hosts: route all traffic through tailscale

2023-10-07 10:29:47 -04:00 · 2023-10-07 10:29:47 -04:00 · bbed561d34
parent 566f22e61f
commit bbed561d34
8 changed files with 192 additions and 107 deletions
--- a/flake.lock
+++ b/flake.lock
@ -11,11 +11,11 @@
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "lastModified": 1693439040,
-        "narHash": "sha256-t2nOxBcP0Q/XJt6Ild4v0hJ49OSl9F3nE1cdIT4xsDg=",
+        "lastModified": 1695511445,
+        "narHash": "sha256-mnE14re43v3/Jc50Jv0BKPMtEk7FEtDSligP6B5HwlI=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "174604795d316b75777e28185c3a4918bc69b399",
+        "rev": "3de322e06fc88ada5e3589dc8a375b73e749f512",
        "type": "github"
      },
      "original": {
@ -83,11 +83,11 @@
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1690933134,
-        "narHash": "sha256-ab989mN63fQZBFrkk4Q8bYxQCktuHmBIBqUG1jl6/FQ=",
+        "lastModified": 1693611461,
+        "narHash": "sha256-aPODl8vAgGQ0ZYFIRisxYG5MOGSkIczvu2Cd8Gb9+1Y=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "59cf3f1447cfc75087e7273b04b31e689a8599fb",
+        "rev": "7f53fdb7bdc5bb237da7fefef12d099e4fd611ca",
        "type": "github"
      },
      "original": {
@ -101,11 +101,11 @@
        "systems": "systems_2"
      },
      "locked": {
-        "lastModified": 1689068808,
-        "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
+        "lastModified": 1694529238,
+        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
+        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
        "type": "github"
      },
      "original": {
@ -139,11 +139,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1695984718,
-        "narHash": "sha256-LQwKgaaaFOkIcxarf0xQXeDJFwZ5BZWcgmPeo3xp2CM=",
+        "lastModified": 1696371324,
+        "narHash": "sha256-0ycIheYRxzPOL9XBWiAm/af9cqRmsiy701OpjsRsKiw=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "4f02e35f9d150573e1a710afa338846c2f6d850c",
+        "rev": "e63c30fe9792b57dea1eab98be6871a0e42a33c9",
        "type": "github"
      },
      "original": {
@ -163,11 +163,11 @@
        "xdph": "xdph"
      },
      "locked": {
-        "lastModified": 1696034465,
-        "narHash": "sha256-4/jscEYXk8x1wkjpP6EFnsMpp9h9ITQXaZsg+iVxen4=",
+        "lastModified": 1696367817,
+        "narHash": "sha256-r16HUij8M3c0JMLLPaLdRJLHlSBhtVBWsR2+JZSW1B8=",
        "owner": "hyprwm",
        "repo": "Hyprland",
-        "rev": "c298439433f9b6861c7c62ea587289ac2e4ef2f8",
+        "rev": "d61e4f9ad75d51f15eac6bced13439899d66a950",
        "type": "github"
      },
      "original": {
@ -211,11 +211,11 @@
        "rust-overlay": "rust-overlay_2"
      },
      "locked": {
-        "lastModified": 1695668783,
-        "narHash": "sha256-pXVei5KZMxALQ8ibx0oqbfh5N/FI3VzJHodDNAh41xE=",
+        "lastModified": 1696275091,
+        "narHash": "sha256-6/bnExKrZJ9GvveJwTdjIWHuJY0n8Y1pyqnsq5/4xP0=",
        "owner": "JakeStanger",
        "repo": "ironbar",
-        "rev": "0c0163cfa1a8c0286edf231507026dd6f5798644",
+        "rev": "abbd3ab62339a3ac9665dbaf7b66c23f0ae7bc64",
        "type": "github"
      },
      "original": {
@ -249,11 +249,11 @@
        "nixpkgs": "nixpkgs"
      },
      "locked": {
-        "lastModified": 1692351612,
-        "narHash": "sha256-KTGonidcdaLadRnv9KFgwSMh1ZbXoR/OBmPjeNMhFwU=",
+        "lastModified": 1694081375,
