feat: repo-local secrets implemented for yubikey

2025-12-06 09:07:21 +01:00 · 2025-06-11 04:01:07 +02:00 · 2025-06-11 04:01:07 +02:00 · 85cbd5e1f6
commit 85cbd5e1f6
parent 609bb1597f
11 changed files with 230 additions and 60 deletions
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@ -3990,6 +3990,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
        network = lib.mkDefault true;
        time = lib.mkDefault true;
        commonSops = lib.mkDefault true;
        pii = lib.mkDefault true;
        stylix = lib.mkDefault true;
        programs = lib.mkDefault true;
        zsh = lib.mkDefault true;
@ -4249,6 +4250,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
        modules = {
          general = lib.mkDefault true;
          nix-ld = lib.mkDefault true;
          pii = lib.mkDefault true;
          home-manager = lib.mkDefault true;
          home-managerExtra = lib.mkDefault true;
          xserver = lib.mkDefault true;
@ -4297,6 +4299,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
        modules = {
          general = lib.mkDefault true;
          nix-ld = lib.mkDefault true;
        pii = lib.mkDefault true;
          home-manager = lib.mkDefault true;
          home-managerExtra = lib.mkDefault true;
          xserver = lib.mkDefault true;
@ -4753,8 +4756,8 @@ in
    nixFile:
    assert assertMsg (builtins.isPath nixFile)
      "The file to decrypt must be given as a path to prevent impurity.";
-    assert assertMsg (hasSuffix ".nix.age" nixFile)
+    assert assertMsg (hasSuffix ".nix.enc" nixFile)
-      "The content of the decrypted file must be a nix expression and should therefore end in .nix.age";
+      "The content of the decrypted file must be a nix expression and should therefore end in .nix.enc";
    exec [
        ./sops-decrypt-and-cache.sh
        nixFile
@ -4778,7 +4781,7 @@ in
  file="$1"
  shift
-  basename="$file"
+  basename="${file%".enc"}"
  # store path prefix or ./ if applicable
  [[ $file == "/nix/store/"* ]] && basename="${basename#*"-"}"
  [[ $file == "./"* ]] && basename="${basename#"./"}"
@ -5684,6 +5687,20 @@ Setup timezone and locale. I want to use the US layout, but have the rest adapte
  }
 #+end_src
 **** Meta options
 #+begin_src nix :tangle modules/nixos/common/meta.nix
  { lib, ... }:
  {
    options.node.secretsDir = lib.mkOption {
      description = "Path to the secrets directory for this node.";
      type = lib.types.path;
      default = ./.;
    };
  }
 #+end_src
 **** sops
 :PROPERTIES:
 :CUSTOM_ID: h:d87d80fd-2ac7-4f29-b338-0518d06b4deb
@ -5753,6 +5770,84 @@ I use sops-nix to handle secrets that I want to have available on my machines at
  }
 #+end_src
 **** PII management
 #+begin_src nix :tangle modules/nixos/common/pii.nix
  { config, inputs, lib, ... }:
  let
    # If the given expression is a bare set, it will be wrapped in a function,
    # so that the imported file can always be applied to the inputs, similar to
    # how modules can be functions or sets.
    constSet = x: if builtins.isAttrs x then (_: x) else x;
    # Try to access the extra builtin we loaded via nix-plugins.
    # Throw an error if that doesn't exist.
    sopsImportEncrypted =
      assert lib.assertMsg (builtins ? extraBuiltins.sopsImportEncrypted)
        "The extra builtin 'sopsImportEncrypted' is not available, so repo.secrets cannot be decrypted. Did you forget to add nix-plugins and point it to `<flakeRoot>/nix/extra-builtins.nix` ?";
      builtins.extraBuiltins.sopsImportEncrypted;
    # This "imports" an encrypted .nix.age file by evaluating the decrypted content.
    importEncrypted =
      path:
      constSet (
        if builtins.pathExists path then
          sopsImportEncrypted path
        else
          { }
      );
  in
  {
    options = {
      repo = {
        secretFiles = lib.mkOption {
          default = { };
          type = lib.types.attrsOf lib.types.path;
          example = lib.literalExpression "{ local = ./pii.nix.enc; }";
          description = ''
          This file manages the origin for this machine's repository-secrets. Anything that is
          technically not a secret in the classical sense (i.e. that it has to be protected
          after it has been deployed), but something you want to keep secret from the public;
          Anything that you wouldn't want people to see on GitHub, but that can live unencrypted
          on your own devices. Consider it a more ergonomic nix alternative to using git-crypt.
