppb93tqGJAUHKaOPyNIeRYMGXwiDDwBPeeMqAq81g==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDYll3R2ZYRGdUT0EvZS8y\naDhKeENVR3JNRUFJWmoyM0M1QUFoUVNQMG1JCmlrWGxTYkJoZ2YzaFVZOXpERHRR\nd1ZzQ2drR2VTZW1uZ09ZUWZ5cmpOR0kKLS0tIHlnRElKYktYc2hwZSt3ek1QLzV2\ndzViNFhOTlNPVUhObXl4aUpkMGpZdDAKQSfKR5YlBwYKtgaOKZivzEYUyoeRur25\ngPNWPmGJWrmvORQtuglEdECbm4HOsEUT8UnNwU73/08qYhc8ACFgFw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4UzIvMXRMQ2I4QnEzRGd3\nVGtoL0lyUzAvOU5aNG50TFBsYWphelEyOEVnCkN3ZTV3aklXU1dEQklxd2dzSGNi\nRTRZWGlKS0pCd2hEU2FScEJCTkhFa0EKLS0tIGNUdUNsTGhuQ3JKSFBoalRmazUv\neGRTdVNpbmVKVGNlWEhUQnYxTEhHY2MKVFZODyZoZJ1ZiZUITIiUkjy6FDJQWbA7\nyeFlTCu62YNrd+ja1gOFC0Tz4RA1GQmjh1zWVnmQ+QMzeHHwT5c1Ww==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-04-17T00:38:26Z", "mac": 
"ENC[AES256_GCM,data:r65s/Rw9Ip/bmCOmqd9NScRuD9pdFsgjCB9YP7jAM4Yyc9kTJfEo7bxOQAIAe4mzLRkRdURn3H6n152DYG8JVhGvEs0rgQKwGk4nO6WsGxeONPjBjwI3di2aZRUa5HNfPcUSU2d9xHXv10bMGWTUOjwTh0yR7wpkqu4Es84FkaY=,iv:mXBSvWPPncVvztSAQigND9wY6GuNXvLwOQgLgsa/ELU=,tag:dCd6cWZveFMjzknXRXM6SA==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/nixos.org.mail.key.umbriel ================================================ { "data": "ENC[AES256_GCM,data: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,iv:lYv/cuI7dQnBq/UAOh0tP1e+GOPgMKzHc66+cmyjZXY=,tag:mEYrazYwd93xOV5Fw5vqHg==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBalpYcW9xYUZsTi9ZUDJV\nWEV0ZEZKWnMyNXdXUHBmRkkyS1gzaU81bGt3CkZoZVp4OUhmKzU0dkNmOHRFb1I5\nQjBacWVYYWdjSHh4NHFGQlhyNENmb2sKLS0tIGNmZFZjQ2dMYTQ1OFJnNFBLejNo\ndDJ0SUgwVHcvNjRTVVZ5Wis0NDZ1dWcKi2RTUzwVVg2x+9L+96QNwpA32IupkzV7\nmTfRtizJXHbzfUBSCUiuVis92bsk05PBRB9Zw5hQMY7K7ZAkctLprQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoWFdCSWd4Z1VwOEU5L3or\nelpPcm9JcDE0eXB1L1hrcVFuaGxQRDN5b1V3CnlyZzhnbkNlVUswWUFLclBqOHdv\nSEwvbTN6R3oyMTc4aS8xSDhkcVFpNVUKLS0tIGh0ZWRuUkFMSEhvRjZuV05zbTNR\ncytkaXlIOG1vQ2RWVnZLaGtJOFQ2dDQK04Fq2wcKRINC9iTCWuDMbJY8QPQAknQk\nTOEvgZ4DRQa/MnG5WGZkoA0PygirZNQTJFge2RRa0YMY+wypQvQNgg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMWUtZd2RzOEhKbnE4THZL\nOXRsMHhJVk9XancrTi9XbGF2SWl4SjU3bm1ZCjlDWlZ3WlU3bDZma0gvbUIwdk5P\nMGt6YVZjOVBGRkFnQ3ZVakl0Z2xjTTgKLS0tIFFzbWlDNi9rNloxUzJHbFd6Qlgr\neVVudjJFSThLeWMvVFozTUg1Yy9JSVkKH4gAq3XTuWVlylHxIOU5l4pbrsU0cFAA\nSAZUQk3TsBw427B02uocjjpTQByuxFxAf3hoV5WgFfEZf04gMlEUUQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-11T08:24:47Z", "mac": "ENC[AES256_GCM,data:NpYf1LwINXQyuiN4jCkp95Q1UUnp+7M++k28GfGM1oWquOYtUH0wbRKEk1ooIABGSj8uz6qx5KBBGRh8eU6ldh7qwYqqTLDey2qeJ/5kt1ZTC5aOm9qtDWYWYzzb+lznOegSL25ny16d6ipOiKJeCdfcrgJBSr+Y6MCE+GxqGEg=,iv:pzx0e4ySgKmer/zF3wsrN4vVAzPMWE8RPPbkIkx0W5o=,tag:Smm0vqPToCcy2XHyHyVkUw==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/nixpkgs-core-email-login.umbriel ================================================ { "data": "ENC[AES256_GCM,data:aFnXR7/h3EEvIK1+A/8wThve2ywqQWVzLXnVEggyGB/VjDciDNmFRgSKCiONtsm54c/G6YhafH42FrLs7A==,iv:rI59EJbLNet5dizFhn2cqkbCZbo9ThRctswcBQmxn+g=,tag:n9LS2WUm6Q44RnXEE4rxcg==,type:str]", "sops": { "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVWkU0V3BRRjUyeWp6dzZQ\nWVBHVVVEK0FjVzdlL2VQb002NDVGVjV2M1YwCk1rZ0RmMjFYTXpITEtOTzk5UURE\nUVZ6clo0T2F4VzhQLzdGTG5WTVI5SG8KLS0tIGl1bDNTMjNQcHBmWFdYY01JekNy\nQjJDY0l3UEE0YTZGTWhEbTQ3UjRQSDAKClD5h48vtJfMPd+0bELowPOY6wWy9SMS\nsBNHlFOzNOxKG8LYqLTHZ2xIu0W/rd2UzXcklFL9zNOIxL7uGzDCIQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1Vm9KZk16N1VmZDBYdnNn\nTUVZWTQ0Z0t0azlYVGlIWTJCaFBHUHBpZjJnCmIrU0JGNFcyMktuYTMza0d3U2VP\nYmVvQkJmL3JnODFXWlQrUHdFL1RoTTQKLS0tIEMyK3I1Z2pVRE45NUw2Tm9Tbkdh\nc2tGOWM1WGgzaENWU21kWFJacGx4RjAKDRPaTnR7qYsZFXi25fjAxfSGzw+pQNgv\nUFiKKJlIMyueTeXMozvax1Tmap4CNDE/h7hxbFZO2pdWGM38CtGNqA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjV1p4bCtUcVpxOVVUbUZv\nNE1TK3FEM0dmbERUQ3FBWnpDcEY0aWh1UWlRCmNkb3dmTjVvRmlFVmVxVnk1NWlo\ndWpaRzlwajBLQWlWRUtEL21TMEk0TlUKLS0tICtsRVhDMkVDR005Q2oxK1luV05h\nRGtNUytJQlIrenhSVlBRTXlxWFBkRlUKexKk7NrCoI5vNZfdDIlnvO8tyePqsevC\nkHbcEK2CGSRKcKlnHE0EXreuLkmeC1fsdW09J+z0PPC+k9dGRu/mYA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvSFhqbVZUOHp4T0JrUXUx\nc29ydU5ERVhDaE56ZGVZdUhXcFVNYmYyQUFjCkhheVZ1NXV2WEo2bDNsN1NhQmEy\nYzFkdVhqamNKRHFiMzFLQTk5N2N2U2cKLS0tIFkxU1Y0Tk1vQmFjbUNab1Q3b3ZF\nYUxTRStWRVdwWmhiUDIzUWY1andROGMKAc9/h7mB3UY82VX0WDp5BEjgDPpFrXJ8\nHgCBcI4azJUeKxw3qhZIAbKiuMu70UdCLp0Nby51xFyCKskOz90wSQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsUS82T0tOb1QzV3lCV1pu\nUDdrUU04OG8rR0Vza2NDRmlOUkhFckVwQ2dBCmlCbDJpK2xwZ3RwY3h2S2xrdkE2\nU3BFdmltbzFTWTlqekNxanIvNjFzcnMKLS0tIHFXdnBkUytDbmQ0K1lUamV0MjBD\nMTBoRUdVQUhiZlFnRkZqdEJhdmpDeXcK8yBkXJbk76wdtMM260FMkTPK9P7G/40/\n1UOHLbIPmhpX5AfKsx2CW8JaqseOVO5v/O+5LFWgqzJCu/c7NdkPzg==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-09-24T18:44:02Z", "mac": 
"ENC[AES256_GCM,data:n5UpATwsy/uHUyWmxE7RAt8EzmCR+TA5fZRQP/YRxcC1vVtOi+iZf4b86thZ3x/Bx/siXEHzmyzU5+qnUOPUNPGHO72Kjz+kTUmr+/OBJjjqvZ+TrSGU/s595LqbNzWn0TfvYZtaZbmzU5BJeN0mZx8cHTBY8djNAFS98q0Y/Yo=,iv:iB0FobYcLQSJJNc0H41CMM877sP7jZCpdcLg8KDVZEI=,tag:9c3ttQFg4lEbzkl44frU1Q==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.2" } } ================================================ FILE: non-critical-infra/secrets/opendkim-private-key.caliban ================================================ { "data": "ENC[AES256_GCM,data:z3zZ7En5zaQMZhpPUdAOLlbZxu1fel9KT8vVMqVvtAPMK4v/QA1nabPgUspSUORF2qgYzzIY/tDRa0xPenTLjvVRoyRu49jiOdt5d2u7Y06oD1PI12/Dik9euqYhmcXG+rRs5/wBEOdLDmhmsRsLCsHOGvLZAioVPSbhss1bIjRt1Fi6brTB2/pwYR0QBLxhqfZcPQqHqfT+eY6E4Helkghl+UnSUMU3q/SvABTMYedPo/9HH2zTk90hiU/JZIYrKDt6rpFfufY4SMsXGROshx5ECE2Sx8zYBuvrN4N56nsOQ66LjFsZa4MX7KV5cNMoeqQp8o395YfMWxmFuOYE0I1hxJ5Sg6/ehJjGdit2xvL2Ry16eNYA7bvdhUZ1VGBhMUMyvFP1KkCYk6B7N2FXmaAssHMEonfI0kEnrfERaAaPpYaYszb6GJGJYqRQyysvq7/3IOOXZ1TC5uZiCVkJVeav7zQxcPNkBfRttNZ+iAZHFKjV1ZQO50L8VRdK9+ARNrtoFl92+HbVdOx006S8W3UgBSMAzFqwSEew/ujgnHQG1/71lXgESRDtatyGFYhx6OXJtRAnDmE/fNaJw2QR5zl0bzB8GPYqSNyXBuAFe9SJ3OLf4eVFE7gIMFnNPXGAouUIZMQqwkgmmPiibNuYUwgQhcu8aFQrceQz9DPlH19dPXnj30z6kAPHQJmEA8FFT21GzouyUDuoLz7/Iaws+k2mQWm1/2yK2LZN6GlUaS7D4Vv7WEX6L7ej3QelZnrvF0hE05JC87j9Lv4sdl5lms4hRq4KiYMoWk6UUEsx0BKm4x4rZ1HfyopLFx6bW7lHjI+21gpEmVZp4rSSYFh2sCfv7l05vjUjAtC43UfPiOgC4Ho7QhxFE0G4u/9PEgKsOQTeRwDStZkaet4+XM8I9c57oT7+7tHJvQ7LoNdIWdP/xR3jhZeEWN+nrTRmfcsdNl/H4gQTV9VINn5F7BxbzJB3oL7eymilYpdDEgiEF6Yw2lxRQ5bXTw2jPH/LA8d8CAu6BzQplC6cTJnjRuXnRY3rlBkByE+4xU09ozJLh1uOkp3HeKD8lEoroS9kb3FR+6cPr2rrW/JM2eAkALJV2+sCmcgDVUREiFTes7qBOKfydFbEGRqYym8zSBDcRN8hurb9wpI5bUmdh+Sxae1FsR1RIghMByjr02kBAPXtxYol/dZ3tF21rd0AzENRne4G,iv:zqzOFTzWS4XSfOf+Di3EtBZctQrsvd3SnY0iT3tvOmU=,tag:1xC5T6WOiEUhjAD64Q34Ug==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": 
"age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhTkRXQ3hFdGpEWEg3RG9C\nb3BDOE5taWNvU0dUSmJBUDltTlBENW84aTE0CjU5M3A3VXJlSUo3RHRJdms0WjNR\nbXFwWUU1MkZaU1BSOW1QOXFYVmN0V2MKLS0tIHJOUFNiWmJYVk56R0NhTHhpR3lw\nK3JnVG9nanpPY0VpT2xpN2FzWmlpSm8KIXVYhkAKOSVcZmPjtG6dKtpr7PxjdRa0\nwSMJ2dacHIglbgDk1jc7EyrAjn2B/ARC82R1xw/7GKzDuL/h49Mwmw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzUWJxTjZTMStURmk0WmE3\nYXM0NjA0eFpkdnZ2RTVRdytyU0hrZ2s4MDJZCnNsVklEL0twaE83dklnM1c2Mjc4\nNTFHYXUrUm5ybzRqNkNZMjRLTWxRN2MKLS0tIGVTNVltc0p1bEt0elUyeG9TYnZq\nSUd4T0RQTDZtc2U3US96L2dXYzFwYWsKizu8FCGL8x9iNIAyc9vEoeVE2v8RD+mh\nejIHfNKd9Sgqy1du/vqbcKlwrecD7/lTf3f8fsDpnBC0qghfs83+1A==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1qlwzeg37fwwn2l6fm3quvkn787nn0m89xrjtrhgf9uedtfv2kqlqnec976", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLaTNqdjhiOWp1aTZzZzk4\nL0tRRXhtSVJZQkdtOHNNU2V5SWdYK2tMRkFZCnBqNklyZjczT0YzUjJEb2NjY1FP\nSFg3aGhSZE10bnNCWGxtMGwwT0dxWVEKLS0tIEVDbTBvOHN3UE42bGVySGppQ3pr\nOW0xUDNUc0NrbWZXTnZRZE5POVZtYzAKzNkH6mxOsXpWv+r0bYhbCVJ6z2k0PkBC\n+oRdYpolMLNj2pb4KAgQbdRSlWTcz51JYTMAYJmth5ZT9WQeIsMs8g==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHSS8zdnZOR3R4VlJ5YzhF\nTkhhQ2FmOEdBaEMvTnFvVkN5eVN1dUdoQ2dBCnlpVXpYSXk3MitmYUt2YTBQZGQ1\nMXlaSGNxL25aNlgyWFV4d2pzTG1aUncKLS0tIEFodXdxdFFjczduSXZXbXNGTGsz\nRWsybFl0aXA3VG1VUnpSclZwOFpxSU0KmoVMzE8magbq/Ox1LpgNte3nKy10IaDB\nbNRyjSev8IGgUXclq6XIVFf2sznBdBvcXnA2SIEHulv1OgxzkaPDyw==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2024-06-04T10:10:56Z", "mac": 
"ENC[AES256_GCM,data:CenZP4kiDARE/mK2lOsFBZVI7f+Vz8tlRFdi5+eipFWiUnyghZx022K7t/TjuNjHxK7DJqn29VURAjj6+4flIQbJLEb6Dmu+eY40EbtFXEvKZrxEvCTN7e8yp6ds5dg+Nuj9tRE0pp8o7Wg6wNQWr6wIxqgjGYHrBJ2fYg6Mogs=,iv:+lxJwYB9wbs+tfF75NLu8EcIhd3k3q2VR9AqyRX2pR0=,tag:2W0YXbdFq5zOOs70nxzwrQ==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.8.1" } } ================================================ FILE: non-critical-infra/secrets/picnoir-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:nyb8CLW2mX2wsKPFOx5TgNOD9Jnu7K+x8g==,iv:G6hcbILjJzQVgVfy7vxU806M/dTJg4AwKLxlBUAlJh8=,tag:zjQXyfH7+aoT/qy+IaeCLA==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNVm1kSzhaMFdERjhFY25q\nL00rbHB6Qm1IdzJRK3Z0ZU9JNm94bFJ5SHdRCnFTTkdURGlkU0M3WWFWR2hpanRO\nbUdKdkoranhrL1B4dHhNUURDTWY1WG8KLS0tIE1pbllTejdRKzY4Vk1WQWp2RFZE\nWWVXZHpCOGp4TUEyaVpheEJTWWhqcjgKpYHtYq5RmJ1Fl5bQb6dQSPWBUj2eiPUH\n+w50zvGKefeUuFo2wjfnxgxfr7WmfHCQAVZ/a2JrqgY9mYkJJpCyHA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCQVorMlkySE41clJwQU82\nb3hjbmxETDNaaWhhcUV4OTNIUU0rR1JpQ2hnCitsVy9oSWdnUVBzekdUU2xlaGJF\nTzJnR3g4SmtaTjI3TWd6dE5uVktYWjgKLS0tIDdOMXo4K05kUnhxSHYyT0hRTkVZ\nUVF0T2dLZThVb2ptT3Bkeko3Q2djbkUKI70oETq5q2pl1+fjiR/GjHcSfLi0F6KP\nZvug8/S/NifH/BbO+6EuUqLrFEGBxv0RTC+vnQ1y0MpvKXlXG0K4ow==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyLzgvQU1udzhDcys3UWZI\nelFWbjFOR29wM0x1VzA1Wm9BTDNoM2V4ampNCmFwM09URHVFSVE5c2h1UmxtT1hE\nM1Mwd1JqMHkrcEc4WjhFYms3WVFKeDAKLS0tIEV5cDFIZGZnTWM2QlhXUmJFdk5P\nYkI1cXNxdi9ORGhmWjlpS1Z5VWFFWncKi8KkI51plxvpeeTOHZ9kC0Xcd/vE31+v\np2XBcU3NrKhs8bAZN9xYKVag4lM23G1myfnrwB4RCXHKGnF1VJyAtw==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:20Z", "mac": "ENC[AES256_GCM,data:A5YAwuWo8pm/Hw3NxX3StvW8kT9wk2dUXLVQwJZ/inV0YpsbejhOlHIfca8iqMAb9Lu5o4V0bbdgAw9S5ThHKyatzQZtnIT2uRZM0Ietqes4yXjoL5mEjbEEgCVpbcdRd93fTNt/G4BLWEcpMU7xMNIxiT+KVk+eN0UO6tw38d0=,iv:2a4YRCi2If9VMSqRHciargwDJ9AHCbGBrRKsQxsFDTk=,tag:ejM7sV9JrR2A1EPdnz9OmQ==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/postsrsd-secret.umbriel ================================================ { "data": "ENC[AES256_GCM,data:Oy/Lqq1DTXVX0SK0pJOa6fJhf9H3Qi2G3w==,iv:JG2o4C9EjBbt4PqrE3kHPNabFbk2Ar3IHseQyrQxnP0=,tag:IRG+EYLebBDf99svFmcHWw==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArTmVPZGo0aXlsbklBZlEy\naXZ3SmcxNlN1WkowQUFuSkdSVGo0Q3BneGhZClliMnIvbUVnb1FyMWJEcXFxOTh5\neDNHMFN3NUw5bGMxcm5EUWpncnkxNnMKLS0tIDNVaXFJOGxQa2FUVUhYbVkrQ0Rp\nS3RmbElCUlUxdkNXblY1S2VSQnkrc2sKusUip4Vnr56lfiEAHRPqQiZjb91rovLA\nQhPCz/LwTyxDDMTsq1dNbasniqeErmUfUfK792HqigBo2qXbsk4bjw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBY3gzUU1WSk92QTBFNlFU\nbVhLamEybkZUYWs4U3FPYWJFSTQybXlkK2pRCjhBdUlOVEVsMkhlbUJFbEVnbS9u\nN1VuV0xpTzdQVk1zMURyb0VQTHVMWVUKLS0tIFkzdmNtMmgxajVRQlNiTTFzTnY4\nMGdZcVpGRkRLQVVSMHJ1QlZjUm9halkKnTU4dXWpYOj4GLuyoNvz90uarPbn5CBR\nfiIXd7QPQl2+3SstC8KrxXSvRx2DmxR+imtPRvqGEf7EaspXpfy1UQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSRUY3M0haTkV1RTlUbnpi\nNk9WNU5OTkR6dVozUTJKbzhmVXJRSlJxMG1FCmUwWTJmbm12UDNmSG0rdThVekRw\nWk1sOUFLUFlzMW0vKy9IWW5HNmtDd2cKLS0tIFc3cjVLTEF3QVdaeG1Kck9KMm13\nS2pWZEpkUU5OaTJIYmNpZzIrRHdReGsKN15CghVCZmL5irAOuhewFIR1hL8YkT27\nwahQun20ahRiIkQRZxGWi1C9HJ/v4IVjwsTRYbM9BwIuopDQkofosw==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-04-09T10:20:42Z", "mac": "ENC[AES256_GCM,data:QhBJD/BaFKX16orijmxl/Oi/50d8iqBKR90QPOHgWSp+MYXfzArS/OLu8ZtZ/xwucW7pNh1oC+CGmMHTW1xrBpuMg6MQ5qyhedKjlINptYG/IIcqIkakulppOxw9LMuUWznXcDApd3w5SkMux63tO7vti0kWQ3Zv4A9XpmOXRCM=,iv:85o1/ucnYoKBc/2cCCr+TgrXCQinzX3vGYv5xzEaJmQ=,tag:dokOTNpd0aQMsvVX4MOxFg==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/queue-runner-ca.key.staging-hydra ================================================ { "data": "ENC[AES256_GCM,data:pe1lPpTo2O6CjOwyW3Go673wo4kJJ8O7XGk3M89pcdaoHPr0gdvvsSg8tG98qng4E5vfYnQpzXNFPBjmv9DvFkm3LDqOSmJsNw6Vp4LAIpkxQmuehGjDnsu2WxWC/JlG2Qm+2FS2saxZrfaeHEiZDvPEm1rN3oA=,iv:rrKEmM0PLIS+ur+cjW5tBR3UqOftOi6FTaqrymr6OIg=,tag:zGZtHCxldMKeWoNICBe3+A==,type:str]", "sops": { "age": [ { "recipient": "age1zxcssfw5j6dwvcw25tmxs79lq40xk70h2s234hen8pkpte2qe30q9e7cy8", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1NHg5VUZWSHV1K3dRa3I3\nVy9HNkJzQW16dWNreE1ESTRkb1dkdUFmL1JjCkxxek1GYjJudThRK3VxWHZpS0tB\nc2lYcktIeWVIZ3lQaXVJK0h0WmVzOWMKLS0tIGRaZVg1NEJGdjViWGJYL3VrZVNN\ncFgrNXFSQjd2eFVxMjlESndwYXcxZlEKjXv0rWJFQcgsV6PKzvu3CUTtdvzH93wq\nQdGaszVmstbPrTnht1ty8Rt4SnsXUxg+vFwxGUrWf1f4F3D1doC1eg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJc3RWK1ZocVRMaG13US85\najJKNTVWMGVXa1hiQlY4UG9DSjRuRDFTT1VFCi9UU3ZMRUtUdWdybWVyWFhuN0ZL\ndnM5TDQxTzE5Y0xYcGJ5OHhPV2V4elEKLS0tIFUyYzhOYWRDcEg5SFhJVW5KMmdG\nVTZSZDFlRTY5QXduVXpJZ1BUVEVjNWsK5JkQ10w2r83BJDZDLp093hBUeRun98oZ\n1cexIVKHrq0TtCF7kweNrOi9nMyitwcwyxc+iiJz1wZa6ZUYpZiZCQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJcjRnTjF2WEdLMURobVQ1\nUnhoWXZVd2VvZG9WZS9NTGJMNVF3Rlg0OEFnClF2Zkk5NWtoSU4vSWRsbUlzckYz\nd1h6TVhhakpQdGl5SjNTOXVlRjBkaFkKLS0tIDY3dmJXZjlrMGo5WlM1dzNFc1dQ\nMkJJelZJUVQxZnBSbzV4VnN0cWptN0kKLnqhWJ4fPdFNuHfkJr+PmQywS3L69kIY\n2v12scbgry5aCX5ChRfy0Hmy1PMHx4x6qLhicvzHn1zhLhUiB112EQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqeEZHL2ozc216K0Y3cE9v\naU1GaUN0dmh5NlM5Um5BN3lCb1dLeXJqOVZjClZFbDI3dnJ2MGkyMUV3dGUreEVZ\ncUFTbFVQSGJWRnhHdWhOSXpIZFpHam8KLS0tIGV2YVRPWEFRdWY4TDhqSWwzUEhJ\nK053am85SFlPWHdqTUpMcDN1eFdSR00KSMBXHDQXVtLudlp5BxGTchm6niro7Ver\nQ+2HCXKIOEVBbkp/qI2Poh707+LxOh49O/kFp/ThBCE3QzzET0/ePw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0MHI0Mi81YkhhNzhDN2x3\nOFNua3VHdHZ5RklybTNaV0lxdEFWUm5TSXprCmpMdWRSaWFNWWdCUm51Q0RlMTJj\nUStHdTgzZVZFR0UvcHFCOEVmaVZiaUkKLS0tIDhoYldvdjVDcDlOUm1NRk9Celoy\nQlkwN2JHRzlpZTRBRmZ2cTUzVlI2Q0EKE584Lc/9WhP54Qcn9QHweKX7OJc+EkdY\ncFunUkMZbamRyFnISJDcI76B0exJaA4kEUv3XQzW2YHhfL/sdsmndQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOU2NzcFlrdnZPbDZiOHRs\nN1lmcmdDOVhGaSs2Y05GcnpkajI2a0JvTEVNClp6dDFuOXVGZVl2NnVicWRRaUpn\ndnM0c1FHanJvaWR5Y1E0QmNGMGJBQTAKLS0tIG1MaXlZTzd0bW5aRTV5d2NyUkNh\nczBhQVI3cjBoMlpsNlg3VXVJSWthYU0Kcco8nmBuBO7G05Pepe1EfznQ6/qIXjdM\nthm+90r1LRNec6rUqPH+3B8jJiw4EUz2L+IzBREHqqCdr6QDH+cwZQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1fgzf77gyah4efemnrqg4e7j0vk8fpq0uzrucepmdpsd5z7l4lgpsfq54df", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyQnJWMVp6NGNJc21ibGcw\nejVhaWx4cDFremY2M2V4ak5MZUJ2TEowcVJBCnZ6eGFrTzd4dTIxRUExcWVVZ0lu\nTDRodnl2cDFsRzNTTmRzekdxUEpZTWcKLS0tIEVjNWJSdEdINUUyajR2MTRZOHQ5\nWG5wanNhWVhPbTZrR2Ftb3BxdHNyNzgKbhSTOqWwNH7l4Uttv9n2dJSqDKtxShj3\nswqtKnfOB2pxu/Md7o8LEi/p1G5pe4VlloUNUYRxBaJSFI4ARoC77w==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-07-31T12:09:59Z", "mac": "ENC[AES256_GCM,data:EdssbCd38+X5Sr/qPSewtFgGyT0WFvR+0/ZkzpKGtj/7yS/Q9w0BoyZXbwuMF4R+n2aJ+NTmxPjCz9Ald0ENnXKXJcEHlKtTf9z2h+ft6rrFsBVBlrp3KfHY16EwcfBprvbbCkU6Bvxv5UGFGfJsw5l3jpL45LQQ7z528HiQz6c=,iv:02k7g9Fck1XFBor/TAHZGpgIiH2zPRDHsdRt4rjApeU=,tag:uJJ4J6znugGBQtARL6vwRg==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.2" } } ================================================ FILE: non-critical-infra/secrets/queue-runner-server.key.staging-hydra ================================================ { "data": 
"ENC[AES256_GCM,data:forqylxAxHHWDqqTG8nxgqnbuyCTtRiEZ+0VA6qYRhlRY7KAYmTM4GK3wDa8dZPBi0e+LXG5aaigyc9FFsl7hHKdtQo84OPHyJOSCZyBYjMg9qlBsy/USqxftzfMjMAxVk/ibAi5LDrNl9Jh/7w74BBtbdF3qiE=,iv:5YbKjIdd+EfVpMGzTzP0VDy0Wev22bRc9IO5e3StpA4=,tag:/jsQItUIschI6B0rs7dwQg==,type:str]", "sops": { "age": [ { "recipient": "age1zxcssfw5j6dwvcw25tmxs79lq40xk70h2s234hen8pkpte2qe30q9e7cy8", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBS0pOSEE3MUpVbEY2cEVa\nV200UG4xSjVJNmpCbVd6clBoK0dGVFlpZkg4CjJZRXV6YnJub0RlWjZtbUFwbEo0\nbUFuMlhjM1ZoLzZRV0JTQzIvWUJHT0kKLS0tIFNCTnFxQVF5Ky9IOHFYeDRrM1F3\nbWQyZCtIbnMySnQ4M0M1cVFpaVJJNmcK6sszqfYP3gGr7xEQUXqi+8sjowkRFmN1\nB5LBdjUwwE8BAQCoGn8rFV9msQyixxOyotAfY59VzzUvU7BB/f7f6w==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBURHJNalpQbW9Oa2tjdjVO\nZFRpc25RZlcrdEhGSkNwTDRUVjNzTzJWSTNFCmpzcWUxMXJGZnZrODMwVTI4a1ZB\neldVbHFYNFNKeStzQTg4Nmh6ZjV3a2cKLS0tIGdQU3J4a2c5L1dqUzZ6RkFKVGZh\naWpJN0J1dUNVWnFQRm93UFB5UWN0SE0Khf1USIw8KJ64xCpvIxQ6+aU0INYz4O3i\n1ABBcYp9yQv8jLS8JBXcVV+I29e9g7ZmE7jdVOCAtS/mbtn+jwhL/A==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmOVVJSDZVdWpJYWJVbkxs\nVEZuS2NwYlowQ2UvUGN4dmx0eEpPZVdoRGtjCkt4V0wyRE9OQmhGY3YvTFZLeDA4\neWZicjVhR3RzUWtPUlBjY3RKYkVxTVUKLS0tIEdjTkxXK3JpZCtmM3ZvRElQWWVz\nTHNnZ2FiTlh3eHVOOWlPOWtXVmZ1enMKIjC9mYrzV9sFnQW5ApRTv/Gd/gugDEqo\nPKQ+4AtL9EgVZ9ZY25CbUHLnxqiBK1eWCBcz1R3SUIWf+/ypt1rMMg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyVlZuTHdpcDRqb3RSWTN6\nSzJwUlBkWnlCYjB6OU4yWUV2WmFiTWw4RjBJCnBQbUNMbUVENklYcGJoRzRiZGlO\nNGhTZmhmUFoxNjlmVEM4RnZ5bGpTN2sKLS0tIDFNUWp4OHpJN0RkOWpDN2QzTGMx\nUUhkNWNETUNrWGJYNS9wRk1UdVd5K1UKIT9Jihb1hrWfzWWGUIspSp7oKlmM0G4+\nbLgoYb1ZLSoC4i0lzd2/XhN08JXicBy/pq1VFEsgUm7+fSAy0x+Qxw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0ZkU4eGFGR1FlNklZS2ox\nWTBiNnR2NTJBQXRpQ0tzMlJRNERIYkdUS0N3CkRjYUNMMlk4bWxDM0pWMmxjU2ts\ndytYb1dIVUJFeHJvVGFoQVRNbXc5VE0KLS0tIDdMdTFValBHMG5TNnArN2xFZG91\nS0ZvWGVzNkM3V1dGVm14MGpkN2tKWEkKLqjCQZL2/+WDIGFxB3EdwuQVInfUzYpd\nlt6PlV8EGp2kkkavwdtfx4yg1qx86TDw1zGCCYJHu778Dz7djhSvBg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxdzQ3MC95d2tCSWl2eXlw\nSzhndDRnWEI3OE8rN1hWblI3NXFGS2JJeHg0CkFVWUIxR3JHTVVYSkkrSHJNaXpX\nZlE4MTNiVTYxMmJIWEg2K212V1pqZHcKLS0tIHpNWUJSQk5GbFplTzB6a09tTW55\nS0RBRFV3WU9OcmJKM0l3dUhyRkpmcEEKKC4u5QaWk+gx5fEgW2MKlUl63UkWfRJX\nWOexmG8MJABZOngU6zZQbXXHPZkgBTwLbub3yO+C5bTMWHKEBq1+mQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1fgzf77gyah4efemnrqg4e7j0vk8fpq0uzrucepmdpsd5z7l4lgpsfq54df", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBTjEwYmg0MkhHRUFJNnF1\nM0N1bm1QV21xZmVrM2UzWTNKYy9FaWcxMVdBCkl5TzFPOTl6SlNqTmpFNEp3TnRL\nc1FsYzhHUy9EK1RMeTBIYWxQVDB6K1kKLS0tIDI1VWxQSDljODhjL2ZxNkJqRFkz\nc0JlZWFhVWhOb3FuNnk3cXBGb0JacGsK/OqKk1+PHIKi2dozYjJDOeUcQF1/U4QJ\nIz5FhKY5fL5LzusQNgJUUJH7x2flB7RIvhAzstBUfI/pRrQPxSAC0w==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-07-31T12:10:09Z", "mac": 
"ENC[AES256_GCM,data:QRLZ7S6CoHaYQ+m0npUo2ISRkke4JvYe/cN5nBM7ngIdKQ+yyLK1d8ucG3YwB6HaVZXDM4F0BAKkwl3VXTDujKk24BQhb4G50EL91UTcaQQ4kIOdaSVh17/D6cXV1Han8hSrxrsXQ9vvyR9EmCVbjZMIP+TyyTbdAkFfHDch2Fk=,iv:Wm7rVVZRUjUeb/SU2GF5TnOcNawf8rsndlReEUtrGeg=,tag:PsL1RufQyx+7wayK0IOSlg==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.2" } } ================================================ FILE: non-critical-infra/secrets/ra33it0-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:opUFn6E5u6E7tqqsHp5tb6s=,iv:KtLuT2eClZRii+RDWGU/LyanhsQp4HALs7MamLUbkao=,tag:RKzUm7KfH5ddVBiCOB0AbQ==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3bDlKbWx3MFBBYkM4OGhR\ndDM4RDIraDNxZVdHRnU1ek5POTUybGRIREJVClJCMUR3NDN4bWVLSXRyR0VIVEFN\nOGlWTHcvOTkxNVJ3a1Y1V3pNTkxPT3cKLS0tIDc0Zm9QZ1E0dXRQNHAzVnRXU0Vo\nUkd6N3lvQU53KzRwUmJPd2M0RldIR2cKggpci+A1nPPLOYH7Pagx9/eWNvv7KPYJ\nDA2YO5yeFOnhl0F9FV5ERt+P6oyl+UUQ07LJW2Xacf/nqokVogKuZQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdDc5OFZWOHd4Z29EL0tP\nTlhCR0w0bG41WXNKSlU2Ni9TUXYzaTFQSlhBCmRRaWZLQTY4WC9vNVlFWWg3bHBs\nT2FiWGxCZ0FVN25VSmMwcS82cGZ6dEkKLS0tIEJqQWhza0FSY2hYSmJzclkvNkF5\nRDBWdjA3K2lPY0R6WTg1SWEwQWY1VWsKF1lFM9OxyJ1Vy/9eoEm1eDepnkaxo4Dx\nfVhSNJjsNsoZ2PX5hIGPHupz+6gEOWYPjQWhTIr6spS7JPM2rzOxVQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkU0FpMmlpbHcyVHRrRzIy\nKzZSWUxEcm1jWnl1a2FXS1NqK1pjK1lpaTBvCnRsTit2aXNzSm1xK0pjNlZxS2px\ndTh0Sk1pb0RzUDhlT3pWZmMxeHU5UXcKLS0tIFJpTlZWZUtUOGNNL0hhckR5bmwx\naEFIYnVlaisxNXA1Mmg1eDN1OE1DSmMKR+aO5zRqL22lEe+DexKjwajaYL0ftaMx\nIOufdQ4vUvx2cetD9wn7cSwNM+uwfGrr3v5rADhfAmZkfnrwxNNIYw==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:13Z", "mac": "ENC[AES256_GCM,data:AVc8Y8l3hYaCUfgm444IV7MJD9BK9NMA0jLtmckMwe1L2yMl6ECc/Hrw7fxj6GvVCmdwzczaFEE5gw07/29zUPqv+uIvxKvIlINI8M09pTS7wjU+1B2mvTvjuI/+7rP83rzpA+su3SzgqUXcnxHmlNtwJlX6AfCF7VYnPu2BDUg=,iv:8AUBBJslDzt/bhORPFgDJPQl7rhSA6m2gSqapyclUG8=,tag:TmBmi0HE/YXYgkm71y5LSA==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/ra33ito-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:aXQxJjHlGPyz6hxtsZmoOlQEec8=,iv:gtkcvcVpqkX2nCyZVhZyhIsWFQtxxu0+H7cNV1wNRSE=,tag:6rcFigiH/+En7fVN7GHJ6w==,type:str]", "sops": { "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiNXJUMHd6NWlKYjY2YnA0\nUWJscjlxTC9PbTU5VzBHSHpwNTIySzdvNlRjClVzRU5SY2lHYW96Y1BYSzBpUlps\nTnE4QTRkQWlkQlpFMjQyYmkreHdhY1EKLS0tIGt0L1A1M3Vkcjg0N2VLYUg1cjha\nMnJ3MytOSWZmeTVTVmJSaU5GMmVUczQKdBPk3f1GHqOxdhnvajWDuOtRb9DDSl4t\nyPG1S8qdBgxW1+M28Zjiz1to8nSIZcdeR9dhvT40aKhIs3Y/4VMqrQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCQU95OFQzcG9MdDQvZXdZ\nYjM3YlJ5dms1ek53QlRDZC9TRFdyR0RVRTBFCnltMGpsd1MvZTluYWNuaXJnaVEv\nUEtrZ210dmQxbGNHd0tIenhjMXh3WVUKLS0tIFpvSEZ0aHQ2ZVRvMGdrbksyYVdw\nYmV1UFl2bklxbEdySnhlOUFKWmVKRFUKN/XTfYf3n4i39NGZAir1NDmG9laeJ8hI\naoZybJPImLpkHjjsa1svKqIJfP03u8gWC9W4Clme5Wfq24P5u/aSEg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQa01lYlVuTm5TWHh0YlpI\nT01JYnI3WXE3NU5mOXpkTXV3M0hMMFlpTGlRCnYwZVppYjRXV0VNNm9GQmtmdCtR\nYzl3WFpiV2Fva1ZlUUtuSW5NMnlWRWMKLS0tIHFZSTRCN2lXQVJhaUFLN1REeXlv\nZGFFOUUxMFFGeUNuSUxaMCtZTW15TlEK/8KcQe/ZCfpdVXUvq8V3NBarT8eNgUIC\n+/oYQq12Z1yTY1jlrf2pQeCPbocKebeJo/7U+hiZPmd4Y+262Ym+sg==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-05-30T14:12:29Z", "mac": "ENC[AES256_GCM,data:edUl5tqglGjt/Ys05ArT58byNKOkmr15GQDrQumr+n0N5v3BZeqVBSD+OC4UwZk69jQy0FKglZitg4jcX8fJY2n5zTmA7wVk5chveKekn+pHSd+5B5Nd1r0+f+V017N9RqzJMzlKd+dKvarcHeXz1TBwVGDmL6SdO4zH00wTUXM=,iv:HSG2ulMNV9iuewEsJ3SV5ASKgYh/85gBnSU7/qBEDFU=,tag:xZOT3ex21csZDcGbYCPOrQ==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.2" } } ================================================ FILE: non-critical-infra/secrets/ral-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:PZfHNe6AmAjoYCoXdarcDMm3yusCRYrVWTDIDg==,iv:9aXh9tDKDVi4kNhBGpZZ/bPhxkWl6qbG2Zvs2v+hWWM=,tag:ENV9I3tHYld4cCAg5TpRAw==,type:str]", "sops": { "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnL3FDWVNaNSt2OHNjODJE\nb1liSjJnRmIrcGE4azU3Yk5EL21qYXVSNGd3ClNtb3BXQisveUVXbXgzVW9wZzdx\nOTlvRzRWZGdraHFFYlk5RnBWSGdlY1EKLS0tIGhBZEtTbVdYRWgzVVNIVjdMRTQ0\nUzBRc0NCcW9xNWJETXFNTFUzMEV0TTAKZq3GGrdiVlvL+YQ/mZnnTdi86wLM8eX4\npgo93OVS6dn9/rMyvIt1cCtQhSOpZpUUwIk21LksNXwAVUUP8rRGPg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOejQ4T0lsOW5McWJhV1N4\nUytYOVBPbkIvSXNyZUNIU3ErL3FRYzNtSEVJCmVORk9nT1VSQXh2MWJlWlp3VHlv\nNDI0b1RDUjl6cklMZTJCUS9BUE1DcjQKLS0tIHJVNGwxbDJJRm13RXdHWWdrNGt6\nN3VxM0ZhRU1jZ1psalpNZXJNdmcxcVUKHNLade9JgL6Fs/XWvmD4keKj7zQPBNXI\n3Y7iP/NddtKZuDzFknns4kaDEsnSAeiLYdz4Du8NLyQHrI5vs+Iqtw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhN0hvUUoxWVQxL1NSemo5\nZjdqaTZ1c2xNQTJ1WVd6MVRYWkhmWlY1MGtrCkllM2R6TGtVeEtkY3lPY01RNHJn\nRm1kdGE0ODdSbmRObnNpakI2U2NlalUKLS0tIDBRdjhoRmkzLzB3MmpIbElrZ3hB\nVURFaVdjZk1RejkwVndQTUVXOEo4Rm8KYl4knjBOwaQwYrow5OMiyMhGIl3UXLs6\nWfTdZO3lgiNLIMINC+9RRqxfFp+LdEULZr2SugptiPt0aPiGNw8KSA==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-06-06T17:32:08Z", "mac": "ENC[AES256_GCM,data:33h+jFsD63OG2Zi+ApUPaLKZXGuIX5yCpd5AGPxgh/C5L+TT0SABH4g2FcdvVR5LOJjxm2f63cH1wznnK8EVkYtDHQyRtEKHStTu5rlmBJudA74r8eaqv2FC+TnfypqRQrRtY+OTrVq4bE9cmuEh78ZwR4pCZHLD4vsRmerTVKM=,iv:H2UqED5k35l1xFLCvdH6ATnTZOLGZnUmVfecnI2lGY0=,tag:lHi2AZAQAI2Dn1Ouh/IZPA==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.2" } } ================================================ FILE: non-critical-infra/secrets/rbvermaa-email-address.umbriel ================================================ { "data": 
"ENC[AES256_GCM,data:n4ESZDFSyxX6BcGZgxqe5FMyBTc8GAk8lef1,iv:+YIWHaElfL1LzEbIW41VPHm5ezI0CtkrpguKEN9r95o=,tag:I3XzG/R4aF99468AXSDwVA==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0cHBZblZoQXFwYXV2eVN4\nMHZEemd4NUxFRVJlOGwraFd2RmlXMG1wbFJ3Ck1yZ3hMd0N1UG1vQVRLOENJTVZ1\nVElqUi8zS2U4UFhNODk1bjduMGFpZ1kKLS0tIExCS1U5blhNZ2N2NTNMSHdKNUdo\nR2NQTDZsY1ZSOERtOFN0VTFHWk9ybEkKZSjnPzcU+AT/ok5CPlAt2i633ditZivw\nMFaMmX7MnKbxQ8cc9n+PzykhRi1rkK13MSE+7EHURHGiKF7Mhi+FuA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWeUhPTTZKVVQ0aWxmUUF6\nZFRzMGFpUWx1UzZZNllyeHFsdkhtVEd3SERVCnBCd0tWbzI1MkdmZjcxaFhEZXAw\nVWlHL3Bza2NyZjdad2dmTldYdVNNMWsKLS0tIFAxMVl2a0N2RTJmbS9DV01DckVK\nSldCT1dHMEtBMDRWNW5KaFBaaWZnWW8KyhH9q+BYjeXB92PTNF7Z9XnVzfZeZj08\n3UlUKDaJqNF8HDV1h1BidSwkff/CQZak3/TChRyGnMchC+reejT6fg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKUFdudEhYTVEvd1lHVTht\nMWtCbGFCZGtBaVhyRG1pMTRIN1NMUEVoeFVVCnFEU2xrdkNzRkJRWGduV29XUW5i\nWHN3VzFHbHdNSTRMc3dLL3Y1VTlQVjgKLS0tIE1xYStVdHZXbGZWMWU2Y3Y2QWFo\nc0lOSlNmVi9qKzIzZUFFVnA4TXVHNlkKCcrrJRcQ3DN2uNe3eonpJDAcO/lT86yk\ncffD/NPtB6HdyIFNV8a4kSHpuVx8ew9/Bssh2GDT5QBdIqs2y+hpmg==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:21Z", "mac": 
"ENC[AES256_GCM,data:l/1zLRWOiD6hirIJ3etFBgXSTTxvMz5I8RE9TEp18/lLskzpAOXf1azYftXFCvCoz6u/6WSqUIinvGmIFcGGYv3x8ZLnJ7ABDtNGPcTIvr362H+Wq5vd+sr/6OKqNCD5CsYEXx4m2KVUl5qDwSImVZB93Nw64RBukRBgCumWWm8=,iv:II4peq9wUeA7aX71KL7KHVlwsw4OhDdUN39uK9QKWpA=,tag:Q9L1VNwf5yYsfQHonK9tSg==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/refroni-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:3G/sSkcB8glDRc+ZyXOC,iv:aRKD0w7CIs7JfdjPQ8vLKSgmFmwUNWjwBvSYSbZsnhI=,tag:QLiHiRukS7Y5VdCNwmB3gQ==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNcFlHYU9nU3RkNSt3ckhU\na0NGT2E3QnV2L3FaeEIySXNzajdyY2M5UXhFCmJheGZUbENPV3F5Q2lrOHVYbFRD\nTVphTmlsa2NBekZGUUZQNXhwOWxNOUUKLS0tIEVyTmd1amlOM1hrNDFLc1RHKzVH\nS25PVG94S0oxOUkzQmlrVk9EcmF3NmsKWnp3FVHN/xV9zs4Ip/k7ZJFsitC9W3vL\nVi8QUcdSkAWeezZvdUYVg/U858KuLSUOq/tVw2l4f4kb9Z8KhFPVcQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxTkdPTURGR0dQU1RraVRR\naU16NHdvbnk3STMvNHBGRXBsVUluRDhsVTF3CjdDS041SmpoeGlKT3loVkN3aTk3\nRTNjcEhqeTM4Zm01OCthelFRUU5DNmMKLS0tIDAyYk1PbXQwZUpWQXpwWlJmZG5P\ncU9seEQ4T2g3VTRhalFKcFJlTTNLOU0KZp3aRIiFi8E48fyRecX0kpng/Ct2oQoU\noqnCHIG9Ad3UMSfcSvh/vy84I3+Ru8fTcKXSOpOLe2qSwjqA7VQweA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnNmpQSkh2OVo5QXR2Mkow\nVjNVeHhoTHNQVHRObGtmU3JXdEtJNVRPUlMwCmZSS0ZpVUpFamhnN0ZJTHdqYUgz\nYUdIZnV3N2ZWUUtKb3I2YVBDQjVpVlkKLS0tIGxDL1B4RVpBMlhqQUZNSWVVQlNB\nUnExYmpFTmR4T21MWEhjVDA0dkpHSEUKnMGqCRyghepYNGIz0ChFgp9ctkvTmBFX\nrolI+X12gguePHA4smuhXXn4qa0KuVkEEP0Uu9DdCAzJJ8CWgi2g0A==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:21Z", "mac": "ENC[AES256_GCM,data:C1NGCV2Le1GkvnKNmM/6t5yDmMLyPa2nnoNhtScwb9rlzaQxjtWPSsJRRTMLgGgh/XTIhKjNO8+5PefLzQWfEqBZA0s1Y8n/0Qm1D4n18OXEajgYxPWOWpCTjR8aZfLTn6hXA+gx6IirCyYrfj05UspXcoo2mk06U4XTss669+0=,iv:kKhjEXpgdvTjSM8pfYkGhkWm3JtJOokMUvORqGLTb/o=,tag:SxuoieruxNkpqvcebrW9vw==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/refroni-nixcon-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:jFJNBd+T4CFxN6N4,iv:jzoyiMOmkN50O0Pj+J5U50nCY9zO72/AyZCAiA/vnKM=,tag:UVSK+zWYIgkVxpIxIQTP0Q==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJMHVNNWwyZGx5aUQwNzhH\nWG15TlBLelFBcGlEWmF2ay9IaHFWNDRLL1VrCmRxbkNNSkxMN1M0MVNwaTRzc1ND\naVg5czJQakJmU2NXd0o1a2RId1pLRFkKLS0tIGxaWUJ3RXJjSzJKcHk1bzN2UnZq\nT3RZckF4ZHB0UFNCUWxvdi9DMVU3VjAKePztDIswMCRgwWDVlNVlBXf1QnZtUmVo\nOQP6TQ2b71vshmupe991xoiVYh0p3XxlcVrSzlHL1cxpzOCVVrZbtw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaDdyVGJrcnJjY0cxbHEv\ndVVOWll3WitNTVYzcWVURitiY3hrYS9oekZBClNDdlpyUG0xR1Z2aUViaCtQS0Ns\nbmRYTEc3ZjVadWVKdGpxVllXdjNNOEkKLS0tIFVodkpVQlRvWEI2dHYzYThFSGhH\nU0JNRm12VHZidTRQZFd5ZitVaXZBdDAKaF7XODevO7DPL9gWb0dTwEvLbe2Cr22r\nmfnjQAPKh8WX6fX6W1i2KksF2iU9Ny5Z1i6K7bTkIPWRBRMBjYTxEw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIcVQzWk5ucms1Q21WREJP\ncjBPcHdSVXlUMnErWHpNS2tMZWlmSDJtRXdjCnFFUkxtTTErb3RvcGtCTEtxQmZj\nVk4vS2J2M2dBYVpPMnZUMnMxOTI0NFUKLS0tIE1LSlNLeUdCRjRuUGVFSXUyQmZK\nWkJoOHo5bDg4cXJnTldZa0pVdkwzOGcKudKXzT6UD5/5eILbV3XBXgiTL4giNQJg\nKiFbcyW42IjXgGpIHYW2TGmM6kBa3aIYp+9FsavJvQoGxshxpy65Dg==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:13Z", "mac": "ENC[AES256_GCM,data:7Ul5t22GJMfOpZ/94QfLK+Kl/qd1EyDUDXUi2IsGpvGUTxfTP/It8lzTKF0STfzVT8JmGcm8WCy2a8i5kB+E1+gFWk6RShe3Q+IIW62UN5PxVcKQZEMThydbQG+R2JJmuQGmwZw93dFz1WWgUTY47EpXw4imIwNgk20B2S3pd3I=,iv:AMvByk17M5eGqVlS15GsmpIW/5Cx4s3Q3F7NEKsItys=,tag:PHHn6RcDD98tx0sOVK4JDw==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/risicle-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:7fe9HOXmQMbKZvq0OuNEDiwX+YHgpw==,iv:S7dcT4b9ffl7wVZ+P8Pi7E2XX1gLqo8//DhiNweUFCY=,tag:kIK6xbo2uiGcLPedC5S/2g==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4YXhFWFo2cndkQXVsa083\nNlg3aEhOWXdERlVHdElRTUpGck5QVDNPUlU4CnF5SDFaZFhPa0o1ektkb0lVT3o3\nWFlleGY4WmZXZlpWWjcwdUhsQjh4OVUKLS0tIDZCekhOOGU5VGdDdzA0S3lhbzJN\nZ2tPWUJOV1dYK2VxQjdTQW5nM1NkR0UKWA3fPHXjPG0hc/ZQnhX9HZLEF1iP3xJ9\n+7uISRPlwy65nSch4hngfu41xdTAPLhkjJJUlcS5AE4Rp/dDc9eNkQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiREpoSHJyVE8ySjdIZlU4\nRjZWcTRFbnltaXpZU0V5N3VTSGlVYXdNc1J3CngwTlRZM1pUWExITnJ3NFZoeHBM\nUzVQSDNRakhicVJLUmcvNG93WW9DeDQKLS0tIDVNbTMxM0JYeGxkbjZjUTh4QkRo\ndWIwV3ozNmZGRVRMSTlzYVYrNmFCd2sKCWNELX+V6rhLKI5QRo713bq0QQBKtEwK\nl1Yr/N8tsT8LFyR38dXAee3Bi2WVFNGVOxtQvUeQwqQRlnPuCL/oUA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNamJHRGF2VlplcXk0M0Nv\nbiszVUJtcE5iazZpNklubUF0TGxCNDJ3WkJJCm41OEVyOFMvK0JGbW4vVUpOZDU2\nYnN1UHVDMWlQRUsvMjZFSDdRQkZBazQKLS0tIEpKb2R6TnpNSExLQjJCQzY1Yjds\nK3A4TU9GZXJsRVhKYllHMGQ4OU1VOW8KasD+UNmcjx4ZrPzYpVbetlwTaIbJGni4\n0Fr12kJbt6ZjcHV13UMIr9F9wZaV8aIlTZHfszEVbk02k9sFr5WnvQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:23Z", "mac": "ENC[AES256_GCM,data:VYTsg8ys36szFJGXSM6S7bdbKXPq3bxE0SPBgfXzoQmZN1IJD5Z0foHXqRHfG9A8YvyAMvUVlnFNAtQaUGGNUibY0MFNKFmb8YsI6hXrlQSZFB2JsHqxDD4OyoJUHG0iBTucxJhHfv0HefnvpqttCW5s2VuEMFCLDkqcT00aHJc=,iv:tQSJLFOnWvzXYpxRURYArC2B81FUiX9tJu3GW7DR+FU=,tag:kW9cE8wNiCkGXfCPM+U8Jw==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/roberth-email-address.umbriel ================================================ { "data": 
"ENC[AES256_GCM,data:BKx7sPjvcVJ6yxQCZs4dkSfM9pIxOX4=,iv:M7ImDURQWnmAIUWgc2TWU77R07i6T9ySyhKf4xmrIv8=,tag:6Ev8KHJ/i61YAZ4egUypUw==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhc2JJa1ZmNEhubG5qRDhI\nNWFPd0Ura2xrbDRpSnlOVExQTDduU21kVTJjCmtGeWtER2Y0Z2NlMDZKOXlxRTFD\ndm92cDg3d09ZKzhsREJoblN0Y012TjAKLS0tIDh2amdFS3Y3WE0rNVhIVGUxOG1L\nN1FyQit6RzhUZk0vYkRLamUyNThxZlkKEJdDAjdh627PTMTjBY1qd0xdZRIuS3Fj\nZSj3uhKkGeQmTk4srYjTEd0IjsqdW8YhimGVX71WR7Yq9mQPTK3DWg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQY0o2V0FQbUgzaXV2M3V0\nTTlhNHA0LzE2TWRJUE1EZTEyR3NoTjVuNmdZClBCUk1zNUdnUEJmZGN5L2RPYXRG\nN2dBRE9UcW1mQmtRc2xuWnhPN0xpOEkKLS0tIEhNSHRpZG1VandmOG11VW8rcVI0\ndG9KNzg3NlJmWGhrYTA0ME4vazBxak0KnRGxMy9fLba0qamlS3dFObUkFmZx0eLp\nM9o8aVkBBpcqELG6X/Fy7WFLPc0ZV4jJ80wBZmiCcWLhhqjs+/ZqRQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3a2R0NVlIYmJ5QnlON0hB\nMXlibG1XWnRKRmRTNG12SDAxR3VQRy9UTG5JCjZ2NWhZNGFjRC9rNi9lNkYxcFJt\nNEg1NlNBemN0eWd5REpCMVE5MjB6eWMKLS0tIEtOQzlPWjZDL2dVU3htTzRJNkU0\nT0NCR1FlZ04yYW50NGNyUkdRTjFpTncKTjhufMAUSSXre7/6fBRmLR5VE67iDazd\nG/tTgikrm8XT6cpp6ujsv7Odm/sxMOUM9ceaYaNarJyYG7qfa21dlA==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:26Z", "mac": 
"ENC[AES256_GCM,data:ZulvYVb+MDCHnV65GS/cO+3hh65I05DFJpctsiVw1+oNk6sdK5zJ7N0vN4h2zcJXsWq2DDC+YItxiMuXKwZBCasbbs+KbRmO1fwyfXOjbTPbJzP2FlvZzYfA3MeS7DTJH+egVCH3OL0Kuui40jxlSY1BAvqi5YNMtE2VOmNQsaI=,iv:0gIl0i0zY1lrIFvHsQ/P6HdkHWnbUQETiNcX8x7ASDo=,tag:706cPF842rHxBg8m8f+hOA==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/rosscomputerguy-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:GazKVNo0LeiIQFVDtg41ZcqRDFbRA8xyij6Kj60N,iv:9e3TyrpTJxpbFghnhyNthycdU6BF1FtdYvrSMM8ky+E=,tag:kKYwly/7Jz7MO5b3gOrhoA==,type:str]", "sops": { "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuTWlvbktLL2dRWjRWcWU3\nWTBuRHR0bHBOZ2FRcy95U3VOWGdNSkpmOHpVCmE1c2pyaXFYeGxxemFaRHI0WERk\nTTQxaVpVMjJiWllLYWtWZXhKclJHSGMKLS0tIDFvWmdNQkU2bUNKMlFQeHRndFRk\ncUlSaW1WRHZFZ0QyOTN3NkRUSjhYencK/QM+MTTOLbMZHyW1HACPMv3X1FtzOc6g\nQSgN00BTrU3fvYRGXpH2Qd6MPVEpaYFU3+C1rD9fzL/cXLKFP/d4PQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1aXlkM1A2dDVTZEV2YjJw\nTFdzWWdwSFFpN3o4Sk5COTh1Qm9RQnFvR1FVCjNySk1ZcHJmQ01SNFg0anRhUzAr\nTTlmVXF4bWxiU2tWS0cyZVlzdHh3NmMKLS0tIHJ1c0ZkeG1PT3dKb0dYaE9wUjhQ\nL1VId0hLSG8zaUF3anAvTkpmZFpZQlEKqts7ZK9+93BarS5LV/eyQ08qzMWVsAUw\n02REN/UFKwF73EYp7xCoKAnO06awB5X9njX5EjzfRyF+suiXQAXKkQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSNm5jQWhnMkM1ZHY3RDhT\nT2IyTkRQREtVVFNSUUk4SXY5KzVtZnpBWENrClJzeXZEU2FzN2VxTWhVOUtLUkpJ\nbDBBQzVIVjJnUTNpZU9nOHB5OW0xT3MKLS0tIGcwbG9nbTIwWExXUUxjVUVMZG1P\nRkM4SnBiNnkyRGNyQnQ4QzhnSmt4RUUKHQv5QVwOxNzFbL8rQh9i22yqF1T7CKEN\nCSsOTdO/5Iw6G9JKs1bnNJRYtT6CW2hrFQ3oGwofjLKko+4z0GQLbQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-05-30T15:22:20Z", "mac": "ENC[AES256_GCM,data:S+xQqRk+lrhyxCemO/AAT3yTSzzhlRA1WQbq7Dy0YaCjGAUcx0tRUuLXq8uhAyCs+rW7skcbP4sgqRc6agunEowSaVNGxp7PeQiT7D6Wy2zFwnPbbbzwJ1mv20Z/cFgwdiR00vsAP8/Bn6uEFOZ0PQryBfZ6CxxePBzqIvFlwVk=,iv:U1Tatbb+56+df+omnIdCYl4oPXAYBIsCG8pEXwND3uM=,tag:Z2/Q+VMLZlSdwbkuK4nAXg==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.2" } } ================================================ FILE: non-critical-infra/secrets/securitytracker-noreply-email-login.umbriel ================================================ { "data": "ENC[AES256_GCM,data:OP19/y+JFoVll1jUX+KFYUoFSUVDvBrlu49j7TT0y/++c32Slkn0a9LxIB298NrNERWu6n/wgVG+bcN7IA==,iv:yGnpgTxiqtTIVjFLoWkn4FhC7LsCB9SA3wYbIw9ZpfA=,tag:F12grj5CzJZofLCZqFkafg==,type:str]", "sops": { "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQcmRuWHNLNm1iQWJ5R0FU\nY3o4V1lRM2hvODhycU1GTU0rSXFNajM0ZlFnCmtIbnlsbmM2bkxZYnRBVkVLNVRa\nQWhOTmZubWNyYlRueTV3SUY5Nmo3M1UKLS0tIGdGVndWSWNaMVQramRjTjdOYmF4\nS3ArUGdFU3RYOXo4QmdoeHFmN2trVmMKSJVxIKSKmL2AQf1AcMUO+ppZxpZwQDFb\nIIKUW85aS8FAFX+14ivbodD7oh2UtH9BRCnhVuv1ZamDiq+/huiWVw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpem45bG1IOFovdTJLM2pP\na1BQczY2eWppWVZHRWJZeWJidWpSNjFQSGpzCk9sS2RLVk5wL2dxWkQwT0QzOVlE\nYWYxaVVmYUxsQzhqekwxOGJtckx6UWcKLS0tIG5XZkN1bTlqZmI1UTBDNFk3SDAy\nbXdqcDk1bXdaTnVkVTByR0t6TmJYcW8K2NqioqDn13UuBKrI/tDEnM+zSfipCsMq\nNH9IYKsfYG48kL9yj6WrtMVQNV4P2ZLSc9IBpdZvEaQay4o99EswjA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDZzZmUE9oRmp5VVpOYis5\nSzFTS0s0SVp5WDRDaWJZWmN4dFBMak5HZzM4ClZNYmw2V0tOUEpNRmhzaTBlQy9s\nYjR2bTg3UkhJdEc1TTdteDdNTWIrOEUKLS0tIEdFcEZjNGh0anZoODJreGJGWVNr\ndDIwZWhZTzk4WWsrajArSjFMMmdEdzgKDgWzB4U0qYeYdx4G4M04DPSuqUBj5XCG\nLurSEOpBmjxSVIkUzUVEUYAq3IsLxMiDf5iqLs1/d4TeD7Djg0oi1g==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEY3RsMGk0d2J1SW9neEFa\nS0ZnWVJSM3ZDbTdEYko1VjlSWVJpSks4MWtnCnozSmVjdU95Yk9jNm9EeFpvaUU0\nMW5zUnU0amFtRkhPZEdmcldXWW5JaGMKLS0tIDJyK1B6ZStxdkFTMUJ2OHJncndP\nRU81cG1hOXU2akRITkphSUVxaHdPMG8KtQ0B+bH7YRCO36ocidtGWhqCs36LayDc\nm8xiPLIGSJuYyHpPSkcbQcxOP/wx2yRRloRkV/LjnSt2d7DtBcFddg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvRXRCQmpZS0JrK3RqaENh\nSitqdVZhMlltVFArTFdIL3QxZVEwcTNDQmtnCmZjVk5vQkhYRVdHZmp2TFBRT1R0\nSWY0WWFYVHFoQ21hWStScS9qQkVRRGsKLS0tIFRHU3UyRzVuZGR3NlJnaFlXNDBQ\nTVlVZFhpSFhsYjhnN3o2KzR5OTFBVkEKwkO++MNLjrd8nYXUyWtFnZu4PhDjyLki\n5Tw+XQW9zzHKZTvpFep3TZCMvvMUzCnNTcB7u81fG0fe8kHq78NTww==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-12-18T15:28:21Z", "mac": 
"ENC[AES256_GCM,data:jHBjHm/ow2YuMspsrZd2zjTTovmuHiBkcHj4fwlH+Pchbc3DtoXlSuDxY8HO2b1nio+svYFc0Hn709gbWlZN1GGjO2pDBdddAnrl+Hqhj7prL5hTAcrnlLT4XUR8mNoGC9sVzBt+XHMopti7Dk14BUqkWfXNaFi/NrfS7JB7y60=,iv:6HG5/KdqkzzIttQ/lPoMwV+KuZjmDBVQuy8l0ueMVlQ=,tag:eD9eKdmpIVVx1n9rfB0oew==,type:str]", "version": "3.11.0" } } ================================================ FILE: non-critical-infra/secrets/sigmasquadron-xsa-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:FeeTYcuqHqv4A+rzuRd/pvOnzrjq,iv:tiAzlAYJwD/GsjmwIF+TD/v72riKGIHgaDN6QFKAKb8=,tag:BXEq8GNbJ25gvQZd5sGl5g==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1cFlYR244WkdFdWU0UXh5\nYTRNVGorZStBbjdsYlJ2cnpqOVhWUzVmY0E0ClNLT2J3dTZZdW41Q1NqTzc4WmxY\nME1Db3BocGNyYWtvKzNIcVl6SE5OcUkKLS0tIDFuTm9kM0NRS2lLei9WNmxEblNM\ncU9TM2VDcHRGQlhSZkdlQTdFTElVb0UKKUiqN2TNsJmJHGA49XxLuzorzRq6WWl/\nS1CP3X/xZDZyWLnLEAux7hpwrQDFq4zM2uwPERGsayes5RgGO4OxzA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1U1U2bWRCVlpCQUtYdEds\nTDJ2M1lHaEdLRHZCakNzQ2FSaXIxZHB1VkNJCncxMnhtNU1kMi9SeEJMazFvUVg2\nTXE1UHhCTWxoUXpwRWtwYzQvRGFRYU0KLS0tIDcwdVZya3ozbXk0aU5hWHBjbjc1\nMllGV2syWVRFU2E0ZmxVejlQd0dyY1EKPU61+iPunJIOeEVqAjrGTxnsZQT8iScv\n70VFITXumYrHzC9+3eiXyxMgI+1OTKTCrgV/W25mHCmC6i+OxqB1kw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJcmdSTHhoYklyT0tLTkE2\nL0tiY0g4VkZXNWZWWmlMUG1jQnFTeDF2OEhzClFRa1R6UHJOZ3UwdERDNDdybHNk\naVl3WWhUOHQvUDgzM1QzQTNsbDh2NzAKLS0tIGRjVTBydkFPTjFhSnppWXprQTkx\nU1hCNTRSTTN1c3pCcnhBZTJCM1dhcFEKu2QGK/8dQJuiAdzBLTOfBHyMhtmBUCn8\nl35Sm+24NdIMpKDITDdzFnu5Gese2dWZQTAPBn3dzzmbX3/ozBbv+A==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-04-05T23:07:36Z", "mac": "ENC[AES256_GCM,data:J/p5R51oiqFrNU44h8d/e6nJw+zfmq2gjkLPikxdEc6ZIG3P/l7pq40sdnIjFsEj4fqWPJZxoR0U1i4HRVRx1dYL17laIXgm0NgXTdHu/rfy8IcIom6T2wJYcxpl3Z/W4Wcch0W78huujIFFDeeeT2IZy96tMuAb0LG62DaDI2Y=,iv:69UxnbyCysMljwDWnthRoCGODV12U8T/N0leuJDLFUE=,tag:npfl3GXi1xseduJqGOcdKA==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/signing-key.staging-hydra ================================================ { "data": "ENC[AES256_GCM,data:o+1PzKfNCuqAO8ayS17XToTq1xVj4qaL/ZcovtzaWXwu8PH85qggjalA5hWxM90B3IioJlySgp+Iw9Tzyopjfc+XnFT0T30Jx29PCQkQhi1CHjH3QcJq8rVNMzQIZ39+PHyH2b1RBOh/5pz58+/H7g==,iv:7stmWfbTZ55slCozcag87MdxZEhuJquR0uf8WTE4rOw=,tag:gMTAPLSw3AYn7nrdQX7D0A==,type:str]", "sops": { "age": [ { "recipient": "age1zxcssfw5j6dwvcw25tmxs79lq40xk70h2s234hen8pkpte2qe30q9e7cy8", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQjNIYldTc25ZVUpjRDJV\nekF2dXZaMzI5emdpUjA4cnVlK0FJSkhzVG44Cm1HNzJ1YmM4cWcrVmV3M0pPaXpC\nMUZqOWtDNFNEQWwwTnBzc3UwMWJRR1kKLS0tIEx6MzlrRmRsMndiNW9HT0dBdmF0\nekVDOWJjci95TkRKUVI3b2YwWWM5bEUKWOZNrjqPZVwjNQ53IW0SC/0wSmfwBicc\n9eQ/iq1n2RXV4fB+8FRXGu75STydXN85WRpwKEzFtBlHJxEmSSuprw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeUZENTN4QWxUeGdwL0xu\neWtDMmsyeVROVkJKbWhYc3ZINUJzVUQvTkJRCjJaRmZhUGRpaWVWaHpPNGQzaU5C\naExlVWJlV1BxT1lOM2loNjFnSlVFSDgKLS0tIGZYMGRXQm9RRXpqU1dYZ201Y0lv\nUlhSR0p4T0VuREJ3VFBySmQ3WVJnc3MK8qbBkGQzGMv/Q5oD1M5LjKMrjPLN2BMZ\nr8PaeWygqVUI9PNPJ9eI0RSe7St9u8hJDuZwQaN8832ysGjPwpsM3A==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqUFpvV3JPZ0NiVngzWTFq\nWVZSSkIzZjUxTDZIRVJYckphNGNZZWxob25RCkJFWVU5TGZnc2sxR2txS1loRW1S\nVElHck8xc1g4ZmZHWUt0Ykg2dldBUjQKLS0tIHhRNlNzTWs4U2lPdDR2ejJIQ3Ri\nS1cvWVBYdTM0OW1PSjkrZEhrYXNZNDgK4Zz/uHXMm7554nakLYBmtzQoK8E+eFFC\n/mT+rEZiX+MZW3nE8PDhXAa1YUAo7y/icD7XQf5GnXW4C7T1paYVyQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5YmVKNDBsendmV0cwOUly\nQXNldGdvcXBqQU9Ic3pPV1hCWmY5d0hqSW1nCk1qTVdEdjZ0cEgrdW4yRmtYYnlH\ndGFURms3djZzOXZ2OWdPV0JObGViRnMKLS0tIE9SZnRnRGFMaXZYUmRJY3o3cEtm\nV002c0h6UHpYdXZQYkh4R0E0MDU2a0kKv2m8fsHpsRxSzXG+PpnPRivU1obzdN2E\nDZukxQX7jkjPcE4Q0WucPsHkLdqo55zWmbvvOhgdZka/4DUNbb7O1Q==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmNURmdWhRYmhKVnR0bWx1\nbURvMjNicVpXTjNjamU4b0ZPQXNUMWl0UURnCmxGbnhBY3hJMUkvUUVqVlB3TFNk\nTE42TC8vcnE4RU9xOVkxTFJyaWprblUKLS0tIElHT0tUOTlKbmxOM2xkL1Z0OVhJ\nZzNYeWNTbnZmWEtuMUwwY0sxZ0RHUUkKwVVP8g5r4YHPOxm/72v54srpJ7EE/U4G\nCakniy44a7sTn3m8hmH4FfJuc4x/xbun2vrSYBW2gAPpu2h2Ad1H3A==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAveTZPeVVaWDNUT1F5M2pL\nY0hnRW04NFpiM0VrazVuOWN4UTVXRFRWc0NFCjNpaWwxOFlMc3VKTG1sRE53eUdU\nSDQxOThCYTJmblJUQzFaTkJ5Y01DUGcKLS0tIDRrVkdheTBtclRqN0hvWThQN0xs\ncjVlVGlrT2RaK1VGLzdFOU54NzhZOGMKPPEtsz62T+QiMrtkyShdYNzCXDPbauVx\n/mEfLetx3EAgluZNGUAIQnoxJTHbwX08kR557YcOTAHfHNi9xdDuiw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1fgzf77gyah4efemnrqg4e7j0vk8fpq0uzrucepmdpsd5z7l4lgpsfq54df", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMYW1oZUMyYVVKTUxmUm5L\nNUpIeStsMXE5WVVackNTTXhzRnNYMUQ5Z1UwCjlZWHU3SU9JUy9SZks0dW55VnZS\nNHJhemVkUUlkeTQrOStPalJ4SWErUWcKLS0tIFJDTEJQOVA4dFlJTDdqQWo1dEE3\nWGdrK3hxWjVrZytrQmhlOXJ6UXFNcWsKYt7yy43dw0aJ6Z/jTBKFIkuRcgBLqhLh\nXE3vGENBNs8KcrngQwy+oyyPmZlvY9J8mspoxGZIvIAYK5vX+yeNbw==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-07-10T15:50:01Z", "mac": "ENC[AES256_GCM,data:x4Ze9rBUQus/TvnUsLEKPKoB26zVpdeNAE5AiFX0yYWy+IeFVxmsUxcrkvNMALKoRbM//zYZEbB9jNtf+1napt0J4+vNbOq/I8JjinA/kYdakeRKTlj4Ge5CEQU7Ix2LGM92b7vkyktT5O8aRh4bSTKv+HJDhKuEBgug75gkK9c=,iv:6o0CfZzCvz8pRbSD0rw/U3hCxx2RzTbuP3RncNgcU08=,tag:b8eXcjEhJJo9avwHQ0BZJw==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.2" } } ================================================ FILE: non-critical-infra/secrets/staging-hydra-hostkeys.yaml ================================================ ssh_host_ed25519_key: ENC[AES256_GCM,data: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,iv:UBFtqCUupy10B6OBmjYJA/iWpN9oDrl2GfwyYHsd9NU=,tag:n+naTz5m18k0/6lkTWzMaA==,type:str] ssh_host_ed25519_key_pub: ENC[AES256_GCM,data:dG7zyTqjq5FkeIACK5r7wk4SSk7F+Y5r0Wf0DtD7yw1Hes0tW+MY7Ggf+qyflnTood7gQBMzKCEHIjbSNiK5oJk2aLuG/DRqiEowDvjr9jI=,iv:zoSMX/vALQPXEfVr9wCkyuWZNiRY20QmwpdgQ6RcNm0=,tag:1T7yeYFVnz5EVNzX2xqIlw==,type:str] ssh_host_rsa_key: 
ENC[AES256_GCM,data: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,iv:P2cvv5rYpU0Lw/t7vWNFt69BfrqSynq+HIWBPStTDVg=,tag:yLFsFeUuAS4skiyxq6iY6Q==,type:str] ssh_host_rsa_key_pub: ENC[AES256_GCM,data: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,iv:8sTcuMhrL1vYoOtUo0evChQvRibXP13dr+wzmXdYT5Q=,tag:R9BMCVc2Jzlbe/eh99oG9w==,type:str] sops: age: - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz enc: | -----BEGIN AGE ENCRYPTED FILE----- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZd1MvMDRXWEx2RjhIN0kx dkppMkNkcFJINmsxVHRpT2U5c280bkR4REQ0CkwzWjJweUVlVGJ5c29HaU5uaE5y MWtzT3NMR282d0E2UGp4amhTY3pSdmcKLS0tIGYyaCtOSjRTQSt0VHdvVzFOR28z YmV2Ymg0RVdRN1ovMzhZVWdhTXdkRGsKYtfVZ4vLFNDUb5lzzQT19IAEVpn2P8RR /cfxNIQInQltIHb27ViHhvQD7qa00a2Rxk51rsITqY6GuNzzW8H6YA== -----END AGE ENCRYPTED FILE----- - recipient: age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h enc: | -----BEGIN AGE ENCRYPTED FILE----- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYcFJiTUhPbTNnUGRwQ3ht Q2FPeWh3SWR1c1VoNlpuTTBFR3RaNzEwS2k0CkpUT0twZjU4RUpkNU1IREpHMVJk eEZYb1BpTUI4cTRmVVVNakpXV1dVNWsKLS0tIHBCeFY2eVIwdmJPSW81Q1VOTGZF dnF2NDQzbFprVHJvZm9iRTY2VW1aazAKwcJBRgNDLbATp00hEoKAibC3yAOoNGqR 0ZYcCMbUq39iJ6zcWlMSZeC7dSa/njFky9s+NBJhBiUG/QMtMj9I0Q== -----END AGE ENCRYPTED FILE----- - recipient: age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x enc: | -----BEGIN AGE ENCRYPTED FILE----- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxWmo5LzFIbVF6VG4wM0VK eTJIdHZKODNBby9oWWphRVV0NXlYZW5TM0Y0Ck9KdDIxRU5uZXFPbXVQMXBZWC95 S1duY2prOWtZYVZuOW1UT3NTN0lTc1EKLS0tIHF2R0RZbUkzVEdobkFYdVQxMW5o TENSdTNVZFVVaTk5bHF0UFVONThaZVUKu3ljnmnNQPzG4riF/AoxUvLD5WggeuJ4 +l2VpDK3mJ6kgqeGJEReejWbNrK5+8xy4JIpnCLVOz8Xw+aQYIqbDQ== -----END AGE ENCRYPTED FILE----- - recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h enc: | -----BEGIN AGE ENCRYPTED FILE----- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByV25FY2I5NTRFMnRwZlF5 
azVvRVg0K01GL3RsUGlTNW5yTC94SGNJQXpNCjRTaUx5azN2dDVheHVyejM0UldO YWFVWVA2RFNJc2haSlVKWTNWTThwalUKLS0tIExXblhackpzQ2tFVjNaZnQ0b3ZI WnI4RVI4U2VieVk2L0hmTlFVU1JpeEEKWoiPuEqy98Dt8Zfm6x3OFZsDLahKu8lZ wZT6setbTrJvNxse9JHdX+2dFJtuvgSXB6nKJEKtSoZ66VoOSxumoA== -----END AGE ENCRYPTED FILE----- - recipient: age1zxcssfw5j6dwvcw25tmxs79lq40xk70h2s234hen8pkpte2qe30q9e7cy8 enc: | -----BEGIN AGE ENCRYPTED FILE----- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqRitWS1NuZzR4cTVZdWlR WHpKeUM2bDc5QzJWeVp3SFVqZ3dqQzIvU3pnCmpFMHZkZVRabG5DdVFpVWVHOUVO aGtNdS9yVXBNZXNhaXRXSGYvcEMyRmsKLS0tIHpWaGI3RlJ2ejNtZ2ZWODFyTU1i Q2QwYkR5UTM1R1VRb3Bkd25YR0JaN1EKIo8ZYsima/nn/KySKoM5YW4K6tU343gu qMT1NWhA314AA6VKJPqTDI8KcEpXlMYGDUYE3FEDskEtVvrW9TkfZQ== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-07-10T15:57:32Z" mac: ENC[AES256_GCM,data:MaNK5I+LpbEa+Qzb1VDAOnji6Bq0s/h/iUdQVh+DkjJRy6pxDazPfhRBIBcJni15yXP/ZnIiMDAge45On4BnlYCatCz8iq3oPiEZUHjEAIk4gRzR5v/C3obv7zW/bU8+TqlgXARXxvsmufnxhCNGl3OjDp9/JMLbjJS85kkZTPU=,iv:ymHmDCmcwh0PxdrnqhiUBefo6cF7x/hEvHvutT6cUVY=,tag:QOv3c43CEdZwyEay9vRc5g==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 ================================================ FILE: non-critical-infra/secrets/steering-email-login.umbriel ================================================ { "data": "ENC[AES256_GCM,data:6HuH7cd9L5HukedZjqtG01fUZ2T0Y12dL0aA4rrArn0v7wgXRAsckPIy3Eir6lM1+W/I67IzuTr80/EbXw==,iv:Ou9+VW2QDDsbIv++W2I+optMU4sFXLlFrMKI2mp97GI=,tag:9Wv3Ja34Xq96seyJCDYPeQ==,type:str]", "sops": { "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtQmgrUlI0QTFuS2lQTUJ4\nUUNsWWVDaWVqV2tDUnc1WlROZndKM0UxUUNZClcxNFlESzZKL2dXNGhEemsvaUF2\nZkxKMkRhdzcwOFRaaHBJQ0FWUXBHSTQKLS0tIHJJdlFYV3pJbjV1K0xncWRFZHlM\nd29kL01ERzR1U0hNVDNMd0lyRUJ1blEKu5rOOmicxE8mSNOuASU6EsNN/PZt2t6r\nAI0ZopuicQMz0rAt97BfAI/eDChy4LYgQwbSaKCvrMuqtKrMHJn4QQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { 
"recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByVGF4TGFiam1tTXphQ21Z\nTGpZR3lpQUx6QmE1bmp3bU1ycEJWYVhNUlJvCmRrSS90a3U0L3ZNMUJZbW1FUG1M\nY0FPcnJsWWFXOEs3b2RERHp2Vk1sWGsKLS0tIHAvZGwxSUJtNnloMUdwbHhCSE5o\nZldUL2owcmd6R1ZneGwybFJ6YldLQVUKVZt7nX8dv7u8PC104LhNOVpD2ENgfxJD\nKnHM6jYjEiUgiBlI6OkzqGjd3JfBy+ZSq4MCVxy043ioEiuix7tPAw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvL21teExhTWs4ZzNtN2V3\nemlZa0E0VFRSWVVMMWV4RG9NNkcxY1N0MUQ4CmN2a1ovdEROUHh1YnJDdDFuaXN1\nVlVKMExnWTBQQ1lWSXJLaGhhaFRJTWcKLS0tIFZtYW5zVnh0MFpXUWdHYkVIcG40\nK0RPYmJiNUNGREZBbzVBbFN5ZnNaVWsKj1S/JK4U46X+8tStyynKU0RCWVBOpT0H\nOkrYrjR7vGlEtBInwyaGqAiD4kTP8AwQH+l/gIYj9J4xt1XXycbe+g==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxVldVSjZBbjVySG5SWStI\nMUlDY0RWd2dYeTVuZXdKZ2Q3RHBmM2t6SFFvCjBnK28vbzR1NGhldWRYSkpUV0lq\nZ0xpWG9ZcWJLUmUzZVlrOUIwREp5b3cKLS0tIENIRUFHclh4SHJRZU5RN3VoYzJB\nbThuNzZiZEkyazNHR2NlTWh0c25sdEkKdVgajd2/UIiZ3bjD6AdbVwFDryU47E1Y\ni6p/v3ofRZyS8pRBO4sQ4azVne3T8dCAX9QFryKO3/tVVCDn3au8Sg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0a1VzOE5IT004Z1BzK3RH\nM201c24wU09LbEx5dUZ0alRLRGt6c0VZbkFJCm1sOVJMSHpXbWhsay9WbUhsMEhY\nMjJBNU9WNGQyZFpLOFExNGFuS0E0eHcKLS0tIHpCVk01U01tOTBnQ1J2Nml3UmRn\nU1BmYjBtMWhYMkpLUjNtUVlqVGI0OFEKk5hflv7MwXVlrakVxB2HCgKgzG0m61T8\nxdMYn0rOKvRCbgHOFiQYHzdH2arP7m5NmX5Ud5arOB7SsoqVFpRpCw==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-08-15T17:27:12Z", "mac": 
"ENC[AES256_GCM,data:j/erCdDU7QEHuUSQZHEmvtR9FX2ULZqs9RKoJCcEdt7OofhkJz7a9SWJJzlnOWIUSI6DaI47qeseBmspB4hsXtuDjOpDZQdEOt8Kwb9vJl9bJceWeb1nK9LsQifWklbIkEWbw1UOvVQMa+3c8ZBIlsAE/Omdjc3JnK7cL0ue4ls=,iv:TOMSbsfDVzFY0kKVN4YiCA3jBNv+cowrL2XXUtaspKk=,tag:bIKYmakg3MQc6Pk6On50zw==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.2" } } ================================================ FILE: non-critical-infra/secrets/storagebox-ssh-key.caliban ================================================ { "data": "ENC[AES256_GCM,data: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,iv:6vxychlAMRy65WUacdiuSrjmqytK71E5qDgBrUSQvvE=,tag:jqFAPHjjmN5UOWROSWhUkQ==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnTkhLN2YrWi84SW5SanNw\nMWxsdGNPT3kwWnFWUDE2WkQ2Y1VXSXdGbkdNCjBndEExZWEyTmhaQUY1YTdOcm90\naHp3ZjVGRmxCNkN2aUpwMi9jdkJhb00KLS0tIGFNRVhrdWd4M2tITHE4ckc2S214\naW1HTE9sOGVndllSc1JmNFU0dlhTUWMKWWAnfNKuEZAZVm8XLNwsTD8BYIduft/T\niE6iAEImAYAhh6ta3noy4SBRDDULtjrHWWe/cnBANSairr7/mURb5w==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTUU1Ib3pIbFZxaVNQbzdO\neTlidUg3djhSMVYrVnNYWW40WjlZUjFISW1ZCkluQmtCTStUNklFZUd3S2JraXl0\nYUtUYlRBTCtIbFAyS09KK1VSU1RUOEUKLS0tIEVFVGM4azZvMHhHMWl2N0cyMktp\nVkorcFZZQSt4V3k2M2gzM25NRWVjVVkKaqOmksXnveU7Sqa90X9RQtHzBAZCYC5Y\nJXfhmmIb/kNu62gvgErM+uel6ptg7uA4STSy+uD9Hr1C+v+sLOiCAg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1qlwzeg37fwwn2l6fm3quvkn787nn0m89xrjtrhgf9uedtfv2kqlqnec976", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArR0toVUJRclJJUG4yNUE0\nb2YxdHorTnpHT2UrQVhkbkEyc3AvU1JJdlRFCk9xcEltUFlVTllRb0Ivc3c0b1Rp\naGsrQkI5V2NYRndaVDFGYzdqWG9Pc2cKLS0tIFlrWmd4NWlMV2NkRFo4aERyY05t\nbHd6QVg1ZElyRHIrYk1XaHl5VmxERzQKDT+Xsh7CTmSkQnanpFC2XwE1V1FmOHKy\nmPWh5hDQ3MZSK1x4WSsR+e0D1n6Amc20sa8xdrJ8k29qpN/1cm5PQA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6Mm94bk92azhCQjk4NWhH\nNHNnblk1WDkxbzFMRDR3QkVOSjEzcHo4T2h3Cm53eVlmZGNXQVJUQU42SWtxeGZ1\nK1oxdXdYUmhRNTJjM3d4N3lTazJTSGsKLS0tIFh2aitRZlc2ZW44TEY3NnMycHFI\nWU5TTEFIMFBuaktnWHNOSzlINjlBbGMKXmeO3Uinr4BElDXUJ7wI6Ac7ZF6lTWxQ\nHb5byJRcd0pki/o/SZNV668eENUWKTRp7/PrY6p11cAHbrG0WmDggg==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2024-01-29T14:55:03Z", "mac": "ENC[AES256_GCM,data:qU7d9PVk0MYn94O6r+7dJmtvzezW3Acj31hCErf/9qiqXHtsOPlX9ubzSXWTrctVtSmty6IUUjLzPTz1a/vppTKCupaeEhHNZlGkBDXE5d/xJKymM5cE9g067xDI6dwXorYZzKK+SAemJtkzTDIpQNxt9R/pyJVXiNDfG7OqEbc=,iv:EwWx1spY/tAgVuLdSjVhq+x7d3gSslAzXFtcEEhGUgo=,tag:l8gwt+wXZY6fFdraZb/sJQ==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.8.1" } } ================================================ FILE: non-critical-infra/secrets/storagebox-ssh-key.umbriel ================================================ { "data": "ENC[AES256_GCM,data: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,iv:jfFUCPTgzdTGV0AmPAqLMtGpGXG2fnfWNadWw9h/ELk=,tag:tNEdNvxOY3JGq158TFj+og==,type:str]", "sops": { "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRazJhYjZlT3ExTGhSTWJM\nUlA0dW8zcjg4QXMwTEtKa3BOS1RTdE02R1ZFCjg2dEk2SFJhd3liV0tIYWRZREFH\nZmd1T2Y5UVpzc1JrNUt4ZFpROE00OG8KLS0tIEdBamllNkIrUm0ybzh3djZWL1NI\nZGRvWmNsQW02dENmMmVKVzVQNTl3bzQK4x7OmWlU4jYYEwaERYZm/D9WXYo7BfJi\nKxXPOYiMnU+OVD8Vc1jyR/E1GYmudJIZGnuvhS9SgzeNHcsaRaW4Pg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvMldDTnI2QTZ4YWs1dlY0\nMTJnSlBjUGNIMllzelhkZmlMZnc1V1k3N3k4Cm5qeUExdFQ5WDFYYVBRY3ZwcjBi\nV3JwT0Z3SjVheDFicWk5VXpmV0F2bGsKLS0tIHRxSndYZ0YxWDdGczBwKzMzQ1pU\nWWxYZDNwQ0ZNZ0hRa1FWY21LdWxuejAKXrmbpP+Kkud7QH/tre7909mtAkI1hR/b\nzdHIim18Qx3eETs2rk3qic0p9jPTWW9XWaN623NBjpwezpXOFK1B2A==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvTXQ3N0hPWE1BckdVWmN0\nd3V0a2JBZTdCMXdwbDlYZnc1OVZ2c1VkeUZJCjVrVU5kWUEvU3FWQ0hjMThQVTM3\nVE15Q0FPdWhhSUVVa3MxU05OTFlaZm8KLS0tIENnekZKSm0weEhqK01IQ2dRY2Vm\nNXFLbUxrREs1WGZ0L3VSSnExNEh5aFkKQLhS7k/3LoJhcUucaVwrn4lhTYKcRdM2\nw1nQOvn7YhLY1km2ycazgQVWMq2+/fz4YQJmSKmiUuRblIv7f/w6Nw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHUTA2ZjNXK2RacTU3d05Q\nb1NuRXNWMTBZd3FaWUlHNTE1d1Y4YzJnS2hJCjQ1K0ZMTVhoYVFlYU12YVliTG0w\ncXdzM3lVWklSZlp2RStIZU10SUJsbHcKLS0tIFZaSHFHc1FBanlKa3FvbTk3cFNN\nVTMzYlpsR2l1YTB6QThuaFZFUFVPMDgKvVHujnT/NnkHd81DRP7ZQjFpsvZPtDUm\nI2xzyRM8WleLIE7prYvRSo2+KKepep3GS4UnIQD5mEeX+scPCZW6Xw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoZmtldmJwZDVjVEdkOWdq\nTUFaKzBDR0lURnM1am5qMDFnYXNoU2FLYTBBCk90aUlPem9Ra2VYWVVUelQ5THd0\nWjRKUzQ2NXpmMng1Sm92YzlQVzV0bjgKLS0tIHZrRVZROFltVEVjVWJHT2M4S2p5\nYnVBbGM3OS81U1o2UnN1MmxaRzFaSE0KAljGmWJR/KG4HcDSMmtEWEUpebvC0+vI\nk288ScTJ/zZqZ3IztpInPmHYdzqVJxnp9OnHxvb/ShCvVgRKOUoXkA==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-09-18T18:58:36Z", "mac": "ENC[AES256_GCM,data:M9jAOuPxEL3X+WIUeZoXuDXIFF+ftkNg6FN2u+HhEV+dbOVR1WFsYe7zxIvjvPq2GwGpzj1lKwZ6pJjmafta9dIMemHhkDdUqHZSexpUqx0p6ML9XUJEzcC8euu88wGlq2gxfj24QXAkhd+mHBRqJxdJKIRYDZCSll0DtrvDSSM=,iv:DbhKGx5MU3R7SmIrGEo+/fg8F2sjWI+kk0bShsyH2TQ=,tag:2VQA7/OddGGRcROXDGzenQ==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.2" } } ================================================ FILE: non-critical-infra/secrets/test-sender-email-login.umbriel ================================================ { "data": "ENC[AES256_GCM,data:QrqhPVcJL1Q0VttVaPQ0fNuHdYyDXnSRy2EgWm/P1YRjBGLaSviwOCscYCyQw8Q8CqtPyFt2p4ddhpqueQ==,iv:ydnF/JhFy5mNDHdm/GJeS2PoRpQvAgRfFoumhCLNKsg=,tag:3zSqTVXmf2cl4G97lcF8og==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTaTlvMm5iR0RlMHFDMEQw\nU0ZhRUVwOVlXWVhWSnJmNUN6d1lsL1lOUjNBCjNoWFI3L2R2dnFvMm96QzU2cENJ\nY2RoQVcwQkRYOVk1UFNqZTdTV2pCS0kKLS0tIC9EZFZISWFJQWdTSnpzQ2xFYkxq\nS1cveHJuOVE4ZmVsUUEzRGRKYWtYZncKccTmgBe1sdnpMYnTOV4gAUEBg93Blg18\n2gfJl1NUszoOGVnUq0HIVi0PHCFb4imMNhbF6INv0eQG5OPB0ElOig==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5U3RDTnlBWk04RVFLV2xZ\ndU5qWmJiT3lPMW1UK3I1TDljWCs2dldDcFdrCmRDRDM5ZnlrTm1NS05YQU1PUTJS\nNjlWYitnWjgxMzI2YituMzJmK2w0VUkKLS0tIHhPc3lYR1c2TWkzS3NFcms5OGQ1\nMHpZVmFmZ0owYmR1OFB5LzJqZGx5UUUKB2j2Pa25K4rJ0PX961R3KBA3UZyOXPJw\nBtuyuKUo7Ro9oOVaIiezU1Z6ii8CY/WVrEpTRHkHbYSTOAZcLKY/qw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvK2REWTQ0eU9OMHZ2aWZM\nUTVQSFJOMHJrT2dwWSsyd2lsWVprMFFWdlY0ClZHc1dFYmJmY1dVcUJ0R2pKU0F0\nRlViQlZDMnpVQWMwZlg5aFEzS055U2sKLS0tIDhYenRPZkpVOWcrREYvUllrQnI5\nQ0U1a3R5R0dhTHhvYWRLbU5GaXh4UmsKJ23a/61odibLmp7UnbmiSkEwTErMlur2\nP1AZgvI1YZGaRo0211s5ffcV2fvmEuY3HxvIHIhby9HRC4B8wFIVUA==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2024-11-10T00:44:29Z", "mac": "ENC[AES256_GCM,data:VNo6aIkTOxKJFq5xxIo0IJV5bzY+Za9IZP0xuGqSJNj+/TwIV5VTVjMGmQiLB+hPX8ixXcpqAflO9KlWAwxId63dtnPNlGUtOp9ys03zV+QSv0ejmAQrGg4t4FkHxIowT8YLXAw0an0jQU1AdTU4kyoL8jY6Vz2y76FDqw+YRyc=,iv:XEILC5jtuegGkMm3dyMeaZ3RBixB9MWst3ncTENvMDI=,tag:8+FDT7M0MVie+dBGLB0S8A==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.1" } } ================================================ FILE: non-critical-infra/secrets/therealpxc-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:g5501h94jFz34M1mx3QxZ2CXCRrPRg==,iv:cq7/f+RIDwwtWpKWBNBLGR0kWPpl6yRMo7Uq/wOMy2w=,tag:k9U+P6JLijjrBIXDB81rtw==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoUUluT3JIRGRmQ1NhZW40\nOW54Z2E5MWhLeWVFeXkrTVRJMjRJWE45cTBNCmZQMUpQZkF5MDEvY243OUlITFcy\nU1NaZmdxRUk0c0xGUTV1UXlmMTZ6UkUKLS0tIE5LNGxHeTczb2Q4cXdiR28wbnIr\nTkZuWElyZkFsUFkwd0ExNGc0QTF6Q0UKItz54baQWvLEl2TWmAoiKInbQvW1VRjT\nNZfuFHF+GvfsM7SikMK/RW/gl8s1CDvW8XUh9/dDPnTiNW7cQ2WVAw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDK1ZQcjFJUGIzM0dpSE9M\naU5QR0FnQXVJMU1sa0dpZlRqc3c3VEhISlgwCnBYeE04ZUVSQ1hTdVFOSzBvaE8r\nNXd3eUlQUnZzLzFxalZPNjdSWWhkWjAKLS0tIEFmTS9vMW45THFMelJBQm91eUNR\nWkJwdDZ0Mk8zay9Ib3RVV0lHMmNneWsKCnsQZ83M/7Neu/LfXxX9wftpL18gbM26\nzBqMBlzCNtjseTVxPFJfFPEhlN+8yi7xyJHyo4sZYfcbDdtLliAtvQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqVDBmTmRqaHlaNHRRZUpX\nakp0M3E3YWh1ZE9iQ2R6OVdVTTdFN0Y2RVRJCk8wQnBTL3IvS3QvbkxuODc5R3VJ\nOEJUQlI4UkNuWjlBNXNkYTRlVE9TcW8KLS0tIElZZ0lzd2IxOCtuM2Nla2MxeitT\ncEllUmsvM3JyWnFIVzJoZHY0dHVTRm8Kw2RSXeiU7qVS3cAeuC7GHhXG2REbCdgn\nrKfVGY8z5/yCNE0bLmErRRNIy1SU0ozTNriatLUOWZwD7KcK3TnZ7Q==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:01Z", "mac": "ENC[AES256_GCM,data:Wqg3N9V/YDERV4zNWoSqBTLC8Ice/W2UARHx+dOxVWGhBRUMdKNNatdsHVaBOYonJX/+Vnj7uNW3LbKMwzCDZdDyJuOXe+xNJ4Icqc9M4JCaVS9l47JSxiXhahQymZg3Xxq0Gbb1sd49I27Y84QgtWIzwnkWT6COF9NmJSL9kqo=,iv:AAmTF/0+wws3mimFwi7ZOqZd5fBxg585/hCkVnvQRUo=,tag:/Si62TyNF3pttks2sWPtQw==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/tomberek-email-address.umbriel ================================================ { "data": 
"ENC[AES256_GCM,data:mFYiVP1zOpwrmVB6jpahJszs,iv:EjgsCBuO67MOjF5DuoqO85n9nC6Su3yj3T264eMpPBc=,tag:1uxwCx0Y8BwrlZU+paxAmg==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0MTR1Um5jTzdWWDF3RS9n\nWUc1YzBSKzRFVFNCOXRpL25PR096L2FjVUNzCmo0dFVKbmRIT0ZER2R4TGRKWXRL\ndTRPaWRvbk5TTHRONTFNZXZTWFo3UDgKLS0tIGFBNVNtUUppVVJWN21QbUo5VzVn\nb3RjTFZkM3FZYXRWRTBPVUZ6aVNFWk0K5ypbBy0SdPeRxYDtfrgFfGFUp03et7kr\nxZxLvtaqjJqbNHKS2e81ztRaITLORo/WJ2XswK8wb95EbhO/1wRVRA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsNnNncUhneDc4MlRpRnBt\nUGQ0eEt4cGdYM3BhcFFvd1ptNUZ5V1BwWUhNCmZNOWZZUWVyeDJlcmVDUTlOY0I2\nWHFrU1FwODdSRVZIbzUxaHk5WGRuelUKLS0tIC9MaEpyeG9hTGRCR1ZyN1VDUlh2\nS1pUMVRCSEkrUk1GRkRYaHlkSnRRMUUKuOhXQwxO2kJSmT9RL6QeY+zwpsppgNkz\nF1nyO1t7/mz3eXg8ZSLAUqBonGwQhfzttiMZcQg3hpnMXL9ZHhnGhg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArN1BsY05LZCtCc1VrQlpH\nbHBiTExHTEU1SlYxTlQ3VHdWaTN3NXQ2OUFZCm10bVBUejlvMWFoWTZrREJyMzVT\nV3lYVWxsQVFqdmpxTHRtcDJrYzJHU0UKLS0tIDkrcVhyZUhFbDEzT09uWmxWV3l1\nbG1uUDhGOWVOeXVZVGNObDB3VkdSazQKwMv653rlOTE/kXayVKTc388mTdZXyscU\nXdI2fVCAldknvMErvCFFDp+8BTxvvqihKrHLkrvK6SYzbIyM2fuM6w==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:30Z", "mac": 
"ENC[AES256_GCM,data:92X7qT7ya4E24T22eETGZ8++S6f0bEJ14oyTHb1Q0ukaNLu0a0HCPrfQBw3KQFT+Y1SvrFDOot8PQIEpeijKMsDvzh1OqqhVVqSUHh98osLJwW0yMA7E3k/Wa9LKtup5/ZNIrstd0fKYhS/QVZXVxzkjddRYk8dhy7UdjVwZns8=,iv:D+/vMYfvCYIP5mcu6VLtTMm7bwZ+1lyQ8G8OC+Vo1xo=,tag:C2cassN2PStNeXf0xNxVUQ==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/uep-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:iQM6Fk2XZdQww6MLaMzd1+NlzXerV8Qv1w==,iv:HqTeo3Ad5eW62H3j5Ej9v1WzB5dMiC9OOGEQATO7OGc=,tag:1hzAv7jQ+crr2swvSbfXtg==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzQjhBd0dibGNhbG9hQnFB\neFBwUUhoNUhEV2hGQ2s5aXRoTUNyczEwZlFzCld1L2lkM3k1bWVGOUZGekt1WDZB\nYk1FbFF2aDA2NjA5Sk9tOFFOS2VZNmMKLS0tIFFGUWJXakx2bitKWUU4QXRPNEJ4\nMUN3ZXl3WTEyMTRGZE9VN1dqeWF5N0EK1OVsikT8NJkEgzivoNZVeSehYgg7LxH0\nBR+qt5HztP8wh7181BQniHHsYrmW/NG9hAE/lWaWVMdEXJp7Af/otA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKMTdOaHVvVENpNUJQOHNh\naUwva04zaE1HSUZDWXZyWDU2R1c5d3U4TzFJCkMybVkyd1hsc0tKQjFCZnBaS2Zv\ncUNtN1ludkhBSzFLbVl5N2FBdXkvMmMKLS0tIEtJZzFKb3l1enZkOTIvbUJ2ZVps\nZmtuV1JXaUhJL3dGWjBIYnprY2JZT1EKmr6klqS9VHCQ176Fu8+W+13eWEhi/fJy\n3GV3Ayj7na4LLrKVVbzC6zzVzKhBu3KAs+yb38VHybJm/dXByPcE9Q==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5dVhrQTJ1ampCVHU0dUU4\nSnozSitZSFVTYmxvMzJDWWZtakdWQVdoOW44CmFncmxONHdvb25XNitWZDFKa3RI\ndEJIeUpsT1FGTnJZRGQ4NTV5TVJ0OG8KLS0tIGg0cHM5cUtSRUlQbFVnZjNlUFho\nTk5pYUdwSUsvb3h5MnNyVDRqU2xvbVkKsIgJCvvqZMRjZw0Z+CERcuGfpib2IKOM\nba9//ju0Lxdc3diVBakFzXWaZVDP6ww11P7Z18Ciol5gHh+J8EnhlQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:04Z", "mac": "ENC[AES256_GCM,data:hKITtyGY+mQS5Qr3D5x77GOew9OXw4C+ha5EIjJJZqq+v/oUdp0ao4KxgRevbqqXqjSovKLt3qF+KFrB1+HmP/WN8FBJzN6L+K8LP+DVmyjB+9tkQib4jXwp0sYDhH7eOTmgnRyzWcBSBOwApmscuvt9lvQlD4oUK9BNMQArB2E=,iv:wT9DNjqySCKuXfDPNu8c8i7Q88XGr0t0njDQPQunKE4=,tag:Rpb7zDHM06FXFJasexzLVg==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/vaultwarden-env.caliban ================================================ { "data": "ENC[AES256_GCM,data:5PPXJqE8FM9QqqqnbBM9UbQMWMJFs7/iJ55RTTD8Byl2++h84UdzuOcG/9X6nWeZPcdi5YalrDJIhcRgSQ16x1oSV4Y2YGif62NzfCCZHNfkOO0tLhx4wlHD9QtZHDxIYoLZ/5TMvg+usFq6Y1s51x0ofigZpruK5sVhlnFAotK00FbOov98JHO+MJKZtF+E7Gtj,iv:KvhTmOSb4+A/7p4WrkEf3vzRm7xrIHUnMQACD07yPtM=,tag:uU8IBYdIlLXBAEVvx2DKBA==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1K1BOVU40RHQ5TjVTOEs4\nRmIvZW9ZWnJmN1BrUDZxQmpzMUpabzV0Zkd3CktFcFcxdkJOcWRPL2FBKzRmb1ph\nbHJwL1hHbFpTNXFnMUplc2ZPcUd5RHcKLS0tIEJyUUhSVlBPZGlUcFZPUW1RS2Qx\nRnEzckR1N1JZOWN0bUVNWkFQajhVUEkKI8jb+DCqnxr+6AfzXBte4xFOdscOyBz0\n1a5fS0FQ8+Can/MGGrpL4q/xPbhzKy1lUom2/kehYWHmJ8sHwJAGcA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1qlwzeg37fwwn2l6fm3quvkn787nn0m89xrjtrhgf9uedtfv2kqlqnec976", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHaDZaVi8zZ2I1N0FpblJr\nV1B4R2pEbHlKWml5eE5Va2kzRUV3TVBnMVIwCmJQbThKc05xTkR0UEM1Qjkvd05O\nQTh4WmFRUXJMS0M4TEhMTDNUUkdNOVkKLS0tIE9FaCt1eXNVZExJTTQ2STY1aVhF\nOTZ2R2hsdWwrUUpadzlqM055UHozTVEKntJdbft7gNl6W9OrJOpHfe1By7CFvzc5\nyWvaYknU3j7nhvxarF6f9rt8upPUueGxyDW8HZXrR305dYNLafH48g==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQMm51ZnFFSE42Q3pyQ1J4\nNEt1S3NRczZTU1AwSDJUNFZxaGV3d3p2VlQ4Ci8wZ2R0cWFnK0NwTUJwem9YQ2ZC\nYy9lSDRTNGRPcVpwbHhBemtGV0ttSGMKLS0tIEk0YTBUS0UvazdxbFhxd0FtdmIw\nRFU4ZWFJZGd3dXArMHlVRzd6aXpzTzgKzQjjkmUsVJkeLAgZQ4/1OD2bgPTt9RRx\nwnTsJ7+0KI5NYMmxgrvcw5Wcrj6aVsIJGZUB/pDK+xfjmkZXI1RgYw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFUTBvTWY4VFFsSkdsWGlD\nSjBLRGVoWXBMbDRRRWVuYnVpaW05ZDRvR25RCjBTNmFkM3ptZTQrTWcvczJQWUlT\nbFMrRlZjSUlFVDlsWVRiZzZEK203QlkKLS0tIHE5Si9mYkpSRFNQa0J1ZXhvZ2dk\nSHpNYldXMjNHMDMwV3JqdUQ1Z3VZWTgKK8pb/aVyhvX5xPlcz211NZX3/sxGO3ff\nL9uC++BcZntVyZiY7mDn1bqXFjdqKa4sLAbSqcZLOPaY5DA9skdpsg==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2024-06-01T18:35:49Z", "mac": "ENC[AES256_GCM,data:xw0+obDWdG//sTEDpF857DCVkisLUI4k088C3dbjpHgl8O7IpnUqk1yLivjM4jPcNqhW5Wrc5h8QJuy7PkXyXETz83+DbjPXiOUnuMHZQNgVqg08VnYzvwQ5FLRm9Bn51mrHLOYMaXLJMbKQWlxS3lNreLDycJGrxm+KTE6VskA=,iv:B/ArtyQffyoyaAZe9zE/p4B/gFGnesCa+lXRhxjd/Js=,tag:U32JBzTvWpfZ6zibtnuTYg==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.8.1" } } ================================================ FILE: non-critical-infra/secrets/vcunat-email-address.umbriel ================================================ { "data": 
"ENC[AES256_GCM,data:+aa6Bj/eDk/Zx6FTU2Rh3w==,iv:fWUXCuTb52bfW45l9pZRIkpg1K4yUYjYmk3ezhbVcTs=,tag:PDR3bkCZNgLwrbibj6iVmA==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPV0dqUS9NQmFYWmFZYjFL\ncEc5b2ZROEswbzVkdXVEOWJ3V1Avb3FzN3dZCkNiUDlia1B4NE1EV052QjM1MGQy\nUFhsSUFaYjV0NlBCc1BycUt1TDhHZE0KLS0tIDNNSEVybW5vQllTSDgvaHJiSjAx\nK0NCa0hHSFJXd25wREgxejVEakt2aFEKhagkza49dDn1LXlg4fUfmdPGOVO1wB2v\n9wV+OHFQOdbWl1QKPhE2TLRZt84Hbv4uuQaXl/aJ4sU7eFOhNlcJDA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqU0VIakZjSmkzUHV6MS9B\nK25RMUdqZkREb2MreUFZSTUwdFhiRjB1NVFzCk54NGY2VHZJM1gwSEpUM2l6QjNZ\nRkwxYWRWTnR1ejlkcTZOUUQ5bWZlZmsKLS0tIGFJck1ZczFrSUJ2aFZIR0dSems5\nY21UdTl5bXJSSEU1MzJOai9icXd5cU0KNaPF4uhJfLBQMyxaC6/VVXZuzj7ySTr2\nkxXkT2rQcQIXkd4KyBPwCPieY52n4lmNQYwKiO9ycf5vq70nZOHGVw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKc2VBQllmZzdCTE12VE5s\nNks5cFpxSm14R2Y1Vzc2SUR2RGJpWjRsWW1NCitpUjFXUm11RFlNdDB3dmhHN05H\nNUJia3NXM291ZHAweGNPM2pydk41a0UKLS0tIHZKTUF3ckpuSktaSUxqWGdsWi9k\nWlpNSlEzbHJUUkV1YmJFUGFhcCtYTG8KFkJKmF8R40yfLuBwgWLXVRY9lVBVYU9I\nR+nj+9xNLb4I8PYqE+qeQ/Rqm8p5UQuEaeXC7VoPHFZwJ5G6KWyhAg==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:53:58Z", "mac": 
"ENC[AES256_GCM,data:ycBM+SZZmzjmVxY9ODYApiVz/7TvDvf+8KioA6TbfIhdsjfupG7w70W7NrBaqIhBKtL2F44fwHQa6hQ0umwqF6H9ALHZetXQp3WFFTcN7IIp2tUEOoNe6DQ6wWFT/wqPoPB1pNBcPZjiWeAn3+yGzOXVg8RXbpCXugCxEm/WCxM=,iv:cKm4T3Syse1SUGu+IpmcepxMC8ETxWZZKdDYYorsPio=,tag:pBjx5C4AKqzT9IWQpeO/7A==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/winterqt-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:GaqqJ535lfLVj+gQth9zpo0=,iv:QNau6T2abPBkd02Q+xg0HMP8HF1hA1HI6I3HuSJ5GHk=,tag:0W/RMZmkn7uMiJZCmJ+mQg==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5N2hZb2dXbk1zTEYrOUda\nSXZzMkxqaC9wRFNGZzBzbnk3M3J1TVhNV3hNClpPalduWldsSlNoa2xxUGk3RVUz\nVEZxUkV1NFQ1eU1wd1lLM0hQc0dubVEKLS0tIGxBdHF0TGxxVFExUmw1dXIyN2ZM\nQVFkeE5LTEtoMmx3SFkwSU10bi9YRTgKtBAtzERSghfG081LWDen3g2asRCOqki9\na9pIdnn7nPUCA1d0JYd/+ydKENZqi7MmRrqRVe7ahKP7gTEJYPBVmw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqaSs0aWcvTW1oTWh5Misz\nUzR0bWdCV0RLMGZobnlDY3JmZS81OWpscXdRCjcyaU1lUmdQeHVjL3JsdDcvd3Yx\ncGs1RVBvTDF4K3JSWWhMSUNEZzh0ZGMKLS0tIHVMclkvUkR2L3lpQm10MkZkNUJy\nVXV2TzRMZ280ZUtPNlRjVTdRc0ZJKzQK6DCNcmVHESA8C55fSuv4LzfSBOILbyqH\noIIoGO+J86K9/jZxS1rAQUcm9vabnIdQPMVip/5uFG7NPiykN/6QVA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhRzBMUzc4d244aHRhaGQy\nbEVwcU5QLzNIMlgvd2JGUjVsRklDY2dmdWgwCjlzeE4wbEo5Q1BjYWwvR3ZYVFlY\naDZVd290bDRFZUlXTDRNY2FqTzFNamsKLS0tIFM3Zzh1SVExSW9TZ2d6dUNlWm5a\nVW1VaGU1Y29iWmFoSUVZbldtOU1uRG8KVPqRlzOCYGhiNqJG098shKR5Vfz5PxXL\nKSe/DteGWCtKTTaDf+vQxnMZYn27ZQ1thnYBdCVkDTZHcZJh8XiATQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:27Z", "mac": "ENC[AES256_GCM,data:p8KIUyM7slHxJI5b/78KrGymcTkuV4puIYvTTllK5F1A+DiyU3D88NHEUAmMxuRovNgBtyuDFnTa03ozHD93s6PVP12FT5nUNI53UysQptcx6Pz/5UCKXx0Shzok2RGr8IfvxuV+Z03YUCoHEc6+rROzQmYamZDBRCi0ipLpNzg=,iv:+79HhdlGWJaERzk58+JI1YEezUNrVI1Hv+OT6yfpPCM=,tag:sbyc7SDrVZLb6qUL6A9vaw==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/ysndr-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:Y4YOmEBOaGquqDY=,iv:A8TPjKU97NEW4q2bGWMZcXZTkrm0eQCdwUgtxOMTyVo=,tag:Q/u0rcCpxEX4w/qwPjCWCA==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5cjJjWmpkT3NGdURUL3c2\nOU10VFJVckVLNGNYdGNaaVZxUFRtUVJkQ1FJCnBOMHhjL24wUER3bk1heitXQ29O\nTGRURXBlYkFiWEtXM1FoYTQwQ1RtOUkKLS0tIFRWcEs0cmJ5OGlxZDhGaSt4akNh\nSEpSSTV4Ui95d1pJUHZVUDhWYmxxdUkKr+pfm60iiA/KPvGC+8/FG+k66VrWUe55\n5wJWY9kaAiryufCOJ6MxusmA7wukEyG11fL2/pbVnyuTjyVQQJBncg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJM1NRVlZPbWZpYmdoaUc3\nM1lxN1NvamJNci8wWWs2TlpTTWx6N1UzQmpjCkJaYXVRdWpFYks3RWNhcjE4WGxl\nV0g0TnpPTllnR3FsandBMkIzT2c1cDQKLS0tIDc5VktJaVdoSWNGRmwyZCsrWnBw\nUG04MEpWNXQ4YUMveHdybjZoZ0VoYkEKRyHiuLYrnkDhyBvatsGhojZJY5Zw93Ul\nUZUnSP9VHEKUUeRden8t0GbDB5yaE07Ct38dutZBiKdwq5Ndd+Dstw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3SFRpdWxFV2s2M0xxNUNT\nczlLRUtmOEE4cUpDSjcyNjQrbzlFeDJxRHg4CkZiWTlReUF2clRWbFhNcExkdjRz\nQzYxcEZ3Tk1KYzdJK3Qza1lqZXlFelkKLS0tIGpRb1Fnc1NzaE9sMlN5Mk5ic05P\nUlJxVGpybDVqNzJHOXhrdE1McWo3ZnMKI6TIXqZmjgTP6n6aIYqVsNRpDWveivk9\nC1QHKDfSBzVd/T2GABTV6Z9eMsudYFyBte6cZOCRl2BKRLDKJii3cA==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:32Z", "mac": "ENC[AES256_GCM,data:srReKGtO+y3gEbo8QV7Mn+rlELqjGO5FBSCicBOdvZqhNMrhi2pjA7lcf2AOA/QADczF3wDIHb/sLfSK0jorHV6UxnnLsz9xiIja/I3PFykKa1UBVtT9rEoLB3B1J7tTdXmZbr13TC/FnoaDs5XqQ+HESp08GYCB1KPUUpJqhks=,iv:7QvEVhTXwy3cPBu1zTVYqHThxmP0Rq9Gfz4M4arbjQo=,tag:BN512LFyrlYGuW2ZNoVD8Q==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/zimbatm-admin-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:/B9q0aK0T58QAWuDM432j67GOn97P9Q0cQ==,iv:CmoZAWxAwhVICYChnnv+KJKbBVNBDsIsd46O7xbW09M=,tag:9M91PSeVYqjFLBwU29B1Lw==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvNS84ZGhEejJCT096OG9o\nbmt0V204aS9ndHNoYUJQWFRXd3B2RXlWQUZzCk0yai92c09icUJrU0pZNlpXTzho\nY3Q4QkRqTVdVdlkxOVJMVHpyNERYSTgKLS0tIFVoZDd2VWwremR0NzVvNmRxWkg0\ndHk3ZjZWVlpMZWs2ZG82d3BsbFVuelEKzfSkYRqQfanMZNHQ6wjHr54a2VR3jRfF\n71VVbbLLDNoZ0kkwv/mjdH/Dn0iQyVDUMRn9uQqmlirT3DH74Jsh1w==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0TENhT2QvWit4UjBkcy85\nRVlxL3ozRnBUNlVZVW1UcWVFams5dmhiVm1nCm05ZlVrT0hVSmlKQmozNUU5MHFU\nb1VUV25mK2hocXhnNGJOVWxuMVJ5UVEKLS0tIHBRZEluTnVHMFo3VGVIN2VkNDc3\ncUZOTExwMTMxNW96S1h5SlhHNXVqWjQKdYoZxT9IDjtLcmUHClyuTqnpWHa3zX9e\n/afTEsArLfJ00n2O1hThP3puJmSEe1mDvz7CF57Cwf7iu51nLhitpg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjTzBFdnNGV0FaYVd0aUp0\nczJoNmQ0Y0p2a3VxSTBrT0V2QjNWdTlaZVM0CjQvSENGMmlrWWIzVEhEL1h4QnBx\nR1RISHQzK21Rb2hpS2hzK0czWmZFbVkKLS0tIG85b1VXVVlpRXRENU1ScEUrd1BL\nQlpDWXVKeHpsbktQT2dnNDR1RGY2cncKB5611errmeH6HkZ563J0tweRl2kY3/85\neIqp8yuADpdxOW8EpTtGBFLXc3XpWErK4KLz1i9XiPUl3NEF7r9nIg==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:33Z", "mac": "ENC[AES256_GCM,data:y9bVOXG1I8zmQWo/MX1QTcCsoSkJXMCERUaeRKiAbOlDUOsjmrUhmGyz51XRNXmYNELLF7uYjTV6xy3ZKc64fxaxt90R8YAftElFAYk9wZIBGrA27pkXD91+pTk9Y9gFqQ3CXHVp7VNrabuGDQsNfG9AVIiUZKzp5qUOMBfH6vw=,iv:RAg3UaPFKb3a9SYWLkwZtolwqMQhhfYWaStlTMj61RY=,tag:DbOWDc7M3hRCeSN7VlnBVw==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/zimbatm-email-address.umbriel ================================================ { "data": 
"ENC[AES256_GCM,data:hWrx45+MS4e2v2YPpWbpZ6nKpw==,iv:YSbUsRMeyCKs1gt5ScnE/seG3LC7YcylLE8tegRo208=,tag:CjcOuODmVt5HPsD6Dl3/OA==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWN1Q4bFY4aHRQdlNZa2RJ\nRmJDdWdyMGZnUTBQcHlacVdkK2h1eWgwWnhVCkk1OGRlSCtpZWR1dEg4OTVocEor\nT1UzRm9BZmFEbXZyaXdTb3ZmR082cTQKLS0tIDRYRUhMY1hIYSswcENkenZJNUh3\nQ2VtVlFsdmxRcDBYTll6ZVJCN2NRWDQKT0/VwpK38hNStcRcnQE6L34tcTS+0JEK\nGxlsdm9uQ5XLtmLF3UabrGkGee80mQ1XkhPYte9CPnNZRlIJoxHA1g==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxcXZNd2ZIOXhDTnFzNFNN\nSWpSRHFyZHA4bUZRNzBhS1pkVWNlcGRWaUdjCjZVSFczUGdrK2swNy9sdzVhTk5j\nbjlDQko1bklXU0UwU2E4Y3IvTTZnd28KLS0tIFl0NVR4ZzZHZk9reEl4dDRMdDZi\nZG9pRVJYU3JWK016d1BWMzRueXZJL3MKCR3NxNuASwNrMwa8DmyV1T46kJWEc3ZF\nO/apjWFxxmLDui3AN5hLWVF70a9kEjk62g12XKvVTZ+cZT695si/Pw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvcCtZeVBaaVNiQ3RLN25k\nUVZuRUNrS1psZ2oydFdzYldORWxrWXF3Y2pjCnVPaERFMjk5VUNlbGp0dmI2REpE\nOUdhV2dLV0N5bWxWRVhmRDRzbzFzdE0KLS0tIE9CZGJQSEFPeFdQL3dKbFlBU1dK\nUEhkdThKdkNsU2NEb0JRUUZLRVE2cVkKqIPmBE2+dpWLGwiOlVvWxleJUZ85gscR\nn8DeAxHkj91yYvKTVRFI7IHXodKm5Tv36Do20FEYActXU7O04x5gKA==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:53:58Z", "mac": 
"ENC[AES256_GCM,data:4ArDpnWg+fOyx3GXmKutr5/NT4PvoeUDT5W/r7D4vtbQG/dwlnBZ4PV7tZte03lnCWfRRxWsV9Uo3gkfcbs9PXU5jcWiUjsZF6fwHaOo7icD2szA/gyWka66SC1Bxx5Ob0DQBhe3FuzLTq7ZPYxp1vXRdqTT8CSxe+ImzPGHank=,iv:t7ogDMdhVG6BX7hxRH3G2ov2LPH5DBZ0j6enx5YmobQ=,tag:TVKzrERdsJo0ARzxk1TsWQ==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: non-critical-infra/secrets/zmberber-email-address.umbriel ================================================ { "data": "ENC[AES256_GCM,data:2k7CE3eP/tkjWrDsVD5VHj5MMw==,iv:W9ojzlwPejmI801En8WyXkJ2Mbon5VD8CdBevDdn8SQ=,tag:Qzlgqp3jRYiMjofENRok1A==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": [ { "recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSNTI3bHYxNml0WVRZZkxn\nRG03eDJha0p0TmI3ZXZsRkpXSm9sMEpwT2tRCmszSWxicnZGa2EyL2RoUDF4ZWZN\nazIrMmJydkRvUlFTb0VNTVNuQTBwMUEKLS0tIElVSVN3T0hNdkdoTnJUUlFJenQ1\nMEd4ZW5aemtQcm15ZVozK3hOSW5YbG8KGOpwQmdk0CNUTI8CaUjXg4HqHuwn0Fcx\nNKJRYbRLsawTgWu7Cpg72uM0TaiYhU9+HOIP+XRgrXWDBrTos3qPjA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKTEpBMnVnNzVPcmdZd0F3\nR3R0aFpxUVdXNGpiQ3BRU1dNT202akFuMHcwCnJKUFZ6UnV3d2c4WDkrdFdpUFdJ\nSFF1UmczZHlYQ0NEaDRYWkhXTHF1TWsKLS0tIFB6SDQ3VFJPK3B3aFQrOVVYYnlv\nclQrT2Q0NklDS2Y1Mm9Kd3BBVmV0VHMK12RhOd3Y/+RqqzVLi7iSx1MJ0ZwgMRqB\nNa6hQ26E5VvrrpD2DWez3B4tFcvPnqs0E8H+XSmepAZDkKwaCEk9gg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCQy9qZ1ZPTU0reXNxSHJ0\nVDRHeTZud0JibGF4SGlhMDBYYW42SVR6SGdnClk0VG81MFdXVDRBU0VkK3VKN2gw\ncXAwamlXanlUTDlGMU5kMDI2QVU2R2cKLS0tIG1tc3RtMW1ZMkhFekMvcHc4NUxS\nL1FIL1l2Rlo2NkdqZXVYV3hySDloYTAKHR3ylAvNTCgcqYBT5fqtAekzsFfhyAlG\nML9owA1as6L2gz0Q0mNs+hQ7bVTJcX79IvGJO3XGRzzKiV0mDg9+6w==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-03-22T15:54:16Z", "mac": "ENC[AES256_GCM,data:pdfPTfLuchk8RPTYJn5+zF2SyJVVr85gSbwQVHZ8ntViyGLUpvnlhLDay33CYV/6bnwQZIF9S5xo13/eQeemTa+p++tZKz4A8g6vWh5NuHgN4PBz63W25tmfPQGLk/sy6wm9wMmatDncJ9RjGtRfkDxqhjpNXM8eW9rvUezFBOA=,iv:pw92c307xRw8iZABrzeKycsv54TJWlzJBgl+itBb5vU=,tag:0LglVHSUgHi+CgA6US9vWQ==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" } } ================================================ FILE: pyproject.toml ================================================ [tool.ruff] line-length = 88 target-version = "py312" lint.select = ["ALL"] lint.ignore = [ # pydocstyle "D", # todo comments "TD", # fixmes "FIX", # Unused function argument "ARG001", ## breaks with nix-shell # Shebang should be at the beginning of the file "EXE005", "EXE003", "EXE001", # Missing type annotation for `self` in method "ANN101", # Dynamically typed expressions (typing.Any) "ANN401", # Trailing comma missing "COM812", # Unnecessary `dict` call (rewrite as a literal) "C408", # Found commented-out code "ERA001", # Boolean-typed positional argument in function definition "FBT001", # Logging statement uses f-string "G004", # disabled on ruff's recommendation as causes problems with the formatter "ISC001", # Use of `assert` detected "S101", # `subprocess` call: check for execution of untrusted input "S603", # Starting a process with a partial executable path "S607", # Boolean default positional argument in function definition "FBT002", # Too many statements "PLR0915", # Too many arguments in function definition "PLR0913", "PLR0912", # Too many branches # $X is too complex 
"C901", "E501", # line too long "T201", # `print` found "T203", # `pprint` found "PLR2004", # Magic value used in comparison ] # TODO fixes [tool.ruff.lint.per-file-ignores] "modules/prometheus/nixos-exporter/prometheus_nixos_exporter/__main__.py" = [ "PTH115", "PTH118", "PTH120" ] "build/pluto/prometheus/exporters/**.py" = [ "ANN" ] "build/datadog/hydra.py" = [ "ANN001", "ARG002", "INP001", "S113", ] "build/pluto/prometheus/exporters/channel-exporter.py" = [ "BLE001", "PTH123" ] "build/pluto/prometheus/exporters/hydra-queue-runner-reexporter.py" = [ "TRY300", "N806", "A002", "PTH123", "S113" ] [[tool.mypy.overrides]] ignore_missing_imports = true ================================================ FILE: renovate.json ================================================ { "$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": [ "config:recommended", ":dependencyDashboard", "helpers:pinGitHubActionDigests" ], "nix": { "enabled": true }, "lockFileMaintenance": { "enabled": true }, "semanticCommits": "disabled" } ================================================ FILE: ssh-keys.nix ================================================ rec { arianvp-mac = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdERauixCGEk0oxLB+725k2M3McKHM0hjOjOWS+Dxdf arian@Mac"; eelco = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnI5L6oCgFyvEesL04LnbnH1TBhegq1Yery6TNlIRAA edolstra@gmail.com"; hydra-queue-runner = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyM48VC5fpjJssLI8uolFscP4/iEoMHfkPoT9R3iE3OEjadmwa1XCAiXUoa7HSshw79SgPKF2KbGBPEVCascdAcErZKGHeHUzxj7v3IsNjObouUOBbJfpN4DR7RQT28PZRsh3TvTWjWnA9vIrSY/BvAK1uezFRuObvatqAPMrw4c0DK+JuGuCNkKDGHLXNSxYBc5Pmr1oSU7/BDiHVjjyLIsAMIc20+q8SjWswKqL1mY193mN7FpUMBtZrd0Za9fMFRII9AofEIDTOayvOZM6+/1dwRWZXM6jhE6kaPPF++yromHvDPBnd6FfwODKLvSF9BkA3pO5CqrD8zs7ETmrV hydra-queue-runner@chef"; zimbatm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOuiDoBOxgyer8vGcfAIbE6TC4n4jo8lhG9l01iJ0bZz zimbatm"; vcunat = "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQC4IJkFIVyImkfD4fM89ya+hy2ig8kUg09PCdjB5rS82akFoucYZSYMG41ZrlMT5LAikIgWusBzpO5bBkqxqcYqaYK/VF06zVBk3kF1pAIoitst9z0PLXY8/N+bFJg6oT7p6EWGRvFggUviSTTvJFMNUdDgEpsLqLp8+IYXjfM3Cz6+TQmyWQSockobRqgdILTjc1p2uxmNSzy2fElpZ0sKRPLNYG4SVPBPnOavs1KPOtyC1pIHOuz5A605gPLFXoWpX2lIK6atmGheiHxURDAX3pANVm+iMmnjteP0jEGU26/SPqgVP3OxdcryHxL3WnSJGtTnycoa30qP/Edmy9vB"; hexa-gaia = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAWQRR7dspgQ6kCwyFnoVlgmmPR4iWL1+nvq6a5ad2Ug hexa@gaia"; hexa-helix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFSpdtIxIBFtd7TLrmIPmIu5uemAFJx4sNslRsJXfFxr hexa@helix"; mic92-turingmachine = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEVSsc5mlP8aWiUVwWWM3gKlB5LHVpmKSifnDyox/BnVAAAABHNzaDo= yubikey1"; mic92-evo = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCsjXKHCkpQT4LhWIdT0vDM/E/3tw/4KHTQcdJhyqPSH0FnwC8mfP2N9oHYFa2isw538kArd5ZMo5DD1ujL5dLk= ssh@secretive.Joerg’s-Laptop.local"; jfly = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIImw0Xc1buEQ9WOskyGGeg3QwdbU7DTUQBiu02fObDlm jfly"; brianmcgee = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKHHl5kgMDNQA/zqK+AzT4SO09rfAp+y/EeUC+Ow5XqyNid5lm6sgLGM+AqZDx0jOrMKWhd5lhzGDdtsSf0Y8g4= brian@saturn"; infra-core = [ hexa-gaia hexa-helix vcunat zimbatm mic92-turingmachine mic92-evo arianvp-mac ]; infra = infra-core ++ [ jfly ]; machines = { # build/ haumea = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBamzRwZmoLjBFoNruGSVJEahk02Ku7NrBOmqcRWxcPm"; pluto = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPzc6B1S4mp3T3oWZnqQDkDVWFBIzLtkgkdgstfYZ5d/"; mimas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICzfTNppOS5b5IvZl1wqjGTUZE0D/o/MY8d7uKPWDvIp"; titan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDgz6s5Yho6/bjvrRDuJ2IewAZQaevAMOeMjVjMaw5e+"; # builders/ elated-minsky = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIvrJpd3aynfPVGGG/s7MtRFz/S6M4dtqvqKI3Da7O7+"; goofy-hopcroft = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICTJEi+nQNd7hzNYN3cLBK/0JCkmwmyC1I+b5nMI7+dd"; hopeful-rivest = 
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBgjwpQaNAWdEdnk1YG7JWThM4xQdKNJ3h3arhF7+iFm"; sleepy-brown = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOh4/3m7o6H3J5QG711aJdlSUVvlC8yW6KoqAES3Fy6I"; # macs/ eager-heisenberg = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBp9NStfEPu7HdeK8f2KEnynyirjG9BUk+6w2SgJtQyS"; enormous-catfish = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMlg7NXxeG5L3s0YqSQIsqVG0MTyvyWDHUyYEfFPazLe"; growing-jennet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAQGthkSSOnhxrIUCMlRQz8FOo5Y5Nk9f9WnVLNeRJpm"; intense-heron = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICeSgOe/cr1yVAJOl30t3AZOLtvzeQa5rnrHGceKeBue"; kind-lumiere = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFoqn1AAcOqtG65milpBtWVXP5VcBmTUSMGNfJzPwW8Q"; maximum-snail = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEs+fK4hH8UKo+Pa7u1VYltkMufBHHH5uC93RQ2S6Xy9"; norwegian-blue = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQ6Cjvoq5VBYfXl6ZV/ijQ1q4UxbWRYYfkXe0rzmJjf"; sweeping-filly = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE6b/coXQEcFZW1eG4zFyCMCF0mZFahqmadz6Gk9DWMF"; }; } ================================================ FILE: terraform/.envrc ================================================ # shellcheck shell=bash use flake .#terraform export AWS_CONFIG_FILE=$PWD/aws-config export AWS_PROFILE=nixos-prod source_env_if_exists .envrc.local ================================================ FILE: terraform/.envrc.local.template ================================================ #!/bin/sh # Get this one from https://manage.fastly.com/account/personal/tokens and set a global scope. export FASTLY_API_KEY=... 
================================================ FILE: terraform/.gitignore ================================================ /.envrc.local ================================================ FILE: terraform/README.md ================================================ # For the bits that are not nixops-able This terraform root module manages: - the resources in the AWS main account (S3 buckets) - Fastly - Netlify DNS ## Setup In order to use this, make sure to install direnv and Nix with flakes enabled. Then copy the `.envrc.local.template` to `.envrc.local`, and fill in the related keys. > FIXME: Unset the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY env vars if they > are already set. Those have been replaced by AWS SSO, and static keys left in > the environment take precedence over the SSO profile. Then run `direnv allow` to load the environment with the runtime dependencies. Run `aws sso login` to acquire a temporary token. ## Usage We use opentofu, which is a fork of https://www.terraform.io/ maintained by the Linux Foundation. Then run the following command to diff the changes and then apply if approved: ```sh ./tf.sh apply ``` ## Terraform workflow Write the Tofu code and test the changes using `./tf.sh validate`. Before committing run `nix fmt`. Once the code is ready to be deployed, create a new PR with the attached output of `./tf.sh plan` (check the plan output for secret values before posting it). Once the PR is merged, run `./tf.sh apply` to apply the changes. ## Upgrade from terraform to opentofu If you have used terraform, you may have to delete .terraform in this directory once to fix up provider registry addresses. ================================================ FILE: terraform/artifacts.tf ================================================ # Artifacts Proxy Service # # This service provides IPv6-enabled access to GitHub releases through Fastly CDN. # It transparently follows GitHub's S3 redirects to provide direct file access. 
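#
# Supported URL patterns:
# - /nix-installer/tag/* -> /NixOS/nix-installer/releases/download/*
# - /nix-installer -> /NixOS/nix-installer/releases/latest/download/nix-installer.sh
# - /nix-installer/* -> /NixOS/nix-installer/releases/latest/download/*
# - /experimental-installer/tag/* -> /NixOS/experimental-nix-installer/releases/download/* (legacy)
# - /experimental-installer -> /NixOS/experimental-nix-installer/releases/latest/download/nix-installer.sh (legacy)
# - /experimental-installer/* -> /NixOS/experimental-nix-installer/releases/latest/download/* (legacy)
# - /patchelf/* -> /NixOS/patchelf/releases/download/*
#
# Any other path is answered with a synthetic 404 (see the recv and error
# snippets below).
#
# Testing commands:
#
# NOTE(review): the /nix/0.27.0/... paths used below match none of the
# patterns listed above, so the recv snippet answers them with the 404;
# update them to current routes before relying on these checks.
#
# Basic functionality tests:
# curl -I https://artifacts.nixos.org/nix/0.27.0/nix-installer.sh
# curl -s https://artifacts.nixos.org/nix/0.27.0/nix-installer.sh | head -n 5
#
# IPv6 connectivity test:
# curl -6 -I https://artifacts.nixos.org/nix/0.27.0/nix-installer.sh
#
# Performance comparison (should show redirect following):
# time curl -s https://artifacts.nixos.org/nix/0.27.0/nix-installer-x86_64-linux > /dev/null
# time curl -s https://github.com/NixOS/experimental-nix-installer/releases/download/0.27.0/nix-installer-x86_64-linux > /dev/null
#
# Error cases (should return 404):
# curl -I https://artifacts.nixos.org/invalid/path
# curl -I https://artifacts.nixos.org/patchelf/999.999.999/nonexistent-file

locals {
  artifacts_domain = "artifacts.nixos.org"
}

resource "fastly_service_vcl" "artifacts" {
  name        = local.artifacts_domain
  default_ttl = 3600

  # Origin for the rewritten release URLs; selected unless the fetch snippet
  # has marked the request for the objects backend.
  backend {
    address               = "github.com"
    auto_loadbalance      = false
    between_bytes_timeout = 10000
    connect_timeout       = 1000
    error_threshold       = 0
    first_byte_timeout    = 15000
    max_conn              = 200
    name                  = "github.com"
    override_host         = "github.com"
    port                  = 443
    ssl_cert_hostname     = "github.com"
    ssl_check_cert        = true
    use_ssl               = true
    weight                = 100
    request_condition     = "Use GitHub backend"
  }

  # Origin that serves the asset after GitHub's 302; selected only when
  # X-Use-Objects-Backend is set on the request.
  backend {
    address               = "objects.githubusercontent.com"
    auto_loadbalance      = false
    between_bytes_timeout = 10000
    connect_timeout       = 1000
    error_threshold       = 0
    first_byte_timeout    = 15000
    max_conn              = 200
    name                  = "objects_githubusercontent_com"
    override_host         = "objects.githubusercontent.com"
    port                  = 443
    ssl_cert_hostname     = "objects.githubusercontent.com"
    ssl_check_cert        = true
    use_ssl               = true
    weight                = 100
    request_condition     = "Use Objects backend"
  }

  condition {
    name      = "Use GitHub backend"
    priority  = 10
    statement = "!req.http.X-Use-Objects-Backend"
    type      = "REQUEST"
  }

  condition {
    name      = "Use Objects backend"
    priority  = 10
    statement = "req.http.X-Use-Objects-Backend"
    type      = "REQUEST"
  }

  request_setting {
    name      = "Redirect HTTP to HTTPS"
    force_ssl = true
  }

  domain {
    name = local.artifacts_domain
  }

  # Main VCL snippet to handle the redirect logic
  #
  # X-Rewritten and X-Use-Objects-Backend carry state between the first pass
  # and the restart issued by the fetch snippet. Both are ordinary request
  # headers, so they are dropped from the incoming client request on the first
  # pass; otherwise a client-supplied value would skip the route allow-list
  # below or select the objects backend directly.
  # NOTE(review): this assumes recv snippets run before the generated
  # backend-selection conditions; confirm in the rendered VCL.
  snippet {
    content  = <<-EOT
      # Internal state headers must never come from the client
      if (req.restarts == 0) {
        unset req.http.X-Rewritten;
        unset req.http.X-Use-Objects-Backend;
      }

      # Only rewrite if this is the first request (not a restart)
      if (!req.http.X-Rewritten) {
        # New nix-installer routes (NixOS/nix-installer)
        if (req.url ~ "^/nix-installer/tag/") {
          set req.url = regsub(req.url.path, "^/nix-installer/tag/", "/NixOS/nix-installer/releases/download/");
          set req.http.X-Rewritten = "true";
        } else if (req.url ~ "^(/nix-installer|/nix-installer/)$") {
          set req.url = regsub(req.url.path, "^(/nix-installer|/nix-installer/)$", "/NixOS/nix-installer/releases/latest/download/nix-installer.sh");
          set req.http.X-Rewritten = "true";
        } else if (req.url ~ "^/nix-installer/") {
          # Consume the trailing slash so the result has a single "/" before the asset name
          set req.url = regsub(req.url.path, "^/nix-installer/", "/NixOS/nix-installer/releases/latest/download/");
          set req.http.X-Rewritten = "true";
        # Legacy experimental-installer routes (NixOS/experimental-nix-installer)
        } else if (req.url ~ "^/experimental-installer/tag/") {
          set req.url = regsub(req.url.path, "^/experimental-installer/tag/", "/NixOS/experimental-nix-installer/releases/download/");
          set req.http.X-Rewritten = "true";
        } else if (req.url ~ "^(/experimental-installer|/experimental-installer/)$") {
          set req.url = regsub(req.url.path, "^(/experimental-installer|/experimental-installer/)$", "/NixOS/experimental-nix-installer/releases/latest/download/nix-installer.sh");
          set req.http.X-Rewritten = "true";
        } else if (req.url ~ "^/experimental-installer/") {
          # Consume the trailing slash so the result has a single "/" before the asset name
          set req.url = regsub(req.url.path, "^/experimental-installer/", "/NixOS/experimental-nix-installer/releases/latest/download/");
          set req.http.X-Rewritten = "true";
        } else if (req.url ~ "^/patchelf/") {
          set req.url = regsub(req.url.path, "^/patchelf/", "/NixOS/patchelf/releases/download/");
          set req.http.X-Rewritten = "true";
        } else {
          error 600;
        }
      }
    EOT
    name     = "GitHub releases redirect"
    priority = 100
    type     = "recv"
  }

  # Handle redirects from GitHub to S3
  # Only a 302 whose Location is on objects.githubusercontent.com is followed;
  # any other response is delivered as received.
  snippet {
    content  = <<-EOT
      if (beresp.status == 302 && beresp.http.Location ~ "^https://objects\.githubusercontent\.com/") {
        # Extract the full path including query parameters
        set req.url = regsub(beresp.http.Location, "^https://objects\.githubusercontent\.com", "");
        set req.http.X-Use-Objects-Backend = "true";

        # Set correct host header for S3
        set req.http.Host = "objects.githubusercontent.com";

        # Clear GitHub-specific headers that might interfere
        unset req.http.Authorization;
        unset req.http.Cookie;

        restart;
      }
    EOT
    name     = "Follow GitHub redirects"
    priority = 100
    type     = "fetch"
  }

  # Handle 404 errors
  # Status 600 is the internal marker raised by the recv snippet for paths
  # outside the supported routes.
  snippet {
    content  = <<-EOT
      if (obj.status == 600) {
        set obj.status = 404;
        set obj.http.Content-Type = "text/html";
        synthetic {"

      Not Found

      "};
        return(deliver);
      }
    EOT
    name     = "Handle 404 errors"
    priority = 100
    type     = "error"
  }

  # Add HSTS header for security
  # NOTE(review): max-age=300 pins HTTPS for only five minutes after each
  # visit, which gives little protection against a downgrade; raise it once
  # the HTTPS-only setup is confirmed stable.
  header {
    destination = "http.Strict-Transport-Security"
    type        = "response"
    action      = "set"
    name        = "Add HSTS"
    source      = "\"max-age=300\""
  }

  # Request logs are shipped to the shared Fastly log bucket described by
  # local.fastlylogs (defined elsewhere in this module).
  logging_s3 {
    name              = "${local.artifacts_domain}-to-s3"
    bucket_name       = local.fastlylogs["bucket_name"]
    compression_codec = "zstd"
    domain            = local.fastlylogs["s3_domain"]
    format            = local.fastlylogs["format"]
    format_version    = 2
    path              = "${local.artifacts_domain}/"
    period            = local.fastlylogs["period"]
    message_type      = "blank"
    s3_iam_role       = local.fastlylogs["iam_role_arn"]
  }
}

# TLS certificate for every domain attached to the service above.
resource "fastly_tls_subscription" "artifacts" {
  domains               = [for domain in fastly_service_vcl.artifacts.domain : domain.name]
  configuration_id      = local.fastly_tls13_quic_configuration_id
  certificate_authority = "lets-encrypt"
}

# DNS challenge records that have to be published for certificate issuance.
output "artifacts-managed_dns_challenge" {
  value = fastly_tls_subscription.artifacts.managed_dns_challenges
}
================================================ FILE: terraform/aws-config ================================================ [profile nixos-prod] sso_start_url = https://nixos.awsapps.com/start sso_region = eu-north-1 sso_account_id = 080433136561 sso_role_name = AWSPowerUserAccess region = eu-north-1 ================================================ FILE: terraform/cache/diagnostic.sh ================================================ #!/usr/bin/env nix-shell #!nix-shell -i bash -p bind.dnsutils -p mtr -p curl -p netcat # shellcheck shell=bash # impure: needs ping # # Run this script if you are having issues with cache.nixos.org and paste the # output URL in a new issue in the same repo. # domain=${1:-cache.nixos.org} run() { echo "> $*" "$@" |& sed -e "s/^/ /" printf "Exit: %s\n\n\n" "$?" 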
} curl_w=" time_namelookup: %{time_namelookup} time_connect: %{time_connect} time_appconnect: %{time_appconnect} time_pretransfer: %{time_pretransfer} time_redirect: %{time_redirect} time_starttransfer: %{time_starttransfer} time_total: %{time_total} " curl_test() { curl -w "$curl_w" -v -o /dev/null "$@" } termbin() { url=$(cat | nc termbin.com 9999) echo "Pasted at: $url" } ( echo "domain=$domain" run dig -t A "$domain" run ping -c1 "$domain" run ping -4 -c1 "$domain" run ping -6 -c1 "$domain" run mtr -c 20 -w -r "$domain" run curl_test -4 "http://$domain/" run curl_test -6 "http://$domain/" run curl_test -4 "https://$domain/" run curl_test -6 "https://$domain/" run curl -I -4 "https://$domain/" run curl -I -4 "https://$domain/" run curl -I -4 "https://$domain/" run curl -I -6 "https://$domain/" run curl -I -6 "https://$domain/" run curl -I -6 "https://$domain/" ) | tee /dev/stderr | termbin ================================================ FILE: terraform/cache/index.html ================================================ cache.nixos.org is up

logo

https://cache.nixos.org/ provides prebuilt binaries for Nixpkgs and NixOS. It is used automatically by the Nix package manager to speed up builds.


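If you are having trouble, please reach out through one of the support channels with the results of this diagnostics script, which will help us figure out where the issue lies. The diagnostic.sh kept next to this page pipes everything it collects (DNS answers, ping and mtr output, verbose curl traces) to the public paste service termbin.com over a plain TCP connection and prints the resulting URL, so treat that output as public.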

For questions, or support, the support page from the NixOS website describes how to get in touch.

================================================ FILE: terraform/cache/nix-cache-info ================================================ StoreDir: /nix/store WantMassQuery: 1 Priority: 40 ================================================ FILE: terraform/cache/s3-authn.vcl ================================================ # VCL snippet to authenticate Fastly<->S3 requests. # # https://docs.fastly.com/en/guides/amazon-s3#using-an-amazon-s3-private-bucket declare local var.canonicalHeaders STRING; declare local var.signedHeaders STRING; declare local var.canonicalRequest STRING; declare local var.canonicalQuery STRING; declare local var.stringToSign STRING; declare local var.dateStamp STRING; declare local var.signature STRING; declare local var.scope STRING; if (req.method == "GET" && !req.backend.is_shield) { set bereq.http.x-amz-content-sha256 = digest.hash_sha256(""); set bereq.http.x-amz-date = strftime({"%Y%m%dT%H%M%SZ"}, now); set bereq.http.x-amz-request-payer = "requester"; set bereq.http.host = "${backend_domain}"; set bereq.url = querystring.remove(bereq.url); set bereq.url = regsuball(urlencode(urldecode(bereq.url.path)), {"%2F"}, "/"); set var.dateStamp = strftime({"%Y%m%d"}, now); set var.canonicalHeaders = "" "host:" bereq.http.host LF "x-amz-content-sha256:" bereq.http.x-amz-content-sha256 LF "x-amz-date:" bereq.http.x-amz-date LF "x-amz-request-payer:" bereq.http.x-amz-request-payer LF ; set var.canonicalQuery = ""; set var.signedHeaders = "host;x-amz-content-sha256;x-amz-date;x-amz-request-payer"; set var.canonicalRequest = "" "GET" LF bereq.url.path LF var.canonicalQuery LF var.canonicalHeaders LF var.signedHeaders LF digest.hash_sha256("") ; set var.scope = var.dateStamp "/${aws_region}/s3/aws4_request"; set var.stringToSign = "" "AWS4-HMAC-SHA256" LF bereq.http.x-amz-date LF var.scope LF regsub(digest.hash_sha256(var.canonicalRequest),"^0x", "") ; set var.signature = digest.awsv4_hmac( "${secret_key}", var.dateStamp, "${aws_region}", "s3", 
var.stringToSign ); set bereq.http.Authorization = "AWS4-HMAC-SHA256 " "Credential=${access_key}/" var.scope ", " "SignedHeaders=" var.signedHeaders ", " "Signature=" + regsub(var.signature,"^0x", "") ; unset bereq.http.Accept; unset bereq.http.Accept-Language; unset bereq.http.User-Agent; unset bereq.http.Fastly-Client-IP; } ================================================ FILE: terraform/cache-bucket/main.tf ================================================ variable "bucket_name" { type = string } resource "aws_s3_bucket" "cache" { provider = aws bucket = var.bucket_name } resource "aws_s3_bucket_lifecycle_configuration" "cache" { provider = aws bucket = aws_s3_bucket.cache.id rule { id = "Infrequent Access" status = "Enabled" filter { prefix = "" } transition { days = 365 storage_class = "STANDARD_IA" } } } resource "aws_s3_bucket_cors_configuration" "cache" { provider = aws bucket = aws_s3_bucket.cache.bucket cors_rule { allowed_headers = ["Authorization"] allowed_methods = ["GET"] allowed_origins = ["*"] max_age_seconds = 3000 } } resource "aws_s3_bucket_public_access_block" "cache" { bucket = aws_s3_bucket.cache.bucket block_public_acls = false block_public_policy = false } resource "aws_s3_bucket_object" "cache-nix-cache-info" { provider = aws depends_on = [aws_s3_bucket_public_access_block.cache] bucket = aws_s3_bucket.cache.bucket content_type = "text/x-nix-cache-info" etag = filemd5("${path.module}/../cache-staging/nix-cache-info") key = "nix-cache-info" source = "${path.module}/../cache-staging/nix-cache-info" } resource "aws_s3_bucket_object" "cache-index-html" { provider = aws depends_on = [aws_s3_bucket_public_access_block.cache] bucket = aws_s3_bucket.cache.bucket content_type = "text/html" etag = filemd5("${path.module}/../cache-staging/index.html") key = "index.html" source = "${path.module}/../cache-staging/index.html" } resource "aws_s3_bucket_policy" "cache" { provider = aws bucket = aws_s3_bucket.cache.id depends_on = 
[aws_s3_bucket_public_access_block.cache] # imported from existing policy = < $*" "$@" |& sed -e "s/^/ /" printf "Exit: %s\n\n\n" "$?" } curl_w=" time_namelookup: %{time_namelookup} time_connect: %{time_connect} time_appconnect: %{time_appconnect} time_pretransfer: %{time_pretransfer} time_redirect: %{time_redirect} time_starttransfer: %{time_starttransfer} time_total: %{time_total} " curl_test() { curl -w "$curl_w" -v -o /dev/null "$@" } termbin() { url=$(cat | nc termbin.com 9999) echo "Pasted at: $url" } ( echo "domain=$domain" run dig -t A "$domain" run ping -c1 "$domain" run ping -4 -c1 "$domain" run ping -6 -c1 "$domain" run mtr -c 20 -w -r "$domain" run curl_test -4 "http://$domain/" run curl_test -6 "http://$domain/" run curl_test -4 "https://$domain/" run curl_test -6 "https://$domain/" run curl -I -4 "https://$domain/" run curl -I -4 "https://$domain/" run curl -I -4 "https://$domain/" run curl -I -6 "https://$domain/" run curl -I -6 "https://$domain/" run curl -I -6 "https://$domain/" ) | tee /dev/stderr | termbin ================================================ FILE: terraform/cache-staging/index.html ================================================ cache-staging.nixos.org is up

logo

https://cache.nixos.org/ provides prebuilt binaries for Nixpkgs and NixOS. It is used automatically by the Nix package manager to speed up builds.


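If you are having trouble, please reach out through one of the support channels with the results of this diagnostics script, which will help us figure out where the issue lies. The diagnostic.sh kept next to this page pipes everything it collects (DNS answers, ping and mtr output, verbose curl traces) to the public paste service termbin.com over a plain TCP connection and prints the resulting URL, so treat that output as public.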

For questions, or support, the support page from the NixOS website describes how to get in touch.

================================================ FILE: terraform/cache-staging/new-cache-test-file ================================================ new ================================================ FILE: terraform/cache-staging/nix-cache-info ================================================ StoreDir: /nix/store WantMassQuery: 1 Priority: 40 ================================================ FILE: terraform/cache-staging/old-cache-test-file ================================================ old ================================================ FILE: terraform/cache-staging/s3-authn.vcl ================================================ # VCL snippet to authenticate Fastly<->S3 requests. # # https://docs.fastly.com/en/guides/amazon-s3#using-an-amazon-s3-private-bucket if (req.method == "GET" && !req.backend.is_shield && req.backend == ${backend_name}) { set var.awsAccessKey = "${access_key}"; set var.awsSecretKey = "${secret_key}"; set var.awsS3Bucket = "${bucket}"; set var.awsRegion = "${aws_region}"; # Change this value to your own data set var.awsS3Host = var.awsS3Bucket ".s3." 
var.awsRegion ".amazonaws.com"; set bereq.http.x-amz-content-sha256 = digest.hash_sha256(""); set bereq.http.x-amz-date = strftime({"%Y%m%dT%H%M%SZ"}, now); set bereq.http.x-amz-request-payer = "requester"; set bereq.http.host = var.awsS3Host; set bereq.url = querystring.remove(bereq.url); set bereq.url = regsuball(urlencode(urldecode(bereq.url.path)), {"%2F"}, "/"); set var.dateStamp = strftime({"%Y%m%d"}, now); set var.canonicalHeaders = "" "host:" bereq.http.host LF "x-amz-content-sha256:" bereq.http.x-amz-content-sha256 LF "x-amz-date:" bereq.http.x-amz-date LF "x-amz-request-payer:" bereq.http.x-amz-request-payer LF ; set var.canonicalQuery = ""; set var.signedHeaders = "host;x-amz-content-sha256;x-amz-date;x-amz-request-payer"; set var.canonicalRequest = "" "GET" LF bereq.url.path LF var.canonicalQuery LF var.canonicalHeaders LF var.signedHeaders LF digest.hash_sha256("") ; set var.scope = var.dateStamp "/" var.awsRegion "/s3/aws4_request"; set var.stringToSign = "" "AWS4-HMAC-SHA256" LF bereq.http.x-amz-date LF var.scope LF regsub(digest.hash_sha256(var.canonicalRequest),"^0x", "") ; set var.signature = digest.awsv4_hmac( var.awsSecretKey, var.dateStamp, var.awsRegion, "s3", var.stringToSign ); set bereq.http.Authorization = "AWS4-HMAC-SHA256 " "Credential=${access_key}/" var.scope ", " "SignedHeaders=" var.signedHeaders ", " "Signature=" + regsub(var.signature,"^0x", "") ; unset bereq.http.Accept; unset bereq.http.Accept-Language; unset bereq.http.User-Agent; unset bereq.http.Fastly-Client-IP; } ================================================ FILE: terraform/cache-staging.tf ================================================ locals { cache_staging_domain = "cache-staging.nixos.org" } # This is the old bucket we want to archive. 
module "cache-staging-202010" { source = "./cache-bucket" bucket_name = "nix-cache-staging" providers = { aws = aws.us } } import { to = module.cache-staging-202010.aws_s3_bucket_lifecycle_configuration.cache id = "nix-cache-staging" } import { to = module.cache-staging-202010.aws_s3_bucket_cors_configuration.cache id = "nix-cache-staging" } # This is the new bucket we want to use in future. module "cache-staging-202410" { source = "./cache-bucket" bucket_name = "nix-cache-staging-202410" providers = { # move the new bucket to EU aws = aws } } import { to = module.cache-staging-202410.aws_s3_bucket_lifecycle_configuration.cache id = "nix-cache-staging-202410" } import { to = module.cache-staging-202410.aws_s3_bucket_cors_configuration.cache id = "nix-cache-staging-202410" } # The fastly configuration below will first try the new bucket and than the old bucket. # As demonstation we have two files in the buckets: # $ curl https://cache-staging.nixos.org/new-cache │ # new # $ curl https://cache-staging.nixos.org/old-cache # old resource "aws_s3_object" "old-cache-test-file" { provider = aws.us depends_on = [module.cache-staging-202010] bucket = module.cache-staging-202010.bucket content_type = "text/plain" etag = filemd5("${path.module}/cache-staging/old-cache-test-file") key = "old-cache" source = "${path.module}/cache-staging/old-cache-test-file" } resource "aws_s3_object" "new-cache-test-file" { provider = aws depends_on = [module.cache-staging-202410] bucket = module.cache-staging-202410.bucket content_type = "text/plain" etag = filemd5("${path.module}/cache-staging/new-cache-test-file") key = "new-cache" source = "${path.module}/cache-staging/new-cache-test-file" } resource "fastly_service_vcl" "cache-staging" { name = local.cache_staging_domain default_ttl = 86400 backend { address = module.cache-staging-202010.bucket_regional_domain_name auto_loadbalance = false between_bytes_timeout = 10000 connect_timeout = 5000 error_threshold = 0 first_byte_timeout = 15000 
max_conn = 200 name = "old_bucket" port = 443 # For the old bucket we want to use Ashburn as our bucket is in us-east-1 shield = "iad-va-us" ssl_cert_hostname = module.cache-staging-202010.bucket_regional_domain_name ssl_check_cert = true use_ssl = true weight = 100 } backend { address = module.cache-staging-202410.bucket_regional_domain_name auto_loadbalance = false between_bytes_timeout = 10000 connect_timeout = 5000 error_threshold = 0 first_byte_timeout = 15000 max_conn = 200 name = "new_bucket" port = 443 # The new bucket is in EU (eu-west-1) shield = "dub-dublin-ie" ssl_cert_hostname = module.cache-staging-202410.bucket_regional_domain_name ssl_check_cert = true use_ssl = true # newer bucket has higher priority weight = 200 } # Temporarily disabled due to nix-index bugs: see https://github.com/nix-community/nix-index/issues/249 #request_setting { # name = "Redirect HTTP to HTTPS" # force_ssl = true #} condition { name = "is-404" priority = 0 statement = "beresp.status == 404" type = "CACHE" } condition { name = "Match /" priority = 10 statement = "req.url ~ \"^/$\"" type = "REQUEST" } condition { name = "Restarts > 0" type = "REQUEST" priority = 20 statement = "req.restarts > 0" } domain { name = "cache-staging.nixos.org" } header { name = "Landing page" request_condition = "Match /" ignore_if_set = false priority = 10 type = "request" action = "set" destination = "url" source = "\"/index.html\"" } header { name = "Use old bucket" request_condition = "Restarts > 0" ignore_if_set = false priority = 20 type = "request" action = "set" destination = "backend" source = "F_old_bucket" } # Clean headers for caching header { destination = "http.x-amz-request-id" type = "cache" action = "delete" name = "remove x-amz-request-id" } header { destination = "http.x-amz-version-id" type = "cache" action = "delete" name = "remove x-amz-version-id" } header { destination = "http.x-amz-id-2" type = "cache" action = "delete" name = "remove x-amz-id-2" } # Enable Streaming Miss. 
# https://docs.fastly.com/en/guides/streaming-miss # https://github.com/NixOS/infra/issues/212#issuecomment-1187568233 header { priority = 20 destination = "do_stream" type = "cache" action = "set" name = "Enabling Streaming Miss" source = "true" } # Allow CORS GET requests. header { destination = "http.access-control-allow-origin" type = "response" action = "set" name = "CORS Allow" source = "\"*\"" } response_object { name = "404-page" cache_condition = "is-404" content = "404" content_type = "text/plain" response = "Not Found" status = 404 } snippet { name = "Variables for aws s3 auth" type = "miss" priority = 90 content = <<-EOT declare local var.awsAccessKey STRING; declare local var.awsSecretKey STRING; declare local var.awsS3Bucket STRING; declare local var.awsRegion STRING; declare local var.awsS3Host STRING; declare local var.canonicalHeaders STRING; declare local var.signedHeaders STRING; declare local var.canonicalRequest STRING; declare local var.canonicalQuery STRING; declare local var.stringToSign STRING; declare local var.dateStamp STRING; declare local var.signature STRING; declare local var.scope STRING; EOT } # Authenticate Fastly<->S3 requests. 
See Fastly documentation: # https://docs.fastly.com/en/guides/amazon-s3#using-an-amazon-s3-private-bucket snippet { name = "Authenticate S3 requests for new bucket" type = "miss" priority = 100 content = templatefile("${path.module}/cache-staging/s3-authn.vcl", { backend_name = "F_new_bucket" aws_region = module.cache-staging-202410.region bucket = module.cache-staging-202410.bucket backend_domain = module.cache-staging-202410.bucket_domain_name access_key = local.cache-iam.key secret_key = local.cache-iam.secret }) } snippet { name = "Authenticate S3 requests for old bucket" type = "miss" priority = 100 content = templatefile("${path.module}/cache-staging/s3-authn.vcl", { backend_name = "F_old_bucket" aws_region = module.cache-staging-202010.region bucket = module.cache-staging-202010.bucket backend_domain = module.cache-staging-202010.bucket_domain_name access_key = local.cache-iam.key secret_key = local.cache-iam.secret }) } snippet { content = "set req.url = querystring.remove(req.url);" name = "Remove all query strings" priority = 50 type = "recv" } # Work around the 2GB size limit for large files # # See https://docs.fastly.com/en/guides/segmented-caching snippet { content = <<-EOT if (req.url.path ~ "^/nar/") { set req.enable_segmented_caching = true; } EOT name = "Enable segment caching for NAR files" priority = 60 type = "recv" } snippet { name = "Fallback to old bucket on 403 or return 404" type = "fetch" priority = 90 content = <<-EOT if (beresp.status == 403) { if (req.backend == F_new_bucket) { restart; } else { set beresp.status = 404; } } EOT } # We will switch to this snipped once we retire the old bucket instead of the fallback above #snippet { # name = "Return 404 on 403" # type = "fetch" # priority = 90 # content = <<-EOT # if (beresp.status == 403) { # set beresp.status = 404; # } # EOT #} # Add a snippet to set a custom header based on the backend used snippet { name = "Set-Backend-Header" type = "deliver" priority = 70 content = <<-EOT if 
(req.backend == F_old_bucket) { set resp.http.X-Bucket = "${module.cache-staging-202010.bucket}"; } else if (req.backend == F_new_bucket) { set resp.http.X-Bucket = "${module.cache-staging-202410.bucket}"; } EOT } logging_s3 { name = "${local.cache_staging_domain}-to-s3" bucket_name = local.fastlylogs["bucket_name"] compression_codec = "zstd" domain = local.fastlylogs["s3_domain"] format = local.fastlylogs["format"] format_version = 2 path = "${local.cache_staging_domain}/" period = local.fastlylogs["period"] message_type = "blank" s3_iam_role = local.fastlylogs["iam_role_arn"] } } resource "fastly_tls_subscription" "cache-staging-2025-11" { domains = [for domain in fastly_service_vcl.cache-staging.domain : domain.name] configuration_id = local.fastly_tls13_quic_configuration_id certificate_authority = "lets-encrypt" } ================================================ FILE: terraform/cache.tf ================================================ locals { cache_domain = "cache.nixos.org" } resource "aws_s3_bucket" "cache" { provider = aws.us bucket = "nix-cache" } resource "aws_s3_bucket_versioning" "cache" { provider = aws.us bucket = aws_s3_bucket.cache.id versioning_configuration { status = "Enabled" } } resource "aws_s3_bucket_lifecycle_configuration" "cache" { provider = aws.us bucket = aws_s3_bucket.cache.id depends_on = [aws_s3_bucket_versioning.cache] transition_default_minimum_object_size = "varies_by_storage_class" rule { id = "Infrequent Access" status = "Enabled" filter { prefix = "" } transition { days = 365 storage_class = "STANDARD_IA" } } # We delete no-current versions after 30 days rule { id = "Non-current Versions" status = "Enabled" noncurrent_version_expiration { noncurrent_days = 30 } } } import { to = aws_s3_bucket_lifecycle_configuration.cache id = aws_s3_bucket.cache.id } resource "aws_s3_bucket_cors_configuration" "cache" { provider = aws.us bucket = aws_s3_bucket.cache.id cors_rule { allowed_headers = ["Authorization"] allowed_methods = ["GET"] 
allowed_origins = ["*"] max_age_seconds = 3000 } } import { to = aws_s3_bucket_cors_configuration.cache id = aws_s3_bucket.cache.id } resource "aws_s3_bucket_object" "cache-nix-cache-info" { provider = aws.us acl = "public-read" bucket = aws_s3_bucket.cache.bucket content_type = "text/x-nix-cache-info" etag = filemd5("${path.module}/cache/nix-cache-info") key = "nix-cache-info" source = "${path.module}/cache/nix-cache-info" } resource "aws_s3_bucket_object" "cache-index-html" { provider = aws.us acl = "public-read" bucket = aws_s3_bucket.cache.bucket content_type = "text/html" etag = filemd5("${path.module}/cache/index.html") key = "index.html" source = "${path.module}/cache/index.html" } resource "aws_s3_bucket_policy" "cache" { provider = aws.us bucket = aws_s3_bucket.cache.id # imported from existing policy = <S3 requests. See Fastly documentation: # https://docs.fastly.com/en/guides/amazon-s3#using-an-amazon-s3-private-bucket snippet { name = "Authenticate S3 requests" type = "miss" priority = 100 content = templatefile("${path.module}/cache/s3-authn.vcl", { aws_region = aws_s3_bucket.cache.region backend_domain = aws_s3_bucket.cache.bucket_domain_name access_key = local.cache-iam.key secret_key = local.cache-iam.secret }) } snippet { content = "set req.url = querystring.remove(req.url);" name = "Remove all query strings" priority = 50 type = "recv" } # Work around the 2GB size limit for large files # # See https://docs.fastly.com/en/guides/segmented-caching snippet { content = <<-EOT if (req.url.path ~ "^/nar/") { set req.enable_segmented_caching = true; } EOT name = "Enable segment caching for NAR files" priority = 60 type = "recv" } snippet { name = "cache-errors" content = <<-EOT if (beresp.status == 403) { set beresp.status = 404; } EOT priority = 100 type = "fetch" } logging_s3 { name = "${local.cache_domain}-to-s3" bucket_name = local.fastlylogs["bucket_name"] compression_codec = "zstd" domain = local.fastlylogs["s3_domain"] format = 
local.fastlylogs["format"] format_version = 2 path = "${local.cache_domain}/" period = local.fastlylogs["period"] message_type = "blank" s3_iam_role = local.fastlylogs["iam_role_arn"] } } resource "fastly_tls_subscription" "cache-2025-11" { domains = [for domain in fastly_service_vcl.cache.domain : domain.name] configuration_id = local.fastly_tls13_quic_configuration_id certificate_authority = "lets-encrypt" } output "cache-managed_dns_challenge" { value = fastly_tls_subscription.cache-2025-11.managed_dns_challenges } ================================================ FILE: terraform/cache_inventory.tf ================================================ # Get the list of files from the cache resource "aws_s3_bucket" "cache_inventory" { provider = aws.us bucket = "nix-cache-inventory" } resource "aws_s3_bucket_lifecycle_configuration" "cache_inventory" { provider = aws.us bucket = aws_s3_bucket.cache_inventory.id transition_default_minimum_object_size = "varies_by_storage_class" rule { id = "tf-s3-lifecycle-20231017200421961900000001" status = "Enabled" filter { prefix = "" } # Only keep the last 30 days expiration { days = 30 } } } import { to = aws_s3_bucket_lifecycle_configuration.cache_inventory id = aws_s3_bucket.cache_inventory.id } resource "aws_s3_bucket_inventory" "cache_inventory" { provider = aws.us bucket = aws_s3_bucket.cache.id name = "nix-cache-inventory" included_object_versions = "Current" optional_fields = [ "ETag", "LastModifiedDate", "Size", "StorageClass", ] schedule { frequency = "Daily" } destination { bucket { account_id = "080433136561" format = "Parquet" bucket_arn = aws_s3_bucket.cache_inventory.arn } } } ================================================ FILE: terraform/cache_log.tf ================================================ resource "aws_s3_bucket" "cache_log" { provider = aws.us bucket = "nix-cache-log" } resource "aws_s3_bucket_logging" "cache_log" { provider = aws.us bucket = aws_s3_bucket.cache.id target_bucket = 
aws_s3_bucket.cache_log.id target_prefix = "log/" } resource "aws_s3_bucket_lifecycle_configuration" "cache_log" { provider = aws.us bucket = aws_s3_bucket.cache_log.id rule { id = "rule-1" status = "Enabled" filter { prefix = "" } expiration { days = "30" } } } data "aws_iam_policy_document" "cache_log" { statement { sid = "AWSLogDeliveryWrite" principals { type = "Service" identifiers = ["delivery.logs.amazonaws.com"] } effect = "Allow" actions = [ "s3:PutObject", ] resources = [ "${aws_s3_bucket.cache_log.arn}/*", ] condition { test = "StringEquals" variable = "s3:x-amz-acl" values = ["bucket-owner-full-control"] } } statement { sid = "AWSLogDeliveryAclCheck" effect = "Allow" principals { type = "Service" identifiers = ["delivery.logs.amazonaws.com"] } actions = [ "s3:GetBucketAcl", ] resources = [ aws_s3_bucket.cache_log.arn, ] } statement { sid = "S3PolicyStmt-DO-NOT-MODIFY-1699369618664" effect = "Allow" principals { type = "Service" identifiers = ["logging.s3.amazonaws.com"] } actions = ["s3:PutObject"] resources = [ "${aws_s3_bucket.cache_log.arn}/*", ] } } resource "aws_s3_bucket_policy" "cache_log" { provider = aws.us bucket = aws_s3_bucket.cache_log.id policy = data.aws_iam_policy_document.cache_log.json } ================================================ FILE: terraform/channels.tf ================================================ locals { channels_domain = "channels.nixos.org" channels_index = templatefile("${path.module}/s3_listing.html.tpl", { bucket_name = aws_s3_bucket.channels.bucket bucket_url = "https://${aws_s3_bucket.channels.bucket_domain_name}" bucket_website = "https://${local.channels_domain}" }) # Use the website endpoint because the bucket is configured with website # enabled. This also means we can't use TLS between Fastly and AWS because # the website endpoint only has port 80 open. channels_backend = "nix-channels.s3-website-us-east-1.amazonaws.com" # TODO: Uncomment this once has been applied once. 
This is to work around fastly bug https://github.com/fastly/terraform-provider-fastly/issues/884 # channels_backend = aws_s3_bucket_website_configuration.channels.website_endpoint } resource "aws_s3_bucket" "channels" { provider = aws.us bucket = "nix-channels" } resource "aws_s3_bucket_website_configuration" "channels" { provider = aws.us bucket = aws_s3_bucket.channels.id index_document { suffix = "index.html" } } import { to = aws_s3_bucket_website_configuration.channels id = aws_s3_bucket.channels.id } resource "aws_s3_bucket_cors_configuration" "channels" { provider = aws.us bucket = aws_s3_bucket.channels.id cors_rule { allowed_headers = ["*"] allowed_methods = ["HEAD", "GET"] allowed_origins = ["*"] expose_headers = ["ETag"] max_age_seconds = 3600 } } import { to = aws_s3_bucket_cors_configuration.channels id = aws_s3_bucket.channels.id } resource "aws_s3_bucket_object" "channels-index-html" { provider = aws.us acl = "public-read" bucket = aws_s3_bucket.channels.bucket content_type = "text/html" etag = md5(local.channels_index) key = "index.html" content = local.channels_index } resource "aws_s3_bucket_policy" "channels" { provider = aws.us bucket = aws_s3_bucket.channels.id policy = <; rel="immutable""}; # clear query string from redirect destination as precaution in case # legacy consumers can't handle flake attributes like "?rev=" in it set beresp.http.location = querystring.remove(beresp.http.location); } return (pass); } EOT name = "Change 301 from S3 to 302" # Keep close to last, since it conditionally returns. 
priority = 999 type = "fetch" } logging_s3 { name = "${local.channels_domain}-to-s3" bucket_name = local.fastlylogs["bucket_name"] compression_codec = "zstd" domain = local.fastlylogs["s3_domain"] format = local.fastlylogs["format"] format_version = 2 path = "${local.channels_domain}/" period = local.fastlylogs["period"] message_type = "blank" s3_iam_role = local.fastlylogs["iam_role_arn"] } } resource "fastly_tls_subscription" "channels-2025-11" { domains = [for domain in fastly_service_vcl.channels.domain : domain.name] configuration_id = local.fastly_tls13_quic_configuration_id certificate_authority = "lets-encrypt" } output "channels-managed_dns_challenge" { value = fastly_tls_subscription.channels-2025-11.managed_dns_challenges } ================================================ FILE: terraform/flake-module.nix ================================================ { perSystem = { pkgs, ... }: { devShells.terraform = pkgs.mkShellNoCC { packages = [ pkgs.awscli2 (pkgs.opentofu.withPlugins ( plugin: with plugin; [ hashicorp_aws fastly_fastly aegirhealth_netlify numtide_secret ] )) ]; }; }; } ================================================ FILE: terraform/locals.tf ================================================ locals { fastly_customer_id = "1RhOVUmKLBjCFTU4i9Cekx" # TLS v1.2, protocols HTTP/1.1 and HTTP/2 fastly_tls12_sni_configuration_id = "5PXBTa6c01Xoh54ylNwmVA" # TLS1.2 and 1.3+0RTT, HTTP/1.1, HTTP/2 and HTTP/3 fastly_tls13_quic_configuration_id = "oZPSgSiY0PM8sNTAAyOZHw" cache-iam = data.terraform_remote_state.terraform-iam.outputs.cache fastlylogs = data.terraform_remote_state.terraform-iam.outputs.fastlylogs # fastlylogs = { # bucket_name = "fastly-logs-20220622145016462800000001" # iam_role_arn = "arn:aws:iam::080433136561:role/system/FastlyLogForwarder" # period = 3600 # format = "{\"asn\": %%{client.as.number}V,\"elapsed_usec\": %%{json.escape(time.elapsed.usec)}V,\"fastly_is_edge\": %%{if(fastly.ff.visits_this_service == 0, \"true\", 
\"false\")}V,\"fastly_server\": \"%%{json.escape(server.identity)}V\",\"geo_country\": \"%%{json.escape(client.geo.country_name)}V\",\"geo_region\": \"%%{json.escape(client.geo.region.utf8)}V\",\"geo_speed\": \"%%{json.escape(client.geo.conn_speed)}V\",\"host\": \"%%{json.escape(if(req.http.Fastly-Orig-Host, req.http.Fastly-Orig-Host, req.http.Host))}V\",\"request_method\": \"%%{json.escape(req.method)}V\",\"request_protocol\": \"%%{json.escape(req.proto)}V\",\"request_referer\": \"%%{json.escape(req.http.referer)}V\",\"request_size\": %%{json.escape(req.bytes_read)}V,\"request_user_agent\": \"%%{json.escape(req.http.User-Agent)}V\",\"response_body_size\": %%{resp.body_bytes_written}V,\"response_reason\": %%{if(resp.response, \"%22\"+json.escape(resp.response)+\"%22\", \"null\")}V,\"response_state\": \"%%{json.escape(fastly_info.state)}V\",\"response_status\": \"%%{resp.status}V\",\"timestamp\": \"%%{strftime(\\{\"%Y-%m-%dT%H:%M:%S%z\"\\}, time.start)}V\",\"tls_client_cipher\": \"%%{json.escape(if(tls.client.cipher, tls.client.cipher, \"null\"))}V\",\"tls_client_protocol\": \"%%{json.escape(if(tls.client.protocol, tls.client.protocol, \"null\"))}V\",\"url\": \"%%{json.escape(req.url)}V\"}" # s3_domain = "s3.eu-west-1.amazonaws.com" # } } ================================================ FILE: terraform/netlify_sites.tf ================================================ # This file contains all of the websites that we host using Netlify. 
# Deploy key declared with no arguments. Within this file its id is passed
# only to the nixos-homepage site (as repo.deploy_key_id).
resource "netlify_deploy_key" "key" {}

# Each netlify_site below binds a custom domain to one GitHub repository and
# one branch.
# NOTE(review): every site except nixos-homepage sets no deploy_key_id here;
# confirm how Netlify is granted access to those repositories.

# nix.dev, linked to the master branch of NixOS/nix.dev.
resource "netlify_site" "nix-dev" {
  name = "nix-dev"
  custom_domain = "nix.dev"
  repo {
    provider = "github"
    repo_path = "NixOS/nix.dev"
    repo_branch = "master"
  }
}

# common-styles.nixos.org, linked to the main branch of NixOS/nixos-common-styles.
resource "netlify_site" "nixos-common-styles" {
  name = "nixos-common-styles"
  custom_domain = "common-styles.nixos.org"
  repo {
    provider = "github"
    repo_path = "NixOS/nixos-common-styles"
    repo_branch = "main"
  }
}

# status.nixos.org, linked to the main branch of NixOS/nixos-status.
resource "netlify_site" "nixos-status" {
  name = "nixos-status"
  custom_domain = "status.nixos.org"
  repo {
    provider = "github"
    repo_path = "NixOS/nixos-status"
    repo_branch = "main"
  }
}

# planet.nixos.org, linked to the master branch of NixOS/nixos-planet.
resource "netlify_site" "nixos-planet" {
  name = "nixos-planet"
  custom_domain = "planet.nixos.org"
  repo {
    provider = "github"
    repo_path = "NixOS/nixos-planet"
    repo_branch = "master"
  }
}

# search.nixos.org, linked to the master branch of NixOS/nixos-search.
resource "netlify_site" "nixos-search" {
  name = "nixos-search"
  custom_domain = "search.nixos.org"
  repo {
    provider = "github"
    repo_path = "NixOS/nixos-search"
    repo_branch = "master"
  }
}

# nixos.org, linked to the master branch of NixOS/nixos-homepage. This is the
# only site in this file that references the deploy key declared above.
resource "netlify_site" "nixos-homepage" {
  name = "nixos-homepage"
  custom_domain = "nixos.org"
  repo {
    deploy_key_id = netlify_deploy_key.key.id
    provider = "github"
    repo_path = "NixOS/nixos-homepage"
    repo_branch = "master"
  }
}
================================================ FILE: terraform/nixpkgs-tarballs/index.html ================================================ tarballs.nixos.org is up

logo

https://tarballs.nixos.org/ provides content-addressable binaries for Nixpkgs and NixOS. These are mainly used to bootstrap the various stdenvs.


If you are having trouble, please reach out through one of the support channels with the results of this diagnostics script, which will help us figure out where the issue lies.

For questions or support, the support page on the NixOS website describes how to get in touch.

================================================
FILE: terraform/nixpkgs-tarballs.tf
================================================
locals {
  tarballs_domain = "tarballs.nixos.org"

  # Use the website endpoint because the bucket is configured with website
  # enabled. This also means we can't use TLS between Fastly and AWS because
  # the website endpoint only has port 80 open.
  # NOTE(review): objects therefore cross the Fastly-to-S3 hop over plain HTTP,
  # with no transport integrity. Presumably tolerated because consumers check
  # the tarballs against known hashes — confirm that nothing served from this
  # bucket is trusted without such a check.
  tarballs_backend = "nixpkgs-tarballs.s3-website-eu-west-1.amazonaws.com"
  # TODO: Uncomment this once has been applied once. This is to work around fastly bug https://github.com/fastly/terraform-provider-fastly/issues/884
  # tarballs_backend = aws_s3_bucket_website_configuration.nixpkgs-tarballs.website_endpoint
}

# Bucket that backs tarballs.nixos.org.
resource "aws_s3_bucket" "nixpkgs-tarballs" {
  bucket = "nixpkgs-tarballs"
}

# Static-website configuration for the bucket; index.html is the index document.
resource "aws_s3_bucket_website_configuration" "nixpkgs-tarballs" {
  bucket = aws_s3_bucket.nixpkgs-tarballs.id

  index_document {
    suffix = "index.html"
  }
}

# Adopts the website configuration into state under the address above,
# keyed by the bucket id.
import {
  to = aws_s3_bucket_website_configuration.nixpkgs-tarballs
  id = aws_s3_bucket.nixpkgs-tarballs.id
}

resource "aws_s3_bucket_policy" "nixpkgs-tarballs" {
  bucket = aws_s3_bucket.nixpkgs-tarballs.id

  # imported from existing
  # NOTE(review): the heredoc that follows is cut off in this listing, together
  # with whatever came between it and the next resource, so the policy
  # statements cannot be reviewed from here.
  policy = <
# Netlify API token held in a secret_resource. prevent_destroy makes any plan
# that would delete the resource fail instead of dropping the token.
# NOTE(review): the value is presumably kept in the Terraform state, so read
# access to the state bucket is access to this token — confirm.
resource "secret_resource" "netlify_token" {
  lifecycle {
    prevent_destroy = true
  }
}

# The Netlify provider authenticates with the token stored above.
provider "netlify" {
  token = secret_resource.netlify_token.value
}

================================================
FILE: terraform/releases.tf
================================================
locals {
  releases_domain = "releases.nixos.org"

  # index.html is rendered from s3_listing.html.tpl with the bucket name, the
  # bucket's own URL and the public site URL.
  releases_index = templatefile("${path.module}/s3_listing.html.tpl", {
    bucket_name    = aws_s3_bucket.releases.bucket
    bucket_url     = "https://${aws_s3_bucket.releases.bucket_domain_name}"
    bucket_website = "https://${local.releases_domain}"
  })

  # NOTE(review): unlike tarballs_backend this is the regular S3 endpoint, not
  # the website endpoint. The Fastly backend that uses it is not visible here —
  # confirm it connects over TLS with certificate checking.
  releases_backend = "nix-releases.s3-eu-west-1.amazonaws.com"
}

# Bucket that backs releases.nixos.org.
resource "aws_s3_bucket" "releases" {
  bucket = "nix-releases"
}

# One lifecycle rule with an empty prefix filter: objects move to the
# STANDARD_IA storage class 365 days after creation. Nothing is expired.
resource "aws_s3_bucket_lifecycle_configuration" "releases" {
  bucket = aws_s3_bucket.releases.id

  transition_default_minimum_object_size = "varies_by_storage_class"

  rule {
    id     = "tf-s3-lifecycle-20230907091915137900000001"
    status = "Enabled"

    filter {
      prefix = ""
    }

    transition {
      days          = 365
      storage_class = "STANDARD_IA"
    }
  }
}

# Adopts the lifecycle configuration into state, keyed by the bucket id.
import {
  id = aws_s3_bucket.releases.id
  to = aws_s3_bucket_lifecycle_configuration.releases
}

# CORS: any origin may issue HEAD and GET with any request header; ETag is the
# only extra response header exposed to scripts, and browsers may cache the
# preflight result for an hour. No write method is allowed cross-origin.
resource "aws_s3_bucket_cors_configuration" "releases" {
  bucket = aws_s3_bucket.releases.id

  cors_rule {
    allowed_headers = ["*"]
    allowed_methods = ["HEAD", "GET"]
    allowed_origins = ["*"]
    expose_headers  = ["ETag"]
    max_age_seconds = 3600
  }
}

# Adopts the CORS configuration into state, keyed by the bucket id.
import {
  to = aws_s3_bucket_cors_configuration.releases
  id = aws_s3_bucket.releases.id
}

# Uploads the rendered listing page as index.html with a public-read object ACL.
# md5() is used here only so that a change in the rendered content changes the
# etag argument and triggers a re-upload; it is not an integrity control.
# NOTE(review): aws_s3_bucket_object is deprecated in the AWS provider in favour
# of aws_s3_object; switching changes the resource address, so it needs a
# planned state move rather than an in-place rename.
resource "aws_s3_bucket_object" "releases-index-html" {
  acl          = "public-read"
  bucket       = aws_s3_bucket.releases.bucket
  content_type = "text/html"
  etag         = md5(local.releases_index)
  key          = "index.html"
  content      = local.releases_index
}

resource "aws_s3_bucket_policy" "releases" {
  bucket = aws_s3_bucket.releases.id

  # NOTE(review): the heredoc that follows is cut off in this listing, so the
  # policy statements cannot be reviewed from here.
  policy = <
Channels for NixOS project(s)
================================================
FILE: terraform/terraform.tf
================================================
terraform {
  # Remote state in S3 with server-side encryption requested (encrypt = true),
  # accessed through the nixos-prod AWS profile.
  backend "s3" {
    bucket  = "nixos-terraform-state"
    encrypt = true
    key     = "targets/terraform"
    region  = "eu-west-1"
    profile = "nixos-prod"
  }

  # Only provider sources are declared; there are no version constraints, and
  # tf.sh removes .terraform.lock.hcl before every init, so neither versions
  # nor checksums are pinned by OpenTofu itself.
  # NOTE(review): presumably the providers are pinned by the Nix environment
  # instead — confirm. The netlify and secret providers come from third-party
  # namespaces (AegirHealth, numtide) and both handle credentials.
  required_providers {
    aws = {
      source = "registry.opentofu.org/hashicorp/aws"
    }
    fastly = {
      source = "registry.opentofu.org/fastly/fastly"
    }
    netlify = {
      source = "registry.opentofu.org/AegirHealth/netlify"
    }
    secret = {
      source = "registry.opentofu.org/numtide/secret"
    }
  }
}

# Reads the state of the terraform-iam root module from the same bucket.
# terraform_remote_state needs read access to that module's whole state
# object, not only to its outputs.
data "terraform_remote_state" "terraform-iam" {
  backend = "s3"
  config = {
    bucket  = "nixos-terraform-state"
    encrypt = true
    key     = "targets/terraform-iam"
    region  = "eu-west-1"
    profile = "nixos-prod"
  }
}

================================================
FILE: terraform/tf.sh
================================================
#!/usr/bin/env bash
# Wrapper around OpenTofu: runs from this script's directory, re-initialises,
# then passes every argument through to `tofu`.
set -euo pipefail

# Work relative to the script's own directory, wherever it is invoked from.
cd "$(dirname "$0")"
# The dependency lock file is discarded before every init, so the provider
# selections and checksums recorded by an earlier run are never reused.
# NOTE(review): presumably intentional because the providers are supplied by
# the Nix environment — confirm; otherwise this removes the lock file's
# protection against a provider binary that changed between runs.
rm -f .terraform.lock.hcl
tofu init
tofu "$@"

================================================
FILE: terraform/wiki-test.tf
================================================
locals {
  wiki_test_domain = "test.wiki.nixos.org"
}

# Fastly service for test.wiki.nixos.org in front of the he1.wiki.nixos.org
# origin.
resource "fastly_service_vcl" "wiki-test" {
  name        = local.wiki_test_domain
  default_ttl = 86400

  # Origin connection: TLS on port 443 with certificate checking enabled and
  # the certificate matched against he1.wiki.nixos.org.
  backend {
    address               = "he1.wiki.nixos.org"
    auto_loadbalance      = false
    between_bytes_timeout = 10000
    connect_timeout       = 5000
    error_threshold       = 0
    first_byte_timeout    = 15000
    max_conn              = 200
    name                  = "wiki_backend"
    port                  = 443
    # Shield location for Helsinki backend
    shield            = "hel-helsinki-fi"
    ssl_cert_hostname = "he1.wiki.nixos.org"
    ssl_check_cert    = true
    use_ssl           = true
    weight            = 100
  }

  domain {
    name = local.wiki_test_domain
  }

  # Overwrite the request's Host header with the fixed value "wiki.nixos.org";
  # the Host the client sent (test.wiki.nixos.org) is not passed through.
  header {
    destination = "http.Host"
    type        = "request"
    action      = "set"
    name        = "Set Host Header"
    source      = "\"wiki.nixos.org\""
  }

  # Request logs are shipped to S3. Bucket, endpoint, format, period and the
  # IAM role all come from local.fastlylogs, which is defined elsewhere; Fastly
  # is given an IAM role to write with rather than static access keys.
  logging_s3 {
    name              = "${local.wiki_test_domain}-to-s3"
    bucket_name       = local.fastlylogs["bucket_name"]
    compression_codec = "zstd"
    domain            = local.fastlylogs["s3_domain"]
    format            = local.fastlylogs["format"]
    format_version    = 2
    path              = "${local.wiki_test_domain}/"
    period            = local.fastlylogs["period"]
    message_type      = "blank"
    s3_iam_role       = local.fastlylogs["iam_role_arn"]
  }
}

# Let's Encrypt certificate for every domain declared on the service above,
# using the TLS configuration referenced by
# local.fastly_tls13_quic_configuration_id (defined elsewhere).
resource "fastly_tls_subscription" "wiki-test" {
  domains               = [for domain in fastly_service_vcl.wiki-test.domain : domain.name]
  configuration_id      = local.fastly_tls13_quic_configuration_id
  certificate_authority = "lets-encrypt"
}

# Exposes the DNS challenge records of the subscription so they can be added
# to DNS by hand.
output "wiki_test_acme_challenge" {
  value       = fastly_tls_subscription.wiki-test.managed_dns_challenges
  description = "ACME challenge records for test.wiki.nixos.org - add these to DNS"
}

================================================
FILE: terraform-iam/.envrc
================================================
# shellcheck shell=bash
# Load the `terraform` dev shell from the flake.
use flake .#terraform
# Point the AWS tooling at the config file next to this .envrc and select the
# nixos-prod profile.
export AWS_CONFIG_FILE=$PWD/aws-config
export AWS_PROFILE=nixos-prod
# Optional per-user overrides; .envrc.local is listed in .gitignore.
source_env_if_exists .envrc.local

================================================
FILE: terraform-iam/.gitignore
================================================
# Per-user direnv overrides sourced by .envrc; never committed.
/.envrc.local

================================================
FILE: terraform-iam/README.md
================================================
# User & permission management

This module is for superadmins in the team.
This terraform root module manages:

- IAM roles
- fastly log module
- infrastructure for archeologist team
- Webhooks for the Cache bucket as our terraform code is awkwardly split and it requires iam:PassRole

## Setup

In order to use this, make sure to install direnv and Nix with flakes enabled.
Then run `direnv allow` to load the environment with the runtime dependencies.
Run `aws sso login` to acquire a temporary token.

## Usage

We use opentofu, which is a fork of https://www.terraform.io/ maintained by the Linux foundation.
Then run the following command to diff the changes and then apply if approved:

```sh
./tf.sh apply
```

## Terraform workflow

Write the Tofu code and test the changes using `./tf.sh validate`.
Before committing run `nix fmt`.
Once the code is ready to be deployed, create a new PR with the attached output of `./tf.sh plan`. Once the PR is merged, run `./tf.sh apply` to apply the changes.

================================================
FILE: terraform-iam/archeologist.tf
================================================
# Workspace to dump analysis data extracted from the cache and other places.
resource "aws_s3_bucket" "archeologist" {
  # Keep it in the same region as the cache
  provider = aws.us
  bucket   = "nix-archeologist"
}

# Policy document with three statements: wildcard read/list on the cache,
# inventory and log buckets, two CloudWatch metric reads, and every S3 action
# on the archeologist bucket.
# The name is spelled three ways in this file (archeologist, archaeologist,
# archologist). These are resource addresses, so renaming any of them needs a
# state move rather than a plain edit.
data "aws_iam_policy_document" "archaeologist" {
  statement {
    # Read-only access and listing permissions
    # To the cache and releases inventories,
    # as well as the bucket where cache bucket logs end up in.
    # The resource list also includes the nix-cache bucket itself.
    # NOTE(review): s3:Get* and s3:List* are wildcards, so besides object reads
    # they match bucket-configuration reads such as s3:GetBucketPolicy and
    # s3:GetBucketAcl. The log bucket presumably holds access logs with client
    # addresses — confirm every holder of this policy is meant to read them.
    sid = "NixCacheReadOnly"

    actions = [
      "s3:List*",
      "s3:Get*"
    ]

    resources = [
      "arn:aws:s3:::nix-cache",
      "arn:aws:s3:::nix-cache/*",
      "arn:aws:s3:::nix-cache-inventory",
      "arn:aws:s3:::nix-cache-inventory/*",
      "arn:aws:s3:::nix-cache-log",
      "arn:aws:s3:::nix-cache-log/*",
      "arn:aws:s3:::nix-releases-inventory220231029182031496800000001",
      "arn:aws:s3:::nix-releases-inventory220231029182031496800000001/*"
    ]
  }

  statement {
    # Allows fetching information on the bucket
    sid = "ListMetrics"

    actions = [
      "cloudwatch:ListMetrics",
      "cloudwatch:GetMetricStatistics"
    ]

    # We don't have any private metrics, KISS
    resources = ["*"]
  }

  statement {
    # Full access to the Archaeologist bucket
    # NOTE(review): s3:* on the bucket ARN is more than object read/write; it
    # also covers bucket-level administration such as s3:PutBucketPolicy and
    # s3:DeleteBucket. If the users only need to store and fetch data, list the
    # object-level actions instead.
    sid = "NixArchaeologistReadWrite"

    actions = [
      "s3:*"
    ]

    resources = [
      aws_s3_bucket.archeologist.arn,
      "${aws_s3_bucket.archeologist.arn}/*"
    ]
  }
}

# This is the managed policy (an aws_iam_policy, not a role) that is given to
# the AWS Identity Center users. It carries the document defined above.
resource "aws_iam_policy" "archologist" {
  provider = aws.us

  name        = "archeologist"
  description = "used by the S3 archeologists"
  policy      = data.aws_iam_policy_document.archaeologist.json
}

# Prepare this role to be attached to the EC2 instance
resource "aws_iam_role" "archeologist-worker" {
  provider = aws.us
  name     = "archeologist-worker"

  assume_role_policy = <