+        "narHash": "sha256-vzJXOUnmkMCm3xw8yfPP5m8kypQ3BhAIRe4RRCWpzy8=",
        "owner": "nix-community",
        "repo": "naersk",
-        "rev": "78789c30d64dea2396c9da516bbcc8db3a475207",
+        "rev": "3f976d822b7b37fc6fb8e6f157c2dd05e7e94e89",
        "type": "github"
      },
      "original": {
@ -271,11 +271,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1694971480,
-        "narHash": "sha256-5UKSMDiboMIs15WN6jbctJgYfnGPfkHhvWWaboB2rGk=",
+        "lastModified": 1696149398,
+        "narHash": "sha256-RwlAyww4bzeu2ndeQoScelYtlYiSxPdCn70R+xGdZBc=",
        "owner": "viperML",
        "repo": "nh",
-        "rev": "4b88da6fc89bf06d6598ce9a881590a7cc0dcafd",
+        "rev": "2985f5a45d6f3e1a9d8d3ca5c777ef1bc9c7fbd1",
        "type": "github"
      },
      "original": {
@ -286,11 +286,11 @@
    },
    "nix-filter": {
      "locked": {
-        "lastModified": 1687178632,
-        "narHash": "sha256-HS7YR5erss0JCaUijPeyg2XrisEb959FIct3n2TMGbE=",
+        "lastModified": 1694857738,
+        "narHash": "sha256-bxxNyLHjhu0N8T3REINXQ2ZkJco0ABFPn6PIe2QUfqo=",
        "owner": "numtide",
        "repo": "nix-filter",
-        "rev": "d90c75e8319d0dd9be67d933d8eb9d0894ec9174",
+        "rev": "41fd48e00c22b4ced525af521ead8792402de0ea",
        "type": "github"
      },
      "original": {
@ -306,11 +306,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1695526222,
-        "narHash": "sha256-/NwZz3QcVplrfiDKk1thYg1EIHLSNucVHNUi2uwO3RI=",
+        "lastModified": 1696131323,
+        "narHash": "sha256-Y47r8Jo+9rs+XUWHcDPZtkQs6wFeZ24L4CQTfVwE+vY=",
        "owner": "Mic92",
        "repo": "nix-index-database",
-        "rev": "25d6369c232bbea1ec1f90226fd17982e7a0a647",
+        "rev": "031d4b22505fdea47bd53bfafad517cd03c26a4f",
        "type": "github"
      },
      "original": {
@ -321,11 +321,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1693355128,
-        "narHash": "sha256-+ZoAny3ZxLcfMaUoLVgL9Ywb/57wP+EtsdNGuXUJrwg=",
+        "lastModified": 1695978539,
+        "narHash": "sha256-lta5HToBZMWZ2hl5CautNSUgIZViR41QxN7JKbMAjgQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "a63a64b593dcf2fe05f7c5d666eb395950f36bc9",
+        "rev": "bd9b686c0168041aea600222be0805a0de6e6ab8",
        "type": "github"
      },
      "original": {
@ -336,11 +336,11 @@
    "nixpkgs-lib": {
      "locked": {
        "dir": "lib",
-        "lastModified": 1690881714,
-        "narHash": "sha256-h/nXluEqdiQHs1oSgkOOWF+j8gcJMWhwnZ9PFabN6q0=",
+        "lastModified": 1693471703,
+        "narHash": "sha256-0l03ZBL8P1P6z8MaSDS/MvuU8E75rVxe5eE1N6gxeTo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "9e1960bc196baf6881340d53dccb203a951745a2",
+        "rev": "3e52e76b70d5508f3cec70b882a29199f4d1ee85",
        "type": "github"
      },
      "original": {
@ -353,11 +353,11 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1694908564,
-        "narHash": "sha256-ducA98AuWWJu5oUElIzN24Q22WlO8bOfixGzBgzYdVc=",
+        "lastModified": 1696123266,
+        "narHash": "sha256-S6MZEneQeE4M/E/C8SMnr7B7oBnjH/hbm96Kak5hAAI=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "596611941a74be176b98aeba9328aa9d01b8b322",
+        "rev": "dbe90e63a36762f1fbde546e26a84af774a32455",
        "type": "github"
      },
      "original": {
@ -369,11 +369,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1695830400,
-        "narHash": "sha256-gToZXQVr0G/1WriO83olnqrLSHF2Jb8BPcmCt497ro0=",