          All of these secrets may (and probably will be) put into the world-readable nix-store
          on the build and target hosts. You'll most likely want to store personally identifiable
          information here, such as:
            - MAC Addreses
            - Static IP addresses
            - Your full name (when configuring your users)
            - Your postal address (when configuring e.g. home-assistant)
            - ...
          Each path given here must be an sops-encrypted .nix file. For each attribute `<name>`,
          the corresponding file will be decrypted, imported and exposed as {option}`repo.secrets.<name>`.
        '';
        };
        secrets = lib.mkOption {
          readOnly = true;
          default = lib.mapAttrs (_: x: importEncrypted x inputs) config.repo.secretFiles;
          type = lib.types.unspecified;
          description = "Exposes the loaded repo secrets. This option is read-only.";
        };
      };
      swarselsystems.modules.pii = lib.mkEnableOption "enable pii management";
    };
    config = lib.mkIf config.swarselsystems.modules.pii {
      repo.secretFiles =
        let
          local = config.node.secretsDir + "/pii.nix.enc";
        in
          (lib.optionalAttrs (lib.pathExists local) { inherit local; }) // {
           common = ../../../secrets/repo/pii.nix.enc;
        };
    };
    }
 #+end_src
 **** Theme (stylix)
 :PROPERTIES:
 :CUSTOM_ID: h:e6e44705-94af-49fe-9ca0-0629d0f7d932
@ -10459,19 +10554,15 @@ I use sops-nix to handle secrets that I want to have available on my machines at
 :END:
 #+begin_src nix :tangle modules/home/common/yubikey.nix
-  { lib, config, nix-secrets, ... }:
+  { lib, config, nixosConfig, ... }:
  let
    secretsDirectory = builtins.toString nix-secrets;
    yubikey1 = lib.swarselsystems.getSecret "${secretsDirectory}/yubikey/yubikey1";
    yubikey2 = lib.swarselsystems.getSecret "${secretsDirectory}/yubikey/yubikey2";
  in
  {
    options.swarselsystems.modules.yubikey = lib.mkEnableOption "yubikey settings";
    config = lib.mkIf config.swarselsystems.modules.yubikey {
      pam.yubico.authorizedYubiKeys = {
        ids = [
-          "${yubikey1}"
+          nixosConfig.repo.secrets.common.yubikeys.dev1
-          "${yubikey2}"
+          nixosConfig.repo.secrets.common.yubikeys.dev2
        ];
      };
    };
--- a/modules/home/common/yubikey.nix
+++ b/modules/home/common/yubikey.nix
@ -1,16 +1,12 @@
-{ lib, config, nix-secrets, ... }:
+{ lib, config, nixosConfig, ... }:
 let
  secretsDirectory = builtins.toString nix-secrets;
  yubikey1 = lib.swarselsystems.getSecret "${secretsDirectory}/yubikey/yubikey1";
  yubikey2 = lib.swarselsystems.getSecret "${secretsDirectory}/yubikey/yubikey2";
 in
 {
  options.swarselsystems.modules.yubikey = lib.mkEnableOption "yubikey settings";
  config = lib.mkIf config.swarselsystems.modules.yubikey {
    pam.yubico.authorizedYubiKeys = {
      ids = [
-        "${yubikey1}"
+        nixosConfig.repo.secrets.common.yubikeys.dev1
-        "${yubikey2}"
+        nixosConfig.repo.secrets.common.yubikeys.dev2
      ];
    };
  };
--- a/modules/nixos/common/meta.nix
+++ b/modules/nixos/common/meta.nix
@ -0,0 +1,8 @@
 { lib, ... }:
 {
  options.node.secretsDir = lib.mkOption {
    description = "Path to the secrets directory for this node.";
    type = lib.types.path;
    default = ./.;
  };
 }
--- a/modules/nixos/common/pii.nix
+++ b/modules/nixos/common/pii.nix
@ -0,0 +1,72 @@
 { config, inputs, lib, ... }:
 let
  # If the given expression is a bare set, it will be wrapped in a function,
  # so that the imported file can always be applied to the inputs, similar to
  # how modules can be functions or sets.
  constSet = x: if builtins.isAttrs x then (_: x) else x;
  # Try to access the extra builtin we loaded via nix-plugins.
  # Throw an error if that doesn't exist.
  sopsImportEncrypted =
    assert lib.assertMsg (builtins ? extraBuiltins.sopsImportEncrypted)
      "The extra builtin 'sopsImportEncrypted' is not available, so repo.secrets cannot be decrypted. Did you forget to add nix-plugins and point it to `<flakeRoot>/nix/extra-builtins.nix` ?";
    builtins.extraBuiltins.sopsImportEncrypted;
  # This "imports" an encrypted .nix.age file by evaluating the decrypted content.
  importEncrypted =
    path:
    constSet (
      if builtins.pathExists path then
        sopsImportEncrypted path
      else
        { }
    );
 in
 {
  options = {
    repo = {
      secretFiles = lib.mkOption {
        default = { };
        type = lib.types.attrsOf lib.types.path;
        example = lib.literalExpression "{ local = ./pii.nix.enc; }";
        description = ''
          This file manages the origin for this machine's repository-secrets. Anything that is
          technically not a secret in the classical sense (i.e. that it has to be protected
          after it has been deployed), but something you want to keep secret from the public;
          Anything that you wouldn't want people to see on GitHub, but that can live unencrypted
          on your own devices. Consider it a more ergonomic nix alternative to using git-crypt.
          All of these secrets may (and probably will be) put into the world-readable nix-store
          on the build and target hosts. You'll most likely want to store personally identifiable
          information here, such as:
            - MAC Addreses
            - Static IP addresses
            - Your full name (when configuring your users)
            - Your postal address (when configuring e.g. home-assistant)
            - ...
          Each path given here must be an sops-encrypted .nix file. For each attribute `<name>`,
          the corresponding file will be decrypted, imported and exposed as {option}`repo.secrets.<name>`.
        '';
      };
      secrets = lib.mkOption {
        readOnly = true;
        default = lib.mapAttrs (_: x: importEncrypted x inputs) config.repo.secretFiles;
        type = lib.types.unspecified;
        description = "Exposes the loaded repo secrets. This option is read-only.";
      };
    };
    swarselsystems.modules.pii = lib.mkEnableOption "enable pii management";
  };
  config = lib.mkIf config.swarselsystems.modules.pii {
    repo.secretFiles =
      let
        local = config.node.secretsDir + "/pii.nix.enc";
      in