+        "lastModified": 1696193975,
+        "narHash": "sha256-mnQjUcYgp9Guu3RNVAB2Srr1TqKcPpRXmJf4LJk6KRY=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "8a86b98f0ba1c405358f1b71ff8b5e1d317f5db2",
+        "rev": "fdd898f8f79e8d2f99ed2ab6b3751811ef683242",
        "type": "github"
      },
      "original": {
@ -410,11 +410,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1691374719,
-        "narHash": "sha256-HCodqnx1Mi2vN4f3hjRPc7+lSQy18vRn8xWW68GeQOg=",
+        "lastModified": 1695003086,
+        "narHash": "sha256-d1/ZKuBRpxifmUf7FaedCqhy0lyVbqj44Oc2s+P5bdA=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "b520a3889b24aaf909e287d19d406862ced9ffc9",
+        "rev": "b87a14abea512d956f0b89d0d8a1e9b41f3e20ff",
        "type": "github"
      },
      "original": {
@ -432,11 +432,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1693447852,
-        "narHash": "sha256-K9npbs4S6+r51vpiElJi+0vwbAeftCAcOGbot/PCBnQ=",
+        "lastModified": 1696039808,
+        "narHash": "sha256-7TbAr9LskWG6ISPhUdyp6zHboT7FsFrME5QsWKybPTA=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "40e851593ef4f9f8cd0b69c8cae7b722b9953a23",
+        "rev": "a4c3c904ab29e04a20d3a6da6626d66030385773",
        "type": "github"
      },
      "original": {
@ -453,11 +453,11 @@
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1695284550,
-        "narHash": "sha256-z9fz/wz9qo9XePEvdduf+sBNeoI9QG8NJKl5ssA8Xl4=",
+        "lastModified": 1696320910,
+        "narHash": "sha256-fbuEc6wylH+0VxG48lhPBK+SQJHfo2lusUwWHZNipIM=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "2f375ed8702b0d8ee2430885059d5e7975e38f78",
+        "rev": "746c7fa1a64c1671a4bf287737c27fdc7101c4c2",
        "type": "github"
      },
      "original": {
@ -530,18 +530,18 @@
      "flake": false,
      "locked": {
        "host": "gitlab.freedesktop.org",
-        "lastModified": 1695919988,
-        "narHash": "sha256-4RBgIZHaVqH0m1POnfzYRzwCWxifIKH4xQ0kCn2LGkA=",
+        "lastModified": 1696255886,
+        "narHash": "sha256-0KZfiqqREousitBgG1mkzKmmNX4tjOIWdbBm6MvRCjQ=",
        "owner": "wlroots",
        "repo": "wlroots",
-        "rev": "c2aa7fd965cb7ee8bed24f4122b720aca8f0fc1e",
+        "rev": "5ef42e8e8adece098848fac53c721b6eb3818fc2",
        "type": "gitlab"
      },
      "original": {
        "host": "gitlab.freedesktop.org",
        "owner": "wlroots",
        "repo": "wlroots",
-        "rev": "c2aa7fd965cb7ee8bed24f4122b720aca8f0fc1e",
+        "rev": "5ef42e8e8adece098848fac53c721b6eb3818fc2",
        "type": "gitlab"
      }
    },
--- a/hosts/sakura/services/default.nix
+++ b/hosts/sakura/services/default.nix
@ -10,5 +10,6 @@
    ./vaultwarden.nix
    ./conduit.nix
    ./cloudflareddns.nix
+    ./tailscale.nix
  ];
 }
--- a/hosts/sakura/services/tailscale.nix
+++ b/hosts/sakura/services/tailscale.nix
@ -0,0 +1,41 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  sops.secrets.tsauth-sakura = {};
+  environment.systemPackages = [pkgs.jq pkgs.tailscale];
+  services.tailscale = {
+    useRoutingFeatures = lib.mkDefault "client";
+  };
+  networking.firewall.allowedUDPPorts = [config.services.tailscale.port];
+  networking.firewall.trustedInterfaces = [config.services.tailscale.interfaceName];
+
+  systemd.services.tailscale-autoconnect = {
+    description = "Automatic connection to Tailscale";
+
+    # make sure tailscale is running before trying to connect to tailscale
+    after = ["network-pre.target" "tailscale.service"];
+    wants = ["network-pre.target" "tailscale.service"];
+    wantedBy = ["multi-user.target"];
+
+    # set this service as a oneshot job
+    serviceConfig.Type = "oneshot";
+
+    # have the job run this shell script
+    script = with pkgs; ''
+      # wait for tailscaled to settle
+      sleep 2
+
+      # check if we are already authenticated to tailscale
+      status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+      if [ $status = "Running" ]; then # if so, then do nothing
+        exit 0
+      fi
+
+      # otherwise authenticate with tailscale
+      ${tailscale}/bin/tailscale up -authkey file:${config.sops.secrets.tsauth-sakura.path} --exit-node=100.87.54.48 --exit-node-allow-lan-access=true --accept-dns=false
+    '';
+  };
+}
--- a/hosts/sakura/services/traefik.nix
+++ b/hosts/sakura/services/traefik.nix
@ -1,6 +1,5 @@
 {config, ...}: {
  sops.secrets.cloudflare-api-key = {};
-  networking.firewall.allowedTCPPorts = [80 443];
  systemd.services.traefik = {
    environment = {
      CLOUDFLARE_EMAIL = "jch0tm2e@notohh.dev";
@ -30,57 +29,9 @@
            entrypoints = ["web"];
            service = "dashdot";
          };
-          foundryvtt = {
-            rule = "Host(`foundry.flake.sh`)";
-            entrypoints = ["websecure"];
-            service = "foundryvtt";
-            tls.domains = [{main = "*.flake.sh";}];
-            tls.certresolver = "production";
-          };
-          forgejo = {
-            rule = "Host(`git.flake.sh`)";
-            entrypoints = ["websecure"];
-            service = "forgejo";
-            tls.domains = [{main = "*.flake.sh";}];
-            tls.certresolver = "production";
-          };
-          rustypaste = {
-            rule = "Host(`i.flake.sh`)";
-            entrypoints = ["websecure"];
-            service = "rustypaste";
-            tls.domains = [{main = "*.flake.sh";}];
-            tls.certresolver = "production";
-          };
-          grafana = {
-            rule = "Host(`metrics.flake.sh`)";
-            entrypoints = ["websecure"];
-            service = "grafana";
-            tls.domains = [{main = "*.flake.sh";}];
-            tls.certresolver = "production";
-          };
-          hedgedoc = {
-            rule = "Host(`scratch.flake.sh`)";
-            entrypoints = ["websecure"];
-            service = "hedgedoc";
-            tls.domains = [{main = "*.flake.sh";}];
-            tls.certresolver = "production";
-          };
-          vaultwarden = {
-            rule = "Host(`vault.flake.sh`)";
-            entrypoints = ["websecure"];
-            service = "vaultwarden";
-            tls.domains = [{main = "*.flake.sh";}];
-            tls.certresolver = "production";
-          };
        };
        services = {
          dashdot.loadBalancer.servers = [{url = "http://localhost:4000";}];
-          foundryvtt.loadBalancer.servers = [{url = "http://localhost:30000";}];
-          forgejo.loadBalancer.servers = [{url = "http://localhost:3200";}];
-          rustypaste.loadBalancer.servers = [{url = "http://localhost:8000";}];
-          grafana.loadBalancer.servers = [{url = "http://localhost:3100";}];
-          hedgedoc.loadBalancer.servers = [{url = "http://localhost:3300";}];
-          vaultwarden.loadBalancer.servers = [{url = "http://localhost:8222";}];