      (lib.optionalAttrs (lib.pathExists local) { inherit local; }) // {
        common = ../../../secrets/repo/pii.nix.enc;
      };
  };
 }
--- a/nix/extra-builtins.nix
+++ b/nix/extra-builtins.nix
@ -17,8 +17,8 @@ in
    nixFile:
      assert assertMsg (builtins.isPath nixFile)
        "The file to decrypt must be given as a path to prevent impurity.";
-      assert assertMsg (hasSuffix ".nix.age" nixFile)
+      assert assertMsg (hasSuffix ".nix.enc" nixFile)
-        "The content of the decrypted file must be a nix expression and should therefore end in .nix.age";
+        "The content of the decrypted file must be a nix expression and should therefore end in .nix.enc";
      exec [
        ./sops-decrypt-and-cache.sh
        nixFile
--- a/nix/sops-decrypt-and-cache.sh
+++ b/nix/sops-decrypt-and-cache.sh
@ -11,7 +11,7 @@ fi
 file="$1"
 shift
-basename="$file"
+basename="${file%".enc"}"
 # store path prefix or ./ if applicable
 [[ $file == "/nix/store/"* ]] && basename="${basename#*"-"}"
 [[ $file == "./"* ]] && basename="${basename#"./"}"
--- a/profiles/nixos/localserver/default.nix
+++ b/profiles/nixos/localserver/default.nix
@ -6,6 +6,7 @@
      modules = {
        general = lib.mkDefault true;
        nix-ld = lib.mkDefault true;
        pii = lib.mkDefault true;
        home-manager = lib.mkDefault true;
        home-managerExtra = lib.mkDefault true;
        xserver = lib.mkDefault true;
--- a/profiles/nixos/personal/default.nix
+++ b/profiles/nixos/personal/default.nix
@ -18,6 +18,7 @@
      network = lib.mkDefault true;
      time = lib.mkDefault true;
      commonSops = lib.mkDefault true;
      pii = lib.mkDefault true;
      stylix = lib.mkDefault true;
      programs = lib.mkDefault true;
      zsh = lib.mkDefault true;
--- a/profiles/nixos/syncserver/default.nix
+++ b/profiles/nixos/syncserver/default.nix
@ -6,6 +6,7 @@
      modules = {
        general = lib.mkDefault true;
        nix-ld = lib.mkDefault true;
        pii = lib.mkDefault true;
        home-manager = lib.mkDefault true;
        home-managerExtra = lib.mkDefault true;
        xserver = lib.mkDefault true;
--- a/secrets/repo/packages.nix.age
+++ b/secrets/repo/packages.nix.age
@ -1,38 +0,0 @@
 {