        };
      };
    };
--- a/hosts/sora/services/default.nix
+++ b/hosts/sora/services/default.nix
@ -3,5 +3,6 @@
    ./traefik.nix
    ./uptimekuma.nix
    ./gotify.nix
+    ./tailscale.nix
  ];
 }
--- a/hosts/sora/services/tailscale.nix
+++ b/hosts/sora/services/tailscale.nix
@ -0,0 +1,41 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  sops.secrets.tsauth-sora = {};
+  environment.systemPackages = [pkgs.jq pkgs.tailscale];
+  services.tailscale = {
+    useRoutingFeatures = lib.mkDefault "server"; # important to make it a server, it sets sysctl for ip forwarding without intervention and reboot
+  };
+  networking.firewall.allowedUDPPorts = [config.services.tailscale.port];
+  networking.firewall.trustedInterfaces = [config.services.tailscale.interfaceName];
+
+  systemd.services.tailscale-autoconnect = {
+    description = "Automatic connection to Tailscale";
+
+    # make sure tailscale is running before trying to connect to tailscale
+    after = ["network-pre.target" "tailscale.service"];
+    wants = ["network-pre.target" "tailscale.service"];
+    wantedBy = ["multi-user.target"];
+
+    # set this service as a oneshot job
+    serviceConfig.Type = "oneshot";
+
+    # have the job run this shell script
+    script = with pkgs; ''
+      # wait for tailscaled to settle
+      sleep 2
+
+      # check if we are already authenticated to tailscale
+      status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+      if [ $status = "Running" ]; then # if so, then do nothing
+        exit 0
+      fi
+
+      # otherwise authenticate with tailscale
+      ${tailscale}/bin/tailscale up --authkey file:${config.sops.secrets.tsauth-sora.path} --advertise-exit-node=true --accept-dns=false
+    '';
+  };
+}
--- a/hosts/sora/services/traefik.nix
+++ b/hosts/sora/services/traefik.nix
@ -1,6 +1,6 @@
 {config, ...}: {
  sops.secrets.cloudflare-api-key = {};
-  networking.firewall.allowedTCPPorts = [80 443];
+  networking.firewall.allowedTCPPorts = [80 443 2222];
  systemd.services.traefik = {
    environment = {
      CLOUDFLARE_EMAIL = "jch0tm2e@notohh.dev";
@ -53,12 +53,60 @@
            tls.domains = [{main = "*.notohh.dev";}];
            tls.certresolver = "production";
          };
+          foundryvtt = {
+            rule = "Host(`foundry.flake.sh`)";
+            entrypoints = ["websecure"];
+            service = "foundryvtt";
+            tls.domains = [{main = "*.flake.sh";}];
+            tls.certresolver = "production";
+          };
+          forgejo = {
+            rule = "Host(`git.flake.sh`)";
+            entrypoints = ["websecure"];
+            service = "forgejo";
+            tls.domains = [{main = "*.flake.sh";}];
+            tls.certresolver = "production";
+          };
+          rustypaste = {
+            rule = "Host(`i.flake.sh`)";
+            entrypoints = ["websecure"];
+            service = "rustypaste";
+            tls.domains = [{main = "*.flake.sh";}];
+            tls.certresolver = "production";
+          };
+          grafana = {
+            rule = "Host(`metrics.flake.sh`)";
+            entrypoints = ["websecure"];
+            service = "grafana";
+            tls.domains = [{main = "*.flake.sh";}];
+            tls.certresolver = "production";
+          };
+          hedgedoc = {
+            rule = "Host(`scratch.flake.sh`)";
+            entrypoints = ["websecure"];