 	"data": "ENC[AES256_GCM,data:HOKAicZWRXn7EJdyLKfRuX1OFyWAZJKl5hteN3VzZfjlg+RuSg0/Q3xAxkc0spc2tUnwFLbtJsGkEip+ze9wpAYD6tvk9lDorgZY,iv:Yfz7LZcH0rVZ8cGCGiq0k03b1vB1H0b2pblXDjudMH8=,tag:IQW2IrBMcFBtbxx7SGg7vg==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3QjVKRENZV3d0TzlyNEhp\ndGcwaGNOT01wRlc5eW5JYjFHUUNONVFyNjM0CitnUHExUThpVmtkazFmOWt5N2J3\naGdoTUY3Y3JjL3hXRDVha3V1L3U4bFEKLS0tIGhjT3BGdWRZYkZCdHNRdDRMQnpi\nVi9hR2JTRVk2UUlQRHVXS0RLN2tpT3cKDSpdUF5s/rYEWRG9BDF53BAWzfkFAblH\nl+uwzdKc9+bxda5fwe7EFFxlJ+AYSqhyUcVqLV+NQO97avOdARadrg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzc2lGU0ZUMmlHbXNXTzdi\ndzlkaVg0WC92ZUg1WXpPZnRJWU5aalRnVGxNCmJVQUVvM0lDSzMvWlZtcWtmZVVH\nYVI0dkpJa3hRTUI3VHFYSmpsZ1FhQWcKLS0tIHhHVHdyRzM5ZVhsbnBSZHdMSDRv\nMGNvaXNNdnoxM2RMNWJQd0gwZWdlYWcK4lGnEXO4D1cJV/U6yC7GRHhanVnDRCS4\nX3WZsvLHZob6bpmK+G/5zA+OQnmqXTSBNxgd3jMEHaJOMPAtVonyWA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArSGg4NmtiVzBwYUVlWDJ4\nK3h2OFBkbmI4aEpTMUlaQk5wcUluMU11TWlvCklCY0F2VUZEYVNCREdKdkJsbmww\nZjBJYjZGOHBhWk9sblRSM2x5NGNlRlkKLS0tIGpiQnY5QkNpVGpTWk1pV2kxNTN5\nRiswRlFJYktTYUwrd3lTUmFydTBRV0EKRX2dBU+aohpa03F54M1MgrGQtfxvW88n\nZI36m8M7EgA1ij6dhnlKxEDcYSIx/dd5cu+IMBujrDewuSaU7HhyNQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuaEpCNEpwNXhRQ1FQWi9W\nRVdXazVtS3BlVE5oRnd5Y1RkdUZ5Sm9HN1hnCm82YWhWRzQzNW1iZVFTTDJScDJy\nTHA5d1ZhTUlSNU9vUllqVG5NSmk4TXcKLS0tIHAwOFk3cFFuTXZrdUN4cjlaWTM4\nLzJWUk95QWROMFFsa3l2NmJhS2pEaTAKwjzQ+Fh1A8bE/Jajf3mviDgLE0ECv/u+\nDG9yegxklNGJr/F82bkYtCizruMMPrBUq9WiM58/og98IuuSC+D2MA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnNENFYjZpZmZHaHdPU2pj\nelQvUWRjcENCSVVNSmU4MWwvVlRkbUFaajBZClhMR1d1VHIzSkdGMmx1bXo0R2t4\nUkMxN3d1WjlZOVRML0tOQmJQNEJ3VmsKLS0tIEt2ejYzUUVSOVZZMVh3blViM2xG\nNXdkZk91WndaYmRiN1dVaDhxZ1l5eDQKFTUi+3P9SBPrIyxPGs5E8BoYAVXXcJ6P\n+9yNQ465s7Zeq4ExVFleqleubhIfYlShxMyQlIbOeE8AVqubN7kyLQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-06-10T17:55:09Z",
 		"mac": "ENC[AES256_GCM,data:sh/ZOcT86S9gDWv2tzSefWR0jbT/1HsW1UGt67yxTFSp4w+koKk6fZxkRVBefu31DANObn1NR7re3xX3YPVRQ2oiov3tLg+hOmdBziXr7xg43vhWGQQTXk9/g7K3Bv9XCy+mISw2R92FZ4lmo9PhJV96aDnd+CUInR+OTHxfceU=,iv:efFyYq5rcQ97Y2sidFbdkiX9hndznR/doRNKz2r85iY=,tag:NzSxZWDlXi8q0+OWaRMK9Q==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-06-10T14:51:46Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ/9FPkVx1F30ZnXGBRkOmZkf7Gfh6K4o5JtI12cdZsajsjR\nwO8ScNT8H/imnShKGmchg/oaeq/3Tr9UJgwWm+RFeeJ/i0RbmsS+0gHVhoHKjQev\nF5Fa4s/Af1XJld6A+zOCAt9QJrNOxe1Wthrv8L4DbCpuO/bV8rurLC6k/2GXbHeO\nfVnCi0aptosxNz4C73HRLMCX7MNsE+uhiRA/kPpDzLmWvh4/6GE50874dakk8ygg\n6uQ7RRJ5ULoQKUxjvk++wvc8uhYuplcDe6pbbM3Q9NIzjEf1Ef2g6wGiXyZ+QpWU\ntE5ScTCDxzhcund8zgk/JNmajIhup3qQG64ex8rnhvlICtUWBtHVtRsf0nVvylCz\nuI2TN4KbuyuHU4lTVETCuML+8VI7zkGmUvh2Kp3ib7uXcnuFrakPy/cFWBBzd2a1\nebvYnoZL34uzXBrWXI9fidQWIiNpvqVbM2HnRC9dMyXGgP+Yr6IasX8g2tAAC6DY\nMw4IEBwtcCLxlGFYCxD47GcDCr6z95oC8Smg7L2x0KqyZEh3M6OS+z9HSVKy2Nz7\n0pFJwUQAqP3RZMLML/ZB+kcSx+g6I0tKGSegBIBHJ9Em8CTOWhuYTOu9DweRKtA7\nIx0DNBXtLn5nNNJlXJvaz55ggDtR2egoXiM9a+TDcW83qSRRNvtWYrkEuFrc7RmF\nAgwDC9FRLmchgYQBEACRk/NKKVN+qWu8EPuyAd3gkDOFPmKwnqZxYra86J0qpBr1\nNeCKGAFIV+VePnhDWW2KQeZYNpxQn4qJ5zaLO7cXMFwMhQgxmanih3lyS28Z5RkL\nm2xNnSr60M1qSm4Q04orv/WreBtzoAKWUh6mnXvf1Wldz1v2Bm2TT9GKkanb2EzB\noVr2tXTU3ZO2jbCeGab4c68RkzgGCK5RlJJhW05+9/b7gN2nK4GmxpWzlL6f62v9\n5ZJmMfJFvix6d0sE+1bToGL6SpM7jb51RlapUNXRXhG9z+74PwmwPPHNVzXlt8ne\nYzIYFpE7rTzP/0hYF0WnDIQANk/1nt7z6qV6cxD0tN88GPzMJYRuSYih4M8kNsiE\nkhxkKU4Aj7RjNwoMjTqquQtzmiL0Faak1HH22gr8jvLIwnVFtV70BndNro90a94Z\n1UZI+ip94DTRqRoCInLGcIO7LrDho6npOucusZtMObnzqxU2GDfoKWv+HW93boV8\nRvFv6bPGCmFvFbVnhO5UHV9E/8RVdIfYKavbo5w6qGy1DNPr3yrDeUP9k0dBV6sK\nhgTX5lxPPmO/U4DN1AltP3+LhjxhO9qGZ+rXSvjt38v/59gHq9JYtYZnaxQ0WxIU\nc/jWLPt5RKNmmXw4FFP5h4TotJXysxs9iPaH4t48zPbxoxYgzV7/NCMHNYgAANJe\nAUwDGCm5kyyzXDhiWG8xbZgwBBdsDnVWO7cCOQjzW1n+inZoNb4S+YjflVvckWdL\n89Lk0qtZceMis9AWYdF123jAH3okPDRjUtkLWy4dqjToqaYyQpG+YFMI+5j0ig==\n=JSDc\n-----END PGP MESSAGE-----",
 				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.10.2"
 	}
 }
--- a/secrets/repo/pii.nix.enc
+++ b/secrets/repo/pii.nix.enc
@ -0,0 +1,38 @@
 {
 	"data": "ENC[AES256_GCM,data:s7upsped0qBHSmSbW4ESqH9RbroHNMSO7wYwXRf12aWo6Ula6vpwQYHyCqhuiI4WtSL1osRLoosLipfNJLJRgunLB+qAJgkof+5njmCw,iv:ywC5bm4W9dkuxgqA7GxTE40pgzjGdLsHQifoMHYgEaY=,tag:bOf0xTa2VxZ+zONVRoXf9g==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzVEtLVVQvTUVGOUtwWmdE\nM291NmRENW5mT3FNa2k4SHNpZWM1V0t5SFcwCjdtQW9jV3d3aDR4M2d5TFRaTEZO\ncXZBazJhc0FsY3dNakxsTGhFaHRLRmcKLS0tIHZMRUYwZHVwV0F2SGV6R0lGZDhW\nVDVIYzhUVlV5TWNQbXBzNTk1LzBGQUUKVsntBAZ6ani53sK7loNBnn8QfXuEOP7s\nY3PEzWyPLxryX8LQ+i7swvv8GaBZ8IxhiyR2dCdoJwQifA7xlkrVkQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGdWtvVWNRM0VJc1BqRytV\nQjJUMDN0SEMvQVByK0l0ZU5raVlHWTlnb0FnCjdkRm4wcEYydFlncWFjQWoybEtu\na2dHOTFKQkdTa1VZbW81LzhDYTRoekkKLS0tIEZOZXhsdzQ0a01MSThpZUZFNko0\nQ2RULzRxZnIzSi9IRkJXNWhDN0dxUDgKH1e1MDSP3Jex/afETM49iqyMm4fbDMGY\nKsRlVb4+ZiT+opkhEMvdiA/DqtHi8xXTiwyIszWv2m2YwETownbQng==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJY2NzUHZ1WDZNQnRqTUI2\ncDQrWjZRSGxqRVJPekV6ZzRNWFdOaS82VFJNCmZVVWpjdTJEcEN2WHZWNG9Cd1Fr\nZXNPb3Q1Nm5mTWJlZ3BLUTZ2bmdFK1UKLS0tIEVCRC9FQXFybExLbVR0Q3pFbDJy\ndVY4bElVRDVYTkRmcW54SUJVcjdmVmsKAQDTjgDxupu+Lbkhks9eR5iouaPe5Ubh\nHLSb6iKFvnaG+vapVNPonLPW0x5Cp8Co5Lh8aTdWvaL8PeKJSnMZ7A==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqV2c4eHlpNlpwNmsxMnM1\nbjQ3SFZlR1hFY3d2WTk5R3NLcllqdzdETjJrClBKWGVwRHlpbENFdElRWGdWNWVE\nL1NBa3d5bnZCVHBRaldQTjFzYnRkc1UKLS0tIDcrOEhNY3Z5VTMzM0RSUm4yNmpW\nM2l1SFpVYXFjNmhSdnBrU0pWYXNXZkUKD0rk5+3McTNhgyJ0e7qpdHTS1ajQ2eZl\nP98G2Xz6zlE7uFxUTyEprPcuvc5SrOpWplemnerhCvwUs78S/fd+jg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bFIrQjZ5cUFBQUp4dTRW\ndEdaZys0OHE5L3BPaVNic3ZZRDQ5N09SaGdZCllhWnY4T2lLZzVUMlp5VjMvQ2lP\ndGFNSTBqbjNMaUcwbVRaWFVCazU3OEUKLS0tIHBIWUZCYjFDVDgzbUUxMC9TNzdp\naFdiWmV6TGIva0RNUDNHWmdJZGgzNHMKiIzjo6sH/SP12cAXTvXiP0X9EE/A8Qw1\nIfgZfyEHdf/Mxd/iNzlWb2Nb0MLerYYw/qZ/+L5eDpUr4Vl051qOXA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-06-11T01:57:02Z",
 		"mac": "ENC[AES256_GCM,data:c/fERNdNCLBb26sZzse/liAQWosjFB20nP7xje1qsJ+NpGa9fvZXGtbxMTbFx/BWy5VB2LEwXLzOTNv10gbjCa7Ovr6fzWaZZ9PoadsrDA2nSiAvTu3v+a70vKCwsTWTUA42w61lEEWBJwjU3kKiI3WF8TPOCeB0CLf3J1t4AHo=,iv:BoPCpP2VwDSHJllcQMpcClHFr6YWDQIT5GJGSZ1HAYY=,tag:hdQUQEFHH3a0PhlEmKdPoQ==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-06-11T01:05:00Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//WxrJpUeO3Patchym/u5+UVliqMoHtH0RPDaUNkjwnEXV\ndI5kNkwjTp1FHLLGm8WS4JKVejSmg4RUNIx0h53CViKrw75oMArHpFLF3y0ffsfK\nocvYW3tmtRKSBiv13T9bmo/BglhbuZVPKtSSb+0oo4bhzsQRWj4GBmkLGa4uSbC2\n2+QIk5C0+6IR2BtB4l5Txsx1hu3Z7Hb4uhtmw/veyulpRiI3LwW4FgmO3CVRYw27\noEr+8X/sJ/RVevU0IRKa0mbRi7KYl73JDb4a+VZw2BAFXfI6SuOtJfxW8oTPTYjC\nIf/ZRaa9tLvf1Q1cicnmth8I1WlwGUA8P2vBolxLhA46UxlpbdeBqXwunswWAEWw\nt/AYr3loNDeV2A0kUoUtI0TNFVOZBRK4zvEYoRP9My4A7ZNSCy1KCXie7UJs7YOH\nCtlNwArJxAXhOYQuN5amvHsvM99/fXeztqvj43uNVaoOFA73+s70WyscvPxeQKKt\nY5y2Xs/iCPnV6p1gEUgeqEd7IDxYicqEZS1rrC+vLffPxmw9aLMCBjzPdfNCOiIM\njOOMt3zU2dyHgeSarpTWheVZc6j0bOAi8pyfcxoAQgxFhMOmArQPYt+D8NMIJV7U\nnteZCWikYGXh3apEA/cxgNDOFMa3SzQNRI5Fw3vX5ab/GNm9XBe6L4lOV5oY8z2F\nAgwDC9FRLmchgYQBD/9CSRv2RDKnFqbvoEThajl5JTGE3kWEf4WrIcB7e78OPa9r\nXj88CpwwblBLt5GJno5t2pThO4t9jn+VvqfX8h1B+NNR4S4T66Ng2n8SXIfhmSgA\nW71tkaAYWCPMg/sp0pc5C6HttsWf9nhrthxHA41WbHXAtmPTh44YrDA2pRlozQNb\n2qxJs4jnSqhlz8CS8/LZ1IMyJKDfD8vlGJ6FcvPh1vjnO3jOa/DnuK2nxmoqpg23\nN2niPqPhcNkMmaQwdsOUxuRg+2sR1RecTI9YO0dY9s2225PObv6c58BicF9+76Bm\nASTGY5lKCwAS1mVdSuaujImWguEoG3JDZY2NaZa0bqkXbHU3htAo+/QdssMnr7BG\n/KzReLMDJqHhcDx9PRaOylEVi16RjTDLoWlaPDv45q5C78e9LVrVdrFrvPC5+IPY\nBElAtXUk7J9+siIlOPETkYIha9vtQMp6It+1zmgcj9L3ziLPtSJGS/MmG6ipS73w\nku1bKWmWMKiFY6ewUeTZRhyHBi/Zp/25j1XN+NC2pPyqL2bkLCXMP4thMMqykBu1\nQtD6G3KTpfxhKudRpQWWBf6YjI0h5/P50Z74ruVNSAjB/IJ4p8uVSsFiMRb4OYDA\nb5L2GRmDmqo8/zh45WP0Qe931zBNYnskZXGfdSdXAyO+DkKVv6GSI6uWKtZl29Jc\nAbDEhXsCr9rREBVDbrSEfiI26nxBZQyZxAj4sozfxBu425bAi2suLt5TilkWWZrD\nR6dedAYVESvFjU3Zd4Saru0Ko6FvTm5EWjQzofCU94mviStnFoMqFrjA00Y=\n=Z2Jy\n-----END PGP MESSAGE-----",
 				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.10.2"
 	}
 }