+            service = "hedgedoc";
+            tls.domains = [{main = "*.flake.sh";}];
+            tls.certresolver = "production";
+          };
+          vaultwarden = {
+            rule = "Host(`vault.flake.sh`)";
+            entrypoints = ["websecure"];
+            service = "vaultwarden";
+            tls.domains = [{main = "*.flake.sh";}];
+            tls.certresolver = "production";
+          };
        };
        services = {
          uptime-kuma.loadBalancer.servers = [{url = "http://100.87.54.48:4000";}];
          gotify.loadBalancer.servers = [{url = "http://100.87.54.48:3000";}];
          conduit.loadBalancer.servers = [{url = "http://100.121.201.47:6167";}];
          authelia.loadBalancer.servers = [{url = "http://100.121.201.47:9091";}];
+          foundryvtt.loadBalancer.servers = [{url = "http://100.121.201.47:30000";}];
+          forgejo.loadBalancer.servers = [{url = "http://100.121.201.47:3200";}];
+          rustypaste.loadBalancer.servers = [{url = "http://100.121.201.47:8000";}];
+          grafana.loadBalancer.servers = [{url = "http://100.121.201.47:3100";}];
+          hedgedoc.loadBalancer.servers = [{url = "http://100.121.201.47:3300";}];
+          vaultwarden.loadBalancer.servers = [{url = "http://100.121.201.47:8222";}];
        };
      };
    };
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@ -9,6 +9,8 @@ authelia-jwt: ENC[AES256_GCM,data:cAn2uZeSGjG2FqTFgZkupcSutCZLvZXCNBsxuUQvGX4=,i
 authelia-sek: ENC[AES256_GCM,data:yWhAvl1AuEcrUCFAv2vcz6A8BLEIMIz9sqbFRAriHpw=,iv:i887EZgqGtRfFs6mHHAJry0XfQzvrTaDliz8PRh7oLs=,tag:dmn2GSG8gZk9CVXMNmH1Dw==,type:str]
 cloudflareddns: ENC[AES256_GCM,data:xow7oaqa3QbMPwggx2zmGvLcKmov7isvLLZKuC6jW/SNjst8kicSQmNhrZw8M/eq8TuqxOT4BqMILQ+I7As2ZCOjSbEBxi1DwU/z47qI,iv:W8UH4kWlh9JyxcGkeuOjRZKqjOHDg9vpzXezHYs1kEg=,tag:YgGk7svEQr9sqLJtKWcHqA==,type:str]
 forgejo-runner-token: ENC[AES256_GCM,data:cmE70bA22B1YMr/iD32f+TRhk/X1f4aA8N4z1NGj4GxLgYMXkS1FpA==,iv:8XQ00VnQTyOh3wgb3ipO8P0QTo3qPSAJXvf7rRGi+Tc=,tag:QZpyUa+MDL8Hsjj3mdpOnA==,type:str]
+tsauth-sora: ENC[AES256_GCM,data:3jzPB0whb9xHudVl/MhNeCUgjDfzzQpxGJGqfMf2GqEtfEkiynVTLO/TFDt1PorBuUQOjVfxn8c=,iv:5vLHbhY2ZlnsVQbLlu6Hxo32azpfcj6ORAMn3oSdcHY=,tag:zN8qPOSaSMMdJn+zsTXPaA==,type:str]
+tsauth-sakura: ENC[AES256_GCM,data:iN77ArKDnltxrWGCz8bMqMHBAp45oGUk+n5ilAE0tY2rz01PGaCmIgPFSDfNaMphH6gX+AbEd5Y=,iv:k/lBIZW7aKT3u+dgcFnQORah2yHZXAmY+PBv53tM1ao=,tag:9/pebj3D9LURTedqkduoaw==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -24,8 +26,8 @@ sops:
            YWNQcURKMSs2U0pOa3E0cTdCZ3RnalkKGayA7DBUQS+kn+6OYVBc6oTunF0qeZdt
            5b9DLHgh0HRWFm09XGSOog8K315d93Wzblw1My1/dXeEQX/ryinqUQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-10-05T20:42:39Z"
-    mac: ENC[AES256_GCM,data:bniacC304lHRxyxpVPopWtKu2508fIpp+TmVt+2EJjsPiqV2x6tA377DTiczh+7tjjcEKJQ7UclkRs+8BH095WyYuX7LC6F8HzQY2its1BoMUvBoHo9x0gVTK0lgg01kLTrLFrWP3uv5xcGgj1/huBLfr6tOwvymmyEgORlf/+M=,iv:VJIYUqzflBQ+vXEWinBCPBjnQXH36nYdRehjPnErSBo=,tag:6nBssjqsd0oIpakpw+mFsw==,type:str]
+    lastmodified: "2023-10-07T14:08:11Z"
+    mac: ENC[AES256_GCM,data:uk8GkhA5j5w6Az/4uZmPR5eyZ1WOenyeqozSInRfkSZbYwC+bABmSx+DlkqTFKvppTjuWJmCii6OrYGbloiI48x46GzI2qgHfG/Q4a/+HDEmHEa8pnGGioazFzML4Wqwsvba9CaGJq62bSuh44qdH7lQbE3YqhTrEgZqJ3Zmkcg=,iv:foDwveVQ4K3ygA35lrARACwMv/YmDQB3V2fFLOZI2n8=,tag:pC40f60MdlQsYhgNT+7kTw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.0